CLI

The DepVault CLI (depvault) is a .NET 10 Native AOT binary — a single self-contained executable with no runtime dependencies.

Installation

Quick Install

Linux / macOS:


curl -fsSL https://get.depvault.com | bash

Windows (PowerShell):


irm https://get.depvault.com | iex

The installer detects your platform, downloads the latest release, and adds it to PATH. Installed to ~/.depvault/bin/ by default. Set DEPVAULT_INSTALL_DIR to customize.

Manual Download

Pre-built binaries on the GitHub Releases page:

Platform	Archive
Linux x64	`depvault-linux-x64.tar.gz`
macOS x64	`depvault-osx-x64.tar.gz`
macOS ARM64	`depvault-osx-arm64.tar.gz`
Windows x64	`depvault-win-x64.zip`

Build from Source

Requires .NET 10 SDK .


git clone https://github.com/suxrobGM/depvault.git
cd depvault/apps/cli
dotnet publish -c Release -r <rid>

Replace <rid> with linux-x64, osx-x64, osx-arm64, or win-x64.

Interactive Mode (REPL)

Run depvault with no arguments to enter an interactive session:


depvault

The REPL displays a banner with your authentication status, vault lock state, and active project. Type commands directly (with or without a leading /) and press Enter. The screen refreshes between commands to show updated status.

Built-in REPL commands:

Command	Description
`help`	List available commands
`exit` / `quit` / `q`	Exit the session

The vault auto-locks after 30 minutes of idle time.

Configuration

The CLI stores configuration in ~/.depvault/:

config.json — Server URL, active project, default output format.
credentials.json — JWT tokens from interactive login. Created by depvault login, removed by depvault logout. Never commit this file.


depvault config set server https://depvault.example.com
depvault config set output json

Authentication Modes

Mode	How it works	Use case
Interactive	`depvault login` with email and password	Local development
CI Token	`DEPVAULT_TOKEN` environment variable	CI/CD pipelines

When DEPVAULT_TOKEN is set, the CLI uses it for all requests and blocks interactive login. See Authentication for details.

Vault Unlock

The vault must be unlocked before pulling or pushing encrypted data. Unlocking derives your Key Encryption Key (KEK) from your vault password and caches it in memory.


depvault unlock

In non-interactive mode, set the DEPVAULT_PASSWORD environment variable to unlock automatically.

Lock the vault to clear the cached KEK and all DEK caches:


depvault lock

If you skip unlock, the CLI prompts for your vault password on the first command that requires decryption and caches it for subsequent commands.

Project Auto-Detection

The CLI automatically detects the active project by reading the remote origin URL from .git/config and matching the repository name against your DepVault projects. This works from any subdirectory within the repository.

Command Tree

Command	Description	Details
`depvault scan`	Scan repo: analyze deps, push env, detect secrets	Scanning
`depvault pull`	Pull env vars and secret files to local folders	Pull & Push
`depvault pull env`	Pull only environment variables	Pull & Push
`depvault pull secrets`	Pull only secret files	Pull & Push
`depvault push env`	Push env vars from local files	Pull & Push
`depvault push secrets`	Upload secret files	Pull & Push
`depvault env list`	List environment variables	Env
`depvault secrets list`	List secret file metadata	Secret Files
`depvault analyze`	Analyze a dependency file	Analysis
`depvault ci pull`	Fetch secrets with CI token	CI/CD
`depvault login`	Authenticate with email/password	Auth
`depvault logout`	Clear stored credentials	Auth
`depvault whoami`	Show current user	Auth
`depvault unlock`	Unlock vault (cache KEK)
`depvault lock`	Lock vault (clear KEK/DEK cache)
`depvault project list`	List all projects	Projects
`depvault project select`	Set active project	Projects
`depvault project info`	Show project details	Projects
`depvault update`	Update CLI to latest version
`depvault version`	Print CLI version
`depvault config set <k> <v>`	Set a configuration value