> ## Documentation Index
> Fetch the complete documentation index at: https://docs.keydris.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Keydris cli

> download and setup keydris cli

The keydris CLI doesn't modify Claude Code — it wraps the process. It sits between the agent and the network, so every tool call, HTTP request, and payment the agent attempts passes through a local proxy that checks it against your policy before it's allowed to leave the machine.

<Steps>
  <Step title="Download and install the CLI">
    Fetch and run the install script. This downloads the `keydris` binary and sets it up on your `PATH`; `KEYDRIS_CHANNEL=dev` pins the install to the dev release channel.

    ```bash theme={null}
        curl -fsSL https://dev.get.keydris.com/keydris-cli/install.sh | KEYDRIS_CHANNEL=dev bash
    ```
  </Step>

  <Step title="Establish your identity">
    `keydris login` runs an OAuth login against Cognito (or the mock IdP locally), then exchanges that login for a short-lived client certificate. This certificate — not a password or API key — is what authenticates every later call the CLI makes to the control plane.
  </Step>

  <Step title="Bind the agent to a policy">
    `keydris init claude-code <policy>` records which policy governs this agent. The policy's ID becomes the agent's **blueprint** — the identity every rule and grant is evaluated against.
  </Step>

  <Step title="Start a session">
    Running `claude` triggers a SessionStart hook. The CLI calls the control plane's issuer over mTLS and receives a short-lived SPIFFE JWT-SVID scoped to the session — proof of "this specific run of this specific agent," expiring automatically after a fixed TTL.
  </Step>

  <Step title="Every call is intercepted">
    As Claude Code makes tool calls or outbound requests, the local proxy intercepts each one and sends it to the control plane's broker for a decision. The broker verifies the session's SVID, checks it hasn't been revoked, and evaluates it against the policy's active rules.
  </Step>

  <Step title="Allow, approve, or reject">
    On an allow, the broker mints a short-lived access token scoped to that specific destination and call, and the proxy injects it on the wire — the agent never sees or holds a long-lived credential. On approval-required or reject, the call is held or blocked per the policy's decision.
  </Step>

  <Step title="End the session">
    When Claude Code exits, a SessionEnd hook revokes the session's SVID. Any call still in flight with that credential is denied from that point on.
  </Step>
</Steps>

Why this shape The agent process is never trusted with a static secret — only a session-scoped identity that a separate broker checks on every call. This means a compromised or misbehaving agent can be cut off mid-session just by revoking its SVID, without needing to touch the agent itself. Related

<CardGroup cols={2}>
  <Card title="Install and set up the CLI" icon="terminal" href="/getting-started/cli-setup">
    The commands from this walkthrough, step by step.
  </Card>

  <Card title="Build a policy" icon="diagram-project" href="/features/policy-builder">
    Author the rules the broker evaluates on each call.
  </Card>
</CardGroup>

A note: the broker's live policy evaluation is currently a stub in the reference implementation — it authenticates and tracks sessions correctly, but the allow/reject decision logic against real policy rules is still being wired in. Worth confirming this is finalized before this doc goes out.
