Safe Storage Modes
Compare local vaults, inline encrypted text, Persist-backed Safes, and 1Password pass-through.
Safe Storage Modes
Each Safe chooses one source of truth. The reference path stays stable even when the backing provider changes.
| Mode | Source of truth | Best fit |
|---|---|---|
| Local vault | Encrypted local Safe database | First-run development, locked workstations, local CI workers |
| Inline encrypted text | Ciphertext in the referencing file | Portable fixtures and small local-only handoffs |
| Persist adapter | Cuitty Persist secret storage class with E2EE | Local or remote sync experiments that accept alpha guardrails |
| 1Password | 1Password vault/item/field | Team production credentials and headless CI service accounts |
Local vault
Local vaults are the default for first-run development.
~/.cuitty/safe/vaults/<account>/<safe>/safe.db
~/.cuitty/safe/vaults/<account>/<safe>/safe.audit.jsonl
Key material should live in the OS credential store when available: macOS Keychain, Windows Credential Manager, or Linux Secret Service. Headless passphrase-derived keys require explicit opt-in.
Inline encrypted text
Inline mode stores authenticated ciphertext next to the config that needs it:
STRIPE_SECRET=csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext
Inline values must use authenticated encryption, include versioned envelope metadata, and keep decryption keys outside the file.
Persist adapter
Persist mode stores Safe records as E2EE payloads in Cuitty Persist.
import { createSafePersistAdapter } from "@cuitty/safe/server";
const adapter = createSafePersistAdapter({
profile: "local-first-laptop",
account: "acme",
safe: "dev",
namespace: "safe/acme/dev",
storageClass: "secret",
syncMode: "manual",
alpha: true,
acknowledgeE2eeRisk: true,
});
The Persist adapter is alpha until Persist’s E2EE profile runtime reaches GA security review, recovery testing, and multi-device revocation testing. For high-value production CI/CD credentials, prefer 1Password service accounts or a locked local vault until that review is complete.
1Password pass-through
1Password mode keeps 1Password as the source of truth. Cuitty Safe stores metadata that maps a Cuitty ref to a 1Password object.
acme/dev/database-url -> op://Development/Database/url
Users do not need to commit op://... references unless they choose the advanced escape hatch.