Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.openaeon.ai/llms.txt

Use this file to discover all available pages before exploring further.

openaeon secrets

Use openaeon secrets to migrate credentials from plaintext to SecretRefs and keep the active secrets runtime healthy. Command roles:
  • reload: gateway RPC (secrets.reload) that re-resolves refs and swaps runtime snapshot only on full success (no config writes).
  • audit: read-only scan of config + auth stores + legacy residues (.env, auth.json) for plaintext, unresolved refs, and precedence drift.
  • configure: interactive planner for provider setup + target mapping + preflight (TTY required).
  • apply: execute a saved plan (--dry-run for validation only), then scrub migrated plaintext residues.
Recommended operator loop: 
openaeon secrets audit --check
openaeon secrets configure
openaeon secrets apply --from /tmp/openaeon-secrets-plan.json --dry-run
openaeon secrets apply --from /tmp/openaeon-secrets-plan.json
openaeon secrets audit --check
openaeon secrets reload
Exit code note for CI/gates:
  • audit --check returns 1 on findings, 2 when refs are unresolved.
Related:

Reload runtime snapshot

Re-resolve secret refs and atomically swap runtime snapshot. 
openaeon secrets reload
openaeon secrets reload --json
Notes:
  • Uses gateway RPC method secrets.reload.
  • If resolution fails, gateway keeps last-known-good snapshot and returns an error (no partial activation).
  • JSON response includes warningCount.

Audit

Scan OpenAEON state for:
  • plaintext secret storage
  • unresolved refs
  • precedence drift (auth-profiles shadowing config refs)
  • legacy residues (auth.json, OAuth out-of-scope notes)
openaeon secrets audit
openaeon secrets audit --check
openaeon secrets audit --json
Exit behavior:
  • --check exits non-zero on findings.
  • unresolved refs exit with a higher-priority non-zero code.
Report shape highlights:
  • status: clean | findings | unresolved
  • summary: plaintextCount, unresolvedRefCount, shadowedRefCount, legacyResidueCount
  • finding codes:
    • PLAINTEXT_FOUND
    • REF_UNRESOLVED
    • REF_SHADOWED
    • LEGACY_RESIDUE

Configure (interactive helper)

Build provider + SecretRef changes interactively, run preflight, and optionally apply: 
openaeon secrets configure
openaeon secrets configure --plan-out /tmp/openaeon-secrets-plan.json
openaeon secrets configure --apply --yes
openaeon secrets configure --providers-only
openaeon secrets configure --skip-provider-setup
openaeon secrets configure --json
Flow:
  • Provider setup first (add/edit/remove for secrets.providers aliases).
  • Credential mapping second (select fields and assign {source, provider, id} refs).
  • Preflight and optional apply last.
Flags:
  • --providers-only: configure secrets.providers only, skip credential mapping.
  • --skip-provider-setup: skip provider setup and map credentials to existing providers.
Notes:
  • Requires an interactive TTY.
  • You cannot combine --providers-only with --skip-provider-setup.
  • configure targets secret-bearing fields in openaeon.json.
  • Include all secret-bearing fields you intend to migrate (for example both models.providers.*.apiKey and skills.entries.*.apiKey) so audit can reach a clean state.
  • It performs preflight resolution before apply.
  • Generated plans default to scrub options (scrubEnv, scrubAuthProfilesForProviderTargets, scrubLegacyAuthJson all enabled).
  • Apply path is one-way for migrated plaintext values.
  • Without --apply, CLI still prompts Apply this plan now? after preflight.
  • With --apply (and no --yes), CLI prompts an extra irreversible-migration confirmation.
Exec provider safety note:
  • Homebrew installs often expose symlinked binaries under /opt/homebrew/bin/*.
  • Set allowSymlinkCommand: true only when needed for trusted package-manager paths, and pair it with trustedDirs (for example ["/opt/homebrew"]).

Apply a saved plan

Apply or preflight a plan generated previously: 
openaeon secrets apply --from /tmp/openaeon-secrets-plan.json
openaeon secrets apply --from /tmp/openaeon-secrets-plan.json --dry-run
openaeon secrets apply --from /tmp/openaeon-secrets-plan.json --json
Plan contract details (allowed target paths, validation rules, and failure semantics): What apply may update:
  • openaeon.json (SecretRef targets + provider upserts/deletes)
  • auth-profiles.json (provider-target scrubbing)
  • legacy auth.json residues
  • ~/.openaeon/.env known secret keys whose values were migrated

Why no rollback backups

secrets apply intentionally does not write rollback backups containing old plaintext values. Safety comes from strict preflight + atomic-ish apply with best-effort in-memory restore on failure.

Example

# Audit first, then configure, then confirm clean:
openaeon secrets audit --check
openaeon secrets configure
openaeon secrets audit --check
If audit --check still reports plaintext findings after a partial migration, verify you also migrated skill keys (skills.entries.*.apiKey) and any other reported target paths.