More stage -> env updates

Author: jszobody

docs/guide/cli/reference.md

@@ -56,7 +56,7 @@ Add a custom env/environment beyond the standard ones (local, staging, productio
 | `--no-interaction` | boolean | `false` | Run without prompts |
 
 **Arguments:**
-- `[name]` - Stage name (prompted if not provided)
+- `[name]` - Environment name (prompted if not provided)
 
 **Examples:**
 ```bash
@@ -75,7 +75,7 @@ keep env:add hotfix
 keep env:add sandbox --no-interaction
 ```
 
-**Stage Name Requirements:**
+**Environment Name Requirements:**
 - Must be lowercase
 - Can contain letters, numbers, hyphens, and underscores
 - Examples: `qa`, `demo`, `integration`, `sandbox`, `dev2`, `staging-eu`
@@ -231,7 +231,7 @@ Show all secrets from a vault and environment.
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `--env` | string | *interactive* | Stage to list secrets from |
+| `--env` | string | *interactive* | Environment to list secrets from |
 | `--vault` | string | *default vault* | Vault to list secrets from |
 | `--unmask` | boolean | `false` | Show actual secret values instead of masked |
 | `--format` | string | `table` | Output format: `table`, `json`, `env` |
@@ -266,7 +266,7 @@ Generate a template file from existing secrets in a environment.
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `filename` | string | *required* | Template filename to create |
-| `--env` | string | *required* | Stage to generate template from |
+| `--env` | string | *required* | Environment to generate template from |
 | `--vault` | string | *all vaults* | Specific vault to use |
 | `--overwrite` | boolean | `false` | Overwrite existing template file |
 
@@ -290,7 +290,7 @@ Validate template files for syntax and placeholder resolution.
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `filename` | string | *required* | Template file to validate |
-| `--env` | string | *optional* | Stage to validate against |
+| `--env` | string | *optional* | Environment to validate against |
 
 ### Examples
 
@@ -374,7 +374,7 @@ Remove secrets from vaults.
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `--env` | string | *interactive* | Stage to delete secret from |
+| `--env` | string | *interactive* | Environment to delete secret from |
 | `--vault` | string | *default vault* | Vault to delete the secret from |
 | `--force` | boolean | `false` | Delete without confirmation prompt |
 
@@ -402,7 +402,7 @@ Rename a secret while preserving its value and metadata.
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `--env` | string | *interactive* | Stage where the secret exists |
+| `--env` | string | *interactive* | Environment where the secret exists |
 | `--vault` | string | *default vault* | Vault containing the secret |
 | `--force` | boolean | `false` | Skip confirmation prompt |
 
@@ -430,7 +430,7 @@ Search for text within secret values.
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `--env` | string | *interactive* | Stage to search in |
+| `--env` | string | *interactive* | Environment to search in |
 | `--vault` | string | *default vault* | Vault to search in |
 | `--unmask` | boolean | `false` | Show actual secret values in results |
 | `--case-sensitive` | boolean | `false` | Make the search case-sensitive |
@@ -603,7 +603,7 @@ Export secrets from vaults with optional template processing.
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `--env` | string | *interactive* | Stage to export secrets from |
+| `--env` | string | *interactive* | Environment to export secrets from |
 | `--vault` | string | *auto-discover* | Vault(s) to export from (comma-separated) |
 | `--format` | string | `env` | Output format: `env`, `json`, `csv` |
 | `--template` | string | | Optional template file with placeholders |
@@ -678,7 +678,7 @@ Execute subprocesses with secrets injected as environment variables (diskless).
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `--vault` | string | *interactive* | Vault to fetch secrets from |
-| `--env` | string | *interactive* | Stage to use |
+| `--env` | string | *interactive* | Environment to use |
 | `--template` | string | | Template file path, or auto-discover if empty |
 | `--only` | string | | Include only matching keys (patterns) |
 | `--except` | string | | Exclude matching keys (patterns) |

docs/guide/configuration.md

@@ -16,7 +16,7 @@ This interactive command will:
 You'll be prompted for:
 - **Project name**: Display name for your project
 - **Namespace**: Unique identifier for secret prefixes
-- **Stages**: Environment names (defaults to local, staging, production)
+- **Environments**: Environment names (defaults to local, staging, production)
 
 ## Project Structure
 
@@ -88,7 +88,7 @@ In larger teams, you might have:
 
 Workspace filtering lets each developer see only what's relevant to them, while the full configuration remains available to the team.
 
-## Managing Stages
+## Managing Environments
 
 The default envs are local, staging, and production. You can add custom envs as needed:
 

docs/guide/index.md

@@ -7,7 +7,7 @@ Keep is a PHP toolkit for managing secrets across applications, environments, an
 Managing secrets across local, staging, and production environments is challenging. Keep solves this by providing:
 
 - **Unified Interface**: One CLI for all your secret vaults
-- **Stage Organization**: Separate secrets by environment (local, staging, production)
+- **Environment Organization**: Separate secrets by environment (local, staging, production)
 - **Template Generation**: Build configuration files from templates with automatic secret replacement
 - **Team Collaboration**: Share vault access without exposing secret values
 - **Security First**: Encrypted storage, masked output, and secure AWS integration

docs/guide/shell/reference.md

@@ -174,7 +174,7 @@ Summary:
 • Identical across all environments: 1 (25%)
 • Different values: 2 (50%)
 • Missing in some envs: 1 (25%)
-• Stages compared: 2
+• Environments compared: 2
 ```
 
 ### Import/Export
@@ -204,7 +204,7 @@ Note: The `import` command is only available in the CLI, not the shell.
 Checking vault access permissions...
 Keep Vault Verification Results
 ┌────────────────┬────────────┬──────┬───────┬──────┬─────────┬────────┐
-│ Vault          │ Stage      │ List │ Write │ Read │ History │ Delete │
+│ Vault          │ Environment      │ List │ Write │ Read │ History │ Delete │
 ├────────────────┼────────────┼──────┼───────┼──────┼─────────┼────────┤
 │ ssm            │ local      │ ✓    │ ✓     │ ✓    │ ✓       │ ✓      │
 │ ssm            │ staging    │ ✓    │ ✓     │ ✓    │ ✓       │ ✓      │

docs/guide/vaults.md

@@ -68,7 +68,7 @@ keep set DB_PASSWORD "..." --vault=databases --env=production
 - **SSM**: Path-based (`/myapp/env/key`)
 - **Secrets Manager**: Tag-based with namespace tags
 
-**Stage Separation**
+**Environment Separation**
 Each vault organizes secrets by env:
 - `development`
 - `staging`

docs/guide/vaults/aws-secrets-manager.md

@@ -91,7 +91,7 @@ For developers who need complete access to manage secrets across all environment
           "aws:TagKeys": [
             "ManagedBy",
             "Namespace",
-            "Stage",
+            "Environment",
             "VaultSlug"
           ]
         }
@@ -141,7 +141,7 @@ For developers who should only access development and staging environments:
           "secretsmanager:ResourceTag/Namespace": "myapp"
         },
         "ForAnyValue:StringEquals": {
-          "secretsmanager:ResourceTag/Stage": [
+          "secretsmanager:ResourceTag/Environment": [
             "staging",
             "production"
           ]
@@ -168,7 +168,7 @@ For developers who should only access development and staging environments:
           "aws:RequestTag/Namespace": "myapp"
         },
         "ForAnyValue:StringEquals": {
-          "aws:RequestTag/Stage": [
+          "aws:RequestTag/Environment": [
             "staging",
             "production"
           ]
@@ -177,7 +177,7 @@ For developers who should only access development and staging environments:
           "aws:TagKeys": [
             "ManagedBy",
             "Namespace",
-            "Stage",
+            "Environment",
             "VaultSlug"
           ]
         }
@@ -216,7 +216,7 @@ For production deployment processes that only need to read production secrets:
       "Condition": {
         "StringEquals": {
           "secretsmanager:ResourceTag/Namespace": "myapp",
-          "secretsmanager:ResourceTag/Stage": "production"
+          "secretsmanager:ResourceTag/Environment": "production"
         }
       }
     },
@@ -256,7 +256,7 @@ Keep organizes secrets using simple path-style naming for duplicate avoidance, w
 
 ## Security Best Practices
 
-**Tag-Based Access Control**: Keep uses tags (`ManagedBy`, `Namespace`, `Stage`, `VaultSlug`) for precise IAM permissions instead of resource ARNs.
+**Tag-Based Access Control**: Keep uses tags (`ManagedBy`, `Namespace`, `Environment`, `VaultSlug`) for precise IAM permissions instead of resource ARNs.
 
 **Automatic Encryption**: All secrets are automatically encrypted at rest using AWS KMS.