@build-astron-co/nimbus 0.2.0 → 0.4.0

package/dist/src/commands/audit/index.js

@@ -0,0 +1,322 @@
+/**
+ * Audit Commands
+ * Audit log viewer and export CLI commands
+ */
+import { ui } from '../../wizard/ui';
+import { auditClient } from '../../clients/enterprise-client';
+import * as fs from 'node:fs';
+/**
+ * Get current team ID from config or environment
+ */
+function getCurrentTeamId() {
+    return process.env.NIMBUS_TEAM_ID || null;
+}
+/**
+ * Parse relative time string (e.g., "7d", "24h") to ISO date
+ */
+function parseRelativeTime(timeStr) {
+    const now = Date.now();
+    const match = timeStr.match(/^(\d+)([dhwm])$/);
+    if (!match) {
+        return timeStr; // Assume it's already a valid date string
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    let ms;
+    switch (unit) {
+        case 'h':
+            ms = value * 60 * 60 * 1000;
+            break;
+        case 'd':
+            ms = value * 24 * 60 * 60 * 1000;
+            break;
+        case 'w':
+            ms = value * 7 * 24 * 60 * 60 * 1000;
+            break;
+        case 'm':
+            ms = value * 30 * 24 * 60 * 60 * 1000;
+            break;
+        default:
+            return timeStr;
+    }
+    return new Date(now - ms).toISOString();
+}
+/**
+ * Parse audit list options
+ */
+export function parseAuditListOptions(args) {
+    const options = {};
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === '--since' && args[i + 1]) {
+            options.since = parseRelativeTime(args[++i]);
+        }
+        else if (arg === '--until' && args[i + 1]) {
+            options.until = parseRelativeTime(args[++i]);
+        }
+        else if (arg === '--action' && args[i + 1]) {
+            options.action = args[++i];
+        }
+        else if (arg === '--user' && args[i + 1]) {
+            options.userId = args[++i];
+        }
+        else if ((arg === '--limit' || arg === '-n') && args[i + 1]) {
+            options.limit = parseInt(args[++i], 10);
+        }
+        else if (arg === '--json') {
+            options.json = true;
+        }
+        else if (arg === '--non-interactive') {
+            options.nonInteractive = true;
+        }
+    }
+    return options;
+}
+/**
+ * Parse audit export options
+ */
+export function parseAuditExportOptions(args) {
+    const options = {};
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === '--format' && args[i + 1]) {
+            options.format = args[++i];
+        }
+        else if ((arg === '--output' || arg === '-o') && args[i + 1]) {
+            options.output = args[++i];
+        }
+        else if (arg === '--since' && args[i + 1]) {
+            options.since = parseRelativeTime(args[++i]);
+        }
+        else if (arg === '--until' && args[i + 1]) {
+            options.until = parseRelativeTime(args[++i]);
+        }
+        else if (arg === '--non-interactive') {
+            options.nonInteractive = true;
+        }
+    }
+    return options;
+}
+/**
+ * Format timestamp for display
+ */
+function formatTimestamp(ts) {
+    const date = new Date(ts);
+    return `${date.toLocaleDateString()} ${date.toLocaleTimeString()}`;
+}
+/**
+ * Audit list command
+ */
+export async function auditListCommand(options) {
+    try {
+        const teamId = getCurrentTeamId();
+        if (!teamId) {
+            ui.error('No team selected. Run `nimbus team switch <team-id>` first.');
+            return;
+        }
+        ui.startSpinner({ message: 'Fetching audit logs...' });
+        const result = await auditClient.queryLogs({
+            teamId,
+            userId: options.userId,
+            action: options.action,
+            since: options.since,
+            until: options.until,
+            limit: options.limit || 50,
+        });
+        ui.stopSpinnerSuccess(`Found ${result.total} logs (showing ${result.logs.length})`);
+        if (options.json) {
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        if (result.logs.length === 0) {
+            ui.info('No audit logs found');
+            return;
+        }
+        ui.newLine();
+        ui.table({
+            columns: [
+                { key: 'timestamp', header: 'Time', width: 20 },
+                { key: 'action', header: 'Action', width: 20 },
+                { key: 'user', header: 'User', width: 15 },
+                { key: 'status', header: 'Status', width: 10 },
+                { key: 'resource', header: 'Resource' },
+            ],
+            data: result.logs.map(log => ({
+                timestamp: formatTimestamp(log.timestamp),
+                action: log.action,
+                user: log.userId || '-',
+                status: log.status,
+                resource: log.resourceType ? `${log.resourceType}/${log.resourceId || ''}` : '-',
+            })),
+        });
+        if (result.total > result.logs.length) {
+            ui.newLine();
+            ui.dim(`Showing ${result.logs.length} of ${result.total} logs. Use --limit to show more.`);
+        }
+    }
+    catch (error) {
+        ui.stopSpinnerFail('Failed to fetch audit logs');
+        ui.error(error.message);
+    }
+}
+/**
+ * Audit export command
+ */
+export async function auditExportCommand(options) {
+    try {
+        const teamId = getCurrentTeamId();
+        if (!teamId) {
+            ui.error('No team selected. Run `nimbus team switch <team-id>` first.');
+            return;
+        }
+        const format = options.format || 'json';
+        const output = options.output || `audit-logs-${new Date().toISOString().split('T')[0]}.${format}`;
+        ui.startSpinner({ message: `Exporting audit logs to ${output}...` });
+        const content = await auditClient.exportLogs(format, {
+            teamId,
+            since: options.since,
+            until: options.until,
+        });
+        fs.writeFileSync(output, content);
+        ui.stopSpinnerSuccess(`Exported to ${output}`);
+        const stats = fs.statSync(output);
+        ui.info(`File size: ${(stats.size / 1024).toFixed(1)} KB`);
+    }
+    catch (error) {
+        ui.stopSpinnerFail('Failed to export audit logs');
+        ui.error(error.message);
+    }
+}
+/**
+ * Parse audit scan options from CLI args
+ */
+export function parseAuditScanOptions(args) {
+    const options = {};
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === '--framework' && args[i + 1]) {
+            options.framework = args[++i];
+        }
+        else if ((arg === '--output' || arg === '-o') && args[i + 1]) {
+            options.output = args[++i];
+        }
+        else if ((arg === '--dir' || arg === '-d') && args[i + 1]) {
+            options.dir = args[++i];
+        }
+        else if (arg === '--threshold' && args[i + 1]) {
+            options.threshold = parseInt(args[++i], 10);
+        }
+    }
+    return options;
+}
+/**
+ * Audit scan subcommand — runs the local security scanner
+ */
+export async function auditScanCommand(options) {
+    const { scanSecurity } = await import('../../audit/security-scanner');
+    const dir = options.dir ?? process.cwd();
+    ui.startSpinner({ message: `Scanning ${dir} for security issues...` });
+    let result;
+    try {
+        result = await scanSecurity({ dir });
+    }
+    catch (e) {
+        ui.stopSpinnerFail('Scan failed');
+        ui.error(e.message);
+        return;
+    }
+    ui.stopSpinnerSuccess(`Scan complete: ${result.findings.length} finding(s) in ${result.scannedFiles} file(s)`);
+    // Filter by framework if provided (maps framework to relevant finding IDs)
+    let findings = result.findings;
+    if (options.framework) {
+        // Each framework maps loosely to severity thresholds
+        const frameworkSeverityMap = {
+            soc2: ['CRITICAL', 'HIGH', 'MEDIUM'],
+            hipaa: ['CRITICAL', 'HIGH', 'MEDIUM'],
+            pci: ['CRITICAL', 'HIGH'],
+            iso27001: ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'],
+        };
+        const allowedSeverities = frameworkSeverityMap[options.framework] ?? [];
+        findings = findings.filter((f) => allowedSeverities.includes(f.severity));
+        ui.dim(`Framework filter (${options.framework}): showing ${findings.length} relevant finding(s)`);
+    }
+    if (findings.length === 0) {
+        ui.info('No findings. Scan clean.');
+    }
+    else {
+        ui.newLine();
+        for (const finding of findings) {
+            const severityColor = finding.severity === 'CRITICAL' || finding.severity === 'HIGH'
+                ? 'red'
+                : finding.severity === 'MEDIUM'
+                    ? 'yellow'
+                    : 'white';
+            ui.print(`[${ui.color(finding.severity, severityColor)}] ${finding.id}: ${finding.title}`);
+            if (finding.file)
+                ui.dim(`  File: ${finding.file}${finding.line ? `:${finding.line}` : ''}`);
+            ui.dim(`  ${finding.recommendation}`);
+            ui.newLine();
+        }
+    }
+    // Write JSON report to file if requested
+    if (options.output) {
+        const report = {
+            timestamp: result.timestamp.toISOString(),
+            scannedFiles: result.scannedFiles,
+            scanDuration: result.scanDuration,
+            framework: options.framework ?? null,
+            findingsCount: findings.length,
+            findings,
+        };
+        fs.writeFileSync(options.output, JSON.stringify(report, null, 2), 'utf-8');
+        ui.print(`Report written to ${options.output}`);
+    }
+    // Threshold check — exit code 1 if too many findings
+    if (options.threshold !== undefined && findings.length > options.threshold) {
+        ui.error(`Findings (${findings.length}) exceeded threshold (${options.threshold}). Exiting with code 1.`);
+        process.exit(1);
+    }
+}
+/**
+ * Main audit command dispatcher
+ */
+export async function auditCommand(subcommand, args) {
+    switch (subcommand) {
+        case 'list':
+        case '':
+            await auditListCommand(parseAuditListOptions(args));
+            break;
+        case 'export':
+            await auditExportCommand(parseAuditExportOptions(args));
+            break;
+        case 'scan':
+            await auditScanCommand(parseAuditScanOptions(args));
+            break;
+        default:
+            ui.error(`Unknown audit command: ${subcommand}`);
+            ui.newLine();
+            ui.info('Available audit commands:');
+            ui.print('  nimbus audit                      - List audit logs');
+            ui.print('  nimbus audit list                 - List audit logs');
+            ui.print('  nimbus audit export               - Export audit logs');
+            ui.print('  nimbus audit scan                 - Scan directory for security issues');
+            ui.newLine();
+            ui.info('Options (list):');
+            ui.print('  --since <time>   Filter logs since (e.g., 7d, 24h, 2024-01-01)');
+            ui.print('  --until <time>   Filter logs until');
+            ui.print('  --action <type>  Filter by action type');
+            ui.print('  --user <id>      Filter by user');
+            ui.print('  --limit <n>      Number of logs to show');
+            ui.print('  --json           Output as JSON');
+            ui.newLine();
+            ui.info('Options (scan):');
+            ui.print('  --framework <f>  Compliance framework: soc2|hipaa|pci|iso27001');
+            ui.print('  --output <file>  Write JSON report to file');
+            ui.print('  --dir <path>     Directory to scan (default: cwd)');
+            ui.print('  --threshold <n>  Exit code 1 if findings exceed this count');
+            ui.newLine();
+            ui.info('Export options:');
+            ui.print('  --format <type>  Export format (csv|json)');
+            ui.print('  --output <file>  Output file path');
+    }
+}

package/dist/src/commands/auth-cloud.js

@@ -0,0 +1,345 @@
+/**
+ * Cloud Credential Management Commands
+ *
+ * Validate and display cloud provider credentials.
+ *
+ * Usage:
+ *   nimbus auth aws [--profile <name>]
+ *   nimbus auth gcp [--project <name>]
+ *   nimbus auth azure [--subscription <id>]
+ */
+import { logger } from '../utils';
+import { ui } from '../wizard/ui';
+/**
+ * Check if a CLI tool is installed
+ */
+async function isCliInstalled(cmd) {
+    const { execFile } = await import('child_process');
+    const { promisify } = await import('util');
+    const execFileAsync = promisify(execFile);
+    try {
+        await execFileAsync(cmd, ['--version'], { timeout: 5000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Run a CLI command and capture output
+ */
+async function runCommand(cmd, args) {
+    const { execFile } = await import('child_process');
+    const { promisify } = await import('util');
+    const execFileAsync = promisify(execFile);
+    try {
+        const { stdout } = await execFileAsync(cmd, args, { timeout: 15000 });
+        return { stdout: stdout.trim(), success: true };
+    }
+    catch (error) {
+        return { stdout: error.stdout?.trim() || error.message, success: false };
+    }
+}
+/**
+ * nimbus auth aws — Validate AWS credentials
+ */
+export async function authAwsCommand(options = {}) {
+    logger.info('Validating AWS credentials', { options });
+    ui.header('AWS Credentials');
+    // Check if AWS CLI is installed
+    const installed = await isCliInstalled('aws');
+    if (!installed) {
+        ui.error('AWS CLI is not installed');
+        ui.newLine();
+        ui.print('Install the AWS CLI:');
+        ui.print(`  ${ui.dim('brew install awscli')} (macOS)`);
+        ui.print(`  ${ui.dim('pip install awscli')} (pip)`);
+        ui.print(`  ${ui.dim('https://aws.amazon.com/cli/')} (official)`);
+        return;
+    }
+    ui.startSpinner({ message: 'Validating AWS credentials...' });
+    // Get caller identity
+    const identityArgs = ['sts', 'get-caller-identity', '--output', 'json'];
+    if (options.profile) {
+        identityArgs.push('--profile', options.profile);
+    }
+    const identity = await runCommand('aws', identityArgs);
+    if (!identity.success) {
+        ui.stopSpinnerFail('AWS credentials validation failed');
+        ui.newLine();
+        ui.error('Unable to validate AWS credentials');
+        ui.print(ui.dim(identity.stdout));
+        ui.newLine();
+        ui.print('Configure credentials:');
+        ui.print(`  ${ui.dim('aws configure')}`);
+        ui.print(`  ${ui.dim('export AWS_ACCESS_KEY_ID=...')}`);
+        ui.print(`  ${ui.dim('export AWS_SECRET_ACCESS_KEY=...')}`);
+        return;
+    }
+    ui.stopSpinnerSuccess('AWS credentials valid');
+    ui.newLine();
+    // Parse identity
+    try {
+        const data = JSON.parse(identity.stdout);
+        ui.print(`  ${ui.bold('Account:')}  ${data.Account}`);
+        ui.print(`  ${ui.bold('User ARN:')} ${data.Arn}`);
+        ui.print(`  ${ui.bold('User ID:')}  ${data.UserId}`);
+    }
+    catch {
+        ui.print(`  ${identity.stdout}`);
+    }
+    // Get current region
+    const regionArgs = ['configure', 'get', 'region'];
+    if (options.profile) {
+        regionArgs.push('--profile', options.profile);
+    }
+    const region = await runCommand('aws', regionArgs);
+    if (region.success && region.stdout) {
+        ui.print(`  ${ui.bold('Region:')}   ${region.stdout}`);
+    }
+    if (options.profile) {
+        ui.print(`  ${ui.bold('Profile:')}  ${options.profile}`);
+    }
+    ui.newLine();
+    ui.success('AWS credentials are configured and valid');
+}
+/**
+ * nimbus auth gcp — Validate GCP credentials
+ */
+export async function authGcpCommand(options = {}) {
+    logger.info('Validating GCP credentials', { options });
+    ui.header('GCP Credentials');
+    // Check if gcloud CLI is installed
+    const installed = await isCliInstalled('gcloud');
+    if (!installed) {
+        ui.error('Google Cloud SDK (gcloud) is not installed');
+        ui.newLine();
+        ui.print('Install the Google Cloud SDK:');
+        ui.print(`  ${ui.dim('brew install google-cloud-sdk')} (macOS)`);
+        ui.print(`  ${ui.dim('https://cloud.google.com/sdk/docs/install')} (official)`);
+        return;
+    }
+    ui.startSpinner({ message: 'Validating GCP credentials...' });
+    // Get current account
+    const account = await runCommand('gcloud', [
+        'auth',
+        'list',
+        '--filter=status:ACTIVE',
+        '--format=value(account)',
+    ]);
+    if (!account.success || !account.stdout) {
+        ui.stopSpinnerFail('GCP credentials validation failed');
+        ui.newLine();
+        ui.error('No active GCP credentials found');
+        ui.print('Configure credentials:');
+        ui.print(`  ${ui.dim('gcloud auth login')}`);
+        ui.print(`  ${ui.dim('gcloud auth application-default login')}`);
+        return;
+    }
+    ui.stopSpinnerSuccess('GCP credentials valid');
+    ui.newLine();
+    ui.print(`  ${ui.bold('Account:')} ${account.stdout}`);
+    // Check Application Default Credentials
+    const adcCheck = await runCommand('gcloud', [
+        'auth',
+        'application-default',
+        'print-access-token',
+    ]);
+    if (adcCheck.success) {
+        ui.print(`  ${ui.bold('ADC:')}     ${ui.color('configured', 'green')}`);
+    }
+    else {
+        ui.print(`  ${ui.bold('ADC:')}     ${ui.color('not configured', 'yellow')}`);
+        ui.print(ui.dim('  Set with: gcloud auth application-default login'));
+    }
+    // Get current project
+    const projectArgs = options.project
+        ? ['config', 'get-value', 'project', '--project', options.project]
+        : ['config', 'get-value', 'project'];
+    const project = await runCommand('gcloud', projectArgs);
+    if (project.success && project.stdout && project.stdout !== '(unset)') {
+        ui.print(`  ${ui.bold('Project:')} ${project.stdout}`);
+    }
+    else if (options.project) {
+        ui.print(`  ${ui.bold('Project:')} ${options.project}`);
+    }
+    else {
+        ui.print(`  ${ui.bold('Project:')} ${ui.color('not set', 'yellow')}`);
+        ui.print(ui.dim('  Set with: gcloud config set project PROJECT_ID'));
+    }
+    // Get current region
+    const region = await runCommand('gcloud', ['config', 'get-value', 'compute/region']);
+    if (region.success && region.stdout && region.stdout !== '(unset)') {
+        ui.print(`  ${ui.bold('Region:')}  ${region.stdout}`);
+    }
+    ui.newLine();
+    ui.success('GCP credentials are configured and valid');
+}
+/**
+ * nimbus auth azure — Validate Azure credentials
+ */
+export async function authAzureCommand(options = {}) {
+    logger.info('Validating Azure credentials', { options });
+    ui.header('Azure Credentials');
+    // Check if az CLI is installed
+    const installed = await isCliInstalled('az');
+    if (!installed) {
+        ui.error('Azure CLI (az) is not installed');
+        ui.newLine();
+        ui.print('Install the Azure CLI:');
+        ui.print(`  ${ui.dim('brew install azure-cli')} (macOS)`);
+        ui.print(`  ${ui.dim('https://learn.microsoft.com/en-us/cli/azure/install-azure-cli')} (official)`);
+        return;
+    }
+    ui.startSpinner({ message: 'Validating Azure credentials...' });
+    // Get current account
+    const account = await runCommand('az', ['account', 'show', '--output', 'json']);
+    if (!account.success) {
+        ui.stopSpinnerFail('Azure credentials validation failed');
+        ui.newLine();
+        ui.error('No active Azure credentials found');
+        ui.print('Configure credentials:');
+        ui.print(`  ${ui.dim('az login')}`);
+        return;
+    }
+    ui.stopSpinnerSuccess('Azure credentials valid');
+    ui.newLine();
+    try {
+        const data = JSON.parse(account.stdout);
+        ui.print(`  ${ui.bold('Subscription:')} ${data.name} (${data.id})`);
+        ui.print(`  ${ui.bold('Tenant:')}       ${data.tenantId}`);
+        ui.print(`  ${ui.bold('State:')}        ${data.state}`);
+        if (data.user) {
+            ui.print(`  ${ui.bold('User:')}         ${data.user.name} (${data.user.type})`);
+        }
+    }
+    catch {
+        ui.print(`  ${account.stdout}`);
+    }
+    ui.newLine();
+    ui.success('Azure credentials are configured and valid');
+}
+/**
+ * H1: AWS SSO Login — delegates to `aws sso login` so the CLI handles the browser flow.
+ * spawnSync with stdio: 'inherit' so device codes / browser prompts appear in terminal.
+ */
+export async function loginAwsCommand(options = {}) {
+    const installed = await isCliInstalled('aws');
+    if (!installed) {
+        ui.error('AWS CLI is not installed. Install from https://aws.amazon.com/cli/');
+        return;
+    }
+    ui.info('Launching AWS SSO login...');
+    ui.print(ui.dim('The browser (or device code) flow is handled by the AWS CLI.'));
+    ui.newLine();
+    const { spawnSync } = await import('child_process');
+    const args = ['sso', 'login'];
+    if (options.profile) {
+        args.push('--profile', options.profile);
+    }
+    const result = spawnSync('aws', args, { stdio: 'inherit' });
+    if (result.status === 0) {
+        ui.success('AWS SSO login completed successfully.');
+    }
+    else {
+        ui.error('AWS SSO login failed or was cancelled.');
+    }
+}
+/**
+ * H1: GCP Login — delegates to `gcloud auth login --no-launch-browser` (device code flow).
+ */
+export async function loginGcpCommand(options = {}) {
+    const installed = await isCliInstalled('gcloud');
+    if (!installed) {
+        ui.error('Google Cloud SDK not installed. See https://cloud.google.com/sdk/docs/install');
+        return;
+    }
+    ui.info('Launching GCP device-code login...');
+    ui.print(ui.dim('Follow the URL and code shown below to complete authentication.'));
+    ui.newLine();
+    const { spawnSync } = await import('child_process');
+    const args = ['auth', 'login', '--no-launch-browser'];
+    if (options.project) {
+        args.push('--project', options.project);
+    }
+    const result = spawnSync('gcloud', args, { stdio: 'inherit' });
+    if (result.status === 0) {
+        ui.success('GCP login completed successfully.');
+    }
+    else {
+        ui.error('GCP login failed or was cancelled.');
+    }
+}
+/**
+ * H1: Azure Login — delegates to `az login --use-device-code`.
+ */
+export async function loginAzureCommand(options = {}) {
+    const installed = await isCliInstalled('az');
+    if (!installed) {
+        ui.error('Azure CLI not installed. See https://learn.microsoft.com/en-us/cli/azure/install-azure-cli');
+        return;
+    }
+    ui.info('Launching Azure device-code login...');
+    ui.print(ui.dim('Follow the URL and code shown below to complete authentication.'));
+    ui.newLine();
+    const { spawnSync } = await import('child_process');
+    const args = ['login', '--use-device-code'];
+    if (options.subscription) {
+        args.push('--subscription', options.subscription);
+    }
+    const result = spawnSync('az', args, { stdio: 'inherit' });
+    if (result.status === 0) {
+        ui.success('Azure login completed successfully.');
+    }
+    else {
+        ui.error('Azure login failed or was cancelled.');
+    }
+}
+/**
+ * Cloud auth parent command router
+ */
+export async function authCloudCommand(provider, options = {}) {
+    switch (provider) {
+        case 'aws':
+            await authAwsCommand(options);
+            break;
+        case 'gcp':
+        case 'google':
+            await authGcpCommand(options);
+            break;
+        case 'azure':
+            await authAzureCommand(options);
+            break;
+        default:
+            ui.error(`Unknown cloud provider: ${provider}`);
+            ui.newLine();
+            ui.print('Supported providers:');
+            ui.print('  nimbus auth aws     — Validate AWS credentials');
+            ui.print('  nimbus auth gcp     — Validate GCP credentials');
+            ui.print('  nimbus auth azure   — Validate Azure credentials');
+    }
+}
+/**
+ * Cloud login command router — delegates to CLI tools for SSO/OAuth flows (H1).
+ */
+export async function loginCloudCommand(provider, options = {}) {
+    switch (provider) {
+        case 'aws':
+            await loginAwsCommand(options);
+            break;
+        case 'gcp':
+        case 'google':
+            await loginGcpCommand(options);
+            break;
+        case 'azure':
+            await loginAzureCommand(options);
+            break;
+        default:
+            ui.error(`Unknown cloud provider: ${provider}`);
+            ui.newLine();
+            ui.print('Supported providers:');
+            ui.print('  nimbus auth login aws     — AWS SSO login (browser/device code)');
+            ui.print('  nimbus auth login gcp     — GCP device-code login');
+            ui.print('  nimbus auth login azure   — Azure device-code login');
+    }
+}