edged precheck

OS fingerprint reconstruct-and-continue pre-flight check

Synopsis

precheck performs startup validation and OS fingerprint reconstruction.

It must run (and succeed) before the edged daemon starts. Systemd ordering:
  edged-precheck.service (Type=oneshot) → edged.service (Requires=edged-precheck.service)

Exit codes:
  0  clean: fingerprint matched, first-run init, or reconstruction succeeded
  1  config invalid
  2  state_root invalid
  3  mTLS cert unreadable, expires within 7 days, or rotation failed
  5  reconstruction failed; edged MUST NOT start

Automatic rotation:
  When --rotate-certs is set (or when ca_key_file is configured and the leaf cert
  is expiring within the threshold), precheck rotates the leaf cert automatically
  before performing the expiry check.

Usage

edged precheck [flags]

Options

      --rotate-certs              rotate mTLS leaf cert before expiry check (requires ca_key_file in config)
      --rotation-valid-days int   validity period for the rotated leaf cert (days) (default 365)

Options inherited from parent commands

      --config string            path to edge.toml configuration file (required)
      --control-socket string    unix socket path for local control RPC API (default "/run/edged/ctl.sock")
      --log-level string         override log level (debug|info|warn|error); uses config value if empty
      --prometheus-addr string   TCP address for Prometheus /metrics endpoint (e.g. :9090); disabled when empty