npm - @getaegis/cli - Versions diffs - 0.8.0 → 0.9.0 - Mend

@getaegis/cli 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (242) hide show

package/README.md +43 -14
package/dist/agent/agent.d.ts +98 -0
package/dist/agent/agent.d.ts.map +1 -0
package/dist/agent/agent.js +212 -0
package/dist/agent/agent.js.map +1 -0
package/dist/agent/index.d.ts +3 -0
package/dist/agent/index.d.ts.map +1 -0
package/dist/agent/index.js +2 -0
package/dist/agent/index.js.map +1 -0
package/dist/cli/auth.d.ts +19 -0
package/dist/cli/auth.d.ts.map +1 -0
package/dist/cli/auth.js +44 -0
package/dist/cli/auth.js.map +1 -0
package/dist/cli/commands/agent.d.ts +6 -0
package/dist/cli/commands/agent.d.ts.map +1 -0
package/dist/cli/commands/agent.js +241 -0
package/dist/cli/commands/agent.js.map +1 -0
package/dist/cli/commands/config.d.ts +6 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +125 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/dashboard.d.ts +6 -0
package/dist/cli/commands/dashboard.d.ts.map +1 -0
package/dist/cli/commands/dashboard.js +195 -0
package/dist/cli/commands/dashboard.js.map +1 -0
package/dist/cli/commands/db.d.ts +6 -0
package/dist/cli/commands/db.d.ts.map +1 -0
package/dist/cli/commands/db.js +139 -0
package/dist/cli/commands/db.js.map +1 -0
package/dist/cli/commands/doctor.d.ts +6 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/doctor.js +39 -0
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/gate.d.ts +6 -0
package/dist/cli/commands/gate.d.ts.map +1 -0
package/dist/cli/commands/gate.js +202 -0
package/dist/cli/commands/gate.js.map +1 -0
package/dist/cli/commands/init.d.ts +6 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +175 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/key.d.ts +6 -0
package/dist/cli/commands/key.d.ts.map +1 -0
package/dist/cli/commands/key.js +49 -0
package/dist/cli/commands/key.js.map +1 -0
package/dist/cli/commands/ledger.d.ts +6 -0
package/dist/cli/commands/ledger.d.ts.map +1 -0
package/dist/cli/commands/ledger.js +140 -0
package/dist/cli/commands/ledger.js.map +1 -0
package/dist/cli/commands/mcp.d.ts +6 -0
package/dist/cli/commands/mcp.d.ts.map +1 -0
package/dist/cli/commands/mcp.js +224 -0
package/dist/cli/commands/mcp.js.map +1 -0
package/dist/cli/commands/policy.d.ts +6 -0
package/dist/cli/commands/policy.d.ts.map +1 -0
package/dist/cli/commands/policy.js +126 -0
package/dist/cli/commands/policy.js.map +1 -0
package/dist/cli/commands/user.d.ts +6 -0
package/dist/cli/commands/user.d.ts.map +1 -0
package/dist/cli/commands/user.js +150 -0
package/dist/cli/commands/user.js.map +1 -0
package/dist/cli/commands/vault-manager.d.ts +6 -0
package/dist/cli/commands/vault-manager.d.ts.map +1 -0
package/dist/cli/commands/vault-manager.js +240 -0
package/dist/cli/commands/vault-manager.js.map +1 -0
package/dist/cli/commands/vault.d.ts +6 -0
package/dist/cli/commands/vault.d.ts.map +1 -0
package/dist/cli/commands/vault.js +265 -0
package/dist/cli/commands/vault.js.map +1 -0
package/dist/cli/commands/webhook.d.ts +6 -0
package/dist/cli/commands/webhook.d.ts.map +1 -0
package/dist/cli/commands/webhook.js +151 -0
package/dist/cli/commands/webhook.js.map +1 -0
package/dist/cli/helpers.d.ts +12 -0
package/dist/cli/helpers.d.ts.map +1 -0
package/dist/cli/helpers.js +61 -0
package/dist/cli/helpers.js.map +1 -0
package/dist/cli/index.d.ts +19 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +19 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/validation.d.ts +37 -0
package/dist/cli/validation.d.ts.map +1 -0
package/dist/cli/validation.js +104 -0
package/dist/cli/validation.js.map +1 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +37 -0
package/dist/cli.js.map +1 -0
package/dist/config.d.ts +120 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +401 -0
package/dist/config.js.map +1 -0
package/dist/dashboard/dashboard-server.d.ts +95 -0
package/dist/dashboard/dashboard-server.d.ts.map +1 -0
package/dist/dashboard/dashboard-server.js +329 -0
package/dist/dashboard/dashboard-server.js.map +1 -0
package/dist/dashboard/index.d.ts +3 -0
package/dist/dashboard/index.d.ts.map +1 -0
package/dist/dashboard/index.js +2 -0
package/dist/dashboard/index.js.map +1 -0
package/dist/dashboard/public/assets/index-Cah0_BKk.js +148 -0
package/dist/dashboard/public/assets/index-CpMruPNh.css +1 -0
package/dist/dashboard/public/favicon.svg +6 -0
package/dist/dashboard/public/index.html +14 -0
package/dist/db.d.ts +27 -0
package/dist/db.d.ts.map +1 -0
package/dist/db.js +209 -0
package/dist/db.js.map +1 -0
package/dist/doctor.d.ts +37 -0
package/dist/doctor.d.ts.map +1 -0
package/dist/doctor.js +216 -0
package/dist/doctor.js.map +1 -0
package/dist/gate/body-inspector.d.ts +31 -0
package/dist/gate/body-inspector.d.ts.map +1 -0
package/dist/gate/body-inspector.js +193 -0
package/dist/gate/body-inspector.js.map +1 -0
package/dist/gate/gate.d.ts +190 -0
package/dist/gate/gate.d.ts.map +1 -0
package/dist/gate/gate.js +1243 -0
package/dist/gate/gate.js.map +1 -0
package/dist/gate/index.d.ts +7 -0
package/dist/gate/index.d.ts.map +1 -0
package/dist/gate/index.js +4 -0
package/dist/gate/index.js.map +1 -0
package/dist/gate/rate-limiter.d.ts +59 -0
package/dist/gate/rate-limiter.d.ts.map +1 -0
package/dist/gate/rate-limiter.js +120 -0
package/dist/gate/rate-limiter.js.map +1 -0
package/dist/index.d.ts +28 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +17 -0
package/dist/index.js.map +1 -0
package/dist/key-storage/credential-manager-windows.d.ts +19 -0
package/dist/key-storage/credential-manager-windows.d.ts.map +1 -0
package/dist/key-storage/credential-manager-windows.js +87 -0
package/dist/key-storage/credential-manager-windows.js.map +1 -0
package/dist/key-storage/file-fallback.d.ts +21 -0
package/dist/key-storage/file-fallback.d.ts.map +1 -0
package/dist/key-storage/file-fallback.js +62 -0
package/dist/key-storage/file-fallback.js.map +1 -0
package/dist/key-storage/index.d.ts +6 -0
package/dist/key-storage/index.d.ts.map +1 -0
package/dist/key-storage/index.js +6 -0
package/dist/key-storage/index.js.map +1 -0
package/dist/key-storage/key-storage.d.ts +41 -0
package/dist/key-storage/key-storage.d.ts.map +1 -0
package/dist/key-storage/key-storage.js +70 -0
package/dist/key-storage/key-storage.js.map +1 -0
package/dist/key-storage/keychain-macos.d.ts +19 -0
package/dist/key-storage/keychain-macos.d.ts.map +1 -0
package/dist/key-storage/keychain-macos.js +51 -0
package/dist/key-storage/keychain-macos.js.map +1 -0
package/dist/key-storage/secret-service-linux.d.ts +19 -0
package/dist/key-storage/secret-service-linux.d.ts.map +1 -0
package/dist/key-storage/secret-service-linux.js +55 -0
package/dist/key-storage/secret-service-linux.js.map +1 -0
package/dist/ledger/index.d.ts +3 -0
package/dist/ledger/index.d.ts.map +1 -0
package/dist/ledger/index.js +2 -0
package/dist/ledger/index.js.map +1 -0
package/dist/ledger/ledger.d.ts +98 -0
package/dist/ledger/ledger.d.ts.map +1 -0
package/dist/ledger/ledger.js +145 -0
package/dist/ledger/ledger.js.map +1 -0
package/dist/logger/index.d.ts +3 -0
package/dist/logger/index.d.ts.map +1 -0
package/dist/logger/index.js +2 -0
package/dist/logger/index.js.map +1 -0
package/dist/logger/logger.d.ts +58 -0
package/dist/logger/logger.d.ts.map +1 -0
package/dist/logger/logger.js +201 -0
package/dist/logger/logger.js.map +1 -0
package/dist/mcp/index.d.ts +3 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/index.js +2 -0
package/dist/mcp/index.js.map +1 -0
package/dist/mcp/mcp-server.d.ts +130 -0
package/dist/mcp/mcp-server.d.ts.map +1 -0
package/dist/mcp/mcp-server.js +775 -0
package/dist/mcp/mcp-server.js.map +1 -0
package/dist/metrics/index.d.ts +3 -0
package/dist/metrics/index.d.ts.map +1 -0
package/dist/metrics/index.js +2 -0
package/dist/metrics/index.js.map +1 -0
package/dist/metrics/metrics.d.ts +88 -0
package/dist/metrics/metrics.d.ts.map +1 -0
package/dist/metrics/metrics.js +179 -0
package/dist/metrics/metrics.js.map +1 -0
package/dist/policy/index.d.ts +3 -0
package/dist/policy/index.d.ts.map +1 -0
package/dist/policy/index.js +2 -0
package/dist/policy/index.js.map +1 -0
package/dist/policy/policy.d.ts +119 -0
package/dist/policy/policy.d.ts.map +1 -0
package/dist/policy/policy.js +426 -0
package/dist/policy/policy.js.map +1 -0
package/dist/user/index.d.ts +3 -0
package/dist/user/index.d.ts.map +1 -0
package/dist/user/index.js +2 -0
package/dist/user/index.js.map +1 -0
package/dist/user/user.d.ts +102 -0
package/dist/user/user.d.ts.map +1 -0
package/dist/user/user.js +216 -0
package/dist/user/user.js.map +1 -0
package/dist/vault/crypto.d.ts +28 -0
package/dist/vault/crypto.d.ts.map +1 -0
package/dist/vault/crypto.js +44 -0
package/dist/vault/crypto.js.map +1 -0
package/dist/vault/index.d.ts +10 -0
package/dist/vault/index.d.ts.map +1 -0
package/dist/vault/index.js +6 -0
package/dist/vault/index.js.map +1 -0
package/dist/vault/seal.d.ts +68 -0
package/dist/vault/seal.d.ts.map +1 -0
package/dist/vault/seal.js +110 -0
package/dist/vault/seal.js.map +1 -0
package/dist/vault/shamir.d.ts +33 -0
package/dist/vault/shamir.d.ts.map +1 -0
package/dist/vault/shamir.js +174 -0
package/dist/vault/shamir.js.map +1 -0
package/dist/vault/vault-manager.d.ts +62 -0
package/dist/vault/vault-manager.d.ts.map +1 -0
package/dist/vault/vault-manager.js +151 -0
package/dist/vault/vault-manager.js.map +1 -0
package/dist/vault/vault.d.ts +104 -0
package/dist/vault/vault.d.ts.map +1 -0
package/dist/vault/vault.js +259 -0
package/dist/vault/vault.js.map +1 -0
package/dist/version.d.ts +3 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +18 -0
package/dist/version.js.map +1 -0
package/dist/webhook/index.d.ts +3 -0
package/dist/webhook/index.d.ts.map +1 -0
package/dist/webhook/index.js +2 -0
package/dist/webhook/index.js.map +1 -0
package/dist/webhook/webhook.d.ts +114 -0
package/dist/webhook/webhook.d.ts.map +1 -0
package/dist/webhook/webhook.js +269 -0
package/dist/webhook/webhook.js.map +1 -0
package/package.json +12 -6

package/README.md CHANGED Viewed

@@ -1,5 +1,10 @@
 # Aegis
+[![CI](https://github.com/getaegis/aegis/actions/workflows/ci.yml/badge.svg)](https://github.com/getaegis/aegis/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/@getaegis/cli)](https://www.npmjs.com/package/@getaegis/cli)
+[![Docker](https://img.shields.io/badge/ghcr.io-getaegis%2Faegis-blue?logo=docker)](https://ghcr.io/getaegis/aegis)
+[![License](https://img.shields.io/github/license/getaegis/aegis)](LICENSE)
 **Credential isolation for AI agents.**
 Aegis sits between your AI agent and the APIs it calls. The agent never sees, stores, or transmits real credentials — Aegis injects them at the network boundary.
@@ -41,17 +46,30 @@ Aegis solves all four. Your agent makes HTTP calls through a local proxy. Aegis
 npm install -g @getaegis/cli
 # Initialize — generates master key, config file, and encrypted vault
+aegis init
+```
+By default, `aegis init` stores the master key in your OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service). If no keychain is available, it falls back to a file at `.aegis/.master-key` (mode 0600).
+Alternative storage modes:
+```bash
+# Store in .env file (for CI/headless environments)
+aegis init --env-file
+# Store in aegis.config.yaml (convenient for local dev, not recommended for production)
 aegis init --write-secrets
+# Check where your master key is stored
+aegis key where
 ```
-`aegis init` prints a master key. Without `--write-secrets`, you must export it yourself:
+If you use `--env-file` or need to set the key manually:
 ```bash
 export AEGIS_MASTER_KEY=<key from init>
 ```
-With `--write-secrets`, the key is saved to `aegis.config.yaml` automatically (convenient for local dev, not recommended for production).
 ```bash
 # Add a credential
 aegis vault add \
@@ -90,6 +108,7 @@ curl http://localhost:3100/slack/api/auth.test \
 | **RBAC** | Admin, operator, viewer roles with 16 granular permissions |
 | **Multi-Vault** | Separate vaults for dev/staging/prod with isolated encryption keys |
 | **Shamir's Secret Sharing** | M-of-N key splitting for team master key management |
+| **Cross-Platform Key Storage** | OS keychain by default (macOS Keychain, Windows Credential Manager, Linux Secret Service) with file fallback |
 | **TLS Support** | Optional HTTPS on Gate with cert/key configuration |
 | **Configuration File** | `aegis.config.yaml` with env var overrides and CLI flag overrides |
@@ -116,7 +135,7 @@ The MCP server replicates the full Gate security pipeline: domain guard, agent a
 ## Agent Identity & Scoping
-Without agent auth, any process on localhost can use any credential. Enable agent auth to restrict access:
+Agent authentication is **on by default**. Every request through Gate must include a valid `X-Aegis-Agent` header. Requests without a token get a helpful 401 error with instructions to create an agent.
 ```bash
 # Register an agent — token is printed once, save it
@@ -128,13 +147,16 @@ aegis agent grant --agent "research-bot" --credential "slack-bot"
 # Set per-agent rate limits
 aegis agent set-rate-limit --agent "research-bot" --limit 50/min
-# Start Gate with agent auth required
-aegis gate --require-agent-auth
+# Start Gate (agent auth is on by default)
+aegis gate
 # Agent must include its token in every request
 curl http://localhost:3100/slack/api/auth.test \
   -H "X-Target-Host: api.slack.com" \
   -H "X-Aegis-Agent: aegis_a1b2c3d4..."
+# To disable agent auth (not recommended):
+aegis gate --no-agent-auth
 ```
 Tokens are SHA-256 hashed for storage — they cannot be recovered, only regenerated:
@@ -204,7 +226,8 @@ aegis vault add \
 | `--ttl <days>` | *(none)* | Credential expires after this many days |
 | `--rate-limit` | *(none)* | Rate limit: `100/min`, `1000/hour`, `10/sec` |
 | `--body-inspection` | `block` | Scan outbound bodies for credential patterns: `off`, `warn`, `block` |
-| `--header-name` | — | Custom header name (only for `--auth-type header`) |
+| `--header-name` | — | Custom header name (for `--auth-type header`) |
+| `--query-param` | `key` | Query parameter name (for `--auth-type query`) |
 Update any field later:
@@ -221,7 +244,7 @@ Aegis supports four credential injection methods:
 | `bearer` | `--auth-type bearer` (default) | `Authorization: Bearer <secret>` |
 | `header` | `--auth-type header --header-name X-API-Key` | `X-API-Key: <secret>` |
 | `basic` | `--auth-type basic` | `Authorization: Basic <base64(secret)>` |
-| `query` | `--auth-type query` | Appends `?key=<secret>` to the URL |
+| `query` | `--auth-type query --query-param api_key` | Appends `?api_key=<secret>` to the URL |
 ## Configuration
@@ -463,13 +486,15 @@ Runs diagnostics on your Aegis installation:
 - Config file validation
 - Database accessibility and schema
 - Master key correctness (test decrypt)
+- Key storage backend (keychain type and status)
 - Expired or expiring-soon credentials
 Returns pass/warn/fail for each check.
 ## Security Model
-- **Encryption at rest** — AES-256-GCM with PBKDF2 key derivation (100k iterations, SHA-512, random per-deployment salt)
+- **Encryption at rest** — AES-256-GCM with PBKDF2 key derivation (210,000 iterations, SHA-512, random per-deployment salt)
+- **Cross-platform key storage** — master key stored in OS keychain by default (macOS Keychain, Windows Credential Manager, Linux Secret Service). File fallback for CI/headless
 - **Domain guard** — enforced on every outbound request. No bypass, no override. Wildcards supported (`*.slack.com`)
 - **Credential scopes** — `read` (GET/HEAD/OPTIONS), `write` (POST/PUT/PATCH/DELETE), `*` (all). Enforced at the Gate before any request is forwarded
 - **Header stripping** — agent-supplied `Authorization`, `X-API-Key`, `Proxy-Authorization` headers are removed before injection
@@ -479,13 +504,13 @@ Returns pass/warn/fail for each check.
 - **TLS support** — optional HTTPS on Gate (`aegis gate --tls --cert <path> --key <path>`)
 - **Graceful shutdown** — drains in-flight requests on SIGINT/SIGTERM
-See [SECURITY_ARCHITECTURE.md](docs/SECURITY_ARCHITECTURE.md) for the full security design, threat model, and trust boundaries.
+See [SECURITY_ARCHITECTURE.md](docs/SECURITY_ARCHITECTURE.md) for the full security design and trust boundaries, and [THREAT_MODEL.md](docs/THREAT_MODEL.md) for the STRIDE threat analysis.
 ## CLI Reference
 ```
 aegis init [--write-secrets]              Initialize Aegis (master key + config)
-aegis gate [--port] [--tls] [--require-agent-auth] [--policies-dir] [--policy-mode]
+aegis gate [--port] [--tls] [--no-agent-auth] [--policies-dir] [--policy-mode]
                                           Start the HTTP proxy
 aegis dashboard [--port] [--gate-port]    Start the web dashboard + Gate
@@ -547,8 +572,12 @@ aegis user regenerate-token --name <name> Regenerate user token
 aegis mcp serve [--transport] [--port]    Start the MCP server
 aegis mcp config <claude|cursor|vscode>   Generate MCP host config
+aegis db backup [--output <path>]         Backup the vault database
+aegis db restore --input <path> [--force] Restore from a backup
 aegis config validate                     Validate config file
 aegis config show                         Show resolved configuration
+aegis key where                           Show where the master key is stored
 aegis doctor                              Health check diagnostics
 ```
@@ -556,7 +585,7 @@ aegis doctor                              Health check diagnostics
 | Error | Cause | Fix |
 |-------|-------|-----|
-| `AEGIS_MASTER_KEY is not set` | No master key in config or env | `export AEGIS_MASTER_KEY=<key>` or use `aegis init --write-secrets` |
+| `AEGIS_MASTER_KEY is not set` | No master key in config, env, or keychain | Run `aegis key where` to check storage, or `export AEGIS_MASTER_KEY=<key>` |
 | `Invalid master key` | Wrong key for this vault | Check `AEGIS_MASTER_KEY` matches the key from `aegis init` |
 | `Port 3100 is already in use` | Another process on that port | Use `aegis gate --port 3200` or stop the other process |
 | `Database file is corrupted` | SQLite file damaged | Back up `.aegis/` and re-run `aegis init` |
@@ -585,8 +614,8 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for code style, PR process, and architect
 |-------|------------|
 | Language | TypeScript (ES2022, native ESM) |
 | Runtime | Node.js ≥ 20 |
-| Database | SQLite via better-sqlite3 (WAL mode) |
-| Encryption | AES-256-GCM, PBKDF2 |
+| Database | SQLite via better-sqlite3-multiple-ciphers (WAL mode, ChaCha20-Poly1305 encryption at rest) |
+| Encryption | AES-256-GCM (field-level), ChaCha20-Poly1305 (full-database), PBKDF2 |
 | Logging | pino (structured JSON, field-level redaction) |
 | Metrics | prom-client (Prometheus) |
 | CLI | Commander.js |

package/dist/agent/agent.d.ts ADDED Viewed

@@ -0,0 +1,98 @@
+import type Database from 'better-sqlite3-multiple-ciphers';
+export interface Agent {
+    id: string;
+    name: string;
+    tokenPrefix: string;
+    rateLimit?: string;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface AgentWithToken extends Agent {
+    token: string;
+}
+/**
+ * Agent Registry — manages agent identities and their credential access grants.
+ *
+ * Agents are identified by tokens (UUID v4 + HMAC suffix). Tokens are:
+ * - Hashed (SHA-256) for fast lookup during request validation — hash-only, no recovery
+ * - Prefixed (first 12 chars) for safe display in logs and audit entries
+ *
+ * Security: Tokens are never stored in recoverable form. If a token is lost,
+ * use regenerateToken() to issue a new one (same pattern as GitHub/Stripe key rotation).
+ */
+export declare class AgentRegistry {
+    private db;
+    private derivedKey;
+    constructor(db: Database.Database, derivedKey: Buffer);
+    /**
+     * Register a new agent. Returns the agent with its token (shown once).
+     *
+     * Token format: aegis_{uuid}_{hmac_prefix}
+     * The HMAC is derived from the UUID using the master key, making tokens
+     * verifiable as Aegis-generated.
+     */
+    add(params: {
+        name: string;
+        rateLimit?: string;
+    }): AgentWithToken;
+    /**
+     * List all registered agents (without tokens).
+     */
+    list(): Agent[];
+    /**
+     * Get an agent by name (without token).
+     */
+    getByName(name: string): Agent | null;
+    /**
+     * Validate an agent token. Returns the agent if the token is valid, null otherwise.
+     *
+     * Uses SHA-256 hash comparison for constant-time-safe lookup.
+     */
+    validateToken(token: string): Agent | null;
+    /**
+     * Remove an agent by name. Also removes all credential grants.
+     */
+    remove(name: string): boolean;
+    /**
+     * Regenerate an agent's token. Issues a new token, invalidates the old one.
+     *
+     * The agent keeps its identity (id, name), credential grants, and rate limits.
+     * Only the token changes. This follows the same pattern as GitHub personal
+     * access token rotation or Stripe API key rolling.
+     *
+     * Returns the agent with the new token (shown once), or null if not found.
+     */
+    regenerateToken(name: string): AgentWithToken | null;
+    /**
+     * Grant an agent access to a credential.
+     */
+    grant(params: {
+        agentName: string;
+        credentialId: string;
+    }): void;
+    /**
+     * Revoke an agent's access to a credential.
+     */
+    revoke(params: {
+        agentName: string;
+        credentialId: string;
+    }): boolean;
+    /**
+     * Check if an agent has access to a specific credential.
+     */
+    hasAccess(agentId: string, credentialId: string): boolean;
+    /**
+     * List all credential IDs an agent has access to.
+     */
+    listGrants(agentName: string): string[];
+    /**
+     * Set or update an agent's rate limit for a specific service.
+     * This is stored as a general rate limit on the agent record.
+     */
+    setRateLimit(params: {
+        agentName: string;
+        rateLimit: string | null;
+    }): Agent;
+    private rowToAgent;
+}
+//# sourceMappingURL=agent.d.ts.map

package/dist/agent/agent.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"agent.d.ts","sourceRoot":"","sources":["../../src/agent/agent.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,QAAQ,MAAM,iCAAiC,CAAC;AAI5D,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAe,SAAQ,KAAK;IAC3C,KAAK,EAAE,MAAM,CAAC;CACf;AAcD;;;;;;;;;GASG;AACH,qBAAa,aAAa;IAItB,OAAO,CAAC,EAAE;IAHZ,OAAO,CAAC,UAAU,CAAS;gBAGjB,EAAE,EAAE,QAAQ,CAAC,QAAQ,EAC7B,UAAU,EAAE,MAAM;IAKpB;;;;;;OAMG;IACH,GAAG,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,cAAc;IAkCjE;;OAEG;IACH,IAAI,IAAI,KAAK,EAAE;IAQf;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,KAAK,GAAG,IAAI;IAOrC;;;;OAIG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,GAAG,IAAI;IAS1C;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAS7B;;;;;;;;OAQG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,IAAI;IAkCpD;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAoBhE;;OAEG;IACH,MAAM,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO;IAapE;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAQzD;;OAEG;IACH,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE;IAevC;;;OAGG;IACH,YAAY,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,KAAK;IAmB5E,OAAO,CAAC,UAAU;CAUnB"}

package/dist/agent/agent.js ADDED Viewed

@@ -0,0 +1,212 @@
+import * as crypto from 'node:crypto';
+// ─── Agent Registry ──────────────────────────────────────────────
+/**
+ * Agent Registry — manages agent identities and their credential access grants.
+ *
+ * Agents are identified by tokens (UUID v4 + HMAC suffix). Tokens are:
+ * - Hashed (SHA-256) for fast lookup during request validation — hash-only, no recovery
+ * - Prefixed (first 12 chars) for safe display in logs and audit entries
+ *
+ * Security: Tokens are never stored in recoverable form. If a token is lost,
+ * use regenerateToken() to issue a new one (same pattern as GitHub/Stripe key rotation).
+ */
+export class AgentRegistry {
+    db;
+    derivedKey;
+    constructor(db, derivedKey) {
+        this.db = db;
+        this.derivedKey = derivedKey;
+    }
+    /**
+     * Register a new agent. Returns the agent with its token (shown once).
+     *
+     * Token format: aegis_{uuid}_{hmac_prefix}
+     * The HMAC is derived from the UUID using the master key, making tokens
+     * verifiable as Aegis-generated.
+     */
+    add(params) {
+        const id = crypto.randomUUID();
+        const uuid = crypto.randomUUID();
+        // Create HMAC of the UUID using the derived key for token integrity
+        const hmac = crypto
+            .createHmac('sha256', this.derivedKey)
+            .update(uuid)
+            .digest('hex')
+            .slice(0, 16);
+        const token = `aegis_${uuid}_${hmac}`;
+        // Hash the full token for fast lookup (hash-only — no recovery, only regeneration)
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const tokenPrefix = token.slice(0, 12);
+        this.db
+            .prepare(`INSERT INTO agents (id, name, token_hash, token_prefix, rate_limit)
+         VALUES (?, ?, ?, ?, ?)`)
+            .run(id, params.name, tokenHash, tokenPrefix, params.rateLimit ?? null);
+        return {
+            id,
+            name: params.name,
+            tokenPrefix,
+            token,
+            rateLimit: params.rateLimit,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * List all registered agents (without tokens).
+     */
+    list() {
+        const rows = this.db
+            .prepare('SELECT * FROM agents ORDER BY created_at DESC')
+            .all();
+        return rows.map((row) => this.rowToAgent(row));
+    }
+    /**
+     * Get an agent by name (without token).
+     */
+    getByName(name) {
+        const row = this.db.prepare('SELECT * FROM agents WHERE name = ?').get(name);
+        return row ? this.rowToAgent(row) : null;
+    }
+    /**
+     * Validate an agent token. Returns the agent if the token is valid, null otherwise.
+     *
+     * Uses SHA-256 hash comparison for constant-time-safe lookup.
+     */
+    validateToken(token) {
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const row = this.db.prepare('SELECT * FROM agents WHERE token_hash = ?').get(tokenHash);
+        return row ? this.rowToAgent(row) : null;
+    }
+    /**
+     * Remove an agent by name. Also removes all credential grants.
+     */
+    remove(name) {
+        const agent = this.getByName(name);
+        if (!agent)
+            return false;
+        // Foreign key CASCADE handles agent_credentials cleanup
+        const result = this.db.prepare('DELETE FROM agents WHERE name = ?').run(name);
+        return result.changes > 0;
+    }
+    /**
+     * Regenerate an agent's token. Issues a new token, invalidates the old one.
+     *
+     * The agent keeps its identity (id, name), credential grants, and rate limits.
+     * Only the token changes. This follows the same pattern as GitHub personal
+     * access token rotation or Stripe API key rolling.
+     *
+     * Returns the agent with the new token (shown once), or null if not found.
+     */
+    regenerateToken(name) {
+        const agent = this.getByName(name);
+        if (!agent)
+            return null;
+        // Generate a new token with the same UUID+HMAC format
+        const uuid = crypto.randomUUID();
+        const hmac = crypto
+            .createHmac('sha256', this.derivedKey)
+            .update(uuid)
+            .digest('hex')
+            .slice(0, 16);
+        const token = `aegis_${uuid}_${hmac}`;
+        // Compute new hash and prefix
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const tokenPrefix = token.slice(0, 12);
+        // Update only the token fields — identity, grants, and rate limits are preserved
+        this.db
+            .prepare(`UPDATE agents SET token_hash = ?, token_prefix = ?, updated_at = datetime('now') WHERE id = ?`)
+            .run(tokenHash, tokenPrefix, agent.id);
+        return {
+            ...agent,
+            tokenPrefix,
+            token,
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    // ─── Credential Grants ──────────────────────────────────────────
+    /**
+     * Grant an agent access to a credential.
+     */
+    grant(params) {
+        const agent = this.getByName(params.agentName);
+        if (!agent) {
+            throw new Error(`No agent found with name "${params.agentName}"`);
+        }
+        // Check if already granted
+        const existing = this.db
+            .prepare('SELECT 1 FROM agent_credentials WHERE agent_id = ? AND credential_id = ?')
+            .get(agent.id, params.credentialId);
+        if (existing) {
+            return; // Already granted — idempotent
+        }
+        this.db
+            .prepare('INSERT INTO agent_credentials (agent_id, credential_id) VALUES (?, ?)')
+            .run(agent.id, params.credentialId);
+    }
+    /**
+     * Revoke an agent's access to a credential.
+     */
+    revoke(params) {
+        const agent = this.getByName(params.agentName);
+        if (!agent) {
+            throw new Error(`No agent found with name "${params.agentName}"`);
+        }
+        const result = this.db
+            .prepare('DELETE FROM agent_credentials WHERE agent_id = ? AND credential_id = ?')
+            .run(agent.id, params.credentialId);
+        return result.changes > 0;
+    }
+    /**
+     * Check if an agent has access to a specific credential.
+     */
+    hasAccess(agentId, credentialId) {
+        const row = this.db
+            .prepare('SELECT 1 FROM agent_credentials WHERE agent_id = ? AND credential_id = ?')
+            .get(agentId, credentialId);
+        return row !== undefined;
+    }
+    /**
+     * List all credential IDs an agent has access to.
+     */
+    listGrants(agentName) {
+        const agent = this.getByName(agentName);
+        if (!agent) {
+            throw new Error(`No agent found with name "${agentName}"`);
+        }
+        const rows = this.db
+            .prepare('SELECT credential_id FROM agent_credentials WHERE agent_id = ?')
+            .all(agent.id);
+        return rows.map((r) => r.credential_id);
+    }
+    // ─── Per-Agent Rate Limits ──────────────────────────────────────
+    /**
+     * Set or update an agent's rate limit for a specific service.
+     * This is stored as a general rate limit on the agent record.
+     */
+    setRateLimit(params) {
+        const agent = this.getByName(params.agentName);
+        if (!agent) {
+            throw new Error(`No agent found with name "${params.agentName}"`);
+        }
+        this.db
+            .prepare("UPDATE agents SET rate_limit = ?, updated_at = datetime('now') WHERE id = ?")
+            .run(params.rateLimit, agent.id);
+        return {
+            ...agent,
+            rateLimit: params.rateLimit ?? undefined,
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    // ─── Internal ───────────────────────────────────────────────────
+    rowToAgent(row) {
+        return {
+            id: row.id,
+            name: row.name,
+            tokenPrefix: row.token_prefix,
+            rateLimit: row.rate_limit ?? undefined,
+            createdAt: row.created_at,
+            updatedAt: row.updated_at,
+        };
+    }
+}
+//# sourceMappingURL=agent.js.map

package/dist/agent/agent.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"agent.js","sourceRoot":"","sources":["../../src/agent/agent.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AA4BtC,oEAAoE;AAEpE;;;;;;;;;GASG;AACH,MAAM,OAAO,aAAa;IAId;IAHF,UAAU,CAAS;IAE3B,YACU,EAAqB,EAC7B,UAAkB;QADV,OAAE,GAAF,EAAE,CAAmB;QAG7B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;;;;;OAMG;IACH,GAAG,CAAC,MAA4C;QAC9C,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEjC,oEAAoE;QACpE,MAAM,IAAI,GAAG,MAAM;aAChB,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC;aACrC,MAAM,CAAC,IAAI,CAAC;aACZ,MAAM,CAAC,KAAK,CAAC;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC;QAEtC,mFAAmF;QACnF,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAEvC,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;gCACwB,CACzB;aACA,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC;QAE1E,OAAO;YACL,EAAE;YACF,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,WAAW;YACX,KAAK;YACL,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI;QACF,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,+CAA+C,CAAC;aACxD,GAAG,EAAgB,CAAC;QAEvB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAY;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC,GAAG,CAAC,IAAI,CAE9D,CAAC;QACd,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED;;;;OAIG;IACH,aAAa,CAAC,KAAa;QACzB,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,2CAA2C,CAAC,CAAC,GAAG,CAAC,SAAS,CAEzE,CAAC;QAEd,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAY;QACjB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QAEzB,wDAAwD;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9E,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;;;;;;;OAQG;IACH,eAAe,CAAC,IAAY;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,sDAAsD;QACtD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM;aAChB,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC;aACrC,MAAM,CAAC,IAAI,CAAC;aACZ,MAAM,CAAC,KAAK,CAAC;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC;QAEtC,8BAA8B;QAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAEvC,iFAAiF;QACjF,IAAI,CAAC,EAAE;aACJ,OAAO,CACN,+FAA+F,CAChG;aACA,GAAG,CAAC,SAAS,EAAE,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;QAEzC,OAAO;YACL,GAAG,KAAK;YACR,WAAW;YACX,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED,mEAAmE;IAEnE;;OAEG;IACH,KAAK,CAAC,MAAmD;QACvD,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE;aACrB,OAAO,CAAC,0EAA0E,CAAC;aACnF,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;QAEtC,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,+BAA+B;QACzC,CAAC;QAED,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,uEAAuE,CAAC;aAChF,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,MAAmD;QACxD,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE;aACnB,OAAO,CAAC,wEAAwE,CAAC;aACjF,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;QAEtC,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,OAAe,EAAE,YAAoB;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,0EAA0E,CAAC;aACnF,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAE9B,OAAO,GAAG,KAAK,SAAS,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,SAAiB;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACxC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,SAAS,GAAG,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,gEAAgE,CAAC;aACzE,GAAG,CAAC,KAAK,CAAC,EAAE,CAAqC,CAAC;QAErD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;IAC1C,CAAC;IAED,mEAAmE;IAEnE;;;OAGG;IACH,YAAY,CAAC,MAAuD;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,6EAA6E,CAAC;aACtF,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;QAEnC,OAAO;YACL,GAAG,KAAK;YACR,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;YACxC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED,mEAAmE;IAE3D,UAAU,CAAC,GAAa;QAC9B,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,WAAW,EAAE,GAAG,CAAC,YAAY;YAC7B,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;YACtC,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,SAAS,EAAE,GAAG,CAAC,UAAU;SAC1B,CAAC;IACJ,CAAC;CACF"}

package/dist/agent/index.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export type { Agent, AgentWithToken } from './agent.js';
+export { AgentRegistry } from './agent.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/agent/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/agent/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/agent/index.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { AgentRegistry } from './agent.js';
2	+ //# sourceMappingURL=index.js.map

package/dist/agent/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/agent/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/cli/auth.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * RBAC enforcement helper for CLI commands.
+ *
+ * Authenticates the current user via AEGIS_USER_TOKEN and checks
+ * whether they have the required permission.
+ */
+import type { getDb } from '../db.js';
+import type { Permission } from '../user/index.js';
+/**
+ * Authenticate the current user via AEGIS_USER_TOKEN and check permission.
+ *
+ * Always enforced once users exist. If no users have been created yet
+ * (bootstrap mode), all commands are allowed — `aegis init` creates the
+ * first admin user.
+ *
+ * Returns true if allowed. Calls process.exit(1) if denied.
+ */
+export declare function requireUserAuth(db: ReturnType<typeof getDb>, derivedKey: Buffer, permission: Permission): boolean;
+//# sourceMappingURL=auth.d.ts.map

package/dist/cli/auth.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/cli/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAGnD;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,EAAE,EAAE,UAAU,CAAC,OAAO,KAAK,CAAC,EAC5B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,UAAU,GACrB,OAAO,CA+BT"}

package/dist/cli/auth.js ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * RBAC enforcement helper for CLI commands.
+ *
+ * Authenticates the current user via AEGIS_USER_TOKEN and checks
+ * whether they have the required permission.
+ */
+import { hasPermission, UserRegistry } from '../user/index.js';
+/**
+ * Authenticate the current user via AEGIS_USER_TOKEN and check permission.
+ *
+ * Always enforced once users exist. If no users have been created yet
+ * (bootstrap mode), all commands are allowed — `aegis init` creates the
+ * first admin user.
+ *
+ * Returns true if allowed. Calls process.exit(1) if denied.
+ */
+export function requireUserAuth(db, derivedKey, permission) {
+    const registry = new UserRegistry(db, derivedKey);
+    // Bootstrap mode: no users exist yet — allow everything so init can create the first admin
+    if (registry.count() === 0)
+        return true;
+    const token = process.env.AEGIS_USER_TOKEN;
+    if (!token) {
+        console.error('\n✗ Authentication required. Set AEGIS_USER_TOKEN=<your-api-key>\n');
+        console.error('  Get an API key from your admin, or regenerate with:');
+        console.error('  aegis user regenerate-token --name <name>\n');
+        process.exit(1);
+    }
+    const user = registry.validateToken(token);
+    if (!user) {
+        console.error('\n✗ Invalid API key. Token not recognized.\n');
+        console.error('  Regenerate with: aegis user regenerate-token --name <name>\n');
+        process.exit(1);
+    }
+    if (!hasPermission(user.role, permission)) {
+        console.error(`\n✗ Permission denied. Role "${user.role}" does not have "${permission}".\n`);
+        console.error(`  Required permission: ${permission}`);
+        console.error(`  Your role: ${user.role}`);
+        console.error(`  Contact an admin to upgrade your role.\n`);
+        process.exit(1);
+    }
+    return true;
+}
+//# sourceMappingURL=auth.js.map

package/dist/cli/auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/cli/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAE/D;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAC7B,EAA4B,EAC5B,UAAkB,EAClB,UAAsB;IAEtB,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;IAElD,2FAA2F;IAC3F,IAAI,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACpF,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QACvE,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IAE3C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAC9D,OAAO,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;QAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;QAC1C,OAAO,CAAC,KAAK,CAAC,gCAAgC,IAAI,CAAC,IAAI,oBAAoB,UAAU,MAAM,CAAC,CAAC;QAC7F,OAAO,CAAC,KAAK,CAAC,0BAA0B,UAAU,EAAE,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAC,gBAAgB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/cli/commands/agent.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Agent commands: add, list, remove, regenerate, grant, revoke, set-rate-limit.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=agent.d.ts.map

package/dist/cli/commands/agent.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"agent.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/agent.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAqP/C"}