# AGENTS.md

Use the local `drata` CLI for Drata/GRC tasks in this repository.

Detailed workflow: `skills/drata-cli-workflow/SKILL.md`

## Getting oriented

- CLI entrypoint: `src/cli.mjs`. Library code: `src/lib/`. Tests: `test/` (run with `npm test`).
- OpenAPI specs at `specs/v1.json` and `specs/v2.json` are regenerated by `npm run refresh-specs`. Do not hand-edit.
- If `drata` isn't on PATH, run `node ./src/cli.mjs` instead. Check auth with `drata auth status --json` before the first API call.
- Node 20+ required.

## Key rules

- Prefer `drata` over handcrafted `curl` or one-off API scripts.
- Use versionless commands first (e.g. `drata get-company --json`); only pin `v1`/`v2` when behavior differs or the user asks.
- Use `--json` for agent-readable output.
- Use read-only mode for reporting: `DRATA_READ_ONLY=1` or `--read-only`.
- For writes, run `--dry-run --json` first, then execute only after confirming the request shape.
- Never print, commit, or persist real Drata API keys.
- Prefer Keychain auth (`drata auth login --api-key-stdin`), `--api-key-file`, or `DRATA_API_KEY_CMD` over inline secrets.
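
The read-only and dry-run rules above can be enforced with a small wrapper. This is an added example, not code from this repository: the function names `drata_bin`, `drata_report`, `drata_write` and the `CONFIRM=yes` convention are hypothetical, and it assumes the CLI exits non-zero when a dry run is rejected.

```shell
#!/bin/sh
# Added example: helper names and the CONFIRM variable are hypothetical.

# Run the CLI, falling back to the repo entrypoint when `drata` is not on PATH.
drata_bin() {
  if command -v drata >/dev/null 2>&1; then
    drata "$@"
  else
    node ./src/cli.mjs "$@"
  fi
}

# Reporting: force read-only mode for this one invocation.
# The subshell keeps DRATA_READ_ONLY from leaking into later write calls.
drata_report() {
  (
    export DRATA_READ_ONLY=1
    drata_bin "$@" --json
  )
}

# Writes: always dry-run first, then execute only after explicit confirmation.
# Returns 1 if the dry run fails, 2 if confirmation was not given.
drata_write() {
  # Step 1: show the request shape without sending it.
  # Assumption: a rejected dry run exits non-zero.
  drata_bin "$@" --dry-run --json || return 1

  # Step 2: stop here unless the caller has reviewed the dry-run output.
  if [ "${CONFIRM:-}" != "yes" ]; then
    echo "dry run only; re-run with CONFIRM=yes to execute" >&2
    return 2
  fi

  # Step 3: the same arguments, this time for real.
  drata_bin "$@" --json
}

# Usage (the write command name is a placeholder, not a real subcommand):
#   drata_report get-company
#   drata_write <write-command> ...              # prints the dry run, returns 2
#   CONFIRM=yes drata_write <write-command> ...  # dry run, then execute
```

Source the file and call the functions; nothing runs at load time, and no API key is ever passed on the command line.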
