genesis-mesh admin |
Run operator admin actions against the Network Authority. |
None |
genesis-mesh admin invite |
Create a single-use invite token and print it. |
--config - Config path.
--na - Network Authority URL.
--operator-key - Operator private key.
--operator-key-id - Operator key ID. default: operator-local
--role - Role to assign. default: ['client']
--validity-hours - Maximum certificate validity. default: 168
--token-expiry-hours - Invite validity. default: 24
|
genesis-mesh admin revoke |
Revoke a certificate by ID. |
--config - Config path.
--na - Network Authority URL.
--operator-key - Operator private key.
--operator-key-id - Operator key ID. default: operator-local
--reason - Revocation reason. default: unspecified
|
genesis-mesh dev |
Run local developer workflows. |
None |
genesis-mesh dev down |
Remove local development artifacts created by `genesis-mesh init`. |
None |
genesis-mesh dev up |
Run the in-process local smoke workflow. |
None |
genesis-mesh discover |
Discover registered agents on the Network Authority by capability. |
--config - Config path.
--na - Network Authority URL (overrides config).
--capability - Filter to agents advertising this capability.
--format - Output format. default: table
|
genesis-mesh federation |
Review and bootstrap recognition between sovereigns. |
None |
genesis-mesh federation bootstrap |
Review another sovereign and optionally issue a direct treaty. |
--acceptor - Recognizing sovereign NA endpoint. default: Sentinel.UNSET
--issuer - Sovereign being recognized.
--issuer-bundle - Trust bundle for the sovereign being recognized.
--acceptor-config, --config - Config for acceptor admin signing.
--operator-key - Acceptor operator private key.
--operator-key-id - Acceptor operator key ID. default: operator-local
--role - Role accepted from issuer. default: ['role:service:maintainer']
--accepted-status - Accepted attestation status. default: ['active']
--claim - Treaty claim as key=value. Repeatable. default: Sentinel.UNSET
--validity-hours - Treaty validity window. default: 24
--evidence - Optional JSON evidence output path.
--dry-run - Review and preview without issuing a treaty. default: False
--yes - Issue treaty without interactive confirmation. default: False
--format - Output format. default: table
|
genesis-mesh genesis |
Manage genesis blocks. |
None |
genesis-mesh genesis create |
Create a new genesis block (unsigned). |
--network-name - Network name (e.g., USG) default: Sentinel.UNSET
--network-version - Network version default: v0.1
--root-key - Path to root public key default: Sentinel.UNSET
--na-key - Path to NA public key default: Sentinel.UNSET
--na-valid-days - NA key validity in days default: 90
--anchor - Bootstrap anchor (id:endpoint) default: Sentinel.UNSET
--output - Output genesis block path default: Sentinel.UNSET
|
genesis-mesh genesis sign |
Sign a genesis block with Root Sovereign key. |
--genesis - Path to unsigned genesis block default: Sentinel.UNSET
--root-private-key - Path to root private key default: Sentinel.UNSET
--key-id - Root key identifier default: rs-2025-q1
--output - Output signed genesis block path default: Sentinel.UNSET
|
genesis-mesh genesis verify |
Verify genesis block signatures. |
--genesis - Path to signed genesis block default: Sentinel.UNSET
|
genesis-mesh info |
Display genesis block information. |
--genesis - Path to signed genesis block default: Sentinel.UNSET
|
genesis-mesh init |
Create local keys, a signed genesis block, and CLI config. |
--config - Config path to write.
--home - Directory for generated artifacts. default: .genesis-mesh
--network-name - Network name. default: USG
--network-version - Network version. default: v0.1
--na-endpoint - Network Authority URL. default: http://127.0.0.1:8443
--genesis-file - Signed genesis output path.
--na-private-key-file - Network Authority private key output path.
--operator-private-key-file - Operator private key output path.
--operator-public-key-file - Operator public key output path.
--db-path - Network Authority SQLite DB path to store in config.
--na-host - Network Authority bind host to store in config. default: 127.0.0.1
--na-port - Network Authority bind port to store in config. default: 8443
--anchor - Optional peer bootstrap anchor id:endpoint. Do not use the NA HTTP endpoint.
--force - Overwrite existing config and artifacts. default: False
|
genesis-mesh join |
Enroll this machine as a node and persist node config. |
--config - Config path.
--na - Network Authority URL. default: Sentinel.UNSET
--token - Invite token. Required only for first enrollment.
--role - Requested local role. default: ['client']
--validity-hours - Requested certificate validity. default: 168
--persistent - Start the peer runtime after enrollment. default: False
--listen-host - Peer runtime bind host. default: 0.0.0.0
--listen-port - Peer runtime bind port. default: 0
--peer - Bootstrap peer endpoint (host:port or ws://host:port). Repeatable. default: Sentinel.UNSET
|
genesis-mesh keygen |
Generate cryptographic keys. |
None |
genesis-mesh keygen network-authority |
Generate Network Authority keypair. |
--output - Output path (without extension) default: Sentinel.UNSET
--key-id - Key identifier default: na-2025-q1
|
genesis-mesh keygen node |
Generate node identity keypair. |
--output - Output path (without extension) default: Sentinel.UNSET
--key-id - Optional key identifier default: Sentinel.UNSET
|
genesis-mesh keygen root |
Generate Root Sovereign keypair (offline authority). |
--output - Output path (without extension) default: Sentinel.UNSET
--key-id - Key identifier default: rs-2025-q1
|
genesis-mesh managed |
Managed sovereign backup, restore, and audit operations. |
None |
genesis-mesh managed audit-export |
Export redacted Network Authority audit events. |
--db-path - Network Authority SQLite database path. default: Sentinel.UNSET
--output - Destination audit export path. default: Sentinel.UNSET
--format - Audit export format. default: jsonl
--event-type - Optional event type filter.
|
genesis-mesh managed backup |
Create a consistent SQLite backup using SQLite's online backup API. |
--db-path - Network Authority SQLite database path. default: Sentinel.UNSET
--output - Destination backup path. default: Sentinel.UNSET
|
genesis-mesh managed restore |
Restore a Network Authority database from a backup file. |
--db-path - Network Authority SQLite database path to replace. default: Sentinel.UNSET
--backup - Backup database to restore from. default: Sentinel.UNSET
--pre-restore-backup - Optional destination for a copy of the current DB before restore.
--yes - Confirm the offline restore operation. default: False
|
genesis-mesh na |
Run Network Authority operations. |
None |
genesis-mesh na start |
Start a local Network Authority server from config. |
--config - Config path.
--host - Bind host.
--port - Bind port.
--db-path - SQLite database path.
|
genesis-mesh proof |
Run and clean sovereign proof workflows. |
None |
genesis-mesh proof cleanup |
Remove only proof artifacts from a Network Authority database. |
--db-path - Network Authority SQLite database path. default: Sentinel.UNSET
--backup-path - Explicit backup destination path.
--backup-dir - Directory for timestamped DB backup.
--yes - Confirm cleanup without an interactive prompt. default: False
--format - Output format. default: table
|
genesis-mesh proof remote |
Run the attestation -> treaty -> revocation proof against two endpoints. |
--acceptor - Recognizing sovereign NA endpoint. default: Sentinel.UNSET
--issuer - Subject/issuing sovereign NA endpoint. default: Sentinel.UNSET
--acceptor-config - Config for acceptor admin signing.
--issuer-config - Config for issuer admin signing.
--operator-key - Shared operator private key for both NAs.
--operator-key-id - Shared operator key ID. default: operator-local
--acceptor-operator-key - Acceptor operator private key.
--acceptor-operator-key-id - Acceptor operator key ID.
--issuer-operator-key - Issuer operator private key.
--issuer-operator-key-id - Issuer operator key ID.
--role - Attested role to prove. default: role:service:maintainer
--subject-id - Subject ID for the proof attestation.
--subject-public-key - Subject public key. default: proof-subject-public-key
--claim - Extra proof claim as key=value. Repeatable. default: Sentinel.UNSET
--validity-hours - Proof artifact validity window. default: 24
--proof-bundle - Optional JSON proof bundle output path.
--adoption-proof - Require external-operator evidence fields. default: False
--acceptor-operator-label - Human label for the acceptor operator. default: unspecified
--issuer-operator-label - Human label for the issuer operator. default: unspecified
--acceptor-operator-type - Relationship of the acceptor operator to Genesis Core. default: unknown
--issuer-operator-type - Relationship of the issuer operator to Genesis Core. default: unknown
--issuer-controls-keys - Issuer operator confirms they control their keys. default: False
--issuer-controls-infrastructure - Issuer operator confirms they control their infrastructure. default: False
--operator-assistance-note - Onboarding assistance note for the proof bundle. Repeatable. default: Sentinel.UNSET
|
genesis-mesh send |
Send a message to a node through a peer WebSocket connection. |
--to - Recipient node public key. default: Sentinel.UNSET
--via - Peer WebSocket endpoint (ws://host:port). default: Sentinel.UNSET
--message - Message text to send. default: Sentinel.UNSET
--config - Config path.
|
genesis-mesh sovereign |
Inspect public sovereign metadata. |
None |
genesis-mesh sovereign inspect |
Fetch operator-safe public trust material for a sovereign. |
--na, --endpoint - Network Authority URL. default: Sentinel.UNSET
--format - Output format. default: table
|
genesis-mesh status |
Show Network Authority and node status from config. |
|
genesis-mesh supply-chain |
Verify portable maintainer trust for CI and release gates. |
None |
genesis-mesh supply-chain verify |
Allow or deny a maintainer action using portable sovereign trust. |
--attestation - Membership attestation JSON issued by the maintainer sovereign. default: Sentinel.UNSET
--treaty - Recognition treaty JSON from the accepting sovereign. default: Sentinel.UNSET
--treaty-issuer-public-key - Base64 public key accepted for the treaty issuer. default: Sentinel.UNSET
--project-id - Expected supply-chain project ID. default: Sentinel.UNSET
--repository - Optional expected repository claim.
--delegated-role - Expected delegated role claim. default: release-maintainer
--role - Required role in the attestation. default: role:supply-chain:release-maintainer
--revocation-feed - Optional signed sovereign revocation feed JSON. Repeatable. default: Sentinel.UNSET
--min-feed-sequence - Reject feeds at or below this sequence as stale.
--proof-bundle - Optional redacted JSON audit output path.
--format - Output format for CI logs. default: text
|
genesis-mesh treaty |
Inspect and manage direct-recognition treaty lifecycle. |
None |
genesis-mesh treaty inspect |
Inspect one treaty and its lifecycle state. |
--na - Network Authority endpoint. default: Sentinel.UNSET
--format - Output format. default: table
|
genesis-mesh treaty list |
List treaties with lifecycle state and expiry risk. |
--na - Network Authority endpoint. default: Sentinel.UNSET
--issuer-sovereign-id - Filter by treaty issuer sovereign.
--subject-sovereign-id - Filter by treaty subject sovereign.
--status - Filter by persisted treaty status.
--format - Output format. default: table
|
genesis-mesh treaty renew |
Create a new treaty from an existing treaty and retire the old one. |
--na - Network Authority endpoint. default: Sentinel.UNSET
--validity-hours - New treaty validity window. default: 24
--config - Config for operator signing.
--operator-key - Operator private key.
--operator-key-id - Operator key ID. default: operator-local
--yes - Renew without interactive confirmation. default: False
|
genesis-mesh treaty replace |
Create a replacement treaty with updated scope and retire the old one. |
--na - Network Authority endpoint. default: Sentinel.UNSET
--role - Replacement role. Repeatable. default: Sentinel.UNSET
--accepted-status - Accepted status. Repeatable. default: Sentinel.UNSET
--claim - Replacement claim as key=value. Repeatable. default: Sentinel.UNSET
--validity-hours - New treaty validity window. default: 24
--config - Config for operator signing.
--operator-key - Operator private key.
--operator-key-id - Operator key ID. default: operator-local
--yes - Replace without interactive confirmation. default: False
|
genesis-mesh treaty revoke |
Revoke a persisted treaty through existing admin semantics. |
--na - Network Authority endpoint. default: Sentinel.UNSET
--reason - Revocation reason. default: unspecified
--config - Config for operator signing.
--operator-key - Operator private key.
--operator-key-id - Operator key ID. default: operator-local
--yes - Revoke without interactive confirmation. default: False
|
genesis-mesh trust-bundle |
Export, inspect, and validate public sovereign trust bundles. |
None |
genesis-mesh trust-bundle export |
Export public sovereign trust material into one JSON bundle. |
--na - Network Authority endpoint. default: Sentinel.UNSET
--output - Bundle output path. default: Sentinel.UNSET
--include-revocation-feed, --no-include-revocation-feed - Include the public sovereign revocation feed. default: True
--format - Output format. default: table
|
genesis-mesh trust-bundle import |
Import a bundle into local review evidence without granting trust. |
--bundle - Bundle JSON path. default: Sentinel.UNSET
--na - Optional live NA endpoint to compare against.
--output - Optional review receipt output path.
--format - Output format. default: table
|
genesis-mesh trust-bundle inspect |
Inspect a trust bundle without contacting a Network Authority. |
--bundle - Bundle JSON path. default: Sentinel.UNSET
--format - Output format. default: table
|
genesis-mesh trust-bundle validate |
Validate trust bundle structure and optional live endpoint consistency. |
--bundle - Bundle JSON path. default: Sentinel.UNSET
--na - Optional live NA endpoint to compare against.
--format - Output format. default: table
|