mcpg cloud (tenant CLI)
mcpg.cloud from a terminal — login, publish configs as managed gateways, inspect instances/operations/logs, manage config versions and custom domains.
mcpg cloud — the tenant CLI
The binary is mcpg-cloud (apps/cloud/cli), reached as
mcpg cloud …. It links none of the control-plane server — just the
shared CLI core.
mcpg cloud login OIDC PKCE sign-in → <state_dir>/credentials.json
--issuer (MCPG_FED_ISSUER) --client-id --no-browser
mcpg cloud logout
mcpg cloud whoami The orgs this login can act on (slugs for --org)
mcpg cloud use Store default --org/--workspace/--env in the context
(no flags: print the context in effect)
mcpg cloud publish <NAME> Config → managed gateway (SSE phase ladder; same NAME
re-publishes in place)
--config <file> --image-tag --replicas --region
--isolation-tier --custom-hostname
mcpg cloud instances Running gateways: endpoint URLs + instance uids
mcpg cloud operations Recent provisioning operations
mcpg cloud delete <NAME|UID> Tear down (UUID-shaped target = uid, else name)
mcpg cloud logs <NAME> Recent gateway logs --follow to stream
mcpg cloud versions <NAME> Published config versions
mcpg cloud diff <NAME> --from <v> --to <v>
mcpg cloud rollback <NAME> --to <v> (deploy params do NOT yet default from the
target version — pass them if the instance deviates)
mcpg cloud domains add|verify|remove <HOSTNAME> | list
DNS-TXT ownership proof for --custom-hostname
Coordinates
Every command's --org/--workspace/--env resolve flag > env
(MCPG_ORG/MCPG_WORKSPACE/MCPG_ENV) > the use context > an error
that teaches all three. After mcpg cloud use --org acme --workspace prod --env eu, commands take just their primary noun:
mcpg cloud publish edge --config gw.yaml
mcpg cloud logs edge --follow
mcpg cloud delete edge
Auth
Bearer id_token from login, attached automatically (with best-effort
refresh); the stored federation license rides along as
x-mcpg-license so the CP resolves your real tenant org on first
contact. Against a loopback CP (auth_mode=none), no login is needed.