Command Line Flags Overview#
The following flags are available for agent client configuration. Each flag is bound to a Viper configuration key of the same name, enabling consistent access throughout the application. CLI flags take precedence over environment variables and configuration file values.
| Flag (shorthand) | Type | Default | Description | Viper Key |
|---|---|---|---|---|
--config | string | $HOME/.cipherswarmagent.yaml | Path to configuration file | config |
--debug, -d | bool | false | Enable debug mode | debug |
--api-token, -a | string | (none, required) | API token for the CipherSwarm server | api_token |
--api-url, -u | string | (none, required) | URL of the CipherSwarm server | api_url |
--data-path, -p | string | ./data | Directory for agent data storage | data_path |
--gpu-temp-threshold, -g | int | 80 | GPU temperature threshold (Celsius) | gpu_temp_threshold |
--always-use-native-hashcat, -n | bool | false | Force use of native hashcat binary | always_use_native_hashcat |
--sleep-on-failure, -s | duration | 60s | Sleep duration after task failure | sleep_on_failure |
--files-path, -f | string | {data_path}/files | Directory for task files | files_path |
--extra-debugging, -e | bool | false | Enable additional debugging information | extra_debugging |
--status-timer, -t | int | 10 | Interval (seconds) for status updates | status_timer |
--heartbeat-interval | duration | 10s | Interval between heartbeat messages | heartbeat_interval |
--force-benchmark | bool | false | Force re-run of benchmarks, bypassing persistent cache | force_benchmark_run |
--write-zaps-to-file, -w | bool | false | Write zap output to file | write_zaps_to_file |
--zap-path, -z | string | {data_path}/zaps | Directory for zap output files | zap_path |
--retain-zaps-on-completion, -r | bool | false | Retain zap files after task completion | retain_zaps_on_completion |
--task-timeout | duration | 24h | Maximum time for a single task before timeout | task_timeout |
--download-max-retries | int | 3 | Maximum number of download retry attempts | download_max_retries |
--download-retry-delay | duration | 2s | Base delay between download retries (exponential backoff) | download_retry_delay |
--insecure-downloads | bool | false | Skip TLS certificate verification for downloads | insecure_downloads |
--max-heartbeat-backoff | int | 6 | Maximum heartbeat backoff multiplier (exponential backoff cap) | max_heartbeat_backoff |
--always-trust-files | bool | false | Skip checksum verification for downloaded files (not recommended) | always_trust_files |
--enable-additional-hash-types | bool | true | Enable support for additional hash types during benchmarking | enable_additional_hash_types |
--hashcat-path | string | "" | Path to a custom Hashcat binary (overrides automatic detection) | hashcat_path |
--connect-timeout | duration | 10s | Maximum time to wait for TCP connection establishment to the API server | connect_timeout |
--read-timeout | duration | 30s | Maximum time to wait for reading HTTP response data from the server | read_timeout |
--write-timeout | duration | 10s | Maximum time to wait for writing HTTP request data to the server | write_timeout |
--request-timeout | duration | 60s | Maximum total time for an entire HTTP request/response cycle | request_timeout |
--api-max-retries | int | 3 | Maximum number of retry attempts for failed API requests (network errors and 5xx responses) | api_max_retries |
--api-retry-initial-delay | duration | 1s | Initial delay before the first retry attempt (exponential backoff increases subsequent delays) | api_retry_initial_delay |
--api-retry-max-delay | duration | 30s | Maximum delay between retry attempts (caps exponential backoff growth) | api_retry_max_delay |
--circuit-breaker-failure-threshold | int | 5 | Number of consecutive API failures before the circuit breaker opens | circuit_breaker_failure_threshold |
--circuit-breaker-timeout | duration | 60s | Time the circuit breaker stays open before attempting to close (half-open state) | circuit_breaker_timeout |
--defer-benchmarks | bool | false | Skip full GPU benchmarks at startup; use quick hashcat --hash-info capability detection instead. Significantly reduces agent startup time from minutes to seconds. When enabled, placeholder benchmark results are submitted at startup, and real benchmarks are run in the background during idle periods (if --benchmark-while-idle is also enabled). | defer_benchmarks |
--benchmark-while-idle | bool | true | When --defer-benchmarks is enabled, run real background benchmarks incrementally during idle periods (one hash type at a time) to replace placeholder results. Background benchmarking is automatically paused when a task starts and resumed after task completion. Has no effect if --defer-benchmarks is false. | benchmark_while_idle |
Server-Recommended Settings#
The agent fetches configuration from the server's /configuration endpoint during startup and on reload. The server can recommend timeout, retry, and circuit breaker settings that override the agent's local configuration. When server recommendations are present, the agent logs the applied values and rebuilds its API client with the new settings. This ensures agents can adapt to server capacity and network conditions without requiring manual reconfiguration.
Backward Compatibility#
The agent supports deprecated underscore-style flag aliases (e.g., --api_token, --data_path) for backward compatibility with existing deployments and scripts. These aliases are hidden and will display a deprecation warning when used. Values set via deprecated flags are automatically bridged to their canonical kebab-case equivalents (e.g., --api-token, --data-path).
For all new deployments, scripts, and configuration examples, use the kebab-case flag names. The underscore-style aliases are maintained solely for transition purposes and may be removed in a future major version.
Benchmark Caching#
The agent uses persistent disk caching for benchmark results, storing them at {data_path}/benchmark_cache.json. Cached benchmarks survive agent restarts and can be retried automatically if submission to the server fails. This prevents unnecessary re-runs of the computationally expensive benchmarking process.
Use the --force-benchmark flag to bypass the cache and force a fresh benchmark run. This is useful when hardware changes occur or when you need to verify current performance. Server-initiated reloads automatically force fresh benchmarks to ensure up-to-date results are submitted.
Deferred Benchmarking#
When --defer-benchmarks is enabled, the agent splits benchmarking into two phases to minimize startup time:
Phase 1 — Capability Detection (startup): Instead of running a full GPU benchmark, the agent executes RunCapabilityDetection(), which invokes hashcat --hash-info --machine-readable to enumerate all supported hash types in seconds. For each discovered hash type, a placeholder cache entry is created with SpeedHs=1 and Placeholder=true, and these placeholder results are submitted to the server immediately. The agent then enters the main task loop without waiting for GPU benchmarks to complete.
Phase 2 — Background Benchmarking (idle): When --benchmark-while-idle is also enabled (the default), the RunBackgroundBenchmarks() goroutine processes placeholder entries from the cache one hash type at a time. Before each run, it calls waitForIdle(), which polls the agent's activity state and blocks until the agent is idle (CurrentActivityWaiting). Priority ordering ensures common types (MD5/0, SHA1/100, NTLM/1000) are benchmarked first, followed by remaining types in ascending numeric order. After each single-type benchmark completes, the placeholder cache entry is replaced with real results and submitted to the server incrementally. Background benchmarking pauses automatically when a task starts (goroutine is cancelled) and restarts after task completion.
--force-benchmark overrides deferred mode — if set, the agent always runs a full benchmark at startup regardless of --defer-benchmarks.
Note for air-gapped environments: Deferred benchmarking requires no external network access during capability detection. Placeholder results are submitted to the CipherSwarm server in the same manner as full benchmark results, so the server can begin assigning tasks immediately. Background benchmarks update results incrementally as they complete during idle periods.
Configuration Precedence#
Viper merges configuration from multiple sources in the following order of precedence (highest to lowest):
- Command line flags
- Environment variables (automatically mapped by Viper)
- Configuration file (YAML, e.g.,
cipherswarmagent.yaml) - Default values (set in code)
This means a value set via a CLI flag will override the same value set via an environment variable or config file.
Usage Examples#
Setting Flags via Command Line#
cipherswarmagent \
--api-token=YOUR_TOKEN \
--api-url=https://swarm.example.com \
--data-path=/var/lib/cipherswarm \
--gpu-temp-threshold=75 \
--debug \
--status-timer=30
Short flag forms are available for many options, e.g. -a for --api-token, -u for --api-url, -d for --debug.
Using Environment Variables#
Viper automatically maps environment variables to configuration keys. For example:
export API_TOKEN=YOUR_TOKEN
export API_URL=https://swarm.example.com
export DATA_PATH=/var/lib/cipherswarm
export GPU_TEMP_THRESHOLD=75
cipherswarmagent
Using a Configuration File#
Create a YAML file (e.g., cipherswarmagent.yaml):
api_token: YOUR_TOKEN
api_url: https://swarm.example.com
data_path: /var/lib/cipherswarm
gpu_temp_threshold: 75
debug: true
status_timer: 30
Then run:
cipherswarmagent --config /path/to/cipherswarmagent.yaml
Overriding Config File with CLI Flags#
Any CLI flag will override the corresponding value in the config file or environment variable:
cipherswarmagent --config /etc/cipherswarmagent.yaml --debug=false --status-timer=5
Best Practices#
- Use CLI flags for quick overrides or scripting.
- Use environment variables for containerized or cloud deployments.
- Use a configuration file for persistent, version-controlled settings.
- Combine methods as needed; CLI flags always take precedence.
- Review the agent's
--helpoutput for the most up-to-date flag list and descriptions.
Implementation Details#
Each flag is defined in the agent's cmd/root.go using Cobra, then bound to a Viper key with the same name. Default values are set in lib/config/config.go. At runtime, Viper merges all sources, and the agent reads configuration via Viper's API, ensuring consistent and predictable behavior across all deployment scenarios. For more details, see the agent's configuration implementation and configuration management code.
