NET CLI
net-mesh — the unified command-line interface for the NET mesh.
The non-interactive counterpart to net-deck: a one-shot tool for operator scripts, CI pipelines, daemon authoring, and ad-hoc cluster inspection. Same SDK underneath, same signed admin chain, no TUI.
Install
# crates.io
# prebuilt binary (no compile)
# npm (per-platform binary shim)
# PyPI (maturin-built wheel, bundles the binary)
The crate is net-cli but the binary it installs is net-mesh. Prebuilt tarballs for linux (glibc + musl, x86_64 + aarch64), macOS (x86_64 + aarch64), and Windows (x86_64 + aarch64) are published to the GitHub Releases page under the cli-v* tag prefix.
Quick start
# Generate an operator identity (ed25519 seed + pubkey + fingerprint)
# One-shot snapshot read (auto-formatted JSON for non-TTY, table for TTY)
# Tail substrate logs as ndjson, follow mode, filtered to one daemon
# Signed admin commit — drain a node, propagated on the admin chain via RedEX
# Break-glass ICE — simulate blast radius first, commit only after confirm
Subcommand surface
| Subcommand | What it does |
|---|---|
version |
SDK version + build metadata. |
identity |
Generate / inspect / fingerprint operator identity files. |
admin |
Signed admin-chain commits — drain, cordon, maintenance, drop-replicas, etc. |
ice |
Break-glass ICE — simulate then commit force-drain / evict / restart / cutover. |
snapshot |
One-shot MeshOsSnapshot reads (and --watch for streaming). |
audit |
Read-only queries against the RedEX-committed audit ledger. |
log tail |
Substrate log stream (--follow, --daemon, --level). |
failures tail |
Substrate failure stream — same shape as log tail. |
cap |
Capability advertisement + discovery. |
peer |
Peer + NAT-traversal helpers (peer ls today; reflex/NAT in Phase 2). |
daemon |
Per-daemon listing from the local snapshot. |
netdb |
NetDB local KV adapter — Cortex-backed tasks + memories. |
subnet |
Hierarchical subnet inspection (show, ls, tree). |
gateway |
SubnetGateway stats + export-table operator surface. |
channel |
ChannelConfigRegistry inspection (visibility, ls). |
aggregator |
AggregatorDaemon inspection + remote query. |
completion |
Emit a shell-completion script (bash / zsh / fish / powershell). |
man |
Emit the troff(1) man page on stdout. |
Global flags
Applied to every subcommand; environment-variable fallbacks in brackets:
--config <path>[NET_MESH_CONFIG]— profile file (default$XDG_CONFIG_HOME/net-mesh/config.toml).--profile <name>[NET_MESH_PROFILE]— named profile within the config file.--output (json|yaml|ndjson|table|text)— auto-detectstable/texton TTY andjson/ndjsonoff-TTY.--quiet/-q— suppress stderr diagnostics.--verbose/-v—-vinfo,-vvdebug,-vvvtrace.NET_MESH_LOG=env-filter overrides.--no-color[NO_COLOR]— disable ANSI in table / text output.--timeout <dur>— global per-call timeout (e.g.500ms,1h30m). Default30s.
Config + identity
The profile file is optional — every flag has a sensible default. When present, it lives at $XDG_CONFIG_HOME/net-mesh/config.toml (or the platform equivalent) and looks like:
[]
= "~/.config/net-mesh/identity.toml"
= "in-process"
= 30000
[]
= "~/.config/net-mesh/ops-identity.toml"
= "10.0.0.4:7700"
= "abcd…" # 64 hex
= "1234…" # 64 hex
Operator identity files are authored by net-mesh identity generate — ed25519 seed + public key + SHA-256 fingerprint, the same format the deck loads from the maintenance node. Every signed admin / ice command picks the identity up from the active profile (or --identity).
Exit codes
Typed via ExitCodeKind. Scripts can match on the discriminator:
0— success2— usage / parse error3— config / identity load failure4— substrate refused the action (auth, ICE threshold, etc.)5— timeout6— transport error- non-zero otherwise — see
src/error.rsfor the full table
Shell completion + man page
Release tarballs ship these pre-generated under share/bash-completion/... and share/man/man1/.
License
Apache-2.0. See LICENSE.