CLI reference

The cgf binary is the canonical entry point. Every command is also available as a TypeScript API under @/lib/cgf — the CLI is a thin shell.

Synopsis

cgf <command> [args] [flags]

Run cgf --help for the full surface; this page is the normative list.

Commands

cgf ingest [root]                          Build graph from a project
cgf check  [root] [--format md|sarif]      Run claim packs
cgf narrative [root] [--format md|html]    Render human dossier
cgf bundle [root] --out <file>             Build a .cgfevidence
           [--sign --tsa <url>]
cgf sign   <file>                          Add a signature to an existing bundle
cgf verify <file>                          Cryptographic verify
cgf verify-policy <file> [--preset <id>]   Cryptographic + policy verify
cgf inspect <file>                         Read-only inspection
cgf bundle-diff <baseline> <head>          Structured diff
cgf doctor [root] [--bundle <file>]        End-to-end health check
cgf trust  add-key | list-keys | remove-key
           add-tsa | list-tsas | remove-tsa
           export | import [--mode merge|replace]

Common flags

| Flag | Meaning |
|---|---|
| --out <file> | Output path for bundle / narrative. |
| --format md\|sarif | Output format for check. |
| --format md\|html | Output format for narrative. |
| --sign | Sign the bundle with the active key. |
| --tsa <url> | Add an RFC 3161 timestamp from this TSA. |
| --preset <id> | Apply a named policy preset on verify. |

End-to-end

# 1. Discover the project
cgf ingest                              # → .cgf/graph.json

# 2. Run claim packs
cgf check                               # → .cgf/check.{txt,md}
cgf check --format sarif > check.sarif  # CI-friendly output

# 3. Render a human dossier
cgf narrative --format md  > dossier.md
cgf narrative --format html > dossier.html

# 4. Seal as a signed bundle, timestamped
cgf bundle --out dossier.cgfevidence \
           --sign --tsa https://freetsa.org/tsr

# 5. Verify on another machine
cgf verify dossier.cgfevidence

# 6. Verify under a strict policy
cgf verify-policy dossier.cgfevidence --preset eu-ai-act-high-risk

# 7. Compare two releases
cgf bundle-diff baseline.cgfevidence head.cgfevidence

# 8. One-command sanity check
cgf doctor --bundle dossier.cgfevidence

Exit codes

| Code | Meaning |
|---:|---|
| 0 | Success / pass |
| 1 | Operational error (bad path, malformed file, IO) |
| 2 | Cryptographic failure (bad signature, broken hash, invalid TSA) |
| 3 | Policy violation (signatures fine, policy not satisfied) |
| 4 | Claim-pack failure (check / verify-policy with claims) |

CI pipelines typically fail on 1, 2, 3 and 4 and surface the SARIF or check.md output as a build artifact.
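A CI gate built on these exit codes, as an added example that is not part of the cgf project: it keeps the SARIF artifact even when a step fails and reports which failure category occurred. The function names (cgf_classify, cgf_step, cgf_gate) and the default artifact path are assumptions; the commands, flags and exit codes are the ones listed on this page.

```shell
#!/bin/sh
# Added example: CI gate over the cgf exit codes documented above.
# Assumptions: cgf is on PATH; function names and paths are hypothetical.

# Map a cgf exit code to its category from the exit-code table.
cgf_classify() {
  case "$1" in
    0) echo pass ;;
    1) echo operational-error ;;
    2) echo crypto-failure ;;
    3) echo policy-violation ;;
    4) echo claim-failure ;;
    *) echo unknown ;;   # not in the table (e.g. 127): still a failure
  esac
}

# Run one cgf step and print its exit code instead of propagating it, so a
# `set -e` pipeline does not abort before the artifact is written.
# Usage: cgf_step <stdout-file|-> <cgf args...>
cgf_step() {
  out=$1; shift
  rc=0
  if [ "$out" = "-" ]; then
    cgf "$@" >&2 || rc=$?
  else
    cgf "$@" > "$out" || rc=$?
  fi
  echo "$rc"
}

# Gate: run claim packs (SARIF kept as artifact), then crypto + policy verify.
# Returns 0 only if both steps exit 0; otherwise the first non-zero code.
cgf_gate() {
  bundle=$1; preset=$2; sarif=${3:-check.sarif}
  worst=0
  rc=$(cgf_step "$sarif" check --format sarif)
  echo "check: $(cgf_classify "$rc")" >&2
  if [ "$rc" -ne 0 ]; then worst=$rc; fi
  rc=$(cgf_step - verify-policy "$bundle" --preset "$preset")
  echo "verify-policy: $(cgf_classify "$rc")" >&2
  if [ "$worst" -eq 0 ]; then worst=$rc; fi
  return "$worst"
}
```

In a pipeline, call `cgf_gate dossier.cgfevidence eu-ai-act-high-risk` and upload check.sarif whether or not the gate passes.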
