§ DOCUMENTATION
CLI Reference
Install the Execlave CLI, authenticate with an API key, and operate your organization from the terminal. Ships 11 command groups.
Installation
npm install -g @execlave/cliInstalls the execlave binary globally. Requires Node.js 18+. Verify with:
execlave --versionQuickstart — authenticate with an environment variable
The fastest, most reliable way to authenticate the CLI is to export your API key as an environment variable. The CLI checks EXECLAVE_API_KEY on every invocation and uses it directly — no login step, no on-disk credentials.
# 1. Mint an API key in the dashboard → Settings → API Keysexport EXECLAVE_API_KEY="exe_prod_..."export EXECLAVE_BASE_URL="https://api.execlave.com" # optional, this is the default # 2. Verify the connection and keyexeclave status # 3. Run any read command to confirm authorizationexeclave agents listOn Windows PowerShell use $env:EXECLAVE_API_KEY = "exe_prod_...".
Top-level commands
11 command groups. Run any command with --help for full subcommand details.
| Command | Description |
|---|---|
login | Interactively store an API key + base URL in the local config file. |
status | Check backend health and verify the active API key. |
bootstrap | Interactive setup wizard for a new Execlave environment. |
agents | List, pause (kill switch), and resume AI agents. |
org | Show current organization info and settings. |
workspace | List and create workspaces. |
prompts | List, deploy, rollback, and approve prompt versions. |
traces | List recent execution traces and view 24h stats. |
policies | List, apply, test, and inspect governance policies and violations. |
incidents | List and export policy-violation incidents (CSV/JSON). |
validators | Manage custom HTTP validators (Bring-Your-Own-Validator). |
Common usage examples
execlave status # health + auth checkexeclave org list # current organizationexeclave workspace list # workspaces in this orgexeclave agents listexeclave agents pause <agent-id> --reason "Investigating runaway costs"execlave agents resume <agent-id> execlave traces list --agent-id <agent-id>execlave traces stats # rolling 24h summaryexeclave policies listexeclave policies violationsexeclave policies apply --file ./policies.yamlexeclave policies test --file ./policies.yaml --from 7dexeclave policies chain --id <policy-id>execlave prompts list --agent-id <agent-id>execlave prompts deploy <version-id> --env stagingexeclave prompts approve <version-id>execlave prompts rollback <version-id> --reason "Regression in eval suite"execlave incidents listexeclave incidents export --format csv --from 30d execlave validators listexeclave validators create \ --name "PII Scrubber" \ --url https://validator.example.com/check \ --fail-mode fail_closedexeclave validators test <validator-id>execlave validators rotate-secret <validator-id>execlave --api-version v1 agents list # defaultexeclave --api-version v0 agents list # legacy, unversioned routesAuthentication precedence
On every invocation the CLI resolves the API key by walking three sources in order and using the first one it finds. There is intentionally no --api-key flag — pass keys via env vars or the config file.
| # | Source | Notes |
|---|---|---|
| 1 | EXECLAVE_API_KEY | Highest precedence. Recommended for CI and ad-hoc shells. |
| 2 | AGENTGUARD_API_KEY | Deprecated alias. Still works; emits a deprecation warning once per process. |
| 3 | Config file (token) | Written by execlave login. Persisted across sessions. |
The base URL follows the same precedence chain: EXECLAVE_BASE_URL > AGENTGUARD_BASE_URL > config baseUrl > https://api.execlave.com.
Config file location
The CLI uses the conf package with project name execlave-cli. The schema is { token, baseUrl, organizationId, apiVersion }. On first write the file is locked down to the current user (chmod 0600 on POSIX, icacls ACL on Windows).
| Platform | Path |
|---|---|
| macOS | ~/Library/Preferences/execlave-cli-nodejs/config.json |
| Linux | ~/.config/execlave-cli-nodejs/config.json |
| Windows | %APPDATA%\execlave-cli-nodejs\config.json |
Delete this file to fully sign out, or set EXECLAVE_API_KEY to an empty string in your shell to override it for the current session.