CLI Reference ¶

1 Top-level usage ¶

nimvault {SUBCMD} [sub-command options & parameters]

nimvault auto-detects the git repository root via git rev-parse --show-toplevel and uses .vault/ within it. All commands accept the optional --recipient KEY flag.

The CLI is built on cligen with dispatchMulti for subcommand routing. Each subcommand is a thin wrapper around the corresponding commands module proc.

2 Commands ¶

2.1 seal ¶

nimvault seal [--recipient KEY]

Encrypt all vault entries from their plaintext locations. Reads each file at the path stored in the manifest, encrypts it in parallel via startProcess, and writes .vault/<id>.gpg blobs. Re-encrypts the manifest after sealing.

Exits non-zero if any plaintext file is missing.

2.2 unseal ¶

nimvault unseal [--recipient KEY]

Decrypt all vault blobs to their target paths in parallel. Creates parent directories as needed. Sets file permissions to 600 (owner read/write only).

Exits non-zero if any blob file is missing.

2.3 add ¶

nimvault add <path> [--recipient KEY]

Add a file to the vault. The path is stored with ~/ for portability. Generates a random 16-char hex ID, encrypts the file, and appends to the manifest.

Exits non-zero if:

The file does not exist
The file is already in the vault

2.4 rm ¶

nimvault rm <path> [--recipient KEY]

Remove a file from the vault. Deletes the encrypted blob and removes the manifest entry. Does NOT delete the local plaintext file.

2.5 mv ¶

nimvault mv <old-path> <new-path> [--recipient KEY]

Move/rename a vault entry’s target path. If the file exists at the old path, it is physically moved. The encrypted blob is unchanged; only the manifest entry is updated.

2.6 list ¶

nimvault list [--recipient KEY]

List all vault entries showing their ID and target path.

2.7 status ¶

nimvault status [--recipient KEY]

Show sync status of all vault entries by comparing SHA-256 hashes of local files against decrypted blobs:

[in-sync]: local matches vault
[modified]: local differs from vault (needs seal)
[missing]: local file not found (needs unseal)
[no-blob]: encrypted blob missing (needs seal or add)

3 Global options ¶

--recipient KEY: GPG recipient key ID. Overrides env var and config file. See configuration for the full resolution chain.
--help: Show help for the current command.
--version: Show nimvault version.

4 Exit codes ¶

Code	Meaning
0	Success
1	Error (missing file, GPG failure, not in git repo)