---
title: Safe SDK
description: "The @cuitty/safe package shape, client and server halves, and framework subpaths."
section: Safe
order: 7
updatedAt: 2026-06-09
slug: safe/sdk
---
# Safe SDK

Safe follows the Cuitty SDK initiative: one package per product, with subpath exports for each runtime surface.

```text
@cuitty/safe
@cuitty/safe/client
@cuitty/safe/server
@cuitty/safe/types
@cuitty/safe/react
@cuitty/safe/solid
@cuitty/safe/dsl
@cuitty/safe/connectors
@cuitty/safe/crypto
@cuitty/safe/css
```

Do not create dash packages such as `@cuitty/safe-client`.

## Client half

The client is a typed HTTP consumer generated from the root wire protocol.

```ts
import { createSafeClient } from "@cuitty/safe/client";

const safe = createSafeClient({
  baseUrl: "http://localhost:4361",
  auth,
});

await safe.resolve("acme/dev/database-url");
await safe.secrets.put("acme/dev/github-token", { value: tokenFromShell });
await safe.safes.create({ account: "acme", safe: "dev", provider: "local" });
```

Use `POST /api/safe/resolve` for resolution so references and values do not end up in URL paths or access logs.

## Server half

The server half owns product logic and can be embedded instead of calling REST routes.

```ts
import { createSafeServer } from "@cuitty/safe/server";

const safe = await createSafeServer({
  indexPath: ".cuitty/safe/index.json",
});

await safe.resolve("acme/dev/database-url");
```

Provider implementations must redact values before throwing or logging.

## Core integration

`@cuitty/core` remains a thin aggregator. It may lazy-load Safe and pass shared auth, transport, endpoint discovery, and mock mode into `createSafeClient`, but it must not implement resolving, crypto, provider mapping, 1Password auth, or Persist writes.

```ts
const cuitty = createCuitty({
  products: ["safe"],
  endpoints: { safe: "http://localhost:4361" },
  auth,
});

await cuitty.safe?.resolve("acme/dev/database-url");
```

## Framework subpaths

React and Solid components should be functionally equivalent. Components may display refs, provider status, audit metadata, scan findings, and connector health. They must not receive decrypted values unless the user explicitly enters reveal mode.