// cli · 02

CLI — providers, auth and config

Everything about providers, authentication, effective config and conformance. Secrets always go to .env; the rest to okami.local.yaml (a non-destructive override).

okami provider

Provider management (arrow-key menus). With no subcommand, lists providers and readiness.

okami provider addadd a catalog preset (--default sets it as default)
okami provider listlist providers and readiness (= okami providers)
okami provider remove <id>remove a provider from okami.yaml
okami provider default <id>switch the default (writes an override to local)
okami provider login <id>shortcut for okami login <id>
okami provider models [id]list models LIVE via /models, else the catalog

okami login

Authenticates a subscription provider (device flow / official CLI). Hard policy: Claude and Codex are always subscription (OAuth/CLI), never pay-as-you-go.

params <provider> arg Provider to authenticate (e.g. codex, minimax). Claude uses the already-logged-in claude CLI.

okami auth

Authentication profiles — metadata, no secret: kind (oauth/cli/api_key), tier, subscription, status and where the credential lives (never the value).

okami authlist the auth profiles (= okami auth list)
okami auth status [--json]status for monitoring/CI

okami config

Effective config (okami.yaml + okami.local.yaml, secrets masked). With no subcommand opens an interactive panel. set auto-routes: UPPERCASE key → .env; a literal sensitive dotted key → refused (use ${ENV}).

params show [--diff] subcmd Effective config (--diff shows only the overrides). get <key> [--raw] subcmd Read a value; a secret is masked (--raw shows the raw value). set <key> <value> [--project] subcmd Set a value (secret→global .env; --project uses the project .env). unset <key> subcmd Remove an override (doesn't touch the base okami.yaml). path subcmd Show where the files live (incl. the global .env). edit [--base] subcmd Open in $EDITOR (--base opens okami.yaml instead of the override). check subcmd Validate that the config loads and point out what's missing (lite doctor).

okami policy

Authored conformance (okami.policy.yaml). CI runs check as a gate. See Operate → Security.

params check [--strict] [--json] [--policy <file>] subcmd Evaluate config+workspace; --strict = production/GA posture; exit≠0 on failure. init [--force] subcmd Create a baseline okami.policy.yaml for you to author. show [--strict] subcmd Show the effective policy (baseline + authored).

okami doctor

Diagnoses config, keys, connectivity, toolchain (git/uv/node/docker/claude), SQLite FTS5, embedder and sandbox. Your first command when something's off.

params --fix flag Repairs stale lock, .env perms (→0600), temp files. --json flag Structured report + health (monitoring/CI). --lint flag Security-POSTURE lint (pass/warn/fail).

okami status

Resolved view: agent, model, providers, memory, approval, persona, voice, auto-skill — with accumulated session tokens and cost. --json for machines.

Open this page in the interactive docs