@getaegis/cli 0.8.0 → 0.8.1

package/dist/dashboard/public/favicon.svg

@@ -0,0 +1,6 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" fill="none">
+  <circle cx="32" cy="32" r="30" stroke="#C8973E" stroke-width="2.5"/>
+  <circle cx="32" cy="32" r="23" stroke="#C8973E" stroke-width="1.5"/>
+  <circle cx="32" cy="32" r="10" stroke="#C8973E" stroke-width="2"/>
+  <circle cx="32" cy="32" r="3" fill="#C8973E"/>
+</svg>

package/dist/dashboard/public/index.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Aegis Dashboard</title>
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <script type="module" crossorigin src="/assets/index-DkHiw9_f.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-CpMruPNh.css">
+  </head>
+  <body class="bg-surface-0 text-primary antialiased">
+    <div id="root"></div>
+  </body>
+</html>

package/dist/db.d.ts

@@ -0,0 +1,15 @@
+import Database from 'better-sqlite3';
+import type { AegisConfig } from './config.js';
+/**
+ * Open the SQLite database for the active vault.
+ * Uses VaultManager to resolve vault name → database path.
+ * Falls back to `.aegis/aegis.db` only if no vaults exist (pre-init state).
+ */
+export declare function getDb(config: AegisConfig): Database.Database;
+/**
+ * Get the salt for the active vault.
+ * Returns the vault-specific salt from the registry, or the env salt for fallback.
+ */
+export declare function getVaultSalt(config: AegisConfig): string;
+export declare function migrate(db: Database.Database): void;
+//# sourceMappingURL=db.d.ts.map

package/dist/db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAEA,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG/C;;;;GAIG;AACH,wBAAgB,KAAK,CAAC,MAAM,EAAE,WAAW,GAAG,QAAQ,CAAC,QAAQ,CA+B5D;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CAIxD;AAED,wBAAgB,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,QAAQ,GAAG,IAAI,CAgJnD"}

package/dist/db.js

@@ -0,0 +1,190 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import Database from 'better-sqlite3';
+import { VaultManager } from './vault/vault-manager.js';
+/**
+ * Open the SQLite database for the active vault.
+ * Uses VaultManager to resolve vault name → database path.
+ * Falls back to `.aegis/aegis.db` only if no vaults exist (pre-init state).
+ */
+export function getDb(config) {
+    const manager = new VaultManager(config.dataDir);
+    const info = manager.getVaultInfo(config.vaultName);
+    let dbPath;
+    if (info) {
+        dbPath = path.join(config.dataDir, info.dbPath);
+    }
+    else {
+        // Fallback for commands that run before vault creation (e.g. doctor, init)
+        dbPath = path.join(config.dataDir, 'aegis.db');
+    }
+    const dir = path.dirname(dbPath);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    try {
+        const db = new Database(dbPath);
+        db.pragma('journal_mode = WAL');
+        return db;
+    }
+    catch (err) {
+        const sqliteErr = err;
+        if (sqliteErr.code === 'SQLITE_NOTADB') {
+            throw new Error(`Database file is corrupted or not a valid SQLite database: ${dbPath}\n` +
+                `  Back up the file and reinitialize with: aegis init`);
+        }
+        throw err;
+    }
+}
+/**
+ * Get the salt for the active vault.
+ * Returns the vault-specific salt from the registry, or the env salt for fallback.
+ */
+export function getVaultSalt(config) {
+    const manager = new VaultManager(config.dataDir);
+    const info = manager.getVaultInfo(config.vaultName);
+    return info ? info.salt : config.salt;
+}
+export function migrate(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS credentials (
+      id          TEXT PRIMARY KEY,
+      name        TEXT NOT NULL UNIQUE,
+      service     TEXT NOT NULL,
+      encrypted   BLOB NOT NULL,
+      iv          BLOB NOT NULL,
+      auth_tag    BLOB NOT NULL,
+      auth_type   TEXT NOT NULL DEFAULT 'bearer',
+      header_name TEXT,
+      domains     TEXT NOT NULL,
+      scopes      TEXT NOT NULL DEFAULT '*',
+      expires_at  TEXT,
+      rate_limit  TEXT,
+      body_inspection TEXT NOT NULL DEFAULT 'block',
+      created_at  TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at  TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE TABLE IF NOT EXISTS credential_history (
+      id              INTEGER PRIMARY KEY AUTOINCREMENT,
+      credential_id   TEXT NOT NULL,
+      encrypted       BLOB NOT NULL,
+      iv              BLOB NOT NULL,
+      auth_tag        BLOB NOT NULL,
+      rotated_at      TEXT NOT NULL DEFAULT (datetime('now')),
+      grace_expires   TEXT,
+      FOREIGN KEY (credential_id) REFERENCES credentials(id) ON DELETE CASCADE
+    );
+
+    CREATE TABLE IF NOT EXISTS audit_log (
+      id            INTEGER PRIMARY KEY AUTOINCREMENT,
+      timestamp     TEXT NOT NULL DEFAULT (datetime('now')),
+      credential_id TEXT,
+      credential_name TEXT,
+      service       TEXT NOT NULL,
+      target_domain TEXT NOT NULL,
+      method        TEXT NOT NULL,
+      path          TEXT NOT NULL,
+      status        TEXT NOT NULL DEFAULT 'allowed',
+      blocked_reason TEXT,
+      response_code INTEGER,
+      channel       TEXT NOT NULL DEFAULT 'gate'
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON audit_log(timestamp);
+    CREATE INDEX IF NOT EXISTS idx_audit_credential ON audit_log(credential_id);
+    CREATE INDEX IF NOT EXISTS idx_audit_service ON audit_log(service);
+    CREATE INDEX IF NOT EXISTS idx_history_credential ON credential_history(credential_id);
+
+    CREATE TABLE IF NOT EXISTS agents (
+      id              TEXT PRIMARY KEY,
+      name            TEXT NOT NULL UNIQUE,
+      token_hash      TEXT NOT NULL,
+      token_prefix    TEXT NOT NULL,
+      rate_limit      TEXT,
+      created_at      TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at      TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE TABLE IF NOT EXISTS agent_credentials (
+      agent_id        TEXT NOT NULL,
+      credential_id   TEXT NOT NULL,
+      granted_at      TEXT NOT NULL DEFAULT (datetime('now')),
+      PRIMARY KEY (agent_id, credential_id),
+      FOREIGN KEY (agent_id) REFERENCES agents(id) ON DELETE CASCADE,
+      FOREIGN KEY (credential_id) REFERENCES credentials(id) ON DELETE CASCADE
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_agents_token_hash ON agents(token_hash);
+    CREATE INDEX IF NOT EXISTS idx_agent_creds_agent ON agent_credentials(agent_id);
+    CREATE INDEX IF NOT EXISTS idx_agent_creds_cred ON agent_credentials(credential_id);
+
+    CREATE TABLE IF NOT EXISTS webhooks (
+      id          TEXT PRIMARY KEY,
+      url         TEXT NOT NULL,
+      events      TEXT NOT NULL,
+      label       TEXT,
+      secret      TEXT NOT NULL,
+      created_at  TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE TABLE IF NOT EXISTS users (
+      id              TEXT PRIMARY KEY,
+      name            TEXT NOT NULL UNIQUE,
+      role            TEXT NOT NULL DEFAULT 'viewer',
+      token_hash      TEXT NOT NULL,
+      token_prefix    TEXT NOT NULL,
+      created_at      TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at      TEXT NOT NULL DEFAULT (datetime('now'))
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_users_token_hash ON users(token_hash);
+  `);
+    // Migration: add expires_at column if not present (for pre-v0.2 databases)
+    const cols = db.prepare('PRAGMA table_info(credentials)').all();
+    const colNames = cols.map((c) => c.name);
+    if (!colNames.includes('expires_at')) {
+        db.exec('ALTER TABLE credentials ADD COLUMN expires_at TEXT');
+    }
+    if (!colNames.includes('rate_limit')) {
+        db.exec('ALTER TABLE credentials ADD COLUMN rate_limit TEXT');
+    }
+    if (!colNames.includes('body_inspection')) {
+        db.exec("ALTER TABLE credentials ADD COLUMN body_inspection TEXT NOT NULL DEFAULT 'block'");
+    }
+    // Migration: add agent identity columns to audit_log (for pre-v0.3 databases)
+    const auditCols = db.prepare('PRAGMA table_info(audit_log)').all();
+    const auditColNames = auditCols.map((c) => c.name);
+    if (!auditColNames.includes('agent_name')) {
+        db.exec('ALTER TABLE audit_log ADD COLUMN agent_name TEXT');
+    }
+    if (!auditColNames.includes('agent_token_prefix')) {
+        db.exec('ALTER TABLE audit_log ADD COLUMN agent_token_prefix TEXT');
+    }
+    if (!auditColNames.includes('channel')) {
+        db.exec("ALTER TABLE audit_log ADD COLUMN channel TEXT NOT NULL DEFAULT 'gate'");
+    }
+    // Migration: drop encrypted token columns from agents table (v0.3 security hardening)
+    // SQLite 3.35.0+ supports DROP COLUMN. For older versions, we recreate the table.
+    const agentCols = db.prepare('PRAGMA table_info(agents)').all();
+    const agentColNames = agentCols.map((c) => c.name);
+    if (agentColNames.includes('encrypted_token')) {
+        db.exec(`
+      CREATE TABLE IF NOT EXISTS agents_new (
+        id              TEXT PRIMARY KEY,
+        name            TEXT NOT NULL UNIQUE,
+        token_hash      TEXT NOT NULL,
+        token_prefix    TEXT NOT NULL,
+        rate_limit      TEXT,
+        created_at      TEXT NOT NULL DEFAULT (datetime('now')),
+        updated_at      TEXT NOT NULL DEFAULT (datetime('now'))
+      );
+      INSERT OR IGNORE INTO agents_new (id, name, token_hash, token_prefix, rate_limit, created_at, updated_at)
+        SELECT id, name, token_hash, token_prefix, rate_limit, created_at, updated_at FROM agents;
+      DROP TABLE agents;
+      ALTER TABLE agents_new RENAME TO agents;
+      CREATE INDEX IF NOT EXISTS idx_agents_token_hash ON agents(token_hash);
+    `);
+    }
+}
+//# sourceMappingURL=db.js.map

package/dist/db.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.js","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AAEtC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD;;;;GAIG;AACH,MAAM,UAAU,KAAK,CAAC,MAAmB;IACvC,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEpD,IAAI,MAAc,CAAC;IACnB,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;SAAM,CAAC;QACN,2EAA2E;QAC3E,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;QAChC,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAChC,OAAO,EAAE,CAAC;IACZ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,SAAS,GAAG,GAA0C,CAAC;QAC7D,IAAI,SAAS,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,8DAA8D,MAAM,IAAI;gBACtE,sDAAsD,CACzD,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,MAAmB;IAC9C,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,EAAqB;IAC3C,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6FP,CAAC,CAAC;IAEH,2EAA2E;IAC3E,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,gCAAgC,CAAC,CAAC,GAAG,EAA6B,CAAC;IAC3F,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACzC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QACrC,EAAE,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QACrC,EAAE,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC1C,EAAE,CAAC,IAAI,CAAC,kFAAkF,CAAC,CAAC;IAC9F,CAAC;IAED,8EAA8E;IAC9E,MAAM,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC,GAAG,EAA6B,CAAC;IAC9F,MAAM,aAAa,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC1C,EAAE,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QAClD,EAAE,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,EAAE,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACnF,CAAC;IAED,sFAAsF;IACtF,kFAAkF;IAClF,MAAM,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC,GAAG,EAA6B,CAAC;IAC3F,MAAM,aAAa,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,aAAa,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC9C,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;KAeP,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/doctor.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Aegis Doctor — health check diagnostics.
+ *
+ * Validates the Aegis installation by checking:
+ *   1. Config file and configuration
+ *   2. Database accessibility and schema
+ *   3. Credential decryption (master key correctness)
+ *   4. Expired / expiring-soon credentials
+ *
+ * Returns a structured list of check results that the CLI can render.
+ */
+import type Database from 'better-sqlite3';
+import type { AegisConfig } from './config.js';
+export interface CheckResult {
+    label: string;
+    status: 'pass' | 'warn' | 'fail';
+    detail: string;
+}
+export interface DoctorReport {
+    checks: CheckResult[];
+    overall: 'pass' | 'warn' | 'fail';
+}
+export interface DoctorOptions {
+    /** Resolved Aegis configuration */
+    config: AegisConfig;
+    /** An open better-sqlite3 database, or null if no DB is available */
+    db: Database.Database | null;
+}
+/**
+ * Run all Aegis health checks and return a structured report.
+ */
+export declare function runDoctor(opts: DoctorOptions): DoctorReport;
+/**
+ * Render a DoctorReport to the console with coloured output.
+ */
+export declare function printDoctorReport(report: DoctorReport): void;
+//# sourceMappingURL=doctor.d.ts.map

package/dist/doctor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../src/doctor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI/C,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IACjC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;CACnC;AAED,MAAM,WAAW,aAAa;IAC5B,mCAAmC;IACnC,MAAM,EAAE,WAAW,CAAC;IACpB,qEAAqE;IACrE,EAAE,EAAE,QAAQ,CAAC,QAAQ,GAAG,IAAI,CAAC;CAC9B;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,aAAa,GAAG,YAAY,CAwK3D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAiB5D"}

package/dist/doctor.js

@@ -0,0 +1,196 @@
+/**
+ * Aegis Doctor — health check diagnostics.
+ *
+ * Validates the Aegis installation by checking:
+ *   1. Config file and configuration
+ *   2. Database accessibility and schema
+ *   3. Credential decryption (master key correctness)
+ *   4. Expired / expiring-soon credentials
+ *
+ * Returns a structured list of check results that the CLI can render.
+ */
+import { getVaultSalt, migrate } from './db.js';
+import { Vault } from './vault/index.js';
+/**
+ * Run all Aegis health checks and return a structured report.
+ */
+export function runDoctor(opts) {
+    const checks = [];
+    // ── 1. Validate config file and configuration ──────────────────
+    const { config } = opts;
+    if (config.configFilePath) {
+        checks.push({
+            label: 'Config file',
+            status: 'pass',
+            detail: `Found at ${config.configFilePath}`,
+        });
+    }
+    else {
+        checks.push({
+            label: 'Config file',
+            status: 'warn',
+            detail: 'No aegis.config.yaml found — using environment variables or defaults',
+        });
+    }
+    if (!config.masterKey) {
+        checks.push({
+            label: 'Master key',
+            status: 'fail',
+            detail: 'AEGIS_MASTER_KEY is not set. Run: aegis init',
+        });
+    }
+    else {
+        checks.push({ label: 'Master key', status: 'pass', detail: 'AEGIS_MASTER_KEY is set' });
+    }
+    // ── 2. Verify database accessibility and schema ────────────────
+    const { db } = opts;
+    const effectiveSalt = db ? getVaultSalt(config) : config.salt;
+    if (effectiveSalt === 'aegis-vault-v1') {
+        checks.push({
+            label: 'Salt',
+            status: 'warn',
+            detail: 'AEGIS_SALT is using the default value — run: aegis init to generate a random salt',
+        });
+    }
+    else {
+        checks.push({ label: 'Salt', status: 'pass', detail: 'AEGIS_SALT is set (custom)' });
+    }
+    if (!db) {
+        checks.push({
+            label: 'Database',
+            status: 'fail',
+            detail: 'Database is not available. Run: aegis init',
+        });
+    }
+    else {
+        try {
+            migrate(db);
+            checks.push({ label: 'Database', status: 'pass', detail: 'SQLite accessible' });
+            const tables = db
+                .prepare("SELECT name FROM sqlite_master WHERE type='table'")
+                .all();
+            const tableNames = tables.map((t) => t.name);
+            const requiredTables = ['credentials', 'credential_history', 'audit_log'];
+            const missingTables = requiredTables.filter((t) => !tableNames.includes(t));
+            if (missingTables.length > 0) {
+                checks.push({
+                    label: 'Schema',
+                    status: 'fail',
+                    detail: `Missing tables: ${missingTables.join(', ')}`,
+                });
+            }
+            else {
+                checks.push({
+                    label: 'Schema',
+                    status: 'pass',
+                    detail: 'All required tables present (credentials, credential_history, audit_log)',
+                });
+            }
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            checks.push({
+                label: 'Database',
+                status: 'fail',
+                detail: `Cannot access database: ${message}`,
+            });
+        }
+    }
+    // ── 3. Test-decrypt a credential ───────────────────────────────
+    if (db && config.masterKey) {
+        try {
+            const vault = new Vault(db, config.masterKey, effectiveSalt);
+            const creds = vault.list();
+            if (creds.length === 0) {
+                checks.push({
+                    label: 'Decrypt test',
+                    status: 'warn',
+                    detail: 'No credentials stored — cannot verify decryption. Add one with: aegis vault add',
+                });
+            }
+            else {
+                // Key verification already passed in constructor — confirm with explicit decrypt
+                checks.push({
+                    label: 'Decrypt test',
+                    status: 'pass',
+                    detail: `Successfully decrypted credential "${creds[0].name}"`,
+                });
+            }
+            // ── 4. Expired / expiring-soon credentials ──────────────────
+            const expired = creds.filter((c) => vault.isExpired(c));
+            const expiringSoon = creds.filter((c) => {
+                if (!c.expiresAt || vault.isExpired(c))
+                    return false;
+                const expiryDate = new Date(c.expiresAt);
+                const now = new Date();
+                const daysLeft = (expiryDate.getTime() - now.getTime()) / (1000 * 60 * 60 * 24);
+                return daysLeft <= 7;
+            });
+            if (expired.length > 0) {
+                checks.push({
+                    label: 'Expired creds',
+                    status: 'warn',
+                    detail: `${expired.length} expired: ${expired.map((c) => c.name).join(', ')}`,
+                });
+            }
+            else {
+                checks.push({
+                    label: 'Expired creds',
+                    status: 'pass',
+                    detail: 'No expired credentials',
+                });
+            }
+            if (expiringSoon.length > 0) {
+                checks.push({
+                    label: 'Expiring soon',
+                    status: 'warn',
+                    detail: `${expiringSoon.length} expiring within 7 days: ${expiringSoon.map((c) => c.name).join(', ')}`,
+                });
+            }
+            // Summary stats
+            checks.push({
+                label: 'Credentials',
+                status: 'pass',
+                detail: `${creds.length} stored (${creds.length - expired.length} active, ${expired.length} expired)`,
+            });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            const isKeyError = message.includes('Invalid master key');
+            checks.push({
+                label: isKeyError ? 'Decrypt test' : 'Vault',
+                status: 'fail',
+                detail: isKeyError
+                    ? 'Decryption failed — master key or salt may be incorrect'
+                    : `Cannot initialize vault: ${message}`,
+            });
+        }
+    }
+    // ── Compute overall status ─────────────────────────────────────
+    const hasFailure = checks.some((c) => c.status === 'fail');
+    const hasWarning = checks.some((c) => c.status === 'warn');
+    const overall = hasFailure ? 'fail' : hasWarning ? 'warn' : 'pass';
+    return { checks, overall };
+}
+/**
+ * Render a DoctorReport to the console with coloured output.
+ */
+export function printDoctorReport(report) {
+    for (const check of report.checks) {
+        const icon = check.status === 'pass' ? '✓' : check.status === 'warn' ? '⚠' : '✗';
+        const color = check.status === 'pass' ? '\x1b[32m' : check.status === 'warn' ? '\x1b[33m' : '\x1b[31m';
+        const reset = '\x1b[0m';
+        console.log(`  ${color}${icon}${reset} ${check.label}: ${check.detail}`);
+    }
+    console.log();
+    if (report.overall === 'fail') {
+        console.log('  Overall: ✗ Issues found — fix the failures above\n');
+    }
+    else if (report.overall === 'warn') {
+        console.log('  Overall: ⚠ Healthy with warnings\n');
+    }
+    else {
+        console.log('  Overall: ✓ All checks passed\n');
+    }
+}
+//# sourceMappingURL=doctor.js.map

package/dist/doctor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../src/doctor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAChD,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAoBzC;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,IAAmB;IAC3C,MAAM,MAAM,GAAkB,EAAE,CAAC;IAEjC,kEAAkE;IAElE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAExB,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,aAAa;YACpB,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,YAAY,MAAM,CAAC,cAAc,EAAE;SAC5C,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,aAAa;YACpB,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,sEAAsE;SAC/E,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,YAAY;YACnB,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,8CAA8C;SACvD,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,kEAAkE;IAElE,MAAM,EAAE,EAAE,EAAE,GAAG,IAAI,CAAC;IAEpB,MAAM,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;IAC9D,IAAI,aAAa,KAAK,gBAAgB,EAAE,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,MAAM;YACb,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,mFAAmF;SAC5F,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC,CAAC;IACvF,CAAC;IAED,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,UAAU;YACjB,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,4CAA4C;SACrD,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,OAAO,CAAC,EAAE,CAAC,CAAC;YACZ,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC,CAAC;YAEhF,MAAM,MAAM,GAAG,EAAE;iBACd,OAAO,CAAC,mDAAmD,CAAC;iBAC5D,GAAG,EAA6B,CAAC;YACpC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,cAAc,GAAG,CAAC,aAAa,EAAE,oBAAoB,EAAE,WAAW,CAAC,CAAC;YAC1E,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAE5E,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,MAAM,CAAC,IAAI,CAAC;oBACV,KAAK,EAAE,QAAQ;oBACf,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBACtD,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC;oBACV,KAAK,EAAE,QAAQ;oBACf,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,0EAA0E;iBACnF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC;gBACV,KAAK,EAAE,UAAU;gBACjB,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,2BAA2B,OAAO,EAAE;aAC7C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kEAAkE;IAElE,IAAI,EAAE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;YAC7D,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;YAE3B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC;oBACV,KAAK,EAAE,cAAc;oBACrB,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,iFAAiF;iBAC1F,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,iFAAiF;gBACjF,MAAM,CAAC,IAAI,CAAC;oBACV,KAAK,EAAE,cAAc;oBACrB,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,sCAAsC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG;iBAC/D,CAAC,CAAC;YACL,CAAC;YAED,+DAA+D;YAE/D,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;YACxD,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACtC,IAAI,CAAC,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACrD,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;gBACzC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,QAAQ,GAAG,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;gBAChF,OAAO,QAAQ,IAAI,CAAC,CAAC;YACvB,CAAC,CAAC,CAAC;YAEH,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC;oBACV,KAAK,EAAE,eAAe;oBACtB,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,aAAa,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBAC9E,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC;oBACV,KAAK,EAAE,eAAe;oBACtB,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,wBAAwB;iBACjC,CAAC,CAAC;YACL,CAAC;YAED,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5B,MAAM,CAAC,IAAI,CAAC;oBACV,KAAK,EAAE,eAAe;oBACtB,MAAM,EAAE,MAAM;oBACd,MAAM,EAAE,GAAG,YAAY,CAAC,MAAM,4BAA4B,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBACvG,CAAC,CAAC;YACL,CAAC;YAED,gBAAgB;YAChB,MAAM,CAAC,IAAI,CAAC;gBACV,KAAK,EAAE,aAAa;gBACpB,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,YAAY,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,YAAY,OAAO,CAAC,MAAM,WAAW;aACtG,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC;YAC1D,MAAM,CAAC,IAAI,CAAC;gBACV,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,OAAO;gBAC5C,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,UAAU;oBAChB,CAAC,CAAC,yDAAyD;oBAC3D,CAAC,CAAC,4BAA4B,OAAO,EAAE;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kEAAkE;IAElE,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IAC3D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAEnE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAoB;IACpD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACjF,MAAM,KAAK,GACT,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;QAC3F,MAAM,KAAK,GAAG,SAAS,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,GAAG,IAAI,GAAG,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,IAAI,MAAM,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IACtE,CAAC;SAAM,IAAI,MAAM,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;IACtD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAClD,CAAC;AACH,CAAC"}

package/dist/gate/body-inspector.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Request Body Inspector — scans outbound request bodies for credential-like
+ * patterns that may indicate an agent is trying to exfiltrate secrets.
+ *
+ * This is a defence-in-depth measure. Even though the agent never sees
+ * decrypted credentials directly, an agent could attempt to send previously
+ * obtained secrets (e.g. from environment variables, config files) through
+ * Gate to an attacker-controlled domain. The body inspector catches this.
+ *
+ * Sensitivity modes:
+ *   - "off"   — no scanning (fastest, least secure)
+ *   - "warn"  — scan and log matches but allow the request through
+ *   - "block" — scan and block requests containing credential patterns (default)
+ */
+export type BodyInspectionMode = 'off' | 'warn' | 'block';
+export interface InspectionResult {
+    /** Whether any credential-like patterns were found */
+    suspicious: boolean;
+    /** Human-readable descriptions of what was found */
+    matches: string[];
+}
+export declare class BodyInspector {
+    /**
+     * Scan a request body string for credential-like patterns.
+     *
+     * @param body The raw request body as a string
+     * @returns An InspectionResult indicating whether suspicious patterns were found
+     */
+    inspect(body: string): InspectionResult;
+}
+//# sourceMappingURL=body-inspector.d.ts.map

package/dist/gate/body-inspector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"body-inspector.d.ts","sourceRoot":"","sources":["../../src/gate/body-inspector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,MAAM,MAAM,kBAAkB,GAAG,KAAK,GAAG,MAAM,GAAG,OAAO,CAAC;AAE1D,MAAM,WAAW,gBAAgB;IAC/B,sDAAsD;IACtD,UAAU,EAAE,OAAO,CAAC;IACpB,oDAAoD;IACpD,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AA4KD,qBAAa,aAAa;IACxB;;;;;OAKG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB;CA0BxC"}