CLI Guide

Installation

pip install licit-ai-cli

Or from source:

git clone https://github.com/Diego303/licit-cli.git
cd licit-cli
pip install -e ".[dev]"

Invocation

# As an installed command
licit [options] <command> [arguments]

# As a Python module
python -m licit [options] <command> [arguments]

Global options

Option	Description
`--version`	Shows the licit version
`--config PATH`	Path to a specific `.licit.yaml` file
`-v`, `--verbose`	Enables detailed logging (DEBUG level)
`--help`	Shows help

licit --version
# licit, version 1.0.0

licit --verbose status
# Shows debug logs during execution

Commands

`licit init`

Initializes licit in the current project. Automatically detects project characteristics and generates the configuration.

licit init [--framework {eu-ai-act|owasp|all}]

Options:

Option	Default	Description
`--framework`	`all`	Regulatory framework to enable

What it does:

Runs ProjectDetector to detect languages, frameworks, CI/CD, AI agents, etc.
Generates .licit.yaml with configuration adapted to the project.
Creates the .licit/ directory for internal data.
If it detects architect or vigil, automatically enables their connectors.

Example:

$ cd my-fastapi-project/
$ licit init

Initialized licit in my-fastapi-project
  Languages: python
  Frameworks: fastapi
  Agent configs: CLAUDE.md
  CI/CD: github-actions
  Config saved to .licit.yaml

Example with specific framework:

$ licit init --framework eu-ai-act
# Only enables EU AI Act, disables OWASP

`licit status`

Shows the current state of licit and connected data sources.

licit status

What it shows:

Project information (name, languages, frameworks)
Configuration state
Enabled frameworks (EU AI Act, OWASP)
Detected data sources (provenance, FRIA, changelog, etc.)
Configured connectors (architect, vigil)
Found AI agent configurations

Example:

$ licit status

  licit Status
  ────────────────────────────────────────
  Project: my-fastapi-project
  Config: .licit.yaml

  Frameworks:
    [x] EU AI Act
    [x] OWASP Agentic Top 10
    [ ] NIST AI RMF (V1)
    [ ] ISO 42001 (V1)

  Data Sources:
    [x] Git history (142 commits)
    [x] Provenance tracking
    [ ] Config changelog
    [ ] FRIA document
    [ ] Annex IV documentation

  Connectors:
    [x] architect (.architect/config.yaml, enabled)
    [x] vigil (.vigil.yaml, enabled)
    Security findings: 3 total (1 critical, 1 high)

  Agent Configs (2):
    - CLAUDE.md (claude-code)
    - .cursorrules (cursor)

The status command now shows:

Connector status as “enabled” or “detected”
Security findings count when SARIF findings are present

`licit connect`

Configures optional connectors to integrate external data sources.

licit connect {architect|vigil} [--enable|--disable]

Arguments:

Argument	Description
`architect`	Connector for Architect (reports and audit logs)
`vigil`	Connector for Vigil (SARIF security findings)

Options:

Option	Default	Description
`--enable`	(default)	Enables the connector
`--disable`		Disables the connector

What it does:

Enables or disables the connector in .licit.yaml.
When enabling, auto-detects configuration paths if not configured.
Verifies data availability on disk with available().
Shows feedback on whether connector data was found.

Example:

$ licit connect architect
  architect data found at: .architect/reports
  Connector 'architect' enabled.

$ licit connect vigil --enable
  vigil data found
  Connector 'vigil' enabled.

$ licit connect architect --disable
  Connector 'architect' disabled.

Data enriched by connectors:

Connector	Data sources	Evidence provided
architect	Reports JSON, audit JSONL, config YAML	Audit trail, guardrails, quality gates, budget, dry-run, rollback
vigil	SARIF 2.1.0, SBOM CycloneDX	Security findings (critical/high/medium/low)

`licit trace`

Tracks code provenance — identifies what was written by AI and what by humans.

Status: Functional (Phase 2 completed).

licit trace [--since DATE|TAG] [--report] [--stats]

Options:

Option	Description
`--since`	Analyzes commits from a date (YYYY-MM-DD). Filters by author date
`--report`	Generates provenance report file at `.licit/reports/provenance.md`
`--stats`	Shows statistics in terminal

What it does:

Runs GitAnalyzer to analyze commits with 6 heuristics (author, message, volume, co-authors, file patterns, time).
Optionally reads agent session logs (Claude Code).
Classifies each file as ai (score >= 0.7), mixed (>= 0.5) or human (< 0.5).
Stores results in .licit/provenance.jsonl (merge + deduplication by file).
If sign: true, signs each record with HMAC-SHA256.

Example:

$ licit trace --since 2026-01-01

  Analyzing git history for AI provenance...
  Analyzed 45 files across 52 records
  AI-generated: 18 files
  Human-written: 22 files

$ licit trace --stats

  Provenance Statistics
  ────────────────────────────────────────
  Total files tracked: 45
  AI-generated:        18 (40.0%)
  Human-written:       22
  Mixed:               5

Example with report:

$ licit trace --report
# Generates .licit/reports/provenance.md with detailed per-file table

Heuristics used:

#	Heuristic	Weight	What it detects
H1	Author pattern	3.0	AI author names (claude, copilot, cursor, bot, etc.)
H2	Message pattern	1.5	Commit patterns (conventional commits, “implement”, `[ai]`)
H3	Bulk changes	2.0	Massive changes (>20 files + >500 lines)
H4	Co-author	3.0	`Co-authored-by:` with AI keywords
H5	File patterns	1.0	All files are test files
H6	Time pattern	0.5	Commits between 1am-5am

Only heuristics that produce a signal (score > 0) contribute to the weighted average.

`licit changelog`

Generates a changelog of AI agent configuration changes with semantic diffing and severity classification.

Status: Functional (Phase 3 completed).

licit changelog [--since DATE|TAG] [--format {markdown|json}]

Options:

Option	Default	Description
`--since`	(all)	Changes from date or tag
`--format`	`markdown`	Output format: `markdown` or `json`

What it does:

Runs ConfigWatcher to retrieve git history of monitored files.
Applies diff_configs() (semantic differ) between consecutive versions of each file.
Classifies each change with ChangeClassifier (MAJOR/MINOR/PATCH).
Renders the changelog with ChangelogRenderer (Markdown or JSON).
Displays output in terminal and saves it to output_path.

Monitored files (by default):

CLAUDE.md, .cursorrules, .cursor/rules
AGENTS.md, .github/copilot-instructions.md, .github/agents/*.md
.architect/config.yaml, architect.yaml

Example:

$ licit changelog

# Agent Config Changelog

> 3 change(s) detected across 2 file(s): **1** major, **1** minor, **1** patch

## .architect/config.yaml

- **[MAJOR]** Changed: model from claude-sonnet-4 to claude-opus-4 (`a1b2c3d4`) — 2026-03-12
- **[PATCH]** Changed: budget.max_cost_usd from 5.0 to 10.0 (`a1b2c3d4`) — 2026-03-12

## CLAUDE.md

- **[MINOR]** Changed: section:Rules from 5 lines to 8 lines (+3/-0) (`e5f6g7h8`) — 2026-03-11

  Changelog saved to .licit/changelog.md

JSON example:

$ licit changelog --format json --since 2026-03-01
# Generates JSON with "changes" array and saves to .licit/changelog.json

Severity classification:

Severity	Trigger	Examples
MAJOR	Model/provider change, or deletion of MINOR field	`model: gpt-4` → `gpt-5`, deleting `guardrails`
MINOR	Prompt, guardrails, tools, rules, Markdown section change	Editing `system_prompt`, adding `blocked_commands`
PATCH	Everything else	Parameter adjustments, formatting

Supported diff formats:

Format	Extensions	Strategy
YAML	`.yaml`, `.yml`	Recursive key-value diff
JSON	`.json`	Recursive key-value diff
Markdown	`.md`	Diff by sections (headings)
Plain text	Others	Full content diff

For detailed changelog system documentation, see Changelog.

`licit fria`

Completes the Fundamental Rights Impact Assessment (EU AI Act Article 27).

Status: Functional (Phase 4 completed).

licit fria [--update] [--auto]

Options:

Option	Description
`--update`	Updates an existing FRIA instead of creating a new one
`--auto`	Non-interactive mode: accepts auto-detected values and defaults without prompts (ideal for CI/CD)

What it does:

Detects the project and gathers available evidence.
Runs an interactive 5-step questionnaire (16 questions). With --auto, automatically accepts all detected values and uses the first option as default for questions without auto-detection.
Auto-detects answers where possible (8 fields: system_purpose, ai_technology, models_used, human_review, guardrails, security_scanning, testing, audit_trail).
Saves data to .licit/fria-data.json and generates report at .licit/fria-report.md.

5 questionnaire steps:

Step	Title	Questions
1	System Description	Purpose, AI technology, models, scope, human review
2	Fundamental Rights Identification	Personal data, employment, safety, discrimination
3	Impact Assessment	Risk level, maximum impact, detection speed
4	Mitigation Measures	Guardrails, scanning, testing, audit trail, additional measures
5	Monitoring & Review	Review frequency, responsible party, incident process

Auto-detection: For fields marked with auto_detect, licit attempts to infer the answer from the project configuration. If successful, it displays the detected value and asks whether to accept it.

Generated files:

.licit/fria-data.json — Raw assessment data (JSON, reusable with --update)
.licit/fria-report.md — Human-readable Markdown FRIA report

Example:

$ licit fria

============================================================
  FUNDAMENTAL RIGHTS IMPACT ASSESSMENT (FRIA)
  EU AI Act -- Article 27
============================================================

──────────────────────────────────────────────────
  Step 1: System Description
──────────────────────────────────────────────────

  [1.1] What is the primary purpose of this AI system?
  -> Auto-detected: AI-assisted code development using claude-code
    Accept this value? [Y/n]:

`licit annex-iv`

Generates the Annex IV Technical Documentation (EU AI Act).

Status: Functional (Phase 4 completed).

licit annex-iv [--organization NAME] [--product NAME]

Options:

Option	Description
`--organization`	Organization name (default: project name)
`--product`	Product name (default: project name)

What it does:

Detects the project and gathers all available evidence.
Auto-populates an Annex IV document with 6 sections from project metadata.
Generates recommendations for sections with missing evidence.
Writes the result to .licit/annex-iv.md.

6 auto-generated sections:

Section	Content
1. General Description	Purpose, AI components, languages, frameworks
2. Development Process	Version control, AI provenance, agent configs
3. Monitoring & Control	CI/CD, audit trail, changelog
4. Risk Management	Guardrails, quality gates, budget, oversight, FRIA
5. Testing & Validation	Test framework, security tools
6. Changes & Lifecycle	Summary of tracking mechanisms

Example:

$ licit annex-iv --organization "ACME Corp" --product "WebApp"

  Annex IV documentation saved to: .licit/annex-iv.md

Generated file:

.licit/annex-iv.md — Complete technical documentation in Markdown

`licit report`

Generates a unified compliance report.

Status: Functional (Phase 6). Evaluates EU AI Act + OWASP Agentic Top 10. Supports Markdown, JSON and HTML.

licit report [--framework {eu-ai-act|owasp|all}] [--format {markdown|json|html}] [--output PATH]

Options:

Option	Default	Description
`--framework`	`all`	Framework to evaluate
`--format`	`markdown`	Output format
`-o`, `--output`	`.licit/reports/compliance-report.{ext}`	Output file path

Example:

$ licit report --framework eu-ai-act

  Compliance Summary
  ─────────────────────────────────────────────
  Project: my-app
  Generated: 2026-03-15 12:00 UTC

  eu-ai-act (2024/1689)
    [##..................] 9.1%
    1 compliant | 4 partial | 6 non-compliant

  ─────────────────────────────────────────────
  Overall: [##..................] 9.1%
  1/11 controls compliant

  Report saved to: .licit/reports/compliance-report.md

Output formats:

Format	Description
`markdown`	Summary tables + detail per requirement with `[PASS]`/`[FAIL]`/`[PARTIAL]` icons
`json`	Structured JSON with `overall`, `frameworks[]`, `results[]`
`html`	Self-contained HTML (no external dependencies), color badges, responsive

Generated files:

.licit/reports/compliance-report.md (or .json/.html depending on --format)

`licit gaps`

Identifies compliance gaps with actionable recommendations.

Status: Functional (Phase 6). Shows gaps with suggested tools and effort level.

licit gaps [--framework {eu-ai-act|owasp|all}]

Options:

Option	Default	Description
`--framework`	`all`	Framework to analyze

Example:

$ licit gaps --framework eu-ai-act

  10 compliance gap(s) found:

  1. [X] [ART-27-1] Fundamental Rights Impact Assessment (FRIA)
     Missing: Before putting an AI system into use, deployers shall
     carry out an assessment of the impact on fundamental rights.
     -> Run: licit fria -- to complete the FRIA
     Tools: licit fria

  2. [!] [ART-12-1] Record Keeping — Automatic Logging
     Incomplete: AI systems shall be designed with capabilities enabling
     automatic recording of events (logs) over the lifetime.
     -> Enable structured audit trail (architect reports or manual logging)
     Tools: licit trace, architect (audit log)

Gaps are sorted by severity ([X] non-compliant before [!] partial) and each one includes description, recommendation, and suggested tools.

`licit verify`

Verifies compliance and returns exit code for CI/CD.

Status: Functional (Phases 4-5). Evaluates EU AI Act (11 articles) and OWASP Agentic Top 10 (10 risks).

licit verify [--framework {eu-ai-act|owasp|all}]

Exit codes:

Code	Meaning
`0`	COMPLIANT — All critical requirements met
`1`	NON_COMPLIANT — Some critical requirement not met
`2`	PARTIAL — Some requirement partially met

Usage in CI/CD (GitHub Actions):

- name: Compliance check
  run: licit verify
  # Pipeline fails if exit code != 0

Command summary table

Command	Phase	Status	Short description
`init`	1	Functional	Initializes licit in the project
`status`	1	Functional	Shows status and connected sources
`connect`	1	Functional	Configures connectors
`trace`	2	Functional	Provenance traceability
`changelog`	3	Functional	Agent config changelog
`fria`	4	Functional	FRIA (EU AI Act Art. 27)
`annex-iv`	4	Functional	Annex IV technical documentation
`report`	6	Functional	Unified report (MD/JSON/HTML)
`gaps`	6	Functional	Gaps with recommendations
`verify`	4-6	Functional (EU AI Act + OWASP)	CI/CD gate