Unify secret key validation and fix documentation

- Add SecretKeyValidator as single source of truth for key validation
- Update Secret, Placeholder, ImportService, SecretController to use unified validator
- Fix frontend validation to match backend rules (SecretDialog, RenameDialog)
- Add path traversal protection to TemplateService
- Remove exception type leakage from Router error responses
- Add missing command configs to ArgumentProcessor (diff, verify, export)
- Remove dead cache export code from ExportCommand
- Extract import delay to named constant

Documentation fixes:
- Fix --output to --file flag throughout docs
- Fix keep list to keep show, keep ui to keep server
- Remove false rate limiting claims from WEB_UI.md
- Replace YAML with CSV in export format docs and frontend
- Fix broken links to CLI reference
- Add Secret Key Naming Rules section to CLI reference
- Clarify template placeholder syntax

Author: jszobody

docs/WEB_UI.md

@@ -53,7 +53,7 @@ Compare secrets across envs and vaults:
 ### Export
 
 Export secrets in multiple formats:
-- **Formats**: ENV, JSON, YAML, Shell script
+- **Formats**: ENV, JSON, CSV
 - **Live preview** before download
 - **Copy to clipboard** for quick use
 - **Template support** for custom formats
@@ -125,7 +125,7 @@ Manage Keep configuration:
 - Binds to 127.0.0.1 by default
 - No CORS headers (prevents external access)
 - HTTPS not required for localhost
-- Rate limiting on API endpoints
+- Token validation on all API endpoints
 
 ## Troubleshooting
 

docs/guide/cli/index.md

@@ -143,7 +143,7 @@ For detailed command syntax and options, see the [CLI Command Reference](./refer
 | `keep run` | Runtime injection | Production deployment |
 | `keep delete` | Remove secrets | Cleanup |
 | `keep shell` | Interactive mode | Exploration |
-| `keep ui` | Web interface | Management |
+| `keep server` | Web interface | Management |
 
 ## Integration Examples
 

docs/guide/cli/reference.md

@@ -182,6 +182,25 @@ Create or update secrets in vaults.
 - `[key]` - Secret key name (prompted if not provided)
 - `[value]` - Secret value (prompted if not provided)
 
+### Secret Key Naming Rules
+
+Secret keys must follow these rules:
+- **Allowed characters**: Letters, numbers, underscores, and hyphens (`A-Za-z0-9_-`)
+- **Length**: 1-255 characters
+- **Cannot start with hyphen**: Keys like `-MY_KEY` are rejected (could be interpreted as command flags)
+
+**Valid examples:**
+- `DATABASE_PASSWORD`
+- `api-key`
+- `my_service_v2_token`
+- `AWS_ACCESS_KEY_ID`
+
+**Invalid examples:**
+- `-starts-with-hyphen` (starts with hyphen)
+- `has spaces` (contains spaces)
+- `path/with/slashes` (contains slashes)
+- `dotted.key.name` (contains dots)
+
 **Examples:**
 ```bash
 # Interactive mode

docs/guide/deployment/index.md

@@ -101,4 +101,4 @@ One template per env, containing both secrets (as placeholders) and static confi
 - Learn about [Runtime Secrets Injection](./runtime-injection.md)
 - Set up [Templates](./templates.md) for your applications
 - Understand [File Export](./exporting.md) options
-- Review [Security Best Practices](/guide/reference/security-architecture)
+- Review [AWS Authentication](/guide/aws-authentication) for security best practices

docs/guide/deployment/templates.md

@@ -23,14 +23,11 @@ TIMEZONE=UTC
 REDIS_HOST=redis.internal
 QUEUE_CONNECTION=redis
 
-# Secrets from vaults
+# Secrets from vaults (format: {vault:key})
 DATABASE_URL={ssm:DATABASE_URL}
 REDIS_PASSWORD={ssm:REDIS_PASSWORD}
 API_KEY={ssm:API_KEY}
 
-# Path-based secrets
-STRIPE_KEY={ssm:payments/stripe/key}
-
 # Multiple vaults
 AWS_ACCESS_KEY={ssm:AWS_ACCESS_KEY}
 GITHUB_TOKEN={secretsmanager:GITHUB_TOKEN}

docs/guide/quick-start.md

@@ -29,7 +29,7 @@ keep get DB_PASSWORD --env=local --unmask
 
 ```bash
 # Export secrets to a .env file
-keep export --env=local --output=.env
+keep export --env=local --file=.env
 ```
 
 This creates a `.env` file with your secrets:

docs/guide/vaults/aws-secrets-manager.md

@@ -343,4 +343,4 @@ For supported services like RDS, enable automatic rotation:
 
 - [AWS SSM Parameter Store](./aws-ssm) - For cost-effective configuration and simple secrets
 - [Deployment & Runtime](../deployment/) - Export secrets and runtime injection
-- [CLI Reference](../reference/cli-reference) - Complete command documentation
+- [CLI Reference](../cli/reference) - Complete command documentation

docs/guide/vaults/aws-ssm.md

@@ -233,4 +233,4 @@ keep export --template=env.template --env=production --vault=ssm --output=.env
 
 - [AWS Secrets Manager](./aws-secrets-manager) - For more advanced secret rotation features
 - [Deployment & Runtime](../deployment/) - Export secrets and runtime injection
-- [CLI Reference](../reference/cli-reference) - Complete command documentation
+- [CLI Reference](../cli/reference) - Complete command documentation

docs/guide/web-ui/features.md

@@ -9,7 +9,7 @@ The Secrets page provides full CRUD operations with real-time search and filteri
 - Copy secrets between environments and vaults
 - View revision history
 - Bulk import from `.env` files
-- Export in ENV, JSON, YAML, or Shell format
+- Export in ENV, JSON, or CSV format
 
 ## Diff Matrix
 
@@ -45,12 +45,11 @@ API_KEY={secretsmanager:API_KEY}
 ### Import
 Drop `.env` files or paste content to bulk import secrets. The preview shows what will be imported with conflict detection. Choose to skip existing secrets or overwrite them.
 
-### Export  
+### Export
 Generate configuration files in multiple formats:
 - **ENV** - Standard `.env` format
 - **JSON** - Structured object
-- **YAML** - Key-value pairs
-- **Shell** - Export statements
+- **CSV** - Spreadsheet-compatible format
 
 Export supports filtering by patterns and selective inclusion.
 

docs/index.md

@@ -46,13 +46,13 @@ keep vault:add
 keep set DB_PASSWORD "super-secret" --env=production
 
 # List secrets
-keep list --env=staging
+keep show --env=staging
 
 # Compare environments
 keep diff --env=staging,production
 
 # Export to .env
-keep export --env=production --output=.env
+keep export --env=production --file=.env
 
 # Use templates  
 keep export --template=.env.template --env=production --output=.env