-
-
Notifications
You must be signed in to change notification settings - Fork 2
Getting Started
git clone https://github.com/gigioneggiando/argo.git
cd argo
pip install -r requirements.txt
# optional, for the `argo` entry point instead of `python -m argo.cli`:
pip install -e .Everywhere in these docs, argo ≡ python -m argo.cli — both work on any OS.
Before spending a cent, exercise the whole pipeline for free:
# 1. Full glue test, deterministic fixtures, zero tokens:
python -m argo.cli pipeline --runner mock --brief tests/fixtures/brief.txt --repo tests/fixtures/repo
# 2. Real ingest + recon, then STOP before any audit — inspect the generated prompts:
python -m argo.cli pipeline --dry-run --brief brief.md --repo https://github.com/acme/cms--dry-run is the prompt-quality feedback loop: you eyeball the custom prompts Argo generated
for your target before paying to actually run them.
Auditing your own code (the common case) — no brief needed, just point at a folder:
python -m argo.cli pipeline --repo ./your-codeThe repo is mounted read-only and never pushed anywhere; a local/OSS model keeps the source fully on-device, a cloud backend (Claude/Codex) sends it to that provider's API to analyze it. See Two Modes for the full comparison with bug-bounty mode.
A cheap, real, end-to-end sanity check (~$1, one focus, tight caps):
python -m argo.cli pipeline --smokeRun --smoke after changing anything in the runner, flags, or envelope parsing — it is the fastest
way to prove the real CLI seam still works.
Three separate things land in three different places:
-
Program description → a text file passed with
--brief(paste the whole program page: scope, rules, rewards, exclusions, "no DoS"). -
Useful links (site, docs, security page, advisory history) → a text file, one per line,
passed with
--links. These are NOT the code. -
Code repository → not a link — the codebase to analyze, passed with
--repo.
argo ingest --brief brief.md --links links.txt --repo https://github.com/acme/acme-cms
argo recon --run RUN_ID
argo run --run RUN_ID
argo validate --run RUN_ID
argo report --run RUN_ID
# or, all five stages at once (stops before any submission):
argo pipeline --brief brief.md --links links.txt --repo https://github.com/acme/acme-cmsFull flag reference: CLI Reference.
argo pipeline ... # default: Claude Code (headless)
argo pipeline ... --runner codex # Codex CLI / OpenAI
argo pipeline ... --runner codex --codex-oss --codex-local-provider ollama --codex-model qwen2.5-coder:32b
argo pipeline ... --runner mock # free fixturesSee Multi-Backend for the full backend/account/fallback story.
If you'd rather not use the CLI at all:
python -m argo.cli serve --open # starts the API + UI, opens http://127.0.0.1:8000Or just double-click start.cmd (Windows) / run ./start.sh. See Web UI.
argo pipeline ... --runner mock # exercises the whole glue with fixtures, zero tokens
argo pipeline ... --dry-run # runs ingest+recon, shows generated prompts, then STOPS
argo pipeline ... --no-research # skip the Stage-0 web OSINT (fully offline)- Architecture — what actually happens, stage by stage.
- Guardrails & Safety — the constraints enforced in code, so you know exactly what Argo will and will not do to the repo or the target.