Command reference
Run maand from the bucket root (the directory created by maand init). Use maand <command> --help for flags.
Configuration files: configuration.md · KV: KV persistence · Templates: templates.md
Workflow commands
| Command | Summary | Details |
|---|---|---|
| maand init | Create or upgrade bucket (DB, workspace layout, CA, secrets) | — |
| maand build | Read workspace → update maand.db, KV, certs; run post_build hooks | build.md |
| maand deploy | Push jobs to workers, roll out, run deploy hooks | deploy.md · rolling-deploy · debugging-deploy.md |
| maand health_check | Worker SSH gate + per-job health (manifest probes or commands) | health-check.md |
| maand gc | Purge removed allocations, worker data, old KV history | gc.md |
Inspect commands
| Command | Summary |
|---|---|
| maand info | Bucket ID, update sequence, counts |
| maand cat workers | Worker catalog (includes zone from tags.zone) |
| maand cat jobs | Job catalog (includes deployment_seq) |
| maand cat allocations | Job × worker rows (--jobs, --workers filters; includes worker zone) |
| maand cat deployments | Allocation hashes, versions, post_deploy_status, rollout state (--jobs, --workers) |
| maand cat hooks | Commands from manifests |
| maand cat ports | Declared ports per job |
| maand cat certs | TLS CA and leaf certs with expiry (--jobs, --workers) — certs.md |
| maand cat prometheus | _prometheus/ participation (scrape, alerts, runbooks, dashboards); get, scrape subcommands |
| maand cat kv | List KV keys (--jobs, --active, --deleted; or maand cat kv get <ns> <key> [--reveal]) |
| maand logs show | Filter structured bucket logs (--worker, --run, --job, --phase, --event, --tail) |
Job control
Manual lifecycle on workers (requires prior deploy; validates worker.json / update_seq).
| Command | Summary | Details |
|---|---|---|
| maand job start <job> | make start via runner.py | job.md |
| maand job stop <job> | make stop | job.md |
| maand job restart <job> | make restart | job.md |
| maand job run <job> --target reload | make reload (manual; deploy uses restart_policy) | job.md |
| maand job run <job> --target <name> | Arbitrary Makefile target | job.md |
| maand job status <job> | make status | job.md |
| maand job create <job> | Scaffold workspace/jobs/<job>/ | job.md |
Common flags: --allocations ip,..., --health_check (start/stop/restart/run).
Hooks (hooks & CLI)
| Command | Summary | Details |
|---|---|---|
| maand hooks <hook> [job] | Run one manifest hook with event cli (hook alias) | hooks.md |
Flags: --verbose. Batch width follows max_concurrent_upgrades in each job manifest.
The same commands run automatically on events: post_build, pre_deploy, post_deploy, job_control, health_check.
Ad-hoc worker shell
| Command | Summary | Details |
|---|---|---|
| maand collect facts | Probe workers; print capacity or regenerate workers.json | collect.md |
| maand run_command "<shell>" | Run a command on workers over SSH | run-command.md |
Flags for collect facts: --workers, --labels, --concurrency, --generate-workers, --ignore-failure.
Flags for run_command: --workers, --labels, --concurrency, --health_check.
maand init
maand init
Creates (first run) or upgrades (later runs):
- data/maand.db with schema migrations
- workspace/workers.json (empty []), workspace/jobs/, workspace/bucket.conf
- maand.conf defaults — see configuration.md
- Bucket CA in secrets/ca.crt / ca.key
- KV encryption key secrets/kv.key
- tmp/ and logs/ directories
Does not contact workers. Re-running maand init on an existing bucket applies schema upgrades without changing bucket_id or the CA.
Other commands check the database schema before running. If the binary is newer than maand.db, they fail with a hint to run maand init.
maand build
maand build [--purge-secrets-kv]
| Flag | Description |
|---|---|
| --purge-secrets-kv | Force purge vars/job/<job> and secrets/job/<job> for workspace jobs with no active allocations |
Reconciles the entire workspace. No filters. Validates job demands and version constraints. See build.md.
Host prerequisites for post_build hooks: python3, plus bun if any commands are TS/JS.
maand deploy
maand deploy [--build] [--jobs j1,j2] [--dry-run] [--force] [--sync-only]
| Flag | Description |
|---|---|
| -b, --build | Run maand build first |
| --jobs | Limit to named jobs (still respects deployment sequence) |
| -n, --dry-run | Stage locally and compare hashes; prints per-allocation actions (start, restart, reload, sync, skip) without worker changes |
| --force | Redeploy even when all allocations are already promoted |
| --sync-only | Rsync and promote without lifecycle targets; fails when any allocation still needs start |
After rsync, deploy applies restart_policy (always → make restart, reload → make reload, never → files only). See deploy.md.
Host prerequisites: bash, ssh, rsync, python3, optional bun.
Worker prerequisites: python3, make, rsync, bash, timeout, optional sudo.
See deploy.md.
maand job
maand job start|stop|restart|status <job> [--allocations ip,...] [--health_check]
maand job run <job> --target start|stop|restart|reload|<make-target> [--allocations ip,...] [--health_check]
maand job create <job> [--selectors s1,s2]
See job.md.
maand hooks
maand hooks <hook_name> [job] [--verbose]
Omit job to run on every catalog job that defines the command for cli. Batch width follows each job’s max_concurrent_upgrades.
Command must include cli in manifest executed_on. Script: workspace/jobs/<job>/_hooks/hook_<name>.py (or .ts/.js).
Host prerequisites: python3 or job venv; bun for TS/JS.
See hooks.md and hook-api.md.
maand health_check
maand health_check [--jobs j1,j2] [--wait] [--verbose]
| Flag | Description |
|---|---|
| --jobs | Limit to named jobs |
| --wait | Retry until pass (up to 30 attempts per job) |
| --verbose | Stream command output |
See health-check.md.
maand run_command
maand run_command "<shell>" [-w ip,...] [-l label,...] [-c N] [--health_check]
Host prerequisites: bash, ssh.
Worker prerequisites: bash, timeout, optional sudo.
See run-command.md.
maand collect
maand collect facts [-w ip,...] [-l label,...] [-c N] [--generate-workers] [--ignore-failure]
maand collect uptime [-w ip,...] [-l label,...] [-c N] [--ignore-failure]
Host prerequisites: bash, ssh.
Worker prerequisites: Linux, bash, timeout, optional sudo (facts also needs /proc/meminfo).
Use collect facts to print discovered memory / cpu. With --generate-workers, redirect stdout to update workspace/workers.json, then run maand build.
See collect.md.
maand gc
maand gc [--retain-days N]
See gc.md.
maand info and maand cat
maand info
maand cat workers
maand cat jobs
maand cat allocations [--jobs api] [--workers 10.0.0.1]
maand cat deployments [--jobs vault] [--workers 10.0.0.1]
maand cat hooks
maand cat ports
maand cat certs [--jobs api] [--workers 10.0.0.1]
maand cat prometheus [--jobs j1,j2]
maand cat prometheus get <job> <path>
maand cat prometheus scrape [--jobs j1,j2]
maand cat kv
maand cat kv --jobs vault
maand cat kv --jobs vault --active
maand cat kv --deleted
maand cat kv get maand/job/api job_name
maand cat kv get --reveal secrets/job/vault root_token
See info.md.
maand cat deployments
maand cat deployments [--jobs j1,j2] [--workers ip,...] [--active]
| Flag | Description |
|---|---|
| --jobs | Comma-separated job names |
| --workers | Comma-separated worker IPs |
| --active | Only active allocations (removed=0, disabled=0) |
Shows current_hash, previous_hash, current_version, new_version, post_deploy_status, and rollout state per allocation. Rollout is removed, disabled, or disabled_restart when the allocation flag applies; otherwise hash/version state (new, restart, promoted, health_failed). post_deploy_status is - when unset, or pending / success / failed when the job has post_deploy hooks. deploy clears hash rows for removed allocations. See deploy.md and debugging-deploy.md.
maand cat certs
maand cat certs [--jobs j1,j2] [--workers ip,...]
Lists the bucket CA (secrets/ca.crt) and job leaf certificates from KV with common name, not_after, days_left, and status (ok, expiring, expired, invalid). Uses certs_renewal_buffer from maand.conf for the expiring window (CA and leaf). maand build prints a stderr warning for an expiring or invalid CA and fails when the CA is expired. See certs.md.
maand cat kv
maand cat kv [--jobs j1,j2] [--active] [--deleted]
| Flag | Description |
|---|---|
| --jobs | Comma-separated job names; limits output to KV namespaces accessible to that job (same as hooks/templates: maand/bucket, vars/bucket, worker/allocation namespaces, upstream demand jobs) |
| --active | Only keys with deleted=0 |
| --deleted | Only keys with deleted=1 |
With --jobs, lists every KV namespace the job can read: shared maand/bucket and vars/bucket, each allocated worker's maand/worker/<ip> and tags, job/allocation namespaces, and upstream jobs referenced in command demands.
Recommended command order
maand init
# edit workspace
maand build
maand deploy # or: maand deploy -b
maand health_check # optional
# day-2: maand job *, maand hook, maand collect facts, maand run_command, maand gc
Operations: disable and drain, rolling-deploy, debugging-deploy.md.
Tutorials: quickstart.md, day-2-ops.md.