Safe
Persist Adapter
Configure the alpha Cuitty Persist adapter for Safe records with mandatory E2EE guardrails.
Persist Adapter
The Persist adapter stores Safe records in Cuitty Persist’s secret storage class with end-to-end encryption.
Alpha caveat: Cuitty Safe’s Persist adapter is alpha until Persist’s E2EE profile runtime reaches GA. Use it sparingly for high-value production credentials. Prefer 1Password service accounts or a locked local vault for production CI/CD until GA security review, recovery testing, and multi-device revocation testing are complete.
Configuration
import { createSafePersistAdapter } from "@cuitty/safe/server";
const adapter = createSafePersistAdapter({
profile: "local-first-laptop",
account: "acme",
safe: "dev",
namespace: "safe/acme/dev",
storageClass: "secret",
syncMode: "manual",
alpha: true,
acknowledgeE2eeRisk: true,
});
Guardrails
alpha: trueandacknowledgeE2eeRisk: trueare required.- Manual sync is the default.
- Remote writes are blocked unless encryption is
required. - Remote Persist targets must show a visible warning in UI and CLI output.
- Audit metadata includes device id, key fingerprint, profile id, provider, result, and timestamp.
- Persist access controls are not the only boundary. Safe encryption remains mandatory.
Record shape
Persist Safe records contain encrypted envelopes and metadata:
interface PersistSafeSecretRecord {
id: string;
ref: string;
account: string;
safe: string;
secret: string;
envelope: SafeEncryptedEnvelope;
metadata: SafeSecretMetadata;
createdAt: string;
updatedAt: string;
deletedAt?: string;
}
List operations return metadata only. Read operations require explicit resolution and must redact values from errors and logs.