create-vellaveto 4.0.0

package/dist/generators/toml.js

@@ -0,0 +1,232 @@
+/**
+ * TOML configuration generator.
+ *
+ * Output must match vellaveto-server/src/setup_wizard.rs generate_config_toml()
+ * (lines ~1596-1844) so configs are interchangeable between the web wizard and
+ * this CLI wizard.
+ */
+import { escapeTomlString } from "../utils.js";
+export function generateToml(state) {
+    let toml = "";
+    // Header
+    toml += "# Vellaveto Configuration\n";
+    toml += "# Generated by the setup wizard\n\n";
+    // API key note
+    if (state.apiKey) {
+        toml +=
+            "# API key configured via wizard — set VELLAVETO_API_KEY environment variable\n\n";
+    }
+    // CORS origins
+    if (state.corsOrigins.length > 0) {
+        toml +=
+            "# Allowed CORS origins (also settable via VELLAVETO_CORS_ORIGINS env var)\n";
+        toml += "allowed_origins = [";
+        for (let i = 0; i < state.corsOrigins.length; i++) {
+            if (i > 0)
+                toml += ", ";
+            toml += `"${escapeTomlString(state.corsOrigins[i])}"`;
+        }
+        toml += "]\n\n";
+    }
+    // Policies
+    toml += "# ─── Policies ───────────────────────────────────────────────\n\n";
+    toml += generatePolicyPreset(state.policyPreset);
+    // Detection
+    toml += "# ─── Detection ──────────────────────────────────────────────\n\n";
+    toml += "[injection]\n";
+    toml += `enabled = ${state.injectionEnabled}\n`;
+    if (state.injectionEnabled) {
+        toml += `blocking = ${state.injectionBlocking}\n`;
+    }
+    toml += "\n";
+    toml += "[dlp]\n";
+    toml += `enabled = ${state.dlpEnabled}\n`;
+    if (state.dlpEnabled) {
+        toml += `blocking = ${state.dlpBlocking}\n`;
+    }
+    toml += "\n";
+    if (state.behavioralEnabled) {
+        toml += "[behavioral]\n";
+        toml += "enabled = true\n\n";
+    }
+    // Audit
+    toml += "# ─── Audit ──────────────────────────────────────────────────\n\n";
+    toml += "[audit]\n";
+    toml += `redaction_level = "${escapeTomlString(state.redactionLevel)}"\n`;
+    if (state.checkpointInterval > 0) {
+        toml += `checkpoint_interval = ${state.checkpointInterval}\n`;
+    }
+    toml += "\n";
+    // Audit export
+    if (state.auditExportFormat !== "none") {
+        toml += "[audit_export]\n";
+        toml += `format = "${escapeTomlString(state.auditExportFormat)}"\n`;
+        if (state.auditExportTarget) {
+            toml += `target = "${escapeTomlString(state.auditExportTarget)}"\n`;
+        }
+        toml += "\n";
+    }
+    // Compliance
+    const hasCompliance = state.complianceFrameworks.length > 0;
+    if (hasCompliance) {
+        toml +=
+            "# ─── Compliance ─────────────────────────────────────────────\n\n";
+        toml += "[compliance]\n";
+        if (state.complianceFrameworks.includes("eu_ai_act")) {
+            toml += "\n[compliance.eu_ai_act]\n";
+            toml += "enabled = true\n";
+            toml += "transparency_marking = true\n";
+        }
+        if (state.complianceFrameworks.includes("soc2")) {
+            toml += "\n[compliance.soc2]\n";
+            toml += "enabled = true\n";
+        }
+        if (state.complianceFrameworks.includes("iso42001")) {
+            toml += "\n[compliance.iso42001]\n";
+            toml += "enabled = true\n";
+        }
+        if (state.complianceFrameworks.includes("nis2")) {
+            toml +=
+                "\n# NIS2 compliance enabled — incident reporting and supply chain checks active\n";
+        }
+        if (state.complianceFrameworks.includes("dora")) {
+            toml +=
+                "\n# DORA compliance enabled — ICT risk management and incident tracking active\n";
+        }
+        toml += "\n";
+    }
+    return toml;
+}
+function generatePolicyPreset(preset) {
+    switch (preset) {
+        case "strict":
+            return generateStrictPreset();
+        case "balanced":
+            return generateBalancedPreset();
+        case "permissive":
+            return generatePermissivePreset();
+    }
+}
+function generateStrictPreset() {
+    let toml = "";
+    toml +=
+        "# Policy preset: Strict (deny-by-default, maximum security)\n\n";
+    // Default deny
+    toml += "[[policies]]\n";
+    toml += 'id = "default-deny"\n';
+    toml += 'name = "Default deny all"\n';
+    toml += 'policy_type = "Deny"\n';
+    toml += "priority = 0\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    // Block credentials
+    toml += "[[policies]]\n";
+    toml += 'id = "block-credentials"\n';
+    toml += 'name = "Block credential access"\n';
+    toml += 'policy_type = "Deny"\n';
+    toml += "priority = 100\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    toml += "[policies.path_rules]\n";
+    toml +=
+        'blocked_patterns = ["**/.env", "**/*.key", "**/*.pem", "**/credentials*", "**/.ssh/**", "**/.aws/**"]\n\n';
+    // Block exfiltration
+    toml += "[[policies]]\n";
+    toml += 'id = "block-exfiltration"\n';
+    toml += 'name = "Block data exfiltration"\n';
+    toml += 'policy_type = "Deny"\n';
+    toml += "priority = 100\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    toml += "[policies.network_rules]\n";
+    toml +=
+        'blocked_domains = ["*.pastebin.com", "*.transfer.sh", "*.ngrok.io"]\n\n';
+    // Require approval for destructive
+    toml += "[[policies]]\n";
+    toml += 'id = "approve-destructive"\n';
+    toml += 'name = "Require approval for destructive operations"\n';
+    toml += 'policy_type = "RequireApproval"\n';
+    toml += "priority = 50\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    toml += "[policies.path_rules]\n";
+    toml += 'write_patterns = ["**/*"]\n\n';
+    return toml;
+}
+function generateBalancedPreset() {
+    let toml = "";
+    toml +=
+        "# Policy preset: Balanced (deny-by-default, read allowed, writes require approval)\n\n";
+    // Default deny
+    toml += "[[policies]]\n";
+    toml += 'id = "default-deny"\n';
+    toml += 'name = "Default deny all"\n';
+    toml += 'policy_type = "Deny"\n';
+    toml += "priority = 0\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    // Block credentials
+    toml += "[[policies]]\n";
+    toml += 'id = "block-credentials"\n';
+    toml += 'name = "Block credential access"\n';
+    toml += 'policy_type = "Deny"\n';
+    toml += "priority = 100\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    toml += "[policies.path_rules]\n";
+    toml +=
+        'blocked_patterns = ["**/.env", "**/*.key", "**/*.pem", "**/credentials*", "**/.ssh/**", "**/.aws/**"]\n\n';
+    // Allow reads
+    toml += "[[policies]]\n";
+    toml += 'id = "allow-reads"\n';
+    toml += 'name = "Allow file reads"\n';
+    toml += 'policy_type = "Allow"\n';
+    toml += "priority = 50\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "read*"\n\n';
+    // Require approval for writes
+    toml += "[[policies]]\n";
+    toml += 'id = "approve-writes"\n';
+    toml += 'name = "Require approval for file writes"\n';
+    toml += 'policy_type = "RequireApproval"\n';
+    toml += "priority = 50\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "write*"\n\n';
+    return toml;
+}
+function generatePermissivePreset() {
+    let toml = "";
+    toml +=
+        "# Policy preset: Permissive (allow-by-default, block credentials and exfiltration)\n\n";
+    // Default allow
+    toml += "[[policies]]\n";
+    toml += 'id = "default-allow"\n';
+    toml += 'name = "Default allow all"\n';
+    toml += 'policy_type = "Allow"\n';
+    toml += "priority = 0\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    // Block credentials
+    toml += "[[policies]]\n";
+    toml += 'id = "block-credentials"\n';
+    toml += 'name = "Block credential access"\n';
+    toml += 'policy_type = "Deny"\n';
+    toml += "priority = 100\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    toml += "[policies.path_rules]\n";
+    toml +=
+        'blocked_patterns = ["**/.env", "**/*.key", "**/*.pem", "**/credentials*", "**/.ssh/**", "**/.aws/**"]\n\n';
+    // Block exfiltration
+    toml += "[[policies]]\n";
+    toml += 'id = "block-exfiltration"\n';
+    toml += 'name = "Block data exfiltration"\n';
+    toml += 'policy_type = "Deny"\n';
+    toml += "priority = 100\n";
+    toml += 'tool = "*"\n';
+    toml += 'function = "*"\n\n';
+    toml += "[policies.network_rules]\n";
+    toml +=
+        'blocked_domains = ["*.pastebin.com", "*.transfer.sh", "*.ngrok.io"]\n\n';
+    return toml;
+}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+/**
+ * create-vellaveto — CLI setup wizard for Vellaveto MCP Tool Firewall
+ *
+ * Usage:
+ *   npx create-vellaveto                  Interactive wizard (creates ./vellaveto/)
+ *   npx create-vellaveto my-project       Write files to ./my-project/
+ *   npx create-vellaveto --help           Show help
+ *   npx create-vellaveto --version        Show version
+ */
+export {};

package/dist/index.js

@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+/**
+ * create-vellaveto — CLI setup wizard for Vellaveto MCP Tool Firewall
+ *
+ * Usage:
+ *   npx create-vellaveto                  Interactive wizard (creates ./vellaveto/)
+ *   npx create-vellaveto my-project       Write files to ./my-project/
+ *   npx create-vellaveto --help           Show help
+ *   npx create-vellaveto --version        Show version
+ */
+import { VERSION } from "./constants.js";
+import { runWizard } from "./wizard.js";
+function printHelp() {
+    console.log(`
+create-vellaveto v${VERSION}
+
+Setup wizard for Vellaveto — MCP Tool Firewall
+
+Usage:
+  npx create-vellaveto [project-directory]
+
+Arguments:
+  project-directory   Directory to create (default: vellaveto)
+
+Options:
+  --help, -h          Show this help message
+  --version, -v       Show version number
+
+Examples:
+  npx create-vellaveto                # Creates ./vellaveto/ with all files
+  npx create-vellaveto my-project     # Creates ./my-project/ with all files
+`);
+}
+function main() {
+    const args = process.argv.slice(2);
+    let projectDir;
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        switch (arg) {
+            case "--help":
+            case "-h":
+                printHelp();
+                process.exit(0);
+                break;
+            case "--version":
+            case "-v":
+                console.log(VERSION);
+                process.exit(0);
+                break;
+            // Keep --output as hidden alias for backwards compat
+            case "--output":
+            case "-o":
+                i++;
+                if (i >= args.length) {
+                    console.error("Error: --output requires a directory path");
+                    process.exit(1);
+                }
+                projectDir = args[i];
+                break;
+            default:
+                if (arg.startsWith("-")) {
+                    console.error(`Unknown option: ${arg}`);
+                    console.error("Run with --help for usage information.");
+                    process.exit(1);
+                }
+                projectDir = arg;
+        }
+    }
+    runWizard(projectDir).catch((err) => {
+        console.error("Fatal error:", err);
+        process.exit(1);
+    });
+}
+main();

package/dist/steps/audit.d.ts

@@ -0,0 +1,2 @@
+import type { WizardState } from "../types.js";
+export declare function auditStep(state: WizardState): Promise<void>;

package/dist/steps/audit.js

@@ -0,0 +1,109 @@
+import * as p from "@clack/prompts";
+export async function auditStep(state) {
+    const redaction = await p.select({
+        message: "Audit log redaction level",
+        options: [
+            {
+                value: "off",
+                label: "Off",
+                hint: "No redaction — full parameters logged (dev only)",
+            },
+            {
+                value: "low",
+                label: "Low (recommended)",
+                hint: "Redact known secrets (API keys, tokens)",
+            },
+            {
+                value: "high",
+                label: "High",
+                hint: "Redact all parameter values",
+            },
+        ],
+        initialValue: "low",
+    });
+    if (p.isCancel(redaction)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.redactionLevel = redaction;
+    const format = await p.select({
+        message: "Audit export format",
+        options: [
+            {
+                value: "none",
+                label: "None",
+                hint: "Local file logging only",
+            },
+            {
+                value: "jsonl",
+                label: "JSONL",
+                hint: "JSON Lines — one event per line",
+            },
+            {
+                value: "cef",
+                label: "CEF",
+                hint: "Common Event Format — for SIEM integration",
+            },
+            {
+                value: "webhook",
+                label: "Webhook",
+                hint: "POST events to an HTTP endpoint",
+            },
+        ],
+    });
+    if (p.isCancel(format)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.auditExportFormat = format;
+    if (format === "webhook") {
+        const target = await p.text({
+            message: "Webhook URL",
+            placeholder: "https://example.com/vellaveto-events",
+            validate(value) {
+                try {
+                    const url = new URL(value);
+                    if (url.protocol !== "https:" && url.protocol !== "http:") {
+                        return "URL must use http:// or https://";
+                    }
+                }
+                catch {
+                    return "Please enter a valid URL";
+                }
+            },
+        });
+        if (p.isCancel(target)) {
+            p.cancel("Setup cancelled.");
+            process.exit(0);
+        }
+        state.auditExportTarget = target;
+    }
+    else if (format === "jsonl" || format === "cef") {
+        const target = await p.text({
+            message: "Export file path",
+            placeholder: `/var/log/vellaveto/export.${format}`,
+            defaultValue: `/var/log/vellaveto/export.${format}`,
+        });
+        if (p.isCancel(target)) {
+            p.cancel("Setup cancelled.");
+            process.exit(0);
+        }
+        state.auditExportTarget = target;
+    }
+    const checkpoint = await p.text({
+        message: "Audit checkpoint interval (seconds, 0 to disable)",
+        placeholder: "300",
+        defaultValue: "300",
+        validate(value) {
+            const n = Number(value);
+            if (isNaN(n) || n < 0 || !Number.isInteger(n)) {
+                return "Must be a non-negative integer";
+            }
+        },
+    });
+    if (p.isCancel(checkpoint)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.checkpointInterval = Number(checkpoint);
+}

package/dist/steps/compliance.d.ts

@@ -0,0 +1,2 @@
+import type { WizardState } from "../types.js";
+export declare function complianceStep(state: WizardState): Promise<void>;

package/dist/steps/compliance.js

@@ -0,0 +1,26 @@
+import * as p from "@clack/prompts";
+const FRAMEWORKS = [
+    { value: "eu_ai_act", label: "EU AI Act", hint: "Transparency marking, risk assessment" },
+    { value: "nis2", label: "NIS2", hint: "Incident reporting, supply chain checks" },
+    { value: "dora", label: "DORA", hint: "ICT risk management, incident tracking" },
+    { value: "soc2", label: "SOC 2", hint: "Trust service criteria auditing" },
+    { value: "iso42001", label: "ISO 42001", hint: "AI management system standard" },
+];
+export async function complianceStep(state) {
+    p.log.info("Select which compliance frameworks to enable:");
+    const selected = [];
+    for (const fw of FRAMEWORKS) {
+        const enabled = await p.confirm({
+            message: `${fw.label} — ${fw.hint}`,
+            initialValue: false,
+        });
+        if (p.isCancel(enabled)) {
+            p.cancel("Setup cancelled.");
+            process.exit(0);
+        }
+        if (enabled) {
+            selected.push(fw.value);
+        }
+    }
+    state.complianceFrameworks = selected;
+}

package/dist/steps/detection.d.ts

@@ -0,0 +1,2 @@
+import type { WizardState } from "../types.js";
+export declare function detectionStep(state: WizardState): Promise<void>;

package/dist/steps/detection.js

@@ -0,0 +1,52 @@
+import * as p from "@clack/prompts";
+export async function detectionStep(state) {
+    const injectionEnabled = await p.confirm({
+        message: "Enable injection detection?",
+        initialValue: true,
+    });
+    if (p.isCancel(injectionEnabled)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.injectionEnabled = injectionEnabled;
+    if (injectionEnabled) {
+        const injectionBlocking = await p.confirm({
+            message: "Block requests with detected injections? (vs. log-only)",
+            initialValue: false,
+        });
+        if (p.isCancel(injectionBlocking)) {
+            p.cancel("Setup cancelled.");
+            process.exit(0);
+        }
+        state.injectionBlocking = injectionBlocking;
+    }
+    const dlpEnabled = await p.confirm({
+        message: "Enable DLP (Data Loss Prevention) scanning?",
+        initialValue: true,
+    });
+    if (p.isCancel(dlpEnabled)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.dlpEnabled = dlpEnabled;
+    if (dlpEnabled) {
+        const dlpBlocking = await p.confirm({
+            message: "Block requests with DLP findings? (vs. log-only)",
+            initialValue: false,
+        });
+        if (p.isCancel(dlpBlocking)) {
+            p.cancel("Setup cancelled.");
+            process.exit(0);
+        }
+        state.dlpBlocking = dlpBlocking;
+    }
+    const behavioralEnabled = await p.confirm({
+        message: "Enable behavioral anomaly detection?",
+        initialValue: false,
+    });
+    if (p.isCancel(behavioralEnabled)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.behavioralEnabled = behavioralEnabled;
+}

package/dist/steps/policies.d.ts

@@ -0,0 +1,2 @@
+import type { WizardState } from "../types.js";
+export declare function policiesStep(state: WizardState): Promise<void>;

package/dist/steps/policies.js

@@ -0,0 +1,29 @@
+import * as p from "@clack/prompts";
+export async function policiesStep(state) {
+    const preset = await p.select({
+        message: "Select a policy preset",
+        options: [
+            {
+                value: "strict",
+                label: "Strict",
+                hint: "Deny-by-default. Block credentials + exfiltration. Destructive ops require approval.",
+            },
+            {
+                value: "balanced",
+                label: "Balanced (recommended)",
+                hint: "Deny-by-default. Block credentials. Reads allowed, writes require approval.",
+            },
+            {
+                value: "permissive",
+                label: "Permissive",
+                hint: "Allow-by-default. Only block credentials and exfiltration attempts.",
+            },
+        ],
+        initialValue: "balanced",
+    });
+    if (p.isCancel(preset)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.policyPreset = preset;
+}

package/dist/steps/sdk.d.ts

@@ -0,0 +1,2 @@
+import type { WizardState } from "../types.js";
+export declare function sdkStep(state: WizardState): Promise<void>;

package/dist/steps/sdk.js

@@ -0,0 +1,25 @@
+import * as p from "@clack/prompts";
+import pc from "picocolors";
+import { generateSnippet, installCommand } from "../generators/snippets.js";
+export async function sdkStep(state) {
+    const language = await p.select({
+        message: "Show integration snippet for which SDK?",
+        options: [
+            { value: "python", label: "Python", hint: "pip install vellaveto" },
+            { value: "typescript", label: "TypeScript", hint: "npm install vellaveto" },
+            { value: "go", label: "Go", hint: "go get vellaveto" },
+            { value: "java", label: "Java", hint: "Maven / Gradle" },
+            { value: "skip", label: "Skip", hint: "No snippet needed" },
+        ],
+    });
+    if (p.isCancel(language)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.sdkLanguage = language;
+    if (language !== "skip") {
+        const install = installCommand(language);
+        const snippet = generateSnippet(language, state.apiKey);
+        p.note(`${pc.dim("Install:")}\n${install}\n\n${pc.dim("Usage:")}\n${snippet}`, `${language.charAt(0).toUpperCase() + language.slice(1)} SDK`);
+    }
+}

package/dist/steps/security.d.ts

@@ -0,0 +1,2 @@
+import type { WizardState } from "../types.js";
+export declare function securityStep(state: WizardState): Promise<void>;

package/dist/steps/security.js

@@ -0,0 +1,61 @@
+import * as p from "@clack/prompts";
+import pc from "picocolors";
+import { generateApiKey, isValidOrigin } from "../utils.js";
+export async function securityStep(state) {
+    const generatedKey = generateApiKey();
+    p.log.info(`Generated API key: ${pc.cyan(generatedKey)}`);
+    const useGenerated = await p.confirm({
+        message: "Use this API key?",
+        initialValue: true,
+    });
+    if (p.isCancel(useGenerated)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    if (useGenerated) {
+        state.apiKey = generatedKey;
+    }
+    else {
+        const customKey = await p.text({
+            message: "Enter your API key",
+            validate(value) {
+                if (value.length < 8)
+                    return "API key must be at least 8 characters";
+            },
+        });
+        if (p.isCancel(customKey)) {
+            p.cancel("Setup cancelled.");
+            process.exit(0);
+        }
+        state.apiKey = customKey;
+    }
+    const corsInput = await p.text({
+        message: "Allowed CORS origins (comma-separated, or * for all)",
+        placeholder: "http://localhost:3000",
+        defaultValue: "",
+    });
+    if (p.isCancel(corsInput)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    if (corsInput.trim()) {
+        const origins = corsInput
+            .split(",")
+            .map((s) => s.trim())
+            .filter(Boolean);
+        const invalid = origins.filter((o) => !isValidOrigin(o));
+        if (invalid.length > 0) {
+            p.log.warn(`Skipping invalid origins: ${invalid.join(", ")}`);
+        }
+        state.corsOrigins = origins.filter((o) => isValidOrigin(o));
+    }
+    const anonymous = await p.confirm({
+        message: "Allow anonymous (unauthenticated) evaluate requests?",
+        initialValue: false,
+    });
+    if (p.isCancel(anonymous)) {
+        p.cancel("Setup cancelled.");
+        process.exit(0);
+    }
+    state.anonymousMode = anonymous;
+}

package/dist/steps/welcome.d.ts

@@ -0,0 +1,2 @@
+import type { WizardState } from "../types.js";
+export declare function welcomeStep(state: WizardState, projectDir: string | undefined): Promise<string>;