# Capy

## Docs

- [capy branch: List, Delete, Switch Secret Branches](https://capy.sc/docs/cli/branch.md): Interactive lister and switcher for Capy secret branches. Shows your current branch, protected markers, and supports -D to delete unused branches.
- [capy Command: Sync Encrypted Secrets](https://capy.sc/docs/cli/capy.md): The capy command syncs encrypted secrets with the remote, resolves conflicts, and initializes the project on first run. Sets git hooks, writes keep.lock.
- [capy checkout: Switch or Create a Secret Branch](https://capy.sc/docs/cli/checkout.md): Non-interactive branch switching with capy checkout. Use -b to create a new branch, add --protected to make it invite-only at the crypto layer.
- [capy cleanup: Remove Capy Git Hooks](https://capy.sc/docs/cli/cleanup.md): Remove Capy's post-checkout and post-merge git hooks from a repository. Leaves .env and keep.lock intact — for uninstalling or clearing hook conflicts.
- [capy deploy: Set Up Encrypted Production Secrets](https://capy.sc/docs/cli/deploy.md): Generate platform-specific deploy tokens via capy deploy — supports Vercel, Cloudflare, Fly, Railway, Render, Heroku, Lambda, Docker, and GitHub Actions.
- [capy edit: Interactive TUI for Secret Editing](https://capy.sc/docs/cli/edit.md): Edit and rotate secrets in a two-pane TUI. Reveal values, edit inline, commit and push — r e c q keybindings, with conflict status indicators per row.
- [capy grant-branch: Scriptable Branch Access](https://capy.sc/docs/cli/grant-branch.md): Grant a teammate access to a protected branch from CI: capy grant-branch . Non-interactive, exits non-zero on failure.
- [capy info: Show Current Session & Project](https://capy.sc/docs/cli/info.md): Print your authenticated user, active org, current project and branch, keep.lock version, and keyring path. Useful when commands aren't behaving as expected.
- [capy invite: Add a Teammate to Your Organization](https://capy.sc/docs/cli/invite.md): Invite a teammate with capy invite . Pick a role, get a one-time redeem code, and share it out-of-band — the service never sees the invite token.
- [capy kick: Remove a Teammate from Your Org](https://capy.sc/docs/cli/kick.md): Remove a teammate with capy kick . O(1) revocation: no key rotation, no re-encryption — their local key material becomes cryptographically inert.
- [capy logout: End Session and Clear Cached Keys](https://capy.sc/docs/cli/logout.md): End your Capy session and clear cached project keys. Master keys at ~/.capy/orgs/ survive logout — encrypted at rest. Delete ~/.capy/ for a full wipe.
- [capy org: Switch Your Active Organization](https://capy.sc/docs/cli/org.md): Switch your active Capy organization with capy org. Affects org-scoped commands like invite and kick; project-scoped commands always read from keep.lock.
- [capy push: Publish Local Secret Changes](https://capy.sc/docs/cli/push.md): Push-only sync for Capy: publishes local secret changes to the remote without pulling. Refuses if the remote has diverged — run capy first to reconcile.
- [capy redeem: Accept an Invite to a Capy Org](https://capy.sc/docs/cli/redeem.md): Join a Capy organization with capy redeem . The service unwraps the outer layer; your machine unwraps the inner layer locally using the invite token.
- [capy revoke-branch: Scriptable Branch Revoke](https://capy.sc/docs/cli/revoke-branch.md): Revoke a teammate's access to a protected branch from CI: capy revoke-branch . Their access becomes cryptographically inert immediately, with a 403 on the next decrypt.
- [capy run: Inject Decrypted Secrets at Runtime](https://capy.sc/docs/cli/run.md): Run any command with decrypted secrets in the process env. Capy supports local mode (keyring + .env) and deployed mode (SECRETS_BLOB), with full signal forwarding.
- [capy status: Show Drift Between Local & Remote](https://capy.sc/docs/cli/status.md): Read-only three-way diff of your secrets: pinned, local, and remote. Shows + - ~ ? symbols for every variable that differs. Safe to run anytime.
- [capy users: Interactive Team & Role Management](https://capy.sc/docs/cli/users.md): Browse organization members in an interactive table. Change roles, grant or revoke protected-branch access, and expand rows to see per-project assignments.
- [Capy vs. 1Password CLI: Secrets for Developers](https://capy.sc/docs/comparisons/1password.md): Capy vs. 1Password CLI: a git-aligned .env workflow vs. a unified vault for humans, machines, and agents. Compare trust models and developer ergonomics.
- [Capy vs. AWS Secrets Manager: Different Jobs](https://capy.sc/docs/comparisons/aws-secrets-manager.md): Capy vs. AWS Secrets Manager: developer .env workflow vs. AWS-runtime credential store with IAM and rotation. Most teams use both, not one or the other.
- [Capy vs. Doppler: Secrets Management Comparison](https://capy.sc/docs/comparisons/doppler.md): Capy vs. Doppler: client-side vs. server-side encryption, keep.lock PR diffs vs. dashboard, O(1) cryptographic kick vs. revoke-and-rotate. Pick by trust model.
- [Capy vs. dotenvx: When Shared Keys Stop Scaling](https://capy.sc/docs/comparisons/dotenvx.md): Capy vs. dotenvx: both encrypt client-side, but dotenvx leaves key distribution to you. Capy handles invites, kicks, and key rotation cryptographically.
- [Best Secrets Manager: Capy vs. Doppler, 1Password & More](https://capy.sc/docs/comparisons/index.md): Compare Capy to Doppler, 1Password, Infisical, dotenvx, AWS Secrets Manager, and SOPS. Client-side vs. server-side encryption — pick by trust model.
- [Capy vs. Infisical: Client- vs. Server-Side E2EE](https://capy.sc/docs/comparisons/infisical.md): Capy vs. Infisical: client-side encryption vs. Infisical's 2023 server-side pivot. Why threat models matter more for teams using AI coding agents.
- [Capy vs. SOPS: Productized vs. DIY Secret Encryption](https://capy.sc/docs/comparisons/sops.md): Capy vs. SOPS: SOPS is an encryption primitive — Capy bundles invite, kick, and key registry on top. Compare the operational burden side by side.
- [Go Environment Variables: Secrets Manager for Go Apps](https://capy.sc/docs/getting-started/go.md): Manage encrypted secrets for Go services with Capy. Wrap go run and go test, keep os.Getenv working unchanged, and ship binaries with zero plaintext.
- [Next.js Environment Variables: Encrypted Secrets](https://capy.sc/docs/getting-started/nextjs.md): Use Capy to encrypt Next.js secrets across dev, build, and deploy. Build-time inlining for static pages, runtime decryption for Edge and Node routes.
- [Manage Node.js Environment Variables Securely (Capy)](https://capy.sc/docs/getting-started/nodejs.md): Encrypt and sync .env files in your Node.js app with Capy. Install the CLI, invite teammates, and ship to Vercel without exposing plaintext secrets.
- [Encrypted Secrets for PHP, Java, Elixir, Deno & More](https://capy.sc/docs/getting-started/other-runtimes.md): Use Capy with any runtime — PHP, Java, .NET, Elixir, Deno, Bun, shell. capy run -- injects decrypted env vars and forwards signals to your process.
- [Python Secrets Management: Encrypted .env Files](https://capy.sc/docs/getting-started/python.md): Replace python-dotenv with Capy: end-to-end encrypted .env files, branch-aware secrets, and one wrapper command (capy run) for uvicorn, pytest, or scripts.
- [Ruby & Rails Secrets Management with Capy](https://capy.sc/docs/getting-started/ruby.md): End-to-end encrypted secrets for Ruby and Rails. Wrap bundle exec, rspec, or rails server with Capy — keep ENV["KEY"] working, drop dotenv plaintext.
- [Rust Secrets Management: Encrypted Env for Cargo](https://capy.sc/docs/getting-started/rust.md): Wrap cargo run and cargo test with Capy to inject encrypted environment variables into your Rust binaries — no plaintext at rest, no SDK changes needed.
- [Capy: Git-Native Secrets Manager for Engineering Teams](https://capy.sc/docs/index.md): Capy is a git-native secrets manager with end-to-end encryption, branch-aware syncs, and PR-reviewable diffs — five CLI commands, zero plaintext on our servers.
- [Capy Architecture: How CLI and Service Fit Together](https://capy.sc/docs/internals/architecture.md): How Capy fits together: the CLI handles encrypt, sync, and invite on dev machines; the service brokers co-decrypt and stores ciphertext only. On-disk layout explained.
- [Capy Cryptography: BIP-39 to AES-256-GCM](https://capy.sc/docs/internals/cryptography.md): End-to-end Capy cryptography: BIP-39 seed → PBKDF2 master key → HKDF project key → AES-256-GCM ciphertext. Invite, deploy, and revocation primitives explained.
- [Zero-Trust Secrets Management: How Capy Works](https://capy.sc/docs/internals/zero-trust.md): Why neither the Capy client nor the service can decrypt alone. Two-share model: master key on client, outer wrap on service. A breach yields only ciphertext.
- [Branch-Aware Secrets: Per-Environment .env Files](https://capy.sc/docs/using/branches/overview.md): Capy branches give each environment — dev, staging, prod — its own encrypted secret set, pinned to your git branch via keep.lock. Switch with capy checkout.
- [Protected Branches: Lock Down Production Secrets](https://capy.sc/docs/using/branches/protected.md): Restrict production secrets to a vetted subset of your team. Capy protected branches are invite-only at the cryptographic layer — only members can decrypt.
- [Deploy Encrypted Secrets to Production with Capy](https://capy.sc/docs/using/deploying.md): Ship secrets to production with zero-trust deploy tokens. Runtime entrypoint pattern for long-running servers, build-time inlining for serverless platforms.
- [AWS Lambda Secrets: Container or Zip Deploys](https://capy.sc/docs/using/deploying/aws-lambda.md): Inject encrypted secrets into AWS Lambda via Capy. Container-image cold-start decryption or zip-deploy build-time env, with SAM, CDK, or Serverless Framework.
- [Cloudflare Pages & Workers: Encrypted Secrets](https://capy.sc/docs/using/deploying/cloudflare.md): Deploy to Cloudflare Pages or Workers with Capy. Build-time env inlining for Pages, wrangler bulk upload for Workers. Decrypt before the V8 isolate boots.
- [Docker Container Secrets: capy run as Entrypoint](https://capy.sc/docs/using/deploying/docker.md): Use Capy as your Docker ENTRYPOINT to inject decrypted secrets at container start. Works with docker-compose, Kubernetes Secrets, and multi-stage builds.
- [Fly.io Machines: Encrypted Secrets via capy run](https://capy.sc/docs/using/deploying/fly.md): Deploy to Fly.io with end-to-end encrypted secrets — use capy run as your Machine entrypoint and inject SECRETS_BLOB via flyctl secrets set. Auto-restart safe.
- [GitHub Actions Secrets Management with Capy](https://capy.sc/docs/using/deploying/github-actions.md): Wrap any GitHub Actions step — builds, tests, deploys — with capy run to inject decrypted secrets from CAPY_SECRETS_BLOB. Per-environment scoped tokens.
- [Railway, Render & Heroku: Secrets via capy run](https://capy.sc/docs/using/deploying/railway-render-heroku.md): Deploy to Railway, Render, or Heroku with end-to-end encrypted secrets. Wrap your start command with capy run and set SECRETS_BLOB per environment.
- [Vercel + Next.js Environment Variables (Encrypted)](https://capy.sc/docs/using/deploying/vercel.md): Deploy Next.js to Vercel with Capy-encrypted secrets. Build-time env inlining for static pages, no plaintext in Vercel settings, zero changes to next.config.js.
- [Edit Secrets: Capy TUI vs. Editing .env Directly](https://capy.sc/docs/using/editing-secrets.md): Two ways to change a secret in Capy: the interactive capy edit TUI for single rotations, or editing .env plus capy for bulk changes. Both encrypt and push.
- [AGPL-3.0 License: What It Means for Capy Users](https://capy.sc/docs/using/license.md): Capy is AGPL-3.0 licensed. Installing the unmodified CLI triggers no obligations for your company. Decision tree for modifications, SaaS, and Docker images.
- [Capy Organizations: Cryptographic Tenant Boundary](https://capy.sc/docs/using/organizations/overview.md): Each Capy organization has its own 24-word seed phrase and master key. One org per real security boundary — a service-side breach yields ciphertext only.
- [Switch Between Capy Organizations on One Machine](https://capy.sc/docs/using/organizations/switching.md): Use capy org to switch your active organization for org-scoped commands. Projects stay bound to their org via keep.lock — multi-org workflows are seamless.
- [Move Your Capy Identity to a New Computer](https://capy.sc/docs/using/organizations/switching-computers.md): Self-custodied key mobility for Capy: transport your identity via a one-time code, restore from the seed phrase, or accept a fresh invite. No backups on our servers.
- [How capy run Decrypts Secrets at Runtime](https://capy.sc/docs/using/running-your-app.md): How capy run injects decrypted secrets into your process — local mode reads .env plus the keyring; deployed mode unwraps SECRETS_BLOB at startup.
- [Sync Encrypted .env Across Your Team (Capy)](https://capy.sc/docs/using/syncing-secrets.md): How Capy syncs encrypted secrets across your team: three-way merge of pinned, local, and remote .env state with conflict resolution in an interactive TUI.
- [Invite Teammates to Capy: Share Encrypted Access](https://capy.sc/docs/using/team/inviting.md): Share access to encrypted secrets via out-of-band redeem codes. Capy double-wraps the master key so the service never sees the invite token in transit.
- [Remove a Teammate: O(1) Revocation in Capy](https://capy.sc/docs/using/team/kicking.md): Kick a teammate from Capy in O(1) — no key rotation, no re-encryption for remaining members. Their local secrets become cryptographically inert on next sync.
- [Capy Roles: Owner, Admin, Project Admin, Member](https://capy.sc/docs/using/team/roles.md): Four organization-level roles in Capy: Owner, Admin, Project Admin, Member. Change roles in the capy users TUI or restrict per-project access via grants.