@arbiterai/cli 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Jaiden Sy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,128 @@
+# @arbiterai/cli
+
+Official CLI for [Arbiter](https://arbiterai.dev) — the developer-first MCP gateway with agent identity, tool-level access control, secrets vault, and full observability.
+
+## Install
+
+```bash
+npm install -g @arbiterai/cli
+```
+
+Requires Node.js 18+.
+
+## Quickstart
+
+```bash
+# Authenticate via browser (device flow)
+arbiter login
+
+# Create an agent and save the API key
+arbiter agent create --name my-agent
+
+# Grant the agent access to a tool on an MCP server
+arbiter permissions grant --agent <agent-id> --server <server-name> --tool <tool-name>
+
+# Store a secret scoped to the agent
+arbiter vault set --agent <agent-id> --key OPENAI_API_KEY --value sk-...
+```
+
+## Command Reference
+
+### `arbiter login`
+
+Authenticate with Arbiter using the browser-based device flow. Opens a browser tab where you approve access, then stores the token locally at `~/.config/arbiter/config.json`.
+
+### `arbiter logout`
+
+Clear your local session. Does not revoke the token server-side.
+
+### `arbiter status [--json]`
+
+Show current auth state and gateway health.
+
+| Flag | Description |
+|------|-------------|
+| `--json` | Output raw JSON |
+
+### `arbiter agent create --name <name> [--json]`
+
+Create a new agent. Prints the agent ID and a one-time API key — save it immediately.
+
+| Flag | Description |
+|------|-------------|
+| `--name <name>` | Display name for the agent (required) |
+| `--json` | Output raw JSON |
+
+### `arbiter agent list [--json]`
+
+List all agents in your org.
+
+| Flag | Description |
+|------|-------------|
+| `--json` | Output raw JSON |
+
+### `arbiter agent delete <id>`
+
+Delete an agent by ID. Prompts for confirmation before proceeding.
+
+### `arbiter permissions grant --agent <id> --server <name> --tool <tool> [--json]`
+
+Grant a tool permission to an agent on a named MCP server. Use `*` as the tool name to allow all tools on that server.
+
+| Flag | Description |
+|------|-------------|
+| `--agent <id>` | Agent ID (required) |
+| `--server <name>` | MCP server name (required) |
+| `--tool <tool>` | Tool name, or `*` for all tools (required) |
+| `--json` | Output raw JSON |
+
+### `arbiter permissions list --agent <id> [--json]`
+
+List all permissions granted to an agent.
+
+| Flag | Description |
+|------|-------------|
+| `--agent <id>` | Agent ID (required) |
+| `--json` | Output raw JSON |
+
+### `arbiter vault set --agent <id> --key <key> --value <value> [--json]`
+
+Store a secret in the vault scoped to an agent. Key must match `[A-Za-z0-9_]+`.
+
+To avoid the secret appearing in shell history, use:
+
+```bash
+read -s VAL && arbiter vault set --agent <id> --key MY_KEY --value "$VAL"
+```
+
+| Flag | Description |
+|------|-------------|
+| `--agent <id>` | Agent ID to scope the secret to (required) |
+| `--key <key>` | Secret key name, e.g. `OPENAI_API_KEY` (required) |
+| `--value <value>` | Secret value (required) |
+| `--json` | Output raw JSON |
+
+## Auth
+
+Arbiter CLI uses the [OAuth 2.0 Device Authorization Grant](https://datatracker.ietf.org/doc/html/rfc8628) flow:
+
+1. `arbiter login` calls the Arbiter API to initiate a device flow and prints a short code.
+2. Your browser opens to `https://arbiterai.dev/cli-auth?code=<code>` where you approve access.
+3. The CLI polls for the token (every 3 seconds, up to 15 minutes).
+4. On success, the token and org ID are written to `~/.config/arbiter/config.json` (mode `0600`).
+
+To target a self-hosted or staging instance:
+
+```bash
+arbiter --api-url https://your-instance.example.com login
+```
+
+Or set the environment variable:
+
+```bash
+export ARBITER_API_URL=https://your-instance.example.com
+```
+
+## License
+
+AGPL-3.0-or-later

package/dist/index.js

@@ -0,0 +1,660 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// package.json
+var require_package = __commonJS({
+  "package.json"(exports2, module2) {
+    module2.exports = {
+      name: "@arbiterai/cli",
+      version: "0.1.0",
+      description: "Official CLI for Arbiter \u2014 the developer-first MCP gateway",
+      license: "MIT",
+      keywords: [
+        "mcp",
+        "ai",
+        "gateway",
+        "arbiter",
+        "cli"
+      ],
+      repository: {
+        type: "git",
+        url: "git+https://github.com/JaidenSy/arbiter-cli.git"
+      },
+      type: "commonjs",
+      bin: {
+        arbiter: "dist/index.js"
+      },
+      main: "./dist/index.js",
+      files: [
+        "dist"
+      ],
+      engines: {
+        node: ">=18.0.0"
+      },
+      scripts: {
+        build: "tsup",
+        dev: "tsup --watch",
+        lint: "eslint src --max-warnings 0",
+        "type-check": "tsc --noEmit",
+        prepublishOnly: "npm run build"
+      },
+      dependencies: {
+        axios: "^1.7.7",
+        chalk: "^5.3.0",
+        "cli-table3": "^0.6.5",
+        commander: "^12.1.0",
+        open: "^10.1.0",
+        ora: "^8.1.0"
+      },
+      devDependencies: {
+        "@eslint/js": "^9.13.0",
+        "@types/node": "^22.0.0",
+        eslint: "^9.13.0",
+        tsup: "^8.3.0",
+        typescript: "^5.6.3",
+        "typescript-eslint": "^8.57.2"
+      }
+    };
+  }
+});
+
+// src/index.ts
+var import_commander = require("commander");
+
+// src/lib/api.ts
+var import_axios = __toESM(require("axios"));
+
+// src/lib/config.ts
+var import_fs = __toESM(require("fs"));
+var import_os = __toESM(require("os"));
+var import_path = __toESM(require("path"));
+var DEFAULT_API_URL = "https://nexusai-api-production.up.railway.app";
+function getConfigDir() {
+  return import_path.default.join(import_os.default.homedir(), ".config", "arbiter");
+}
+function getConfigPath() {
+  return import_path.default.join(getConfigDir(), "config.json");
+}
+function getConfig() {
+  try {
+    const raw = import_fs.default.readFileSync(getConfigPath(), "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function setConfig(data) {
+  const dir = getConfigDir();
+  if (!import_fs.default.existsSync(dir)) {
+    import_fs.default.mkdirSync(dir, { recursive: true });
+  }
+  const existing = getConfig() ?? { api_url: resolveApiUrl(), access_token: "", org_id: "" };
+  const updated = { ...existing, ...data };
+  const filePath = getConfigPath();
+  import_fs.default.writeFileSync(filePath, JSON.stringify(updated, null, 2), "utf-8");
+  import_fs.default.chmodSync(filePath, 384);
+}
+function clearConfig() {
+  const filePath = getConfigPath();
+  if (import_fs.default.existsSync(filePath)) {
+    import_fs.default.unlinkSync(filePath);
+  }
+}
+function isLoggedIn() {
+  const cfg = getConfig();
+  return !!cfg?.access_token;
+}
+function requireAuth() {
+  const cfg = getConfig();
+  if (!cfg?.access_token) {
+    console.error("Not logged in. Run `arbiter login`.");
+    process.exit(1);
+  }
+  return cfg;
+}
+function resolveApiUrl() {
+  const envUrl = process.env["ARBITER_API_URL"];
+  if (envUrl) return envUrl;
+  const cfg = getConfig();
+  if (cfg?.api_url) return cfg.api_url;
+  return DEFAULT_API_URL;
+}
+
+// src/lib/api.ts
+var ApiError = class extends Error {
+  constructor(status, detail) {
+    super(detail);
+    this.status = status;
+    this.detail = detail;
+    this.name = "ApiError";
+  }
+  status;
+  detail;
+};
+function createClient() {
+  const client2 = import_axios.default.create({
+    baseURL: resolveApiUrl(),
+    headers: { "Content-Type": "application/json" }
+  });
+  client2.interceptors.request.use((config) => {
+    const cfg = getConfig();
+    if (cfg?.access_token) {
+      config.headers["Authorization"] = `Bearer ${cfg.access_token}`;
+    }
+    return config;
+  });
+  client2.interceptors.response.use(
+    (res) => res,
+    (err) => {
+      const status = err.response?.status ?? 0;
+      const detail = err.response?.data?.detail || err.message || "Unknown error";
+      if (status === 401) {
+        console.error("Session expired. Run `arbiter login`.");
+        process.exit(1);
+      }
+      throw new ApiError(status, detail);
+    }
+  );
+  return client2;
+}
+var _client = null;
+function client() {
+  if (!_client) {
+    _client = createClient();
+  }
+  return _client;
+}
+function resetClient() {
+  _client = null;
+}
+async function get(path2, params) {
+  const res = await client().get(path2, { params });
+  return res.data;
+}
+async function post(path2, body) {
+  const res = await client().post(path2, body);
+  return res.data;
+}
+async function del(path2) {
+  await client().delete(path2);
+}
+
+// src/lib/auth.ts
+var import_axios2 = __toESM(require("axios"));
+var import_ora = __toESM(require("ora"));
+var import_open = __toESM(require("open"));
+var POLL_INTERVAL_MS = 3e3;
+var MAX_POLL_MS = 15 * 60 * 1e3;
+async function deviceFlow() {
+  const baseUrl = resolveApiUrl();
+  const initRes = await import_axios2.default.post(
+    `${baseUrl}/api/v1/auth/cli/device`,
+    {},
+    { headers: { "Content-Type": "application/json" } }
+  );
+  const { device_code, user_code, verification_uri } = initRes.data;
+  const verificationUri = `${verification_uri}?code=${user_code}`;
+  console.log("");
+  console.log("  Open your browser to authorize:");
+  console.log("");
+  console.log(`  ${verificationUri}`);
+  console.log("");
+  console.log(`  Or visit the URL manually and enter code: ${user_code}`);
+  console.log("");
+  try {
+    await (0, import_open.default)(verificationUri);
+  } catch {
+  }
+  const spinner = (0, import_ora.default)("Waiting for authorization... (press Ctrl+C to cancel)").start();
+  const deadline = Date.now() + MAX_POLL_MS;
+  let networkErrorCount = 0;
+  while (Date.now() < deadline) {
+    await sleep(POLL_INTERVAL_MS);
+    try {
+      const pollRes = await import_axios2.default.post(
+        `${baseUrl}/api/v1/auth/cli/token`,
+        { device_code },
+        {
+          headers: { "Content-Type": "application/json" },
+          validateStatus: (s) => [200, 428, 410, 403].includes(s)
+        }
+      );
+      networkErrorCount = 0;
+      if (pollRes.status === 200) {
+        spinner.succeed("Authorization granted.");
+        const token = pollRes.data;
+        setConfig({
+          access_token: token.access_token,
+          org_id: token.org_id,
+          logged_in_at: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        return token;
+      }
+      if (pollRes.status === 428) {
+        continue;
+      }
+      if (pollRes.status === 410) {
+        spinner.fail("Authorization expired.");
+        console.error("Authorization expired. Run `arbiter login` again.");
+        process.exit(1);
+      }
+      if (pollRes.status === 403) {
+        spinner.fail("Authorization denied.");
+        console.error("Authorization denied.");
+        process.exit(1);
+      }
+    } catch {
+      networkErrorCount++;
+      if (networkErrorCount >= 3) {
+        spinner.fail("Network error.");
+        console.error("Could not reach Arbiter API. Check your connection.");
+        process.exit(1);
+      }
+    }
+  }
+  spinner.fail("Authorization timed out.");
+  console.error("Authorization timed out. Run `arbiter login` to try again.");
+  process.exit(1);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/lib/output.ts
+var import_chalk = __toESM(require("chalk"));
+var import_cli_table3 = __toESM(require("cli-table3"));
+function printTable(headers, rows) {
+  const table = new import_cli_table3.default({
+    head: headers.map((h) => import_chalk.default.bold.cyan(h)),
+    style: { border: ["grey"], head: [] }
+  });
+  for (const row of rows) {
+    table.push(row);
+  }
+  console.log(table.toString());
+}
+function printSuccess(msg) {
+  console.log(import_chalk.default.green("\u2713") + "  " + msg);
+}
+function printError(msg) {
+  console.error(import_chalk.default.red("\u2717") + "  " + msg);
+  process.exit(1);
+}
+function printWarning(msg) {
+  console.warn(import_chalk.default.yellow("\u26A0") + "  " + msg);
+}
+
+// src/commands/login.ts
+function registerLogin(program2) {
+  program2.command("login").description("Authenticate with Arbiter via browser").action(async () => {
+    await deviceFlow();
+    try {
+      const me = await get("/api/v1/auth/me");
+      setConfig({ user_email: me.email });
+      printSuccess(`Logged in as ${me.email} (org: ${me.org_id})`);
+    } catch {
+      printSuccess("Logged in successfully.");
+    }
+  });
+}
+
+// src/commands/logout.ts
+function registerLogout(program2) {
+  program2.command("logout").description("Clear your local Arbiter session").action(() => {
+    if (!isLoggedIn()) {
+      console.log("Not logged in.");
+      return;
+    }
+    clearConfig();
+    printSuccess("Logged out.");
+  });
+}
+
+// src/commands/status.ts
+var import_chalk2 = __toESM(require("chalk"));
+function registerStatus(program2) {
+  program2.command("status").description("Show current auth state and gateway health").option("--json", "Output raw JSON").action(async (opts) => {
+    const cfg = getConfig();
+    const apiUrl = resolveApiUrl();
+    if (!cfg?.access_token) {
+      if (opts.json) {
+        console.log(JSON.stringify({ logged_in: false, api_url: apiUrl }));
+      } else {
+        console.log("Not logged in. Run `arbiter login`.");
+      }
+      return;
+    }
+    let gatewayStatus = "unknown";
+    try {
+      const health = await get("/health");
+      gatewayStatus = health.status;
+    } catch {
+      gatewayStatus = "unreachable";
+    }
+    let me = null;
+    try {
+      me = await get("/api/v1/auth/me");
+    } catch {
+      console.error("Session expired. Run `arbiter login`.");
+      process.exit(1);
+    }
+    if (opts.json) {
+      console.log(
+        JSON.stringify({
+          logged_in: true,
+          email: me?.email ?? null,
+          org_id: me?.org_id ?? cfg.org_id,
+          api_url: apiUrl,
+          gateway_status: gatewayStatus
+        })
+      );
+      return;
+    }
+    console.log(import_chalk2.default.green("Logged in"));
+    console.log(`  Email:          ${me?.email ?? "(unknown)"}`);
+    console.log(`  Org ID:         ${me?.org_id ?? cfg.org_id}`);
+    console.log(`  Plan:           ${me?.org_plan ?? "(unknown)"}`);
+    console.log(`  API:            ${apiUrl}`);
+    console.log(`  Gateway status: ${gatewayStatus === "ok" ? import_chalk2.default.green(gatewayStatus) : import_chalk2.default.yellow(gatewayStatus)}`);
+  });
+}
+
+// src/commands/agent/create.ts
+var import_chalk3 = __toESM(require("chalk"));
+function registerAgentCreate(agentCmd) {
+  agentCmd.command("create").description("Create a new agent").requiredOption("--name <name>", "Display name for the agent").option("--json", "Output raw JSON").action(async (opts) => {
+    requireAuth();
+    let agent;
+    try {
+      agent = await post("/api/v1/agents", { name: opts.name });
+    } catch (err) {
+      if (err instanceof ApiError) {
+        if (err.status === 402) {
+          printError("Plan limit reached. Upgrade at https://arbiterai.dev/pricing");
+        }
+        if (err.status === 409) {
+          printError("An agent with that name already exists.");
+        }
+        printError(`API error: ${err.detail}`);
+      }
+      throw err;
+    }
+    if (opts.json) {
+      console.log(JSON.stringify(agent, null, 2));
+      return;
+    }
+    printSuccess("Agent created");
+    console.log(`  ID:   ${agent.id}`);
+    console.log(`  Name: ${agent.name}`);
+    console.log("");
+    console.log(
+      import_chalk3.default.yellow("\u26A0  Save this API key \u2014 it will not be shown again:")
+    );
+    console.log("");
+    console.log(`  ${import_chalk3.default.bold(agent.api_key ?? "(key not returned)")}`);
+    console.log("");
+  });
+}
+
+// src/commands/agent/list.ts
+function registerAgentList(agentCmd) {
+  agentCmd.command("list").description("List all agents in your org").option("--json", "Output raw JSON").action(async (opts) => {
+    requireAuth();
+    let page;
+    try {
+      page = await get("/api/v1/agents", { skip: 0, limit: 200 });
+    } catch (err) {
+      if (err instanceof ApiError) {
+        printError(err.message);
+      }
+      throw err;
+    }
+    if (opts.json) {
+      console.log(JSON.stringify(page, null, 2));
+      return;
+    }
+    if (page.items.length === 0) {
+      printTable(["ID", "Name", "Scope", "Created"], []);
+      console.log("No agents found. Create one with 'arbiter agent create --name <name>'.");
+      return;
+    }
+    const rows = page.items.map((a) => [
+      a.id,
+      a.name,
+      a.scope,
+      formatDate(a.created_at)
+    ]);
+    printTable(["ID", "Name", "Scope", "Created"], rows);
+  });
+}
+function formatDate(iso) {
+  const d = new Date(iso);
+  return d.toISOString().replace("T", " ").slice(0, 16);
+}
+
+// src/commands/agent/delete.ts
+var readline = __toESM(require("readline"));
+function registerAgentDelete(agentCmd) {
+  agentCmd.command("delete <id>").description("Delete an agent by ID").action(async (id) => {
+    requireAuth();
+    const confirmed = await confirm(`Delete agent ${id}? (y/N) `);
+    if (!confirmed) {
+      console.log("Aborted.");
+      return;
+    }
+    try {
+      await del(`/api/v1/agents/${id}`);
+    } catch (err) {
+      if (err instanceof ApiError) {
+        if (err.status === 404) {
+          printError("Agent not found.");
+        }
+        printError(`API error: ${err.detail}`);
+      }
+      throw err;
+    }
+    printSuccess(`Agent ${id} deleted.`);
+  });
+}
+function confirm(prompt) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    rl.question(prompt, (answer) => {
+      rl.close();
+      resolve(answer.toLowerCase() === "y");
+    });
+  });
+}
+
+// src/commands/agent/index.ts
+function registerAgentCommands(program2) {
+  const agentCmd = program2.command("agent").description("Manage agents in your org");
+  registerAgentCreate(agentCmd);
+  registerAgentList(agentCmd);
+  registerAgentDelete(agentCmd);
+}
+
+// src/commands/permissions/grant.ts
+function registerPermissionsGrant(permissionsCmd) {
+  permissionsCmd.command("grant").description("Grant a tool permission to an agent").requiredOption("--agent <id>", "Agent ID").requiredOption("--tool <tool>", "Tool name (e.g. read_file, or * for all tools)").requiredOption("--server <name>", "MCP server name").option("--json", "Output raw JSON").action(async (opts) => {
+    requireAuth();
+    const serverPage = await get("/api/v1/mcp-servers", { skip: 0, limit: 200 });
+    const server = serverPage.items.find(
+      (s) => s.name.toLowerCase() === opts.server.toLowerCase()
+    );
+    if (!server) {
+      printError(`MCP server '${opts.server}' not found. Verify the server name against your Arbiter dashboard.`);
+    }
+    let permission;
+    try {
+      permission = await post(`/api/v1/agents/${opts.agent}/permissions`, {
+        mcp_server_id: server.id,
+        tool_name: opts.tool
+      });
+    } catch (err) {
+      if (err instanceof ApiError) {
+        if (err.status === 404) {
+          printError("Agent or MCP server not found.");
+        }
+        if (err.status === 409) {
+          console.log("Permission already exists.");
+          process.exit(0);
+        }
+        printError(`API error: ${err.detail}`);
+      }
+      throw err;
+    }
+    if (opts.json) {
+      console.log(JSON.stringify(permission, null, 2));
+      return;
+    }
+    printSuccess(`Permission granted: ${opts.agent} \u2192 ${opts.server}/${opts.tool}`);
+  });
+}
+
+// src/commands/permissions/list.ts
+function registerPermissionsList(permissionsCmd) {
+  permissionsCmd.command("list").description("List permissions for an agent").requiredOption("--agent <id>", "Agent ID").option("--json", "Output raw JSON").action(async (opts) => {
+    requireAuth();
+    let page;
+    try {
+      page = await get(`/api/v1/agents/${opts.agent}/permissions`);
+    } catch (err) {
+      if (err instanceof ApiError) {
+        if (err.status === 404) {
+          printError("Agent not found.");
+        }
+        printError(`API error: ${err.detail}`);
+      }
+      throw err;
+    }
+    if (opts.json) {
+      console.log(JSON.stringify(page, null, 2));
+      return;
+    }
+    if (page.items.length === 0) {
+      printTable(["Tool", "Server ID", "Granted At"], []);
+      console.log("No permissions granted for this agent.");
+      return;
+    }
+    const rows = page.items.map((p) => [
+      p.tool_name,
+      p.mcp_server_id,
+      formatDate2(p.granted_at)
+    ]);
+    printTable(["Tool", "Server ID", "Granted At"], rows);
+  });
+}
+function formatDate2(iso) {
+  const d = new Date(iso);
+  return d.toISOString().replace("T", " ").slice(0, 16);
+}
+
+// src/commands/permissions/index.ts
+function registerPermissionsCommands(program2) {
+  const permissionsCmd = program2.command("permissions").description("Manage agent tool permissions");
+  registerPermissionsGrant(permissionsCmd);
+  registerPermissionsList(permissionsCmd);
+}
+
+// src/commands/vault/set.ts
+var SECRET_NAME_RE = /^[A-Za-z0-9_]+$/;
+function registerVaultSet(vaultCmd) {
+  vaultCmd.command("set").description("Store a secret in the vault").requiredOption("--agent <id>", "Agent ID to scope the secret to").requiredOption("--key <key>", "Secret key name (e.g. OPENAI_API_KEY)").requiredOption("--value <value>", "Secret value").option("--json", "Output raw JSON").action(async (opts) => {
+    requireAuth();
+    if (!SECRET_NAME_RE.test(opts.key)) {
+      printError(
+        "Secret key must contain only letters, numbers, and underscores (A-Za-z0-9_)."
+      );
+    }
+    if (process.stdout.isTTY) {
+      printWarning(
+        "Secret value provided via --value flag will appear in shell history."
+      );
+      console.warn(
+        `   Consider using: read -s VAL && arbiter vault set --agent ${opts.agent} --key ${opts.key} --value "$VAL"`
+      );
+      console.warn("");
+    }
+    let secret;
+    try {
+      secret = await post("/api/v1/vault/secrets", {
+        name: opts.key,
+        value: opts.value,
+        agent_id: opts.agent
+      });
+    } catch (err) {
+      if (err instanceof ApiError) {
+        if (err.status === 404) {
+          printError("Agent not found.");
+        }
+        if (err.status === 402) {
+          printError("Plan limit reached. Upgrade at https://arbiterai.dev/pricing");
+        }
+        printError(`API error: ${err.detail}`);
+      }
+      throw err;
+    }
+    if (opts.json) {
+      console.log(JSON.stringify(secret, null, 2));
+      return;
+    }
+    printSuccess(`Secret '${opts.key}' set for agent ${opts.agent}.`);
+  });
+}
+
+// src/commands/vault/index.ts
+function registerVaultCommands(program2) {
+  const vaultCmd = program2.command("vault").description("Manage secrets in the vault");
+  registerVaultSet(vaultCmd);
+}
+
+// src/index.ts
+var pkg = require_package();
+var program = new import_commander.Command();
+program.name("arbiter").description("Arbiter CLI \u2014 manage your MCP gateway from the terminal").version(pkg.version, "-v, --version").option("--api-url <url>", "Override API base URL", (url) => {
+  process.env["ARBITER_API_URL"] = url;
+  resetClient();
+});
+registerLogin(program);
+registerLogout(program);
+registerStatus(program);
+registerAgentCommands(program);
+registerPermissionsCommands(program);
+registerVaultCommands(program);
+program.parseAsync(process.argv).catch((err) => {
+  if (err instanceof Error) {
+    console.error(err.message);
+  } else {
+    console.error("An unexpected error occurred.");
+  }
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@arbiterai/cli",
+  "version": "0.1.0",
+  "description": "Official CLI for Arbiter — the developer-first MCP gateway",
+  "license": "MIT",
+  "keywords": [
+    "mcp",
+    "ai",
+    "gateway",
+    "arbiter",
+    "cli"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/JaidenSy/arbiter-cli.git"
+  },
+  "type": "commonjs",
+  "bin": {
+    "arbiter": "dist/index.js"
+  },
+  "main": "./dist/index.js",
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "lint": "eslint src --max-warnings 0",
+    "type-check": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "axios": "^1.7.7",
+    "chalk": "^5.3.0",
+    "cli-table3": "^0.6.5",
+    "commander": "^12.1.0",
+    "open": "^10.1.0",
+    "ora": "^8.1.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.13.0",
+    "@types/node": "^22.0.0",
+    "eslint": "^9.13.0",
+    "tsup": "^8.3.0",
+    "typescript": "^5.6.3",
+    "typescript-eslint": "^8.57.2"
+  }
+}