Skip to content

ddyy/pk

Repository files navigation

pk

Your keys, your infra, verifiable pages.

Self-deployed tools built on one identity: a single age keypair wrapped by your passkey, and web pages you can verify before trusting them with key material. Everything deploys to your own Cloudflare account — there is no hosted service to trust.

Products

Product Status What it is
pkvault pre-release Passkey-encrypted .env files for teams

The independently specified @pksuite/crypto package provides the product-neutral streaming file envelope shared by future tools.

A product appears here only when it has a maintained implementation or a committed near-term release.

Related projects

  • pknotes — end-to-end encrypted markdown notes on the same passkey identity; maintained separately.

Research

Exploratory specifications that are not commitments or active roadmap items live in spec/research.

Principles

  • One identity. One passkey-wrapped age identity unlocks every product. Collaborative data uses random keys sealed to identities — the identity unwraps keys; it is not a master key material source. No per-product accounts.
  • Verifiable pages. Any page that touches key material is digest-pinned in GitHub Releases with human-gated deploys. If you can't verify it, it doesn't ship.
  • Operator-owned infra. Deployments run in your Cloudflare account (Workers + D1 + R2). We publish software, not services.
  • One derivation registry. Every HKDF info string used anywhere here is documented in spec/derivation-registry.md before it is used. No exceptions.

Repository layout

  • apps/ — deployable products (imported with full history; pkvault's pre-monorepo commits are preserved from ddyy/pkvault)
  • packages/ — reusable, product-neutral libraries
  • spec/ — specifications; spec/research/ is exploratory, non-roadmap

Releases

Per-product tags: pkvault-v0.1.1, … Release pages carry the digests for that product's verifiable pages. Releases prior to the monorepo move remain valid at the archived original repos.

About

Passkey-encrypted .env files for teams — secrets live encrypted in Git, teammates unlock with Face ID/WebAuthn PRF. age-compatible wire format, digest-verified unlock page, no server to trust.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Contributors