@getaegis/cli 0.8.0 → 0.8.1

package/dist/cli/commands/vault-manager.js

@@ -0,0 +1,240 @@
+/**
+ * Vault management commands: create, vaults (list), destroy, split, unseal, seal.
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { combine, decodeShare, deriveKey, encodeShare, SealManager, split, VaultManager, } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime } from '../validation.js';
+function collectShares(value, previous) {
+    return [...previous, value];
+}
+export function register(parent) {
+    // These are subcommands of the 'vault' command, which is already
+    // registered by vault.ts.  We look it up so we can attach to it.
+    const vault = parent.commands.find((c) => c.name() === 'vault');
+    if (!vault)
+        throw new Error('vault command must be registered before vault-manager');
+    vault
+        .command('create')
+        .description('Create a new named vault with its own database and encryption salt')
+        .requiredOption('-n, --name <name>', 'Name for the new vault')
+        .option('--master-key <key>', 'Master key for the vault (if not provided, prompts or uses AEGIS_MASTER_KEY)')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:manage');
+        db.close();
+        const manager = new VaultManager(config.dataDir);
+        try {
+            const { salt } = manager.create(opts.name);
+            console.log(`\n  ✓ Vault "${opts.name}" created\n`);
+            console.log(`  Salt:     ${salt}`);
+            console.log(`  Database: .aegis/vaults/${opts.name}.db\n`);
+            console.log(`  To use this vault:`);
+            console.log(`    AEGIS_VAULT=${opts.name} aegis vault list`);
+            console.log(`    AEGIS_VAULT=${opts.name} aegis gate\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+    });
+    vault
+        .command('vaults')
+        .description('List all named vaults')
+        .action(() => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:read');
+        db.close();
+        const manager = new VaultManager(config.dataDir);
+        const vaults = manager.list();
+        if (vaults.length === 0) {
+            console.log('\n  No vaults found. Create one with: aegis vault create --name <name>\n');
+            return;
+        }
+        console.log(`\n  Aegis Vaults — ${vaults.length} vault(s)\n`);
+        const active = config.vaultName;
+        for (const v of vaults) {
+            const marker = v.name === active ? ' ← active' : '';
+            console.log(`  • ${v.name}${marker}`);
+            console.log(`    Database:   ${v.dbPath}`);
+            console.log(`    Created:    ${localTime(v.createdAt)}`);
+            console.log();
+        }
+    });
+    vault
+        .command('destroy')
+        .description('Permanently delete a named vault and its database')
+        .requiredOption('-n, --name <name>', 'Name of the vault to delete')
+        .option('--confirm', 'Skip confirmation prompt')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:manage');
+        db.close();
+        const manager = new VaultManager(config.dataDir);
+        if (!opts.confirm) {
+            console.log(`\n  ⚠  This will permanently delete vault "${opts.name}" and all its data.`);
+            console.log(`  Run again with --confirm to proceed.\n`);
+            return;
+        }
+        try {
+            manager.remove(opts.name);
+            console.log(`\n  ✓ Vault "${opts.name}" deleted.\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+    });
+    vault
+        .command('split')
+        .description("Split the master key into M-of-N shares using Shamir's Secret Sharing")
+        .requiredOption('-t, --threshold <n>', 'Minimum shares needed to reconstruct (≥ 2)')
+        .requiredOption('-s, --shares <n>', 'Total shares to generate (≥ threshold, ≤ 255)')
+        .option('--remove-env-key', 'Remove AEGIS_MASTER_KEY from .env after splitting', false)
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:manage');
+        db.close();
+        if (!config.masterKey) {
+            console.error('\n✗ AEGIS_MASTER_KEY is required to split. Set it in .env or as an env var.\n');
+            process.exit(1);
+        }
+        const threshold = Number.parseInt(opts.threshold, 10);
+        const totalShares = Number.parseInt(opts.shares, 10);
+        if (Number.isNaN(threshold) || Number.isNaN(totalShares)) {
+            console.error('\n✗ Threshold and shares must be numbers.\n');
+            process.exit(1);
+        }
+        try {
+            const secretBuf = Buffer.from(config.masterKey, 'utf-8');
+            const shares = split(secretBuf, threshold, totalShares);
+            // Store seal config (threshold + key hash for verification)
+            const sealMgr = new SealManager(config.dataDir);
+            sealMgr.enableSplit(threshold, totalShares, config.masterKey);
+            console.log(`\n  ╔══════════════════════════════════════════╗`);
+            console.log(`  ║     Master Key Split — ${threshold}-of-${totalShares} Scheme      ║`);
+            console.log(`  ╚══════════════════════════════════════════╝\n`);
+            console.log(`  ⚠  Store each share with a different key holder.`);
+            console.log(`  ⚠  These shares will NOT be shown again.\n`);
+            for (const share of shares) {
+                console.log(`  Share ${share.index}:  ${encodeShare(share)}`);
+            }
+            console.log(`\n  Threshold: ${threshold} of ${totalShares} shares required to unseal.`);
+            console.log(`  Key hash:  ${crypto.createHash('sha256').update(config.masterKey).digest('hex').slice(0, 16)}...`);
+            // Optionally remove the master key from .env
+            if (opts.removeEnvKey) {
+                const envPath = path.join(process.cwd(), '.env');
+                if (fs.existsSync(envPath)) {
+                    const envContent = fs.readFileSync(envPath, 'utf-8');
+                    const filtered = envContent
+                        .split('\n')
+                        .filter((line) => !line.trim().startsWith('AEGIS_MASTER_KEY'))
+                        .join('\n');
+                    fs.writeFileSync(envPath, filtered, { mode: 0o600 });
+                    console.log(`\n  ✓ Removed AEGIS_MASTER_KEY from .env`);
+                }
+            }
+            else {
+                console.log(`\n  Note: AEGIS_MASTER_KEY is still in .env / environment.`);
+                console.log(`  Use --remove-env-key to remove it after distributing shares.`);
+            }
+            console.log(`\n  To unseal later:`);
+            console.log(`    aegis vault unseal --key-share <share1> --key-share <share2> ...`);
+            console.log(`  To seal (remove reconstructed key):`);
+            console.log(`    aegis vault seal\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+    });
+    vault
+        .command('unseal')
+        .description('Reconstruct the master key from Shamir shares')
+        .option('--key-share <share>', 'Provide a key share (repeat for each share)', collectShares, [])
+        .action((opts) => {
+        const config = getConfig();
+        if (opts.keyShare.length === 0) {
+            console.error('\n✗ Provide at least one share: --key-share <share>\n');
+            console.error('  Example:');
+            console.error('    aegis vault unseal --key-share aegis_share_01_... --key-share aegis_share_02_...\n');
+            process.exit(1);
+        }
+        const sealMgr = new SealManager(config.dataDir);
+        const sealConfig = sealMgr.getSealConfig();
+        if (!sealConfig) {
+            console.error('\n✗ Key splitting is not configured. Run `aegis vault split` first.\n');
+            process.exit(1);
+        }
+        if (opts.keyShare.length < sealConfig.threshold) {
+            console.error(`\n✗ Not enough shares. Provided ${opts.keyShare.length}, need ${sealConfig.threshold}.\n`);
+            process.exit(1);
+        }
+        try {
+            // Decode all shares
+            const shares = opts.keyShare.map((s) => decodeShare(s));
+            // Reconstruct the master key
+            const reconstructed = combine(shares);
+            const masterKey = reconstructed.toString('utf-8');
+            // Verify against stored hash
+            if (!sealMgr.verifyKey(masterKey)) {
+                console.error('\n✗ Key verification failed. The provided shares do not reconstruct the correct master key.\n');
+                console.error('  Possible causes:');
+                console.error('  • Wrong shares provided');
+                console.error(`  • Not enough valid shares (need at least ${sealConfig.threshold})`);
+                console.error('  • Shares from different split operations\n');
+                process.exit(1);
+            }
+            // Write the unseal key
+            sealMgr.writeUnsealKey(masterKey);
+            console.log(`\n  ✓ Vault unsealed successfully.\n`);
+            console.log(`  Master key reconstructed and stored in .aegis/.unseal-key (mode 0600).`);
+            console.log(`  All Aegis commands will use the reconstructed key.\n`);
+            console.log(`  To seal the vault again: aegis vault seal\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+    });
+    vault
+        .command('seal')
+        .description('Seal the vault — securely remove the reconstructed master key')
+        .action(() => {
+        const config = getConfig();
+        const sealMgr = new SealManager(config.dataDir);
+        if (!sealMgr.isSplitEnabled()) {
+            console.error('\n✗ Key splitting is not configured. Nothing to seal.\n');
+            process.exit(1);
+        }
+        if (!sealMgr.isUnsealed()) {
+            console.log('\n  Vault is already sealed.\n');
+            return;
+        }
+        sealMgr.seal();
+        console.log(`\n  ✓ Vault sealed.\n`);
+        console.log(`  The reconstructed master key has been securely removed.`);
+        console.log(`  To unseal: aegis vault unseal --key-share <share1> --key-share <share2> ...\n`);
+    });
+}
+//# sourceMappingURL=vault-manager.js.map

package/dist/cli/commands/vault-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-manager.js","sourceRoot":"","sources":["../../../src/cli/commands/vault-manager.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EACL,OAAO,EACP,WAAW,EACX,SAAS,EACT,WAAW,EACX,WAAW,EACX,KAAK,EACL,YAAY,GACb,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAE7C,SAAS,aAAa,CAAC,KAAa,EAAE,QAAkB;IACtD,OAAO,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,MAAe;IACtC,iEAAiE;IACjE,iEAAiE;IACjE,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,CAAC,CAAC;IAChE,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAErF,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,oEAAoE,CAAC;SACjF,cAAc,CAAC,mBAAmB,EAAE,wBAAwB,CAAC;SAC7D,MAAM,CACL,oBAAoB,EACpB,8EAA8E,CAC/E;SACA,MAAM,CAAC,CAAC,IAA0C,EAAE,EAAE;QACrD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QACzC,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE3C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,IAAI,aAAa,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,6BAA6B,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,mBAAmB,CAAC,CAAC;YAC7D,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,eAAe,CAAC,CAAC;QAC3D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,uBAAuB,CAAC;SACpC,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAE9B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,MAAM,aAAa,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC;QAChC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,MAAM,EAAE,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,mBAAmB,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,SAAS,CAAC;SAClB,WAAW,CAAC,mDAAmD,CAAC;SAChE,cAAc,CAAC,mBAAmB,EAAE,6BAA6B,CAAC;SAClE,MAAM,CAAC,WAAW,EAAE,0BAA0B,CAAC;SAC/C,MAAM,CAAC,CAAC,IAAyC,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QACzC,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,8CAA8C,IAAI,CAAC,IAAI,qBAAqB,CAAC,CAAC;YAC1F,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,IAAI,cAAc,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,uEAAuE,CAAC;SACpF,cAAc,CAAC,qBAAqB,EAAE,4CAA4C,CAAC;SACnF,cAAc,CAAC,kBAAkB,EAAE,+CAA+C,CAAC;SACnF,MAAM,CAAC,kBAAkB,EAAE,mDAAmD,EAAE,KAAK,CAAC;SACtF,MAAM,CAAC,CAAC,IAAkE,EAAE,EAAE;QAC7E,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QACzC,EAAE,CAAC,KAAK,EAAE,CAAC;QAEX,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CACX,+EAA+E,CAChF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACtD,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAErD,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;YACzD,OAAO,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;YAC7D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACzD,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;YAExD,4DAA4D;YAC5D,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO,CAAC,WAAW,CAAC,SAAS,EAAE,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YAE9D,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,8BAA8B,SAAS,OAAO,WAAW,gBAAgB,CAAC,CAAC;YACvF,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;YAClE,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;YAE5D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,CAAC,KAAK,MAAM,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAChE,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,OAAO,WAAW,6BAA6B,CAAC,CAAC;YACxF,OAAO,CAAC,GAAG,CACT,gBAAgB,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CACrG,CAAC;YAEF,6CAA6C;YAC7C,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;gBACjD,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3B,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;oBACrD,MAAM,QAAQ,GAAG,UAAU;yBACxB,KAAK,CAAC,IAAI,CAAC;yBACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;yBAC7D,IAAI,CAAC,IAAI,CAAC,CAAC;oBACd,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;oBACrD,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;gBAC1E,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;YAChF,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;YACpF,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,+CAA+C,CAAC;SAC5D,MAAM,CAAC,qBAAqB,EAAE,6CAA6C,EAAE,aAAa,EAAE,EAAE,CAAC;SAC/F,MAAM,CAAC,CAAC,IAA4B,EAAE,EAAE;QACvC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAE3B,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;YACvE,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC5B,OAAO,CAAC,KAAK,CACX,wFAAwF,CACzF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;QAE3C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,uEAAuE,CAAC,CAAC;YACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;YAChD,OAAO,CAAC,KAAK,CACX,mCAAmC,IAAI,CAAC,QAAQ,CAAC,MAAM,UAAU,UAAU,CAAC,SAAS,KAAK,CAC3F,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC;YACH,oBAAoB;YACpB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;YAExD,6BAA6B;YAC7B,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YACtC,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAElD,6BAA6B;YAC7B,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClC,OAAO,CAAC,KAAK,CACX,+FAA+F,CAChG,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;gBACpC,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;gBAC3C,OAAO,CAAC,KAAK,CAAC,8CAA8C,UAAU,CAAC,SAAS,GAAG,CAAC,CAAC;gBACrF,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;gBAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,uBAAuB;YACvB,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;YAElC,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;YACxF,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;YACtE,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,+DAA+D,CAAC;SAC5E,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEhD,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,IAAI,EAAE,CAAC;QAEf,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QACzE,OAAO,CAAC,GAAG,CACT,iFAAiF,CAClF,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/vault.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Vault CRUD commands: add, list, remove, rotate, update.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=vault.d.ts.map

package/dist/cli/commands/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/vault.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAmBzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAuR/C"}

package/dist/cli/commands/vault.js

@@ -0,0 +1,241 @@
+/**
+ * Vault CRUD commands: add, list, remove, rotate, update.
+ */
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { deriveKey, Vault } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime, VALID_AUTH_TYPES, VALID_BODY_INSPECTION_MODES, validateDomains, validateEnum, validateIdentifier, validateNonNegativeFloat, validatePositiveInt, validateRateLimit, } from '../validation.js';
+export function register(program) {
+    const vault = program.command('vault').description('Manage stored credentials');
+    vault
+        .command('add')
+        .description('Add a new credential to the vault')
+        .requiredOption('-n, --name <name>', 'Unique name for this credential')
+        .requiredOption('-s, --service <service>', 'Service identifier (used in proxy URL path)')
+        .requiredOption('--secret <secret>', 'The API key or token')
+        .requiredOption('-d, --domains <domains>', 'Comma-separated allowed domains (e.g. api.slack.com,*.slack.com)')
+        .option('-a, --auth-type <type>', 'Auth injection type: bearer, header, basic, query', 'bearer')
+        .option('--header-name <name>', 'Custom header name (for auth-type: header)')
+        .option('--scopes <scopes>', 'Comma-separated scopes: read, write, *', '*')
+        .option('--ttl <days>', 'Credential expires after this many days')
+        .option('--rate-limit <limit>', 'Rate limit: e.g. 100/min, 1000/hour, 10/sec')
+        .option('--body-inspection <mode>', 'Body inspection mode: off, warn, block', 'block')
+        .action((opts) => {
+        // ── Input validation ──
+        validateIdentifier(opts.name, 'credential name');
+        validateIdentifier(opts.service, 'service');
+        const authType = validateEnum(opts.authType, VALID_AUTH_TYPES, 'auth type');
+        const bodyInspection = validateEnum(opts.bodyInspection, VALID_BODY_INSPECTION_MODES, 'body inspection mode');
+        const domains = validateDomains(opts.domains);
+        const ttlDays = opts.ttl ? parseInt(opts.ttl, 10) : undefined;
+        if (ttlDays !== undefined)
+            validatePositiveInt(ttlDays, 'TTL (days)');
+        if (opts.rateLimit)
+            validateRateLimit(opts.rateLimit);
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:write');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        try {
+            const cred = vaultInstance.add({
+                name: opts.name,
+                service: opts.service,
+                secret: opts.secret,
+                authType,
+                headerName: opts.headerName,
+                domains,
+                scopes: opts.scopes.split(',').map((s) => s.trim()),
+                ttlDays,
+                rateLimit: opts.rateLimit,
+                bodyInspection,
+            });
+            console.log(`\n✓ Credential added to Aegis Vault\n`);
+            console.log(`  Name:    ${cred.name}`);
+            console.log(`  Service: ${cred.service}`);
+            console.log(`  Auth:    ${cred.authType}`);
+            console.log(`  Domains: ${cred.domains.join(', ')}`);
+            console.log(`  Scopes:  ${cred.scopes.join(', ')}`);
+            if (cred.expiresAt) {
+                console.log(`  Expires: ${localTime(cred.expiresAt)}`);
+            }
+            if (cred.rateLimit) {
+                console.log(`  Rate:    ${cred.rateLimit}`);
+            }
+            console.log(`  Body:    ${cred.bodyInspection}`);
+            console.log(`\n  Your agent can now use: http://localhost:${config.port}/${cred.service}/...\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            if (message.includes('UNIQUE')) {
+                console.error(`\n✗ A credential named "${opts.name}" already exists. Remove it first with: aegis vault remove --name ${opts.name}\n`);
+            }
+            else {
+                console.error(`\n✗ Error: ${message}\n`);
+            }
+            process.exit(1);
+        }
+        finally {
+            db.close();
+        }
+    });
+    vault
+        .command('list')
+        .description('List all stored credentials (secrets are never shown)')
+        .action(() => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:read');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        const creds = vaultInstance.list();
+        if (creds.length === 0) {
+            console.log('\n  No credentials stored. Add one with: aegis vault add\n');
+            db.close();
+            return;
+        }
+        console.log(`\n  Aegis Vault — ${creds.length} credential(s)\n`);
+        for (const cred of creds) {
+            console.log(`  ┌ ${cred.name} (${cred.service})`);
+            console.log(`  │ Auth:    ${cred.authType}`);
+            console.log(`  │ Domains: ${cred.domains.join(', ')}`);
+            console.log(`  │ Scopes:  ${cred.scopes.join(', ')}`);
+            if (cred.rateLimit) {
+                console.log(`  │ Rate:    ${cred.rateLimit}`);
+            }
+            if (cred.expiresAt) {
+                console.log(`  │ Expires: ${localTime(cred.expiresAt)}`);
+            }
+            console.log(`  │ Added:   ${localTime(cred.createdAt)}`);
+            console.log(`  └`);
+        }
+        console.log();
+        db.close();
+    });
+    vault
+        .command('remove')
+        .description('Remove a credential from the vault')
+        .requiredOption('-n, --name <name>', 'Name of the credential to remove')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:write');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        const removed = vaultInstance.remove(opts.name);
+        if (removed) {
+            console.log(`\n✓ Credential "${opts.name}" removed from vault.\n`);
+        }
+        else {
+            console.error(`\n✗ No credential found with name "${opts.name}".\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    vault
+        .command('rotate')
+        .description("Rotate a credential's secret (old secret saved to history)")
+        .requiredOption('-n, --name <name>', 'Name of the credential to rotate')
+        .requiredOption('--secret <secret>', 'The new API key or token')
+        .option('--grace-period <hours>', 'Keep old secret valid for this many hours (for zero-downtime rotation)')
+        .action((opts) => {
+        const gracePeriodHours = opts.gracePeriod ? parseFloat(opts.gracePeriod) : undefined;
+        if (gracePeriodHours !== undefined)
+            validateNonNegativeFloat(gracePeriodHours, 'grace period (hours)');
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:write');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        try {
+            const cred = vaultInstance.rotate({
+                name: opts.name,
+                newSecret: opts.secret,
+                gracePeriodHours,
+            });
+            console.log(`\n✓ Credential "${cred.name}" rotated successfully\n`);
+            console.log(`  Old secret saved to history`);
+            if (gracePeriodHours) {
+                console.log(`  Grace period: ${gracePeriodHours} hour(s)`);
+            }
+            console.log();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+        finally {
+            db.close();
+        }
+    });
+    vault
+        .command('update')
+        .description("Update a credential's metadata without re-entering the secret")
+        .requiredOption('-n, --name <name>', 'Name of the credential to update')
+        .option('-d, --domains <domains>', 'New comma-separated allowed domains')
+        .option('--scopes <scopes>', 'New comma-separated scopes')
+        .option('-a, --auth-type <type>', 'New auth injection type: bearer, header, basic, query')
+        .option('--header-name <name>', 'New custom header name (for auth-type: header)')
+        .option('--rate-limit <limit>', "New rate limit: e.g. 100/min, 1000/hour (use 'none' to remove)")
+        .option('--body-inspection <mode>', 'Body inspection mode: off, warn, block')
+        .action((opts) => {
+        // ── Input validation ──
+        if (opts.authType)
+            validateEnum(opts.authType, VALID_AUTH_TYPES, 'auth type');
+        if (opts.bodyInspection)
+            validateEnum(opts.bodyInspection, VALID_BODY_INSPECTION_MODES, 'body inspection mode');
+        const domains = opts.domains ? validateDomains(opts.domains) : undefined;
+        if (opts.rateLimit && opts.rateLimit.toLowerCase() !== 'none')
+            validateRateLimit(opts.rateLimit);
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:write');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        try {
+            // "none" means remove the rate limit
+            const rateLimit = opts.rateLimit !== undefined
+                ? opts.rateLimit.toLowerCase() === 'none'
+                    ? null
+                    : opts.rateLimit
+                : undefined;
+            const cred = vaultInstance.update({
+                name: opts.name,
+                domains,
+                scopes: opts.scopes?.split(',').map((s) => s.trim()),
+                authType: opts.authType,
+                headerName: opts.headerName,
+                rateLimit,
+                bodyInspection: opts.bodyInspection,
+            });
+            console.log(`\n✓ Credential "${cred.name}" updated\n`);
+            console.log(`  Domains: ${cred.domains.join(', ')}`);
+            console.log(`  Scopes:  ${cred.scopes.join(', ')}`);
+            console.log(`  Auth:    ${cred.authType}`);
+            if (cred.headerName) {
+                console.log(`  Header:  ${cred.headerName}`);
+            }
+            if (cred.rateLimit) {
+                console.log(`  Rate:    ${cred.rateLimit}`);
+            }
+            console.log(`  Body:    ${cred.bodyInspection}`);
+            console.log();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+        finally {
+            db.close();
+        }
+    });
+}
+//# sourceMappingURL=vault.js.map

package/dist/cli/commands/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../src/cli/commands/vault.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG3D,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EACL,SAAS,EACT,gBAAgB,EAChB,2BAA2B,EAC3B,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,wBAAwB,EACxB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAE1B,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,2BAA2B,CAAC,CAAC;IAEhF,KAAK;SACF,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,mCAAmC,CAAC;SAChD,cAAc,CAAC,mBAAmB,EAAE,iCAAiC,CAAC;SACtE,cAAc,CAAC,yBAAyB,EAAE,6CAA6C,CAAC;SACxF,cAAc,CAAC,mBAAmB,EAAE,sBAAsB,CAAC;SAC3D,cAAc,CACb,yBAAyB,EACzB,kEAAkE,CACnE;SACA,MAAM,CAAC,wBAAwB,EAAE,mDAAmD,EAAE,QAAQ,CAAC;SAC/F,MAAM,CAAC,sBAAsB,EAAE,4CAA4C,CAAC;SAC5E,MAAM,CAAC,mBAAmB,EAAE,wCAAwC,EAAE,GAAG,CAAC;SAC1E,MAAM,CAAC,cAAc,EAAE,yCAAyC,CAAC;SACjE,MAAM,CAAC,sBAAsB,EAAE,6CAA6C,CAAC;SAC7E,MAAM,CAAC,0BAA0B,EAAE,wCAAwC,EAAE,OAAO,CAAC;SACrF,MAAM,CACL,CAAC,IAWA,EAAE,EAAE;QACH,yBAAyB;QACzB,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;QACjD,kBAAkB,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,YAAY,CACjC,IAAI,CAAC,cAAc,EACnB,2BAA2B,EAC3B,sBAAsB,CACvB,CAAC;QACF,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9D,IAAI,OAAO,KAAK,SAAS;YAAE,mBAAmB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACtE,IAAI,IAAI,CAAC,SAAS;YAAE,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAEtD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC;gBAC7B,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ;gBACR,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,OAAO;gBACP,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACnD,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,cAAc;aACf,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,cAAc,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACzD,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YAC9C,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CACT,gDAAgD,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,QAAQ,CACpF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,KAAK,CACX,2BAA2B,IAAI,CAAC,IAAI,qEAAqE,IAAI,CAAC,IAAI,IAAI,CACvH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,cAAc,OAAO,IAAI,CAAC,CAAC;YAC3C,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;IACH,CAAC,CACF,CAAC;IAEJ,KAAK;SACF,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,uDAAuD,CAAC;SACpE,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;YAC1E,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,CAAC,MAAM,kBAAkB,CAAC,CAAC;QACjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACtD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YAChD,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,gBAAgB,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,gBAAgB,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,oCAAoC,CAAC;SACjD,cAAc,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;SACvE,MAAM,CAAC,CAAC,IAAsB,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,yBAAyB,CAAC,CAAC;QACrE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,sCAAsC,IAAI,CAAC,IAAI,MAAM,CAAC,CAAC;YACrE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,4DAA4D,CAAC;SACzE,cAAc,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;SACvE,cAAc,CAAC,mBAAmB,EAAE,0BAA0B,CAAC;SAC/D,MAAM,CACL,wBAAwB,EACxB,wEAAwE,CACzE;SACA,MAAM,CAAC,CAAC,IAA4D,EAAE,EAAE;QACvE,MAAM,gBAAgB,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACrF,IAAI,gBAAgB,KAAK,SAAS;YAChC,wBAAwB,CAAC,gBAAgB,EAAE,sBAAsB,CAAC,CAAC;QAErE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,SAAS,EAAE,IAAI,CAAC,MAAM;gBACtB,gBAAgB;aACjB,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,0BAA0B,CAAC,CAAC;YACpE,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YAC7C,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO,CAAC,GAAG,CAAC,mBAAmB,gBAAgB,UAAU,CAAC,CAAC;YAC7D,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,+DAA+D,CAAC;SAC5E,cAAc,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;SACvE,MAAM,CAAC,yBAAyB,EAAE,qCAAqC,CAAC;SACxE,MAAM,CAAC,mBAAmB,EAAE,4BAA4B,CAAC;SACzD,MAAM,CAAC,wBAAwB,EAAE,uDAAuD,CAAC;SACzF,MAAM,CAAC,sBAAsB,EAAE,gDAAgD,CAAC;SAChF,MAAM,CACL,sBAAsB,EACtB,gEAAgE,CACjE;SACA,MAAM,CAAC,0BAA0B,EAAE,wCAAwC,CAAC;SAC5E,MAAM,CACL,CAAC,IAQA,EAAE,EAAE;QACH,yBAAyB;QACzB,IAAI,IAAI,CAAC,QAAQ;YAAE,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAC9E,IAAI,IAAI,CAAC,cAAc;YACrB,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,2BAA2B,EAAE,sBAAsB,CAAC,CAAC;QACzF,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACzE,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,MAAM;YAC3D,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAEpC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,IAAI,CAAC;YACH,qCAAqC;YACrC,MAAM,SAAS,GACb,IAAI,CAAC,SAAS,KAAK,SAAS;gBAC1B,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,MAAM;oBACvC,CAAC,CAAC,IAAI;oBACN,CAAC,CAAC,IAAI,CAAC,SAAS;gBAClB,CAAC,CAAC,SAAS,CAAC;YAEhB,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO;gBACP,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACpD,QAAQ,EAAE,IAAI,CAAC,QAAgC;gBAC/C,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,SAAS;gBACT,cAAc,EAAE,IAAI,CAAC,cAAgD;aACtE,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,aAAa,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC3C,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YAC9C,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;IACH,CAAC,CACF,CAAC;AACN,CAAC"}

package/dist/cli/commands/webhook.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Webhook commands: add, list, remove, test, check-expiry.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=webhook.d.ts.map

package/dist/cli/commands/webhook.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/webhook.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA2K/C"}