RubyGems - vaultkit - Versions diffs - 0.1.0 → 0.1.2 - Mend

vaultkit 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/README.md +906 -729
data/lib/vkit/cli/base_cli.rb +1 -1
data/lib/vkit/cli/commands/base_command.rb +2 -0
data/lib/vkit/cli/commands/login_command.rb +7 -7
data/lib/vkit/cli/commands/logout_command.rb +15 -0
data/lib/vkit/cli/commands/policy_bundle_command.rb +44 -21
data/lib/vkit/cli/commands/policy_deploy_command.rb +20 -1
data/lib/vkit/cli/commands/whoami_command.rb +34 -4
data/lib/vkit/core/auth_client.rb +16 -4
data/lib/vkit/core/credential_store.rb +16 -0
metadata +3 -3

data/lib/vkit/cli/base_cli.rb CHANGED Viewed

@@ -157,7 +157,7 @@ module Vkit
         desc "deploy", "Deploy a policy bundle to VaultKit"
         option :bundle, type: :string, default: "dist/policy_bundle.json"
-        option :org, type: :string, required: true
+        option :org, type: :string
         option :activate, type: :boolean, default: true
         def deploy

data/lib/vkit/cli/commands/base_command.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+require_relative "../api/client"
 module Vkit
   module CLI
     module Commands

data/lib/vkit/cli/commands/login_command.rb CHANGED Viewed

@@ -31,7 +31,7 @@ module Vkit
           result =
             case auth
             when "oidc"
-              oidc_flow(client, discovery["oidc"]["login_url"])
+              oidc_flow(client)
             when "password"
               password_flow(client)
             when "token"
@@ -55,20 +55,20 @@ module Vkit
         private
-        def oidc_flow(client, login_url)
+        def oidc_flow(client)
           start = client.start_cli_login
           poll_token = start["poll_token"]
+          login_url  = start["login_url"]
           open_browser(login_url)
           puts "⏳ Waiting for authentication to complete..."
           loop do
             res = client.poll_cli_login(poll_token)
             case res.code.to_i
             when 204
               sleep 2
-              next
             when 200
               body = JSON.parse(res.body)
               return {
@@ -83,7 +83,7 @@ module Vkit
               raise "Unexpected response: #{res.code}"
             end
           end
-        end
+        end
         def password_flow(client)
           email = @email || prompt("Email")

data/lib/vkit/cli/commands/logout_command.rb CHANGED Viewed

@@ -3,6 +3,21 @@ module Vkit
     module Commands
       class LogoutCommand < BaseCommand
         def call
+          token = credential_store.token
+          if token
+            begin
+              client = Vkit::Core::AuthClient.new(
+                base_url: credential_store.endpoint
+              )
+              client.logout(token)
+            rescue => e
+              warn "⚠️ Server logout failed: #{e.message}"
+              warn "⚠️ Continuing with local logout"
+            end
+          end
           credential_store.clear_token!
           puts "🧹 Logged out"
         end

data/lib/vkit/cli/commands/policy_bundle_command.rb CHANGED Viewed

@@ -1,10 +1,13 @@
+# frozen_string_literal: true
 require "json"
+require "fileutils"
 require_relative "../../policy/bundle_compiler"
 module Vkit
   module CLI
     module Commands
-      class PolicyBundleCommand
+      class PolicyBundleCommand < BaseCommand
         def call(policies_dir:, registry_dir:, out:, org:, version:)
           policies_dir = File.expand_path(policies_dir)
           registry_dir = File.expand_path(registry_dir)
@@ -15,26 +18,46 @@ module Vkit
           version ||= git_sha
-          bundle = Vkit::Policy::BundleCompiler.compile!(
-            org_slug: org || "unknown",
-            bundle_version: version,
-            policies_dir: policies_dir,
-            registry_dir: registry_dir,
-            source: {
-              repo: git_repo,
-              ref: git_ref,
-              commit_sha: version
-            }
-          )
-          FileUtils.mkdir_p(File.dirname(out))
-          File.write(out, JSON.pretty_generate(bundle))
-          puts "✅ Policy bundle created"
-          puts "   Org:     #{bundle.dig("bundle", "org_slug")}"
-          puts "   Version: #{bundle.dig("bundle", "bundle_version")}"
-          puts "   Checksum: #{bundle.dig("bundle", "checksum")}"
-          puts "   Output:  #{out}"
+          with_auth do
+            derived_org = credential_store.user["organization_slug"]
+            raise "Unable to determine organization from credentials. Please login." \
+              if derived_org.nil? || derived_org.empty?
+            if org && org != derived_org
+              raise <<~MSG
+                Organization mismatch detected.
+                  Authenticated organization: #{derived_org}
+                  Provided via --org:          #{org}
+                Refusing to continue to prevent cross-organization policy bundles.
+              MSG
+            end
+            org_slug = org || derived_org
+            bundle = Vkit::Policy::BundleCompiler.compile!(
+              org_slug: org_slug,
+              bundle_version: version,
+              policies_dir: policies_dir,
+              registry_dir: registry_dir,
+              source: {
+                repo: git_repo,
+                ref: git_ref,
+                commit_sha: version
+              }
+            )
+            FileUtils.mkdir_p(File.dirname(out))
+            File.write(out, JSON.pretty_generate(bundle))
+            puts "✅ Policy bundle created"
+            puts "   Org:      #{bundle.dig("bundle", "org_slug")}"
+            puts "   Version:  #{bundle.dig("bundle", "bundle_version")}"
+            puts "   Checksum: #{bundle.dig("bundle", "checksum")}"
+            puts "   Output:   #{out}"
+          end
         end
         private

data/lib/vkit/cli/commands/policy_deploy_command.rb CHANGED Viewed

@@ -11,10 +11,28 @@ module Vkit
             bundle_path = File.expand_path(bundle_path)
             raise "Bundle not found: #{bundle_path}" unless File.exist?(bundle_path)
+            derived_org = credential_store.user["organization_slug"]
+            raise "Unable to determine organization from credentials. Please login." \
+              if derived_org.nil? || derived_org.empty?
+            if org && org != derived_org
+              raise <<~MSG
+                Organization mismatch detected.
+                  Authenticated organization: #{derived_org}
+                  Provided via --org:          #{org}
+                Refusing to deploy policy bundle to a different organization.
+              MSG
+            end
+            org_slug = org || derived_org
             bundle = JSON.parse(File.read(bundle_path))
             response = authenticated_client.post(
-              "/api/v1/orgs/#{org}/policy_bundles",
+              "/api/v1/orgs/#{org_slug}/policy_bundles",
               body: {
                 bundle: bundle,
                 activate: activate
@@ -22,6 +40,7 @@ module Vkit
             )
             puts "🚀 Policy bundle deployed"
+            puts "   Org:     #{org_slug}"
             puts "   Version: #{response['bundle_version']}"
             puts "   State:   #{response['state']}"
           end

data/lib/vkit/cli/commands/whoami_command.rb CHANGED Viewed

@@ -3,10 +3,40 @@ module Vkit
     module Commands
       class WhoamiCommand < BaseCommand
         def call
-          with_auth do
-            user = credential_store.user
-            puts "👤 #{user['email']} (role: #{user['role']}, org: #{user['organization_slug']})"
-          end
+          user = fetch_user_from_server_or_fallback
+          puts "👤 #{user['email']} " \
+               "(role: #{user['role']}, org: #{user['organization_slug']})"
+        end
+        private
+        def fetch_user_from_server_or_fallback
+          token = credential_store.token
+          endpoint = credential_store.endpoint
+          raise "Not logged in" if token.nil? || endpoint.nil?
+          client = Vkit::Core::AuthClient.new(base_url: endpoint)
+          server_user = client.whoami(token)
+          # keep cache in sync if server is authoritative
+          credential_store.save_user(server_user)
+          server_user
+        rescue => e
+          fallback_local_user(e)
+        end
+        def fallback_local_user(error)
+          user = credential_store.user
+          raise "Not logged in" if user.nil?
+          warn "⚠️ Unable to verify identity with server"
+          warn "⚠️ #{error.message}"
+          warn "⚠️ Showing cached identity"
+          user
         end
       end
     end

data/lib/vkit/core/auth_client.rb CHANGED Viewed

@@ -29,11 +29,15 @@ module Vkit
       end
       def poll_cli_login(poll_token)
-        uri = uri_for("/auth/cli/poll?token=#{poll_token}")
-        req = Net::HTTP::Get.new(uri)
+        uri = uri_for("/auth/cli/poll")
+        req = Net::HTTP::Post.new(uri)
+        req["Content-Type"] = "application/json"
+        req.body = JSON.dump(
+          poll_token: poll_token
+        )
         http_request(uri, req, allow_non_200: true)
-      end
+      end
       def password_login(email:, password:)
         uri = uri_for("/api/users/sign_in")
@@ -66,6 +70,14 @@ module Vkit
         body["user"]
       end
+      def logout(token)
+        uri = uri_for("/api/users/sign_out")
+        req = Net::HTTP::Delete.new(uri)
+        req["Authorization"] = "Bearer #{token}"
+        http_request(uri, req, allow_non_200: true)
+      end
       private
       def uri_for(path)

data/lib/vkit/core/credential_store.rb CHANGED Viewed

@@ -33,6 +33,22 @@ module Vkit
         true
       end
+      def save_user(user)
+        payload = load_payload
+        return unless payload
+        payload["user"] = user
+        case
+        when mac?
+          mac_keychain_store(payload)
+        when linux? && secret_tool_available?
+          linux_secret_service_store(payload)
+        else
+          file_store(payload)
+        end
+      end
       def endpoint
         load_payload&.dig("endpoint")
       end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vaultkit
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.2
 platform: ruby
 authors:
 - Nnamdi Ogundu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-03 00:00:00.000000000 Z
+date: 2026-01-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -68,7 +68,7 @@ files:
 - lib/vkit/utils/logger.rb
 homepage: https://vaultkit.io
 licenses:
-- Proprietary
+- Nonstandard
 metadata:
   rubygems_mfa_required: 'true'
   source_code_uri: https://github.com/ndbaba1/vaultkitcli