CLI reference

Every Tonbo Artifacts subcommand and flag.

artifacts <command> [options]

Global flags (apply to every command):

FlagMeaning
--verbose / -vDebug logging
--quiet / -qWarnings + errors only
--traceTrace logging
--format jsonMachine-readable output (where supported)
--no-colorDisable colour output
--version / -VPrint version

Commands

CommandPurpose
loginAuthenticate against the orchestrator
logoutForget saved credentials
whoamiPrint the currently authenticated identity
workspace createCreate a workspace; mount it too if a mountpoint is given
workspace listList your workspaces
workspace showPrint one workspace's details
workspace deleteSoft-delete a workspace
inspectInspect a workspace's metadata keyspace
platformPlatform-operator subcommands (tenant, grant, ticket)
mountMount a workspace at a local path
unmountCleanly unmount a workspace
storage setPersist BYO bucket credentials to local cache
storage showPrint masked cache contents
storage clearRemove the BYO cache
statusPer-mount health & metrics (Phase 2; prints "not yet implemented")
statsWorkspace-wide telemetry aggregates (Phase 2; prints "not yet implemented")
migrateBulk import (Phase 2; prints "not yet implemented"). Use rclone / aws s3 cp.

login

artifacts login [--manual-code]

Opens a browser to https://user.tonbo.dev/login by default. Stores credentials at ~/.config/tonbo/artifacts/credentials.json (mode 0600). Use --manual-code for SSH sessions, cloud shells, and containers where the browser cannot reach the CLI callback.

logout

artifacts logout

Removes the credentials file. Doesn't touch the BYO storage cache.

workspace create

artifacts workspace create <name> [mountpoint] \
    [--backend managed|byo] \
    [--bucket <bucket>] \
    [--endpoint <s3-url>] \
    [--region <region>] \
    [--cache-profile interactive|benchmark|custom]

<name> matches ^[a-zA-Z0-9][a-zA-Z0-9_-]{0,62}$ (letters, digits, -, _; up to 63 characters). Each flag has an ARTIFACTS_S3_* env var fallback (see the Workspaces guide for the full table).

Pass a [mountpoint] to mount the new workspace in the same command, equivalent to workspace create followed by mount. The mountpoint directory is created if missing and the mount daemonizes as usual:

artifacts workspace create my-workspace /mnt/work

Output on success:

Workspace my-workspace is active.

Re-running the same command on a pending_format workspace resumes provisioning from the last successful step.

workspace list / show / delete

artifacts workspace list
artifacts workspace show <name>
artifacts workspace delete <name> [--yes]

--yes skips the interactive confirmation prompt.

The workspace argument accepts three forms in every command (create, show, delete, mount):

FormExampleWhen to use
<name>my-workspaceDefault; resolves to your own handle
<handle>/<name>tzu/my-workspaceUnambiguous, useful when scripting
artifacts://<handle>/<name>artifacts://tzu/my-workspaceFully-qualified URI; same effect as the slash form

mount

artifacts mount <workspace> <mountpoint> \
    [--read-only] \
    [--foreground|-f] \
    [--cache-profile <profile>] \
    [--cache-root <dir>] [--cache-size <MiB>]

artifacts mount --manifest <path> <mountpoint> \
    [--read-only] \
    [--foreground|-f] \
    [--cache-profile <profile>] \
    [--cache-root <dir>] [--cache-size <MiB>]

Default is daemonized (background). --foreground / -f keeps FUSE attached to the terminal, useful for debugging. --read-only mounts the workspace read-only; there is no -r short form.

--manifest <path> mounts from supplied manifest material instead of issuing a new mount session. Platform worker agents use this form when they inject a manifest file into the worker machine; ops can also use it to replay a saved manifest. Only the mountpoint is positional in that case. Worker flags may narrow access with --read-only, but cannot widen a read-only manifest to writable.

For platform-issued mount tickets (see platform ticket), pass the ticket and the material used to verify its signature:

FlagMeaning
--ticket <token>Mount-session ticket value
--ticket-file <path>Read the ticket from a file instead of the flag
--ticket-public-key <path>Public key to verify the ticket signature
--ticket-jwks-url <url>JWKS endpoint to fetch verification keys
--ticket-skip-signature-verificationSkip signature verification (dev/testing only)

unmount

artifacts unmount <mountpoint>

Calls fusermount3 -u. Equivalent to kill -TERM on the daemon.

key

API keys (tbo_*) are issued and managed in your User Center account at https://user.tonbo.dev, not from the CLI. Export the key as TONBO_API_KEY and the CLI and SDK pick it up automatically; no artifacts login is needed. See API keys.

export TONBO_API_KEY=tbo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
artifacts mount my-workspace /mnt/work

The artifacts key subcommand group is not yet wired to the orchestrator. Mint and manage keys in User Center for now.

storage set / show / clear

artifacts storage set [--access-key-id ...] [--secret-access-key ...]
                      [--session-token ...] [--region ...]
artifacts storage show
artifacts storage clear

Manages the local BYO credential cache at ~/.config/tonbo/artifacts/byo-credentials (mode 0600). set with no flags captures the current ARTIFACTS_S3_* env vars.

Environment variables the CLI reads

VariableUsed byEffect
TONBO_API_KEYall commandsUser-Center-issued tbo_* API key; auto-detected for headless auth
ARTIFACTS_S3_ACCESS_KEY_IDworkspace create, mountBYO bucket access key
ARTIFACTS_S3_SECRET_ACCESS_KEYsameBYO bucket secret
ARTIFACTS_S3_SESSION_TOKENsame(optional) STS session token
ARTIFACTS_S3_REGIONsamebucket region
ARTIFACTS_S3_BUCKETworkspace createdefault for --bucket
ARTIFACTS_S3_ENDPOINTworkspace createdefault for --endpoint
AWS_REGION / AWS_DEFAULT_REGIONfallback for region
ARTIFACTS_VERSIONinstall.shpin a specific build