@tameflare/cli 0.8.0

package/dist/commands/init.js

@@ -0,0 +1,173 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initCommand = initCommand;
+const commander_1 = require("commander");
+const child_process_1 = require("child_process");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const utils_1 = require("../utils");
+function initCommand() {
+    const cmd = new commander_1.Command("init")
+        .description("Initialize TameFlare gateway in the current directory")
+        .option("--port <port>", "Gateway port", "9443")
+        .option("--enforcement <level>", "Enforcement level: monitor, soft_enforce, full_enforce", "monitor")
+        .option("--platform <name>", "Platform template: openclaw, langchain, n8n, claude-code")
+        .action(async (opts) => {
+        const tfDir = (0, utils_1.getTfDir)();
+        if ((0, utils_1.isGatewayInitialized)()) {
+            console.log("[TF] Already initialized at", tfDir);
+            console.log("[TF] Starting gateway...");
+        }
+        else {
+            console.log("[TF] Initializing TameFlare...");
+            // Create .tf directory
+            (0, fs_1.mkdirSync)(tfDir, { recursive: true });
+            // Apply platform template enforcement level
+            const enforcement = opts.platform
+                ? "full_enforce"
+                : opts.enforcement;
+            // Write config
+            const config = [
+                "gateway:",
+                `  port: ${opts.port}`,
+                "  dashboard_port: 3000",
+                `  enforcement_level: ${enforcement}`,
+                "  proxy_mode: standard",
+                "",
+                "database:",
+                `  url: "file:${(0, path_1.join)(tfDir, "local.db").replace(/\\/g, "/")}"`,
+                "",
+                "tls:",
+                `  ca_cert: "${(0, path_1.join)(tfDir, "ca.crt").replace(/\\/g, "/")}"`,
+                `  ca_key: "${(0, path_1.join)(tfDir, "ca.key").replace(/\\/g, "/")}"`,
+            ].join("\n");
+            (0, fs_1.writeFileSync)((0, utils_1.getConfigPath)(), config, "utf-8");
+            console.log("[TF] Config created at", (0, utils_1.getConfigPath)());
+            // Write platform template
+            if (opts.platform) {
+                const template = getPlatformTemplate(opts.platform);
+                if (template) {
+                    const templatePath = (0, path_1.join)(tfDir, "platform.json");
+                    (0, fs_1.writeFileSync)(templatePath, JSON.stringify(template, null, 2), "utf-8");
+                    console.log(`[TF] Platform template: ${opts.platform}`);
+                    console.log(`[TF] Enforcement: full_enforce (platform default)`);
+                    console.log(`[TF] After gateway starts, run the setup commands below:`);
+                    console.log();
+                    for (const cmd of template.setup_commands) {
+                        console.log(`  ${cmd}`);
+                    }
+                    console.log();
+                }
+                else {
+                    console.error(`[TF] Unknown platform: ${opts.platform}`);
+                    console.error(`[TF] Available: openclaw, langchain, n8n, claude-code`);
+                    process.exit(1);
+                }
+            }
+        }
+        // Find and start the gateway binary
+        const gatewayBin = findGatewayBinary();
+        if (!gatewayBin) {
+            console.error("[TF] Gateway binary not found.");
+            console.error("[TF] Build it with: cd apps/gateway-v2 && go build -o gateway ./cmd/gateway");
+            process.exit(1);
+        }
+        console.log("[TF] Starting gateway...");
+        const gateway = (0, child_process_1.spawn)(gatewayBin, ["--config", (0, utils_1.getConfigPath)()], {
+            stdio: "inherit",
+            detached: false,
+        });
+        gateway.on("error", (err) => {
+            console.error("[TF] Failed to start gateway:", err.message);
+            process.exit(1);
+        });
+        // Write PID file for stop command
+        const pidFile = (0, path_1.join)(tfDir, "gateway.pid");
+        if (gateway.pid) {
+            (0, fs_1.writeFileSync)(pidFile, String(gateway.pid), "utf-8");
+        }
+        // Handle clean shutdown
+        process.on("SIGINT", () => {
+            gateway.kill("SIGTERM");
+            process.exit(0);
+        });
+        process.on("SIGTERM", () => {
+            gateway.kill("SIGTERM");
+            process.exit(0);
+        });
+    });
+    return cmd;
+}
+function getPlatformTemplate(platform) {
+    const templates = {
+        openclaw: {
+            name: "OpenClaw",
+            description: "AI agent framework — blocks all unknown domains, pre-allows LLM APIs",
+            connectors: ["openai", "anthropic"],
+            setup_commands: [
+                'npx tf connector add openai --token $OPENAI_API_KEY',
+                'npx tf connector add anthropic --token $ANTHROPIC_API_KEY',
+                'npx tf permissions set --gateway "default" --connector openai --action "openai.chat.*" --decision allow',
+                'npx tf permissions set --gateway "default" --connector anthropic --action "anthropic.message.*" --decision allow',
+                '# All other outbound traffic is blocked by default',
+            ],
+        },
+        langchain: {
+            name: "LangChain",
+            description: "LLM framework — pre-allows LLM APIs and search, blocks file:// and localhost",
+            connectors: ["openai", "anthropic"],
+            setup_commands: [
+                'npx tf connector add openai --token $OPENAI_API_KEY',
+                'npx tf connector add anthropic --token $ANTHROPIC_API_KEY',
+                'npx tf permissions set --gateway "default" --connector openai --action "*" --decision allow',
+                'npx tf permissions set --gateway "default" --connector anthropic --action "*" --decision allow',
+                '# Add tool connectors as needed:',
+                '# npx tf connector add generic --domains serpapi.com --token $SERP_KEY',
+            ],
+        },
+        n8n: {
+            name: "n8n",
+            description: "Workflow automation — pre-allows common integration endpoints",
+            connectors: ["openai", "slack", "github"],
+            setup_commands: [
+                'npx tf connector add openai --token $OPENAI_API_KEY',
+                'npx tf connector add slack --token $SLACK_BOT_TOKEN',
+                'npx tf connector add github --token $GITHUB_TOKEN',
+                'npx tf permissions set --gateway "workflow" --connector openai --action "*" --decision allow',
+                'npx tf permissions set --gateway "workflow" --connector slack --action "slack.message.*" --decision allow',
+                'npx tf permissions set --gateway "workflow" --connector github --action "github.issue.*" --decision allow',
+                'npx tf permissions set --gateway "workflow" --connector github --action "github.pr.merge" --decision require_approval',
+            ],
+        },
+        "claude-code": {
+            name: "Claude Code",
+            description: "AI coding assistant — pre-allows package registries and git, blocks all other outbound",
+            connectors: ["github"],
+            setup_commands: [
+                'npx tf connector add github --token $GITHUB_TOKEN',
+                'npx tf connector add generic --domains registry.npmjs.org,pypi.org --auth-type none',
+                'npx tf permissions set --gateway "claude" --connector github --action "github.api.read" --decision allow',
+                'npx tf permissions set --gateway "claude" --connector github --action "github.pr.create" --decision allow',
+                'npx tf permissions set --gateway "claude" --connector github --action "github.pr.merge" --decision require_approval',
+                'npx tf permissions set --gateway "claude" --connector github --action "github.file.commit" --decision allow',
+                'npx tf permissions set --gateway "claude" --connector generic --action "*" --decision allow',
+                '# All other outbound traffic is blocked by default',
+            ],
+        },
+    };
+    return templates[platform] ?? null;
+}
+function findGatewayBinary() {
+    const candidates = [
+        (0, path_1.join)(process.cwd(), "apps", "gateway-v2", "gateway.exe"),
+        (0, path_1.join)(process.cwd(), "apps", "gateway-v2", "gateway"),
+        (0, path_1.join)(process.cwd(), "gateway.exe"),
+        (0, path_1.join)(process.cwd(), "gateway"),
+    ];
+    for (const candidate of candidates) {
+        if ((0, fs_1.existsSync)(candidate)) {
+            return candidate;
+        }
+    }
+    return null;
+}

package/dist/commands/kill-switch.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function killSwitchCommand(): Command;

package/dist/commands/kill-switch.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.killSwitchCommand = killSwitchCommand;
+const commander_1 = require("commander");
+const utils_1 = require("../utils");
+function killSwitchCommand() {
+    const cmd = new commander_1.Command("kill-switch")
+        .description("Emergency: block all gateway traffic");
+    cmd
+        .command("activate")
+        .description("Activate kill switch — block ALL traffic immediately")
+        .option("--reason <reason>", "Reason for activation", "Manual activation")
+        .action(async (opts) => {
+        (0, utils_1.requireGateway)();
+        try {
+            await (0, utils_1.gatewayRequest)("POST", "/internal/kill-switch", {
+                active: true,
+                reason: opts.reason,
+            });
+            console.log("[TF] KILL SWITCH ACTIVATED");
+            console.log(`  Reason: ${opts.reason}`);
+            console.log("  All traffic is now blocked.");
+            console.log("  Deactivate with: tf kill-switch deactivate");
+        }
+        catch (err) {
+            console.error(`[TF] Failed: ${err.message}`);
+        }
+    });
+    cmd
+        .command("deactivate")
+        .description("Deactivate kill switch — resume normal enforcement")
+        .action(async () => {
+        (0, utils_1.requireGateway)();
+        try {
+            await (0, utils_1.gatewayRequest)("POST", "/internal/kill-switch", {
+                active: false,
+            });
+            console.log("[TF] Kill switch deactivated. Normal enforcement resumed.");
+        }
+        catch (err) {
+            console.error(`[TF] Failed: ${err.message}`);
+        }
+    });
+    return cmd;
+}

package/dist/commands/license.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function licenseCommand(): Command;

package/dist/commands/license.js

@@ -0,0 +1,143 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.licenseCommand = licenseCommand;
+const commander_1 = require("commander");
+const utils_1 = require("../utils");
+function licenseCommand() {
+    const cmd = new commander_1.Command("license")
+        .description("Manage license and plan");
+    cmd
+        .command("status")
+        .description("Show current license tier, usage, and limits")
+        .action(async () => {
+        try {
+            const baseUrl = (0, utils_1.getBaseUrl)();
+            const apiKey = (0, utils_1.getApiKey)();
+            const response = await fetch(`${baseUrl}/api/license/activate`, {
+                method: "GET",
+                headers: {
+                    Authorization: `Bearer ${apiKey}`,
+                    "Content-Type": "application/json",
+                    "User-Agent": "@agentfirewall/cli/0.1.0",
+                },
+            });
+            const data = (await response.json());
+            if (!response.ok) {
+                console.error(`Error ${response.status}: ${data.error ?? "Unknown error"}`);
+                process.exit(1);
+            }
+            console.log(`\nPlan: ${data.tier_name} (${data.tier})`);
+            console.log(`License ID: ${data.license_id}`);
+            console.log(`Valid: ${data.valid ? "Yes" : "No"}`);
+            console.log(`Expires: ${new Date(data.expires_at).toLocaleDateString()}`);
+            const limits = data.limits;
+            console.log("\nLimits:");
+            console.log(`  Agents:       ${limits.maxAgents === -1 ? "Unlimited" : limits.maxAgents}`);
+            console.log(`  Actions/mo:   ${limits.maxActionsPerMonth === -1 ? "Unlimited" : limits.maxActionsPerMonth.toLocaleString()}`);
+            console.log(`  Audit retain: ${limits.auditRetentionDays === -1 ? "Unlimited" : `${limits.auditRetentionDays} days`}`);
+            const features = data.features;
+            if (features.length > 0) {
+                console.log("\nFeatures:");
+                features.forEach((f) => console.log(`  + ${f.replace(/_/g, " ")}`));
+            }
+            else {
+                console.log("\nFeatures: (none — upgrade for more)");
+            }
+            if (data.price !== null && data.price !== undefined) {
+                console.log(`\nPrice: ${data.price === 0 ? "Free" : `$${data.price}/mo`}`);
+            }
+            console.log("");
+        }
+        catch (err) {
+            console.error("Failed to fetch license status:", err instanceof Error ? err.message : err);
+            process.exit(1);
+        }
+    });
+    cmd
+        .command("activate <key>")
+        .description("Activate a license key on this instance")
+        .action(async (key) => {
+        try {
+            const baseUrl = (0, utils_1.getBaseUrl)();
+            const apiKey = (0, utils_1.getApiKey)();
+            console.log("Activating license key...");
+            const response = await fetch(`${baseUrl}/api/license/activate`, {
+                method: "POST",
+                headers: {
+                    Authorization: `Bearer ${apiKey}`,
+                    "Content-Type": "application/json",
+                    "User-Agent": "@agentfirewall/cli/0.1.0",
+                },
+                body: JSON.stringify({ license_key: key }),
+            });
+            const data = (await response.json());
+            if (!response.ok) {
+                console.error(`Activation failed: ${data.error ?? "Unknown error"}`);
+                if (data.details)
+                    console.error(`Details: ${data.details}`);
+                process.exit(1);
+            }
+            console.log(`\nLicense activated successfully!`);
+            console.log(`  Tier:       ${data.tier}`);
+            console.log(`  License ID: ${data.license_id}`);
+            console.log(`  Expires:    ${new Date(data.expires_at).toLocaleDateString()}`);
+            const limits = data.limits;
+            console.log(`  Agents:     ${limits.maxAgents === -1 ? "Unlimited" : limits.maxAgents}`);
+            console.log(`  Actions/mo: ${limits.maxActionsPerMonth === -1 ? "Unlimited" : limits.maxActionsPerMonth.toLocaleString()}`);
+            const features = data.features;
+            if (features.length > 0) {
+                console.log(`  Features:   ${features.join(", ")}`);
+            }
+            console.log("");
+        }
+        catch (err) {
+            console.error("Activation failed:", err instanceof Error ? err.message : err);
+            process.exit(1);
+        }
+    });
+    cmd
+        .command("usage")
+        .description("Show current usage against plan limits")
+        .action(async () => {
+        try {
+            const baseUrl = (0, utils_1.getBaseUrl)();
+            const apiKey = (0, utils_1.getApiKey)();
+            const response = await fetch(`${baseUrl}/api/license/activate`, {
+                method: "GET",
+                headers: {
+                    Authorization: `Bearer ${apiKey}`,
+                    "Content-Type": "application/json",
+                    "User-Agent": "@agentfirewall/cli/0.1.0",
+                },
+            });
+            const data = (await response.json());
+            if (!response.ok) {
+                console.error(`Error: ${data.error ?? "Unknown error"}`);
+                process.exit(1);
+            }
+            console.log(`\nPlan: ${data.tier_name}`);
+            console.log("");
+            const table = (0, utils_1.formatTable)(["Resource", "Current", "Limit", "Usage"], [
+                [
+                    "Agents",
+                    String(data.usage?.agents ?? "?"),
+                    data.limits.maxAgents === -1 ? "Unlimited" : String(data.limits.maxAgents),
+                    data.limits.maxAgents === -1 ? "-" : `${Math.round(((data.usage?.agents ?? 0) / data.limits.maxAgents) * 100)}%`,
+                ],
+                [
+                    "Actions/mo",
+                    String(data.usage?.actions ?? "?"),
+                    data.limits.maxActionsPerMonth === -1 ? "Unlimited" : String(data.limits.maxActionsPerMonth),
+                    data.limits.maxActionsPerMonth === -1 ? "-" : `${Math.round(((data.usage?.actions ?? 0) / data.limits.maxActionsPerMonth) * 100)}%`,
+                ],
+            ]);
+            console.log(table);
+            console.log("");
+        }
+        catch (err) {
+            console.error("Failed to fetch usage:", err instanceof Error ? err.message : err);
+            process.exit(1);
+        }
+    });
+    return cmd;
+}

package/dist/commands/logs.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function logsCommand(): Command;

package/dist/commands/logs.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logsCommand = logsCommand;
+const commander_1 = require("commander");
+const utils_1 = require("../utils");
+function logsCommand() {
+    const cmd = new commander_1.Command("logs")
+        .description("View recent traffic logs")
+        .option("--gateway <name>", "Filter by gateway name")
+        .option("-n, --limit <count>", "Number of entries", "25")
+        .action(async (opts) => {
+        (0, utils_1.requireGateway)();
+        try {
+            const entries = await (0, utils_1.gatewayRequest)("GET", "/internal/traffic");
+            if (!entries || entries.length === 0) {
+                console.log("[TF] No traffic logged yet.");
+                console.log("  Run a process with: tf run --name <name> <command>");
+                return;
+            }
+            let filtered = entries;
+            if (opts.gateway) {
+                filtered = entries.filter((e) => e.gateway_name === opts.gateway);
+            }
+            const limit = parseInt(opts.limit, 10);
+            filtered = filtered.slice(0, limit);
+            console.log("[TF] Recent Traffic");
+            console.log("");
+            for (const entry of filtered) {
+                const time = new Date(entry.timestamp).toLocaleTimeString();
+                const symbol = getSymbol(entry.decision);
+                const gwName = entry.gateway_name.padEnd(15);
+                const method = entry.method.padEnd(7);
+                const url = truncate(entry.url, 55);
+                const decision = entry.decision;
+                console.log(`  ${time}  ${symbol} ${gwName} ${method} ${url}  ${decision}`);
+                if (entry.reason && entry.decision !== "allowed") {
+                    console.log(`           ${" ".repeat(15)} ${"".padEnd(7)} -> ${entry.reason}`);
+                }
+            }
+            console.log("");
+            console.log(`  Showing ${filtered.length} of ${entries.length} entries`);
+        }
+        catch (err) {
+            console.error("[TF] Gateway is not running.");
+            console.error("  Start it with: tf init");
+        }
+    });
+    return cmd;
+}
+function getSymbol(decision) {
+    switch (decision) {
+        case "allowed":
+        case "would_allow":
+            return "\x1b[32m✓\x1b[0m";
+        case "denied":
+            return "\x1b[31m✗\x1b[0m";
+        case "would_deny":
+            return "\x1b[33m~\x1b[0m";
+        case "error":
+            return "\x1b[31m!\x1b[0m";
+        default:
+            return "?";
+    }
+}
+function truncate(s, maxLen) {
+    if (s.length <= maxLen)
+        return s;
+    return s.substring(0, maxLen - 3) + "...";
+}

package/dist/commands/policies.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function policiesCommand(): Command;

package/dist/commands/policies.js

@@ -0,0 +1,113 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.policiesCommand = policiesCommand;
+const commander_1 = require("commander");
+const fs = __importStar(require("fs"));
+const utils_1 = require("../utils");
+function policiesCommand() {
+    const cmd = new commander_1.Command("policies").description("Manage policies");
+    cmd
+        .command("list")
+        .description("List active policies")
+        .action(async () => {
+        const data = await (0, utils_1.apiRequest)("GET", "/v1/policies");
+        const policies = (data.policies ?? []);
+        if (policies.length === 0) {
+            console.log("No policies found.");
+            return;
+        }
+        console.log((0, utils_1.formatTable)(["Name", "Priority", "Tags", "Status"], policies.map((p) => [
+            String(p.name),
+            String(p.priority),
+            Array.isArray(p.tags) ? p.tags.join(", ") : "—",
+            p.enabled ? "active" : "disabled",
+        ])));
+    });
+    cmd
+        .command("create")
+        .description("Create a policy from a YAML file")
+        .requiredOption("--file <path>", "Path to YAML policy file")
+        .action(async (opts) => {
+        const filePath = opts.file;
+        if (!fs.existsSync(filePath)) {
+            console.error(`File not found: ${filePath}`);
+            process.exit(1);
+        }
+        const yaml = fs.readFileSync(filePath, "utf-8");
+        const data = await (0, utils_1.apiRequest)("POST", "/v1/policies", {
+            policy_yaml: yaml,
+        });
+        console.log("Policy created successfully!");
+        console.log(`  ID:   ${data.policy_id}`);
+        console.log(`  Name: ${data.name}`);
+        const validation = data.validation;
+        if (validation?.warnings && Array.isArray(validation.warnings) && validation.warnings.length > 0) {
+            console.log("  Warnings:");
+            for (const w of validation.warnings) {
+                console.log(`    - ${w}`);
+            }
+        }
+    });
+    cmd
+        .command("simulate")
+        .description("Simulate policy evaluation")
+        .requiredOption("--action-type <type>", "Action type (e.g. github.pr.merge)")
+        .requiredOption("--provider <provider>", "Provider (e.g. github)")
+        .requiredOption("--target <target>", "Resource target")
+        .option("--environment <env>", "Environment", "production")
+        .action(async (opts) => {
+        const data = await (0, utils_1.apiRequest)("POST", "/v1/policies/simulate", {
+            action_spec: {
+                type: opts.actionType,
+                resource: {
+                    provider: opts.provider,
+                    account: "cli",
+                    target: opts.target,
+                    environment: opts.environment,
+                },
+                parameters: {},
+                context: { reason: "CLI simulation" },
+                risk_hints: {},
+            },
+        });
+        const decision = data.simulated_decision;
+        console.log(`Outcome:  ${decision?.outcome}`);
+        console.log(`Reason:   ${decision?.reason}`);
+        console.log(`Risk:     ${decision?.risk_score}`);
+        console.log(`Policies: ${decision?.matched_policies?.join(", ") ?? "none"}`);
+    });
+    return cmd;
+}

package/dist/commands/run.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function runCommand(): Command;

package/dist/commands/run.js

@@ -0,0 +1,85 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runCommand = runCommand;
+const commander_1 = require("commander");
+const child_process_1 = require("child_process");
+const utils_1 = require("../utils");
+function runCommand() {
+    const cmd = new commander_1.Command("run")
+        .description("Run a process through the TameFlare proxy")
+        .requiredOption("--name <name>", "Process name")
+        .argument("<command...>", "Command to run")
+        .action(async (commandArgs, opts) => {
+        (0, utils_1.requireGateway)();
+        const processName = opts.name;
+        const [command, ...args] = commandArgs;
+        console.log(`[TF] Registering process "${processName}"...`);
+        // Register process with gateway
+        let registration;
+        try {
+            registration = await (0, utils_1.gatewayRequest)("POST", "/internal/processes/register", {
+                name: processName,
+                pid: process.pid,
+            });
+        }
+        catch (err) {
+            console.error(`[TF] Failed to register process: ${err.message}`);
+            process.exit(1);
+        }
+        const proxyUrl = registration.proxy_url;
+        const caCert = registration.ca_cert;
+        console.log(`[TF] Process "${processName}" registered on port ${registration.port}`);
+        console.log(`[TF] Proxy: ${proxyUrl}`);
+        console.log(`[TF] Starting: ${command} ${args.join(" ")}`);
+        console.log("");
+        // Spawn child process with proxy environment variables
+        const env = {
+            ...process.env,
+            HTTP_PROXY: proxyUrl,
+            HTTPS_PROXY: proxyUrl,
+            http_proxy: proxyUrl,
+            https_proxy: proxyUrl,
+            // Trust the TameFlare CA certificate for various runtimes
+            NODE_EXTRA_CA_CERTS: caCert,
+            SSL_CERT_FILE: caCert,
+            REQUESTS_CA_BUNDLE: caCert,
+            CURL_CA_BUNDLE: caCert,
+            // Mark as TameFlare-wrapped (processes can detect this if needed)
+            TF_PROCESS_NAME: processName,
+            TF_PROXY_PORT: String(registration.port),
+        };
+        const child = (0, child_process_1.spawn)(command, args, {
+            stdio: "inherit",
+            env,
+            shell: true,
+        });
+        child.on("error", (err) => {
+            console.error(`[TF] Failed to start command: ${err.message}`);
+            deregister(processName);
+            process.exit(1);
+        });
+        child.on("exit", (code, signal) => {
+            console.log("");
+            console.log(`[TF] Process "${processName}" exited (code ${code ?? signal})`);
+            deregister(processName);
+            process.exit(code ?? 1);
+        });
+        // Clean shutdown on signals
+        const cleanup = () => {
+            child.kill("SIGTERM");
+            deregister(processName);
+        };
+        process.on("SIGINT", cleanup);
+        process.on("SIGTERM", cleanup);
+    });
+    return cmd;
+}
+async function deregister(name) {
+    try {
+        await (0, utils_1.gatewayRequest)("POST", "/internal/processes/deregister", { name });
+        console.log(`[TF] Process "${name}" deregistered`);
+    }
+    catch {
+        // Gateway may already be down — ignore
+    }
+}

package/dist/commands/status.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function statusCommand(): Command;