CLI reference · agentjail

agentjail ships as two binaries: agentjail (the management CLI) and agentjail-hook (called automatically by the agent’s PreToolUse hook). This page documents every subcommand of the management CLI, plus how to invoke the hook manually for testing.

`agentjail version`

Prints the installed version and exits.

agentjail version

Example output:

agentjail v0.1.0-alpha

`agentjail install`

Installs the hook and starts the daemon. The --for flag selects the target agent host.

agentjail install --for <target>

Flag	Required	Description
`--for`	yes	Agent host to install for. Only `claude-code` is implemented; `codex` and `cursor` exit with “not yet implemented”.

agentjail install is macOS-only.

Example

agentjail install --for claude-code

`agentjail uninstall`

Removes the hook and daemon installed by agentjail install.

agentjail uninstall

`agentjail status`

Prints whether the daemon is running and whether the hook is registered.

agentjail status

`agentjail logs`

Tails and filters the daemon audit log.

agentjail logs
agentjail logs -v

Flag	Description
`-v`	Adds a secondary summary line per entry showing `command`/`file_path`, `reason`, and `session_id`. Does not dump the full input document.

`agentjail policy list`

Prints a table of all policy rules with three columns: RULE, STATUS, and SOURCE.

agentjail policy list

Example output:

RULE              STATUS   SOURCE
file_policy       core     agentpolicy/policies/file_policy.rego
command_policy    core     agentpolicy/policies/command_policy.rego
mcp_policy        core     agentpolicy/policies/mcp_policy.rego
network-guard     enabled  library
secret-scanner    disabled library

Core rules (file_policy, command_policy, mcp_policy) always show status core and a source path under agentpolicy/policies/.
Library rules show enabled or disabled and source library (the literal string, not an on-disk path).

`agentjail policy enable` / `agentjail policy disable`

Toggle library rules on or off. The named rule is copied into (or removed from) ~/.agentjail/rules/ and the daemon receives a SIGHUP to hot-reload.

agentjail policy enable <name>
agentjail policy disable <name>

Core rules (file_policy, command_policy, mcp_policy) are always active and cannot be disabled; disable rejects them with an error.

`agentjail ui`

Opens the local web UI development tool.

agentjail ui

Testing a tool call manually (`agentjail-hook`)

Policy evaluation is performed by the agentjail-hook binary, not by a subcommand of the management CLI. The hook communicates over a Unix socket with the running daemon (which keeps OPA warm). Users do not run an eval command directly; to test a call manually, pipe a Claude PreToolUse JSON payload to the hook with the daemon already running:

echo '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"rm -rf /"}}' \
  | agentjail-hook

Output:

{
  "hookSpecificOutput": {
    "hookEventName": "PreToolUse",
    "permissionDecision": "deny",
    "permissionDecisionReason": "Blocked: rm -rf on absolute path"
  }
}

Exit codes

Code	Meaning
`0`	Call is allowed or requires confirmation (`allow` / `ask`).
`2`	Call is denied (`deny`).

agentjail version

agentjail install

Example

agentjail uninstall

agentjail status

agentjail logs

agentjail policy list

agentjail policy enable / agentjail policy disable

agentjail ui

Testing a tool call manually (agentjail-hook)