Summary
Several read-only tctl commands compute structured status or inventory data but only render human-readable tables or prose. These commands are useful in scripts, CI checks, support tooling, and operational dashboards, but today callers have to parse text output.
Add --format text/json/yaml support to high-value read-only commands where the command output is already data-shaped.
Problem
Commands such as tctl status, tctl version, and tctl list-kinds expose cluster or CLI inventory data, but only as text:
tctl status
tctl version
tctl list-kinds
This makes it difficult to safely automate checks such as:
- what Teleport version is the Auth Service running?
- what exact
tctl version, git ref, and Go runtime is installed?
- what CA rotation phase is the cluster in?
- what resource kinds does this
tctl build support?
- what scoped resources exist under each scope?
- what autoupdate rollout/report state exists?
- what audit schema fields are available?
These are read-only commands, so adding structured output is low risk and gives users a stable automation surface without requiring text parsing.
Current output example:
$ tctl version
Teleport v19.0.0-prealpha.2 git:api/v19.0.0-prealpha.2-892-gbe5eca1031 go1.26.3
There is already precedent for structured version output in tsh:
$ tsh version --format=json
{
"version": "19.0.0-prealpha.2",
"gitref": "api/v19.0.0-prealpha.2-892-gbe5eca1031",
"runtime": "go1.26.3"
}tctl version --format=json could use the same shape:
$ tctl version --format=json
{
"version": "19.0.0-prealpha.2",
"gitref": "api/v19.0.0-prealpha.2-892-gbe5eca1031",
"runtime": "go1.26.3"
}Proposed behavior
Add a --format flag to the commands below:
Default behavior should remain current human-readable text output.
For json and yaml, commands should serialize the underlying model or a stable output DTO rather than the final table rows where practical.
Unsupported format values should return a clear error.
Affected commands
High-priority read-only commands:
tctl statustctl versiontctl list-kindstctl api-resourcestctl scoped statustctl audit schematctl autoupdate agents statustctl autoupdate agents report
Suggested output shapes
For tctl status, serialize the existing status model: cluster name, version, CA pin information, CA rotation state, key status, FIPS mode, signature algorithm suite, and backend/storage details.
For tctl version, match the existing tsh version --format=json/yaml shape where practical: version, git ref, runtime, and any additional tctl-specific version metadata if needed.
For tctl list-kinds / tctl api-resources, serialize the computed resource-kind rows: kind, resource name, supported verbs/commands, singleton status, MFA requirements, and description.
For tctl scoped status, serialize one object per scope with resource counts and assignment counts.
For tctl audit schema, serialize the schema response directly or as a stable list of schema fields grouped the same way as the current table.
For tctl autoupdate agents status, serialize rollout state and the same derived fields shown in the current status table.
For tctl autoupdate agents report, serialize the aggregate counts by group/version plus any omitted totals.
Out of scope
This issue should not change the default text output.
This issue should not add structured output to mutation commands such as create/update/delete flows. Those need separate review because the right serialized result may be less obvious.
This issue should not cover generated artifacts such as scripts, certificates, CRLs, archives, or downloaded files.
Acceptance criteria
- Each affected command keeps its current text output by default.
- Each affected command supports
--format=json.
- Each affected command supports
--format=yaml.
- Unsupported format values fail with a clear error.
- Runtime help documents the supported format values.
- Generated CLI docs document the supported format values.
- Tests cover text/default behavior, JSON output, YAML output, and invalid format handling for each command family.
Code pointers
tool/tctl/common/status_command.go: tctl status builds and renders status data as text.tool/tctl/common/version_command.go: tctl version calls modules.GetModules().PrintVersion().tool/tsh/common/tsh.go: tsh version already supports serialized JSON/YAML version output.tool/tctl/common/resource_command.go: listKinds renders supported resource kinds as a table.tool/tctl/common/scoped_command.go: scoped status computes scope summary rows and renders a table.tool/tctl/common/accessmonitoring/command.go: audit schema fetches schema data but renders it as tables.tool/tctl/common/autoupdate_command.go: autoupdate agents status and autoupdate agents report render rollout/report data as text tables.docs/pages/reference/cli/tctl.mdx: generated CLI docs should reflect the new flags once implemented.
Summary
Several read-only
tctlcommands compute structured status or inventory data but only render human-readable tables or prose. These commands are useful in scripts, CI checks, support tooling, and operational dashboards, but today callers have to parse text output.Add
--format text/json/yamlsupport to high-value read-only commands where the command output is already data-shaped.Problem
Commands such as
tctl status,tctl version, andtctl list-kindsexpose cluster or CLI inventory data, but only as text:This makes it difficult to safely automate checks such as:
tctlversion, git ref, and Go runtime is installed?tctlbuild support?These are read-only commands, so adding structured output is low risk and gives users a stable automation surface without requiring text parsing.
Current output example:
There is already precedent for structured version output in
tsh:{ "version": "19.0.0-prealpha.2", "gitref": "api/v19.0.0-prealpha.2-892-gbe5eca1031", "runtime": "go1.26.3" }tctl version --format=jsoncould use the same shape:{ "version": "19.0.0-prealpha.2", "gitref": "api/v19.0.0-prealpha.2-892-gbe5eca1031", "runtime": "go1.26.3" }Proposed behavior
Add a
--formatflag to the commands below:Default behavior should remain current human-readable text output.
For
jsonandyaml, commands should serialize the underlying model or a stable output DTO rather than the final table rows where practical.Unsupported format values should return a clear error.
Affected commands
High-priority read-only commands:
tctl statustctl versiontctl list-kindstctl api-resourcestctl scoped statustctl audit schematctl autoupdate agents statustctl autoupdate agents reportSuggested output shapes
For
tctl status, serialize the existing status model: cluster name, version, CA pin information, CA rotation state, key status, FIPS mode, signature algorithm suite, and backend/storage details.For
tctl version, match the existingtsh version --format=json/yamlshape where practical: version, git ref, runtime, and any additionaltctl-specific version metadata if needed.For
tctl list-kinds/tctl api-resources, serialize the computed resource-kind rows: kind, resource name, supported verbs/commands, singleton status, MFA requirements, and description.For
tctl scoped status, serialize one object per scope with resource counts and assignment counts.For
tctl audit schema, serialize the schema response directly or as a stable list of schema fields grouped the same way as the current table.For
tctl autoupdate agents status, serialize rollout state and the same derived fields shown in the current status table.For
tctl autoupdate agents report, serialize the aggregate counts by group/version plus any omitted totals.Out of scope
This issue should not change the default text output.
This issue should not add structured output to mutation commands such as create/update/delete flows. Those need separate review because the right serialized result may be less obvious.
This issue should not cover generated artifacts such as scripts, certificates, CRLs, archives, or downloaded files.
Acceptance criteria
--format=json.--format=yaml.Code pointers
tool/tctl/common/status_command.go:tctl statusbuilds and renders status data as text.tool/tctl/common/version_command.go:tctl versioncallsmodules.GetModules().PrintVersion().tool/tsh/common/tsh.go:tsh versionalready supports serialized JSON/YAML version output.tool/tctl/common/resource_command.go:listKindsrenders supported resource kinds as a table.tool/tctl/common/scoped_command.go:scoped statuscomputes scope summary rows and renders a table.tool/tctl/common/accessmonitoring/command.go:audit schemafetches schema data but renders it as tables.tool/tctl/common/autoupdate_command.go:autoupdate agents statusandautoupdate agents reportrender rollout/report data as text tables.docs/pages/reference/cli/tctl.mdx: generated CLI docs should reflect the new flags once implemented.