Skip to content

Rite CLI

rite is a single command with subcommands that follow the ceremony lifecycle: validate a definition, prepare a printed script, execute it, then verify and report on the result.

New to rite? The Getting Started guide walks through these commands end to end on a real ceremony. For the full flag list of every command, see the CLI reference.

Environment variables

The --param, --role, and --material inputs accepted by check, run, and script can also be supplied through the environment, which is useful in CI or when a value should not land in shell history:

  • RITE_PARAM_<NAME> sets parameter <NAME>.
  • RITE_ROLE_<ROLE_ID> assigns a person to <ROLE_ID>.
  • RITE_MATERIAL_<NAME> provides material <NAME> (a path or identifier).

A command-line flag takes precedence over the matching environment variable. The name after the prefix is case-insensitive, so RITE_ROLE_CRYPTO_OFFICER and RITE_ROLE_crypto_officer are equivalent.

export RITE_ROLE_CRYPTO_OFFICER="Alice Rivera"
rite run ceremony.rite.yaml

rite check

Validate a ceremony definition file without executing it. It reports diagnostics (missing references, undefined roles, schema errors, unsupported actions), or a summary on success.

Validate a ceremony:

rite check ceremony.rite.yaml

Supply a role and a parameter at validation time:

rite check ceremony.rite.yaml \
  --role crypto_officer="Alice Rivera" \
  --param org="Example Corp"

rite script

Generate a self-contained, printable HTML protocol that participants complete by hand during the ceremony. Run-specific inputs are interpolated into the document.

Write demo.html next to the ceremony:

rite script ceremony.rite.yaml

Brand the document with an organization name, logo, accent color, and output path:

rite script ceremony.rite.yaml \
  --brand-name "Example Corp" \
  --logo ./assets/logo.png \
  --accent "#1f3a5f" \
  -o protocol.html

rite run

Execute a ceremony interactively, recording every action in an append-only transcript. It writes a timestamped output directory with an artifacts/ folder and transcript.jsonl, and prints the transcript fingerprint.

Run interactively (the terminal UI is auto-detected):

rite run ceremony.rite.yaml

Write the output directory to a specific location:

rite run ceremony.rite.yaml -o ./ceremonies

Run non-interactively in CI, auto-answering every prompt:

rite run ceremony.rite.yaml --frontend headless

rite verify

Verify a transcript’s integrity: the append-only hash chain, the re-derived entropy, and, for a run directory, the artifact digests. This proves the transcript is internally consistent; compare the printed fingerprint against the one the operators recorded to tie it to the ceremony you witnessed.

Verify a run directory, which also re-hashes the artifacts inside it:

rite verify ./root-signing-key-ceremony-20260101T120000

Verify a standalone transcript file:

rite verify transcript.jsonl

Accept a transcript from an interrupted run that has no terminal fact:

rite verify ./root-signing-key-ceremony-20260101T120000 --allow-truncated

rite report

Generate a self-contained, human-readable HTML report from a transcript, suitable for stakeholders and auditors. Unlike verify, it does not re-check integrity.

Write report.html next to the transcript:

rite report ./root-signing-key-ceremony-20260101T120000

Brand the report and choose the output path:

rite report ./root-signing-key-ceremony-20260101T120000 \
  --brand-name "Example Corp" \
  -o report.html