getting started
Authenticate, configure, script safely
Log in once, override with TRICKEST_TOKEN for CI, and learn the output contract before you automate.
loading
trickest is how engineers, operators, and agents drive Trickest without the UI: spaces and workflows, runs and outputs, Live Tables, fleet capacity, and agent memory — with JSON you can pipe, exit codes you can branch on, and context that persists between commands.
the mental model
Every command prints compact JSON unless you pass --output table or yaml. Pipe to jq and branch in shell without fragile text parsing.
Failures return a JSON envelope with code, message, and hint on stderr, plus POSIX exit codes (auth, not-found, validation, rate limit).
Active space and workflow live in ~/.trickest/config. Workflow-scoped verbs act on the current graph without repeating IDs.
Full treatment in output formats & exit codes.
in practice
The interactive panel below mirrors how teams actually work: authenticate, shape workflows, execute runs, analyze graphs, query data, and script agent memory. Each tab is traced to the CLI documentation.
TRICKEST_TOKEN wins over stored credentials. Interactive login opens browser OAuth on a localhost callback; headless environments use --token or the env var. Credentials live at ~/.trickest/credentials with 0600 permissions and refresh on 401.
export TRICKEST_TOKEN=<your-api-token>trickest auth status# {"authenticated":true,"source":"TRICKEST_TOKEN env var",...}trickest auth login # browser OAuthtrickest auth login --token <token> # headless / CI
install
Install with a single command, verify with trickest --version, then authenticate. The installer detects your OS and architecture and drops a standalone binary on your PATH. The same binary is baked into the sandbox runtime image so in-container agent Bash calls the same verbs.
curl -fsSL https://trickest.io/install.sh | sh
trickest --versionContributors can compile a standalone binary from github.com/trickest/cli. See authentication for OAuth, tokens, and precedence rules.
documentation map
The CLI is not a thin wrapper around a handful of APIs. Command groups map to product areas — the same structure as the developer documentation. Pick a domain to read the full guide.
getting started
Log in once, override with TRICKEST_TOKEN for CI, and learn the output contract before you automate.
workflows
Create workflows imperatively or commit YAML. Validate topology, diff versions, and patch nodes without clicking through the UI.
execution
Execute graphs, watch live status, pull artifacts, schedule recurring work, and control sandbox sessions from the same binary.
agent & knowledge
Script what the agent remembers, open sessions, install skill packs, and read notification and audit streams.
data & assets
Query Live Tables with TQL, sync files, manage variables, browse the tool library, and operate solution datasets.
organization
Scale execution capacity, administer users and teams, inspect usage, and wire external integrations.
Need the exhaustive list? See the command index and federated search.
automation
Set TRICKEST_TOKEN in your pipeline, branch on exit codes, and parse JSON on stdout. The in-product agent and MCP server call the same command registry — so a script you test locally behaves the same inside a sandbox session.
#!/usr/bin/env bash
set -euo pipefail
export TRICKEST_TOKEN="${{ secrets.TRICKEST_TOKEN }}"
trickest workflow apply -f .trickest/workflow.yaml
RUN_ID=$(trickest run execute --output json | jq -r '.id')
trickest run watch "$RUN_ID" --output json
SEV=$(trickest database query "$TABLE" \
'severity = "critical"' --output json | jq '.rows | length')
if [ "$SEV" -gt 0 ]; then exit 1; fistderr → {"code","message","hint"} with exit 2–7 for scripts.
Commit workflow.yaml; apply and patch from CI without UI drift.
trickest memory set and trickest run execute from inside the box.
trickest search queries workflows, runs, and assets in one call.
the contract
Interactive terminals get colored tables; pipes get compact JSON unless you override with --output. Errors are always structured — branch on exit code, parse the envelope for detail.
trickest space ls | jq '.[].name'
trickest run get "$RUN_ID" --output yaml
# stderr when auth fails:
# {"code":"AUTH_ERROR","message":"Not authenticated","hint":"..."}global flags
exit codes
environment
full reference
The marketing page orients you; the docs teach you to operate. Start with authentication and output formats, then follow the sidebar groups.
Get a personalized demo
A 30-minute walkthrough. We map the platform to your stack and answer pricing and deployment questions for your environment.
Resources
Discover other powerful solutions built to elevate your offensive security operations.