Skip to content
Briar
View on GitHub

CLI reference

Auth · secrets · telemetry.

Three commands that manage credentials, audit coverage, and configure what gets sent home. Read this page once on install, then refer back when you add a new provider.

briar auth

Acquire and persist credentials interactively. Every subcommand accepts a positional target (the thing you're logging into) and the same --store / --company pair.

Common flags

target TARGETrequired
github-devicegithub-patbitbucket-app-passwordaws-staticaws-ssojira-tokenjira-sessionlinear-api-keyfireflies
Positional. What to log into.
--company COMPANY
Per-company namespace. Required for vendor targets (so the token lands in GITHUB_{COMPANY}_TOKEN etc.).
--store STORE
envfileaws-secretsmanagerssmvault
Where to persist credentials. Defaults to $BRIAR_DEFAULT_STORE then envfile. Ignored for bootstrap targets — those always persist locally.

$ briar auth login

briar auth login [--company C] [--store S] TARGET

Run the interactive flow for a target and write the resulting credentials.

$ briar auth login github-pat --company acme
$ briar auth login github-device --company acme           # device-flow OAuth
$ briar auth login bitbucket-app-password --company acme
$ briar auth login aws-sso --company acme
$ briar auth login aws-static --company acme
$ briar auth login jira-token --company acme
$ briar auth login jira-session --company acme            # for SSO tenants
$ briar auth login linear-api-key --company acme

$ briar auth logout

briar auth logout [--company C] [--store S] [--yes] TARGET

Delete the credentials a target's login would have written.

--yes
Skip confirmation prompt.
$ briar auth logout github-pat --company acme --yes

$ briar auth refresh

briar auth refresh [--company C] [--store S] TARGET

Renew an OAuth / SSO bundle without re-prompting. Useful for aws-sso and github-device.

$ briar auth refresh aws-sso --company acme

$ briar auth list

briar auth list [--store S] [--company C]

Show which credential env vars are populated (names only — values are never printed).

$ briar auth list --store envfile

$ briar auth status

briar auth status [--company C] [--store S] TARGET

Show one target × company bundle's coverage: which env vars are present, which are missing.

$ briar auth status github-pat --company acme
$ briar auth status jira-session --company acme

briar secrets

Two subcommands: doctor audits the coverage of every (company × extractor) / (company × writer) tuple in a runbook directory; bootstrap runs the envfile loader on demand.

$ briar secrets doctor

briar secrets doctor [--examples DIR] [--store STORE]

Walk every YAML in the directory and report, per(company, extractor, provider) tuple, which env vars are present and which are missing. Same audit for (company, messages, writer).

--examples DIRdefault: ./examples
Runbook YAML directory.
--store STOREdefault: envfile
envfileaws-secretsmanagerssmvault
Credential store backend.
$ briar secrets doctor --examples runbooks/
$ briar secrets doctor --examples runbooks/ --store aws-secretsmanager

$ briar secrets bootstrap

briar secrets bootstrap [--kind {envfile}] [--dry-run]

One-off invocation of a credential bootstrap. Normally bootstraps run automatically at CLI startup; this is for debugging.

--kind {envfile}
envfile
Force one bootstrap backend. Default: auto-detect via is_available().
--dry-run
Run the remote fetch but DON'T write to os.environ. Prints the keys that would be set, without revealing values.
$ briar secrets bootstrap --dry-run
$ briar secrets bootstrap --kind envfile

briar telemetry

Telemetry is opt-out — full by default. The six subcommands let you inspect, preview, and change the tier.

Tier ladder

  • off — no events sent. Persists.
  • errors-only — only Sentry-captured exceptions.
  • full — errors + usage analytics (which command, exit code, duration). No PII. The default.

Per-process and industry overrides

BRIAR_TELEMETRY=off for the current invocation; DO_NOT_TRACK=1 overrides everything (industry standard).

$ briar telemetry status

briar telemetry status

Print the current tier and the config source.

$ briar telemetry status

$ briar telemetry preview

briar telemetry preview [--for-command CMD]

Print the exact JSON event that would be sent for the next invocation. Lets you audit the payload before trusting the system.

--for-command CMD
Pretend command name to render the event for.
$ briar telemetry preview
$ briar telemetry preview --for-command plan.run

$ briar telemetry off

briar telemetry off

Disable telemetry entirely. Persists to the config file.

$ briar telemetry off

$ briar telemetry errors-only

briar telemetry errors-only

Opt into errors-only (default tier). Persists.

$ briar telemetry errors-only

$ briar telemetry full

briar telemetry full

Opt into errors + usage analytics. Persists.

$ briar telemetry full

$ briar telemetry reset

briar telemetry reset

Regenerate the install ID (rotate the anonymous identity used to bucket events).

$ briar telemetry reset

See also