Keyhole is a governance platform that manages how software changes are realized across environments. It enforces policy, audit, and identity requirements before any change is applied.
This repository exposes the public developer interface for Keyhole:
- Language SDKs (starting with Python)
- Public JSON schemas and OpenAPI contracts
- A local test runtime that developers can run to validate realization behavior without connecting to a production Keyhole deployment
- Bridge examples and integration smoke tests
- Deployment templates for running the public runtime on third-party infrastructure
This repository does not contain Keyhole's private governance engine, promotion kernel internals, production secrets, or protected control-plane logic.
By default, the test runtime operates in local-only mode — realization requests execute immediately without MCP governance gating and no events are emitted to the Keyhole Event Spine.
To enable governed mode, configure KEYHOLE_MCP_URL and
KEYHOLE_MCP_TOKEN on the runtime. In governed mode every /realize call is
gate-checked through the Keyhole MCP governance surface before execution.
Governed mode is described conceptually here, but the current runtime response contract remains minimal. Future versions (S41+) may expose explicit mode and verdict fields in the runtime response.
The Keyhole Developer Kit exists to let external builders:
- understand the public Keyhole integration model,
- develop against stable public contracts,
- run a real local runtime target,
- validate SDK, bridge, and realization behavior without requiring access to a private Keyhole deployment.
The goal is to provide a real, executable public developer surface while keeping protected Keyhole internals outside the repository.
pip install --upgrade keyhole-sdkdocker compose upcurl http://localhost:8080/healthz
curl http://localhost:8080/identityExample identity response:
{
"runtime_id": "keyhole-test-runtime",
"runtime_name": "Keyhole Test Runtime",
"runtime_version": "0.1.0",
"environment": "dev",
"capabilities": ["realize", "state", "health"]
}curl http://localhost:8080/stateExample initial response:
{
"current_digest": null,
"realized_digests": [],
"updated_at": "2026-03-06T12:00:00+00:00"
}curl -X POST http://localhost:8080/realize \
-H "Content-Type: application/json" \
-d '{
"candidate_digest": "sha256:abc123",
"payload": {}
}'Example first response:
{
"digest": "sha256:abc123",
"status": "ACCEPT",
"message": "Digest realized successfully.",
"realized_at": "2026-03-06T12:01:00+00:00"
}curl -X POST http://localhost:8080/realize \
-H "Content-Type: application/json" \
-d '{
"candidate_digest": "sha256:abc123",
"payload": {}
}'Example replay response:
{
"digest": "sha256:abc123",
"status": "ALREADY_REALIZED",
"message": "Digest has already been realized. No state mutation performed.",
"realized_at": "2026-03-06T12:02:00+00:00"
}Install from PyPI:
pip install --upgrade keyhole-sdkUse the SDK client:
from keyhole_sdk import KeyholeClient
client = KeyholeClient(base_url="http://localhost:8080")
# Check health
print(client.health())
# Runtime identity
print(client.identity())
# Runtime state
print(client.state())
# Submit a realization request
receipt = client.realize(
candidate_digest="sha256:abc123",
payload={},
)
print(receipt)
# Replay the same digest safely
replay = client.realize(
candidate_digest="sha256:abc123",
payload={},
)
print(replay)
client.close()Install the CLI:
pip install keyhole-clikeyhole runtime health
keyhole runtime identity
keyhole runtime state
keyhole runtime realize sha256:abc123The CLI reads KEYHOLE_RUNTIME_URL from the environment (default: http://localhost:8080).
The public test runtime currently exposes:
GET /healthz— liveness checkGET /identity— runtime identity and declared capabilitiesGET /state— current runtime-local statePOST /realize— bounded realization endpoint with digest-based idempotent replay behavior
This runtime is intentionally narrow in scope.
It is:
- a real HTTP-addressable target for SDK and bridge validation,
- a deterministic local/public runtime for integration testing,
- a deployable container image for external builders.
It is not:
- the Keyhole MCP server,
- the full Keyhole platform,
- a governance engine,
- a production persistence layer.
.
├── deploy/
│ └── compose.server.yml
├── docs/
│ ├── architecture.md
│ ├── bridge-contract.md
│ ├── quickstart.md
│ ├── test-runtime.md
│ └── traefik-deploy.md
├── examples/
│ ├── bridge-smoke-test/
│ └── python-client/
├── openapi/
│ └── test-runtime.openapi.yaml
├── packages/
│ └── python/
│ ├── keyhole-sdk/
│ └── keyhole-cli/
├── schemas/
│ ├── realization_request.v1.schema.json
│ └── runtime_realization_receipt.v1.schema.json
├── services/
│ └── test-runtime/
├── docker-compose.yml
└── README.md
| Package | Description |
|---|---|
keyhole-sdk |
Python SDK for interacting with Keyhole-compatible runtimes |
keyhole-cli |
CLI for interacting with Keyhole-compatible runtimes |
The public test runtime container is published to GHCR:
ghcr.io/keyhole-solution/keyhole-test-runtime:latest
This repository is designed for:
- external builders deploying a real runtime target,
- SDK and CLI integration testing,
- bridge smoke tests,
- contract validation against a stable public surface,
- local and remote replay-safe realization testing.
This repository is the public builder-facing surface of the Keyhole ecosystem.
It exposes public contracts, runtime behavior, examples, SDK integration patterns, and deployable public artifacts.
It does not expose private governance internals. That separation is intentional and load-bearing.