sentinelayer-cli 0.1.2 → 0.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (129) hide show
  1. package/README.md +998 -996
  2. package/bin/create-sentinelayer.js +5 -5
  3. package/bin/sentinelayer-cli.js +4 -4
  4. package/bin/sl.js +5 -5
  5. package/package.json +63 -54
  6. package/src/agents/jules/config/definition.js +209 -209
  7. package/src/agents/jules/config/system-prompt.js +175 -175
  8. package/src/agents/jules/error-intake.js +51 -51
  9. package/src/agents/jules/fix-cycle.js +377 -377
  10. package/src/agents/jules/loop.js +367 -367
  11. package/src/agents/jules/pulse.js +327 -319
  12. package/src/agents/jules/stream.js +186 -186
  13. package/src/agents/jules/swarm/file-scanner.js +74 -74
  14. package/src/agents/jules/swarm/index.js +11 -11
  15. package/src/agents/jules/swarm/orchestrator.js +362 -362
  16. package/src/agents/jules/swarm/pattern-hunter.js +123 -123
  17. package/src/agents/jules/swarm/sub-agent.js +308 -308
  18. package/src/agents/jules/tools/auth-audit.js +557 -222
  19. package/src/agents/jules/tools/dispatch.js +327 -327
  20. package/src/agents/jules/tools/file-edit.js +180 -180
  21. package/src/agents/jules/tools/file-read.js +100 -100
  22. package/src/agents/jules/tools/frontend-analyze.js +570 -570
  23. package/src/agents/jules/tools/glob.js +168 -168
  24. package/src/agents/jules/tools/grep.js +228 -228
  25. package/src/agents/jules/tools/index.js +29 -29
  26. package/src/agents/jules/tools/path-guards.js +161 -161
  27. package/src/agents/jules/tools/runtime-audit.js +503 -493
  28. package/src/agents/jules/tools/shell.js +383 -383
  29. package/src/agents/jules/tools/url-policy.js +100 -0
  30. package/src/ai/aidenid.js +972 -945
  31. package/src/ai/client.js +508 -508
  32. package/src/ai/domain-target-store.js +268 -268
  33. package/src/ai/identity-store.js +270 -270
  34. package/src/ai/site-store.js +145 -145
  35. package/src/audit/agents/architecture.js +180 -180
  36. package/src/audit/agents/compliance.js +179 -179
  37. package/src/audit/agents/documentation.js +165 -165
  38. package/src/audit/agents/performance.js +145 -145
  39. package/src/audit/agents/security.js +215 -215
  40. package/src/audit/agents/testing.js +172 -172
  41. package/src/audit/orchestrator.js +557 -557
  42. package/src/audit/package.js +204 -204
  43. package/src/audit/registry.js +284 -284
  44. package/src/audit/replay.js +103 -103
  45. package/src/auth/gate.js +45 -11
  46. package/src/auth/http.js +270 -113
  47. package/src/auth/service.js +891 -848
  48. package/src/auth/session-store.js +359 -345
  49. package/src/cli.js +252 -252
  50. package/src/commands/ai/identity-lifecycle.js +1338 -1337
  51. package/src/commands/ai/provision-governance.js +1272 -1246
  52. package/src/commands/ai/shared.js +147 -147
  53. package/src/commands/ai.js +11 -11
  54. package/src/commands/apply.js +12 -12
  55. package/src/commands/audit.js +1166 -1166
  56. package/src/commands/auth.js +375 -366
  57. package/src/commands/chat.js +191 -191
  58. package/src/commands/config.js +184 -184
  59. package/src/commands/cost.js +311 -311
  60. package/src/commands/daemon/core.js +850 -850
  61. package/src/commands/daemon/extended.js +1048 -1048
  62. package/src/commands/daemon/shared.js +213 -213
  63. package/src/commands/daemon.js +11 -11
  64. package/src/commands/guide.js +174 -174
  65. package/src/commands/ingest.js +58 -58
  66. package/src/commands/init.js +55 -55
  67. package/src/commands/legacy-args.js +10 -10
  68. package/src/commands/mcp.js +461 -404
  69. package/src/commands/omargate.js +15 -15
  70. package/src/commands/persona.js +20 -20
  71. package/src/commands/plugin.js +260 -260
  72. package/src/commands/policy.js +132 -132
  73. package/src/commands/prompt.js +238 -238
  74. package/src/commands/review.js +704 -704
  75. package/src/commands/scan.js +866 -788
  76. package/src/commands/spec.js +716 -716
  77. package/src/commands/swarm.js +651 -651
  78. package/src/commands/telemetry.js +202 -202
  79. package/src/commands/watch.js +510 -510
  80. package/src/config/agent-dictionary.js +182 -182
  81. package/src/config/io.js +56 -56
  82. package/src/config/paths.js +18 -18
  83. package/src/config/schema.js +55 -55
  84. package/src/config/service.js +184 -184
  85. package/src/cost/budget.js +235 -235
  86. package/src/cost/history.js +188 -188
  87. package/src/cost/tracker.js +171 -171
  88. package/src/daemon/artifact-lineage.js +534 -534
  89. package/src/daemon/assignment-ledger.js +770 -770
  90. package/src/daemon/ast-parser-layer.js +258 -258
  91. package/src/daemon/budget-governor.js +633 -633
  92. package/src/daemon/callgraph-overlay.js +646 -646
  93. package/src/daemon/error-worker.js +626 -626
  94. package/src/daemon/hybrid-mapper.js +929 -929
  95. package/src/daemon/jira-lifecycle.js +632 -632
  96. package/src/daemon/operator-control.js +657 -657
  97. package/src/daemon/reliability-lane.js +471 -471
  98. package/src/daemon/watchdog.js +971 -971
  99. package/src/guide/generator.js +316 -316
  100. package/src/ingest/engine.js +918 -918
  101. package/src/legacy-cli.js +2592 -2435
  102. package/src/mcp/registry.js +695 -695
  103. package/src/memory/blackboard.js +301 -301
  104. package/src/memory/retrieval.js +581 -581
  105. package/src/plugin/manifest.js +553 -553
  106. package/src/policy/packs.js +144 -144
  107. package/src/prompt/generator.js +118 -106
  108. package/src/review/ai-review.js +669 -669
  109. package/src/review/local-review.js +1295 -1284
  110. package/src/review/replay.js +235 -235
  111. package/src/review/report.js +664 -664
  112. package/src/review/spec-binding.js +487 -487
  113. package/src/scaffold/generator.js +67 -0
  114. package/src/scaffold/templates.js +150 -0
  115. package/src/scan/generator.js +418 -351
  116. package/src/scan/gh-secrets.js +107 -0
  117. package/src/spec/generator.js +519 -519
  118. package/src/spec/regenerate.js +237 -237
  119. package/src/spec/templates.js +91 -91
  120. package/src/swarm/dashboard.js +247 -247
  121. package/src/swarm/factory.js +363 -363
  122. package/src/swarm/pentest.js +934 -934
  123. package/src/swarm/registry.js +419 -419
  124. package/src/swarm/report.js +158 -158
  125. package/src/swarm/runtime.js +576 -576
  126. package/src/swarm/scenario-dsl.js +272 -272
  127. package/src/telemetry/ledger.js +302 -302
  128. package/src/telemetry/sync.js +107 -61
  129. package/src/ui/markdown.js +220 -220
package/src/commands/ai/provision-governance.js CHANGED
@@ -1,1246 +1,1272 @@
1
- import path from "node:path";
2
- import process from "node:process";
3
-
4
- import pc from "picocolors";
5
-
6
- import {
7
- buildProvisionEmailPayload,
8
- createDomain,
9
- createTemporarySite,
10
- createTarget,
11
- freezeDomain,
12
- getTarget,
13
- normalizeAidenIdApiUrl,
14
- provisionEmailIdentity,
15
- resolveAidenIdCredentials,
16
- verifyDomain,
17
- verifyTarget,
18
- } from "../../ai/aidenid.js";
19
- import {
20
- getDomainById,
21
- getTargetById as getTrackedTargetById,
22
- recordDomainProofResponse,
23
- recordTargetProofResponse,
24
- } from "../../ai/domain-target-store.js";
25
- import { listSites, recordTemporarySite } from "../../ai/site-store.js";
26
- import { getIdentityById, recordProvisionedIdentity } from "../../ai/identity-store.js";
27
- import { resolveOutputRoot } from "../../config/service.js";
28
- import {
29
- buildCurlPreview,
30
- normalizeIdempotencyKey,
31
- parseCsvTokens,
32
- parseJsonObject,
33
- parsePositiveInteger,
34
- shouldEmitJson,
35
- stableTimestampForFile,
36
- writeArtifact,
37
- } from "./shared.js";
38
-
39
- export function registerAiProvisionAndGovernanceCommands(ai) {
40
- ai
41
- .command("provision-email")
42
- .alias("provision")
43
- .description("Provision an AIdenID identity payload (dry-run by default, optional live execute)")
44
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
45
- .option("--output-dir <path>", "Optional artifact output root override")
46
- .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
47
- .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
48
- .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
49
- .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
50
- .option("--alias-template <value>", "Optional alias template")
51
- .option("--ttl-hours <hours>", "Identity TTL in hours", "24")
52
- .option("--tags <csv>", "Comma-separated tags")
53
- .option("--domain-pool-id <id>", "Optional domain pool id")
54
- .option("--receive-mode <mode>", "Identity receive mode", "EDGE_ACCEPT")
55
- .option("--extraction-types <csv>", "Comma-separated extraction types", "otp,link")
56
- .option("--allow-webhooks", "Allow webhook delivery", true)
57
- .option("--no-allow-webhooks", "Disable webhook delivery")
58
- .option("--idempotency-key <key>", "Explicit idempotency key override")
59
- .option("--execute", "Execute live API call (default is dry-run artifact generation)")
60
- .option("--json", "Emit machine-readable output")
61
- .action(async (options, command) => {
62
- const emitJson = shouldEmitJson(options, command);
63
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
64
- const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
65
- const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
66
- const ttlHours = parsePositiveInteger(options.ttlHours, "ttlHours", 24);
67
-
68
- const payload = buildProvisionEmailPayload({
69
- aliasTemplate: options.aliasTemplate,
70
- ttlHours,
71
- tags: options.tags,
72
- domainPoolId: options.domainPoolId,
73
- receiveMode: options.receiveMode,
74
- allowWebhooks: Boolean(options.allowWebhooks),
75
- extractionTypes: options.extractionTypes,
76
- });
77
-
78
- const outputRoot = await resolveOutputRoot({
79
- cwd: targetPath,
80
- outputDirOverride: options.outputDir,
81
- env: process.env,
82
- });
83
- const artifactsDir = path.join(outputRoot, "aidenid", "provision-email");
84
- const stamp = stableTimestampForFile();
85
- const requestPath = path.join(artifactsDir, `request-${stamp}.json`);
86
-
87
- await writeArtifact(requestPath, {
88
- generatedAt: new Date().toISOString(),
89
- apiUrl,
90
- idempotencyKey,
91
- payload,
92
- });
93
-
94
- const resolvedCredentials = resolveAidenIdCredentials({
95
- apiKey: options.apiKey,
96
- orgId: options.orgId,
97
- projectId: options.projectId,
98
- env: process.env,
99
- requireAll: false,
100
- });
101
-
102
- if (!options.execute) {
103
- const result = {
104
- command: "ai provision-email",
105
- execute: false,
106
- apiUrl,
107
- idempotencyKey,
108
- requestPath,
109
- credentialsMissing: resolvedCredentials.missing,
110
- curlPreview: buildCurlPreview({
111
- apiUrl,
112
- idempotencyKey,
113
- requestPath,
114
- }),
115
- };
116
-
117
- if (emitJson) {
118
- console.log(JSON.stringify(result, null, 2));
119
- return;
120
- }
121
-
122
- console.log(pc.bold("AIdenID provision request artifact created (dry-run)"));
123
- console.log(pc.gray(`Request: ${requestPath}`));
124
- console.log(pc.gray(`API: ${apiUrl}`));
125
- console.log(pc.gray(`Idempotency-Key: ${idempotencyKey}`));
126
- if (resolvedCredentials.missing.length > 0) {
127
- console.log(
128
- pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
129
- );
130
- }
131
- console.log(pc.gray("Execute preview:"));
132
- console.log(result.curlPreview);
133
- return;
134
- }
135
-
136
- const requiredCredentials = resolveAidenIdCredentials({
137
- apiKey: options.apiKey,
138
- orgId: options.orgId,
139
- projectId: options.projectId,
140
- env: process.env,
141
- requireAll: true,
142
- });
143
-
144
- const execution = await provisionEmailIdentity({
145
- apiUrl,
146
- apiKey: requiredCredentials.apiKey,
147
- orgId: requiredCredentials.orgId,
148
- projectId: requiredCredentials.projectId,
149
- idempotencyKey,
150
- payload,
151
- });
152
-
153
- const responsePath = path.join(artifactsDir, `response-${stamp}.json`);
154
- await writeArtifact(responsePath, {
155
- receivedAt: new Date().toISOString(),
156
- apiUrl,
157
- idempotencyKey,
158
- response: execution.response,
159
- });
160
-
161
- const responseIdentity = execution.response || {};
162
- const registryUpdate = await recordProvisionedIdentity({
163
- outputRoot,
164
- response: execution.response || {},
165
- context: {
166
- apiUrl,
167
- orgId: requiredCredentials.orgId,
168
- projectId: requiredCredentials.projectId,
169
- idempotencyKey,
170
- tags: payload.tags,
171
- },
172
- });
173
- const result = {
174
- command: "ai provision-email",
175
- execute: true,
176
- apiUrl,
177
- idempotencyKey,
178
- requestPath,
179
- responsePath,
180
- identity: {
181
- id: String(responseIdentity.id || "").trim() || null,
182
- emailAddress: String(responseIdentity.emailAddress || "").trim() || null,
183
- status: String(responseIdentity.status || "").trim() || null,
184
- expiresAt: responseIdentity.expiresAt || null,
185
- projectId: responseIdentity.projectId || null,
186
- },
187
- response: execution.response,
188
- identityRegistryPath: registryUpdate.registryPath,
189
- };
190
-
191
- if (emitJson) {
192
- console.log(JSON.stringify(result, null, 2));
193
- return;
194
- }
195
-
196
- console.log(pc.bold("AIdenID identity provisioned"));
197
- console.log(pc.gray(`Request: ${requestPath}`));
198
- console.log(pc.gray(`Response: ${responsePath}`));
199
- if (result.identity.id || result.identity.emailAddress) {
200
- console.log(
201
- pc.green(
202
- `${result.identity.id || "unknown-id"} | ${result.identity.emailAddress || "unknown-email"} | ${
203
- result.identity.status || "unknown-status"
204
- }`
205
- )
206
- );
207
- }
208
- });
209
-
210
- const identity = ai.command("identity").description("AIdenID identity lifecycle commands");
211
- const domain = identity.command("domain").description("AIdenID domain governance commands");
212
- const target = identity.command("target").description("AIdenID target governance commands");
213
- const site = identity.command("site").description("AIdenID temporary callback domain commands");
214
- const legalHold = identity.command("legal-hold").description("Identity legal-hold controls");
215
-
216
- domain
217
- .command("create")
218
- .description("Create a domain registration and proof challenge (dry-run by default)")
219
- .argument("<domainName>", "Domain hostname")
220
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
221
- .option("--output-dir <path>", "Optional artifact output root override")
222
- .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
223
- .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
224
- .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
225
- .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
226
- .option("--trust-class <value>", "Domain trust class", "BYOD")
227
- .option("--verification-method <value>", "Domain verification method", "DNS_TXT")
228
- .option("--challenge-value <value>", "Explicit challenge value override")
229
- .option("--proof-ttl-hours <hours>", "Proof TTL hours", "24")
230
- .option("--idempotency-key <key>", "Explicit idempotency key override")
231
- .option("--execute", "Execute live API call")
232
- .option("--json", "Emit machine-readable output")
233
- .action(async (domainName, options, command) => {
234
- const emitJson = shouldEmitJson(options, command);
235
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
236
- const outputRoot = await resolveOutputRoot({
237
- cwd: targetPath,
238
- outputDirOverride: options.outputDir,
239
- env: process.env,
240
- });
241
- const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
242
- const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
243
- const proofTtlHours = parsePositiveInteger(options.proofTtlHours, "proofTtlHours", 24);
244
- const payload = {
245
- domainName: String(domainName || "").trim(),
246
- trustClass: String(options.trustClass || "BYOD").trim() || "BYOD",
247
- verificationMethod:
248
- String(options.verificationMethod || "DNS_TXT").trim() || "DNS_TXT",
249
- challengeValue: String(options.challengeValue || "").trim() || null,
250
- proofTtlHours,
251
- };
252
- if (!payload.domainName) {
253
- throw new Error("domainName is required.");
254
- }
255
-
256
- const artifactsDir = path.join(outputRoot, "aidenid", "domain-create");
257
- const stamp = stableTimestampForFile();
258
- const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(payload.domainName)}-${stamp}.json`);
259
- await writeArtifact(requestPath, {
260
- generatedAt: new Date().toISOString(),
261
- apiUrl,
262
- idempotencyKey,
263
- payload,
264
- });
265
-
266
- const resolvedCredentials = resolveAidenIdCredentials({
267
- apiKey: options.apiKey,
268
- orgId: options.orgId,
269
- projectId: options.projectId,
270
- env: process.env,
271
- requireAll: false,
272
- });
273
-
274
- if (!options.execute) {
275
- const result = {
276
- command: "ai identity domain create",
277
- execute: false,
278
- apiUrl,
279
- idempotencyKey,
280
- requestPath,
281
- payload,
282
- credentialsMissing: resolvedCredentials.missing,
283
- curlPreview: [
284
- `curl -X POST ${apiUrl}/v1/domains \\`,
285
- ` -H \"Authorization: Bearer $AIDENID_API_KEY\" \\`,
286
- ` -H \"X-Org-Id: $AIDENID_ORG_ID\" \\`,
287
- ` -H \"X-Project-Id: $AIDENID_PROJECT_ID\" \\`,
288
- ` -H \"Idempotency-Key: ${idempotencyKey}\" \\`,
289
- ` -H \"Content-Type: application/json\" \\`,
290
- ` --data @${String(requestPath || "").replace(/\\/g, "/")}`,
291
- ].join("\n"),
292
- };
293
- if (emitJson) {
294
- console.log(JSON.stringify(result, null, 2));
295
- return;
296
- }
297
- console.log(pc.bold("AIdenID domain create artifact generated (dry-run)"));
298
- console.log(pc.gray(`Request: ${requestPath}`));
299
- if (resolvedCredentials.missing.length > 0) {
300
- console.log(
301
- pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
302
- );
303
- }
304
- console.log(result.curlPreview);
305
- return;
306
- }
307
-
308
- const requiredCredentials = resolveAidenIdCredentials({
309
- apiKey: options.apiKey,
310
- orgId: options.orgId,
311
- projectId: options.projectId,
312
- env: process.env,
313
- requireAll: true,
314
- });
315
- const execution = await createDomain({
316
- apiUrl,
317
- apiKey: requiredCredentials.apiKey,
318
- orgId: requiredCredentials.orgId,
319
- projectId: requiredCredentials.projectId,
320
- idempotencyKey,
321
- payload,
322
- });
323
- const responsePath = path.join(
324
- artifactsDir,
325
- `response-${encodeURIComponent(payload.domainName)}-${stamp}.json`
326
- );
327
- await writeArtifact(responsePath, {
328
- receivedAt: new Date().toISOString(),
329
- apiUrl,
330
- idempotencyKey,
331
- response: execution.response,
332
- });
333
-
334
- const proofResponse = execution.response || {};
335
- const registryUpdate = await recordDomainProofResponse({
336
- outputRoot,
337
- domain: proofResponse.domain || {},
338
- proof: proofResponse,
339
- context: {
340
- source: "domain-create",
341
- idempotencyKey,
342
- projectId: requiredCredentials.projectId,
343
- },
344
- });
345
- const result = {
346
- command: "ai identity domain create",
347
- execute: true,
348
- apiUrl,
349
- idempotencyKey,
350
- requestPath,
351
- responsePath,
352
- domain: proofResponse.domain || null,
353
- proof: {
354
- proofId: proofResponse.proofId || null,
355
- challengeValue: proofResponse.challengeValue || null,
356
- proofStatus: proofResponse.proofStatus || null,
357
- proofExpiresAt: proofResponse.proofExpiresAt || null,
358
- },
359
- registryPath: registryUpdate.registryPath,
360
- };
361
- if (emitJson) {
362
- console.log(JSON.stringify(result, null, 2));
363
- return;
364
- }
365
- console.log(pc.bold("AIdenID domain created"));
366
- console.log(pc.gray(`Response: ${responsePath}`));
367
- console.log(
368
- `${String(result.domain?.id || "unknown-domain")} | ${String(result.domain?.domainName || payload.domainName)}`
369
- );
370
- });
371
-
372
- domain
373
- .command("verify")
374
- .description("Verify domain proof challenge (dry-run by default)")
375
- .argument("<domainId>", "Domain id")
376
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
377
- .option("--output-dir <path>", "Optional artifact output root override")
378
- .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
379
- .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
380
- .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
381
- .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
382
- .option("--method <value>", "Verification method", "DNS_TXT")
383
- .option("--challenge-value <value>", "Challenge value override (fallback: local registry)")
384
- .option("--proof-value <value>", "Proof value", "txt-verification-record")
385
- .option("--verification-source <value>", "Verification source", "sentinelayer-cli")
386
- .option("--expires-hours <hours>", "Proof expiration in hours", "24")
387
- .option("--idempotency-key <key>", "Explicit idempotency key override")
388
- .option("--execute", "Execute live API call")
389
- .option("--json", "Emit machine-readable output")
390
- .action(async (domainId, options, command) => {
391
- const emitJson = shouldEmitJson(options, command);
392
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
393
- const outputRoot = await resolveOutputRoot({
394
- cwd: targetPath,
395
- outputDirOverride: options.outputDir,
396
- env: process.env,
397
- });
398
- const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
399
- const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
400
- const tracked = await getDomainById({ outputRoot, domainId });
401
- const challengeValue =
402
- String(options.challengeValue || "").trim() ||
403
- String(tracked.domain?.challengeValue || "").trim() ||
404
- null;
405
- if (!challengeValue) {
406
- throw new Error(
407
- `challengeValue is required. Provide --challenge-value or run domain create first for '${domainId}'.`
408
- );
409
- }
410
- const payload = {
411
- method: String(options.method || "DNS_TXT").trim() || "DNS_TXT",
412
- challengeValue,
413
- proofValue: String(options.proofValue || "txt-verification-record").trim() || null,
414
- verificationSource:
415
- String(options.verificationSource || "sentinelayer-cli").trim() || null,
416
- expiresHours: parsePositiveInteger(options.expiresHours, "expiresHours", 24),
417
- };
418
-
419
- const artifactsDir = path.join(outputRoot, "aidenid", "domain-verify");
420
- const stamp = stableTimestampForFile();
421
- const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(domainId)}-${stamp}.json`);
422
- await writeArtifact(requestPath, {
423
- generatedAt: new Date().toISOString(),
424
- apiUrl,
425
- idempotencyKey,
426
- domainId,
427
- payload,
428
- });
429
-
430
- const resolvedCredentials = resolveAidenIdCredentials({
431
- apiKey: options.apiKey,
432
- orgId: options.orgId,
433
- projectId: options.projectId || tracked.domain?.projectId,
434
- env: process.env,
435
- requireAll: false,
436
- });
437
- if (!options.execute) {
438
- const result = {
439
- command: "ai identity domain verify",
440
- execute: false,
441
- domainId,
442
- apiUrl,
443
- idempotencyKey,
444
- requestPath,
445
- payload,
446
- credentialsMissing: resolvedCredentials.missing,
447
- };
448
- if (emitJson) {
449
- console.log(JSON.stringify(result, null, 2));
450
- return;
451
- }
452
- console.log(pc.bold("AIdenID domain verify artifact generated (dry-run)"));
453
- console.log(pc.gray(`Request: ${requestPath}`));
454
- if (resolvedCredentials.missing.length > 0) {
455
- console.log(
456
- pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
457
- );
458
- }
459
- return;
460
- }
461
-
462
- const requiredCredentials = resolveAidenIdCredentials({
463
- apiKey: options.apiKey,
464
- orgId: options.orgId,
465
- projectId: options.projectId || tracked.domain?.projectId,
466
- env: process.env,
467
- requireAll: true,
468
- });
469
- const execution = await verifyDomain({
470
- apiUrl,
471
- apiKey: requiredCredentials.apiKey,
472
- orgId: requiredCredentials.orgId,
473
- projectId: requiredCredentials.projectId,
474
- domainId,
475
- idempotencyKey,
476
- payload,
477
- });
478
- const responsePath = path.join(
479
- artifactsDir,
480
- `response-${encodeURIComponent(domainId)}-${stamp}.json`
481
- );
482
- await writeArtifact(responsePath, {
483
- receivedAt: new Date().toISOString(),
484
- apiUrl,
485
- idempotencyKey,
486
- domainId,
487
- response: execution.response,
488
- });
489
-
490
- const proofResponse = execution.response || {};
491
- const registryUpdate = await recordDomainProofResponse({
492
- outputRoot,
493
- domain: proofResponse.domain || {},
494
- proof: proofResponse,
495
- context: {
496
- source: "domain-verify",
497
- idempotencyKey,
498
- projectId: requiredCredentials.projectId,
499
- },
500
- });
501
- const result = {
502
- command: "ai identity domain verify",
503
- execute: true,
504
- domainId,
505
- apiUrl,
506
- idempotencyKey,
507
- requestPath,
508
- responsePath,
509
- domain: proofResponse.domain || null,
510
- proof: {
511
- proofId: proofResponse.proofId || null,
512
- challengeValue: proofResponse.challengeValue || null,
513
- proofStatus: proofResponse.proofStatus || null,
514
- proofExpiresAt: proofResponse.proofExpiresAt || null,
515
- },
516
- registryPath: registryUpdate.registryPath,
517
- };
518
- if (emitJson) {
519
- console.log(JSON.stringify(result, null, 2));
520
- return;
521
- }
522
- console.log(pc.bold("AIdenID domain verified"));
523
- console.log(pc.gray(`Response: ${responsePath}`));
524
- console.log(
525
- `${String(result.domain?.id || domainId)} | verification=${String(result.domain?.verificationStatus || "UNKNOWN")}`
526
- );
527
- });
528
-
529
- domain
530
- .command("freeze")
531
- .description("Freeze a domain for containment (dry-run by default)")
532
- .argument("<domainId>", "Domain id")
533
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
534
- .option("--output-dir <path>", "Optional artifact output root override")
535
- .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
536
- .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
537
- .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
538
- .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
539
- .option("--reason <text>", "Freeze reason", "incident containment")
540
- .option("--pool-isolated", "Isolate the domain pool", true)
541
- .option("--no-pool-isolated", "Do not isolate the domain pool")
542
- .option("--idempotency-key <key>", "Explicit idempotency key override")
543
- .option("--execute", "Execute live API call")
544
- .option("--json", "Emit machine-readable output")
545
- .action(async (domainId, options, command) => {
546
- const emitJson = shouldEmitJson(options, command);
547
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
548
- const outputRoot = await resolveOutputRoot({
549
- cwd: targetPath,
550
- outputDirOverride: options.outputDir,
551
- env: process.env,
552
- });
553
- const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
554
- const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
555
- const tracked = await getDomainById({ outputRoot, domainId });
556
- const payload = {
557
- reason: String(options.reason || "").trim() || "incident containment",
558
- poolIsolated: Boolean(options.poolIsolated),
559
- };
560
-
561
- const artifactsDir = path.join(outputRoot, "aidenid", "domain-freeze");
562
- const stamp = stableTimestampForFile();
563
- const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(domainId)}-${stamp}.json`);
564
- await writeArtifact(requestPath, {
565
- generatedAt: new Date().toISOString(),
566
- apiUrl,
567
- idempotencyKey,
568
- domainId,
569
- payload,
570
- });
571
-
572
- const resolvedCredentials = resolveAidenIdCredentials({
573
- apiKey: options.apiKey,
574
- orgId: options.orgId,
575
- projectId: options.projectId || tracked.domain?.projectId,
576
- env: process.env,
577
- requireAll: false,
578
- });
579
- if (!options.execute) {
580
- const result = {
581
- command: "ai identity domain freeze",
582
- execute: false,
583
- domainId,
584
- apiUrl,
585
- idempotencyKey,
586
- requestPath,
587
- payload,
588
- credentialsMissing: resolvedCredentials.missing,
589
- };
590
- if (emitJson) {
591
- console.log(JSON.stringify(result, null, 2));
592
- return;
593
- }
594
- console.log(pc.bold("AIdenID domain freeze artifact generated (dry-run)"));
595
- console.log(pc.gray(`Request: ${requestPath}`));
596
- if (resolvedCredentials.missing.length > 0) {
597
- console.log(
598
- pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
599
- );
600
- }
601
- return;
602
- }
603
-
604
- const requiredCredentials = resolveAidenIdCredentials({
605
- apiKey: options.apiKey,
606
- orgId: options.orgId,
607
- projectId: options.projectId || tracked.domain?.projectId,
608
- env: process.env,
609
- requireAll: true,
610
- });
611
- const execution = await freezeDomain({
612
- apiUrl,
613
- apiKey: requiredCredentials.apiKey,
614
- orgId: requiredCredentials.orgId,
615
- projectId: requiredCredentials.projectId,
616
- domainId,
617
- idempotencyKey,
618
- payload,
619
- });
620
- const responsePath = path.join(
621
- artifactsDir,
622
- `response-${encodeURIComponent(domainId)}-${stamp}.json`
623
- );
624
- await writeArtifact(responsePath, {
625
- receivedAt: new Date().toISOString(),
626
- apiUrl,
627
- idempotencyKey,
628
- domainId,
629
- response: execution.response,
630
- });
631
-
632
- const registryUpdate = await recordDomainProofResponse({
633
- outputRoot,
634
- domain: execution.response || {},
635
- proof: {},
636
- context: {
637
- source: "domain-freeze",
638
- idempotencyKey,
639
- projectId: requiredCredentials.projectId,
640
- },
641
- });
642
- const result = {
643
- command: "ai identity domain freeze",
644
- execute: true,
645
- domainId,
646
- apiUrl,
647
- idempotencyKey,
648
- requestPath,
649
- responsePath,
650
- domain: execution.response || null,
651
- registryPath: registryUpdate.registryPath,
652
- };
653
- if (emitJson) {
654
- console.log(JSON.stringify(result, null, 2));
655
- return;
656
- }
657
- console.log(pc.bold("AIdenID domain frozen"));
658
- console.log(pc.gray(`Response: ${responsePath}`));
659
- console.log(
660
- `${String(result.domain?.id || domainId)} | freeze=${String(result.domain?.freezeStatus || "UNKNOWN")}`
661
- );
662
- });
663
-
664
- target
665
- .command("create")
666
- .description("Create a managed target and proof challenge (dry-run by default)")
667
- .argument("<host>", "Target host")
668
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
669
- .option("--output-dir <path>", "Optional artifact output root override")
670
- .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
671
- .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
672
- .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
673
- .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
674
- .option("--domain-id <id>", "Optional domain id")
675
- .option("--allowed-paths <csv>", "Allowed paths", "/")
676
- .option("--allowed-methods <csv>", "Allowed methods", "GET")
677
- .option("--allowed-scenarios <csv>", "Allowed scenarios", "form_boundary_fuzz")
678
- .option("--max-rps <count>", "Maximum requests per second", "5")
679
- .option("--max-concurrency <count>", "Maximum concurrency", "5")
680
- .option("--stop-conditions-json <json>", "JSON object for stop conditions", "{}")
681
- .option("--maintenance-window-json <json>", "JSON object for maintenance window", "{}")
682
- .option("--contact-json <json>", "JSON object for contact metadata", "{}")
683
- .option("--idempotency-key <key>", "Explicit idempotency key override")
684
- .option("--execute", "Execute live API call")
685
- .option("--json", "Emit machine-readable output")
686
- .action(async (host, options, command) => {
687
- const emitJson = shouldEmitJson(options, command);
688
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
689
- const outputRoot = await resolveOutputRoot({
690
- cwd: targetPath,
691
- outputDirOverride: options.outputDir,
692
- env: process.env,
693
- });
694
- const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
695
- const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
696
- const payload = {
697
- host: String(host || "").trim(),
698
- domainId: String(options.domainId || "").trim() || null,
699
- maintenanceWindow: parseJsonObject(options.maintenanceWindowJson, "maintenanceWindowJson"),
700
- contact: parseJsonObject(options.contactJson, "contactJson"),
701
- policy: {
702
- allowedPaths: parseCsvTokens(options.allowedPaths, ["/"]),
703
- allowedMethods: parseCsvTokens(options.allowedMethods, ["GET"]),
704
- allowedScenarios: parseCsvTokens(options.allowedScenarios, ["form_boundary_fuzz"]),
705
- maxRps: parsePositiveInteger(options.maxRps, "maxRps", 5),
706
- maxConcurrency: parsePositiveInteger(options.maxConcurrency, "maxConcurrency", 5),
707
- stopConditions: parseJsonObject(options.stopConditionsJson, "stopConditionsJson"),
708
- },
709
- };
710
- if (!payload.host) {
711
- throw new Error("host is required.");
712
- }
713
-
714
- const artifactsDir = path.join(outputRoot, "aidenid", "target-create");
715
- const stamp = stableTimestampForFile();
716
- const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(payload.host)}-${stamp}.json`);
717
- await writeArtifact(requestPath, {
718
- generatedAt: new Date().toISOString(),
719
- apiUrl,
720
- idempotencyKey,
721
- payload,
722
- });
723
-
724
- const resolvedCredentials = resolveAidenIdCredentials({
725
- apiKey: options.apiKey,
726
- orgId: options.orgId,
727
- projectId: options.projectId,
728
- env: process.env,
729
- requireAll: false,
730
- });
731
- if (!options.execute) {
732
- const result = {
733
- command: "ai identity target create",
734
- execute: false,
735
- apiUrl,
736
- idempotencyKey,
737
- requestPath,
738
- payload,
739
- credentialsMissing: resolvedCredentials.missing,
740
- };
741
- if (emitJson) {
742
- console.log(JSON.stringify(result, null, 2));
743
- return;
744
- }
745
- console.log(pc.bold("AIdenID target create artifact generated (dry-run)"));
746
- console.log(pc.gray(`Request: ${requestPath}`));
747
- if (resolvedCredentials.missing.length > 0) {
748
- console.log(
749
- pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
750
- );
751
- }
752
- return;
753
- }
754
-
755
- const requiredCredentials = resolveAidenIdCredentials({
756
- apiKey: options.apiKey,
757
- orgId: options.orgId,
758
- projectId: options.projectId,
759
- env: process.env,
760
- requireAll: true,
761
- });
762
- const execution = await createTarget({
763
- apiUrl,
764
- apiKey: requiredCredentials.apiKey,
765
- orgId: requiredCredentials.orgId,
766
- projectId: requiredCredentials.projectId,
767
- idempotencyKey,
768
- payload,
769
- });
770
- const responsePath = path.join(
771
- artifactsDir,
772
- `response-${encodeURIComponent(payload.host)}-${stamp}.json`
773
- );
774
- await writeArtifact(responsePath, {
775
- receivedAt: new Date().toISOString(),
776
- apiUrl,
777
- idempotencyKey,
778
- response: execution.response,
779
- });
780
-
781
- const proofResponse = execution.response || {};
782
- const registryUpdate = await recordTargetProofResponse({
783
- outputRoot,
784
- target: proofResponse.target || {},
785
- proof: proofResponse,
786
- context: {
787
- source: "target-create",
788
- idempotencyKey,
789
- projectId: requiredCredentials.projectId,
790
- domainId: payload.domainId,
791
- },
792
- });
793
- const result = {
794
- command: "ai identity target create",
795
- execute: true,
796
- apiUrl,
797
- idempotencyKey,
798
- requestPath,
799
- responsePath,
800
- target: proofResponse.target || null,
801
- proof: {
802
- proofId: proofResponse.proofId || null,
803
- challengeValue: proofResponse.challengeValue || null,
804
- proofStatus: proofResponse.proofStatus || null,
805
- proofExpiresAt: proofResponse.proofExpiresAt || null,
806
- },
807
- registryPath: registryUpdate.registryPath,
808
- };
809
- if (emitJson) {
810
- console.log(JSON.stringify(result, null, 2));
811
- return;
812
- }
813
- console.log(pc.bold("AIdenID target created"));
814
- console.log(pc.gray(`Response: ${responsePath}`));
815
- console.log(`${String(result.target?.id || "unknown-target")} | ${String(result.target?.host || payload.host)}`);
816
- });
817
-
818
- target
819
- .command("verify")
820
- .description("Verify target proof challenge (dry-run by default)")
821
- .argument("<targetId>", "Target id")
822
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
823
- .option("--output-dir <path>", "Optional artifact output root override")
824
- .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
825
- .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
826
- .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
827
- .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
828
- .option("--method <value>", "Verification method", "DNS_TXT")
829
- .option("--challenge-value <value>", "Challenge value override (fallback: local registry)")
830
- .option("--proof-value <value>", "Proof value", "target-txt-proof")
831
- .option("--verification-source <value>", "Verification source", "sentinelayer-cli")
832
- .option("--expires-hours <hours>", "Proof expiration in hours", "24")
833
- .option("--idempotency-key <key>", "Explicit idempotency key override")
834
- .option("--execute", "Execute live API call")
835
- .option("--json", "Emit machine-readable output")
836
- .action(async (targetId, options, command) => {
837
- const emitJson = shouldEmitJson(options, command);
838
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
839
- const outputRoot = await resolveOutputRoot({
840
- cwd: targetPath,
841
- outputDirOverride: options.outputDir,
842
- env: process.env,
843
- });
844
- const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
845
- const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
846
- const tracked = await getTrackedTargetById({ outputRoot, targetId });
847
- const challengeValue =
848
- String(options.challengeValue || "").trim() ||
849
- String(tracked.target?.challengeValue || "").trim() ||
850
- null;
851
- if (!challengeValue) {
852
- throw new Error(
853
- `challengeValue is required. Provide --challenge-value or run target create first for '${targetId}'.`
854
- );
855
- }
856
- const payload = {
857
- method: String(options.method || "DNS_TXT").trim() || "DNS_TXT",
858
- challengeValue,
859
- proofValue: String(options.proofValue || "target-txt-proof").trim() || null,
860
- verificationSource:
861
- String(options.verificationSource || "sentinelayer-cli").trim() || null,
862
- expiresHours: parsePositiveInteger(options.expiresHours, "expiresHours", 24),
863
- };
864
-
865
- const artifactsDir = path.join(outputRoot, "aidenid", "target-verify");
866
- const stamp = stableTimestampForFile();
867
- const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(targetId)}-${stamp}.json`);
868
- await writeArtifact(requestPath, {
869
- generatedAt: new Date().toISOString(),
870
- apiUrl,
871
- idempotencyKey,
872
- targetId,
873
- payload,
874
- });
875
-
876
- const resolvedCredentials = resolveAidenIdCredentials({
877
- apiKey: options.apiKey,
878
- orgId: options.orgId,
879
- projectId: options.projectId || tracked.target?.projectId,
880
- env: process.env,
881
- requireAll: false,
882
- });
883
- if (!options.execute) {
884
- const result = {
885
- command: "ai identity target verify",
886
- execute: false,
887
- targetId,
888
- apiUrl,
889
- idempotencyKey,
890
- requestPath,
891
- payload,
892
- credentialsMissing: resolvedCredentials.missing,
893
- };
894
- if (emitJson) {
895
- console.log(JSON.stringify(result, null, 2));
896
- return;
897
- }
898
- console.log(pc.bold("AIdenID target verify artifact generated (dry-run)"));
899
- console.log(pc.gray(`Request: ${requestPath}`));
900
- if (resolvedCredentials.missing.length > 0) {
901
- console.log(
902
- pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
903
- );
904
- }
905
- return;
906
- }
907
-
908
- const requiredCredentials = resolveAidenIdCredentials({
909
- apiKey: options.apiKey,
910
- orgId: options.orgId,
911
- projectId: options.projectId || tracked.target?.projectId,
912
- env: process.env,
913
- requireAll: true,
914
- });
915
- const execution = await verifyTarget({
916
- apiUrl,
917
- apiKey: requiredCredentials.apiKey,
918
- orgId: requiredCredentials.orgId,
919
- projectId: requiredCredentials.projectId,
920
- targetId,
921
- idempotencyKey,
922
- payload,
923
- });
924
- const responsePath = path.join(
925
- artifactsDir,
926
- `response-${encodeURIComponent(targetId)}-${stamp}.json`
927
- );
928
- await writeArtifact(responsePath, {
929
- receivedAt: new Date().toISOString(),
930
- apiUrl,
931
- idempotencyKey,
932
- targetId,
933
- response: execution.response,
934
- });
935
-
936
- const proofResponse = execution.response || {};
937
- const registryUpdate = await recordTargetProofResponse({
938
- outputRoot,
939
- target: proofResponse.target || {},
940
- proof: proofResponse,
941
- context: {
942
- source: "target-verify",
943
- idempotencyKey,
944
- projectId: requiredCredentials.projectId,
945
- },
946
- });
947
- const result = {
948
- command: "ai identity target verify",
949
- execute: true,
950
- targetId,
951
- apiUrl,
952
- idempotencyKey,
953
- requestPath,
954
- responsePath,
955
- target: proofResponse.target || null,
956
- proof: {
957
- proofId: proofResponse.proofId || null,
958
- challengeValue: proofResponse.challengeValue || null,
959
- proofStatus: proofResponse.proofStatus || null,
960
- proofExpiresAt: proofResponse.proofExpiresAt || null,
961
- },
962
- registryPath: registryUpdate.registryPath,
963
- };
964
- if (emitJson) {
965
- console.log(JSON.stringify(result, null, 2));
966
- return;
967
- }
968
- console.log(pc.bold("AIdenID target verified"));
969
- console.log(pc.gray(`Response: ${responsePath}`));
970
- console.log(
971
- `${String(result.target?.id || targetId)} | verification=${String(result.target?.verificationStatus || "UNKNOWN")}`
972
- );
973
- });
974
-
975
- target
976
- .command("show")
977
- .description("Show managed target details")
978
- .argument("<targetId>", "Target id")
979
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
980
- .option("--output-dir <path>", "Optional artifact output root override")
981
- .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
982
- .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
983
- .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
984
- .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
985
- .option("--json", "Emit machine-readable output")
986
- .action(async (targetId, options, command) => {
987
- const emitJson = shouldEmitJson(options, command);
988
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
989
- const outputRoot = await resolveOutputRoot({
990
- cwd: targetPath,
991
- outputDirOverride: options.outputDir,
992
- env: process.env,
993
- });
994
- const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
995
- const tracked = await getTrackedTargetById({ outputRoot, targetId });
996
- const credentials = resolveAidenIdCredentials({
997
- apiKey: options.apiKey,
998
- orgId: options.orgId,
999
- projectId: options.projectId || tracked.target?.projectId,
1000
- env: process.env,
1001
- requireAll: true,
1002
- });
1003
-
1004
- const execution = await getTarget({
1005
- apiUrl,
1006
- apiKey: credentials.apiKey,
1007
- orgId: credentials.orgId,
1008
- projectId: credentials.projectId,
1009
- targetId,
1010
- });
1011
- const stamp = stableTimestampForFile();
1012
- const artifactsDir = path.join(outputRoot, "aidenid", "target-show");
1013
- const outputPath = path.join(artifactsDir, `target-${encodeURIComponent(targetId)}-${stamp}.json`);
1014
- await writeArtifact(outputPath, {
1015
- generatedAt: new Date().toISOString(),
1016
- targetId,
1017
- response: execution.response,
1018
- });
1019
-
1020
- const registryUpdate = await recordTargetProofResponse({
1021
- outputRoot,
1022
- target: execution.response || {},
1023
- proof: {},
1024
- context: {
1025
- source: "target-show",
1026
- projectId: credentials.projectId,
1027
- },
1028
- });
1029
- const payload = {
1030
- command: "ai identity target show",
1031
- targetId,
1032
- outputPath,
1033
- target: execution.response,
1034
- registryPath: registryUpdate.registryPath,
1035
- };
1036
- if (emitJson) {
1037
- console.log(JSON.stringify(payload, null, 2));
1038
- return;
1039
- }
1040
-
1041
- console.log(pc.bold("AIdenID target"));
1042
- console.log(pc.gray(`Artifact: ${outputPath}`));
1043
- console.log(
1044
- `${String(execution.response?.id || targetId)} | host=${String(execution.response?.host || "unknown")}`
1045
- );
1046
- console.log(
1047
- `status=${String(execution.response?.status || "UNKNOWN")} verification=${String(
1048
- execution.response?.verificationStatus || "UNKNOWN"
1049
- )}`
1050
- );
1051
- });
1052
-
1053
- site
1054
- .command("create")
1055
- .description("Create an ephemeral callback site linked to an identity (dry-run by default)")
1056
- .argument("<identityId>", "Identity id")
1057
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
1058
- .option("--output-dir <path>", "Optional artifact output root override")
1059
- .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
1060
- .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
1061
- .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
1062
- .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
1063
- .option("--domain-id <id>", "Domain id used for callback host")
1064
- .option("--subdomain-prefix <value>", "Subdomain prefix", "cb")
1065
- .option("--callback-path <value>", "Callback path", "/callback")
1066
- .option("--ttl-hours <hours>", "Site TTL in hours", "24")
1067
- .option("--dns-cleanup-contract-json <json>", "JSON cleanup contract", "{}")
1068
- .option("--metadata-json <json>", "JSON metadata", "{}")
1069
- .option("--idempotency-key <key>", "Explicit idempotency key override")
1070
- .option("--execute", "Execute live API call")
1071
- .option("--json", "Emit machine-readable output")
1072
- .action(async (identityId, options, command) => {
1073
- const emitJson = shouldEmitJson(options, command);
1074
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
1075
- const outputRoot = await resolveOutputRoot({
1076
- cwd: targetPath,
1077
- outputDirOverride: options.outputDir,
1078
- env: process.env,
1079
- });
1080
- const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
1081
- const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
1082
- const ttlHours = parsePositiveInteger(options.ttlHours, "ttlHours", 24);
1083
- const domainId = String(options.domainId || "").trim();
1084
- if (!domainId) {
1085
- throw new Error("domainId is required. Use --domain-id <id>.");
1086
- }
1087
- const trackedIdentity = await getIdentityById({
1088
- outputRoot,
1089
- identityId,
1090
- });
1091
- const payload = {
1092
- identityId,
1093
- domainId,
1094
- subdomainPrefix: String(options.subdomainPrefix || "cb").trim() || "cb",
1095
- callbackPath: String(options.callbackPath || "/callback").trim() || "/callback",
1096
- ttlHours,
1097
- dnsCleanupContract: parseJsonObject(options.dnsCleanupContractJson, "dnsCleanupContractJson"),
1098
- metadata: parseJsonObject(options.metadataJson, "metadataJson"),
1099
- };
1100
-
1101
- const artifactsDir = path.join(outputRoot, "aidenid", "site-create");
1102
- const stamp = stableTimestampForFile();
1103
- const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(identityId)}-${stamp}.json`);
1104
- await writeArtifact(requestPath, {
1105
- generatedAt: new Date().toISOString(),
1106
- apiUrl,
1107
- idempotencyKey,
1108
- payload,
1109
- });
1110
-
1111
- const resolvedCredentials = resolveAidenIdCredentials({
1112
- apiKey: options.apiKey,
1113
- orgId: options.orgId || trackedIdentity.identity?.orgId,
1114
- projectId: options.projectId || trackedIdentity.identity?.projectId,
1115
- env: process.env,
1116
- requireAll: false,
1117
- });
1118
- if (!options.execute) {
1119
- const result = {
1120
- command: "ai identity site create",
1121
- execute: false,
1122
- identityId,
1123
- apiUrl,
1124
- idempotencyKey,
1125
- requestPath,
1126
- payload,
1127
- credentialsMissing: resolvedCredentials.missing,
1128
- };
1129
- if (emitJson) {
1130
- console.log(JSON.stringify(result, null, 2));
1131
- return;
1132
- }
1133
- console.log(pc.bold("AIdenID site create artifact generated (dry-run)"));
1134
- console.log(pc.gray(`Request: ${requestPath}`));
1135
- if (resolvedCredentials.missing.length > 0) {
1136
- console.log(
1137
- pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
1138
- );
1139
- }
1140
- return;
1141
- }
1142
-
1143
- const requiredCredentials = resolveAidenIdCredentials({
1144
- apiKey: options.apiKey,
1145
- orgId: options.orgId || trackedIdentity.identity?.orgId,
1146
- projectId: options.projectId || trackedIdentity.identity?.projectId,
1147
- env: process.env,
1148
- requireAll: true,
1149
- });
1150
- const execution = await createTemporarySite({
1151
- apiUrl,
1152
- apiKey: requiredCredentials.apiKey,
1153
- orgId: requiredCredentials.orgId,
1154
- projectId: requiredCredentials.projectId,
1155
- idempotencyKey,
1156
- payload,
1157
- });
1158
- const responsePath = path.join(
1159
- artifactsDir,
1160
- `response-${encodeURIComponent(identityId)}-${stamp}.json`
1161
- );
1162
- await writeArtifact(responsePath, {
1163
- receivedAt: new Date().toISOString(),
1164
- apiUrl,
1165
- idempotencyKey,
1166
- response: execution.response,
1167
- });
1168
-
1169
- const registryUpdate = await recordTemporarySite({
1170
- outputRoot,
1171
- site: execution.response || {},
1172
- context: {
1173
- source: "site-create",
1174
- idempotencyKey,
1175
- identityId,
1176
- domainId,
1177
- projectId: requiredCredentials.projectId,
1178
- },
1179
- });
1180
- const result = {
1181
- command: "ai identity site create",
1182
- execute: true,
1183
- identityId,
1184
- apiUrl,
1185
- idempotencyKey,
1186
- requestPath,
1187
- responsePath,
1188
- site: execution.response || null,
1189
- registryPath: registryUpdate.registryPath,
1190
- };
1191
- if (emitJson) {
1192
- console.log(JSON.stringify(result, null, 2));
1193
- return;
1194
- }
1195
- console.log(pc.bold("AIdenID temporary site created"));
1196
- console.log(pc.gray(`Response: ${responsePath}`));
1197
- console.log(
1198
- `${String(result.site?.id || "unknown-site")} | ${String(result.site?.callbackUrl || result.site?.host || "unknown-host")}`
1199
- );
1200
- });
1201
-
1202
- site
1203
- .command("list")
1204
- .description("List locally tracked temporary callback sites")
1205
- .option("--path <path>", "Workspace path for artifact/config resolution", ".")
1206
- .option("--output-dir <path>", "Optional artifact output root override")
1207
- .option("--identity-id <id>", "Optional identity filter")
1208
- .option("--json", "Emit machine-readable output")
1209
- .action(async (options, command) => {
1210
- const emitJson = shouldEmitJson(options, command);
1211
- const targetPath = path.resolve(process.cwd(), String(options.path || "."));
1212
- const outputRoot = await resolveOutputRoot({
1213
- cwd: targetPath,
1214
- outputDirOverride: options.outputDir,
1215
- env: process.env,
1216
- });
1217
- const listing = await listSites({
1218
- outputRoot,
1219
- identityId: options.identityId,
1220
- });
1221
- const payload = {
1222
- command: "ai identity site list",
1223
- registryPath: listing.registryPath,
1224
- count: listing.sites.length,
1225
- sites: listing.sites,
1226
- };
1227
- if (emitJson) {
1228
- console.log(JSON.stringify(payload, null, 2));
1229
- return;
1230
- }
1231
-
1232
- console.log(pc.bold("AIdenID temporary sites"));
1233
- console.log(pc.gray(`Registry: ${listing.registryPath}`));
1234
- if (listing.sites.length === 0) {
1235
- console.log(pc.gray("No tracked temporary sites."));
1236
- return;
1237
- }
1238
- for (const item of listing.sites) {
1239
- console.log(
1240
- `- ${item.siteId} | ${item.identityId || "unknown-identity"} | ${item.status} | ${item.callbackUrl || item.host || "unknown-host"}`
1241
- );
1242
- }
1243
- });
1244
-
1245
- return { identity, legalHold };
1246
- }
1
+ import path from "node:path";
2
+ import process from "node:process";
3
+
4
+ import pc from "picocolors";
5
+
6
+ import {
7
+ buildProvisionEmailPayload,
8
+ createDomain,
9
+ createTemporarySite,
10
+ createTarget,
11
+ freezeDomain,
12
+ getTarget,
13
+ normalizeAidenIdApiUrl,
14
+ provisionEmailIdentity,
15
+ resolveAidenIdCredentials,
16
+ verifyDomain,
17
+ verifyTarget,
18
+ } from "../../ai/aidenid.js";
19
+ import {
20
+ getDomainById,
21
+ getTargetById as getTrackedTargetById,
22
+ recordDomainProofResponse,
23
+ recordTargetProofResponse,
24
+ } from "../../ai/domain-target-store.js";
25
+ import { listSites, recordTemporarySite } from "../../ai/site-store.js";
26
+ import { getIdentityById, recordProvisionedIdentity } from "../../ai/identity-store.js";
27
+ import { resolveOutputRoot } from "../../config/service.js";
28
+ import { readStoredSession } from "../../auth/session-store.js";
29
+ import { fetchAidenIdCredentials } from "../../auth/service.js";
30
+ import {
31
+ buildCurlPreview,
32
+ normalizeIdempotencyKey,
33
+ parseCsvTokens,
34
+ parseJsonObject,
35
+ parsePositiveInteger,
36
+ shouldEmitJson,
37
+ stableTimestampForFile,
38
+ writeArtifact,
39
+ } from "./shared.js";
40
+
41
+ function addProvisionEmailOptions(cmd) {
42
+ return cmd
43
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
44
+ .option("--output-dir <path>", "Optional artifact output root override")
45
+ .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
46
+ .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
47
+ .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
48
+ .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
49
+ .option("--alias-template <value>", "Optional alias template")
50
+ .option("--ttl-hours <hours>", "Identity TTL in hours", "24")
51
+ .option("--tags <csv>", "Comma-separated tags")
52
+ .option("--domain-pool-id <id>", "Optional domain pool id")
53
+ .option("--receive-mode <mode>", "Identity receive mode", "EDGE_ACCEPT")
54
+ .option("--extraction-types <csv>", "Comma-separated extraction types", "otp,link")
55
+ .option("--allow-webhooks", "Allow webhook delivery", true)
56
+ .option("--no-allow-webhooks", "Disable webhook delivery")
57
+ .option("--idempotency-key <key>", "Explicit idempotency key override")
58
+ .option("--execute", "Execute live API call (default is dry-run artifact generation)")
59
+ .option("--json", "Emit machine-readable output");
60
+ }
61
+
62
+ async function provisionEmailAction(options, command) {
63
+ const emitJson = shouldEmitJson(options, command);
64
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
65
+ const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
66
+ const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
67
+ const ttlHours = parsePositiveInteger(options.ttlHours, "ttlHours", 24);
68
+
69
+ const payload = buildProvisionEmailPayload({
70
+ aliasTemplate: options.aliasTemplate,
71
+ ttlHours,
72
+ tags: options.tags,
73
+ domainPoolId: options.domainPoolId,
74
+ receiveMode: options.receiveMode,
75
+ allowWebhooks: Boolean(options.allowWebhooks),
76
+ extractionTypes: options.extractionTypes,
77
+ });
78
+
79
+ const outputRoot = await resolveOutputRoot({
80
+ cwd: targetPath,
81
+ outputDirOverride: options.outputDir,
82
+ env: process.env,
83
+ });
84
+ const artifactsDir = path.join(outputRoot, "aidenid", "provision-email");
85
+ const stamp = stableTimestampForFile();
86
+ const requestPath = path.join(artifactsDir, `request-${stamp}.json`);
87
+
88
+ await writeArtifact(requestPath, {
89
+ generatedAt: new Date().toISOString(),
90
+ apiUrl,
91
+ idempotencyKey,
92
+ payload,
93
+ });
94
+
95
+ let session = null;
96
+ try { session = await readStoredSession(); } catch { /* no session */ }
97
+
98
+ const makeFetcher = () => {
99
+ if (!session || !session.token) return null;
100
+ return () => fetchAidenIdCredentials({ apiUrl: session.apiUrl, token: session.token });
101
+ };
102
+
103
+ const resolvedCredentials = await resolveAidenIdCredentials({
104
+ apiKey: options.apiKey,
105
+ orgId: options.orgId,
106
+ projectId: options.projectId,
107
+ env: process.env,
108
+ requireAll: false,
109
+ session,
110
+ fetchCredentials: makeFetcher(),
111
+ });
112
+
113
+ if (!options.execute) {
114
+ const result = {
115
+ command: "ai provision-email",
116
+ execute: false,
117
+ apiUrl,
118
+ idempotencyKey,
119
+ requestPath,
120
+ credentialsMissing: resolvedCredentials.missing,
121
+ curlPreview: buildCurlPreview({
122
+ apiUrl,
123
+ idempotencyKey,
124
+ requestPath,
125
+ }),
126
+ };
127
+
128
+ if (emitJson) {
129
+ console.log(JSON.stringify(result, null, 2));
130
+ return;
131
+ }
132
+
133
+ console.log(pc.bold("AIdenID provision request artifact created (dry-run)"));
134
+ console.log(pc.gray(`Request: ${requestPath}`));
135
+ console.log(pc.gray(`API: ${apiUrl}`));
136
+ console.log(pc.gray(`Idempotency-Key: ${idempotencyKey}`));
137
+ if (resolvedCredentials.missing.length > 0) {
138
+ console.log(
139
+ pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
140
+ );
141
+ }
142
+ console.log(pc.gray("Execute preview:"));
143
+ console.log(result.curlPreview);
144
+ return;
145
+ }
146
+
147
+ const requiredCredentials = await resolveAidenIdCredentials({
148
+ apiKey: options.apiKey,
149
+ orgId: options.orgId,
150
+ projectId: options.projectId,
151
+ env: process.env,
152
+ requireAll: true,
153
+ session,
154
+ fetchCredentials: makeFetcher(),
155
+ });
156
+
157
+ const execution = await provisionEmailIdentity({
158
+ apiUrl,
159
+ apiKey: requiredCredentials.apiKey,
160
+ orgId: requiredCredentials.orgId,
161
+ projectId: requiredCredentials.projectId,
162
+ idempotencyKey,
163
+ payload,
164
+ });
165
+
166
+ const responsePath = path.join(artifactsDir, `response-${stamp}.json`);
167
+ await writeArtifact(responsePath, {
168
+ receivedAt: new Date().toISOString(),
169
+ apiUrl,
170
+ idempotencyKey,
171
+ response: execution.response,
172
+ });
173
+
174
+ const responseIdentity = execution.response || {};
175
+ const registryUpdate = await recordProvisionedIdentity({
176
+ outputRoot,
177
+ response: execution.response || {},
178
+ context: {
179
+ apiUrl,
180
+ orgId: requiredCredentials.orgId,
181
+ projectId: requiredCredentials.projectId,
182
+ idempotencyKey,
183
+ tags: payload.tags,
184
+ },
185
+ });
186
+ const result = {
187
+ command: "ai provision-email",
188
+ execute: true,
189
+ apiUrl,
190
+ idempotencyKey,
191
+ requestPath,
192
+ responsePath,
193
+ identity: {
194
+ id: String(responseIdentity.id || "").trim() || null,
195
+ emailAddress: String(responseIdentity.emailAddress || "").trim() || null,
196
+ status: String(responseIdentity.status || "").trim() || null,
197
+ expiresAt: responseIdentity.expiresAt || null,
198
+ projectId: responseIdentity.projectId || null,
199
+ },
200
+ response: execution.response,
201
+ identityRegistryPath: registryUpdate.registryPath,
202
+ };
203
+
204
+ if (emitJson) {
205
+ console.log(JSON.stringify(result, null, 2));
206
+ return;
207
+ }
208
+
209
+ console.log(pc.bold("AIdenID identity provisioned"));
210
+ console.log(pc.gray(`Request: ${requestPath}`));
211
+ console.log(pc.gray(`Response: ${responsePath}`));
212
+ if (result.identity.id || result.identity.emailAddress) {
213
+ console.log(
214
+ pc.green(
215
+ `${result.identity.id || "unknown-id"} | ${result.identity.emailAddress || "unknown-email"} | ${
216
+ result.identity.status || "unknown-status"
217
+ }`
218
+ )
219
+ );
220
+ }
221
+ }
222
+
223
+ export function registerAiProvisionAndGovernanceCommands(ai) {
224
+ addProvisionEmailOptions(
225
+ ai.command("provision-email")
226
+ .alias("provision")
227
+ .description("Provision an AIdenID identity payload (dry-run by default, optional live execute)")
228
+ ).action(provisionEmailAction);
229
+
230
+ const identity = ai.command("identity").description("AIdenID identity lifecycle commands");
231
+
232
+ addProvisionEmailOptions(
233
+ identity.command("provision")
234
+ .description("Provision an AIdenID identity (alias for 'sl ai provision-email')")
235
+ ).action(provisionEmailAction);
236
+ const domain = identity.command("domain").description("AIdenID domain governance commands");
237
+ const target = identity.command("target").description("AIdenID target governance commands");
238
+ const site = identity.command("site").description("AIdenID temporary callback domain commands");
239
+ const legalHold = identity.command("legal-hold").description("Identity legal-hold controls");
240
+
241
+ domain
242
+ .command("create")
243
+ .description("Create a domain registration and proof challenge (dry-run by default)")
244
+ .argument("<domainName>", "Domain hostname")
245
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
246
+ .option("--output-dir <path>", "Optional artifact output root override")
247
+ .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
248
+ .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
249
+ .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
250
+ .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
251
+ .option("--trust-class <value>", "Domain trust class", "BYOD")
252
+ .option("--verification-method <value>", "Domain verification method", "DNS_TXT")
253
+ .option("--challenge-value <value>", "Explicit challenge value override")
254
+ .option("--proof-ttl-hours <hours>", "Proof TTL hours", "24")
255
+ .option("--idempotency-key <key>", "Explicit idempotency key override")
256
+ .option("--execute", "Execute live API call")
257
+ .option("--json", "Emit machine-readable output")
258
+ .action(async (domainName, options, command) => {
259
+ const emitJson = shouldEmitJson(options, command);
260
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
261
+ const outputRoot = await resolveOutputRoot({
262
+ cwd: targetPath,
263
+ outputDirOverride: options.outputDir,
264
+ env: process.env,
265
+ });
266
+ const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
267
+ const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
268
+ const proofTtlHours = parsePositiveInteger(options.proofTtlHours, "proofTtlHours", 24);
269
+ const payload = {
270
+ domainName: String(domainName || "").trim(),
271
+ trustClass: String(options.trustClass || "BYOD").trim() || "BYOD",
272
+ verificationMethod:
273
+ String(options.verificationMethod || "DNS_TXT").trim() || "DNS_TXT",
274
+ challengeValue: String(options.challengeValue || "").trim() || null,
275
+ proofTtlHours,
276
+ };
277
+ if (!payload.domainName) {
278
+ throw new Error("domainName is required.");
279
+ }
280
+
281
+ const artifactsDir = path.join(outputRoot, "aidenid", "domain-create");
282
+ const stamp = stableTimestampForFile();
283
+ const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(payload.domainName)}-${stamp}.json`);
284
+ await writeArtifact(requestPath, {
285
+ generatedAt: new Date().toISOString(),
286
+ apiUrl,
287
+ idempotencyKey,
288
+ payload,
289
+ });
290
+
291
+ const resolvedCredentials = await resolveAidenIdCredentials({
292
+ apiKey: options.apiKey,
293
+ orgId: options.orgId,
294
+ projectId: options.projectId,
295
+ env: process.env,
296
+ requireAll: false,
297
+ });
298
+
299
+ if (!options.execute) {
300
+ const result = {
301
+ command: "ai identity domain create",
302
+ execute: false,
303
+ apiUrl,
304
+ idempotencyKey,
305
+ requestPath,
306
+ payload,
307
+ credentialsMissing: resolvedCredentials.missing,
308
+ curlPreview: [
309
+ `curl -X POST ${apiUrl}/v1/domains \\`,
310
+ ` -H \"Authorization: Bearer $AIDENID_API_KEY\" \\`,
311
+ ` -H \"X-Org-Id: $AIDENID_ORG_ID\" \\`,
312
+ ` -H \"X-Project-Id: $AIDENID_PROJECT_ID\" \\`,
313
+ ` -H \"Idempotency-Key: ${idempotencyKey}\" \\`,
314
+ ` -H \"Content-Type: application/json\" \\`,
315
+ ` --data @${String(requestPath || "").replace(/\\/g, "/")}`,
316
+ ].join("\n"),
317
+ };
318
+ if (emitJson) {
319
+ console.log(JSON.stringify(result, null, 2));
320
+ return;
321
+ }
322
+ console.log(pc.bold("AIdenID domain create artifact generated (dry-run)"));
323
+ console.log(pc.gray(`Request: ${requestPath}`));
324
+ if (resolvedCredentials.missing.length > 0) {
325
+ console.log(
326
+ pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
327
+ );
328
+ }
329
+ console.log(result.curlPreview);
330
+ return;
331
+ }
332
+
333
+ const requiredCredentials = await resolveAidenIdCredentials({
334
+ apiKey: options.apiKey,
335
+ orgId: options.orgId,
336
+ projectId: options.projectId,
337
+ env: process.env,
338
+ requireAll: true,
339
+ });
340
+ const execution = await createDomain({
341
+ apiUrl,
342
+ apiKey: requiredCredentials.apiKey,
343
+ orgId: requiredCredentials.orgId,
344
+ projectId: requiredCredentials.projectId,
345
+ idempotencyKey,
346
+ payload,
347
+ });
348
+ const responsePath = path.join(
349
+ artifactsDir,
350
+ `response-${encodeURIComponent(payload.domainName)}-${stamp}.json`
351
+ );
352
+ await writeArtifact(responsePath, {
353
+ receivedAt: new Date().toISOString(),
354
+ apiUrl,
355
+ idempotencyKey,
356
+ response: execution.response,
357
+ });
358
+
359
+ const proofResponse = execution.response || {};
360
+ const registryUpdate = await recordDomainProofResponse({
361
+ outputRoot,
362
+ domain: proofResponse.domain || {},
363
+ proof: proofResponse,
364
+ context: {
365
+ source: "domain-create",
366
+ idempotencyKey,
367
+ projectId: requiredCredentials.projectId,
368
+ },
369
+ });
370
+ const result = {
371
+ command: "ai identity domain create",
372
+ execute: true,
373
+ apiUrl,
374
+ idempotencyKey,
375
+ requestPath,
376
+ responsePath,
377
+ domain: proofResponse.domain || null,
378
+ proof: {
379
+ proofId: proofResponse.proofId || null,
380
+ challengeValue: proofResponse.challengeValue || null,
381
+ proofStatus: proofResponse.proofStatus || null,
382
+ proofExpiresAt: proofResponse.proofExpiresAt || null,
383
+ },
384
+ registryPath: registryUpdate.registryPath,
385
+ };
386
+ if (emitJson) {
387
+ console.log(JSON.stringify(result, null, 2));
388
+ return;
389
+ }
390
+ console.log(pc.bold("AIdenID domain created"));
391
+ console.log(pc.gray(`Response: ${responsePath}`));
392
+ console.log(
393
+ `${String(result.domain?.id || "unknown-domain")} | ${String(result.domain?.domainName || payload.domainName)}`
394
+ );
395
+ });
396
+
397
+ domain
398
+ .command("verify")
399
+ .description("Verify domain proof challenge (dry-run by default)")
400
+ .argument("<domainId>", "Domain id")
401
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
402
+ .option("--output-dir <path>", "Optional artifact output root override")
403
+ .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
404
+ .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
405
+ .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
406
+ .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
407
+ .option("--method <value>", "Verification method", "DNS_TXT")
408
+ .option("--challenge-value <value>", "Challenge value override (fallback: local registry)")
409
+ .option("--proof-value <value>", "Proof value", "txt-verification-record")
410
+ .option("--verification-source <value>", "Verification source", "sentinelayer-cli")
411
+ .option("--expires-hours <hours>", "Proof expiration in hours", "24")
412
+ .option("--idempotency-key <key>", "Explicit idempotency key override")
413
+ .option("--execute", "Execute live API call")
414
+ .option("--json", "Emit machine-readable output")
415
+ .action(async (domainId, options, command) => {
416
+ const emitJson = shouldEmitJson(options, command);
417
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
418
+ const outputRoot = await resolveOutputRoot({
419
+ cwd: targetPath,
420
+ outputDirOverride: options.outputDir,
421
+ env: process.env,
422
+ });
423
+ const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
424
+ const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
425
+ const tracked = await getDomainById({ outputRoot, domainId });
426
+ const challengeValue =
427
+ String(options.challengeValue || "").trim() ||
428
+ String(tracked.domain?.challengeValue || "").trim() ||
429
+ null;
430
+ if (!challengeValue) {
431
+ throw new Error(
432
+ `challengeValue is required. Provide --challenge-value or run domain create first for '${domainId}'.`
433
+ );
434
+ }
435
+ const payload = {
436
+ method: String(options.method || "DNS_TXT").trim() || "DNS_TXT",
437
+ challengeValue,
438
+ proofValue: String(options.proofValue || "txt-verification-record").trim() || null,
439
+ verificationSource:
440
+ String(options.verificationSource || "sentinelayer-cli").trim() || null,
441
+ expiresHours: parsePositiveInteger(options.expiresHours, "expiresHours", 24),
442
+ };
443
+
444
+ const artifactsDir = path.join(outputRoot, "aidenid", "domain-verify");
445
+ const stamp = stableTimestampForFile();
446
+ const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(domainId)}-${stamp}.json`);
447
+ await writeArtifact(requestPath, {
448
+ generatedAt: new Date().toISOString(),
449
+ apiUrl,
450
+ idempotencyKey,
451
+ domainId,
452
+ payload,
453
+ });
454
+
455
+ const resolvedCredentials = await resolveAidenIdCredentials({
456
+ apiKey: options.apiKey,
457
+ orgId: options.orgId,
458
+ projectId: options.projectId || tracked.domain?.projectId,
459
+ env: process.env,
460
+ requireAll: false,
461
+ });
462
+ if (!options.execute) {
463
+ const result = {
464
+ command: "ai identity domain verify",
465
+ execute: false,
466
+ domainId,
467
+ apiUrl,
468
+ idempotencyKey,
469
+ requestPath,
470
+ payload,
471
+ credentialsMissing: resolvedCredentials.missing,
472
+ };
473
+ if (emitJson) {
474
+ console.log(JSON.stringify(result, null, 2));
475
+ return;
476
+ }
477
+ console.log(pc.bold("AIdenID domain verify artifact generated (dry-run)"));
478
+ console.log(pc.gray(`Request: ${requestPath}`));
479
+ if (resolvedCredentials.missing.length > 0) {
480
+ console.log(
481
+ pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
482
+ );
483
+ }
484
+ return;
485
+ }
486
+
487
+ const requiredCredentials = await resolveAidenIdCredentials({
488
+ apiKey: options.apiKey,
489
+ orgId: options.orgId,
490
+ projectId: options.projectId || tracked.domain?.projectId,
491
+ env: process.env,
492
+ requireAll: true,
493
+ });
494
+ const execution = await verifyDomain({
495
+ apiUrl,
496
+ apiKey: requiredCredentials.apiKey,
497
+ orgId: requiredCredentials.orgId,
498
+ projectId: requiredCredentials.projectId,
499
+ domainId,
500
+ idempotencyKey,
501
+ payload,
502
+ });
503
+ const responsePath = path.join(
504
+ artifactsDir,
505
+ `response-${encodeURIComponent(domainId)}-${stamp}.json`
506
+ );
507
+ await writeArtifact(responsePath, {
508
+ receivedAt: new Date().toISOString(),
509
+ apiUrl,
510
+ idempotencyKey,
511
+ domainId,
512
+ response: execution.response,
513
+ });
514
+
515
+ const proofResponse = execution.response || {};
516
+ const registryUpdate = await recordDomainProofResponse({
517
+ outputRoot,
518
+ domain: proofResponse.domain || {},
519
+ proof: proofResponse,
520
+ context: {
521
+ source: "domain-verify",
522
+ idempotencyKey,
523
+ projectId: requiredCredentials.projectId,
524
+ },
525
+ });
526
+ const result = {
527
+ command: "ai identity domain verify",
528
+ execute: true,
529
+ domainId,
530
+ apiUrl,
531
+ idempotencyKey,
532
+ requestPath,
533
+ responsePath,
534
+ domain: proofResponse.domain || null,
535
+ proof: {
536
+ proofId: proofResponse.proofId || null,
537
+ challengeValue: proofResponse.challengeValue || null,
538
+ proofStatus: proofResponse.proofStatus || null,
539
+ proofExpiresAt: proofResponse.proofExpiresAt || null,
540
+ },
541
+ registryPath: registryUpdate.registryPath,
542
+ };
543
+ if (emitJson) {
544
+ console.log(JSON.stringify(result, null, 2));
545
+ return;
546
+ }
547
+ console.log(pc.bold("AIdenID domain verified"));
548
+ console.log(pc.gray(`Response: ${responsePath}`));
549
+ console.log(
550
+ `${String(result.domain?.id || domainId)} | verification=${String(result.domain?.verificationStatus || "UNKNOWN")}`
551
+ );
552
+ });
553
+
554
+ domain
555
+ .command("freeze")
556
+ .description("Freeze a domain for containment (dry-run by default)")
557
+ .argument("<domainId>", "Domain id")
558
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
559
+ .option("--output-dir <path>", "Optional artifact output root override")
560
+ .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
561
+ .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
562
+ .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
563
+ .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
564
+ .option("--reason <text>", "Freeze reason", "incident containment")
565
+ .option("--pool-isolated", "Isolate the domain pool", true)
566
+ .option("--no-pool-isolated", "Do not isolate the domain pool")
567
+ .option("--idempotency-key <key>", "Explicit idempotency key override")
568
+ .option("--execute", "Execute live API call")
569
+ .option("--json", "Emit machine-readable output")
570
+ .action(async (domainId, options, command) => {
571
+ const emitJson = shouldEmitJson(options, command);
572
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
573
+ const outputRoot = await resolveOutputRoot({
574
+ cwd: targetPath,
575
+ outputDirOverride: options.outputDir,
576
+ env: process.env,
577
+ });
578
+ const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
579
+ const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
580
+ const tracked = await getDomainById({ outputRoot, domainId });
581
+ const payload = {
582
+ reason: String(options.reason || "").trim() || "incident containment",
583
+ poolIsolated: Boolean(options.poolIsolated),
584
+ };
585
+
586
+ const artifactsDir = path.join(outputRoot, "aidenid", "domain-freeze");
587
+ const stamp = stableTimestampForFile();
588
+ const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(domainId)}-${stamp}.json`);
589
+ await writeArtifact(requestPath, {
590
+ generatedAt: new Date().toISOString(),
591
+ apiUrl,
592
+ idempotencyKey,
593
+ domainId,
594
+ payload,
595
+ });
596
+
597
+ const resolvedCredentials = await resolveAidenIdCredentials({
598
+ apiKey: options.apiKey,
599
+ orgId: options.orgId,
600
+ projectId: options.projectId || tracked.domain?.projectId,
601
+ env: process.env,
602
+ requireAll: false,
603
+ });
604
+ if (!options.execute) {
605
+ const result = {
606
+ command: "ai identity domain freeze",
607
+ execute: false,
608
+ domainId,
609
+ apiUrl,
610
+ idempotencyKey,
611
+ requestPath,
612
+ payload,
613
+ credentialsMissing: resolvedCredentials.missing,
614
+ };
615
+ if (emitJson) {
616
+ console.log(JSON.stringify(result, null, 2));
617
+ return;
618
+ }
619
+ console.log(pc.bold("AIdenID domain freeze artifact generated (dry-run)"));
620
+ console.log(pc.gray(`Request: ${requestPath}`));
621
+ if (resolvedCredentials.missing.length > 0) {
622
+ console.log(
623
+ pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
624
+ );
625
+ }
626
+ return;
627
+ }
628
+
629
+ const requiredCredentials = await resolveAidenIdCredentials({
630
+ apiKey: options.apiKey,
631
+ orgId: options.orgId,
632
+ projectId: options.projectId || tracked.domain?.projectId,
633
+ env: process.env,
634
+ requireAll: true,
635
+ });
636
+ const execution = await freezeDomain({
637
+ apiUrl,
638
+ apiKey: requiredCredentials.apiKey,
639
+ orgId: requiredCredentials.orgId,
640
+ projectId: requiredCredentials.projectId,
641
+ domainId,
642
+ idempotencyKey,
643
+ payload,
644
+ });
645
+ const responsePath = path.join(
646
+ artifactsDir,
647
+ `response-${encodeURIComponent(domainId)}-${stamp}.json`
648
+ );
649
+ await writeArtifact(responsePath, {
650
+ receivedAt: new Date().toISOString(),
651
+ apiUrl,
652
+ idempotencyKey,
653
+ domainId,
654
+ response: execution.response,
655
+ });
656
+
657
+ const registryUpdate = await recordDomainProofResponse({
658
+ outputRoot,
659
+ domain: execution.response || {},
660
+ proof: {},
661
+ context: {
662
+ source: "domain-freeze",
663
+ idempotencyKey,
664
+ projectId: requiredCredentials.projectId,
665
+ },
666
+ });
667
+ const result = {
668
+ command: "ai identity domain freeze",
669
+ execute: true,
670
+ domainId,
671
+ apiUrl,
672
+ idempotencyKey,
673
+ requestPath,
674
+ responsePath,
675
+ domain: execution.response || null,
676
+ registryPath: registryUpdate.registryPath,
677
+ };
678
+ if (emitJson) {
679
+ console.log(JSON.stringify(result, null, 2));
680
+ return;
681
+ }
682
+ console.log(pc.bold("AIdenID domain frozen"));
683
+ console.log(pc.gray(`Response: ${responsePath}`));
684
+ console.log(
685
+ `${String(result.domain?.id || domainId)} | freeze=${String(result.domain?.freezeStatus || "UNKNOWN")}`
686
+ );
687
+ });
688
+
689
+ target
690
+ .command("create")
691
+ .description("Create a managed target and proof challenge (dry-run by default)")
692
+ .argument("<host>", "Target host")
693
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
694
+ .option("--output-dir <path>", "Optional artifact output root override")
695
+ .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
696
+ .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
697
+ .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
698
+ .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
699
+ .option("--domain-id <id>", "Optional domain id")
700
+ .option("--allowed-paths <csv>", "Allowed paths", "/")
701
+ .option("--allowed-methods <csv>", "Allowed methods", "GET")
702
+ .option("--allowed-scenarios <csv>", "Allowed scenarios", "form_boundary_fuzz")
703
+ .option("--max-rps <count>", "Maximum requests per second", "5")
704
+ .option("--max-concurrency <count>", "Maximum concurrency", "5")
705
+ .option("--stop-conditions-json <json>", "JSON object for stop conditions", "{}")
706
+ .option("--maintenance-window-json <json>", "JSON object for maintenance window", "{}")
707
+ .option("--contact-json <json>", "JSON object for contact metadata", "{}")
708
+ .option("--idempotency-key <key>", "Explicit idempotency key override")
709
+ .option("--execute", "Execute live API call")
710
+ .option("--json", "Emit machine-readable output")
711
+ .action(async (host, options, command) => {
712
+ const emitJson = shouldEmitJson(options, command);
713
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
714
+ const outputRoot = await resolveOutputRoot({
715
+ cwd: targetPath,
716
+ outputDirOverride: options.outputDir,
717
+ env: process.env,
718
+ });
719
+ const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
720
+ const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
721
+ const payload = {
722
+ host: String(host || "").trim(),
723
+ domainId: String(options.domainId || "").trim() || null,
724
+ maintenanceWindow: parseJsonObject(options.maintenanceWindowJson, "maintenanceWindowJson"),
725
+ contact: parseJsonObject(options.contactJson, "contactJson"),
726
+ policy: {
727
+ allowedPaths: parseCsvTokens(options.allowedPaths, ["/"]),
728
+ allowedMethods: parseCsvTokens(options.allowedMethods, ["GET"]),
729
+ allowedScenarios: parseCsvTokens(options.allowedScenarios, ["form_boundary_fuzz"]),
730
+ maxRps: parsePositiveInteger(options.maxRps, "maxRps", 5),
731
+ maxConcurrency: parsePositiveInteger(options.maxConcurrency, "maxConcurrency", 5),
732
+ stopConditions: parseJsonObject(options.stopConditionsJson, "stopConditionsJson"),
733
+ },
734
+ };
735
+ if (!payload.host) {
736
+ throw new Error("host is required.");
737
+ }
738
+
739
+ const artifactsDir = path.join(outputRoot, "aidenid", "target-create");
740
+ const stamp = stableTimestampForFile();
741
+ const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(payload.host)}-${stamp}.json`);
742
+ await writeArtifact(requestPath, {
743
+ generatedAt: new Date().toISOString(),
744
+ apiUrl,
745
+ idempotencyKey,
746
+ payload,
747
+ });
748
+
749
+ const resolvedCredentials = await resolveAidenIdCredentials({
750
+ apiKey: options.apiKey,
751
+ orgId: options.orgId,
752
+ projectId: options.projectId,
753
+ env: process.env,
754
+ requireAll: false,
755
+ });
756
+ if (!options.execute) {
757
+ const result = {
758
+ command: "ai identity target create",
759
+ execute: false,
760
+ apiUrl,
761
+ idempotencyKey,
762
+ requestPath,
763
+ payload,
764
+ credentialsMissing: resolvedCredentials.missing,
765
+ };
766
+ if (emitJson) {
767
+ console.log(JSON.stringify(result, null, 2));
768
+ return;
769
+ }
770
+ console.log(pc.bold("AIdenID target create artifact generated (dry-run)"));
771
+ console.log(pc.gray(`Request: ${requestPath}`));
772
+ if (resolvedCredentials.missing.length > 0) {
773
+ console.log(
774
+ pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
775
+ );
776
+ }
777
+ return;
778
+ }
779
+
780
+ const requiredCredentials = await resolveAidenIdCredentials({
781
+ apiKey: options.apiKey,
782
+ orgId: options.orgId,
783
+ projectId: options.projectId,
784
+ env: process.env,
785
+ requireAll: true,
786
+ });
787
+ const execution = await createTarget({
788
+ apiUrl,
789
+ apiKey: requiredCredentials.apiKey,
790
+ orgId: requiredCredentials.orgId,
791
+ projectId: requiredCredentials.projectId,
792
+ idempotencyKey,
793
+ payload,
794
+ });
795
+ const responsePath = path.join(
796
+ artifactsDir,
797
+ `response-${encodeURIComponent(payload.host)}-${stamp}.json`
798
+ );
799
+ await writeArtifact(responsePath, {
800
+ receivedAt: new Date().toISOString(),
801
+ apiUrl,
802
+ idempotencyKey,
803
+ response: execution.response,
804
+ });
805
+
806
+ const proofResponse = execution.response || {};
807
+ const registryUpdate = await recordTargetProofResponse({
808
+ outputRoot,
809
+ target: proofResponse.target || {},
810
+ proof: proofResponse,
811
+ context: {
812
+ source: "target-create",
813
+ idempotencyKey,
814
+ projectId: requiredCredentials.projectId,
815
+ domainId: payload.domainId,
816
+ },
817
+ });
818
+ const result = {
819
+ command: "ai identity target create",
820
+ execute: true,
821
+ apiUrl,
822
+ idempotencyKey,
823
+ requestPath,
824
+ responsePath,
825
+ target: proofResponse.target || null,
826
+ proof: {
827
+ proofId: proofResponse.proofId || null,
828
+ challengeValue: proofResponse.challengeValue || null,
829
+ proofStatus: proofResponse.proofStatus || null,
830
+ proofExpiresAt: proofResponse.proofExpiresAt || null,
831
+ },
832
+ registryPath: registryUpdate.registryPath,
833
+ };
834
+ if (emitJson) {
835
+ console.log(JSON.stringify(result, null, 2));
836
+ return;
837
+ }
838
+ console.log(pc.bold("AIdenID target created"));
839
+ console.log(pc.gray(`Response: ${responsePath}`));
840
+ console.log(`${String(result.target?.id || "unknown-target")} | ${String(result.target?.host || payload.host)}`);
841
+ });
842
+
843
+ target
844
+ .command("verify")
845
+ .description("Verify target proof challenge (dry-run by default)")
846
+ .argument("<targetId>", "Target id")
847
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
848
+ .option("--output-dir <path>", "Optional artifact output root override")
849
+ .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
850
+ .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
851
+ .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
852
+ .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
853
+ .option("--method <value>", "Verification method", "DNS_TXT")
854
+ .option("--challenge-value <value>", "Challenge value override (fallback: local registry)")
855
+ .option("--proof-value <value>", "Proof value", "target-txt-proof")
856
+ .option("--verification-source <value>", "Verification source", "sentinelayer-cli")
857
+ .option("--expires-hours <hours>", "Proof expiration in hours", "24")
858
+ .option("--idempotency-key <key>", "Explicit idempotency key override")
859
+ .option("--execute", "Execute live API call")
860
+ .option("--json", "Emit machine-readable output")
861
+ .action(async (targetId, options, command) => {
862
+ const emitJson = shouldEmitJson(options, command);
863
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
864
+ const outputRoot = await resolveOutputRoot({
865
+ cwd: targetPath,
866
+ outputDirOverride: options.outputDir,
867
+ env: process.env,
868
+ });
869
+ const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
870
+ const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
871
+ const tracked = await getTrackedTargetById({ outputRoot, targetId });
872
+ const challengeValue =
873
+ String(options.challengeValue || "").trim() ||
874
+ String(tracked.target?.challengeValue || "").trim() ||
875
+ null;
876
+ if (!challengeValue) {
877
+ throw new Error(
878
+ `challengeValue is required. Provide --challenge-value or run target create first for '${targetId}'.`
879
+ );
880
+ }
881
+ const payload = {
882
+ method: String(options.method || "DNS_TXT").trim() || "DNS_TXT",
883
+ challengeValue,
884
+ proofValue: String(options.proofValue || "target-txt-proof").trim() || null,
885
+ verificationSource:
886
+ String(options.verificationSource || "sentinelayer-cli").trim() || null,
887
+ expiresHours: parsePositiveInteger(options.expiresHours, "expiresHours", 24),
888
+ };
889
+
890
+ const artifactsDir = path.join(outputRoot, "aidenid", "target-verify");
891
+ const stamp = stableTimestampForFile();
892
+ const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(targetId)}-${stamp}.json`);
893
+ await writeArtifact(requestPath, {
894
+ generatedAt: new Date().toISOString(),
895
+ apiUrl,
896
+ idempotencyKey,
897
+ targetId,
898
+ payload,
899
+ });
900
+
901
+ const resolvedCredentials = await resolveAidenIdCredentials({
902
+ apiKey: options.apiKey,
903
+ orgId: options.orgId,
904
+ projectId: options.projectId || tracked.target?.projectId,
905
+ env: process.env,
906
+ requireAll: false,
907
+ });
908
+ if (!options.execute) {
909
+ const result = {
910
+ command: "ai identity target verify",
911
+ execute: false,
912
+ targetId,
913
+ apiUrl,
914
+ idempotencyKey,
915
+ requestPath,
916
+ payload,
917
+ credentialsMissing: resolvedCredentials.missing,
918
+ };
919
+ if (emitJson) {
920
+ console.log(JSON.stringify(result, null, 2));
921
+ return;
922
+ }
923
+ console.log(pc.bold("AIdenID target verify artifact generated (dry-run)"));
924
+ console.log(pc.gray(`Request: ${requestPath}`));
925
+ if (resolvedCredentials.missing.length > 0) {
926
+ console.log(
927
+ pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
928
+ );
929
+ }
930
+ return;
931
+ }
932
+
933
+ const requiredCredentials = await resolveAidenIdCredentials({
934
+ apiKey: options.apiKey,
935
+ orgId: options.orgId,
936
+ projectId: options.projectId || tracked.target?.projectId,
937
+ env: process.env,
938
+ requireAll: true,
939
+ });
940
+ const execution = await verifyTarget({
941
+ apiUrl,
942
+ apiKey: requiredCredentials.apiKey,
943
+ orgId: requiredCredentials.orgId,
944
+ projectId: requiredCredentials.projectId,
945
+ targetId,
946
+ idempotencyKey,
947
+ payload,
948
+ });
949
+ const responsePath = path.join(
950
+ artifactsDir,
951
+ `response-${encodeURIComponent(targetId)}-${stamp}.json`
952
+ );
953
+ await writeArtifact(responsePath, {
954
+ receivedAt: new Date().toISOString(),
955
+ apiUrl,
956
+ idempotencyKey,
957
+ targetId,
958
+ response: execution.response,
959
+ });
960
+
961
+ const proofResponse = execution.response || {};
962
+ const registryUpdate = await recordTargetProofResponse({
963
+ outputRoot,
964
+ target: proofResponse.target || {},
965
+ proof: proofResponse,
966
+ context: {
967
+ source: "target-verify",
968
+ idempotencyKey,
969
+ projectId: requiredCredentials.projectId,
970
+ },
971
+ });
972
+ const result = {
973
+ command: "ai identity target verify",
974
+ execute: true,
975
+ targetId,
976
+ apiUrl,
977
+ idempotencyKey,
978
+ requestPath,
979
+ responsePath,
980
+ target: proofResponse.target || null,
981
+ proof: {
982
+ proofId: proofResponse.proofId || null,
983
+ challengeValue: proofResponse.challengeValue || null,
984
+ proofStatus: proofResponse.proofStatus || null,
985
+ proofExpiresAt: proofResponse.proofExpiresAt || null,
986
+ },
987
+ registryPath: registryUpdate.registryPath,
988
+ };
989
+ if (emitJson) {
990
+ console.log(JSON.stringify(result, null, 2));
991
+ return;
992
+ }
993
+ console.log(pc.bold("AIdenID target verified"));
994
+ console.log(pc.gray(`Response: ${responsePath}`));
995
+ console.log(
996
+ `${String(result.target?.id || targetId)} | verification=${String(result.target?.verificationStatus || "UNKNOWN")}`
997
+ );
998
+ });
999
+
1000
+ target
1001
+ .command("show")
1002
+ .description("Show managed target details")
1003
+ .argument("<targetId>", "Target id")
1004
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
1005
+ .option("--output-dir <path>", "Optional artifact output root override")
1006
+ .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
1007
+ .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
1008
+ .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
1009
+ .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
1010
+ .option("--json", "Emit machine-readable output")
1011
+ .action(async (targetId, options, command) => {
1012
+ const emitJson = shouldEmitJson(options, command);
1013
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
1014
+ const outputRoot = await resolveOutputRoot({
1015
+ cwd: targetPath,
1016
+ outputDirOverride: options.outputDir,
1017
+ env: process.env,
1018
+ });
1019
+ const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
1020
+ const tracked = await getTrackedTargetById({ outputRoot, targetId });
1021
+ const credentials = await resolveAidenIdCredentials({
1022
+ apiKey: options.apiKey,
1023
+ orgId: options.orgId,
1024
+ projectId: options.projectId || tracked.target?.projectId,
1025
+ env: process.env,
1026
+ requireAll: true,
1027
+ });
1028
+
1029
+ const execution = await getTarget({
1030
+ apiUrl,
1031
+ apiKey: credentials.apiKey,
1032
+ orgId: credentials.orgId,
1033
+ projectId: credentials.projectId,
1034
+ targetId,
1035
+ });
1036
+ const stamp = stableTimestampForFile();
1037
+ const artifactsDir = path.join(outputRoot, "aidenid", "target-show");
1038
+ const outputPath = path.join(artifactsDir, `target-${encodeURIComponent(targetId)}-${stamp}.json`);
1039
+ await writeArtifact(outputPath, {
1040
+ generatedAt: new Date().toISOString(),
1041
+ targetId,
1042
+ response: execution.response,
1043
+ });
1044
+
1045
+ const registryUpdate = await recordTargetProofResponse({
1046
+ outputRoot,
1047
+ target: execution.response || {},
1048
+ proof: {},
1049
+ context: {
1050
+ source: "target-show",
1051
+ projectId: credentials.projectId,
1052
+ },
1053
+ });
1054
+ const payload = {
1055
+ command: "ai identity target show",
1056
+ targetId,
1057
+ outputPath,
1058
+ target: execution.response,
1059
+ registryPath: registryUpdate.registryPath,
1060
+ };
1061
+ if (emitJson) {
1062
+ console.log(JSON.stringify(payload, null, 2));
1063
+ return;
1064
+ }
1065
+
1066
+ console.log(pc.bold("AIdenID target"));
1067
+ console.log(pc.gray(`Artifact: ${outputPath}`));
1068
+ console.log(
1069
+ `${String(execution.response?.id || targetId)} | host=${String(execution.response?.host || "unknown")}`
1070
+ );
1071
+ console.log(
1072
+ `status=${String(execution.response?.status || "UNKNOWN")} verification=${String(
1073
+ execution.response?.verificationStatus || "UNKNOWN"
1074
+ )}`
1075
+ );
1076
+ });
1077
+
1078
+ site
1079
+ .command("create")
1080
+ .description("Create an ephemeral callback site linked to an identity (dry-run by default)")
1081
+ .argument("<identityId>", "Identity id")
1082
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
1083
+ .option("--output-dir <path>", "Optional artifact output root override")
1084
+ .option("--api-url <url>", "AIdenID API base URL", "https://api.aidenid.com")
1085
+ .option("--api-key <key>", "AIdenID API key (or use AIDENID_API_KEY env)")
1086
+ .option("--org-id <id>", "AIdenID org id (or use AIDENID_ORG_ID env)")
1087
+ .option("--project-id <id>", "AIdenID project id (or use AIDENID_PROJECT_ID env)")
1088
+ .option("--domain-id <id>", "Domain id used for callback host")
1089
+ .option("--subdomain-prefix <value>", "Subdomain prefix", "cb")
1090
+ .option("--callback-path <value>", "Callback path", "/callback")
1091
+ .option("--ttl-hours <hours>", "Site TTL in hours", "24")
1092
+ .option("--dns-cleanup-contract-json <json>", "JSON cleanup contract", "{}")
1093
+ .option("--metadata-json <json>", "JSON metadata", "{}")
1094
+ .option("--idempotency-key <key>", "Explicit idempotency key override")
1095
+ .option("--execute", "Execute live API call")
1096
+ .option("--json", "Emit machine-readable output")
1097
+ .action(async (identityId, options, command) => {
1098
+ const emitJson = shouldEmitJson(options, command);
1099
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
1100
+ const outputRoot = await resolveOutputRoot({
1101
+ cwd: targetPath,
1102
+ outputDirOverride: options.outputDir,
1103
+ env: process.env,
1104
+ });
1105
+ const apiUrl = normalizeAidenIdApiUrl(options.apiUrl);
1106
+ const idempotencyKey = normalizeIdempotencyKey(options.idempotencyKey);
1107
+ const ttlHours = parsePositiveInteger(options.ttlHours, "ttlHours", 24);
1108
+ const domainId = String(options.domainId || "").trim();
1109
+ if (!domainId) {
1110
+ throw new Error("domainId is required. Use --domain-id <id>.");
1111
+ }
1112
+ const trackedIdentity = await getIdentityById({
1113
+ outputRoot,
1114
+ identityId,
1115
+ });
1116
+ const payload = {
1117
+ identityId,
1118
+ domainId,
1119
+ subdomainPrefix: String(options.subdomainPrefix || "cb").trim() || "cb",
1120
+ callbackPath: String(options.callbackPath || "/callback").trim() || "/callback",
1121
+ ttlHours,
1122
+ dnsCleanupContract: parseJsonObject(options.dnsCleanupContractJson, "dnsCleanupContractJson"),
1123
+ metadata: parseJsonObject(options.metadataJson, "metadataJson"),
1124
+ };
1125
+
1126
+ const artifactsDir = path.join(outputRoot, "aidenid", "site-create");
1127
+ const stamp = stableTimestampForFile();
1128
+ const requestPath = path.join(artifactsDir, `request-${encodeURIComponent(identityId)}-${stamp}.json`);
1129
+ await writeArtifact(requestPath, {
1130
+ generatedAt: new Date().toISOString(),
1131
+ apiUrl,
1132
+ idempotencyKey,
1133
+ payload,
1134
+ });
1135
+
1136
+ const resolvedCredentials = await resolveAidenIdCredentials({
1137
+ apiKey: options.apiKey,
1138
+ orgId: options.orgId || trackedIdentity.identity?.orgId,
1139
+ projectId: options.projectId || trackedIdentity.identity?.projectId,
1140
+ env: process.env,
1141
+ requireAll: false,
1142
+ });
1143
+ if (!options.execute) {
1144
+ const result = {
1145
+ command: "ai identity site create",
1146
+ execute: false,
1147
+ identityId,
1148
+ apiUrl,
1149
+ idempotencyKey,
1150
+ requestPath,
1151
+ payload,
1152
+ credentialsMissing: resolvedCredentials.missing,
1153
+ };
1154
+ if (emitJson) {
1155
+ console.log(JSON.stringify(result, null, 2));
1156
+ return;
1157
+ }
1158
+ console.log(pc.bold("AIdenID site create artifact generated (dry-run)"));
1159
+ console.log(pc.gray(`Request: ${requestPath}`));
1160
+ if (resolvedCredentials.missing.length > 0) {
1161
+ console.log(
1162
+ pc.yellow(`Missing credentials for live execute: ${resolvedCredentials.missing.join(", ")}`)
1163
+ );
1164
+ }
1165
+ return;
1166
+ }
1167
+
1168
+ const requiredCredentials = await resolveAidenIdCredentials({
1169
+ apiKey: options.apiKey,
1170
+ orgId: options.orgId || trackedIdentity.identity?.orgId,
1171
+ projectId: options.projectId || trackedIdentity.identity?.projectId,
1172
+ env: process.env,
1173
+ requireAll: true,
1174
+ });
1175
+ const execution = await createTemporarySite({
1176
+ apiUrl,
1177
+ apiKey: requiredCredentials.apiKey,
1178
+ orgId: requiredCredentials.orgId,
1179
+ projectId: requiredCredentials.projectId,
1180
+ idempotencyKey,
1181
+ payload,
1182
+ });
1183
+ const responsePath = path.join(
1184
+ artifactsDir,
1185
+ `response-${encodeURIComponent(identityId)}-${stamp}.json`
1186
+ );
1187
+ await writeArtifact(responsePath, {
1188
+ receivedAt: new Date().toISOString(),
1189
+ apiUrl,
1190
+ idempotencyKey,
1191
+ response: execution.response,
1192
+ });
1193
+
1194
+ const registryUpdate = await recordTemporarySite({
1195
+ outputRoot,
1196
+ site: execution.response || {},
1197
+ context: {
1198
+ source: "site-create",
1199
+ idempotencyKey,
1200
+ identityId,
1201
+ domainId,
1202
+ projectId: requiredCredentials.projectId,
1203
+ },
1204
+ });
1205
+ const result = {
1206
+ command: "ai identity site create",
1207
+ execute: true,
1208
+ identityId,
1209
+ apiUrl,
1210
+ idempotencyKey,
1211
+ requestPath,
1212
+ responsePath,
1213
+ site: execution.response || null,
1214
+ registryPath: registryUpdate.registryPath,
1215
+ };
1216
+ if (emitJson) {
1217
+ console.log(JSON.stringify(result, null, 2));
1218
+ return;
1219
+ }
1220
+ console.log(pc.bold("AIdenID temporary site created"));
1221
+ console.log(pc.gray(`Response: ${responsePath}`));
1222
+ console.log(
1223
+ `${String(result.site?.id || "unknown-site")} | ${String(result.site?.callbackUrl || result.site?.host || "unknown-host")}`
1224
+ );
1225
+ });
1226
+
1227
+ site
1228
+ .command("list")
1229
+ .description("List locally tracked temporary callback sites")
1230
+ .option("--path <path>", "Workspace path for artifact/config resolution", ".")
1231
+ .option("--output-dir <path>", "Optional artifact output root override")
1232
+ .option("--identity-id <id>", "Optional identity filter")
1233
+ .option("--json", "Emit machine-readable output")
1234
+ .action(async (options, command) => {
1235
+ const emitJson = shouldEmitJson(options, command);
1236
+ const targetPath = path.resolve(process.cwd(), String(options.path || "."));
1237
+ const outputRoot = await resolveOutputRoot({
1238
+ cwd: targetPath,
1239
+ outputDirOverride: options.outputDir,
1240
+ env: process.env,
1241
+ });
1242
+ const listing = await listSites({
1243
+ outputRoot,
1244
+ identityId: options.identityId,
1245
+ });
1246
+ const payload = {
1247
+ command: "ai identity site list",
1248
+ registryPath: listing.registryPath,
1249
+ count: listing.sites.length,
1250
+ sites: listing.sites,
1251
+ };
1252
+ if (emitJson) {
1253
+ console.log(JSON.stringify(payload, null, 2));
1254
+ return;
1255
+ }
1256
+
1257
+ console.log(pc.bold("AIdenID temporary sites"));
1258
+ console.log(pc.gray(`Registry: ${listing.registryPath}`));
1259
+ if (listing.sites.length === 0) {
1260
+ console.log(pc.gray("No tracked temporary sites."));
1261
+ return;
1262
+ }
1263
+ for (const item of listing.sites) {
1264
+ console.log(
1265
+ `- ${item.siteId} | ${item.identityId || "unknown-identity"} | ${item.status} | ${item.callbackUrl || item.host || "unknown-host"}`
1266
+ );
1267
+ }
1268
+ });
1269
+
1270
+ return { identity, legalHold };
1271
+ }
1272
+