redshift
// Manage application secrets with the Redshift CLI (https://redshiftapp.com) — decentralized, encrypted secret management built on Nostr. Use when setting, getting, deleting, listing, uploading, or downloading secrets, injecting secrets into commands, configuring projects/environments, or authenticati
$ git log --oneline --stat
stars:1,933
forks:367
updated:March 4, 2026
SKILL.mdreadonly
SKILL.md Frontmatter
nameredshift
descriptionManage application secrets with the Redshift CLI (https://redshiftapp.com) — decentralized, encrypted secret management built on Nostr. Use when setting, getting, deleting, listing, uploading, or downloading secrets, injecting secrets into commands, configuring projects/environments, or authenticating with Nostr keys. Covers redshift secrets, redshift run, redshift setup, redshift login, and related commands.
homepagehttps://redshiftapp.com
metadata[object Object]
Redshift
Decentralized secret management via the redshift CLI. Secrets are client-side encrypted (NIP-59 Gift Wrap) and stored on Nostr relays — no central server.
Project homepage: https://redshiftapp.com
Key concepts
- Project (
-p): a project slug (e.g.backend,myapp) - Config/Environment (
-c): an environment slug (e.g.dev,staging,production) - redshift.yaml: per-directory project config created by
redshift setup - When
-p/-care omitted, Redshift reads fromredshift.yamlin the current directory
Security considerations
- Never pass secret values directly on the command line in shared/logged environments — prefer
redshift secrets setinteractively or pipe from stdin - Use
REDSHIFT_NSEC/REDSHIFT_BUNKERenv vars for CI/CD rather than CLI flags - Avoid
redshift serve --host 0.0.0.0unless you intend to expose the web UI to the network — default127.0.0.1is localhost-only - All encryption is client-side; secrets never leave the device unencrypted
- Private keys are stored in the system keychain, not in plaintext config files
Authentication
redshift login # Interactive (recommended)
redshift login --nsec nsec1... # Direct private key (use env var in CI instead)
redshift login --bunker "bunker://pubkey?relay=wss://relay.example&secret=xxx" # NIP-46 (ALWAYS quote the URL)
redshift login --connect # Generate NostrConnect URI for bunker app
redshift me # Check current identity
redshift logout # Clear credentials
CI/CD: set REDSHIFT_NSEC or REDSHIFT_BUNKER env vars instead of redshift login. These should be stored in your CI platform's secret management (e.g. GitHub Actions secrets), never hardcoded.
Project setup
redshift setup # Interactive
redshift setup -p myapp -c production # Non-interactive
redshift setup --no-interactive -p app -c dev # Strict non-interactive
Creates redshift.yaml with project, environment, and relay list.
Secrets
# List all
redshift secrets # Redacted values
redshift secrets --raw # Show plaintext values
redshift secrets --json # JSON output
redshift secrets --only-names # Names only
# Get
redshift secrets get API_KEY
redshift secrets get API_KEY --plain # Raw value, no formatting
redshift secrets get API_KEY --copy # Copy to clipboard
redshift secrets get KEY1 KEY2 # Multiple keys
# Set
redshift secrets set API_KEY sk_live_xxx
redshift secrets set API_KEY '123' DB_URL 'postgres://...' # Multiple at once
# Delete
redshift secrets delete OLD_KEY
redshift secrets delete KEY1 KEY2 -y # Skip confirmation
# Download
redshift secrets download ./secrets.json # JSON (default)
redshift secrets download --format=env --no-file # Print .env to stdout
redshift secrets download --format=env ./secrets.env # Save as .env file
# Formats: json, env, yaml, docker, env-no-quotes
# Upload
redshift secrets upload secrets.env
Override project/environment on any secrets command with -p / -c:
redshift secrets -p backend -c production --raw
redshift secrets set -p myapp -c staging FEATURE_FLAG true
Run with secrets injected
Important: Only run commands the user has explicitly requested. Never construct arbitrary commands to pass to redshift run. Always confirm the command with the user before executing.
redshift run -- npm start
redshift run -- python app.py
redshift run --command "npm start && npm test"
redshift run -p myapp -c prod -- docker-compose up
# Mount secrets to a file instead of env vars
redshift run --mount secrets.json -- cat secrets.json
redshift run --mount secrets.env --mount-format env -- cat secrets.env
# Fallback for offline mode
redshift run --fallback ./fallback.json -- npm start
redshift run --fallback-only -- npm start # Read only from fallback
# Preserve existing env values for specific keys
redshift run --preserve-env PORT,HOST -- npm start
Configuration
redshift configure # Show config
redshift configure --all # Show all saved options
redshift configure get project # Get specific option
redshift configure set project=myapp # Set option
redshift configure unset project # Remove option
redshift configure reset --yes # Reset to initial state
Web UI
redshift serve # http://127.0.0.1:3000 (localhost only)
redshift serve --port 8080 --open # Custom port, auto-open browser
redshift serve --host 0.0.0.0 # ⚠️ Exposes to network — use with caution
Global flags
| Flag | Short | Description |
|---|---|---|
--help | -h | Show help |
--version | -v | Show version |
--json | JSON output | |
--silent | Suppress info messages | |
--debug | Verbose debug output | |
--config-dir | Override config dir (~/.redshift) |
Environment variables
| Variable | Description |
|---|---|
REDSHIFT_NSEC | Private key for CI/CD (bypasses interactive login) |
REDSHIFT_BUNKER | NIP-46 bunker URL for CI/CD (alternative to nsec) |
REDSHIFT_CONFIG_DIR | Override config directory (default: ~/.redshift) |
Important notes
- Always quote bunker URLs (
--bunker "bunker://...") — shell interprets&otherwise - Secret values with spaces or special chars should be quoted
- Complex values (objects/arrays) are auto-JSON-stringified when injected by
redshift run