TUI
Launch the full-screen dashboard:
keyledger
Layout
Section titled “Layout”The interface is split into a sidebar (left, always visible) and a main panel (right). The sidebar lists all providers with their live key counts. Press tab to move focus between them.
Switch views with the number keys or action shortcuts. These keys work from any view, including Providers and Settings.
| Key | View |
|---|---|
1 | Keys |
2 | Health |
3 | Diff |
4 | Snapshots |
p | Providers |
g | Settings |
Keys view
Section titled “Keys view”The default view. Shows a table of all keys across every enabled provider.
Columns: Key ID · Name · WorkSpace · Created · Last Used · Owner · Status · Risk
Keyboard:
| Key | Action |
|---|---|
↑ / k | Move up |
↓ / j | Move down |
← → | Switch to WorkSpaces tab / back to Keys tab |
/ | Open filter bar |
esc | Clear filter |
o | Cycle sort: Created → Last Used → Name → Risk |
s | Save snapshot to database |
The active sort column is underlined in purple in the table header. Sorting by Risk puts critical keys first.
The bottom third of the screen shows a detail pane for the selected key with full metadata and risk reasons.
WorkSpaces tab
Section titled “WorkSpaces tab”Press → to switch to the WorkSpaces tab inside the Keys view. This shows a collapsible provider → workspace/project tree with per-scope key counts and risk breakdown. The key table at the bottom updates to show only keys in the selected scope.
| Key | Action |
|---|---|
↑ / k | Move up |
↓ / j | Move down |
enter / l | Expand provider |
h | Collapse provider |
← | Switch back to Keys tab |
Filter syntax
Section titled “Filter syntax”Multiple terms are ANDed together separated by spaces.
| Expression | Matches |
|---|---|
foo | Substring in ID, name, scope, or status |
name:prod | Name contains “prod” |
id:abc | Key ID contains “abc” |
scope:staging | Scope contains “staging” |
status:active | Exact status match |
risk:critical | Risk score — critical, warning, or ok |
age:>90 | Keys older than 90 days |
idle:>30 | Keys idle for more than 30 days |
idle:never | Keys that have never been used |
owner:alice | Owner name or email contains “alice” |
provider:aws | Filter by provider |
Example — find all active OpenAI keys unused for more than 30 days:
provider:openai status:active idle:>30Health view
Section titled “Health view”Shows keys grouped by risk level: Critical first, then Warning, then OK (hidden by default).
| Key | Action |
|---|---|
↑ / k | Move up |
↓ / j | Move down |
o | Toggle visibility of OK keys |
s | Save snapshot to database |
esc | Go back to Keys view |
A risk distribution bar at the bottom shows the percentage breakdown. The selected key’s full detail and risk reasons appear in the pane below.
Diff view
Section titled “Diff view”Compares the most recent database snapshot against the current live inventory. Shows added, removed, and changed keys.
| Key | Action |
|---|---|
↑ / k | Move up |
↓ / j | Move down |
o | Open a saved snapshot for comparison |
enter | Show detail for selected change |
esc | Go back to Keys view |
Snapshots view
Section titled “Snapshots view”Manage all saved snapshots. Press 4 to open.
| Key | Action |
|---|---|
↑ / k | Move up |
↓ / j | Move down |
d | Delete selected snapshot (confirmation popup) |
x | Export snapshot to JSON file |
enter | Diff selected snapshot against live inventory |
esc | Go back to Keys view |
Deleting a snapshot shows a centered confirmation dialog — press y or enter to confirm, n or esc to cancel.
Providers screen (p)
Section titled “Providers screen (p)”Configure providers: enable/disable, set credentials, and for session-based providers (Mistral), run the interactive login flow.
The provider list shows each provider’s credential status as set (green) or missing (red). For AWS, credentials are considered set when either sso_creds alone, or both access_key_id and secret_access_key, are present.
| Key | Action |
|---|---|
↑ / k | Navigate providers |
↓ / j | Navigate providers |
enter | Open provider detail |
space | Toggle enabled/disabled (list view) |
d | Delete stored credential (detail view, shows confirmation popup) |
t | Run login flow (session-based providers) |
esc | Go back |
Credentials are stored in an AES-256-GCM encrypted SQLite database. You will be prompted to set a password on first use and enter it to unlock on each session.
Settings screen (g)
Section titled “Settings screen (g)”Edit thresholds, snapshot directory, timeout, and parallelism. Changes are saved immediately to the database.
Global shortcuts
Section titled “Global shortcuts”| Key | Action |
|---|---|
r | Refresh all providers |
? | Toggle help overlay |
tab | Switch focus: sidebar ↔ main panel |
esc | Go back / close dialog |
q | Quit |
ctrl+c | Quit immediately |