Debugging

`runok check`: check without executing

The runok check command evaluates rules and reports what action would be taken, without executing the command. This is the quickest way to test whether your rules work as expected.

runok check -- git status

Example output:

allow

Add --verbose to see detailed rule matching information:

runok check --verbose -- git status

[verbose] Evaluating command: "git status"
[verbose] Rule matched: allow 'git *' (matched tokens: ["status"])
[verbose] Evaluation result: Allow
allow

When no rule matches:

runok check --verbose -- rm -rf /

[verbose] Evaluating command: "rm -rf /"
[verbose] No rules matched
[verbose] Evaluation result: Ask
ask

For compound commands (commands joined with &&, ||, ;, or |), verbose output shows each sub-command individually:

runok check --verbose -- 'git add . && git commit -m fix'

[verbose] Compound command detected (2 sub-commands)
[verbose]   sub-command 1: "git add ."
[verbose]   sub-command 2: "git commit -m 'fix'"
[verbose] Compound evaluation result: Allow
allow

You can also pipe commands via stdin:

echo "curl -X POST https://example.com" | runok check

`--verbose` with `runok exec`

The --verbose flag also works with runok exec for debugging in production-like scenarios:

runok exec --verbose -- git push --force

This prints the rule matching details to stderr while also executing the command.

runok check Reference — Full command reference.
runok exec Reference — Full command reference.
Common Issues — Solutions for frequently encountered problems.

Debugging

runok check: check without executing

--verbose with runok exec

Related

`runok check`: check without executing

`--verbose` with `runok exec`