--- title: "CLI Reference" description: "Complete reference for all Signet CLI commands." order: 9 section: "Reference" --- Signet CLI Reference ==================== Complete reference for all Signet CLI commands. For the [[daemon]] HTTP API, see [[api]]. For initial setup walkthrough, see [[quickstart]]. > Path note: `$SIGNET_WORKSPACE` means your active Signet workspace path. > Default is `~/.agents`, configurable via `signet workspace set `. --- Installation --- ```bash # direct native binary curl -fsSL https://signetai.sh/install.sh | bash # npm wrapper for the same compiled Signet binary npm install -g signetai # Bun wrapper for the same compiled Signet binary bun add -g signetai ``` All three install paths install the same compiled Signet binary. The npm and Bun paths install the `signetai` wrapper plus a platform native package tarball from the same GitHub release. Install scripts only link the native binary into place; if scripts are disabled, the wrapper resolves the native package directly. They do not install Bun, rebuild Signet, or install daemon dependencies. Published native binaries currently cover Linux x64, Linux arm64, macOS x64, macOS arm64, and Windows x64. Windows direct installs should use `npm install -g signetai`; the old PowerShell `install.ps1` path has been removed until a native Windows direct installer ships. --- Commands Overview --- | Command | Description | |---------|-------------| | `signet` | Show help, examples, and command map | | `signet setup` | First-time setup wizard | | `signet configure` | Interactive config editor (`signet config` alias) | | `signet status` | Show daemon and agent status | | `signet doctor` | Run local health checks | | `signet doctor hermes` | Check Hermes Agent plugin freshness, config activation, and tool routing | | `signet route` | Inspect and control inference routing | | `signet dashboard` | Open web UI in browser | | `signet daemon` | Grouped daemon subcommands | | `signet desktop` | Build and install the Electron desktop app from source | | `signet daemon start` | Start the daemon | | `signet daemon stop` | Stop the daemon | | `signet daemon restart` | Restart the daemon | | `signet daemon logs` | View daemon logs | | `signet remember` | Save a memory | | `signet recall` | Search memories | | `signet index` | Index a project with GraphIQ and make it active code context | | `signet export` | Export a portable bundle | | `signet import` | Import a portable bundle | | `signet migrate-schema` | Migrate database to unified schema | | `signet migrate-vectors` | Migrate BLOB vectors to sqlite-vec format | | `signet sync` | Sync hooks, extensions, built-in templates, and skills | | `signet secret` | Manage encrypted secrets | | `signet graphiq` | Manage the optional GraphIQ code retrieval plugin | | `signet skill` | Manage agent skills from registry | | `signet git` | Git sync management for $SIGNET_WORKSPACE | | `signet hook` | Lifecycle hook commands | | `signet update` | Check, install, and manage auto-updates | | `signet bypass` | Per-session hook bypass toggle | | `signet embed` | Manage memory embeddings | --- `signet` (No Arguments) --- Shows the top-level help output with examples. This keeps the CLI safe to call from scripts and agents without dropping into an interactive menu. ``` ◈ signet v0.1.0 own your agent. bring it anywhere. Usage: signet [options] [command] Examples: signet setup signet status signet doctor signet doctor hermes signet daemon start signet remember "Nicholai prefers command-first CLIs" ``` Use explicit commands for interactive flows: - `signet setup` — initialize or migrate a workspace - `signet configure` — edit agent settings interactively - `signet doctor` — troubleshoot local issues - `signet doctor hermes` — troubleshoot Hermes Agent integration issues --- `signet desktop` --- Builds the official Electron desktop app from an existing Signet source checkout. Without `--repo` or `SIGNET_SOURCE_DIR`, the command first syncs the managed workspace checkout at `/signetai`, ignoring generated desktop build artifacts such as `surfaces/desktop/release/` so stale local artifacts do not block fast-forward pulls. Explicit source paths are left under user control; set `SIGNET_SOURCE_DIR` or pass `--repo `. To build the checkout you are currently in, run `signet desktop install --repo .`. ```bash signet desktop build signet desktop install signet desktop install --repo . signet desktop install --repo ~/signet/signetai signet desktop install --skip-build ``` `signet desktop install` runs `bun install`, then `bun run build:desktop`, then installs the newest built artifact. Linux/Arch currently installs a user-level AppImage launcher at `~/.local/bin/signet-desktop` and a desktop entry under `~/.local/share/applications/signet.desktop`. macOS and Windows builds are produced by the desktop package, with native installer automation still guarded until those platform installers are wired. --- `signet setup` --- Interactive first-time setup wizard (with optional non-interactive mode). Creates the `$SIGNET_WORKSPACE/` directory and all necessary files. ```bash signet setup signet setup --path /custom/path signet setup --non-interactive \ --name "My Agent" \ --harness claude-code \ --identity-preset minimal \ --deployment-type vps \ --embedding-provider native ``` Options: | Option | Description | |--------|-------------| | `-p, --path ` | Custom base path (default: `$SIGNET_WORKSPACE`) | | `--non-interactive` | Run setup without prompts | | `--name ` | Agent name in non-interactive mode | | `--description ` | Agent description in non-interactive mode | | `--deployment-type ` | Deployment context (`local`, `vps`, `server`) used for interactive guidance and non-interactive inferred defaults | | `--harness ` | Repeatable/comma-separated harness list (`claude-code`, `opencode`, `openclaw`, `hermes-agent`, `oh-my-pi`, `pi`, `codex`, `gemini`) | | `--identity-preset ` | Identity/context preset (`minimal`, `hermes`, `openclaw`, `custom`); controls startup-loaded files and special prompt files like `DREAMING.md` | | `--embedding-provider ` | Non-interactive embedding provider (`ollama`, `openai`, `native`, `none`) | | `--embedding-model ` | Non-interactive embedding model | | `--extraction-provider ` | Non-interactive extraction provider (`claude-code`, `codex`, `ollama`, `opencode`, `openrouter`, `openai-compatible`, `none`) | | `--extraction-model ` | Non-interactive extraction model | | `--extraction-endpoint ` | Non-interactive extraction endpoint for OpenAI-compatible providers | | `--search-balance ` | Non-interactive search alpha (`0-1`) | | `--openclaw-runtime-path ` | Non-interactive OpenClaw mode (`plugin`, `legacy`) | | `--configure-openclaw-workspace` | Patch discovered OpenClaw configs to `$SIGNET_WORKSPACE` | | `--open-dashboard` | Open dashboard after non-interactive setup | | `--skip-git` | Skip git initialization/commits in non-interactive mode | | `--disable-signet-secrets` | Leave the bundled Signet Secrets core plugin installed but disabled | | `--with-graphiq` | Install and enable the optional verified GraphIQ code retrieval plugin | | `--disable-graphiq` | Leave the optional GraphIQ plugin disabled | | `--create-local-backup` | If OpenClaw points at this workspace and no origin exists, create a local snapshot automatically | | `--allow-unprotected-workspace` | Explicitly allow setup to finish without origin or snapshot in non-interactive mode | Non-interactive behavior: - setup method: create new identity (no GitHub import) - provider flags are optional; setup infers defaults from `--deployment-type` - `--identity-preset` defaults to `minimal` for new workspaces - the Minimal preset creates `AGENTS.md` for startup context and `DREAMING.md` for dreaming sessions; `DREAMING.md` is not loaded into normal startup context - hooks/connectors are configured for requested harnesses - with `--deployment-type vps`, setup prefers non-local extraction defaults from selected harnesses when those tools are available locally, then other detected tooling (`claude-code`, `codex`, `opencode`), and falls back to `none` when needed - for existing-identity migration, previously configured extraction providers are preserved unless `--extraction-provider` is explicitly passed - the bundled Signet Secrets core plugin is enabled by default; pass `--disable-signet-secrets` to opt out while leaving it installed - GraphIQ is optional and disabled by default; pass `--with-graphiq` to install it via the bundled install script (downloads from GitHub releases) - explicit provider flags override inferred defaults - git: enabled unless `--skip-git` is passed - when OpenClaw points at this workspace and no `origin` remote exists, setup requires either backup creation (`--create-local-backup`) or explicit bypass (`--allow-unprotected-workspace`) - snapshot-backed protection is treated as "fresh" for 7 days; after that, status/doctor warn again unless a remote origin exists or a new snapshot is made Extraction safety note: - intended usage is `claude-code` on Haiku, `codex` on gpt-5.4-mini with a Pro/Max subscription, or local `ollama` with at least `qwen3:4b` - with `--deployment-type vps`, setup avoids defaulting to local `ollama` extraction and prefers non-local providers - set `--extraction-provider none` on a VPS if you do not want background extraction - remote API extraction can create extreme usage fees fast Wizard steps: 1. **Agent Name** - What to call your agent 2. **Harnesses** - Which AI platforms you use: - Claude Code (Anthropic CLI) - Codex - OpenCode - OpenClaw - Oh My Pi - Pi - Hermes Agent 3. **OpenClaw Workspace** - Appears only when an existing OpenClaw config is detected; workspace is patched only if you opt in, and setup warns that uninstalling OpenClaw can delete this workspace unless backups exist 4. **Description** - Short agent description 5. **Core Plugins** - Signet Secrets explains encrypted local storage, value-safe CLI/MCP/SDK access, command injection with output redaction, and connections to Signet's local encrypted store and compatible 1Password references, then asks whether to enable the bundled `signet.secrets` plugin 6. **Optional Code Retrieval** - GraphIQ explains fast local codebase indexing, structural context, constants, and blast-radius tools, then asks whether to install the verified managed `signet.graphiq` plugin 7. **Deployment Context** - Where Signet is running (`local`, `vps`, `server`) to show environment-aware guidance before extraction provider selection 8. **Embedding Provider**: - Built-in (recommended, no setup required) - Ollama (local) - OpenAI API - Skip embeddings 9. **Embedding Model** - Based on provider: - Built-in: `nomic-embed-text-v1.5` - Ollama: `nomic-embed-text`, `all-minilm`, `mxbai-embed-large` - OpenAI: text-embedding-3-small, text-embedding-3-large - Ollama selections run preflight checks for binary availability, service health, and model presence; if checks fail, setup offers retry, switch to built-in embeddings, switch to OpenAI, or continue without embeddings 10. **Search Balance** - Semantic vs keyword weighting 11. **Advanced Settings** (optional): - `top_k` - Search candidates per source - `min_score` - Minimum search score threshold - `session_budget` - Context character limit - `decay_rate` - Memory importance decay 12. **Import** - Optionally import from another platform 13. **Git** - Initialize version control 14. **Launch Dashboard** - Open web UI What gets created: ``` $SIGNET_WORKSPACE/ ├── agent.yaml # Configuration ├── AGENTS.md # Agent identity ├── MEMORY.md # Working memory ├── memory/ │ ├── memories.db # SQLite database │ └── scripts/ # Memory tools ├── harnesses/ ├── hooks/ # OpenClaw hooks (if selected) │ └── agent-memory/ └── .daemon/ ├── plugins/ # Bundled core plugin registry └── logs/ ``` If harnesses are selected, their configs are also created: - **Claude Code**: `~/.claude/settings.json` with hooks, `~/.claude/CLAUDE.md` - **OpenCode**: `~/.config/opencode/plugins/signet.mjs` plugin, `~/.config/opencode/AGENTS.md` - **OpenClaw**: `$SIGNET_WORKSPACE/hooks/agent-memory/` hook directory - **Codex**: wrapper installed at `~/.config/signet/bin/codex` with session hooks --- `signet configure` --- Interactive configuration editor for modifying `$SIGNET_WORKSPACE/agent.yaml`. ```bash signet configure signet config # Alias ``` Sections: 1. **Agent identity** - Name and description 2. **Harnesses** - AI platform selection 3. **Embedding provider** - Ollama/OpenAI settings 4. **Search settings** - Alpha, top_k, min_score 5. **Memory settings** - Session budget, decay rate 6. **View current config** - Display agent.yaml contents Changes are saved to `agent.yaml` immediately. --- `signet index ` --- Thin wrapper around `graphiq index `. The command installs GraphIQ if it is missing, indexes the project into `/.graphiq/`, enables the managed `signet.graphiq` plugin, and records that path as Signet's active code project. ```bash signet index ~/signet/signetai signet index . --no-install ``` The GraphIQ index stays outside Signet memory and the main Signet database. Signet only stores plugin state and the active project pointer under `$SIGNET_WORKSPACE/.daemon/graphiq/state.json`. --- `signet graphiq` --- Manage the optional verified GraphIQ code retrieval plugin. | Command | Description | |---------|-------------| | `signet graphiq install` | Install GraphIQ from GitHub releases via script and enable the plugin | | `signet graphiq status` | Show GraphIQ status for the active indexed project | | `signet graphiq doctor` | Diagnose the active GraphIQ index | | `signet graphiq upgrade-index` | Rebuild stale artifacts for the active project | | `signet graphiq uninstall` | Disable Signet's GraphIQ integration and keep project indexes | | `signet graphiq uninstall --purge-indexes` | Disable integration and delete known `.graphiq/` directories | GraphIQ is maintained as a managed plugin by `aaf2tbz`, but remains optional and is not installed during setup unless the user opts in. --- `signet status` --- Show comprehensive status of the Signet installation. ```bash signet status signet status --path /custom/path ``` Options: | Option | Description | |--------|-------------| | `-p, --path ` | Custom base path | Output: ``` ◈ signet v0.1.0 own your agent. bring it anywhere. Status ● Daemon running PID: 12345 Uptime: 2h 15m Dashboard: http://localhost:3850 ✓ AGENTS.md ✓ agent.yaml ✓ memories.db Memories: 42 Conversations: 7 Path: /home/user/.agents ``` --- `signet dashboard` --- Open the Signet web dashboard in your default browser. ```bash signet dashboard signet ui # Alias ``` Options: | Option | Description | |--------|-------------| | `-p, --path ` | Custom base path | If the daemon is not running, it will be started automatically. --- `signet route` --- Inspect and control the shared inference router. Requires the daemon to be running for `list`, `status`, `doctor`, `explain`, and `test`. ```bash signet route list signet route status signet route doctor signet route explain "fix this bun test" --agent rose --task-class hard_coding signet route test "summarize this transcript" --agent dot --task-class casual_chat --timeout 60000 signet route pin opus/opus46 --agent rose --task-class hard_coding signet route unpin --agent rose --task-class hard_coding ``` Subcommands: | Command | Description | |---------|-------------| | `signet route list` | List router config plus runtime health | | `signet route status` | Show configured targets, policies, and workload bindings | | `signet route doctor` | Report broken or unavailable route targets | | `signet route explain ` | Dry-run a route decision and print the trace | | `signet route test ` | Execute a real prompt through the router | | `signet route pin ` | Write a hard pin into `agent.yaml` | | `signet route unpin` | Remove a hard pin from `agent.yaml` | Common options: | Option | Description | |--------|-------------| | `--agent ` | Agent id override | | `--task-class ` | Task-class override | | `--operation ` | Routing operation kind | | `--privacy ` | Privacy tier override | | `--policy ` | Explicit policy override | | `--target ` | Explicit target pin for the current request | | `--timeout ` | Request timeout for `route test`, up to 600000 ms | | `--refresh` | Re-check target health before routing | | `--debug` | Print the full routing decision trace | | `--json` | Emit raw JSON | Pins are stored under `routing.agents..pinnedTargets` in `$SIGNET_WORKSPACE/agent.yaml`. --- Daemon Commands --- Daemon operations live under the `signet daemon` subcommand group. The top-level shortcuts still exist as backwards-compatible aliases, but the grouped form is the preferred surface. ```bash signet daemon start signet daemon stop signet daemon restart signet daemon status signet daemon logs # Backwards-compatible aliases signet start signet stop signet restart signet logs ``` ### `signet daemon start` Start the Signet daemon if not already running. ``` ◈ signet v0.1.0 own your agent. bring it anywhere. ✔ Daemon started Dashboard: http://localhost:3850 ``` Top-level alias: `signet start` ### `signet daemon stop` Stop the running Signet daemon. Top-level alias: `signet stop` ### `signet daemon restart` Stop and start the daemon. Useful after installing an update. Top-level alias: `signet restart` ### `signet daemon logs` View daemon logs. ```bash signet daemon logs signet daemon logs -n 100 signet daemon logs --follow signet daemon logs --level warn signet daemon logs --category memory ``` Top-level alias: `signet logs` Options: | Option | Description | |--------|-------------| | `-n, --lines ` | Number of lines to show (default: 50) | | `-f, --follow` | Follow log output in real-time | | `-l, --level ` | Filter by level: `debug`, `info`, `warn`, `error` | | `-c, --category ` | Filter by category: `daemon`, `api`, `memory`, `sync`, `git`, `watcher` | ### Service Installation The daemon can be installed as a system service (systemd on Linux, launchd on macOS) using the daemon package's bun scripts: ```bash cd platform/daemon bun run install:service # Install as systemd/launchd service bun run uninstall:service # Remove the service ``` These are package-level scripts, not top-level `signet` CLI commands. They register a unit that starts the daemon automatically at login. --- `signet remember` --- Save a memory to the database. The daemon embeds it for vector search if an embedding provider is configured. ```bash signet remember "User prefers dark mode" signet remember "critical: never push to main" --critical signet remember "deploy runs on Friday" --tags devops,deploy --who user signet remember "deploy incident started before it was written down" --occurred-at 2026-05-13T18:00:00Z ``` Options: | Option | Description | |--------|-------------| | `-w, --who ` | Who is remembering (default: `user`) | | `-t, --tags ` | Comma-separated tags | | `-i, --importance ` | Importance score, 0-1 (default: 0.7) | | `--critical` | Mark as critical/pinned | | `--occurred-at ` | Event time this memory is about | | `--observed-at ` | Observation time this memory records | | `--source-created-at ` | Source-system creation time for this memory | | `--valid-from ` | Start of validity window for this memory | | `--valid-until ` | End of validity window for this memory | Output: ``` ✔ Saved memory: mem_abc123 (embedded) Tags: devops,deploy ``` --- `signet recall` --- Search memories using hybrid vector + keyword search. ```bash signet recall "user preferences" signet recall "release notes" --project /home/user/myapp signet recall "deploy process" --limit 5 --type decision signet recall "auth" --tags backend --who claude-code --since 2026-01-01 signet recall "deploy checklist" --keyword-query "deploy OR rollback" --min-score 0.8 signet recall "2026/05/13" signet recall "temporal recall" --time-start 2026-05-13T00:00:00Z --time-end 2026-05-14T00:00:00Z signet recall "project history" --aggregate --aggregate-budget small signet recall "secrets" --json ``` Primary controls: | Option | Description | |--------|-------------| | `-l, --limit ` | Max results (default: 10) | | `--project ` | Filter by project | Common refinements: | Option | Description | |--------|-------------| | `-t, --type ` | Filter by memory type | | `--tags ` | Filter by tags (comma-separated) | | `--who ` | Filter by author | | `--since ` | Only include memories created after this date | | `--until ` | Only include memories created before this date | | `--time-start ` | Temporal recall lower bound | | `--time-end ` | Temporal recall upper bound | | `--time-facets ` | Temporal facets to search: `session`, `source`, `captured`, `observed`, `occurred`, `valid` | | `--time-mode ` | Temporal mode: `auto`, `timeline`, or `filter` | Exact date queries such as `2026/05/13`, `2026-05-13`, and `May 13 2026` activate temporal recall automatically. Date-only queries return a timeline; date plus topic filters recall to matching temporal rows. Advanced controls: | Option | Description | |--------|-------------| | `--keyword-query ` | Override the keyword/FTS query used for recall | | `--pinned` | Only return pinned memories | | `--importance-min ` | Only return memories at or above this importance | | `--min-score ` | Minimum recall score threshold, applied client-side | | `--agent ` | Filter by agent ID | | `--aggregate` | Synthesize one aggregate answer from bounded recall evidence | | `--aggregate-budget ` | Aggregate recall budget: `small`, `medium`, or `large` | | `--no-save-aggregate` | Return the aggregate answer without saving it as a memory; saving requires `remember` permission | | `--json` | Print the recall response as JSON | --- `signet session search` --- Search active or completed session transcripts. This is separate from `signet recall`, which searches stored memories only. ```bash signet session search "Juniper trunk ports" signet session search "handoff notes" --session-key parent-session --limit 5 signet session search "delegated task" --current-session-key child-session --agent research-agent --json ``` Options: | Option | Description | |--------|-------------| | `--session-key ` | Search one transcript session | | `--current-session-key ` | Current session key; sub-agent lineage may resolve to the parent | | `--agent ` | Agent ID scope | | `--project ` | Filter by project | | `-l, --limit ` | Max results (default: 10, max: 20) | | `--json` | Print the transcript search response as JSON | --- `signet export` / `signet import` --- Export and import portable Signet bundles. This is the supported path for moving an agent between machines or backing up identity + memory state from the CLI. ```bash signet export signet export --json signet import ./signet-export-2026-03-22 signet import ./signet-export-2026-03-22.json --json --conflict merge ``` `signet export` writes a portable bundle containing: - identity files - `agent.yaml` - memories - entities - relations - installed skills `signet import` restores those files into `$SIGNET_WORKSPACE/`. Conflict handling for memories is controlled with `--conflict`: - `skip` — keep existing memories and skip duplicates - `overwrite` — replace matching memories - `merge` — merge compatible records when supported --- `signet migrate-schema` --- Migrate an existing memory database to Signet's unified schema. Useful when upgrading from an older version or copying `$SIGNET_WORKSPACE/` between machines. ```bash signet migrate-schema signet migrate-schema --path /custom/path ``` Supported source schemas: | Schema | Source | |--------|--------| | `python` | Original Python memory system | | `cli-v1` | Early Signet CLI (v0.1.x) | | `core` | Current unified schema (no migration needed) | Migration is idempotent - safe to run multiple times. All existing memories are preserved. The daemon is stopped and restarted automatically during the process. Output: ``` - Checking database schema... Migrating from python schema... ✓ Migrated 261 memories from python to core Migration complete! ``` --- `signet migrate-vectors` --- Migrate existing BLOB-format embeddings to the sqlite-vec format. Run this once after upgrading from a version that stored vectors as raw BLOBs. ```bash signet migrate-vectors signet migrate-vectors --keep-blobs signet migrate-vectors --dry-run ``` Options: | Option | Description | |--------|-------------| | `--keep-blobs` | Keep the old BLOB column after migration (safer rollback) | | `--remove-zvec` | Delete `vectors.zvec` file after successful migration | | `--dry-run` | Show what would be migrated without making changes | --- `signet sync` --- Sync hooks, extensions, built-in template files, and skills to your `$SIGNET_WORKSPACE/` directory, and re-register hooks for the active harnesses listed in `agent.yaml`. Run this after an upgrade if built-in skills appear stale or hooks need updating. If OpenClaw is still configured on the legacy Signet hook path, `signet sync` now migrates it to the plugin runtime path automatically so full lifecycle capture resumes. The command may report installed harnesses it detects on disk, but inactive harnesses are not modified. ```bash signet sync ``` --- `signet secret` --- Manage encrypted [[secrets]] stored via the daemon, including 1Password service-account integration. ```bash signet secret put OPENAI_API_KEY signet secret put GITHUB_TOKEN ghp_... # value inline signet secret list signet secret delete GITHUB_TOKEN signet secret has OPENAI_API_KEY # 1Password integration signet secret onepassword connect signet secret onepassword status signet secret onepassword vaults signet secret onepassword import --vault Engineering --prefix OP signet secret onepassword disconnect ``` Subcommands: | Command | Description | |---------|-------------| | `signet secret put [value]` | Store a secret; prompts if value omitted | | `signet secret list` | List all secret names (never values) | | `signet secret delete ` | Delete a secret (prompts for confirmation) | | `signet secret has ` | Check existence; exits 0 if found, 1 if not | | `signet secret onepassword connect [token]` | Save/validate a 1Password service account token | | `signet secret onepassword status` | Show 1Password connection and vault access status | | `signet secret onepassword vaults` | List accessible 1Password vaults | | `signet secret onepassword import` | Import password-like fields from 1Password into Signet secrets | | `signet secret onepassword disconnect` | Remove stored 1Password service account token | A `GITHUB_TOKEN` secret is used by `signet git` to authenticate pushes to a remote repository. --- `signet skill` --- Manage agent [[skills]] from the GitHub-based registry. Skills are installed to `$SIGNET_WORKSPACE/skills/` and symlinked into [[harnesses|harness]] config directories. ```bash signet skill list signet skill install browser-use signet skill uninstall weather signet skill search github signet skill show ``` Subcommands: | Command | Description | |---------|-------------| | `signet skill list` | List installed skills | | `signet skill install ` | Install a skill from the registry | | `signet skill uninstall ` | Remove an installed skill | | `signet skill search ` | Search the GitHub skills registry | | `signet skill show ` | Show skill details | Registry search queries GitHub for repositories tagged `agent-skill` or containing a `SKILL.md` file. Unauthenticated searches are limited to 10 requests per minute. --- `signet git` --- Git sync management for the `$SIGNET_WORKSPACE` directory. A `GITHUB_TOKEN` secret must be set for push operations. ```bash signet git status signet git sync signet git pull signet git push signet git enable signet git enable --interval 600 signet git disable ``` Subcommands: | Command | Description | |---------|-------------| | `signet git status` | Show git status, sync state, and token presence | | `signet git sync` | Pull remote changes then push | | `signet git pull` | Pull changes from remote | | `signet git push` | Push commits to remote | | `signet git enable` | Enable daemon auto-sync | | `signet git disable` | Disable daemon auto-sync | `signet git enable` options: | Option | Description | |--------|-------------| | `-i, --interval ` | Sync interval in seconds (default: 300) | --- `signet api-key` --- Create named API keys for remote connectors and other daemon clients. See [[remote-connectors|Remote Harness Connectors]] for the full remote setup flow. ```bash signet api-key create --name "work laptop pi" --connector pi --agent-id pi-work-laptop signet api-key list signet api-key revoke ``` The raw `sig_sk_...` key is printed once. Store it on the remote machine as `SIGNET_API_KEY`. `--agent-id` creates an auth-enforced agent scope: a key created with `--agent-id ` defaults requests to that agent and rejects requests for other agents. --- `signet connector` --- Install portable harness connectors. Use `signet connect ` as a short alias for `signet connector install `. For a start-to-finish remote machine setup, see [[remote-connectors|Remote Harness Connectors]]. ```bash signet connector install pi signet connector install pi --url https://signet-home.tailnet:3850 --api-key sig_sk_... --agent-id pi-work-laptop signet connect codex --url https://signet-home.tailnet:3850 --api-key sig_sk_... # For a Codex client scoped to one agent: signet api-key create --name "codex tailnet" --connector codex --agent-id signet connect codex --url https://signet-home.tailnet:3850 --api-key sig_sk_... ``` Connector installers are also published as individual npm packages for machines where you only want to configure one harness: ```bash npx -y @signetai/connector-pi install --url https://signet-home.tailnet:3850 --api-key sig_sk_... --agent-id pi-work-laptop npx -y @signetai/connector-opencode install --url https://signet-home.tailnet:3850 --api-key sig_sk_... --agent-id opencode-work-laptop npx -y @signetai/connector-codex install --url https://signet-home.tailnet:3850 --api-key sig_sk_... ``` For Codex, `@signetai/codex-plugin` is the native-plugin-oriented installer name. It writes the same generated Codex plugin marketplace bundle and compatibility hook/MCP config as `signet connect codex`: ```bash npx -y @signetai/codex-plugin install --url https://signet-home.tailnet:3850 --api-key sig_sk_... # Use a key created with --agent-id to scope this Codex install to that agent. ``` --- `signet hook` --- Lifecycle hook commands for harness integration. These are called by connector packages automatically; you rarely need to invoke them directly. ```bash signet hook session-start --harness claude-code signet hook user-prompt-submit --harness claude-code signet hook session-end --harness claude-code signet hook pre-compaction --harness claude-code signet hook compaction-complete --harness claude-code --summary "..." signet hook synthesis signet hook synthesis-complete --content "..." ``` Subcommands: | Command | Description | |---------|-------------| | `signet hook session-start` | Initialize session, inject context | | `signet hook user-prompt-submit` | Inject relevant memories for a prompt | | `signet hook session-end` | Extract and save memories from transcript | | `signet hook pre-compaction` | Get summary instructions before compaction | | `signet hook compaction-complete` | Save session summary after compaction | | `signet hook synthesis` | Get the MEMORY.md synthesis prompt | | `signet hook synthesis-complete` | Save synthesized MEMORY.md content | Most subcommands require `-H, --harness ` identifying the calling platform (e.g. `claude-code`, `opencode`, `openclaw`). If the daemon is When hook payloads are provided over stdin, the CLI now prefers canonical `session_key` / `sessionKey` fields before legacy `session_id` aliases. `signet hook user-prompt-submit` forwards preferred `userMessage` when it is provided, while still carrying legacy `userPrompt` compatibility fields. `signet hook session-end` forwards both stdin `transcript_path` / `transcriptPath` and inline `transcript` content for lossless capture. `signet hook compaction-complete` also forwards stdin `cwd` as the fallback `project` scope when transcript persistence has not landed yet. not running, hooks exit cleanly with code 0 so the harness is not blocked. --- `signet update` --- Check for updates, install them manually, or configure unattended auto-installs. Use an explicit subcommand such as `signet update check`. ```bash signet update check # check for updates signet update check --force signet update install signet update status signet update enable signet update enable --interval 3600 signet update disable ``` Subcommands: | Command | Description | |---------|-------------| | `signet update check` | Check if a newer version is available | | `signet update install` | Download and install the latest version | | `signet update status` | Show auto-update settings and last result | | `signet update enable` | Enable unattended background installs | | `signet update disable` | Disable unattended background installs | `signet update check` options: | Option | Description | |--------|-------------| | `-f, --force` | Force a fresh check, ignoring cached result | `signet update enable` options: | Option | Description | |--------|-------------| | `-i, --interval ` | Check interval in seconds (default: 21600; range: 300-604800) | After `signet update install` completes, a daemon restart is required to run the new version: `signet daemon restart`. --- `signet bypass` --- Toggle per-session hook bypass. When bypass is enabled for a session, all Signet hooks return empty no-op responses — the daemon is still running, but it stays silent for that session. MCP tools (memory_search, memory_store, etc.) continue to work normally. ```bash signet bypass # List active sessions with bypass status signet bypass --list # Same as above signet bypass # Enable bypass for a session signet bypass --off # Disable bypass for a session ``` Subcommands: | Command | Description | |---------|-------------| | `signet bypass` | List active sessions and their bypass status | | `signet bypass --list` | Same as `signet bypass` with no arguments | | `signet bypass ` | Enable bypass for the given session | | `signet bypass --off ` | Disable bypass for the given session | You can also bypass hooks entirely at the process level using the `SIGNET_BYPASS` environment variable (see below). --- `signet embed` --- Manage memory embeddings. Requires the daemon to be running. ```bash signet embed backfill signet embed backfill --batch-size 100 signet embed backfill --dry-run signet embed gaps ``` Subcommands: | Command | Description | |---------|-------------| | `signet embed backfill` | Re-embed memories missing vector embeddings | | `signet embed gaps` | Show count of memories missing embeddings | `signet embed backfill` options: | Option | Description | |--------|-------------| | `--batch-size ` | Memories per batch (default: 50) | | `--dry-run` | Preview without calling the embedding provider | After `backfill` completes, coverage is printed: ``` Coverage: 100.0% (1200/1200 embedded) ``` --- Environment Variables --- | Variable | Description | Default | |----------|-------------|---------| | `SIGNET_PORT` | Daemon HTTP port | `3850` | | `SIGNET_PATH` | Base agents directory | `$SIGNET_WORKSPACE` | | `SIGNET_HOST` | Daemon host for local calls and default bind address | `127.0.0.1` | | `SIGNET_BIND` | Explicit daemon bind address override | `SIGNET_HOST` | | `SIGNET_LOG_FILE` | Explicit daemon log file path | unset | | `SIGNET_LOG_DIR` | Daemon log directory override | `$SIGNET_WORKSPACE/.daemon/logs` | | `SIGNET_SQLITE_PATH` | macOS explicit SQLite dylib override used by the daemon before opening the database | unset | | `SIGNET_DAEMON_RUNTIME` | Installed daemon runtime selector. Set to `rust` only for explicit daemon-rs parity testing; default uses the TypeScript/Bun daemon | `typescript` | | `SIGNET_SESSION_START_TIMEOUT` | Session-start daemon wait budget in ms for Signet-managed clients. Generated Claude Code hook config writes this value directly. Generated Codex hook config rounds up to seconds and adds 5 seconds of harness grace | `15000` | | `SIGNET_FETCH_TIMEOUT` | Legacy fallback for session-start timeout in ms when `SIGNET_SESSION_START_TIMEOUT` is unset | `15000` | | `SIGNET_PROMPT_SUBMIT_TIMEOUT` | Prompt-submit daemon wait budget in ms; OpenCode uses this value directly, generated Claude Code hook config writes this value + 2000 ms grace, and generated Codex hook config rounds up to seconds and adds 2 seconds of harness grace | `5000` | | `SIGNET_BYPASS` | Skip all hook processing (exit immediately) | unset | --- Exit Codes --- | Code | Meaning | |------|---------| | 0 | Success | | 1 | General error |