Skip to content

📖 Scribe: Document missing CLI commands (connect, org-*, upgrade) #53

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
igorls wants to merge 2 commits into from
Closed

📖 Scribe: Document missing CLI commands (connect, org-*, upgrade) #53

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
356a19e
docs: add missing CLI commands to reference
google-labs-jules[bot] Mar 2, 2026
d9b2616
fix(control): use correct chmod api for zig 0.15
google-labs-jules[bot] Mar 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions docs/reference/cli.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,82 @@ meshguard up [options]

---

## `meshguard connect`

Direct peer connection via token exchange (no seed node needed). Performs a coordinated UDP hole punch.

```bash
meshguard connect --generate [--in <minutes>]
meshguard connect --join <mg://token>
```

| Flag | Description |
| ---- | ----------- |
| `--generate` | Run as initiator. Generates a token to share with the peer. |
| `--in <minutes>` | Wait time before coordinated punch (default: 1). |
| `--join` | Run as joiner. Accepts an `mg://` token. |
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the connect flags table, --join is documented without its required token argument, but the CLI expects --join <mg://token> (it errors if --join has no value). Update the table row to reflect that the flag requires an argument.

Suggested change
| `--join` | Run as joiner. Accepts an `mg://` token. |
| `--join <mg://token>` | Run as joiner. Accepts an `mg://` token. |

Copilot uses AI. Check for mistakes.

---

## `meshguard org-keygen`

Generate a new Ed25519 organization keypair.

```bash
meshguard org-keygen
```

**Output files** (in `$MESHGUARD_CONFIG_DIR`, default `~/.config/meshguard/org/`):
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The org-keygen section’s output path wording is inconsistent with how $MESHGUARD_CONFIG_DIR is defined elsewhere in this doc and in code: $MESHGUARD_CONFIG_DIR defaults to ~/.config/meshguard/, and the org keys are written under $MESHGUARD_CONFIG_DIR/org/. Consider changing this line to say the files are in $MESHGUARD_CONFIG_DIR/org/ (default ~/.config/meshguard/org/).

Suggested change
**Output files** (in `$MESHGUARD_CONFIG_DIR`, default `~/.config/meshguard/org/`):
**Output files** (in `$MESHGUARD_CONFIG_DIR/org/` (default `~/.config/meshguard/org/`)):

Copilot uses AI. Check for mistakes.

- `org.key` — secret key
- `org.pub` — public key

Generates an org keypair and derives the deterministic mesh domain (e.g., `a1b2c3.mesh`).

---

## `meshguard org-sign`

Sign a node's public key with the org private key, producing a `NodeCertificate`.

```bash
meshguard org-sign <node.pub> --name <label> [--expires <unix-timestamp>]
```

| Argument | Description |
| -------- | ----------- |
| `<node.pub>` | Path to the node's `.pub` file or base64 key |
| `--name` | Required human-readable label for the node |
| `--expires` | Optional unix timestamp for certificate expiration |
Comment on lines +136 to +144
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

org-sign docs state that --name is required, but the CLI currently defaults the name to node when --name is omitted. Either update the docs to describe the default/optional behavior, or update the CLI to enforce --name as required so the docs and behavior match.

Copilot uses AI. Check for mistakes.

---

## `meshguard org-vouch`

Vouch for an external node without making it a full org member. The vouch propagates to all org members via gossip.
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The org-vouch description implies the vouch immediately propagates “via gossip”, but the implementation writes a vouch file that is gossiped when the node next runs meshguard up. Consider clarifying that propagation happens on the next daemon start / while the daemon is running.

Suggested change
Vouch for an external node without making it a full org member. The vouch propagates to all org members via gossip.
Vouch for an external node without making it a full org member. This writes a vouch that will be propagated to all org members via gossip when your node's daemon is running (for example, after `meshguard up`).

Copilot uses AI. Check for mistakes.

```bash
meshguard org-vouch <node.pub>
```

| Argument | Description |
| -------- | ----------- |
| `<node.pub>` | Path to the external node's `.pub` file or base64 key |

---

## `meshguard upgrade`

Upgrade meshguard to the latest release from GitHub.

```bash
meshguard upgrade
```

Queries the GitHub API, downloads the latest `meshguard-linux-amd64` binary, replaces the current executable, and restarts the systemd service if running.
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The upgrade section says it “replaces the current executable, and restarts the systemd service if running”, but the current implementation installs to /usr/local/bin/meshguard and unconditionally runs systemctl stop meshguard followed by systemctl start meshguard (no check for whether it was already running). Please adjust the wording to match the actual behavior (and mention the fixed install path if that’s intentional).

Suggested change
Queries the GitHub API, downloads the latest `meshguard-linux-amd64` binary, replaces the current executable, and restarts the systemd service if running.
Queries the GitHub API, downloads the latest `meshguard-linux-amd64` binary, installs it to `/usr/local/bin/meshguard`, and restarts the `meshguard` systemd service by running `systemctl stop meshguard` followed by `systemctl start meshguard`, regardless of whether it was previously running.

Copilot uses AI. Check for mistakes.

---

## `meshguard down`

Stop the daemon and remove the `mg0` interface.
Expand Down
2 changes: 1 addition & 1 deletion src/services/control.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ pub const ControlSocket = struct {
try std.posix.listen(sock, 4);

// Make socket accessible to non-root users
std.fs.cwd().chmod(self.socket_path, 0o666) catch {};
std.posix.fchmodat(std.fs.cwd().fd, self.socket_path, 0o666, 0) catch {};

self.server = sock;
}
Expand Down
5 changes: 5 additions & 0 deletions test_chmod.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
const std = @import("std");
pub fn main() !void {
std.posix.fchmodat(std.fs.cwd().fd, "test_file.txt", 0o666, 0) catch {};
std.debug.print("chmod ok\n", .{});
}
Loading