grafos provider
Provider readiness + cell management. Operator surface.
grafos provider
Manage cloud providers and their cells. `list`, `status`, `init`, `doctor`, `teardown`, `revoke`, `mint-bootstrap-token`, and `conformance` cover the full lifecycle: onboarding a provider, bringing up a cell, checking health, rotating identity, and tearing down when you're done
Usage: grafos provider [OPTIONS] <COMMAND>
Commands:
list  Show every provider this fabric recognises with its readiness state, disabled reason (if any), ownership modes, and cell rollup. Hits the orchestrator's `/api/v1/providers` endpoint — surfaces the same set the orchestrator uses to admit / refuse provider work
status  Show one provider's connector status, registered cells, readiness, and last conformance result. Same data source as `provider list` but narrowed to a single provider with per-cell detail (provider/cell_id/url/health/heartbeat freshness) so operators can drill in without parsing the full list
init  Productized provider onboarding entry point. Dispatches to the matching `grafos cloud connect <provider>` machinery for AWS, GCP, and Azure. Customer-facing surface is stable — shell scripts pinned to `grafos provider init <cloud>` don't break across releases
doctor  Run live health checks against a provider and print stable failure markers. Combines:
  * scheduler-side checks (orchestrator reachable, `/api/v1/providers` reachable, this provider not `disabled`, cell rollup non-zero, no fenced cells); and
  * provider-specific probes when available (delegating to `cloud doctor aws` for AWS, etc.).
  Markers match the orchestrator's refusal vocabulary (`PROVIDER_NOT_ENABLED`, `NO_ELIGIBLE_PROVIDER_CELL`, `SCHEDULER_UNREACHABLE`, `PROVIDER_NO_CELLS`, …) so dashboards / shell scripts / the orchestrator agree on terminology. Exits non-zero on any FAIL
teardown  Stop customer-owned cells and remove local records ONLY after provider-side teardown succeeds. Wraps the matching `cloud teardown <p>` machinery. `--dry-run` shows what would be terminated without touching any cloud resource
revoke  Revoke a provider cell's identity at the scheduler so future register/heartbeat/work-poll/complete calls from that cell fail closed with `cell_identity_revoked`. The revoke is durable across orchestrator restart. `--reason` is free-form, surfaced in audit. Use `--no-drain` to fail-close in-flight work instead of letting it complete (default `--drain` honors the existing per-lease drain policy)
mint-bootstrap-token  Mint a one-use provider bootstrap token. FabricAdmin-gated POST to `/api/v1/cells/bootstrap/tokens`. Prints the token, expiry, and the exact `grafos cloud bootstrap-cell` invocation for the cell host to consume. The customer-owned flow calls this directly; the Tenura-hosted flow uses the equivalent `/v1/provider-bootstrap/tokens` on the Tenura account API. `provider init <cloud> --scheduler <url>` calls this under the hood for end-to-end onboarding
conformance  Read provider conformance evidence. `show <provider>` fetches the latest schema-v1 record from `/api/v1/providers/<p>/conformance`; `run <provider>` posts a fresh record produced by the per-cloud shell harness
help  Print this message or the help of the given subcommand(s)
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--json Output in JSON format for scripting
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider list
Show every provider this fabric recognises with its readiness state, disabled reason (if any), ownership modes, and cell rollup. Hits the orchestrator's `/api/v1/providers` endpoint — surfaces the same set the orchestrator uses to admit / refuse provider work
Usage: grafos provider list [OPTIONS]
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--scheduler <SCHEDULER> Override the scheduler URL. Same context-awareness rule as `grafos fabric *`: this flag wins, then the `GRAFOS_SCHEDULER` env var, then the Tenura-hosted credentials. `provider list` requires an orchestrator (a cell-mode scheduler doesn't see the full provider universe and will return 404)
[env: GRAFOS_SCHEDULER=]
--bearer <BEARER> FabricAdmin bearer token (alternative to --cert/--key/--ca when the orchestrator is in mtls+token / token mode)
[env: GRAFOS_BEARER=]
--cert <CERT> Client certificate (PEM) for mTLS to the orchestrator. Pair with --key + --ca; same auth surface used by `grafos cloud connect` and `grafos admin`
[env: GRAFOS_CERT=]
--wide Show additional columns in table output
--key <KEY> Client private key (PEM) matching --cert
[env: GRAFOS_KEY=]
--no-color Disable color output
--ca <CA> CA bundle (PEM) used to verify the orchestrator's TLS cert. Required when the orchestrator is signed by a fabric CA not in the public WebPKI set
[env: GRAFOS_CA=]
--pool <POOL> Pool name (default: "default")
[default: default]
--enabled-only Hide disabled providers from the listing. Default keeps them visible so operators can see "azure isn't ready yet, here's why."
--json Emit a stable JSON shape (`schema_version: 1`) the dashboard, agent skill, and CI can consume
-h, --help Print help
-V, --version Print version

grafos provider status
Show one provider's connector status, registered cells, readiness, and last conformance result. Same data source as `provider list` but narrowed to a single provider with per-cell detail (provider/cell_id/url/health/heartbeat freshness) so operators can drill in without parsing the full list
Usage: grafos provider status [OPTIONS] <PROVIDER>
Arguments: <PROVIDER> Provider id (`aws` | `gcp` | `azure` | `lab` | …). Anything outside `KNOWN_PROVIDERS` returns `disabled` with reason `unknown_provider`
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--scheduler <SCHEDULER> Orchestrator URL. Falls back to `GRAFOS_SCHEDULER`, then to the Tenura-hosted credentials when that context applies
[env: GRAFOS_SCHEDULER=]
--bearer <BEARER> FabricAdmin bearer token (alternative to --cert/--key/--ca when the orchestrator is in mtls+token / token mode)
[env: GRAFOS_BEARER=]
--cert <CERT> Client certificate (PEM) for mTLS to the orchestrator. Pair with --key + --ca; same auth surface used by `grafos cloud connect` and `grafos admin`
[env: GRAFOS_CERT=]
--wide Show additional columns in table output
--key <KEY> Client private key (PEM) matching --cert
[env: GRAFOS_KEY=]
--no-color Disable color output
--ca <CA> CA bundle (PEM) used to verify the orchestrator's TLS cert. Required when the orchestrator is signed by a fabric CA not in the public WebPKI set
[env: GRAFOS_CA=]
--pool <POOL> Pool name (default: "default")
[default: default]
--json
-h, --help Print help
-V, --version Print version

grafos provider init
Productized provider onboarding entry point. Dispatches to the matching `grafos cloud connect <provider>` machinery for AWS, GCP, and Azure. Customer-facing surface is stable — shell scripts pinned to `grafos provider init <cloud>` don't break across releases
Usage: grafos provider init [OPTIONS] <COMMAND>
Commands:
aws  AWS provider onboarding. Delegates to `grafos cloud connect aws` for the STS / role / region work, then — when `--scheduler` is set — mints a one-use provider bootstrap token via `provider mint-bootstrap-token` and prints the cell-host launch command. Without `--scheduler` it just prints the manual mint instructions; that's the fallback for operators who mint separately
gcp  GCP provider onboarding. Same shape as `Aws` — connector + optional mint
azure  Azure provider onboarding. Refuses with the same `provider_not_enabled` marker the orchestrator emits, so operator-facing tooling and orchestrator-facing tooling agree on whether azure is a real target today
local  Local provider onboarding (Linux host running the cell-agent in-process; ronald is the canonical target). Mints a bootstrap token, runs `cloud bootstrap-cell` to generate the keypair + exchange the CSR + write the identity dir, then either prints the `cloud cell-agent` command or writes a systemd unit. The operator runs `systemctl daemon-reload && systemctl enable --now grafos-cell-agent` to start the agent — we deliberately don't shell out to systemctl from this command (no privilege-escalation surface)
docker  Docker-host provider onboarding. Same shape as `Local` but the cell-agent runs in a container (the cell host IS the docker engine). Stubbed today — needs the container image + compose/run wrapper. Refuses fast
bare-metal  Bare-metal provider onboarding (e.g. a Pi5 cell, an off-fleet x86 host). Stubbed — needs a remote-launch path (SSH or tftp + cloud-init equivalent) that this thin wrapper doesn't have today. Refuses fast
help  Print this message or the help of the given subcommand(s)
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--json Output in JSON format for scripting
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider init aws
AWS provider onboarding. Delegates to `grafos cloud connect aws` for the STS / role / region work, then — when `--scheduler` is set — mints a one-use provider bootstrap token via `provider mint-bootstrap-token` and prints the cell-host launch command. Without `--scheduler` it just prints the manual mint instructions; that's the fallback for operators who mint separately
Usage: grafos provider init aws [OPTIONS] --mode <MODE>
Options: --fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--mode <MODE> Which cloud ownership mode to configure
Possible values:
- tenura-managed: User pays Tenura (included credits or paid balance). Tenura controls the AWS account, launches cells, meters usage, and tears down. Minimizes user setup
- customer-owned: User connects their own AWS account via an external-id IAM role + short-lived STS session. Tenura never stores long-lived AWS secrets; the per-run session expires automatically
--json Output in JSON format for scripting
--role-arn <ROLE_ARN> IAM role ARN the CLI will assume via STS (customer-owned mode). Ignored for `--mode tenura-managed`
--external-id <EXTERNAL_ID> External id the IAM role's trust policy expects (customer-owned mode)
--wide Show additional columns in table output
--no-color Disable color output
--regions <REGIONS> Comma-separated allowed regions. Defaults to `us-east-1`
[default: us-east-1]
--max-cost-usd <MAX_COST_USD> Per-run cost cap in USD (customer-owned mode). Omitted means the connector accepts any cost the pre-flight estimate returns
--pool <POOL> Pool name (default: "default")
[default: default]
--skip-verify Skip the live STS AssumeRole + GetCallerIdentity check. The resulting connector is recorded with `verified: false` and is NOT considered ready by `grafos cloud status` or the dashboard. Use only for offline/CI scenarios where a real AWS round-trip is impossible. Default behaviour verifies
--bootstrap-scheduler <BOOTSTRAP_SCHEDULER> Orchestrator URL the cell will register against. When set, `provider init` mints a bootstrap token here after the connector succeeds and prints the cell-host `bootstrap-cell` command. When omitted, the init command runs the connector and exits with manual-mint instructions
[env: GRAFOS_BOOTSTRAP_SCHEDULER=]
--bootstrap-bearer <BOOTSTRAP_BEARER> FabricAdmin bearer for the mint. Only needed when the orchestrator is in `--auth-mode mtls+token` or `token`; for `mtls`-only orchestrators pass `--bootstrap-cert` / `--bootstrap-key` instead
[env: GRAFOS_BOOTSTRAP_BEARER=]
--bootstrap-cert <BOOTSTRAP_CERT> [env: GRAFOS_BOOTSTRAP_CERT=]
--bootstrap-key <BOOTSTRAP_KEY> [env: GRAFOS_BOOTSTRAP_KEY=]
--bootstrap-ca <BOOTSTRAP_CA> [env: GRAFOS_BOOTSTRAP_CA=]
--bootstrap-cell-id <BOOTSTRAP_CELL_ID> Cell id the bootstrap token will encode. Required when minting; the cell host's exchange must present this id
--bootstrap-owner-mode <BOOTSTRAP_OWNER_MODE> Owner mode encoded on the bootstrap token. Defaults to `customer_owned` because productized init is the canonical customer-owned path
[default: customer_owned]
--bootstrap-ttl-secs <BOOTSTRAP_TTL_SECS> Token TTL in seconds. Defaults to 900 (15 min); the orchestrator caps at 1800 (30 min) per the design doc
[default: 900]
--no-bootstrap-mint Skip the bootstrap-mint step even when --bootstrap-scheduler is supplied. Useful for CI flows that connect the connector here and mint the token elsewhere
-h, --help Print help (see a summary with '-h')
-V, --version Print version

grafos provider init gcp
GCP provider onboarding. Same shape as `Aws` — connector + optional mint
Usage: grafos provider init gcp [OPTIONS]
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--project <PROJECT> GCP project id. Defaults to `gcloud config get-value project`
--json Output in JSON format for scripting
--region <REGION> Default region for cells provisioned through this connector
[default: us-east1]
--max-cost-usd <MAX_COST_USD> Optional cost cap in USD per provisioned cell
--wide Show additional columns in table output
--no-color Disable color output
--skip-verify Skip the live `gcloud auth list` + `gcloud projects describe` round-trip. The resulting connector is recorded with `verified=false` and is NOT considered ready
--bootstrap-scheduler <BOOTSTRAP_SCHEDULER> Orchestrator URL the cell will register against. When set, `provider init` mints a bootstrap token here after the connector succeeds and prints the cell-host `bootstrap-cell` command. When omitted, the init command runs the connector and exits with manual-mint instructions
[env: GRAFOS_BOOTSTRAP_SCHEDULER=]
--pool <POOL> Pool name (default: "default")
[default: default]
--bootstrap-bearer <BOOTSTRAP_BEARER> FabricAdmin bearer for the mint. Only needed when the orchestrator is in `--auth-mode mtls+token` or `token`; for `mtls`-only orchestrators pass `--bootstrap-cert` / `--bootstrap-key` instead
[env: GRAFOS_BOOTSTRAP_BEARER=]
--bootstrap-cert <BOOTSTRAP_CERT>
[env: GRAFOS_BOOTSTRAP_CERT=]
--bootstrap-key <BOOTSTRAP_KEY>
[env: GRAFOS_BOOTSTRAP_KEY=]
--bootstrap-ca <BOOTSTRAP_CA>
[env: GRAFOS_BOOTSTRAP_CA=]
--bootstrap-cell-id <BOOTSTRAP_CELL_ID> Cell id the bootstrap token will encode. Required when minting; the cell host's exchange must present this id
--bootstrap-owner-mode <BOOTSTRAP_OWNER_MODE> Owner mode encoded on the bootstrap token. Defaults to `customer_owned` because productized init is the canonical customer-owned path
[default: customer_owned]
--bootstrap-ttl-secs <BOOTSTRAP_TTL_SECS> Token TTL in seconds. Defaults to 900 (15 min); the orchestrator caps at 1800 (30 min) per the design doc
[default: 900]
--no-bootstrap-mint Skip the bootstrap-mint step even when --bootstrap-scheduler is supplied. Useful for CI flows that connect the connector here and mint the token elsewhere
-h, --help Print help
-V, --version Print version

grafos provider init azure
Azure provider onboarding. Refuses with the same `provider_not_enabled` marker the orchestrator emits, so operator-facing tooling and orchestrator-facing tooling agree on whether azure is a real target today
Usage: grafos provider init azure [OPTIONS]
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--json Output in JSON format for scripting
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider init local
Local provider onboarding (Linux host running the cell-agent in-process; ronald is the canonical target). Mints a bootstrap token, runs `cloud bootstrap-cell` to generate the keypair + exchange the CSR + write the identity dir, then either prints the `cloud cell-agent` command or writes a systemd unit. The operator runs `systemctl daemon-reload && systemctl enable --now grafos-cell-agent` to start the agent — we deliberately don't shell out to systemctl from this command (no privilege-escalation surface)
Usage: grafos provider init local [OPTIONS] --scheduler <SCHEDULER> --cell-id <CELL_ID>
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--scheduler <SCHEDULER> Orchestrator URL the cell will register against. The bootstrap-token mint AND the cell-agent's outbound register both target this URL
[env: GRAFOS_SCHEDULER=]
--cell-id <CELL_ID> Cell id encoded in the bootstrap token + the issued cert's URI SAN. Required: there's no good default because the operator must pick a value that doesn't collide with other cells in the fleet
--json Output in JSON format for scripting
--provider <PROVIDER> Provider tag. Default `lab` matches the Pi5/ronald convention; pass `docker` for docker-host fabrics or any other lowercase letters/digits/`-` value the orchestrator recognises
[default: lab]
--wide Show additional columns in table output
--no-color Disable color output
--owner-mode <OWNER_MODE> Owner mode encoded in the bootstrap token. Default `local_bootstrap` matches the on-disk durable record's default and is the right value for a ronald-style non-customer-owned local cell. Pass `customer_owned` if the cell is being provisioned for a paying tenant
[default: local_bootstrap]
--identity-dir <IDENTITY_DIR> Identity dir written by `cloud bootstrap-cell`. Default `~/.config/grafos/cell-identity` for user-mode setups; pass `/etc/grafos/cell-identity` (or similar) when installing as a system service. Mode 0700
--pool <POOL> Pool name (default: "default")
[default: default]
--scheduler-ca <SCHEDULER_CA> CA bundle path the cell-agent presents to the orchestrator's TLS layer. Same flag as `cell-agent --scheduler-ca`. When omitted the agent uses public WebPKI roots — fine for hosted Tenura, breaks for fabric-CA-only orchestrators
[env: GRAFOS_SCHEDULER_CA=]
--bootstrap-bearer <BOOTSTRAP_BEARER> Bootstrap-mint auth (FabricAdmin). For `--auth-mode=none` orchestrators (test/dev) leave these unset. For `mtls+token` / `mtls`-only deployments pass the FabricAdmin cert + key (and optional bearer); the same auth surface `provider revoke` and `provider mint-bootstrap-token` use
[env: GRAFOS_BOOTSTRAP_BEARER=]
--bootstrap-cert <BOOTSTRAP_CERT>
[env: GRAFOS_BOOTSTRAP_CERT=]
--bootstrap-key <BOOTSTRAP_KEY>
[env: GRAFOS_BOOTSTRAP_KEY=]
--bootstrap-ca <BOOTSTRAP_CA> CA bundle the mint POST uses to verify the orchestrator's TLS cert. When unset, defaults to `--scheduler-ca` since mint and exchange target the same orchestrator. Pass this only when the FabricAdmin auth surface lives behind a different trust anchor than the cell-agent registration surface (rare)
[env: GRAFOS_BOOTSTRAP_CA=]
--bootstrap-ttl-secs <BOOTSTRAP_TTL_SECS> Token TTL in seconds. Default 900 (15 min); orchestrator caps at 1800. The mint→bootstrap-cell chain runs in this process so the token is exchanged within seconds — 15 min is plenty
[default: 900]
--systemd-unit-out <SYSTEMD_UNIT_OUT> Path to write a systemd unit file. When supplied, the command writes a unit that runs `cloud cell-agent` pointed at the identity dir + the supplied scheduler. Operator finishes installation with `systemctl daemon-reload && systemctl enable --now <unit>`. When omitted, the command prints the `cloud cell-agent` shell invocation instead
--systemd-service-name <SYSTEMD_SERVICE_NAME> Service name embedded in the systemd unit. Defaults to `grafos-cell-agent`. Useful when running multiple cell agents on the same host (different cell ids)
[default: grafos-cell-agent]
--systemd-user <SYSTEMD_USER> User account the systemd unit runs as. Defaults to the `SUDO_USER` env var (set when init was launched via `sudo`), else `nobody` — so the generated unit never silently runs the cell agent as root. The identity dir must be readable by whichever user ends up in this field; pass an explicit value to override the default
--cell-url <CELL_URL> Local cell scheduler URL the cell-agent talks to. For a ronald-style host running grafos-scheduler in `--mode cell` on localhost:9100, this defaults to `http://127.0.0.1:9100`. The orchestrator never reaches this URL — it's only the cell-agent's local handoff
[default: http://127.0.0.1:9100]
--total-mem <TOTAL_MEM> Memory + CPU + node count the cell agent advertises on its outbound register. Defaults match the existing `cloud cell-agent` defaults for a ronald-class host
[default: 1073741824]
--available-mem <AVAILABLE_MEM>
[default: 1073741824]
--total-cpu <TOTAL_CPU>
[default: 4]
--available-cpu <AVAILABLE_CPU>
[default: 4]
--nodes <NODES>
[default: 1]
-h, --help Print help
-V, --version Print version

grafos provider init docker
Docker-host provider onboarding. Same shape as `Local` but the cell-agent runs in a container (the cell host IS the docker engine). Stubbed today — needs the container image + compose/run wrapper. Refuses fast
Usage: grafos provider init docker [OPTIONS]
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--json Output in JSON format for scripting
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider init bare-metal
Bare-metal provider onboarding (e.g. a Pi5 cell, an off-fleet x86 host). Stubbed — needs a remote-launch path (SSH or tftp + cloud-init equivalent) that this thin wrapper doesn't have today. Refuses fast
Usage: grafos provider init bare-metal [OPTIONS]
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--json Output in JSON format for scripting
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider doctor
Run live health checks against a provider and print stable failure markers. Combines:
  * scheduler-side checks (orchestrator reachable, `/api/v1/providers` reachable, this provider not `disabled`, cell rollup non-zero, no fenced cells); and
  * provider-specific probes when available (delegating to `cloud doctor aws` for AWS, etc.).
Markers match the orchestrator's refusal vocabulary (`PROVIDER_NOT_ENABLED`, `NO_ELIGIBLE_PROVIDER_CELL`, `SCHEDULER_UNREACHABLE`, `PROVIDER_NO_CELLS`, …) so dashboards / shell scripts / the orchestrator agree on terminology. Exits non-zero on any FAIL
Usage: grafos provider doctor [OPTIONS] [PROVIDER]
Arguments: [PROVIDER] Provider id to probe. Optional — when omitted the doctor runs scheduler-side checks against EVERY enabled provider the orchestrator returns from `/api/v1/providers`. Pinning a single provider also enables the provider-specific probes (e.g. AWS STS / cell-launch validation when `provider == aws`)
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--scheduler <SCHEDULER> Orchestrator URL. Falls back to `GRAFOS_SCHEDULER`, then to the Tenura-hosted credentials when that context applies
[env: GRAFOS_SCHEDULER=]
--bearer <BEARER> FabricAdmin bearer token (alternative to --cert/--key/--ca when the orchestrator is in mtls+token / token mode)
[env: GRAFOS_BEARER=]
--cert <CERT> Client certificate (PEM) for mTLS to the orchestrator. Pair with --key + --ca; same auth surface used by `grafos cloud connect` and `grafos admin`
[env: GRAFOS_CERT=]
--wide Show additional columns in table output
--key <KEY> Client private key (PEM) matching --cert
[env: GRAFOS_KEY=]
--no-color Disable color output
--ca <CA> CA bundle (PEM) used to verify the orchestrator's TLS cert. Required when the orchestrator is signed by a fabric CA not in the public WebPKI set
[env: GRAFOS_CA=]
--pool <POOL> Pool name (default: "default")
[default: default]
--skip-provider-probes Skip the per-provider deep probes (AWS STS, etc.) — only run the scheduler-side checks. Useful for fast preflight in CI or when the per-cloud SDKs aren't installed
--json
-h, --help Print help
-V, --version Print version

grafos provider teardown
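As an added example (not grafos code), the scheduler-side half of `provider doctor` written out in Python over a constructed `/api/v1/providers` response: the response field names (`providers`, `enabled`, `disabled_reason`, `cells`, `fenced`, `health`) and the check-to-marker mapping are assumptions, and `CELL_FENCED` is a hypothetical marker standing in for whichever code the real tool emits when a fenced cell is found. It covers both the single-provider form and the "every enabled provider" form of the command, and fails closed with `SCHEDULER_UNREACHABLE` when the fetch itself failed.

```python
"""Scheduler-side doctor checks over a /api/v1/providers response.

Added example, not grafos code.  Field names in the response and the
mapping from each check to a marker are assumptions; the marker names
(except CELL_FENCED) come from the `grafos provider doctor` help text.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Stable markers shared with the orchestrator's refusal vocabulary.
SCHEDULER_UNREACHABLE = "SCHEDULER_UNREACHABLE"
PROVIDER_NOT_ENABLED = "PROVIDER_NOT_ENABLED"
PROVIDER_NO_CELLS = "PROVIDER_NO_CELLS"
NO_ELIGIBLE_PROVIDER_CELL = "NO_ELIGIBLE_PROVIDER_CELL"
CELL_FENCED = "CELL_FENCED"  # hypothetical marker, not on the page


@dataclass(frozen=True)
class Finding:
    provider: str  # "*" for fabric-wide findings
    marker: str
    detail: str


# Constructed sample response; shape is an assumption.
SAMPLE_RESPONSE = json.loads("""
{
  "schema_version": 1,
  "providers": [
    {"provider": "aws", "enabled": true, "disabled_reason": null,
     "cells": [{"cell_id": "aws-1", "health": "healthy", "fenced": false},
               {"cell_id": "aws-2", "health": "healthy", "fenced": true}]},
    {"provider": "gcp", "enabled": true, "disabled_reason": null, "cells": []},
    {"provider": "lab", "enabled": true, "disabled_reason": null,
     "cells": [{"cell_id": "ronald", "health": "healthy", "fenced": true}]},
    {"provider": "azure", "enabled": false,
     "disabled_reason": "provider_not_enabled", "cells": []}
  ]
}
""")


def check_provider(entry: dict) -> list[Finding]:
    """Scheduler-side checks for one provider; no cloud SDK calls here."""
    name = entry.get("provider", "?")
    findings: list[Finding] = []
    if not entry.get("enabled", False):
        reason = entry.get("disabled_reason") or "disabled"
        findings.append(Finding(name, PROVIDER_NOT_ENABLED, reason))
        return findings  # a refused provider's cells are irrelevant
    cells = entry.get("cells") or []
    if not cells:
        findings.append(Finding(name, PROVIDER_NO_CELLS, "cell rollup is zero"))
        return findings
    eligible = 0
    for cell in cells:
        if cell.get("fenced"):
            findings.append(Finding(name, CELL_FENCED, f"cell {cell.get('cell_id')} is fenced"))
        elif cell.get("health") == "healthy":
            eligible += 1
    if eligible == 0:
        findings.append(Finding(name, NO_ELIGIBLE_PROVIDER_CELL,
                                f"{len(cells)} cell(s) recorded, none unfenced and healthy"))
    return findings


def run_doctor(response: Optional[dict], provider: Optional[str] = None) -> list[Finding]:
    """response=None models a failed GET; provider=None probes every enabled provider."""
    if response is None:
        return [Finding("*", SCHEDULER_UNREACHABLE, "GET /api/v1/providers failed")]
    entries = {e["provider"]: e for e in response.get("providers", [])}
    if provider is not None:
        entry = entries.get(provider)
        if entry is None:  # outside KNOWN_PROVIDERS: same refusal as `provider status`
            return [Finding(provider, PROVIDER_NOT_ENABLED, "unknown_provider")]
        return check_provider(entry)
    findings: list[Finding] = []
    for entry in entries.values():
        if entry.get("enabled", False):  # disabled providers are skipped in fleet mode
            findings.extend(check_provider(entry))
    return findings


def markers(findings: list[Finding]) -> list[str]:
    return [f.marker for f in findings]


def exit_code(findings: list[Finding]) -> int:
    """Non-zero on any FAIL, so CI and shell scripts can gate on it."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = run_doctor(SAMPLE_RESPONSE)
    for f in results:
        print(f"FAIL {f.provider} {f.marker} {f.detail}")
    print("OK" if not results else f"{len(results)} check(s) failed")
    raise SystemExit(exit_code(results))
```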
Stop customer-owned cells and remove local records ONLY after provider-side teardown succeeds. Wraps the matching `cloud teardown <p>` machinery. `--dry-run` shows what would be terminated without touching any cloud resource
Usage: grafos provider teardown [OPTIONS] <COMMAND>
Commands:
aws  AWS: tear down cells recorded in `.grafos/cloud/aws-cells.json`
gcp  GCP: tear down cells recorded in `.grafos/cloud/gcp-cells.json`
azure  Azure: refused with `provider_not_enabled` until the Azure connector + provisioner ships in a later 205.d slice
help  Print this message or the help of the given subcommand(s)
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--json Output in JSON format for scripting
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider teardown aws
AWS: tear down cells recorded in `.grafos/cloud/aws-cells.json`
Usage: grafos provider teardown aws [OPTIONS]
Options:
--cell-id <CELL_ID> Tear down only the cell with this id (matches `aws-cells.json:.cells[].cell_id`). Mutually exclusive with `--all`
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--all Tear down every recorded AWS cell
--json Output in JSON format for scripting
--dry-run Show what would be torn down without contacting AWS or touching local records. Reads `.grafos/cloud/aws-cells.json` directly. NOTE: dry-run reflects what the CLI has on disk; a cell that's been terminated out-of-band but still appears in the local file will be listed as a candidate. The live path is the source of truth
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider teardown gcp
GCP: tear down cells recorded in `.grafos/cloud/gcp-cells.json`
Usage: grafos provider teardown gcp [OPTIONS]
Options:
--cell-id <CELL_ID> GCP cell ids are integers (matching `gcp-cells.json:.cells[].cell_id`)
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--all
--json Output in JSON format for scripting
--dry-run
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider teardown azure
Azure: refused with `provider_not_enabled` until the Azure connector + provisioner ships in a later 205.d slice
Usage: grafos provider teardown azure [OPTIONS]
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--json Output in JSON format for scripting
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version

grafos provider revoke
Revoke a provider cell's identity at the scheduler so future register/heartbeat/work-poll/complete calls from that cell fail closed with `cell_identity_revoked`. The revoke is durable across orchestrator restart. `--reason` is free-form, surfaced in audit. Use `--no-drain` to fail-close in-flight work instead of letting it complete (default `--drain` honors the existing per-lease drain policy)
Usage: grafos provider revoke [OPTIONS] <PROVIDER> <CELL_ID>
Arguments:
<PROVIDER> Provider id (`aws` | `gcp` | `lab` | …)
<CELL_ID> Cell id (matches the `cell_id` shown by `provider status <p>` and `/api/v1/cells`). Required — there's no "revoke all" by design (the operator must be explicit)
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--reason <REASON> Free-form reason text recorded in the audit event. Defaults to `operator_requested` so the audit log always carries SOMETHING useful
[default: operator_requested]
--drain Default behavior — let in-flight leases / runs reach the existing drain policy. Pair with `--no-drain` to fail-close instead
--no-drain Cancel/fence in-flight work via the existing destructive-control-plane rules (matches the design doc's `drain=false` semantics)
--wide Show additional columns in table output
--no-color Disable color output
--scheduler <SCHEDULER> Orchestrator URL. Falls back to `GRAFOS_SCHEDULER`, then to the Tenura-hosted credentials when that context applies
[env: GRAFOS_SCHEDULER=]
--bearer <BEARER> FabricAdmin bearer token (alternative to --cert/--key/--ca when the orchestrator is in mtls+token / token mode)
[env: GRAFOS_BEARER=]
--pool <POOL> Pool name (default: "default")
[default: default]
--cert <CERT> Client certificate (PEM) for mTLS to the orchestrator. Pair with --key + --ca; same auth surface used by `grafos cloud connect` and `grafos admin`
[env: GRAFOS_CERT=]
--key <KEY> Client private key (PEM) matching --cert
[env: GRAFOS_KEY=]
--ca <CA> CA bundle (PEM) used to verify the orchestrator's TLS cert. Required when the orchestrator is signed by a fabric CA not in the public WebPKI set
[env: GRAFOS_CA=]
--json
-y, --yes Skip the interactive confirmation. Required when stdin is not a TTY (CI / scripts)
-h, --help Print help
-V, --version Print version

grafos provider mint-bootstrap-token
Mint a one-use provider bootstrap token. FabricAdmin-gated POST to `/api/v1/cells/bootstrap/tokens`. Prints the token, expiry, and the exact `grafos cloud bootstrap-cell` invocation for the cell host to consume. The customer-owned flow calls this directly; the Tenura-hosted flow uses the equivalent `/v1/provider-bootstrap/tokens` on the Tenura account API. `provider init <cloud> --scheduler <url>` calls this under the hood for end-to-end onboarding
Usage: grafos provider mint-bootstrap-token [OPTIONS] --provider <PROVIDER> --cell-id-hint <CELL_ID_HINT>
Options:
--fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--provider <PROVIDER> Provider id the bootstrap token is being minted for. Must match a Tenura-known provider name (`aws`, `gcp`, `lab`, …); typo'd values get refused with the same `provider_not_enabled` marker the orchestrator uses
--cell-id-hint <CELL_ID_HINT> Cell id encoded in the token. The cell agent's exchange must present this id; the SAN on the issued cert is `urn:fabricbios:cell:<provider>:<cell_id>`
--owner-mode <OWNER_MODE> Ownership mode for the cell being onboarded. Stable wire values: `tenura_managed`, `customer_owned`, `local_bootstrap`. Defaults to `customer_owned` because that's the canonical productized init mode
[default: customer_owned]
--wide Show additional columns in table output
--no-color Disable color output
--ttl-secs <TTL_SECS> Token lifetime in seconds. Default 900 (15 min) matches the design-doc default; the orchestrator caps at 1800 (30 min)
[default: 900]
--pool <POOL> Pool name (default: "default")
[default: default]
--scheduler <SCHEDULER> Orchestrator URL. Falls back to `GRAFOS_SCHEDULER`, then to the Tenura-hosted credentials when that context applies
[env: GRAFOS_SCHEDULER=]
--bearer <BEARER> FabricAdmin bearer token (alternative to --cert/--key/--ca when the orchestrator is in mtls+token / token mode)
[env: GRAFOS_BEARER=]
--cert <CERT> Client certificate (PEM) for mTLS to the orchestrator. Pair with --key + --ca; same auth surface used by `grafos cloud connect` and `grafos admin`
[env: GRAFOS_CERT=]
--key <KEY> Client private key (PEM) matching --cert
[env: GRAFOS_KEY=]
--ca <CA> CA bundle (PEM) used to verify the orchestrator's TLS cert. Required when the orchestrator is signed by a fabric CA not in the public WebPKI set
[env: GRAFOS_CA=]
--json Emit the mint response as JSON instead of the human-readable summary + bootstrap-cell command
-h, --help Print help
-V, --version Print version

grafos provider conformance
Read provider conformance evidence. `show <provider>` fetches the latest schema-v1 record from `/api/v1/providers/<p>/conformance`; `run <provider>` posts a fresh record produced by the per-cloud shell harness
Usage: grafos provider conformance [OPTIONS] <COMMAND>
Commands: show Show the latest evidence record for `<provider>`. Prints a human summary by default; `--json` emits the raw schema-v1 record. Refuses with `unknown_provider` when the provider is not in `KNOWN_PROVIDERS`
run Record-runner
help Print this message or the help of the given subcommand(s)
Options: --fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--json Output in JSON format for scripting
--wide Show additional columns in table output
--no-color Disable color output
--pool <POOL> Pool name (default: "default")
[default: default]
-h, --help Print help
-V, --version Print version
grafos provider conformance show
Show the latest evidence record for `<provider>`. Prints a human summary by default; `--json` emits the raw schema-v1 record. Refuses with `unknown_provider` when the provider is not in `KNOWN_PROVIDERS`
Usage: grafos provider conformance show [OPTIONS] <PROVIDER>
Arguments: <PROVIDER> Provider id (`aws` | `gcp` | `azure` | `lab`)
Options: --fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--scheduler <SCHEDULER> Orchestrator URL. Falls back to `GRAFOS_SCHEDULER`, then the Tenura-hosted credentials when that context applies
[env: GRAFOS_SCHEDULER=]
--bearer <BEARER> FabricObserver bearer token (alternative to --cert/--key/--ca when the orchestrator is in mtls+token / token mode)
[env: GRAFOS_BEARER=]
--cert <CERT> Client certificate (PEM) for mTLS to the orchestrator
[env: GRAFOS_CERT=]
--wide Show additional columns in table output
--key <KEY> Client private key (PEM) matching --cert
[env: GRAFOS_KEY=]
--no-color Disable color output
--ca <CA> CA bundle (PEM) used to verify the orchestrator's TLS cert
[env: GRAFOS_CA=]
--pool <POOL> Pool name (default: "default")
[default: default]
--json Emit the raw schema-v1 record (JSON) instead of the human summary table. Useful for piping into `jq` or feeding the dashboard
-h, --help Print help
-V, --version Print version
grafos provider conformance run
Record-runner.
Read a schema-v1 conformance record from `--record <path>`, validate it client-side (refuse fast on bad shape so the orchestrator never sees malformed bytes), POST it to `/api/v1/providers/<p>/conformance`, and print the per-axis PASS/PARTIAL/FAIL summary. Exits non-zero if `overall != PASS`. The `<provider>` arg MUST equal the record's `provider_id`; mismatch is a fatal arg error.
Per-cloud shell harnesses (`scripts/conformance-<p>.sh`) exercise each axis against a real backend, write the JSON record, and invoke this runner — which is the only FabricAdmin call site for the conformance endpoint that goes through the CLI's auth-gate machinery.
Usage: grafos provider conformance run [OPTIONS] --record <RECORD> <PROVIDER>
Arguments: <PROVIDER> Provider id (`aws` | `gcp` | `azure` | `lab`). MUST equal the record's `provider_id` field; mismatch refuses fast
Options: --fabric <FABRIC> Fabric address (host:port). Overrides GRAFOS_FABRIC env var
[env: GRAFOS_FABRIC=]
--record <RECORD> Path to the schema-v1 conformance record JSON. Use `-` to read from stdin (handy when chained off a per-cloud harness emitting JSON on stdout)
--scheduler <SCHEDULER> Orchestrator URL. Falls back to `GRAFOS_SCHEDULER`, then to the Tenura-hosted credentials when that context applies
[env: GRAFOS_SCHEDULER=]
--bearer <BEARER> FabricAdmin bearer token (alternative to --cert/--key/--ca when the orchestrator is in mtls+token / token mode)
[env: GRAFOS_BEARER=]
--wide Show additional columns in table output
--cert <CERT> Client certificate (PEM) for mTLS to the orchestrator
[env: GRAFOS_CERT=]
--no-color Disable color output
--key <KEY> Client private key (PEM) matching --cert
[env: GRAFOS_KEY=]
--pool <POOL> Pool name (default: "default")
[default: default]
--ca <CA> CA bundle (PEM) used to verify the orchestrator's TLS cert
[env: GRAFOS_CA=]
--json Emit the runner result as JSON instead of the human summary table. Includes the posted record, the orchestrator's response (recorded / idempotent / conflict), and the per-axis status array
-h, --help Print help (see a summary with '-h')
-V, --version Print version
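As an added example, not grafos's own code, the client-side pre-flight that the `run` description above spells out, written in Python over a constructed record: the `<provider>` arg must equal the record's `provider_id`, an unknown provider or a malformed record is refused before anything would be POSTed, the per-axis PASS/PARTIAL/FAIL summary is printed, and the exit status is zero only when `overall` is `PASS`. The field names other than `provider_id` and `overall` (`schema_version`, `axes[].name`, `axes[].status`), the exit code 2 for a refusal, and the rule that `overall` may not be more lenient than the worst axis are assumptions; the real schema-v1 layout is the orchestrator's. The POST itself is left out so the block runs offline.

```python
from __future__ import annotations

import json
import sys

# Provider ids accepted by `conformance run` (the <PROVIDER> arg on this page).
KNOWN_PROVIDERS = {"aws", "gcp", "azure", "lab"}
# Status vocabulary from the page, ordered from most to least lenient.
STATUSES = ("PASS", "PARTIAL", "FAIL")

# Constructed sample record. Only provider_id and overall are named on the page;
# schema_version and the axes[] layout are assumed for this example.
SAMPLE_RECORD = {
    "schema_version": 1,
    "provider_id": "aws",
    "overall": "PARTIAL",
    "axes": [
        {"name": "identity", "status": "PASS"},
        {"name": "heartbeat", "status": "PARTIAL"},
        {"name": "work_poll", "status": "PASS"},
    ],
}


class RecordError(ValueError):
    """Shape or arg error: refuse fast, before the orchestrator sees any bytes."""


def load_record(path: str) -> dict:
    """Read the record JSON; `-` reads stdin, mirroring `--record -`."""
    if path == "-":
        return json.load(sys.stdin)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def validate_record(record: dict, provider: str) -> list[tuple[str, str]]:
    """Client-side shape checks. Returns the per-axis (name, status) list."""
    if provider not in KNOWN_PROVIDERS:
        raise RecordError("unknown_provider")
    if not isinstance(record, dict) or record.get("schema_version") != 1:
        raise RecordError("bad_schema_version")  # assumed field
    if record.get("provider_id") != provider:
        raise RecordError("provider_id_mismatch")  # the documented fatal arg error
    overall = record.get("overall")
    if overall not in STATUSES:
        raise RecordError("bad_overall")
    axes = record.get("axes")
    if not isinstance(axes, list) or not axes:
        raise RecordError("no_axes")
    result = []
    for ax in axes:
        if not isinstance(ax, dict) or not isinstance(ax.get("name"), str):
            raise RecordError("bad_axis")
        if ax.get("status") not in STATUSES:
            raise RecordError(f"bad_axis_status:{ax['name']}")
        result.append((ax["name"], ax["status"]))
    # Assumed invariant: overall can be no more lenient than the worst axis.
    worst = max((s for _, s in result), key=STATUSES.index)
    if STATUSES.index(overall) < STATUSES.index(worst):
        raise RecordError("overall_inconsistent")
    return result


def refusal_reason(record: dict, provider: str) -> str | None:
    """Marker the record would be refused with, or None when it validates."""
    try:
        validate_record(record, provider)
    except RecordError as err:
        return str(err)
    return None


def run_record(record: dict, provider: str) -> int:
    """Validate, print the per-axis summary, and return the process exit code:
    0 when overall == PASS, 1 otherwise (documented), 2 on refusal (assumed)."""
    try:
        axes = validate_record(record, provider)
    except RecordError as err:
        print(f"REFUSED {err}", file=sys.stderr)
        return 2
    for name, status in axes:
        print(f"{name:<24} {status}")
    print(f"overall: {record['overall']}")
    return 0 if record["overall"] == "PASS" else 1


if __name__ == "__main__":
    # usage: python preflight.py <provider> <record-path-or->
    sys.exit(run_record(load_record(sys.argv[2]), sys.argv[1]))
```

Chaining off a harness works the same way as with the real runner: pipe its JSON to stdin and pass `-` as the record path; a refusal reaches stderr and the non-zero status stops the pipeline before any network call.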