Rite CLI
rite is a single command with subcommands that follow the ceremony lifecycle:
validate a definition, prepare a printed script, execute it, then verify and
report on the result.
rite check: validate a ceremony definitionrite script: generate a printable HTML scriptrite run: execute a ceremony interactivelyrite verify: verify a transcript’s integrityrite report: generate an HTML post-ceremony report
New to rite? The Getting Started guide walks through
these commands end to end on a real ceremony. For the full flag list of every
command, see the CLI reference.
Environment variables
The --param, --role, and --material inputs accepted by check, run, and
script can also be supplied through the environment, which is useful in CI or
when a value should not land in shell history:
RITE_PARAM_<NAME>sets parameter<NAME>.RITE_ROLE_<ROLE_ID>assigns a person to<ROLE_ID>.RITE_MATERIAL_<NAME>provides material<NAME>(a path or identifier).
A command-line flag takes precedence over the matching environment variable. The
name after the prefix is case-insensitive, so RITE_ROLE_CRYPTO_OFFICER and
RITE_ROLE_crypto_officer are equivalent.
export RITE_ROLE_CRYPTO_OFFICER="Alice Rivera"
rite run ceremony.rite.yamlrite check
Validate a ceremony definition file without executing it. It reports diagnostics (missing references, undefined roles, schema errors, unsupported actions), or a summary on success.
Validate a ceremony:
rite check ceremony.rite.yamlSupply a role and a parameter at validation time:
rite check ceremony.rite.yaml \
--role crypto_officer="Alice Rivera" \
--param org="Example Corp"rite script
Generate a self-contained, printable HTML protocol that participants complete by hand during the ceremony. Run-specific inputs are interpolated into the document.
Write demo.html next to the ceremony:
rite script ceremony.rite.yamlBrand the document with an organization name, logo, accent color, and output path:
rite script ceremony.rite.yaml \
--brand-name "Example Corp" \
--logo ./assets/logo.png \
--accent "#1f3a5f" \
-o protocol.htmlrite run
Execute a ceremony interactively, recording every action in an append-only
transcript. It writes a timestamped output directory with an artifacts/ folder
and transcript.jsonl, and prints the transcript fingerprint.
Run interactively (the terminal UI is auto-detected):
rite run ceremony.rite.yamlWrite the output directory to a specific location:
rite run ceremony.rite.yaml -o ./ceremoniesRun non-interactively in CI, auto-answering every prompt:
rite run ceremony.rite.yaml --frontend headlessrite verify
Verify a transcript’s integrity: the append-only hash chain, the re-derived entropy, and, for a run directory, the artifact digests. This proves the transcript is internally consistent; compare the printed fingerprint against the one the operators recorded to tie it to the ceremony you witnessed.
Verify a run directory, which also re-hashes the artifacts inside it:
rite verify ./root-signing-key-ceremony-20260101T120000Verify a standalone transcript file:
rite verify transcript.jsonlAccept a transcript from an interrupted run that has no terminal fact:
rite verify ./root-signing-key-ceremony-20260101T120000 --allow-truncatedrite report
Generate a self-contained, human-readable HTML report from a transcript,
suitable for stakeholders and auditors. Unlike verify, it does not re-check
integrity.
Write report.html next to the transcript:
rite report ./root-signing-key-ceremony-20260101T120000Brand the report and choose the output path:
rite report ./root-signing-key-ceremony-20260101T120000 \
--brand-name "Example Corp" \
-o report.html