ai-gateway
Unified AI gateway for command catalog, policy firewall, and safe execution
Version: 9.8.4 | Size: 5.0MB | Author: Warith Al Maawali
License: Proprietary | Website: https://www.digi77.com
File Information
| Property | Value |
|---|---|
| Binary Name | ai-gateway |
| Version | 9.8.4 |
| Build Date | REDACTED-BUILD-TIME |
| Rust Version | 1.82.0 |
| File Size | 5.0MB |
| Author | Warith Al Maawali |
| License | Proprietary |
| Category | Kodachi Binary |
| Description | Unified AI gateway for command catalog, policy firewall, and safe execution |
| Git Commit | unknown |
| Metadata Generated | 2026-06-28T11:16:36Z |
| Binary Timestamp | Unknown |
| JSON Data | View Raw JSON |
SHA256 Checksum
4c5611130d9230d187d6c5f60aa1a6e259de9dc189c406edc733980a51d6875b
Features
| # | Feature |
|---|---|
| 1 | Embedded command catalog with 800+ commands from 15+ services |
| 2 | TF-IDF + substring hybrid search across all services |
| 3 | Three-tier risk classification (Passive/Active/Dangerous) |
| 4 | Policy firewall with allowlist enforcement |
| 5 | Workspace confinement and path validation |
| 6 | Failure cooldown to prevent cascading degradation |
| 7 | Per-agent identity, rate limiting, and audit trail for executions |
| 8 | Approval ticket workflow for agent-to-human authorization |
| 9 | Configurable per-operation timeouts with env var override |
| 10 | Full JSON/JSON-pretty/JSON-human output support |
Security Features
| Feature | Description |
|---|---|
| Input Validation | Argument parsing via clap; per-command validation is the consumer's responsibility |
| Rate Limiting | Not provided by cli-core |
| Authentication | Not provided by cli-core (see online-auth) |
| Encryption | Not provided by cli-core |
System Requirements
| Requirement | Value |
|---|---|
| OS | Linux (Debian-based) |
| Privileges | root/sudo for system operations |
| Dependencies | OpenSSL, libcurl |
Global Options
| Flag | Description |
|---|---|
-h, --help |
Print help information |
-v, --version |
Print version information |
-n, --info |
Display detailed information |
-e, --examples |
Show usage examples |
--json |
Output in JSON format |
-o, --output-format <FORMAT> |
Force output format (text|json) |
--json-pretty |
Pretty-print JSON output with indentation |
--json-human |
Enhanced JSON output with improved formatting (like jq) |
--fields <FIELD_LIST> |
Select specific fields to include in output (comma-separated) |
--limit <NUMBER> |
Limit number of results returned |
--offset <NUMBER> |
Skip first N results (for pagination) |
-d, --work-dir <PATH> |
Working directory (defaults to auto-detected base directory) |
--port <PORT> |
Set custom port number (1024-65535) |
--log-level <LEVEL> |
Set log level (error|warn|info|debug) |
--verbose |
Enable verbose output |
--quiet |
Suppress non-essential output |
--no-color |
Disable colored output |
--config <FILE> |
Use custom configuration file |
--timeout <SECS> |
Set operation timeout in seconds (optional; no default applied) |
--retry <COUNT> |
Retry attempts (optional; no default applied) |
Commands
Administration
index
Rebuild the search index from the embedded registry
Usage:
ai-gateway index rebuild
Examples:
ai-gateway index rebuild
ai-gateway index rebuild --json
ai-gateway index rebuild --json-pretty
policy
Show the current safety policy configuration
Usage:
ai-gateway policy show
Examples:
ai-gateway policy show
ai-gateway policy show --json
ai-gateway policy show --json-pretty
doctor
Health check that verifies all registered binaries exist and respond
Usage:
ai-gateway doctor
Examples:
ai-gateway doctor
ai-gateway doctor --json
ai-gateway doctor --json-pretty
approve
Issue or verify human approval tickets for agent execution
Usage:
ai-gateway approve issue <service> <command> [--agent-id <id>] [--ttl <secs>]
ai-gateway approve verify --ticket <ticket> <service> <command> [--agent-id <id>]
Examples:
ai-gateway approve issue health-control block-internet --agent-id kodachi-claw --ttl 600 --json
ai-gateway approve verify --ticket "$TICKET" health-control block-internet --agent-id kodachi-claw --json
Discovery
list
List all services and their commands from the embedded registry
Usage:
ai-gateway list [--service <name>] [--category <name>]
Options:
--service: Filter by service name--category: Filter by category name
Examples:
ai-gateway list
ai-gateway list --json
ai-gateway list --service tor-switch
ai-gateway list --service health-control --json
ai-gateway list --category passive
search
Search across all services and commands using TF-IDF + substring matching
Usage:
ai-gateway search <query> [--limit <N>]
Options:
--limit: Maximum number of results to return
Examples:
ai-gateway search "tor status"
ai-gateway search "dns leak" --json
ai-gateway search "network check" --limit 5
ai-gateway search "panic" --json-pretty
help
Show detailed help for a service or specific command
Usage:
ai-gateway help <service> [command]
Examples:
ai-gateway help tor-switch
ai-gateway help tor-switch tor-status --json
ai-gateway help health-control --json-pretty
ai-gateway help dns-leak test
ai-gateway help zeroclaw --json
capabilities
Show effective capabilities for an AI agent identity
Usage:
ai-gateway capabilities [--agent-id <id>] [--agent-token <token>]
Options:
--agent-id: Agent profile (kodachi-claw/nullclaw/agentzero/openclaw/picoclaw/nanoclaw/claude-code/gpt/gemini/open-interpreter; aliases: zeroclaw, nanclaw, "claude code", "open interpreter")--agent-token: Optional token for authenticated agent profiles
Examples:
ai-gateway capabilities --agent-id kodachi-claw --agent-token $KODACHI_AGENT_TOKEN_KODACHI_CLAW --json
ai-gateway capabilities --agent-id nullclaw --agent-token $KODACHI_AGENT_TOKEN_NULLCLAW
ai-gateway capabilities --agent-id openclaw --agent-token $KODACHI_AGENT_TOKEN_OPENCLAW --json
ai-gateway capabilities --agent-id picoclaw --agent-token $KODACHI_AGENT_TOKEN_PICOCLAW --json
ai-gateway capabilities --agent-id nanoclaw --agent-token $KODACHI_AGENT_TOKEN_NANOCLAW --json
ai-gateway capabilities --agent-id nanclaw --agent-token $KODACHI_AGENT_TOKEN_NANOCLAW --json
ai-gateway capabilities --agent-id claude-code --agent-token $KODACHI_AGENT_TOKEN_CLAUDE_CODE --json
ai-gateway capabilities --agent-id "claude code" --agent-token $KODACHI_AGENT_TOKEN_CLAUDE_CODE --json
ai-gateway capabilities --agent-id gpt --agent-token $KODACHI_AGENT_TOKEN_GPT --json
ai-gateway capabilities --agent-id gemini --agent-token $KODACHI_AGENT_TOKEN_GEMINI --json
ai-gateway capabilities --agent-id open-interpreter --agent-token $KODACHI_AGENT_TOKEN_OPEN_INTERPRETER --json
ai-gateway capabilities --agent-id "open interpreter" --agent-token $KODACHI_AGENT_TOKEN_OPEN_INTERPRETER --json
ai-gateway capabilities --agent-id anonymous --json
Execution
run
Validate and execute a binary command through the safety layer
Usage:
ai-gateway run <service> --command <cmd> [--args <args>...] [--args-json <json>] [--dry-run] [--timeout <secs>] [--agent-id <id>] [--agent-token <token>] [--approval-ticket <ticket>] OR ai-gateway run --batch-json <json> --agent-id <id> --agent-token <token>
Options:
--command: Command to execute (required)--args: Command arguments (multiple)--args-json: Command arguments as JSON object/array--batch-json: Batch execution payload for trusted agents (JSON array, sequential mode only)--dry-run: Validate without executing--timeout: Execution timeout in seconds--confirm: Approval token for commands requiring confirmation--approval-ticket: Human-issued approval ticket for Active/Dangerous commands--agent-id: Agent profile (trusted profiles require token auth)--agent-token: Agent auth token for token-required profiles
Examples:
ai-gateway run health-control --command net-check --dry-run
ai-gateway run ip-fetch --command fetch --dry-run --json
ai-gateway run tor-switch --command tor-status --timeout 60 --json
ai-gateway run tor-switch --command set-exit-node --args-json '{"country":"de"}' --dry-run --json
ai-gateway run dns-leak --command test --dry-run --json-pretty
ai-gateway run kodachi-claw --command status --agent-id kodachi-claw --agent-token $KODACHI_AGENT_TOKEN_KODACHI_CLAW --dry-run --json
KODACHI_TRUSTED_BATCH_MODE=true ai-gateway run --agent-id kodachi-claw --agent-token $KODACHI_AGENT_TOKEN_KODACHI_CLAW --batch-json '[{"service":"kodachi-claw","command":"status"},{"service":"kodachi-claw","command":"doctor","dry_run":true}]' --json
ai-gateway approve issue health-control block-internet --agent-id kodachi-claw --ttl 600 --json
Operational Scenarios
Scenario-oriented workflows generated from the binary's built-in -e --json examples.
Scenario 1: Service Discovery
Discover and explore all available Kodachi services and commands
Step 1: List all services with their commands in JSON format
ai-gateway list --json
Step 2: List commands for a specific service
ai-gateway list --service tor-switch --json
Step 3: List health-control commands in text format
ai-gateway list --service health-control
Scenario 2: Command Search
Search across all services using TF-IDF + substring hybrid search engine
Step 1: Search for Tor exit node commands
ai-gateway search "tor exit node" --json
Note
Uses TF-IDF cosine similarity + substring matching
Step 2: Search with limited results
ai-gateway search "dns leak" --limit 5 --json
Step 3: Search for network check commands in text format
ai-gateway search "network check"
Step 4: Find all panic/emergency commands
ai-gateway search "panic" --json
Note
Dangerous commands are blocked unless pentest mode
Scenario 3: Service Help
Get detailed help for any service or specific command
Step 1: Full specification for tor-switch service
ai-gateway help tor-switch --json
Step 2: Help for a specific command
ai-gateway help health-control security-status --json
Step 3: Text help for dns-switch service
ai-gateway help dns-switch
Step 4: Pretty-printed JSON help for ip-fetch
ai-gateway help ip-fetch --json-pretty
Scenario 4: Safe Command Execution
Validate first, then execute when appropriate. No env var is needed for passive/active commands.
Step 1: Step 1 (validate): preview a passive command
ai-gateway run tor-switch --command tor-status --dry-run --json
Note
Always use --dry-run first for safety
Step 2: Step 2 (apply): execute passive command (no env needed)
ai-gateway run tor-switch --command tor-status --json
Note
Passive commands execute without KODACHI_PENTEST_MODE
Step 3: Active command flow (no env needed): validate with explicit confirmation
ai-gateway run tor-switch --command set-exit-node --args-json '{"country":"de"}' --confirm --dry-run --json
Note
For active commands, remove --dry-run to apply changes
Step 4: Dry-run DNS leak test with custom timeout
ai-gateway run dns-leak --command test --dry-run --timeout 60 --json
Note
Timeout can be overridden with KODACHI_TOOL_TIMEOUT_MS env var
Step 5: Dry-run ip-fetch fetch command
ai-gateway run ip-fetch --command fetch --dry-run --json
Note
Dry-run keeps examples deterministic in offline/auth-restricted environments
Step 6: Pass structured JSON arguments for agent-safe invocation
ai-gateway run tor-switch --command set-exit-node --args-json '{"country":"de"}' --dry-run --json
Note
`--args-json` avoids brittle shell quoting in agent pipelines
Scenario 5: Safety Policy
View and understand the safety policy configuration
Step 1: Show current safety policy as JSON
ai-gateway policy show --json
Step 2: Show safety policy in text format
ai-gateway policy show
Step 3: Pretty-printed policy configuration
ai-gateway policy show --json-pretty
Note
Run with inline env: KODACHI_PENTEST_MODE=true ai-gateway run health-control --command wipe-file --confirm --json
Step 4: Dangerous command flow: env var required in addition to explicit confirm
KODACHI_PENTEST_MODE=true ai-gateway run health-control --command wipe-file --confirm "I understand" --dry-run --json
Note
KODACHI_PENTEST_MODE is required only for dangerous commands
Scenario 6: Administration
Index management and system health checks
Step 1: Rebuild the search index
ai-gateway index rebuild --json
Step 2: Check health of all registered binaries
ai-gateway doctor --json
Step 3: Health check in text format
ai-gateway doctor
Scenario 7: Output Formats
All commands support multiple output formats
Step 1: Standard JSON output (compact)
ai-gateway list --json
Step 2: Pretty-printed JSON with indentation
ai-gateway list --json-pretty
Step 3: Enhanced human-friendly JSON (like jq)
ai-gateway list --json-human
Step 4: Show version information
ai-gateway --version
Step 5: Show detailed program info as JSON
ai-gateway --info --json
Scenario 8: AI Agent Integration
How Kodachi AI standardizes execution for agentzero/openclaw/picoclaw/kodachi-claw/nullclaw/nanoclaw/open-interpreter via one gateway contract
Step 1: AI agent finds the best matching command
ai-gateway search "check tor status" --limit 1 --json
Note
ai-cmd delegates execution through ai-gateway; pipe to jq externally if needed
Step 2: AI agent validates before executing
ai-gateway run tor-switch --command tor-status --dry-run --json
Note
Safety layer prevents dangerous commands from AI agents
Step 3: AI agent executes passive command (no env required)
ai-gateway run tor-switch --command tor-status --json
Note
Passive command execution does not require KODACHI_PENTEST_MODE
Step 4: Kodachi Claw integration path through ai-gateway
ai-gateway run kodachi-claw --command status --dry-run --json
Note
Kodachi AI gives the same JSON execution contract to all agents
Step 5: AgentZero integration template (must be in allowlist)
ai-gateway run agentzero --command status --dry-run --json
Note
Add agentzero to the default allowlist in policy_engine.rs
Step 6: OpenClaw integration template
ai-gateway run openclaw --command status --dry-run --json
Note
Use --dry-run first, then remove --dry-run to execute
Step 7: PicoClaw integration template
ai-gateway run picoclaw --command status --dry-run --json
Note
Same API shape as ai-cmd and zeroclaw integrations
Step 8: Kodachi Claw live execution path (no allow-all env required when installed/allowlisted)
ai-gateway run kodachi-claw --command status --json
Step 9: NullClaw integration template
ai-gateway run nullclaw --command status --dry-run --json
Note
Ensure nullclaw is in the policy engine allowlist
Step 10: NanoClaw integration template
ai-gateway run nanoclaw --command status --dry-run --json
Note
Consistent gateway contract keeps agent integrations simple
Step 11: AI agent gets command specification
ai-gateway help tor-switch tor-status --json
Note
Use jq in your shell after this command for field extraction
Scenario 9: Agent Security
Identity verification, capability discovery, and approval-ticket workflow
Step 1: Discover what kodachi-claw is allowed to do
ai-gateway capabilities --agent-id kodachi-claw --agent-token $KODACHI_AGENT_TOKEN_KODACHI_CLAW --json
Step 2: Discover trusted GPT agent capabilities
ai-gateway capabilities --agent-id gpt --agent-token $KODACHI_AGENT_TOKEN_GPT --json
Step 3: Discover trusted Claude Code agent capabilities
ai-gateway capabilities --agent-id claude-code --agent-token $KODACHI_AGENT_TOKEN_CLAUDE_CODE --json
Step 4: Discover trusted Gemini agent capabilities
ai-gateway capabilities --agent-id gemini --agent-token $KODACHI_AGENT_TOKEN_GEMINI --json
Step 5: Discover trusted Open Interpreter agent capabilities
ai-gateway capabilities --agent-id open-interpreter --agent-token $KODACHI_AGENT_TOKEN_OPEN_INTERPRETER --json
Step 6: Discover trusted OpenClaw agent capabilities
ai-gateway capabilities --agent-id openclaw --agent-token $KODACHI_AGENT_TOKEN_OPENCLAW --json
Step 7: Discover trusted PicoClaw agent capabilities
ai-gateway capabilities --agent-id picoclaw --agent-token $KODACHI_AGENT_TOKEN_PICOCLAW --json
Step 8: Discover trusted NanoClaw agent capabilities
ai-gateway capabilities --agent-id nanoclaw --agent-token $KODACHI_AGENT_TOKEN_NANOCLAW --json
Step 9: Human issues time-limited approval ticket for an active/dangerous operation
ai-gateway approve issue health-control block-internet --agent-id kodachi-claw --ttl 600 --json
Note
Requires KODACHI_GATEWAY_APPROVAL_SECRET; extract .data.ticket with jq externally
Step 10: Agent executes command using identity + approval workflow
ai-gateway run health-control --command block-internet --agent-id kodachi-claw --agent-token $KODACHI_AGENT_TOKEN_KODACHI_CLAW --approval-ticket "$TICKET" --json
Note
Without valid ticket, execution returns requires_approval
Environment Variables
| Variable | Description | Default | Values |
|---|---|---|---|
RUST_LOG |
Set logging level | info | error|warn|info|debug|trace |
NO_COLOR |
Disable all colored output when set | unset | 1|true|yes (any value disables color) |
Exit Codes
| Code | Description |
|---|---|
| 5 | File not found |
| 2 | Invalid arguments |
| 0 | Success |
| 3 | Permission denied |
| 4 | Network error |
| 1 | General error |