Agent CLI Reference

Complete command-line reference for the GrantFlow Agent binary. This page documents all commands, flags, and options available.

Command Overview

The GrantFlow Agent provides the following commands:

Command	Description
enroll	Enroll the agent with the GrantFlow control plane
run	Run the agent (foreground or as service)
service install	Install the agent as a system service
service start	Start the agent service
service stop	Stop the agent service
service restart	Restart the agent service
service status	Check agent service status
service uninstall	Uninstall the agent service
fix-config	Fix relative paths in configuration file
version	Display agent version information
help	Display help for any command

enroll

Enroll the agent with the GrantFlow control plane. This command exchanges the enrollment token for an mTLS certificate and creates the agent configuration file.

Syntax

agent enroll [flags]

Flags

Flag	Type	Required	Description
--enrollment-url	string	Yes	Enrollment service URL (e.g., https://enrollment.grantflow.cloud/enroll)
--tenant-id	string	Yes	Tenant ID (GUID format)
--agent-id	string	Yes	Agent ID (unique identifier for this agent)
--token	string	Yes	Enrollment token (obtained from GrantFlow Admin UI)
--output, -o	string	No	Directory to save certificate files (default: ./certs)
--config-dir	string	No	Directory to save configuration file (default: ./config)
--key-size	int	No	RSA key size in bits (default: 4096)
--server	string	No	Control plane URL (default: https://localhost:8443)
--server-name	string	No	Override TLS server name for verification
--verbose, -v	boolean	No	Enable verbose logging during enrollment

Examples

Windows:

.\agent.exe enroll `
  --enrollment-url https://enrollment.grantflow.cloud/enroll `
  --tenant-id YOUR_TENANT_ID `
  --agent-id agent-001 `
  --token ept_YOUR_ENROLLMENT_TOKEN

Linux:

sudo ./agent enroll \
  --enrollment-url https://enrollment.grantflow.cloud/enroll \
  --tenant-id YOUR_TENANT_ID \
  --agent-id agent-001 \
  --token ept_YOUR_ENROLLMENT_TOKEN

Custom paths:

./agent enroll \
  --enrollment-url https://enrollment.grantflow.cloud/enroll \
  --tenant-id YOUR_TENANT_ID \
  --agent-id agent-001 \
  --token ept_... \
  --output /etc/grantflow/certs \
  --config-dir /etc/grantflow

With custom control plane URL:

./agent enroll \
  --enrollment-url https://enrollment.grantflow.cloud/enroll \
  --tenant-id YOUR_TENANT_ID \
  --agent-id agent-001 \
  --token ept_... \
  --server https://agents.grantflow.cloud:8443

Verbose mode (for troubleshooting):

./agent enroll \
  --enrollment-url https://enrollment.grantflow.cloud/enroll \
  --tenant-id YOUR_TENANT_ID \
  --agent-id agent-001 \
  --token ept_... \
  --verbose

Output

On success, the command creates:

• Configuration file: config/agent-config.yaml with absolute paths
• Certificate files:
  • certs/agent-cert.pem - Agent mTLS certificate
  • certs/agent-key.pem - Agent private key
  • certs/ca-chain.pem - CA certificate chain

Enrolling agent: agent-001
Tenant ID: YOUR_TENANT_ID
Enrollment URL: https://enrollment.grantflow.cloud/enroll
Generating 4096-bit RSA key pair...
Creating Certificate Signing Request...
Submitting enrollment request...
✓ Private key saved: C:\Program Files\GrantFlow Agent\certs\agent-key.pem
✓ Certificate saved: C:\Program Files\GrantFlow Agent\certs\agent-cert.pem
✓ CA chain saved: C:\Program Files\GrantFlow Agent\certs\ca-chain.pem
✓ Certificate chain verified successfully
✓ Configuration saved: C:\Program Files\GrantFlow Agent\config\agent-config.yaml

✓ Enrollment complete!

To run the agent, simply use:
  agent run

Or specify a custom config:
  agent run --config C:\Program Files\GrantFlow Agent\config\agent-config.yaml

Note: The verbose output above is shown when using the --verbose flag. Without it, only the checkmarks (✓) and file paths are displayed.

Exit Codes

Code	Meaning
0	Success
1	Enrollment failed (network, invalid token, etc.)

Enrollment Token Expiry

Enrollment tokens expire after 1 hour. If enrollment fails with a token validation error, generate a new token from the GrantFlow Admin UI.

run

Run the agent in the foreground (for testing) or as a service (when started by service manager).

Syntax

agent run [flags]

Flags

Flag	Type	Required	Description
--config	string	No	Path to configuration file (default: ./config/agent-config.yaml)
--service	boolean	No	Run as service (used by service manager, not for manual use)

Examples

Run in foreground (for testing):

# Windows
.\agent.exe run

# Linux
sudo ./agent run

With custom config path:

./agent run --config /etc/grantflow/agent-config.yaml

Output

The agent logs to:

• Windows (foreground): Console output
• Windows (service): C:\Windows\Temp\grantflow-agent-YYYYMMDD.log
• Linux (foreground): Console output
• Linux (service): systemd journal (journalctl -u grantflow-agent)

2025/11/03 14:30:52 === GrantFlow Agent Started ===
2025/11/03 14:30:52 Agent ID: agent-001
2025/11/03 14:30:52 Tenant ID: YOUR_TENANT_ID
2025/11/03 14:30:52 Control Plane: https://agents.grantflow.cloud:8443
2025/11/03 14:30:53 Successfully connected to control plane
2025/11/03 14:30:53 Agent registered and ready to receive jobs

Exit Codes

Code	Meaning
0	Normal shutdown (SIGTERM/SIGINT received)
1	Fatal error (certificate not found, connection failed, etc.)

Testing Before Service Installation

Use agent run to test the agent in foreground mode before installing it as a service. Press Ctrl+C to stop.

service

Manage the agent as a system service (Windows Service or systemd unit).

service install

Install the agent as a system service.

Syntax

agent service install [flags]

Flags

Flag	Type	Required	Description
--config	string	No	Path to configuration file (default: ./config/agent-config.yaml)

Examples

# Windows
cd "C:\Program Files\GrantFlow Agent"
.\agent.exe service install

# Linux
cd /opt/grantflow-agent
sudo ./agent service install

Service Configuration

Windows:

• Service name: GrantFlowAgent
• Display name: GrantFlow Agent
• Start type: Automatic
• Service account: NT AUTHORITY\LocalService
• Restart on failure: Yes

Linux:

• Service name: grantflow-agent
• Unit type: simple
• Start on boot: Use systemctl enable grantflow-agent
• User: Root or dedicated service user

Output

✓ Service installed successfully
  Name: GrantFlowAgent
  Executable: C:\Program Files\GrantFlow Agent\agent.exe
  Config: C:\Program Files\GrantFlow Agent\config\agent-config.yaml

Logs will be written to: C:\Windows\Temp\grantflow-agent-*.log

To start the service, run:
  agent service start

service start

Start the agent service.

Syntax

agent service start

Examples

# Windows
.\agent.exe service start

# Linux
sudo ./agent service start

Output

✓ Service started successfully

To view logs, check: C:\Windows\Temp\grantflow-agent-20251103.log
PowerShell command to view latest log:
  Get-Content (Get-ChildItem C:\Windows\Temp\grantflow-agent-*.log | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName

service stop

Stop the agent service.

Syntax

agent service stop

Examples

# Windows
.\agent.exe service stop

# Linux
sudo ./agent service stop

Output

✓ Service stopped successfully

service restart

Restart the agent service (stop then start).

Syntax

agent service restart

Examples

# Windows
.\agent.exe service stop
.\agent.exe service start

# Linux (or use systemctl)
sudo systemctl restart grantflow-agent

service status

Check the status of the agent service.

Syntax

agent service status

Examples

# Windows
.\agent.exe service status

# Linux
sudo ./agent service status

Output

Service Status: Running

Possible statuses:

• Running - Service is running
• Stopped - Service is stopped
• Not Installed - Service is not installed

service uninstall

Uninstall the agent service. The service must be stopped before uninstalling.

Syntax

agent service uninstall

Examples

# Windows
.\agent.exe service stop
.\agent.exe service uninstall

# Linux
sudo ./agent service stop
sudo ./agent service uninstall

Output

✓ Service uninstalled successfully

Uninstall Does Not Remove Files

Uninstalling the service only removes the service registration. Configuration files, certificates, and the agent binary are preserved. Delete them manually if needed.

fix-config

Convert relative paths in an existing configuration file to absolute paths. This is useful for configuration files created with older agent versions that used relative paths.

Syntax

agent fix-config [flags]

Flags

Flag	Type	Required	Description
--config	string	Yes	Path to configuration file to fix

Examples

# Windows
cd "C:\Program Files\GrantFlow Agent"
.\agent.exe fix-config --config .\config\agent-config.yaml

# Linux
cd /opt/grantflow-agent
sudo ./agent fix-config --config ./config/agent-config.yaml

What It Does

1. Reads the existing configuration file
2. Converts relative certificate paths to absolute paths
3. Verifies that certificate files exist at the new paths
4. Creates a backup of the original configuration (.backup extension)
5. Saves the updated configuration

Output

Current configuration:
  Tenant ID: YOUR_TENANT_ID
  Agent ID: agent-001
  Server URL: https://agents.grantflow.cloud:8443
  Certificate: certs\agent-cert.pem
  Key: certs\agent-key.pem
  CA: certs\ca-chain.pem

Converting certificate path:
  From: certs\agent-cert.pem
  To:   C:\Program Files\GrantFlow Agent\certs\agent-cert.pem

Converting key path:
  From: certs\agent-key.pem
  To:   C:\Program Files\GrantFlow Agent\certs\agent-key.pem

Converting CA path:
  From: certs\ca-chain.pem
  To:   C:\Program Files\GrantFlow Agent\certs\ca-chain.pem

Verifying files exist at new paths...
✓ Certificate file found: C:\Program Files\GrantFlow Agent\certs\agent-cert.pem
✓ Key file found: C:\Program Files\GrantFlow Agent\certs\agent-key.pem
✓ CA file found: C:\Program Files\GrantFlow Agent\certs\ca-chain.pem

✓ Backup created: C:\Program Files\GrantFlow Agent\config\agent-config.yaml.backup
✓ Config file updated: C:\Program Files\GrantFlow Agent\config\agent-config.yaml

Updated configuration:
  Certificate: C:\Program Files\GrantFlow Agent\certs\agent-cert.pem
  Key: C:\Program Files\GrantFlow Agent\certs\agent-key.pem
  CA: C:\Program Files\GrantFlow Agent\certs\ca-chain.pem

✓ Config file fixed successfully!

Exit Codes

Code	Meaning
0	Success
1	Configuration file not found or invalid
2	Certificate files not found at resolved paths

When to Use

New enrollments (since recent versions) automatically create configuration files with absolute paths. This command is only needed for older installations with relative paths that cause issues when running as a Windows service.

version

Display the agent version information.

Syntax

agent version

Examples

# Windows
.\agent.exe version

# Linux
./agent version

Output

GrantFlow Agent
Version: 1.0.0
Build: 20251103-142305
Commit: a1b2c3d
Go Version: go1.21.5
OS/Arch: windows/amd64

help

Display help information for any command.

Syntax

agent help [command]

Examples

# General help
./agent help

# Help for specific command
./agent help enroll
./agent help service
./agent help service install

Global Flags

These flags are available for all commands:

Flag	Type	Description
--help, -h	boolean	Display help for the command
--version, -v	boolean	Display version information

Examples

# Display help for enroll command
./agent enroll --help

# Display version
./agent --version

Configuration File Format

The agent configuration file is in YAML format. It is automatically created by the enroll command.

Location

• Windows: C:\Program Files\GrantFlow Agent\config\agent-config.yaml
• Linux: /opt/grantflow-agent/config/agent-config.yaml

Example

tenantId: "YOUR_TENANT_ID"
agentId: "agent-001"
serverUrl: "https://agents.grantflow.cloud:8443"
certPath: "C:\\Program Files\\GrantFlow Agent\\certs\\agent-cert.pem"
keyPath: "C:\\Program Files\\GrantFlow Agent\\certs\\agent-key.pem"
caPath: "C:\\Program Files\\GrantFlow Agent\\certs\\ca-chain.pem"

Fields

Field	Type	Required	Description
tenantId	string	Yes	Tenant ID (GUID format)
agentId	string	Yes	Agent ID (unique identifier)
serverUrl	string	Yes	Control plane URL
certPath	string	Yes	Absolute path to agent certificate
keyPath	string	Yes	Absolute path to agent private key
caPath	string	Yes	Absolute path to CA certificate chain

Absolute Paths Required

All certificate paths must be absolute paths. Relative paths will fail when the agent runs as a service because the working directory is different from the installation directory.

Environment Variables

The agent does not use environment variables for configuration. All configuration is stored in the YAML configuration file.

For proxy configuration, use system-level proxy settings:

Windows:

• Set in Internet Options → Connections → LAN Settings
• Or use netsh winhttp set proxy

Linux:

• Set http_proxy, https_proxy, no_proxy environment variables
• Or configure system-wide in /etc/environment

Exit Codes

All agent commands use standard exit codes:

Code	Meaning
0	Success
1	General error
2	Configuration error
3	Network error
4	Certificate error
130	Interrupted by user (Ctrl+C)

Command Cheat Sheet

Quick reference for common operations:

# Installation
./agent enroll --enrollment-url URL --tenant-id ID --agent-id ID --enrollment-key KEY
./agent service install
./agent service start

# Management
./agent service status
./agent service stop
./agent service start
./agent service restart

# Logs (Windows)
Get-Content C:\Windows\Temp\grantflow-agent-$(Get-Date -Format "yyyyMMdd").log -Wait -Tail 50

# Logs (Linux)
sudo journalctl -u grantflow-agent -f

# Update
./agent service stop
# Replace binary
./agent service start

# Troubleshooting
./agent run                              # Test in foreground
./agent fix-config --config path         # Fix relative paths
sc.exe qc GrantFlowAgent                 # Check service account (Windows)
./agent version                          # Check version

# Uninstall
./agent service stop
./agent service uninstall
# Delete files manually if needed

See Also

• Active Directory Agents - Complete installation guide
• Agent Quick Reference - Quick command reference
• AD Connector Permissions - Required AD permissions
• AD Connector Network - Network requirements