Getting Started¶

Installation¶

Install with one line — it detects your OS and CPU, downloads the standalone binary, and puts it on your PATH:

curl -fsSL https://cli.my.secutec.com/install.sh | sh

The binary you get defaults to the environment of the host you installed from (cli → production, staging.cli → staging, testing.cli → testing). Override any time with mysecutec -e <env> or mysecutec config set environment <env>.

Prefer a direct download? Grab the binary for your platform from cli.my.secutec.com, make it executable, and move it onto your PATH.

Check what you have, and keep it current:

mysecutec version          # prints version + commit
mysecutec update           # upgrade to the latest build

Use it with your AI agent¶

The CLI is designed to be driven by an AI coding agent (Claude Code, OpenAI Codex, Cursor, …) so you can ask about your security posture in plain language instead of memorizing commands.

1. Authenticate once:

1	`mysecutec login`

2. Drop the agent guide into your project. It teaches the agent how to use the CLI safely (conventions, the full command catalog, confirmation rules). Agents auto-discover an AGENTS.md in the working directory:

curl -fsSL https://cli.my.secutec.com/AGENTS.md -o AGENTS.md

3. Just ask. From that folder, talk to your agent in natural language — it translates your intent into mysecutec commands, reads the JSON, and answers:

# Claude Code
claude "Show me the threats that need my attention most urgently"

# OpenAI Codex
codex "Are any of our credentials leaked? Summarize by breach source."

# one-shot / non-interactive (Claude Code)
claude -p "Give me a posture scorecard: assets, threats by severity, dark-web exposure"

Cursor, Windsurf, and other AGENTS.md-aware tools work the same way — open the folder and ask. See the AI Agents guide for the full playbook, example prompts, and the safety rules the agent follows.

Authentication¶

MySecutec CLI uses OAuth2 PKCE (Proof Key for Code Exchange) via Keycloak.

1	`mysecutec login`

This opens a browser for authentication. A local callback server listens on port 9876 at http://localhost:9876/callback.

OAuth Configuration:

Parameter	Value
Client ID	`my-secutec-mobile-app-pkce`
Scope	`openid profile email offline_access`
Code Challenge Method	`S256`
Realm	`secutec`
Callback Port	`9876` (configurable)

Auth URLs per environment:

{AuthURL}/realms/secutec/protocol/openid-connect/auth    # Authorization
{AuthURL}/realms/secutec/protocol/openid-connect/token   # Token exchange
{AuthURL}/realms/secutec/protocol/openid-connect/logout  # Logout

Logout¶

1	`mysecutec logout`

Clears stored tokens.

Status¶

1	`mysecutec status`

Shows current authentication and token status.

Token Storage¶

Tokens are stored at ~/.mysecutec/tokens-{environment}.json with 0600 permissions.

Configuration¶

Configuration is stored at ~/.mysecutec/config.yaml.

List configuration¶

1	`mysecutec config list`

Displays: environment, output_format, default_limit, no_color, callback_port.

Get a config value¶

mysecutec config get environment
mysecutec config get output_format
mysecutec config get no_color

Set a config value¶

mysecutec config set environment staging
mysecutec config set output_format json
mysecutec config set no_color true

Switch environment¶

mysecutec use testing
mysecutec use staging
mysecutec use production

Config Key	Default	Description
`environment`	`production`	API environment
`output_format`	`text`	Output format (`text` or `json`)
`default_limit`	`20`	Default pagination limit
`no_color`	`false`	Disable colored output
`callback_port`	`9876`	OAuth callback port

Impersonation¶

Partners can impersonate customer organizations.

Interactive mode¶

1	`mysecutec impersonate`

Opens an interactive picker using the organization autocomplete API.

API: GET /org/v1/organizations/autocomplete?search=<query>

Response:

[
  {
    "label": "Acme Corp",
    "value": "org-uuid-123",
    "alias": "acme"
  }
]

Direct mode¶

1	`mysecutec impersonate <org_id>`

API: POST /iam/v1/impersonations/{org_id}