Resolver
resolver
Layered credential resolver.
Resolves a credential value by walking a fixed precedence of layers
(env > file > keyring > default > prompt). Each layer is consulted in
turn; the first to yield a value wins and is reported back in :class:Resolved
alongside the layer it came from and the originating spec.
The file layer reads the per-namespace TOML file under ~/.axm only,
via :class:axm_config.store.NamespaceStore — vault never resolves the
~/.axm path itself (that stays axm-config's responsibility), but it also
never consults the environment from this layer: provenance reported as
file is always file-backed. The env tier lives solely in the env
layer (spec.env + aliases). The keyring layer is consulted only for
specs classified :data:~axm_vault.models.Sensitivity.SECRET.
Note: axm_config exposes no file-only accessor in its public
__init__ surface (get/load mix env + file); vault therefore reads
through the internal-public :class:~axm_config.store.NamespaceStore to stay
file-only without re-implementing ~/.axm resolution.
resolver = Resolver()
module-attribute
Process-wide non-interactive resolver singleton.
MissingCredentialError
Resolved
Bases: BaseModel
The outcome of resolving a single credential.
Carries the resolved value, the layer it was sourced from and the
originating spec — but never masks: callers wrap secrets themselves
(e.g. via :func:~axm_vault.secrets.as_secret).
Source code in packages/axm-vault/src/axm_vault/resolver.py
Resolver
Walk the layer precedence to resolve a credential value.
The resolver is stateless and cheap to instantiate; a process-wide
:data:resolver singleton is provided for the common case. Set
interactive=True to enable the prompt layer (off by default so the
resolver is safe in non-interactive contexts).
Source code in packages/axm-vault/src/axm_vault/resolver.py
| Python | |
|---|---|
68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 | |
keyring_available()
Report whether the OS keyring backend is usable, value-free.
Probes the backend with a read that resolves no real credential; a
:class:KeyringUnavailableError means no usable backend (headless
host). The doctor uses this to flag keyring unavailable without
ever reading a secret value.
Source code in packages/axm-vault/src/axm_vault/resolver.py
probe(layer, spec, group, instance=None)
Report whether layer supplies spec, value-free.
Reduces the layer's value to a boolean the instant it is read, so the value never escapes — the seam the doctor uses to build provenance without violating the never-leak invariant.
Source code in packages/axm-vault/src/axm_vault/resolver.py
resolve(group, name, instance=None)
Resolve group.name by walking :data:PRECEDENCE.
Returns the first layer that yields a value. Raises
:class:MissingCredentialError when a required spec resolves to
nothing across every layer.
Source code in packages/axm-vault/src/axm_vault/resolver.py
bind(model, group, instance=None)
Build model from the resolved values of every spec in group.
Each field is keyed by spec.name; SECRET specs are wrapped with
:func:~axm_vault.secrets.as_secret so the consumer model holds
SecretStr. A missing required spec propagates
:class:MissingCredentialError. The return type is the concrete model
type (generic over type[_ModelT]), so a caller need not cast the
result back to its model.
Source code in packages/axm-vault/src/axm_vault/resolver.py
get(group, name, instance=None)
Resolve group.name via the singleton :data:resolver.
Convenience over resolver.resolve(load_catalog().group(group), name)
returning just the resolved value.