`upload-folder-with-permissions`

Windows only

This command only runs on the Windows build of the CLI. Calling it on Linux/macOS throws NotImplementedException: Only the windows build of the CLI supports permission sync.

One-shot upload of a network folder that also reads each file's Active Directory ACLs and propagates them into the workspace, so users only see files they have permission to access at the OS level.

For a continuous version, use monitor-with-permissions.

Usage

curiosity-cli upload-folder-with-permissions \
  --server             https://my-workspace.example.com/ \
  --token              $CURIOSITY_TOKEN \
  --path               \\\\fileserver\\Shared \
  --permissions-cache  C:\\curiosity\\acl-cache.json \
  --fetch-server-state false

Options

Same set as upload-folder, plus:

Flag	Alias	Required	Description
`--permissions-cache`	`-c`	yes	Path to a `.json` file used to cache resolved ACL → user/group mappings between runs.

Force-applied behavior:

--upload-to is overridden to Custom — ACLs come from the file system, not from a single target group/user. Don't pass --upload-to / --target-uid explicitly.
The CLI calls graph.MapPermissionsAsync for each file as it's ingested, building the ACL graph in the workspace.

Why a cache file?

Resolving a Windows SID to a user or group inside the workspace's graph is the expensive part of permission ingest. The cache stores the SID → workspace-UID mapping so re-runs only re-resolve identities that changed.

Keep the file path stable across runs.
Snapshot it alongside your other deployment artifacts if you ever need to roll back.
Delete it to force a full re-resolve.

Account requirements

The account running the CLI must be able to:

Read every file under --path (use --username / --password / --domain to impersonate a service account if needed).
Read the security descriptors (i.e., have READ_CONTROL) on those files.
Query Active Directory for the SIDs found in the ACLs.