Runta CLI Skill
Create a runta-cli/SKILL.md file with this content.
---name: runta-clidescription: Operate Runta cloud runtimes with the runta command-line interface. Use when Codex needs to create, list, inspect, resize, pause, resume, stop, boot, or delete runtimes; execute commands; copy files; create or restore checkpoints; configure egress allowlists or denylists; or manage tenant secrets and runtime secret stubs from a terminal.---
# Runta CLI
## Operating Rules
Use the CLI for terminal-first Runta work. Prefer exact commands the user can run, and verify uncommon flags with `runta <command> --help` if the installed CLI may differ from these docs.
Keep `RUNTA_TOKEN` out of source control and logs. Configure it in the shell where commands run:
```bashexport RUNTA_TOKEN=rt...```
Treat `runta rm`, `runta checkpoint rm`, `runta secret delete`, and `runta secret rule delete` as destructive. Ask before running them unless the user explicitly requested that deletion.
## Install
Linux:
```bashnpm install -g @runta/runta-clirunta --help```
macOS Apple silicon:
```bashbrew install runta-dev/tap/runtarunta --help```
The npm CLI package targets Linux x64 and Linux arm64. If npm cannot resolve its native optional dependency, use the CLI artifact from the Runta account or release channel.
## Runtimes
Create a runtime with explicit resources:
```bashrunta run --name demo --cpus 2 --memory 2048runta run --name demo --cpus 2 --memory 2048 --publish 8080/httpsrunta run --name demo --cpus 1 --memory 512 --publish 8080/https --idle-timeout 300```
Use these lifecycle commands:
```bashrunta ps -arunta inspect demorunta resize --memory 4096 demorunta boot demorunta pause demorunta resume demorunta shutdown demorunta rm demo```
`runta run` requires `--cpus <vcpus>` and `--memory <memory_mib>`. `--publish` is repeatable and uses `<port>/http` or `<port>/https`. `--idle-timeout` suspends the runtime after the given idle seconds.
## Command Execution
Use `runta exec` for commands inside a runtime:
```bashrunta exec demo -- sh -lc 'pwd && python3 --version'runta exec demo -- sh -lc 'echo hello from $(hostname)'runta exec -it demo bash```
Use `--` before shell commands when there is any chance command arguments could be parsed as CLI options. Use `-i`, `--interactive`, `-t`, or `--tty` for interactive sessions; `-it` is valid shorthand.
## Files
Remote paths use `<runtime_name>:<path>`.
```bashecho "hello from local" > local-file.txtrunta cp local-file.txt demo:/tmp/local-file.txt
runta exec demo -- sh -lc 'mkdir -p /tmp/results && echo "hello from runtime" > /tmp/results/result.txt'runta cp demo:/tmp/results ./results```
## Checkpoints
A checkpoint captures runtime state, writable filesystem changes, and restore metadata.
```bashrunta checkpoint create demo demo-checkpointrunta checkpoint restore demo-checkpoint restored-demorunta checkpoint restore demo-checkpoint restored-demo --publish 8080/httpsrunta checkpoint lsrunta checkpoint ls --allrunta checkpoint rm demo-checkpoint```
`runta checkpoint list` is an alias for `runta checkpoint ls`. `--all` includes system-managed idle checkpoints.
## Egress
Egress modes are `denylist` and `allowlist`. Host values are hostnames or wildcard host patterns, not URLs. Do not include protocol, path, port, or query string.
```bashrunta egress listrunta egress describe demorunta egress set demo --mode allowlist --allow pypi.org '*.pythonhosted.org' api.openai.comrunta egress set demo --mode denylist --deny example.comrunta egress set demo --mode denylist```
`denylist` with no denied hosts is the default open policy. Use `allowlist` when a runtime should reach only explicitly named hosts.
For batch policy files, use a top-level `policies` list and omit `<runtime_name>`:
```yamlpolicies: - runtime: demo mode: allowlist allow: - pypi.org - "*.pythonhosted.org" - runtime: crawler mode: denylist deny: - example.com```
```bashrunta egress set -f policy.yaml```
## Secrets
Store tenant secret values without exposing them on the command line when possible:
```bashexport OPENAI_API_KEY=sk...runta secret set openai-api-key --value-env OPENAI_API_KEY --cache-ttl-secs 300runta secret set github-token --value-stdinrunta secret set manual-secret --promptrunta secret listrunta secret describe openai-api-keyrunta secret delete openai-api-key```
Create runtime-scoped secret stubs to inject headers into matching outbound requests:
```bashrunta secret rule set demo \ --host api.openai.com \ --path /v1/* \ --secret openai-api-key \ --header Authorization \ --template 'Bearer ${credential}'
runta secret rule list --runtime demorunta secret rule describe <stub_id>runta secret rule delete <stub_id>```
For stub files, use a top-level `rules` list and omit `<runtime_name>`:
```yamlrules: - runtime: demo host: api.openai.com path: /v1/* secret: openai-api-key header: Authorization template: Bearer ${credential}```
```bashrunta secret rule set -f rules.yaml```
## Troubleshooting
If the CLI reports a missing token, set `RUNTA_TOKEN` in the same shell. For HTTP 401 or rejected token errors, check whether the token is missing, expired, or copied incorrectly. For runtime readiness errors, retry the operation after inspecting runtime state with `runta inspect <runtime_name>`.