Cli
cli
axm-vault command-line interface (cyclopts).
The CLI is a thin shell: it owns argument parsing and human-facing output,
but delegates every operation to the central functions / tools so no
business logic is duplicated across the CLI / MCP boundary. setup is the
only genuine process-lifecycle command (interactive prompts); set/doctor
are backed by the :class:~axm.tools.base.AXMTool implementations, and
get/rotate/path call the resolver, store and config primitives
directly. There is deliberately no import command — a bulk importer is
deferred.
doctor(package=None, instance=None)
Print value-free provenance for every credential in the catalog.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
package
|
str | None
|
Restrict the report to one contributing package. |
None
|
instance
|
str | None
|
Optional multi-instance segment. |
None
|
Source code in packages/axm-vault/src/axm_vault/cli.py
get(group, name, *, reveal=False)
Resolve group.name and print it, masking SECRET values.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
group
|
str
|
Credential group id. |
required |
name
|
str
|
Credential name within the group. |
required |
reveal
|
bool
|
Print the plaintext even for SECRET specs (a deliberate opt-in reveal; no audit trail is emitted). |
False
|
Source code in packages/axm-vault/src/axm_vault/cli.py
main()
path()
rotate(group, name, value, instance=None)
Rotate a SECRET to value, retaining the previous one for one cycle.
The spec is resolved through the catalog first and MUST be
:data:~axm_vault.models.Sensitivity.SECRET: only SECRET specs live in the
keyring, so rotating a CONFIG/NONSENSITIVE spec (or an unknown name) would
write an orphan into the keyring that get never reads — a silent no-op
reported as success. Routing through the catalog turns that into an
up-front error, mirroring set's sensitivity check.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
group
|
str
|
Credential group id. |
required |
name
|
str
|
Credential name within the group. |
required |
value
|
str
|
The new secret value (never echoed back). |
required |
instance
|
str | None
|
Optional multi-instance segment. |
None
|
Source code in packages/axm-vault/src/axm_vault/cli.py
set(group, name, value)
Store group.name in its backend (keyring for SECRET, config else).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
group
|
str
|
Credential group id. |
required |
name
|
str
|
Credential name within the group. |
required |
value
|
str
|
The value to store (never echoed back). |
required |
Source code in packages/axm-vault/src/axm_vault/cli.py
setup(only=None)
Interactively prompt for and store every storable credential.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
only
|
str | None
|
Restrict setup to a single |
None
|