CLI reference
taiku CLI commands, flags, and environment variables.
The taiku CLI creates collaborative terminal sessions, manages authentication, exposes tunnels, and configures filesystem sandboxing. This page is a reference for the main commands and options. For real-world usage patterns, see Scenarios and Common Workflows.
taiku
Start a new collaborative terminal session. This is the primary command. Running
taiku with no subcommand creates a session, connects to the server, and opens
the session URL in your browser or desktop app.
taiku [OPTIONS]When you run taiku, it:
- Resolves your authentication credentials.
- Connects to the taiku server to register the session.
- Spawns a local shell process (your default shell, or the one specified with
--shell). - Opens the session URL in the taiku desktop app (or browser, depending on configuration).
- Copies the session URL to your clipboard.
- Streams terminal I/O between your local shell and the server until you exit.
Options
| Option | Description |
|---|---|
--shell <SHELL> | Shell command to run instead of your default shell. It can be any executable, including /bin/bash, /bin/zsh, fish, or python3. If omitted, taiku uses the SHELL environment variable or falls back to /bin/sh. |
--name <NAME> | Display name for the session. Shown in the title bar and session list. Defaults to user@hostname. |
--quiet / -q | Quiet mode. Suppresses the greeting banner and only prints the session URL to stdout. Useful for scripting. |
--verbose / -v | Enable verbose logging output. Prints debug-level logs to stderr. |
--no-app | Skip opening the desktop app. The session URL opens in your default browser instead. Use this on remote servers without a GUI, or when you prefer the browser experience. |
--no-browser | Do not open a browser window on startup. The session URL is still printed and copied to clipboard. |
--no-copy | Do not copy the session URL to the clipboard on startup. |
--enable-readers | Generate separate reader, writer, and admin URLs. Each role gets its own standalone link (its own URL fragment) — there is no extra password appended to the link. The reader link can view but not type; the writer link can type; the admin link can also manage tunnels. |
--token <TOKEN> | Use a specific API token for authentication instead of the stored credentials or environment variable. |
--tunnel <PORTS> | Expose local ports as HTTP tunnels, accessible to session participants. Accepts a comma-separated list of port numbers. If you don't pass this flag, taiku declares port 3000 by default. |
--open-tunnel | Auto-approve all tunnel port requests from session users. Without this flag, each tunnel port request requires manual approval in the terminal. |
--sandbox <PATH> | Restrict the shell to a workspace directory using the operating system's built-in filesystem sandboxing. The shell can only access files within the specified path. |
--sandbox-ro | Make the sandbox workspace read-only. Implies --sandbox. The shell can read files in the workspace but cannot create, modify, or delete them. |
--sandbox-mode <MODE> | Sandbox behavior profile. Options are isolated (default) and trusted. Trusted mode relaxes certain restrictions for scenarios where the sandboxed process needs broader system access. |
--sandbox-allow <PATH> | Add an additional path to the sandbox read-only allow list. Can be repeated to allow multiple paths. |
--sandbox-bridge-claude-auth | Allow sandboxed shells to reuse host Claude authentication and configuration state. |
--sandbox-bridge-codex-auth | Allow sandboxed shells to reuse host Codex authentication and configuration state. |
--sandbox-bridge-opencode-auth | Allow sandboxed shells to reuse host OpenCode authentication and configuration state. |
--sandbox-bridge-amp-auth | Allow sandboxed shells to reuse host Amp authentication and configuration state. |
--sandbox-bridge-cursor-auth | Allow sandboxed shells to reuse host Cursor agent authentication and configuration state. |
--no-sandbox-claude-auth | Deny sandboxed shells access to host Claude auth/config, including trusted sandbox mode. |
--no-sandbox-codex-auth | Deny sandboxed shells access to host Codex auth/config, including trusted sandbox mode. |
--no-sandbox-opencode-auth | Deny sandboxed shells access to host OpenCode auth/config, including trusted sandbox mode. |
--no-sandbox-amp-auth | Deny sandboxed shells access to host Amp auth/config, including trusted sandbox mode. |
--no-sandbox-cursor-auth | Deny sandboxed shells access to host Cursor agent auth/config, including trusted sandbox mode. |
--no-nested-tools | Do not forward Taiku tool integrations into interactive ssh or docker exec shells launched from the session. |
--no-nested-atuin | Do not forward Taiku-scoped Atuin config/history into interactive ssh or docker exec shells launched from the session. |
--server <URL> | Address of the remote taiku server. Defaults to https://taiku.live. Same as TAIKU_SERVER. The flag is accepted globally but omitted from taiku --help; prefer the env var for scripts. |
taiku new
Start another taiku session from this machine, in addition to any you already have running.
taiku new [PATH] [OPTIONS]PATH is the directory the new session starts in (defaults to the current
directory).
| Option | Description |
|---|---|
--name <NAME> | Session name shown in the title. |
--no-sandbox | Start without a filesystem sandbox. |
--sandbox-path <PATH> | Restrict the new session to an explicit directory. |
--sandbox-ro | Make the sandbox workspace read-only. |
--trusted | Use trusted sandbox mode (see --sandbox-mode). |
taiku local
Start a local-only session on a loopback server, with no traffic leaving your machine. Useful for working offline or keeping a session fully private.
taiku local [PATH] [OPTIONS]It takes the same PATH and sandbox options as
taiku new, plus:
| Option | Description |
|---|---|
--port <PORT> | Loopback port for the local server. Defaults to a free port. |
--server-bin <PATH> | Path to the taiku-server binary (see note below). |
taiku local runs its own loopback server, so it needs the taiku-server
binary available. It looks for one next to the taiku binary or at
TAIKU_SERVER_BIN; if your install doesn't include it, point --server-bin at
one.
taiku login
Authenticate with your taiku account. This stores credentials locally so
subsequent taiku commands are authenticated.
taiku login [OPTIONS]On machines with a browser, taiku login opens the OAuth login page. You
authenticate in the browser, and the CLI receives the credentials automatically
via the device authorization flow.
On machines without a desktop (typical servers or build runners), taiku login
prints a URL and a device code. You visit the URL on any device, enter the code,
and authenticate. The CLI polls for completion and stores the credentials when
the flow succeeds.
Options
| Option | Description |
|---|---|
--token <TOKEN> | Provide an API token directly instead of using the interactive device flow. Useful for automated pipelines where browser-based auth is not possible. |
--force | Re-run the sign-in flow even when valid credentials already exist — for example, to switch accounts. |
Where credentials are stored
After successful login, credentials are written to
~/.config/taiku/credentials:
{
"server": "https://taiku.live",
"api_key": "tk_...",
"email": "you@example.com"
}This file is readable only by your user. The CLI reads it automatically on every
invocation. If you are already signed in, taiku login reports that account and
exits without re-running the sign-in flow — so taiku sessions you start are
already authenticated. To switch accounts, run taiku logout first, or
taiku login --force to overwrite the existing credentials.
Inside a taiku session, taiku login and taiku logout are unavailable: the
session already runs as your signed-in account, so manage credentials from your
host machine instead.
taiku logout
Remove stored credentials and log out.
taiku logoutThis deletes the ~/.config/taiku/credentials file. After logging out, taiku
commands that require authentication will prompt you to log in again.
taiku sandbox
Manage the persistent sandbox allow-list. This lets you pre-configure paths that
sandboxed sessions can access without specifying --sandbox-allow every time.
taiku sandbox allow
Add a path to the persistent allow-list.
taiku sandbox allow <PATH> [--rw]| Option | Description |
|---|---|
--rw | Grant read-write access instead of the default read-only. |
taiku sandbox deny
Remove a path from the allow-list.
taiku sandbox deny <PATH>taiku sandbox list
Show all currently allowed paths.
taiku sandbox listtaiku tools
Install and manage the command-line tools taiku uses, routing each install to the right manager (mise, Homebrew, or your system package manager).
| Command | Description |
|---|---|
install [SPEC] [--global] | Install a tool. SPEC can be a tool name, or an explicit manager:package like brew:wget or mise:node@20. Omit it to open an interactive picker. --global installs into the shared environment instead of this project's. |
exec <TOOL> -- [ARGS] | Run a tool at its resolved version without installing it permanently. |
search [QUERY] [--list] | Search the catalog of installable tools. |
sync | Install everything pinned in this project's taiku.lock. |
share | Print taiku.lock to stdout so you can copy it to another machine and taiku tools sync. |
bootstrap [--brew] | Ensure the base managers exist and apply the baseline tool set. --brew also runs your Homebrew bundle (macOS). |
bootstrap-defaults | Install just the default taiku tool set into taiku's managed bin directory. |
taiku install
Shortcut for taiku tools install.
taiku install [SPEC] [--global]With no SPEC, it opens the interactive picker.
taiku init
Print shell setup code that adds taiku's terminal helpers to your shell. Run it once from your shell config so the helpers load in every new shell.
# zsh / bash — add to ~/.zshrc or ~/.bashrc
eval "$(taiku init zsh)"
eval "$(taiku init bash)"
# PowerShell — add to your $PROFILE
taiku init pwsh | Out-String | Invoke-ExpressionThe setup code installs a switch shell function (so
taiku switch can change your current
directory) along with lightweight wrappers that make taiku's path and tool
integrations work smoothly inside your shell. On PowerShell, which reserves the
switch keyword, it installs a Switch-Worktree function with an sw alias
instead.
| Option | Description |
|---|---|
--aggressive | Install a broader set of command wrappers where the shell supports it. Use only if the default helpers miss something; off by default. |
taiku switch
Jump between git worktrees and branches with a fuzzy picker. Run it inside any git repository.
taiku switch [NAME] [OPTIONS]With no argument, taiku switch opens an interactive picker (using fzf or
sk if installed, otherwise a numbered list) over your worktrees and branches.
Pick one and your shell changes into it. With a NAME, it jumps directly:
- A name that matches an existing worktree changes into that worktree.
- A branch name without a worktree creates one under
<repo>/.claude/worktrees/<name>/and changes into it. - Anything else prints an error.
To change your current directory, taiku switch relies on the switch shell
function installed by taiku init. Once that
is set up, you can also just type switch instead of taiku switch.
Picker controls
When the fzf/sk picker is open:
| Key | Action |
|---|---|
Enter | Switch to the selected worktree/branch |
Ctrl+O | Open the row's pull request in a browser tile |
Ctrl+G | View the worktree's diff in taiku |
Ctrl+R / Ctrl+N / Ctrl+P | Re-sort by recent / name / path |
Ctrl+A / Ctrl+W / Ctrl+B | Show all / only worktrees / only branches |
The list is ranked by how often and how recently you switch into each worktree,
with the current worktree pinned at the top. Open pull requests for a branch are
shown inline when the GitHub CLI (gh) is installed and authenticated.
Options
| Option | Description |
|---|---|
--sort <recent|name|path> | Initial sort order. recent (default) puts newest commits first; name and path are alphabetical. |
--filter <all|worktrees|branches> | Which candidates to show. all is the default. |
--no-picker | Force the plain numbered prompt even when fzf/sk is installed. |
--list | Print the candidate list instead of switching. Useful for scripting. |
taiku bystand
Keep the device online and listen for remote session commands. This is a long-running mode where the CLI stays connected to the server without starting an interactive session, waiting for remote instructions from the dashboard.
taiku bystandUse this on machines that should be remotely accessible but do not need an
active session running at all times. While it is running, the device accepts
remote Start session commands from the
dashboard. The desktop app achieves the same
thing with a GUI; taiku bystand does the same without a local window.
taiku remote
Request remote desktop from inside a taiku session shell.
taiku remote [--session <name>] [--client <id>] [--password <password>]This command is only available inside a shell that was created by taiku. It is for the case where you are already in a remote taiku terminal from another computer and want to open the host's desktop in the taiku desktop app.
When you run it, taiku sends a remote desktop request to the connected session
client. If the host requires manual approval, the command prints that the
request is pending and waits for approval, rejection, or timeout. If the host
uses password-only access, pass --password.
| Option | Description |
|---|---|
--session <name> | Target a specific session instead of the current taiku session. |
--client <id> | Target a specific connected client from taiku func list-users. |
--password <password> | Remote desktop guard password, when the host requires password approval. |
taiku remote does not start a new terminal session. It uses the session you
are already in, and it still follows the normal remote desktop requirements:
both sides need the desktop app, the controller must be a different device from
the host, and the host's guard mode may require approval.
taiku share
Publish the session you are already in to a shareable link, without interrupting your live terminal. Run it from inside a session you are hosting on this machine.
taiku share [OPTIONS]taiku share snapshots the running session and moves its hosting onto a server
so the link works from anywhere, then prints the URL to send to collaborators.
Your terminal keeps running throughout; only where the session is hosted
changes. Run outside a session, it prints an error telling you to start one
first.
Everyone with the link can type by default. Start the session with
--enable-readers if you also want a read-only
link to hand out.
| Option | Description |
|---|---|
--keep-path | Preserve the host filesystem path on the destination. Off by default. |
--server <URL> | Destination server for the share. Defaults to the global server. |
To hand the session to a managed machine instead of hosting it from your device,
see taiku cloud.
taiku cloud
Provision or reuse a managed cloud workspace for a local project, start file sync, and open a taiku session on the cloud machine.
taiku cloud [PATH] [OPTIONS]If PATH is omitted, taiku uses the current directory. The local path becomes a
binding, so future runs from that same path reopen the same workspace when
possible.
Run from inside a session, taiku cloud moves that session's project onto the
managed machine and continues there, so it survives device sleep and stays
reachable from anywhere.
Options
| Option | Description |
|---|---|
--verbose | Print full underlying errors instead of shorter user-facing messages. |
--no-transfer-agent-configs | Skip the one-time transfer of supported local agent configs and dotfiles. |
--no-cloud-claude-auth | Do not transfer Claude auth/config into the cloud workspace. |
--no-cloud-codex-auth | Do not transfer Codex auth/config into the cloud workspace. |
--no-cloud-opencode-auth | Do not transfer OpenCode auth/config into the cloud workspace. |
--no-cloud-cursor-auth | Do not transfer Cursor agent auth/config into the cloud workspace. |
--no-cloud-amp-auth | Do not transfer Amp auth/config into the cloud workspace. |
--refresh-agents | Re-run agent config transfer for a workspace that already received one. |
The default transfer also includes Taiku user preferences that should follow the
workspace, such as global .taikuignore rules and tool configuration. Those
preferences refresh on later taiku cloud runs. Machine identity, login
credentials, active-session state, diagnostics, and sandbox path approvals stay
local.
Subcommands
| Command | Description |
|---|---|
status [--all] [--path <PATH>] | Show the workspace bound to a path, or every workspace with --all. |
close [--path <PATH>] | Close the active taiku session on the workspace without stopping it. |
sleep [--path <PATH>] | Pause the workspace's backing machine while keeping identity and data. |
resume [--path <PATH>] | Wake a sleeping workspace. |
restart [--path <PATH>] | Restart the workspace's existing backing machine. |
resize <SIZE_GB> [--path <PATH>] | Grow the workspace's persistent volume to SIZE_GB gigabytes. |
sync [--install|--uninstall] [--path <PATH>] | Reconcile the background file-sync session for the workspace. |
detach [--path <PATH>] | Remove the local-path binding without deleting the workspace. |
attach <WORKSPACE_ID> [PATH] | Bind a local path to an existing workspace. |
delete [--path <PATH>] [--yes] | Permanently delete the workspace and its backing infrastructure. |
rebuild [--path <PATH>] [--yes] is available only on dev-mode servers. It
replaces the backing machine with the current server cloud image for local
cloud-image iteration.
.taikuignore
Taiku initializes a global ignore file at ~/.config/taiku/taikuignore the
first time an ignore-aware command needs it. That file contains editable default
rules for cloud sync and recursive scans, such as node_modules/, target/,
.svelte-kit/, and logs.
Add .taikuignore at the workspace root for path-specific rules. Workspace
rules are applied after the global file, so they can add ignores or opt back in
with ! negation:
private/
archive/
generated-docs/
vendor-notes/
*.log
!private/keep.md
!node_modules/Blank lines and # comments are ignored. Some feature policies are still
separate: markdown scans keep crawl limits and root dot-directory handling, and
gitfile worktrees keep cloud-local .git handling so remote git diff works.
Ignore files apply to recursive work only; explicitly opening or reading a file
is not blocked by the ignore file.
For the end-to-end workflow, see Cloud workspaces.
taiku func
Remote session management. Control a running taiku session from the CLI or from inside a taiku terminal. Commands are relayed through the server to the browser client, which executes them and returns results as JSON.
taiku func [--session <name>] <command> [args]How it works:
- When you start a session with
taiku, the session name is written to~/.config/taiku/active-session.taiku funcreads this file to know which session to target. - Commands are sent via HTTP to the server, which relays them over WebSocket to a connected client. A session window must be open (browser or desktop app) for commands to work. If nothing is connected, commands time out after a few seconds.
taiku funcworks inside taiku terminals. It's one of the few commands not blocked by the nested-session guard.- Use
--session <name>to target a specific session instead of the active one. - Use
--client <id>(fromlist-users) when several participants are connected and you need to control a specific client. - Commands that affect terminals follow the session's normal control model. You can manage your own terminals; other active participants' terminals require handoff or tunnel-admin access.
Layout commands
| Command | Description |
|---|---|
split-h [--tile <key>] | Split tile horizontally |
split-v [--tile <key>] | Split tile vertically |
close-tile [--tile <key>] | Close a tile |
reset-layout | Reset to balanced grid |
toggle-direction [--tile <key>] | Toggle split H/V |
set-ratio <ratio> [--tile <key>] | Set split ratio (0.1-0.9) |
swap-tiles <key-a> <key-b> | Swap two tiles |
maximize [--tile <key>] | Maximize a tile |
focus-tile <key> | Focus a tile |
focus-direction <left|right|up|down> | Focus neighbor tile |
rename-tile <name> [key] | Rename a tile (key defaults to focused) |
get-layout | Print layout tree as JSON |
list-tiles | List all tiles |
get-tab-groups | List tab groups |
Workspace commands
| Command | Description |
|---|---|
list-workspaces | List workspace pages |
create-workspace | Create new workspace |
switch-workspace <index> | Switch workspace page |
list-user-tiles <user-id> | List tiles for user ID from list-users |
setup --grid <RxC> [--tiles <spec>] [--commands <c1,c2,...>] | Create grid layout on target client |
Shell commands
| Command | Description |
|---|---|
list-shells | List shells with sizes |
create-shell | Create a new shell |
close-shell <id> | Close a shell |
write-to-shell <id> <data> | Write to a shell |
run <command> [--tile <key>] | Run command in a tile |
get-shell-output <id> [--chunks N] | Get terminal output |
get-terminal-names | Get shell names |
Session info commands
| Command | Description |
|---|---|
get-session | Session metadata |
list-users | List connected users |
get-role | Get your role |
get-ownership | Shell ownership info |
adopt-shell <id> | Adopt a shell |
Chat commands
| Command | Description |
|---|---|
get-chat | Get chat history |
send-chat <message> | Send chat message |
broadcast-event <type> [--data <json>] | Broadcast plugin event |
Agent commands
| Command | Description |
|---|---|
list-agents | List active AI agents |
get-agent-cost | Token usage summary |
list-agent-sessions | List agent sessions |
get-agent-events <session-id> [--types] [--limit] | Get session events |
Other commands
| Command | Description |
|---|---|
list-tunnels | List tunnel ports |
toast <message> [--kind info|success|error] | Show toast notification |
notify <title> [--body <text>] | Send notification |
show-layout | ASCII layout view |
show-tree | Tree layout view |
taiku logs
Manage local diagnostic logs the CLI stores for support and debugging.
taiku logs export
Export diagnostic logs as an encrypted bundle.
taiku logs export [--output <FILE>]| Option | Description |
|---|---|
--output <FILE> / -o | Where to write the bundle. Defaults to taiku-logs-<timestamp>.tkl. |
taiku logs clear
Clear all stored diagnostic logs.
taiku logs cleartaiku logs status
Show how many log entries are stored and approximate database size.
taiku logs statustaiku update
Check for a newer taiku release and optionally self-update.
taiku update| Option | Description |
|---|---|
--check | Only check for updates; do not install |
Environment variables
| Variable | Description | Default |
|---|---|---|
SHELL | Default shell for new sessions. Taiku reads this when --shell is not provided. | System default |
TAIKU_TOKEN | API token for authentication. Checked after --token flag but before the credentials file. | Not set |
TAIKU_SERVER | Override the server URL (same as the global --server flag). | https://taiku.live |