Skip to content
Sanctum

CLI Reference

This page documents the command-line tools used to manage, monitor, and maintain a Sanctum instance.

Gateway Management

Section titled “Gateway Management”

The OpenClaw gateway is the core agent runtime. Always use the openclaw CLI to manage it — never use raw launchctl commands for the gateway.

Start the Gateway

Section titled “Start the Gateway”
Terminal window
openclaw gateway start

Loads the gateway LaunchAgent and starts the agent runtime on the configured port (default 18789).

Stop the Gateway

Section titled “Stop the Gateway”
Terminal window
openclaw gateway stop

Gracefully shuts down the gateway, cleans up state files and port locks, then unloads the LaunchAgent.

Restart Pattern

Section titled “Restart Pattern”
Terminal window
# Mac
openclaw gateway stop
openclaw gateway start


# VM
systemctl --user restart openclaw-gateway.service

A convenience script is also available:

Terminal window
~/.sanctum/scripts/gateway-restart.sh

Agent Commands

Section titled “Agent Commands”

Send a Message to an Agent

Section titled “Send a Message to an Agent”
Terminal window
openclaw agent --agent <agent_name> --message "<message>"
FlagDescription
--agentAgent identifier: main (Yoda), windu, quigon, cilghal, mundi, or jocasta
--messageThe message to deliver to the agent
Terminal window
# Send a message to the main agent (Yoda)
openclaw agent --agent main --message "Run the evening briefing"


# Send a message to the security agent
openclaw agent --agent windu --message "Generate the weekly security report"

Cross-Node Agent Messaging

Section titled “Cross-Node Agent Messaging”

For sending messages between Mac and VM agents, use the council bridge SSH pattern:

Terminal window
ssh ubuntu@10.10.10.10 \
  '/home/ubuntu/.npm-global/bin/openclaw agent --agent main --message "Hello from Jocasta"'

launchctl Patterns

Section titled “launchctl Patterns”

macOS uses launchctl to manage LaunchAgents and LaunchDaemons. Sanctum uses the modern bootstrap/bootout subcommands.

Load a LaunchAgent

Section titled “Load a LaunchAgent”
Terminal window
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/<label>.plist
Terminal window
# Example: load the watchdog
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.sanctum.watchdog.plist

Unload a LaunchAgent

Section titled “Unload a LaunchAgent”
Terminal window
launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/<label>.plist
Terminal window
# Example: unload the watchdog
launchctl bootout gui/$(id -u) ~/Library/LaunchAgents/com.sanctum.watchdog.plist

Check Agent Status

Section titled “Check Agent Status”
Terminal window
launchctl print gui/$(id -u)/<label>
Terminal window
# Example: check if the council MLX server is running
launchctl print gui/$(id -u)/com.sanctum.council-mlx

Load a LaunchDaemon

Section titled “Load a LaunchDaemon”

LaunchDaemons require sudo and use the system domain:

Terminal window
sudo launchctl bootstrap system /Library/LaunchDaemons/<label>.plist
sudo launchctl bootout system /Library/LaunchDaemons/<label>.plist

generate-plists.sh

Section titled “generate-plists.sh”

Renders LaunchAgent plist files from templates using values from instance.yaml and the macOS Keychain.

Terminal window
~/.sanctum/generate-plists.sh [--dry-run]
FlagDescription
--dry-runShow what would be generated without writing any files

What It Does

Section titled “What It Does”
  1. Reads templates from ~/.sanctum/templates/launchagents/
  2. Checks each template’s corresponding service enabled flag in instance.yaml
  3. Skips disabled services
  4. Expands {{PLACEHOLDER}} tokens with config values
  5. Retrieves secrets from the macOS Keychain using the configured keychain_account
  6. Writes rendered plists to ~/Library/LaunchAgents/ (or /Library/LaunchDaemons/)
Terminal window
# Preview changes
~/.sanctum/generate-plists.sh --dry-run


# Generate and install
~/.sanctum/generate-plists.sh

run-all.sh (Test Suite)

Section titled “run-all.sh (Test Suite)”

Runs the full Sanctum test suite to verify all services, connections, and configurations.

Terminal window
~/.sanctum/run-all.sh

The test suite checks:

  • All enabled LaunchAgents are loaded and running
  • Gateway is responsive on the configured port
  • VM is reachable via SSH
  • Bridge interface has the correct IP
  • All enabled services respond on their configured ports
  • Firewalla bridge can authenticate
  • Home Assistant is accessible
  • Cloudflare tunnel is connected
  • Tailscale is connected and peers are reachable
  • Node connectivity (LAN and Tailscale)

Output uses color-coded pass/fail indicators. A summary count is printed at the end.

[PASS] Gateway responding on port 18789
[PASS] VM reachable at 10.10.10.10
[PASS] Home Assistant at port 8123
[FAIL] Kiwix server not responding on port 8888
---
Results: 15/16 passed

watchdog.sh

Section titled “watchdog.sh”

The watchdog script runs every 600 seconds via the com.sanctum.watchdog LaunchAgent. It monitors all enabled services and attempts auto-healing via service-doctor.

Terminal window
~/.sanctum/watchdog.sh

Behavior

Section titled “Behavior”
  1. Iterates through all services with enabled: true in instance.yaml
  2. Checks each service’s health (port check, process check, or custom probe)
  3. If a service is unhealthy, invokes service-doctor to attempt recovery
  4. Logs all results to ~/.sanctum/logs/watchdog.log
  5. Sends a notification via sanctum_notify if any service required healing

Manual Run

Section titled “Manual Run”

Run the watchdog manually to check current health:

Terminal window
~/.sanctum/watchdog.sh

sanctum-backup.sh

Section titled “sanctum-backup.sh”

Creates a backup of the Sanctum configuration and critical state files.

Terminal window
~/.sanctum/sanctum-backup.sh [--destination <path>]
FlagDescription
--destinationOverride the default backup directory (from paths.backups in config)

What Gets Backed Up

Section titled “What Gets Backed Up”
ItemDescription
instance.yamlCentral configuration
templates/LaunchAgent plist templates
lib/Shell and Python libraries
Agent configsOpenClaw/DenchClaw configuration
HA configHome Assistant configuration.yaml and automations
VM stateKey VM configuration files (via SSH)
Keychain exportsMetadata only (not the actual secrets)
Terminal window
# Default backup to configured path
~/.sanctum/sanctum-backup.sh


# Backup to a specific location
~/.sanctum/sanctum-backup.sh --destination /Volumes/External/sanctum-backup

Backups are timestamped and stored as compressed archives:

~/.sanctum/backups/sanctum-backup-2026-03-19T120000.tar.gz

sanctum-restore.sh

Section titled “sanctum-restore.sh”

Restore a Sanctum instance from a backup archive.

Terminal window
~/.sanctum/sanctum-restore.sh <backup_file>
ArgumentDescription
backup_filePath to a .tar.gz backup archive
Terminal window
~/.sanctum/sanctum-restore.sh ~/.sanctum/backups/sanctum-backup-2026-03-19T120000.tar.gz

Restore Process

Section titled “Restore Process”
  1. Validates the backup archive integrity
  2. Extracts to a temporary directory for review
  3. Shows a diff of what would change
  4. Prompts for confirmation before overwriting
  5. Restores configuration files
  6. Re-runs generate-plists.sh to regenerate LaunchAgents
  7. Optionally restarts affected services

Quick Reference

Section titled “Quick Reference”
CommandPurpose
openclaw gateway startStart the Mac gateway
openclaw gateway stopStop the Mac gateway
openclaw agent --agent main --message "..."Send a message to an agent
~/.sanctum/generate-plists.shRegenerate all LaunchAgent plists
~/.sanctum/generate-plists.sh --dry-runPreview plist generation
~/.sanctum/run-all.shRun the full test suite
~/.sanctum/watchdog.shRun the health watchdog manually
~/.sanctum/sanctum-backup.shCreate a configuration backup
~/.sanctum/sanctum-restore.sh <file>Restore from a backup
launchctl bootstrap gui/$(id -u) <plist>Load a LaunchAgent
launchctl bootout gui/$(id -u) <plist>Unload a LaunchAgent
launchctl print gui/$(id -u)/<label>Check agent status
systemctl --user restart openclaw-gatewayRestart VM gateway