The agentum binary is both the API server (agentum start) and an admin client.
From inside the docker container:
docker exec lupid-agentum-1 agentum --help
From outside (with port 7071 exposed or via the dashboard’s reverse proxy):
agentum --api-url http://localhost:3000 --api-key $LUPID_API_KEY agent stats
| Flag | Env var | Default | Purpose |
|---|
--api-url <url> | AGENTUM_API_URL | http://localhost:7071 | Lupid API base URL |
--api-key <key> | AGENTUM_API_KEY | unset | Operator API key |
--token <jwt> | AGENTUM_TOKEN | unset | Bearer JWT (agent sessions) |
--output <fmt> | — | json | Output format: json or table |
| Command | What it does |
|---|
start | Run the full stack (API + gateway + MCP gateway) |
serve | Run only the REST API (port 7071 by default) |
health check | Hit the API’s health probe and print the result |
health live | Liveness probe (process is up) |
health ready | Readiness probe (DB + deps reachable) |
doctor config | Validate the local agentum.yaml and lint for secrets |
completions <sh> | Print shell completions for bash/zsh/fish/elvish/pwsh |
| Command | Role | Purpose |
|---|
agent register | admin | Register a new agent |
agent list | viewer | List agents (filter by status / team / search) |
agent get <id> | viewer | Fetch one agent |
agent stats | viewer | Aggregate counts by status |
agent update <id> | admin | Update name / owner / purpose / framework |
agent kill <id> | admin | Revoke JWT + mark terminated |
agent rotate <id> | admin | Rotate the agent’s signing keypair |
agent suspend <id> | admin | Move to suspended state |
agent activate <id> | admin | Resume a suspended agent |
agent quarantine <id> | admin | Mark for investigator review |
agent orphans {list,detect} | admin | Find agents that haven’t checked in |
agent delegate {issue,verify} | admin | Issue / verify delegation tokens |
| Command | Role | Purpose |
|---|
policy list | viewer | List all attached policies |
policy get <agent-id> | viewer | Print the Cedar source for one agent |
policy set <agent-id> <file> | admin | Upload and attach a policy |
policy load <dir> | admin | Bulk-load every .cedar in a dir |
policy simulate --agent-id … --action … --resource … | viewer | Dry-run evaluation |
policy reload | admin | Force in-memory cache to refresh |
| Command | Role | Purpose |
|---|
audit query [--agent-id …] [--event-type …] [--from … --to …] [--limit] | viewer | Query audit events |
audit prune --before <ts> [--dry-run] | admin | Delete events older than a timestamp |
audit ingest --agent-id … --session-id … --event-type … --details … | admin | Manually ingest an event (debug / replay) |
| Command | Role | Purpose |
|---|
session list | viewer | List sessions |
session get <id> | viewer | Fetch one session’s metadata |
session end <id> | admin | Force-terminate a session |
session replay <id> | viewer | Print every audit event in order |
| Command | Role | Purpose |
|---|
hitl list | operator | List pending HITL requests |
hitl get <id> | operator | Fetch full context for one request |
hitl decide <id> --decision approve|deny | operator | Decide on a request |
hitl watch | operator | Stream new requests over SSE |
| Command | Role | Purpose |
|---|
alert list | viewer | List alerts (filter by severity) |
alert ack <id> | operator | Acknowledge an alert |
alert watch | operator | Stream new alerts |
alert dlq | admin | Inspect undelivered alerts |
| Command | Role | Purpose |
|---|
vault store --agent-id … --service-name … [--from-env|--from-file|--secret-value …] | admin | Store the underlying credential |
vault issue --agent-id … --service-name … | admin | Issue a short-lived lease |
vault leases [--agent-id …] | viewer | List active leases |
vault revoke <lease-id> | admin | Revoke a lease |
| Command | Role | Purpose |
|---|
operator list | admin | List operators |
operator create --email … --full-name … --password … --role … | admin | Create a new operator |
operator get <id> | admin | Fetch one operator |
operator update <id> [--full-name …] [--role …] [--active …] | admin | Modify an operator |
operator delete <id> | admin | Delete an operator |
operator reset-password <id> --new-password … | admin | Reset a password |
| Command | Role | Purpose |
|---|
admin api-keys mint --email … --role … [--agent <id>] [--expires-in …] [--ip-allow …] | admin | Mint a new API key |
admin api-keys list | admin | List keys (metadata only) |
admin api-keys revoke <id> | admin | Revoke a key |
admin api-keys rotate <id> [--grace-seconds …] | admin | Rotate a key with a grace period |
| Command | Role | Purpose |
|---|
mcp server {list,get,create,update,delete} | admin | Manage MCP server registrations |
mcp server access-grant <server-id> --agent-id … --tools … | admin | Grant agent access to MCP tools |
mcp session {list,get,terminate} | admin | Inspect live MCP sessions |
mcp tool-calls | viewer | Recent MCP tool-call audit rows |
compliance {soc2,pci-dss,hipaa,report} | admin | Generate compliance reports |
config {show,set,unset,path} | — | Manage local CLI config (~/.config/agentum/cli.toml) |
backfill agent-users | admin | Derive agent_users rows from sessions (one-shot) |
onboard --name … | admin | Register an agent + print a copy-paste .env |