Install the CLI

Everything on this site can be done from the dashboard too. The CLI is faster, it can wire your local coding agents for you, and it is the only way to manage policy as code.

Install

Full instructions for every platform live in the CLI’s own docs: docs.cli.vulnetix.com/docs/getting-started. The short version:

Homebrew
brew install vulnetix/tap/vulnetix
Scoop
scoop bucket add vulnetix https://github.com/Vulnetix/scoop-bucket
scoop install vulnetix
Nix
nix profile install github:Vulnetix/cli
Go
go install github.com/Vulnetix/cli@latest
curl
Download the binary for your platform from the releases page — see the curl install guide.

Check it worked:

vulnetix version

Log in

vulnetix auth login

This opens a browser and stores a credential under ~/.vulnetix/. It authenticates you, the operator, so you can read and change your organisation’s firewall policy.

Note This is not the credential your applications send at inference time. That is the VULNETIX_API_KEY. See your two keys — the distinction matters and it is the most common thing people get wrong.

Confirm:

vulnetix auth status

The commands you will use

CommandWhat it does
ai-firewall statusShow policy, keys, wired clients, and any problems
ai-firewall key set|removeManage the provider-key vault
ai-firewall install|uninstallWire local clients to the gateway
ai-firewall policy provider|model|guardrailChange policy
ai-firewall settingsTurn inference logging on or off
ai-firewall apply|exportPolicy as code
ai-firewall snippetGenerate working client code
ai-firewall baselineAdopt the recommended guardrail set

The full flag reference for each is in the CLI documentation. This site shows them in the context of the feature they configure.

Shell completion

Worth doing — several flags (--rule-type, --action, --lang, --sdk, --scope) have completions, and the client names on install do too.

vulnetix completion fish > ~/.config/fish/completions/vulnetix.fish
# or: bash | zsh | powershell