Skip to content

CLI Reference

Luigi Colluto edited this page Jul 15, 2026 · 3 revisions

CLI Reference

argopython -m argo.cli, on any OS.

Commands

Command Stage(s) Purpose
ingest 1 brief + repo → scope.json (+ read-only repo copy)
recon 2 scope.json + repo → repo_profile.json + custom prompts
run 3 per-focus findings JSON
sca SCA dependency manifests → known-vuln pins (opt-out; no-op without manifests)
validate 4 dedup + adversarial validation → validated_findings.json
corroborate opt-out, networked: cross-check vs. docs + VCS history
runtime opt-in sandboxed runtime verification → runtime_results.json
live ⚠️ opt-in, AUTHORIZED USE ONLY: bounded read-only requests to in-scope hosts
report 5 REPORT.md + DRAFT submissions
pipeline 1–5 the whole chain; stops before any submission
fix 6 (opt-in) propose + verify a patch per confirmed finding
bench 7 score a labeled suite — precision/recall/F1 by archetype + CWE
serve run the HTTP API + web UI

There is intentionally no submit command — submission is a manual human action.

Per-command inputs

argo ingest   --repo PATH_OR_URL [--brief BRIEF.txt] [--links LINKS.txt] [--run RUN_ID]
argo recon    --run RUN_ID
argo run      --run RUN_ID
argo sca      --run RUN_ID
argo validate --run RUN_ID
argo report   --run RUN_ID
argo pipeline --repo PATH_OR_URL [--brief BRIEF.txt] [--links LINKS.txt] [--commit SHA] [--dry-run] [--smoke]
argo fix      --run RUN_ID [--no-verify] [--re-audit] [--docker IMAGE] [--build-cmd "CMD"] [--only ID,ID]
argo bench    --suite DIR [--fixes] [--re-audit] [--parallel-cases N] [--ab-audit-model MODEL]
argo feedback [--program P --dedup K --accepted/--rejected [--run R] [--note ...]] | [--import FILE]
argo quality  [--program P] [--runs-dir DIR]
  • --briefoptional: omit to audit a local/personal codebase as a source-only review.
  • --repo — a local folder path (need not be a git repo; never pushed anywhere) or a git URL.
  • --commit — pin --repo at a specific git revision (reproducible / known-CVE checkout): a URL is fetched at that SHA, a local git path is checked out at it. Omit for the default head.
  • --links — a curated reference-links file, one URL per line, additive to what the model extracts from the brief.
  • --run — reuse an existing run id (auto-generated if omitted).

Shared options (all commands)

Flag Default Meaning
--runner {headless|codex|mock} headless see Multi-Backend
--codex-model MODEL (runner=codex) omit to use the Codex CLI's own default
--codex-oss off use the open-source provider
--codex-local-provider {ollama|lmstudio} which local provider
--audit-model MODEL override only the Stage-3 audit model
--calibration off force audit → Opus
--budget USD none HARD per-run ceiling
--parallel N 3 max concurrent audit/validate sessions
--runs-dir DIR runs root dir for run artifacts
--timeout SECONDS 1800 per-session wall-clock cap
--session-budget USD none per-session cost cap

pipeline-only options

Flag Meaning
--research / --no-research Stage-0 web OSINT before recon. On by default. See Threat-Informed Audit
--sca / --no-sca software-composition analysis between audit and validate. On by default.
--corroborate / --no-corroborate docs + VCS cross-check after validate. On by default. See Docs & History Corroboration
--docs-url URL pin a docs URL for corroboration (repeatable)
--accepted-risks FILE the vendor's intended/accepted-by-design behaviors — see Design-Aware Impact Discipline
--runtime (+ --runtime-image/--runtime-run-cmd) opt-in sandboxed runtime verification. See Runtime Verification
--critic-passes N completeness-critic re-passes per audit focus. Default 1; 0 disables.
--dry-run ingest + recon, then STOP before any audit
--smoke de-risked real end-to-end check: cheapest models, one focus, low budget/timeout/caps

fix-only options

Flag Meaning
--no-verify skip the build/compile + no-new-errors check
--docker IMAGE run the verify build inside this Docker image
--build-cmd "CMD" explicit build/compile command
--only ID,ID only fix these confirmed finding ids

bench-only options

Flag Meaning
--suite DIR suite directory (<case>/case.json + expected_findings.json)
--fixes also generate + verify patches per case
--ab-audit-model MODEL run the suite a second time with this audit model; report the delta

Examples

# Zero-token full-glue test:
python -m argo.cli pipeline --runner mock --brief tests/fixtures/brief.txt --repo tests/fixtures/repo

# Inspect generated prompts before spending:
python -m argo.cli pipeline --dry-run --brief brief.md --repo https://github.com/acme/cms

# Real, cheap end-to-end check (~$1, one focus):
python -m argo.cli pipeline --smoke

# Real run on a high-value target: audit on Opus, hard $20 ceiling, 2 sessions at a time:
python -m argo.cli pipeline --brief brief.md --links links.txt \
  --repo https://github.com/acme/cms --calibration --budget 20 --parallel 2

Related

Clone this wiki locally