zad v0.6.5

Install

cargo install --path .

Quick start

# 1. Register global Discord credentials (one-time). Interactive:
#    zad opens your browser to the Developer Portal bot page,
#    you hit "Reset Token" → "Copy", paste once.
zad service create discord --application-id 1234567890

# After create succeeds, zad also opens the OAuth install URL so you
# can add the bot to a guild.

# 2. Enable the service inside each project that should use it.
cd ~/code/my-project
zad service enable discord

# 3. Populate the name -> snowflake directory so you can use channel
#    and user names instead of pasting 19-digit IDs.
zad discord discover

# 4. Drive the service at runtime.
zad discord send --channel general "deploy finished"
zad discord read --channel general --limit 20
zad discord channels --json

# 5. (Optional) DM yourself. `zad service create discord` offers to
#    capture your user ID via Developer Mode; if skipped, set it later:
zad discord self set 1112223334445556
zad discord send --dm @me "reminder: file the time sheet"

Commands

• zad service — Configure or inspect external services
• zad service create — Create credentials for a service
• zad service create 1pass — Create 1Password (1pass) credentials (global by default, `--local` for project-scoped)
• zad service create discord — Create Discord credentials (global by default, `--local` for project-scoped)
• zad service create gcal — Create Google Calendar credentials (global by default, `--local` for project-scoped)
• zad service create spotify — Create Spotify credentials (global by default, `--local` for project-scoped)
• zad service create slack — Create Slack credentials (global by default, `--local` for project-scoped)
• zad service create telegram — Create Telegram credentials (global by default, `--local` for project-scoped)
• zad service create ymusic — Create YouTube Music credentials (global by default, `--local` for project-scoped)
• zad service enable — Enable a service in the current project (using existing credentials)
• zad service enable 1pass — Enable the 1Password service in the current project
• zad service enable discord — Enable the Discord service in the current project
• zad service enable gcal — Enable the Google Calendar service in the current project
• zad service enable slack — Enable the Slack service in the current project
• zad service enable spotify — Enable the Spotify service in the current project
• zad service enable telegram — Enable the Telegram service in the current project
• zad service enable ymusic — Enable the YouTube Music service in the current project
• zad service disable — Disable a service in the current project (inverse of `enable`)
• zad service disable 1pass — Disable the 1Password service in the current project
• zad service disable discord — Disable the Discord service in the current project
• zad service disable gcal — Disable the Google Calendar service in the current project
• zad service disable slack — Disable the Slack service in the current project
• zad service disable spotify — Disable the Spotify service in the current project
• zad service disable telegram — Disable the Telegram service in the current project
• zad service disable ymusic — Disable the YouTube Music service in the current project
• zad service list — List all services with credential and project-enablement status
• zad service show — Show details for a configured service
• zad service show 1pass — Show the 1Password service's effective configuration
• zad service show discord — Show the Discord service's effective configuration
• zad service show gcal — Show the Google Calendar service's effective configuration
• zad service show slack — Show the Slack service's effective configuration
• zad service show spotify — Show the Spotify service's effective configuration
• zad service show telegram — Show the Telegram service's effective configuration
• zad service show ymusic — Show the YouTube Music service's effective configuration
• zad service status — Check whether service credentials work by pinging the provider. Without `--service`, every configured service is pinged in parallel
• zad service delete — Delete credentials for a service (inverse of `create`)
• zad service delete 1pass — Delete 1Password credentials (global by default, `--local` for project-scoped)
• zad service delete discord — Delete Discord credentials (global by default, `--local` for project-scoped)
• zad service delete gcal — Delete Google Calendar credentials (global by default, `--local` for project-scoped)
• zad service delete slack — Delete Slack credentials (global by default, `--local` for project-scoped)
• zad service delete spotify — Delete Spotify credentials (global by default, `--local` for project-scoped)
• zad service delete telegram — Delete Telegram credentials (global by default, `--local` for project-scoped)
• zad service delete ymusic — Delete YouTube Music credentials (global by default, `--local` for project-scoped)
• zad 1pass — Operate the 1Password service (vaults, items, get, read, inject, create)
• zad 1pass vaults — List the vaults this account can see (filtered by policy)
• zad 1pass items — List items (filtered by vault, tags, category, and policy)
• zad 1pass tags — List distinct tags across visible items
• zad 1pass get — Fetch metadata for one item. Fields are filtered by policy — labels/types stay visible, `value` on denied fields is dropped
• zad 1pass read — Resolve a single `op://vault/item/field` reference
• zad 1pass inject — Substitute every `op://…` reference in a template. Each ref is gated through the same policy as `read` before `op inject` runs, so the whole call aborts if any ref is hidden
• zad 1pass create — Create a new item. Gated by the deny-by-default `[create]` block; the agent must be explicitly allowed in a vault
• zad 1pass whoami — Confirm the stored credentials work
• zad 1pass permissions — Inspect or scaffold the permissions policy
• zad 1pass permissions show — Print the effective policy (both file paths + bodies)
• zad 1pass permissions path — Print the two candidate file paths, one per line
• zad 1pass permissions init — Write a starter policy to the selected scope
• zad 1pass permissions check — Dry-run a permissions check without hitting the network
• zad 1pass permissions status — Print whether a pending policy exists at each scope
• zad 1pass permissions diff — Show the unified diff between live and pending (if any)
• zad 1pass permissions discard — Discard the pending policy without touching the live file
• zad 1pass permissions commit — Promote the pending policy to live and upsert a trust-store entry signed with the keychain-held signing key
• zad 1pass permissions sign — Sign the live file with the keychain-held signing key and upsert its entry in the per-machine trust store. Use this to trust a hand-edited file or a permissions file shipped from another machine. Requires `zad signing init` to have run
• zad 1pass permissions add — Queue an allow/deny pattern change. Writes to the pending file
• zad 1pass permissions remove — Queue an allow/deny pattern removal
• zad 1pass permissions content — Queue a content `deny_words` / `deny_patterns` / `max_length` change
• zad 1pass permissions content add-deny-word — Append a case-insensitive deny-word
• zad 1pass permissions content remove-deny-word — Remove a deny-word
• zad 1pass permissions content add-deny-regex — Append a deny regex
• zad 1pass permissions content remove-deny-regex — Remove a deny regex
• zad 1pass permissions content set-max-length — Set the `max_length` codepoint cap. Pass `--clear` to remove
• zad 1pass permissions time — Queue a time-window change
• zad 1pass permissions time set-days — Replace the weekday allow-list. Comma-separated: `mon,tue,wed`
• zad 1pass permissions time set-windows — Replace the HH:MM-HH:MM window list. Comma-separated
• zad discord — Operate the Discord service (send, read, channels, join, leave)
• zad discord send — Send a message to a channel or DM
• zad discord read — Read recent messages from a channel
• zad discord channels — List channels in a guild
• zad discord join — Join a thread channel (Discord only allows explicit joins on threads)
• zad discord leave — Leave a thread channel
• zad discord discover — Best-effort walk of the bot's visible guilds, channels, and members, writing a name -> snowflake map to this project's `directory.toml`. Safe to re-run; preserves hand-authored entries
• zad discord directory — Inspect or hand-edit the name -> snowflake directory
• zad discord directory set — Upsert a name -> snowflake mapping. `<kind>` is one of `guild`, `channel`, or `user`. Channel keys may include a `guild/channel` qualifier
• zad discord directory remove — Remove a single mapping. Silent no-op if the key is absent
• zad discord directory clear — Wipe every entry. Use with `--force`
• zad discord permissions — Inspect, scaffold, or dry-run the permissions policy that narrows what this service may actually do
• zad discord permissions show — Print the effective policy (global + local) for this project
• zad discord permissions init — Write a starter `permissions.toml` at the selected scope
• zad discord permissions path — Print the paths considered for this project, in precedence order
• zad discord permissions check — Dry-run: ask whether a proposed action would be admitted *without* hitting Discord. Useful for agents that want to pre-flight
• zad discord permissions status — Print whether a pending policy exists at each scope
• zad discord permissions diff — Show the unified diff between live and pending (if any)
• zad discord permissions discard — Discard the pending policy without touching the live file
• zad discord permissions commit — Promote the pending policy to live and upsert a trust-store entry signed with the keychain-held signing key
• zad discord permissions sign — Sign the live file with the keychain-held signing key and upsert its entry in the per-machine trust store. Use this to trust a hand-edited file or a permissions file shipped from another machine. Requires `zad signing init` to have run
• zad discord permissions add — Queue an allow/deny pattern change. Writes to the pending file
• zad discord permissions remove — Queue an allow/deny pattern removal
• zad discord permissions content — Queue a content `deny_words` / `deny_patterns` / `max_length` change
• zad discord permissions content add-deny-word — Append a case-insensitive deny-word
• zad discord permissions content remove-deny-word — Remove a deny-word
• zad discord permissions content add-deny-regex — Append a deny regex
• zad discord permissions content remove-deny-regex — Remove a deny regex
• zad discord permissions content set-max-length — Set the `max_length` codepoint cap. Pass `--clear` to remove
• zad discord permissions time — Queue a time-window change
• zad discord permissions time set-days — Replace the weekday allow-list. Comma-separated: `mon,tue,wed`
• zad discord permissions time set-windows — Replace the HH:MM-HH:MM window list. Comma-separated
• zad discord self — Manage the Discord user ID resolved from the literal `@me` in `--dm` targets. Show, set (with API validation), or clear
• zad discord self show — Print the stored self-user ID (or note that it's not set)
• zad discord self set — Validate the supplied snowflake against Discord and store it
• zad discord self clear — Clear the stored self-user ID
• zad gcal — Operate the Google Calendar service (calendars, events, permissions)
• zad gcal calendars — Calendar directory operations (list / show)
• zad gcal calendars list — List every calendar the authenticated user can see
• zad gcal calendars show — Show metadata for one calendar
• zad gcal events — Event read + write operations
• zad gcal events list — List events on a calendar, optionally filtered by time or free-text query
• zad gcal events show — Show one event
• zad gcal events create — Create a new event
• zad gcal events update — Patch an existing event. `--add-attendee` and `--add-reminder-minutes` are additive; `--remove-attendee` is subtractive
• zad gcal events delete — Delete an event
• zad gcal permissions — Inspect or scaffold the permissions policy
• zad gcal permissions show — Print the effective policy (both file paths + bodies)
• zad gcal permissions path — Print the two candidate file paths, one per line
• zad gcal permissions init — Write a starter policy to the selected scope
• zad gcal permissions check — Dry-run a permissions check without hitting the network
• zad gcal permissions status — Print whether a pending policy exists at each scope
• zad gcal permissions diff — Show the unified diff between live and pending (if any)
• zad gcal permissions discard — Discard the pending policy without touching the live file
• zad gcal permissions commit — Promote the pending policy to live and upsert a trust-store entry signed with the keychain-held signing key
• zad gcal permissions sign — Sign the live file with the keychain-held signing key and upsert its entry in the per-machine trust store. Use this to trust a hand-edited file or a permissions file shipped from another machine. Requires `zad signing init` to have run
• zad gcal permissions add — Queue an allow/deny pattern change. Writes to the pending file
• zad gcal permissions remove — Queue an allow/deny pattern removal
• zad gcal permissions content — Queue a content `deny_words` / `deny_patterns` / `max_length` change
• zad gcal permissions content add-deny-word — Append a case-insensitive deny-word
• zad gcal permissions content remove-deny-word — Remove a deny-word
• zad gcal permissions content add-deny-regex — Append a deny regex
• zad gcal permissions content remove-deny-regex — Remove a deny regex
• zad gcal permissions content set-max-length — Set the `max_length` codepoint cap. Pass `--clear` to remove
• zad gcal permissions time — Queue a time-window change
• zad gcal permissions time set-days — Replace the weekday allow-list. Comma-separated: `mon,tue,wed`
• zad gcal permissions time set-windows — Replace the HH:MM-HH:MM window list. Comma-separated
• zad gcal self — Configure the `@me` alias that resolves to your own email
• zad gcal self show — Print the currently configured self email
• zad gcal self set — Set the self email (overwrites whatever's stored)
• zad gcal self clear — Clear the self email
• zad slack — Operate the Slack service (send, read, channels, discover)
• zad slack send — Send a message to a channel or DM
• zad slack read — Read recent messages from a channel
• zad slack channels — List channels in the workspace
• zad slack discover — Best-effort walk of the workspace's channels and members, writing a name -> ID map to this project's `directory.toml`
• zad slack directory — Inspect or hand-edit the name -> ID directory
• zad slack directory set — Upsert a name -> ID mapping. `<kind>` is one of `channel` or `user`
• zad slack directory remove — Remove a single mapping
• zad slack directory clear — Wipe every entry. Use with `--force`
• zad slack permissions — Inspect, scaffold, or dry-run the permissions policy
• zad slack permissions show —
• zad slack permissions init —
• zad slack permissions path —
• zad slack permissions check —
• zad slack permissions status — Print whether a pending policy exists at each scope
• zad slack permissions diff — Show the unified diff between live and pending (if any)
• zad slack permissions discard — Discard the pending policy without touching the live file
• zad slack permissions commit — Promote the pending policy to live and upsert a trust-store entry signed with the keychain-held signing key
• zad slack permissions sign — Sign the live file with the keychain-held signing key and upsert its entry in the per-machine trust store. Use this to trust a hand-edited file or a permissions file shipped from another machine. Requires `zad signing init` to have run
• zad slack permissions add — Queue an allow/deny pattern change. Writes to the pending file
• zad slack permissions remove — Queue an allow/deny pattern removal
• zad slack permissions content — Queue a content `deny_words` / `deny_patterns` / `max_length` change
• zad slack permissions content add-deny-word — Append a case-insensitive deny-word
• zad slack permissions content remove-deny-word — Remove a deny-word
• zad slack permissions content add-deny-regex — Append a deny regex
• zad slack permissions content remove-deny-regex — Remove a deny regex
• zad slack permissions content set-max-length — Set the `max_length` codepoint cap. Pass `--clear` to remove
• zad slack permissions time — Queue a time-window change
• zad slack permissions time set-days — Replace the weekday allow-list. Comma-separated: `mon,tue,wed`
• zad slack permissions time set-windows — Replace the HH:MM-HH:MM window list. Comma-separated
• zad slack self — Manage the Slack user ID resolved from the literal `@me` in targets
• zad slack self show —
• zad slack self set —
• zad slack self clear —
• zad spotify — Operate the Spotify service (search, playlists, library)
• zad spotify search — Search the Spotify catalogue (tracks, albums, artists, playlists)
• zad spotify playlists — Playlist management (list, show, create, rename, delete, add, remove)
• zad spotify playlists list — List the authenticated user's playlists
• zad spotify playlists show — Show one playlist's metadata and tracks
• zad spotify playlists create — Create a new playlist owned by the authenticated user
• zad spotify playlists rename — Rename an existing playlist
• zad spotify playlists delete — Delete (i.e. unfollow) a playlist owned by the user
• zad spotify playlists add — Add one or more tracks to a playlist
• zad spotify playlists remove — Remove one or more tracks from a playlist
• zad spotify library — Library management (saved tracks and albums)
• zad spotify library tracks — Saved-tracks operations
• zad spotify library tracks list — List saved items
• zad spotify library tracks save — Save (like) one or more items
• zad spotify library tracks unsave — Unsave (unlike) one or more items
• zad spotify library albums — Saved-albums operations
• zad spotify library albums list — List saved items
• zad spotify library albums save — Save (like) one or more items
• zad spotify library albums unsave — Unsave (unlike) one or more items
• zad spotify permissions — Inspect or scaffold the permissions policy
• zad spotify permissions show — Print the effective policy (both file paths + bodies)
• zad spotify permissions path — Print the two candidate file paths, one per line
• zad spotify permissions init — Write a starter policy to the selected scope
• zad spotify permissions check — Dry-run a permissions check without hitting the network
• zad spotify permissions status — Print whether a pending policy exists at each scope
• zad spotify permissions diff — Show the unified diff between live and pending (if any)
• zad spotify permissions discard — Discard the pending policy without touching the live file
• zad spotify permissions commit — Promote the pending policy to live and upsert a trust-store entry signed with the keychain-held signing key
• zad spotify permissions sign — Sign the live file with the keychain-held signing key and upsert its entry in the per-machine trust store. Use this to trust a hand-edited file or a permissions file shipped from another machine. Requires `zad signing init` to have run
• zad spotify permissions add — Queue an allow/deny pattern change. Writes to the pending file
• zad spotify permissions remove — Queue an allow/deny pattern removal
• zad spotify permissions content — Queue a content `deny_words` / `deny_patterns` / `max_length` change
• zad spotify permissions content add-deny-word — Append a case-insensitive deny-word
• zad spotify permissions content remove-deny-word — Remove a deny-word
• zad spotify permissions content add-deny-regex — Append a deny regex
• zad spotify permissions content remove-deny-regex — Remove a deny regex
• zad spotify permissions content set-max-length — Set the `max_length` codepoint cap. Pass `--clear` to remove
• zad spotify permissions time — Queue a time-window change
• zad spotify permissions time set-days — Replace the weekday allow-list. Comma-separated: `mon,tue,wed`
• zad spotify permissions time set-windows — Replace the HH:MM-HH:MM window list. Comma-separated
• zad telegram — Operate the Telegram service (send, read, chats, discover)
• zad telegram send — Send a message to a chat (private, group, supergroup, or channel)
• zad telegram read — Fetch recent messages the bot has buffered for a chat
• zad telegram chats — List chats the bot has seen (local directory + recent updates)
• zad telegram discover — Poll the Bot API for recent updates and upsert chat aliases into this project's `directory.toml`
• zad telegram directory — Inspect or hand-edit the name -> chat_id directory
• zad telegram directory set — Upsert a name -> chat_id mapping
• zad telegram directory remove — Remove a single mapping. Silent no-op if the key is absent
• zad telegram directory clear — Wipe every entry. Use with `--force`
• zad telegram permissions — Inspect, scaffold, or dry-run the permissions policy that narrows what this service may actually do
• zad telegram permissions show — Print the effective policy (global + local) for this project
• zad telegram permissions init — Write a starter `permissions.toml` at the selected scope
• zad telegram permissions path — Print the paths considered for this project, in precedence order
• zad telegram permissions check — Dry-run: ask whether a proposed action would be admitted *without* hitting the Bot API. Useful for agents that want to pre-flight
• zad telegram permissions status — Print whether a pending policy exists at each scope
• zad telegram permissions diff — Show the unified diff between live and pending (if any)
• zad telegram permissions discard — Discard the pending policy without touching the live file
• zad telegram permissions commit — Promote the pending policy to live and upsert a trust-store entry signed with the keychain-held signing key
• zad telegram permissions sign — Sign the live file with the keychain-held signing key and upsert its entry in the per-machine trust store. Use this to trust a hand-edited file or a permissions file shipped from another machine. Requires `zad signing init` to have run
• zad telegram permissions add — Queue an allow/deny pattern change. Writes to the pending file
• zad telegram permissions remove — Queue an allow/deny pattern removal
• zad telegram permissions content — Queue a content `deny_words` / `deny_patterns` / `max_length` change
• zad telegram permissions content add-deny-word — Append a case-insensitive deny-word
• zad telegram permissions content remove-deny-word — Remove a deny-word
• zad telegram permissions content add-deny-regex — Append a deny regex
• zad telegram permissions content remove-deny-regex — Remove a deny regex
• zad telegram permissions content set-max-length — Set the `max_length` codepoint cap. Pass `--clear` to remove
• zad telegram permissions time — Queue a time-window change
• zad telegram permissions time set-days — Replace the weekday allow-list. Comma-separated: `mon,tue,wed`
• zad telegram permissions time set-windows — Replace the HH:MM-HH:MM window list. Comma-separated
• zad telegram self — Manage the private-chat ID resolved from the literal `@me` in send/read targets. Capture (by polling for your first message to the bot), show, set, or clear
• zad telegram self show — Print the stored self-chat ID (or note that it's not set)
• zad telegram self set — Set the self-chat ID directly. No validation — use `capture` for a validated setup
• zad telegram self clear — Clear the stored self-chat ID
• zad telegram self capture — Poll `getUpdates` for up to 60s waiting for your first message to the bot, then store that private-chat ID
• zad ymusic — Operate the YouTube Music service (search, playlists, library)
• zad ymusic search — Search YouTube (videos, playlists, channels). YouTube Music shares the Data API surface — songs are videos with the `topicId` set to `Music`, but vanilla `video` queries cover most cases
• zad ymusic playlists — Playlist management (list, show, create, rename, delete, add, remove)
• zad ymusic playlists list — List the authenticated user's playlists
• zad ymusic playlists show — Show one playlist's metadata and items
• zad ymusic playlists create — Create a new playlist owned by the authenticated user
• zad ymusic playlists rename — Rename an existing playlist
• zad ymusic playlists delete — Delete a playlist owned by the user
• zad ymusic playlists add — Add one or more videos to a playlist
• zad ymusic playlists remove — Remove one or more items from a playlist (by playlistItem ID or by video ID — the latter is resolved by listing the playlist first)
• zad ymusic library — Library management — the user's liked videos
• zad ymusic library list — List the authenticated user's liked videos
• zad ymusic library like — Like (save) one or more videos
• zad ymusic library unlike — Unlike (unsave) one or more videos
• zad ymusic permissions — Inspect or scaffold the permissions policy
• zad ymusic permissions show — Print the effective policy (both file paths + bodies)
• zad ymusic permissions path — Print the two candidate file paths, one per line
• zad ymusic permissions init — Write a starter policy to the selected scope
• zad ymusic permissions check — Dry-run a permissions check without hitting the network
• zad ymusic permissions status — Print whether a pending policy exists at each scope
• zad ymusic permissions diff — Show the unified diff between live and pending (if any)
• zad ymusic permissions discard — Discard the pending policy without touching the live file
• zad ymusic permissions commit — Promote the pending policy to live and upsert a trust-store entry signed with the keychain-held signing key
• zad ymusic permissions sign — Sign the live file with the keychain-held signing key and upsert its entry in the per-machine trust store. Use this to trust a hand-edited file or a permissions file shipped from another machine. Requires `zad signing init` to have run
• zad ymusic permissions add — Queue an allow/deny pattern change. Writes to the pending file
• zad ymusic permissions remove — Queue an allow/deny pattern removal
• zad ymusic permissions content — Queue a content `deny_words` / `deny_patterns` / `max_length` change
• zad ymusic permissions content add-deny-word — Append a case-insensitive deny-word
• zad ymusic permissions content remove-deny-word — Remove a deny-word
• zad ymusic permissions content add-deny-regex — Append a deny regex
• zad ymusic permissions content remove-deny-regex — Remove a deny regex
• zad ymusic permissions content set-max-length — Set the `max_length` codepoint cap. Pass `--clear` to remove
• zad ymusic permissions time — Queue a time-window change
• zad ymusic permissions time set-days — Replace the weekday allow-list. Comma-separated: `mon,tue,wed`
• zad ymusic permissions time set-windows — Replace the HH:MM-HH:MM window list. Comma-separated
• zad signing — Manage the local signing key and trust store
• zad signing init — Bootstrap the local signing key. Mints a fresh Ed25519 keypair in the OS keychain and initializes an empty signed trust store. Safe to run on a machine that already has a key (idempotent without --force)
• zad signing show — Print the local signing key's fingerprint and the paths of the public-key cache and trust store
• zad commands — Enumerate CLI commands, flags, and realistic examples
• zad docs — Print topic documentation embedded at build time
• zad man — Print reference manpages embedded at build time

Documentation

• zad docs architecture
• zad docs configuration
• zad docs getting-started
• zad docs permissions
• zad docs services
• zad docs troubleshooting