cremind setup

Headless first-run setup — check status, mint the first admin token, recover an orphaned setup, and read or write server-wide config.

cremind setup is the CLI entry point for bootstrapping a fresh Cremind server, recovering a half-finished setup, and editing server-wide configuration after the fact. It exposes the same actions the Setup Wizard walks an admin through in the web UI, but in a form you can script into infrastructure automation.

Two halves with different auth

Subcommand	Auth	Purpose
`status`	unauthenticated	Check whether the server has finished first-run setup.
`complete`	unauthenticated	POST a setup payload and receive a freshly minted admin JWT.
`reset-orphaned`	unauthenticated	Recover from a setup that is marked complete but has no profiles.
`reconfigure`	admin token	Reset the complete flag on a healthy server so the wizard runs again.
`server-config get [key]`	admin token	Read non-secret server-wide settings.
`server-config set KEY=VALUE...`	admin token	Write one or more server-wide config keys.

The bootstrap subcommands (status, complete, reset-orphaned) deliberately ignore CREMIND_TOKEN because they are how you obtain one in the first place. The maintenance subcommands require CREMIND_TOKEN to belong to an admin profile. CREMIND_SERVER (default http://localhost:1112) controls which server the CLI talks to, and all subcommands respect the root-level --json flag.

A typical first-run flow

# 1. Confirm the server is fresh
cremind setup status
# setup_complete  false

# 2. POST the wizard payload and capture the token
export CREMIND_TOKEN=$(cremind setup complete --json-file bootstrap.json --json | jq -r .token)

# 3. Verify identity is now usable
cremind me

setup complete is the only unauthenticated way to mint a token — every other path requires an existing one. The payload mirrors the web wizard one-for-one; the first profile must be named admin:

{
  "profile": "admin",
  "server_config": { "user_working_dir": "/srv/cremind" },
  "llm_config":    { "anthropic.api_key": "sk-...", "auth_method": "anthropic" }
}

Pass the payload inline with --json, from a file (or stdin) with --json-file (- for stdin), or piped on stdin if neither flag is given. On success it prints profile, expires_at, and token, and writes the recommended export CREMIND_TOKEN=... line to stderr.

setup complete cannot change your shell environment. Either copy the printed export line, or capture the token in a subshell as shown above.

Server config

Read every non-secret server-wide setting, or a single key for scripts:

cremind setup server-config get
cremind setup server-config get user_working_dir

Write one or more keys in a single atomic PATCH — if any pair is rejected, none are applied:

cremind setup server-config set log_level=debug user_working_dir=/srv/cremind

Re-running the wizard

reconfigure (admin auth) resets the complete flag so the wizard runs again on next boot — useful after rotating the JWT secret. reset-orphaned (unauthenticated) is the recovery path for the narrower case where the server is marked complete but has no profiles; the server rejects it in any other state.

cremind setup reconfigure
cremind setup status
# setup_complete  false

Troubleshooting

Message	Cause
`a 'profile' field is required`	`complete` saw no `profile` key in the JSON and no `--profile` flag.
`--json and --json-file are mutually exclusive`	Pick one payload source; omit both (or pass `--json-file -`) to read stdin.
`401 Unauthorized` on `reconfigure` / `server-config`	These need an admin token — confirm with `cremind me`.
`setup already complete`	The server was bootstrapped before; use `cremind profile` `create` for new profiles, or `reconfigure` first.

cremind me

Confirm which profile your token authorizes after bootstrap.

CLI overview

The CREMIND_TOKEN / CREMIND_SERVER variables and the global --json flag.