apexe
Governed CLI capability runtime built on apcore
apexe 0.3.0 turns existing CLI tools into governed apcore modules and runs them through a shared execution surface. It scans help output, man pages, and shell completions; writes binding files, fail-closed ACL policy, and optional Claude Skills via --skills-dir; then serves the same modules through MCP stdio, HTTP, or SSE and as an A2A agent. The runtime now carries live annotations, preview for destructive commands, ACL allow/deny audit records, owner-only 0o600 JSONL audit logs, retry and circuit-breaker middleware, output caps, timeout killing, /metrics, /usage, and AI guidance on recoverable errors. A2A has no `--enable-approval` flag on A2A CLI transport; approval there is available through the library approval store API.
Features
Get Started
Rust 1.75+ implementation of the apexe scanner, executor, MCP server, and A2A agent runtime.
$ cargo install apexe# Scan an installed CLI tool
apexe scan git
# Inspect generated module bindings
apexe list
# Serve the scanned modules over MCP HTTP with the Explorer UI
apexe serve --transport http --port 8000 --explorer
# Or publish the same modules as an A2A agent
apexe a2a --url http://127.0.0.1:8000 --explorer