@llm-dev-ops/agentics-cli 1.4.4 → 1.4.7

package/dist/auth/role-permissions.js

@@ -0,0 +1,43 @@
+/**
+ * Role Permissions
+ *
+ * Lookup table for role-based access control.
+ * Three roles: owner, admin, member.
+ * Permissions enforced server-side.
+ */
+const ROLE_PERMISSIONS = {
+    owner: new Set([
+        'plan:read', 'plan:create', 'plan:delete', 'plan:approve',
+        'simulate:read', 'simulate:create', 'simulate:run', 'simulate:delete',
+        'deploy:read', 'deploy:create', 'deploy:run', 'deploy:rollback',
+        'export:read', 'export:create',
+        'policy:read', 'policy:create', 'policy:edit', 'policy:delete',
+        'org:read', 'org:manage',
+        'usage:read', 'usage:reset',
+    ]),
+    admin: new Set([
+        'plan:read', 'plan:create', 'plan:delete', 'plan:approve',
+        'simulate:read', 'simulate:create', 'simulate:run', 'simulate:delete',
+        'deploy:read', 'deploy:create', 'deploy:run', 'deploy:rollback',
+        'export:read', 'export:create',
+        'policy:read', 'policy:create', 'policy:edit', 'policy:delete',
+        'org:read',
+        'usage:read',
+    ]),
+    member: new Set([
+        'plan:read', 'plan:create',
+        'simulate:read', 'simulate:create', 'simulate:run',
+        'deploy:read',
+        'export:read', 'export:create',
+        'policy:read',
+        'org:read',
+        'usage:read',
+    ]),
+};
+export function hasPermission(role, permission) {
+    return ROLE_PERMISSIONS[role]?.has(permission) ?? false;
+}
+export function getPermissions(role) {
+    return ROLE_PERMISSIONS[role] ?? new Set();
+}
+//# sourceMappingURL=role-permissions.js.map

package/dist/auth/role-permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-permissions.js","sourceRoot":"","sources":["../../src/auth/role-permissions.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAaH,MAAM,gBAAgB,GAA6C;IACjE,KAAK,EAAE,IAAI,GAAG,CAAa;QACzB,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc;QACzD,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAE,iBAAiB;QACrE,aAAa,EAAE,eAAe,EAAE,YAAY,EAAE,iBAAiB;QAC/D,aAAa,EAAE,eAAe;QAC9B,aAAa,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe;QAC9D,UAAU,EAAE,YAAY;QACxB,YAAY,EAAE,aAAa;KAC5B,CAAC;IACF,KAAK,EAAE,IAAI,GAAG,CAAa;QACzB,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc;QACzD,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAE,iBAAiB;QACrE,aAAa,EAAE,eAAe,EAAE,YAAY,EAAE,iBAAiB;QAC/D,aAAa,EAAE,eAAe;QAC9B,aAAa,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe;QAC9D,UAAU;QACV,YAAY;KACb,CAAC;IACF,MAAM,EAAE,IAAI,GAAG,CAAa;QAC1B,WAAW,EAAE,aAAa;QAC1B,eAAe,EAAE,iBAAiB,EAAE,cAAc;QAClD,aAAa;QACb,aAAa,EAAE,eAAe;QAC9B,aAAa;QACb,UAAU;QACV,YAAY;KACb,CAAC;CACH,CAAC;AAEF,MAAM,UAAU,aAAa,CAAC,IAAa,EAAE,UAAsB;IACjE,OAAO,gBAAgB,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAa;IAC1C,OAAO,gBAAgB,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC;AAC7C,CAAC"}

package/dist/cli/index.js

@@ -64,20 +64,43 @@ import { executeWhoamiCommand, formatWhoamiForDisplay } from '../commands/whoami
 import { executeLogoutCommand, formatLogoutForDisplay } from '../commands/logout.js';
 import { executePlanCommand, executePlanListCommand, executePlanCreateCommand, executePlanInspectCommand, executePlanDeleteCommand, executePlanApproveCommand, formatPlansListForDisplay, formatPlanForDisplay, } from '../commands/plan.js';
 import { executeSimulateCommand, executeSimulateListCommand, executeSimulateCreateCommand, executeSimulateInspectCommand, executeSimulateDeleteCommand, executeSimulateRunCommand, formatSimulationsListForDisplay, formatSimulationForDisplay, } from '../commands/simulate.js';
-import { executeInspectCommand, executeInspectLatestCommand, executeInspectRunCommand, formatResultsForDisplay, } from '../commands/inspect.js';
+import { executeInspectCommand, executeInspectLatestCommand, executeInspectRunCommand, executeInspectArtifactsCommand, formatResultsForDisplay, formatArtifactsForDisplay, } from '../commands/inspect.js';
 import { executeQuantifyCommand, executeQuantifyCreateCommand, executeQuantifyListCommand, executeQuantifyInspectCommand, executeQuantifyDeleteCommand, executeQuantifyCompareCommand, formatQuantifyForDisplay, formatQuantifyListForDisplay, formatCompareForDisplay, } from '../commands/quantify.js';
 import { executeDeployCommand, executeDeployPreviewCommand, executeDeployRunCommand, executeDeployStatusCommand, executeDeployRollbackCommand, executeDeployListCommand, formatDeployForDisplay, formatDeployListForDisplay, } from '../commands/deploy.js';
 import { executeExportCommand, executeExportTerraformCommand, executeExportKubernetesCommand, executeExportErpCommand, formatExportForDisplay, } from '../commands/export.js';
 import { executeDiligenceCommand } from '../commands/diligence.js';
 import { executeUsageCommand, executeUsageHistoryCommand, executeUsageLimitsCommand, executeUsageResetCommand, formatUsageForDisplay, formatHistoryForDisplay, formatLimitsForDisplay, } from '../commands/usage.js';
-import { executePolicyListCommand, executePolicyInspectCommand, executePolicyCreateCommand, executePolicyEditCommand, executePolicyDeleteCommand, executePolicyEnableCommand, executePolicyDisableCommand, formatPolicyForDisplay, formatPoliciesListForDisplay, } from '../commands/policy.js';
+import { executePolicyListCommand, executePolicyInspectCommand, executePolicyCreateCommand, executePolicyEditCommand, executePolicyDeleteCommand, executePolicyEnableCommand, executePolicyDisableCommand, executePolicyDryRunCommand, executePolicyScopeCommand, formatPolicyForDisplay, formatPoliciesListForDisplay, formatDryRunForDisplay, formatScopeForDisplay, } from '../commands/policy.js';
 import { executeErpListCommand, executeErpInspectCommand, executeErpSurfaceCommand, executeErpMapCommand, executeErpExportCommand, formatErpListForDisplay, formatErpInspectForDisplay, formatErpSurfaceForDisplay, formatErpMapForDisplay, formatErpExportForDisplay, } from '../commands/erp.js';
+// ============================================================================
+// CONTROL PLANE HARDENING GATES
+// ============================================================================
+// Gates are enforced in this order:
+// 1. Auth Session Gate - Requires authenticated session
+// 2. Service Health Gate - Validates Ruvector-backed service availability
+// 3. Output Format Gate - Enforces strict JSON output
+// 4. Execution Gate - Entitlement/kill-switch (existing)
+//
+// CRITICAL: CLI MUST fail loudly if any gate fails. No fallback behavior.
+// ============================================================================
 // Execution Gate - HARD KILL-SWITCH
 import { enforceExecutionGate } from '../gates/execution-gate.js';
+// Auth Session Gate - Requires authenticated session
+import { enforceAuthSessionGate, requiresAuthentication } from '../gates/auth-session-gate.js';
+// Service Health Gate - Validates Ruvector-backed services
+import { enforceServiceHealthGate, requiresHealthCheck } from '../gates/service-health-gate.js';
+// Output Format Gate - Enforces strict JSON output
+import { enforceOutputFormatGate, requiresStructuredOutput, getDefaultFormat } from '../gates/output-format-gate.js';
+// Argument Guard Gate - Validates argument types per ADR-001
+import { enforceArgumentGuard, requiresArgumentValidation } from '../gates/argument-guard.js';
+// Lineage Gate - Enforces simulation traceability per ADR-004
+import { enforceLineageGate, requiresLineageValidation } from '../gates/lineage-gate.js';
+// Help Renderer - Schema-driven help from COMMAND_REGISTRY (ADR-002 Decision 1)
+import { renderHelp } from '../modules/help-renderer.js';
 // ============================================================================
 // CLI Version
 // ============================================================================
-const VERSION = '1.4.4';
+const VERSION = '1.4.5';
 // ============================================================================
 // Main CLI Function
 // ============================================================================
@@ -118,13 +141,77 @@ async function main() {
         process.exit(EXIT_CODES.SUCCESS);
     }
     // ============================================================================
-    // HARD EXECUTION GATE - Enforced before ANY command dispatch
+    // CONTROL PLANE HARDENING - Multi-Gate Enforcement
+    // ============================================================================
+    // Gates are enforced in strict order. Each gate MUST pass before proceeding.
+    // Failure at any gate results in immediate process exit with clear error.
+    //
+    // Gate 1: Execution Gate (kill-switch)
+    // Gate 2: Authentication Gate (session required)
+    // Gate 3: Service Health Gate (Ruvector availability)
+    // Gate 4: Output Format Gate (strict JSON enforcement)
+    // Gate 5: Argument Guard Gate (ADR-001 argument type validation)
+    // Gate 6: Lineage Gate (ADR-004 simulation traceability)
+    // ============================================================================
+    // ============================================================================
+    // GATE 1: HARD EXECUTION GATE - Enforced before ANY command dispatch
     // ============================================================================
     // This is a global kill-switch that blocks all operational commands unless
     // execution is explicitly enabled. Only identity/help commands are allowed
     // when execution is disabled. This gate does NOT check entitlements, usage,
     // or billing - it is a binary on/off switch.
     enforceExecutionGate(parsed.command);
+    // ============================================================================
+    // GATE 2: AUTHENTICATION SESSION GATE - Requires valid credentials
+    // ============================================================================
+    // CLI requires authenticated session for ALL operational commands.
+    // Checks platform credentials first, then falls back to GCP credentials.
+    // CRITICAL: No anonymous operations are permitted.
+    if (requiresAuthentication(parsed.command)) {
+        await enforceAuthSessionGate();
+    }
+    // ============================================================================
+    // GATE 3: SERVICE HEALTH GATE - Validates Ruvector-backed services
+    // ============================================================================
+    // CLI MUST validate that Ruvector service is healthy before any operation.
+    // This ensures all operations are properly persisted and verifiable.
+    // CRITICAL: Abort immediately if service health check fails.
+    if (requiresHealthCheck(parsed.command)) {
+        await enforceServiceHealthGate();
+    }
+    // ============================================================================
+    // GATE 4: OUTPUT FORMAT GATE - Enforces strict JSON output
+    // ============================================================================
+    // CLI enforces strict JSON output for operational commands.
+    // Narrative output formats (text, table, csv) are blocked.
+    // CRITICAL: Only json and yaml formats are permitted.
+    if (requiresStructuredOutput(parsed.command)) {
+        const validatedFormat = enforceOutputFormatGate(options.format, parsed.command);
+        options.format = validatedFormat;
+    }
+    else {
+        // For non-operational commands, use default format
+        options.format = options.format ?? getDefaultFormat(parsed.command);
+    }
+    // ============================================================================
+    // GATE 5: ARGUMENT GUARD - Validates argument types per ADR-001
+    // ============================================================================
+    // Enforces ID vs natural language rules, blocks forbidden synthesis,
+    // and validates required arguments before any command dispatch.
+    // Derived from the ADR command registry (adr-command-semantics.ts).
+    if (requiresArgumentValidation(parsed.command)) {
+        enforceArgumentGuard(parsed);
+    }
+    // ============================================================================
+    // GATE 6: LINEAGE GATE - Enforces simulation traceability (ADR-004)
+    // ============================================================================
+    // Enterprise artifact-producing commands (erp surface, erp map, erp export)
+    // must reference a governed simulation. This ensures every integration
+    // proposal and ERP mapping traces back to a simulation run.
+    // CRITICAL: No enterprise artifact without simulation lineage.
+    if (requiresLineageValidation(parsed.command, parsed.subcommand)) {
+        enforceLineageGate(parsed);
+    }
     // Dispatch to command handlers
     try {
         let result = null;
@@ -267,13 +354,10 @@ async function main() {
                         }, null, parsed.flags['pretty'] ? 2 : 0));
                     }
                     else {
-                        console.log(`Plan approved (advisory): ${planApproveResult.plan.id}`);
+                        console.log(`Plan approved: ${planApproveResult.plan.id}`);
                         console.log(`  Previous status: ${planApproveResult.previous_status}`);
                         console.log(`  New status: ${planApproveResult.plan.status}`);
                         console.log(`  Approved by: ${planApproveResult.plan.approved_by ?? 'cli-user'}`);
-                        if (planApproveResult.advisory) {
-                            console.log('  Note: This was an advisory approval (no real execution performed)');
-                        }
                     }
                     if (options.verbose) {
                         console.error(`Approved in ${planApproveResult.timing}ms`);
@@ -389,17 +473,17 @@ async function main() {
                         }, null, parsed.flags['pretty'] ? 2 : 0));
                     }
                     else {
-                        console.log(`Simulation run completed (advisory): ${simRunResult.simulation.id}`);
-                        console.log(`  Previous status: ${simRunResult.previous_status}`);
-                        console.log(`  New status: ${simRunResult.simulation.status}`);
-                        if (simRunResult.advisory) {
-                            console.log('  Note: This was an advisory execution (no real execution performed)');
+                        console.log(`Simulation: ${simRunResult.simulation.id}`);
+                        console.log(`  Name:     ${simRunResult.simulation.name}`);
+                        console.log(`  Status:   ${simRunResult.simulation.status}`);
+                        if (simRunResult.simulation.result?.summary) {
+                            console.log(`  Result:   ${simRunResult.simulation.result.summary}`);
                         }
                     }
                     if (options.verbose) {
                         console.error(`Run completed in ${simRunResult.timing}ms`);
                     }
-                    process.exit(EXIT_CODES.SUCCESS);
+                    process.exit(simRunResult.simulation.status === 'failed' ? EXIT_CODES.GENERAL_ERROR : EXIT_CODES.SUCCESS);
                 }
                 // Default simulate behavior (execute simulation via orchestration)
                 const simInput = parsed.subcommand ?? parsed.positionalArgs[0] ?? '';
@@ -442,6 +526,26 @@ async function main() {
                     }
                     process.exit(EXIT_CODES.SUCCESS);
                 }
+                if (parsed.subcommand === 'artifacts') {
+                    const artifactRunId = parsed.positionalArgs[0] ?? '';
+                    const artifactsResult = await executeInspectArtifactsCommand({ id: artifactRunId }, options);
+                    if (options.format === 'json') {
+                        console.log(JSON.stringify({
+                            artifacts: artifactsResult.artifacts,
+                            run_id: artifactsResult.run_id,
+                            count: artifactsResult.count,
+                            found: artifactsResult.found,
+                            timing: artifactsResult.timing,
+                        }, null, parsed.flags['pretty'] ? 2 : 0));
+                    }
+                    else {
+                        console.log(formatArtifactsForDisplay(artifactsResult.artifacts, artifactsResult.run_id));
+                    }
+                    if (options.verbose) {
+                        console.error(`Query completed in ${artifactsResult.timing}ms`);
+                    }
+                    process.exit(EXIT_CODES.SUCCESS);
+                }
                 if (parsed.subcommand === 'run') {
                     const runId = parsed.positionalArgs[0] ?? '';
                     const runResult = await executeInspectRunCommand({ id: runId }, options);
@@ -664,11 +768,8 @@ async function main() {
                         }, null, parsed.flags['pretty'] ? 2 : 0));
                     }
                     else {
-                        console.log(`Deployment run completed (advisory): ${deployRunResult.result.id}`);
+                        console.log(`Deployment run completed: ${deployRunResult.result.id}`);
                         console.log(formatDeployForDisplay(deployRunResult.result));
-                        if (deployRunResult.advisory) {
-                            console.log('Note: This was an advisory execution (no real changes made)');
-                        }
                     }
                     if (options.verbose) {
                         console.error(`Run completed in ${deployRunResult.timing}ms`);
@@ -709,11 +810,8 @@ async function main() {
                         }, null, parsed.flags['pretty'] ? 2 : 0));
                     }
                     else {
-                        console.log(`Deployment rolled back (advisory): ${deployRollbackResult.result.id}`);
+                        console.log(`Deployment rolled back: ${deployRollbackResult.result.id}`);
                         console.log(formatDeployForDisplay(deployRollbackResult.result));
-                        if (deployRollbackResult.advisory) {
-                            console.log('Note: This was an advisory rollback (no real changes made)');
-                        }
                     }
                     if (options.verbose) {
                         console.error(`Rollback completed in ${deployRollbackResult.timing}ms`);
@@ -1193,9 +1291,47 @@ async function main() {
                     }
                     process.exit(EXIT_CODES.SUCCESS);
                 }
+                if (parsed.subcommand === 'dry-run') {
+                    const policyId = parsed.positionalArgs[0] ?? '';
+                    const contextStr = parsed.options['context'];
+                    const context = contextStr ? JSON.parse(contextStr) : undefined;
+                    const policyDryRunResult = await executePolicyDryRunCommand({ id: policyId, context }, options);
+                    if (options.format === 'json') {
+                        console.log(JSON.stringify({
+                            policy: policyDryRunResult.policy,
+                            evaluation: policyDryRunResult.evaluation,
+                            timing: policyDryRunResult.timing,
+                        }, null, parsed.flags['pretty'] ? 2 : 0));
+                    }
+                    else {
+                        console.log(formatDryRunForDisplay(policyDryRunResult));
+                    }
+                    if (options.verbose) {
+                        console.error(`Dry-run completed in ${policyDryRunResult.timing}ms`);
+                    }
+                    process.exit(EXIT_CODES.SUCCESS);
+                }
+                if (parsed.subcommand === 'scope') {
+                    const policyId = parsed.positionalArgs[0] ?? '';
+                    const policyScopeResult = await executePolicyScopeCommand({ id: policyId }, options);
+                    if (options.format === 'json') {
+                        console.log(JSON.stringify({
+                            policy: policyScopeResult.policy,
+                            scope: policyScopeResult.scope,
+                            timing: policyScopeResult.timing,
+                        }, null, parsed.flags['pretty'] ? 2 : 0));
+                    }
+                    else {
+                        console.log(formatScopeForDisplay(policyScopeResult));
+                    }
+                    if (options.verbose) {
+                        console.error(`Scope query completed in ${policyScopeResult.timing}ms`);
+                    }
+                    process.exit(EXIT_CODES.SUCCESS);
+                }
                 // Unknown subcommand
                 console.error(`Unknown policy subcommand: ${parsed.subcommand}`);
-                console.error('Supported subcommands: list, inspect, create, edit, delete, enable, disable');
+                console.error('Supported subcommands: list, inspect, create, edit, delete, enable, disable, dry-run, scope');
                 process.exit(EXIT_CODES.USAGE_ERROR);
             }
             default:
@@ -1247,140 +1383,9 @@ async function main() {
 // Help Output
 // ============================================================================
 function printHelp() {
-    console.log(`
-agentics - CLI for the Agentics Platform
-
-USAGE:
-  agentics <command> [options] [arguments]
-
-WORKFLOW:
-  The recommended end-to-end workflow follows these steps:
-
-  plan → simulate → inspect → quantify → deploy → export
-
-  1. plan      - Create a simulation plan from org manifest
-  2. simulate  - Execute simulation via agentics-simulation-runner
-  3. inspect   - Retrieve deterministic outputs from simulation-engine
-  4. quantify  - Generate CFO-grade ROI analysis (optional)
-  5. deploy    - Resolve deployment intent from simulation
-  6. export    - Generate deployment artifacts (terraform, k8s, etc.)
-
-COMMANDS:
-  login       Authenticate with the Agentics platform
-              Opens browser for authorization, stores API key locally
-  logout      Clear local authentication state
-              Removes credentials, requires re-login for protected commands
-  whoami      Show current identity and authentication status
-              Reflects actual env/config state, no network calls
-  plan        Create a simulation plan from manifest
-              Uses: agentics-simulation-planner
-  simulate    Execute a simulation from a plan
-              Uses: agentics-simulation-runner → agentics-simulation-engine
-  inspect     Query simulation results (read-only)
-              Uses: agentics-results-index
-  quantify    Generate ROI/financial impact analysis
-              Uses: enterprise-roi-engine
-  deploy      Resolve deployment intent from simulation
-              Uses: agentics-deployment-intent
-  export      Generate deployment artifacts
-              Uses: agentics-deployment-exporters
-  diligence   Package compliance artifacts
-              Uses: diligence-artifacts
-  usage       Check usage balance and connectivity
-              Uses: agentics-usage-ledger
-  version     Show version information
-  help        Show this help message
-
-GLOBAL OPTIONS:
-  --timeout <ms>     Request timeout in milliseconds
-  --trace-id <id>    Correlation ID for tracing
-  --format <fmt>     Output format: json, yaml, table, text, csv
-  --verbose, -v      Enable verbose output
-  --pretty           Pretty-print output
-  --help, -h         Show help
-
-COMMAND OPTIONS:
-  login:
-    --no-browser             Skip opening browser automatically
-
-  plan:
-    --params <json>          Parameters for plan creation
-
-  simulate:
-    --config <json>          Runtime configuration
-    --iterations <n>         Number of iterations (default: 1)
-
-  inspect:
-    --depth <type>           Output depth: summary, detailed, full (default: summary)
-    --include-metrics        Include metrics in output
-    --include-traces         Include trace data in output
-
-  quantify:
-    --report-type <type>     Report type: executive-summary, detailed-analysis,
-                             cfo-grade, custom (default: cfo-grade)
-    --params <json>          Additional parameters for ROI calculation
-
-  deploy:
-    --spec <json>            Intent specification
-    --environment <env>      Target environment
-
-  export:
-    --export-format <fmt>    Format: terraform, kubernetes, cloudformation,
-                             pulumi, ansible, custom (default: terraform)
-    --output <path>          Output path for artifacts
-
-  diligence:
-    --frameworks <list>      Comma-separated: SOC2, HIPAA, GDPR, PCI-DSS, custom
-    --requirements <json>    Custom requirements
-
-EXAMPLES:
-  # Authenticate with the platform
-  agentics login
-  agentics login --no-browser
-
-  # Complete workflow example (with JSON references)
-  agentics plan "production-deployment"
-  agentics simulate '{"id":"plan-123",...}' --iterations 10
-  agentics inspect '{"id":"sim-456",...}' --output-type metrics
-  agentics quantify '{"id":"sim-456",...}' --report-type cfo-grade
-  agentics deploy '{"id":"sim-456",...}' --environment staging
-  agentics export '{"id":"intent-789",...}' --export-format terraform
-  agentics diligence '[{"id":"ref-1"},...]' --frameworks SOC2,HIPAA
-
-  # Natural language input (Claude-style invocation)
-  agentics simulate "run an enterprise ERP cost optimization simulation"
-  agentics inspect "show me the results from the last production test"
-  agentics quantify "calculate ROI for the Q4 infrastructure upgrade"
-  agentics deploy "deploy the microservices update to staging"
-  agentics export "generate terraform for the new kubernetes cluster"
-  agentics diligence "package compliance docs for the SOC2 audit"
-
-ENVIRONMENT VARIABLES:
-  AGENTICS_LOCAL_DEV             Set to 'true' to enable local development mode
-                                 (required to use localhost endpoints)
-  AGENTICS_PLATFORM_URL          Override platform URL for authentication
-  AGENTICS_MANIFESTS_URL         Override manifests service URL
-  AGENTICS_PLANNER_URL           Override planner service URL
-  AGENTICS_RUNNER_URL            Override runner service URL
-  AGENTICS_SIMULATION_ENGINE_URL Override simulation engine URL
-  AGENTICS_RESULTS_INDEX_URL     Override results index URL
-  ENTERPRISE_ROI_ENGINE_URL      Override ROI engine URL
-  AGENTICS_INTENT_URL            Override intent service URL
-  AGENTICS_EXPORTERS_URL         Override exporters service URL
-  DILIGENCE_URL                  Override diligence service URL
-  AGENTICS_USAGE_LEDGER_URL      Override usage ledger service URL
-
-LOCALHOST SAFEGUARD:
-  By default, the CLI targets production Cloud Run endpoints.
-  Localhost endpoints are blocked unless AGENTICS_LOCAL_DEV=true is set.
-  This prevents accidental local execution in production environments.
-
-PLATFORM UI:
-  For API key management and interactive workflows, visit:
-  https://platform.agentics.dev
-
-For more information, visit: https://docs.agentics.dev/cli
-`);
+    // ADR-002 Decision 1: Help output generated from COMMAND_REGISTRY.
+    // See src/modules/help-renderer.ts — all content derives from the schema.
+    console.log(renderHelp());
 }
 // ============================================================================
 // Entry Point