@getaegis/cli 0.8.0 → 0.8.1

package/dist/cli/commands/webhook.js

@@ -0,0 +1,151 @@
+/**
+ * Webhook commands: add, list, remove, test, check-expiry.
+ */
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { deriveKey, Vault } from '../../vault/index.js';
+import { WEBHOOK_EVENT_TYPES, WebhookManager } from '../../webhook/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime } from '../validation.js';
+export function register(program) {
+    const webhookCmd = program.command('webhook').description('Manage webhook alert endpoints');
+    webhookCmd
+        .command('add')
+        .description('Register a webhook endpoint for event notifications')
+        .requiredOption('-u, --url <url>', 'Webhook endpoint URL (http or https)')
+        .requiredOption('-e, --events <events>', 'Comma-separated event types: blocked_request, credential_expiry, rate_limit_exceeded, agent_auth_failure, body_inspection')
+        .option('-l, --label <label>', 'Human-readable label for this webhook')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:write');
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const events = opts.events.split(',').map((e) => e.trim());
+        for (const event of events) {
+            if (!WEBHOOK_EVENT_TYPES.includes(event)) {
+                console.error(`\n  ✗ Invalid event type: ${event}\n  Valid types: ${WEBHOOK_EVENT_TYPES.join(', ')}\n`);
+                process.exit(1);
+            }
+        }
+        try {
+            const webhook = webhookManager.add({
+                url: opts.url,
+                events: events,
+                label: opts.label,
+            });
+            console.log(`\n  ✔ Webhook registered`);
+            console.log(`    ID:     ${webhook.id}`);
+            console.log(`    URL:    ${webhook.url}`);
+            console.log(`    Events: ${webhook.events.join(', ')}`);
+            if (webhook.label)
+                console.log(`    Label:  ${webhook.label}`);
+            console.log(`    Secret: ${webhook.secret}`);
+            console.log(`\n  Use the secret to verify payload signatures (X-Aegis-Signature header).\n`);
+        }
+        catch (err) {
+            console.error(`\n  ✗ ${err instanceof Error ? err.message : String(err)}\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    webhookCmd
+        .command('list')
+        .description('List all registered webhooks')
+        .action(() => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:read');
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const webhooks = webhookManager.list();
+        if (webhooks.length === 0) {
+            console.log('\n  No webhooks registered. Add one with: aegis webhook add --url https://example.com/hook --events blocked_request\n');
+        }
+        else {
+            console.log(`\n  Aegis Webhooks — ${webhooks.length} registered\n`);
+            for (const w of webhooks) {
+                console.log(`    ${w.label ?? w.id}`);
+                console.log(`      URL:    ${w.url}`);
+                console.log(`      Events: ${w.events.join(', ')}`);
+                console.log(`      Added:  ${localTime(w.createdAt)}`);
+                console.log();
+            }
+        }
+        db.close();
+    });
+    webhookCmd
+        .command('remove')
+        .description('Remove a webhook by ID')
+        .requiredOption('--id <id>', 'Webhook ID to remove')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:write');
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        if (webhookManager.remove(opts.id)) {
+            console.log(`\n  ✔ Webhook removed: ${opts.id}\n`);
+        }
+        else {
+            console.error(`\n  ✗ Webhook not found: ${opts.id}\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    webhookCmd
+        .command('test')
+        .description('Send a test event to a webhook')
+        .requiredOption('--id <id>', 'Webhook ID to test')
+        .action(async (opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:read');
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const webhook = webhookManager.getById(opts.id);
+        if (!webhook) {
+            console.error(`\n  ✗ Webhook not found: ${opts.id}\n`);
+            db.close();
+            process.exit(1);
+        }
+        console.log(`\n  Sending test event to ${webhook.url}...`);
+        webhookManager.emit('blocked_request', {
+            test: true,
+            service: 'test-service',
+            reason: 'test_event',
+            message: 'This is a test webhook delivery from Aegis',
+        });
+        // Give it a moment to deliver
+        await new Promise((resolve) => setTimeout(resolve, 3000));
+        console.log(`  ✔ Test event sent\n`);
+        db.close();
+    });
+    webhookCmd
+        .command('check-expiry')
+        .description('Check for credentials approaching expiry and emit webhook alerts')
+        .option('--threshold <days>', 'Alert threshold in days (default: 7)', '7')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:read');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const thresholdDays = Number.parseInt(opts.threshold, 10) || 7;
+        const alertCount = webhookManager.checkExpiringCredentials(vaultInstance, thresholdDays);
+        if (alertCount === 0) {
+            console.log(`\n  ✔ No credentials expiring within ${thresholdDays} days\n`);
+        }
+        else {
+            console.log(`\n  ⚠ ${alertCount} credential(s) expiring within ${thresholdDays} days — webhook alerts sent\n`);
+        }
+        db.close();
+    });
+}
+//# sourceMappingURL=webhook.js.map

package/dist/cli/commands/webhook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../../src/cli/commands/webhook.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7E,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAE7C,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,gCAAgC,CAAC,CAAC;IAE5F,UAAU;SACP,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,qDAAqD,CAAC;SAClE,cAAc,CAAC,iBAAiB,EAAE,sCAAsC,CAAC;SACzE,cAAc,CACb,uBAAuB,EACvB,2HAA2H,CAC5H;SACA,MAAM,CAAC,qBAAqB,EAAE,uCAAuC,CAAC;SACtE,MAAM,CAAC,CAAC,IAAqD,EAAE,EAAE;QAChE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAE1C,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,KAA6C,CAAC,EAAE,CAAC;gBACjF,OAAO,CAAC,KAAK,CACX,6BAA6B,KAAK,oBAAoB,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CACzF,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC;gBACjC,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,MAAgD;gBACxD,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACxD,IAAI,OAAO,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;YAC/D,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CACT,+EAA+E,CAChF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,UAAU;SACP,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,8BAA8B,CAAC;SAC3C,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QAEzC,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC7E,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC;QAEvC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CACT,uHAAuH,CACxH,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,wBAAwB,QAAQ,CAAC,MAAM,eAAe,CAAC,CAAC;YACpE,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACpD,OAAO,CAAC,GAAG,CAAC,iBAAiB,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBACvD,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,CAAC;QACH,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,UAAU;SACP,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,wBAAwB,CAAC;SACrC,cAAc,CAAC,WAAW,EAAE,sBAAsB,CAAC;SACnD,MAAM,CAAC,CAAC,IAAoB,EAAE,EAAE;QAC/B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAE1C,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,IAAI,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,UAAU;SACP,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,gCAAgC,CAAC;SAC7C,cAAc,CAAC,WAAW,EAAE,oBAAoB,CAAC;SACjD,MAAM,CAAC,KAAK,EAAE,IAAoB,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QAEzC,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;YACvD,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,6BAA6B,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;QAC3D,cAAc,CAAC,IAAI,CAAC,iBAAiB,EAAE;YACrC,IAAI,EAAE,IAAI;YACV,OAAO,EAAE,cAAc;YACvB,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,4CAA4C;SACtD,CAAC,CAAC;QAEH,8BAA8B;QAC9B,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAErC,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,UAAU;SACP,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,kEAAkE,CAAC;SAC/E,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,EAAE,GAAG,CAAC;SACzE,MAAM,CAAC,CAAC,IAA2B,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QAEzC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QAC/D,MAAM,UAAU,GAAG,cAAc,CAAC,wBAAwB,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QAEzF,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,wCAAwC,aAAa,SAAS,CAAC,CAAC;QAC9E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CACT,SAAS,UAAU,kCAAkC,aAAa,+BAA+B,CAClG,CAAC;QACJ,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/helpers.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Shared CLI helper utilities.
+ */
+/**
+ * Generate a self-signed TLS certificate using openssl.
+ * Creates certs/aegis.key and certs/aegis.crt in the given base directory.
+ *
+ * The certificate is valid for 365 days, issued to CN=localhost with
+ * SubjectAltNames for localhost and 127.0.0.1.
+ */
+export declare function generateSelfSignedCert(baseDir: string): void;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/cli/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/cli/helpers.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAqD5D"}

package/dist/cli/helpers.js

@@ -0,0 +1,61 @@
+/**
+ * Shared CLI helper utilities.
+ */
+import { execSync } from 'node:child_process';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+/**
+ * Generate a self-signed TLS certificate using openssl.
+ * Creates certs/aegis.key and certs/aegis.crt in the given base directory.
+ *
+ * The certificate is valid for 365 days, issued to CN=localhost with
+ * SubjectAltNames for localhost and 127.0.0.1.
+ */
+export function generateSelfSignedCert(baseDir) {
+    const certsDir = path.join(baseDir, 'certs');
+    if (!fs.existsSync(certsDir)) {
+        fs.mkdirSync(certsDir, { recursive: true });
+    }
+    const keyPath = path.join(certsDir, 'aegis.key');
+    const certPath = path.join(certsDir, 'aegis.crt');
+    if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
+        console.log(`\n  TLS certificate already exists at ${certsDir}/`);
+        console.log(`    ${keyPath}`);
+        console.log(`    ${certPath}\n`);
+        return;
+    }
+    try {
+        // Check openssl is available
+        execSync('openssl version', { stdio: 'pipe' });
+    }
+    catch {
+        console.error('\n  ✗ openssl not found. Install OpenSSL to generate self-signed certificates.\n');
+        return;
+    }
+    try {
+        // Generate RSA private key (2048 bits)
+        execSync(`openssl genrsa -out "${keyPath}" 2048`, { stdio: 'pipe' });
+        fs.chmodSync(keyPath, 0o600);
+        // Generate self-signed certificate with SAN for localhost
+        const opensslCmd = [
+            'openssl req -new -x509',
+            `-key "${keyPath}"`,
+            `-out "${certPath}"`,
+            '-days 365',
+            '-subj "/CN=localhost/O=Aegis Local Dev"',
+            '-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"',
+        ].join(' ');
+        execSync(opensslCmd, { stdio: 'pipe' });
+        console.log(`\n  🔒 Self-signed TLS certificate generated:`);
+        console.log(`    Key:  ${keyPath}`);
+        console.log(`    Cert: ${certPath}`);
+        console.log(`    Valid for 365 days (localhost + 127.0.0.1)\n`);
+        console.log(`    Start Gate with TLS: aegis gate --tls`);
+        console.log(`    Or specify paths:    aegis gate --tls --cert ${certPath} --key ${keyPath}\n`);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`\n  ✗ Failed to generate certificate: ${message}\n`);
+    }
+}
+//# sourceMappingURL=helpers.js.map

package/dist/cli/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/cli/helpers.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAElD,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,yCAAyC,QAAQ,GAAG,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,OAAO,OAAO,EAAE,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,OAAO,QAAQ,IAAI,CAAC,CAAC;QACjC,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,6BAA6B;QAC7B,QAAQ,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,KAAK,CACX,kFAAkF,CACnF,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,uCAAuC;QACvC,QAAQ,CAAC,wBAAwB,OAAO,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACrE,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAE7B,0DAA0D;QAC1D,MAAM,UAAU,GAAG;YACjB,wBAAwB;YACxB,SAAS,OAAO,GAAG;YACnB,SAAS,QAAQ,GAAG;YACpB,WAAW;YACX,yCAAyC;YACzC,qDAAqD;SACtD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,QAAQ,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAExC,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,oDAAoD,QAAQ,UAAU,OAAO,IAAI,CAAC,CAAC;IACjG,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,yCAAyC,OAAO,IAAI,CAAC,CAAC;IACtE,CAAC;AACH,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * CLI module barrel — re-exports all command registration functions.
+ */
+export { register as registerAgent } from './commands/agent.js';
+export { register as registerConfig } from './commands/config.js';
+export { register as registerDashboard } from './commands/dashboard.js';
+export { register as registerDoctor } from './commands/doctor.js';
+export { register as registerGate } from './commands/gate.js';
+export { register as registerInit } from './commands/init.js';
+export { register as registerLedger } from './commands/ledger.js';
+export { register as registerMcp } from './commands/mcp.js';
+export { register as registerPolicy } from './commands/policy.js';
+export { register as registerUser } from './commands/user.js';
+export { register as registerVault } from './commands/vault.js';
+export { register as registerVaultManager } from './commands/vault-manager.js';
+export { register as registerWebhook } from './commands/webhook.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,QAAQ,IAAI,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAC/E,OAAO,EAAE,QAAQ,IAAI,eAAe,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/cli/index.js

@@ -0,0 +1,17 @@
+/**
+ * CLI module barrel — re-exports all command registration functions.
+ */
+export { register as registerAgent } from './commands/agent.js';
+export { register as registerConfig } from './commands/config.js';
+export { register as registerDashboard } from './commands/dashboard.js';
+export { register as registerDoctor } from './commands/doctor.js';
+export { register as registerGate } from './commands/gate.js';
+export { register as registerInit } from './commands/init.js';
+export { register as registerLedger } from './commands/ledger.js';
+export { register as registerMcp } from './commands/mcp.js';
+export { register as registerPolicy } from './commands/policy.js';
+export { register as registerUser } from './commands/user.js';
+export { register as registerVault } from './commands/vault.js';
+export { register as registerVaultManager } from './commands/vault-manager.js';
+export { register as registerWebhook } from './commands/webhook.js';
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,QAAQ,IAAI,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAC/E,OAAO,EAAE,QAAQ,IAAI,eAAe,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/cli/validation.d.ts

@@ -0,0 +1,37 @@
+/**
+ * CLI input validation helpers.
+ *
+ * Pure functions that validate user-provided CLI flags and exit with a
+ * descriptive error when the input is invalid.  Extracted from cli.ts so
+ * they can be unit-tested independently.
+ */
+export declare const IDENTIFIER_RE: RegExp;
+export declare const VALID_AUTH_TYPES: readonly ["bearer", "header", "basic", "query"];
+export declare const VALID_BODY_INSPECTION_MODES: readonly ["off", "warn", "block"];
+export declare const VALID_POLICY_MODES: readonly ["enforce", "dry-run", "off"];
+export declare const VALID_LOG_LEVELS: readonly ["debug", "info", "warn", "error"];
+export declare const VALID_MCP_TRANSPORTS: readonly ["stdio", "streamable-http"];
+/** Validate an identifier (name, service, etc.) used as a DB key or URL path segment. */
+export declare function validateIdentifier(value: string, fieldName: string): void;
+/** Validate a value is one of the allowed enum values. */
+export declare function validateEnum<T extends string>(value: string, allowed: readonly T[], fieldName: string): T;
+/** Validate a port number (1–65535). */
+export declare function validatePort(value: number, fieldName: string): void;
+/** Validate a positive integer. */
+export declare function validatePositiveInt(value: number, fieldName: string): void;
+/** Validate a non-negative float. */
+export declare function validateNonNegativeFloat(value: number, fieldName: string): void;
+/** Validate a rate limit string (e.g. 100/min) early, before storing. */
+export declare function validateRateLimit(value: string): void;
+/** Validate a comma-separated domain list. */
+export declare function validateDomains(raw: string): string[];
+/** Validate an ISO date string. */
+export declare function validateIsoDate(value: string, fieldName: string): void;
+/**
+ * Convert a UTC timestamp from SQLite (e.g. "2026-03-09 00:31:38") to
+ * the user's local time string.  SQLite's datetime('now') stores UTC but
+ * omits the 'Z' suffix, so we append it before parsing so JavaScript's
+ * Date constructor treats it as UTC rather than local.
+ */
+export declare function localTime(utcTimestamp: string): string;
+//# sourceMappingURL=validation.d.ts.map

package/dist/cli/validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/cli/validation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,eAAO,MAAM,aAAa,QAAqB,CAAC;AAEhD,eAAO,MAAM,gBAAgB,iDAAkD,CAAC;AAChF,eAAO,MAAM,2BAA2B,mCAAoC,CAAC;AAC7E,eAAO,MAAM,kBAAkB,wCAAyC,CAAC;AACzE,eAAO,MAAM,gBAAgB,6CAA8C,CAAC;AAC5E,eAAO,MAAM,oBAAoB,uCAAwC,CAAC;AAI1E,yFAAyF;AACzF,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAOzE;AAED,0DAA0D;AAC1D,wBAAgB,YAAY,CAAC,CAAC,SAAS,MAAM,EAC3C,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,SAAS,CAAC,EAAE,EACrB,SAAS,EAAE,MAAM,GAChB,CAAC,CAQH;AAED,wCAAwC;AACxC,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAKnE;AAED,mCAAmC;AACnC,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAK1E;AAED,qCAAqC;AACrC,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAK/E;AAED,yEAAyE;AACzE,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAcrD;AAED,8CAA8C;AAC9C,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAmBrD;AAED,mCAAmC;AACnC,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAQtE;AAID;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAGtD"}

package/dist/cli/validation.js

@@ -0,0 +1,104 @@
+/**
+ * CLI input validation helpers.
+ *
+ * Pure functions that validate user-provided CLI flags and exit with a
+ * descriptive error when the input is invalid.  Extracted from cli.ts so
+ * they can be unit-tested independently.
+ */
+// ─── Constants ───────────────────────────────────────────────────
+export const IDENTIFIER_RE = /^[a-zA-Z0-9_-]+$/;
+export const VALID_AUTH_TYPES = ['bearer', 'header', 'basic', 'query'];
+export const VALID_BODY_INSPECTION_MODES = ['off', 'warn', 'block'];
+export const VALID_POLICY_MODES = ['enforce', 'dry-run', 'off'];
+export const VALID_LOG_LEVELS = ['debug', 'info', 'warn', 'error'];
+export const VALID_MCP_TRANSPORTS = ['stdio', 'streamable-http'];
+// ─── Validators ──────────────────────────────────────────────────
+/** Validate an identifier (name, service, etc.) used as a DB key or URL path segment. */
+export function validateIdentifier(value, fieldName) {
+    if (!value || !IDENTIFIER_RE.test(value)) {
+        console.error(`\n✗ Invalid ${fieldName}: "${value}"\n  Must contain only letters, numbers, hyphens, and underscores.\n`);
+        process.exit(1);
+    }
+}
+/** Validate a value is one of the allowed enum values. */
+export function validateEnum(value, allowed, fieldName) {
+    if (!allowed.includes(value)) {
+        console.error(`\n✗ Invalid ${fieldName}: "${value}"\n  Must be one of: ${allowed.join(', ')}\n`);
+        process.exit(1);
+    }
+    return value;
+}
+/** Validate a port number (1–65535). */
+export function validatePort(value, fieldName) {
+    if (Number.isNaN(value) || !Number.isFinite(value) || value < 1 || value > 65535) {
+        console.error(`\n✗ Invalid ${fieldName}: must be a number between 1 and 65535.\n`);
+        process.exit(1);
+    }
+}
+/** Validate a positive integer. */
+export function validatePositiveInt(value, fieldName) {
+    if (Number.isNaN(value) || !Number.isFinite(value) || value < 1 || !Number.isInteger(value)) {
+        console.error(`\n✗ Invalid ${fieldName}: must be a positive integer.\n`);
+        process.exit(1);
+    }
+}
+/** Validate a non-negative float. */
+export function validateNonNegativeFloat(value, fieldName) {
+    if (Number.isNaN(value) || !Number.isFinite(value) || value < 0) {
+        console.error(`\n✗ Invalid ${fieldName}: must be a non-negative number.\n`);
+        process.exit(1);
+    }
+}
+/** Validate a rate limit string (e.g. 100/min) early, before storing. */
+export function validateRateLimit(value) {
+    // Re-uses the same regex from rate-limiter.ts
+    const match = value.match(/^(\d+)\/(sec(?:ond)?|min(?:ute)?|hr|hour|day)$/i);
+    if (!match) {
+        console.error(`\n✗ Invalid rate limit: "${value}"\n  Expected format: <number>/<unit> (e.g. 100/min, 1000/hour, 10/sec)\n`);
+        process.exit(1);
+    }
+    const count = parseInt(match[1], 10);
+    if (count <= 0) {
+        console.error(`\n✗ Invalid rate limit: count must be positive.\n`);
+        process.exit(1);
+    }
+}
+/** Validate a comma-separated domain list. */
+export function validateDomains(raw) {
+    const domains = raw
+        .split(',')
+        .map((d) => d.trim())
+        .filter((d) => d.length > 0);
+    if (domains.length === 0) {
+        console.error(`\n✗ At least one valid domain is required.\n`);
+        process.exit(1);
+    }
+    for (const domain of domains) {
+        // Allow wildcards like *.slack.com — basic sanity check
+        if (!/^[a-zA-Z0-9.*_-]+(\.[a-zA-Z0-9.*_-]+)*$/.test(domain)) {
+            console.error(`\n✗ Invalid domain: "${domain}"\n  Domains must be valid hostnames (e.g. api.slack.com, *.example.com)\n`);
+            process.exit(1);
+        }
+    }
+    return domains;
+}
+/** Validate an ISO date string. */
+export function validateIsoDate(value, fieldName) {
+    const d = new Date(value);
+    if (Number.isNaN(d.getTime())) {
+        console.error(`\n✗ Invalid ${fieldName}: "${value}"\n  Expected ISO 8601 format (e.g. 2026-01-01, 2026-01-01T00:00:00Z)\n`);
+        process.exit(1);
+    }
+}
+// ─── Formatting ──────────────────────────────────────────────────
+/**
+ * Convert a UTC timestamp from SQLite (e.g. "2026-03-09 00:31:38") to
+ * the user's local time string.  SQLite's datetime('now') stores UTC but
+ * omits the 'Z' suffix, so we append it before parsing so JavaScript's
+ * Date constructor treats it as UTC rather than local.
+ */
+export function localTime(utcTimestamp) {
+    const ts = utcTimestamp.endsWith('Z') ? utcTimestamp : `${utcTimestamp}Z`;
+    return new Date(ts).toLocaleString();
+}
+//# sourceMappingURL=validation.js.map

package/dist/cli/validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/cli/validation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,oEAAoE;AAEpE,MAAM,CAAC,MAAM,aAAa,GAAG,kBAAkB,CAAC;AAEhD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAU,CAAC;AAChF,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAU,CAAC;AAC7E,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,KAAK,CAAU,CAAC;AACzE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAU,CAAC;AAC5E,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAU,CAAC;AAE1E,oEAAoE;AAEpE,yFAAyF;AACzF,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,SAAiB;IACjE,IAAI,CAAC,KAAK,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACzC,OAAO,CAAC,KAAK,CACX,eAAe,SAAS,MAAM,KAAK,sEAAsE,CAC1G,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,YAAY,CAC1B,KAAa,EACb,OAAqB,EACrB,SAAiB;IAEjB,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAU,CAAC,EAAE,CAAC;QAClC,OAAO,CAAC,KAAK,CACX,eAAe,SAAS,MAAM,KAAK,wBAAwB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAClF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAU,CAAC;AACpB,CAAC;AAED,wCAAwC;AACxC,MAAM,UAAU,YAAY,CAAC,KAAa,EAAE,SAAiB;IAC3D,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,KAAK,EAAE,CAAC;QACjF,OAAO,CAAC,KAAK,CAAC,eAAe,SAAS,2CAA2C,CAAC,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,mCAAmC;AACnC,MAAM,UAAU,mBAAmB,CAAC,KAAa,EAAE,SAAiB;IAClE,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5F,OAAO,CAAC,KAAK,CAAC,eAAe,SAAS,iCAAiC,CAAC,CAAC;QACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,qCAAqC;AACrC,MAAM,UAAU,wBAAwB,CAAC,KAAa,EAAE,SAAiB;IACvE,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QAChE,OAAO,CAAC,KAAK,CAAC,eAAe,SAAS,oCAAoC,CAAC,CAAC;QAC5E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,8CAA8C;IAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;IAC7E,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CACX,4BAA4B,KAAK,2EAA2E,CAC7G,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,OAAO,GAAG,GAAG;SAChB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,wDAAwD;QACxD,IAAI,CAAC,yCAAyC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5D,OAAO,CAAC,KAAK,CACX,wBAAwB,MAAM,4EAA4E,CAC3G,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,mCAAmC;AACnC,MAAM,UAAU,eAAe,CAAC,KAAa,EAAE,SAAiB;IAC9D,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CACX,eAAe,SAAS,MAAM,KAAK,yEAAyE,CAC7G,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,oEAAoE;AAEpE;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,YAAoB;IAC5C,MAAM,EAAE,GAAG,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,GAAG,YAAY,GAAG,CAAC;IAC1E,OAAO,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,cAAc,EAAE,CAAC;AACvC,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,30 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { registerAgent, registerConfig, registerDashboard, registerDoctor, registerGate, registerInit, registerLedger, registerMcp, registerPolicy, registerUser, registerVault, registerVaultManager, registerWebhook, } from './cli/index.js';
+import { VERSION } from './version.js';
+const program = new Command();
+program
+    .name('aegis')
+    .description('Credential isolation for AI agents. Store, guard, and record.')
+    .version(VERSION);
+// Register all command groups
+registerVault(program);
+registerVaultManager(program);
+registerGate(program);
+registerAgent(program);
+registerPolicy(program);
+registerMcp(program);
+registerWebhook(program);
+registerLedger(program);
+registerUser(program);
+registerConfig(program);
+registerInit(program);
+registerDoctor(program);
+registerDashboard(program);
+// ── Global error handler — catch unhandled errors and print clean messages ──
+process.on('uncaughtException', (err) => {
+    console.error(`\n✗ ${err.message}\n`);
+    process.exit(1);
+});
+program.parse();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EACL,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,WAAW,EACX,cAAc,EACd,YAAY,EACZ,aAAa,EACb,oBAAoB,EACpB,eAAe,GAChB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,OAAO,CAAC;KACb,WAAW,CAAC,+DAA+D,CAAC;KAC5E,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,8BAA8B;AAC9B,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,oBAAoB,CAAC,OAAO,CAAC,CAAC;AAC9B,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,aAAa,CAAC,OAAO,CAAC,CAAC;AACvB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,WAAW,CAAC,OAAO,CAAC,CAAC;AACrB,eAAe,CAAC,OAAO,CAAC,CAAC;AACzB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,YAAY,CAAC,OAAO,CAAC,CAAC;AACtB,cAAc,CAAC,OAAO,CAAC,CAAC;AACxB,iBAAiB,CAAC,OAAO,CAAC,CAAC;AAE3B,+EAA+E;AAC/E,OAAO,CAAC,EAAE,CAAC,mBAAmB,EAAE,CAAC,GAA8B,EAAE,EAAE;IACjE,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IACtC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,108 @@
+/** Gate proxy configuration. */
+export interface GateConfig {
+    port: number;
+    tls?: {
+        cert: string;
+        key: string;
+    };
+    require_agent_auth: boolean;
+    policy_mode: 'enforce' | 'dry-run' | 'off';
+    policies_dir?: string;
+}
+/** Vault configuration. */
+export interface VaultConfig {
+    name: string;
+    data_dir: string;
+    master_key: string;
+}
+/** Observability configuration. */
+export interface ObservabilityConfig {
+    log_level: 'debug' | 'info' | 'warn' | 'error';
+    log_format: 'json' | 'pretty';
+    metrics: boolean;
+    dashboard?: {
+        enabled: boolean;
+        port: number;
+    };
+}
+/** MCP server configuration. */
+export interface McpConfig {
+    transport: 'stdio' | 'streamable-http';
+    port: number;
+}
+/** Webhook configuration (inline in config file). */
+export interface WebhookConfigEntry {
+    url: string;
+    secret?: string;
+    events: string[];
+}
+/** Complete aegis.config.yaml schema. */
+export interface AegisConfigFile {
+    gate?: Partial<GateConfig>;
+    vault?: Partial<VaultConfig>;
+    observability?: Partial<ObservabilityConfig>;
+    mcp?: Partial<McpConfig>;
+    webhooks?: WebhookConfigEntry[];
+}
+/** Resolved Aegis configuration — all fields have values. */
+export interface AegisConfig {
+    port: number;
+    masterKey: string;
+    salt: string;
+    dataDir: string;
+    logLevel: 'debug' | 'info' | 'warn' | 'error';
+    logFormat: 'json' | 'pretty';
+    vaultName: string;
+    tls?: {
+        cert: string;
+        key: string;
+    };
+    requireAgentAuth: boolean;
+    policyMode: 'enforce' | 'dry-run' | 'off';
+    policiesDir?: string;
+    metricsEnabled: boolean;
+    dashboard: {
+        enabled: boolean;
+        port: number;
+    };
+    mcp: {
+        transport: 'stdio' | 'streamable-http';
+        port: number;
+    };
+    webhooks: WebhookConfigEntry[];
+    /** Path to the config file used, if any. */
+    configFilePath?: string;
+}
+/**
+ * Find the config file path, checking CWD first, then the CLI script's directory.
+ * The script directory fallback ensures MCP servers spawned by Claude Desktop /
+ * Cursor (which set cwd=/) can still find the config file next to the CLI.
+ * Returns absolute path or null if not found.
+ */
+export declare function findConfigFile(cwd?: string): string | null;
+/**
+ * Parse a YAML config file. Returns the parsed object.
+ * Throws on invalid YAML or file read errors.
+ */
+export declare function parseConfigFile(filePath: string): AegisConfigFile;
+export interface ConfigValidationError {
+    path: string;
+    message: string;
+}
+/**
+ * Validate a parsed config file. Returns an array of errors (empty = valid).
+ */
+export declare function validateConfigFile(config: AegisConfigFile): ConfigValidationError[];
+/**
+ * Load and resolve the full Aegis configuration.
+ *
+ * Resolution order (highest priority wins):
+ *   1. Environment variables (AEGIS_*)
+ *   2. Config file (aegis.config.yaml)
+ *   3. Built-in defaults
+ *
+ * The .env file is loaded into the environment variable layer.
+ * The master key has special handling: env → unseal key file → empty.
+ */
+export declare function getConfig(): AegisConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAOA,gCAAgC;AAChC,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,kBAAkB,EAAE,OAAO,CAAC;IAC5B,WAAW,EAAE,SAAS,GAAG,SAAS,GAAG,KAAK,CAAC;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,2BAA2B;AAC3B,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,mCAAmC;AACnC,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC/C,UAAU,EAAE,MAAM,GAAG,QAAQ,CAAC;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,OAAO,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,gCAAgC;AAChC,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,OAAO,GAAG,iBAAiB,CAAC;IACvC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qDAAqD;AACrD,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,yCAAyC;AACzC,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7B,aAAa,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC7C,GAAG,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IACzB,QAAQ,CAAC,EAAE,kBAAkB,EAAE,CAAC;CACjC;AAED,6DAA6D;AAC7D,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C,SAAS,EAAE,MAAM,GAAG,QAAQ,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IACpC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,UAAU,EAAE,SAAS,GAAG,SAAS,GAAG,KAAK,CAAC;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,OAAO,CAAC;IACxB,SAAS,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9C,GAAG,EAAE;QAAE,SAAS,EAAE,OAAO,GAAG,iBAAiB,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9D,QAAQ,EAAE,kBAAkB,EAAE,CAAC;IAC/B,4CAA4C;IAC5C,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAyBD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAuB1D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,eAAe,CAQjE;AAID,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAcD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,eAAe,GAAG,qBAAqB,EAAE,CA2KnF;AAoBD;;;;;;;;;;GAUG;AACH,wBAAgB,SAAS,IAAI,WAAW,CAiHvC"}