Phase 4 2026-02-12

The CLI Execution Wrapper

How iddio exec wraps Terraform, Helm, and AWS CLI commands with classify-then-enforce semantics. Per-tool classifiers, tier mapping, and audit-logged execution.

Beyond Kubernetes

Iddio started as a Kubernetes API proxy. But AI agents don’t just use kubectl — they run Terraform to provision infrastructure, Helm to manage releases, and AWS CLI to configure cloud resources. Each of these tools has its own blast-radius profile: terraform plan is safe, terraform destroy is catastrophic.

The CLI execution wrapper extends iddio’s classify-enforce-audit pipeline to any command-line tool. Instead of proxying HTTP requests, it wraps CLI invocations with the same tier-based classification and policy enforcement.

How It Works

iddio exec wraps a CLI command and runs it through the iddio pipeline:

# Instead of running Terraform directly:
terraform apply -auto-approve

# Run it through iddio:
iddio exec -- terraform apply -auto-approve

The wrapper:

  1. Parses the command and arguments
  2. Identifies the tool (terraform, helm, aws, etc.)
  3. Classifies the operation using the tool’s classifier
  4. Evaluates the agent’s policy for that tier
  5. Executes the command if allowed (or escalates/denies)
  6. Audits the execution with full command, exit code, and timing

Per-Tool Classifiers

Each supported tool has its own classifier that understands the tool’s subcommands and their risk profiles:

Terraform

| Command | Tier | Rationale |
| --- | --- | --- |
| terraform plan | T0 (Observe) | Read-only plan generation |
| terraform show | T0 (Observe) | State inspection |
| terraform apply | T2 (Modify) | Creates/updates infrastructure |
| terraform destroy | T4 (Break-Glass) | Destroys all managed resources |
| terraform import | T2 (Modify) | Imports existing resources |
| terraform state rm | T3 (Sensitive) | Removes from state (data loss risk) |

Helm

| Command | Tier | Rationale |
| --- | --- | --- |
| helm list | T0 (Observe) | Lists releases |
| helm status | T0 (Observe) | Release status inspection |
| helm upgrade | T2 (Modify) | Updates a release |
| helm install | T2 (Modify) | Creates a new release |
| helm rollback | T1 (Operate) | Reverts to previous release |
| helm uninstall | T3 (Sensitive) | Removes a release |

AWS CLI

| Command | Tier | Rationale |
| --- | --- | --- |
| aws s3 ls | T0 (Observe) | List bucket contents |
| aws ec2 describe-instances | T0 (Observe) | Instance metadata |
| aws s3 cp | T2 (Modify) | Upload/download objects |
| aws ec2 terminate-instances | T4 (Break-Glass) | Instance termination |
| aws iam create-role | T3 (Sensitive) | IAM changes |

Policy Integration

CLI commands use the same policy engine as Kubernetes:

agents:
  claude-code:
    rules:
      - protocol: terraform
        workspaces: ["staging-*"]
        tiers:
          0: allow # plan, show
          2: escalate # apply
          4: deny # destroy

      - protocol: helm
        namespaces: ["staging-*"]
        tiers:
          0: allow # list, status
          1: allow # rollback
          2: escalate # install, upgrade
          3: deny # uninstall

      - protocol: aws
        services: ["s3", "ec2"]
        regions: ["us-east-1"]
        tiers:
          0: allow # describe, list
          2: escalate # modify
          3: deny # IAM changes
          4: deny # terminate

Audit Logging

Every CLI execution is recorded in the same audit log as Kubernetes events:

{
  "timestamp": "2026-02-12T14:30:22Z",
  "agent": "claude-code",
  "protocol": "terraform",
  "command": "terraform apply -auto-approve",
  "workspace": "staging-web",
  "tier": 2,
  "decision": "escalate",
  "approved_by": "alice@company.com",
  "exit_code": 0,
  "duration_ms": 45200,
  "hash": "a3f8c2...",
  "prev_hash": "9e8d7c..."
}

The hash chain integrates seamlessly — Kubernetes API events and CLI execution events share the same chain. A single iddio audit verify covers everything.
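A worked model of the classify-then-enforce step and the chained audit record, added here as an example (Python, not iddio's own code). The tier tables are transcribed from the three classifier tables above and the policy is the claude-code rule set from the YAML; the hash-chain construction (SHA-256 over canonical JSON, a "genesis" sentinel for the first entry) and the fail-closed handling of unknown tools and tiers are assumptions made for illustration.

```python
import hashlib, json, shlex
# Tier tables from the post's classifier tables; first matching subcommand prefix wins, flags dropped.
CLASSIFIERS = {
    "terraform": {("plan",): 0, ("show",): 0, ("apply",): 2, ("import",): 2,
                  ("state", "rm"): 3, ("destroy",): 4},
    "helm": {("list",): 0, ("status",): 0, ("rollback",): 1, ("install",): 2,
             ("upgrade",): 2, ("uninstall",): 3},
    "aws": {("s3", "ls"): 0, ("ec2", "describe-instances"): 0, ("s3", "cp"): 2,
            ("iam", "create-role"): 3, ("ec2", "terminate-instances"): 4},
}
# claude-code's policy from the YAML above; unlisted tiers and tools are denied (assumption: fail closed).
POLICY = {"terraform": {0: "allow", 2: "escalate", 4: "deny"},
          "helm": {0: "allow", 1: "allow", 2: "escalate", 3: "deny"},
          "aws": {0: "allow", 2: "escalate", 3: "deny", 4: "deny"}}

def classify(command):
    """Return (tool, tier); unknown tools or subcommands get tier 4 (fail closed)."""
    tool, *rest = shlex.split(command) or [""]
    words = tuple(a for a in rest if not a.startswith("-"))  # e.g. drop -auto-approve
    for prefix, tier in CLASSIFIERS.get(tool, {}).items():
        if words[:len(prefix)] == prefix:
            return tool, tier
    return tool, 4

def decide(command, policy=POLICY):
    tool, tier = classify(command)
    return tool, tier, policy.get(tool, {}).get(tier, "deny")

def canonical_hash(entry):
    # SHA-256 over the canonical JSON of the entry minus its own "hash" field (assumed scheme).
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def audit_record(command, prev_hash, **fields):
    """One audit entry; hashing over prev_hash links it to its predecessor."""
    tool, tier, decision = decide(command)
    rec = {"protocol": tool, "command": command, "tier": tier,
           "decision": decision, "prev_hash": prev_hash, **fields}
    rec["hash"] = canonical_hash(rec)
    return rec

def verify_chain(records, genesis="genesis"):
    """Recompute every hash and check each prev_hash points at its predecessor."""
    prev = genesis
    for rec in records:
        if rec["prev_hash"] != prev or canonical_hash(rec) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Because the hash covers the decision, the tier and the command text, editing any recorded entry after the fact breaks verification of that entry and of every entry after it.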

Execution Isolation

The wrapped command runs as a subprocess with a controlled environment:

  • Working directory — inherited from the agent’s context
  • Environment variables — filtered to remove any iddio-internal variables
  • Stdout/stderr — forwarded to the agent in real-time
  • Exit code — forwarded to the agent
  • Timeout — configurable per-tool maximum execution time

The wrapper is transparent to the underlying tool. Terraform, Helm, and AWS CLI don’t know they’re running inside iddio.

Try It Yourself

Iddio is open source. Deploy a zero-trust command proxy for your AI agents in minutes.