Current v0.2.1 surfaces are the local CLI, source ESM library exports, local stdio MCP, and remote Streamable HTTP MCP at /mcp. There is no public REST API or separately published SDK package yet; MCP tools are the agent-facing API.
The CLI is the local operator surface. It installs local bundles, runs the setup wizard, syncs host profiles, audits repositories, resolves capability visibility, inspects installed skills, and starts the remote service when you self-host.
Admit a local SKILL.md bundle. The command collects sibling resources, rejects symlinks, validates, signs, records local provenance, and can refresh profile links.
Regenerate local filesystem-native profile links for detected or configured host skill roots. Reports restart_required: true when symlinks change so the operator knows to reload their agent session. Remote mode cannot perform this on client machines.
Interactive wizard that scans the vault, the bundled skills root, and any discovered native agent skill roots (~/.claude/skills, ~/.codex/skills, ~/.cursor/skills), then offers a per-skill adoption decision. The wizard requires a TTY; without one it exits with code 2 and a NoTtyError. Re-run any time to re-scan. Three adoption modes: augment (safe default) refreshes profile symlinks only — existing native dirs are not touched; backup renames each native dir to <root>.bak/<name>, admits the bytes into the vault, then replaces the original with a managed symlink (the typical “import my skills” choice); in-place admits the bytes then removes the native dir and replaces with a symlink — destructive, no backup. After adoption the wizard runs sync-profiles, which emits restart_required: true when symlinks change.
Inspect local vault health, installed skill integrity, ignored OS/editor metadata, and profile visibility. --clean removes ignored OS/editor metadata. --repair re-signs unsigned local skills only — it refuses tampered metadata and remote sources. --json emits a structured report with repair_status per skill.
Walk a repository for vendored SKILL.md files, validate each through the same admission gate the vault uses, and emit a report. Useful for CI checks that block merging unsigned or invalid skills.
Ingest a curated AutoHub bundle into the vault. Applies tool filters and an optional MCP-server descriptor. --reset clears prior import state before importing.
Resolve which skills are visible to a given caller, platform, channel, and query. This exposes the same capability resolution the MCP server runs internally. Output is JSON; --channel is optional, the rest are required.
List installed skills as JSON, with each skill’s declared bin.* action names. Reserved action names (list, search, which) cannot be declared as bin actions.
Run local metadata text search over installed skills. Searches names, descriptions, tags, categories, and when-to-use metadata; embedding-backed semantic search is future work.
Print the resolved script path(s) for a skill without running them. Verifies the signed manifest before parsing. With <action>, prints the single command/args/cwd for that action; without, prints all declared actions.
Generic dispatch that delegates to the named skill’s bin.<action> handler. The skill’s signed manifest declares which actions exist; list, search, and which are reserved.
Start the remote Streamable HTTP MCP service. Set AUTOVAULT_MODE=remote, AUTOVAULT_PUBLIC_URL, admin credentials, and storage path before exposing it.
Two distinct groups. The first is honored by the <code>autovault</code> CLI binary at runtime (parsed in <code>src/config.ts</code>). The second is read only by <code>scripts/install.sh</code> during the initial install; the CLI does not read these.
Set these before invoking the autovault CLI or starting autovault serve. Logs are JSON lines on stderr only; stdout is reserved for MCP framing — never write to stdout from server code.
~/.autovaultVault root directory. Default if unset.<storage>/autovault.sqliteOverride the SQLite index location; defaults under the storage path.local | remotelocal runs the stdio MCP server. Set to remote before autovault serve.https://<host>Required when running autovault serve behind a reverse proxy. Must match the externally visible URL.3000Listen port for the remote MCP service. Some platforms inject PORT instead; check your host.agent=/path,…Override discovered profile roots. Comma-separated agent=/path pairs.trueWhen true (default), security-flag hits block admission. Set false to downgrade them to warnings.infoOne of debug / info / warn / error. JSON-line output on stderr.textSearch backend. Today only text is supported; embedding-backed search is future work.Read only by scripts/install.sh during the initial install. The autovault binary does not parse these — they shape the installer's interactive flow.
1Skip launching the setup wizard at install time; the installer prints a hint to run autovault setup from a terminal afterward.1Accept default answers in the installer's non-prompt branches. Referenced in the NoTtyError message setup prints when invoked without a TTY.1Skip bootstrap-skills.mjs. No bundled skills are installed. Primarily for development.The source package exports the same storage, validation, profile-sync, and capability-resolution helpers used by the CLI and MCP server. This is useful for local integrations built from the repository; it is not a separately documented public SDK package.
Resolve tools, skills, and MCP servers for a scoped caller request. Unknown callers fail closed unless mapped to a restricted profile.
Grouped source exports for installing from configured sources, validating caller-authored SKILL.md bytes, or refreshing an installed skill. MCP tools wrap these same helpers.
Regenerate per-agent and tag-filtered profile symlinks from installed skill metadata and optional profile config.
MCP tools are the agent-facing API. Local hosts spawn the stdio server; remote clients connect to Streamable HTTP MCP at <code>/mcp</code> with OAuth and role-aware filtering.
Search by query or fetch one installed skill by name. Pass include_resources when packaged resource files are needed.
Install a known skill from GitHub, agentskills, HTTPS URL, or local bundle source. Caller-authored bytes should use propose_skill instead.
Submit newly authored SKILL.md content for validation, security scan, capability cross-check, deduplication, signing, and storage.
Compare installed skills against recorded upstream source state and report drift, unchecked inline skills, warnings, and errors.