create-vellaveto 4.0.0

package/dist/constants.d.ts

@@ -0,0 +1,6 @@
+export declare const VERSION = "4.0.0";
+export declare const IMAGE_TAG = "4.0.0";
+export declare const IMAGE_REPO = "ghcr.io/paolovella/vellaveto";
+export declare const DEFAULT_PORT = 3000;
+export declare const DEFAULT_PROXY_PORT = 3001;
+export declare const BANNER = "\n __     __   _ _                 _\n \\ \\   / /__| | | __ ___   _____| |_ ___\n  \\ \\ / / _ \\ | |/ _` \\ \\ / / _ \\ __/ _ \\\n   \\ V /  __/ | | (_| |\\ V /  __/ || (_) |\n    \\_/ \\___|_|_|\\__,_| \\_/ \\___|\\__\\___/\n\n  MCP Tool Firewall \u2014 Setup Wizard v4.0.0\n";

package/dist/constants.js

@@ -0,0 +1,14 @@
+export const VERSION = "4.0.0";
+export const IMAGE_TAG = "4.0.0";
+export const IMAGE_REPO = "ghcr.io/paolovella/vellaveto";
+export const DEFAULT_PORT = 3000;
+export const DEFAULT_PROXY_PORT = 3001;
+export const BANNER = `
+ __     __   _ _                 _
+ \\ \\   / /__| | | __ ___   _____| |_ ___
+  \\ \\ / / _ \\ | |/ _\` \\ \\ / / _ \\ __/ _ \\
+   \\ V /  __/ | | (_| |\\ V /  __/ || (_) |
+    \\_/ \\___|_|_|\\__,_| \\_/ \\___|\\__\\___/
+
+  MCP Tool Firewall — Setup Wizard v${VERSION}
+`;

package/dist/generators/binary.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Binary download script generator.
+ *
+ * Produces a setup.sh that downloads the pre-built Vellaveto binary for
+ * the current platform and places it in ./bin/. Self-contained — just
+ * run `bash setup.sh` and the server starts.
+ */
+import type { WizardState, GeneratedFile } from "../types.js";
+export declare function generateBinaryFiles(state: WizardState): GeneratedFile[];

package/dist/generators/binary.js

@@ -0,0 +1,86 @@
+/**
+ * Binary download script generator.
+ *
+ * Produces a setup.sh that downloads the pre-built Vellaveto binary for
+ * the current platform and places it in ./bin/. Self-contained — just
+ * run `bash setup.sh` and the server starts.
+ */
+import { VERSION } from "../constants.js";
+export function generateBinaryFiles(state) {
+    return [
+        {
+            path: "setup.sh",
+            content: generateSetupScript(state),
+            description: "Download + start script for Vellaveto binary",
+        },
+    ];
+}
+function generateSetupScript(state) {
+    return `#!/usr/bin/env bash
+# Vellaveto ${VERSION} — setup script
+# Generated by create-vellaveto
+#
+# This script downloads the Vellaveto binary for your platform,
+# creates an .env file with your API key, and starts the server.
+#
+# Usage: bash setup.sh
+set -euo pipefail
+
+VERSION="${VERSION}"
+REPO="paolovella/vellaveto"
+INSTALL_DIR="./bin"
+SCRIPT_DIR="$(cd "$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
+
+# Detect platform
+OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
+ARCH="$(uname -m)"
+case "\${ARCH}" in
+  x86_64|amd64) ARCH="x86_64" ;;
+  aarch64|arm64) ARCH="aarch64" ;;
+  *) echo "Error: Unsupported architecture: \${ARCH}" >&2; exit 1 ;;
+esac
+
+case "\${OS}" in
+  linux)  TARGET="\${ARCH}-unknown-linux-gnu" ;;
+  darwin) TARGET="\${ARCH}-apple-darwin" ;;
+  *)      echo "Error: Unsupported OS: \${OS}" >&2; exit 1 ;;
+esac
+
+TARBALL="vellaveto-\${VERSION}-\${TARGET}.tar.gz"
+URL="https://github.com/\${REPO}/releases/download/v\${VERSION}/\${TARBALL}"
+
+echo "==> Downloading Vellaveto \${VERSION} for \${TARGET}..."
+mkdir -p "\${INSTALL_DIR}"
+if ! curl -fsSL "\${URL}" -o "/tmp/\${TARBALL}"; then
+  echo ""
+  echo "Error: Download failed. Check that version \${VERSION} has a release for \${TARGET}."
+  echo "  URL: \${URL}"
+  exit 1
+fi
+
+echo "==> Extracting to \${INSTALL_DIR}/..."
+tar -xzf "/tmp/\${TARBALL}" -C "\${INSTALL_DIR}"
+rm -f "/tmp/\${TARBALL}"
+chmod +x "\${INSTALL_DIR}/vellaveto" "\${INSTALL_DIR}/vellaveto-http-proxy" 2>/dev/null || true
+
+# Write .env if it doesn't exist
+if [ ! -f "\${SCRIPT_DIR}/.env" ]; then
+  cat > "\${SCRIPT_DIR}/.env" << 'ENVEOF'
+# Vellaveto environment variables — do not commit this file
+VELLAVETO_API_KEY=${state.apiKey}
+ENVEOF
+  echo "==> Wrote .env"
+fi
+
+echo ""
+echo "Vellaveto is ready!"
+echo ""
+echo "Start the server:"
+echo "  cd \${SCRIPT_DIR}"
+echo "  source .env"
+echo "  \${INSTALL_DIR}/vellaveto serve --config vellaveto.toml"
+echo ""
+echo "Or start the HTTP proxy:"
+echo "  \${INSTALL_DIR}/vellaveto-http-proxy serve --config vellaveto.toml"
+`;
+}

package/dist/generators/docker.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Docker Compose and .env file generator.
+ *
+ * Mirrors the production docker-compose.yml with security hardening:
+ * read_only, no-new-privileges, healthcheck, resource limits, tmpfs, logging.
+ */
+import type { WizardState, GeneratedFile } from "../types.js";
+export declare function generateDockerFiles(state: WizardState): GeneratedFile[];

package/dist/generators/docker.js

@@ -0,0 +1,122 @@
+/**
+ * Docker Compose and .env file generator.
+ *
+ * Mirrors the production docker-compose.yml with security hardening:
+ * read_only, no-new-privileges, healthcheck, resource limits, tmpfs, logging.
+ */
+import { IMAGE_REPO, IMAGE_TAG, DEFAULT_PORT, DEFAULT_PROXY_PORT } from "../constants.js";
+export function generateDockerFiles(state) {
+    return [
+        {
+            path: "docker-compose.yml",
+            content: generateDockerCompose(),
+            description: "Docker Compose with hardened Vellaveto services",
+        },
+        {
+            path: ".env",
+            content: generateDotEnv(state),
+            description: "Environment variables (contains API key — do not commit)",
+        },
+    ];
+}
+function generateDockerCompose() {
+    return `# Vellaveto — Docker Compose
+#
+# Usage:
+#   docker compose up -d          # Start Vellaveto
+#   docker compose logs -f        # Follow logs
+#   docker compose down           # Stop
+#
+# Environment variables loaded from .env file automatically.
+
+services:
+  vellaveto:
+    image: ${IMAGE_REPO}:${IMAGE_TAG}
+    ports:
+      - "${DEFAULT_PORT}:${DEFAULT_PORT}"
+    env_file:
+      - .env
+    environment:
+      - RUST_LOG=\${RUST_LOG:-info}
+    volumes:
+      - ./vellaveto.toml:/etc/vellaveto/config.toml:ro
+      - vellaveto-audit:/var/log/vellaveto
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:${DEFAULT_PORT}/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 10s
+      retries: 3
+    restart: unless-stopped
+    read_only: true
+    tmpfs:
+      - /tmp
+    security_opt:
+      - no-new-privileges:true
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: 256M
+        reservations:
+          cpus: "0.25"
+          memory: 64M
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  vellaveto-proxy:
+    image: ${IMAGE_REPO}:${IMAGE_TAG}
+    entrypoint: ["vellaveto-http-proxy"]
+    command: ["--config", "/etc/vellaveto/config.toml", "--listen", "0.0.0.0:${DEFAULT_PROXY_PORT}"]
+    ports:
+      - "${DEFAULT_PROXY_PORT}:${DEFAULT_PROXY_PORT}"
+    env_file:
+      - .env
+    environment:
+      - RUST_LOG=\${RUST_LOG:-info}
+    volumes:
+      - ./vellaveto.toml:/etc/vellaveto/config.toml:ro
+      - vellaveto-audit:/var/log/vellaveto
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:${DEFAULT_PROXY_PORT}/health"]
+      interval: 30s
+      timeout: 5s
+      start_period: 10s
+      retries: 3
+    restart: unless-stopped
+    read_only: true
+    tmpfs:
+      - /tmp
+    security_opt:
+      - no-new-privileges:true
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: 256M
+        reservations:
+          cpus: "0.25"
+          memory: 64M
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+volumes:
+  vellaveto-audit:
+`;
+}
+function generateDotEnv(state) {
+    let env = "";
+    env += "# Vellaveto environment variables\n";
+    env += "# IMPORTANT: Do not commit this file to version control\n\n";
+    env += `VELLAVETO_API_KEY=${state.apiKey}\n`;
+    if (state.corsOrigins.length > 0) {
+        env += `VELLAVETO_CORS_ORIGINS=${state.corsOrigins.join(",")}\n`;
+    }
+    return env;
+}

package/dist/generators/helm.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Kubernetes / Helm values generator.
+ *
+ * Produces a vellaveto-values.yaml for `helm install -f` and a
+ * vellaveto-configmap.yaml for applying the TOML config via kubectl.
+ */
+import type { WizardState, GeneratedFile } from "../types.js";
+export declare function generateHelmFiles(state: WizardState): GeneratedFile[];

package/dist/generators/helm.js

@@ -0,0 +1,100 @@
+/**
+ * Kubernetes / Helm values generator.
+ *
+ * Produces a vellaveto-values.yaml for `helm install -f` and a
+ * vellaveto-configmap.yaml for applying the TOML config via kubectl.
+ */
+import { IMAGE_TAG } from "../constants.js";
+import { generateToml } from "./toml.js";
+export function generateHelmFiles(state) {
+    return [
+        {
+            path: "vellaveto-values.yaml",
+            content: generateValues(state),
+            description: "Helm values override for Vellaveto chart",
+        },
+        {
+            path: "vellaveto-configmap.yaml",
+            content: generateConfigMap(state),
+            description: "Kubernetes ConfigMap with Vellaveto TOML config",
+        },
+    ];
+}
+function generateValues(state) {
+    let yaml = "";
+    yaml += "# Vellaveto Helm values — generated by setup wizard\n";
+    yaml += "# Usage: helm install vellaveto oci://ghcr.io/paolovella/vellaveto/chart -f vellaveto-values.yaml\n\n";
+    yaml += `image:\n`;
+    yaml += `  tag: "${IMAGE_TAG}"\n\n`;
+    yaml += "securityContext:\n";
+    yaml += "  runAsNonRoot: true\n";
+    yaml += "  runAsUser: 1000\n";
+    yaml += "  runAsGroup: 1000\n";
+    yaml += "  readOnlyRootFilesystem: true\n";
+    yaml += "  allowPrivilegeEscalation: false\n";
+    yaml += "  capabilities:\n";
+    yaml += "    drop:\n";
+    yaml += "      - ALL\n\n";
+    yaml += "resources:\n";
+    yaml += "  limits:\n";
+    yaml += "    cpu: 500m\n";
+    yaml += "    memory: 128Mi\n";
+    yaml += "  requests:\n";
+    yaml += "    cpu: 100m\n";
+    yaml += "    memory: 64Mi\n\n";
+    yaml += "vellaveto:\n";
+    yaml += "  logLevel: info\n";
+    yaml += "  strictMode: true\n\n";
+    yaml += "  injection:\n";
+    yaml += `    enabled: ${state.injectionEnabled}\n`;
+    yaml += `    blocking: ${state.injectionBlocking}\n\n`;
+    yaml += "  dlp:\n";
+    yaml += `    enabled: ${state.dlpEnabled}\n`;
+    yaml += `    blocking: ${state.dlpBlocking}\n\n`;
+    yaml += "  audit:\n";
+    yaml += `    redactionLevel: "${capitalize(state.redactionLevel)}"\n\n`;
+    yaml += "  # API key should be provided via Kubernetes Secret:\n";
+    yaml += "  #   kubectl create secret generic vellaveto-api-key --from-literal=api-key=<YOUR_KEY>\n";
+    yaml += "  extraEnv:\n";
+    yaml += "    - name: VELLAVETO_API_KEY\n";
+    yaml += "      valueFrom:\n";
+    yaml += "        secretKeyRef:\n";
+    yaml += "          name: vellaveto-api-key\n";
+    yaml += "          key: api-key\n\n";
+    yaml += "metrics:\n";
+    yaml += "  enabled: true\n";
+    yaml += "  serviceMonitor:\n";
+    yaml += "    enabled: false\n\n";
+    yaml += "probes:\n";
+    yaml += "  liveness:\n";
+    yaml += "    enabled: true\n";
+    yaml += "  readiness:\n";
+    yaml += "    enabled: true\n";
+    return yaml;
+}
+function generateConfigMap(state) {
+    const toml = generateToml(state);
+    // Indent each TOML line by 4 spaces for the ConfigMap data block
+    const indented = toml
+        .split("\n")
+        .map((line) => (line ? `    ${line}` : ""))
+        .join("\n");
+    let yaml = "";
+    yaml += "# Vellaveto ConfigMap — generated by setup wizard\n";
+    yaml += "# Usage: kubectl apply -f vellaveto-configmap.yaml\n";
+    yaml += "apiVersion: v1\n";
+    yaml += "kind: ConfigMap\n";
+    yaml += "metadata:\n";
+    yaml += "  name: vellaveto-config\n";
+    yaml += "  labels:\n";
+    yaml += "    app.kubernetes.io/name: vellaveto\n";
+    yaml += "    app.kubernetes.io/component: config\n";
+    yaml += "data:\n";
+    yaml += "  config.toml: |\n";
+    yaml += indented;
+    yaml += "\n";
+    return yaml;
+}
+function capitalize(s) {
+    return s.charAt(0).toUpperCase() + s.slice(1);
+}

package/dist/generators/snippets.d.ts

@@ -0,0 +1,9 @@
+/**
+ * SDK integration code snippet generator.
+ *
+ * Each snippet shows VellavetoClient construction, evaluate(), and verdict
+ * handling. Matches actual SDK APIs from sdk/{python,typescript,go,java}/.
+ */
+import type { SdkLanguage } from "../types.js";
+export declare function generateSnippet(language: SdkLanguage, apiKey: string): string;
+export declare function installCommand(language: SdkLanguage): string;

package/dist/generators/snippets.js

@@ -0,0 +1,147 @@
+/**
+ * SDK integration code snippet generator.
+ *
+ * Each snippet shows VellavetoClient construction, evaluate(), and verdict
+ * handling. Matches actual SDK APIs from sdk/{python,typescript,go,java}/.
+ */
+import { DEFAULT_PORT } from "../constants.js";
+export function generateSnippet(language, apiKey) {
+    switch (language) {
+        case "python":
+            return pythonSnippet(apiKey);
+        case "typescript":
+            return typescriptSnippet(apiKey);
+        case "go":
+            return goSnippet(apiKey);
+        case "java":
+            return javaSnippet(apiKey);
+        case "skip":
+            return "";
+    }
+}
+export function installCommand(language) {
+    switch (language) {
+        case "python":
+            return "pip install vellaveto";
+        case "typescript":
+            return "npm install vellaveto";
+        case "go":
+            return "go get github.com/paolovella/vellaveto/sdk/go";
+        case "java":
+            return "<!-- Add to pom.xml -->\n<dependency>\n  <groupId>io.vellaveto</groupId>\n  <artifactId>vellaveto-sdk</artifactId>\n  <version>4.0.0</version>\n</dependency>";
+        case "skip":
+            return "";
+    }
+}
+function pythonSnippet(apiKey) {
+    return `from vellaveto import VellavetoClient
+
+client = VellavetoClient(
+    url="http://localhost:${DEFAULT_PORT}",
+    api_key="${apiKey}",
+)
+
+result = client.evaluate(
+    tool="filesystem",
+    function="read_file",
+    parameters={"path": "/etc/passwd"},
+)
+
+if result.verdict == "Allow":
+    print("Action allowed")
+elif result.verdict == "Deny":
+    print(f"Action denied: {result.reason}")
+elif result.verdict == "RequireApproval":
+    print(f"Approval required: {result.reason}")
+`;
+}
+function typescriptSnippet(apiKey) {
+    return `import { VellavetoClient } from "vellaveto";
+
+const client = new VellavetoClient({
+  baseUrl: "http://localhost:${DEFAULT_PORT}",
+  apiKey: "${apiKey}",
+});
+
+const result = await client.evaluate({
+  tool: "filesystem",
+  function: "read_file",
+  parameters: { path: "/etc/passwd" },
+});
+
+if (result.verdict === "Allow") {
+  console.log("Action allowed");
+} else if (result.verdict === "Deny") {
+  console.log(\`Action denied: \${result.reason}\`);
+} else if (result.verdict === "RequireApproval") {
+  console.log(\`Approval required: \${result.reason}\`);
+}
+`;
+}
+function goSnippet(apiKey) {
+    return `package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/paolovella/vellaveto/sdk/go/vellaveto"
+)
+
+func main() {
+	client := vellaveto.NewClient(
+		"http://localhost:${DEFAULT_PORT}",
+		vellaveto.WithAPIKey("${apiKey}"),
+	)
+
+	result, err := client.Evaluate(context.Background(), &vellaveto.Action{
+		Tool:     "filesystem",
+		Function: "read_file",
+		Parameters: map[string]any{
+			"path": "/etc/passwd",
+		},
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	switch result.Verdict {
+	case "Allow":
+		fmt.Println("Action allowed")
+	case "Deny":
+		fmt.Printf("Action denied: %s\\n", result.Reason)
+	case "RequireApproval":
+		fmt.Printf("Approval required: %s\\n", result.Reason)
+	}
+}
+`;
+}
+function javaSnippet(apiKey) {
+    return `import io.vellaveto.VellavetoClient;
+import io.vellaveto.model.Action;
+import io.vellaveto.model.EvaluationResult;
+
+import java.util.Map;
+
+public class Example {
+    public static void main(String[] args) {
+        VellavetoClient client = VellavetoClient.builder("http://localhost:${DEFAULT_PORT}")
+            .apiKey("${apiKey}")
+            .build();
+
+        EvaluationResult result = client.evaluate(Action.builder()
+            .tool("filesystem")
+            .function("read_file")
+            .parameters(Map.of("path", "/etc/passwd"))
+            .build());
+
+        switch (result.getVerdict()) {
+            case "Allow" -> System.out.println("Action allowed");
+            case "Deny" -> System.out.println("Action denied: " + result.getReason());
+            case "RequireApproval" -> System.out.println("Approval required: " + result.getReason());
+        }
+    }
+}
+`;
+}

package/dist/generators/toml.d.ts

@@ -0,0 +1,9 @@
+/**
+ * TOML configuration generator.
+ *
+ * Output must match vellaveto-server/src/setup_wizard.rs generate_config_toml()
+ * (lines ~1596-1844) so configs are interchangeable between the web wizard and
+ * this CLI wizard.
+ */
+import type { WizardState } from "../types.js";
+export declare function generateToml(state: WizardState): string;