@getaegis/cli 0.8.0 → 0.9.0

package/dist/cli/commands/vault.js

@@ -0,0 +1,265 @@
+/**
+ * Vault CRUD commands: add, list, remove, rotate, update.
+ */
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { deriveKey, Vault } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime, VALID_AUTH_TYPES, VALID_BODY_INSPECTION_MODES, validateDomains, validateEnum, validateIdentifier, validateNonNegativeFloat, validatePositiveInt, validateRateLimit, } from '../validation.js';
+export function register(program) {
+    const vault = program.command('vault').description('Manage stored credentials');
+    vault
+        .command('add')
+        .description('Add a new credential to the vault')
+        .requiredOption('-n, --name <name>', 'Unique name for this credential')
+        .requiredOption('-s, --service <service>', 'Service identifier (used in proxy URL path)')
+        .requiredOption('--secret <secret>', 'The API key or token')
+        .requiredOption('-d, --domains <domains>', 'Comma-separated allowed domains (e.g. api.slack.com,*.slack.com)')
+        .option('-a, --auth-type <type>', 'Auth injection type: bearer, header, basic, query', 'bearer')
+        .option('--header-name <name>', 'Custom header name (for auth-type: header)')
+        .option('--query-param <name>', 'Query parameter name (for auth-type: query, default: "key")')
+        .option('--scopes <scopes>', 'Comma-separated scopes: read, write, *', '*')
+        .option('--ttl <days>', 'Credential expires after this many days')
+        .option('--rate-limit <limit>', 'Rate limit: e.g. 100/min, 1000/hour, 10/sec')
+        .option('--body-inspection <mode>', 'Body inspection mode: off, warn, block', 'block')
+        .action((opts) => {
+        // ── Input validation ──
+        validateIdentifier(opts.name, 'credential name');
+        validateIdentifier(opts.service, 'service');
+        const authType = validateEnum(opts.authType, VALID_AUTH_TYPES, 'auth type');
+        const bodyInspection = validateEnum(opts.bodyInspection, VALID_BODY_INSPECTION_MODES, 'body inspection mode');
+        const domains = validateDomains(opts.domains);
+        const ttlDays = opts.ttl ? parseInt(opts.ttl, 10) : undefined;
+        if (ttlDays !== undefined)
+            validatePositiveInt(ttlDays, 'TTL (days)');
+        if (opts.rateLimit)
+            validateRateLimit(opts.rateLimit);
+        // --query-param sets headerName when authType is query
+        const headerName = opts.queryParam && authType === 'query' ? opts.queryParam : opts.headerName;
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:write');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        try {
+            const cred = vaultInstance.add({
+                name: opts.name,
+                service: opts.service,
+                secret: opts.secret,
+                authType,
+                headerName,
+                domains,
+                scopes: opts.scopes.split(',').map((s) => s.trim()),
+                ttlDays,
+                rateLimit: opts.rateLimit,
+                bodyInspection,
+            });
+            console.log(`\n✓ Credential added to Aegis Vault\n`);
+            console.log(`  Name:    ${cred.name}`);
+            console.log(`  Service: ${cred.service}`);
+            console.log(`  Auth:    ${cred.authType}`);
+            if (cred.authType === 'header' && cred.headerName) {
+                console.log(`  Header:  ${cred.headerName}`);
+            }
+            if (cred.authType === 'query') {
+                console.log(`  Param:   ${cred.headerName ?? 'key'}`);
+            }
+            console.log(`  Domains: ${cred.domains.join(', ')}`);
+            console.log(`  Scopes:  ${cred.scopes.join(', ')}`);
+            if (cred.expiresAt) {
+                console.log(`  Expires: ${localTime(cred.expiresAt)}`);
+            }
+            if (cred.rateLimit) {
+                console.log(`  Rate:    ${cred.rateLimit}`);
+            }
+            console.log(`  Body:    ${cred.bodyInspection}`);
+            console.log(`\n  Your agent can now use: http://localhost:${config.port}/${cred.service}/...\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            if (message.includes('UNIQUE')) {
+                console.error(`\n✗ A credential named "${opts.name}" already exists. Remove it first with: aegis vault remove --name ${opts.name}\n`);
+            }
+            else {
+                console.error(`\n✗ Error: ${message}\n`);
+            }
+            process.exit(1);
+        }
+        finally {
+            db.close();
+        }
+    });
+    vault
+        .command('list')
+        .description('List all stored credentials (secrets are never shown)')
+        .action(() => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:read');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        const creds = vaultInstance.list();
+        if (creds.length === 0) {
+            console.log('\n  No credentials stored. Add one with: aegis vault add\n');
+            db.close();
+            return;
+        }
+        console.log(`\n  Aegis Vault — ${creds.length} credential(s)\n`);
+        for (const cred of creds) {
+            console.log(`  ┌ ${cred.name} (${cred.service})`);
+            console.log(`  │ Auth:    ${cred.authType}`);
+            console.log(`  │ Domains: ${cred.domains.join(', ')}`);
+            console.log(`  │ Scopes:  ${cred.scopes.join(', ')}`);
+            if (cred.rateLimit) {
+                console.log(`  │ Rate:    ${cred.rateLimit}`);
+            }
+            if (cred.expiresAt) {
+                console.log(`  │ Expires: ${localTime(cred.expiresAt)}`);
+            }
+            console.log(`  │ Added:   ${localTime(cred.createdAt)}`);
+            console.log(`  └`);
+        }
+        console.log();
+        db.close();
+    });
+    vault
+        .command('remove')
+        .description('Remove a credential from the vault')
+        .requiredOption('-n, --name <name>', 'Name of the credential to remove')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:write');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        const removed = vaultInstance.remove(opts.name);
+        if (removed) {
+            console.log(`\n✓ Credential "${opts.name}" removed from vault.\n`);
+        }
+        else {
+            console.error(`\n✗ No credential found with name "${opts.name}".\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    vault
+        .command('rotate')
+        .description("Rotate a credential's secret (old secret saved to history)")
+        .requiredOption('-n, --name <name>', 'Name of the credential to rotate')
+        .requiredOption('--secret <secret>', 'The new API key or token')
+        .option('--grace-period <hours>', 'Keep old secret valid for this many hours (for zero-downtime rotation)')
+        .action((opts) => {
+        const gracePeriodHours = opts.gracePeriod ? parseFloat(opts.gracePeriod) : undefined;
+        if (gracePeriodHours !== undefined)
+            validateNonNegativeFloat(gracePeriodHours, 'grace period (hours)');
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:write');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        try {
+            const cred = vaultInstance.rotate({
+                name: opts.name,
+                newSecret: opts.secret,
+                gracePeriodHours,
+            });
+            console.log(`\n✓ Credential "${cred.name}" rotated successfully\n`);
+            console.log(`  Old secret saved to history`);
+            if (gracePeriodHours) {
+                console.log(`  Grace period: ${gracePeriodHours} hour(s)`);
+            }
+            console.log();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+        finally {
+            db.close();
+        }
+    });
+    vault
+        .command('update')
+        .description("Update a credential's metadata without re-entering the secret")
+        .requiredOption('-n, --name <name>', 'Name of the credential to update')
+        .option('-d, --domains <domains>', 'New comma-separated allowed domains')
+        .option('--scopes <scopes>', 'New comma-separated scopes')
+        .option('-a, --auth-type <type>', 'New auth injection type: bearer, header, basic, query')
+        .option('--header-name <name>', 'New custom header name (for auth-type: header)')
+        .option('--query-param <name>', 'New query parameter name (for auth-type: query)')
+        .option('--rate-limit <limit>', "New rate limit: e.g. 100/min, 1000/hour (use 'none' to remove)")
+        .option('--body-inspection <mode>', 'Body inspection mode: off, warn, block')
+        .action((opts) => {
+        // ── Input validation ──
+        if (opts.authType)
+            validateEnum(opts.authType, VALID_AUTH_TYPES, 'auth type');
+        if (opts.bodyInspection)
+            validateEnum(opts.bodyInspection, VALID_BODY_INSPECTION_MODES, 'body inspection mode');
+        const domains = opts.domains ? validateDomains(opts.domains) : undefined;
+        if (opts.rateLimit && opts.rateLimit.toLowerCase() !== 'none')
+            validateRateLimit(opts.rateLimit);
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:write');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        try {
+            // "none" means remove the rate limit
+            const rateLimit = opts.rateLimit !== undefined
+                ? opts.rateLimit.toLowerCase() === 'none'
+                    ? null
+                    : opts.rateLimit
+                : undefined;
+            // --query-param sets headerName when authType is query
+            const resolvedAuthType = opts.authType;
+            let headerName = opts.headerName;
+            if (opts.queryParam) {
+                if (resolvedAuthType && resolvedAuthType !== 'query') {
+                    console.warn(`\n⚠  --query-param is ignored when auth-type is "${resolvedAuthType}" (only applies to "query")\n`);
+                }
+                else {
+                    headerName = opts.queryParam;
+                }
+            }
+            const cred = vaultInstance.update({
+                name: opts.name,
+                domains,
+                scopes: opts.scopes?.split(',').map((s) => s.trim()),
+                authType: opts.authType,
+                headerName,
+                rateLimit,
+                bodyInspection: opts.bodyInspection,
+            });
+            console.log(`\n✓ Credential "${cred.name}" updated\n`);
+            console.log(`  Domains: ${cred.domains.join(', ')}`);
+            console.log(`  Scopes:  ${cred.scopes.join(', ')}`);
+            console.log(`  Auth:    ${cred.authType}`);
+            if (cred.authType === 'header' && cred.headerName) {
+                console.log(`  Header:  ${cred.headerName}`);
+            }
+            if (cred.authType === 'query') {
+                console.log(`  Param:   ${cred.headerName ?? 'key'}`);
+            }
+            if (cred.rateLimit) {
+                console.log(`  Rate:    ${cred.rateLimit}`);
+            }
+            console.log(`  Body:    ${cred.bodyInspection}`);
+            console.log();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+        finally {
+            db.close();
+        }
+    });
+}
+//# sourceMappingURL=vault.js.map

package/dist/cli/commands/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../src/cli/commands/vault.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG3D,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EACL,SAAS,EACT,gBAAgB,EAChB,2BAA2B,EAC3B,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,wBAAwB,EACxB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAE1B,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,2BAA2B,CAAC,CAAC;IAEhF,KAAK;SACF,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,mCAAmC,CAAC;SAChD,cAAc,CAAC,mBAAmB,EAAE,iCAAiC,CAAC;SACtE,cAAc,CAAC,yBAAyB,EAAE,6CAA6C,CAAC;SACxF,cAAc,CAAC,mBAAmB,EAAE,sBAAsB,CAAC;SAC3D,cAAc,CACb,yBAAyB,EACzB,kEAAkE,CACnE;SACA,MAAM,CAAC,wBAAwB,EAAE,mDAAmD,EAAE,QAAQ,CAAC;SAC/F,MAAM,CAAC,sBAAsB,EAAE,4CAA4C,CAAC;SAC5E,MAAM,CAAC,sBAAsB,EAAE,6DAA6D,CAAC;SAC7F,MAAM,CAAC,mBAAmB,EAAE,wCAAwC,EAAE,GAAG,CAAC;SAC1E,MAAM,CAAC,cAAc,EAAE,yCAAyC,CAAC;SACjE,MAAM,CAAC,sBAAsB,EAAE,6CAA6C,CAAC;SAC7E,MAAM,CAAC,0BAA0B,EAAE,wCAAwC,EAAE,OAAO,CAAC;SACrF,MAAM,CACL,CAAC,IAYA,EAAE,EAAE;QACH,yBAAyB;QACzB,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;QACjD,kBAAkB,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,YAAY,CACjC,IAAI,CAAC,cAAc,EACnB,2BAA2B,EAC3B,sBAAsB,CACvB,CAAC;QACF,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9D,IAAI,OAAO,KAAK,SAAS;YAAE,mBAAmB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QACtE,IAAI,IAAI,CAAC,SAAS;YAAE,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAEtD,uDAAuD;QACvD,MAAM,UAAU,GACd,IAAI,CAAC,UAAU,IAAI,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC;QAE9E,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC;gBAC7B,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ;gBACR,UAAU;gBACV,OAAO;gBACP,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACnD,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,cAAc;aACf,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC3C,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBAClD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,UAAU,IAAI,KAAK,EAAE,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,cAAc,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACzD,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YAC9C,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CACT,gDAAgD,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,QAAQ,CACpF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,KAAK,CACX,2BAA2B,IAAI,CAAC,IAAI,qEAAqE,IAAI,CAAC,IAAI,IAAI,CACvH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,cAAc,OAAO,IAAI,CAAC,CAAC;YAC3C,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;IACH,CAAC,CACF,CAAC;IAEJ,KAAK;SACF,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,uDAAuD,CAAC;SACpE,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;YAC1E,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,CAAC,MAAM,kBAAkB,CAAC,CAAC;QACjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACtD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YAChD,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,gBAAgB,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,gBAAgB,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,oCAAoC,CAAC;SACjD,cAAc,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;SACvE,MAAM,CAAC,CAAC,IAAsB,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,yBAAyB,CAAC,CAAC;QACrE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,sCAAsC,IAAI,CAAC,IAAI,MAAM,CAAC,CAAC;YACrE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,4DAA4D,CAAC;SACzE,cAAc,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;SACvE,cAAc,CAAC,mBAAmB,EAAE,0BAA0B,CAAC;SAC/D,MAAM,CACL,wBAAwB,EACxB,wEAAwE,CACzE;SACA,MAAM,CAAC,CAAC,IAA4D,EAAE,EAAE;QACvE,MAAM,gBAAgB,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACrF,IAAI,gBAAgB,KAAK,SAAS;YAChC,wBAAwB,CAAC,gBAAgB,EAAE,sBAAsB,CAAC,CAAC;QAErE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,SAAS,EAAE,IAAI,CAAC,MAAM;gBACtB,gBAAgB;aACjB,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,0BAA0B,CAAC,CAAC;YACpE,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YAC7C,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO,CAAC,GAAG,CAAC,mBAAmB,gBAAgB,UAAU,CAAC,CAAC;YAC7D,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,+DAA+D,CAAC;SAC5E,cAAc,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;SACvE,MAAM,CAAC,yBAAyB,EAAE,qCAAqC,CAAC;SACxE,MAAM,CAAC,mBAAmB,EAAE,4BAA4B,CAAC;SACzD,MAAM,CAAC,wBAAwB,EAAE,uDAAuD,CAAC;SACzF,MAAM,CAAC,sBAAsB,EAAE,gDAAgD,CAAC;SAChF,MAAM,CAAC,sBAAsB,EAAE,iDAAiD,CAAC;SACjF,MAAM,CACL,sBAAsB,EACtB,gEAAgE,CACjE;SACA,MAAM,CAAC,0BAA0B,EAAE,wCAAwC,CAAC;SAC5E,MAAM,CACL,CAAC,IASA,EAAE,EAAE;QACH,yBAAyB;QACzB,IAAI,IAAI,CAAC,QAAQ;YAAE,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAC9E,IAAI,IAAI,CAAC,cAAc;YACrB,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,2BAA2B,EAAE,sBAAsB,CAAC,CAAC;QACzF,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACzE,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,MAAM;YAC3D,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAEpC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,IAAI,CAAC;YACH,qCAAqC;YACrC,MAAM,SAAS,GACb,IAAI,CAAC,SAAS,KAAK,SAAS;gBAC1B,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,MAAM;oBACvC,CAAC,CAAC,IAAI;oBACN,CAAC,CAAC,IAAI,CAAC,SAAS;gBAClB,CAAC,CAAC,SAAS,CAAC;YAEhB,uDAAuD;YACvD,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAgC,CAAC;YAC/D,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YACjC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,IAAI,gBAAgB,IAAI,gBAAgB,KAAK,OAAO,EAAE,CAAC;oBACrD,OAAO,CAAC,IAAI,CACV,oDAAoD,gBAAgB,+BAA+B,CACpG,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;gBAC/B,CAAC;YACH,CAAC;YAED,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC;gBAChC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO;gBACP,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACpD,QAAQ,EAAE,IAAI,CAAC,QAAgC;gBAC/C,UAAU;gBACV,SAAS;gBACT,cAAc,EAAE,IAAI,CAAC,cAAgD;aACtE,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,aAAa,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC3C,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBAClD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,UAAU,IAAI,KAAK,EAAE,CAAC,CAAC;YACxD,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;YAC9C,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;IACH,CAAC,CACF,CAAC;AACN,CAAC"}

package/dist/cli/commands/webhook.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Webhook commands: add, list, remove, test, check-expiry.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=webhook.d.ts.map

package/dist/cli/commands/webhook.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/webhook.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA2K/C"}

package/dist/cli/commands/webhook.js

@@ -0,0 +1,151 @@
+/**
+ * Webhook commands: add, list, remove, test, check-expiry.
+ */
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { deriveKey, Vault } from '../../vault/index.js';
+import { WEBHOOK_EVENT_TYPES, WebhookManager } from '../../webhook/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime } from '../validation.js';
+export function register(program) {
+    const webhookCmd = program.command('webhook').description('Manage webhook alert endpoints');
+    webhookCmd
+        .command('add')
+        .description('Register a webhook endpoint for event notifications')
+        .requiredOption('-u, --url <url>', 'Webhook endpoint URL (http or https)')
+        .requiredOption('-e, --events <events>', 'Comma-separated event types: blocked_request, credential_expiry, rate_limit_exceeded, agent_auth_failure, body_inspection')
+        .option('-l, --label <label>', 'Human-readable label for this webhook')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:write');
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const events = opts.events.split(',').map((e) => e.trim());
+        for (const event of events) {
+            if (!WEBHOOK_EVENT_TYPES.includes(event)) {
+                console.error(`\n  ✗ Invalid event type: ${event}\n  Valid types: ${WEBHOOK_EVENT_TYPES.join(', ')}\n`);
+                process.exit(1);
+            }
+        }
+        try {
+            const webhook = webhookManager.add({
+                url: opts.url,
+                events: events,
+                label: opts.label,
+            });
+            console.log(`\n  ✔ Webhook registered`);
+            console.log(`    ID:     ${webhook.id}`);
+            console.log(`    URL:    ${webhook.url}`);
+            console.log(`    Events: ${webhook.events.join(', ')}`);
+            if (webhook.label)
+                console.log(`    Label:  ${webhook.label}`);
+            console.log(`    Secret: ${webhook.secret}`);
+            console.log(`\n  Use the secret to verify payload signatures (X-Aegis-Signature header).\n`);
+        }
+        catch (err) {
+            console.error(`\n  ✗ ${err instanceof Error ? err.message : String(err)}\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    webhookCmd
+        .command('list')
+        .description('List all registered webhooks')
+        .action(() => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:read');
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const webhooks = webhookManager.list();
+        if (webhooks.length === 0) {
+            console.log('\n  No webhooks registered. Add one with: aegis webhook add --url https://example.com/hook --events blocked_request\n');
+        }
+        else {
+            console.log(`\n  Aegis Webhooks — ${webhooks.length} registered\n`);
+            for (const w of webhooks) {
+                console.log(`    ${w.label ?? w.id}`);
+                console.log(`      URL:    ${w.url}`);
+                console.log(`      Events: ${w.events.join(', ')}`);
+                console.log(`      Added:  ${localTime(w.createdAt)}`);
+                console.log();
+            }
+        }
+        db.close();
+    });
+    webhookCmd
+        .command('remove')
+        .description('Remove a webhook by ID')
+        .requiredOption('--id <id>', 'Webhook ID to remove')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:write');
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        if (webhookManager.remove(opts.id)) {
+            console.log(`\n  ✔ Webhook removed: ${opts.id}\n`);
+        }
+        else {
+            console.error(`\n  ✗ Webhook not found: ${opts.id}\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    webhookCmd
+        .command('test')
+        .description('Send a test event to a webhook')
+        .requiredOption('--id <id>', 'Webhook ID to test')
+        .action(async (opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:read');
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const webhook = webhookManager.getById(opts.id);
+        if (!webhook) {
+            console.error(`\n  ✗ Webhook not found: ${opts.id}\n`);
+            db.close();
+            process.exit(1);
+        }
+        console.log(`\n  Sending test event to ${webhook.url}...`);
+        webhookManager.emit('blocked_request', {
+            test: true,
+            service: 'test-service',
+            reason: 'test_event',
+            message: 'This is a test webhook delivery from Aegis',
+        });
+        // Give it a moment to deliver
+        await new Promise((resolve) => setTimeout(resolve, 3000));
+        console.log(`  ✔ Test event sent\n`);
+        db.close();
+    });
+    webhookCmd
+        .command('check-expiry')
+        .description('Check for credentials approaching expiry and emit webhook alerts')
+        .option('--threshold <days>', 'Alert threshold in days (default: 7)', '7')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'webhook:read');
+        const vaultInstance = new Vault(db, config.masterKey, getVaultSalt(config));
+        const webhookManager = new WebhookManager({ db, logLevel: config.logLevel });
+        const thresholdDays = Number.parseInt(opts.threshold, 10) || 7;
+        const alertCount = webhookManager.checkExpiringCredentials(vaultInstance, thresholdDays);
+        if (alertCount === 0) {
+            console.log(`\n  ✔ No credentials expiring within ${thresholdDays} days\n`);
+        }
+        else {
+            console.log(`\n  ⚠ ${alertCount} credential(s) expiring within ${thresholdDays} days — webhook alerts sent\n`);
+        }
+        db.close();
+    });
+}
+//# sourceMappingURL=webhook.js.map

package/dist/cli/commands/webhook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../../src/cli/commands/webhook.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7E,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAE7C,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,gCAAgC,CAAC,CAAC;IAE5F,UAAU;SACP,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,qDAAqD,CAAC;SAClE,cAAc,CAAC,iBAAiB,EAAE,sCAAsC,CAAC;SACzE,cAAc,CACb,uBAAuB,EACvB,2HAA2H,CAC5H;SACA,MAAM,CAAC,qBAAqB,EAAE,uCAAuC,CAAC;SACtE,MAAM,CAAC,CAAC,IAAqD,EAAE,EAAE;QAChE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAE1C,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,KAA6C,CAAC,EAAE,CAAC;gBACjF,OAAO,CAAC,KAAK,CACX,6BAA6B,KAAK,oBAAoB,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CACzF,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC;gBACjC,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,MAAgD;gBACxD,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACxD,IAAI,OAAO,CAAC,KAAK;gBAAE,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;YAC/D,OAAO,CAAC,GAAG,CAAC,eAAe,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CACT,+EAA+E,CAChF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,UAAU;SACP,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,8BAA8B,CAAC;SAC3C,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QAEzC,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC7E,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC;QAEvC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CACT,uHAAuH,CACxH,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,wBAAwB,QAAQ,CAAC,MAAM,eAAe,CAAC,CAAC;YACpE,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACpD,OAAO,CAAC,GAAG,CAAC,iBAAiB,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBACvD,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,CAAC;QACH,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,UAAU;SACP,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,wBAAwB,CAAC;SACrC,cAAc,CAAC,WAAW,EAAE,sBAAsB,CAAC;SACnD,MAAM,CAAC,CAAC,IAAoB,EAAE,EAAE;QAC/B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAE1C,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,IAAI,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,UAAU;SACP,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,gCAAgC,CAAC;SAC7C,cAAc,CAAC,WAAW,EAAE,oBAAoB,CAAC;SACjD,MAAM,CAAC,KAAK,EAAE,IAAoB,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QAEzC,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;YACvD,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,6BAA6B,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;QAC3D,cAAc,CAAC,IAAI,CAAC,iBAAiB,EAAE;YACrC,IAAI,EAAE,IAAI;YACV,OAAO,EAAE,cAAc;YACvB,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,4CAA4C;SACtD,CAAC,CAAC;QAEH,8BAA8B;QAC9B,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAErC,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,UAAU;SACP,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,kEAAkE,CAAC;SAC/E,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,EAAE,GAAG,CAAC;SACzE,MAAM,CAAC,CAAC,IAA2B,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QAEzC,MAAM,aAAa,GAAG,IAAI,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5E,MAAM,cAAc,GAAG,IAAI,cAAc,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE7E,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QAC/D,MAAM,UAAU,GAAG,cAAc,CAAC,wBAAwB,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QAEzF,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,wCAAwC,aAAa,SAAS,CAAC,CAAC;QAC9E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CACT,SAAS,UAAU,kCAAkC,aAAa,+BAA+B,CAClG,CAAC;QACJ,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/helpers.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Shared CLI helper utilities.
+ */
+/**
+ * Generate a self-signed TLS certificate using openssl.
+ * Creates certs/aegis.key and certs/aegis.crt in the given base directory.
+ *
+ * The certificate is valid for 365 days, issued to CN=localhost with
+ * SubjectAltNames for localhost and 127.0.0.1.
+ */
+export declare function generateSelfSignedCert(baseDir: string): void;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/cli/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/cli/helpers.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAqD5D"}

package/dist/cli/helpers.js

@@ -0,0 +1,61 @@
+/**
+ * Shared CLI helper utilities.
+ */
+import { execSync } from 'node:child_process';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+/**
+ * Generate a self-signed TLS certificate using openssl.
+ * Creates certs/aegis.key and certs/aegis.crt in the given base directory.
+ *
+ * The certificate is valid for 365 days, issued to CN=localhost with
+ * SubjectAltNames for localhost and 127.0.0.1.
+ */
+export function generateSelfSignedCert(baseDir) {
+    const certsDir = path.join(baseDir, 'certs');
+    if (!fs.existsSync(certsDir)) {
+        fs.mkdirSync(certsDir, { recursive: true });
+    }
+    const keyPath = path.join(certsDir, 'aegis.key');
+    const certPath = path.join(certsDir, 'aegis.crt');
+    if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
+        console.log(`\n  TLS certificate already exists at ${certsDir}/`);
+        console.log(`    ${keyPath}`);
+        console.log(`    ${certPath}\n`);
+        return;
+    }
+    try {
+        // Check openssl is available
+        execSync('openssl version', { stdio: 'pipe' });
+    }
+    catch {
+        console.error('\n  ✗ openssl not found. Install OpenSSL to generate self-signed certificates.\n');
+        return;
+    }
+    try {
+        // Generate RSA private key (2048 bits)
+        execSync(`openssl genrsa -out "${keyPath}" 2048`, { stdio: 'pipe' });
+        fs.chmodSync(keyPath, 0o600);
+        // Generate self-signed certificate with SAN for localhost
+        const opensslCmd = [
+            'openssl req -new -x509',
+            `-key "${keyPath}"`,
+            `-out "${certPath}"`,
+            '-days 365',
+            '-subj "/CN=localhost/O=Aegis Local Dev"',
+            '-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"',
+        ].join(' ');
+        execSync(opensslCmd, { stdio: 'pipe' });
+        console.log(`\n  🔒 Self-signed TLS certificate generated:`);
+        console.log(`    Key:  ${keyPath}`);
+        console.log(`    Cert: ${certPath}`);
+        console.log(`    Valid for 365 days (localhost + 127.0.0.1)\n`);
+        console.log(`    Start Gate with TLS: aegis gate --tls`);
+        console.log(`    Or specify paths:    aegis gate --tls --cert ${certPath} --key ${keyPath}\n`);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`\n  ✗ Failed to generate certificate: ${message}\n`);
+    }
+}
+//# sourceMappingURL=helpers.js.map

package/dist/cli/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/cli/helpers.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAElD,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,yCAAyC,QAAQ,GAAG,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,OAAO,OAAO,EAAE,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,OAAO,QAAQ,IAAI,CAAC,CAAC;QACjC,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,6BAA6B;QAC7B,QAAQ,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,KAAK,CACX,kFAAkF,CACnF,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,uCAAuC;QACvC,QAAQ,CAAC,wBAAwB,OAAO,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACrE,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAE7B,0DAA0D;QAC1D,MAAM,UAAU,GAAG;YACjB,wBAAwB;YACxB,SAAS,OAAO,GAAG;YACnB,SAAS,QAAQ,GAAG;YACpB,WAAW;YACX,yCAAyC;YACzC,qDAAqD;SACtD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,QAAQ,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAExC,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,oDAAoD,QAAQ,UAAU,OAAO,IAAI,CAAC,CAAC;IACjG,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,yCAAyC,OAAO,IAAI,CAAC,CAAC;IACtE,CAAC;AACH,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * CLI module barrel — re-exports all command registration functions.
+ */
+export { register as registerAgent } from './commands/agent.js';
+export { register as registerConfig } from './commands/config.js';
+export { register as registerDashboard } from './commands/dashboard.js';
+export { register as registerDb } from './commands/db.js';
+export { register as registerDoctor } from './commands/doctor.js';
+export { register as registerGate } from './commands/gate.js';
+export { register as registerInit } from './commands/init.js';
+export { register as registerKey } from './commands/key.js';
+export { register as registerLedger } from './commands/ledger.js';
+export { register as registerMcp } from './commands/mcp.js';
+export { register as registerPolicy } from './commands/policy.js';
+export { register as registerUser } from './commands/user.js';
+export { register as registerVault } from './commands/vault.js';
+export { register as registerVaultManager } from './commands/vault-manager.js';
+export { register as registerWebhook } from './commands/webhook.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,QAAQ,IAAI,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,QAAQ,IAAI,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAC/E,OAAO,EAAE,QAAQ,IAAI,eAAe,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/cli/index.js

@@ -0,0 +1,19 @@
+/**
+ * CLI module barrel — re-exports all command registration functions.
+ */
+export { register as registerAgent } from './commands/agent.js';
+export { register as registerConfig } from './commands/config.js';
+export { register as registerDashboard } from './commands/dashboard.js';
+export { register as registerDb } from './commands/db.js';
+export { register as registerDoctor } from './commands/doctor.js';
+export { register as registerGate } from './commands/gate.js';
+export { register as registerInit } from './commands/init.js';
+export { register as registerKey } from './commands/key.js';
+export { register as registerLedger } from './commands/ledger.js';
+export { register as registerMcp } from './commands/mcp.js';
+export { register as registerPolicy } from './commands/policy.js';
+export { register as registerUser } from './commands/user.js';
+export { register as registerVault } from './commands/vault.js';
+export { register as registerVaultManager } from './commands/vault-manager.js';
+export { register as registerWebhook } from './commands/webhook.js';
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,QAAQ,IAAI,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,QAAQ,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,QAAQ,IAAI,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAC/E,OAAO,EAAE,QAAQ,IAAI,eAAe,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/cli/validation.d.ts

@@ -0,0 +1,37 @@
+/**
+ * CLI input validation helpers.
+ *
+ * Pure functions that validate user-provided CLI flags and exit with a
+ * descriptive error when the input is invalid.  Extracted from cli.ts so
+ * they can be unit-tested independently.
+ */
+export declare const IDENTIFIER_RE: RegExp;
+export declare const VALID_AUTH_TYPES: readonly ["bearer", "header", "basic", "query"];
+export declare const VALID_BODY_INSPECTION_MODES: readonly ["off", "warn", "block"];
+export declare const VALID_POLICY_MODES: readonly ["enforce", "dry-run", "off"];
+export declare const VALID_LOG_LEVELS: readonly ["debug", "info", "warn", "error"];
+export declare const VALID_MCP_TRANSPORTS: readonly ["stdio", "streamable-http"];
+/** Validate an identifier (name, service, etc.) used as a DB key or URL path segment. */
+export declare function validateIdentifier(value: string, fieldName: string): void;
+/** Validate a value is one of the allowed enum values. */
+export declare function validateEnum<T extends string>(value: string, allowed: readonly T[], fieldName: string): T;
+/** Validate a port number (1–65535). */
+export declare function validatePort(value: number, fieldName: string): void;
+/** Validate a positive integer. */
+export declare function validatePositiveInt(value: number, fieldName: string): void;
+/** Validate a non-negative float. */
+export declare function validateNonNegativeFloat(value: number, fieldName: string): void;
+/** Validate a rate limit string (e.g. 100/min) early, before storing. */
+export declare function validateRateLimit(value: string): void;
+/** Validate a comma-separated domain list. */
+export declare function validateDomains(raw: string): string[];
+/** Validate an ISO date string. */
+export declare function validateIsoDate(value: string, fieldName: string): void;
+/**
+ * Convert a UTC timestamp from SQLite (e.g. "2026-03-09 00:31:38") to
+ * the user's local time string.  SQLite's datetime('now') stores UTC but
+ * omits the 'Z' suffix, so we append it before parsing so JavaScript's
+ * Date constructor treats it as UTC rather than local.
+ */
+export declare function localTime(utcTimestamp: string): string;
+//# sourceMappingURL=validation.d.ts.map

package/dist/cli/validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/cli/validation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,eAAO,MAAM,aAAa,QAAqB,CAAC;AAEhD,eAAO,MAAM,gBAAgB,iDAAkD,CAAC;AAChF,eAAO,MAAM,2BAA2B,mCAAoC,CAAC;AAC7E,eAAO,MAAM,kBAAkB,wCAAyC,CAAC;AACzE,eAAO,MAAM,gBAAgB,6CAA8C,CAAC;AAC5E,eAAO,MAAM,oBAAoB,uCAAwC,CAAC;AAI1E,yFAAyF;AACzF,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAOzE;AAED,0DAA0D;AAC1D,wBAAgB,YAAY,CAAC,CAAC,SAAS,MAAM,EAC3C,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,SAAS,CAAC,EAAE,EACrB,SAAS,EAAE,MAAM,GAChB,CAAC,CAQH;AAED,wCAAwC;AACxC,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAKnE;AAED,mCAAmC;AACnC,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAK1E;AAED,qCAAqC;AACrC,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAK/E;AAED,yEAAyE;AACzE,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAcrD;AAED,8CAA8C;AAC9C,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAmBrD;AAED,mCAAmC;AACnC,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAQtE;AAID;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAGtD"}