Skip to Content
CLIPull & Push

Pull & Push

The depvault pull and depvault push commands sync config and secret files between your project and your local repository. Each file is handled as a single client-encrypted blob — the CLI never parses files into variables. App ownership and the environment slug are inferred from each file’s path and name.

All commands default to the active project (set with depvault project select). Override with --project.


push

Push config and secret files as encrypted blobs. The CLI reads each file, encrypts the whole file with the project DEK (AES-256-GCM), and uploads the ciphertext. No parsing into variables, no stale-variable pruning.

depvault push

When --file is omitted in interactive mode, the CLI discovers pushable config and secret files in the repository and prompts you to multi-select which to push (all selected by default). In non-interactive mode, --file is required.

FlagDescriptionDefault
--projectProject ID.Active project
--fileSingle file to push. Auto-discovers and multi-selects if omitted.Auto-discover

App and environment inference

For each file, the CLI infers:

  • App — by walking up from the file to the nearest ancestor directory that contains a project marker (*.sln, *.csproj, package.json, go.mod, Cargo.toml, pom.xml, etc.). The app is identified by that directory’s repo-relative path ("" for the repo root).
  • Environment slug — from the filename: appsettings.json / bare .envbase; appsettings.Production.jsonprod; .env.locallocal; .env.stagingstaging. Unknown segments keep their own slug (e.g. .env.qaqa) and are never collapsed to base.

There are no --vault or --tag flags — apps and environments are derived from the repository layout.

Examples

Push everything with auto-discovery:

depvault push

Push a single file explicitly:

depvault push --file apps/backend/.env

pull

Pull a project’s encrypted config and secret files and restore each one byte-for-byte to its original repo-relative path. The CLI fetches the repository map and blobs, decrypts them client-side with the project DEK, and writes each file verbatim — no re-serialization, no format conversion. Intermediate directories are recreated as needed.

depvault pull
FlagDescriptionDefault
--projectProject ID.Active project
--appOnly pull files for this app (matches app name or repo-relative path).All apps
--environmentOnly pull files for this environment slug (e.g. dev, prod, staging).All environments
--include-baseInclude base-environment files when filtering by --environment.true
--include-secretsAlso download secret files.true
--output-dirBase directory for restored files.Repo root
--forceOverwrite existing files without prompting.false

Output structure

Files are restored to the exact relativePath they were pushed from. For a repo with two apps:

./ ├── apps/backend/.env # config file, environment "base" ├── apps/backend/appsettings.Production.json ├── apps/backend/certs/server.pem # secret file └── apps/frontend/.env.local

Examples

Restore everything for the active project:

depvault pull

Restore only the backend app’s production files (plus shared base files):

depvault pull --app apps/backend --environment prod

Restore production files without including base:

depvault pull --environment prod --include-base false

Restore without secret files:

depvault pull --include-secrets false

A normal pull always restores files verbatim — there is no format conversion on pull.


Listing files

Browse the config and secret files stored for a project in the web dashboard’s project file views. For CI pipelines, see depvault ci pull.