Skip to main content
The keydris CLI doesn’t modify Claude Code — it wraps the process. It sits between the agent and the network, so every tool call, HTTP request, and payment the agent attempts passes through a local proxy that checks it against your policy before it’s allowed to leave the machine.
1

Download and install the CLI

Fetch and run the install script. This downloads the keydris binary and sets it up on your PATH; KEYDRIS_CHANNEL=dev pins the install to the dev release channel.
    curl -fsSL https://dev.get.keydris.com/keydris-cli/install.sh | KEYDRIS_CHANNEL=dev bash
2

Establish your identity

keydris login runs an OAuth login against Cognito (or the mock IdP locally), then exchanges that login for a short-lived client certificate. This certificate — not a password or API key — is what authenticates every later call the CLI makes to the control plane.
3

Bind the agent to a policy

keydris init claude-code <policy> records which policy governs this agent. The policy’s ID becomes the agent’s blueprint — the identity every rule and grant is evaluated against.
4

Start a session

Running claude triggers a SessionStart hook. The CLI calls the control plane’s issuer over mTLS and receives a short-lived SPIFFE JWT-SVID scoped to the session — proof of “this specific run of this specific agent,” expiring automatically after a fixed TTL.
5

Every call is intercepted

As Claude Code makes tool calls or outbound requests, the local proxy intercepts each one and sends it to the control plane’s broker for a decision. The broker verifies the session’s SVID, checks it hasn’t been revoked, and evaluates it against the policy’s active rules.
6

Allow, approve, or reject

On an allow, the broker mints a short-lived access token scoped to that specific destination and call, and the proxy injects it on the wire — the agent never sees or holds a long-lived credential. On approval-required or reject, the call is held or blocked per the policy’s decision.
7

End the session

When Claude Code exits, a SessionEnd hook revokes the session’s SVID. Any call still in flight with that credential is denied from that point on.
Why this shape The agent process is never trusted with a static secret — only a session-scoped identity that a separate broker checks on every call. This means a compromised or misbehaving agent can be cut off mid-session just by revoking its SVID, without needing to touch the agent itself. Related

Install and set up the CLI

The commands from this walkthrough, step by step.

Build a policy

Author the rules the broker evaluates on each call.
A note: the broker’s live policy evaluation is currently a stub in the reference implementation — it authenticates and tracks sessions correctly, but the allow/reject decision logic against real policy rules is still being wired in. Worth confirming this is finalized before this doc goes out.