Reference

CLI Command Cheat Sheet

A searchable rundown of shell commands you actually reach for — git, grep, curl, ssh, docker, find, awk, sed, package managers, archive tools, the lot — with canonical syntax, the flags you use 90% of the time, a couple of examples, the gotcha that bites everyone, and per-row OS badges so you know whether it runs on Linux, macOS, Windows, or in your Termux shell.

How to use: pick a category tab or filter live by typing into the search box (matches across name, description, syntax, flags, and examples). Tap any worked example to see a plain-English explanation of what it does, or tap any highlighted term inside an example (or any abbreviated term in a cell) to see what it stands for. The Danger column flags destructive commands at a glance and Modern alt points to a newer replacement where one exists. The command column stays pinned as you scroll horizontally.

19 categories 258 commands Last updated

OS Compatibility Legend

Each row carries one or more badges showing where the command runs. Combine 🛡 root with the OS badges when the command requires elevated privileges.

  • Linux
  • macOS
  • Windows
  • Cross-platform
  • Requires root / sudo
  • Android (Termux)

Danger Level

The Danger column rates how much damage a careless invocation can do.

  • ✓ safe Read-only or trivially reversible
  • ▲ caution Can overwrite / modify state
  • ⚠ destructive Irreversible data loss possible

Interactive Tools

Compose tricky invocations interactively. All four widgets run locally in your browser — nothing leaves the page. Copy the composed command from the output block once you're happy.

Shell & CLI Glossary 32 terms

Click any term to see a beginner-friendly explanation. Cross-references inside an explanation open in a stacked modal — Escape closes them one at a time.

Command OS / Appliance Danger Description Syntax Flags / Options Examples Recipes / Combos Gotchas Modern alt See also Docs
ls
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe List directory contents. ls [-l] [-a] [-h] [-S|-t] [-r] [<path>...]
7 flags -l · Long format: permissions, owner, size, mtime. Show all
-l
Long format: permissions, owner, size, mtime.
-a
Include dotfiles (entries starting with '.').
-h
Human-readable sizes (K, M, G) — combine with -l.
-S
Sort by file size, largest first.
-t
Sort by modification time, newest first.
-r
Reverse the sort order.
-R
Recurse into subdirectories.
2 recipes ls -1 *.log | xargs -I{} gzip {} Show all

macOS ships BSD ls, which lacks --color=auto (use -G instead) and orders flags differently. Install GNU coreutils via Homebrew (brew install coreutils) to get gls matching Linux behaviour.

 eza / lsd — colourful, git-aware ls with icons cd, tree, stat
  • man 1 ls
cd
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Change the current shell directory. cd [<dir>|-|~]
3 flags - · Switch back to the previous directory ($OLDPWD). Show all
-
Switch back to the previous directory ($OLDPWD).
~
Home directory (also bare 'cd' with no arg).
..
Parent directory.
2 recipes cd "$(git rev-parse --show-toplevel)" Show all

cd is a shell builtin, not a binary — it can’t be run via sudo or xargs. Use pushd / popd if you need a directory stack.

 pwd, pushd
  • help cd (bash builtin)
pwd
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Print the current working directory. pwd [-L|-P]
2 flags
-L
Logical path — follows symlinks (default).
-P
Physical path — resolves symlinks.
2 recipes export PROJ=$(pwd) && cd /tmp && echo "... Show all
cd, realpath
  • man 1 pwd
mkdir
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Create one or more directories. mkdir [-p] [-m <mode>] <dir>...
2 flags
-p
Create parent directories as needed; do not error if it exists.
-m <mode>
Set permissions on the new directory (octal, e.g. 700).
2 recipes mkdir -p project/{src,tests,docs} && ls... Show all
rmdir, chmod
  • man 1 mkdir
rmdir
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Remove empty directories. rmdir [-p] [-v] <dir>...
2 flags
-p
Remove the directory and its empty ancestors — e.g. rmdir -p a/b/c removes c, then b, then a if all become empty.
-v
Verbose — print each directory as it is removed.
2 recipes find . -type d -empty | sort -r | xargs... Show all

rmdir fails if the directory contains even a single hidden file (.keep, .DS_Store). Use rm -rf only when you’re certain of the contents, or run ls -la dir/ first to confirm it’s truly empty.

 rm, mkdir, find
  • man 1 rmdir
rm
🐧🍎⚙️🤖
⚠ destructive
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
⚠ destructive Remove files and directories. rm [-r] [-f] [-i] <file>...
4 flags -r · Recursive — remove directories and their contents. Show all
-r
Recursive — remove directories and their contents.
-f
Force — never prompt, ignore non-existent files.
-i
Interactive — prompt before each removal.
-v
Verbose — print each file as it's removed.
2 recipes find . -name '*.bak' -type f | xargs rm -- Show all

rm -rf / is the canonical destructive command. On macOS and modern GNU coreutils, rm refuses / without --no-preserve-root, but a leading variable that resolves to empty (rm -rf "$VAR"/) still nukes / — always quote-test critical paths. There is no undelete.

 mv, rmdir, trash
  • man 1 rm
mv
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Move or rename files and directories. mv [-i] [-n] [-v] <src>... <dst>
3 flags -i · Prompt before overwriting an existing destination. Show all
-i
Prompt before overwriting an existing destination.
-n
Never overwrite — silently skip if dst exists.
-v
Verbose — print each move.
2 recipes for f in *.jpeg; do mv -- "$f" "${f%.jp... Show all
cp, rename, rm
  • man 1 mv
cp
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Copy files and directories. cp [-r] [-i] [-p] [-v] <src>... <dst>
5 flags -r · Recursive — copy directories and contents. Show all
-r
Recursive — copy directories and contents.
-i
Prompt before overwriting.
-p
Preserve mode, ownership, and timestamps.
-a
Archive — preserve everything, symlinks too (GNU only).
-v
Verbose — print each copy.
2 recipes cp -p "$file" "${file}.$(date +%Y%m%d)" Show all

BSD cp (macOS) has no -a; use cp -pR or install GNU coreutils. Trailing / on the source means “contents of” — cp -r src/ dst/ copies the contents of src into dst, while cp -r src dst/ copies the src directory itself into dst.

 mv, rsync
  • man 1 cp
touch
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Create empty files or update their access / modification timestamps. touch [-c] [-d <date>] [-r <ref>] <file>...
3 flags -c · Do not create the file if it doesn't exist. Show all
-c
Do not create the file if it doesn't exist.
-d <date>
Set the timestamp explicitly (e.g. '2026-01-01 12:00').
-r <ref>
Copy timestamps from another file.
2 recipes touch -r reference.txt target.txt Show all
stat, mkdir
  • man 1 touch
ln
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Create hard or symbolic links. ln [-s] [-f] <target> <link_name>
3 flags -s · Symbolic (soft) link — a pointer to a path. Show all
-s
Symbolic (soft) link — a pointer to a path.
-f
Force — remove an existing link before creating the new one.
-v
Print each link as it's created.
2 recipes find /usr/local/bin -maxdepth 1 -type l... Show all

Hard links share the same inode and break if the file system runs out of inodes; you can’t hard-link across file systems or to directories. Symbolic links can point at anything but become broken if the target moves.

 readlink, realpath
  • man 1 ln
stat
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Display detailed file metadata — inode, size, permissions, and all three timestamps. stat [-c <fmt>|--format=<fmt>] <file>...
2 flags
-c <fmt>
GNU custom format string (%s = size, %y = mtime, %a = octal mode).
-f <fmt>
BSD/macOS custom format string.
2 recipes stat -c '%y %n' * | sort Show all

Format strings differ between GNU stat (Linux: -c) and BSD stat (macOS: -f). Cross-platform scripts should detect the variant or fall back to ls -l.

 ls, file
  • man 1 stat
file
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Identify a file's type by its content (magic numbers), not its extension. file [-b] [-i] <path>...
2 flags
-b
Brief — omit the filename from output.
-i
Print MIME type instead of human-readable description.
2 recipes file * | grep 'ASCII text' | cut -d: -f... Show all
stat
  • man 1 file
tree
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Show a directory hierarchy as an ASCII tree. tree [-L <depth>] [-a] [-d] [-I <pattern>] [<path>]
4 flags -L <n> · Limit depth to n levels. Show all
-L <n>
Limit depth to n levels.
-a
Show dotfiles.
-d
Directories only.
-I <pat>
Ignore files matching the glob pattern.
2 recipes tree -d -L 3 | grep '/$' Show all

Not installed by default on macOS (brew install tree) or many minimal Linux containers (apt install tree).

 eza --tree — git-aware tree with icons and colour ls, find
  • man 1 tree
realpath
🐧⚙️🤖
✓ safe
🐧 Linux⚙️ Cross-platform🤖 Termux
✓ safe Resolve a path to its absolute, symlink-free canonical form. realpath [-e] [-s] <path>
2 flags
-e
All components must exist (error otherwise).
-s
Strip .. and . but don't resolve symlinks.
2 recipes SCRIPT_DIR=$(realpath "$(dirname "$0")") Show all

Not available on stock macOS — install via brew install coreutils and use grealpath, or fall back to readlink -f (also macOS-missing) or cd "$(dirname p)" && pwd.

 readlink, pwd
  • man 1 realpath
dirname
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Strip the last path component, returning the directory portion of a path. dirname <path>...
1 flag
-z
Delimit output with NUL instead of newline — for use with xargs -0 or read -d ''.
2 recipes cd "$(dirname "$(which python3)")" Show all
basename, realpath, pwd
  • man 1 dirname
basename
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Strip the directory portion (and optionally a suffix) from a path, leaving only the filename. basename <path> [<suffix>]
2 flags
-s <suffix>
GNU form — strip this suffix from each result (equivalent to passing suffix as the second argument).
-z
Delimit output with NUL instead of newline.
2 recipes for f in /var/log/*.log; do cp "$f" ~/b... Show all

Passing multiple paths to POSIX basename is undefined behaviour — only GNU coreutils supports multiple arguments. For portability across scripts that run on both Linux and macOS, call basename once per path inside a loop rather than passing a list.

 dirname, realpath
  • man 1 basename
grep
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Search text for lines matching a pattern. grep [-i] [-r] [-n] [-E|-F|-P] [-v] <pattern> [<file>...]
11 flags -i · Case-insensitive match. Show all
-i
Case-insensitive match.
-r
Recursive search through directories.
-n
Prefix each match with its line number.
-E
Extended regex (POSIX ERE) — +, ?, |, () without backslashes.
-F
Fixed-string match (no regex). Fastest mode.
-P
Perl-compatible regex (lookaround, \d, etc.). GNU only.
-v
Invert — print lines that do NOT match.
-l
Print only filenames containing a match.
-c
Print only the count of matching lines per file.
-A <n>
Print n lines of trailing context after each match.
-B <n>
Print n lines of leading context before each match.
2 recipes grep -rFl "SecretKey" . | xargs -I {} g... Show all

macOS ships BSD grep, which lacks -P and orders flags differently. Install GNU grep via brew install grep for cross-platform ggrep. Patterns starting with - need a -- separator (grep -- -foo file). ripgrep (rg) is faster, respects .gitignore, and is generally preferable for ad-hoc work.

 Prefer rg (ripgrep) for interactive use — faster, .gitignore-aware, and Unicode-correct by default. awk, sed, find, ripgrep, ↳ regex
  • man 1 grep
find
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Walk a directory tree and act on files matching tests. find <path>... [tests] [actions]
8 flags -name <glob> · Match filename by glob (case-sensitive). Show all
-name <glob>
Match filename by glob (case-sensitive).
-iname <glob>
Case-insensitive filename match.
-type f|d|l
Restrict to files (f), directories (d), or symlinks (l).
-mtime <n>
Modified n*24 hours ago (+n = older, -n = newer).
-size <n>[ckMG]
Size match (+ = larger, - = smaller; suffix sets unit).
-delete
Delete matching files (use only after dry-running with -print).
-exec <cmd> {} \;
Run command per file ({} is replaced with the path).
-exec <cmd> {} +
Run command once with all paths batched as args (faster).
2 recipes find . -name '*.py' -print0 | xargs -0 ... Show all

-print is the default action — drop it for clarity, add it back when piping into xargs with weird filenames (use -print0 + xargs -0 to handle spaces). BSD find (macOS) and GNU find have minor flag differences (-printf is GNU-only).

 Consider fd for interactive use — simpler syntax, .gitignore-aware, and colored output by default. xargs, grep, fd, ↳ find
  • man 1 find
awk
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Pattern-action language for column-oriented text processing. awk [-F <sep>] '<pattern> { <action> }' [<file>...]
3 flags -F <sep> · Input field separator (default: whitespace runs). Show all
-F <sep>
Input field separator (default: whitespace runs).
-v <var>=<val>
Set an awk variable before execution.
-f <script>
Read the awk program from a file.
2 recipes awk -F: '{print $1}' /etc/passwd | sort... Show all

NR is the line number, NF the field count; $0 is the whole line, $1..$NF the fields. Built-in to every Unix; for anything more elaborate, reach for Python or jq (for JSON).

 sed, cut, grep
sed
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Stream editor — apply scripted edits to a stream of text. sed [-i[<ext>]] [-E] '<script>' [<file>...]
4 flags -i · Edit files in place (GNU). BSD/macOS requires -... Show all
-i
Edit files in place (GNU). BSD/macOS requires -i ''.
-E
Extended regex (so + ? () work without backslashes).
-n
Suppress default output (use with /pat/p to print only matches).
-e <script>
Add another script; repeat for multiple.
2 recipes grep -rl 'v1/api' src/ | xargs sed -i '... Show all

sed -i means “in-place” on GNU but BSD/macOS requires a backup-extension arg (sed -i '' 's/…'). The portable form is sed -i.bak 's/…' which works on both and leaves a .bak behind. Don’t mix delimiters inside the script: use s|/path|/new|g when the pattern contains slashes.

 awk, tr, grep, ↳ regex
  • man 1 sed
cut
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Extract specific bytes, characters, or fields from each line. cut [-d <delim>] -f <fields> [<file>...]
3 flags -d <delim> · Field delimiter (default: tab). Show all
-d <delim>
Field delimiter (default: tab).
-f <list>
Field list (1,3 or 2-5 or 3-).
-c <list>
Character positions instead of fields.
2 recipes cut -d, -f1,3 report.csv | sort -u Show all
awk, paste
  • man 1 cut
sort
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Sort lines of text. sort [-n] [-r] [-u] [-k <field>] [-t <sep>] [<file>...]
6 flags -n · Numeric sort (so 10 follows 9, not 1). Show all
-n
Numeric sort (so 10 follows 9, not 1).
-r
Reverse order.
-u
Output unique lines only (like uniq, no need to pre-sort).
-k <field>
Sort on field N (1-indexed).
-t <sep>
Field separator (default: whitespace).
-h
Human-readable numeric sort (handles 1K, 2M, 3G).
2 recipes sort -t: -k3 -n /etc/passwd | cut -d: -... Show all
uniq, shuf
  • man 1 sort
uniq
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Filter adjacent duplicate lines. uniq [-c] [-d] [-u] [<file>]
3 flags -c · Prefix each line with its occurrence count. Show all
-c
Prefix each line with its occurrence count.
-d
Only print lines that appear more than once.
-u
Only print lines that appear exactly once.
2 recipes cut -d' ' -f1 access.log | sort | uniq ... Show all

uniq only collapses adjacent duplicates — pipe sort in first, or use sort -u for a one-step equivalent.

 sort
  • man 1 uniq
head
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Print the first N lines (or bytes) of a stream. head [-n <count>|-c <bytes>] [<file>...]
2 flags
-n <n>
First n lines (default: 10). Negative means all but last n.
-c <n>
First n bytes.
2 recipes head -n 1 *.csv Show all
tail, less
  • man 1 head
tail
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Print the last N lines, optionally following a growing file. tail [-n <count>] [-f] [<file>...]
3 flags -n <n> · Last n lines (default: 10). +n starts at line n. Show all
-n <n>
Last n lines (default: 10). +n starts at line n.
-f
Follow — keep printing as the file grows.
-F
Follow even across log rotation (re-open by name).
2 recipes tail -F /var/log/app.log | grep --line-... Show all
head, less
  • man 1 tail
less
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Page through text interactively (forward and backward). less [+<line>] [-N] [-S] [-R] [<file>]
4 flags +<line> · Start at the given line number. Show all
+<line>
Start at the given line number.
-N
Show line numbers.
-S
Chop long lines instead of wrapping.
-R
Pass ANSI colour codes through.
2 recipes grep -n 'ERROR' app.log | less -N +1 Show all

Inside less: /pattern searches forward, ?pattern searches backward, n/N jumps next/prev, g/G go to top/bottom, q quits. +F tails the file like tail -f until Ctrl+C drops you into normal less mode.

 more, tail, head
  • man 1 less
cat
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Concatenate files and print to stdout. cat [-n] [-A] [<file>...]
2 flags
-n
Number every output line.
-A
Show all non-printable chars ($ for newlines, ^I for tabs).
2 recipes cat /dev/urandom | tr -dc 'A-Za-z0-9' |... Show all

“Useless use of cat” — cat file | grep x is just grep x file. Pipelines work better when you don’t detach the input from its source.

 bat adds syntax highlighting, line numbers, and git diff markers — a drop-in viewer replacement for interactive use. tac, head, tail
  • man 1 cat
tee
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Read stdin, write to stdout AND to one or more files. tee [-a] <file>...
1 flag
-a
Append to files instead of overwriting.
2 recipes curl -fsSL https://example.com/install.... Show all

The echo … | sudo tee -a pattern is how you write to a root-only file when you can’t run sudo on a redirect (because >> is interpreted by your unprivileged shell, not the sudo’d process).

 cat, xargs
  • man 1 tee
xargs
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Build and execute commands from stdin. xargs [-0] [-n <max>] [-I <repl>] [-P <jobs>] <cmd>
4 flags -0 · Input is null-separated (pair with find -print0). Show all
-0
Input is null-separated (pair with find -print0).
-n <n>
Max args per command invocation.
-I <repl>
Replace <repl> in cmd with each input item.
-P <n>
Run up to n commands in parallel.
2 recipes git diff --name-only HEAD~1 | xargs -I ... Show all

Without -0, filenames with spaces or newlines break. Always pair find -print0 with xargs -0. -I {} implies -n 1.

 find, parallel
  • man 1 xargs
jq
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Filter, transform, and query JSON from the command line. jq [-r] [-c] '<filter>' [<file>]
4 flags -r · Raw output — strings without surrounding quotes. Show all
-r
Raw output — strings without surrounding quotes.
-c
Compact (one JSON value per line).
-s
Slurp — read all input into one big array.
-e
Exit non-zero if the filter produces no/false output.
2 recipes curl -s 'https://api.github.com/repos/o... Show all

Not installed by default — apt install jq / brew install jq. For YAML use yq (the Mike Farah Go reimplementation); they share most of the syntax.

 awk, yq
wc
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Count lines, words, characters, or bytes. wc [-l] [-w] [-c] [-m] [<file>...]
4 flags -l · Lines only. Show all
-l
Lines only.
-w
Words only.
-c
Bytes only.
-m
Characters (matters for multi-byte UTF-8).
2 recipes git diff --name-only | xargs wc -l | so... Show all
awk
  • man 1 wc
tr
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Translate or delete characters from stdin. tr [-d] [-s] [-c] '<set1>' ['<set2>']
3 flags -d · Delete characters in set1. Show all
-d
Delete characters in set1.
-s
Squeeze repeated chars in set1 to a single occurrence.
-c
Complement set1 (act on chars NOT in it).
2 recipes cat /dev/urandom | tr -dc 'A-Za-z0-9' |... Show all
sed, awk
  • man 1 tr
diff
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Compare files line by line. diff [-u] [-r] [-i] [-w] <file1> <file2>
6 flags -u · Unified diff format (the standard for patches a... Show all
-u
Unified diff format (the standard for patches and code review).
-r
Recursive — compare directories.
-i
Ignore case differences.
-w
Ignore all whitespace.
-q
Quiet — only report which files differ, not how.
-N
Treat absent files as empty (useful for full-dir patches).
2 recipes diff <(sort file_a.txt) <(sort file_b.txt) Show all
patch, git diff, comm
  • man 1 diff
patch
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Apply a diff (patch file) to update one or more files. patch [-p<n>] [-R] [--dry-run] [-i <patchfile>]
4 flags -p<n> · Strip n leading path components from filenames ... Show all
-p<n>
Strip n leading path components from filenames in the patch.
-R
Reverse — undo a previously applied patch.
--dry-run
Test the apply without modifying files.
-i <file>
Read the patch from a file instead of stdin.
2 recipes diff -u original.conf current.conf | pa... Show all
diff, git apply
  • man 1 patch
tac
🐧⚙️🤖
✓ safe
🐧 Linux⚙️ Cross-platform🤖 Termux
✓ safe Print lines in reverse order (cat backwards). tac [<file>...]
2 flags
-r
Treat the separator as a regex.
-s <sep>
Use <sep> instead of newline as the record separator.
2 recipes tac access.log | grep -m 1 'POST /api/l... Show all

Not bundled with macOS by default — brew install coreutils gives gtac, or use tail -r (BSD).

 cat, rev
  • man 1 tac
paste
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Merge corresponding lines of files side by side. paste [-d <delim>] [-s] <file>...
2 flags
-d <delim>
Field delimiter (default: tab).
-s
Serial — paste all lines of one file together, not column-wise.
2 recipes paste <(cut -d: -f1 /etc/passwd) <(cut ... Show all
cut, join
  • man 1 paste
rg
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Fast recursive search respecting .gitignore — a modern grep replacement. rg [options] <pattern> [<path>...]
11 flags -i · Case-insensitive match. Show all
-i
Case-insensitive match.
-l
Print only filenames with a match.
-n
Show line numbers (on by default in terminal output).
-t <type>
Search only files of a given type (e.g. -t py, -t js).
--no-ignore
Do not respect .gitignore / .rgignore files.
-g <glob>
Include or exclude files matching a glob (prefix ! to exclude).
-A <n>
Print n lines of context after each match.
-B <n>
Print n lines of context before each match.
--hidden
Search hidden files and directories (dotfiles).
-s
Case-sensitive match (overrides -i and smartcase).
--stats
Print summary statistics after search results.
2 recipes rg -t py 'def ' --no-heading -N | wc -l Show all

Not installed by default — cargo install ripgrep, apt install ripgrep, or brew install ripgrep. rg skips binary files and .gitignored paths silently; add --no-ignore --binary to override. Regex engine is Rust’s (RE2-style) — no lookahead/lookbehind. For PCRE2 features use rg -P (requires PCRE2 feature at build time).

 grep, find, fd, ↳ regex
comm
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Compare two sorted files line by line, showing lines unique to each or common to both. comm [-123] <file1> <file2>
3 flags -1 · Suppress lines unique to file1 (first column). Show all
-1
Suppress lines unique to file1 (first column).
-2
Suppress lines unique to file2 (second column).
-3
Suppress lines common to both files (third column).
2 recipes comm -3 <(pip freeze | sort) <(cat requ... Show all

Both inputs must be sorted — comm processes lines sequentially and gives wrong results on unsorted input. Use process substitution (<(sort file)) to sort on the fly. Output is three tab-indented columns: only-in-1, only-in-2, both; use -1, -2, -3 flags to suppress unwanted columns.

 diff, sort, uniq
  • man 1 comm
column
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Format input into aligned columns or a table — turns tab/space-separated data into readable output. column [-t] [-s <sep>] [-o <out-sep>] [-N <names>] [<file>...]
5 flags -t · Create a table — auto-align columns by padding ... Show all
-t
Create a table — auto-align columns by padding with spaces.
-s <sep>
Input column separator (default: whitespace). Specify ',' for CSV.
-o <sep>
Output column separator (default: two spaces). GNU util-linux only.
-N <names>
Comma-separated column headers to add. GNU util-linux only.
-R <cols>
Right-align named/numbered columns. GNU util-linux only.
2 recipes ps aux | awk 'NR==1 || $3>1.0' | column -t Show all

The -o, -N, and -R flags are GNU util-linux extensions unavailable on macOS’s BSD column. On macOS, use brew install util-linux or stick to -t and -s which are portable. column -t buffers the entire input before printing — avoid piping infinite streams into it.

 awk, paste, cut
  • man 1 column
nl
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Number lines of files, with control over which lines are numbered and the format used. nl [-b <style>] [-n <format>] [-w <width>] [-v <start>] [<file>...]
7 flags -b a · Number all lines including blank ones (default:... Show all
-b a
Number all lines including blank ones (default: -b t, body only).
-b p<regex>
Number only lines matching the regex.
-n rz
Right-align line numbers, zero-padded.
-n ln
Left-align line numbers.
-w <n>
Width of the line-number field.
-v <n>
Starting line number (default: 1).
-s <sep>
Separator between line number and content (default: tab).
2 recipes nl -bp'^[A-Z]' notes.txt Show all

nl treats the input as logical pages delimited by \\:\\:\\: (header), \\:\\: (body), and \\: (footer) by default — these delimiters reset numbering per page. Use -b a if your file looks like it’s skipping lines unexpectedly. For simple numbered output, cat -n or grep -n '' are often simpler.

 cat, head, awk
  • man 1 nl
ps
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Snapshot the current process list. ps [aux | -ef] [-o <fmt>]
3 flags aux · BSD style: all users, including no-controlling-... Show all
aux
BSD style: all users, including no-controlling-terminal procs.
-ef
POSIX style: full format, every process.
-o <fmt>
Custom output columns (e.g. pid,user,%cpu,%mem,cmd).
1 recipe

ps aux and ps -ef are nearly equivalent but use different flag syntax (BSD vs POSIX). On modern Linux either works; on minimal busybox boxes (and some Android setups) only one is available.

 Use procs for a colourised, human-friendly alternative (cargo install procs). top, pgrep, htop
  • man 1 ps
top
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Live, sortable view of running processes. top [-d <delay>] [-n <iters>] [-o <field>] [-u <user>]
4 flags -d <s> · Refresh delay in seconds (default: 3 on Linux, ... Show all
-d <s>
Refresh delay in seconds (default: 3 on Linux, 1 on macOS).
-n <n>
Run for n iterations then exit (good for scripts).
-o <field>
Sort by field (cpu, mem, time).
-u <user>
Show only this user's processes.
1 recipe

Linux top and macOS top are different binaries with different keybindings. Inside Linux top: P sort by CPU, M by memory, k kill a PID, q quit.

 Prefer htop or btop for colour, mouse support, and tree view. htop, ps, iotop
  • man 1 top
htop
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Interactive process viewer with colour, mouse support, and tree mode. htop [-d <ds>] [-u <user>] [-p <pid>...]
3 flags -u <user> · Show only this user's processes. Show all
-u <user>
Show only this user's processes.
-p <pid,...>
Show only the listed PIDs.
-t
Start in tree view.
1 recipe

Not installed by default — apt install htop / brew install htop / pkg install htop in Termux. Inside htop: F5 tree, F6 sort, F9 kill, F10 quit.

 Use btop for an even richer resource overview including disk and network graphs. top, btop
  • man 1 htop
kill
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Send a signal to one or more processes (default: SIGTERM). kill [-<signal>|-l] <pid>...
4 flags -9 / -KILL · SIGKILL — unblockable, kernel kills the process. Show all
-9 / -KILL
SIGKILL — unblockable, kernel kills the process.
-15 / -TERM
SIGTERM — graceful shutdown (default).
-1 / -HUP
SIGHUP — many daemons reload config on this.
-l
List all signal names.
2 recipes kill $(pgrep -f 'python my-script.py') Show all

Reach for -15 first — -9 bypasses cleanup and can leave locked files, half-written data, or zombie children. A process that ignores -15 for >5s is the only candidate for -9.

 pkill, killall, pgrep
  • man 1 kill
pkill
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Kill processes by name pattern instead of PID. pkill [-<signal>] [-f] [-u <user>] <pattern>
3 flags -f · Match against the full command line, not just t... Show all
-f
Match against the full command line, not just the process name.
-u <user>
Only kill processes owned by this user.
-<signal>
Which signal to send (default: TERM).
1 recipe
kill, pgrep, killall
  • man 1 pkill
pgrep
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe List PIDs of processes matching a name pattern. pgrep [-f] [-u <user>] [-a] <pattern>
4 flags -f · Match the full command line. Show all
-f
Match the full command line.
-a
Print the command line alongside the PID.
-u <user>
Restrict to one user.
-d <sep>
Use a custom delimiter between PIDs (e.g. comma for kill input).
1 recipe
pkill, ps
  • man 1 pgrep
jobs
⚙️
✓ safe
⚙️ Cross-platform
✓ safe List the current shell's background and stopped jobs. jobs [-l] [-p]
2 flags
-l
Include PIDs in the output.
-p
Print PIDs only.
1 recipe

Jobs are shell-local — they disappear when the shell exits unless you use nohup or disown. Use fg %1 to foreground job 1, bg %1 to resume it in the background.

 bg, fg, nohup, disown
  • help jobs (bash builtin)
nohup
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Run a command immune to hangups (so it survives shell exit). nohup <cmd> [args...] [&]
2 flags
&
Trailing & backgrounds the command (shell syntax, not a nohup flag).
> file 2>&1
Redirect output explicitly; otherwise nohup appends to nohup.out in CWD.
1 recipe

Output goes to nohup.out in the current directory unless you redirect explicitly. For something more durable, use systemd service units (Linux), launchd (macOS), or a terminal multiplexer like tmux.

 disown, tmux, screen
  • man 1 nohup
lsof
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe List open files (including network sockets) and their owning processes. lsof [-i [<host>:<port>]] [-p <pid>] [-u <user>]
4 flags -i · Internet sockets — append :<port> Show all
-i
Internet sockets — append :<port> or @host.
-p <pid>
Files opened by a specific PID.
-u <user>
Files opened by a specific user.
+D <dir>
All open files under a directory.
2 recipes sudo lsof -p $(pgrep nginx) | grep -E '... Show all

Almost always needs sudo to see other users’ files / sockets. On Linux, ss -ltnp is faster for “what’s listening on which port”.

 ss, netstat, fuser
  • man 8 lsof
time
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Run a command and report how long it took. time <cmd> [args...]
2 flags
/usr/bin/time -v
GNU binary form: verbose stats including max RSS, page faults, I/O.
/usr/bin/time -f <fmt>
Custom format (%e elapsed, %U user, %S sys, %M peak RSS in KB).
1 recipe

time is both a shell builtin and a binary (/usr/bin/time). The builtin (which most shells default to) shows real/user/sys; the binary supports -v for memory and I/O stats (/usr/bin/time -v ... on Linux).

 hyperfine
  • man 1 time
killall
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Kill all processes with a given name. killall [-<signal>] [-i] [-u <user>] <name>...
4 flags -<signal> · Signal to send (default: TERM). Show all
-<signal>
Signal to send (default: TERM).
-i
Interactive — confirm before killing each.
-u <user>
Only processes owned by this user.
-r
Match name as a regex (Linux).
1 recipe

BSD killall (macOS) and GNU killall (Linux) differ — macOS killall matches the exact command name only and lacks -r. Older Solaris killall killed every process the user owned (true to the name), so the command name has historical footgun connotations.

 kill, pkill
  • man 1 killall
bg
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Resume a stopped job in the background. bg [%<jobspec>]
3 flags %<n> · Specific job number (from `jobs`). Show all
%<n>
Specific job number (from `jobs`).
%+ / %%
Most recent job (default).
%-
Previous job.
1 recipe
fg, jobs, nohup
  • help bg (bash builtin)
fg
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Bring a backgrounded or stopped job to the foreground. fg [%<jobspec>]
3 flags %<n> · Specific job number. Show all
%<n>
Specific job number.
%+ / %%
Most recent job (default).
%<string>
Job whose command starts with <string>.
1 recipe
bg, jobs
  • help fg (bash builtin)
strace
🐧🛡
▲ caution
🐧 Linux🛡 root
▲ caution Trace system calls and signals a process is making. strace [-f] [-e <expr>] [-p <pid>] [-o <file>] <cmd>
6 flags -f · Follow forks (child processes too). Show all
-f
Follow forks (child processes too).
-e <expr>
Filter syscalls (trace=open,read,write or trace=%file).
-p <pid>
Attach to a running process instead of starting one.
-o <file>
Write trace to file instead of stderr.
-c
Summary table at exit — count + time per syscall.
-t
Prefix each line with a timestamp.
1 recipe

Linux-only. macOS uses dtruss (needs root + SIP adjustment) or dtrace. strace adds significant overhead — don’t attach to busy production processes without thinking. ltrace is the library-call equivalent.

 ltrace, dtruss, perf
  • man 1 strace
tmux
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Terminal multiplexer — split panes, persistent sessions over ssh. tmux [new|attach|ls|kill-session] [-t <name>]
7 flags new -s <name> · Create a named session. Show all
new -s <name>
Create a named session.
attach -t <name>
Reattach (or just `tmux a` for the most recent).
ls
List sessions.
kill-session -t <name>
End a session.
Ctrl+b d
Detach (leaves session running).
Ctrl+b % / Ctrl+b "
Split pane vertically / horizontally.
Ctrl+b c / Ctrl+b n
New window / next window.
1 recipe

Configuration goes in ~/.tmux.conf. The default prefix is Ctrl+b; many people rebind to Ctrl+a (screen-compatible) via set -g prefix C-a.

 screen, mosh
  • man 1 tmux
screen
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Older terminal multiplexer — pre-installed on many minimal systems. screen [-S <name>] [-r <name>] [-ls]
5 flags -S <name> · Create a named session. Show all
-S <name>
Create a named session.
-r [<name>]
Reattach a detached session.
-ls
List sessions.
-X <cmd>
Send a command to a running session.
Ctrl+a d
Detach (default prefix is Ctrl+a).
1 recipe
tmux
  • man 1 screen
timeout
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Run a command and kill it if it exceeds a time limit. timeout [-s <signal>] [-k <kill-after>] <duration> <cmd> [args...]
4 flags <duration> · Time limit — a number in seconds or with a suff... Show all
<duration>
Time limit — a number in seconds or with a suffix: 30s, 5m, 1h.
-s <signal>
Signal to send when time expires (default: SIGTERM).
-k <kill-after>
Send SIGKILL this long after the initial signal if the process is still alive.
--preserve-status
Exit with the command's own exit code rather than 124 on timeout.
1 recipe

timeout exits with code 124 if the time limit was reached. macOS ships gtimeout (from GNU coreutils via Homebrew) instead of timeout.

 watch, nohup
  • man 1 timeout
watch
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Re-run a command at regular intervals and show its output full-screen. watch [-n <secs>] [-d] [-t] <cmd>
5 flags -n <secs> · Refresh interval in seconds (default: 2). Show all
-n <secs>
Refresh interval in seconds (default: 2).
-d
Highlight differences between refreshes.
-t
Turn off the header (command, interval, date).
-e
Freeze the display and exit if the command returns non-zero.
-g
Exit when the command output changes (useful for waiting on a state change).
2 recipes watch -n 5 -e 'curl -s -o /dev/null -w ... Show all

watch passes the command to sh -c, so shell builtins and aliases work but interactive features (readline, colour prompts) don’t. On macOS install via brew install watch — the native system doesn’t ship it.

 timeout, top, entr
  • man 1 watch
disown
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Remove a job from the shell's job table so it keeps running after the shell exits. disown [%<jobspec>...] [-h] [-ar]
4 flags %<n> · Disown a specific job number. Show all
%<n>
Disown a specific job number.
-h
Mark the job to ignore SIGHUP but leave it in the job table.
-a
Disown all jobs.
-r
Disown only running jobs.
1 recipe

Unlike nohup, disown does not redirect output — if the process writes to the terminal after the shell exits, output is lost or can cause errors. Use nohup together with disown, or redirect explicitly before backgrounding.

 nohup, jobs, bg
  • help disown (bash builtin)
pstree
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Display running processes as a tree showing parent–child relationships. pstree [-p] [-u] [-a] [<pid>|<user>]
5 flags -p · Show PIDs alongside each process name. Show all
-p
Show PIDs alongside each process name.
-u
Show the owning user when it differs from the parent.
-a
Show command-line arguments.
-h
Highlight the current process and its ancestors.
-n
Sort by PID instead of name.
1 recipe

Install via apt install psmisc (Linux) or brew install pstree (macOS). On macOS the built-in pstree is from Homebrew; not available by default.

 ps, htop, procs
  • man 1 pstree
nice
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Launch a command with an adjusted scheduling priority. nice [-n <adj>] <cmd> [args...]
1 flag
-n <adj>
Niceness adjustment: -20 (highest priority) to +19 (lowest). Default: +10.
1 recipe

Only root can set a negative niceness (higher priority). Normal users can only raise niceness (lower priority) and cannot subsequently lower it again — use renice if you need to adjust a running process.

 renice, chrt, ionice
  • man 1 nice
renice
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Change the scheduling priority of an already-running process. renice -n <adj> [-p <pid>] [-u <user>] [-g <pgrp>]
4 flags -n <adj> · New niceness value: -20 (highest) to +19 (lowest). Show all
-n <adj>
New niceness value: -20 (highest) to +19 (lowest).
-p <pid>
Target a specific PID (default target type).
-u <user>
Renice all processes owned by a user.
-g <pgrp>
Renice all processes in a process group.
1 recipe

Only root can decrease niceness (raise priority). Non-root users can only increase niceness, and cannot undo it — plan the initial niceness at launch with nice if you’re unsure.

 nice, ionice, chrt
  • man 1 renice
curl
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Transfer data to / from URLs (HTTP, HTTPS, FTP, SFTP, and more). curl [-X <method>] [-H "<header>"] [-d <data>] [-o <file>] [-L] [-sS] <url>
12 flags -X <method> · HTTP method (GET default; POST, PUT, DELETE, PA... Show all
-X <method>
HTTP method (GET default; POST, PUT, DELETE, PATCH…).
-H "<header>"
Add a request header; repeat for multiple.
-d <data>
Request body (also implies POST if -X is not set).
--data-binary @<file>
Send the contents of a file as the body, byte-for-byte.
-o <file>
Write response body to a file instead of stdout.
-O
Save as the URL's basename.
-L
Follow 3xx redirects.
-sS
Silent (-s) but show errors (-S). Common in scripts.
-I
HEAD request — fetch headers only.
-u <user>:<pass>
HTTP basic auth.
-v
Verbose — print full request and response headers.
--fail
Return a non-zero exit code on 4xx/5xx responses.
2 recipes curl -sSf https://api.example/items | j... Show all

curl | sh executes arbitrary network code — only do this for sources you trust. Default macOS curl lacks brotli/zstd support — install via Homebrew for full features. Use --fail in scripts so 4xx/5xx responses produce a non-zero exit code.

 wget, httpie, rsync, ↳ curl
wget
🐧⚙️🤖
▲ caution
🐧 Linux⚙️ Cross-platform🤖 Termux
▲ caution Non-interactive network downloader with resume and recursive mirroring support. wget [-O <file>] [-c] [-r] [-N] [-q] <url>
7 flags -O <file> · Output filename (- for stdout). Show all
-O <file>
Output filename (- for stdout).
-c
Continue a partially downloaded file.
-r
Recursive — mirror a site.
-N
Only download if newer than the local copy.
-q
Quiet — no output.
--no-parent
Don't follow links above the given directory when mirroring.
-P <dir>
Save files into this directory.
1 recipe

Not installed on macOS by default — brew install wget. curl covers most of the same use cases and is preinstalled everywhere. Overwriting an existing file happens silently unless you use -N.

 curl, aria2c
  • man 1 wget
ping
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Send ICMP echo requests to a host and report round-trip time. ping [-c <count>] [-i <interval>] [-W <timeout>] <host>
4 flags -c <n> · Stop after n requests. Show all
-c <n>
Stop after n requests.
-i <s>
Wait s seconds between requests (default 1).
-W <s>
Per-reply timeout in seconds.
-4 / -6
Force IPv4 or IPv6.
1 recipe

Some networks block ICMP — “ping fails” doesn’t always mean the host is down. Sub-second -i values usually require root.

 traceroute, mtr
  • man 8 ping
traceroute
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Show the network path (hop by hop) to a host. traceroute [-n] [-T] [-I] [-w <s>] <host>
4 flags -n · Numeric only — don't resolve hostnames (faster). Show all
-n
Numeric only — don't resolve hostnames (faster).
-T
Use TCP SYN instead of UDP (often gets past firewalls).
-I
Use ICMP echo (Linux: needs root).
-w <s>
Wait s seconds for each reply.
1 recipe
mtr, ping
  • man 8 traceroute
mtr
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Combined traceroute + ping with a live rolling display of per-hop loss and latency. mtr [-r] [-c <count>] [-w] [-n] <host>
4 flags -r · Report mode — run N cycles then print and exit. Show all
-r
Report mode — run N cycles then print and exit.
-c <n>
Number of cycles.
-w
Wide report (no truncated hostnames).
-n
Numeric — skip reverse DNS.
1 recipe
traceroute, ping
  • man 8 mtr
dig
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Detailed DNS lookups — the canonical DNS debugger with full control over query type and resolver. dig [@<server>] <name> [<type>] [+short] [+trace]
5 flags @<server> · Use this DNS server instead of the system resol... Show all
@<server>
Use this DNS server instead of the system resolver.
<type>
Record type — A, AAAA, MX, TXT, NS, CNAME, SOA, ANY.
+short
Compact output — just the answer.
+trace
Trace the query from the roots downward.
+noall +answer
Print only the ANSWER section — cleaner than +short for multi-value records.
2 recipes dig +short example.com A && dig +short ... Show all
host, nslookup
  • man 1 dig
host
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Simpler DNS lookup utility — terse output by default, good for quick checks. host [-t <type>] [-a] <name> [<server>]
2 flags
-t <type>
Record type (A, MX, TXT, NS…).
-a
All record types (equivalent to -t ANY).
1 recipe
dig, nslookup
  • man 1 host
nslookup
🐧🍎🪟⚙️
✓ safe
🐧 Linux🍎 macOS🪟 Windows⚙️ Cross-platform
✓ safe Older interactive DNS query tool — still useful on Windows where dig is not bundled. nslookup [-type=<type>] <name> [<server>]
2 flags
-type=<type>
Record type — A, MX, TXT, NS, SOA.
-debug
Verbose mode — show full response.
1 recipe

dig is more powerful and has better scripting support; reach for nslookup on Windows where dig isn’t bundled.

 Prefer dig for scriptable output and more control over query options. dig, host
  • man 1 nslookup
ss
🐧
✓ safe
🐧 Linux
✓ safe Inspect sockets — listening ports, established connections, and per-socket stats. ss [-l] [-t] [-u] [-n] [-p] [-a]
7 flags -l · Listening sockets only. Show all
-l
Listening sockets only.
-t
TCP.
-u
UDP.
-n
Numeric — don't resolve hosts or services.
-p
Show the owning process (needs root for others' processes).
-a
All sockets (not just listening).
-s
Summary statistics — total counts by state.
2 recipes ss -tlnp | awk 'NR>1 {print $4, $6}' Show all

ss replaced netstat on modern Linux — faster and reads /proc/net directly. macOS uses netstat + lsof -i instead.

 netstat, lsof
  • man 8 ss
netstat
🐧🍎🪟⚙️
✓ safe
🐧 Linux🍎 macOS🪟 Windows⚙️ Cross-platform
✓ safe List network connections, routing tables, and interface stats. netstat [-l] [-t] [-u] [-n] [-p] [-r]
5 flags -l · Listening sockets. Show all
-l
Listening sockets.
-t / -u
TCP / UDP.
-n
Numeric addresses and ports.
-p
Show owning process (Linux; not BSD/macOS).
-r
Routing table.
1 recipe

Deprecated on modern Linux in favour of ss (faster, same data). Still standard on macOS, BSD, and Windows.

 On Linux, prefer ss — it is faster, actively maintained, and reads kernel data directly. ss, lsof, route
  • man 8 netstat
nmap
🐧🍎🪟⚙️🛡
▲ caution
🐧 Linux🍎 macOS🪟 Windows⚙️ Cross-platform🛡 root
▲ caution Port scanner and network discovery tool — detect open ports, services, and OS fingerprints. nmap [-sS|-sT|-sU] [-p <ports>] [-A] [-Pn] <target>
6 flags -sS · TCP SYN (stealth) scan — requires root. Show all
-sS
TCP SYN (stealth) scan — requires root.
-sT
TCP connect scan — no root needed but more visible.
-sU
UDP scan.
-p <ports>
Ports list (22,80,443 or 1-1024).
-A
Aggressive: OS detect, version, scripts, traceroute.
-Pn
Skip host discovery — treat all hosts as up.
1 recipe

Only scan networks you own or have written permission to scan. Aggressive scans are noisy and may trigger IDS alerts.

 ss, masscan
  • man 1 nmap
ip
🐧
▲ caution
🐧 Linux
▲ caution Show and manipulate routing, devices, addresses, and tunnels — the modern Linux networking Swiss army knife. ip [<object>] [<command>] [<args>]
5 flags ip addr · Show IP addresses on all interfaces. Show all
ip addr
Show IP addresses on all interfaces.
ip link
Show / change interface link state.
ip route
Show / change the routing table.
ip -br a
Brief one-line-per-interface summary.
ip -6 addr
Show IPv6 addresses only.
1 recipe

Replaced the older ifconfig / route / arp trio. Not available on macOS — use ifconfig + route + netstat -rn there.

 Replaces ifconfig on Linux — prefer ip for scripting and modern distros. ifconfig, ss
  • man 8 ip
nc
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Netcat — read and write arbitrary TCP/UDP connections, the swiss-army knife of networking. nc [-l] [-u] [-z] [-v] [-w <sec>] [<host>] <port>
6 flags -l · Listen mode — bind a port instead of connecting. Show all
-l
Listen mode — bind a port instead of connecting.
-u
UDP instead of TCP.
-z
Zero-I/O — port scan / connection test.
-v
Verbose.
-w <sec>
Timeout after n seconds of idle.
-k
Keep listening after a client disconnects (GNU netcat).
2 recipes nc -zv example.com 1 65535 2>&1 | grep ... Show all

Multiple incompatible implementations exist: GNU netcat (nc), OpenBSD netcat (the default on macOS and most Linux), and ncat from the nmap project. Flag behaviour differs, especially around -k and -c.

 ncat, socat, ss
  • man 1 nc
ifconfig
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Show and configure network interfaces — legacy Linux, still the default on macOS and BSD. ifconfig [<iface>] [up|down] [<addr> netmask <mask>]
3 flags <iface> up · Bring an interface online. Show all
<iface> up
Bring an interface online.
<iface> down
Bring an interface offline.
-a
Show all interfaces, including downed ones.
1 recipe

Deprecated on modern Linux — use ip. Still default on macOS and BSD.

 On Linux, prefer ip addrifconfig is legacy and may not be installed. ip
  • man 8 ifconfig
ssh
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Open an authenticated, encrypted shell on a remote host. ssh [-p <port>] [-i <key>] [-L|-R <fwd>] [<user>@]<host> [<cmd>]
10 flags -p <port> · Use a non-default port (default 22). Show all
-p <port>
Use a non-default port (default 22).
-i <keyfile>
Identity file — private key to use for auth.
-L <lport>:<rhost>:<rport>
Local port forward — bind local port to a remote-side address.
-R <rport>:<lhost>:<lport>
Remote port forward — open a port on the remote that tunnels back to you.
-D <port>
SOCKS proxy on the local port.
-J <user@jump>
Hop via a jump host.
-N
Don't execute a remote command — useful with -L / -R / -D.
-f
Background after auth — good for tunnels.
-A
Forward your ssh-agent (be careful on untrusted hosts).
-v
Verbose; -vv / -vvv for more detail (debugging auth).
2 recipes ssh host 'tail -f /var/log/app.log' Show all

Config goes in ~/.ssh/config — set HostName, User, Port, IdentityFile per host and never type those flags again. StrictHostKeyChecking accept-new is the sane default (warns on changed keys but accepts first contact). Agent forwarding (-A) gives the remote sudo over your local keys — don’t enable it on shared boxes.

 scp, rsync, ssh-keygen, ssh-copy-id
  • man 1 ssh
  • man 5 ssh_config
scp
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Copy files over SSH — simple one-shot transfers between hosts. scp [-r] [-P <port>] [-i <key>] <src>... [<user>@]<host>:<dst>
5 flags -r · Recursive — copy directories. Show all
-r
Recursive — copy directories.
-P <port>
Remote port (note: capital P, unlike ssh's -p).
-i <key>
Identity file.
-p
Preserve timestamps and mode.
-C
Compress in transit.
1 recipe

OpenSSH 9+ switched scp’s wire protocol from RCP to SFTP — behaves similarly but rejects some old quoting tricks. For anything beyond trivial copies, prefer rsync (resumes, delta transfer, much faster on retries).

 For anything beyond trivial copies prefer rsync (delta transfer, resume, faster retries) or sftp. rsync, sftp, ssh
  • man 1 scp
rsync
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Fast incremental file sync (local or over SSH) with delta transfer. rsync [-a] [-v] [--delete] [-z] [-P] <src>/ <dst>/
8 flags -a · Archive — recursive + symlinks + perms + times ... Show all
-a
Archive — recursive + symlinks + perms + times + group + owner.
-v
Verbose.
-z
Compress in transit.
--delete
Delete files on dst that aren't in src (mirror). DESTRUCTIVE — dry-run first.
-n / --dry-run
Preview what would change without doing it.
-P
Progress bar + partial-resume on interrupted transfers.
-e "ssh -p <port>"
Use a custom SSH command (e.g. non-default port).
--exclude=<pat>
Skip paths matching the pattern (repeat for multiple).
2 recipes tar -C /src -cf - . | ssh user@host 'ta... Show all

Trailing / matters: src/ means “contents of src”, src means “the src dir itself”. Always dry-run --delete first. -a is shorthand for -rlptgoD; drop -a and explicitly pick flags if you don’t want owners/groups preserved.

 scp, tar, cp
  • man 1 rsync
ssh-keygen
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Generate, inspect, and manage SSH keypairs. ssh-keygen [-t <algo>] [-b <bits>] [-f <path>] [-C <comment>]
7 flags -t ed25519 · Modern, fast, secure default. Pick this. Show all
-t ed25519
Modern, fast, secure default. Pick this.
-t rsa -b 4096
RSA fallback for old servers that don't support ed25519.
-f <path>
Output keypair to this path (and path.pub).
-C <comment>
Comment appended to the public key — usually your email.
-N ""
Empty passphrase (only for unattended use; otherwise omit).
-y -f <key>
Print the public key for an existing private key.
-l -f <key>
Print the fingerprint of a key.
1 recipe

Default output path is ~/.ssh/id_ed25519 — answer the prompts if you want a different location. Use a passphrase for anything that touches production; pair with ssh-add so you only enter it once per session.

 ssh, ssh-copy-id, ssh-add
  • man 1 ssh-keygen
ssh-copy-id
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Install your public key into a remote user's authorized_keys. ssh-copy-id [-i <pubkey>] [-p <port>] [<user>@]<host>
3 flags -i <pubkey> · Which public key to install. Show all
-i <pubkey>
Which public key to install.
-p <port>
Non-default SSH port.
-f
Force — skip the test-key-already-present check.
1 recipe

Not bundled with Windows OpenSSH — workaround: cat ~/.ssh/id_ed25519.pub | ssh user@host 'cat >> ~/.ssh/authorized_keys'.

 ssh, ssh-keygen
  • man 1 ssh-copy-id
sftp
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Interactive file transfer over SSH (FTP-like commands). sftp [-P <port>] [-i <key>] [-b <batchfile>] [<user>@]<host>
4 flags -P <port> · Remote port (note: capital P, unlike ssh's -p). Show all
-P <port>
Remote port (note: capital P, unlike ssh's -p).
-i <key>
Identity file.
-b <batchfile>
Batch mode — read sftp commands from a file.
-r
Recursive transfers (used inside the session with get/put).
1 recipe

Once connected: ls, cd, get, put, mget, mput, bye. sshfs (FUSE) mounts a remote dir as a local filesystem if you’d rather use regular file tools.

 scp, rsync, sshfs
  • man 1 sftp
mosh
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Mobile shell — SSH-like but survives roaming, sleep, and packet loss. mosh [--ssh="<ssh cmd>"] [-p <udp-port-range>] [<user>@]<host>
2 flags
--ssh="<cmd>"
Use a custom ssh invocation (e.g. with -i / -p).
-p <port>
Pin a specific UDP port instead of the 60000-61000 range.
1 recipe

Uses UDP on ports 60000–61000 — open those if your network blocks them. Needs mosh installed on both ends (server-side acts as a relay). For SSH-only environments stick with ssh + tmux.

 ssh, tmux
ssh-agent
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Authentication agent that holds decrypted private keys in memory for a session. ssh-agent [-s] [-k] | eval "$(ssh-agent -s)"
4 flags -s · Output Bourne-shell commands to set environment... Show all
-s
Output Bourne-shell commands to set environment variables (default on most systems).
-c
Output C-shell commands.
-k
Kill the running agent (uses SSH_AGENT_PID env var).
-t <seconds>
Set a default key lifetime — keys auto-expire after this many seconds.
1 recipe

Each new shell needs the agent’s environment variables (SSH_AUTH_SOCK, SSH_AGENT_PID). Most desktop environments (GNOME, macOS) auto-start an agent on login — running a second one wastes memory. On macOS, keys added with ssh-add --apple-use-keychain survive reboots via the system keychain.

 ssh-add, ssh, ssh-keygen
  • man 1 ssh-agent
ssh-add
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Add private keys to the running ssh-agent so you don't re-enter passphrases. ssh-add [-t <lifetime>] [-d] [-l] [<keyfile>...]
6 flags <keyfile> · Path to the private key to load (default: ~/.ss... Show all
<keyfile>
Path to the private key to load (default: ~/.ssh/id_ed25519, id_rsa, etc.).
-t <seconds>
Expire the key from the agent after this many seconds.
-d <keyfile>
Remove a specific key from the agent.
-D
Remove all keys from the agent.
-l
List fingerprints of all keys currently held by the agent.
--apple-use-keychain
macOS only — store the passphrase in the system Keychain so the key survives reboots.
1 recipe

Requires a running ssh-agent (check $SSH_AUTH_SOCK). On macOS, the system agent auto-loads keys from Keychain — use ssh-add --apple-use-keychain once so keys persist after a reboot.

 ssh-agent, ssh-keygen, ssh
  • man 1 ssh-add
git clone
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Copy a remote repository to your machine. git clone [--depth <n>] [-b <branch>] <url> [<dir>]
4 flags --depth <n> · Shallow clone — only the most recent n commits.... Show all
--depth <n>
Shallow clone — only the most recent n commits. Smaller, faster.
-b <branch>
Clone a specific branch (instead of the default).
--recurse-submodules
Initialise and clone submodules too.
--single-branch
Only fetch the named branch, not all branches.
1 recipe
git init, git remote
  • man 1 git-clone
git init
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Initialise a new empty repository (or reinitialise an existing one). git init [-b <branch>] [--bare] [<dir>]
3 flags -b <branch> · Set the name of the initial branch (e.g. 'main'... Show all
-b <branch>
Set the name of the initial branch (e.g. 'main' instead of 'master').
--bare
Create a bare repository — no working tree, for server-side hosting.
<dir>
Create the repo inside a new directory instead of the current one.
1 recipe
git clone, git remote
  • man 1 git-init
git status
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Show working-tree and staging-area changes. git status [-s] [-b] [--untracked-files=<mode>]
3 flags -s · Short format — two-letter status codes. Show all
-s
Short format — two-letter status codes.
-b
Show current branch + tracking info even in short mode.
-uno / --untracked-files=no
Hide untracked files (faster on big trees).
1 recipe
git diff, git log
  • man 1 git-status
git add
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Stage changes for the next commit. git add [-A|-u|-p] [<pathspec>...]
4 flags -A · Stage everything — new, modified, deleted. Show all
-A
Stage everything — new, modified, deleted.
-u
Stage modified and deleted but NOT new files.
-p
Interactive — pick hunks to stage one by one.
-n / --dry-run
Show what would be added without staging.
1 recipe

git add . stages everything below the current directory; git add -A stages the entire working tree. Big difference if you’re inside a subfolder. Use -p for surgical commits when one set of edits should be split across multiple commits.

 git restore, git reset, git commit
  • man 1 git-add
git commit
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Record staged changes as a new commit. git commit [-m "<msg>"] [-a] [--amend] [--no-edit]
5 flags -m "<msg>" · Inline commit message; skips $EDITOR. Show all
-m "<msg>"
Inline commit message; skips $EDITOR.
-a
Stage all tracked, modified files before committing.
--amend
Replace the previous commit. Rewrites history.
--no-edit
Used with --amend to keep the previous message verbatim.
-s / --signoff
Append a Signed-off-by trailer.
1 recipe

Never --amend a commit that’s already pushed to a shared branch without coordinating a force-push. -a stages already-tracked files only — new files still need git add first.

 git add, git push, git reset, git log
  • man 1 git-commit
git push
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Upload local commits to a remote branch. git push [-u] [--force-with-lease] [<remote>] [<branch>]
5 flags -u / --set-upstream · Set tracking — first push of a new branch. Show all
-u / --set-upstream
Set tracking — first push of a new branch.
--force
Overwrite remote history. Dangerous on shared branches.
--force-with-lease
Safer force — refuses if someone else pushed since you fetched.
--tags
Push tags too.
--dry-run
Show what would be pushed.
1 recipe

Default --force can wipe a teammate’s pushed work. Use --force-with-lease — it refuses to push if the remote moved on after your last fetch. Even safer: --force-with-lease=<branch>:<sha> pinning the exact SHA you expect to be overwriting.

 For opening a PR immediately after pushing, use gh pr create — combines push + PR creation. git pull, git fetch, gh pr
  • man 1 git-push
git pull
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Fetch from remote and merge / rebase into the current branch. git pull [--rebase] [--ff-only] [<remote>] [<branch>]
3 flags --rebase · Rebase local commits on top of fetched ones (cl... Show all
--rebase
Rebase local commits on top of fetched ones (cleaner history).
--ff-only
Only fast-forward; abort if a merge would be needed.
--no-ff
Always create a merge commit.
1 recipe

Set git config --global pull.rebase true (or pull.ff only) once and you’ll never accidentally create a junky “Merge branch ‘main’ of …” commit again.

 git fetch, git merge, git rebase
  • man 1 git-pull
git fetch
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Download remote commits without merging. git fetch [--all] [--prune] [<remote>] [<refspec>]
3 flags --all · Fetch from every configured remote. Show all
--all
Fetch from every configured remote.
--prune
Remove local refs to branches that no longer exist on the remote.
--tags
Fetch tags too.
1 recipe
git pull, git remote
  • man 1 git-fetch
git switch
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Change branches — the modern replacement for git checkout for branch operations. git switch [-c|-C] [-t <upstream>] <branch>
4 flags -c <branch> · Create and switch to a new branch. Show all
-c <branch>
Create and switch to a new branch.
-C <branch>
Create or reset; force-overwrite if it exists.
-
Switch to the previous branch (like cd -).
--detach
Detach HEAD at a commit instead of moving a branch.
1 recipe
git restore, git checkout, git branch
  • man 1 git-switch
git restore
⚙️
⚠ destructive
⚙️ Cross-platform
⚠ destructive Restore files in the working tree or staging area — replaces git checkout -- file. git restore [--staged] [--source=<commit>] <pathspec>...
3 flags --staged · Unstage — remove from index but keep working-tr... Show all
--staged
Unstage — remove from index but keep working-tree changes.
--source=<ref>
Restore from a specific commit/branch.
-W -S
Restore both working tree (-W) and staged version (-S).
1 recipe

git restore (no --staged) permanently discards working-tree changes — there is no undo unless you have a stash or the content in the reflog. Always check git diff before restoring.

 git switch, git reset, git checkout
  • man 1 git-restore
git branch
⚙️
✓ safe
⚙️ Cross-platform
✓ safe List, create, delete, or rename branches. git branch [-a] [-d|-D <name>] [-m <new>] [<name> [<base>]]
5 flags -a · List local + remote-tracking branches. Show all
-a
List local + remote-tracking branches.
-v / -vv
Show last commit / upstream info.
-d <name>
Delete a merged branch.
-D <name>
Force-delete (even if unmerged).
-m <new>
Rename the current branch.
1 recipe
git switch, git merge
  • man 1 git-branch
git merge
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Merge another branch into the current one. git merge [--no-ff] [--squash] [--abort] <branch>
4 flags --no-ff · Always create a merge commit, even for fast-for... Show all
--no-ff
Always create a merge commit, even for fast-forwardable cases.
--ff-only
Only allow fast-forward; abort otherwise.
--squash
Squash the merged commits into a single commit (don't auto-commit).
--abort
Bail out of a conflicted merge and reset.
1 recipe
git rebase, git pull
  • man 1 git-merge
git rebase
⚙️
⚠ destructive
⚙️ Cross-platform
⚠ destructive Replay commits onto a different base — rewrites history. git rebase [-i] [--onto <newbase>] [--continue|--abort] <upstream>
5 flags -i · Interactive — pick / squash / reword / drop / r... Show all
-i
Interactive — pick / squash / reword / drop / reorder commits.
--onto <ref>
Reparent onto a specific commit (advanced).
--continue
Resume after resolving a conflict.
--abort
Bail out and reset to the pre-rebase state.
--autosquash
Auto-apply fixup!/squash! commits during interactive rebase.
1 recipe

Never rebase commits that have been pushed to a shared branch. Rebasing rewrites SHAs, so anyone with the old SHAs will be on a diverged history. After a rebase you must --force-with-lease to push.

 git merge, git cherry-pick, git reflog
  • man 1 git-rebase
git stash
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Temporarily shelve working-tree changes. git stash [push -m "<msg>"|pop|list|drop|apply]
6 flags push -m "<msg>" · Save current changes with a label. Show all
push -m "<msg>"
Save current changes with a label.
-u
Include untracked files too.
pop
Apply the top stash and drop it from the list.
apply
Apply without dropping.
list
Show all stashes.
drop stash@{<n>}
Delete a specific stash entry.
1 recipe

Stashes are local-only — they never push or sync. Don’t treat the stash as long-term storage; commit to a wip branch if you’ll be gone for more than a day. stash pop can conflict just like a merge; resolve conflicts then git stash drop manually if pop leaves the stash behind.

 git commit, git restore, git switch
  • man 1 git-stash
git log
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Show commit history. git log [--oneline] [--graph] [-<n>] [--author=<who>] [<path>...]
7 flags --oneline · One commit per line — SHA + subject. Show all
--oneline
One commit per line — SHA + subject.
--graph
ASCII branch/merge graph.
-<n>
Last n commits.
--author=<who>
Filter by author.
--since=<when>
Commits newer than e.g. '2 weeks ago'.
-p
Show diffs alongside each commit.
--stat
Show per-file change counts.
1 recipe
git show, git diff, git blame
  • man 1 git-log
git diff
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Show changes between commits, branches, working tree, or staging. git diff [--staged] [<commit>[..<commit>]] [-- <path>...]
4 flags --staged / --cached · Diff staged changes vs HEAD. Show all
--staged / --cached
Diff staged changes vs HEAD.
--stat
Summary of changes per file.
--name-only
Just the changed filenames.
-w
Ignore whitespace changes.
1 recipe
git log, git show
  • man 1 git-diff
git reset
⚙️
⚠ destructive
⚙️ Cross-platform
⚠ destructive Move HEAD (and optionally the index / working tree) to a different commit. git reset [--soft|--mixed|--hard] [<commit>]
3 flags --soft · Move HEAD only. Index and working tree untouched. Show all
--soft
Move HEAD only. Index and working tree untouched.
--mixed
Move HEAD and reset index. Working tree untouched (default).
--hard
Move HEAD and reset both index and working tree. DESTRUCTIVE.
1 recipe

--hard discards uncommitted changes silently — no undo. Use git reflog to recover the previous HEAD if you reset by mistake. Avoid --hard on shared branches; use git revert instead to create a safe undo commit.

 git restore, git revert, git reflog
  • man 1 git-reset
git remote
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Manage the set of configured remote repositories. git remote [-v | add <name> <url> | set-url <name> <url> | remove <name>]
4 flags -v · Verbose list — show URLs. Show all
-v
Verbose list — show URLs.
add <name> <url>
Add a new remote.
set-url <name> <url>
Change an existing remote's URL.
rename <old> <new>
Rename a remote.
1 recipe
git fetch, git push
  • man 1 git-remote
git tag
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Create, list, or delete lightweight / annotated tags. git tag [-a <name> -m "<msg>"] [-d <name>] [-l <glob>]
4 flags -a <name> · Annotated tag (carries metadata + message). Show all
-a <name>
Annotated tag (carries metadata + message).
-m "<msg>"
Annotation message (required with -a).
-d <name>
Delete a local tag.
-l <glob>
List tags matching a glob.
1 recipe
git push, git describe
  • man 1 git-tag
git cherry-pick
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Apply specific commits from another branch onto the current one. git cherry-pick [-x] [-n] [--continue|--abort] <commit>...
4 flags -x · Append a 'cherry-picked from <sha><... Show all
-x
Append a 'cherry-picked from <sha>' line to the commit message.
-n / --no-commit
Apply but don't auto-commit — stage only.
--continue / --abort
Resume / bail out of a conflicted cherry-pick.
<a>..<b>
Cherry-pick a range of commits (excluding a).
1 recipe
git rebase, git revert
  • man 1 git-cherry-pick
git revert
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Create a new commit that undoes the changes from a previous commit. git revert [--no-commit] [--continue|--abort] <commit>...
3 flags --no-commit / -n · Apply the revert as staged changes; commit your... Show all
--no-commit / -n
Apply the revert as staged changes; commit yourself.
-m <parent>
When reverting a merge commit, pick which parent's mainline to keep.
--continue / --abort
Resume / bail out of a conflicted revert.
1 recipe

git revert creates a new commit instead of rewriting history — safe to use on shared branches, unlike git reset or git rebase. Reverting a merge commit needs -m 1 to indicate “keep the mainline” (usually the branch you merged into).

 git reset, git cherry-pick, git reflog
  • man 1 git-revert
git reflog
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Show the local history of HEAD movements — the 'undo' database. git reflog [show] [<ref>] [-<n>]
3 flags show · Default subcommand — list recent HEAD positions. Show all
show
Default subcommand — list recent HEAD positions.
-<n>
Limit to the last n entries.
expire
Prune old reflog entries (rarely needed manually).
1 recipe

The reflog is your safety net for any operation that rewrites history (reset --hard, rebase, amend, checkout --). Default expiry is 90 days. The reflog is local-only — never pushed.

 git reset, git rebase
  • man 1 git-reflog
git show
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Show one commit (or other object) — message, diff, metadata. git show [--stat] [--name-only] [<commit>]
4 flags <commit> · Default: HEAD. Show all
<commit>
Default: HEAD.
--stat
Per-file change summary instead of the full diff.
--name-only
Just the changed filenames.
-s
Suppress diff output (message only).
1 recipe
git log, git diff
  • man 1 git-show
git blame
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Annotate each line of a file with the commit that last touched it. git blame [-L <range>] [-w] [-C] [-M] <file>
4 flags -L <start>,<end> · Blame only the given line range (also -L /patte... Show all
-L <start>,<end>
Blame only the given line range (also -L /pattern/).
-w
Ignore whitespace-only changes.
-C
Detect lines copied from other files in the same commit.
-M
Detect lines moved within the same file.
1 recipe
git log, git show
  • man 1 git-blame
git bisect
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Binary-search the commit history to find the one that introduced a bug. git bisect [start|good|bad|reset] [<commit>]
4 flags start [<bad>] [<good>] · Begin a bisect session. Show all
start [<bad>] [<good>]
Begin a bisect session.
good / bad
Mark the current commit good or bad; git checks out the next midpoint.
reset
End the session and restore the original HEAD.
run <cmd>
Automate — git runs <cmd> at each step (exit 0 = good, non-0 = bad).
1 recipe
git log, git diff
  • man 1 git-bisect
git submodule
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Manage repositories nested inside the current one. git submodule [add|init|update|status|deinit] [args...]
5 flags add <url> [<path>] · Add a new submodule at <path>. Show all
add <url> [<path>]
Add a new submodule at <path>.
init
Register submodules in .git/config (read from .gitmodules).
update [--init] [--recursive]
Check out each submodule at the SHA the parent pinned.
--remote
Update to the latest commit on the submodule's tracked branch.
deinit <path>
Remove a submodule's working tree (does not delete commits).
1 recipe

Submodules are notoriously fiddly — they pin specific commits, so pulling main may leave submodules at stale SHAs unless you git submodule update. Many projects switch to git subtrees or Bazel / nx workspaces to escape the pain.

 git clone
  • man 1 git-submodule
git worktree
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Check out multiple branches simultaneously in separate working directories. git worktree [add|list|remove|prune] [<path>] [<commit-ish>]
5 flags add <path> <branch> · Create a new linked working tree at <p... Show all
add <path> <branch>
Create a new linked working tree at <path> for <branch>.
-b <newbranch>
Create and check out a new branch in the worktree.
list
List all worktrees with their HEAD and path.
remove <path>
Remove a worktree (must be clean).
prune
Remove stale worktree administrative files.
1 recipe

Each branch can only be checked out in one worktree at a time — git will refuse to add a worktree for a branch already in use elsewhere. Clean up stale worktrees with git worktree prune after removing directories manually.

 git branch, git switch
  • man 1 git-worktree
git clean
⚙️
⚠ destructive
⚙️ Cross-platform
⚠ destructive Remove untracked files and directories from the working tree. git clean [-f] [-d] [-x] [-n] [<path>...]
5 flags -f · Force — required to actually delete (safety gate). Show all
-f
Force — required to actually delete (safety gate).
-d
Also remove untracked directories.
-x
Also remove files ignored by .gitignore (e.g. build artifacts).
-n / --dry-run
Preview what would be removed without deleting anything.
-i
Interactive — confirm each deletion.
1 recipe

git clean has no undo — deleted untracked files are gone permanently (not in reflog). Always run -n first. -x will delete .env, build outputs, and any other ignored files — be careful in projects with local-only config.

 git restore, git reset
  • man 1 git-clean
git config
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Read and write per-repo, user-global, or system-wide git settings. git config [--global|--local|--system] [<key> [<value>] | --list | --unset <key>]
6 flags --global · Write to ~/.gitconfig (all repos for the curren... Show all
--global
Write to ~/.gitconfig (all repos for the current user).
--local
Write to .git/config (this repo only, default).
--system
Write to the system-wide config (all users).
--list
Dump all settings in effect (shows which file each comes from with --show-origin).
--unset <key>
Remove a setting.
--show-origin
Include the config file path next to each setting.
1 recipe

Local config (.git/config) overrides global (~/.gitconfig) which overrides system. Always verify with --show-origin when a setting doesn’t take effect. Sensitive values (tokens, signing keys) should go in a file outside the repo, referenced by include.path.

 git alias
  • man 1 git-config
git describe
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Describe a commit using the nearest reachable tag and offset. git describe [--tags] [--always] [--dirty[=<suffix>]] [<commit>]
5 flags --tags · Consider lightweight tags (not just annotated o... Show all
--tags
Consider lightweight tags (not just annotated ones).
--always
Fall back to the SHA if no tag is reachable.
--long
Always show the long format (tag-N-gSHA) even when exactly on a tag.
--dirty[=<suffix>]
Append '-dirty' (or a custom suffix) if the working tree has uncommitted changes.
--abbrev=<n>
Use n hex digits for the SHA (default 7).
1 recipe
git tag, git log
  • man 1 git-describe
gh pr
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Create, view, and manage GitHub pull requests from the terminal. gh pr [create|view|list|checkout|merge|close|edit] [<number>|<url>] [flags]
8 flags create · Open a new PR; prompts for title, body, base, a... Show all
create
Open a new PR; prompts for title, body, base, and reviewers.
--title / --body
Supply PR title and body non-interactively.
--base <branch>
Set the target branch (default: the repo's default branch).
--draft
Open as a draft PR.
--fill
Pre-fill title/body from the branch's commits automatically.
checkout <number>
Fetch and check out a PR's branch locally.
merge <number>
Merge a PR via the API (--squash / --rebase / --merge).
list
List open PRs.
1 recipe
Use gh pr create after pushing instead of opening the GitHub web UI — it stays in the terminal flow. gh repo, gh issue, git push
gh repo
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Create, clone, fork, and view GitHub repositories from the terminal. gh repo [create|clone|fork|view|sync] [<repo>] [flags]
6 flags create · Create a new repo on GitHub (interactive or via... Show all
create
Create a new repo on GitHub (interactive or via flags).
--public / --private / --internal
Visibility of the created repo.
clone <repo>
Clone a repo by owner/name — no need to copy the full URL.
fork <repo>
Fork a repo to your account and clone it locally.
view <repo>
Display repo metadata; open in browser with --web.
sync
Sync a fork with its upstream.
1 recipe
gh pr, gh issue, git clone, git remote
gh issue
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Create, view, list, and close GitHub issues from the terminal. gh issue [create|view|list|close|edit|comment] [<number>] [flags]
6 flags create · Open an issue — interactive or via --title / --... Show all
create
Open an issue — interactive or via --title / --body / --label.
--label <label>
Apply one or more labels (repeat the flag for multiple).
--assignee <user>
Assign the issue to a user (@ for yourself).
list
List open issues; filter with --state, --label, --assignee.
close <number>
Close an issue.
view <number> --web
Open the issue in the browser.
1 recipe
gh pr, gh repo
apt
🐧🛡🤖
▲ caution
🐧 Linux🛡 root🤖 Termux
▲ caution Debian/Ubuntu package manager — the user-facing wrapper around apt-get and apt-cache. apt [update|upgrade|install|remove|purge|autoremove|search|show] [<pkg>...]
8 flags update · Refresh the package list from configured repos. Show all
update
Refresh the package list from configured repos.
upgrade
Upgrade all installed packages to their latest available versions.
install <pkg>
Install one or more packages.
remove <pkg>
Remove a package but keep its config files.
purge <pkg>
Remove a package and delete its config files.
autoremove
Drop orphaned dependencies no longer needed by any installed package.
search <pat>
Search package names and descriptions for a pattern.
show <pkg>
Display detailed metadata for a package.
2 recipes sudo apt update && sudo apt upgrade -y ... Show all

Always run apt update before apt install — a stale index causes “package not found” errors even when the package exists. purge deletes config files; remove keeps them. Prefer apt-get in non-interactive scripts (its output format and exit codes are stable across releases).

 apt supersedes apt-get/apt-cache for interactive use; prefer apt-get in scripts for its stable CLI contract apt-get, dpkg
  • man 8 apt
brew
🍎🐧⚙️
▲ caution
🍎 macOS🐧 Linux⚙️ Cross-platform
▲ caution Homebrew package manager for macOS (and Linux via Linuxbrew). brew [install|uninstall|upgrade|search|info|services] [<pkg>...]
9 flags install <pkg> · Install a formula. Show all
install <pkg>
Install a formula.
install --cask <pkg>
Install a GUI app (cask).
uninstall <pkg>
Remove a package.
upgrade
Upgrade all installed formulae and casks (or a single named package).
update
Fetch the latest Homebrew and formula definitions from GitHub.
search <pat>
Search formulae and casks by name or description.
info <pkg>
Show metadata, deps, and installed status for a formula.
services [start|stop|restart] <pkg>
Manage launchd-driven services (macOS only).
list
List all installed formulae and casks.
2 recipes brew update && brew upgrade && brew cle... Show all

Never run sudo brew — Homebrew installs into a user-writable prefix and refuses to run as root by design. On Apple Silicon the prefix is /opt/homebrew; on Intel it is /usr/local — scripts that hardcode the path will break cross-architecture.

 port, apt
pacman
🐧🛡
▲ caution
🐧 Linux🛡 root
▲ caution Arch Linux package manager — fast, simple, and handles full system upgrades atomically. pacman [-S|-R|-Q|-Sy|-Syu|-Ss|-U] [<pkg>...]
9 flags -S <pkg> · Install or upgrade a package from the repos. Show all
-S <pkg>
Install or upgrade a package from the repos.
-Sy
Refresh the package database only.
-Syu
Refresh the database then perform a full system upgrade.
-R <pkg>
Remove a package, keeping orphaned dependencies.
-Rns <pkg>
Remove a package, its unneeded deps, and its config files.
-Ss <pat>
Search remote package repos by name or description.
-Qi <pkg>
Show detailed info about an installed package.
-Qe
List packages explicitly installed by the user (not pulled as deps).
-U <file.pkg.tar.zst>
Install a local package file.
2 recipes sudo pacman -Syu && pacman -Qe | wc -l Show all

Never run pacman -Sy <pkg> (sync index only, then install) on a running Arch system — partial upgrades break the shared-library dependency chain and can render the system unbootable. Always use -Syu to upgrade everything atomically first. -Rns permanently deletes config files; -R alone leaves them in place.

 yay, paru, dnf
  • man 8 pacman
pip
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Install Python packages from PyPI — the standard tool for pure-Python library dependencies. pip [install|uninstall|list|show|freeze] [<pkg>...]
8 flags install <pkg> · Install a package from PyPI. Show all
install <pkg>
Install a package from PyPI.
install -r requirements.txt
Install every dependency listed in a requirements file.
install -e <path>
Editable install — changes to source code take effect immediately without reinstalling.
install --user <pkg>
Install into the user site-packages, not the system Python.
install -U <pkg>
Upgrade an already-installed package to the latest version.
uninstall <pkg>
Remove an installed package.
freeze
Dump all installed package versions in requirements.txt format.
list --outdated
List installed packages that have newer releases available on PyPI.
2 recipes python -m venv .venv && . .venv/bin/act... Show all

Never pip install as root on a system Python — it collides with the distro package manager. On modern Debian/Ubuntu, the system Python is “externally managed” and pip refuses unless --break-system-packages is passed (a red flag to avoid). Always use a venv or pipx for CLI tools.

 uv pip is a drop-in replacement 10–100× faster; pipx handles CLI tool installs in isolated envs pipx, uv, poetry
pipx
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Install Python CLI tools into isolated per-tool virtual environments so they never conflict. pipx [install|uninstall|upgrade|run|list] <pkg>
7 flags install <pkg> · Install a CLI tool into a dedicated venv and ex... Show all
install <pkg>
Install a CLI tool into a dedicated venv and expose its binary on PATH.
uninstall <pkg>
Remove a tool and its isolated environment.
upgrade <pkg>
Upgrade a single installed tool to its latest version.
upgrade-all
Upgrade every tool managed by pipx.
run <pkg> [args...]
Fetch and run a tool without installing it — ephemeral, like npx.
list
List all tools installed by pipx with their versions.
inject <pkg> <dep>
Add an extra library into an existing tool's venv (for plugins).
2 recipes pipx install ansible && pipx inject ans... Show all

pipx run re-downloads the package every time by default; add --spec <pkg>==<ver> to pin a version for reproducible one-off runs. Tools installed via pipx do not see each other’s dependencies — if a tool needs a plugin, use pipx inject rather than a bare pip install.

 uv tool install is a faster drop-in for pipx install pip, uv
npm
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Node.js package manager — installs dependencies, runs scripts, and publishes packages. npm [install|uninstall|update|run|publish|init] [<pkg>...]
9 flags install <pkg> · Install a package into ./node_modules and recor... Show all
install <pkg>
Install a package into ./node_modules and record it in package.json.
install -g <pkg>
Install a package globally as a system-wide CLI tool.
install --save-dev <pkg>
Install and record as a devDependency (not shipped in production).
install
Install every dependency listed in package.json.
ci
Clean install — installs exactly what package-lock.json specifies, without updating it.
run <script>
Run a script defined in the package.json scripts block.
update [<pkg>]
Upgrade packages within the semver ranges declared in package.json.
outdated
List packages that have newer releases available.
uninstall <pkg>
Remove a package from node_modules and package.json.
2 recipes npm ci && npm run lint && npm test && n... Show all

Use npm ci in CI — it errors instead of silently mutating package-lock.json, and it’s faster because it skips dependency resolution. Never mix npm and yarn/pnpm in the same repo — each writes its own lockfile and they will conflict.

 pnpm or bun are faster drop-ins with stricter dependency isolation npx, pnpm, yarn
npx
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Run a one-off npm package binary without installing it globally. npx [-y] <package>[@version] [args...]
4 flags -y / --yes · Auto-accept the install prompt without asking. Show all
-y / --yes
Auto-accept the install prompt without asking.
<pkg>@<ver>
Pin a specific version of the package to run.
--no
Never install — only use an already-available local binary.
--package <pkg>
Install a package without running it (useful for adding to PATH temporarily).
2 recipes npx serve dist/ Show all

npx will silently install and execute packages from npm — double-check the package name to avoid typosquatting attacks. When a local node_modules/.bin binary matches the name, npx runs that instead of downloading, which is usually the desired behaviour.

 npm
cargo
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Rust package manager and build tool — manages crate dependencies, compilation, and testing. cargo [new|build|run|test|add|install|publish] [<args>...]
8 flags new <name> · Create a new Rust project directory with a Carg... Show all
new <name>
Create a new Rust project directory with a Cargo.toml and src/main.rs.
build [--release]
Compile the project; --release enables optimisations and strips debug symbols.
run [-- <args>]
Build and execute the binary; arguments after -- are passed to the program.
test [<filter>]
Run unit and integration tests, optionally filtering by name.
add <crate>
Add a dependency to Cargo.toml and update Cargo.lock.
install <crate>
Compile and install a binary crate globally into ~/.cargo/bin.
update
Update dependencies in Cargo.lock to the latest compatible versions.
clippy
Run the Clippy linter for idiomatic Rust style suggestions.
2 recipes cargo test && cargo build --release Show all

cargo install compiles from source — the first install of a large crate like rustc-serialize can take several minutes. Binary crates installed via cargo install are not automatically updated; re-run cargo install <crate> to upgrade, or use cargo-update (cargo install cargo-update) for a bulk upgrade command.

 rustup
bundle
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Ruby's Bundler — manage gem dependencies per project using a Gemfile and Gemfile.lock. bundle [install|update|exec|add|check] [<gem>...]
6 flags install · Install all gems specified in Gemfile.lock into... Show all
install
Install all gems specified in Gemfile.lock into the bundle.
update [<gem>]
Re-resolve and upgrade gems within the constraints in the Gemfile.
exec <cmd>
Run a command in the context of the bundle (uses bundled gem versions).
add <gem>
Add a gem to the Gemfile and install it immediately.
check
Verify that all Gemfile dependencies are satisfied without installing.
outdated
List gems that have newer versions available.
2 recipes bundle install && bundle exec jekyll build Show all

Always prefix Ruby commands with bundle exec in a Bundler project — running a gem binary directly uses the globally installed version, which may differ from what Gemfile.lock specifies and cause subtle incompatibilities. Commit Gemfile.lock for applications (reproducible installs) but not for libraries (allows downstream flexibility).

 gem
dnf
🐧🛡
▲ caution
🐧 Linux🛡 root
▲ caution Fedora and RHEL package manager — the modern successor to yum with improved dependency resolution. dnf [install|remove|upgrade|search|info|list|group] [<pkg>...]
9 flags install <pkg> · Install one or more packages from configured re... Show all
install <pkg>
Install one or more packages from configured repos.
remove <pkg>
Uninstall a package and, by default, its unneeded dependencies.
upgrade [<pkg>]
Upgrade all installed packages (or a single named package).
search <pat>
Search package names and summaries for a pattern.
info <pkg>
Show detailed metadata for a package.
list installed
List all currently installed packages.
group install <grp>
Install a predefined package group such as "Development Tools".
autoremove
Remove packages installed as dependencies that are no longer needed.
history
Show the transaction history — useful for auditing or undoing changes.
2 recipes sudo dnf upgrade -y && sudo dnf autorem... Show all

dnf remove also removes dependent packages by default — inspect the removal list carefully before confirming. Use dnf history undo last to roll back the most recent transaction if a removal goes wrong. On RHEL 8/9 the command may be dnf4 or aliased — check which binary is active.

 dnf replaces yum — same subcommands, faster solver, and better output yum, rpm, apt
  • man 8 dnf
apk
🐧🛡
▲ caution
🐧 Linux🛡 root
▲ caution Alpine Linux package manager — lean and fast, commonly used in Docker container images. apk [add|del|update|upgrade|search|info] [<pkg>...]
7 flags add <pkg> · Install a package. Show all
add <pkg>
Install a package.
add --no-cache <pkg>
Install without storing the package index — saves space in container layers.
del <pkg>
Remove a package.
update
Refresh the package index from configured repositories.
upgrade
Upgrade all installed packages to their latest available versions.
search <pat>
Search the package index for a pattern.
info <pkg>
Display metadata and file list for an installed package.
2 recipes apk add --no-cache bash git openssh-cli... Show all

The --no-cache flag is the canonical way to avoid bloating Alpine container layers — it is equivalent to apk add … && rm -rf /var/cache/apk/* but done in a single step. Alpine uses musl libc, not glibc — some binaries compiled for standard Linux will not run or require the libc6-compat compatibility package.

 apt, dnf
dpkg
🐧🛡
▲ caution
🐧 Linux🛡 root
▲ caution Low-level Debian package tool — install, remove, and inspect individual .deb files. dpkg [-i|-r|-l|-L|-S] [<pkg>|<file>]
6 flags -i <file.deb> · Install a .deb file directly — does not resolve... Show all
-i <file.deb>
Install a .deb file directly — does not resolve dependencies, use apt for that.
-r <pkg>
Remove an installed package, keeping its config files.
-l [<pat>]
List installed packages, optionally filtered by a glob pattern.
-L <pkg>
List all files installed by a package.
-S <file>
Find which installed package owns a given file path.
--get-selections
Dump the install/hold/deinstall state of all packages — useful for backups.
2 recipes sudo dpkg -i package.deb; sudo apt-get ... Show all

dpkg -i does not resolve dependencies — the install will fail with “depends on…” errors if prerequisites are missing. Follow up with sudo apt-get install -f to fetch and install the missing deps automatically. Use apt instead of dpkg whenever possible for automatic dependency handling.

 apt, apt-get
  • man 1 dpkg
yarn
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Alternative Node.js package manager — deterministic installs via a lockfile, workspaces support. yarn [install|add|remove|run|upgrade] [<pkg>...]
7 flags install · Install all dependencies from yarn.lock into no... Show all
install
Install all dependencies from yarn.lock into node_modules.
add <pkg>
Add a dependency and update yarn.lock.
add -D <pkg>
Add as a devDependency.
remove <pkg>
Remove a dependency from package.json and yarn.lock.
run <script>
Run a script defined in package.json (shorthand: yarn <script>).
upgrade [<pkg>]
Upgrade packages within the semver ranges in package.json.
workspaces foreach run build
Run the build script in every workspace (Yarn Berry monorepos).
2 recipes yarn install --frozen-lockfile && yarn ... Show all

Classic Yarn v1 and Berry (v2+) have meaningfully different behaviours — Berry’s Plug’n’Play mode bypasses node_modules entirely and breaks some tooling that assumes the directory exists. Check .yarnrc.yml if things behave oddly; the presence of that file means Berry.

 pnpm or bun offer comparable speed with stricter hoisting rules npm, pnpm, bun
pnpm
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Performant, disk-efficient Node package manager using a shared content-addressable store. pnpm [install|add|remove|run|exec|dlx] [<pkg>...]
8 flags install · Install all dependencies from the lockfile (ali... Show all
install
Install all dependencies from the lockfile (alias: i).
add <pkg>
Add a dependency (-D for dev, -O for optional, -g for global).
remove <pkg>
Remove a dependency from package.json and the lockfile.
run <script>
Run a script from package.json.
exec <cmd>
Run a binary from node_modules/.bin without 'run'.
dlx <pkg>
Fetch and execute a package in a temporary environment — pnpm's equivalent of npx.
-w / --workspace-root
Operate on the monorepo workspace root instead of the current package.
--filter <pattern>
Scope the command to matching workspace packages.
2 recipes pnpm install --frozen-lockfile && pnpm ... Show all

pnpm’s strict symlinked node_modules layout means packages cannot accidentally import unlisted dependencies (phantom deps) — a feature, but it can break code that relies on npm/yarn’s flat hoisting. Set shamefully-hoist=true in .npmrc only as a last resort; prefer fixing the actual dependency declaration.

 bun is a comparable alternative; both outperform npm on install speed npm, yarn
flatpak
🐧
▲ caution
🐧 Linux
▲ caution Install sandboxed Linux desktop applications from Flathub and other remotes, distribution-agnostic. flatpak [install|uninstall|update|run|list|search] [<remote>] <app>
7 flags install <remote> <app> · Install an application from a configured remote... Show all
install <remote> <app>
Install an application from a configured remote (e.g. flathub).
uninstall <app>
Remove an installed Flatpak application.
update
Update all installed Flatpak applications and runtimes.
run <app>
Launch an installed Flatpak application.
list
List all installed Flatpak applications and runtimes.
search <pat>
Search for applications across all configured remotes.
remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
Add the Flathub remote if it is not already configured.
2 recipes flatpak remote-add --if-not-exists flat... Show all

Flatpak apps run in a sandbox with restricted access to the host filesystem — some apps need extra permissions granted via flatpak override --user --filesystem=home <app> (or the Flatseal GUI). Runtimes are shared between apps but can accumulate; run flatpak uninstall --unused periodically to reclaim space.

 snap, apt, dnf
snap
🐧
▲ caution
🐧 Linux
▲ caution Install sandboxed snap packages from the Snap Store — cross-distribution, auto-updating. snap [install|remove|refresh|find|list|info] [<pkg>]
7 flags install <pkg> · Install a snap from the Snap Store. Show all
install <pkg>
Install a snap from the Snap Store.
install --classic <pkg>
Install in classic confinement mode — full filesystem access, required by some developer tools.
remove <pkg>
Remove an installed snap and its data.
refresh [<pkg>]
Update all installed snaps (or a single named snap) to the latest channel version.
find <pat>
Search the Snap Store for matching applications.
list
List all installed snaps with channel and version info.
info <pkg>
Show available channels, version, size, and confinement details for a snap.
2 recipes sudo snap install node --classic --chan... Show all

Snaps run as squashfs images mounted at /snap/<name> — they add mount points and may slow cold startup. Classic confinement (--classic) removes sandboxing entirely; treat classic snaps with the same trust as native packages. Snap Store is proprietary and controlled by Canonical; organisations requiring air-gap installs should consider Flatpak instead.

 flatpak, apt
gem
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Ruby's built-in package manager — install, manage, and publish RubyGems globally or per-user. gem [install|uninstall|update|list|search|info] [<gem>...]
8 flags install <gem> · Install a gem from RubyGems.org. Show all
install <gem>
Install a gem from RubyGems.org.
install <gem> -v <version>
Install a specific version of a gem.
uninstall <gem>
Remove an installed gem.
update [<gem>]
Upgrade all installed gems (or a single named gem) to their latest versions.
list [<pat>]
List locally installed gems, optionally filtered by a pattern.
search <pat>
Search RubyGems.org for gems matching a pattern.
info <gem>
Show metadata for an installed gem.
--user-install
Install the gem into the user's home directory, not the system Ruby.
2 recipes gem install bundler jekyll && bundle init Show all

Avoid sudo gem install on a system Ruby — writing to the system gem path risks breaking OS tools that depend on specific gem versions (macOS is particularly fragile here). Use rbenv or rvm to manage per-project Ruby versions, or pass --user-install to install into ~/.gem. In Bundler-managed projects, prefer bundle add <gem> over bare gem install.

 bundle, rbenv
apt-get
🐧🛡
▲ caution
🐧 Linux🛡 root
▲ caution Low-level Debian/Ubuntu package tool with a stable CLI contract — preferred over apt in scripts. apt-get [update|upgrade|dist-upgrade|install|remove|purge|autoremove] [<pkg>...]
9 flags update · Refresh the package index from configured repos... Show all
update
Refresh the package index from configured repositories.
upgrade
Upgrade installed packages without removing any (never adds new deps that need removals).
dist-upgrade
Upgrade and intelligently add/remove packages to satisfy new dependencies.
install <pkg>
Install one or more packages and their dependencies.
remove <pkg>
Remove a package but keep its config files.
purge <pkg>
Remove a package together with its config files.
autoremove
Drop orphaned dependencies no package needs any more.
-y
Assume yes to all prompts — required for non-interactive scripts.
install -f
Fix broken dependencies (e.g. after a failed dpkg -i).
2 recipes sudo DEBIAN_FRONTEND=noninteractive apt... Show all

Prefer apt-get over apt in scripts — its output format and exit codes are a stable contract across releases, whereas apt prints a warning that “its CLI is not stable”. upgrade never removes packages; use dist-upgrade when an upgrade requires removals (e.g. a kernel transition). Set DEBIAN_FRONTEND=noninteractive to avoid debconf dialogs hanging an automated install.

 apt is the friendlier interactive front-end; keep apt-get for scripts apt, dpkg
  • man 8 apt-get
winget
🪟
▲ caution
🪟 Windows
▲ caution Windows Package Manager — Microsoft's official CLI for installing and updating Windows apps. winget [install|uninstall|upgrade|search|show|list] [<id>|<name>]
8 flags install <id> · Install a package by its ID or name from the co... Show all
install <id>
Install a package by its ID or name from the configured sources.
uninstall <id>
Remove an installed package.
upgrade [<id>]
Upgrade a named package, or list available upgrades when given no argument.
upgrade --all
Upgrade every package that has a newer version available.
search <term>
Search the repositories for packages matching a term.
show <id>
Display detailed metadata for a package.
list
List installed packages winget can manage.
-e / --exact
Match the ID/name exactly rather than as a substring.
2 recipes winget install --id Git.Git -e --silent... Show all

Package IDs (e.g. Microsoft.PowerShell) are stable; loose name matches can resolve to the wrong package, so pass --id with -e for scripts. Unattended installs need --silent plus --accept-package-agreements and --accept-source-agreements, or winget will block waiting for input. winget ships with modern Windows 10/11 via “App Installer”.

 choco
choco
🪟
▲ caution
🪟 Windows
▲ caution Chocolatey — a community-driven Windows package manager built on PowerShell and NuGet. choco [install|uninstall|upgrade|search|list|outdated] [<pkg>...]
8 flags install <pkg> · Install one or more packages from the Chocolate... Show all
install <pkg>
Install one or more packages from the Chocolatey community repository.
uninstall <pkg>
Remove an installed package.
upgrade <pkg>
Upgrade a package (all upgrades everything).
search <term>
Search the repository for matching packages.
list
List locally installed Chocolatey packages.
outdated
Show installed packages that have newer versions available.
-y
Confirm all prompts automatically — required for unattended runs.
--version <v>
Pin a specific package version to install.
2 recipes choco install git vscode 7zip -y Show all

Chocolatey must run from an elevated (Administrator) PowerShell or cmd, and most operations need -y to skip confirmation in scripts. The community feed is volunteer-maintained, so a given package’s quality and update cadence vary — verify the source for anything sensitive. Packages install to C:\\ProgramData\\chocolatey; pin versions with --version for reproducible provisioning.

 winget is Microsoft's first-party alternative; Chocolatey has a larger community catalogue winget
zypper
🐧🛡
▲ caution
🐧 Linux🛡 root
▲ caution openSUSE and SUSE Linux Enterprise package manager with strong dependency and repo handling. zypper [in|rm|up|dup|se|if|ref] [<pkg>...]
8 flags in <pkg> · Install one or more packages (full form: ... Show all
in <pkg>
Install one or more packages (full form: install).
rm <pkg>
Remove a package (full form: remove).
up [<pkg>]
Update installed packages to newer versions within the current repos.
dup
Distribution upgrade — the correct way to move a rolling Tumbleweed system forward.
ref
Refresh repository metadata (refresh).
se <pat>
Search for packages by name or summary (search).
if <pkg>
Show detailed info for a package (info).
-n / --non-interactive
Assume the default answer to all prompts — for scripts.
2 recipes sudo zypper -n dup --allow-vendor-change Show all

On rolling Tumbleweed, use zypper dup (dist upgrade), not zypper up — plain up can leave a rolling release in a partially upgraded, inconsistent state. The short subcommands (in, rm, se) are aliases for the full words. Pass -n for non-interactive scripts; otherwise zypper waits for a y/n answer.

 dnf, apt
nix-env
🐧
▲ caution
🐧 Linux
▲ caution Imperative package manager for Nix — install, upgrade, and roll back packages per user profile. nix-env [-i|-e|-u|-q] [<pkg>...] [--rollback]
7 flags -i <pkg> · Install a package into the current user's Nix p... Show all
-i <pkg>
Install a package into the current user's Nix profile.
-e <pkg>
Erase (uninstall) a package from the profile.
-u [<pkg>]
Upgrade installed packages (all, or a named one).
-q
Query — list installed packages (--installed) or available ones (-a).
-qaP <pat>
Search available packages by attribute path matching a pattern.
--rollback
Revert the profile to its previous generation.
--list-generations
List every saved generation of the profile with timestamps.
2 recipes nix-env -u && nix-env --list-generations Show all

Prefer attribute-path installs (-iA nixpkgs.<name>) over name matching (-i <name>) — the latter is slow and can resolve ambiguously. Every change creates a new generation, so --rollback always works, but old generations pin store paths and consume disk until you run nix-collect-garbage -d. On flakes-based setups, nix profile is the modern replacement for nix-env.

 nix profile (with flakes) is the newer interface superseding nix-env apt, dnf
tar
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Tape archiver — bundle (and optionally compress) directories. tar [c|x|t] [v] [z|j|J] [-f <archive>] [<files>...]
11 flags c · Create a new archive. Show all
c
Create a new archive.
x
Extract from an archive.
t
List contents.
v
Verbose — list each file processed.
f <archive>
Archive filename (use - for stdin/stdout).
z
Compress/decompress with gzip (.tar.gz / .tgz).
j
Compress/decompress with bzip2 (.tar.bz2).
J
Compress/decompress with xz (.tar.xz).
-C <dir>
Change to dir before reading/writing (controls relative paths in the archive).
--exclude=<pat>
Skip files matching the glob.
--zstd
Compress/decompress with zstd (.tar.zst) — GNU tar 1.31+ and macOS 13+.
2 recipes tar czf - ./dist | ssh user@host 'cat >... Show all

Argument order matters — c, x, or t must come first; f <archive> must directly precede the filename. Long options (--create, --extract) are more forgiving. Always inspect with tar tf before extracting untrusted archives — tarballs can embed absolute paths or ../ traversals (the classic “tar slip” attack). Use -C and consider --strip-components to control where files land.

 gzip, xz, zip, zstd
  • man 1 tar
zip
🐧🍎🪟⚙️🤖
▲ caution
🐧 Linux🍎 macOS🪟 Windows⚙️ Cross-platform🤖 Termux
▲ caution Create a ZIP archive — the portable cross-platform format. zip [-r] [-9] [-e] [-x <pat>] <archive>.zip <files>...
6 flags -r · Recurse into directories. Show all
-r
Recurse into directories.
-9
Best (slowest) compression ratio.
-e
Encrypt with a password (ZipCrypto — weak; use 7z AES for real security).
-u
Update — add only new or changed files to an existing archive.
-d <entry>
Delete a specific entry from the archive.
-x <pat>
Exclude files matching pattern.
1 recipe

-e uses ZipCrypto which is trivially crackable; use 7z with AES-256 (-p -mhe=on) for any sensitive data. ZIP stores paths relative to the current directory, so run from the project root to get clean relative paths inside the archive.

 unzip, tar, 7z
  • man 1 zip
unzip
🐧🍎🪟⚙️🤖
▲ caution
🐧 Linux🍎 macOS🪟 Windows⚙️ Cross-platform🤖 Termux
▲ caution Extract files from a ZIP archive. unzip [-l] [-o] [-d <dir>] <archive>.zip [<files>...]
6 flags -l · List contents without extracting. Show all
-l
List contents without extracting.
-o
Overwrite existing files without prompting.
-d <dir>
Extract into the given directory (created if absent).
-q
Quiet — suppress output.
-n
Never overwrite — skip files that already exist.
-p
Pipe a single entry to stdout without creating any files.
1 recipe

Without -d extraction lands in the current directory, which can scatter files everywhere if the ZIP lacks a top-level directory. Always inspect with -l first, or extract into a fresh subdirectory.

 zip, tar, 7z
  • man 1 unzip
gzip
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Single-file gzip compression (.gz) — the universal Unix compression tool. gzip [-d] [-k] [-<level>] <file>...
6 flags -d · Decompress (equivalent to running gunzip). Show all
-d
Decompress (equivalent to running gunzip).
-k
Keep the original file — by default gzip replaces it with the .gz.
-<1..9>
Compression level (1=fastest, 9=smallest; default 6).
-r
Recursively compress all files in a directory tree in place.
-l
List compression stats for a .gz file without decompressing.
-c
Write to stdout, leaving the original unchanged.
1 recipe

gzip operates on one file at a time and cannot pack directories. Bundle with tar first (tar czf bundle.tar.gz dir/) — that is the origin of the .tar.gz convention.

 zstd compresses faster than gzip at similar or better ratios and supports multithreading — prefer it when both sides control the toolchain. tar, xz, bzip2, zstd
  • man 1 gzip
7z
🐧🍎🪟⚙️
▲ caution
🐧 Linux🍎 macOS🪟 Windows⚙️ Cross-platform
▲ caution 7-Zip — high-ratio compression with strong encryption, supports many formats. 7z [a|x|e|l|t] [-p<pwd>] [-mhe=on] <archive>.7z [<files>...]
8 flags a · Add to (or create) an archive. Show all
a
Add to (or create) an archive.
x
Extract preserving full internal directory paths.
e
Extract to current directory, collapsing all paths.
l
List archive contents.
t
Test archive integrity.
-p<pwd>
Set or use a password (AES-256 encryption).
-mhe=on
Encrypt filenames as well as file content (requires -p).
-mx=<0..9>
Compression level (0=store, 9=ultra).
1 recipe

On Linux/macOS the binary may be named 7za (standalone) or 7zz depending on how it was installed. The e command strips paths — use x to preserve the directory structure. 7z does not preserve Unix ownership or permissions; use tar for that.

 zip, tar, xz
xz
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution LZMA2 compression — smallest archives at the cost of CPU time. xz [-d] [-k] [-<level>] [-T <n>] <file>
6 flags -d · Decompress (equivalent to running unxz). Show all
-d
Decompress (equivalent to running unxz).
-k
Keep the original file.
-<1..9>
Compression level (default 6; -9e is extreme).
-T <n>
Use n threads (0 = all cores) — multithreading supported since xz 5.2.
-l
List compressed file metadata and ratio without decompressing.
-c
Write to stdout, leaving the original file intact.
1 recipe

xz is single-threaded by default and noticeably slow — always add -T0 for large files. Decompression is also slower than gzip; factor that into pipelines where decompression speed matters (e.g. frequent restores from backup).

 zstd compresses and decompresses far faster than xz at similar ratios; prefer zstd for interactive use and reserve xz for distribution archives where download size is critical. gzip, zstd, bzip2, tar
  • man 1 xz
bzip2
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Block-sorting Burrows–Wheeler compression — better ratio than gzip, slower. bzip2 [-d] [-k] [-<level>] <file>...
5 flags -d · Decompress (equivalent to bunzip2). Show all
-d
Decompress (equivalent to bunzip2).
-k
Keep the original file.
-<1..9>
Compression level (default 9 — also controls block size).
-c
Write to stdout, leaving the original file intact.
-t
Test archive integrity without decompressing.
1 recipe

bzip2 does not support multithreading natively — use pbzip2 for parallel compression. Mostly superseded by xz (better ratio) and zstd (far faster); still ubiquitous in legacy .tar.bz2 source tarballs.

 zstd is dramatically faster than bzip2 at comparable or better compression ratios. Prefer zstd for new archives; bzip2 remains relevant only for reading legacy .tar.bz2 files. gzip, xz, zstd
  • man 1 bzip2
zstd
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Zstandard — fast compression balancing gzip's speed with xz's ratio. zstd [-d] [-<level>] [-T <n>] [-k] [--long] <file>...
7 flags -d · Decompress .zst files (equivalent to unzstd). Show all
-d
Decompress .zst files (equivalent to unzstd).
-<1..19>
Compression level (default 3; higher levels are slower with diminishing returns).
-T <n>
Number of threads (0 = all cores).
-k
Keep the original file — zstd replaces it by default.
--long
Enable long-range matching (wider window) for better ratio on large redundant data.
-c
Write compressed output to stdout.
--train
Build a compression dictionary from sample files for better ratio on small files.
2 recipes zstd -T0 -c db.dump | ssh user@host 'zs... Show all

.zst is not as universally supported as .gz — check that the target system has zstd installed before shipping an archive. Default level 3 is the sweet spot; going above level 9 rarely justifies the CPU cost unless ratio is paramount and --long applies.

 gzip, xz, tar
sudo
🐧🍎⚙️🛡🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🛡 root🤖 Termux
▲ caution Run a single command as another user (default: root). sudo [-i|-u <user>|-E|-k] <cmd> [args...]
6 flags -i · Open an interactive root shell (simulates a fre... Show all
-i
Open an interactive root shell (simulates a fresh login).
-s
Run shell as target user, keep current $PWD/environment.
-u <user>
Run as a non-root user.
-E
Preserve calling user's environment (subject to /etc/sudoers).
-k
Invalidate cached credentials (re-prompt next time).
-v
Refresh credential timestamp without running anything.
1 recipe

sudo cmd >> /etc/file doesn’t work — the redirect is your unprivileged shell. Use echo … | sudo tee -a /etc/file instead. Edit /etc/sudoers only via visudo so syntax errors don’t lock you out.

 su, doas, visudo
  • man 8 sudo
chmod
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Change file permissions using octal or symbolic notation. chmod [<mode>|<symbolic>] <file>...
5 flags <octal> · Three or four octal digits — owner, group, othe... Show all
<octal>
Three or four octal digits — owner, group, others (+ setuid/sticky).
u/g/o/a
Target: user, group, others, all.
+/-/=
Add / remove / set permissions.
r/w/x
Read / write / execute.
-R
Recurse into directories.
2 recipes find . -type f -exec chmod 644 {} + Show all

Octal cheat sheet: r=4 w=2 x=1. 755 is “owner rwx, others rx” (the default for executables and dirs); 644 is “owner rw, others r” (regular files); 600 is “owner only” (private keys, .env). Capital X in symbolic mode means “x on dirs but not regular files unless already executable” — exactly what you want with -R.

 chown, umask, stat, ↳ chmod
  • man 1 chmod
chown
🐧🍎⚙️🛡
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🛡 root
▲ caution Change file owner and / or group. chown [-R] [<user>][:<group>] <file>...
5 flags <user> · New owner. Show all
<user>
New owner.
:<group>
New group only (keep owner).
<user>:<group>
Both at once.
-R
Recursive.
-h
Act on the symlink itself, not its target.
1 recipe
chmod, chgrp
  • man 1 chown
umask
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Show or set the default permission mask applied when new files are created. umask [-S] [<octal>|<symbolic>]
2 flags
<octal>
Mask in octal (077, 022, 002).
-S
Show / set in symbolic notation (u=rwx,g=,o=).
1 recipe

Umask is subtracted from the default base mode (666 for files, 777 for dirs). umask 022 → new files 644, new dirs 755 (the typical default). umask 077 → owner-only, useful for paranoid home dirs.

 chmod
  • help umask (bash builtin)
df
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Report filesystem disk space usage. df [-h] [-T] [-i] [<path>]
4 flags -h · Human-readable (K, M, G). Show all
-h
Human-readable (K, M, G).
-H
Like -h but powers of 1000 instead of 1024.
-T
Include filesystem type.
-i
Show inode usage instead of block usage.
1 recipe

“No space left on device” can mean blocks OR inodes — check df -i too. Lots of small files can exhaust inodes well before blocks fill up.

 Use duf for a colourised, categorised disk-usage overview (brew install duf / apt install duf). du, lsblk
  • man 1 df
du
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Estimate file space usage per directory. du [-h] [-s] [-d <depth>] [<path>...]
5 flags -h · Human-readable sizes. Show all
-h
Human-readable sizes.
-s
Summary — one total per arg.
-d <n>
Max depth to descend.
-a
Include individual files, not just directories.
--exclude=<pat>
Skip paths matching the glob.
1 recipe

du -sh * misses dotfiles — use du -sh .[!.]* * to include them. ncdu is an interactive front end worth installing if you’re hunting space hogs.

 Use dust for a tree-formatted, colourised disk-usage view (cargo install du-dust). df, ncdu
  • man 1 du
mount
🐧🍎⚙️🛡
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🛡 root
▲ caution Mount a filesystem at a directory, or list current mounts. mount [-t <type>] [-o <opts>] <device> <mountpoint>
3 flags -t <type> · Filesystem type (ext4, xfs, nfs, cifs, …); usua... Show all
-t <type>
Filesystem type (ext4, xfs, nfs, cifs, …); usually auto-detected.
-o <opts>
Comma-separated options (ro, noexec, uid=…, vers=4…).
-a
Mount everything in /etc/fstab (used at boot).
1 recipe
umount, lsblk, fstab
  • man 8 mount
umount
🐧🍎⚙️🛡
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🛡 root
▲ caution Unmount a filesystem safely before removing or ejecting the device. umount [-l] [-f] <mountpoint|device>
2 flags
-l
Lazy — detach now, clean up when no longer busy.
-f
Force (mostly NFS-only).

“Target is busy” usually means a shell is cd‘d into the mount or a process has an open file. lsof +D /mnt/usb or fuser -m /mnt/usb tells you who.

 mount, fuser, lsof
  • man 8 umount
lsblk
🐧
✓ safe
🐧 Linux
✓ safe List block devices in a tree (disks, partitions, LUKS, LVM mappings). lsblk [-f] [-p] [-o <cols>]
3 flags -f · Include filesystem type, UUID, label. Show all
-f
Include filesystem type, UUID, label.
-p
Print full paths (/dev/sda1).
-o <cols>
Custom columns (NAME,SIZE,FSTYPE,MOUNTPOINT,…).
1 recipe
df, blkid, fdisk
  • man 8 lsblk
free
🐧
✓ safe
🐧 Linux
✓ safe Show RAM and swap usage including buffers and cache. free [-h] [-s <sec>] [-c <count>]
3 flags -h · Human-readable sizes. Show all
-h
Human-readable sizes.
-m / -g
Megabytes / gigabytes.
-s <sec>
Repeat every n seconds (loop).
1 recipe

available is what you actually have — free excludes cache that the kernel will reclaim on demand. Linux uses free RAM as cache aggressively; “low free RAM” is usually fine.

 Use htop or btop for a live, graphical memory + swap gauge alongside process info. top, vmstat
  • man 1 free
uname
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Print system and kernel information. uname [-a|-r|-s|-m]
4 flags -a · Everything: kernel, hostname, kernel version, a... Show all
-a
Everything: kernel, hostname, kernel version, arch, OS.
-r
Kernel release.
-s
Kernel name (Linux / Darwin / …).
-m
Machine architecture (x86_64, arm64, …).
1 recipe
lsb_release, hostnamectl
  • man 1 uname
id
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Print the calling user's UID, GID, and all group memberships. id [-u|-g|-G|-n] [<user>]
4 flags -u · Effective UID only. Show all
-u
Effective UID only.
-g
Effective GID only.
-G
All group IDs.
-n
Print names instead of numeric IDs (combine with -u/-g/-G).
1 recipe
whoami, groups
  • man 1 id
chgrp
🐧🍎⚙️🛡
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🛡 root
▲ caution Change group ownership of files — the group-only counterpart to chown. chgrp [-R] <group> <file>...
2 flags
-R
Recursive.
-h
Act on the symlink itself, not its target.
1 recipe
chown, chmod
  • man 1 chgrp
passwd
🐧🍎⚙️🛡
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🛡 root
▲ caution Change a user's login password. passwd [<user>]
4 flags <user> · Change a different user's password (root only). Show all
<user>
Change a different user's password (root only).
-l
Lock account (Linux).
-u
Unlock account.
-e
Expire — force the user to change on next login.
1 recipe
chpasswd, usermod
  • man 1 passwd
whoami
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Print the effective user's login name. whoami
1 flag
(no args)
Same as id -un. Useful in scripts and SSH prompts.
1 recipe
id, who
  • man 1 whoami
who
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Show who is currently logged in to the system. who [-H] [-a] [<file>]
3 flags -H · Print column headers. Show all
-H
Print column headers.
-a
All info — boot time, dead processes, run-level.
-b
Last boot time.
1 recipe
w, whoami, last
  • man 1 who
uptime
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Show how long the system has been running and the 1/5/15-minute load averages. uptime [-p] [-s]
2 flags
-p
Pretty format — "up 3 days, 12 hours".
-s
Since when — date and time the system last booted.
1 recipe

Load average columns are 1-min, 5-min, 15-min averages. On Linux they include processes in uninterruptible sleep (D state); on macOS / BSD they don’t — so the same machine reports different numbers under each OS.

 top, w
  • man 1 uptime
hostname
🐧🍎⚙️🛡
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🛡 root
▲ caution Print or set the system's hostname. hostname [-f|-s|-i] [<new>]
4 flags -f · FQDN (fully qualified domain name). Show all
-f
FQDN (fully qualified domain name).
-s
Short form (strip the domain).
-i
IP address (Linux).
<new>
Set the hostname (root, this session only — persist via /etc/hostname or hostnamectl).
1 recipe
hostnamectl, uname
  • man 1 hostname
systemctl
🐧
▲ caution
🐧 Linux
▲ caution Control the systemd system and service manager — start, stop, enable, and inspect units. systemctl <verb> [<unit>]
9 flags start <unit> · Start a unit immediately. Show all
start <unit>
Start a unit immediately.
stop <unit>
Stop a running unit.
restart <unit>
Stop then start a unit — applies changed config.
reload <unit>
Ask the process to reload its config without a full restart (if supported).
enable <unit>
Enable a unit to start at boot.
disable <unit>
Remove the boot-time start link.
status <unit>
Show running state, recent logs, and PID.
is-active <unit>
Exit 0 if the unit is active — useful in scripts.
list-units --failed
List all units that have failed.
2 recipes systemctl list-units --failed --no-lege... Show all

systemctl enable only arms the unit for boot — it doesn’t start it now. Use --now to do both. systemctl mask is stronger than disable: it symlinks the unit to /dev/null so nothing can start it — even as a dependency. Unmask with systemctl unmask.

 journalctl, service, systemd-analyze
  • man 1 systemctl
journalctl
🐧
✓ safe
🐧 Linux
✓ safe Query and filter logs collected by systemd's journal daemon. journalctl [-u <unit>] [-f] [-n <lines>] [-S <since>] [-p <priority>]
9 flags -u <unit> · Filter to a specific systemd unit (e.g. nginx, ... Show all
-u <unit>
Filter to a specific systemd unit (e.g. nginx, sshd).
-f
Follow — tail new entries as they arrive (like tail -f).
-n <n>
Show only the last n lines.
-S <time>
Show entries since a time ("today", "1 hour ago", "2024-01-01 08:00").
-U <time>
Show entries until a time.
-p <level>
Filter by priority: emerg, alert, crit, err, warning, notice, info, debug.
-b
Entries from the current boot only; -b -1 is the previous boot.
--disk-usage
Report how much space the journal is consuming.
--vacuum-size=<sz>
Shrink stored journal to at most this size (e.g. 500M).
2 recipes journalctl -u nginx --since today --no-... Show all
systemctl, dmesg, syslog
  • man 1 journalctl
crontab
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Schedule recurring commands with the cron daemon using per-user crontab files. crontab [-l|-e|-r] [-u <user>]
4 flags -l · List the current user's crontab. Show all
-l
List the current user's crontab.
-e
Open the crontab in $EDITOR for editing.
-r
Remove (delete) the entire crontab — no confirmation prompt.
-u <user>
Operate on a different user's crontab (root only).
1 recipe

Cron runs with a minimal PATH — always use absolute paths for both commands and any files they reference. The five-field time spec is min hour day month weekday; * means “every”. Use https://crontab.guru to verify your schedule expression before deploying. crontab -r deletes everything with no undo — prefer crontab -e and removing individual lines.

 systemctl, at, anacron
  • man 5 crontab
  • man 1 crontab
groups
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Print the group memberships of the current user or a named user. groups [<user>]
1 flag
<user>
Show the groups for this user instead of the caller.
1 recipe

Group membership changes made with usermod -aG don’t apply to existing shells. Log out and back in (or run newgrp <group>) to pick up the new membership without a full logout.

 id, whoami, usermod
  • man 1 groups
echo
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Print arguments to stdout. echo [-n] [-e] <string>...
2 flags
-n
Do not append a trailing newline.
-e
Interpret backslash escapes (\n, \t, …).
2 recipes echo "Build finished at $(date)" >> bui... Show all

echo is a shell builtin AND a binary; behaviour differs slightly across both. For anything beyond trivial output, prefer printf — it’s portable, supports format strings, and doesn’t quietly interpret -e/-n as data.

 printf
  • help echo (bash builtin)
printf
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Format and print — like C's printf, portable across POSIX shells. printf <format> [<arg>...]
5 flags %s · String specifier. Show all
%s
String specifier.
%d / %i
Signed integer.
%f / %.<n>f
Float, optionally with n decimals.
%x / %X
Lowercase / uppercase hex.
%-<n>s
Left-align string in a field of width n.
2 recipes printf '%s\n' "$@" Show all
echo
  • man 1 printf
export
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Mark a shell variable as exported to child processes. export [-p] [-n] [<name>[=<value>]...]
3 flags -p · Print all exported variables in re-importable f... Show all
-p
Print all exported variables in re-importable form.
-n
Un-export a variable (keep it as a shell var, drop from environment).
<name>=<value>
Assign and export in one step.
2 recipes export PATH="$HOME/.local/bin:$PATH" Show all

An assignment without export (FOO=bar) sets a shell variable that child processes will not see. FOO=bar cmd exports for that single invocation only — clean and useful.

 env, unset
  • help export (bash builtin)
env
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Print the environment, or run a command with a modified one. env [-i] [<name>=<value>...] [<cmd> [args...]]
2 flags
-i
Start with an empty environment.
-u <name>
Remove a variable before running cmd.
2 recipes env | grep -i proxy Show all

The shebang line #!/usr/bin/env python3 uses env to look up Python in PATH — portable across distros that install Python in different places.

 export, printenv
  • man 1 env
alias
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Create a shorthand for a longer command. alias [<name>='<replacement>']
3 flags (no args) · Print every defined alias. Show all
(no args)
Print every defined alias.
<name>='<cmd>'
Define a new alias for this shell session.
<name>
Show what one specific alias expands to.
2 recipes alias gs='git status' && echo "alias gs... Show all

Aliases are shell-local — define them in ~/.bashrc / ~/.zshrc for persistence. They don’t expand inside scripts run with #!/bin/bash unless you enable shopt -s expand_aliases; use a function instead for script-level reuse.

 unalias, function
  • help alias (bash builtin)
history
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Show or manipulate the command history. history [-c] [-d <offset>] [<count>]
3 flags -c · Clear current session's history. Show all
-c
Clear current session's history.
-d <n>
Delete entry at offset n.
-w
Write current session to the history file.
2 recipes history | grep ssh Show all

Bash truncates history to HISTSIZE entries; the file to HISTFILESIZE. Multi-shell users want HISTCONTROL=ignoreboth and shopt -s histappend to avoid clobbering history when several shells exit at once.

 alias
  • help history (bash builtin)
which
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Show the full path to a command (or that it's an alias / builtin). which [-a] <name>
1 flag
-a
Print all matches in PATH, not just the first.
2 recipes command -v python3 || echo 'not found' Show all

which doesn’t know about aliases or shell functions — type does. Prefer command -v in scripts (POSIX, portable, predictable).

 Prefer command -v in scripts — POSIX-portable and aware of builtins. type, whereis, command
  • man 1 which
type
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Tell you what a name is — alias, builtin, function, or external binary. type [-a] [-t] <name>...
2 flags
-a
All matches (aliases, builtins, AND each binary in PATH).
-t
Just the kind (alias / keyword / function / builtin / file).
2 recipes type -t "$cmd" 2>/dev/null || echo "$cm... Show all
which, command
  • help type (bash builtin)
man
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Show the manual page for a command, syscall, or function. man [<section>] <name>
3 flags <section> · Section number: 1=commands, 2=syscalls, 3=libc,... Show all
<section>
Section number: 1=commands, 2=syscalls, 3=libc, 5=files, 7=misc, 8=admin.
-k <kw>
Keyword search (same as apropos).
-f <name>
One-line description (same as whatis).
2 recipes man bash | grep -A3 'HISTCONTROL' Show all

Inside man: /pattern search, n/N next/prev, q quit. For colourised man pages set MANPAGER='less -R' and a colour-aware LESS_TERMCAP_* set in your shell init. tldr is a friendlier “example-first” alternative.

 apropos, whatis, tldr
  • man 1 man
read
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Read one line from stdin into shell variables. read [-p <prompt>] [-s] [-r] [-t <sec>] [-a <arr>] <var>...
5 flags -p <prompt> · Print the prompt before reading. Show all
-p <prompt>
Print the prompt before reading.
-s
Silent — don't echo (for passwords).
-r
Raw — don't interpret backslashes.
-t <sec>
Timeout.
-a <arr>
Read into an array, splitting on IFS.
2 recipes while IFS= read -r line; do echo ">> $l... Show all

Always use read -r in scripts — without it, backslashes get interpreted as line continuations. while IFS= read -r line; do …; done < file is the canonical loop for reading a file line by line in bash.

 readarray, mapfile
  • help read (bash builtin)
Redirection idioms
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Plumb stdin / stdout / stderr to files, pipes, and each other. cmd [> file] [>> file] [< file] [2> file] [2>&1] [<<EOF...EOF] [<(cmd)]
10 flags > file · Redirect stdout to file (overwrite). Show all
> file
Redirect stdout to file (overwrite).
>> file
Append stdout to file.
< file
Use file as stdin.
2> file
Redirect stderr.
2>&1
Merge stderr into stdout (must come AFTER any > redirect).
&> file
Redirect both stdout and stderr (bash shorthand).
| cmd
Pipe stdout to cmd's stdin.
<<EOF ... EOF
Heredoc — multi-line stdin terminated by EOF.
<<<"<word>"
Herestring — single-line stdin from <word>.
<(cmd)
Process substitution — treat cmd's stdout as a file.
2 recipes make build > build.log 2>&1 && echo OK ... Show all

Order matters: cmd > file 2>&1 sends both to file, but cmd 2>&1 > file sends stderr to the original stdout (terminal) and stdout to the file. &> is bash-only; portable scripts should use > file 2>&1.

 tee, xargs
  • bash(1) — REDIRECTION section
unalias
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Remove one or more shell aliases. unalias [-a] <name>...
2 flags
-a
Remove all aliases.
<name>
Remove the named alias.
1 recipe
alias
  • help unalias (bash builtin)
printenv
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Print environment variables. printenv [<name>...]
2 flags
(no args)
Print every env var = value.
<name>
Print just that variable's value, no name= prefix.
1 recipe
env, export
  • man 1 printenv
set
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Set shell options or positional parameters; with no args, print all shell vars. set [-e|-u|-x|-o <opt>|+<flag>] [-- <args>...]
5 flags -e · errexit — exit immediately on any command failure. Show all
-e
errexit — exit immediately on any command failure.
-u
nounset — error on unset variables.
-x
xtrace — print each command before executing it.
-o pipefail
Pipeline fails if any stage fails (bash/zsh).
+<flag>
Disable that flag (set -x trace on, set +x trace off).
2 recipes set -euo pipefail trap 'echo "Error on ... Show all

set -euo pipefail at the top of every bash script catches a huge class of bugs early. Shell options apply to the current shell, not children — script-level only.

 shopt, unset
  • help set (bash builtin)
unset
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Remove a shell variable or function. unset [-v|-f] <name>...
2 flags
-v
Variables only (default).
-f
Functions only.
1 recipe

Unsetting critical variables like PATH, HOME, or IFS can break the shell session completely — commands won’t be found and scripts will misbehave silently. Always double-check the name before unsetting an env variable.

 export, set
  • help unset (bash builtin)
pushd / popd
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Directory stack — push the current dir + cd somewhere new, then pop back. pushd <dir> | popd | dirs
4 flags pushd <dir> · cd to dir and push the previous dir onto the st... Show all
pushd <dir>
cd to dir and push the previous dir onto the stack.
popd
Pop the top of the stack and cd to it.
dirs
Show the stack.
dirs -v
Stack with numbered entries — handy for cd ~<n>.
2 recipes pushd /etc && sudo cp nginx.conf nginx.... Show all
cd, dirs
  • help pushd (bash builtin)
source
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Execute a script in the current shell (so its vars/aliases persist). source <file> [args...] | . <file>
2 flags
. <file>
POSIX-portable spelling — works in dash/ash too.
source <file>
Bash/zsh-specific alias for the dot operator.
2 recipes source ~/.bashrc && echo 'Shell reloaded' Show all

Running a script via ./script.sh spawns a subshell — any export/cd/alias inside doesn’t affect your current shell. Use source when you explicitly want the script’s side effects to stick (env vars, virtualenv activation).

 export, exec
  • help source (bash builtin)
eval
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Concatenate args and execute them as a shell command. eval <command-string>
1 flag
<args>
Joined with spaces and re-parsed by the shell — double interpretation.
2 recipes eval "$(ssh-agent -s)" && ssh-add ~/.ss... Show all

eval double-parses its input — any user-supplied string is a shell injection vector. Reach for it only when you genuinely need to evaluate a dynamically constructed command (and double-quote your input).

 exec, source
  • help eval (bash builtin)
trap
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Run a command when the shell receives a signal or exits. trap '<cmd>' <signal>...
5 flags EXIT / 0 · Fire on shell exit — cleanup hook. Show all
EXIT / 0
Fire on shell exit — cleanup hook.
ERR
Fire when any command returns non-zero (with set -e).
INT
Ctrl+C.
TERM / HUP
External termination.
trap - <signal>
Reset the handler back to default.
2 recipes tmpdir=$(mktemp -d) && trap 'rm -rf "$t... Show all
kill, set
  • help trap (bash builtin)
command
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Run a command, bypassing aliases and functions, or test whether it exists. command [-v|-V|-p] <name> [args...]
3 flags -v · Print the path or definition of name — like whi... Show all
-v
Print the path or definition of name — like which but POSIX and alias-aware.
-V
Verbose description — same as type.
-p
Use the system default PATH, ignoring the current one.
2 recipes command -v docker &>/dev/null || { echo... Show all
which, type
  • help command (bash builtin)
python3
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Run Python — REPL, scripts, modules, one-liners. python3 [-i] [-c "<code>"] [-m <module>] [<script> [args]]
5 flags -c "<code>" · Execute a one-liner. Show all
-c "<code>"
Execute a one-liner.
-m <mod>
Run a module as a script (python3 -m http.server).
-i
Drop into REPL after running the script (great for debugging).
-u
Unbuffered stdout/stderr — see prints immediately in pipes.
-V / --version
Print version and exit.
2 recipes python3 -m venv .venv && source .venv/b... Show all

System Python and your project’s Python are different — use python3 -m venv .venv && . .venv/bin/activate per project. On macOS, python (no 3) usually doesn’t exist; always use python3. uv / pyenv manage parallel interpreter versions.

 uv / pyenv manage parallel interpreter versions and virtualenvs pip, pipx, uv, pyenv
node
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Run JavaScript with Node.js — REPL, scripts, one-liners. node [-e "<code>"] [-p "<expr>"] [<script> [args]]
5 flags -e "<code>" · Execute the code string. Show all
-e "<code>"
Execute the code string.
-p "<expr>"
Evaluate and print the expression's result.
-r <mod>
Require the module before running (for shims).
--inspect
Enable the Chrome DevTools debugger.
-v / --version
Print version.
2 recipes node -e 'console.log(process.version)' Show all
bun / deno — faster or more secure drop-in alternatives; nvm / fnm manage multiple Node versions npm, npx, nvm, deno, bun
nvm
🐧🍎
▲ caution
🐧 Linux🍎 macOS
▲ caution Node Version Manager — install and switch between Node.js versions. nvm [install|use|ls|alias|exec] [<version>]
6 flags install <version> · Download and install a Node version (e.g. 22, l... Show all
install <version>
Download and install a Node version (e.g. 22, lts/iron, node).
use <version>
Switch to a previously installed version in the current shell.
ls
List all locally installed versions.
ls-remote [--lts]
List available versions to install (optionally filter LTS only).
alias default <version>
Set the version used in new shells.
exec <version> <cmd>
Run a command under a specific Node version without switching.
2 recipes nvm install 22 && nvm alias default 22 Show all

nvm is a shell function, not a binary — it modifies PATH in the current shell. It must be sourced in your .bashrc / .zshrc; running it in a subshell or via sudo has no effect on the parent. fnm is a faster alternative with Windows support.

 fnm (fast Node manager, Rust) — same concept but faster shell startup and native Windows support node, npm, bun
bun
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Fast all-in-one JavaScript runtime + package manager + bundler + test runner. bun [run|install|add|x|test|build] [<args>...]
6 flags run <script> · Execute a JS/TS file or package.json script. Show all
run <script>
Execute a JS/TS file or package.json script.
install
Install dependencies (10–30× faster than npm).
add <pkg>
Add a dependency.
x <pkg>
Run a one-off package binary (npx equivalent).
test
Run built-in test runner.
build
Bundle for production.
2 recipes bun --version && bun install && bun run... Show all

Node-compatible for most APIs but not 100% — some native modules (notably anything with N-API quirks) still break. For production-critical Node apps, validate compatibility first. Windows support shipped in 2024 but is still less mature than Linux/macOS.

 bun is itself the modern alternative — already faster than Node + npm combined for most tasks node, npm, deno, npx
ruby
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Run Ruby — REPL via irb, scripts, one-liners. ruby [-e "<code>"] [-n|-p] [-l] [<script> [args]]
5 flags -e "<code>" · Execute a one-liner. Show all
-e "<code>"
Execute a one-liner.
-n
Wrap script in 'while gets; …; end' (auto line loop).
-p
Like -n but auto-prints $_ each iteration.
-l
Chomp newlines + add newline on print (line-mode).
-r <lib>
Require a library before running.
2 recipes ruby -r json -e "puts JSON.pretty_gener... Show all
irb, gem, bundle
  • ruby --help
irb
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Interactive Ruby REPL. irb [-r <lib>] [--simple-prompt]
2 flags
-r <lib>
Require a library on start.
--simple-prompt
Minimal prompt.
1 recipe
ruby, pry
bash
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe GNU Bash shell — interactive or batch. bash [-c "<cmd>"] [-i] [-l] [<script> [args]]
7 flags -c "<cmd>" · Execute one command string then exit. Show all
-c "<cmd>"
Execute one command string then exit.
-i
Force interactive mode.
-l / --login
Login shell — sources /etc/profile + ~/.bash_profile.
-x
Trace each command before execution (debugging).
-e
Exit on first error (set -e at script start does the same).
-u
Treat unset variables as an error.
-o pipefail
Pipeline fails if any stage fails, not just the last.
2 recipes bash -x script.sh 2>&1 | tee debug.log Show all

The “strict mode” trio set -euo pipefail at the top of every script catches a huge class of bugs early — unset vars typoed as commands, partial-pipeline failures silently ignored, etc. macOS ships bash 3.2 (2007) under /bin/bashbrew install bash for the modern one at /opt/homebrew/bin/bash.

 zsh, sh, dash
  • man 1 bash
zsh
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Z shell — bash-compatible-ish with extras (globbing, prompts, plugins). zsh [-c "<cmd>"] [-i] [-l] [-x] [<script> [args]]
4 flags -c "<cmd>" · Execute one command string then exit. Show all
-c "<cmd>"
Execute one command string then exit.
-i
Force interactive mode.
-l / --login
Login shell — sources /etc/zprofile + ~/.zprofile.
-x
Trace each command before execution.
1 recipe

Default shell on macOS since Catalina. Most bash scripts work unchanged but a few subtle differences exist (word splitting on unquoted vars, glob behaviour). Pin scripts to bash with #!/usr/bin/env bash when portability matters.

 bash, oh-my-zsh
  • man 1 zsh
Shebang lines
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe The #! interpreter directive at the top of a script. #!<path-to-interpreter> [<flags>]
3 flags #!/usr/bin/env <interp> · Portable — finds the interpreter via PATH (pref... Show all
#!/usr/bin/env <interp>
Portable — finds the interpreter via PATH (preferred).
#!/bin/sh
POSIX shell. Use when scripting for non-bash environments.
#!/usr/bin/env -S <interp> <args>
GNU coreutils ≥ 8.30 — pass multiple args to the interpreter.
1 recipe

Use #!/usr/bin/env <interp> for portability — it finds the interpreter via PATH instead of hard-coding /usr/local/bin/.... Linux limits the shebang line to 128 chars and historically only allows one arg to the interpreter — env -S (GNU coreutils ≥ 8.30) splits a second arg-string for you.

 bash, python3, node
deno
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Secure-by-default JavaScript / TypeScript runtime (Node-compatible-ish). deno [run|test|fmt|lint|task|install] [--allow-<perm>] [<file>]
7 flags run <file> · Execute a script. Show all
run <file>
Execute a script.
--allow-net
Grant network permission (default denied).
--allow-read[=<paths>]
Filesystem read permission.
--allow-env
Read environment variables.
-A
Allow all permissions (escape hatch — be careful).
test [<file>]
Run tests.
fmt
Format code (built-in).
2 recipes deno run --allow-read --allow-net fetch... Show all
deno is itself the modern alternative — built-in TypeScript, secure by default, no node_modules node, bun
uv
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Fast Python package + project manager (Rust, drop-in for pip + venv + pip-tools). uv [pip|venv|run|add|sync|tool] [<args>...]
6 flags pip install <pkg> · Drop-in pip replacement (10–100× faster). Show all
pip install <pkg>
Drop-in pip replacement (10–100× faster).
venv [<path>]
Create a virtual environment (default: .venv).
add <pkg>
Add a dependency to pyproject.toml + sync.
sync
Install everything in pyproject.toml / uv.lock.
run <cmd>
Run a command inside the project's venv.
tool install <pkg>
Install a Python CLI tool isolated (pipx equivalent).
2 recipes uv sync && uv run python -m myapp Show all
uv is itself the modern replacement for pip + venv + pip-tools + pipx in one binary pip, pipx, poetry
go
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Run Go — build, test, format, manage modules. go [run|build|test|fmt|mod|install|get] [<args>...]
7 flags run <file> · Compile and run in one step. Show all
run <file>
Compile and run in one step.
build [-o <out>]
Compile to a binary.
test [./...]
Run tests; ./... means recursive.
fmt ./...
Format every package.
mod tidy
Clean up go.mod + go.sum.
install <pkg>@<ver>
Build + install a binary into $GOBIN.
vet ./...
Static analysis.
2 recipes go build ./... && go vet ./... && go te... Show all
rustc, node
rustc
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Rust compiler — rarely invoked directly, usually wrapped by cargo. rustc [-O] [--edition <year>] [-o <out>] [--explain <code>] <file.rs>
4 flags -O · Optimise. Show all
-O
Optimise.
--edition <year>
Pin a Rust edition (2015/2018/2021/2024).
-o <out>
Output binary name.
--explain <code>
Explain an error code (e.g. E0382).
1 recipe

For real projects always use cargo build / cargo runrustc doesn’t know about Cargo.toml, external crates, or feature flags. Direct invocation is only useful for single-file experiments and explaining compiler errors.

 cargo, rustup
pyenv
🐧🍎
▲ caution
🐧 Linux🍎 macOS
▲ caution Install and switch between multiple Python interpreter versions. pyenv [install|global|local|shell|versions|rehash] [<version>]
6 flags install <version> · Download and build a Python version (e.g. 3.12.3). Show all
install <version>
Download and build a Python version (e.g. 3.12.3).
global <version>
Set the system-wide default Python version.
local <version>
Write a .python-version file in the current directory.
shell <version>
Override the version for the current shell session only.
versions
List all installed versions (active one is starred).
rehash
Rebuild shims after installing a new version or package.
2 recipes pyenv install 3.12.3 && pyenv global 3.... Show all

pyenv works by prepending shims to PATH — if your shell doesn’t source eval "$(pyenv init -)" in its rc file, pyenv commands run but the version switching has no effect. Run pyenv doctor to diagnose setup issues.

 uv can install and pin Python versions too — uv python install 3.12 — and is faster python3, uv, pip
java
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Run compiled Java programs and inspect the JVM. java [-cp <classpath>] [-jar <file>] [-D<prop>=<val>] [<class> [args]]
5 flags -cp <path> · Classpath — directories and JARs to search for ... Show all
-cp <path>
Classpath — directories and JARs to search for classes.
-jar <file>
Run an executable JAR file.
-D<key>=<val>
Set a system property accessible via System.getProperty().
-Xmx<size>
Maximum heap size (e.g. -Xmx512m, -Xmx2g).
-version
Print the JVM version and exit.
2 recipes javac Hello.java && java Hello Show all

java and javac versions must match — code compiled with JDK 21 cannot run on JRE 11. Use SDKMAN! (sdk install java 21-tem) or jenv to manage multiple JDK versions on one machine.

 javac, mvn, gradle
dotnet
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Run, build, test, and publish .NET (C#/F#/VB) projects. dotnet [run|build|test|publish|add|restore|new] [<args>...]
7 flags run · Build and run the project in the current direct... Show all
run
Build and run the project in the current directory.
build [-c <config>]
Compile the project (Debug by default, use -c Release for prod).
test
Discover and run tests via the built-in test host.
publish -c Release -o <dir>
Produce a self-contained or framework-dependent publish artifact.
add package <pkg>
Add a NuGet package reference to the project file.
new <template>
Scaffold a project from a template (e.g. webapi, console, blazor).
--version
Print the .NET SDK version.
2 recipes dotnet new webapi -n MyApi && cd MyApi ... Show all

Multiple SDK versions can coexist; a global.json in the repo root pins the exact SDK version used by all dotnet commands in that tree. Without it, the latest installed SDK is used, which can break builds if the team is on different versions. Use dotnet --list-sdks to see what’s installed.

 java, go
docker run
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Create and start a container from an image. docker run [-d] [-it] [--rm] [-p <h>:<c>] [-v <h>:<c>] [-e <k>=<v>] <image> [<cmd>]
10 flags -d · Detached — run in the background. Show all
-d
Detached — run in the background.
-it
Interactive (-i) + allocate a TTY (-t).
--rm
Auto-remove the container when it exits.
--name <name>
Assign a name instead of a random one.
-p <hp>:<cp>
Publish a container port to the host.
-v <hpath>:<cpath>[:ro]
Mount a host path into the container (optionally read-only).
-e <k>=<v>
Set an environment variable inside the container.
--env-file <file>
Load env vars from a file.
--network <net>
Attach to a specific Docker network.
-u <uid>[:<gid>]
Run as a non-root user / group.
2 recipes docker run --rm -it -v $PWD:/app -w /ap... Show all

Default users inside containers are often root, even when the host user isn’t. Anything written into a bind-mount lands on disk as root. Pass -u "$(id -u):$(id -g)" to match your host UID, or build the image with a non-root USER.

 podman run is a drop-in replacement that runs daemonless and rootless by default — no UID mismatch foot-gun. docker exec, docker ps, docker stop
docker ps
⚙️
✓ safe
⚙️ Cross-platform
✓ safe List containers. docker ps [-a] [--filter <f>] [--format <fmt>]
4 flags -a · Include stopped containers. Show all
-a
Include stopped containers.
-q
Quiet — IDs only (handy with xargs).
--filter <k>=<v>
Filter by status=exited, name=web, ancestor=nginx, etc.
--format <go-template>
Custom output — e.g. 'table {{.Names}}\t{{.Image}}'.
1 recipe
docker rm, docker stop
docker build
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Build an image from a Dockerfile. docker build [-t <tag>] [-f <Dockerfile>] [--build-arg <k>=<v>] [--target <stage>] <context>
6 flags -t <tag> · Tag the resulting image (name:version). Show all
-t <tag>
Tag the resulting image (name:version).
-f <file>
Use a Dockerfile at a non-standard path.
--build-arg <k>=<v>
Pass an ARG into the build.
--target <stage>
Stop at a named stage in a multi-stage build.
--no-cache
Disable the layer cache.
--platform <plat>
Build for a specific platform (linux/arm64, linux/amd64).
2 recipes docker build -t myapp:dev . && docker r... Show all

The context (.) is uploaded to the daemon before the build starts — add a .dockerignore to exclude node_modules, .git, etc. or you’ll send gigabytes on every build. Use BuildKit (DOCKER_BUILDKIT=1 on older Docker, default since 23.0) for cache mounts, parallel stages, and secret mounts.

 docker buildx, docker push
docker exec
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Run a command inside an already-running container. docker exec [-it] [-u <user>] <container> <cmd> [args...]
4 flags -it · Interactive + TTY (required for interactive she... Show all
-it
Interactive + TTY (required for interactive shells).
-u <user>
Run as a different user inside the container.
-e <k>=<v>
Add an env var for this exec invocation only.
-w <dir>
Set the working directory inside the container.
1 recipe
docker run, docker logs
docker logs
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Show stdout / stderr of a container. docker logs [-f] [--tail <n>] [--since <t>] <container>
4 flags -f · Follow — keep streaming new log lines. Show all
-f
Follow — keep streaming new log lines.
--tail <n>
Only show the last n lines.
--since <time>
Lines newer than a duration (10m) or timestamp (2024-01-01).
-t
Prefix each line with a timestamp.
1 recipe
docker ps, docker exec
docker compose
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Define and run multi-container applications via a YAML file. docker compose [-f <file>] [up|down|ps|logs|exec|build] [args...]
8 flags up · Build + create + start everything in compose.yml. Show all
up
Build + create + start everything in compose.yml.
up -d
Detached — return to the shell after services start.
down
Stop + remove containers and networks; add -v to remove volumes too.
ps
List services and their current state.
logs [-f]
Aggregate logs from all services; -f to follow.
exec <svc> <cmd>
Run a one-off command in a named service container.
build [--no-cache]
(Re)build images for services that have a build: stanza.
-f <file>
Use a non-default compose file (default: compose.yml or docker-compose.yml).
2 recipes docker compose up -d && docker compose ... Show all

docker compose (v2, plugin) and docker-compose (v1, standalone Python binary) take nearly identical args; v1 is legacy and absent from new Docker Desktop installs. compose.yml is the v3+ preferred filename, but most projects still ship docker-compose.yml — both are recognised automatically.

 docker compose (space, no hyphen) is the v2 plugin bundled with Docker Desktop and Docker Engine ≥ 20.10. Prefer it over the legacy docker-compose v1 binary. docker run, docker build
docker stop
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Send SIGTERM to a container, then SIGKILL after a timeout. docker stop [-t <sec>] <container>...
1 flag
-t <sec>
Grace period before SIGKILL (default 10 seconds).
1 recipe
docker kill, docker rm
docker rm
⚙️
⚠ destructive
⚙️ Cross-platform
⚠ destructive Remove one or more stopped containers. docker rm [-f] [-v] <container>...
2 flags
-f
Force-remove a running container (sends SIGKILL first).
-v
Also remove any anonymous volumes attached to the container.
1 recipe
docker stop, docker ps
docker images
⚙️
✓ safe
⚙️ Cross-platform
✓ safe List images stored locally. docker images [-a] [--filter <f>] [--format <fmt>] [<repo>[:<tag>]]
4 flags -a · Include intermediate layer images. Show all
-a
Include intermediate layer images.
-q
Image IDs only.
--filter dangling=true
Show only untagged dangling images — cleanup candidates.
--format <go-template>
Custom output — e.g. 'table {{.Repository}}:{{.Tag}}\t{{.Size}}'.
1 recipe
docker pull, docker rmi, docker system prune
docker pull
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Download an image from a registry. docker pull [--platform <plat>] <image>[:<tag>]
3 flags <image>:<tag> · Specify a tag (default: latest). Show all
<image>:<tag>
Specify a tag (default: latest).
--platform <plat>
Force a specific platform — e.g. linux/amd64 on Apple Silicon.
-a
Pull all tags of the repository.
1 recipe
docker push, docker images
docker push
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Upload an image to a registry. docker push <registry>/<repo>[:<tag>]
2 flags
<registry>/<repo>:<tag>
Image reference must include the registry hostname for non-Docker-Hub destinations.
-a
Push all tags of the repository.
1 recipe

Must docker login <registry> first. The registry hostname is part of the image name — retagging with docker tag is the step that "moves" an image to a different registry.

 docker pull, docker login, docker tag
docker inspect
⚙️
✓ safe
⚙️ Cross-platform
✓ safe Dump low-level JSON metadata for a container, image, network, or volume. docker inspect [--format <go-template>] <object>...
2 flags
--format <tmpl>
Go-template to extract a specific field — avoids grepping raw JSON.
--type container|image|volume|network
Disambiguate when an ID could refer to multiple object types.
1 recipe
docker ps, docker logs
docker rmi
⚙️
⚠ destructive
⚙️ Cross-platform
⚠ destructive Remove one or more images from local storage. docker rmi [-f] <image>...
2 flags
-f
Force removal even if a stopped container still references the image.
<image>
Name:tag or image ID; repeat to delete multiple images at once.
1 recipe
docker images, docker system prune
docker system prune
⚙️
⚠ destructive
⚙️ Cross-platform
⚠ destructive Remove all unused containers, networks, images, and optionally volumes. docker system prune [-a] [-f] [--volumes]
4 flags -a · Also remove images not referenced by any contai... Show all
-a
Also remove images not referenced by any container (not just dangling ones).
-f
Skip the confirmation prompt.
--volumes
Also remove anonymous and named volumes not attached to a running container.
--filter until=<duration>
Only prune objects older than the given duration (e.g. 72h).
1 recipe

docker system prune -a --volumes will delete named volumes — including database data. Double-check what is running before adding --volumes, and back up critical volumes first. There is no undo.

 docker rm, docker rmi, docker volume rm
docker volume
⚙️
⚠ destructive
⚙️ Cross-platform
⚠ destructive Manage named volumes — create, list, inspect, and remove persistent storage. docker volume [create|ls|inspect|rm|prune] [args...]
5 flags create <name> · Create a named volume. Show all
create <name>
Create a named volume.
ls
List all volumes.
inspect <name>
Show low-level details (mount path, driver, labels).
rm <name>
Delete a named volume (must not be in use).
prune [-f]
Remove all volumes not mounted by any container.
1 recipe

docker volume rm permanently deletes the data. Verify no container is using the volume first with docker ps -a --filter volume=<name>. Use docker run --rm -v pgdata:/data alpine tar cz /data > backup.tar.gz to back up a volume before removal.

 docker run, docker system prune
podman
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Daemonless, rootless Docker-compatible container engine. podman <command> [args...]
4 flags run / build / ps / exec / logs · Same subcommand surface as Docker — most invoca... Show all
run / build / ps / exec / logs
Same subcommand surface as Docker — most invocations are drop-in replacements.
--userns=keep-id
Map your host UID into the container — the rootless default keeps file ownership sane.
podman machine init|start
macOS / Windows: initialise and start the underlying Linux VM.
podman generate systemd <container>
Generate a systemd unit file to run the container as a service.
1 recipe

CLI is a near-superset of Docker’s — most docker commands work via alias docker=podman. Default is rootless (user namespaces), so ports below 1024 won’t bind without extra config (net.ipv4.ip_unprivileged_port_start=80 in /etc/sysctl.d/). On macOS, a tiny Linux VM (podman-machine) runs behind the scenes.

 podman is the daemonless, rootless alternative to docker — no background daemon to crash, and rootless by default. docker run, docker build, buildah
kubectl
⚙️
▲ caution
⚙️ Cross-platform
▲ caution Talk to a Kubernetes cluster — inspect, deploy, exec, and manage resources. kubectl [-n <ns>] [get|describe|logs|exec|apply|delete] <resource> [args...]
6 flags -n <namespace> · Operate inside a non-default namespace. Show all
-n <namespace>
Operate inside a non-default namespace.
--context <ctx>
Use a specific kubeconfig context.
-l <key>=<val>
Label selector — target a group of resources.
-o yaml|json|wide
Output format.
--all-namespaces / -A
Operate across every namespace.
--dry-run=client
Validate a manifest locally without sending it to the API server.
2 recipes kubectl get pods -n production -o wide ... Show all

Always confirm kubectl config current-context before destructive commands — landing a kubectl delete on production because you forgot to switch contexts is a classic footgun. kubectx + kubens from ahmetb/kubectx make context and namespace switching ergonomic. Use --dry-run=client -o yaml to preview what apply would change.

 kubectx, helm, k9s
buildah
🐧
▲ caution
🐧 Linux
▲ caution Build OCI container images without a daemon — layer by layer or from a Dockerfile. buildah [bud|from|run|copy|commit|push] [args...]
6 flags bud -t <tag> . · Build from a Dockerfile (bud = build-using-dock... Show all
bud -t <tag> .
Build from a Dockerfile (bud = build-using-dockerfile).
from <image>
Start a new working container based on an existing image.
run <container> -- <cmd>
Run a command inside a working container during assembly.
copy <container> <src> <dst>
Copy files into a working container.
commit <container> <image>
Snapshot the working container as a new image.
--layers
Cache intermediate layers (speeds up repeated builds).
1 recipe

buildah is Linux-only — it leverages Linux namespaces directly and is not available on macOS or Windows without a VM. It pairs naturally with podman: images built by buildah are immediately visible to podman images.

 buildah builds OCI-compliant images without the Docker daemon — the daemonless complement to podman. podman, docker build
Redirection (> >> 2> &>)
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Route a command's standard output, standard error, or both to a file or device. <cmd> [>|>>|2>|&>|2>&1] <file> | <cmd> < <file>
7 flags > · Redirect stdout to a file — truncates Show all
>
Redirect stdout to a file — truncates the file if it exists.
>>
Append stdout to a file — safe; creates the file if it doesn't exist.
2>
Redirect stderr to a file.
&>
Redirect both stdout and stderr to a file (bash/zsh; not POSIX).
2>&1
Merge stderr into stdout stream — POSIX-portable alternative to &>.
<
Feed a file as stdin to a command.
/dev/null
Discard any output directed here — the null device.
1 recipe

> truncates immediately when the shell opens the file — before the command even runs. So sort file > file wipes file to zero bytes first, then sorts nothing. Use a temp file and mv, or sponge (moreutils). &> and &>> are bash/zsh extensions not available in POSIX sh or dash.

 tee, pipe
Pipe (|)
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Connect the stdout of one command to the stdin of the next, forming a pipeline. <cmd1> | <cmd2> [| <cmd3> ...] | <cmd1> |& <cmd2>
2 flags
|
Connect stdout of the left command to stdin of the right command.
|&
Pipe both stdout and stderr — shorthand for 2>&1 | (bash/zsh only).
1 recipe

The exit status of a pipeline is the exit status of the last command by default. Set set -o pipefail (bash/zsh) to propagate any non-zero status from earlier stages — essential in scripts that need to detect upstream failures. Each command in a pipeline runs in a subshell, so variable assignments inside a pipeline do not persist to the parent shell.

 tee, xargs, redirection
Logical operators (&& || ;)
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Chain commands conditionally on success or failure, unconditionally, or send them to the background. <cmd1> && <cmd2> | <cmd1> || <cmd2> | <cmd1>; <cmd2> | <cmd> &
4 flags && · AND — run the right command only if the left co... Show all
&&
AND — run the right command only if the left command exits with status 0 (success).
||
OR — run the right command only if the left command exits with a non-zero status (failure).
;
Sequence — run the right command unconditionally after the left finishes.
&
Background — run the preceding command asynchronously; the shell does not wait.
1 recipe

&& and || only look at the exit status of the immediately preceding command — not the full chain. Use parentheses to group: (cmd1 && cmd2) || fallback. Background jobs (&) inherit the parent shell’s file descriptors; redirect their output to a file or they’ll mix with subsequent terminal output.

 command-substitution, pipe
Command substitution ($(...))
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Capture the output of a command and use it inline as a string or argument. $(<cmd>) | `<cmd>` | $(( <expr> ))
3 flags $(...) · Preferred form — nests cleanly and is POSIX-com... Show all
$(...)
Preferred form — nests cleanly and is POSIX-compatible.
`...`
Legacy backtick form — avoid in new scripts as nesting requires backslash-escaping.
$(( ))
Arithmetic expansion — evaluates an integer expression and substitutes the result.
1 recipe

Always double-quote command substitutions — \"$(cmd)\" — to prevent word-splitting and glob expansion on the output. Unquoted substitution will break on filenames containing spaces or special characters. Backtick form treats backslashes specially inside, making nested substitutions error-prone; prefer $(...).

 process-substitution, logical-operators
Process substitution (<(...))
🐧🍎
✓ safe
🐧 Linux🍎 macOS
✓ safe Treat a command's output as a file-like object, enabling commands that require filename arguments to consume live data from another process. <(<cmd>) | >(<cmd>)
2 flags
<(...)
Open a read-end FIFO backed by the command's stdout — pass it where a filename is expected.
>(...)
Open a write-end FIFO — data written there is piped into the command's stdin.
1 recipe

Process substitution is a bash and zsh extension — it is not available in POSIX sh or dash. Scripts using <(...) must start with #!/usr/bin/env bash. The substituted path is a /dev/fd/N file descriptor (Linux) or a named pipe under /tmp (macOS); commands that lseek over their input (e.g. some archive tools) won’t work.

 pipe, redirection
Heredoc & herestring (<< <<<)
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Feed a multi-line block of text or a single string directly into a command's stdin without a separate file. <cmd> << <DELIM> | <cmd> <<- <DELIM> | <cmd> <<< "<string>"
3 flags << · Heredoc — reads lines until a line containing o... Show all
<<
Heredoc — reads lines until a line containing only the delimiter; parameter/command expansion active.
<<-
Strip leading tabs from each heredoc line — useful for indented scripts.
<<<
Herestring — feeds a single word or quoted string as stdin (bash/zsh; not POSIX).
1 recipe

Quoting the heredoc delimiter (<< 'EOF') suppresses variable and command expansion inside the block — without quotes, $HOME and $(cmd) are expanded, which can cause surprises. The closing delimiter must appear on a line by itself with no leading spaces (use <<- with tabs if you need indentation). Herestrings (<<<) are bash/zsh extensions and not available in /bin/sh.

 redirection, pipe
Brace & tilde expansion ({} ~)
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Generate lists of strings or paths at parse time — before any command runs — enabling concise multi-target operations. {<a>,<b>,<c>} | {<n>..<m>} | ~ | ~<user>
4 flags {a,b,c} · Comma list — expands to each item in place (e.g... Show all
{a,b,c}
Comma list — expands to each item in place (e.g. file.{yml,json}).
{1..10}
Sequence — expands to an integer (or character) range, inclusive.
~
Tilde alone — expands to $HOME.
~user
Tilde + username — expands to that user's home directory.
1 recipe

Brace expansion happens before variable expansion, so {1..$n} does not work — the shell sees the literal string $n before it reads the variable. Use seq 1 $n or an arithmetic loop instead. Brace expansion is a bash/zsh feature; POSIX sh does not support it. Tilde expansion only triggers when ~ is unquoted and at the start of a word.

 command-substitution
vim
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Modal terminal text editor — separate modes for moving, inserting, and issuing commands. vim [+<line>] [-R] [<file>...]
8 flags +<line> · Open the file with the cursor on line <... Show all
+<line>
Open the file with the cursor on line <line> (bare + jumps to the last line).
+/<pat>
Open and jump to the first line matching <pat>.
-R
Read-only mode — guards against accidental edits while browsing.
-d
Diff mode — equivalent to running vimdiff on the given files.
-o / -O
Open the listed files in horizontal (-o) or vertical (-O) split windows.
-p
Open each file in its own tab page.
-u <vimrc>
Use the given config file instead of the default; -u NONE starts with no config at all.
-c <cmd>
Run an Ex command after loading the first file (e.g. -c 'set number').
4 recipes :%s/old/new/g Show all

vim is modal — keystrokes mean different things in Normal, Insert, and Visual mode. If typed text does nothing or beeps, you are in Normal mode; press i to insert or Esc to return to Normal. To exit when stuck, press Esc then type :q! to quit discarding changes, or :wq to save and quit. A leftover .swp file means a previous session crashed or the file is open elsewhere.

 nvim (Neovim) is a compatible fork with Lua config and async plugins vimdiff, nano, less
vimdiff
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Open two to four files in vim with their differences highlighted side by side. vimdiff <file1> <file2> [<file3> [<file4>]]
2 flags
-R
Open all files read-only so the diff can be reviewed without edits.
-c 'set diffopt+=iwhite'
Pass an Ex command — here, make the diff ignore whitespace changes.
2 recipes git config --global merge.tool vimdiff ... Show all

The cursor controls which window is the target for :diffget/:diffput — double-check which split you are in before pushing changes. Use :diffupdate if the highlighting goes stale after manual edits. Closing one split with :q leaves the others in diff mode until you quit them too.

 nvim -d for Neovim; delta or git difftool for richer diffs vim, diff
  • man 1 vimdiff
nano
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Small, approachable terminal editor with on-screen shortcut hints — no modes to learn. nano [-l] [+<line>[,<col>]] [<file>]
6 flags +<line>,<col> · Open with the cursor at the given line and (opt... Show all
+<line>,<col>
Open with the cursor at the given line and (optional) column.
-l
Show line numbers in the left margin.
-w
Disable automatic line wrapping of long lines.
-m
Enable mouse support for click-to-position.
-i
Auto-indent new lines to match the previous line.
-B
Save a backup of the previous version as <file>~ on write.
2 recipes EDITOR=nano crontab -e Show all

Saving is Ctrl-O (WriteOut), not Ctrl-S — and Ctrl-X exits, prompting to save if there are unsaved changes. The ^ in the bottom bar means the Ctrl key and M- means the Alt/Meta key. Older builds wrap long lines by default, which can mangle config files — pass -w to disable it.

 micro offers a similar modeless feel with mouse and syntax-highlighting defaults vim, less
less
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Scroll forward and backward through text or files one screen at a time — the default pager. less [-N] [-S] [+<cmd>] [<file>...]
7 flags -N · Show line numbers in the left margin. Show all
-N
Show line numbers in the left margin.
-S
Chop (do not wrap) long lines; scroll right with the arrow keys to see them.
-R
Pass ANSI colour escape codes through so coloured output renders correctly.
-F
Quit immediately if the content fits on one screen (don't page short files).
-X
Don't clear the screen on exit — leave the last page visible in the scrollback.
+F
Start in follow mode, like tail -f; press Ctrl-C to stop following and scroll freely.
+G
Jump to the end of the file on open.
2 recipes git log -p | less -R Show all

less is read-only — it never edits the file, so it’s safe on huge or production files (it doesn’t load the whole file into memory). Inside less, / searches forward, ? backward, g/G jump to the start/end, and q quits. Coloured input looks garbled unless you pass -R. The pager honours the LESS environment variable for default flags.

 bat adds syntax highlighting and Git gutters while paging like less vim, nano
  • man 1 less
tmux
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Modern terminal multiplexer — detachable sessions split into windows and panes, fully scriptable. tmux [new|attach|ls|kill-session] [-s <name>] [-t <target>]
7 flags new -s <name> · Create a new named session. Show all
new -s <name>
Create a new named session.
attach -t <name>
Re-attach to an existing detached session (alias: a).
ls
List all running sessions and their window counts.
kill-session -t <name>
Terminate a named session and all its panes.
kill-server
Stop the tmux server and every session it manages.
new -A -s <name>
Attach to the named session if it exists, otherwise create it — idempotent startup.
rename-session -t <old> <new>
Rename an existing session.
3 recipes tmux new -A -s main Show all

Almost every tmux key is preceded by the prefix, by default Ctrl-b — press and release it, then the command key. Detaching (Ctrl-b d) leaves the session and its processes running in the background; only kill-session or exiting every shell ends it. Config lives in ~/.tmux.conf; reload it with Ctrl-b :source-file ~/.tmux.conf without restarting the server.

 screen, ssh
screen
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution GNU Screen — the long-standing terminal multiplexer for detachable, persistent shell sessions. screen [-S <name>] [-r [<name>]] [-ls] [-d <name>]
6 flags -S <name> · Start a new session with a given name. Show all
-S <name>
Start a new session with a given name.
-r [<name>]
Re-attach to a detached session (name optional if only one).
-ls
List running screen sessions and their attach state.
-d <name>
Detach a session that is currently attached elsewhere.
-dr <name>
Force-detach then re-attach in one step — useful when a session is stuck attached on another terminal.
-X <cmd>
Send a command to a running session without attaching.
2 recipes screen -dr deploy Show all

Screen’s prefix key is Ctrl-a, which collides with the shell’s “move to start of line” binding — press Ctrl-a a to send a literal Ctrl-a to the program. A session shown as (Attached) in -ls but unreachable usually means a dead terminal; use -dr to reclaim it. Scrollback requires entering copy mode with Ctrl-a [.

 tmux is the actively developed, more scriptable successor tmux, ssh
top
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Live, refreshing view of running processes ranked by CPU or memory usage. top [-d <secs>] [-o <field>] [-p <pid>] [-b -n <count>]
6 flags -d <secs> · Set the refresh delay between updates in seconds. Show all
-d <secs>
Set the refresh delay between updates in seconds.
-o <field>
Sort by a field (e.g. %CPU or %MEM); Linux uses -o, on macOS the syntax differs.
-p <pid>
Monitor only the listed process IDs.
-u <user>
Show only processes owned by the given user.
-b
Batch mode — non-interactive plain output, suitable for piping or logging.
-n <count>
In batch mode, refresh <count> times then exit.
2 recipes top -b -n 1 | head -20 Show all

top flags differ between the Linux (procps) and macOS (BSD) implementations — -o %CPU works on Linux but macOS uses -o cpu. The first CPU% reading is averaged since boot and is unreliable; trust the second refresh onward. Press h inside top for the interactive key list.

 htop and btop offer colour, mouse support, and easier sorting htop, ps, free
  • man 1 top
htop
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Interactive, colour process viewer with per-core meters, mouse support, and tree view. htop [-u <user>] [-p <pid>[,<pid>...]] [-t] [-d <tenths>]
5 flags -u <user> · Show only processes owned by the given user. Show all
-u <user>
Show only processes owned by the given user.
-p <pid>,...
Show only the listed process IDs.
-t
Start in tree view, showing parent/child process relationships.
-d <tenths>
Set the update delay in tenths of a second.
-s <column>
Sort by the named column on startup (e.g. PERCENT_CPU).
2 recipes htop -p $(pgrep -d, python) Show all

htop often isn’t installed by default — add it via your package manager. Sending a signal (F9) defaults to SIGTERM; pick SIGKILL only as a last resort. You can only signal or renice processes you own unless htop is run with sudo. Use F4 to filter and F3 to search by name.

 btop adds graphs and network/disk panels in a similar TUI top, ps, kill
journalctl
🐧🛡
✓ safe
🐧 Linux🛡 root
✓ safe Query and display logs from the systemd journal — services, the kernel, and boot history. journalctl [-u <unit>] [-f] [-b] [-p <prio>] [--since <when>]
8 flags -u <unit> · Show logs for a specific systemd unit (e.g. Show all
-u <unit>
Show logs for a specific systemd unit (e.g. nginx.service).
-f
Follow — stream new log entries live as they are written.
-b [<n>]
Show logs from the current boot, or boot <n> (-1 = previous boot).
-p <prio>
Filter by priority (e.g. err, warning) and above.
--since / --until <when>
Restrict the time window (e.g. --since "1 hour ago").
-k
Show only kernel messages — the journal equivalent of dmesg.
-n <count>
Show only the last <count> lines (like tail).
--no-pager
Print straight to stdout instead of paging through less.
2 recipes journalctl -u ssh.service --since today... Show all

Without sudo or membership in the systemd-journal group you see only your own user’s logs, not system-wide entries. The journal may be volatile (lost on reboot) unless Storage=persistent is set in /etc/systemd/journal.conf. Output is paged through less by default — add --no-pager when piping.

 dmesg, systemctl, less
  • man 1 journalctl
dmesg
🐧🛡
✓ safe
🐧 Linux🛡 root
✓ safe Print the kernel ring buffer — boot messages, driver output, and hardware events. dmesg [-H] [-w] [-T] [-l <level>] [--clear]
5 flags -H · Human-readable output — colour, relative timest... Show all
-H
Human-readable output — colour, relative timestamps, and paging.
-w
Wait and follow — print new kernel messages as they arrive.
-T
Show human-readable wall-clock timestamps instead of seconds-since-boot.
-l <level>
Filter by log level (e.g. err, warn).
--clear
Clear the ring buffer after printing (needs root).
2 recipes sudo dmesg -T | grep -i 'usb\|sda\|error' Show all

On many distributions reading dmesg now requires root because kernel.dmesg_restrict is enabled — prefix with sudo if you get “Operation not permitted”. Default timestamps are seconds since boot, which are hard to correlate with real events; add -T for wall-clock time. The ring buffer is fixed-size, so old messages are overwritten — use journalctl -k for full history.

 journalctl -k reads the same kernel log via systemd with persistent history journalctl, less
  • man 1 dmesg
free
🐧
✓ safe
🐧 Linux
✓ safe Show total, used, and available system memory and swap in a single snapshot. free [-h] [-m|-g] [-s <secs>] [-t]
5 flags -h · Human-readable units (auto-scales to KiB/MiB/GiB). Show all
-h
Human-readable units (auto-scales to KiB/MiB/GiB).
-m / -g
Force output in mebibytes (-m) or gibibytes (-g).
-s <secs>
Repeat the report every <secs> seconds until interrupted.
-t
Add a total line summing RAM and swap.
-w
Wide mode — split the buffers and cache columns apart.
2 recipes free -h | awk '/Mem:/ {print $3 " used ... Show all

The number that matters is the available column, not free — Linux deliberately uses spare RAM for disk cache (the buff/cache column), which it instantly reclaims when programs need it. A small free with large available is healthy, not a problem.

 top, vmstat, uptime
  • man 1 free
uptime
🐧🍎⚙️
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform
✓ safe Show how long the system has been running plus the 1-, 5-, and 15-minute load averages. uptime [-p] [-s]
2 flags
-p
Pretty output — print only the uptime in words (e.g. "up 3 days, 4 hours").
-s
Print the exact date and time the system booted.
2 recipes watch -n 5 uptime Show all

Load average counts processes that are running or waiting (including on disk I/O), not just CPU usage — a load of 4 is healthy on a 4-core box but saturated on a single core. Compare the figure to your core count (nproc). The three numbers are the 1-, 5-, and 15-minute averages, so a high first number that is falling means a spike that is passing.

 top, free, vmstat
  • man 1 uptime
vmstat
🐧
✓ safe
🐧 Linux
✓ safe Report virtual-memory, process, CPU, and I/O statistics sampled over an interval. vmstat [<delay> [<count>]] [-s] [-d] [-w]
5 flags <delay> <count> · Sample every <delay> seconds... Show all
<delay> <count>
Sample every <delay> seconds, <count> times (omit count to run forever).
-s
Print a one-shot table of memory and event totals instead of the rolling report.
-d
Show per-disk I/O statistics.
-w
Wide output — wider columns that don't truncate large numbers.
-S M
Display memory figures in megabytes instead of kilobytes.
2 recipes vmstat 2 | awk 'NR>2 {print $1, $2, $13... Show all

The first line of output is the average since boot and should be ignored — only the lines after a delay sample reflect current activity. High values in the si/so (swap in/out) columns mean the system is thrashing swap and needs more RAM. The wa CPU column is time waiting on I/O, which often explains apparent slowness that isn’t CPU-bound.

 iostat, free, top
  • man 8 vmstat
iostat
🐧
✓ safe
🐧 Linux
✓ safe Report CPU utilisation and per-device disk I/O throughput and latency. iostat [-x] [-d] [-h] [-m] [<interval> [<count>]]
6 flags -x · Extended statistics — utilisation, queue size, ... Show all
-x
Extended statistics — utilisation, queue size, await, and service times per device.
-d
Show device (disk) statistics only, hiding the CPU report.
-h
Human-readable units for throughput figures.
-m
Display throughput in megabytes per second instead of blocks.
<interval> <count>
Sample every <interval> seconds, <count> times.
-p <dev>
Show statistics for a device and its individual partitions.
2 recipes iostat -x 1 | awk '$NF>80 {print}' Show all

iostat ships in the sysstat package, which is not always installed by default. As with vmstat, the first report is the average since boot — ignore it and read subsequent samples. The key fields in -x are %util (how busy the device is) and await (average request latency in ms); a high await with high %util means the disk is the bottleneck.

 vmstat, top, free
  • man 1 iostat
psql
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution PostgreSQL's interactive terminal — run SQL, inspect schemas, and script queries against a database. psql [-h <host>] [-p <port>] [-U <user>] [-d <db>] [-c <sql>] [-f <file>]
7 flags -h <host> · Connect to the server at the given host (defaul... Show all
-h <host>
Connect to the server at the given host (default: local socket).
-p <port>
Connect on a non-default port (default 5432).
-U <user>
Connect as the named database role.
-d <db>
Select the database to connect to.
-c <sql>
Run a single SQL command non-interactively and exit.
-f <file>
Execute SQL from a script file.
-A -t
Unaligned, tuples-only output — clean values for piping into scripts.
2 recipes psql -d mydb -Atc 'SELECT email FROM us... Show all

Inside psql, backslash meta-commands differ from SQL: \l lists databases, \dt lists tables, \d <table> describes one, and \q quits. Statements must end in a semicolon — a missing ; leaves you at the -> continuation prompt. Set PGPASSWORD or use a ~/.pgpass file to avoid interactive password prompts in scripts.

 mysql, sqlite3
mysql
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Interactive client for MySQL and MariaDB — run SQL, manage databases, and execute scripts. mysql [-h <host>] [-P <port>] [-u <user>] [-p] [-e <sql>] [<db>]
7 flags -h <host> · Connect to the server at the given host. Show all
-h <host>
Connect to the server at the given host.
-P <port>
Connect on a non-default port (default 3306). Note the capital P.
-u <user>
Connect as the named MySQL user.
-p
Prompt for the password (never put the value next to -p on the command line).
-e <sql>
Execute a SQL statement and exit, instead of opening the interactive prompt.
-D <db>
Select the default database to use after connecting.
-B
Batch mode — tab-separated, header-less output suitable for scripts.
2 recipes mysql -u app -p -Be 'SELECT id,email FR... Show all

Putting the password directly after -p (e.g. -psecret) is insecure — it shows in the process list and shell history. Use a bare -p to be prompted, or a ~/.my.cnf with a [client] section. The port flag is capital -P; lowercase -p is the password. End statements with ; or \G (the latter prints rows vertically).

 psql, sqlite3
sqlite3
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Command-line shell for SQLite — a serverless, single-file SQL database needing no daemon. sqlite3 [<file.db>] [<sql>] [-csv|-json|-html]
6 flags <file.db> · Open (or create) the given database file; omit ... Show all
<file.db>
Open (or create) the given database file; omit for an in-memory database.
-csv
Render query results as CSV.
-json
Render query results as a JSON array of objects.
-header
Include a column-name header row in the output.
-line
Print one column per line — readable for wide rows.
-readonly
Open the database file read-only, refusing any writes.
2 recipes sqlite3 -csv -header app.db 'SELECT * F... Show all

Dot-commands like .tables, .schema, .mode, and .quit are sqlite3 shell features, not SQL — they take no trailing semicolon, while SQL statements do. SQLite uses file-level locking, so a single writer blocks others; enable WAL mode (PRAGMA journal_mode=WAL;) for better concurrent reads. The whole database is one file, so copy or back it up by copying that file (ideally while no writer is active).

 psql, mysql
redis-cli
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Command-line client for Redis — issue commands against the in-memory key-value store. redis-cli [-h <host>] [-p <port>] [-a <pass>] [-n <db>] [<command> ...]
6 flags -h <host> · Connect to a Redis server at the given host (de... Show all
-h <host>
Connect to a Redis server at the given host (default 127.0.0.1).
-p <port>
Connect on a non-default port (default 6379).
-a <pass>
Authenticate with a password (prefer REDISCLI_AUTH to keep it out of history).
-n <db>
Select a numbered logical database (0–15 by default).
--scan
Iterate keys safely with SCAN instead of the blocking KEYS command.
--stat
Print rolling server statistics (memory, clients, ops/sec).
2 recipes redis-cli --scan --pattern 'session:*' ... Show all

Never run KEYS * on a production server — it scans the entire keyspace and blocks every other client; use --scan/SCAN for cursor-based iteration. The -a password ends up in shell history and the process list; set REDISCLI_AUTH instead. FLUSHALL and FLUSHDB wipe data instantly with no confirmation — treat them like rm -rf.

 mongosh
mongosh
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution MongoDB's modern JavaScript shell — connect, query collections, and run admin commands. mongosh [<uri>] [--host <h>] [--port <p>] [-u <user>] [--eval <js>] [--file <f>]
7 flags <uri> · Connect using a full mongodb:// co... Show all
<uri>
Connect using a full mongodb:// connection string.
--host <h>
Connect to the server at the given host.
--port <p>
Connect on a non-default port (default 27017).
-u <user> -p
Authenticate as a user; bare -p prompts for the password.
--eval <js>
Run a JavaScript expression and exit instead of opening the interactive shell.
--file <f>
Execute a JavaScript file against the connection.
--quiet
Suppress the startup banner — cleaner output for scripts.
2 recipes mongosh --quiet --eval 'db.events.find(... Show all

The shell language is JavaScript, not SQL — you call methods like db.collection.find({...}) and switch databases with use <db>. Putting credentials in the URI exposes them in shell history; prefer -u user -p with an interactive prompt or an environment-based config. The legacy mongo binary is gone in MongoDB 6+, so old tutorials using it won’t work — use mongosh.

 mongosh replaces the legacy mongo shell removed in MongoDB 6+ redis-cli, psql
gpg
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution GnuPG — encrypt, decrypt, sign, and verify data using OpenPGP keys. gpg [-e] [-d] [-s] [--armor] [-r <recipient>] [<file>]
8 flags -e / --encrypt · Encrypt a file for one or more recipients. Show all
-e / --encrypt
Encrypt a file for one or more recipients.
-d / --decrypt
Decrypt a file (output goes to stdout unless redirected).
-s / --sign
Create a cryptographic signature over the input.
-r <recipient>
Encrypt for the named recipient (email or key ID).
-a / --armor
Produce ASCII-armored (text) output instead of binary.
--verify <sig> [<file>]
Verify a detached or inline signature.
-c / --symmetric
Encrypt with a passphrase only (symmetric, no recipient key).
--import / --export
Import a key from, or export a key to, a file.
2 recipes gpg --armor --export alice@example.com ... Show all

Symmetric (-c) encryption protects with a passphrase alone; public-key (-e -r) needs the recipient’s key in your keyring (import it first). --verify only proves the signature is valid for some key — you must separately confirm that key actually belongs to who you think (check the fingerprint). The agent caches your passphrase, so a failed decrypt may be a stale cached value; restart gpg-agent if keys misbehave.

 openssl, age
openssl
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Swiss-army crypto toolkit — TLS certificates, key generation, hashing, and raw encryption. openssl <subcommand> [options...]
7 flags req · Create and process certificate signing requests... Show all
req
Create and process certificate signing requests (CSRs) and self-signed certs.
x509
Display, convert, and sign X.509 certificates.
genrsa / genpkey
Generate an RSA (or other) private key.
s_client -connect <host>:<port>
Open a TLS connection to inspect a server's certificate and protocol.
enc -aes-256-cbc
Symmetrically encrypt or decrypt data with AES-256.
dgst -sha256
Compute a SHA-256 digest of the input.
rand <n>
Emit <n> bytes of cryptographically secure random data.
2 recipes openssl req -x509 -newkey rsa:4096 -key... Show all

openssl is really many sub-tools, each with its own flags — openssl <cmd> -help lists them. The -nodes flag means “no DES”, i.e. don’t encrypt the private key — never use it for a key you’ll store long-term. Many one-liners online use deprecated algorithms (MD5, 1024-bit RSA); prefer SHA-256 and ≥2048-bit (ideally 4096-bit) RSA or ECDSA.

 gpg, ssh-keygen, base64
ssh-keygen
🐧🍎⚙️🤖
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
▲ caution Generate, manage, and convert SSH authentication key pairs. ssh-keygen [-t <type>] [-b <bits>] [-f <file>] [-C <comment>] [-p]
7 flags -t <type> · Key type — ed25519 (recommended), ... Show all
-t <type>
Key type — ed25519 (recommended), rsa, or ecdsa.
-b <bits>
Key size in bits (RSA only; use ≥4096).
-f <file>
Output key file path (default ~/.ssh/id_<type>).
-C <comment>
Comment label embedded in the public key (often an email).
-p
Change (or add/remove) the passphrase on an existing key.
-y -f <key>
Recompute the public key from an existing private key.
-l -f <key>
Show a key's fingerprint.
2 recipes ssh-keygen -t ed25519 -f ~/.ssh/id_ed25... Show all

The .pub file is the public half — safe to share and copy to servers; the matching file without an extension is the private key and must never leave the machine. Prefer ed25519 over RSA for new keys (smaller, faster, secure). Always set a passphrase on personal keys; an unprotected private key is a plaintext credential. Private keys must be mode 600 or SSH refuses to use them.

 openssl, gpg
  • man 1 ssh-keygen
base64
🐧🍎⚙️🤖
✓ safe
🐧 Linux🍎 macOS⚙️ Cross-platform🤖 Termux
✓ safe Encode binary data to printable ASCII (and back) using the base64 alphabet. base64 [-d] [-w <cols>] [<file>]
3 flags -d / --decode · Decode base64 input back to its original bytes. Show all
-d / --decode
Decode base64 input back to its original bytes.
-w <cols>
Wrap encoded output every <cols> characters (GNU; -w 0 = no wrapping).
-i / --ignore-garbage
When decoding, skip non-alphabet characters instead of erroring.
2 recipes base64 -w 0 cert.pem | pbcopy Show all

base64 is encoding, not encryption — it provides zero confidentiality; anyone can decode it instantly. Never use it to “hide” a secret. The GNU -w wrap flag does not exist on macOS/BSD base64 (which wraps differently); pipe through tr -d '\n' for portable unwrapping. Encoded data is ~33% larger than the original.

 openssl, gpg
  • man 1 base64
age
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Modern, minimal file-encryption tool with small keys and a deliberately tiny feature set. age [-e] [-d] [-r <recipient>] [-p] [-o <out>] [<file>]
8 flags -e / --encrypt · Encrypt the input (the default action). Show all
-e / --encrypt
Encrypt the input (the default action).
-d / --decrypt
Decrypt an age-encrypted file.
-r <recipient>
Encrypt to a public-key recipient (an age1... string or SSH key).
-R <file>
Read recipients from a file (one per line).
-p / --passphrase
Encrypt with a passphrase instead of a key pair.
-i <identity>
Use the given identity (private key) file when decrypting.
-a / --armor
Produce ASCII-armored (PEM-like text) output.
-o <out>
Write to the named output file instead of stdout.
2 recipes tar czf - mydir | age -p -o backup.tar.... Show all

The private identity file (from age-keygen) is a plaintext secret — protect it like an SSH private key; anyone with it can decrypt. age has no key management, expiry, or signing (by design) — if you need signatures or a web of trust, use gpg. age can encrypt to SSH public keys (-R/-r), which is convenient when recipients already publish one.

 age is itself the modern alternative to gpg for simple file encryption gpg, openssl, ssh-keygen
kubectl
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution The Kubernetes CLI — inspect, deploy, and manage resources against a cluster's API server. kubectl <verb> <resource> [<name>] [-n <namespace>] [-o <format>]
8 flags get <resource> · List resources of a type (e.g. pods Show all
get <resource>
List resources of a type (e.g. pods, svc, deploy).
describe <resource> <name>
Show detailed state and recent events for one resource.
apply -f <file>
Create or update resources to match a manifest (declarative).
delete <resource> <name>
Remove a resource from the cluster.
logs <pod> [-f]
Print a pod's container logs; -f follows them live.
exec -it <pod> -- <cmd>
Run a command inside a running container (e.g. -- /bin/sh).
-n <namespace>
Target a specific namespace instead of the default.
-o <format>
Output format — wide, yaml, json, or jsonpath=....
2 recipes kubectl exec -it deploy/api -- /bin/sh Show all

Commands target whatever cluster and namespace the current context selects — run kubectl config current-context and pass -n explicitly to avoid acting on the wrong cluster (a common cause of production accidents). Prefer apply -f (declarative) over imperative create/edit so manifests stay the source of truth. delete is immediate and not undoable — double-check the namespace and name.

 helm, docker compose
helm
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution The Kubernetes package manager — install, upgrade, and roll back applications packaged as charts. helm <command> [<release>] [<chart>] [-n <namespace>] [-f <values>]
8 flags install <release> <chart> · Install a chart as a named release into the clu... Show all
install <release> <chart>
Install a chart as a named release into the cluster.
upgrade <release> <chart>
Upgrade an existing release to a new chart or values (-i = install if absent).
uninstall <release>
Remove a release and all the resources it created.
list
List installed releases in the current namespace (-A for all namespaces).
repo add <name> <url>
Register a chart repository so its charts can be installed by name.
-f <values.yaml>
Override chart defaults with a custom values file.
rollback <release> [<rev>]
Revert a release to a previous revision.
--dry-run --debug
Render the chart and show what would be applied without touching the cluster.
2 recipes helm upgrade -i web bitnami/nginx --dry... Show all

A release name plus namespace must be unique — reusing a name in the same namespace fails unless you upgrade instead of install. Always run helm repo update after adding a repo, or chart lookups use a stale index. Use upgrade -i (install-if-absent) in CI so the same command works whether the release exists yet or not, and --dry-run to preview rendered manifests.

 kubectl
docker compose
🐧🍎⚙️
▲ caution
🐧 Linux🍎 macOS⚙️ Cross-platform
▲ caution Define and run a multi-container application stack from a single compose YAML file. docker compose [-f <file>] <up|down|ps|logs|build|exec> [options]
8 flags up [-d] · Create and start all services; -d ... Show all
up [-d]
Create and start all services; -d runs them detached in the background.
down [-v]
Stop and remove containers and networks; -v also removes named volumes.
ps
List the containers managed by the compose project and their status.
logs [-f] [<svc>]
Show (and optionally follow) logs for all services or one named service.
build [<svc>]
Build or rebuild service images from their Dockerfiles.
exec <svc> <cmd>
Run a command inside a running service container.
-f <file>
Use a specific compose file (default compose.yaml/docker-compose.yml).
--build
With up, rebuild images before starting.
2 recipes docker compose up -d --build && docker ... Show all

Modern Docker ships docker compose (a v2 plugin, space not hyphen); the legacy docker-compose Python script is deprecated and may behave subtly differently. down -v deletes named volumes — your database data goes with it, so omit -v to preserve state. Compose namespaces resources by the project name (the directory name by default), so running the same file from two directories creates two independent stacks.

 docker compose (v2 plugin) replaces the standalone docker-compose Python script kubectl, helm