Skip to content
Arbitus Arbitus

CLI Reference

The arbitus binary provides several commands for running, validating, and auditing your gateway.

Command Overview

Section titled “Command Overview”
CommandDescription
arbitus [config]Start the gateway (default command)
arbitus validate <config>Validate configuration file
arbitus audit <db>Query audit log
arbitus replay <db>Replay recorded requests
arbitus verify-log <db>Verify log integrity and hash chain

arbitus — Start Gateway

Section titled “arbitus — Start Gateway”

Start the gateway with a configuration file:

Terminal window
arbitus gateway.yml

Options

Section titled “Options”
FlagDefaultDescription
-c, --config <FILE>gateway.ymlPath to configuration file
--addr <ADDR>From configOverride listen address
--log-level <LEVEL>infoLog level: trace, debug, info, warn, error
--hot-reloadfalseEnable hot-reload on config changes (SIGUSR1)
-h, --helpShow help

Signals

Section titled “Signals”
SignalBehavior
SIGINTGraceful shutdown
SIGTERMGraceful shutdown
SIGUSR1Hot-reload configuration

Examples

Section titled “Examples”
Terminal window
# Start with default config
arbitus


# Start with specific config
arbitus -c /etc/arbitus/production.yml


# Override listen address
arbitus gateway.yml --addr 0.0.0.0:8080


# Enable hot-reload
arbitus gateway.yml --hot-reload


# Debug logging
arbitus gateway.yml --log-level debug

arbitus validate — Validate Config

Section titled “arbitus validate — Validate Config”

Check configuration file for errors without starting the gateway:

Terminal window
arbitus validate gateway.yml

Options

Section titled “Options”
FlagDescription
-c, --config <FILE>Path to configuration file (required)
--strictEnable strict validation (warn on unknown fields)
-h, --helpShow help

Exit Codes

Section titled “Exit Codes”
CodeMeaning
0Configuration is valid
1Configuration has errors
2File not found

Examples

Section titled “Examples”
Terminal window
# Validate default config
arbitus validate


# Validate specific config
arbitus validate -c /etc/arbitus/config.yml


# Strict validation
arbitus validate gateway.yml --strict

arbitus audit — Query Audit Log

Section titled “arbitus audit — Query Audit Log”

Query the audit database for requests, errors, and blocked calls:

Terminal window
arbitus audit gateway-audit.db [OPTIONS]

Options

Section titled “Options”
FlagDefaultDescription
-a, --agent <NAME>All agentsFilter by agent name
-o, --outcome <TYPE>AllFilter: allowed, blocked, shadowed
-m, --method <METHOD>AllFilter by JSON-RPC method
-t, --tool <NAME>AllFilter by tool name
--since <DURATION>All timeTime range: 1h, 24h, 7d, 30d
--until <DURATION>NowEnd of time range
-l, --limit <N>100Limit number of results
--format <FORMAT>tableOutput format: table, json, csv
-h, --helpShow help

Output Formats

Section titled “Output Formats”

Table (default)

Section titled “Table (default)”
AGE            AGENT            METHOD             TOOL                   OUTCOME    REASON
──────────────────────────────────────────────────────────────────────────────────────────────
3s ago         cursor           tools/call         write_file             blocked    tool 'write_file' not in allowlist
5s ago         cursor           tools/call         read_file              allowed

JSON

Section titled “JSON”
Terminal window
arbitus audit gateway-audit.db --format json
[
  {
    "timestamp": "2026-04-07T12:34:56Z",
    "agent": "cursor",
    "method": "tools/call",
    "tool": "write_file",
    "outcome": "blocked",
    "reason": "tool 'write_file' not in allowlist"
  }
]

CSV

Section titled “CSV”
Terminal window
arbitus audit gateway-audit.db --format csv > audit-export.csv

Examples

Section titled “Examples”
Terminal window
# All blocked requests in the last hour
arbitus audit gateway-audit.db --outcome blocked --since 1h


# Requests from specific agent
arbitus audit gateway-audit.db --agent claude-code


# Export to JSON for analysis
arbitus audit gateway-audit.db --format json > audit.json


# Last 1000 requests
arbitus audit gateway-audit.db --limit 1000


# Specific tool calls
arbitus audit gateway-audit.db --tool write_file --outcome blocked

arbitus replay — Replay Requests

Section titled “arbitus replay — Replay Requests”

Replay recorded requests against a test upstream (for debugging and testing):

Terminal window
arbitus replay gateway-audit.db [OPTIONS]

Options

Section titled “Options”
FlagDefaultDescription
--upstream <URL>RequiredTarget upstream server
--agent <NAME>All agentsFilter requests by agent
--dry-runfalseShow what would be sent without sending
--rate-limit <N>No limitMax requests per second
-h, --helpShow help

Examples

Section titled “Examples”
Terminal window
# Replay all requests to test upstream
arbitus replay gateway-audit.db --upstream http://localhost:3001/mcp


# Dry-run (show what would be sent)
arbitus replay gateway-audit.db --upstream http://localhost:3001/mcp --dry-run


# Replay requests from specific agent
arbitus replay gateway-audit.db --upstream http://test-server:3000/mcp --agent cursor


# Rate-limited replay
arbitus replay gateway-audit.db --upstream http://localhost:3001/mcp --rate-limit 10

arbitus verify-log — Verify Log Integrity

Section titled “arbitus verify-log — Verify Log Integrity”

Verify the hash chain and integrity of the audit log:

Terminal window
arbitus verify-log gateway-audit.db

Options

Section titled “Options”
FlagDescription
--detailedShow each entry verification
-h, --helpShow help

Exit Codes

Section titled “Exit Codes”
CodeMeaning
0Log integrity verified
1Log corrupted or tampered
2Database error

Output

Section titled “Output”
Verifying audit log integrity...


✓ Entry 1: hash verified
✓ Entry 2: hash verified (previous hash matches)
✓ Entry 3: hash verified (previous hash matches)
...
✓ Entry 1247: hash verified (previous hash matches)


Log integrity verified: 1247 entries, 0 corrupted


Chain root: a3f2b8c9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
First entry: 2026-04-01T00:00:00Z
Last entry:  2026-04-07T12:34:56Z

Examples

Section titled “Examples”
Terminal window
# Basic verification
arbitus verify-log gateway-audit.db


# Detailed output
arbitus verify-log gateway-audit.db --detailed

Global Options

Section titled “Global Options”

These options apply to all commands:

FlagDescription
-v, --versionPrint version information
-h, --helpShow help
--log-level <LEVEL>Override log level

Environment Variables

Section titled “Environment Variables”
VariableDescription
ARBITUS_CONFIGDefault configuration file path
ARBITUS_LOG_LEVELDefault log level
ARBITUS_ADDRDefault listen address

Environment variables can be used to set defaults. Command-line flags take precedence.

Terminal window
# Set default config location
export ARBITUS_CONFIG=/etc/arbitus/gateway.yml


# Run with defaults
arbitus

Configuration File

Section titled “Configuration File”

The configuration file uses YAML format. See the Configuration reference for all options.

# Minimal configuration
transport:
  type: http
  addr: "0.0.0.0:4000"
  upstream: "http://localhost:3000/mcp"


agents:
  default:
    rate_limit: 60

Exit Codes

Section titled “Exit Codes”
CodeMeaning
0Success
1Error (configuration, runtime, etc.)
2Invalid arguments
130Interrupted (SIGINT)
143Terminated (SIGTERM)

Next Steps

Section titled “Next Steps”