Skip to main content

stave export-invariants

Export the control catalog as a list of solver-ready invariants.

Each invariant carries the control's predicate tree, authored intent
rationale, and the optional forbidden_state block — the high-level
"this configuration must never exist" claim external SMT compilers
consume to generate Z3 satisfiability queries.

The export is metadata-only: no observation reads, no findings, no
clock. External solvers receive a pure description of "the rules
Stave checks" without inheriting any of Stave's evaluation
semantics.

Inputs:
  --controls, -i      Control definitions directory (default: built-in catalog)
  --format, -f        Output format: json (default: json)

Outputs:
  stdout: invariant export as a JSON array (sorted by control ID).
  stderr: errors.

Exit codes:
  0   success
  2   input error (bad flag)
  4   internal error (load failure, projection error)
  130 SIGINT

Usage:
  stave export-invariants [flags]

Examples:
  # Built-in catalog → JSON to stdout
  stave export-invariants > invariants.json

  # Filter to controls that author a forbidden_state block
  stave export-invariants | jq '[.invariants[] | select(.forbidden_state.combine != "")]'

  # Custom controls directory
  stave export-invariants --controls ./my-controls > invariants.json

Flags:
  -i, --controls string   control definitions directory (empty = built-in catalog)
  -f, --format string     output format: json (default "json")
  -h, --help              help for export-invariants

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths) Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only) Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)