Complete Command Reference

Global Options

| Option | Description |
| --- | --- |
| `--json` | JSON output mode for scripting and AI agents |
| `--version`, `-V` | Show version and exit |
| `--help` | Show command help |

Root Commands

| Command | Description |
| --- | --- |
| `pretorin login` | Authenticate with the Pretorin API (--api-key/-k, --api-url) |
| `pretorin logout` | Clear stored credentials |
| `pretorin whoami` | Display authentication status |
| `pretorin version` | Show CLI version |
| `pretorin update [VERSION]` | Update to latest version, or a specific version |
| `pretorin mcp-serve` | Start the MCP server (stdio transport) |

Framework Commands

| Command | Description |
| --- | --- |
| `pretorin frameworks list` | List all frameworks |
| `pretorin frameworks get <id>` | Get framework details |
| `pretorin frameworks families <id>` | List control families |
| `pretorin frameworks family <fw> <family>` | Get control family details |
| `pretorin frameworks controls <id> [FAMILY_ID]` | List controls (--family/-f, --limit/-n) |
| `pretorin frameworks control <fw> <ctrl>` | Get control details (--brief/-b) |
| `pretorin frameworks documents <id>` | Get document requirements |
| `pretorin frameworks metadata <id>` | Get per-control framework metadata |
| `pretorin frameworks submit-artifact <file>` | Submit a compliance artifact JSON file |

Custom Frameworks

Subcommands of pretorin frameworks for authoring, validating, and uploading custom or forked frameworks. See Custom Frameworks for the full authoring workflow.

| Command | Description |
| --- | --- |
| `pretorin frameworks init-custom <framework_id>` | Scaffold a minimal valid unified.json (--title/-t, --output/-o, --force/-f) |
| `pretorin frameworks validate-custom <file>` | Validate a unified.json artifact against the bundled JSON Schema |
| `pretorin frameworks build-custom <input>` | Normalize a source catalog (unified, OSCAL, or known custom) into uploadable unified.json (--framework-id/-f required, --output/-o, --force) |
| `pretorin frameworks upload-custom <file>` | Upload a unified.json artifact as a draft revision (--framework-id/-f, --version-label/-v, --publish) |
| `pretorin frameworks fork-framework <source_id> <new_id>` | Create a linked-fork draft from an upstream framework (--version-label/-v) |
| `pretorin frameworks rebase-fork <framework_id>` | Create a rebase draft for a fork against the latest upstream revision (--version-label/-v) |
| `pretorin frameworks revisions <framework_id>` | List all draft and published revisions for a framework |
| `pretorin frameworks export-oscal <file>` | Regenerate an OSCAL catalog from a unified.json artifact (--output/-o, --force) |

Context Commands

| Command | Description |
| --- | --- |
| `pretorin context list` | List systems and frameworks with progress |
| `pretorin context set` | Set active system/framework context (--system/-s, --framework/-f, --no-verify) |
| `pretorin context show` | Display and validate current active context (--quiet/-q, --check) |
| `pretorin context clear` | Clear active context |
| `pretorin context verify` | Verify active context with source attestation (--ttl, --quiet/-q) |
| `pretorin context manifest` | Show resolved source manifest and evaluate against detected sources (--quiet/-q) |

Control Commands

| Command | Description |
| --- | --- |
| `pretorin control status <ctrl> <status>` | Update control implementation status (--framework-id/-f, --system/-s) |
| `pretorin control context <ctrl>` | Get rich control context with AI guidance (--framework-id/-f, --system/-s) |

Evidence Commands

| Command | Description |
| --- | --- |
| `pretorin evidence create <ctrl> <fw>` | Create a local evidence file (--name/-n, --description/-d, --artifact-content, --type/-t) |
| `pretorin evidence list` | List local evidence files (--framework/-f) |
| `pretorin evidence push` | Push local evidence to the platform (--dry-run) |
| `pretorin evidence search` | Search platform evidence (--control-id/-c, --framework-id/-f, --system/-s, --limit/-n) |
| `pretorin evidence upsert <ctrl> <fw>` | Find-or-create evidence and link it (--name/-n, --description/-d, --artifact-content, --type/-t, --system/-s, --code-file, --code-lines, --code-repo, --code-commit) |
| `pretorin evidence upload <file> <ctrl> <fw>` | Upload a file as evidence (--name/-n, --type/-t, --description/-d, --system/-s) |
| `pretorin evidence link <evidence_id> <ctrl>` | Link evidence to a control (--framework-id/-f, --system/-s) |
| `pretorin evidence link-cci <evidence_id> <cci_implementation_id>` | Link evidence to a per-system CCI implementation row (--system/-s, --override-system-mismatch, --override-reason) |
| `pretorin evidence link-stig <evidence_id> <stig_rule_id>` | Link evidence to a STIG rule workflow (lazy-creates the row) (--system/-s, --override-system-mismatch, --override-reason) |
| `pretorin evidence mark-current <evidence_id>` | Re-affirm evidence freshness; bumps expires_at by the refresh cadence and resolves any expiring/expired monitoring events (--system/-s) |
| `pretorin evidence validate <evidence_id>` | Compare recorded source-material hash before re-verifying or replacing a drifted Markdown artifact (--system/-s, --source-root) |
| `pretorin evidence delete <evidence_id>` | Delete an evidence item (--system/-s, --framework-id/-f, --yes/-y) |

Narrative Commands

| Command | Description |
| --- | --- |
| `pretorin narrative create <ctrl> <fw>` | Create a local narrative file (--content/-c, --name/-n, --ai-generated) |
| `pretorin narrative list` | List local narrative files (--framework/-f) |
| `pretorin narrative push` | Push local narratives to the platform (--dry-run) |
| `pretorin narrative push-file <ctrl> <fw> <sys> <file>` | Push a single narrative file to the platform |
| `pretorin narrative get <ctrl> <fw>` | Get current control narrative (--system/-s) |

Notes Commands

| Command | Description |
| --- | --- |
| `pretorin notes create <ctrl> <fw>` | Create a local note file (--content/-c, --name/-n) |
| `pretorin notes list [ctrl] [fw]` | List notes — platform (--system/-s) or local (--local, --framework/-f) |
| `pretorin notes push` | Push local notes to the platform (--dry-run) |
| `pretorin notes add <ctrl> <fw>` | Add a note directly on the platform (--content/-c, --system/-s) |
| `pretorin notes resolve <ctrl> <fw> <note_id>` | Resolve or reopen a control note (--system/-s, --reopen, --content/-c, --pinned) |

Monitoring Commands

| Command | Description |
| --- | --- |
| `pretorin monitoring push` | Push a monitoring event (--system/-s, --framework/-f, --title/-t, --event-type, --severity, --control/-c, --description/-d, --update-control-status) |

Policy Commands

| Command | Description |
| --- | --- |
| `pretorin policy list` | List org policies available for questionnaire work |
| `pretorin policy show` | Show persisted policy questionnaire state (--policy) |
| `pretorin policy populate` | Draft policy questionnaire updates from the current workspace (--policy, --path/-p, --apply) |

Scope Commands

| Command | Description |
| --- | --- |
| `pretorin scope show` | Show scope questionnaire state and review findings (--system/-s, --framework-id/-f) |
| `pretorin scope populate` | Draft scope questionnaire updates from the current workspace (--system/-s, --framework-id/-f, --path/-p, --apply) |

Agent Commands

| Command | Description |
| --- | --- |
| `pretorin agent run "<task>"` | Run a compliance task (--skill/-s, --model/-m, --base-url, --working-dir/-w, --no-stream, --legacy, --max-turns, --no-mcp) |
| `pretorin agent doctor` | Validate Codex runtime setup |
| `pretorin agent install` | Download the pinned Codex binary |
| `pretorin agent version` | Show pinned Codex version and install status |
| `pretorin agent skills` | List available agent skills |
| `pretorin agent mcp-list` | List configured MCP servers for the agent |
| `pretorin agent mcp-add <name> <transport> <cmd>` | Add an MCP server configuration (--arg/-a, --scope) |
| `pretorin agent mcp-remove <name>` | Remove an MCP server configuration |

Skill Commands

| Command | Description |
| --- | --- |
| `pretorin skill install` | Install the Pretorin skill for AI coding agents (--agent/-a, --path/-p, --force/-f) |
| `pretorin skill uninstall` | Uninstall the Pretorin skill (--agent/-a, --path/-p) |
| `pretorin skill status` | Show installation status of the Pretorin skill |
| `pretorin skill list-agents` | List all known agents and their skill directories |

Review Commands

| Command | Description |
| --- | --- |
| `pretorin review run` | Review code against a control (--control-id/-c, --framework-id/-f, --system/-s, --path/-p, --local, --output-dir/-o) |
| `pretorin review status` | Check implementation status for a control (--control-id/-c, --framework-id/-f, --system/-s) |

Config Commands

| Command | Description |
| --- | --- |
| `pretorin config list` | List all configuration |
| `pretorin config get <key>` | Get a config value |
| `pretorin config set <key> <value>` | Set a config value |
| `pretorin config path` | Show config file path |

Campaign Commands

| Command | Description |
| --- | --- |
| `pretorin campaign controls` | Run bulk control narrative/evidence campaign (--system, --framework-id, --mode, --family, --controls, --all-controls, --artifacts, --review-job, --concurrency, --max-retries, --checkpoint, --apply, --output) |
| `pretorin campaign policy` | Run bulk policy questionnaire campaign (--mode, --policies, --all-incomplete, --system, --concurrency, --max-retries, --checkpoint, --apply, --output) |
| `pretorin campaign scope` | Run bulk scope questionnaire campaign (--system, --framework-id, --mode, --concurrency, --max-retries, --checkpoint, --apply, --output) |
| `pretorin campaign status` | Show campaign progress from a checkpoint file (--checkpoint, --output) |

Campaign Modes

| Domain | Mode | Description |
| --- | --- | --- |
| `controls` | `initial` | Draft new narratives and evidence for controls |
| `controls` | `notes-fix` | Address platform notes on existing controls |
| `controls` | `review-fix` | Fix findings from a family review job |
| `policy` | `answer` | Generate answers for policy questions |
| `policy` | `review-fix` | Fix findings from a policy review |
| `scope` | `answer` | Generate answers for scope questions |
| `scope` | `review-fix` | Fix findings from a scope review |

Vendor Commands

| Command | Description |
| --- | --- |
| `pretorin vendor list` | List all vendors in the organization |
| `pretorin vendor create <name>` | Create a vendor (--type/-t, --description/-d, --authorization-level/-a) |
| `pretorin vendor get <vendor_id>` | Get vendor details |
| `pretorin vendor update <vendor_id>` | Update vendor fields (--name, --description/-d, --type/-t, --authorization-level/-a) |
| `pretorin vendor delete <vendor_id>` | Delete a vendor (--force/-f) |
| `pretorin vendor upload-doc <vendor_id> <file>` | Upload a vendor evidence document (--name/-n, --description/-d, --attestation-type) |
| `pretorin vendor list-docs <vendor_id>` | List documents linked to a vendor |

Vendor Types

csp, saas, managed_service, internal

Risk Commands

Manage a system’s risk register. Risks are system-scoped except for the org-level risk library subgroup. See Risk Management for the full workflow.

| Command | Description |
| --- | --- |
| `pretorin risk list <system_id>` | List risks for a system (--category, --risk-level, --status) |
| `pretorin risk show <system_id> <risk_id>` | Show full risk including eager-loaded artifact links |
| `pretorin risk create <system_id>` | Create a custom risk (--title, --category, --description, --treatment, --treatment-plan, --treatment-due-date, --framework, --suggested-control-family repeatable) |
| `pretorin risk seed <system_id>` | Seed risks from library templates (--framework, --template-id repeatable) |
| `pretorin risk update <system_id> <risk_id>` | Update fields including mitigation (--title, --description, --category, --likelihood, --impact, --owner-id, --status, --review-frequency-days, --treatment, --treatment-plan, --treatment-due-date) |
| `pretorin risk link add <system_id> <risk_id>` | Attach an artifact (--link-type, exactly one of --control + --framework, --evidence, --finding, --vendor, --monitoring-event) |
| `pretorin risk link rm <system_id> <risk_id> <link_id>` | Remove a risk artifact link |
| `pretorin risk refresh-summary <system_id> <risk_id>` | Re-score risk and trigger best-effort AI summary regeneration |
| `pretorin risk library list` | Browse the org-level risk template library (--category) |

Risk Treatment Values

mitigate, accept, transfer, avoid

contributes_to_risk, mitigates_risk, evidence_of_risk

STIG Commands

| Command | Description |
| --- | --- |
| `pretorin stig list` | List STIG benchmarks (--technology-area/-t, --product/-p, --limit/-l) |
| `pretorin stig show <stig_id>` | Show STIG benchmark detail with severity breakdown |
| `pretorin stig rules <stig_id>` | List rules for a benchmark (--severity/-s, --cci, --limit/-l) |
| `pretorin stig applicable` | Show applicable STIGs for the active system (--system/-s) |
| `pretorin stig infer` | AI-infer applicable STIGs from system profile (--system/-s) |

CCI Commands

| Command | Description |
| --- | --- |
| `pretorin cci list` | List CCIs (--control/-c, --status, --limit/-l) |
| `pretorin cci show <cci_id>` | Show CCI detail with linked SRGs and STIG rules (e.g., CCI-000015) |
| `pretorin cci chain <control_id>` | Full traceability chain: Control -> CCIs -> SRGs -> STIG rules (--system/-s) |
| `pretorin cci impl <cci_uuid>` | Show the per-system CCI implementation row (status, narrative, evidence_ids, eMASS fields) — 404 means uninitialized (--system/-s) |

Recipe Commands

Recipes are markdown + script playbooks the calling AI agent executes. See Recipes for authoring guidance.

| Command | Description |
| --- | --- |
| `pretorin recipe list` | List all loaded recipes with id, name, tier, author, and source path (--tier, --source) |
| `pretorin recipe show <recipe_id>` | Display a recipe’s manifest, body, and (with --sources) all loader paths |
| `pretorin recipe new <recipe_id>` | Scaffold a new recipe directory (--location user/project/builtin, --author, --name) |
| `pretorin recipe validate <recipe_id>` | Validate a recipe’s manifest, scripts, and description quality (--path for path-based override) |
| `pretorin recipe run <recipe_id>` | Run a recipe’s script locally for testing (--script/-s, --param/-p repeatable, --path, --system, --framework, --no-context) |

Scanning

The legacy pretorin scan command was removed when the recipes system landed. Scanning now happens through built-in recipes that the calling AI agent invokes via MCP. See STIG Scanning for the recipe-based workflow.

| Recipe ID | Wraps | CLI requirement |
| --- | --- | --- |
| `inspec-baseline` | Chef InSpec | `inspec` |
| `openscap-baseline` | OpenSCAP | `oscap` |
| `cloud-aws-baseline` | AWS APIs | `aws` |
| `cloud-azure-baseline` | Azure APIs | `az` |
| `manual-attestation` | Human attestation | |

Deprecated Commands

| Command | Description |
| --- | --- |
| `pretorin harness init` | Deprecated: initialize harness config |
| `pretorin harness doctor` | Deprecated: validate harness setup |
| `pretorin harness run "<task>"` | Deprecated: run task through harness backend |