vaultkit 0.1.0

data/bin/vkit

@@ -0,0 +1,30 @@
+#!/usr/bin/env ruby
+
+require_relative "../lib/vkit"
+require_relative "../lib/vkit/cli/errors"
+
+begin
+  Vkit::CLI::BaseCLI.start(ARGV)
+
+rescue Vkit::CLI::Error => e
+  warn "❌ #{e.message}"
+  exit 1
+
+rescue Thor::Error => e
+  warn "❌ #{e.message}"
+  exit 1
+
+rescue Interrupt
+  warn "\n⏹️  Interrupted"
+  exit 130
+
+rescue => e
+  warn e.message
+
+  # Only show stack trace when debugging
+  if ENV["VKIT_DEBUG"] == "true"
+    warn e.backtrace.join("\n")
+  end
+
+  exit 1
+end

data/lib/vkit/cli/api/client.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "uri"
+require "json"
+
+module Vkit
+  module CLI
+    module API
+      class Client
+        DEFAULT_TIMEOUT = 15
+
+        def initialize(base_url:, token:)
+          raise ArgumentError, "base_url required" if base_url.nil?
+          raise ArgumentError, "token required" if token.nil?
+
+          @base_url = base_url.chomp("/")
+          @token    = token
+        end
+
+        def get(path, params: {})
+          request(method: :get, path: path, body: params.empty? ? nil : params)
+        end
+
+        def post(path, body:)
+          request(method: :post, path: path, body: body)
+        end
+
+        def put(path, body:)
+          request(method: :put, path: path, body: body)
+        end
+
+        def patch(path, body:)
+          request(method: :patch, path: path, body: body)
+        end
+
+        private
+
+        def request(method:, path:, body: nil)
+          uri = URI("#{@base_url}#{path}")
+
+          req = build_request(method, uri)
+          req["Authorization"] = "Bearer #{@token}"
+          req["Content-Type"]  = "application/json"
+          req.body = JSON.dump(body) if body
+
+          res = Net::HTTP.start(
+            uri.host,
+            uri.port,
+            use_ssl: uri.scheme == "https",
+            open_timeout: DEFAULT_TIMEOUT,
+            read_timeout: DEFAULT_TIMEOUT
+          ) do |http|
+            http.request(req)
+          end
+
+          handle_response(res)
+        end
+
+        def build_request(method, uri)
+          case method
+          when :get   then Net::HTTP::Get.new(uri)
+          when :post  then Net::HTTP::Post.new(uri)
+          when :put   then Net::HTTP::Put.new(uri)
+          when :patch then Net::HTTP::Patch.new(uri)
+          else
+            raise ArgumentError, "Unsupported HTTP method: #{method}"
+          end
+        end
+
+        def handle_response(res)
+          code = res.code.to_i
+          body =
+            if res.body.nil? || res.body.strip.empty?
+              {}
+            else
+              JSON.parse(res.body) rescue { "error" => res.body }
+            end
+        
+          case code
+          when 200..299
+            body
+        
+          when 403
+            if body.is_a?(Hash) && body.key?("error")
+              raise APIError.new(code, body["error"])
+            else
+              # Valid domain response (e.g. policy denied)
+              body
+            end
+        
+          when 202
+            # Queued for approval
+            body
+        
+          when 422
+            raise APIError.new(code, body["error"] || body)
+        
+          else
+            raise APIError.new(code, body["error"] || body)
+          end
+        end        
+      end
+
+      class APIError < StandardError
+        attr_reader :status
+
+        def initialize(status, message)
+          @status = status
+          super("API #{status}: #{message}")
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/base_cli.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+require "thor"
+require_relative "requests_cli"
+
+module Vkit
+  module CLI
+    class BaseCLI < Thor
+      def self.exit_on_failure?
+        true
+      end
+
+      # LOGIN
+      desc "login", "Authenticate with VaultKit control plane"
+      option :endpoint, type: :string
+      option :email, type: :string
+      def login
+        Commands::LoginCommand.new(
+          endpoint: options[:endpoint],
+          email: options[:email]
+        ).call
+      end
+
+      desc "whoami", "Show current identity"
+      def whoami
+        Commands::WhoamiCommand.new.call
+      end
+
+      desc "logout", "Clear stored credentials"
+      def logout
+        Commands::LogoutCommand.new.call
+      end
+
+      # REQUEST
+      desc "request", "Send an inline JSON AQL request (use --aql or pipe via STDIN)"
+      option :aql, type: :string, desc: "AQL JSON payload (inline)"
+      option :env, type: :string, default: "production"
+      option :requester_region, type: :string
+      option :dataset_region, type: :string
+      option :requester_clearance, type: :string, desc: "Clearance level (low/high/admin)"
+      option :format, type: :string, default: "table", enum: %w[json table]
+      def request
+        Commands::RequestCommand.new.call(options[:aql], options)
+      end
+
+      desc "requests SUBCOMMAND ...ARGS", "Manage request history"
+      subcommand "requests", Vkit::CLI::RequestsCLI
+
+      # APPROVALS
+      desc "approval:list", "List all approval requests"
+      option :state, type: :string, default: "pending", enum: %w[pending approved denied all]
+      define_method("approval:list") do
+        Commands::ApprovalCommand.new.call_list(state: options[:state])
+      end
+
+      desc "approval:approve ID", "Approve a pending request"
+      option :ttl, type: :numeric, default: 3600
+      define_method("approval:approve") do |id|
+        Commands::ApprovalCommand.new.call_approve(
+          id: id,
+          ttl_seconds: options[:ttl]
+        )
+      end
+
+      desc "approval:deny ID", "Deny a pending request"
+      option :reason, type: :string
+      define_method("approval:deny") do |id|
+        Commands::ApprovalCommand.new.call_deny(
+          id: id,
+          reason: options[:reason]
+        )
+      end
+
+      # FETCH
+      desc "fetch --grant ID", "Fetch data from Funl using a valid grant"
+      option :grant, type: :string, required: true
+      option :format, type: :string, default: "json", enum: %w[json table]
+      def fetch
+        Commands::FetchCommand.new.call(
+          grant_ref: options[:grant],
+          format: options[:format]
+        )
+      end
+
+      # DATASOURCE
+      desc "datasource SUBCOMMAND ...ARGS", "Manage datasources (admin only)"
+      subcommand "datasource", Class.new(Thor) {
+        desc "add", "Add a new datasource (admin only)"
+        option :id, required: true
+        option :engine, required: true
+        option :username, required: true
+        option :password, required: true
+        option :config, required: true
+
+        def add
+          Commands::DatasourceCommand.new.add(
+            id: options[:id],
+            engine: options[:engine],
+            username: options[:username],
+            password: options[:password],
+            config: options[:config]
+          )
+        end
+
+        desc "list", "List all datasources (admin only)"
+        def list
+          Commands::DatasourceCommand.new.list
+        end
+
+        desc "get ID", "Fetch a datasource by ID (admin only)"
+        def get(id)
+          Commands::DatasourceCommand.new.get(id)
+        end
+      }
+
+      # SCAN
+      desc "scan DATASOURCE", "Scan datasource and diff against registry"
+      option :mode, type: :string, default: "diff_only", enum: %w[diff_only apply]
+      def scan(datasource)
+        Commands::ScanCommand.new.call(
+          datasource,
+          mode: options[:mode]
+        )
+      end
+
+      # POLICY
+      desc "policy SUBCOMMAND ...ARGS", "Manage policy bundles"
+      subcommand "policy", Class.new(Thor) {
+
+        desc "bundle", "Compile YAML policies into a JSON policy bundle"
+        option :policies_dir, type: :string, default: "config/policies"
+        option :registry_dir, type: :string, default: "config"
+        option :out, type: :string, default: "dist/policy_bundle.json"
+        option :org, type: :string
+        option :version, type: :string
+
+        def bundle
+          Commands::PolicyBundleCommand.new.call(
+            policies_dir: options[:policies_dir],
+            registry_dir: options[:registry_dir],
+            out: options[:out],
+            org: options[:org],
+            version: options[:version]
+          )
+        end
+
+        desc "validate", "Validate a compiled policy bundle"
+        option :bundle, type: :string, default: "dist/policy_bundle.json"
+        option :schema, type: :string
+
+        def validate
+          Commands::PolicyValidateCommand.new.call(
+            bundle_path: options[:bundle],
+            schema_path: options[:schema]
+          )
+        end
+
+        desc "deploy", "Deploy a policy bundle to VaultKit"
+        option :bundle, type: :string, default: "dist/policy_bundle.json"
+        option :org, type: :string, required: true
+        option :activate, type: :boolean, default: true
+
+        def deploy
+          Commands::PolicyDeployCommand.new.call(
+            bundle_path: options[:bundle],
+            org: options[:org],
+            activate: options[:activate]
+          )
+        end
+      }
+    end
+  end
+end

data/lib/vkit/cli/commands/approval_command.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Vkit
+  module CLI
+    module Commands
+      class ApprovalCommand < BaseCommand
+        DEFAULT_TTL = 3600
+
+        def call_list(state: "pending")
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            rows = authenticated_client.get(
+              "/api/v1/orgs/#{org}/approvals?state=#{state}"
+            )
+
+            if rows.empty?
+              puts empty_message_for(state)
+              return
+            end
+
+            puts "📋 Approvals (#{rows.size}, state=#{state})"
+            rows.each do |r|
+              puts "─" * 60
+              puts "🆔  #{r["id"]}"
+              puts "📂  Dataset:    #{r["dataset"]}"
+              puts "📄  Fields:     #{Array(r["fields"]).join(', ')}"
+              puts "👤  Requester:  #{r["requester_email"]}"
+              puts "🔐  Required:   #{r["approver_role"] || 'n/a'}"
+              puts "⚙️   Status:     #{r["state"].capitalize}"
+              puts "🔑  Grant Ref:  #{r["grant_ref"] || 'n/a'}" if r["state"] == "approved"
+              puts "💬  Reason:     #{r["reason"]}"
+              puts "📅  Created:    #{r["created_at"]}"
+            end
+            puts "─" * 60
+          end
+        end
+
+        def call_approve(id:, ttl_seconds: DEFAULT_TTL)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            res = authenticated_client.post(
+              "/api/v1/orgs/#{org}/approvals/#{id}/approve",
+              body: { ttl_seconds: ttl_seconds }
+            )
+
+            puts "✅ Approved request #{id}"
+            puts "   → Grant Ref: #{res["grant_ref"] || res["grant_id"]}"
+            puts "   → Expires:   #{res["expires_at"]}"
+          end
+        end
+
+        def call_deny(id:, reason: nil)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            reason ||= prompt_reason
+            raise "Denial reason cannot be empty" if reason.to_s.empty?
+
+            authenticated_client.post(
+              "/api/v1/orgs/#{org}/approvals/#{id}/deny",
+              body: { reason: reason }
+            )
+
+            puts "🚫 Denied request #{id}"
+            puts "   → Reason: #{reason}"
+          end
+        end
+
+        private
+
+        def prompt_reason
+          print "Enter reason for denial: "
+          STDIN.gets&.strip
+        end
+
+        def empty_message_for(state)
+          case state
+          when "pending"  then "📭 No pending approvals."
+          when "approved" then "📭 No approved requests."
+          when "denied"   then "📭 No denied requests."
+          else                 "📭 No approvals found."
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/base_command.rb

@@ -0,0 +1,42 @@
+module Vkit
+  module CLI
+    module Commands
+      class BaseCommand
+        protected
+
+        def with_auth
+          return yield unless requires_auth?
+
+          store = credential_store
+
+          unless store.logged_in?
+            raise "Not logged in. Run `vkit login`."
+          end
+
+          yield
+        end
+
+        def authenticated_client
+          store = credential_store
+
+          if requires_auth? && !store.logged_in?
+            raise "Not logged in. Run `vkit login`."
+          end
+
+          Vkit::CLI::API::Client.new(
+            base_url: store.endpoint,
+            token: store.token
+          )
+        end
+
+        def requires_auth?
+          true
+        end
+
+        def credential_store
+          @credential_store ||= Vkit::Core::CredentialStore.new
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/datasource_command.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Vkit
+  module CLI
+    module Commands
+      class DatasourceCommand < BaseCommand
+        REDACT = "[REDACTED]"
+
+        def add(id:, engine:, username:, password:, config:)
+          with_auth do
+            user = require_admin!
+            org  = user["organization_slug"]
+
+            config_hash = config ? JSON.parse(config) : {}
+
+            response = authenticated_client.post(
+              "/api/v1/orgs/#{org}/datasources",
+              body: {
+                name: id,
+                engine: engine,
+                username: username,
+                password: password,
+                config: config_hash
+              }
+            )
+
+            puts "✅ Datasource created:"
+            print_datasource(response)
+          end
+        end
+
+        def list
+          with_auth do
+            user = require_admin!
+            org  = user["organization_slug"]
+
+            rows = authenticated_client.get(
+              "/api/v1/orgs/#{org}/datasources"
+            )
+
+            puts "📦 Datasources (#{rows.size}):"
+            rows.each do |ds|
+              print_datasource(ds)
+              puts "-" * 40
+            end
+          end
+        end
+
+        def get(name)
+          with_auth do
+            user = require_admin!
+            org  = user["organization_slug"]
+
+            ds = authenticated_client.get(
+              "/api/v1/orgs/#{org}/datasources/#{name}"
+            )
+
+            print_datasource(ds)
+          end
+        end
+
+        private
+
+        def require_admin!
+          user = credential_store.user
+          raise "Not logged in. Run: vkit login" unless user
+
+          unless user["role"] == "admin"
+            raise "⛔ Access denied: only admin users may manage datasources"
+          end
+
+          user
+        end
+
+        def print_datasource(ds)
+          puts JSON.pretty_generate(
+            {
+              name: ds["name"] || ds[:name],
+              engine: ds["engine"] || ds[:engine],
+              config: ds["config"] || ds[:config],
+              username: REDACT,
+              password: REDACT,
+              created_at: ds["created_at"] || ds[:created_at],
+              updated_at: ds["updated_at"] || ds[:updated_at]
+            }
+          )
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/fetch_command.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Vkit
+  module CLI
+    module Commands
+      class FetchCommand < BaseCommand
+        def call(grant_ref:, format: "json")
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            response = authenticated_client.post(
+              "/api/v1/orgs/#{org}/grants/#{grant_ref}/fetch",
+              body: {}
+            )
+
+            rows = response["rows"] || []
+            meta = response["meta"] || {}
+
+            print_result(rows, meta, format)
+          end
+        end
+
+        private
+
+        def print_result(rows, meta, format)
+          puts "✅ OK — #{rows.size} rows"
+
+          if meta.any?
+            puts "ℹ️  Query Metadata:"
+            puts JSON.pretty_generate(meta)
+          end
+
+          case format
+          when "json"
+            puts JSON.pretty_generate(rows)
+          when "table"
+            Vkit::Core::TableFormatter.render(rows)
+          else
+            raise "Unknown format: #{format}"
+          end
+        end
+      end
+    end
+  end
+end