Command-line interface for Strix — run governed actions through the kernel and verify the signed evidence
Project description
strix-cli
Command-line interface for Strix governance evidence verification.
Wraps the strix-verify Python package into ergonomic commands for operators, SREs, and CI pipelines. Every evidence record produced by the Strix platform can be independently verified using only standard cryptographic primitives (Ed25519 + SHA-256) — no Strix SDK or account required.
Install
# From the monorepo (editable)
cd python/strix-cli
pip install -e .
# Verifies you have the CLI available
strix version
Minimum Python 3.10.
Quick Start
# Verify an evidence record end-to-end
strix verify 12345
# Same, but emit JSON for scripting
strix verify --json 12345 | jq '.signatureValid'
# Check endpoint reachability
strix health
# Walk through the verification steps one at a time
strix simulate 12345
# Confirm your local environment is set up correctly
strix doctor
Commands
Connected execution (governed run)
strix run executes a governed action through the hosted Strix kernel in
connected mode (a tenant sk_ API key), end-to-end:
evaluate → (operator approval for HIGH+) → execute → close the proof loop
On success it emits a verifiable proof reference you can check with the same CLI:
export STRIX_API_KEY=sk_live_... # tenant key from the Console
export KERNEL_URL=https://www.strixgov.com
strix run notification.send --env production --ack "sending the release note"
# → APPROVED — token: ...
# PROOF — evidenceId: <id> verify: npx @strixgov/verifier <id>
strix verify <id> # verify the record this run produced
A machine tenant key never self-approves. HIGH-risk actions return the
Console approval URL and fail closed (exit 25) unless a human approves; pass
--wait [seconds] to block and poll until approved, then execute:
strix run member.role.update --env production --ack "promote alice to admin" --wait 300
Exit codes are aligned with the solo CLI: 0 ok · 20 not-configured ·
21 unreachable · 22 denied · 24 timeout · 25 pending-approval ·
26 approval-timeout · 40 bad input.
Verification
| Command | What it does |
|---|---|
strix verify <id> |
Fetch + verify a record by evidence ID |
strix verify-file <path> |
Verify a record from a JSON file |
strix fetch-proof <id> |
Fetch a raw record without verifying |
strix simulate <id> |
Dry-run verification step by step |
Layer 2 deployment-context checks (SE-14) are opt-in:
strix verify 12345 --expect-env production --expect-tenant acme-corp
Historical JWKs for key rotation can come from a file or the STRIX_SIGNING_JWKS_EXTRA env var:
strix verify 12345 --extra-keys ./historical-keys.json
Diagnostics
| Command | What it does |
|---|---|
strix health |
Ping proof API + JWKS endpoint |
strix jwks |
Print the live JWKS |
strix jwks --kid strix-prod-2026-04 |
Filter to a single key |
strix doctor |
Full environment check (Python, deps, network, env flags) |
strix version |
Print CLI + verifier versions |
Capability Registry
| Command | What it does |
|---|---|
strix capability list |
List every capability in the registry |
strix capability list --bucket identity-access |
Filter by bucket |
strix capability show <id> |
Show a single manifest |
strix capability scaffold <bucket>.<name> |
Create a new capability skeleton |
strix capability validate <path> |
Validate a manifest without registering |
strix capability register <path> |
Validate + register |
The CLI auto-discovers capabilities/ by walking up from cwd, or you can pass --registry explicitly.
Output Modes
All commands support two output modes:
- Human (default): Rich-formatted tables with color. Good for terminals.
- JSON (
--json): Stable, machine-readable JSON. Good for CI,jq, scripts.
Errors and progress logs go to stderr; primary output goes to stdout. This means strix verify <id> > result.json captures only the structured result.
Exit Codes
The CLI uses distinct exit codes so CI pipelines can tell transient failures apart from verification failures:
| Code | Meaning |
|---|---|
0 |
Command succeeded / record VERIFIED |
1 |
Verification failed (tamper, unsigned, missing key, compliance violation) |
2 |
Environment or network error (transient — safe to retry) |
Example: CI Verification
#!/usr/bin/env bash
# Block a deploy if any evidence from the last 100 records fails verification.
set -euo pipefail
for id in $(strix fetch-recent-ids --limit 100); do
if ! strix verify --quiet "$id"; then
echo "Evidence $id failed verification" >&2
exit 1
fi
done
Example: Cross-Environment Replay Detection (SE-14)
Strix stores the signing environment and tenantId on the record, never read from process.env at verification time. This lets you catch cross-environment replays without special infrastructure:
# In your production verification job:
strix verify 12345 --expect-env production --expect-tenant acme-corp
# → environmentMatch: false ⇒ record was signed in staging, not production
Architecture Notes
This CLI is a thin presentation layer over strix-verify. It:
- Does not store, cache, or persist evidence records.
- Does not require Strix credentials. Public JWKS + public proof API only.
- Does not assert compliance flags — they are always derived from verification outcomes (CI-5).
- Reads
environmentandtenantIdfrom the stored record fields only (SE-14).
If you need to embed verification into a larger Python application, import the strix_verify package directly.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file strix_cli-0.2.0.tar.gz.
File metadata
- Download URL: strix_cli-0.2.0.tar.gz
- Upload date:
- Size: 36.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6f8986c581edfb4b07bbfeb90f92ce4ebbb8ea7ea98112ba829d2ae7cecf4033
|
|
| MD5 |
6a619a2ac8a2716cb81b2a8d37bf14d9
|
|
| BLAKE2b-256 |
095b0e536665dc1c8ca101902ffa0d3a82ba8fe74ce6349cbe5e510417afd753
|
Provenance
The following attestation bundles were made for strix_cli-0.2.0.tar.gz:
Publisher:
publish-strix-cli.yml on Tarshann/strix-platform
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
strix_cli-0.2.0.tar.gz -
Subject digest:
6f8986c581edfb4b07bbfeb90f92ce4ebbb8ea7ea98112ba829d2ae7cecf4033 - Sigstore transparency entry: 1710128124
- Sigstore integration time:
-
Permalink:
Tarshann/strix-platform@2a38aaef4a38f5af6e86c960d4a573bd7f7afe1f -
Branch / Tag:
refs/tags/strix-cli-v0.2.0 - Owner: https://github.com/Tarshann
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-strix-cli.yml@2a38aaef4a38f5af6e86c960d4a573bd7f7afe1f -
Trigger Event:
push
-
Statement type:
File details
Details for the file strix_cli-0.2.0-py3-none-any.whl.
File metadata
- Download URL: strix_cli-0.2.0-py3-none-any.whl
- Upload date:
- Size: 27.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
29a5dad11dd893712d28640749e10babf6cc07362a8708e6524ef4bb1f62e74e
|
|
| MD5 |
1d788e701dcf394c5aeeb1f7357b1c20
|
|
| BLAKE2b-256 |
d153cfdf3baeb7ce7973b83b6412ae9d288cbff758f9306598535e6e1e5e3e98
|
Provenance
The following attestation bundles were made for strix_cli-0.2.0-py3-none-any.whl:
Publisher:
publish-strix-cli.yml on Tarshann/strix-platform
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
strix_cli-0.2.0-py3-none-any.whl -
Subject digest:
29a5dad11dd893712d28640749e10babf6cc07362a8708e6524ef4bb1f62e74e - Sigstore transparency entry: 1710128157
- Sigstore integration time:
-
Permalink:
Tarshann/strix-platform@2a38aaef4a38f5af6e86c960d4a573bd7f7afe1f -
Branch / Tag:
refs/tags/strix-cli-v0.2.0 - Owner: https://github.com/Tarshann
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-strix-cli.yml@2a38aaef4a38f5af6e86c960d4a573bd7f7afe1f -
Trigger Event:
push
-
Statement type: