CLI reference
Every arise command, the project-scoped token model, env vars, and exit codes.
The arise CLI drives everything the dashboard can, from a terminal — laptop, coding agent, or session sandbox. For common workflows, see Using the CLI.
Always available inside a session sandbox, no setup:
- Binary on
PATH(/usr/local/bin/arise). ARISE_CLI_TOKENpre-injected — the project-scoped token the CLI authenticates with. (ARISE_TOKENis also present, but it's the sandbox service key, not a CLI token.)ARISE_API_URLpoints at the platform you're running against.
Quickstart inside a session
arise whoami # confirms what project + account this token has
arise projects info # the project you're running inside
arise secrets ls # encrypted env vars + manifest [env] spec
arise sessions ls # every session on this project (incl. you)
arise cr ls # open change requests
arise cr open --title "..." # propose merging your branch into mainThe sandbox token is project-scoped: read+write anything on this project (secrets, sessions, triggers, change requests, apps), but it can't list other projects or touch account-level resources. See Token scope.
On your laptop
curl -fsSL https://arise.sa/install | bash
arise login # opens browser, you click AuthorizeThe local CLI uses a user-scoped token at ~/.config/arise/config.json (mode 0600), which sees every project on every account you're a member of.
Command surface
Auth
| Command | Effect |
|---|---|
arise login [--token <pat>] [--host <name>] [--api <url>] | Default: opens browser → click Authorize → token written. --token is the headless fallback. --host logs into a named host slot. |
arise logout [--host <name>] | Remove the token for the active host (or named one). |
arise whoami [--host <name>] | Print the user + active account on the chosen host. |
Hosts
A host is one Arise API endpoint. The built-ins cloud (Arise Cloud), selfhost (your arise self-host stack), local-dev (a local pnpm dev server), and arise-internal-dev are always available, and you can add more endpoints. One host is active at a time; the CLI prints the active host before operational commands so Cloud/local actions are harder to mix up.
| Command | Effect |
|---|---|
arise hosts ls | List configured hosts (● marks active). |
arise hosts use [<name>] | Switch active host. No name → arrow-key picker. |
arise hosts add <name> --url <url> [--login] | Register a new host. --login runs the browser flow right after. |
arise hosts rm <name> | Remove a host (confirms when it's the last one). |
arise hosts info [<name>] | Detailed view of one host. |
arise hosts current | Print the active host name (script-friendly). |
--host <name> overrides the active host for one invocation: arise projects ls --host local.
Self-host
arise self-host start creates and starts a production-style local Arise stack
using Docker Compose. On first interactive setup it only asks for the product
integrations you may need: Freestyle for app deployments, a GitHub App
or PAT for repo access, and Pipedream for app connectors. Local ports, Supabase,
generated secrets, and Docker defaults are handled automatically.
| Command | Effect |
|---|---|
arise self-host start | Create config if needed, start the local stack, and register the selfhost host. |
arise self-host configure | Re-run the Freestyle, GitHub, and Pipedream credential wizard. |
arise self-host env ls | Show persistent self-host env values, masking populated secrets. |
arise self-host env set KEY=VALUE … | Update advanced persistent env values before the next start. |
arise self-host logs [service] | Tail Docker Compose logs. |
arise self-host stop | Stop the stack. |
Projects
| Command | Effect |
|---|---|
arise projects ls | Every project on the active account. |
arise projects info [<id-or-slug>] | Show one project (defaults to the linked one). |
arise projects link [<id>] | Bind cwd to a remote project. Writes .arise/link.json with project_id, account_id, host, host_url. No arg → arrow-key picker. |
arise projects unlink | Drop .arise/link.json. |
arise projects open [<id>] | Open the dashboard URL for a project in your browser. |
How a command finds "the project"
In strict order:
--project <id>flag.ARISE_PROJECT_IDenv var..arise/link.jsonin cwd (or any ancestor — git-style).- Inside a session sandbox: the sandbox's own
ARISE_PROJECT_ID.
If none resolve, the command errors pointing to projects link.
How a command finds "the host"
--host <name>flag.hostfield in.arise/link.json(so a repo always hits its home Arise instance).- The globally-active host.
Secrets
Encrypted env vars stored on the project, injected as plain env into every session sandbox at boot.
| Command | Effect |
|---|---|
arise secrets ls | List secret names + manifest [env] spec; marks required-but-missing. |
arise secrets set NAME=VALUE … | Upsert one or more. NAME=- reads VALUE from stdin (so values never appear in shell history). |
arise secrets unset NAME … | Remove. |
Env — dotenv ↔ secrets
| Command | Effect |
|---|---|
arise env pull [--out .env] [--force] | Write a .env skeleton (names only — plaintext can't leave the cloud). |
arise env push --from <path> | Upload every NAME=VALUE from a dotenv file as a secret. Supports quoted values, export NAME=…, comment lines. |
Sessions
Each session is an isolated sandbox VM on its own ephemeral branch.
| Command | Effect |
|---|---|
arise sessions ls | All sessions on the project. |
arise sessions info <id> | Detail view: status, branch, base ref, agent, sandbox URL, errors. |
arise sessions new [--prompt "<text>"] | Start a new session, optionally with an initial prompt. |
arise sessions restart <id> | Re-provision a session in place. |
arise sessions rm <id> | Stop + delete. |
arise sessions open <id> | Open the dashboard URL for a session. |
arise sessions chat [<id>] [--prompt "<text>"] [--new] | Talk to a session's agent — interactive REPL, or one-shot with --prompt. Alias: talk. |
arise sessions preview <id> [port] | Print a clickable preview URL for a port in the session's sandbox (default 3000). |
Inside a sandbox, ARISE_SESSION_ID is your session; arise sessions info $ARISE_SESSION_ID is the live view of yourself.
Triggers
Round-trip through arise.toml's [[triggers]]; the dashboard sees the same state.
| Command | Effect |
|---|---|
arise triggers ls | List triggers + runtime state (last_fired_at). |
arise triggers info <slug> | Show one trigger in full. |
arise triggers fire <slug> | Manually fire a trigger now. |
arise triggers enable <slug> | Set enabled = true. |
arise triggers disable <slug> | Set enabled = false. |
Change requests (cr)
Arise-native PR layer for session work landing on main — merges one branch (head_ref) into another (base_ref) on any git host, no per-host integration. The only sanctioned way for an agent to land session-branch work on main. See Change requests.
| Command | Effect |
|---|---|
arise cr ls [--status open|merged|closed|all] [--project <id>] | List CRs on the project. Default: --status open. |
arise cr show <cr> [--project <id>] | Show one CR's metadata. Alias: arise cr info. Includes the merge-preview (clean / fast-forward / conflicts) for open CRs. |
arise cr diff <cr> [--no-color] [--project <id>] | Unified diff of the CR. Three-dot diff for open / closed CRs; for merged CRs it uses the SHAs captured at merge time. |
arise cr open --title "<text>" [--description "<text>"] [--head <ref>] [--base <ref>] [--session <id>] [--project <id>] | Open a new CR. Aliases: arise cr new, arise cr create. Inside a sandbox, --head defaults to $ARISE_BRANCH_NAME and --session defaults to $ARISE_SESSION_ID. --base defaults to the project's default branch (usually main). --title is required. Aliases: --from (--head), --into (--base), --body (--description). |
arise cr merge <cr> [--message "<text>"] [--project <id>] | Merge an open CR into its base_ref. Fast-forward when possible, three-way merge otherwise. Default message Merge CR #<n>: <title>. Fails with 409 if the CR is not open or there are conflicts. |
arise cr close <cr> [--project <id>] | Close an open CR without merging. Cannot close a merged CR. |
arise cr reopen <cr> [--project <id>] | Reopen a closed CR only — merged CRs are terminal. |
<cr> accepts the short per-project number (3, #3) or the full UUID cr_id. Numbers are unique per project, monotonically increasing.
Inside a sandbox — the typical agent flow
# 1. Commit on the session branch
git add .
git commit -m "Add release-notes skill"
# 2. Push the branch (ARISE_BRANCH_NAME)
git push origin HEAD
# 3. Open the CR — head and session are auto-detected
arise cr open \
--title "Add release-notes skill" \
--description "Drafts release notes from merged commits. Tested against the last 5 tags."
# 4. Confirm it's listed
arise cr ls
# 5. (Optional) show the diff one more time
arise cr diff 3The agent does not merge its own CR — that's the user's call, in the dashboard or via arise cr merge <n>.
Install / update / uninstall
| Command | Effect |
|---|---|
arise update | Re-runs the install script to pull the latest binary. |
arise uninstall | Removes the arise binary and its /usr/local/bin shim, the ~/.arise home dir, and the stored auth token. --keep-home preserves ~/.arise; --keep-auth preserves the token. |
arise version | Print the CLI version. |
Project scaffold
| Command | Effect |
|---|---|
arise init | Scaffold a Arise project in the current directory. Writes arise.toml, .arise/Dockerfile, and the OpenCode config dir (default agent + the arise-system skill + tools), and wires the Arise skill into any local coding agents it finds (.opencode/, .claude/, AGENTS.md, .cursor/). It does not write .arise/link.json — that's created later by projects link or ship. |
arise <project-name> | Same as init but scaffolds into a new directory next to cwd. |
Other commands: ship (alias deploy) pushes your local commits to the project's cloud repo, provisioning a managed repo on first run — despite the alias, it's a git push, not app deployment. channels connects Slack to a project. Run arise help for the full list.
Token scope
Two token types, both with the arise_pat_… prefix, distinguished by an internal project_id column on the token row.
| Type | Scope | Issued by | Typical use |
|---|---|---|---|
| User token | All projects on accounts the user belongs to + account-level routes (/v1/accounts/me, billing, etc.) | arise login browser flow → minted via POST /v1/accounts/tokens | The CLI on your laptop |
| Project token | Read + write everything on one project — secrets, sessions, triggers, change requests, apps. Cannot list other projects or hit account-level routes. | Auto-minted at session create; surfaced via POST /v1/projects/:id/cli-token | The CLI inside a sandbox |
Enforcement: every project route checks the token's project_id against the URL's :projectId. Mismatch → 403. Account routes (/v1/accounts/*) reject any project-scoped token outright.
Inside a sandbox
The session bootstrap injects (among other runtime vars):
ARISE_CLI_TOKEN=… # project-scoped PAT — the CLI authenticates with this
ARISE_TOKEN=… # sandbox service key (daemon control surface) — NOT a CLI token
ARISE_API_URL=https://api.arise.sa
ARISE_PROJECT_ID=<uuid>
ARISE_SESSION_ID=<uuid>The CLI reads ARISE_CLI_TOKEN automatically (falling back to ARISE_EXECUTOR_TOKEN, the same value) and uses ARISE_API_URL as the host base. No config file needed. Don't reach for ARISE_TOKEN — it's the daemon's service key, and the project-scoped API routes the CLI hits reject it.
Rotating
A sandbox's project token is minted at session create and lives for that sandbox. Restarting re-provisions and issues a fresh token; an existing sandbox keeps its token until it restarts.
Common workflows
Spin up a fresh session with custom env
arise secrets set OPENAI_API_KEY=sk-… ANTHROPIC_API_KEY=sk-…
arise sessions new --prompt "Audit the auth module and propose a fix"Inside a session: trigger another session
arise sessions new --prompt "Verify migration 0048 by running pnpm test + opening a CR if anything fails"Run a trigger by hand for debugging
arise triggers ls # confirm the slug + status
arise triggers fire daily-digest # one-shot manual fire
arise sessions ls | head -3 # the new session that the trigger spawnedPull current secrets into a local .env for development
arise env pull # names only, values left blank
$EDITOR .env # fill in values locally
# (don't push — local-only file)Bulk-upload local .env to the cloud project
arise env push --from .env
arise secrets ls # confirmLand session work on main (the CR flow)
The agent opens the CR; the user reviews and merges. No other path to main from inside a session.
# inside a session sandbox, on branch session-<id>
git add .
git commit -m "Add release-notes skill"
git push origin HEAD
arise cr open \
--title "Add release-notes skill" \
--description "Drafts release notes from merged commits. Tested against the last 5 tags."
arise cr ls # confirmThe user then runs arise cr show 3, arise cr diff 3, and arise cr merge 3 (or arise cr close 3).
Environment variables the CLI reads
| Variable | Purpose |
|---|---|
ARISE_CLI_TOKEN | The project-scoped PAT the CLI authenticates with in a sandbox (pre-injected). The primary token name the CLI reads. |
ARISE_EXECUTOR_TOKEN | Same value as ARISE_CLI_TOKEN; the CLI falls back to it if the former is unset. |
ARISE_API_URL | Override the API base URL (default: https://api.arise.sa). |
ARISE_PROJECT_ID | Override the linked project for one command. |
ARISE_CONFIG_FILE | Override ~/.config/arise/config.json location (useful for tests). |
ARISE_DASHBOARD_URL | Override the dashboard URL the login flow opens (default: derived from API URL). |
The ARISE_* prefix is reserved for platform-injected values. Don't declare project secrets with it — the secrets-manager API rejects them and the manifest validator warns.
Exit codes
| Code | Meaning |
|---|---|
0 | Success. |
1 | Operation failed (API error, missing project, etc.). Diagnostics printed to stderr. |
2 | Bad flag, unknown subcommand, missing required arg. |
What the CLI is not
- Not a separate runtime. Use
arise self-host startto run your own local Arise Cloud stack, then switch between Cloud and local APIs witharise hosts use. - Not a
gitreplacement.arise crcomposes withgitrather than wrapping it. - Not the runtime. OpenCode executes the agent in the sandbox; the CLI is the control plane. See Arise vs OpenCode config.