Connect in 2 minutes
The entry point is a skill, not the CLI. You add one skill; your agent does the rest — it installs the engine, connects this machine, installs the runtime gate, and pulls your organisation's approved skills. The only thing you do by hand is add the skill and approve the sign-in once.
What you need
An skillsvault organisation (create one at the console) and any agent that loads skills (Claude Code, Codex, Pi, …). No CLI setup.
Add the skillsvault skill to your agent
From your harness's skill UI, or:
npx skills add skillsvault/skillsvault-skill
That's the whole human step. The skill is the installer/driver — your agent reads it and bootstraps the rest.
Let your agent connect this machine
Your agent runs skillsvault whoami and, finding this machine isn't connected yet,
asks you to authorize it. Approve the browser sign-in once:
skillsvault login
For CI or headless machines, paste an agent key from Settings → API keys instead of the browser flow:
skillsvault login --key <agent-key> --org <org-slug>
If the skillsvault binary is missing, the agent installs it first:
curl -fsSL https://skillsvault.io/install.sh | sh
Turn on enforcement and pull approved skills
The agent now sets up the gate and installs what your org approved:
skillsvault install-hook # gate skills at invocation time (Claude Code)
skillsvault pull --all # install approved skills into every detected harness;
# removes any banned skill from this machine
Watch the halt fire
Ask your agent to use a skill your org has banned. The gate denies it at invocation with your org's reason — naming the approved replacement — and the machine does not run it:
✗ halt · acme/legacy-export — banned: superseded by acme/pdf-export (>=2.0.0)
The decision lands in your immutable audit log, visible to your governance officer in the console. That is the whole loop: one skill added → a banned skill halted on a real machine → audited.
What just happened
| You did | Your agent did |
|---|---|
| Added one skill | Installed the skillsvault engine |
| Approved sign-in once | Connected this machine to your org |
| — | Installed the runtime gate (Claude Code) |
| — | Pulled approved skills, removed banned ones |
Honest enforcement tiers
The runtime veto — halting a skill mid-invocation — works where the harness exposes a blocking hook, which today means Claude Code. On Codex, Pi, and others, skillsvault provides distribution governance: it installs the approved skills and removes banned ones, but cannot veto an invocation those harnesses never offer to gate. Lead with distribution everywhere; enforcement where the hook exists.
Next
- Quickstart — the same loop driven manually from the CLI.
- The runtime gate — how allow / warn / halt is decided.
- Harness coverage — which harnesses gate vs distribute.