Editor's Note
pp-pangolin
The first agent-native CLI for Pangolin — every endpoint, plus offline SQLite, cross-org audits Trigger phrases: `expose service through pangolin`, `back up pangolin config`, `audit pangolin access`, `which pangolin certs expire`, `list pangolin resources`, `use pangolin`, `run pangolin`.
Install
npx skills add https://github.com/mvanhorn/printing-press-library --skill pp-pangolinPangolin — Printing Press CLI
Prerequisites: Install the CLI
This skill drives the pangolin-pp-cli binary. You must verify the CLI is installed before invoking any command from this skill. If it is missing, install it first:
- Install via the Printing Press installer:
npx -y @mvanhorn/printing-press-library install pangolin --cli-only - Verify:
pangolin-pp-cli --version - Ensure
$GOPATH/bin(or$HOME/go/bin) is on$PATH.
If the npx install fails (no Node, offline, etc.), fall back to a direct Go install (requires Go 1.26.3 or newer):
go install github.com/mvanhorn/printing-press-library/library/developer-tools/pangolin/cmd/pangolin-pp-cli@latest
If --version reports "command not found" after install, the install step did not put the binary on $PATH. Do not proceed with skill commands until verification succeeds.
Pangolin is the open-source, self-hosted alternative to Cloudflare Tunnels. This CLI exposes all 157 integration-API endpoints with --json, --select, --csv, and --dry-run, mirrors the full configuration into a local SQLite store, and adds commands that span orgs — audit, cert-watch, access-graph, backup, restore, expose — that no Pangolin tool offers today.
When to Use This CLI
Reach for this CLI whenever the user mentions Pangolin, exposing a homelab service through a tunnel, managing reverse-proxy resources, or auditing who can reach what on a self-hosted edge proxy. The CLI is the right tool for any Pangolin workflow that involves more than a single resource or a single org, or anything an agent should drive programmatically.
Unique Capabilities
These capabilities aren't available in any other tool for this API.
Local state that compounds
-
audit— Find stale targets, orphaned resources, and missing role bindings across every org you administer, in one command.When the user asks 'is anything broken in my Pangolin stack?', this is the single command that answers it — no dashboard tab-clicking.
pangolin-pp-cli audit --json --select issues -
cert-watch— List certificates sorted by days-until-expiry across every org, with a configurable warning window.When the user asks 'what certs expire soon?', skip the dashboard and get an actionable list with one call.
pangolin-pp-cli cert-watch --days 30 --json -
access-graph— Answer 'who can reach what' by joining users, roles, resources, and orgs into one queryable view.When the user asks 'what does $person have access to?' or 'who can hit this resource?', this is the answer.
pangolin-pp-cli access-graph --user $USER_ID --json
Disaster recovery
-
backup— Export the complete Pangolin configuration — orgs, sites, resources, targets, roles, IdPs — as version-controllable JSON.When the user wants a disaster-recovery snapshot or a config diff between dates, this is the artifact.
pangolin-pp-cli backup --out pangolin-backup.json -
restore— Re-apply a backup against a fresh Pangolin install, in the correct dependency order, with dry-run preview.When the user rebuilds a Pangolin host or moves between machines, this is the way back up.
pangolin-pp-cli restore pangolin-backup.json --dry-run
Agent-native plumbing
-
expose— Create site (if needed), create resource, attach target, bind a role — in one command, with dry-run preview.When the user (or an agent) wants to expose a homelab service, this is the entire workflow in one line.
pangolin-pp-cli expose grafana --target 192.168.1.50:3000 --site site_42 --role admins --dry-run -
doctor— Validate auth, probe both /v1 and /api/v1 mount paths, and report the working integration-API base URL with environment-variable guidance.When the user sets up the CLI for the first time, this catches the single most common misconfiguration before any other command fails.
pangolin-pp-cli doctor
Command Reference
access-token — Manage access token
pangolin-pp-cli access-token <accessTokenId>— Delete a access token.
certificate — Manage certificate
pangolin-pp-cli certificate <certId> <orgId>— Restart a certificate by ID.
client — Manage client
pangolin-pp-cli client create— Update a client by its client ID.pangolin-pp-cli client delete— Delete a client by its client ID.pangolin-pp-cli client get— Get a client by its client ID.
domain — Manage domain
pangolin-pp-cli domain— Check if a domain namespace is available based on subdomain
domains — Manage domains
pangolin-pp-cli domains— List all domain namespaces in the system
idp — Manage idp
pangolin-pp-cli idp delete— Delete IDP.pangolin-pp-cli idp get— Get an IDP by its IDP ID.pangolin-pp-cli idp list— List all IDP in the system.pangolin-pp-cli idp update— Create an OIDC IdP.
maintenance — Manage maintenance
pangolin-pp-cli maintenance— Get maintenance information for a resource by domain.
openapi-json — Manage openapi json
pangolin-pp-cli openapi-json— Get OpenAPI specification as JSON
openapi-yaml — Manage openapi yaml
pangolin-pp-cli openapi-yaml— Get OpenAPI specification as YAML
org — Manage org
pangolin-pp-cli org create— Update an organizationpangolin-pp-cli org delete— Delete an organizationpangolin-pp-cli org get— Get an organizationpangolin-pp-cli org update— Create a new organization
orgs — Manage orgs
pangolin-pp-cli orgs— List all organizations in the system.
resource — Manage resource
pangolin-pp-cli resource create— Update a resource.pangolin-pp-cli resource delete— Delete a resource.pangolin-pp-cli resource get— Get a resource by resourceId.
role — Manage role
pangolin-pp-cli role create— Update a role.pangolin-pp-cli role delete— Delete a role.pangolin-pp-cli role get— Get a role.
site — Manage site
pangolin-pp-cli site create— Update a site.pangolin-pp-cli site delete— Delete a site and all its associated data.pangolin-pp-cli site get— Get a site by siteId.
site-resource — Manage site resource
pangolin-pp-cli site-resource create— Update a site resource.pangolin-pp-cli site-resource delete— Delete a site resource.pangolin-pp-cli site-resource get— Get a specific site resource by siteResourceId.
target — Manage target
pangolin-pp-cli target create— Update a target.pangolin-pp-cli target delete— Delete a target.pangolin-pp-cli target get— Get a target.
user — Manage user
pangolin-pp-cli user <userId>— Get a user by ID.
users — Manage users
pangolin-pp-cli users— List non–server-admin users (server admin).
Finding the right command
When you know what you want to do but not which command does it, ask the CLI directly:
pangolin-pp-cli which "<capability in your own words>"
which resolves a natural-language capability query to the best matching command from this CLI's curated feature index. Exit code 0 means at least one match; exit code 2 means no confident match — fall back to --help or use a narrower query.
Recipes
Expose a homelab service in one command
pangolin-pp-cli expose grafana --target 192.168.1.50:3000 --role admins --dry-run
Previews the full create-site-resource-target-role chain; drop --dry-run to apply.
Find expiring certs across every org
pangolin-pp-cli cert-watch --days 30 --json --select domain,daysUntilExpiry
Returns a compact JSON array of certs expiring within 30 days. Pair with --select to shrink the agent's context cost.
Audit access for a specific user
pangolin-pp-cli access-graph --user $USER_ID --json --select resource,org,role
Joins users x roles x resources x orgs into a single answer for 'what can this person reach?'.
Disaster-recovery backup
pangolin-pp-cli backup --out backups/pangolin-$(date +%F).json
Snapshots the entire Pangolin configuration as JSON; commit to git for diffable history.
Search resources by partial name
pangolin-pp-cli search 'grafana' --json --select id,name,fullDomain
FTS over the local store finds resources without paginating the live API.
Auth Setup
Authentication is a single Bearer integration token. Set PANGOLIN_TOKEN in your environment; the base URL is typically https://<your-dashboard>/api/v1 (note: the OpenAPI spec advertises /v1 but real EE deployments mount the API under /api/v1). Set PANGOLIN_BASE_URL accordingly and run pangolin-pp-cli doctor to confirm.
Run pangolin-pp-cli doctor to verify setup.
Agent Mode
Add --agent to any command. Expands to: --json --compact --no-input --no-color --yes.
-
Pipeable — JSON on stdout, errors on stderr
-
Filterable —
--selectkeeps a subset of fields. Dotted paths descend into nested structures; arrays traverse element-wise. Critical for keeping context small on verbose APIs:pangolin-pp-cli client get mock-value --agent --select id,name,status -
Previewable —
--dry-runshows the request without sending -
Offline-friendly — sync/search commands can use the local SQLite store when available
-
Non-interactive — never prompts, every input is a flag
-
Explicit retries — use
--idempotentonly when an already-existing create should count as success, and--ignore-missingonly when a missing delete target should count as success
Response envelope
Commands that read from the local store or the API wrap output in a provenance envelope:
{
"meta": {"source": "live" | "local", "synced_at": "...", "reason": "..."},
"results": <data>
}
Parse .results for data and .meta.source to know whether it's live or local. A human-readable N results (live) summary is printed to stderr only when stdout is a terminal AND no machine-format flag (--json, --csv, --compact, --quiet, --plain, --select) is set — piped/agent consumers and explicit-format runs get pure JSON on stdout.
Agent Feedback
When you (or the agent) notice something off about this CLI, record it:
pangolin-pp-cli feedback "the --since flag is inclusive but docs say exclusive"
pangolin-pp-cli feedback --stdin < notes.txt
pangolin-pp-cli feedback list --json --limit 10
Entries are stored locally at ~/.pangolin-pp-cli/feedback.jsonl. They are never POSTed unless PANGOLIN_FEEDBACK_ENDPOINT is set AND either --send is passed or PANGOLIN_FEEDBACK_AUTO_SEND=true. Default behavior is local-only.
Write what surprised you, not a bug report. Short, specific, one line: that is the part that compounds.
Output Delivery
Every command accepts --deliver <sink>. The output goes to the named sink in addition to (or instead of) stdout, so agents can route command results without hand-piping. Three sinks are supported:
| Sink | Effect |
|---|---|
stdout | Default; write to stdout only |
file:<path> | Atomically write output to <path> (tmp + rename) |
webhook:<url> | POST the output body to the URL (application/json or application/x-ndjson when --compact) |
Unknown schemes are refused with a structured error naming the supported set. Webhook failures return non-zero and log the URL + HTTP status on stderr.
Named Profiles
A profile is a saved set of flag values, reused across invocations. Use it when a scheduled agent calls the same command every run with the same configuration - HeyGen's "Beacon" pattern.
pangolin-pp-cli profile save briefing --json
pangolin-pp-cli --profile briefing client get mock-value
pangolin-pp-cli profile list --json
pangolin-pp-cli profile show briefing
pangolin-pp-cli profile delete briefing --yes
Explicit flags always win over profile values; profile values win over defaults. agent-context lists all available profiles under available_profiles so introspecting agents discover them at runtime.
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 2 | Usage error (wrong arguments) |
| 3 | Resource not found |
| 4 | Authentication required |
| 5 | API error (upstream issue) |
| 7 | Rate limited (wait and retry) |
| 10 | Config error |
Argument Parsing
Parse $ARGUMENTS:
- Empty,
help, or--help→ showpangolin-pp-cli --helpoutput - Starts with
install→ ends withmcp→ MCP installation; otherwise → see Prerequisites above - Anything else → Direct Use (execute as CLI command with
--agent)
MCP Server Installation
- Install the MCP server:
go install github.com/mvanhorn/printing-press-library/library/developer-tools/pangolin/cmd/pangolin-pp-mcp@latest - Register with Claude Code:
claude mcp add pangolin-pp-mcp -- pangolin-pp-mcp - Verify:
claude mcp list
Direct Use
- Check if installed:
which pangolin-pp-cliIf not found, offer to install (see Prerequisites at the top of this skill). - Match the user query to the best command from the Unique Capabilities and Command Reference above.
- Execute with the
--agentflag:pangolin-pp-cli <command> [subcommand] [args] --agent - If ambiguous, drill into subcommand help:
pangolin-pp-cli <command> --help.