CLI & Agent Tools
Install and sign in
The CLI authenticates with browser, paste, or pre-generated token flows.
curl -fsSL https://outgate.ai/download/install.sh | sh
og login
og status- Browser login starts a loopback listener and opens the console consent page.
- Use og login --no-browser on SSH hosts, containers, or any machine where the browser cannot call back to the CLI.
- Use og login --token-file /run/secrets/og-token for CI and scripts. Prefer token files over --token because command-line arguments can appear in process lists.
Wrap Claude Code and Codex
og creates or reuses a provider share and launches the tool with gateway routing.
og claude
og claude --provider "Anthropic"
og claude --auth-mode env -p "explain this error"
og codex
og codex --provider "OpenAI"When no provider is pinned, the CLI prefers routers first, then direct providers matching the wrapped tool. Interactive sessions can prompt when there are multiple matches; non-interactive runs ask you to pin a provider.
Codex routing detail
Codex currently ignores OPENAI_BASE_URL for its built-in OpenAI provider, so og codex creates a synthetic CODEX_HOME at ~/.codex/og with an outgate model provider pointing at the gateway. This keeps Codex sessions and auth usable while routing through Outgate.
Configuration resolution
Flags win, then project config, environment variables, global config, and defaults.
| Priority | Layer | Examples |
|---|---|---|
| 1 | CLI flags | --provider, --name, --auth-mode, --og-broker |
| 2 | .og.yaml | provider, project, share, region, gateway_url, scan |
| 3 | Environment variables | OG_PROVIDER, OG_REGION, OG_GATEWAY_URL |
| 4 | ~/.og/config.json | api_base, console_url, active region |
| 5 | Build defaults | Default console and API URLs baked into the binary |
Implementation check
This order matches internal/config/resolve.go: global defaults are loaded first, env overrides global config, .og.yaml overrides env, and flags override everything.
.og.yaml project config
Place .og.yaml in a repo root or parent directory; the CLI walks up from the current directory.
provider: "Anthropic"
project: "my-app"
share: "shr-abc123"
region: "reg-abc123"
api_base: "https://console.outgate.ai/api"
gateway_url: "http://localhost:8000"
auth_mode: url
env:
ANTHROPIC_API_KEY: "sk-ant-og-managed"
scan:
max_context_tokens: 128000
context_margin: 0.2
overlap_lines: 50
extensions: [".ts", ".js", ".py", ".yaml", ".json", ".env"]
exclude_dirs: ["node_modules", "dist", ".terraform"]
exclude_files: ["*.min.js", "*.map", "package-lock.json"]
max_file_size: 2097152auth_mode url embeds the gateway share key in the base URL as /_k/{key}. auth_mode env sets ANTHROPIC_API_KEY or OPENAI_API_KEY for tools that require a key environment variable before startup.
Environment variables
Use OG_* variables to steer og itself; tool variables are passed to Claude or Codex.
| Variable | Used by | Purpose |
|---|---|---|
| OG_API_BASE | og | Console API base URL. |
| OG_CONSOLE_URL | og | Console URL for auth and account links. |
| OG_PROVIDER | og | Default provider name or ID. |
| OG_PROJECT | og | Default project/share name. |
| OG_SHARE | og | Pin an existing share by ID or name. |
| OG_REGION | og | Default active region ID. |
| OG_GATEWAY_URL | og | Direct gateway URL for local or private regions. |
| OG_AUTH_MODE | og | url or env share-key passing mode. |
| OPENAI_BASE_URL, OPENAI_API_KEY | Codex/OpenAI-compatible tools | Tool-facing base URL and credential. |
| ANTHROPIC_BASE_URL, ANTHROPIC_API_KEY | Claude Code | Tool-facing base URL and credential. |
| CODEX_HOME | Codex | Synthetic config home used by og codex unless you explicitly override it. |
Scan and Detection Vault
Use guardrails in dry-run mode to find sensitive values before production traffic sees them.
og scan --provider "Local Ollama"
og scan --provider my-provider --project /path/to/project
og vault add "sk-ant-abc123def456" --category credentials --tag staging
og vault list --category credentials
og vault rm --tag stagingog scan sends files through the selected guardrail-enabled provider with dry-run headers. The request does not reach the upstream model; detections are stored as fingerprints in the Detection Vault for future matching.