LaserData Cloud
CLI

Command Reference

Every laser command, grouped by area, with aliases and notes

This page lists every command exposed by laser. Run laser <command> --help for flag-level detail. The setup commands (auth, context, version, update, tui) work without an active context; every other command requires one.

Auth

laser auth login [--context NAME] [--api-key KEY] [--tenant-id ID]
laser auth logout [--context NAME] [--all]
laser auth purge        # destructive: drops every context and keyring entry

login prompts for a masked API key when --api-key is omitted, validates the key against the platform, and stores the secret in the OS keyring.

Context

laser context create NAME [--api-key KEY] [--tenant-id ID] [--division-id ID] [--environment-id ID] [--deployment-id ID] [--activate]
laser context list
laser context current
laser context show [NAME]
laser context switch NAME           # alias: laser ctx use NAME
laser context delete NAME
laser context rename FROM TO
laser context set FIELD VALUE       # tenant_id | division_id | environment_id | deployment_id

ctx is the visible alias for context.

Tenant

Alias: tn. Every tenant command resolves the active tenant from the current context, or from --tenant-id when supplied.

laser tenant get
laser tenant structure       # full tree: divisions -> environments -> deployments
laser tenant summary         # aggregate counts
laser tenant update [--name NAME] [--description TEXT] [--email EMAIL] [--protected true|false]

Workspace Config

laser tenant config get
laser tenant config update [--join-policy invite_only|open|request_to_join] [--block-external-invitations true|false] [--enforce-domain-only-invitations true|false]

Shows the tenant's join policy, invitation locks, and (when set) the claimed email domain. The join policy decides what happens when someone signs up with an email matching the tenant's domain. Lock toggles only take effect when the tenant has a claimed email_domain.

API Keys

laser tenant key list [--name SUBSTRING] [--page N] [--results N]
laser tenant key create [--name NAME] [--role-id ID] [--division-id ID] [--expires-in-days N] [--validate-ip true|false] [--allowed-ip IP ...]
laser tenant key context
laser tenant key update-security --api-key-id ID [--validate-ip true|false] [--allowed-ip IP ...]
laser tenant key delete --api-key-id ID

tenant key context is a self-introspection call: it returns the calling key's role, division scope, IP-allowlist state, expiry, and the resolved permission set. Use it to verify that an API key was issued with the scope you expected.

--allowed-ip is repeatable for multiple addresses. The --name, --role-id, and --expires-in-days flags prompt on a TTY when omitted. A newly created key returns its secret once, so capture it immediately.

Cloud Accounts

laser tenant cloud-account list [--page N] [--results N]
laser tenant cloud-account get --cloud-account-id ID
laser tenant cloud-account create [--cloud aws|gcp] [--name NAME] [--account-id ID] [--region REGION] [--remarks TEXT]
laser tenant cloud-account delete --cloud-account-id ID

Members and Invitations

laser tenant member list                                          # active only
laser tenant member all                                           # include inactive
laser tenant member permissions                                   # list available permissions
laser tenant member update --member-id ID [--active true|false] [--role-id ID ...]
laser tenant member delete --member-id ID

laser tenant invitation list                                      # alias: inv
laser tenant invitation create [--email EMAIL] [--message TEXT] [--role-id ID ...]
laser tenant invitation cancel --invitation-id ID

--role-id is repeatable to assign multiple roles in a single call.

Roles

laser tenant role list [--page N] [--results N]
laser tenant role get --role-id ID
laser tenant role create --name NAME [--description TEXT] [--permission KEY ...]
laser tenant role update --role-id ID [--name NAME] [--description TEXT] [--permission KEY ...]
laser tenant role delete --role-id ID
laser tenant role members --role-id ID
laser tenant role assign --role-id ID --member-id ID
laser tenant role revoke --role-id ID --member-id ID

--permission is repeatable. Use laser tenant member permissions to list valid keys.

Billing

laser tenant billing info
laser tenant billing reports [--page N] [--results N]
laser tenant billing report --report-id ID
laser tenant billing invoices [--page N] [--results N]
laser tenant billing invoice --invoice-id ID
laser tenant billing invoice-pdf --invoice-id ID --output FILE.pdf

Division

Alias: div.

laser division list [--page N] [--results N]
laser division get --division-id ID
laser division create [--name NAME] [--description TEXT] [--email EMAIL]
laser division update --division-id ID [--name NAME] [--description TEXT] [--email EMAIL] [--protected true|false]
laser division delete --division-id ID [--code CODE]    # protected divisions need --code

--division-id falls back to the context's division_id when omitted on get / update / delete.

Environment

Alias: env.

laser environment list --division-id ID [--page N] [--results N]
laser environment get --environment-id ID
laser environment create --division-id ID [--name NAME] [--description TEXT]
laser environment update --environment-id ID [--name NAME] [--description TEXT] [--protected true|false]
laser environment delete --environment-id ID [--code CODE]

Both --division-id and --environment-id fall back to the context where applicable.

Deployment

Alias: dep. The largest command tree on the CLI: provisioning, lifecycle, configs, snapshots, backups, networking, and observability.

Every deployment subcommand inherits a scope of --tenant-id, --division-id, --environment-id, and --deployment-id. Each flag falls back to the matching field on the active context when omitted.

Lifecycle

laser deployment list [--environment-id ID] [--page N] [--results N]
laser deployment get [--deployment-id ID]
laser deployment update [--deployment-id ID] [--description TEXT] [--protected true|false]
laser deployment delete [--deployment-id ID] [--code CODE]
laser deployment extend [--deployment-id ID] --add-nodes N [--add-nodes N ...]
laser deployment upgrade [--deployment-id ID] [--tier TIER] [--storage-type TYPE] [--storage-size-gb N]
laser deployment retention [--deployment-id ID] --telemetry-days N
laser deployment spend-limit [--deployment-id ID] [--spend-limit USD | --clear]
laser deployment watch [--deployment-id ID] [--interval-secs N] [--timeout-mins N]

extend accepts a repeated --add-nodes flag for grouped node sets. watch long-polls until the deployment is ready or has failed; the default interval is 5 seconds (clamped to 2-60), and the default timeout is 60 minutes.

Provisioning

laser deployment create-managed \
    [--name NAME] [--cloud aws|gcp] [--region REGION] [--tier TIER] [--cluster standalone|cluster] \
    [--storage-type TYPE] [--storage-size-gb N] [--availability-mode single_az|multi_az] \
    [--protected true|false] [--encrypted true|false] [--dedicated true|false] \
    [--public-ip-enabled true|false] [--subdomain-enabled true|false] \
    [--telemetry-days N] [--spend-limit USD]

laser deployment create-byoc \
    [--name NAME] [--cloud aws|gcp] [--region REGION] [--tier TIER] [--cluster standalone|cluster] \
    [--storage-type TYPE] [--storage-size-gb N] [--availability-mode single_az|multi_az] \
    [--protected true|false] [--encrypted true|false] [--dedicated true|false] \
    [--public-ip-enabled true|false] [--subdomain-enabled true|false] \
    [--telemetry-days N] [--spend-limit USD] \
    [--aws-account-id ID] [--aws-identity-arn ARN] [--aws-external-id ID] [--aws-vpc-id ID] [--aws-vpc-cidr CIDR] \
    [--gcp-project-id ID] [--gcp-service-account-email EMAIL] [--gcp-vpc-name NAME]

laser deployment create-starter \
    [--cloud aws|gcp] [--region REGION] \
    [--environment-id ID | --environment-name NAME] [--deployment-name NAME]

All three commands prompt interactively on a TTY when required flags are omitted. create-starter is the fastest path to a Free-tier standalone deployment for testing.

Configs

laser deployment config list      [--deployment-id ID] --kind iggy|connectors|warden|connector
laser deployment config primary   [--deployment-id ID] --kind iggy|connectors|warden|connector
laser deployment config schema    [--deployment-id ID] --kind iggy|connectors|warden|connector
laser deployment config versions  [--deployment-id ID] --kind ... [--name NAME]
laser deployment config version   [--deployment-id ID] --kind ... [--name NAME] --version N
laser deployment config activate  [--deployment-id ID] --kind ... [--name NAME] --version N
laser deployment config create    [--deployment-id ID] --kind ... [--name NAME] --file FILE.json [--activate]
laser deployment config delete    [--deployment-id ID] --kind ... --config-id ID

Snapshots

Diagnostic HTML reports per node, covering system state, runtimes, certificates, network, kernel parameters, and recent logs.

laser deployment snapshot list     [--deployment-id ID]
laser deployment snapshot create   [--deployment-id ID] [--redact-secrets true|false] [--include-iggy true|false]
laser deployment snapshot delete   [--deployment-id ID] --snapshot-id ID
laser deployment snapshot download [--deployment-id ID] --snapshot-id ID

Backups

Point-in-time storage volume backups. Available for AWS network-storage deployments on Pro and Enterprise plans.

laser deployment backup list    [--deployment-id ID]
laser deployment backup create  [--deployment-id ID]
laser deployment backup delete  [--deployment-id ID] --backup-id ID
laser deployment backup restore [--deployment-id ID] --backup-id ID

backup create takes only the deployment scope; the backup is named server-side. Apply additional metadata directly through the API.

Access Rules (Firewall)

Alias: rules.

laser deployment access-rule list   [--deployment-id ID]
laser deployment access-rule add    [--deployment-id ID] --name NAME \
                                    --cidr CIDR [--cidr CIDR ...] \
                                    [--iggy-tcp] [--iggy-http] [--iggy-websocket] [--iggy-udp] \
                                    [--valid-to RFC3339] [--remarks TEXT]
laser deployment access-rule delete [--deployment-id ID] --rules-id ID

--cidr is repeatable to allow multiple ranges in a single call. Toggle individual Iggy protocols with --iggy-tcp, --iggy-http, --iggy-websocket, --iggy-udp. Use --valid-to to expire the rule automatically.
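
As an added example (not part of the LaserData documentation), the wrapper below uses the access-rule add flags listed above so that every rule it creates is narrow and carries a --valid-to expiry. The policy limits (MAX_HOURS, MIN_PREFIX), the DRY_RUN and NOW_EPOCH variables, and the function names are assumptions; it handles IPv4 CIDRs only and needs GNU or BusyBox date.

```shell
# Added example, not LaserData code. Flags are those listed above; MAX_HOURS,
# MIN_PREFIX, DRY_RUN, NOW_EPOCH and the function names are assumptions.
MAX_HOURS=72     # assumed policy: no rule outlives three days
MIN_PREFIX=24    # assumed policy: nothing broader than an IPv4 /24

# cidr_ok CIDR: succeed only for well-formed IPv4 with /MIN_PREFIX../32.
cidr_ok() (
    case $1 in
        */*/*|*[!0-9./]*|*..*|.*|*./*|/*|*/) exit 1 ;;  # malformed or IPv6
        */*) ;;
        *) exit 1 ;;                                     # bare address, no prefix
    esac
    ip=${1%/*}; prefix=${1#*/}
    case $prefix in *.*|???*) exit 1 ;; esac
    IFS=.; set -- $ip
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ]
)

# expiry_rfc3339 HOURS: UTC timestamp HOURS ahead, refused beyond MAX_HOURS.
# NOW_EPOCH overrides the clock (for tests). Needs GNU or BusyBox date.
expiry_rfc3339() (
    case $1 in ''|0*|*[!0-9]*) exit 1 ;; esac   # positive integer, no leading 0
    [ "$1" -le "$MAX_HOURS" ] || exit 1
    now=${NOW_EPOCH:-$(date +%s)}
    date -u -d "@$((now + $1 * 3600))" +%Y-%m-%dT%H:%M:%SZ
)

# add_temp_rule NAME HOURS CIDR...: validate, then run the command
# (DRY_RUN=1 prints it instead). Only --iggy-tcp is opened.
add_temp_rule() (
    name=$1; hours=$2; shift 2
    [ $# -ge 1 ] || { echo "need at least one CIDR" >&2; exit 2; }
    expires=$(expiry_rfc3339 "$hours") || { echo "bad lifetime: $hours" >&2; exit 2; }
    n=$#
    for c in "$@"; do
        cidr_ok "$c" || { echo "rejected CIDR: $c" >&2; exit 2; }
        set -- "$@" --cidr "$c"
    done
    shift "$n"
    set -- laser deployment access-rule add --name "$name" "$@" \
        --iggy-tcp --valid-to "$expires"
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
)
```

With DRY_RUN=1, add_temp_rule ci-runner 4 203.0.113.0/24 prints the resulting command instead of running it, which is a convenient way to review a rule before it is applied.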

Connectors and Tasks

laser deployment connector list   [--deployment-id ID]
laser deployment connector delete [--deployment-id ID] --instance-id ID

laser deployment task list [--deployment-id ID]

Observability

laser deployment logs        [--deployment-id ID] --runtime iggy|connectors|connector|warden [--page N] [--results N] [--message SUBSTRING] [--level debug|info|warn|error] [--node ID] [--scope-filter NAME] [--from RFC3339] [--to RFC3339]
laser deployment activity    [--deployment-id ID] [--page N] [--results N]
laser deployment metrics     [--deployment-id ID]
laser deployment heartbeats  [--deployment-id ID]
laser deployment credentials [--deployment-id ID]
laser deployment network     [--deployment-id ID]

Logs are paginated rather than streamed; re-run the command to refresh. For live tailing, use the Logs tab inside the TUI.

Channel

Alias: chan. Tenant notification channels for Slack, generic webhooks, and email.

laser channel list [--page N] [--results N]
laser channel get --channel-id ID
laser channel create [--kind slack|webhook|email] [--name NAME] [--destination URL_OR_ADDRESS] [--remarks TEXT]
laser channel update --channel-id ID [--name NAME] [--destination URL] [--enabled true|false] [--remarks TEXT]
laser channel delete --channel-id ID
laser channel test --channel-id ID
laser channel notifications --channel-id ID [--page N] [--results N]

The format of --destination depends on --kind: a Slack webhook URL, a generic webhook URL, or an email address. The create command prompts interactively on a TTY when required flags are omitted.

Cloud Catalogue

Alias: cl. Read-only discovery for the active tenant's plan and regional availability.

laser cloud list                                  # clouds available
laser cloud regions --cloud aws|gcp
laser cloud clusters --cloud aws|gcp --region REGION
laser cloud storages --cloud aws|gcp --region REGION
laser cloud tiers    --cloud aws|gcp --region REGION

Treat laser cloud tiers as the source of truth for tier availability, per-tier limits, compute specs, supported cluster and storage modes, and plan-aware rate limits.

Audit

laser audit [--page N] [--results N] [--from RFC3339] [--to RFC3339] [--user USER_ID] [--author USER_ID] [--division ID] [--environment ID] [--deployment ID]

Tenant-wide audit log. --user filters by the subject of the action, --author by the actor performing it. Returns immutable records of every state-changing operation.

System

laser version       # print CLI version
laser update        # in-place upgrade to the latest release
laser tui           # alias: laser ui (launches the dashboard)

Aliases

Long form                 Alias
context                   ctx
tenant                    tn
division                  div
environment               env
deployment                dep
channel                   chan
cloud                     cl
tui                       ui
tenant invitation         tenant inv
deployment access-rule    deployment rules

Shell Completion

laser --generate bash       > /etc/bash_completion.d/laser
laser --generate zsh        > "${fpath[1]}/_laser"
laser --generate fish       > ~/.config/fish/completions/laser.fish
laser --generate powershell > $PROFILE.laser.ps1
laser --generate elvish     > ~/.config/elvish/lib/laser-completions.elv
