# squadron vars

Manage configuration variables.

Variables are stored in an encrypted vault at `.squadron/vars.vault` and can be referenced in HCL configs using `vars.name`. The vault is initialized automatically the first time you run `squadron engage`.

## Commands

### vars set

Set a variable value.

```bash
squadron vars set <name> <value>
```

Example:

```bash
squadron vars set anthropic_api_key sk-ant-api03-...
```

### vars get

Get a variable value.

```bash
squadron vars get <name>
```

Example:

```bash
squadron vars get anthropic_api_key
# Output: sk-ant-api03-...
```

### vars list

List all variables.

```bash
squadron vars list
```

Example output:

```
anthropic_api_key = sk-ant-*** (secret)
openai_api_key = sk-*** (secret)
app_name = myapp
```

### vars change-passphrase

Change the vault encryption passphrase.

```bash
squadron vars change-passphrase
squadron vars change-passphrase --new-passphrase-file /path/to/new-passphrase
```

### vars export

Export all variables as plaintext (use with caution).

```bash
squadron vars export
```

## Using Variables in HCL

Define a variable:

```hcl
variable "anthropic_api_key" {
  secret = true  # Masks value in output
}

variable "app_name" {
  default = "myapp"  # Optional default
}
```

Reference variables:

```hcl
model "anthropic" {
  api_key = vars.anthropic_api_key
}
```

## Encryption

Variables are encrypted at rest using AES-256-GCM with an Argon2id-derived key. The encryption passphrase is stored in your OS keychain (macOS Keychain, Linux Secret Service/KeyCtl, Windows Credential Manager) and never written to disk.

The vault is initialized automatically the first time you run [squadron engage](/cli/engage).