Vault configuration

| Variable | Description |
| --- | --- |
| AIVAULT_DIR | Override the vault root directory (default: ~/.aivault/data/vault) |
| AIVAULT_KEY | Vault master key (base64-encoded, for the env key provider) |
| AIVAULT_DISABLE_DISK_LOGS | Set to 1 to suppress audit log writes to disk |

Daemon configuration

| Variable | Default | Description |
| --- | --- | --- |
| AIVAULTD_DISABLE | 0 | Set to 1 to run broker in-process (skip daemon) |
| AIVAULTD_AUTOSTART | 1 | Set to 0 to require daemon already running |
| AIVAULTD_AUTOSTART_ONCE | 0 | Set to 1 to auto-start aivaultd with --once (serve one request then exit). Enabled automatically when AIVAULT_DIR is set. |
| AIVAULTD_SOCKET | ~/.aivault/run/aivaultd.sock | Override the daemon unix socket path. When unset, the CLI tries the per-user socket first and then a well-known shared socket (macOS: /Users/Shared/aivault/run/aivaultd.sock, Linux: /var/run/aivault/aivaultd.sock). Default is $AIVAULT_DIR/run/aivaultd.sock when AIVAULT_DIR is set. |
| AIVAULTD_SOCKET_MODE | 0600 | Override the daemon unix socket file mode (octal), e.g. 0660 to allow group access |
| AIVAULTD_SOCKET_DIR_MODE | 0700 | Override the daemon unix socket directory mode (octal), e.g. 0750 to allow group traversal |

Development / testing

These variables are for local and e2e testing only. Do not use them in production. In release builds, the dev-only escape hatches are disabled to avoid foot-guns. If any of these are set, aivault will fail closed with an error:
  • AIVAULT_DEV_ALLOW_HTTP_LOCAL
  • AIVAULT_DEV_ALLOW_NON_DEFAULT_PORTS
  • AIVAULT_DEV_ALLOW_REMOTE_CLIENTS
  • AIVAULT_DEV_HTTP1_ONLY
  • AIVAULT_DEV_CA_CERT_PATH
  • AIVAULT_DEV_RESOLVE

| Variable | Description |
| --- | --- |
| AIVAULT_DEV_RESOLVE | Override DNS resolution with host=ip:port pairs (comma-separated) |
| AIVAULT_DEV_CA_CERT_PATH | Path to a PEM CA/root certificate for local TLS testing |
| AIVAULT_DEV_ALLOW_NON_DEFAULT_PORTS | Set to 1 to allow explicit host:port authorities |
| AIVAULT_DEV_HTTP1_ONLY | Set to 1 to force HTTP/1.1 for simple local listeners |
| AIVAULT_DEV_ALLOW_HTTP_LOCAL | Set to 1 to allow http://localhost-style upstreams for local testing (debug builds only) |
| AIVAULT_DEV_ALLOW_REMOTE_CLIENTS | Set to 1 to allow non-loopback --client-ip values (debug builds only) |
| AIVAULT_DEV_FORCE_DEFAULT_FILE_PROVIDER | Set to 1 to force vault auto-init to use the file provider (useful for CI/headless macOS) |
| AIVAULT_E2E_NETWORK | Set to 1 to enable e2e tests that hit real upstream APIs |
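
A pre-deployment check for the daemon socket modes and the fail-closed dev variables described above, as an added example (not part of aivault or its documentation). The function names, treating "set" as "present even if empty", and treating world-accessible or non-octal socket modes as blocking are assumptions of this example.

```shell
# Constructed pre-deployment check; not part of aivault.
DEV_FAIL_CLOSED="AIVAULT_DEV_ALLOW_HTTP_LOCAL AIVAULT_DEV_ALLOW_NON_DEFAULT_PORTS
AIVAULT_DEV_ALLOW_REMOTE_CLIENTS AIVAULT_DEV_HTTP1_ONLY
AIVAULT_DEV_CA_CERT_PATH AIVAULT_DEV_RESOLVE"

# Print every listed dev variable that is present in the environment.
# Assumption: "set" means present, even with an empty value.
dev_vars_set() {
    for name in $DEV_FAIL_CLOSED; do
        if eval "[ -n \"\${$name+x}\" ]"; then echo "$name"; fi
    done
}

# Classify an octal mode: "invalid", "world" (any other-bits), "group"
# (group bits but no other-bits, e.g. 0660 / 0750), or "owner-only".
classify_mode() {
    case "$1" in
        ''|*[!0-7]*) echo invalid; return ;;
    esac
    m=$(( 0$1 ))                      # leading 0 forces octal parsing
    if [ $(( m & 7 )) -ne 0 ]; then echo world
    elif [ $(( m & 56 )) -ne 0 ]; then echo group   # 56 = octal 070
    else echo owner-only
    fi
}

# Run all checks; print findings and return non-zero if any are blocking.
audit_aivault_env() {
    rc=0
    for name in $(dev_vars_set); do
        echo "BLOCK: $name is set; release builds fail closed"; rc=1
    done
    if [ "${AIVAULT_DISABLE_DISK_LOGS:-}" = 1 ]; then
        echo "WARN: AIVAULT_DISABLE_DISK_LOGS=1 suppresses on-disk audit logs"
    fi
    for pair in "AIVAULTD_SOCKET_MODE:${AIVAULTD_SOCKET_MODE:-0600}" \
                "AIVAULTD_SOCKET_DIR_MODE:${AIVAULTD_SOCKET_DIR_MODE:-0700}"; do
        case "$(classify_mode "${pair#*:}")" in
            invalid) echo "BLOCK: ${pair%%:*}=${pair#*:} is not octal"; rc=1 ;;
            world)   echo "BLOCK: ${pair%%:*}=${pair#*:} grants access to all users"; rc=1 ;;
            group)   echo "WARN: ${pair%%:*}=${pair#*:} grants group access" ;;
        esac
    done
    return $rc
}
```

Source the file and call `audit_aivault_env` in the same shell or service wrapper that launches aivault, so it sees the environment the process will inherit.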

Example: isolated test environment

export AIVAULT_DIR="$(mktemp -d)"
export AIVAULTD_DISABLE=1
aivault status
aivault secrets create --name OPENAI_API_KEY --value sk-test --scope global
aivault invoke openai/chat-completions --body '...'