The ardur console entry point ships with the Python package. After
pip install -e python/, run ardur --help to see this list at runtime.
The CLI splits into two groups:
- Protocol path: start, issue, verify, attest. Used by builders who want to issue Mission Passports and run a governance proxy directly.
- Personal path: hub, setup, status, doctor, doctor-claude-code, uninstall, run, desktop-observe, personal-native-host, personal-native-manifest, profile init, protect claude-code, claude-code-hook, claude-code-report, gemini-cli-hook, gemini-cli-fixture, gemini-cli-report, codex-app-server-event, codex-app-server-fixture, codex-app-server-report, posture scan, posture report. Used by the local Ardur Personal product shape.
Source: python/vibap/cli.py.
Start the local governance proxy HTTP service. Optionally issue a Mission Passport from a JSON mission file and start a session immediately.
ardur start [--host HOST] [--port PORT] [--mission FILE]
[--keys-dir DIR] [--state-dir DIR] [--log-path FILE]
[--require-auth | --no-require-auth]
Defaults: bind 127.0.0.1:8080. Auth required by default.
State directory security: --state-dir is local secret state. Persisted
sessions and passport state can contain bearer credentials, including parent
passport_token values and delegated child replay tokens. The proxy creates or
hardens the state and sessions/ directories to 0700 and writes JSON state
files as 0600; do not point this option at a shared or world-readable
location.
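A check for the permissions described above, as an added example that is not part of Ardur's own code. It assumes state files carry a .json suffix; the file names in demo() are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_state_dir(state_dir):
    """Return [(relative_path, mode)] for entries looser than the documented 0700/0600."""
    root = Path(state_dir)
    findings = []
    # Directories named on the page: the state dir itself and sessions/.
    for d in (root, root / "sessions"):
        if d.is_dir():
            mode = stat.S_IMODE(d.stat().st_mode)
            if mode & 0o077:  # any group/other bit exceeds 0700
                findings.append((str(d.relative_to(root)), oct(mode)))
    # JSON state files anywhere under the state dir should be owner-only.
    for f in sorted(root.rglob("*.json")):
        mode = stat.S_IMODE(f.stat().st_mode)
        if mode & 0o077:  # any group/other bit exceeds 0600
            findings.append((str(f.relative_to(root)), oct(mode)))
    return findings

def demo():
    """Build a constructed state tree with two deliberate mistakes and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "state"
        sessions = root / "sessions"
        sessions.mkdir(parents=True)
        good = sessions / "s1.json"  # constructed file names
        bad = sessions / "s2.json"
        good.write_text("{}")
        bad.write_text("{}")
        os.chmod(root, 0o700)
        os.chmod(sessions, 0o755)    # mistake 1: directory listable by others
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)         # mistake 2: state file world-readable
        return audit_state_dir(root)

if __name__ == "__main__":
    for path, mode in demo():
        print(f"too permissive: {path} ({mode})")
```

Point audit_state_dir at the directory passed to --state-dir; an empty list means nothing under it is readable by group or other.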
Issue an ES256-signed Mission Passport JWT.
ardur issue --agent-id ID --mission TEXT
[--allowed-tools NAME ...] [--forbidden-tools NAME ...]
[--resource-scope PATTERN ...]
[--max-tool-calls N] [--max-duration-s N]
[--delegation-allowed] [--max-delegation-depth N]
[--ttl-s N] [--keys-dir DIR]
Prints {"token": "...", "claims": {...}} to stdout.
Verify a Mission Passport signature and decode its claims.
ardur verify --token JWT [--keys-dir DIR]
Issue a behavioral attestation for a saved session, summarising the receipt chain.
ardur attest --session SESSION_ID
[--keys-dir DIR] [--state-dir DIR] [--log-path FILE]
Start the local Ardur Personal Hub HTTP service.
ardur hub [--host HOST] [--port PORT] [--home DIR]
See Personal Hub HTTP API for the endpoints exposed.
Configure Ardur Personal on this machine. Generates a Hub token (or reuses an
existing one), writes the local config, prints the token once for setup, and
on macOS installs a per-user LaunchAgent plist at
~/Library/LaunchAgents/dev.ardur.personal-hub.plist so the Hub can be
managed via launchctl or brew services. Run ardur uninstall to remove
the plist.
ardur setup [--host HOST] [--port PORT] [--home DIR]
[--rotate-token] [--extension-path DIR]
--rotate-token forces a new token even if one already exists.
--extension-path selects which browser-extension directory the setup output
points users to (default: examples/ardur-personal-extension).
Show Hub status — current sessions, latest receipt, adapter availability.
ardur status [--hub-url URL] [--hub-token TOKEN] [--home DIR]
Health-check the local Ardur Personal setup: config presence, Hub reachability, key material, write permissions.
ardur doctor [--home DIR] [--hub-url URL] [--hub-token TOKEN]
Verify the Claude Code plugin and active passport setup. Reports missing
plugin files, missing claude binary, missing or stale active_mission.jwt.
ardur doctor-claude-code [--home DIR] [--plugin-dir DIR]
Remove Ardur Personal launch files (the macOS LaunchAgent plist installed by
ardur setup) without deleting the home directory by default.
ardur uninstall [--home DIR] [--remove-data]
--remove-data also deletes the local Ardur Personal evidence and key
material under the home directory.
Run a CLI command through the local Hub. Non-interactive only.
ardur run [--hub-url URL] [--hub-token TOKEN] [--home DIR] -- <command>
Record a desktop observation against the Hub. On macOS, autodetects the
foreground app and window title via the Accessibility API when --app and
--title are omitted.
ardur desktop-observe [--hub-url URL] [--hub-token TOKEN] [--home DIR]
[--session-id ID] [--app NAME] [--title TEXT]
[--text EXCERPT]
--text is an explicit-consent visible text excerpt to include in the
session review; omit it to record an app/title-only observation.
Run the browser native-messaging host that bridges the browser extension to the local Hub. Invoked by Chrome/Firefox via the manifest, not by users directly.
ardur personal-native-host [--hub-url URL] [--hub-token TOKEN] [--home DIR]
[--once-json FILE]
--once-json is a development-mode flag: process one JSON message file and
exit (used by tests and the smoke harness, not by browsers).
Emit a browser native-messaging manifest JSON for installation under the
browser's NativeMessagingHosts/ directory.
ardur personal-native-manifest --host-path PATH --extension-id ID
[--browser chrome|chrome-for-testing|chromium|edge|firefox]
Write a starter ARDUR.md profile from a built-in template.
ardur profile init --template TEMPLATE
[--path PATH] [--force] [--json]
Templates: read-only, safe-coding. Default path: ./ARDUR.md.
Compile a Mission Passport (from an ARDUR.md profile or from CLI flags) and
write active_mission.jwt for the Claude Code plugin to read. Prints the
exact claude invocation that pairs the plugin with the active passport.
ardur protect claude-code [--scope DIR] [--profile PATH]
[--mode read-only|safe-coding]
[--json] [--home DIR] [--plugin-dir DIR]
[--keys-dir DIR] [--agent-id ID]
[--mission TEXT]
[--max-tool-calls N] [--max-duration-s N]
[--ttl-s N]
Profile mode and CLI mode set the same Mission Passport — the Markdown profile is a friendly layer over the same capability set.
Implements the Claude Code hook executable invoked by
plugins/claude-code/hooks/. Not intended for human invocation; called by
Claude Code with hook-specific stdin payloads (pre, post, subagent-start,
subagent-stop).
Read a Claude Code receipt chain and emit a human or JSON summary of allow, deny, and chain-verification outcomes.
ardur claude-code-report [--home DIR] [--chain-dir DIR] [--keys-dir DIR]
[--verify-expiry] [--json]
--verify-expiry also enforces short receipt expiry windows during chain
verification (off by default so reports work on archived chains).
Write a local-only Gemini CLI settings/context fixture and print a redacted shareable context document with digests for the generated files.
ardur gemini-cli-fixture [--home DIR] [--project-dir DIR]
[--chain-dir DIR] [--keys-dir DIR]
The fixture writes settings.json, extensions/ardur-local/gemini-extension.json,
and GEMINI.md under the selected local directories. It is a proof harness for
visible Gemini CLI hook/tool-boundary events; it is not a live-provider or
server-side enforcement claim.
Run the local-only Gemini CLI pre-tool-call hook adapter. The hook reads one
JSON object from stdin, evaluates the active Mission Passport from
ARDUR_MISSION_PASSPORT, appends a signed receipt under
ARDUR_GEMINI_HOOK_DIR (or the default Ardur home), and prints a JSON result.
ardur gemini-cli-hook [pre|--phase pre] [--keys-dir DIR]
status=allow means Ardur recorded evidence and left Gemini/user permission
flow authoritative. status=deny and status=unknown return a blocking result
for wrappers that fail closed. Unknown results are used for unmapped Gemini tool
schemas or other coverage gaps instead of silently treating insufficient
evidence as safe success.
Verify Gemini CLI hook receipt chains and emit a redacted local observability report with allow/deny/unknown counts, chain verification status, coverage gaps, and the explicit non-claims for provider-hidden reasoning/server-side tool calls.
ardur gemini-cli-report [--home DIR] [--chain-dir DIR] [--keys-dir DIR]
[--verify-expiry] [--json]
Write a local-only Codex app-server config/schema/context fixture and print a redacted shareable context document with digests for the generated files.
ardur codex-app-server-fixture [--home DIR] [--project-dir DIR]
[--chain-dir DIR] [--keys-dir DIR]
By default the fixture writes under isolated Ardur local state, not the caller's
real ~/.codex. It writes config.json, ardur-host-event.schema.json, and
CODEX.md under the selected local directories. This is an adoption/proof
harness for visible local Codex app-server or host-event-style fields only.
Read one representative Codex app-server/host-event JSON object from stdin,
evaluate the active Mission Passport from ARDUR_MISSION_PASSPORT, append a
signed receipt under ARDUR_CODEX_APP_SERVER_DIR (or the default Ardur home),
and print a JSON result.
ardur codex-app-server-event [--keys-dir DIR]
status=allow means Ardur recorded local evidence and left Codex/user
permission flow authoritative. status=deny and status=unknown return a
blocking result for wrappers that fail closed. Unknown results are used for
unmapped Codex host-event schemas or other coverage gaps instead of treating
insufficient evidence as safe success.
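A fail-closed wrapper for the status results described for both gemini-cli-hook and codex-app-server-event, as an added example that is not Ardur's own code. It assumes the printed JSON result is an object with a top-level "status" field and that a non-zero exit should also block; pass ("ardur", "codex-app-server-event") as hook_argv for the Codex adapter.

```python
import json
import subprocess

HOOK_ARGV = ("ardur", "gemini-cli-hook", "pre")  # invocation shown on this page

def classify(hook_stdout, exit_code=0):
    """Return (proceed, reason). Only an explicit allow lets the tool call continue."""
    if exit_code != 0:
        return False, f"hook exited {exit_code}"
    try:
        result = json.loads(hook_stdout)
    except (json.JSONDecodeError, TypeError):
        return False, "hook output is not valid JSON"
    if not isinstance(result, dict):
        return False, "hook output is not a JSON object"
    status = result.get("status")  # assumed field name, see lead-in
    if status == "allow":
        return True, "allow"
    if status in ("deny", "unknown"):
        return False, status
    # Missing or unexpected status: insufficient evidence is not success.
    return False, f"unrecognised status {status!r}"

def evaluate(event, hook_argv=HOOK_ARGV, timeout_s=10):
    """Send one event object to the hook on stdin; block if no verdict comes back."""
    try:
        proc = subprocess.run(
            list(hook_argv),
            input=json.dumps(event),
            capture_output=True,
            text=True,
            timeout=timeout_s,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Hook binary missing, not executable, or hung: fail closed.
        return False, f"hook did not run: {type(exc).__name__}"
    return classify(proc.stdout, proc.returncode)

if __name__ == "__main__":
    # Constructed hook outputs, not captured from a real Ardur run.
    for sample in ('{"status": "allow"}', '{"status": "unknown"}', "", "[]"):
        print(repr(sample), "->", classify(sample))
```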
Verify Codex app-server receipt chains and emit a redacted local observability report with allow/deny/unknown counts, chain verification status, coverage gaps, and the explicit non-claims for live Codex cloud enforcement, provider-hidden reasoning, sandbox isolation, universal CLI/eBPF/kernel capture, or production enforcement.
ardur codex-app-server-report [--home DIR] [--chain-dir DIR] [--keys-dir DIR]
[--verify-expiry] [--json]
Derive a local posture-index document from receipt chains, an optional
ARDUR.md profile, and an optional redacted no-key evidence bundle. The scan is
read-only: it does not write receipts, rotate keys, mutate profiles, or create
missing signing material. It reports only what local Ardur artifacts can support.
ardur posture scan --receipts DIR_OR_JSONL
[--keys-dir DIR] [--profile ARDUR.md]
[--evidence-bundle bundle.redacted.json]
[--verify-expiry]
[--format json|markdown]
The JSON output uses positioning=derived_local_evidence. This is an honest
boundary label: the posture index summarizes signed local tool-call evidence,
chain status, policy verdict counts, unknown boundaries such as Bash subprocess
effects, profile digests, and redacted bundle metadata. It is not live
enterprise-wide discovery, provider-hidden visibility, kernel/process capture,
or proof of effects outside the captured tool-call boundary.
Credential-like values are emitted as [REDACTED]; local absolute paths are
replaced with stable <PATH:...> placeholders so reports can be shared without
leaking private workstation paths.
Render a posture JSON document from ardur posture scan --format json as a
concise Markdown report, or re-emit it as formatted JSON.
ardur posture report --input posture.json [--format markdown|json]
- ../guides/ardur-personal-hub.md: the end-to-end Personal Hub walkthrough.
- ../../python/README.md: install + protocol quickstart.
- ../../plugins/claude-code/README.md: the Claude Code plugin's own README, including receipt verification.