akua secret

Typed secret operations. Secrets move as refs, never raw bytes.

akua secret <sub> [args]

Subcommands

akua secret add     <name> --from-env=<var> --store=<vault|infisical|sops>
akua secret get     <name> --format=ref       # returns a ref; never raw value
akua secret rotate  <name>
akua secret grant   <name> --to=<service> --scope=<read|write>
akua secret revoke  <name> --from=<service>
akua secret trace   <name>                    # who has access, who's used it
akua secret list    [--store=<name>]
akua secret delete  <name>                    # soft delete; needs approval

JSON output (trace)

{
  "name": "stripe-api-key",
  "store": "vault",
  "ref": "vault://secrets/stripe/api-key",
  "grants": [
    {"service": "checkout", "scope": "read", "granted_at": "2026-01-15"}
  ],
  "last_access": "2026-04-20T14:03:00Z",
  "rotation": {
    "policy": "30d",
    "last_rotated": "2026-04-15",
    "next_due": "2026-05-15"
  }
}
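
An added example (not part of the akua documentation): a Python check over the trace JSON above that flags a ref whose scheme does not match the store, an inconsistent or overdue rotation date, write grants, and grants on a secret that has gone unread. The field meanings, the "<N>d" policy format, the finding names and the 90-day idle threshold are assumptions inferred from the sample.

```python
import json
from datetime import date, datetime, timedelta

# Trace document copied from the sample output on this page.
SAMPLE_TRACE = json.loads("""
{"name": "stripe-api-key", "store": "vault",
 "ref": "vault://secrets/stripe/api-key",
 "grants": [{"service": "checkout", "scope": "read", "granted_at": "2026-01-15"}],
 "last_access": "2026-04-20T14:03:00Z",
 "rotation": {"policy": "30d", "last_rotated": "2026-04-15", "next_due": "2026-05-15"}}
""")

def audit_trace(trace, today, idle_days=90):
    """Return a list of finding strings for one trace document."""
    findings = []
    # The ref should be a URI whose scheme names the same backend as "store".
    scheme, sep, _ = trace["ref"].partition("://")
    if not sep or scheme != trace["store"]:
        findings.append("ref-store-mismatch")

    rot = trace["rotation"]
    last = date.fromisoformat(rot["last_rotated"])
    due = date.fromisoformat(rot["next_due"])
    policy = rot["policy"]
    # Assumption: policy is "<N>d"; anything else is reported, not guessed at.
    if policy.endswith("d") and policy[:-1].isdigit():
        if last + timedelta(days=int(policy[:-1])) != due:
            findings.append("next-due-inconsistent")
    else:
        findings.append("policy-unparsed")
    if today > due:
        findings.append("rotation-overdue")

    for grant in trace["grants"]:
        if grant["scope"] == "write":
            findings.append("write-grant:" + grant["service"])

    # Grants on a secret nobody has read recently are candidates for revoke.
    seen = datetime.fromisoformat(trace["last_access"].replace("Z", "+00:00")).date()
    if trace["grants"] and (today - seen).days > idle_days:
        findings.append("grants-idle")
    return findings

if __name__ == "__main__":
    print(audit_trace(SAMPLE_TRACE, date(2026, 4, 21)))
```

The page does not show which flag makes trace emit JSON, so the example reads an embedded copy of the sample instead of invoking the CLI.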