CLI overview
kitelogik is the command-line interface that ships with the package. Every command targets policy work — scaffolding a project, turning the YAML edit surface into Rego, dry-running an event before it hits production, and auditing your bundle against the OWASP Agentic Security control list.
Install
pip install kitelogikThe kitelogik script lands on PATH at the same scope as the package (virtualenv, --user, etc.). If kitelogik: command not found after install, the venv probably isn't active — use python -m kitelogik.cli instead.
Commands
| Command | What it does |
|---|---|
init | Scaffold a new governed agent project (5 files) |
compile | Compile a YAML policy file to Rego |
validate | Validate Rego syntax via opa check |
test | Run OPA tests against the policies directory |
check | Dry-run a JSON governance event against loaded policies |
compliance | Default-deny / event-coverage / OWASP audit |
version | Print the installed kitelogik version |
kitelogik --help prints the same list. Every subcommand supports --help for its own flags.
OPA dependency: binary or Docker
Every command that talks to OPA — validate, test, check, compliance — first tries to invoke a bare opa binary on PATH. If OPA isn't installed, the CLI transparently re-runs the same command inside openpolicyagent/opa:latest via Docker, bind-mounting your policies/ directory read-only at /policies.
In practice that means:
- If you've followed the quickstart and have Docker running, you don't need a separate
opainstall. - If neither
opanordockeris onPATH, the CLI prints a clear error pointing at both install paths.
The pinned image tag (:latest here, see source) keeps CLI behaviour reproducible across machines and matches what CI uses.
How the policies directory is found
For commands that take a --path flag (validate, test, check, compliance), the CLI uses the explicit path if you pass one. Without --path, it walks upward from cwd looking for the first match of:
<parent>/kitelogik/policies/— the namespaced layout used inside the OSS repo<parent>/policies/— the bare layout produced bykitelogik init
So kitelogik validate Just Works from anywhere inside a project tree created by init.
Exit codes
All commands follow the same convention:
| Code | Meaning |
|---|---|
0 | Success — the operation completed and (where applicable) policies validated cleanly |
1 | A pre-flight error (file not found, bad JSON, missing OPA + Docker) |
| Other | Forwarded from OPA — typically a syntax or test failure surfaced verbatim |
CI scripts can set -e against the binary directly; kitelogik test in particular streams OPA output to your terminal so the failure diagnostic appears in the build log.
A typical project loop
# Once
kitelogik init my-agent && cd my-agent
# Iterate
vim policies/policy.yaml
kitelogik compile policies/policy.yaml # YAML -> Rego
kitelogik validate # syntax check
kitelogik test # unit tests against policies/
kitelogik check '{"action": "approve_refund", "args": {"amount": 200}, ...}'
# Before shipping
kitelogik compliance # default-deny, event coverage, OWASP mapThe first-policy guide walks through the loop end-to-end on a real example.
Related
- Quickstart — the 5-minute path that uses
init+compile - Your first policy —
compile/validate/teston a real rule