Readiness produces a pre-evaluation coverage report. It loads the
control catalog, the chain catalog, and the observation snapshots,
then reports — without running the evaluation engine — what
fraction of the catalog can fire against the observed asset surface.
This is distinct from 'stave apply --dry-run', which checks input
schema validity (does it load? is the shape right?). Readiness
measures catalog effectiveness: of the ~2,662 controls and ~597
chains in the catalog, how many can fire given what the collector
captured? Which asset types are absent? Which collection actions
would unlock the most coverage?
Readiness is advisory. It does not gate 'stave apply' and it does
not run the engine. Operators can always evaluate what they have,
even if the snapshot exercises only a slice of the catalog.
Inputs:
  --observations DIR   Observation snapshot directory
  --controls DIR       Control catalog (default: embedded built-ins)
  --chains DIR         Chain catalog (default: chains)
  --format FORMAT      Output: text (default) | json
  --top N              Action plan entries (default: 5)

Outputs:
  stdout               The readiness report
  stderr               Loader diagnostics

Exit Codes:
  0                    Report produced
  2                    Input error
  4                    Internal error
  130                  SIGINT
Caveats:
- Phase 1 measures asset-type coverage only. The intent
dimension (data_classification tags, role-type labels,
vendor_registry presence) and the foundational dimension
(CloudTrail enabled, IMDSv2 enforced, GuardDuty baseline)
are deferred pending catalog metadata.
- Controls without applicable_asset_types declarations fall
in the 'indeterminate' bucket. The analyzer cannot
statically classify them; the engine fires them on any
asset at evaluation time.
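The analysis described above (asset-type coverage, the 'indeterminate'
bucket, absent asset types, and the action plan) can be reasoned about
with a small constructed model. The following is an added illustration,
not stave's own code, and it makes assumptions the help text does not
state: a control can fire if any one of its declared asset types was
observed, a chain is ready only when every member control can fire, and
the action plan is built greedily by repeatedly picking the absent asset
type that unblocks the most still-blocked controls. The catalog, chains
and observed asset types are constructed sample data; the real on-disk
formats are not shown on this page.

```python
"""Constructed model of a pre-evaluation readiness (coverage) report.
Added example; not the stave project's code. Catalog shapes, firing
semantics and plan ranking are assumptions, noted inline."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    id: str
    # None models a control with no applicable_asset_types declaration
    applicable_asset_types: Optional[frozenset]


@dataclass(frozen=True)
class Chain:
    id: str
    controls: tuple  # ids of the member controls (assumed chain shape)


def classify_controls(controls, observed):
    """Bucket controls into fireable / blocked / indeterminate.
    Assumption: a control can fire if ANY declared asset type was observed;
    a control with no declaration cannot be classified statically."""
    buckets = {"fireable": [], "blocked": [], "indeterminate": []}
    for c in controls:
        if c.applicable_asset_types is None:
            buckets["indeterminate"].append(c.id)
        elif c.applicable_asset_types & observed:
            buckets["fireable"].append(c.id)
        else:
            buckets["blocked"].append(c.id)
    return buckets


def classify_chains(chains, control_buckets):
    """Assumption: a chain is ready only if every member control can fire;
    it is blocked if any member is blocked, otherwise indeterminate."""
    fire = set(control_buckets["fireable"])
    blocked = set(control_buckets["blocked"])
    out = {"ready": [], "blocked": [], "indeterminate": []}
    for ch in chains:
        members = set(ch.controls)
        if members <= fire:
            out["ready"].append(ch.id)
        elif members & blocked:
            out["blocked"].append(ch.id)
        else:
            out["indeterminate"].append(ch.id)
    return out


def action_plan(controls, observed, top=5):
    """Greedy plan (assumed ranking): at each step pick the absent asset
    type whose collection unblocks the most remaining blocked controls,
    ties broken by name, and recompute after adding it."""
    have = set(observed)
    remaining = [c for c in controls if c.applicable_asset_types
                 and not (c.applicable_asset_types & have)]
    plan = []
    while remaining and len(plan) < top:
        gain = Counter()
        for c in remaining:
            for t in c.applicable_asset_types - have:
                gain[t] += 1
        best, n = sorted(gain.items(), key=lambda kv: (-kv[1], kv[0]))[0]
        plan.append((best, n))
        have.add(best)
        remaining = [c for c in remaining
                     if not (c.applicable_asset_types & have)]
    return plan


def readiness_report(controls, chains, observed, top=5):
    """Coverage is fireable / (fireable + blocked); indeterminate controls
    are reported separately rather than counted either way."""
    cb = classify_controls(controls, observed)
    ch = classify_chains(chains, cb)
    determinable = len(cb["fireable"]) + len(cb["blocked"])
    declared = set().union(
        *(c.applicable_asset_types or frozenset() for c in controls))
    return {
        "controls": {k: len(v) for k, v in cb.items()},
        "chains": {k: len(v) for k, v in ch.items()},
        "control_coverage": len(cb["fireable"]) / determinable if determinable else 0.0,
        "absent_asset_types": sorted(declared - set(observed)),
        "action_plan": action_plan(controls, observed, top),
    }


# Constructed sample catalog and snapshot (not real stave data).
SAMPLE_CONTROLS = [
    Control("S3-001", frozenset({"aws_s3_bucket"})),
    Control("IAM-001", frozenset({"aws_iam_role"})),
    Control("EC2-001", frozenset({"aws_ec2_instance"})),
    Control("CMP-001", frozenset({"aws_ec2_instance", "aws_lambda_function"})),
    Control("CT-001", frozenset({"aws_cloudtrail_trail"})),
    Control("GEN-001", None),  # no declaration -> indeterminate
    Control("LAM-001", frozenset({"aws_lambda_function"})),
]
SAMPLE_CHAINS = [
    Chain("CH-1", ("S3-001", "IAM-001")),
    Chain("CH-2", ("S3-001", "EC2-001")),
    Chain("CH-3", ("IAM-001", "GEN-001")),
]
SAMPLE_OBSERVED = frozenset({"aws_s3_bucket", "aws_iam_role"})

if __name__ == "__main__":
    print(json.dumps(readiness_report(SAMPLE_CONTROLS, SAMPLE_CHAINS,
                                      SAMPLE_OBSERVED, top=5), indent=2))
```

On the sample data only the two S3/IAM controls can fire, four are
blocked and one is indeterminate, so coverage is 2/6 over the
determinable controls. The greedy plan picks aws_ec2_instance first
(it unblocks two controls), after which the remaining lambda and
CloudTrail controls are worth one each; a naive per-type count would
have ranked aws_lambda_function level with EC2, which is why the plan
recomputes gains after each step.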
Usage:
stave readiness [flags]
Examples:
# Default text report against an observation directory
stave readiness --observations ./my-snapshot
# Machine-readable for CI or tooling
stave readiness --observations ./my-snapshot --format json
# Widen the action plan to the top 10 unblocking asset types
stave readiness --observations ./my-snapshot --top 10
Flags:
      --chains string         chain catalog directory (default "chains")
  -i, --controls string       control catalog directory (default "controls")
  -f, --format string         output format: text | json (default "text")
  -h, --help                  help for readiness
  -o, --observations string   observation snapshot directory (required)
      --quiet                 suppress output (exit code only)
      --top int               number of action-plan entries to surface (default 5)

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths).
                               Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output.
                               Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force, which controls file overwriting)