Airlock CLI

What is the Airlock CLI?

The Airlock CLI is a standalone enforcer that gates shell commands through the Airlock gateway. Sign in and pair once; then use airlock-cli approve to request human approval before running sensitive commands (e.g. git push, production deploys).

• Asks for approval — Before a command runs, it sends a request to the gateway. You see the request on the Airlock mobile app and tap Approve or Reject.
• Blocks until you decide — The terminal waits until you approve, reject, or until a timeout. It exits with a clear result so your shell or script can allow or block the command.
• Stays secure — Sign in once and pair the CLI with your phone once. Approvals are cryptographically verified.

Prerequisites

• An Airlock account — Same account you use for the Airlock mobile app or IDE extension.
• Airlock mobile app — Installed on your phone, signed in. Used to approve/reject and to pair the CLI.

Step 1: Install the CLI

Option A: Download a release

Get the right binary for your system from the releases:

• Windows (64-bit): airlock-cli-windows-amd64.exe
• Windows (32-bit): airlock-cli-windows-386.exe
• Linux (64-bit): airlock-cli-linux-amd64
• Linux (ARM64): airlock-cli-linux-arm64
• macOS (Intel): airlock-cli-darwin-amd64
• macOS (Apple Silicon): airlock-cli-darwin-arm64

Rename to airlock-cli (or airlock-cli.exe on Windows) and put it in your PATH. On Linux/macOS: chmod +x airlock-cli.

Option B: Build from source

cd src/airlock-cli
go build -o airlock-cli ./cmd/airlock-cli

cd src/airlock-cli
go build -o airlock-cli ./cmd/airlock-cli

Step 2: Sign in

airlock-cli sign-in

airlock-cli sign-in

Your browser will open; sign in with your Airlock account. Then check: airlock-cli status — you should see "Signed in: true".

Step 3: Pair with your phone

airlock-cli pair

airlock-cli pair

The CLI shows a pairing code. On the Airlock Mobile Approver app, go to Settings → Pair Another Workspace and enter the code. When done, airlock-cli status should show "Paired: true".

Step 4: Use the approve command

Basic usage:

airlock-cli approve --command "git push origin main"

airlock-cli approve --command "git push origin main"

With more context (recommended):

airlock-cli approve \
  --command "git push origin main" \
  --cwd "/home/me/my-project" \
  --shell "bash" \
  --host "my-laptop"

airlock-cli approve \
  --command "git push origin main" \
  --cwd "/home/me/my-project" \
  --shell "bash" \
  --host "my-laptop"

Exit codes

• 0 — Approved → safe to run the command
• 1 — Denied
• 2 — Verification failed (don't run the command)
• 3 — Timeout (don't assume approval)

Using the CLI from a script

Run the CLI first; only run the real command if the CLI exits 0.

Bash example:

airlock-cli approve --command "$*" --cwd "$(pwd)" --shell "$SHELL" --host "$(hostname)"
if [ $? -eq 0 ]; then
  "$@"
else
  echo "Command not approved or failed."
  exit 1
fi

airlock-cli approve --command "$*" --cwd "$(pwd)" --shell "$SHELL" --host "$(hostname)"
if [ $? -eq 0 ]; then
  "$@"
else
  echo "Command not approved or failed."
  exit 1
fi

Quick reference