{
  "slug": "safe/storage-modes",
  "title": "Safe Storage Modes",
  "description": "Compare local vaults, inline encrypted text, Persist-backed Safes, and 1Password pass-through.",
  "url": "https://cuitty.com/docs/safe/storage-modes",
  "markdown_url": "https://cuitty.com/docs/safe/storage-modes.md",
  "json_url": "https://cuitty.com/docs/safe/storage-modes.json",
  "frontmatter": {
    "title": "Safe Storage Modes",
    "description": "Compare local vaults, inline encrypted text, Persist-backed Safes, and 1Password pass-through.",
    "order": 3,
    "section": "Safe",
    "updatedAt": "2026-06-09"
  },
  "headings": [
    {
      "depth": 1,
      "slug": "safe-storage-modes",
      "text": "Safe Storage Modes"
    },
    {
      "depth": 2,
      "slug": "local-vault",
      "text": "Local vault"
    },
    {
      "depth": 2,
      "slug": "inline-encrypted-text",
      "text": "Inline encrypted text"
    },
    {
      "depth": 2,
      "slug": "persist-adapter",
      "text": "Persist adapter"
    },
    {
      "depth": 2,
      "slug": "1password-pass-through",
      "text": "1Password pass-through"
    }
  ],
  "body_markdown": "# Safe Storage Modes\n\nEach Safe chooses one source of truth. The reference path stays stable even when the backing provider changes.\n\n| Mode | Source of truth | Best fit |\n| --- | --- | --- |\n| Local vault | Encrypted local Safe database | First-run development, locked workstations, local CI workers |\n| Inline encrypted text | Ciphertext in the referencing file | Portable fixtures and small local-only handoffs |\n| Persist adapter | Cuitty Persist `secret` storage class with E2EE | Local or remote sync experiments that accept alpha guardrails |\n| 1Password | 1Password vault/item/field | Team production credentials and headless CI service accounts |\n\n## Local vault\n\nLocal vaults are the default for first-run development.\n\n```text\n~/.cuitty/safe/vaults/<account>/<safe>/safe.db\n~/.cuitty/safe/vaults/<account>/<safe>/safe.audit.jsonl\n```\n\nKey material should live in the OS credential store when available: macOS Keychain, Windows Credential Manager, or Linux Secret Service. Headless passphrase-derived keys require explicit opt-in.\n\n## Inline encrypted text\n\nInline mode stores authenticated ciphertext next to the config that needs it:\n\n```dotenv\nSTRIPE_SECRET=csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext\n```\n\nInline values must use authenticated encryption, include versioned envelope metadata, and keep decryption keys outside the file.\n\n## Persist adapter\n\nPersist mode stores Safe records as E2EE payloads in Cuitty Persist.\n\n```ts\nimport { createSafePersistAdapter } from \"@cuitty/safe/server\";\n\nconst adapter = createSafePersistAdapter({\n  profile: \"local-first-laptop\",\n  account: \"acme\",\n  safe: \"dev\",\n  namespace: \"safe/acme/dev\",\n  storageClass: \"secret\",\n  syncMode: \"manual\",\n  alpha: true,\n  acknowledgeE2eeRisk: true,\n});\n```\n\nThe Persist adapter is alpha until Persist's E2EE profile runtime reaches GA security review, recovery testing, and multi-device revocation testing. For high-value production CI/CD credentials, prefer 1Password service accounts or a locked local vault until that review is complete.\n\n## 1Password pass-through\n\n1Password mode keeps 1Password as the source of truth. Cuitty Safe stores metadata that maps a Cuitty ref to a 1Password object.\n\n```text\nacme/dev/database-url -> op://Development/Database/url\n```\n\nUsers do not need to commit `op://...` references unless they choose the advanced escape hatch.",
  "body_html": "<h1 id=\"safe-storage-modes\">Safe Storage Modes</h1>\n<p>Each Safe chooses one source of truth. The reference path stays stable even when the backing provider changes.</p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<table><thead><tr><th>Mode</th><th>Source of truth</th><th>Best fit</th></tr></thead><tbody><tr><td>Local vault</td><td>Encrypted local Safe database</td><td>First-run development, locked workstations, local CI workers</td></tr><tr><td>Inline encrypted text</td><td>Ciphertext in the referencing file</td><td>Portable fixtures and small local-only handoffs</td></tr><tr><td>Persist adapter</td><td>Cuitty Persist <code>secret</code> storage class with E2EE</td><td>Local or remote sync experiments that accept alpha guardrails</td></tr><tr><td>1Password</td><td>1Password vault/item/field</td><td>Team production credentials and headless CI service accounts</td></tr></tbody></table>\n<h2 id=\"local-vault\">Local vault</h2>\n<p>Local vaults are the default for first-run development.</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"text\"><code><span class=\"line\"><span>~/.cuitty/safe/vaults/&#x3C;account>/&#x3C;safe>/safe.db</span></span>\n<span class=\"line\"><span>~/.cuitty/safe/vaults/&#x3C;account>/&#x3C;safe>/safe.audit.jsonl</span></span></code></pre>\n<p>Key material should live in the OS credential store when available: macOS Keychain, Windows Credential Manager, or Linux Secret Service. Headless passphrase-derived keys require explicit opt-in.</p>\n<h2 id=\"inline-encrypted-text\">Inline encrypted text</h2>\n<p>Inline mode stores authenticated ciphertext next to the config that needs it:</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"dotenv\"><code><span class=\"line\"><span style=\"color:#FFAB70\">STRIPE_SECRET</span><span style=\"color:#F97583\">=</span><span style=\"color:#E1E4E8\">csafe:v1:aes-256-gcm:kid_localdev:base64url-nonce:base64url-ciphertext</span></span></code></pre>\n<p>Inline values must use authenticated encryption, include versioned envelope metadata, and keep decryption keys outside the file.</p>\n<h2 id=\"persist-adapter\">Persist adapter</h2>\n<p>Persist mode stores Safe records as E2EE payloads in Cuitty Persist.</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"ts\"><code><span class=\"line\"><span style=\"color:#F97583\">import</span><span style=\"color:#E1E4E8\"> { createSafePersistAdapter } </span><span style=\"color:#F97583\">from</span><span style=\"color:#9ECBFF\"> \"@cuitty/safe/server\"</span><span style=\"color:#E1E4E8\">;</span></span>\n<span class=\"line\"></span>\n<span class=\"line\"><span style=\"color:#F97583\">const</span><span style=\"color:#79B8FF\"> adapter</span><span style=\"color:#F97583\"> =</span><span style=\"color:#B392F0\"> createSafePersistAdapter</span><span style=\"color:#E1E4E8\">({</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  profile: </span><span style=\"color:#9ECBFF\">\"local-first-laptop\"</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  account: </span><span style=\"color:#9ECBFF\">\"acme\"</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  safe: </span><span style=\"color:#9ECBFF\">\"dev\"</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  namespace: </span><span style=\"color:#9ECBFF\">\"safe/acme/dev\"</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  storageClass: </span><span style=\"color:#9ECBFF\">\"secret\"</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  syncMode: </span><span style=\"color:#9ECBFF\">\"manual\"</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  alpha: </span><span style=\"color:#79B8FF\">true</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">  acknowledgeE2eeRisk: </span><span style=\"color:#79B8FF\">true</span><span style=\"color:#E1E4E8\">,</span></span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">});</span></span></code></pre>\n<p>The Persist adapter is alpha until Persist’s E2EE profile runtime reaches GA security review, recovery testing, and multi-device revocation testing. For high-value production CI/CD credentials, prefer 1Password service accounts or a locked local vault until that review is complete.</p>\n<h2 id=\"1password-pass-through\">1Password pass-through</h2>\n<p>1Password mode keeps 1Password as the source of truth. Cuitty Safe stores metadata that maps a Cuitty ref to a 1Password object.</p>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"text\"><code><span class=\"line\"><span>acme/dev/database-url -> op://Development/Database/url</span></span></code></pre>\n<p>Users do not need to commit <code>op://...</code> references unless they choose the advanced escape hatch.</p>",
  "links_out": []
}