{
  "slug": "safe/security",
  "title": "Safe Security",
  "description": "Security rules for references, encryption, redaction, audit metadata, connectors, and sharing stubs.",
  "url": "https://cuitty.com/docs/safe/security",
  "markdown_url": "https://cuitty.com/docs/safe/security.md",
  "json_url": "https://cuitty.com/docs/safe/security.json",
  "frontmatter": {
    "title": "Safe Security",
    "description": "Security rules for references, encryption, redaction, audit metadata, connectors, and sharing stubs.",
    "order": 9,
    "section": "Safe",
    "updatedAt": "2026-06-09"
  },
  "headings": [
    {
      "depth": 1,
      "slug": "safe-security",
      "text": "Safe Security"
    },
    {
      "depth": 2,
      "slug": "value-handling",
      "text": "Value handling"
    },
    {
      "depth": 2,
      "slug": "encryption",
      "text": "Encryption"
    },
    {
      "depth": 2,
      "slug": "local-vaults",
      "text": "Local vaults"
    },
    {
      "depth": 2,
      "slug": "connector-safety",
      "text": "Connector safety"
    },
    {
      "depth": 2,
      "slug": "audit",
      "text": "Audit"
    },
    {
      "depth": 2,
      "slug": "sharing",
      "text": "Sharing"
    }
  ],
  "body_markdown": "# Safe Security\n\nCuitty Safe treats references as safe to commit and values as sensitive at every boundary.\n\n## Value handling\n\n- Never store decrypted values in Cuitty Code, Registry, Site, logs, wire-protocol fixtures, desktop snapshots, or docs examples.\n- Never place decrypted values in URLs, trace spans, audit payloads, crash reports, or generated config unless the user explicitly requested an output file.\n- `read` prints to stdout and must be treated as sensitive.\n- Terminal masking defaults to enabled.\n- Errors must redact values before leaving provider code.\n\n## Encryption\n\nInline encrypted values must use authenticated encryption, not reversible obfuscation.\n\n```dotenv\nINLINE_ONLY=csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext\n```\n\nEnvelope metadata should include version, algorithm, key id, nonce, ciphertext, and optional authenticated data. Authenticated data should include the `account/safe/secret` ref, file path when available, and configured purpose.\n\n## Local vaults\n\nLocal vaults store encrypted records and keep key material in the OS credential store when available. Headless passphrase fallback requires explicit opt-in. Vaults should lock after inactivity.\n\n## Connector safety\n\n1Password connector metadata may include vault names, item titles, field names, and object IDs. It must not cache secret values by default.\n\nPersist-backed Safes require E2EE and alpha acknowledgement. Remote writes are blocked unless encryption is required.\n\n## Audit\n\nAudit events are metadata-only:\n\n```text\nreference, actor, process, provider, result, timestamp\n```\n\nSecret values are never audit fields. Reference hashing may be enabled where secret names are themselves sensitive.\n\n## Sharing\n\nSharing is a v0 stub. Future sharing is planned for Cuitty Auth grants, but v0 does not create invite links, cross-user decrypt grants, or direct provider token sharing.",
  "body_html": "<h1 id=\"safe-security\">Safe Security</h1>\n<p>Cuitty Safe treats references as safe to commit and values as sensitive at every boundary.</p>\n<h2 id=\"value-handling\">Value handling</h2>\n<ul>\n<li>Never store decrypted values in Cuitty Code, Registry, Site, logs, wire-protocol fixtures, desktop snapshots, or docs examples.</li>\n<li>Never place decrypted values in URLs, trace spans, audit payloads, crash reports, or generated config unless the user explicitly requested an output file.</li>\n<li><code>read</code> prints to stdout and must be treated as sensitive.</li>\n<li>Terminal masking defaults to enabled.</li>\n<li>Errors must redact values before leaving provider code.</li>\n</ul>\n<h2 id=\"encryption\">Encryption</h2>\n<p>Inline encrypted values must use authenticated encryption, not reversible obfuscation.</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"dotenv\"><code><span class=\"line\"><span style=\"color:#FFAB70\">INLINE_ONLY</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext</span></span></code></pre>\n<p>Envelope metadata should include version, algorithm, key id, nonce, ciphertext, and optional authenticated data. Authenticated data should include the <code>account/safe/secret</code> ref, file path when available, and configured purpose.</p>\n<h2 id=\"local-vaults\">Local vaults</h2>\n<p>Local vaults store encrypted records and keep key material in the OS credential store when available. Headless passphrase fallback requires explicit opt-in. Vaults should lock after inactivity.</p>\n<h2 id=\"connector-safety\">Connector safety</h2>\n<p>1Password connector metadata may include vault names, item titles, field names, and object IDs. It must not cache secret values by default.</p>\n<p>Persist-backed Safes require E2EE and alpha acknowledgement. Remote writes are blocked unless encryption is required.</p>\n<h2 id=\"audit\">Audit</h2>\n<p>Audit events are metadata-only:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"text\"><code><span class=\"line\"><span>reference, actor, process, provider, result, timestamp</span></span></code></pre>\n<p>Secret values are never audit fields. Reference hashing may be enabled where secret names are themselves sensitive.</p>\n<h2 id=\"sharing\">Sharing</h2>\n<p>Sharing is a v0 stub. Future sharing is planned for Cuitty Auth grants, but v0 does not create invite links, cross-user decrypt grants, or direct provider token sharing.</p>",
  "links_out": []
}