docs: add v3 cli commands to rpc-go

docs/Reference/RPC/overview.md

@@ -4,20 +4,20 @@ The Remote Provisioning Client (RPC-Go) is a Go-based application that runs dire
 
 RPC-Go supports two primary deployment models:
 
-1. **Cloud deployment (RPS-driven activation)** – RPC-Go acts as a proxy between the Remote Provisioning Server (RPS) and Intel® AMT. This flow is commonly used to configure AMT so that the device can establish a Client Initiated Remote Access (CIRA) connection to the Management Presence Server (MPS).
+1. **Server-driven activation** – RPC-Go acts as a **proxy** between a server (Console or RPS) and Intel® AMT. All orchestration logic resides on the server — RPC-Go simply relays WSMAN commands between the server and AMT. This flow is commonly used to configure AMT so that the device can establish a Client Initiated Remote Access (CIRA) connection to the Management Presence Server (MPS).
 
-2. **Local deployment** – RPC-Go consumes an exported AMT profile (YAML) and applies it directly on the device. This does not require RPS and is well suited for Console-based workflows, flat networks, or environments where cloud connectivity is not desired.
+2. **Local deployment** – RPC-Go applies configuration directly to Intel® AMT on the device, without requiring a server at runtime. RPC-Go consumes an exported AMT profile (YAML) and executes the provisioning sequence locally. This is well suited for flat networks or environments where cloud connectivity is not desired.
 
 ---
 
 ## Activation Flows
 
-### 1. Activation via Remote Provisioning Server (RPS)
+### 1. Server-Driven Activation (Console or RPS)
 
-In this flow:
+In this flow, RPC-Go acts purely as a **proxy** — all activation and configuration logic resides on the server:
 
-1. RPC-Go connects to RPS over a secure WebSocket connection.
-2. RPS orchestrates the WS-Management (WSMAN) sequence required to configure and activate Intel® AMT.
+1. RPC-Go connects to the server (Console or RPS) over a secure WebSocket connection.
+2. The server orchestrates the WS-Management (WSMAN) sequence required to configure and activate Intel® AMT.
 3. RPC-Go relays those commands to AMT through the MEI (HECI) driver or Intel® Local Management Service (LMS).
 4. Once activated and configured, AMT establishes a CIRA tunnel to MPS.
 
@@ -61,6 +61,11 @@ This model is useful for environments where profiles are pre-generated, RPS is *
 
 ## Related Topics
 
-- [Build RPC-Go Manually](./buildRPC_Manual.md)  
-- For v2.x configuration details and CLI options: [v2.x CLI](./v2/commandsRPC.md)  
-- For v3.x configuration details and CLI options: [v3.x CLI – Work in Progress](./v3/about-v3.md)
+- [Build RPC-Go Manually](./buildRPC_Manual.md)
+- For v2.x configuration details and CLI options: [v2.x CLI](./v2/commandsRPC.md)
+- For v3.x CLI reference:
+    - [About v3](./v3/about-v3.md) — What changed and migration guide
+    - [Commands Overview](./v3/commands.md)
+    - [Server Mode CLI](./v3/commandsServer.md) — RPS-driven activation, deactivation, maintenance 
+    - [Local Mode CLI](./v3/commandsLocal.md) — Local activation, configure
+    - [Info and Diagnostics](./v3/commandsInfo.md) — amtinfo, diagnostics, version

docs/Reference/RPC/v3/about-v3.md

@@ -1,17 +1,16 @@
 
 
-RPC-Go v3.x introduces a faster activation workflow and a clearer configuration model.  
-In addition to the existing RPS-driven proxy flow, v3.x adds support for retrieving an encrypted AMT profile directly from the Console or RPS and applying it locally on the device. This significantly improves activation speed, especially in environments where RPS is not required. See the **What Changed in v3.x** section below for more details.
+RPC-Go v3.x introduces a faster activation workflow and a clearer configuration model. In addition to the existing RPS-driven proxy flow, v3.x adds support for retrieving an encrypted AMT profile directly from the Console or RPS and applying it locally on the device. This significantly improves activation speed, especially in environments where RPS is not required. See the **What Changed in v3.x** section below for more details.
 
 v3.x also addresses several long-standing inconsistencies in the configuration and CLI structure:
 
 - The terms `config`, `configv2`, and `profile` were often confused.
 - CLI flags were not fully consistent.
 - Application configuration and provisioning configuration were mixed together.
 
-The goal of v3.x is clarity, consistency, and ease of use—improving how RPC-Go is configured and executed without changing its underlying activation and configuration capabilities.
+The goal of v3.x is clarity, consistency, and ease of use, improving how RPC-Go is configured and executed without changing its underlying activation and configuration capabilities.
 
-!!! important "v2.x is fully supported — no immediate action required"
+!!! important "v2.x is fully supported, no immediate action required"
     RPC-Go v2.x continues to work exactly as before.  
     All existing activation flows, encrypted profiles, and RPS interactions remain fully supported.  
     You may stay on v2.x without upgrading until you are ready.
@@ -35,7 +34,7 @@ https://<RPS or Console Host>/api/v1/admin/profiles/export/<profile-name>?domain
 RPC-Go can authenticate using either username/password or an auth-token, retrieve the encrypted profile, and orchestrate Intel® AMT activation **locally on the device**.  
 This results in **faster and more efficient activation** compared to the legacy proxy model.
 
-This new workflow currently requires some additional configuration (endpoints, tokens, auth settings), and we plan to simplify it in future releases. This is also why v3.x remains in Beta—we want to incorporate customer feedback and ensure the workflow becomes easier as it evolves.
+This new workflow currently requires some additional configuration (endpoints, tokens, auth settings), and we plan to simplify it in future releases. This is also why v3.x remains in Beta. We want to incorporate customer feedback and ensure the workflow becomes easier as it evolves.
 
 If you prefer the traditional RPS-driven model, you can continue using it in both v2.x and v3.x.
 

docs/Reference/RPC/v3/commands.md

@@ -0,0 +1,81 @@
+
+
+The Remote Provisioning Client (RPC-Go) v3.x provides commands for activating, deactivating, configuring, diagnosing, and managing Intel® AMT devices. Commands operate in one of two modes:
+
+- **Server mode** - RPC-Go acts as a **proxy** between a server (Console or RPS) and Intel® AMT. All orchestration logic resides on the server and RPC-Go relays WSMAN commands to AMT.
+- **Local mode** - RPC-Go applies configuration directly to Intel® AMT on the device, without requiring a server at runtime. The device OS is trusted to handle secrets and provisioning data.
+
+!!! note "Elevated Privileges Required"
+    RPC must run with elevated privileges. Commands require `sudo` on Linux or an Administrator Command Prompt on Windows.
+
+## Commands
+
+Run `rpc -h` to see all available commands:
+
+=== "Linux/macOS"
+
+    ```bash
+    sudo ./rpc -h
+    ```
+
+=== "Windows"
+
+    ```powershell
+    rpc.exe -h
+    ```
+
+| Command | Description | Modes | Reference |
+|:--------|:------------|:------|:----------|
+| [activate](commandsServer.md#activate) | Activate AMT on the local device or via remote server. | Server, Local | [Server](commandsServer.md#activate) | [Local](commandsLocal.md#activate) |
+| [deactivate](commandsServer.md#deactivate) | Deactivate AMT on the local device or via remote server. | Server, Local | [Server](commandsServer.md#deactivate) | [Local](commandsLocal.md#deactivate) |
+| [configure](commandsLocal.md#configure) | Configure AMT settings including ethernet, wireless, TLS, CIRA, and other features. | Local | [Local](commandsLocal.md#configure) |
+| [diagnostics](commandsInfo.md#diagnostics) | Collect firmware-level diagnostics for platform debugging. | Local | [Reference](commandsInfo.md#diagnostics) |
+| [amtinfo](commandsInfo.md#amtinfo) | Display AMT status and configuration on the local device. | Local | [Reference](commandsInfo.md#amtinfo) |
+| [version](commandsInfo.md#version) | Display RPC and protocol version. | Local | [Reference](commandsInfo.md#version) |
+
+## Mode Overview
+
+### Server Mode
+
+In server mode, RPC-Go acts as a **proxy**: it connects to a server (Console or RPS) over a secure WebSocket connection and relays WSMAN commands to Intel® AMT. All orchestration logic resides on the server; RPC-Go does not make provisioning decisions.
+
+Use server mode when:
+
+- Devices are managed centrally through Console and MPS.
+- CIRA (Client Initiated Remote Access) connectivity is required.
+- Profiles are managed on the server.
+
+```bash
+rpc activate --url wss://server/activate --profile profilename
+```
+
+See [Server Mode CLI Reference](commandsServer.md) for all server mode commands, flags, and examples.
+
+### Local Mode
+
+Local mode commands apply configuration directly to Intel® AMT through the MEI driver or LMS, without server interaction. RPC-Go reads profiles and secrets from the local filesystem and drives the provisioning sequence itself.
+
+!!! warning "OS Trust Assumption"
+    Local mode assumes the operating system environment is trusted. Profiles, secrets, and credentials are read from and processed on the local device. Ensure the OS has not been compromised before using local mode commands.
+
+Use local mode when:
+
+- A server (Console/RPS) is not required or not available.
+- Profiles are exported from Console and applied on-device.
+
+```bash
+
+# Profile-based activation (exported from Console)
+rpc activate --profile ./myprofile.yaml --key "myprofile_key"
+
+# Flag-based activation
+rpc activate --local --ccm
+```
+
+See [Local Mode CLI Reference](commandsLocal.md) for all local mode commands, flags, and examples.
+
+### Info and Diagnostics
+
+The `amtinfo` command queries AMT status locally, `diagnostics` collects platform debug data, and `version` prints the RPC build info.
+
+See [Info and Diagnostics Reference](commandsInfo.md) for details.

docs/Reference/RPC/v3/commandsInfo.md

@@ -0,0 +1,172 @@
+
+
+These commands query device status, collect diagnostics, and display version information. They run locally and do not require a server connection, with one exception: `amtinfo --sync` pushes collected device info to a remote server and requires [server credentials](#syncing-device-info-to-server).
+
+!!! note "Elevated Privileges Required"
+    RPC must run with elevated privileges. Commands require `sudo` on Linux or an Administrator Command Prompt on Windows.
+
+!!! warning "AMT 19+: `--skip-amt-cert-check` Required"
+    Starting with AMT 19, Intel® AMT uses TLS for local communication. The TLS certificate is **not** in the OS trust store. You must pass `--skip-amt-cert-check` on AMT 19+ platforms for `amtinfo` and `diagnostics`. A future release will remove this requirement.
+
+---
+
+## amtinfo
+
+Query AMT status and configuration locally. This command reads device information directly from Intel® AMT through the MEI driver or LMS.
+
+```bash
+rpc amtinfo
+```
+
+Running `amtinfo` without options prints all available information.
+
+### Status Flags
+
+| Info | Flag | Short | Description |
+|:-----|:-----|:------|:------------|
+| Version | `--ver` | `-r` | Intel® AMT version. |
+| Build Number | `--bld` | `-b` | Intel® AMT build number. |
+| SKU | `--sku` | `-s` | Product SKU. |
+| UUID | `--uuid` | `-u` | Unique Universal Identifier of the device. Used in device-specific MPS API calls. |
+| UPID | `--upid` | | Intel Unique Platform ID. |
+| Control Mode | `--mode` | `-m` | Managed device state: pre-provisioning, CCM, or ACM. |
+| Provisioning State | `--provisioningState` | `-p` | Current provisioning state. |
+| Operational State | `--operationalState` | | Enabled/Disabled. Returns AMT state for 13th Gen Raptor Lake (AMT 16.1) or newer. N/A for earlier generations. |
+| DNS Suffix | `--dns` | `-d` | DNS suffix set via PKI DNS Suffix in Intel® MEBX or DHCP Option 15. Required for ACM activation. |
+| Hostname (OS) | `--hostname` | | Device hostname as set in the OS. |
+| RAS Status | `--ras` | `-a` | Remote Access Service status: connection state, trigger type, and MPS hostname. |
+| LAN Settings | `--lan` | `-l` | Wired/wireless adapter info: DHCP, link status, IP addresses, MAC address. |
+| System Certificates | `--cert` | `-c` | System certificate hashes. If `--password` is also provided, prints both system and user certificate hashes. |
+| User Certificates | `--userCert` | | User certificate hashes. AMT password required. |
+| All | `--all` | `-A` | Show all AMT information. |
+
+### Syncing Device Info to Server
+
+By default, `amtinfo` only prints locally. Adding `--sync` with `--url` makes it collect the same info and then push it to a remote server (e.g., Console or MPS) via HTTP PATCH. Authentication flags are required for the server connection.
+
+```bash
+rpc amtinfo --sync --url https://mps.example.com/api/v1/devices --auth-token eyJhbGci...
+```
+
+| Flag | Description | Env Var |
+|:-----|:------------|:--------|
+| `--sync` | After collecting device info, push it to the server via HTTP PATCH. | |
+| `--url` | Endpoint URL for the PATCH request. **Required with `--sync`.** | |
+| `--auth-token` | Bearer token for server authentication. | `AUTH_TOKEN` |
+| `--auth-username` | Username for basic auth. | `AUTH_USERNAME` |
+| `--auth-password` | Password for basic auth. | `AUTH_PASSWORD` |
+| `--auth-endpoint` | Token endpoint URL. Default: `/api/v1/authorize`. | |
+| `--skip-cert-check` | `-n` | Skip certificate verification for the server connection. **Insecure.** | |
+
+### `amtinfo` Common Flags
+
+| Flag | Short | Description | Env Var |
+|:-----|:------|:------------|:--------|
+| `--json` | `-j` | Output in JSON format. | |
+| `--verbose` | `-v` | Enable verbose logging. | |
+| `--log-level` | | Log level: `trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic`. Default: `info`. | |
+| `--password` | | AMT admin password. Required for `--userCert`. | `AMT_PASSWORD` |
+| `--skip-amt-cert-check` | | Skip AMT/LMS TLS certificate verification. **Required for AMT 19+.** | |
+| `--lmsaddress` | | LMS address. Default: `localhost`. | |
+| `--lmsport` | | LMS port. Default: `16992` for AMT ≤ v18, `16993` for AMT ≥ v19. | |
+
+### Examples
+
+```bash
+# Show all AMT info
+rpc amtinfo
+
+# Show all AMT info on AMT 19+
+rpc amtinfo --skip-amt-cert-check
+
+# Show only version and control mode
+rpc amtinfo --ver --mode
+
+# Show LAN settings in JSON
+rpc amtinfo --lan --json
+
+# Show user certificates (requires password)
+rpc amtinfo --userCert --password AMTPassword
+
+# Sync device info to Console
+rpc amtinfo --sync --url https://mps.example.com/api/v1/devices --auth-token eyJhbGci...
+```
+
+---
+
+## diagnostics
+
+Collect firmware-level diagnostics for platform debugging. Use this command to inspect CIRA tunnel state, query WSMAN objects, dump CSME flash logs, and generate diagnostic bundles when troubleshooting Intel® AMT issues. If you are working with the Intel support or debug team, they may request these logs to diagnose firmware-level problems.
+
+```bash
+rpc diagnostics <subcommand>
+```
+
+Aliases: `diag`.
+
+### Subcommands
+
+| Subcommand | Description |
+|:-----------|:------------|
+| [cira](#diagnostics-cira) | Dump CIRA-related diagnostics. |
+| [csme](#diagnostics-csme) | Dump CSME / firmware flash diagnostics. |
+| [ws-man](#diagnostics-wsman) | Dump AMT WSMAN class(es). |
+| [bundle](#diagnostics-bundle) | Collect a full diagnostics bundle. |
+
+### diagnostics cira
+
+Dump CIRA-related diagnostics.
+
+```bash
+rpc diagnostics cira
+rpc diagnostics cira -o cira_log.txt
+```
+
+| Flag | Short | Description |
+|:-----|:------|:------------|
+| `-o` | | Output file path for the CIRA log text data. |
+
+### diagnostics csme
+
+Dump CSME / firmware flash diagnostics.
+
+```bash
+rpc diagnostics csme
+rpc diagnostics csme -o flash_log.bin
+```
+
+| Flag | Short | Description |
+|:-----|:------|:------------|
+| `-o` | | Output file path for the flash log binary data. |
+
+### diagnostics wsman
+
+Dump AMT WSMAN class(es).
+
+```bash
+rpc diagnostics ws-man --class AMT_GeneralSettings
+```
+
+### diagnostics bundle
+
+Collect a full diagnostics bundle (combines all diagnostic subcommands).
+
+```bash
+rpc diagnostics bundle
+```
+
+---
+
+## version
+
+Display the current version of RPC-Go and the RPC Protocol version.
+
+```bash
+rpc version
+```
+
+Use `--json` for JSON-formatted output:
+
+```bash
+rpc version --json
+```