Pull & Push
The depvault pull and depvault push commands sync config and secret files between your project and your local repository. Each file is handled as a single client-encrypted blob — the CLI never parses files into variables. App ownership and the environment slug are inferred from each file’s path and name.
All commands default to the active project (set with depvault project select). Override with --project.
push
Push config and secret files as encrypted blobs. The CLI reads each file, encrypts the whole file with the project DEK (AES-256-GCM), and uploads the ciphertext. No parsing into variables, no stale-variable pruning.
depvault pushWhen --file is omitted in interactive mode, the CLI discovers pushable config and secret files in the repository and prompts you to multi-select which to push (all selected by default). In non-interactive mode, --file is required.
| Flag | Description | Default |
|---|---|---|
--project | Project ID. | Active project |
--file | Single file to push. Auto-discovers and multi-selects if omitted. | Auto-discover |
App and environment inference
For each file, the CLI infers:
- App — by walking up from the file to the nearest ancestor directory that contains a project marker (
*.sln,*.csproj,package.json,go.mod,Cargo.toml,pom.xml, etc.). The app is identified by that directory’s repo-relative path (""for the repo root). - Environment slug — from the filename:
appsettings.json/ bare.env→base;appsettings.Production.json→prod;.env.local→local;.env.staging→staging. Unknown segments keep their own slug (e.g..env.qa→qa) and are never collapsed tobase.
There are no --vault or --tag flags — apps and environments are derived from the repository layout.
Examples
Push everything with auto-discovery:
depvault pushPush a single file explicitly:
depvault push --file apps/backend/.envpull
Pull a project’s encrypted config and secret files and restore each one byte-for-byte to its original repo-relative path. The CLI fetches the repository map and blobs, decrypts them client-side with the project DEK, and writes each file verbatim — no re-serialization, no format conversion. Intermediate directories are recreated as needed.
depvault pull| Flag | Description | Default |
|---|---|---|
--project | Project ID. | Active project |
--app | Only pull files for this app (matches app name or repo-relative path). | All apps |
--environment | Only pull files for this environment slug (e.g. dev, prod, staging). | All environments |
--include-base | Include base-environment files when filtering by --environment. | true |
--include-secrets | Also download secret files. | true |
--output-dir | Base directory for restored files. | Repo root |
--force | Overwrite existing files without prompting. | false |
Output structure
Files are restored to the exact relativePath they were pushed from. For a repo with two apps:
./
├── apps/backend/.env # config file, environment "base"
├── apps/backend/appsettings.Production.json
├── apps/backend/certs/server.pem # secret file
└── apps/frontend/.env.localExamples
Restore everything for the active project:
depvault pullRestore only the backend app’s production files (plus shared base files):
depvault pull --app apps/backend --environment prodRestore production files without including base:
depvault pull --environment prod --include-base falseRestore without secret files:
depvault pull --include-secrets falseA normal pull always restores files verbatim — there is no format conversion on pull.
Listing files
Browse the config and secret files stored for a project in the web dashboard’s project file views. For CI pipelines, see depvault ci pull.