Skip to content

Models

models

Value-less credential catalog models.

These pydantic models describe credential schemas only — they never hold a secret value (security invariant AC5). A :class:CredentialSpec declares where and how a credential is fetched; a :class:CredentialGroup bundles the specs a package requires.

Layer = Literal['env', 'file', 'keyring', 'default', 'prompt']

Resolution layer a credential may be sourced from.

CredentialGroup

Bases: BaseModel

A bundle of credential specs declared by a package.

Source code in packages/axm-vault/src/axm_vault/models.py
Python
class CredentialGroup(BaseModel):  # type: ignore[explicit-any]
    """A bundle of credential specs declared by a package."""

    model_config = ConfigDict(frozen=True, extra="forbid")

    id: str
    package: str
    title: str
    specs: tuple[CredentialSpec, ...]
    multi: bool = False

    def spec(self, name: str) -> CredentialSpec:
        """Return the spec named ``name``.

        Raises:
            KeyError: if no spec with that name exists in the group.
        """
        for candidate in self.specs:
            if candidate.name == name:
                return candidate
        raise KeyError(name)
spec(name)

Return the spec named name.

Raises:

Type Description
KeyError

if no spec with that name exists in the group.

Source code in packages/axm-vault/src/axm_vault/models.py
Python
def spec(self, name: str) -> CredentialSpec:
    """Return the spec named ``name``.

    Raises:
        KeyError: if no spec with that name exists in the group.
    """
    for candidate in self.specs:
        if candidate.name == name:
            return candidate
    raise KeyError(name)

CredentialSpec

Bases: BaseModel

Schema for a single credential — value-less by construction.

Source code in packages/axm-vault/src/axm_vault/models.py
Python
class CredentialSpec(BaseModel):  # type: ignore[explicit-any]
    """Schema for a single credential — value-less by construction."""

    model_config = ConfigDict(frozen=True, extra="forbid")

    name: str
    env: str
    kind: str
    sensitivity: Sensitivity = Sensitivity.SECRET
    required: bool = True
    default: str | None = None
    prompt: str | None = None
    aliases: tuple[str, ...] = ()

Sensitivity

Bases: StrEnum

Classification of how sensitive a credential value is.

Source code in packages/axm-vault/src/axm_vault/models.py
Python
class Sensitivity(StrEnum):
    """Classification of how sensitive a credential value is."""

    SECRET = "secret"  # noqa: S105 # enum label, not a password value
    CONFIG = "config"
    NONSENSITIVE = "nonsensitive"