Safe Quickstart
Create a local Cuitty Safe, replace env values with references, and resolve them at runtime.
Safe Quickstart
Cuitty Safe lets you commit references such as cuitty-safe:acme/dev/database-url instead of raw secret values. The resolver injects the real value only at the runtime boundary.
Install
Repository contributors should route package changes through Socket Firewall and pin exact versions.
sfw bun add @cuitty/[email protected]
The CLI binary target is cuitty-safe. Some Cuitty installs may also expose it as cui safe.
Create a local Safe
Local vault mode is the default first-run mode.
cuitty-safe init
cuitty-safe safe create acme/dev --provider local
cuitty-safe put acme/dev/database-url --value "$DATABASE_URL"
cuitty-safe put acme/ci/github-token --value "$GITHUB_TOKEN"
The values above come from your current shell. Do not paste real values into committed docs, scripts, or examples.
Replace env values with references
DATABASE_URL=cuitty-safe:acme/dev/database-url
GITHUB_TOKEN=cuitty-safe:acme/ci/github-token
Bare paths are valid only when Cuitty Safe is the active resolver:
DATABASE_URL=acme/dev/database-url
Run with resolved env
cuitty-safe run --env-file .env -- bun run dev
run resolves references, injects values into the child process environment, and keeps terminal output masked by default.
Use package scripts
{
"scripts": {
"dev": "cuitty-safe run --env-file .env -- vite",
"deploy": "cuitty-safe run --scope acme/prod -- bun run deploy:raw"
},
"cuittySafe": {
"env": {
"DATABASE_URL": "acme/dev/database-url",
"GITHUB_TOKEN": "acme/ci/github-token"
}
}
}
Prefer cuitty-safe run over shell command substitution. Substitution can leak sensitive values into shell history, process listings, or logs.