Syntax
vectra-guard trust <subcommand> [options]
vg trust <subcommand> [options]
Description
Manage a trust store of pre-approved commands. Trusted commands skip sandboxing and approval prompts, improving performance for known-safe operations.
Subcommands
trust list
List all trusted commands.
Output: Table showing command, approval date, use count, last used, and expiration.
trust add
Add a command to the trust store.
vg trust add <command> [--note <text>] [--duration <time>]
Arguments:
command: The exact command string to trust (e.g., npm install express)
--note: Optional note explaining why this command is trusted
--duration: Trust duration (e.g., 24h, 7d, 30d). Default: permanent (never expires)
trust remove
Remove a command from the trust store.
vg trust remove <command>
Arguments:
command: The exact command string to remove
trust clean
Remove all expired entries from the trust store.
Examples
Add commonly used commands
vg trust add "npm install" --note "Safe package manager"
vg trust add "npm test" --note "Test suite"
vg trust add "git status" --note "Read-only git command"
# ✅ Commands trusted
Temporary trust with expiration
vg trust add "npm install debug" --duration 7d --note "Testing debug package"
# Trusted for 7 days only
List trusted commands
vg trust list
# COMMAND            APPROVED    USE COUNT  LAST USED         EXPIRES
# npm install        2026-03-01  15         2026-03-03 10:30  Never
# npm test           2026-03-01  8          2026-03-03 09:15  Never
# npm install debug  2026-03-03  2          2026-03-03 11:00  2026-03-10
Interactive approval with remember
vg exec --interactive -- npm install lodash
# ⚠️ Command requires approval
# Command: npm install lodash
# Risk Level: MEDIUM
#
# Options:
# y - Yes, run once
# r - Yes, and remember (trust permanently)
# n - No, cancel
#
# Choose [y/r/N]: r
# ✅ Approved and remembered
Remove trust
vg trust remove "npm install debug"
# ✅ Removed command from trust store: npm install debug
Clean expired entries
vg trust clean
# ✅ Cleaned expired entries from trust store
Bulk trust for CI
#!/bin/bash
# Trust common CI commands
COMMANDS=(
  "npm ci"
  "npm run build"
  "npm run test"
  "npm run lint"
)
for cmd in "${COMMANDS[@]}"; do
  vg trust add "$cmd" --note "CI pipeline"
done
Trust Store Location
Trusted commands are stored in:
~/.vectra-guard/trust-store.json
Or configure via:
sandbox:
  trust_store_path: /custom/path/trust-store.json
Security Considerations
- Exact match only: Trust is command-specific. npm install ≠ npm install lodash
- No wildcards: Cannot trust patterns like npm install *
- Sandbox bypass: Trusted commands skip the sandbox, so make sure they are actually safe before trusting them
- Critical commands: Commands like rm -rf / cannot be trusted (hard-blocked)
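The bulk-trust script and the considerations above can be combined into a stricter CI helper. The following is an added example, not part of vectra-guard or its documentation: it screens each command string for shell metacharacters and wildcards (a screening rule assumed here), then trusts it for a limited time using only the trust add --duration --note and trust clean forms shown on this page. The names screen_command, trust_ci_commands, SHELL_META, VG, TRUST_TTL and the input file ci-commands.txt are hypothetical.

```bash
#!/bin/sh
# Added example (not vectra-guard's own code): time-boxed bulk trust for CI.
# VG, TRUST_TTL and the screening rule below are assumptions of this example.
VG="${VG:-vg}"                 # binary to call; "vg" as used on this page
TRUST_TTL="${TRUST_TTL:-7d}"   # expire CI trust instead of trusting permanently

# Characters that chain, substitute, redirect or glob in a shell.
SHELL_META='[;&|`$<>*?(){}]'

# Succeeds only for a plain command string. Trusted commands skip the
# sandbox, so nothing that could carry a second command gets pre-approved.
screen_command() {
    case "$1" in
        '')              return 1 ;;
        *${SHELL_META}*) return 1 ;;
    esac
    return 0
}

# Reads one command per line from stdin ('#' comments and blanks skipped),
# trusts the ones that pass screening, then drops expired entries.
# Prints "added=N rejected=M"; returns 1 if anything was rejected.
trust_ci_commands() {
    added=0
    rejected=0
    while IFS= read -r cmd || [ -n "$cmd" ]; do
        case "$cmd" in ''|'#'*) continue ;; esac
        if screen_command "$cmd"; then
            "$VG" trust add "$cmd" --duration "$TRUST_TTL" \
                --note "CI pipeline" </dev/null || return 2
            added=$((added + 1))
        else
            echo "rejected (not a plain command): $cmd" >&2
            rejected=$((rejected + 1))
        fi
    done
    "$VG" trust clean </dev/null || return 2
    echo "added=$added rejected=$rejected"
    [ "$rejected" -eq 0 ]
}

# Usage: trust_ci_commands < ci-commands.txt
```

A non-zero return lets the CI job fail when the command list contains an entry that should be reviewed by hand instead of being pre-approved.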
Related Commands
- exec - Execute commands (respects trust store)
- validate - Validate before trusting