RAGit
CommandsSecurity

security

Audit and purge the knowledge-state security surface

What This Group Covers

The security command group is the operational layer for protecting RAGit-owned knowledge state.

  • Use security audit to inspect control-plane state, store state, repo-tracked docs, and provider egress posture.
  • Use security purge to sanitize or remove unsafe local state without rewriting repo-tracked documents.

Operating Model

  • Write paths sanitize before persistence.
  • Admission control runs before those writes and records security.admission events whenever content is quarantined or blocked.
  • Retrieval and packet outputs re-mask before printing.
  • security.admission_mode decides whether high-risk content is only reported (report-only) or actively blocked/replaced before persistence (enforce).
  • Remote embedding egress is policy-controlled through security.remote_embedding_policy.
  • Repo-tracked documents are never auto-rewritten by purge. Fix the document first, then rerun ingest.

doctor

Diagnose repository and runtime health

security audit

Inspect knowledge-state security findings and provider egress posture

On this page

What This Group CoversOperating ModelRelated Commands