Interface parity: fix shell args, add encrypt toggle, add vault:delete and env:remove

Shell fixes:
- Fix diff command mapping broken --from/--to to correct --env (collect)
- Add unmask flag to history command
- Add overwrite, skip-existing, dry-run flags to import command
- Add overwrite, dry-run flags to copy command

Web UI:
- Add encrypt toggle to SecretDialog for create/update operations
- Wire secure param through API client, composable, and controller

New CLI commands:
- vault:delete: Remove vault config with confirmation and default vault protection
- env:remove: Remove custom environments with system env protection

Author: jszobody

src/Commands/EnvRemoveCommand.php

@@ -0,0 +1,75 @@
+<?php
+
+namespace STS\Keep\Commands;
+
+use STS\Keep\Data\Settings;
+use STS\Keep\Facades\Keep;
+
+use function Laravel\Prompts\confirm;
+use function Laravel\Prompts\select;
+
+class EnvRemoveCommand extends BaseCommand
+{
+    private const SYSTEM_ENVS = ['local', 'staging', 'production'];
+
+    protected $signature = 'env:remove
+        {name? : The environment to remove}
+        {--force : Skip confirmation prompt}';
+
+    protected $description = 'Remove a custom environment';
+
+    protected function process()
+    {
+        $settings = Settings::load();
+        $envs = $settings->envs();
+
+        $customEnvs = array_values(array_diff($envs, self::SYSTEM_ENVS));
+
+        if (empty($customEnvs)) {
+            $this->info('No custom environments to remove.');
+            $this->neutral('System environments (local, staging, production) cannot be removed.');
+
+            return self::SUCCESS;
+        }
+
+        $envName = $this->argument('name') ?? select(
+            label: 'Which environment do you want to remove?',
+            options: $customEnvs
+        );
+
+        if (in_array($envName, self::SYSTEM_ENVS)) {
+            $this->error("Cannot remove system environment '{$envName}'.");
+
+            return self::FAILURE;
+        }
+
+        if (! in_array($envName, $envs)) {
+            $this->error("Environment '{$envName}' not found.");
+
+            return self::FAILURE;
+        }
+
+        $this->line('Current environments: '.implode(', ', $envs));
+
+        if (! $this->option('force')) {
+            $confirmed = confirm(
+                label: "Are you sure you want to remove the '{$envName}' environment?",
+                default: false,
+                hint: 'This removes the environment from settings only — secrets in remote vaults are not affected'
+            );
+
+            if (! $confirmed) {
+                $this->neutral('Environment removal cancelled.');
+
+                return self::SUCCESS;
+            }
+        }
+
+        $settings->withEnvs(
+            array_values(array_filter($envs, fn ($e) => $e !== $envName))
+        )->save();
+
+        $this->newLine();
+        $this->success("Environment <secret-name>{$envName}</secret-name> has been removed.");
+    }
+}

src/Commands/VaultDeleteCommand.php

@@ -0,0 +1,84 @@
+<?php
+
+namespace STS\Keep\Commands;
+
+use STS\Keep\Facades\Keep;
+
+use function Laravel\Prompts\confirm;
+use function Laravel\Prompts\select;
+use function Laravel\Prompts\table;
+
+class VaultDeleteCommand extends BaseCommand
+{
+    protected $signature = 'vault:delete
+        {vault? : The vault slug to delete}
+        {--force : Skip confirmation prompt}';
+
+    protected $description = 'Delete a vault configuration';
+
+    protected function process()
+    {
+        $configuredVaults = Keep::getConfiguredVaults();
+
+        if ($configuredVaults->isEmpty()) {
+            $this->info('No vaults are configured.');
+
+            return self::SUCCESS;
+        }
+
+        $slug = $this->argument('vault') ?? select(
+            label: 'Which vault do you want to delete?',
+            options: $configuredVaults->keys()->toArray()
+        );
+
+        if (! $configuredVaults->has($slug)) {
+            $this->error("Vault '{$slug}' not found.");
+
+            return self::FAILURE;
+        }
+
+        $defaultVault = Keep::getDefaultVault();
+
+        if ($slug === $defaultVault) {
+            $this->error('Cannot delete the default vault.');
+            $this->line('Change the default vault first with: keep init');
+
+            return self::FAILURE;
+        }
+
+        $config = $configuredVaults->get($slug);
+
+        $this->newLine();
+        $this->line('Vault to be deleted:');
+        table(['Slug', 'Name', 'Driver'], [
+            [$slug, $config->name(), $config->driver()],
+        ]);
+
+        if (! $this->option('force')) {
+            $confirmed = confirm(
+                label: 'Are you sure you want to delete this vault configuration?',
+                default: false,
+                hint: 'This removes the local config only — secrets in the remote vault are not affected'
+            );
+
+            if (! $confirmed) {
+                $this->neutral('Vault deletion cancelled.');
+
+                return self::SUCCESS;
+            }
+        }
+
+        $vaultFile = getcwd().'/.keep/vaults/'.$slug.'.json';
+
+        if (! $this->filesystem->exists($vaultFile)) {
+            $this->error("Vault configuration file not found: {$vaultFile}");
+
+            return self::FAILURE;
+        }
+
+        $this->filesystem->delete($vaultFile);
+
+        $this->newLine();
+        $this->success("Vault <secret-name>{$slug}</secret-name> configuration has been deleted.");
+    }
+}

src/KeepApplication.php

@@ -35,9 +35,11 @@ public function __construct(protected KeepInstall $install)
 
             Commands\VaultAddCommand::class,
             Commands\VaultEditCommand::class,
+            Commands\VaultDeleteCommand::class,
             Commands\VaultListCommand::class,
 
             Commands\EnvAddCommand::class,
+            Commands\EnvRemoveCommand::class,
 
             Commands\WorkspaceCommand::class,
 

src/Server/Controllers/SecretController.php

@@ -40,7 +40,8 @@ public function create(): array
 
         try {
             $vault = $this->getVault();
-            $vault->set($this->body['key'], $this->body['value']);
+            $secure = ($this->body['secure'] ?? true) !== false;
+            $vault->set($this->body['key'], $this->body['value'], $secure);
         } catch (\InvalidArgumentException $e) {
             return $this->error($e->getMessage());
         }
@@ -58,8 +59,9 @@ public function update(string $key): array
         }
 
         $vault = $this->getVault();
-        $vault->set(urldecode($key), $this->body['value']);
-        
+        $secure = ($this->body['secure'] ?? true) !== false;
+        $vault->set(urldecode($key), $this->body['value'], $secure);
+
         return $this->success([
             'success' => true,
             'message' => "Secret '{$key}' updated in vault '{$this->body['vault']}' environment '{$this->body['env']}'"

src/Server/frontend/src/components/SecretDialog.vue

@@ -34,9 +34,19 @@
             />
           </div>
 
-          <div class="text-xs text-muted-foreground">
-            Vault: <span class="font-medium">{{ vault }}</span> • 
-            Env: <span class="font-medium">{{ env }}</span>
+          <div class="flex items-center justify-between">
+            <div class="text-xs text-muted-foreground">
+              Vault: <span class="font-medium">{{ vault }}</span> •
+              Env: <span class="font-medium">{{ env }}</span>
+            </div>
+            <label class="flex items-center space-x-2 text-sm cursor-pointer">
+              <input
+                type="checkbox"
+                v-model="form.secure"
+                class="rounded border-border"
+              />
+              <span class="text-muted-foreground">Encrypt</span>
+            </label>
           </div>
 
           <div v-if="saveError" class="p-3 bg-red-50 dark:bg-red-950/20 border border-red-200 dark:border-red-900 rounded-md">
@@ -84,7 +94,8 @@ const { createSecret, updateSecret } = useSecrets()
 
 const form = reactive({
   key: '',
-  value: ''
+  value: '',
+  secure: true
 })
 
 const keyError = ref('')
@@ -153,10 +164,10 @@ async function save() {
   
   try {
     if (props.secret) {
-      await updateSecret(form.key, form.value, props.vault, props.env)
+      await updateSecret(form.key, form.value, props.vault, props.env, form.secure)
       toast.success('Secret updated', `Secret '${form.key}' has been updated successfully`)
     } else {
-      await createSecret(form.key, form.value, props.vault, props.env)
+      await createSecret(form.key, form.value, props.vault, props.env, form.secure)
       toast.success('Secret created', `Secret '${form.key}' has been created successfully`)
     }
     emit('success')

src/Server/frontend/src/composables/useSecrets.js

@@ -22,11 +22,11 @@ export function useSecrets() {
     }
   }
 
-  async function createSecret(key, value, vault, env) {
+  async function createSecret(key, value, vault, env, secure = true) {
     loading.value = true
     error.value = null
     try {
-      const response = await api.createSecret(key, value, vault, env)
+      const response = await api.createSecret(key, value, vault, env, secure)
       // Don't call loadSecrets here - let the component handle refresh
       return response
     } catch (err) {
@@ -37,11 +37,11 @@ export function useSecrets() {
     }
   }
 
-  async function updateSecret(key, value, vault, env) {
+  async function updateSecret(key, value, vault, env, secure = true) {
     loading.value = true
     error.value = null
     try {
-      const response = await api.updateSecret(key, value, vault, env)
+      const response = await api.updateSecret(key, value, vault, env, secure)
       // Don't call loadSecrets here - let the component handle refresh
       return response
     } catch (err) {

src/Server/frontend/src/services/api.js

@@ -57,17 +57,17 @@ class ApiClient {
     return this.request(`/secrets/${encodeURIComponent(key)}?vault=${vault}&env=${env}&unmask=${unmask}`)
   }
 
-  async createSecret(key, value, vault, env) {
+  async createSecret(key, value, vault, env, secure = true) {
     return this.request('/secrets', {
       method: 'POST',
-      body: JSON.stringify({ key, value, vault, env })
+      body: JSON.stringify({ key, value, vault, env, secure })
     })
   }
 
-  async updateSecret(key, value, vault, env) {
+  async updateSecret(key, value, vault, env, secure = true) {
     return this.request(`/secrets/${encodeURIComponent(key)}`, {
       method: 'PUT',
-      body: JSON.stringify({ value, vault, env })
+      body: JSON.stringify({ value, vault, env, secure })
     })
   }
 

src/Shell/ArgumentProcessor.php

@@ -21,6 +21,7 @@ class ArgumentProcessor
         ],
         'history' => [
             'arguments' => ['key'],
+            'flags' => ['unmask'],
         ],
         'delete' => [
             'arguments' => ['key'],
@@ -31,9 +32,11 @@ class ArgumentProcessor
             'options' => [
                 1 => '--to', // Second positional becomes --to option
             ],
+            'flags' => ['overwrite', 'dry-run'],
         ],
         'import' => [
             'arguments' => ['from'],
+            'flags' => ['overwrite', 'skip-existing', 'dry-run'],
         ],
         'rename' => [
             'arguments' => ['old', 'new'],
@@ -50,10 +53,7 @@ class ArgumentProcessor
             'arguments' => ['name'],
         ],
         'diff' => [
-            'options' => [
-                0 => '--from',
-                1 => '--to',
-            ],
+            'collect' => '--env',
             'flags' => ['unmask'],
         ],
         'verify' => [
@@ -92,6 +92,11 @@ public static function process(string $command, array $positionals, array &$inpu
         if (isset($config['options'])) {
             self::processOptions($positionals, $config['options'], $input);
         }
+
+        // Collect remaining positionals into a single comma-separated option
+        if (isset($config['collect'])) {
+            self::processCollect($positionals, $config['collect'], $config['flags'] ?? [], $input);
+        }
     }
 
     /**
@@ -129,4 +134,16 @@ private static function processOptions(array $positionals, array $options, array
             }
         }
     }
+
+    /**
+     * Collect all non-flag positionals into a single comma-separated option
+     */
+    private static function processCollect(array $positionals, string $option, array $flags, array &$input): void
+    {
+        $values = array_filter($positionals, fn ($p) => !in_array($p, $flags));
+
+        if (!empty($values)) {
+            $input[$option] = implode(',', $values);
+        }
+    }
 }