{
  "slug": "safe/references",
  "title": "Safe References",
  "description": "The canonical account/safe/secret model and accepted reference syntaxes for Cuitty Safe.",
  "url": "https://cuitty.com/docs/safe/references",
  "markdown_url": "https://cuitty.com/docs/safe/references.md",
  "json_url": "https://cuitty.com/docs/safe/references.json",
  "frontmatter": {
    "title": "Safe References",
    "description": "The canonical account/safe/secret model and accepted reference syntaxes for Cuitty Safe.",
    "order": 2,
    "section": "Safe",
    "updatedAt": "2026-06-09"
  },
  "headings": [
    {
      "depth": 1,
      "slug": "safe-references",
      "text": "Safe References"
    },
    {
      "depth": 2,
      "slug": "accepted-syntaxes",
      "text": "Accepted syntaxes"
    },
    {
      "depth": 2,
      "slug": "parsing-rules",
      "text": "Parsing rules"
    },
    {
      "depth": 2,
      "slug": "resolver-strictness",
      "text": "Resolver strictness"
    },
    {
      "depth": 2,
      "slug": "source-of-truth-index",
      "text": "Source-of-truth index"
    }
  ],
  "body_markdown": "# Safe References\n\nEvery Cuitty Safe reference normalizes to:\n\n```text\naccount/safe/secret\n```\n\n`account` is the namespace, `safe` is the Safe name, and `secret` is the remaining logical key path.\n\n## Accepted syntaxes\n\n```dotenv\n# Bare path, valid when Cuitty Safe is the active resolver.\nDATABASE_URL=acme/dev/database-url\n\n# Explicit scheme, preferred for mixed env files.\nDATABASE_URL=cuitty-safe:acme/dev/database-url\n\n# URL-style scheme for tools that require URI-looking values.\nDATABASE_URL=cuitty-safe://acme/dev/database-url\n\n# Inline encrypted literal. This is ciphertext, not a pointer.\nDATABASE_URL=csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext\n```\n\n## Parsing rules\n\n- `account` and `safe` are required and cannot contain `/`.\n- `secret` is required and may contain additional `/` characters.\n- References are case-sensitive.\n- Tools should URL-encode reserved characters.\n- The resolver should warn when a configured backend is case-insensitive.\n- Decrypted values must not appear in URLs, logs, trace spans, crash reports, docs examples, or generated fixtures.\n\n## Resolver strictness\n\n```ts\ntype SafeReferenceMode = \"explicit-only\" | \"known-env-vars\" | \"all-values\";\n```\n\nDefaults:\n\n- `.env` and `.env.*` use `explicit-only`, plus `known-env-vars` when a `cuittySafe.env` map exists.\n- `package.json` resolves only `cuittySafe.env` and explicit `cuitty-safe:` values.\n- Shell scripts resolve only explicit CLI calls or explicit `cuitty-safe:` values.\n- CI/CD resolves explicit references only.\n\n## Source-of-truth index\n\nCuitty Safe tracks where each Safe lives in metadata-only indexes:\n\n```text\n~/.cuitty/safe/index.json\n.cuitty/safe/index.json\n```\n\nThe index stores provider, status, key fingerprint, connector version, source pointer, and sharing stub metadata. It never stores secret values.",
  "body_html": "<h1 id=\"safe-references\">Safe References</h1>\n<p>Every Cuitty Safe reference normalizes to:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"text\"><code><span class=\"line\"><span>account/safe/secret</span></span></code></pre>\n<p><code>account</code> is the namespace, <code>safe</code> is the Safe name, and <code>secret</code> is the remaining logical key path.</p>\n<h2 id=\"accepted-syntaxes\">Accepted syntaxes</h2>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"dotenv\"><code><span class=\"line\"><span style=\"color:#6A737D\"># Bare path, valid when Cuitty Safe is the active resolver.</span></span>\n<span class=\"line\"><span style=\"color:#FFAB70\">DATABASE_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">acme/dev/database-url</span></span>\n<span class=\"line\"></span>\n<span class=\"line\"><span style=\"color:#6A737D\"># Explicit scheme, preferred for mixed env files.</span></span>\n<span class=\"line\"><span style=\"color:#FFAB70\">DATABASE_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">cuitty-safe:acme/dev/database-url</span></span>\n<span class=\"line\"></span>\n<span class=\"line\"><span style=\"color:#6A737D\"># URL-style scheme for tools that require URI-looking values.</span></span>\n<span class=\"line\"><span style=\"color:#FFAB70\">DATABASE_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">cuitty-safe://acme/dev/database-url</span></span>\n<span class=\"line\"></span>\n<span class=\"line\"><span style=\"color:#6A737D\"># Inline encrypted literal. This is ciphertext, not a pointer.</span></span>\n<span class=\"line\"><span style=\"color:#FFAB70\">DATABASE_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext</span></span></code></pre>\n<h2 id=\"parsing-rules\">Parsing rules</h2>\n<ul>\n<li><code>account</code> and <code>safe</code> are required and cannot contain <code>/</code>.</li>\n<li><code>secret</code> is required and may contain additional <code>/</code> characters.</li>\n<li>References are case-sensitive.</li>\n<li>Tools should URL-encode reserved characters.</li>\n<li>The resolver should warn when a configured backend is case-insensitive.</li>\n<li>Decrypted values must not appear in URLs, logs, trace spans, crash reports, docs examples, or generated fixtures.</li>\n</ul>\n<h2 id=\"resolver-strictness\">Resolver strictness</h2>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"ts\"><code><span class=\"line\"><span style=\"color:#F97583\">type</span><span style=\"color:#B392F0\"> SafeReferenceMode</span><span style=\"color:#F97583\"> =</span><span style=\"color:#9ECBFF\"> \"explicit-only\"</span><span style=\"color:#F97583\"> |</span><span style=\"color:#9ECBFF\"> \"known-env-vars\"</span><span style=\"color:#F97583\"> |</span><span style=\"color:#9ECBFF\"> \"all-values\"</span><span style=\"color:#E1E4E8\">;</span></span></code></pre>\n<p>Defaults:</p>\n<ul>\n<li><code>.env</code> and <code>.env.*</code> use <code>explicit-only</code>, plus <code>known-env-vars</code> when a <code>cuittySafe.env</code> map exists.</li>\n<li><code>package.json</code> resolves only <code>cuittySafe.env</code> and explicit <code>cuitty-safe:</code> values.</li>\n<li>Shell scripts resolve only explicit CLI calls or explicit <code>cuitty-safe:</code> values.</li>\n<li>CI/CD resolves explicit references only.</li>\n</ul>\n<h2 id=\"source-of-truth-index\">Source-of-truth index</h2>\n<p>Cuitty Safe tracks where each Safe lives in metadata-only indexes:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"text\"><code><span class=\"line\"><span>~/.cuitty/safe/index.json</span></span>\n<span class=\"line\"><span>.cuitty/safe/index.json</span></span></code></pre>\n<p>The index stores provider, status, key fingerprint, connector version, source pointer, and sharing stub metadata. It never stores secret values.</p>",
  "links_out": []
}