@getaegis/cli 0.8.0 → 0.8.1

package/dist/vault/vault.js

@@ -0,0 +1,259 @@
+import * as crypto from 'node:crypto';
+import { decrypt, deriveKey, encrypt } from './crypto.js';
+export class Vault {
+    db;
+    /** Cached derived key — PBKDF2 runs once in the constructor. */
+    derivedKey;
+    constructor(db, masterKey, salt = 'aegis-vault-v1') {
+        this.db = db;
+        if (!masterKey) {
+            throw new Error('AEGIS_MASTER_KEY is not set. Run `aegis init` to generate a config and master key.');
+        }
+        this.derivedKey = deriveKey(masterKey, salt);
+        this.verifyKey();
+    }
+    /**
+     * Verify the master key by attempting to decrypt the first stored credential.
+     * Throws a clear error if the key is wrong (AES-256-GCM auth tag mismatch).
+     * Silently succeeds if the vault is empty (nothing to verify against).
+     */
+    verifyKey() {
+        const row = this.db.prepare('SELECT encrypted, iv, auth_tag FROM credentials LIMIT 1').get();
+        if (!row)
+            return; // Empty vault — nothing to verify
+        try {
+            decrypt({ encrypted: row.encrypted, iv: row.iv, authTag: row.auth_tag }, this.derivedKey);
+        }
+        catch {
+            throw new Error('Invalid master key — cannot decrypt vault credentials.\n' +
+                '  The AEGIS_MASTER_KEY does not match the key used to encrypt this vault.\n' +
+                '  Check your config file or environment variable.');
+        }
+    }
+    /**
+     * Store a new credential in the vault.
+     */
+    /** Maximum credential secret size: 512 KB. */
+    static MAX_SECRET_BYTES = 512 * 1024;
+    /** Maximum credential name length: 128 characters. */
+    static MAX_NAME_LENGTH = 128;
+    add(params) {
+        // Validate name length
+        if (params.name.length > Vault.MAX_NAME_LENGTH) {
+            throw new Error(`Credential name is too long (${params.name.length} chars). Maximum is ${Vault.MAX_NAME_LENGTH} characters.`);
+        }
+        // Validate secret size
+        const secretBytes = Buffer.byteLength(params.secret, 'utf-8');
+        if (secretBytes > Vault.MAX_SECRET_BYTES) {
+            const sizeKB = Math.round(secretBytes / 1024);
+            throw new Error(`Credential value is too large (${sizeKB} KB). Maximum is ${Vault.MAX_SECRET_BYTES / 1024} KB.`);
+        }
+        const id = crypto.randomUUID();
+        const { encrypted, iv, authTag } = encrypt(params.secret, this.derivedKey);
+        let expiresAt = null;
+        if (params.ttlDays !== undefined && params.ttlDays > 0) {
+            const expiry = new Date();
+            expiry.setDate(expiry.getDate() + params.ttlDays);
+            expiresAt = expiry.toISOString();
+        }
+        const stmt = this.db.prepare(`
+      INSERT INTO credentials (id, name, service, encrypted, iv, auth_tag, auth_type, header_name, domains, scopes, expires_at, rate_limit, body_inspection)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        stmt.run(id, params.name, params.service, encrypted, iv, authTag, params.authType ?? 'bearer', params.headerName ?? null, JSON.stringify(params.domains), JSON.stringify(params.scopes ?? ['*']), expiresAt, params.rateLimit ?? null, params.bodyInspection ?? 'block');
+        return {
+            id,
+            name: params.name,
+            service: params.service,
+            authType: params.authType ?? 'bearer',
+            headerName: params.headerName,
+            domains: params.domains,
+            scopes: params.scopes ?? ['*'],
+            expiresAt: expiresAt ?? undefined,
+            rateLimit: params.rateLimit,
+            bodyInspection: params.bodyInspection ?? 'block',
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * Rotate a credential's secret. The old secret is saved to credential_history
+     * with an optional grace period during which it remains valid.
+     */
+    rotate(params) {
+        // Validate secret size
+        const secretBytes = Buffer.byteLength(params.newSecret, 'utf-8');
+        if (secretBytes > Vault.MAX_SECRET_BYTES) {
+            const sizeKB = Math.round(secretBytes / 1024);
+            throw new Error(`Credential value is too large (${sizeKB} KB). Maximum is ${Vault.MAX_SECRET_BYTES / 1024} KB.`);
+        }
+        const row = this.db.prepare('SELECT * FROM credentials WHERE name = ?').get(params.name);
+        if (!row) {
+            throw new Error(`No credential found with name "${params.name}"`);
+        }
+        // Save old encrypted secret to history
+        let graceExpires = null;
+        if (params.gracePeriodHours !== undefined && params.gracePeriodHours > 0) {
+            const grace = new Date();
+            grace.setTime(grace.getTime() + params.gracePeriodHours * 60 * 60 * 1000);
+            graceExpires = grace.toISOString();
+        }
+        this.db
+            .prepare(`INSERT INTO credential_history (credential_id, encrypted, iv, auth_tag, grace_expires)
+         VALUES (?, ?, ?, ?, ?)`)
+            .run(row.id, row.encrypted, row.iv, row.auth_tag, graceExpires);
+        // Encrypt and store new secret
+        const { encrypted, iv, authTag } = encrypt(params.newSecret, this.derivedKey);
+        this.db
+            .prepare(`UPDATE credentials SET encrypted = ?, iv = ?, auth_tag = ?, updated_at = datetime('now')
+         WHERE id = ?`)
+            .run(encrypted, iv, authTag, row.id);
+        return this.rowToCredential({
+            ...row,
+            encrypted,
+            iv,
+            auth_tag: authTag,
+            updated_at: new Date().toISOString(),
+        });
+    }
+    /**
+     * Update a credential's metadata (domains, scopes, auth type, header name)
+     * without re-entering the secret.
+     */
+    update(params) {
+        const row = this.db.prepare('SELECT * FROM credentials WHERE name = ?').get(params.name);
+        if (!row) {
+            throw new Error(`No credential found with name "${params.name}"`);
+        }
+        const newDomains = params.domains ?? JSON.parse(row.domains);
+        const newScopes = params.scopes ?? JSON.parse(row.scopes);
+        const newAuthType = params.authType ?? row.auth_type;
+        const newHeaderName = params.headerName !== undefined ? params.headerName : row.header_name;
+        const newRateLimit = params.rateLimit !== undefined ? params.rateLimit : row.rate_limit;
+        const newBodyInspection = params.bodyInspection ?? row.body_inspection;
+        this.db
+            .prepare(`UPDATE credentials SET domains = ?, scopes = ?, auth_type = ?, header_name = ?, rate_limit = ?, body_inspection = ?, updated_at = datetime('now')
+         WHERE id = ?`)
+            .run(JSON.stringify(newDomains), JSON.stringify(newScopes), newAuthType, newHeaderName, newRateLimit, newBodyInspection, row.id);
+        return {
+            ...this.rowToCredential(row),
+            domains: newDomains,
+            scopes: newScopes,
+            authType: newAuthType,
+            headerName: newHeaderName ?? undefined,
+            rateLimit: newRateLimit ?? undefined,
+            bodyInspection: newBodyInspection,
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * Check if a credential has expired based on its expiresAt field.
+     */
+    isExpired(credential) {
+        if (!credential.expiresAt)
+            return false;
+        return new Date(credential.expiresAt) <= new Date();
+    }
+    /**
+     * List all credentials (without secrets).
+     */
+    list() {
+        const rows = this.db
+            .prepare('SELECT * FROM credentials ORDER BY created_at DESC')
+            .all();
+        return rows.map((row) => this.rowToCredential(row));
+    }
+    /**
+     * Get a credential by name, including the decrypted secret.
+     */
+    getByName(name) {
+        const row = this.db.prepare('SELECT * FROM credentials WHERE name = ?').get(name);
+        if (!row)
+            return null;
+        const secret = decrypt({
+            encrypted: row.encrypted,
+            iv: row.iv,
+            authTag: row.auth_tag,
+        }, this.derivedKey);
+        return { ...this.rowToCredential(row), secret };
+    }
+    /**
+     * Get a credential by service name, including the decrypted secret.
+     */
+    getByService(service) {
+        const row = this.db
+            .prepare('SELECT * FROM credentials WHERE service = ? LIMIT 1')
+            .get(service);
+        if (!row)
+            return null;
+        const secret = decrypt({
+            encrypted: row.encrypted,
+            iv: row.iv,
+            authTag: row.auth_tag,
+        }, this.derivedKey);
+        return { ...this.rowToCredential(row), secret };
+    }
+    /**
+     * Find a credential whose allowed domains match a given hostname.
+     */
+    findByDomain(hostname) {
+        const all = this.db.prepare('SELECT * FROM credentials').all();
+        for (const row of all) {
+            const domains = JSON.parse(row.domains);
+            if (this.domainMatches(hostname, domains)) {
+                const secret = decrypt({
+                    encrypted: row.encrypted,
+                    iv: row.iv,
+                    authTag: row.auth_tag,
+                }, this.derivedKey);
+                return { ...this.rowToCredential(row), secret };
+            }
+        }
+        return null;
+    }
+    /**
+     * Remove a credential by name.
+     */
+    remove(name) {
+        const result = this.db.prepare('DELETE FROM credentials WHERE name = ?').run(name);
+        return result.changes > 0;
+    }
+    /**
+     * Check if a hostname matches any of the allowed domain patterns.
+     * Supports wildcards: *.slack.com matches api.slack.com
+     */
+    domainMatches(hostname, allowedDomains) {
+        for (const pattern of allowedDomains) {
+            if (pattern === hostname)
+                return true;
+            // Wildcard: *.example.com matches sub.example.com (single level only)
+            if (pattern.startsWith('*.')) {
+                const suffix = pattern.slice(1); // .example.com
+                if (hostname.endsWith(suffix)) {
+                    const prefix = hostname.slice(0, -suffix.length);
+                    // Only match single-level: "api" is OK, "deep.api" is not
+                    if (prefix.length > 0 && !prefix.includes('.'))
+                        return true;
+                }
+            }
+        }
+        return false;
+    }
+    rowToCredential(row) {
+        return {
+            id: row.id,
+            name: row.name,
+            service: row.service,
+            authType: row.auth_type,
+            headerName: row.header_name ?? undefined,
+            domains: JSON.parse(row.domains),
+            scopes: JSON.parse(row.scopes),
+            expiresAt: row.expires_at ?? undefined,
+            rateLimit: row.rate_limit ?? undefined,
+            bodyInspection: (row.body_inspection ?? 'block'),
+            createdAt: row.created_at,
+            updatedAt: row.updated_at,
+        };
+    }
+}
+//# sourceMappingURL=vault.js.map

package/dist/vault/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../src/vault/vault.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAGtC,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AA0C1D,MAAM,OAAO,KAAK;IAKN;IAJV,gEAAgE;IACxD,UAAU,CAAS;IAE3B,YACU,EAAqB,EAC7B,SAAiB,EACjB,OAAwB,gBAAgB;QAFhC,OAAE,GAAF,EAAE,CAAmB;QAI7B,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,oFAAoF,CACrF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,EAAE,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACK,SAAS;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,yDAAyD,CAAC,CAAC,GAAG,EAE7E,CAAC;QAEd,IAAI,CAAC,GAAG;YAAE,OAAO,CAAC,kCAAkC;QAEpD,IAAI,CAAC;YACH,OAAO,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5F,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,0DAA0D;gBACxD,6EAA6E;gBAC7E,mDAAmD,CACtD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,8CAA8C;IAC9C,MAAM,CAAU,gBAAgB,GAAG,GAAG,GAAG,IAAI,CAAC;IAE9C,sDAAsD;IACtD,MAAM,CAAU,eAAe,GAAG,GAAG,CAAC;IAEtC,GAAG,CAAC,MAWH;QACC,uBAAuB;QACvB,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,eAAe,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,CAAC,IAAI,CAAC,MAAM,uBAAuB,KAAK,CAAC,eAAe,cAAc,CAC7G,CAAC;QACJ,CAAC;QAED,uBAAuB;QACvB,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC9D,IAAI,WAAW,GAAG,KAAK,CAAC,gBAAgB,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;YAC9C,MAAM,IAAI,KAAK,CACb,kCAAkC,MAAM,oBAAoB,KAAK,CAAC,gBAAgB,GAAG,IAAI,MAAM,CAChG,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAE3E,IAAI,SAAS,GAAkB,IAAI,CAAC;QACpC,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,IAAI,MAAM,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YAC1B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;YAClD,SAAS,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;KAG5B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CACN,EAAE,EACF,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,OAAO,EACd,SAAS,EACT,EAAE,EACF,OAAO,EACP,MAAM,CAAC,QAAQ,IAAI,QAAQ,EAC3B,MAAM,CAAC,UAAU,IAAI,IAAI,EACzB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,EAC9B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC,EACtC,SAAS,EACT,MAAM,CAAC,SAAS,IAAI,IAAI,EACxB,MAAM,CAAC,cAAc,IAAI,OAAO,CACjC,CAAC;QAEF,OAAO;YACL,EAAE;YACF,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,QAAQ;YACrC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC;YAC9B,SAAS,EAAE,SAAS,IAAI,SAAS;YACjC,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,OAAO;YAChD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,MAAsE;QAC3E,uBAAuB;QACvB,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACjE,IAAI,WAAW,GAAG,KAAK,CAAC,gBAAgB,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;YAC9C,MAAM,IAAI,KAAK,CACb,kCAAkC,MAAM,oBAAoB,KAAK,CAAC,gBAAgB,GAAG,IAAI,MAAM,CAChG,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAE1E,CAAC;QAEd,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,kCAAkC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,uCAAuC;QACvC,IAAI,YAAY,GAAkB,IAAI,CAAC;QACvC,IAAI,MAAM,CAAC,gBAAgB,KAAK,SAAS,IAAI,MAAM,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;YACzE,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC;YACzB,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,gBAAgB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1E,YAAY,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;gCACwB,CACzB;aACA,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAElE,+BAA+B;QAC/B,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAE9E,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;sBACc,CACf;aACA,GAAG,CAAC,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QAEvC,OAAO,IAAI,CAAC,eAAe,CAAC;YAC1B,GAAG,GAAG;YACN,SAAS;YACT,EAAE;YACF,QAAQ,EAAE,OAAO;YACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,MAQN;QACC,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAE1E,CAAC;QAEd,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,kCAAkC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,IAAI,GAAG,CAAC,SAAS,CAAC;QACrD,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC;QAC5F,MAAM,YAAY,GAAG,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC;QACxF,MAAM,iBAAiB,GAAG,MAAM,CAAC,cAAc,IAAI,GAAG,CAAC,eAAe,CAAC;QAEvE,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;sBACc,CACf;aACA,GAAG,CACF,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAC1B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EACzB,WAAW,EACX,aAAa,EACb,YAAY,EACZ,iBAAiB,EACjB,GAAG,CAAC,EAAE,CACP,CAAC;QAEJ,OAAO;YACL,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC;YAC5B,OAAO,EAAE,UAAU;YACnB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,WAAuB;YACjC,UAAU,EAAE,aAAa,IAAI,SAAS;YACtC,SAAS,EAAE,YAAY,IAAI,SAAS;YACpC,cAAc,EAAE,iBAAuC;YACvD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,UAAsB;QAC9B,IAAI,CAAC,UAAU,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QACxC,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,IAAI;QACF,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,oDAAoD,CAAC;aAC7D,GAAG,EAAqB,CAAC;QAE5B,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAY;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC,GAAG,CAAC,IAAI,CAEnE,CAAC;QAEd,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,MAAM,MAAM,GAAG,OAAO,CACpB;YACE,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,OAAO,EAAE,GAAG,CAAC,QAAQ;SACtB,EACD,IAAI,CAAC,UAAU,CAChB,CAAC;QAEF,OAAO,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,OAAe;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,qDAAqD,CAAC;aAC9D,GAAG,CAAC,OAAO,CAA8B,CAAC;QAE7C,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,MAAM,MAAM,GAAG,OAAO,CACpB;YACE,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,OAAO,EAAE,GAAG,CAAC,QAAQ;SACtB,EACD,IAAI,CAAC,UAAU,CAChB,CAAC;QAEF,OAAO,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,QAAgB;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC,GAAG,EAAqB,CAAC;QAElF,KAAK,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;YACtB,MAAM,OAAO,GAAa,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAClD,IAAI,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC1C,MAAM,MAAM,GAAG,OAAO,CACpB;oBACE,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,EAAE,EAAE,GAAG,CAAC,EAAE;oBACV,OAAO,EAAE,GAAG,CAAC,QAAQ;iBACtB,EACD,IAAI,CAAC,UAAU,CAChB,CAAC;gBACF,OAAO,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;YAClD,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAY;QACjB,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,wCAAwC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnF,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;;OAGG;IACH,aAAa,CAAC,QAAgB,EAAE,cAAwB;QACtD,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;YACrC,IAAI,OAAO,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAEtC,sEAAsE;YACtE,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,eAAe;gBAChD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC9B,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;oBACjD,0DAA0D;oBAC1D,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;wBAAE,OAAO,IAAI,CAAC;gBAC9D,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,eAAe,CAAC,GAAkB;QACxC,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,QAAQ,EAAE,GAAG,CAAC,SAAqB;YACnC,UAAU,EAAE,GAAG,CAAC,WAAW,IAAI,SAAS;YACxC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC;YAChC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC;YAC9B,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;YACtC,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;YACtC,cAAc,EAAE,CAAC,GAAG,CAAC,eAAe,IAAI,OAAO,CAAuB;YACtE,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,SAAS,EAAE,GAAG,CAAC,UAAU;SAC1B,CAAC;IACJ,CAAC"}

package/dist/version.d.ts

@@ -0,0 +1,3 @@
+/** The current Aegis version, sourced from package.json. */
+export declare const VERSION: string;
+//# sourceMappingURL=version.d.ts.map

package/dist/version.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAiBA,4DAA4D;AAC5D,eAAO,MAAM,OAAO,EAAE,MAAsB,CAAC"}

package/dist/version.js

@@ -0,0 +1,18 @@
+import { readFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+/**
+ * Read the version from package.json at runtime.
+ *
+ * Uses the package.json relative to this file's location so it works both
+ * in development (src/) and after compilation (dist/).
+ */
+function loadVersion() {
+    const thisDir = dirname(fileURLToPath(import.meta.url));
+    const pkgPath = resolve(thisDir, '..', 'package.json');
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return pkg.version;
+}
+/** The current Aegis version, sourced from package.json. */
+export const VERSION = loadVersion();
+//# sourceMappingURL=version.js.map

package/dist/version.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.js","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC;;;;;GAKG;AACH,SAAS,WAAW;IAClB,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAwB,CAAC;IAC9E,OAAO,GAAG,CAAC,OAAO,CAAC;AACrB,CAAC;AAED,4DAA4D;AAC5D,MAAM,CAAC,MAAM,OAAO,GAAW,WAAW,EAAE,CAAC"}

package/dist/webhook/index.d.ts

@@ -0,0 +1,3 @@
+export type { Webhook, WebhookEventType, WebhookManagerOptions, WebhookPayload, } from './webhook.js';
+export { WEBHOOK_EVENT_TYPES, WebhookManager } from './webhook.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/webhook/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/webhook/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,OAAO,EACP,gBAAgB,EAChB,qBAAqB,EACrB,cAAc,GACf,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC"}

package/dist/webhook/index.js

@@ -0,0 +1,2 @@
+export { WEBHOOK_EVENT_TYPES, WebhookManager } from './webhook.js';
+//# sourceMappingURL=index.js.map

package/dist/webhook/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/webhook/index.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC"}

package/dist/webhook/webhook.d.ts

@@ -0,0 +1,114 @@
+/**
+ * Aegis Webhook Alerts — fire-and-forget HTTP notifications for security events.
+ *
+ * Webhook endpoints are stored in SQLite and can subscribe to specific event types.
+ * When an event fires, all matching webhooks receive a JSON POST with event details.
+ *
+ * Delivery is best-effort: retries up to 3 times with exponential backoff.
+ * Failed deliveries are logged but never block the request pipeline.
+ */
+import type Database from 'better-sqlite3';
+import type { Vault } from '../vault/index.js';
+/**
+ * Event types that can trigger webhook notifications.
+ */
+export type WebhookEventType = 'blocked_request' | 'credential_expiry' | 'rate_limit_exceeded' | 'agent_auth_failure' | 'body_inspection';
+export declare const WEBHOOK_EVENT_TYPES: readonly WebhookEventType[];
+/**
+ * Stored webhook configuration.
+ */
+export interface Webhook {
+    id: string;
+    url: string;
+    events: WebhookEventType[];
+    /** Optional human-readable label */
+    label?: string;
+    /** HMAC secret for signing payloads (auto-generated) */
+    secret: string;
+    createdAt: string;
+}
+/**
+ * Payload sent to webhook endpoints.
+ */
+export interface WebhookPayload {
+    /** Unique event ID */
+    id: string;
+    /** Event type */
+    event: WebhookEventType;
+    /** ISO 8601 timestamp */
+    timestamp: string;
+    /** Event-specific details */
+    details: Record<string, unknown>;
+}
+export interface WebhookManagerOptions {
+    db: Database.Database;
+    logLevel?: 'debug' | 'info' | 'warn' | 'error';
+    /** Maximum retries per delivery attempt (default: 3) */
+    maxRetries?: number;
+    /** Base delay in ms for exponential backoff (default: 1000) */
+    baseDelayMs?: number;
+    /** Request timeout in ms (default: 10000) */
+    timeoutMs?: number;
+    /** Testing: override transport */
+    _testTransport?: (url: string, payload: string, headers: Record<string, string>) => Promise<number>;
+}
+export declare class WebhookManager {
+    private db;
+    private logger;
+    private maxRetries;
+    private baseDelayMs;
+    private timeoutMs;
+    private testTransport?;
+    constructor(options: WebhookManagerOptions);
+    /**
+     * Register a new webhook endpoint.
+     */
+    add(params: {
+        url: string;
+        events: WebhookEventType[];
+        label?: string;
+    }): Webhook;
+    /**
+     * List all registered webhooks.
+     */
+    list(): Webhook[];
+    /**
+     * Get a webhook by ID.
+     */
+    getById(id: string): Webhook | null;
+    /**
+     * Remove a webhook by ID.
+     */
+    remove(id: string): boolean;
+    /**
+     * Emit an event to all matching webhooks.
+     * This is fire-and-forget — it never blocks the caller.
+     */
+    emit(event: WebhookEventType, details: Record<string, unknown>): void;
+    /**
+     * Deliver a payload to a webhook endpoint with retries.
+     */
+    private deliver;
+    /**
+     * Send an HTTP/HTTPS POST request.
+     */
+    private send;
+    /**
+     * HMAC-SHA256 signature for payload verification.
+     * Recipients can verify the webhook came from Aegis using:
+     *   sha256=HMAC(body, secret)
+     */
+    private sign;
+    /**
+     * Sleep for a given number of milliseconds.
+     */
+    private sleep;
+    private rowToWebhook;
+    /**
+     * Check all credentials in the vault for approaching expiry.
+     * Emits `credential_expiry` webhook events for credentials expiring within `thresholdDays`.
+     * Returns the number of credentials that triggered alerts.
+     */
+    checkExpiringCredentials(vault: Vault, thresholdDays?: number): number;
+}
+//# sourceMappingURL=webhook.d.ts.map

package/dist/webhook/webhook.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/webhook/webhook.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAG3C,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAI/C;;GAEG;AACH,MAAM,MAAM,gBAAgB,GACxB,iBAAiB,GACjB,mBAAmB,GACnB,qBAAqB,GACrB,oBAAoB,GACpB,iBAAiB,CAAC;AAEtB,eAAO,MAAM,mBAAmB,EAAE,SAAS,gBAAgB,EAMjD,CAAC;AAEX;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,oCAAoC;IACpC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,sBAAsB;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,iBAAiB;IACjB,KAAK,EAAE,gBAAgB,CAAC;IACxB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAWD,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,QAAQ,CAAC,QAAQ,CAAC;IACtB,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC/C,wDAAwD;IACxD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6CAA6C;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,cAAc,CAAC,EAAE,CACf,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAC5B,OAAO,CAAC,MAAM,CAAC,CAAC;CACtB;AAID,qBAAa,cAAc;IACzB,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,aAAa,CAAC,CAID;gBAET,OAAO,EAAE,qBAAqB;IAc1C;;OAEG;IACH,GAAG,CAAC,MAAM,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO;IA0CjF;;OAEG;IACH,IAAI,IAAI,OAAO,EAAE;IAQjB;;OAEG;IACH,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI;IAQnC;;OAEG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAW3B;;;OAGG;IACH,IAAI,CAAC,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IA8BrE;;OAEG;YACW,OAAO;IAiDrB;;OAEG;IACH,OAAO,CAAC,IAAI;IAuCZ;;;;OAIG;IACH,OAAO,CAAC,IAAI;IAMZ;;OAEG;IACH,OAAO,CAAC,KAAK;IAIb,OAAO,CAAC,YAAY;IAapB;;;;OAIG;IACH,wBAAwB,CAAC,KAAK,EAAE,KAAK,EAAE,aAAa,SAAI,GAAG,MAAM;CAgDlE"}