
CLI Reference

The latchgate binary is the single entry point for running the gate server, managing actions, reviewing approvals, querying the audit trail, operating the kill-switch, and launching the agent sandbox.

| Flag | Env variable | Description |
|---|---|---|
| --config <PATH> | LATCHGATE_CONFIG | Path to latchgate.toml. Discovery order: --config / $LATCHGATE_CONFIG => .latchgate/latchgate.toml => $XDG_CONFIG_HOME/latchgate/latchgate.toml => built-in defaults. |
| --json | | Emit structured JSON instead of human-readable output. Exit codes unchanged. |
| --operator-key <KEY> | LATCHGATE_OPERATOR_KEY | Operator API key for authenticated commands (approvals, revoke, audit). |
| --operator-private-key <PATH> | LATCHGATE_OPERATOR_PRIVATE_KEY | Path to operator’s DPoP private key (PEM-encoded P-256). Required in production. |

Start LatchGate. Default: embedded mode — SQLite state, in-process policy engine, in-memory replay cache. Zero external dependencies.

```sh
latchgate up                       # embedded mode (default)
latchgate up --infra               # Docker: Redis + OPA + Squid + Prometheus
latchgate up --with-redis URL      # external Redis, embedded policy
latchgate up --with-opa URL        # embedded state, external OPA
```

| Flag | Description |
|---|---|
| --infra | Start Redis + OPA + Squid + Prometheus in Docker containers. Provides HA replay protection and defense-in-depth egress proxy. Requires Docker. |
| --with-redis <URL> | Use an external Redis instance for state (replay cache, budgets, approvals). Cannot be combined with --infra. |
| --with-opa <URL> | Use an external OPA instance for policy evaluation. Cannot be combined with --infra. |
| --reset | Remove .latchgate/ and re-run the setup wizard before starting. |
| --expose-http <ADDR> | Expose HTTP listeners on the given address (e.g. 127.0.0.1:3000). INSECURE — adds TCP alongside UDS. |
| --insecure-identity | Allow provider = none. Dev only. |
| --insecure-signing | Allow ephemeral signing keys. Dev only. |
| --schema-warn | Allow response_schema_enforcement = warn. |

On first run, latchgate up detects no project and launches the interactive setup wizard. Subsequent runs start immediately.

On startup, latchgate up discovers resources in this order:

  1. Repo root — if definitions/policies/opa/ and definitions/manifests/ exist (development from source).
  2. Binary-relative — ../share/latchgate/ (tarball or Homebrew install).
  3. Init output — if policies/latchgate.rego and manifests/ exist (generated by latchgate init). This is the recommended path for binary installs.

Stop Docker containers started by latchgate up --infra. Use this when a previous --infra session was interrupted without graceful shutdown (kill -9, terminal closed). Normally, Ctrl+C in up handles teardown automatically. No-op if embedded mode was used.

```sh
latchgate down                 # stop containers, keep data directory
latchgate down --prune         # also delete the data directory (audit.db, receipts, cache)
latchgate down --prune --yes   # skip the confirmation prompt
```

--prune is destructive: the audit trail is permanently removed. The command prompts for interactive confirmation unless --yes is given.

Start the gate server from a config file. Loads config, initialises all subsystems (registry, state backends, policy engine, WASM runtime), and binds listeners. Security posture is read from the config file’s [posture] section rather than from CLI flags.

For managed setups use latchgate up; serve is for custom deployments, platform provisioners, and container images where the config file is baked in or mounted.

```sh
latchgate serve                                     # load config via discovery
latchgate serve --config /tenant/acme/config.toml   # explicit config path
```

Config discovery follows the standard order: --config / $LATCHGATE_CONFIG => .latchgate/latchgate.toml => $XDG_CONFIG_HOME/latchgate/latchgate.toml => built-in defaults.

Unlike latchgate up, serve does not run the setup wizard, does not start Docker infrastructure, and does not apply security posture flags from CLI arguments. All configuration must be present in the TOML file. This makes it suitable for Dockerfiles, systemd units, and orchestrator-managed deployments where the config is provisioned separately.

The process handles SIGTERM and SIGINT gracefully: it stops accepting new requests, waits for in-flight WASM executions to complete, then exits.

Launch an agent inside a Linux namespace sandbox. The agent runs in isolated user/network/mount/PID/UTS/IPC/cgroup namespaces with only two paths to the outside world: the gate UDS (for protected actions) and an HTTPS CONNECT proxy (for LLM API traffic to allowed hosts only).

Everything else — host filesystem, network, credentials, other processes — is absent from the namespace.

Requires Linux ≥ 5.8 with unprivileged user namespaces.

```sh
latchgate sandbox --profile claude-code
latchgate sandbox --profile aider
latchgate sandbox -- my-custom-agent
latchgate sandbox --workspace ./my-project -- claude
latchgate sandbox --allow-host api.deepseek.com -- my-agent
latchgate sandbox --ro-mount /opt/node-22 -- my-agent
latchgate sandbox --pass-env GITHUB_TOKEN -- my-agent
latchgate sandbox --sandbox-config sandbox.toml -- my-agent
```

Everything after -- is the command line to run inside the sandbox. With --profile, the command defaults to the profile’s binary if omitted.

| Flag | Description |
|---|---|
| --profile <NAME> | Load a built-in agent profile (claude-code, codex, cursor, opencode, aider). Sets allow_hosts, credentials, and pass_env. CLI flags merge additively on top. |
| --workspace <PATH> | Host directory mounted as /workspace (read-write) inside the sandbox. Default: current working directory. |
| --allow-host <HOST> | Add a hostname to the proxy allowlist (repeatable). HTTPS only, port 443. Additive with hosts from config. |
| --ro-mount <PATH> | Additional read-only bind mount from host (repeatable). |
| --pass-env <VAR> | Pass an environment variable into the sandbox (repeatable). Only explicitly listed variables are passed — no blanket inheritance. |
| --gate-socket <PATH> | Path to the LatchGate gate UDS on the host. |
| --sandbox-config <PATH> | Load sandbox config from a standalone TOML file. Overrides [sandbox.agent] from latchgate.toml. CLI flags still take precedence. |

| Variable | Description |
|---|---|
| LATCHGATE_USAGE_SIGNAL | When set (any value), emit a single structured JSON line to stderr on successful launch: profile name and whether a credential resolved. No PII, no secrets. |

Sandbox settings are resolved in this precedence order:

  1. CLI flags (highest)
  2. Standalone --sandbox-config file
  3. [sandbox.agent] section in latchgate.toml
  4. Built-in defaults (lowest)

List flags (--allow-host, --ro-mount, --pass-env) are additive — they extend the TOML values rather than replacing them.
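The precedence and additive-list rules above, as an added Python illustration rather than LatchGate’s own code: the field names, the default socket path and the field-wise merge between the standalone --sandbox-config file and the [sandbox.agent] section are assumptions modelled on the flags listed here.

```python
"""Resolve effective sandbox settings from the four precedence layers.

Added illustration, not LatchGate code. Field names (workspace, gate_socket,
allow_hosts, ro_mounts, pass_env) and the field-wise merge between the
standalone --sandbox-config file and [sandbox.agent] are assumptions.
"""

# Scalar fields: the highest-precedence layer that sets them wins outright.
SCALAR_FIELDS = ("workspace", "gate_socket")
# List fields: additive across layers; a higher layer extends, never replaces.
LIST_FIELDS = ("allow_hosts", "ro_mounts", "pass_env")

# Constructed sample layers (not from any real install), lowest precedence first.
DEFAULTS = {
    "workspace": ".",
    "gate_socket": ".latchgate/gate.sock",  # assumed default path
    "allow_hosts": [], "ro_mounts": [], "pass_env": [],
}
TOML_SECTION = {"allow_hosts": ["api.example.com"], "pass_env": ["TERM"]}
STANDALONE_FILE = {"workspace": "/srv/agent-work", "ro_mounts": ["/opt/node-22"]}
CLI_FLAGS = {
    "workspace": "./my-project",
    "allow_hosts": ["api.deepseek.com"],
    "pass_env": ["GITHUB_TOKEN"],
}


def resolve_sandbox_config(defaults, toml_section, standalone_file, cli_flags):
    """Merge defaults < [sandbox.agent] < --sandbox-config file < CLI flags."""
    layers = [defaults, toml_section or {}, standalone_file or {}, cli_flags]
    result = {}
    for layer in layers:  # later (higher) layers override scalar values
        for key in SCALAR_FIELDS:
            if layer.get(key) is not None:
                result[key] = layer[key]
    for key in LIST_FIELDS:  # list values are unioned, insertion order kept
        merged = []
        for layer in layers:
            for item in layer.get(key, []):
                if item not in merged:
                    merged.append(item)
        result[key] = merged
    return result


def sandbox_environment(host_env, pass_env):
    """Environment the agent sees: only explicitly listed variables.

    Nothing is inherited from the host; a listed variable that is unset on
    the host is simply absent inside the sandbox.
    """
    return {name: host_env[name] for name in pass_env if name in host_env}


if __name__ == "__main__":
    cfg = resolve_sandbox_config(DEFAULTS, TOML_SECTION, STANDALONE_FILE, CLI_FLAGS)
    print(cfg)
    print(sandbox_environment({"HOME": "/home/op", "GITHUB_TOKEN": "ghp_constructed"},
                              cfg["pass_env"]))
```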

For the full security model, namespace details, and configuration reference, see Agent Sandbox.

Scaffold a working LatchGate project in the current directory. Generates latchgate.toml, extracts action manifests from the embedded catalog based on the selected preset, creates operator credentials (P-256 DPoP keypair), and updates .gitignore.

```sh
latchgate init                                        # interactive wizard
latchgate init --preset coding                        # non-interactive, specific preset
latchgate init --preset lockdown --location user      # user-global install
latchgate init --preset coding --dev                  # local dev mode (peercred with current UID)
latchgate init --list-presets                         # show available presets
latchgate init --export-preset coding                 # dump preset TOML for customization
latchgate init --preset coding --include-examples     # include httpbin.org example manifests
latchgate init --force                                # overwrite existing latchgate.toml
```

When run without --preset, an interactive wizard prompts for:

  1. Install location — Project (.latchgate/ in the current directory) or User (~/.config/latchgate/).
  2. Preset — one of eleven built-in presets, each with a description. See Presets for details.
| Preset | Description |
|---|---|
| quickstart | First evaluation — two auto-allowed reads and two gated writes. No external credentials required. |
| agent | General-purpose AI agent: code, issues, docs, tasks, search, and filesystem. High-risk actions gated. |
| coding | Coding agent: filesystem, GitHub, web search. Writes and PRs gated. |
| read-only | Read and search only — web, APIs, docs, feeds, and public registries. All write actions blocked. |
| ops | Full operations: agent + devops actions. Infrastructure changes and deploys require approval. |
| devops | Infrastructure and deployment: CI/CD, DNS, monitoring, cloud storage, incident management. |
| data | Storage, monitoring, and financial integrations — S3, Datadog, Grafana, Stripe. Write actions gated. |
| team | Agent plus email, messaging, calendar, and notes. Sending messages and creating events gated. |
| lockdown | Full action catalog, nothing auto-granted. Every action requires a named principal or approval. |
| blank | Empty registry. Add actions individually via the TUI or the manifests directory. |
| permissive | All actions auto-granted to every authenticated principal. Dev and demo only — never deploy. |
| Flag | Description |
|---|---|
| --preset <NAME\|PATH> | Preset name or path to a custom preset TOML file. Skips the interactive wizard. |
| --location <project\|user> | Install location: project (.latchgate/) or user (~/.config/latchgate/). Default: project. |
| --list-presets | Show available presets with descriptions and exit. |
| --export-preset <NAME> | Dump a built-in preset as TOML to stdout for customization. |
| --include-examples | Extract example manifests (httpbin.org domains) into a _examples/ subdirectory. |
| --force | Overwrite latchgate.toml and operator key if they already exist. |
| --dev | Configure for local development (peercred identity with current UID). Allows latchgate up without the unsafe-dev escape hatch. Not for production — accepts any local process as a valid caller. |
Generated files:

| Path | Contents |
|---|---|
| latchgate.toml | Commented config with operator credentials injected |
| manifests/ | Action manifests extracted from the embedded catalog per the selected preset |
| policies/ | latchgate.rego (from embedded) + data.json (ACL shaped by the preset’s wildcard grant level) |
| operators/ | P-256 DPoP keypair (<name>.pem, mode 0600) |
| data/ | Audit ledger directory |
| .gitignore | Appended with .latchgate/, data/, policies/, *.key |

The operator API key is displayed once at setup and never logged. Save it immediately.

Non-interactive use requires --preset. The preset determines which manifests are extracted and how the ACL is shaped. Suitable for CI pipelines and Docker builds where no TTY is available.

Refuses to overwrite latchgate.toml or operator PEM files unless --force is given.

Launch the interactive operator terminal. Connects to a running gate and provides a real-time dashboard, approval workflow, and management screens. Requires operator authentication.

```sh
latchgate tui
```

Not compatible with --json. See Operator TUI for details.

Manage latchgate.toml without manual editing. All subcommands preserve comments and formatting via AST-level TOML editing.

Print the resolved config file path and the discovery source that produced it (e.g. --config flag, LATCHGATE_CONFIG, project-local .latchgate/, user-global ~/.config/latchgate/, built-in defaults).

```sh
latchgate config path
latchgate config path --json
```

Useful when several config locations are in play and you need to confirm which one the binary will load.

Show where manifests, providers, and policies are loaded from. Loads the registry without starting the gate and reports how many actions come from embedded vs. user manifests, which overrides are active, and where provider and policy files live.

```sh
latchgate config resources
latchgate config resources --json
```

Query a configuration value by dotted key. Prints the value with type-aware formatting: strings unquoted, integers and booleans as-is, arrays as newline-separated values, tables pretty-printed as TOML. With no key, dumps the entire config.

```sh
latchgate config get redis_url       # single field
latchgate config get sandbox.mode    # nested field
latchgate config get sandbox         # entire table
latchgate config get                 # dump full config
latchgate config get --json          # full config as JSON
```

Set a single configuration value with type preservation and validation. The type of the new value is inferred from the existing field (int stays int, bool stays bool). New fields default to string.

```sh
latchgate config set redis_url "redis://new:6379"
latchgate config set sandbox.mode strict
```

The config is validated after editing. If the modified config is invalid, the change is rejected and the file is not written. Writes are atomic (tmp => fsync => rename).

Remove a configuration field. Uses toml_edit to remove the key while preserving comments and formatting. The resulting config is validated — if removing the field makes the config invalid, the change is rejected.

Idempotent: unsetting an absent key exits 0.

```sh
latchgate config unset listen_http_addr
latchgate config unset sandbox.strict_for_actions
```

Run all production security checks on latchgate.toml without starting the server or checking external dependencies.

```sh
latchgate config validate
latchgate config validate --json
```

Reports pass/fail per check. In dev mode, production-only checks are skipped.

Generate a P-256 DPoP keypair, compute the JWK thumbprint, and add a complete [operator_credentials.NAME] section to latchgate.toml in one step.

```sh
latchgate config add-operator --name alice
latchgate config add-operator --name alice --api-key "explicit-key"
latchgate config add-operator --name alice --key-dir /etc/latchgate/keys
```

This replaces the multi-step workflow of latchgate operator keygen + manual TOML editing. The API key is displayed once and never logged.

Generated files:

  • <key-dir>/<name>.pem — P-256 private key (mode 0600)
  • [operator_credentials.<name>] section in latchgate.toml with api_key and dpop_jkt

Default --key-dir is .latchgate.

Remove an operator credential from latchgate.toml. Does not delete the PEM file (operator may want a backup).

```sh
latchgate config remove-operator alice
```

Add a peercred principal mapping (Unix UID => principal name) to latchgate.toml. Eliminates manual TOML array editing.

```sh
latchgate config add-principal --uid 1001 --name agent-support --scopes tools:call
latchgate config add-principal --uid 1002 --name agent-ops \
  --scopes tools:call,db:query --owner bob@company.com
latchgate config add-principal --uid 1001 --name agent-v2 --force   # overwrite existing
```

| Flag | Required | Description |
|---|---|---|
| --uid <UID> | yes | Unix UID to map |
| --name <NAME> | yes | Principal name used in policy ACL |
| --scopes <S,...> | yes | Comma-separated scopes (e.g. tools:call,db:query) |
| --owner <EMAIL> | no | Contact email for this principal (informational) |
| --force | no | Overwrite if UID already mapped |

Automatically sets identity.provider = "peercred" if not already configured.

Remove a peercred principal mapping by UID.

```sh
latchgate config remove-principal --uid 1001
```

List all configured peercred principal mappings.

```sh
latchgate config list-principals
latchgate config list-principals --json
```

Add a webhook endpoint to latchgate.toml. Validates URL, events, and secret before writing.

```sh
latchgate config add-webhook --name slack-alerts \
  --url https://hooks.slack.com/services/T.../B.../xxx \
  --secret whsec_xxx \
  --events approval.pending,approval.expired
```

| Flag | Required | Description |
|---|---|---|
| --name <NAME> | yes | Unique webhook name |
| --url <URL> | yes | Endpoint URL (must be HTTPS in production) |
| --secret <SECRET> | yes | HMAC signing secret for payload verification |
| --events <E,...> | yes | Comma-separated event types to subscribe to |
| --headers <K=V,...> | no | Extra headers (e.g. Authorization=Bearer xxx) |
| --timeout <SECONDS> | no | Per-request HTTP timeout in seconds (default: 10) |

Event types: approval.pending, approval.granted, approval.denied, approval.expired, action.denied, action.executed, action.failed, revocation, budget.exhausted.

Note: the underlying timeout_seconds config field defaults to 5 when populated by hand; the CLI uses 10 to give first-time users more headroom on slow endpoints. Edit latchgate.toml directly to change it after the fact.

Remove a webhook endpoint by name.

```sh
latchgate config remove-webhook --name slack-alerts
```

List all configured webhook endpoints.

```sh
latchgate config list-webhooks
latchgate config list-webhooks --json
```

Manage OPA ACL entries without editing JSON by hand. Operates on policies/data.json (generated by latchgate init). All writes are atomic. policy_version is auto-incremented on every mutation.

Sinks (allowed_sinks) are auto-derived from action manifests’ declared_side_effects — they are a security invariant and must not be set manually.

Add actions to a principal’s ACL. Validates action IDs against manifests before writing.

```sh
latchgate policy grant agent-ops http_fetch,github_read,slack_post
```

Output:

```text
✓ agent-ops: 3 action(s) granted
  Actions  http_fetch, github_read, slack_post
  Sinks    http_read, http_write (auto-derived)
```

If an action ID doesn’t exist in manifests, the command fails with a suggestion:

```text
✗ unknown action 'http_fech' — did you mean 'http_fetch'?
```

Remove actions from a principal’s ACL. Sinks are recomputed from the remaining actions.

```sh
latchgate policy revoke agent-ops slack_post
```

If all actions are revoked, the principal entry is removed entirely.

Show the full ACL for one or all principals, including risk level breakdown.

```sh
latchgate policy show agent-ops    # single principal
latchgate policy show              # all principals
latchgate policy show --json
```

Compact summary of all principals with action counts.

```sh
latchgate policy list
```

Output:

```text
Principal          Actions
────────────────────────────────────────
* (wildcard)       18
agent-ops          3
```

Manage SOPS-encrypted secrets without leaving the CLI. Wraps age-keygen and sops so the operator never handles plaintext files manually.

Generate an age keypair and create an empty encrypted secrets file. Configures sops_secrets_file and sops_key_file in latchgate.toml.

```sh
latchgate secrets init
latchgate secrets init --force   # overwrite existing key and secrets files
```

Requires sops and age-keygen on $PATH. The age key file is created with mode 0600 at .latchgate/sops-age.key.

Add or update a secret in the encrypted file.

```sh
latchgate secrets set GITHUB_TOKEN ghp_xxxx
latchgate secrets set SLACK_BOT_TOKEN xoxb-xxxx
```

Decrypts the file, updates the key, re-encrypts atomically. The plaintext exists only in a temporary file (auto-deleted on drop) with mode 0600.

Read a single secret value (decrypts to stdout).

```sh
latchgate secrets get GITHUB_TOKEN
```

List all secrets with coverage status — shows which secrets are set and which are required by action manifests but missing.

```sh
latchgate secrets list
latchgate secrets list --json
```

Remove a secret from the encrypted file.

```sh
latchgate secrets remove GITHUB_TOKEN
```

Run pre-flight checks before starting the gate. Verifies configuration, dependencies, provider modules, and host capabilities. Exits 0 if all required checks pass, non-zero if any check fails.

```sh
latchgate doctor
latchgate doctor --json   # machine-readable output
```

| Check | What it verifies | Severity on failure |
|---|---|---|
| public_base_url | public_base_url is set in config (required for DPoP htu validation) | warn |
| operator_creds | At least one operator credential exists and all have dpop_jkt in production | error (prod) / warn (dev) |
| signing_keys | receipt_signing_key_path and grant_signing_key_path are configured in production | error (prod) / warn (dev) |
| policy_files | policies/latchgate.rego exists (init-output or repo-root layout) | error |
| policy_acl | data.json has at least one ACL entry | error (prod) / warn (dev) |
| manifests_dir | manifests_dir exists and contains valid action manifests (YAML parses, schemas resolve) | error |
| providers_dir | wasm_providers_dir exists and is a directory | error (strict) / warn (degraded_ok) |
| provider_modules | At least one .wasm file exists in the providers directory | warn |
| manifest_digest | For each manifest with a provider_source, the SHA-256 of the .wasm file matches the declared provider_module digest | error |
| redis | Redis is reachable via TCP at the configured redis_url (2 second timeout) | error |
| opa | OPA health endpoint responds successfully at {opa_url}/health (2 second timeout) | error |
| egress_proxy | Egress proxy is reachable when configured. Warns when unconfigured in production. | error (configured) / warn (unconfigured prod) |
| sops | When sops_secrets_file is configured, the sops binary is found on $PATH | error |
| secrets_coverage | Actions declaring required secrets have sops_secrets_file configured | error (required) / warn (optional) |
| webhooks | Each [[webhooks]] entry has valid URL, HTTPS (production), non-empty secret, recognised event types, no duplicate names | error |
| seccomp | (Linux only) /proc/sys/kernel/seccomp/enabled reads 1 or 2 | error (strict) / warn (degraded_ok) |
| ledger_schema | Ledger schema version matches the binary | error / warn |
| ledger_integrity | SQLite PRAGMA quick_check on the ledger database | error |

ok — check passed. warn — non-blocking issue; the gate can start but may not function correctly. error — blocking issue; fix before starting the gate.

```text
⬡ LatchGate v0.1.0 (a1b2c3d4 2025-06-01)
Pre-flight check

Config
  ✓ public_base_url     http://localhost:3000
  ✓ operator_creds      1 operator(s) — all have DPoP binding
  ⚠ signing_keys        ephemeral keys (dev mode) — receipts unverifiable after restart
Policy
  ✓ policy_files        policies/latchgate.rego present
  ✓ policy_acl          1 principal(s) configured
Registry
  ✓ manifests_dir       21 action manifest(s) valid
  ✓ providers_dir       target/providers — exists
  ✓ provider_modules    1 .wasm module(s)
Dependencies
  ✓ redis               reachable at redis://127.0.0.1:6379
  ✓ opa                 reachable at http://127.0.0.1:8181
  ✓ egress_proxy        reachable at http://127.0.0.1:3128
Security
  ✓ sops                not configured (no sops_secrets_file)
  ✓ secrets_coverage    no actions declare secrets
  ✓ webhooks            none configured (optional)
  ✓ ledger_integrity    quick_check passed

✓ 16/17 passed, 1 warning(s)
```

When errors are found in strict sandbox mode, the output includes a tip about switching to degraded_ok for development hosts.

Check whether the gate is running and what it is serving. Connects to the gate via the configured socket and prints health status and registered actions.

```sh
latchgate status
latchgate status --json
```

List registered actions from the running gate. Optionally show full manifest details for a single action.

```sh
latchgate actions               # list all actions
latchgate actions http_fetch    # show full manifest for http_fetch
latchgate actions --json        # machine-readable output
```

Query the audit trail. Returns the most recent audit events from the evidence ledger.

```sh
latchgate audit                                    # last 20 events (default)
latchgate audit --limit 5                          # last 5 events
latchgate audit --action http_fetch                # filter by action ID
latchgate audit --principal agent-ops              # filter by principal
latchgate audit --decision deny                    # filter by decision (allow/deny/error/pending_approval)
latchgate audit --after 2025-01-01T00:00:00Z       # events after timestamp
latchgate audit --before 2025-02-01T00:00:00Z      # events before timestamp
latchgate audit --trace-id abc-123                 # exact trace ID match
latchgate audit --session-id sess-456              # exact session ID match
latchgate audit --event-type action_call           # filter by event type
latchgate audit --json                             # machine-readable output
```

Filters can be combined. --after and --before accept ISO 8601 timestamps. --trace-id and --session-id are exact-match filters for incident investigation. --event-type accepts values like action_call, lease_issued, admin_revoke_all.

Verify the integrity of the ledger’s tamper-evident hash-chain. Walks every event in insertion order and checks that each prev_hash matches the SHA-256 of the preceding event’s JSON. Requires operator authentication.

```sh
latchgate verify
latchgate verify --json
```

Exit codes: 0 if the chain is intact, 2 if a break is detected. On failure, the output identifies the trace_id where the chain broke and how many links were verified before the break.
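The chain walk described above, as an added Python illustration rather than LatchGate’s own verifier: the event fields, the all-zero genesis prev_hash and the canonical JSON encoding (sorted keys, compact separators) are assumptions, and the real ledger’s serialisation may differ.

```python
"""Tamper-evident hash-chain check in the shape described for latchgate verify.

Added illustration, not LatchGate code. Event fields, the genesis prev_hash
(64 zeros) and the canonical JSON encoding are assumptions.
"""
import copy
import hashlib
import json

GENESIS_PREV_HASH = "0" * 64  # assumed value for the first event's prev_hash


def event_hash(event: dict) -> str:
    """SHA-256 over the event's canonical JSON, including its own prev_hash."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(chain: list, **fields) -> dict:
    """Append an event whose prev_hash commits to the previous event."""
    prev_hash = event_hash(chain[-1]) if chain else GENESIS_PREV_HASH
    event = {"prev_hash": prev_hash, **fields}
    chain.append(event)
    return event


def verify_chain(chain: list) -> dict:
    """Walk events in insertion order and report like the CLI's exit codes.

    Intact chain: exit_code 0 and the number of links checked. Break: exit_code
    2, the trace_id of the event whose prev_hash mismatched, and how many links
    were verified before it.
    """
    verified = 0
    for index, event in enumerate(chain):
        expected = event_hash(chain[index - 1]) if index else GENESIS_PREV_HASH
        if event.get("prev_hash") != expected:
            return {"ok": False, "exit_code": 2, "links_verified": verified,
                    "broken_at": event.get("trace_id")}
        verified += 1
    return {"ok": True, "exit_code": 0, "links_verified": verified}


def build_sample_chain() -> list:
    """Constructed sample ledger of three audit events (not real data)."""
    chain = []
    append_event(chain, trace_id="trace-001", event_type="action_call",
                 principal="agent-ops", action="http_fetch", decision="allow")
    append_event(chain, trace_id="trace-002", event_type="action_call",
                 principal="agent-ops", action="slack_post",
                 decision="pending_approval")
    append_event(chain, trace_id="trace-003", event_type="admin_revoke_all",
                 principal="alice", decision="allow")
    return chain


def tamper_with_decision(chain: list, index: int, new_decision: str) -> list:
    """Copy the chain and rewrite one historical decision in place.

    The edited event keeps a valid prev_hash, so the break surfaces at the
    *next* event, whose stored prev_hash no longer matches the recomputed hash.
    """
    tampered = copy.deepcopy(chain)
    tampered[index]["decision"] = new_decision
    return tampered


if __name__ == "__main__":
    sample = build_sample_chain()
    print(verify_chain(sample))
    print(verify_chain(tamper_with_decision(sample, 1, "allow")))
```

Rewriting the newest event leaves no later prev_hash to contradict it, so the chain walk alone does not catch that case; the sample tampers with a historical event, where it does.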

Manage pending approvals — list, review, approve, or deny. All subcommands require operator authentication. For single-operator setups, credentials are auto-discovered from latchgate.toml + .latchgate/<name>.pem — no flags needed. When multiple operators are configured, pass --operator-key and --operator-private-key explicitly.

```sh
latchgate approvals list                           # show pending approvals
latchgate approvals list --all                     # include completed approvals
latchgate approvals list --limit 10                # limit results
latchgate approvals show <approval_id>             # full review detail
latchgate approvals approve <approval_id>          # approve and trigger execution
latchgate approvals approve <approval_id> -y       # skip confirmation prompt
latchgate approvals approve <approval_id> \
  --learn-domain api.new-service.com               # persist domain to action allowlist on success
latchgate approvals deny <approval_id>             # deny without execution
latchgate approvals deny <approval_id> --reason "Not authorized"
```

--learn-domain is per-action: a domain learned for slack_post is not available to web_read. The domain is persisted only if execution succeeds. See latchgate domains to inspect and manage learned domains.

Emergency kill-switch. Advances the revocation epoch — all outstanding ExecutionGrants issued before this call are immediately invalidated. New grants carry the new epoch and remain valid. Prompts for confirmation unless --yes is given.

```sh
latchgate revoke          # interactive confirmation
latchgate revoke --yes    # skip confirmation
latchgate revoke --json   # machine-readable output
```

Generate a DPoP keypair for operator authentication. Outputs the private key (PEM) and the JWK thumbprint (dpop_jkt) to add to [operator_credentials] in latchgate.toml.

```sh
latchgate operator keygen                                # write to default path
latchgate operator keygen --output /etc/latchgate/op.pem # custom path
latchgate operator keygen -o /etc/latchgate/op.pem       # short form
```

The private key file is written with mode 0600. For most setups, prefer latchgate config add-operator which generates the keypair and writes the matching [operator_credentials.NAME] section in one step.

Manage learned egress domains — the operator-approved domains that augment the static manifest allowlist. When an operator approves an action with --learn-domain, the domain is persisted so future requests skip re-approval. Per-action isolation applies: a domain learned for slack_post is not available to web_read. Reads and writes the SQLite ledger directly — does not require the gate to be running.

```sh
latchgate domains list                                 # all learned domains
latchgate domains list --action slack_post             # filter by action
latchgate domains add slack_post hooks.slack.com       # add a learned domain
latchgate domains remove slack_post hooks.slack.com
latchgate domains clear slack_post                     # remove all learned domains for an action
latchgate domains clear slack_post --yes               # skip confirmation
latchgate domains check slack_post hooks.slack.com     # test whether a domain is allowed
```

check resolves a domain against an action’s effective allowlist — the static manifest entries plus any learned domains — and reports whether the domain would be permitted, without mutating state. Use it to confirm an add took effect or to debug an unexpected egress denial.

Manifest domains are shown with source manifest in list output and cannot be removed — they require a manifest change and restart. Only learned domains are mutable through this command.
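The effective-allowlist semantics of this command and of approvals approve --learn-domain, as an added Python illustration rather than LatchGate’s own code: an in-memory store stands in for the SQLite ledger, and hostname normalisation (lowercase, trailing dot removed), exact-match resolution and every sample domain other than hooks.slack.com are assumptions.

```python
"""Per-action egress allowlist: static manifest domains plus learned domains.

Added illustration, not LatchGate code. An in-memory store stands in for
the SQLite ledger; hostname normalisation (lowercase, trailing dot removed)
and exact-match semantics are assumptions, as are all sample domains other
than hooks.slack.com.
"""


def normalize_host(host: str) -> str:
    """Canonical form for comparison; no wildcard or suffix matching (assumed)."""
    return host.strip().lower().rstrip(".")


class DomainStore:
    def __init__(self, manifest_domains: dict):
        # action -> static manifest domains; changing these needs a manifest
        # edit and restart, so this API treats them as read-only.
        self.manifest = {
            action: frozenset(normalize_host(h) for h in hosts)
            for action, hosts in manifest_domains.items()
        }
        self.learned: dict = {}  # action -> set of operator-learned domains

    def add(self, action: str, domain: str) -> None:
        """domains add: learned for this action only (per-action isolation)."""
        self.learned.setdefault(action, set()).add(normalize_host(domain))

    def learn_on_success(self, action: str, domain: str, execution_ok: bool) -> bool:
        """approvals approve --learn-domain: persist only if execution succeeded."""
        if execution_ok:
            self.add(action, domain)
        return execution_ok

    def remove(self, action: str, domain: str) -> bool:
        """domains remove: refuses manifest domains and unknown ones."""
        host = normalize_host(domain)
        if host in self.manifest.get(action, frozenset()):
            return False
        learned = self.learned.get(action, set())
        if host not in learned:
            return False
        learned.discard(host)
        return True

    def clear(self, action: str) -> int:
        """domains clear: drop every learned domain for one action."""
        return len(self.learned.pop(action, set()))

    def check(self, action: str, domain: str) -> dict:
        """domains check: resolve against the effective allowlist, no mutation."""
        host = normalize_host(domain)
        if host in self.manifest.get(action, frozenset()):
            return {"allowed": True, "source": "manifest"}
        if host in self.learned.get(action, set()):
            return {"allowed": True, "source": "learned"}
        return {"allowed": False, "source": None}

    def list(self, action=None) -> list:
        """domains list: (action, domain, source) rows, manifest rows first."""
        rows = []
        for act in sorted(set(self.manifest) | set(self.learned)):
            if action is not None and act != action:
                continue
            rows += [(act, h, "manifest") for h in sorted(self.manifest.get(act, ()))]
            rows += [(act, h, "learned") for h in sorted(self.learned.get(act, ()))]
        return rows


def build_sample_store() -> DomainStore:
    """Constructed sample: two actions, one approval that succeeded, one that failed."""
    store = DomainStore({"slack_post": ["slack.com"], "web_read": ["example.com"]})
    store.learn_on_success("slack_post", "hooks.slack.com", execution_ok=True)
    store.learn_on_success("web_read", "api.new-service.com", execution_ok=False)
    return store
```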

Generate shell completion scripts. Outputs a completion script for the specified shell to stdout.

```sh
latchgate completions bash > ~/.local/share/bash-completion/completions/latchgate
latchgate completions zsh > ~/.zfunc/_latchgate
latchgate completions fish > ~/.config/fish/completions/latchgate.fish
```

Supported shells: bash, zsh, fish, powershell, elvish.

| Variable | Effect |
|---|---|
| LATCHGATE_UNSAFE_DEV=1 | Bypass all production startup checks (requires unsafe-dev Cargo feature) |
| LATCHGATE_CONFIG | Override config file path |
| RUST_LOG | Override tracing log filter at runtime |
| LATCHGATE_OPERATOR_KEY | Operator API key (alternative to --operator-key flag) |
| LATCHGATE_OPERATOR_PRIVATE_KEY | Operator DPoP key path (alternative to --operator-private-key flag) |
| LATCHGATE_URL | Gate URL for SDKs and integrations |
| LATCHGATE_* | Per-field config overrides — see Configuration |

All commands return 0 on success. Non-zero exit codes indicate errors or degraded state. With --json, the structured output includes an ok field for programmatic checking.