vaultkit 0.1.3 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e7924ff85def4166e7acb533f23e56a94cbca1f3d049b7745a65f88423375807
-  data.tar.gz: fdbb7973e3fc214695718efb96a38de8bf2c77548fd2ce10506b5bbae515b57c
+  metadata.gz: e4b12d7696d6e2ec91bdf7843bd8648a1c9f0fdce6c59a6c4cbc902b3e4739c8
+  data.tar.gz: 7ae893269eb4075c797294585af9f28ad5da121f892b11e7d2e12ea8f625e956
 SHA512:
-  metadata.gz: b02054d1e6abd18c1986d8967148ac49ffb807bc031dbfddab30e7eb3055384e96bdb0911f2ba1b6d82e62f1fa6d99ad0a115d3380a71efe63103d4512e825ad
-  data.tar.gz: 6481994bc927812c1d5327bcd37169b4d98c11662bf689df6ef6f3d35e876fc59fdf19f6d7188e5cfb3183191de169a911a57a2dae7bf48019cf245ee83f9e64
+  metadata.gz: 48fc209dc487ee6649012b5d59da82946b37339cf4d3e1875d34c98146e07c79b93147ea510b98674736b6baf81c422a317f699c287103d0fe354e9191aadfb0
+  data.tar.gz: 62970b31c4cc95ab323e8f2868e41c4214905e680b427a9fe2475621d3e705b0d690c1ad44c113abd5d0b4186398322485b617cca332376c66abdeaacf0d4f6d

data/lib/vkit/cli/base_cli.rb

@@ -31,6 +31,11 @@ module Vkit
         Commands::LogoutCommand.new.call
       end
 
+      desc "reset", "Clear all stored credentials and configuration"
+      def reset
+        Commands::ResetCommand.new.call
+      end
+
       # REQUEST
       desc "request", "Send an inline JSON AQL request (use --aql or pipe via STDIN)"
       option :aql, type: :string, desc: "AQL JSON payload (inline)"
@@ -71,6 +76,20 @@ module Vkit
         )
       end
 
+      desc "approvals:watch", "Watch pending approval requests"
+      option :interval, type: :numeric, default: 3, desc: "Polling interval in seconds"
+      option :format, type: :string, default: "table", enum: %w[table json], desc: "Output format (table for humans, json for automations)"
+      option :pretty, type: :boolean, default: false, desc: "Pretty-print JSON output"
+      option :since, type: :string, desc: "Only show approvals created after this time (ISO8601 or 10m, 2h)"
+      define_method("approvals:watch") do
+        Commands::ApprovalWatchCommand.new.call(
+          interval: options[:interval],
+          format: options[:format],
+          pretty: options[:pretty],
+          since: options[:since]
+        )
+      end
+
       # FETCH
       desc "fetch --grant ID", "Fetch data from Funl using a valid grant"
       option :grant, type: :string, required: true
@@ -168,6 +187,49 @@ module Vkit
           )
         end
       }
+
+      desc "agents SUBCOMMAND ...ARGS", "Manage agents and automation identities"
+      subcommand "agents", Class.new(Thor) {
+
+        # agents tokens SUBCOMMAND
+        desc "tokens SUBCOMMAND ...ARGS", "Manage agent tokens"
+        subcommand "tokens", Class.new(Thor) {
+
+          # agents tokens list
+          desc "list", "List tokens for an agent"
+          option :format, type: :string, default: "table", enum: %w[table json]
+          def list
+            Commands::AgentTokensListCommand.new.call(
+              agent: options[:agent],
+              format: options[:format]
+            )
+          end
+
+          # agents tokens create
+          desc "create", "Create a new agent token (automation identity)"
+          option :name, required: true, desc: "Human-readable name (e.g. billing-bot)"
+          option :expires_in, type: :string, desc: "Token lifetime (e.g. 1h, 24h, 30d)"
+          option :role, type: :string, default: "agent", desc: "Role assigned to this token"
+          def create
+            Commands::AgentTokensCreateCommand.new.call(
+              name: options[:name],
+              expires_in: options[:expires_in],
+              role: options[:role]
+            )
+          end
+
+          # agents tokens revoke
+          desc "revoke", "Revoke an agent token"
+          option :token, required: true, desc: "Token ID or prefix"
+          option :force, type: :boolean, default: false, desc: "Skip confirmation"
+          def revoke
+            Commands::AgentTokensRevokeCommand.new.call(
+              token: options[:token],
+              force: options[:force]
+            )
+          end
+        }
+      }
     end
   end
 end

data/lib/vkit/cli/commands/agent_tokens_create_command.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require "json"
+require "time"
+
+module Vkit
+  module CLI
+    module Commands
+      class AgentTokensCreateCommand < BaseCommand
+        def call(options)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            response =
+              authenticated_client.post(
+                "/api/v1/orgs/#{org}/agent_tokens",
+                body: build_body(options)
+              )
+
+            token  = response.fetch("token")
+            secret = response.fetch("secret")
+
+            puts "🔐 AGENT TOKEN ISSUED (shown once)"
+            puts
+
+            puts "🧠 Name:       #{token["name"]}"
+            puts "🎭 Role:       #{token["role"]}"
+            puts "🆔 Token ID:   #{token["id"]}"
+            puts "🏷  Prefix:     #{token["prefix"]}"
+            puts "⏳ Expires At: #{token["expires_at"] || "never"}"
+            puts
+
+            puts "🔑 TOKEN"
+            puts "────────────────────────────────────────"
+            puts secret
+            puts "────────────────────────────────────────"
+            puts
+
+            puts "⚠️  Store this token securely. It cannot be retrieved again."
+          end
+        end
+
+        private
+
+        def build_body(options)
+          body = {
+            name: options.fetch(:name),
+            role: options[:role],
+          }
+
+          if options[:expires_in]
+            body[:expires_at] = parse_expires_in(options[:expires_in]).iso8601
+          end
+
+          body
+        end
+
+        def parse_expires_in(value)
+          number = value.to_i
+        
+          case value
+          when /\A\d+h\z/
+            Time.now.utc + (number * 60 * 60)
+          when /\A\d+d\z/
+            Time.now.utc + (number * 24 * 60 * 60)
+          else
+            raise "Invalid expires_in format (use 1h, 24h, 30d)"
+          end
+        end        
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/agent_tokens_list_command.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "json"
+require_relative "../../core/table_formatter"
+
+module Vkit
+  module CLI
+    module Commands
+      class AgentTokensListCommand < BaseCommand
+        def call(options)
+          format = options[:format] || "table"
+
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            response =
+              authenticated_client.get(
+                "/api/v1/orgs/#{org}/agent_tokens",
+                params: build_query(options)
+              )
+
+            tokens = response["tokens"] || []
+
+            print_result(tokens, format)
+          end
+        end
+
+        private
+
+        def build_query(options)
+          {}.tap do |q|
+            q[:name] = options[:agent] if options[:agent]
+          end
+        end
+
+        def print_result(tokens, format)
+          if tokens.empty?
+            puts "No tokens found."
+            return
+          end
+
+          case format
+          when "json"
+            puts JSON.pretty_generate(tokens)
+
+          when "table"
+            Vkit::Core::TableFormatter.render(
+              tokens.map do |t|
+                {
+                  "ID"         => t["id"],
+                  "Agent"      => t["name"],
+                  "Prefix"     => t["prefix"],
+                  "Expires At" => t["expires_at"] || "never",
+                  "Revoked At" => t["revoked_at"] || "-",
+                  "Created At" => t["created_at"]
+                }
+              end
+            )
+
+          else
+            raise "Unknown format: #{format}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/agent_tokens_revoke_command.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Vkit
+  module CLI
+    module Commands
+      class AgentTokensRevokeCommand < BaseCommand
+        def call(options)
+          token_ref = options.fetch(:token)
+
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            token = resolve_token!(org, token_ref)
+
+            unless options[:force]
+              confirm!(token)
+            end
+
+            authenticated_client.post(
+              "/api/v1/orgs/#{org}/agent_tokens/#{token["id"]}/revoke",
+              body: {}
+            )
+
+            puts "🛑 AGENT TOKEN REVOKED"
+            puts
+            puts "🧠 Name:   #{token["name"]}"
+            puts "🏷  Prefix: #{token["prefix"]}"
+            puts "🆔 ID:     #{token["id"]}"
+            puts
+            puts "✅ The token is no longer valid."
+          end
+        end
+
+        private
+
+        def resolve_token!(org, token_ref)
+          response =
+            authenticated_client.get(
+              "/api/v1/orgs/#{org}/agent_tokens"
+            )
+
+          tokens = response["tokens"] || []
+
+          token =
+            tokens.find do |t|
+              t["id"] == token_ref || t["prefix"] == token_ref
+            end
+
+          raise "Agent token not found: #{token_ref}" unless token
+
+          token
+        end
+
+        def confirm!(token)
+          puts "⚠️  You are about to revoke this agent token:"
+          puts
+          puts "🧠 Name:   #{token["name"]}"
+          puts "🏷  Prefix: #{token["prefix"]}"
+          puts "🆔 ID:     #{token["id"]}"
+          puts
+          print "\nType 'revoke' to confirm: "
+
+          input = STDIN.gets&.strip
+          abort "Aborted." unless input == "revoke"
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/approval_watch_command.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+require "json"
+require "time"
+
+module Vkit
+  module CLI
+    module Commands
+      class ApprovalWatchCommand < BaseCommand
+        DEFAULT_INTERVAL = 3
+
+        def call(interval: DEFAULT_INTERVAL, format: "table", pretty: false, since: nil)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            since_time = parse_since(since)
+            seen = {}
+
+            if format == "table"
+              puts "⏳ Watching approval queue (Ctrl+C to stop)…"
+              puts "Since: #{since_time.iso8601}" if since_time
+              puts
+            end
+
+            loop do
+              approvals =
+                authenticated_client.get(
+                  "/api/v1/orgs/#{org}/approvals",
+                  params: build_query(since_time)
+                )
+
+              approvals.each do |approval|
+                next if seen[approval["id"]]
+
+                emit(approval, format, pretty)
+                seen[approval["id"]] = true
+              end
+
+              sleep interval
+            end
+          end
+        rescue Interrupt
+          puts "\n👋 Watch stopped." if format == "table"
+        end
+
+        private
+
+        def build_query(since_time)
+          {}.tap do |q|
+            q[:state] = "pending"
+            q[:since] = since_time.iso8601 if since_time
+          end
+        end
+
+        def parse_since(value)
+          return nil if value.nil?
+        
+          now = Time.now.utc
+        
+          case value
+          when /\A(\d+)m\z/
+            now - Regexp.last_match(1).to_i * 60
+          when /\A(\d+)h\z/
+            now - Regexp.last_match(1).to_i * 60 * 60
+          when /\A(\d+)d\z/
+            now - Regexp.last_match(1).to_i * 60 * 60 * 24
+          else
+            Time.iso8601(value)
+          end
+        rescue ArgumentError
+          raise "Invalid --since value (use ISO8601 or 10m, 2h, 1d)"
+        end        
+
+        def emit(approval, format, pretty)
+          case format
+          when "json"
+            print_json(normalize(approval), pretty: pretty)
+          when "table"
+            render_human(approval)
+          else
+            raise "Unknown format: #{format}"
+          end
+        end
+
+        def print_json(obj, pretty:)
+          if pretty
+            puts JSON.pretty_generate(obj)
+          else
+            puts JSON.generate(obj)
+          end
+        end
+
+        def normalize(a)
+          {
+            type: "approval.pending",
+            id: a["id"],
+            dataset: a["dataset"],
+            fields: a["fields"],
+            requester: a["requester"],
+            approver_role: a["approver_role"],
+            created_at: a["created_at"]
+          }
+        end
+
+        def render_human(a)
+          puts "🔔 NEW APPROVAL"
+          puts "────────────────────────────"
+          puts "ID:        #{a["id"]}"
+          puts "Dataset:   #{a["dataset"]}"
+          puts "Fields:    #{Array(a["fields"]).join(", ")}"
+          puts "Requester: #{a["requester"]}"
+          puts "Role Req:  #{a["approver_role"] || "any"}"
+          puts "Created:   #{format_time(a["created_at"])}"
+          puts
+          puts "▶ Approve: vkit approval approve #{a["id"]}"
+          puts "▶ Deny:    vkit approval deny #{a["id"]} --reason \"…\""
+          puts
+        end
+
+        def format_time(value)
+          Time.parse(value).getlocal.strftime("%Y-%m-%d %H:%M:%S")
+        rescue
+          value
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/fetch_command.rb

@@ -16,8 +16,8 @@ module Vkit
               body: {}
             )
 
-            rows = response["rows"] || []
-            meta = response["meta"] || {}
+            rows = response.dig("rows", "rows") || []
+            meta = response.dig("rows", "meta") || {}
 
             print_result(rows, meta, format)
           end

data/lib/vkit/cli/commands/policy_bundle_command.rb

@@ -3,6 +3,7 @@
 require "json"
 require "fileutils"
 require_relative "../../policy/bundle_compiler"
+require_relative "../../policy/validation_error"
 
 module Vkit
   module CLI
@@ -58,6 +59,9 @@ module Vkit
             puts "   Checksum: #{bundle.dig("bundle", "checksum")}"
             puts "   Output:   #{out}"
           end
+        rescue Vkit::Policy::ValidationError => e
+          puts e.message
+          exit 1
         end
 
         private

data/lib/vkit/cli/commands/reset_command.rb

@@ -0,0 +1,20 @@
+module Vkit
+  module CLI
+    module Commands
+      class ResetCommand < BaseCommand
+        def call
+          print "⚠️  This will clear all stored credentials. Continue? (y/N): "
+          response = $stdin.gets.chomp
+          
+          unless response.downcase == 'y'
+            puts "Cancelled"
+            return
+          end
+
+          credential_store.clear!
+          puts "🧹 All credentials cleared"
+        end
+      end
+    end
+  end
+end

data/lib/vkit/policy/bundle_compiler.rb

@@ -2,6 +2,7 @@ require "json"
 require "yaml"
 require "digest"
 require "time"
+require_relative "policy_validator"
 
 module Vkit
   module Policy
@@ -40,6 +41,9 @@ module Vkit
         files.map do |f|
           data = YAML.load_file(f)
           raise "Policy file #{f} must be a Hash" unless data.is_a?(Hash)
+
+          PolicyValidator.validate!(data, file: File.basename(f))
+
           data.merge("__file" => File.basename(f))
         end
       end

data/lib/vkit/policy/policy_validator.rb

@@ -0,0 +1,129 @@
+module Vkit
+  module Policy
+    class PolicyValidator
+      ACTION_KEYS = %w[deny require_approval mask allow].freeze
+
+      def self.validate!(policy, file: nil)
+        prefix = file ? "In #{file}:\n\n" : ""
+
+        require_string!(policy, "id", prefix)
+        require_string!(policy, "description", prefix)
+
+        action = policy["action"]
+        unless action.is_a?(Hash)
+          raise ValidationError, <<~MSG
+            #{prefix}Invalid action format.
+
+            Expected:
+
+              action:
+                deny: true
+
+            Got:
+
+              action: #{action.inspect}
+
+            VaultKit requires `action` to be a mapping so it can attach
+            metadata like reason, ttl, approvals, and masking rules.
+          MSG
+        end
+
+        validate_action!(action, prefix)
+        true
+      end
+
+      def self.require_string!(hash, key, prefix)
+        value = hash[key]
+        return if value.is_a?(String) && !value.strip.empty?
+
+        raise ValidationError, <<~MSG
+          #{prefix}#{key} is required and must be a non-empty string.
+        MSG
+      end
+
+      def self.validate_action!(action, prefix)
+        intents = ACTION_KEYS.select { |k| action[k] == true }
+
+        if intents.empty?
+          raise ValidationError, <<~MSG
+            #{prefix}Action must specify exactly one intent.
+
+            Choose one of:
+
+              - deny
+              - require_approval
+              - mask
+              - allow
+
+            Example:
+
+              action:
+                deny: true
+          MSG
+        end
+
+        if intents.size > 1
+          raise ValidationError, <<~MSG
+            #{prefix}Action specifies multiple intents: #{intents.join(', ')}.
+
+            Only one intent may be set to true.
+          MSG
+        end
+
+        intent = intents.first
+
+        case intent
+        when "deny"
+          require_reason!(action, prefix)
+
+        when "require_approval"
+          require_reason!(action, prefix)
+          require_string!(action, "approver_role", prefix)
+
+        when "mask"
+          # masking config can be validated later
+
+        when "allow"
+          # nothing required
+        end
+
+        validate_ttl!(action["ttl"], prefix) if action.key?("ttl")
+      end
+
+      def self.require_reason!(action, prefix)
+        reason = action["reason"]
+        return if reason.is_a?(String) && !reason.strip.empty?
+
+        raise ValidationError, <<~MSG
+          #{prefix}action.reason is required and must be a non-empty string
+          when using deny or require_approval.
+        MSG
+      end
+
+      def self.validate_ttl!(ttl, prefix)
+        case ttl
+        when Integer
+          return
+        when String
+          return if ttl.match?(/\A\d+[smhd]\z/)
+
+          raise ValidationError, <<~MSG
+            #{prefix}Invalid ttl format.
+
+            Expected examples:
+              - "30m"
+              - "1h"
+              - "2d"
+
+            Got:
+              ttl: #{ttl.inspect}
+          MSG
+        else
+          raise ValidationError, <<~MSG
+            #{prefix}ttl must be a string duration (e.g. "1h") or an integer (seconds).
+          MSG
+        end
+      end
+    end
+  end
+end

data/lib/vkit/policy/validation_error.rb

@@ -0,0 +1,5 @@
+module Vkit
+  module Policy
+    class ValidationError < StandardError; end
+  end
+end

data/lib/vkit/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Vkit
-  VERSION = "0.1.3"
+  VERSION = "1.0.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vaultkit
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 1.0.1
 platform: ruby
 authors:
 - Nnamdi Ogundu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-10 00:00:00.000000000 Z
+date: 2026-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -40,7 +40,11 @@ files:
 - lib/vkit/cli/api/client.rb
 - lib/vkit/cli/base_cli.rb
 - lib/vkit/cli/commands.rb
+- lib/vkit/cli/commands/agent_tokens_create_command.rb
+- lib/vkit/cli/commands/agent_tokens_list_command.rb
+- lib/vkit/cli/commands/agent_tokens_revoke_command.rb
 - lib/vkit/cli/commands/approval_command.rb
+- lib/vkit/cli/commands/approval_watch_command.rb
 - lib/vkit/cli/commands/base_command.rb
 - lib/vkit/cli/commands/datasource_command.rb
 - lib/vkit/cli/commands/fetch_command.rb
@@ -51,6 +55,7 @@ files:
 - lib/vkit/cli/commands/policy_validate_command.rb
 - lib/vkit/cli/commands/request_command.rb
 - lib/vkit/cli/commands/requests_list_command.rb
+- lib/vkit/cli/commands/reset_command.rb
 - lib/vkit/cli/commands/scan_command.rb
 - lib/vkit/cli/commands/whoami_command.rb
 - lib/vkit/cli/errors.rb
@@ -61,8 +66,10 @@ files:
 - lib/vkit/core/credential_store.rb
 - lib/vkit/core/table_formatter.rb
 - lib/vkit/policy/bundle_compiler.rb
+- lib/vkit/policy/policy_validator.rb
 - lib/vkit/policy/schema/policy_bundle.schema.json
 - lib/vkit/policy/validate_bundle.rb
+- lib/vkit/policy/validation_error.rb
 - lib/vkit/utils/banner.rb
 - lib/vkit/utils/config_loader.rb
 - lib/vkit/utils/logger.rb