
The dossier-runtime verb set

dossier-runtime is the control plane for the loop — one command surface that stands up a client’s sovereign tenant and runs all three faces (Brain, Agency, Ladder) over it. This page is the canonical, exhaustive reference for its verbs.

```text
dossier-runtime provision --root <dir> --client <id> [--vertical <v>] [--no-git]
dossier-runtime list --root <dir>
dossier-runtime run --root <dir> --client <id> (--source-dir <dir> | --url <seed>) [--site] [--dry-run] [--no-git]
dossier-runtime site --root <dir> --client <id> [--build]
dossier-runtime readout --root <dir> --client <id>
dossier-runtime drain --root <dir> --client <id> [--agentic [--subscription] [--model <m>] [--max-turns <n>] [--max-budget <usd>]] [--max-tasks <n>] [--worker <id>] [--no-commit]
dossier-runtime review-queue --root <dir> --client <id>
dossier-runtime approve --root <dir> --client <id> --task <id> [--by <name>]
dossier-runtime reject --root <dir> --client <id> --task <id> [--reason <why>] [--by <name>]
dossier-runtime deprovision --root <dir> --client <id>
```

These two scope nearly every verb:

| Flag | Meaning |
| --- | --- |
| `--root <dir>` | Tenants root — the parent directory of every tenant’s siloed subtree. |
| `--client <id>` | Tenant / client id; a single safe path segment. |

| Verb | Purpose | Key inputs | Output |
| --- | --- | --- | --- |
| `provision` | Stand up a tenant’s siloed workspace (OKF repo + manifest, git by default). | `--root`, `--client`, `--vertical`? | The tenant record (paths, vcs). |
| `list` | List provisioned tenants under a root. | `--root` | Tenant summaries. |
| `run` | Provision (idempotent) then run the loop: ingest → extract → emit → commit. | `--root`, `--client`, `--source-dir` \| `--url` | The loop result (per-stage status). |
| `site` | Render a tenant’s OKF repo as a static docs site. | `--root`, `--client`, `--build`? | The render plan (and build result). |
| `readout` | Ladder. Compute the deterministic L2 adoption readout. Read-only. | `--root`, `--client` | The Now/Next/Later ledger. |
| `drain` | Agency. Run one bounded board-drain over the tenant’s task atoms. | `--root`, `--client`, `--agentic`? | The drain outcome. |
| `review-queue` | List tasks awaiting a human decision (status: review). | `--root`, `--client` | The review queue. |
| `approve` | Bless agent work: review → done, compounded into git. Human-only. | `--root`, `--client`, `--task` | The disposition + commit. |
| `reject` | Send work back: review → backlog (re-claimable). | `--root`, `--client`, `--task` | The disposition. |
| `deprovision` | Remove a tenant’s entire subtree. | `--root`, `--client` | What was removed. |

The drain → review-queue → approve/reject arc is the Agency’s human gate: agents propose, a human disposes. See DEC-0053 for the runtime topology and its invariants.


Stand up a tenant’s siloed workspace — its OKF repo, a manifest, and (by default) its own git history.

```sh
dossier-runtime provision --root ./clients --client acme-co --vertical digital-experience-agency
```

| Flag | Meaning |
| --- | --- |
| `--root <dir>` | Tenants root (required). |
| `--client <id>` | Tenant id (required). |
| `--vertical <v>` | Vertical preset id (e.g. `digital-experience-agency`). |
| `--known-external <csv>` | Ids that live outside this repo (e.g. `knowledge-model`). |
| `--no-git` | Provision without git. Default: one client = one git repo. |

Guarantee: idempotent and fully offline — no network, no key. run calls it for you, so you rarely invoke it directly.

List the provisioned tenants under a root.

```sh
dossier-runtime list --root ./clients
```

| Flag | Meaning |
| --- | --- |
| `--root <dir>` | Tenants root (required). |

Output: each tenant’s clientId, tenantRoot, and vcs. Read-only, offline.

Provision (idempotent) then run the full loop over one source: ingest → extract → emit → commit. Exactly one source must be given.

```sh
# Learn a directory of clean markdown/HTML
dossier-runtime run --root ./clients --client acme-co --source-dir ./acme-docs --subscription
# Learn a public website (keyless crawler)
dossier-runtime run --root ./clients --client acme-co --url https://acme.example.com
```

| Flag | Meaning |
| --- | --- |
| `--source-dir <dir>` | Directory of clean markdown/HTML to ingest. (Pick one source.) |
| `--url <seed>` | Public page to crawl + learn; repeatable. Keyless by default. (Pick one source.) |
| `--pages <n>` | Max pages to crawl from the `--url` seeds (default 1). |
| `--connector <name>` | Web connector: `http` (default, keyless) or `firecrawl` (premium; needs `FIRECRAWL_API_KEY`). |
| `--subscription` | Extract via the `claude` CLI (your subscription) — no API key. |
| `--reconcile` | Merge this pass into the existing KB by id + confidence (preserve human-curated atoms, flag — never delete — vanished ones) instead of overwriting. |
| `--site` | After the loop, render the tenant as a static docs site (build-side; run from the repo root). |
| `--dry-run` | Run every stage but write/commit nothing. |
| `--no-git` | Run without git. |

Guarantee — no silent network. Extraction calls a model, so run needs a transport: either ANTHROPIC_API_KEY in the environment, or --subscription. Without one it refuses rather than calling out quietly (this holds for --dry-run too, since it still extracts). Each successful pass commits one diff into the client’s own git history.

Render a tenant’s OKF repo as a static docs site.

```sh
dossier-runtime site --root ./clients --client acme-co --build
```

| Flag | Meaning |
| --- | --- |
| `--build` | Build the site now. Without it, the command just prints the render command. |

When building, this sets DOSSIER_KB to the tenant’s OKF repo and runs the docs build; run it from the monorepo root.

The Ladder. Compute the client’s deterministic L2 adoption readout — a 4-axis score (value · risk · readiness · momentum) over their process/workflow atoms → a Now/Next/Later roadmap, plus the recommended wedge (where to start).

```sh
dossier-runtime readout --root ./clients --client acme-co
```

Output: the machine-readable ledger on stdout; a human summary on stderr (initiatives scored, the confidence floor, and the Now/Next/Later/Watch counts).

Guarantee — read-only. It reads the tenant’s own served OKF and writes nothing; the adoption-readout skill narrates the readout and emits the sovereign OKF artifact. The scoring is deterministic. See DEC-0067 for the spec.

The Agency. Run one bounded board-drain over the tenant’s task atoms: claim the next claimable task (race-safe lease), do the bounded work, transition it, and (optionally) commit.

```sh
# Deterministic offline drain (no LLM, no network, no spend) — the default
dossier-runtime drain --root ./clients --client acme-co
# Live persona-grounded agent session (spends; needs a transport)
dossier-runtime drain --root ./clients --client acme-co --agentic --subscription --max-budget 1
```

| Flag | Meaning |
| --- | --- |
| `--agentic` | Run the live persona-grounded multi-turn session. Spends — needs `--subscription` or `ANTHROPIC_API_KEY`; refuses without one. The agent carries each task to review and stops. Omit it to run the deterministic offline worker. |
| `--model <alias>` | Model for `--agentic` turns: `haiku` / `sonnet` / `opus` (default `haiku`). |
| `--max-turns <n>` | Hard ceiling on agent turns per task (`--agentic`). |
| `--max-budget <usd>` | Per-session hard spend cap (`--agentic`). |
| `--max-tasks <n>` | Tasks claimed this drain (default 1 = one task per session). |
| `--worker <id>` | The `claimed_by` identity recorded on the claim (default `local-drain`). |
| `--no-commit` | Don’t commit transitions to git. |

Guarantees. Offline by default — no LLM, no network, no spend, a two-way door. Only one drain runs per tenant at a time (a race-safe lease); a drain that can’t run because a peer holds the lock, or because the budget envelope is spent, is a clean no-op (exit 0), not an error. Agent work always stops at review — a machine never marks a task done. See DEC-0053.

List the tasks awaiting a human decision (status: review).

```sh
dossier-runtime review-queue --root ./clients --client acme-co
```

Output: each task’s id, title, assignee, and file path. Read-only.

The human gate’s bless. Move a task review → done and compound it into the tenant’s git history. Human-only — this is the loop’s last hop.

```sh
dossier-runtime approve --root ./clients --client acme-co --task task-acme-onboard --by dakota
```

| Flag | Meaning |
| --- | --- |
| `--task <id>` | The task to approve (required). |
| `--by <name>` | The human disposing, recorded for provenance (default `human`). |

Guarantee: only a human runs this; a task that isn’t in review is rejected with a precise reason (a user error). On success the transition is committed into git.

Send a task back: review → backlog, re-claimable. The reason is recorded on the task for the next claimant.

```sh
dossier-runtime reject --root ./clients --client acme-co --task task-acme-onboard --reason "needs a second source" --by dakota
```

| Flag | Meaning |
| --- | --- |
| `--task <id>` | The task to reject (required). |
| `--reason <why>` | Recorded on the task for the next claimant. |
| `--by <name>` | The human disposing (default `human`). |

Remove a tenant’s entire subtree.

```sh
dossier-runtime deprovision --root ./clients --client acme-co
```

Output: { clientId, removed }. Idempotent — removing a tenant that doesn’t exist is a clean no-op.
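Because `--client` must be a single safe path segment and `deprovision` removes a whole subtree, a wrapper script can check the id before any verb runs. The guard below is an added example, not part of dossier-runtime; the `[a-z0-9-]` allow-list, the 64-character bound, the `<root>/<id>` layout and the function names are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not project code. The allow-list and the <root>/<id> layout
# are assumptions of this sketch, not the runtime's documented rules.

# is_safe_client_id <id>: 0 if <id> is one segment of [a-z0-9-], 1..64 chars,
# and cannot be mistaken for a flag.
is_safe_client_id() (
  LC_ALL=C; id=$1
  [ -n "$id" ] && [ "${#id}" -le 64 ] || exit 1
  case $id in
    -*) exit 1 ;;             # would be parsed as an option, e.g. "--root"
    *[!a-z0-9-]*) exit 1 ;;   # rejects "/", "\", ".", "..", spaces, newlines
  esac
)

# tenant_is_contained <root> <id>: 0 if <root> exists and resolves, and
# <root>/<id> is not a symlink that could point a removal outside the root.
tenant_is_contained() (
  is_safe_client_id "$2" || exit 1
  root_real=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || exit 1
  [ ! -L "$root_real/$2" ]
)

# guarded <verb> <root> <id> [args...]: validate, then hand off to the CLI.
guarded() {
  g_verb=$1; g_root=$2; g_id=$3; shift 3
  if ! tenant_is_contained "$g_root" "$g_id"; then
    echo "refusing $g_verb: unsafe tenant id or path" >&2
    return 2                  # 2 chosen to match the documented usage-error code
  fi
  dossier-runtime "$g_verb" --root "$g_root" --client "$g_id" "$@"
}
```

Call it as `guarded deprovision ./clients acme-co`; the tenants root must already exist for the check to pass.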


| Code | Meaning |
| --- | --- |
| 0 | Success. (Also: a drain that cleanly didn’t run — peer lock held, board paused, or budget envelope spent.) |
| 1 | A stage failed (e.g. a loop stage errored), or an unexpected error. |
| 2 | A usage error — a missing required flag, an unknown verb, or a disposition on a task that isn’t in review. |

Cross-cutting invariants the runtime upholds:

  • No silent network. Any verb that would call a model refuses unless you’ve given it a transport (--subscription or ANTHROPIC_API_KEY).
  • Confidence is capped. Agent-produced atoms are emitted at inferred, the agent floor; only a human promotes them.
  • The human stays the gate. Agent work stops at review; only approve/reject disposes — and approve is the only path to done.
  • One client = one tenant = one repo. Isolation is the file boundary, and every successful mutation is a diff in the client’s own git history.

The full rationale for each of these lives in the decision records — start with DEC-0053 (the runtime topology and its seven invariants).
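The no-silent-network rule can also be checked before the CLI is invoked, so a CI or cron job fails early and a scheduled drain can be confirmed to be the offline default. This preflight is an added example, not the runtime's own code; the function names and the exit status 2 are this sketch's choices, while the flags and environment variables are the ones documented above.

```sh
#!/bin/sh
# Added example, not project code: decide from argv alone which transports an
# invocation needs, following the rules stated in this reference.

# has_flag <flag> argv...: 0 if <flag> appears in argv.
has_flag() (
  want=$1; shift
  for a in "$@"; do [ "$a" = "$want" ] && exit 0; done
  exit 1
)

# value_of <flag> argv...: print the argument that follows <flag>, if any.
value_of() (
  want=$1; shift
  while [ $# -gt 1 ]; do
    [ "$1" = "$want" ] && { printf '%s\n' "$2"; exit 0; }
    shift
  done
  exit 1
)

# calls_model <verb> argv...: 0 when the reference says the verb calls a model.
calls_model() (
  verb=$1; shift
  case $verb in
    run)   exit 0 ;;                     # extraction runs even with --dry-run
    drain) has_flag --agentic "$@" ;;    # offline unless --agentic
    *)     exit 1 ;;
  esac
)

# preflight <verb> argv...: 0 if runnable as documented, 2 if a key is missing.
preflight() (
  verb=$1
  if calls_model "$@"; then
    has_flag --subscription "$@" || [ -n "${ANTHROPIC_API_KEY:-}" ] || {
      echo "preflight: $verb needs --subscription or ANTHROPIC_API_KEY" >&2
      exit 2; }
  fi
  if [ "$verb" = run ] && [ "$(value_of --connector "$@")" = firecrawl ]; then
    [ -n "${FIRECRAWL_API_KEY:-}" ] || {
      echo "preflight: firecrawl connector needs FIRECRAWL_API_KEY" >&2
      exit 2; }
  fi
  exit 0
)
```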