crewship apply
Apply a YAML manifest that describes a crew or workspace. Re-running apply is idempotent and convergent: missing resources are created, drifted ones updated, and resources that disappeared from the manifest are deleted (with confirmation). Mutations go through normal REST endpoints so RBAC, audit logging, and WebSocket events fire the same way they would for an interactive user.

Flags
| Flag | Default | Purpose |
|---|---|---|
| --file <path> | (required) | Path to manifest YAML/JSON. Use - to read from stdin (capped at 4 MiB; split larger files). |
| --dry-run | false | Validate, render the plan, and exit without mutating. |
| --strict | false | Fail if any resource in the manifest already exists. Use in CI when you require a fresh workspace. |
| --replace | false | Delete every matching resource before recreating it. Destructive; prompts unless --yes. |
| --from-env | false | Read credential values from the process environment (var name = credential’s env: field). |
| --secrets-file <path> | "" | Load credential values from a KEY=VALUE file. Comments (#) and quoted values supported. |
| --skip-test-gate | false | Forward skip_test_gate: true on routine save so apply can ship a brand-new routine without first running it. Server gates the field on OWNER/ADMIN role; MANAGER+ callers get the standard “fresh passing test_run within 5 minutes” requirement. |
| -y, --yes | false | Skip confirmation prompts. Required when running in a non-TTY (CI) with destructive operations. |
--strict and --replace are mutually exclusive. Apply also requires an authenticated session (crewship login) and a workspace context — both are inherited from the current CLI profile.
Use --skip-test-gate when applying a manifest whose routine depends on credentials that are still PENDING from the same apply: the test_run would attempt to invoke the routine before its credentials exist, fail, and block save. Operators with OWNER/ADMIN role bypass the gate; everyone else must seed the credentials first and re-run apply without the flag.
Examples
Idempotent re-apply
env: entry in the manifest. Re-running converges drift.
Dry-run as a CI check
Strict mode for ephemeral workspaces
Replace an existing crew
Read from stdin
sed, op inject, or a templating step.
KEY=VALUE secrets file
secrets.env:
--env-file: no env-var expansion happens, the file is the source of truth.
Plan + confirm flow
Apply is two-pass: it computes the full plan first, prints it, asks for confirmation on anything destructive, and only then executes.

| Marker | Meaning |
|---|---|
| + | Create — resource is in the manifest but missing in the workspace |
| ~ | Update — drift between manifest and current state |
| = | Unchanged — matches |
| - | Delete — exists in workspace, manifest doesn’t declare it |
Credential resolution
Manifests never carry secret values. crewship apply resolves the env: slot through a chain of sources, in order:
- --secrets-file <path> if supplied
- --from-env (process environment) if supplied
- Otherwise the credential is created as status=PENDING and printed at the end
credential not configured until you set the value through the UI or crewship credential update.
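
A pre-flight check for CI that mirrors the resolution order above and reports which credentials would end up PENDING. This is an added example, not crewship's own code: the function names, the sample env names and the one-pair quote-stripping rule are assumptions, and the env names are passed in directly rather than read from a manifest.

```python
def parse_secrets(text):
    """Parse KEY=VALUE lines. Blank lines and '#' comment lines are skipped.
    Values are literal: no $VAR expansion, the file is the source of truth."""
    secrets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected KEY=VALUE")
        value = value.strip()
        # Assumed quoting rule: strip one pair of matching quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        secrets[key.strip()] = value
    return secrets


def resolve(env_names, secrets=None, environ=None):
    """Map each credential env name to the source that would supply it.
    secrets=None models "--secrets-file not supplied";
    environ=None models "--from-env not supplied"."""
    plan = {}
    for name in env_names:
        if secrets is not None and name in secrets:
            plan[name] = "secrets-file"   # first in the chain
        elif environ is not None and name in environ:
            plan[name] = "env"            # second in the chain
        else:
            plan[name] = "PENDING"        # created without a value
    return plan


# Constructed sample inputs (not real credentials).
SAMPLE_SECRETS = '''\
# constructed sample
GITHUB_TOKEN="example-not-a-real-token"
SLACK_WEBHOOK='https://hooks.example.invalid/$HOME'
'''
SAMPLE_ENVIRON = {"GITHUB_TOKEN": "from-env", "OPENAI_API_KEY": "from-env"}
SAMPLE_NAMES = ["GITHUB_TOKEN", "SLACK_WEBHOOK", "OPENAI_API_KEY", "JIRA_TOKEN"]

if __name__ == "__main__":
    plan = resolve(SAMPLE_NAMES, parse_secrets(SAMPLE_SECRETS), SAMPLE_ENVIRON)
    for name, source in plan.items():
        print(f"{name}: {source}")  # names and sources only, never values
```

Anything reported as PENDING here is a credential that a routine in the same manifest cannot use during its test_run.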
What gets deleted on sync
Resources synced (= deleted when missing from the manifest, with confirmation):
- crews (in workspace bundles)
- agents within each declared crew
- agent skill bindings
- agent credential bindings
- MCP servers on each declared crew
- skills at workspace scope — drop them via crewship skill rm
- credentials themselves — drop them via UI or crewship credential delete
Exit codes
| Code | Meaning |
|---|---|
| 0 | Success (apply completed, or dry-run validated cleanly) |
| 1 | Generic failure (validation, network, partial apply) |
apply doesn’t surface a “code 2 = changes applied” because every CI pipeline already knows the previous state via git. Use --dry-run for the “did anything change?” check.
Common errors
- crew "code-review" already exists — drop --strict to update in place, or pass --replace to recreate.
- aborted: destructive plan requires confirmation (pass --yes) — apply saw a - line in the plan and stdin isn’t a TTY. Pass -y/--yes in CI, or run interactively.
- invalid services_json: services["xyz"]: name must be a DNS label — service names must be valid RFC 1035 DNS labels (1–63 chars, lowercase letters/digits/-, starting with a letter and ending with letter or digit) since they become bridge-network DNS aliases.
- skill "X" references unknown credential env "Y" — every env_refs: entry must point at a credential declared in the same manifest (in the crew or at workspace scope).
Next step after apply
When the manifest declares spec.devcontainer on any crew, apply prints a hint at the end:
See also
- Guides → Workspace Manifests — the narrative tour
- CLI → export — round-trip back to YAML
- CLI → crew provision — chained step for crews with devcontainers
- Configuration → Manifest Schema — every field, every default