Enumerate every agent in your team with online state, OS, version, tags, and last-seen time.

$ tuc agent list
ID          NAME     STATUS   TAGS          LAST SEEN
agt_9f2c1   web-01   online   prod,web      just now
agt_4b7e8   db-01    online   prod,db       2m ago

Filter agents by a specific tag.

$ tuc agent list --tag prod
ID          NAME     STATUS   TAGS    LAST SEEN
agt_9f2c1   web-01   online   prod    1m ago
agt_4b7e8   db-01    online   prod    3m ago

List all online agents with the prod tag.

$ tuc agent list --tag prod --status online
ID          NAME     STATUS   TAGS    LAST SEEN
agt_9f2c1   web-01   online   prod    1m ago

Filter agents by offline status.

$ tuc agent list --status offline
ID          NAME      STATUS   TAGS       LAST SEEN
agt_7k2m9   cache-01  offline  canary     3h ago

Sort agents alphabetically by name.

$ tuc agent list --sort name
ID          NAME     STATUS   LAST SEEN
agt_4b7e8   cache-01 online   5m ago
agt_9f2c1   db-01    online   1m ago

Sort agents by last-seen timestamp (newest first).

$ tuc agent list --sort last-seen
ID          NAME     STATUS   LAST SEEN
agt_9f2c1   web-01   online   just now
agt_4b7e8   db-01    online   2m ago

Limit output to 50 agents.

$ tuc agent list --limit 50
(showing 1-50 of 127 agents)

Output agent list as JSON.

$ tuc agent list --output json
[{"id":"agt_9f2c1","name":"web-01",...}]

Output agent list as CSV.

$ tuc agent list --output csv
id,name,status,tags,last_seen
agt_9f2c1,web-01,online,prod,1m ago

Filter agents by resource utilization (CPU > 80%).

$ tuc agent list --filter "cpu>80"
ID          NAME     CPU    STATUS
agt_3x1p2   api-03   87%    online

Complete agent onboarding with a dashboard-generated pairing key. Generates ED25519 identity locally.

$ tuc agent pair PK-4XQ9-71MZ
✓ identity generated (ed25519)
✓ paired as web-02 (agt_c31a0)

Pair an agent with a custom name.

$ tuc agent pair PK-4XQ9-71MZ --name my-agent
✓ paired as my-agent (agt_c31a0)

Pair an agent and immediately assign tags.

$ tuc agent pair PK-4XQ9-71MZ --tags prod,web
✓ paired as web-02 (agt_c31a0)
✓ tagged with prod, web

Pair an agent with consent verification disabled.

$ tuc agent pair PK-4XQ9-71MZ --no-consent
✓ paired (consent not required)

Generate a new pairing token for agent onboarding.

$ tuc agent pair-token
PK-7XQ2-85NZ (expires in 1 hour)

Generate a pairing token with custom expiration.

$ tuc agent pair-token --ttl 24h
PK-7XQ2-85NZ (expires in 24h)

Inspect a single agent: identity, connection path, security posture, tags, and consent.

$ tuc agent info agt_9f2c1
name              web-01
id                agt_9f2c1
fingerprint       SHA256:tQ8r…b4Jc
os                Linux 5.15.0
version           2.8.1
status            online
last_seen         2m ago
tags              prod,web
posture           9/10 checks passing

Show current status and connection health of an agent.

$ tuc agent status agt_9f2c1
status     online (12m 34s)
latency    45ms
cpu        12%
memory     234MB / 2GB

Show the agent software version and build information.

$ tuc agent version agt_9f2c1
agent       2.8.1 (build 2026-05-15)
components  core/2.8.1 sdk/2.4.0 runtime/1.2.3

Show comprehensive health check results for an agent.

$ tuc agent health agt_9f2c1
✓ network connectivity
✓ disk space (89% available)
✓ certificate expiry (45 days)
⚠ memory pressure (78% used)

Stream agent logs to stdout.

$ tuc agent logs agt_9f2c1
2026-06-11 14:22:01 [info] heartbeat sent
2026-06-11 14:21:58 [info] posture check passed

Show agent logs from the last 1 hour.

$ tuc agent logs agt_9f2c1 --since 1h
(showing 23 log entries)

Filter agent logs by level (error, warn, info, debug).

$ tuc agent logs agt_9f2c1 --level error
2026-06-11 13:15:22 [error] certificate validation failed

Show CPU, memory, disk, and network metrics for an agent.

$ tuc agent metrics agt_9f2c1
cpu         12.3% (4 cores)
memory      512MB / 2GB (25%)
disk        45GB / 100GB (45%)
network     2.3MB/s in, 1.1MB/s out

Export agent metrics as JSON.

$ tuc agent metrics agt_9f2c1 --json
{"cpu":12.3,"memory":512,...}

Attach a tag to an agent for targeting and policy.

$ tuc agent tag agt_9f2c1 canary
✓ tagged web-01 with "canary"

Attach multiple tags to an agent at once.

$ tuc agent tag agt_9f2c1 prod web http
✓ added 3 tags to web-01

Remove a tag from an agent.

$ tuc agent untag agt_9f2c1 canary
✓ removed "canary" from web-01

List all tags assigned to an agent.

$ tuc agent tags agt_9f2c1
prod
web
http

Rename an agent.

$ tuc agent rename agt_9f2c1 production-web-01
✓ renamed to production-web-01

Restart an agent remotely.

$ tuc agent restart agt_9f2c1
✓ restart signal sent to web-01

Update agent software to the latest version.

$ tuc agent update agt_9f2c1
✓ update started (2.8.1 → 2.9.0)
(restart required)

Update agent to a specific version.

$ tuc agent update agt_9f2c1 --to 2.8.0
✓ downgrade started (2.9.0 → 2.8.0)

Preview what would happen during an update.

$ tuc agent update agt_9f2c1 --dry-run
Would update: 2.8.1 → 2.9.0
Size: 45MB | Duration: ~2m

Deregister an agent from the fleet.

$ tuc agent delete agt_9f2c1
⚠ This cannot be undone. Confirm? [y/N] y
✓ agent agt_9f2c1 deleted

Force delete an agent without confirmation.

$ tuc agent delete agt_9f2c1 --force
✓ agent agt_9f2c1 deleted

Reset an agent to factory defaults.

$ tuc agent reset agt_9f2c1
✓ agent reset (will reconnect in 30s)

Isolate an agent from other fleet operations.

$ tuc agent isolate agt_9f2c1
✓ web-01 isolated (sessions will be blocked)

Remove isolation from an agent.

$ tuc agent unisolate agt_9f2c1
✓ web-01 unisolated

Check if an agent requires consent for sessions.

$ tuc agent consent agt_9f2c1
consent_required  true
policy            manual
last_consent      2h ago by alice@team

Set agent to require manual consent for sessions.

$ tuc agent consent agt_9f2c1 --require manual
✓ consent policy updated

Disable consent requirement for an agent.

$ tuc agent consent agt_9f2c1 --require none
✓ consent disabled

Enable session recording for an agent.

$ tuc agent record agt_9f2c1 --enable
✓ recording enabled

Disable session recording for an agent.

$ tuc agent record agt_9f2c1 --disable
✓ recording disabled

Send a ping to test agent connectivity.

$ tuc agent ping agt_9f2c1
✓ pong (45ms)

Trace the network path to an agent.

$ tuc agent trace agt_9f2c1
hop 1: client → rendezvous (12ms)
hop 2: rendezvous → web-01 (33ms)

Show certificate info for an agent.

$ tuc agent cert agt_9f2c1
fingerprint  SHA256:tQ8r…b4Jc
subject      CN=agt_9f2c1
expires      2027-06-11 (380 days)

Rotate the certificate for an agent.

$ tuc agent cert agt_9f2c1 --rotate
✓ new certificate generated and installed

Open an end-to-end encrypted terminal session to an agent.

$ tuc session start web-01
✓ consent granted · recording on
web-01:~$ _

Start a session without recording.

$ tuc session start web-01 --no-record
✓ session started (recording OFF)
web-01:~$ _

Start a session with auto-close timeout.

$ tuc session start web-01 --timeout 30m
web-01:~$ _
(auto-close in 30 minutes)

Start a session and switch to a specific user.

$ tuc session start web-01 --user root
✓ switched to root
root@web-01:~# _

Start a session and execute a command directly.

$ tuc session start web-01 --exec "systemctl status nginx"
● nginx.service - The NGINX HTTP Server
  Active: active (running)

Start a session with environment variables.

$ tuc session start web-01 --env DEBUG=1 --env ENV=prod
✓ session started with 2 environment variables

Start an interactive session (default behavior).

$ tuc session start web-01 --interactive
web-01:~$ _

Start a non-interactive session for automation.

$ tuc session start web-01 --non-interactive < script.sh

List active and recent sessions with details.

$ tuc session list
SESSION     AGENT    ACTOR        DURATION  REC  STATUS
ses_77ab2   web-01   alice@team   12m       yes  active
ses_1c09f   db-01    bob@team     closed    yes  closed

List sessions for a specific agent.

$ tuc session list --agent web-01
SESSION     ACTOR        DURATION  STATUS
ses_77ab2   alice@team   12m       active

List sessions for a specific user.

$ tuc session list --actor alice@team
SESSION     AGENT    DURATION  STATUS
ses_77ab2   web-01   12m       active

Filter sessions by status (active, closed, suspended).

$ tuc session list --status active
SESSION     AGENT    ACTOR        DURATION
ses_77ab2   web-01   alice@team   12m

List sessions from the last 24 hours.

$ tuc session list --since 24h
(showing 47 sessions)

Limit results to 100 sessions.

$ tuc session list --limit 100
(showing 1-100 of 523 sessions)

Output sessions as JSON.

$ tuc session list --output json
[{"id":"ses_77ab2","agent":"web-01",...}]

Output sessions as CSV.

$ tuc session list --output csv
id,agent,actor,status,duration
ses_77ab2,web-01,alice@team,active,12m

Show detailed information about a session.

$ tuc session info ses_77ab2
id              ses_77ab2
agent           web-01
actor           alice@team
started         2026-06-11 14:22:00
duration        12m 34s
recording       yes
recorded_bytes  1.2MB
status          active

Check current status of a session.

$ tuc session status ses_77ab2
status          active
idle_time       2m 15s
cpu             12%
memory          89MB

Show session duration and timeline.

$ tuc session duration ses_77ab2
started   2026-06-11 14:22:00
now       2026-06-11 14:34:34
elapsed   12m 34s
timeout   (30m remaining)

Replay a recorded session from signed recording.

$ tuc session replay ses_1c09f
▶ replaying 14m32s recording (signed, verified)

Replay a session at 2x speed.

$ tuc session replay ses_1c09f --speed 2x
▶ replaying at 2x speed

Replay a session at 0.5x speed.

$ tuc session replay ses_1c09f --speed 0.5x
▶ replaying at 0.5x speed

Start replay from 5 minutes into the session.

$ tuc session replay ses_1c09f --from 5m
▶ replaying from 5m mark

Replay a specific time range of a session.

$ tuc session replay ses_1c09f --from 5m --to 10m
▶ replaying segment 5m-10m (5m duration)

Export session recording as asciinema JSON.

$ tuc session export ses_1c09f > session.json
✓ exported 14m32s recording

Export session as asciinema .cast file.

$ tuc session export ses_1c09f --format cast > session.cast

Export session as standalone HTML player.

$ tuc session export ses_1c09f --format html > player.html

Verify cryptographic signature of a session recording.

$ tuc session verify ses_1c09f
✓ signature verified (signed by alice@team)
✓ recording unaltered
✓ timestamp authentic

Show command log from a session.

$ tuc session logs ses_77ab2
14:22:05  ls -la /var/www
14:22:08  cat config.json
14:22:15  systemctl restart app

Generate full text transcript of a session.

$ tuc session transcript ses_77ab2
web-01:~$ ls -la
total 12
drwxr-xr-x  3 user user  4096 Jun 11 14:22 .

Suspend (pause) an active session.

$ tuc session suspend ses_77ab2
✓ session suspended (can be resumed)

Resume a suspended session.

$ tuc session resume ses_77ab2
✓ session resumed
web-01:~$ _

Close an active session.

$ tuc session end ses_77ab2
✓ session ended (recording finalized)

Forcefully terminate a session immediately.

$ tuc session terminate ses_77ab2
✓ session terminated

Kill a session and disconnect the agent.

$ tuc session kill ses_77ab2
✓ session killed (agent disconnected)

Set a timeout for an active session.

$ tuc session timeout ses_77ab2 15m
✓ session will auto-close in 15m

Check consent status for a session.

$ tuc session consent ses_77ab2
consent_required  true
given_by          alice@team
given_at          2026-06-11 14:22:00

Approve a session awaiting approval.

$ tuc session approve ses_77ab2
✓ session approved

Deny a session awaiting approval.

$ tuc session deny ses_77ab2
✓ session denied (will be terminated)

List sessions awaiting approval.

$ tuc session pending-approval
SESSION     AGENT    ACTOR        REQUESTED
ses_88bc3   web-02   charlie@team 2m ago
ses_92xf1   db-03    dave@team    5m ago

Show CPU, memory, and network metrics during session.

$ tuc session metrics ses_77ab2
cpu         8.2%
memory      67MB / 2GB (3%)
network     12KB/s in, 4KB/s out

Show session bandwidth usage.

$ tuc session bandwidth ses_77ab2
input       1.2MB / 12m = 1.6KB/s
output      2.8MB / 12m = 3.9KB/s
total       4.0MB

List all commands executed in a session.

$ tuc session commands ses_77ab2
ls -la /var/www
cat config.json
systemctl restart app

Analyze input/output patterns in a session.

$ tuc session io ses_77ab2
keystrokes   234
paste_events 3
output_chars 8432

Show recording metadata for a session.

$ tuc session recording ses_77ab2
enabled    yes
format     asciinema
size       1.2MB
frames     8432
signature  valid
signed_by  system

Download the recording file.

$ tuc session recording ses_77ab2 --download
✓ downloaded to ./ses_77ab2.cast (1.2MB)

Search sessions by command, actor, or agent.

$ tuc session search "systemctl restart"
ses_77ab2  alice@team  web-01  found 2 matches

Search sessions from the last 7 days.

$ tuc session search "docker" --from 7d
(found 5 matching sessions)

Run a command across all agents with a tag. Risk is classified; MEDIUM needs confirmation, HIGH needs approval token.

$ tuc fleet run --tag prod --command "systemctl restart nginx"
risk: MEDIUM → confirm? [y/N] y
✓ web-01  exit 0  (1.2s)
✓ web-02  exit 0  (1.4s)

Preview a fleet run without executing.

$ tuc fleet run --tag prod --command "uptime" --dry-run
Would run on: web-01, web-02, web-03
Risk level: LOW
Estimated time: 5s

Run with automatic confirmation (for automation).

$ tuc fleet run --tag prod --command "systemctl restart nginx" --confirm
✓ web-01  exit 0  (1.2s)
✓ web-02  exit 0  (1.4s)

Run using a pre-generated approval token.

$ tuc fleet run --tag prod --command "systemctl restart nginx" --approval-token APR_xyz123
✓ approved by alice@team
✓ web-01  exit 0

Run command with concurrency limit (default: unlimited).

$ tuc fleet run --tag prod --command "echo test" --parallel 5
(processing 5 agents at a time)

Set timeout for each agent execution.

$ tuc fleet run --tag prod --command "systemctl restart nginx" --timeout 60s
(60s per agent)

Set both per-agent and overall timeout.

$ tuc fleet run --tag prod --command "systemctl restart nginx" --timeout 60s --overall-timeout 5m
(5m total, 60s per agent)

Output results as JSON.

$ tuc fleet run --tag prod --command "systemctl restart nginx" --output json
[{"agent":"web-01","exit":0,"duration":"1.2s"}]

Stop execution if any agent fails.

$ tuc fleet run --tag prod --command "systemctl restart nginx" --stop-on-error
✓ web-01  exit 0
✗ web-02  exit 1  (stopping)

Run in batches of 3 agents sequentially.

$ tuc fleet run --tag prod --command "systemctl restart nginx" --batch-size 3
Batch 1 (3/12): ✓ web-01, ✓ web-02, ✓ web-03
Batch 2 (3/12): (in progress)

Filter agents by OS before running command.

$ tuc fleet run --tag prod --command "systemctl restart nginx" --filter "os:linux"
Matched 8/12 agents (Linux only)

Exclude specific agents from run.

$ tuc fleet run --tag prod --command "systemctl restart nginx" --exclude web-01
Running on: web-02, web-03, ..., web-12

Run on agents with multiple tags (AND logic).

$ tuc fleet run --tags prod,web --command "systemctl restart nginx"
Matched 8/12 agents (prod AND web)

Run on specific agents (whitelist).

$ tuc fleet run --agent web-01 --agent web-02 --command "systemctl restart nginx"
Running on 2 agents

Run on agents in a specific region.

$ tuc fleet run --region us-east --command "systemctl restart nginx"
Matched 12/27 agents (us-east region)

Run on agents with specific OS.

$ tuc fleet run --os linux --command "systemctl restart nginx"
Matched 18/27 agents (Linux)

Run on agents with specific architecture.

$ tuc fleet run --arch arm64 --command "systemctl restart nginx"
Matched 3/27 agents (ARM64)

Run a local script across fleet.

$ tuc fleet run --script /path/to/script.sh --tag prod
✓ web-01  exit 0
✓ web-02  exit 0

Show fleet health at a glance.

$ tuc fleet status
prod   12/12 online
db      3/3  online
canary  1/2  online (cache-01 offline 3h)

Show detailed fleet status with CPU, memory, disk.

$ tuc fleet status --detailed
prod    12/12  online  cpu: 23%  mem: 45%  disk: 67%
db       3/3   online  cpu: 8%   mem: 12%  disk: 34%

Output fleet status as JSON.

$ tuc fleet status --json
{"prod":{"online":12,"total":12},...}

List all tags in the fleet.

$ tuc fleet tags
prod   (12 agents)
web    (8 agents)
db     (3 agents)
canary (2 agents)

List all regions in the fleet.

$ tuc fleet regions
us-east   (12 agents)
us-west   (8 agents)
eu-west   (7 agents)

Show fleet health summary with failing checks.

$ tuc fleet health
✓ 25/27 agents online
✓ 26/27 certificates valid (1 expires in 5 days)
⚠ 2 agents with high CPU (>80%)

Run deep health checks on all agents.

$ tuc fleet health --deep
(scanning 27 agents...)
✓ network connectivity
✓ disk space
⚠ certificate expiry (1 agent)

Check health of agents with a specific tag.

$ tuc fleet health --tag prod
✓ 12/12 prod agents online

Show security posture across fleet.

$ tuc fleet posture
✓ all agents pass baseline checks
✓ certificates valid
⚠ 2 agents with disabled encryption

Run compliance checks across fleet.

$ tuc fleet compliance
✓ 27/27 agents compliant
⚠ 3 agents missing required tags

Scale tag capacity to 20 agents (auto-launch/stop).

$ tuc fleet scale prod --to 20
Currently: 12 agents
Target: 20 agents
Launch: 8 new agents? [y/N] y
✓ launching 8 agents...

Set up autoscaling based on CPU threshold.

$ tuc fleet scale prod --min 5 --max 20 --cpu-threshold 80
✓ autoscaling configured

Autoscale using multiple thresholds.

$ tuc fleet scale prod --cpu-threshold 75 --memory-threshold 85
✓ autoscaling updated

Disable autoscaling for a tag.

$ tuc fleet scale prod --disable
✓ autoscaling disabled

Pause fleet operations on agents with a tag.

$ tuc fleet pause canary
✓ canary fleet paused (1 agent)

Pause gracefully (drain active sessions).

$ tuc fleet pause canary --drain
Draining 2 active sessions...
✓ canary fleet paused

Resume fleet operations on paused agents.

$ tuc fleet resume canary
✓ canary fleet resumed (1 agent online)

Rollback last fleet run.

$ tuc fleet rollback
Rollback "systemctl restart nginx" on prod? [y/N] y
✓ rollback executed

Rollback a specific fleet run.

$ tuc fleet rollback --run run_abc123
✓ rollback executed

Rollback all recent fleet runs.

$ tuc fleet rollback --all
Rolling back 3 recent runs?
✓ all rollbacks executed

List recent fleet runs.

$ tuc fleet runs
RUN_ID      COMMAND                ACTOR        AGENTS  STATUS
run_abc123  systemctl restart..    alice@team   12/12   success
run_xyz789  docker pull latest     bob@team     8/8     success

List fleet runs from last 24 hours.

$ tuc fleet runs --since 24h
(showing 23 runs)

List failed fleet runs.

$ tuc fleet runs --status failed
(showing 2 failed runs)

Show detailed info about a fleet run.

$ tuc fleet run-info run_abc123
command     systemctl restart nginx
actor       alice@team
started     2026-06-11 14:22:00
duration    2m 15s
agents      12/12 success

Show per-agent results of a fleet run.

$ tuc fleet run-results run_abc123
web-01  ✓ exit 0  (1.2s)
web-02  ✓ exit 0  (1.4s)
web-03  ✗ exit 1  (timeout)

Show output from a specific agent in a fleet run.

$ tuc fleet run-log run_abc123 web-01
Stopping nginx: [  OK  ]
Starting nginx: [  OK  ]

Update all agents with a tag.

$ tuc fleet update --tag prod
Updates available: 2.8.1 → 2.9.0
Update 12 agents? [y/N] y

Update agents in batches.

$ tuc fleet update --tag prod --batch-size 3
Batch 1: ✓ web-01, ✓ web-02, ✓ web-03
Batch 2: (in progress)

Update without verification checks.

$ tuc fleet update --tag prod --skip-verify
✓ 12 agents updated

Restart all agents with a tag.

$ tuc fleet restart --tag prod
Restart 12 agents? [y/N] y
✓ 12 restart signals sent

Restart agents with stagger delay.

$ tuc fleet restart --tag prod --stagger 30s
Restarting agents (30s apart)...

List valid approval tokens.

$ tuc fleet approval-tokens
APR_xyz123  HIGH   expires 2026-06-15
APR_abc456  MEDIUM expires 2026-06-12

Generate approval token for HIGH-risk operations.

$ tuc fleet approval-token --generate --level HIGH
APR_xyz123 (valid for 48h)

Revoke an approval token.

$ tuc fleet approval-token --revoke APR_xyz123
✓ token revoked

Assess risk of a command before running.

$ tuc fleet risk --command "systemctl restart nginx" --tag prod
risk_level    MEDIUM
affected      12 agents
downtime_est  ~2 minutes
approval      required

Enable notifications on fleet run failures.

$ tuc fleet notify --when failure
✓ notifications enabled (slack, email)

Send fleet notifications to Slack channel.

$ tuc fleet notify --channel slack://monitoring
✓ slack notifications configured

List notification subscriptions.

$ tuc fleet notify --list
slack://monitoring  (all events)
alice@team          (failures only)

List all identities registered with TucDesk.

$ tuc identity list
ID             TYPE  FINGERPRINT           ROLE
agt_9f2c1     agent SHA256:tQ8r…b4Jc     prod
alice@team    user  SHA256:kL3x…m9Df     admin

Show detailed identity information.

$ tuc identity info agt_9f2c1
fingerprint   SHA256:tQ8r…b4Jc
public_key    (ed25519)
created       2026-01-15
expires       2027-01-15
revoked       no

Generate a new agent identity.

$ tuc identity generate --type agent
✓ new identity: agt_x8z2k (ed25519)

Generate a new user identity.

$ tuc identity generate --type user
✓ new identity: user_abc123 (ed25519)

Import identity from file.

$ tuc identity import ./identity.pem
✓ imported identity: agt_9f2c1

Export identity public key to file.

$ tuc identity export agt_9f2c1 > identity.pub

Export identity including private key (careful!).

$ tuc identity export agt_9f2c1 --private > identity.key

Rotate identity keys (generate new keypair).

$ tuc identity rotate agt_9f2c1
✓ new keypair generated
old key revoked automatically

Rotate identity but keep old key valid for 7 days.

$ tuc identity rotate agt_9f2c1 --keep-old 7d
✓ old key valid until 2026-06-18

Revoke an identity immediately.

$ tuc identity revoke agt_9f2c1
⚠ This will disconnect the agent. Continue? [y/N] y
✓ identity revoked

Verify a signature using an identity.

$ tuc identity verify agt_9f2c1 sig_xyz123
✓ signature valid (signed 2m ago)

Show identity fingerprint.

$ tuc identity fingerprint agt_9f2c1
SHA256:tQ8r…b4Jc

List all API keys and tokens.

$ tuc key list
KEY_ID      SCOPE       CREATED        EXPIRES        ACTIVE
key_abc123  fleet:run   2026-05-01     2026-08-01     yes
key_xyz789  agent:list  2026-06-01     2027-06-01     yes

Generate a new API key with specific scope.

$ tuc key generate --scope fleet:run
api_key_xyz123...
(save this securely, it won't be shown again)

Generate API key with multiple scopes.

$ tuc key generate --scope agent:list,agent:update
api_key_abc123...

Generate temporary API key valid for 24 hours.

$ tuc key generate --ttl 24h
api_key_temp_xyz...
(expires in 24 hours)

Revoke an API key.

$ tuc key revoke key_abc123
✓ key revoked

Rotate API key (revoke old, generate new).

$ tuc key rotate key_abc123
api_key_new_xyz...

Validate an API key.

$ tuc key validate api_key_xyz123
✓ valid (scope: fleet:run, expires: 2026-08-01)

Backup all API keys to encrypted file.

$ tuc key backup
✓ backed up 12 keys to ./keys-backup.tuc

Show audit log for API key usage.

$ tuc key audit key_abc123
(showing 15 recent uses)

List all certificates in use.

$ tuc cert list
AGENT      SUBJECT          EXPIRES       STATUS
web-01     CN=agt_9f2c1     2027-06-11    valid
db-01      CN=agt_4b7e8     2027-02-15    warning (expires soon)

Show detailed certificate information.

$ tuc cert info agt_9f2c1
subject         CN=agt_9f2c1
issuer          CN=TucDesk CA
not_before      2026-06-11
not_after       2027-06-11
fingerprint_sha256  e3b0c4…49a7c

Generate new certificate for an agent.

$ tuc cert generate --agent agt_9f2c1
✓ new certificate generated (valid 365 days)

Generate certificate with custom validity period.

$ tuc cert generate --agent agt_9f2c1 --validity 730d
✓ new certificate generated (valid 730 days)

Validate certificate for an agent.

$ tuc cert validate --agent agt_9f2c1
✓ certificate valid and not revoked

Validate all agent certificates.

$ tuc cert validate-all
✓ 26/27 certificates valid
⚠ 1 certificate expires in 5 days

Revoke a certificate.

$ tuc cert revoke --agent agt_9f2c1
✓ certificate revoked (agent will disconnect)

Install a custom CA certificate.

$ tuc cert install --file ./ca.crt
✓ certificate installed

Export certificate chain.

$ tuc cert export --agent agt_9f2c1 > cert.pem

Encrypt a file using team key.

$ tuc encrypt --file data.json
✓ encrypted to data.json.tuc

Decrypt an encrypted file.

$ tuc decrypt --file data.json.tuc
✓ decrypted to data.json

Sign a file using your identity.

$ tuc sign --file report.pdf
✓ signature saved to report.pdf.sig

Verify a file signature.

$ tuc verify --file report.pdf --signature report.pdf.sig
✓ signature valid (signed by alice@team)

Calculate cryptographic hash of file.

$ tuc hash --file data.json
sha256: e3b0c4…49a7c

Calculate hash using specific algorithm.

$ tuc hash --file data.json --algorithm sha512
sha512: 5e4e…9f3c

List all secrets in your team vault.

$ tuc secret list
prod-db-password
api-key-slack
prod-tls-key

Retrieve a secret from vault.

$ tuc secret get prod-db-password
(secret value printed to stdout)

Retrieve secret without echoing (for scripts).

$ tuc secret get prod-db-password --no-echo
(printed without echo)

Store a secret in vault.

$ tuc secret set prod-db-password (prompted for value)
✓ secret stored (encrypted)

Store secret from file contents.

$ tuc secret set prod-tls-key --file ./key.pem
✓ secret stored

Delete a secret from vault.

$ tuc secret delete old-api-key
⚠ This cannot be undone. Confirm? [y/N] y
✓ secret deleted

Rotate a secret (backup old, create new).

$ tuc secret rotate prod-db-password
✓ old secret backed up
(new value generated and printed)

Show who accessed a secret and when.

$ tuc secret audit prod-db-password
alice@team     read   2026-06-11 14:22
bob@team       read   2026-06-11 10:15

Run security posture check on local agent.

$ tuc posture check
✓ encryption enabled
✓ certificate valid
✓ firewall configured
⚠ update available

Generate posture report for compliance.

$ tuc posture report
✓ 26/27 agents pass baseline
⚠ 2 certificates expire in <30 days
✓ 100% encryption enabled

Export posture report as PDF.

$ tuc posture export --format pdf
✓ report saved to posture-2026-06-11.pdf

Set CLI configuration value (persisted in ~/.config/tuc/config.toml).

$ tuc config set api_url https://api.yourdomain.com
✓ api_url saved

Get CLI configuration value.

$ tuc config get api_url
https://api.yourdomain.com

List all CLI configuration values.

$ tuc config list
api_url            https://api.yourdomain.com
default_tag        prod
output_format      text

List configuration including defaults.

$ tuc config list --all
api_url            https://api.yourdomain.com (custom)
timeout            30s (default)

Reset configuration to default value.

$ tuc config reset output_format
✓ reset to default: text

Reset all configuration to defaults.

$ tuc config reset-all
⚠ Reset all config? [y/N] y
✓ configuration reset

Validate configuration syntax.

$ tuc config validate
✓ configuration valid

Export configuration to file.

$ tuc config export > config-backup.toml

Import configuration from file.

$ tuc config import config-backup.toml
✓ configuration imported

Set default tag for fleet operations.

$ tuc config set default_tag prod
✓ default_tag saved

Set default output format.

$ tuc config set output_format json
✓ output_format saved

Set API request timeout.

$ tuc config set api_timeout 60s
✓ api_timeout saved

Show team information.

$ tuc team info
name           acme-corp
members        12
agents         27
subscription   enterprise

List team members.

$ tuc team members
alice@team     admin     active
bob@team       operator  active
charlie@team   viewer    active

Filter team members by role.

$ tuc team members --role operator
bob@team       operator  active
dave@team      operator  active

Invite a new team member.

$ tuc team invite newuser@company.com --role operator
✓ invitation sent to newuser@company.com

Invite a team member as admin.

$ tuc team invite admin@company.com --role admin
✓ invitation sent

Invite a team member with viewer access.

$ tuc team invite viewer@company.com --role viewer
✓ invitation sent

Remove a team member.

$ tuc team revoke olduser@company.com
✓ user access revoked

Change a team member role.

$ tuc team update-role bob@team admin
✓ role updated (operator → admin)

List pending invitations.

$ tuc team pending-invites
newuser@company.com  invited 2h ago
another@company.com  invited 1d ago

Resend invitation to pending member.

$ tuc team resend-invite newuser@company.com
✓ invitation sent

Switch to allowlist ACL mode (only explicit permissions).

$ tuc acl set --mode allowlist
✓ ACL mode: allowlist (2 rules active)

Switch to denylist ACL mode (allow by default).

$ tuc acl set --mode denylist
✓ ACL mode: denylist

List all ACL rules.

$ tuc acl list
alice@team  allow  fleet:run:prod
bob@team    deny   fleet:run:*

Add ACL rule allowing user to run fleet operations on tag.

$ tuc acl add --user alice@team --action fleet:run --resource prod
✓ rule added

Add ACL rule allowing sessions on tag.

$ tuc acl add --user bob@team --action session:start --resource web
✓ rule added

Add ACL rule for a role.

$ tuc acl add --role operator --action agent:list
✓ rule added for operator role

Remove ACL rule.

$ tuc acl remove --user alice@team --action fleet:run --resource prod
✓ rule removed

Add deny rule.

$ tuc acl deny --user charlie@team --action fleet:run
✓ deny rule added

Add allow rule.

$ tuc acl allow --user dave@team --action agent:list
✓ allow rule added

Export ACL rules to file.

$ tuc acl export > acl-rules.json

Import ACL rules from file.

$ tuc acl import acl-rules.json
✓ 5 rules imported

Test if user can perform action.

$ tuc acl test --user alice@team --action fleet:run --resource prod
✓ allowed

Export tamper-evident audit log for compliance review.

$ tuc audit export --from 2026-05-01
✓ 4,182 signed entries → audit-2026-05-01.jsonl

Export audit log for specific date range.

$ tuc audit export --from 2026-05-01 --to 2026-05-31
✓ 3,456 entries exported

Export audit log as CSV.

$ tuc audit export --format csv > audit.csv

List recent audit entries.

$ tuc audit list
TIMESTAMP           ACTOR        ACTION           TARGET     RESULT
2026-06-11 14:22    alice@team   fleet:run        prod       success
2026-06-11 14:21    bob@team     session:start    web-01     success

Filter audit log by actor.

$ tuc audit list --actor alice@team
(showing 23 entries by alice@team)

Filter audit log by action type.

$ tuc audit list --action fleet:run
(showing 45 fleet runs)

Filter audit log by result.

$ tuc audit list --result failed
(showing 2 failed operations)

Show audit entries from last 7 days.

$ tuc audit list --since 7d
(showing 234 entries)

Verify audit log integrity.

$ tuc audit verify
✓ audit log integrity verified (4,182 entries)

Search audit log by keyword.

$ tuc audit search "nginx"
(found 3 matching entries)

Show audit log statistics.

$ tuc audit stats
total_entries    4,182
date_range       2026-01-01 to 2026-06-11
actions          42 unique types

Run comprehensive compliance scan.

$ tuc compliance scan
✓ 27/27 agents scanned
✓ 26/27 agents compliant
⚠ 1 agent non-compliant (missing security updates)

Scan for specific compliance policy.

$ tuc compliance scan --policy pci-dss
✓ PCI-DSS compliance: 95%

Scan for HIPAA compliance.

$ tuc compliance scan --policy hipaa
✓ HIPAA compliance: 100%

Scan for GDPR compliance.

$ tuc compliance scan --policy gdpr
✓ GDPR compliance: 98%

Generate compliance report.

$ tuc compliance report
Generating report...
✓ report-2026-06-11.pdf

Export compliance data as JSON.

$ tuc compliance export --format json > compliance.json

Auto-remediate compliance issues on agent.

$ tuc compliance remediate --agent agt_9f2c1
✓ applied 3 remediation steps

Create backup of team configuration.

$ tuc backup create
✓ backup-2026-06-11.tuc created (2.3MB)

List available backups.

$ tuc backup list
backup-2026-06-11.tuc  2.3MB   2h ago
backup-2026-06-10.tuc  2.1MB   1d ago

Restore from backup file.

$ tuc backup restore backup-2026-06-11.tuc
⚠ This will overwrite current config. Continue? [y/N] y
✓ restored from backup

Delete a backup file.

$ tuc backup delete backup-2026-06-10.tuc
✓ backup deleted

Enable daily automatic backups.

$ tuc backup auto-enable --daily
✓ automatic daily backups enabled

List notification subscriptions.

$ tuc notification list
slack://monitoring  (all events)
alice@team          (failures only)

Subscribe to notifications on Slack channel.

$ tuc notification subscribe --channel slack://alerts
✓ subscribed to slack://alerts

Subscribe to failure notifications via email.

$ tuc notification subscribe --email alice@team --when failure
✓ subscribed

Unsubscribe from notifications.

$ tuc notification unsubscribe --channel slack://alerts
✓ unsubscribed

Send test notification to channel.

$ tuc notification test --channel slack://alerts
✓ test notification sent

List configured webhooks.

$ tuc webhook list
WEBHOOK_ID  EVENT     URL                        ACTIVE
wh_abc123   fleet:run https://monitoring.local    yes
wh_xyz789   agent:up  https://monitoring.local    yes

Create webhook for fleet run events.

$ tuc webhook create --event fleet:run --url https://monitoring.local/tuc/webhook
✓ webhook created (wh_abc123)

Create webhook for agent online events.

$ tuc webhook create --event agent:online --url https://api.example.com
✓ webhook created

Create webhook for agent offline events.

$ tuc webhook create --event agent:offline --url https://api.example.com
✓ webhook created

Create webhook for session start events.

$ tuc webhook create --event session:start --url https://audit.example.com
✓ webhook created

Create webhook for session end events.

$ tuc webhook create --event session:end --url https://audit.example.com
✓ webhook created

Update webhook URL.

$ tuc webhook update wh_abc123 --url https://new.endpoint.com
✓ webhook updated

Disable a webhook.

$ tuc webhook update wh_abc123 --active false
✓ webhook disabled

Delete a webhook.

$ tuc webhook delete wh_abc123
✓ webhook deleted

Send test event to webhook.

$ tuc webhook test wh_abc123
✓ test event sent (200 OK)

Show webhook delivery logs.

$ tuc webhook logs wh_abc123
2026-06-11 14:22  200  4ms
2026-06-11 14:21  200  5ms

Retry failed webhook delivery.

$ tuc webhook retry wh_abc123 --event evt_xyz
✓ retrying event delivery

Verify webhook request signature.

$ tuc webhook verify sig_xyz123
✓ signature verified

Connect Slack workspace to TucDesk.

$ tuc integration slack connect
(opens browser to Slack OAuth)
✓ Slack workspace connected

Disconnect Slack integration.

$ tuc integration slack disconnect
⚠ This will revoke TucDesk access. Continue? [y/N] y
✓ disconnected

Send notifications to Slack channel on failure.

$ tuc integration slack notify --channel alerts --when failure
✓ slack notifications configured

Send test message to Slack.

$ tuc integration slack test
✓ test message sent to #tuc-notifications

Connect PagerDuty account.

$ tuc integration pagerduty connect --token <api-key>
✓ PagerDuty account connected

Send high-severity incidents to PagerDuty.

$ tuc integration pagerduty notify --severity high
✓ high-severity notifications configured

Disconnect PagerDuty.

$ tuc integration pagerduty disconnect
✓ disconnected

Connect Datadog account.

$ tuc integration datadog connect --api-key xxx --app-key yyy
✓ Datadog account connected

Send TucDesk metrics to Datadog.

$ tuc integration datadog send-metrics
✓ metrics sent to Datadog

Disconnect Datadog.

$ tuc integration datadog disconnect
✓ disconnected

Connect Splunk via HTTP Event Collector.

$ tuc integration splunk connect --hec-token xxx --hec-url https://splunk.local:8088
✓ Splunk HEC connected

Send TucDesk logs to Splunk.

$ tuc integration splunk send-logs
✓ logs sent to Splunk

Disconnect Splunk.

$ tuc integration splunk disconnect
✓ disconnected

Create API token for CI/CD integration.

$ tuc api token create --name "CI/CD"
api_token_xyz123...
(save this securely)

Create token with specific scopes.

$ tuc api token create --scope fleet:run,agent:list
api_token_xyz123...

Create temporary token valid for 24 hours.

$ tuc api token create --ttl 24h
api_token_temp_xyz...

List API tokens.

$ tuc api token list
NAME     SCOPE           CREATED        ACTIVE
CI/CD    fleet:run       2026-06-01     yes
Backup   agent:list      2026-05-15     yes

Revoke an API token.

$ tuc api token revoke tok_abc123
✓ token revoked

Rotate token (revoke old, issue new).

$ tuc api token rotate tok_abc123
api_token_new_xyz...

Validate an API token.

$ tuc api token validate api_token_xyz123
✓ valid (scope: fleet:run,agent:list)

Register new OAuth application.

$ tuc oauth app create --name "monitoring"
client_id      app_xyz123
client_secret  secret_abc456
redirect_uri   (configure in app)

List registered OAuth applications.

$ tuc oauth app list
monitoring  app_xyz123  active
backup-tool app_abc456  active

Revoke OAuth application.

$ tuc oauth app revoke app_xyz123
✓ application revoked

Authorize OAuth application with specific scope.

$ tuc oauth authorize --app-id app_xyz123 --scope fleet:run
✓ application authorized

Show sync status with other instances.

$ tuc sync status
instance-01   synced   5s ago
instance-02   synced   3s ago

Enable sync with another TucDesk instance.

$ tuc sync enable --peer https://other-instance.com
✓ sync enabled (bidirectional)

Disable sync with a peer.

$ tuc sync disable --peer https://other-instance.com
✓ sync disabled

Force immediate sync with all peers.

$ tuc sync force-sync
✓ sync in progress
✓ 2 peers synchronized

Show sync conflicts that need resolution.

$ tuc sync conflicts
agent tag: prod (3 versions)
acl rule: user-alice (2 versions)

Resolve sync conflicts using strategy.

$ tuc sync resolve --conflicts acl --strategy latest
✓ conflicts resolved

Pair mobile device with dashboard pairing code.

$ tuc mobile pair --code 123456
✓ mobile device paired (iOS/Android)

Unpair a mobile device.

$ tuc mobile unpair device_abc123
✓ device unpaired

List paired mobile devices.

$ tuc mobile list
DEVICE_ID      OS       NAME          LAST SEEN
device_abc123  iOS      Alice iPhone  5m ago
device_xyz789  Android  Bob Pixel     1h ago

Check status of paired mobile device.

$ tuc mobile status device_abc123
status      online
battery     87%
location    online (last seen 5m ago)

Show logs from mobile device.

$ tuc mobile logs device_abc123
2026-06-11 14:22  [info] session connected
2026-06-11 14:21  [info] heartbeat sent

Push update to mobile app.

$ tuc mobile update device_abc123
✓ update pushed (will install on next launch)

Check mobile device permissions.

$ tuc mobile permissions device_abc123
notification   granted
clipboard      denied

Configure mobile device settings.

$ tuc mobile config device_abc123 --set push-notifications true
✓ configuration updated

Check dashboard service status.

$ tuc dashboard status
web        online (1.2.3)
api        online (1.2.3)
database   online
cache      online

Get dashboard configuration.

$ tuc dashboard config get session-timeout
session-timeout: 30m

Set dashboard configuration.

$ tuc dashboard config set session-timeout 60m
✓ configuration updated

Show dashboard web service logs.

$ tuc dashboard logs --service web
2026-06-11 14:22 [info] request GET /api/agents

Show dashboard metrics.

$ tuc dashboard metrics
requests_per_sec  234
error_rate        0.1%
response_time     45ms

Run health check on dashboard.

$ tuc dashboard health
✓ web service healthy
✓ api responding
✓ database connected

Restart dashboard services.

$ tuc dashboard restart
(restarting services...)
✓ dashboard restarted

Backup dashboard data.

$ tuc dashboard backup
✓ backup created (234MB)

Set dashboard theme.

$ tuc dashboard theme set dark
✓ theme updated

Set dashboard to light theme.

$ tuc dashboard theme set light
✓ theme updated

Set dashboard language.

$ tuc dashboard language set es
✓ language updated (español)

Run comprehensive system diagnostics.

$ tuc doctor
✓ CLI version: 2.8.1
✓ API connectivity
✓ local configuration
✗ certificate expiry (warning)

Run diagnostics with detailed output.

$ tuc doctor --verbose
(detailed system information)

Enable debug logging.

$ tuc debug enable
✓ debug logging enabled
(logs written to ~/.config/tuc/debug.log)

Stream debug logs in real-time.

$ tuc debug logs --follow
(streaming debug logs...)

Disable debug logging.

$ tuc debug disable
✓ debug logging disabled

Trace command execution with timing.

$ tuc trace --command "tuc agent list"
send request        2ms
receive response    45ms
parse json          1ms

Run performance benchmarks.

$ tuc benchmark
agent list (100 agents)  234ms
fleet run (12 agents)    1.2s

Show system information.

$ tuc sysinfo
OS:         macOS 13.2
Arch:       arm64
CLI:        2.8.1
API:        https://api.yourdomain.com

Test network connectivity to API.

$ tuc network test
✓ connection to api.yourdomain.com
✓ TLS certificate valid
✓ response time 45ms

Detect proxy settings.

$ tuc network proxy --detect
proxy detected: http://proxy.local:3128

Set HTTP proxy.

$ tuc network proxy --set http://proxy.local:3128
✓ proxy configured

Test DNS resolution.

$ tuc network dns-test
api.yourdomain.com  → 203.0.113.45 (45ms)

Export logs from last 24 hours.

$ tuc log export --since 24h
✓ exported to logs-2026-06-11.zip

Clear local log files.

$ tuc log clear
⚠ Clear logs? [y/N] y
✓ logs cleared

Get information about an error code.

$ tuc error report ERR_CONN_TIMEOUT
Connection timeout. Check network or increase timeout.

Submit error report to support.

$ tuc error submit --description "agent won't pair"
✓ report submitted (ticket: TKT-123456)

Show CLI version.

$ tuc version
2.8.1 (build 2026-05-15)

Check for available updates.

$ tuc version --check
✓ 2.9.0 available (current: 2.8.1)

Update CLI to latest version.

$ tuc update
Updating 2.8.1 → 2.9.0...
✓ CLI updated

Update to specific version.

$ tuc update --to 2.8.0
⚠ Downgrade to 2.8.0? [y/N] y
✓ downgraded

Preview update without installing.

$ tuc update --dry-run
Would update: 2.8.1 → 2.9.0 (24MB)

Show CLI help.

$ tuc help
tuc — the TucDesk fleet CLI
COMMANDS: agent, session, fleet, config, audit, acl

Show help for specific command.

$ tuc help fleet
fleet — fleet operations
SUBCOMMANDS: run, status, health, scale

Show command examples.

$ tuc examples
# Run command on production fleet
tuc fleet run --tag prod --command "systemctl restart nginx"

Send feedback to TucDesk team.

$ tuc feedback
(opens feedback form in browser)

Send feedback directly.

$ tuc feedback --message "please add X feature"
✓ feedback sent

Clear CLI cache.

$ tuc cache clear
✓ cache cleared (freed 12MB)

Show cache statistics.

$ tuc cache stats
items       234
size        12MB
hits        1,234
misses      89

Show local storage info.

$ tuc storage info
config    ~/.config/tuc (234KB)
logs      ~/.tuc/logs (45MB)
cache     ~/.tuc/cache (12MB)

Run multiple operations from YAML file.

$ tuc batch run --file operations.yml
(executing 5 operations...)
✓ batch completed

Create reusable batch operation.

$ tuc batch create --name "daily-update"
(editor opens for definition)
✓ batch created

List saved batch operations.

$ tuc batch list
daily-update     (5 steps)
weekly-scan      (8 steps)

Execute a saved batch operation.

$ tuc batch execute daily-update
(executing batch...)
✓ completed

Schedule batch operation on cron.

$ tuc batch schedule daily-update --cron "0 0 * * *"
✓ scheduled daily at midnight

Delete a batch operation.

$ tuc batch delete old-batch
✓ batch deleted

Run bash/shell script through TucDesk.

$ tuc script run deploy.sh
(executing script on agents...)

Validate script syntax before running.

$ tuc script validate deploy.sh
✓ script valid

Create new script template.

$ tuc script template > myscript.sh
(template with examples)

List script library functions.

$ tuc script library list
tuc_alert()
tuc_retry()
tuc_parallel()

Preview command without executing.

$ tuc --dry-run fleet run --tag prod --command "systemctl restart"
Would affect: 12 agents

Test a command on single agent.

$ tuc test --agent web-01 "echo test"
web-01: test

Validate command syntax.

$ tuc validate --command "systemctl restart nginx"
✓ command valid

Show fleet-wide metrics.

$ tuc metrics fleet
agents_online    26/27 (96%)
avg_latency      45ms
cpu_usage        23%

Show metrics for specific agent.

$ tuc metrics agent agt_9f2c1
cpu        12.3%
memory     512MB / 2GB
uptime     45d

Export metrics in Prometheus format.

$ tuc metrics export --format prometheus > metrics.txt

Show metric timeseries for agent.

$ tuc metrics timeseries --agent agt_9f2c1 --metric cpu
(CPU usage over time graph)

List defined policies.

$ tuc policy list
session-timeout     30m
fleet-approval      required
encryption          required

Create new policy.

$ tuc policy create --name session-timeout --value 60m
✓ policy created

Update policy value.

$ tuc policy update session-timeout --value 60m
✓ policy updated

Delete policy.

$ tuc policy delete old-policy
✓ policy deleted

Show policy change history.

$ tuc policy audit session-timeout
2026-06-11  alice@team  30m → 45m

Create command alias for faster typing.

$ tuc alias create restart-prod "fleet run --tag prod --command 'systemctl restart'"
✓ alias created (restart-prod)

List custom aliases.

$ tuc alias list
restart-prod     fleet run --tag prod...
update-prod      fleet update --tag prod...

Delete custom alias.

$ tuc alias delete restart-prod
✓ alias deleted

Find agents matching query.

$ tuc query --agent "os:linux AND cpu>80"
Matched 3 agents

Find sessions matching query.

$ tuc query --session "actor:alice@team AND duration>30m"
Matched 2 sessions

Export agents list as JSON.

$ tuc export agents --format json > agents.json

Export configuration as YAML.

$ tuc export config --format yaml > config.yaml

Import agents from JSON file.

$ tuc import agents --file agents.json
✓ imported 5 agents

Import configuration from file.

$ tuc import config --file config.yaml
✓ configuration imported

Acquire exclusive lock for fleet operations.

$ tuc lock acquire --resource fleet
✓ fleet locked (held by you)

Release fleet lock.

$ tuc lock release --resource fleet
✓ fleet lock released

Enable maintenance mode (pause operations).

$ tuc maintenance enable
✓ maintenance mode enabled

Disable maintenance mode.

$ tuc maintenance disable
✓ maintenance mode disabled

Check maintenance mode status.

$ tuc maintenance status
mode      enabled
since     2026-06-11 14:20
reason    system update

Initialize environment configuration.

$ tuc env init
✓ environment initialized

List environment variables.

$ tuc env list
TUC_API_URL        https://api.yourdomain.com
TUC_DEFAULT_TAG    prod

Set environment variable.

$ tuc env set TUC_API_URL https://api.yourdomain.com
✓ environment variable set

Get environment variable value.

$ tuc env get TUC_API_URL
https://api.yourdomain.com

Unset environment variable.

$ tuc env unset TUC_DEFAULT_TAG
✓ variable removed

Export all environment variables.

$ tuc env export > .env

Import environment from file.

$ tuc env import .env.prod
✓ 5 variables imported

Validate environment configuration.

$ tuc env validate
✓ environment configuration valid

Switch to different environment profile.

$ tuc env switch prod
✓ switched to prod environment

Create new environment profile.

$ tuc env create-profile staging
✓ profile created (staging)