CLI Commands

This page provides a complete reference for the nefia CLI. Commands are organized by function.

When invoked with no arguments in a terminal, nefia launches the interactive TUI dashboard.

Global Flags

These persistent flags are available on all commands:

Setup Commands

setup

Guided first-time onboarding that creates config, generates VPN keys, and can invite a host.

nefia setup [flags]

setup is the canonical command. nefia init remains available as an alias for backward compatibility.

The setup flow is idempotent and runs four phases:

1. Check or create nefia.yaml
2. Check or generate the operator WireGuard keypair
3. Optionally collect the first host's details
4. Generate an invite token for that host

In interactive mode, Nefia can open the browser automatically if login is required before generating the invite. In non-interactive mode, pass --host-name and --host-os to generate an invite token, or --skip-host to stop after config and key setup.

# Initialize config and keys only
nefia setup --skip-host
 
# Full unattended bootstrap
nefia setup --non-interactive --host-name my-server --host-os linux

login

Authenticate with your Nefia account.

nefia login

Uses challenge-response authentication: the CLI generates a verifier and challenge, opens the browser for approval, then polls until the approval completes. No local HTTP server is required. On success, stores a refresh token in your OS keyring (macOS Keychain, Linux Secret Service, Windows Credential Manager). See Authentication for details.

logout

Remove stored authentication tokens.

nefia logout

Core Commands

exec

Execute a command on one or more remote hosts.

nefia exec [flags] -- <command>

The -- separator is required to distinguish nefia flags from the remote command. Everything after -- is concatenated and executed as a single shell command on the remote host(s).

Examples:

# Run on a single host
nefia exec --host my-server -- uname -a
 
# Run on all hosts in a group
nefia exec --target group:webservers -- systemctl status nginx
 
# Run on all hosts with fail-fast
nefia exec --target all --fail-fast -- apt update
 
# Run within a session context
nefia exec --session <id> -- ls -la /tmp
 
# Queue for offline hosts
nefia exec --target group:laptops --when-online --queue-ttl 48h -- softwareupdate --install --all

MCP-Only Parameters:

When using nefia.exec via MCP, these additional parameters are available:

ssh

Open an interactive SSH session to a remote host via VPN tunnel.

nefia ssh <host-id> [-- <command>]

Opens a fully interactive SSH terminal session to the specified host. If a command is provided after --, it runs non-interactively and returns the output.

Arguments:

Examples:

# Interactive SSH session
nefia ssh my-pc
 
# Run a single command
nefia ssh my-pc -- whoami
 
# Run a command with arguments
nefia ssh my-pc -- ls -la /var/log

All traffic flows through the WireGuard VPN tunnel. The host must have an active VPN configuration.

fs

Remote file system operations.

nefia fs read --host <id> --path <remote-path> [--base64] [--out <local-path>]

# Read and display
nefia fs read --host web-1 --path /etc/hostname
 
# Download a large log file
nefia fs read --host web-01 --path /var/log/app/access.log --out ./access.log

nefia fs write --host <id> --path <remote-path> [--text <content>] [--in <local-path>]

# Write inline text
nefia fs write --host web-1 --path /tmp/hello.txt --text "Hello"
 
# Upload a local file
nefia fs write --host db-01 --path /tmp/backup.sql.gz --in ./backup.sql.gz

nefia fs list --host <id> --path <remote-path>

nefia fs stat --host <id> --path <remote-path>

push

Push a local file to multiple remote hosts in parallel.

nefia push <local-file> <remote-path>

The remote path must be the full destination file path (not a directory). The local file is read into memory only after target resolution and policy checks succeed, saving memory when validation fails.

# Deploy a config file to all web servers
nefia push --target group:webservers ./nginx.conf /etc/nginx/nginx.conf
 
# Push to a single host
nefia push --host my-pc ./script.sh /tmp/script.sh

sync

Synchronize a local directory to remote hosts via SFTP.

nefia sync <local-dir> <remote-dir>

Only changed files are transferred (based on size and modification time by default). Use --checksum for SHA256-based comparison.

# Sync app directory with preview
nefia sync --target group:webservers --dry-run ./dist /opt/app/dist
 
# Sync with cleanup of removed files
nefia sync --target all --delete --exclude "*.log" ./config /etc/myapp

plan exec

Create an execution plan for review before applying.

nefia plan exec [flags] -- <command>

Generates a JSON execution plan that captures the target hosts, command, and policy evaluation so you can review what will happen before executing.

# Generate plan
nefia plan exec --target all -- systemctl restart nginx --out plan.json
 
# Review the plan
cat plan.json
 
# Apply the plan
nefia apply plan.json

apply

Execute a saved execution plan.

nefia apply <plan-file>

Runs a JSON execution plan generated by nefia plan exec. Shows a summary and prompts for confirmation before executing.

Session Commands

Session commands and their subcommands do not require authentication. They work without nefia login.

session open

Create a persistent session bound to a host and root directory.

nefia session open --host <id> [--root <dir>] [--cwd <dir>]

Returns a session ID for subsequent file and exec operations.

session close

Close an active session.

nefia session close <session-id> [--summary]

When --summary is provided, a structured summary of session activity is generated and printed before the session is closed.

session list

List all active sessions.

nefia session list

nefia session recordings [--limit N]

nefia session replay <session-id> [--speed <factor>]

nefia session export <session-id> [--out <path>]

session summary

Generate an AI-consumable summary of a session.

nefia session summary <session-id>

Generates a structured summary of session activity from audit records. The summary includes commands executed, files read/written, error count, duration, and a markdown narrative. It is persisted to disk and can be retrieved later.

nefia session summary <session-id>
nefia session summary <session-id> --output json

ping

Test point-to-point VPN latency to a specific host.

nefia ping <host-id> [flags]

Creates a temporary tunnel, probes the target VPN address, and prints aggregate loss and latency statistics.

VPN Commands

nefia vpn keygen [--force]

nefia vpn show-config

nefia vpn invite --name <hostname> --os <macos|linux|windows> [flags]

nefia vpn reinvite --name <hostname> [flags]

# Regenerate expired invite
nefia vpn reinvite --name my-server --stun
 
# Change OS and regenerate
nefia vpn reinvite --name my-server --os linux --endpoint 203.0.113.10:51820

nefia vpn listen [--timeout <duration>] [--count <n>]

# Enroll all pending hosts
nefia vpn listen --count 0
 
# Enroll exactly 3 hosts with a longer timeout
nefia vpn listen --count 3 --timeout 2h

nefia vpn enroll-status --name <name>

nefia vpn status [--live] [--ping]

nefia vpn diagnose [--host <id>]

nefia vpn rotate-key [--grace-period <duration>]

nefia vpn push-key [--host <id>]

nefia vpn token-info --token <token>

nefia vpn approve --name <hostname>
nefia vpn approve --all --accept-risk=approve-all

# Approve and wait for a pending host
nefia vpn approve --name my-pc
 
# Approve a fleet-enrolled host immediately
nefia vpn approve --name fleet-host-1
 
# Approve all pending-approval hosts at once
nefia vpn approve --all --accept-risk=approve-all

nefia vpn fleet list

nefia vpn fleet revoke <nonce>

Team Management Commands

team list

List all teams you belong to.

nefia team list

Displays a table of teams with slug, name, plan, your role, member count, and host count. The currently active team is marked with *.

team current

Show the currently active team.

nefia team current

Displays the active team's slug, name, ID, plan, your role, member count, and host count. If no team is selected, shows "personal" (your default workspace).

Running nefia team with no subcommand also shows the current team.

team use

Switch the active team.

nefia team use <slug>

Sets the active team for subsequent commands. The choice is persisted to the config file. Use personal to switch back to your personal workspace.

It can also be overridden per-command with --team or the NEFIA_TEAM environment variable.

team create

Create a new shared team.

nefia team create --name <name>

Creates a new team and sets you as the owner. A URL-safe slug is generated from the name.

team invite

Generate an invitation code for the active team.

nefia team invite [--role MEMBER|ADMIN] [--max-uses N] [--expires H]

Generates a single-use or multi-use invitation code. Requires ADMIN or OWNER role.

team join

Join a team via invitation code.

nefia team join <code>

Joins the team associated with the invitation code. The code must be valid, unexpired, and not fully used.

team members

List members of the active team.

nefia team members

Displays a table of team members with email, name, role, and join date.

team role

Change a member's role in the active team.

nefia team role <email> --role <ADMIN|MEMBER>

Requires OWNER role. Cannot demote the last owner of a team.

team leave

Leave the active team.

nefia team leave

Removes you from the active team and switches to your personal workspace. You cannot leave your personal team. Team owners must transfer ownership first.

Configuration Commands

config show

Show the resolved configuration with source annotations.

nefia config show [--reveal] [--filter <substring>]

By default, sensitive fields are masked. Sources are annotated as config file, environment override, or default.

config ssh-config

Generate OpenSSH config entries for Nefia-managed hosts.

nefia config ssh-config [--write] [--identity-file <path>]

Hosts with active VPN addresses use the VPN IP as HostName. Pending hosts are skipped.

Profile Commands

profile list

List available config profiles.

nefia profile list

Profiles live under ~/.config/nefia/profiles/. The active profile is marked with * when --profile or NEFIA_PROFILE is set.

profile show

Show the raw contents of a profile file.

nefia profile show <name>

Displays the profile path and YAML content.

profile create

Create a new profile from the built-in template.

nefia profile create <name>

Writes a starter profile file and prints example activation commands.

Host Management Commands

hosts list

List all configured hosts.

nefia hosts list

Displays a table of all hosts with ID, address, OS, user, VPN status, and tags.

hosts show

Display detailed host information.

nefia hosts show <host-id>

hosts remove

Remove a host from configuration.

nefia hosts remove <host-id>

nefia hosts import --from <source> [--file <path>] [--dry-run]

# Import from default SSH config
nefia hosts import --from ssh-config
 
# Import from Ansible inventory
nefia hosts import --from ansible-inventory --file inventory.yml
 
# Preview what would be imported
nefia hosts import --from known-hosts --dry-run
 
# Import from CSV without prompting
nefia hosts import --from csv --file hosts.csv --yes

nefia hosts refresh [--target <selector>] [--categories <list>]

# Refresh all active hosts
nefia hosts refresh
 
# Refresh a specific host
nefia hosts refresh --target host-1
 
# Collect only specific categories
nefia hosts refresh --categories os,cpu

revoke

Emergency revoke of a host's VPN access.

nefia revoke <host>
nefia revoke --all --accept-risk=revoke-all

revoke clears the stored peer configuration and removes the host from inventory so future reconnection attempts fail immediately.

groups list

List all configured host groups.

nefia groups list

Shows groups with their tag filter criteria.

power wake

Wake an offline host with Wake-on-LAN.

nefia power wake <host> [--proxy <online-host>] [--wait] [--timeout <duration>]

Nefia resolves the target MAC from host.mac first, then from collected host metadata. If you omit --proxy, it tries to find an active agent on the same /24 subnet automatically.

recording

Manage session recordings (asciinema v2 .cast.gz files). Recording commands and their subcommands do not require authentication and work without nefia login.

nefia recording list [--limit <N>]

nefia recording replay <session-id> [--speed <factor>]

nefia recording export <session-id> [--out <path>]

nefia recording delete <session-id>

Playbook Commands

playbook run

Execute a playbook against target hosts.

nefia playbook run <name-or-path> [flags]

Playbooks are discovered from search paths (in priority order):

1. Direct file path (if path separator or .yaml/.yml extension present)
2. ./playbooks/<name>.yaml
3. User config directory (e.g. ~/.config/nefia/playbooks/<name>.yaml)

nefia playbook run setup-monitoring --target group:webservers
nefia playbook run ./playbooks/deploy.yaml --target all --dry-run
nefia playbook run security-baseline --host pc-office --var port=9100

playbook validate

Validate playbook YAML syntax.

nefia playbook validate <path>

playbook list

List available playbooks from the search paths.

nefia playbook list

playbook show

Display playbook details including name, description, variables, and all steps.

nefia playbook show <name-or-path>

Schedule Commands

nefia schedule create --name <name> --cron <expr> --playbook <file> --target <selector> [flags]

nefia schedule create --name daily-backup --cron "0 2 * * *" --playbook backup --target all
nefia schedule create --name hourly-check --cron "0 * * * *" --playbook health --target group:web --timezone Asia/Tokyo

nefia schedule list

nefia schedule show <id-or-name>

nefia schedule update <id-or-name> [flags]

nefia schedule delete <id-or-name>

nefia schedule enable <id-or-name>
nefia schedule disable <id-or-name>

nefia schedule history [id-or-name] [--limit N]

nefia schedule trigger <id-or-name>

Queue Commands

queue list

List offline commands queued by nefia exec --when-online.

nefia queue list [--status <state>]

Human output shows the queue ID, host, status, truncated command, and expiry timestamp.

queue show

Show details for a queued command.

nefia queue show <id>

Displays the full details of a queue entry including ID, host, status, command, timestamps, retry lineage, and execution results (exit code, stdout, stderr) if available.

queue cancel

Cancel a queued command before it runs.

nefia queue cancel <id>

queue retry

Create a new pending entry from a failed, expired, or cancelled queue entry.

nefia queue retry <id> [--ttl <duration>]

Alias: requeue

The new entry is linked to the original via a retry_of field. The host must still exist in the configuration.

# Retry a failed queue entry with default TTL
nefia queue retry abc123
 
# Retry with a custom TTL
nefia queue retry abc123 --ttl 48h

Webhook Commands

webhook list

List configured webhook destinations from alerts.webhooks.

nefia webhook list

webhook test

Send a test event to every configured webhook.

nefia webhook test [--type <event-type>]

webhook send

Send a custom webhook event.

nefia webhook send --type <event-type> --message <text> [--details key=value]

Webhook delivery waits up to 30 seconds for completion and returns an error if no webhooks are configured.

Agent Management

agent version

Show the nefia-agent version on remote hosts.

nefia agent version [--target <selector>]

Defaults to all if no target is specified. Displays version, compatibility status, and any messages per host.

agent upgrade

Upgrade nefia-agent on remote hosts.

nefia agent upgrade [--target <selector>] [--agent-dir <dir>]

Prompts for confirmation before upgrading. Displays old and new version for each host.

agent update

Trigger remote agent self-update via update server.

nefia agent update [--target <selector>] [--version <version>]

Unlike agent upgrade which pushes a binary from the operator, this command instructs the agent to pull its own update from its configured update server. It enables auto-update in the agent config, optionally sets a pinned version, and restarts the agent service.

# Update agent on a specific host to the latest version
nefia agent update --host my-pc
 
# Update agent to a specific version
nefia agent update --host my-pc --version v1.2.0

agent pin

Pin agent to a specific version on remote hosts.

nefia agent pin <version> [--target <selector>]

Sets the pinned_version in the remote agent config. When pinned, the agent's auto-update will only update to the specified version and will not automatically upgrade beyond it.

nefia agent pin v1.2.0 --host my-pc
nefia agent pin v1.2.0 --target all

agent unpin

Clear pinned version on remote agents.

nefia agent unpin [--target <selector>]

Clears the pinned_version in the remote agent config. The agent's auto-update will resume tracking the latest available version.

nefia agent unpin --host my-pc
nefia agent unpin --target all

Audit Commands

nefia audit tail [-n <count>]

nefia audit show --job <job-id>

nefia audit verify [date] [--range <range>]

nefia audit list [flags]

# List today's audit records
nefia audit list
 
# List records for a specific date
nefia audit list --date 2026-03-01
 
# Filter by operation type
nefia audit list --op exec --range 7d
 
# Filter by host and limit results
nefia audit list --host my-pc --limit 50
 
# Show records in reverse order
nefia audit list --range 30d --reverse
 
# Human-readable summary
nefia audit list --summary

System Commands

account

Show account and subscription information.

nefia account

Displays your plan, status, host count, limits, and cancellation status.

status

Show system status overview with per-host connectivity.

nefia status [--no-check] [--active]

Displays version, config path, VPN status, policy mode, audit status, auth state, host/group/session counts, and a per-host connectivity table.

When VPN is enabled and --no-check is not set, the command creates a standalone VPN tunnel and probes each active host with a TCP dial (3-second timeout, up to 10 concurrent). The host table shows:

Use --no-check for fast output without connectivity probing. Use --output json for structured output including a hosts array.

validate

Validate configuration and optionally test host connectivity.

nefia validate [--target <selector>]

When a --target is specified, resolves the selector and tests SSH connectivity to each matched host via the VPN tunnel.

bugreport

Generate a sanitized diagnostic bundle for support and debugging.

nefia bugreport [--output-file <path>]

The bundle includes system information, sanitized config structure, VPN status, doctor output, and recent audit errors. Private keys, tokens, passwords, SSH keys, API keys, and full command lines are excluded.

update

Check for and apply updates to the Nefia CLI.

nefia update [--check]

Downloads the latest release, verifies the Ed25519 signature, and atomically replaces the running binary.

backup

Back up configuration and state to a tar.gz archive.

nefia backup [--output <path>]

Archives the configuration file, audit logs, and session state. Sensitive files (keys, tokens, secrets) are automatically excluded.

restore

Restore configuration and state from a backup archive.

nefia restore <archive-path>

Extracts files from a backup archive to the config and state directories. Includes Zip Slip protection and skips sensitive files. Prompts for confirmation before restoring.

version

Show version, build, and runtime information.

nefia version

Displays the nefia version, git commit, build date, Go version, and OS/architecture.

Diagnostics Commands

netcheck

Run compact VPN network diagnostics.

nefia netcheck [--host <id>]

netcheck is the top-level, discoverable form of nefia vpn diagnose. It summarizes NAT type, STUN reachability, DERP RTTs, TURN/relay availability, route conflicts, and per-host connectivity.

doctor

Run comprehensive system health checks covering configuration, authentication, audit, VPN, and host connectivity.

nefia doctor [--host <id>]

Similar to brew doctor or tailscale netcheck, this command runs a multi-phase diagnostic suite and reports results as [PASS], [WARN], or [FAIL].

Phases:

1. Config -- Verifies the configuration file can be found and loaded
2. Auth -- Checks whether the user is logged in
3. Audit -- Validates audit logging is enabled and the audit directory is writable
4. VPN -- Runs all vpn diagnose checks (keypair, port availability, peer validation, STUN, address uniqueness)
5. Connectivity -- Creates a standalone VPN tunnel and TCP-dials each active host (10 concurrent, 3s timeout)

Exit codes:

• 0 -- All checks passed (warnings are allowed)
• 1 -- One or more checks failed

Use --output json for structured output with a checks array and summary object.

explain

Look up an error code and display detailed resolution steps.

nefia explain [code] [--list]

Accepts both structured codes (e.g., E2001) and domain codes (e.g., SSH_AUTH_FAILED).

All domain errors in Nefia are produced using the sentinel error pattern (types.Errorf(types.ErrXxx, ...)). The CLI classifies errors via errors.Is() to determine the appropriate exit code and user-facing message. nefia explain displays the resolution steps and documentation links for a given error code.

# Look up a specific error code
nefia explain E2001
 
# Look up by domain code
nefia explain SSH_AUTH_FAILED
 
# List all error codes
nefia explain --list

Agent Binary

nefia-agent

The nefia-agent binary runs on target PCs and establishes the WireGuard tunnel back to the operator. It is installed during enrollment.

nefia-agent enroll [--token <token> | --token-file <path>] [--install] [--yes]

nefia-agent run [flags]

nefia-agent install-service
nefia-agent uninstall-service [--yes]
nefia-agent status
nefia-agent wol --mac <mac-address> [--broadcast <ip:port>]

DERP Server

nefia-derp

The nefia-derp binary runs a standalone DERP relay server for NAT traversal when direct peer-to-peer connections are not possible.

nefia-derp [flags]

Example:

# Start with ACL and metrics authentication
nefia-derp --addr :8443 --allowed-keys-file /etc/nefia/allowed-keys.txt --metrics-token "secret-token"

Advanced Commands

dashboard

Launch the interactive TUI dashboard.

nefia dashboard

Also available by running nefia with no subcommand in a terminal.

daemon

Run the background daemon for scheduled playbook execution and background tasks.

nefia daemon run

nefia daemon install

mcp serve

Start the MCP (Model Context Protocol) server for AI agent integration.

nefia mcp serve

Starts a JSON-RPC 2.0 server over stdio. AI agents like Claude can connect to this server to execute commands and manage files within the policy engine's guardrails. The MCP server hot-reloads configuration changes and starts background VPN monitoring, idle sweep, and host sync.

mcp serve-mtls

Start the MCP server over mTLS TCP.

nefia mcp serve-mtls

Starts the MCP server as a network gateway using mutual TLS authentication instead of stdio. Requires mcp.mtls.enabled: true in configuration (set up via nefia mtls init). Each client connection is authenticated by its client certificate CN, which is used as the agent identity for audit and policy purposes.

docs

Open the documentation site in your default browser.

nefia docs [topic]

Available topics are audit, config, exec, fs, mcp, playbook, policy, push, schedule, and vpn. In JSON output mode, the command returns the resolved URL instead of launching a browser.

completion

Generate shell completion scripts.

nefia completion [bash|zsh|fish|powershell]

# Bash (add to ~/.bashrc)
eval "$(nefia completion bash)"
 
# Zsh (add to ~/.zshrc)
eval "$(nefia completion zsh)"
 
# Fish
nefia completion fish | source

# PowerShell (add to $PROFILE)
nefia completion powershell | Out-String | Invoke-Expression

device-lock

Cryptographic device verification for the VPN mesh (Tailnet Lock style). Uses an Ed25519 authority keypair to sign each host's WireGuard public key. Only hosts with a valid, non-revoked signature are permitted to connect when device lock is enabled.

Alias: dl

nefia device-lock init

nefia device-lock sign <host-id>

nefia device-lock verify

nefia device-lock revoke <host-id>

nefia device-lock status

posture

Check device posture compliance against configured policies.

nefia posture check [--target <selector>]

nefia posture policy

ssh-ca

Manage the SSH Certificate Authority for short-lived certificate-based authentication.

nefia ssh-ca init

nefia ssh-ca sign-user [--duration <duration>] [--principals <list>]

# Sign with defaults (current user, 24h)
nefia ssh-ca sign-user
 
# Sign with custom duration and principals
nefia ssh-ca sign-user --duration 8h --principals deploy,admin

nefia ssh-ca sign-host --host <host-id>

nefia ssh-ca trust-known-hosts [--host <host-id>]

nefia ssh-ca server-snippet [--host <host-id>] [--os <linux|macos|windows>]

nefia ssh-ca status

mtls

Manage mTLS certificates for the MCP gateway. Uses ECDSA P-256 CA and TLS 1.3.

nefia mtls init [--hosts <san-list>]

# Initialize with default SANs
nefia mtls init
 
# Initialize with custom SANs
nefia mtls init --hosts "my-host.local,10.0.0.5"

nefia mtls issue-client --name <cn> [--duration <duration>] [--out-dir <dir>]

nefia mtls issue-client --name my-agent
nefia mtls issue-client --name ci-bot --duration 168h --out-dir ./certs

nefia mtls status

secrets

Manage dynamic credential injection for secret references in commands and playbooks.