-
-
Notifications
You must be signed in to change notification settings - Fork 2
CLI Reference
Luigi Colluto edited this page Jul 15, 2026
·
2 revisions
argo ≡ python -m argo.cli, on any OS.
| Command | Stage(s) | Purpose |
|---|---|---|
ingest |
1 | brief + repo → scope.json (+ read-only repo copy) |
recon |
2 |
scope.json + repo → repo_profile.json + custom prompts |
run |
3 | per-focus findings JSON |
sca |
SCA | dependency manifests → known-vuln pins (opt-out; no-op without manifests) |
validate |
4 | dedup + adversarial validation → validated_findings.json
|
corroborate |
— | opt-out, networked: cross-check vs. docs + VCS history |
runtime |
— | opt-in sandboxed runtime verification → runtime_results.json
|
live |
— | |
report |
5 |
REPORT.md + DRAFT submissions |
pipeline |
1–5 | the whole chain; stops before any submission |
fix |
6 (opt-in) | propose + verify a patch per confirmed finding |
bench |
7 | score a labeled suite — precision/recall/F1 by archetype + CWE |
serve |
— | run the HTTP API + web UI |
There is intentionally no submit command — submission is a manual human action.
argo ingest --repo PATH_OR_URL [--brief BRIEF.txt] [--links LINKS.txt] [--run RUN_ID]
argo recon --run RUN_ID
argo run --run RUN_ID
argo sca --run RUN_ID
argo validate --run RUN_ID
argo report --run RUN_ID
argo pipeline --repo PATH_OR_URL [--brief BRIEF.txt] [--links LINKS.txt] [--commit SHA] [--dry-run] [--smoke]
argo fix --run RUN_ID [--no-verify] [--re-audit] [--docker IMAGE] [--build-cmd "CMD"] [--only ID,ID]
argo bench --suite DIR [--fixes] [--re-audit] [--parallel-cases N] [--ab-audit-model MODEL]
argo feedback [--program P --dedup K --accepted/--rejected [--run R] [--note ...]] | [--import FILE]
argo quality [--program P] [--runs-dir DIR]-
--brief— optional: omit to audit a local/personal codebase as a source-only review. -
--repo— a local folder path (need not be a git repo; never pushed anywhere) or a git URL. -
--commit— pin--repoat a specific git revision (reproducible / known-CVE checkout): a URL is fetched at that SHA, a local git path is checked out at it. Omit for the default head. -
--links— a curated reference-links file, one URL per line, additive to what the model extracts from the brief. -
--run— reuse an existing run id (auto-generated if omitted).
| Flag | Default | Meaning |
|---|---|---|
--runner {headless|codex|mock} |
headless |
see Multi-Backend |
--codex-model MODEL |
— | (runner=codex) omit to use the Codex CLI's own default |
--codex-oss |
off | use the open-source provider |
--codex-local-provider {ollama|lmstudio} |
— | which local provider |
--audit-model MODEL |
— | override only the Stage-3 audit model |
--calibration |
off | force audit → Opus |
--budget USD |
none | HARD per-run ceiling |
--parallel N |
3 | max concurrent audit/validate sessions |
--runs-dir DIR |
runs |
root dir for run artifacts |
--timeout SECONDS |
1800 | per-session wall-clock cap |
--session-budget USD |
none | per-session cost cap |
| Flag | Meaning |
|---|---|
--research / --no-research |
Stage-0 web OSINT before recon. On by default. See Threat-Informed Audit |
--sca / --no-sca |
software-composition analysis between audit and validate. On by default. |
--corroborate / --no-corroborate |
docs + VCS cross-check after validate. On by default. See Docs & History Corroboration |
--docs-url URL |
pin a docs URL for corroboration (repeatable) |
--accepted-risks FILE |
the vendor's intended/accepted-by-design behaviors — see Design-Aware Impact Discipline |
--runtime (+ --runtime-image/--runtime-run-cmd) |
opt-in sandboxed runtime verification. See Runtime Verification |
--critic-passes N |
completeness-critic re-passes per audit focus. Default 1; 0 disables. |
--dry-run |
ingest + recon, then STOP before any audit |
--smoke |
de-risked real end-to-end check: cheapest models, one focus, low budget/timeout/caps |
| Flag | Meaning |
|---|---|
--no-verify |
skip the build/compile + no-new-errors check |
--docker IMAGE |
run the verify build inside this Docker image |
--build-cmd "CMD" |
explicit build/compile command |
--only ID,ID |
only fix these confirmed finding ids |
| Flag | Meaning |
|---|---|
--suite DIR |
suite directory (<case>/case.json + expected_findings.json) |
--fixes |
also generate + verify patches per case |
--ab-audit-model MODEL |
run the suite a second time with this audit model; report the delta |
# Zero-token full-glue test:
python -m argo.cli pipeline --runner mock --brief tests/fixtures/brief.txt --repo tests/fixtures/repo
# Inspect generated prompts before spending:
python -m argo.cli pipeline --dry-run --brief brief.md --repo https://github.com/acme/cms
# Real, cheap end-to-end check (~$1, one focus):
python -m argo.cli pipeline --smoke
# Real run on a high-value target: audit on Opus, hard $20 ceiling, 2 sessions at a time:
python -m argo.cli pipeline --brief brief.md --links links.txt \
--repo https://github.com/acme/cms --calibration --budget 20 --parallel 2- Getting Started — the quickstart version of this page.
- Architecture — what each command actually does under the hood.