CLI reference (auto-generated)
Generated from src/privaci/cli/app.py. For copy-pasteable examples see cli-reference.md.
Regenerate with make docs-generate.
Invoking privaci with no subcommand runs privaci run.
privaci (default)
In-VPC PostgreSQL masking and anonymization engine.
| Option | Env var | Default | Description |
|---|---|---|---|
| --log-level | PRIVACI_LOG_LEVEL | info | Logging level. |
| --contract-version | — | False | Print the commercial-tier contract version and exit. |
| --config | — | /config/mask-rules.yaml | Path to mask-rules.yaml. |
| --source | SOURCE_DB_URL | — | Source database URL or secret URI. |
| --target | TARGET_DB_URL | — | Target database URL or secret URI. |
| --dry-run | — | False | Run pre-flight checks only; do not write rows. |
| --no-audit-table | — | False | Disable writes to _privaci.audit_log for this run. |
| --prometheus-port | — | — | Serve Prometheus metrics on this port (off by default). |
privaci catalog inspect
Introspect the source schema and print tables, load order, warnings.
| Option | Env var | Default | Description |
|---|---|---|---|
| --source | SOURCE_DB_URL | — | Source database URL or secret URI. |
privaci detect-drift
Compare live source schema to the last snapshot on target (commercial).
| Option | Env var | Default | Description |
|---|---|---|---|
| --source | SOURCE_DB_URL | — | Source database URL or secret URI. |
| --target | TARGET_DB_URL | — | Target database URL or secret URI. |
| --accept-drift | — | False | Emit findings JSON but do not exit 6 when drift is detected. |
privaci dry-run
Pre-flight checks only; no writes.
| Option | Env var | Default | Description |
|---|---|---|---|
| --config | — | /config/mask-rules.yaml | Path to mask-rules.yaml. |
| --source | SOURCE_DB_URL | — | Source database URL or secret URI. |
| --target | TARGET_DB_URL | — | Target database URL or secret URI. |
| --report | — | — | Write a markdown auto-detect report to this path. |
privaci gen-salt
Emit a 64-character hex salt to stdout.
privaci generate-ci
Emit CI/CD workflow files for a chosen platform.
| Option | Env var | Default | Description |
|---|---|---|---|
| --platform | — | — | github-actions |
| --output-dir | — | . | Directory to write generated files into. |
privaci install-pack
Fetch, verify, and merge a signed vertical config pack.
| Option | Env var | Default | Description |
|---|---|---|---|
| --config | — | /config/mask-rules.yaml | Path to mask-rules.yaml. |
| --registry-url | — | https://raw.githubusercontent.com/boundarylogic/config-packs/main | Base URL for pack manifests. |
| --local-pack-dir | — | — | Offline pack directory (contains |
| --yes | — | False | Apply the merge without prompting. |
privaci migrate-config
Upgrade a config between schema versions (no-op when versions match).
| Option | Env var | Default | Description |
|---|---|---|---|
| --from | — | — | Current schema version. |
| --to | — | — | Target schema version. |
privaci preview
Safe sample preview, policy diff JSON, and SARIF output (commercial).
| Option | Env var | Default | Description |
|---|---|---|---|
| --config | — | /config/mask-rules.yaml | Path to mask-rules.yaml. |
| --source | SOURCE_DB_URL | — | Source database URL or secret URI. |
| --target | TARGET_DB_URL | — | Target database URL or secret URI. |
| --commercial-extensions | — | — | Path to commercial-extensions.yaml (subset, json_mask). |
| --sample | — | 0 | |
| --policy-diff | — | — | |
| --sarif | — | — | |
privaci report
Render a compliance report for a completed run.
| Option | Env var | Default | Description |
|---|---|---|---|
| --run | — | — | Run UUID to report on. |
| --format | — | json | Output format (json; pdf requires commercial layer). |
| --output | — | — | Write report bytes to this path (default: stdout). |
privaci resume
Resume an interrupted run from checkpoints.
| Option | Env var | Default | Description |
|---|---|---|---|
| --config | — | /config/mask-rules.yaml | Path to mask-rules.yaml. |
| --source | SOURCE_DB_URL | — | Source database URL or secret URI. |
| --target | TARGET_DB_URL | — | Target database URL or secret URI. |
| --no-audit-table | — | False | Disable writes to _privaci.audit_log for this run. |
privaci run
Execute a masking run against the configured source and target.
| Option | Env var | Default | Description |
|---|---|---|---|
| --config | — | /config/mask-rules.yaml | Path to mask-rules.yaml. |
| --source | SOURCE_DB_URL | — | Source database URL or secret URI. |
| --target | TARGET_DB_URL | — | Target database URL or secret URI. |
| --dry-run | — | False | Run pre-flight checks only; do not write rows. |
| --no-audit-table | — | False | Disable writes to _privaci.audit_log for this run. |
| --prometheus-port | — | — | Serve Prometheus metrics on this port (off by default). |
privaci schema config
Print the mask-rules.yaml JSON Schema to stdout.
privaci validate
Validate the config file (connectivity checks run during run).
| Option | Env var | Default | Description |
|---|---|---|---|
| --config | — | /config/mask-rules.yaml | Path to mask-rules.yaml. |
privaci verify
Audit a completed run: compare target against source (value-free).
| Option | Env var | Default | Description |
|---|---|---|---|
| --config | — | /config/mask-rules.yaml | Path to mask-rules.yaml. |
| --source | SOURCE_DB_URL | — | Source database URL or secret URI. |
| --target | TARGET_DB_URL | — | Target database URL or secret URI. |
| --sample-size | — | 1000 | Rows per table to sample for row-level checks. |