@llm-dev-ops/agentics-cli 1.4.1 → 1.4.6

package/dist/gates/auth-session-gate.js

@@ -0,0 +1,151 @@
+/**
+ * Authentication Session Gate Module
+ *
+ * CONTROL PLANE HARDENING
+ *
+ * PURPOSE: Enforce authenticated session requirement for ALL operational commands.
+ *          CLI MUST require valid authentication before invoking remote services.
+ *
+ * CRITICAL REQUIREMENTS:
+ * - CLI requires authenticated session
+ * - No anonymous operations allowed
+ * - Clear error messaging for auth failures
+ *
+ * FORBIDDEN:
+ * - Fallback to anonymous access
+ * - Silent auth bypass
+ * - Local execution fallback
+ */
+import { hasValidCredentials, getActiveAccount } from '../auth/gcp-identity.js';
+import { createCredentialStore } from '../utils/credentials.js';
+import { EXIT_CODES } from '../types/index.js';
+// ============================================================================
+// Authentication Gate Configuration
+// ============================================================================
+/**
+ * Exit code for authentication required.
+ */
+export const AUTH_REQUIRED_EXIT_CODE = EXIT_CODES.AUTH_ERROR;
+// ============================================================================
+// Authentication Gate Error
+// ============================================================================
+export class AuthSessionRequiredError extends Error {
+    constructor() {
+        super(`\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n` +
+            `  AUTHENTICATION REQUIRED\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n` +
+            `\n` +
+            `  The CLI requires an authenticated session to execute this command.\n` +
+            `  No valid credentials were found.\n` +
+            `\n` +
+            `  TO AUTHENTICATE:\n` +
+            `\n` +
+            `  Option 1: Platform login (recommended)\n` +
+            `    agentics login\n` +
+            `\n` +
+            `  Option 2: GCP authentication\n` +
+            `    gcloud auth login\n` +
+            `\n` +
+            `  After authenticating, re-run your command.\n` +
+            `\n` +
+            `━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n`);
+        this.name = 'AuthSessionRequiredError';
+    }
+}
+// ============================================================================
+// Authentication Gate Implementation
+// ============================================================================
+/**
+ * Check if user has valid platform credentials.
+ */
+async function hasPlatformCredentials() {
+    try {
+        const store = createCredentialStore();
+        const credentials = await store.load();
+        if (credentials && credentials.api_key) {
+            return { valid: true, email: credentials.email };
+        }
+        return { valid: false };
+    }
+    catch {
+        return { valid: false };
+    }
+}
+/**
+ * Check if user has valid GCP credentials.
+ */
+function hasGcpCredentials() {
+    const hasCredentials = hasValidCredentials();
+    if (hasCredentials) {
+        const account = getActiveAccount();
+        return { valid: true, account: account ?? undefined };
+    }
+    return { valid: false };
+}
+/**
+ * Check if user has valid authentication.
+ * Checks both platform credentials and GCP credentials.
+ */
+export async function checkAuthSessionGate() {
+    // Check platform credentials first
+    const platformAuth = await hasPlatformCredentials();
+    if (platformAuth.valid) {
+        return {
+            authenticated: true,
+            method: 'platform',
+            account: platformAuth.email,
+        };
+    }
+    // Fall back to GCP credentials
+    const gcpAuth = hasGcpCredentials();
+    if (gcpAuth.valid) {
+        return {
+            authenticated: true,
+            method: 'gcp',
+            account: gcpAuth.account,
+        };
+    }
+    // No valid credentials found
+    return {
+        authenticated: false,
+        exitCode: AUTH_REQUIRED_EXIT_CODE,
+        message: new AuthSessionRequiredError().message,
+    };
+}
+/**
+ * Enforce the authentication session gate.
+ * Exits the process if no valid authentication is found.
+ */
+export async function enforceAuthSessionGate() {
+    const result = await checkAuthSessionGate();
+    if (!result.authenticated) {
+        console.error(result.message);
+        process.exit(result.exitCode);
+    }
+}
+/**
+ * Commands that require authentication.
+ * All operational commands require authentication.
+ * Only login, whoami, help, and version are allowed without authentication.
+ */
+const AUTH_REQUIRED_COMMANDS = new Set([
+    'plan',
+    'simulate',
+    'inspect',
+    'quantify',
+    'deploy',
+    'export',
+    'diligence',
+    'usage',
+    'policy',
+    'erp',
+    'logout',
+]);
+/**
+ * Check if a command requires authentication.
+ */
+export function requiresAuthentication(command) {
+    return AUTH_REQUIRED_COMMANDS.has(command);
+}
+//# sourceMappingURL=auth-session-gate.js.map

package/dist/gates/auth-session-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-session-gate.js","sourceRoot":"","sources":["../../src/gates/auth-session-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,+EAA+E;AAC/E,oCAAoC;AACpC,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,UAAU,CAAC,UAAU,CAAC;AAE7D,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjD;QACE,KAAK,CACH,IAAI;YACJ,+EAA+E;YAC/E,6BAA6B;YAC7B,+EAA+E;YAC/E,IAAI;YACJ,wEAAwE;YACxE,sCAAsC;YACtC,IAAI;YACJ,sBAAsB;YACtB,IAAI;YACJ,4CAA4C;YAC5C,sBAAsB;YACtB,IAAI;YACJ,kCAAkC;YAClC,yBAAyB;YACzB,IAAI;YACJ,gDAAgD;YAChD,IAAI;YACJ,+EAA+E,CAChF,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AAcD,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E;;GAEG;AACH,KAAK,UAAU,sBAAsB;IACnC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,qBAAqB,EAAE,CAAC;QACtC,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;QAEvC,IAAI,WAAW,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC;QACnD,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB;IACxB,MAAM,cAAc,GAAG,mBAAmB,EAAE,CAAC;IAC7C,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;QACnC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,CAAC;IACxD,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACxC,mCAAmC;IACnC,MAAM,YAAY,GAAG,MAAM,sBAAsB,EAAE,CAAC;IACpD,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;QACvB,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,YAAY,CAAC,KAAK;SAC5B,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO;YACL,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,OAAO;QACL,aAAa,EAAE,KAAK;QACpB,QAAQ,EAAE,uBAAuB;QACjC,OAAO,EAAE,IAAI,wBAAwB,EAAE,CAAC,OAAO;KAChD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB;IAC1C,MAAM,MAAM,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAE5C,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,MAAM;IACN,UAAU;IACV,SAAS;IACT,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,OAAO;IACP,QAAQ;IACR,KAAK;IACL,QAAQ;CACT,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,OAAO,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC"}

package/dist/gates/execution-gate.d.ts

@@ -1,22 +1,18 @@
 /**
  * Execution Gate Module
  *
- * HARD EXECUTION KILL-SWITCH
- *
- * PURPOSE: Global execution gate that prevents all operational commands from running
- *          unless execution is explicitly enabled. This is a binary gate enforced
- *          BEFORE any entitlement, usage, or billing logic.
+ * PURPOSE: Global execution gate that controls command access based on
+ *          user entitlement (internal email or paid API key).
  *
  * ENTITLEMENTS:
  * - "internal" - Internal maintainers (allow-listed by email)
- * - Standard entitlements follow existing payment/execution logic
- *
- * FORBIDDEN:
- * - Consulting usage or billing for internal users
- * - Allowing partial execution
- * - Allowing "free tier" commands
+ * - "paid" - Users with a valid API key
+ * - "none" - No entitlement, blocked from operational commands
  *
- * This is a hard kill-switch, not a pricing feature.
+ * LOGIC:
+ * - Identity commands (login, logout, whoami, help, version) always allowed
+ * - Internal or paid users get full access to all commands
+ * - Users with no entitlement are blocked
  */
 /**
  * Entitlement types supported by the execution gate.
@@ -55,9 +51,8 @@ export interface ExecutionGateResult {
  * Execution flow:
  *   1. Always allow identity and help commands
  *   2. Resolve user entitlement
- *   3. If entitlement === "internal" → allow execution
- *   4. If EXECUTION_ENABLED === true → allow execution
- *   5. Otherwise → block execution
+ *   3. If entitlement === "internal" or "paid" → allow execution
+ *   4. Otherwise → block execution
  *
  * @param command - The command name (e.g., 'plan', 'simulate', 'login')
  * @returns ExecutionGateResult indicating if execution is allowed
@@ -70,9 +65,9 @@ export declare function checkExecutionGate(command: string): ExecutionGateResult
  */
 export declare function enforceExecutionGate(command: string): void;
 /**
- * Check if execution is globally enabled.
+ * Check if execution is enabled for the current user.
  *
- * @returns true if execution is enabled, false otherwise
+ * @returns true if the user has internal or paid entitlement
  */
 export declare function isExecutionEnabled(): boolean;
 /**

package/dist/gates/execution-gate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"execution-gate.d.ts","sourceRoot":"","sources":["../../src/gates/execution-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAsCH;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,MAAM,CAAC;AAqBvD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,IAAI,WAAW,CAqBhD;AAgBD;;;GAGG;AACH,eAAO,MAAM,2BAA2B,IAA+B,CAAC;AAoBxE,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,mBAAmB,CAyBvE;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAO1D;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,OAAO,CAE5C;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,WAAW,CAAC,MAAM,CAAC,CAExD"}
+{"version":3,"file":"execution-gate.d.ts","sourceRoot":"","sources":["../../src/gates/execution-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AA6BH;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,MAAM,CAAC;AAuDvD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,IAAI,WAAW,CA8BhD;AAiBD;;;GAGG;AACH,eAAO,MAAM,2BAA2B,IAA+B,CAAC;AAoBxE,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,mBAAmB,CAyBvE;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAO1D;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,OAAO,CAG5C;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,WAAW,CAAC,MAAM,CAAC,CAExD"}

package/dist/gates/execution-gate.js

@@ -1,22 +1,18 @@
 /**
  * Execution Gate Module
  *
- * HARD EXECUTION KILL-SWITCH
- *
- * PURPOSE: Global execution gate that prevents all operational commands from running
- *          unless execution is explicitly enabled. This is a binary gate enforced
- *          BEFORE any entitlement, usage, or billing logic.
+ * PURPOSE: Global execution gate that controls command access based on
+ *          user entitlement (internal email or paid API key).
  *
  * ENTITLEMENTS:
  * - "internal" - Internal maintainers (allow-listed by email)
- * - Standard entitlements follow existing payment/execution logic
- *
- * FORBIDDEN:
- * - Consulting usage or billing for internal users
- * - Allowing partial execution
- * - Allowing "free tier" commands
+ * - "paid" - Users with a valid API key
+ * - "none" - No entitlement, blocked from operational commands
  *
- * This is a hard kill-switch, not a pricing feature.
+ * LOGIC:
+ * - Identity commands (login, logout, whoami, help, version) always allowed
+ * - Internal or paid users get full access to all commands
+ * - Users with no entitlement are blocked
  */
 import * as fs from 'node:fs';
 import * as path from 'node:path';
@@ -27,16 +23,7 @@ import { getActiveAccount } from '../auth/gcp-identity.js';
 // Execution Gate Configuration
 // ============================================================================
 /**
- * HARD KILL-SWITCH: Execution is DISABLED by default.
- *
- * To enable execution, set environment variable:
- *   AGENTICS_EXECUTION_ENABLED=true
- *
- * This gate decides IF execution is possible at all.
- */
-const EXECUTION_ENABLED = process.env.AGENTICS_EXECUTION_ENABLED === 'true';
-/**
- * Commands that are ALWAYS allowed, regardless of execution gate status.
+ * Commands that are ALWAYS allowed, regardless of entitlement.
  * These are identity and help commands only.
  */
 const ALLOWED_COMMANDS = new Set([
@@ -47,14 +34,9 @@ const ALLOWED_COMMANDS = new Set([
     'version',
 ]);
 /**
- * INTERNAL_EMAILS: Authoritative allow-list for internal maintainers.
- *
- * Users with emails in this list are granted the "internal" entitlement,
- * which allows full CLI execution without payment verification.
- *
- * This is a first-class entitlement, not a bypass or debug shortcut.
+ * Default internal emails (fallback if config file doesn't exist).
  */
-const INTERNAL_EMAILS = new Set([
+const DEFAULT_INTERNAL_EMAILS = [
     'nick@nicholasruest.com',
     'sales@globalbusinessadvisors.co',
     'nicholasruest1@gmail.com',
@@ -63,7 +45,44 @@ const INTERNAL_EMAILS = new Set([
     'ruv@agentics.org',
     'cvsrohit@gmail.com',
     'rishubcheddlla@gmail.com',
-]);
+];
+/**
+ * Load internal emails from config file or use defaults.
+ * Config file: ~/.agentics/internal-users.json
+ * Format: { "emails": ["email1@example.com", "email2@example.com"] }
+ */
+function loadInternalEmails() {
+    try {
+        const configPath = path.join(os.homedir(), '.agentics', 'internal-users.json');
+        if (fs.existsSync(configPath)) {
+            const content = fs.readFileSync(configPath, 'utf-8');
+            const config = JSON.parse(content);
+            if (Array.isArray(config.emails)) {
+                return new Set(config.emails.map((e) => e.toLowerCase()));
+            }
+        }
+    }
+    catch {
+        // Config file doesn't exist or is invalid, use defaults
+    }
+    // Create default config file if it doesn't exist
+    try {
+        const configDir = path.join(os.homedir(), '.agentics');
+        const configPath = path.join(configDir, 'internal-users.json');
+        if (!fs.existsSync(configPath)) {
+            if (!fs.existsSync(configDir)) {
+                fs.mkdirSync(configDir, { recursive: true });
+            }
+            fs.writeFileSync(configPath, JSON.stringify({ emails: DEFAULT_INTERNAL_EMAILS }, null, 2));
+        }
+    }
+    catch {
+        // Failed to create config file, continue with defaults
+    }
+    return new Set(DEFAULT_INTERNAL_EMAILS.map(e => e.toLowerCase()));
+}
+// Load internal emails once at startup
+const INTERNAL_EMAILS = loadInternalEmails();
 /**
  * Resolve the entitlement for the currently authenticated user.
  *
@@ -80,28 +99,37 @@ export function resolveEntitlement() {
     if (envEmail && INTERNAL_EMAILS.has(envEmail.toLowerCase())) {
         return 'internal';
     }
-    // Check stored credentials for email
-    const storedEmail = getStoredEmail();
-    if (storedEmail && INTERNAL_EMAILS.has(storedEmail.toLowerCase())) {
+    // Check stored credentials for email and payment status
+    const storedCreds = getStoredCredentials();
+    if (storedCreds?.email && INTERNAL_EMAILS.has(storedCreds.email.toLowerCase())) {
         return 'internal';
     }
+    // Check if API key holder has paid status
+    if (storedCreds?.api_key && storedCreds.payment_status === 'paid') {
+        return 'paid';
+    }
     // Fall back to gcloud account
     const account = getActiveAccount();
     if (account && INTERNAL_EMAILS.has(account.toLowerCase())) {
         return 'internal';
     }
-    // Future: Check for paid entitlements via payment service
+    // If user has a valid API key, treat as paid (API keys are issued to paying users)
+    if (storedCreds?.api_key) {
+        return 'paid';
+    }
     return 'none';
 }
 /**
- * Read email from stored credentials (sync).
+ * Read stored credentials (sync).
  */
-function getStoredEmail() {
+function getStoredCredentials() {
     try {
         const credPath = path.join(os.homedir(), '.agentics', 'credentials.json');
         const content = fs.readFileSync(credPath, 'utf-8');
         const creds = JSON.parse(content);
-        return creds.email ?? null;
+        if (!creds.api_key)
+            return null;
+        return creds;
     }
     catch {
         return null;
@@ -136,9 +164,8 @@ Contact the Agentics team to enable execution.
  * Execution flow:
  *   1. Always allow identity and help commands
  *   2. Resolve user entitlement
- *   3. If entitlement === "internal" → allow execution
- *   4. If EXECUTION_ENABLED === true → allow execution
- *   5. Otherwise → block execution
+ *   3. If entitlement === "internal" or "paid" → allow execution
+ *   4. Otherwise → block execution
  *
  * @param command - The command name (e.g., 'plan', 'simulate', 'login')
  * @returns ExecutionGateResult indicating if execution is allowed
@@ -150,12 +177,12 @@ export function checkExecutionGate(command) {
     }
     // Resolve entitlement before applying execution gate
     const entitlement = resolveEntitlement();
-    // Internal users have full access - this is a first-class entitlement
+    // Internal users have full access
     if (entitlement === 'internal') {
         return { allowed: true };
     }
-    // If execution is enabled, allow all commands
-    if (EXECUTION_ENABLED) {
+    // Paid users have full access
+    if (entitlement === 'paid') {
         return { allowed: true };
     }
     // Block all other commands
@@ -178,12 +205,13 @@ export function enforceExecutionGate(command) {
     }
 }
 /**
- * Check if execution is globally enabled.
+ * Check if execution is enabled for the current user.
  *
- * @returns true if execution is enabled, false otherwise
+ * @returns true if the user has internal or paid entitlement
  */
 export function isExecutionEnabled() {
-    return EXECUTION_ENABLED;
+    const entitlement = resolveEntitlement();
+    return entitlement === 'internal' || entitlement === 'paid';
 }
 /**
  * Get the list of commands that are always allowed.

package/dist/gates/execution-gate.js.map

@@ -1 +1 @@
-{"version":3,"file":"execution-gate.js","sourceRoot":"","sources":["../../src/gates/execution-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,MAAM,CAAC;AAE5E;;;GAGG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,SAAS;CACV,CAAC,CAAC;AAWH;;;;;;;GAOG;AACH,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,wBAAwB;IACxB,iCAAiC;IACjC,0BAA0B;IAC1B,yBAAyB;IACzB,aAAa;IACb,kBAAkB;IAClB,oBAAoB;IACpB,0BAA0B;CAC3B,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB;IAChC,sEAAsE;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IACpD,IAAI,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC5D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,qCAAqC;IACrC,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,IAAI,WAAW,IAAI,eAAe,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAClE,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,8BAA8B;IAC9B,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;IACnC,IAAI,OAAO,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC1D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,0DAA0D;IAC1D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc;IACrB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,OAAO,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,UAAU,CAAC,iBAAiB,CAAC;AAExE,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E,MAAM,eAAe,GAAG;;;;;;;;CAQvB,CAAC,IAAI,EAAE,CAAC;AAYT;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,0CAA0C;IAC1C,IAAI,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IAEzC,sEAAsE;IACtE,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,8CAA8C;IAC9C,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE,2BAA2B;QACrC,OAAO,EAAE,eAAe;KACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}
+{"version":3,"file":"execution-gate.js","sourceRoot":"","sources":["../../src/gates/execution-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,SAAS;CACV,CAAC,CAAC;AAWH;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,wBAAwB;IACxB,iCAAiC;IACjC,0BAA0B;IAC1B,yBAAyB;IACzB,aAAa;IACb,kBAAkB;IAClB,oBAAoB;IACpB,0BAA0B;CAC3B,CAAC;AAEF;;;;GAIG;AACH,SAAS,kBAAkB;IACzB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,qBAAqB,CAAC,CAAC;QAC/E,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wDAAwD;IAC1D,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;QAC/D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,uBAAuB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uDAAuD;IACzD,CAAC;IAED,OAAO,IAAI,GAAG,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,uCAAuC;AACvC,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC;AAE7C;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB;IAChC,sEAAsE;IACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IACpD,IAAI,QAAQ,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC5D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,wDAAwD;IACxD,MAAM,WAAW,GAAG,oBAAoB,EAAE,CAAC;IAC3C,IAAI,WAAW,EAAE,KAAK,IAAI,eAAe,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC/E,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,IAAI,WAAW,EAAE,OAAO,IAAI,WAAW,CAAC,cAAc,KAAK,MAAM,EAAE,CAAC;QAClE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,8BAA8B;IAC9B,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;IACnC,IAAI,OAAO,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC1D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,mFAAmF;IACnF,IAAI,WAAW,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB;IAC3B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAoB,CAAC;QACrD,IAAI,CAAC,KAAK,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,UAAU,CAAC,iBAAiB,CAAC;AAExE,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E,MAAM,eAAe,GAAG;;;;;;;;CAQvB,CAAC,IAAI,EAAE,CAAC;AAYT;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,0CAA0C;IAC1C,IAAI,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IAEzC,kCAAkC;IAClC,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,8BAA8B;IAC9B,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE,2BAA2B;QACrC,OAAO,EAAE,eAAe;KACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IACzC,OAAO,WAAW,KAAK,UAAU,IAAI,WAAW,KAAK,MAAM,CAAC;AAC9D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}

package/dist/gates/index.d.ts

@@ -1,8 +1,26 @@
 /**
- * Gates Module
+ * Control Plane Hardening Gates Index
  *
  * Centralized execution control for the Agentics CLI.
  * This module contains all gate logic for controlling command execution.
+ *
+ * GATE ENFORCEMENT ORDER:
+ * 1. Execution Gate - Kill-switch (entitlement check)
+ * 2. Auth Session Gate - Requires authenticated session
+ * 3. Service Health Gate - Validates Ruvector-backed service availability
+ * 4. Output Format Gate - Enforces strict JSON output
+ *
+ * CRITICAL REQUIREMENTS MET:
+ * - CLI requires Ruvector-backed services (Service Health Gate)
+ * - CLI never executes agents locally (Localhost Safeguard in endpoints.ts)
+ * - CLI fails loudly if services misconfigured (All gates fail-fast)
+ * - Requires authenticated session (Auth Session Gate)
+ * - Validates target service availability (Service Health Gate)
+ * - Enforces strict JSON outputs (Output Format Gate)
+ * - Never allows narrative output (Output Format Gate)
  */
-export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, EXECUTION_BLOCKED_EXIT_CODE, type ExecutionGateResult, } from './execution-gate.js';
+export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, resolveEntitlement, EXECUTION_BLOCKED_EXIT_CODE, type ExecutionGateResult, type Entitlement, } from './execution-gate.js';
+export { enforceAuthSessionGate, checkAuthSessionGate, requiresAuthentication, AUTH_REQUIRED_EXIT_CODE, AuthSessionRequiredError, type AuthSessionGateResult, } from './auth-session-gate.js';
+export { enforceServiceHealthGate, checkServiceHealthGate, requiresHealthCheck, SERVICE_UNAVAILABLE_EXIT_CODE, ServiceHealthError, type ServiceHealthResult, type ServiceHealthGateResult, } from './service-health-gate.js';
+export { enforceOutputFormatGate, checkOutputFormatGate, requiresStructuredOutput, getDefaultFormat, INVALID_FORMAT_EXIT_CODE, InvalidOutputFormatError, type OutputFormatGateResult, } from './output-format-gate.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/gates/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,EAC3B,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,EAC3B,KAAK,mBAAmB,EACxB,KAAK,WAAW,GACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,GAC7B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,EACxB,KAAK,sBAAsB,GAC5B,MAAM,yBAAyB,CAAC"}

package/dist/gates/index.js

@@ -1,8 +1,30 @@
 /**
- * Gates Module
+ * Control Plane Hardening Gates Index
  *
  * Centralized execution control for the Agentics CLI.
  * This module contains all gate logic for controlling command execution.
+ *
+ * GATE ENFORCEMENT ORDER:
+ * 1. Execution Gate - Kill-switch (entitlement check)
+ * 2. Auth Session Gate - Requires authenticated session
+ * 3. Service Health Gate - Validates Ruvector-backed service availability
+ * 4. Output Format Gate - Enforces strict JSON output
+ *
+ * CRITICAL REQUIREMENTS MET:
+ * - CLI requires Ruvector-backed services (Service Health Gate)
+ * - CLI never executes agents locally (Localhost Safeguard in endpoints.ts)
+ * - CLI fails loudly if services misconfigured (All gates fail-fast)
+ * - Requires authenticated session (Auth Session Gate)
+ * - Validates target service availability (Service Health Gate)
+ * - Enforces strict JSON outputs (Output Format Gate)
+ * - Never allows narrative output (Output Format Gate)
  */
-export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, EXECUTION_BLOCKED_EXIT_CODE, } from './execution-gate.js';
+// Execution Gate - Hard kill-switch
+export { checkExecutionGate, enforceExecutionGate, isExecutionEnabled, getAllowedCommands, resolveEntitlement, EXECUTION_BLOCKED_EXIT_CODE, } from './execution-gate.js';
+// Auth Session Gate - Requires authenticated session
+export { enforceAuthSessionGate, checkAuthSessionGate, requiresAuthentication, AUTH_REQUIRED_EXIT_CODE, AuthSessionRequiredError, } from './auth-session-gate.js';
+// Service Health Gate - Validates Ruvector-backed services
+export { enforceServiceHealthGate, checkServiceHealthGate, requiresHealthCheck, SERVICE_UNAVAILABLE_EXIT_CODE, ServiceHealthError, } from './service-health-gate.js';
+// Output Format Gate - Enforces strict JSON output
+export { enforceOutputFormatGate, checkOutputFormatGate, requiresStructuredOutput, getDefaultFormat, INVALID_FORMAT_EXIT_CODE, InvalidOutputFormatError, } from './output-format-gate.js';
 //# sourceMappingURL=index.js.map

package/dist/gates/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,GAE5B,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/gates/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,oCAAoC;AACpC,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,EAClB,2BAA2B,GAG5B,MAAM,qBAAqB,CAAC;AAE7B,qDAAqD;AACrD,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,GAEzB,MAAM,wBAAwB,CAAC;AAEhC,2DAA2D;AAC3D,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,mBAAmB,EACnB,6BAA6B,EAC7B,kBAAkB,GAGnB,MAAM,0BAA0B,CAAC;AAElC,mDAAmD;AACnD,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,wBAAwB,EACxB,gBAAgB,EAChB,wBAAwB,EACxB,wBAAwB,GAEzB,MAAM,yBAAyB,CAAC"}

package/dist/gates/output-format-gate.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Output Format Gate Module
+ *
+ * CONTROL PLANE HARDENING
+ *
+ * PURPOSE: Enforce strict JSON-only output for CLI operations.
+ *          CLI MUST NOT produce narrative output for operational commands.
+ *
+ * CRITICAL REQUIREMENTS:
+ * - Enforce strict JSON outputs
+ * - Never allow narrative output
+ * - Validate output format before rendering
+ *
+ * FORBIDDEN:
+ * - Narrative/prose output
+ * - Unstructured text responses
+ * - Human-readable summaries (for operational commands)
+ */
+import { type OutputFormat } from '../types/index.js';
+/**
+ * Exit code for invalid output format.
+ */
+export declare const INVALID_FORMAT_EXIT_CODE: 65;
+export declare class InvalidOutputFormatError extends Error {
+    readonly requestedFormat: string;
+    readonly allowedFormats: string[];
+    constructor(requestedFormat: string, allowedFormats: string[]);
+}
+export interface OutputFormatGateResult {
+    valid: boolean;
+    format: OutputFormat;
+    exitCode?: number;
+    message?: string;
+}
+/**
+ * Validate the requested output format.
+ * Only structured formats (json, yaml) are allowed for operational commands.
+ */
+export declare function checkOutputFormatGate(requestedFormat: OutputFormat | undefined, command: string): OutputFormatGateResult;
+/**
+ * Enforce the output format gate.
+ * Exits the process if an invalid format is requested.
+ */
+export declare function enforceOutputFormatGate(requestedFormat: OutputFormat | undefined, command: string): OutputFormat;
+/**
+ * Check if a command requires structured output.
+ */
+export declare function requiresStructuredOutput(command: string): boolean;
+/**
+ * Get the default output format for a command.
+ * Always returns 'json' for operational commands.
+ */
+export declare function getDefaultFormat(command: string): OutputFormat;
+//# sourceMappingURL=output-format-gate.d.ts.map

package/dist/gates/output-format-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-format-gate.d.ts","sourceRoot":"","sources":["../../src/gates/output-format-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAc,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAelE;;GAEG;AACH,eAAO,MAAM,wBAAwB,IAA+B,CAAC;AAMrE,qBAAa,wBAAyB,SAAQ,KAAK;IACjD,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;gBAEtB,eAAe,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE;CA0B9D;AAMD,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,eAAe,EAAE,YAAY,GAAG,SAAS,EACzC,OAAO,EAAE,MAAM,GACd,sBAAsB,CAmBxB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,eAAe,EAAE,YAAY,GAAG,SAAS,EACzC,OAAO,EAAE,MAAM,GACd,YAAY,CASd;AAoBD;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,CAK9D"}