@getaegis/cli 0.8.0 → 0.9.0

package/dist/cli/commands/db.js

@@ -0,0 +1,139 @@
+/**
+ * Database commands: backup, restore.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import Database from 'better-sqlite3-multiple-ciphers';
+import { getConfig } from '../../config.js';
+import { deriveDbKey, getDb, getVaultSalt, migrate } from '../../db.js';
+import { deriveKey } from '../../vault/index.js';
+import { VaultManager } from '../../vault/vault-manager.js';
+import { requireUserAuth } from '../auth.js';
+export function register(program) {
+    const dbCmd = program.command('db').description('Database backup and restore');
+    dbCmd
+        .command('backup')
+        .description('Create a backup of the current vault database')
+        .option('-o, --output <path>', 'Output file path', './aegis-backup.db')
+        .action(async (opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:manage');
+        const outputPath = path.resolve(opts.output);
+        const outputDir = path.dirname(outputPath);
+        if (!fs.existsSync(outputDir)) {
+            fs.mkdirSync(outputDir, { recursive: true });
+        }
+        if (fs.existsSync(outputPath)) {
+            console.error(`\n✗ Backup file already exists: ${outputPath}`);
+            console.error(`  Remove it first or choose a different path.\n`);
+            db.close();
+            process.exit(1);
+        }
+        try {
+            console.log(`\n  Backing up database to: ${outputPath}`);
+            await db.backup(outputPath);
+            db.close();
+            // Verify the backup is valid
+            const backupDb = new Database(outputPath, { readonly: true });
+            if (config.masterKey) {
+                const salt = getVaultSalt(config);
+                const dbKey = deriveDbKey(config.masterKey, salt);
+                backupDb.pragma(`key="x'${dbKey.toString('hex')}'"`);
+            }
+            const tables = backupDb
+                .prepare("SELECT count(*) as cnt FROM sqlite_master WHERE type='table'")
+                .get();
+            backupDb.close();
+            const stats = fs.statSync(outputPath);
+            const sizeKb = (stats.size / 1024).toFixed(1);
+            console.log(`  ✓ Backup complete (${sizeKb} KB, ${tables.cnt} tables)\n`);
+        }
+        catch (err) {
+            db.close();
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ Backup failed: ${message}\n`);
+            process.exit(1);
+        }
+    });
+    dbCmd
+        .command('restore')
+        .description('Restore a vault database from a backup file')
+        .requiredOption('-i, --input <path>', 'Backup file to restore from')
+        .option('--force', 'Overwrite the current database without confirmation')
+        .action((opts) => {
+        const config = getConfig();
+        const inputPath = path.resolve(opts.input);
+        if (!fs.existsSync(inputPath)) {
+            console.error(`\n✗ Backup file not found: ${inputPath}\n`);
+            process.exit(1);
+        }
+        // Verify the backup is a valid (possibly encrypted) SQLite database
+        try {
+            const backupDb = new Database(inputPath, { readonly: true });
+            if (config.masterKey) {
+                const salt = getVaultSalt(config);
+                const dbKey = deriveDbKey(config.masterKey, salt);
+                backupDb.pragma(`key="x'${dbKey.toString('hex')}'"`);
+            }
+            const tables = backupDb
+                .prepare("SELECT count(*) as cnt FROM sqlite_master WHERE type='table'")
+                .get();
+            if (tables.cnt === 0) {
+                backupDb.close();
+                console.error('\n✗ Backup file contains no tables — this does not look like an Aegis database.\n');
+                process.exit(1);
+            }
+            backupDb.close();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ Backup file is not a valid Aegis database: ${message}\n`);
+            process.exit(1);
+        }
+        // Resolve the current database path
+        const manager = new VaultManager(config.dataDir);
+        const info = manager.getVaultInfo(config.vaultName);
+        const dbPath = info
+            ? path.join(config.dataDir, info.dbPath)
+            : path.join(config.dataDir, 'aegis.db');
+        if (fs.existsSync(dbPath) && !opts.force) {
+            console.error(`\n✗ Database already exists at: ${dbPath}`);
+            console.error(`  Use --force to overwrite, or back up first with: aegis db backup\n`);
+            process.exit(1);
+        }
+        try {
+            // Ensure directory exists
+            const dir = path.dirname(dbPath);
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true });
+            }
+            // Remove WAL and SHM files from the target (stale journal files cause issues)
+            for (const suffix of ['-wal', '-shm']) {
+                const walPath = `${dbPath}${suffix}`;
+                if (fs.existsSync(walPath)) {
+                    fs.unlinkSync(walPath);
+                }
+            }
+            // Copy the backup file to the database path
+            fs.copyFileSync(inputPath, dbPath);
+            // Verify the restored database works
+            const db = getDb(config);
+            migrate(db);
+            const tables = db
+                .prepare("SELECT count(*) as cnt FROM sqlite_master WHERE type='table'")
+                .get();
+            db.close();
+            console.log(`\n  ✓ Database restored from: ${inputPath}`);
+            console.log(`  ✓ ${tables.cnt} tables verified\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ Restore failed: ${message}\n`);
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=db.js.map

package/dist/cli/commands/db.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.js","sourceRoot":"","sources":["../../../src/cli/commands/db.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,QAAQ,MAAM,iCAAiC,CAAC;AAEvD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,6BAA6B,CAAC,CAAC;IAE/E,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,+CAA+C,CAAC;SAC5D,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,EAAE,mBAAmB,CAAC;SACtE,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,EAAE;QACzC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QAEzC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC3C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/C,CAAC;QAED,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,KAAK,CAAC,mCAAmC,UAAU,EAAE,CAAC,CAAC;YAC/D,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACjE,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,+BAA+B,UAAU,EAAE,CAAC,CAAC;YACzD,MAAM,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC5B,EAAE,CAAC,KAAK,EAAE,CAAC;YAEX,6BAA6B;YAC7B,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,UAAU,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YAC9D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;gBAClC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;gBAClD,QAAQ,CAAC,MAAM,CAAC,UAAU,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACvD,CAAC;YACD,MAAM,MAAM,GAAG,QAAQ;iBACpB,OAAO,CAAC,8DAA8D,CAAC;iBACvE,GAAG,EAAqB,CAAC;YAC5B,QAAQ,CAAC,KAAK,EAAE,CAAC;YAEjB,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACtC,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAE9C,OAAO,CAAC,GAAG,CAAC,wBAAwB,MAAM,QAAQ,MAAM,CAAC,GAAG,YAAY,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,IAAI,CAAC,CAAC;YACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,SAAS,CAAC;SAClB,WAAW,CAAC,6CAA6C,CAAC;SAC1D,cAAc,CAAC,oBAAoB,EAAE,6BAA6B,CAAC;SACnE,MAAM,CAAC,SAAS,EAAE,qDAAqD,CAAC;SACxE,MAAM,CAAC,CAAC,IAAwC,EAAE,EAAE;QACnD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE3C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,KAAK,CAAC,8BAA8B,SAAS,IAAI,CAAC,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,oEAAoE;QACpE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;gBAClC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;gBAClD,QAAQ,CAAC,MAAM,CAAC,UAAU,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACvD,CAAC;YACD,MAAM,MAAM,GAAG,QAAQ;iBACpB,OAAO,CAAC,8DAA8D,CAAC;iBACvE,GAAG,EAAqB,CAAC;YAC5B,IAAI,MAAM,CAAC,GAAG,KAAK,CAAC,EAAE,CAAC;gBACrB,QAAQ,CAAC,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,KAAK,CACX,mFAAmF,CACpF,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,kDAAkD,OAAO,IAAI,CAAC,CAAC;YAC7E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,oCAAoC;QACpC,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,IAAI;YACjB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC;YACxC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAE1C,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACzC,OAAO,CAAC,KAAK,CAAC,mCAAmC,MAAM,EAAE,CAAC,CAAC;YAC3D,OAAO,CAAC,KAAK,CAAC,sEAAsE,CAAC,CAAC;YACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC;YACH,0BAA0B;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACjC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACzC,CAAC;YAED,8EAA8E;YAC9E,KAAK,MAAM,MAAM,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;gBACtC,MAAM,OAAO,GAAG,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC;gBACrC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3B,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;YAED,4CAA4C;YAC5C,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YAEnC,qCAAqC;YACrC,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;YACzB,OAAO,CAAC,EAAE,CAAC,CAAC;YACZ,MAAM,MAAM,GAAG,EAAE;iBACd,OAAO,CAAC,8DAA8D,CAAC;iBACvE,GAAG,EAAqB,CAAC;YAC5B,EAAE,CAAC,KAAK,EAAE,CAAC;YAEX,OAAO,CAAC,GAAG,CAAC,iCAAiC,SAAS,EAAE,CAAC,CAAC;YAC1D,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,GAAG,oBAAoB,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,uBAAuB,OAAO,IAAI,CAAC,CAAC;YAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/doctor.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Doctor command: run health checks on the Aegis installation.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=doctor.d.ts.map

package/dist/cli/commands/doctor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/doctor.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAOzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAiC/C"}

package/dist/cli/commands/doctor.js

@@ -0,0 +1,39 @@
+/**
+ * Doctor command: run health checks on the Aegis installation.
+ */
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { printDoctorReport, runDoctor } from '../../doctor.js';
+import { deriveKey, VaultManager } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+export function register(program) {
+    program
+        .command('doctor')
+        .description('Run health checks on your Aegis installation')
+        .action(() => {
+        console.log('\n  Aegis Doctor — running health checks...\n');
+        const config = getConfig();
+        const manager = new VaultManager(config.dataDir);
+        const vaultInfo = manager.getVaultInfo(config.vaultName);
+        let db = null;
+        if (vaultInfo) {
+            try {
+                db = getDb(config);
+            }
+            catch {
+                // db stays null — runDoctor handles that case
+            }
+        }
+        if (db) {
+            migrate(db);
+            const key = deriveKey(config.masterKey, getVaultSalt(config));
+            requireUserAuth(db, key, 'doctor:run');
+        }
+        const report = runDoctor({ config, db });
+        printDoctorReport(report);
+        if (report.overall === 'fail') {
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=doctor.js.map

package/dist/cli/commands/doctor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../../src/cli/commands/doctor.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,8CAA8C,CAAC;SAC3D,MAAM,CAAC,GAAG,EAAE;QACX,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEzD,IAAI,EAAE,GAAoC,IAAI,CAAC;QAC/C,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC;gBACH,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC;gBACP,8CAA8C;YAChD,CAAC;QACH,CAAC;QAED,IAAI,EAAE,EAAE,CAAC;YACP,OAAO,CAAC,EAAE,CAAC,CAAC;YACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QACzC,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAE1B,IAAI,MAAM,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/gate.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Gate command: start the Aegis Gate proxy.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=gate.d.ts.map

package/dist/cli/commands/gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/gate.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAazC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAkP/C"}

package/dist/cli/commands/gate.js

@@ -0,0 +1,202 @@
+/**
+ * Gate command: start the Aegis Gate proxy.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { AgentRegistry } from '../../agent/index.js';
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { Gate } from '../../gate/index.js';
+import { Ledger } from '../../ledger/index.js';
+import { AegisMetrics } from '../../metrics/index.js';
+import { deriveKey, Vault } from '../../vault/index.js';
+import { VERSION } from '../../version.js';
+import { WebhookManager } from '../../webhook/index.js';
+import { requireUserAuth } from '../auth.js';
+import { VALID_POLICY_MODES, validateEnum, validatePort } from '../validation.js';
+export function register(program) {
+    program
+        .command('gate')
+        .description('Start the Aegis Gate proxy')
+        .option('-p, --port <port>', 'Port to listen on')
+        .option('--tls', 'Enable TLS (HTTPS) on Gate')
+        .option('--cert <path>', 'Path to TLS certificate file (PEM)')
+        .option('--key <path>', 'Path to TLS private key file (PEM)')
+        .option('--no-agent-auth', 'Disable agent authentication (allows any localhost process to use credentials)')
+        .option('--policies-dir <path>', 'Directory containing YAML policy files')
+        .option('--policy-mode <mode>', 'Policy enforcement mode: enforce, dry-run, or off')
+        .action(async (opts) => {
+        // ── Validate CLI flags ──
+        if (opts.port) {
+            const p = Number.parseInt(opts.port, 10);
+            validatePort(p, 'gate port');
+        }
+        if (opts.policyMode) {
+            validateEnum(opts.policyMode, VALID_POLICY_MODES, 'policy mode');
+        }
+        let config;
+        try {
+            config = getConfig();
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${msg}\n`);
+            process.exit(1);
+        }
+        const port = opts.port ? Number.parseInt(opts.port, 10) : config.port;
+        let db;
+        try {
+            db = getDb(config);
+            migrate(db);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ Cannot open database: ${msg}\n`);
+            process.exit(1);
+        }
+        if (!config.masterKey) {
+            console.error('\n✗ AEGIS_MASTER_KEY is not set.\n  Run `aegis init` to generate a config and master key.\n');
+            process.exit(1);
+        }
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'gate:start');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        const ledger = new Ledger(db);
+        // Resolve TLS: CLI flags → config file
+        const useTls = opts.tls ?? !!config.tls;
+        let tlsConfig;
+        if (useTls) {
+            const certPath = opts.cert ?? config.tls?.cert ?? path.join(process.cwd(), 'certs', 'aegis.crt');
+            const keyPath = opts.key ?? config.tls?.key ?? path.join(process.cwd(), 'certs', 'aegis.key');
+            if (!fs.existsSync(certPath)) {
+                console.error(`\n✗ TLS certificate not found at ${certPath}\n  Generate one with: aegis init --generate-cert\n  Or specify a path: aegis gate --tls --cert /path/to/cert.pem --key /path/to/key.pem\n`);
+                process.exit(1);
+            }
+            if (!fs.existsSync(keyPath)) {
+                console.error(`\n✗ TLS private key not found at ${keyPath}\n  Generate one with: aegis init --generate-cert\n  Or specify a path: aegis gate --tls --cert /path/to/cert.pem --key /path/to/key.pem\n`);
+                process.exit(1);
+            }
+            tlsConfig = { certPath, keyPath };
+        }
+        const registry = new AgentRegistry(db, key);
+        // Resolve policy: CLI flags → config file
+        const effectiveRequireAgentAuth = opts.agentAuth !== undefined ? opts.agentAuth : config.requireAgentAuth;
+        const effectivePolicyMode = opts.policyMode ??
+            (config.policyMode === 'off' ? undefined : config.policyMode);
+        const policyDir = opts.policiesDir
+            ? path.resolve(opts.policiesDir)
+            : config.policiesDir
+                ? path.resolve(config.policiesDir)
+                : undefined;
+        if (policyDir && !fs.existsSync(policyDir)) {
+            console.error(`\n✗ Policy directory not found at ${policyDir}\n  Create it and add YAML policy files, or omit --policies-dir\n`);
+            process.exit(1);
+        }
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        // Metrics: create instance if enabled in config
+        const metrics = config.metricsEnabled
+            ? new AegisMetrics({ vault: vaultInstance })
+            : undefined;
+        const gate = new Gate({
+            port,
+            vault: vaultInstance,
+            ledger,
+            logLevel: config.logLevel,
+            tls: tlsConfig,
+            agentRegistry: registry,
+            requireAgentAuth: effectiveRequireAgentAuth,
+            policyDir,
+            policyMode: effectivePolicyMode,
+            webhooks: webhookManager,
+            metrics,
+            maxBodySize: config.maxBodySize,
+            requestTimeout: config.requestTimeout,
+            maxConnectionsPerAgent: config.maxConnectionsPerAgent,
+        });
+        const protocol = tlsConfig ? 'https' : 'http';
+        console.log(`\n  ╔══════════════════════════════════╗`);
+        console.log(`  ║         Aegis Gate ${VERSION.padEnd(13)}║`);
+        console.log(`  ╚══════════════════════════════════╝\n`);
+        if (tlsConfig) {
+            console.log('  🔒 TLS enabled\n');
+        }
+        else {
+            console.log('  ⚠  Running without TLS — credentials are transmitted in cleartext on localhost\n');
+            console.log('     To enable TLS: aegis gate --tls (after running aegis init --generate-cert)\n');
+        }
+        if (effectiveRequireAgentAuth) {
+            console.log('  🔑 Agent authentication required (X-Aegis-Agent header)\n');
+        }
+        else {
+            console.log('  ⚠  Agent authentication disabled (--no-agent-auth) — any localhost process can use credentials\n');
+        }
+        if (metrics) {
+            console.log('  📊 Metrics enabled (/_aegis/metrics)\n');
+        }
+        if (policyDir) {
+            const modeLabel = effectivePolicyMode === 'dry-run' ? 'DRY-RUN (log only)' : 'ENFORCE (block violations)';
+            console.log(`  📋 Policies: ${policyDir}`);
+            console.log(`     Mode:     ${modeLabel}\n`);
+        }
+        if (config.configFilePath) {
+            console.log(`  📄 Config:   ${config.configFilePath}\n`);
+        }
+        const creds = vaultInstance.list();
+        if (creds.length === 0) {
+            console.log('  ⚠ No credentials in vault. Add some first: aegis vault add\n');
+        }
+        else {
+            console.log(`  ${creds.length} credential(s) loaded:\n`);
+            for (const c of creds) {
+                console.log(`    ${c.service} → ${c.domains.join(', ')} (${c.authType})`);
+            }
+            console.log();
+        }
+        try {
+            await gate.start();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ Failed to start Gate: ${message}\n`);
+            db.close();
+            process.exit(1);
+        }
+        console.log(`  Agent config: set your agent's base URL to ${protocol}://localhost:${port}`);
+        console.log(`  Example:      curl ${protocol}://localhost:${port}/slack/api/chat.postMessage\n`);
+        console.log(`  Press Ctrl+C to stop.\n`);
+        // Graceful shutdown
+        let shutdownInProgress = false;
+        const shutdown = async () => {
+            if (shutdownInProgress) {
+                console.log('\n  Force shutdown — terminating immediately.');
+                process.exit(1);
+            }
+            shutdownInProgress = true;
+            console.log('\n  Shutting down Aegis Gate...');
+            console.log('  (Press Ctrl+C again to force quit)\n');
+            const result = await gate.stop();
+            if (result.drained) {
+                console.log('  All in-flight requests completed.');
+            }
+            else {
+                console.log(`  Shutdown timed out — ${result.activeAtClose} request(s) were still in-flight.`);
+            }
+            // Log shutdown event to Ledger as a system event
+            ledger.logSystem({
+                service: '_aegis',
+                targetDomain: 'localhost',
+                method: 'SHUTDOWN',
+                path: '/',
+                reason: result.drained
+                    ? 'Graceful shutdown — all requests drained'
+                    : `Forced shutdown — ${result.activeAtClose} request(s) still active`,
+            });
+            db.close();
+            console.log('  Aegis Gate stopped.\n');
+            process.exit(0);
+        };
+        process.on('SIGINT', shutdown);
+        process.on('SIGTERM', shutdown);
+    });
+}
+//# sourceMappingURL=gate.js.map

package/dist/cli/commands/gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../../src/cli/commands/gate.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAElF,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;SAChD,MAAM,CAAC,OAAO,EAAE,4BAA4B,CAAC;SAC7C,MAAM,CAAC,eAAe,EAAE,oCAAoC,CAAC;SAC7D,MAAM,CAAC,cAAc,EAAE,oCAAoC,CAAC;SAC5D,MAAM,CACL,iBAAiB,EACjB,gFAAgF,CACjF;SACA,MAAM,CAAC,uBAAuB,EAAE,wCAAwC,CAAC;SACzE,MAAM,CAAC,sBAAsB,EAAE,mDAAmD,CAAC;SACnF,MAAM,CACL,KAAK,EAAE,IAQN,EAAE,EAAE;QACH,2BAA2B;QAC3B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACzC,YAAY,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,kBAAkB,EAAE,aAAa,CAAC,CAAC;QACnE,CAAC;QAED,IAAI,MAAoC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,GAAG,SAAS,EAAE,CAAC;QACvB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;QAEtE,IAAI,EAA4B,CAAC;QACjC,IAAI,CAAC;YACH,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;YACnB,OAAO,CAAC,EAAE,CAAC,CAAC;QACd,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,KAAK,CAAC,6BAA6B,GAAG,IAAI,CAAC,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CACX,6FAA6F,CAC9F,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QAEvC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5E,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9B,uCAAuC;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;QACxC,IAAI,SAA4D,CAAC;QACjE,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;YAClF,MAAM,OAAO,GACX,IAAI,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;YAEhF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7B,OAAO,CAAC,KAAK,CACX,oCAAoC,QAAQ,4IAA4I,CACzL,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CACX,oCAAoC,OAAO,4IAA4I,CACxL,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,SAAS,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QACpC,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE5C,0CAA0C;QAC1C,MAAM,yBAAyB,GAC7B,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC;QAC1E,MAAM,mBAAmB,GACtB,IAAI,CAAC,UAAgD;YACtD,CAAC,MAAM,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAE,MAAM,CAAC,UAAoC,CAAC,CAAC;QAC3F,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW;YAChC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC;YAChC,CAAC,CAAC,MAAM,CAAC,WAAW;gBAClB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;gBAClC,CAAC,CAAC,SAAS,CAAC;QAEhB,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3C,OAAO,CAAC,KAAK,CACX,qCAAqC,SAAS,mEAAmE,CAClH,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,gDAAgD;QAChD,MAAM,OAAO,GAAG,MAAM,CAAC,cAAc;YACnC,CAAC,CAAC,IAAI,YAAY,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC;YACpB,IAAI;YACJ,KAAK,EAAE,aAAa;YACpB,MAAM;YACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,GAAG,EAAE,SAAS;YACd,aAAa,EAAE,QAAQ;YACvB,gBAAgB,EAAE,yBAAyB;YAC3C,SAAS;YACT,UAAU,EAAE,mBAAmB;YAC/B,QAAQ,EAAE,cAAc;YACxB,OAAO;YACP,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,sBAAsB,EAAE,MAAM,CAAC,sBAAsB;SACtD,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;QAE9C,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,0BAA0B,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QAExD,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CACT,oFAAoF,CACrF,CAAC;YACF,OAAO,CAAC,GAAG,CACT,mFAAmF,CACpF,CAAC;QACJ,CAAC;QAED,IAAI,yBAAyB,EAAE,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CACT,oGAAoG,CACrG,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,SAAS,GACb,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,4BAA4B,CAAC;YAC1F,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,IAAI,CAAC,CAAC;QAC/C,CAAC;QAED,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,cAAc,IAAI,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAChF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,MAAM,0BAA0B,CAAC,CAAC;YACzD,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC;YAC5E,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,6BAA6B,OAAO,IAAI,CAAC,CAAC;YACxD,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gDAAgD,QAAQ,gBAAgB,IAAI,EAAE,CAAC,CAAC;QAC5F,OAAO,CAAC,GAAG,CACT,wBAAwB,QAAQ,gBAAgB,IAAI,+BAA+B,CACpF,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QAEzC,oBAAoB;QACpB,IAAI,kBAAkB,GAAG,KAAK,CAAC;QAC/B,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;YAC1B,IAAI,kBAAkB,EAAE,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;gBAC7D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,kBAAkB,GAAG,IAAI,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;YAC/C,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;YAEtD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAEjC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CACT,0BAA0B,MAAM,CAAC,aAAa,mCAAmC,CAClF,CAAC;YACJ,CAAC;YAED,iDAAiD;YACjD,MAAM,CAAC,SAAS,CAAC;gBACf,OAAO,EAAE,QAAQ;gBACjB,YAAY,EAAE,WAAW;gBACzB,MAAM,EAAE,UAAU;gBAClB,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,MAAM,CAAC,OAAO;oBACpB,CAAC,CAAC,0CAA0C;oBAC5C,CAAC,CAAC,qBAAqB,MAAM,CAAC,aAAa,0BAA0B;aACxE,CAAC,CAAC;YAEH,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC,CACF,CAAC;AACN,CAAC"}

package/dist/cli/commands/init.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Init command: generate master key, config file, and data directory.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=init.d.ts.map

package/dist/cli/commands/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAwL/C"}

package/dist/cli/commands/init.js

@@ -0,0 +1,175 @@
+/**
+ * Init command: generate master key, config file, and data directory.
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { FileFallbackStorage } from '../../key-storage/file-fallback.js';
+import { getKeyStorage } from '../../key-storage/index.js';
+import { VaultManager } from '../../vault/index.js';
+import { generateSelfSignedCert } from '../helpers.js';
+export function register(program) {
+    program
+        .command('init')
+        .description('Initialize Aegis — generate master key, config file, and data directory')
+        .option('--write-secrets', 'Write master key to config file (convenient but less secure)', false)
+        .option('--env-file', 'Store master key in .env file instead of OS keychain (for CI/headless)', false)
+        .option('--generate-cert', 'Generate a self-signed TLS certificate for local dev use', false)
+        .action((opts) => {
+        const configPath = path.join(process.cwd(), 'aegis.config.yaml');
+        if (fs.existsSync(configPath)) {
+            console.log('\n  aegis.config.yaml already exists. To reinitialize, remove it first:\n');
+            console.log('    rm aegis.config.yaml && aegis init\n');
+            process.exit(1);
+        }
+        const masterKey = crypto.randomBytes(32).toString('hex');
+        const dataDir = path.join(process.cwd(), '.aegis');
+        if (!fs.existsSync(dataDir)) {
+            fs.mkdirSync(dataDir, { recursive: true });
+        }
+        // Create the "default" vault through VaultManager (skip if it already exists)
+        const manager = new VaultManager(dataDir);
+        let salt;
+        const existingVaults = manager.list();
+        const existing = existingVaults.find((v) => v.name === 'default');
+        if (existing) {
+            salt = existing.salt;
+        }
+        else {
+            const created = manager.create('default', masterKey);
+            salt = created.salt;
+        }
+        // ── Store master key ────────────────────────────────────────
+        let keyStorageMethod = 'shown';
+        if (opts.writeSecrets) {
+            // Stored in config file (legacy flag)
+            keyStorageMethod = 'config-file';
+        }
+        else if (opts.envFile) {
+            // Stored in .env file (CI/headless mode)
+            const envPath = path.join(process.cwd(), '.env');
+            let envContent = '';
+            if (fs.existsSync(envPath)) {
+                envContent = fs.readFileSync(envPath, 'utf-8');
+                // Remove existing AEGIS_MASTER_KEY line if present
+                envContent = envContent.replace(/^AEGIS_MASTER_KEY=.*\n?/m, '');
+            }
+            envContent += `AEGIS_MASTER_KEY=${masterKey}\n`;
+            fs.writeFileSync(envPath, envContent, { mode: 0o600 });
+            keyStorageMethod = 'env-file';
+        }
+        else {
+            // Default: store in OS keychain
+            const keyStorage = getKeyStorage(dataDir);
+            if (keyStorage.backend !== 'file' && keyStorage.isAvailable()) {
+                try {
+                    keyStorage.setKey(masterKey);
+                    keyStorageMethod = 'keychain';
+                }
+                catch {
+                    // Keychain failed — auto-fallback to file storage
+                    console.log('\n  ⚠  OS keychain storage failed. Falling back to file storage.');
+                    try {
+                        const fileFallback = new FileFallbackStorage(dataDir);
+                        fileFallback.setKey(masterKey);
+                        keyStorageMethod = 'keychain'; // auto-stored in file fallback
+                        console.log(`    Key stored in ${dataDir}/.master-key (mode 0600)`);
+                        console.log('    For better security, re-run with --env-file or fix your OS keychain.\n');
+                    }
+                    catch {
+                        // File fallback also failed — show the key
+                        console.log('    File fallback also failed. Displaying key for manual storage.\n');
+                    }
+                }
+            }
+            else {
+                // No OS keychain available — store in file fallback
+                keyStorage.setKey(masterKey);
+                keyStorageMethod = 'keychain'; // File fallback is still auto-stored
+            }
+        }
+        const masterKeyLine = opts.writeSecrets
+            ? `  master_key: "${masterKey}"   # ⚠ stored in file — use OS keychain or env var for production`
+            : '  # master_key: stored in OS keychain (run "aegis key where" to check)';
+        const configContent = `# Aegis Configuration — generated by aegis init
+# CLI flags override these values. Environment variables (AEGIS_*) override both.
+
+gate:
+  port: 3100
+  # tls:
+  #   cert: ./certs/aegis.crt
+  #   key: ./certs/aegis.key
+  # require_agent_auth: false
+
+vault:
+${masterKeyLine}
+  name: default
+  data_dir: ./.aegis
+
+observability:
+  log_level: info
+  log_format: pretty
+  metrics: true
+  # dashboard:
+  #   enabled: true
+  #   port: 3200
+
+# policies:
+#   dir: ./policies
+#   mode: enforce
+
+# mcp:
+#   transport: stdio
+#   port: 3200
+
+# webhooks: []
+`;
+        if (opts.writeSecrets) {
+            fs.writeFileSync(configPath, configContent, { mode: 0o600 });
+        }
+        else {
+            fs.writeFileSync(configPath, configContent, { mode: 0o644 });
+        }
+        console.log('\n  ╔══════════════════════════════════╗');
+        console.log('  ║       Aegis Initialized ✓        ║');
+        console.log('  ╚══════════════════════════════════╝\n');
+        console.log('  Config file: aegis.config.yaml');
+        console.log('  Default vault created (salt stored in vault registry)');
+        // ── Key storage output ──────────────────────────────────────
+        const keyStorage = getKeyStorage(dataDir);
+        switch (keyStorageMethod) {
+            case 'keychain':
+                console.log(`\n  ✓ Master key stored in ${keyStorage.name}`);
+                console.log('    The key is encrypted by your OS and never touches disk as plaintext.');
+                console.log('    Run "aegis key where" to verify.\n');
+                break;
+            case 'env-file':
+                console.log('\n  Master key saved to .env (mode 0600)');
+                console.log('    ⚠  This file contains your master key in plaintext.');
+                console.log('    Add .env to .gitignore if not already present.\n');
+                break;
+            case 'config-file':
+                console.log('  Master key saved to aegis.config.yaml (mode 0600)\n');
+                break;
+            case 'shown':
+                console.log('\n  ⚠  Store the following secret securely — it will NOT be shown again.\n');
+                console.log(`  AEGIS_MASTER_KEY=${masterKey}\n`);
+                console.log('  Export it in your shell profile or use a secrets manager:');
+                console.log(`    export AEGIS_MASTER_KEY=${masterKey}\n`);
+                console.log('  Or re-run with --write-secrets to save it to the config file (less secure):');
+                console.log('    rm aegis.config.yaml && aegis init --write-secrets');
+                break;
+        }
+        console.log(`  Vault salt: ${salt} (stored in .aegis/vaults.json)`);
+        console.log('  Data directory: ./.aegis\n');
+        console.log('  Next steps:');
+        console.log('    1. Add a credential:  aegis vault add --name slack --service slack --secret xoxb-... --domains api.slack.com');
+        console.log('    2. Start the gate:    aegis gate');
+        console.log('    3. Point your agent:  http://localhost:3100/{service}/api/path\n');
+        // Generate self-signed TLS certificate for local dev
+        if (opts.generateCert) {
+            generateSelfSignedCert(process.cwd());
+        }
+    });
+}
+//# sourceMappingURL=init.js.map

package/dist/cli/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,yEAAyE,CAAC;SACtF,MAAM,CACL,iBAAiB,EACjB,8DAA8D,EAC9D,KAAK,CACN;SACA,MAAM,CACL,YAAY,EACZ,wEAAwE,EACxE,KAAK,CACN;SACA,MAAM,CAAC,iBAAiB,EAAE,0DAA0D,EAAE,KAAK,CAAC;SAC5F,MAAM,CAAC,CAAC,IAAwE,EAAE,EAAE;QACnF,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,mBAAmB,CAAC,CAAC;QACjE,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,2EAA2E,CAAC,CAAC;YACzF,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;YACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEzD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,CAAC;QAED,8EAA8E;QAC9E,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,IAAY,CAAC;QACjB,MAAM,cAAc,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;QAClE,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YACrD,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACtB,CAAC;QAED,+DAA+D;QAC/D,IAAI,gBAAgB,GAAsD,OAAO,CAAC;QAElF,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,sCAAsC;YACtC,gBAAgB,GAAG,aAAa,CAAC;QACnC,CAAC;aAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACxB,yCAAyC;YACzC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;YACjD,IAAI,UAAU,GAAG,EAAE,CAAC;YACpB,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3B,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBAC/C,mDAAmD;gBACnD,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC,CAAC;YAClE,CAAC;YACD,UAAU,IAAI,oBAAoB,SAAS,IAAI,CAAC;YAChD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YACvD,gBAAgB,GAAG,UAAU,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,gCAAgC;YAChC,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;YAC1C,IAAI,UAAU,CAAC,OAAO,KAAK,MAAM,IAAI,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC9D,IAAI,CAAC;oBACH,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;oBAC7B,gBAAgB,GAAG,UAAU,CAAC;gBAChC,CAAC;gBAAC,MAAM,CAAC;oBACP,kDAAkD;oBAClD,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;oBAChF,IAAI,CAAC;wBACH,MAAM,YAAY,GAAG,IAAI,mBAAmB,CAAC,OAAO,CAAC,CAAC;wBACtD,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;wBAC/B,gBAAgB,GAAG,UAAU,CAAC,CAAC,+BAA+B;wBAC9D,OAAO,CAAC,GAAG,CAAC,qBAAqB,OAAO,0BAA0B,CAAC,CAAC;wBACpE,OAAO,CAAC,GAAG,CACT,4EAA4E,CAC7E,CAAC;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,2CAA2C;wBAC3C,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;oBACrF,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,oDAAoD;gBACpD,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC7B,gBAAgB,GAAG,UAAU,CAAC,CAAC,qCAAqC;YACtE,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,CAAC,YAAY;YACrC,CAAC,CAAC,kBAAkB,SAAS,oEAAoE;YACjG,CAAC,CAAC,wEAAwE,CAAC;QAE7E,MAAM,aAAa,GAAG;;;;;;;;;;;EAW1B,aAAa;;;;;;;;;;;;;;;;;;;;;CAqBd,CAAC;QAEI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,aAAa,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,aAAa,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QAExD,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;QAEvE,+DAA+D;QAC/D,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QAE1C,QAAQ,gBAAgB,EAAE,CAAC;YACzB,KAAK,UAAU;gBACb,OAAO,CAAC,GAAG,CAAC,8BAA8B,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7D,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;gBACxF,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;gBACtD,MAAM;YACR,KAAK,UAAU;gBACb,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;gBACxD,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;gBACvE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;gBACpE,MAAM;YACR,KAAK,aAAa;gBAChB,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;gBACrE,MAAM;YACR,KAAK,OAAO;gBACV,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;gBAC1F,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,IAAI,CAAC,CAAC;gBACjD,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;gBAC3E,OAAO,CAAC,GAAG,CAAC,+BAA+B,SAAS,IAAI,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CACT,+EAA+E,CAChF,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;gBACtE,MAAM;QACV,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,iCAAiC,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CACT,kHAAkH,CACnH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QAEpF,qDAAqD;QACrD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,sBAAsB,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/key.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Key management commands: aegis key where
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=key.d.ts.map

package/dist/cli/commands/key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/key.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAgD/C"}