DEV Community

João André Gomes Marques
João André Gomes Marques

Posted on • Originally published at asqav.com

Govern AI agents from your CLI

#security #ai #tutorial #opensource

The Asqav CLI used to be a thin wrapper around the Python SDK. As of this release, the CLI is the primary integration surface, with feature parity between the Python and TypeScript distributions and a stable command set you can wire into Makefiles, GitHub Actions, and pre-commit hooks.

Install via pip or npm, both ship the same subcommands:

pip install asqav[cli]
# or
npm install -g @asqav/cli
Enter fullscreen mode Exit fullscreen mode

What you can do without leaving the terminal

The CLI exposes the operations a reviewer or a DevOps engineer needs day-to-day:

  • asqav preflight runs an action through the policy engine in dry-run mode, prints the decision and the triggering rule, and exits non-zero if blocked. Useful in CI before merging an agent change.
  • asqav replay reconstructs the receipt timeline for a workflow and verifies every signature against the public key. Works offline against an exported bundle.
  • asqav budget shows the current per-agent spend, the rate-limit window, and the next reset. Pipes into Slack alerts cleanly.
  • asqav approve resolves a pending approval card from the terminal. Reason text required, captured into the signed receipt.
  • asqav compliance export bundles receipts, policy versions, and incident records into a portable archive ready for auditor handoff.

Tier-gated commands, multi-party signing flows, retention policies, and SCITT submission are namespaced under asqav enterprise and surface a clear license-required error on Free.

A short demo session 

$ asqav login
Paste API key: sk_***

$ asqav preflight --agent fintech-bot \
    --action wire_transfer --amount 850000 --currency EUR
DECISION: APPROVAL_REQUIRED
RULE:     wire.amount > 500000
NEXT:     asqav approve act_01HZX...

$ asqav approve act_01HZX9 \
    --reason "Verified counterparty + invoice 2026-INV-1812"
RECEIPT:  rcpt_01HZXA2K... (ML-DSA-65)
STATUS:   verified

$ asqav replay trace_q4_payroll
12 actions, 12 signatures verified
0 incidents, 0 budget violations

$ asqav compliance export --since 2026-04-01 \
    --out evidence-2026-04.zip
wrote 1247 receipts, 14 policy versions, 3 incidents
Enter fullscreen mode Exit fullscreen mode

Each command writes to stdout in a parseable shape (--json for machine output) and exits non-zero on policy violation. The CLI is the contract you need for Makefile-driven environments and for build agents that should fail closed when an action is blocked.

Same commands, two languages

The Python and TypeScript CLIs read the same config file (~/.asqav/config.toml), use the same auth scheme, and produce identical output. Pick whichever fits your stack. A Vercel deployment running the TypeScript CLI in a GitHub Action talks to the same backend as a Python service running the Python CLI in a cron job, against the same signed receipts.

Wiring it in

The CLI is meant to be boring infrastructure. Three patterns we use ourselves:

  1. Pre-commit hook: asqav preflight against the staged agent change, blocks the commit if the policy rejects it.
  2. GitHub Action job: asqav compliance export on a weekly schedule, uploads the zip as a release artifact.
  3. On-call paging: asqav replay on the failing trace ID, attached to the incident channel inside two minutes.

Source and docs:

Open a terminal, run asqav preflight against your next agent change, and the dashboard becomes the optional surface, not the required one.

Top comments (0)