<!-- GENERATED FILE — DO NOT EDIT.
This file is a verbatim mirror of library/cloud/render/SKILL.md,
regenerated post-merge by tools/generate-skills/. Hand-edits here are
silently overwritten on the next regen. Edit the library/ source instead.
See AGENTS.md "Generated artifacts: registry.json, cli-skills/". -->
Render — Printing Press CLI
Prerequisites: Install the CLI
This skill drives the
binary.
You must verify the CLI is installed before invoking any command from this skill. If it is missing, install it first:
- Install via the Printing Press installer:
bash
npx -y @mvanhorn/printing-press install render --cli-only
- Verify:
- Ensure (or ) is on .
If the
install fails (no Node, offline, etc.), fall back to a direct Go install (requires Go 1.26.3 or newer):
bash
go install github.com/mvanhorn/printing-press-library/library/cloud/render/cmd/render-pp-cli@latest
If
reports "command not found" after install, the install step did not put the binary on
. Do not proceed with skill commands until verification succeeds.
When to Use This CLI
Use render-pp-cli when you need to reason about your Render footprint as a whole, not one resource at a time. It shines for env-var promotion across environments, blueprint drift checks in CI, monthly cost rollups, preview cleanup, and audit-log forensics. For one-off interactive workflows like
or
, the official CLI is fine — render-pp-cli covers those too but its real value is the analytical commands the dashboard hides.
Unique Capabilities
These capabilities aren't available in any other tool for this API.
Local state that compounds
-
— Compare env vars between any two services, env-groups, or a service vs an env-group, three-way diff style.
Reach for this when promoting config across environments — it's the cheapest way to see what's actually different without click-through.
bash
render-pp-cli env diff srv-staging-api srv-prod-api --json
-
— Copy env vars from a source service or env-group to a target with --only/--exclude/--dry-run.
Use when shipping a known-good staging config to prod without dragging dev-only keys along.
bash
render-pp-cli env promote --from srv-staging-api --to srv-prod-api --exclude DEBUG_TOKEN --dry-run
-
— Compare a checked-in render.yaml against live workspace state and report added/removed/modified entities by name.
Run this in CI to fail builds when someone edits prod through the dashboard instead of the blueprint.
bash
render-pp-cli drift --blueprint render.yaml --json
-
— Sum monthly cost across services, postgres, key-value, redis, and disks; group by project, environment, or owner.
Reach for this on the Friday cost-review or when finance asks 'what would happen if we downsized these three services?'
bash
render-pp-cli cost --group-by project --json
-
— For each service, fetch last --since 7d of CPU and memory; compute p95 utilization; flag services breaching --high or --low thresholds against plan capacity.
Run this before the cost rollup to find quick downsizing wins or services about to throttle.
bash
render-pp-cli rightsize --since 7d --high 80 --low 20 --json
Lifecycle hygiene
-
— List preview services older than --stale-days N; delete in bulk on --confirm.
Use when the monthly bill spikes and you suspect orphaned preview envs.
bash
render-pp-cli preview-cleanup --stale-days 14 --confirm
-
— Find unattached disks, empty env-groups, custom-domains pointing at deleted services, registry credentials referenced by no service, and disk snapshots beyond retention.
Audit cleanup, billing review, and SOC 2 evidence-gathering all start here.
bash
render-pp-cli orphans --json
Agent-native plumbing
-
— For a given env-var key, list every service and env-group that defines it with hash, length, and last-modified timestamp (never raw value).
First call during a credential rotation or a 'who uses this secret' audit.
bash
render-pp-cli env where STRIPE_KEY --json
-
— Merge deploys, events, and audit-logs for one service into one chronological table for a given window.
First command on-call should run during a 2am page after a deploy.
bash
render-pp-cli incident-timeline srv-checkout-api --since 2h --json
-
— FTS5 search across cached audit logs by actor, target, action, and time window.
Use during SOC 2 evidence-gathering or to answer 'who rotated this key last quarter'.
bash
render-pp-cli audit search --actor riley@example.com --target STRIPE_KEY --since 30d --json
-
— Show commit range, env-var changes, image-tag changes, and plan/region/scale changes between two deploys of one service.
First command in a post-deploy regression triage — answers 'what actually changed'.
bash
render-pp-cli deploys diff srv-checkout-api dep-aaa dep-bbb --json
Command Reference
blueprints —
Blueprints allow you to define your resources in a
file and automatically sync changes to your Render services.
The API gives control over how your Blueprints are used to create and manage resources.
render-pp-cli blueprints disconnect
render-pp-cli blueprints list
render-pp-cli blueprints retrieve
render-pp-cli blueprints update
render-pp-cli blueprints validate
cron-jobs — Manage cron jobs
disks —
Disks allow you to attach persistent storage to your services.
- — Attach a persistent disk to a web service, private service, or background worker. The service must be redeployed for...
render-pp-cli disks delete
- — List persistent disks matching the provided filters. If no filters are provided, returns all disks you have...
render-pp-cli disks retrieve
render-pp-cli disks update
env-groups — Manage env groups
render-pp-cli env-groups create
render-pp-cli env-groups delete
render-pp-cli env-groups list
render-pp-cli env-groups retrieve
render-pp-cli env-groups update
environments — Manage environments
render-pp-cli environments create
render-pp-cli environments delete
render-pp-cli environments list
render-pp-cli environments retrieve
render-pp-cli environments update
events — View events for a service, postgres or key value
render-pp-cli events <eventId>
key-value —
Key Value allows you to interact with your Render Key Value instances.
render-pp-cli key-value create
render-pp-cli key-value delete
render-pp-cli key-value list
render-pp-cli key-value retrieve
render-pp-cli key-value update
logs —
Logs allow you to retrieve logs for your services, Postgres databases, and redis instances.
You can query for logs or subscribe to logs in real-time via a websocket.
render-pp-cli logs delete-owner-stream
render-pp-cli logs delete-resource-stream
render-pp-cli logs get-owner-stream
render-pp-cli logs get-resource-stream
- — List logs matching the provided filters. Logs are paginated by start and end timestamps. There are more logs to...
render-pp-cli logs list-resource-streams
render-pp-cli logs list-values
render-pp-cli logs subscribe
render-pp-cli logs update-owner-stream
render-pp-cli logs update-resource-stream
maintenance — The
endpoints allow you to retrieve the latest maintenance runs for your Render services. You can also reschedule maintenance or trigger it to start immediately.
render-pp-cli maintenance list
render-pp-cli maintenance retrieve
render-pp-cli maintenance update
metrics — The
endpoints allow you to retrieve metrics for your services, Postgres databases, and redis instances.
render-pp-cli metrics get-active-connections
render-pp-cli metrics get-bandwidth
render-pp-cli metrics get-bandwidth-sources
render-pp-cli metrics get-cpu
render-pp-cli metrics get-cpu-limit
render-pp-cli metrics get-cpu-target
render-pp-cli metrics get-disk-capacity
render-pp-cli metrics get-disk-usage
render-pp-cli metrics get-http-latency
render-pp-cli metrics get-http-requests
render-pp-cli metrics get-instance-count
render-pp-cli metrics get-memory
render-pp-cli metrics get-memory-limit
render-pp-cli metrics get-memory-target
render-pp-cli metrics get-replication-lag
render-pp-cli metrics get-task-runs-completed
render-pp-cli metrics get-task-runs-queued
render-pp-cli metrics list-application-filter-values
render-pp-cli metrics list-http-filter-values
render-pp-cli metrics list-path-filter-values
metrics-stream — Manage metrics stream
render-pp-cli metrics-stream delete-owner
render-pp-cli metrics-stream get-owner
render-pp-cli metrics-stream upsert-owner
notification-settings —
Notification Settings allow you to configure which notifications you want to recieve, and
where you will receive them.
render-pp-cli notification-settings list-notification-overrides
render-pp-cli notification-settings patch-owner
render-pp-cli notification-settings patch-service-notification-overrides
render-pp-cli notification-settings retrieve-owner
render-pp-cli notification-settings retrieve-service-notification-overrides
organizations — Manage organizations
owners — Manage owners
render-pp-cli owners list
render-pp-cli owners retrieve
postgres —
Postgres endpoints enable you to interact with your Render Postgres databases.
You can manage databases, exports, recoveries, and failovers.
render-pp-cli postgres create
render-pp-cli postgres delete
render-pp-cli postgres list
render-pp-cli postgres retrieve
render-pp-cli postgres update
projects — Manage projects
render-pp-cli projects create
render-pp-cli projects delete
render-pp-cli projects list
render-pp-cli projects retrieve
render-pp-cli projects update
redis — Manage redis
render-pp-cli redis create
render-pp-cli redis delete
- — List Redis instances matching the provided filters. If no filters are provided, all Redis instances are returned....
render-pp-cli redis retrieve
render-pp-cli redis update
registrycredentials — Manage registrycredentials
render-pp-cli registrycredentials create-registry-credential
render-pp-cli registrycredentials delete-registry-credential
render-pp-cli registrycredentials list-registry-credentials
render-pp-cli registrycredentials retrieve-registry-credential
render-pp-cli registrycredentials update-registry-credential
services —
Services allow you to manage your web services, private services, background workers, cron jobs, and static sites.
render-pp-cli services create
render-pp-cli services delete
render-pp-cli services list
render-pp-cli services retrieve
render-pp-cli services update
task-runs — Manage task runs
render-pp-cli task-runs cancel
render-pp-cli task-runs create-task
render-pp-cli task-runs get
render-pp-cli task-runs list
render-pp-cli task-runs stream-events
tasks — Manage tasks
- — Retrieve the workflow task with the provided ID.
- — List workflow tasks that match the provided filters. If no filters are provided, all task definitions accessible by...
users — The
endpoints allow you to retrieve information about the authenticated user
- — Retrieve the user associated with the provided API key.
webhooks —
Webhooks allows you to manage your Render webhook configuration.
render-pp-cli webhooks create
render-pp-cli webhooks delete
render-pp-cli webhooks list
render-pp-cli webhooks retrieve
render-pp-cli webhooks update
workflows — Manage workflows
render-pp-cli workflows create
render-pp-cli workflows delete
render-pp-cli workflows get
render-pp-cli workflows list
render-pp-cli workflows update
workflowversions — Manage workflowversions
render-pp-cli workflowversions create-workflow-version
render-pp-cli workflowversions get-workflow-version
render-pp-cli workflowversions list-workflow-versions
Finding the right command
When you know what you want to do but not which command does it, ask the CLI directly:
bash
render-pp-cli which "<capability in your own words>"
resolves a natural-language capability query to the best matching command from this CLI's curated feature index. Exit code
means at least one match; exit code
means no confident match — fall back to
or use a narrower query.
Recipes
Promote staging env to prod, exclude debug keys
bash
render-pp-cli env promote --from srv-staging --to srv-prod --exclude DEBUG_TOKEN,SENTRY_DEV_DSN
First diff to see what would change, then promote with the dev-only keys filtered out. Add --apply after review to actually issue the writes.
Find every service that uses a secret before rotating it
bash
render-pp-cli env where STRIPE_KEY --json --select 'service.name,service.id,updatedAt'
Returns service names, IDs, and timestamps for every place STRIPE_KEY is referenced — your rotation checklist.
Friday cost rollup grouped by project
bash
render-pp-cli cost --group-by project --json --select 'project,monthly_usd,resource_count'
Joins cached service/postgres/kv/disk plans against a curated price table; export to CSV for finance.
Detect blueprint drift in CI
bash
render-pp-cli drift --blueprint render.yaml --json --quiet || exit 1
Exits non-zero when the live workspace diverges from the checked-in blueprint; wire it into your CI pipeline.
Incident timeline for a service over the last 2 hours
bash
render-pp-cli incident-timeline srv-checkout-api --since 2h --json --select 'timestamp,kind,actor,summary'
Merges deploys + events + audit-logs into one chronological table — answers 'what changed' during an on-call page.
Auth Setup
Render uses bearer-token auth. Set RENDER_API_KEY (generate one at
https://dashboard.render.com/u/settings#api-keys), or run
render-pp-cli auth set-token <RENDER_API_KEY>
to paste it interactively. Every command sends
Authorization: Bearer <key>
; doctor verifies the key is live.
Agent Mode
Add
to any command. Expands to:
--json --compact --no-input --no-color --yes
.
-
Pipeable — JSON on stdout, errors on stderr
-
Filterable —
keeps a subset of fields. Dotted paths descend into nested structures; arrays traverse element-wise. Critical for keeping context small on verbose APIs:
bash
render-pp-cli blueprints list --agent --select id,name,status
-
Previewable —
shows the request without sending
-
Offline-friendly — sync/search commands can use the local SQLite store when available
-
Non-interactive — never prompts, every input is a flag
-
Explicit retries — use
only when an already-existing create should count as success, and
only when a missing delete target should count as success
Response envelope
Commands that read from the local store or the API wrap output in a provenance envelope:
json
{
"meta": {"source": "live" | "local", "synced_at": "...", "reason": "..."},
"results": <data>
}
Parse
for data and
to know whether it's live or local. A human-readable
summary is printed to stderr only when stdout is a terminal — piped/agent consumers get pure JSON on stdout.
Agent Feedback
When you (or the agent) notice something off about this CLI, record it:
render-pp-cli feedback "the --since flag is inclusive but docs say exclusive"
render-pp-cli feedback --stdin < notes.txt
render-pp-cli feedback list --json --limit 10
Entries are stored locally at
~/.render-pp-cli/feedback.jsonl
. They are never POSTed unless
is set AND either
is passed or
RENDER_FEEDBACK_AUTO_SEND=true
. Default behavior is local-only.
Write what surprised you, not a bug report. Short, specific, one line: that is the part that compounds.
Output Delivery
Every command accepts
. The output goes to the named sink in addition to (or instead of) stdout, so agents can route command results without hand-piping. Three sinks are supported:
| Sink | Effect |
|---|
| Default; write to stdout only |
| Atomically write output to (tmp + rename) |
| POST the output body to the URL ( or when ) |
Unknown schemes are refused with a structured error naming the supported set. Webhook failures return non-zero and log the URL + HTTP status on stderr.
Named Profiles
A profile is a saved set of flag values, reused across invocations. Use it when a scheduled agent calls the same command every run with the same configuration - HeyGen's "Beacon" pattern.
render-pp-cli profile save briefing --json
render-pp-cli --profile briefing blueprints list
render-pp-cli profile list --json
render-pp-cli profile show briefing
render-pp-cli profile delete briefing --yes
Explicit flags always win over profile values; profile values win over defaults.
lists all available profiles under
so introspecting agents discover them at runtime.
Async Jobs
For endpoints that submit long-running work, the generator detects the submit-then-poll pattern (a
/
/
field in the response plus a sibling status endpoint) and wires up three extra flags on the submitting command:
| Flag | Purpose |
|---|
| Block until the job reaches a terminal status instead of returning the job ID immediately |
| Maximum wait duration (default 10m, 0 means no timeout) |
| Initial poll interval (default 2s; grows with exponential backoff up to 30s) |
Use async submission without
when you want to fire-and-forget; use
when you want one command to return the finished artifact.
Exit Codes
| Code | Meaning |
|---|
| 0 | Success |
| 2 | Usage error (wrong arguments) |
| 3 | Resource not found |
| 4 | Authentication required |
| 5 | API error (upstream issue) |
| 7 | Rate limited (wait and retry) |
| 10 | Config error |
Argument Parsing
- Empty, , or → show output
- Starts with → ends with → MCP installation; otherwise → see Prerequisites above
- Anything else → Direct Use (execute as CLI command with )
MCP Server Installation
Install the MCP binary from this CLI's published public-library entry or pre-built release, then register it:
bash
claude mcp add render-pp-mcp -- render-pp-mcp
Direct Use
- Check if installed:
If not found, offer to install (see Prerequisites at the top of this skill).
- Match the user query to the best command from the Unique Capabilities and Command Reference above.
- Execute with the flag:
bash
render-pp-cli <command> [subcommand] [args] --agent
- If ambiguous, drill into subcommand help:
render-pp-cli <command> --help