Exit Codes

Reference for Nefia CLI exit codes and their meanings.

The nefia CLI uses structured exit codes to communicate the outcome of every operation. These codes are consistent across all commands and designed for reliable use in scripts and automation.

Exit Code Reference

Code	Constant	Meaning
0	--	All operations completed successfully on all targeted hosts.
1	`ExitPartialFail`	Some hosts failed while others succeeded in a batch operation.
2	`ExitUserError`	Invalid arguments, configuration error, authentication failure, or policy violation.
3	`ExitInternalError`	Unexpected error, bug, or system-level failure. Should be reported.
130	`ExitCanceled`	The user pressed Ctrl+C (SIGINT) to cancel the operation.

When Each Code Occurs

Exit 0 -- Success

Returned when every targeted host completes the operation without error.

nefia exec --target all -- hostname succeeds on all hosts.
nefia fs read --host web-01 --path /etc/hostname reads the file successfully.
nefia vpn status runs and displays the status table.

Exit 1 -- Partial Failure

Returned when at least one host succeeded and at least one failed, or when a diagnostic command detects failures. This is the most common non-zero code in multi-host operations.

A command times out on one host but succeeds on the remaining four.
One host has a broken SSH session while others respond normally.
A file push succeeds on most targets but one host has insufficient disk space.
nefia doctor detects one or more [FAIL] checks (warnings alone do not cause exit 1).

Exit 2 -- User Error

Returned when the CLI rejects the request due to a user-correctable problem.

An unknown flag or missing required argument is provided.
The configuration file is missing or contains invalid YAML.
Authentication credentials are expired or missing (nefia login required).
A policy rule blocks the requested command or path.

Exit 3 -- Internal Error

Returned when Nefia encounters an unexpected condition not caused by user input.

A panic is caught by the top-level recovery handler.
The VPN subsystem encounters an unrecoverable state.

Exit 130 -- Canceled

Returned when the user sends SIGINT (Ctrl+C). Nefia performs a graceful shutdown: in-flight commands are cancelled, connections are drained, and partial results are printed.

Error Codes

In addition to numeric exit codes, Nefia returns structured error codes in JSON output (--output json) and MCP responses. These error codes appear in the error_code field of per-host results.

Error Code	Category	Description
`CONFIG_INVALID`	Configuration	The configuration file is invalid or missing required fields.
`SELECTOR_INVALID`	Configuration	The target selector syntax is malformed (e.g., `group:` without a name).
`HOST_NOT_FOUND`	Host	The specified host ID does not exist in the configuration.
`SSH_CONNECT_FAILED`	Connection	SSH connection to the target host failed (network unreachable, VPN down).
`SSH_AUTH_FAILED`	Connection	SSH authentication was rejected (wrong key, no matching auth method).
`SSH_SESSION_FAILED`	Connection	SSH session could not be established after connecting (server-side error).
`CMD_TIMEOUT`	Execution	The command exceeded its configured timeout.
`CMD_EXIT_NONZERO`	Execution	The command completed but returned a non-zero exit code.
`SFTP_FAILED`	File System	An SFTP operation failed (read, write, list, stat, or patch).
`FILE_NOT_FOUND`	File System	The requested file does not exist on the remote host.
`PERMISSION_DENIED`	File System	Access to the file or directory was denied by the remote OS.
`FILE_TOO_LARGE`	File System	The file exceeds `ssh.max_file_size_bytes`. Use `fs read --out` for large file downloads.
`SESSION_NOT_FOUND`	Session	The specified session ID does not exist or has expired.
`PATH_DENIED`	Policy	The requested file path is outside the session sandbox or denied by policy.
`POLICY_DENIED`	Policy	The operation was blocked by the policy engine (deny rule match).
`LICENSE_DENIED`	Auth	The operation requires a subscription plan that the current account does not have.
`AUTH_REQUIRED`	Auth	Authentication is required but no valid token is available. Run `nefia login`.
`AUTH_EXPIRED`	Auth	The authentication token has expired. Run `nefia login` to re-authenticate.
`DEVICE_LIMIT_EXCEEDED`	Auth	The subscription's device limit has been reached. Remove unused devices or upgrade your plan.
`VPN_FAILED`	VPN	A VPN tunnel operation failed (connection, peer management).
`VPN_SETUP_FAILED`	VPN	VPN enrollment or key exchange failed during setup.
`DERP_CONNECT_FAILED`	VPN	Could not connect to the DERP relay server (server down, URL incorrect, or WebSocket blocked).
`DERP_AUTH_FAILED`	VPN	The DERP relay server rejected the authentication handshake (invalid key or ACL rejection).
`PLAYBOOK_INVALID`	Playbook	The playbook YAML is invalid (schema error, undefined variables, unreachable steps).
`CANCELLED`	Execution	The operation was cancelled before completion (e.g., context timeout or concurrency limit).
`TEAM_NOT_FOUND`	Team	The specified team does not exist or the user is not a member.
`TEAM_ACCESS_DENIED`	Team	The user does not have sufficient permissions for the team operation.
`TEAM_MEMBER_LIMIT`	Team	The team has reached its member limit.
`TEAM_INVITE_INVALID`	Team	The team invite is invalid, expired, or has already been used.
`INTERNAL`	Internal	An unexpected internal error occurred. Report this as a bug.

Using Exit Codes in Scripts

Here is a pattern for handling each exit code in a bash script:

bash

#!/bin/bash
nefia exec --target group:production --output json -- systemctl is-active app > result.json
rc=$?
 
case $rc in
  0)
    echo "All hosts healthy"
    ;;
  1)
    echo "Partial failure — check result.json for details"
    jq '.results[] | select(.exit_code != 0) | .host' result.json
    ;;
  2)
    echo "Configuration or auth error — fix and retry"
    exit 1
    ;;
  3)
    echo "Internal error — report bug with verbose output"
    exit 1
    ;;
  130)
    echo "Interrupted by user"
    exit 0
    ;;
esac

Machine-Parseable Output

Combine exit codes with --output json for full programmatic control:

json

// nefia exec --target all --output json -- df -h / (exit code 1)
{
  "exit_code": 1,
  "summary": "2/3 hosts succeeded",
  "results": [
    { "host": "web-01", "exit_code": 0, "stdout": "Filesystem  Size  Used ..." },
    { "host": "web-02", "exit_code": 0, "stdout": "Filesystem  Size  Used ..." },
    { "host": "db-01",  "exit_code": -1, "error": "connection timeout" }
  ]
}

Nefia provides a structured error code system (E-codes) that maps each domain error to a detailed explanation with resolution steps. Use nefia explain <code> to look up any error code interactively.

bash

nefia explain E2001
nefia explain --list

All domain errors are defined as sentinel errors that can be matched with Go's errors.Is(). When classifying errors from scripts or programs, use the error_code field (the string codes listed in the table above). Within Go code, type-safe matching via errors.Is(err, types.ErrXxx) is recommended.

Error Codes Reference

Complete catalog of E-codes (E1001-E9002) with titles, descriptions, and step-by-step resolution instructions.

CLI Commands

Complete reference for all Nefia CLI commands, flags, and options.

Remote Execution

Execute commands across multiple hosts with targeting and concurrency control.