Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

CLI

boatramp is one binary: the server (serve) and every client command. This page lists the commands and details the flags of serve; each command also prints its own flags with boatramp <command> --help.

Precedence for any overridable value: flag / environment variable > config file > built-in default. Project commands read project.cfg; serve reads boatramp.cfg.

Global flags

FlagDefaultDescription
--config <path>project.cfg / boatramp.cfgConfig file to read.
-h, --helpPrint help for the binary or a subcommand.
-V, --versionPrint the version.

Commands

CommandWhat it does
serveRun the HTTP server and publishing API.
sync <dir>Build (optional) and publish a folder as a new atomic deployment.
buildRun the configured build command only.
bundleBundle JS/TS + CSS in-process (bundler feature).
validateParse and check a project.cfg (its routing section).
deploymentsList a site’s deployment history.
rollbackRoll back to the previous (or a specific) deployment.
statusShow a site’s current deployment (id, age, size).
domainAttach or detach hostnames for a site.
aliasManage named pointers (staging, previews) to deployments.
accessConfigure visitor access control (basic auth, IP rules, rate limit).
tokenManage control-plane API tokens.
clusterOperate a cluster’s mesh membership (mint join tokens).
securityInspect the operator security posture (security explain).
authGenerate or inspect the control-plane root key.
gatewayPublish a private service through the edge reverse proxy.
computeManage microVM / container compute workloads.
dnsConfigure DNS and issue wildcard preview certs (acme-dns feature).
logsTail a site’s captured guest stdout/stderr.
statsShow handler invocation stats, consumer lag, and dead letters.
dlqPurge or redrive a consumer topic’s dead-letter queue.
pruneDelete orphan deployments and unreferenced blobs.
scrubVerify every stored blob still hashes to its key.
cert-statusShow cluster-managed certificate status (domain, expiry).
completions <shell>Print a shell-completion script.
manRender the man page to stdout.
cloudflareGenerate a Cloudflare Containers deployment (cluster feature).

Each command’s tasks are covered in the guides — see the How-to guides and the per-topic reference pages. Exit status is 0 on success and non-zero on failure; see Errors & exit codes.

boatramp serve

Run the server: selects backends, TLS, auth, and (with the cluster feature) cluster mode.

Address, storage, cache

FlagEnvDefaultDescription
--addr <host:port>BOATRAMP_ADDR127.0.0.1:8080Bind address.
--data-dir <path>BOATRAMP_DATA_DIR./dataBlob + KV root for the filesystem backends.
--blobs <fs|s3>fsBlob backend (s3 needs --features s3).
--kv <slatedb|memory|cloudflare>slatedbKV backend (cloudflare needs --features cloudflare-kv).
--s3-bucket <name>BOATRAMP_S3_BUCKETS3 bucket (--blobs s3).
--s3-endpoint <url>BOATRAMP_S3_ENDPOINTS3 endpoint (MinIO / R2).
--s3-region <region>BOATRAMP_S3_REGIONS3 region.
--s3-path-styleBOATRAMP_S3_PATH_STYLEfalseUse path-style S3 addressing.
--cache-entries <n>256Front metadata cache size.

Authentication

FlagEnvDefaultDescription
--auth-root-private-key <alg:hex>BOATRAMP_AUTH_ROOT_PRIVATE_KEYRoot key: verify and mint tokens.
--auth-root-public-key <alg:hex>BOATRAMP_AUTH_ROOT_PUBLIC_KEYRoot key: verify only.
--bootstrap-secret <secret>BOATRAMP_BOOTSTRAP_SECRETSingle-use secret enabling token bootstrap.
--oidc-issuer <url>BOATRAMP_OIDC_ISSUEREnable OIDC → token exchange for this issuer.
--oidc-audience <aud>BOATRAMP_OIDC_AUDIENCERequired audience claim.
--oidc-scope-claim <name>BOATRAMP_OIDC_SCOPE_CLAIMClaim mapped to boatramp roles.

Warning: with no root key, control-plane auth is disabled. Under the default multi-tenant posture, serve refuses to start that way on a non-loopback --addr. Configure a key, bind 127.0.0.1, or select a looser security posture.

TLS

FlagDefaultDescription
--tls <off|custom|acme|acme-dns>offTLS mode (HTTPS needs the tls feature).
--tls-cert <path> / --tls-key <path>Certificate + key for --tls custom.
--acme-domain <domain>Domain to issue for (repeatable).
--acme-directory <url>Let’s Encrypt productionACME directory URL.
--acme-contact <email>ACME account contact.
--acme-ca-cert <path>Extra CA root (for a private ACME CA).
--acme-cache <path>./data/acmeCertificate cache directory.
--acme-dns-provider <name>manualDNS-01 provider (--tls acme-dns); see DNS providers.
--acme-wildcard-previewfalseAlso issue *.deploy.<domain> for by-id previews.
--http-redirect-addr <host:port>BOATRAMP_HTTP_REDIRECT_ADDRSecond listener that 308s plain HTTP to HTTPS.

Uploads, serving, cluster

FlagEnvDefaultDescription
--max-upload-bytes <n>BOATRAMP_MAX_UPLOAD_BYTESunlimitedReject larger blob uploads.
--upload-idle-timeout-secs <n>BOATRAMP_UPLOAD_IDLE_TIMEOUTAbort an upload idle this long.
--max-concurrent-uploads <n>BOATRAMP_MAX_CONCURRENT_UPLOADSCap simultaneous uploads.
--default-site <name>BOATRAMP_DEFAULT_SITESite served for an unmatched Host.
--protect-previewsBOATRAMP_PROTECT_PREVIEWSfalseRequire a token to view /_deploy previews.
--cluster-rate-limitBOATRAMP_CLUSTER_RATE_LIMITfalseRate-limit cluster-wide via the KV, not per node.
--shared-cache-coherenceBOATRAMP_SHARED_CACHE_COHERENCEfalseKeep the config cache coherent across processes sharing one KV.

The cluster: and compute: sections are configured in boatramp.cfg, not on the command line.

Example:

boatramp serve --config boatramp.cfg \
  --addr 0.0.0.0:8080 --tls acme --acme-domain pad.example.com
control-plane auth enabled (issuer)
serving https://0.0.0.0:8080 — data /var/lib/boatramp