CLI overview
There is one binary, basil. It is both the broker daemon and the client/operator CLI, split into
subcommands. The subcommands fall into two broad groups:
- Daemon & offline commands run the broker or work on config files directly (no running broker needed).
- Client commands connect to a running broker over its Unix socket and authorize by your kernel-attested uid/gid.
📝 The CLI cannot impersonate
Client commands take a global --socket <path> and are authorized by the caller's real uid/gid, read
from the kernel (SO_PEERCRED). Running the CLI as a different user is exactly what scopes a request to
that user's grants. Use systemd User=/Group= or runuser -u <svc> to act as a service identity.
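The authorization model described above, as an added Python sketch for Linux (it is not Basil's code): a server reads the peer's uid/gid from the kernel with SO_PEERCRED and ignores any identity the request body claims. The grants table, the request fields (`op`, `claimed_uid`) and the function names are hypothetical.

```python
import json
import os
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid_t pid, uid_t uid, gid_t gid

def peer_identity(conn):
    """Return (pid, uid, gid) of the peer as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)

def handle_request(conn, grants):
    """Read one JSON request and decide on the kernel-attested uid only."""
    request = json.loads(conn.recv(4096))
    _pid, uid, gid = peer_identity(conn)
    op = request.get("op")
    # Any identity field inside the request body is caller-controlled: ignored.
    return {"uid": uid, "gid": gid, "op": op,
            "allowed": op in grants.get(uid, set())}

def demo():
    """One process plays both ends; the 'client' claims another uid."""
    me = os.getuid()
    other = me + 1  # constructed uid standing in for a more privileged service
    grants = {me: {"status"}, other: {"status", "sign"}}  # hypothetical policy
    results = []
    for op in ("sign", "status"):
        server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            client.sendall(json.dumps({"op": op, "claimed_uid": other}).encode())
            results.append(handle_request(server, grants))
        finally:
            server.close()
            client.close()
    return me, results

if __name__ == "__main__":
    me, results = demo()
    for r in results:
        print(f"real uid {me}: {r['op']} -> {'allowed' if r['allowed'] else 'denied'}")
```

The `sign` request is denied even though the body claims the other uid, because the decision uses only the credentials the kernel attached to the socket.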
Daemon & offline commands
| Command | Purpose |
|---|---|
| basil agent | Run the broker daemon. |
| basil config init | First-run scaffolding: write a starter catalog + least-privilege policy + config. See First run. |
| basil config check | Pre-flight: validate catalog + policy, enforce capability requirements, and read-only probe the backend for declared keys. |
| basil bundle | Create, update, verify, review, and promote sealed credential bundles. See Unlock & the sealed bundle. |
| basil config explain | Offline policy dry-run: "would this be allowed, and why?" See Policy explain. |
| basil doctor | Preflight environment diagnostics before the daemon starts. See Doctor. |
Client & operator commands
These commands run against a live broker over --socket. They fall into:
- Status & probes: status, health, ready.
- Keys: new-key, import, import-set, rotate, list.
- Crypto: sign, verify, encrypt, decrypt.
- Secrets/values: get, set.
- Minting & identity: mint-jwt, mint-nats-user, sign-nats-jwt, issue-nats-creds, issue-cert.
- Admin (permission-gated): reload, explain, revoke.
The full table, with signatures, is in the command reference. What any invocation is allowed to do is bounded by the caller's identity and the policy.
Where to go next
- Command reference: every command with its flags and signatures.
- The policy: what a caller's identity is actually allowed to do.
- First run: scaffold a working config with basil config init.