# tsafe-cli

Command-line secret vault. Keeps secrets encrypted locally (Argon2id +
XChaCha20-Poly1305), injects them into processes via `tsafe exec`, syncs from
cloud providers, and maintains a full audit trail — without touching shell
history.

## Install

```sh
cargo install tsafe-cli
```
## Core commands

| Command | What it does |
|---|---|
| `tsafe init` | Create a new encrypted vault for the active profile |
| `tsafe set KEY` | Store a secret (prompts for value; value is never passed as an argument) |
| `tsafe get KEY` | Decrypt and print a secret; `--copy` sends it to the clipboard |
| `tsafe list` | List all secret keys; `--ns NS` scopes to a namespace |
| `tsafe delete KEY` | Remove a secret from the vault |
| `tsafe mv SOURCE [DEST]` | Rename or move a secret, optionally across profiles |
| `tsafe exec -- CMD` | Run a command with secrets injected as environment variables |
| `tsafe exec --dry-run -- CMD` | Show which secrets would be injected without running the command |
| `tsafe exec --keys K1,K2 -- CMD` | Inject only the listed keys |
| `tsafe exec --contract NAME -- CMD` | Run under a named authority contract (policy-gated) |
| `tsafe export --format env\|json\|yaml\|toml` | Dump all secrets in the requested format |
| `tsafe import --from .env` | Import secrets from a .env, JSON, YAML, or TOML file |
| `tsafe import --dry-run` | Preview what would be imported without writing |
| `tsafe gen KEY` | Generate and store a random secret |
| `tsafe gen KEY --charset hex --exclude-ambiguous` | Customise the generator |
| `tsafe snapshot` | Take a point-in-time snapshot of the vault |
| `tsafe snapshot list` | List available snapshots |
| `tsafe snapshot restore` | Restore a vault from a snapshot |
| `tsafe doctor` | Check vault health and configuration |
| `tsafe doctor --json` | Machine-readable health output |
| `tsafe audit` | View the HMAC-chained audit log |
| `tsafe audit-verify` | Verify audit log chain integrity |
| `tsafe audit rotate` | Rotate the audit log (archive and start fresh) |
| `tsafe agent status --json` | Check the tsafe agent socket status |
| `tsafe biometric enable` | Store the vault password in the OS keyring with biometric protection |
| `tsafe biometric disable` | Remove the keyring credential |
| `tsafe biometric status` | Show whether biometric unlock is configured |
| `tsafe ssh keygen` | Generate and store an SSH key pair |
| `tsafe ssh agent` | Start an SSH agent backed by the vault |
| `tsafe ssh config` | Manage SSH config entries |
| `tsafe rotate` | Rotate the master password |
| `tsafe rotate-key` | Re-encrypt the vault with a new derived key |
| `tsafe build-info` | Show compiled-in feature flags and build profile |
| `tsafe build-info --json` | Machine-readable build info |
| `tsafe qr KEY` | Print a secret as a QR code in the terminal |
| `tsafe totp` | Generate a TOTP code for a stored TOTP secret |
| `tsafe explain [TOPIC]` | Contextual help on concepts like contracts, namespaces, and policies |
| `tsafe kv-pull` | Pull secrets from Azure Key Vault |
| `tsafe kv-push` | Push secrets to Azure Key Vault |
| `tsafe aws-pull` | Pull from AWS Secrets Manager |
| `tsafe aws-push` | Push to AWS Secrets Manager |
| `tsafe ssm-pull` | Pull from AWS SSM Parameter Store |
| `tsafe ssm-push` | Push to AWS SSM Parameter Store |
| `tsafe gcp-pull` | Pull from GCP Secret Manager |
| `tsafe gcp-push` | Push to GCP Secret Manager |
| `tsafe vault-pull` | Pull from HashiCorp Vault |
| `tsafe bw-pull` | Pull from Bitwarden |
| `tsafe kp-pull` | Pull from KeePass |
| `tsafe pull --config FILE` | Multi-source pull driven by a config file |
| `tsafe push --config FILE` | Multi-destination push driven by a config file |
| `tsafe profile` | Manage named profiles (isolated vaults) |
| `tsafe ns` | Manage namespace prefixes |
| `tsafe policy` | View and set secret rotation policies |
| `tsafe validate --cellos-policy FILE` | Validate a CellOS policy document |
| `tsafe template --file FILE` | Render a template with secret interpolation |
| `tsafe diff` | Show secrets changed since last snapshot |
| `tsafe history KEY` | View version history for a secret |
| `tsafe completions SHELL` | Generate shell completion scripts |
| `tsafe ui` | Launch the full-screen terminal UI |
## Capabilities and build profiles

The binary reports what was compiled in:

```sh
tsafe build-info
# build_profile: default-core
# capabilities: agent,akv-pull,biometric,ssh,team-core,tui
```

Build profiles:

| Label | Capabilities |
|---|---|
| `default-core` | agent, akv-pull, biometric, ssh, team-core, tui |
| `custom` | Any other combination of features |
| `enterprise-minimal` | No optional features compiled in |
## Logging

Controlled by environment variables; logging is off by default (zero overhead):

| Variable | Effect |
|---|---|
| `TSAFE_LOG=debug\|info` | Structured tracing output to stderr |
| `TSAFE_LOG_FORMAT=json` | Newline-delimited JSON on stderr (CI / log aggregators) |
| `TSAFE_OTEL_STDOUT=1` | Emit OpenTelemetry spans to stdout (`otel` feature only) |
| `OTEL_EXPORTER_OTLP_ENDPOINT` | OTLP HTTP exporter endpoint (`otel` feature only) |
## Feature flags

| Feature | What it adds | Default |
|---|---|---|
| `tui` | Full-screen terminal UI (`tsafe ui`) via tsafe-tui | yes |
| `akv-pull` | Azure Key Vault pull and push | yes |
| `biometric` | OS biometric / keyring unlock (Windows Hello, macOS Touch ID) | yes |
| `agent` | `tsafe agent` command surface | yes |
| `team-core` | `tsafe team` command surface | yes |
| `ssh` | SSH key generation, agent, and config management | yes |
| `cloud-pull-aws` | AWS Secrets Manager and SSM Parameter Store | no |
| `cloud-pull-gcp` | GCP Secret Manager | no |
| `cloud-pull-vault` | HashiCorp Vault pull | no |
| `cloud-pull-keepass` | KeePass pull | no |
| `cloud-pull-bitwarden` | Bitwarden pull | no |
| `multi-pull` | Config-driven multi-source pull (enables all `cloud-pull-*` features) | no |
| `otel` | OpenTelemetry tracing bridge (OTLP HTTP or stdout exporter) | no |
| `git-helpers` | Git credential helper and diff hook | no |
| `ots-sharing` | One-time secret sharing | no |
| `plugins` | `tsafe plugin` command surface | no |
| `collab` | Collaboration service scaffolding (Tranche 3+) | no |
## License

Licensed under either of MIT or Apache-2.0 at your option.

Repository: https://github.com/0ryant/tsafe