toolgovern-cli 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +57 -0
  2. package/package.json +2 -2
package/README.md ADDED
@@ -0,0 +1,57 @@
1
+ # toolgovern-cli
2
+
3
+ [![npm version](https://img.shields.io/npm/v/toolgovern-cli.svg)](https://www.npmjs.com/package/toolgovern-cli)
4
+ [![CI](https://github.com/RudrenduPaul/toolgovern/actions/workflows/ci.yml/badge.svg)](https://github.com/RudrenduPaul/toolgovern/actions/workflows/ci.yml)
5
+ [![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/RudrenduPaul/toolgovern/blob/main/LICENSE)
6
+
7
+ Validate [toolgovern](https://www.npmjs.com/package/toolgovern) policy files and audit local gate
8
+ traces from the command line, without needing a hosted dashboard.
9
+
10
+ ```bash
11
+ npx toolgovern-cli validate ./toolgovern.policy.yml
12
+ npx toolgovern-cli audit ./toolgovern-trace.jsonl --since 24h --decision deny
13
+ ```
14
+
15
+ ## Commands
16
+
17
+ ### `validate <policy-file>`
18
+
19
+ Checks a `toolgovern.policy.yml` file's structure and rule references before it loads at runtime.
20
+
21
+ ```
22
+ $ toolgovern-cli validate ./toolgovern.policy.example.yml
23
+ OK ./toolgovern.policy.example.yml is a valid toolgovern policy.
24
+ ```
25
+
26
+ ### `audit <trace-file> [flags]`
27
+
28
+ Reads a local trace file written by `toolgovern`'s `TraceWriter` and filters it.
29
+
30
+ ```
31
+ $ toolgovern-cli audit ./toolgovern-trace.jsonl --decision deny
32
+ DENY research-sub -> bash [TG01-pipe-to-shell, TG03-network-disabled, TG03-known-paste-relay] 2026-07-12T01:39:22.581Z
33
+
34
+ 1 of 2 trace entries matched.
35
+ ```
36
+
37
+ | Flag | What it does |
38
+ | -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
39
+ | `--since <window>` | Only entries within the window, e.g. `24h`, `7d` |
40
+ | `--decision <allow\|deny\|require-approval>` | Filter by gate decision |
41
+ | `--agent <id>` | Filter by agent identity |
42
+ | `--rule <ruleId>` | Filter by which rule fired |
43
+ | `--verify-chain` | Recompute every entry's signature and confirm the `prior_trace_id` chain is intact -- add `--key-file <path>` if the trace was written with an HMAC `secretKey` |
44
+
45
+ ## Why a CLI, not just a library
46
+
47
+ `toolgovern`'s `TraceWriter` produces a plain, append-only JSON Lines file on your own machine --
48
+ no server, no account. `toolgovern-cli` is the read side of that: a way to actually look at what
49
+ your agents did without writing a parser yourself, and a way to check `--verify-chain` proves the
50
+ trace hasn't been quietly edited after the fact.
51
+
52
+ See the [full toolgovern documentation](https://github.com/RudrenduPaul/toolgovern) on GitHub for
53
+ the middleware itself, the rule pack, and the trace format spec.
54
+
55
+ ## License
56
+
57
+ Apache 2.0. See [LICENSE](https://github.com/RudrenduPaul/toolgovern/blob/main/LICENSE).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "toolgovern-cli",
3
- "version": "0.1.0",
3
+ "version": "0.1.1",
4
4
  "description": "CLI for toolgovern -- validate policy files and audit local gate traces.",
5
5
  "license": "Apache-2.0",
6
6
  "type": "module",
@@ -26,7 +26,7 @@
26
26
  "clean": "rm -rf dist"
27
27
  },
28
28
  "dependencies": {
29
- "toolgovern": "0.1.0",
29
+ "toolgovern": "0.1.1",
30
30
  "yaml": "^2.6.1"
31
31
  },
32
32
  "devDependencies": {