CLI reference.
Every oknek subcommand with synopsis, purpose, and example output. The CLI talks to the daemon over the Unix socket at /run/oknek/oknek.sock. All output is scriptable with --json where applicable.
oknek status
synopsis oknek status [--json]
Print the daemon's current state — version, kernel, hook mode, socket, DB, rule pack version, count of watched/blocked/alerted agents. Default human-readable; --json emits structured output suitable for scripting.
$ oknek status
oknek 0.1.0 · kernel 6.8.0-111-generic · ebpf-mode
socket: /run/oknek/oknek.sock ok
db: /var/lib/oknek/oknek.db (8.2 MiB) ok
rule pack: v1.0.4 (R1–R7) · last sync 2 min ago
license: pro (expires 2026-08-12)
agents: 3 watched · 0 blocked · 0 alerted
oknek logs
synopsis oknek logs [--tail] [--since 1h] [--rule R1] [--agent <id>] [--json]
Stream or query the event log. --tail follows live events (like journalctl -f). --since filters by time. --rule filters by rule ID. --agent filters by agent identifier.
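When the text output is captured instead of --json, the lines of one event can be regrouped for triage. This is an added example, not part of oknek: it assumes the three-line record layout of the sample output in this section (a header line with key=value fields, then chain and evidence lines sharing the same timestamp), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: record 1 is the page's sample output, record 2 is made up.
SAMPLE = """\
2026-05-30T17:43:02Z BLOCK rule=R1 subcommand_chain depth=12 agent=claude-code-7f3a
2026-05-30T17:43:02Z chain: env → curl → bash -c → eval → ... → ;
2026-05-30T17:43:02Z evidence stored at /var/lib/oknek/events/2026-05-30/e_47fb91.json
2026-05-30T18:02:10Z BLOCK rule=R1 subcommand_chain depth=9 agent=example-agent-0001
2026-05-30T18:02:10Z chain: sh -c → ... → ;
2026-05-30T18:02:10Z evidence stored at /var/lib/oknek/events/2026-05-30/e_example.json
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(.*)$")
HEAD = re.compile(r"^([A-Z]+)\s+(.*)$")  # header line, e.g. "BLOCK rule=R1 ..."
KV = re.compile(r"(\w+)=(\S+)")
EVIDENCE = "evidence stored at "

def parse_events(text):
    """Group timestamped lines into one dict per event (assumed layout)."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line
        ts, body = m.groups()
        head = HEAD.match(body)
        if head:
            action, rest = head.groups()
            ev = {"ts": ts, "action": action, "chain": [], "evidence": None}
            ev.update(KV.findall(rest))  # rule, depth, agent, ...
            events.append(ev)
        elif events and events[-1]["ts"] == ts:
            # Continuation lines attach only to a header with the same timestamp.
            if body.startswith("chain:"):
                events[-1]["chain"] = [s.strip() for s in body[6:].split("→")]
            elif body.startswith(EVIDENCE):
                events[-1]["evidence"] = body[len(EVIDENCE):].strip()
    return events

def blocks_by_agent(events):
    """Count BLOCK events per agent identifier."""
    return Counter(e.get("agent", "unknown") for e in events if e["action"] == "BLOCK")

def deepest_chain(events, rule="R1"):
    """Return the event with the largest depth= value for a rule, or None."""
    hits = [e for e in events if e.get("rule") == rule and "depth" in e]
    return max(hits, key=lambda e: int(e["depth"]), default=None)

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(blocks_by_agent(evs), deepest_chain(evs)["evidence"])
```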
$ oknek logs --tail --rule R1
2026-05-30T17:43:02Z BLOCK rule=R1 subcommand_chain depth=12 agent=claude-code-7f3a
2026-05-30T17:43:02Z chain: env → curl → bash -c → eval → ... → ;
2026-05-30T17:43:02Z evidence stored at /var/lib/oknek/events/2026-05-30/e_47fb91.json
oknek allow
synopsis oknek allow <event-id | pid | pattern> [--once | --persist]
Release a suspended agent after a block. --once allows the single pending operation. --persist adds an allowlist entry that survives daemon restarts.
$ oknek allow 4421 --once
released pid 4421 · one-shot allow recorded
agent claude-code-7f3a will be re-baselined next session
oknek block
synopsis oknek block <pid | agent-id>
Force-suspend an agent. Useful for emergency response. The agent's process is SIGSTOP'd and an evidence bundle is written. Reverse with oknek allow.
$ oknek block claude-code-7f3a
agent claude-code-7f3a suspended (pid 4421)
reason: manual · evidence /var/lib/oknek/events/2026-05-30/e_manual_4421.json
oknek baseline
synopsis oknek baseline [reset | show | export <path>]
Manage the 14-day rolling behavioral baseline used by R7. reset clears the baseline and re-learns from scratch. show prints baseline statistics. export writes the full baseline as JSONL.
$ oknek baseline show
agent claude-code-7f3a · 14 days · 1,847 events
exec.observed: 1,412
open.observed: 287
socket.connect: 88
exec.suspicious: 60
...
oknek update
synopsis oknek update [--check]
Fetch and apply the latest rule pack from the signed update channel. --check inspects without applying. Pro+ tier syncs hourly automatically; manual invocation is for OSS users or to force a fetch.
$ oknek update
rule pack: v1.0.4 → v1.0.5 ok
signature verified · 7f3a9eb2… ok
1 rule added (R8 subagent definition drift)
0 rules modified
0 rules removed
reloaded in 14ms
oknek license
synopsis oknek license [activate <KEY> | status | deactivate]
Manage the paid-tier license. activate registers the daemon against your account. status shows tier + expiry. deactivate releases the seat (useful when decommissioning a server).
$ oknek license activate OK-PRO-7f3a-9eb2-44cc-1d8e
verifying with control plane... ok
tier: pro
expires: 2026-08-12
features unlocked: hourly_rules, alerts, dashboard, sla_24h
oknek rules
synopsis oknek rules [list | show <RXX> | enable <RXX> | disable <RXX>]
Inspect or toggle individual detection rules. Useful for quieting a known false positive or for surgical testing.
$ oknek rules list
R1 subcommand-chain bypass enabled · threshold=8
R2 settings.json permission flip enabled
R3 plaintext credential read enabled
R4 MCP URL drift enabled
R5 egress to non-allowlisted domain enabled · deny-by-default
R6 CLAUDE.md indirect prompt enabled · warn-only
R7 behavioral drift score enabled · window=14d
oknek version
synopsis oknek version
Print version, git commit, kernel hook mode, rule pack version. Always one line, scriptable.
$ oknek version
oknek 0.1.0 · git=f8a2c91 · hook=ebpf · rules=v1.0.5
Next: rule format.
Now you can operate the daemon. The rule format docs show you how the detections are defined and how to write your own.