Skip to content

docs(cli): fix stale CLI commands + drop removed webhook form #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
indykish merged 2 commits into from
Jun 17, 2026
+13 −23
Merged

docs(cli): fix stale CLI commands + drop removed webhook form #98

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b2254b9
docs(cli): fix stale CLI commands + drop removed webhook form
indykish Jun 17, 2026
b188e38
docs(cli): sync overview table to agent-key commands (greptile)
indykish Jun 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 1 addition & 11 deletions agents/webhooks.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,14 +143,4 @@ agentsfleet logs 0198a7b2-9e1f-7c3a-8b25-6d4f0a9e2c71

Rejected requests carry a reason code (`webhook_rejected: signature_mismatch`, etc.) so you can tell a noisy upstream from a real auth bug.

## Advanced: URL-embedded secret

Some upstreams (a few SaaS form-postbacks, a few legacy systems) can't attach a signature header. For those, the platform accepts a path-embedded secret:

```
https://api.agentsfleet.net/v1/webhooks/{agent_id}/{url_secret}
```

The `url_secret` is matched in constant time. Reserved segments (`approval`, `grant-approval`, `svix`) cannot be used as secret values. Prefer HMAC where the upstream supports it — the URL-embedded form is a fallback.

**Path resolution order.** The trailing segment is resolved against declared `triggers[].source` values *first*, then falls back to a `url_secret` lookup. So `POST /v1/webhooks/0198a7b2-9e1f-7c3a-8b25-6d4f0a9e2c71/github` routes to the `github` source when the agent declares one, and only searches `url_secret` values for a constant-time match on the literal string `github` when no such source is declared. Practical consequence: avoid choosing a `url_secret` value that collides with any `triggers[].source` on the same agent — the source wins and the secret will never match.
The platform accepts webhooks only with a valid signature (HMAC or Svix) or the per-source path (`/github`, `/approval`, `/grant-approval`, `/svix`). There is no URL-embedded-secret fallback.
22 changes: 11 additions & 11 deletions cli/agentsfleet.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ description: "Complete agentsfleet command reference."
| Agents (top-level) | `install --from`, `list`, `status`, `stop`, `resume`, `kill`, `delete`, `logs`, `events`, `steer` |
| Credentials | `credential add`, `credential show`, `credential list`, `credential delete` |
| Workspaces | `workspace add`, `workspace list`, `workspace use`, `workspace show`, `workspace credentials`, `workspace delete` |
| External agents | `agent add`, `agent list`, `agent delete` |
| External agents | `agent-key add`, `agent-key list`, `agent-key delete` |
| Integration grants | `grant list`, `grant delete` |
| Billing | `billing show` |
| Diagnostics | `doctor` |
Expand Down Expand Up @@ -294,30 +294,30 @@ agentsfleet workspace delete 0198a7b0-3c2d-7f14-9a08-1b6e4d2f8c50

External agents are API-key–authenticated callers (LangGraph, CrewAI, Composio, your own code) that drive a specific agent programmatically.

### `agentsfleet agent add`
### `agentsfleet agent-key add`

Mint an API key bound to one agent.

```bash
agentsfleet agent add --workspace 0198a7b0-3c2d-7f14-9a08-1b6e4d2f8c50 --agent 0198a7b2-9e1f-7c3a-8b25-6d4f0a9e2c71 --name my-agent
agentsfleet agent-key add --workspace 0198a7b0-3c2d-7f14-9a08-1b6e4d2f8c50 --agent 0198a7b2-9e1f-7c3a-8b25-6d4f0a9e2c71 --name my-agent
```

The raw key (`agt_a…`) is returned **once**; store it in your secret manager.

### `agentsfleet agent list`
### `agentsfleet agent-key list`

List every external agent key in a workspace.

```bash
agentsfleet agent list --workspace 0198a7b0-3c2d-7f14-9a08-1b6e4d2f8c50
agentsfleet agent-key list --workspace 0198a7b0-3c2d-7f14-9a08-1b6e4d2f8c50
```

### `agentsfleet agent delete <agent-key-id>`
### `agentsfleet agent-key delete <agent-key-id>`

Revoke an external agent key.

```bash
agentsfleet agent delete --workspace 0198a7b0-3c2d-7f14-9a08-1b6e4d2f8c50 0198a7b4-6e1a-7c93-b052-8f3d2a1e7c46
agentsfleet agent-key delete --workspace 0198a7b0-3c2d-7f14-9a08-1b6e4d2f8c50 0198a7b4-6e1a-7c93-b052-8f3d2a1e7c46
```

---
Expand Down Expand Up @@ -380,7 +380,7 @@ agentsfleet tenant provider show
agentsfleet tenant provider show --json
```

### `agentsfleet tenant provider set`
### `agentsfleet tenant provider add`

Activate a self-managed credential for the tenant. The credential must already exist in the workspace vault (`agentsfleet credential add <name>`). The command validates the credential structure, resolves the model's context cap from the `cap.json` endpoint, and pins both into the tenant's provider row.

Expand All @@ -389,17 +389,17 @@ Activate a self-managed credential for the tenant. The credential must already e
agentsfleet credential add account-fireworks --data='{"provider":"fireworks","api_key":"fw_…","model":"accounts/fireworks/models/kimi-k2.6"}'

# 2. Activate it for the tenant
agentsfleet tenant provider set --credential account-fireworks
agentsfleet tenant provider add --credential account-fireworks
```

In-flight events finish under the snapshot they were claimed under; the next event's debits use the new posture.

### `agentsfleet tenant provider reset`
### `agentsfleet tenant provider delete`

Drop the explicit `tenant_providers` row and fall back to the platform-managed synth-default.

```bash
agentsfleet tenant provider reset
agentsfleet tenant provider delete
```

For the install-time vs trigger-time resolution flow, the frontmatter overlay sentinels, and the provider routing details, see [`docs/architecture/user_flow.md` §8.7](https://github.com/agentsfleet/agentsfleet/blob/main/docs/architecture/user_flow.md#87-model-and-context-cap-origin-platform-vs-self-managed) and [`docs/architecture/billing_and_provider_keys.md`](https://github.com/agentsfleet/agentsfleet/blob/main/docs/architecture/billing_and_provider_keys.md). The architecture is the canonical reference; this page is the command surface.
Expand Down
2 changes: 1 addition & 1 deletion cli/configuration.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Every **other command** then resolves its token, and the order is TTY-aware:
|----------|---------|---------|
| `AGENTSFLEET_API_URL` | API base URL | `https://api.agentsfleet.net` |
| `AGENTSFLEET_TOKEN` | Auth token (for CI and scripts; user-bound, from `agentsfleet login`) | *(from `agentsfleet login`)* |
| `AGENTSFLEET_API_KEY` | Service auth (machine-bound, from `agentsfleet agent add`). Use this for service-to-service calls and external agents (LangGraph, CrewAI, Composio, your own code). | — |
| `AGENTSFLEET_API_KEY` | Service auth (machine-bound, from `agentsfleet agent-key add`). Use this for service-to-service calls and external agents (LangGraph, CrewAI, Composio, your own code). | — |
| `AGENTSFLEET_STATE_DIR` | Directory for local CLI state (credentials, telemetry, session). | `~/.config/agentsfleet` |
| `NO_COLOR` | Set to `1` to disable color output. | — |
| `AGENTSFLEET_TELEMETRY_DISABLED` | Set to `1` to opt out of anonymous analytics + tracing. | unset (telemetry on) |
Expand Down
Loading