This page documents every available kz command, its subcommands, flags, and usage examples.

kz auth — Authentication

Manage authentication to Kizuna instances.

kz auth login

Authenticate with a Kizuna instance using OAuth or token-based login.

# Default OAuth flow (opens browser)
kz auth login

# Specify authentication method
kz auth login --method oauth
kz auth login --method token

Flag	Description
--method <METHOD>	Authentication method: oauth (default) or token

kz auth logout

Remove stored credentials for a profile.

kz auth logout
kz auth logout --profile staging

kz auth status

Display current authentication status — active profile, instance URL, and token validity.

kz auth status
kz auth status --profile production

kz auth refresh

Manually refresh the access token for the active profile.

kz auth refresh

kz auth switch

Switch between saved profiles.

kz auth switch production

kz auth configure

Launch an interactive configuration wizard to set up a new profile or edit an existing one.

kz auth configure

---

kz config — Configuration

View and manage CLI configuration.

kz config show

Display the current resolved configuration as JSON.

kz config show

kz config path

Show where configuration files are stored on your platform.

kz config path

Output example:

Config:      ~/.config/kizuna/config.toml
Credentials: ~/.config/kizuna/credentials.toml
Cache:       ~/.cache/kizuna/
Data:        ~/.local/share/kizuna/

kz config edit

Open the configuration file in your default editor.

kz config edit

kz config init

Initialize configuration directories and create a default config file.

kz config init

---

kz policy — Policy Gateway

Check permissions and invoke tools through the Kizuna Policy Gateway. Useful for CI/CD scripts and automation.

kz policy check

Check whether an action is allowed by the policy engine.

# Basic check
kz policy check --action "repo.delete" --resource "acme-corp/api-service"

# With context
kz policy check \
  --action "agent.create" \
  --resource "org:acme-corp" \
  --context '{"user_role": "admin", "agent_trust_level": 2}'

# JSON output for scripting
kz policy check --action "deploy.production" --resource "acme/api" --format json

Flag	Description
--action <ACTION>	Action to check (e.g., repo.delete, agent.create)
--resource <RESOURCE>	Target resource (e.g., org:acme-corp, acme/repo)
--context <JSON>	Optional JSON context for the policy evaluation
--format <FORMAT>	Output format: table (default) or json

Exit codes:

• 0 — Action allowed
• 1 — Action denied

This makes kz policy check ideal for CI/CD gates:

# In a deployment script
if kz policy check --action "deploy.production" --resource "acme/api" --quiet; then
  echo "Deployment authorized"
  deploy_to_production
else
  echo "Deployment blocked by policy"
  exit 1
fi

kz policy invoke

Execute a tool through the policy gateway with full audit logging.

# Invoke a tool synchronously
kz policy invoke --tool "code-review" \
  --input '{"repo": "acme/api", "pr": 123}'

# Async invocation for long-running operations
kz policy invoke --tool "security-scan" \
  --input '{"repo": "acme/api", "branch": "main"}' \
  --async

# With custom timeout
kz policy invoke --tool "deploy" \
  --input '{"environment": "staging", "version": "1.2.3"}' \
  --timeout 120

Flag	Description
--tool <TOOL>	Tool name to invoke
--input <JSON>	JSON input for the tool
--async	Run asynchronously (returns immediately)
--timeout <SECS>	Timeout in seconds (default: 30)
--format <FORMAT>	Output format: table (default) or json

---

kz identity — OIDC Client Management

Manage OIDC clients for agent authentication and service integrations.

kz identity client list

List all registered OIDC clients.

kz identity client list
kz identity client list --limit 10

Flag	Description
--limit <N>	Maximum number of clients to return (default: 50)

kz identity client create

Register a new OIDC client.

kz identity client create \
  --name "ci-cd-integration" \
  --redirect-uri "https://ci.acme.com/callback" \
  --grant-types "authorization_code,client_credentials"

Flag	Description
--name <NAME>	Client display name (required)
--redirect-uri <URI>	OAuth redirect URI
--grant-types <TYPES>	Comma-separated grant types

kz identity client show

Display details for a specific OIDC client.

kz identity client show 550e8400-e29b-41d4-a716-446655440000

kz identity client update

Update an existing OIDC client.

kz identity client update 550e8400-... \
  --name "updated-name" \
  --redirect-uri "https://new-callback.example.com/callback"

kz identity client delete

Delete an OIDC client (prompts for confirmation).

kz identity client delete 550e8400-...

# Skip confirmation
kz identity client delete 550e8400-... --force

kz identity client rotate-secret

Rotate the client secret for an OIDC client.

kz identity client rotate-secret 550e8400-...

Important: The new secret is displayed once. Store it securely.

---

Placeholder Commands

The following commands are defined in the CLI framework but not yet fully implemented. They return a "coming soon" message:

Command	Purpose
kz repo	Repository CRUD, clone, fork
kz pr	Pull request create, list, review, merge
kz issue	Issue tracking, labels, assignment
kz agent	Agent registration, lifecycle, approval
kz pipeline	CI/CD trigger, cancel, retry, logs
kz change	Jujutsu change operations
kz operation	Jujutsu operation log
kz activity	Activity feed and notifications
kz llm	LLM provider management
kz intent	INTENT.md management
kz webhook	Webhook configuration
kz artifact	Build artifact management
kz package	Package registry operations
kz marketplace	Agent marketplace
kz conflict	Merge conflict resolution
kz runner	Cloud runner and job management
kz governance	Governance and compliance
kz analytics	DORA metrics and agent performance
kz incident	Incident management
kz revocation	Token revocation drills

Next Steps

• Configuration — Set up profiles and environments
• TUI Guide — Use the terminal user interface
• Tutorial: CLI Workflow — Hands-on walkthrough