CLI overview 

    There is one binary, basil. It is both the broker daemon and the client/operator CLI, split into subcommands. Two broad groups:

    • Daemon & offline commands run the broker or work on config files directly; no running broker is needed.
    • Client commands connect to a running broker over its Unix socket and are authorized by the caller's kernel-attested uid/gid.
    📝 The CLI cannot impersonate

    Client commands take a global --socket <path> and are authorized by the caller's real uid/gid, which the broker reads from the kernel (SO_PEERCRED) rather than from anything the client sends. There is no flag that lets one user act as another: the only way to scope a request to a given user's grants is to run the CLI as that user. Use systemd User=/Group= or runuser -u <svc> to act as a service identity. Any wrapper that changes the uid before the CLI connects (sudo, runuser, a systemd unit) changes the identity the broker sees, so check which uid a unit or script really runs under before debugging a "denied" response.
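    The following is an added example, not basil's own code, of the mechanism the note describes: a broker reads the peer's real uid/gid from the kernel with SO_PEERCRED on a connected AF_UNIX socket and scopes the request to that identity's grants. The policy table, the command names used in it, and the helper names (peer_creds, authorize, handle, self_check) are hypothetical; the grants are constructed sample data. It is Linux-specific, since SO_PEERCRED is a Linux socket option.

```python
"""Kernel-attested peer identity on a Unix socket (added example, not basil code).

The broker never trusts a uid the client claims; it asks the kernel who is on
the other end of the connection and looks up grants for that uid/gid only.
"""
import os
import socket
import struct
from dataclasses import dataclass

# struct ucred { pid_t pid; uid_t uid; gid_t gid; }: three native ints (Linux).
_UCRED = struct.Struct("3i")


@dataclass(frozen=True)
class PeerCreds:
    pid: int
    uid: int
    gid: int


def peer_creds(conn: socket.socket) -> PeerCreds:
    """Return the peer's pid/uid/gid as recorded by the kernel for this socket.

    The values come from the kernel at connect time, so a client cannot
    change them with a flag, a header or a field in the request body.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    pid, uid, gid = _UCRED.unpack(raw)
    return PeerCreds(pid, uid, gid)


# Hypothetical policy (constructed sample data): grants are keyed by numeric
# uid/gid, never by a name the client supplies.
POLICY = {
    ("uid", 1001): {"sign", "get"},              # e.g. a signing service account
    ("gid", 2000): {"status", "health", "ready"},  # read-only probes for a group
    ("uid", 0): {"reload", "revoke"},             # admin commands for root only
}


def allowed_commands(creds: PeerCreds, policy=POLICY) -> set:
    """Union of the grants for the caller's real uid and primary gid."""
    return policy.get(("uid", creds.uid), set()) | policy.get(("gid", creds.gid), set())


def authorize(creds: PeerCreds, command: str, policy=POLICY) -> bool:
    return command in allowed_commands(creds, policy)


def handle(conn: socket.socket, request: str, policy=POLICY) -> str:
    """Decide one request line using only kernel-supplied identity.

    Note what is absent: no "--as-user" is parsed from the request; the
    identity is fixed by whoever opened the connection.
    """
    creds = peer_creds(conn)
    cmd = request.split()[0]  # e.g. "sign key1 data" -> "sign"
    if not authorize(creds, cmd, policy):
        return f"denied: uid={creds.uid} gid={creds.gid} may not {cmd}"
    return f"ok: {cmd} as uid={creds.uid}"


def self_check() -> bool:
    """On Linux a socketpair reports our own effective uid/gid as the peer.

    Returns True on non-Linux hosts, where SO_PEERCRED does not exist and the
    check cannot run.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return True
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        creds = peer_creds(b)
    finally:
        a.close()
        b.close()
    return creds.uid == os.geteuid() and creds.gid == os.getegid()


if __name__ == "__main__":
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    # Our own process is the peer, so this shows our real uid in the reply.
    print(handle(b, "status"))
    print(handle(b, "revoke key1"))
    a.close()
    b.close()
```

    The point to carry over to basil: the decision in `handle` depends only on `peer_creds`, which is why changing the user that runs the CLI (systemd User=, runuser) changes the outcome and nothing in the request itself can.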

    Daemon & offline commands 

    Command               Purpose
    basil agent           Run the broker daemon.
    basil config init     First-run scaffolding: write a starter catalog + least-privilege policy + config. See First run.
    basil config check    Pre-flight: validate catalog + policy, enforce capability requirements, and read-only probe the backend for declared keys.
    basil bundle          Create, update, verify, review, and promote sealed credential bundles. See Unlock & the sealed bundle.
    basil config explain  Offline policy dry-run: "would this be allowed, and why?" See Policy explain.
    basil doctor          Preflight environment diagnostics before the daemon starts. See Doctor.

    Client & operator commands 

    All of these run against a live broker over --socket and are authorized by the caller's uid/gid. They fall into:

    • Status & probes: status, health, ready.
    • Keys: new-key, import, import-set, rotate, list.
    • Crypto: sign, verify, encrypt, decrypt.
    • Secrets/values: get, set.
    • Minting & identity: mint-jwt, mint-nats-user, sign-nats-jwt, issue-nats-creds, issue-cert.
    • Admin (permission-gated): reload, explain, revoke.

    The full table, with signatures, is in the command reference. What any invocation is allowed to do is bounded by the caller's kernel-attested identity and the policy; a command being listed here does not mean every caller can run it.

    Where to go next 

    • Command reference: every command with its flags and signatures.
    • The policy: what a caller's identity is actually allowed to do.
    • First run: scaffold a working config with basil config init.