hoziron vault
Credential vault — securely store and manage secrets for integrations and providers.
Synopsis
hoziron vault <subcommand> [options]
Subcommands
| Subcommand | Description |
|---|---|
| `init` | Initialize the credential vault |
| `set <key>` | Store a credential (prompts for value) |
| `list` | List stored keys (values hidden) |
| `remove <key>` | Remove a credential |
hoziron vault init
Initialize the vault storage. Required before first use.
$ hoziron vault init
✓ Vault initialized at ~/.hoziron/vault/
hoziron vault set
Store a credential. The value is prompted interactively (not echoed).
hoziron vault set <key>
Examples
$ hoziron vault set POSTGRES_CONNECTION_URL
? Enter value for POSTGRES_CONNECTION_URL: ********
✓ Stored POSTGRES_CONNECTION_URL
$ hoziron vault set GITHUB_TOKEN
? Enter value for GITHUB_TOKEN: ********
✓ Stored GITHUB_TOKEN
$ hoziron vault set SLACK_BOT_TOKEN
? Enter value for SLACK_BOT_TOKEN: ********
✓ Stored SLACK_BOT_TOKEN
hoziron vault list
List all stored keys. Values are never shown.
$ hoziron vault list
KEY STORED
POSTGRES_CONNECTION_URL 2026-06-01
GITHUB_TOKEN 2026-06-02
SLACK_BOT_TOKEN 2026-06-03
ANTHROPIC_API_KEY 2026-05-28
hoziron vault remove
$ hoziron vault remove GITHUB_TOKEN
✓ Removed GITHUB_TOKEN from vault
How the Vault Works
- Credentials are encrypted at rest in `~/.hoziron/vault/`
- Integration servers receive credentials as environment variables at startup
- Provider keys referenced by `api_key_env` in config are resolved from both the vault and the process environment
- The vault is local to the machine — for container deployments, prefer injecting secrets via the orchestrator's native secrets mechanism (Kubernetes Secrets, Docker Secrets, etc.)
Vault vs Environment Variables
| Approach | Best For |
|---|---|
| Vault | Local development, bare metal, persistent secrets |
| Environment variables | Containers, CI, orchestrator-managed secrets |
Both work. The vault provides convenience for interactive use; env vars are better for automated/ephemeral environments.
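For the container case, the following is an added example (not taken from the hoziron project) of supplying the same key names through a Kubernetes Secret instead of the local vault, with the weak literal-value form shown commented out beside the preferred reference form. The Deployment name, image reference and Secret name `hoziron-credentials` are assumptions, as is the premise that the containerized process reads these variable names from its environment.

```yaml
# Added example (not from the hoziron project). Names marked PLACEHOLDER are assumptions.
#
# Create the Secret out of band so values never land in a manifest or in git, e.g.:
#   kubectl create secret generic hoziron-credentials --from-env-file=./hoziron.env
# where hoziron.env (kept out of version control) holds KEY=value lines.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hoziron                    # PLACEHOLDER deployment name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hoziron
  template:
    metadata:
      labels:
        app: hoziron
    spec:
      containers:
        - name: hoziron
          image: registry.example/hoziron:PLACEHOLDER   # PLACEHOLDER image reference
          env:
            # Weak: a literal value is stored in the manifest, in git history, and is
            # visible to anyone who can read the Deployment object.
            # - name: GITHUB_TOKEN
            #   value: "<token pasted here>"
            #
            # Preferred: reference the Secret; the value is resolved at pod start.
            - name: POSTGRES_CONNECTION_URL
              valueFrom:
                secretKeyRef:
                  name: hoziron-credentials
                  key: POSTGRES_CONNECTION_URL
            - name: GITHUB_TOKEN
              valueFrom:
                secretKeyRef:
                  name: hoziron-credentials
                  key: GITHUB_TOKEN
```

Kubernetes Secrets are only base64-encoded in the API server's datastore unless encryption at rest is enabled for the cluster, so restrict read access to the Secret with RBAC.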
See Also
- config.md — `config set-key` for provider API keys specifically
- integration.md — Integrations that consume vault credentials
- ../data-integration.md — Credential patterns for data access