@getaegis/cli 0.8.0 → 0.9.0

package/dist/webhook/webhook.js

@@ -0,0 +1,269 @@
+/**
+ * Aegis Webhook Alerts — fire-and-forget HTTP notifications for security events.
+ *
+ * Webhook endpoints are stored in SQLite and can subscribe to specific event types.
+ * When an event fires, all matching webhooks receive a JSON POST with event details.
+ *
+ * Delivery is best-effort: retries up to 3 times with exponential backoff.
+ * Failed deliveries are logged but never block the request pipeline.
+ */
+import * as crypto from 'node:crypto';
+import * as http from 'node:http';
+import * as https from 'node:https';
+import { createLogger } from '../logger/index.js';
+export const WEBHOOK_EVENT_TYPES = [
+    'blocked_request',
+    'credential_expiry',
+    'rate_limit_exceeded',
+    'agent_auth_failure',
+    'body_inspection',
+];
+// ─── WebhookManager ──────────────────────────────────────────────
+export class WebhookManager {
+    db;
+    logger;
+    maxRetries;
+    baseDelayMs;
+    timeoutMs;
+    testTransport;
+    constructor(options) {
+        this.db = options.db;
+        this.logger = createLogger({
+            module: 'webhook',
+            level: options.logLevel ?? 'info',
+        });
+        this.maxRetries = options.maxRetries ?? 3;
+        this.baseDelayMs = options.baseDelayMs ?? 1000;
+        this.timeoutMs = options.timeoutMs ?? 10_000;
+        this.testTransport = options._testTransport;
+    }
+    // ─── CRUD ────────────────────────────────────────────────────
+    /**
+     * Register a new webhook endpoint.
+     */
+    add(params) {
+        // Validate URL
+        const parsed = new URL(params.url);
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            throw new Error(`Invalid webhook URL protocol: ${parsed.protocol} (must be http or https)`);
+        }
+        // Validate events
+        for (const event of params.events) {
+            if (!WEBHOOK_EVENT_TYPES.includes(event)) {
+                throw new Error(`Invalid event type: ${event}. Valid types: ${WEBHOOK_EVENT_TYPES.join(', ')}`);
+            }
+        }
+        if (params.events.length === 0) {
+            throw new Error('At least one event type is required');
+        }
+        const id = crypto.randomUUID();
+        const secret = crypto.randomBytes(32).toString('hex');
+        this.db
+            .prepare(`INSERT INTO webhooks (id, url, events, label, secret)
+         VALUES (?, ?, ?, ?, ?)`)
+            .run(id, params.url, JSON.stringify(params.events), params.label ?? null, secret);
+        this.logger.info({ id, url: params.url, events: params.events }, 'Webhook registered');
+        return {
+            id,
+            url: params.url,
+            events: params.events,
+            label: params.label,
+            secret,
+            createdAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * List all registered webhooks.
+     */
+    list() {
+        const rows = this.db
+            .prepare('SELECT * FROM webhooks ORDER BY created_at DESC')
+            .all();
+        return rows.map((row) => this.rowToWebhook(row));
+    }
+    /**
+     * Get a webhook by ID.
+     */
+    getById(id) {
+        const row = this.db.prepare('SELECT * FROM webhooks WHERE id = ?').get(id);
+        return row ? this.rowToWebhook(row) : null;
+    }
+    /**
+     * Remove a webhook by ID.
+     */
+    remove(id) {
+        const result = this.db.prepare('DELETE FROM webhooks WHERE id = ?').run(id);
+        if (result.changes > 0) {
+            this.logger.info({ id }, 'Webhook removed');
+            return true;
+        }
+        return false;
+    }
+    // ─── Event Emission ──────────────────────────────────────────
+    /**
+     * Emit an event to all matching webhooks.
+     * This is fire-and-forget — it never blocks the caller.
+     */
+    emit(event, details) {
+        const payload = {
+            id: crypto.randomUUID(),
+            event,
+            timestamp: new Date().toISOString(),
+            details,
+        };
+        // Find all webhooks subscribed to this event
+        const webhooks = this.list().filter((w) => w.events.includes(event));
+        if (webhooks.length === 0)
+            return;
+        this.logger.debug({ event, webhookCount: webhooks.length, payloadId: payload.id }, 'Emitting webhook event');
+        // Fire-and-forget — don't await, don't block
+        for (const webhook of webhooks) {
+            this.deliver(webhook, payload).catch((err) => {
+                this.logger.error({ webhookId: webhook.id, url: webhook.url, err: String(err) }, 'Webhook delivery failed after all retries');
+            });
+        }
+    }
+    // ─── Delivery ────────────────────────────────────────────────
+    /**
+     * Deliver a payload to a webhook endpoint with retries.
+     */
+    async deliver(webhook, payload) {
+        const body = JSON.stringify(payload);
+        const signature = this.sign(body, webhook.secret);
+        const headers = {
+            'Content-Type': 'application/json',
+            'X-Aegis-Signature': signature,
+            'X-Aegis-Event': payload.event,
+            'X-Aegis-Delivery': payload.id,
+            'User-Agent': 'Aegis-Webhook/1.0',
+        };
+        for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
+            try {
+                const statusCode = await this.send(webhook.url, body, headers);
+                if (statusCode >= 200 && statusCode < 300) {
+                    this.logger.debug({ webhookId: webhook.id, status: statusCode, attempt }, 'Webhook delivered');
+                    return;
+                }
+                // Non-2xx but not a network error — log and retry
+                this.logger.warn({ webhookId: webhook.id, status: statusCode, attempt }, 'Webhook delivery non-2xx response');
+            }
+            catch (err) {
+                this.logger.warn({ webhookId: webhook.id, attempt, err: String(err) }, 'Webhook delivery failed');
+            }
+            // Exponential backoff before retry (skip delay on last attempt)
+            if (attempt < this.maxRetries) {
+                const delay = this.baseDelayMs * 2 ** attempt;
+                await this.sleep(delay);
+            }
+        }
+        // All retries exhausted
+        throw new Error(`Webhook delivery failed after ${this.maxRetries + 1} attempts to ${webhook.url}`);
+    }
+    /**
+     * Send an HTTP/HTTPS POST request.
+     */
+    send(url, body, headers) {
+        // Use test transport if provided
+        if (this.testTransport) {
+            return this.testTransport(url, body, headers);
+        }
+        return new Promise((resolve, reject) => {
+            const parsed = new URL(url);
+            const transport = parsed.protocol === 'https:' ? https : http;
+            const req = transport.request({
+                hostname: parsed.hostname,
+                port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+                path: parsed.pathname + parsed.search,
+                method: 'POST',
+                headers: {
+                    ...headers,
+                    'Content-Length': Buffer.byteLength(body),
+                },
+                timeout: this.timeoutMs,
+            }, (res) => {
+                // Consume response body to free socket
+                res.resume();
+                resolve(res.statusCode ?? 0);
+            });
+            req.on('error', reject);
+            req.on('timeout', () => {
+                req.destroy(new Error('Webhook request timeout'));
+            });
+            req.write(body);
+            req.end();
+        });
+    }
+    /**
+     * HMAC-SHA256 signature for payload verification.
+     * Recipients can verify the webhook came from Aegis using:
+     *   sha256=HMAC(body, secret)
+     */
+    sign(body, secret) {
+        const hmac = crypto.createHmac('sha256', secret);
+        hmac.update(body);
+        return `sha256=${hmac.digest('hex')}`;
+    }
+    /**
+     * Sleep for a given number of milliseconds.
+     */
+    sleep(ms) {
+        return new Promise((resolve) => setTimeout(resolve, ms));
+    }
+    rowToWebhook(row) {
+        return {
+            id: row.id,
+            url: row.url,
+            events: JSON.parse(row.events),
+            label: row.label ?? undefined,
+            secret: row.secret,
+            createdAt: row.created_at,
+        };
+    }
+    // ─── Credential Expiry Checking ────────────────────────────────
+    /**
+     * Check all credentials in the vault for approaching expiry.
+     * Emits `credential_expiry` webhook events for credentials expiring within `thresholdDays`.
+     * Returns the number of credentials that triggered alerts.
+     */
+    checkExpiringCredentials(vault, thresholdDays = 7) {
+        const credentials = vault.list();
+        const now = new Date();
+        const thresholdMs = thresholdDays * 24 * 60 * 60 * 1000;
+        let alertCount = 0;
+        for (const cred of credentials) {
+            if (!cred.expiresAt)
+                continue;
+            const expiresAt = new Date(cred.expiresAt);
+            const timeRemaining = expiresAt.getTime() - now.getTime();
+            // Already expired
+            if (timeRemaining <= 0) {
+                this.emit('credential_expiry', {
+                    credential: cred.name,
+                    service: cred.service,
+                    expiredAt: cred.expiresAt,
+                    status: 'expired',
+                    daysRemaining: 0,
+                });
+                alertCount++;
+                continue;
+            }
+            // Expiring soon (within threshold)
+            if (timeRemaining <= thresholdMs) {
+                const daysRemaining = Math.ceil(timeRemaining / (24 * 60 * 60 * 1000));
+                this.emit('credential_expiry', {
+                    credential: cred.name,
+                    service: cred.service,
+                    expiresAt: cred.expiresAt,
+                    status: 'expiring_soon',
+                    daysRemaining,
+                });
+                alertCount++;
+            }
+        }
+        if (alertCount > 0) {
+            this.logger.info({ alertCount, thresholdDays }, 'Credential expiry check completed with alerts');
+        }
+        return alertCount;
+    }
+}
+//# sourceMappingURL=webhook.js.map

package/dist/webhook/webhook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/webhook/webhook.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AAGpC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAelD,MAAM,CAAC,MAAM,mBAAmB,GAAgC;IAC9D,iBAAiB;IACjB,mBAAmB;IACnB,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;CACT,CAAC;AAwDX,oEAAoE;AAEpE,MAAM,OAAO,cAAc;IACjB,EAAE,CAAoB;IACtB,MAAM,CAAc;IACpB,UAAU,CAAS;IACnB,WAAW,CAAS;IACpB,SAAS,CAAS;IAClB,aAAa,CAIA;IAErB,YAAY,OAA8B;QACxC,IAAI,CAAC,EAAE,GAAG,OAAO,CAAC,EAAE,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC;YACzB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,OAAO,CAAC,QAAQ,IAAI,MAAM;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;QAC/C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;QAC7C,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IAC9C,CAAC;IAED,gEAAgE;IAEhE;;OAEG;IACH,GAAG,CAAC,MAAmE;QACrE,eAAe;QACf,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,CAAC,QAAQ,0BAA0B,CAAC,CAAC;QAC9F,CAAC;QAED,kBAAkB;QAClB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClC,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CACb,uBAAuB,KAAK,kBAAkB,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC/E,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEtD,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;gCACwB,CACzB;aACA,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,IAAI,IAAI,EAAE,MAAM,CAAC,CAAC;QAEpF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC;QAEvF,OAAO;YACL,EAAE;YACF,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,MAAM;YACN,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI;QACF,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,iDAAiD,CAAC;aAC1D,GAAG,EAAkB,CAAC;QAEzB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,EAAU;QAChB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC,GAAG,CAAC,EAAE,CAE5D,CAAC;QAEd,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,EAAU;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5E,IAAI,MAAM,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,iBAAiB,CAAC,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gEAAgE;IAEhE;;;OAGG;IACH,IAAI,CAAC,KAAuB,EAAE,OAAgC;QAC5D,MAAM,OAAO,GAAmB;YAC9B,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;YACvB,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;SACR,CAAC;QAEF,6CAA6C;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;QACrE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAElC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,KAAK,EAAE,YAAY,EAAE,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,EAC/D,wBAAwB,CACzB,CAAC;QAEF,6CAA6C;QAC7C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;gBACpD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,EAC7D,2CAA2C,CAC5C,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gEAAgE;IAEhE;;OAEG;IACK,KAAK,CAAC,OAAO,CAAC,OAAgB,EAAE,OAAuB;QAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAElD,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,mBAAmB,EAAE,SAAS;YAC9B,eAAe,EAAE,OAAO,CAAC,KAAK;YAC9B,kBAAkB,EAAE,OAAO,CAAC,EAAE;YAC9B,YAAY,EAAE,mBAAmB;SAClC,CAAC;QAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;YAC5D,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;gBAE/D,IAAI,UAAU,IAAI,GAAG,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;oBAC1C,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACtD,mBAAmB,CACpB,CAAC;oBACF,OAAO;gBACT,CAAC;gBAED,kDAAkD;gBAClD,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,EACtD,mCAAmC,CACpC,CAAC;YACJ,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,EACpD,yBAAyB,CAC1B,CAAC;YACJ,CAAC;YAED,gEAAgE;YAChE,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,GAAG,CAAC,IAAI,OAAO,CAAC;gBAC9C,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAI,KAAK,CACb,iCAAiC,IAAI,CAAC,UAAU,GAAG,CAAC,gBAAgB,OAAO,CAAC,GAAG,EAAE,CAClF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,GAAW,EAAE,IAAY,EAAE,OAA+B;QACrE,iCAAiC;QACjC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YAE9D,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAC3B;gBACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9D,IAAI,EAAE,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM;gBACrC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,GAAG,OAAO;oBACV,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;iBAC1C;gBACD,OAAO,EAAE,IAAI,CAAC,SAAS;aACxB,EACD,CAAC,GAAG,EAAE,EAAE;gBACN,uCAAuC;gBACvC,GAAG,CAAC,MAAM,EAAE,CAAC;gBACb,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC;YAC/B,CAAC,CACF,CAAC;YAEF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACxB,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACrB,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACpD,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChB,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACK,IAAI,CAAC,IAAY,EAAE,MAAc;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClB,OAAO,UAAU,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;IACxC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,EAAU;QACtB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IAEO,YAAY,CAAC,GAAe;QAClC,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAuB;YACpD,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,SAAS;YAC7B,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,SAAS,EAAE,GAAG,CAAC,UAAU;SAC1B,CAAC;IACJ,CAAC;IAED,kEAAkE;IAElE;;;;OAIG;IACH,wBAAwB,CAAC,KAAY,EAAE,aAAa,GAAG,CAAC;QACtD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,aAAa,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACxD,IAAI,UAAU,GAAG,CAAC,CAAC;QAEnB,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,SAAS;gBAAE,SAAS;YAE9B,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,aAAa,GAAG,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;YAE1D,kBAAkB;YAClB,IAAI,aAAa,IAAI,CAAC,EAAE,CAAC;gBACvB,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE;oBAC7B,UAAU,EAAE,IAAI,CAAC,IAAI;oBACrB,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,MAAM,EAAE,SAAS;oBACjB,aAAa,EAAE,CAAC;iBACjB,CAAC,CAAC;gBACH,UAAU,EAAE,CAAC;gBACb,SAAS;YACX,CAAC;YAED,mCAAmC;YACnC,IAAI,aAAa,IAAI,WAAW,EAAE,CAAC;gBACjC,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;gBACvE,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE;oBAC7B,UAAU,EAAE,IAAI,CAAC,IAAI;oBACrB,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,MAAM,EAAE,eAAe;oBACvB,aAAa;iBACd,CAAC,CAAC;gBACH,UAAU,EAAE,CAAC;YACf,CAAC;QACH,CAAC;QAED,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,UAAU,EAAE,aAAa,EAAE,EAC7B,+CAA+C,CAChD,CAAC;QACJ,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF"}

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@getaegis/cli",
-  "version": "0.8.0",
+  "version": "0.9.0",
+  "mcpName": "io.github.getaegis/aegis",
   "description": "Credential isolation for AI agents. Store, guard, and record — your agent never sees your API keys.",
   "type": "module",
   "main": "dist/index.js",
@@ -32,8 +33,11 @@
     "format": "biome format --write src/ tests/",
     "typecheck": "tsc --noEmit",
     "verify": "biome check src/ tests/ && tsc --noEmit",
+    "bench": "tsx benchmarks/run.ts",
+    "bench:memory": "tsx --expose-gc benchmarks/memory-check.ts",
     "prepublishOnly": "yarn build && yarn test",
-    "prepare": "husky"
+    "prepare": "husky",
+    "release": "release-it"
   },
   "lint-staged": {
     "*.{ts,tsx,js,jsx}": [
@@ -53,7 +57,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",
     "@types/ws": "^8.18.1",
-    "better-sqlite3": "^11.8.0",
+    "better-sqlite3-multiple-ciphers": "^12.6.2",
     "chalk": "^5.4.1",
     "commander": "^13.1.0",
     "pino": "^10.3.1",
@@ -65,12 +69,14 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.4",
-    "@types/better-sqlite3": "^7.6.12",
+    "@release-it/conventional-changelog": "^10.0.5",
+    "@types/autocannon": "^7.12.7",
     "@types/node": "^22.13.0",
-    "@types/pino": "^7.0.5",
+    "autocannon": "^8.0.0",
     "husky": "^9.1.7",
     "lint-staged": "^16.2.7",
     "pino-pretty": "^13.1.3",
+    "release-it": "^19.2.4",
     "tsx": "^4.19.0",
     "typescript": "^5.7.0",
     "vitest": "^3.0.0"
@@ -79,4 +85,4 @@
     "node": ">=20.0.0"
   },
   "packageManager": "yarn@4.12.0+sha512.f45ab632439a67f8bc759bf32ead036a1f413287b9042726b7cc4818b7b49e14e9423ba49b18f9e06ea4941c1ad062385b1d8760a8d5091a1a31e5f6219afca8"
-}
+}