Step 15: CLI wiring, prune, and sgardd daemon.

Local prune: garden.Prune() removes orphaned blobs. 2 tests.

CLI commands: sgard push, sgard pull (with SSH auth via --ssh-key
or ssh-agent), sgard prune (local by default, remote with --remote).

Server daemon: cmd/sgardd with --listen, --repo, --authorized-keys
flags. Runs gRPC server with optional SSH key auth interceptor.

Root command gains --remote and --ssh-key persistent flags with
resolveRemote() (flag > env > repo/remote file).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

PROGRESS.md

@@ -7,9 +7,9 @@ ARCHITECTURE.md for design details.
 
 ## Current Status
 
-**Phase:** Phase 2 in progress. Steps 9–14 complete, ready for Step 15.
+**Phase:** Phase 2 in progress. Steps 9–15 complete, ready for Step 16 (Polish).
 
-**Last updated:** 2026-03-23
+**Last updated:** 2026-03-24
 
 ## Completed Steps
 
@@ -42,7 +42,7 @@ Phase 2: gRPC Remote Sync.
 
 ## Up Next
 
-Step 15: CLI Wiring + Prune.
+Step 16: Polish + Release.
 
 ## Known Issues / Decisions Deferred
 
@@ -75,3 +75,4 @@ Step 15: CLI Wiring + Prune.
 | 2026-03-23 | 12b | Directory recursion in Add, mirror up/down commands, 7 tests. |
 | 2026-03-23 | 13 | Client library: Push, Pull, Prune with chunked blob streaming. 6 integration tests. |
 | 2026-03-23 | 14 | SSH key auth: server interceptor (authorized_keys, signature verification), client PerRPCCredentials (ssh-agent/key file). 8 tests including auth integration. |
+| 2026-03-24 | 15 | CLI wiring: push, pull, prune commands, sgardd daemon binary, --remote/--ssh-key flags, local prune with 2 tests. |

PROJECT_PLAN.md

@@ -158,16 +158,16 @@ Depends on Step 12.
 
 Depends on Steps 13, 14.
 
-- [ ] `garden/prune.go`: `Prune() (int, error)` — collect referenced hashes from manifest, delete orphaned blobs, return count removed
+- [x] `garden/prune.go`: `Prune() (int, error)` — collect referenced hashes, delete orphaned blobs
-- [ ] `garden/prune_test.go`: add file, remove it, prune removes orphaned blob
+- [x] `garden/prune_test.go`: prune removes orphaned, keeps referenced
-- [ ] `server/server.go`: add `Prune` RPC — server-side prune, returns count
+- [x] `server/server.go`: Prune RPC (done in Step 12)
-- [ ] `proto/sgard/v1/sgard.proto`: add `rpc Prune(PruneRequest) returns (PruneResponse)`
+- [x] `proto/sgard/v1/sgard.proto`: Prune RPC (done in Step 9)
-- [ ] `client/client.go`: add `Prune()` method
+- [x] `client/client.go`: Prune() method (done in Step 13)
-- [ ] `cmd/sgard/prune.go`: local prune; with `--remote` flag prunes remote instead
+- [x] `cmd/sgard/prune.go`: local prune; with `--remote` prunes remote instead
-- [ ] `cmd/sgard/main.go`: add `--remote`, `--ssh-key` persistent flags
+- [x] `cmd/sgard/main.go`: add `--remote`, `--ssh-key` persistent flags, resolveRemote()
-- [ ] `cmd/sgard/push.go`, `cmd/sgard/pull.go`
+- [x] `cmd/sgard/push.go`, `cmd/sgard/pull.go`
-- [ ] `cmd/sgardd/main.go`: flags, garden open, auth interceptor, gRPC serve
+- [x] `cmd/sgardd/main.go`: flags, garden open, auth interceptor, gRPC serve
-- [ ] Verify: both binaries compile
+- [x] Verify: both binaries compile
 
 ### Step 16: Polish + Release
 

cmd/sgard/main.go

@@ -4,11 +4,16 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/spf13/cobra"
 )
 
-var repoFlag string
+var (
+	repoFlag   string
+	remoteFlag string
+	sshKeyFlag string
+)
 
 var rootCmd = &cobra.Command{
 	Use:   "sgard",
@@ -23,8 +28,29 @@ func defaultRepo() string {
 	return filepath.Join(home, ".sgard")
 }
 
+// resolveRemote returns the remote address from flag, env, or repo config file.
+func resolveRemote() (string, error) {
+	if remoteFlag != "" {
+		return remoteFlag, nil
+	}
+	if env := os.Getenv("SGARD_REMOTE"); env != "" {
+		return env, nil
+	}
+	// Try <repo>/remote file.
+	data, err := os.ReadFile(filepath.Join(repoFlag, "remote"))
+	if err == nil {
+		addr := strings.TrimSpace(string(data))
+		if addr != "" {
+			return addr, nil
+		}
+	}
+	return "", fmt.Errorf("no remote configured; use --remote, SGARD_REMOTE, or create %s/remote", repoFlag)
+}
+
 func main() {
 	rootCmd.PersistentFlags().StringVar(&repoFlag, "repo", defaultRepo(), "path to sgard repository")
+	rootCmd.PersistentFlags().StringVar(&remoteFlag, "remote", "", "gRPC server address (host:port)")
+	rootCmd.PersistentFlags().StringVar(&sshKeyFlag, "ssh-key", "", "path to SSH private key")
 
 	if err := rootCmd.Execute(); err != nil {
 		fmt.Fprintln(os.Stderr, err)

cmd/sgard/prune.go

@@ -0,0 +1,71 @@
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/kisom/sgard/client"
+	"github.com/kisom/sgard/garden"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+var pruneCmd = &cobra.Command{
+	Use:   "prune",
+	Short: "Remove orphaned blobs not referenced by the manifest",
+	Long:  "Remove orphaned blobs locally, or on the remote server with --remote.",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		addr, _ := resolveRemote()
+
+		if addr != "" {
+			return pruneRemote(addr)
+		}
+		return pruneLocal()
+	},
+}
+
+func pruneLocal() error {
+	g, err := garden.Open(repoFlag)
+	if err != nil {
+		return err
+	}
+
+	removed, err := g.Prune()
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Pruned %d orphaned blob(s).\n", removed)
+	return nil
+}
+
+func pruneRemote(addr string) error {
+	signer, err := client.LoadSigner(sshKeyFlag)
+	if err != nil {
+		return err
+	}
+
+	creds := client.NewSSHCredentials(signer)
+	conn, err := grpc.NewClient(addr,
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithPerRPCCredentials(creds),
+	)
+	if err != nil {
+		return fmt.Errorf("connecting to %s: %w", addr, err)
+	}
+	defer func() { _ = conn.Close() }()
+
+	c := client.New(conn)
+	removed, err := c.Prune(context.Background())
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Pruned %d orphaned blob(s) on remote.\n", removed)
+	return nil
+}
+
+func init() {
+	rootCmd.AddCommand(pruneCmd)
+}

cmd/sgard/pull.go

@@ -0,0 +1,60 @@
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/kisom/sgard/client"
+	"github.com/kisom/sgard/garden"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+var pullCmd = &cobra.Command{
+	Use:   "pull",
+	Short: "Pull checkpoint from remote server",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		addr, err := resolveRemote()
+		if err != nil {
+			return err
+		}
+
+		g, err := garden.Open(repoFlag)
+		if err != nil {
+			return err
+		}
+
+		signer, err := client.LoadSigner(sshKeyFlag)
+		if err != nil {
+			return err
+		}
+
+		creds := client.NewSSHCredentials(signer)
+		conn, err := grpc.NewClient(addr,
+			grpc.WithTransportCredentials(insecure.NewCredentials()),
+			grpc.WithPerRPCCredentials(creds),
+		)
+		if err != nil {
+			return fmt.Errorf("connecting to %s: %w", addr, err)
+		}
+		defer func() { _ = conn.Close() }()
+
+		c := client.New(conn)
+		pulled, err := c.Pull(context.Background(), g)
+		if err != nil {
+			return err
+		}
+
+		if pulled == 0 {
+			fmt.Println("Already up to date.")
+		} else {
+			fmt.Printf("Pulled %d blob(s).\n", pulled)
+		}
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(pullCmd)
+}

cmd/sgard/push.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/kisom/sgard/client"
+	"github.com/kisom/sgard/garden"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+var pushCmd = &cobra.Command{
+	Use:   "push",
+	Short: "Push local checkpoint to remote server",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		addr, err := resolveRemote()
+		if err != nil {
+			return err
+		}
+
+		g, err := garden.Open(repoFlag)
+		if err != nil {
+			return err
+		}
+
+		signer, err := client.LoadSigner(sshKeyFlag)
+		if err != nil {
+			return err
+		}
+
+		creds := client.NewSSHCredentials(signer)
+		conn, err := grpc.NewClient(addr,
+			grpc.WithTransportCredentials(insecure.NewCredentials()),
+			grpc.WithPerRPCCredentials(creds),
+		)
+		if err != nil {
+			return fmt.Errorf("connecting to %s: %w", addr, err)
+		}
+		defer func() { _ = conn.Close() }()
+
+		c := client.New(conn)
+		pushed, err := c.Push(context.Background(), g)
+		if errors.Is(err, client.ErrServerNewer) {
+			fmt.Println("Server is newer; run sgard pull instead.")
+			return nil
+		}
+		if err != nil {
+			return err
+		}
+
+		fmt.Printf("Pushed %d blob(s).\n", pushed)
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(pushCmd)
+}

cmd/sgardd/main.go

@@ -0,0 +1,77 @@
+package main
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+
+	"github.com/kisom/sgard/garden"
+	"github.com/kisom/sgard/server"
+	"github.com/kisom/sgard/sgardpb"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+)
+
+var (
+	listenAddr     string
+	repoPath       string
+	authKeysPath   string
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "sgardd",
+	Short: "sgard gRPC sync daemon",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		g, err := garden.Open(repoPath)
+		if err != nil {
+			return fmt.Errorf("opening repo: %w", err)
+		}
+
+		var opts []grpc.ServerOption
+
+		if authKeysPath != "" {
+			auth, err := server.NewAuthInterceptor(authKeysPath)
+			if err != nil {
+				return fmt.Errorf("loading authorized keys: %w", err)
+			}
+			opts = append(opts,
+				grpc.UnaryInterceptor(auth.UnaryInterceptor()),
+				grpc.StreamInterceptor(auth.StreamInterceptor()),
+			)
+			fmt.Printf("Auth enabled: %s\n", authKeysPath)
+		} else {
+			fmt.Println("WARNING: no --authorized-keys specified, running without authentication")
+		}
+
+		srv := grpc.NewServer(opts...)
+		sgardpb.RegisterGardenSyncServer(srv, server.New(g))
+
+		lis, err := net.Listen("tcp", listenAddr)
+		if err != nil {
+			return fmt.Errorf("listening on %s: %w", listenAddr, err)
+		}
+
+		fmt.Printf("sgardd serving on %s (repo: %s)\n", listenAddr, repoPath)
+		return srv.Serve(lis)
+	},
+}
+
+func defaultRepo() string {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return ".sgard"
+	}
+	return filepath.Join(home, ".sgard")
+}
+
+func main() {
+	rootCmd.Flags().StringVar(&listenAddr, "listen", ":9473", "gRPC listen address")
+	rootCmd.Flags().StringVar(&repoPath, "repo", defaultRepo(), "path to sgard repository")
+	rootCmd.Flags().StringVar(&authKeysPath, "authorized-keys", "", "path to authorized SSH public keys file")
+
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}

garden/prune.go

@@ -0,0 +1,31 @@
+package garden
+
+import "fmt"
+
+// Prune removes orphaned blobs that are not referenced by any manifest entry.
+// Returns the number of blobs removed.
+func (g *Garden) Prune() (int, error) {
+	referenced := make(map[string]bool)
+	for _, e := range g.manifest.Files {
+		if e.Type == "file" && e.Hash != "" {
+			referenced[e.Hash] = true
+		}
+	}
+
+	allBlobs, err := g.store.List()
+	if err != nil {
+		return 0, fmt.Errorf("listing blobs: %w", err)
+	}
+
+	removed := 0
+	for _, hash := range allBlobs {
+		if !referenced[hash] {
+			if err := g.store.Delete(hash); err != nil {
+				return removed, fmt.Errorf("deleting blob %s: %w", hash, err)
+			}
+			removed++
+		}
+	}
+
+	return removed, nil
+}

garden/prune_test.go

@@ -0,0 +1,79 @@
+package garden
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestPruneRemovesOrphanedBlob(t *testing.T) {
+	root := t.TempDir()
+	repoDir := filepath.Join(root, "repo")
+
+	g, err := Init(repoDir)
+	if err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	// Add a file, then remove it from manifest. The blob becomes orphaned.
+	testFile := filepath.Join(root, "testfile")
+	if err := os.WriteFile(testFile, []byte("orphan data"), 0o644); err != nil {
+		t.Fatalf("writing test file: %v", err)
+	}
+
+	if err := g.Add([]string{testFile}); err != nil {
+		t.Fatalf("Add: %v", err)
+	}
+
+	hash := g.manifest.Files[0].Hash
+	if !g.BlobExists(hash) {
+		t.Fatal("blob should exist before prune")
+	}
+
+	if err := g.Remove([]string{testFile}); err != nil {
+		t.Fatalf("Remove: %v", err)
+	}
+
+	removed, err := g.Prune()
+	if err != nil {
+		t.Fatalf("Prune: %v", err)
+	}
+	if removed != 1 {
+		t.Errorf("removed %d blobs, want 1", removed)
+	}
+	if g.BlobExists(hash) {
+		t.Error("orphaned blob should be deleted after prune")
+	}
+}
+
+func TestPruneKeepsReferencedBlobs(t *testing.T) {
+	root := t.TempDir()
+	repoDir := filepath.Join(root, "repo")
+
+	g, err := Init(repoDir)
+	if err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	testFile := filepath.Join(root, "testfile")
+	if err := os.WriteFile(testFile, []byte("keep me"), 0o644); err != nil {
+		t.Fatalf("writing test file: %v", err)
+	}
+
+	if err := g.Add([]string{testFile}); err != nil {
+		t.Fatalf("Add: %v", err)
+	}
+
+	hash := g.manifest.Files[0].Hash
+
+	removed, err := g.Prune()
+	if err != nil {
+		t.Fatalf("Prune: %v", err)
+	}
+	if removed != 0 {
+		t.Errorf("removed %d blobs, want 0 (all referenced)", removed)
+	}
+	if !g.BlobExists(hash) {
+		t.Error("referenced blob should still exist after prune")
+	}
+}