CLI Command Reference¶

Complete reference for all OxideShield™ CLI commands.

Global Options¶

These options apply to all commands:

Option	Description
`--verbose`	Enable verbose logging
`--no-color`	Disable colored output
`--plain`	Plain output mode (for scripting)
`--help, -h`	Show help for command
`--version, -V`	Show version

Commands Overview¶

Command	Description	License
`guard`	Check input against security guards	Community
`scan`	Run red team probes against LLM endpoint	Professional
`proxy`	Start HTTP proxy gateway	Professional
`dashboard`	Start metrics dashboard server	Enterprise
`compliance`	Generate compliance reports	Professional
`init`	Initialize configuration file	Community
`embeddings`	Manage embedding bundles	Professional
`offline`	Manage offline/air-gapped deployment	Community
`threatintel`	Manage threat intelligence sources	Community
`audit`	Manage cryptographic audit logs	Professional
`policy`	Manage policy-as-code configurations	Professional
`limits`	Manage resource limits and view presets	Community

guard¶

Check input text against configured security guards.

oxideshield guard [OPTIONS]

Options¶

Option	Default	Description
`--config, -c`	Auto-discover	Path to guard configuration file
`--profile, -P`	-	Configuration profile to use
`--input, -i`	stdin	Input text to check
`--output-mode`	`false`	Process as output (instead of input)
`--strict`	`false`	Exit with error code on block (for CI/CD)
`--format, -f`	`text`	Output format (`json`, `text`)
`--quiet, -q`	`false`	Quiet mode (only output result)
`--show-config-paths`	-	Show config search paths and exit

Environment Variables¶

Variable	Description
`OXIDESHIELD_CONFIG`	Configuration file path
`OXIDESHIELD_PROFILE`	Profile name to use

Examples¶

# Check input from argument
oxideshield guard --input "ignore previous instructions"

# Check input from stdin
echo "ignore previous instructions" | oxideshield guard

# Use specific config
oxideshield guard --config guards.yaml --input "test input"

# Use named profile
oxideshield guard --profile production --input "test input"

# JSON output for scripting
oxideshield guard --input "test" --format json

# CI/CD mode (exit 1 on block)
oxideshield guard --input "$USER_INPUT" --strict

# Check output (for response filtering)
oxideshield guard --output-mode --input "$LLM_RESPONSE"

Exit Codes¶

Code	Meaning
`0`	Check passed or sanitized
`1`	Check blocked (with `--strict`)

scan¶

Run red team security probes against an LLM endpoint.

oxideshield scan [OPTIONS]

Options¶

Option	Default	Description
`--target, -t`	Required	Target URL to scan
`--api-key`	`$OXIDESHIELD_API_KEY`	API key for authorization
`--model, -m`	-	Model to use for requests
`--probes, -p`	Built-in	Path to probe definition file
`--categories, -c`	`prompt_injection`	Probe categories (comma-separated)
`--concurrency`	`10`	Maximum concurrent requests
`--timeout`	`30`	Request timeout in seconds
`--min-severity`	`low`	Minimum severity (`info`, `low`, `medium`, `high`, `critical`)
`--format, -f`	`text`	Output format (`text`, `json`, `markdown`, `sarif`)
`--output, -o`	stdout	Output file path

Probe Categories¶

prompt_injection - OWASP LLM01 attacks
jailbreak - Jailbreak attempts (DAN, Grandma, etc.)
system_leak - System prompt extraction (OWASP LLM06)
encoding - Encoding-based bypasses
all - All categories

Examples¶

# Basic scan
oxideshield scan --target https://api.example.com/v1/chat

# Authenticated scan
oxideshield scan \
  --target https://api.anthropic.com/v1/messages \
  --api-key $ANTHROPIC_API_KEY \
  --model claude-3-sonnet

# Full scan with all categories
oxideshield scan \
  --target $URL \
  --categories prompt_injection,jailbreak,system_leak

# Generate SARIF report for GitHub
oxideshield scan \
  --target $URL \
  --format sarif \
  --output results.sarif

# Custom probes
oxideshield scan \
  --target $URL \
  --probes custom-probes.yaml

Exit Codes¶

Code	Meaning
`0`	No critical vulnerabilities
`1`	Critical vulnerabilities found
`2`	Scan failed

proxy¶

Start the OxideShield™ HTTP proxy gateway.

oxideshield proxy [OPTIONS]

Options¶

Option	Default	Description
`--config, -c`	-	Configuration file path
`--listen, -l`	`127.0.0.1:8080`	Listen address (host:port)
`--upstream, -u`	`anthropic=https://api.anthropic.com`	Upstream URL (`name=url`, can repeat)
`--default-upstream`	First upstream	Default upstream name
`--guards, -g`	`prompt_injection,jailbreak`	Guards to enable (comma-separated)
`--action, -a`	`block`	Action on guard trigger (`block`, `log`, `alert`)
`--log-level`	`info`	Log level (`debug`, `info`, `warn`, `error`)
`--metrics`	`false`	Enable metrics endpoint
`--metrics-port`	`9090`	Metrics port
`--validate`	-	Validate config and exit
`--example-config`	-	Print example config and exit

Examples¶

# Start with defaults (Anthropic upstream)
oxideshield proxy

# Custom listen address
oxideshield proxy --listen 0.0.0.0:8080

# Multiple upstreams
oxideshield proxy \
  --upstream anthropic=https://api.anthropic.com \
  --upstream openai=https://api.openai.com \
  --default-upstream anthropic

# With specific guards
oxideshield proxy \
  --guards PatternGuard,PIIGuard,ToxicityGuard \
  --action block

# From config file
oxideshield proxy --config proxy.yaml

# Validate configuration
oxideshield proxy --config proxy.yaml --validate

# Print example config
oxideshield proxy --example-config > proxy.yaml

Endpoints¶

Endpoint	Description
`/*`	Proxy to upstream
`/_oxideshield/health`	Health check
`/_oxideshield/metrics`	Prometheus metrics

dashboard¶

Start the OxideShield™ metrics dashboard server.

oxideshield dashboard [OPTIONS]

Options¶

Option	Default	Description
`--listen, -l`	`127.0.0.1:9090`	Bind address
`--no-cors`	`false`	Disable CORS headers
`--no-compression`	`false`	Disable response compression
`--example-config`	-	Print example configuration
`--api-docs`	-	Print API documentation

Examples¶

# Start dashboard
oxideshield dashboard

# Custom port
oxideshield dashboard --listen 0.0.0.0:8080

# Show API documentation
oxideshield dashboard --api-docs

API Endpoints¶

Endpoint	Method	Description
`/api/v1`	GET	API info and endpoints
`/api/v1/overview`	GET	System overview
`/api/v1/metrics`	GET	Detailed metrics
`/api/v1/metrics/guards`	GET	Per-guard metrics
`/api/v1/metrics/types`	GET	Per-type metrics
`/api/v1/alerts`	GET	Current alerts
`/api/v1/metrics/reset`	POST	Reset metrics
`/health`	GET	Health check
`/metrics`	GET	Prometheus metrics

compliance¶

Generate compliance reports mapping guards to regulatory frameworks.

oxideshield compliance [OPTIONS]

Options¶

Option	Default	Description
`--system, -s`	`AI System`	Name of system being assessed
`--framework, -f`	All	Framework(s) to include (`nist-ai-rmf`, `eu-ai-act`, `all`)
`--guards, -g`	-	Guards to include (comma-separated)
`--format`	`markdown`	Output format (`markdown`, `json`, `html`)
`--output, -o`	stdout	Output file
`--note`	-	Add note to report (can repeat)

Frameworks¶

Framework	Description
`nist-ai-rmf`	NIST AI Risk Management Framework
`eu-ai-act`	EU AI Act
`all`	All frameworks

Examples¶

# Generate full compliance report
oxideshield compliance --output report.md

# Specific framework
oxideshield compliance --framework nist-ai-rmf --output nist-report.md

# JSON format with specific guards
oxideshield compliance \
  --framework eu-ai-act \
  --guards PatternGuard,PIIGuard \
  --format json \
  --output compliance.json

# Add notes
oxideshield compliance \
  --note "Q1 2024 assessment" \
  --note "Reviewed by security team"

init¶

Initialize a new OxideShield™ configuration file.

oxideshield init [OPTIONS]

Options¶

Option	Default	Description
`--output, -o`	`oxideshield.yaml`	Output path
`--profile, -P`	-	Create named profile
`--force`	`false`	Overwrite existing file
`--minimal`	`false`	Generate minimal config
`--global`	`false`	Init in user config dir (`~/.config/oxideshield`)
`--show-paths`	-	Show config search paths

Examples¶

# Create default config
oxideshield init

# Create minimal config
oxideshield init --minimal

# Create named profile
oxideshield init --profile production

# Global config
oxideshield init --global

# Show config search paths
oxideshield init --show-paths

embeddings¶

Pre-compute attack embeddings for SemanticSimilarityGuard.

oxideshield embeddings [OPTIONS]

Options¶

Option	Default	Description
`--output, -o`	`attack_embeddings.bincode`	Output file (bincode)
`--json`	`false`	Also output JSON format
`--json-output`	`attack_embeddings.json`	JSON output file
`--model`	`sentence-transformers/all-MiniLM-L6-v2`	Model ID
`--test-mode`	`false`	Use deterministic test embeddings

Examples¶

# Generate embeddings
oxideshield embeddings

# With JSON output
oxideshield embeddings --json

# Test mode (no model download)
oxideshield embeddings --test-mode

offline¶

Manage air-gapped/offline deployment.

oxideshield offline <SUBCOMMAND>

Subcommands¶

`validate`¶

Validate offline configuration.

oxideshield offline validate [OPTIONS]

Option	Description
`--config, -c`	Configuration file
`--verbose, -v`	Detailed output

`package`¶

Create offline deployment package.

oxideshield offline package [OPTIONS]

Option	Default	Description
`--output, -o`	`./oxideshield-offline`	Output directory
`--max-age-days`	`30`	Maximum cache age
`--strict`	`false`	Fail on missing paths

`init`¶

Initialize offline directories.

oxideshield offline init [OPTIONS]

Option	Description
`--dir, -d`	Directory to initialize
`--config, -c`	Configuration file

`status`¶

Show offline configuration status.

oxideshield offline status [OPTIONS]

Option	Description
`--config, -c`	Configuration file

`example-config`¶

Print example offline configuration.

oxideshield offline example-config

`env-vars`¶

Print environment variables for offline mode.

oxideshield offline env-vars

Examples¶

# Check offline status
oxideshield offline status

# Validate configuration
oxideshield offline validate --verbose

# Create offline package
oxideshield offline package --output /tmp/offline-pkg

# Initialize directories
oxideshield offline init --dir /opt/oxideshield

# Show environment variables
oxideshield offline env-vars

Environment Variables¶

Variable	Description
`OXIDESHIELD_OFFLINE`	Enable offline mode (`true`/`false`)
`OXIDESHIELD_OFFLINE_STRICT`	Strict mode (`true`/`false`)
`OXIDESHIELD_MODEL_PATH`	Path to ML models
`OXIDESHIELD_PROBE_PATH`	Path to probe definitions
`OXIDESHIELD_THREATINTEL_PATH`	Path to threat intelligence

threatintel¶

Manage threat intelligence sources and updates.

License: Community

oxideshield threatintel <SUBCOMMAND>

Subcommands¶

`status`¶

Show threat intelligence cache status and staleness.

oxideshield threatintel status

`check`¶

Check for available updates without downloading.

oxideshield threatintel check [OPTIONS]

Option	Description
`--verbose, -v`	Show details for each source

`update`¶

Update threat intelligence from remote sources.

oxideshield threatintel update [OPTIONS]

Option	Description
`--source, -s`	Specific source to update (default: all)
`--force, -f`	Force update even if cache is fresh

`list`¶

List all available threat intelligence sources.

oxideshield threatintel list [OPTIONS]

Option	Description
`--counts, -c`	Show record counts per source

Available Sources¶

Source	Records	Description
JailbreakBench	~100	Jailbreak attack behaviors
HarmBench	~400	LLM safety evaluation behaviors
Garak	600+	NVIDIA LLM vulnerability probes
AdvBench	~500	GCG adversarial attack foundation
StrongREJECT	~313	Forbidden question categories
LakeraPINT	~4,314	Prompt injection benchmark (multilingual)

Examples¶

# Check cache status
oxideshield threatintel status

# Check for updates
oxideshield threatintel check --verbose

# Update all sources
oxideshield threatintel update

# Update specific source
oxideshield threatintel update --source AdvBench --force

# List sources with counts
oxideshield threatintel list --counts

Environment Variables¶

Variable	Default	Description
`OXIDESHIELD_SKIP_UPDATE_CHECK`	`false`	Skip staleness warnings
`OXIDESHIELD_THREATINTEL_MAX_AGE`	`7`	Days before warning
`OXIDESHIELD_THREATINTEL_CRITICAL_AGE`	`30`	Days before critical warning

audit¶

Manage cryptographic audit logs and generate attestation reports.

License: Professional

oxideshield audit <SUBCOMMAND>

Subcommands¶

`status`¶

Show audit storage status and configuration.

oxideshield audit status [OPTIONS]

Option	Description
`--storage-path`	Path to audit storage (default: auto-detect)

Output includes: - Storage location and size - Total entry count - Date range of entries - Storage health status

`list`¶

List audit entries with optional filtering.

oxideshield audit list [OPTIONS]

Option	Default	Description
`--storage-path`	Auto	Path to audit storage
`--guard, -g`	All	Filter by guard name
`--result, -r`	All	Filter by result (`passed`, `blocked`, `sanitized`, `error`)
`--session`	All	Filter by session ID
`--since`	All	Time filter (e.g., `24h`, `7d`, `2026-01-01`)
`--until`	Now	End time filter
`--limit, -n`	100	Maximum entries to show
`--offset`	0	Skip first N entries
`--format, -f`	`table`	Output format (`table`, `json`, `csv`)

`report`¶

Generate a signed attestation report.

oxideshield audit report [OPTIONS]

Option	Default	Description
`--storage-path`	Auto	Path to audit storage
`--format, -f`	`json`	Output format (`json`, `html`)
`--output, -o`	stdout	Output file path
`--guard, -g`	All	Filter by guard name
`--since`	All	Start time for entries
`--until`	Now	End time for entries
`--session`	All	Filter by session ID
`--title`	-	Report title
`--description`	-	Report description

`verify`¶

Verify signatures on audit entries or reports.

oxideshield audit verify [OPTIONS]

Option	Description
`--input, -i`	Path to report or entry file
`--public-key`	Path to public key PEM (optional)
`--deep`	Verify all individual entries (not just report signature)
`--quiet, -q`	Only output pass/fail

Exit codes: - 0 - Verification passed - 1 - Verification failed - 2 - File not found or parse error

`export`¶

Export audit entries to various formats.

oxideshield audit export [OPTIONS]

Option	Default	Description
`--storage-path`	Auto	Path to audit storage
`--format, -f`	`json`	Export format (`json`, `csv`, `jsonl`)
`--output, -o`	stdout	Output file path
`--guard, -g`	All	Filter by guard name
`--since`	All	Start time filter
`--until`	Now	End time filter
`--include-signatures`	`true`	Include cryptographic signatures

Examples¶

# Check audit storage status
oxideshield audit status

# List last 10 blocked entries
oxideshield audit list --result blocked --limit 10

# List entries for PatternGuard from last 24 hours
oxideshield audit list --guard PatternGuard --since 24h

# Generate HTML compliance report
oxideshield audit report \
  --format html \
  --since 7d \
  --title "Weekly Security Audit" \
  --output weekly-report.html

# Generate JSON report for specific session
oxideshield audit report \
  --format json \
  --session user-session-123 \
  --output session-audit.json

# Verify a report
oxideshield audit verify --input weekly-report.json

# Deep verification (all entries)
oxideshield audit verify --input report.json --deep

# Export entries for external analysis
oxideshield audit export \
  --format csv \
  --since 30d \
  --output monthly-entries.csv

Environment Variables¶

Variable	Description
`OXIDESHIELD_AUDIT_STORAGE`	Default audit storage path
`OXIDESHIELD_AUDIT_KEY`	Path to signing key

policy¶

Manage policy-as-code security configurations.

License: Professional

oxideshield policy <SUBCOMMAND>

Subcommands¶

`validate`¶

Validate a policy YAML file.

oxideshield policy validate [OPTIONS]

Option	Description
`--file, -f`	Path to policy YAML file
`--json`	Output validation result as JSON

`diff`¶

Show differences between two policy versions.

oxideshield policy diff [OPTIONS]

Option	Description
`--from, -f`	Path to older policy version
`--to, -t`	Path to newer policy version
`--json`	Output diff as JSON

`simulate`¶

Run simulation tests against a policy.

oxideshield policy simulate [OPTIONS]

Option	Default	Description
`--policy, -p`	Required	Path to policy YAML file
`--tests, -t`	Required	Path to test suite YAML file
`--tag`	All	Filter tests by tag (can repeat)
`--json`	`false`	Output results as JSON
`--output, -o`	stdout	Output file path

`export`¶

Export policy in different formats.

oxideshield policy export [OPTIONS]

Option	Default	Description
`--file, -f`	Required	Path to policy YAML file
`--format`	`yaml`	Output format (`yaml`, `json`, `json-pretty`)
`--output, -o`	stdout	Output file path

`guards`¶

List available guards and their configuration options.

oxideshield policy guards [OPTIONS]

Option	Description
`--verbose`	Show detailed configuration options
`--json`	Output as JSON

`check`¶

Check a single input against a policy.

oxideshield policy check [OPTIONS]

Option	Description
`--policy, -p`	Path to policy YAML file
`--input, -i`	Input text to check
`--json`	Output result as JSON

Examples¶

# Validate a policy file
oxideshield policy validate --file policy.yaml

# Compare two policy versions
oxideshield policy diff --from v1.yaml --to v2.yaml

# Run simulation tests
oxideshield policy simulate \
  --policy policy.yaml \
  --tests tests.yaml

# Run tests with specific tags
oxideshield policy simulate \
  --policy policy.yaml \
  --tests tests.yaml \
  --tag injection --tag pii

# Export policy as JSON
oxideshield policy export --file policy.yaml --format json

# List available guards
oxideshield policy guards --verbose

# Check single input
oxideshield policy check --policy policy.yaml --input "Hello world"

Exit Codes¶

Code	Meaning
`0`	Success / validation passed / input allowed
`1`	Validation failed / input blocked / tests failed

limits¶

Manage resource limits and view available presets.

License: Community

oxideshield limits <SUBCOMMAND>

Subcommands¶

`status`¶

Show current memory usage and platform information.

oxideshield limits status

Output includes: - RSS Memory (physical memory) - Virtual Memory - Peak Memory (if available) - Platform (OS and architecture)

`presets`¶

List available resource limit presets.

oxideshield limits presets [OPTIONS]

Option	Description
`--verbose, -v`	Show detailed configuration for each preset

Available Presets:

Preset	Memory	Timeout	Rate	Use Case
`molt_bot`	512 MB	100ms	1000/s	Chat bot deployments
`strict`	256 MB	50ms	500/s	High-security environments
`permissive`	2 GB	5000ms	10000/s	Development/testing

`example-config`¶

Print example YAML configuration for a preset.

oxideshield limits example-config [OPTIONS]

Option	Default	Description
`--preset, -p`	`molt_bot`	Preset to use (`molt_bot`, `strict`, `permissive`)

Examples¶

# Show current memory status
oxideshield limits status

# List presets with summary
oxideshield limits presets

# Show detailed preset configurations
oxideshield limits presets --verbose

# Generate example config for strict preset
oxideshield limits example-config --preset strict

# Generate config and save to file
oxideshield limits example-config --preset molt_bot > limits.yaml

Shell Completions¶

Generate shell completions:

# Bash
oxideshield completions bash > ~/.local/share/bash-completion/completions/oxideshield

# Zsh
oxideshield completions zsh > ~/.zfunc/_oxideshield

# Fish
oxideshield completions fish > ~/.config/fish/completions/oxideshield.fish

CLI Command Reference¶

Global Options¶

Commands Overview¶

guard¶

Options¶

Environment Variables¶

Examples¶

Exit Codes¶

scan¶

Options¶

Probe Categories¶

Examples¶

Exit Codes¶

proxy¶

Options¶

Examples¶

Endpoints¶

dashboard¶

Options¶

Examples¶

API Endpoints¶

compliance¶

Options¶

Frameworks¶

Examples¶

init¶

Options¶

Examples¶

embeddings¶

Options¶

Examples¶

offline¶

Subcommands¶

validate¶

package¶

init¶

status¶

example-config¶

env-vars¶

Examples¶

Environment Variables¶

threatintel¶

Subcommands¶

status¶

check¶

update¶

list¶

Available Sources¶

Examples¶

Environment Variables¶

audit¶

Subcommands¶

status¶

list¶

report¶

verify¶

export¶

Examples¶

Environment Variables¶

policy¶

Subcommands¶

validate¶

diff¶

simulate¶

export¶

guards¶

check¶

Examples¶

Exit Codes¶

See Also¶

limits¶

Subcommands¶

status¶

presets¶

example-config¶

Examples¶

See Also¶

Shell Completions¶

`validate`¶

`package`¶

`init`¶

`status`¶

`example-config`¶

`env-vars`¶

`status`¶

`check`¶

`update`¶

`list`¶

`status`¶

`list`¶

`report`¶

`verify`¶

`export`¶

`validate`¶

`diff`¶

`simulate`¶

`export`¶

`guards`¶

`check`¶

`status`¶

`presets`¶

`example-config`¶