Daily use
The CLI works mostly from local state. fd0 sync is the explicit network command; the agent can also sync after unlock when on_unlock = true.
Secrets
Store a string secret in a scope. Without --scope, fd0 uses the only live scope, asks interactively, or requires --scope in non-interactive use.
Print a secret. Without a name, fd0 opens the interactive picker.
Copy a secret to the clipboard and clear it after the timeout.
List visible secret names across scopes. Values stay encrypted until you request one.
Write a tombstone for a secret. The old event remains audit history.
Scopes and sharing
A scope is the sharing boundary. Add a member to share every current secret in the scope. Remove a member to rotate the scope key for future writes.
# Alice exports her card. $ fd0 card export # Bob imports Alice, Alice imports Bob, then Alice grants access. $ fd0 card import "fd0://card/..." --label bob $ fd0 scope add-member bob --scope work $ fd0 sync # Bob discovers the scope on his next sync. $ fd0 sync $ fd0 ls
Print your signed card and safety number. Share the card over any channel; verify the safety number over a trusted channel.
Pin another identity under a local label.
Grant a pinned card access to the scope.
Remove access and rotate the scope key.
Local health
Show whether the agent is running and whether the vault is unlocked.
Replay local chains, check vault tips, auth wraps, scope keys, orphan chain files, and SSH socket health.
Lock the vault in the running agent and zeroize in-memory keys.
Show fd0-agent process, vault, agent socket, and SSH socket state.
Replace fd0-agent with the current binary and repair stale agent sockets.
Stop fd0-agent and clean stale sockets when safe.