
broker-ctl CLI

Top-level command reference, captured from broker-ctl itself. Run any subcommand with --help for its flags.

broker-ctl — infrabroker configuration management

Usage:
  broker-ctl [--config f] [--client-config f] <command> [args]

Commands:
  broker-ctl host add      [flags]                          Add or update a host
  broker-ctl host list     [--remote]                       List configured hosts (--remote: live from the signer, mTLS)
  broker-ctl host remove   <name>                           Remove a host
  broker-ctl ca-keys add   --name <n> [flags]               Add or update a CA key entry
  broker-ctl ca-keys list                                   List configured CA keys
  broker-ctl ca-keys remove <name>                          Remove a CA key entry
  broker-ctl callers add   --name <cn> [flags]              Add or update a caller
  broker-ctl callers list                                   List configured callers
  broker-ctl callers remove <cn>                            Remove a caller
  broker-ctl reload        [flags]                          Reload the signer
  broker-ctl approval list  [flags]                         List approval requests
  broker-ctl approval allow <id> [--learn --ttl 2h]         Approve a request (--learn waives re-approval for the TTL)
  broker-ctl approval deny  <id> [flags]                    Deny a request
  broker-ctl audit tail    --log <f> [-n N]                 Follow audit log in real time
  broker-ctl audit show    --log <f> [filters]              Search and filter log entries
  broker-ctl audit verify  --log <f> [--key seed]           Verify chain integrity
  broker-ctl audit repair  --log <f> [--apply --key seed]   Quarantine a torn final record so the signer can boot
  broker-ctl policy explain --host <n> [--command c]        Show a host's composed command policy
  broker-ctl policy recommend --audit <f> [filters]         Suggest policy changes from the audit log
  broker-ctl policy add     --host <n> --allow <regex>      Add a command-policy allow rule (signer API, mTLS)
  broker-ctl policy remove  --host <n> --allow <regex>      Remove a command-policy allow rule
  broker-ctl policy grant   --host <n> --allow <regex> [--ttl 2h]  Create a runtime, expiring grant (signer API, mTLS)
  broker-ctl policy grants  [--json]                        List active runtime grants
  broker-ctl policy revoke  <grant-id>                      Revoke a runtime grant
  broker-ctl cluster list  --remote                         List Kubernetes clusters live from the signer (mTLS)
  broker-ctl version       [--verbose]                      Print the build version

Global options:
  --config         Path to signer.json (default: ./signer.json), before the subcommand
  --client-config  Path to the client parameters file for the remote commands
  --version        Print the build version and exit (--verbose for details)

Client parameters (remote commands: reload, policy add/remove/grant/grants/revoke,
approval, host list --remote):
  Per-parameter precedence: flag > env var > client config file > default.
  File search order: --client-config, $BROKER_CTL_CONFIG,
  ~/.config/broker-ctl/config.json, /etc/infrabroker/broker-ctl.json (the current
  working directory is not searched; use --client-config for a local file).
  Sections "signer" and "control_plane", each with url/cert/key/ca (see broker-ctl.example.json).
  Env vars: BROKER_CTL_SIGNER_{URL,CERT,KEY,CA}, BROKER_CTL_CP_{URL,CERT,KEY,CA}.
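The client-parameter rules above, modelled in Python as an added illustration (not broker-ctl's own code), to show which source ends up supplying each mTLS parameter. The JSON layout (top-level "signer" and "control_plane" objects), first-existing-file-wins search, and the `flags` dict keyed by (section, key) are assumptions; the page does not name the per-parameter flags or the defaults.

```python
import json
import os
from pathlib import Path

# Section name -> env var prefix, as listed in the help text.
SECTIONS = {"signer": "BROKER_CTL_SIGNER", "control_plane": "BROKER_CTL_CP"}
KEYS = ("url", "cert", "key", "ca")


def find_client_config(flag_path=None, env=os.environ, home=None):
    """Return the first existing file in the documented search order, or None."""
    home = Path(home or Path.home())
    candidates = [
        flag_path,                                 # --client-config
        env.get("BROKER_CTL_CONFIG"),              # $BROKER_CTL_CONFIG
        home / ".config/broker-ctl/config.json",
        Path("/etc/infrabroker/broker-ctl.json"),
    ]
    for c in candidates:                           # the cwd is never a candidate
        if c and Path(c).is_file():
            return Path(c)
    return None


def resolve(flags=None, env=os.environ, config_path=None, defaults=None):
    """Map (section, key) -> (value, source): flag > env var > file > default."""
    flags, defaults = flags or {}, defaults or {}
    file_cfg = json.loads(Path(config_path).read_text()) if config_path else {}
    out = {}
    for section, prefix in SECTIONS.items():
        for key in KEYS:
            env_name = f"{prefix}_{key.upper()}"
            if (section, key) in flags:            # hypothetical flag mapping
                out[section, key] = (flags[section, key], "flag")
            elif env.get(env_name):
                out[section, key] = (env[env_name], f"env:{env_name}")
            elif key in file_cfg.get(section, {}):
                out[section, key] = (file_cfg[section][key], f"file:{config_path}")
            else:                                  # real defaults are not on the page
                out[section, key] = (defaults.get((section, key)), "default")
    return out


if __name__ == "__main__":
    # Constructed environment: one env override, no config file.
    demo_env = {"BROKER_CTL_SIGNER_URL": "https://signer.example:8443"}
    for (section, key), (value, source) in resolve(env=demo_env).items():
        print(f"{section}.{key} = {value!r}  [{source}]")
```

Because resolution is per parameter, a single exported BROKER_CTL_SIGNER_CA or BROKER_CTL_SIGNER_URL replaces that one value while the rest still come from the file, so check the environment as well as the file when auditing which signer and trust anchor a remote command will use.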