Runtime CLI

mentu-runtime is the daemon that manages VMs, sandboxed execution, and network interception. It runs alongside the mentu CLI.

In normal mode, mentu executes steps directly on the host. In VM mode (--vm), it delegates to mentu-runtime for isolated execution. The daemon starts automatically on first use.

mentu-runtime <command> [subcommand] [flags]

Execution modes

Mode	What happens	When to use
Normal (default)	Steps run as host processes	Trusted tools, fast iteration
VM (`--vm`)	Steps run inside a sandboxed VM via `mentu-runtime`	Untrusted tools, long unattended runs

Daemon

Command	Description
`mentu-runtime daemon start`	Start the daemon (foreground, blocks until SIGINT)
`mentu-runtime daemon stop`	Graceful shutdown
`mentu-runtime daemon status`	Show state, version, PID, uptime
`mentu-runtime daemon logs`	Stream logs

Logs flags:

Flag	Description
`--pretty`	Human-readable formatting
`--level <level>`	Filter by level (debug, info, warning, error)
`--json`	Raw JSON output

VM

Command	Description
`mentu-runtime vm start`	Boot the VM
`mentu-runtime vm stop`	Graceful shutdown
`mentu-runtime vm pause`	Suspend the VM
`mentu-runtime vm resume`	Resume from suspend
`mentu-runtime vm status`	Show state, backend, CPU, memory, uptime

Start flags:

Flag	Description
`--backend <vz\|krun>`	Choose VM backend

Stop flags:

Flag	Description
`--force`	Force immediate shutdown

Settings

Command	Description
`mentu-runtime settings get`	Show all settings
`mentu-runtime settings set`	Update settings
`mentu-runtime settings check`	Preview whether changes need a restart
`mentu-runtime settings reset`	Reset to defaults

Set flags:

Flag	Type	Description
`--cpu`	int	Number of CPU cores
`--memory`	int	Memory in MB
`--engine`	string	Backend (`vz` or `krun`)
`--rosetta`	bool	Enable Rosetta x86 translation
`--network-mode`	string	Network mode

Engine

Command	Description
`mentu-runtime engine status`	Show current backend and state
`mentu-runtime engine switch <backend>`	Switch backend (reports if restart is needed)

Services

Command	Description
`mentu-runtime service list`	List all internal services
`mentu-runtime service status <name>`	Show service state
`mentu-runtime service restart <name>`	Restart a service

Network

Command	Description
`mentu-runtime network bindings`	Show host-to-guest port bindings

Events

Command	Description
`mentu-runtime events`	Stream events in real-time (Ctrl+C to stop)

Flag	Description
`--json`	Raw JSON output

Sandboxed execution

Run a command inside a sandboxed VM using a profile:

mentu-runtime exec --profile spectre.sandbox.json -- /usr/local/bin/spectre analyze

Flag	Description
`--profile <path>`	Path to sandbox profile JSON
`--interceptor`	Enable network interception

MCP server mode

Run mentu-runtime as an MCP server for AI agent control:

mentu-runtime --mcp
mentu-runtime --mcp --embedded

Flag	Description
`--mcp`	Start as stdio MCP server (requires running daemon)
`--embedded`	In-process mode, no separate daemon needed

Utility

These commands run locally and do not require the daemon.

Command	Description
`mentu-runtime version`	Show version
`mentu-runtime config`	Show configuration
`mentu-runtime validate`	Validate configuration
`mentu-runtime backends`	List available VM backends
`mentu-runtime bind-port --port <n>`	Bind a privileged port
`mentu-runtime socket <username>`	Create socket symlink