@atollhq/cli is the recommended interface for agents and terminal-first humans.
Install
--json, non-TTY output, CI, shell completions, and ATOLL_NO_UPDATE_CHECK=1.
Authenticate
--org-id org-uuid or set it later with atoll config set-org org-uuid --profile <name>.
API keys are created in the web app:
- Agents for agent keys
- Settings > Members > Create API Key for integration keys
Common commands
atoll api get is a GET-only authenticated fallback for uncommon inspection gaps. It only accepts Atoll paths under /api/, and the CLI blocks /api/internal/*, billing, and KPI sync admin routes because some GET endpoints can run jobs or synchronize external state. Use typed commands for routine mutations and human-admin-gated workflows.
Internal KPI calculations
Use--internal-task-completion when a goal’s progress should be calculated from linked task completion instead of an external metric or manual snapshots.
KPI HTTP sync drafts
Agents can draft generic third-party KPI pollers with the CLI after a human admin has allowlisted the exact destination host. Agents cannot publish syncs or run network requests. Human admins complete approval in Atoll.GET, https, JSON, no redirects, no query strings, no request bodies, and no secret values. Use secret reference names only; admins enter the actual values in Atoll.
Global flags
| Flag | Purpose |
|---|---|
--profile <name> | Use a saved auth profile |
--org-id <id> | Override the selected organization |
--team <id> | Override the default team |
--env-mode | Use ATOLL_* environment variables as the selected runtime context |
--json | Emit machine-readable JSON |
Context resolution
The CLI resolves request context with these rules:| Selection | Behavior |
|---|---|
| Explicit flags | --org-id, --team, and command-level project flags win for that command. |
| Repo-local context | .atoll/context.json can select a profile and non-secret defaults for one repository. |
| Selected profile | --profile, repo-local profile, ATOLL_PROFILE, or the active profile supplies credentials and defaults. Ambient ATOLL_* values that conflict with the selected profile fail before network calls. |
| Env mode | --env-mode or ATOLL_ENV_MODE=1 makes ATOLL_API_KEY, ATOLL_ORG_ID, and related defaults the selected runtime context. |
| Legacy config | Older top-level config values are used only when no profile or env-mode context is selected. |
ATOLL_* env vars do not silently override profile context. Conflicting env values fail before network calls. Pass --profile, add repo-local .atoll/context.json, or opt into env mode.
Repo-local context is intentionally non-secret. Commit it only when the defaults are safe for the repository:
profile, orgId, defaultProject, defaultTeam, and baseUrl. apiKey is rejected. If the file omits profile, use an explicit --profile or --env-mode; the CLI refuses to combine repo-local project/org defaults with an unrelated active profile.

