tetrapus-admin CLI
`tetrapus-admin` is the operator’s day-2 toolbox. It wraps the data-plane and control-plane HTTP APIs in a single binary and ships with offline verifiers for audit chains, Merkle attestations, and SBOM bundles. Subcommands either talk to the data plane (`--server`) or to the control plane (`--control-url`); a few are purely local.
Subcommand reference
| Subcommand | Talks to | One-line |
|---|---|---|
| bootstrap | Data plane | Create the very first admin user; prints a single-use setup URL. |
| keys list | Data plane | Show currently active JWT signing keys (TTY table). |
| keys rotate | Data plane | Rotate the active signing key; prints the new kid. |
| audit verify | Local file | Verify an NDJSON audit chain end-to-end. |
| audit export | Data plane | Pull an Org’s audit slice for offline review. |
| attestation verify | Local file | Re-derive a Merkle root and check a leaf inclusion proof. |
| breakglass | Data plane | Cut a time-boxed root token; every use is audited. |
| backup snapshot | Data plane | Take a hot snapshot to a writable directory. |
| backup verify | Local file | Re-hash a snapshot manifest and check digests. |
| sbom verify | Local file | Verify a signed install bundle (manifest + sig). |
| tenant-plane add | Control plane | Register a new tenant data plane. |
| tenant-plane list | Control plane | List registered tenant planes (TTY table). |
| elevation request | Data plane | Submit a JIT permission elevation request; prints the request id. |
| elevation approve | Data plane | Approve a pending elevation by id; echoes the new status. |
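
What an offline check like `attestation verify` amounts to, as an added example (not tetrapus code): re-derive a Merkle root from a leaf plus its inclusion proof and compare it with the published root. The hash construction, proof layout, and sample events below are assumptions, since this page does not specify the tool's actual file formats.

```python
import hashlib
import json

# Assumed conventions (not from the tetrapus docs): SHA-256, RFC 6962-style
# domain separation (0x00 leaf, 0x01 node), an unpaired node is promoted
# unchanged, and a proof is a list of {"side": "L"|"R", "hash": hex} siblings
# ordered from the leaf level up to the root.

def leaf_hash(event: dict) -> bytes:
    # Canonical JSON so the same event always hashes to the same leaf.
    blob = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + blob).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves: list[bytes]) -> list[list[bytes]]:
    # levels[0] is the leaf row, levels[-1] is the single root.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
               for i in range(0, len(cur), 2)]
        levels.append(nxt)
    return levels

def make_proof(levels: list[list[bytes]], index: int) -> list[dict]:
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling at this level
            side = "L" if sib < index else "R"
            proof.append({"side": side, "hash": level[sib].hex()})
        index //= 2
    return proof

def verify_inclusion(root_hex: str, proof: list[dict], event: dict) -> bool:
    # Fold the sibling hashes into the leaf hash; the result must be the root.
    acc = leaf_hash(event)
    for step in proof:
        sib = bytes.fromhex(step["hash"])
        acc = node_hash(sib, acc) if step["side"] == "L" else node_hash(acc, sib)
    return acc.hex() == root_hex

# Constructed sample events standing in for audit records.
EVENTS = [{"seq": i, "actor": "ops", "action": f"op-{i}"} for i in range(5)]
LEVELS = build_levels([leaf_hash(e) for e in EVENTS])
ROOT = LEVELS[-1][0].hex()
```

The verifier needs only the root, the proof, and the leaf, so it can run on a machine with no access to the data plane; any change to the event body or to its position in the tree produces a different root.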
Examples
bootstrap
```bash
tetrapus-admin bootstrap \
  --email admin@tetrapus.local \
  --server https://localhost:9801
# → POST /api/v1/admin/bootstrap
# → prints a one-time setup URL on stdout
```
keys list / rotate
```bash
tetrapus-admin keys list --server https://localhost:9801
tetrapus-admin keys rotate --server https://localhost:9801 --kid 2026-04-jwt
```
audit verify / export
```bash
tetrapus-admin audit verify \
  --jsonl /var/lib/tetrapus/acme/audit.ndjson
tetrapus-admin audit export \
  --org acme \
  --since 2026-04-01T00:00:00Z \
  --out ./audit-acme-april.ndjson \
  --server https://localhost:9801
```
attestation verify
```bash
tetrapus-admin attestation verify \
  --root ./roots/2026-04.root.json \
  --proof ./proofs/event-71234.proof.json \
  --leaf ./events/event-71234.json
```
breakglass
```bash
tetrapus-admin breakglass \
  --reason "S1 incident #4821 - DB recovery" \
  --ttl-min 30 \
  --server https://localhost:9801
# → POST /api/v1/admin/breakglass
# → prints { token: "bg_...", expires_at: "..." }
```
backup snapshot / verify
```bash
tetrapus-admin backup snapshot \
  --out /backup/2026-04-26-acme \
  --server https://localhost:9801
tetrapus-admin backup verify \
  --manifest /backup/2026-04-26-acme/manifest.json
```
sbom verify
```bash
tetrapus-admin sbom verify \
  --bundle /media/usb/tetrapus-1.0.0.tar.zst
```
tenant-plane add / list
```bash
tetrapus-admin tenant-plane add \
  --slug acme \
  --region us-east-1 \
  --control-url https://control.internal:9100
tetrapus-admin tenant-plane list \
  --control-url https://control.internal:9100
```
elevation request / approve
```bash
tetrapus-admin elevation request \
  --perms "audit_read,key_rotate" \
  --reason "post-incident review (#4821)" \
  --server https://localhost:9801
# → { id: "01HW..." }
tetrapus-admin elevation approve \
  --id 01HW... \
  --server https://localhost:9801
# → { status: "approved" }
```
Defaults
Data-plane subcommands default to https://localhost:9801.
Control-plane subcommands default to http://127.0.0.1:8090.
Set `DM_ADMIN_TOKEN` in the environment to skip `--token` on every call.
Related
- Audit Trail — what `audit verify` consumes.
- Attestation — what `attestation verify` checks.
- JIT elevation — what `elevation request/approve` drives.