João André Gomes Marques

Originally published at asqav.com

Govern AI agents from your CLI

The Asqav CLI ships inside the Python SDK. Install the cli extra and you get an asqav command you can wire into Makefiles, GitHub Actions, and pre-commit hooks:

pip install "asqav[cli]"

Auth is one environment variable, ASQAV_API_KEY. There is no login flow and no config file to manage, which is what you want in CI.

What you can do without leaving the terminal

  • asqav quickstart gets a fresh setup working end to end.
  • asqav doctor validates your governance setup and tells you what is missing.
  • asqav preflight <agent_id> <action_type> runs the revocation, suspension, and policy checks for an action before the agent performs it, and exits non-zero when blocked. Useful as a gate in CI or a pre-commit hook.
  • asqav sign --agent-id ... --action-type ... signs a receipt from the shell.
  • asqav verify <signature_id> verifies a signature by ID. Public, no auth needed.
  • asqav replay <agent_id> <session_id> reconstructs a session timeline and verifies it. --bundle does the same offline from an exported compliance bundle.
  • asqav agents list|create|revoke manages agents.
  • asqav sessions list|end lists and ends signing sessions.
  • asqav budget check|record checks or records agent spend.
  • asqav queue list|count|clear and asqav sync manage the local offline queue.
  • asqav compliance export bundles receipts for auditor handoff; asqav compliance report and asqav compliance frameworks cover framework reports.
  • asqav approve <session_id> <entity_id> approves a pending signing session from the terminal.

Commands that gate take exit codes seriously: preflight exits non-zero when the action is blocked, so a build agent fails closed when policy rejects an action. Most commands also take --json or --output json for machine-readable output.

Wiring it in

Three patterns we use ourselves:

  1. Pre-commit hook: asqav preflight on the acting agent before a risky change, blocks the commit when policy rejects it.
  2. GitHub Action job: asqav compliance export on a schedule, upload the archive as a build artifact.
  3. On-call: asqav replay on the failing session, paste the timeline into the incident channel.
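
Pattern 1 as a fail-closed pre-commit hook, added here as an example and not taken from Asqav's own code or docs. It relies only on the exit code of asqav preflight <agent_id> <action_type> described above; the ASQAV_GATE_AGENT_ID and ASQAV_GATE_ACTION variable names are hypothetical, and treating a missing ASQAV_API_KEY or a missing CLI as a block is an assumption about how the gate should behave.

```shell
#!/bin/sh
# Added example: fail-closed gate around `asqav preflight`.
# Save as .git/hooks/pre-commit and make it executable.

# asqav_gate <agent_id> <action_type>
# Returns 0 only when preflight explicitly allows the action,
# 1 when preflight blocks it, 2 when the check could not be run at all.
asqav_gate() {
    agent_id=$1
    action_type=$2

    if [ -z "$agent_id" ] || [ -z "$action_type" ]; then
        echo "asqav gate: agent id and action type are required" >&2
        return 2
    fi
    # Fail closed when the credential is absent instead of skipping the check.
    if [ -z "${ASQAV_API_KEY:-}" ]; then
        echo "asqav gate: ASQAV_API_KEY is not set; refusing to proceed" >&2
        return 2
    fi
    # Fail closed when the CLI is missing (for example, the cli extra was not installed).
    if ! command -v asqav >/dev/null 2>&1; then
        echo "asqav gate: asqav CLI not found; refusing to proceed" >&2
        return 2
    fi

    # preflight exits non-zero when the action is blocked.
    if asqav preflight "$agent_id" "$action_type"; then
        return 0
    fi
    echo "asqav gate: preflight blocked '$action_type' for agent '$agent_id'" >&2
    return 1
}

# Run the gate only when this file is installed as the pre-commit hook.
# ASQAV_GATE_AGENT_ID and ASQAV_GATE_ACTION are hypothetical variable names;
# set them to the acting agent's id and the action type your policy uses.
case "$0" in
    */pre-commit|pre-commit)
        asqav_gate "${ASQAV_GATE_AGENT_ID:-}" "${ASQAV_GATE_ACTION:-}" || exit 1
        ;;
esac
```

Any non-zero return from asqav_gate aborts the commit, so a broken or unconfigured environment cannot silently bypass the policy check.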

Source and docs:

Run asqav doctor first. It tells you whether your setup is ready before you wire anything into CI.
