@getaegis/cli 0.8.0 → 0.8.1

package/dist/cli/commands/doctor.js

@@ -0,0 +1,39 @@
+/**
+ * Doctor command: run health checks on the Aegis installation.
+ */
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { printDoctorReport, runDoctor } from '../../doctor.js';
+import { deriveKey, VaultManager } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+export function register(program) {
+    program
+        .command('doctor')
+        .description('Run health checks on your Aegis installation')
+        .action(() => {
+        console.log('\n  Aegis Doctor — running health checks...\n');
+        const config = getConfig();
+        const manager = new VaultManager(config.dataDir);
+        const vaultInfo = manager.getVaultInfo(config.vaultName);
+        let db = null;
+        if (vaultInfo) {
+            try {
+                db = getDb(config);
+            }
+            catch {
+                // db stays null — runDoctor handles that case
+            }
+        }
+        if (db) {
+            migrate(db);
+            const key = deriveKey(config.masterKey, getVaultSalt(config));
+            requireUserAuth(db, key, 'doctor:run');
+        }
+        const report = runDoctor({ config, db });
+        printDoctorReport(report);
+        if (report.overall === 'fail') {
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=doctor.js.map

package/dist/cli/commands/doctor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../../src/cli/commands/doctor.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,8CAA8C,CAAC;SAC3D,MAAM,CAAC,GAAG,EAAE;QACX,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEzD,IAAI,EAAE,GAAoC,IAAI,CAAC;QAC/C,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC;gBACH,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC;gBACP,8CAA8C;YAChD,CAAC;QACH,CAAC;QAED,IAAI,EAAE,EAAE,CAAC;YACP,OAAO,CAAC,EAAE,CAAC,CAAC;YACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QACzC,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAE1B,IAAI,MAAM,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/gate.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Gate command: start the Aegis Gate proxy.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=gate.d.ts.map

package/dist/cli/commands/gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/gate.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAazC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAuO/C"}

package/dist/cli/commands/gate.js

@@ -0,0 +1,196 @@
+/**
+ * Gate command: start the Aegis Gate proxy.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { AgentRegistry } from '../../agent/index.js';
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { Gate } from '../../gate/index.js';
+import { Ledger } from '../../ledger/index.js';
+import { AegisMetrics } from '../../metrics/index.js';
+import { deriveKey, Vault } from '../../vault/index.js';
+import { VERSION } from '../../version.js';
+import { WebhookManager } from '../../webhook/index.js';
+import { requireUserAuth } from '../auth.js';
+import { VALID_POLICY_MODES, validateEnum, validatePort } from '../validation.js';
+export function register(program) {
+    program
+        .command('gate')
+        .description('Start the Aegis Gate proxy')
+        .option('-p, --port <port>', 'Port to listen on')
+        .option('--tls', 'Enable TLS (HTTPS) on Gate')
+        .option('--cert <path>', 'Path to TLS certificate file (PEM)')
+        .option('--key <path>', 'Path to TLS private key file (PEM)')
+        .option('--require-agent-auth', 'Require X-Aegis-Agent token on every request')
+        .option('--policies-dir <path>', 'Directory containing YAML policy files')
+        .option('--policy-mode <mode>', 'Policy enforcement mode: enforce, dry-run, or off')
+        .action(async (opts) => {
+        // ── Validate CLI flags ──
+        if (opts.port) {
+            const p = Number.parseInt(opts.port, 10);
+            validatePort(p, 'gate port');
+        }
+        if (opts.policyMode) {
+            validateEnum(opts.policyMode, VALID_POLICY_MODES, 'policy mode');
+        }
+        let config;
+        try {
+            config = getConfig();
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${msg}\n`);
+            process.exit(1);
+        }
+        const port = opts.port ? Number.parseInt(opts.port, 10) : config.port;
+        let db;
+        try {
+            db = getDb(config);
+            migrate(db);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ Cannot open database: ${msg}\n`);
+            process.exit(1);
+        }
+        if (!config.masterKey) {
+            console.error('\n✗ AEGIS_MASTER_KEY is not set.\n  Run `aegis init` to generate a config and master key.\n');
+            process.exit(1);
+        }
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'gate:start');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        const ledger = new Ledger(db);
+        // Resolve TLS: CLI flags → config file
+        const useTls = opts.tls ?? !!config.tls;
+        let tlsConfig;
+        if (useTls) {
+            const certPath = opts.cert ?? config.tls?.cert ?? path.join(process.cwd(), 'certs', 'aegis.crt');
+            const keyPath = opts.key ?? config.tls?.key ?? path.join(process.cwd(), 'certs', 'aegis.key');
+            if (!fs.existsSync(certPath)) {
+                console.error(`\n✗ TLS certificate not found at ${certPath}\n  Generate one with: aegis init --generate-cert\n  Or specify a path: aegis gate --tls --cert /path/to/cert.pem --key /path/to/key.pem\n`);
+                process.exit(1);
+            }
+            if (!fs.existsSync(keyPath)) {
+                console.error(`\n✗ TLS private key not found at ${keyPath}\n  Generate one with: aegis init --generate-cert\n  Or specify a path: aegis gate --tls --cert /path/to/cert.pem --key /path/to/key.pem\n`);
+                process.exit(1);
+            }
+            tlsConfig = { certPath, keyPath };
+        }
+        const registry = new AgentRegistry(db, key);
+        // Resolve policy: CLI flags → config file
+        const effectiveRequireAgentAuth = opts.requireAgentAuth ?? config.requireAgentAuth;
+        const effectivePolicyMode = opts.policyMode ??
+            (config.policyMode === 'off' ? undefined : config.policyMode);
+        const policyDir = opts.policiesDir
+            ? path.resolve(opts.policiesDir)
+            : config.policiesDir
+                ? path.resolve(config.policiesDir)
+                : undefined;
+        if (policyDir && !fs.existsSync(policyDir)) {
+            console.error(`\n✗ Policy directory not found at ${policyDir}\n  Create it and add YAML policy files, or omit --policies-dir\n`);
+            process.exit(1);
+        }
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        // Metrics: create instance if enabled in config
+        const metrics = config.metricsEnabled
+            ? new AegisMetrics({ vault: vaultInstance })
+            : undefined;
+        const gate = new Gate({
+            port,
+            vault: vaultInstance,
+            ledger,
+            logLevel: config.logLevel,
+            tls: tlsConfig,
+            agentRegistry: registry,
+            requireAgentAuth: effectiveRequireAgentAuth,
+            policyDir,
+            policyMode: effectivePolicyMode,
+            webhooks: webhookManager,
+            metrics,
+        });
+        const protocol = tlsConfig ? 'https' : 'http';
+        console.log(`\n  ╔══════════════════════════════════╗`);
+        console.log(`  ║         Aegis Gate ${VERSION.padEnd(13)}║`);
+        console.log(`  ╚══════════════════════════════════╝\n`);
+        if (tlsConfig) {
+            console.log('  🔒 TLS enabled\n');
+        }
+        else {
+            console.log('  ⚠  Running without TLS — credentials are transmitted in cleartext on localhost\n');
+            console.log('     To enable TLS: aegis gate --tls (after running aegis init --generate-cert)\n');
+        }
+        if (effectiveRequireAgentAuth) {
+            console.log('  🔑 Agent authentication required (X-Aegis-Agent header)\n');
+        }
+        if (metrics) {
+            console.log('  📊 Metrics enabled (/_aegis/metrics)\n');
+        }
+        if (policyDir) {
+            const modeLabel = effectivePolicyMode === 'dry-run' ? 'DRY-RUN (log only)' : 'ENFORCE (block violations)';
+            console.log(`  📋 Policies: ${policyDir}`);
+            console.log(`     Mode:     ${modeLabel}\n`);
+        }
+        if (config.configFilePath) {
+            console.log(`  📄 Config:   ${config.configFilePath}\n`);
+        }
+        const creds = vaultInstance.list();
+        if (creds.length === 0) {
+            console.log('  ⚠ No credentials in vault. Add some first: aegis vault add\n');
+        }
+        else {
+            console.log(`  ${creds.length} credential(s) loaded:\n`);
+            for (const c of creds) {
+                console.log(`    ${c.service} → ${c.domains.join(', ')} (${c.authType})`);
+            }
+            console.log();
+        }
+        try {
+            await gate.start();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ Failed to start Gate: ${message}\n`);
+            db.close();
+            process.exit(1);
+        }
+        console.log(`  Agent config: set your agent's base URL to ${protocol}://localhost:${port}`);
+        console.log(`  Example:      curl ${protocol}://localhost:${port}/slack/api/chat.postMessage\n`);
+        console.log(`  Press Ctrl+C to stop.\n`);
+        // Graceful shutdown
+        let shutdownInProgress = false;
+        const shutdown = async () => {
+            if (shutdownInProgress) {
+                console.log('\n  Force shutdown — terminating immediately.');
+                process.exit(1);
+            }
+            shutdownInProgress = true;
+            console.log('\n  Shutting down Aegis Gate...');
+            console.log('  (Press Ctrl+C again to force quit)\n');
+            const result = await gate.stop();
+            if (result.drained) {
+                console.log('  All in-flight requests completed.');
+            }
+            else {
+                console.log(`  Shutdown timed out — ${result.activeAtClose} request(s) were still in-flight.`);
+            }
+            // Log shutdown event to Ledger as a system event
+            ledger.logSystem({
+                service: '_aegis',
+                targetDomain: 'localhost',
+                method: 'SHUTDOWN',
+                path: '/',
+                reason: result.drained
+                    ? 'Graceful shutdown — all requests drained'
+                    : `Forced shutdown — ${result.activeAtClose} request(s) still active`,
+            });
+            db.close();
+            console.log('  Aegis Gate stopped.\n');
+            process.exit(0);
+        };
+        process.on('SIGINT', shutdown);
+        process.on('SIGTERM', shutdown);
+    });
+}
+//# sourceMappingURL=gate.js.map

package/dist/cli/commands/gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../../src/cli/commands/gate.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAElF,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;SAChD,MAAM,CAAC,OAAO,EAAE,4BAA4B,CAAC;SAC7C,MAAM,CAAC,eAAe,EAAE,oCAAoC,CAAC;SAC7D,MAAM,CAAC,cAAc,EAAE,oCAAoC,CAAC;SAC5D,MAAM,CAAC,sBAAsB,EAAE,8CAA8C,CAAC;SAC9E,MAAM,CAAC,uBAAuB,EAAE,wCAAwC,CAAC;SACzE,MAAM,CAAC,sBAAsB,EAAE,mDAAmD,CAAC;SACnF,MAAM,CACL,KAAK,EAAE,IAQN,EAAE,EAAE;QACH,2BAA2B;QAC3B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACzC,YAAY,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,kBAAkB,EAAE,aAAa,CAAC,CAAC;QACnE,CAAC;QAED,IAAI,MAAoC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,GAAG,SAAS,EAAE,CAAC;QACvB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;QAEtE,IAAI,EAA4B,CAAC;QACjC,IAAI,CAAC;YACH,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;YACnB,OAAO,CAAC,EAAE,CAAC,CAAC;QACd,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,KAAK,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CACX,6FAA6F,CAC9F,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QAEvC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5E,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9B,uCAAuC;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;QACxC,IAAI,SAA4D,CAAC;QACjE,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;YAClF,MAAM,OAAO,GACX,IAAI,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;YAEhF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7B,OAAO,CAAC,KAAK,CACX,oCAAoC,QAAQ,4IAA4I,CACzL,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CACX,oCAAoC,OAAO,4IAA4I,CACxL,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,SAAS,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QACpC,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE5C,0CAA0C;QAC1C,MAAM,yBAAyB,GAAG,IAAI,CAAC,gBAAgB,IAAI,MAAM,CAAC,gBAAgB,CAAC;QACnF,MAAM,mBAAmB,GACtB,IAAI,CAAC,UAAgD;YACtD,CAAC,MAAM,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAE,MAAM,CAAC,UAAoC,CAAC,CAAC;QAC3F,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW;YAChC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC;YAChC,CAAC,CAAC,MAAM,CAAC,WAAW;gBAClB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;gBAClC,CAAC,CAAC,SAAS,CAAC;QAEhB,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3C,OAAO,CAAC,KAAK,CACX,qCAAqC,SAAS,mEAAmE,CAClH,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,gDAAgD;QAChD,MAAM,OAAO,GAAG,MAAM,CAAC,cAAc;YACnC,CAAC,CAAC,IAAI,YAAY,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC;YACpB,IAAI;YACJ,KAAK,EAAE,aAAa;YACpB,MAAM;YACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,GAAG,EAAE,SAAS;YACd,aAAa,EAAE,QAAQ;YACvB,gBAAgB,EAAE,yBAAyB;YAC3C,SAAS;YACT,UAAU,EAAE,mBAAmB;YAC/B,QAAQ,EAAE,cAAc;YACxB,OAAO;SACR,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;QAE9C,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,0BAA0B,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QAExD,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CACT,oFAAoF,CACrF,CAAC;YACF,OAAO,CAAC,GAAG,CACT,mFAAmF,CACpF,CAAC;QACJ,CAAC;QAED,IAAI,yBAAyB,EAAE,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;QAC7E,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,SAAS,GACb,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,4BAA4B,CAAC;YAC1F,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,IAAI,CAAC,CAAC;QAC/C,CAAC;QAED,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,cAAc,IAAI,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAChF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,MAAM,0BAA0B,CAAC,CAAC;YACzD,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC;YAC5E,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,6BAA6B,OAAO,IAAI,CAAC,CAAC;YACxD,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gDAAgD,QAAQ,gBAAgB,IAAI,EAAE,CAAC,CAAC;QAC5F,OAAO,CAAC,GAAG,CACT,wBAAwB,QAAQ,gBAAgB,IAAI,+BAA+B,CACpF,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QAEzC,oBAAoB;QACpB,IAAI,kBAAkB,GAAG,KAAK,CAAC;QAC/B,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;YAC1B,IAAI,kBAAkB,EAAE,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;gBAC7D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,kBAAkB,GAAG,IAAI,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;YAC/C,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;YAEtD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAEjC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CACT,0BAA0B,MAAM,CAAC,aAAa,mCAAmC,CAClF,CAAC;YACJ,CAAC;YAED,iDAAiD;YACjD,MAAM,CAAC,SAAS,CAAC;gBACf,OAAO,EAAE,QAAQ;gBACjB,YAAY,EAAE,WAAW;gBACzB,MAAM,EAAE,UAAU;gBAClB,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,MAAM,CAAC,OAAO;oBACpB,CAAC,CAAC,0CAA0C;oBAC5C,CAAC,CAAC,qBAAqB,MAAM,CAAC,aAAa,0BAA0B;aACxE,CAAC,CAAC;YAEH,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC,CACF,CAAC;AACN,CAAC"}

package/dist/cli/commands/init.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Init command: generate master key, config file, and data directory.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=init.d.ts.map

package/dist/cli/commands/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAmH/C"}

package/dist/cli/commands/init.js

@@ -0,0 +1,109 @@
+/**
+ * Init command: generate master key, config file, and data directory.
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { VaultManager } from '../../vault/index.js';
+import { generateSelfSignedCert } from '../helpers.js';
+export function register(program) {
+    program
+        .command('init')
+        .description('Initialize Aegis — generate master key, config file, and data directory')
+        .option('--write-secrets', 'Write master key to config file (convenient but less secure)', false)
+        .option('--generate-cert', 'Generate a self-signed TLS certificate for local dev use', false)
+        .action((opts) => {
+        const configPath = path.join(process.cwd(), 'aegis.config.yaml');
+        if (fs.existsSync(configPath)) {
+            console.log('\n  aegis.config.yaml already exists. To reinitialize, remove it first:\n');
+            console.log('    rm aegis.config.yaml && aegis init\n');
+            process.exit(1);
+        }
+        const masterKey = crypto.randomBytes(32).toString('hex');
+        const dataDir = path.join(process.cwd(), '.aegis');
+        if (!fs.existsSync(dataDir)) {
+            fs.mkdirSync(dataDir, { recursive: true });
+        }
+        // Create the "default" vault through VaultManager (skip if it already exists)
+        const manager = new VaultManager(dataDir);
+        let salt;
+        const existingVaults = manager.list();
+        const existing = existingVaults.find((v) => v.name === 'default');
+        if (existing) {
+            salt = existing.salt;
+        }
+        else {
+            const created = manager.create('default');
+            salt = created.salt;
+        }
+        const masterKeyLine = opts.writeSecrets
+            ? `  master_key: "${masterKey}"   # ⚠ stored in file — use env var for production`
+            : `  # master_key: set AEGIS_MASTER_KEY env var (see below)`;
+        const configContent = `# Aegis Configuration — generated by aegis init
+# CLI flags override these values. Environment variables (AEGIS_*) override both.
+
+gate:
+  port: 3100
+  # tls:
+  #   cert: ./certs/aegis.crt
+  #   key: ./certs/aegis.key
+  # require_agent_auth: false
+
+vault:
+${masterKeyLine}
+  name: default
+  data_dir: ./.aegis
+
+observability:
+  log_level: info
+  log_format: pretty
+  metrics: true
+  # dashboard:
+  #   enabled: true
+  #   port: 3200
+
+# policies:
+#   dir: ./policies
+#   mode: enforce
+
+# mcp:
+#   transport: stdio
+#   port: 3200
+
+# webhooks: []
+`;
+        if (opts.writeSecrets) {
+            fs.writeFileSync(configPath, configContent, { mode: 0o600 });
+        }
+        else {
+            fs.writeFileSync(configPath, configContent, { mode: 0o644 });
+        }
+        console.log(`\n  ╔══════════════════════════════════╗`);
+        console.log(`  ║       Aegis Initialized ✓        ║`);
+        console.log(`  ╚══════════════════════════════════╝\n`);
+        console.log(`  Config file: aegis.config.yaml`);
+        console.log(`  Default vault created (salt stored in vault registry)`);
+        if (opts.writeSecrets) {
+            console.log(`  Master key saved to aegis.config.yaml (mode 0600)\n`);
+        }
+        else {
+            console.log(`\n  ⚠  Store the following secret securely — it will NOT be shown again.\n`);
+            console.log(`  AEGIS_MASTER_KEY=${masterKey}\n`);
+            console.log(`  Export it in your shell profile or use a secrets manager:`);
+            console.log(`    export AEGIS_MASTER_KEY=${masterKey}\n`);
+            console.log(`  Or re-run with --write-secrets to save it to the config file (less secure):`);
+            console.log(`    rm aegis.config.yaml && aegis init --write-secrets`);
+        }
+        console.log(`\n  Vault salt: ${salt} (stored in .aegis/vaults.json)`);
+        console.log(`  Data directory: ./.aegis\n`);
+        console.log(`  Next steps:`);
+        console.log(`    1. Add a credential:  aegis vault add --name slack --service slack --secret xoxb-... --domains api.slack.com`);
+        console.log(`    2. Start the gate:    aegis gate`);
+        console.log(`    3. Point your agent:  http://localhost:3100/{service}/api/path\n`);
+        // Generate self-signed TLS certificate for local dev
+        if (opts.generateCert) {
+            generateSelfSignedCert(process.cwd());
+        }
+    });
+}
+//# sourceMappingURL=init.js.map

package/dist/cli/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,yEAAyE,CAAC;SACtF,MAAM,CACL,iBAAiB,EACjB,8DAA8D,EAC9D,KAAK,CACN;SACA,MAAM,CAAC,iBAAiB,EAAE,0DAA0D,EAAE,KAAK,CAAC;SAC5F,MAAM,CAAC,CAAC,IAAsD,EAAE,EAAE;QACjE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,mBAAmB,CAAC,CAAC;QACjE,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,2EAA2E,CAAC,CAAC;YACzF,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;YACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEzD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,CAAC;QAED,8EAA8E;QAC9E,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,IAAY,CAAC;QACjB,MAAM,cAAc,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;QAClE,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACtB,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,CAAC,YAAY;YACrC,CAAC,CAAC,kBAAkB,SAAS,qDAAqD;YAClF,CAAC,CAAC,0DAA0D,CAAC;QAE/D,MAAM,aAAa,GAAG;;;;;;;;;;;EAW1B,aAAa;;;;;;;;;;;;;;;;;;;;;CAqBd,CAAC;QAEI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,aAAa,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,aAAa,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QAExD,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;QAEvE,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;QACvE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;YAC1F,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,IAAI,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;YAC3E,OAAO,CAAC,GAAG,CAAC,+BAA+B,SAAS,IAAI,CAAC,CAAC;YAC1D,OAAO,CAAC,GAAG,CACT,+EAA+E,CAChF,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;QACxE,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,iCAAiC,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CACT,kHAAkH,CACnH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QAEpF,qDAAqD;QACrD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,sBAAsB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/ledger.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Ledger commands: show, stats, export.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=ledger.d.ts.map

package/dist/cli/commands/ledger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ledger.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/ledger.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAwJ/C"}

package/dist/cli/commands/ledger.js

@@ -0,0 +1,140 @@
+/**
+ * Ledger commands: show, stats, export.
+ */
+import * as fs from 'node:fs';
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { Ledger } from '../../ledger/index.js';
+import { deriveKey } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime, validateEnum, validateIsoDate, validatePositiveInt } from '../validation.js';
+export function register(program) {
+    const ledgerCmd = program.command('ledger').description('View and export audit logs');
+    ledgerCmd
+        .command('show')
+        .description('Show recent audit log entries')
+        .option('-s, --service <service>', 'Filter by service')
+        .option('-n, --limit <limit>', 'Number of entries to show', '20')
+        .option('--since <date>', 'Show entries since date (ISO format)')
+        .option('--blocked', 'Show only blocked requests')
+        .option('--system', 'Show only system events (startup, shutdown)')
+        .option('--agent <name>', 'Filter by agent name')
+        .action((opts) => {
+        const config = getConfig();
+        // ── Validate CLI flags ──
+        const parsedLimit = parseInt(opts.limit, 10);
+        validatePositiveInt(parsedLimit, 'limit');
+        if (opts.since) {
+            validateIsoDate(opts.since, '--since date');
+        }
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'ledger:read');
+        const ledger = new Ledger(db);
+        const entries = ledger.query({
+            service: opts.service,
+            status: opts.blocked ? 'blocked' : opts.system ? 'system' : undefined,
+            since: opts.since,
+            limit: parsedLimit,
+            agentName: opts.agent,
+        });
+        if (entries.length === 0) {
+            console.log('\n  No audit entries found.\n');
+            db.close();
+            return;
+        }
+        console.log(`\n  Aegis Ledger — ${entries.length} entries\n`);
+        for (const entry of entries) {
+            const icon = entry.status === 'allowed' ? '✓' : entry.status === 'system' ? '●' : '✗';
+            const reason = entry.blockedReason ? ` (${entry.blockedReason})` : '';
+            const agent = entry.agentName ? ` [${entry.agentName}]` : '';
+            const channel = entry.channel !== 'gate' ? ` via ${entry.channel}` : '';
+            console.log(`  ${icon} ${localTime(entry.timestamp)} | ${entry.method.padEnd(6)} ${entry.service}${entry.path} → ${entry.targetDomain} [${entry.responseCode ?? '-'}]${agent}${channel}${reason}`);
+        }
+        console.log();
+        db.close();
+    });
+    ledgerCmd
+        .command('stats')
+        .description('Show audit log statistics')
+        .option('--since <date>', 'Stats since date (ISO format)')
+        .option('--agent <name>', 'Stats for a specific agent')
+        .action((opts) => {
+        // ── Validate CLI flags ──
+        if (opts.since) {
+            validateIsoDate(opts.since, '--since date');
+        }
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'ledger:read');
+        const ledger = new Ledger(db);
+        const stats = ledger.stats(opts.since, opts.agent);
+        console.log(`\n  Aegis Ledger — Statistics\n`);
+        console.log(`  Total requests:   ${stats.total}`);
+        console.log(`  Allowed:          ${stats.allowed}`);
+        console.log(`  Blocked:          ${stats.blocked}`);
+        if (stats.system > 0) {
+            console.log(`  System:           ${stats.system}`);
+        }
+        if (Object.keys(stats.byService).length > 0) {
+            console.log(`\n  By service:`);
+            for (const [service, count] of Object.entries(stats.byService)) {
+                console.log(`    ${service}: ${count}`);
+            }
+        }
+        console.log();
+        db.close();
+    });
+    ledgerCmd
+        .command('export')
+        .description('Export audit log (CSV, JSON, or JSON Lines)')
+        .option('-s, --service <service>', 'Filter by service')
+        .option('--since <date>', 'Export entries since date')
+        .option('-f, --format <format>', 'Output format: csv, json, or jsonl', 'csv')
+        .option('-o, --output <file>', 'Output file path')
+        .action((opts) => {
+        // ── Validate CLI flags ──
+        if (opts.since) {
+            validateIsoDate(opts.since, '--since date');
+        }
+        validateEnum(opts.format, ['csv', 'json', 'jsonl'], 'format');
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'ledger:export');
+        const ledger = new Ledger(db);
+        const queryParams = {
+            service: opts.service,
+            since: opts.since,
+        };
+        let output;
+        switch (opts.format) {
+            case 'json':
+                output = ledger.exportJson(queryParams);
+                break;
+            case 'jsonl':
+                output = ledger.exportJsonLines(queryParams);
+                break;
+            case 'csv':
+                output = ledger.exportCsv(queryParams);
+                break;
+            default:
+                console.error(`\n✗ Unknown format "${opts.format}". Use csv, json, or jsonl.\n`);
+                db.close();
+                return;
+        }
+        if (opts.output) {
+            fs.writeFileSync(opts.output, output, 'utf-8');
+            console.log(`\n✓ Exported ${opts.format.toUpperCase()} to ${opts.output}\n`);
+        }
+        else {
+            console.log(output);
+        }
+        db.close();
+    });
+}
+//# sourceMappingURL=ledger.js.map

package/dist/cli/commands/ledger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ledger.js","sourceRoot":"","sources":["../../../src/cli/commands/ledger.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEjG,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,4BAA4B,CAAC,CAAC;IAEtF,SAAS;SACN,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,+BAA+B,CAAC;SAC5C,MAAM,CAAC,yBAAyB,EAAE,mBAAmB,CAAC;SACtD,MAAM,CAAC,qBAAqB,EAAE,2BAA2B,EAAE,IAAI,CAAC;SAChE,MAAM,CAAC,gBAAgB,EAAE,sCAAsC,CAAC;SAChE,MAAM,CAAC,WAAW,EAAE,4BAA4B,CAAC;SACjD,MAAM,CAAC,UAAU,EAAE,6CAA6C,CAAC;SACjE,MAAM,CAAC,gBAAgB,EAAE,sBAAsB,CAAC;SAChD,MAAM,CACL,CAAC,IAOA,EAAE,EAAE;QACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,2BAA2B;QAC3B,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC7C,mBAAmB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YACrE,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,WAAW;YAClB,SAAS,EAAE,IAAI,CAAC,KAAK;SACtB,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YAC7C,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,OAAO,CAAC,MAAM,YAAY,CAAC,CAAC;QAC9D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YACtF,MAAM,MAAM,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACtE,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACxE,OAAO,CAAC,GAAG,CACT,KAAK,IAAI,IAAI,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,YAAY,KAAK,KAAK,CAAC,YAAY,IAAI,GAAG,IAAI,KAAK,GAAG,OAAO,GAAG,MAAM,EAAE,CACtL,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CACF,CAAC;IAEJ,SAAS;SACN,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,2BAA2B,CAAC;SACxC,MAAM,CAAC,gBAAgB,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,gBAAgB,EAAE,4BAA4B,CAAC;SACtD,MAAM,CAAC,CAAC,IAAwC,EAAE,EAAE;QACnD,2BAA2B;QAC3B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAEnD,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACrD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAC/B,KAAK,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,OAAO,OAAO,KAAK,KAAK,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,SAAS;SACN,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,6CAA6C,CAAC;SAC1D,MAAM,CAAC,yBAAyB,EAAE,mBAAmB,CAAC;SACtD,MAAM,CAAC,gBAAgB,EAAE,2BAA2B,CAAC;SACrD,MAAM,CAAC,uBAAuB,EAAE,oCAAoC,EAAE,KAAK,CAAC;SAC5E,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,MAAM,CAAC,CAAC,IAA2E,EAAE,EAAE;QACtF,2BAA2B;QAC3B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAC9C,CAAC;QACD,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAU,EAAE,QAAQ,CAAC,CAAC;QAEvE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9B,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;QAEF,IAAI,MAAc,CAAC;QACnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;gBACxC,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,GAAG,MAAM,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;gBAC7C,MAAM;YACR,KAAK,KAAK;gBACR,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;gBACvC,MAAM;YACR;gBACE,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,CAAC,MAAM,+BAA+B,CAAC,CAAC;gBACjF,EAAE,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;QACX,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC;QAC/E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QACD,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/mcp.d.ts

@@ -0,0 +1,6 @@
+/**
+ * MCP commands: serve, config.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=mcp.d.ts.map

package/dist/cli/commands/mcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/mcp.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAkBzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAgP/C"}