https://github.com/lunal-dev/privateclaw-cli
PrivateClaw CLI — TEE verification and management for PrivateClaw CVMs
Last synced: 2 days ago
- Host: GitHub
- URL: https://github.com/lunal-dev/privateclaw-cli
- Owner: lunal-dev
- License: mit
- Created: 2026-03-25T05:11:03.000Z (15 days ago)
- Default Branch: main
- Last Pushed: 2026-03-28T04:25:35.000Z (12 days ago)
- Last Synced: 2026-04-03T01:40:35.842Z (6 days ago)
- Language: Shell
- Size: 29.3 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# privateclaw-cli
TEE verification and management CLI for [PrivateClaw](https://privateclaw.dev) CVMs.
## Install
```bash
curl -fsSL https://github.com/lunal-dev/privateclaw-cli/releases/download/v1.0.0/install.sh | bash
```
This installs two binaries to `/usr/local/bin/`:
- `privateclaw` — shell script CLI with `verify`, `attest`, and `assign` subcommands
- `attestation-cli` — pre-built binary from [attestation-rs](https://github.com/lunal-dev/attestation-rs) for cryptographic TEE attestation
## Commands
### `privateclaw verify`
User-facing command. Cryptographically verifies your CVM is running in a genuine TEE:
1. **TEE Attestation** — validates AMD SEV-SNP attestation evidence via `attestation-cli` and confirms the SSH host key is bound to the TEE
2. **Inference Provider** — shows the configured Lunal inference endpoint
3. **External Access Lockout** — audits SSH authorized keys and the firewall
### `privateclaw attest`
Boot-time command (called by cloud-init). Generates attestation evidence binding the SSH host key to the TEE hardware.
### `privateclaw assign`
Internal command (called by systemd timer). Polls Azure IMDS for user configuration and applies it.
## Independent Verification
You can verify a CVM's attestation evidence from any machine:
```bash
# Copy evidence from CVM
scp user@cvm:/etc/privateclaw/evidence.json .
# Verify locally (install attestation-cli first)
attestation-cli verify -e evidence.json --expected-report-data
```
## Auditing
This repo contains everything that runs on your CVM. The `privateclaw` script is a single shell file — read it directly to see exactly what it does.
The only binary dependency is [`attestation-cli`](https://github.com/lunal-dev/attestation-rs), which is also open source.