vaultkit 0.1.0

data/lib/vkit/cli/commands/login_command.rb

@@ -0,0 +1,136 @@
+require "io/console"
+require_relative "../../core/auth_client"
+require_relative "../../core/credential_store"
+require "base64"
+require "json"
+
+module Vkit
+  module CLI
+    module Commands
+      class LoginCommand < BaseCommand
+        def requires_auth?
+          false
+        end
+
+        def initialize(endpoint: nil, email: nil)
+          @endpoint = endpoint
+          @email = email
+        end
+
+        def call
+          endpoint =
+            @endpoint ||
+            ENV["VKIT_ENDPOINT"] ||
+            credential_store.endpoint ||
+            prompt("VaultKit Control Plane URL")
+          client = Vkit::Core::AuthClient.new(base_url: endpoint)
+
+          discovery = client.discover
+          auth = discovery["preferred"]
+
+          result =
+            case auth
+            when "oidc"
+              oidc_flow(client, discovery["oidc"]["login_url"])
+            when "password"
+              password_flow(client)
+            when "token"
+              token_flow(client)
+            else
+              raise "Unsupported auth mode: #{auth}"
+            end
+
+          store = Vkit::Core::CredentialStore.new
+          store.save(
+            endpoint: endpoint,
+            token: result[:token],
+            user: result[:user]
+          )
+
+          puts "✅ Logged in as #{result[:user]['email']}"
+        rescue => e
+          puts "❌ Login failed: #{e.message}"
+          exit 1
+        end
+
+        private
+
+        def oidc_flow(client, login_url)
+          start = client.start_cli_login
+          poll_token = start["poll_token"]
+
+          open_browser(login_url)
+          puts "⏳ Waiting for authentication to complete..."
+
+          loop do
+            res = client.poll_cli_login(poll_token)
+
+            case res.code.to_i
+            when 204
+              sleep 2
+              next
+            when 200
+              body = JSON.parse(res.body)
+              return {
+                token: body["token"],
+                user: body["user"]
+              }
+            when 410
+              raise "Login session expired"
+            when 404
+              raise "Invalid login session"
+            else
+              raise "Unexpected response: #{res.code}"
+            end
+          end
+        end
+
+        def password_flow(client)
+          email = @email || prompt("Email")
+          password = prompt_password("Password")
+
+          res = client.password_login(email: email, password: password)
+
+          {
+            token: res[:token],
+            user: res[:user]
+          }
+        end
+
+        def token_flow(client)
+          token = ENV["VAULTKIT_TOKEN"] || prompt_password("API Token")
+          user = client.whoami(token)
+
+          {
+            token: token,
+            user: user
+          }
+        end
+
+        def prompt(label)
+          print "#{label}: "
+          STDIN.gets.strip
+        end
+
+        def prompt_password(label)
+          print "#{label}: "
+          STDIN.noecho(&:gets).to_s.strip.tap { puts }
+        end
+
+        def open_browser(url)
+          os = RbConfig::CONFIG["host_os"]
+
+          if os =~ /darwin/
+            system("open", url)
+          elsif os =~ /linux/
+            system("xdg-open", url)
+          elsif os =~ /mswin|mingw|cygwin/
+            system("start", url)
+          else
+            puts "Open this URL in your browser:\n#{url}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/logout_command.rb

@@ -0,0 +1,12 @@
+module Vkit
+  module CLI
+    module Commands
+      class LogoutCommand < BaseCommand
+        def call
+          credential_store.clear_token!
+          puts "🧹 Logged out"
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_bundle_command.rb

@@ -0,0 +1,62 @@
+require "json"
+require_relative "../../policy/bundle_compiler"
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyBundleCommand
+        def call(policies_dir:, registry_dir:, out:, org:, version:)
+          policies_dir = File.expand_path(policies_dir)
+          registry_dir = File.expand_path(registry_dir)
+          out          = File.expand_path(out)
+
+          raise "Policies dir not found: #{policies_dir}" unless Dir.exist?(policies_dir)
+          raise "Registry dir not found: #{registry_dir}" unless Dir.exist?(registry_dir)
+
+          version ||= git_sha
+
+          bundle = Vkit::Policy::BundleCompiler.compile!(
+            org_slug: org || "unknown",
+            bundle_version: version,
+            policies_dir: policies_dir,
+            registry_dir: registry_dir,
+            source: {
+              repo: git_repo,
+              ref: git_ref,
+              commit_sha: version
+            }
+          )
+
+          FileUtils.mkdir_p(File.dirname(out))
+          File.write(out, JSON.pretty_generate(bundle))
+
+          puts "✅ Policy bundle created"
+          puts "   Org:     #{bundle.dig("bundle", "org_slug")}"
+          puts "   Version: #{bundle.dig("bundle", "bundle_version")}"
+          puts "   Checksum: #{bundle.dig("bundle", "checksum")}"
+          puts "   Output:  #{out}"
+        end
+
+        private
+
+        def git_sha
+          `git rev-parse HEAD`.strip
+        rescue
+          Time.now.to_i.to_s
+        end
+
+        def git_repo
+          `git config --get remote.origin.url`.strip
+        rescue
+          nil
+        end
+
+        def git_ref
+          `git rev-parse --abbrev-ref HEAD`.strip
+        rescue
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_deploy_command.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyDeployCommand < BaseCommand
+        def call(bundle_path:, org:, activate:)
+          with_auth do
+            bundle_path = File.expand_path(bundle_path)
+            raise "Bundle not found: #{bundle_path}" unless File.exist?(bundle_path)
+
+            bundle = JSON.parse(File.read(bundle_path))
+
+            response = authenticated_client.post(
+              "/api/v1/orgs/#{org}/policy_bundles",
+              body: {
+                bundle: bundle,
+                activate: activate
+              }
+            )
+
+            puts "🚀 Policy bundle deployed"
+            puts "   Version: #{response['bundle_version']}"
+            puts "   State:   #{response['state']}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_validate_command.rb

@@ -0,0 +1,31 @@
+require_relative "../policy_bundle_validator"
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyValidateCommand
+        def call(bundle_path:, schema_path:)
+          bundle_path = File.expand_path(bundle_path)
+          raise "Bundle not found: #{bundle_path}" unless File.exist?(bundle_path)
+        
+          schema_path ||= default_schema_path
+          raise "Schema not found: #{schema_path}" unless File.exist?(schema_path)
+        
+          validator = Vkit::CLI::PolicyBundleValidator.new(
+            schema_path: schema_path
+          )
+        
+          validator.validate!(bundle_path)
+        
+          puts "✅ Policy bundle is valid"
+        end        
+
+        private
+
+        def default_schema_path
+          File.expand_path("../../policy/schema/policy_bundle.schema.json", __dir__)
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/request_command.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require "json"
+require "time"
+require_relative "../../core/table_formatter"
+
+module Vkit
+  module CLI
+    module Commands
+      class RequestCommand < BaseCommand
+        def call(aql_str, options)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            aql =
+              if aql_str&.strip&.length&.positive?
+                JSON.parse(aql_str)
+              else
+                JSON.parse(STDIN.read)
+              end
+
+            response = authenticated_client.post(
+              "/api/v1/orgs/#{org}/requests",
+              body: {
+                aql: aql,
+                options: {
+                  environment: options[:env],
+                  requester_region: options[:requester_region],
+                  dataset_region: options[:dataset_region],
+                  requester_clearance: options[:requester_clearance],
+                  datasource: options[:datasource]
+                }.compact
+              }
+            )
+
+            handle_result(response, options)
+          end
+        rescue JSON::ParserError
+          raise "Invalid JSON AQL"
+        end
+
+        private
+
+        def handle_result(result, options)
+          status = result["status"]
+
+          if options[:format] == "json"
+            puts JSON.pretty_generate(result)
+            exit status == "denied" ? 2 : 0
+          end
+
+          case status
+          when "denied"
+            puts "❌ DENIED"
+            puts "Reason: #{result["reason"]}"
+            exit 2
+
+          when "queued"
+            puts "⏳ QUEUED for approval"
+            puts "Request ID: #{result["request_id"]}"
+            exit 0
+
+          when "granted"
+            expires_at = Time.parse(result["expires_at"]).getlocal
+
+            puts "✅ ACCESS GRANTED"
+            puts "Grant ID: #{result["grant_id"]}"
+            puts "Expires: #{expires_at.strftime("%Y-%m-%d %H:%M:%S %Z")}"
+
+            if (mask = result["masked_fields"]) && mask.any?
+              puts "Masked Fields: #{mask.join(', ')}"
+            else
+              puts "Masked Fields: none"
+            end
+
+            puts
+            puts "To execute and retrieve the data, run:"
+            puts "   vkit fetch --grant #{result["grant_ref"] || result["grant_id"]}"
+            exit 0
+
+          when "ok"
+            rows = result["rows"] || []
+
+            puts "✅ OK — #{rows.size} rows"
+            puts "ℹ️  Query Metadata:"
+            puts JSON.pretty_generate(result["meta"] || {})
+            puts
+            puts "ℹ️  Data Rows:"
+            Vkit::Core::TableFormatter.render(rows)
+            exit 0
+
+          else
+            puts "❓ Unexpected response:"
+            puts result.inspect
+            exit 1
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/requests_list_command.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "json"
+require_relative "../../core/table_formatter"
+
+module Vkit
+  module CLI
+    module Commands
+      class RequestsListCommand < BaseCommand
+        def call(state:, format:)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            params = {}
+            params[:state] = state unless state == "all"
+
+            response = authenticated_client.get(
+              "/api/v1/orgs/#{org}/requests",
+              params: params
+            )
+
+            render(response, format)
+          end
+        end
+
+        private
+
+        def render(rows, format)
+          if rows.empty?
+            puts "📭 No requests found"
+            return
+          end
+
+          case format
+          when "json"
+            puts JSON.pretty_generate(rows)
+          when "table"
+            Vkit::Core::TableFormatter.render(rows)
+          else
+            raise "Unknown format: #{format}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/scan_command.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Vkit
+  module CLI
+    module Commands
+      class ScanCommand < BaseCommand
+        def call(datasource_name, mode: "diff_only")
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            puts "🔍 Running scan for datasource '#{datasource_name}' (mode=#{mode})..."
+
+            response = authenticated_client.post(
+              "/api/v1/orgs/#{org}/datasources/#{datasource_name}/scan",
+              body: {
+                datasource: datasource_name,
+                mode: mode
+              }
+            )
+
+            puts "✅ Scan completed"
+            puts "🆔 Scan ID: #{response["scan_id"]}"
+            puts "📌 Mode: #{response["mode"]}"
+
+            diff = response["diff"] || {}
+
+            if diff.empty?
+              puts "✨ No changes detected"
+            else
+              puts "📐 Registry diff:"
+              puts "─" * 50
+              puts JSON.pretty_generate(diff)
+              puts "─" * 50
+            end
+
+            if response.key?("applied")
+              puts response["applied"] ? "✅ Changes applied" : "ℹ️ Changes not applied"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/whoami_command.rb

@@ -0,0 +1,14 @@
+module Vkit
+  module CLI
+    module Commands
+      class WhoamiCommand < BaseCommand
+        def call
+          with_auth do
+            user = credential_store.user
+            puts "👤 #{user['email']} (role: #{user['role']}, org: #{user['organization_slug']})"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands.rb

@@ -0,0 +1,5 @@
+require_relative "commands/base_command"
+
+Dir[File.join(__dir__, "commands", "*.rb")].each do |file|
+  require_relative file.sub("#{__dir__}/", "")
+end

data/lib/vkit/cli/errors.rb

@@ -0,0 +1,6 @@
+module Vkit
+  module CLI
+    class Error < StandardError; end
+    class ConfigError < Error; end
+  end
+end

data/lib/vkit/cli/policy_bundle_validator.rb

@@ -0,0 +1,71 @@
+require "json"
+require "json_schemer"
+
+module Vkit
+  module CLI
+    class PolicyBundleValidator
+      def initialize(schema_path:)
+        @schema = JSON.parse(File.read(schema_path))
+        @schemer = JSONSchemer.schema(@schema)
+      end
+
+      def validate!(bundle_path)
+        bundle = JSON.parse(File.read(bundle_path))
+        errors = @schemer.validate(bundle).to_a
+
+        return if errors.empty?
+
+        puts "\n❌ Policy bundle validation failed\n\n"
+
+        errors.each do |err|
+          puts format_error(err, bundle)
+        end
+
+        puts "\nFix the errors above and re-run validation."
+        exit 1
+      end
+
+      private
+
+      def format_error(err, bundle)
+        pointer = err["data_pointer"]
+        policy = policy_from_pointer(pointer, bundle)
+
+        msg = []
+        msg << "Policy: #{policy || 'global'}"
+        msg << "Path: #{human_path(pointer)}"
+        msg << "Error: #{human_message(err)}"
+
+        msg.join("\n  ")
+      end
+
+      def policy_from_pointer(pointer, bundle)
+        return nil unless pointer =~ %r{/policies/(\d+)}
+
+        index = Regexp.last_match(1).to_i
+        bundle.dig("policies", index, "id")
+      end
+
+      def human_path(pointer)
+        pointer
+          .gsub("/", ".")
+          .sub(".", "")
+          .gsub(/\.(\d+)/, '[\1]')
+      end
+
+      def human_message(err)
+        case err["error"]
+        when /missing required properties/
+          missing = err.dig("details", "missing_keys")&.join(", ")
+          "Missing required field(s): #{missing}"
+        when /disallowed additional property/
+          "This field is not allowed in the compiled policy bundle"
+        when /type/
+          "Invalid value type"
+        else
+          err["error"]
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/requests_cli.rb

@@ -0,0 +1,23 @@
+module Vkit
+  module CLI
+    class RequestsCLI < Thor
+      desc "list", "List your past requests"
+      option :state,
+             type: :string,
+             default: "all",
+             enum: %w[all pending approved denied]
+
+      option :format,
+             type: :string,
+             default: "table",
+             enum: %w[json table]
+
+      def list
+        Commands::RequestsListCommand.new.call(
+          state: options[:state],
+          format: options[:format]
+        )
+      end
+    end
+  end
+end

data/lib/vkit/cli.rb

@@ -0,0 +1,4 @@
+require "thor"
+
+require_relative "cli/commands"
+require_relative "cli/base_cli"