Examples
Each subdirectory under examples/ is a self-contained urfave/cli app that exercises one feature of cli-guard end-to-end. Every example writes its audit rows under $TMPDIR.
| Example | Demonstrates |
|---|---|
| audit/ | The foundation. audit.NewWriter + verb.Wrap produce one JSONL row per invocation. |
| passthrough/ | Wrap an existing binary (echo) as an audited urfave subcommand via passthrough.Command. |
| policy/ | policy.ValidateArgSlice rejecting argv with shell metacharacters. |
| scope/ | scope.Resolve mapping --commit-scope=auto to a git toplevel. |
| gittree/ | gittree.CheckClean refusing a verb on a dirty tree. |
| repocfg/ | Per-repo verb allowlist loaded from .coily/coily.yaml. |
| exitcode/ | Public exit-code taxonomy for orchestrators. |
| egress/ | Per-invocation CONNECT proxy with an allowlist (used by passthrough.WithEgress). |
Running
From the cli-guard repo root:
```sh
go run ./examples/audit hello world
go run ./examples/passthrough -- echo hello
go run ./examples/policy unsafe 'foo; rm -rf /'
go run ./examples/exitcode policy ; echo "exit: $?"
```
Reading order
If you are new to cli-guard:
- audit - the minimum useful program.
- policy - what cli-guard refuses by default.
- scope - how audit rows bind to git history.
- passthrough - the most common production usage.
- exitcode - the contract with orchestrators.
- gittree and repocfg - the repo-verb pattern.
- egress - the network-layer gate (advanced).