npm - @getaegis/cli - Versions diffs - 0.8.0 → 0.8.1 - Mend

@getaegis/cli 0.8.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (210) hide show

package/README.md +5 -0
package/dist/agent/agent.d.ts +98 -0
package/dist/agent/agent.d.ts.map +1 -0
package/dist/agent/agent.js +212 -0
package/dist/agent/agent.js.map +1 -0
package/dist/agent/index.d.ts +3 -0
package/dist/agent/index.d.ts.map +1 -0
package/dist/agent/index.js +2 -0
package/dist/agent/index.js.map +1 -0
package/dist/cli/auth.d.ts +19 -0
package/dist/cli/auth.d.ts.map +1 -0
package/dist/cli/auth.js +44 -0
package/dist/cli/auth.js.map +1 -0
package/dist/cli/commands/agent.d.ts +6 -0
package/dist/cli/commands/agent.d.ts.map +1 -0
package/dist/cli/commands/agent.js +241 -0
package/dist/cli/commands/agent.js.map +1 -0
package/dist/cli/commands/config.d.ts +6 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +125 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/dashboard.d.ts +6 -0
package/dist/cli/commands/dashboard.d.ts.map +1 -0
package/dist/cli/commands/dashboard.js +189 -0
package/dist/cli/commands/dashboard.js.map +1 -0
package/dist/cli/commands/doctor.d.ts +6 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/doctor.js +39 -0
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/gate.d.ts +6 -0
package/dist/cli/commands/gate.d.ts.map +1 -0
package/dist/cli/commands/gate.js +196 -0
package/dist/cli/commands/gate.js.map +1 -0
package/dist/cli/commands/init.d.ts +6 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +109 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/ledger.d.ts +6 -0
package/dist/cli/commands/ledger.d.ts.map +1 -0
package/dist/cli/commands/ledger.js +140 -0
package/dist/cli/commands/ledger.js.map +1 -0
package/dist/cli/commands/mcp.d.ts +6 -0
package/dist/cli/commands/mcp.d.ts.map +1 -0
package/dist/cli/commands/mcp.js +224 -0
package/dist/cli/commands/mcp.js.map +1 -0
package/dist/cli/commands/policy.d.ts +6 -0
package/dist/cli/commands/policy.d.ts.map +1 -0
package/dist/cli/commands/policy.js +126 -0
package/dist/cli/commands/policy.js.map +1 -0
package/dist/cli/commands/user.d.ts +6 -0
package/dist/cli/commands/user.d.ts.map +1 -0
package/dist/cli/commands/user.js +150 -0
package/dist/cli/commands/user.js.map +1 -0
package/dist/cli/commands/vault-manager.d.ts +6 -0
package/dist/cli/commands/vault-manager.d.ts.map +1 -0
package/dist/cli/commands/vault-manager.js +240 -0
package/dist/cli/commands/vault-manager.js.map +1 -0
package/dist/cli/commands/vault.d.ts +6 -0
package/dist/cli/commands/vault.d.ts.map +1 -0
package/dist/cli/commands/vault.js +241 -0
package/dist/cli/commands/vault.js.map +1 -0
package/dist/cli/commands/webhook.d.ts +6 -0
package/dist/cli/commands/webhook.d.ts.map +1 -0
package/dist/cli/commands/webhook.js +151 -0
package/dist/cli/commands/webhook.js.map +1 -0
package/dist/cli/helpers.d.ts +12 -0
package/dist/cli/helpers.d.ts.map +1 -0
package/dist/cli/helpers.js +61 -0
package/dist/cli/helpers.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +17 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/validation.d.ts +37 -0
package/dist/cli/validation.d.ts.map +1 -0
package/dist/cli/validation.js +104 -0
package/dist/cli/validation.js.map +1 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +30 -0
package/dist/cli.js.map +1 -0
package/dist/config.d.ts +108 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +355 -0
package/dist/config.js.map +1 -0
package/dist/dashboard/dashboard-server.d.ts +95 -0
package/dist/dashboard/dashboard-server.d.ts.map +1 -0
package/dist/dashboard/dashboard-server.js +329 -0
package/dist/dashboard/dashboard-server.js.map +1 -0
package/dist/dashboard/index.d.ts +3 -0
package/dist/dashboard/index.d.ts.map +1 -0
package/dist/dashboard/index.js +2 -0
package/dist/dashboard/index.js.map +1 -0
package/dist/dashboard/public/assets/index-CpMruPNh.css +1 -0
package/dist/dashboard/public/assets/index-DkHiw9_f.js +148 -0
package/dist/dashboard/public/favicon.svg +6 -0
package/dist/dashboard/public/index.html +14 -0
package/dist/db.d.ts +15 -0
package/dist/db.d.ts.map +1 -0
package/dist/db.js +190 -0
package/dist/db.js.map +1 -0
package/dist/doctor.d.ts +37 -0
package/dist/doctor.d.ts.map +1 -0
package/dist/doctor.js +196 -0
package/dist/doctor.js.map +1 -0
package/dist/gate/body-inspector.d.ts +31 -0
package/dist/gate/body-inspector.d.ts.map +1 -0
package/dist/gate/body-inspector.js +193 -0
package/dist/gate/body-inspector.js.map +1 -0
package/dist/gate/gate.d.ts +168 -0
package/dist/gate/gate.d.ts.map +1 -0
package/dist/gate/gate.js +1016 -0
package/dist/gate/gate.js.map +1 -0
package/dist/gate/index.d.ts +7 -0
package/dist/gate/index.d.ts.map +1 -0
package/dist/gate/index.js +4 -0
package/dist/gate/index.js.map +1 -0
package/dist/gate/rate-limiter.d.ts +59 -0
package/dist/gate/rate-limiter.d.ts.map +1 -0
package/dist/gate/rate-limiter.js +120 -0
package/dist/gate/rate-limiter.js.map +1 -0
package/dist/index.d.ts +26 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +16 -0
package/dist/index.js.map +1 -0
package/dist/ledger/index.d.ts +3 -0
package/dist/ledger/index.d.ts.map +1 -0
package/dist/ledger/index.js +2 -0
package/dist/ledger/index.js.map +1 -0
package/dist/ledger/ledger.d.ts +98 -0
package/dist/ledger/ledger.d.ts.map +1 -0
package/dist/ledger/ledger.js +145 -0
package/dist/ledger/ledger.js.map +1 -0
package/dist/logger/index.d.ts +3 -0
package/dist/logger/index.d.ts.map +1 -0
package/dist/logger/index.js +2 -0
package/dist/logger/index.js.map +1 -0
package/dist/logger/logger.d.ts +58 -0
package/dist/logger/logger.d.ts.map +1 -0
package/dist/logger/logger.js +201 -0
package/dist/logger/logger.js.map +1 -0
package/dist/mcp/index.d.ts +3 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/index.js +2 -0
package/dist/mcp/index.js.map +1 -0
package/dist/mcp/mcp-server.d.ts +130 -0
package/dist/mcp/mcp-server.d.ts.map +1 -0
package/dist/mcp/mcp-server.js +775 -0
package/dist/mcp/mcp-server.js.map +1 -0
package/dist/metrics/index.d.ts +3 -0
package/dist/metrics/index.d.ts.map +1 -0
package/dist/metrics/index.js +2 -0
package/dist/metrics/index.js.map +1 -0
package/dist/metrics/metrics.d.ts +88 -0
package/dist/metrics/metrics.d.ts.map +1 -0
package/dist/metrics/metrics.js +179 -0
package/dist/metrics/metrics.js.map +1 -0
package/dist/policy/index.d.ts +3 -0
package/dist/policy/index.d.ts.map +1 -0
package/dist/policy/index.js +2 -0
package/dist/policy/index.js.map +1 -0
package/dist/policy/policy.d.ts +119 -0
package/dist/policy/policy.d.ts.map +1 -0
package/dist/policy/policy.js +426 -0
package/dist/policy/policy.js.map +1 -0
package/dist/user/index.d.ts +3 -0
package/dist/user/index.d.ts.map +1 -0
package/dist/user/index.js +2 -0
package/dist/user/index.js.map +1 -0
package/dist/user/user.d.ts +102 -0
package/dist/user/user.d.ts.map +1 -0
package/dist/user/user.js +216 -0
package/dist/user/user.js.map +1 -0
package/dist/vault/crypto.d.ts +28 -0
package/dist/vault/crypto.d.ts.map +1 -0
package/dist/vault/crypto.js +44 -0
package/dist/vault/crypto.js.map +1 -0
package/dist/vault/index.d.ts +10 -0
package/dist/vault/index.d.ts.map +1 -0
package/dist/vault/index.js +6 -0
package/dist/vault/index.js.map +1 -0
package/dist/vault/seal.d.ts +68 -0
package/dist/vault/seal.d.ts.map +1 -0
package/dist/vault/seal.js +110 -0
package/dist/vault/seal.js.map +1 -0
package/dist/vault/shamir.d.ts +33 -0
package/dist/vault/shamir.d.ts.map +1 -0
package/dist/vault/shamir.js +174 -0
package/dist/vault/shamir.js.map +1 -0
package/dist/vault/vault-manager.d.ts +62 -0
package/dist/vault/vault-manager.d.ts.map +1 -0
package/dist/vault/vault-manager.js +141 -0
package/dist/vault/vault-manager.js.map +1 -0
package/dist/vault/vault.d.ts +104 -0
package/dist/vault/vault.d.ts.map +1 -0
package/dist/vault/vault.js +259 -0
package/dist/vault/vault.js.map +1 -0
package/dist/version.d.ts +3 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +18 -0
package/dist/version.js.map +1 -0
package/dist/webhook/index.d.ts +3 -0
package/dist/webhook/index.d.ts.map +1 -0
package/dist/webhook/index.js +2 -0
package/dist/webhook/index.js.map +1 -0
package/dist/webhook/webhook.d.ts +114 -0
package/dist/webhook/webhook.d.ts.map +1 -0
package/dist/webhook/webhook.js +269 -0
package/dist/webhook/webhook.js.map +1 -0
package/package.json +7 -3

package/README.md CHANGED Viewed

@@ -1,5 +1,10 @@
 # Aegis
+[![CI](https://github.com/getaegis/aegis/actions/workflows/ci.yml/badge.svg)](https://github.com/getaegis/aegis/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/@getaegis/cli)](https://www.npmjs.com/package/@getaegis/cli)
+[![Docker](https://img.shields.io/badge/ghcr.io-getaegis%2Faegis-blue?logo=docker)](https://ghcr.io/getaegis/aegis)
+[![License](https://img.shields.io/github/license/getaegis/aegis)](LICENSE)
 **Credential isolation for AI agents.**
 Aegis sits between your AI agent and the APIs it calls. The agent never sees, stores, or transmits real credentials — Aegis injects them at the network boundary.

package/dist/agent/agent.d.ts ADDED Viewed

@@ -0,0 +1,98 @@
+import type Database from 'better-sqlite3';
+export interface Agent {
+    id: string;
+    name: string;
+    tokenPrefix: string;
+    rateLimit?: string;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface AgentWithToken extends Agent {
+    token: string;
+}
+/**
+ * Agent Registry — manages agent identities and their credential access grants.
+ *
+ * Agents are identified by tokens (UUID v4 + HMAC suffix). Tokens are:
+ * - Hashed (SHA-256) for fast lookup during request validation — hash-only, no recovery
+ * - Prefixed (first 12 chars) for safe display in logs and audit entries
+ *
+ * Security: Tokens are never stored in recoverable form. If a token is lost,
+ * use regenerateToken() to issue a new one (same pattern as GitHub/Stripe key rotation).
+ */
+export declare class AgentRegistry {
+    private db;
+    private derivedKey;
+    constructor(db: Database.Database, derivedKey: Buffer);
+    /**
+     * Register a new agent. Returns the agent with its token (shown once).
+     *
+     * Token format: aegis_{uuid}_{hmac_prefix}
+     * The HMAC is derived from the UUID using the master key, making tokens
+     * verifiable as Aegis-generated.
+     */
+    add(params: {
+        name: string;
+        rateLimit?: string;
+    }): AgentWithToken;
+    /**
+     * List all registered agents (without tokens).
+     */
+    list(): Agent[];
+    /**
+     * Get an agent by name (without token).
+     */
+    getByName(name: string): Agent | null;
+    /**
+     * Validate an agent token. Returns the agent if the token is valid, null otherwise.
+     *
+     * Uses SHA-256 hash comparison for constant-time-safe lookup.
+     */
+    validateToken(token: string): Agent | null;
+    /**
+     * Remove an agent by name. Also removes all credential grants.
+     */
+    remove(name: string): boolean;
+    /**
+     * Regenerate an agent's token. Issues a new token, invalidates the old one.
+     *
+     * The agent keeps its identity (id, name), credential grants, and rate limits.
+     * Only the token changes. This follows the same pattern as GitHub personal
+     * access token rotation or Stripe API key rolling.
+     *
+     * Returns the agent with the new token (shown once), or null if not found.
+     */
+    regenerateToken(name: string): AgentWithToken | null;
+    /**
+     * Grant an agent access to a credential.
+     */
+    grant(params: {
+        agentName: string;
+        credentialId: string;
+    }): void;
+    /**
+     * Revoke an agent's access to a credential.
+     */
+    revoke(params: {
+        agentName: string;
+        credentialId: string;
+    }): boolean;
+    /**
+     * Check if an agent has access to a specific credential.
+     */
+    hasAccess(agentId: string, credentialId: string): boolean;
+    /**
+     * List all credential IDs an agent has access to.
+     */
+    listGrants(agentName: string): string[];
+    /**
+     * Set or update an agent's rate limit for a specific service.
+     * This is stored as a general rate limit on the agent record.
+     */
+    setRateLimit(params: {
+        agentName: string;
+        rateLimit: string | null;
+    }): Agent;
+    private rowToAgent;
+}
+//# sourceMappingURL=agent.d.ts.map

package/dist/agent/agent.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"agent.d.ts","sourceRoot":"","sources":["../../src/agent/agent.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAI3C,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAe,SAAQ,KAAK;IAC3C,KAAK,EAAE,MAAM,CAAC;CACf;AAcD;;;;;;;;;GASG;AACH,qBAAa,aAAa;IAItB,OAAO,CAAC,EAAE;IAHZ,OAAO,CAAC,UAAU,CAAS;gBAGjB,EAAE,EAAE,QAAQ,CAAC,QAAQ,EAC7B,UAAU,EAAE,MAAM;IAKpB;;;;;;OAMG;IACH,GAAG,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,cAAc;IAkCjE;;OAEG;IACH,IAAI,IAAI,KAAK,EAAE;IAQf;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,KAAK,GAAG,IAAI;IAOrC;;;;OAIG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,GAAG,IAAI;IAS1C;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAS7B;;;;;;;;OAQG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;IAkCpD;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAoBhE;;OAEG;IACH,MAAM,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO;IAapE;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAQzD;;OAEG;IACH,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE;IAevC;;;OAGG;IACH,YAAY,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,KAAK;IAmB5E,OAAO,CAAC,UAAU;CAUnB"}

package/dist/agent/agent.js ADDED Viewed

@@ -0,0 +1,212 @@
+import * as crypto from 'node:crypto';
+// ─── Agent Registry ──────────────────────────────────────────────
+/**
+ * Agent Registry — manages agent identities and their credential access grants.
+ *
+ * Agents are identified by tokens (UUID v4 + HMAC suffix). Tokens are:
+ * - Hashed (SHA-256) for fast lookup during request validation — hash-only, no recovery
+ * - Prefixed (first 12 chars) for safe display in logs and audit entries
+ *
+ * Security: Tokens are never stored in recoverable form. If a token is lost,
+ * use regenerateToken() to issue a new one (same pattern as GitHub/Stripe key rotation).
+ */
+export class AgentRegistry {
+    db;
+    derivedKey;
+    constructor(db, derivedKey) {
+        this.db = db;
+        this.derivedKey = derivedKey;
+    }
+    /**
+     * Register a new agent. Returns the agent with its token (shown once).
+     *
+     * Token format: aegis_{uuid}_{hmac_prefix}
+     * The HMAC is derived from the UUID using the master key, making tokens
+     * verifiable as Aegis-generated.
+     */
+    add(params) {
+        const id = crypto.randomUUID();
+        const uuid = crypto.randomUUID();
+        // Create HMAC of the UUID using the derived key for token integrity
+        const hmac = crypto
+            .createHmac('sha256', this.derivedKey)
+            .update(uuid)
+            .digest('hex')
+            .slice(0, 16);
+        const token = `aegis_${uuid}_${hmac}`;
+        // Hash the full token for fast lookup (hash-only — no recovery, only regeneration)
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const tokenPrefix = token.slice(0, 12);
+        this.db
+            .prepare(`INSERT INTO agents (id, name, token_hash, token_prefix, rate_limit)
+         VALUES (?, ?, ?, ?, ?)`)
+            .run(id, params.name, tokenHash, tokenPrefix, params.rateLimit ?? null);
+        return {
+            id,
+            name: params.name,
+            tokenPrefix,
+            token,
+            rateLimit: params.rateLimit,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * List all registered agents (without tokens).
+     */
+    list() {
+        const rows = this.db
+            .prepare('SELECT * FROM agents ORDER BY created_at DESC')
+            .all();
+        return rows.map((row) => this.rowToAgent(row));
+    }
+    /**
+     * Get an agent by name (without token).
+     */
+    getByName(name) {
+        const row = this.db.prepare('SELECT * FROM agents WHERE name = ?').get(name);
+        return row ? this.rowToAgent(row) : null;
+    }
+    /**
+     * Validate an agent token. Returns the agent if the token is valid, null otherwise.
+     *
+     * Uses SHA-256 hash comparison for constant-time-safe lookup.
+     */
+    validateToken(token) {
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const row = this.db.prepare('SELECT * FROM agents WHERE token_hash = ?').get(tokenHash);
+        return row ? this.rowToAgent(row) : null;
+    }
+    /**
+     * Remove an agent by name. Also removes all credential grants.
+     */
+    remove(name) {
+        const agent = this.getByName(name);
+        if (!agent)
+            return false;
+        // Foreign key CASCADE handles agent_credentials cleanup
+        const result = this.db.prepare('DELETE FROM agents WHERE name = ?').run(name);
+        return result.changes > 0;
+    }
+    /**
+     * Regenerate an agent's token. Issues a new token, invalidates the old one.
+     *
+     * The agent keeps its identity (id, name), credential grants, and rate limits.
+     * Only the token changes. This follows the same pattern as GitHub personal
+     * access token rotation or Stripe API key rolling.
+     *
+     * Returns the agent with the new token (shown once), or null if not found.
+     */
+    regenerateToken(name) {
+        const agent = this.getByName(name);
+        if (!agent)
+            return null;
+        // Generate a new token with the same UUID+HMAC format
+        const uuid = crypto.randomUUID();
+        const hmac = crypto
+            .createHmac('sha256', this.derivedKey)
+            .update(uuid)
+            .digest('hex')
+            .slice(0, 16);
+        const token = `aegis_${uuid}_${hmac}`;
+        // Compute new hash and prefix
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const tokenPrefix = token.slice(0, 12);
+        // Update only the token fields — identity, grants, and rate limits are preserved
+        this.db
+            .prepare(`UPDATE agents SET token_hash = ?, token_prefix = ?, updated_at = datetime('now') WHERE id = ?`)
+            .run(tokenHash, tokenPrefix, agent.id);
+        return {
+            ...agent,
+            tokenPrefix,
+            token,
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    // ─── Credential Grants ──────────────────────────────────────────
+    /**
+     * Grant an agent access to a credential.
+     */
+    grant(params) {
+        const agent = this.getByName(params.agentName);
+        if (!agent) {
+            throw new Error(`No agent found with name "${params.agentName}"`);
+        }
+        // Check if already granted
+        const existing = this.db
+            .prepare('SELECT 1 FROM agent_credentials WHERE agent_id = ? AND credential_id = ?')
+            .get(agent.id, params.credentialId);
+        if (existing) {
+            return; // Already granted — idempotent
+        }
+        this.db
+            .prepare('INSERT INTO agent_credentials (agent_id, credential_id) VALUES (?, ?)')
+            .run(agent.id, params.credentialId);
+    }
+    /**
+     * Revoke an agent's access to a credential.
+     */
+    revoke(params) {
+        const agent = this.getByName(params.agentName);
+        if (!agent) {
+            throw new Error(`No agent found with name "${params.agentName}"`);
+        }
+        const result = this.db
+            .prepare('DELETE FROM agent_credentials WHERE agent_id = ? AND credential_id = ?')
+            .run(agent.id, params.credentialId);
+        return result.changes > 0;
+    }
+    /**
+     * Check if an agent has access to a specific credential.
+     */
+    hasAccess(agentId, credentialId) {
+        const row = this.db
+            .prepare('SELECT 1 FROM agent_credentials WHERE agent_id = ? AND credential_id = ?')
+            .get(agentId, credentialId);
+        return row !== undefined;
+    }
+    /**
+     * List all credential IDs an agent has access to.
+     */
+    listGrants(agentName) {
+        const agent = this.getByName(agentName);
+        if (!agent) {
+            throw new Error(`No agent found with name "${agentName}"`);
+        }
+        const rows = this.db
+            .prepare('SELECT credential_id FROM agent_credentials WHERE agent_id = ?')
+            .all(agent.id);
+        return rows.map((r) => r.credential_id);
+    }
+    // ─── Per-Agent Rate Limits ──────────────────────────────────────
+    /**
+     * Set or update an agent's rate limit for a specific service.
+     * This is stored as a general rate limit on the agent record.
+     */
+    setRateLimit(params) {
+        const agent = this.getByName(params.agentName);
+        if (!agent) {
+            throw new Error(`No agent found with name "${params.agentName}"`);
+        }
+        this.db
+            .prepare("UPDATE agents SET rate_limit = ?, updated_at = datetime('now') WHERE id = ?")
+            .run(params.rateLimit, agent.id);
+        return {
+            ...agent,
+            rateLimit: params.rateLimit ?? undefined,
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    // ─── Internal ───────────────────────────────────────────────────
+    rowToAgent(row) {
+        return {
+            id: row.id,
+            name: row.name,
+            tokenPrefix: row.token_prefix,
+            rateLimit: row.rate_limit ?? undefined,
+            createdAt: row.created_at,
+            updatedAt: row.updated_at,
+        };
+    }
+}
+//# sourceMappingURL=agent.js.map

package/dist/agent/agent.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"agent.js","sourceRoot":"","sources":["../../src/agent/agent.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AA4BtC,oEAAoE;AAEpE;;;;;;;;;GASG;AACH,MAAM,OAAO,aAAa;IAId;IAHF,UAAU,CAAS;IAE3B,YACU,EAAqB,EAC7B,UAAkB;QADV,OAAE,GAAF,EAAE,CAAmB;QAG7B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;;;;;OAMG;IACH,GAAG,CAAC,MAA4C;QAC9C,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEjC,oEAAoE;QACpE,MAAM,IAAI,GAAG,MAAM;aAChB,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC;aACrC,MAAM,CAAC,IAAI,CAAC;aACZ,MAAM,CAAC,KAAK,CAAC;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC;QAEtC,mFAAmF;QACnF,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAEvC,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;gCACwB,CACzB;aACA,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC;QAE1E,OAAO;YACL,EAAE;YACF,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,WAAW;YACX,KAAK;YACL,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI;QACF,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,+CAA+C,CAAC;aACxD,GAAG,EAAgB,CAAC;QAEvB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAY;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC,GAAG,CAAC,IAAI,CAE9D,CAAC;QACd,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED;;;;OAIG;IACH,aAAa,CAAC,KAAa;QACzB,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,2CAA2C,CAAC,CAAC,GAAG,CAAC,SAAS,CAEzE,CAAC;QAEd,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAY;QACjB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,wDAAwD;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9E,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;;;;;;;OAQG;IACH,eAAe,CAAC,IAAY;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,sDAAsD;QACtD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM;aAChB,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC;aACrC,MAAM,CAAC,IAAI,CAAC;aACZ,MAAM,CAAC,KAAK,CAAC;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC;QAEtC,8BAA8B;QAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAEvC,iFAAiF;QACjF,IAAI,CAAC,EAAE;aACJ,OAAO,CACN,+FAA+F,CAChG;aACA,GAAG,CAAC,SAAS,EAAE,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;QAEzC,OAAO;YACL,GAAG,KAAK;YACR,WAAW;YACX,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED,mEAAmE;IAEnE;;OAEG;IACH,KAAK,CAAC,MAAmD;QACvD,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE;aACrB,OAAO,CAAC,0EAA0E,CAAC;aACnF,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;QAEtC,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,+BAA+B;QACzC,CAAC;QAED,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,uEAAuE,CAAC;aAChF,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,MAAmD;QACxD,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE;aACnB,OAAO,CAAC,wEAAwE,CAAC;aACjF,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;QAEtC,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,OAAe,EAAE,YAAoB;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,0EAA0E,CAAC;aACnF,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAE9B,OAAO,GAAG,KAAK,SAAS,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,SAAiB;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACxC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,SAAS,GAAG,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,gEAAgE,CAAC;aACzE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAqC,CAAC;QAErD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;IAC1C,CAAC;IAED,mEAAmE;IAEnE;;;OAGG;IACH,YAAY,CAAC,MAAuD;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,6EAA6E,CAAC;aACtF,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;QAEnC,OAAO;YACL,GAAG,KAAK;YACR,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;YACxC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED,mEAAmE;IAE3D,UAAU,CAAC,GAAa;QAC9B,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,WAAW,EAAE,GAAG,CAAC,YAAY;YAC7B,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;YACtC,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,SAAS,EAAE,GAAG,CAAC,UAAU;SAC1B,CAAC;IACJ,CAAC;CACF"}

package/dist/agent/index.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export type { Agent, AgentWithToken } from './agent.js';
+export { AgentRegistry } from './agent.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/agent/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/agent/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/agent/index.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { AgentRegistry } from './agent.js';
2	+ //# sourceMappingURL=index.js.map

package/dist/agent/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/agent/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/cli/auth.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * RBAC enforcement helper for CLI commands.
+ *
+ * Authenticates the current user via AEGIS_USER_TOKEN and checks
+ * whether they have the required permission.
+ */
+import type { getDb } from '../db.js';
+import type { Permission } from '../user/index.js';
+/**
+ * Authenticate the current user via AEGIS_USER_TOKEN and check permission.
+ *
+ * Always enforced once users exist. If no users have been created yet
+ * (bootstrap mode), all commands are allowed — `aegis init` creates the
+ * first admin user.
+ *
+ * Returns true if allowed. Calls process.exit(1) if denied.
+ */
+export declare function requireUserAuth(db: ReturnType<typeof getDb>, derivedKey: Buffer, permission: Permission): boolean;
+//# sourceMappingURL=auth.d.ts.map

package/dist/cli/auth.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/cli/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAGnD;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,EAAE,EAAE,UAAU,CAAC,OAAO,KAAK,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,UAAU,GACrB,OAAO,CA+BT"}

package/dist/cli/auth.js ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * RBAC enforcement helper for CLI commands.
+ *
+ * Authenticates the current user via AEGIS_USER_TOKEN and checks
+ * whether they have the required permission.
+ */
+import { hasPermission, UserRegistry } from '../user/index.js';
+/**
+ * Authenticate the current user via AEGIS_USER_TOKEN and check permission.
+ *
+ * Always enforced once users exist. If no users have been created yet
+ * (bootstrap mode), all commands are allowed — `aegis init` creates the
+ * first admin user.
+ *
+ * Returns true if allowed. Calls process.exit(1) if denied.
+ */
+export function requireUserAuth(db, derivedKey, permission) {
+    const registry = new UserRegistry(db, derivedKey);
+    // Bootstrap mode: no users exist yet — allow everything so init can create the first admin
+    if (registry.count() === 0)
+        return true;
+    const token = process.env.AEGIS_USER_TOKEN;
+    if (!token) {
+        console.error('\n✗ Authentication required. Set AEGIS_USER_TOKEN=<your-api-key>\n');
+        console.error('  Get an API key from your admin, or regenerate with:');
+        console.error('  aegis user regenerate-token --name <name>\n');
+        process.exit(1);
+    }
+    const user = registry.validateToken(token);
+    if (!user) {
+        console.error('\n✗ Invalid API key. Token not recognized.\n');
+        console.error('  Regenerate with: aegis user regenerate-token --name <name>\n');
+        process.exit(1);
+    }
+    if (!hasPermission(user.role, permission)) {
+        console.error(`\n✗ Permission denied. Role "${user.role}" does not have "${permission}".\n`);
+        console.error(`  Required permission: ${permission}`);
+        console.error(`  Your role: ${user.role}`);
+        console.error(`  Contact an admin to upgrade your role.\n`);
+        process.exit(1);
+    }
+    return true;
+}
+//# sourceMappingURL=auth.js.map

package/dist/cli/auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/cli/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAE/D;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAC7B,EAA4B,EAC5B,UAAkB,EAClB,UAAsB;IAEtB,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;IAElD,2FAA2F;IAC3F,IAAI,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACpF,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QACvE,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IAE3C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAC9D,OAAO,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;QAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,gCAAgC,IAAI,CAAC,IAAI,oBAAoB,UAAU,MAAM,CAAC,CAAC;QAC7F,OAAO,CAAC,KAAK,CAAC,0BAA0B,UAAU,EAAE,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAC,gBAAgB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/cli/commands/agent.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Agent commands: add, list, remove, regenerate, grant, revoke, set-rate-limit.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=agent.d.ts.map

package/dist/cli/commands/agent.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"agent.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/agent.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAqP/C"}