autonomy attestation eval

Evaluate a bundle against current orchestrator state without executing

Synopsis

Pulls the orchestrator's current enrollment + rollout-state for the
node, reads the manifest from a local bundle tarball, and runs the
attestation gate's sub-checks against the resulting Input.  Prints
the verdict (allow / deny + reason) without any side effects.

This is the dry-run an operator uses BEFORE activating a bundle, to
catch enrollment-ref misalignments at command-line time instead of
at first decision under AUTONOMY_ATTESTATION_MODE=enforce.

The --bundle argument is a path to a local .tar (use 'autonomy bundle
pull' first when working from an OCI ref).  The gate's
AttestationEnforce mode is used so the deny path produces an error
exit code — drive this from CI to assert a fleet has been correctly
re-enrolled before promoting a new bundle.

Usage

autonomy attestation eval [flags]

Examples

  # Evaluate a freshly-pulled bundle against the local node
  autonomy bundle pull registry/robot:v2 ./robot-v2.tar
  autonomy attestation eval --bundle ./robot-v2.tar

  # Evaluate against a specific fleet node (no local runtime required)
  autonomy attestation eval --bundle ./robot-v2.tar --node-id robot-arm-007
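
A CI promotion gate built on the deny-path exit code described in the synopsis, as an added example that is not part of the autonomy project's own documentation or code. `gate_fleet`, `GATE_FAILED` and the node IDs passed in are hypothetical names, and the sketch assumes any non-zero exit from the command (a deny or a tool error) should block promotion.

```shell
# Added example: CI promotion gate around 'autonomy attestation eval'.
# gate_fleet and GATE_FAILED are hypothetical names; only the documented
# --bundle and --node-id flags are used. AUTONOMY_ORCHESTRATOR_URL is
# expected to be set in the CI environment.
# Assumption: any non-zero exit (deny or tool error) blocks promotion.

gate_fleet() {
    if [ "$#" -lt 2 ]; then
        echo "usage: gate_fleet <bundle.tar> <node-id>..." >&2
        return 2
    fi
    bundle=$1
    shift
    if [ ! -f "$bundle" ]; then
        # eval reads a local tarball; OCI refs must be pulled first.
        echo "bundle not found: $bundle" >&2
        return 2
    fi

    GATE_FAILED=""
    for node in "$@"; do
        # Dry-run: prints the verdict for this node, no side effects.
        if autonomy attestation eval --bundle "$bundle" --node-id "$node"; then
            echo "PASS $node"
        else
            echo "FAIL $node" >&2
            # Keep going so one run reports every misaligned node.
            GATE_FAILED="$GATE_FAILED $node"
        fi
    done

    if [ -n "$GATE_FAILED" ]; then
        echo "promotion blocked; nodes not cleared:$GATE_FAILED" >&2
        return 1
    fi
    echo "all $# nodes cleared for $bundle"
}
```

Call it from the pipeline step that precedes promotion, for example `gate_fleet ./robot-v2.tar robot-arm-007`, and let its exit status fail the job.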

Options

      --bundle string             Path to a local bundle .tar (required; use 'autonomy bundle pull' first for OCI refs)
      --node-id string            Node identifier (defaults to AUTONOMY_NODE_ID env var; the CLI does not load the unified config file, so identity.node_id from config is not consulted here — pass --node-id explicitly when working from a config-file-only deployment)
      --orchestrator-url string   Orchestrator base URL (env: AUTONOMY_ORCHESTRATOR_URL)
      --output string             Output format: text or json (default "text")

See also