{
  "slug": "safe/quickstart",
  "title": "Safe Quickstart",
  "description": "Create a local Cuitty Safe, replace env values with references, and resolve them at runtime.",
  "url": "https://cuitty.com/docs/safe/quickstart",
  "markdown_url": "https://cuitty.com/docs/safe/quickstart.md",
  "json_url": "https://cuitty.com/docs/safe/quickstart.json",
  "frontmatter": {
    "title": "Safe Quickstart",
    "description": "Create a local Cuitty Safe, replace env values with references, and resolve them at runtime.",
    "order": 1,
    "section": "Safe",
    "updatedAt": "2026-06-09"
  },
  "headings": [
    {
      "depth": 1,
      "slug": "safe-quickstart",
      "text": "Safe Quickstart"
    },
    {
      "depth": 2,
      "slug": "install",
      "text": "Install"
    },
    {
      "depth": 2,
      "slug": "create-a-local-safe",
      "text": "Create a local Safe"
    },
    {
      "depth": 2,
      "slug": "replace-env-values-with-references",
      "text": "Replace env values with references"
    },
    {
      "depth": 2,
      "slug": "run-with-resolved-env",
      "text": "Run with resolved env"
    },
    {
      "depth": 2,
      "slug": "use-package-scripts",
      "text": "Use package scripts"
    },
    {
      "depth": 2,
      "slug": "next-steps",
      "text": "Next steps"
    }
  ],
  "body_markdown": "# Safe Quickstart\n\nCuitty Safe lets you commit references such as `cuitty-safe:acme/dev/database-url` instead of raw secret values. The resolver injects the real value only at the runtime boundary.\n\n## Install\n\nRepository contributors should route package changes through Socket Firewall and pin exact versions.\n\n```bash\nsfw bun add @cuitty/safe@0.1.0\n```\n\nThe CLI binary target is `cuitty-safe`. Some Cuitty installs may also expose it as `cui safe`.\n\n## Create a local Safe\n\nLocal vault mode is the default first-run mode.\n\n```bash\ncuitty-safe init\ncuitty-safe safe create acme/dev --provider local\ncuitty-safe put acme/dev/database-url --value \"$DATABASE_URL\"\ncuitty-safe put acme/ci/github-token --value \"$GITHUB_TOKEN\"\n```\n\nThe values above come from your current shell. Do not paste real values into committed docs, scripts, or examples.\n\n## Replace env values with references\n\n```dotenv\nDATABASE_URL=cuitty-safe:acme/dev/database-url\nGITHUB_TOKEN=cuitty-safe:acme/ci/github-token\n```\n\nBare paths are valid only when Cuitty Safe is the active resolver:\n\n```dotenv\nDATABASE_URL=acme/dev/database-url\n```\n\n## Run with resolved env\n\n```bash\ncuitty-safe run --env-file .env -- bun run dev\n```\n\n`run` resolves references, injects values into the child process environment, and keeps terminal output masked by default.\n\n## Use package scripts\n\n```jsonc\n{\n  \"scripts\": {\n    \"dev\": \"cuitty-safe run --env-file .env -- vite\",\n    \"deploy\": \"cuitty-safe run --scope acme/prod -- bun run deploy:raw\"\n  },\n  \"cuittySafe\": {\n    \"env\": {\n      \"DATABASE_URL\": \"acme/dev/database-url\",\n      \"GITHUB_TOKEN\": \"acme/ci/github-token\"\n    }\n  }\n}\n```\n\nPrefer `cuitty-safe run` over shell command substitution. Substitution can leak sensitive values into shell history, process listings, or logs.\n\n## Next steps\n\n- [Reference syntax](/docs/safe/references)\n- [Storage modes](/docs/safe/storage-modes)\n- [CI/CD](/docs/safe/ci-cd)\n- [Security model](/docs/safe/security)",
  "body_html": "<h1 id=\"safe-quickstart\">Safe Quickstart</h1>\n<p>Cuitty Safe lets you commit references such as <code>cuitty-safe:acme/dev/database-url</code> instead of raw secret values. The resolver injects the real value only at the runtime boundary.</p>\n<h2 id=\"install\">Install</h2>\n<p>Repository contributors should route package changes through Socket Firewall and pin exact versions.</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#B392F0\">sfw</span><span style=\"color:#9ECBFF\"> bun</span><span style=\"color:#9ECBFF\"> add</span><span style=\"color:#9ECBFF\"> @cuitty/safe@0.1.0</span></span></code></pre>\n<p>The CLI binary target is <code>cuitty-safe</code>. Some Cuitty installs may also expose it as <code>cui safe</code>.</p>\n<h2 id=\"create-a-local-safe\">Create a local Safe</h2>\n<p>Local vault mode is the default first-run mode.</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> init</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> safe</span><span style=\"color:#9ECBFF\"> create</span><span style=\"color:#9ECBFF\"> acme/dev</span><span style=\"color:#79B8FF\"> --provider</span><span style=\"color:#9ECBFF\"> local</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> put</span><span style=\"color:#9ECBFF\"> acme/dev/database-url</span><span style=\"color:#79B8FF\"> --value</span><span style=\"color:#9ECBFF\"> \"</span><span style=\"color:#E1E4E8\">$DATABASE_URL</span><span style=\"color:#9ECBFF\">\"</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> put</span><span style=\"color:#9ECBFF\"> acme/ci/github-token</span><span style=\"color:#79B8FF\"> --value</span><span style=\"color:#9ECBFF\"> \"</span><span style=\"color:#E1E4E8\">$GITHUB_TOKEN</span><span style=\"color:#9ECBFF\">\"</span></span></code></pre>\n<p>The values above come from your current shell. Do not paste real values into committed docs, scripts, or examples.</p>\n<h2 id=\"replace-env-values-with-references\">Replace env values with references</h2>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"dotenv\"><code><span class=\"line\"><span style=\"color:#FFAB70\">DATABASE_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">cuitty-safe:acme/dev/database-url</span></span>\n<span class=\"line\"><span style=\"color:#FFAB70\">GITHUB_TOKEN</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">cuitty-safe:acme/ci/github-token</span></span></code></pre>\n<p>Bare paths are valid only when Cuitty Safe is the active resolver:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"dotenv\"><code><span class=\"line\"><span style=\"color:#FFAB70\">DATABASE_URL</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">acme/dev/database-url</span></span></code></pre>\n<h2 id=\"run-with-resolved-env\">Run with resolved env</h2>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> run</span><span style=\"color:#79B8FF\"> --env-file</span><span style=\"color:#9ECBFF\"> .env</span><span style=\"color:#79B8FF\"> --</span><span style=\"color:#9ECBFF\"> bun</span><span style=\"color:#9ECBFF\"> run</span><span style=\"color:#9ECBFF\"> dev</span></span></code></pre>\n<p><code>run</code> resolves references, injects values into the child process environment, and keeps terminal output masked by default.</p>\n<h2 id=\"use-package-scripts\">Use package scripts</h2>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"jsonc\"><code><span class=\"line\"><span style=\"color:#E1E4E8\">{</span></span>\n<span class=\"line\"><span style=\"color:#79B8FF\">  \"scripts\"</span><span style=\"color:#E1E4E8\">: {</span></span>\n<span class=\"line\"><span style=\"color:#79B8FF\">    \"dev\"</span><span style=\"color:#E1E4E8\">: </span><span style=\"color:#9ECBFF\">\"cuitty-safe run --env-file .env -- vite\"</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#79B8FF\">    \"deploy\"</span><span style=\"color:#E1E4E8\">: </span><span style=\"color:#9ECBFF\">\"cuitty-safe run --scope acme/prod -- bun run deploy:raw\"</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  },</span></span>\n<span class=\"line\"><span style=\"color:#79B8FF\">  \"cuittySafe\"</span><span style=\"color:#E1E4E8\">: {</span></span>\n<span class=\"line\"><span style=\"color:#79B8FF\">    \"env\"</span><span style=\"color:#E1E4E8\">: {</span></span>\n<span class=\"line\"><span style=\"color:#79B8FF\">      \"DATABASE_URL\"</span><span style=\"color:#E1E4E8\">: </span><span style=\"color:#9ECBFF\">\"acme/dev/database-url\"</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#79B8FF\">      \"GITHUB_TOKEN\"</span><span style=\"color:#E1E4E8\">: </span><span style=\"color:#9ECBFF\">\"acme/ci/github-token\"</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">    }</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  }</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">}</span></span></code></pre>\n<p>Prefer <code>cuitty-safe run</code> over shell command substitution. Substitution can leak sensitive values into shell history, process listings, or logs.</p>\n<h2 id=\"next-steps\">Next steps</h2>\n<ul>\n<li><a href=\"/docs/safe/references\">Reference syntax</a></li>\n<li><a href=\"/docs/safe/storage-modes\">Storage modes</a></li>\n<li><a href=\"/docs/safe/ci-cd\">CI/CD</a></li>\n<li><a href=\"/docs/safe/security\">Security model</a></li>\n</ul>",
  "links_out": [
    "/docs/safe/references",
    "/docs/safe/storage-modes",
    "/docs/safe/ci-cd",
    "/docs/safe/security"
  ]
}