Command line interface for the Agent Communication Protocol (ACP)
Project description
ACP CLI (acpctl)
The ACP CLI provides a simple command-line interface for interacting with the Agent Communication Protocol.
It allows developers and operators to:
- create and manage agent identities
- send and inspect messages
- test agent communication
- explore ACP-based systems
What is ACP?
ACP (Agent Communication Protocol) is a protocol for secure, identity-based communication between autonomous systems.
The CLI is the easiest way to experiment with ACP without writing code.
This project is not related to other packages using the acronym "ACP"
Current Functionality
Current phase includes:
acp identity createacp identity showacp identity exportacp identity verifyacp discover getacp discover listacp discover well-knownacp register putacp register updateacp register showacp message sendacp message capabilitiesacp agent runacp agent statusacp transport listacp transport probeacp relay statusacp relay healthacp relay registry listacp relay registry showacp relay routes showacp relay ops statsacp relay ops failuresacp config showacp config validate
Installation
From repository root:
pip install -e acp-runtime
pip install -e acpctl
Then run:
acp --help
From PyPI:
pip install acp-runtime acpctl
Config
CLI reads optional JSON config from:
--config <path>- or
ACP_CONFIG_FILE - or
~/.acp/config.jsonif it exists
Supported config keys:
{
"storage_dir": ".acp-data",
"discovery_scheme": "https",
"relay_hints": ["https://relay.example"],
"enterprise_directory_hints": [],
"timeout_seconds": 5,
"allow_insecure_http": false,
"allow_insecure_tls": false,
"ca_file": null,
"mtls_enabled": false,
"cert_file": null,
"key_file": null,
"key_provider": "local",
"vault_url": null,
"vault_path": null,
"vault_token_env": "VAULT_TOKEN"
}
Global transport hardening flags:
--allow-insecure-httplocal/dev/demo exception forhttp://--allow-insecure-tlsdisable TLS certificate verification--ca-file <path>custom CA bundle for HTTPS verification--mtls-enabledenable optional enterprise HTTP mTLS profile--cert-file <path>client/server certificate for mTLS profile--key-file <path>client/server private key for mTLS profile--key-provider <local|vault>select key custody backend--vault-url <url>Vault base URL when provider isvault--vault-path <path>Vault secret path prefix (or{agent_id}template)--vault-token-env <name>env var containing the Vault token
When key_provider=vault and mtls_enabled=true, cert_file/key_file may be supplied by provider material (leave both unset) or overridden explicitly (set both).
You can override storage directly:
acp --storage-dir /tmp/acp-data identity show --agent-id agent:demo@localhost:8088
Examples
Create identity:
acp identity create --agent-id agent:john.chess@demo
Create identity with endpoint and relay hint:
acp identity create \
--agent-id agent:john.chess@demo \
--direct-endpoint https://john.example.net/api/v1/acp/messages \
--relay-hint https://relay.example.net
Show identity:
acp identity show --agent-id agent:john.chess@demo
Export identity document:
acp identity export --agent-id agent:john.chess@demo --out ./john.identity.json
Verify identity document:
acp identity verify --file ./john.identity.json
Discover identity:
acp discover get --agent-id agent:ricardo.chess@demo
Discover agent metadata from /.well-known/acp:
acp discover well-known https://ricardo.example.net --agent-id agent:ricardo.chess@demo
Overlay adoption bootstrap check (well-known first):
acp discover well-known https://overlay-service.example.net
List discovery cache:
acp discover list
Register local identity with relay:
acp register put \
--agent-id agent:john.chess@demo \
--relay https://relay.example.net \
--endpoint https://john.example.net/api/v1/acp/messages
Update registration to publish MQTT hint:
acp register update \
--agent-id agent:john.chess@demo \
--relay https://relay.example.net \
--transport mqtt \
--broker mqtt://localhost:1883 \
--topic acp/agent/john.chess.demo \
--qos 1
Show relay registration:
acp register show --agent-id agent:john.chess@demo --relay https://relay.example.net
Send message payload:
acp message send \
--from agent:john.chess@demo \
--to agent:ricardo.chess@demo \
--payload-json '{"kind":"ping","value":1}' \
--delivery-mode auto
Request capabilities:
acp message capabilities \
--from agent:john.chess@demo \
--to agent:ricardo.chess@demo
Run a local agent runtime:
acp agent run \
--agent-id agent:john.chess@localhost:8088 \
--transport direct \
--transport amqp \
--port 8088
Check agent status:
acp agent status \
--agent-id agent:john.chess@localhost:8088 \
--relay https://relay.example.net
List transport configuration:
acp transport list --agent-id agent:john.chess@localhost:8088
Probe transport reachability:
acp transport probe --agent-id agent:john.chess@localhost:8088
Relay status:
acp relay status --relay https://relay.example.net
Relay health:
acp relay health --relay https://relay.example.net
Relay registry list/show:
acp relay registry list --relay https://relay.example.net --limit 50
acp relay registry show --relay https://relay.example.net --agent-id agent:john.chess@localhost:8088
Relay routes and ops:
acp relay routes show --relay https://relay.example.net --limit 50
acp relay ops stats --relay https://relay.example.net
acp relay ops failures --relay https://relay.example.net --limit 50
JSON output:
acp --json discover get --agent-id agent:ricardo.chess@demo
Local demo-only HTTP example (explicit override):
acp --allow-insecure-http relay status --relay http://localhost:8080
Optional HTTPS + mTLS example:
acp \
--config ~/.acp/config.json \
--mtls-enabled \
--ca-file ./tls/ca.pem \
--cert-file ./tls/client-cert.pem \
--key-file ./tls/client-key.pem \
transport probe --agent-id agent:john.chess@demo
Optional Vault-backed key-provider selection:
export VAULT_TOKEN="..."
acp \
--key-provider vault \
--vault-url https://vault.example.net \
--vault-path secret/data/acp/identities \
--json config show
Config validation:
acp config show
acp config validate
Security Notes
- Private keys are never printed by default.
- Identity verification uses existing SDK identity verification logic.
- Discovery uses existing SDK discovery order (cache,
.well-known, relay/directory hints). - No insecure identity bypass is added in this phase.
acp message capabilitiesreports non-error no-response outcomes explicitly.- HTTPS is the default for HTTP-based ACP paths.
- Local/dev/demo
http://use requires explicit--allow-insecure-http. - HTTP mTLS is optional and enterprise-focused; ACP core protocol semantics are unchanged.
- For local/self-signed mTLS testing, set
ca_fileto your local CA bundle and keepallow_insecure_tls=falseby default.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file acpctl-0.1.1.tar.gz.
File metadata
- Download URL: acpctl-0.1.1.tar.gz
- Upload date:
- Size: 29.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7a577bf1b36afbfe2b09f51866b79692a7e964be30b8f960ee6e3791d83c7ed7
|
|
| MD5 |
4792dd00f260401626ab49082f310666
|
|
| BLAKE2b-256 |
97b93fafa7a3fc72d1888379940e5f7536dce3a4efbf6350123b66e18d35fbb3
|
File details
Details for the file acpctl-0.1.1-py3-none-any.whl.
File metadata
- Download URL: acpctl-0.1.1-py3-none-any.whl
- Upload date:
- Size: 34.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
689179ab5671eb37ab5840e735a7f045a3f1d9d5fa0f1b585da213f0fde1a231
|
|
| MD5 |
e553bcbf4e869ec6dabce024582c7097
|
|
| BLAKE2b-256 |
46f9f1e5d838754d43be4b1a7bd6e01fb8ba3e3e8c79483136182f7fab6c0fab
|
