Your keys, your infra, verifiable pages.
Self-deployed tools built on one identity: a single age keypair wrapped by your passkey, and web pages you can verify before trusting them with key material. Everything deploys to your own Cloudflare account — there is no hosted service to trust.
| Product | Status | What it is |
|---|---|---|
| pkvault | pre-release | Passkey-encrypted .env files for teams |
The independently specified @pksuite/crypto package
provides the product-neutral streaming file envelope shared by future tools.
A product appears here only when it has a maintained implementation or a committed near-term release.
- pknotes — end-to-end encrypted markdown notes on the same passkey identity; maintained separately.
Exploratory specifications that are not commitments or active roadmap items
live in spec/research.
- One identity. One passkey-wrapped age identity unlocks every product. Collaborative data uses random keys sealed to identities — the identity unwraps keys; it is not a master key material source. No per-product accounts.
- Verifiable pages. Any page that touches key material is digest-pinned in GitHub Releases with human-gated deploys. If you can't verify it, it doesn't ship.
- Operator-owned infra. Deployments run in your Cloudflare account (Workers + D1 + R2). We publish software, not services.
- One derivation registry. Every HKDF
infostring used anywhere here is documented in spec/derivation-registry.md before it is used. No exceptions.
apps/— deployable products (imported with full history; pkvault's pre-monorepo commits are preserved fromddyy/pkvault)packages/— reusable, product-neutral librariesspec/— specifications;spec/research/is exploratory, non-roadmap
Per-product tags: pkvault-v0.1.1, … Release pages carry the digests for
that product's verifiable pages. Releases prior to the monorepo move remain
valid at the archived original repos.