akua vendor

Shipped

Materialize and inspect the workspace vendor tree at .akua/vendor/.

akua vendor <subcommand> [flags]

Subcommands:

• add <name> — copy the declared dependency into .akua/vendor/<name>/ and pin its digest in akua.lock. The dependency must already exist in [dependencies]; otherwise the command fails with a suggestion to declare it in akua.toml. Works for path, oci, git, and helm (repo) deps alike — the resolver's vendor-first lookup is universal across all four source kinds, so once added, the canonical source can be deleted and akua render still succeeds via the vendored bytes.
• check — compare the on-disk vendor trees against akua.toml + akua.lock. Drift exits with code 1.
• list — enumerate on-disk vendor trees, including orphaned entries.

add honors the universal write-contract flags: --plan, --timeout, and --idempotency-key. check and list are read-only.

Auth flags (private git remotes)

vendor add accepts credentials at the call site for fetching private git deps. Akua never reads ambient credential files (~/.netrc, ~/.docker/config.json, env vars) — the SDK and CLI surface are the only auth sources. See E_MANIFEST_GIT_USERINFO for why credentials in akua.toml URLs are rejected.

--auth-file shape:

[auth]
"akua-git.cnap.tech" = { username = "svc", password = "tok" }
"akua-git.cnap.tech/org-A" = { username = "org-A", password = "tokA" }

Lockfile guarantee: regardless of the credential used to fetch, akua.lock's source field stores the canonicalized URL with userinfo, default ports, and .git suffix stripped. Credentials never leak into akua.lock.

See examples/12-vendor-offline/ for the end-to-end offline-render contract demonstrated against a path dep with the canonical source deleted.