Skip to content

avp-protocol/avp-cli

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
.github/workflows
.github/workflows
 
 
src/avp_cli
src/avp_cli
 
 
tests
tests
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

AVP Shield

avp-cli

Command-line interface for Agent Vault Protocol
Store · Retrieve · Migrate · All platforms

Release CI License

Overview

avp is the official command-line tool for the Agent Vault Protocol. It lets you store, retrieve, and migrate secrets across backends — from encrypted files to hardware secure elements.

Installation

pip (Recommended)

pip install avp-cli

From Source

git clone https://github.com/avp-protocol/avp-cli.git
cd avp-cli
pip install -e .

Quick Start

Store a secret

avp store anthropic_api_key "sk-ant-..." --backend file

Retrieve a secret

avp get anthropic_api_key
# sk-ant-...

List secrets

avp list
# anthropic_api_key    file     2026-02-18
# openai_api_key       keychain 2026-02-15

Delete a secret

avp delete anthropic_api_key

Migration

Upgrade your security without changing agent code:

# Step 1: Migrate from file to OS keychain (free, blocks 90% of attacks)
avp migrate --from file --to keychain

# Step 2: Migrate from keychain to hardware (FIPS 140-3 Level 3)
avp migrate --from keychain --to hardware

Each migration is verifiable — the CLI compares source and destination before deleting the source.

Backend Configuration

File Backend

avp config set backend file
avp config set file.path ~/.avp/secrets.enc
avp config set file.cipher chacha20-poly1305

Keychain Backend

avp config set backend keychain
# Uses macOS Keychain, Windows Credential Manager, or libsecret on Linux

Hardware Backend

avp config set backend hardware
avp config set hardware.device /dev/ttyUSB0
# or auto-detect
avp config set hardware.device auto

Remote Backend

avp config set backend remote
avp config set remote.url https://vault.company.com
avp login  # Opens browser for auth

Commands

Command Description
avp store <name> <value> Store a secret
avp get <name> Retrieve a secret
avp delete <name> Delete a secret
avp list List all secrets
avp rotate <name> Rotate a secret
avp migrate Migrate between backends
avp config View/set configuration
avp discover Show vault capabilities
avp login Authenticate to remote vault
avp logout End session

Environment Variables

AVP_CONFIG      # Config file path (default: ~/.avp/config.toml)
AVP_BACKEND     # Backend type: file, keychain, hardware, remote
AVP_WORKSPACE   # Workspace name (default: "default")
AVP_DEBUG       # Enable debug logging

Shell Integration

Bash/Zsh

# Add to ~/.bashrc or ~/.zshrc
eval "$(avp completion bash)"

Fish

avp completion fish | source

PowerShell

avp completion powershell | Out-String | Invoke-Expression

Security

  • Secrets are never logged or written to shell history
  • Values can be piped: avp get key | xargs -I {} curl -H "Authorization: {}"
  • Interactive PIN entry for hardware backends
  • Session tokens stored in OS keychain

Contributing

See CONTRIBUTING.md for development setup.

License

Apache 2.0 — see LICENSE.

Specification · Issues

About

Command-line interface for Agent Vault Protocol

avp-protocol.github.io/website/docs/cli.html

Topics

python cli command-line avp credential-management

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages