generic-ml-cache-cli 0.4.0__tar.gz → 0.5.0__tar.gz

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: generic-ml-cache-cli
-Version: 0.4.0
+Version: 0.5.0
 Summary: Terminal UI for generic-ml-cache: the gmlcache command. A thin inbound driver over generic-ml-cache-core -- reads config, provides the data source, maps commands onto the core library.
 Project-URL: Homepage, https://github.com/danielslobozian/generic-ml-cache
 Project-URL: Repository, https://github.com/danielslobozian/generic-ml-cache
@@ -24,7 +24,7 @@ Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Utilities
 Requires-Python: >=3.9
 Requires-Dist: argcomplete<4,>=3
-Requires-Dist: generic-ml-cache-core>=0.4.0
+Requires-Dist: generic-ml-cache-core>=0.5.0
 Provides-Extra: dev
 Requires-Dist: coverage>=7; extra == 'dev'
 Requires-Dist: pytest-cov; extra == 'dev'
@@ -80,7 +80,7 @@ gmlcache doctor | models | status | init                     # environment & con
 `gmlcache` is the terminal client — one inbound driver over the engine. The whole cache
 logic and every adapter live in
 [`generic-ml-cache-core`](https://github.com/danielslobozian/generic-ml-cache/tree/main/packages/core),
-a **stateless, dependency-free** library. To embed the cache in your own application
+a **stateless** library. To embed the cache in your own application
 instead of driving it from a terminal, depend on the core and inject your own data
 source — you never reimplement the adapters.
 

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.5.0}/README.md

@@ -45,7 +45,7 @@ gmlcache doctor | models | status | init                     # environment & con
 `gmlcache` is the terminal client — one inbound driver over the engine. The whole cache
 logic and every adapter live in
 [`generic-ml-cache-core`](https://github.com/danielslobozian/generic-ml-cache/tree/main/packages/core),
-a **stateless, dependency-free** library. To embed the cache in your own application
+a **stateless** library. To embed the cache in your own application
 instead of driving it from a terminal, depend on the core and inject your own data
 source — you never reimplement the adapters.
 

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.5.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "generic-ml-cache-cli"
-version = "0.4.0"
+version = "0.5.0"
 description = "Terminal UI for generic-ml-cache: the gmlcache command. A thin inbound driver over generic-ml-cache-core -- reads config, provides the data source, maps commands onto the core library."
 readme = "README.md"
 requires-python = ">=3.9"
@@ -25,7 +25,7 @@ classifiers = [
   "Programming Language :: Python :: 3.13",
   "Topic :: Utilities",
 ]
-dependencies = ["generic-ml-cache-core>=0.4.0", "argcomplete>=3,<4"]
+dependencies = ["generic-ml-cache-core>=0.5.0", "argcomplete>=3,<4"]
 
 [project.urls]
 Homepage = "https://github.com/danielslobozian/generic-ml-cache"

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.5.0}/src/generic_ml_cache_cli/cli.py

@@ -31,6 +31,11 @@ except ImportError:  # completion is a convenience; never let its absence break
     argcomplete = None
 
 from generic_ml_cache_core.adapter.inbound.composition import build_use_cases
+from generic_ml_cache_core.adapter.out.crypto.filesystem_encryption_manifest_store import (
+    FilesystemEncryptionManifestStore,
+)
+from generic_ml_cache_core.adapter.out.crypto.store_encryptor import StoreEncryptor
+from generic_ml_cache_core.adapter.out.persistence.sqlite_store_lock import SqliteStoreLock
 from generic_ml_cache_core.adapter.out.client.registry import registered_names
 from generic_ml_cache_core.application.domain.model.execution.artifact import (
     INPUT_ARTIFACT_TYPES,
@@ -44,7 +49,16 @@ from generic_ml_cache_core.application.port.inbound.run_managed_local_execution_
     RunManagedLocalExecutionCommand,
 )
 from generic_ml_cache_core.application.port.out.base import ClientAdapter
-from generic_ml_cache_core.common.errors import CacheError, CacheMiss, ConfigError, RunInterrupted
+from generic_ml_cache_core.common.errors import (
+    CacheError,
+    CacheMiss,
+    ConfigError,
+    EncryptionStateError,
+    EncryptionTokenRequired,
+    RunInterrupted,
+    StoreLocked,
+    WrongEncryptionToken,
+)
 
 from . import __version__, config
 
@@ -186,9 +200,9 @@ def _cmd_run(args: argparse.Namespace) -> int:
     def executable_override(client: str):
         return config.executable_for(file_cfg, client, flag=args.executable)
 
-    wired = build_use_cases(store_root, executable_override, timeout)
-
+    token = _resolve_token(args)
     try:
+        wired = build_use_cases(store_root, executable_override, timeout, encryption_token=token)
         execution = wired.run_managed.execute(command)
     except RunInterrupted as exc:
         # A requested stop, not a failure: nothing was recorded. Exit 130 is the
@@ -206,6 +220,9 @@ def _cmd_run(args: argparse.Namespace) -> int:
     except CacheMiss as exc:
         print(f"gmlc: {exc}", file=sys.stderr)
         return 3
+    except (EncryptionTokenRequired, WrongEncryptionToken) as exc:
+        print(f"gmlc: {exc} (set --token or GMLCACHE_TOKEN)", file=sys.stderr)
+        return 4
     except CacheError as exc:
         print(f"gmlc: {exc}", file=sys.stderr)
         return 4
@@ -428,6 +445,7 @@ def _cmd_status(args: argparse.Namespace) -> int:
 
     path = config.resolve_config_path()
     loaded = file_cfg.source is not None
+    encryption = FilesystemEncryptionManifestStore(Path(str(settings["store"][0]))).state().value
 
     if args.json:
         import json
@@ -437,6 +455,7 @@ def _cmd_status(args: argparse.Namespace) -> int:
                 {
                     "config_file": str(path),
                     "loaded": loaded,
+                    "encryption": encryption,
                     "settings": {k: {"value": v[0], "source": v[1]} for k, v in settings.items()},
                     "executables": dict(file_cfg.executables),
                 },
@@ -446,6 +465,7 @@ def _cmd_status(args: argparse.Namespace) -> int:
         return 0
 
     print(f"config file : {path}  ({'loaded' if loaded else 'not present'})")
+    print(f"encryption  : {encryption}")
     print("effective settings (no run flags applied):")
     for key in ("mode", "persist", "store", "timeout", "trust_scan", "max_size"):
         value, source = settings[key]
@@ -702,24 +722,30 @@ def _cmd_export(args: argparse.Namespace) -> int:
         print(f"gmlc: {exc}", file=sys.stderr)
         return 4
 
-    wired = build_use_cases(Path(str(settings["store"][0])))
     include = set(getattr(args, "tag", None) or [])
     exclude = set(getattr(args, "exclude_tag", None) or [])
 
     lines = []
     skipped_no_input = 0
-    for summary in wired.repository.current_execution_summaries():
-        tags = wired.repository.tags_for(summary.execution_key)
-        if include and not include & set(tags):
-            continue
-        if exclude and exclude & set(tags):
-            continue
-        execution = wired.repository.find_current(summary.execution_key)
-        # Only DATASET-depth entries carry the input side of the corpus.
-        if execution is None or not execution.input_persisted:
-            skipped_no_input += 1
-            continue
-        lines.append(json.dumps(_export_record(summary, execution, tags, wired.blob_store)))
+    try:
+        wired = build_use_cases(
+            Path(str(settings["store"][0])), encryption_token=_resolve_token(args)
+        )
+        for summary in wired.repository.current_execution_summaries():
+            tags = wired.repository.tags_for(summary.execution_key)
+            if include and not include & set(tags):
+                continue
+            if exclude and exclude & set(tags):
+                continue
+            execution = wired.repository.find_current(summary.execution_key)
+            # Only DATASET-depth entries carry the input side of the corpus.
+            if execution is None or not execution.input_persisted:
+                skipped_no_input += 1
+                continue
+            lines.append(json.dumps(_export_record(summary, execution, tags, wired.blob_store)))
+    except (EncryptionTokenRequired, WrongEncryptionToken) as exc:
+        print(f"gmlc: {exc} (set --token or GMLCACHE_TOKEN)", file=sys.stderr)
+        return 4
 
     if args.output:
         Path(args.output).write_text("".join(line + "\n" for line in lines), encoding="utf-8")
@@ -738,6 +764,119 @@ def _cmd_export(args: argparse.Namespace) -> int:
     return 0
 
 
+# -- encryption -------------------------------------------------------------
+
+
+def _resolve_token(args: argparse.Namespace) -> Optional[str]:
+    """The encryption token for this call: the --token flag, else GMLCACHE_TOKEN.
+    A token is a secret, so it is never read from the config file."""
+    flag = getattr(args, "token", None)
+    return flag if flag else (os.environ.get("GMLCACHE_TOKEN") or None)
+
+
+def _load_cipher():
+    """Build the cipher, with a friendly error if the optional extra is missing."""
+    try:
+        from generic_ml_cache_core.adapter.out.crypto.aesgcm_cipher import AesGcmCipher
+    except ImportError as exc:  # pragma: no cover - exercised only without the extra
+        raise SystemExit(
+            "error: encryption needs an optional dependency — install with "
+            '`pip install "generic-ml-cache-core[encryption]"`'
+        ) from exc
+    return AesGcmCipher()
+
+
+def _store_encryptor(store_root: Path, cipher=None) -> StoreEncryptor:
+    return StoreEncryptor(
+        store_root,
+        FilesystemEncryptionManifestStore(store_root),
+        SqliteStoreLock(store_root),
+        cipher,
+    )
+
+
+def _store_root() -> Optional[Path]:
+    try:
+        return Path(str(config.resolve_settings(config.load())["store"][0]))
+    except ConfigError as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return None
+
+
+def _cmd_encrypt(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    cipher = _load_cipher()
+    token = cipher.generate_token()
+    try:
+        _store_encryptor(store_root, cipher).enable(token)
+    except (EncryptionStateError, StoreLocked) as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return 4
+    print("encryption enabled. Save this token — it is shown once and cannot be recovered:")
+    print(f"\n    {token}\n")
+    print("Pass it with --token or GMLCACHE_TOKEN to read or write this store.")
+    return 0
+
+
+def _cmd_decrypt(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    token = _resolve_token(args)
+    if not token:
+        print("gmlc: provide the token with --token or GMLCACHE_TOKEN", file=sys.stderr)
+        return 4
+    try:
+        _store_encryptor(store_root, _load_cipher()).disable(token)
+    except (WrongEncryptionToken, EncryptionStateError, StoreLocked) as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return 4
+    print("encryption disabled. The store is now public; no token is needed.")
+    return 0
+
+
+def _cmd_rotate(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    old_token = _resolve_token(args)
+    if not old_token:
+        print("gmlc: provide the current token with --token or GMLCACHE_TOKEN", file=sys.stderr)
+        return 4
+    cipher = _load_cipher()
+    new_token = cipher.generate_token()
+    try:
+        _store_encryptor(store_root, cipher).rotate(old_token, new_token)
+    except (WrongEncryptionToken, EncryptionStateError, StoreLocked) as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return 4
+    print("token rotated. Save the new token — it is shown once:")
+    print(f"\n    {new_token}\n")
+    return 0
+
+
+def _cmd_invalidate(args: argparse.Namespace) -> int:
+    store_root = _store_root()
+    if store_root is None:
+        return 4
+    if not args.yes:
+        print(
+            "gmlc: this permanently wipes the cache (crypto-shred) and cannot be undone. "
+            "Re-run with --yes to confirm.",
+            file=sys.stderr,
+        )
+        return 4
+    try:
+        _store_encryptor(store_root).invalidate()  # no token needed
+    except StoreLocked as exc:
+        print(f"gmlc: {exc}", file=sys.stderr)
+        return 4
+    print("store invalidated: the cache was wiped and is now empty and public.")
+    return 0
+
+
 def _use_color() -> bool:
     """Colour only when writing to a real terminal and NO_COLOR is unset, so piped
     or redirected output never carries escape codes (the conventional contract)."""
@@ -914,6 +1053,9 @@ def build_parser() -> argparse.ArgumentParser:
         help="also cache a call that fails (non-zero exit); default is to store only successes",
     )
     run.add_argument("--executable", help="override the client executable (the seam)")
+    run.add_argument(
+        "--token", help="encryption token for an encrypted store (or set GMLCACHE_TOKEN)"
+    )
     run.add_argument(
         "--timeout", type=float, default=None, help="seconds before the real call is killed"
     )
@@ -1071,8 +1213,35 @@ def build_parser() -> argparse.ArgumentParser:
         metavar="FILE",
         help="write JSONL to FILE instead of stdout (a per-record summary still goes to stderr)",
     )
+    exportp.add_argument(
+        "--token", help="encryption token if the store is encrypted (or set GMLCACHE_TOKEN)"
+    )
     exportp.set_defaults(func=_cmd_export)
 
+    encryptp = sub.add_parser(
+        "encrypt", help="enable at-rest encryption of the store (generates and shows a token)"
+    )
+    encryptp.set_defaults(func=_cmd_encrypt)
+
+    decryptp = sub.add_parser(
+        "decrypt", help="disable encryption (decrypts the store back to plaintext; needs the token)"
+    )
+    decryptp.add_argument("--token", help="the encryption token (or set GMLCACHE_TOKEN)")
+    decryptp.set_defaults(func=_cmd_decrypt)
+
+    rotatep = sub.add_parser(
+        "rotate", help="rotate the encryption token (needs the current token; shows the new one)"
+    )
+    rotatep.add_argument("--token", help="the current encryption token (or set GMLCACHE_TOKEN)")
+    rotatep.set_defaults(func=_cmd_rotate)
+
+    invalidatep = sub.add_parser(
+        "invalidate",
+        help="wipe the cache (crypto-shred) — the escape when the token is lost. Needs --yes.",
+    )
+    invalidatep.add_argument("--yes", action="store_true", help="confirm the irreversible wipe")
+    invalidatep.set_defaults(func=_cmd_invalidate)
+
     init = sub.add_parser(
         "init",
         help="create the config file in the default location (if absent), then show the store",

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.5.0}/src/generic_ml_cache_cli/config.py

@@ -13,9 +13,8 @@ Three rules keep this predictable:
   config file, the built-in default. The ``store`` location is the exception -- config file or
   built-in default only, with **no flag and no environment** -- because where the
   stored executions live is the cache's own concern, not a per-call knob.
-* **Zero dependencies.** The format is INI (stdlib :mod:`configparser`) and the
-  per-user location is resolved inline, so nothing beyond the standard library is
-  needed on any supported Python.
+* **Plain INI.** The format is INI (stdlib :mod:`configparser`) and the per-user
+  location is resolved inline.
 
 Location (override everything with ``GMLCACHE_CONFIG=/path/to/file``):
 

{generic_ml_cache_cli-0.4.0 → generic_ml_cache_cli-0.5.0}/tests/conftest.py

@@ -118,7 +118,7 @@ def _isolate_config(monkeypatch, tmp_path):
     monkeypatch.setenv("GMLCACHE_CONFIG", str(tmp_path / "no-such-config.ini"))
     monkeypatch.setenv("XDG_DATA_HOME", str(tmp_path / "xdg-data"))
     monkeypatch.setenv("LOCALAPPDATA", str(tmp_path / "localappdata"))
-    for var in ("GMLCACHE_MODE", "GMLCACHE_PERSIST", "GMLCACHE_TIMEOUT"):
+    for var in ("GMLCACHE_MODE", "GMLCACHE_PERSIST", "GMLCACHE_TIMEOUT", "GMLCACHE_TOKEN"):
         monkeypatch.delenv(var, raising=False)
 
 

generic_ml_cache_cli-0.5.0/tests/test_encrypted_run.py

@@ -0,0 +1,91 @@
+# SPDX-FileCopyrightText: 2026 Daniel Slobozian
+# SPDX-License-Identifier: Apache-2.0
+"""End-to-end: a managed run against an encrypted store (via build_use_cases)."""
+
+from __future__ import annotations
+
+import pytest
+
+pytest.importorskip("cryptography")
+
+from generic_ml_cache_core.adapter.inbound.composition import build_use_cases  # noqa: E402
+from generic_ml_cache_core.adapter.out.crypto.aesgcm_cipher import AesGcmCipher  # noqa: E402
+from generic_ml_cache_core.adapter.out.crypto.filesystem_encryption_manifest_store import (  # noqa: E402
+    FilesystemEncryptionManifestStore,
+)
+from generic_ml_cache_core.application.domain.model.execution.artifact import (  # noqa: E402
+    ArtifactType,
+)
+from generic_ml_cache_core.application.domain.model.execution.execution_state import (  # noqa: E402
+    ExecutionState,
+)
+from generic_ml_cache_core.application.port.inbound.run_managed_local_execution_command import (  # noqa: E402
+    RunManagedLocalExecutionCommand,
+)
+from generic_ml_cache_core.common.errors import (  # noqa: E402
+    EncryptionTokenRequired,
+    WrongEncryptionToken,
+)
+
+_MARKER = "ENCRYPTME-distinctive-123"
+
+
+def _encrypt_store(store_root, token):
+    manifest, _ = AesGcmCipher().create_envelope(token)
+    FilesystemEncryptionManifestStore(store_root).save(manifest)
+
+
+def _command():
+    return RunManagedLocalExecutionCommand(
+        client="fake", model="m1", effort="high", context="", prompt=f"STDOUT {_MARKER}"
+    )
+
+
+def _blob_bytes(store_root):
+    return b"".join(p.read_bytes() for p in (store_root / "blobs").rglob("*") if p.is_file())
+
+
+def test_encrypted_run_stores_ciphertext_and_replays_with_token(tmp_path):
+    store = tmp_path / "store"
+    token = AesGcmCipher().generate_token()
+    _encrypt_store(store, token)
+
+    execution = build_use_cases(store, encryption_token=token).run_managed.execute(_command())
+    assert execution.execution_state is ExecutionState.SUCCESS
+
+    # the marker must NOT appear in the persisted blobs — they are ciphertext
+    assert _MARKER.encode() not in _blob_bytes(store)
+
+    # replay (a cache hit) with the token decrypts the output correctly
+    served = build_use_cases(store, encryption_token=token).run_managed.execute(_command())
+    stdout = next(a.content for a in served.artifacts if a.artifact_type is ArtifactType.STDOUT)
+    assert _MARKER.encode() in stdout
+
+
+def test_public_store_keeps_plaintext_and_ignores_a_token(tmp_path):
+    store = tmp_path / "store"  # no manifest -> public
+    execution = build_use_cases(store, encryption_token="ignored").run_managed.execute(_command())
+    assert execution.execution_state is ExecutionState.SUCCESS
+    assert _MARKER.encode() in _blob_bytes(store)  # plaintext on disk
+
+
+def test_encrypted_store_without_token_blocks_content_but_not_metadata(tmp_path):
+    store = tmp_path / "store"
+    token = AesGcmCipher().generate_token()
+    _encrypt_store(store, token)
+    recorded = build_use_cases(store, encryption_token=token).run_managed.execute(_command())
+    key = recorded.call_identity.generate_key()
+
+    wired = build_use_cases(store)  # no token
+    # metadata is still readable (it is not encrypted) ...
+    assert wired.repository.find_current(key) is not None
+    # ... but serving the hit must hydrate the blob, which needs the token.
+    with pytest.raises(EncryptionTokenRequired):
+        wired.run_managed.execute(_command())
+
+
+def test_wrong_token_is_rejected_when_opening_the_store(tmp_path):
+    store = tmp_path / "store"
+    _encrypt_store(store, AesGcmCipher().generate_token())
+    with pytest.raises(WrongEncryptionToken):
+        build_use_cases(store, encryption_token=AesGcmCipher().generate_token())

generic_ml_cache_cli-0.5.0/tests/test_encryption_cli.py

@@ -0,0 +1,101 @@
+# SPDX-FileCopyrightText: 2026 Daniel Slobozian
+# SPDX-License-Identifier: Apache-2.0
+"""End-to-end CLI tests for encrypt / decrypt / rotate / invalidate."""
+
+from __future__ import annotations
+
+import pytest
+
+pytest.importorskip("cryptography")
+
+from generic_ml_cache_cli.cli import main  # noqa: E402
+
+_RUN = ["run", "--client", "fake", "--model", "m1", "--effort", "high"]
+
+
+def _token_from(out: str) -> str:
+    """The token is printed on its own indented, space-free line."""
+    for line in out.splitlines():
+        s = line.strip()
+        if s and " " not in s and len(s) >= 20:
+            return s
+    raise AssertionError(f"no token found in:\n{out}")
+
+
+def _enable(capsys) -> str:
+    assert main(["encrypt"]) == 0
+    return _token_from(capsys.readouterr().out)
+
+
+def test_encrypt_then_run_with_token_round_trips(capsys, monkeypatch):
+    token = _enable(capsys)
+    monkeypatch.setenv("GMLCACHE_TOKEN", token)
+
+    assert main(_RUN + ["--prompt", "STDOUT SECRETMARKER"]) == 0
+    assert "SECRETMARKER" in capsys.readouterr().out
+    # offline replay against the encrypted store, with the token
+    assert main(_RUN + ["--prompt", "STDOUT SECRETMARKER", "--offline"]) == 0
+    capsys.readouterr()
+
+    assert main(["status"]) == 0
+    assert "encryption  : encrypted" in capsys.readouterr().out
+
+
+def test_run_without_token_on_encrypted_store_is_blocked(capsys, monkeypatch):
+    token = _enable(capsys)
+    monkeypatch.setenv("GMLCACHE_TOKEN", token)
+    main(_RUN + ["--prompt", "STDOUT hi"])  # record one entry
+    capsys.readouterr()
+
+    monkeypatch.delenv("GMLCACHE_TOKEN", raising=False)
+    rc = main(_RUN + ["--prompt", "STDOUT hi"])  # hit -> hydrate -> needs the token
+    assert rc == 4
+    assert "token" in capsys.readouterr().err.lower()
+
+
+def test_decrypt_returns_store_to_public(capsys):
+    token = _enable(capsys)
+    assert main(["decrypt", "--token", token]) == 0
+    capsys.readouterr()
+    main(["status"])
+    assert "encryption  : public" in capsys.readouterr().out
+
+
+def test_decrypt_with_wrong_token_fails(capsys):
+    _enable(capsys)
+    assert main(["decrypt", "--token", "definitely-not-the-right-token-xyz"]) == 4
+    assert "gmlc:" in capsys.readouterr().err
+
+
+def test_rotate_swaps_the_token(capsys, monkeypatch):
+    run = _RUN + ["--prompt", "STDOUT zz"]
+    old = _enable(capsys)
+    monkeypatch.setenv("GMLCACHE_TOKEN", old)
+    main(run)
+    capsys.readouterr()
+
+    assert main(["rotate", "--token", old]) == 0
+    new = _token_from(capsys.readouterr().out)
+    assert new != old
+
+    monkeypatch.setenv("GMLCACHE_TOKEN", new)
+    assert main(run + ["--offline"]) == 0  # new token reads
+    capsys.readouterr()
+    monkeypatch.setenv("GMLCACHE_TOKEN", old)
+    assert main(run + ["--offline"]) == 4  # old token rejected
+
+
+def test_invalidate_requires_yes_then_wipes_to_public(capsys, monkeypatch):
+    token = _enable(capsys)
+    monkeypatch.setenv("GMLCACHE_TOKEN", token)
+    main(_RUN + ["--prompt", "STDOUT x"])
+    capsys.readouterr()
+
+    assert main(["invalidate"]) == 4  # refused without --yes
+    assert "yes" in capsys.readouterr().err.lower()
+
+    assert main(["invalidate", "--yes"]) == 0
+    capsys.readouterr()
+    monkeypatch.delenv("GMLCACHE_TOKEN", raising=False)
+    main(["status"])
+    assert "encryption  : public" in capsys.readouterr().out