broker-ctl CLI
Top-level command reference, captured from broker-ctl itself. Run any subcommand with --help for its flags.
broker-ctl — infrabroker configuration management
Usage:
broker-ctl [--config f] [--client-config f] <command> [args]
Commands:
  broker-ctl host add [flags]                                    Add or update a host
  broker-ctl host list [--remote]                                List configured hosts (--remote: live from the signer, mTLS)
  broker-ctl host remove <name>                                  Remove a host
  broker-ctl ca-keys add --name <n> [flags]                      Add or update a CA key entry
  broker-ctl ca-keys list                                        List configured CA keys
  broker-ctl ca-keys remove <name>                               Remove a CA key entry
  broker-ctl callers add --name <cn> [flags]                     Add or update a caller
  broker-ctl callers list                                        List configured callers
  broker-ctl callers remove <cn>                                 Remove a caller
  broker-ctl reload [flags]                                      Reload the signer
  broker-ctl approval list [flags]                               List approval requests
  broker-ctl approval allow <id> [--learn --ttl 2h]              Approve a request (--learn waives re-approval for the TTL)
  broker-ctl approval deny <id> [flags]                          Deny a request
  broker-ctl audit tail --log <f> [-n N]                         Follow audit log in real time
  broker-ctl audit show --log <f> [filters]                      Search and filter log entries
  broker-ctl audit verify --log <f> [--key seed]                 Verify chain integrity
  broker-ctl audit repair --log <f> [--apply --key seed]         Quarantine a torn final record so the signer can boot
  broker-ctl policy explain --host <n> [--command c]             Show a host's composed command policy
  broker-ctl policy recommend --audit <f> [filters]              Suggest policy changes from the audit log
  broker-ctl policy add --host <n> --allow <regex>               Add a command-policy allow rule (signer API, mTLS)
  broker-ctl policy remove --host <n> --allow <regex>            Remove a command-policy allow rule
  broker-ctl policy grant --host <n> --allow <regex> [--ttl 2h]  Create a runtime, expiring grant (signer API, mTLS)
  broker-ctl policy grants [--json]                              List active runtime grants
  broker-ctl policy revoke <grant-id>                            Revoke a runtime grant
  broker-ctl cluster list --remote                               List Kubernetes clusters live from the signer (mTLS)
  broker-ctl version [--verbose]                                 Print the build version
Global options:
  --config         Path to signer.json (default: ./signer.json), before the subcommand
  --client-config  Path to the client parameters file for the remote commands
  --version        Print the build version and exit (--verbose for details)
Client parameters (remote commands: reload, policy add/remove/grant/grants/revoke,
approval, host list --remote):
Per-parameter precedence: flag > env var > client config file > default.
File search order: --client-config, $BROKER_CTL_CONFIG,
~/.config/broker-ctl/config.json, /etc/infrabroker/broker-ctl.json (the current
working directory is not searched; use --client-config for a local file).
Sections "signer" and "control_plane", each with url/cert/key/ca (see broker-ctl.example.json).
Env vars: BROKER_CTL_SIGNER_{URL,CERT,KEY,CA}, BROKER_CTL_CP_{URL,CERT,KEY,CA}.
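
The precedence and file search rules above, as an added Python illustration (not broker-ctl's own code) that reports which source supplied each mTLS parameter. Assumptions: the first existing file wins and files are not merged, empty values count as unset, and flags arrive as an already-parsed dict because the help text does not name the individual flags; all sample values are constructed.

```python
import os
from pathlib import Path

PARAMS = ("url", "cert", "key", "ca")
# Config-file section -> env var prefix, both as listed in the help text.
SECTIONS = {"signer": "BROKER_CTL_SIGNER_", "control_plane": "BROKER_CTL_CP_"}

def find_config(explicit, env, home, exists=os.path.isfile):
    """First existing candidate wins (assumption); the CWD is never a candidate."""
    candidates = [
        explicit,                          # --client-config
        env.get("BROKER_CTL_CONFIG"),      # $BROKER_CTL_CONFIG
        str(Path(home) / ".config/broker-ctl/config.json"),
        "/etc/infrabroker/broker-ctl.json",
    ]
    return next((c for c in candidates if c and exists(c)), None)

def resolve(flags, env, file_cfg, defaults):
    """Per parameter: flag > env var > client config file > default.
    Returns {section: {param: (value, source)}} so each source is auditable."""
    out = {}
    for section, prefix in SECTIONS.items():
        out[section] = {}
        for p in PARAMS:
            layers = (
                ("flag", flags.get(section, {}).get(p)),
                ("env", env.get(prefix + p.upper())),
                ("file", file_cfg.get(section, {}).get(p)),
                ("default", defaults.get(section, {}).get(p)),
            )
            # Empty values count as unset (assumption).
            out[section][p] = next(((v, s) for s, v in layers if v), (None, "unset"))
    return out

def demo():
    """Constructed inputs: URL from a flag, cert from the environment, rest from file."""
    flags = {"signer": {"url": "https://signer.example.internal:8443"}}
    env = {"BROKER_CTL_SIGNER_CERT": "/run/secrets/ops.crt"}
    file_cfg = {"signer": {"url": "https://old.example.internal",
                           "cert": "/etc/infrabroker/ops.crt",
                           "key": "/etc/infrabroker/ops.key",
                           "ca": "/etc/infrabroker/ca.crt"}}
    return resolve(flags, env, file_cfg, {})

if __name__ == "__main__":
    for name, (value, source) in demo()["signer"].items():
        print(f"signer.{name}: {source}")
```

Because each parameter resolves independently, a single leftover environment variable can swap the client certificate while the URL, key and CA still come from the file, so the per-parameter source is worth checking when an mTLS call fails or reaches an unexpected endpoint.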