@getaegis/cli 0.8.0 → 0.8.1

package/dist/cli/commands/mcp.js

@@ -0,0 +1,224 @@
+/**
+ * MCP commands: serve, config.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { AgentRegistry } from '../../agent/index.js';
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { Ledger } from '../../ledger/index.js';
+import { AegisMcpServer } from '../../mcp/index.js';
+import { loadPoliciesFromDirectory } from '../../policy/index.js';
+import { deriveKey, Vault } from '../../vault/index.js';
+import { WebhookManager } from '../../webhook/index.js';
+import { requireUserAuth } from '../auth.js';
+import { VALID_LOG_LEVELS, VALID_MCP_TRANSPORTS, validateEnum, validatePort, } from '../validation.js';
+export function register(program) {
+    const mcpCmd = program.command('mcp').description('Run Aegis as an MCP server');
+    mcpCmd
+        .command('serve')
+        .description('Start the Aegis MCP server')
+        .option('--transport <type>', 'Transport type: "stdio" or "streamable-http"')
+        .option('--port <port>', 'Port for streamable-http transport')
+        .option('--agent-token <token>', 'Agent token to authenticate this MCP session')
+        .option('--policies-dir <dir>', 'Directory containing YAML policy files')
+        .option('--policy-mode <mode>', 'Policy enforcement mode: "enforce" or "dry-run"')
+        .option('--log-level <level>', 'Log level: debug, info, warn, error')
+        .action(async (opts) => {
+        // ── Validate CLI flags ──
+        if (opts.port) {
+            const p = Number.parseInt(opts.port, 10);
+            validatePort(p, 'MCP port');
+        }
+        if (opts.transport) {
+            validateEnum(opts.transport, VALID_MCP_TRANSPORTS, 'transport');
+        }
+        if (opts.policyMode) {
+            validateEnum(opts.policyMode, ['enforce', 'dry-run'], 'policy mode');
+        }
+        if (opts.logLevel) {
+            validateEnum(opts.logLevel, VALID_LOG_LEVELS, 'log level');
+        }
+        if (opts.policiesDir && !fs.existsSync(path.resolve(opts.policiesDir))) {
+            console.error(`\n✗ Policy directory not found: ${path.resolve(opts.policiesDir)}\n  Create it and add YAML policy files, or omit --policies-dir\n`);
+            process.exit(1);
+        }
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const mcpKey = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, mcpKey, 'gate:start');
+        const vault = new Vault(db, config.masterKey, getVaultSalt(config));
+        const ledger = new Ledger(db);
+        const agentRegistry = new AgentRegistry(db, mcpKey);
+        // Resolve policies: CLI flags → config file
+        const policyDir = opts.policiesDir ?? config.policiesDir;
+        let policies = [];
+        if (policyDir) {
+            policies = loadPoliciesFromDirectory(policyDir);
+        }
+        // Resolve transport: CLI → config file → default (stdio)
+        const transportOpt = opts.transport ?? config.mcp.transport;
+        const transport = transportOpt === 'streamable-http' ? 'streamable-http' : 'stdio';
+        // Resolve port: CLI → config file → default (3200)
+        const mcpPort = opts.port ? Number.parseInt(opts.port, 10) : config.mcp.port;
+        // Resolve policy mode: CLI → config file → default (enforce)
+        const effectivePolicyMode = opts.policyMode ?? (config.policyMode === 'off' ? 'enforce' : config.policyMode);
+        // Resolve log level: CLI → config file → default (info)
+        const effectiveLogLevel = (opts.logLevel ?? config.logLevel);
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const mcpServer = new AegisMcpServer({
+            vault,
+            ledger,
+            agentRegistry,
+            agentToken: opts.agentToken,
+            transport,
+            port: mcpPort,
+            policies,
+            policyMode: effectivePolicyMode === 'dry-run' ? 'dry-run' : 'enforce',
+            logLevel: effectiveLogLevel,
+            webhooks: webhookManager,
+        });
+        await mcpServer.start();
+        // Handle graceful shutdown
+        const shutdown = async () => {
+            await mcpServer.stop();
+            db.close();
+            process.exit(0);
+        };
+        process.on('SIGINT', shutdown);
+        process.on('SIGTERM', shutdown);
+    });
+    mcpCmd
+        .command('config')
+        .description('Generate MCP client configuration for popular hosts')
+        .argument('<host>', 'Target host: "claude", "cursor", or "vscode"')
+        .option('--transport <type>', 'Transport type (default: stdio)', 'stdio')
+        .option('--port <port>', 'Port for streamable-http transport (default: 3200)', '3200')
+        .option('--agent-token <token>', 'Agent token to include in the configuration')
+        .action((host, opts) => {
+        const transport = opts.transport;
+        const port = opts.port;
+        // Resolve the aegis CLI path.
+        // Prefer the built dist/cli.js with an absolute node path — this is stable
+        // across shell sessions (unlike `which aegis` which may resolve to an
+        // ephemeral fnm/nvm multishell path that disappears when the terminal closes).
+        let aegisCmd;
+        let aegisBaseArgs;
+        const distCli = path.resolve('dist/cli.js');
+        if (fs.existsSync(distCli)) {
+            // Use node + absolute path to the built CLI (always stable)
+            aegisCmd = process.execPath; // absolute path to the current node binary
+            aegisBaseArgs = [distCli];
+        }
+        else {
+            // Development fallback: use tsx
+            const cliPath = path.resolve('src/cli.ts');
+            aegisCmd = 'npx';
+            aegisBaseArgs = ['tsx', cliPath];
+        }
+        const buildArgs = () => {
+            const args = [...aegisBaseArgs, 'mcp', 'serve', '--transport', transport];
+            if (transport === 'streamable-http') {
+                args.push('--port', port);
+            }
+            if (opts.agentToken) {
+                args.push('--agent-token', opts.agentToken);
+            }
+            return args;
+        };
+        const args = buildArgs();
+        switch (host.toLowerCase()) {
+            case 'claude': {
+                if (transport === 'streamable-http') {
+                    const config = {
+                        mcpServers: {
+                            aegis: {
+                                url: `http://127.0.0.1:${port}/mcp`,
+                            },
+                        },
+                    };
+                    console.log('Add this to your Claude Desktop config (claude_desktop_config.json):');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                else {
+                    const config = {
+                        mcpServers: {
+                            aegis: {
+                                command: aegisCmd,
+                                args,
+                            },
+                        },
+                    };
+                    console.log('Add this to your Claude Desktop config (claude_desktop_config.json):');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                break;
+            }
+            case 'cursor': {
+                if (transport === 'streamable-http') {
+                    const config = {
+                        mcpServers: {
+                            aegis: {
+                                url: `http://127.0.0.1:${port}/mcp`,
+                            },
+                        },
+                    };
+                    console.log('Add this to your Cursor MCP config (.cursor/mcp.json):');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                else {
+                    const config = {
+                        mcpServers: {
+                            aegis: {
+                                command: aegisCmd,
+                                args,
+                            },
+                        },
+                    };
+                    console.log('Add this to your Cursor MCP config (.cursor/mcp.json):');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                break;
+            }
+            case 'vscode': {
+                if (transport === 'streamable-http') {
+                    const config = {
+                        servers: {
+                            aegis: {
+                                type: 'http',
+                                url: `http://127.0.0.1:${port}/mcp`,
+                            },
+                        },
+                    };
+                    console.log('Add this to your VS Code settings (settings.json) under "mcp":');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                else {
+                    const config = {
+                        servers: {
+                            aegis: {
+                                type: 'stdio',
+                                command: aegisCmd,
+                                args,
+                            },
+                        },
+                    };
+                    console.log('Add this to your VS Code settings (settings.json) under "mcp":');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                break;
+            }
+            default:
+                console.error(`Unknown host: ${host}. Supported hosts: claude, cursor, vscode`);
+                process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=mcp.js.map

package/dist/cli/commands/mcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../../src/cli/commands/mcp.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,YAAY,EACZ,YAAY,GACb,MAAM,kBAAkB,CAAC;AAE1B,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,4BAA4B,CAAC,CAAC;IAEhF,MAAM;SACH,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,oBAAoB,EAAE,8CAA8C,CAAC;SAC5E,MAAM,CAAC,eAAe,EAAE,oCAAoC,CAAC;SAC7D,MAAM,CAAC,uBAAuB,EAAE,8CAA8C,CAAC;SAC/E,MAAM,CAAC,sBAAsB,EAAE,wCAAwC,CAAC;SACxE,MAAM,CAAC,sBAAsB,EAAE,iDAAiD,CAAC;SACjF,MAAM,CAAC,qBAAqB,EAAE,qCAAqC,CAAC;SACpE,MAAM,CACL,KAAK,EAAE,IAON,EAAE,EAAE;QACH,2BAA2B;QAC3B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACzC,YAAY,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QAC9B,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,oBAAoB,EAAE,WAAW,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,SAAS,EAAE,SAAS,CAAU,EAAE,aAAa,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,KAAK,CACX,mCAAmC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,mEAAmE,CACrI,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QAEZ,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QACjE,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAE1C,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAC9B,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAEpD,4CAA4C;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC;QACzD,IAAI,QAAQ,GAA6B,EAAE,CAAC;QAC5C,IAAI,SAAS,EAAE,CAAC;YACd,QAAQ,GAAG,yBAAyB,CAAC,SAAS,CAAC,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC;QAC5D,MAAM,SAAS,GACb,YAAY,KAAK,iBAAiB,CAAC,CAAC,CAAE,iBAA2B,CAAC,CAAC,CAAE,OAAiB,CAAC;QAEzF,mDAAmD;QACnD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC;QAE7E,6DAA6D;QAC7D,MAAM,mBAAmB,GACvB,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEnF,wDAAwD;QACxD,MAAM,iBAAiB,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAIhD,CAAC;QAEZ,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,MAAM,SAAS,GAAG,IAAI,cAAc,CAAC;YACnC,KAAK;YACL,MAAM;YACN,aAAa;YACb,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS;YACT,IAAI,EAAE,OAAO;YACb,QAAQ;YACR,UAAU,EAAE,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;YACrE,QAAQ,EAAE,iBAAiB;YAC3B,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;QAEH,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;QAExB,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;YACzC,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;YACvB,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC;QAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC,CACF,CAAC;IAEJ,MAAM;SACH,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,qDAAqD,CAAC;SAClE,QAAQ,CAAC,QAAQ,EAAE,8CAA8C,CAAC;SAClE,MAAM,CAAC,oBAAoB,EAAE,iCAAiC,EAAE,OAAO,CAAC;SACxE,MAAM,CAAC,eAAe,EAAE,oDAAoD,EAAE,MAAM,CAAC;SACrF,MAAM,CAAC,uBAAuB,EAAE,6CAA6C,CAAC;SAC9E,MAAM,CAAC,CAAC,IAAY,EAAE,IAA8D,EAAE,EAAE;QACvF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QAEvB,8BAA8B;QAC9B,2EAA2E;QAC3E,sEAAsE;QACtE,+EAA+E;QAC/E,IAAI,QAAgB,CAAC;QACrB,IAAI,aAAuB,CAAC;QAE5B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAC5C,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,4DAA4D;YAC5D,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,2CAA2C;YACxE,aAAa,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,gCAAgC;YAChC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC3C,QAAQ,GAAG,KAAK,CAAC;YACjB,aAAa,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,SAAS,GAAG,GAAa,EAAE;YAC/B,MAAM,IAAI,GAAG,CAAC,GAAG,aAAa,EAAE,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC;YAC1E,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;gBACpC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YAC5B,CAAC;YACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAC9C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC;QAEzB,QAAQ,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YAC3B,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;oBACpC,MAAM,MAAM,GAAG;wBACb,UAAU,EAAE;4BACV,KAAK,EAAE;gCACL,GAAG,EAAE,oBAAoB,IAAI,MAAM;6BACpC;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;oBACpF,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;qBAAM,CAAC;oBACN,MAAM,MAAM,GAAG;wBACb,UAAU,EAAE;4BACV,KAAK,EAAE;gCACL,OAAO,EAAE,QAAQ;gCACjB,IAAI;6BACL;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;oBACpF,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;oBACpC,MAAM,MAAM,GAAG;wBACb,UAAU,EAAE;4BACV,KAAK,EAAE;gCACL,GAAG,EAAE,oBAAoB,IAAI,MAAM;6BACpC;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;oBACtE,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;qBAAM,CAAC;oBACN,MAAM,MAAM,GAAG;wBACb,UAAU,EAAE;4BACV,KAAK,EAAE;gCACL,OAAO,EAAE,QAAQ;gCACjB,IAAI;6BACL;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;oBACtE,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;oBACpC,MAAM,MAAM,GAAG;wBACb,OAAO,EAAE;4BACP,KAAK,EAAE;gCACL,IAAI,EAAE,MAAM;gCACZ,GAAG,EAAE,oBAAoB,IAAI,MAAM;6BACpC;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;oBAC9E,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;qBAAM,CAAC;oBACN,MAAM,MAAM,GAAG;wBACb,OAAO,EAAE;4BACP,KAAK,EAAE;gCACL,IAAI,EAAE,OAAO;gCACb,OAAO,EAAE,QAAQ;gCACjB,IAAI;6BACL;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;oBAC9E,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;YACR,CAAC;YACD;gBACE,OAAO,CAAC,KAAK,CAAC,iBAAiB,IAAI,2CAA2C,CAAC,CAAC;gBAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/policy.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Policy commands: validate, list, test.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=policy.d.ts.map

package/dist/cli/commands/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAkJ/C"}

package/dist/cli/commands/policy.js

@@ -0,0 +1,126 @@
+/**
+ * Policy commands: validate, list, test.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { evaluatePolicy, loadPoliciesFromDirectory, loadPolicyFile } from '../../policy/index.js';
+export function register(program) {
+    const policyCmd = program.command('policy').description('Manage and validate policy files');
+    policyCmd
+        .command('validate')
+        .description('Validate policy files for syntax and schema errors')
+        .argument('<path>', 'Path to a YAML policy file or directory of policy files')
+        .action((filePath) => {
+        const resolved = path.resolve(filePath);
+        if (!fs.existsSync(resolved)) {
+            console.error(`\n✗ Path not found: ${resolved}\n`);
+            process.exit(1);
+        }
+        const stat = fs.statSync(resolved);
+        const results = stat.isDirectory()
+            ? loadPoliciesFromDirectory(resolved)
+            : [loadPolicyFile(resolved)];
+        let hasErrors = false;
+        for (const result of results) {
+            if (result.valid) {
+                console.log(`  ✓ ${result.filePath ?? 'inline'}: valid (agent: ${result.policy?.agent})`);
+            }
+            else {
+                hasErrors = true;
+                console.log(`  ✗ ${result.filePath ?? 'inline'}: invalid`);
+                for (const err of result.errors) {
+                    console.log(`    - ${err.message}`);
+                }
+            }
+        }
+        console.log(`\n  ${results.filter((r) => r.valid).length}/${results.length} policy file(s) valid.\n`);
+        if (hasErrors) {
+            process.exit(1);
+        }
+    });
+    policyCmd
+        .command('list')
+        .description('List all policies and their rules')
+        .argument('<path>', 'Path to a policy file or directory')
+        .action((filePath) => {
+        const resolved = path.resolve(filePath);
+        if (!fs.existsSync(resolved)) {
+            console.error(`\n✗ Path not found: ${resolved}\n`);
+            process.exit(1);
+        }
+        const stat = fs.statSync(resolved);
+        const results = stat.isDirectory()
+            ? loadPoliciesFromDirectory(resolved)
+            : [loadPolicyFile(resolved)];
+        const valid = results.filter((r) => r.valid && r.policy);
+        if (valid.length === 0) {
+            console.log('\n  No valid policy files found.\n');
+            return;
+        }
+        console.log(`\n  ${valid.length} policy(ies):\n`);
+        for (const result of valid) {
+            const policy = result.policy;
+            if (!policy)
+                continue;
+            console.log(`  Agent: ${policy.agent}`);
+            if (policy.rules.length === 0) {
+                console.log('    (no rules)');
+            }
+            for (const rule of policy.rules) {
+                const methods = rule.methods ? rule.methods.join(', ') : '*';
+                const paths = rule.paths ? rule.paths.join(', ') : '*';
+                const rateLimit = rule.rateLimit ?? 'none';
+                console.log(`    → ${rule.service}`);
+                console.log(`      methods: ${methods}`);
+                console.log(`      paths:   ${paths}`);
+                console.log(`      rate:    ${rateLimit}`);
+                if (rule.timeWindow) {
+                    console.log(`      time:    ${rule.timeWindow.start}–${rule.timeWindow.end} (${rule.timeWindow.timezone})`);
+                }
+            }
+            console.log();
+        }
+    });
+    policyCmd
+        .command('test')
+        .description("Test a request against an agent's policy")
+        .requiredOption('-a, --agent <name>', 'Agent name to test against')
+        .requiredOption('-s, --service <service>', 'Service being accessed')
+        .requiredOption('-m, --method <method>', 'HTTP method (GET, POST, etc.)')
+        .requiredOption('--path <path>', 'Request path')
+        .argument('<policyPath>', 'Path to a policy file or directory')
+        .action((policyPath, opts) => {
+        const resolved = path.resolve(policyPath);
+        if (!fs.existsSync(resolved)) {
+            console.error(`\n✗ Path not found: ${resolved}\n`);
+            process.exit(1);
+        }
+        const stat = fs.statSync(resolved);
+        const results = stat.isDirectory()
+            ? loadPoliciesFromDirectory(resolved)
+            : [loadPolicyFile(resolved)];
+        const valid = results.filter((r) => r.valid && r.policy);
+        const agentPolicy = valid.find((r) => r.policy?.agent === opts.agent);
+        if (!agentPolicy?.policy) {
+            console.error(`\n✗ No valid policy found for agent "${opts.agent}"\n`);
+            process.exit(1);
+        }
+        const evaluation = evaluatePolicy(agentPolicy.policy, {
+            service: opts.service,
+            method: opts.method,
+            path: opts.path,
+        });
+        if (evaluation.allowed) {
+            console.log(`\n  ✓ ALLOWED — request matches policy for agent "${opts.agent}"`);
+            if (evaluation.matchedRule) {
+                console.log(`    Matched rule for service: ${evaluation.matchedRule.service}`);
+            }
+        }
+        else {
+            console.log(`\n  ✗ DENIED — ${evaluation.reason}`);
+            console.log(`    Violation type: ${evaluation.violation}`);
+        }
+        console.log();
+    });
+}
+//# sourceMappingURL=policy.js.map

package/dist/cli/commands/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,cAAc,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAElG,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,kCAAkC,CAAC,CAAC;IAE5F,SAAS;SACN,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CAAC,oDAAoD,CAAC;SACjE,QAAQ,CAAC,QAAQ,EAAE,yDAAyD,CAAC;SAC7E,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAExC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,uBAAuB,QAAQ,IAAI,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE;YAChC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;YACrC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE/B,IAAI,SAAS,GAAG,KAAK,CAAC;QAEtB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,QAAQ,IAAI,QAAQ,mBAAmB,MAAM,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC;YAC5F,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,QAAQ,IAAI,QAAQ,WAAW,CAAC,CAAC;gBAC3D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBAChC,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,CACT,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,0BAA0B,CACzF,CAAC;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,SAAS;SACN,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,mCAAmC,CAAC;SAChD,QAAQ,CAAC,QAAQ,EAAE,oCAAoC,CAAC;SACxD,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAExC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,uBAAuB,QAAQ,IAAI,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE;YAChC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;YACrC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE/B,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;QAEzD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;YAClD,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,MAAM,iBAAiB,CAAC,CAAC;QAElD,KAAK,MAAM,MAAM,IAAI,KAAK,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YAC7B,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEtB,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YACxC,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAChC,CAAC;YACD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAChC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBACvD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC;gBAC3C,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;gBACrC,OAAO,CAAC,GAAG,CAAC,kBAAkB,OAAO,EAAE,CAAC,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,EAAE,CAAC,CAAC;gBACvC,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,EAAE,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;oBACpB,OAAO,CAAC,GAAG,CACT,kBAAkB,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,KAAK,IAAI,CAAC,UAAU,CAAC,QAAQ,GAAG,CAC/F,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,SAAS;SACN,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,0CAA0C,CAAC;SACvD,cAAc,CAAC,oBAAoB,EAAE,4BAA4B,CAAC;SAClE,cAAc,CAAC,yBAAyB,EAAE,wBAAwB,CAAC;SACnE,cAAc,CAAC,uBAAuB,EAAE,+BAA+B,CAAC;SACxE,cAAc,CAAC,eAAe,EAAE,cAAc,CAAC;SAC/C,QAAQ,CAAC,cAAc,EAAE,oCAAoC,CAAC;SAC9D,MAAM,CACL,CACE,UAAkB,EAClB,IAAsE,EACtE,EAAE;QACF,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,uBAAuB,QAAQ,IAAI,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE;YAChC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;YACrC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE/B,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;QACzD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC;QAEtE,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;YACzB,OAAO,CAAC,KAAK,CAAC,wCAAwC,IAAI,CAAC,KAAK,KAAK,CAAC,CAAC;YACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,UAAU,GAAG,cAAc,CAAC,WAAW,CAAC,MAAM,EAAE;YACpD,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC,CAAC;QAEH,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,qDAAqD,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;YAChF,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,iCAAiC,UAAU,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YACjF,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,kBAAkB,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,uBAAuB,UAAU,CAAC,SAAS,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC,CACF,CAAC;AACN,CAAC"}

package/dist/cli/commands/user.d.ts

@@ -0,0 +1,6 @@
+/**
+ * User commands: add, list, remove, role, regenerate-token.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=user.d.ts.map

package/dist/cli/commands/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/user.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAmK/C"}

package/dist/cli/commands/user.js

@@ -0,0 +1,150 @@
+/**
+ * User commands: add, list, remove, role, regenerate-token.
+ */
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { UserRegistry } from '../../user/index.js';
+import { deriveKey } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime, validateEnum, validateIdentifier } from '../validation.js';
+export function register(program) {
+    const userCmd = program.command('user').description('Manage users and roles (RBAC)');
+    userCmd
+        .command('add')
+        .description('Add a new user with a role')
+        .requiredOption('-n, --name <name>', 'Unique username')
+        .requiredOption('-r, --role <role>', 'Role: admin, operator, or viewer')
+        .action((opts) => {
+        // ── Validate CLI flags ──
+        validateIdentifier(opts.name, 'username');
+        const validatedRole = validateEnum(opts.role, ['admin', 'operator', 'viewer'], 'role');
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:write');
+        const registry = new UserRegistry(db, key);
+        try {
+            const user = registry.add({
+                name: opts.name,
+                role: validatedRole,
+            });
+            console.log(`\n✓ User added to Aegis\n`);
+            console.log(`  Name:   ${user.name}`);
+            console.log(`  Role:   ${user.role}`);
+            console.log(`  Prefix: ${user.tokenPrefix}`);
+            console.log(`\n  API Key (shown ONCE — save it now):`);
+            console.log(`  ${user.token}\n`);
+            console.log(`  Use AEGIS_USER_TOKEN=<key> to authenticate CLI commands.\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    userCmd
+        .command('list')
+        .description('List all users')
+        .action(() => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:read');
+        const registry = new UserRegistry(db, key);
+        const users = registry.list();
+        if (users.length === 0) {
+            console.log('\n  No users registered. Use `aegis user add` to create one.\n');
+        }
+        else {
+            console.log(`\n  Users (${users.length}):\n`);
+            for (const u of users) {
+                console.log(`    ${u.name} [${u.role}] — prefix: ${u.tokenPrefix} — created: ${localTime(u.createdAt)}`);
+            }
+            console.log('');
+        }
+        db.close();
+    });
+    userCmd
+        .command('remove')
+        .description('Remove a user')
+        .requiredOption('-n, --name <name>', 'Username to remove')
+        .option('--confirm', 'Skip confirmation')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:write');
+        const registry = new UserRegistry(db, key);
+        if (!opts.confirm) {
+            console.error(`\n✗ Add --confirm to permanently remove user "${opts.name}"\n`);
+            process.exit(1);
+        }
+        const removed = registry.remove(opts.name);
+        if (removed) {
+            console.log(`\n✓ User "${opts.name}" removed\n`);
+        }
+        else {
+            console.error(`\n✗ No user found with name "${opts.name}"\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    userCmd
+        .command('role')
+        .description("Update a user's role")
+        .requiredOption('-n, --name <name>', 'Username to update')
+        .requiredOption('-r, --role <role>', 'New role: admin, operator, or viewer')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:write');
+        const registry = new UserRegistry(db, key);
+        const validRoles = ['admin', 'operator', 'viewer'];
+        if (!validRoles.includes(opts.role)) {
+            console.error(`\n✗ Invalid role "${opts.role}". Must be one of: ${validRoles.join(', ')}\n`);
+            process.exit(1);
+        }
+        try {
+            const updated = registry.updateRole({
+                name: opts.name,
+                role: opts.role,
+            });
+            console.log(`\n✓ User "${updated.name}" role updated to "${updated.role}"\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    userCmd
+        .command('regenerate-token')
+        .description("Regenerate a user's API key (invalidates the old one)")
+        .requiredOption('-n, --name <name>', 'Username')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:write');
+        const registry = new UserRegistry(db, key);
+        const result = registry.regenerateToken(opts.name);
+        if (!result) {
+            console.error(`\n✗ No user found with name "${opts.name}"\n`);
+            process.exit(1);
+        }
+        console.log(`\n✓ Token regenerated for "${result.name}"\n`);
+        console.log(`  New API Key (shown ONCE — save it now):`);
+        console.log(`  ${result.token}\n`);
+        console.log(`  The previous key is now invalid.\n`);
+        db.close();
+    });
+}
+//# sourceMappingURL=user.js.map

package/dist/cli/commands/user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.js","sourceRoot":"","sources":["../../../src/cli/commands/user.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAE/E,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,WAAW,CAAC,+BAA+B,CAAC,CAAC;IAErF,OAAO;SACJ,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,4BAA4B,CAAC;SACzC,cAAc,CAAC,mBAAmB,EAAE,iBAAiB,CAAC;SACtD,cAAc,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;SACvE,MAAM,CAAC,CAAC,IAAoC,EAAE,EAAE;QAC/C,2BAA2B;QAC3B,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC1C,MAAM,aAAa,GAAG,YAAY,CAChC,IAAI,CAAC,IAAI,EACT,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAU,EACxC,MAAM,CACP,CAAC;QAEF,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC;gBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,aAAa;aACpB,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;QAC9E,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,gBAAgB,CAAC;SAC7B,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAChF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,CAAC,MAAM,MAAM,CAAC,CAAC;YAC9C,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CACT,OAAO,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,eAAe,CAAC,CAAC,WAAW,eAAe,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAC5F,CAAC;YACJ,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,eAAe,CAAC;SAC5B,cAAc,CAAC,mBAAmB,EAAE,oBAAoB,CAAC;SACzD,MAAM,CAAC,WAAW,EAAE,mBAAmB,CAAC;SACxC,MAAM,CAAC,CAAC,IAAyC,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,iDAAiD,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;YAC/E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,IAAI,aAAa,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,gCAAgC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;YAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,sBAAsB,CAAC;SACnC,cAAc,CAAC,mBAAmB,EAAE,oBAAoB,CAAC;SACzD,cAAc,CAAC,mBAAmB,EAAE,sCAAsC,CAAC;SAC3E,MAAM,CAAC,CAAC,IAAoC,EAAE,EAAE;QAC/C,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,MAAM,UAAU,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,KAAK,CACX,qBAAqB,IAAI,CAAC,IAAI,sBAAsB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAC9E,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,IAAI,CAAC,IAAuC;aACnD,CAAC,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,IAAI,sBAAsB,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC;QAChF,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,kBAAkB,CAAC;SAC3B,WAAW,CAAC,uDAAuD,CAAC;SACpE,cAAc,CAAC,mBAAmB,EAAE,UAAU,CAAC;SAC/C,MAAM,CAAC,CAAC,IAAsB,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,gCAAgC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;YAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,8BAA8B,MAAM,CAAC,IAAI,KAAK,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QAEpD,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/vault-manager.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Vault management commands: create, vaults (list), destroy, split, unseal, seal.
+ */
+import type { Command } from 'commander';
+export declare function register(parent: Command): void;
+//# sourceMappingURL=vault-manager.d.ts.map

package/dist/cli/commands/vault-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-manager.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/vault-manager.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAmBzC,wBAAgB,QAAQ,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CA4Q9C"}