Installation
Install the packaged CLI and choose the right runtime path.
Recommended Install Path
Use the packaged CLI as the default install path for external developers. Repo-local scripts are still available for reference runtimes and internal validation, but they should not be your first integration step.
pipx install lemma-cli
Run lemma demo to see the Lemma Firewall in action: issues a credential, starts the firewall, and runs containment tests in under 30 seconds.
For local interactive flows, the CLI will open browser approval and help you confirm wallet unlock state before you connect a runtime.
Prerequisites
- Python 3.10+ with
pipxavailable - A browser session for wallet approval, or an existing proof file for non-interactive workflows
- Stable runtime identifiers for
runtime_id,agent_id, andworkspace_id - Your runtime or gateway can attach
X-Lemma-Credentialto protected requests
Default Path: Bring Your Own Runtime
Most developers should follow the generic proof-first path: start a wallet session, obtain a proof, and wire request headers in their own runtime.
lemma session start --api-base https://lemma.id
lemma session status --api-base https://lemma.id --json
Reference Path: Lemma Firewall
If you want the full reference runtime, gateway, and conformance sequence, use the dedicated Lemma Firewall wrapper command.
lemma setup-openclaw --api-base https://lemma.id
What Gets Installed Into Your Flow
- Proof-first request contract via
X-Lemma-Credentialon protected routes - Optional short-lived bearer compatibility via
/api/auth/exchange-proof - Runtime registration, policy defaults, and kill-switch controls in Agent Ops
- Decision logging and explainability endpoints for incident review
If you are using Lemma Firewall or internal validation scripts, the repo-local setup and firewall scripts remain available. Treat them as reference tooling, not as the default requirement for third-party runtime onboarding.