@attest-it/cli 0.0.2 → 0.2.0

package/dist/index.js

@@ -1,16 +1,42 @@
 import { Command } from 'commander';
 import * as fs from 'fs';
 import * as path from 'path';
-import YAML from 'yaml';
-import pc from 'picocolors';
-import { confirm, input, select } from '@inquirer/prompts';
+import { join, dirname } from 'path';
+import { detectTheme } from 'chromaterm';
+import { confirm } from '@inquirer/prompts';
 import { loadConfig, readAttestations, computeFingerprint, findAttestation, createAttestation, upsertAttestation, getDefaultPrivateKeyPath, writeSignedAttestations, checkOpenSSL, getDefaultPublicKeyPath, generateKeyPair, setKeyPermissions, verifyAttestations, toAttestItConfig } from '@attest-it/core';
 import { spawn } from 'child_process';
 import * as os from 'os';
 import { parse } from 'shell-quote';
+import * as React7 from 'react';
+import { render, useApp, Box, Text, useInput } from 'ink';
+import { jsx, jsxs, Fragment } from 'react/jsx-runtime';
+import { readFile, unlink, mkdir, writeFile } from 'fs/promises';
 
 // src/index.ts
 var globalOptions = {};
+var theme;
+async function initTheme() {
+  theme = await detectTheme();
+}
+function getTheme() {
+  if (!theme) {
+    const noopFn = (str) => str;
+    const chainable = () => noopFn;
+    theme = {
+      red: Object.assign(noopFn, { bold: chainable, dim: chainable }),
+      green: Object.assign(noopFn, { bold: chainable, dim: chainable }),
+      yellow: Object.assign(noopFn, { bold: chainable, dim: chainable }),
+      blue: Object.assign(noopFn, { bold: chainable, dim: chainable }),
+      success: noopFn,
+      error: noopFn,
+      warning: noopFn,
+      info: noopFn,
+      muted: noopFn
+    };
+  }
+  return theme;
+}
 function setOutputOptions(options) {
   globalOptions = options;
 }
@@ -21,22 +47,22 @@ function log(message) {
 }
 function verbose(message) {
   if (globalOptions.verbose && !globalOptions.quiet) {
-    console.log(pc.dim(message));
+    console.log(getTheme().muted(message));
   }
 }
 function success(message) {
-  log(pc.green("\u2713 " + message));
+  log(getTheme().success("\u2713 " + message));
 }
 function error(message) {
-  console.error(pc.red("\u2717 " + message));
+  console.error(getTheme().error("\u2717 " + message));
 }
 function warn(message) {
   if (!globalOptions.quiet) {
-    console.warn(pc.yellow("\u26A0 " + message));
+    console.warn(getTheme().warning("\u26A0 " + message));
   }
 }
 function info(message) {
-  log(pc.blue("\u2139 " + message));
+  log(getTheme().info("\u2139 " + message));
 }
 function formatTable(rows) {
   const headers = ["Suite", "Status", "Fingerprint", "Age"];
@@ -65,17 +91,18 @@ function formatTable(rows) {
   return lines.join("\n");
 }
 function colorizeStatus(status) {
+  const t = getTheme();
   switch (status) {
     case "VALID":
-      return pc.green(status);
+      return t.green(status);
     case "NEEDS_ATTESTATION":
     case "FINGERPRINT_CHANGED":
-      return pc.yellow(status);
+      return t.yellow(status);
     case "EXPIRED":
     case "INVALIDATED_BY_PARENT":
-      return pc.red(status);
+      return t.red(status);
     case "SIGNATURE_INVALID":
-      return pc.red(pc.bold(status));
+      return t.red.bold()(status);
     default:
       return status;
   }
@@ -89,24 +116,6 @@ async function confirmAction(options) {
     default: options.default ?? false
   });
 }
-async function selectOption(options) {
-  return select({
-    message: options.message,
-    choices: options.choices
-  });
-}
-async function getInput(options) {
-  const inputConfig = {
-    message: options.message
-  };
-  if (options.default !== void 0) {
-    inputConfig.default = options.default;
-  }
-  if (options.validate !== void 0) {
-    inputConfig.validate = options.validate;
-  }
-  return input(inputConfig);
-}
 
 // src/utils/exit-codes.ts
 var ExitCode = {
@@ -114,18 +123,56 @@ var ExitCode = {
   SUCCESS: 0,
   /** Tests failed or attestation invalid */
   FAILURE: 1,
+  /** Nothing needed attestation */
+  NO_WORK: 2,
   /** Configuration or validation error */
-  CONFIG_ERROR: 2,
+  CONFIG_ERROR: 3,
   /** User cancelled the operation */
-  CANCELLED: 3,
+  CANCELLED: 4,
   /** Missing required key file */
-  MISSING_KEY: 4
+  MISSING_KEY: 5
 };
 
 // src/commands/init.ts
-var initCommand = new Command("init").description("Initialize attest-it configuration").option("-p, --path <path>", "Config file path", ".attest-it/config.yaml").option("-f, --force", "Overwrite existing config").option("--json", "Output JSON instead of YAML").action(async (options) => {
+var initCommand = new Command("init").description("Initialize attest-it configuration").option("-p, --path <path>", "Config file path", ".attest-it/config.yaml").option("-f, --force", "Overwrite existing config").action(async (options) => {
   await runInit(options);
 });
+var CONFIG_TEMPLATE = `# attest-it configuration
+# See https://github.com/attest-it/attest-it for documentation
+
+version: 1
+
+settings:
+  # How long attestations remain valid (in days)
+  maxAgeDays: 30
+  # Path to the public key used for signature verification
+  publicKeyPath: .attest-it/pubkey.pem
+  # Path to the attestations file
+  attestationsPath: .attest-it/attestations.json
+  # Signing algorithm
+  algorithm: rsa
+
+# Define your test suites below. Each suite groups tests that require
+# human verification before their attestations are accepted.
+#
+# Example:
+#
+# suites:
+#   visual-tests:
+#     description: Visual regression tests requiring human review
+#     packages:
+#       - packages/ui
+#       - packages/components
+#     command: pnpm vitest packages/ui packages/components
+#
+#   integration:
+#     description: Integration tests with external services
+#     packages:
+#       - packages/api
+#     command: pnpm vitest packages/api --project=integration
+
+suites: {}
+`;
 async function runInit(options) {
   try {
     const configPath = path.resolve(options.path);
@@ -140,102 +187,14 @@ async function runInit(options) {
         process.exit(ExitCode.CANCELLED);
       }
     }
-    log("");
-    info("Welcome to attest-it!");
-    log("This will create a configuration file for human-gated test attestations.");
-    log("");
-    const maxAgeDays = await getInput({
-      message: "Maximum attestation age (days):",
-      default: "30",
-      validate: (v) => {
-        const n = parseInt(v, 10);
-        return !isNaN(n) && n > 0 ? true : "Must be a positive number";
-      }
-    });
-    const algorithm = await selectOption({
-      message: "Signing algorithm:",
-      choices: [
-        {
-          value: "ed25519",
-          name: "Ed25519 (Recommended)",
-          description: "Fast, modern, secure"
-        },
-        { value: "rsa", name: "RSA", description: "Broader compatibility" }
-      ]
-    });
-    const suites = [];
-    let addMore = true;
-    log("");
-    info("Now configure your test suites.");
-    log("Suites are groups of tests that require human verification.");
-    log("");
-    while (addMore) {
-      const suiteName = await getInput({
-        message: "Suite name:",
-        validate: (v) => v.length > 0 ? true : "Required"
-      });
-      const description = await getInput({
-        message: "Description (optional):"
-      });
-      const packagesInput = await getInput({
-        message: "Package paths (comma-separated):",
-        default: `packages/${suiteName}`,
-        validate: (v) => v.length > 0 ? true : "At least one package required"
-      });
-      const command = await getInput({
-        message: "Test command:",
-        default: `pnpm vitest ${packagesInput.split(",")[0]?.trim() ?? ""}`
-      });
-      suites.push({
-        name: suiteName,
-        description,
-        packages: packagesInput.split(",").map((p) => p.trim()).filter(Boolean),
-        command
-      });
-      addMore = await confirmAction({
-        message: "Add another suite?",
-        default: false
-      });
-    }
-    if (suites.length === 0) {
-      error("At least one suite is required");
-      process.exit(ExitCode.CONFIG_ERROR);
-    }
-    const config = {
-      version: 1,
-      settings: {
-        maxAgeDays: parseInt(maxAgeDays, 10),
-        publicKeyPath: ".attest-it/pubkey.pem",
-        attestationsPath: ".attest-it/attestations.json",
-        algorithm
-      },
-      suites: Object.fromEntries(
-        suites.map((s) => {
-          const suite = {
-            packages: s.packages,
-            command: s.command
-          };
-          if (s.description) {
-            suite.description = s.description;
-          }
-          return [s.name, suite];
-        })
-      )
-    };
     await fs.promises.mkdir(configDir, { recursive: true });
-    const content = options.json ? JSON.stringify(config, null, 2) : YAML.stringify(config, { indent: 2 });
-    await fs.promises.writeFile(configPath, content, "utf-8");
-    const attestDir = path.dirname(
-      path.resolve(path.dirname(configPath), config.settings.attestationsPath)
-    );
-    await fs.promises.mkdir(attestDir, { recursive: true });
+    await fs.promises.writeFile(configPath, CONFIG_TEMPLATE, "utf-8");
     success(`Configuration created at ${configPath}`);
     log("");
     log("Next steps:");
-    log("  1. Review and edit the configuration as needed");
+    log(`  1. Edit ${options.path} to define your test suites`);
     log("  2. Run: attest-it keygen");
-    log("  3. Run: attest-it run --suite <suite-name>");
-    log("  4. Commit the attestation file");
+    log("  3. Run: attest-it status");
   } catch (err) {
     if (err instanceof Error) {
       error(err.message);
@@ -365,92 +324,797 @@ function formatAge(result) {
   }
   return "-";
 }
-var runCommand = new Command("run").description("Execute tests and create attestation").option("-s, --suite <name>", "Run specific suite (required unless --all)").option("-a, --all", "Run all suites needing attestation").option("--no-attest", "Run tests without creating attestation").option("-y, --yes", "Skip confirmation prompt").action(async (options) => {
-  await runTests(options);
-});
-async function runTests(options) {
-  try {
-    if (!options.suite && !options.all) {
-      error("Either --suite or --all is required");
-      process.exit(ExitCode.CONFIG_ERROR);
+function Header({ pendingCount }) {
+  const message = `${pendingCount.toString()} suite${pendingCount === 1 ? "" : "s"} need${pendingCount === 1 ? "s" : ""} attestation`;
+  return /* @__PURE__ */ jsx(Box, { borderStyle: "single", paddingX: 1, children: /* @__PURE__ */ jsx(Text, { children: message }) });
+}
+function StatusBadge({ status }) {
+  const statusConfig = getStatusConfig(status);
+  if (statusConfig.bold) {
+    return /* @__PURE__ */ jsx(Text, { color: statusConfig.color, bold: true, children: statusConfig.text });
+  }
+  return /* @__PURE__ */ jsx(Text, { color: statusConfig.color, children: statusConfig.text });
+}
+function getStatusConfig(status) {
+  switch (status) {
+    case "VALID":
+      return { text: "\u2713 VALID", color: "green" };
+    case "NEEDS_ATTESTATION":
+      return { text: "MISSING", color: "yellow" };
+    case "FINGERPRINT_CHANGED":
+      return { text: "CHANGED", color: "yellow" };
+    case "EXPIRED":
+      return { text: "STALE", color: "red" };
+    case "SIGNATURE_INVALID":
+      return { text: "INVALID", color: "red", bold: true };
+    case "INVALIDATED_BY_PARENT":
+      return { text: "INVALIDATED", color: "red" };
+    default: {
+      const _exhaustive = status;
+      return { text: String(_exhaustive), color: "yellow" };
     }
-    const config = await loadConfig();
-    const suitesToRun = options.all ? Object.keys(config.suites) : options.suite ? [options.suite] : [];
-    if (options.suite && !config.suites[options.suite]) {
-      error(`Suite "${options.suite}" not found in config`);
-      process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+function SuiteTable({
+  suites,
+  selectable = false,
+  selected = /* @__PURE__ */ new Set()
+}) {
+  const columnWidths = calculateColumnWidths(suites);
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+    /* @__PURE__ */ jsxs(Box, { children: [
+      selectable && /* @__PURE__ */ jsx(Text, { children: " ".repeat(4) }),
+      /* @__PURE__ */ jsx(Text, { bold: true, children: padEnd("Status", columnWidths.status) }),
+      /* @__PURE__ */ jsx(Text, { children: " " }),
+      /* @__PURE__ */ jsx(Text, { bold: true, children: padEnd("Suite", columnWidths.suite) }),
+      /* @__PURE__ */ jsx(Text, { children: " " }),
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Reason" })
+    ] }),
+    /* @__PURE__ */ jsx(Box, { children: /* @__PURE__ */ jsx(Text, { color: "gray", children: "\u2500".repeat(
+      (selectable ? 4 : 0) + columnWidths.status + columnWidths.suite + columnWidths.reason
+    ) }) }),
+    suites.map((suite) => /* @__PURE__ */ jsxs(Box, { children: [
+      selectable && /* @__PURE__ */ jsx(Text, { children: selected.has(suite.name) ? "[\u2713] " : "[ ] " }),
+      /* @__PURE__ */ jsx(Box, { width: columnWidths.status, children: /* @__PURE__ */ jsx(StatusBadge, { status: suite.status }) }),
+      /* @__PURE__ */ jsx(Text, { children: " " }),
+      /* @__PURE__ */ jsx(Text, { children: padEnd(suite.name, columnWidths.suite) }),
+      /* @__PURE__ */ jsx(Text, { children: " " }),
+      /* @__PURE__ */ jsx(Text, { color: "gray", children: suite.reason })
+    ] }, suite.name))
+  ] });
+}
+function calculateColumnWidths(suites, _selectable) {
+  const statusHeader = "Status";
+  const suiteHeader = "Suite";
+  const reasonHeader = "Reason";
+  const statusWidth = Math.max(statusHeader.length, 13);
+  const suiteWidth = Math.max(suiteHeader.length, ...suites.map((s) => s.name.length));
+  const reasonWidth = Math.max(reasonHeader.length, ...suites.map((s) => s.reason.length));
+  return {
+    status: statusWidth,
+    suite: suiteWidth,
+    reason: reasonWidth
+  };
+}
+function padEnd(str, width) {
+  return str.padEnd(width, " ");
+}
+function SelectionPrompt({
+  message,
+  options,
+  onSelect,
+  groups
+}) {
+  useInput((input) => {
+    const matchedOption = options.find((opt) => opt.hint === input);
+    if (matchedOption) {
+      onSelect(matchedOption.value);
+      return;
     }
-    const isDirty = await checkDirtyWorkingTree();
-    if (isDirty) {
-      error("Working tree has uncommitted changes. Please commit or stash before attesting.");
-      process.exit(ExitCode.CONFIG_ERROR);
+    if (groups) {
+      const matchedGroup = groups.find((group) => group.name === input);
+      if (matchedGroup) {
+        onSelect(matchedGroup.name);
+      }
     }
-    for (const suiteName of suitesToRun) {
-      const suiteConfig = config.suites[suiteName];
-      if (!suiteConfig) continue;
-      log(`
-=== Running suite: ${suiteName} ===
-`);
-      const fingerprintOptions = {
-        packages: suiteConfig.packages,
-        ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
-      };
-      const fingerprintResult = await computeFingerprint(fingerprintOptions);
-      verbose(`Fingerprint: ${fingerprintResult.fingerprint}`);
-      verbose(`Files: ${String(fingerprintResult.fileCount)}`);
-      const command = buildCommand(config, suiteConfig.command, suiteConfig.files);
-      log(`Running: ${command}`);
-      log("");
-      const exitCode = await executeCommand(command);
-      if (exitCode !== 0) {
-        error(`Tests failed with exit code ${String(exitCode)}`);
-        process.exit(ExitCode.FAILURE);
+  });
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+    /* @__PURE__ */ jsx(Text, { bold: true, children: message }),
+    /* @__PURE__ */ jsx(Box, { marginTop: 1, gap: 2, children: options.map((option) => /* @__PURE__ */ jsxs(Text, { children: [
+      option.hint && /* @__PURE__ */ jsxs(Fragment, { children: [
+        /* @__PURE__ */ jsxs(Text, { color: "cyan", children: [
+          "[",
+          option.hint,
+          "]"
+        ] }),
+        " "
+      ] }),
+      option.label
+    ] }, option.value)) }),
+    groups && groups.length > 0 && /* @__PURE__ */ jsx(Box, { marginTop: 1, gap: 2, children: groups.map((group) => /* @__PURE__ */ jsxs(Text, { children: [
+      /* @__PURE__ */ jsxs(Text, { color: "cyan", children: [
+        "[",
+        group.name,
+        "]"
+      ] }),
+      " ",
+      group.label
+    ] }, group.name)) })
+  ] });
+}
+function SuiteSelector({
+  pendingSuites,
+  validSuites,
+  groups,
+  onSelect,
+  onExit
+}) {
+  const [selectedSuites, setSelectedSuites] = React7.useState(/* @__PURE__ */ new Set());
+  const [cursorIndex, setCursorIndex] = React7.useState(0);
+  const toggleSuite = React7.useCallback((suiteName) => {
+    setSelectedSuites((prev) => {
+      const next = new Set(prev);
+      if (next.has(suiteName)) {
+        next.delete(suiteName);
+      } else {
+        next.add(suiteName);
       }
-      success("Tests passed!");
-      if (options.attest === false) {
-        log("Skipping attestation (--no-attest)");
-        continue;
+      return next;
+    });
+  }, []);
+  useInput((input, key) => {
+    if (input === "a") {
+      setSelectedSuites(new Set(pendingSuites.map((s) => s.name)));
+      return;
+    }
+    if (input === "n") {
+      onExit();
+      return;
+    }
+    if (/^[1-9]$/.test(input)) {
+      const idx = parseInt(input, 10) - 1;
+      if (idx < pendingSuites.length) {
+        const suite = pendingSuites[idx];
+        if (suite) {
+          toggleSuite(suite.name);
+        }
       }
-      const shouldAttest = options.yes ?? await confirmAction({
-        message: "Create attestation?",
-        default: true
-      });
-      if (!shouldAttest) {
-        warn("Attestation cancelled");
-        process.exit(ExitCode.CANCELLED);
+      return;
+    }
+    if (input.startsWith("g") && groups) {
+      const groupIdx = parseInt(input.slice(1), 10) - 1;
+      const groupNames = Object.keys(groups);
+      if (groupIdx >= 0 && groupIdx < groupNames.length) {
+        const groupName = groupNames[groupIdx];
+        if (groupName) {
+          const groupSuites = groups[groupName] ?? [];
+          const newSelected = new Set(selectedSuites);
+          groupSuites.forEach((s) => newSelected.add(s));
+          setSelectedSuites(newSelected);
+        }
       }
-      const attestation = createAttestation({
-        suite: suiteName,
-        fingerprint: fingerprintResult.fingerprint,
-        command,
-        attestedBy: os.userInfo().username
-      });
-      const attestationsPath = config.settings.attestationsPath;
-      const existingFile = await readAttestations(attestationsPath);
-      const existingAttestations = existingFile?.attestations ?? [];
-      const newAttestations = upsertAttestation(existingAttestations, attestation);
-      const privateKeyPath = getDefaultPrivateKeyPath();
-      if (!fs.existsSync(privateKeyPath)) {
-        error(`Private key not found: ${privateKeyPath}`);
-        error('Run "attest-it keygen" first to generate a keypair.');
-        process.exit(ExitCode.MISSING_KEY);
+      return;
+    }
+    if (key.return) {
+      onSelect(Array.from(selectedSuites));
+      return;
+    }
+    if (input === " ") {
+      const currentSuite = pendingSuites[cursorIndex];
+      if (currentSuite) {
+        toggleSuite(currentSuite.name);
       }
-      await writeSignedAttestations({
-        filePath: attestationsPath,
-        attestations: newAttestations,
-        privateKeyPath
-      });
-      success(`Attestation created for ${suiteName}`);
-      log(`  Fingerprint: ${fingerprintResult.fingerprint}`);
-      log(`  Attested by: ${attestation.attestedBy}`);
-      log(`  Attested at: ${attestation.attestedAt}`);
+      return;
     }
-    log("");
-    success("All suites completed!");
-    log(
-      `
-To commit: git add ${config.settings.attestationsPath} && git commit -m "Update attestations"`
+    if (key.upArrow) {
+      setCursorIndex(Math.max(0, cursorIndex - 1));
+      return;
+    }
+    if (key.downArrow) {
+      setCursorIndex(Math.min(pendingSuites.length - 1, cursorIndex + 1));
+      return;
+    }
+  });
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+    /* @__PURE__ */ jsx(Header, { pendingCount: pendingSuites.length }),
+    /* @__PURE__ */ jsx(Box, { marginY: 1, children: /* @__PURE__ */ jsx(SuiteTable, { suites: pendingSuites, selectable: true, selected: selectedSuites }) }),
+    validSuites.length > 0 && /* @__PURE__ */ jsxs(Box, { marginY: 1, flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "Already valid:" }),
+      validSuites.map((s) => /* @__PURE__ */ jsxs(Text, { dimColor: true, children: [
+        "  ",
+        "\u2713 ",
+        s.name,
+        " (attested ",
+        String(s.age ?? 0),
+        " days ago)"
+      ] }, s.name))
+    ] }),
+    /* @__PURE__ */ jsx(
+      SelectionPrompt,
+      {
+        message: "Select suites to run:",
+        options: [
+          { label: "All pending", value: "all", hint: "a" },
+          { label: "By number", value: "number", hint: "1-9" },
+          { label: "None/exit", value: "none", hint: "n" }
+        ],
+        groups: groups ? Object.keys(groups).map((name, i) => ({
+          name: `g${String(i + 1)}`,
+          label: name
+        })) : void 0,
+        onSelect: () => {
+        }
+      }
+    ),
+    /* @__PURE__ */ jsxs(Text, { color: "cyan", children: [
+      selectedSuites.size,
+      " selected. Press Enter to confirm."
+    ] })
+  ] });
+}
+function ProgressSummary({
+  completed,
+  remaining,
+  failed,
+  skipped
+}) {
+  return /* @__PURE__ */ jsx(Box, { borderStyle: "single", paddingX: 1, children: /* @__PURE__ */ jsxs(Text, { children: [
+    /* @__PURE__ */ jsxs(Text, { color: "green", children: [
+      "Completed: ",
+      completed
+    ] }),
+    "    ",
+    /* @__PURE__ */ jsxs(Text, { color: "yellow", children: [
+      "Remaining: ",
+      remaining
+    ] }),
+    "    ",
+    /* @__PURE__ */ jsxs(Text, { color: "red", children: [
+      "Failed: ",
+      failed
+    ] }),
+    "    ",
+    /* @__PURE__ */ jsxs(Text, { color: "gray", children: [
+      "Skipped: ",
+      skipped
+    ] })
+  ] }) });
+}
+function TestRunner({
+  suites,
+  executeTest,
+  createAttestation: createAttestation3,
+  onComplete
+}) {
+  const [currentIndex, setCurrentIndex] = React7.useState(0);
+  const [phase, setPhase] = React7.useState("running");
+  const [results, setResults] = React7.useState({
+    completed: [],
+    failed: [],
+    skipped: []
+  });
+  const [_testPassed, setTestPassed] = React7.useState(false);
+  const resultsRef = React7.useRef(results);
+  React7.useEffect(() => {
+    resultsRef.current = results;
+  }, [results]);
+  React7.useEffect(() => {
+    if (phase !== "running") return;
+    const currentSuite2 = suites[currentIndex];
+    if (!currentSuite2) {
+      onComplete(resultsRef.current);
+      setPhase("complete");
+      return;
+    }
+    let cancelled = false;
+    executeTest(currentSuite2).then((passed) => {
+      if (cancelled) return;
+      setTestPassed(passed);
+      if (passed) {
+        setPhase("confirming");
+      } else {
+        setResults((prev) => ({
+          ...prev,
+          failed: [...prev.failed, currentSuite2]
+        }));
+        setCurrentIndex((prev) => prev + 1);
+      }
+    }).catch(() => {
+      if (cancelled) return;
+      setResults((prev) => ({
+        ...prev,
+        failed: [...prev.failed, currentSuite2]
+      }));
+      setCurrentIndex((prev) => prev + 1);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [currentIndex, phase, suites, executeTest, onComplete]);
+  useInput(
+    (input, key) => {
+      if (phase !== "confirming") return;
+      const currentSuite2 = suites[currentIndex];
+      if (!currentSuite2) return;
+      if (input.toLowerCase() === "y" || key.return) {
+        createAttestation3(currentSuite2).then(() => {
+          setResults((prev) => ({
+            ...prev,
+            completed: [...prev.completed, currentSuite2]
+          }));
+          setCurrentIndex((prev) => prev + 1);
+          setPhase("running");
+        }).catch(() => {
+          setResults((prev) => ({
+            ...prev,
+            skipped: [...prev.skipped, currentSuite2]
+          }));
+          setCurrentIndex((prev) => prev + 1);
+          setPhase("running");
+        });
+      }
+      if (input.toLowerCase() === "n") {
+        setResults((prev) => ({
+          ...prev,
+          skipped: [...prev.skipped, currentSuite2]
+        }));
+        setCurrentIndex((prev) => prev + 1);
+        setPhase("running");
+      }
+    },
+    { isActive: phase === "confirming" }
+  );
+  const currentSuite = suites[currentIndex];
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+    /* @__PURE__ */ jsx(
+      ProgressSummary,
+      {
+        completed: results.completed.length,
+        failed: results.failed.length,
+        remaining: suites.length - currentIndex,
+        skipped: results.skipped.length
+      }
+    ),
+    /* @__PURE__ */ jsxs(Box, { marginY: 1, children: [
+      phase === "running" && currentSuite && /* @__PURE__ */ jsxs(Box, { children: [
+        /* @__PURE__ */ jsx(SimpleSpinner, {}),
+        /* @__PURE__ */ jsxs(Text, { children: [
+          " Running ",
+          currentSuite,
+          "..."
+        ] })
+      ] }),
+      phase === "confirming" && currentSuite && /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+        /* @__PURE__ */ jsx(Text, { color: "green", children: "\u2713 Tests passed!" }),
+        /* @__PURE__ */ jsxs(Text, { children: [
+          "Create attestation for ",
+          currentSuite,
+          "? [Y/n]: "
+        ] })
+      ] }),
+      phase === "complete" && /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+        /* @__PURE__ */ jsx(Text, { color: "green", children: "\u2713 All suites processed" }),
+        /* @__PURE__ */ jsxs(Text, { children: [
+          "Completed: ",
+          results.completed.length,
+          ", Failed: ",
+          results.failed.length,
+          ", Skipped:",
+          " ",
+          results.skipped.length
+        ] })
+      ] })
+    ] })
+  ] });
+}
+function SimpleSpinner() {
+  const [frame, setFrame] = React7.useState(0);
+  const frames = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
+  React7.useEffect(() => {
+    const timer = setInterval(() => {
+      setFrame((f) => (f + 1) % frames.length);
+    }, 80);
+    return () => {
+      clearInterval(timer);
+    };
+  }, []);
+  return /* @__PURE__ */ jsx(Text, { color: "cyan", children: frames[frame] });
+}
+function InteractiveRun({
+  allSuites,
+  config,
+  executeTest,
+  createAttestation: createAttestation3,
+  saveSession: saveSession2,
+  preSelected
+}) {
+  const { exit } = useApp();
+  const [phase, setPhase] = React7.useState(preSelected ? "running" : "selecting");
+  const [selectedSuites, setSelectedSuites] = React7.useState(preSelected ?? []);
+  const [results, setResults] = React7.useState({
+    completed: [],
+    failed: [],
+    skipped: []
+  });
+  const pendingSuites = React7.useMemo(
+    () => allSuites.filter((s) => s.status !== "VALID"),
+    [allSuites]
+  );
+  const validSuites = React7.useMemo(
+    () => allSuites.filter((s) => s.status === "VALID"),
+    [allSuites]
+  );
+  const handleSelect = React7.useCallback(
+    (selected) => {
+      if (selected.length === 0) {
+        exit();
+        return;
+      }
+      setSelectedSuites(selected);
+      setPhase("running");
+    },
+    [exit]
+  );
+  const handleRunComplete = React7.useCallback(
+    (runResults) => {
+      void (async () => {
+        setResults(runResults);
+        if (runResults.failed.length === 0 && runResults.skipped.length === 0) {
+          await saveSession2([], [], []);
+        } else {
+          await saveSession2(runResults.completed, runResults.failed, []);
+        }
+        setPhase("complete");
+      })();
+    },
+    [saveSession2]
+  );
+  if (pendingSuites.length === 0) {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { color: "green", children: "\u2713 All suites are valid. Nothing to run." }),
+      validSuites.length > 0 && /* @__PURE__ */ jsxs(Text, { dimColor: true, children: [
+        validSuites.length,
+        " suite(s) already attested."
+      ] })
+    ] });
+  }
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+    phase === "selecting" && /* @__PURE__ */ jsx(
+      SuiteSelector,
+      {
+        pendingSuites,
+        validSuites,
+        groups: config.groups,
+        onSelect: handleSelect,
+        onExit: () => {
+          exit();
+        }
+      }
+    ),
+    phase === "running" && /* @__PURE__ */ jsx(
+      TestRunner,
+      {
+        suites: selectedSuites,
+        executeTest,
+        createAttestation: createAttestation3,
+        onComplete: handleRunComplete
+      }
+    ),
+    phase === "complete" && /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(
+        ProgressSummary,
+        {
+          completed: results.completed.length,
+          failed: results.failed.length,
+          remaining: 0,
+          skipped: results.skipped.length
+        }
+      ),
+      /* @__PURE__ */ jsx(Box, { marginY: 1, children: results.failed.length === 0 && results.skipped.length === 0 ? /* @__PURE__ */ jsx(Text, { color: "green", children: "\u2713 All suites attested successfully!" }) : /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+        results.failed.length > 0 && /* @__PURE__ */ jsxs(Text, { color: "red", children: [
+          "\u2717 ",
+          results.failed.length,
+          " suite(s) failed: ",
+          results.failed.join(", ")
+        ] }),
+        /* @__PURE__ */ jsx(Text, { children: "Run `attest-it run` again to continue with remaining suites." })
+      ] }) })
+    ] })
+  ] });
+}
+function determineStatus2(attestation, currentFingerprint, maxAgeDays) {
+  if (!attestation) {
+    return "NEEDS_ATTESTATION";
+  }
+  if (attestation.fingerprint !== currentFingerprint) {
+    return "FINGERPRINT_CHANGED";
+  }
+  const attestedAt = new Date(attestation.attestedAt);
+  const ageInDays = Math.floor((Date.now() - attestedAt.getTime()) / (1e3 * 60 * 60 * 24));
+  if (ageInDays > maxAgeDays) {
+    return "EXPIRED";
+  }
+  return "VALID";
+}
+async function getAllSuiteStatuses(config) {
+  let attestationsFile = null;
+  try {
+    attestationsFile = await readAttestations(config.settings.attestationsPath);
+  } catch (err) {
+    if (err instanceof Error && !err.message.includes("ENOENT")) {
+      throw err;
+    }
+  }
+  const attestations = attestationsFile?.attestations ?? [];
+  const results = [];
+  for (const [suiteName, suiteConfig] of Object.entries(config.suites)) {
+    const fingerprintResult = await computeFingerprint({
+      packages: suiteConfig.packages,
+      ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+    });
+    const attestation = findAttestation(
+      { schemaVersion: "1", attestations, signature: "" },
+      suiteName
+    );
+    const status = determineStatus2(
+      attestation,
+      fingerprintResult.fingerprint,
+      config.settings.maxAgeDays
     );
+    let age;
+    if (attestation) {
+      const attestedAt = new Date(attestation.attestedAt);
+      age = Math.floor((Date.now() - attestedAt.getTime()) / (1e3 * 60 * 60 * 24));
+    }
+    results.push({
+      name: suiteName,
+      status,
+      reason: formatStatusReason(status, age, config.settings.maxAgeDays),
+      currentFingerprint: fingerprintResult.fingerprint,
+      attestedFingerprint: attestation?.fingerprint,
+      attestedAt: attestation?.attestedAt,
+      age
+    });
+  }
+  return results;
+}
+function formatStatusReason(status, age, maxAgeDays) {
+  switch (status) {
+    case "VALID":
+      return `Attested ${String(age ?? 0)} days ago`;
+    case "NEEDS_ATTESTATION":
+      return "No attestation found";
+    case "FINGERPRINT_CHANGED":
+      return "Source files modified";
+    case "EXPIRED":
+      return `${String(age ?? 0)} days old (max: ${String(maxAgeDays ?? 30)})`;
+    case "SIGNATURE_INVALID":
+      return "Signature verification failed";
+    case "INVALIDATED_BY_PARENT":
+      return "Invalidated by parent suite";
+    default:
+      return status;
+  }
+}
+function getSessionPath() {
+  return join(process.cwd(), ".attest-it", "session.json");
+}
+async function loadSession() {
+  try {
+    const content = await readFile(getSessionPath(), "utf-8");
+    const data = JSON.parse(content);
+    if (!isValidSession(data)) {
+      return null;
+    }
+    return data;
+  } catch {
+    return null;
+  }
+}
+async function saveSession(session) {
+  const sessionPath = getSessionPath();
+  const dir = dirname(sessionPath);
+  await mkdir(dir, { recursive: true });
+  await writeFile(sessionPath, JSON.stringify(session, null, 2), "utf-8");
+}
+async function clearSession() {
+  try {
+    await unlink(getSessionPath());
+  } catch {
+  }
+}
+function isValidSession(data) {
+  if (typeof data !== "object" || data === null) {
+    return false;
+  }
+  const obj = data;
+  return typeof obj.started === "string" && Array.isArray(obj.selected) && obj.selected.every((item) => typeof item === "string") && Array.isArray(obj.completed) && obj.completed.every((item) => typeof item === "string") && Array.isArray(obj.failed) && obj.failed.every((item) => typeof item === "string") && Array.isArray(obj.remaining) && obj.remaining.every((item) => typeof item === "string");
+}
+async function runInteractive(options) {
+  const config = await loadConfig();
+  const allSuites = await getAllSuiteStatuses(config);
+  let preSelected;
+  if (options.continue) {
+    const session = await loadSession();
+    if (session && session.remaining.length > 0) {
+      preSelected = session.remaining;
+      log(`Resuming session with ${String(preSelected.length)} remaining suite(s)`);
+    }
+  }
+  if (options.dryRun) {
+    handleDryRun(allSuites, config, options.filter);
+    return;
+  }
+  const pendingSuites = allSuites.filter((s) => s.status !== "VALID");
+  if (pendingSuites.length === 0) {
+    log("All suites are valid. Nothing to run.");
+    process.exit(ExitCode.NO_WORK);
+  }
+  const isDirty = await checkDirtyWorkingTree();
+  if (isDirty) {
+    error("Working tree has uncommitted changes. Please commit or stash before attesting.");
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+  const executeTest = createTestExecutor(config);
+  const createAttestationFn = createAttestationCreator(config);
+  const saveSessionFn = createSessionSaver();
+  const interactiveRunProps = {
+    allSuites,
+    config,
+    executeTest,
+    createAttestation: createAttestationFn,
+    saveSession: saveSessionFn,
+    ...preSelected !== void 0 && { preSelected }
+  };
+  const { waitUntilExit } = render(/* @__PURE__ */ jsx(InteractiveRun, { ...interactiveRunProps }));
+  await waitUntilExit();
+}
+function handleDryRun(allSuites, config, filterPattern) {
+  let pendingSuites = allSuites.filter((s) => s.status !== "VALID");
+  if (filterPattern) {
+    const regex = new RegExp("^" + filterPattern.replace(/\*/g, ".*") + "$", "i");
+    pendingSuites = pendingSuites.filter((s) => regex.test(s.name));
+  }
+  if (pendingSuites.length === 0) {
+    log("No suites would run (all valid or filtered out).");
+    process.exit(ExitCode.NO_WORK);
+  }
+  log(`Would run ${String(pendingSuites.length)} suite(s):`);
+  pendingSuites.forEach((s, i) => {
+    log(`  ${String(i + 1)}. ${s.name} (${s.status})`);
+  });
+  log("");
+  log("Use `attest-it run` to execute.");
+  process.exit(ExitCode.SUCCESS);
+}
+function createTestExecutor(config) {
+  return async (suiteName) => {
+    const suiteConfig = config.suites[suiteName];
+    if (!suiteConfig) {
+      error(`Suite "${suiteName}" not found in config`);
+      return false;
+    }
+    let command = suiteConfig.command ?? config.settings.defaultCommand;
+    if (!command) {
+      error(`No command specified for suite "${suiteName}"`);
+      return false;
+    }
+    if (command.includes("${files}") && suiteConfig.files) {
+      command = command.replaceAll("${files}", suiteConfig.files.join(" "));
+    }
+    log(`Running: ${command}`);
+    const exitCode = await executeCommand(command);
+    return exitCode === 0;
+  };
+}
+function createAttestationCreator(config) {
+  return async (suiteName) => {
+    const suiteConfig = config.suites[suiteName];
+    if (!suiteConfig) {
+      throw new Error(`Suite "${suiteName}" not found`);
+    }
+    const fingerprintResult = await computeFingerprint({
+      packages: suiteConfig.packages,
+      ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+    });
+    const attestation = createAttestation({
+      suite: suiteName,
+      fingerprint: fingerprintResult.fingerprint,
+      command: suiteConfig.command ?? config.settings.defaultCommand ?? "",
+      attestedBy: os.userInfo().username
+    });
+    const attestationsPath = config.settings.attestationsPath;
+    const existingFile = await readAttestations(attestationsPath).catch(() => null);
+    const existingAttestations = existingFile?.attestations ?? [];
+    const newAttestations = upsertAttestation(existingAttestations, attestation);
+    const privateKeyPath = getDefaultPrivateKeyPath();
+    if (!fs.existsSync(privateKeyPath)) {
+      throw new Error(`Private key not found: ${privateKeyPath}. Run "attest-it keygen" first.`);
+    }
+    await writeSignedAttestations({
+      filePath: attestationsPath,
+      attestations: newAttestations,
+      privateKeyPath
+    });
+    log(`\u2713 Attestation created for ${suiteName}`);
+  };
+}
+function createSessionSaver() {
+  return async (completed, failed, remaining) => {
+    if (completed.length === 0 && failed.length === 0 && remaining.length === 0) {
+      await clearSession();
+    } else {
+      await saveSession({
+        started: (/* @__PURE__ */ new Date()).toISOString(),
+        selected: [...completed, ...failed, ...remaining],
+        completed,
+        failed,
+        remaining
+      });
+    }
+  };
+}
+async function executeCommand(command) {
+  return new Promise((resolve2) => {
+    const parsed = parse(command);
+    const stringArgs = parsed.filter((t) => typeof t === "string");
+    if (stringArgs.length === 0) {
+      error("Empty command");
+      resolve2(1);
+      return;
+    }
+    const [executable, ...args] = stringArgs;
+    if (!executable) {
+      resolve2(1);
+      return;
+    }
+    const child = spawn(executable, args, { stdio: "inherit" });
+    child.on("close", (code) => {
+      resolve2(code ?? 1);
+    });
+    child.on("error", (err) => {
+      error(`Command failed: ${err.message}`);
+      resolve2(1);
+    });
+  });
+}
+async function checkDirtyWorkingTree() {
+  return new Promise((resolve2) => {
+    const child = spawn("git", ["status", "--porcelain"], {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let output = "";
+    child.stdout.on("data", (data) => {
+      output += data.toString();
+    });
+    child.on("close", () => {
+      resolve2(output.trim().length > 0);
+    });
+    child.on("error", () => {
+      resolve2(false);
+    });
+  });
+}
+
+// src/commands/run.ts
+var runCommand = new Command("run").description("Execute tests and create attestation").option("-s, --suite <name>", "Run specific suite (required unless --all or interactive mode)").option("-a, --all", "Run all suites needing attestation").option("--no-attest", "Run tests without creating attestation").option("-y, --yes", "Skip confirmation prompt").option("--dry-run", "Show what would run without executing").option("-c, --continue", "Resume interrupted session").option("--filter <pattern>", "Filter suites by pattern (glob-style)").action(async (options) => {
+  await runTests(options);
+});
+async function runTests(options) {
+  try {
+    if (options.suite) {
+      await runDirectMode(options);
+      return;
+    }
+    if (options.all) {
+      await runAllPending(options);
+      return;
+    }
+    await runInteractive({
+      dryRun: options.dryRun,
+      continue: options.continue,
+      filter: options.filter
+    });
   } catch (err) {
     if (err instanceof Error) {
       error(err.message);
@@ -486,7 +1150,7 @@ function parseCommand(command) {
   }
   return { executable, args };
 }
-async function executeCommand(command) {
+async function executeCommand2(command) {
   return new Promise((resolve2) => {
     let parsed;
     try {
@@ -513,7 +1177,7 @@ async function executeCommand(command) {
     });
   });
 }
-async function checkDirtyWorkingTree() {
+async function checkDirtyWorkingTree2() {
   return new Promise((resolve2) => {
     const child = spawn("git", ["status", "--porcelain"], {
       stdio: ["ignore", "pipe", "pipe"]
@@ -530,6 +1194,131 @@ async function checkDirtyWorkingTree() {
     });
   });
 }
+async function runDirectMode(options) {
+  if (!options.suite) {
+    error("Suite name is required for direct mode");
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+  const config = await loadConfig();
+  if (!config.suites[options.suite]) {
+    error(`Suite "${options.suite}" not found in config`);
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+  const isDirty = await checkDirtyWorkingTree2();
+  if (isDirty) {
+    error("Working tree has uncommitted changes. Please commit or stash before attesting.");
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+  await runSingleSuite(options.suite, config, options);
+  log("");
+  success("Suite completed!");
+  log(
+    `
+To commit: git add ${config.settings.attestationsPath} && git commit -m "Update attestations"`
+  );
+}
+async function runAllPending(options) {
+  const config = await loadConfig();
+  const allSuites = await getAllSuiteStatuses(config);
+  const pendingSuites = allSuites.filter((s) => s.status !== "VALID");
+  if (pendingSuites.length === 0) {
+    log("All suites are valid. Nothing to run.");
+    process.exit(ExitCode.NO_WORK);
+  }
+  let suitesToRun = pendingSuites;
+  if (options.filter) {
+    const regex = new RegExp("^" + options.filter.replace(/\*/g, ".*") + "$", "i");
+    suitesToRun = pendingSuites.filter((s) => regex.test(s.name));
+    if (suitesToRun.length === 0) {
+      log(`No suites match filter: ${options.filter}`);
+      process.exit(ExitCode.NO_WORK);
+    }
+  }
+  if (options.dryRun) {
+    log(`Would run ${String(suitesToRun.length)} suite(s):`);
+    suitesToRun.forEach((s, i) => {
+      log(`  ${String(i + 1)}. ${s.name} (${s.status})`);
+    });
+    process.exit(ExitCode.SUCCESS);
+  }
+  const isDirty = await checkDirtyWorkingTree2();
+  if (isDirty) {
+    error("Working tree has uncommitted changes. Please commit or stash before attesting.");
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+  for (const suite of suitesToRun) {
+    await runSingleSuite(suite.name, config, options);
+  }
+  log("");
+  success("All suites completed!");
+  log(
+    `
+To commit: git add ${config.settings.attestationsPath} && git commit -m "Update attestations"`
+  );
+}
+async function runSingleSuite(suiteName, config, options) {
+  const suiteConfig = config.suites[suiteName];
+  if (!suiteConfig) {
+    error(`Suite "${suiteName}" not found in config`);
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+  log(`
+=== Running suite: ${suiteName} ===
+`);
+  const fingerprintOptions = {
+    packages: suiteConfig.packages,
+    ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+  };
+  const fingerprintResult = await computeFingerprint(fingerprintOptions);
+  verbose(`Fingerprint: ${fingerprintResult.fingerprint}`);
+  verbose(`Files: ${String(fingerprintResult.fileCount)}`);
+  const command = buildCommand(config, suiteConfig.command, suiteConfig.files);
+  log(`Running: ${command}`);
+  log("");
+  const exitCode = await executeCommand2(command);
+  if (exitCode !== 0) {
+    error(`Tests failed with exit code ${String(exitCode)}`);
+    process.exit(ExitCode.FAILURE);
+  }
+  success("Tests passed!");
+  if (options.attest === false) {
+    log("Skipping attestation (--no-attest)");
+    return;
+  }
+  const shouldAttest = options.yes ?? await confirmAction({
+    message: "Create attestation?",
+    default: true
+  });
+  if (!shouldAttest) {
+    warn("Attestation cancelled");
+    process.exit(ExitCode.CANCELLED);
+  }
+  const attestation = createAttestation({
+    suite: suiteName,
+    fingerprint: fingerprintResult.fingerprint,
+    command,
+    attestedBy: os.userInfo().username
+  });
+  const attestationsPath = config.settings.attestationsPath;
+  const existingFile = await readAttestations(attestationsPath);
+  const existingAttestations = existingFile?.attestations ?? [];
+  const newAttestations = upsertAttestation(existingAttestations, attestation);
+  const privateKeyPath = getDefaultPrivateKeyPath();
+  if (!fs.existsSync(privateKeyPath)) {
+    error(`Private key not found: ${privateKeyPath}`);
+    error('Run "attest-it keygen" first to generate a keypair.');
+    process.exit(ExitCode.MISSING_KEY);
+  }
+  await writeSignedAttestations({
+    filePath: attestationsPath,
+    attestations: newAttestations,
+    privateKeyPath
+  });
+  success(`Attestation created for ${suiteName}`);
+  log(`  Fingerprint: ${fingerprintResult.fingerprint}`);
+  log(`  Attested by: ${attestation.attestedBy}`);
+  log(`  Attested at: ${attestation.attestedAt}`);
+}
 var keygenCommand = new Command("keygen").description("Generate a new RSA keypair for signing attestations").option("-o, --output <path>", "Private key output path").option("-p, --public <path>", "Public key output path").option("-f, --force", "Overwrite existing keys").action(async (options) => {
   await runKeygen(options);
 });
@@ -678,7 +1467,7 @@ async function runPrune(options) {
     } else {
       error("Unknown error occurred");
     }
-    process.exit(2);
+    process.exit(ExitCode.CONFIG_ERROR);
     return;
   }
 }
@@ -739,7 +1528,7 @@ async function runVerify(options) {
     } else {
       error("Unknown error occurred");
     }
-    process.exit(2);
+    process.exit(ExitCode.CONFIG_ERROR);
   }
 }
 function displayResults(result, maxAgeDays, strict) {
@@ -825,7 +1614,8 @@ program.addCommand(runCommand);
 program.addCommand(keygenCommand);
 program.addCommand(pruneCommand);
 program.addCommand(verifyCommand);
-function run() {
+async function run() {
+  await initTheme();
   program.parse();
   const options = program.opts();
   const outputOptions = {};