CLI Commands¶
Coming Soon
The flow-sdk CLI is not yet publicly available; it will ship in an upcoming release. The documentation below is provided as a preview of upcoming capabilities. Today, the SDK is available inside Code Blocks, Hosted Services, Agents, and Workflows on the Manifest Platform; no installation is required.
The flow-sdk CLI is namespace-first. Use grouped commands for authentication, development, deployments, service invocation, and platform CRUD operations.
Command Groups¶
Root groups:
- `auth` - authentication and identity
- `dev` - local component development workflows
- `deployments` - deploy/publish/promote/rollback/list/status
- `services` - hosted service invocation
- `components`, `connectors`, `datasets`, `hosted-services`, `solutions`, `policies`, `webhooks`, `mcp-servers`, `experiments` - canonical management CRUD namespaces
flow-sdk auth login¶
Authenticate with the Manifest Platform and store credentials locally.
How It Works¶
- Exchanges your organization API key (`fl_...`) for a JWT access token
- Auto-discovers accessible organizations and workspaces
- Stores the token and tenant context in `~/.flow/config.json` (permissions `0600`)
Options¶
| Flag | Required | Description |
|---|---|---|
| `--api-key` | Yes | Organization API key (prompted securely if omitted) |
| `--url` | Yes | Platform API URL (prompted if omitted) |
| `--org-id` | No | Organization UUID (auto-discovered if omitted) |
| `--workspace-id` | No | Workspace UUID (auto-discovered if omitted) |
Examples¶
Output¶
Auto-selected organization: Acme Corp
Auto-selected workspace: Production
Logged in. org=550e8400-... workspace=6ba7b810-...
Credentials saved to ~/.flow/config.json
Multiple Organizations
If your API key has access to multiple organizations, the CLI presents a numbered list for you to choose from.
flow-sdk auth login-user¶
Authenticate as a user via a request-bound browser flow and a pasted token.
How It Works¶
- CLI creates a one-time request with `POST /api/v1/auth/cli-login-requests`.
- CLI prints a verification URL in the web app (`/cli-login/{request_id}?secret=...`).
- User signs in through the app session (including MFA policy if required), generates a token, and pastes it into the CLI.
- CLI validates the token with `/auth/me` and persists local config.
Options¶
| Flag | Required | Description |
|---|---|---|
| `--url` | Yes | Platform API URL |
| `--token` | No | Pre-generated token from request-bound app page |
Example¶
flow-sdk dev scaffold¶
Generate a new component project with the correct directory structure, imports, configuration files, and test stubs.
Templates¶
| Template | Description |
|---|---|
| `basic` | Minimal component -- implement execute() and you are done |
| `connector` | API-backed component with auth, httpx client lifecycle, and operation stub |
| `agent` | Pydantic AI agent with tool registration and GatewayClient for LLM calls |
| `workflow` | Multi-step workflow with node definitions and workflow YAML spec |
Options¶
| Flag | Default | Description |
|---|---|---|
| `--template`, `-t` | `basic` | Project template to use |
| `--out`, `-o` | `.` (current dir) | Parent directory for the new project |
| `--list`, `-l` | | List available templates and exit |
Examples¶
Available templates:
basic Minimal component — implement execute() and you are done.
connector Adds auth via SecretsClient, httpx client lifecycle, and
an operation stub for API-backed components.
agent Pydantic AI agent with tool registration and GatewayClient
for LLM calls.
workflow Multi-step workflow with node definitions and workflow YAML
spec.
Usage: flow-sdk dev scaffold <name> --template <template>
Next Steps After Scaffolding¶
Naming Rules¶
Component names must:
- Start with a letter
- Contain only letters, digits, hyphens (`-`), and underscores (`_`)
- Not include path separators, dots, or spaces
flow-sdk deployments deploy¶
Deploy a component to the Manifest Platform.
Options¶
| Flag | Default | Description |
|---|---|---|
| `--ring` | `dev` | Deployment ring: dev, staging, or prod |
| `--json` | | Emit machine-readable JSON output |
Examples¶
Prerequisites
You must be logged in (flow-sdk auth login or flow-sdk auth login-user) before deploying. The component directory must contain a valid component.py and any required configuration files.
flow-sdk deployments publish¶
Validate and publish a component to the platform catalog.
Options¶
| Flag | Description |
|---|---|
| `--json` | Emit machine-readable JSON output |
Examples¶
# Publish from the component directory
flow-sdk deployments publish ./my-processor
# Machine-readable output for CI/CD
flow-sdk deployments publish ./my-processor --json
flow-sdk dev test¶
Run a component through its full lifecycle with a mock runtime context.
Options¶
| Flag | Default | Description |
|---|---|---|
| `--input`, `-i` | None | JSON file containing input data for the component |
| `--env` | `dev` | Simulated environment: dev, staging, or prod |
| `--json` | | Emit machine-readable JSON output |
Examples¶
Output¶
Component: MyProcessor
Path: /Users/you/projects/my-processor
Environment: dev
Running lifecycle...
Result: SUCCESS (142.3ms)
Output: {"processed": true, "items": 42}
flow-sdk dev validate¶
Validate a component's implementation against the platform contract without executing it.
Checks Performed¶
| Check | Description |
|---|---|
| `subclasses_base_component` | Component class extends BaseComponent |
| `execute_is_implemented` | execute() method is defined |
| `models_are_valid_pydantic` | Input/output models are valid Pydantic models |
| `health_check_returns_valid_result` | health_check() returns a HealthCheckResult |
Examples¶
Validating component at: /Users/you/projects/my-processor
v subclasses_base_component OK
v execute_is_implemented OK
v models_are_valid_pydantic OK
v health_check_returns_valid_result OK
Validation: PASSED (4/4 checks passed)
flow-sdk auth whoami¶
Show the current authenticated identity, organization, and workspace.
Options¶
| Flag | Description |
|---|---|
| `--json` | Emit machine-readable JSON output |
Examples¶
flow-sdk services invoke¶
Invoke a deployed service endpoint.
flow-sdk services invoke --service-id <uuid> --path <endpoint> [--method <method>] [--body <json>] [--version <n>] [--json]
Options¶
| Flag | Default | Description |
|---|---|---|
| `--service-id` | (required) | Service UUID to invoke |
| `--path` | (required) | Endpoint path (e.g. /analyze) |
| `--method` | `POST` | HTTP method (GET, POST, PUT, DELETE) |
| `--body` | None | JSON request body string |
| `--version` | None | Service version number |
| `--json` | | Emit machine-readable JSON output |
Examples¶
Deployment Commands¶
flow-sdk deployments list¶
List deployments in the current workspace.
| Flag | Description |
|---|---|
| `--ring` | Filter by ring name (e.g. dev, staging, prod) |
| `--status` | Filter by status (e.g. active, failed) |
| `--json` | Emit machine-readable JSON output |
Examples¶
# List all deployments
flow-sdk deployments list
# Filter by ring and status
flow-sdk deployments list --ring dev --status active --json
flow-sdk deployments status¶
Check deployment health and status.
Examples¶
flow-sdk deployments promote¶
Promote a deployment to the next ring.
| Flag | Description |
|---|---|
| `--target-ring` | (required) Target ring ID or name |
| `--notes` | Optional promotion notes |
| `--json` | Emit machine-readable JSON output |
Examples¶
# Promote to staging
flow-sdk deployments promote d-abc123 --target-ring staging --notes "Release 2.1"
# Promote with JSON output
flow-sdk deployments promote d-abc123 --target-ring production --json
flow-sdk deployments rollback¶
Roll back a deployment.
flow-sdk deployments rollback <deployment-id> --reason <text> [--rollback-to <deployment-id>] [--json]
| Flag | Description |
|---|---|
| `--reason` | (required) Reason for rollback |
| `--rollback-to` | Specific deployment ID to roll back to |
| `--json` | Emit machine-readable JSON output |
Examples¶
# Roll back to previous deployment
flow-sdk deployments rollback d-abc123 --reason "Performance regression"
# Roll back to a specific version
flow-sdk deployments rollback d-abc123 --rollback-to d-xyz789 --reason "Reverting to v1.3"
Hosted Service Token Commands¶
flow-sdk hosted-services mint-token¶
Mint an HSL service token for programmatic access to a deployed service.
flow-sdk hosted-services mint-token \
  --service-id <uuid> \
  --claims '{"tenant_id": "t-123", "role": "reader"}' \
  --ttl 120
| Flag | Default | Description |
|---|---|---|
| `--service-id` | (required) | Hosted service ID |
| `--claims` | (required) | JSON string of custom claims |
| `--ttl` | `60` | Token TTL in minutes |
| `--json` | | Emit JSON output |
flow-sdk hosted-services revoke-token¶
Revoke a single service token by its JTI.
flow-sdk hosted-services revoke-token \
  --service-id <uuid> \
  --jti <token-jti> \
  --expires-at 2025-12-31T23:59:59Z \
  --reason "Credential rotation"
flow-sdk hosted-services revoke-all-tokens¶
Revoke all service tokens for a service. Prompts for confirmation unless --yes is passed.
flow-sdk hosted-services revoke-all-tokens \
  --service-id <uuid> \
  --reason "Security incident" \
  --yes
flow-sdk hosted-services list-revocations¶
List token revocations for a service.
flow-sdk hosted-services list-revocations --service-id <uuid>
flow-sdk hosted-services list-revocations --service-id <uuid> --include-expired --json
flow-sdk components backup¶
Download a platform-admin component backup archive (.tar.gz).
flow-sdk components backup \
  --components all \
  [--component-ids <id1,id2>] \
  [--include-archived] \
  [--output ./components-backup.tar.gz] \
  [--json]
Notes:
- Uses canonical endpoint `POST /api/v1/orgs/{org_id}/workspaces/{workspace_id}/component-backups/download`.
- `--components` accepts `all` or comma-separated component types (for example `agent,codeblock`).
- Requires platform-admin persona.
Configuration File¶
All CLI commands that interact with the platform read credentials from ~/.flow/config.json:
{
  "access_token": "eyJhbGciOi...",
  "platform_url": "https://api.flow.marut.cloud",
  "org_id": "550e8400-e29b-41d4-a716-446655440000",
  "workspace_id": "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
}
Security
The config file contains a JWT access token and is written with 0600 permissions (owner read/write only). Do not commit this file to version control.
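A workstation or CI check for the guarantees stated above, as an added example that is not part of flow-sdk: it confirms that the config file is a regular, owner-only file and that the stored token has not expired. The function names are hypothetical, the `https` check is an extra not stated on this page, and the token is assumed to carry a standard JWT `exp` claim, which is read without signature verification.

```python
import base64, json, os, stat, time

def jwt_expiry(token):
    """Return the unverified numeric `exp` claim of a JWT, or None if unreadable."""
    try:
        payload = str(token).split(".")[1]
        payload += "=" * (-len(payload) % 4)            # restore base64url padding
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
        return exp if isinstance(exp, (int, float)) else None
    except (IndexError, ValueError, AttributeError):
        return None

def audit_config(path, now=None):
    """Return a list of findings for a config file laid out as shown above."""
    st = os.lstat(path)                                 # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return ["config path is a symlink"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:                                    # any group/other bit set
        findings.append(f"mode {mode:04o} grants group/other access; expected 0600")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    if not str(cfg.get("platform_url", "")).startswith("https://"):
        findings.append("platform_url is not https")    # added check, see lead-in
    exp = jwt_expiry(cfg.get("access_token", ""))
    if exp is None:
        findings.append("access_token has no readable exp claim")
    elif exp <= (now if now is not None else time.time()):
        findings.append("access_token is expired")
    return findings

def write_sample_config(path, exp, mode):
    """Write a constructed config (fake token, not a real credential) for testing."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    token = ".".join([seg({"alg": "none"}), seg({"exp": exp}), "constructed-signature"])
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"access_token": token, "platform_url": "https://api.example.invalid"}, fh)
    os.chmod(path, mode)

if __name__ == "__main__":
    for finding in audit_config(os.path.expanduser("~/.flow/config.json")):
        print("WARN:", finding)
```

An empty result means every check passed; a permissions finding is cleared with `chmod 600 ~/.flow/config.json`.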