06 — ARIA CLI
Discover, audit, and install ARIA-governed AI assets into your development runtimes using the ARIA Package Manager.
What you’ll do
- Initialize the aria CLI with your consumer identity and registry
- Search for assets by OASF skill taxonomy
- Inspect an asset’s OASF Record and governance overlay
- Audit governance compliance before installing
- Install an MCP skill into Claude Desktop
- See governance blocking an over-classified install
Step 1: Build the CLI
cd src/aria-cli
dotnet buildRun it to see the command tree:
dotnet run -- --helpOutput:
Description:
aria — ARIA Package Manager for OASF-governed AI assets
Usage:
aria [command] [options]
Commands:
init Initialize aria configuration in ~/.aria/config.json
search Discover AI assets by OASF skill, domain, or keyword
inspect Display OASF Record and governance overlay for an asset
audit Validate governance compliance before install
install Pull and install an AI asset into a target runtime
list List installed AI assetsStep 2: Initialize configuration
dotnet run -- initThis creates ~/.aria/config.json with default
values. Edit it to match your environment:
cat ~/.aria/config.json | jq .The key fields:
{
"consumer_id": "my-team",
"sensitivity_ceiling": "confidential",
"registries": ["ghcr.io/my-org/aria-assets"],
"targets": {
"claude-desktop": {
"config_path": "~/Library/Application Support/Claude/claude_desktop_config.json"
},
"agent-framework": {
"project_path": "./src",
"a2a_endpoint": "https://agents.myorg.com"
},
"vscode": {
"workspace_path": "./.vscode/mcp.json"
}
}
}The consumer_id identifies your team for
allow-list checks. The sensitivity_ceiling sets
the maximum classification you’re authorized to install.
Step 3: Search for assets
# Search by skill taxonomy
dotnet run -- search --skill "knowledge_retrieval/rag"
# Search by domain
dotnet run -- search --domain "human_resources"
# Combine filters
dotnet run -- search --skill "rag" --domain "human_resources"You’ll see a table of matching assets:
┌──────────────────────────────────────────┬─────────┬───────────────┬──────┬──────────────────────────┐
│ Name │ Version │ Type │ Skills│ Description │
├──────────────────────────────────────────┼─────────┼───────────────┼──────┼──────────────────────────┤
│ aria.dev/agents/onboarding-assistant │ 2.1.0 │ agent │ rag │ HR onboarding agent... │
│ aria.dev/skills/policy-lookup │ 1.0.0 │ mcp_server │ rag │ MCP server for HR... │
│ aria.dev/knowledge/hr-policies │ 3.0.0 │ knowledge_base│ rag │ HR policy knowledge... │
└──────────────────────────────────────────┴─────────┴───────────────┴──────┴──────────────────────────┘Step 4: Inspect an asset
Before installing, inspect the full OASF metadata:
dotnet run -- inspect ghcr.io/jgarverick/aria-assets/onboarding-assistant:2.1.0This displays two panels:
- OASF Record — name, version, skills, domains, modules, authors
- Governance Overlay — sensitivity tier, classifications, ceiling, approval chain, allowed consumers, compliance frameworks
This is the governance-aware equivalent of
npm info or docker inspect.
Step 5: Audit governance
Check whether you’re authorized to install an asset:
# This should PASS (confidential ≤ confidential)
dotnet run -- audit ghcr.io/jgarverick/aria-assets/onboarding-assistant:2.1.0 \
--ceiling confidentialOutput:
✓ All governance checks passed
Asset tier: confidential
Your ceiling: confidential
Consumer: my-team
Frameworks: SOC2, GDPRNow try with a ceiling that’s too low:
# This should FAIL (confidential > public)
dotnet run -- audit ghcr.io/jgarverick/aria-assets/onboarding-assistant:2.1.0 \
--ceiling publicOutput:
✗ Asset sensitivity 'confidential' exceeds your ceiling 'public'.
Request elevated access from the AI Governance team.
Required approvals: ai-governance → hr-data-stewardThe CLI shows exactly what approvals you’d need to get access.
Step 6: Install to a target
Install an MCP skill into Claude Desktop:
dotnet run -- install ghcr.io/jgarverick/aria-assets/policy-lookup-skill:1.0.0 \
--target claude-desktopThe install flow:
aria install ghcr.io/jgarverick/aria-assets/policy-lookup-skill:1.0.0 → claude-desktop
1. Fetching OASF metadata...
Asset: aria.dev/skills/policy-lookup v1.0.0
2. Validating governance...
✓ Sensitivity: internal ≤ confidential
✓ Consumer 'my-team' is authorized
3. Pulling OCI artifact...
Cached to: ~/.aria/cache/aria.dev-skills-policy-lookup
4. Installing to claude-desktop...
Registering MCP server 'policy-lookup' in Claude Desktop
Transport: stdio
Tools: lookup_policy, list_policies
Config: ~/Library/Application Support/Claude/claude_desktop_config.json
✓ Successfully installed aria.dev/skills/policy-lookup v1.0.0 → claude-desktopFor Agent Framework:
dotnet run -- install ghcr.io/jgarverick/aria-assets/onboarding-assistant:2.1.0 \
--target agent-frameworkThis registers the agent as a remote A2A endpoint instead of modifying a Claude Desktop config file.
Step 7: List installed assets
dotnet run -- listShows all installed assets with their governance metadata:
┌─────────────────────────────────┬─────────┬────────────┬─────────────────┬──────────────┬────────────┐
│ Name │ Version │ Type │ Target │ Sensitivity │ Installed │
├─────────────────────────────────┼─────────┼────────────┼─────────────────┼──────────────┼────────────┤
│ aria.dev/skills/policy-lookup │ 1.0.0 │ mcp_server │ claude-desktop │ internal │ 2026-05-01 │
└─────────────────────────────────┴─────────┴────────────┴─────────────────┴──────────────┴────────────┘How the install targets work
The CLI uses pluggable adapters for different runtimes:
| Target | What it does |
|---|---|
| claude-desktop | Reads the OASF module descriptor, generates a
claude_desktop_config.json entry with command,
args, and transport, then writes it to the Claude Desktop
config path |
| vscode | Similar to Claude Desktop but targets
.vscode/mcp.json in the workspace |
| agent-framework | For MCP modules, registers as a tool provider. For agent
Records, registers as a remote A2A endpoint using the
a2a_endpoint from config |
Adding a new target is straightforward — implement
IInstallTarget with a Name and
InstallAsync method, then register it in
TargetRegistry.
GitHub CLI extension
For teams standardized on gh, the same
commands are available as:
gh extension install jgarverick/gh-aria
gh aria search --skill "knowledge_retrieval/rag"
gh aria install jgarverick/aria-policy-lookup-skill --target claude-desktop
gh aria audit --pr 42 --ceiling confidentialThe --pr flag on audit is particularly useful
during code review — it validates the governance overlay in a
pull request before approval.