@oculisecurity/cli 0.1.0

package/dist/routes/admin.js

@@ -0,0 +1,399 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerAdminRoutes = registerAdminRoutes;
+const local_policy_1 = require("../services/local-policy");
+function registerAdminRoutes(app, ctx) {
+    // GET /admin/search — unified search over audit records (unauthenticated — demo only)
+    app.get('/api/admin/search', async (request, reply) => {
+        const limit = Math.min(parseInt(request.query.limit ?? '50', 10) || 50, 500);
+        const offset = parseInt(request.query.offset ?? '0', 10) || 0;
+        const result = ctx.audit.search({
+            q: request.query.q,
+            decision: request.query.decision,
+            from: request.query.from,
+            to: request.query.to,
+            limit,
+            offset,
+        });
+        reply.send(result);
+    });
+    // GET /admin/aggregate — server-side GROUP BY aggregation (unauthenticated — demo only)
+    app.get('/api/admin/aggregate', async (request, reply) => {
+        const groupByRaw = request.query.groupBy;
+        if (!groupByRaw || !groupByRaw.trim()) {
+            reply.code(400).send({ error: 'groupBy is required' });
+            return;
+        }
+        const groupBy = groupByRaw.split(',').map((s) => s.trim()).filter(Boolean);
+        if (groupBy.length === 0) {
+            reply.code(400).send({ error: 'groupBy is required' });
+            return;
+        }
+        const limit = Math.min(parseInt(request.query.limit ?? '100', 10) || 100, 500);
+        const result = ctx.audit.aggregate({
+            groupBy,
+            q: request.query.q,
+            decision: request.query.decision,
+            from: request.query.from,
+            to: request.query.to,
+            limit,
+        });
+        reply.send(result);
+    });
+    // GET /admin/logs — recent audit log entries (requires auth)
+    app.get('/api/admin/logs', async (request, reply) => {
+        // Auth check — require at least some valid actor (set by auth middleware)
+        if (!request.actor?.actor) {
+            reply.code(401).send({ error: 'Unauthorized' });
+            return;
+        }
+        const limit = Math.min(parseInt(request.query.limit ?? '50', 10), 500);
+        const offset = parseInt(request.query.offset ?? '0', 10);
+        const logs = ctx.audit.query(limit, offset);
+        const total = ctx.audit.count();
+        reply.send({ total, limit, offset, logs });
+    });
+    // GET /admin/upstreams — list registered upstreams (requires auth)
+    app.get('/api/admin/upstreams', async (request, reply) => {
+        if (!request.actor?.actor) {
+            reply.code(401).send({ error: 'Unauthorized' });
+            return;
+        }
+        const upstreams = ctx.upstream.listUpstreams().map((u) => ({
+            id: u.id,
+            name: u.name,
+            baseUrl: u.baseUrl,
+            timeout: u.timeout,
+            // never expose authHeader
+        }));
+        reply.send({ upstreams });
+    });
+    // -----------------------------------------------------------------------
+    // Dashboard stats endpoints (unauthenticated — demo only)
+    // -----------------------------------------------------------------------
+    app.get('/api/admin/stats/summary', async (request, reply) => {
+        const hours = Math.min(parseInt(request.query.hours ?? '24', 10) || 24, 720);
+        reply.send(ctx.audit.summary(hours));
+    });
+    app.get('/api/admin/stats/top-tools', async (request, reply) => {
+        const limit = Math.min(parseInt(request.query.limit ?? '5', 10) || 5, 50);
+        reply.send(ctx.audit.topTools(limit));
+    });
+    app.get('/api/admin/stats/top-denied', async (request, reply) => {
+        const limit = Math.min(parseInt(request.query.limit ?? '5', 10) || 5, 50);
+        reply.send(ctx.audit.topDeniedTools(limit));
+    });
+    app.get('/api/admin/stats/top-actors', async (request, reply) => {
+        const limit = Math.min(parseInt(request.query.limit ?? '5', 10) || 5, 50);
+        reply.send(ctx.audit.topActors(limit));
+    });
+    app.get('/api/admin/stats/decisions', async (_request, reply) => {
+        reply.send(ctx.audit.decisionBreakdown());
+    });
+    app.get('/api/admin/stats/timeseries', async (request, reply) => {
+        const hours = Math.min(parseInt(request.query.hours ?? '1', 10) || 1, 168);
+        const bucket = Math.min(parseInt(request.query.bucket ?? '5', 10) || 5, 60);
+        reply.send(ctx.audit.timeSeries(hours, bucket));
+    });
+    // -----------------------------------------------------------------------
+    // Settings (read-only view of runtime config)
+    // -----------------------------------------------------------------------
+    app.get('/api/admin/settings', async (_request, reply) => {
+        const c = ctx.config;
+        reply.send({
+            gateway: {
+                port: c.port,
+                logLevel: c.logLevel,
+                opaEnabled: c.opaEnabled,
+                opaUrl: c.opaEnabled ? c.opaUrl : null,
+                storeFullArgs: c.storeFullArgs,
+                dbPath: c.dbPath,
+            },
+            rateLimit: {
+                capacity: c.rateLimitCapacity,
+                refillPerSecond: c.rateLimitRefillPerSecond,
+            },
+            upstreams: c.upstreams.map((u) => ({
+                id: u.id,
+                name: u.name,
+                baseUrl: u.baseUrl,
+                timeout: u.timeout,
+                hasAuth: !!u.authHeader,
+                tools: u.tools ?? [],
+            })),
+            telemetry: {
+                endpointUrl: '/v1/events',
+                claudeCodeHook: {
+                    type: 'http',
+                    url: `http://<gateway-host>:${c.port}/v1/events`,
+                },
+            },
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Policy management (unauthenticated — demo only)
+    // -----------------------------------------------------------------------
+    // POST /admin/policies/test — must be registered BEFORE :id param route
+    app.post('/api/admin/policies/test', async (request, reply) => {
+        const body = request.body;
+        if (!body.input || typeof body.input !== 'object') {
+            reply.code(400).send({ error: 'input object is required' });
+            return;
+        }
+        try {
+            const decision = await ctx.policy.evaluate(body.input);
+            reply.send({ decision });
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            reply.code(500).send({ error: 'Policy evaluation failed', details: msg });
+        }
+    });
+    // GET /admin/policies — list all policies
+    app.get('/api/admin/policies', async (_request, reply) => {
+        const policies = ctx.policyStore.list();
+        reply.send({ policies });
+    });
+    // GET /admin/policies/:id — get single policy
+    app.get('/api/admin/policies/:id', async (request, reply) => {
+        const id = parseInt(request.params.id, 10);
+        if (isNaN(id)) {
+            reply.code(400).send({ error: 'Invalid policy id' });
+            return;
+        }
+        const policy = ctx.policyStore.getById(id);
+        if (!policy) {
+            reply.code(404).send({ error: 'Policy not found' });
+            return;
+        }
+        reply.send(policy);
+    });
+    // POST /admin/policies — create new policy
+    app.post('/api/admin/policies', async (request, reply) => {
+        const body = request.body;
+        const name = body.name;
+        const rego = body.rego;
+        if (!name || !rego) {
+            reply.code(400).send({ error: 'name and rego are required' });
+            return;
+        }
+        const created = ctx.policyStore.create({
+            name,
+            rego,
+            description: body.description ?? undefined,
+            version: body.version ?? undefined,
+            updatedBy: body.updatedBy ?? 'admin@oculisecurity.com',
+        });
+        reply.code(201).send(created);
+    });
+    // PUT /admin/policies/:id — update policy
+    app.put('/api/admin/policies/:id', async (request, reply) => {
+        const id = parseInt(request.params.id, 10);
+        if (isNaN(id)) {
+            reply.code(400).send({ error: 'Invalid policy id' });
+            return;
+        }
+        const body = request.body;
+        const updated = ctx.policyStore.update(id, {
+            name: body.name,
+            description: body.description,
+            version: body.version,
+            rego: body.rego,
+            updatedBy: body.updatedBy ?? 'admin@oculisecurity.com',
+            isActive: body.isActive,
+        });
+        if (!updated) {
+            reply.code(404).send({ error: 'Policy not found' });
+            return;
+        }
+        reply.send(updated);
+    });
+    // POST /admin/policies/:id/duplicate — duplicate a policy
+    app.post('/api/admin/policies/:id/duplicate', async (request, reply) => {
+        const id = parseInt(request.params.id, 10);
+        if (isNaN(id)) {
+            reply.code(400).send({ error: 'Invalid policy id' });
+            return;
+        }
+        const duplicated = ctx.policyStore.duplicate(id);
+        if (!duplicated) {
+            reply.code(404).send({ error: 'Policy not found' });
+            return;
+        }
+        reply.code(201).send(duplicated);
+    });
+    // DELETE /admin/policies/:id — delete a policy
+    app.delete('/api/admin/policies/:id', async (request, reply) => {
+        const id = parseInt(request.params.id, 10);
+        if (isNaN(id)) {
+            reply.code(400).send({ error: 'Invalid policy id' });
+            return;
+        }
+        const deleted = ctx.policyStore.delete(id);
+        if (!deleted) {
+            reply.code(404).send({ error: 'Policy not found' });
+            return;
+        }
+        reply.send({ success: true });
+    });
+    // -----------------------------------------------------------------------
+    // Visual Rules (unauthenticated — demo only)
+    // -----------------------------------------------------------------------
+    // POST /admin/rules/test — must be registered BEFORE :id param route
+    app.post('/api/admin/rules/test', async (request, reply) => {
+        const body = request.body;
+        const ruleInput = body.rule;
+        const eventInput = body.event;
+        if (!ruleInput || !eventInput) {
+            reply.code(400).send({ error: 'rule and event objects are required' });
+            return;
+        }
+        // Validate regex patterns
+        for (const field of ['command_pattern', 'file_pattern']) {
+            const pattern = ruleInput[field];
+            if (pattern) {
+                try {
+                    new RegExp(pattern);
+                }
+                catch {
+                    reply.code(400).send({ error: `Invalid regex in ${field}: ${pattern}` });
+                    return;
+                }
+            }
+        }
+        const policyRule = {
+            id: ruleInput.rule_id ?? 'test',
+            match: {
+                tool: ruleInput.tool,
+                command_pattern: ruleInput.command_pattern,
+                file_pattern: ruleInput.file_pattern,
+                mcp_server: ruleInput.mcp_server,
+            },
+            action: (['deny', 'warn', 'allow'].includes(ruleInput.action)
+                ? ruleInput.action
+                : 'deny'),
+        };
+        const event = eventInput;
+        const matches = (0, local_policy_1.ruleMatches)(policyRule, event);
+        reply.send({ matches, action: matches ? policyRule.action : 'no match' });
+    });
+    // GET /admin/rules — list all visual rules
+    app.get('/api/admin/rules', async (_request, reply) => {
+        const rules = ctx.policyStore.listVisualRules();
+        reply.send({ rules });
+    });
+    // GET /admin/rules/:id — get single visual rule
+    app.get('/api/admin/rules/:id', async (request, reply) => {
+        const id = parseInt(request.params.id, 10);
+        if (isNaN(id)) {
+            reply.code(400).send({ error: 'Invalid rule id' });
+            return;
+        }
+        const rule = ctx.policyStore.getVisualRuleById(id);
+        if (!rule) {
+            reply.code(404).send({ error: 'Rule not found' });
+            return;
+        }
+        reply.send(rule);
+    });
+    // POST /admin/rules — create visual rule
+    app.post('/api/admin/rules', async (request, reply) => {
+        const body = request.body;
+        const rule_id = body.rule_id;
+        const action = body.action;
+        if (!rule_id || !action) {
+            reply.code(400).send({ error: 'rule_id and action are required' });
+            return;
+        }
+        if (!['deny', 'warn', 'allow'].includes(action)) {
+            reply.code(400).send({ error: 'action must be deny, warn, or allow' });
+            return;
+        }
+        // Validate regex patterns
+        for (const field of ['command_pattern', 'file_pattern']) {
+            const pattern = body[field];
+            if (pattern) {
+                try {
+                    new RegExp(pattern);
+                }
+                catch {
+                    reply.code(400).send({ error: `Invalid regex in ${field}: ${pattern}` });
+                    return;
+                }
+            }
+        }
+        // Check at least one match field
+        if (!body.tool && !body.command_pattern && !body.file_pattern && !body.mcp_server) {
+            reply.code(400).send({ error: 'At least one match field (tool, command_pattern, file_pattern, mcp_server) is required' });
+            return;
+        }
+        try {
+            const created = ctx.policyStore.createVisualRule(body);
+            reply.code(201).send(created);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes('UNIQUE constraint')) {
+                reply.code(409).send({ error: `Rule ID "${rule_id}" already exists` });
+                return;
+            }
+            throw err;
+        }
+    });
+    // PUT /admin/rules/:id — update visual rule
+    app.put('/api/admin/rules/:id', async (request, reply) => {
+        const id = parseInt(request.params.id, 10);
+        if (isNaN(id)) {
+            reply.code(400).send({ error: 'Invalid rule id' });
+            return;
+        }
+        const body = request.body;
+        // Validate regex patterns if provided
+        for (const field of ['command_pattern', 'file_pattern']) {
+            const pattern = body[field];
+            if (pattern) {
+                try {
+                    new RegExp(pattern);
+                }
+                catch {
+                    reply.code(400).send({ error: `Invalid regex in ${field}: ${pattern}` });
+                    return;
+                }
+            }
+        }
+        if (body.action && !['deny', 'warn', 'allow'].includes(body.action)) {
+            reply.code(400).send({ error: 'action must be deny, warn, or allow' });
+            return;
+        }
+        try {
+            const updated = ctx.policyStore.updateVisualRule(id, body);
+            if (!updated) {
+                reply.code(404).send({ error: 'Rule not found' });
+                return;
+            }
+            reply.send(updated);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes('UNIQUE constraint')) {
+                reply.code(409).send({ error: `Rule ID "${body.rule_id}" already exists` });
+                return;
+            }
+            throw err;
+        }
+    });
+    // DELETE /admin/rules/:id — delete visual rule
+    app.delete('/api/admin/rules/:id', async (request, reply) => {
+        const id = parseInt(request.params.id, 10);
+        if (isNaN(id)) {
+            reply.code(400).send({ error: 'Invalid rule id' });
+            return;
+        }
+        const deleted = ctx.policyStore.deleteVisualRule(id);
+        if (!deleted) {
+            reply.code(404).send({ error: 'Rule not found' });
+            return;
+        }
+        reply.send({ success: true });
+    });
+}

package/dist/routes/call.d.ts

@@ -0,0 +1,13 @@
+import { FastifyInstance } from 'fastify';
+import { PolicyService } from '../services/policy';
+import { AuditService } from '../services/audit';
+import { UpstreamConnector } from '../services/upstream';
+import { RateLimiter } from '../services/ratelimit';
+interface CallRouteContext {
+    policy: PolicyService;
+    audit: AuditService;
+    upstream: UpstreamConnector;
+    rateLimiter: RateLimiter;
+}
+export declare function registerCallRoutes(app: FastifyInstance, ctx: CallRouteContext): void;
+export {};

package/dist/routes/call.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerCallRoutes = registerCallRoutes;
+const tool_executor_1 = require("../services/tool-executor");
+function registerCallRoutes(app, ctx) {
+    const executor = new tool_executor_1.ToolExecutor(ctx);
+    app.post('/v1/call', {
+        schema: {
+            body: {
+                type: 'object',
+                required: ['upstreamId', 'tool', 'args'],
+                properties: {
+                    upstreamId: { type: 'string' },
+                    tool: { type: 'string' },
+                    args: { type: 'object' },
+                    sessionId: { type: 'string' },
+                },
+            },
+        },
+    }, async (request, reply) => {
+        const { upstreamId, tool, args, sessionId } = request.body;
+        const execResult = await executor.execute({
+            actor: request.actor,
+            upstreamId,
+            tool,
+            args,
+            sessionId,
+            ip: request.ip,
+        });
+        switch (execResult.kind) {
+            case 'allow':
+                reply.code(200).send({
+                    requestId: execResult.requestId,
+                    decision: { allow: true, reason: execResult.reason },
+                    upstream: { id: execResult.upstreamId, latencyMs: execResult.latencyMs },
+                    result: execResult.result,
+                });
+                return;
+            case 'deny':
+                if (execResult.httpStatus === 429) {
+                    reply
+                        .code(429)
+                        .header('Retry-After', String(Math.ceil((execResult.retryAfterMs ?? 0) / 1000)))
+                        .send({
+                        requestId: execResult.requestId,
+                        decision: { allow: false, reason: execResult.reason },
+                        error: `Rate limit exceeded. Retry after ~${execResult.retryAfterMs}ms`,
+                    });
+                }
+                else {
+                    reply.code(execResult.httpStatus).send({
+                        requestId: execResult.requestId,
+                        decision: { allow: false, reason: execResult.reason },
+                        error: execResult.reason,
+                    });
+                }
+                return;
+            case 'error':
+                reply.code(execResult.httpStatus).send({
+                    requestId: execResult.requestId,
+                    decision: { allow: true, reason: execResult.reason },
+                    upstream: { id: execResult.upstreamId, latencyMs: execResult.latencyMs },
+                    error: execResult.message,
+                });
+                return;
+        }
+    });
+}

package/dist/routes/events.d.ts

@@ -0,0 +1,7 @@
+import { FastifyInstance } from 'fastify';
+import { AuditService } from '../services/audit';
+interface EventsRouteContext {
+    audit: AuditService;
+}
+export declare function registerEventsRoute(app: FastifyInstance, ctx: EventsRouteContext): void;
+export {};

package/dist/routes/events.js

@@ -0,0 +1,125 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerEventsRoute = registerEventsRoute;
+const uuid_1 = require("uuid");
+const ClaudeCodeAdapter = __importStar(require("./adapters/claude-code"));
+function normalizePayload(body) {
+    if (ClaudeCodeAdapter.detect(body)) {
+        const event = ClaudeCodeAdapter.normalize(body);
+        return {
+            source: 'claude-code',
+            events: [
+                {
+                    tool: event.tool ?? '__stop__',
+                    args: event.tool_args,
+                    result: event.tool_result,
+                    sessionId: event.session_id,
+                    actor: event.actor,
+                },
+            ],
+        };
+    }
+    // Standard TelemetryPayload — validate manually
+    const payload = body;
+    if (typeof payload.source !== 'string' ||
+        !payload.source ||
+        !Array.isArray(payload.events) ||
+        payload.events.length < 1 ||
+        payload.events.length > 100) {
+        return null;
+    }
+    for (const event of payload.events) {
+        if (typeof event.tool !== 'string' || !event.tool) {
+            return null;
+        }
+    }
+    return payload;
+}
+function registerEventsRoute(app, ctx) {
+    app.post('/v1/events', async (request, reply) => {
+        const body = request.body;
+        if (!body || typeof body !== 'object') {
+            reply.code(400).send({ error: 'Invalid request body' });
+            return;
+        }
+        const payload = normalizePayload(body);
+        if (!payload) {
+            reply.code(400).send({
+                error: 'Invalid payload. Expected { source, events: [{ tool, ... }] } or Claude Code hook format { hook_event_name, tool_name, ... }',
+            });
+            return;
+        }
+        const { source, orgId, events } = payload;
+        const ip = request.ip;
+        const isClaudeCode = source === 'claude-code';
+        // For Claude Code hooks, stash the full raw body so nothing is lost
+        const rawBodyJson = isClaudeCode ? JSON.stringify(body) : null;
+        request.log.info({ source, toolCount: events.length }, 'telemetry received');
+        if (isClaudeCode) {
+            request.log.debug({ rawBody: body }, 'claude-code hook raw payload');
+        }
+        for (const event of events) {
+            const requestId = (0, uuid_1.v4)();
+            // For Claude Code hooks use raw body; for standard events use parsed args
+            const argsJson = isClaudeCode
+                ? rawBodyJson
+                : (event.args ? JSON.stringify(event.args) : null);
+            const resultStr = event.result != null ? JSON.stringify(event.result) : null;
+            const responseJson = resultStr
+                ? resultStr.length <= 8192 ? resultStr : resultStr.slice(0, 8192) + '…'
+                : null;
+            ctx.audit.log({
+                requestId,
+                timestamp: event.timestamp ?? new Date().toISOString(),
+                actor: event.actor ?? source,
+                orgId: orgId ?? 'default',
+                upstreamId: `ext:${source}`,
+                tool: event.tool,
+                argsHash: event.args ? ctx.audit.hash(event.args) : 'none',
+                argsJson,
+                decision: 'allow',
+                reason: 'telemetry',
+                latencyMs: event.durationMs ?? 0,
+                outcome: event.error ? 'error' : 'success',
+                responseHash: event.result != null ? ctx.audit.hash(event.result) : undefined,
+                responseJson,
+                ip,
+                sessionId: event.sessionId ?? requestId,
+            });
+        }
+        reply.code(202).send({ received: events.length });
+    });
+}

package/dist/routes/health.d.ts

@@ -0,0 +1,2 @@
+import { FastifyInstance } from 'fastify';
+export declare function registerHealthRoutes(app: FastifyInstance): void;

package/dist/routes/health.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerHealthRoutes = registerHealthRoutes;
+function registerHealthRoutes(app) {
+    app.get('/health', async (_req, reply) => {
+        reply.send({
+            status: 'ok',
+            timestamp: new Date().toISOString(),
+            service: 'oculi-security-gateway',
+        });
+    });
+}

package/dist/routes/hooks.d.ts

@@ -0,0 +1,11 @@
+import { FastifyInstance } from 'fastify';
+import { PolicyService } from '../services/policy';
+import { AuditService } from '../services/audit';
+import { RateLimiter } from '../services/ratelimit';
+interface HooksRouteContext {
+    policy: PolicyService;
+    audit: AuditService;
+    rateLimiter: RateLimiter;
+}
+export declare function registerHooksRoute(app: FastifyInstance, ctx: HooksRouteContext): void;
+export {};