Propagate CLI
The propagate CLI lives in the propagate monorepo. It is the sole interface for deploying app stacks — the previous Next.js wizard has been removed.
Prerequisites
| Requirement | Notes |
|---|---|
| Node.js ≥ 18.17 | |
| pnpm 10+ | Monorepo package manager |
| Pulumi CLI | Required for apply, status, diff, destroy |
| Cardano wallet extension | Nami, Eternl, Lace, etc. — for propagate login |
| GitHub App on target org | Installed via browser during propagate create / apply / propagate auth github (no PAT) |
| VERCEL_TOKEN | Project create/deploy permissions (or provide during propagate create) |
| PROPAGATE_HOST_NAME | Base domain for nested DNS (optional; falls back to *.vercel.app) |
Install
From the propagate repo root:
pnpm install
pnpm build
Run via:
pnpm propagate <command>
# or
node packages/cli/dist/index.js <command>
Commands
| Command | Description |
|---|---|
| propagate init | Create .propagate/ workspace and global config at ~/.propagate/config.yaml |
| propagate login | Hosted wallet auth — opens browser on propagate.prisma.events |
| propagate auth github | Install Propagate GitHub App on the stack’s target org |
| propagate auth vercel | Connect Vercel (OAuth, GitHub App, team GitHub integration) |
| propagate auth upstash | Install Upstash Redis marketplace integration on the Vercel team |
| propagate auth railway | Save Railway API token for Neo4j provisioning (use No workspace scope at railway.com/account/tokens) |
| propagate create | Interactive prompts → stack.yaml, values.yaml, credentials.json |
| propagate validate | Validate manifests and capability graph; write resolved.json |
| propagate validate --schema-only | Validate stack.yaml schema only (skip app manifests) |
| propagate apply | Run Pulumi to provision infrastructure |
| propagate apply --yes | Apply without confirmation |
| propagate status | Show Pulumi stack outputs (URLs, project IDs) |
| propagate diff | Compare manifest to last-applied; run pulumi preview |
| propagate destroy | Tear down infrastructure (--yes to skip confirm) |
| propagate export | Print stack.yaml to stdout |
| propagate export --resolved | Print full resolved stack including derivable values |
Quick start
# 1. Initialise workspace in your project directory
propagate init
# 2. Authenticate (opens browser — connect Cardano wallet, sign nonce)
propagate login
# 3. Interactive manifest generation
propagate create
# Prompts: client name, event name/dates, event code, GitHub org,
# Vercel team, app selection, timelining secrets (Telegram, OpenAI), Vercel token
# Redis and Neo4j are provisioned on apply unless overridden in values.yaml
# then GitHub App install in browser (if not already installed)
# 4. Validate (requires app.manifest.yaml in each selected app repo)
propagate validate
# 5. Provision
export PROPAGATE_HOST_NAME=prisma.events # optional
propagate apply --yes
# 6. Check outputs
propagate status
Workspace layout
Running commands from a project directory creates:
.propagate/
  stack.yaml        # infrastructure intent (committed)
  values.yaml       # user secrets — gitignored
  credentials.json  # GitHub App install + Vercel token — gitignored
  resolved.json     # validation output — gitignored
  pulumi-state/     # local Pulumi backend — gitignored
  last-applied/     # snapshot after successful apply — gitignored
propagate create prompts
The create flow mirrors the former web wizard steps:
- Metadata — client name, event name, start/end dates
- Event code — DNS-safe slug (default derived from event name, e.g. Argentina ALJ → argentina-alj)
- GitHub — target organisation
- Vercel — team ID
- App selection — multi-select from deployable catalog (docs, timelining)
- User capabilities — conditional prompts (e.g. TELEGRAM_BOT_TOKEN, OPENAI_API_KEY for timelining). Redis and Neo4j are not prompted — provisioned on apply.
- Vercel token — stored in credentials.json
- GitHub App install — browser opens on propagate.prisma.events; install the Propagate app on the target org (skipped if already installed)
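An added example (not part of the propagate code base): a POSIX shell audit of the entries the workspace layout marks as gitignored, plus ~/.propagate/session.json, checking for group/other-readable permissions and for missing .gitignore coverage. The paths are the ones listed on this page; the function names and the choice of checks are assumptions.

```shell
#!/bin/sh
# Added example: audit a .propagate/ workspace for secret-exposure risk.
# Paths are the ones this page lists; function names and checks are assumptions.

# Entries the workspace layout marks as gitignored (secrets, tokens, state).
SENSITIVE="values.yaml credentials.json resolved.json pulumi-state last-applied"

# mode_is_private PATH -> 0 when group and other have no permission bits.
mode_is_private() {
  # Characters 5-10 of the ls mode string are the group and other bits.
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# is_ignored PROJECT_DIR RELPATH -> 0 when git would ignore the path.
# Outside a git repository this fails, which is reported as "not ignored".
is_ignored() {
  git -C "$1" check-ignore -q "$2" 2>/dev/null
}

# audit_workspace PROJECT_DIR -> prints findings; exit status = finding count.
audit_workspace() {
  dir=$1
  findings=0
  for name in $SENSITIVE; do
    rel=".propagate/$name"
    [ -e "$dir/$rel" ] || continue
    if ! mode_is_private "$dir/$rel"; then
      echo "WARN $rel: readable by group/other (fix: chmod go-rwx)"
      findings=$((findings + 1))
    fi
    if ! is_ignored "$dir" "$rel"; then
      echo "WARN $rel: not ignored by git, could be committed"
      findings=$((findings + 1))
    fi
  done
  # The wallet session is stored outside the project directory.
  session="$HOME/.propagate/session.json"
  if [ -e "$session" ] && ! mode_is_private "$session"; then
    echo "WARN $session: readable by group/other (fix: chmod go-rwx)"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Usage: audit_workspace /path/to/project
```

A zero exit status means no findings, so the function can gate a CI step or a pre-commit hook.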
Authentication
Wallet login
propagate login opens a browser session on the hosted auth app (propagate.prisma.events). You connect a Cardano wallet, sign a nonce, and the CLI polls until complete. The session is stored at ~/.propagate/session.json. Authorization is checked against register.prisma.events (enrol app) — your wallet must be registered there.
Override the auth host for local dev:
PROPAGATE_AUTH_URL=http://localhost:3000 propagate login
Local dev requires REGISTER_API_TOKEN in packages/web/.env.local on the auth server.
GitHub App install
Forking requires the Propagate GitHub App installed on provider.github.targetOrg — not a personal access token. The install is triggered during propagate create, before propagate apply (if missing), via propagate auth github, or optionally after propagate login when a workspace stack already exists.
- CLI creates an install session via POST /api/github/cli/init
- Browser opens /cli-github-install
- You install the app on the target GitHub organisation
- GitHub redirects to the app Setup URL; CLI polls until complete
- .propagate/credentials.json stores installationId, targetOrg, and credentialRef
- At apply/destroy, the CLI mints a short-lived installation token from the auth server
Example credentials.json:
{
  "github": {
    "installationId": 12345678,
    "targetOrg": "client-org",
    "credentialRef": "...",
    "installedAt": "2026-06-13T..."
  },
  "vercelToken": "..."
}
Vercel token
For CI or headless use, the Vercel token can be supplied via environment variable instead of credentials.json:
export VERCEL_TOKEN=...
Vercel connect troubleshooting
Git-linked deploys require three links: Vercel OAuth (token + team), the Vercel GitHub App on your target org, and GitHub under Vercel team → Settings → Integrations → GitHub → Connect.
If propagate auth vercel completes OAuth and GitHub App steps but fails verification:
- In the Vercel dashboard for the stack’s team (stack.yaml → provider.vercel.teamId): Settings → Integrations → GitHub → Connect
- Re-run propagate auth vercel or propagate apply (apply runs a live probe before Pulumi)
Monorepo packages
| Package | Role |
|---|---|
| packages/core | Zod schemas, catalog loader, capability resolver, validation |
| packages/cli | Commander + Clack prompts |
| packages/web | Hosted auth app (wallet login + GitHub App install) |
| packages/infra | Pulumi program (GitHub fork + Vercel deploy) |
| catalog/apps.yaml | App catalog with local paths and source URLs |
Related
- Manifests — stack.yaml and app.manifest.yaml schemas
- Workflow — full operator sequence
- Neo4j provisioning — Railway Neo4j for timelining