TazPod CLI Reference

This page maps the real command surface of tazpod from cmd/tazpod/main.go and the command implementations in cmd/tazpod/.

Primary Dispatch Table

CommandReal TargetNotes
tazpodsmartEntry()default no-args path
tazpod initinitProject()creates .tazpod/, .tazpod/vault/, and config
tazpod upup()ensures container is running and starts sync daemon
tazpod downdown()stops and removes container
tazpod sshenter()alias of enter
tazpod enterenter()interactive shell path
tazpod unlockunlock()decrypt vault into RAM and bridge AWS
tazpod locklock()unmount RAM enclave and AWS bind mount
tazpod savesave()re-encrypt RAM vault back to disk
tazpod pull vaultpullVault()S3 -> local encrypted vault
tazpod push vaultpushVault()local encrypted vault -> S3
tazpod syncpull() dispatchercurrently handled by the same dispatcher family as pull; operationally worth remembering
tazpod loginlogin()runs aws sso login --profile <profile>
tazpod vpnvpnCommand()legacy / untrusted path
tazpod setup-storagesetupStorage()bucket creation helper for tazlab-storage
tazpod __internal_sync_daemonsyncDaemon()internal background daemon
tazpod __internal_envprintExportEnv()internal shell helper; currently placeholder
tazpod updateupdateImage()pull latest Docker image (docker pull)
tazpod setup-storagesetupStorage()create S3 bucket tazlab-storage
tazpod --version / tazpod -vfmt.Println(Version)print current version from VERSION file

Operational Paths

tazpod enter

Use this as the normal path. It already includes smart recovery logic:

  • init if missing
  • ensure container exists
  • unlock if local vault exists
  • login -> pull vault -> unlock if local vault is missing
  • auto-lock on shell exit

tazpod up

Use this if you want the container and sync daemon running without immediately entering an interactive shell.

tazpod pull vault

Use this on a fresh machine or when .tazpod/vault/vault.tar.aes is missing locally.

tazpod push vault

Use this when you want an explicit S3 sync instead of waiting for the daemon cycle.

Config Fields That Affect Behavior

From .tazpod/config.yaml and cmd/tazpod/config.go:

  • image
  • container_name
  • user
  • aws_sso.profile
  • providers.<name>.db_host
  • features.debug
  • ghost_mode

Docker Run Flags (used by ensureContainerUp)

FlagValuePurpose
--cap-addSYS_ADMINRequired for mount operations
--security-optapparmor=unconfinedPrevent AppArmor blocking mount
--dns1.1.1.1, 1.0.0.1Cloudflare DNS
-v <cwd>:/workspaceMount project directory
-v ~/.ssh:/home/tazpod/.ssh:roShare SSH keys read-only
-e HOST_CWD=<cwd>Host working directory

Vault Commands Detail

CommandWhat It DoesFailure Mode
unlockDecrypt vault.tar.aes → tmpfs at /home/tazpod/secrets3 attempts, then exit
lockUnmount AWS bridge + tmpfs
saveRe-encrypt RAM → vault.tar.aesSilent success even if vault not mounted (TD-022)
pull vaultDownload from S3 to .tazpod/vault/vault.tar.aescwd-sensitive (TD-022)
push vaultUpload to S3 from .tazpod/vault/vault.tar.aescwd-sensitive (TD-022)

Exit Codes

  • 0: success
  • 1: error (config missing, Docker failure, vault error)
  • 1: unknown command

See Also