
Manifests

Generate a synthetic Active Directory environment, inspect its graph, and explore principals, hosts, and the command vocabulary.

A manifest is the generated world — the graph of hosts, principals, credentials, groups, and the edges between them. Every trajectory you sample targets a manifest, so this is where the environment’s shape is fixed.

Manifest generation runs as an async job. The durable manifest record only exists once the job completes.

The minimum useful invocation picks a preset:

dn worlds manifest-create --preset small --seed 7 --name corp-ad

For explicit sizing — reproducible counts, custom domain names — skip --preset and pass the dimensions directly:

dn worlds manifest-create \
  --name corp-ad \
  --seed 7 \
  --num-users 50 \
  --num-hosts 10 \
  --domain corp.local \
  --json

--domain is repeatable. --num-users accepts 1–50,000; --num-hosts accepts 1–10,000.
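
A pre-flight check for the explicit-sizing form, added here as an example (it is not part of the dn CLI or the original page). It enforces the documented --num-users and --num-hosts ranges and the repeatable --domain flag, then prints the command without running it. The function names, the unsigned-seed check, and the character restriction on names and domains are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for explicit manifest sizing. Prints the command; never calls dn.
# Limits come from the text above: --num-users 1-50,000 and --num-hosts 1-10,000.
# Assumptions of this example: unsigned seed, and names/domains limited to [A-Za-z0-9._-].

# in_range VALUE MIN MAX: succeed only for an unsigned integer within [MIN, MAX].
in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 6 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# safe_token VALUE: succeed only for a non-empty token that cannot be read as a flag.
safe_token() {
  case "$1" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# manifest_create_cmd NAME SEED USERS HOSTS [DOMAIN...]
# Prints the dn invocation on stdout, or an error on stderr with status 1.
manifest_create_cmd() {
  [ "$#" -ge 4 ] || { echo "usage: NAME SEED USERS HOSTS [DOMAIN...]" >&2; return 1; }
  mc_name=$1 mc_seed=$2 mc_users=$3 mc_hosts=$4
  shift 4
  safe_token "$mc_name" || { echo "invalid --name: $mc_name" >&2; return 1; }
  # Pin the seed explicitly so the same dimensions reproduce the same graph.
  case "$mc_seed" in ''|*[!0-9]*) echo "invalid --seed: $mc_seed" >&2; return 1 ;; esac
  in_range "$mc_users" 1 50000 || { echo "--num-users must be 1-50000" >&2; return 1; }
  in_range "$mc_hosts" 1 10000 || { echo "--num-hosts must be 1-10000" >&2; return 1; }
  mc_cmd="dn worlds manifest-create --name $mc_name --seed $mc_seed"
  mc_cmd="$mc_cmd --num-users $mc_users --num-hosts $mc_hosts"
  # --domain is repeatable: one flag per remaining argument.
  for mc_domain in "$@"; do
    safe_token "$mc_domain" || { echo "invalid --domain: $mc_domain" >&2; return 1; }
    mc_cmd="$mc_cmd --domain $mc_domain"
  done
  echo "$mc_cmd --json"
}

# Constructed sample input matching the invocation shown above.
manifest_create_cmd corp-ad 7 50 10 corp.local
```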

The command returns a job record. Wait on the job, then fetch the manifest:

dn worlds job-wait <job-id>
dn worlds manifest-get <manifest-id>

small, medium, large, and enterprise are opaque preset names passed through to the Worlds backend — the topology they produce is backend-owned, not specified by the control plane. Use them when you want “a reasonable target of this scale” and don’t care about exact counts; use explicit --num-users / --num-hosts when you need a reproducible shape.

--seed <int> makes generation deterministic. The same preset or dimensions plus the same seed produce the same graph. A different seed with the same parameters yields a different environment, which is useful for training diversity.

Manifests are workspace-scoped and belong to a project. Omit --project-id to land in the workspace default project. Trajectories sampled from the manifest must match its project; cross-project sampling is rejected at submission.

The fastest way to understand what was generated is the Graph Explorer in the web app (Worlds → Manifests → your manifest → Graph Explorer). It renders the full graph with edge-severity filters, node search, and a subgraph focus that centers on any selected node at depth 2.

From the CLI you have the same inspection surface in pieces:

dn worlds graph-nodes <manifest-id>
dn worlds graph-edges <manifest-id>
dn worlds subgraph <manifest-id> <node-id> --depth 2

graph-nodes and graph-edges paginate; subgraph returns a k-hop neighborhood around a node.

Principals are the identities in the graph — users, computers, service accounts, groups. Search and drill in:

dn worlds principals <manifest-id> --query alice
dn worlds principal <manifest-id> <principal-id>
dn worlds principal-details <manifest-id> <principal-id>

principal-details expands memberships, credentials, and the principal’s graph context.

Hosts work the same way:

dn worlds host <manifest-id> <host-id>
dn worlds host-details <manifest-id> <host-id>

host-details includes services, artifacts, and graph neighbors.

Every manifest carries a command catalog — the actions the sampler can take against the environment. The web UI shows this on the manifest Overview tab; from the CLI:

dn worlds commands <manifest-id>

The catalog is live: it reads from the Worlds backend sandbox that generated the manifest. Backend sandboxes are not permanent — when the sandbox has been reaped, commands returns empty and both the graph explorer and command catalog in the web UI surface “backend no longer available” warnings. The durable manifest record (stats, artifact refs, related trajectories) stays readable regardless.

The manifest detail view in the web app shows related trajectories inline on the Overview tab — each with its goal, strategy, step count, and outcome. From the CLI:

dn worlds manifest-trajectories <manifest-id>