advanced.md
# Advanced Commands

## Device

### auths device link

```bash
auths device link
```

<!-- BEGIN GENERATED: auths device link -->
Authorize a new device to act on behalf of the identity

<div class="flags-container">
<input type="checkbox" id="flags---identity-key-aliasIDENTITYKEYALIAS" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--identity-key-alias <IDENTITY_KEY_ALIAS></code></td><td>—</td><td>Local alias of the *identity's* key (used for signing). [aliases: --ika]</td></tr>
<tr><td><code>--device-key-alias <DEVICE_KEY_ALIAS></code></td><td>—</td><td>Local alias of the *new device's* key (must be imported first). [aliases: --dka]</td></tr>
<tr><td><code>--device-did <DEVICE_DID></code></td><td>—</td><td>Identity ID of the new device being authorized (must match device-key-alias). [aliases: --device]</td></tr>
<tr><td><code>--payload <PAYLOAD_PATH></code></td><td>—</td><td>Optional path to a JSON file containing arbitrary payload data for the authorization.</td></tr>
<tr><td><code>--schema <SCHEMA_PATH></code></td><td>—</td><td>Optional path to a JSON schema for validating the payload (experimental).</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--expires-in-days <DAYS></code></td><td>—</td><td>Optional number of days until this device authorization expires. [aliases: --days]</td></tr>
<tr><td><code>--note <NOTE></code></td><td>—</td><td>Optional description/note for this device authorization.</td></tr>
<tr><td><code>--capabilities <CAPABILITIES></code></td><td>—</td><td>Permissions to grant this device (comma-separated)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---identity-key-aliasIDENTITYKEYALIAS" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths device link -->

---

### auths device revoke

```bash
auths device revoke
```

<!-- BEGIN GENERATED: auths device revoke -->
Revoke an existing device authorization using the identity key

<div class="flags-container">
<input type="checkbox" id="flags---device-didDEVICEDID" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--device-did <DEVICE_DID></code></td><td>—</td><td>Identity ID of the device authorization to revoke. [aliases: --device]</td></tr>
<tr><td><code>--identity-key-alias <IDENTITY_KEY_ALIAS></code></td><td>—</td><td>Local alias of the *identity's* key (required to authorize revocation).</td></tr>
<tr><td><code>--note <NOTE></code></td><td>—</td><td>Optional note explaining the revocation.</td></tr>
<tr><td><code>--dry-run</code></td><td>—</td><td>Preview actions without making changes.</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---device-didDEVICEDID" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths device revoke -->

---

### auths device extend

```bash
auths device extend
```

<!-- BEGIN GENERATED: auths device extend -->
Extend the expiration date of an existing device authorization

<div class="flags-container">
<input type="checkbox" id="flags---device-didDEVICEDID" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--device-did <DEVICE_DID></code></td><td>—</td><td>Identity ID of the device authorization to extend. [aliases: --device]</td></tr>
<tr><td><code>--expires-in-days <DAYS></code></td><td>—</td><td>Number of days to extend the expiration by (from now). [aliases: --days]</td></tr>
<tr><td><code>--identity-key-alias <IDENTITY_KEY_ALIAS></code></td><td>—</td><td>Local alias of the *identity's* key (required for re-signing). [aliases: --ika]</td></tr>
<tr><td><code>--device-key-alias <DEVICE_KEY_ALIAS></code></td><td>—</td><td>Local alias of the *device's* key (required for re-signing). [aliases: --dka]</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---device-didDEVICEDID" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths device extend -->

---

## Identity

### auths id init-did

```bash
auths id init-did
```

<!-- BEGIN GENERATED: auths id init-did -->
error: unrecognized subcommand 'init-did'

_No options._
<!-- END GENERATED: auths id init-did -->

---

### auths id rotate

```bash
auths id rotate
```

<!-- BEGIN GENERATED: auths id rotate -->
Rotate identity keys. Stores the new key under a new alias

<div class="flags-container">
<input type="checkbox" id="flags---aliasALIAS" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--alias <ALIAS></code></td><td>—</td><td>Alias of the identity key to rotate.</td></tr>
<tr><td><code>--current-key-alias <CURRENT_KEY_ALIAS></code></td><td>—</td><td>Alias of the CURRENT private key controlling the identity.</td></tr>
<tr><td><code>--next-key-alias <NEXT_KEY_ALIAS></code></td><td>—</td><td>Alias to store the NEWLY generated private key under.</td></tr>
<tr><td><code>--add-witness <ADD_WITNESS></code></td><td>—</td><td>Verification server prefix to add (e.g., B...). Can be specified multiple times.</td></tr>
<tr><td><code>--remove-witness <REMOVE_WITNESS></code></td><td>—</td><td>Verification server prefix to remove (e.g., B...). Can be specified multiple times.</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--witness-threshold <WITNESS_THRESHOLD></code></td><td>—</td><td>New simple verification threshold count (e.g., 1 for 1-of-N).</td></tr>
<tr><td><code>--dry-run</code></td><td>—</td><td>Preview actions without making changes</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---aliasALIAS" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths id rotate -->

---

## Key Management

### auths key import

```bash
auths key import
```

<!-- BEGIN GENERATED: auths key import -->
Import an Ed25519 key from a 32-byte seed file and store it encrypted

<div class="flags-container">
<input type="checkbox" id="flags---key-aliasKEYALIAS" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--key-alias <KEY_ALIAS></code></td><td>—</td><td>Local alias to assign to the imported key. [aliases: --alias]</td></tr>
<tr><td><code>--seed-file <SEED_FILE></code></td><td>—</td><td>Path to the file containing the raw 32-byte Ed25519 seed.</td></tr>
<tr><td><code>--controller-did <CONTROLLER_DID></code></td><td>—</td><td>Controller DID (e.g., did:key:...) to associate with the imported key.</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---key-aliasKEYALIAS" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths key import -->

---

### auths key export

```bash
auths key export
```

<!-- BEGIN GENERATED: auths key export -->
Export a stored key in various formats (requires passphrase for some formats)

<div class="flags-container">
<input type="checkbox" id="flags---key-aliasKEYALIAS" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--key-alias <KEY_ALIAS></code></td><td>—</td><td>Local alias of the key to export. [aliases: --alias]</td></tr>
<tr><td><code>--passphrase <PASSPHRASE></code></td><td>—</td><td>Passphrase to decrypt the key (needed for 'pem'/'pub' formats).</td></tr>
<tr><td><code>--format <FORMAT></code></td><td>—</td><td>Export format: pem (OpenSSH private), pub (OpenSSH public), enc (raw encrypted bytes).</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---key-aliasKEYALIAS" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths key export -->

---

### auths key delete

```bash
auths key delete
```

<!-- BEGIN GENERATED: auths key delete -->
Remove a key from the platform's secure storage by alias

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--key-alias <KEY_ALIAS></code></td><td>—</td><td>Local alias of the key to remove. [aliases: --alias]</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths key delete -->

---

## Policy

### auths policy explain

```bash
auths policy explain
```

<!-- BEGIN GENERATED: auths policy explain -->
Evaluate a policy against a context and show the decision

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><FILE></code></td><td>—</td><td>Path to the policy file (JSON)</td></tr>
<tr><td><code>-c, --context <CONTEXT></code></td><td>—</td><td>Path to the context file (JSON)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths policy explain -->

---

### auths policy test

```bash
auths policy test
```

<!-- BEGIN GENERATED: auths policy test -->
Run a policy against a test suite

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><FILE></code></td><td>—</td><td>Path to the policy file (JSON)</td></tr>
<tr><td><code>-t, --tests <TESTS></code></td><td>—</td><td>Path to the test suite file (JSON)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths policy test -->

---

### auths policy diff

```bash
auths policy diff
```

<!-- BEGIN GENERATED: auths policy diff -->
Compare two policies and show semantic differences

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><OLD></code></td><td>—</td><td>Path to the old policy file (JSON)</td></tr>
<tr><td><code><NEW></code></td><td>—</td><td>Path to the new policy file (JSON)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths policy diff -->

---

## Emergency

### auths emergency revoke-device

```bash
auths emergency revoke-device
```

<!-- BEGIN GENERATED: auths emergency revoke-device -->
Revoke a compromised device immediately

<div class="flags-container">
<input type="checkbox" id="flags---deviceDEVICE" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--device <DEVICE></code></td><td>—</td><td>Device DID to revoke</td></tr>
<tr><td><code>--identity-key-alias <IDENTITY_KEY_ALIAS></code></td><td>—</td><td>Local alias of the identity's key (used for signing the revocation)</td></tr>
<tr><td><code>--note <NOTE></code></td><td>—</td><td>Optional note explaining the revocation</td></tr>
<tr><td><code>-y, --yes</code></td><td>—</td><td>Skip confirmation prompt</td></tr>
<tr><td><code>--dry-run</code></td><td>—</td><td>Preview actions without making changes</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Path to the Auths repository</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
</table>
<label for="flags---deviceDEVICE" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths emergency revoke-device -->

---

### auths emergency rotate-now

```bash
auths emergency rotate-now
```

<!-- BEGIN GENERATED: auths emergency rotate-now -->
Force immediate key rotation

<div class="flags-container">
<input type="checkbox" id="flags---current-aliasCURRENTALIAS" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--current-alias <CURRENT_ALIAS></code></td><td>—</td><td>Local alias of the current signing key</td></tr>
<tr><td><code>--next-alias <NEXT_ALIAS></code></td><td>—</td><td>Local alias for the new signing key after rotation</td></tr>
<tr><td><code>-y, --yes</code></td><td>—</td><td>Skip confirmation prompt (requires typing ROTATE)</td></tr>
<tr><td><code>--dry-run</code></td><td>—</td><td>Preview actions without making changes</td></tr>
<tr><td><code>--reason <REASON></code></td><td>—</td><td>Reason for rotation</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Path to the Auths repository</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
</table>
<label for="flags---current-aliasCURRENTALIAS" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths emergency rotate-now -->

---

### auths emergency freeze

```bash
auths emergency freeze
```

<!-- BEGIN GENERATED: auths emergency freeze -->
Freeze all signing operations

<div class="flags-container">
<input type="checkbox" id="flags---durationDURATION" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--duration <DURATION></code></td><td><code>24h</code></td><td>Duration to freeze (e.g., "24h", "7d")</td></tr>
<tr><td><code>-y, --yes</code></td><td>—</td><td>Skip confirmation prompt (requires typing identity name)</td></tr>
<tr><td><code>--dry-run</code></td><td>—</td><td>Preview actions without making changes</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Path to the Auths repository</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
</table>
<label for="flags---durationDURATION" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths emergency freeze -->

---

### auths emergency report

```bash
auths emergency report
```

<!-- BEGIN GENERATED: auths emergency report -->
Generate an incident report

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--events <EVENTS></code></td><td><code>100</code></td><td>Include last N events in report</td></tr>
<tr><td><code>-o, --output <OUTPUT_FILE></code></td><td>—</td><td>Output file path (defaults to stdout) [aliases: --file]</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Path to the Auths repository</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths emergency report -->

---

## Git

### auths git allowed-signers

```bash
auths git allowed-signers
```

<!-- BEGIN GENERATED: auths git allowed-signers -->
Generate allowed_signers file from Auths device authorizations

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--repo <REPO></code></td><td><code>~/.auths</code></td><td>Path to the Auths identity repository</td></tr>
<tr><td><code>-o, --output <OUTPUT_FILE></code></td><td>—</td><td>Output file path. If not specified, outputs to stdout</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths git allowed-signers -->

---

### auths git install-hooks

```bash
auths git install-hooks
```

<!-- BEGIN GENERATED: auths git install-hooks -->
Install Git hooks for automatic allowed_signers regeneration

<div class="flags-container">
<input type="checkbox" id="flags---repoREPO" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--repo <REPO></code></td><td><code>.</code></td><td>Path to the Git repository where hooks should be installed. Defaults to the current directory</td></tr>
<tr><td><code>--auths-repo <AUTHS_REPO></code></td><td><code>~/.auths</code></td><td>Path to the Auths identity repository</td></tr>
<tr><td><code>--allowed-signers-path <ALLOWED_SIGNERS_PATH></code></td><td><code>.auths/allowed_signers</code></td><td>Path where allowed_signers file should be written</td></tr>
<tr><td><code>--force</code></td><td>—</td><td>Overwrite existing hook without prompting</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
</table>
<label for="flags---repoREPO" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths git install-hooks -->

---

## Trust

### auths trust pin

```bash
auths trust pin
```

<!-- BEGIN GENERATED: auths trust pin -->
Manually pin an identity as trusted

<div class="flags-container">
<input type="checkbox" id="flags---didDID" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--did <DID></code></td><td>—</td><td>The DID of the identity to pin (e.g., did:keri:E...)</td></tr>
<tr><td><code>--key <KEY></code></td><td>—</td><td>The public key in hex format (64 chars for Ed25519)</td></tr>
<tr><td><code>--kel-tip <KEL_TIP></code></td><td>—</td><td>Optional KEL tip SAID for rotation tracking</td></tr>
<tr><td><code>--note <NOTE></code></td><td>—</td><td>Optional note about this identity</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---didDID" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths trust pin -->

---

### auths trust list

```bash
auths trust list
```

<!-- BEGIN GENERATED: auths trust list -->
List all pinned identities

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths trust list -->

---

### auths trust remove

```bash
auths trust remove
```

<!-- BEGIN GENERATED: auths trust remove -->
Remove a pinned identity

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><DID></code></td><td>—</td><td>The DID of the identity to remove</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths trust remove -->

---

### auths trust show

```bash
auths trust show
```

<!-- BEGIN GENERATED: auths trust show -->
Show details of a pinned identity

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><DID></code></td><td>—</td><td>The DID of the identity to show</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths trust show -->

---

## Organization

### auths org create

```bash
auths org create
```

<!-- BEGIN GENERATED: auths org create -->
Create a new organization identity

<div class="flags-container">
<input type="checkbox" id="flags---nameNAME" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--name <NAME></code></td><td>—</td><td>Organization name</td></tr>
<tr><td><code>--local-key-alias <LOCAL_KEY_ALIAS></code></td><td>—</td><td>Alias for the local signing key (auto-generated if not provided)</td></tr>
<tr><td><code>--metadata-file <METADATA_FILE></code></td><td>—</td><td>Optional metadata file (if provided, merged with org metadata)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---nameNAME" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths org create -->

---

### auths org add-member

```bash
auths org add-member
```

<!-- BEGIN GENERATED: auths org add-member -->
Add a member to an organization

<div class="flags-container">
<input type="checkbox" id="flags---orgORG" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--org <ORG></code></td><td>—</td><td>Organization identity ID</td></tr>
<tr><td><code>--member-did <MEMBER_DID></code></td><td>—</td><td>Member identity ID to add [aliases: --member]</td></tr>
<tr><td><code>--role <ROLE></code></td><td>—</td><td>Role to assign (admin, member, readonly)</td></tr>
<tr><td><code>--capabilities <CAPABILITIES></code></td><td>—</td><td>Override default capabilities (comma-separated)</td></tr>
<tr><td><code>--signer-alias <SIGNER_ALIAS></code></td><td>—</td><td>Alias of the signing key in keychain</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--note <NOTE></code></td><td>—</td><td>Optional note for the authorization</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---orgORG" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths org add-member -->

---

### auths org revoke-member

```bash
auths org revoke-member
```

<!-- BEGIN GENERATED: auths org revoke-member -->
Revoke a member from an organization

<div class="flags-container">
<input type="checkbox" id="flags---orgORG" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--org <ORG></code></td><td>—</td><td>Organization identity ID</td></tr>
<tr><td><code>--member-did <MEMBER_DID></code></td><td>—</td><td>Member identity ID to revoke [aliases: --member]</td></tr>
<tr><td><code>--note <NOTE></code></td><td>—</td><td>Reason for revocation</td></tr>
<tr><td><code>--signer-alias <SIGNER_ALIAS></code></td><td>—</td><td>Alias of the signing key in keychain</td></tr>
<tr><td><code>--dry-run</code></td><td>—</td><td>Preview actions without making changes</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---orgORG" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths org revoke-member -->

---

### auths org list-members

```bash
auths org list-members
```

<!-- BEGIN GENERATED: auths org list-members -->
List members of an organization

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--org <ORG></code></td><td>—</td><td>Organization identity ID</td></tr>
<tr><td><code>--include-revoked</code></td><td>—</td><td>Include revoked members</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths org list-members -->

---

## Audit

### auths audit

```bash
auths audit
```

<!-- BEGIN GENERATED: auths audit -->
Generate signing audit reports for compliance

<div class="flags-container">
<input type="checkbox" id="flags---repoREPO" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--repo <REPO></code></td><td><code>.</code></td><td>Path to the Git repository to audit (defaults to current directory)</td></tr>
<tr><td><code>--since <SINCE></code></td><td>—</td><td>Start date for audit period (YYYY-MM-DD or YYYY-QN for quarter)</td></tr>
<tr><td><code>--until <UNTIL></code></td><td>—</td><td>End date for audit period (YYYY-MM-DD)</td></tr>
<tr><td><code>--format <FORMAT></code></td><td><code>table</code></td><td>Output format</td></tr>
<tr><td><code>--require-all-signed</code></td><td>—</td><td>Require all commits to be signed (for CI exit codes)</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--exit-code</code></td><td>—</td><td>Return exit code 1 if any unsigned commits found</td></tr>
<tr><td><code>--author <AUTHOR></code></td><td>—</td><td>Filter by author email</td></tr>
<tr><td><code>--signer <SIGNER></code></td><td>—</td><td>Filter by signing identity/device DID</td></tr>
<tr><td><code>-n, --count <COUNT></code></td><td><code>100</code></td><td>Maximum number of commits to include</td></tr>
<tr><td><code>-o, --output-file <OUTPUT_FILE></code></td><td>—</td><td>Output file path (defaults to stdout)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
</table>
<label for="flags---repoREPO" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths audit -->

---

## Agent

### auths agent start

```bash
auths agent start
```

<!-- BEGIN GENERATED: auths agent start -->
Start the SSH agent daemon

<div class="flags-container">
<input type="checkbox" id="flags---socketSOCKET" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--socket <SOCKET></code></td><td>—</td><td>Custom Unix socket path</td></tr>
<tr><td><code>--foreground</code></td><td>—</td><td>Run in foreground instead of daemonizing</td></tr>
<tr><td><code>--timeout <TIMEOUT></code></td><td><code>30m</code></td><td>Idle timeout before auto-lock</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---socketSOCKET" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths agent start -->

---

### auths agent stop

```bash
auths agent stop
```

<!-- BEGIN GENERATED: auths agent stop -->
Stop the SSH agent daemon

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths agent stop -->

---

### auths agent status

```bash
auths agent status
```

<!-- BEGIN GENERATED: auths agent status -->
Show agent status

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths agent status -->

---

### auths agent env

```bash
auths agent env
```

<!-- BEGIN GENERATED: auths agent env -->
Output shell environment for SSH_AUTH_SOCK (use with eval)

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--shell <SHELL></code></td><td><code>bash</code></td><td>Shell format</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths agent env -->

---

### auths agent lock

```bash
auths agent lock
```

<!-- BEGIN GENERATED: auths agent lock -->
Lock the agent (clear keys from memory)

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths agent lock -->

---

### auths agent unlock

```bash
auths agent unlock
```

<!-- BEGIN GENERATED: auths agent unlock -->
Unlock the agent (re-load keys)

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--agent-key-alias <AGENT_KEY_ALIAS></code></td><td><code>default</code></td><td>Key alias to unlock [aliases: --key]</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths agent unlock -->

---

### auths agent install-service

```bash
auths agent install-service
```

<!-- BEGIN GENERATED: auths agent install-service -->
Install as a system service (launchd on macOS, systemd on Linux)

<div class="flags-container">
<input type="checkbox" id="flags---dry-run" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--dry-run</code></td><td>—</td><td>Print service file without installing</td></tr>
<tr><td><code>--force</code></td><td>—</td><td>Overwrite existing service file</td></tr>
<tr><td><code>--manager <MANAGER></code></td><td>—</td><td>Service manager (auto-detect by default)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---dry-run" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths agent install-service -->

---

### auths agent uninstall-service

```bash
auths agent uninstall-service
```

<!-- BEGIN GENERATED: auths agent uninstall-service -->
Uninstall the system service

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths agent uninstall-service -->

---

## Witness

### auths witness start

```bash
auths witness start
```

<!-- BEGIN GENERATED: auths witness start -->
Start the witness HTTP server

<div class="flags-container">
<input type="checkbox" id="flags---bindBIND" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--bind <BIND></code></td><td><code>127.0.0.1:3333</code></td><td>Address to bind to (e.g., "127.0.0.1:3333")</td></tr>
<tr><td><code>--db-path <DB_PATH></code></td><td><code>witness.db</code></td><td>Path to the SQLite database for witness storage</td></tr>
<tr><td><code>--witness-did <WITNESS_DID></code></td><td>—</td><td>Witness DID (auto-generated if not provided) [aliases: --witness]</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---bindBIND" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths witness start -->

---

### auths witness add

```bash
auths witness add
```

<!-- BEGIN GENERATED: auths witness add -->
Add a witness URL to the identity configuration

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--url <URL></code></td><td>—</td><td>Witness server URL (e.g., "http://127.0.0.1:3333")</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths witness add -->

---

### auths witness remove

```bash
auths witness remove
```

<!-- BEGIN GENERATED: auths witness remove -->
Remove a witness URL from the identity configuration

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--url <URL></code></td><td>—</td><td>Witness server URL to remove</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths witness remove -->

---

### auths witness list

```bash
auths witness list
```

<!-- BEGIN GENERATED: auths witness list -->
List configured witnesses for the current identity

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths witness list -->

---

## SCIM

### auths scim serve

```bash
auths scim serve
```

<!-- BEGIN GENERATED: auths scim serve -->
Start the SCIM provisioning server

<div class="flags-container">
<input type="checkbox" id="flags---bindBIND" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--bind <BIND></code></td><td><code>0.0.0.0:3301</code></td><td>Listen address</td></tr>
<tr><td><code>--database-url <DATABASE_URL></code></td><td>—</td><td>PostgreSQL connection URL</td></tr>
<tr><td><code>--registry-path <REGISTRY_PATH></code></td><td>—</td><td>Path to the Auths registry Git repository</td></tr>
<tr><td><code>--log-level <LOG_LEVEL></code></td><td><code>info</code></td><td>Log level</td></tr>
<tr><td><code>--test-mode</code></td><td>—</td><td>Enable test mode (auto-tenant, relaxed TLS)</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---bindBIND" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths scim serve -->

---

### auths scim quickstart

```bash
auths scim quickstart
```

<!-- BEGIN GENERATED: auths scim quickstart -->
Zero-config quickstart: temp DB + test tenant + running server

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--bind <BIND></code></td><td><code>0.0.0.0:3301</code></td><td>Listen address</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths scim quickstart -->

---

### auths scim test-connection

```bash
auths scim test-connection
```

<!-- BEGIN GENERATED: auths scim test-connection -->
Validate the full SCIM pipeline: create -> get -> patch -> delete

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--url <URL></code></td><td><code>http://localhost:3301</code></td><td>Server URL</td></tr>
<tr><td><code>--token <TOKEN></code></td><td>—</td><td>Bearer token</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths scim test-connection -->

---

### auths scim tenants

```bash
auths scim tenants
```

<!-- BEGIN GENERATED: auths scim tenants -->
List SCIM tenants

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--database-url <DATABASE_URL></code></td><td>—</td><td>PostgreSQL connection URL</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Output as JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths scim tenants -->

---

### auths scim add-tenant

```bash
auths scim add-tenant
```

<!-- BEGIN GENERATED: auths scim add-tenant -->
Generate a new bearer token for an IdP tenant

<div class="flags-container">
<input type="checkbox" id="flags---nameNAME" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--name <NAME></code></td><td>—</td><td>Tenant name</td></tr>
<tr><td><code>--database-url <DATABASE_URL></code></td><td>—</td><td>PostgreSQL connection URL</td></tr>
<tr><td><code>--expires-in <EXPIRES_IN></code></td><td>—</td><td>Token expiry duration (e.g., 90d, 365d). Omit for no expiry</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---nameNAME" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths scim add-tenant -->

---

### auths scim rotate-token

```bash
auths scim rotate-token
```

<!-- BEGIN GENERATED: auths scim rotate-token -->
Rotate bearer token for an existing tenant

<div class="flags-container">
<input type="checkbox" id="flags---nameNAME" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--name <NAME></code></td><td>—</td><td>Tenant name</td></tr>
<tr><td><code>--database-url <DATABASE_URL></code></td><td>—</td><td>PostgreSQL connection URL</td></tr>
<tr><td><code>--expires-in <EXPIRES_IN></code></td><td>—</td><td>Token expiry duration (e.g., 90d, 365d)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---nameNAME" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths scim rotate-token -->

---

### auths scim status

```bash
auths scim status
```

<!-- BEGIN GENERATED: auths scim status -->
Show SCIM sync state for debugging

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--database-url <DATABASE_URL></code></td><td>—</td><td>PostgreSQL connection URL</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Output as JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths scim status -->

---

## Configuration

### auths config set

```bash
auths config set <KEY> <VALUE>
```

<!-- BEGIN GENERATED: auths config set -->
Set a configuration value (e.g. `auths config set passphrase.cache always`)

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><KEY></code></td><td>—</td><td>Dotted key path (e.g. `passphrase.cache`, `passphrase.duration`)</td></tr>
<tr><td><code><VALUE></code></td><td>—</td><td>Value to assign</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths config set -->

---

### auths config get

```bash
auths config get <KEY>
```

<!-- BEGIN GENERATED: auths config get -->
Get a configuration value (e.g. `auths config get passphrase.cache`)

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><KEY></code></td><td>—</td><td>Dotted key path</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths config get -->

---

### auths config show

```bash
auths config show
```

<!-- BEGIN GENERATED: auths config show -->
Show the full configuration

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths config show -->

---

## Approval

### auths approval list

```bash
auths approval list
```

<!-- BEGIN GENERATED: auths approval list -->
List pending approval requests

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths approval list -->

---

### auths approval grant

```bash
auths approval grant
```

<!-- BEGIN GENERATED: auths approval grant -->
Grant approval for a pending request

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--request <REQUEST></code></td><td>—</td><td>The request hash to approve (hex-encoded)</td></tr>
<tr><td><code>--note <NOTE></code></td><td>—</td><td>Optional note for the approval</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths approval grant -->

---

## Artifact

### auths artifact sign

```bash
auths artifact sign <FILE>
```

<!-- BEGIN GENERATED: auths artifact sign -->
Sign an artifact file with your Auths identity

<div class="flags-container">
<input type="checkbox" id="flags-FILE" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><FILE></code></td><td>—</td><td>Path to the artifact file to sign.</td></tr>
<tr><td><code>--sig-output <PATH></code></td><td>—</td><td>Output path for the signature file. Defaults to <FILE>.auths.json</td></tr>
<tr><td><code>--identity-key-alias <IDENTITY_KEY_ALIAS></code></td><td>—</td><td>Local alias of the identity key. Omit for device-only CI signing. [aliases: --ika]</td></tr>
<tr><td><code>--device-key-alias <DEVICE_KEY_ALIAS></code></td><td>—</td><td>Local alias of the device key (used for dual-signing). [aliases: --dka]</td></tr>
<tr><td><code>--expires-in-days <N></code></td><td>—</td><td>Number of days until the signature expires [aliases: --days]</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--note <NOTE></code></td><td>—</td><td>Optional note to embed in the attestation</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags-FILE" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths artifact sign -->

---

### auths artifact verify

```bash
auths artifact verify <FILE>
```

<!-- BEGIN GENERATED: auths artifact verify -->
Verify an artifact's signature against an Auths identity

<div class="flags-container">
<input type="checkbox" id="flags-FILE" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><FILE></code></td><td>—</td><td>Path to the artifact file to verify.</td></tr>
<tr><td><code>--signature <PATH></code></td><td>—</td><td>Path to the signature file. Defaults to <FILE>.auths.json</td></tr>
<tr><td><code>--identity-bundle <IDENTITY_BUNDLE></code></td><td>—</td><td>Path to identity bundle JSON (for CI/CD stateless verification)</td></tr>
<tr><td><code>--witness-receipts <WITNESS_RECEIPTS></code></td><td>—</td><td>Path to witness receipts JSON file</td></tr>
<tr><td><code>--witness-keys <WITNESS_KEYS>...</code></td><td>—</td><td>Witness public keys as DID:hex pairs (e.g., "did:key:z6Mk...:abcd1234...")</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--witness-threshold <WITNESS_THRESHOLD></code></td><td><code>1</code></td><td>Witness quorum threshold (default: 1)</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags-FILE" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths artifact verify -->

---

### auths artifact publish

```bash
auths artifact publish
```

<!-- BEGIN GENERATED: auths artifact publish -->
Publish a signed artifact attestation to a registry

<div class="flags-container">
<input type="checkbox" id="flags---signatureSIGNATURE" class="flags-state">
<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>--signature <SIGNATURE></code></td><td>—</td><td>Path to the .auths.json signature file created by `auths artifact sign`</td></tr>
<tr><td><code>--package <PACKAGE></code></td><td>—</td><td>Package identifier for registry indexing (e.g., npm:react@18.3.0)</td></tr>
<tr><td><code>--registry <REGISTRY></code></td><td><code>https://auths-registry.fly.dev</code></td><td>Registry URL to publish to</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
</tbody>
<tbody class="flags-overflow">
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<label for="flags---signatureSIGNATURE" class="flags-toggle"><span class="flags-show">Show all flags</span><span class="flags-hide">Show less</span></label>
</div>
<!-- END GENERATED: auths artifact publish -->

---

## Completions

### auths completions

```bash
auths completions <SHELL>
```

<!-- BEGIN GENERATED: auths completions -->
Generate shell completions

<table>
<thead><tr><th>Flag</th><th>Default</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code><SHELL></code></td><td>—</td><td>The shell to generate completions for</td></tr>
<tr><td><code>--json</code></td><td>—</td><td>Emit machine-readable JSON</td></tr>
<tr><td><code>-q, --quiet</code></td><td>—</td><td>Suppress non-essential output</td></tr>
<tr><td><code>--repo <REPO></code></td><td>—</td><td>Override the local storage directory (default: ~/.auths)</td></tr>
</tbody>
</table>
<!-- END GENERATED: auths completions -->