CLI Reference

@kill-switch/cli — monitor cloud spending, kill runaway services, and cap coding-agent spend from the terminal. Designed for both developers and AI agents.

Install

# From npm
npm install -g @kill-switch/cli

# From source
git clone https://github.com/divinci-ai/kill-switch.git
cd kill-switch/packages/cli
npm install && npm run build
npm link  # makes `kill-switch` and `ks` available globally
Short alias: Every kill-switch command can also be run as ks. For example: ks onboard, ks check, ks accounts list.

Quick Start

# 1. Authenticate (browser device flow — or pass --api-key)
ks auth setup

# 2. One-command setup (connects provider + applies shields + sets up alerts)
ks onboard --provider cloudflare \
  --account-id YOUR_ACCOUNT_ID \
  --token YOUR_API_TOKEN \
  --name "Production" \
  --shields cost-runaway,ddos \
  --alert-email you@example.com

# 3. Run a monitoring check
ks check

# 4. View results
ks accounts list

Authentication

The CLI authenticates with personal API keys (prefixed with ks_) or a browser device flow. Create a key from the web dashboard at app.kill-switch.net (Settings → API Keys), or via the API.

ks auth setup

Authenticate via your browser (opens a one-time approval page). Add --manual to open the Settings page and paste a key yourself instead.

ks auth login [--api-key KEY]

Authenticate. Uses the browser device flow by default; pass --api-key ks_… for a direct, non-interactive login. Saves to ~/.kill-switch/config.json (0600 permissions).

ks auth status

Show current auth status, account name, and tier.

ks auth logout

Clear stored credentials.

Auth Resolution Order

  1. KILL_SWITCH_API_KEY environment variable (best for CI/CD and AI agents)
  2. --api-key flag on any command
  3. ~/.kill-switch/config.json file (set by ks auth login / ks auth setup)

Onboard (One-Command Setup)

The fastest way to get protected. Connects a cloud provider, applies shield presets, and configures alerts — all in a single command. Designed for both humans and AI agents. (ks setup is an alias for ks onboard.)

AI agent friendly: Every parameter is passable as a flag. Run ks onboard --help-provider cloudflare to get exact instructions for obtaining credentials. 
# Interactive onboarding (prompts for each value)
ks onboard

# Non-interactive: connect Cloudflare (for AI agents like Claude Code)
ks onboard \
  --provider cloudflare \
  --account-id 14a6fa23390363382f378b5bd4a0f849 \
  --token your-cf-api-token \
  --name "Production" \
  --shields cost-runaway,ddos \
  --alert-email you@example.com

# Connect AWS
ks onboard \
  --provider aws \
  --access-key AKIA... \
  --secret-key wJalr... \
  --region us-east-1 \
  --shields aws-cost-runaway,gpu-runaway

# Connect GCP
ks onboard \
  --provider gcp \
  --project-id my-project-123 \
  --service-account "$(cat service-account-key.json)" \
  --shields cost-runaway

# Connect RunPod
ks onboard \
  --provider runpod \
  --runpod-api-key "YOUR_RUNPOD_API_KEY" \
  --shields cost-runaway,gpu-runaway

# Connect Neo4j Aura
ks onboard \
  --provider neo4j \
  --neo4j-client-id "YOUR_CLIENT_ID" \
  --neo4j-client-secret "YOUR_CLIENT_SECRET" \
  --shields cost-runaway

# Connect MongoDB Atlas
ks onboard \
  --provider mongodb \
  --mongodb-subtype atlas \
  --atlas-public-key "YOUR_PUBLIC_KEY" \
  --atlas-private-key "YOUR_PRIVATE_KEY" \
  --atlas-project-id "YOUR_PROJECT_ID" \
  --shields cost-runaway

# Show how to get credentials for a provider
ks onboard --help-provider cloudflare
ks onboard --help-provider aws
ks onboard --help-provider gcp
ks onboard --help-provider runpod
ks onboard --help-provider neo4j
ks onboard --help-provider mongodb

Onboard Options

FlagDescription
--providerCloud provider: cloudflare, gcp, aws, runpod, neo4j, mongodb
--nameAccount name (e.g., "Production")
--help-providerShow how to get credentials for a provider
Cloudflare
--tokenAPI token (must be an API Token, not Global Key)
--account-idAccount ID (from the dashboard URL bar)
GCP
--project-idProject ID
--service-accountService Account JSON
AWS
--access-keyAccess Key ID
--secret-keySecret Access Key
--regionRegion (default: us-east-1)
RunPod
--runpod-api-keyAPI Key
Neo4j Aura
--neo4j-client-idClient ID
--neo4j-client-secretClient Secret
--neo4j-instance-idInstance ID (optional)
MongoDB
--mongodb-subtypeatlas or self-hosted
--atlas-public-keyAtlas API public key
--atlas-private-keyAtlas API private key
--atlas-project-idAtlas project ID
--atlas-cluster-nameAtlas cluster name (optional)
--mongodb-uriConnection URI (self-hosted)
--mongodb-databaseDatabase name (self-hosted, optional)
Protection & alerts
--shieldsComma-separated presets (default: cost-runaway)
--alert-pagerdutyPagerDuty routing key (recommended)
--alert-emailEmail for alerts
--alert-discordDiscord webhook URL
--alert-slackSlack webhook URL
--skip-shieldsSkip applying protection rules
--skip-alertsSkip alert setup

Shield (Quick Protect)

The fastest way to add protection. One command applies a preset rule.

# Apply cost runaway protection
ks shield cost-runaway

# List all available shields
ks shield --list

# Preview without applying
ks shield gpu-runaway --dry-run

# Apply with JSON output (for automation)
ks shield gpu-runaway --json

Available Shields

PresetNameCategory
cost-runawayCost Runaway ProtectionCost
gpu-runawayGPU Instance RunawayCost
lambda-loopLambda Recursive LoopCost
aws-cost-runawayAWS Daily Cost RunawayCost
ddosDDoS ProtectionSecurity
brute-forceBrute Force ProtectionSecurity
exfiltrationData Exfiltration DetectionSecurity
error-stormError Storm ProtectionReliability

Cloud Accounts

ks accounts list

List all connected cloud accounts with provider, name, and status. Filter with --provider or --status.

ks accounts get <id>

Show detailed account info including thresholds and last check results.

ks accounts add <provider> --name "My Account"

Connect a cloud provider. Supported: cloudflare, gcp, aws, and more.

# Connect Cloudflare
ks accounts add cloudflare \
  --name "Production" \
  --token "your-cf-api-token" \
  --account-id "your-account-id"

# Connect GCP
ks accounts add gcp \
  --name "GCP Production" \
  --project-id "my-project" \
  --service-account '{"type":"service_account",...}'

ks accounts check <id>

Run a manual monitoring check on a specific account.

ks accounts delete <id>

Disconnect and delete a cloud account and its stored credentials.

Monitoring

ks check

Run monitoring checks on all connected accounts. Shows violations and actions taken.

$ ks check
Checked 2 account(s) — 1 violation(s)

✓ cloudflare     Production CF
✗ gcp            GCP Staging

Service               Metric          Current   Threshold   Over    Severity
─────────────────────────────────────────────────────────────────────────────
BigQuery              monthlySpend    $523      $500        1x      warning
  Actions: scale-down

ks watch [--interval 60]

Continuously monitor all accounts, polling on an interval (default: 60 seconds). Ctrl-C to stop.

Rules

ks rules list

List kill switch rules. Filter with --trigger (cost, security, custom, api, agent), --enabled, or --disabled.

ks rules presets

List available preset rule templates.

ks rules create <name> --trigger <type>

Create a custom rule. Trigger types: cost, security, api. Pass --condition / --action JSON, or --dry-run to preview.

ks rules toggle <id>

Enable or disable a rule.

ks rules delete <id>

Delete a rule permanently.

Database Kill Switch

Multi-step database kill sequences: snapshot → verify → isolate → nuke. Each step is an explicit command — no interactive prompts.

# Initiate a kill sequence
ks kill init \
  --credential-id "cred_abc123" \
  --trigger "credential compromise detected"

# Check status (omit id to list all active)
ks kill status dbkill-xyz789

# Advance to next step
ks kill advance dbkill-xyz789 --credential-id "cred_abc123"

# Final step (nuke) requires human approval
ks kill advance dbkill-xyz789 \
  --credential-id "cred_abc123" \
  --human-approval

# Abort if needed
ks kill abort dbkill-xyz789

Alerts

ks alerts list

List configured alert channels with type, name, enabled status, and masked config preview.

ks alerts add --type TYPE [options]

Add an alert channel. Supported types: pagerduty, slack, discord, email, webhook, github.

ks alerts remove <name>

Remove an alert channel by name.

ks alerts test

Send a test alert to all configured and enabled channels.

# PagerDuty (recommended — immediate on-call paging)
ks alerts add --type pagerduty --routing-key YOUR_ROUTING_KEY --name "On-Call"

# Slack or Discord webhook
ks alerts add --type slack --webhook-url https://hooks.slack.com/...
ks alerts add --type discord --webhook-url https://discord.com/api/webhooks/...

# GitHub AI Remediation — triggers Claude Code to open a fix PR on extreme violations
ks alerts add --type github \
  --token ghp_YOUR_PAT \
  --repo-owner YOUR_ORG \
  --repo-name YOUR_REPO \
  --workflow kill-switch-remediate.yml \
  --branch main

# Email or generic webhook
ks alerts add --type email --email you@example.com
ks alerts add --type webhook --webhook-url https://your-service.example.com/webhook

# Remove and test
ks alerts remove "PagerDuty"
ks alerts test

Agent Guard (ks guard)

Kill Switch for coding agents — stop a runaway Claude Code / Cursor / Aider session from racking up an LLM bill. ks guard is the same engine as the standalone @kill-switch/agent-guard binary (agent-guard / ksg) — they share one ledger, budget, and escape hatch.

Two enforcement modes. The hook (Claude Code) reads the live transcript, prices real token usage, warns at the soft cap, and denies the next tool call at the hard cap — failing open on any error so a buggy guard never bricks your session. The proxy (any agent) is a local metering reverse-proxy that returns HTTP 402 at the cap — a wall the agent can't argue past.

ks guard install [--global]

Wire the agent-guard hook into Claude Code settings. Defaults to ./.claude/settings.json; pass --global to install into ~/.claude/settings.json.

ks guard status [--json]

Show current session + daily agent spend against the budget.

ks guard config [options]

View or set budget caps.

FlagDescription
--session-soft <usd>Per-session soft cap (warn)
--session-hard <usd>Per-session hard cap (block)
--daily-soft <usd>Daily rolling soft cap (warn)
--daily-hard <usd>Daily rolling hard cap (block)
--slack-webhook <url>Slack incoming-webhook for breach alerts

ks guard pause [--minutes N]

Temporarily disable enforcement (escape hatch). Auto-resumes after N minutes, or stays paused indefinitely. The escape hatch always belongs to the human, never the agent.

ks guard resume

Re-arm enforcement after a pause.

ks guard reset [--all | --session ID | --today]

Clear the agent spend ledger — all sessions, a single session, or just today's.

ks guard proxy [options]

Start the token-metering proxy (HTTP 402 at the hard cap) for non-Claude-Code agents.

FlagDescription
--port <n>Port to listen on (default: 8787)
--flavor <name>API flavor: anthropic | openai (default: anthropic)
--upstream <url>Upstream origin (default: api.anthropic.com / api.openai.com)
# Cap a Claude Code session
ks guard install
ks guard config --session-hard 30 --daily-hard 150
ks guard status

# Hard 402 wall for any other agent (Cursor, Aider, raw scripts)
ks guard proxy --flavor openai --port 8787
# then point the agent at it:
export OPENAI_BASE_URL=http://localhost:8787

# Escape hatch (human only)
ks guard pause --minutes 30
ks guard resume

Organizations

Multi-org support for team and enterprise tiers. Scope any command to an org with the active selection (ks orgs switch) or the X-Org-Id header via the API.

ks orgs list

List organizations you belong to.

ks orgs create <name>

Create a new organization (requires team/enterprise tier).

ks orgs switch <orgId>

Switch the active organization for subsequent commands.

ks orgs info [orgId]

Get organization details.

ks orgs members

List team members in the current organization.

ks orgs invite <email> [--role admin|member|viewer]

Invite a member to the current organization (default role: member).

ks orgs delete <orgId>

Delete an organization (owner only; cannot delete your personal workspace).

Activity Log

Audit trail of every mutation — account connects, rule changes, kill sequences, team changes. Available on team/enterprise tiers.

ks activity

Show recent activity (last 10 entries).

ks activity list [filters]

Query the activity log (owner/admin only).

FlagDescription
--page <n>Page number (default: 1)
--limit <n>Results per page, max 100 (default: 25)
--action <prefix>Filter by action prefix (e.g., cloud_account, rule, team, kill_switch)
--resource-type <type>Filter by resource type
--actor <userId>Filter by actor user ID
--from <date>Start date (ISO format)
--to <date>End date (ISO format)

Providers

Inspect supported cloud providers and validate credentials before connecting.

ks providers list

List supported cloud providers.

ks providers validate <provider> [creds]

Validate cloud provider credentials without connecting an account. Accepts the same credential flags as ks onboard (--token, --account-id, --project-id, --service-account, --access-key, --secret-key, --region, --runpod-api-key).

# Validate a Cloudflare token before connecting
ks providers validate cloudflare \
  --token your-cf-api-token \
  --account-id your-account-id

Status Dashboard

ks status

Mini-dashboard: plan tier, connected accounts, enabled rules, alert channels, and 30-day spend summary — all in one command.

$ ks status

Kill Switch Status

  Plan:        pro
  Accounts:    2 active / 10 max
  Rules:       3 enabled
  Kill seqs:   none
  Alerts:      1 channel(s) — pagerduty
  Spend (30d): $55.00 · $12.00 saved · 2 action(s) taken

Connected Accounts:

Provider      Name                       Status        Last Check
──────────────────────────────────────────────────────────────────
cloudflare    Production CF              active        ok
aws           AWS Dev                    active        ok

Alert Channels:

Type          Name                 Enabled   Config
──────────────────────────────────────────────────────────────────
pagerduty     On-Call              true      ****abcd

Analytics

ks analytics [--days 30]

FinOps overview: total spend, daily average, projected monthly cost, savings from kill-switch actions, and per-account cost breakdown.

$ ks analytics

Analytics Overview

  Total spend:         $123.45
  Avg daily cost:      $4.11
  Projected monthly:   $127.00
  Savings estimate:    $38.20
  Kill switch actions: 3

Last 7 Days:

Date          Cost (USD)   Services   Violations
──────────────────────────────────────────────────
2026-03-30    3.5          5          0
2026-03-31    5.2          6          1

Account Breakdown:

Provider        Total Cost   Avg Daily
──────────────────────────────────────
cloudflare      80           2.67
aws             43.45        1.44

Configuration

ks config init

Create ~/.kill-switch/config.json with defaults.

ks config list

Show all config values. The API key is masked (in both table and --json output); pass --reveal to print it in full.

ks config get <key>

Get a single config value. Secret values (e.g. apiKey) are masked unless you pass --reveal.

ks config set <key> <value>

Set a config value. Keys: apiKey, apiUrl.

Global Options

FlagDescription
--jsonOutput raw JSON to stdout (for automation, piping, AI agents)
--api-key <key>Override API key for this command
--api-url <url>Override API URL (default: https://api.kill-switch.net)
-y, --yesSkip confirmation prompts (for non-interactive / agent use)
-V, --versionShow version number
-h, --helpShow help

AI Agent Usage

The CLI is designed to be used by AI coding agents (Claude Code, Cursor, Windsurf, etc.) to set up cloud cost protection on behalf of users — no manual steps required.

Agent-safe by design: Every parameter is passable as a flag. No interactive prompts when flags are provided (or with -y). All output is parseable with --json. Exit codes are deterministic (0=success, 1=error, 2=auth error). Use --help-provider to discover how to obtain credentials.

Full Agent Workflow

An AI agent can set up Kill Switch monitoring in a few steps:

# Step 1: Authenticate (user provides their API key, or set env var)
export KILL_SWITCH_API_KEY=ks_live_your_key

# Step 2: Discover how to get credentials for the user's provider
ks onboard --help-provider cloudflare --json
# Agent reads the instructions and helps user create the right token

# Step 3: Connect the provider with one command
ks onboard \
  --provider cloudflare \
  --account-id USER_CF_ACCOUNT_ID \
  --token USER_CF_API_TOKEN \
  --name "Production" \
  --shields cost-runaway,ddos,error-storm \
  --alert-pagerduty ROUTING_KEY \
  --json

# Step 4: Add additional alert channels as needed
ks alerts add --type pagerduty --routing-key ROUTING_KEY --json
ks alerts add --type slack --webhook-url https://hooks.slack.com/... --json

# Step 5: Verify full status
ks status --json

Claude Code / CLAUDE.md Integration

Add this to your project's CLAUDE.md to let Claude Code manage Kill Switch for you:

# In your project's CLAUDE.md:
## Kill Switch (Cloud Cost Protection)
- CLI: `ks` (alias for `kill-switch`)
- Auth: KILL_SWITCH_API_KEY env var or `ks auth login --api-key KEY`
- Setup: `ks onboard --provider cloudflare --account-id ID --token TOKEN`
- Check: `ks check --json`
- Credential help: `ks onboard --help-provider cloudflare`
- Cap my own agent spend: `ks guard install && ks guard config --daily-hard 150`

Non-Interactive Commands for Agents

# All commands work with --json for machine-readable output
ks accounts list --json
ks shield cost-runaway --json
ks check --json
ks rules list --json
ks analytics --json
ks guard status --json

# Parse JSON output
ks check --json | jq '.results[].violations | length'

Environment Variables

VariableDescription
KILL_SWITCH_API_KEYAPI key (overrides the config file)
KILL_SWITCH_API_URLAPI URL override (default: https://api.kill-switch.net)

Exit Codes

CodeMeaning
0Success
1Client error (bad arguments, API error)
2Authentication error (invalid/missing API key)

See Also