管理 vault 数据¶

CLI 增删改查。5 层都有统一命令格式：vault <layer> <verb> <slug>。

列 / 看¶

vault person list
vault platform list [--category <vendor|government|bank|...>]
vault account list [--platform <slug>] [--owner <person-slug>]
vault credential list [--account <slug>] [--kind <ak_sk|password|...>]
vault resource list [--platform <slug>] [--type <type>] [--account <slug>]

vault person show <slug>
vault platform show <slug>
vault account show <slug>                  # slug = <platform>/<name>
vault credential show <slug> [--unmask] [--field <name>]
vault resource show <ref>                  # ref = <platform>/<type>/<id>

所有 list / show 都支持 --json 输出给脚本用。

增 / 改 / 删¶

vault <layer> add  <slug>             # 打开 $EDITOR 填模板
vault <layer> edit <slug>             # 打开 $EDITOR 改现有
vault <layer> rm   <slug> [-y]        # 删（带确认）

例：

vault person add wife-lin             # 新 person
vault account add aliyun/new-sub      # 新账号
vault credential add new-token        # 新钥匙
vault resource add aws-cloud/ec2/i-xxxx

脱敏¶

vault credential show <slug> 默认脱敏输出（****abcd）。加 --unmask 打印明文：

vault credential show aliyun-main --unmask          # 整份明文
vault credential show aliyun-main --unmask --field access_key_id  # 单字段

list / --json 输出始终脱敏。

关系校验¶

vault check

扫所有 account/credential/resource，检查：

account.owner_ref → persons/.json 存在
account.platform → platforms/.json 存在
credential.account_ref → accounts/… 存在
resource.account_ref or owner_ref 至少一个有效
resource.attachments[].path → data/files/ 下文件存在

全通过 → 退出码 0；有问题 → 退出码 1 + 列清单。

反查¶

vault who-uses <credential-slug>        # 扫工作区所有 vault.json
vault who-uses <resource-ref>

存储布局¶

data/
  persons/<slug>.json
  platforms/<slug>.json
  accounts/<platform>/<name>.json
  credentials/<slug>.json                 # slug 扁平
  resources/<platform>/<type>/<id>.json
  files/                                  # 字节存储，由 resource.attachments 引用

凭证字段约定（按 kind）¶

kind	values 字段
`ak_sk`	access_key_id, access_key_secret
`api_token`	token
`openapi_app`	app_id, app_private_key, alipay_public_key / platform_public_key
`oauth_token`	access_token, refresh_token, expires_at
`password`	username, password
`private_key`	private_key, key_type, key_use
`hardware_token`	serial, pin, ...
`pin`	pin
`certificate`	cert, key, chain