CLI Reference¶

Complete reference for every pm command. For flags and options, run pm <command> --help.

Vault Lifecycle¶

`pm setup`¶

Run the guided setup flow for a new or existing vault.

pm setup
pm setup --non-interactive

pm setup creates the vault directory structure, initializes a vault if none exists, recommends a profile based on detected hardware, asks for the encryption method for new vaults, then walks through spaces, plugins, and cloud sync.

`pm unlock`¶

Start a session and decrypt the vault.

pm unlock

Prompts for master password, session duration, inactivity timeout, and optional read-only mode. Also unlocks the autofill daemon if running.

`pm lock`¶

End the active session and wipe decrypted data.

pm lock

Destroys the session file and locks the autofill daemon.

Entry Operations¶

`pm add`¶

Add a new entry via the interactive type selector.

pm add

Presents a menu of 25+ entry types. Each type has a structured form with validated fields. Entries inherit the active space.

`pm get [query]`¶

Search the vault with fuzzy matching.

pm get github
pm get "aws root"
pm get --show-pass

Returns an interactive browser with keyboard controls for viewing, copying, editing, and deleting.

`pm gen`¶

Generate a high-entropy password.

pm gen

Displays and copies the generated password to clipboard.

Spaces¶

`pm space create <name>`¶

pm space create Work

`pm space list`¶

pm space list

`pm space switch <name>`¶

pm space switch Work

`pm space current`¶

pm space current

`pm space remove <name>`¶

pm space remove Archive

TOTP¶

`pm totp`¶

Open the interactive TOTP list with live codes and countdown timers.

pm totp

`pm totp <entry>`¶

Copy a specific TOTP code.

pm totp github

`pm autocomplete link-totp`¶

Link a TOTP entry to a domain for autofill.

pm autocomplete link-totp

Cloud Sync¶

`pm cloud init [provider]`¶

Configure a cloud provider.

pm cloud init gdrive
pm cloud init github
pm cloud init dropbox
pm cloud init all

`pm cloud sync [provider]`¶

Upload the vault to configured providers.

pm cloud sync
pm cloud sync gdrive
pm cloud sync github
pm cloud sync dropbox

`pm cloud get [provider]`¶

Download the remote vault blob.

pm cloud get
pm cloud get gdrive
pm cloud get github

`pm cloud autosync`¶

Run periodic sync loops.

pm cloud autosync

`pm cloud reset`¶

Clear all cloud provider configuration.

pm cloud reset

Notes & Vocabulary¶

`pm vocab enable|disable|status`¶

Toggle vocabulary indexing.

pm vocab enable
pm vocab disable
pm vocab status

`pm vocab`¶

List all indexed words with scores.

`pm vocab alias <alias> <value>`¶

Create or update an alias.

pm vocab alias k8s kubernetes

`pm vocab alias-list`¶

List all aliases.

`pm vocab alias-remove <alias>`¶

Remove an alias.

pm vocab alias-remove k8s

`pm vocab rank <word> <delta>`¶

Adjust a word's ranking score.

pm vocab rank deploy +5
pm vocab rank temp -3

`pm vocab remove <word>`¶

Remove a word from the vocabulary.

pm vocab remove obsolete

`pm vocab reindex`¶

Rebuild the vocabulary from current notes.

pm vocab reindex

Autofill (Windows)¶

`pm autofill start|stop|status`¶

pm autofill start
pm autofill start --hotkey "ctrl+alt+p"
pm autofill stop
pm autofill status

`pm autofill list-profiles`¶

List all autofill profiles derived from vault entries.

`pm autocomplete enable|disable`¶

Register or remove autostart.

pm autocomplete enable
pm autocomplete disable

`pm autocomplete start|stop|status`¶

Manual daemon control.

`pm autocomplete window enable|disable|status`¶

Toggle popup hints.

Sessions¶

`pm session issue`¶

Issue an ephemeral delegated session.

pm session issue --label "CI" --scope read --ttl 15m --bind-host

`pm session list`¶

List active ephemeral sessions.

`pm session revoke <id>`¶

Revoke an ephemeral session.

Shell Injection¶

`pm inject`¶

Inject one or more vault entries into the current shell session as environment variables.

pm inject --inject github,aws-prod

If --inject is omitted, APM searches for a .apminject file from the current directory upward.

Use shell evaluation so the exports apply to the current shell:

eval "$(pm inject --inject github)"

On PowerShell:

pm inject --inject github | Invoke-Expression

`pm inject kill`¶

Remove the injected variables for the active inject session.

eval "$(pm inject kill)"

`pm inject setup-shell`¶

Install an inject() shell helper into the detected shell config so you can use inject ... directly without typing eval every time.

Authentication & Recovery¶

`pm auth email [address]`¶

Set recovery email.

pm auth email user@example.com

`pm auth alerts`¶

Toggle security alerts.

`pm auth level [1-3]`¶

Set security level.

pm auth level 2

`pm auth recover`¶

Initiate account recovery.

`pm auth reset`¶

Reset authentication configuration.

`pm auth change`¶

Change master password.

MCP¶

`pm mcp token`¶

Generate a new MCP token with permission scopes.

`pm mcp serve`¶

Start the MCP server (spawned by AI clients).

pm mcp serve --token TOKEN

`pm mcp list`¶

List all MCP tokens.

`pm mcp revoke [name_or_token]`¶

Revoke an MCP token.

`pm mcp config`¶

Output configuration hints for known AI clients.

Plugins¶

`pm plugins market`¶

Browse the plugin marketplace.

`pm plugins search <query>`¶

Search the marketplace.

`pm plugins install <name>`¶

Install a plugin from the marketplace.

`pm plugins installed`¶

List locally installed plugins.

`pm plugins local <path>`¶

Install a plugin from a local directory.

`pm plugins push <name>`¶

Publish a plugin to the marketplace.

`pm plugins access`¶

Show permission overrides for all plugins. Interactive space-key toggle list for enabling/disabling permissions.

`pm plugins access <plugin> <permission> on|off`¶

Toggle a specific permission.

Security & Profiles¶

`pm profile`¶

Profile management namespace for changing encryption parameters.

pm profile list
pm profile current
pm profile set hardened
pm profile edit
pm profile create custom-x

Built-in profile changes use pm profile set. Custom tuning, including the encryption method, is available through pm profile edit and pm profile create.

`pm cinfo`¶

Display cryptographic information including profile, cipher, nonce size, and vault version.

Health & Trust¶

`pm health`¶

Run vault health checks and display a score.

`pm trust`¶

Show per-secret trust/risk scoring.

Audit¶

`pm audit`¶

View the audit log.

Brute Force Testing¶

`pm brutetest [minutes]`¶

Run a brute-force simulation against the vault.

pm brutetest 5

Import & Export¶

`pm import <format> [file]`¶

pm import json backup.json
pm import csv passwords.csv
pm import txt vault.txt

`pm export <format>`¶

pm export json
pm export json --encrypt
pm export csv
pm export txt
pm export txt --no-password

Utility¶

`pm info`¶

Display version and environment info.

`pm update`¶

Self-update the binary.

`pm policy load <dir>`¶

Load YAML policy files from a directory.

pm policy load ./policies/

CLI Reference¶

Vault Lifecycle¶

pm setup¶

pm unlock¶

pm lock¶

Entry Operations¶

pm add¶

pm get [query]¶

pm gen¶

Spaces¶

pm space create <name>¶

pm space list¶

pm space switch <name>¶

pm space current¶

pm space remove <name>¶

TOTP¶

pm totp¶

pm totp <entry>¶

pm autocomplete link-totp¶

Cloud Sync¶

pm cloud init [provider]¶

pm cloud sync [provider]¶

pm cloud get [provider]¶

pm cloud autosync¶

pm cloud reset¶

Notes & Vocabulary¶

pm vocab enable|disable|status¶

pm vocab¶

pm vocab alias <alias> <value>¶

pm vocab alias-list¶

pm vocab alias-remove <alias>¶

pm vocab rank <word> <delta>¶

pm vocab remove <word>¶

pm vocab reindex¶

Autofill (Windows)¶

pm autofill start|stop|status¶

pm autofill list-profiles¶

pm autocomplete enable|disable¶

pm autocomplete start|stop|status¶

pm autocomplete window enable|disable|status¶