What this is for
The complete command reference forgw-cli. The subcommands cover the full endpoint workflow: inventory the machine (discover), record a governance baseline (approve), look at the results (serve, report), score something already on disk (scan), vet something before installing it (vet), keep the inventory fresh (schedule), report to a central console (enroll), capture live traffic (mitm, macOS), and try the whole pipeline on a seeded demo (demo).
For the concepts behind the scores, see Inventory & Risk Scoring. For the dashboard, see Local Dashboard.
Global options
Directory for the encrypted spool + key. Applies to every subcommand. Defaults to
~/.guardway (%USERPROFILE%\.guardway on Windows).Only one
gw-cli process can hold the store at a time. Don’t run discover while serve is running — use the dashboard’s Rescan button instead.discover
Inventory the AI tools, agent projects, skills, MCP servers, and extensions on the machine, then risk-score each artifact and store the result.--deep
Deep, machine-wide scan: walk every folder/project (not just known tool directories) for
SKILL.md skills and MCP configs, then score each skill. Without it, discovery only visits known tool locations.Root directory for the deep walk. Defaults to the user’s home directory.
--report
After scanning, push the findings to the Guardway console. Requires an enrolled endpoint (a saved API key + console URL); a no-op if unconfigured or air-gapped.
Each
discover run also compares every artifact against its last-stored baseline and flags post-approval drift — a new external host, a dropped version pin, or a risk escalation. See Post-approval drift.discover also checks isolation posture (agent settings.json files with permission prompts bypassed, wildcard shell allowlists, or dangerous auto-run hooks) and, once a baseline exists, flags anything outside it as governance — see OWASP AST coverage.
approve
Record the machine’s current inventory as the approved governance baseline — every skill, command, subagent, and MCP config from the lastdiscover, snapshotted by path + content hash into <data-dir>/approved.json. From then on, discover flags anything that appears or changes outside that baseline with a GOV-UNAPPROVED finding — even if its content scans clean, because nobody approved it. This is the control behind OWASP AST09 (Governance).
--clear
Remove the baseline instead of writing it — turns governance findings off.
Governance is opt-in and local — no baseline file, no
GOV-UNAPPROVED findings, nothing sent anywhere. Run approve only after you have reviewed the inventory; approving artifacts you have not looked at defeats the purpose. Review a flagged item, then re-run approve to fold it in. See Governance.serve
Run the local dashboard (and, on macOS, the runtime tap + redaction). Watches your project folders and rescans within seconds of any change, pruning anything you delete.Base port. The tap listens on
<PORT>; the dashboard is served on <PORT> + 1 — so the default dashboard URL is http://localhost:8789.--no-open
Do not auto-open the dashboard in a browser.
scan
Score a single skill file or directory that is already on disk, and print its risk.A skill file or a directory to scan.
--air-gap
Force air-gap mode: the built-in engine only, zero network (no SkillSpector / OSV egress).
vet
Vet a skill/repo from a git URL before installing it. Shallow-clones it into an isolated temp dir, scans every skill/script/MCP artifact, prints a verdict, then deletes the clone. Nothing is ever executed. The exit code is non-zero at or above--fail-on, so it can gate an install in a script or CI. Aliased as gw-cli check.
A git/GitHub URL or
owner/repo. Accepts owner/repo, github.com/owner/repo, .../releases/latest, .../tree/<branch>, SSH, and generic .git URLs.--ref <REF>
Clone a specific branch or tag instead of the default branch.
--air-gap
Scan with the built-in engine only. The clone still uses the network; the scan stays offline (no SkillSpector / OSV egress).
--keep
Keep the cloned repo instead of deleting it (prints where it landed).
--json
Emit a single machine-readable JSON verdict on stdout (for CI gating) instead of the human report.
--summary
Condense output to a digest: the verdict plus finding tallies by category, no per-line dump. Combine with
--json for a compact JSON. A thorough engine can emit hundreds of findings — this makes them glanceable (e.g. Memory Poisoning ×114).Exit non-zero at or above this risk level. One of
low, medium, high, critical.vet also reports provenance for the cloned source (OWASP supply-chain): the HEAD commit, whether that commit is cryptographically signed, and whether the vetted ref is pinned (an immutable commit SHA or tag) or mutable (a branch or the default branch — a later install may fetch different code). It appears in the human report and, with --json, as a provenance object. Provenance is informational — it never changes the verdict or the exit code.
vet needs git on your PATH and network access to fetch. The scan itself can stay offline with --air-gap.report
Print a plain-text summary of the encrypted store — the current inventory and per-artifact risk — to the terminal, or push the stored snapshot to the console.--push
Push the current stored snapshot to the Guardway console instead of printing a summary. Requires an enrolled endpoint; also flushes any queued reports from the offline outbox.
enroll
Enroll this endpoint with the Guardway console sodiscover --report / report --push can send findings. Saves the API key + console URL to <data-dir>/config.toml (mode 0600, never logged).
--key <API_KEY>
The endpoint API key from the console (e.g.
sk-ep-…). Stored 0600; never logged.--url <CONSOLE_URL>
The Guardway console base URL. Defaults to keeping the existing one.
--verify
After saving, immediately push a test report to confirm the key and connectivity.
--remove
Remove the saved reporting config instead of writing it (stops reporting).
Reporting is opt-in and fail-safe: nothing is sent unless a key + URL are configured, secrets are redacted at source,
--air-gap disables it, and a failed push is queued to a local outbox and retried — it never breaks a scan. You can also configure it via the GUARDWAY_CONSOLE_URL and GUARDWAY_API_KEY environment variables instead of enroll.schedule
Auto-refresh: install (or remove) a scheduleddiscover --deep that runs periodically in the background — launchd on macOS, a systemd --user timer on Linux, Task Scheduler on Windows. Each run scans once and exits, so nothing stays resident; the dashboard shows the latest scan whenever you open it.
How often to refresh:
hourly, daily, or weekly.Time of day (24-hour, local) for
daily / weekly runs.--remove
Remove the scheduled refresh instead of installing it.
mitm
Capture all apps’ LLM traffic (including Claude Desktop) via a userspace TLS-inspection proxy. Auto-configures a local CA + the system HTTPS proxy and reverts both on exit. Only LLM hosts are intercepted; everything else passes through untouched. Prompts are shown redacted.Proxy port. The capture dashboard is served on
<PORT> + 1 (default http://localhost:8081).--no-open
Do not auto-open the dashboard.
--uninstall
Remove the Guardway CA trust + system proxy and exit (cleanup).
demo
Seed a deliberately-risky demo skill, scan it, and store it — see the full pipeline end-to-end with no setup.Related
- Overview — what the Guardway CLI is and how to install it.
- Inventory & Risk Scoring — risk levels, engines, verdicts.
- Local Dashboard — the
servedashboard.