jcli
cli.johlem.net suite manager — install / remove / list / run / update
v1.5.0Quick Start
Install jcli (one-liner)
curl -fsSL https://cli.johlem.net/tools/jcli/install.sh | bashThis drops a single Rust binary at ~/.local/bin/jcli and verifies its
SHA-256 (and Ed25519 signature, if signify is installed).
Manage the rest of the suite through jcli
jcli list # all available tools
jcli list --role blue # filter by daily-use role (red / blue / dual)
jcli list --tag forensics # filter by tag (siem, phishing, recon, …)
jcli install urlrecon phishprobe # install one or more
jcli info urlrecon # details + status
jcli run urlrecon -- --help # exec an installed tool through jcli
jcli update --all # keep everything current
jcli doctor # environment health check
jcli rollback urlrecon # restore the previous .bakInvestigation playbooks
jcli playbook # list the 6 canonical playbooks
jcli playbook incident-response # show the step list with per-step rationale
jcli playbook phishing-triage # phishprobe → urlrecon → socq, scored
jcli playbook external-recon # urlrecon → darkrecon → webharvest → …Uninstall
rm ~/.local/bin/jcli ~/.local/bin/jcli.bak 2>/dev/null
rm -rf ~/.jcli/ # registry (chmod 600)What it does
jcli is the suite manager for cli.johlem.net's Rust tooling line. It does for
the security toolkit what cargo does for Rust crates or rustup
does for Rust toolchains: one command-line to install, update, list, and run every
sister tool in the suite.
- Catalogue-driven. jcli reads
cli.johlem.net/catalogue.jsonto know what's available. Adding a new tool to the suite means adding one entry server-side — no client update. - Signed releases. Every binary jcli installs is SHA-256 verified and,
if
signifyis available, Ed25519-signature verified againstjohlem-release.pubbefore being placed on disk. - Atomic install with backup. Every install / update moves the previous
binary to
<tool>.bakbefore placing the new one.jcli rollback <tool>restores it. - Local registry. What jcli installed (with version + source + install
timestamp) lives at
~/.jcli/installed.toml— chmod 600 because it can leak your monitored host list otherwise. - Pipe-clean JSON.
jcli list --output jsonandjcli info <tool> --output jsonproduce stable JSON for scripting.
Subcommands
| Command | Status | What it does |
|---|---|---|
install <tool> --from <PATH> | working | Install from a local binary path (foundation flow) |
install <tool> | stub | Network install — lands with signed manifest infrastructure |
remove <tool> | working | Uninstall (binary moved to .bak for rollback) |
rollback <tool> | working | Restore the most recent .bak |
list [--installed | --available] | working | Show catalogue with install status |
list --role <red|blue|dual> | working | Filter the catalogue by daily-use role annotation |
list --tag <tag> | working | Filter the catalogue by tag (siem, phishing, recon, forensics, …) |
info <tool> | working | Tool details + install status |
playbook | working | List the 6 canonical investigation / engagement playbooks |
playbook <slug> | working | Render the ordered tool sequence + per-step "why" for one playbook |
run <tool> -- <args> | working | Exec the installed tool with passthrough args |
doctor | working | Environment health check (PATH, signify, sha256sum, install-dir) |
update [--all] | stub | Network update — lands with signed manifests |
self-update | stub | Same — uses the same manifest infrastructure |
Playbooks
Each playbook is an ordered list of tools — one tool per step — with a one-line
"why this step" annotation. They mirror socq's pack idea but at the suite
level: a quick map from a real scenario (incident, hunt, engagement) to the tools
that move it forward.
| Slug | Title | Tool chain |
|---|---|---|
incident-response | Incident Response (initial walkthrough) | specter → logtimeline → socq → urlrecon → phishprobe → credsweep |
threat-hunt | Proactive Threat Hunt | socq → phishprobe → avwatch → urlrecon → hostwatch |
external-recon | External Recon (red team / OSINT) | urlrecon → darkrecon → webharvest → skyrecon → lexharvest |
pentest-internal | Internal Pentest (post-foothold) | pentree → vlanrecon → wifiaudit → cidrcalc → payloadforge → hashcrackref → lexharvest → stegcrypt |
phishing-triage | Phishing Triage (BEC + URL) | phishprobe (triage/ioc/score/takedown) → urlrecon → socq |
secrets-audit | Secrets Audit (CI + repo hygiene) | credsweep (scan/patterns/install-hook) → b64chain |
Roles & tags
The suite ships as one set of binaries, but daily-use mental models split into three
roles. jcli list --role and --tag filter the catalogue without
a server round-trip — the annotations are baked into the binary.
| Role | Tools |
|---|---|
red | darkrecon, hashcrackref, lexharvest, payloadforge, pentree, skyrecon, stegcrypt, webharvest |
blue | avwatch, casper, credsweep, hostwatch, logtimeline, openclaw, phishprobe, socq, specter, ubdem, vlanrecon |
dual | b64chain, cidrcalc, jcli, ohm, regexlab, shard, speedtest-cli, urlrecon, wifiaudit |
On-disk layout
~/.local/bin/<tool> # the static binary itself
~/.local/bin/<tool>.bak # previous version (rollback target)
~/.jcli/installed.toml # registry (chmod 600)
~/.local/share/<tool>/ # per-tool data dir (config, state)Two env vars override the defaults so jcli can be sandboxed for testing or used out of a shared user account:
JCLI_HOME— overrides~/.jcli(registry location)JCLI_INSTALL_DIR— overrides~/.local/bin(install destination)
Security model: jcli writes secrets-adjacent files (the
installed.toml registry can leak your monitored host list) with mode
0o600. It refuses to install a binary whose SHA-256 doesn't match
the manifest. If signify is available, Ed25519 signature verification
is mandatory — a tampered binary is rejected loudly before being placed.
Review every script before piping into bash: install.sh · jcli/install.sh