CLI
pfai is the command-line client for ProxifAI — 60 top-level commands covering tasks, code, cloud, AI gateway, and platform admin, with kubectl-style verbs and structured output.
pfai is the command-line client for ProxifAI. It talks to the same API your browser uses, so anything you can click in the web UI you can script — managing tasks and projects, browsing repos and pull requests, dispatching agents, running pipelines, configuring providers, and more. The CLI is built on Cobra and follows kubectl-style verbs (list/ls, view/get, delete/rm) with structured output (table, JSON, YAML) for easy piping.
Install
pfai is published as a single static binary on the proxifai-oss releases page for macOS and Linux on both amd64 and arm64.
# Pick the right asset for your OS/arch from the latest release.
# Example for macOS arm64:
curl -L -o pfai \
https://github.com/proxifai/proxifai-oss/releases/latest/download/pfai-darwin-arm64
chmod +x pfai
sudo mv pfai /usr/local/bin/
pfai versionAvailable assets: pfai-linux-amd64, pfai-linux-arm64, pfai-darwin-amd64, pfai-darwin-arm64.
git clone https://github.com/proxifai/proxifai-oss.git
cd proxifai-oss
go install ./cmd/pfai
# Or, for a tagged release without a clone:
go install github.com/proxifai/proxifai-oss/cmd/pfai@latestRequires Go 1.25+.
The pfai binary is bundled inside the main proxifai Docker image at /usr/local/bin/pfai, so anything running in the platform’s containers (agents, pipeline jobs) can call it directly. There’s no separate CLI image.
Verify the install:
pfai version
pfai auth ping --server https://your-proxifai-hostAuthenticate
pfai auth login runs a PKCE OAuth flow: it spins up a tiny local callback server, opens your browser to the workspace’s authorization endpoint (Keycloak by default), exchanges the code for a long-lived pfai token, and writes it to ~/.proxifai/credentials.json.
pfai auth login # opens a browser
pfai auth login --no-browser # prints the URL instead
pfai auth login --as work # save under a named context
pfai auth status # who am I, and is my token valid
pfai auth token # decode the active token's JWT claims
pfai auth ping # health-check the server
pfai auth logout # clear stored credentialsFor non-interactive environments (CI, scripts) you have three options:
| Approach | When to use |
|---|---|
PFAI_TOKEN + PFAI_SERVER env vars | Standard CI usage |
pfai context add ci --server … --token … | Multiple servers/identities to switch between |
pfai auth login --as ci then export the token from ~/.proxifai/contexts.yaml | One-time setup, then ship the token as a secret |
PFAI_EXECUTION_ID is set automatically inside agent containers by the workflow runtime, so commands like pfai exec status work without extra wiring.
Contexts
A context bundles a server URL + token + identity under a name. Switch between them without re-logging in:
pfai context ls # all configured contexts
pfai context current # active context name
pfai context use prod # make 'prod' the active context
pfai context add staging --server https://staging.example.com --token …
pfai context rm old-prod # delete a context
pfai --context staging task ls # one-shot override (also -C)The active context lives in ~/.proxifai/contexts.yaml; the canonical credentials file remains ~/.proxifai/credentials.json.
Global flags
Every command accepts these:
| Flag | Short | Description |
|---|---|---|
--output <fmt> | -o | Output format: table (default), json, yaml, name |
--json | Shorthand for -o json | |
--query <expr> | -q | JMESPath expression to filter JSON output |
--yes | -y | Skip confirmation prompts (destructive ops auto-accept) |
--server <url> | Override PFAI_SERVER for this call | |
--token <token> | Override PFAI_TOKEN for this call | |
--context <name> | -C | Use a non-active context for this call |
--debug | Log HTTP requests/responses + a curl repro to stderr | |
--dry-run | Print the request and exit without calling the server |
Output format precedence: -o flag → --json → context’s saved format → table.
Output formats
pfai task ls # human-readable table (default)
pfai task ls -o json # full JSON, one record per row
pfai task ls -o yaml # YAML for piping into kustomize/etc.
pfai task ls -o name # IDs only, one per line — pipe to xargs
pfai task ls --json -q '[?priority==`high`].id' # JMESPath filterThe name format is built for shell composition:
# Cancel every running pipeline:
pfai pipeline ls --status running -o name | xargs -n1 pfai pipeline cancelVerb aliases
Every CRUD subcommand has both forms — pick whichever your fingers prefer:
| Canonical | Alias |
|---|---|
list | ls |
view | get |
delete | rm |
So pfai task list, pfai task ls, and pfai task get <id> all work.
Command reference
60 top-level commands organized into 6 Cobra groups, plus a handful of utilities. Run pfai <command> --help for full subcommand docs.
Core
| Command | What it does |
|---|---|
pfai task | Issues / tasks: list, view, create, update, delete, dispatch to an agent, comment |
pfai project | Projects: full CRUD plus members, status, milestones |
pfai sprint | Sprints: list, view, create, set active, add/remove tasks |
pfai initiative | Initiatives (roadmap-level groupings) |
pfai request | Customer requests (intake feed) |
pfai custom-field | Define custom fields per team and per entity |
pfai workflow | Workflows: full CRUD, run/publish/promote/versions, export/import/restore, executions/logs/cancel/retry/resume, artifacts |
pfai exec | Inside-agent commands: report status, log, stream, mark file changed, post output |
Code
| Command | What it does |
|---|---|
pfai repo | Repositories: list, view, create, clone, browse |
pfai branch | Branches: list, view, create, delete |
pfai commit | Commit history |
pfai pr | Pull requests: list, view, create, merge, diff, comment, review |
pfai tag | Git tags |
pfai release | Releases and assets |
pfai pipeline | CI/CD: list, view, jobs, logs, rerun, cancel, dispatch, list workflow files |
pfai file | Read/write repository files via API |
pfai compare | Compare two refs |
pfai codeintel | Code-intelligence: search, context, impact, communities, processes, index |
pfai branch-protection | Branch protection rules |
pfai push-rule | Push rules (commit message, file size, etc.) |
pfai approval-rule | PR approval rules |
pfai protected-tag | Protected tags |
pfai deploy-key | Deploy keys |
Cloud
| Command | What it does |
|---|---|
pfai cloud | Manage virtual clusters, workloads, deployments, port-forwards, exec, db dumps. Multiple contexts. |
pfai deploy | Open a forge PR with auto-generated k8s/ Kustomize manifests and .proxifai/config.yaml for the current repo. Shortcut for the Cloud quickstart flow. |
Platform
| Command | What it does |
|---|---|
pfai secret | Workspace secrets (env-injected into pipelines/agents) |
pfai trigger | Event-rule triggers — fire workflows on platform events |
pfai integration | Slack, GitHub, etc.; plus webhook subscriptions per integration |
pfai outbound-webhook | Outbound webhook subscriptions (org-level) |
pfai event-type | Event-type catalog (built-in + custom) |
pfai model-provider | LLM provider rows (model_provider table) — see AI Gateway |
pfai provider-key | Personal LLM API keys (BYOK) |
pfai model-default | Default model per use case (general / chat / embedding) |
pfai gateway | Gateway usage + budgets + rate limits |
Collaboration
| Command | What it does |
|---|---|
pfai inbox | Notifications: list, view, mark read, snooze |
pfai ticket | Customer support tickets (Backoffice) |
pfai doc | Collaborative documents |
pfai label | Labels (issues, PRs, etc.) |
pfai comment | Comments — across tasks, PRs, docs |
pfai view | Saved views (filters) |
pfai agent | Agent definitions: list/view/create/update/delete and view executions |
pfai starred | Your starred items |
pfai kb | Knowledge base: search, suggest, chat (interactive AI chat with streaming), doc (list/view/ingest/rm), conv (conversation history) |
pfai search | Cross-entity search |
pfai time | Time entries |
Admin
| Command | What it does |
|---|---|
pfai team | Teams: members, settings |
pfai org | Organizations: members, settings |
pfai token | API tokens — list, create, rotate, revoke |
pfai config | CLI configuration |
pfai context | Named server/identity contexts (covered above) |
pfai auth | Authentication (covered above) |
pfai audit-log | Audit log |
pfai admin | Superuser ops: cross-org listing, view, update; user management |
pfai activity | Recent activity feed |
Utility
| Command | What it does |
|---|---|
pfai api <METHOD> <path> [body] | Direct API passthrough — useful for endpoints not yet wrapped |
pfai logs <kind>/<id> | Stream logs from any async resource (executions, pipeline jobs, …) |
pfai wait <kind>/<id> | Block until an async resource reaches a terminal state |
pfai diag | Print a redacted support bundle for bug reports |
pfai version | Print the CLI version |
pfai completion | Generate shell completion (bash, zsh, fish, powershell) |
Examples
# Triage: list high-priority open tasks assigned to me, JSON to jq
pfai task ls --status open --priority high --assignee @me --json | jq '.'
# Open the first PR I haven't reviewed in my browser
pfai pr ls --review-requested @me -o name | head -1 | xargs pfai pr view --web
# Dispatch a task to an agent
pfai task dispatch task_42 --agent claude-code --branch main
# Watch a pipeline run to completion, then exit non-zero if it failed
pfai pipeline rerun run_123
pfai wait pipeline-run/run_123
# Tail logs for the latest workflow execution
pfai workflow executions --latest -o name | xargs pfai logs
# Drive a workflow from a script
pfai workflow run wf_42 --param key=value
pfai workflow logs $(pfai workflow executions wf_42 --latest -o name)
# Bulk update labels: add 'needs-review' to all PRs older than 3 days
pfai pr ls --updated-before "3 days ago" -o name | \
xargs -I{} pfai pr update {} --add-label needs-review
# Direct API for an endpoint without a wrapper:
pfai api GET /api/v1/forge/repos
pfai api POST /api/v1/forge/repos '{"name":"new-repo","private":true}'Shell completion
# bash
pfai completion bash > ~/.local/share/bash-completion/completions/pfai
# zsh (with oh-my-zsh-style fpath)
pfai completion zsh > "${fpath[1]}/_pfai"
# fish
pfai completion fish > ~/.config/fish/completions/pfai.fishCompletion includes context names for pfai context use / --context and resource IDs for verbs that take them.
Environment variables
| Variable | Used by | Description |
|---|---|---|
PFAI_SERVER | every command | Server URL (overridden by --server and active context) |
PFAI_TOKEN | every command | Auth token (overridden by --token and active context) |
PFAI_EXECUTION_ID | pfai exec* | Active execution; auto-set in agent containers |
See also
Configure model providers and BYOK keys that pfai model-provider / provider-key manage.
The runtime that pfai workflow / pfai exec talk to.
Repos, PRs, releases, and CI/CD — wrapped by pfai repo / pr / pipeline.
Where the API lives in the single-binary topology that pfai connects to.