The ardur console entry point ships with the Python package. After
pip install -e python/, run ardur --help to see this list at runtime.
The CLI splits into two groups:
- Protocol path —
start,issue,verify,attest. Used by builders who want to issue Mission Passports and run a governance proxy directly. - Personal path —
hub,setup,status,doctor,doctor-claude-code,uninstall,run,desktop-observe,personal-native-host,personal-native-manifest,profile init,protect claude-code,claude-code-hook,claude-code-report,gemini-cli-hook,gemini-cli-fixture,gemini-cli-report,codex-app-server-event,codex-app-server-fixture,codex-app-server-report,posture scan,posture report. Used by the local Ardur Personal product shape.
Source: python/vibap/cli.py.
Start the local governance proxy HTTP service. Optionally issue a Mission Passport from a JSON mission file and start a session immediately.
ardur start [--host HOST] [--port PORT] [--mission FILE]
[--keys-dir DIR] [--state-dir DIR] [--log-path FILE]
[--require-auth | --no-require-auth]
Defaults: bind 127.0.0.1:8080. Auth required by default.
State directory security: --state-dir is local secret state. Persisted
sessions and passport state can contain bearer credentials, including parent
passport_token values and delegated child replay tokens. The proxy creates or
hardens the state and sessions/ directories to 0700 and writes JSON state
files as 0600; do not point this option at a shared or world-readable
location.
Activate or deactivate the emergency kill switch on a running governance proxy.
ardur kill-switch [--deactivate] [--proxy-url URL] [--api-token TOKEN]
If the local proxy cannot be reached, TLS/scheme setup looks wrong, or the
proxy rejects the bearer token, the JSON output preserves ok: false and adds
deterministic next_steps. The hints are local/no-key recovery guidance only:
start the loopback governance proxy, match the <proxy-url> scheme/host/port,
supply or rotate <api-token>, then rerun ardur kill-switch. They use
placeholders such as <proxy-url>, <proxy-port>, and <api-token> rather
than copying raw tokens, URL credentials, or private paths. Successful
activate/deactivate responses preserve the proxy response shape and omit
remediation noise.
Issue an ES256-signed Mission Passport JWT.
ardur issue --agent-id ID --mission TEXT
[--allowed-tools NAME ...] [--forbidden-tools NAME ...]
[--resource-scope PATTERN ...]
[--max-tool-calls N] [--max-duration-s N]
[--delegation-allowed] [--max-delegation-depth N]
[--ttl-s N] [--keys-dir DIR]
Prints {"token": "...", "claims": {...}} to stdout.
Verify a Mission Passport signature and decode its claims.
ardur verify --token JWT [--keys-dir DIR]
Issue a behavioral attestation for a saved session, summarising the receipt chain.
ardur attest --session SESSION_ID
[--keys-dir DIR] [--state-dir DIR] [--log-path FILE]
Start the local Ardur Personal Hub HTTP service.
ardur hub [--host HOST] [--port PORT] [--home DIR]
See Personal Hub HTTP API for the endpoints exposed.
Configure Ardur Personal on this machine. Generates a Hub token (or reuses an
existing one), writes the local config, prints the token once for setup, and
on macOS installs a per-user LaunchAgent plist at
~/Library/LaunchAgents/dev.ardur.personal-hub.plist so the Hub can be
managed via launchctl or brew services. Run ardur uninstall to remove
the plist.
ardur setup [--host HOST] [--port PORT] [--home DIR]
[--rotate-token] [--extension-path DIR]
--rotate-token forces a new token even if one already exists.
--extension-path selects which browser-extension directory the setup output
points users to (default: examples/ardur-personal-extension).
Show Hub status — current sessions, latest receipt, adapter availability.
ardur status [--hub-url URL] [--hub-token TOKEN] [--home DIR]
When the local Hub cannot be reached or returns a local token/auth setup error,
the JSON output keeps the failing status response and adds a deterministic
next_steps array. These hints are local-only setup guidance: run setup if
needed, start the loopback Hub, supply or rotate the Hub token, then re-run
ardur status or ardur doctor. They use placeholders such as
<ardur-home>, <hub-url>, and <hub-token> and do not claim live provider
behavior, provider-hidden action visibility, or release readiness. Healthy Hub
responses preserve the existing response shape and omit actionable remediation.
Health-check the local Ardur Personal setup: config presence, Hub reachability, key material, write permissions.
ardur doctor [--home DIR] [--hub-url URL] [--hub-token TOKEN]
The JSON output preserves the ok and checks fields and includes a
machine-readable next_steps array when core setup checks fail. These local
remediation hints cover missing setup/config/token state, starting or checking
the loopback Hub, and re-running ardur doctor; they use placeholders such as
<ardur-home>, <hub-url>, and <hub-token> rather than copying raw local
paths or tokens. When the core setup is healthy, next_steps is an empty array.
Verify the Claude Code plugin and active passport setup. Reports missing
plugin files, missing claude binary, missing or stale active_mission.jwt,
and machine-readable next_steps remediation hints when a check fails.
ardur doctor-claude-code [--home DIR] [--plugin-dir DIR]
The command is local-only: it inspects files, PATH, and Claude Code plugin
validation state, but does not run a live Claude prompt or call a provider API.
Use failed next_steps entries to recover the setup, then re-run the doctor
before claiming the local Claude Code path is ready.
Remove Ardur Personal launch files (the macOS LaunchAgent plist installed by
ardur setup) without deleting the home directory by default.
ardur uninstall [--home DIR] [--remove-data] [--dry-run]
--remove-data also deletes the local Ardur Personal evidence and key
material under the home directory.
Use --dry-run to print deterministic JSON showing the local LaunchAgent and,
when --remove-data is also set, the Ardur Personal home directory that would
be removed. Dry-run mode does not delete launch files or data.
Dry-run JSON also includes a placeholder-safe next_steps array so users can
interpret the preview before running a destructive command. The hints point to
reviewing would_remove, unloading only the local Ardur Personal LaunchAgent if
it is running, backing up/exporting <ardur-home> to <backup-location> before
--remove-data, and rerunning ardur uninstall intentionally without
--dry-run only after the preview matches intent. The guidance uses placeholders
instead of raw local homes, temp paths, Hub tokens, evidence files, or key
material.
Run a CLI command through the local Hub. Non-interactive only.
ardur run [--hub-url URL] [--hub-token TOKEN] [--home DIR] -- <command>
If the local Hub cannot be reached, or session start/policy setup fails before
<command> runs because local Hub auth/token state is missing or invalid,
ardur run preserves the existing setup-failure exit code (127) and prints a
placeholder-safe Next steps: section to stderr. The remediation text points to
local setup, Hub startup, Hub token supply/rotation, and ardur doctor using
<ardur-home>, <hub-url>, <hub-token>, and <command> placeholders rather
than copying raw temp homes or tokens. Blocked commands still exit 126 with a
receipt when policy evaluation succeeds; successful commands preserve stdout,
stderr, and child exit-code streaming without remediation noise.
Record a desktop observation against the Hub. On macOS, autodetects the
foreground app and window title via the Accessibility API when --app and
--title are omitted.
ardur desktop-observe [--hub-url URL] [--hub-token TOKEN] [--home DIR]
[--session-id ID] [--app NAME] [--title TEXT]
[--text EXCERPT]
--text is an explicit-consent visible text excerpt to include in the
session review; omit it to record an app/title-only observation.
When the local Hub cannot be reached or returns a local token/auth setup error,
desktop-observe preserves the failing ok: false / error_code JSON response
and adds deterministic next_steps. The hints are local/no-key recovery
guidance only: run setup if needed, start the loopback Hub, supply or rotate the
Hub token, run ardur doctor, then re-run ardur desktop-observe --app <app-name> --title <window-title> --home <ardur-home> --hub-url <hub-url> --hub-token <hub-token>. They use placeholders such as <ardur-home>,
<hub-url>, <hub-token>, <app-name>, and <window-title> rather than
copying raw local paths, temp homes, URL credentials, or tokens. This does not
claim live provider/API behavior, provider-hidden action visibility, browser
store/native-host installation proof, release readiness, or public metadata
readiness; successful observations preserve the Hub response shape without
remediation noise.
Run the browser native-messaging host that bridges the browser extension to the local Hub. Invoked by Chrome/Firefox via the manifest, not by users directly.
ardur personal-native-host [--hub-url URL] [--hub-token TOKEN] [--home DIR]
[--once-json FILE]
--once-json is the development/smoke path: process one JSON message file and
exit with the native-host JSON response. Browsers do not pass this flag; they
use Native Messaging length-prefix framing, but Hub setup/auth failures carry
the same JSON response payload inside that framing.
When the local Hub cannot be reached or returns a local token/auth setup error,
personal-native-host preserves the failing ok: false / error_code response
and adds a deterministic next_steps array. The hints are local/no-key recovery
guidance only: run setup if needed, start the loopback Hub, supply or rotate the
Hub token, run ardur doctor, then re-run ardur personal-native-host --once-json <native-message.json> --home <ardur-home> --hub-url <hub-url> --hub-token <hub-token>. They use placeholders such as <ardur-home>,
<hub-url>, <hub-token>, and <native-message.json> and do not claim browser
store deployment proof, live provider/API behavior, provider-hidden action
visibility, native-host installation proof, release readiness, or public
metadata readiness.
Emit a browser native-messaging manifest JSON for installation under the
browser's NativeMessagingHosts/ directory.
ardur personal-native-manifest --host-path PATH --extension-id ID
[--browser chrome|chrome-for-testing|chromium|edge|firefox]
Write a starter ARDUR.md profile from a built-in template.
ardur profile init --template TEMPLATE
[--path PATH] [--force] [--json]
Templates: read-only, safe-coding. Default path: ./ARDUR.md.
If the target profile already exists and --force is omitted, the command
fails closed instead of overwriting local guardrails. JSON output includes
ok: false, error: "profile_exists", condition: "profile_exists", and
deterministic next_steps; human output prints the same recovery guidance under
"Next steps". The placeholder-only local recovery commands are
ardur profile init --path ARDUR.md --force when you intend to replace the
profile, or ardur protect claude-code --profile ARDUR.md to use the existing
profile.
Compile a Mission Passport (from an ARDUR.md profile or from CLI flags) and
write active_mission.jwt for the Claude Code plugin to read. Prints the
exact claude invocation that pairs the plugin with the active passport.
ardur protect claude-code [--scope DIR] [--profile PATH]
[--mode read-only|safe-coding]
[--json] [--home DIR] [--plugin-dir DIR]
[--keys-dir DIR] [--agent-id ID]
[--mission TEXT]
[--max-tool-calls N] [--max-duration-s N]
[--ttl-s N]
Profile mode and CLI mode set the same Mission Passport — the Markdown profile is a friendly layer over the same capability set.
If neither --scope nor a profile Protect folder: value is available, the
command exits nonzero without configuring Claude Code. JSON output includes
ok: false, error: "missing_scope", condition: "missing_scope", and
local next_steps; human output prints the same recovery guidance under a
"Next steps" section with placeholders such as <your-project>.
If the selected Claude Code plugin directory is missing or incomplete, the
command also exits nonzero without writing active_mission.jwt. JSON output
includes ok: false, error: "claude_code_plugin_incomplete",
condition: "claude_code_plugin_incomplete", stable missing_checks, and
placeholder-only next_steps such as
ardur doctor-claude-code --plugin-dir <claude-code-plugin> --home <ardur-home>;
human output prints the same recovery guidance without a Python traceback or raw
local temp paths.
Implements the Claude Code hook executable invoked by
plugins/claude-code/hooks/. Not intended for human invocation; called by
Claude Code with hook-specific stdin payloads (pre, post, subagent-start,
subagent-stop).
Read a Claude Code receipt chain and emit a human or JSON summary of allow, deny, and chain-verification outcomes.
ardur claude-code-report [--home DIR] [--chain-dir DIR] [--keys-dir DIR]
[--verify-expiry] [--json]
--verify-expiry also enforces short receipt expiry windows during chain
verification (off by default so reports work on archived chains).
When no local Claude Code hook receipts are present, the JSON report includes a
next_steps array and the human output prints a concise "Next steps" section:
configure ardur protect claude-code, run the printed
claude --plugin-dir ... command, then rerun ardur claude-code-report. These
hints use placeholders such as <your-project>, <ardur-home>, and
<claude-code-plugin>; they do not call Claude, contact a provider, or imply
visibility into provider-hidden actions.
Write a local-only Gemini CLI settings/context fixture and print a redacted shareable context document with digests for the generated files.
ardur gemini-cli-fixture [--home DIR] [--project-dir DIR]
[--chain-dir DIR] [--keys-dir DIR]
The fixture writes settings.json, extensions/ardur-local/gemini-extension.json,
and GEMINI.md under the selected local directories. It is a proof harness for
visible Gemini CLI hook/tool-boundary events; it is not a live-provider or
server-side enforcement claim.
Run the local-only Gemini CLI pre-tool-call hook adapter. The hook reads one
JSON object from stdin, evaluates the active Mission Passport from
ARDUR_MISSION_PASSPORT, appends a signed receipt under
ARDUR_GEMINI_HOOK_DIR (or the default Ardur home), and prints a JSON result.
ardur gemini-cli-hook [pre|--phase pre] [--keys-dir DIR]
status=allow means Ardur recorded evidence and left Gemini/user permission
flow authoritative. status=deny and status=unknown return a blocking result
for wrappers that fail closed. Unknown results are used for unmapped Gemini tool
schemas or other coverage gaps instead of silently treating insufficient
evidence as safe success.
Verify Gemini CLI hook receipt chains and emit a redacted local observability report with allow/deny/unknown counts, chain verification status, coverage gaps, and the explicit non-claims for provider-hidden reasoning/server-side tool calls.
ardur gemini-cli-report [--home DIR] [--chain-dir DIR] [--keys-dir DIR]
[--verify-expiry] [--json]
When no local Gemini CLI hook receipts are present, the JSON report includes a
next_steps array and the human output prints a concise "Next steps" section:
create a local fixture with ardur gemini-cli-fixture --project-dir <your-project>,
configure Gemini CLI to use the generated local hook/settings, run a local
Gemini CLI command that triggers a hook, then rerun ardur gemini-cli-report.
These hints use placeholders such as <your-project>, <ardur-home>, and
<chain-dir>; they do not call Gemini, contact a provider, or imply visibility
into provider-hidden actions.
Write a local-only Codex app-server config/schema/context fixture and print a redacted shareable context document with digests for the generated files.
ardur codex-app-server-fixture [--home DIR] [--project-dir DIR]
[--chain-dir DIR] [--keys-dir DIR]
By default the fixture writes under isolated Ardur local state, not the caller's
real ~/.codex. It writes config.json, ardur-host-event.schema.json, and
CODEX.md under the selected local directories. This is an adoption/proof
harness for visible local Codex app-server or host-event-style fields only.
Read one representative Codex app-server/host-event JSON object from stdin,
evaluate the active Mission Passport from ARDUR_MISSION_PASSPORT, append a
signed receipt under ARDUR_CODEX_APP_SERVER_DIR (or the default Ardur home),
and print a JSON result.
ardur codex-app-server-event [--keys-dir DIR]
status=allow means Ardur recorded local evidence and left Codex/user
permission flow authoritative. status=deny and status=unknown return a
blocking result for wrappers that fail closed. Unknown results are used for
unmapped Codex host-event schemas or other coverage gaps instead of treating
insufficient evidence as safe success.
Verify Codex app-server receipt chains and emit a redacted local observability report with allow/deny/unknown counts, chain verification status, coverage gaps, and the explicit non-claims for live Codex cloud enforcement, provider-hidden reasoning, sandbox isolation, universal CLI/eBPF/kernel capture, or production enforcement.
ardur codex-app-server-report [--home DIR] [--chain-dir DIR] [--keys-dir DIR]
[--verify-expiry] [--json]
When no local Codex app-server receipts are present, the JSON report includes a
next_steps array and the human output prints a concise "Next steps" section:
create a local fixture with ardur codex-app-server-fixture --project-dir <your-project>,
feed a local Codex app-server host-event JSON object through
ardur codex-app-server-event, then rerun ardur codex-app-server-report.
These hints use placeholders such as <your-project>, <ardur-home>, and
<chain-dir>; they do not call Codex, contact a provider, prove live Codex
cloud behavior, or imply visibility into provider-hidden actions.
Derive a local posture-index document from receipt chains, an optional
ARDUR.md profile, and an optional redacted no-key evidence bundle. The scan is
read-only: it does not write receipts, rotate keys, mutate profiles, or create
missing signing material. It reports only what local Ardur artifacts can support.
ardur posture scan --receipts DIR_OR_JSONL
[--keys-dir DIR] [--profile ARDUR.md]
[--evidence-bundle bundle.redacted.json]
[--verify-expiry]
[--format json|markdown]
The JSON output uses positioning=derived_local_evidence. This is an honest
boundary label: the posture index summarizes signed local tool-call evidence,
chain status, policy verdict counts, unknown boundaries such as Bash subprocess
effects, profile digests, and redacted bundle metadata. It is not live
enterprise-wide discovery, provider-hidden visibility, kernel/process capture,
or proof of effects outside the captured tool-call boundary.
Credential-like values are emitted as [REDACTED]; local absolute paths are
replaced with stable <PATH:...> placeholders so reports can be shared without
leaking private workstation paths.
When receipt evidence is missing, unverified because public keys are unavailable,
or broken by failed chain verification, the JSON output includes a next_steps
array and Markdown output prints a concise ## Next steps section. These hints
use placeholders such as <ardur-home>, <chain-dir>, <keys-dir>, and
<your-project> to guide local recovery without leaking workstation paths. The
hints point users at local receipt production, key selection, and posture-scan
reruns; they do not call live providers, prove provider-hidden actions, repair or
reconstruct missing evidence, perform asset inventory, or claim kernel/process
capture.
Render a posture JSON document from ardur posture scan --format json as a
concise Markdown report, or re-emit it as formatted JSON.
ardur posture report --input posture.json [--format markdown|json]
If --input is missing, unreadable, a directory, malformed JSON, or JSON that
is not an object, the command fails closed with exit code 1. JSON output
returns ok: false, matching error and condition fields, a human-readable
message and detail, and a next_steps array. Markdown output prints
Error:, Detail:, and a concise Next steps: section.
The recovery hints are local-only and placeholder-only. They tell the user to
create a posture JSON document with
ardur posture scan --receipts <chain-dir> --keys-dir <keys-dir> --format json > <posture-json>,
then rerun ardur posture report --input <posture-json> --format json. The
placeholders (<chain-dir>, <keys-dir>, and <posture-json>) are deliberate:
the report path does not print local absolute paths, raw tokens, private keys, or
provider credentials, and the hints do not call live providers, create missing
evidence, reconstruct private keys, prove provider-hidden behavior, or claim
kernel/process capture.
../guides/ardur-personal-hub.md— the end-to-end Personal Hub walkthrough.../../python/README.md— install + protocol quickstart.../../plugins/claude-code/README.md— the Claude Code plugin's own README, including receipt verification.