CLI
The `map` binary. Login (OAuth2 PKCE), dispatch any protocol, MCP tools, identity check. Stores config at ~/.map/config.json.
The MAP CLI is a Rust binary at services/map-cli. Installing produces the map command on your PATH.
Install
cargo install --git https://github.com/l1fe-ai/map map-cli
# or
curl -fsSL https://get.multiagentic.dev | sh
Commands
| Command | Purpose |
|---|---|
| `map login` | OAuth2 PKCE flow; provisions API key; stores ~/.map/config.json |
| `map whoami` | Show the active identity, tenant, capabilities |
| `map invoke <PROTOCOL> <OPERATION>` | Dispatch one operation |
| `map mcp list` | List available MCP tools |
| `map mcp call <TOOL>` | Invoke an MCP tool |
| `map logout` | Revoke tokens and clear config |
| `map --help` | Full help, including hidden commands |
map login
map login --auth-url https://auth.l1fe.ai
What happens:
- CLI spawns a local callback server on `127.0.0.1:8600`
- Opens your default browser to the OAuth2 authorization endpoint with PKCE challenge
- After you approve, browser redirects to the local callback with an authorization code
- CLI exchanges the code for `access_token` + `refresh_token`
- CLI calls the provisioner endpoint to mint an API key bound to your DID
- CLI stores everything in `~/.map/config.json`:
{
"auth_url": "https://auth.l1fe.ai",
"api_url": "https://api.multiagentic.dev",
"agent_did": "did:oas:l1fe:agent:0xa3f9c1a4...",
"access_token": "...",
"refresh_token": "...",
"api_key": "map_live_...",
"tenant_id": "org_default"
}
Tokens refresh automatically when the CLI runs subsequent commands.
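The config file above holds the access token, refresh token and API key, so only your own account should be able to read it. The following is an added example, not code from the MAP project: it checks the paths named on this page (`~/.map/config.json` and `~/.map/profiles/<name>.json`) for group/other access; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not MAP project code. Paths come from the page;
# function names (_mode, audit_map_creds, harden_map_creds) are hypothetical.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Report every MAP credential path that group or other can access.
# Returns 0 when nothing is exposed, 1 otherwise.
audit_map_creds() {
  local dir="${1:-$HOME/.map}" findings=0 p mode
  for p in "$dir" "$dir/profiles" "$dir/config.json" "$dir"/profiles/*.json; do
    if [ -L "$p" ]; then             # a symlink could redirect token writes
      echo "SYMLINK $p"; findings=$((findings + 1)); continue
    fi
    [ -e "$p" ] || continue          # unmatched glob or missing path
    mode=$(_mode "$p")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
      echo "LOOSE $mode $p"; findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Restrict directories to 0700 and credential files to 0600.
harden_map_creds() {
  local dir="${1:-$HOME/.map}" p
  for p in "$dir" "$dir/profiles"; do
    [ -d "$p" ] && [ ! -L "$p" ] && chmod 700 "$p"
  done
  for p in "$dir/config.json" "$dir"/profiles/*.json; do
    [ -f "$p" ] && [ ! -L "$p" ] && chmod 600 "$p"
  done
  return 0
}
# Typical use after `map login`: audit_map_creds || harden_map_creds
```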
map whoami
$ map whoami
DID: did:oas:l1fe:agent:0xa3f9c1a4b5...
Name: Acme Operations Bot
Tenant: org_acme
Conformance: L1 · verified lineage
Capabilities:
- map.macs.*
- map.mind.recall_memory
- map.marc.reasoning_task
- map.max.audit_query
- map.market.query_orderbook
Audit head: 0x4f81b3a (refreshed 12s ago)
map invoke
The general dispatch surface. Equivalent to POST /v1/dispatch.
map invoke MACS auth_negotiation --input '{
"profile": "DidAuth",
"challenge_kind": "Nonce"
}'
Flags
| Flag | Default | Notes |
|---|---|---|
| `--input <json>` | required (or stdin) | Operation payload |
| `--input-file <path>` | — | Read JSON from a file |
| `--version <semver>` | v1.0.0 | Specific protocol version |
| `--tenant-id <id>` | from config | Override tenant |
| `--stream` | off | Receive SSE events for long ops |
| `--idempotency-key <key>` | — | For safe retries on state-changing ops |
| `--trace` | off | Print full trace context |
| `--audit-tail` | off | After the call, show the audit record(s) it produced |
| `--output <format>` | json | json \| yaml \| human |
| `--timeout <secs>` | 30 | Cancel if no response |
Examples
map invoke MARC reasoning_task --input '{
"intent": "is the proposed treaty enforceable?",
"premises": ["mars://treaty/0x91a", "mars://policy/0x12c"],
"budget": { "tokens": 32000, "deadline_ms": 12000 },
"return_fields": ["derivation", "citations", "confidence"]
}' --audit-tail
map invoke MIND store_memory --input '{
"kind": "episodic",
"payload": { "subject": "meeting", "with": "ops@globex", "topic": "treaty draft v2" }
}' --idempotency-key "meeting-2026-05-20-globex-ops"
map invoke MAX audit_query --input '{
"correlation_id": "req_abc123",
"include_inputs": true
}' --output human
map invoke MACE deliberate --input '{
"motion": "ratify treaty 0x91a",
"quorum": "supermajority",
"deadline_ms": 60000
}' --stream
# Streams progress events as the council deliberates
map mcp
The CLI is also an MCP client and host. See MCP for the protocol-level details.
# List MCP tools exposed by the configured MAP
map mcp list
# Group by category
map mcp list --category map-cognitive
map mcp list --category map-governance
map mcp list --category map-commerce
map mcp list --category map-infrastructure
# Call a tool
map mcp call map.marc.reasoning_task --input '{
"intent": "...",
"budget": { "tokens": 8000, "deadline_ms": 8000 }
}'
map logout
map logout
Revokes both the OAuth2 tokens (against the auth server) and the API key (against the provisioner endpoint), then deletes ~/.map/config.json. `map whoami` afterwards reports not authenticated.
Config precedence
For every command, settings are resolved in this order:
- Explicit CLI flag (`--tenant-id`, etc.)
- Environment variable (`MAP_TENANT_ID`, `MAP_API_KEY`, ...)
- `~/.map/config.json`
Useful for switching tenants:
MAP_TENANT_ID=org_globex map invoke MARS query_registry --input '{}'
Multiple profiles
map --profile dev login --auth-url https://auth.dev.l1fe.ai
map --profile prod login --auth-url https://auth.l1fe.ai
map --profile dev invoke MIM message_send --input '{...}'
Profiles are independent — they write to ~/.map/profiles/<name>.json.
Shell completions
map completions bash > ~/.local/share/bash-completion/completions/map
map completions zsh > ~/.zsh/completions/_map
map completions fish > ~/.config/fish/completions/map.fish
Exit codes
| Code | Meaning |
|---|---|
| 0 | success |
| 1 | usage error |
| 2 | not authenticated (run map login) |
| 3 | capability denied |
| 4 | rate limited |
| 5 | timeout |
| 6 | adapter / upstream error |
| 7 | policy denied |
| 99 | internal CLI error |
These let you script around specific failures cleanly.
The CLI is the same binary used by CI/CD systems to dispatch MAP calls. The auth flow supports headless mode via MAP_API_KEY + MAP_AGENT_DID env vars.
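As an added example (not part of the MAP project), here is a CI wrapper that branches on the exit codes in the table above and reuses a single `--idempotency-key` across retries. The name `map_invoke_retry`, the `MAP_RETRY_DELAY` variable and the choice to retry only codes 4 and 5 are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not MAP project code. Retry policy is an assumption:
# 4 (rate limited) and 5 (timeout) are treated as transient; auth and
# authorization failures (2, 3, 7) are surfaced at once, never retried.
# MAP_RETRY_DELAY (hypothetical) sets the initial backoff in seconds.

# Usage: map_invoke_retry <max_attempts> <idempotency_key> <PROTOCOL> <OPERATION> [flags...]
map_invoke_retry() {
  local max="$1" key="$2" attempt=1 rc delay="${MAP_RETRY_DELAY:-1}"
  shift 2
  while :; do
    rc=0
    # The same key on every attempt lets a state-changing op be retried safely.
    map invoke "$@" --idempotency-key "$key" || rc=$?
    case "$rc" in
      0) return 0 ;;
      4|5)
        if [ "$attempt" -ge "$max" ]; then
          echo "map: giving up after $attempt attempts (exit $rc)" >&2
          return "$rc"
        fi
        sleep "$delay"; delay=$((delay * 2)); attempt=$((attempt + 1)) ;;
      2) echo "map: not authenticated; set MAP_API_KEY and MAP_AGENT_DID or run map login" >&2
         return 2 ;;
      3|7) echo "map: capability or policy denied (exit $rc); not retrying" >&2
           return "$rc" ;;
      *) return "$rc" ;;   # 1, 6, 99 and anything unknown: fail the job
    esac
  done
}
```

Keeping 3 and 7 out of the retry path means a denied call fails the job at once and is not repeated against the API.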