@codehaus-au/takcli
v0.12.0
Published
Operator CLI for TAK workflows.
Readme
TAKCLI
takcli is a modern operator CLI for Team Awareness Kit workflows.

The first milestone focuses on:
- profile and active-context management
- TAK server diagnostics with
doctor - TAK server operational summaries with
status - curated log observation with
observe logs - CoT query, target discovery, injection, and stream following with
cot - interactive Docker Compose deployment with
deploy - human-friendly output with stable
--json
Install
npm
npm install -g @codehaus-au/takcliConvenience script
curl -fsSL https://raw.githubusercontent.com/codehausau/takcli/main/scripts/install.sh | bashDocker
docker run --rm ghcr.io/codehausau/takcli:latest versionQuick start
Add a profile and make it current:
takcli profile add local --server https://127.0.0.1:8446 --insecure --set-currentRun diagnostics:
takcli doctor
takcli status
takcli observe logs list --deployment tak-demo
takcli cot query --uid my-uid
takcli cot targets
takcli map --open
takcli start map
takcli start replay ./data/adelaide-100km-march-2026.geojson
takcli users list
takcli deploy
takcli doctor --json
takcli status --server https://127.0.0.1:8446 --insecure --jsonUse a one-off target without changing the active profile:
takcli doctor --server https://tak.example.internal:8446 --jsonProfile model
Profiles live in:
~/.takcli/config.yamlYou can override that path with:
TAKCLI_CONFIG=/path/to/config.yaml takcli profile listExample config:
schemaVersion: 1
currentProfile: local
profiles:
local:
server: https://127.0.0.1:8446
tls:
certFile: /path/to/admin.pem
insecureSkipVerify: true
keyFile: /path/to/admin.key
keyPassphrase: change-me
ports:
api: 8446
enrollment: 8443
federation: 8444
cot: 8089Port meanings:
ports.api: primary HTTPS/WebTAK surface,8446in the local compose deploymentports.enrollment: secure admin/cert-management HTTPS surface,8443in the local compose deploymentports.cot: live CoT TLS stream,8089in the local compose deployment
takcli uses ports.enrollment for admin-style HTTPS routes such as CoT history lookups and file-user management, even when the profile server points at 8446.
Commands
Implemented
takcli completion <bash|zsh|fish>takcli doctortakcli statustakcli observe logs listtakcli observe logs <target>takcli cot querytakcli cot targetstakcli cot injecttakcli cot followtakcli replay filetakcli maptakcli start maptakcli start replaytakcli deploytakcli profile listtakcli profile addtakcli profile usetakcli profile showtakcli profile removetakcli users listtakcli users createtakcli users reset-passwordtakcli users deletetakcli users groups showtakcli users groups addtakcli users groups removetakcli users groups settakcli users groups listtakcli users groups memberstakcli version
Roadmap
These command families are intentionally not shipped in v1 yet:
admin- Kubernetes deployment in
takcli deploy
Next candidates
Several strong next-step CLI surfaces for takcli are:
takcli cert- create and rotate TAK CA, server, admin, client, and database TLS material
- automate cert enrollment / Quick Connect bootstrap for the
8446enrollment path - configure PostgreSQL TLS and validate cert wiring
takcli auth- manage file-based users and groups
- configure LDAP / Active Directory backends
- inspect OAuth2 / token endpoint configuration
takcli users- create, delete, bulk-create, and reset passwords for TAK users
- inspect and update IN / OUT group membership
takcli inputs- inspect and manage input listeners, group filtering, multicast routing, and auth mode
- manage group-assignment behavior for x509 and authentication messages
takcli federation- enable federation, upload federate certs, create connections, and manage outbound / mapped groups
- inspect mission disruption tolerance and data-package / mission file blocking settings
takcli retention- drive the data retention tool and validate retention configuration
The best near-term sequence is probably:
certusers/authfederation- Kubernetes deploy support
- deeper observe summaries and metrics
Map console
takcli map launches a local browser UI with:
- a live Leaflet map
- TAK status checks and target refresh controls
- CoT injection from the control panel
- optional live CoT streaming overlays
- optional replay dataset overlays
Product decision:
- primary replay workflow:
takcli start map+takcli start replay - secondary replay workflow:
takcli map --replay-file ...for local inspection, demos, and side-by-side overlay work
Quick examples:
takcli map --open
takcli map --profile local --port 3000
takcli map --replay-file ./data/adelaide-100km-march-2026.geojson --open
takcli map --logo-label "Acme Air Ops"
takcli map --mode web --host 0.0.0.0 --port 3000In headless shells, remote containers, or Codespaces, open the printed http://... URL manually instead of relying on browser auto-launch.
Web mode
takcli map --mode web keeps the embedded server model, but binds it for remote/browser access instead of local desktop UX.
Use it when:
- you are running in Docker or Codespaces
- you want to reverse-proxy the UI
- you are demoing the UI from another machine on the network
Example:
takcli map --mode web --host 0.0.0.0 --port 3000And from Docker:
docker run --rm -p 3000:3000 ghcr.io/codehausau/takcli:latest \
map --mode web --host 0.0.0.0 --port 3000takcli start map also supports --mode web. In web mode, start map disables browser auto-open by default and prints the UI URL for manual use.
Start workflows
For the operator workflow where replay is injected into TAK and the map follows live CoT back from TAK:
takcli start map
takcli start replay ./data/adelaide-100km-march-2026.geojsonIf you are in a headless environment, use:
takcli start map --no-opentakcli start map:
- launches the local map UI
- automatically starts following live CoT from TAK
- draws live session track lines per UID as updates arrive
- is the primary map mode once replay is being injected into TAK
takcli start replay:
- injects replay CoT into the TAK CoT stream
- reuses the same replay engine as
takcli replay file - is intended to be run while
takcli start mapis already following the server - is the preferred replay path when you want the UI to reflect TAK-fed CoT instead of local-only playback
Deploy workflows
takcli deploy is a compose-first wizard that:
- checks for
dockeranddocker compose - renders a TAKCLI-managed
.env, compose file, and deployment metadata directly into the deployment workspace - prompts for deployment secrets interactively and writes the generated
.envwith restricted permissions - starts the stack with
docker compose up -d
The default image sources are:
docker.io/codehausau/takserver-full:<tag>docker.io/codehausau/postgres15-postgis3:<tag>
Quick example:
takcli deploy \
--target docker-compose \
--name tak-demo \
--registry codehausau \
--image-tag latestFor non-interactive use, you can provide the required deployment values up front:
takcli deploy \
--target docker-compose \
--name tak-demo \
--deployment-root ~/.takcli/deployments/tak-demo \
--data-dir ~/.takcli/deployments/tak-demo/data \
--logs-dir ~/.takcli/deployments/tak-demo/data/logs \
--certs-dir ~/.takcli/deployments/tak-demo/data/certs \
--registry codehausau \
--image-tag latest \
--postgres-password change-me \
--ca-name tak-demo-CA \
--ca-pass change-me \
--state ACT \
--city Canberra \
--organization CodeHaus \
--organizational-unit Ops \
--takserver-cert-pass change-me \
--admin-cert-name admin \
--admin-cert-pass change-me \
--save-profiles \
--yesAdd --save-profiles when you want a non-interactive deploy to register the generated local TAK profiles automatically. This creates both <deployment-name> and <deployment-name>-admin and sets the default profile current.
If you need a different PostGIS image, override it explicitly:
takcli deploy \
--target docker-compose \
--name tak-demo \
--db-image your-registry/postgis:customOptional ADS-B sidecar examples:
takcli deploy \
--target docker-compose \
--name tak-demo \
--with-adsb \
--adsb-source mil
takcli deploy \
--target docker-compose \
--name tak-demo \
--with-adsb \
--adsb-source geo \
--adsb-lat 60.3179 \
--adsb-lon 24.9496 \
--adsb-dist-nm 25ADS-B acceptable use note:
takcli's generated ADS-B config links to the adsb.fi open data terms at https://github.com/adsbfi/opendata/blob/main/README.md- The public adsb.fi endpoints are intended for personal, non-commercial use, require attribution to adsb.fi with a link to their home page, and are rate limited to 1 request per second.
- For new geographic integrations, prefer the
v3 /lat/.../lon/.../dist/...endpoint rather than the deprecatedv2geographic endpoint.
CoT workflows
takcli cot query and takcli cot targets resolve their HTTPS lookups through ports.enrollment by default. In the local compose deployment that is 8443, while ports.api remains 8446 for the main WebTAK surface.
Query the latest CoT event for a UID:
takcli cot query --uid alpha --server https://127.0.0.1:8446 --insecure
takcli cot query --uid alpha --server https://127.0.0.1:8446 --insecure --rawList recent CoT targets from the last 24 hours:
takcli cot targets --server https://127.0.0.1:8446 --insecure
takcli cot targets --start-date 2026-03-16 --end-date 2026-03-17 --limit 25 --jsonInject a generated CoT event over the live TLS CoT port:
takcli cot inject \
--uid alpha \
--type a-f-G-U-C \
--lat -35.3 \
--lon 149.1 \
--callsign "Eagle 1"Follow the live CoT stream:
takcli cot follow
takcli cot follow --limit 10 --jsonReplay workflows
Replay a historical GeoJSON vessel-track file into the TAK CoT stream:
takcli replay file ../data/adelaide-100km-march-2026.geojson \
--source auto \
--start-from start \
--speed 3600Replay the same kind of dataset from an HTTP or HTTPS URL:
takcli replay file https://example.invalid/tracks.geojson \
--source auto \
--start-from start \
--speed 3600Inspect the detected source and time range without sending CoT:
takcli replay file ../data/adelaide-100km-march-2026.geojson --describeUser workflows
The TAK file-user-management endpoints are usually exposed on the secure web/admin port. takcli users uses ports.enrollment for those routes, which is 8443 on the local compose deployment in this workspace.
Example profile for an admin client certificate:
takcli profile add local-admin \
--server https://127.0.0.1:8443 \
--api-port 8443 \
--cert-file /path/to/admin.pem \
--key-file /path/to/admin.key \
--key-passphrase change-me \
--insecure \
--set-currentIf your TAK client key is already unencrypted, omit --key-passphrase.
Example user-management flows:
takcli users list
takcli users create alice --password 'Ch@ngeM3whenyoucan' --group Blue --out-group Green
takcli users reset-password alice --password '@lsoCh@ngeM3WhenYouCan'
takcli users groups show alice
takcli users groups add alice --in-group Red
takcli users groups remove alice --out-group Green
takcli users groups members Blue
takcli users delete aliceObserve workflows
takcli observe logs works against deployments already tracked by takcli deploy. If you have more than one tracked deployment, pass --deployment <name> or switch to a profile associated with the deployment you want to inspect.
List curated log targets:
takcli observe logs list --deployment tak-demo
takcli observe logs list --deployment tak-cluster --jsonRead recent lines from a tracked server log:
takcli observe logs api --deployment tak-demo --lines 200
takcli observe logs config-console --deployment tak-demoFollow a live log stream:
takcli observe logs messaging --deployment tak-demo --follow
takcli observe logs database --deployment tak-cluster --followCLI demos
This repo includes reproducible terminal demo tapes for README assets using vhs.
Render the sample demos with:
pnpm demo:readme:livepnpm demo:readme:live starts a dedicated renderer container on the same Docker network as a running local TAK compose deployment and exercises real status, doctor, users, cot, and compose deploy commands. Demo sources live in docs/demos/ and generated assets are written to docs/assets/.
Development
pnpm install
pnpm lint
pnpm typecheck
pnpm test
pnpm buildTAK Server Images
The hardened TAK Server Docker images require Iron Bank base images, so the practical publishing path today is the unhardened image set.
There is a helper script for building release-tagged unhardened images from an upstream tak-server checkout:
./scripts/build-unhardened-takserver-images.sh \
--tak-server-repo /path/to/tak-server \
--tag 5.2-RELEASE-16 \
--platforms linux/amd64,linux/arm64 \
--image-prefix docker.io/codehausauMore detail is in docs/unhardened-takserver-images.md.
Shell completions
Generate a completion script for your shell:
takcli completion bash
takcli completion zsh
takcli completion fishExamples:
takcli completion bash > ~/.local/share/bash-completion/completions/takcli
takcli completion zsh > "${fpath[1]}/_takcli"
takcli completion fish > ~/.config/fish/completions/takcli.fish