Epsitec.Briefcases.Cli 2.8.1.2629

Prefix Reserved
dotnet tool install --global Epsitec.Briefcases.Cli --version 2.8.1.2629
                    
This package contains a .NET tool you can call from the shell/command line.
dotnet new tool-manifest
                    
if you are setting up this repo
dotnet tool install --local Epsitec.Briefcases.Cli --version 2.8.1.2629
                    
This package contains a .NET tool you can call from the shell/command line.
#tool dotnet:?package=Epsitec.Briefcases.Cli&version=2.8.1.2629
                    
nuke :add-package Epsitec.Briefcases.Cli --version 2.8.1.2629
                    

Briefcases CLI

A command-line tool for managing encrypted briefcases — zero-knowledge, event-sourced document storage with post-quantum cryptography.

Installation

dotnet tool install -g Epsitec.Briefcases.Cli

Quick Start

# Provision your identity keys against auth (uid is assigned, not chosen;
# prompts for --login / --auth-pwd / --totp when omitted). This also logs
# you in: the session is stored and refreshed automatically from then on.
briefcases identity provision

# Create a new briefcase
briefcases create

# Add files
briefcases add ./document.pdf
briefcases add ./project-folder

# Restore files from briefcase
briefcases restore

# View briefcase tree
briefcases tree

# Show a QR code to import your keys into the mobile app
briefcases export-keys

Commands

Command Description
configure Display or update CLI settings
identity Manage your identity keys against the auth registry (provision / publish / recover / status / whois)
recover Recover user keys from BIP-39 mnemonic (offline, no auth validation)
rotate-keys Rotate your identity keys and re-key every briefcase you own
export-keys Display a QR code that imports your keys into a mobile app
create Create a new briefcase (genesis transaction)
add Add or update files/directories in the briefcase
delete Delete files/directories from the briefcase
restore Restore files from the briefcase to the working directory
rename Rename a file or folder in the briefcase
tag List or edit the tags carried by a node
find Find nodes by tag, key, prefix, or absence of tags
tree Display the hierarchical structure of briefcase contents
read Render a node or subtree as it stood at a generation
diff List nodes changed between two generations (NDJSON, for indexing)
status Show differences between briefcase state and working directory
sync Synchronize with the server (online mode)
list List the briefcases you can reach and are a member of (with workspace names)
card Show or publish the workspace card of the configured briefcase
listen Monitor real-time server events
acl Manage access control lists
invite Manage briefcase invitations
member Re-key rotated members of a briefcase you own (owner)
recovery Manage social recovery: provision the recovery vault, open the request, assist, complete
recover-laks Re-wrap your custom LAKs after a lost-key recovery (owner)
successor Designate or remove briefcase successors (owner)
succession Claim or veto access to a briefcase whose owner is gone
timelock Seal, inspect, or open a general-purpose time capsule
dump Dump ledger or user profile for debugging

Successor continuity

The owner of a briefcase never changes, but the owner may designate successors who can obtain full read access if the owner disappears. A designated successor has no privilege until it succeeds.

The probation window defaults to 48 hours: a successor cannot finalize a claim until it elapses, giving the owner time to veto. Override it at creation with briefcases create --probation <minutes> (e.g. 0 to disable, for tests).

Owner commands:

Command Description
successor grant <userId> Designate an active member as a successor and provision the escrow
successor revoke <userId> Remove a successor and drop the escrow
successor list Show designated, pending, and accepted successors
succession cancel <userId> Veto a pending succession within the probation window

Successor commands:

Command Description
succession request Start a probation-gated claim
succession status Show pending requests and their probation deadlines
succession accept Finalize after probation, then pull and decrypt the escrow

After acceptance, sync then ls/read/tree return every node to the successor. The successor never becomes the owner and cannot act as the owner.

Social recovery

An owner who loses their private keys and their recovery phrase can regain access through a trusted member. The briefcase's recovery vault holds Access-Key shards the owner deposited ahead of time: one entry per chosen member, each an independent 2-of-2 split — one shard sealed to that member, the other kept by the server. Neither shard alone reveals anything.

Provisioning a member is a trust decision: an assisting member receives their whole entry, so choose recovery peers as deliberately as you would a successor. Owner commands, run while access is still held:

Command Description
recovery vault provision [--uid <uid>]... Deposit recovery shards for members (all active members when --uid is omitted)
recovery vault status Show which active members hold a vault entry

The recovery itself, for an owner A assisted by a member B:

# A — start over with a fresh identity (new keys, new phrase):
briefcases identity provision --reprovision

# A — open the recovery request for the briefcase:
briefcases recovery request --bid <bid>

# B — assist: prepares the rekey package, prints a PIN for A:
briefcases recovery assist <bid>

# A — accept the recovery invitation with B's PIN, then complete:
briefcases invite accept <invite-id> <PIN>
briefcases recovery complete --bid <bid>

recovery complete reconstructs the Access Key from the shards, verifies it against the genesis recovery anchor, restores access, and re-wraps the owner's custom LAKs. It is idempotent — re-run it after an interruption and it finishes only the missing steps. There is no probation here: the safeguard is B, who should verify out of band that A really lost their keys before assisting.

Time capsules

timelock seals arbitrary bytes so they cannot be decrypted before a chosen time — no briefcase, no server account required. It seals to a public randomness beacon (drand's quicknet network): the file stays unopenable, by anyone, until the beacon for its round is published, and no earlier. The produced file is a standard tlock/age capsule — it opens with the official tlock CLI or tlock-js, and vice versa.

Command Description
timelock seal (--at \| --minutes \| --round) [--in] [--out] [--binary] Seal a payload to a chosen time, delay, or round
timelock inspect [--in] Show a sealed file's round, chain hash, and unlock time
timelock open [--in] [--out] Decrypt a sealed file once its round is due

Exactly one of --at <timestamp>, --minutes <n>, or --round <n> chooses the unlock point; --in/--out default to stdin/stdout, so the command composes with pipes. --out omitted means the sealed or recovered bytes are the command's output — no other text is printed, so a pipeline never sees anything but the payload.

# Seal a short secret for one hour, to a file.
echo "the launch code is 4-8-15-16-23-42" | briefcases timelock seal --minutes 60 --out capsule.age

# Check when it opens, without any key material or network access.
briefcases timelock inspect --in capsule.age
#   Round: 12345678
#   Chain hash: 52db9ba7...
#   Unlock time: 2026-07-08T15:30:00Z (locked)

# Try to open it early: reports the unlock time and exits cleanly, no error.
briefcases timelock open --in capsule.age
#   Still timelocked; unlocks at 2026-07-08T15:30:00Z. Run 'briefcases timelock open' again after that time.

# ... after the hour has passed ...
briefcases timelock open --in capsule.age
#   Opened.

open fetches the unlocking beacon from the public relays and verifies it before decrypting; a relay outage is reported as a retryable warning, never a hard failure. A tampered or corrupted file is rejected with a clear error.

Workspace cards

A workspace card carries small, human-meaningful metadata for a briefcase — workspace name, owner, an optional description, colour, icon, and tags — that members read without downloading the ledger and that the server never sees in cleartext.

Command Description
list Shows each accessible briefcase with its workspace name (when a card exists and is readable).
card show Decrypt and display the configured briefcase's card.
card set --name <text> [--kind --description --color --icon --tag …] Publish or update the card (owner only).

The card is stored in an internal system:-tagged anchor node, hidden from the file views by default. Reveal it with tree --system (add --show-gen for its generation) or materialize it with restore --system.

Cold-read verification. When you hold an access token, list and card show verify the card's owner signature against the auth directory named by the token's iss claim (defense in depth). list marks a verified entry green with a trailing and a tampered one red with ; card show adds a Verified: line (yes / NO — signature invalid / not checked). Verification is best-effort: with no token, or when the signer key cannot be resolved, the card simply shows as not checked and the listing still succeeds.

Sessions and tokens

Log in once, work all day — the CLI manages its own access tokens:

  • briefcases identity provision (first run) or auth-cli login establishes the session and stores it in the .auth-cli/ directory next to the storage root, shared with the external auth-cli tool.
  • Every online command then mints fresh access tokens automatically from the stored refresh token — at startup and mid-command, so long transfers and listen survive token expiry — and persists the refreshed pair back for the next invocation.
  • When the session eventually dies (refresh token expired or revoked), the command exits with a single actionable error telling you to run auth-cli login (or briefcases identity provision on a fresh machine).

No manual token refresh is ever needed in the nominal flow. Run any command with --verbose to trace the token lifecycle (source, remaining lifetime, refresh and write-back decisions); identity status prints a Session: line describing the stored session without touching the network.

Global Options

  • --root <path> — Override briefcase storage root (default: ./.briefcases/)
  • --settings <name> — Override settings filename (default: default.json)
  • --bid <id> — Override briefcase ID (* is only useful for generation paths such as create)
  • --url <url> — Override server URL for this invocation
  • --auth-url <url> — Override the auth service URL for this invocation (persist it with configure auth-url=…; default: the production auth)
  • --storage <backend> — Storage backend: fs / filesystem (default) or zip
  • --dir <path> — Override working directory
  • --token <jwt> — Use this exact access token for the invocation: it is never refreshed and never persisted; scripting callers own its lifecycle
  • --ignore-auth-cli — Do not touch the local .auth-cli/ session at all: no token is read from it and nothing is written back (not even by identity provision)
  • --resource <urn> — Bind minted access tokens to the given resource audience (RFC 8707); persist it with configure resource=… (default: unbound)
  • --verbose — Enable verbose output (includes the token lifecycle diagnostics)
  • --insecure — Disable TLS certificate validation

License

MIT — Copyright © 2026, EPSITEC SA, CH-1400 Yverdon-les-Bains, Switzerland

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last Updated
2.8.1.2629 61 7/15/2026
2.8.0.2629 49 7/15/2026
2.7.3.2629 67 7/14/2026
2.7.2.2629 68 7/14/2026
2.7.1.2629 74 7/14/2026
2.7.0.2629 75 7/14/2026
2.6.2.2629 77 7/14/2026
2.6.1.2629 69 7/14/2026
2.6.0.2629 74 7/14/2026
2.5.0.2628 79 7/12/2026
2.3.0.2628 89 7/10/2026
2.2.0.2628 84 7/8/2026
2.1.6.2627 100 7/3/2026
2.1.5.2627 96 7/2/2026
2.1.4.2627 97 7/2/2026
2.1.3.2627 104 6/30/2026
2.1.2.2627 96 6/29/2026
2.1.1.2627 108 6/29/2026
2.1.0.2627 92 6/29/2026
2.0.0.2626 107 6/28/2026
Loading failed