`jmaple` CLI¶

The CLI is the only operator interface. Run jmaple --help for the full tree.

`jmaple serve`¶

Start the FastAPI server.

jmaple serve [--host HOST] [--port PORT] [--reload] [--workers N]

For production, prefer running jmaple.app:app under gunicorn with uvicorn workers instead.

`jmaple migrate`¶

Alembic wrapper.

jmaple migrate upgrade [head]               # apply pending migrations
jmaple migrate downgrade <rev>              # roll back to <rev>
jmaple migrate revision -m "msg"            # autogenerate a new revision
jmaple migrate history                      # show all revisions
jmaple migrate current                      # show currently-applied revision
jmaple migrate consolidate-changes <type> <table>
                                           # migrate a plugin's XChange rows into data_changes

consolidate-changes is a one-time op for plugin authors upgrading past the polymorphic-changes migration. Run with --keep-legacy first to verify; then re-run with --drop-legacy to remove the legacy table.

`jmaple user`¶

jmaple user list                            # all users + their primary identity
jmaple user show <id>                       # full user + all linked identities
jmaple user create -s <subject> [-i ISSUER] [--display-name NAME] [--email EMAIL] [--admin]
jmaple user promote <id>                    # grant admin on the system account

`jmaple account`¶

jmaple account list
jmaple account create -n NAME [--user-id ID] [--personal/--shared]
jmaple account rename <id> -n NAME
jmaple account delete <id> [--yes]

Deletion cascades — every grant, every blob, every per-capability row scoped to the account is removed.

`jmaple grant`¶

jmaple grant list [--account-id ID] [--user-id ID]
jmaple grant add --user-id ID --account-id ID [--role ROLE]
jmaple grant remove <id>

Roles: owner, read-write, read-only. The special role admin lives only on the __system__ account.

`jmaple token`¶

jmaple token issue -u SUBJECT [-i ISSUER] [--name NAME] [-a ACCOUNT] [--admin]
jmaple token list [--user-id ID]
jmaple token revoke <id>                    # sets revoked_at
jmaple token rotate <id>                    # mint a new secret for an existing token

issue is idempotent at the user level: if the user doesn't exist, it creates them + a personal account + an owner grant. If --admin, the user also gets the admin role on the system account.

rotate is for migrating legacy (pre-prefix-index) tokens to the fast-auth path. It prints the new secret once — copy it.

`jmaple subscription`¶

jmaple subscription list                    # all push subscriptions
jmaple subscription revoke <id>             # delete it

`jmaple capability`¶

jmaple capability list                      # registered capabilities + their methods
jmaple capability settings get URN          # show capability settings JSON
jmaple capability settings set URN --json '{}'
                                           # replace capability settings JSON

If the capability defines a settings_model, the JSON is validated against it before writing.

`jmaple version`¶

jmaple version

Prints the installed framework version.

jmaple CLI¶

jmaple serve¶

jmaple migrate¶

jmaple user¶

jmaple account¶

jmaple grant¶

jmaple token¶

jmaple subscription¶

jmaple capability¶

jmaple version¶