vaultkit 0.1.2 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78b1d315e88a305ca599630dcb679921c4b7feb9cf6126892a845da8afc05895
-  data.tar.gz: 5cb8b0aacc91385d26a681a5ab9725f260166952cfe190de7bfa47353e1b2fd6
+  metadata.gz: 7ef641bfa848899716802a548282d99ceb00882f2ebace64e73cad6a465e3f39
+  data.tar.gz: b45579cba40972b3500af392d872c226eec3499fa884179fa87dbeb3a0b7711e
 SHA512:
-  metadata.gz: f123babdc6fea12f1e7a3adaa08a89d1181f82c0b11dfd73171d3a82a84680c9f68e55f2e724a02a232f34c2b8bdeea31c31f8e4a49a045dcccebb710daf3ad4
-  data.tar.gz: 8ddfea885a78988b1c0cd74d6735364f5aab63d7312a639154956dd6e928035f5128b22fe12ccf422ccb9e7d5e45cb251a521dc6ab285bc011abd29b6b2bddb7
+  metadata.gz: 3ac9dd5b9b100dcdbf1a141f25bf1e686efcf9376dd5182aa3827c0b1457b571e65ba8f5fabe6a17a8473d3e4909306d74ef6003421ddf07f5f77e692848cc7d
+  data.tar.gz: f98f55a48d58315877e824663a8c9d4499542f661b838dadf2b5dd534ec66583b43dc4db25d75a55be187aabaa7ae92b2f7abc87634da61ba143f44bfb85d23b

data/bin/vkit

@@ -4,7 +4,7 @@ require_relative "../lib/vkit"
 require_relative "../lib/vkit/cli/errors"
 
 begin
-  Vkit::CLI::BaseCLI.start(ARGV)
+  Vkit::CLI.start(ARGV)
 
 rescue Vkit::CLI::Error => e
   warn "❌ #{e.message}"

data/lib/vkit/cli/base_cli.rb

@@ -168,6 +168,49 @@ module Vkit
           )
         end
       }
+
+      desc "agents SUBCOMMAND ...ARGS", "Manage agents and automation identities"
+      subcommand "agents", Class.new(Thor) {
+
+        # agents tokens SUBCOMMAND
+        desc "tokens SUBCOMMAND ...ARGS", "Manage agent tokens"
+        subcommand "tokens", Class.new(Thor) {
+
+          # agents tokens list
+          desc "list", "List tokens for an agent"
+          option :format, type: :string, default: "table", enum: %w[table json]
+          def list
+            Commands::AgentTokensListCommand.new.call(
+              agent: options[:agent],
+              format: options[:format]
+            )
+          end
+
+          # agents tokens create
+          desc "create", "Create a new agent token (automation identity)"
+          option :name, required: true, desc: "Human-readable name (e.g. billing-bot)"
+          option :expires_in, type: :string, desc: "Token lifetime (e.g. 1h, 24h, 30d)"
+          option :role, type: :string, default: "agent", desc: "Role assigned to this token"
+          def create
+            Commands::AgentTokensCreateCommand.new.call(
+              name: options[:name],
+              expires_in: options[:expires_in],
+              role: options[:role]
+            )
+          end
+
+          # agents tokens revoke
+          desc "revoke", "Revoke an agent token"
+          option :token, required: true, desc: "Token ID or prefix"
+          option :force, type: :boolean, default: false, desc: "Skip confirmation"
+          def revoke
+            Commands::AgentTokensRevokeCommand.new.call(
+              token: options[:token],
+              force: options[:force]
+            )
+          end
+        }
+      }
     end
   end
 end

data/lib/vkit/cli/commands/agent_tokens_create_command.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require "json"
+require "time"
+
+module Vkit
+  module CLI
+    module Commands
+      class AgentTokensCreateCommand < BaseCommand
+        def call(options)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            response =
+              authenticated_client.post(
+                "/api/v1/orgs/#{org}/agent_tokens",
+                body: build_body(options)
+              )
+
+            token  = response.fetch("token")
+            secret = response.fetch("secret")
+
+            puts "🔐 AGENT TOKEN ISSUED (shown once)"
+            puts
+
+            puts "🧠 Name:       #{token["name"]}"
+            puts "🎭 Role:       #{token["role"]}"
+            puts "🆔 Token ID:   #{token["id"]}"
+            puts "🏷  Prefix:     #{token["prefix"]}"
+            puts "⏳ Expires At: #{token["expires_at"] || "never"}"
+            puts
+
+            puts "🔑 TOKEN"
+            puts "────────────────────────────────────────"
+            puts secret
+            puts "────────────────────────────────────────"
+            puts
+
+            puts "⚠️  Store this token securely. It cannot be retrieved again."
+          end
+        end
+
+        private
+
+        def build_body(options)
+          body = {
+            name: options.fetch(:name),
+            role: options[:role],
+          }
+
+          if options[:expires_in]
+            body[:expires_at] = parse_expires_in(options[:expires_in]).iso8601
+          end
+
+          body
+        end
+
+        def parse_expires_in(value)
+          number = value.to_i
+        
+          case value
+          when /\A\d+h\z/
+            Time.now.utc + (number * 60 * 60)
+          when /\A\d+d\z/
+            Time.now.utc + (number * 24 * 60 * 60)
+          else
+            raise "Invalid expires_in format (use 1h, 24h, 30d)"
+          end
+        end        
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/agent_tokens_list_command.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "json"
+require_relative "../../core/table_formatter"
+
+module Vkit
+  module CLI
+    module Commands
+      class AgentTokensListCommand < BaseCommand
+        def call(options)
+          format = options[:format] || "table"
+
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            response =
+              authenticated_client.get(
+                "/api/v1/orgs/#{org}/agent_tokens",
+                params: build_query(options)
+              )
+
+            tokens = response["tokens"] || []
+
+            print_result(tokens, format)
+          end
+        end
+
+        private
+
+        def build_query(options)
+          {}.tap do |q|
+            q[:name] = options[:agent] if options[:agent]
+          end
+        end
+
+        def print_result(tokens, format)
+          if tokens.empty?
+            puts "No tokens found."
+            return
+          end
+
+          case format
+          when "json"
+            puts JSON.pretty_generate(tokens)
+
+          when "table"
+            Vkit::Core::TableFormatter.render(
+              tokens.map do |t|
+                {
+                  "ID"         => t["id"],
+                  "Agent"      => t["name"],
+                  "Prefix"     => t["prefix"],
+                  "Expires At" => t["expires_at"] || "never",
+                  "Revoked At" => t["revoked_at"] || "-",
+                  "Created At" => t["created_at"]
+                }
+              end
+            )
+
+          else
+            raise "Unknown format: #{format}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/agent_tokens_revoke_command.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Vkit
+  module CLI
+    module Commands
+      class AgentTokensRevokeCommand < BaseCommand
+        def call(options)
+          token_ref = options.fetch(:token)
+
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            token = resolve_token!(org, token_ref)
+
+            unless options[:force]
+              confirm!(token)
+            end
+
+            authenticated_client.post(
+              "/api/v1/orgs/#{org}/agent_tokens/#{token["id"]}/revoke",
+              body: {}
+            )
+
+            puts "🛑 AGENT TOKEN REVOKED"
+            puts
+            puts "🧠 Name:   #{token["name"]}"
+            puts "🏷  Prefix: #{token["prefix"]}"
+            puts "🆔 ID:     #{token["id"]}"
+            puts
+            puts "✅ The token is no longer valid."
+          end
+        end
+
+        private
+
+        def resolve_token!(org, token_ref)
+          response =
+            authenticated_client.get(
+              "/api/v1/orgs/#{org}/agent_tokens"
+            )
+
+          tokens = response["tokens"] || []
+
+          token =
+            tokens.find do |t|
+              t["id"] == token_ref || t["prefix"] == token_ref
+            end
+
+          raise "Agent token not found: #{token_ref}" unless token
+
+          token
+        end
+
+        def confirm!(token)
+          puts "⚠️  You are about to revoke this agent token:"
+          puts
+          puts "🧠 Name:   #{token["name"]}"
+          puts "🏷  Prefix: #{token["prefix"]}"
+          puts "🆔 ID:     #{token["id"]}"
+          puts
+          print "\nType 'revoke' to confirm: "
+
+          input = STDIN.gets&.strip
+          abort "Aborted." unless input == "revoke"
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/fetch_command.rb

@@ -16,8 +16,8 @@ module Vkit
               body: {}
             )
 
-            rows = response["rows"] || []
-            meta = response["meta"] || {}
+            rows = response.dig("rows", "rows") || []
+            meta = response.dig("rows", "meta") || {}
 
             print_result(rows, meta, format)
           end

data/lib/vkit/cli/commands/policy_bundle_command.rb

@@ -3,6 +3,7 @@
 require "json"
 require "fileutils"
 require_relative "../../policy/bundle_compiler"
+require_relative "../../policy/validation_error"
 
 module Vkit
   module CLI
@@ -58,6 +59,9 @@ module Vkit
             puts "   Checksum: #{bundle.dig("bundle", "checksum")}"
             puts "   Output:   #{out}"
           end
+        rescue Vkit::Policy::ValidationError => e
+          puts e.message
+          exit 1
         end
 
         private

data/lib/vkit/cli.rb

@@ -1,4 +1,18 @@
 require "thor"
+require_relative "version"
 
 require_relative "cli/commands"
 require_relative "cli/base_cli"
+
+module Vkit
+  module CLI
+    def self.start(argv = ARGV)
+      if argv.include?("--version") || argv.include?("-v")
+        puts "vkit #{Vkit::VERSION}"
+        exit 0
+      end
+
+      BaseCLI.start(argv)
+    end
+  end
+end

data/lib/vkit/policy/bundle_compiler.rb

@@ -2,6 +2,7 @@ require "json"
 require "yaml"
 require "digest"
 require "time"
+require_relative "policy_validator"
 
 module Vkit
   module Policy
@@ -40,6 +41,9 @@ module Vkit
         files.map do |f|
           data = YAML.load_file(f)
           raise "Policy file #{f} must be a Hash" unless data.is_a?(Hash)
+
+          PolicyValidator.validate!(data, file: File.basename(f))
+
           data.merge("__file" => File.basename(f))
         end
       end

data/lib/vkit/policy/policy_validator.rb

@@ -0,0 +1,129 @@
+module Vkit
+  module Policy
+    class PolicyValidator
+      ACTION_KEYS = %w[deny require_approval mask allow].freeze
+
+      def self.validate!(policy, file: nil)
+        prefix = file ? "In #{file}:\n\n" : ""
+
+        require_string!(policy, "id", prefix)
+        require_string!(policy, "description", prefix)
+
+        action = policy["action"]
+        unless action.is_a?(Hash)
+          raise ValidationError, <<~MSG
+            #{prefix}Invalid action format.
+
+            Expected:
+
+              action:
+                deny: true
+
+            Got:
+
+              action: #{action.inspect}
+
+            VaultKit requires `action` to be a mapping so it can attach
+            metadata like reason, ttl, approvals, and masking rules.
+          MSG
+        end
+
+        validate_action!(action, prefix)
+        true
+      end
+
+      def self.require_string!(hash, key, prefix)
+        value = hash[key]
+        return if value.is_a?(String) && !value.strip.empty?
+
+        raise ValidationError, <<~MSG
+          #{prefix}#{key} is required and must be a non-empty string.
+        MSG
+      end
+
+      def self.validate_action!(action, prefix)
+        intents = ACTION_KEYS.select { |k| action[k] == true }
+
+        if intents.empty?
+          raise ValidationError, <<~MSG
+            #{prefix}Action must specify exactly one intent.
+
+            Choose one of:
+
+              - deny
+              - require_approval
+              - mask
+              - allow
+
+            Example:
+
+              action:
+                deny: true
+          MSG
+        end
+
+        if intents.size > 1
+          raise ValidationError, <<~MSG
+            #{prefix}Action specifies multiple intents: #{intents.join(', ')}.
+
+            Only one intent may be set to true.
+          MSG
+        end
+
+        intent = intents.first
+
+        case intent
+        when "deny"
+          require_reason!(action, prefix)
+
+        when "require_approval"
+          require_reason!(action, prefix)
+          require_string!(action, "approver_role", prefix)
+
+        when "mask"
+          # masking config can be validated later
+
+        when "allow"
+          # nothing required
+        end
+
+        validate_ttl!(action["ttl"], prefix) if action.key?("ttl")
+      end
+
+      def self.require_reason!(action, prefix)
+        reason = action["reason"]
+        return if reason.is_a?(String) && !reason.strip.empty?
+
+        raise ValidationError, <<~MSG
+          #{prefix}action.reason is required and must be a non-empty string
+          when using deny or require_approval.
+        MSG
+      end
+
+      def self.validate_ttl!(ttl, prefix)
+        case ttl
+        when Integer
+          return
+        when String
+          return if ttl.match?(/\A\d+[smhd]\z/)
+
+          raise ValidationError, <<~MSG
+            #{prefix}Invalid ttl format.
+
+            Expected examples:
+              - "30m"
+              - "1h"
+              - "2d"
+
+            Got:
+              ttl: #{ttl.inspect}
+          MSG
+        else
+          raise ValidationError, <<~MSG
+            #{prefix}ttl must be a string duration (e.g. "1h") or an integer (seconds).
+          MSG
+        end
+      end
+    end
+  end
+end

data/lib/vkit/policy/validation_error.rb

@@ -0,0 +1,5 @@
+module Vkit
+  module Policy
+    class ValidationError < StandardError; end
+  end
+end

data/lib/vkit/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Vkit
+  VERSION = "1.0.0"
+end

data/lib/vkit.rb

@@ -1,3 +1,4 @@
 module Vkit; end
 
+require_relative "vkit/version.rb"
 require_relative "vkit/cli.rb"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vaultkit
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 1.0.0
 platform: ruby
 authors:
 - Nnamdi Ogundu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-10 00:00:00.000000000 Z
+date: 2026-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -40,6 +40,9 @@ files:
 - lib/vkit/cli/api/client.rb
 - lib/vkit/cli/base_cli.rb
 - lib/vkit/cli/commands.rb
+- lib/vkit/cli/commands/agent_tokens_create_command.rb
+- lib/vkit/cli/commands/agent_tokens_list_command.rb
+- lib/vkit/cli/commands/agent_tokens_revoke_command.rb
 - lib/vkit/cli/commands/approval_command.rb
 - lib/vkit/cli/commands/base_command.rb
 - lib/vkit/cli/commands/datasource_command.rb
@@ -61,11 +64,14 @@ files:
 - lib/vkit/core/credential_store.rb
 - lib/vkit/core/table_formatter.rb
 - lib/vkit/policy/bundle_compiler.rb
+- lib/vkit/policy/policy_validator.rb
 - lib/vkit/policy/schema/policy_bundle.schema.json
 - lib/vkit/policy/validate_bundle.rb
+- lib/vkit/policy/validation_error.rb
 - lib/vkit/utils/banner.rb
 - lib/vkit/utils/config_loader.rb
 - lib/vkit/utils/logger.rb
+- lib/vkit/version.rb
 homepage: https://vaultkit.io
 licenses:
 - Nonstandard