Operations
Readiness Checks
Human-readable:
safe doctor
Machine-readable:
safe doctor --json
doctor checks dispatcher parity, installed component paths, core tools, verifier dependencies, sandbox readiness, installed wrappers, completions, and linked runner state. It does not create config or data directories.
Status
safe status
Status combines:
- top-level
safeversion; safe-run status;safe-audit status;- install-wrapper installation state.
Scanner Setup
Install or detect scanners on the local default machine:
safe audit setup
Configured machine:
safe audit setup remote-a
safe audit setup --machine remote-a,local
safe audit setup --all
Create a scanner bundle for machines that cannot download tools directly:
safe audit setup --create-bundle
safe audit setup --create-bundle ./scanners.tar.gz
safe audit setup --machine remote-a --bundle ./scanners.tar.gz
Diff Recent Results
safe audit diff --machine local --since 30d
safe audit diff --all --since 7d
Logs And Evidence
Runner decisions:
~/.local/share/safe/run/audit.log
Host-allow executions:
~/.local/share/safe/audit/host-allow-log.jsonl
Audit check outputs:
~/.local/share/safe/audit/checks/
Scan results and SBOMs:
~/.local/share/safe/audit/results/<machine>/
~/.local/share/safe/audit/sbom/<machine>/
Maintenance Checks
Before committing documentation or shell changes, run the smoke checks that match the touched area:
bash -n bin/safe bin/safe-run bin/safe-audit install.sh uninstall.sh
zsh -n lib/install-wrappers.zsh lib/completions/_safe
bash tests/integration/dispatcher.sh
bash tests/install/run.sh
bash tests/audit/smoke.sh
bash tests/audit/external_binary.sh
bash tests/run/safe_audit_integration.sh
git diff --check
Some tests require optional tools such as zsh, curl, tar, sha256sum, or timeout. safe doctor reports feature readiness for the same operational dependencies.