Private preview. fremforge is in private preview — invited customers only. Content is still subject to change.

fremforge CLI

The fremforge CLI is a single-binary wrapper around the public REST API. Same verbs, same authorization model, same scopes. Distributed from EU PoPs only; no npm registry, no Docker Hub, no Sigstore Fulcio dependency.

Install

One-liner (recommended)

curl -sSfL https://cli.frem.sh/cli/install.sh | sh

The installer auto-detects your OS (Linux or macOS) and architecture (arm64 or x86_64), downloads the matching binary from https://cli.frem.sh/cli/, downloads the canonical SHA256SUMS from https://trust.frem.sh/ (a separate host with a separate writer credential, so a compromise of the binary host alone cannot forge a match), verifies the SHA-256, and installs to ~/.local/bin/fremforge or /usr/local/bin/fremforge.

Override the install location with FREMFORGE_INSTALL_DIR:

curl -sSfL https://cli.frem.sh/cli/install.sh | FREMFORGE_INSTALL_DIR=/opt/fremforge/bin sh

Pin a specific version:

curl -sSfL https://cli.frem.sh/cli/install.sh | FREMFORGE_VERSION=0.1.0 sh

Manual download

If you’d rather not pipe a remote script to sh, the binaries are reachable directly. Pick the matching pair:

OS      Arch      URL
macOS   arm64     https://cli.frem.sh/cli/fremforge-darwin-arm64
macOS   x86_64    https://cli.frem.sh/cli/fremforge-darwin-x86_64
Linux   arm64     https://cli.frem.sh/cli/fremforge-linux-arm64
Linux   x86_64    https://cli.frem.sh/cli/fremforge-linux-x86_64

Verify against the canonical hash on trust.frem.sh before running the binary:

# 1. Download the binary (Linux reports arm64 as aarch64; the release files use arm64)
os=$(uname -s | tr A-Z a-z)
arch=$(uname -m | sed 's/^aarch64$/arm64/')
curl -fsSL "https://cli.frem.sh/cli/fremforge-${os}-${arch}" \
  -o fremforge

# 2. Download the canonical SHA256SUMS (separate host, separate credential)
curl -fsSL https://trust.frem.sh/SHA256SUMS -o SHA256SUMS

# 3. Verify (sha256sum matches entries by the file name listed in SHA256SUMS)
sha256sum --check --ignore-missing SHA256SUMS

# 4. Install
chmod +x fremforge
sudo install -m 0755 fremforge /usr/local/bin/fremforge
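
A stricter form of the verify step, as an added example that is not fremforge's installer or code from this page: it looks the digest up by release file name, so it works when the download is saved locally as fremforge, and it fails closed when the entry is missing or duplicated. It assumes SHA256SUMS uses the usual `<hex>  <name>` lines keyed by the release file name (the page does not show the file); `sha256_of` and `verify_sums` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Assumption: SHA256SUMS lines look like "<hex>  <release-file-name>".

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{ print $1 }'
  else
    return 127
  fi
}

# verify_sums FILE ASSET SUMS
# 0 = exactly one entry named ASSET and it matches FILE
# 1 = digest mismatch, 3 = entry missing or duplicated, 4 = unreadable input or no tool
verify_sums() {
  vs_file=$1; vs_asset=$2; vs_sums=$3
  [ -r "$vs_file" ] && [ -r "$vs_sums" ] || return 4
  vs_actual=$(sha256_of "$vs_file") || return 4
  [ -n "$vs_actual" ] || return 4
  # Exact match on the name field; coreutils prefixes binary-mode names with '*'.
  vs_expected=$(awk -v n="$vs_asset" \
    '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1) }' "$vs_sums")
  vs_count=$(printf '%s\n' "$vs_expected" | awk 'NF { c++ } END { print c + 0 }')
  # Zero entries means nothing vouches for the file; two means the list is ambiguous.
  [ "$vs_count" -eq 1 ] || return 3
  [ "$vs_actual" = "$vs_expected" ] || return 1
  return 0
}

# Constructed demo: a stand-in file and a SHA256SUMS that lists it by release file name.
demo_dir=$(mktemp -d)
printf 'constructed stand-in, not a real release\n' > "$demo_dir/fremforge"
printf '%s  fremforge-linux-x86_64\n' "$(sha256_of "$demo_dir/fremforge")" \
  > "$demo_dir/SHA256SUMS"
verify_sums "$demo_dir/fremforge" fremforge-linux-x86_64 "$demo_dir/SHA256SUMS" \
  && echo "digest verified: continue to chmod and install"
```

In the manual flow above, call it as `verify_sums fremforge "fremforge-${os}-${arch}" SHA256SUMS` and stop before the install step on any non-zero status.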

Verify the Ed25519 signature (optional, recommended)

Beyond the SHA-256 match, each release is signed as a DSSE-wrapped in-toto Statement under the same trust root as fremforge SLSA build provenance. The verifier downloads the public trust root from www.frem.sh/.well-known/slsa-trust-root.json and checks the Ed25519 signature on the SHA256SUMS bytes.

# Pull the trust root and the signed envelope
curl -fsSL https://www.frem.sh/.well-known/slsa-trust-root.json -o slsa-trust-root.json
curl -fsSL https://trust.frem.sh/SHA256SUMS.intoto.jsonl -o SHA256SUMS.intoto.jsonl

# Verify using slsa-verifier
slsa-verifier verify-artifact fremforge \
  --provenance-path SHA256SUMS.intoto.jsonl \
  --source-uri https://frem.sh/fremforge/monolith \
  --builder-id https://frem.sh/runner-controller/v1 \
  --trusted-root slsa-trust-root.json

The trust root is the same one used for SLSA-L2 build provenance on artifacts your runner produces: same Ed25519 key, same builderId, same verification recipe.

Authentication

The CLI reads FREMFORGE_TOKEN from the environment, or accepts --token=… on every command. Generate a personal access token (PAT) at https://frem.sh/-/user/settings/applications with the scopes you need.

export FREMFORGE_TOKEN='<your PAT>'
fremforge whoami

Override the base URL with FREMFORGE_URL= (must be HTTPS); default is https://frem.sh.

Commands

fremforge whoami                                  Print the user the token authenticates as.
fremforge data-export start <slug>                Queue a full data export for the org.
fremforge data-export list <slug>                 List recent export jobs.
fremforge dependency-updates enable <slug>        Enable hosted Renovate for the org.
fremforge dependency-updates disable <slug>       Disable hosted Renovate for the org.
fremforge dependency-updates run-now <slug>       Trigger an out-of-cycle Renovate run (1/h cap).
fremforge audit-log <slug>                        Fetch the org audit-log slice.
                  [--since=DATE] [--actor=…] [--action=…] [--limit=N]
fremforge audit-verify <slug> [--human]           Walk the per-tenant audit hash chain + WORM
                                                  anchor; report integrity.
                                                  Exit 0=ok, 2=partial, 3=broken, 4=anchor_mismatch.
fremforge sbom <owner>/<repo> <tag>               Download a release SBOM.
                  [--format=spdx|cyclonedx]

Run fremforge --help for the canonical reference, or pass --human on any command that supports it for table-formatted output.

Worked examples

Audit-chain integrity (use in CI)

export FREMFORGE_TOKEN='<your PAT, audit:read scope>'

# Human-readable, for terminals
fremforge audit-verify acme --human

# Script-friendly: exit code reflects integrity_status
#   0 = ok, 2 = partial, 3 = broken, 4 = anchor_mismatch
fremforge audit-verify acme || {
  echo "integrity check failed with exit code $?"
  exit 1
}

See audit chain integrity for the full guarantee.

Self-service data export

# Kick off
fremforge data-export start acme | jq .

# Poll
fremforge data-export list acme | jq '.[] | {id, status, created_at}'

See data export for the artifact format, retention, and signed-URL download flow.

Dependency updates (hosted Renovate)

fremforge dependency-updates enable acme
fremforge dependency-updates run-now acme   # 1/h rate-limit applies

See dependency updates for what gets enrolled and how to scope it per-repo.

SBOM download

fremforge sbom acme/api v1.4.0 --format=spdx > sbom.spdx.json
fremforge sbom acme/api v1.4.0 --format=cyclonedx > sbom.cyclonedx.json

Audit log slice

fremforge audit-log acme --since=2026-05-01 --action=push-protection-override | jq .

Output format

By default every command emits JSON to stdout, script-friendly and pipe-friendly. Pass --human on the commands that support it (currently audit-verify) for a formatted summary.

Updating the CLI

The one-liner installer is idempotent: running it again pulls the latest binary, re-verifies the checksum, and overwrites the old binary in place:

curl -sSfL https://cli.frem.sh/cli/install.sh | sh

Sovereignty notes

The CLI distribution path is fully EU-sovereign:

  • Binaries: T Cloud OBS (eu-de, Magdeburg / Biere, Germany), behind a Bunny pull-zone restricted to EU PoPs only.
  • SHA256SUMS + DSSE envelope: A separate T Cloud OBS bucket (trust.frem.sh) with a separate writer credential. Splitting the binary host from the integrity host means compromising one cannot forge a match against the other.
  • Trust root: Static JSON file served from www.frem.sh (same Bunny EU-only routing).
  • No npm registry dependency: registry.npmjs.com runs in US AWS; the CLI never touches it on install or on use.
  • No Docker Hub dependency: same reason.
  • No Sigstore Fulcio / Rekor: Sigstore’s transparency log is US-hosted. fremforge runs its own Ed25519 signer + a static trust root rather than depending on Fulcio.

Sub-processors involved on the install path are listed in the public sub-processor register and are the same ones already covering customer Personal Data per the DPA Annex B.

Source

CLI source: fremforge/monolith/packages/cli (TypeScript, Node-only fetch, no runtime npm deps).