vaultkit 0.1.0

data/lib/vkit/policy/schema/policy_bundle.schema.json

@@ -0,0 +1,296 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://vaultkit.io/schemas/policy-bundle.schema.json",
+  "title": "VaultKit Policy Bundle",
+  "description": "Canonical, versioned bundle of datasets, datasources, and policies compiled from human-authored VaultKit policy templates.",
+  "type": "object",
+  "required": ["bundle", "registry", "policies"],
+  "additionalProperties": false,
+
+  "properties": {
+    "bundle": {
+      "type": "object",
+      "description": "Bundle metadata and provenance information.",
+      "required": [
+        "format_version",
+        "org_slug",
+        "bundle_version",
+        "created_at",
+        "source",
+        "checksum"
+      ],
+      "additionalProperties": false,
+      "properties": {
+        "format_version": {
+          "type": "string",
+          "pattern": "^v\\d+$",
+          "description": "Policy bundle format version."
+        },
+        "org_slug": {
+          "type": "string",
+          "minLength": 1
+        },
+        "bundle_version": {
+          "type": "string",
+          "minLength": 1
+        },
+        "created_at": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "checksum": {
+          "type": "string",
+          "pattern": "^[a-f0-9]{64}$",
+          "description": "SHA-256 checksum of the canonicalized bundle."
+        },
+        "source": {
+          "type": "object",
+          "required": ["type"],
+          "additionalProperties": false,
+          "properties": {
+            "type": {
+              "type": "string",
+              "enum": ["git"]
+            },
+            "repo": { "type": "string" },
+            "ref": { "type": "string" },
+            "commit_sha": {
+              "type": "string",
+              "pattern": "^[a-f0-9]{7,40}$"
+            }
+          }
+        },
+        "compat": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "min_control_plane": { "type": "string" },
+            "max_control_plane": { "type": "string" }
+          }
+        }
+      }
+    },
+
+    "registry": {
+      "type": "object",
+      "description": "Dataset and datasource registry used during policy evaluation.",
+      "required": ["datasets"],
+      "additionalProperties": false,
+      "properties": {
+        "datasets": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "object",
+            "required": ["name", "datasource", "fields"],
+            "additionalProperties": false,
+            "properties": {
+              "name": { "type": "string", "minLength": 1 },
+              "datasource": { "type": "string", "minLength": 1 },
+              "fields": {
+                "type": "array",
+                "minItems": 1,
+                "items": {
+                  "type": "object",
+                  "required": ["name"],
+                  "additionalProperties": false,
+                  "properties": {
+                    "name": { "type": "string", "minLength": 1 },
+                    "type": { "type": ["string", "null"] },
+                    "sensitivity": { "type": ["string", "null"] },
+                    "tags": {
+                      "type": "array",
+                      "items": { "type": "string" }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+    
+        "datasources": {
+          "type": "array",
+          "description": "Logical datasource definitions referenced by datasets.",
+          "items": {
+            "type": "object",
+            "required": ["name", "type"],
+            "additionalProperties": false,
+            "properties": {
+              "name": { "type": "string" },
+              "type": {
+                "type": "string",
+                "enum": [
+                  "postgres",
+                  "snowflake",
+                  "bigquery",
+                  "mysql",
+                  "mongo",
+                  "elasticsearch",
+                  "http_api"
+                ]
+              },
+              "config": {
+                "type": "object",
+                "additionalProperties": true
+              }
+            }
+          }
+        }
+      }
+    },    
+
+    "policies": {
+      "type": "array",
+      "minItems": 1,
+      "description": "Ordered list of compiled policy rules.",
+      "items": {
+        "type": "object",
+        "required": ["id", "description", "match", "action"],
+        "additionalProperties": false,
+
+        "properties": {
+          "id": {
+            "type": "string",
+            "minLength": 1
+          },
+          "description": {
+            "type": "string"
+          },
+
+          "match": {
+            "type": "object",
+            "description": "Data matching conditions. If dataset is omitted, policy applies globally.",
+            "additionalProperties": false,
+            "properties": {
+              "dataset": {
+                "type": "string",
+                "description": "Optional. If omitted, policy applies to all datasets."
+              },
+              "fields": {
+                "type": "object",
+                "additionalProperties": false,
+                "properties": {
+                  "any": {
+                    "type": "array",
+                    "items": { "type": "string" }
+                  },
+                  "all": {
+                    "type": "array",
+                    "items": { "type": "string" }
+                  },
+                  "sensitivity": {
+                    "type": ["string", "null"]
+                  },
+                  "category": {
+                    "type": ["string", "null"]
+                  },
+                  "contains": {
+                    "type": "array",
+                    "items": { "type": "string" }
+                  }
+                }
+              },
+              "context": {
+                "type": "object",
+                "description": "Static context constraints evaluated as part of matching.",
+                "additionalProperties": false,
+                "properties": {
+                  "requester_role": { "type": ["string", "null"] },
+                  "requester_region": { "type": ["string", "null"] },
+                  "dataset_region": { "type": ["string", "null"] }
+                }
+              }
+            }
+          },
+
+          "when": {
+            "type": "object",
+            "description": "Runtime context constraints evaluated at request time.",
+            "additionalProperties": false,
+            "properties": {
+              "requester_role": { "type": ["string", "null"] },
+              "requester_clearance": { "type": ["string", "integer", "null"] },
+              "requester_region": { "type": ["string", "null"] },
+              "dataset_region": { "type": ["string", "null"] },
+              "environment": { "type": ["string", "null"] },
+              "time": {
+                "type": "object",
+                "additionalProperties": false,
+                "properties": {
+                  "after": {
+                    "type": "string",
+                    "pattern": "^\\d{2}:\\d{2}$"
+                  },
+                  "before": {
+                    "type": "string",
+                    "pattern": "^\\d{2}:\\d{2}$"
+                  }
+                }
+              }
+            }
+          },
+
+          "action": {
+            "type": "string",
+            "enum": ["deny", "allow", "mask", "require_approval"]
+          },
+
+          "ttl_seconds": {
+            "type": ["string", "integer", "null"],
+            "description": "TTL for grants (e.g. 1h, 30m, or seconds)."
+          },
+
+          "reason": {
+            "type": ["string", "null"]
+          },
+
+          "masking": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "fields": {
+                "type": "array",
+                "items": {
+                  "type": "object",
+                  "required": ["name", "method"],
+                  "additionalProperties": false,
+                  "properties": {
+                    "name": { "type": "string" },
+                    "method": {
+                      "type": "string",
+                      "enum": ["redact", "hash", "truncate", "nullify"]
+                    }
+                  }
+                }
+              }
+            }
+          },
+
+          "approval": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "approver_role": { "type": "string" }
+            }
+          },
+
+          "priority": {
+            "type": ["integer", "null"]
+          }
+        }
+      }
+    },
+
+    "signing": {
+      "type": ["object", "null"],
+      "description": "Optional cryptographic signature over the bundle.",
+      "additionalProperties": false,
+      "properties": {
+        "alg": { "type": "string" },
+        "key_id": { "type": "string" },
+        "signature": { "type": "string" }
+      }
+    }
+  }
+}

data/lib/vkit/policy/validate_bundle.rb

@@ -0,0 +1,37 @@
+require "json"
+require "json_schemer"
+
+module Vkit
+  module Policy
+    class ValidateBundle
+      def self.call!(bundle_path:, schema_path:)
+        bundle_path = File.expand_path(bundle_path)
+        schema_path = File.expand_path(schema_path)
+
+        raise "Bundle not found: #{bundle_path}" unless File.exist?(bundle_path)
+        raise "Schema not found: #{schema_path}" unless File.exist?(schema_path)
+
+        bundle = JSON.parse(File.read(bundle_path))
+        schema = JSON.parse(File.read(schema_path))
+
+        schemer = JSONSchemer.schema(schema)
+        errors = schemer.validate(bundle).to_a
+
+        if errors.any?
+          raise ValidationError.new(errors)
+        end
+
+        true
+      end
+
+      class ValidationError < StandardError
+        attr_reader :errors
+
+        def initialize(errors)
+          @errors = errors
+          super("Bundle schema validation failed")
+        end
+      end
+    end
+  end
+end

data/lib/vkit.rb

@@ -0,0 +1,3 @@
+module Vkit; end
+
+require_relative "vkit/cli.rb"

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: vaultkit
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Nnamdi Ogundu
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-01-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+description: Command-line interface for interacting with the VaultKit control plane
+email:
+- founders@vaultkit.io
+executables:
+- vkit
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- bin/funl
+- bin/vkit
+- lib/vkit.rb
+- lib/vkit/cli.rb
+- lib/vkit/cli/api/client.rb
+- lib/vkit/cli/base_cli.rb
+- lib/vkit/cli/commands.rb
+- lib/vkit/cli/commands/approval_command.rb
+- lib/vkit/cli/commands/base_command.rb
+- lib/vkit/cli/commands/datasource_command.rb
+- lib/vkit/cli/commands/fetch_command.rb
+- lib/vkit/cli/commands/login_command.rb
+- lib/vkit/cli/commands/logout_command.rb
+- lib/vkit/cli/commands/policy_bundle_command.rb
+- lib/vkit/cli/commands/policy_deploy_command.rb
+- lib/vkit/cli/commands/policy_validate_command.rb
+- lib/vkit/cli/commands/request_command.rb
+- lib/vkit/cli/commands/requests_list_command.rb
+- lib/vkit/cli/commands/scan_command.rb
+- lib/vkit/cli/commands/whoami_command.rb
+- lib/vkit/cli/errors.rb
+- lib/vkit/cli/policy_bundle_validator.rb
+- lib/vkit/cli/requests_cli.rb
+- lib/vkit/core/auth_client.rb
+- lib/vkit/core/credential_resolver.rb
+- lib/vkit/core/credential_store.rb
+- lib/vkit/core/table_formatter.rb
+- lib/vkit/policy/bundle_compiler.rb
+- lib/vkit/policy/schema/policy_bundle.schema.json
+- lib/vkit/policy/validate_bundle.rb
+- lib/vkit/utils/banner.rb
+- lib/vkit/utils/config_loader.rb
+- lib/vkit/utils/logger.rb
+homepage: https://vaultkit.io
+licenses:
+- Proprietary
+metadata:
+  rubygems_mfa_required: 'true'
+  source_code_uri: https://github.com/ndbaba1/vaultkitcli
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.3
+signing_key:
+specification_version: 4
+summary: VaultKit CLI
+test_files: []