@zincapp/znvault-cli 2.16.5 → 2.18.0

package/dist/commands/apikey/managed/list.js

@@ -0,0 +1,58 @@
+// Path: src/commands/apikey/managed/list.ts
+import ora from 'ora';
+import Table from 'cli-table3';
+import { client } from '../../../lib/client.js';
+import * as output from '../../../lib/output.js';
+import { formatRotationMode, formatTimeUntil } from './helpers.js';
+export function registerManagedListCommand(managedCmd) {
+    managedCmd
+        .command('list')
+        .alias('ls')
+        .description('List all managed API keys')
+        .option('-t, --tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--json', 'Output as JSON')
+        .action(async (options) => {
+        const spinner = ora('Fetching managed API keys...').start();
+        try {
+            const result = await client.listManagedApiKeys(options.tenant);
+            spinner.stop();
+            if (options.json) {
+                output.json(result);
+                return;
+            }
+            if (result.items.length === 0) {
+                output.warn('No managed API keys found');
+                return;
+            }
+            const table = new Table({
+                head: ['Name', 'Mode', 'Interval', 'Grace', 'Next Rotation', 'Status', 'Tenant', 'Rotations'],
+                style: { head: ['cyan'] },
+            });
+            for (const key of result.items) {
+                const statusIcon = key.enabled ? '\x1b[32m●\x1b[0m' : '\x1b[31m○\x1b[0m';
+                const nextRotation = key.next_rotation_at ? formatTimeUntil(key.next_rotation_at) : '-';
+                table.push([
+                    key.name,
+                    formatRotationMode(key.rotation_mode),
+                    key.rotation_interval ?? '-',
+                    key.grace_period,
+                    nextRotation,
+                    `${statusIcon} ${key.enabled ? 'Active' : 'Disabled'}`,
+                    key.tenant_id,
+                    key.rotation_count > 0 ? `${key.rotation_count}x` : '-',
+                ]);
+            }
+            console.log(table.toString());
+            const showingInfo = result.pagination.hasMore
+                ? `Showing ${result.items.length} of ${result.pagination.total}`
+                : `Total: ${result.pagination.total}`;
+            console.log(`\n${showingInfo} managed API key(s)`);
+        }
+        catch (err) {
+            spinner.fail('Failed to list managed API keys');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=list.js.map

package/dist/commands/apikey/managed/list.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list.js","sourceRoot":"","sources":["../../../../src/commands/apikey/managed/list.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAO5C,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,MAAM,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEnE,MAAM,UAAU,0BAA0B,CAAC,UAAmB;IAC5D,UAAU;SACP,OAAO,CAAC,MAAM,CAAC;SACf,KAAK,CAAC,IAAI,CAAC;SACX,WAAW,CAAC,2BAA2B,CAAC;SACxC,MAAM,CAAC,mBAAmB,EAAE,6BAA6B,CAAC;SAC1D,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,OAA2B,EAAE,EAAE;QAC5C,MAAM,OAAO,GAAG,GAAG,CAAC,8BAA8B,CAAC,CAAC,KAAK,EAAE,CAAC;QAE5D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACpB,OAAO;YACT,CAAC;YAED,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;gBACzC,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC;gBACtB,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,CAAC;gBAC7F,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE;aAC1B,CAAC,CAAC;YAEH,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,kBAAkB,CAAC;gBACzE,MAAM,YAAY,GAAG,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBAExF,KAAK,CAAC,IAAI,CAAC;oBACT,GAAG,CAAC,IAAI;oBACR,kBAAkB,CAAC,GAAG,CAAC,aAAa,CAAC;oBACrC,GAAG,CAAC,iBAAiB,IAAI,GAAG;oBAC5B,GAAG,CAAC,YAAY;oBAChB,YAAY;oBACZ,GAAG,UAAU,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,EAAE;oBACtD,GAAG,CAAC,SAAS;oBACb,GAAG,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,GAAG;iBACxD,CAAC,CAAC;YACL,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9B,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,OAAO;gBAC3C,CAAC,CAAC,WAAW,MAAM,CAAC,KAAK,CAAC,MAAM,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE;gBAChE,CAAC,CAAC,UAAU,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,KAAK,WAAW,qBAAqB,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;YAChD,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/apikey/managed/permissions.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Managed API key permissions update command
+ */
+import type { Command } from 'commander';
+export declare function registerManagedPermissionsCommand(managedCmd: Command): void;
+//# sourceMappingURL=permissions.d.ts.map

package/dist/commands/apikey/managed/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../../../src/commands/apikey/managed/permissions.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMzC,wBAAgB,iCAAiC,CAAC,UAAU,EAAE,OAAO,GAAG,IAAI,CA4E3E"}

package/dist/commands/apikey/managed/permissions.js

@@ -0,0 +1,73 @@
+// Path: src/commands/apikey/managed/permissions.ts
+import ora from 'ora';
+import { client } from '../../../lib/client.js';
+import * as output from '../../../lib/output.js';
+export function registerManagedPermissionsCommand(managedCmd) {
+    managedCmd
+        .command('permissions <name>')
+        .description('Update managed API key permissions')
+        .option('-s, --set <perms>', 'Set permissions (comma-separated, replaces all)')
+        .option('-a, --add <perms>', 'Add permissions (comma-separated)')
+        .option('-r, --remove <perms>', 'Remove permissions (comma-separated)')
+        .option('-t, --tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--json', 'Output as JSON')
+        .action(async (name, options) => {
+        if (!options.set && !options.add && !options.remove) {
+            output.error('At least one of --set, --add, or --remove is required');
+            output.info('Examples:');
+            output.info('  znvault apikey managed permissions my-key --set "secret:read,secret:list"');
+            output.info('  znvault apikey managed permissions my-key --add "kms:encrypt"');
+            output.info('  znvault apikey managed permissions my-key --remove "secret:delete"');
+            process.exit(1);
+        }
+        const spinner = ora('Updating managed API key permissions...').start();
+        try {
+            // First, get the managed key to find its ID and current permissions
+            const managedKey = await client.getManagedApiKey(name, options.tenant);
+            let newPermissions;
+            if (options.set) {
+                // Replace all permissions
+                newPermissions = options.set.split(',').map((p) => p.trim());
+            }
+            else {
+                // Start with current permissions
+                newPermissions = [...managedKey.permissions];
+                if (options.add) {
+                    const toAdd = options.add.split(',').map((p) => p.trim());
+                    for (const perm of toAdd) {
+                        if (!newPermissions.includes(perm)) {
+                            newPermissions.push(perm);
+                        }
+                    }
+                }
+                if (options.remove) {
+                    const toRemove = options.remove.split(',').map((p) => p.trim());
+                    newPermissions = newPermissions.filter((p) => !toRemove.includes(p));
+                }
+            }
+            if (newPermissions.length === 0) {
+                spinner.fail('Cannot remove all permissions');
+                output.error('API key must have at least one permission');
+                process.exit(1);
+            }
+            // Update using the key ID
+            const updatedKey = await client.updateApiKeyPermissions(managedKey.id, newPermissions, options.tenant);
+            spinner.succeed('Permissions updated');
+            if (options.json) {
+                output.json(updatedKey);
+                return;
+            }
+            console.log(`\nManaged key: ${name}`);
+            console.log('Updated permissions:');
+            for (const perm of updatedKey.permissions) {
+                console.log(`  - ${perm}`);
+            }
+        }
+        catch (err) {
+            spinner.fail('Failed to update permissions');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=permissions.js.map

package/dist/commands/apikey/managed/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../../../src/commands/apikey/managed/permissions.ts"],"names":[],"mappings":"AAAA,mDAAmD;AAOnD,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,MAAM,MAAM,wBAAwB,CAAC;AAGjD,MAAM,UAAU,iCAAiC,CAAC,UAAmB;IACnE,UAAU;SACP,OAAO,CAAC,oBAAoB,CAAC;SAC7B,WAAW,CAAC,oCAAoC,CAAC;SACjD,MAAM,CAAC,mBAAmB,EAAE,iDAAiD,CAAC;SAC9E,MAAM,CAAC,mBAAmB,EAAE,mCAAmC,CAAC;SAChE,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,CAAC;SACtE,MAAM,CAAC,mBAAmB,EAAE,6BAA6B,CAAC;SAC1D,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,OAAkC,EAAE,EAAE;QACjE,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;YACtE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,6EAA6E,CAAC,CAAC;YAC3F,MAAM,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;YAC/E,MAAM,CAAC,IAAI,CAAC,sEAAsE,CAAC,CAAC;YACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CAAC,yCAAyC,CAAC,CAAC,KAAK,EAAE,CAAC;QAEvE,IAAI,CAAC;YACH,oEAAoE;YACpE,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAEvE,IAAI,cAAwB,CAAC;YAE7B,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBAChB,0BAA0B;gBAC1B,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC/D,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,cAAc,GAAG,CAAC,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;gBAE7C,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;oBAChB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;oBAC1D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;wBACzB,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;4BACnC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAC5B,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;oBAChE,cAAc,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC;YAED,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;gBAC9C,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;gBAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,0BAA0B;YAC1B,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,UAAU,CAAC,EAAE,EAAE,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAEvG,OAAO,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;YAEvC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBACxB,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACpC,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;gBAC1C,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;YAC7C,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/apikey/managed/rotate.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Managed API key rotate command
+ */
+import type { Command } from 'commander';
+export declare function registerManagedRotateCommand(managedCmd: Command): void;
+//# sourceMappingURL=rotate.d.ts.map

package/dist/commands/apikey/managed/rotate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotate.d.ts","sourceRoot":"","sources":["../../../../src/commands/apikey/managed/rotate.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAOzC,wBAAgB,4BAA4B,CAAC,UAAU,EAAE,OAAO,GAAG,IAAI,CAuBtE"}

package/dist/commands/apikey/managed/rotate.js

@@ -0,0 +1,29 @@
+// Path: src/commands/apikey/managed/rotate.ts
+import ora from 'ora';
+import { client } from '../../../lib/client.js';
+import * as output from '../../../lib/output.js';
+import { formatDate } from '../helpers.js';
+export function registerManagedRotateCommand(managedCmd) {
+    managedCmd
+        .command('rotate <name>')
+        .description('Force immediate rotation of a managed key')
+        .option('-t, --tenant <id>', 'Tenant ID (superadmin only)')
+        .action(async (name, options) => {
+        const spinner = ora('Rotating managed API key...').start();
+        try {
+            const result = await client.rotateManagedApiKey(name, options.tenant);
+            spinner.succeed('Managed API key rotated');
+            console.log(`\n${result.message}`);
+            if (result.nextRotationAt) {
+                console.log(`Next scheduled rotation: ${formatDate(result.nextRotationAt)}`);
+            }
+            console.log('\nUse "znvault apikey managed bind <name>" to get the new key value.');
+        }
+        catch (err) {
+            spinner.fail('Failed to rotate managed API key');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=rotate.js.map

package/dist/commands/apikey/managed/rotate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotate.js","sourceRoot":"","sources":["../../../../src/commands/apikey/managed/rotate.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAO9C,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,MAAM,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAE3C,MAAM,UAAU,4BAA4B,CAAC,UAAmB;IAC9D,UAAU;SACP,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CAAC,2CAA2C,CAAC;SACxD,MAAM,CAAC,mBAAmB,EAAE,6BAA6B,CAAC;SAC1D,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,OAA6B,EAAE,EAAE;QAC5D,MAAM,OAAO,GAAG,GAAG,CAAC,6BAA6B,CAAC,CAAC,KAAK,EAAE,CAAC;QAE3D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YACtE,OAAO,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;YAE3C,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;YACnC,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,4BAA4B,UAAU,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;YAC/E,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QACtF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YACjD,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/apikey/managed/types.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Type definitions for managed API key commands
+ */
+export interface ManagedListOptions {
+    tenant?: string;
+    json?: boolean;
+}
+export interface ManagedCreateOptions {
+    expires: string;
+    permissions?: string;
+    description?: string;
+    rotationMode: string;
+    rotationInterval?: string;
+    gracePeriod: string;
+    notifyBefore?: string;
+    webhookUrl?: string;
+    ip?: string;
+    tenant?: string;
+    json?: boolean;
+}
+export interface ManagedGetOptions {
+    tenant?: string;
+    json?: boolean;
+}
+export interface ManagedBindOptions {
+    tenant?: string;
+    json?: boolean;
+}
+export interface ManagedRotateOptions {
+    tenant?: string;
+}
+export interface ManagedConfigOptions {
+    rotationInterval?: string;
+    gracePeriod?: string;
+    notifyBefore?: string;
+    webhookUrl?: string;
+    tenant?: string;
+    json?: boolean;
+}
+export interface ManagedDeleteOptions {
+    tenant?: string;
+    force?: boolean;
+}
+export interface ManagedPermissionsOptions {
+    set?: string;
+    add?: string;
+    remove?: string;
+    tenant?: string;
+    json?: boolean;
+}
+export interface ManagedConditionsOptions {
+    ip?: string;
+    timeRange?: string;
+    methods?: string;
+    resources?: string;
+    aliases?: string;
+    tags?: string;
+    clearAll?: boolean;
+    tenant?: string;
+    json?: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/commands/apikey/managed/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/commands/apikey/managed/types.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,yBAAyB;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,wBAAwB;IACvC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB"}

package/dist/commands/apikey/managed/types.js

@@ -0,0 +1,3 @@
+// Path: src/commands/apikey/managed/types.ts
+export {};
+//# sourceMappingURL=types.js.map

package/dist/commands/apikey/managed/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/commands/apikey/managed/types.ts"],"names":[],"mappings":"AAAA,6CAA6C"}

package/dist/commands/apikey/permissions.d.ts

@@ -0,0 +1,6 @@
+/**
+ * API key permissions update command
+ */
+import type { Command } from 'commander';
+export declare function registerPermissionsCommand(apiKeyCmd: Command): void;
+//# sourceMappingURL=permissions.d.ts.map

package/dist/commands/apikey/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../../src/commands/apikey/permissions.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMzC,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI,CAuEnE"}

package/dist/commands/apikey/permissions.js

@@ -0,0 +1,70 @@
+// Path: src/commands/apikey/permissions.ts
+import ora from 'ora';
+import { client } from '../../lib/client.js';
+import * as output from '../../lib/output.js';
+export function registerPermissionsCommand(apiKeyCmd) {
+    apiKeyCmd
+        .command('update-permissions <id>')
+        .description('Update API key permissions')
+        .option('-s, --set <perms>', 'Set permissions (comma-separated, replaces all)')
+        .option('-a, --add <perms>', 'Add permissions (comma-separated)')
+        .option('-r, --remove <perms>', 'Remove permissions (comma-separated)')
+        .option('-t, --tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--json', 'Output as JSON')
+        .action(async (id, options) => {
+        if (!options.set && !options.add && !options.remove) {
+            output.error('At least one of --set, --add, or --remove is required');
+            output.info('Examples:');
+            output.info('  znvault apikey update-permissions <id> --set "secret:read,secret:list"');
+            output.info('  znvault apikey update-permissions <id> --add "kms:encrypt"');
+            output.info('  znvault apikey update-permissions <id> --remove "secret:delete"');
+            process.exit(1);
+        }
+        const spinner = ora('Updating permissions...').start();
+        try {
+            let newPermissions;
+            if (options.set) {
+                // Replace all permissions
+                newPermissions = options.set.split(',').map((p) => p.trim());
+            }
+            else {
+                // Need to get current permissions first
+                const currentKey = await client.getApiKey(id, options.tenant);
+                newPermissions = [...currentKey.permissions];
+                if (options.add) {
+                    const toAdd = options.add.split(',').map((p) => p.trim());
+                    for (const perm of toAdd) {
+                        if (!newPermissions.includes(perm)) {
+                            newPermissions.push(perm);
+                        }
+                    }
+                }
+                if (options.remove) {
+                    const toRemove = options.remove.split(',').map((p) => p.trim());
+                    newPermissions = newPermissions.filter((p) => !toRemove.includes(p));
+                }
+            }
+            if (newPermissions.length === 0) {
+                spinner.fail('Cannot remove all permissions');
+                output.error('API key must have at least one permission');
+                process.exit(1);
+            }
+            const key = await client.updateApiKeyPermissions(id, newPermissions, options.tenant);
+            spinner.succeed('Permissions updated');
+            if (options.json) {
+                output.json(key);
+                return;
+            }
+            console.log('\nUpdated permissions:');
+            for (const perm of key.permissions) {
+                console.log(`  - ${perm}`);
+            }
+        }
+        catch (err) {
+            spinner.fail('Failed to update permissions');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=permissions.js.map

package/dist/commands/apikey/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../../src/commands/apikey/permissions.ts"],"names":[],"mappings":"AAAA,2CAA2C;AAO3C,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAG9C,MAAM,UAAU,0BAA0B,CAAC,SAAkB;IAC3D,SAAS;SACN,OAAO,CAAC,yBAAyB,CAAC;SAClC,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,mBAAmB,EAAE,iDAAiD,CAAC;SAC9E,MAAM,CAAC,mBAAmB,EAAE,mCAAmC,CAAC;SAChE,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,CAAC;SACtE,MAAM,CAAC,mBAAmB,EAAE,6BAA6B,CAAC;SAC1D,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,EAAU,EAAE,OAAiC,EAAE,EAAE;QAC9D,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;YACtE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;YACxF,MAAM,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;YAC5E,MAAM,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;YACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CAAC,yBAAyB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEvD,IAAI,CAAC;YACH,IAAI,cAAwB,CAAC;YAE7B,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBAChB,0BAA0B;gBAC1B,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC/D,CAAC;iBAAM,CAAC;gBACN,wCAAwC;gBACxC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC9D,cAAc,GAAG,CAAC,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;gBAE7C,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;oBAChB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;oBAC1D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;wBACzB,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;4BACnC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAC5B,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;oBAChE,cAAc,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC;YAED,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;gBAC9C,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;gBAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,EAAE,EAAE,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YACrF,OAAO,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;YAEvC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACjB,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;YACtC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;gBACnC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;YAC7C,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/apikey/policies.d.ts

@@ -0,0 +1,6 @@
+/**
+ * API key policy attachment commands
+ */
+import type { Command } from 'commander';
+export declare function registerPolicyCommands(apiKeyCmd: Command): void;
+//# sourceMappingURL=policies.d.ts.map

package/dist/commands/apikey/policies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies.d.ts","sourceRoot":"","sources":["../../../src/commands/apikey/policies.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI,CAiF/D"}

package/dist/commands/apikey/policies.js

@@ -0,0 +1,82 @@
+// Path: src/commands/apikey/policies.ts
+import ora from 'ora';
+import Table from 'cli-table3';
+import { client } from '../../lib/client.js';
+import * as output from '../../lib/output.js';
+import { formatDate } from './helpers.js';
+export function registerPolicyCommands(apiKeyCmd) {
+    // List policies attached to an API key
+    apiKeyCmd
+        .command('list-policies <id>')
+        .description('List ABAC policies attached to an API key')
+        .option('-t, --tenant <id>', 'Tenant ID')
+        .option('--json', 'Output as JSON')
+        .action(async (id, options) => {
+        const spinner = ora('Fetching policies...').start();
+        try {
+            const result = await client.getApiKeyPolicies(id, options.tenant);
+            spinner.stop();
+            if (options.json) {
+                output.json(result);
+                return;
+            }
+            if (result.policies.length === 0) {
+                output.info('No ABAC policies attached to this API key');
+                return;
+            }
+            const table = new Table({
+                head: ['Policy ID', 'Policy Name', 'Attached At'],
+                style: { head: ['cyan'] },
+            });
+            for (const policy of result.policies) {
+                table.push([
+                    policy.policyId,
+                    policy.policyName,
+                    formatDate(policy.attachedAt),
+                ]);
+            }
+            console.log(table.toString());
+            console.log(`\nTotal: ${result.policies.length} policy/policies`);
+        }
+        catch (err) {
+            spinner.fail('Failed to fetch policies');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+    // Attach policy to API key
+    apiKeyCmd
+        .command('attach-policy <keyId> <policyId>')
+        .description('Attach an ABAC policy to an API key')
+        .option('-t, --tenant <id>', 'Tenant ID')
+        .action(async (keyId, policyId, options) => {
+        const spinner = ora('Attaching policy...').start();
+        try {
+            await client.attachApiKeyPolicy(keyId, policyId, options.tenant);
+            spinner.succeed(`Policy ${policyId} attached to API key ${keyId}`);
+        }
+        catch (err) {
+            spinner.fail('Failed to attach policy');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+    // Detach policy from API key
+    apiKeyCmd
+        .command('detach-policy <keyId> <policyId>')
+        .description('Detach an ABAC policy from an API key')
+        .option('-t, --tenant <id>', 'Tenant ID')
+        .action(async (keyId, policyId, options) => {
+        const spinner = ora('Detaching policy...').start();
+        try {
+            await client.detachApiKeyPolicy(keyId, policyId, options.tenant);
+            spinner.succeed(`Policy ${policyId} detached from API key ${keyId}`);
+        }
+        catch (err) {
+            spinner.fail('Failed to detach policy');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=policies.js.map

package/dist/commands/apikey/policies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies.js","sourceRoot":"","sources":["../../../src/commands/apikey/policies.ts"],"names":[],"mappings":"AAAA,wCAAwC;AAOxC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,MAAM,UAAU,sBAAsB,CAAC,SAAkB;IACvD,uCAAuC;IACvC,SAAS;SACN,OAAO,CAAC,oBAAoB,CAAC;SAC7B,WAAW,CAAC,2CAA2C,CAAC;SACxD,MAAM,CAAC,mBAAmB,EAAE,WAAW,CAAC;SACxC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,EAAU,EAAE,OAA4B,EAAE,EAAE;QACzD,MAAM,OAAO,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEpD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAClE,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACpB,OAAO;YACT,CAAC;YAED,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;gBACzD,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC;gBACtB,IAAI,EAAE,CAAC,WAAW,EAAE,aAAa,EAAE,aAAa,CAAC;gBACjD,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE;aAC1B,CAAC,CAAC;YAEH,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACrC,KAAK,CAAC,IAAI,CAAC;oBACT,MAAM,CAAC,QAAQ;oBACf,MAAM,CAAC,UAAU;oBACjB,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC;iBAC9B,CAAC,CAAC;YACL,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,QAAQ,CAAC,MAAM,kBAAkB,CAAC,CAAC;QACpE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACzC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,2BAA2B;IAC3B,SAAS;SACN,OAAO,CAAC,kCAAkC,CAAC;SAC3C,WAAW,CAAC,qCAAqC,CAAC;SAClD,MAAM,CAAC,mBAAmB,EAAE,WAAW,CAAC;SACxC,MAAM,CAAC,KAAK,EAAE,KAAa,EAAE,QAAgB,EAAE,OAAkC,EAAE,EAAE;QACpF,MAAM,OAAO,GAAG,GAAG,CAAC,qBAAqB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,kBAAkB,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YACjE,OAAO,CAAC,OAAO,CAAC,UAAU,QAAQ,wBAAwB,KAAK,EAAE,CAAC,CAAC;QACrE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,6BAA6B;IAC7B,SAAS;SACN,OAAO,CAAC,kCAAkC,CAAC;SAC3C,WAAW,CAAC,uCAAuC,CAAC;SACpD,MAAM,CAAC,mBAAmB,EAAE,WAAW,CAAC;SACxC,MAAM,CAAC,KAAK,EAAE,KAAa,EAAE,QAAgB,EAAE,OAAkC,EAAE,EAAE;QACpF,MAAM,OAAO,GAAG,GAAG,CAAC,qBAAqB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,kBAAkB,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YACjE,OAAO,CAAC,OAAO,CAAC,UAAU,QAAQ,0BAA0B,KAAK,EAAE,CAAC,CAAC;QACvE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/apikey/rotate.d.ts

@@ -0,0 +1,6 @@
+/**
+ * API key rotate command
+ */
+import type { Command } from 'commander';
+export declare function registerRotateCommand(apiKeyCmd: Command): void;
+//# sourceMappingURL=rotate.d.ts.map

package/dist/commands/apikey/rotate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotate.d.ts","sourceRoot":"","sources":["../../../src/commands/apikey/rotate.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAOzC,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI,CAsC9D"}

package/dist/commands/apikey/rotate.js

@@ -0,0 +1,42 @@
+// Path: src/commands/apikey/rotate.ts
+import ora from 'ora';
+import { client } from '../../lib/client.js';
+import * as output from '../../lib/output.js';
+import { formatDate } from './helpers.js';
+export function registerRotateCommand(apiKeyCmd) {
+    apiKeyCmd
+        .command('rotate <id>')
+        .description('Rotate an API key (creates new key, invalidates old)')
+        .option('-n, --name <name>', 'New name for the rotated key')
+        .option('-t, --tenant <id>', 'Tenant ID')
+        .option('--json', 'Output as JSON')
+        .action(async (id, options) => {
+        const spinner = ora('Rotating API key...').start();
+        try {
+            const result = await client.rotateApiKey(id, options.name, options.tenant);
+            spinner.succeed('API key rotated');
+            if (options.json) {
+                output.json(result);
+                return;
+            }
+            console.log('\n⚠️  IMPORTANT: Save this new key now - it will not be shown again!');
+            console.log('The old key has been invalidated.\n');
+            console.log('────────────────────────────────────────────────────────────────');
+            console.log(`New API Key: ${result.key}`);
+            console.log('────────────────────────────────────────────────────────────────\n');
+            output.keyValue({
+                'New Key ID': result.apiKey.id,
+                'Name': result.apiKey.name,
+                'Prefix': result.apiKey.prefix,
+                'Expires': formatDate(result.apiKey.expires_at),
+                'Rotation Count': result.apiKey.rotation_count,
+            });
+        }
+        catch (err) {
+            spinner.fail('Failed to rotate API key');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=rotate.js.map

package/dist/commands/apikey/rotate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotate.js","sourceRoot":"","sources":["../../../src/commands/apikey/rotate.ts"],"names":[],"mappings":"AAAA,sCAAsC;AAOtC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,MAAM,UAAU,qBAAqB,CAAC,SAAkB;IACtD,SAAS;SACN,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,mBAAmB,EAAE,8BAA8B,CAAC;SAC3D,MAAM,CAAC,mBAAmB,EAAE,WAAW,CAAC;SACxC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,EAAU,EAAE,OAAsB,EAAE,EAAE;QACnD,MAAM,OAAO,GAAG,GAAG,CAAC,qBAAqB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAEnC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACpB,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;YACpF,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;YAChF,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;YAElF,MAAM,CAAC,QAAQ,CAAC;gBACd,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE;gBAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;gBAC1B,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;gBAC9B,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC;gBAC/C,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,cAAc;aAC/C,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACzC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/apikey/self.d.ts

@@ -0,0 +1,6 @@
+/**
+ * API key self commands (for API key authenticated requests)
+ */
+import type { Command } from 'commander';
+export declare function registerSelfCommands(apiKeyCmd: Command): void;
+//# sourceMappingURL=self.d.ts.map

package/dist/commands/apikey/self.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"self.d.ts","sourceRoot":"","sources":["../../../src/commands/apikey/self.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAOzC,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI,CAmG7D"}