serve. They are not CLI
commands.
Synopsis
groundhog --help or groundhog <COMMAND> --help for the help embedded in a particular
build.
Behavior shared by all commands
Configuration
--config <PATH> is global, may appear before or after the command, and defaults to
./groundhog.toml. Every command except init loads and validates it before opening
deployment state. Relative paths inside the file resolve against the file’s directory.
init accepts the option because it is global but ignores it; initialization always writes
<DIR>/groundhog.toml.
Unknown configuration keys, missing files, and invalid limits are usage errors. The binary
supports security mode open. Commands that extend or attest history support anchor mode none;
they refuse stronger configured guarantees rather than silently weakening them.
See Configuration.
Ownership and concurrency
The log has exactly one writer.
serve and seal never bypass that lock. Warehouse publishers
coordinate separately and replace only complete generations.
Output and exit status
Human lifecycle output and diagnostics go to standard error and are not stable parsing interfaces. Lifecycle commands produce no machine-readable standard output.verify produces
one JSON document on standard output when it succeeds or conclusively finds a violation.
init
DIR defaults to the current directory.
Initialization creates an empty log, an empty query warehouse, and generated configuration:
groundhog.toml is published last as the deployment commit point. An exact retry validates the
existing deployment and succeeds without rewriting it. A different configuration, a non-empty
log without committed configuration, a conflicting warehouse, unexpected entries in the owned
data directory, symlinks, or special files are refused rather than overwritten.
Standard output is empty. Standard error reports initialized <DIR> or
already initialized <DIR>.
serve
If
[server].token is non-empty, every request requires Authorization: Bearer <token>.
The process prints serving <socket-path> immediately before entering socket binding and the
HTTP runtime. That line is not a readiness protocol; supervisors should wait for a successful
routed request. A live or unclassifiable existing socket is left untouched. Only a socket proven
stale is removed and rebound.
Replay sees committed log events immediately. Query and catalog see the last successful
project or rebuild. A running service adopts a newly published complete warehouse between
requests without restarting.
SIGINT or SIGTERM starts graceful shutdown. New work stops being admitted, queued mutations
reach their real storage outcome, and then writer ownership is released. If a client loses an
ingest response, it resolves the outcome by retrying identical content with the same batch ID.
seal
seal needs writer ownership, so stop serve first. It does not refresh the warehouse.
For each new segment, standard error reports:
project
events, meta.streams, and meta.projection_state. Publication currently performs a full
recompute.
Publication is atomic, so failure never displaces the last good generation. The command reads the
log without owning its writer and may run while serve is active. Events appended after snapshot
capture wait for the next publication.
Standard output is empty. Standard error reports projected <warehouse-path>.
rebuild
project and rebuild currently both perform a full publication. Their intent differs: project
advances normal query freshness, while rebuild explicitly treats the warehouse as disposable.
rebuild may run while serve is active. Given the same log frontier and compatible build,
repeated rebuilds produce the same logical relations and receipt; byte-identical DuckDB files are
not promised.
Standard output is empty. Standard error reports rebuilt <warehouse-path>.
verify
--chain additionally recomputes every payload content hash, event hash, and the logical history
chain from genesis. It is more expensive because it reads and hashes all event content.
On exit 0 or exit 3, standard output contains exactly one JSON report:
orphans are recognized non-authoritative files. remnants are excluded incomplete final state
that a compatible writer recovery may repair. Either list can be non-empty while verification
succeeds.
On exit 3, failure contains one stable code:
verify --clean is not available;
reported files are not permission for ad hoc deletion.
Unavailable commands
The binary does not accept CLIimport, query, catalog, erase-payload, export-key, or
verify --clean. Use the running HTTP API for ingest, replay, query, and catalog.