Safe

Safe Quickstart

Create a local Cuitty Safe, replace env values with references, and resolve them at runtime.

Safe Quickstart

Cuitty Safe lets you commit references such as cuitty-safe:acme/dev/database-url instead of raw secret values. The resolver injects the real value only at the runtime boundary.

Install

Repository contributors should route package changes through Socket Firewall and pin exact versions.

sfw bun add @cuitty/[email protected]

The CLI binary target is cuitty-safe. Some Cuitty installs may also expose it as cui safe.

Create a local Safe

Local vault mode is the default first-run mode.

cuitty-safe init
cuitty-safe safe create acme/dev --provider local
cuitty-safe put acme/dev/database-url --value "$DATABASE_URL"
cuitty-safe put acme/ci/github-token --value "$GITHUB_TOKEN"

The values above come from your current shell. Do not paste real values into committed docs, scripts, or examples.

Replace env values with references

DATABASE_URL=cuitty-safe:acme/dev/database-url
GITHUB_TOKEN=cuitty-safe:acme/ci/github-token

Bare paths are valid only when Cuitty Safe is the active resolver:

DATABASE_URL=acme/dev/database-url

Run with resolved env

cuitty-safe run --env-file .env -- bun run dev

run resolves references, injects values into the child process environment, and keeps terminal output masked by default.

Use package scripts

{
  "scripts": {
    "dev": "cuitty-safe run --env-file .env -- vite",
    "deploy": "cuitty-safe run --scope acme/prod -- bun run deploy:raw"
  },
  "cuittySafe": {
    "env": {
      "DATABASE_URL": "acme/dev/database-url",
      "GITHUB_TOKEN": "acme/ci/github-token"
    }
  }
}

Prefer cuitty-safe run over shell command substitution. Substitution can leak sensitive values into shell history, process listings, or logs.

Next steps