
stave expand

Expand a finding or archetype into the family of controls that
detect the same class of structural defect across services.

When a single finding fires, its archetype identifies every other place
the same defect can manifest in your infrastructure. Use --finding to
pivot from a specific control, --archetype to start from a known class,
or --list to see all archetypes.

Inputs:
--archetype <id> Archetype ID (e.g., ghost-reference)
--finding <id> Control ID to look up the archetype from
--list List all archetypes with control counts
--format text|json Output format (default: text)
--snapshots <dir> Path to observations dir (optional; enables snapshot coverage section)
--controls <dir> Control definitions directory (default: controls)

Outputs:
stdout: archetype summary, controls grouped by service, optional
snapshot coverage and recommended commands.
stderr: errors only.

Exit codes:
0 success
2 input error (missing flags, unknown archetype/finding)
4 internal error (control loader failure)
130 SIGINT

Usage:
stave expand [flags]

Examples:
# List all archetypes with control counts
stave expand --list

# Expand an archetype into its control family
stave expand --archetype ghost-reference

# Pivot from a known finding to its sibling controls
stave expand --finding CTL.ROUTE53.DANGLING.S3.001

# JSON output for tooling
stave expand --archetype ghost-reference --format json

Flags:
--archetype string archetype ID to expand (e.g., ghost-reference)
-i, --controls string control definitions directory (default "controls")
--finding string control ID to expand from (e.g., CTL.ROUTE53.DANGLING.S3.001)
-f, --format string output format: text or json (default "text")
-h, --help help for expand
--list list all archetypes with control counts
--snapshots string observations directory for snapshot coverage check

Global Flags:
--allow-symlink-output Allow writing output through symlinks (default: refuse)
--force Allow overwriting existing output files
--log-file string Write logs to file (default: stderr)
--log-format string Log format: text|json (default "text")
--log-level string Log level: debug|info|warn|error (overrides -v)
--log-timestamps Include timestamps in logs (breaks determinism)
--log-timings Include timing information (breaks determinism)
--no-color Disable ANSI colors in output
--path-mode string Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--quiet Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--require-offline Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
--sanitize Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--strict Enable strict integrity checks for embedded registries and references
-v, --verbose count Increase verbosity (-v=INFO, -vv=DEBUG)
-y, --yes Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)
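The following is an added example, not part of stave itself: a POSIX sh wrapper that a CI job can use to pivot from a finding to its sibling controls with --format json, assert the run stays offline (--require-offline), and verify that the output is byte-for-byte reproducible across two invocations, which is what --log-timestamps and --log-timings would break. It assumes a `stave` binary on PATH and the exit codes documented above; it makes no assumption about field names in the JSON output. The exit code 99 for "output differed between runs" is the wrapper's own convention, chosen not to collide with stave's documented codes.

```shell
#!/bin/sh
# Added example (not stave's own code): CI-style wrapper around `stave expand`.
# Assumes a `stave` binary on PATH and the exit codes from the help text above.

# Wrapper-specific exit code for "stdout differed between two identical runs";
# picked so it cannot collide with stave's documented codes (0, 2, 4, 130).
NONDETERMINISTIC=99

# run_twice_identical CMD [ARGS...]
# Runs CMD twice and compares stdout byte-for-byte. Returns CMD's own exit code
# if either run fails, $NONDETERMINISTIC if the outputs differ, 0 otherwise.
run_twice_identical() {
    first=$("$@") || return $?
    second=$("$@") || return $?
    [ "$first" = "$second" ] || return "$NONDETERMINISTIC"
}

# explain_exit CODE: human-readable meaning of a `stave expand` exit code,
# plus the wrapper's own non-determinism code.
explain_exit() {
    case "$1" in
        0)   echo "success" ;;
        2)   echo "input error (missing flags, unknown archetype/finding)" ;;
        4)   echo "internal error (control loader failure)" ;;
        130) echo "interrupted (SIGINT)" ;;
        "$NONDETERMINISTIC") echo "output differed between two identical runs" ;;
        *)   echo "undocumented exit code $1" ;;
    esac
}

# check_expand FINDING_ID [CONTROLS_DIR]
# Pivot from a finding to its sibling controls as JSON, require offline
# operation, and require reproducible output. Prints a verdict and returns
# the resulting exit code so the CI step fails on any problem.
check_expand() {
    finding=$1
    controls=${2:-controls}
    run_twice_identical stave expand \
        --finding "$finding" \
        --controls "$controls" \
        --format json \
        --require-offline
    rc=$?
    echo "stave expand --finding $finding: $(explain_exit "$rc")"
    return "$rc"
}

# Only call stave when it is installed, so this file can also be sourced for
# its functions on a machine without the binary.
if command -v stave >/dev/null 2>&1; then
    check_expand CTL.ROUTE53.DANGLING.S3.001
fi
```

Leave --log-timestamps and --log-timings off in any job that relies on this check; if you need timing data, send logs to a file with --log-file so stdout stays stable.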