general-augment-cli 0.1.0__py3-none-any.whl

general_augment_cli-0.1.0.dist-info/METADATA

@@ -0,0 +1,180 @@
+Metadata-Version: 2.4
+Name: general-augment-cli
+Version: 0.1.0
+Summary: Standalone CLI for General Augment.
+Author: General Augment
+License-Expression: MIT
+Requires-Python: >=3.12
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: pydantic>=2.7.0
+Requires-Dist: pyyaml>=6.0.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: typer[all]>=0.12.0
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.23.0; extra == 'dev'
+Requires-Dist: pytest>=8.0.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# General Augment CLI
+
+Standalone developer CLI for General Augment.
+
+During private beta, use the repo-local command prefix unless the published package is
+available in your Python package index:
+
+```bash
+uv run --project packages/cli genaug --version
+uv run --project packages/cli genaug --help
+```
+
+When the package is available, the same commands work through the installed `genaug`
+entrypoint:
+
+```bash
+pip install general-augment-cli
+genaug --version
+genaug auth login --api-key gaadmlive...
+genaug doctor
+genaug projects list
+genaug init dayplan-agent --tool web_search
+genaug integrate https://petstore3.swagger.io/api/v3/openapi.json
+genaug validate ./petstore-agent/genaug-agent.yaml
+genaug deploy ./petstore-agent/genaug-agent.yaml
+genaug keys create --project petstore-agent --name "Production backend"
+genaug mock --host 127.0.0.1 --port 8787 --quiet
+genaug smoke --idempotency-key smoke-replay-1 --metadata feature=spark
+genaug smoke --project petstore-agent
+genaug verify --project petstore-agent
+genaug onboarding verify --project petstore-agent --json
+```
+
+If the package install fails during private beta, keep using
+`uv run --project packages/cli genaug ...` from the General Augment repository instead
+of assuming the package has shipped to your package index.
+
+`genaug auth login` verifies the key against `/api/v1/admin/me` before writing local
+config. The CLI stores auth at `~/.genaug/config.yaml` by default with owner-only file
+permissions. Set
+`GENAUG_CLI_CONFIG` to use a custom path.
+
+Preferred environment overrides:
+
+```bash
+export GENAUG_ADMIN_API_KEY=gaadmlive...
+export GENAUG_ADMIN_BASE_URL=https://api.generalaugment.com
+```
+
+`GENAUG_API_KEY` and `GENAUG_API_BASE_URL` are also accepted, which keeps local
+mock and SDK test scripts easy to share.
+
+The generated manifest is `genaug-agent.yaml`. Use `genaug init <name>` when you want
+a starter agent before an OpenAPI spec exists. Use
+`genaug integrate <openapi-spec> --auto-deploy` when you want the CLI to create or
+update the project and register the generated OpenAPI tools in one pass. Without
+`--auto-deploy`, review the scaffold first, then run
+`genaug validate ./<agent>/genaug-agent.yaml` and
+`genaug deploy ./<agent>/genaug-agent.yaml`. `deploy` runs the same local validation
+before calling the hosted API. Both scaffolds include
+`CODING_AGENT_PROMPT.md`, which is the paste-ready backend handoff for a coding agent.
+
+## Common workflows
+
+- Auth: `genaug auth login`, `genaug auth whoami`, `genaug auth logout`
+- Starter scaffold: `genaug init <name> --tool web_search`
+- Local config validation: `genaug validate ./genaug-agent.yaml --json`
+- Projects: `genaug projects list`, `genaug projects create`, `genaug projects usage`,
+  `genaug projects runtime-policy`, `genaug projects export`, `genaug projects archive`
+- API keys: `genaug keys create`, `genaug keys list`, `genaug keys update`,
+  `genaug keys revoke`
+- Skills, tools, and channels: `genaug skills list`, `genaug skills view`,
+  `genaug skills apply`, `genaug skills delete`, `genaug tools list`, `genaug tools toggle`,
+  `genaug tools discovery`, `genaug channels status`, `genaug channels connect`,
+  `genaug channels test`, `genaug channels disconnect`. Telegram supports connect,
+  test, and disconnect; WhatsApp/SMS support sender configuration and clearing.
+- MCP servers: `genaug mcp list`, `genaug mcp add`, `genaug mcp test`,
+  `genaug mcp delete`. Use exactly one transport per server: `--url` for HTTP
+  endpoints or `--command` for stdio servers.
+- Model providers: `genaug model-providers list`, `genaug model-providers set`,
+  `genaug model-providers health`, `genaug model-providers revoke`
+- Billing: `genaug billing checkout`, `genaug billing portal`,
+  `genaug billing events`
+- Memory: `genaug memory store`, `genaug memory search`, `genaug memory profile`,
+  `genaug memory delete`, `genaug memory purge-user`
+- Users and identity: `genaug users list`, `genaug users detail`,
+  `genaug users delete`, `genaug identity list`, `genaug identity create-test`,
+  `genaug identity link-user`, `genaug identity verification-code`,
+  `genaug identity magic-link`, `genaug identity verify`,
+  `genaug identity resolve`, `genaug identity unlink`
+- Observability: `genaug observability trace`, `genaug observability support-bundle`
+- Approvals: `genaug approvals list`, `genaug approvals approve`, `genaug approvals deny`
+- Operations: `genaug doctor`, `genaug status`, `genaug logs`
+- App smoke checks: `genaug smoke --message "Reply exactly with: ok"`,
+  `genaug smoke --structured`, `genaug smoke --json`
+- Project acceptance checks: `genaug verify --project <project-slug>`, which checks
+  project keys, hosted agent test, tools, logs, usage, usage limits, observability,
+  runtime policy model routing, memory lifecycle, and tool-call audit before printing
+  dashboard URLs for the same tenant.
+- One-command onboarding gate: `genaug onboarding verify --project <project-slug> --json`,
+  which wraps the same project checks with CLI/API version metadata and a coding-agent
+  friendly ready/blocked payload.
+- Local development: `genaug dev ./genaug-agent.yaml --message "Hello"`
+- Local mock testing: `genaug mock --host 127.0.0.1 --port 8787 --quiet`
+
+## Billing
+
+```bash
+genaug billing checkout --project dayplan-agent --tier pro
+genaug billing portal --project dayplan-agent
+genaug billing events --project dayplan-agent --json
+```
+
+Use these commands for hosted billing actions when Stripe is configured for the
+project. `checkout` returns a hosted Stripe Checkout URL for Pro or Team, `portal`
+returns a hosted Stripe Customer Portal URL for linked customers, and `events` lists
+stored Stripe webhook events such as checkout completion, invoice payment, and payment
+failure. These commands do not create Stripe products, prices, or webhooks directly;
+those stay in the server-side billing setup and readiness flow.
+
+For a full CLI-to-dashboard onboarding proof from this repository, run:
+
+```bash
+make app-developer-onboarding-smoke
+```
+
+That harness creates a fresh dummy tenant from a richer OpenAPI fixture, proves
+generated tool governance, deploys SOUL.md and skills, sends real `/v1/responses`
+smokes for multiple app users, runs `genaug verify --json`, starts an owned dashboard
+dev server, and writes JSON evidence plus screenshots for the project overview, skills,
+tools, integrate, and analytics pages. Add `GENAUG_DASHBOARD_SMOKE_ARCHIVE_PROJECT=1`
+when CI should archive the created smoke project after the artifact is captured.
+
+`genaug smoke` checks `/health/ready` and sends one project-keyed `/v1/responses`
+request using bearer auth. Use `--idempotency-key`, `--request-id`, `--traceparent`,
+and repeated `--metadata key=value` flags when you need replayable support/debug
+evidence from hosted API or the local mock. Use `--project <project-slug>` when the
+configured key is a management key and the app-facing request needs `X-Project-ID`.
+Use `--structured` to request the default `json_schema` smoke response, or
+`--schema-file ./schema.json` to verify an app-specific structured-output contract.
+With `--json`, smoke output includes the `/health/ready` payload, the full
+`/v1/responses` object, `response_id`, `request_id`, and `trace_id` so automation can
+prove health and tracing from one command.
+
+When the API returns a rate-limit `429`, the CLI prints the stable reason and
+`Retry-After` timing when the platform includes them.
+
+`genaug doctor` checks the resolved config path, base URL, API key presence,
+`/health/ready`, and `/api/v1/admin/me` without printing secret values. Run it before
+`integrate` when a new developer is unsure whether local auth or network setup is the
+problem.
+
+`genaug mock` runs the deterministic local HTTP mock. Use it for offline app contract tests against
+`/v1/responses`, memory routes, project setup, OpenAPI tool registration, key
+management, logs, usage, observability, health checks, idempotency replays, trace
+metadata, structured-output fixtures, and semantic SSE fixtures.
+
+The console commands are defined in `pyproject.toml`:
+
+```toml
+[project.scripts]
+genaug = "platform_cli.main:app"
+```

general_augment_cli-0.1.0.dist-info/RECORD

@@ -0,0 +1,42 @@
+platform_cli/__init__.py,sha256=DBLEXhxNCZ-Ktmkv1pHf96Gxdju6CudLAXko3tNUNlc,103
+platform_cli/branding.py,sha256=bIf4iFjfhqdZCyi8SLrj7ntfh7ntd5lx-WT822sRzUM,808
+platform_cli/client.py,sha256=lrI5ZQhsbvf40J9cLbKDF_pdED4UzEbXNTjxlkEaxPk,5774
+platform_cli/config.py,sha256=vrS5EQf3ga_V5ogHR-QjIzrJF9haNGbCf5VYuG6tUcM,3329
+platform_cli/errors.py,sha256=winlh1baNtsGOITbUVLi6_4qsPD0waBHhHMQ5LACDSM,3377
+platform_cli/local_mock.py,sha256=cwb-sj59kdc16sBIbbjUWl9Y0bAtpniW_grjxd4p-eU,56202
+platform_cli/main.py,sha256=NNwCV0WQTuTnc5WnxaNRsuPKFjJk-dq7rjgKW42GMiM,3717
+platform_cli/openapi.py,sha256=WTDc7_kXU2QSEvl4gUfVnhM7DL2okBqhq1pHT-miGHw,38949
+platform_cli/output.py,sha256=7Cu_oXlAaC-C2-zoU5DHqwYPaSwkH7cASo-ZQZlUgdM,1229
+platform_cli/readiness.py,sha256=6upaOGnmpQrY9OadEgvkaOZBxkM0cWGkCZyTRZdOZuQ,5505
+platform_cli/runtime.py,sha256=sacxB7xcX1OqIG1XpbT4AGwZorcGBRCopqaPs9pQK-4,566
+platform_cli/commands/__init__.py,sha256=A8DLS6s7JOgyk1tKlSPcVH1JOS1WCon1VWyG5kXjcKs,52
+platform_cli/commands/approvals.py,sha256=tUfYBtOhuH-mG2yLlopKE8Cu0O2zHCZS_KWhxVe-Ptw,4724
+platform_cli/commands/auth.py,sha256=8F8zEngqU9OCtSPaK1OKSXnQ6l8PQ6JjXReuqCtwvCc,3174
+platform_cli/commands/billing.py,sha256=pf7YM7B1VDN4MoQTzKeKKS6tcZWr8TpRoWy_eExdNc4,4656
+platform_cli/commands/channels.py,sha256=tw3AdUeheJvluoExQ5VCxTG_Q-TLVxnEW9cjgMb2yfY,8117
+platform_cli/commands/deploy.py,sha256=toQfSh3oSbjXAi6UtG0Ptg5xZgsAs5QmtHwvqUTywl8,2363
+platform_cli/commands/dev.py,sha256=NDZ09zqwHkpO2XrF7tc9z1RBVUx2QC9jROX7Vd5Xf2w,1134
+platform_cli/commands/doctor.py,sha256=DCuRA4QEm_eDvSdm84vV2iSzNsBngVEuT9OjX4fJ-nc,5414
+platform_cli/commands/identity.py,sha256=FpjAVxPU4_C9UNkh5V8uCgIiAHXG2fxX9dIdFjA0i2U,14636
+platform_cli/commands/init.py,sha256=AN5MtGnqyxi16DD6gWigN3ZR4t4iTreSKQ6JwBqiwYo,2145
+platform_cli/commands/integrate.py,sha256=RMEFEEsSd6oDFob2jOzlD_Fg6loBI2fDy0SzBI42HUc,3515
+platform_cli/commands/keys.py,sha256=f1aS4oDx41MEeYXZYGebPoP4-cMpHBifCmwFrB0Tdf8,4101
+platform_cli/commands/logs.py,sha256=rpaMIEFLWRHaFqZeoH6Ea371kXdeqrB2hXL5rNajKj0,1415
+platform_cli/commands/mcp.py,sha256=2JULbTBiPqNZPSV0Szl6r4lxAnA0Q9l5WDKDCQKicVU,8759
+platform_cli/commands/memory.py,sha256=vVh8Mi5NQn5q7pCZMnTQR-LfWV8grEftiMYThbmVZMA,10644
+platform_cli/commands/mock.py,sha256=yo27qm8siuF6ij-dX27MmDGjR4o1HT_TVMNf5F8--oA,860
+platform_cli/commands/model_providers.py,sha256=gSvz3eHvF73Y73dtLgXJPkWlMTGNm26rH09_R4vkwdM,8006
+platform_cli/commands/observability.py,sha256=OzChmay-LzzKbGiHmUR4uxW6w2biKUiwFddp-7oC9_w,5868
+platform_cli/commands/onboarding.py,sha256=5cVn2A_me19SWhIMVqtVV6HX1t-e29S6-Uuj1tTa_1I,2735
+platform_cli/commands/projects.py,sha256=xAk83RQ-l3fzZTT7M2xiBz4LFLFNdBjMsLfFptuueFg,10874
+platform_cli/commands/skills.py,sha256=YTzrAMecdYZL8eZJX0zEmXSbq_HaQ97S6xWGtHYUN6Q,3900
+platform_cli/commands/smoke.py,sha256=C8XGfG_UZ6huOuaIfbZuHDF_vG-Te_Xj49q9Zgiufhw,9521
+platform_cli/commands/status.py,sha256=Cgce1sM_Qesajb_0iihoPq7pj6OqldRn-CLS_Ojhcdg,1893
+platform_cli/commands/tools.py,sha256=Oel0Zhc0HDJMXYMhqLtg4Mw4PGCu9D68_HLGK2yY7rc,6184
+platform_cli/commands/users.py,sha256=fJtulN-If1ofAMnOUFMkv6blnc2e_KIOilMaoovV0oE,5191
+platform_cli/commands/validate.py,sha256=OcRz5ciUX8B_Dh-K6PDryc3MnyoJNBJgt8g3TCp555s,3247
+platform_cli/commands/verify.py,sha256=q1a8Jxb_RzXy4JG3o1SO14trkQB30co8vvBk_OsbE5U,21798
+general_augment_cli-0.1.0.dist-info/METADATA,sha256=Qupg4x7qEgZUvG3txFkYIHk8XutJ4D5J_dlIxifjRcU,8629
+general_augment_cli-0.1.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+general_augment_cli-0.1.0.dist-info/entry_points.txt,sha256=gIrBMQrsprNFXJjV_Xo6afAg7HILdJ611BoJnoAiAVU,49
+general_augment_cli-0.1.0.dist-info/RECORD,,

general_augment_cli-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.29.0
+Root-Is-Purelib: true
+Tag: py3-none-any

general_augment_cli-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+genaug = platform_cli.main:app

platform_cli/__init__.py

@@ -0,0 +1,5 @@
+"""Standalone CLI package for the agent platform."""
+
+__all__ = ["__version__"]
+
+__version__ = "0.1.0"

platform_cli/branding.py

@@ -0,0 +1,27 @@
+"""Small branding model for standalone CLI copy."""
+
+from __future__ import annotations
+
+import os
+
+from pydantic import BaseModel, Field
+
+
+class Branding(BaseModel):
+    """User-facing CLI branding loaded from environment variables."""
+
+    product_name: str = Field(
+        default_factory=lambda: os.getenv("BRAND_PRODUCT_NAME", "General Augment"),
+    )
+    product_slug: str = Field(
+        default_factory=lambda: os.getenv("BRAND_PRODUCT_SLUG", "general-augment"),
+    )
+    docs_url: str = Field(
+        default_factory=lambda: os.getenv("BRAND_DOCS_URL", "https://docs.generalaugment.com"),
+    )
+    api_key_prefix: str = Field(default_factory=lambda: os.getenv("BRAND_API_KEY_PREFIX", "gaadm"))
+
+
+def get_branding() -> Branding:
+    """Return current process branding."""
+    return Branding()

platform_cli/client.py

@@ -0,0 +1,179 @@
+"""Thin HTTP client for the standalone CLI."""
+
+from __future__ import annotations
+
+from collections.abc import Mapping
+from typing import Any
+from urllib.parse import quote
+
+import httpx
+
+from platform_cli.config import CLIConfig
+from platform_cli.errors import APIError, CLIError
+
+ADMIN_PREFIX = "/api/v1/admin"
+INTEGRATIONS_PREFIX = "/api/v1/integrations"
+REQUEST_TIMEOUT_SECONDS = 30.0
+
+
+class PlatformClient:
+    """Synchronous HTTP client for platform admin and public endpoints."""
+
+    def __init__(self, config: CLIConfig, *, timeout: float = REQUEST_TIMEOUT_SECONDS) -> None:
+        """Initialize the client from CLI config."""
+        self.config = config
+        self.base_url = config.base_url.rstrip("/")
+        self.timeout = timeout
+        self._client = httpx.Client(timeout=timeout)
+
+    def close(self) -> None:
+        """Close the underlying HTTP client."""
+        self._client.close()
+
+    def __enter__(self) -> PlatformClient:
+        """Return this client in context managers."""
+        return self
+
+    def __exit__(self, *_: object) -> None:
+        """Close this client."""
+        self.close()
+
+    def admin(
+        self,
+        method: str,
+        path: str,
+        *,
+        json: Mapping[str, Any] | None = None,
+        params: Mapping[str, Any] | None = None,
+    ) -> Any:
+        """Call an admin API endpoint."""
+        if not self.config.api_key:
+            raise CLIError("No API key configured. Run genaug auth login first.")
+        return self._request(
+            method,
+            f"{ADMIN_PREFIX}{path}",
+            json=json,
+            params=params,
+            authenticated=True,
+        )
+
+    def public(
+        self,
+        method: str,
+        path: str,
+        *,
+        params: Mapping[str, Any] | None = None,
+    ) -> Any:
+        """Call a public API endpoint."""
+        return self._request(method, path, params=params, authenticated=False)
+
+    def integrations(
+        self,
+        method: str,
+        path: str,
+        *,
+        json: Mapping[str, Any] | None = None,
+        params: Mapping[str, Any] | None = None,
+    ) -> Any:
+        """Call an app-integration endpoint with admin API-key auth."""
+        if not self.config.api_key:
+            raise CLIError("No API key configured. Run genaug auth login first.")
+        return self._request(
+            method,
+            f"{INTEGRATIONS_PREFIX}{path}",
+            json=json,
+            params=params,
+            authenticated=True,
+        )
+
+    def app(
+        self,
+        method: str,
+        path: str,
+        *,
+        json: Mapping[str, Any] | None = None,
+        params: Mapping[str, Any] | None = None,
+        headers: Mapping[str, str] | None = None,
+    ) -> Any:
+        """Call an app-facing endpoint using bearer auth."""
+        if not self.config.api_key:
+            raise CLIError("No API key configured. Run genaug auth login first.")
+        return self._request(
+            method,
+            path,
+            json=json,
+            params=params,
+            extra_headers=headers,
+            authenticated=True,
+            auth_mode="bearer",
+        )
+
+    def _request(
+        self,
+        method: str,
+        path: str,
+        *,
+        json: Mapping[str, Any] | None = None,
+        params: Mapping[str, Any] | None = None,
+        extra_headers: Mapping[str, str] | None = None,
+        authenticated: bool,
+        auth_mode: str = "admin",
+    ) -> Any:
+        """Send one request and decode the response."""
+        headers: dict[str, str] = {}
+        if authenticated and self.config.api_key:
+            if auth_mode == "bearer":
+                headers["Authorization"] = f"Bearer {self.config.api_key}"
+            else:
+                headers["X-Admin-Key"] = self.config.api_key
+        headers.update(dict(extra_headers or {}))
+        try:
+            response = self._client.request(
+                method,
+                f"{self.base_url}{path}",
+                headers=headers,
+                json=dict(json) if json is not None else None,
+                params=dict(params) if params is not None else None,
+            )
+        except (httpx.ConnectError, httpx.TimeoutException, httpx.RequestError) as exc:
+            raise CLIError(f"Could not reach the platform API at {self.base_url}: {exc}") from exc
+        if response.status_code >= 400:
+            raise APIError(response.status_code, _error_detail(response), response.headers)
+        if not response.content:
+            return None
+        try:
+            return response.json()
+        except ValueError as exc:
+            if authenticated:
+                raise CLIError(
+                    "Platform API returned malformed JSON for an authenticated request."
+                ) from exc
+            return response.text
+
+
+def resolve_project(client: PlatformClient, project_ref: str) -> dict[str, Any]:
+    """Resolve a project by id, slug, or name."""
+    payload = client.admin("GET", "/projects")
+    items = payload.get("items", []) if isinstance(payload, dict) else []
+    for item in items:
+        if not isinstance(item, dict):
+            continue
+        if project_ref in {str(item.get("id")), str(item.get("slug")), str(item.get("name"))}:
+            return item
+    raise CLIError(f"Project not found: {project_ref}")
+
+
+def encode_path_segment(value: str) -> str:
+    """Encode one path segment for safe URL interpolation."""
+    return quote(value, safe="")
+
+
+def _error_detail(response: httpx.Response) -> Any:
+    """Extract one error detail from an HTTP response."""
+    try:
+        payload = response.json()
+    except ValueError:
+        return response.text
+    if isinstance(payload, dict):
+        return payload.get("detail") or payload
+    return payload

platform_cli/commands/__init__.py

@@ -0,0 +1 @@
+"""Typer command modules for the standalone CLI."""

platform_cli/commands/approvals.py

@@ -0,0 +1,150 @@
+"""Approval queue management commands."""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import typer
+
+from platform_cli.client import encode_path_segment, resolve_project
+from platform_cli.output import print_json, print_success, table
+from platform_cli.runtime import Runtime
+
+app = typer.Typer(help="Manage governed tool approvals.")
+APPROVAL_STATUSES = {"pending", "all"}
+
+
+@app.command("list")
+def list_approvals(
+    ctx: typer.Context,
+    project: Annotated[str, typer.Option(help="Project id, slug, or name.")],
+    status: Annotated[
+        str,
+        typer.Option(help="Approval rows to list: pending or all."),
+    ] = "pending",
+    json_output: Annotated[
+        bool,
+        typer.Option("--json", help="Print machine-readable JSON."),
+    ] = False,
+) -> None:
+    """List approval rows for one project."""
+    normalized_status = _approval_status(status)
+    runtime: Runtime = ctx.obj
+    with runtime.client() as client:
+        project_payload = resolve_project(client, project)
+        response = client.admin(
+            "GET",
+            f"/projects/{encode_path_segment(str(project_payload['id']))}/approvals",
+            params={"status": normalized_status},
+        )
+    if json_output:
+        print_json(response)
+        return
+    items = response.get("items", []) if isinstance(response, dict) else []
+    rows = [_approval_row(item) for item in items if isinstance(item, dict)]
+    table(
+        "Approvals",
+        ["Approval ID", "Tool", "Status", "Action", "Channel", "Expires At"],
+        rows,
+    )
+
+
+@app.command("approve")
+def approve_approval(
+    ctx: typer.Context,
+    approval_id: Annotated[str, typer.Argument(help="Approval id to approve.")],
+    project: Annotated[str, typer.Option(help="Project id, slug, or name.")],
+    yes: Annotated[
+        bool,
+        typer.Option("--yes", help="Confirm approving and resuming this governed action."),
+    ] = False,
+    json_output: Annotated[
+        bool,
+        typer.Option("--json", help="Print machine-readable JSON."),
+    ] = False,
+) -> None:
+    """Approve one pending governed tool action."""
+    _resolve_approval(
+        ctx,
+        approval_id,
+        project=project,
+        action="approve",
+        yes=yes,
+        json_output=json_output,
+    )
+
+
+@app.command("deny")
+def deny_approval(
+    ctx: typer.Context,
+    approval_id: Annotated[str, typer.Argument(help="Approval id to deny.")],
+    project: Annotated[str, typer.Option(help="Project id, slug, or name.")],
+    yes: Annotated[
+        bool,
+        typer.Option("--yes", help="Confirm denying and resuming this governed action."),
+    ] = False,
+    json_output: Annotated[
+        bool,
+        typer.Option("--json", help="Print machine-readable JSON."),
+    ] = False,
+) -> None:
+    """Deny one pending governed tool action."""
+    _resolve_approval(
+        ctx,
+        approval_id,
+        project=project,
+        action="deny",
+        yes=yes,
+        json_output=json_output,
+    )
+
+
+def _resolve_approval(
+    ctx: typer.Context,
+    approval_id: str,
+    *,
+    project: str,
+    action: str,
+    yes: bool,
+    json_output: bool,
+) -> None:
+    """Approve or deny one approval row."""
+    if not yes and not typer.confirm(f"{action.title()} approval {approval_id}?"):
+        raise typer.Exit(1)
+    runtime: Runtime = ctx.obj
+    with runtime.client() as client:
+        project_payload = resolve_project(client, project)
+        response = client.admin(
+            "POST",
+            (
+                f"/projects/{encode_path_segment(str(project_payload['id']))}/approvals/"
+                f"{encode_path_segment(approval_id)}/{action}"
+            ),
+        )
+    if json_output:
+        print_json(response)
+        return
+    approval = response.get("approval", {}) if isinstance(response, dict) else {}
+    enqueued = response.get("enqueued", False) if isinstance(response, dict) else False
+    status = approval.get("status", action + "d") if isinstance(approval, dict) else action + "d"
+    print_success(f"Approval {approval_id} {status}; enqueued={enqueued}.")
+
+
+def _approval_row(approval: dict[str, object]) -> list[object]:
+    """Return a compact approval row."""
+    return [
+        approval.get("approval_id", ""),
+        approval.get("tool_id", ""),
+        approval.get("status", ""),
+        approval.get("action_summary", ""),
+        approval.get("channel", ""),
+        approval.get("expires_at", ""),
+    ]
+
+
+def _approval_status(value: str) -> str:
+    """Validate approval list status."""
+    normalized = value.strip().lower()
+    if normalized not in APPROVAL_STATUSES:
+        raise typer.BadParameter("--status must be one of: all, pending.")
+    return normalized