@getaegis/cli 0.8.0 → 0.9.0

package/dist/cli/commands/key.js

@@ -0,0 +1,49 @@
+/**
+ * Key management commands: aegis key where
+ */
+import * as path from 'node:path';
+import { getConfig, parseConfigFile } from '../../config.js';
+import { getKeyStorage } from '../../key-storage/index.js';
+export function register(program) {
+    const key = program.command('key').description('Manage the Aegis master key');
+    key
+        .command('where')
+        .description('Show where the master key is currently stored and resolved from')
+        .action(() => {
+        const config = getConfig();
+        const dataDir = config.dataDir;
+        const storage = getKeyStorage(dataDir);
+        console.log('\n  Master Key Storage\n');
+        console.log(`  Active backend:  ${storage.name} (${storage.backend})`);
+        console.log(`  Available:       ${storage.isAvailable() ? 'yes' : 'no'}`);
+        const hasKey = storage.getKey() !== undefined;
+        console.log(`  Key stored:      ${hasKey ? 'yes' : 'no'}`);
+        // Check all resolution sources
+        console.log('\n  Resolution chain (highest priority first):\n');
+        const envKey = process.env.AEGIS_MASTER_KEY;
+        console.log(`    1. AEGIS_MASTER_KEY env var:  ${envKey ? '✓ set' : '✗ not set'}`);
+        // Check config file
+        const configFile = config.configFilePath;
+        if (configFile) {
+            try {
+                const fileConfig = parseConfigFile(configFile);
+                const inFile = !!fileConfig.vault?.master_key;
+                console.log(`    2. Config file (${path.basename(configFile)}):  ${inFile ? '✓ set' : '✗ not set'}`);
+            }
+            catch {
+                console.log('    2. Config file:               ✗ error reading');
+            }
+        }
+        else {
+            console.log('    2. Config file:               ✗ no config file found');
+        }
+        console.log(`    3. OS keychain (${storage.name}):  ${hasKey ? '✓ stored' : '✗ not stored'}`);
+        if (config.masterKey) {
+            console.log('\n  ✓ Master key is resolved and available.\n');
+        }
+        else {
+            console.log('\n  ✗ No master key found. Run "aegis init" to generate one.\n');
+        }
+    });
+}
+//# sourceMappingURL=key.js.map

package/dist/cli/commands/key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key.js","sourceRoot":"","sources":["../../../src/cli/commands/key.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAE3D,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,6BAA6B,CAAC,CAAC;IAE9E,GAAG;SACA,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,iEAAiE,CAAC;SAC9E,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC/B,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QAEvC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,sBAAsB,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,OAAO,GAAG,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,sBAAsB,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAE1E,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,KAAK,SAAS,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAE3D,+BAA+B;QAC/B,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAEhE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,qCAAqC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAEnF,oBAAoB;QACpB,MAAM,UAAU,GAAG,MAAM,CAAC,cAAc,CAAC;QACzC,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;gBAC/C,MAAM,MAAM,GAAG,CAAC,CAAC,UAAU,CAAC,KAAK,EAAE,UAAU,CAAC;gBAC9C,OAAO,CAAC,GAAG,CACT,uBAAuB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,CACxF,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;QAC1E,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,uBAAuB,OAAO,CAAC,IAAI,OAAO,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC;QAE9F,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAC/D,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/ledger.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Ledger commands: show, stats, export.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=ledger.d.ts.map

package/dist/cli/commands/ledger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ledger.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/ledger.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAwJ/C"}

package/dist/cli/commands/ledger.js

@@ -0,0 +1,140 @@
+/**
+ * Ledger commands: show, stats, export.
+ */
+import * as fs from 'node:fs';
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { Ledger } from '../../ledger/index.js';
+import { deriveKey } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime, validateEnum, validateIsoDate, validatePositiveInt } from '../validation.js';
+export function register(program) {
+    const ledgerCmd = program.command('ledger').description('View and export audit logs');
+    ledgerCmd
+        .command('show')
+        .description('Show recent audit log entries')
+        .option('-s, --service <service>', 'Filter by service')
+        .option('-n, --limit <limit>', 'Number of entries to show', '20')
+        .option('--since <date>', 'Show entries since date (ISO format)')
+        .option('--blocked', 'Show only blocked requests')
+        .option('--system', 'Show only system events (startup, shutdown)')
+        .option('--agent <name>', 'Filter by agent name')
+        .action((opts) => {
+        const config = getConfig();
+        // ── Validate CLI flags ──
+        const parsedLimit = parseInt(opts.limit, 10);
+        validatePositiveInt(parsedLimit, 'limit');
+        if (opts.since) {
+            validateIsoDate(opts.since, '--since date');
+        }
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'ledger:read');
+        const ledger = new Ledger(db);
+        const entries = ledger.query({
+            service: opts.service,
+            status: opts.blocked ? 'blocked' : opts.system ? 'system' : undefined,
+            since: opts.since,
+            limit: parsedLimit,
+            agentName: opts.agent,
+        });
+        if (entries.length === 0) {
+            console.log('\n  No audit entries found.\n');
+            db.close();
+            return;
+        }
+        console.log(`\n  Aegis Ledger — ${entries.length} entries\n`);
+        for (const entry of entries) {
+            const icon = entry.status === 'allowed' ? '✓' : entry.status === 'system' ? '●' : '✗';
+            const reason = entry.blockedReason ? ` (${entry.blockedReason})` : '';
+            const agent = entry.agentName ? ` [${entry.agentName}]` : '';
+            const channel = entry.channel !== 'gate' ? ` via ${entry.channel}` : '';
+            console.log(`  ${icon} ${localTime(entry.timestamp)} | ${entry.method.padEnd(6)} ${entry.service}${entry.path} → ${entry.targetDomain} [${entry.responseCode ?? '-'}]${agent}${channel}${reason}`);
+        }
+        console.log();
+        db.close();
+    });
+    ledgerCmd
+        .command('stats')
+        .description('Show audit log statistics')
+        .option('--since <date>', 'Stats since date (ISO format)')
+        .option('--agent <name>', 'Stats for a specific agent')
+        .action((opts) => {
+        // ── Validate CLI flags ──
+        if (opts.since) {
+            validateIsoDate(opts.since, '--since date');
+        }
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'ledger:read');
+        const ledger = new Ledger(db);
+        const stats = ledger.stats(opts.since, opts.agent);
+        console.log(`\n  Aegis Ledger — Statistics\n`);
+        console.log(`  Total requests:   ${stats.total}`);
+        console.log(`  Allowed:          ${stats.allowed}`);
+        console.log(`  Blocked:          ${stats.blocked}`);
+        if (stats.system > 0) {
+            console.log(`  System:           ${stats.system}`);
+        }
+        if (Object.keys(stats.byService).length > 0) {
+            console.log(`\n  By service:`);
+            for (const [service, count] of Object.entries(stats.byService)) {
+                console.log(`    ${service}: ${count}`);
+            }
+        }
+        console.log();
+        db.close();
+    });
+    ledgerCmd
+        .command('export')
+        .description('Export audit log (CSV, JSON, or JSON Lines)')
+        .option('-s, --service <service>', 'Filter by service')
+        .option('--since <date>', 'Export entries since date')
+        .option('-f, --format <format>', 'Output format: csv, json, or jsonl', 'csv')
+        .option('-o, --output <file>', 'Output file path')
+        .action((opts) => {
+        // ── Validate CLI flags ──
+        if (opts.since) {
+            validateIsoDate(opts.since, '--since date');
+        }
+        validateEnum(opts.format, ['csv', 'json', 'jsonl'], 'format');
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'ledger:export');
+        const ledger = new Ledger(db);
+        const queryParams = {
+            service: opts.service,
+            since: opts.since,
+        };
+        let output;
+        switch (opts.format) {
+            case 'json':
+                output = ledger.exportJson(queryParams);
+                break;
+            case 'jsonl':
+                output = ledger.exportJsonLines(queryParams);
+                break;
+            case 'csv':
+                output = ledger.exportCsv(queryParams);
+                break;
+            default:
+                console.error(`\n✗ Unknown format "${opts.format}". Use csv, json, or jsonl.\n`);
+                db.close();
+                return;
+        }
+        if (opts.output) {
+            fs.writeFileSync(opts.output, output, 'utf-8');
+            console.log(`\n✓ Exported ${opts.format.toUpperCase()} to ${opts.output}\n`);
+        }
+        else {
+            console.log(output);
+        }
+        db.close();
+    });
+}
+//# sourceMappingURL=ledger.js.map

package/dist/cli/commands/ledger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ledger.js","sourceRoot":"","sources":["../../../src/cli/commands/ledger.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEjG,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,4BAA4B,CAAC,CAAC;IAEtF,SAAS;SACN,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,+BAA+B,CAAC;SAC5C,MAAM,CAAC,yBAAyB,EAAE,mBAAmB,CAAC;SACtD,MAAM,CAAC,qBAAqB,EAAE,2BAA2B,EAAE,IAAI,CAAC;SAChE,MAAM,CAAC,gBAAgB,EAAE,sCAAsC,CAAC;SAChE,MAAM,CAAC,WAAW,EAAE,4BAA4B,CAAC;SACjD,MAAM,CAAC,UAAU,EAAE,6CAA6C,CAAC;SACjE,MAAM,CAAC,gBAAgB,EAAE,sBAAsB,CAAC;SAChD,MAAM,CACL,CAAC,IAOA,EAAE,EAAE;QACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,2BAA2B;QAC3B,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC7C,mBAAmB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YACrE,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,WAAW;YAClB,SAAS,EAAE,IAAI,CAAC,KAAK;SACtB,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YAC7C,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,OAAO,CAAC,MAAM,YAAY,CAAC,CAAC;QAC9D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YACtF,MAAM,MAAM,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACtE,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACxE,OAAO,CAAC,GAAG,CACT,KAAK,IAAI,IAAI,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,YAAY,KAAK,KAAK,CAAC,YAAY,IAAI,GAAG,IAAI,KAAK,GAAG,OAAO,GAAG,MAAM,EAAE,CACtL,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CACF,CAAC;IAEJ,SAAS;SACN,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,2BAA2B,CAAC;SACxC,MAAM,CAAC,gBAAgB,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,gBAAgB,EAAE,4BAA4B,CAAC;SACtD,MAAM,CAAC,CAAC,IAAwC,EAAE,EAAE;QACnD,2BAA2B;QAC3B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAEnD,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACrD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAC/B,KAAK,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,OAAO,OAAO,KAAK,KAAK,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,SAAS;SACN,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,6CAA6C,CAAC;SAC1D,MAAM,CAAC,yBAAyB,EAAE,mBAAmB,CAAC;SACtD,MAAM,CAAC,gBAAgB,EAAE,2BAA2B,CAAC;SACrD,MAAM,CAAC,uBAAuB,EAAE,oCAAoC,EAAE,KAAK,CAAC;SAC5E,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,MAAM,CAAC,CAAC,IAA2E,EAAE,EAAE;QACtF,2BAA2B;QAC3B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAC9C,CAAC;QACD,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAU,EAAE,QAAQ,CAAC,CAAC;QAEvE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9B,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;QAEF,IAAI,MAAc,CAAC;QACnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,KAAK,MAAM;gBACT,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;gBACxC,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,GAAG,MAAM,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;gBAC7C,MAAM;YACR,KAAK,KAAK;gBACR,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;gBACvC,MAAM;YACR;gBACE,OAAO,CAAC,KAAK,CAAC,uBAAuB,IAAI,CAAC,MAAM,+BAA+B,CAAC,CAAC;gBACjF,EAAE,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;QACX,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC;QAC/E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QACD,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/mcp.d.ts

@@ -0,0 +1,6 @@
+/**
+ * MCP commands: serve, config.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=mcp.d.ts.map

package/dist/cli/commands/mcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/mcp.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAkBzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAgP/C"}

package/dist/cli/commands/mcp.js

@@ -0,0 +1,224 @@
+/**
+ * MCP commands: serve, config.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { AgentRegistry } from '../../agent/index.js';
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { Ledger } from '../../ledger/index.js';
+import { AegisMcpServer } from '../../mcp/index.js';
+import { loadPoliciesFromDirectory } from '../../policy/index.js';
+import { deriveKey, Vault } from '../../vault/index.js';
+import { WebhookManager } from '../../webhook/index.js';
+import { requireUserAuth } from '../auth.js';
+import { VALID_LOG_LEVELS, VALID_MCP_TRANSPORTS, validateEnum, validatePort, } from '../validation.js';
+export function register(program) {
+    const mcpCmd = program.command('mcp').description('Run Aegis as an MCP server');
+    mcpCmd
+        .command('serve')
+        .description('Start the Aegis MCP server')
+        .option('--transport <type>', 'Transport type: "stdio" or "streamable-http"')
+        .option('--port <port>', 'Port for streamable-http transport')
+        .option('--agent-token <token>', 'Agent token to authenticate this MCP session')
+        .option('--policies-dir <dir>', 'Directory containing YAML policy files')
+        .option('--policy-mode <mode>', 'Policy enforcement mode: "enforce" or "dry-run"')
+        .option('--log-level <level>', 'Log level: debug, info, warn, error')
+        .action(async (opts) => {
+        // ── Validate CLI flags ──
+        if (opts.port) {
+            const p = Number.parseInt(opts.port, 10);
+            validatePort(p, 'MCP port');
+        }
+        if (opts.transport) {
+            validateEnum(opts.transport, VALID_MCP_TRANSPORTS, 'transport');
+        }
+        if (opts.policyMode) {
+            validateEnum(opts.policyMode, ['enforce', 'dry-run'], 'policy mode');
+        }
+        if (opts.logLevel) {
+            validateEnum(opts.logLevel, VALID_LOG_LEVELS, 'log level');
+        }
+        if (opts.policiesDir && !fs.existsSync(path.resolve(opts.policiesDir))) {
+            console.error(`\n✗ Policy directory not found: ${path.resolve(opts.policiesDir)}\n  Create it and add YAML policy files, or omit --policies-dir\n`);
+            process.exit(1);
+        }
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const mcpKey = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, mcpKey, 'gate:start');
+        const vault = new Vault(db, config.masterKey, getVaultSalt(config));
+        const ledger = new Ledger(db);
+        const agentRegistry = new AgentRegistry(db, mcpKey);
+        // Resolve policies: CLI flags → config file
+        const policyDir = opts.policiesDir ?? config.policiesDir;
+        let policies = [];
+        if (policyDir) {
+            policies = loadPoliciesFromDirectory(policyDir);
+        }
+        // Resolve transport: CLI → config file → default (stdio)
+        const transportOpt = opts.transport ?? config.mcp.transport;
+        const transport = transportOpt === 'streamable-http' ? 'streamable-http' : 'stdio';
+        // Resolve port: CLI → config file → default (3200)
+        const mcpPort = opts.port ? Number.parseInt(opts.port, 10) : config.mcp.port;
+        // Resolve policy mode: CLI → config file → default (enforce)
+        const effectivePolicyMode = opts.policyMode ?? (config.policyMode === 'off' ? 'enforce' : config.policyMode);
+        // Resolve log level: CLI → config file → default (info)
+        const effectiveLogLevel = (opts.logLevel ?? config.logLevel);
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const mcpServer = new AegisMcpServer({
+            vault,
+            ledger,
+            agentRegistry,
+            agentToken: opts.agentToken,
+            transport,
+            port: mcpPort,
+            policies,
+            policyMode: effectivePolicyMode === 'dry-run' ? 'dry-run' : 'enforce',
+            logLevel: effectiveLogLevel,
+            webhooks: webhookManager,
+        });
+        await mcpServer.start();
+        // Handle graceful shutdown
+        const shutdown = async () => {
+            await mcpServer.stop();
+            db.close();
+            process.exit(0);
+        };
+        process.on('SIGINT', shutdown);
+        process.on('SIGTERM', shutdown);
+    });
+    mcpCmd
+        .command('config')
+        .description('Generate MCP client configuration for popular hosts')
+        .argument('<host>', 'Target host: "claude", "cursor", or "vscode"')
+        .option('--transport <type>', 'Transport type (default: stdio)', 'stdio')
+        .option('--port <port>', 'Port for streamable-http transport (default: 3200)', '3200')
+        .option('--agent-token <token>', 'Agent token to include in the configuration')
+        .action((host, opts) => {
+        const transport = opts.transport;
+        const port = opts.port;
+        // Resolve the aegis CLI path.
+        // Prefer the built dist/cli.js with an absolute node path — this is stable
+        // across shell sessions (unlike `which aegis` which may resolve to an
+        // ephemeral fnm/nvm multishell path that disappears when the terminal closes).
+        let aegisCmd;
+        let aegisBaseArgs;
+        const distCli = path.resolve('dist/cli.js');
+        if (fs.existsSync(distCli)) {
+            // Use node + absolute path to the built CLI (always stable)
+            aegisCmd = process.execPath; // absolute path to the current node binary
+            aegisBaseArgs = [distCli];
+        }
+        else {
+            // Development fallback: use tsx
+            const cliPath = path.resolve('src/cli.ts');
+            aegisCmd = 'npx';
+            aegisBaseArgs = ['tsx', cliPath];
+        }
+        const buildArgs = () => {
+            const args = [...aegisBaseArgs, 'mcp', 'serve', '--transport', transport];
+            if (transport === 'streamable-http') {
+                args.push('--port', port);
+            }
+            if (opts.agentToken) {
+                args.push('--agent-token', opts.agentToken);
+            }
+            return args;
+        };
+        const args = buildArgs();
+        switch (host.toLowerCase()) {
+            case 'claude': {
+                if (transport === 'streamable-http') {
+                    const config = {
+                        mcpServers: {
+                            aegis: {
+                                url: `http://127.0.0.1:${port}/mcp`,
+                            },
+                        },
+                    };
+                    console.log('Add this to your Claude Desktop config (claude_desktop_config.json):');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                else {
+                    const config = {
+                        mcpServers: {
+                            aegis: {
+                                command: aegisCmd,
+                                args,
+                            },
+                        },
+                    };
+                    console.log('Add this to your Claude Desktop config (claude_desktop_config.json):');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                break;
+            }
+            case 'cursor': {
+                if (transport === 'streamable-http') {
+                    const config = {
+                        mcpServers: {
+                            aegis: {
+                                url: `http://127.0.0.1:${port}/mcp`,
+                            },
+                        },
+                    };
+                    console.log('Add this to your Cursor MCP config (.cursor/mcp.json):');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                else {
+                    const config = {
+                        mcpServers: {
+                            aegis: {
+                                command: aegisCmd,
+                                args,
+                            },
+                        },
+                    };
+                    console.log('Add this to your Cursor MCP config (.cursor/mcp.json):');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                break;
+            }
+            case 'vscode': {
+                if (transport === 'streamable-http') {
+                    const config = {
+                        servers: {
+                            aegis: {
+                                type: 'http',
+                                url: `http://127.0.0.1:${port}/mcp`,
+                            },
+                        },
+                    };
+                    console.log('Add this to your VS Code settings (settings.json) under "mcp":');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                else {
+                    const config = {
+                        servers: {
+                            aegis: {
+                                type: 'stdio',
+                                command: aegisCmd,
+                                args,
+                            },
+                        },
+                    };
+                    console.log('Add this to your VS Code settings (settings.json) under "mcp":');
+                    console.log();
+                    console.log(JSON.stringify(config, null, 2));
+                }
+                break;
+            }
+            default:
+                console.error(`Unknown host: ${host}. Supported hosts: claude, cursor, vscode`);
+                process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=mcp.js.map

package/dist/cli/commands/mcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../../src/cli/commands/mcp.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,YAAY,EACZ,YAAY,GACb,MAAM,kBAAkB,CAAC;AAE1B,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,4BAA4B,CAAC,CAAC;IAEhF,MAAM;SACH,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,oBAAoB,EAAE,8CAA8C,CAAC;SAC5E,MAAM,CAAC,eAAe,EAAE,oCAAoC,CAAC;SAC7D,MAAM,CAAC,uBAAuB,EAAE,8CAA8C,CAAC;SAC/E,MAAM,CAAC,sBAAsB,EAAE,wCAAwC,CAAC;SACxE,MAAM,CAAC,sBAAsB,EAAE,iDAAiD,CAAC;SACjF,MAAM,CAAC,qBAAqB,EAAE,qCAAqC,CAAC;SACpE,MAAM,CACL,KAAK,EAAE,IAON,EAAE,EAAE;QACH,2BAA2B;QAC3B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACzC,YAAY,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QAC9B,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,oBAAoB,EAAE,WAAW,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,SAAS,EAAE,SAAS,CAAU,EAAE,aAAa,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,KAAK,CACX,mCAAmC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,mEAAmE,CACrI,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QAEZ,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QACjE,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAE1C,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QACpE,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC;QAC9B,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAEpD,4CAA4C;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC;QACzD,IAAI,QAAQ,GAA6B,EAAE,CAAC;QAC5C,IAAI,SAAS,EAAE,CAAC;YACd,QAAQ,GAAG,yBAAyB,CAAC,SAAS,CAAC,CAAC;QAClD,CAAC;QAED,yDAAyD;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC;QAC5D,MAAM,SAAS,GACb,YAAY,KAAK,iBAAiB,CAAC,CAAC,CAAE,iBAA2B,CAAC,CAAC,CAAE,OAAiB,CAAC;QAEzF,mDAAmD;QACnD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC;QAE7E,6DAA6D;QAC7D,MAAM,mBAAmB,GACvB,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEnF,wDAAwD;QACxD,MAAM,iBAAiB,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAIhD,CAAC;QAEZ,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,MAAM,SAAS,GAAG,IAAI,cAAc,CAAC;YACnC,KAAK;YACL,MAAM;YACN,aAAa;YACb,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS;YACT,IAAI,EAAE,OAAO;YACb,QAAQ;YACR,UAAU,EAAE,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;YACrE,QAAQ,EAAE,iBAAiB;YAC3B,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;QAEH,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;QAExB,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;YACzC,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;YACvB,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC;QAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC,CACF,CAAC;IAEJ,MAAM;SACH,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,qDAAqD,CAAC;SAClE,QAAQ,CAAC,QAAQ,EAAE,8CAA8C,CAAC;SAClE,MAAM,CAAC,oBAAoB,EAAE,iCAAiC,EAAE,OAAO,CAAC;SACxE,MAAM,CAAC,eAAe,EAAE,oDAAoD,EAAE,MAAM,CAAC;SACrF,MAAM,CAAC,uBAAuB,EAAE,6CAA6C,CAAC;SAC9E,MAAM,CAAC,CAAC,IAAY,EAAE,IAA8D,EAAE,EAAE;QACvF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QAEvB,8BAA8B;QAC9B,2EAA2E;QAC3E,sEAAsE;QACtE,+EAA+E;QAC/E,IAAI,QAAgB,CAAC;QACrB,IAAI,aAAuB,CAAC;QAE5B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAC5C,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,4DAA4D;YAC5D,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,2CAA2C;YACxE,aAAa,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,gCAAgC;YAChC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC3C,QAAQ,GAAG,KAAK,CAAC;YACjB,aAAa,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,SAAS,GAAG,GAAa,EAAE;YAC/B,MAAM,IAAI,GAAG,CAAC,GAAG,aAAa,EAAE,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC;YAC1E,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;gBACpC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YAC5B,CAAC;YACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAC9C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC;QAEzB,QAAQ,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YAC3B,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;oBACpC,MAAM,MAAM,GAAG;wBACb,UAAU,EAAE;4BACV,KAAK,EAAE;gCACL,GAAG,EAAE,oBAAoB,IAAI,MAAM;6BACpC;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;oBACpF,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;qBAAM,CAAC;oBACN,MAAM,MAAM,GAAG;wBACb,UAAU,EAAE;4BACV,KAAK,EAAE;gCACL,OAAO,EAAE,QAAQ;gCACjB,IAAI;6BACL;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;oBACpF,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;oBACpC,MAAM,MAAM,GAAG;wBACb,UAAU,EAAE;4BACV,KAAK,EAAE;gCACL,GAAG,EAAE,oBAAoB,IAAI,MAAM;6BACpC;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;oBACtE,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;qBAAM,CAAC;oBACN,MAAM,MAAM,GAAG;wBACb,UAAU,EAAE;4BACV,KAAK,EAAE;gCACL,OAAO,EAAE,QAAQ;gCACjB,IAAI;6BACL;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;oBACtE,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;oBACpC,MAAM,MAAM,GAAG;wBACb,OAAO,EAAE;4BACP,KAAK,EAAE;gCACL,IAAI,EAAE,MAAM;gCACZ,GAAG,EAAE,oBAAoB,IAAI,MAAM;6BACpC;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;oBAC9E,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;qBAAM,CAAC;oBACN,MAAM,MAAM,GAAG;wBACb,OAAO,EAAE;4BACP,KAAK,EAAE;gCACL,IAAI,EAAE,OAAO;gCACb,OAAO,EAAE,QAAQ;gCACjB,IAAI;6BACL;yBACF;qBACF,CAAC;oBACF,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;oBAC9E,OAAO,CAAC,GAAG,EAAE,CAAC;oBACd,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/C,CAAC;gBACD,MAAM;YACR,CAAC;YACD;gBACE,OAAO,CAAC,KAAK,CAAC,iBAAiB,IAAI,2CAA2C,CAAC,CAAC;gBAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/policy.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Policy commands: validate, list, test.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=policy.d.ts.map

package/dist/cli/commands/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAkJ/C"}

package/dist/cli/commands/policy.js

@@ -0,0 +1,126 @@
+/**
+ * Policy commands: validate, list, test.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { evaluatePolicy, loadPoliciesFromDirectory, loadPolicyFile } from '../../policy/index.js';
+export function register(program) {
+    const policyCmd = program.command('policy').description('Manage and validate policy files');
+    policyCmd
+        .command('validate')
+        .description('Validate policy files for syntax and schema errors')
+        .argument('<path>', 'Path to a YAML policy file or directory of policy files')
+        .action((filePath) => {
+        const resolved = path.resolve(filePath);
+        if (!fs.existsSync(resolved)) {
+            console.error(`\n✗ Path not found: ${resolved}\n`);
+            process.exit(1);
+        }
+        const stat = fs.statSync(resolved);
+        const results = stat.isDirectory()
+            ? loadPoliciesFromDirectory(resolved)
+            : [loadPolicyFile(resolved)];
+        let hasErrors = false;
+        for (const result of results) {
+            if (result.valid) {
+                console.log(`  ✓ ${result.filePath ?? 'inline'}: valid (agent: ${result.policy?.agent})`);
+            }
+            else {
+                hasErrors = true;
+                console.log(`  ✗ ${result.filePath ?? 'inline'}: invalid`);
+                for (const err of result.errors) {
+                    console.log(`    - ${err.message}`);
+                }
+            }
+        }
+        console.log(`\n  ${results.filter((r) => r.valid).length}/${results.length} policy file(s) valid.\n`);
+        if (hasErrors) {
+            process.exit(1);
+        }
+    });
+    policyCmd
+        .command('list')
+        .description('List all policies and their rules')
+        .argument('<path>', 'Path to a policy file or directory')
+        .action((filePath) => {
+        const resolved = path.resolve(filePath);
+        if (!fs.existsSync(resolved)) {
+            console.error(`\n✗ Path not found: ${resolved}\n`);
+            process.exit(1);
+        }
+        const stat = fs.statSync(resolved);
+        const results = stat.isDirectory()
+            ? loadPoliciesFromDirectory(resolved)
+            : [loadPolicyFile(resolved)];
+        const valid = results.filter((r) => r.valid && r.policy);
+        if (valid.length === 0) {
+            console.log('\n  No valid policy files found.\n');
+            return;
+        }
+        console.log(`\n  ${valid.length} policy(ies):\n`);
+        for (const result of valid) {
+            const policy = result.policy;
+            if (!policy)
+                continue;
+            console.log(`  Agent: ${policy.agent}`);
+            if (policy.rules.length === 0) {
+                console.log('    (no rules)');
+            }
+            for (const rule of policy.rules) {
+                const methods = rule.methods ? rule.methods.join(', ') : '*';
+                const paths = rule.paths ? rule.paths.join(', ') : '*';
+                const rateLimit = rule.rateLimit ?? 'none';
+                console.log(`    → ${rule.service}`);
+                console.log(`      methods: ${methods}`);
+                console.log(`      paths:   ${paths}`);
+                console.log(`      rate:    ${rateLimit}`);
+                if (rule.timeWindow) {
+                    console.log(`      time:    ${rule.timeWindow.start}–${rule.timeWindow.end} (${rule.timeWindow.timezone})`);
+                }
+            }
+            console.log();
+        }
+    });
+    policyCmd
+        .command('test')
+        .description("Test a request against an agent's policy")
+        .requiredOption('-a, --agent <name>', 'Agent name to test against')
+        .requiredOption('-s, --service <service>', 'Service being accessed')
+        .requiredOption('-m, --method <method>', 'HTTP method (GET, POST, etc.)')
+        .requiredOption('--path <path>', 'Request path')
+        .argument('<policyPath>', 'Path to a policy file or directory')
+        .action((policyPath, opts) => {
+        const resolved = path.resolve(policyPath);
+        if (!fs.existsSync(resolved)) {
+            console.error(`\n✗ Path not found: ${resolved}\n`);
+            process.exit(1);
+        }
+        const stat = fs.statSync(resolved);
+        const results = stat.isDirectory()
+            ? loadPoliciesFromDirectory(resolved)
+            : [loadPolicyFile(resolved)];
+        const valid = results.filter((r) => r.valid && r.policy);
+        const agentPolicy = valid.find((r) => r.policy?.agent === opts.agent);
+        if (!agentPolicy?.policy) {
+            console.error(`\n✗ No valid policy found for agent "${opts.agent}"\n`);
+            process.exit(1);
+        }
+        const evaluation = evaluatePolicy(agentPolicy.policy, {
+            service: opts.service,
+            method: opts.method,
+            path: opts.path,
+        });
+        if (evaluation.allowed) {
+            console.log(`\n  ✓ ALLOWED — request matches policy for agent "${opts.agent}"`);
+            if (evaluation.matchedRule) {
+                console.log(`    Matched rule for service: ${evaluation.matchedRule.service}`);
+            }
+        }
+        else {
+            console.log(`\n  ✗ DENIED — ${evaluation.reason}`);
+            console.log(`    Violation type: ${evaluation.violation}`);
+        }
+        console.log();
+    });
+}
+//# sourceMappingURL=policy.js.map

package/dist/cli/commands/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/cli/commands/policy.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,cAAc,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAElG,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,kCAAkC,CAAC,CAAC;IAE5F,SAAS;SACN,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CAAC,oDAAoD,CAAC;SACjE,QAAQ,CAAC,QAAQ,EAAE,yDAAyD,CAAC;SAC7E,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAExC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,uBAAuB,QAAQ,IAAI,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE;YAChC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;YACrC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE/B,IAAI,SAAS,GAAG,KAAK,CAAC;QAEtB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,QAAQ,IAAI,QAAQ,mBAAmB,MAAM,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC;YAC5F,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,QAAQ,IAAI,QAAQ,WAAW,CAAC,CAAC;gBAC3D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBAChC,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,CACT,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,0BAA0B,CACzF,CAAC;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,SAAS;SACN,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,mCAAmC,CAAC;SAChD,QAAQ,CAAC,QAAQ,EAAE,oCAAoC,CAAC;SACxD,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAExC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,uBAAuB,QAAQ,IAAI,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE;YAChC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;YACrC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE/B,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;QAEzD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;YAClD,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,MAAM,iBAAiB,CAAC,CAAC;QAElD,KAAK,MAAM,MAAM,IAAI,KAAK,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YAC7B,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEtB,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YACxC,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAChC,CAAC;YACD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAChC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBACvD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC;gBAC3C,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;gBACrC,OAAO,CAAC,GAAG,CAAC,kBAAkB,OAAO,EAAE,CAAC,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,EAAE,CAAC,CAAC;gBACvC,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,EAAE,CAAC,CAAC;gBAC3C,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;oBACpB,OAAO,CAAC,GAAG,CACT,kBAAkB,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,KAAK,IAAI,CAAC,UAAU,CAAC,QAAQ,GAAG,CAC/F,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,SAAS;SACN,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,0CAA0C,CAAC;SACvD,cAAc,CAAC,oBAAoB,EAAE,4BAA4B,CAAC;SAClE,cAAc,CAAC,yBAAyB,EAAE,wBAAwB,CAAC;SACnE,cAAc,CAAC,uBAAuB,EAAE,+BAA+B,CAAC;SACxE,cAAc,CAAC,eAAe,EAAE,cAAc,CAAC;SAC/C,QAAQ,CAAC,cAAc,EAAE,oCAAoC,CAAC;SAC9D,MAAM,CACL,CACE,UAAkB,EAClB,IAAsE,EACtE,EAAE;QACF,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,uBAAuB,QAAQ,IAAI,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE;YAChC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;YACrC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE/B,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC;QACzD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC;QAEtE,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;YACzB,OAAO,CAAC,KAAK,CAAC,wCAAwC,IAAI,CAAC,KAAK,KAAK,CAAC,CAAC;YACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,UAAU,GAAG,cAAc,CAAC,WAAW,CAAC,MAAM,EAAE;YACpD,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC,CAAC;QAEH,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,qDAAqD,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;YAChF,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,iCAAiC,UAAU,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YACjF,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,kBAAkB,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,uBAAuB,UAAU,CAAC,SAAS,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC,CACF,CAAC;AACN,CAAC"}

package/dist/cli/commands/user.d.ts

@@ -0,0 +1,6 @@
+/**
+ * User commands: add, list, remove, role, regenerate-token.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=user.d.ts.map

package/dist/cli/commands/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/user.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAmK/C"}