@trigguard/cli 0.1.1

package/dist/commands/replay.js

@@ -0,0 +1,130 @@
+import { computeReplayArtifactHash, loadAllReplayArtifacts, loadReplayArtifact, replayDecision, signReplayReceipt, verifyReplayReceipt, verifyTransparencyInclusion, } from "@trigguard/policy-engine";
+import { readFileSync, writeFileSync } from "node:fs";
+function printReplayResult(artifact, actual, replayMatch) {
+    console.log(`Receipt: ${artifact.receipt_id}`);
+    console.log(`Bundle: ${artifact.policy_bundle_hash}`);
+    console.log(`Expected: ${artifact.expected_decision}`);
+    console.log(`Actual: ${actual}`);
+    console.log(`Match: ${replayMatch ? "YES" : "NO"}`);
+}
+function argValue(args, name) {
+    const i = args.indexOf(name);
+    if (i < 0)
+        return undefined;
+    return args[i + 1];
+}
+function hasFlag(args, name) {
+    return args.includes(name);
+}
+function parseJsonFile(path) {
+    return JSON.parse(readFileSync(path, "utf8"));
+}
+export async function runReplay(argv) {
+    const sub = argv[0];
+    if (sub === "sign") {
+        await runReplaySign(argv.slice(1));
+        return;
+    }
+    if (sub === "verify") {
+        await runReplayVerify(argv.slice(1));
+        return;
+    }
+    const receiptId = argv[0];
+    if (!receiptId) {
+        console.error("Usage: trigguard replay <receipt_id>\n   or: trigguard replay sign <receipt_id> [--out file] [--anchor]\n   or: trigguard replay verify <receipt.json> [--artifact artifact.json] [--bundle-hash sha256:..|64-hex] [--public-key pem] [--json]");
+        process.exit(1);
+        return;
+    }
+    const artifact = loadReplayArtifact(receiptId);
+    if (!artifact) {
+        console.error(`Replay artifact not found for receipt_id=${receiptId}`);
+        process.exit(1);
+        return;
+    }
+    const out = replayDecision(artifact);
+    printReplayResult(artifact, out.decision, out.replay_match);
+    if (!out.replay_match)
+        process.exitCode = 2;
+}
+async function runReplaySign(argv) {
+    const receiptId = argv[0];
+    if (!receiptId) {
+        console.error("Usage: trigguard replay sign <receipt_id> [--out file] [--anchor]");
+        process.exit(1);
+        return;
+    }
+    const artifact = loadReplayArtifact(receiptId);
+    if (!artifact) {
+        console.error(`Replay artifact not found for receipt_id=${receiptId}`);
+        process.exit(1);
+        return;
+    }
+    const anchor = hasFlag(argv, "--anchor");
+    const outPath = argValue(argv, "--out");
+    const signer = argValue(argv, "--signer");
+    const signed = signReplayReceipt(artifact, { anchor, ...(signer ? { signer } : {}) });
+    if (outPath)
+        writeFileSync(outPath, `${JSON.stringify(signed, null, 2)}\n`, "utf8");
+    console.log(JSON.stringify(signed, null, 2));
+}
+async function runReplayVerify(argv) {
+    const receiptPath = argv[0];
+    if (!receiptPath) {
+        console.error("Usage: trigguard replay verify <receipt.json> [--artifact artifact.json] [--bundle-hash sha256:..|64-hex] [--public-key pem] [--json]");
+        process.exit(1);
+        return;
+    }
+    const jsonOut = hasFlag(argv, "--json");
+    const artifactPath = argValue(argv, "--artifact");
+    const expectedBundleHash = argValue(argv, "--bundle-hash");
+    const publicKeyPem = argValue(argv, "--public-key");
+    const replayReceipt = parseJsonFile(receiptPath);
+    const artifact = artifactPath
+        ? parseJsonFile(artifactPath)
+        : loadReplayArtifact(replayReceipt.receipt_id);
+    if (!artifact) {
+        console.error("Replay artifact could not be loaded (use --artifact <artifact.json>).");
+        process.exit(1);
+        return;
+    }
+    const verifyResult = verifyReplayReceipt({ replayReceipt, artifact, expectedBundleHash, publicKeyPem });
+    if (!verifyResult.ok) {
+        if (jsonOut)
+            console.log(JSON.stringify(verifyResult, null, 2));
+        else
+            console.error(`INVALID ${verifyResult.failed_check}: ${verifyResult.detail}`);
+        process.exitCode = 2;
+        return;
+    }
+    const inclusion = verifyTransparencyInclusion(computeReplayArtifactHash(artifact));
+    const out = {
+        ok: true,
+        checks: verifyResult.checks,
+        transparency: inclusion,
+        receipt_id: replayReceipt.receipt_id,
+    };
+    if (jsonOut)
+        console.log(JSON.stringify(out, null, 2));
+    else {
+        console.log("OK replay receipt signature and artifact verified");
+        console.log(`Transparency inclusion: ${inclusion.ok ? "YES" : "NO"}`);
+        console.log(`Transparency root: ${inclusion.root_hash}`);
+    }
+}
+export async function runReplayAudit() {
+    const artifacts = loadAllReplayArtifacts();
+    let matches = 0;
+    let mismatches = 0;
+    for (const artifact of artifacts) {
+        const out = replayDecision(artifact);
+        if (out.replay_match)
+            matches += 1;
+        else
+            mismatches += 1;
+    }
+    console.log(`Total receipts: ${artifacts.length}`);
+    console.log(`Replay matches: ${matches}`);
+    console.log(`Replay mismatches: ${mismatches}`);
+    if (mismatches > 0)
+        process.exitCode = 2;
+}

package/dist/commands/session.d.ts

@@ -0,0 +1,6 @@
+import type { SessionSnapshot } from "../cp/types.js";
+export declare function resolveSessionSnapshot(): Promise<SessionSnapshot>;
+export declare function runLogin(args: string[]): Promise<void>;
+export declare function runLogout(args: string[]): Promise<void>;
+export declare function runWhoami(args: string[]): Promise<void>;
+export declare function runStatus(args: string[]): Promise<void>;

package/dist/commands/session.js

@@ -0,0 +1,280 @@
+import readline from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+import { ControlPlaneError, fetchDashboardOrgs, fetchMe, loginWithPassword, resolveActiveOrg, } from "../cp/client.js";
+import { loadConfig, saveConfig, clearSession } from "../cp/config.js";
+import { resolveApiKeySource, storedCliApiKeyForSession } from "../cp/credentials.js";
+import { defaultMachineLabel, ensureCliApiKey } from "../cp/provisionCliKey.js";
+import { runLoginWeb } from "./login-web.js";
+function flagValue(args, name) {
+    const i = args.indexOf(name);
+    if (i === -1)
+        return undefined;
+    const next = args[i + 1];
+    if (next === undefined || next.startsWith("-"))
+        return undefined;
+    return next;
+}
+function hasFlag(args, name) {
+    return args.includes(name);
+}
+async function promptLine(label, hidden = false) {
+    if (hidden && process.stdin.isTTY) {
+        output.write(label);
+        const chunks = [];
+        input.setRawMode?.(true);
+        try {
+            for await (const chunk of input) {
+                const s = chunk.toString("utf8");
+                for (const ch of s) {
+                    const code = ch.charCodeAt(0);
+                    if (code === 13 || code === 10) {
+                        output.write("\n");
+                        return chunks.join("");
+                    }
+                    if (code === 127 || code === 8) {
+                        chunks.pop();
+                        continue;
+                    }
+                    if (code === 3) {
+                        output.write("\n");
+                        throw new Error("login_cancelled");
+                    }
+                    chunks.push(ch);
+                }
+            }
+        }
+        finally {
+            input.setRawMode?.(false);
+        }
+        return chunks.join("");
+    }
+    const rl = readline.createInterface({ input, output });
+    try {
+        return (await rl.question(label)).trim();
+    }
+    finally {
+        rl.close();
+    }
+}
+export async function resolveSessionSnapshot() {
+    const config = loadConfig();
+    const token = config.sessionToken;
+    if (!token) {
+        return {
+            authenticated: false,
+            user: null,
+            orgs: [],
+            activeOrg: null,
+            controlPlaneUrl: config.controlPlaneUrl,
+            environment: config.environment,
+        };
+    }
+    try {
+        const me = await fetchMe({ ...config, sessionToken: token });
+        let orgs = [];
+        try {
+            const dash = await fetchDashboardOrgs({ ...config, sessionToken: token });
+            orgs = dash.orgs;
+        }
+        catch (e) {
+            if (!(e instanceof ControlPlaneError) || e.code !== "email_verification_required") {
+                throw e;
+            }
+        }
+        return {
+            authenticated: true,
+            user: me,
+            orgs,
+            activeOrg: resolveActiveOrg(orgs, config.activeOrgId),
+            controlPlaneUrl: config.controlPlaneUrl,
+            environment: config.environment,
+        };
+    }
+    catch {
+        return {
+            authenticated: false,
+            user: null,
+            orgs: [],
+            activeOrg: null,
+            controlPlaneUrl: config.controlPlaneUrl,
+            environment: config.environment,
+        };
+    }
+}
+export async function runLogin(args) {
+    const usePassword = hasFlag(args, "--password") ||
+        Boolean(flagValue(args, "--email")) ||
+        Boolean(process.env.TRIGGUARD_PASSWORD?.trim());
+    if (hasFlag(args, "--web") || (!usePassword && input.isTTY)) {
+        await runLoginWeb(args);
+        return;
+    }
+    const json = hasFlag(args, "--json");
+    const email = flagValue(args, "--email") ??
+        process.env.TRIGGUARD_EMAIL?.trim() ??
+        (await promptLine("Email: "));
+    const password = flagValue(args, "--password") ??
+        process.env.TRIGGUARD_PASSWORD ??
+        (await promptLine("Password: ", true));
+    if (!email || !password) {
+        throw new Error("email_and_password_required");
+    }
+    const config = loadConfig();
+    let token;
+    let user;
+    try {
+        ({ token, user } = await loginWithPassword(config, email, password));
+    }
+    catch (e) {
+        if (e instanceof ControlPlaneError && e.code === "invalid_credentials") {
+            throw new Error("Invalid email or password");
+        }
+        throw e;
+    }
+    let activeOrgId;
+    const priorOrgHint = config.user?.email === user.email ? config.activeOrgId : undefined;
+    try {
+        const dash = await fetchDashboardOrgs({ ...config, sessionToken: token });
+        activeOrgId = resolveActiveOrg(dash.orgs, priorOrgHint)?.orgId;
+    }
+    catch (e) {
+        if (e instanceof ControlPlaneError && e.code === "email_verification_required") {
+            activeOrgId = undefined;
+        }
+        else {
+            throw e;
+        }
+    }
+    const sessionConfig = {
+        ...config,
+        sessionToken: token,
+        activeOrgId,
+        user: { id: user.id, email: user.email },
+    };
+    let apiKey;
+    let apiKeyId;
+    let apiKeyDisplayName;
+    if (activeOrgId) {
+        const reuseKey = storedCliApiKeyForSession(config, user, activeOrgId);
+        const key = await ensureCliApiKey(sessionConfig, activeOrgId, reuseKey, defaultMachineLabel());
+        apiKey = key.rawKey;
+        apiKeyId = key.keyId;
+        apiKeyDisplayName = key.displayName;
+    }
+    saveConfig({
+        version: config.version,
+        controlPlaneUrl: config.controlPlaneUrl,
+        environment: config.environment,
+        sessionToken: token,
+        activeOrgId,
+        user: { id: user.id, email: user.email },
+        apiKey,
+        apiKeyId,
+        apiKeyDisplayName,
+    });
+    if (json) {
+        console.log(JSON.stringify({
+            ok: true,
+            user: { id: user.id, email: user.email },
+            controlPlaneUrl: config.controlPlaneUrl,
+            activeOrgId: activeOrgId ?? null,
+            apiKeyConfigured: Boolean(apiKey),
+            apiKeySource: apiKey ? "config" : "none",
+        }, null, 2));
+        return;
+    }
+    console.log(`Signed in as ${user.email}`);
+    if (activeOrgId)
+        console.log(`Workspace: ${activeOrgId}`);
+    else
+        console.log("Workspace: (verify email to list organizations)");
+    if (apiKey)
+        console.log("API key configured for this machine.");
+}
+export async function runLogout(args) {
+    const json = hasFlag(args, "--json");
+    clearSession(loadConfig());
+    if (json) {
+        console.log(JSON.stringify({ ok: true }, null, 2));
+        return;
+    }
+    console.log("Signed out.");
+}
+export async function runWhoami(args) {
+    const json = hasFlag(args, "--json");
+    const config = loadConfig();
+    const snap = await resolveSessionSnapshot();
+    const apiKeySource = resolveApiKeySource(config);
+    const apiKeyConfigured = apiKeySource !== "none";
+    if (!snap.authenticated || !snap.user) {
+        if (json) {
+            console.log(JSON.stringify({ authenticated: false, apiKeyConfigured: false }, null, 2));
+        }
+        else {
+            console.log("Not signed in. Run: tg login");
+        }
+        process.exit(snap.authenticated ? 0 : 1);
+    }
+    if (json) {
+        console.log(JSON.stringify({
+            authenticated: true,
+            user: snap.user,
+            activeOrg: snap.activeOrg,
+            controlPlaneUrl: snap.controlPlaneUrl,
+            environment: snap.environment,
+            apiKeyConfigured,
+            apiKeySource,
+        }, null, 2));
+        return;
+    }
+    console.log(`User: ${snap.user.email}`);
+    console.log(`User ID: ${snap.user.id}`);
+    if (snap.activeOrg) {
+        console.log(`Organization: ${snap.activeOrg.name}`);
+        console.log(`Workspace: ${snap.activeOrg.orgId}`);
+        console.log(`Plan: ${snap.activeOrg.plan}`);
+    }
+    else if (!snap.user.emailVerifiedAt) {
+        console.log("Email verification required before workspace listing.");
+    }
+    console.log(`Environment: ${snap.environment}`);
+    console.log(`API key configured: ${apiKeyConfigured ? "yes" : "no"}`);
+    console.log(`API key source: ${apiKeySource}`);
+}
+export async function runStatus(args) {
+    const json = hasFlag(args, "--json");
+    const config = loadConfig();
+    const snap = await resolveSessionSnapshot();
+    const apiKeySource = resolveApiKeySource(config);
+    const apiKeyConfigured = apiKeySource !== "none";
+    const payload = {
+        authentication: snap.authenticated ? "signed_in" : "signed_out",
+        organization: snap.activeOrg?.name ?? null,
+        workspace: snap.activeOrg?.orgId ?? null,
+        plan: snap.activeOrg?.plan ?? null,
+        environment: snap.environment,
+        apiEndpoint: snap.controlPlaneUrl,
+        emailVerified: Boolean(snap.user?.emailVerifiedAt),
+        user: snap.user?.email ?? null,
+        apiKeyConfigured,
+        apiKeySource,
+        authorityStatus: snap.authenticated && apiKeyConfigured ? "ready" : "needs_login",
+        verificationStatus: "available",
+    };
+    if (json) {
+        console.log(JSON.stringify(payload, null, 2));
+        return;
+    }
+    console.log("TrigGuard CLI status");
+    console.log(`  Authentication: ${payload.authentication}`);
+    console.log(`  User:           ${payload.user ?? "—"}`);
+    console.log(`  Organization:   ${payload.organization ?? "—"}`);
+    console.log(`  Workspace:      ${payload.workspace ?? "—"}`);
+    console.log(`  Plan:           ${payload.plan ?? "—"}`);
+    console.log(`  Environment:    ${payload.environment}`);
+    console.log(`  API endpoint:   ${payload.apiEndpoint}`);
+    console.log(`  Email verified: ${payload.emailVerified ? "yes" : "no"}`);
+    console.log(`  API key:        ${apiKeyConfigured ? `configured (${apiKeySource})` : "not configured"}`);
+    console.log(`  Authority:      ${payload.authorityStatus}`);
+    console.log(`  Verification:   ${payload.verificationStatus}`);
+}

package/dist/commands/simulate.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Simulates a POST /decide against a local (or custom) execution authority; verifies the
+ * Ed25519 receipt. Does not run protected actions.
+ */
+export declare function runSimulate(argv: string[]): Promise<void>;

package/dist/commands/simulate.js

@@ -0,0 +1,89 @@
+import { parseArgs } from "node:util";
+import { requestDecision, TrigGuardClientError, } from "@trigguard/decision";
+import { DEFAULT_DEV_PORT, MOCK_AUTHORITY_PUBLIC_KEY_HEX } from "../dev/authority.js";
+const DEFAULT_ENDPOINT = `http://127.0.0.1:${DEFAULT_DEV_PORT}`;
+function ucaseDecision(d) {
+    if (d === "permit")
+        return "PERMIT";
+    if (d === "deny")
+        return "DENY";
+    return d.toUpperCase();
+}
+/**
+ * Simulates a POST /decide against a local (or custom) execution authority; verifies the
+ * Ed25519 receipt. Does not run protected actions.
+ */
+export async function runSimulate(argv) {
+    const { values, positionals } = parseArgs({
+        args: argv,
+        options: {
+            riskScore: { type: "string" },
+            origin: { type: "string" },
+            endpoint: { type: "string" },
+            "public-key": { type: "string" },
+            "timeout-ms": { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const surface = String(positionals[0] ?? "").trim();
+    if (!surface) {
+        console.error("trigguard simulate: missing <surface> (e.g. deploy.production)");
+        process.exit(2);
+    }
+    const endpoint = (values.endpoint && String(values.endpoint).trim()) || DEFAULT_ENDPOINT;
+    const authorityPublicKey = (values["public-key"] && String(values["public-key"]).trim()) ||
+        MOCK_AUTHORITY_PUBLIC_KEY_HEX;
+    let riskScore;
+    if (values.riskScore != null && String(values.riskScore).trim() !== "") {
+        const n = Number(String(values.riskScore).trim());
+        if (!Number.isFinite(n)) {
+            console.error("trigguard simulate: --riskScore must be a number");
+            process.exit(2);
+        }
+        riskScore = n;
+    }
+    const origin = values.origin != null && String(values.origin).trim() !== ""
+        ? String(values.origin).trim()
+        : "trigguard-cli-simulate";
+    let timeoutMs;
+    if (values["timeout-ms"] != null && String(values["timeout-ms"]).trim() !== "") {
+        const t = Number.parseInt(String(values["timeout-ms"]).trim(), 10);
+        if (!Number.isFinite(t) || t <= 0) {
+            console.error("trigguard simulate: --timeout-ms must be a positive integer");
+            process.exit(2);
+        }
+        timeoutMs = t;
+    }
+    const jsonOut = values.json === true;
+    try {
+        const result = await requestDecision({
+            endpoint,
+            authorityPublicKey,
+            surface,
+            riskScore,
+            origin,
+            timeoutMs,
+        });
+        if (jsonOut) {
+            console.log(JSON.stringify(result, null, 2));
+        }
+        else {
+            console.log(`Decision: ${ucaseDecision(String(result.decision))}`);
+            console.log(`Reason: ${result.reason}`);
+            console.log(`Policy fingerprint: ${result.policyFingerprint}`);
+            console.log(`Timestamp: ${result.timestamp}`);
+            console.log(`Endpoint: ${endpoint}`);
+            console.log("Receipt: verified (Ed25519)");
+        }
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        console.error(`trigguard simulate: ${msg}`);
+        if (e instanceof TrigGuardClientError && e.code) {
+            process.stderr.write(`(code: ${e.code})\n`);
+        }
+        process.exit(1);
+    }
+}

package/dist/commands/tg-authorize.d.ts

@@ -0,0 +1,12 @@
+export interface AuthorizeInput {
+    surface: string;
+    actorId: string;
+    intent?: string;
+    risk?: string | number;
+    environment?: string;
+    context?: Record<string, unknown>;
+    subjectDigest?: string;
+}
+export { defaultGatewayUrl } from "../tg/gateway.js";
+export declare function resolveApiKey(): string | undefined;
+export declare function runTgAuthorize(args: string[]): Promise<void>;