Skip to main content

NebCLI and NebGuard together

Overview

NebCLI and NebGuard are separate tools that each stand on their own. NebGuard runs and licenses itself without NebCLI: nebguard setup walks a first-time user through its own signup. When you also use NebCLI, NebGuard skips that signup and reuses the license NebCLI already wrote, so an existing NebCore tenant gets full Paid-tier guardrails with no second signup, no consent prompt, and no name or email to re-enter.

This page explains how NebGuard reuses the NebCLI license, and what happens when NebCLI is not in the picture.

How NebGuard gets its license

NebGuard needs two things to do its job: who you are, so it picks rules appropriate to your environment, and what you are entitled to, your licensing tier, which decides how many rules run. Both come from a license: a small, tamper-proof signed token that states your tier. NebGuard carries the matching public key and verifies the token offline, so it never has to call the network to check it. That offline check matters because guardrails fire on every action your AI agent takes.

NebGuard resolves that license two ways:

  • On its own. Run nebguard setup with no license present and NebGuard runs its own signup: a short browser consent that registers you and licenses the tool directly. NebCLI is not involved.
  • From NebCLI, when present. NebCLI writes your tenant license to ~/.nebcore (encrypted on disk, so a backup or a curious cat cannot read it). If NebGuard finds that license, it reads your identity and tier straight from it, so it never has to ask you to sign up again.

The second path is a convenience, not a requirement: NebGuard piggybacks on the NebCLI license purely to avoid re-collecting details you already gave NebCLI.

What happens when you log in with NebCLI

When you run nebcli login --tenant <slug> and the login succeeds, NebCLI does two things:

  1. It saves your personal session, so you are authenticated for platform actions.
  2. It fetches your tenant's signed license from the platform, encrypts it, and writes it to ~/.nebcore, where NebGuard reads it.

If NebGuard is also installed and on your PATH, NebCLI goes one step further and configures NebGuard's license in the same login, so you do not have to set it up separately.

nebcli login --tenant acme
|
|-- saves your personal session
|-- fetches + writes your tenant license to ~/.nebcore
|-- detects nebguard on PATH --> configures NebGuard from that license
(no separate prompt, no consent step)

The result: NebGuard starts directly at the Paid tier. Because your tenant has already accepted the platform's terms through your organization's master agreement, NebGuard reuses that acceptance with no separate prompt and no trial period.

info

This automatic configuration during nebcli login is part of the streamlined experience and is still rolling out. The underlying behavior, NebGuard reading the license that NebCLI writes, works today; the convenience of having a single login also configure NebGuard happens when both tools are present and on your PATH.

What tier you get

SituationNebGuard tier
NebCLI license present (a NebCore tenant)Paid (all the higher-value rules run)
Tenant with the Development add-onPaid plus the Development rules
Standalone signup via nebguard setupFree, after a time-boxed trial
A tenant whose subscription lapsesFree (the platform re-issues a free license)

Reusing a NebCLI tenant license is the difference between the always-on free safety rules and the full set. Any subscription level counts as Paid.

If you install NebGuard later

The bridge is best-effort: if NebGuard is not on your PATH when you log in with NebCLI, NebCLI simply skips it, with no error and no warning. When you install NebGuard afterward, run its setup yourself:

nebguard setup claude-code

If a NebCLI login is already on disk, NebGuard reads that license and picks up your Paid tier from there, with no second login. If there is no NebCLI license, the same setup runs NebGuard's own signup instead.

When the tier changes

NebGuard reads the license once at the start of each AI session and keeps that result for the whole session. So any change (a tier upgrade, an add-on purchase, a trial expiring, or a subscription lapsing) takes effect at the start of the next session, never in the middle of one. NebCLI refreshes the license between sessions, including at login, so the next session sees the current tier.

Next steps

  • Quickstart: log in and watch a guardrail fire.
  • Installation: install both tools, verified.
  • NebGuard: the licensing model and the rule library in full.
  • NebCLI: everything NebCLI does beyond login.