vaultkit 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4b12d7696d6e2ec91bdf7843bd8648a1c9f0fdce6c59a6c4cbc902b3e4739c8
-  data.tar.gz: 7ae893269eb4075c797294585af9f28ad5da121f892b11e7d2e12ea8f625e956
+  metadata.gz: 5a8fc789ba6238e633e0638eb06e2bae78b32343dbbbee1c7467bae701a2b38d
+  data.tar.gz: a43f1ae331cf39178d22a9f44ca423f3c45dfea81d2265905219432a8f9eca01
 SHA512:
-  metadata.gz: 48fc209dc487ee6649012b5d59da82946b37339cf4d3e1875d34c98146e07c79b93147ea510b98674736b6baf81c422a317f699c287103d0fe354e9191aadfb0
-  data.tar.gz: 62970b31c4cc95ab323e8f2868e41c4214905e680b427a9fe2475621d3e705b0d690c1ad44c113abd5d0b4186398322485b617cca332376c66abdeaacf0d4f6d
+  metadata.gz: 109100e282f4c59e53017492db1a440f6c86d3b6045dce06deb32a2a75c57bcfe908acd28fc94f6e8666382a953c54d4e82d528b59792bc72338d78c90ee3a3c
+  data.tar.gz: 1945666c96230884896912a8a6d970eabe743fb412894c17251573dd107aa64cb20ea1997e231bb874eb06b4154821b73adec83827cd1cd899138a08ec8c22e3

data/lib/vkit/cli/base_cli.rb

@@ -36,6 +36,18 @@ module Vkit
         Commands::ResetCommand.new.call
       end
 
+      desc "init", "Initialize a new VaultKit project"
+      option :dir, type: :string, default: ".", desc: "Target directory"
+      option :with, type: :string, desc: "Comma-separated policy packs to install (e.g. starter,ai_safety)"
+      def init
+        packs = options[:with]&.split(",")&.map(&:strip)
+
+        Commands::InitCommand.new.call(
+          dir: options[:dir],
+          packs: packs
+        )
+      end
+
       # REQUEST
       desc "request", "Send an inline JSON AQL request (use --aql or pipe via STDIN)"
       option :aql, type: :string, desc: "AQL JSON payload (inline)"
@@ -101,6 +113,18 @@ module Vkit
         )
       end
 
+      desc "grant:revoke", "Revoke a grant"
+      option :grant, type: :string, required: true
+      option :reason, type: :string
+      option :force, type: :boolean, default: false
+      define_method("grant:revoke") do
+        Commands::GrantRevokeCommand.new.call(
+          grant_ref: options[:grant],
+          reason: options[:reason],
+          force: options[:force]
+        )
+      end
+
       # DATASOURCE
       desc "datasource SUBCOMMAND ...ARGS", "Manage datasources (admin only)"
       subcommand "datasource", Class.new(Thor) {
@@ -186,6 +210,73 @@ module Vkit
             activate: options[:activate]
           )
         end
+
+        desc "revoke", "Revoke a policy bundle version"
+        option :bundle_version, type: :string, required: true
+        option :reason, type: :string
+        option :force, type: :boolean, default: false
+
+        def revoke
+          Commands::PolicyRevokeCommand.new.call(
+            bundle_version: options[:bundle_version],
+            reason: options[:reason],
+            force: options[:force]
+          )
+        end
+
+        desc "pack SUBCOMMAND ...ARGS", "Manage policy packs"
+        subcommand "pack", Class.new(Thor) {
+
+          desc "list", "List policy packs"
+          option :dir, type: :string, default: "."
+          def list
+            Commands::PolicyPackListCommand.new.call(
+              dir: options[:dir]
+            )
+          end
+
+          desc "add NAME", "Install a policy pack"
+          option :dir, type: :string, default: "."
+          option :force, type: :boolean, default: false
+          def add(name)
+            Commands::PolicyPackAddCommand.new.call(
+              pack_name: name,
+              dir: options[:dir],
+              force: options[:force]
+            )
+          end
+
+          desc "remove NAME", "Remove an installed policy pack"
+          option :dir, type: :string, default: "."
+          option :force, type: :boolean, default: false
+          def remove(name)
+            Commands::PolicyPackRemoveCommand.new.call(
+              pack_name: name,
+              dir: options[:dir],
+              force: options[:force]
+            )
+          end
+
+          desc "info NAME", "Show information about a policy pack"
+          option :dir, type: :string, default: "."
+          def info(name)
+            Commands::PolicyPackInfoCommand.new.call(
+              pack_name: name,
+              dir: options[:dir]
+            )
+          end
+
+          desc "upgrade [NAME]", "Upgrade installed policy packs (all if NAME omitted)"
+          option :dir, type: :string, default: "."
+          option :force, type: :boolean, default: false
+          def upgrade(name = nil)
+            Commands::PolicyPackUpgradeCommand.new.call(
+              pack_name: name,
+              dir: options[:dir],
+              force: options[:force]
+            )
+          end
+        }
       }
 
       desc "agents SUBCOMMAND ...ARGS", "Manage agents and automation identities"

data/lib/vkit/cli/commands/grant_revoke_command.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Vkit
+  module CLI
+    module Commands
+      class GrantRevokeCommand < BaseCommand
+        def call(grant_ref:, reason:, force:)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            raise "Not authenticated. Please login." if org.nil? || org.empty?
+
+            unless force
+              puts "⚠️  You are about to revoke grant: #{grant_ref}"
+              puts "   Organization: #{org}"
+              puts "   Reason: #{reason || 'Grant revoked via CLI'}"
+              print "Continue? (y/N): "
+              answer = STDIN.gets.strip
+              return puts("Aborted.") unless answer.downcase == "y"
+            end
+
+            response =
+              authenticated_client.post(
+                "/api/v1/orgs/#{org}/grants/#{grant_ref}/revoke",
+                body: {
+                  reason: reason
+                }
+              )
+
+            puts "✅ Grant revoked"
+            puts "   Grant:   #{grant_ref}"
+            puts "   Revoked: #{response["revoked_at"]}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/init_command.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require_relative "base_command"
+require_relative "../policy_pack/manager"
+
+module Vkit
+  module CLI
+    module Commands
+      class InitCommand < BaseCommand
+        def call(dir:, packs:)
+          dir = File.expand_path(dir)
+          FileUtils.mkdir_p(dir)
+
+          create_structure(dir)
+
+          manager = Vkit::CLI::PolicyPack::Manager.new(
+            project_root: dir
+          )
+
+          total_policies = 0
+          installed = []
+
+          # Default secure behavior
+          if packs.nil? || packs.empty?
+            puts "\nℹ️  No packs specified. Installing 'starter' for secure defaults."
+            packs = ["starter"]
+          end
+
+          packs.each do |pack_name|
+            count = manager.install_with_deps!(pack_name)
+            total_policies += count
+            installed << pack_name
+
+            metadata = manager.pack_metadata(pack_name)
+            puts "✓ Installed #{pack_name} pack (v#{metadata['version']}) - #{count} policies"
+          end
+
+          puts "\n✅ VaultKit project initialized"
+          puts "   Location: #{dir}"
+          puts "   Packs:    #{installed.join(', ')}"
+          puts "   Policies: #{total_policies} total"
+
+          puts "\nNext steps:"
+          puts "  1. Review policies in config/policies/"
+          puts "  2. Run: vkit scan <datasource> --apply"
+          puts "  3. Run: vkit policy bundle"
+          puts "  4. Run: vkit policy deploy"
+
+        rescue StandardError => e
+          puts "❌ Error: #{e.message}"
+          exit 1
+        end
+
+        private
+
+        def create_structure(dir)
+          FileUtils.mkdir_p(File.join(dir, "config", "policies"))
+          FileUtils.mkdir_p(File.join(dir, "datasets"))
+          FileUtils.mkdir_p(File.join(dir, "dist"))
+          FileUtils.mkdir_p(File.join(dir, ".vkit"))
+
+          registry_path = File.join(dir, "datasets", "registry.yaml")
+          unless File.exist?(registry_path)
+            File.write(
+              registry_path,
+              "# Dataset registry\n# Populate with: vkit scan <datasource> --apply\n"
+            )
+          end
+
+          gitignore_path = File.join(dir, ".gitignore")
+          unless File.exist?(gitignore_path)
+            File.write(
+              gitignore_path,
+              "dist/\n.vkit/\n"
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_pack_add_command.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative "base_command"
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyPackAddCommand < BaseCommand
+        def call(pack_name:, dir:, force: false)
+          ensure_project!(dir)
+
+          manager = Vkit::CLI::PolicyPack::Manager.new(
+            project_root: dir
+          )
+
+          count = manager.install!(pack_name, force: force)
+          meta  = manager.pack_metadata(pack_name)
+
+          puts "✅ Installed #{pack_name}"
+          puts "   Version:  v#{meta['version']}"
+          puts "   Policies: #{count} added"
+          puts "\nRun 'vkit policy bundle' to compile."
+        rescue StandardError => e
+          puts "❌ Error: #{e.message}"
+          exit 1
+        end
+
+        private
+
+        def ensure_project!(dir)
+          dir = File.expand_path(dir)
+          raise "Directory does not exist: #{dir}" unless Dir.exist?(dir)
+          raise "Not a VaultKit project (missing .vkit/)" unless Dir.exist?(File.join(dir, ".vkit"))
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_pack_info_command.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require_relative "base_command"
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyPackInfoCommand < BaseCommand
+        def call(pack_name:, dir:)
+          manager = Vkit::CLI::PolicyPack::Manager.new(
+            project_root: dir
+          )
+
+          meta = manager.pack_metadata(pack_name)
+
+          puts "\nPolicy Pack: #{meta['name']}"
+          puts "Version:     v#{meta['version']}"
+          puts "Layer:       #{meta['layer'] || 'n/a'}"
+
+          deps = Array(meta["dependencies"])
+          puts "Dependencies: #{deps.empty? ? 'none' : deps.join(', ')}"
+
+          band = meta["priority_band"]
+          if band
+            puts "Priority Band: #{band['min']} – #{band['max']}"
+          end
+
+          puts "\nPolicies Included:"
+          policies = manager.send(:read_pack!, pack_name).last
+          policies.each do |p|
+            puts "  - #{p['id']}"
+          end
+
+          if manager.installed?(pack_name)
+            entry = manager.installed_packs[pack_name]
+            puts "\nInstalled: yes (v#{entry['version']})"
+          else
+            puts "\nInstalled: no"
+          end
+        rescue StandardError => e
+          puts "❌ Error: #{e.message}"
+          exit 1
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_pack_list_command.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require_relative "base_command"
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyPackListCommand < BaseCommand
+        def call(dir:)
+          manager = Vkit::CLI::PolicyPack::Manager.new(
+            project_root: dir
+          )
+
+          packs = manager.list_status
+
+          if packs.empty?
+            puts "No policy packs available."
+            return
+          end
+
+          puts "Available policy packs:\n\n"
+
+          packs.each do |p|
+            name = p["name"]
+            shipped = p["shipped_version"]
+            installed = p["installed"]
+            installed_version = p["installed_version"]
+            drift = p["drift"]
+
+            if installed
+              if drift
+                puts "⚠ #{name} (installed v#{installed_version}, available v#{shipped})"
+              else
+                puts "✓ #{name} v#{installed_version}"
+              end
+            else
+              puts "  #{name} (not installed)"
+            end
+          end
+        rescue StandardError => e
+          puts "❌ Error: #{e.message}"
+          exit 1
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_pack_remove_command.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "base_command"
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyPackRemoveCommand < BaseCommand
+        def call(pack_name:, dir:, force: false)
+          ensure_project!(dir)
+
+          manager = Vkit::CLI::PolicyPack::Manager.new(
+            project_root: dir
+          )
+
+          removed = manager.remove!(pack_name, force: force)
+
+          puts "✅ Removed #{pack_name}"
+          puts "   Files deleted: #{removed}"
+          puts "\nRun 'vkit policy bundle' to recompile."
+        rescue StandardError => e
+          puts "❌ Error: #{e.message}"
+          exit 1
+        end
+
+        private
+
+        def ensure_project!(dir)
+          dir = File.expand_path(dir)
+          raise "Directory does not exist: #{dir}" unless Dir.exist?(dir)
+          raise "Not a VaultKit project (missing .vkit/)" unless Dir.exist?(File.join(dir, ".vkit"))
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_pack_upgrade_command.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require_relative "base_command"
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyPackUpgradeCommand < BaseCommand
+        def call(pack_name:, dir:, force: false)
+          ensure_project!(dir)
+
+          manager = Vkit::CLI::PolicyPack::Manager.new(
+            project_root: dir
+          )
+
+          results =
+            if pack_name
+              [upgrade_single(manager, pack_name, force)]
+            else
+              manager.upgrade_all!(force: force)
+            end
+
+          print_summary(results)
+
+          puts "\nRun 'vkit policy bundle' to recompile."
+        rescue StandardError => e
+          puts "❌ Error: #{e.message}"
+          exit 1
+        end
+
+        private
+
+        def upgrade_single(manager, pack, force)
+          result = manager.upgrade!(pack, force: force)
+
+          if result == :up_to_date
+            { name: pack, status: :up_to_date }
+          else
+            {
+              name: pack,
+              status: :upgraded,
+              old: result[:old_version],
+              new: result[:new_version],
+              policies: result[:policies]
+            }
+          end
+        rescue => e
+          { name: pack, status: :failed, error: e.message }
+        end
+
+        def print_summary(results)
+          return if results.empty?
+
+          puts "\nPolicy Pack Upgrade Summary\n"
+
+          results.each do |r|
+            case r[:status]
+            when :up_to_date
+              puts "✓ #{r[:name]} is already up to date"
+
+            when :upgraded
+              puts "✅ #{r[:name]}"
+              puts "   From: v#{r[:old]}"
+              puts "   To:   v#{r[:new]}"
+              puts "   Policies updated: #{r[:policies]}"
+
+            when :failed
+              puts "❌ #{r[:name]}: #{r[:error]}"
+            end
+          end
+        end
+
+        def ensure_project!(dir)
+          dir = File.expand_path(dir)
+          raise "Directory does not exist: #{dir}" unless Dir.exist?(dir)
+          raise "Not a VaultKit project (missing .vkit/)" unless Dir.exist?(File.join(dir, ".vkit"))
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/policy_revoke_command.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Vkit
+  module CLI
+    module Commands
+      class PolicyRevokeCommand < BaseCommand
+        def call(bundle_version:, reason:, force:)
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            raise "Not authenticated. Please login." if org.nil? || org.empty?
+
+            unless force
+              puts "⚠️  You are about to revoke policy bundle version: #{bundle_version}"
+              puts "   Organization: #{org}"
+              puts "   Reason: #{reason || 'Bundle revoked via CLI'}"
+              print "Continue? (y/N): "
+              answer = STDIN.gets.strip
+              return puts("Aborted.") unless answer.downcase == "y"
+            end
+
+            response =
+              authenticated_client.post(
+                "/api/v1/orgs/#{org}/policy_bundles/#{bundle_version}/revoke",
+                body: {
+                  reason: reason
+                }
+              )
+
+            puts "✅ Policy bundle revoked"
+            puts "   Version:  #{response["bundle_version"]}"
+            puts "   Checksum: #{response["checksum"]}"
+            puts "   Revoked:  #{response["revoked_at"]}"
+          end
+        end
+      end
+    end
+  end
+end