Validate a console-generated API key and store it in the local CLI config.

gstacks auth login --base-url URL --api-key KEY

gstacks auth login --base-url http://devops.local:8080 --api-key gsk_xxxxx

Remove the local CLI config.

gstacks auth logout

Verify the configured API key and print the authenticated user payload.

gstacks whoami

Print the CLI version, branch, commit, and commit count.

gstacks version

Download and install the latest CLI release over the current binary.

gstacks upgrade

gstacks upgrade

gstacks upgrade --version 0.1.339-6d0940d

gstacks upgrade --force

List connected hosts from the infrastructure inventory.

gstacks host list

gstacks host list

Show one host record with routing-relevant metadata such as tags, traits, ownership, and eligibility state.

gstacks host info --host-id ID

gstacks host info --host-id agt_123

Update operator-managed host routing rules such as tags and eligibility flags. Ownership and classification remain control-plane managed.

gstacks host update --host-id ID [--tag TAG]

gstacks host update --host-id agt_123 --tag pool:edge --sandbox-eligible true

Open an interactive host shell session proxied through the connected host agent.

gstacks host ssh HOST

gstacks host ssh devops

gstacks host ssh --host-id agent-123

gstacks host ssh devops --session-id aterm_123

Schedule a typed managed upgrade for a connected host agent.

gstacks host upgrade HOST [--version VERSION]

gstacks host upgrade devops

gstacks host upgrade --host-id agent-123 --version 0.1.1400

List current host shell sessions and whether they have an active viewer.

gstacks host sessions HOST

gstacks host sessions devops

Attach to an existing host shell session.

gstacks host attach HOST SESSION_ID

gstacks host attach devops aterm_123

List control-plane volumes and summarize their current attachments.

gstacks volume list

gstacks volume list

Show one volume record as JSON, including attachment records and runtime state where available.

gstacks volume info ID

gstacks volume info vol_123

Create a detached control-plane volume.

gstacks volume create --cluster-id ID VOLUME_ID

gstacks volume create --cluster-id cls_123 shared-media

List attachment records for one volume.

gstacks volume attachment list ID

gstacks volume attachment list shared-media

Create one attachment record for a volume.

gstacks volume attachment create ID --target-kind KIND --target-id TARGET

gstacks volume attachment create shared-media --target-kind host --target-id agt_123

Delete one attachment record from a volume.

gstacks volume attachment delete ID ATTACHMENT

gstacks volume attachment delete shared-media volatt_123

List tenant sandboxes from the infrastructure inventory. Archived sandboxes are hidden by default.

gstacks sandbox list

gstacks sandbox list

gstacks sandbox list --archived

gstacks sandbox list --stopped

Create an empty sandbox and optionally constrain placement with host routing inputs.

gstacks sandbox create --cluster-id ID [--host-id ID] [--require-tag TAG] [--require-trait TRAIT]

gstacks sandbox create --cluster-id cls_123 --name buildbox

gstacks sandbox create --cluster-id cls_123 --blueprint dev-ready

gstacks sandbox create --cluster-id cls_123 --host-id agt_123 --require-trait docker --require-tag pool:edge

Create a reusable blueprint from an existing sandbox.

gstacks sandbox blueprint SANDBOX --name NAME

gstacks sandbox blueprint devbox --name captured-devbox

Attach an Access policy directly to one sandbox.

gstacks sandbox access attach SANDBOX POLICY

gstacks sandbox access attach gssbx_123 openai

Show one sandbox record as JSON.

gstacks sandbox info ID

gstacks sandbox info gssbx_123

gstacks sandbox info --sandbox-id gssbx_123

Deprovision a sandbox runtime and archive the sandbox record.

gstacks sandbox delete ID

gstacks sandbox delete gssbx_123

gstacks sandbox delete --sandbox-id gssbx_123

Stop one sandbox runtime.

gstacks sandbox stop ID

gstacks sandbox stop gssbx_123

gstacks sandbox stop --sandbox-id gssbx_123

Start one stopped sandbox runtime.

gstacks sandbox start ID

gstacks sandbox start gssbx_123

gstacks sandbox start --sandbox-id gssbx_123

Create one sandbox fork.

gstacks sandbox fork [--name NAME] --mode MODE SANDBOX_ID

gstacks sandbox fork gssbx_123 --mode filesystem --name feature-auth

gstacks sandbox fork gssbx_123 --mode filesystem --name speculative --count 3

gstacks sandbox fork --mode live --fallback filesystem --name quick-check gssbx_123

List forks created from one sandbox.

gstacks sandbox forks SANDBOX_ID

gstacks sandbox forks gssbx_123

gstacks sandbox forks --archived gssbx_123

gstacks sandbox forks --sandbox-id gssbx_123

Show root, ancestor, current, and descendant fork lineage for one sandbox.

gstacks sandbox lineage SANDBOX_ID

gstacks sandbox lineage gssbx_123

gstacks sandbox lineage --sandbox-id gssbx_123

Open an interactive sandbox terminal.

gstacks sandbox ssh ID

gstacks sandbox ssh gssbx_123

gstacks sandbox ssh --sandbox-id gssbx_123

gstacks sandbox ssh gssbx_123 --session-id sterm_123

List current sandbox shell sessions and whether they have an active viewer.

gstacks sandbox sessions ID

gstacks sandbox sessions gssbx_123

Attach to an existing sandbox shell session.

gstacks sandbox attach ID SESSION_ID

gstacks sandbox attach gssbx_123 sterm_123

List sandbox blueprints and their source artifact references.

gstacks blueprint list

gstacks blueprint list

Create an image-backed blueprint from an external image source.

gstacks blueprint create IMAGE --name NAME [--registry REGISTRY]

gstacks blueprint create hello-world:latest --name hello-world --wait

gstacks blueprint create ghcr.io/acme/dev:latest --name dev-ready --registry reg_123

gstacks blueprint create registry.example.com/acme/dev:latest --name private-dev --registry reg_123 --private

Show one blueprint as JSON.

gstacks blueprint get BLUEPRINT

Mark a blueprint active for sandbox creation.

gstacks blueprint activate BLUEPRINT

Mark a blueprint inactive.

gstacks blueprint deactivate BLUEPRINT

Archive a blueprint and hide it from the active console inventory.

gstacks blueprint archive BLUEPRINT

Delete a blueprint record.

gstacks blueprint delete BLUEPRINT

Attach an Access policy to a blueprint so new sandboxes inherit it.

gstacks blueprint access attach BLUEPRINT POLICY

gstacks blueprint access attach dev-ready openai

List write-only Access secrets.

gstacks access secret list

gstacks access secret list

Create a write-only Access secret from an environment variable or stdin.

gstacks access secret create NAME --value-env ENV

gstacks access secret create openai-api-key --value-env OPENAI_API_KEY

Rotate a write-only Access secret value while keeping policy references stable.

gstacks access secret rotate NAME --value-env ENV

gstacks access secret rotate openai-api-key --value-stdin

Grant a stored Access secret to a sandbox or blueprint as an environment variable.

gstacks access secret grant TARGET SECRET ENV_NAME [--target-kind KIND]

gstacks access secret grant gssbx_123 openai-api-key OPENAI_API_KEY

Create an Access egress policy with arbitrary safe injected headers.

gstacks access policy create NAME --host HOST --header NAME=VALUE

gstacks access policy create openai --host api.openai.com --path /v1/* --method POST --header 'Authorization=Bearer {{secret:openai-api-key}}'

gstacks access policy create vendor --host api.vendor.example --header 'X-Tenant=customer-123' --header 'X-Api-Key={{secret:vendor-token}}'

List Access egress policies.

gstacks access policy list

Disable an Access egress policy without deleting it.

gstacks access policy disable POLICY

List external registry connections.

gstacks registry list

Create an external registry connection for image-backed blueprints.

gstacks registry create NAME [--provider PROVIDER] [--url URL]

gstacks registry create ghcr --provider ghcr --url https://ghcr.io --username robot --credential-secret-ref secret://registry/ghcr

Show one registry connection as JSON.

gstacks registry get REGISTRY

Update an external registry connection.

gstacks registry update REGISTRY [--name NAME]

Delete an external registry connection.

gstacks registry delete REGISTRY

Show internal blueprint registry settings as JSON.

gstacks registry status

List internal blueprint registry repositories.

gstacks registry repositories

List internal blueprint registry artifacts.

gstacks registry artifacts

List extensions visible to the current tenant.

gstacks extensions list

Install an extension into the authenticated control plane tenant.

gstacks extensions install EXTENSION

gstacks extensions install cloudflare-r2

Invoke an installed extension operation through the control plane.

gstacks extensions invoke EXTENSION OPERATION

gstacks extensions invoke cloudflare-r2 cloudflare-r2.bucket.create --target-id default --input-json '{"bucket_name":"globalstacks-dev"}'

Validate a local extension manifest, permissions, egress, artifact metadata, and compatibility.

gstacks extensions validate

Verify generated SDKs match committed OpenAPI and JSON Schema files.

gstacks extensions sdk check

List runtime networks.

gstacks network list

gstacks network list

Create a runtime network.

gstacks network create --cluster-id ID NAME

gstacks network create --cluster-id cls_123 dev

Show one runtime network as JSON.

gstacks network inspect NETWORK

Attach a sandbox to a network and publish an alias.

gstacks network attach NETWORK SANDBOX --alias NAME --port PORT

gstacks network attach dev gssbx_123 --alias api --port 8080

Detach a sandbox from a network.

gstacks network detach NETWORK SANDBOX

List network aliases.

gstacks network alias list NETWORK

Add an alias to a sandbox network member.

gstacks network alias add NETWORK SANDBOX ALIAS --port PORT

gstacks network alias add dev gssbx_123 worker --port 9090

Remove a network alias.

gstacks network alias remove NETWORK ALIAS

List network policies.

gstacks network policy list NETWORK

Allow traffic within a network.

gstacks network policy allow NETWORK --from SOURCE --to TARGET --port PORT

gstacks network policy allow dev --from local --to api --port 8080

Resolve a network alias.

gstacks network resolve NETWORK NAME

Test whether a network route is allowed by policy.

gstacks network test NETWORK SOURCE TARGET:PORT

gstacks network test dev local api:8080

Join a network from this machine.

gstacks mesh join NETWORK

gstacks mesh join dev

Show local mesh join status.

gstacks mesh status [NETWORK]

Forward a local port to one network service.

gstacks mesh forward NETWORK ALIAS:PORT --local PORT

gstacks mesh forward dev api:8080 --local 18080

Generate a Bash completion script.

gstacks completion bash

Generate a Zsh completion script.

gstacks completion zsh

Generate a Fish completion script.

gstacks completion fish

Generate a PowerShell completion script.

gstacks completion powershell