# CLI reference

> The agentjail command-line interface: subcommands, flags, and example output.

agentjail ships as two binaries: `agentjail` (the management CLI) and
`agentjail-hook` (called automatically by the agent's `PreToolUse` hook). This
page documents every subcommand of the management CLI, plus how to invoke the
hook manually for testing.

## `agentjail version`

Prints the installed version and exits.

```sh
agentjail version
```

Example output:

```text
agentjail v0.1.0-alpha
```

## `agentjail install`

Installs the hook and starts the daemon. The `--for` flag selects the target
agent host.

```sh
agentjail install --for <target>
```

| Flag | Required | Description |
|------|----------|-------------|
| `--for` | yes | Agent host to install for. Only `claude-code` is implemented; `codex` and `cursor` exit with "not yet implemented". |

agentjail install is macOS-only.

### Example

```sh
agentjail install --for claude-code
```

## `agentjail uninstall`

Removes the hook and daemon installed by `agentjail install`.

```sh
agentjail uninstall
```

## `agentjail status`

Prints whether the daemon is running and whether the hook is registered.

```sh
agentjail status
```

## `agentjail logs`

Tails and filters the daemon audit log.

```sh
agentjail logs
agentjail logs -v
```

| Flag | Description |
|------|-------------|
| `-v` | Adds a secondary summary line per entry showing `command`/`file_path`, `reason`, and `session_id`. Does not dump the full input document. |

## `agentjail policy list`

Prints a table of all policy rules with three columns: **RULE**, **STATUS**, and **SOURCE**.

```sh
agentjail policy list
```

Example output:

```text
RULE              STATUS   SOURCE
file_policy       core     agentpolicy/policies/file_policy.rego
command_policy    core     agentpolicy/policies/command_policy.rego
mcp_policy        core     agentpolicy/policies/mcp_policy.rego
network-guard     enabled  library
secret-scanner    disabled library
```

- **Core rules** (`file_policy`, `command_policy`, `mcp_policy`) always show status `core` and a source path under `agentpolicy/policies/`.
- **Library rules** show `enabled` or `disabled` and source `library` (the literal string, not an on-disk path).

## `agentjail policy enable` / `agentjail policy disable`

Toggle library rules on or off. The named rule is copied into (or removed from)
`~/.agentjail/rules/` and the daemon receives a `SIGHUP` to hot-reload.

```sh
agentjail policy enable <name>
agentjail policy disable <name>
```

Core rules (`file_policy`, `command_policy`, `mcp_policy`) are always active
and cannot be disabled; `disable` rejects them with an error.

## `agentjail ui`

Opens the local web UI development tool.

```sh
agentjail ui
```

## Testing a tool call manually (`agentjail-hook`)

Policy evaluation is performed by the `agentjail-hook` binary, not by a
subcommand of the management CLI. The hook communicates over a Unix socket with
the running daemon (which keeps OPA warm). Users do not run an eval command
directly; to test a call manually, pipe a Claude `PreToolUse` JSON payload to
the hook with the daemon already running:

```sh
echo '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"rm -rf /"}}' \
  | agentjail-hook
```

Output:

```json
{
  "hookSpecificOutput": {
    "hookEventName": "PreToolUse",
    "permissionDecision": "deny",
    "permissionDecisionReason": "Blocked: rm -rf on absolute path"
  }
}
```

### Exit codes

| Code | Meaning |
|------|---------|
| `0` | Call is allowed or requires confirmation (`allow` / `ask`). |
| `2` | Call is denied (`deny`). |

## See also

- [Configuration](/docs/reference/configuration): config file, custom rules, and daemon flags.
- [Default policies](/docs/reference/default-policies): what ships in the default bundle.