Skip to main content

CLI Command Groups

This page catalogs the current public kt command surface. Use it when you need to find the right command family quickly, or when you want one high-level map of the documented CLI.

Bootstrap, auth, and diagnostics

CommandWhat it covers
kt initScaffold a starter policy-config.yaml and example tests for a new local project
kt auth loginSign in and store a reusable CLI session
kt auth logoutRemove stored session credentials for the active profile
kt auth whoamiShow the active identity and API access context
kt auth token createMint a scoped automation token backed by IAM role bindings
kt auth token listList issued auth tokens
kt auth token revokeRevoke a previously issued auth token
kt doctorReport API connectivity, config readability, state-directory access, and local supervisor records
kt config validateParse and validate a declarative gateway configuration without starting a runtime

Policy authoring and rollout

CommandWhat it covers
kt policy lintValidate a runtime config or IAM policy document
kt policy testExecute local pack tests and inline testing suites
kt policy pushUpload a policy config as a new version for a gateway
kt policy deployRoll out a source policy version to one or more target gateways and verify application
kt policy diffCompute a dry-run reconcile plan for IAM policy documents
kt policy applyReconcile reviewed IAM policy documents to the control plane
kt policy evaluateSimulate an action and resource KRN against local or selected remote IAM policies
kt policy exportExport selected or all remote IAM policies to YAML or JSON

Use this group for the normal authoring loop:

kt init
kt config validate --file policy-config.yaml
kt policy lint --file policy-config.yaml
kt policy test --json
kt gateway check --config policy-config.yaml
kt policy push --file policy-config.yaml --gateway-id local-gateway

The command family manages two document types. Runtime policy-config.yaml uses lint, test, push, and deploy; IAM policy documents use lint, diff, apply, evaluate, and export. See Policy Lifecycle before automating either path.

Gateway runtime and lifecycle

CommandWhat it covers
kt gateway runStart a local governance gateway for the supported public request families
kt gateway checkResolve config, provider credentials, routing, and the policy chain without starting a server
kt gateway createCreate a local supervisor definition with the listen and upstream settings you want to manage
kt gateway listList local gateways, or remote gateways with --remote
kt gateway inspectInspect a named local gateway and optional recent lifecycle history
kt gateway configQuery a running gateway config endpoint by URL
kt gateway reloadAsk a running gateway at a specific URL to reload
kt gateway diffCompare the current named gateway state with its saved local service state
kt gateway revertAsk a running gateway at a specific URL to revert
kt gateway reconcileReconcile a named gateway, or every known gateway with --all
kt gateway installInstall a local gateway as a user service
kt gateway startStart an installed gateway service
kt gateway statusShow service-manager status for an installed gateway
kt gateway stopStop an installed gateway service
kt gateway uninstallRemove the installed gateway service definition
kt gateway upgrade plan/apply/status/rollbackPlan, apply, inspect, or roll back a local runtime binary upgrade

Focused guides:

Profiles, regions, and locality

CommandWhat it covers
kt configure set region <region> --profile <profile>Persist a profile-scoped default region in ~/.keeptrusts/config.yaml
kt configure get region --profile <profile>Read the configured default region for one profile
kt configure list-profilesShow known profile names from config and stored credentials
kt regions listDiscover available regions with sovereignty class and API endpoints
kt regions useWrite the default region for the active CLI profile
kt regions switchAlias for use
kt regions currentShow the resolved region, winning source, resolved API endpoint, and requested scope
kt regions statusShow detailed status for each region

Use a command's own --region <region> option for API-backed operations. The top-level kt --region <region> ... form is a compatibility shim for local gateway/runtime surfaces that still read process-wide context.

kt regions list also supports --enabled, --disabled, --group <group_key>, --sovereignty-class <class>, and --json.

Removed config commands

kt config show, kt config migrate, and kt config diff are no longer part of the public CLI surface. Use kt configure ... for profile defaults, kt regions ... for locality inspection, and the command-specific diff surfaces such as kt gateway diff or kt policy diff where those workflows still exist.

Declarative-config precedence

Use kt configure ... and kt regions ... to manage the requested region for API-backed CLI commands. Use policy-config.yaml for gateway and provider locality. The CLI profile default does not override runtime routing declared in the policy config.

Published-hostname MCP

This surface is not a separate kt subcommand. The gateway serves MCP directly from a published agent hostname at /mcp.

Use Gateway MCP Surface for the current transport details, capability limits, and the distinction between the hosted MCP surface, runtime MCP bridge targets, and declarative tool-server metadata.

Events, exports, and escalations

CommandWhat it covers
kt events tailQuery recent event records from the Keeptrusts API
kt events exportExport event data directly as CSV or JSON
kt trail lookupQuery immutable Trail events by request ID or audit filters
kt trail verifyVerify a nonempty bounded Trail window: digest-link checks by default, or event hash, sequence, and intra-window link checks with --deep
kt trail exportExport a filtered Trail window to JSON, JSONL, CSV, or gzip
kt export-jobs listList asynchronous export jobs
kt export-jobs getInspect one export job and its state
kt export-jobs createQueue a new evidence export job
kt export-jobs downloadDownload a completed export artifact
kt escalation listList escalations raised by policy outcomes
kt escalation getInspect a specific escalation
kt escalation claimClaim an escalation for triage
kt escalation unclaimRelease a previously claimed escalation
kt escalation resolveMark an escalation resolved with the chosen outcome

History, secrets, cache, and control

CommandWhat it covers
kt history list-sessions/get-session/delete-sessionBrowse, inspect, and delete governed history sessions
kt history export/tag/search/share/replay/statsExport, organize, inspect, replay, and summarize governed history
kt history learnRequest server-side learning for one selected history session, or preview its source entries
kt history condenseGenerate a condensed session summary for review or handoff
kt secret list/get/create/update/deleteManage hosted secret records without putting secret values on the command line
kt secrets add/statusManage local credential resolution for provider targets
kt cache stats/list/inspect/clearInspect or clear the response-cache backend selected by the current environment
kt control planCompute a dry-run reconcile plan for a control manifest
kt control applyApply a control manifest to the Keeptrusts API
kt control exportExport current remote control state into a manifest

Workflow notes:

  • Use kt secret ... for hosted secret records.
  • Use kt secrets ... for local keychain or environment credential resolution checks.
  • Use kt cache ... with the exact gateway cache environment; detailed entry and counter views are filesystem-specific.
  • Use kt control plan before apply, and pair every apply --prune with a reviewed plan --prune.

IAM, users, teams, roles, policies, and agents

CommandWhat it covers
kt user ...User inventory, invitations, lifecycle, and direct role assignment
kt team ...Team CRUD operations, membership, and team-level role grants
kt role ...Role CRUD operations plus policy attachment and effective-action inspection
kt iam policy ...Manage reusable IAM policies
kt agent list/get/create/update/deleteManage first-class agent records
kt agent link-gateway/unlink-gatewayBind agents to gateway runtimes

Focused guides:

Spend, budgets, provider budgets, and API tokens

CommandWhat it covers
kt spend summaryAggregate spend reporting
kt spend budget ...Org, team, user, or key budget management
kt spend provider-budget ...Provider-specific budget ceilings
kt token ...Governed API token lifecycle, including create, update, clone, revoke, rotate, validate, and code exchange

Use this group when you need to manage cost ceilings, publish bounded access, or rotate customer-facing gateway credentials.

Runtime feature guides

The CLI also drives the gateway runtime behaviors configured through policy-config.yaml and related declarative documents.

FeatureWhere to read more
Streaming compatibility and chunked passthroughStreaming & SSE
WebSocket proxy compatibilityWebSocket Gateway
Connected relay transport for NAT-bound gatewaysConnected Gateway Relay
Cross-provider request and response translationFormat Translation
Ordered fallback and failover routingMulti-Provider Fallback
Route-based targeting and chain overridesRoutes and Consumer Groups
Caching behavior and runtime defaultsRuntime Configuration
Cache inspection and maintenanceLocal Response Cache
Provider routing, fallback, and model groupsProviders Configuration, Data Routing Policy
Rate limitsRate Limits Configuration
Declarative policy schema and gateway config shapeDeclarative Config Reference
Policy controls such as DLP, human oversight, tool validation, and audit loggingPolicy Controls Catalog, Policies Overview

Next steps