tyr CLI

tyr is the admin CLI. It talks to tyr-server over REST.

Global flags

Flag	Env	Default	Description
`--server`	`TYR_SERVER`	`https://localhost:7701`	REST endpoint

Credentials are stored at ~/.config/tyr/token after tyr login.

Commands

`tyr login`

tyr login --username admin
# prompts for password (use --password to skip)

Stores a JWT that’s valid for 24 hours. Subsequent commands use it automatically.

`tyr logout`

Deletes the stored token.

`tyr whoami`

Shows the decoded claims of the current token — user, role, expiry.

`tyr agent`

`tyr agent list`

Lists all connected daemons.

ID                                    NAME            STATUS    LAST_SEEN
4f27e3c1-ab89-...                     alice-laptop    online    5s ago
8b13df22-cc01-...                     prod-worker-1   online    12s ago

`tyr audit`

`tyr audit tail [--agent <name>]`

Live-tail events via SSE.

tyr audit tail                      # all agents
tyr audit tail --agent prod-worker-1

`tyr policy`

`tyr policy apply -f <file>`

Applies a YAML policy. Creates a new version.

tyr policy apply -f examples/policies/default-policy.yaml

`tyr policy list`

Lists all policy versions.

`tyr policy show <version>`

Prints the YAML source and compiled Cedar for a version.

`tyr policy diff --from <v1> --to <v2>`

Unified diff between two versions.

`tyr policy rollback <version>`

Re-applies the YAML of the given version as a new version. Non-destructive.

`tyr policy assign`

Binds a policy version to a target.

tyr policy assign --target-type daemon     --target-id <agent-uuid> --version 3
tyr policy assign --target-type agent-type --target-id cursor       --version 5

`tyr policy unassign <id>`

Removes an assignment by its ID. The target reverts to deny-by-default (or to its remaining overlays).

`tyr policy assignments`

Lists all current assignments.

`tyr policy effective <agent-id>`

Shows the fully-merged effective policy for a specific daemon — base + all applicable overlays.

`tyr enrollment-token`

`tyr enrollment-token create`

tyr enrollment-token create --label "laptops-q2" --max-uses 50 --expires-hours 168

Returns a one-time-display token. Store it carefully — it’s hashed (argon2id) server-side.

Flag	Default	Description
`--label`	required	Human label shown in the UI
`--max-uses`	∞	How many agents can enroll with this token
`--expires-hours`	∞	TTL in hours

Exit codes

Code	Meaning
0	Success
1	Generic error (network, server)
2	Not logged in
3	Permission denied (role too low)
4	Policy compile error

Scripting tip

Pipe JSON through jq:

curl -sS -H "Authorization: Bearer $(cat ~/.config/tyr/token)" \
  https://tyr.example.com:7701/api/v1/agents | jq '.[] | .name'

All CLI commands have REST equivalents — see the REST API reference.