Skip to main content

stave ci fix-loop

Run apply-before/apply-after/verify in one command

Usage

stave ci fix-loop [flags]

Description

Fix-loop executes the remediation verification lifecycle in one run: apply before state, apply after state, compare findings, and emit a remediation report suitable for CI/CD.

Input: --before Directory containing before-remediation observations --after Directory containing after-remediation observations --controls Directory containing control definitions

Output: stdout remediation report JSON --out writes evaluation.before.json, evaluation.after.json, verification.json, remediation-report.json

Exit Codes: 0 - No remaining or introduced violations 3 - Remaining or introduced violations exist

Offline-only: reads local files; makes zero network connections; no cloud credentials.

Flags

FlagTypeDescription
-a, --afterstringPath to after-remediation observations (required)
-b, --beforestringPath to before-remediation observations (required)
-i, --controlsstringPath to control definitions directory (default: controls)
--eval-timestringEvaluation reference timestamp (RFC3339). Durations and temporal risk are measured against this time. Defaults to wall clock.
--max-unsafestringMaximum allowed unsafe duration Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--outstringWrite remediation artifacts to this directory

Examples

# Run a full fix-loop comparing before and after observations
stave ci fix-loop --before ./obs-before --after ./obs-after --controls ./controls --out ./output --eval-time 2026-01-11T00:00:00Z

# Run in CI with a strict 72-hour threshold
stave ci fix-loop --before ./obs-before --after ./obs-after --controls ./controls --out ./output --max-unsafe 72h --eval-time 2026-01-11T00:00:00Z

# Inspect the remediation report
cat ./output/remediation-report.json | jq '.summary'