tsafe-cli 1.0.26

Secrets runtime for developers — inject credentials into processes via exec, never into shell history or .env files
docs.rs failed to build tsafe-cli-1.0.26
Please check the build logs for more information.
See Builds for ideas on how to fix a failed build, or Metadata for how to configure docs.rs builds.
If you believe this is docs.rs' fault, open an issue.
Visit the last successful build: tsafe-cli-1.0.25

tsafe-cli

Command-line secret vault. Keeps secrets encrypted locally (Argon2id + XChaCha20-Poly1305), injects them into processes via tsafe exec, syncs from cloud providers, and maintains a full audit trail — without touching shell history.

Install

cargo install tsafe-cli

Core commands

Command What it does
tsafe init Create a new encrypted vault for the active profile
tsafe set KEY Store a secret (prompts for value; value is never passed as an argument)
tsafe get KEY Decrypt and print a secret; --copy sends it to the clipboard
tsafe list List all secret keys; --ns NS scopes to a namespace
tsafe delete KEY Remove a secret from the vault
tsafe mv SOURCE [DEST] Rename or move a secret, optionally across profiles
tsafe exec -- CMD Run a command with secrets injected as environment variables
tsafe exec --dry-run -- CMD Show which secrets would be injected without running the command
tsafe exec --keys K1,K2 -- CMD Inject only the listed keys
tsafe exec --contract NAME -- CMD Run under a named authority contract (policy-gated)
tsafe export --format env|json|yaml|toml Dump all secrets in the requested format
tsafe import --from .env Import secrets from a .env, JSON, YAML, or TOML file
tsafe import --dry-run Preview what would be imported without writing
tsafe gen KEY Generate and store a random secret
tsafe gen KEY --charset hex --exclude-ambiguous Customise the generator
tsafe snapshot Take a point-in-time snapshot of the vault
tsafe snapshot list List available snapshots
tsafe snapshot restore Restore a vault from a snapshot
tsafe doctor Check vault health and configuration
tsafe doctor --json Machine-readable health output
tsafe audit View the HMAC-chained audit log
tsafe audit-verify Verify audit log chain integrity
tsafe audit rotate Rotate the audit log (archive and start fresh)
tsafe agent status --json Check the tsafe agent socket status
tsafe biometric enable Store the vault password in the OS keyring with biometric protection
tsafe biometric disable Remove the keyring credential
tsafe biometric status Show whether biometric unlock is configured
tsafe ssh keygen Generate and store an SSH key pair
tsafe ssh agent Start an SSH agent backed by the vault
tsafe ssh config Manage SSH config entries
tsafe rotate Rotate the master password
tsafe rotate-key Re-encrypt the vault with a new derived key
tsafe build-info Show compiled-in feature flags and build profile
tsafe build-info --json Machine-readable build info
tsafe qr KEY Print a secret as a QR code in the terminal
tsafe totp Generate a TOTP code for a stored TOTP secret
tsafe explain [TOPIC] Contextual help on concepts like contracts, namespaces, and policies
tsafe kv-pull Pull secrets from Azure Key Vault
tsafe kv-push Push secrets to Azure Key Vault
tsafe aws-pull Pull from AWS Secrets Manager
tsafe aws-push Push to AWS Secrets Manager
tsafe ssm-pull Pull from AWS SSM Parameter Store
tsafe ssm-push Push to AWS SSM Parameter Store
tsafe gcp-pull Pull from GCP Secret Manager
tsafe gcp-push Push to GCP Secret Manager
tsafe vault-pull Pull from HashiCorp Vault
tsafe bw-pull Pull from Bitwarden
tsafe kp-pull Pull from KeePass
tsafe pull --config FILE Multi-source pull driven by a config file
tsafe push --config FILE Multi-destination push driven by a config file
tsafe profile Manage named profiles (isolated vaults)
tsafe ns Manage namespace prefixes
tsafe policy View and set secret rotation policies
tsafe validate --cellos-policy FILE Validate a CellOS policy document
tsafe template --file FILE Render a template with secret interpolation
tsafe diff Show secrets changed since last snapshot
tsafe history KEY View version history for a secret
tsafe completions SHELL Generate shell completion scripts
tsafe ui Launch the full-screen terminal UI

Capabilities and build profiles

The binary reports what was compiled in:

tsafe build-info
# build_profile: default-core
# capabilities: agent,akv-pull,biometric,ssh,team-core,tui

Build profiles:

Label Capabilities
default-core agent, akv-pull, biometric, ssh, team-core, tui
custom Any other combination of features
enterprise-minimal No optional features compiled in

Logging

Controlled by environment variables; logging is off by default (zero overhead):

Variable Effect
TSAFE_LOG=debug|info Structured tracing output to stderr
TSAFE_LOG_FORMAT=json Newline-delimited JSON on stderr (CI / log aggregators)
TSAFE_OTEL_STDOUT=1 Emit OpenTelemetry spans to stdout (otel feature only)
OTEL_EXPORTER_OTLP_ENDPOINT OTLP HTTP exporter endpoint (otel feature only)

Feature flags

Feature What it adds Default
tui Full-screen terminal UI (tsafe ui) via tsafe-tui yes
akv-pull Azure Key Vault pull and push yes
biometric OS biometric / keyring unlock (Windows Hello, macOS Touch ID) yes
agent tsafe agent command surface yes
team-core tsafe team command surface yes
ssh SSH key generation, agent, and config management yes
cloud-pull-aws AWS Secrets Manager and SSM Parameter Store no
cloud-pull-gcp GCP Secret Manager no
cloud-pull-vault HashiCorp Vault pull no
cloud-pull-keepass KeePass pull no
cloud-pull-bitwarden Bitwarden pull no
multi-pull Config-driven multi-source pull (enables all cloud-pull-* features) no
otel OpenTelemetry tracing bridge (OTLP HTTP or stdout exporter) no
git-helpers Git credential helper and diff hook no
ots-sharing One-time secret sharing no
plugins tsafe plugin command surface no
collab Collaboration service scaffolding (Tranche 3+) no

License

Licensed under either of MIT or Apache-2.0 at your option.

Repository: https://github.com/0ryant/tsafe