# The trustplane CLI

`cmd/trustplane-cli` builds the `trustplane` binary, the CLI for TrustPlane Auth.
## Install

v0.1.0-rc.1 is a private preview pre-release. CLI archives are publicly downloadable from
https://downloads.auth.trustplane.dev/trustplane/v0.1.0-rc.1/; verify `SHA256SUMS` before
running the binary. See Install & artifacts.

The same release page records the digest-pinned adapter and broker images and the Helm OCI chart
version 0.1.0-rc.1.

From a pre-release TrustPlane Auth source tree:

```sh
make build   # produces ./bin/trustplane (+ adapter + broker)
```

Optionally put it on your PATH:

```sh
export PATH="$PWD/bin:$PATH"
trustplane --help
```
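The `SHA256SUMS` check from the install step, as an added example that is not part of the TrustPlane project: it refuses an archive that the manifest does not list as well as one whose digest differs, so a silently missing entry can never pass. The archive file name is assumed.

```shell
#!/usr/bin/env bash
# Added example, not TrustPlane project code: check a downloaded CLI archive against
# the release SHA256SUMS manifest before unpacking or running anything from it.
# Usage: verify_release_archive SHA256SUMS trustplane_<os>_<arch>.tar.gz   (name assumed)
set -eu

# Digest helper: coreutils sha256sum, falling back to shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 only when the archive is listed in the manifest AND its digest matches.
# An archive the manifest does not mention is a failure, never a pass.
verify_release_archive() {
  local sums="$1" archive="$2"
  local name expected actual
  name="$(basename "$archive")"
  # Manifest lines are "<hex>  <file>" or "<hex> *<file>" (sha256sum text/binary mode).
  expected="$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1 }' "$sums")"
  if [ -z "$expected" ]; then
    echo "refusing $name: not listed in $sums" >&2
    return 1
  fi
  actual="$(sha256_of "$archive")"
  if [ "$expected" != "$actual" ]; then
    echo "refusing $name: digest mismatch" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  echo "ok: $name matches $sums"
}
```

Run it on the downloaded `SHA256SUMS` and archive, and only unpack when it prints `ok`.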
## The v0.1 command set (exactly these)

```text
trustplane gen-key
trustplane issue
trustplane sign
trustplane verify
trustplane bundle build
trustplane bundle merge-source
trustplane bundle remove-source
trustplane bundle sign
trustplane bundle verify
trustplane broker issue
trustplane up
trustplane demo
```

The CLI excludes `enroll`, `onboard`, `list-keys`, `blindfold`, `gateway-call`, and cloud
instance-identity proof flows, plus managed administration and bundle distribution. Those are
out of the v0.1 boundary by design. See v0.1 boundary.
## Commands

### gen-key

Generate a signing key pair for local issuing and signing.
### issue

Mint a short-lived passport (and optionally write a trust bundle containing the public key).

```sh
trustplane issue \
  --subject spiffe://example.local/ns/default/sa/demo \
  --audience example-api \
  --trust-domain example.local \
  --bundle-out trustplane-bundle.json
```
### sign

Produce transcript-v1 signed request headers without a broker (the no-broker path). Supports
`--curl` to print a ready-to-run request that the adapter accepts. Any tampering with the signed
request causes the adapter to reject it with `request_binding_mismatch`. → Request binding
### verify

Verify a passport against a public key or a local bundle.

```sh
trustplane verify \
  --token "$TOKEN" \
  --bundle trustplane-bundle.json \
  --kid "$KEY_ID" \
  --issuer "$ISSUER" \
  --audience example-api \
  --trust-domain example.local
```
### bundle build

Compile a local authoring config into a deterministic `trustplane-bundle-v1` policy bundle
skeleton. Sign the reviewed output before loading it into an adapter in a production-style
setup. → Bundle policy & freshness

```sh
trustplane bundle build --config bundle.config.json --out trustplane.bundle.json
```
### bundle merge-source

Non-destructively append a client public key and a matching route source rule to existing trust
material and a policy bundle. Existing entries are preserved; `--replace-existing` is required to
overwrite a duplicate. → Trust anchors

```sh
trustplane bundle merge-source \
  --trust-material trust-material.json \
  --policy-bundle trustplane.bundle.json \
  --out-trust-material trust-material.merged.json \
  --out-policy-bundle trustplane.bundle.merged.json \
  --issuer https://issuer.acme.demo/external-jwks \
  --trust-domain acme.demo.external \
  --kid hosted-demo-client-2 \
  --public-key "$CLIENT_PUBLIC_KEY_B64URL" \
  --route-id acme.demo.orders.read \
  --subject-exact external:jwks:hosted-demo-client-2 \
  --required-key-binding software
```
### bundle remove-source

Remove a trusted key and its matching route source selector while preserving unrelated trust
material and policy. Because the removal is destructive, `--confirm-remove` is required.

```sh
trustplane bundle remove-source \
  --trust-material trust-material.json \
  --policy-bundle trustplane.bundle.json \
  --out-trust-material trust-material.removed.json \
  --out-policy-bundle trustplane.bundle.removed.json \
  --issuer https://issuer.acme.demo/external-jwks \
  --trust-domain acme.demo.external \
  --kid hosted-demo-client-2 \
  --route-id acme.demo.orders.read \
  --subject-exact external:jwks:hosted-demo-client-2 \
  --confirm-remove \
  --revoke
```
### bundle sign / bundle verify

Sign reviewed trust material or policy bundles, then verify the signed output before mounting
it. → Signed bundle lifecycle

```sh
trustplane bundle sign \
  --policy-bundle trustplane.bundle.json \
  --out trustplane.bundle.signed.json \
  --signer-issuer local://bundle-signer \
  --kid bundle-signing-key-1 \
  --private-key "$BUNDLE_SIGNING_PRIVATE_KEY_B64URL"

trustplane bundle verify \
  --policy-bundle trustplane.bundle.signed.json \
  --public-key "$BUNDLE_SIGNING_PUBLIC_KEY_B64URL"
```
### broker issue

Ask the local broker to issue a request-bound passport and proof for one specific call. → Broker

```sh
trustplane broker issue \
  --method GET --path /orders \
  --audience acme.demo.orders --route-id acme.demo.orders.read
```
### up

One-command local orchestrator: starts a software-signer broker (Unix socket), writes local
bundle files, and starts a transcript-v1 adapter with in-memory replay protection and bundle
policy. For demo and developer use only.

```sh
trustplane up
```
### demo

Run the bundled end-to-end demonstration (issue + verify + protected-service example).
## Related make targets

When building from source, the CLI commands are wrapped by convenience Makefile targets:

| Target | What it runs |
|---|---|
| `make build` | Build `trustplane`, `trustplane-adapter`, `trustplane-broker` from source once source access is available |
| `make demo` | `trustplane demo` + protected-service example |
| `make demo-bundle` | Local trust-bundle key resolution demo |
| `make demo-adapter` | Brownfield adapter (valid / 401 / 403) |
| `make demo-provider-gateway` | Broker + transcript-v1 + replay + deny reasons |
| `make transcript-conformance` | Go/JS/Python transcript-v1 conformance |
| `make v01-acceptance` | The canonical local readiness gate |
| `make boundaries` | Package import boundary checks |
| `make docker-demo` | Docker-based demo |