​

Taco CLI

make build-cli

• --server <url> sets the service endpoint (default http://localhost:8080).

• taco unit create <id>: Create a unit registration.
• taco unit ls [--prefix <pfx>]: List units.
• taco unit rm <id>: Delete a unit.
• taco unit pull <id> [-f <file>]: Download unit tfstate to a file.
• taco unit push <id> [-f <file>] [--if-locked-by <uuid>]: Upload unit tfstate.
• taco unit lock <id> [--who --info]: Acquire a lock.
• taco unit unlock <id> [<lock-id>]: Release a lock (lock ID is positional; if omitted, CLI uses .taco/<id>.lock).
• taco unit acquire <id> [-f <file>]: Lock + download.
• taco unit release <id> [-f <file>]: Upload + unlock.

• taco unit versions <id>: List all versions of a unit with timestamps and hashes.
• taco unit restore <id> <version-number>: Restore unit to a previous version.

• taco provider init [dir] [--system-unit <id>] [--no-create] [--force]
  • Scaffolds a Terraform workspace in dir (default opentaco-config).
  • Configures the HTTP backend to __opentaco_system by default.
  • Creates that system unit unless --no-create is set.

• taco login [--force-login] — Runs OIDC PKCE, saves tokens to ~/.config/opentaco/credentials.json under the current --server.
  • No flags needed if the server exposes /v1/auth/config (OpenTaco does); the CLI will auto-discover issuer/client_id.
• taco whoami — Prints current identity.
• taco creds --json — Prints AWS Process Credentials JSON via /v1/auth/issue-s3-creds.
• taco logout — Removes saved tokens for the current --server.

​

Unit Status (Dependencies)

taco unit status [<unit-id> | --prefix <pfx>] [-o json]

• No args lists all units (equivalent to --prefix /).
• --prefix / is treated as “all units”.
• -o json returns raw statuses (green|yellow|red) with edge details.
• Default table output maps to friendly, colored labels:
  • up to date (green)
  • needs re-apply (red)
  • might need re-apply (yellow)