Reference

CLI Reference

All iris commands (v0.2.12), organized by phase. Run iris --help for the live command tree.

Discover

CommandDescription
iris scanScan governance directory for policy violations
iris scan --discoverFind ungoverned agents in Python/TypeScript source
iris scan --discover --auto-registerWrite passport drafts for ungoverned findings
iris scan --discover --governRegister and apply one-line governance fixes
iris scan --format jsonMachine-readable output for CI
iris scm scan-localScan a local repo for agent patterns
iris scm scan-repoScan a GitHub repository
iris scm scan-orgInventory agents across a GitHub org
iris scm webhook startListen for push events and re-scan
iris scm setupInteractive GitHub token/App setup

Inventory

CommandDescription
iris declareDeclare an agent — creates passport.yaml (primary)
iris registerAlias for iris declare
iris quickstartInteractive setup walkthrough
iris listList all governed agents (alias: iris agents)
iris list --filter-ungovernedShow agents missing policy.cedar
iris statusCompliance dashboard and next actions per agent
iris models listModel tiers, export-control status, fallbacks
iris models directivesActive model suspensions and kill switches
iris models reloadHot-reload registry and directives
iris users add/list/removeManage reviewers and delegation users

Define (policy)

CommandDescription
iris compile --agent <name>Plain English intent → Cedar (top-level alias)
iris policy compileSame as iris compile
iris policy compile --backend openaiChoose LLM backend (anthropic, openai, google, mistral, groq, ollama, together)
iris policy compile --litellm-model ollama/llama3.2Any LiteLLM model string
iris policy compile --dry-runPreview Cedar without writing to disk
iris policy diffCompare intent draft vs committed Cedar
iris policy status --agent <name>Check policy binding, staleness, and draft cache
iris policy commit --agent <name>Apply compiled draft to policy.cedar
iris preview --agent <name>Risk impact of pending policy changes
iris framework suggestRecommend applicable compliance frameworks

Guard (runtime)

CommandDescription
iris enforceVerify drop-in clients or @agent.guard() are wired
iris explainPlain-English explanation of how the proxy works
iris delegation status/test/logUser delegation config and audit
iris dlp scan/testScan files and test prompts for sensitive data

HITL (human-in-the-loop)

CommandDescription
iris hitl setup --agent <name>Interactive wizard to enable HITL and declare condition rules
iris hitl listList pending reviews (use --status all for history)
iris hitl list --agent <name>Filter reviews by agent
iris hitl show <review-id>Full detail for a single review
iris hitl approve <review-id>Approve — waiting agent call proceeds
iris hitl reject <review-id> --reason "..."Reject — agent call raises IrisViolationError
iris hitl escalate <review-id>Escalate to a senior reviewer
iris hitl config --agent <name>Show HITL configuration for an agent
iris hitl rules --agent <name>Show what will and will not trigger HITL
iris hitl test --agent <name>Simulate a HITL review flow

Full guide: HITL & Delegation

Audit (compliance)

CommandDescription
iris compliance check --framework <id>Run compliance check (colorado-ai-act, ccpa-admt, china-pipl, hipaa, soc2, aiuc-1, …)
iris compliance assessImpact assessment (Colorado, CCPA ADMT, PIPL PIPIA)
iris certify --framework colorado-ai-actCertification readiness score (alias: iris test)
iris certify --framework aiuc-1 --format aiuc1-exportAIUC-1 evidence JSON keyed by sub-control IDs (B006.1, B006.2, …)
iris certify --framework iso-42001ISO 42001 coverage tiers (FULL / PARTIAL / NOT APPLICABLE) from AIUC-1 crosswalk
iris regulatory check/list/watchTrack AI law changes
iris regulatory history/applyView and apply regulatory updates
iris evidence report --agent <name>Full audit report for one agent
iris evidence list --agent <name>List recent vault events
iris evidence queryFilter vault events by agent, decision, regulation, risk
iris evidence export --agent <name>Export for auditors (JSON, CSV, AIUC-1, OTel)
iris evidence statsAggregate stats across all agents
iris evidence record-cicdWrite signed cicd_run event from CI/CD (github_actions, gitlab, jenkins, terraform, argocd)
iris evidence export --format aiuc1Export via ControlMapping table (same path as AIUC-1 certify)
iris vault redactGDPR erasure — tombstone + payload scrub, mappings preserved

Monitor

CommandDescription
iris witness --agent <name>Live attested feed of policy decisions (alias: iris watch)
iris sentinelContinuous governance monitoring
iris drift snapshot/check/report/watchCompliance posture change detection
iris cost summary/report/alert/optimizeToken cost tracking per agent
iris red-team --agent <name>Adversarial policy bypass testing

Integrate

CommandDescription
iris mcp startStart Cursor MCP server (stdio)
iris entitlementsShow tier and feature availability
iris license status/activate/deactivateLicense management

SDK optional packages

InstallDrop-in client
pip install iris-security-sdk[anthropic]IrisAnthropic
pip install iris-security-sdk[openai]IrisOpenAI
pip install iris-security-sdk[google]IrisGemini
pip install iris-security-sdk[vertexai]IrisVertexAI
pip install iris-security-sdk[langchain]LangChain callbacks
pip install iris-security-sdk[crewai]CrewAI integration
pip install iris-security-scmSCM scanning commands

Environment variables

VariableDescription
IRIS_ENVdev · test · staging · production — stamped on Evidence Vault events
IRIS_AGENT_IDDefault agent for iris evidence record-cicd
IRIS_VAULT_SIGNING_KEYHMAC signing key for Evidence Vault v2 (local dev default is per-agent derived)
IRIS_USER_EMAILActing user for delegation and HITL
IRIS_USER_WORK_AUTHORIZATIONWork authorization for frontier/export-controlled models
IRIS_TELEMETRY_OPT_OUT=1Disable anonymous telemetry
GITHUB_TOKENRequired for iris scm scan-repo / scan-org
← HITL & Delegation Documentation home →