CLI commands for the auth group: manage stored provider credentials.
These subcommands mirror the in-TUI /auth modal verbs so credentials can be
managed non-interactively (dotfile bootstrap, CI, remote boxes) without
launching the Textual app:
auth list — one row per known provider with its resolution status.auth set <provider> — store an API key read from stdin (preferred) or,
with --from-env VAR, copied from a process environment variable.auth remove <provider> — delete a stored credential (aliases rm/delete).auth status <provider> — print the resolution source (stored,
env: VAR, missing, ...) for one provider.auth path — print the resolved auth.json path.Security notes:
set defaults to
reading from stdin so the key never lands in shell history or argv, and it
refuses an interactive TTY (use --from-env instead) so an accidental
invocation cannot hang waiting on input.set routes through auth_store.set_stored_key, so chmod warnings from the
same WriteOutcome path the TUI uses are surfaced on stderr.Help rendering for a bare auth invocation is served by ui.show_auth_help,
which does not import this module. The heavy model_config imports here are
function-local so a bare auth/auth -h invocation stays on the startup fast
path (parse_args imports this module only for its light top-level imports).