Validate controls, observations, and configuration for correctness without evaluation.
Validate checks structural and semantic correctness of all evaluation inputs
before running the full apply pipeline. It catches schema violations, invalid
timestamps, and cross-file inconsistencies early, reducing time spent debugging
failed evaluations.
What it checks:
- Control schema (id, name, description)
- Observation schema and timestamps
- Cross-file consistency and time sanity
- Duration format and feasibility
Inputs:
  --controls, -i       Path to control definitions (default: controls)
  --observations, -o   Path to observation snapshots (default: observations)
  --in                 Single input file or '-' for stdin
  --kind               Contract kind: control|observation|finding (requires --in)
  --schema-version     Contract schema version override
  --max-unsafe         Maximum allowed unsafe duration
  --now                Override current time (RFC3339) for deterministic output
  --format, -f         Output format: text or json (default: text)
  --strict             Treat warnings as errors (exit 2)
  --fix-hints          Print remediation hints after issues
  --quiet              Suppress output
  --template           Custom output template
Outputs:
  stdout   Validation report listing issues found (text or JSON)
  stderr   Error messages (if any)
Exit Codes:
  0   - All inputs are valid; no issues found
  2   - Invalid input or validation failure (also used in --strict mode for warnings)
  130 - Interrupted (SIGINT)
Examples:
  # Validate project controls and observations
  stave validate
  # Validate with JSON output
  stave validate --format json
  # Validate a single file from stdin
  cat control.yaml | stave validate --in - --kind control
  # Strict mode: treat warnings as errors
  stave validate --strict
Offline-only: reads local files; makes zero network connections; no cloud credentials.
Usage:
  stave validate [flags]
Examples:
  stave validate --controls controls/s3 --observations observations
Flags:
      --assert-recent string    Fail if no snapshot newer than this duration (e.g. 48h)
  -i, --controls string         Path to control definitions (inferred if omitted) (default "controls")
      --fix-hints               Print remediation hints after issues
  -f, --format string           Output format: text or json (default "text")
  -h, --help                    help for validate
      --in string               Single input file or '-' for stdin
      --kind string             Contract kind: control|observation|finding
      --max-unsafe string       Maximum allowed unsafe duration. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --now string              Override current time (RFC3339) for deterministic output
  -o, --observations string     Path to observation snapshots (inferred if omitted) (default "observations")
      --schema-version string   Contract schema version override
      --strict                  Treat warnings as errors (exit 2)
      --template string         Custom output template
Global Flags:
      --allow-symlink-output   Allow writing output through symlinks (default: refuse)
      --force                  Allow overwriting existing output files
      --log-file string        Write logs to file (default: stderr)
      --log-format string      Log format: text|json (default "text")
      --log-level string       Log level: debug|info|warn|error (overrides -v)
      --log-timestamps         Include timestamps in logs (breaks determinism)
      --log-timings            Include timing information (breaks determinism)
      --no-color               Disable ANSI colors in output
      --path-mode string       Path rendering in errors/logs: base (basename only) or full (absolute paths). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --quiet                  Suppress output (exit code only). Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
      --require-offline        Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
      --sanitize               Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output. Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
  -v, --verbose count          Increase verbosity (-v=INFO, -vv=DEBUG)
  -y, --yes                    Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)
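A CI gate built on the flags and exit codes documented above, as an added example that is not part of stave or its documentation. The variable names GATE_NOW, GATE_MAX_AGE and RUN_GATE, the report file name and the directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of stave. Uses only flags and exit codes from the
# help text above; GATE_NOW, GATE_MAX_AGE, RUN_GATE and the paths are assumed.

# Map the documented exit codes to a gate verdict.
classify_exit() {
    case "$1" in
        0)   echo pass ;;         # all inputs valid, no issues
        2)   echo fail ;;         # invalid input, validation failure, or a warning under --strict
        130) echo interrupted ;;  # SIGINT: no verdict was reached
        *)   echo unexpected ;;   # not documented: never treat as a pass
    esac
}

# run_gate CONTROLS_DIR OBSERVATIONS_DIR REPORT_FILE
# Returns 0 only when stave exits 0; the JSON report is kept either way.
run_gate() {
    gate_report=$3
    set -- validate --controls "$1" --observations "$2" \
        --strict --format json --require-offline --sanitize
    # Pin the clock so reruns of the same commit produce the same report.
    if [ -n "${GATE_NOW:-}" ]; then set -- "$@" --now "$GATE_NOW"; fi
    # Refuse stale evidence, e.g. GATE_MAX_AGE=48h.
    if [ -n "${GATE_MAX_AGE:-}" ]; then set -- "$@" --assert-recent "$GATE_MAX_AGE"; fi
    gate_rc=0
    stave "$@" >"$gate_report" || gate_rc=$?
    gate_verdict=$(classify_exit "$gate_rc")
    echo "stave validate: exit=$gate_rc verdict=$gate_verdict report=$gate_report" >&2
    [ "$gate_verdict" = pass ]
}

# Run as a pipeline step with RUN_GATE=1; otherwise only define the functions.
if [ "${RUN_GATE:-}" = 1 ]; then
    run_gate controls observations validate-report.json
fi
```

Because --sanitize is set, the saved report can be stored as a build artifact without bucket names or ARNs, and --require-offline makes the step fail on a runner that has proxy variables set.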