Skip to content

CLI reference

The agentum binary is both the API server (agentum start) and an admin client. From inside the docker container:

Terminal window
docker exec lupid-agentum-1 agentum --help

From outside (with port 7071 exposed or via the dashboard’s reverse proxy):

Terminal window
agentum --api-url http://localhost:3000 --api-key $LUPID_API_KEY agent stats
FlagEnv varDefaultPurpose
--api-url <url>AGENTUM_API_URLhttp://localhost:7071Lupid API base URL
--api-key <key>AGENTUM_API_KEYunsetOperator API key
--token <jwt>AGENTUM_TOKENunsetBearer JWT (agent sessions)
--output <fmt>jsonOutput format: json or table
CommandWhat it does
startRun the full stack (API + gateway + MCP gateway)
serveRun only the REST API (port 7071 by default)
health checkHit the API’s health probe and print the result
health liveLiveness probe (process is up)
health readyReadiness probe (DB + deps reachable)
doctor configValidate the local agentum.yaml and lint for secrets
completions <sh>Print shell completions for bash/zsh/fish/elvish/pwsh
CommandRolePurpose
agent registeradminRegister a new agent
agent listviewerList agents (filter by status / team / search)
agent get <id>viewerFetch one agent
agent statsviewerAggregate counts by status
agent update <id>adminUpdate name / owner / purpose / framework
agent kill <id>adminRevoke JWT + mark terminated
agent rotate <id>adminRotate the agent’s signing keypair
agent suspend <id>adminMove to suspended state
agent activate <id>adminResume a suspended agent
agent quarantine <id>adminMark for investigator review
agent orphans {list,detect}adminFind agents that haven’t checked in
agent delegate {issue,verify}adminIssue / verify delegation tokens
CommandRolePurpose
policy listviewerList all attached policies
policy get <agent-id>viewerPrint the Cedar source for one agent
policy set <agent-id> <file>adminUpload and attach a policy
policy load <dir>adminBulk-load every .cedar in a dir
policy simulate --agent-id … --action … --resource …viewerDry-run evaluation
policy reloadadminForce in-memory cache to refresh
CommandRolePurpose
audit query [--agent-id …] [--event-type …] [--from … --to …] [--limit]viewerQuery audit events
audit prune --before <ts> [--dry-run]adminDelete events older than a timestamp
audit ingest --agent-id … --session-id … --event-type … --details …adminManually ingest an event (debug / replay)
CommandRolePurpose
session listviewerList sessions
session get <id>viewerFetch one session’s metadata
session end <id>adminForce-terminate a session
session replay <id>viewerPrint every audit event in order
CommandRolePurpose
hitl listoperatorList pending HITL requests
hitl get <id>operatorFetch full context for one request
hitl decide <id> --decision approve|denyoperatorDecide on a request
hitl watchoperatorStream new requests over SSE
CommandRolePurpose
alert listviewerList alerts (filter by severity)
alert ack <id>operatorAcknowledge an alert
alert watchoperatorStream new alerts
alert dlqadminInspect undelivered alerts
CommandRolePurpose
vault store --agent-id … --service-name … [--from-env|--from-file|--secret-value …]adminStore the underlying credential
vault issue --agent-id … --service-name …adminIssue a short-lived lease
vault leases [--agent-id …]viewerList active leases
vault revoke <lease-id>adminRevoke a lease
CommandRolePurpose
operator listadminList operators
operator create --email … --full-name … --password … --role …adminCreate a new operator
operator get <id>adminFetch one operator
operator update <id> [--full-name …] [--role …] [--active …]adminModify an operator
operator delete <id>adminDelete an operator
operator reset-password <id> --new-password …adminReset a password
CommandRolePurpose
admin api-keys mint --email … --role … [--agent <id>] [--expires-in …] [--ip-allow …]adminMint a new API key
admin api-keys listadminList keys (metadata only)
admin api-keys revoke <id>adminRevoke a key
admin api-keys rotate <id> [--grace-seconds …]adminRotate a key with a grace period
CommandRolePurpose
mcp server {list,get,create,update,delete}adminManage MCP server registrations
mcp server access-grant <server-id> --agent-id … --tools …adminGrant agent access to MCP tools
mcp session {list,get,terminate}adminInspect live MCP sessions
mcp tool-callsviewerRecent MCP tool-call audit rows
compliance {soc2,pci-dss,hipaa,report}adminGenerate compliance reports
config {show,set,unset,path}Manage local CLI config (~/.config/agentum/cli.toml)
backfill agent-usersadminDerive agent_users rows from sessions (one-shot)
onboard --name …adminRegister an agent + print a copy-paste .env