CLI Reference

Complete reference for the labhit command-line tool.

Global Options

--verbose, -v     Enable debug-level logging
--config, -c      Path to engine config (default: .labhit/config.yaml)
--help, -h        Show help
--version, -V     Show version

Pipeline Commands

`labhit run`

Execute a pipeline.

labhit run [OPTIONS]

Options:

Flag	Description	Default
`--file, -f <path>`	Pipeline definition file	`.labhit/pipeline.yaml`
`--stage, -s <name>`	Run a single stage and its dependencies	All stages
`--dry-run`	Show execution plan without running	Off
`--verbose, -v`	Debug logging	Off

Examples:

labhit run                              # Run full pipeline
labhit run --stage build                # Run build + its dependencies
labhit run --dry-run                    # Preview the execution DAG
labhit run -f ci/release-pipeline.yaml  # Use a custom pipeline file

Behavior:

Parses pipeline YAML and builds the dependency graph
Detects Docker availability for sandbox: stages
Loads extensions from .labhit/extensions/
Loads policies from .labhit/policies/ (if present)
Dispatches stages in parallel where dependencies allow
Prints colored status for each stage
Exits with code 0 on success, 1 on failure

`labhit validate`

Validate pipeline YAML without executing.

labhit validate [OPTIONS]

Options:

Flag	Description	Default
`--file, -f <path>`	Pipeline file to validate	`.labhit/pipeline.yaml`

Checks:

YAML syntax
Required fields (engine, pipeline.name, stages)
Stage structure (each stage has use: or run:, not both)
Dependency graph (no cycles, no missing stage references)

Examples:

labhit validate
labhit validate --file custom-pipeline.yaml

`labhit init`

Scaffold a new LabHit project.

labhit init [PATH]

Arguments:

Argument	Description	Default
`PATH`	Directory to initialize	Current directory

Creates:

.labhit/pipeline.yaml — Starter pipeline template
.labhit/config.yaml — Engine configuration template

Examples:

labhit init                   # Initialize current directory
labhit init ./my-project      # Initialize a new directory

Server Commands

`labhit serve`

Start the LabHit API server.

labhit serve [OPTIONS]

Options:

Flag	Description	Default
`--host <addr>`	Bind address	`127.0.0.1`
`--port, -p <port>`	HTTP port	`8080`
`--playground`	Enable GraphQL playground	Off
`--format <fmt>`	Log format: `text` or `json`	`text`
`--cors-origins <list>`	Allowed CORS origins (comma-separated)	None
`--database-url <url>`	Database URL	In-memory

Environment variables:

Variable	Purpose
`JWT_SECRET`	JWT signing secret (enables authentication)
`GITHUB_CLIENT_ID`	GitHub OAuth client ID
`GITHUB_CLIENT_SECRET`	GitHub OAuth client secret
`LABHIT_API_KEY`	API key for programmatic access
`LABHIT_WEBHOOK_SECRET`	HMAC secret for webhook verification
`ADMIN_GITHUB_LOGINS`	Comma-separated admin GitHub usernames
`DATABASE_URL`	SQLite database path

Examples:

labhit serve                                    # Local dev server
labhit serve --port 3000 --playground           # With GraphQL playground
labhit serve --format json --database-url sqlite:///var/lib/labhit/data.db

Authentication Commands

`labhit auth login`

Authenticate via GitHub.

labhit auth login [OPTIONS]

Options:

Flag	Description	Default
`--api-url <url>`	API server URL	`https://api.labhit.dev`

Flow:

Requests a device code from the API server
Opens your browser to GitHub's authorization page
Displays a user code to enter on GitHub
Polls until authorization completes
Stores tokens at ~/.labhit/credentials.json (file mode 0600)

`labhit auth status`

Show current authentication status.

labhit auth status

Output includes: email, tier, API URL, credentials file path.

`labhit auth logout`

Revoke session and remove local credentials.

labhit auth logout

Sends the refresh token to the API to revoke the session server-side, then deletes ~/.labhit/credentials.json.

`labhit auth refresh`

Refresh an expired access token.

labhit auth refresh

Uses the stored refresh token to obtain a new access token without re-authenticating.

Extension Commands

`labhit extension init`

Scaffold a new extension project.

labhit extension init <NAME> [OPTIONS]

Arguments:

Argument	Description
`NAME`	Extension identifier in `category/name` format

Options:

Flag	Description	Default
`--lang <language>`	Project language	`rust`

Creates:

Cargo.toml with labhit-pdk dependency
src/main.rs with extension entry point template
extension.yaml manifest with metadata and capabilities

Examples:

labhit extension init scan/my-scanner
labhit extension init build/custom-builder --lang rust

`labhit extension build`

Compile an extension to WASM.

labhit extension build [PATH]

Arguments:

Argument	Description	Default
`PATH`	Extension project directory	Current directory

Requirements:

wasm32-wasip1 target installed: rustup target add wasm32-wasip1
Cargo.toml with labhit-pdk dependency

Output: target/wasm32-wasip1/release/<crate_name>.wasm

`labhit extension test`

Test an extension locally.

labhit extension test [PATH]

Builds the extension, loads it in the WASM runtime with a sample StepInput, and displays the output, metadata, and logs.

`labhit extension list`

List installed extensions.

labhit extension list

Shows extensions in .labhit/extensions/ with their ID, name, version, and capability count.

Output format:

ID                    NAME             VERSION   CAPABILITIES
scan/my-scanner       My Scanner       0.1.0     3
source/git            Git Source        1.0.0     2

`labhit extension install`

Install an extension from a package file.

labhit extension install <ID> [OPTIONS]

Arguments:

Argument	Description
`ID`	Extension identifier (`category/name`)

Options:

Flag	Description	Default
`--version <ver>`	Specific version to install	Latest

Examples:

labhit extension install source/git
labhit extension install scan/trivy --version 0.5.0

Validates the package, extracts it to .labhit/extensions/<category>/<name>/.

`labhit extension pack`

Package an extension for distribution.

labhit extension pack [PATH] [OPTIONS]

Options:

Flag	Description	Default
`--output <dir>`	Output directory	Current directory

Builds the extension, creates a .lhx package (compressed archive containing the WASM module, manifest, and README), and prints the file size and SHA-256 hash.

Output: <name>-<version>.lhx

`labhit extension search`

Search the extension registry.

labhit extension search <QUERY> [OPTIONS]

Options:

Flag	Description	Default
`--category <cat>`	Filter by category	All

Examples:

labhit extension search trivy
labhit extension search scanner --category scan

Exit Codes

Code	Meaning
`0`	Success
`1`	Pipeline failure (one or more stages failed)
`2`	Configuration error (invalid YAML, missing file)

Configuration Files

File	Purpose
`.labhit/pipeline.yaml`	Pipeline definition
`.labhit/config.yaml`	Engine configuration
`.labhit/extensions/`	Installed extensions
`.labhit/policies/`	Policy definitions
`~/.labhit/credentials.json`	Auth tokens (mode 0600)

CLI Reference

Global Options#

Pipeline Commands#

labhit run#

labhit validate#

labhit init#

Server Commands#

labhit serve#

Authentication Commands#

labhit auth login#

labhit auth status#

labhit auth logout#

labhit auth refresh#

Extension Commands#

labhit extension init#

labhit extension build#

labhit extension test#

labhit extension list#

labhit extension install

labhit extension pack#

labhit extension search

Exit Codes#

Configuration Files#

Global Options

Pipeline Commands

`labhit run`

`labhit validate`

`labhit init`

Server Commands

`labhit serve`

Authentication Commands

`labhit auth login`

`labhit auth status`

`labhit auth logout`

`labhit auth refresh`

Extension Commands

`labhit extension init`

`labhit extension build`

`labhit extension test`

`labhit extension list`

`labhit extension install`

`labhit extension pack`

`labhit extension search`

Exit Codes

Configuration Files