Vault CLI Usage | Docs | TitaniumGuard

Vault CLI Usage

This page documents the current vault-cli command contract.

Build and Help

vault --help

Initialize a Vault

vault init --vault-name "personal" --master-password "correct horse battery staple"

Expected output:

vault initialized

Create a Record

create accepts JSON field input through --fields-json. Each field object supports:

  • key (required)
  • value (required; can be empty string)
  • sensitivity (optional, defaults to public)

Allowed sensitivity values: public, semi_private, secret.

vault create \
  --vault-name "personal" \
  --master-password "correct horse battery staple" \
  --fields-json '[{"key":"title","value":"GitHub"},{"key":"username","value":"alice","sensitivity":"semi_private"},{"key":"password","value":"p@ssw0rd!","sensitivity":"secret"},{"key":"domain","value":"github.com"}]'

Expected output:

created <record-uuid>
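
One way to check a field list against the contract above before it reaches vault create, so that a mistyped or omitted sensitivity does not leave a secret stored as public. This is an added example, not TitaniumGuard's own code: normalize_fields and build_create_argv are hypothetical helper names, and rejecting unknown field names and non-string values is an assumption stricter than what this page states.

```python
import json

ALLOWED = ("public", "semi_private", "secret")  # sensitivity values listed on this page
FIELD_NAMES = {"key", "value", "sensitivity"}   # names a field object supports

def normalize_fields(fields):
    """Return (normalized, defaulted): fields with explicit sensitivity, and keys left at the default."""
    if not isinstance(fields, list):
        raise ValueError("fields must be a JSON array of objects")
    normalized, defaulted = [], []
    for i, field in enumerate(fields):
        if not isinstance(field, dict):
            raise ValueError(f"field {i}: expected an object")
        # Assumption: reject unknown names so a typo such as "sensitivty"
        # cannot silently leave a field at the default level.
        unknown = set(field) - FIELD_NAMES
        if unknown:
            raise ValueError(f"field {i}: unknown name(s) {sorted(unknown)}")
        key, value = field.get("key"), field.get("value")
        if not isinstance(key, str) or not key:
            raise ValueError(f"field {i}: 'key' is required")
        if not isinstance(value, str):  # an empty string is allowed, absence is not
            raise ValueError(f"field {key!r}: 'value' is required")
        sensitivity = field.get("sensitivity", "public")  # documented default
        if "sensitivity" not in field:
            defaulted.append(key)  # surfaced so the caller can review it
        if sensitivity not in ALLOWED:
            raise ValueError(f"field {key!r}: sensitivity must be one of {ALLOWED}")
        normalized.append({"key": key, "value": value, "sensitivity": sensitivity})
    return normalized, defaulted

def build_create_argv(vault_name, master_password, fields):
    """Build the argv list for `vault create` using only the flags shown on this page."""
    normalized, _ = normalize_fields(fields)
    return ["vault", "create", "--vault-name", vault_name,
            "--master-password", master_password,
            "--fields-json", json.dumps(normalized, separators=(",", ":"))]

# Constructed sample input, mirroring the record created above.
SAMPLE = [
    {"key": "title", "value": "GitHub"},
    {"key": "username", "value": "alice", "sensitivity": "semi_private"},
    {"key": "password", "value": "p@ssw0rd!", "sensitivity": "secret"},
    {"key": "domain", "value": "github.com"},
]

if __name__ == "__main__":
    print("left at default (public):", normalize_fields(SAMPLE)[1])
```

Passing the returned list to a process launcher as an argument vector, rather than joining it into a shell string, keeps values such as p@ssw0rd! from being reinterpreted by the shell.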

List Records

vault list --vault-name "personal" --master-password "correct horse battery staple"

Returns JSON for decrypted records when password verification succeeds.

Delete a Record

vault delete \
  --vault-name "personal" \
  --master-password "correct horse battery staple" \
  --record_id "<record-uuid>"

Expected output:

deleted <record-uuid>

Export Records

Export is policy-gated and requires explicit acknowledgment:

vault export \
  --vault-name "personal" \
  --master-password "correct horse battery staple" \
  --acknowledge-export-risk

Without the acknowledgment flag, export fails.

Storage Location

By default, CLI storage is disk-backed through vault-platforms. To control location:

TITANIUMGUARD_VAULT_DIR=/tmp/tg-vault-demo \
  vault list --vault-name "personal" --master-password "correct horse battery staple"

This root contains verifier metadata and per-record encrypted blob files.

Vault Name Rules

  • init with a new --vault-name creates a separate vault namespace on disk.
  • init with an existing --vault-name fails with an “already exists” error.
  • create, list, delete, and export require --vault-name to target the intended vault.