Skip to main content

Quickstart

In a few minutes you will install the NebCore tools, log in, get a temporary cloud credential through NebCLI, and watch NebGuard step in on a risky action. This walkthrough uses expected-output style so you can confirm each step worked.

Prerequisites

  • NebCLI and NebGuard installed and verified. If you have not done this yet, follow Installation first.
  • Your NebCore tenant slug (for example acme). You sign in with this.
  • The AWS CLI installed, so NebCLI has a tool to hand a cloud credential to.
  • Claude Code installed, for the NebGuard step at the end.

1. Confirm the tools are installed

nebcli version
nebguard version

Both print a version and build information. If either is "command not found", revisit Installation.

2. Log in

nebcli login --tenant <slug>

Replace <slug> with your tenant slug. NebCLI opens your browser to the identity provider; sign in there. On success the terminal confirms you are logged in and saves a personal session on your computer. NebCLI sets up only the access your account is allowed, and reports how much that was.

tip

If NebGuard is already on your PATH, this login also configures NebGuard's license from your tenant, so NebGuard skips its own signup. See NebCLI and NebGuard together.

3. Get a temporary cloud credential

NebCLI never stores a long-lived secret. Instead it asks the platform for a short-lived cloud credential and writes it where the AWS CLI already reads from.

nebcli elevate role <your-role>

Expect NebCLI to report the cloud profile it prepared and when the credential expires. Now run a normal AWS command; the AWS CLI uses the credential directly:

aws sts get-caller-identity

You should see your account ID and the assumed identity returned as JSON. When the credential nears expiry, run nebcli cloud refresh to renew it.

4. Run the self-check

nebcli doctor

doctor checks your identity, connectivity, and that the tools NebCLI depends on are present, and prints a specific fix for anything it finds. Expect a list of checks with a pass marker on each. Resolve any failures before moving on.

5. Turn on NebGuard for Claude Code

NebGuard installs as hooks inside your AI agent. Set it up for Claude Code:

nebguard setup claude-code

Expect NebGuard to install its hooks and write a starter rule-override file in your project. Because you logged in at step 2, NebGuard reads the license NebCLI wrote and runs at the Paid tier.

6. Watch a guardrail fire

Open Claude Code in a git repository and ask it to do something a guardrail blocks, for example a force-push to your main branch:

Force-push my current branch to main.

NebGuard sits between the agent and the action. Before the dangerous command runs, it blocks it and explains why, so the force-push never reaches your remote. Safe actions pass through untouched; NebGuard only stops the ones its rules flag as dangerous, and records every decision either way.

Next steps

  • NebCLI and NebGuard together: how NebGuard reuses your NebCLI license.
  • NebCLI: the command-line tool for identity, credentials, cluster access, elevation, and chart validation.
  • NebGuard: the rule library, the four responses, and how licensing tiers decide which rules run.