vaultkit 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 34fa800a34471c3f3b5c33ac0a6d422eaa7bb1371fe432094fda2b4cf19d6686
-  data.tar.gz: eacac1644c5598c4ad819e3d5ddb8cb029a73749dd78f55d9b9bd890bf769d61
+  metadata.gz: 78b1d315e88a305ca599630dcb679921c4b7feb9cf6126892a845da8afc05895
+  data.tar.gz: 5cb8b0aacc91385d26a681a5ab9725f260166952cfe190de7bfa47353e1b2fd6
 SHA512:
-  metadata.gz: 5cb6321bac94a278f7e74deafda228bc4e544a240e318a2fcd6765678e6191485e25767dee7cb342c428c1bd3bf36d68dd3d4905ac84b6266910db6a86bdfbee
-  data.tar.gz: 7416063b5dd6ad13bbe4d617dc97d925429594061f3857180296093d0f3089c9be0bd3afb5a61540e4850d2d1a81a8205c6276aa871ba0ff2da57d10a19412a3
+  metadata.gz: f123babdc6fea12f1e7a3adaa08a89d1181f82c0b11dfd73171d3a82a84680c9f68e55f2e724a02a232f34c2b8bdeea31c31f8e4a49a045dcccebb710daf3ad4
+  data.tar.gz: 8ddfea885a78988b1c0cd74d6735364f5aab63d7312a639154956dd6e928035f5128b22fe12ccf422ccb9e7d5e45cb251a521dc6ab285bc011abd29b6b2bddb7

data/README.md

@@ -27,7 +27,12 @@ The VaultKit CLI (`vkit`) is the primary interface for interacting with the Vaul
 
 ## 🎯 What is VaultKit CLI?
 
-The VaultKit CLI provides command-line access to:
+The VaultKit CLI provides command-line access to VaultKit for:
+
+- **Users** - Data analysts, engineers, and administrators
+- **AI Agents** - LLMs and autonomous systems requiring governed data access
+- **Tools & Services** - CI/CD pipelines, data pipelines, and automated workflows
+- **Applications** - Programmatic integration via scripting
 
 | Capability | Description |
 |------------|-------------|
@@ -73,16 +78,6 @@ VaultKit uses a **request → policy → grant → fetch** workflow:
 gem install vaultkitcli
 ```
 
-### Option 2: Install from Source
-
-```bash
-git clone https://github.com/yourorg/vaultkit-cli.git
-cd vaultkit-cli
-bundle install
-gem build vaultkitcli.gemspec
-gem install ./vaultkitcli-0.1.0.gem
-```
-
 ### Verify Installation
 
 ```bash
@@ -129,7 +124,7 @@ vkit request --aql '{
 
 If granted immediately:
 ```bash
-vkit fetch --grant g_customers_abc123xyz
+vkit fetch --grant gr_abc123xyz
 ```
 
 If approval required:
@@ -138,7 +133,7 @@ If approval required:
 vkit requests list --state pending
 
 # After approval
-vkit fetch --grant g_customers_abc123xyz
+vkit fetch --grant gr_abc123xyz
 ```
 
 ---
@@ -180,12 +175,21 @@ vkit whoami
 
 **Output:**
 ```
-User ID:         user_12345
-Email:           analyst@company.com
-Role:            analyst
-Clearance Level: 2 (high)
-Region:          US
-Session Expires: 2024-01-15 18:00:00 UTC
+👤 analyst@acme.com (role: analyst, org: acme)
+```
+
+**JSON Format:**
+```bash
+vkit whoami --format json
+```
+
+**Output:**
+```json
+{
+  "email": "analyst@acme.com",
+  "role": "analyst",
+  "org": "acme"
+}
 ```
 
 ### `vkit logout`
@@ -212,12 +216,12 @@ vkit request --aql '{
 
 # Output:
 # ✓ Request granted immediately
-# Grant ID: g_customers_abc123xyz
+# Grant ID: gr_abc123xyz
 # TTL: 4 hours
-# Use: vkit fetch --grant g_customers_abc123xyz
+# Use: vkit fetch --grant gr_abc123xyz
 
 # 2. Fetch data
-vkit fetch --grant g_customers_abc123xyz --format table
+vkit fetch --grant gr_abc123xyz --format table
 ```
 
 ### Workflow 2: Approval Required
@@ -241,7 +245,7 @@ vkit request --aql '{
 vkit requests list --state pending
 
 # 3. After approval, fetch data
-vkit fetch --grant g_customers_approved_abc123
+vkit fetch --grant gr_approved_abc123
 ```
 
 ### Workflow 3: Denied Access
@@ -491,16 +495,16 @@ vkit fetch --grant <GRANT_REF> [--format FORMAT]
 **Examples:**
 ```bash
 # Fetch and display as table
-vkit fetch --grant g_customers_abc123xyz
+vkit fetch --grant gr_abc123xyz
 
 # Fetch as JSON
-vkit fetch --grant g_customers_abc123xyz --format json
+vkit fetch --grant gr_abc123xyz --format json
 
 # Fetch and save to CSV
-vkit fetch --grant g_customers_abc123xyz --format csv --output results.csv
+vkit fetch --grant gr_abc123xyz --format csv --output results.csv
 
 # Pipe to jq for processing
-vkit fetch --grant g_customers_abc123xyz --format json | jq '.data[] | select(.revenue > 1000)'
+vkit fetch --grant gr_abc123xyz --format json | jq '.data[] | select(.revenue > 1000)'
 ```
 
 ---
@@ -525,7 +529,7 @@ vkit datasource add --id <ID> --engine <ENGINE> [OPTIONS]
 
 **Examples:**
 
-**PostgreSQL:**
+**PostgreSQL (Built-in credential storage):**
 ```bash
 vkit datasource add \
   --id production_pg \
@@ -541,33 +545,18 @@ vkit datasource add \
   }'
 ```
 
-**With HashiCorp Vault:**
+**MySQL:**
 ```bash
 vkit datasource add \
-  --id production_pg \
-  --engine postgres \
-  --credential-backend vault \
-  --vault-path secret/data/databases/production \
+  --id production_mysql \
+  --engine mysql \
+  --username app_reader \
+  --password $MYSQL_PASSWORD \
   --config '{
-    "host": "db.production.internal",
-    "port": 5432,
-    "database": "analytics",
-    "ssl_mode": "verify-full"
-  }'
-```
-
-**Snowflake:**
-```bash
-vkit datasource add \
-  --id snowflake_prod \
-  --engine snowflake \
-  --username analytics_user \
-  --password $SNOWFLAKE_PASSWORD \
-  --config '{
-    "account": "xy12345.us-east-1",
-    "warehouse": "ANALYTICS_WH",
-    "database": "PRODUCTION",
-    "schema": "PUBLIC"
+    "host": "mysql.production.internal",
+    "port": 3306,
+    "database": "ecommerce",
+    "ssl_mode": "REQUIRED"
   }'
 ```
 
@@ -630,7 +619,7 @@ vkit datasource remove <DATASOURCE_ID> [--force]
 
 **Example:**
 ```bash
-vkit datasource remove old_staging_customers_db --force
+vkit datasource remove old_staging_db --force
 ```
 
 ---
@@ -716,10 +705,18 @@ vkit policy bundle [OPTIONS]
 - `--registry_dir` — Path to registry files (default: `config`)
 - `--datasources_dir` — Path to datasource configs (default: `config/datasources`)
 - `--out` — Output bundle file (default: `dist/policy_bundle.json`)
-- `--org` — Organization identifier
+- `--org` — Organization identifier (optional, defaults to logged-in user's org)
 
 **Example:**
 ```bash
+# Using logged-in user's org
+vkit policy bundle \
+  --policies_dir config/policies \
+  --registry_dir config \
+  --datasources_dir config/datasources \
+  --out dist/policy_bundle.json
+
+# Specifying org explicitly
 vkit policy bundle \
   --policies_dir config/policies \
   --registry_dir config \
@@ -759,13 +756,18 @@ vkit policy deploy --bundle <BUNDLE_FILE> [OPTIONS]
 
 **Options:**
 - `--bundle` — Path to bundle file (required)
-- `--org` — Organization identifier
+- `--org` — Organization identifier (optional, defaults to logged-in user's org)
 - `--activate` — Immediately activate bundle
 - `--dry-run` — Validate deployment without activating
 
 **Examples:**
 ```bash
-# Deploy and activate
+# Deploy and activate (using logged-in user's org)
+vkit policy deploy \
+  --bundle dist/policy_bundle.json \
+  --activate
+
+# Deploy with explicit org
 vkit policy deploy \
   --bundle dist/policy_bundle.json \
   --org acme \
@@ -774,7 +776,6 @@ vkit policy deploy \
 # Dry run (test deployment)
 vkit policy deploy \
   --bundle dist/policy_bundle.json \
-  --org acme \
   --dry-run
 ```
 
@@ -854,69 +855,6 @@ vkit audit export \
 
 ---
 
-## ⚙️ Configuration
-
-### Configuration File
-
-Create `~/.vkit/config.yaml` for persistent settings:
-
-```yaml
-# VaultKit Control Plane
-api_url: "https://vaultkit.company.com"
-
-# Authentication
-auth:
-  method: "sso"  # or "password"
-  sso_provider: "okta"
-
-# Default Settings
-defaults:
-  datasource: "production_pg"
-  environment: "production"
-  requester_region: "US"
-  clearance_level: "high"
-
-# Output Preferences
-output:
-  format: "table"  # json, table, csv
-  color: true
-
-# Audit Logging
-audit:
-  local_log: true
-  log_customers_path: "~/.vkit/audit.log"
-
-# Request Settings
-request:
-  default_ttl: 3600  # 1 hour
-  auto_retry: true
-  retry_attempts: 3
-```
-
-### Environment Variables
-
-Override config file with environment variables:
-
-```bash
-# Required
-export VKIT_API_URL="https://vaultkit.company.com"
-
-# Optional
-export VKIT_CONFIg_customers_PATH="~/.vkit/config.yaml"
-export VKIT_AUTH_TOKEN="eyJhbGciOiJIUzI1NiIs..."
-export VKIT_DEFAULT_DATASOURCE="production_pg"
-export VKIT_OUTPUT_FORMAT="json"
-```
-
-### Precedence Order
-
-1. Command-line flags (highest priority)
-2. Environment variables
-3. Configuration file
-4. Built-in defaults (lowest priority)
-
----
-
 ## 🔬 Advanced Usage
 
 ### Scripting with vkit
@@ -992,7 +930,7 @@ jobs:
             --policies_dir config/policies \
             --registry_dir config \
             --out policy_bundle.json \
-            --org ${{ secrets.ORg_customers_ID }}
+            --org ${{ secrets.ORG_ID }}
       
       - name: Validate Bundle
         run: vkit policy validate --bundle policy_bundle.json
@@ -1001,7 +939,7 @@ jobs:
         run: |
           vkit policy deploy \
             --bundle policy_bundle.json \
-            --org ${{ secrets.ORg_customers_ID }} \
+            --org ${{ secrets.ORG_ID }} \
             --activate
 ```
 
@@ -1019,7 +957,7 @@ vkit requests list --format json | jq 'group_by(.state) | map({state: .[0].state
 
 **Find high-value transactions:**
 ```bash
-vkit fetch --grant g_customers_abc123 --format json | jq '.data[] | select(.amount > 10000)'
+vkit fetch --grant gr_abc123 --format json | jq '.data[] | select(.amount > 10000)'
 ```
 
 ---
@@ -1073,7 +1011,7 @@ docker compose up
 **Problem:**
 ```
 Error: Grant has expired
-Grant ID: g_customers_abc123xyz
+Grant ID: gr_abc123xyz
 Expired at: 2024-01-15 12:00:00 UTC
 ```
 
@@ -1183,7 +1121,7 @@ bundle exec rubocop -a
 
 ## 📚 Additional Resources
 
-- **Main Repository**: [github.com/yourorg/vaultkit](https://github.com/yourorg/vaultkit)
+- **Main Repository**: [github.com/ndbaba1/vaultkitcli.git](https://github.com/ndbaba1/vaultkitcli.git)
 - **Documentation**: [docs.vaultkit.io](https://docs.vaultkit.io)
 - **AQL Specification**: [docs.vaultkit.io/aql](https://docs.vaultkit.io/aql)
 - **Policy Reference**: [docs.vaultkit.io/policies](https://docs.vaultkit.io/policies)
@@ -1197,13 +1135,4 @@ VaultKit CLI is licensed under the Apache License 2.0. See [LICENSE](LICENSE) fo
 
 ---
 
-## 💬 Support
-
-- **Issues**: [github.com/yourorg/vaultkit-cli/issues](https://github.com/yourorg/vaultkit-cli/issues)
-- **Discussions**: [github.com/yourorg/vaultkit-cli/discussions](https://github.com/yourorg/vaultkit-cli/discussions)
-- **Email**: support@vaultkit.io
-- **Slack**: [vaultkit.slack.com](https://vaultkit.slack.com)
-
----
-
 **Built with ❤️ by the VaultKit team**

data/lib/vkit/cli/commands/login_command.rb

@@ -31,7 +31,7 @@ module Vkit
           result =
             case auth
             when "oidc"
-              oidc_flow(client, discovery["oidc"]["login_url"])
+              oidc_flow(client)
             when "password"
               password_flow(client)
             when "token"
@@ -55,20 +55,20 @@ module Vkit
 
         private
 
-        def oidc_flow(client, login_url)
+        def oidc_flow(client)
           start = client.start_cli_login
           poll_token = start["poll_token"]
-
+          login_url  = start["login_url"]
+        
           open_browser(login_url)
           puts "⏳ Waiting for authentication to complete..."
-
+        
           loop do
             res = client.poll_cli_login(poll_token)
-
+        
             case res.code.to_i
             when 204
               sleep 2
-              next
             when 200
               body = JSON.parse(res.body)
               return {
@@ -83,7 +83,7 @@ module Vkit
               raise "Unexpected response: #{res.code}"
             end
           end
-        end
+        end        
 
         def password_flow(client)
           email = @email || prompt("Email")

data/lib/vkit/cli/commands/logout_command.rb

@@ -3,6 +3,21 @@ module Vkit
     module Commands
       class LogoutCommand < BaseCommand
         def call
+          token = credential_store.token
+
+          if token
+            begin
+              client = Vkit::Core::AuthClient.new(
+                base_url: credential_store.endpoint
+              )
+
+              client.logout(token)
+            rescue => e
+              warn "⚠️ Server logout failed: #{e.message}"
+              warn "⚠️ Continuing with local logout"
+            end
+          end
+
           credential_store.clear_token!
           puts "🧹 Logged out"
         end

data/lib/vkit/cli/commands/whoami_command.rb

@@ -3,10 +3,40 @@ module Vkit
     module Commands
       class WhoamiCommand < BaseCommand
         def call
-          with_auth do
-            user = credential_store.user
-            puts "👤 #{user['email']} (role: #{user['role']}, org: #{user['organization_slug']})"
-          end
+          user = fetch_user_from_server_or_fallback
+
+          puts "👤 #{user['email']} " \
+               "(role: #{user['role']}, org: #{user['organization_slug']})"
+        end
+
+        private
+
+        def fetch_user_from_server_or_fallback
+          token = credential_store.token
+          endpoint = credential_store.endpoint
+
+          raise "Not logged in" if token.nil? || endpoint.nil?
+
+          client = Vkit::Core::AuthClient.new(base_url: endpoint)
+          server_user = client.whoami(token)
+
+          # keep cache in sync if server is authoritative
+          credential_store.save_user(server_user)
+
+          server_user
+        rescue => e
+          fallback_local_user(e)
+        end
+
+        def fallback_local_user(error)
+          user = credential_store.user
+          raise "Not logged in" if user.nil?
+
+          warn "⚠️ Unable to verify identity with server"
+          warn "⚠️ #{error.message}"
+          warn "⚠️ Showing cached identity"
+
+          user
         end
       end
     end

data/lib/vkit/core/auth_client.rb

@@ -29,11 +29,15 @@ module Vkit
       end
 
       def poll_cli_login(poll_token)
-        uri = uri_for("/auth/cli/poll?token=#{poll_token}")
-        req = Net::HTTP::Get.new(uri)
-
+        uri = uri_for("/auth/cli/poll")
+        req = Net::HTTP::Post.new(uri)
+        req["Content-Type"] = "application/json"
+        req.body = JSON.dump(
+          poll_token: poll_token
+        )
+      
         http_request(uri, req, allow_non_200: true)
-      end
+      end      
 
       def password_login(email:, password:)
         uri = uri_for("/api/users/sign_in")
@@ -66,6 +70,14 @@ module Vkit
         body["user"]
       end
 
+      def logout(token)
+        uri = uri_for("/api/users/sign_out")
+        req = Net::HTTP::Delete.new(uri)
+        req["Authorization"] = "Bearer #{token}"
+      
+        http_request(uri, req, allow_non_200: true)
+      end      
+
       private
 
       def uri_for(path)

data/lib/vkit/core/credential_store.rb

@@ -33,6 +33,22 @@ module Vkit
         true
       end
 
+      def save_user(user)
+        payload = load_payload
+        return unless payload
+      
+        payload["user"] = user
+      
+        case
+        when mac?
+          mac_keychain_store(payload)
+        when linux? && secret_tool_available?
+          linux_secret_service_store(payload)
+        else
+          file_store(payload)
+        end
+      end      
+
       def endpoint
         load_payload&.dig("endpoint")
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vaultkit
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Nnamdi Ogundu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-05 00:00:00.000000000 Z
+date: 2026-01-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor