This page documents every drako command not covered on dedicated pages.
Upgrade the governance enforcement level of an existing .drako.yaml without running drako init again.
drako upgrade [OPTIONS]
--balanced
flag
Upgrade to the balanced level. Enables DLP enforce, ODD enforce, and HITL reject-on-timeout.
--strict
flag
Upgrade to the strict level. Enables all balanced changes plus intent verification (with anti-replay), cryptographic audit trail with 90-day retention, and magnitude enforcement.
--config
string
default:".drako.yaml"
Path to the config file to upgrade.
--yes
flag
Skip the confirmation prompt.
What changes per level:
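| Feature | | balanced | strict |
|---|---|---|---|
| DLP | audit | enforce | enforce |
| ODD | audit | enforce | enforce |
| HITL timeout | allow | reject | enforce + reject |
| Intent verification | | | enforce + anti-replay |
| Audit | | | → cryptographic, 90-day retention |
| Magnitude | | | enforce |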
drako upgrade --balanced
drako upgrade --strict --yes
drako upgrade --balanced --config path/to/.drako.yaml
After upgrading, run drako push to sync the new config to the platform.
Manage the scan baseline used to filter previously-acknowledged findings from drako scan output.
The baseline is stored in .drako/.baseline.json and is gitignored automatically.

Subcommands

drako baseline show [DIRECTORY]
Display a summary of the current baseline.
drako baseline show
drako baseline show path/to/project
Output includes the baseline version, creation timestamp, Drako version, and a breakdown of baselined findings by severity.

drako baseline reset [DIRECTORY]
Delete the baseline file. The next drako scan will show all findings.
drako baseline reset
drako baseline reset path/to/project
Both subcommands accept an optional DIRECTORY argument (default: .).
To create a baseline, use drako scan . --baseline rather than drako baseline.
Show the policy version history for your tenant on the Drako platform.
drako history [OPTIONS]
--config
string
Path to .drako.yaml. When omitted, Drako searches the current directory.
--limit
integer
default:"20"
Maximum number of versions to display.
Each row shows the version number, creation timestamp, and change summary.
drako history
drako history --limit 50
drako history -n 5
Requires drako push to have been run at least once.
Compare two policy versions side by side. Requires a Pro plan.
drako diff FROM_VERSION TO_VERSION [OPTIONS]
Arguments accept version numbers with or without a v prefix (e.g. v3 or 3).
--config
string
Path to .drako.yaml.
The output groups changes into added, removed, and modified entries with colour coding.
drako diff v1 v2
drako diff 3 5
drako diff v1 v3 --config /path/to/.drako.yaml
Revert to a previous policy version. Creates a new version with the old content. Requires a Pro plan.
drako rollback VERSION [OPTIONS]
--config
string
Path to .drako.yaml.
--yes
flag
Skip the confirmation prompt.
drako rollback v2
drako rollback 3 --yes
Rollback creates a new version — it does not destructively overwrite history. The version number increments.
Automatically apply patches for findings that have an available fix snippet.
drako fix [PATH] [OPTIONS]
PATH defaults to . (the current directory).
--dry-run
flag
Preview diffs without modifying any files. Prints a unified diff for each fixable finding.
--framework
string
Comma-separated list of frameworks to detect (e.g. crewai,langgraph).
The command scans the project, identifies findings with a fix_snippet, and replaces the matching code_snippet in the source file. Findings without an available fix are skipped with a [skip] message.
# Preview what would change
drako fix . --dry-run

# Apply all available fixes
drako fix .

# Fix a subdirectory
drako fix src/agents/
Always run drako fix --dry-run first to review changes before applying them.
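The snippet-replacement step described above, sketched as a dry-run planner. This is an added example, not Drako's own code: only the field names code_snippet and fix_snippet come from this page, while the finding shape, ids and sample file are constructed assumptions, and skipping ambiguous matches is this example's own choice.

```python
import difflib

# Constructed sample data. Only the field names code_snippet and fix_snippet
# come from the page; the ids, file layout and finding shape are assumptions.
SAMPLE_SOURCES = {
    "client.py": "import requests\n\nresp = requests.get(url, verify=False)\n"
                 "print(resp.status_code)\n",
}
SAMPLE_FINDINGS = [
    {"id": "F1", "file": "client.py",
     "code_snippet": "requests.get(url, verify=False)",
     "fix_snippet": "requests.get(url, verify=True)"},
    {"id": "F2", "file": "client.py",
     "code_snippet": "print(resp.status_code)", "fix_snippet": None},
    {"id": "F3", "file": "client.py",           # stale: code changed since the scan
     "code_snippet": "requests.post(url, verify=False)",
     "fix_snippet": "requests.post(url, verify=True)"},
]

def plan_fixes(sources, findings):
    """Dry run: return (patched sources, unified diffs, skipped ids); no file I/O."""
    patched, diffs, skipped = dict(sources), [], []
    for finding in findings:
        before = patched.get(finding["file"], "")
        fix = finding.get("fix_snippet")
        # Skip when there is no fix, or when the snippet is missing or ambiguous
        # (this example's choice: never guess which occurrence to rewrite).
        if not fix or before.count(finding["code_snippet"]) != 1:
            skipped.append(finding["id"])
            continue
        after = before.replace(finding["code_snippet"], fix)
        diffs.append("".join(difflib.unified_diff(
            before.splitlines(keepends=True), after.splitlines(keepends=True),
            fromfile="a/" + finding["file"], tofile="b/" + finding["file"])))
        patched[finding["file"]] = after
    return patched, diffs, skipped

if __name__ == "__main__":
    _, diffs, skipped = plan_fixes(SAMPLE_SOURCES, SAMPLE_FINDINGS)
    print("".join(diffs))
    for finding_id in skipped:
        print(f"[skip] {finding_id}")
```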
Validate a .drako.yaml configuration file. Fully offline — no backend connection required.
drako validate FILE
FILE is a required positional argument pointing to the config file to validate.
The command performs these checks in order:
  1. YAML parseability — the file must be valid YAML.
  2. Schema validation — the document must conform to the Drako Pydantic schema.
  3. Cross-references — HITL trigger tools, hook agent references, A2A channel agents, and fallback tools must all exist in the declared agents/tools sections.
  4. Logical consistency — circuit breaker thresholds, HITL trust score values, and DLP/HITL mode combinations are checked for coherence.
  5. Budget math — daily × 7 vs. weekly, and weekly × 4.33 vs. monthly budget limits are compared.
  6. High-risk warnings — DLP off, on_backend_unreachable: allow, write/execute tools without HITL, chaos experiments without approval.
Exit code 0 = valid (warnings may be printed). Exit code 1 = invalid.
drako validate .drako.yaml
drako validate path/to/custom-config.yaml
Replay historical audit data against a proposed policy change to preview the impact before pushing.
drako simulate --policy FILE [OPTIONS]
--policy
string
required
Path to the .drako.yaml policy file to simulate. Required.
--hours
integer
default:"24"
Number of hours of historical audit data to replay against the proposed policy.
--api-key
string
API key for authentication. Falls back to the DRAKO_API_KEY environment variable.
--endpoint
string
default:"https://api.getdrako.com"
Drako backend endpoint. Falls back to the DRAKO_ENDPOINT environment variable.
--format
terminal | json
default:"terminal"
Output format. terminal renders Rich tables. json emits raw simulation results.
The simulation returns counts of decisions that would be blocked, escalated, modified, or allowed under the new policy, plus a breakdown of block reasons.
# Simulate a proposed policy against the last 24 hours
drako simulate --policy proposed.yaml

# Simulate against the last 7 days
drako simulate --policy proposed.yaml --hours 168

# Export results as JSON
drako simulate --policy proposed.yaml --format json > simulation.json
List and inspect built-in policy templates.

drako templates list

Print all available policy templates with their governance level and description.
drako templates list

drako templates show NAME

Print the full YAML content of a named template.
drako templates show fintech
drako templates show healthcare
Templates can be applied at init time with drako init --template NAME, or referenced in your config with extends: NAME.
Start a local MCP (Model Context Protocol) compliance server that proxies governance calls to the Drako backend.
drako serve [OPTIONS]
--config
string
default:".drako.yaml"
Path to the Drako configuration file.
--port
integer
default:"3100"
Port for the local MCP server. Only used when --transport sse is set.
--transport
stdio | sse
default:"stdio"
MCP transport to use.
  • stdio — reads from stdin (for use with MCP-compatible hosts)
  • sse — starts an HTTP SSE server on --port
# Start with STDIO transport (default)
drako serve

# Start SSE server on port 3100
drako serve --transport sse --port 3100

# Use a custom config file
drako serve --config /path/to/.drako.yaml
Show the status of your Drako integration: config validity, API key, backend connectivity, quota, last scan summary, governance features, and last push.
drako status [OPTIONS]
--config
string
default:".drako.yaml"
Path to the Drako configuration file.
The command performs these checks:
  1. Loads and validates the config file
  2. Resolves and masks the API key
  3. Tests connectivity to the Drako backend
  4. Fetches quota usage
  5. Reads the last cached scan result (up to 24 h old)
  6. Shows active governance features from the local YAML
  7. Fetches the last pushed config version
The command exits with code 1 if any check fails (missing config, invalid API key, connection error).
drako status
drako status --config /path/to/.drako.yaml
Verify the cryptographic integrity of your audit hash chain on the Drako platform.
drako verify [OPTIONS]
--config
string
default:".drako.yaml"
Path to the Drako configuration file.
--last-n
integer
Only verify the last N entries in the chain. When omitted, the entire chain is verified.
On success, prints the number of entries verified and the current chain head hash. On failure, prints the number of broken links and invalid signatures, then exits with code 1.
drako verify
drako verify --last-n 1000
drako verify --config /path/to/.drako.yaml
Cryptographic audit trails require the strict governance level or the audit.cryptographic: true setting in your config.
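An illustration of what verifying an audit hash chain involves, added here as an example and not Drako's own code. The entry layout, the all-zero genesis value and HMAC-SHA256 standing in for a real signature scheme are assumptions, and the events are constructed; the result mirrors what the command reports (entries verified, broken links, invalid signatures, head hash) and takes a tail-only window like --last-n.

```python
import hashlib
import hmac
import json

# Assumptions for this sketch: the entry fields, the all-zero genesis value and
# HMAC-SHA256 as a stand-in for the platform's signature scheme.
DEMO_KEY = b"constructed-demo-key"
GENESIS = "0" * 64
SAMPLE_EVENTS = ["search allowed", "send_email escalated",
                 "delete_file blocked", "search allowed"]  # constructed

def entry_digest(entry):
    """Hash of the fields a link commits to: position, payload, predecessor."""
    body = {k: entry[k] for k in ("seq", "event", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(digest):
    return hmac.new(DEMO_KEY, digest.encode(), hashlib.sha256).hexdigest()

def build_chain(events):
    chain, prev = [], GENESIS
    for seq, event in enumerate(events):
        entry = {"seq": seq, "event": event, "prev_hash": prev}
        entry["hash"] = entry_digest(entry)
        entry["sig"] = sign(entry["hash"])
        chain.append(entry)
        prev = entry["hash"]
    return chain

def verify_chain(chain, last_n=None):
    """Count broken links and invalid signatures, optionally over the tail only."""
    start = 0 if last_n is None else max(len(chain) - max(last_n, 0), 0)
    # A tail-only check trusts the stored hash just before the window.
    expected_prev = GENESIS if start == 0 else chain[start - 1]["hash"]
    broken = bad_sigs = 0
    for entry in chain[start:]:
        if entry["prev_hash"] != expected_prev or entry_digest(entry) != entry["hash"]:
            broken += 1
        if not hmac.compare_digest(sign(entry["hash"]), entry["sig"]):
            bad_sigs += 1
        expected_prev = entry["hash"]
    return {"verified": len(chain) - start, "broken_links": broken,
            "invalid_signatures": bad_sigs, "ok": broken == 0 and bad_sigs == 0,
            "head": chain[-1]["hash"] if chain else GENESIS}

if __name__ == "__main__":
    tampered = build_chain(SAMPLE_EVENTS)
    tampered[1]["event"] = "send_email allowed"   # edit a record after the fact
    print(verify_chain(build_chain(SAMPLE_EVENTS)))
    print(verify_chain(tampered))                 # one broken link
    print(verify_chain(tampered, last_n=2))       # edit lies outside the window
```

In this sketch a tail-only check accepts the stored hash just before the window without re-deriving it, so an edit to an older entry is reported only by a full verification.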
Upload your local .drako.yaml config to the Drako platform, creating a new policy snapshot version.
drako push [OPTIONS]
--config
string
default:".drako.yaml"
Path to the config file to push.
--endpoint
string
Override the endpoint from the config file.
--yes
flag
Skip the confirmation prompt.
Before uploading, the command:
  • Validates that the YAML is parseable
  • Strips the api_key field from the payload, so the key is not uploaded with the config
  • Shows a summary: agent count, tool count, DLP mode, circuit breaker status
On success, the new snapshot version number is printed along with a list of active and locked features. A link to the dashboard is also shown.
drako push
drako push --yes
drako push --config /path/to/.drako.yaml
drako push --endpoint https://api.getdrako.com
drako push requires network access to the Drako backend. Scanning and local governance work fully offline, but policy sync requires connectivity.
