Fix docs: comprehensive audit against source code

- --output → --file on export command (6 files)
- --secure → --plain on set command (inverted logic)
- Remove nonexistent --force on set command
- keep list → keep show (not a real command)
- keep get --unmask → --format=raw
- Fix template:add signature (no filename arg, --vault, --overwrite)
- Fix IAM policy tag Environment → Env (matches actual code)
- Server --host default 127.0.0.1 → localhost
- Remove undocumented env vars and DEBUG=1 feature
- Fix web UI routes (/export doesn't exist, add /templates)
- Fix broken links to nonexistent files
- Fix shell prompt format (>>> → ssm:local>)
- Fix shell alias q → quit (not exit), remove list alias

Author: jszobody

docs/TROUBLESHOOTING.md

@@ -68,7 +68,7 @@ location.reload()
 **Debug**:
 ```bash
 # Test vault access via CLI
-keep list --vault=aws --env=production
+keep show --env=production
 
 # Check AWS credentials
 aws sts get-caller-identity
@@ -96,7 +96,7 @@ aws sts get-caller-identity
 **Debug**:
 ```bash
 # Verify via CLI
-keep get MY_SECRET --vault=aws --env=prod
+keep get MY_SECRET --env=local
 ```
 
 #### Masked Values Won't Unmask
@@ -154,12 +154,6 @@ npm run dev
 
 ## Debug Mode
 
-### Enable Verbose Logging
-```bash
-# Set debug environment variable
-DEBUG=1 keep server
-```
-
 ### Check Browser Console
 1. Open DevTools (F12)
 2. Check Console tab for errors
@@ -267,9 +261,9 @@ keep server
 If UI is completely broken:
 ```bash
 # Use CLI instead
-keep list
-keep get SECRET_NAME
-keep set SECRET_NAME value
+keep show --env=local
+keep get SECRET_NAME --env=local
+keep set SECRET_NAME value --env=local
 
 # Or use AWS CLI directly
 aws ssm get-parameter --name /myapp/SECRET_NAME

docs/WEB_UI.md

@@ -16,7 +16,7 @@ keep server --port=8080
 # Without auto-opening browser
 keep server --no-browser
 
-# Specific network interface (default: 127.0.0.1)
+# Specific network interface (default: localhost)
 keep server --host=0.0.0.0
 ```
 
@@ -49,7 +49,7 @@ Compare secrets across envs and vaults:
   - ✗ Missing
 - **Inline editing** directly from diff cells
 - **Multi-select** for comparing specific vault/env combinations
-- **Export diff** to CSV for reporting
+- **Export** comparison data for reporting
 
 ### Export
 
@@ -97,9 +97,9 @@ Manage Keep configuration:
 ## Navigation
 
 ### URL Routes
-- `/` - Secrets table (default)
+- `/secrets` - Secrets table (default, `/` redirects here)
+- `/templates` - Template management
 - `/diff` - Diff matrix view
-- `/export` - Export interface
 - `/settings` - Configuration
 
 ### Keyboard Shortcuts
@@ -123,7 +123,7 @@ Manage Keep configuration:
 - All operations go directly to vault
 
 ### Network Security
-- Binds to 127.0.0.1 by default
+- Binds to localhost by default
 - No CORS headers (prevents external access)
 - HTTPS not required for localhost
 - Token validation on all API endpoints
@@ -216,13 +216,6 @@ npm run dev
 ```bash
 # PHP tests
 composer test
-
-# JavaScript tests
-cd src/Server/frontend
-npm test
-
-# With coverage
-npm run test:coverage
 ```
 
 ### Project Structure
@@ -241,10 +234,6 @@ src/Server/
 └── BUILD.md            # Build documentation
 ```
 
-## Contributing
-
-See [CONTRIBUTING.md](../CONTRIBUTING.md) for development guidelines.
-
 ## FAQ
 
 **Q: Can I access the UI remotely?**
@@ -262,6 +251,3 @@ A: Currently uses a dark theme. Light theme support planned for future release.
 **Q: Can I export the UI settings?**
 A: Settings are stored in Keep's configuration files, not the UI. Use `keep init` to manage.
 
-## Changelog
-
-See [CHANGELOG.md](../CHANGELOG.md) for version history and updates.

docs/commands/SERVER.md

@@ -20,9 +20,9 @@ Launches a local web server that provides a browser-based interface for managing
 - **Example**: `keep server --port=8080`
 
 ### `--host=<host>`
-- **Default**: `127.0.0.1`
+- **Default**: `localhost`
 - **Description**: Network interface to bind to
-- **Security**: Use `127.0.0.1` for local-only access
+- **Security**: Use `localhost` for local-only access
 - **Example**: `keep server --host=0.0.0.0` (allows network access)
 
 ### `--no-browser`
@@ -72,7 +72,7 @@ The server generates a unique authentication token on each startup:
 - Token expires when server stops
 
 ### Network Security
-- **Default binding**: `127.0.0.1` (localhost only)
+- **Default binding**: `localhost` (localhost only)
 - **No HTTPS**: Not required for localhost connections
 - **No CORS**: Prevents cross-origin requests
 - **Token validation**: All API requests require valid token
@@ -109,29 +109,6 @@ Error: Permission denied binding to port 80
 2. Check firewall settings
 3. Ensure correct port and host
 
-## Environment Variables
-
-### `KEEP_SERVER_PORT`
-Override default port:
-```bash
-export KEEP_SERVER_PORT=8080
-keep server
-```
-
-### `KEEP_SERVER_HOST`
-Override default host:
-```bash
-export KEEP_SERVER_HOST=0.0.0.0
-keep server
-```
-
-### `KEEP_NO_BROWSER`
-Disable browser auto-open:
-```bash
-export KEEP_NO_BROWSER=1
-keep server
-```
-
 ## Files
 
 ### Server Files
@@ -144,9 +121,9 @@ The web UI does not create or modify any local files. All data is read from and
 
 ## Related Commands
 
-- [`keep init`](INIT.md) - Set up vaults before using UI
-- [`keep list`](LIST.md) - CLI alternative to view secrets
-- [`keep export`](EXPORT.md) - CLI alternative for exporting
+- `keep init` - Set up vaults before using UI
+- `keep show` - CLI alternative to view secrets
+- `keep export` - CLI alternative for exporting
 
 ## Notes
 

docs/guide/aws-authentication.md

@@ -103,7 +103,7 @@ When running on EC2, ECS, or Lambda, use IAM roles:
 # The AWS SDK automatically uses the instance role
 
 # In your deployment script:
-keep export --env=production --output=.env
+keep export --env=production --file=.env
 php artisan config:cache
 ```
 
@@ -155,7 +155,7 @@ jobs:
           aws-region: us-east-1
 
       - run: |
-          vendor/bin/keep export --env=production --output=.env
+          vendor/bin/keep export --env=production --file=.env
           # Deploy your application
 ```
 
@@ -166,7 +166,7 @@ jobs:
 deploy:
   script:
     # Using GitLab's AWS integration
-    - vendor/bin/keep export --env=production --output=.env
+    - vendor/bin/keep export --env=production --file=.env
   id_tokens:
     AWS_TOKEN:
       aud: https://gitlab.com

docs/guide/cli/index.md

@@ -62,8 +62,8 @@ fi
 keep copy --only="*" --from=template --to=$ENV
 
 # Set environment-specific values
-keep set DATABASE_URL "postgres://db-$ENV.internal/app" --env=$ENV --force
-keep set API_URL "https://api-$ENV.example.com" --env=$ENV --force
+keep set DATABASE_URL "postgres://db-$ENV.internal/app" --env=$ENV
+keep set API_URL "https://api-$ENV.example.com" --env=$ENV
 
 # Validate
 keep show --env=$ENV
@@ -76,14 +76,13 @@ keep show --env=$ENV
 #!/bin/bash
 set -euo pipefail
 
-keep set API_KEY "$NEW_KEY" --env=production --force
+keep set API_KEY "$NEW_KEY" --env=production
 keep run --env=production -- npm run deploy
 ```
 
 ### Use Force Flags for Automation
 ```bash
 # Avoid interactive prompts in scripts
-keep set KEY "value" --env=production --force
 keep delete OLD_KEY --env=staging --force
 keep export --env=production --file=.env --overwrite
 ```

docs/guide/cli/reference.md

@@ -222,8 +222,7 @@ Create or update secrets in vaults.
 |--------|------|---------|-------------|
 | `--env` | string | *interactive* | Target env (local, staging, production) |
 | `--vault` | string | *default vault* | Vault to store the secret in |
-| `--secure` | boolean | `true` | Whether to encrypt the secret |
-| `--force` | boolean | `false` | Overwrite existing secrets without confirmation |
+| `--plain` | boolean | `false` | Do not encrypt the value |
 
 **Arguments:**
 - `[key]` - Secret key name (prompted if not provided)
@@ -256,8 +255,8 @@ keep set
 # Direct mode
 keep set API_KEY "abc123" --env=local
 
-# Force overwrite
-keep set API_KEY "new-value" --env=production --force
+# Store as plain text (not encrypted)
+keep set API_KEY "new-value" --env=production --plain
 
 # Specify vault
 keep set STRIPE_KEY "sk_live_..." --env=production --vault=secretsmanager
@@ -327,26 +326,21 @@ keep show --env=production --vault=secretsmanager --format=env
 
 ## `keep template:add`
 
-Generate a template file from existing secrets in a environment.
+Generate a template file from existing secrets in an environment. The template is saved as `{env}.env` in the template directory.
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `filename` | string | *required* | Template filename to create |
-| `--env` | string | *required* | Environment to generate template from |
-| `--vault` | string | *all vaults* | Specific vault to use |
-| `--overwrite` | boolean | `false` | Overwrite existing template file |
+| `--env` | string | *interactive* | Environment to generate template from |
+| `--path` | string | *template directory* | Custom template directory path |
 
 ### Examples
 
 ```bash
-# Create template from production secrets
-keep template:add .env.template --env=production
+# Create template from production secrets (saves as production.env)
+keep template:add --env=production
 
-# Create from specific vault
-keep template:add api.template --env=production --vault=ssm
-
-# Overwrite existing template
-keep template:add config.env --env=staging --overwrite
+# Specify custom template directory
+keep template:add --env=staging --path=./config/templates
 ```
 
 ## `keep template:validate`
@@ -355,7 +349,7 @@ Validate template files for syntax and placeholder resolution.
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `filename` | string | *required* | Template file to validate |
+| `[template]` | string | *optional* | Template file to validate (prompted if not provided) |
 | `--env` | string | *optional* | Environment to validate against |
 
 ### Examples
@@ -389,27 +383,27 @@ The interactive shell provides:
 
 **Context Management:**
 ```bash
-keep> env production      # Switch to production env (alias: e)
-keep> vault ssm          # Switch to ssm vault (alias: v)
-keep> use ssm:production # Switch both at once (alias: u)
-keep> context            # Show current context (alias: ctx)
+ssm:local> env production      # Switch to production env (alias: e)
+ssm:local> vault ssm          # Switch to ssm vault (alias: v)
+ssm:local> use ssm:production # Switch both at once (alias: u)
+ssm:local> context            # Show current context (alias: ctx)
 ```
 
 **Secret Operations:**
 ```bash
-keep> set API_KEY value  # Set a secret
-keep> get API_KEY        # Get a secret (alias: g)
-keep> delete API_KEY     # Delete a secret (alias: d)
-keep> show               # List all secrets (aliases: ls, list, l)
-keep> copy KEY --to=prod # Copy using current context as source
+ssm:local> set API_KEY value  # Set a secret
+ssm:local> get API_KEY        # Get a secret (alias: g)
+ssm:local> delete API_KEY     # Delete a secret (alias: d)
+ssm:local> show               # List all secrets (aliases: ls, l)
+ssm:local> copy KEY --to=prod # Copy using current context as source
 ```
 
 **Shell Control:**
 ```bash
-keep> help               # Show available commands (alias: ?)
-keep> history            # Show command history (alias: h)
-keep> clear              # Clear screen (alias: cls)
-keep> exit               # Exit shell (aliases: quit, q)
+ssm:local> help               # Show available commands (alias: ?)
+ssm:local> history            # Show command history (alias: h)
+ssm:local> clear              # Clear screen (alias: cls)
+ssm:local> exit               # Exit shell (aliases: quit, q)
 ```
 
 ### Examples
@@ -419,12 +413,12 @@ keep> exit               # Exit shell (aliases: quit, q)
 keep shell --env=production --vault=ssm
 
 # Interactive session
-keep (ssm:production)> show
-keep (ssm:production)> env development
+ssm:production> show
+ssm:production> env development
 ✓ Switched to env: development
-keep (ssm:development)> set API_KEY "dev-key"
-keep (ssm:development)> copy API_KEY --to=production
-keep (ssm:development)> exit
+ssm:development> set API_KEY "dev-key"
+ssm:development> copy API_KEY --to=production
+ssm:development> exit
 Goodbye!
 ```
 

docs/guide/deployment/index.md

@@ -15,7 +15,7 @@ Templates provide:
 
 ```bash
 # Create template from existing secrets
-keep template:add production.env --env=production
+keep template:add --env=production
 ```
 
 ### 2. [Runtime Secrets Injection](./runtime-injection.md)

docs/guide/deployment/templates.md

@@ -42,14 +42,11 @@ Templates are your application's complete environment configuration - Keep handl
 Generate templates automatically from your vault:
 
 ```bash
-# Create template from all secrets in an env
-keep template:add production.env --env=production
+# Create template from all secrets in an env (saves as production.env)
+keep template:add --env=production
 
-# From specific vault
-keep template:add api.env --env=production --vault=ssm
-
-# Overwrite existing template
-keep template:add config.env --env=staging --overwrite
+# Specify custom template directory
+keep template:add --env=staging --path=./config/templates
 ```
 
 ### Manual Creation