vaultkit 0.1.0

Files changed (36)
  1. checksums.yaml +7 -0
  2. data/README.md +961 -0
  3. data/bin/funl +0 -0
  4. data/bin/vkit +30 -0
  5. data/lib/vkit/cli/api/client.rb +115 -0
  6. data/lib/vkit/cli/base_cli.rb +173 -0
  7. data/lib/vkit/cli/commands/approval_command.rb +94 -0
  8. data/lib/vkit/cli/commands/base_command.rb +42 -0
  9. data/lib/vkit/cli/commands/datasource_command.rb +93 -0
  10. data/lib/vkit/cli/commands/fetch_command.rb +48 -0
  11. data/lib/vkit/cli/commands/login_command.rb +136 -0
  12. data/lib/vkit/cli/commands/logout_command.rb +12 -0
  13. data/lib/vkit/cli/commands/policy_bundle_command.rb +62 -0
  14. data/lib/vkit/cli/commands/policy_deploy_command.rb +32 -0
  15. data/lib/vkit/cli/commands/policy_validate_command.rb +31 -0
  16. data/lib/vkit/cli/commands/request_command.rb +102 -0
  17. data/lib/vkit/cli/commands/requests_list_command.rb +47 -0
  18. data/lib/vkit/cli/commands/scan_command.rb +47 -0
  19. data/lib/vkit/cli/commands/whoami_command.rb +14 -0
  20. data/lib/vkit/cli/commands.rb +5 -0
  21. data/lib/vkit/cli/errors.rb +6 -0
  22. data/lib/vkit/cli/policy_bundle_validator.rb +71 -0
  23. data/lib/vkit/cli/requests_cli.rb +23 -0
  24. data/lib/vkit/cli.rb +4 -0
  25. data/lib/vkit/core/auth_client.rb +104 -0
  26. data/lib/vkit/core/credential_resolver.rb +37 -0
  27. data/lib/vkit/core/credential_store.rb +186 -0
  28. data/lib/vkit/core/table_formatter.rb +36 -0
  29. data/lib/vkit/policy/bundle_compiler.rb +154 -0
  30. data/lib/vkit/policy/schema/policy_bundle.schema.json +296 -0
  31. data/lib/vkit/policy/validate_bundle.rb +37 -0
  32. data/lib/vkit/utils/banner.rb +0 -0
  33. data/lib/vkit/utils/config_loader.rb +0 -0
  34. data/lib/vkit/utils/logger.rb +0 -0
  35. data/lib/vkit.rb +3 -0
  36. metadata +94 -0
@@ -0,0 +1,296 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://vaultkit.io/schemas/policy-bundle.schema.json",
4
+ "title": "VaultKit Policy Bundle",
5
+ "description": "Canonical, versioned bundle of datasets, datasources, and policies compiled from human-authored VaultKit policy templates.",
6
+ "type": "object",
7
+ "required": ["bundle", "registry", "policies"],
8
+ "additionalProperties": false,
9
+
10
+ "properties": {
11
+ "bundle": {
12
+ "type": "object",
13
+ "description": "Bundle metadata and provenance information.",
14
+ "required": [
15
+ "format_version",
16
+ "org_slug",
17
+ "bundle_version",
18
+ "created_at",
19
+ "source",
20
+ "checksum"
21
+ ],
22
+ "additionalProperties": false,
23
+ "properties": {
24
+ "format_version": {
25
+ "type": "string",
26
+ "pattern": "^v\\d+$",
27
+ "description": "Policy bundle format version."
28
+ },
29
+ "org_slug": {
30
+ "type": "string",
31
+ "minLength": 1
32
+ },
33
+ "bundle_version": {
34
+ "type": "string",
35
+ "minLength": 1
36
+ },
37
+ "created_at": {
38
+ "type": "string",
39
+ "format": "date-time"
40
+ },
41
+ "checksum": {
42
+ "type": "string",
43
+ "pattern": "^[a-f0-9]{64}$",
44
+ "description": "SHA-256 checksum of the canonicalized bundle."
45
+ },
46
+ "source": {
47
+ "type": "object",
48
+ "required": ["type"],
49
+ "additionalProperties": false,
50
+ "properties": {
51
+ "type": {
52
+ "type": "string",
53
+ "enum": ["git"]
54
+ },
55
+ "repo": { "type": "string" },
56
+ "ref": { "type": "string" },
57
+ "commit_sha": {
58
+ "type": "string",
59
+ "pattern": "^[a-f0-9]{7,40}$"
60
+ }
61
+ }
62
+ },
63
+ "compat": {
64
+ "type": "object",
65
+ "additionalProperties": false,
66
+ "properties": {
67
+ "min_control_plane": { "type": "string" },
68
+ "max_control_plane": { "type": "string" }
69
+ }
70
+ }
71
+ }
72
+ },
73
+
74
+ "registry": {
75
+ "type": "object",
76
+ "description": "Dataset and datasource registry used during policy evaluation.",
77
+ "required": ["datasets"],
78
+ "additionalProperties": false,
79
+ "properties": {
80
+ "datasets": {
81
+ "type": "array",
82
+ "minItems": 1,
83
+ "items": {
84
+ "type": "object",
85
+ "required": ["name", "datasource", "fields"],
86
+ "additionalProperties": false,
87
+ "properties": {
88
+ "name": { "type": "string", "minLength": 1 },
89
+ "datasource": { "type": "string", "minLength": 1 },
90
+ "fields": {
91
+ "type": "array",
92
+ "minItems": 1,
93
+ "items": {
94
+ "type": "object",
95
+ "required": ["name"],
96
+ "additionalProperties": false,
97
+ "properties": {
98
+ "name": { "type": "string", "minLength": 1 },
99
+ "type": { "type": ["string", "null"] },
100
+ "sensitivity": { "type": ["string", "null"] },
101
+ "tags": {
102
+ "type": "array",
103
+ "items": { "type": "string" }
104
+ }
105
+ }
106
+ }
107
+ }
108
+ }
109
+ }
110
+ },
111
+
112
+ "datasources": {
113
+ "type": "array",
114
+ "description": "Logical datasource definitions referenced by datasets.",
115
+ "items": {
116
+ "type": "object",
117
+ "required": ["name", "type"],
118
+ "additionalProperties": false,
119
+ "properties": {
120
+ "name": { "type": "string" },
121
+ "type": {
122
+ "type": "string",
123
+ "enum": [
124
+ "postgres",
125
+ "snowflake",
126
+ "bigquery",
127
+ "mysql",
128
+ "mongo",
129
+ "elasticsearch",
130
+ "http_api"
131
+ ]
132
+ },
133
+ "config": {
134
+ "type": "object",
135
+ "additionalProperties": true
136
+ }
137
+ }
138
+ }
139
+ }
140
+ }
141
+ },
142
+
143
+ "policies": {
144
+ "type": "array",
145
+ "minItems": 1,
146
+ "description": "Ordered list of compiled policy rules.",
147
+ "items": {
148
+ "type": "object",
149
+ "required": ["id", "description", "match", "action"],
150
+ "additionalProperties": false,
151
+
152
+ "properties": {
153
+ "id": {
154
+ "type": "string",
155
+ "minLength": 1
156
+ },
157
+ "description": {
158
+ "type": "string"
159
+ },
160
+
161
+ "match": {
162
+ "type": "object",
163
+ "description": "Data matching conditions. If dataset is omitted, policy applies globally.",
164
+ "additionalProperties": false,
165
+ "properties": {
166
+ "dataset": {
167
+ "type": "string",
168
+ "description": "Optional. If omitted, policy applies to all datasets."
169
+ },
170
+ "fields": {
171
+ "type": "object",
172
+ "additionalProperties": false,
173
+ "properties": {
174
+ "any": {
175
+ "type": "array",
176
+ "items": { "type": "string" }
177
+ },
178
+ "all": {
179
+ "type": "array",
180
+ "items": { "type": "string" }
181
+ },
182
+ "sensitivity": {
183
+ "type": ["string", "null"]
184
+ },
185
+ "category": {
186
+ "type": ["string", "null"]
187
+ },
188
+ "contains": {
189
+ "type": "array",
190
+ "items": { "type": "string" }
191
+ }
192
+ }
193
+ },
194
+ "context": {
195
+ "type": "object",
196
+ "description": "Static context constraints evaluated as part of matching.",
197
+ "additionalProperties": false,
198
+ "properties": {
199
+ "requester_role": { "type": ["string", "null"] },
200
+ "requester_region": { "type": ["string", "null"] },
201
+ "dataset_region": { "type": ["string", "null"] }
202
+ }
203
+ }
204
+ }
205
+ },
206
+
207
+ "when": {
208
+ "type": "object",
209
+ "description": "Runtime context constraints evaluated at request time.",
210
+ "additionalProperties": false,
211
+ "properties": {
212
+ "requester_role": { "type": ["string", "null"] },
213
+ "requester_clearance": { "type": ["string", "integer", "null"] },
214
+ "requester_region": { "type": ["string", "null"] },
215
+ "dataset_region": { "type": ["string", "null"] },
216
+ "environment": { "type": ["string", "null"] },
217
+ "time": {
218
+ "type": "object",
219
+ "additionalProperties": false,
220
+ "properties": {
221
+ "after": {
222
+ "type": "string",
223
+ "pattern": "^\\d{2}:\\d{2}$"
224
+ },
225
+ "before": {
226
+ "type": "string",
227
+ "pattern": "^\\d{2}:\\d{2}$"
228
+ }
229
+ }
230
+ }
231
+ }
232
+ },
233
+
234
+ "action": {
235
+ "type": "string",
236
+ "enum": ["deny", "allow", "mask", "require_approval"]
237
+ },
238
+
239
+ "ttl_seconds": {
240
+ "type": ["string", "integer", "null"],
241
+ "description": "TTL for grants (e.g. 1h, 30m, or seconds)."
242
+ },
243
+
244
+ "reason": {
245
+ "type": ["string", "null"]
246
+ },
247
+
248
+ "masking": {
249
+ "type": "object",
250
+ "additionalProperties": false,
251
+ "properties": {
252
+ "fields": {
253
+ "type": "array",
254
+ "items": {
255
+ "type": "object",
256
+ "required": ["name", "method"],
257
+ "additionalProperties": false,
258
+ "properties": {
259
+ "name": { "type": "string" },
260
+ "method": {
261
+ "type": "string",
262
+ "enum": ["redact", "hash", "truncate", "nullify"]
263
+ }
264
+ }
265
+ }
266
+ }
267
+ }
268
+ },
269
+
270
+ "approval": {
271
+ "type": "object",
272
+ "additionalProperties": false,
273
+ "properties": {
274
+ "approver_role": { "type": "string" }
275
+ }
276
+ },
277
+
278
+ "priority": {
279
+ "type": ["integer", "null"]
280
+ }
281
+ }
282
+ }
283
+ },
284
+
285
+ "signing": {
286
+ "type": ["object", "null"],
287
+ "description": "Optional cryptographic signature over the bundle.",
288
+ "additionalProperties": false,
289
+ "properties": {
290
+ "alg": { "type": "string" },
291
+ "key_id": { "type": "string" },
292
+ "signature": { "type": "string" }
293
+ }
294
+ }
295
+ }
296
+ }
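Review bot: The `signing` block at the end of the schema validates as `null`, as `{}`, or with any free-form `alg`, because it has no `required` list and `alg` is an unconstrained string, so a bundle can pass validation while carrying no usable signature. The `checksum` in `bundle` travels inside the document it covers, so on its own it detects corruption rather than tampering; whether the control plane enforces signatures separately is not visible here. I would add `"required": ["alg", "key_id", "signature"]` to `signing` and restrict `alg` to an `enum` of the algorithms the verifier actually accepts. The policy items have the same kind of gap: `"action": "mask"` validates without a `masking` block and `"require_approval"` without `approval`, which an `if`/`then` pair per action would close.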
@@ -0,0 +1,37 @@
1
+ require "json"
2
+ require "json_schemer"
3
+
4
+ module Vkit
5
+ module Policy
6
+ class ValidateBundle
7
+ def self.call!(bundle_path:, schema_path:)
8
+ bundle_path = File.expand_path(bundle_path)
9
+ schema_path = File.expand_path(schema_path)
10
+
11
+ raise "Bundle not found: #{bundle_path}" unless File.exist?(bundle_path)
12
+ raise "Schema not found: #{schema_path}" unless File.exist?(schema_path)
13
+
14
+ bundle = JSON.parse(File.read(bundle_path))
15
+ schema = JSON.parse(File.read(schema_path))
16
+
17
+ schemer = JSONSchemer.schema(schema)
18
+ errors = schemer.validate(bundle).to_a
19
+
20
+ if errors.any?
21
+ raise ValidationError.new(errors)
22
+ end
23
+
24
+ true
25
+ end
26
+
27
+ class ValidationError < StandardError
28
+ attr_reader :errors
29
+
30
+ def initialize(errors)
31
+ @errors = errors
32
+ super("Bundle schema validation failed")
33
+ end
34
+ end
35
+ end
36
+ end
37
+ end
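Review bot: `require "json_schemer"` on line 2 pulls in a gem the package does not declare: the `dependencies` list in the gem metadata shown on this page contains only `thor ~> 1.2`. On a clean install that is a LoadError as soon as this file is required, and where the require succeeds the version is whatever already sits in the environment, so the check that gates policy bundles runs on an unpinned library. Declare it in the gemspec with a bounded constraint, e.g. `spec.add_dependency "json_schemer", "<tested version constraint>"`. Other files of the gem are not visible here and may have the same gap.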
File without changes
File without changes
File without changes
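--- a/data/lib/vkit.rb
+++ b/data/lib/vkit.rb
@@ -0,0 +1,3 @@
+ module Vkit; end
+
+ require_relative "vkit/cli.rb"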
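--- a/metadata
+++ b/metadata
@@ -0,0 +1,94 @@
+ --- !ruby/object:Gem::Specification
+ name: vaultkit
+ version: !ruby/object:Gem::Version
+ version: 0.1.0
+ platform: ruby
+ authors:
+ - Nnamdi Ogundu
+ autorequire:
+ bindir: bin
+ cert_chain: []
+ date: 2026-01-03 00:00:00.000000000 Z
+ dependencies:
+ - !ruby/object:Gem::Dependency
+ name: thor
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - "~>"
+ - !ruby/object:Gem::Version
+ version: '1.2'
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - "~>"
+ - !ruby/object:Gem::Version
+ version: '1.2'
+ description: Command-line interface for interacting with the VaultKit control plane
+ email:
+ - founders@vaultkit.io
+ executables:
+ - vkit
+ extensions: []
+ extra_rdoc_files: []
+ files:
+ - README.md
+ - bin/funl
+ - bin/vkit
+ - lib/vkit.rb
+ - lib/vkit/cli.rb
+ - lib/vkit/cli/api/client.rb
+ - lib/vkit/cli/base_cli.rb
+ - lib/vkit/cli/commands.rb
+ - lib/vkit/cli/commands/approval_command.rb
+ - lib/vkit/cli/commands/base_command.rb
+ - lib/vkit/cli/commands/datasource_command.rb
+ - lib/vkit/cli/commands/fetch_command.rb
+ - lib/vkit/cli/commands/login_command.rb
+ - lib/vkit/cli/commands/logout_command.rb
+ - lib/vkit/cli/commands/policy_bundle_command.rb
+ - lib/vkit/cli/commands/policy_deploy_command.rb
+ - lib/vkit/cli/commands/policy_validate_command.rb
+ - lib/vkit/cli/commands/request_command.rb
+ - lib/vkit/cli/commands/requests_list_command.rb
+ - lib/vkit/cli/commands/scan_command.rb
+ - lib/vkit/cli/commands/whoami_command.rb
+ - lib/vkit/cli/errors.rb
+ - lib/vkit/cli/policy_bundle_validator.rb
+ - lib/vkit/cli/requests_cli.rb
+ - lib/vkit/core/auth_client.rb
+ - lib/vkit/core/credential_resolver.rb
+ - lib/vkit/core/credential_store.rb
+ - lib/vkit/core/table_formatter.rb
+ - lib/vkit/policy/bundle_compiler.rb
+ - lib/vkit/policy/schema/policy_bundle.schema.json
+ - lib/vkit/policy/validate_bundle.rb
+ - lib/vkit/utils/banner.rb
+ - lib/vkit/utils/config_loader.rb
+ - lib/vkit/utils/logger.rb
+ homepage: https://vaultkit.io
+ licenses:
+ - Proprietary
+ metadata:
+ rubygems_mfa_required: 'true'
+ source_code_uri: https://github.com/ndbaba1/vaultkitcli
+ post_install_message:
+ rdoc_options: []
+ require_paths:
+ - lib
+ required_ruby_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '3.0'
+ required_rubygems_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ requirements: []
+ rubygems_version: 3.3.3
+ signing_key:
+ specification_version: 4
+ summary: VaultKit CLI
+ test_files: []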