stave search

Search the capability catalog by intent. Ranks every capability
(control group, compound chain, operational feature) against the
query tokens, expanding synonyms so the user does not need to know
Stave's vocabulary first.

Scoring (per matched token, summed):
  title:        3
  use_when:     2
  keyword:      1
  description:  0.5
Phrase-verbatim hits add 5; threshold of 1.0 filters single-word
matches against long descriptions.
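
The scoring rule above, worked through as an added Python example (not Stave's own code). The catalog entries and ids are constructed; it assumes whole-word token matching, a phrase bonus applied once and only to multi-word queries, and an inclusive threshold, and it omits synonym expansion because this page does not list the synonym table.

```python
import re

# Weights, bonus and threshold as documented on this page.
WEIGHTS = {"title": 3.0, "use_when": 2.0, "keyword": 1.0, "description": 0.5}
PHRASE_BONUS = 5.0
THRESHOLD = 1.0

# Constructed catalog: ids and text are hypothetical, not real Stave capabilities.
CATALOG = [
    {"id": "ex.public-bucket",
     "title": "Public S3 bucket",
     "use_when": "bucket readable by anyone on the internet",
     "keyword": "s3 public acl exposure",
     "description": "Flags storage that grants anonymous read access."},
    {"id": "ex.key-rotation",
     "title": "KMS key rotation disabled",
     "use_when": "customer managed keys never rotate",
     "keyword": "kms rotation",
     "description": "Detects keys whose rotation flag is off on any bucket encryption key."},
]

def tokens(text):
    """Lowercase alphanumeric tokens (assumed tokenizer)."""
    return re.findall(r"[a-z0-9]+", text.lower())

def score(entry, query):
    """Sum field weights per matched query token, plus the phrase bonus."""
    q = tokens(query)
    total = 0.0
    for field, weight in WEIGHTS.items():
        total += weight * len(set(q) & set(tokens(entry.get(field, ""))))
    # Assumption: bonus applies once, and only to multi-word queries, when the
    # normalized query appears as a contiguous run of whole tokens in a field.
    phrase = f" {' '.join(q)} "
    if len(q) > 1 and any(
        phrase in f" {' '.join(tokens(entry.get(f, '')))} " for f in WEIGHTS
    ):
        total += PHRASE_BONUS
    return total

def search(query, catalog=CATALOG, top=10):
    """Return (score, id) pairs at or above the threshold, best first."""
    hits = [(score(e, query), e["id"]) for e in catalog]
    hits = [h for h in hits if h[0] >= THRESHOLD]  # assumed inclusive
    return sorted(hits, key=lambda h: (-h[0], h[1]))[:top]

if __name__ == "__main__":
    for query in ("public S3 bucket", "bucket", "kms rotation"):
        print(query, "->", search(query))
```

The single-word query `bucket` scores only 0.5 against the second entry's long description and is dropped by the threshold, which is the filtering behaviour the scoring note describes.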

Use this when you know your problem but not the catalog vocabulary:
"public S3 bucket", "expired access keys", "Cognito unauthenticated
access", "CloudTrail logging disabled", "shadow admin", "orphaned
policies".

Inputs:
  <query>      Free-form intent string (required)
  --top N      Number of matches to surface (default 10)
  --format F   text (default) | json
  --controls   Control catalog directory (default: controls)
  --chains     Chain catalog directory (default: chains)

Exit codes:
  0   Matches found (or zero matches but query was well-formed)
  2   Invalid input (missing query, bad --format)
  4   Internal error (catalog load failure)

Usage:
  stave search <query> [flags]

Examples:
  stave search "public S3 bucket"
  stave search "how long was this misconfigured"
  stave search "shadow admin"
  stave search "kms rotation" --format json

Flags:
      --chains string     chain catalog directory (default "chains")
  -i, --controls string   control catalog directory (default "controls")
  -f, --format string     output format: text | json (default "text")
  -h, --help              help for search
      --top int           number of matches to surface (default 10)

Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --strict                 Enable strict integrity checks for embedded registries and references
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)