cli: correct keyring new and --keyring-path help text

[SAY-5]

What

Two small-but-confusing inaccuracies in the keyring CLI help, per #4704:

1. keyring new --help claimed that DEFRA_KEYRING_SECRET "must be set to unlock the keyring" and that the command "will overwrite existing keys". Neither matches the default flow:

   • On a first run with no DEFRA_KEYRING_SECRET set, the keyring is initialised with "secret" as its password rather than erroring out. The env var is only needed to unlock an existing keyring.
   • Existing keys are preserved unless --force is passed. Running the command a second time without --force returns key ... already exists, use --force to overwrite.

2. --keyring-path help text was Path to store encrypted keys when using the file backend. The default shown to the user is "keys", which looks like a cwd-relative path but is actually resolved against --rootdir by LoadConfig (relative paths are Join'd with rootdir). Users on a first run routinely guess wrong about where keys/ lands.

Fix

Rewrite both help strings to match the actual behaviour:

• keyring new --help now says the env var unlocks an existing keyring, that a first run defaults to "secret" and should be rotated, and that existing keys are preserved unless --force is passed.
• --keyring-path help now notes that the default "keys" is rootdir-relative and typically resolves to ~/.defradb/keys.

No behaviour change. Only help strings. CLI reference docs regenerate from the same metadata.

Verification

On develop before this PR:

$ env -u DEFRA_KEYRING_SECRET ./defradb keyring new --force
INF cli generated new encryption key
INF cli generated new peer key

— works fine without the env var, contradicting the old help text. After this PR the help text matches.

$ ./defradb keyring new
Error: key encryption-key already exists, use --force to overwrite

— the "WARNING: This will overwrite existing keys" line in the old help was also contradicted by this behaviour.

Fixes #4704

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ae2f3608-82d3-4a3b-8b4d-f71fa9da6357

📥 Commits

Reviewing files that changed from the base of the PR and between 989a5d8 and 679de64.

📒 Files selected for processing (2)

• cli/keyring_new.go
• cli/root.go

📜 Recent review details

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-03-27T08:24:16.083Z

Learnt from: islamaliev
Repo: sourcenetwork/defradb PR: 4661
File: http/middleware.go:93-93
Timestamp: 2026-03-27T08:24:16.083Z
Learning: When handling `client.ErrNotAuthorizedToPerformOperation` in the defradb repository, treat it as an unauthenticated/missing-identity condition (not insufficient permissions). Map it to HTTP 401 Unauthorized rather than 403 Forbidden; this mapping is intentional and consistent with prior behavior (pre-PR `#4661`).

Applied to files:

• cli/root.go
• cli/keyring_new.go

🔇 Additional comments (2)

cli/root.go (1)

97-99: Help text clarification is accurate and user-friendly.

This wording is clearer and aligns the default "keys" value with <rootdir>/keys, which should reduce operator confusion.

cli/keyring_new.go (1)

35-43: Long description now matches actual command semantics.

Good correction on both points: secret usage context and non-overwrite behavior unless --force is provided.

---

📝 Walkthrough

Walkthrough

Documentation updates to CLI help text for the keyring new command and --keyring-path flag. Changes clarify that DEFRA_KEYRING_SECRET unlocks existing keyrings, describe default "secret" password initialization, and explain that existing keys are preserved unless --force is passed. Help text updated to clarify --keyring-path relative path resolution.

Changes

Cohort / File(s)	Summary
Keyring Command Help Text cli/keyring_new.go	Updated description to clarify DEFRA_KEYRING_SECRET is for unlocking existing keyrings; added first-run behavior mentioning default "secret" password; corrected warning text to reflect that existing keys are preserved unless --force is explicitly passed.
Keyring Path Flag Help Text cli/root.go	Clarified --keyring-path help text to explain relative paths are resolved against --rootdir, with default "keys" expanding to <rootdir>/keys.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Clarify DEFRA_KEYRING_SECRET unlocks existing keyrings [#4704]	✅
Document default "secret" password initialization behavior [#4704]	✅
Correct warning text about key overwriting behavior [#4704]	✅
Fix --keyring-path default description relative to rootdir [#4704]	✅

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}