@datacules/agent-identity-cli
v0.13.0
CLI for @datacules/agent-identity — audit chain verification, compliance reports, credential resolution testing
CLI for @datacules/agent-identity. Verify audit chain integrity, generate SOC 2 / GDPR / HIPAA compliance reports, and test credential resolution — all from the command line.
Part of the agent-identity monorepo by Datacules LLC.
Installation
npm install -g @datacules/agent-identity-cli
or run without installing:
npx @datacules/agent-identity-cli audit verify --file ./audit.jsonl
Prerequisites
- Node.js ≥ 20
- @datacules/agent-identity-compliance installed in the same project (peer dependency)
Commands
audit verify
Verify the SHA-256 hash chain of a JSONL audit log produced by HashChainAuditLogger.
# Verify an entire log
agent-identity-cli audit verify --file ./audit.jsonl
# Verify only entries within a date range
agent-identity-cli audit verify --file ./audit.jsonl --from 2026-01-01 --to 2026-03-31
Output on success:
✓ Audit chain intact
Entries verified : 14872
Root hash : a3f9c21e84b72d19…
Output on failure:
✗ Audit chain BROKEN
Entries checked : 14872
Broken at index : 8431
Reason : Entry 8431: hash mismatch — entry data appears to have been modified
Exit code 0 = intact, 1 = broken or error.
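To show what a hash-chain check of this kind detects, here is an added example; it is not code from the package. The entry layout (`data`, `prevHash`, `hash`), the all-zero genesis value and the `expectedTip` parameter are assumptions made for illustration, and the real format written by HashChainAuditLogger may differ.

```javascript
// Added illustration, not the package's code. The entry layout
// ({ data, prevHash, hash }) and the all-zero genesis value are assumptions.
const { createHash } = require('node:crypto');

const GENESIS = '0'.repeat(64);

// hash = SHA-256(prevHash || JSON of the payload); key order must be stable.
function entryHash(prevHash, data) {
  return createHash('sha256').update(prevHash).update(JSON.stringify(data ?? null)).digest('hex');
}

// Append one payload and return the updated array of JSONL lines.
function appendEntry(lines, data) {
  const prevHash = lines.length ? JSON.parse(lines.at(-1)).hash : GENESIS;
  return [...lines, JSON.stringify({ data, prevHash, hash: entryHash(prevHash, data) })];
}

// Walk the chain and stop at the first entry whose link or hash is wrong.
// expectedTip: last hash recorded out of band after an earlier run. Without
// it, removal of trailing entries leaves a shorter but still valid chain.
function verifyChain(lines, expectedTip) {
  let prev = GENESIS;
  for (let i = 0; i < lines.length; i++) {
    let entry;
    try {
      entry = JSON.parse(lines[i]);
    } catch {
      return { ok: false, brokenAt: i, reason: 'unparseable line' };
    }
    if (entry?.prevHash !== prev) return { ok: false, brokenAt: i, reason: 'link mismatch' };
    if (entry.hash !== entryHash(prev, entry.data)) return { ok: false, brokenAt: i, reason: 'hash mismatch' };
    prev = entry.hash;
  }
  if (expectedTip && prev !== expectedTip) return { ok: false, brokenAt: lines.length, reason: 'tip mismatch' };
  return { ok: true, entries: lines.length, tip: prev };
}

// Constructed sample entries (not real audit data).
function sampleLog() {
  return [
    { event: 'resolve', user: 'user-123', provider: 'openai' },
    { event: 'resolve', user: 'user-456', provider: 'anthropic' },
    { event: 'resolve', user: 'user-123', provider: 'openai' },
  ].reduce(appendEntry, []);
}
```

An edited entry fails with a hash mismatch at its own index and a deleted entry fails with a link mismatch at the next one, while a log with its tail removed only fails when the final hash is compared against a copy stored outside the log.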
report <soc2|gdpr|hipaa>
Generate a compliance report from a JSONL audit log.
# SOC 2 CC6 report — JSON to stdout
agent-identity-cli report soc2 --file ./audit.jsonl --from 2026-01-01 --to 2026-03-31
# GDPR Article 30 report — Markdown format
agent-identity-cli report gdpr --file ./audit.jsonl --format markdown
# HIPAA §164.312 report — write to directory
agent-identity-cli report hipaa --file ./audit.jsonl --output ./compliance-reports/
Flags:
| Flag | Default | Description |
|------|---------|-------------|
| --file <path> | required | JSONL audit log file |
| --from <date> | start of current month | ISO 8601 date (e.g. 2026-01-01) |
| --to <date> | now | ISO 8601 date |
| --format | json | json or markdown |
| --output <dir> | stdout | Directory to write the report file |
health
Check if the agent-identity server (Next.js dashboard or Docker sidecar) is running.
agent-identity-cli health
agent-identity-cli health --url http://localhost:3001 # sidecar
resolve
Test credential resolution against the running server. Useful for verifying routing rules.
agent-identity-cli resolve --provider openai --user user-123
agent-identity-cli resolve --provider anthropic --user user-456 --url http://localhost:3001
Output on success:
{
  "resolvedFor": "user-123",
  "credentialId": "cred-openai-prod",
  "provider": "openai"
}
Typical compliance workflow
# 1. Your agent runs. The HashChainAuditLogger writes JSONL to a file.
# 2. At quarter end, verify the log is untampered:
agent-identity-cli audit verify --file /var/log/agent-identity/audit.jsonl \
  --from 2026-01-01 --to 2026-03-31
# 3. Generate the compliance report:
agent-identity-cli report soc2 --file /var/log/agent-identity/audit.jsonl \
  --from 2026-01-01 --to 2026-03-31 \
  --output ./compliance-reports/
# 4. Attach the report to your SOC 2 audit package.
Producing a JSONL audit log
import { createWriteStream } from 'node:fs';
import { HashChainAuditLogger } from '@datacules/agent-identity-compliance';
import { createRouterFromStore } from '@datacules/agent-identity';
// Write one JSON object per line to a file, opened in append mode
const stream = createWriteStream('/var/log/agent-identity/audit.jsonl', { flags: 'a' });
const fileSink = { log: (e: unknown) => stream.write(JSON.stringify(e) + '\n') };
// Wrap the file sink so entries written through it are hash-chained
const auditLogger = new HashChainAuditLogger(fileSink);
// `store` and `rules` are not defined in this snippet; they are assumed to be
// the credential store and routing rules set up elsewhere in your application
const router = createRouterFromStore(store, rules, auditLogger);
Architecture note
All CLI I/O is injected via function closures (readFile, fetch, writeFile) so every
public function (parseArguments, runAuditVerify, runReport, runHealth, runResolve)
can be unit-tested without a live server or filesystem. The test suite covers 14 cases
across 5 suites in packages/cli/src/cli.test.ts.
License
Datacules Open Source License — permissive, commercial-friendly.
