CLI Reference

Elide supports multiple sub-commands organized by function: server commands, runner commands, project commands, premium networking commands, PKI commands, JVM toolchain commands, and lifecycle commands.

Usage Syntax

Usage:
  elide srcfile.{js|ts|jsx|tsx|py|kts...} [OPTIONS] [--] [ARG...]
  or:  elide {script} [OPTIONS] [--] [ARG...]
  or:  elide build|test|check|project [OPTIONS] [TASKS...]
  or:  elide info|help|discord|bug... [OPTIONS]
  or:  elide js|node [OPTIONS] [--code CODE] [FILE] [ARG...]
  or:  elide run|repl|serve [OPTIONS] [--code CODE] [FILE] [ARG...]
  or:  elide javac|kotlinc|jar|javadoc|... [OPTIONS] [SOURCES...]

Manage, configure, and run polyglot applications with Elide.

Licensing Tiers

Elide commands fall into two tiers:

Tier Commands Requirement
Free / Community run, serve, dev, build, test, install, init, info, help, upgrade, pro, lsp, mcp, all JVM tools, all language runners None
Premium (Elide Pro) fwd, orb (netorb), tun (tunnel), crt (cert) Active Elide Pro license or unexpired EAP build (30-day grace period)

Premium commands that are gated by EAP show an amber warning banner with remaining days. Expired EAP or release builds without a license show a red block banner and exit with code 1. The tun command requires a full license (no EAP grace). The fwd, orb, and crt commands allow EAP grace.

Certain premium _features_ activated via PKL configuration (Tailscale, auto-HTTPS, forward proxy, L4 proxy) are also license-gated at the config level, regardless of which command loads them.

Server Commands

serve -- Free

Production-grade HTTP server with static files, JS/TS handlers, compression (brotli/zstd/gzip), ETag/304, rate limiting, TLS, H/1.1 + H/2, and an interactive TUI dashboard.

shell
$  elide serve ./public                          # serve static files
$  elide serve --host 0.0.0.0 --port 8080 ./dist # custom bind
$  elide serve server.ts                          # JS/TS handler
$  elide serve --no-tui ./public                  # plain log output
$  elide serve --dev ./public                     # dev mode (live-reload SSE)
$  elide serve --config server.pkl ./public       # PKL configuration
$  elide serve --check-config --config server.pkl # validate config, exit
Flag Default Description
--host <ADDR> 127.0.0.1 Hostname or IP to bind to.
--port <PORT> 3000 Port to serve on.
--no-tui false Disable the TUI dashboard, use plain log output.
--dev false Enable dev mode: live-reload SSE endpoint, HTML script injection, relaxed caching.
-c, --config <FILE> none Path to a PKL configuration file.
--check-config / --validate false Validate configuration and exit without starting the server. Exits 0 on success, 1 on failure. Similar to nginx -t.
--reactors <N> 1 Number of reactor (event loop) threads.
--workers <N> 0 (auto) Total number of worker threads across all reactors.
--workers-per-reactor <N> 0 Worker threads per reactor. Takes precedence over --workers.
--pin-reactors false Pin each reactor thread to its own CPU core (Linux only).
--recv-pool-max <N> auto Maximum recv buffers retained per size class in each reactor's pool.
--admin-port <PORT> none Enable admin API on this TCP port (binds to --admin-host).
--admin-host <ADDR> 127.0.0.1 Bind address for the admin API.
--admin-socket <PATH> none Enable admin API on a Unix domain socket (Unix only). Mutually exclusive with --admin-port.
--admin-token <TOKEN> none Bearer token for admin API authentication.

The subject argument accepts a directory (static file serving) or a .js/.mjs/.ts/.mts file (JS/TS handler dispatch via CQ).

dev -- Free

Development server with live-reload, file watching, and an interactive TUI dashboard. Automatically enables dev mode.

shell
$  elide dev ./public
$  elide dev --no-tui ./public
$  elide dev --no-watch ./public
$  elide dev --port 8080 ./public
Flag Default Description
--host <ADDR> 127.0.0.1 Hostname or IP to bind to.
--port <PORT> 3000 Port to serve on.
--no-tui false Disable the TUI dashboard.
--no-watch false Disable file watching.

Premium Networking Commands

fwd -- Premium (license or EAP)

Forward proxy with optional MITM TLS interception, access control, host blocking, and L4 (TCP) relay. Includes an interactive TUI and JSON-lines output mode.

shell
$  elide fwd                                              # HTTP forward proxy on 127.0.0.1:8080
$  elide fwd --mitm                                       # with TLS interception
$  elide fwd --block "*.ads.example.com,tracker.example.net"
$  elide fwd --l4 --l4-listen 0.0.0.0:443                # SNI-routed TLS passthrough
$  elide fwd --config proxy.pkl                           # PKL configuration
$  elide fwd --json                                       # JSON-lines output
Flag Default Description
-l, --listen <ADDR:PORT> 127.0.0.1:8080 Listen address.
-c, --config <FILE> none PKL configuration file. CLI flags override individual settings.
--mitm false Enable MITM TLS interception.
--ca-cert <FILE> auto-generated CA certificate for MITM (PEM). Requires --mitm.
--ca-key <FILE> auto-generated CA private key for MITM (PEM). Requires --mitm.
--block <PATTERNS> none Block hostname patterns (glob, comma-separated).
--allow-hosts <PATTERNS> none Allow only these hostname patterns. Implies default-deny.
--allow-clients <CIDRs> none Allow connections only from these CIDRs.
--allow-ports <PORTS> none Allow only these destination ports (comma-separated).
--deny-ports <PORTS> none Deny these destination ports (comma-separated).
--l4 false Enable L4 TCP relay mode (SNI-routed).
--l4-listen <ADDR:PORT> 0.0.0.0:443 L4 listen address (for --l4 mode).
--admin-port <PORT> none Admin API port.
--reactors <N> 1 Number of reactor threads.
--workers <N> 0 (auto) Total worker threads.
--no-tui false Disable the TUI.
--json false Emit structured JSON-lines to stdout. Disables TUI.

orb -- Premium (license or EAP)

Network orchestrator -- the full-powered Elide server. Combines reverse proxy, load balancing, Tailscale/WireGuard, L4 relay, gRPC proxy, WebRTC, private PKI, auto-HTTPS via ACME, and zero-downtime upgrades. Requires a PKL configuration file.

shell
$  elide orb --config server.pkl
$  elide orb --config server.pkl --tailscale
$  elide orb --config server.pkl --tailscale-direct --tailscale-auth-key tskey-auth-...
$  elide orb --config server.pkl --auto-https letsencrypt --domain example.com
$  elide orb --config server.pkl --derp
Flag Default Description
-c, --config <FILE> required PKL configuration file (ElideServer.pkl).
--tailscale false Bind to Tailscale IP, use Tailscale-issued TLS. Unix only.
--funnel false Expose via Tailscale Funnel (public internet access). Unix only.
--tailscale-direct false Standalone Tailscale node (no tailscaled daemon).
--tailscale-auth-key <KEY> none Pre-auth key for --tailscale-direct.
--tun false Create a TUN device for system-wide tunnel routing.
--auto-https <PROVIDER> none Enable auto-HTTPS via ACME.
--domain <DOMAINS> none Domain(s) to provision ACME certificates for (comma-separated).
--acme-email <EMAIL> none ACME contact email.
--acme-staging false Use ACME staging environment (untrusted certs, for testing).
--dns-challenge <PROVIDER> none DNS-01 challenge provider (cloudflare, webhook).
--derp false Run a DERP relay server alongside the HTTP server.
--derp-port <PORT> 3340 DERP relay port.
--admin-port <PORT> none Admin API port.
--admin-host <ADDR> 127.0.0.1 Admin API bind address.
--admin-socket <PATH> none Admin API Unix socket (Unix only).
--admin-token <TOKEN> auto if non-loopback Bearer token for admin API.
--no-tui false Disable the TUI.
--json false Output in JSON format.

tun -- Premium (license required)

WireGuard tunnel, Tailscale connectivity, and DERP relay. Requires a full Elide Pro license (no EAP grace period).

Subcommands: tun up -- Bring up a system-wide WireGuard tunnel via Tailscale. Creates a TUN device, authenticates with the Tailscale coordination server, establishes WireGuard tunnels, and routes traffic. Requires root or CAP_NET_ADMIN.
shell
$  elide tun up --auth-key tskey-auth-...
$  elide tun up --auth-key tskey-auth-... --exit -node
$  elide tun up --auth-key tskey-auth-... --advertise-routes 10.0.0.0/24,192.168.1.0/24
$  elide tun up --auth-key tskey-auth-... --json
Flag Default Description
--auth-key <KEY> required Pre-authentication key for Tailscale.
--control-url <URL> Tailscale production Tailscale control server URL.
--dev <NAME> elide0 TUN device name.
--mtu <N> 1280 MTU for the TUN interface.
--accept-routes false Accept routes advertised by peers (subnet routing).
--exit-node false Advertise this node as an exit node.
--use-exit-node <PEER> none Route all traffic through a specific peer.
--advertise-routes <CIDRs> none Advertise local subnets to the tailnet (comma-separated).
--self-signed false Generate a self-signed TLS certificate.
--serve <PORT> none Also start an HTTP server on the tunnel.
--foreground true Run in the foreground.
--verbose false Enable verbose logging.
--json false Output in JSON format.
tun down -- Tear down the tunnel. Currently handled by stopping the tun up process (Ctrl+C).
FlagDescription
—forceForce teardown even with active connections.
tun status -- Show tunnel status, connected peers, and routes. Queries the local tailscaled daemon.
FlagDescription
—peersShow detailed peer information.
—routesShow routing table.
—derpShow DERP relay connections.
—jsonOutput in JSON format.
tun derp -- Run a standalone DERP relay server.
FlagDefaultDescription
—host0.0.0.0Bind address.
—port3340Listen port.
—mesh-with noneConnect to other DERP servers for multi-region relay (comma-separated).
—tls-cert noneTLS certificate file.
—tls-key noneTLS key file.
—stun-port noneEnable STUN on this port (default: 3478).
—jsonfalseOutput in JSON format.

PKI Commands

crt -- Premium (license or EAP)

Certificate and PKI management with local CA, system trust store integration, ACME renewal, and format conversion. All subcommands support --json for structured output.

Subcommands: crt ca -- Create or show a local Certificate Authority.
FlagDefaultDescription
—nameElide Local CACA common name.
—days3650Validity period in days.
—key-typeecdsa-p256Key algorithm (ecdsa-p256, ecdsa-p384, ed25519, rsa-2048, rsa-4096).
—out-dirdefault locationOutput directory.
—proxyfalseGenerate a separate MITM proxy CA.
—forcefalseOverwrite existing CA.
—showfalseDisplay existing CA info instead of generating.
—ct-log noneEnable embedded CT log.
—jsonfalseOutput in JSON format.
crt generate -- Generate a TLS certificate.
shell
$  elide crt generate example.com *.example.com
$  elide crt generate --self-signed localhost 127.0.0.1
$  elide crt generate --client alice@example.com    # mTLS client cert
FlagDefaultDescription
requiredDomain names or IP addresses.
—ca-certlocal CACA certificate file to sign with.
—ca-keylocal CACA private key to sign with.
—self-signedfalseForce self-signed (no CA).
—days365Validity period in days.
—clientfalseGenerate a client certificate (for mTLS).
—out-certautoOutput certificate path.
—out-keyautoOutput key path.
—out-dirautoOutput directory.
—bundlefalseInclude CA cert in output (full chain).
—ct-log noneEnable CT log for transparency.
—jsonfalseOutput in JSON format.
crt trust -- Install a CA certificate into system trust stores.
FlagDescription
[FILE]CA certificate file (omit for Elide local CA).
—proxyTrust the proxy MITM CA instead.
—firefoxAlso install into Firefox NSS store.
—javaAlso install into JVM cacerts.
—java-home JVM home directory for —java.
—systemInstall into machine-wide store (requires admin).
—dry-runShow what would be done without doing it.
crt untrust -- Remove a CA certificate from trust stores.
FlagDescription
[FILE]CA certificate file (omit for Elide local CA).
—proxyRemove the proxy MITM CA.
—allRemove from all stores.
—systemRemove from machine-wide store (requires admin).
—dry-runShow what would be done.
crt inspect -- Display certificate details.
shell
$  elide crt inspect ./cert.pem
$  elide crt inspect example.com              # fetch from remote host
$  cat cert.pem | elide crt inspect -         # read from stdin
$  elide crt inspect --chain example.com      # show full chain
FlagDescription
File path, remote host, or - for stdin.
—chainShow all certificates in the chain.
—derInput is DER-encoded.
—briefCompact one-line output.
—jsonOutput in JSON format.
crt verify -- Verify a certificate's validity and trust chain.
FlagDescription
Certificate file or remote host.
—ca CA certificate to verify against.
—ocspCheck OCSP revocation status.
—expiry-warn Warn if expires within N days (default: 30).
—hostname Hostname to verify against.
crt export -- Convert certificates between formats.
FlagDescription
Input certificate file.
—key Private key file (required for PKCS12).
—chain CA/intermediate chain to include.
—format Output format: pem, der, pkcs12.
—out Output file path (required).
—password Password for PKCS12 output.
crt renew -- Renew certificates via ACME.
FlagDescription
Domain names (required).
—acme-email ACME account email.
—acme-server ACME directory URL (default: Let's Encrypt production).
—stagingUse Let's Encrypt staging.
—dns DNS-01 challenge provider (cloudflare, webhook).
—dns-token API token for the DNS provider.
—dns-webhook-url Webhook URL for DNS-01.
—forceRenew even if not expiring soon.
—out-dir Output directory for renewed certificates.

Runner Commands

run -- Free

Run a script file or a snippet of code. If no code is given, start an interactive REPL session. Elide selects an appropriate language if given a clearly identifiable source file.

shell
$  elide run app.js
$  elide run script.py
$  elide repl
$  elide run --debugger app.js
$  elide run --coverage app.js
FlagDescription
—debugger[=MODE]Enable debugger (auto, cdp, dap).
—profiler[=MODE]Enable profiler (cputracing, cpusampling).
—coverage[=MODE]Enable code coverage collection.
—lspEnable LSP features.
—insights Activate insight scripts.

test -- Free

Run a polyglot script, server, or interactive shell in test mode.

shell
$  elide test

Language-Specific Commands

js, node -- Run JavaScript. Equivalent to elide run --javascript ....
shell
$  elide js app.js
$  elide node app.js
python -- Run Python. Equivalent to elide run --python ....
shell
$  elide python script.py
ruby -- Run Ruby. Equivalent to elide run --ruby ....
shell
$  elide ruby app.rb

Project Commands

init -- Free

Initialize a new Elide project.

shell
$  elide init

build -- Free

Run the project build or a build script.

shell
$  elide build
$  elide build --no-cache
$  elide build --inspect
FlagDescription
—inspectInspect the build.
—no-cacheDisable build cache.

install -- Free

Resolve and install all project dependencies.

shell
$  elide install
$  elide i
$  elide install --slim
$  elide install --with npm
FlagDescription
—slimSlim installation mode.
—with Additional ecosystems to install for.

project -- Free

Manage Elide projects defined by elide.pkl or other manifests.

shell
$  elide project

Licensing Commands

pro -- Free

Manage Elide Pro licensing.

Subcommands:
CommandDescription
pro activate Activate Elide Pro with a license token.
`pro use FILE>`Install an offline license key or file.
pro whoamiDisplay current license information.
pro yeetRemove the current license.
shell
$  elide pro activate elide_pro_1234567890abcdef
$  elide pro use /path/to/license.key
$  elide pro whoami
$  elide pro yeet

Lifecycle Commands

upgrade -- Free

Self-update the Elide binary using TUF (The Update Framework) for verified, secure updates.

shell
$  elide upgrade
$  elide upgrade --check
$  elide upgrade --channel preview
$  elide upgrade --graceful   # zero-downtime upgrade (Unix)
FlagDefaultDescription
—checkfalseCheck for updates without applying.
—forcefalseForce update even if on latest version.
—channel releaseRelease channel (release, preview, nightly).
—gracefulfalseZero-downtime upgrade: signal running server to drain, deposit fds, and re-exec (Unix only).

info -- Free

Show information about the current Elide installation.

shell
$  elide info
$  elide info --cargo-lockfile   # print embedded Cargo.lock
FlagDescription
—cargo-lockfilePrint the embedded Cargo.lock and exit.

JVM Toolchain Commands

These commands expose embedded JVM tools. All accept tool-specific flags after --.
CommandDescription
javacJava compiler (up to JDK 24).
kotlincKotlin compiler.
jarBuild and manage Java Archives.
javadocGenerate Java documentation.
javapJava class file disassembler.
native-imageGraalVM Native Image compiler.
jibContainer image builder for JVM/native apps.
javaformatJava code formatter.
ktfmtKotlin code formatter.
mvnEmbedded Maven build tool.
shell
$  elide javac -- [JAVAC_OPTIONS] [SOURCES...]
$  elide kotlinc -- [KOTLINC_OPTIONS] [SOURCES...]
$  elide jar -- [TOOL_OPTIONS] [FILES...]
$  elide native-image [OPTIONS]

Developer Tools

lsp -- Free

Run an LSP (Language Server Protocol) instance for an Elide project.

shell
$  elide lsp

mcp -- Free

Run an MCP (Model Context Protocol) server for an Elide project.

shell
$  elide mcp
$  elide mcp --mode stdio
$  elide mcp --mode http --host localhost --port 8123
FlagDefaultDescription
—mode noneOperating mode: stdio or http.
—host localhostBind host (HTTP mode).
—port 8123Bind port (HTTP mode).

help -- Free

Open documentation, report bugs, or request features.

shell
$  elide help
$  elide docs serve
$  elide bug

Global Options

All commands support these global options:

Option Description
-h, --help Show help text for any command.
-V, --version Print version information and exit. On Linux x86_64, --version is intercepted before runtime init for instant response.
-v, --verbose Enable verbose output (debug logging). Sets ELIDE_LOG=debug.
--debug Activate debugging features and trace-level logging. Sets ELIDE_LOG=trace.
-q, --quiet Squelch most output.
-p, --project <PATH> Path to a specific project directory.
--color Force color mode.
--no-color Force no-color mode.
--timeout <DURATION> Timeout to apply when exiting (human-readable, e.g. 30s, 5m).
--locale <LOCALE> Override the display locale.
--use-version <VERSION> Delegate to a specific installed Elide version.
--ignore-version Ignore .elideversion and --use-version; run the current binary.
--no-telemetry Disallow telemetry. Has no effect on unlicensed EAP builds.
--no-sidecar Disable sidecar process; forces UDP fallback for telemetry on Linux.
--cloud Enable cloud connection (overrides default for subcommand).
--no-cloud Disable cloud connection.
--no-native Disallow native access.
--debugger[=MODE] Enable debugger (auto, cdp, dap).
--profiler[=MODE] Enable profiler (cputracing, cpusampling).
--coverage[=MODE] Enable code coverage.
-X, --vm <KEY=VALUE> Set a VM/engine property (can be repeated).
--insights <FILES> Activate insight scripts.
--crash Immediately crash (for testing).
-- Separator between Elide options and positional parameters / script arguments.
Tip: Argfiles

Elide supports argument files (argfiles). Prefix a filename with @ to read options from that file, one per line. Arguments after -- are never expanded.

Exit Codes

Code Meaning
0 Successful execution or --help / --version.
1 Generic failure: invalid arguments, server error, configuration error, license gate block, EAP expired, initialization failure.
2 Exception in user code (guest language runtime error).

On Linux x86_64, --version exits via a raw syscall(exit_group, 0) before the Rust runtime initializes, so the exit code is always 0.

Environment Variables

Variable Description
ELIDE_LOG Log level (trace, debug, info, warn, error). Overridden by --verbose and --debug.
TAILSCALE_AUTH_KEY Alternative to --tailscale-auth-key for standalone Tailscale mode.
ELIDE_EAP_TTL_DAYS Override EAP grace period (debug builds only; release builds use fixed 30-day TTL).

See Also

Tailscale Integration

Zero-config networking, TLS, and authentication via Tailscale

Getting Started

Run your first code samples with Elide

Previous: Getting Started Next: Releases