securegate-cli-tool 2.0.0

package/src/commands/connect.js

@@ -0,0 +1,102 @@
+/**
+ * securegate connect — Create a new provider connection
+ */
+
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+const ora = require('ora');
+const api = require('../api');
+
+// Provider registry (mirrors lib/providers.ts)
+const PROVIDERS = [
+    { value: 'openai', name: 'OpenAI — GPT-4o, GPT-4.1, o3, DALL·E', placeholder: 'sk-...' },
+    { value: 'anthropic', name: 'Anthropic — Claude 4, Claude 3.5 Sonnet', placeholder: 'sk-ant-...' },
+    { value: 'google', name: 'Google AI — Gemini 2.5 Pro, Flash', placeholder: 'AIza...' },
+    { value: 'azure', name: 'Azure OpenAI — GPT-4o via Azure', placeholder: 'Your Azure API key' },
+    { value: 'groq', name: 'Groq — Ultra-fast LPU inference', placeholder: 'gsk_...' },
+    { value: 'together', name: 'Together AI — Llama, Qwen, DeepSeek', placeholder: 'Your key' },
+    { value: 'fireworks', name: 'Fireworks AI — Fast serverless inference', placeholder: 'fw_...' },
+    { value: 'perplexity', name: 'Perplexity — Sonar models + web search', placeholder: 'pplx-...' },
+    { value: 'mistral', name: 'Mistral AI — Mistral Large, Codestral', placeholder: 'Your key' },
+    { value: 'deepseek', name: 'DeepSeek — V3, R1 reasoning', placeholder: 'sk-...' },
+    { value: 'cohere', name: 'Cohere — Command R+, Embed', placeholder: 'Your key' },
+    { value: 'replicate', name: 'Replicate — Open-source models', placeholder: 'r8_...' },
+    { value: 'bedrock', name: 'AWS Bedrock — Managed AI on AWS', placeholder: 'Your key' },
+    { value: 'huggingface', name: 'Hugging Face — 200k+ models', placeholder: 'hf_...' },
+    { value: 'custom', name: 'Custom / OpenAI-Compatible — vLLM, LM Studio, Ollama', placeholder: 'Your key' },
+];
+
+async function connectCommand() {
+    console.log();
+    console.log(chalk.cyan.bold('🔗 Connect a Provider'));
+    console.log(chalk.dim('━'.repeat(50)));
+    console.log();
+
+    const answers = await inquirer.prompt([
+        {
+            type: 'list',
+            name: 'provider',
+            message: 'Select your AI provider:',
+            choices: PROVIDERS,
+            pageSize: 15,
+        },
+    ]);
+
+    const selected = PROVIDERS.find(p => p.value === answers.provider);
+    const followUp = [
+        {
+            type: 'password',
+            name: 'apiKey',
+            message: `Enter your ${selected.name.split(' — ')[0]} API key:`,
+            mask: '•',
+            validate: (v) => v.length > 5 ? true : 'API key seems too short',
+        },
+    ];
+
+    // Custom provider needs base URL
+    if (answers.provider === 'custom') {
+        followUp.push({
+            type: 'input',
+            name: 'baseUrl',
+            message: 'Base URL (e.g., http://localhost:11434/v1):',
+            validate: (v) => v.startsWith('http') ? true : 'Must start with http:// or https://',
+        });
+        followUp.push({
+            type: 'input',
+            name: 'customName',
+            message: 'Connection name (optional):',
+            default: 'custom-endpoint',
+        });
+    }
+
+    const details = await inquirer.prompt(followUp);
+
+    const spinner = ora('Encrypting & storing your key...').start();
+
+    try {
+        const res = await api.createConnection({
+            provider: answers.provider,
+            apiKey: details.apiKey,
+            customName: details.customName,
+            baseUrl: details.baseUrl,
+        });
+
+        if (res.status !== 200 && res.status !== 201) {
+            throw new Error(res.data?.error || `Server returned ${res.status}`);
+        }
+
+        spinner.succeed(chalk.green('Connection created!'));
+        console.log();
+        console.log(chalk.dim('  Connection ID: ') + chalk.white.bold(res.data.connection_id));
+        console.log(chalk.dim('  Provider:      ') + chalk.white(answers.provider));
+        console.log();
+        console.log(chalk.yellow('  Next step: Generate a security key'));
+        console.log(chalk.dim(`  Run: ${chalk.cyan('securegate keys create')}`));
+        console.log();
+    } catch (err) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+        process.exitCode = 1;
+    }
+}
+
+module.exports = connectCommand;

package/src/commands/keys.js

@@ -0,0 +1,232 @@
+/**
+ * securegate keys — Manage security keys
+ */
+
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+const ora = require('ora');
+const api = require('../api');
+const { setConnection, PROXY_BASE_URL } = require('../config');
+
+async function keysListCommand() {
+    console.log();
+    console.log(chalk.cyan.bold('🔑 Security Keys'));
+    console.log(chalk.dim('━'.repeat(50)));
+
+    const spinner = ora('Fetching connections...').start();
+
+    try {
+        const res = await api.listConnections();
+
+        if (res.status !== 200) {
+            throw new Error(res.data?.error || `Server returned ${res.status}`);
+        }
+
+        const connections = res.data?.connections || res.data || [];
+        spinner.stop();
+
+        if (connections.length === 0) {
+            console.log();
+            console.log(chalk.dim('  No connections found.'));
+            console.log(chalk.dim(`  Run: ${chalk.cyan('securegate connect')} to create one.`));
+            console.log();
+            return;
+        }
+
+        console.log();
+        for (const conn of connections) {
+            const keyCount = conn.security_keys?.length || 0;
+            console.log(chalk.white.bold(`  ${conn.connection_id}`));
+            console.log(chalk.dim(`    Provider: ${conn.provider}`));
+            console.log(chalk.dim(`    Keys:     ${keyCount} active`));
+            console.log(chalk.dim(`    Created:  ${new Date(conn.created_at).toLocaleDateString()}`));
+
+            if (conn.security_keys?.length > 0) {
+                for (const key of conn.security_keys) {
+                    const preview = key.key_prefix || 'SG_***';
+                    const status = key.is_active ? chalk.green('● active') : chalk.red('● revoked');
+                    console.log(chalk.dim(`      ${preview}  ${status}  ${key.label || 'no label'}`));
+                }
+            }
+            console.log();
+        }
+    } catch (err) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+        process.exitCode = 1;
+    }
+}
+
+async function keysCreateCommand() {
+    console.log();
+    console.log(chalk.cyan.bold('🔑 Generate Security Key'));
+    console.log(chalk.dim('━'.repeat(50)));
+
+    const spinner = ora('Fetching connections...').start();
+
+    try {
+        const res = await api.listConnections();
+        spinner.stop();
+
+        if (res.status !== 200) {
+            throw new Error(res.data?.error || `Server returned ${res.status}`);
+        }
+
+        const connections = res.data?.connections || res.data || [];
+
+        if (connections.length === 0) {
+            console.log();
+            console.log(chalk.dim('  No connections found. Create one first:'));
+            console.log(chalk.cyan('  securegate connect'));
+            console.log();
+            return;
+        }
+
+        const choices = connections.map(c => ({
+            name: `${c.connection_id} (${c.provider})`,
+            value: c.connection_id,
+        }));
+
+        console.log();
+        const { connectionId, label } = await inquirer.prompt([
+            {
+                type: 'list',
+                name: 'connectionId',
+                message: 'Which connection?',
+                choices,
+            },
+            {
+                type: 'input',
+                name: 'label',
+                message: 'Key label (optional):',
+                default: `${require('os').hostname()} CLI`,
+            },
+        ]);
+
+        const genSpinner = ora('Generating security key...').start();
+        const keyRes = await api.generateKey(connectionId, label);
+
+        if (keyRes.status !== 200 && keyRes.status !== 201) {
+            throw new Error(keyRes.data?.error || `Server returned ${keyRes.status}`);
+        }
+
+        genSpinner.succeed(chalk.green('Security key generated!'));
+
+        const { security_key, bound_to, usage } = keyRes.data;
+
+        // Save locally
+        setConnection(connectionId, {
+            security_key,
+            provider: connections.find(c => c.connection_id === connectionId)?.provider,
+            bound_to,
+            created_at: new Date().toISOString(),
+        });
+
+        console.log();
+        console.log(chalk.yellow.bold('  ⚠  SAVE THIS KEY — IT WILL NOT BE SHOWN AGAIN!'));
+        console.log();
+        console.log(chalk.dim('  Security Key:'));
+        console.log(chalk.white.bold(`  ${security_key}`));
+        console.log();
+        if (bound_to) {
+            console.log(chalk.dim(`  Bound to IP:     ${bound_to.ip || 'auto-bind on first use'}`));
+            console.log(chalk.dim(`  Bound to Device: ${bound_to.device || 'this machine'}`));
+        }
+        console.log();
+        console.log(chalk.dim('  Quick usage:'));
+        console.log(chalk.dim(`  ${chalk.cyan(`baseURL: "${usage?.baseURL || PROXY_BASE_URL}"`)}`));
+        console.log(chalk.dim(`  ${chalk.cyan(`apiKey:  "${security_key.substring(0, 12)}..."`)}`));
+        console.log();
+    } catch (err) {
+        spinner?.fail?.(chalk.red(`Failed: ${err.message}`));
+        process.exitCode = 1;
+    }
+}
+
+async function keysRevokeCommand(keyId) {
+    if (!keyId) {
+        console.log(chalk.red('  Error: Key ID required.'));
+        console.log(chalk.dim('  Usage: securegate keys revoke <key-id>'));
+        return;
+    }
+
+    const { confirm } = await inquirer.prompt([{
+        type: 'confirm',
+        name: 'confirm',
+        message: `Revoke key ${chalk.red(keyId)}? This cannot be undone.`,
+        default: false,
+    }]);
+
+    if (!confirm) {
+        console.log(chalk.dim('  Cancelled.'));
+        return;
+    }
+
+    const spinner = ora('Revoking key...').start();
+
+    try {
+        const res = await api.deleteKey(keyId);
+
+        if (res.status !== 200) {
+            throw new Error(res.data?.error || `Server returned ${res.status}`);
+        }
+
+        spinner.succeed(chalk.green('Key revoked.'));
+    } catch (err) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+        process.exitCode = 1;
+    }
+}
+
+async function keysLockCommand(keyId, options) {
+    if (!keyId) {
+        console.log(chalk.red('  Error: Key ID required.'));
+        console.log(chalk.dim('  Usage: securegate keys lock <key-id> [--ip <ip-address>]'));
+        return;
+    }
+
+    const spinner = ora('Checking IP...').start();
+    let ipToLock = options.ip;
+
+    if (!ipToLock) {
+        try {
+            const res = await fetch('https://api.ipify.org?format=json').then(r => r.json());
+            ipToLock = res.ip;
+        } catch (err) {
+            spinner.fail(chalk.red('Failed to detect public IP. Please specify with --ip'));
+            return;
+        }
+    }
+    spinner.stop();
+
+    console.log();
+    const { confirm } = await inquirer.prompt([{
+        type: 'confirm',
+        name: 'confirm',
+        message: `Lock key ${chalk.cyan(keyId)} to IP ${chalk.yellow(ipToLock)}?`,
+        default: true,
+    }]);
+
+    if (!confirm) {
+        console.log(chalk.dim('  Cancelled.'));
+        return;
+    }
+
+    const lockSpinner = ora('Locking key...').start();
+
+    try {
+        const res = await api.lockKey(keyId, ipToLock);
+
+        if (res.status !== 200) {
+            throw new Error(res.data?.error || `Server returned ${res.status}`);
+        }
+
+        lockSpinner.succeed(chalk.green(`Key locked to ${ipToLock}`));
+        console.log(chalk.dim('  Run `securegate keys list` to verify.'));
+        console.log();
+    } catch (err) {
+        lockSpinner.fail(chalk.red(`Failed: ${err.message}`));
+        process.exitCode = 1;
+    }
+}
+
+module.exports = { keysListCommand, keysCreateCommand, keysRevokeCommand, keysLockCommand };

package/src/commands/login.js

@@ -0,0 +1,60 @@
+/**
+ * securegate login — Authenticate with SecureGate
+ */
+
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+const ora = require('ora');
+const api = require('../api');
+const { getAuth } = require('../config');
+
+async function loginCommand() {
+    console.log();
+    console.log(chalk.cyan.bold('🔐 SecureGate Login'));
+    console.log(chalk.dim('━'.repeat(50)));
+    console.log();
+
+    // Check if already logged in
+    const existing = getAuth();
+    if (existing?.user?.email) {
+        const { confirm } = await inquirer.prompt([{
+            type: 'confirm',
+            name: 'confirm',
+            message: `Already logged in as ${chalk.cyan(existing.user.email)}. Re-authenticate?`,
+            default: false,
+        }]);
+        if (!confirm) return;
+    }
+
+    const answers = await inquirer.prompt([
+        {
+            type: 'input',
+            name: 'email',
+            message: 'Email:',
+            validate: (v) => v.includes('@') ? true : 'Enter a valid email',
+        },
+        {
+            type: 'password',
+            name: 'password',
+            message: 'Password:',
+            mask: '•',
+            validate: (v) => v.length >= 6 ? true : 'Password must be at least 6 characters',
+        },
+    ]);
+
+    const spinner = ora('Authenticating...').start();
+
+    try {
+        const data = await api.login(answers.email, answers.password);
+        spinner.succeed(chalk.green('Logged in successfully!'));
+        console.log();
+        console.log(chalk.dim(`  User: ${data.user?.email}`));
+        console.log(chalk.dim(`  ID:   ${data.user?.id?.substring(0, 8)}...`));
+        console.log();
+    } catch (err) {
+        spinner.fail(chalk.red(`Login failed: ${err.message}`));
+        process.exitCode = 1;
+    }
+}
+
+module.exports = loginCommand;

package/src/commands/providers.js

@@ -0,0 +1,51 @@
+/**
+ * securegate providers — List available providers
+ */
+
+const chalk = require('chalk');
+
+const PROVIDERS = {
+    'Major Providers': [
+        { id: 'openai', name: 'OpenAI', desc: 'GPT-4o, GPT-4.1, o3, DALL·E, Whisper' },
+        { id: 'anthropic', name: 'Anthropic', desc: 'Claude 4, Claude 3.5 Sonnet, Haiku' },
+        { id: 'google', name: 'Google AI', desc: 'Gemini 2.5 Pro, Gemini Flash, PaLM' },
+        { id: 'azure', name: 'Azure OpenAI', desc: 'GPT-4o & OpenAI models via Azure' },
+    ],
+    'Cloud & Inference': [
+        { id: 'groq', name: 'Groq', desc: 'Ultra-fast LPU inference for Llama, Mixtral' },
+        { id: 'together', name: 'Together AI', desc: 'Open-source models: Llama, Qwen, DeepSeek' },
+        { id: 'fireworks', name: 'Fireworks AI', desc: 'Fast serverless inference for open models' },
+        { id: 'perplexity', name: 'Perplexity', desc: 'Sonar models with built-in web search' },
+        { id: 'mistral', name: 'Mistral AI', desc: 'Mistral Large, Medium, Codestral' },
+        { id: 'deepseek', name: 'DeepSeek', desc: 'DeepSeek-V3, DeepSeek-R1 reasoning' },
+    ],
+    'Specialized & Enterprise': [
+        { id: 'cohere', name: 'Cohere', desc: 'Command R+, Embed, Rerank for enterprise' },
+        { id: 'replicate', name: 'Replicate', desc: 'Run open-source models via API' },
+        { id: 'bedrock', name: 'AWS Bedrock', desc: 'Managed AI models on AWS infrastructure' },
+        { id: 'huggingface', name: 'Hugging Face', desc: 'Inference API for 200k+ models' },
+    ],
+    'Custom': [
+        { id: 'custom', name: 'Custom / OpenAI-Compatible', desc: 'vLLM, LM Studio, Ollama, LocalAI, etc.' },
+    ],
+};
+
+function providersCommand() {
+    console.log();
+    console.log(chalk.cyan.bold('📦 Available Providers'));
+    console.log(chalk.dim('━'.repeat(50)));
+    console.log();
+
+    for (const [category, providers] of Object.entries(PROVIDERS)) {
+        console.log(chalk.white.bold(`  ${category}`));
+        for (const p of providers) {
+            console.log(`    ${chalk.cyan(p.id.padEnd(16))} ${chalk.dim(p.desc)}`);
+        }
+        console.log();
+    }
+
+    console.log(chalk.dim(`  Run ${chalk.cyan('securegate connect')} to add a provider.`));
+    console.log();
+}
+
+module.exports = providersCommand;

package/src/commands/status.js

@@ -0,0 +1,78 @@
+/**
+ * securegate status — Show current authentication & connection state
+ */
+
+const chalk = require('chalk');
+const ora = require('ora');
+const { getAuth, getConnections, CONFIG_FILE } = require('../config');
+const api = require('../api');
+
+async function statusCommand() {
+    console.log();
+    console.log(chalk.cyan.bold('📊 SecureGate Status'));
+    console.log(chalk.dim('━'.repeat(50)));
+    console.log();
+
+    // Auth status
+    const auth = getAuth();
+    if (!auth) {
+        console.log(chalk.dim('  Auth:   ') + chalk.red('Not logged in'));
+        console.log(chalk.dim(`  Run: ${chalk.cyan('securegate login')}`));
+        console.log();
+        return;
+    }
+
+    console.log(chalk.dim('  Auth:   ') + chalk.green('● Logged in'));
+    console.log(chalk.dim('  Email:  ') + chalk.white(auth.user?.email || 'unknown'));
+    console.log(chalk.dim('  ID:     ') + chalk.dim(auth.user?.id?.substring(0, 8) + '...'));
+
+    if (auth.expires_at) {
+        const remaining = auth.expires_at - Date.now();
+        if (remaining > 0) {
+            const mins = Math.round(remaining / 60000);
+            console.log(chalk.dim('  Token:  ') + chalk.green(`Valid (${mins}m remaining)`));
+        } else {
+            console.log(chalk.dim('  Token:  ') + chalk.yellow('Expired (will auto-refresh)'));
+        }
+    }
+    console.log();
+
+    // Local connections
+    const localConns = getConnections();
+    const localCount = Object.keys(localConns).length;
+    console.log(chalk.dim(`  Local keys: ${localCount} saved in ${CONFIG_FILE}`));
+
+    // Remote connections
+    const spinner = ora({ text: 'Fetching remote status...', indent: 2 }).start();
+    try {
+        const res = await api.listConnections();
+        if (res.status === 200) {
+            const conns = res.data?.connections || res.data || [];
+            spinner.succeed(`${conns.length} connection(s) on server`);
+
+            for (const c of conns) {
+                const keyCount = c.security_keys?.length || 0;
+                console.log(chalk.dim(`    ${chalk.cyan(c.connection_id)} — ${c.provider} — ${keyCount} key(s)`));
+            }
+        } else {
+            spinner.warn('Could not fetch remote status');
+        }
+    } catch (err) {
+        spinner.warn(`Could not reach server: ${err.message}`);
+    }
+
+    console.log();
+    // Plan info
+    try {
+        const profile = await api.getProfile();
+        if (profile.status === 200) {
+            const plan = profile.data?.plan || 'free';
+            const planColor = plan === 'free' ? chalk.dim : chalk.green;
+            console.log(chalk.dim('  Plan:   ') + planColor(plan.charAt(0).toUpperCase() + plan.slice(1)));
+        }
+    } catch { }
+
+    console.log();
+}
+
+module.exports = statusCommand;

package/src/config.js

@@ -0,0 +1,82 @@
+/**
+ * SecureGate CLI — Configuration & Storage
+ * Manages ~/.securegate/config.json
+ */
+
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+
+const CONFIG_DIR = path.join(os.homedir(), '.securegate');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+
+// Supabase project
+const SUPABASE_URL = 'https://pbrmsfoowrjqsikgkijb.supabase.co';
+const SUPABASE_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InBicm1zZm9vd3JqcXNpa2draWpiIiwicm9sZSI6ImFub24iLCJpYXQiOjE3Mzg5MTg0NjcsImV4cCI6MjA1NDQ5NDQ2N30.4lGMcORfVTiRxSRcVMeuiECra3SvDpkWRMkJEiRQAS8';
+
+// Public-facing proxy URL
+const PROXY_BASE_URL = 'https://securegate.xyz/v1';
+
+function ensureConfigDir() {
+    if (!fs.existsSync(CONFIG_DIR)) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+}
+
+function loadConfig() {
+    try {
+        if (fs.existsSync(CONFIG_FILE)) {
+            return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
+        }
+    } catch { }
+    return {};
+}
+
+function saveConfig(config) {
+    ensureConfigDir();
+    fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
+}
+
+function getAuth() {
+    const config = loadConfig();
+    return config.auth || null;
+}
+
+function setAuth(auth) {
+    const config = loadConfig();
+    config.auth = auth;
+    saveConfig(config);
+}
+
+function clearAuth() {
+    const config = loadConfig();
+    delete config.auth;
+    saveConfig(config);
+}
+
+function getConnections() {
+    const config = loadConfig();
+    return config.connections || {};
+}
+
+function setConnection(connectionId, data) {
+    const config = loadConfig();
+    if (!config.connections) config.connections = {};
+    config.connections[connectionId] = data;
+    saveConfig(config);
+}
+
+module.exports = {
+    CONFIG_DIR,
+    CONFIG_FILE,
+    SUPABASE_URL,
+    SUPABASE_ANON_KEY,
+    PROXY_BASE_URL,
+    loadConfig,
+    saveConfig,
+    getAuth,
+    setAuth,
+    clearAuth,
+    getConnections,
+    setConnection,
+};