Skip to Content
ReferenceServer CLI

Server CLI

For production deployments, strongly prefer gestaltd lock, then gestaltd sync --locked during image build or release preparation, then gestaltd serve --locked at runtime. The lockfile pins resolved provider artifacts and verified hashes, and locked serve refuses to mutate deployment state.

gestaltd manages server lifecycle and provider releases. For release-backed providers, gestaltd lock writes platform-independent static metadata while sync --locked and locked serve select the runtime archive for the platform where they run.

Server commands

CommandPurpose
gestaltdLocal-friendly startup. Generates a config if needed and serves.
gestaltd serve --config PATHStart the server. Repeat --config to layer overrides. Local apps with run: commands and apps.<name>.static are proxied to hot-reload dev servers.
gestaltd serve --locked --config PATHStart read-only from an existing lockfile and prepared artifacts. Repeat --config to layer overrides.
gestaltd serve --artifacts-dir DIRDirectory for prepared provider artifacts.
gestaltd serve --lockfile PATHOverride the lockfile location. PATH resolves like a normal CLI path.
gestaltd lock --config PATHResolve published provider sources and write canonical lock metadata. Repeat --config to layer overrides.
gestaltd lock --check --config PATHVerify that the checked-in lockfile matches the current config without rewriting it.
gestaltd sync --locked --config PATHMaterialize prepared provider artifacts from an existing lockfile. Local source UI preparation uses bounded parallelism by default.
gestaltd sync --locked --cache-dir DIR --config PATHReuse materialized prepared artifacts across sync runs. DIR resolves like a normal CLI path.
gestaltd sync --locked --verbose --config PATHEmit detailed cache, archive download, timing, and output-size diagnostics while syncing.
gestaltd sync --locked --output-format=json --config PATHEmit one compact JSON metrics document to stdout on successful sync.
gestaltd sync --locked --check --config PATHVerify that prepared artifacts exist and match the lockfile without rewriting them.
gestaltd validate --config PATHValidate config without serving. Repeat --config to layer overrides.
gestaltd validate --lockfile PATHAccept the same explicit lockfile path used by lock, sync, and serve without mutating it.
gestaltd --versionPrint the server version.

Provider commands

CommandPurpose
gestaltd provider search [QUERY]Search configured provider repositories. Pass --repo NAME to search one repository.
gestaltd provider info PACKAGEShow available versions and release metadata for one package. Pass --repo NAME to disambiguate.
gestaltd provider add PACKAGE --config PATHAdd an indexed provider package to config and update the lockfile. Package sources are written by default.
gestaltd provider add PACKAGE --kind KIND --name NAMEChoose the provider kind and config entry name explicitly.
gestaltd provider add PACKAGE --version CONSTRAINTWrite a semver version constraint such as ^1.4.0, ~1.4.0, or an exact version.
gestaltd provider add PACKAGE --exact-sourceWrite the resolved provider-release.yaml URL instead of a package source.
gestaltd provider add PACKAGE --syncMaterialize prepared artifacts after locking.
gestaltd provider list --config PATHList configured providers and lock status. Pass --kind KIND to filter.
gestaltd provider remove NAME --config PATHRemove one provider entry and update the lockfile. Pass --kind KIND when the name is ambiguous.
gestaltd provider upgrade --config PATHRefresh lock state for all package sources without editing config version constraints.
gestaltd provider upgrade NAME --version CONSTRAINTChange one package source’s version constraint and update the lockfile.
gestaltd provider repo add NAME URLAdd a provider repository to the user-level store. Pass --config PATH to write providerRepositories into project config instead.
gestaltd provider repo listList the default, user-level, and project provider repositories.
gestaltd provider repo updateFetch and cache provider repository indexes.
gestaltd provider repo remove NAMERemove a provider repository from the user-level store. Pass --config PATH to remove it from project config instead.
gestaltd serve [PATH]...Run one or more local source apps. Without --config, serves a synthesized baseline (unlocked).
gestaltd serve [PATH]... --config PATHLayer local-source PATH overrides on top of the user config. Repeat [PATH]... and --config as needed. With --locked, the fleet loads pinned artifacts while PATH apps with run: commands hot-reload from local trees.
gestaltd provider validate --path PATHValidate a local source app inside the same synthesized Gestalt config used by gestaltd serve [PATH]....
gestaltd provider validate --config PATHValidate the target provider together with selected supporting providers and null deletions from layered config overlays.
gestaltd provider package --version VERSIONBuild provider release archives from a source directory. Executable source providers use SDK-native source packages or build phases and default to the host platform; declarative providers default to a generic archive. Pass --platform ... with os/arch targets or --platform all for multi-platform builds.
gestaltd provider package --output DIROutput directory for the release archives. Defaults to dist/.
gestaltd provider release --dist-dir DIRFinalize already-built release archives by validating them and writing provider-release.yaml into the dist directory.

For config-free local development, inferred static mount paths use the manifest source slug rather than the API-safe provider key. A source ending in workspace-review mounts at /workspace-review when apps.<name>.static.mount is omitted. Explicit apps.<name>.static.mount values take precedence.

Provider package commands use the provider repository model described in Provider packages. Mutating package commands accept one --config path so the CLI edits the intended file instead of a merged runtime view. provider add, provider remove, and provider upgrade NAME --version update the lockfile by default. provider add and provider remove accept --no-lock when you need to edit config only.

gestaltd sync --locked --parallelism N caps concurrent preparation for local source.path app builds. The default is up to four workers, capped by GOMAXPROCS; --parallelism 1 forces sequential preparation. Other provider types and sync --locked --check remain sequential.

gestaltd sync --locked --cache-dir DIR enables an opt-in cache for materialized prepared artifacts. The cache key is the locked archive identity, including the archive SHA-256, resolved archive key, platform, and materializer version. Cache hits restore prepared outputs directly; misses download and install the package, then populate the cache after a successful install. sync --locked --check remains read-only and does not populate the cache. Treat this cache as trusted deployment state: only principals that are allowed to influence deployed prepared artifacts should be able to write to it.

gestaltd sync --locked -v and gestaltd sync --locked --verbose add human-readable diagnostics for cache behavior, archive downloads, phase timings, prepared output size, and archive fetches. There is one verbosity level; -vv is not supported. The top-level gestaltd -v still prints the server version. Without -v or --output-format=json, successful gestaltd sync --locked remains quiet.

gestaltd sync --locked --output-format=json writes one compact JSON metrics document to stdout on success. Child source-build output and errors go to stderr so CI can redirect stdout to a JSON file safely. On failure, stdout is empty and the error is written to stderr. --output-format defaults to text; supported values are text and json.

gestaltd sync \ --locked \ --config ./deploy/config.yaml \ --artifacts-dir ./deploy gestaltd sync \ --locked \ --verbose \ --config ./deploy/config.yaml \ --artifacts-dir ./deploy \ --cache-dir ./.gestaltd-cache gestaltd sync \ --locked \ --output-format=json \ --config ./deploy/config.yaml \ --artifacts-dir ./deploy \ > gestaltd-sync.json gestaltd sync \ --locked \ --verbose \ --output-format=json \ --config ./deploy/config.yaml \ --artifacts-dir ./deploy \ --cache-dir ./.gestaltd-cache \ > gestaltd-sync.json

The JSON schema version is 2 and reports the sync action, inputs, artifact count and decisions, materialized cache counters, archive download counters, archive fetches, phase timings, and prepared output size. In --check mode, the action is check, cache writes remain zero, and output.measured is false.

JSON fieldMeaning
schema.versionMetrics schema version. Current version is 2.
sync.actionmaterialize for normal sync or check for --check.
sync.duration_secondsTotal successful sync duration.
inputs.config_pathsConfig files passed to sync after CLI path resolution.
artifacts.consideredPrepared artifact entries in the effective config.
artifacts.itemsAll prepared artifact decisions recorded by the run, sorted by duration descending.
cache.configuredWhether --cache-dir was passed.
cache.enabledWhether this sync mode can read and write the materialized cache.
cache.dirResolved cache directory.
cache.modeCache mode. Currently materialized.
cache.bucket_versionCache bucket version. Currently materialized/v1.
cache.hits, cache.misses, cache.invalidMaterialized cache lookup counters.
cache.prefetch.*Sparse remote-cache prefetch counters: duration, requests, eligible requests, unique keys, local hits, remote hits, remote misses, failures, and bytes read.
cache.put.successes, cache.put.failuresMaterialized cache write counters. Write failures do not fail sync.
cache.entriesCache events recorded by the run.
archives.requestsCurrent-platform archive acquisition attempts made by this run.
archives.unique_sha256Unique canonical expected SHA-256 values among archive requests.
archives.downloads.*Successful remote archive download count, bytes, and cumulative download time.
archives.fetchesAll archive acquisitions recorded by the run, sorted by duration descending.
phases.*_secondsMajor lifecycle phase timings. Download time is cumulative and may not sum to wall-clock time under parallelism.
output.files, output.bytesAggregate prepared output measurement over known prepared artifact roots, not the entire artifacts directory.
output.rootsAll measured prepared output roots, sorted by bytes descending.

Local Frontend Development

When an app manifest declares run: commands and deployment config sets apps.<name>.static, gestaltd serve spawns the declared commands and reverse-proxies the mount path to the process that binds GESTALT_DEV_PORT. Framework hot reload works through the proxy, including websocket traffic.

run: - command: [npm, run, dev] readyTimeout: 120s

gestaltd injects (after manifest env entries):

VariablePurpose
GESTALT_DEVSet to 1
GESTALT_DEV_PORTPort the frontend dev server must bind on 127.0.0.1
GESTALT_DEV_BASE_PATHMount path from apps.<name>.static.mount
GESTALT_BASE_URLPublic gestaltd origin for two-origin Vite /api/v1 proxying
GESTALT_PROVIDER_SOCKETUnix socket for the app provider when a backend run command is present

Map these in your framework dev script. See Applications > Local Development for Vite, Angular, webpack-dev-server, and Parcel examples.

Production and gestaltd serve --locked serve prepared static/ artifacts, except for apps passed as positional PATH arguments with active run: commands — those are dev-proxied even under --locked. Config or provider changes require restarting gestaltd.

For faster iteration on a local frontend while the rest of the fleet runs from pinned artifacts, pass PATH arguments together with --config and --locked:

gestaltd serve --locked \ --config ./deploy/config.yaml \ --config ./deploy/local/config.yaml \ ./apps/g-issues/ui \ ./apps/delta/ui

For a standalone local provider without the full fleet config, pass PATH to gestaltd serve for a source tree or layer a small local config that includes only the app under test:

gestaltd serve \ --config ./config.yaml \ --config ./support-local.yaml

Examples

gestaltd gestaltd lock --config ./config.yaml gestaltd sync --locked --config ./config.yaml gestaltd sync --locked --config ./config.yaml --cache-dir ./.gestaltd-cache gestaltd sync --locked --config ./config.yaml --verbose gestaltd sync --locked --config ./config.yaml --output-format=json > gestaltd-sync.json gestaltd sync --locked --config ./config.yaml --parallelism 2 gestaltd serve --locked --config ./config.yaml gestaltd validate --config ./config.yaml gestaltd lock --config ./config.yaml --lockfile ./local/gestalt.lock.json gestaltd sync --locked --config ./config.yaml --lockfile ./local/gestalt.lock.json gestaltd serve --config ./config.yaml --lockfile ./local/gestalt.lock.json gestaltd serve ./apps/support/manifest.yaml gestaltd serve --locked --config ./config.yaml ./apps/workspace-review gestaltd serve --locked --config ./config.yaml --lockfile ./local/gestalt.lock.json gestaltd lock --config ./base.yaml --config ./overrides/prod.yaml gestaltd sync --locked --config ./base.yaml --config ./overrides/prod.yaml gestaltd serve --locked --config ./base.yaml --config ./overrides/prod.yaml gestaltd provider search github gestaltd provider info github.com/valon-technologies/gestalt-providers/app/github gestaltd provider repo list gestaltd provider repo add gestalt https://registry.gestaltd.ai/provider-index.yaml --config ./config.yaml gestaltd provider repo update --config ./config.yaml gestaltd provider add github.com/valon-technologies/gestalt-providers/app/github --config ./config.yaml --name github gestaltd provider add github.com/valon-technologies/gestalt-providers/auth/oidc --config ./config.yaml --kind identity --name oidc --version '^1.4.0' gestaltd provider list --config ./config.yaml gestaltd provider list --config ./config.yaml --kind app gestaltd provider upgrade --config ./config.yaml gestaltd provider upgrade github --config ./config.yaml --kind app --version '^1.5.0' gestaltd provider remove github --config ./config.yaml --kind app gestaltd provider validate --path ./apps/support gestaltd provider validate --path ./apps/support --config ./dev/support.yaml --config ./dev/local.yaml gestaltd serve ./apps/support gestaltd serve ./apps/support --config ./dev/support.yaml gestaltd serve ./apps/support --config ./dev/support.yaml --port 8080 gestaltd serve --locked --config ./config.yaml ./apps/workspace-review ./apps/delta gestaltd provider package --version 0.0.1-alpha.1 gestaltd provider package --version 0.0.1-alpha.1 --platform all gestaltd provider package --version 0.0.1-alpha.1 --platform linux/amd64,linux/arm64 gestaltd provider release --dist-dir dist --version 0.0.1-alpha.1

When repeated, --config files merge left-to-right. Maps deep-merge, later scalar values win, lists replace inherited lists, and null deletes inherited keys. By default, lockfiles and artifact paths use the current working directory. --lockfile overrides only the lockfile path. --artifacts-dir overrides only the artifacts directory path.

For source-backed providers, gestaltd serve [PATH]... starts the manifest run argv when one is declared. If run is omitted, it serves or starts the declared entrypoint or SDK-native source package. Sequence-form build commands can prepare dependencies before local startup; output-producing build.command remains the packaging path for compiled artifacts.

See Configuration for the relationship between lock, sync --locked, serve --locked, and validate.