Safe

Safe Storage Modes

Compare local vaults, inline encrypted text, Persist-backed Safes, and 1Password pass-through.

Safe Storage Modes

Each Safe chooses one source of truth. The reference path stays stable even when the backing provider changes.

ModeSource of truthBest fit
Local vaultEncrypted local Safe databaseFirst-run development, locked workstations, local CI workers
Inline encrypted textCiphertext in the referencing filePortable fixtures and small local-only handoffs
Persist adapterCuitty Persist secret storage class with E2EELocal or remote sync experiments that accept alpha guardrails
1Password1Password vault/item/fieldTeam production credentials and headless CI service accounts

Local vault

Local vaults are the default for first-run development.

~/.cuitty/safe/vaults/<account>/<safe>/safe.db
~/.cuitty/safe/vaults/<account>/<safe>/safe.audit.jsonl

Key material should live in the OS credential store when available: macOS Keychain, Windows Credential Manager, or Linux Secret Service. Headless passphrase-derived keys require explicit opt-in.

Inline encrypted text

Inline mode stores authenticated ciphertext next to the config that needs it:

STRIPE_SECRET=csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext

Inline values must use authenticated encryption, include versioned envelope metadata, and keep decryption keys outside the file.

Persist adapter

Persist mode stores Safe records as E2EE payloads in Cuitty Persist.

import { createSafePersistAdapter } from "@cuitty/safe/server";

const adapter = createSafePersistAdapter({
  profile: "local-first-laptop",
  account: "acme",
  safe: "dev",
  namespace: "safe/acme/dev",
  storageClass: "secret",
  syncMode: "manual",
  alpha: true,
  acknowledgeE2eeRisk: true,
});

The Persist adapter is alpha until Persist’s E2EE profile runtime reaches GA security review, recovery testing, and multi-device revocation testing. For high-value production CI/CD credentials, prefer 1Password service accounts or a locked local vault until that review is complete.

1Password pass-through

1Password mode keeps 1Password as the source of truth. Cuitty Safe stores metadata that maps a Cuitty ref to a 1Password object.

acme/dev/database-url -> op://Development/Database/url

Users do not need to commit op://... references unless they choose the advanced escape hatch.