@behalfid/cli 0.1.0

package/dist/commands/agents.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function agentsCommand(): Command;

package/dist/commands/agents.js

@@ -0,0 +1,159 @@
+import { Command } from "commander";
+import { apiRequest, resolveBaseUrl } from "../lib/client.js";
+import { isJsonMode, printJson, printKv, printSuccess, printTable, runAction } from "../lib/output.js";
+import { patchConfig, readSession } from "../lib/config.js";
+function requireSession() {
+    if (!readSession()) {
+        throw new Error("This command requires you to be logged in. Run `behalf login`.");
+    }
+}
+export function agentsCommand() {
+    const cmd = new Command("agents").description("manage agents");
+    cmd
+        .command("list")
+        .description("list all agents in your account")
+        .action(runAction(async () => {
+        requireSession();
+        const baseUrl = resolveBaseUrl();
+        const data = await apiRequest("/api/dashboard/agents", { baseUrl });
+        if (isJsonMode()) {
+            printJson(data);
+            return;
+        }
+        if (!data.agents.length) {
+            console.log("No agents yet. Run `behalf agents create --name <name>` to create one.");
+            return;
+        }
+        printTable(data.agents.map(a => ({
+            agentId: a.agentId,
+            name: a.name,
+            status: a.status,
+            type: a.agentType ?? "native",
+            provider: a.provider ?? "",
+            created: a.createdAt.slice(0, 10),
+        })));
+    }));
+    cmd
+        .command("create")
+        .description("create a new agent")
+        .requiredOption("-n, --name <name>", "agent name")
+        .option("--type <type>", "agent type: native or connected (default: native)")
+        .option("--provider <provider>", "provider (for connected agents): ollie, chatgpt, claude, etc.")
+        .option("--description <desc>", "agent description")
+        .option("--external-id <id>", "external agent ID (for connected agents)")
+        .option("--external-label <label>", "external agent label (for connected agents)")
+        .option("--save", "save the new agent ID and API key to ~/.behalf/config.json")
+        .action(runAction(async (opts) => {
+        requireSession();
+        const baseUrl = resolveBaseUrl();
+        const body = { name: opts.name };
+        if (opts.type)
+            body.agentType = opts.type;
+        if (opts.provider)
+            body.provider = opts.provider;
+        if (opts.description)
+            body.description = opts.description;
+        if (opts.externalId)
+            body.externalAgentId = opts.externalId;
+        if (opts.externalLabel)
+            body.externalAgentLabel = opts.externalLabel;
+        const data = await apiRequest("/api/dashboard/agents", { method: "POST", body, baseUrl });
+        if (opts.save) {
+            patchConfig({ agentId: data.agent.agentId, apiKey: data.apiKey });
+        }
+        if (isJsonMode()) {
+            printJson(data);
+            return;
+        }
+        console.log(`\nAgent created: ${data.agent.agentId}`);
+        console.log(`\nAPI Key (shown once — save it now):\n`);
+        console.log(`  ${data.apiKey}\n`);
+        if (opts.save) {
+            console.log(`Saved agent ID and API key to config.`);
+        }
+        else {
+            console.log(`To save to config, run:`);
+            console.log(`  behalf config set agent-id ${data.agent.agentId}`);
+            console.log(`  behalf config set api-key  ${data.apiKey}`);
+        }
+    }));
+    cmd
+        .command("show <agentId>")
+        .description("show agent details and permissions")
+        .action(runAction(async (agentId) => {
+        requireSession();
+        const baseUrl = resolveBaseUrl();
+        const data = await apiRequest(`/api/dashboard/agents/${encodeURIComponent(agentId)}`, { baseUrl });
+        if (isJsonMode()) {
+            printJson(data);
+            return;
+        }
+        const a = data.agent;
+        printKv({
+            agentId: a.agentId,
+            name: a.name,
+            status: a.status,
+            type: a.agentType ?? "native",
+            provider: a.provider ?? "",
+            description: a.description ?? "",
+            "last used": a.lastUsedAt ?? "never",
+            created: a.createdAt,
+        });
+        if (Array.isArray(data.permissions) && data.permissions.length) {
+            console.log("\nPermissions:");
+            printTable(data.permissions.map(p => ({
+                permissionId: String(p.permissionId ?? ""),
+                action: String(p.action ?? ""),
+                resource: String(p.resource ?? ""),
+                status: String(p.status ?? ""),
+                expires: p.expiresAt ? String(p.expiresAt).slice(0, 10) : "never",
+            })));
+        }
+        else {
+            console.log("\nNo permissions.");
+        }
+    }));
+    cmd
+        .command("disable <agentId>")
+        .description("disable an agent")
+        .action(runAction(async (agentId) => {
+        requireSession();
+        const baseUrl = resolveBaseUrl();
+        await apiRequest(`/api/dashboard/agents/${encodeURIComponent(agentId)}/disable`, { method: "POST", baseUrl });
+        if (isJsonMode())
+            printJson({ disabled: true, agentId });
+        else
+            printSuccess(`Agent ${agentId} disabled.`);
+    }));
+    cmd
+        .command("enable <agentId>")
+        .description("enable a disabled agent")
+        .action(runAction(async (agentId) => {
+        requireSession();
+        const baseUrl = resolveBaseUrl();
+        await apiRequest(`/api/dashboard/agents/${encodeURIComponent(agentId)}/enable`, { method: "POST", baseUrl });
+        if (isJsonMode())
+            printJson({ enabled: true, agentId });
+        else
+            printSuccess(`Agent ${agentId} enabled.`);
+    }));
+    cmd
+        .command("rotate-key <agentId>")
+        .description("rotate an agent's API key")
+        .option("-k, --api-key <key>", "current agent API key (overrides config)")
+        .action(runAction(async (agentId, opts) => {
+        const baseUrl = resolveBaseUrl();
+        const session = readSession();
+        const data = await apiRequest(session
+            ? `/api/dashboard/agents/${encodeURIComponent(agentId)}/rotate-key`
+            : `/api/agents/${encodeURIComponent(agentId)}/rotate-key`, { method: "POST", apiKey: opts.apiKey, baseUrl });
+        if (isJsonMode()) {
+            printJson(data);
+            return;
+        }
+        console.log(`\nNew API Key for ${agentId} (shown once — save it now):\n`);
+        console.log(`  ${data.apiKey}\n`);
+        console.log(`Run: behalf config set api-key ${data.apiKey}`);
+    }));
+    return cmd;
+}

package/dist/commands/config.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function configCommand(): Command;

package/dist/commands/config.js

@@ -0,0 +1,67 @@
+import { Command } from "commander";
+import { CONFIG_FILE_PATH, patchConfig, readConfig, writeConfig } from "../lib/config.js";
+import { isJsonMode, printJson, printTable, runAction } from "../lib/output.js";
+const VALID_KEYS = ["api-key", "agent-id", "base-url"];
+const KEY_MAP = {
+    "api-key": "apiKey",
+    "agent-id": "agentId",
+    "base-url": "baseUrl",
+};
+function assertKey(key) {
+    if (!VALID_KEYS.includes(key)) {
+        throw new Error(`Unknown key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
+    }
+    return key;
+}
+export function configCommand() {
+    const cmd = new Command("config").description("manage local CLI config");
+    cmd
+        .command("set <key> <value>")
+        .description("set a config value (keys: api-key, agent-id, base-url)")
+        .action(runAction(async (key, value) => {
+        const k = assertKey(key);
+        patchConfig({ [KEY_MAP[k]]: value });
+        if (!isJsonMode())
+            console.log(`Set ${key}.`);
+        else
+            printJson({ key, value });
+    }));
+    cmd
+        .command("get <key>")
+        .description("get a config value")
+        .action(runAction(async (key) => {
+        const k = assertKey(key);
+        const val = readConfig()[KEY_MAP[k]];
+        if (isJsonMode())
+            printJson({ [key]: val ?? null });
+        else
+            console.log(val ?? "(not set)");
+    }));
+    cmd
+        .command("list")
+        .description("list all config values")
+        .action(runAction(async () => {
+        const cfg = readConfig();
+        const rows = {
+            "api-key": cfg.apiKey ? `${cfg.apiKey.slice(0, 15)}…` : "(not set)",
+            "agent-id": cfg.agentId ?? "(not set)",
+            "base-url": cfg.baseUrl ?? "(not set)",
+            "config file": CONFIG_FILE_PATH,
+        };
+        if (isJsonMode())
+            printJson(rows);
+        else
+            printTable([rows]);
+    }));
+    cmd
+        .command("clear")
+        .description("clear all config values")
+        .action(runAction(async () => {
+        writeConfig({});
+        if (!isJsonMode())
+            console.log("Config cleared.");
+        else
+            printJson({ cleared: true });
+    }));
+    return cmd;
+}

package/dist/commands/health.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function healthCommand(): Command;

package/dist/commands/health.js

@@ -0,0 +1,25 @@
+import { Command } from "commander";
+import { apiRequest, resolveBaseUrl } from "../lib/client.js";
+import { isJsonMode, printJson, printKv, runAction } from "../lib/output.js";
+export function healthCommand() {
+    return new Command("health")
+        .description("check API health")
+        .option("--db", "also check database connectivity (requires setup token or console auth)")
+        .action(runAction(async (opts) => {
+        const baseUrl = resolveBaseUrl();
+        const data = await apiRequest("/api/health", { baseUrl });
+        if (opts.db) {
+            const dbData = await apiRequest("/api/health/db", { baseUrl });
+            const merged = { ...data, ...dbData };
+            if (isJsonMode())
+                printJson(merged);
+            else
+                printKv(merged);
+            return;
+        }
+        if (isJsonMode())
+            printJson(data);
+        else
+            printKv(data);
+    }));
+}

package/dist/commands/init.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function initCommand(): Command;

package/dist/commands/init.js

@@ -0,0 +1,71 @@
+import { Command } from "commander";
+import { patchConfig, readConfig, readSession, writeSession } from "../lib/config.js";
+import { DEFAULT_BASE_URL, originOf } from "../lib/client.js";
+import { ask, askPassword } from "../lib/prompt.js";
+import { runAction } from "../lib/output.js";
+export function initCommand() {
+    return new Command("init")
+        .description("interactive setup wizard")
+        .action(runAction(async function () {
+        const config = readConfig();
+        const hasSession = !!readSession();
+        console.log("\nWelcome to BehalfID CLI\n");
+        if (config.baseUrl || config.apiKey || hasSession) {
+            console.log("Current config:");
+            if (config.baseUrl)
+                console.log(`  base url: ${config.baseUrl}`);
+            if (config.apiKey)
+                console.log(`  api key:  ${config.apiKey.slice(0, 15)}…`);
+            if (hasSession)
+                console.log(`  session:  active`);
+            console.log("");
+        }
+        // Base URL
+        const baseUrlInput = await ask("Base URL", config.baseUrl ?? DEFAULT_BASE_URL);
+        const baseUrl = baseUrlInput.replace(/\/+$/, "");
+        if (baseUrl !== config.baseUrl)
+            patchConfig({ baseUrl });
+        // Auth
+        console.log("\nHow would you like to authenticate?");
+        console.log("  1. Log in with email and password");
+        console.log("  2. Enter an agent API key");
+        console.log("  3. Skip");
+        const choice = await ask("Choice", "1");
+        if (choice === "1") {
+            const email = await ask("Email");
+            const password = await askPassword("Password");
+            const response = await fetch(`${baseUrl}/api/auth/login`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    Accept: "application/json",
+                    Origin: originOf(baseUrl),
+                },
+                body: JSON.stringify({ email, password }),
+            });
+            const setCookie = response.headers.get("set-cookie");
+            const match = setCookie?.match(/behalfid_developer=([^;]+)/);
+            const sessionCookie = match ? `behalfid_developer=${match[1]}` : null;
+            const body = (await response.json().catch(() => null));
+            if (!response.ok || !sessionCookie) {
+                const msg = typeof body === "object" &&
+                    body !== null &&
+                    "error" in body &&
+                    typeof body.error === "string"
+                    ? body.error
+                    : "Login failed.";
+                throw new Error(msg);
+            }
+            writeSession(sessionCookie);
+            console.log(`\nLogged in as ${body?.user.email}.`);
+        }
+        else if (choice === "2") {
+            const apiKey = await ask("Agent API key (bhf_sk_...)");
+            if (apiKey) {
+                patchConfig({ apiKey });
+                console.log("API key saved.");
+            }
+        }
+        console.log("\nSetup complete. Run `behalf --help` to see available commands.\n");
+    }));
+}

package/dist/commands/login.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function loginCommand(): Command;

package/dist/commands/login.js

@@ -0,0 +1,45 @@
+import { Command } from "commander";
+import { readSession, writeSession } from "../lib/config.js";
+import { originOf, resolveBaseUrl } from "../lib/client.js";
+import { isJsonMode, printJson, printSuccess, runAction } from "../lib/output.js";
+import { ask, askPassword, confirm } from "../lib/prompt.js";
+export function loginCommand() {
+    return new Command("login")
+        .description("log in to your BehalfID developer account")
+        .option("-e, --email <email>", "developer account email")
+        .option("-p, --password <password>", "developer account password")
+        .action(runAction(async (opts) => {
+        if (readSession()) {
+            const ok = await confirm("You are already logged in. Log in again?");
+            if (!ok)
+                return;
+        }
+        const baseUrl = resolveBaseUrl();
+        const email = opts.email ?? (await ask("Email"));
+        const password = opts.password ?? (await askPassword("Password"));
+        if (!email || !password)
+            throw new Error("Email and password are required.");
+        const response = await fetch(`${baseUrl}/api/auth/login`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json", Accept: "application/json", Origin: originOf(baseUrl) },
+            body: JSON.stringify({ email, password }),
+        });
+        const setCookie = response.headers.get("set-cookie");
+        const match = setCookie?.match(/behalfid_developer=([^;]+)/);
+        const sessionCookie = match ? `behalfid_developer=${match[1]}` : null;
+        const body = (await response.json().catch(() => null));
+        if (!response.ok) {
+            const msg = typeof body === "object" && body !== null && "error" in body && typeof body.error === "string"
+                ? body.error
+                : `Login failed with status ${response.status}.`;
+            throw new Error(msg);
+        }
+        if (!sessionCookie)
+            throw new Error("Login succeeded but no session cookie was returned.");
+        writeSession(sessionCookie);
+        if (isJsonMode())
+            printJson({ loggedIn: true, email: body?.user.email });
+        else
+            printSuccess(`Logged in as ${body?.user.email}.`);
+    }));
+}

package/dist/commands/logout.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function logoutCommand(): Command;

package/dist/commands/logout.js

@@ -0,0 +1,33 @@
+import { Command } from "commander";
+import { clearSession, readSession } from "../lib/config.js";
+import { apiRequest, resolveBaseUrl } from "../lib/client.js";
+import { isJsonMode, printJson, printSuccess, runAction } from "../lib/output.js";
+export function logoutCommand() {
+    return new Command("logout")
+        .description("log out of your BehalfID developer account")
+        .action(runAction(async function () {
+        const session = readSession();
+        if (!session) {
+            if (!isJsonMode())
+                console.log("Not logged in.");
+            else
+                printJson({ loggedOut: false, reason: "not logged in" });
+            return;
+        }
+        const baseUrl = resolveBaseUrl();
+        try {
+            await apiRequest("/api/auth/logout", {
+                method: "POST",
+                baseUrl,
+            });
+        }
+        catch {
+            // Server-side logout is best-effort; always clear local session.
+        }
+        clearSession();
+        if (isJsonMode())
+            printJson({ loggedOut: true });
+        else
+            printSuccess("Logged out.");
+    }));
+}

package/dist/commands/logs.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function logsCommand(): Command;

package/dist/commands/logs.js

@@ -0,0 +1,32 @@
+import { Command } from "commander";
+import { apiRequest, resolveApiKey, resolveBaseUrl } from "../lib/client.js";
+import { isJsonMode, printJson, printTable, runAction } from "../lib/output.js";
+export function logsCommand() {
+    return new Command("logs")
+        .description("show recent verification logs for an agent")
+        .argument("<agentId>", "agent ID")
+        .option("-k, --api-key <key>", "agent API key (overrides config)")
+        .action(runAction(async (agentId, opts) => {
+        const apiKey = opts.apiKey ?? resolveApiKey();
+        if (!apiKey)
+            throw new Error("An agent API key is required. Set it with `behalf config set api-key <key>` or pass --api-key.");
+        const baseUrl = resolveBaseUrl();
+        const data = await apiRequest(`/api/logs/${encodeURIComponent(agentId)}`, { apiKey, baseUrl });
+        if (isJsonMode()) {
+            printJson(data);
+            return;
+        }
+        if (!Array.isArray(data) || data.length === 0) {
+            console.log("No logs yet.");
+            return;
+        }
+        printTable(data.map(l => ({
+            requestId: l.requestId,
+            action: l.action,
+            vendor: l.vendor ?? "",
+            allowed: l.allowed ? "yes" : "no",
+            risk: l.risk,
+            when: l.createdAt.replace("T", " ").slice(0, 19),
+        })));
+    }));
+}

package/dist/commands/mcp.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function mcpCommand(): Command;

package/dist/commands/mcp.js

@@ -0,0 +1,150 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join, resolve } from "node:path";
+import { Command } from "commander";
+import { resolveApiKey, resolveBaseUrl } from "../lib/client.js";
+import { readConfig } from "../lib/config.js";
+import { generateContextMd, generateMcpJson } from "../lib/context-generator.js";
+import { fetchAndCacheDetail, readCachedDetail } from "../lib/passport-cache.js";
+import { isJsonMode, printJson, printKv, runAction } from "../lib/output.js";
+import { confirm } from "../lib/prompt.js";
+function readJsonFile(path) {
+    if (!existsSync(path))
+        return null;
+    try {
+        return JSON.parse(readFileSync(path, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function mcpCommand() {
+    const cmd = new Command("mcp").description("BehalfID MCP server — real-time agent enforcement");
+    cmd
+        .command("start")
+        .description("start the BehalfID MCP server on stdio (used by .mcp.json)")
+        .action(runAction(async () => {
+        const config = readConfig();
+        const agentId = config.agentId ?? process.env.BEHALFID_AGENT_ID;
+        const apiKey = resolveApiKey();
+        const baseUrl = resolveBaseUrl();
+        if (!agentId) {
+            throw new Error("Agent ID not configured. Run `behalf config set agent-id <agentId>` first.");
+        }
+        if (!apiKey) {
+            throw new Error("API key not configured. Run `behalf config set api-key <bhf_sk_xxx>` first.");
+        }
+        // Start the MCP server — this takes over the process
+        const { startMcpServer } = await import("../lib/mcp-server.js");
+        await startMcpServer({ agentId, apiKey, baseUrl });
+    }));
+    cmd
+        .command("init")
+        .description("set up BehalfID enforcement in the current directory")
+        .option("--refresh", "force-refresh the permissions cache from the server")
+        .option("--no-inject", "skip patching CLAUDE.md / AGENTS.md")
+        .option("--dry-run", "show what would be written without writing anything")
+        .action(runAction(async (opts) => {
+        const config = readConfig();
+        const agentId = config.agentId ?? process.env.BEHALFID_AGENT_ID;
+        const baseUrl = resolveBaseUrl();
+        if (!agentId) {
+            throw new Error("Agent ID not configured. Run `behalf config set agent-id <agentId>` first.");
+        }
+        if (!isJsonMode())
+            console.log(`Initializing BehalfID enforcement for agent ${agentId}…\n`);
+        // Fetch permissions
+        let detail = opts.refresh ? null : readCachedDetail(agentId);
+        if (!detail) {
+            if (!isJsonMode())
+                process.stdout.write("Fetching permissions from server… ");
+            detail = await fetchAndCacheDetail(agentId, baseUrl, opts.refresh ?? false);
+            if (!isJsonMode())
+                console.log("done.");
+        }
+        else {
+            if (!isJsonMode())
+                console.log("Using cached permissions (run with --refresh to update).");
+        }
+        const cwd = process.cwd();
+        const behalfDir = join(cwd, ".behalf");
+        const contextFile = join(behalfDir, "context.md");
+        const mcpJsonFile = join(cwd, ".mcp.json");
+        const contextMd = generateContextMd(detail);
+        const existingMcp = readJsonFile(mcpJsonFile);
+        const mcpJson = generateMcpJson(existingMcp ?? undefined);
+        if (opts.dryRun) {
+            if (isJsonMode()) {
+                printJson({ wouldWrite: [contextFile, mcpJsonFile] });
+            }
+            else {
+                console.log(`Would write:\n  ${contextFile}\n  ${mcpJsonFile}`);
+                console.log("\n--- .behalf/context.md ---\n");
+                console.log(contextMd);
+            }
+            return;
+        }
+        // Write .behalf/context.md
+        if (!existsSync(behalfDir))
+            mkdirSync(behalfDir, { recursive: true });
+        writeFileSync(contextFile, contextMd);
+        // Write / merge .mcp.json
+        writeFileSync(mcpJsonFile, mcpJson);
+        // Inject into CLAUDE.md if present or if user confirms
+        if (opts.inject !== false) {
+            const claudeMdPath = join(cwd, "CLAUDE.md");
+            const agentsMdPath = join(cwd, "AGENTS.md");
+            for (const [label, path] of [["CLAUDE.md", claudeMdPath], ["AGENTS.md", agentsMdPath]]) {
+                if (!existsSync(path))
+                    continue;
+                const content = readFileSync(path, "utf-8");
+                const include = "@.behalf/context.md";
+                if (content.includes(include))
+                    continue;
+                const ok = opts.dryRun
+                    ? false
+                    : await confirm(`Add \`${include}\` to ${label}?`, true);
+                if (ok) {
+                    writeFileSync(path, content + `\n\n${include}\n`);
+                    if (!isJsonMode())
+                        console.log(`  Patched ${label}.`);
+                }
+            }
+        }
+        if (isJsonMode()) {
+            printJson({ initialized: true, agentId, contextFile, mcpJsonFile });
+            return;
+        }
+        console.log("");
+        printKv({
+            "context file": resolve(contextFile),
+            "mcp config": resolve(mcpJsonFile),
+            permissions: `${detail.permissions.filter(p => p.status === "active").length} active`,
+        });
+        console.log(`\nBehalfID enforcement is active. Launch your AI tool normally — or run \`behalf claude\` to start Claude Code.\n`);
+    }));
+    cmd
+        .command("status")
+        .description("show current MCP config and cached permissions for this directory")
+        .action(runAction(async () => {
+        const config = readConfig();
+        const agentId = config.agentId ?? process.env.BEHALFID_AGENT_ID;
+        const cwd = process.cwd();
+        const mcpJsonPath = join(cwd, ".mcp.json");
+        const contextPath = join(cwd, ".behalf/context.md");
+        const mcpJson = readJsonFile(mcpJsonPath);
+        const hasMcp = !!mcpJson?.mcpServers?.behalfid;
+        const hasContext = existsSync(contextPath);
+        const cached = agentId ? readCachedDetail(agentId) : null;
+        if (isJsonMode()) {
+            printJson({ agentId, hasMcp, hasContext, cachedPermissions: cached?.permissions?.length ?? 0 });
+            return;
+        }
+        printKv({
+            "agent id": agentId ?? "(not set)",
+            ".mcp.json": hasMcp ? "✓ behalfid server configured" : "✗ not configured",
+            "context file": hasContext ? "✓ present" : "✗ missing",
+            "cached permissions": cached ? `${cached.permissions.filter(p => p.status === "active").length} active` : "none (run mcp init)",
+        });
+    }));
+    return cmd;
+}

package/dist/commands/passport.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function passportCommand(): Command;

package/dist/commands/passport.js

@@ -0,0 +1,41 @@
+import { Command } from "commander";
+import { apiRequest, resolveApiKey, resolveBaseUrl } from "../lib/client.js";
+import { isJsonMode, printJson, printKv, printTable, runAction } from "../lib/output.js";
+export function passportCommand() {
+    return new Command("passport")
+        .description("show the public passport (active permissions) for an agent")
+        .argument("<agentId>", "agent ID")
+        .option("-k, --api-key <key>", "agent API key or passport token (overrides config)")
+        .action(runAction(async (agentId, opts) => {
+        const apiKey = opts.apiKey ?? resolveApiKey();
+        if (!apiKey)
+            throw new Error("An agent API key or passport token is required. Pass --api-key or set it with `behalf config set api-key <key>`.");
+        const baseUrl = resolveBaseUrl();
+        const data = await apiRequest(`/api/passport/${encodeURIComponent(agentId)}`, { apiKey, baseUrl });
+        if (isJsonMode()) {
+            printJson(data);
+            return;
+        }
+        printKv({
+            agentId: data.agent.agentId,
+            name: data.agent.name,
+            type: data.agent.agentType ?? "native",
+            provider: data.agent.provider ?? "",
+            description: data.agent.description ?? "",
+            version: data.passportVersion,
+        });
+        if (data.permissions.length === 0) {
+            console.log("\nNo active permissions.");
+        }
+        else {
+            console.log("\nPermissions:");
+            printTable(data.permissions.map(p => ({
+                action: p.action,
+                resource: p.resource ?? "",
+                scope: p.scope ?? "",
+                status: p.status,
+                expires: p.expiresAt ? p.expiresAt.slice(0, 10) : "never",
+            })));
+        }
+    }));
+}

package/dist/commands/permissions.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function permissionsCommand(): Command;