configuration attestor
Captures the cilock CLI flags that drove this run. cilock is args-only — there is no config file — so the flags (plus the working directory) are the complete invocation surface this attestor records.
| Name | configuration |
|---|---|
| Predicate type | https://aflock.ai/attestations/configuration/v0.2 |
| Lifecycle | prematerial |
| Default binary? | No |
| Recommended trace | off — no syscall tracing needed |
| Auto-attaches when | Not auto-detected — attach explicitly with -a. |
The facts in this box are generated from the CI/lock binary's own catalog (cilock tools list). Do not hand-edit — run npm run gen:catalog.
What it captures
The attestor reads os.Args directly — it does not call into cilock's option resolver, so it records the raw CLI surface, not post-resolution defaults.
flags— map of flag name to value, parsed fromos.Argsup to (but not including) the--separator that delimits cilock args from the wrapped command. Handles--flag value,-f value,--flag=value,-f=value, and bare boolean flags (recorded as"true"). Leading dashes are stripped from keys.working_directory— the process working directory at attest time (os.Getwd()).
Environment variables are not captured by this attestor — see environment for that.
When to use
Audit trails where "which flags produced this attestation" needs to be provable after the fact. Most pipelines do not need it; reach for it when a single runner invokes cilock with varying flag sets and each variant's settings must be frozen alongside its attestation.
Flags
None.
Output shape
{
"flags": {
"step": "build",
"trace": "true"
},
"working_directory": "/workspace"
}
All fields are omitempty; absent fields mean the corresponding source was missing or unreadable.
Gotchas
- The flag parser is positional and naive: it does not consult cilock's option definitions. A value that happens to start with
-(e.g. a negative number) will be treated as the next flag, not as the previous flag's value, and the previous flag will be recorded as"true". flagsreflects what was typed on the command line, not the resolved configuration. Defaults applied by cilock and values sourced from env vars are not merged intoflags.- Secrets passed as flag values (e.g. tokens) appear verbatim in
flags; prefer env vars or file-based secret flags for sensitive values.
CLI example
cilock run --step my-step \
--signer-file-key-path key.pem --outfile attestation.json \
--attestations configuration \
-- echo hi
Validated. See the full real-data example at https://github.com/aflock-ai/attestor-compliance-examples/tree/main/06-configuration.