> ## Documentation Index > Fetch the complete documentation index at: https://docs.yespapa.io/llms.txt > Use this file to discover all available pages before exploring further. # CLI Reference > Complete reference for all YesPaPa CLI commands and options ## `yespapa init` Initialize YesPaPa on a new machine. ```bash theme={null} yespapa init [--host-name ] ``` **Options:** * `--host-name ` — Custom name for this host (default: system hostname) **Steps:** 1. Generates a 160-bit TOTP seed 2. Sets a master key (min 8 characters) 3. Optionally pairs with the YesPaPa mobile app via remote server 4. Displays a QR code for your authenticator app 5. Verifies TOTP code (3 attempts) 6. Creates `~/.yespapa/` directory with SQLite database 7. Injects shell interceptors into `.zshrc` / `.bashrc` 8. Seeds default deny-list rules (10 patterns) 9. Starts the daemon in the background **Remote server pairing:** When prompted to pair with the mobile app, the init flow asks for: * **Remote server type** — `supabase` (default) or `selfhosted`. Choose `selfhosted` if you are running your own backend that implements the YesPaPa protocol. * **Remote server URL** — The URL of the remote server. Defaults can be overridden with the `YESPAPA_DEFAULT_REMOTE_URL` environment variable. * **Remote server key** — The anonymous/public key for the remote server. Defaults can be overridden with the `YESPAPA_DEFAULT_REMOTE_KEY` environment variable. The init flow will: * Connect and authenticate with the remote server * Register this host * Display a standard `otpauth://` QR code (scannable by any TOTP app) * Display a pairing QR code / deep link for the YesPaPa mobile app (`yespapa://pair?...`) * Store remote config in the local database *** ## `yespapa status` Show the current state of YesPaPa. ```bash theme={null} yespapa status ``` **Output includes:** * Host name * Daemon status (running/stopped, PID) * Socket status (active/not found) * Interceptor status (installed/not installed) * Remote server status (configured/offline) * Pending commands count * Active auto-bypasses count * Recent commands (last 5) *** ## `yespapa rules` Manage interception rules. ### `yespapa rules list` ```bash theme={null} yespapa rules list ``` Shows all configured rules (deny-list and allow-list) with their patterns, types, and bundles. ### `yespapa rules add` ```bash theme={null} yespapa rules add --pattern --type [--bundle ] ``` **Options:** * `--pattern ` — Glob pattern to match commands (e.g., `rm -rf *`, `docker rm *`) * `--type ` — Whether to intercept (deny) or skip (allow) * `--bundle ` — Category name (destructive, git-rewrite, privilege, network, process) ### `yespapa rules remove` ```bash theme={null} yespapa rules remove --id ``` *** ## `yespapa bypass` Manage auto-bypass (grace periods). ### `yespapa bypass activate` ```bash theme={null} yespapa bypass activate --scope --duration ``` Requires TOTP code or master key. **Options:** * `--scope ` — `all` or a bundle name (destructive, git-rewrite, privilege, network, process) * `--duration ` — `1h`, `24h`, or `7d` ### `yespapa bypass list` ```bash theme={null} yespapa bypass list ``` Shows active auto-bypasses with scope, remaining time, and ID. ### `yespapa bypass revoke` ```bash theme={null} yespapa bypass revoke [--id ] ``` Requires TOTP code or master key. Revokes a specific bypass or all if `--id` is omitted. *** ## `yespapa test` Send a test command to verify mobile app connectivity. ```bash theme={null} yespapa test ``` Connects to the remote server, inserts a test command, and waits for you to approve/deny from the mobile app. Verifies the full push notification pipeline. *** ## `yespapa config` Manage YesPaPa configuration. Changes require TOTP or master key authentication. ### `yespapa config list` ```bash theme={null} yespapa config list ``` Shows all config keys with current values, defaults, and descriptions. ### `yespapa config get` ```bash theme={null} yespapa config get ``` Get a single config value. ### `yespapa config set` ```bash theme={null} yespapa config set ``` Set a config value (requires TOTP or master key). Restart the daemon after changes. **Available config keys:** | Key | Default | Description | | ----------------------- | ------- | ---------------------------------------------------- | | `allow_password_bypass` | `true` | Allow master key as TOTP bypass for command approval | | `default_timeout` | `120` | Approval timeout in seconds (0 = wait forever) | | `allow_sudo_bypass` | `true` | Auto-approve sudo commands (false = require TOTP) | | `allow_remote_exec` | `false` | Enable `yespapa exec` for programmatic access | *** ## `yespapa exec` Execute a command through the YesPaPa gateway programmatically. ```bash theme={null} yespapa exec [--justification ] [--timeout ] -- ``` Disabled by default. Enable with `yespapa config set allow_remote_exec true`. **Options:** * `--justification ` — Reason for running this command (displayed to approver) * `--timeout ` — Timeout in seconds (0 = wait forever, default: 0) **Output:** Structured JSON events on stderr for agent consumption. *** ## `yespapa approve` Approve a pending command by ID. ```bash theme={null} yespapa approve ``` Requires TOTP code or master key. Useful for approving commands from another terminal. *** ## `yespapa uninstall` Remove YesPaPa from this machine. ```bash theme={null} yespapa uninstall ``` Requires TOTP code or master key. Removes: * Shell interceptors from profile files * Daemon process * `~/.yespapa/` directory and database * Unix socket *** ## Environment Variables | Variable | Description | | ---------------------------- | ------------------------------------------------------------------- | | `YESPAPA_DEBUG` | Legacy — JSON events are now always emitted on stderr | | `YESPAPA_DEFAULT_REMOTE_URL` | Override the default remote server URL (used during `yespapa init`) | | `YESPAPA_DEFAULT_REMOTE_KEY` | Override the default remote server key (used during `yespapa init`) | | `REMOTE_URL` | Remote server URL (set during init) | | `REMOTE_KEY` | Remote server anonymous key (set during init) |