CLI
Framework-agnostic CLI for non-Next.js projects. Run it in your CI to push deps and signal deployments.
When to use
Use the CLI when you cannot use the Next.js plugin. Typical cases:
- Static export deployed to Firebase Hosting via GitLab CI.
- Vite, Astro, Remix, or any non-Next stack you build in CI.
- A monorepo where part of the app does not wrap a next.config.

The Next.js plugin (@withpanache/nextjs) remains the recommended path when you have a Next.js app: it wires CSP reporting at runtime and pushes the deps manifest automatically during next build.
Installation
Add the CLI as a dev dependency, or invoke it ad-hoc via npx:
```bash
npm install --save-dev @withpanache/cli
# or
pnpm add -D @withpanache/cli
# Ad-hoc, no install:
npx @withpanache/cli ingest deps
```

withpanache ingest deps
Detect the lockfile (npm, pnpm, yarn classic, yarn berry), parse production dependencies, and push the manifest to Panache. Equivalent of what the Next.js plugin does at build time. Git context (SHA, branch, preview URL) is detected automatically from CI environment variables: GITHUB_*, CI_COMMIT_*, VERCEL_*, CF_PAGES_*, DEPLOY_URL. Override any field with the matching --flag.
```bash
# In .gitlab-ci.yml (or any CI), after install:
export PANACHE_SITE_TOKEN=pnch_xxxxxxxx
npx @withpanache/cli ingest deps
# Explicit overrides:
withpanache ingest deps --branch main --git-sha $CI_COMMIT_SHA
```

withpanache csp inject <file>
Inject the Panache CSP reporting directives (report-uri + report-to) into a config file. Supported formats: firebase.json (auto-detected by filename) and raw CSP files. Dry-run by default: the diff is printed to stderr. Pass --write to apply. Use --learning-mode to switch from the enforcing header to Content-Security-Policy-Report-Only. Re-running with --write updates an existing entry in place, without creating a duplicate. The CSP token (pncsp_<32hex>) is generated in the dashboard under Settings > CSP and is non-secret; it scopes reports to your site.
```bash
export PANACHE_CSP_TOKEN=pncsp_xxxxxxxx
withpanache csp inject firebase.json --write
# Learning mode (Report-Only header, violations are not blocked):
withpanache csp inject firebase.json --write --learning-mode
# Raw CSP file (no header key, just the directive value):
withpanache csp inject csp.txt --format raw --write
```

withpanache deploy
Signal a deployment so Panache re-runs the HTTP checks against the live URL. Use this in CI flows where there is no preview URL per branch (e.g. Firebase Hosting static export). Requires a workflow configured for the site with triggerProvider=api. Otherwise the call is a no-op and the CLI prints a hint.
```bash
export PANACHE_SITE_TOKEN=pnch_xxxxxxxx
withpanache deploy --url https://my-site.web.app
```

JSON output
Pass --json to emit a single-line JSON object on stdout (logs go to stderr). Useful for scripting.
```console
$ withpanache ingest deps --json
{"ok":true,"command":"ingest deps","status":200,"packages":487,"branch":"main"}
# On failure:
$ withpanache deploy --json
{"ok":false,"error":"missing site token (set PANACHE_SITE_TOKEN or pass --token)"}
```

Environment variables
All flags can be supplied via env vars to keep tokens out of `ps aux` and CI logs. Recommended over --token.
| Variable | Purpose |
|---|---|
| PANACHE_SITE_TOKEN | Bearer token for `ingest deps` and `deploy`. |
| PANACHE_CSP_TOKEN | CSP token (`pncsp_<32hex>`) for `csp inject`. |
| PANACHE_API_URL | Override the ingest API URL. Default: `https://withpanache.dev`. |
| PANACHE_CSP_ENDPOINT | Override the CSP report endpoint. Default: `https://csp.withpanache.dev`. |
| PANACHE_CSP_LEARNING_MODE | `1`/`true`/`yes` enables Report-Only mode. |
| PANACHE_DEFAULT_BRANCH | Default branch name. Default: `main`. |
Exit codes
The CLI uses distinct exit codes so CI scripts can react appropriately:
| Exit | Meaning |
|---|---|
| 0 | Success. |
| 1 | User error (missing token, malformed flag, ambiguous file format). |
| 2 | Push failure (non-2xx HTTP response from the Panache API). |
| 3 | File error (unreadable input, write failure, empty CSP). |
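
The exit codes and `--json` output above can drive a CI step as in the following added example, which is not part of the Panache documentation or code. The `run_panache` function, the retry-on-exit-2 policy and the `PANACHE_MAX_TRIES` / `PANACHE_RETRY_DELAY` variables are assumptions of this wrapper, which also rejects `--token` on the command line so the token stays in the environment.

```sh
# Added example, not Panache's own script. Retrying on exit 2 and the
# PANACHE_MAX_TRIES / PANACHE_RETRY_DELAY knobs are assumptions of this wrapper.
PANACHE_MAX_TRIES=${PANACHE_MAX_TRIES:-3}
PANACHE_RETRY_DELAY=${PANACHE_RETRY_DELAY:-5}

# run_panache CMD [ARGS...]
# Runs "CMD ARGS --json", stores the JSON line in $PANACHE_JSON and returns
# the CLI's exit code (0 success, 1 user error, 2 push failure, 3 file error).
run_panache() {
  for arg in "$@"; do
    case $arg in
      --token|--token=*)
        # Arguments are visible in `ps aux` and in echoed CI commands.
        echo "refusing --token on the command line; use PANACHE_SITE_TOKEN" >&2
        return 1 ;;
    esac
  done
  try=1
  while :; do
    # stdout is the single JSON object; stderr (logs) goes straight to the CI log.
    # The "&& ... ||" form keeps a failing call from aborting a `set -e` script.
    PANACHE_JSON=$("$@" --json) && rc=0 || rc=$?
    case $rc in
      0) return 0 ;;
      2) # Non-2xx from the API: treated here as transient, so retry.
         if [ "$try" -ge "$PANACHE_MAX_TRIES" ]; then
           echo "push failed after $try attempts: $PANACHE_JSON" >&2
           return 2
         fi
         try=$((try + 1))
         sleep "$PANACHE_RETRY_DELAY" ;;
      1) echo "user error, fix the job configuration: $PANACHE_JSON" >&2
         return 1 ;;
      3) echo "file error, check the input path and permissions: $PANACHE_JSON" >&2
         return 3 ;;
      *) echo "unexpected exit code $rc" >&2
         return "$rc" ;;
    esac
  done
}

# CI usage (requires the real CLI and PANACHE_SITE_TOKEN in the environment):
#   run_panache npx @withpanache/cli ingest deps || exit $?
```
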
Need help?
If you have questions about the CLI or need assistance, reach out at hello@withpanache.dev