The sieve command.
One binary, one command surface: daemon lifecycle, agent setup, headless
decisions, user rules, and audit queries. By design there is no
--disable-critical and no --yolo — safety behavior is
enforced by the engine, not negotiated by flags.
Commands

| Command | What it does | Key options |
|---|---|---|
| `sieve start` | Start the daemon (outbound redaction + inbound interception + forwarding). | `-c/--config`, `--dry-run`, `--no-client-policy` |
| `sieve setup` | Auto-configure detected agents: base URL, PreToolUse hook, launchd service. Shows a diff and asks before changing any file. | `--agent`, `--all-detected`, `--dry-run`, `--yes` |
| `sieve doctor` | Diagnose the install: base URL, hook registration, daemon listening, launchd state, local canary detection test. | `--agent`, `--all` |
| `sieve uninstall` | Roll back everything `setup` changed. | `--agent`, `--all`, `--dry-run`, `--yes` |
| `sieve decisions` | Headless decision queue: list, watch, inspect and resolve held actions. | `list` / `watch` / `show` / `resolve` |
| `sieve rules` | Manage user rules in `~/.sieve/rules/user.toml`. | `edit` / `list` / `enable` / `disable` |
| `sieve audit` | Query the local audit log (`~/.sieve/audit.db`). | `tail` / `query` / `show` / `purge` |
| `sieve pause` | Pause non-Critical popups for 1–60 minutes. Critical enforcement is unaffected. | `--minutes` (default 5) |
| `sieve resume` | End a pause immediately. | — |
| `sieve preset` | Get or set the detection preset. | `get` / `set strict\|standard\|relaxed\|custom` |
| `sieve graylist` | List or remove graylisted fingerprints. | `list` / `remove <fingerprint>` |
| `sieve reload` | Reload user rules and configuration without restarting. | — |
| `sieve status` | Show daemon status (exit 1 if the daemon is offline). | `--format` |
| `sieve stop` / `restart` | Stop or restart the launchd-managed daemon. | `--yes` |
| `sieve version` | Print the version. | — |
| `sieve completions` | Generate shell completions. | `bash` / `zsh` / `fish` |
Some subcommands only exist in feature-gated builds (local usage accounting, audit-log encryption key management) and do not appear in a default build.
Headless decisions
Everything the GUI can decide, the CLI can too — except a deliberate floor: signing, transfers and sensitive-path actions can never be approved headlessly and require the GUI.
```
sieve decisions list
sieve decisions watch
sieve decisions show <request-id>
sieve decisions resolve <request-id> --block
sieve audit query --since 1h --rule-id OUT-09
```
Config file
The daemon reads a flat TOML file (default `~/.sieve/sieve.toml`).
The one non-negotiable: `bind_addr` must be `127.0.0.1`; the daemon refuses to start on any other value.

| Key | Meaning |
|---|---|
| `bind_addr` | Listener address; enforced to `127.0.0.1`. |
| `tls_verify_upstream` | Verify upstream TLS certificates (default `true`). |
| `[[upstream]]` | One block per listener: `port` (unique per listener), `url`, optional `provider_id`, `protocol` (`auto` · `anthropic` · `openai`), `trust` (`official` · `relay`). The default install has a single listener on port 11453. |
| `[detection]` | Optional toggles such as `sequence_detection` (default off). |
| `[audit]` | `level` (`off` · `metadata` · `full`), `retention_days` (default 30), `hash_chain` (default on), `rotation`. |
| `[update]` | Signed rules-update endpoint and telemetry opt-in. |

A misconfigured `protocol` is fail-closed: an Anthropic-only listener answers a Chat Completions request with 400, never by silently forwarding.
After changing the listener port, update the agent's base URL to match.
Documented exit codes

| Context | Codes |
|---|---|
| `sieve-hook` (PreToolUse) | 0 allow · 1 deny (including timeout, parse failure, stale pending — deny is the default on any doubt). |
| `sieve setup` / `uninstall` | 0 success · 1 an agent failed and was rolled back · 2 a rollback also failed (manual cleanup steps are printed). |
| `sieve status` | 1 when the daemon is offline. |
| Daemon startup | 1 on safety-invariant violations (e.g. non-loopback `bind_addr`). |
| Argument errors | 2 (clap parse errors; also missing required scope flags, e.g. `uninstall` without `--agent`/`--all`). |