CLI Reference
The aiir CLI handles all human-only operations: case management, approval, reporting, evidence handling, and configuration. It is not callable by the AI.
Global Options

| Option | Description |
|---|---|
| --version | Show version and exit |
| --case PATH | Override active case directory (most commands) |

Case Management
aiir case init
Initialize a new case.
aiir case init "Ransomware Investigation"
aiir case init "Phishing Campaign" --description "CEO spearphish, Feb 2026"

| Argument/Option | Description |
|---|---|
| name | Case name (required) |
| --description | Case description |

aiir case activate
Set the active case for the session.
aiir case list
List all available cases.
aiir case status
Show active case summary.
aiir case close
Close a case.
aiir case reopen
Reopen a closed case.
aiir case migrate
Migrate a case from the legacy examiners/ directory structure to the current flat layout.
Dashboard
aiir dashboard
Open the case review dashboard in the default browser.
The dashboard is the primary review interface — examiners can review, edit, approve, reject, and commit findings entirely in the browser. Use the Commit button (Shift+C) to apply decisions with challenge-response authentication. Alternatively, aiir approve --review applies pending edits from the CLI.
Review
aiir review
Display case information, findings, timeline, evidence, and audit logs.
aiir review # Case summary
aiir review --findings # Findings table
aiir review --findings --detail # Full finding details
aiir review --findings --status DRAFT # Filter by status
aiir review --timeline # Timeline events
aiir review --timeline --type lateral # Filter by event type
aiir review --timeline --start 2026-02-20T00:00 --end 2026-02-22T23:59
aiir review --todos # All TODOs
aiir review --todos --open # Open TODOs only
aiir review --audit # Audit trail
aiir review --evidence # Evidence integrity
aiir review --iocs # IOCs from findings
aiir review --verify # Cross-check findings vs approvals + HMAC verification
aiir review --verify --mine # HMAC verification for current examiner only

| Option | Description |
|---|---|
| --findings | Show findings summary table |
| --detail | Show full detail (with --findings or --timeline) |
| --timeline | Show timeline events |
| --todos | Show TODO items |
| --open | Show only open TODOs (with --todos) |
| --audit | Show audit log |
| --evidence | Show evidence integrity |
| --iocs | Extract IOCs from findings grouped by status |
| --verify | Cross-check findings against approval records and HMAC verification ledger |
| --mine | Filter HMAC verification to current examiner only (with --verify) |
| --status | Filter by status: DRAFT, APPROVED, REJECTED |
| --start | Start date filter (ISO format) |
| --end | End date filter (ISO format) |
| --type | Filter by event type (with --timeline) |
| --limit N | Limit entries shown (default: 50) |

Approval
aiir approve
Approve staged findings and/or timeline events. Requires password confirmation.
aiir approve # Interactive review
aiir approve F-alice-001 F-alice-002 # Approve specific findings
aiir approve F-alice-003 --note "Confirmed" # With examiner note
aiir approve F-alice-004 --edit # Edit in $EDITOR first
aiir approve --findings-only # Review only findings
aiir approve --timeline-only # Review only timeline
aiir approve --by bob # Review items by examiner
aiir approve --review # Apply pending dashboard edits

| Option | Description |
|---|---|
| ids | Finding/event IDs to approve (omit for interactive) |
| --note | Add examiner note |
| --edit | Open in $EDITOR before approving |
| --interpretation | Override interpretation field |
| --by | Filter items by creator examiner |
| --findings-only | Review only findings |
| --timeline-only | Review only timeline events |
| --review | Apply pending dashboard edits from pending-reviews.json, recompute hashes and HMAC signatures |
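Why a cross-check like `aiir review --verify` needs an HMAC ledger on top of content hashes, and why `aiir approve --review` must recompute both after an edit, shown as an added Python example that is not AIIR's own code. The ledger entry layout, the PBKDF2 key derivation from the approval password, the verdict names and all function names are assumptions; this page does not document AIIR's on-disk formats.

```python
import hashlib
import hmac
import json

def content_hash(finding):
    # Canonical JSON so key order and whitespace cannot change the digest.
    blob = json.dumps(finding, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def derive_key(password, salt):
    # Assumption: the HMAC key is derived from the examiner's approval password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def tag(key, entry):
    msg = f"{entry['id']}|{entry['examiner']}|{entry['content_hash']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def approve(finding, examiner, key):
    # Hypothetical ledger entry binding finding ID, approver and content hash.
    finding["status"] = "APPROVED"
    entry = {"id": finding["id"], "examiner": examiner,
             "content_hash": content_hash(finding)}
    entry["hmac"] = tag(key, entry)
    return entry

def check(f, e, keys):
    if e is None:  # APPROVED without a ledger entry was never signed off
        return "NO_APPROVAL_RECORD" if f["status"] == "APPROVED" else "OK"
    if not hmac.compare_digest(tag(keys[e["examiner"]], e), e["hmac"]):
        return "LEDGER_TAMPERED"
    if content_hash(f) != e["content_hash"]:
        return "MODIFIED_AFTER_APPROVAL"
    return "OK"

def verify(findings, ledger, keys):
    entries = {e["id"]: e for e in ledger}
    return {f["id"]: check(f, entries.get(f["id"]), keys) for f in findings}

def demo():
    # Constructed data; IDs follow the F-<examiner>-NNN pattern shown on this page.
    key = derive_key("constructed-password", b"constructed-salt")
    fs = [{"id": f"F-alice-00{n}", "status": "DRAFT", "interpretation": "initial"}
          for n in range(1, 6)]
    ledger = [approve(f, "alice", key) for f in fs[:3]]
    fs[1]["interpretation"] = "edited after sign-off"  # ledger left untouched
    fs[2]["interpretation"] = "edited, hash refreshed"
    ledger[2]["content_hash"] = content_hash(fs[2])    # HMAC cannot be redone without the key
    fs[3]["status"] = "APPROVED"                       # status flipped, never approved
    return verify(fs, ledger, {"alice": key})
```

The third finding is the case a plain hash misses: whoever edits the finding can also refresh the stored hash, but cannot produce a matching HMAC without the examiner's key.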
aiir reject
Reject staged findings or timeline events.
aiir reject F-alice-004 --reason "Insufficient evidence"
aiir reject T-alice-007 --reason "Timestamp unreliable"

| Option | Description |
|---|---|
| ids | Finding/event IDs to reject (required) |
| --reason | Reason for rejection |

Evidence
aiir evidence register
Register an evidence file (computes and records SHA-256 hash).
aiir evidence list
List registered evidence files with hashes.
aiir evidence verify
Re-hash registered evidence files and report any modifications.
aiir evidence log
Show evidence access log.
aiir evidence lock / aiir evidence unlock
Set evidence directory to read-only (bind mount) or restore write access.
Legacy aliases: aiir lock-evidence, aiir unlock-evidence, aiir register-evidence.
Reporting
aiir report
Generate case reports from approved data.
aiir report --full --save full-report.json
aiir report --executive-summary
aiir report --timeline --from 2026-02-20 --to 2026-02-22
aiir report --ioc
aiir report --status-brief
aiir report --findings F-alice-001,F-alice-002

| Option | Description |
|---|---|
| --full | Full case report (JSON) |
| --executive-summary | Executive summary |
| --timeline | Timeline report |
| --ioc | IOC report from approved findings |
| --findings IDS | Specific finding IDs (comma-separated) |
| --status-brief | Quick status counts |
| --from | Start date filter (ISO) |
| --to | End date filter (ISO) |
| --save FILE | Save output to file (relative paths use case_dir/reports/) |

TODOs
aiir todo add
Add a TODO item.
aiir todo add "Analyze USB device history" --priority high --finding F-alice-002
aiir todo add "Cross-reference DNS logs" --assignee bob
aiir todo complete
Mark a TODO as completed.
aiir todo update
Update a TODO.
aiir todo update TODO-alice-001 --note "Partial analysis done, needs USB timeline"
aiir todo update TODO-alice-001 --priority high
aiir todo update TODO-alice-001 --assignee carol
Audit
aiir audit log
Show audit trail entries.
aiir audit log
aiir audit log --limit 20
aiir audit log --mcp forensic-mcp
aiir audit log --tool run_command
aiir audit summary
Show audit summary with counts per MCP and tool.
Collaboration
aiir export
Export findings and timeline as JSON for sharing.
aiir merge
Merge incoming JSON into local findings and timeline.
Execution
aiir exec
Execute a forensic command with audit trail logging. Requires TTY confirmation.
Setup
aiir setup
Routes to setup subcommands. Run aiir setup client to configure your LLM client.
aiir setup client
Configure LLM client for AIIR endpoints.
aiir setup client # Interactive wizard
aiir setup client --client=claude-code -y # Solo, Claude Code
aiir setup client --sift=http://10.0.0.5:4508 --windows=10.0.0.10:4624
aiir setup client --remote --token=aiir_gw_... # Remote with auth

| Option | Description |
|---|---|
| --client | Target client: claude-code, claude-desktop, librechat, other |
| --sift | SIFT gateway URL |
| --windows | Windows wintools-mcp endpoint |
| --remnux | REMnux endpoint |
| --examiner | Examiner identity |
| --no-mslearn | Exclude Microsoft Learn MCP |
| -y / --yes | Accept defaults |
| --remote | Remote setup (gateway on another host) |
| --token | Bearer token for gateway auth |

aiir setup test
Test connectivity to all detected MCP servers.
aiir setup join-code
Generate a join code for remote machines.
Service Management
aiir service status
Show status of all backend services.
aiir service start / stop / restart
Manage backend services through the gateway API.
Configuration
aiir config
Manage AIIR settings.
aiir config --show # Show current config
aiir config --examiner alice # Set examiner identity
aiir config --setup-password # Set approval password (min 8 chars)
aiir config --reset-password # Reset password (requires current)
Join (Remote Setup)
aiir join
Join a SIFT gateway from a remote machine using a join code.