@opentrust/cli 7.0.0

package/README.md

@@ -0,0 +1,68 @@
+# @opentrust/cli
+
+CLI tool to manage [OpenTrust](https://github.com/opentrust-dev/opentrust) — an open-source AI Agent Runtime Security Platform.
+
+## Install
+
+```bash
+npm install -g @opentrust/cli
+```
+
+Or run directly with `npx`:
+
+```bash
+npx @opentrust/cli <command>
+```
+
+## Prerequisites
+
+- **Node.js** >= 18
+- **pnpm** >= 9 (Dashboard uses pnpm monorepo)
+- Clone the [opentrust](https://github.com/opentrust-dev/opentrust) repo first
+
+## Usage
+
+Navigate to your opentrust project directory, then:
+
+```bash
+# Install all dependencies, build, and initialize databases
+opentrust setup
+
+# Start all services (core + dashboard + gateway)
+opentrust start
+
+# Start a single service
+opentrust start core
+
+# Check status of all services
+opentrust status
+
+# Stop all services
+opentrust stop
+
+# Stop a single service
+opentrust stop gateway
+
+# View logs
+opentrust logs core
+opentrust logs dashboard -f        # follow mode
+opentrust logs gateway -n 100      # last 100 lines
+```
+
+## Services
+
+| Service | Port | Description |
+|---------|------|-------------|
+| **Core** | 53666 | Security engine — content detection (S01-S10), behavior assessment, Agent registry |
+| **Dashboard** | 53667/53668 | Management panel — Agent assets, risk graph, policy management, detection logs |
+| **Gateway** | 8900 | AI security gateway — LLM API proxy with automatic PII/credential sanitization |
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `OPENTRUST_HOME` | Override the project root directory (defaults to `cwd`) |
+
+## License
+
+Apache-2.0

package/dist/commands/logs.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function registerLogsCommand(program: Command): void;

package/dist/commands/logs.js

@@ -0,0 +1,35 @@
+import { spawn } from "node:child_process";
+import fs from "node:fs";
+import { SERVICES, getAllServiceKeys } from "../lib/process-manager.js";
+export function registerLogsCommand(program) {
+    program
+        .command("logs <service>")
+        .description("Tail logs for a service (core, dashboard, gateway)")
+        .option("-n, --lines <n>", "Number of lines to show", "50")
+        .option("-f, --follow", "Follow log output", false)
+        .action(async (service, options) => {
+        const svc = SERVICES[service];
+        if (!svc) {
+            console.error(`Unknown service: ${service}`);
+            console.error(`Available: ${getAllServiceKeys().join(", ")}`);
+            process.exit(1);
+        }
+        if (!fs.existsSync(svc.logFile)) {
+            console.log(`No log file found for ${svc.name}.`);
+            console.log(`Start it first: opentrust start ${service}`);
+            return;
+        }
+        const args = ["-n", options.lines];
+        if (options.follow)
+            args.push("-f");
+        args.push(svc.logFile);
+        const tail = spawn("tail", args, { stdio: "inherit" });
+        tail.on("error", (err) => {
+            console.error(`Failed to tail logs: ${err.message}`);
+        });
+        process.on("SIGINT", () => {
+            tail.kill();
+            process.exit(0);
+        });
+    });
+}

package/dist/commands/setup.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function registerSetupCommand(program: Command): void;

package/dist/commands/setup.js

@@ -0,0 +1,57 @@
+import { execSync } from "node:child_process";
+import fs from "node:fs";
+import { paths } from "../lib/paths.js";
+export function registerSetupCommand(program) {
+    program
+        .command("setup")
+        .description("Install dependencies, build, and initialize databases")
+        .action(async () => {
+        console.log("OpenTrust Setup\n");
+        const steps = [
+            {
+                label: "Core",
+                cwd: paths.core,
+                commands: ["npm install"],
+            },
+            {
+                label: "Dashboard",
+                cwd: paths.dashboard,
+                commands: [
+                    "pnpm install",
+                    "pnpm build",
+                    "pnpm db:generate",
+                    "pnpm db:migrate",
+                    "pnpm db:seed",
+                ],
+            },
+            {
+                label: "Gateway",
+                cwd: paths.gateway,
+                commands: ["npm install"],
+            },
+        ];
+        for (const step of steps) {
+            if (!fs.existsSync(step.cwd)) {
+                console.log(`  ⚠ ${step.label}: directory not found, skipping`);
+                continue;
+            }
+            console.log(`Setting up ${step.label}...`);
+            for (const cmd of step.commands) {
+                try {
+                    console.log(`  $ ${cmd}`);
+                    execSync(cmd, { cwd: step.cwd, stdio: "inherit" });
+                }
+                catch (err) {
+                    console.error(`  Failed: ${cmd}`);
+                    process.exit(1);
+                }
+            }
+            console.log(`  ${step.label} ready.\n`);
+        }
+        console.log("-------------------------------------------");
+        console.log("Setup complete!");
+        console.log("-------------------------------------------");
+        console.log("\nRun 'opentrust start' to launch all services.");
+        console.log("Or start individually: 'opentrust start core'");
+    });
+}

package/dist/commands/start.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function registerStartCommand(program: Command): void;

package/dist/commands/start.js

@@ -0,0 +1,24 @@
+import { startService, getAllServiceKeys, SERVICES } from "../lib/process-manager.js";
+export function registerStartCommand(program) {
+    program
+        .command("start [service]")
+        .description("Start services (core, dashboard, gateway, or all)")
+        .action(async (service) => {
+        const keys = service ? [service] : getAllServiceKeys();
+        for (const key of keys) {
+            if (!SERVICES[key]) {
+                console.error(`Unknown service: ${key}`);
+                console.error(`Available: ${getAllServiceKeys().join(", ")}`);
+                process.exit(1);
+            }
+        }
+        console.log(service
+            ? `Starting ${SERVICES[service].name}...`
+            : "Starting all OpenTrust services...");
+        for (const key of keys) {
+            startService(key);
+        }
+        console.log("\nUse 'opentrust status' to check health.");
+        console.log("Use 'opentrust logs <service>' to view output.");
+    });
+}

package/dist/commands/status.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function registerStatusCommand(program: Command): void;

package/dist/commands/status.js

@@ -0,0 +1,23 @@
+import { getStatus, checkHealth, getAllServiceKeys, SERVICES } from "../lib/process-manager.js";
+export function registerStatusCommand(program) {
+    program
+        .command("status")
+        .description("Show status of all OpenTrust services")
+        .action(async () => {
+        console.log("OpenTrust Service Status\n");
+        const keys = getAllServiceKeys();
+        for (const key of keys) {
+            const svc = SERVICES[key];
+            const { running, pid } = getStatus(key);
+            const healthy = running ? await checkHealth(key) : false;
+            const statusIcon = running ? (healthy ? "\x1b[32m●\x1b[0m" : "\x1b[33m●\x1b[0m") : "\x1b[31m●\x1b[0m";
+            const statusText = running
+                ? healthy
+                    ? `running (PID ${pid})`
+                    : `running, not healthy yet (PID ${pid})`
+                : "stopped";
+            console.log(`  ${statusIcon} ${svc.name.padEnd(12)} ${statusText.padEnd(35)} port ${svc.port}`);
+        }
+        console.log("");
+    });
+}

package/dist/commands/stop.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function registerStopCommand(program: Command): void;

package/dist/commands/stop.js

@@ -0,0 +1,22 @@
+import { stopService, getAllServiceKeys, SERVICES } from "../lib/process-manager.js";
+export function registerStopCommand(program) {
+    program
+        .command("stop [service]")
+        .description("Stop services (core, dashboard, gateway, or all)")
+        .action(async (service) => {
+        const keys = service ? [service] : getAllServiceKeys();
+        for (const key of keys) {
+            if (!SERVICES[key]) {
+                console.error(`Unknown service: ${key}`);
+                console.error(`Available: ${getAllServiceKeys().join(", ")}`);
+                process.exit(1);
+            }
+        }
+        console.log(service
+            ? `Stopping ${SERVICES[service].name}...`
+            : "Stopping all OpenTrust services...");
+        for (const key of keys) {
+            stopService(key);
+        }
+    });
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname, join } from "node:path";
+import { registerStartCommand } from "./commands/start.js";
+import { registerStopCommand } from "./commands/stop.js";
+import { registerStatusCommand } from "./commands/status.js";
+import { registerSetupCommand } from "./commands/setup.js";
+import { registerLogsCommand } from "./commands/logs.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(join(__dirname, "../package.json"), "utf-8"));
+const program = new Command();
+program
+    .name("opentrust")
+    .description("OpenTrust — manage local AI security services")
+    .version(pkg.version);
+registerStartCommand(program);
+registerStopCommand(program);
+registerStatusCommand(program);
+registerSetupCommand(program);
+registerLogsCommand(program);
+program.parse();

package/dist/lib/paths.d.ts

@@ -0,0 +1,15 @@
+export declare const paths: {
+    projectRoot: string;
+    runtime: string;
+    logs: string;
+    core: string;
+    dashboard: string;
+    gateway: string;
+    guards: string;
+    corePid: string;
+    dashboardPid: string;
+    gatewayPid: string;
+    coreLog: string;
+    dashboardLog: string;
+    gatewayLog: string;
+};

package/dist/lib/paths.js

@@ -0,0 +1,63 @@
+import path from "node:path";
+import os from "node:os";
+import fs from "node:fs";
+import { fileURLToPath } from "node:url";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+function findProjectRoot() {
+    // 1. OPENTRUST_HOME env var takes priority
+    if (process.env.OPENTRUST_HOME) {
+        return path.resolve(process.env.OPENTRUST_HOME);
+    }
+    // 2. Check if cwd looks like the opentrust project root
+    const cwd = process.cwd();
+    if (isOpenTrustRoot(cwd)) {
+        return cwd;
+    }
+    // 3. Walk up from cwd looking for the project root
+    let dir = cwd;
+    while (true) {
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+        if (isOpenTrustRoot(dir))
+            return dir;
+    }
+    // 4. Fallback: resolve relative to __dirname (works inside monorepo)
+    const fallback = path.resolve(__dirname, "../../..");
+    if (isOpenTrustRoot(fallback)) {
+        return fallback;
+    }
+    // 5. Last resort: use cwd and let commands fail with meaningful errors
+    return cwd;
+}
+function isOpenTrustRoot(dir) {
+    try {
+        const pkgPath = path.join(dir, "package.json");
+        if (!fs.existsSync(pkgPath))
+            return false;
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+        return pkg.name === "opentrust";
+    }
+    catch {
+        return false;
+    }
+}
+const projectRoot = findProjectRoot();
+/** ~/.opentrust/ — runtime data (pid files, logs) */
+const runtimeDir = path.join(os.homedir(), ".opentrust");
+export const paths = {
+    projectRoot,
+    runtime: runtimeDir,
+    logs: path.join(runtimeDir, "logs"),
+    core: path.join(projectRoot, "core"),
+    dashboard: path.join(projectRoot, "dashboard"),
+    gateway: path.join(projectRoot, "gateway"),
+    guards: path.join(projectRoot, "guards"),
+    corePid: path.join(runtimeDir, "core.pid"),
+    dashboardPid: path.join(runtimeDir, "dashboard.pid"),
+    gatewayPid: path.join(runtimeDir, "gateway.pid"),
+    coreLog: path.join(runtimeDir, "logs", "core.log"),
+    dashboardLog: path.join(runtimeDir, "logs", "dashboard.log"),
+    gatewayLog: path.join(runtimeDir, "logs", "gateway.log"),
+};

package/dist/lib/process-manager.d.ts

@@ -0,0 +1,19 @@
+export interface ServiceDef {
+    name: string;
+    cwd: string;
+    command: string;
+    args: string[];
+    pidFile: string;
+    logFile: string;
+    port: number;
+    healthUrl?: string;
+}
+export declare const SERVICES: Record<string, ServiceDef>;
+export declare function startService(key: string): boolean;
+export declare function stopService(key: string): boolean;
+export declare function getStatus(key: string): {
+    running: boolean;
+    pid?: number;
+};
+export declare function checkHealth(key: string): Promise<boolean>;
+export declare function getAllServiceKeys(): string[];

package/dist/lib/process-manager.js

@@ -0,0 +1,146 @@
+import { spawn } from "node:child_process";
+import fs from "node:fs";
+import { paths } from "./paths.js";
+export const SERVICES = {
+    core: {
+        name: "Core",
+        cwd: paths.core,
+        command: "npx",
+        args: ["tsx", "src/index.ts"],
+        pidFile: paths.corePid,
+        logFile: paths.coreLog,
+        port: 53666,
+        healthUrl: "http://localhost:53666/health",
+    },
+    dashboard: {
+        name: "Dashboard",
+        cwd: paths.dashboard,
+        command: "npx",
+        args: ["turbo", "dev"],
+        pidFile: paths.dashboardPid,
+        logFile: paths.dashboardLog,
+        port: 53667,
+        healthUrl: "http://localhost:53667/health",
+    },
+    gateway: {
+        name: "Gateway",
+        cwd: paths.gateway,
+        command: "npx",
+        args: ["tsx", "src/index.ts"],
+        pidFile: paths.gatewayPid,
+        logFile: paths.gatewayLog,
+        port: 8900,
+        healthUrl: "http://localhost:8900/health",
+    },
+};
+function ensureDirs() {
+    for (const dir of [paths.runtime, paths.logs]) {
+        if (!fs.existsSync(dir))
+            fs.mkdirSync(dir, { recursive: true });
+    }
+}
+export function startService(key) {
+    const svc = SERVICES[key];
+    if (!svc) {
+        console.error(`Unknown service: ${key}`);
+        return false;
+    }
+    if (!fs.existsSync(svc.cwd)) {
+        console.error(`  ${svc.name}: directory not found at ${svc.cwd}`);
+        return false;
+    }
+    const status = getStatus(key);
+    if (status.running) {
+        console.log(`  ${svc.name}: already running (PID ${status.pid})`);
+        return true;
+    }
+    ensureDirs();
+    const logFd = fs.openSync(svc.logFile, "a");
+    const child = spawn(svc.command, svc.args, {
+        cwd: svc.cwd,
+        env: { ...process.env, FORCE_COLOR: "0" },
+        stdio: ["ignore", logFd, logFd],
+        detached: true,
+    });
+    if (child.pid) {
+        fs.writeFileSync(svc.pidFile, String(child.pid), "utf-8");
+        child.unref();
+        console.log(`  ${svc.name}: started (PID ${child.pid}, port ${svc.port})`);
+        fs.closeSync(logFd);
+        return true;
+    }
+    fs.closeSync(logFd);
+    console.error(`  ${svc.name}: failed to start`);
+    return false;
+}
+export function stopService(key) {
+    const svc = SERVICES[key];
+    if (!svc) {
+        console.error(`Unknown service: ${key}`);
+        return false;
+    }
+    const status = getStatus(key);
+    if (!status.running) {
+        console.log(`  ${svc.name}: not running`);
+        return false;
+    }
+    try {
+        // Kill the process group (negative PID) to stop all children
+        process.kill(-status.pid, "SIGTERM");
+    }
+    catch (err) {
+        try {
+            process.kill(status.pid, "SIGTERM");
+        }
+        catch {
+            // already dead
+        }
+    }
+    try {
+        fs.unlinkSync(svc.pidFile);
+    }
+    catch { }
+    console.log(`  ${svc.name}: stopped (was PID ${status.pid})`);
+    return true;
+}
+export function getStatus(key) {
+    const svc = SERVICES[key];
+    if (!svc)
+        return { running: false };
+    if (!fs.existsSync(svc.pidFile))
+        return { running: false };
+    const pid = parseInt(fs.readFileSync(svc.pidFile, "utf-8").trim(), 10);
+    if (isNaN(pid)) {
+        try {
+            fs.unlinkSync(svc.pidFile);
+        }
+        catch { }
+        return { running: false };
+    }
+    try {
+        process.kill(pid, 0);
+        return { running: true, pid };
+    }
+    catch {
+        try {
+            fs.unlinkSync(svc.pidFile);
+        }
+        catch { }
+        return { running: false };
+    }
+}
+export async function checkHealth(key) {
+    const svc = SERVICES[key];
+    if (!svc?.healthUrl)
+        return false;
+    try {
+        const res = await fetch(svc.healthUrl);
+        return res.ok;
+    }
+    catch {
+        return false;
+    }
+}
+export function getAllServiceKeys() {
+    return Object.keys(SERVICES);
+}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@opentrust/cli",
+  "version": "7.0.0",
+  "description": "CLI tool to manage OpenTrust AI Agent Runtime Security Platform — setup, start, stop, status, logs",
+  "type": "module",
+  "bin": {
+    "opentrust": "./dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "commander": "^12.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  },
+  "keywords": [
+    "opentrust",
+    "ai-security",
+    "agent-security",
+    "cli",
+    "pii",
+    "prompt-injection",
+    "llm-security",
+    "ai-agent"
+  ],
+  "homepage": "https://github.com/opentrust-dev/opentrust#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/opentrust-dev/opentrust.git",
+    "directory": "cli"
+  },
+  "bugs": {
+    "url": "https://github.com/opentrust-dev/opentrust/issues"
+  },
+  "author": "OpenTrust",
+  "license": "Apache-2.0",
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}