README
¶
honey
Alpha software — APIs, config schema, and CLI flags may change between releases without notice.
CLI to search GCP, AWS, Kubernetes, Docker, Consul, Proxmox, and TrueNAS instances in parallel, then SSH, docker exec, or run recipes against results via a TUI, web UI, or MCP server.
Prerequisites
- Go 1.26.2+ (for building from source)
- Credentials for each backend — see Providers
Install
Homebrew (macOS):
brew install --cask shareed2k/tap/honey
Build from source:
go build -o honey ./cmd/honey
Quick start
# Interactive TUI — search all configured backends
honey search
# Filter by name substring
honey search my-host
# JSON output, AWS + Kubernetes only
honey search --json --provider aws,k8s web
Documentation
| Feature | Guide |
|---|---|
| Providers (GCP, AWS, K8s, Consul, Proxmox, …) | Providers |
| Docker & auto-discover on cloud VMs | Docker auto-discover |
| Macros (honeyfile) | Macros |
| MCP server (Cursor, LM Studio, OpenCode) | MCP Server |
| Session recordings | Recordings |
| Web UI & AI assist | Web UI |
| CUE recipes | CUE Recipes |
| Anomaly detection | Anomaly Detection |
| Plugin development | Plugins |
| Add a new backend | Add new backend |
Full docs: shareed2k.github.io/honey
License
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
honey
command
Package main is the honey CLI entrypoint.
|
Package main is the honey CLI entrypoint. |
|
honey-transfer-agent
command
Package main implements the honey-transfer-agent: upload/download cloud objects with short-lived credentials (JWE or env), optional interactive setup, and a JSON session mode.
|
Package main implements the honey-transfer-agent: upload/download cloud objects with short-lived credentials (JWE or env), optional interactive setup, and a JSON session mode. |
|
internal
|
|
|
aichat
Package aichat performs OpenAI-compatible chat HTTP calls for local recipe summarization.
|
Package aichat performs OpenAI-compatible chat HTTP calls for local recipe summarization. |
|
alerts
Package alerts dispatches anomaly notifications with TTL-cache deduplication.
|
Package alerts dispatches anomaly notifications with TTL-cache deduplication. |
|
alertwebhook
Package alertwebhook implements an Alertmanager-compatible webhook receiver.
|
Package alertwebhook implements an Alertmanager-compatible webhook receiver. |
|
anomaly
Package anomaly provides log anomaly detection using ONNX models or a built-in heuristic fallback.
|
Package anomaly provides log anomaly detection using ONNX models or a built-in heuristic fallback. |
|
apps
Package apps provides structures and validation for configuring target proxy applications in honey.yaml.
|
Package apps provides structures and validation for configuring target proxy applications in honey.yaml. |
|
appsecret
Package appsecret handles decryption of secure:v1 app upstream DSNs.
|
Package appsecret handles decryption of secure:v1 app upstream DSNs. |
|
cli
Package cli implements the honey Cobra commands.
|
Package cli implements the honey Cobra commands. |
|
cloudtransfer
Package cloudtransfer resolves short-lived cloud credentials for staging (S3 / GCS).
|
Package cloudtransfer resolves short-lived cloud credentials for staging (S3 / GCS). |
|
config
Package config loads optional YAML settings and backend definitions for honey.
|
Package config loads optional YAML settings and backend definitions for honey. |
|
cuetry
Package cuetry parses, validates, and resolves CUE remote recipes for honey.
|
Package cuetry parses, validates, and resolves CUE remote recipes for honey. |
|
cuetry/secrets
Package secrets resolves CUE recipe secret refs.
|
Package secrets resolves CUE recipe secret refs. |
|
cuetry/secrets/cloud
Package cloud resolves cloud and enterprise secret refs (Vault, AWS), analogous to
|
Package cloud resolves cloud and enterprise secret refs (Vault, AWS), analogous to |
|
cuetry/secrets/env
Package env resolves env:NAME refs from the process environment (local analogue of cloud:/aws-sm:/aws-kms:/k8s:/age:/age-b64:/age-file:/keyring:/vault).
|
Package env resolves env:NAME refs from the process environment (local analogue of cloud:/aws-sm:/aws-kms:/k8s:/age:/age-b64:/age-file:/keyring:/vault). |
|
cuetry/secrets/k8s
Package k8s resolves Kubernetes Secret data keys.
|
Package k8s resolves Kubernetes Secret data keys. |
|
cuetry/secrets/passphrase
Package passphrase resolves age-encrypted material.
|
Package passphrase resolves age-encrypted material. |
|
cuetry/secrets/ref
Package ref holds shared contracts for recipe secret backends (similar in role to how honey centralizes crypto provider contracts).
|
Package ref holds shared contracts for recipe secret backends (similar in role to how honey centralizes crypto provider contracts). |
|
cuetry/secrets/service
Package service resolves keyring:// refs via the OS credential store (Zalando keyring), analogous to cloud:/aws-sm:/aws-kms:/k8s:/age:/age-b64:/age-file:/keyring:/vault.
|
Package service resolves keyring:// refs via the OS credential store (Zalando keyring), analogous to cloud:/aws-sm:/aws-kms:/k8s:/age:/age-b64:/age-file:/keyring:/vault. |
|
cuetry/secrets/stack
Package stack implements symmetric secure:v1 encryption for recipe secrets.
|
Package stack implements symmetric secure:v1 encryption for recipe secrets. |
|
cuetry/secrets/stackunwrap
Package stackunwrap unwraps stack data keys from secretsprovider URLs (KMS, keyring, age, etc.).
|
Package stackunwrap unwraps stack data keys from secretsprovider URLs (KMS, keyring, age, etc.). |
|
hostapi
Package hostapi implements shared host search and backend listing for HTTP and MCP surfaces.
|
Package hostapi implements shared host search and backend listing for HTTP and MCP surfaces. |
|
hostexec
Package hostexec defines the execution surface (HostClient, Executor) shared by the TUI, web server, CUE runner, and provider-specific transports.
|
Package hostexec defines the execution surface (HostClient, Executor) shared by the TUI, web server, CUE runner, and provider-specific transports. |
|
hosts
Package hosts defines the host search record model and pluggable cloud backends.
|
Package hosts defines the host search record model and pluggable cloud backends. |
|
inventory
Package inventory converts honey host records into Ansible-compatible JSON inventory.
|
Package inventory converts honey host records into Ansible-compatible JSON inventory. |
|
jsonutil
Package jsonutil wraps goccy/go-json as a drop-in for encoding/json.
|
Package jsonutil wraps goccy/go-json as a drop-in for encoding/json. |
|
k8sdebug
Package k8sdebug provides utilities for Kubernetes debug containers.
|
Package k8sdebug provides utilities for Kubernetes debug containers. |
|
logger
Package logger provides global debug logging initialization via go.uber.org/zap.
|
Package logger provides global debug logging initialization via go.uber.org/zap. |
|
macros
Package macros loads and validates honeyfile.yaml macro sets.
|
Package macros loads and validates honeyfile.yaml macro sets. |
|
mcpserver
Package mcpserver implements the Model Context Protocol (stdio) server for honey.
|
Package mcpserver implements the Model Context Protocol (stdio) server for honey. |
|
metrics
Package metrics provides Prometheus instrumentation for honey web.
|
Package metrics provides Prometheus instrumentation for honey web. |
|
plugins
Package plugins loads Extism WASM plugins for honey (CUE transforms, custom steps, secret ref backends, and local hooks).
|
Package plugins loads Extism WASM plugins for honey (CUE transforms, custom steps, secret ref backends, and local hooks). |
|
plugins/api/v1
Package v1 defines the honey.plugins/v1 JSON contract between the host and WASM plugins.
|
Package v1 defines the honey.plugins/v1 JSON contract between the host and WASM plugins. |
|
postgres
Package postgres runs host-mediated PostgreSQL queries via pgx on the operator.
|
Package postgres runs host-mediated PostgreSQL queries via pgx on the operator. |
|
provider/all
Package all automatically invokes the init() registration for every native honey provider.
|
Package all automatically invokes the init() registration for every native honey provider. |
|
provider/awsprovider
Package awsprovider lists EC2 instances as honey host records.
|
Package awsprovider lists EC2 instances as honey host records. |
|
provider/consulprovider
Package consulprovider lists Consul catalog nodes as honey host records.
|
Package consulprovider lists Consul catalog nodes as honey host records. |
|
provider/dockerprovider
Package dockerprovider implements the honey Docker Engine search backend.
|
Package dockerprovider implements the honey Docker Engine search backend. |
|
provider/gcp
Package gcp lists Compute Engine VMs as honey host records.
|
Package gcp lists Compute Engine VMs as honey host records. |
|
provider/k8sprovider
Package k8sprovider lists Kubernetes nodes or pods as honey host records.
|
Package k8sprovider lists Kubernetes nodes or pods as honey host records. |
|
provider/localprovider
Package localprovider provides the ability to manage and search manually defined hosts.
|
Package localprovider provides the ability to manage and search manually defined hosts. |
|
provider/proxmoxprovider
Package proxmoxprovider provides Proxmox search capabilities for honey.
|
Package proxmoxprovider provides Proxmox search capabilities for honey. |
|
provider/truenasprovider
Package truenasprovider discovers TrueNAS SCALE hosts via the WebSocket JSON-RPC API.
|
Package truenasprovider discovers TrueNAS SCALE hosts via the WebSocket JSON-RPC API. |
|
proxy
Package proxy manages background connections, tunnels, and active sessions for applications.
|
Package proxy manages background connections, tunnels, and active sessions for applications. |
|
proxy/reverseproxy
Package reverseproxy provides a Teleport-inspired HTTP reverse proxy.
|
Package reverseproxy provides a Teleport-inspired HTTP reverse proxy. |
|
pvelxc
Package pvelxc implements Proxmox VE LXC and QEMU serial console (termproxy/vncwebsocket) bridging for the web UI and TUI.
|
Package pvelxc implements Proxmox VE LXC and QEMU serial console (termproxy/vncwebsocket) bridging for the web UI and TUI. |
|
recipenotify
Package recipenotify wires github.com/nikoksr/notify from environment variables for CUE recipe step notifications.
|
Package recipenotify wires github.com/nikoksr/notify from environment variables for CUE recipe step notifications. |
|
recordings
Package recordings parses session .hrec.jsonl files used by the web UI and TUI replay.
|
Package recordings parses session .hrec.jsonl files used by the web UI and TUI replay. |
|
safepath
Package safepath constrains filesystem paths for user-controlled inputs (cache roots, config discovery, recipe files) and performs reads/writes via os.Root where appropriate.
|
Package safepath constrains filesystem paths for user-controlled inputs (cache roots, config discovery, recipe files) and performs reads/writes via os.Root where appropriate. |
|
searchrun
Package searchrun wires CLI flags and YAML config to host search and caching.
|
Package searchrun wires CLI flags and YAML config to host search and caching. |
|
sshclient
Package sshclient provides SSH client dialing, SFTP, tunnels, and known_hosts helpers for honey.
|
Package sshclient provides SSH client dialing, SFTP, tunnels, and known_hosts helpers for honey. |
|
stepkv
Package stepkv implements a tiny loopback HTTP key/value API backed by an in-memory TTL cache.
|
Package stepkv implements a tiny loopback HTTP key/value API backed by an in-memory TTL cache. |
|
transferagent
Package transferagent resolves and cross-builds honey-transfer-agent binaries for target GOOS/GOARCH and optional cloud flavor (S3/GCS/full).
|
Package transferagent resolves and cross-builds honey-transfer-agent binaries for target GOOS/GOARCH and optional cloud flavor (S3/GCS/full). |
|
transferagent/presign
Package presign generates short-lived presigned URLs for transferring files to/from S3 or GCS without requiring an agent binary on the remote host.
|
Package presign generates short-lived presigned URLs for transferring files to/from S3 or GCS without requiring an agent binary on the remote host. |
|
truenasshell
Package truenasshell bridges honey web terminals to TrueNAS /websocket/shell.
|
Package truenasshell bridges honey web terminals to TrueNAS /websocket/shell. |
|
tun
Package tun manages transparent VPN tunnels via tun2proxy-bin subprocess.
|
Package tun manages transparent VPN tunnels via tun2proxy-bin subprocess. |
|
ui
Package ui implements the bubbletea TUI, SSH helpers, and CUE recipe execution for honey.
|
Package ui implements the bubbletea TUI, SSH helpers, and CUE recipe execution for honey. |
|
webserver
Package webserver provides the embedded HTTP server for honey.
|
Package webserver provides the embedded HTTP server for honey. |
|
webserver/cmd/swag2openapi
command
Command swag2openapi converts swag-generated Swagger 2.0 JSON to OpenAPI 3.x JSON for honey web.
|
Command swag2openapi converts swag-generated Swagger 2.0 JSON to OpenAPI 3.x JSON for honey web. |
|
pkg
|
|
|
pluginpdk
Package pluginpdk provides helpers for honey WASM plugins built with the Extism Go PDK.
|
Package pluginpdk provides helpers for honey WASM plugins built with the Extism Go PDK. |
|
plugins
|
|
|
bash
command
|
|
|
copy
command
|
|
|
file
command
|
|
|
postgres
command
|
|
|
rclone
command
Package main implements the honey rclone RC WASM plugin action registry.
|
Package main implements the honey rclone RC WASM plugin action registry. |
|
service
command
|
|
|
shell
command
|
|
|
template
command
|
Click to show internal directories.
Click to hide internal directories.