@kill-switch/cli 0.2.0 → 0.3.0

package/README.md

@@ -40,7 +40,7 @@ ks onboard --provider cloudflare \
   --token YOUR_CF_API_TOKEN \
   --name "Production" \
   --shields cost-runaway,ddos \
-  --alert-email you@example.com
+  --alert-pagerduty YOUR_ROUTING_KEY
 
 # AWS
 ks onboard --provider aws \
@@ -85,6 +85,40 @@ ks shield error-storm         # Scale down on sustained high error rate
 ks shield --list
 ```
 
+## Alert Channels
+
+```sh
+# List configured channels
+ks alerts list
+
+# Add PagerDuty (recommended — get routing key from PagerDuty > Service > Integrations)
+ks alerts add --type pagerduty --routing-key YOUR_ROUTING_KEY
+
+# Add Slack
+ks alerts add --type slack --webhook-url https://hooks.slack.com/...
+
+# Add Discord
+ks alerts add --type discord --webhook-url https://discord.com/api/webhooks/...
+
+# Add GitHub AI remediation (triggers Claude Code to open a fix PR on extreme violations)
+ks alerts add --type github \
+  --token ghp_YOUR_PAT \
+  --repo-owner YOUR_ORG \
+  --repo-name YOUR_REPO \
+  --workflow kill-switch-remediate.yml \
+  --branch main
+
+# Add email or generic webhook
+ks alerts add --type email --email you@example.com
+ks alerts add --type webhook --webhook-url https://your-service.example.com/webhook
+
+# Remove a channel by name
+ks alerts remove "PagerDuty"
+
+# Send a test alert to all channels
+ks alerts test
+```
+
 ## Commands
 
 | Command | Description |
@@ -92,14 +126,18 @@ ks shield --list
 | `ks onboard` | One-command setup: connect + shields + alerts |
 | `ks auth login` | Authenticate with API key |
 | `ks auth status` | Show auth status |
+| `ks status` | Dashboard: accounts, alerts, 30-day spend summary |
 | `ks accounts list` | List connected cloud accounts |
 | `ks accounts add` | Connect a cloud provider |
 | `ks accounts check <id>` | Run manual check on an account |
-| `ks check` | Check all accounts |
+| `ks check` | Check all accounts (shows violations with multiplier column e.g. 60x) |
 | `ks shield <preset>` | Apply a protection preset |
 | `ks rules list` | List active rules |
 | `ks alerts list` | List alert channels |
-| `ks analytics` | Cost analytics overview |
+| `ks alerts add` | Add an alert channel |
+| `ks alerts remove <name>` | Remove an alert channel by name |
+| `ks alerts test` | Send a test alert to all channels |
+| `ks analytics` | Cost analytics: spend summary, 7-day table, per-account breakdown |
 | `ks config list` | Show configuration |
 
 ## AI Agent Usage
@@ -117,8 +155,15 @@ ks onboard \
   --token CF_API_TOKEN \
   --name "Production" \
   --shields cost-runaway,ddos \
+  --alert-pagerduty KEY \
   --json
 
+# Add PagerDuty alerts
+ks alerts add --type pagerduty --routing-key KEY --json
+
+# Full status dashboard
+ks status --json
+
 # All commands support --json for machine-readable output
 ks accounts list --json
 ks check --json
@@ -171,7 +216,7 @@ The CLI uses personal API keys (prefixed with `ks_live_`). Create one from [app.
 - [Dashboard](https://app.kill-switch.net)
 - [API Docs](https://kill-switch.net/docs)
 - [CLI Docs](https://kill-switch.net/docs/cli.html)
-- [GitHub](https://github.com/AiExpanse/kill-switch)
+- [GitHub](https://github.com/divinci-ai/kill-switch)
 
 ## License
 

package/dist/commands/accounts.d.ts

@@ -1,2 +1,3 @@
 import { Command } from "commander";
-export declare function registerAccountCommands(program: Command): void;
+import type { ClientFactory } from "../types.js";
+export declare function registerAccountCommands(program: Command, createClient: ClientFactory): void;

package/dist/commands/accounts.js

@@ -1,22 +1,28 @@
-import { apiRequest } from "../api-client.js";
-import { outputJson, formatTable, formatObject, outputError } from "../output.js";
-export function registerAccountCommands(program) {
+import { outputJson, formatTable, formatObject, handleError, spinner, success } from "../output.js";
+import { confirm } from "../prompts.js";
+export function registerAccountCommands(program, createClient) {
     const accounts = program.command("accounts").description("Manage cloud accounts");
     accounts
         .command("list")
         .alias("ls")
         .description("List connected cloud accounts")
-        .action(async () => {
+        .option("--provider <provider>", "Filter by provider (cloudflare, gcp, aws, runpod)")
+        .option("--status <status>", "Filter by status (active, paused, disconnected)")
+        .action(async (opts) => {
         const json = program.opts().json;
         try {
-            const data = await apiRequest("/cloud-accounts");
-            const list = data.accounts || data;
+            const client = createClient();
+            let list = await client.accounts.list();
+            if (opts.provider)
+                list = list.filter((a) => a.provider === opts.provider);
+            if (opts.status)
+                list = list.filter((a) => a.status === opts.status);
             if (json) {
                 outputJson(list);
             }
             else {
-                formatTable(Array.isArray(list) ? list : [], [
-                    { key: "_id", header: "ID" },
+                formatTable(list, [
+                    { key: "id", header: "ID" },
                     { key: "provider", header: "Provider" },
                     { key: "name", header: "Name" },
                     { key: "status", header: "Status" },
@@ -24,8 +30,7 @@ export function registerAccountCommands(program) {
             }
         }
         catch (err) {
-            outputError(err.message, json);
-            process.exit(1);
+            handleError(err, json);
         }
     });
     accounts
@@ -34,7 +39,8 @@ export function registerAccountCommands(program) {
         .action(async (id) => {
         const json = program.opts().json;
         try {
-            const data = await apiRequest(`/cloud-accounts/${id}`);
+            const client = createClient();
+            const data = await client.accounts.get(id);
             if (json) {
                 outputJson(data);
             }
@@ -43,8 +49,7 @@ export function registerAccountCommands(program) {
             }
         }
         catch (err) {
-            outputError(err.message, json);
-            process.exit(1);
+            handleError(err, json);
         }
     });
     accounts
@@ -66,21 +71,25 @@ export function registerAccountCommands(program) {
             credential.projectId = opts.projectId;
         if (opts.serviceAccount)
             credential.serviceAccountJson = opts.serviceAccount;
+        const s = json ? null : spinner(`Connecting ${provider}...`).start();
         try {
-            const data = await apiRequest("/cloud-accounts", {
-                method: "POST",
-                body: { provider, name: opts.name, credential },
+            const client = createClient();
+            const data = await client.accounts.create({
+                provider: provider,
+                name: opts.name,
+                credential: credential,
             });
+            s?.stop();
             if (json) {
                 outputJson(data);
             }
             else {
-                console.log(`Connected ${provider} account: ${data.name || data._id}`);
+                success(`Connected ${provider} account: ${data.name || data.id}`);
             }
         }
         catch (err) {
-            outputError(err.message, json);
-            process.exit(1);
+            s?.stop();
+            handleError(err, json);
         }
     });
     accounts
@@ -88,19 +97,24 @@ export function registerAccountCommands(program) {
         .alias("rm")
         .description("Disconnect and delete a cloud account")
         .action(async (id) => {
-        const json = program.opts().json;
+        const { json, yes } = program.opts();
         try {
-            await apiRequest(`/cloud-accounts/${id}`, { method: "DELETE" });
+            const ok = await confirm(`Are you sure you want to disconnect account ${id}?`, { yes, json });
+            if (!ok) {
+                console.log("Aborted.");
+                return;
+            }
+            const client = createClient();
+            await client.accounts.delete(id);
             if (json) {
                 outputJson({ deleted: true, id });
             }
             else {
-                console.log(`Account ${id} disconnected.`);
+                success(`Account ${id} disconnected.`);
             }
         }
         catch (err) {
-            outputError(err.message, json);
-            process.exit(1);
+            handleError(err, json);
         }
     });
     accounts
@@ -108,8 +122,11 @@ export function registerAccountCommands(program) {
         .description("Run manual monitoring check on an account")
         .action(async (id) => {
         const json = program.opts().json;
+        const s = json ? null : spinner("Running check...").start();
         try {
-            const data = await apiRequest(`/cloud-accounts/${id}/check`, { method: "POST" });
+            const client = createClient();
+            const data = await client.accounts.check(id);
+            s?.stop();
             if (json) {
                 outputJson(data);
             }
@@ -126,8 +143,8 @@ export function registerAccountCommands(program) {
             }
         }
         catch (err) {
-            outputError(err.message, json);
-            process.exit(1);
+            s?.stop();
+            handleError(err, json);
         }
     });
 }

package/dist/commands/activity.d.ts

@@ -0,0 +1,3 @@
+import { Command } from "commander";
+import type { ClientFactory } from "../types.js";
+export declare function registerActivityCommands(program: Command, createClient: ClientFactory): void;

package/dist/commands/activity.js

@@ -0,0 +1,80 @@
+import { outputJson, formatTable, handleError } from "../output.js";
+export function registerActivityCommands(program, createClient) {
+    const activity = program.command("activity").description("View audit trail and activity logs");
+    activity
+        .command("list")
+        .alias("ls")
+        .description("Query activity log (owner/admin only)")
+        .option("--page <n>", "Page number", "1")
+        .option("--limit <n>", "Results per page (max 100)", "25")
+        .option("--action <prefix>", "Filter by action prefix (e.g., cloud_account, rule, team, kill_switch)")
+        .option("--resource-type <type>", "Filter by resource type")
+        .option("--actor <userId>", "Filter by actor user ID")
+        .option("--from <date>", "Start date (ISO format)")
+        .option("--to <date>", "End date (ISO format)")
+        .action(async (opts) => {
+        const json = program.opts().json;
+        try {
+            const client = createClient();
+            const data = await client.activity.list({
+                page: parseInt(opts.page) || undefined,
+                limit: parseInt(opts.limit) || undefined,
+                action: opts.action,
+                resourceType: opts.resourceType,
+                actorUserId: opts.actor,
+                from: opts.from,
+                to: opts.to,
+            });
+            if (json) {
+                outputJson(data);
+            }
+            else {
+                console.log(`Activity Log — Page ${data.page} (${data.total} total entries)\n`);
+                formatTable((data.entries || []).map((e) => ({
+                    time: new Date(e.created_at).toLocaleString(),
+                    actor: e.actor_email || e.actor_user_id?.substring(0, 12) || "—",
+                    action: e.action,
+                    resource: `${e.resource_type}${e.resource_id ? `:${e.resource_id.substring(0, 8)}` : ""}`,
+                })), [
+                    { key: "time", header: "Time" },
+                    { key: "actor", header: "Actor" },
+                    { key: "action", header: "Action" },
+                    { key: "resource", header: "Resource" },
+                ]);
+                const totalPages = Math.ceil(data.total / data.limit);
+                if (totalPages > 1) {
+                    console.log(`\nPage ${data.page} of ${totalPages}. Use --page ${data.page + 1} for next.`);
+                }
+            }
+        }
+        catch (err) {
+            handleError(err, json);
+        }
+    });
+    // Shorthand: `ks activity` without subcommand shows recent
+    activity
+        .action(async () => {
+        const json = program.opts().json;
+        try {
+            const client = createClient();
+            const data = await client.activity.list({ limit: 10 });
+            if (json) {
+                outputJson(data);
+            }
+            else {
+                console.log("Recent Activity (last 10):\n");
+                for (const e of data.entries || []) {
+                    const time = new Date(e.created_at).toLocaleTimeString();
+                    const actor = e.actor_email || e.actor_user_id?.substring(0, 12) || "?";
+                    console.log(`  ${time}  ${actor}  ${e.action}  ${e.resourceType || ""}`);
+                }
+                if (data.total > 10) {
+                    console.log(`\n  ... ${data.total - 10} more. Use 'ks activity list' for full log.`);
+                }
+            }
+        }
+        catch (err) {
+            handleError(err, json);
+        }
+    });
+}

package/dist/commands/agent-guard.d.ts

@@ -0,0 +1,10 @@
+/**
+ * `ks guard` — the agent-guard surface inside the main Kill Switch CLI.
+ *
+ * Thin wrapper over @kill-switch/agent-guard's exported ops so users get one
+ * tool name. Local-only: these read/write the on-disk ledger + config and
+ * Claude Code settings; they do NOT call the Guardian API (the hook/proxy report
+ * breaches to the API on their own).
+ */
+import { Command } from "commander";
+export declare function registerAgentGuardCommands(program: Command): void;

package/dist/commands/agent-guard.js

@@ -0,0 +1,175 @@
+/**
+ * `ks guard` — the agent-guard surface inside the main Kill Switch CLI.
+ *
+ * Thin wrapper over @kill-switch/agent-guard's exported ops so users get one
+ * tool name. Local-only: these read/write the on-disk ledger + config and
+ * Claude Code settings; they do NOT call the Guardian API (the hook/proxy report
+ * breaches to the API on their own).
+ */
+import { createRequire } from "node:module";
+import { buildStatusReport, installHook, setBudget, resetLedger, writePause, clearPause, configPath, pausePath, startProxy, resolveUpstream, fmtUSD, } from "@kill-switch/agent-guard";
+import { outputJson, colors as c } from "../output.js";
+/** Resolve the absolute path to the agent-guard hook entry (its dist/cli.js). */
+function agentGuardCliPath() {
+    const require = createRequire(import.meta.url);
+    // Resolve the package entry, then point at the sibling cli.js the hook uses.
+    const pkgMain = require.resolve("@kill-switch/agent-guard");
+    return pkgMain.replace(/index\.js$/, "cli.js");
+}
+function bar(spent, hard) {
+    const pct = hard > 0 ? Math.min(100, Math.round((spent / hard) * 100)) : 0;
+    const filled = Math.round(pct / 5);
+    return `[${"█".repeat(filled)}${"░".repeat(20 - filled)}] ${pct}%`;
+}
+export function registerAgentGuardCommands(program) {
+    const guard = program
+        .command("guard")
+        .description("Kill Switch for coding agents — cap Claude Code / Cursor / Aider spend");
+    // ks guard status
+    guard
+        .command("status")
+        .description("Show current session + daily agent spend against the budget")
+        .action(() => {
+        const json = program.opts().json;
+        const report = buildStatusReport();
+        if (json) {
+            outputJson(report);
+            return;
+        }
+        const icon = report.paused ? "⏸ " : report.verdict === "block" ? "🛑" : report.verdict === "warn" ? "⚠️ " : "✅";
+        console.log(`\n${icon} ${c.bold("Agent Guard")} — ${report.paused ? "PAUSED (enforcement off)" : report.verdict.toUpperCase()}`);
+        if (report.paused) {
+            console.log(report.pauseUntil
+                ? c.dim(`   resumes ${new Date(report.pauseUntil).toLocaleString()}`)
+                : c.dim("   paused indefinitely — `ks guard resume` to re-arm"));
+        }
+        console.log("");
+        console.log(`  ${c.bold("Daily (24h):")} ${fmtUSD(report.dailyUSD)} / ${fmtUSD(report.budget.dailyHardUSD)}  ${bar(report.dailyUSD, report.budget.dailyHardUSD)}`);
+        console.log("");
+        if (report.sessions.length === 0) {
+            console.log(c.dim("  No active sessions in the last 24h."));
+        }
+        else {
+            console.log(c.bold("  Active sessions (24h):"));
+            for (const s of report.sessions.slice(0, 8)) {
+                console.log(`   ${fmtUSD(s.costUSD).padStart(9)} / ${fmtUSD(report.budget.sessionHardUSD)}  ${bar(s.costUSD, report.budget.sessionHardUSD)}  ${c.dim(s.id)}`);
+            }
+        }
+        for (const r of report.reasons)
+            console.log(`  ${c.yellow("•")} ${r}`);
+        console.log("");
+    });
+    // ks guard install
+    guard
+        .command("install")
+        .description("Wire the agent-guard hook into Claude Code settings")
+        .option("--global", "Install into ~/.claude/settings.json (default: ./.claude/settings.json)")
+        .action((opts) => {
+        const json = program.opts().json;
+        const { settingsPath, command, added } = installHook(agentGuardCliPath(), process.execPath, { global: opts.global });
+        if (json) {
+            outputJson({ settingsPath, command, added });
+            return;
+        }
+        console.log(`✅ Hook installed → ${settingsPath}`);
+        console.log(`   Events: ${added.length ? added.join(", ") : "(already present — no change)"}`);
+        console.log(c.dim(`   Command: ${command}`));
+        console.log(c.dim(`   Set caps with: ks guard config --session-hard 30 --daily-hard 150`));
+    });
+    // ks guard config
+    guard
+        .command("config")
+        .description("View or set agent-guard budget caps")
+        .option("--session-soft <usd>", "Per-session soft cap (warn)")
+        .option("--session-hard <usd>", "Per-session hard cap (block)")
+        .option("--daily-soft <usd>", "Daily rolling soft cap (warn)")
+        .option("--daily-hard <usd>", "Daily rolling hard cap (block)")
+        .option("--slack-webhook <url>", "Slack incoming-webhook for breach alerts")
+        .action((opts) => {
+        const json = program.opts().json;
+        const anySet = ["sessionSoft", "sessionHard", "dailySoft", "dailyHard", "slackWebhook"].some((k) => opts[k] !== undefined);
+        if (!anySet) {
+            const report = buildStatusReport();
+            if (json)
+                return outputJson({ budget: report.budget, configPath: configPath() });
+            console.log(JSON.stringify(report.budget, null, 2));
+            console.log(c.dim(`\nConfig file: ${configPath()}`));
+            return;
+        }
+        const num = (v) => (v !== undefined ? Number(v) : undefined);
+        const budget = setBudget({
+            sessionSoftUSD: num(opts.sessionSoft),
+            sessionHardUSD: num(opts.sessionHard),
+            dailySoftUSD: num(opts.dailySoft),
+            dailyHardUSD: num(opts.dailyHard),
+            slackWebhook: opts.slackWebhook,
+        });
+        if (json)
+            return outputJson({ budget, saved: true });
+        console.log(`✅ Saved → ${configPath()}`);
+        console.log(JSON.stringify(budget, null, 2));
+    });
+    // ks guard pause
+    guard
+        .command("pause")
+        .description("Temporarily disable enforcement (escape hatch)")
+        .option("--minutes <n>", "Auto-resume after N minutes (default: indefinite)")
+        .action((opts) => {
+        const json = program.opts().json;
+        const mins = opts.minutes !== undefined ? Number(opts.minutes) : NaN;
+        if (opts.minutes !== undefined && Number.isFinite(mins)) {
+            const until = Date.now() + mins * 60_000;
+            writePause(until);
+            if (json)
+                return outputJson({ paused: true, until });
+            console.log(`⏸  Enforcement paused until ${new Date(until).toLocaleString()} (${mins} min).`);
+        }
+        else {
+            writePause();
+            if (json)
+                return outputJson({ paused: true, until: null });
+            console.log("⏸  Enforcement paused indefinitely. Re-arm with `ks guard resume`.");
+        }
+        console.log(c.dim(`   Sentinel: ${pausePath()}`));
+    });
+    // ks guard resume
+    guard
+        .command("resume")
+        .description("Re-arm enforcement after a pause")
+        .action(() => {
+        const json = program.opts().json;
+        clearPause();
+        if (json)
+            return outputJson({ paused: false });
+        console.log("✅ Enforcement re-armed.");
+    });
+    // ks guard reset
+    guard
+        .command("reset")
+        .description("Clear the agent spend ledger")
+        .option("--all", "Wipe all sessions")
+        .option("--session <id>", "Clear a single session")
+        .option("--today", "Clear sessions active today")
+        .action((opts) => {
+        const json = program.opts().json;
+        const msg = resetLedger({ all: opts.all, session: opts.session, today: opts.today });
+        if (json)
+            return outputJson({ message: msg });
+        console.log(`✅ ${msg}`);
+    });
+    // ks guard proxy
+    guard
+        .command("proxy")
+        .description("Start the token-metering proxy (HTTP 402 at the hard cap) for non-Claude-Code agents")
+        .option("--port <n>", "Port to listen on", "8787")
+        .option("--flavor <name>", "API flavor: anthropic | openai", "anthropic")
+        .option("--upstream <url>", "Upstream origin (default: api.anthropic.com / api.openai.com)")
+        .action((opts) => {
+        const flavor = opts.flavor === "openai" ? "openai" : "anthropic";
+        startProxy({
+            port: parseInt(opts.port, 10) || 8787,
+            flavor,
+            upstream: resolveUpstream(flavor, opts.upstream),
+        });
+    });
+}

package/dist/commands/alerts.d.ts

@@ -1,2 +1,3 @@
 import { Command } from "commander";
-export declare function registerAlertCommands(program: Command): void;
+import type { ClientFactory } from "../types.js";
+export declare function registerAlertCommands(program: Command, createClient: ClientFactory): void;