
CLI Reference

orlojctl is the command-line interface for managing Orloj resources, running tasks, and inspecting system state.

For server and worker daemon flags, see Server Flags. For load-test and alert-check tools, see Internal Tools.

Usage patterns

orlojctl apply -f <file-or-directory> [--run] [--dry-run] [--namespace <ns>]
orlojctl validate -f <file|dir>
orlojctl create secret <name> --from-literal key=value [...]
orlojctl create token <name> --role <role>
orlojctl seal public-key
orlojctl seal secret -f <secret-manifest> [--out <file>] [--stdout]
orlojctl seal secret <name> --from-literal key=value [...] [--out <file>] [--stdout]
orlojctl approve tool-approval|task-approval <name> [--decided-by <id>] [--comment <text>]
orlojctl deny tool-approval|task-approval <name> [--decided-by <id>] [--comment <text>]
orlojctl request-changes task-approval <name> --decided-by <id> --comment <text>
orlojctl get [-w] <resource> [name] [-o table|json|yaml]
orlojctl get tokens
orlojctl get memory-entries <memory-name> [--query <q>] [--prefix <p>] [--limit <n>]
orlojctl memory-entries <memory-name> [--query <q>] [--prefix <p>] [--limit <n>]
orlojctl delete <resource> <name>
orlojctl delete token <name>
orlojctl describe <resource> <name>
orlojctl edit <resource> <name>
orlojctl diff -f <file-or-directory> [--namespace <ns>]
orlojctl wait <resource>/<name> --for condition=<value> [--timeout <duration>]
orlojctl cancel task <name> [--reason <text>]
orlojctl retry task <name> [--with-overrides key=value ...]
orlojctl top workers|tasks
orlojctl run --system <name> [key=value ...]
orlojctl init <name> [--blueprint pipeline|hierarchical|swarm-loop]
orlojctl logs <agent-name>|task/<task-name>
orlojctl trace task <task-name>
orlojctl graph system|task <name>
orlojctl events [filters...]
orlojctl messages task/<task-name> [--agent <name>] [-o table|json|yaml]
orlojctl metrics task/<task-name> [-o table|json|yaml]
orlojctl health [-o table|json|yaml]
orlojctl status [-o table|json|yaml]
orlojctl completion bash|zsh|fish
orlojctl auth whoami [--server URL]
orlojctl admin create-user <username> --role <role>
orlojctl admin list-users
orlojctl admin delete-user <username>
orlojctl admin reset-password --username <name> --new-password <value>
orlojctl config path|get|use <name>|set-profile <name> [--server URL] [--token value] [--token-env NAME]

Global Auth and Server Resolution

  • Global auth flag: --api-token <token>
  • Global namespace flag: --namespace <ns> or -n <ns> (applies default namespace to namespace-aware commands)
  • Version command: orlojctl version (also -version, --version)
  • Token precedence:
    1. --api-token
    2. ORLOJCTL_API_TOKEN
    3. ORLOJ_API_TOKEN
    4. Active profile token, then token_env
  • Default server precedence when --server is omitted:
    1. ORLOJCTL_SERVER
    2. ORLOJ_SERVER
    3. Active profile server
    4. http://127.0.0.1:8080
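The precedence rules above decide which credential and which server a command actually uses, so a stale environment variable can silently override the active profile. The following is an added example, not orlojctl code: it mirrors the documented order, reports only the source of the token, and flags a resolved server that would carry the bearer token over plain HTTP to a non-loopback host. Passing the profile fields as arguments and treating empty values as unset are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not orlojctl code). Assumption: empty values count as unset.

# token_source FLAG_TOKEN PROFILE_TOKEN PROFILE_TOKEN_ENV
# Prints where the token would come from; never prints the token itself.
token_source() {
  if [ -n "$1" ]; then echo "flag:--api-token"
  elif [ -n "${ORLOJCTL_API_TOKEN:-}" ]; then echo "env:ORLOJCTL_API_TOKEN"
  elif [ -n "${ORLOJ_API_TOKEN:-}" ]; then echo "env:ORLOJ_API_TOKEN"
  elif [ -n "$2" ]; then echo "profile:token"
  elif [ -n "$3" ] && [ -n "$(printenv "$3" 2>/dev/null)" ]; then
    echo "profile:token_env:$3"
  else
    echo "none"; return 1
  fi
}

# resolve_server PROFILE_SERVER: URL used when --server is omitted.
resolve_server() {
  if [ -n "${ORLOJCTL_SERVER:-}" ]; then echo "$ORLOJCTL_SERVER"
  elif [ -n "${ORLOJ_SERVER:-}" ]; then echo "$ORLOJ_SERVER"
  elif [ -n "$1" ]; then echo "$1"
  else echo "http://127.0.0.1:8080"
  fi
}

# cleartext_risk URL: succeeds (0) when a bearer token sent to URL would
# cross the network unencrypted, i.e. http:// to a non-loopback host.
cleartext_risk() {
  case $1 in
    https://*) return 1 ;;
    http://*@*) return 0 ;;   # userinfo can disguise the real host
    http://127.0.0.1|http://127.0.0.1[:/]*) return 1 ;;
    http://localhost|http://localhost[:/]*) return 1 ;;
    'http://[::1]'|'http://[::1]'[:/]*) return 1 ;;
    http://*) return 0 ;;
    *) return 1 ;;
  esac
}
```
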

orlojctl apply

Flag         Default                    Description
-f           none                       Path to a manifest file or directory (required).
--run        false                      Include runnable Task manifests when -f points to a directory.
--dry-run    false                      Preview create/update/no-op actions without persisting.
--namespace  global namespace (if set)  Optional namespace override for manifests lacking metadata.namespace.
-n           global namespace (if set)  Shorthand for --namespace.
--server     resolved server            API server URL.

  • File: applies that manifest.
  • Directory: walks recursively (skips .git dirs) and evaluates every .yaml, .yml, and .json file in sorted path order.
    • By default, runnable Task manifests (spec.mode: run or omitted mode) are skipped for safety.
    • Task manifests with spec.mode: template are always applied.
    • Pass --run to include runnable tasks during directory apply.
    • Failures are collected; the command exits with an error if any file failed.

Behavior matrix:

Command                        Runnable Task (spec.mode: run or omitted mode)  Template Task (spec.mode: template)  Other Kinds
orlojctl apply -f task.yaml    Applied                                         Applied                              Applied
orlojctl apply -f <dir>        Skipped                                         Applied                              Applied
orlojctl apply -f <dir> --run  Applied                                         Applied                              Applied

orlojctl validate

Parse and normalize manifests offline (no API server, no orlojctl config file required). Use in CI or before apply to catch schema and normalization errors early.

Flag  Default  Description
-f    none     Path to a manifest file or a directory (required).

  • File: validates that one manifest.
  • Directory: walks recursively (skips .git dirs) and validates every .yaml, .yml, and .json file.
  • Exit code: 0 if every file is valid; 1 if any file fails. Failed files are listed with path and error on stdout.

Examples:

orlojctl validate -f agent.yaml
orlojctl validate -f ./manifests/

orlojctl create secret

Flag            Default          Description
--from-literal  none             Repeatable key=value pair; at least one required.
--namespace     default          Secret namespace.
-n              default          Shorthand for --namespace.
--server        resolved server  API server URL.

orlojctl create token

Flag      Default          Description
--role    none             Token role (admin, writer, reader, controller). Required.
--server  resolved server  API server URL.

orlojctl seal

Git-safe secret workflow commands:

  • orlojctl seal public-key -- fetch the active control-plane sealing public key from GET /v1/sealing-key/public
  • orlojctl seal secret -f <secret-manifest> -- read a normal Secret manifest, fetch the active public key, and write <name>.sealed.yaml by default
  • orlojctl seal secret <name> --from-literal key=value [...] -- build a transient Secret locally, seal it, and write <name>.sealed.yaml without creating an intermediate plaintext manifest

seal secret does not talk to workers. The generated SealedSecret is later applied through the normal resource API.

By default, seal secret writes YAML to a file:

  • with -f secret.yaml, the default output is secret.sealed.yaml next to the source file
  • with inline --from-literal, the default output is <name>.sealed.yaml in the current directory

Useful flags:

Flag              Default                      Description
-f                none                         Path to an existing Secret manifest.
--from-literal    none                         Repeatable key=value pair used to build a transient Secret locally.
-o / --out        auto-generated path          Explicit output path for the generated SealedSecret manifest.
--stdout          false                        Print the generated manifest to stdout instead of writing a file.
--format          yaml                         Output format: yaml or json.
--namespace / -n  global namespace or default  Namespace override for sealed secrets generated from literals or manifests.

Examples:

# Seal an existing Secret manifest into secret.sealed.yaml
orlojctl seal secret -f secret.yaml
 
# Seal literals directly into payment-gateway.sealed.yaml
orlojctl seal secret payment-gateway \
  --from-literal api_key=sk-prod-123 \
  --from-literal org=acme
 
# Keep stdout for scripting
orlojctl seal secret -f secret.yaml --stdout
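The Git-safe workflow only holds if the plaintext source manifest never reaches the repository alongside its sealed counterpart. The following added example (not part of orlojctl) is a pre-commit style check that lists manifests still containing a plaintext Secret; it assumes manifests carry a `kind` field on its own line with the value Secret or SealedSecret, and it walks the tree the same way the directory apply is described.

```shell
#!/bin/sh
# Added example (not part of orlojctl). Assumptions: manifests carry a
# "kind" field on its own line, with the value Secret for plaintext
# secrets and SealedSecret for sealed ones.

# find_plaintext_secrets DIR: print manifests that still hold a plaintext
# Secret. Walks like the documented directory apply: recursive, skips .git,
# considers .yaml/.yml/.json, sorted path order.
find_plaintext_secrets() {
  find "$1" -name .git -prune -o -type f \
    \( -name '*.yaml' -o -name '*.yml' -o -name '*.json' \) -print |
  LC_ALL=C sort |
  while IFS= read -r f; do
    # Matches `kind: Secret` (YAML) and `"kind": "Secret",` (JSON);
    # `kind: SealedSecret` does not match.
    if grep -Eq '^[[:space:]]*"?kind"?[[:space:]]*:[[:space:]]*"?Secret"?[[:space:]]*,?[[:space:]]*(#.*)?$' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# check_no_plaintext_secrets DIR: exit status 1 if any are found.
check_no_plaintext_secrets() {
  found=$(find_plaintext_secrets "$1")
  [ -z "$found" ] && return 0
  printf 'plaintext Secret manifest, seal before committing:\n%s\n' "$found" >&2
  return 1
}
```

Call `check_no_plaintext_secrets ./manifests` from a pre-commit hook or CI step. Minified single-line JSON is not detected by this line-based match.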

orlojctl approve / orlojctl deny

Approves or denies a pending ToolApproval or TaskApproval:

  • orlojctl approve tool-approval <name> ...
  • orlojctl deny tool-approval <name> ...
  • orlojctl approve task-approval <name> ...
  • orlojctl deny task-approval <name> ...

Flag          Default                    Description
--server      resolved server            API server URL.
--namespace   global namespace (if set)  Optional namespace override.
-n            global namespace (if set)  Shorthand for --namespace.
--decided-by  empty                      Decision actor identity.
--comment     empty                      Optional reviewer comment.
--reason      empty                      Legacy alias for --comment.

orlojctl request-changes

Requests changes on a pending TaskApproval and reruns the producing agent with injected review.* context:

  • orlojctl request-changes task-approval <name> --decided-by reviewer@example.com --comment "Revise the disclaimer"

The command fails if the checkpoint disables request_changes or if the approval has already reached max_review_cycles.

Flag          Default                    Description
--server      resolved server            API server URL.
--namespace   global namespace (if set)  Optional namespace override.
-n            global namespace (if set)  Shorthand for --namespace.
--decided-by  empty                      Decision actor identity.
--comment     empty                      Required reviewer feedback unless you use the legacy --reason alias.
--reason      empty                      Legacy alias for --comment.

orlojctl get

Flag         Default                    Description
--server     resolved server            API server URL.
-w           false                      Watch mode (currently only supported for tasks).
-o           table                      Output format: table, json, yaml.
--namespace  global namespace (if set)  Optional namespace override/filter.
-n           global namespace (if set)  Shorthand for --namespace.

Supported resources:

  • agents
  • agent-systems
  • model-endpoints
  • tools
  • secrets
  • sealed-secrets
  • memories
  • agent-policies
  • agent-roles
  • tool-permissions
  • tool-approvals
  • task-approvals
  • tasks
  • task-schedules
  • task-webhooks
  • workers
  • mcp-servers
  • tokens

Notes:

  • orlojctl get <resource> [name] supports both list and single-resource fetch.
  • orlojctl get memory-entries <memory-name> ... delegates to memory entry inspection.

Examples (MCP servers):

# Apply an MCP server manifest
orlojctl apply -f mcp-server.yaml
 
# List all MCP servers
orlojctl get mcp-servers
 
# Get a specific MCP server
orlojctl get mcp-server my-server
 
# Delete an MCP server
orlojctl delete mcp-server my-server

See the Connect an MCP Server guide for full setup instructions.

orlojctl delete

Flag         Default                    Description
--server     resolved server            API server URL.
--namespace  global namespace (if set)  Optional namespace override for namespaced resources.
-n           global namespace (if set)  Shorthand for --namespace.

orlojctl run

Flag         Default                                  Description
--system     none                                     Target AgentSystem (required).
--server     resolved server                          API server URL.
--namespace  global namespace (if set), else default  Task namespace.
-n           global namespace (if set), else default  Shorthand for --namespace.
--poll       2s                                       Poll interval while waiting for task completion.
--timeout    5m                                       Max wait time for task completion.

Positional args after flags are parsed as key=value task input.

orlojctl events

Flag         Default                    Description
--server     resolved server            API server URL.
--since      0                          Resume stream from event id.
--source     empty                      Filter by event source.
--type       empty                      Filter by event type.
--kind       empty                      Filter by resource kind.
--name       empty                      Filter by resource name.
--namespace  global namespace (if set)  Filter by resource namespace.
-n           global namespace (if set)  Shorthand for --namespace.
--once       false                      Exit after first matching event.
--timeout    0                          Max stream time (0 means no timeout).
--raw        false                      Print raw event JSON payload.

orlojctl memory-entries

Inspect stored entries for a Memory resource.

Flag         Default                    Description
--server     resolved server            API server URL.
--query      empty                      Semantic query (q parameter).
--prefix     empty                      Key prefix filter (prefix parameter).
--limit      100                        Max entries returned.
-o           table                      Output format: table, json, yaml.
--namespace  global namespace (if set)  Optional namespace override.
-n           global namespace (if set)  Shorthand for --namespace.

orlojctl describe

Fetches a single resource and prints a human-readable summary plus YAML payload.

Flag         Default                    Description
--server     resolved server            API server URL.
--namespace  global namespace (if set)  Optional namespace override.
-n           global namespace (if set)  Shorthand for --namespace.
-o           table                      Output format: table, json, yaml.

orlojctl edit

Fetches a resource, opens it in $VISUAL/$EDITOR (vi fallback), and applies the edited manifest on save.

Flag         Default                    Description
--server     resolved server            API server URL.
--namespace  global namespace (if set)  Optional namespace override.
-n           global namespace (if set)  Shorthand for --namespace.

orlojctl diff

Shows a unified diff between live state and the provided manifest(s), using normalized resource payloads (runtime status fields excluded).

Flag         Default                    Description
-f           none                       Path to manifest file or directory (required).
--run        false                      Include runnable tasks when diffing directories.
--namespace  global namespace (if set)  Optional namespace override for manifests lacking metadata.namespace.
-n           global namespace (if set)  Shorthand for --namespace.
--server     resolved server            API server URL.

orlojctl wait

Polls a resource until a condition is met or the timeout is reached.

Flag         Default                    Description
--for        condition=Complete         Wait condition expression (condition=<phase-or-alias>).
--timeout    5m                         Maximum wait time.
--interval   2s                         Poll interval.
--server     resolved server            API server URL.
--namespace  global namespace (if set)  Optional namespace override.
-n           global namespace (if set)  Shorthand for --namespace.

Exit behavior:

  • Success when condition is satisfied.
  • Timeout exits with code 1.
  • Invalid usage/request errors exit with code 2.

orlojctl cancel task

Marks a non-terminal task as Failed through a task status update.

Flag         Default                     Description
--server     resolved server             API server URL.
--reason     task canceled via orlojctl  Failure reason recorded on task status.
--namespace  global namespace (if set)   Optional namespace override.
-n           global namespace (if set)   Shorthand for --namespace.

orlojctl retry task

Creates a new task from an existing terminal task spec.

Flag              Default                    Description
--server          resolved server            API server URL.
--with-overrides  none                       Repeatable key=value input overrides.
--namespace       global namespace (if set)  Optional namespace override.
-n                global namespace (if set)  Shorthand for --namespace.

orlojctl top

Quick operational summaries for task and worker state.

Flag         Default                    Description
--server     resolved server            API server URL.
-o           table                      Output format: table, json, yaml.
--namespace  global namespace (if set)  Optional namespace override/filter.
-n           global namespace (if set)  Shorthand for --namespace.

Targets:

  • orlojctl top workers
  • orlojctl top tasks

orlojctl messages

Inspect inter-agent task messages.

Flag         Default                    Description
--server     resolved server            API server URL.
--agent      empty                      Filter where from_agent or to_agent matches.
--phase      empty                      Lifecycle phase filter.
--limit      0                          Max messages returned (0 = no limit).
-o           table                      Output format: table, json, yaml.
--namespace  global namespace (if set)  Optional namespace override.
-n           global namespace (if set)  Shorthand for --namespace.

Target forms:

  • orlojctl messages task/<task-name>
  • orlojctl messages task <task-name>

orlojctl metrics

Inspect task message observability metrics.

Flag         Default                    Description
--server     resolved server            API server URL.
--phase      empty                      Lifecycle phase filter.
--limit      0                          Max message samples used (0 = no limit).
-o           table                      Output format: table, json, yaml.
--namespace  global namespace (if set)  Optional namespace override.
-n           global namespace (if set)  Shorthand for --namespace.

Target forms:

  • orlojctl metrics task/<task-name>
  • orlojctl metrics task <task-name>

orlojctl health

Checks /healthz.

Flag      Default          Description
--server  resolved server  API server URL.
-o        table            Output format: table, json, yaml.

orlojctl status

Composite status view using /healthz, /v1/auth/config, /v1/capabilities, /v1/workers, and /v1/namespaces.

Table output includes auth_mode, setup_required, and setup_token_required (from auth config; the last is true when ORLOJ_SETUP_TOKEN is set on the server). JSON/YAML snapshots include auth_setup_token_required.

Flag      Default          Description
--server  resolved server  API server URL.
-o        table            Output format: table, json, yaml.

orlojctl completion

Emits shell completion scripts.

Usage:

  • orlojctl completion bash
  • orlojctl completion zsh
  • orlojctl completion fish

orlojctl logs

Flag      Default          Description
--server  resolved server  API server URL.

orlojctl trace

Flag      Default          Description
--server  resolved server  API server URL.

orlojctl graph

Flag      Default          Description
--server  resolved server  API server URL.

orlojctl auth whoami

Returns the currently authenticated identity from /v1/auth/me.

Flag      Default          Description
--server  resolved server  API server URL.

orlojctl admin create-user

Flag      Default          Description
--role    reader           User role (admin, writer, reader, controller).
--server  resolved server  API server URL.

orlojctl admin list-users

Flag      Default          Description
--server  resolved server  API server URL.

orlojctl admin delete-user

Flag      Default          Description
--server  resolved server  API server URL.

orlojctl admin reset-password

Flag            Default          Description
--server        resolved server  API server URL.
--username      none             Target username (required).
--new-password  none             New password (required).

orlojctl config set-profile

Flag         Default  Description
--server     empty    Profile API server URL.
--token      empty    Profile bearer token (prefer --token-env for secrets).
--token-env  empty    Env var name read at runtime for token value.

Other config subcommands:

  • orlojctl config path: print config file path
  • orlojctl config get: print current config/profile data
  • orlojctl config use <name>: switch active profile

orlojctl init

Positional argument <name> is required. It sets both the output directory and the resource name prefix.

Flag         Default   Description
--blueprint  pipeline  Blueprint topology: pipeline, hierarchical, swarm-loop.

Command Discovery

Use help output as the authoritative source for your current build:

orlojctl help
go run ./cmd/orlojctl help
