Vault & Signals
The kis-dev toolset ships two more capabilities: vault, a secrets-management
subsystem with an agent, audit log, and PKI, and signal, for resuming
suspended workflows. Invoke them as kis-dev vault … and kis-dev signal ….
Run kis-dev vault <cmd> --help for the flags on any subcommand.
kis vault
Section titled “kis vault”What it is. A local vault-agent-fronted secrets store with a hash-chained audit log, workload identity, JWT minting, node bootstrap tokens, and a cluster root CA. It’s the platform’s equivalent of a secrets manager / PKI; the CLI is a thin client over a local agent that attests the calling workload.
When to reach for it. Reading/writing platform secrets, managing workload identities and node tokens, inspecting the audit trail, or rotating the cluster CA.
Secrets
Section titled “Secrets”kis-dev vault get <name> # Read the named secret (the agent attests the calling shell)kis-dev vault put <name> [value] # Write the named secret (value read from elsewhere if omitted)kis-dev vault delete <name> # Remove the secret (recorded in the audit log)kis-dev vault exists <name> # Exit 0 if it exists, 1 if not, 2 on errorIdentity, tokens & policy
Section titled “Identity, tokens & policy”| Command | Description |
|---|---|
identity | A registration entry binds workload selectors (binary path, …), subcommands list, register, revoke |
jwt | Mints a JWT through the local agent for the requested audience |
node-token | Single-use token for a new node joining the cluster, issue, list, revoke |
policy | Inspect and lint access policy, lint |
signer | Inspect and test the configured Signer, test |
Audit, backend, CA & status
Section titled “Audit, backend, CA & status”| Command | Description |
|---|---|
audit | Inspect the hash-chained audit log, query, verify |
backend | Manage the storage backend, migrate |
root | Privileged commands that manipulate the cluster’s root CA, rotate-plan, rotate-execute |
migrate-service | Emits a step-by-step runbook for migrating a service |
status | Prints the local vault-agent’s view of cluster health |
kis signal
Section titled “kis signal”What it is. Sends a signal to a suspended workflow Wait node. A
flow can pause at a Wait node; a signal (by name) resumes it, this is
how an external event hands control back to a waiting workflow.
kis-dev signal <signal-name> ... # resume a suspended workflow Wait nodeRun kis-dev signal --help for how the target workflow/instance is addressed and the
payload format.