CLI & MCP
The Lelu CLI provides tools for local development, policy management, audit log viewing, and running the Model Context Protocol (MCP) server for seamless integration with AI assistants like Cursor and Claude.
Installation
The CLI is available in all three SDK packages. You can run it directly using npx or install it globally.
# Install globally npm install -g @lelu-auth/lelu # Or run directly npx @lelu-auth/lelu help
# Install via pip pip install lelu-agent-auth-sdk # Run CLI lelu help
# Install Go module go get github.com/lelu-auth/lelu/sdk/go # Build and run CLI cd sdk/go/cmd/lelu go build -o lelu ./lelu help
CLI Commands
The Lelu CLI provides commands for viewing audit logs and managing authorization policies directly from your terminal.
Audit Log
View recent authorization events and audit trail data from the platform service.
# View recent audit events lelu audit-log # Customize number of events LELU_AUDIT_LIMIT=50 lelu audit-log # Use custom platform URL LELU_PLATFORM_URL=https://your-platform.com lelu audit-log
Policy Management
Create, update, view, and delete authorization policies stored in the platform.
# List all policies lelu policies list # View a specific policy lelu policies get auth # Create or update a policy from file lelu policies set auth ./auth.rego # Delete a policy lelu policies delete old-policy # Use different tenant LELU_TENANT_ID=prod lelu policies list
Environment Variables
| Variable | Default | Description |
|---|---|---|
| LELU_PLATFORM_URL | http://localhost:9091 | Platform API URL |
| LELU_PLATFORM_API_KEY | platform-dev-key | Platform API key |
| LELU_TENANT_ID | default | Tenant ID for multi-tenant setups |
| LELU_AUDIT_LIMIT | 20 | Number of audit events to fetch |
Platform Service Required
The CLI commands require the Lelu platform service to be running. If the service is not available, the CLI will provide helpful Docker setup instructions.
Model Context Protocol (MCP)
Lelu ships a standalone MCP server (@lelu/mcp) that exposes policy-aware authorization tools over both stdio (for local AI clients) and HTTP/SSE (for networked or Docker deployments). When an AI assistant calls a tool, Lelu evaluates your Rego policy and can pause execution to request human approval.
Docker (recommended)
The MCP server is included in the Lelu docker-compose.yml. Start it alongside the engine:
docker compose up -d mcp
# Health check
curl http://localhost:3003/healthz
# {"status":"ok","service":"lelu-mcp"}
# SSE endpoint for AI clients
# http://localhost:3003/sseThe container connects to the engine over the internal Docker network (http://engine:8080) and is exposed on host port 3003. Configure your API key via the LELU_API_KEY environment variable.
npx (local stdio)
For local development with Cursor or Claude Desktop, run the MCP server directly via npx in stdio mode:
npx @lelu/mcp start --transport stdio \ --engine-url http://localhost:8083 \ --api-key YOUR_API_KEY
Client setup
Use CLI quick-add for your client, or choose manual configuration for full control:
npx @lelu/mcp add --cursor
{
"mcpServers": {
"lelu": {
"url": "http://localhost:3003/sse"
}
}
}Available MCP tools
| Tool | Description |
|---|---|
| lelu_agent_authorize | Confidence-aware authorization for an AI agent action |
| lelu_authorize | Authorize a human user action against the active policy |
| lelu_mint_token | Issue a short-lived JIT token for a specific action |
| lelu_revoke_token | Revoke a previously issued token |
| lelu_health | Check that the Lelu engine is reachable |
Policy Testing
You can test your Rego policies locally before deploying them to the Platform.
# Evaluate a policy against a mock request lelu policy eval ./policy.rego \ --action "delete_db" \ --confidence 0.85 # Output: # Result: requires_approval # Reason: Confidence 0.85 is below threshold 0.95 for action 'delete_db'