Airlock CLI

Reference enforcer for shell command approval in enterprise deployments

Enterprise deployment. Configure integrations against your organization's Gateway at https://<your-gateway-host> and identity at https://<your-auth-host>/realms/<your-realm>. See the Getting started and Developer Guide.

What is the Airlock CLI?

The Airlock CLI is an open-source reference enforcer that gates shell commands through your organization's Integrations Gateway. Authenticate and pair once against https://<your-gateway-host>; then use airlock-cli approve to request human approval before running sensitive commands.

  • Asks for approval — Before a command runs, it sends a request to the gateway. You see the request on the Mobile Approver and tap Approve or Reject.
  • Blocks until you decide — The terminal waits until you approve, reject, or until a timeout. It exits with a clear result so your shell or script can allow or block the command.
  • Stays secure — Sign in once and pair the CLI with your phone once. Approvals are cryptographically verified.

Prerequisites

  • Enterprise Gateway URL — Your deployment's Integrations Gateway (https://<your-gateway-host>).
  • Identity credentials — User or service account from your organization's OIDC realm.
  • Mobile Approver — Organization-distributed app for reviewers (MDM or internal catalog), paired with the CLI.

Step 1: Install the CLI

Option A: Download a release

Get the right binary for your system from the releases:

  • Windows (64-bit): airlock-cli-windows-amd64.exe
  • Windows (32-bit): airlock-cli-windows-386.exe
  • Linux (64-bit): airlock-cli-linux-amd64
  • Linux (ARM64): airlock-cli-linux-arm64
  • macOS (Intel): airlock-cli-darwin-amd64
  • macOS (Apple Silicon): airlock-cli-darwin-arm64

Rename to airlock-cli (or airlock-cli.exe on Windows) and put it in your PATH. On Linux/macOS: chmod +x airlock-cli.

Option B: Build from source

cd src/airlock-cli
go build -o airlock-cli ./cmd/airlock-cli

Step 2: Sign in

airlock-cli sign-in

Your browser will open; sign in with your organization's identity provider. Then check: airlock-cli status — you should see "Signed in: true".

Step 3: Pair with Mobile Approver

airlock-cli pair

The CLI shows a pairing code. On the Airlock Mobile Approver app, go to Settings → Pair Another Workspace and enter the code. When done, airlock-cli status should show "Paired: true".

Step 4: Use the approve command

Basic usage:

airlock-cli approve --command "git push origin main"

With more context (recommended):

airlock-cli approve \
  --command "git push origin main" \
  --cwd "/home/me/my-project" \
  --shell "bash" \
  --host "my-laptop"

Exit codes

  • 0 — Approved → safe to run the command
  • 1 — Denied
  • 2 — Verification failed (don't run the command)
  • 3 — Timeout (don't assume approval)

Using the CLI from a script

Run the CLI first; only run the real command if the CLI exits 0.

Bash example:

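#!/usr/bin/env bash
# Ask for approval first; run the real command only if the CLI exits 0.
if airlock-cli approve --command "$*" --cwd "$(pwd)" --shell "$SHELL" --host "$(hostname)"; then
  "$@"
else
  # Any non-zero exit (denied, verification failed, timeout) blocks the command.
  echo "Command not approved or failed." >&2
  exit 1
fi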
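
The exit codes above call for a fail-closed wrapper: only 0 runs the command, and every other code blocks it, including codes outside the documented 0 to 3 such as the shell's 127 when the binary is missing. The following is an added example, not code from the Airlock project; AIRLOCK_BIN, airlock_decision and guarded_run are hypothetical names, while the approve flags and exit codes are the ones documented on this page.

```bash
#!/usr/bin/env bash
# Added example (not Airlock project code): fail-closed approval wrapper.
# AIRLOCK_BIN, airlock_decision and guarded_run are hypothetical names.
AIRLOCK_BIN="${AIRLOCK_BIN:-airlock-cli}"

# Translate an `approve` exit code into a decision label.
airlock_decision() {
  case "$1" in
    0) echo approved ;;
    1) echo denied ;;
    2) echo verification-failed ;;
    3) echo timeout ;;
    *) echo error ;;  # undocumented code, e.g. 127 if the CLI is not on PATH
  esac
}

# Usage: guarded_run cmd [args...]
# Runs cmd only when the gateway approves it; otherwise returns the
# CLI's non-zero exit code so callers can tell denial from timeout.
guarded_run() {
  if [ "$#" -eq 0 ]; then
    echo "usage: guarded_run cmd [args...]" >&2
    return 64
  fi
  rc=0
  # "$*" joins argv with spaces for the reviewer to read, so an argument
  # containing spaces is shown ambiguously; "$@" below runs the exact argv.
  "$AIRLOCK_BIN" approve --command "$*" --cwd "$(pwd)" \
    --shell "${SHELL:-sh}" --host "$(hostname)" || rc=$?
  decision=$(airlock_decision "$rc")
  if [ "$decision" != approved ]; then
    echo "airlock: $decision (exit $rc), not running: $*" >&2
    return "$rc"
  fi
  "$@"
}
```

An approved command's own exit status is returned unchanged, so a status of 1 to 3 can come from either the gate or the command; the stderr line tells them apart.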

Quick reference

Task              Command
Sign in           airlock-cli sign-in
Pair phone        airlock-cli pair
Request approval  airlock-cli approve --command "your command"
Check status      airlock-cli status
Sign out          airlock-cli sign-out

For full flag details, build instructions, and testing, see the airlock-cli README.