@tameflare/cli 0.8.0

package/README.md

@@ -0,0 +1,83 @@
+# @tameflare/cli
+
+The official CLI for [TameFlare](https://tameflare.com) — secure and govern AI agent traffic through a transparent proxy gateway.
+
+## Install
+
+```bash
+npm i -g @tameflare/cli
+```
+
+Or run directly with npx:
+
+```bash
+npx @tameflare/cli init
+```
+
+## Quick Start
+
+```bash
+# 1. Initialize TameFlare in your project
+tf init
+
+# 2. Add a connector (e.g. GitHub)
+tf connector add github --token ghp_xxx
+
+# 3. Run your agent through the gateway
+tf run --name my-agent -- python agent.py
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `tf init` | Initialize TameFlare — downloads gateway, creates config |
+| `tf run --name <n> <cmd>` | Run a process through the proxy gateway |
+| `tf status` | Show gateway status and active processes |
+| `tf stop` | Stop the gateway |
+| `tf logs` | View recent traffic logs |
+| `tf kill-switch` | Emergency stop — block all traffic |
+| `tf connector add <type>` | Add a connector (github, openai, slack, stripe, generic) |
+| `tf connector list` | List active connectors |
+| `tf connector remove <id>` | Remove a connector |
+| `tf permissions set` | Set access rules for a gateway |
+| `tf permissions list` | List access rules |
+| `tf approvals list` | List pending approval requests |
+| `tf approvals approve <id>` | Approve a pending request |
+| `tf approvals deny <id>` | Deny a pending request |
+
+## How It Works
+
+TameFlare acts as a transparent HTTP/HTTPS proxy between your AI agent and external APIs. When you run `tf run`, the CLI:
+
+1. Starts (or connects to) the TameFlare gateway
+2. Registers your process and gets a dedicated proxy port
+3. Sets `HTTP_PROXY` and `HTTPS_PROXY` env vars on your process
+4. All outbound traffic flows through the gateway for inspection and enforcement
+
+The gateway matches requests against connectors (GitHub, OpenAI, Stripe, etc.), applies permission rules, and either allows, denies, or holds requests for human approval.
+
+## Requirements
+
+- Node.js >= 18
+- The TameFlare gateway binary (downloaded automatically by `tf init`)
+
+## Dashboard
+
+TameFlare includes a web dashboard for real-time traffic monitoring, policy management, and approval workflows. Start it with:
+
+```bash
+docker compose up
+```
+
+Then open [http://localhost:3000](http://localhost:3000).
+
+## Links
+
+- [Documentation](https://tameflare.com/docs)
+- [GitHub](https://github.com/agentfirewall/agentfirewall)
+- [Website](https://tameflare.com)
+
+## License
+
+[ELv2](https://github.com/agentfirewall/agentfirewall/blob/main/LICENSE)

package/dist/commands/actions.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function actionsCommand(): Command;

package/dist/commands/actions.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.actionsCommand = actionsCommand;
+const commander_1 = require("commander");
+const utils_1 = require("../utils");
+function actionsCommand() {
+    const cmd = new commander_1.Command("actions").description("View action requests");
+    cmd
+        .command("list")
+        .description("List recent action requests")
+        .option("--limit <n>", "Number of results", "20")
+        .action(async (opts) => {
+        const data = await (0, utils_1.apiRequest)("GET", `/v1/audit/events?limit=${opts.limit}`);
+        const events = (data.events ?? []);
+        const actionEvents = events.filter((e) => e.type?.startsWith("action."));
+        if (actionEvents.length === 0) {
+            console.log("No action events found.");
+            return;
+        }
+        console.log((0, utils_1.formatTable)(["Time", "Type", "Agent", "Action"], actionEvents.map((e) => [
+            e.timestamp ? new Date(e.timestamp).toLocaleString() : "—",
+            e.type,
+            e.agent_id ? e.agent_id.slice(0, 12) + "..." : "—",
+            e.action_type ?? "—",
+        ])));
+    });
+    cmd
+        .command("get")
+        .description("Get action request details")
+        .requiredOption("--id <id>", "Action request ID")
+        .action(async (opts) => {
+        const data = await (0, utils_1.apiRequest)("GET", `/v1/actions/${opts.id}`);
+        console.log(`ID:       ${data.action_request_id}`);
+        console.log(`Status:   ${data.status}`);
+        const decision = data.decision;
+        if (decision) {
+            console.log(`Outcome:  ${decision.outcome}`);
+            console.log(`Reason:   ${decision.reason}`);
+            console.log(`Risk:     ${decision.risk_score}`);
+        }
+        if (data.decision_token) {
+            console.log(`Token:    ${String(data.decision_token).slice(0, 20)}...`);
+        }
+        const approval = data.approval;
+        if (approval) {
+            console.log(`Approval: ${approval.status}`);
+        }
+    });
+    return cmd;
+}

package/dist/commands/agents.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function agentsCommand(): Command;

package/dist/commands/agents.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.agentsCommand = agentsCommand;
+const commander_1 = require("commander");
+const utils_1 = require("../utils");
+function agentsCommand() {
+    const cmd = new commander_1.Command("agents").description("Manage agents");
+    cmd
+        .command("list")
+        .description("List registered agents")
+        .action(async () => {
+        const data = await (0, utils_1.apiRequest)("GET", "/v1/agents");
+        const agents = (data.agents ?? []);
+        if (agents.length === 0) {
+            console.log("No agents registered.");
+            return;
+        }
+        console.log((0, utils_1.formatTable)(["Name", "ID", "Environment", "Status", "Last Seen"], agents.map((a) => [
+            a.name,
+            a.id?.slice(0, 12) + "...",
+            a.environment,
+            a.status,
+            a.last_seen_at ?? "Never",
+        ])));
+    });
+    cmd
+        .command("register")
+        .description("Register a new agent")
+        .requiredOption("--name <name>", "Agent name")
+        .option("--runtime <runtime>", "Runtime (e.g. node, python)")
+        .option("--environment <env>", "Environment", "development")
+        .action(async (opts) => {
+        const data = await (0, utils_1.apiRequest)("POST", "/v1/agents/register", {
+            name: opts.name,
+            runtime: opts.runtime,
+            environment: opts.environment,
+        });
+        console.log("Agent registered successfully!");
+        console.log(`  ID:     ${data.agent_id}`);
+        console.log(`  Prefix: ${data.api_key_prefix}`);
+        console.log(`  Key:    ${data.api_key}`);
+        console.log("");
+        console.log("Store this API key securely. It will not be shown again.");
+    });
+    return cmd;
+}

package/dist/commands/approvals.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function approvalsCommand(): Command;

package/dist/commands/approvals.js

@@ -0,0 +1,122 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.approvalsCommand = approvalsCommand;
+const commander_1 = require("commander");
+const GATEWAY_URL = "http://127.0.0.1:9443";
+function approvalsCommand() {
+    const cmd = new commander_1.Command("approvals")
+        .description("Manage pending approval requests");
+    cmd
+        .command("list")
+        .description("List pending approval requests")
+        .option("--all", "Show all recent approvals (not just pending)")
+        .action(async (opts) => {
+        try {
+            const url = opts.all
+                ? `${GATEWAY_URL}/internal/approvals/recent`
+                : `${GATEWAY_URL}/internal/approvals`;
+            const res = await fetch(url);
+            if (!res.ok) {
+                console.error(`Error: ${res.statusText}`);
+                process.exit(1);
+            }
+            const data = await res.json();
+            const items = opts.all ? data : data.pending;
+            if (!items || items.length === 0) {
+                console.log(opts.all ? "No recent approvals." : "No pending approvals.");
+                return;
+            }
+            if (!opts.all) {
+                console.log(`\n${data.count} pending approval(s):\n`);
+            }
+            for (const req of items) {
+                const status = req.status === "pending"
+                    ? "\x1b[33m⏳ pending\x1b[0m"
+                    : req.status === "approved"
+                        ? "\x1b[32m✓ approved\x1b[0m"
+                        : req.status === "denied"
+                            ? "\x1b[31m✗ denied\x1b[0m"
+                            : `\x1b[90m${req.status}\x1b[0m`;
+                console.log(`  ${status}  ${req.id}`);
+                console.log(`    Gateway:   ${req.gateway_name}`);
+                console.log(`    Action:    ${req.action_type} (${req.connector_type})`);
+                console.log(`    Request:   ${req.method} ${req.url}`);
+                console.log(`    Created:   ${req.created_at}`);
+                if (req.status === "pending") {
+                    console.log(`    Expires:   ${req.expires_at}`);
+                }
+                if (req.responded_by) {
+                    console.log(`    By:        ${req.responded_by}`);
+                }
+                if (req.response_note) {
+                    console.log(`    Note:      ${req.response_note}`);
+                }
+                console.log();
+            }
+        }
+        catch (err) {
+            console.error("Failed to connect to gateway. Is it running?");
+            console.error(`  Run: tf init`);
+            process.exit(1);
+        }
+    });
+    cmd
+        .command("approve <id>")
+        .description("Approve a pending request")
+        .option("--by <name>", "Who is approving", "cli-user")
+        .option("--note <text>", "Optional note")
+        .action(async (id, opts) => {
+        try {
+            const res = await fetch(`${GATEWAY_URL}/internal/approvals/respond`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({
+                    id,
+                    approved: true,
+                    by: opts.by,
+                    note: opts.note ?? "",
+                }),
+            });
+            if (!res.ok) {
+                const text = await res.text();
+                console.error(`Error: ${text}`);
+                process.exit(1);
+            }
+            console.log(`\x1b[32m✓\x1b[0m Approved: ${id}`);
+        }
+        catch (err) {
+            console.error("Failed to connect to gateway. Is it running?");
+            process.exit(1);
+        }
+    });
+    cmd
+        .command("deny <id>")
+        .description("Deny a pending request")
+        .option("--by <name>", "Who is denying", "cli-user")
+        .option("--note <text>", "Reason for denial")
+        .action(async (id, opts) => {
+        try {
+            const res = await fetch(`${GATEWAY_URL}/internal/approvals/respond`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({
+                    id,
+                    approved: false,
+                    by: opts.by,
+                    note: opts.note ?? "",
+                }),
+            });
+            if (!res.ok) {
+                const text = await res.text();
+                console.error(`Error: ${text}`);
+                process.exit(1);
+            }
+            console.log(`\x1b[31m✗\x1b[0m Denied: ${id}`);
+        }
+        catch (err) {
+            console.error("Failed to connect to gateway. Is it running?");
+            process.exit(1);
+        }
+    });
+    return cmd;
+}

package/dist/commands/connector.d.ts

@@ -0,0 +1,3 @@
+import { Command } from "commander";
+export declare function connectorCommand(): Command;
+export declare function permissionsCommand(): Command;

package/dist/commands/connector.js

@@ -0,0 +1,228 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.connectorCommand = connectorCommand;
+exports.permissionsCommand = permissionsCommand;
+const commander_1 = require("commander");
+const readline = __importStar(require("readline"));
+const utils_1 = require("../utils");
+function connectorCommand() {
+    const cmd = new commander_1.Command("connector")
+        .description("Manage connectors (API integrations)");
+    // tf connector add <type>
+    cmd
+        .command("add <type>")
+        .description("Add a connector (github, generic)")
+        .option("--token <token>", "API token or credential (visible in shell history — prefer --token-stdin or --token-env)")
+        .option("--token-stdin", "Read token from stdin (avoids shell history exposure)")
+        .option("--token-env <var>", "Read token from environment variable")
+        .option("--name <name>", "Display name")
+        .option("--domains <domains>", "Comma-separated domains (for generic type)")
+        .option("--auth-type <type>", "Auth type: bearer, api_key, basic, none", "bearer")
+        .option("--auth-header <header>", "Custom auth header name (for api_key type)")
+        .action(async (type, opts) => {
+        (0, utils_1.requireGateway)();
+        let token = opts.token;
+        if (opts.tokenEnv) {
+            token = process.env[opts.tokenEnv];
+            if (!token) {
+                console.error(`[TF] Environment variable ${opts.tokenEnv} is not set.`);
+                process.exit(1);
+            }
+        }
+        else if (opts.tokenStdin) {
+            token = await readStdin();
+            if (!token) {
+                console.error("[TF] No token received from stdin.");
+                process.exit(1);
+            }
+        }
+        else if (!token) {
+            token = await prompt(`Paste your ${type} token: `);
+        }
+        const body = {
+            type,
+            display_name: opts.name || type,
+            token,
+        };
+        if (type === "generic") {
+            if (!opts.domains) {
+                const domainsStr = await prompt("Domains (comma-separated): ");
+                body.domains = domainsStr.split(",").map((d) => d.trim());
+            }
+            else {
+                body.domains = opts.domains.split(",").map((d) => d.trim());
+            }
+            body.auth_type = opts.authType;
+            if (opts.authHeader) {
+                body.auth_header = opts.authHeader;
+            }
+        }
+        try {
+            const result = await (0, utils_1.gatewayRequest)("POST", "/internal/connectors/add", body);
+            console.log(`[TF] Connector added: ${result.name} (${result.type})`);
+            console.log(`  ID:      ${result.id}`);
+            console.log(`  Domains: ${result.domains.join(", ")}`);
+        }
+        catch (err) {
+            console.error(`[TF] Failed: ${err.message}`);
+            process.exit(1);
+        }
+    });
+    // tf connector list
+    cmd
+        .command("list")
+        .description("List all connectors")
+        .action(async () => {
+        (0, utils_1.requireGateway)();
+        try {
+            const connectors = await (0, utils_1.gatewayRequest)("GET", "/internal/connectors");
+            if (!connectors || connectors.length === 0) {
+                console.log("[TF] No connectors configured.");
+                console.log("  Add one with: tf connector add github --token <PAT>");
+                return;
+            }
+            console.log("[TF] Connectors");
+            const rows = connectors.map((c) => [
+                c.id,
+                c.type,
+                c.display_name,
+                (c.domains || []).join(", "),
+            ]);
+            console.log((0, utils_1.formatTable)(["ID", "Type", "Name", "Domains"], rows));
+        }
+        catch (err) {
+            console.error(`[TF] Failed: ${err.message}`);
+        }
+    });
+    // tf connector remove <id>
+    cmd
+        .command("remove <id>")
+        .description("Remove a connector")
+        .action(async (id) => {
+        (0, utils_1.requireGateway)();
+        try {
+            await (0, utils_1.gatewayRequest)("POST", "/internal/connectors/remove", { id });
+            console.log(`[TF] Connector ${id} removed.`);
+        }
+        catch (err) {
+            console.error(`[TF] Failed: ${err.message}`);
+        }
+    });
+    return cmd;
+}
+// tf permissions command (separate top-level for clarity)
+function permissionsCommand() {
+    const cmd = new commander_1.Command("permissions")
+        .description("Manage gateway permissions on connectors");
+    // tf permissions set
+    cmd
+        .command("set")
+        .description("Set a permission rule")
+        .requiredOption("--gateway <name>", "Gateway name")
+        .requiredOption("--connector <type>", "Connector type (github, generic, or *)")
+        .requiredOption("--action <pattern>", "Action pattern (e.g. github.pr.*, *)")
+        .requiredOption("--decision <decision>", "Decision: allow, deny, require_approval")
+        .action(async (opts) => {
+        (0, utils_1.requireGateway)();
+        try {
+            await (0, utils_1.gatewayRequest)("POST", "/internal/permissions/set", {
+                gateway_name: opts.gateway,
+                connector_type: opts.connector,
+                action_pattern: opts.action,
+                decision: opts.decision,
+            });
+            console.log(`[TF] Permission set: ${opts.gateway} → ${opts.connector}.${opts.action} = ${opts.decision}`);
+        }
+        catch (err) {
+            console.error(`[TF] Failed: ${err.message}`);
+        }
+    });
+    // tf permissions list
+    cmd
+        .command("list")
+        .description("List permission rules")
+        .option("--gateway <name>", "Filter by gateway name")
+        .action(async (opts) => {
+        (0, utils_1.requireGateway)();
+        try {
+            const url = opts.gateway
+                ? `/internal/permissions?gateway=${encodeURIComponent(opts.gateway)}`
+                : "/internal/permissions";
+            const rules = await (0, utils_1.gatewayRequest)("GET", url);
+            if (!rules || rules.length === 0) {
+                console.log("[TF] No permissions configured.");
+                console.log("  Default: all actions denied (deny-all).");
+                console.log("  Set with: tf permissions set --gateway <name> --connector <type> --action '*' --decision allow");
+                return;
+            }
+            console.log("[TF] Permissions");
+            const rows = rules.map((r) => [
+                r.gateway_name,
+                r.connector_type,
+                r.action_pattern,
+                r.decision,
+            ]);
+            console.log((0, utils_1.formatTable)(["Gateway", "Connector", "Action Pattern", "Decision"], rows));
+        }
+        catch (err) {
+            console.error(`[TF] Failed: ${err.message}`);
+        }
+    });
+    return cmd;
+}
+function readStdin() {
+    return new Promise((resolve) => {
+        let data = "";
+        process.stdin.setEncoding("utf8");
+        process.stdin.on("data", (chunk) => { data += chunk; });
+        process.stdin.on("end", () => { resolve(data.trim()); });
+        if (process.stdin.isTTY) {
+            resolve("");
+        }
+    });
+}
+function prompt(question) {
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+    });
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => {
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+}

package/dist/commands/init.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function initCommand(): Command;