toolgovern-cli 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +57 -0
- package/package.json +2 -2
package/README.md
ADDED
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# toolgovern-cli
|
|
2
|
+
|
|
3
|
+
[](https://www.npmjs.com/package/toolgovern-cli)
|
|
4
|
+
[](https://github.com/RudrenduPaul/toolgovern/actions/workflows/ci.yml)
|
|
5
|
+
[](https://github.com/RudrenduPaul/toolgovern/blob/main/LICENSE)
|
|
6
|
+
|
|
7
|
+
Validate [toolgovern](https://www.npmjs.com/package/toolgovern) policy files and audit local gate
|
|
8
|
+
traces from the command line, without needing a hosted dashboard.
|
|
9
|
+
|
|
10
|
+
```bash
|
|
11
|
+
npx toolgovern-cli validate ./toolgovern.policy.yml
|
|
12
|
+
npx toolgovern-cli audit ./toolgovern-trace.jsonl --since 24h --decision deny
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
## Commands
|
|
16
|
+
|
|
17
|
+
### `validate <policy-file>`
|
|
18
|
+
|
|
19
|
+
Checks a `toolgovern.policy.yml` file's structure and rule references before it loads at runtime.
|
|
20
|
+
|
|
21
|
+
```
|
|
22
|
+
$ toolgovern-cli validate ./toolgovern.policy.example.yml
|
|
23
|
+
OK ./toolgovern.policy.example.yml is a valid toolgovern policy.
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### `audit <trace-file> [flags]`
|
|
27
|
+
|
|
28
|
+
Reads a local trace file written by `toolgovern`'s `TraceWriter` and filters it.
|
|
29
|
+
|
|
30
|
+
```
|
|
31
|
+
$ toolgovern-cli audit ./toolgovern-trace.jsonl --decision deny
|
|
32
|
+
DENY research-sub -> bash [TG01-pipe-to-shell, TG03-network-disabled, TG03-known-paste-relay] 2026-07-12T01:39:22.581Z
|
|
33
|
+
|
|
34
|
+
1 of 2 trace entries matched.
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
| Flag | What it does |
|
|
38
|
+
| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
39
|
+
| `--since <window>` | Only entries within the window, e.g. `24h`, `7d` |
|
|
40
|
+
| `--decision <allow\|deny\|require-approval>` | Filter by gate decision |
|
|
41
|
+
| `--agent <id>` | Filter by agent identity |
|
|
42
|
+
| `--rule <ruleId>` | Filter by which rule fired |
|
|
43
|
+
| `--verify-chain` | Recompute every entry's signature and confirm the `prior_trace_id` chain is intact -- add `--key-file <path>` if the trace was written with an HMAC `secretKey` |
|
|
44
|
+
|
|
45
|
+
## Why a CLI, not just a library
|
|
46
|
+
|
|
47
|
+
`toolgovern`'s `TraceWriter` produces a plain, append-only JSON Lines file on your own machine --
|
|
48
|
+
no server, no account. `toolgovern-cli` is the read side of that: a way to actually look at what
|
|
49
|
+
your agents did without writing a parser yourself, and a way to check `--verify-chain` proves the
|
|
50
|
+
trace hasn't been quietly edited after the fact.
|
|
51
|
+
|
|
52
|
+
See the [full toolgovern documentation](https://github.com/RudrenduPaul/toolgovern) on GitHub for
|
|
53
|
+
the middleware itself, the rule pack, and the trace format spec.
|
|
54
|
+
|
|
55
|
+
## License
|
|
56
|
+
|
|
57
|
+
Apache 2.0. See [LICENSE](https://github.com/RudrenduPaul/toolgovern/blob/main/LICENSE).
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "toolgovern-cli",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.1",
|
|
4
4
|
"description": "CLI for toolgovern -- validate policy files and audit local gate traces.",
|
|
5
5
|
"license": "Apache-2.0",
|
|
6
6
|
"type": "module",
|
|
@@ -26,7 +26,7 @@
|
|
|
26
26
|
"clean": "rm -rf dist"
|
|
27
27
|
},
|
|
28
28
|
"dependencies": {
|
|
29
|
-
"toolgovern": "0.1.
|
|
29
|
+
"toolgovern": "0.1.1",
|
|
30
30
|
"yaml": "^2.6.1"
|
|
31
31
|
},
|
|
32
32
|
"devDependencies": {
|