npm - @getaegis/cli - Versions diffs - 0.8.0 → 0.8.1 - Mend

@getaegis/cli 0.8.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (210) hide show

package/README.md +5 -0
package/dist/agent/agent.d.ts +98 -0
package/dist/agent/agent.d.ts.map +1 -0
package/dist/agent/agent.js +212 -0
package/dist/agent/agent.js.map +1 -0
package/dist/agent/index.d.ts +3 -0
package/dist/agent/index.d.ts.map +1 -0
package/dist/agent/index.js +2 -0
package/dist/agent/index.js.map +1 -0
package/dist/cli/auth.d.ts +19 -0
package/dist/cli/auth.d.ts.map +1 -0
package/dist/cli/auth.js +44 -0
package/dist/cli/auth.js.map +1 -0
package/dist/cli/commands/agent.d.ts +6 -0
package/dist/cli/commands/agent.d.ts.map +1 -0
package/dist/cli/commands/agent.js +241 -0
package/dist/cli/commands/agent.js.map +1 -0
package/dist/cli/commands/config.d.ts +6 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +125 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/dashboard.d.ts +6 -0
package/dist/cli/commands/dashboard.d.ts.map +1 -0
package/dist/cli/commands/dashboard.js +189 -0
package/dist/cli/commands/dashboard.js.map +1 -0
package/dist/cli/commands/doctor.d.ts +6 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/doctor.js +39 -0
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/gate.d.ts +6 -0
package/dist/cli/commands/gate.d.ts.map +1 -0
package/dist/cli/commands/gate.js +196 -0
package/dist/cli/commands/gate.js.map +1 -0
package/dist/cli/commands/init.d.ts +6 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +109 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/ledger.d.ts +6 -0
package/dist/cli/commands/ledger.d.ts.map +1 -0
package/dist/cli/commands/ledger.js +140 -0
package/dist/cli/commands/ledger.js.map +1 -0
package/dist/cli/commands/mcp.d.ts +6 -0
package/dist/cli/commands/mcp.d.ts.map +1 -0
package/dist/cli/commands/mcp.js +224 -0
package/dist/cli/commands/mcp.js.map +1 -0
package/dist/cli/commands/policy.d.ts +6 -0
package/dist/cli/commands/policy.d.ts.map +1 -0
package/dist/cli/commands/policy.js +126 -0
package/dist/cli/commands/policy.js.map +1 -0
package/dist/cli/commands/user.d.ts +6 -0
package/dist/cli/commands/user.d.ts.map +1 -0
package/dist/cli/commands/user.js +150 -0
package/dist/cli/commands/user.js.map +1 -0
package/dist/cli/commands/vault-manager.d.ts +6 -0
package/dist/cli/commands/vault-manager.d.ts.map +1 -0
package/dist/cli/commands/vault-manager.js +240 -0
package/dist/cli/commands/vault-manager.js.map +1 -0
package/dist/cli/commands/vault.d.ts +6 -0
package/dist/cli/commands/vault.d.ts.map +1 -0
package/dist/cli/commands/vault.js +241 -0
package/dist/cli/commands/vault.js.map +1 -0
package/dist/cli/commands/webhook.d.ts +6 -0
package/dist/cli/commands/webhook.d.ts.map +1 -0
package/dist/cli/commands/webhook.js +151 -0
package/dist/cli/commands/webhook.js.map +1 -0
package/dist/cli/helpers.d.ts +12 -0
package/dist/cli/helpers.d.ts.map +1 -0
package/dist/cli/helpers.js +61 -0
package/dist/cli/helpers.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +17 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/validation.d.ts +37 -0
package/dist/cli/validation.d.ts.map +1 -0
package/dist/cli/validation.js +104 -0
package/dist/cli/validation.js.map +1 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +30 -0
package/dist/cli.js.map +1 -0
package/dist/config.d.ts +108 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +355 -0
package/dist/config.js.map +1 -0
package/dist/dashboard/dashboard-server.d.ts +95 -0
package/dist/dashboard/dashboard-server.d.ts.map +1 -0
package/dist/dashboard/dashboard-server.js +329 -0
package/dist/dashboard/dashboard-server.js.map +1 -0
package/dist/dashboard/index.d.ts +3 -0
package/dist/dashboard/index.d.ts.map +1 -0
package/dist/dashboard/index.js +2 -0
package/dist/dashboard/index.js.map +1 -0
package/dist/dashboard/public/assets/index-CpMruPNh.css +1 -0
package/dist/dashboard/public/assets/index-DkHiw9_f.js +148 -0
package/dist/dashboard/public/favicon.svg +6 -0
package/dist/dashboard/public/index.html +14 -0
package/dist/db.d.ts +15 -0
package/dist/db.d.ts.map +1 -0
package/dist/db.js +190 -0
package/dist/db.js.map +1 -0
package/dist/doctor.d.ts +37 -0
package/dist/doctor.d.ts.map +1 -0
package/dist/doctor.js +196 -0
package/dist/doctor.js.map +1 -0
package/dist/gate/body-inspector.d.ts +31 -0
package/dist/gate/body-inspector.d.ts.map +1 -0
package/dist/gate/body-inspector.js +193 -0
package/dist/gate/body-inspector.js.map +1 -0
package/dist/gate/gate.d.ts +168 -0
package/dist/gate/gate.d.ts.map +1 -0
package/dist/gate/gate.js +1016 -0
package/dist/gate/gate.js.map +1 -0
package/dist/gate/index.d.ts +7 -0
package/dist/gate/index.d.ts.map +1 -0
package/dist/gate/index.js +4 -0
package/dist/gate/index.js.map +1 -0
package/dist/gate/rate-limiter.d.ts +59 -0
package/dist/gate/rate-limiter.d.ts.map +1 -0
package/dist/gate/rate-limiter.js +120 -0
package/dist/gate/rate-limiter.js.map +1 -0
package/dist/index.d.ts +26 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +16 -0
package/dist/index.js.map +1 -0
package/dist/ledger/index.d.ts +3 -0
package/dist/ledger/index.d.ts.map +1 -0
package/dist/ledger/index.js +2 -0
package/dist/ledger/index.js.map +1 -0
package/dist/ledger/ledger.d.ts +98 -0
package/dist/ledger/ledger.d.ts.map +1 -0
package/dist/ledger/ledger.js +145 -0
package/dist/ledger/ledger.js.map +1 -0
package/dist/logger/index.d.ts +3 -0
package/dist/logger/index.d.ts.map +1 -0
package/dist/logger/index.js +2 -0
package/dist/logger/index.js.map +1 -0
package/dist/logger/logger.d.ts +58 -0
package/dist/logger/logger.d.ts.map +1 -0
package/dist/logger/logger.js +201 -0
package/dist/logger/logger.js.map +1 -0
package/dist/mcp/index.d.ts +3 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/index.js +2 -0
package/dist/mcp/index.js.map +1 -0
package/dist/mcp/mcp-server.d.ts +130 -0
package/dist/mcp/mcp-server.d.ts.map +1 -0
package/dist/mcp/mcp-server.js +775 -0
package/dist/mcp/mcp-server.js.map +1 -0
package/dist/metrics/index.d.ts +3 -0
package/dist/metrics/index.d.ts.map +1 -0
package/dist/metrics/index.js +2 -0
package/dist/metrics/index.js.map +1 -0
package/dist/metrics/metrics.d.ts +88 -0
package/dist/metrics/metrics.d.ts.map +1 -0
package/dist/metrics/metrics.js +179 -0
package/dist/metrics/metrics.js.map +1 -0
package/dist/policy/index.d.ts +3 -0
package/dist/policy/index.d.ts.map +1 -0
package/dist/policy/index.js +2 -0
package/dist/policy/index.js.map +1 -0
package/dist/policy/policy.d.ts +119 -0
package/dist/policy/policy.d.ts.map +1 -0
package/dist/policy/policy.js +426 -0
package/dist/policy/policy.js.map +1 -0
package/dist/user/index.d.ts +3 -0
package/dist/user/index.d.ts.map +1 -0
package/dist/user/index.js +2 -0
package/dist/user/index.js.map +1 -0
package/dist/user/user.d.ts +102 -0
package/dist/user/user.d.ts.map +1 -0
package/dist/user/user.js +216 -0
package/dist/user/user.js.map +1 -0
package/dist/vault/crypto.d.ts +28 -0
package/dist/vault/crypto.d.ts.map +1 -0
package/dist/vault/crypto.js +44 -0
package/dist/vault/crypto.js.map +1 -0
package/dist/vault/index.d.ts +10 -0
package/dist/vault/index.d.ts.map +1 -0
package/dist/vault/index.js +6 -0
package/dist/vault/index.js.map +1 -0
package/dist/vault/seal.d.ts +68 -0
package/dist/vault/seal.d.ts.map +1 -0
package/dist/vault/seal.js +110 -0
package/dist/vault/seal.js.map +1 -0
package/dist/vault/shamir.d.ts +33 -0
package/dist/vault/shamir.d.ts.map +1 -0
package/dist/vault/shamir.js +174 -0
package/dist/vault/shamir.js.map +1 -0
package/dist/vault/vault-manager.d.ts +62 -0
package/dist/vault/vault-manager.d.ts.map +1 -0
package/dist/vault/vault-manager.js +141 -0
package/dist/vault/vault-manager.js.map +1 -0
package/dist/vault/vault.d.ts +104 -0
package/dist/vault/vault.d.ts.map +1 -0
package/dist/vault/vault.js +259 -0
package/dist/vault/vault.js.map +1 -0
package/dist/version.d.ts +3 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +18 -0
package/dist/version.js.map +1 -0
package/dist/webhook/index.d.ts +3 -0
package/dist/webhook/index.d.ts.map +1 -0
package/dist/webhook/index.js +2 -0
package/dist/webhook/index.js.map +1 -0
package/dist/webhook/webhook.d.ts +114 -0
package/dist/webhook/webhook.d.ts.map +1 -0
package/dist/webhook/webhook.js +269 -0
package/dist/webhook/webhook.js.map +1 -0
package/package.json +7 -3

package/dist/gate/body-inspector.js ADDED Viewed

@@ -0,0 +1,193 @@
+/**
+ * Request Body Inspector — scans outbound request bodies for credential-like
+ * patterns that may indicate an agent is trying to exfiltrate secrets.
+ *
+ * This is a defence-in-depth measure. Even though the agent never sees
+ * decrypted credentials directly, an agent could attempt to send previously
+ * obtained secrets (e.g. from environment variables, config files) through
+ * Gate to an attacker-controlled domain. The body inspector catches this.
+ *
+ * Sensitivity modes:
+ *   - "off"   — no scanning (fastest, least secure)
+ *   - "warn"  — scan and log matches but allow the request through
+ *   - "block" — scan and block requests containing credential patterns (default)
+ */
+const CREDENTIAL_PATTERNS = [
+    // Bearer tokens embedded in body text
+    {
+        name: 'Bearer token',
+        pattern: /Bearer\s+[A-Za-z0-9\-._~+/]+=*/gi,
+        minLength: 20,
+    },
+    // ── Vendor-specific prefixes ───────────────────────────────────
+    // OpenAI / Anthropic
+    {
+        name: 'API key (sk-* prefix)',
+        pattern: /\bsk-[A-Za-z0-9]{20,}\b/g,
+    },
+    {
+        name: 'API key (pk-* prefix)',
+        pattern: /\bpk-[A-Za-z0-9]{20,}\b/g,
+    },
+    // Slack tokens
+    {
+        name: 'Slack token (xoxb/xoxp/xoxa/xoxr)',
+        pattern: /\bxox[bpar]-[A-Za-z0-9-]{10,}\b/g,
+    },
+    // GitHub tokens
+    {
+        name: 'GitHub token (ghp/gho/ghu/ghs/ghr)',
+        pattern: /\bgh[pousr]_[A-Za-z0-9]{30,}\b/g,
+    },
+    // AWS access keys
+    {
+        name: 'AWS access key',
+        pattern: /\bAKIA[A-Z0-9]{16}\b/g,
+    },
+    // AWS secret keys (40-char base64-like after common JSON/YAML key names)
+    {
+        name: 'AWS secret key pattern',
+        pattern: /(?:aws_secret_access_key|secret_key|secretAccessKey)["':\s]*[A-Za-z0-9/+=]{40}/gi,
+    },
+    // Google Cloud / Firebase API keys
+    {
+        name: 'Google API key (AIza* prefix)',
+        pattern: /\bAIza[A-Za-z0-9_-]{35}\b/g,
+    },
+    // Google OAuth tokens
+    {
+        name: 'Google OAuth token (ya29.*)',
+        pattern: /\bya29\.[A-Za-z0-9_-]{20,}\b/g,
+    },
+    // Stripe keys
+    {
+        name: 'Stripe key (sk_live/pk_live/rk_live)',
+        pattern: /\b[spr]k_live_[A-Za-z0-9]{20,}\b/g,
+    },
+    // Stripe test keys (still credentials — should not be in body)
+    {
+        name: 'Stripe test key (sk_test/pk_test/rk_test)',
+        pattern: /\b[spr]k_test_[A-Za-z0-9]{20,}\b/g,
+    },
+    // Twilio API keys
+    {
+        name: 'Twilio API key',
+        pattern: /\bSK[0-9a-f]{32}\b/g,
+    },
+    // SendGrid API keys
+    {
+        name: 'SendGrid API key',
+        pattern: /\bSG\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\b/g,
+    },
+    // npm tokens
+    {
+        name: 'npm token',
+        pattern: /\bnpm_[A-Za-z0-9]{36}\b/g,
+    },
+    // Discord bot tokens (base64.base64.base64 format)
+    {
+        name: 'Discord bot token',
+        pattern: /\b[A-Za-z0-9]{24,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}\b/g,
+    },
+    // Azure connection strings
+    {
+        name: 'Azure connection string',
+        pattern: /DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[^;]+/gi,
+    },
+    // Mailgun API keys
+    {
+        name: 'Mailgun API key',
+        pattern: /\bkey-[A-Za-z0-9]{32}\b/g,
+    },
+    // Heroku API keys
+    {
+        name: 'Heroku API key',
+        pattern: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/g,
+    },
+    // ── Database connection strings ────────────────────────────────
+    // PostgreSQL / MySQL / MongoDB / Redis connection URIs with credentials
+    {
+        name: 'Database connection string',
+        pattern: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|rediss):\/\/[^\s"']+:[^\s"']+@[^\s"']+\b/gi,
+    },
+    // ── Crypto wallet keys ─────────────────────────────────────────
+    // Ethereum / EVM private keys (0x + 64 hex chars)
+    {
+        name: 'Ethereum private key (0x + 64 hex)',
+        pattern: /\b0x[0-9a-fA-F]{64}\b/g,
+    },
+    // ── Generic heuristics ─────────────────────────────────────────
+    // Generic long hex strings (likely keys/tokens — 40+ hex chars)
+    {
+        name: 'Long hex string (possible key)',
+        pattern: /\b[0-9a-f]{40,}\b/gi,
+    },
+    // Base64-encoded strings that are suspiciously long (likely encoded credentials)
+    {
+        name: 'Long base64 string (possible encoded credential)',
+        pattern: /\b[A-Za-z0-9+/]{50,}={0,2}\b/g,
+    },
+    // JWT tokens (eyJ prefix = base64-encoded JSON header)
+    {
+        name: 'JWT token',
+        pattern: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
+    },
+    // Basic auth in body (username:password in base64)
+    {
+        name: 'Basic auth credential',
+        pattern: /Basic\s+[A-Za-z0-9+/]+=*/gi,
+        minLength: 15,
+    },
+    // Authorization header value embedded in body
+    {
+        name: 'Authorization value in body',
+        pattern: /["']?authorization["']?\s*[:=]\s*["'][^"']{10,}["']/gi,
+    },
+    // Generic "api_key", "api-key", "apikey" with a value
+    {
+        name: 'API key assignment',
+        pattern: /["']?(?:api[-_]?key|api[-_]?secret|access[-_]?token|secret[-_]?key|client[-_]?secret|auth[-_]?token)["']?\s*[:=]\s*["'][^"']{8,}["']/gi,
+    },
+    // Private key blocks (RSA, EC, DSA, ENCRYPTED, generic)
+    {
+        name: 'Private key block',
+        pattern: /-----BEGIN\s(?:RSA\s|EC\s|DSA\s|ENCRYPTED\s|OPENSSH\s)?PRIVATE\sKEY-----/g,
+    },
+    // Password-like assignments in JSON/YAML/config
+    {
+        name: 'Password assignment',
+        pattern: /["']?(?:password|passwd|pwd|secret)["']?\s*[:=]\s*["'][^"']{8,}["']/gi,
+    },
+];
+export class BodyInspector {
+    /**
+     * Scan a request body string for credential-like patterns.
+     *
+     * @param body The raw request body as a string
+     * @returns An InspectionResult indicating whether suspicious patterns were found
+     */
+    inspect(body) {
+        if (!body || body.length === 0) {
+            return { suspicious: false, matches: [] };
+        }
+        const matches = [];
+        for (const { name, pattern, minLength } of CREDENTIAL_PATTERNS) {
+            // Reset lastIndex for global regexes
+            pattern.lastIndex = 0;
+            const found = body.match(pattern);
+            if (found) {
+                for (const match of found) {
+                    if (minLength && match.length < minLength)
+                        continue;
+                    // Don't include the actual matched value in the log — it might be a credential!
+                    matches.push(`${name} detected (${match.length} chars)`);
+                }
+            }
+        }
+        return {
+            suspicious: matches.length > 0,
+            matches,
+        };
+    }
+}
+//# sourceMappingURL=body-inspector.js.map

package/dist/gate/body-inspector.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"body-inspector.js","sourceRoot":"","sources":["../../src/gate/body-inspector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAuBH,MAAM,mBAAmB,GAAwB;IAC/C,sCAAsC;IACtC;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,EAAE;KACd;IAED,kEAAkE;IAElE,qBAAqB;IACrB;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,0BAA0B;KACpC;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,0BAA0B;KACpC;IACD,eAAe;IACf;QACE,IAAI,EAAE,mCAAmC;QACzC,OAAO,EAAE,kCAAkC;KAC5C;IACD,gBAAgB;IAChB;QACE,IAAI,EAAE,oCAAoC;QAC1C,OAAO,EAAE,iCAAiC;KAC3C;IACD,kBAAkB;IAClB;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uBAAuB;KACjC;IACD,yEAAyE;IACzE;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,kFAAkF;KAC5F;IACD,mCAAmC;IACnC;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,4BAA4B;KACtC;IACD,sBAAsB;IACtB;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,+BAA+B;KACzC;IACD,cAAc;IACd;QACE,IAAI,EAAE,sCAAsC;QAC5C,OAAO,EAAE,mCAAmC;KAC7C;IACD,+DAA+D;IAC/D;QACE,IAAI,EAAE,2CAA2C;QACjD,OAAO,EAAE,mCAAmC;KAC7C;IACD,kBAAkB;IAClB;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qBAAqB;KAC/B;IACD,oBAAoB;IACpB;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,iDAAiD;KAC3D;IACD,aAAa;IACb;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,0BAA0B;KACpC;IACD,mDAAmD;IACnD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,6DAA6D;KACvE;IACD,2BAA2B;IAC3B;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,sEAAsE;KAChF;IACD,mBAAmB;IACnB;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,0BAA0B;KACpC;IACD,kBAAkB;IAClB;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,mEAAmE;KAC7E;IAED,kEAAkE;IAElE,wEAAwE;IACxE;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EACL,+FAA+F;KAClG;IAED,kEAAkE;IAElE,kDAAkD;IAClD;QACE,IAAI,EAAE,oCAAoC;QAC1C,OAAO,EAAE,wBAAwB;KAClC;IAED,kEAAkE;IAElE,gEAAgE;IAChE;QACE,IAAI,EAAE,gCAAgC;QACtC,OAAO,EAAE,qBAAqB;KAC/B;IACD,iFAAiF;IACjF;QACE,IAAI,EAAE,kDAAkD;QACxD,OAAO,EAAE,+BAA+B;KACzC;IACD,uDAAuD;IACvD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,oEAAoE;KAC9E;IACD,mDAAmD;IACnD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,4BAA4B;QACrC,SAAS,EAAE,EAAE;KACd;IACD,8CAA8C;IAC9C;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,uDAAuD;KACjE;IACD,sDAAsD;IACtD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EACL,wIAAwI;KAC3I;IACD,wDAAwD;IACxD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2EAA2E;KACrF;IACD,gDAAgD;IAChD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,uEAAuE;KACjF;CACF,CAAC;AAEF,MAAM,OAAO,aAAa;IACxB;;;;;OAKG;IACH,OAAO,CAAC,IAAY;QAClB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC5C,CAAC;QAED,MAAM,OAAO,GAAa,EAAE,CAAC;QAE7B,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,mBAAmB,EAAE,CAAC;YAC/D,qCAAqC;YACrC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAEtB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAClC,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;oBAC1B,IAAI,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS;wBAAE,SAAS;oBACpD,gFAAgF;oBAChF,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,cAAc,KAAK,CAAC,MAAM,SAAS,CAAC,CAAC;gBAC3D,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,UAAU,EAAE,OAAO,CAAC,MAAM,GAAG,CAAC;YAC9B,OAAO;SACR,CAAC;IACJ,CAAC;CACF"}

package/dist/gate/gate.d.ts ADDED Viewed

@@ -0,0 +1,168 @@
+import type { AgentRegistry } from '../agent/index.js';
+import type { Ledger } from '../ledger/index.js';
+import type { AegisMetrics } from '../metrics/index.js';
+import type { Policy } from '../policy/index.js';
+import type { Vault } from '../vault/index.js';
+import type { WebhookManager } from '../webhook/index.js';
+/**
+ * Check whether an HTTP method is permitted by a credential's scopes.
+ * Returns true if the method is allowed, false if blocked.
+ */
+export declare function methodMatchesScope(method: string, scopes: string[]): boolean;
+export interface TlsOptions {
+    /** Path to the PEM-encoded certificate file */
+    certPath: string;
+    /** Path to the PEM-encoded private key file */
+    keyPath: string;
+}
+export interface GateOptions {
+    port: number;
+    vault: Vault;
+    ledger: Ledger;
+    logLevel?: 'debug' | 'info' | 'warn' | 'error';
+    /** TLS configuration — if provided, Gate starts as HTTPS */
+    tls?: TlsOptions;
+    /** Maximum time (ms) to wait for in-flight requests during shutdown (default: 10000) */
+    shutdownTimeoutMs?: number;
+    /** Agent registry — required when requireAgentAuth is true */
+    agentRegistry?: AgentRegistry;
+    /** When true, every request must include a valid X-Aegis-Agent token */
+    requireAgentAuth?: boolean;
+    /** Directory containing YAML policy files — enables policy evaluation */
+    policyDir?: string;
+    /** Policy enforcement mode: "enforce" blocks violations, "dry-run" logs but allows (default: "enforce") */
+    policyMode?: 'enforce' | 'dry-run';
+    /** Prometheus metrics collector — if provided, Gate records request/block metrics */
+    metrics?: AegisMetrics;
+    /** Webhook manager — if provided, Gate emits webhook events on blocks */
+    webhooks?: WebhookManager;
+    /** Callback fired after every audit entry is logged — used by dashboard for live feed */
+    onAuditEntry?: (entry: AuditBroadcast) => void;
+    /** Testing: redirect outbound requests to a local server */
+    _testUpstream?: {
+        protocol: 'http' | 'https';
+        hostname: string;
+        port: number;
+    };
+    /** Testing: inject policies directly without loading from disk */
+    _testPolicies?: Map<string, Policy>;
+}
+/** Shape of the audit entry broadcast to the dashboard live feed. */
+export interface AuditBroadcast {
+    timestamp: string;
+    credentialId: string | null;
+    credentialName: string | null;
+    service: string;
+    targetDomain: string;
+    method: string;
+    path: string;
+    status: 'allowed' | 'blocked' | 'system';
+    blockedReason: string | null;
+    responseCode: number | null;
+    agentName: string | null;
+    agentTokenPrefix: string | null;
+    channel: 'gate' | 'mcp';
+}
+/**
+ * Aegis Gate — HTTP proxy that sits between an AI agent and external APIs.
+ *
+ * The agent makes requests to: http://localhost:{port}/{service}/actual/api/path
+ * Gate resolves the service → looks up credential → injects auth → forwards to real API.
+ *
+ * The agent NEVER sees the credential.
+ */
+export declare class Gate {
+    private server;
+    private vault;
+    private ledger;
+    private port;
+    private logger;
+    private tlsOptions?;
+    private testUpstream?;
+    private rateLimiter;
+    private bodyInspector;
+    private shuttingDown;
+    private activeRequests;
+    private shutdownTimeoutMs;
+    private agentRegistry?;
+    private requireAgentAuth;
+    private policyMap;
+    private policyMode;
+    private policyDir?;
+    private policyWatcher?;
+    private metrics?;
+    private webhooks?;
+    private onAuditEntry?;
+    constructor(options: GateOptions);
+    /**
+     * Start the Gate proxy server.
+     */
+    /**
+     * Whether the Gate is running with TLS.
+     */
+    get isTls(): boolean;
+    /**
+     * Whether policies are loaded and active.
+     */
+    get hasPolicies(): boolean;
+    /**
+     * The current policy enforcement mode.
+     */
+    get currentPolicyMode(): 'enforce' | 'dry-run';
+    /**
+     * Load policies from a directory.
+     */
+    private loadPolicies;
+    /**
+     * Reload policies from the configured directory.
+     * Called on file system changes for hot-reload.
+     */
+    reloadPolicies(): void;
+    /**
+     * Start watching the policy directory for changes (hot-reload).
+     * Debounces changes to avoid rapid reloads.
+     */
+    private startPolicyWatcher;
+    start(): Promise<void>;
+    /**
+     * The port the server is listening on (may differ from constructor if 0 was passed).
+     */
+    get listeningPort(): number;
+    /**
+     * Stop the Gate proxy server gracefully.
+     *
+     * 1. Sets `shuttingDown = true` — new requests receive 503 Service Unavailable.
+     * 2. Waits for in-flight requests to complete (up to `shutdownTimeoutMs`).
+     * 3. Closes the server socket and returns.
+     *
+     * During the drain phase the server still accepts connections so clients get
+     * a clean 503 rather than a connection-refused error.
+     */
+    stop(): Promise<{
+        drained: boolean;
+        activeAtClose: number;
+    }>;
+    /**
+     * Whether the Gate is currently shutting down (draining in-flight requests).
+     */
+    get isShuttingDown(): boolean;
+    /**
+     * The number of currently in-flight requests.
+     */
+    get inFlightRequests(): number;
+    private handleRequest;
+    /**
+     * Inject the credential into outbound request headers based on auth type.
+     * For `query` auth, the secret is appended as a URL query parameter instead.
+     */
+    private injectCredential;
+    /**
+     * Log an allowed request and broadcast to dashboard live feed.
+     */
+    private auditAllowed;
+    /**
+     * Log a blocked request and broadcast to dashboard live feed.
+     */
+    private auditBlocked;
+}
+//# sourceMappingURL=gate.d.ts.map

package/dist/gate/gate.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../src/gate/gate.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAS,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAEjD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAEjD,OAAO,KAAK,EAAwB,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAErE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAa1D;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAM5E;AAED,MAAM,WAAW,UAAU;IACzB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,KAAK,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC/C,4DAA4D;IAC5D,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB,wFAAwF;IACxF,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,8DAA8D;IAC9D,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,yEAAyE;IACzE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2GAA2G;IAC3G,UAAU,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;IACnC,qFAAqF;IACrF,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,yEAAyE;IACzE,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,yFAAyF;IACzF,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,IAAI,CAAC;IAC/C,4DAA4D;IAC5D,aAAa,CAAC,EAAE;QAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/E,kEAAkE;IAClE,aAAa,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC;AAED,qEAAqE;AACrE,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;IACzC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,EAAE,MAAM,GAAG,KAAK,CAAC;CACzB;AAED;;;;;;;GAOG;AACH,qBAAa,IAAI;IACf,OAAO,CAAC,MAAM,CAA2C;IACzD,OAAO,CAAC,KAAK,CAAQ;IACrB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,UAAU,CAAC,CAAa;IAChC,OAAO,CAAC,YAAY,CAAC,CAAiE;IACtF,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,aAAa,CAAC,CAAgB;IACtC,OAAO,CAAC,gBAAgB,CAAU;IAClC,OAAO,CAAC,SAAS,CAAsB;IACvC,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,SAAS,CAAC,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAC,CAAe;IACrC,OAAO,CAAC,OAAO,CAAC,CAAe;IAC/B,OAAO,CAAC,QAAQ,CAAC,CAAiB;IAClC,OAAO,CAAC,YAAY,CAAC,CAAkC;gBAE3C,OAAO,EAAE,WAAW;IA+BhC;;OAEG;IACH;;OAEG;IACH,IAAI,KAAK,IAAI,OAAO,CAEnB;IAED;;OAEG;IACH,IAAI,WAAW,IAAI,OAAO,CAEzB;IAED;;OAEG;IACH,IAAI,iBAAiB,IAAI,SAAS,GAAG,SAAS,CAE7C;IAED;;OAEG;IACH,OAAO,CAAC,YAAY;IAcpB;;;OAGG;IACH,cAAc,IAAI,IAAI;IAMtB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAkB1B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAgFtB;;OAEG;IACH,IAAI,aAAa,IAAI,MAAM,CAE1B;IAED;;;;;;;;;OASG;IACH,IAAI,IAAI,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;IA6D5D;;OAEG;IACH,IAAI,cAAc,IAAI,OAAO,CAE5B;IAED;;OAEG;IACH,IAAI,gBAAgB,IAAI,MAAM,CAE7B;YAEa,aAAa;IAkxB3B;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IA8BxB;;OAEG;IACH,OAAO,CAAC,YAAY;IA6BpB;;OAEG;IACH,OAAO,CAAC,YAAY;CA0BrB"}