Index
axm_doctor
axm-doctor.
Env bootstrap + auth-status doctor (detect, propose, orchestrate).
Re-exports are resolved lazily (PEP 562 __getattr__): importing the package
does NOT eager-load :mod:axm_doctor.orchestrate (which imports axm-vault)
or :mod:axm_doctor.tools (which imports axm.tools.base). The stdlib-only
detection surface (detect_tool / detect_auth) therefore stays reachable
as the bootstrap probe even on a machine where the rest of AXM is not yet
installable — the heavier symbols are imported only when first accessed.
AuthStatus
Bases: BaseModel
Frozen read-only auth state for a third-party binary.
Carries the command to recover from logged_out (login_cmd) but
NEVER a token value — detection is existence/exit-code only.
Source code in packages/axm-doctor/src/axm_doctor/detect.py
AuthStatusTool
Report third-party auth state — never a token value (mirror of vault).
Source code in packages/axm-doctor/src/axm_doctor/tools.py
name
property
Unique tool identifier.
execute()
Return value-free auth state; any error becomes a failure ToolResult.
Source code in packages/axm-doctor/src/axm_doctor/tools.py
EnvDoctorTool
Read-only env report: tool presence/version + auth + missing secrets.
Source code in packages/axm-doctor/src/axm_doctor/tools.py
name
property
Unique tool identifier.
execute()
Return the full env report; any error becomes a failure ToolResult.
Source code in packages/axm-doctor/src/axm_doctor/tools.py
GhConfigStatus
Bases: BaseModel
Frozen verdict on whether gh carries a base configuration.
configured when gh config get git_protocol exits 0, unconfigured
otherwise, not_installed when the gh binary is absent. The config
value itself is never read.
Source code in packages/axm-doctor/src/axm_doctor/detect.py
GitIdentityStatus
Bases: BaseModel
Frozen verdict on whether a git committer identity is resolvable.
state is decided from the presence of a [git].default store entry
or the exit code of git config --get user.email — the identity value
itself is never read.
Source code in packages/axm-doctor/src/axm_doctor/detect.py
InstallPlan
Bases: BaseModel
A proposed install command for a single tool — description only.
Building a plan runs nothing. argv is the program + arguments executed
as a bare exec (NO shell). fetch_url, when set, marks a script-installer
plan (e.g. the uv curl | sh recipe): instead of a shell pipe, the script
is downloaded to a temp file and run as sh <tmpfile> — both steps are
argv execs, never shell=True. human_command is the copy-pasteable
form a human would type.
Source code in packages/axm-doctor/src/axm_doctor/install.py
InstallResult
Bases: BaseModel
Outcome of :func:run_install.
On a dry-run (confirm=False) executed is False, returncode is
None, and post_check is None — nothing was installed, so nothing is
re-detected. On a confirmed run, post_check carries the re-detected
:class:~axm_doctor.detect.ToolStatus.
Source code in packages/axm-doctor/src/axm_doctor/install.py
MissingSecret
Bases: BaseModel
A credential spec that resolves to "missing" across every layer.
Value-less by construction: it carries only the coordinates of the spec
and a copy-pasteable recovery hint (setup_hint). The secret value
itself NEVER transits axm_doctor.
Source code in packages/axm-doctor/src/axm_doctor/orchestrate.py
ProvisionResult
Bases: BaseModel
Outcome of :func:provision_missing.
On a dry-run (confirm=False) provisioned is False and groups
lists the groups it WOULD prompt for. On a confirmed run provisioned
is True ONLY when a post-setup re-scan confirms every previously-missing
spec now resolves — delegating to vault's setup driver is not proof the
user actually supplied the secrets (they may skip/empty the prompts).
still_missing lists the specs that remain unresolved after the run
(always empty on a dry-run), so a partial provisioning is reported truthfully
rather than as a false green.
Source code in packages/axm-doctor/src/axm_doctor/orchestrate.py
ToolStatus
Bases: BaseModel
Frozen result of probing a single external tool on PATH.
Source code in packages/axm-doctor/src/axm_doctor/detect.py
__dir__()
__getattr__(name)
Resolve a public symbol from its submodule on first access (PEP 562).
Source code in packages/axm-doctor/src/axm_doctor/__init__.py
detect_auth(tool)
Report read-only auth state for a third-party binary.
gh is probed via the exit code of gh auth status; credential-file
tools (claude, codex) via the existence of their credential file
under ~ — the file is never opened, so no token is ever read.
Source code in packages/axm-doctor/src/axm_doctor/detect.py
detect_gh_config()
Report whether gh carries a base config, value-free.
Probes the exit code of gh config get git_protocol (its stdout is
captured and discarded). gh absent → not_installed; any
OSError / SubprocessError degrades to unconfigured. This is
distinct from and additional to the gh auth status login check.
Source code in packages/axm-doctor/src/axm_doctor/detect.py
detect_git_identity()
Report whether a git committer identity is resolvable, value-free.
Cheapest source first: a truthy [git].default in the axm-config
store means an identity exists. Otherwise fall back to the exit code of
git config --get user.email (its stdout — the email — is captured and
discarded, never returned). Any missing binary / OSError /
SubprocessError degrades to unconfigured without raising.
Source code in packages/axm-doctor/src/axm_doctor/detect.py
detect_tool(name)
Probe name on PATH and parse <name> --version.
Returns present with the parsed version string when found, absent
otherwise. Never raises on a missing or misbehaving tool.
Source code in packages/axm-doctor/src/axm_doctor/detect.py
install_command(tool)
Return the official :class:InstallPlan for tool, or None.
Runs nothing. An unknown tool returns None rather than guessing a command.
Source code in packages/axm-doctor/src/axm_doctor/install.py
missing_secrets()
Return the catalog specs that resolve to "missing", value-free.
Reads the vault catalog and the value-free provenance report; a spec is
reported when no resolver layer supplies it. An empty catalog (the
nominal state for vault today) yields [] gracefully.
Source code in packages/axm-doctor/src/axm_doctor/orchestrate.py
provision_missing(*, confirm=False)
Plan (and on confirm execute) provisioning of missing secrets.
Collects the distinct groups owning at least one missing spec. With
confirm=False it returns the plan without prompting or storing. With
confirm=True it delegates to vault's :func:run_setup (one call per
group, restricted via only=); doctor never stores a secret itself.
Source code in packages/axm-doctor/src/axm_doctor/orchestrate.py
run_install(plan, *, confirm=False)
Execute plan only when confirm is True; otherwise dry-run.
With the default confirm=False this NEVER installs: it returns the
command it would run with executed=False and returncode=None.
With confirm=True it runs the command, then re-detects the tool via
:func:~axm_doctor.detect.detect_tool and reports the post-install state.