Skip to main content
The Palyra CLI (palyra-cli) is designed with a strict output contract and a robust profile management system that enables multi-environment operations. This page details the technical implementation of the CLI’s output formatting, the lifecycle of connection profiles, identity pairing flows, and auxiliary management commands such as backup/restore and support bundle generation.

CLI Output Contract

The CLI implements a multi-format output system supporting human-readable text, JSON, and NDJSON (Newline Delimited JSON). This contract is pinned by parity tests to ensure stability for operators and automation scripts crates/palyra-cli/src/output/mod.rs#4-6.

Exit Codes

The CLI maps internal errors to a stable set of process exit codes. These codes are part of the documented operator contract crates/palyra-cli/src/output/mod.rs#22-38.
Exit CodeNameDescription
0SuccessOperation completed successfully.
1InternalUnhandled internal error.
2ValidationInvalid input or flag combination.
3AuthAuthentication failure or expired credentials.
4ConnectivityFailed to reach the daemon or provider.
6PolicyCedar policy engine denied the action.
130CancelledOperation interrupted by user (SIGINT).

Output Formatting and Redaction

Output is routed through the output module, which handles serialization and mandatory secret redaction. Sources: crates/palyra-cli/src/output/mod.rs#22-155, crates/palyra-common/src/redaction.rs#10-10

Profile Lifecycle and Registry

Profiles allow users to switch between different Palyra environments (e.g., local, production, staging) by isolating connection endpoints, credentials, and state roots.

Profile Registry Structure

The registry is stored in cli/profiles.toml within the CLI state root crates/palyra-cli/src/app/mod.rs#34-35. It is managed via the CliProfilesDocument and CliConnectionProfile structs crates/palyra-cli/src/app/mod.rs#140-173.

Profile Operations

The palyra profile command family implements the following lifecycle:
  1. Create/Clone: Initializes a new profile. If strict_mode is enabled, the profile enforces higher security guardrails crates/palyra-cli/src/app/mod.rs#168-169.
  2. Use: Sets the default_profile in the registry crates/palyra-cli/src/app/mod.rs#144-144.
  3. Export/Import: Supports portability. Exports can be plaintext (redacted) or encrypted using AES-256-GCM with a PBKDF2-derived key crates/palyra-cli/src/commands/profile.rs#31-40.

Data Flow: Profile Resolution

The RootCommandContext resolves the active profile by checking the --profile flag, the PALYRA_CLI_PROFILE environment variable, or the registry default crates/palyra-cli/src/app/mod.rs#32-58. Sources: crates/palyra-cli/src/app/mod.rs#32-173, crates/palyra-cli/src/commands/profile.rs#31-183

Identity and Pairing Flows

Palyra uses a pairing handshake to establish trust between a CLI/Device and the Daemon.

Pairing Handshake

The pairing flow is managed via PairingCommand. It supports:

Secret Storage

Identity secrets (private keys, CA state) are stored using the SecretStore trait. Sources: crates/palyra-cli/src/commands/pairing.rs#8-178, crates/palyra-identity/src/store.rs#1-132

Auxiliary Commands

Backup and Restore

The palyra backup command creates portable ZIP archives containing configuration, state, and optional workspace data crates/palyra-cli/src/commands/backup.rs#1-5.

Support Bundle

The palyra support-bundle command generates a diagnostic package for troubleshooting. It aggregates:

Auth and Policy Diagnostics

Implementation Entity Map

The following diagram bridges the high-level CLI concepts to the specific code entities responsible for their execution. Sources: crates/palyra-cli/src/app/mod.rs#45-147, crates/palyra-identity/src/store.rs#41-132, crates/palyra-control-plane/src/client.rs#58-118, crates/palyra-cli/src/commands/pairing.rs#23-156