CLI

Daily use

The CLI works mostly from local state. fd0 sync is the explicit network command; the agent can also sync after unlock when on_unlock = true.

Secrets

fd0 set <NAME> <value> [--scope <scope>]

Store a string secret in a scope. Without --scope, fd0 uses the only live scope, asks interactively, or requires --scope in non-interactive use.

fd0 get [<NAME>] [--scope <scope>]

Print a secret. Without a name, fd0 opens the interactive picker.

fd0 copy <NAME> [--clear-after=30s]

Copy a secret to the clipboard and clear it after the timeout.

fd0 ls

List visible secret names across scopes. Values stay encrypted until you request one.

fd0 rm <NAME> [--scope <scope>]

Write a tombstone for a secret. The old event remains audit history.

Scopes and sharing

A scope is the sharing boundary. Add a member to share every current secret in the scope. Remove a member to rotate the scope key for future writes.

# Alice exports her card.
$ fd0 card export

# Bob imports Alice, Alice imports Bob, then Alice grants access.
$ fd0 card import "fd0://card/..." --label bob
$ fd0 scope add-member bob --scope work
$ fd0 sync

# Bob discovers the scope on his next sync.
$ fd0 sync
$ fd0 ls
fd0 card export

Print your signed card and safety number. Share the card over any channel; verify the safety number over a trusted channel.

fd0 card import <fd0://card/...> --label <name>

Pin another identity under a local label.

fd0 scope add-member <label> --scope <scope>

Grant a pinned card access to the scope.

fd0 scope remove-member <label> --scope <scope>

Remove access and rotate the scope key.

Local health

fd0 status

Show whether the agent is running and whether the vault is unlocked.

fd0 doctor

Replay local chains, check vault tips, auth wraps, scope keys, orphan chain files, and SSH socket health.

fd0 lock

Lock the vault in the running agent and zeroize in-memory keys.

fd0 agent status

Show fd0-agent process, vault, agent socket, and SSH socket state.

fd0 agent restart

Replace fd0-agent with the current binary and repair stale agent sockets.

fd0 agent stop

Stop fd0-agent and clean stale sockets when safe.

If a command needs an unlocked vault in an interactive terminal, fd0 prompts for the passphrase instead of failing immediately.