CLI Agent (NCTL AI)

Command Line AI Platform Engineering Assistant

The Nirmata CLI Agent is a command line AI Platform Engineering Assistant runs on engineer’s workstation and integrates directly into their development workflow, offering intelligent guidance and automation without requiring cluster access or cloud services.

Preview Feature: Nirmata AI Platform Engineering Assistant is currently available for preview. Contact us to get early access and provide feedback. Contact Us

Key Capabilities

nctl ai is an advanced AI assistant specializing in Platform Engineering and Policy as Code. It provides comprehensive support across multiple domains:

Policy as Code

  • Generate Kyverno policies from natural language descriptions
  • Create and execute comprehensive Kyverno CLI and Chainsaw tests
  • Generate policy exceptions for failing workloads
  • Upgrade Kyverno policies from older versions to CEL
  • Convert policies from OPA/Sentinel to Kyverno

Platform Engineering

  • Troubleshoot Kyverno engine, webhook, and controller issues
  • Get policy recommendations for your environments
  • Manage compliance across clusters
  • Manage Nirmata agents across your clusters
  • Install and configure Kyverno and other controllers

Quick Start

Install nctl using Homebrew:

brew tap nirmata/tap
brew install nctl

For more installation options, refer to the installation.

Run the CLI in interactive mode:

nctl ai

Enter your email when prompted:

Using nctl AI requires authentication with Nirmata Control Hub to access 
AI-enabled services. Please enter your business email to sign up for a 
free trial, or sign in to your account

Enter email: ****@******.com

A verification code has been sent to your email.
Enter verification code: ******

Email verified successfully!
Your credentials have been fetched and successfully saved.

👋 Hi, I am your Nirmata AI Platform Engineering Assistant!

I can help you automate security, compliance, and operational best practices 
across your clusters and pipelines.

💡 Here are some tasks I can do for you, or ask anything:
  â–¶ scan clusters
  â–¶ generate policies and tests
  â–¶ optimize costs

💡 type 'help' to see commands for working in nctl ai

───────────────────────────────────────────────────────────────────────────────────────
>
───────────────────────────────────────────────────────────────────────────────────────

Try some sample prompts like:

  • scan my cluster
  • generate a policy to require pod labels
  • summarize violations across my clusters
  • perform a Kyverno health check

Non-Interactive Mode:

You can also provide a prompt directly for single shot requests:

nctl ai --prompt "create a policy that requires all pods to have resource limits"

See Command Reference for full details.

Available Tools

Kubernetes & Policy Tools:

  • kubectl commands with direct cluster access
  • scan_kubernetes_cluster - Scan running clusters for policy violations
  • scan_resources - Validate resource manifests against policies
  • run_kyverno_tests - Execute policy test suites
  • generate_kyverno_tests - Auto-generate test cases from policies
  • generate_policy - Create policies from natural language descriptions

File & Code Management:

  • Complete filesystem access for reading and writing files
  • Pattern-based search across files and directories
  • Directory traversal and file manipulation
  • Git integration for version control operations

Available Skills

nctl ai loads specialized knowledge dynamically based on your needs:

  • generating-policies - Best practices for policy creation and structure
  • converting-policies - Migration strategies from other policy engines
  • generate-policy-exception - Automated exception generation for violations
  • kyverno-cli-tests - Unit testing for policy validation
  • chainsaw-tests - End-to-end policy testing workflows

You can also add your own Skills to customize the agent.

Once configured, your AI coding assistant will have access to all nctl ai capabilities, including policy generation, testing, and Kubernetes operations.

Adding Tools

The Model Context Protocol (MCP) allows you to extend nctl ai with additional capabilities by connecting external MCP servers. These servers can provide specialized tools, resources, and functionality beyond the built-in features.

Configuration

To configure MCP servers, create a configuration file at ~/.nirmata/nctl/mcp.yaml:

servers:
  - name: resend-email
    command: node
    args:
      - /path/to/directory/mcp-send-email/build/index.js
    env:
      RESEND_API_KEY: your_api_key_here
      SENDER_EMAIL_ADDRESS: example@email.com
      REPLY_TO_EMAIL_ADDRESS: another_example@email.com
    capabilities:
      tools: true
      prompts: false
      resources: false
      attachments: true

Configuration Options

  • name: Unique identifier for the MCP server
  • command: Executable command to start the server (e.g., node, python, binary path)
  • args: Array of command-line arguments passed to the server
  • env: Environment variables required by the server (API keys, configuration values, etc.)
  • capabilities: Defines what features the server provides:
    • tools: Server provides callable tools/functions
    • prompts: Server provides prompt templates
    • resources: Server provides data resources
    • attachments: Server can handle file attachments

Common Use Cases

MCP servers can extend nctl ai with capabilities like:

  • Sending emails and notifications
  • Interacting with external APIs and services
  • Accessing databases and data sources
  • Integration with cloud platforms
  • Custom business logic and workflows

Note: Make sure the MCP server executable is installed and accessible at the specified path before adding it to the configuration.

Adding Skills

You can extend nctl ai with custom domain knowledge and best practices by creating skill files. Skills provide specialized guidance that the AI assistant dynamically loads based on the task context.

Configuration

Skills are stored as Markdown files in the ~/.nirmata/nctl/skills directory:

~/.nirmata/nctl/skills/
  └── kyverno-cli-tests/
      └── SKILL.md
  └── my-custom-skill/
      └── my-first-custom-skill
          └── SKILL.md

Skills can be organized in subdirectories for better organization. Each skill should be a standalone Markdown file.

Creating a Skill File

Create a file named SKILL.md in the skills directory. Here’s an example for Kyverno testing best practices:

Example: ~/.nirmata/nctl/skills/kyverno-cli-tests/SKILL.md

# Kyverno Tests (Unit Tests)

Kyverno CLI tests are used to validate policy behaviors against sample "good" and "bad" resources. Carefully follow the instructions and best practices below when running Kyverno CLI tests:

- Always use the supplied tools to generate and execute Kyverno tests.
- **Testing:** When creating test files for Kyverno policies, always name the test file as "kyverno-test.yaml".
- **Test Execution:** After generating a Kyverno policy, test file (kyverno-test.yaml), and Kubernetes resource files, always run the "kyverno test" command via the `nctl_test` wrapper tool in the policy folder to validate that the policy works correctly with the test scenarios. Utilize the argument `--output-format json` in order to capture rich output. If ANY expected or actual results are recorded as "Unknown", check the test file and/or resource file(s) for resource name mismatches, or for syntax errors in the resource file. Do not ignore any such warnings. Re-execute the test after any changes to prove that the test now works.
-  **Test Results:** all Kyverno tests must `Pass` for a successful outcome. Stop when all tests pass.
-  **Understanding Policy Fail vs Test Fail**: a `Pass` result for a Kyverno test output indicates the test passed i.e. the result matches the expected policy result (pass, fail, etc.), and does not mean that the Policy has passed. Do not get confused by all tests passing. Refer to the table below to understand the difference between the policy result and the test result:
   -  Policy Result: `Pass`; Expected Result: `Pass`; Test Result: `Pass`
   -  Policy Result: `Pass`; Expected Result: `Fail`; Test Result: `Fail`
   -  Policy Result: `Fail`; Expected Result: `Pass`; Test Result: `Fail`
   -  Policy Result: `Fail`; Expected Result: `Fail`; Test Result: `Pass`
-  Only test for `Audit` mode. Do not try to update policies and test for `Enforce` mode.

## Test File Organization

Organize Kyverno CLI test files in a `.kyverno-test` sub-directory where the policy YAML is contained.

Sample test folder structure:

```
pod-security/
  ├── disallow-privileged-containers/
  │   ├── disallow-privileged-containers.yaml
  │   └── .kyverno-tests/
  │       ├── kyverno-test.yaml
  │       ├── resources.yaml
  │       └── variables.yaml
  └── other-policies/
```

Including Executable Scripts

Skills can include scripts that can be executed locally on your workstation. This allows you to extend nctl ai with custom automation, integrations, and tooling specific to your environment.

You can embed scripts directly in your skill files using code blocks, and the AI assistant can:

  • Execute bash, Python, or other scripts locally
  • Run custom validation or transformation tools
  • Integrate with local development tools and workflows
  • Automate repetitive tasks specific to your organization

Example with executable script:

# Custom Policy Validator

Use this script to validate policies against our internal standards:

```bash
#!/bin/bash
# Validate policy naming conventions
grep -q "^metadata:\s*name:\s*[a-z-]*$" "$1" || echo "Policy name must use lowercase with hyphens"
```

Run this validator before committing policies to ensure they meet our standards.

Skill Best Practices

  • Clear Structure: Use headings and lists to organize information
  • Actionable Guidance: Provide specific, actionable instructions
  • Examples: Include code examples and sample outputs
  • Context: Explain when and why to use specific approaches
  • Avoid Ambiguity: Be explicit about requirements and expectations
  • Executable Scripts: Include scripts that can be run locally to automate workflows

How Skills Work

When you interact with nctl ai, the assistant automatically:

  1. Analyzes your request to determine the relevant domain
  2. Loads applicable skills from the skills directory
  3. Applies the guidance and best practices from those skills
  4. Provides responses aligned with your custom knowledge base

Note: Skills are loaded dynamically based on context. You don’t need to restart nctl ai after adding or modifying skill files.

Accessing Nirmata Control Hub

After successful authentication, you can also access the Nirmata Control Hub web interface:

  1. Navigate to https://nirmata.io

  2. Use the same email address you provided during nctl setup

  3. Use the password you created in the authentication process

  4. Manual Setup:

    • Sign up for a 15-day free trial to get your API token
    • Login using the command:
      nctl login --userid YOUR_USER_ID --token YOUR_API_TOKEN

Integrating with MCP clients like Cursor, Claude Code, etc.

Run the agent as an MCP server:

nctl ai --mcp-server

For Cursor and Claude Desktop, edit ~/.cursor/mcp.json or ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "nctl": {
      "command": "nctl",
      "args": ["ai", "--mcp-server", "--token", "YOUR_NIRMATA_TOKEN"]
    }
  }
}

Command Reference

Run help for a full list of commands and capabilities or view the Command Reference documentation:

nctl ai --help

Agentic AI powered workflows

Usage:
  nctl ai [flags]

Examples:

  # Run an interactive AI workflow.
  nctl ai

  # Run an interactive AI workflow with a specific prompt.
  nctl ai --prompt "generate a Kyverno policy that enforces all pods have a 'team' label"

  # Allow AI to access additional directories.
  nctl ai --allowed-dirs "/path/to/policies,/tmp" --prompt "create pod security policies in /path/to/policies"

  # Use a custom MCP configuration file.
  nctl ai --mcp-config "/path/to/custom/mcp.yaml"

  # Start nctl as an MCP server for external AI clients.
  nctl ai --mcp-server

  # Start MCP server with verbose logging.
  nctl ai --mcp-server -v 1


Flags:
      --allowed-dirs strings     additional directories the AI can access (comma-separated)
      --delete-session string    delete a session by ID
      --force                    allow destructive operations in non-interactive mode (requires both --prompt and --skip-permission-checks)
  -h, --help                     help for ai
      --insecure                 allow connection to a Nirmata server with a insecure certificate (not recommended)
      --list-sessions            list all available sessions
      --max-tool-calls int       maximum number of tool calls to make (default 200)
      --mcp-config string        path to MCP configuration file (default: ~/.nirmata/nctl/mcp.yaml)
      --mcp-server               run a MCP (Model Context Protocol) server on stdio for Nirmata AI tools
      --new-session              create a new session (default: true) (default true)
      --prompt string            prompt for the AI workflow
      --resume-session string    ID of session to resume (use 'latest' for the most recent session)
      --skip-permission-checks   skip permission checks for tools (not recommended)
      --token string             the Nirmata API Login Key (env NIRMATA_TOKEN)
      --url string               the Nirmata server base URL (env NIRMATA_URL)
      --usage-details            show AI usage details and exit

Global Flags:
  -v, --v Level   number for the log level verbosity