TRIGGUARD CLI

Install, authorize, verify

The fastest way to experience TrigGuard. Install @trigguard/cli v0.1.3, authenticate via device flow, authorize an execution, and verify the Ed25519-signed receipt - production verified.

Install from npm Become a Design Partner

Under 2 minutes from install to verified receipt.

1

Install

npm install -g @trigguard/cli

Global install. Requires Node.js 18+.

2

Login

tg login

Opens browser device auth at console.trigguardai.com. No manual API key paste.

3

Authorize

tg authorize \
  --surface deploy.release \
  --actor demo \
  --intent "test deployment"

Returns a binding decision and signed receipt:

{
  "decision": "DENY",
  "executionId": "exec_xxxxx",
  "receipt": "signed"
}

4

Verify

tg verify --execution-id exec_xxxxx

Independent Ed25519 verification:

{
  "verificationResult": "passed"
}

Security model

Device auth - browser-based login, no long-lived secrets in shell history
Fail-closed - no receipt, no execution path by default
Ed25519 signatures - receipts verify offline without trusting a dashboard
Deterministic decisions - PERMIT / DENY / SILENCE on every surface

Full security model →

Receipts

Every authorization produces a cryptographically signed receipt binding the decision, surface, actor, and policy context. Verify with tg verify or inspect in the receipt explorer.

Receipt schema → · Verification guide →

NEXT STEPS

SDK integration API reference Decision model Design partner program