CLI REFERENCE

The sieve command.

One binary, one command surface: daemon lifecycle, agent setup, headless decisions, user rules, and audit queries. By design there is no --disable-critical and no --yolo — safety behavior is enforced by the engine, not negotiated by flags.

Commands

| Command | What it does | Key options |
| --- | --- | --- |
| sieve start | Start the daemon (outbound redaction + inbound interception + forwarding). | -c/--config, --dry-run, --no-client-policy |
| sieve setup | Auto-configure detected agents: base URL, PreToolUse hook, launchd service. Shows a diff and asks before changing any file. | --agent, --all-detected, --dry-run, --yes |
| sieve doctor | Diagnose the install: base URL, hook registration, daemon listening, launchd state, local canary detection test. | --agent, --all |
| sieve uninstall | Roll back everything setup changed. | --agent, --all, --dry-run, --yes |
| sieve decisions | Headless decision queue: list, watch, inspect and resolve held actions. | list / watch / show / resolve |
| sieve rules | Manage user rules in ~/.sieve/rules/user.toml. | edit / list / enable / disable |
| sieve audit | Query the local audit log (~/.sieve/audit.db). | tail / query / show / purge |
| sieve pause | Pause non-Critical popups for 1–60 minutes. Critical enforcement is unaffected. | --minutes (default 5) |
| sieve resume | End a pause immediately. | |
| sieve preset | Get or set the detection preset. | get / set strict\|standard\|relaxed\|custom |
| sieve graylist | List or remove graylisted fingerprints. | list / remove <fingerprint> |
| sieve reload | Reload user rules and configuration without restarting. | |
| sieve status | Show daemon status (exit 1 if the daemon is offline). | --format |
| sieve stop / restart | Stop or restart the launchd-managed daemon. | --yes |
| sieve version | Print the version. | |
| sieve completions | Generate shell completions. | bash / zsh / fish |

Some subcommands only exist in feature-gated builds (local usage accounting, audit-log encryption key management) and do not appear in a default build.

Headless decisions

Everything the GUI can decide, the CLI can too — except a deliberate floor: signing, transfers and sensitive-path actions can never be approved headlessly and require the GUI.

sieve decisions list
sieve decisions watch
sieve decisions show <request-id>
sieve decisions resolve <request-id> --block
sieve audit query --since 1h --rule-id OUT-09

Config file

The daemon reads a flat TOML file (default ~/.sieve/sieve.toml). The one non-negotiable: bind_addr must be 127.0.0.1 — with any other value the daemon refuses to start.

| Key | Meaning |
| --- | --- |
| bind_addr | Listener address; enforced to 127.0.0.1. |
| tls_verify_upstream | Verify upstream TLS certificates (default true). |
| [[upstream]] | One block per listener: port (unique per listener), url, optional provider_id, protocol (auto · anthropic · openai), trust (official · relay). The default install has a single listener on port 11453. |
| [detection] | Optional toggles such as sequence_detection (default off). |
| [audit] | level (off · metadata · full), retention_days (default 30), hash_chain (default on), rotation. |
| [update] | Signed rules-update endpoint and telemetry opt-in. |

A misconfigured protocol is fail-closed: an Anthropic-only listener answers a Chat Completions request with 400, never by silently forwarding. After changing the listener port, update the agent's base URL to match.

Documented exit codes

| Context | Codes |
| --- | --- |
| sieve-hook (PreToolUse) | 0 allow · 1 deny (including timeout, parse failure, stale pending — deny is the default on any doubt). |
| sieve setup / uninstall | 0 success · 1 an agent failed and was rolled back · 2 a rollback also failed (manual cleanup steps are printed). |
| sieve status | 1 when the daemon is offline. |
| Daemon startup | 1 on safety-invariant violations (e.g. non-loopback bind_addr). |
| Argument errors | 2 (clap parse errors; also missing required scope flags, e.g. uninstall without --agent/--all). |