tsafe-cli 1.0.24

Secrets runtime for developers — inject credentials into processes via exec, never into shell history or .env files
# tsafe-cli

Command-line secret vault. Keeps secrets encrypted locally (Argon2id +
XChaCha20-Poly1305), injects them into processes via `tsafe exec`, syncs from
cloud providers, and maintains a full audit trail — without touching shell
history.

## Install

```
cargo install tsafe-cli
```

## Core commands

| Command | What it does |
|---|---|
| `tsafe init` | Create a new encrypted vault for the active profile |
| `tsafe set KEY` | Store a secret (prompts for value; value is never passed as an argument) |
| `tsafe get KEY` | Decrypt and print a secret; `--copy` sends it to the clipboard |
| `tsafe list` | List all secret keys; `--ns NS` scopes to a namespace |
| `tsafe delete KEY` | Remove a secret from the vault |
| `tsafe mv SOURCE [DEST]` | Rename or move a secret, optionally across profiles |
| `tsafe exec -- CMD` | Run a command with secrets injected as environment variables |
| `tsafe exec --dry-run -- CMD` | Show which secrets would be injected without running the command |
| `tsafe exec --keys K1,K2 -- CMD` | Inject only the listed keys |
| `tsafe exec --contract NAME -- CMD` | Run under a named authority contract (policy-gated) |
| `tsafe export --format env\|json\|yaml\|toml` | Dump all secrets in the requested format |
| `tsafe import --from .env` | Import secrets from a `.env`, JSON, YAML, or TOML file |
| `tsafe import --dry-run` | Preview what would be imported without writing |
| `tsafe gen KEY` | Generate and store a random secret |
| `tsafe gen KEY --charset hex --exclude-ambiguous` | Customise the generator |
| `tsafe snapshot` | Take a point-in-time snapshot of the vault |
| `tsafe snapshot list` | List available snapshots |
| `tsafe snapshot restore` | Restore a vault from a snapshot |
| `tsafe doctor` | Check vault health and configuration |
| `tsafe doctor --json` | Machine-readable health output |
| `tsafe audit` | View the HMAC-chained audit log |
| `tsafe audit-verify` | Verify audit log chain integrity |
| `tsafe audit rotate` | Rotate the audit log (archive and start fresh) |
| `tsafe agent status --json` | Check the tsafe agent socket status |
| `tsafe biometric enable` | Store the vault password in the OS keyring with biometric protection |
| `tsafe biometric disable` | Remove the keyring credential |
| `tsafe biometric status` | Show whether biometric unlock is configured |
| `tsafe ssh keygen` | Generate and store an SSH key pair |
| `tsafe ssh agent` | Start an SSH agent backed by the vault |
| `tsafe ssh config` | Manage SSH config entries |
| `tsafe rotate` | Rotate the master password |
| `tsafe rotate-key` | Re-encrypt the vault with a new derived key |
| `tsafe build-info` | Show compiled-in feature flags and build profile |
| `tsafe build-info --json` | Machine-readable build info |
| `tsafe qr KEY` | Print a secret as a QR code in the terminal |
| `tsafe totp` | Generate a TOTP code for a stored TOTP secret |
| `tsafe explain [TOPIC]` | Contextual help on concepts like contracts, namespaces, and policies |
| `tsafe kv-pull` | Pull secrets from Azure Key Vault |
| `tsafe kv-push` | Push secrets to Azure Key Vault |
| `tsafe aws-pull` | Pull from AWS Secrets Manager |
| `tsafe aws-push` | Push to AWS Secrets Manager |
| `tsafe ssm-pull` | Pull from AWS SSM Parameter Store |
| `tsafe ssm-push` | Push to AWS SSM Parameter Store |
| `tsafe gcp-pull` | Pull from GCP Secret Manager |
| `tsafe gcp-push` | Push to GCP Secret Manager |
| `tsafe vault-pull` | Pull from HashiCorp Vault |
| `tsafe bw-pull` | Pull from Bitwarden |
| `tsafe kp-pull` | Pull from KeePass |
| `tsafe pull --config FILE` | Multi-source pull driven by a config file |
| `tsafe push --config FILE` | Multi-destination push driven by a config file |
| `tsafe profile` | Manage named profiles (isolated vaults) |
| `tsafe ns` | Manage namespace prefixes |
| `tsafe policy` | View and set secret rotation policies |
| `tsafe validate --cellos-policy FILE` | Validate a CellOS policy document |
| `tsafe template --file FILE` | Render a template with secret interpolation |
| `tsafe diff` | Show secrets changed since last snapshot |
| `tsafe history KEY` | View version history for a secret |
| `tsafe completions SHELL` | Generate shell completion scripts |
| `tsafe ui` | Launch the full-screen terminal UI |

## Capabilities and build profiles

The binary reports what was compiled in:

```
tsafe build-info
# build_profile: default-core
# capabilities: agent,akv-pull,biometric,ssh,team-core,tui
```

Build profiles:

| Label | Capabilities |
|---|---|
| `default-core` | `agent`, `akv-pull`, `biometric`, `ssh`, `team-core`, `tui` |
| `custom` | Any other combination of features |
| `enterprise-minimal` | No optional features compiled in |

## Logging

Controlled by environment variables; logging is off by default (zero overhead):

| Variable | Effect |
|---|---|
| `TSAFE_LOG=debug\|info` | Structured tracing output to stderr |
| `TSAFE_LOG_FORMAT=json` | Newline-delimited JSON on stderr (CI / log aggregators) |
| `TSAFE_OTEL_STDOUT=1` | Emit OpenTelemetry spans to stdout (`otel` feature only) |
| `OTEL_EXPORTER_OTLP_ENDPOINT` | OTLP HTTP exporter endpoint (`otel` feature only) |
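Because the `otel` variables above only take effect when the `otel` feature was compiled in, a wrapper script can read `tsafe build-info` (format shown in the previous section) before deciding which logging variables to set. This is an added example, not part of tsafe itself; it assumes the live output prints the two lines without the `# ` prefix the README uses to mark output, and the sample text below is constructed from that section.

```shell
# Constructed sample of `tsafe build-info` output (not captured from a real run).
SAMPLE_BUILD_INFO='build_profile: default-core
capabilities: agent,akv-pull,biometric,ssh,team-core,tui'

# Print the value of one "key: value" line from build-info text ($1); key in $2.
build_info_field() {
  printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# Return 0 if capability $2 appears in the comma-separated capabilities list of $1.
has_capability() {
  caps=$(build_info_field "$1" capabilities)
  case ",$caps," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Choose logging variables that this binary will honour: TSAFE_LOG and
# TSAFE_LOG_FORMAT always apply; TSAFE_OTEL_STDOUT needs the otel capability.
logging_env_for() {
  if has_capability "$1" otel; then
    printf 'TSAFE_LOG=info TSAFE_LOG_FORMAT=json TSAFE_OTEL_STDOUT=1\n'
  else
    printf 'TSAFE_LOG=info TSAFE_LOG_FORMAT=json\n'
  fi
}

# Real use (assumes tsafe is on PATH): feed the live output in and gate on it.
#   live=$(tsafe build-info)
#   env $(logging_env_for "$live") tsafe exec --dry-run -- ./deploy.sh
#   has_capability "$live" ssh && tsafe ssh agent
```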

## Feature flags

| Feature | What it adds | Default |
|---|---|---|
| `tui` | Full-screen terminal UI (`tsafe ui`) via `tsafe-tui` | yes |
| `akv-pull` | Azure Key Vault pull and push | yes |
| `biometric` | OS biometric / keyring unlock (Windows Hello, macOS Touch ID) | yes |
| `agent` | `tsafe agent` command surface | yes |
| `team-core` | `tsafe team` command surface | yes |
| `ssh` | SSH key generation, agent, and config management | yes |
| `cloud-pull-aws` | AWS Secrets Manager and SSM Parameter Store | no |
| `cloud-pull-gcp` | GCP Secret Manager | no |
| `cloud-pull-vault` | HashiCorp Vault pull | no |
| `cloud-pull-keepass` | KeePass pull | no |
| `cloud-pull-bitwarden` | Bitwarden pull | no |
| `multi-pull` | Config-driven multi-source pull (enables all cloud-pull-* features) | no |
| `otel` | OpenTelemetry tracing bridge (OTLP HTTP or stdout exporter) | no |
| `git-helpers` | Git credential helper and diff hook | no |
| `ots-sharing` | One-time secret sharing | no |
| `plugins` | `tsafe plugin` command surface | no |
| `collab` | Collaboration service scaffolding (Tranche 3+) | no |

## License

Licensed under either of [MIT](LICENSE-MIT) or
[Apache-2.0](LICENSE-APACHE) at your option.

Repository: <https://github.com/0ryant/tsafe>