npm - @getaegis/cli - Versions diffs - 0.8.0 → 0.8.1 - Mend

@getaegis/cli 0.8.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (210) hide show

package/README.md +5 -0
package/dist/agent/agent.d.ts +98 -0
package/dist/agent/agent.d.ts.map +1 -0
package/dist/agent/agent.js +212 -0
package/dist/agent/agent.js.map +1 -0
package/dist/agent/index.d.ts +3 -0
package/dist/agent/index.d.ts.map +1 -0
package/dist/agent/index.js +2 -0
package/dist/agent/index.js.map +1 -0
package/dist/cli/auth.d.ts +19 -0
package/dist/cli/auth.d.ts.map +1 -0
package/dist/cli/auth.js +44 -0
package/dist/cli/auth.js.map +1 -0
package/dist/cli/commands/agent.d.ts +6 -0
package/dist/cli/commands/agent.d.ts.map +1 -0
package/dist/cli/commands/agent.js +241 -0
package/dist/cli/commands/agent.js.map +1 -0
package/dist/cli/commands/config.d.ts +6 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +125 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/dashboard.d.ts +6 -0
package/dist/cli/commands/dashboard.d.ts.map +1 -0
package/dist/cli/commands/dashboard.js +189 -0
package/dist/cli/commands/dashboard.js.map +1 -0
package/dist/cli/commands/doctor.d.ts +6 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/doctor.js +39 -0
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/gate.d.ts +6 -0
package/dist/cli/commands/gate.d.ts.map +1 -0
package/dist/cli/commands/gate.js +196 -0
package/dist/cli/commands/gate.js.map +1 -0
package/dist/cli/commands/init.d.ts +6 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +109 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/ledger.d.ts +6 -0
package/dist/cli/commands/ledger.d.ts.map +1 -0
package/dist/cli/commands/ledger.js +140 -0
package/dist/cli/commands/ledger.js.map +1 -0
package/dist/cli/commands/mcp.d.ts +6 -0
package/dist/cli/commands/mcp.d.ts.map +1 -0
package/dist/cli/commands/mcp.js +224 -0
package/dist/cli/commands/mcp.js.map +1 -0
package/dist/cli/commands/policy.d.ts +6 -0
package/dist/cli/commands/policy.d.ts.map +1 -0
package/dist/cli/commands/policy.js +126 -0
package/dist/cli/commands/policy.js.map +1 -0
package/dist/cli/commands/user.d.ts +6 -0
package/dist/cli/commands/user.d.ts.map +1 -0
package/dist/cli/commands/user.js +150 -0
package/dist/cli/commands/user.js.map +1 -0
package/dist/cli/commands/vault-manager.d.ts +6 -0
package/dist/cli/commands/vault-manager.d.ts.map +1 -0
package/dist/cli/commands/vault-manager.js +240 -0
package/dist/cli/commands/vault-manager.js.map +1 -0
package/dist/cli/commands/vault.d.ts +6 -0
package/dist/cli/commands/vault.d.ts.map +1 -0
package/dist/cli/commands/vault.js +241 -0
package/dist/cli/commands/vault.js.map +1 -0
package/dist/cli/commands/webhook.d.ts +6 -0
package/dist/cli/commands/webhook.d.ts.map +1 -0
package/dist/cli/commands/webhook.js +151 -0
package/dist/cli/commands/webhook.js.map +1 -0
package/dist/cli/helpers.d.ts +12 -0
package/dist/cli/helpers.d.ts.map +1 -0
package/dist/cli/helpers.js +61 -0
package/dist/cli/helpers.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +17 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/validation.d.ts +37 -0
package/dist/cli/validation.d.ts.map +1 -0
package/dist/cli/validation.js +104 -0
package/dist/cli/validation.js.map +1 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +30 -0
package/dist/cli.js.map +1 -0
package/dist/config.d.ts +108 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +355 -0
package/dist/config.js.map +1 -0
package/dist/dashboard/dashboard-server.d.ts +95 -0
package/dist/dashboard/dashboard-server.d.ts.map +1 -0
package/dist/dashboard/dashboard-server.js +329 -0
package/dist/dashboard/dashboard-server.js.map +1 -0
package/dist/dashboard/index.d.ts +3 -0
package/dist/dashboard/index.d.ts.map +1 -0
package/dist/dashboard/index.js +2 -0
package/dist/dashboard/index.js.map +1 -0
package/dist/dashboard/public/assets/index-CpMruPNh.css +1 -0
package/dist/dashboard/public/assets/index-DkHiw9_f.js +148 -0
package/dist/dashboard/public/favicon.svg +6 -0
package/dist/dashboard/public/index.html +14 -0
package/dist/db.d.ts +15 -0
package/dist/db.d.ts.map +1 -0
package/dist/db.js +190 -0
package/dist/db.js.map +1 -0
package/dist/doctor.d.ts +37 -0
package/dist/doctor.d.ts.map +1 -0
package/dist/doctor.js +196 -0
package/dist/doctor.js.map +1 -0
package/dist/gate/body-inspector.d.ts +31 -0
package/dist/gate/body-inspector.d.ts.map +1 -0
package/dist/gate/body-inspector.js +193 -0
package/dist/gate/body-inspector.js.map +1 -0
package/dist/gate/gate.d.ts +168 -0
package/dist/gate/gate.d.ts.map +1 -0
package/dist/gate/gate.js +1016 -0
package/dist/gate/gate.js.map +1 -0
package/dist/gate/index.d.ts +7 -0
package/dist/gate/index.d.ts.map +1 -0
package/dist/gate/index.js +4 -0
package/dist/gate/index.js.map +1 -0
package/dist/gate/rate-limiter.d.ts +59 -0
package/dist/gate/rate-limiter.d.ts.map +1 -0
package/dist/gate/rate-limiter.js +120 -0
package/dist/gate/rate-limiter.js.map +1 -0
package/dist/index.d.ts +26 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +16 -0
package/dist/index.js.map +1 -0
package/dist/ledger/index.d.ts +3 -0
package/dist/ledger/index.d.ts.map +1 -0
package/dist/ledger/index.js +2 -0
package/dist/ledger/index.js.map +1 -0
package/dist/ledger/ledger.d.ts +98 -0
package/dist/ledger/ledger.d.ts.map +1 -0
package/dist/ledger/ledger.js +145 -0
package/dist/ledger/ledger.js.map +1 -0
package/dist/logger/index.d.ts +3 -0
package/dist/logger/index.d.ts.map +1 -0
package/dist/logger/index.js +2 -0
package/dist/logger/index.js.map +1 -0
package/dist/logger/logger.d.ts +58 -0
package/dist/logger/logger.d.ts.map +1 -0
package/dist/logger/logger.js +201 -0
package/dist/logger/logger.js.map +1 -0
package/dist/mcp/index.d.ts +3 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/index.js +2 -0
package/dist/mcp/index.js.map +1 -0
package/dist/mcp/mcp-server.d.ts +130 -0
package/dist/mcp/mcp-server.d.ts.map +1 -0
package/dist/mcp/mcp-server.js +775 -0
package/dist/mcp/mcp-server.js.map +1 -0
package/dist/metrics/index.d.ts +3 -0
package/dist/metrics/index.d.ts.map +1 -0
package/dist/metrics/index.js +2 -0
package/dist/metrics/index.js.map +1 -0
package/dist/metrics/metrics.d.ts +88 -0
package/dist/metrics/metrics.d.ts.map +1 -0
package/dist/metrics/metrics.js +179 -0
package/dist/metrics/metrics.js.map +1 -0
package/dist/policy/index.d.ts +3 -0
package/dist/policy/index.d.ts.map +1 -0
package/dist/policy/index.js +2 -0
package/dist/policy/index.js.map +1 -0
package/dist/policy/policy.d.ts +119 -0
package/dist/policy/policy.d.ts.map +1 -0
package/dist/policy/policy.js +426 -0
package/dist/policy/policy.js.map +1 -0
package/dist/user/index.d.ts +3 -0
package/dist/user/index.d.ts.map +1 -0
package/dist/user/index.js +2 -0
package/dist/user/index.js.map +1 -0
package/dist/user/user.d.ts +102 -0
package/dist/user/user.d.ts.map +1 -0
package/dist/user/user.js +216 -0
package/dist/user/user.js.map +1 -0
package/dist/vault/crypto.d.ts +28 -0
package/dist/vault/crypto.d.ts.map +1 -0
package/dist/vault/crypto.js +44 -0
package/dist/vault/crypto.js.map +1 -0
package/dist/vault/index.d.ts +10 -0
package/dist/vault/index.d.ts.map +1 -0
package/dist/vault/index.js +6 -0
package/dist/vault/index.js.map +1 -0
package/dist/vault/seal.d.ts +68 -0
package/dist/vault/seal.d.ts.map +1 -0
package/dist/vault/seal.js +110 -0
package/dist/vault/seal.js.map +1 -0
package/dist/vault/shamir.d.ts +33 -0
package/dist/vault/shamir.d.ts.map +1 -0
package/dist/vault/shamir.js +174 -0
package/dist/vault/shamir.js.map +1 -0
package/dist/vault/vault-manager.d.ts +62 -0
package/dist/vault/vault-manager.d.ts.map +1 -0
package/dist/vault/vault-manager.js +141 -0
package/dist/vault/vault-manager.js.map +1 -0
package/dist/vault/vault.d.ts +104 -0
package/dist/vault/vault.d.ts.map +1 -0
package/dist/vault/vault.js +259 -0
package/dist/vault/vault.js.map +1 -0
package/dist/version.d.ts +3 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +18 -0
package/dist/version.js.map +1 -0
package/dist/webhook/index.d.ts +3 -0
package/dist/webhook/index.d.ts.map +1 -0
package/dist/webhook/index.js +2 -0
package/dist/webhook/index.js.map +1 -0
package/dist/webhook/webhook.d.ts +114 -0
package/dist/webhook/webhook.d.ts.map +1 -0
package/dist/webhook/webhook.js +269 -0
package/dist/webhook/webhook.js.map +1 -0
package/package.json +7 -3

package/dist/logger/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/logger/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC"}

package/dist/logger/logger.d.ts ADDED Viewed

@@ -0,0 +1,58 @@
+/**
+ * Aegis Logger — structured logging with pino.
+ *
+ * Central logger factory for all Aegis modules. Provides:
+ * - Structured JSON output in production, pretty-print in development
+ * - Declarative field-level redaction (secrets, tokens, passwords)
+ * - Pattern-based scrubbing for credential-like strings in log values
+ * - Request correlation IDs via child loggers
+ * - stderr output support (required for MCP stdio transport)
+ *
+ * SECURITY: This is a security product — secrets must NEVER appear in logs.
+ * The logger enforces this through three layers:
+ *   1. Pino's `redact` option censors known sensitive field paths
+ *   2. Custom serializers scrub credential-like patterns from string values
+ *   3. The `safeMeta()` helper strips sensitive fields from ad-hoc objects
+ */
+import pino from 'pino';
+export type LogLevel = 'debug' | 'info' | 'warn' | 'error' | 'fatal' | 'silent';
+export interface LoggerOptions {
+    /** Minimum log level (default: 'info') */
+    level?: LogLevel;
+    /** Module name — appears as `module` field in every log entry (e.g. 'gate', 'mcp', 'vault') */
+    module?: string;
+    /** Use pretty-print instead of JSON (default: auto-detect from NODE_ENV) */
+    pretty?: boolean;
+    /** Write to stderr instead of stdout (required for MCP stdio transport) */
+    stderr?: boolean;
+}
+/**
+ * Scrub credential-like patterns from a string value.
+ * Replaces matches with [REDACTED] to prevent accidental exposure.
+ */
+export declare function scrubString(value: string): string;
+/**
+ * Strip sensitive fields from an arbitrary object before logging.
+ * Use this for ad-hoc metadata objects that aren't covered by pino's redact paths.
+ */
+export declare function safeMeta(obj: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Create a pino logger instance for an Aegis module.
+ *
+ * @example
+ * ```ts
+ * const logger = createLogger({ module: 'gate', level: 'debug' });
+ * logger.info({ service: 'slack', method: 'GET' }, 'Request proxied');
+ *
+ * // Child logger with request correlation ID
+ * const reqLogger = logger.child({ requestId: generateRequestId() });
+ * reqLogger.info({ status: 200 }, 'Response sent');
+ * ```
+ */
+export declare function createLogger(options?: LoggerOptions): pino.Logger;
+/**
+ * Generate a unique request correlation ID.
+ * Included in all log entries for a given request, and stored in Ledger records.
+ */
+export declare function generateRequestId(): string;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger/logger.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/logger/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,IAAI,MAAM,MAAM,CAAC;AAIxB,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEhF,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,KAAK,CAAC,EAAE,QAAQ,CAAC;IACjB,+FAA+F;IAC/F,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4EAA4E;IAC5E,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA8ED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQjD;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgC9E;AAID;;;;;;;;;;;;GAYG;AACH,wBAAgB,YAAY,CAAC,OAAO,GAAE,aAAkB,GAAG,IAAI,CAAC,MAAM,CA2CrE;AAID;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C"}

package/dist/logger/logger.js ADDED Viewed

@@ -0,0 +1,201 @@
+/**
+ * Aegis Logger — structured logging with pino.
+ *
+ * Central logger factory for all Aegis modules. Provides:
+ * - Structured JSON output in production, pretty-print in development
+ * - Declarative field-level redaction (secrets, tokens, passwords)
+ * - Pattern-based scrubbing for credential-like strings in log values
+ * - Request correlation IDs via child loggers
+ * - stderr output support (required for MCP stdio transport)
+ *
+ * SECURITY: This is a security product — secrets must NEVER appear in logs.
+ * The logger enforces this through three layers:
+ *   1. Pino's `redact` option censors known sensitive field paths
+ *   2. Custom serializers scrub credential-like patterns from string values
+ *   3. The `safeMeta()` helper strips sensitive fields from ad-hoc objects
+ */
+import { randomUUID } from 'node:crypto';
+import pino from 'pino';
+// ─── Redaction ───────────────────────────────────────────────────
+/**
+ * Field paths that are always redacted from log output.
+ * Uses pino's path syntax — supports wildcards and nested paths.
+ */
+const REDACT_PATHS = [
+    // Direct secret fields
+    'secret',
+    'password',
+    'masterKey',
+    'master_key',
+    'token',
+    'apiKey',
+    'api_key',
+    'accessToken',
+    'access_token',
+    'refreshToken',
+    'refresh_token',
+    'clientSecret',
+    'client_secret',
+    // Nested in objects
+    '*.secret',
+    '*.password',
+    '*.masterKey',
+    '*.master_key',
+    '*.token',
+    '*.apiKey',
+    '*.api_key',
+    '*.accessToken',
+    '*.access_token',
+    // HTTP headers that carry credentials
+    'headers.authorization',
+    'headers.Authorization',
+    'headers.x-api-key',
+    'headers.X-API-Key',
+    'headers.x-aegis-agent',
+    'headers.X-Aegis-Agent',
+    'headers.cookie',
+    'headers.Cookie',
+    'headers.set-cookie',
+    'headers.Set-Cookie',
+    'headers.proxy-authorization',
+    'headers.Proxy-Authorization',
+    // Credential object fields
+    'credential.secret',
+    'credential.password',
+    'credential.token',
+];
+// ─── Pattern Scrubbing ──────────────────────────────────────────
+/**
+ * Patterns that look like credentials in arbitrary string values.
+ * These catch secrets that end up in unexpected places (error messages, URLs, etc.).
+ */
+const CREDENTIAL_PATTERNS = [
+    // Bearer tokens
+    /Bearer\s+[A-Za-z0-9\-._~+/]+=*/g,
+    // Basic auth
+    /Basic\s+[A-Za-z0-9+/]+=*/g,
+    // Common API key formats (sk-, pk-, key-, etc.)
+    /\b(sk|pk|key|api|token|secret|password)[-_][A-Za-z0-9\-._]{16,}\b/gi,
+    // AWS-style keys
+    /\b(AKIA|ASIA)[A-Z0-9]{16}\b/g,
+    // Long hex strings (32+ chars — likely keys/tokens)
+    /\b[0-9a-f]{32,}\b/gi,
+    // JWT-like patterns (three dot-separated base64 segments)
+    /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
+    // Aegis agent tokens
+    /\baegis_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}_[0-9a-f]+\b/g,
+];
+/**
+ * Scrub credential-like patterns from a string value.
+ * Replaces matches with [REDACTED] to prevent accidental exposure.
+ */
+export function scrubString(value) {
+    let result = value;
+    for (const pattern of CREDENTIAL_PATTERNS) {
+        // Reset lastIndex for global regexes
+        pattern.lastIndex = 0;
+        result = result.replace(pattern, '[REDACTED]');
+    }
+    return result;
+}
+/**
+ * Strip sensitive fields from an arbitrary object before logging.
+ * Use this for ad-hoc metadata objects that aren't covered by pino's redact paths.
+ */
+export function safeMeta(obj) {
+    const sensitiveKeys = new Set([
+        'secret',
+        'password',
+        'masterkey',
+        'master_key',
+        'token',
+        'apikey',
+        'api_key',
+        'accesstoken',
+        'access_token',
+        'refreshtoken',
+        'refresh_token',
+        'clientsecret',
+        'client_secret',
+        'authorization',
+        'cookie',
+    ]);
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+        if (sensitiveKeys.has(key.toLowerCase())) {
+            result[key] = '[REDACTED]';
+        }
+        else if (typeof value === 'string') {
+            result[key] = scrubString(value);
+        }
+        else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
+            result[key] = safeMeta(value);
+        }
+        else {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+// ─── Logger Factory ─────────────────────────────────────────────
+/**
+ * Create a pino logger instance for an Aegis module.
+ *
+ * @example
+ * ```ts
+ * const logger = createLogger({ module: 'gate', level: 'debug' });
+ * logger.info({ service: 'slack', method: 'GET' }, 'Request proxied');
+ *
+ * // Child logger with request correlation ID
+ * const reqLogger = logger.child({ requestId: generateRequestId() });
+ * reqLogger.info({ status: 200 }, 'Response sent');
+ * ```
+ */
+export function createLogger(options = {}) {
+    const { level = 'info', module: moduleName, pretty, stderr = false } = options;
+    // Auto-detect pretty mode from NODE_ENV unless explicitly set
+    const usePretty = pretty ?? process.env.NODE_ENV !== 'production';
+    const pinoOptions = {
+        level,
+        redact: {
+            paths: REDACT_PATHS,
+            censor: '[REDACTED]',
+        },
+        // Add the module name as a base field on every log entry
+        ...(moduleName ? { base: { module: moduleName } } : { base: {} }),
+        // Use ISO timestamps for consistency
+        timestamp: pino.stdTimeFunctions.isoTime,
+        formatters: {
+            level(label) {
+                return { level: label };
+            },
+        },
+    };
+    // Destination: stderr (fd 2) or stdout (fd 1)
+    const fd = stderr ? 2 : 1;
+    if (usePretty) {
+        // Pretty-print for development — human-readable output
+        pinoOptions.transport = {
+            target: 'pino-pretty',
+            options: {
+                colorize: true,
+                translateTime: 'HH:MM:ss.l',
+                ignore: 'pid,hostname',
+                destination: fd,
+            },
+        };
+        return pino(pinoOptions);
+    }
+    // Production: JSON to stdout/stderr
+    const destination = pino.destination({ fd, sync: false });
+    return pino(pinoOptions, destination);
+}
+// ─── Correlation IDs ────────────────────────────────────────────
+/**
+ * Generate a unique request correlation ID.
+ * Included in all log entries for a given request, and stored in Ledger records.
+ */
+export function generateRequestId() {
+    return randomUUID();
+}
+//# sourceMappingURL=logger.js.map

package/dist/logger/logger.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/logger/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,IAAI,MAAM,MAAM,CAAC;AAiBxB,oEAAoE;AAEpE;;;GAGG;AACH,MAAM,YAAY,GAAa;IAC7B,uBAAuB;IACvB,QAAQ;IACR,UAAU;IACV,WAAW;IACX,YAAY;IACZ,OAAO;IACP,QAAQ;IACR,SAAS;IACT,aAAa;IACb,cAAc;IACd,cAAc;IACd,eAAe;IACf,cAAc;IACd,eAAe;IAEf,oBAAoB;IACpB,UAAU;IACV,YAAY;IACZ,aAAa;IACb,cAAc;IACd,SAAS;IACT,UAAU;IACV,WAAW;IACX,eAAe;IACf,gBAAgB;IAEhB,sCAAsC;IACtC,uBAAuB;IACvB,uBAAuB;IACvB,mBAAmB;IACnB,mBAAmB;IACnB,uBAAuB;IACvB,uBAAuB;IACvB,gBAAgB;IAChB,gBAAgB;IAChB,oBAAoB;IACpB,oBAAoB;IACpB,6BAA6B;IAC7B,6BAA6B;IAE7B,2BAA2B;IAC3B,mBAAmB;IACnB,qBAAqB;IACrB,kBAAkB;CACnB,CAAC;AAEF,mEAAmE;AAEnE;;;GAGG;AACH,MAAM,mBAAmB,GAAa;IACpC,gBAAgB;IAChB,iCAAiC;IACjC,aAAa;IACb,2BAA2B;IAC3B,gDAAgD;IAChD,qEAAqE;IACrE,iBAAiB;IACjB,8BAA8B;IAC9B,oDAAoD;IACpD,qBAAqB;IACrB,0DAA0D;IAC1D,2DAA2D;IAC3D,qBAAqB;IACrB,mFAAmF;CACpF,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;QAC1C,qCAAqC;QACrC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,GAA4B;IACnD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;QAC5B,QAAQ;QACR,UAAU;QACV,WAAW;QACX,YAAY;QACZ,OAAO;QACP,QAAQ;QACR,SAAS;QACT,aAAa;QACb,cAAc;QACd,cAAc;QACd,eAAe;QACf,cAAc;QACd,eAAe;QACf,eAAe;QACf,QAAQ;KACT,CAAC,CAAC;IAEH,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACzC,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;QAC7B,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC;aAAM,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChF,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,KAAgC,CAAC,CAAC;QAC3D,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,mEAAmE;AAEnE;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,YAAY,CAAC,UAAyB,EAAE;IACtD,MAAM,EAAE,KAAK,GAAG,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAE/E,8DAA8D;IAC9D,MAAM,SAAS,GAAG,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAElE,MAAM,WAAW,GAAuB;QACtC,KAAK;QACL,MAAM,EAAE;YACN,KAAK,EAAE,YAAY;YACnB,MAAM,EAAE,YAAY;SACrB;QACD,yDAAyD;QACzD,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACjE,qCAAqC;QACrC,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,OAAO;QACxC,UAAU,EAAE;YACV,KAAK,CAAC,KAAa;gBACjB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;YAC1B,CAAC;SACF;KACF,CAAC;IAEF,8CAA8C;IAC9C,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE1B,IAAI,SAAS,EAAE,CAAC;QACd,uDAAuD;QACvD,WAAW,CAAC,SAAS,GAAG;YACtB,MAAM,EAAE,aAAa;YACrB,OAAO,EAAE;gBACP,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,YAAY;gBAC3B,MAAM,EAAE,cAAc;gBACtB,WAAW,EAAE,EAAE;aAChB;SACF,CAAC;QACF,OAAO,IAAI,CAAC,WAAW,CAAC,CAAC;IAC3B,CAAC;IAED,oCAAoC;IACpC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1D,OAAO,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;AACxC,CAAC;AAED,mEAAmE;AAEnE;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,UAAU,EAAE,CAAC;AACtB,CAAC"}

package/dist/mcp/index.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export type { AegisMcpServerOptions } from './mcp-server.js';
+export { AegisMcpServer } from './mcp-server.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/mcp/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mcp/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/mcp/index.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { AegisMcpServer } from './mcp-server.js';
2	+ //# sourceMappingURL=index.js.map

package/dist/mcp/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/mcp/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/mcp/mcp-server.d.ts ADDED Viewed

@@ -0,0 +1,130 @@
+/**
+ * Aegis MCP Server — exposes Aegis credential isolation as MCP tools.
+ *
+ * The MCP server sits between an AI agent (MCP client) and external APIs.
+ * The agent uses tools to make authenticated API calls without ever seeing credentials.
+ *
+ * Tools:
+ *   - aegis_proxy_request: Make an authenticated API call through Aegis
+ *   - aegis_list_services: List available services (names only, never secrets)
+ *   - aegis_health: Check Aegis status
+ *
+ * Transports:
+ *   - stdio: For local process-spawned integrations (Claude Desktop, Cursor, VS Code)
+ *   - streamable-http: For remote server access
+ */
+import type { AgentRegistry } from '../agent/index.js';
+import type { Ledger } from '../ledger/index.js';
+import type { AegisMetrics } from '../metrics/index.js';
+import type { PolicyValidationResult } from '../policy/index.js';
+import type { Vault } from '../vault/index.js';
+import type { WebhookManager } from '../webhook/index.js';
+export interface AegisMcpServerOptions {
+    /** Vault instance for credential lookup and injection. */
+    vault: Vault;
+    /** Ledger instance for audit logging. */
+    ledger: Ledger;
+    /** Agent registry — required when agentToken is provided. */
+    agentRegistry?: AgentRegistry;
+    /** Pre-configured agent token for this MCP session. */
+    agentToken?: string;
+    /** Transport type. */
+    transport: 'stdio' | 'streamable-http';
+    /** Port for streamable-http transport (default: 3200). */
+    port?: number;
+    /** Policy validation results for policy evaluation. */
+    policies?: PolicyValidationResult[];
+    /** Policy enforcement mode (default: "enforce"). */
+    policyMode?: 'enforce' | 'dry-run';
+    /** Log level (default: "info"). */
+    logLevel?: 'debug' | 'info' | 'warn' | 'error';
+    /** Prometheus metrics collector. */
+    metrics?: AegisMetrics;
+    /** Webhook manager for alert notifications. */
+    webhooks?: WebhookManager;
+}
+/**
+ * Aegis MCP Server — wraps the Aegis credential isolation layer as an MCP server.
+ *
+ * This gives any MCP-compatible AI agent (Claude, ChatGPT, Cursor, VS Code Copilot)
+ * the ability to make authenticated API calls without ever seeing credentials.
+ */
+export declare class AegisMcpServer {
+    private server;
+    private vault;
+    private ledger;
+    private agentRegistry?;
+    private authenticatedAgent?;
+    private transportType;
+    private port;
+    private policyMap;
+    private policyMode;
+    private logger;
+    private rateLimiter;
+    private bodyInspector;
+    private httpServer?;
+    private metrics?;
+    private webhooks?;
+    constructor(options: AegisMcpServerOptions);
+    private registerTools;
+    /**
+     * aegis_proxy_request — Make an authenticated API call through Aegis.
+     *
+     * The agent provides service, path, method, headers, and body.
+     * Aegis injects credentials, enforces domain guard, rate limits, body inspection,
+     * and policy evaluation — then returns the response.
+     */
+    private registerProxyRequestTool;
+    /**
+     * aegis_list_services — List available services the agent can use.
+     *
+     * Returns service names and domains only — never secrets.
+     */
+    private registerListServicesTool;
+    /**
+     * aegis_health — Check Aegis status.
+     */
+    private registerHealthTool;
+    /**
+     * Execute an authenticated proxy request through Aegis.
+     *
+     * This replicates the Gate's security pipeline:
+     * 1. Credential lookup
+     * 2. TTL check
+     * 3. Agent credential scoping
+     * 4. Policy evaluation
+     * 5. Agent rate limiting
+     * 6. Credential rate limiting
+     * 7. Domain guard
+     * 8. Body inspection
+     * 9. Credential injection + forward
+     * 10. Audit logging
+     */
+    private proxyRequest;
+    /**
+     * Make the actual outbound HTTP request with credential injection.
+     */
+    private makeOutboundRequest;
+    /**
+     * Inject the credential into outbound request headers based on auth type.
+     * For `query` auth, the secret is appended as a URL query parameter instead.
+     */
+    private injectCredential;
+    /**
+     * Start the MCP server with the configured transport.
+     */
+    start(): Promise<void>;
+    /**
+     * Start with stdio transport (for local integrations).
+     */
+    private startStdio;
+    /**
+     * Start with Streamable HTTP transport (for remote access).
+     */
+    private startStreamableHttp;
+    /**
+     * Stop the MCP server.
+     */
+    stop(): Promise<void>;
+}
+//# sourceMappingURL=mcp-server.d.ts.map

package/dist/mcp/mcp-server.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"mcp-server.d.ts","sourceRoot":"","sources":["../../src/mcp/mcp-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AASH,OAAO,KAAK,EAAS,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAI9D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAEjD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,KAAK,EAAU,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAEzE,OAAO,KAAK,EAAwB,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAErE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAI1D,MAAM,WAAW,qBAAqB;IACpC,0DAA0D;IAC1D,KAAK,EAAE,KAAK,CAAC;IACb,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,6DAA6D;IAC7D,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,SAAS,EAAE,OAAO,GAAG,iBAAiB,CAAC;IACvC,0DAA0D;IAC1D,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,uDAAuD;IACvD,QAAQ,CAAC,EAAE,sBAAsB,EAAE,CAAC;IACpC,oDAAoD;IACpD,UAAU,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;IACnC,mCAAmC;IACnC,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC/C,oCAAoC;IACpC,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAUD;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAY;IAC1B,OAAO,CAAC,KAAK,CAAQ;IACrB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,aAAa,CAAC,CAAgB;IACtC,OAAO,CAAC,kBAAkB,CAAC,CAAQ;IACnC,OAAO,CAAC,aAAa,CAA8B;IACnD,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,SAAS,CAAsB;IACvC,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,UAAU,CAAC,CAAc;IACjC,OAAO,CAAC,OAAO,CAAC,CAAe;IAC/B,OAAO,CAAC,QAAQ,CAAC,CAAiB;gBAEtB,OAAO,EAAE,qBAAqB;IAgD1C,OAAO,CAAC,aAAa;IAMrB;;;;;;OAMG;IACH,OAAO,CAAC,wBAAwB;IAmEhC;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;IA2ChC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA4C1B;;;;;;;;;;;;;;OAcG;YACW,YAAY;IA6Y1B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA6F3B;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IA8BxB;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ5B;;OAEG;YACW,UAAU;IAMxB;;OAEG;YACW,mBAAmB;IAwFjC;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;CAa5B"}