@attest-it/cli 0.3.0 → 0.4.0

package/dist/bin/attest-it.js

@@ -3,17 +3,21 @@ import { Command } from 'commander';
 import * as fs from 'fs';
 import { readFileSync } from 'fs';
 import * as path from 'path';
-import { dirname, join } from 'path';
+import { join, dirname } from 'path';
 import { detectTheme } from 'chromaterm';
-import { confirm } from '@inquirer/prompts';
-import { loadConfig, readAttestations, computeFingerprint, findAttestation, createAttestation, upsertAttestation, getDefaultPrivateKeyPath, writeSignedAttestations, checkOpenSSL, getDefaultPublicKeyPath, generateKeyPair, setKeyPermissions, verifyAttestations, toAttestItConfig } from '@attest-it/core';
+import { input, select, confirm, checkbox } from '@inquirer/prompts';
+import { loadConfig, toAttestItConfig, readSealsSync, computeFingerprintSync, verifyGateSeal, verifyAllSeals, computeFingerprint, createAttestation, readAttestations, upsertAttestation, KeyProviderRegistry, getDefaultPrivateKeyPath, FilesystemKeyProvider, writeSignedAttestations, loadLocalConfigSync, getActiveIdentity, isAuthorizedSigner, createSeal, writeSealsSync, checkOpenSSL, getDefaultPublicKeyPath, OnePasswordKeyProvider, MacOSKeychainKeyProvider, generateKeyPair, setKeyPermissions, getGate, loadLocalConfig, generateEd25519KeyPair, saveLocalConfig, findConfigPath, findAttestation } from '@attest-it/core';
 import { spawn } from 'child_process';
 import * as os from 'os';
+import { homedir } from 'os';
 import { parse } from 'shell-quote';
 import * as React7 from 'react';
+import { useState, useEffect } from 'react';
 import { render, useApp, Box, Text, useInput } from 'ink';
 import { jsx, jsxs, Fragment } from 'react/jsx-runtime';
-import { readFile, unlink, mkdir, writeFile } from 'fs/promises';
+import { mkdir, writeFile, unlink, readFile } from 'fs/promises';
+import { Spinner, Select, TextInput } from '@inkjs/ui';
+import { stringify } from 'yaml';
 import { fileURLToPath } from 'url';
 
 var globalOptions = {};
@@ -92,30 +96,63 @@ function formatTable(rows) {
   }
   return lines.join("\n");
 }
-function colorizeStatus(status) {
-  const t = getTheme();
-  switch (status) {
-    case "VALID":
-      return t.green(status);
-    case "NEEDS_ATTESTATION":
-    case "FINGERPRINT_CHANGED":
-      return t.yellow(status);
-    case "EXPIRED":
-    case "INVALIDATED_BY_PARENT":
-      return t.red(status);
-    case "SIGNATURE_INVALID":
-      return t.red.bold()(status);
-    default:
-      return status;
-  }
-}
 function outputJson(data) {
   console.log(JSON.stringify(data, null, 2));
 }
+var BOX_CHARS = {
+  topLeft: "\u250C",
+  topRight: "\u2510",
+  bottomLeft: "\u2514",
+  bottomRight: "\u2518",
+  horizontal: "\u2500",
+  vertical: "\u2502"};
+var theme2;
+function getTheme2() {
+  if (!theme2) {
+    const noopFn = (str) => str;
+    const chainable = () => noopFn;
+    theme2 = {
+      red: Object.assign(noopFn, { bold: chainable, dim: chainable }),
+      green: Object.assign(noopFn, { bold: chainable, dim: chainable }),
+      yellow: Object.assign(noopFn, { bold: chainable, dim: chainable }),
+      blue: Object.assign(noopFn, { bold: chainable, dim: chainable }),
+      success: noopFn,
+      error: noopFn,
+      warning: noopFn,
+      info: noopFn,
+      muted: noopFn
+    };
+  }
+  return theme2;
+}
+
+// src/utils/prompts.ts
 async function confirmAction(options) {
+  const theme3 = getTheme2();
+  const defaultIndicator = options.default ? "(Y/n)" : "(y/N)";
+  const message = `${options.message}? ${defaultIndicator}`;
+  const boxWidth = Math.max(message.length + 2, 40);
+  const contentPadding = " ".repeat(boxWidth - message.length - 1);
+  const topBorder = theme3.yellow(
+    `${BOX_CHARS.topLeft}${BOX_CHARS.horizontal.repeat(boxWidth)}${BOX_CHARS.topRight}`
+  );
+  const bottomBorder = theme3.yellow(
+    `${BOX_CHARS.bottomLeft}${BOX_CHARS.horizontal.repeat(boxWidth)}${BOX_CHARS.bottomRight}`
+  );
+  const contentLine = theme3.yellow(BOX_CHARS.vertical) + ` ${message}${contentPadding}` + theme3.yellow(BOX_CHARS.vertical);
+  console.log("");
+  console.log(topBorder);
+  console.log(contentLine);
+  console.log(bottomBorder);
+  console.log("");
   return confirm({
-    message: options.message,
-    default: options.default ?? false
+    message: "",
+    // Empty message since we displayed it above
+    default: options.default ?? false,
+    theme: {
+      prefix: ""
+      // Remove default prefix
+    }
   });
 }
 
@@ -206,71 +243,68 @@ async function runInit(options) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-var statusCommand = new Command("status").description("Show attestation status for all suites").option("-s, --suite <name>", "Show status for specific suite only").option("--json", "Output JSON for machine parsing").action(async (options) => {
-  await runStatus(options);
+var statusCommand = new Command("status").description("Show seal status for all gates").argument("[gates...]", "Show status for specific gates only").option("--json", "Output JSON for machine parsing").action(async (gates, options) => {
+  await runStatus(gates, options);
 });
-async function runStatus(options) {
+async function runStatus(gates, options) {
   try {
     const config = await loadConfig();
-    const attestationsPath = config.settings.attestationsPath;
-    let attestationsFile = null;
-    try {
-      attestationsFile = await readAttestations(attestationsPath);
-    } catch (err) {
-      if (err instanceof Error && !err.message.includes("ENOENT")) {
-        throw err;
-      }
-    }
-    const attestations = attestationsFile?.attestations ?? [];
-    const suiteNames = options.suite ? [options.suite] : Object.keys(config.suites);
-    if (options.suite && !config.suites[options.suite]) {
-      error(`Suite "${options.suite}" not found in config`);
+    const attestItConfig = toAttestItConfig(config);
+    if (!attestItConfig.gates || Object.keys(attestItConfig.gates).length === 0) {
+      error("No gates defined in configuration");
       process.exit(ExitCode.CONFIG_ERROR);
     }
-    const results = [];
-    let hasInvalid = false;
-    for (const suiteName of suiteNames) {
-      const suiteConfig = config.suites[suiteName];
-      if (!suiteConfig) continue;
-      const fingerprintResult = await computeFingerprint({
-        packages: suiteConfig.packages,
-        ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
-      });
-      const attestation = findAttestation(
-        {
-          schemaVersion: "1",
-          attestations,
-          signature: ""
-        },
-        suiteName
-      );
-      const status = determineStatus(
-        attestation ?? null,
-        fingerprintResult.fingerprint,
-        config.settings.maxAgeDays
-      );
-      let age;
-      if (attestation) {
-        const attestedAt = new Date(attestation.attestedAt);
-        age = Math.floor((Date.now() - attestedAt.getTime()) / (1e3 * 60 * 60 * 24));
-      }
-      if (status !== "VALID") {
-        hasInvalid = true;
-      }
-      results.push({
-        name: suiteName,
-        status,
-        currentFingerprint: fingerprintResult.fingerprint,
-        attestedFingerprint: attestation?.fingerprint,
-        attestedAt: attestation?.attestedAt,
-        age
+    const projectRoot = process.cwd();
+    const sealsFile = readSealsSync(projectRoot);
+    const gatesToCheck = gates.length > 0 ? gates : Object.keys(attestItConfig.gates);
+    for (const gateId of gatesToCheck) {
+      if (!attestItConfig.gates[gateId]) {
+        error(`Gate '${gateId}' not found in configuration`);
+        process.exit(ExitCode.CONFIG_ERROR);
+      }
+    }
+    const fingerprints = {};
+    for (const gateId of gatesToCheck) {
+      const gate = attestItConfig.gates[gateId];
+      if (!gate) continue;
+      const result = computeFingerprintSync({
+        packages: gate.fingerprint.paths,
+        ...gate.fingerprint.exclude && { ignore: gate.fingerprint.exclude }
       });
+      fingerprints[gateId] = result.fingerprint;
     }
+    const verificationResults = gates.length > 0 ? gatesToCheck.map(
+      (gateId) => (
+        // eslint-disable-next-line security/detect-object-injection
+        verifyGateSeal(attestItConfig, gateId, sealsFile, fingerprints[gateId] ?? "")
+      )
+    ) : verifyAllSeals(attestItConfig, sealsFile, fingerprints);
+    const results = verificationResults.map((result) => {
+      const status = {
+        gateId: result.gateId,
+        state: result.state,
+        currentFingerprint: fingerprints[result.gateId] ?? "",
+        message: result.message
+      };
+      if (result.seal) {
+        status.sealedFingerprint = result.seal.fingerprint;
+        status.sealedBy = result.seal.sealedBy;
+        status.sealedAt = result.seal.timestamp;
+        const timestamp = new Date(result.seal.timestamp);
+        const now = Date.now();
+        const ageMs = now - timestamp.getTime();
+        status.age = Math.floor(ageMs / (1e3 * 60 * 60 * 24));
+      }
+      return status;
+    });
     if (options.json) {
       outputJson(results);
     } else {
-      displayStatusTable(results, hasInvalid);
+      displayStatusTable(results);
     }
+    const hasInvalid = results.some(
+      (r) => r.state === "MISSING" || r.state === "FINGERPRINT_MISMATCH" || r.state === "INVALID_SIGNATURE" || r.state === "UNKNOWN_SIGNER" || r.state === "STALE"
+    );
     process.exit(hasInvalid ? ExitCode.FAILURE : ExitCode.SUCCESS);
   } catch (err) {
     if (err instanceof Error) {
@@ -281,50 +315,73 @@ async function runStatus(options) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-function determineStatus(attestation, currentFingerprint, maxAgeDays) {
-  if (!attestation) {
-    return "NEEDS_ATTESTATION";
-  }
-  if (attestation.fingerprint !== currentFingerprint) {
-    return "FINGERPRINT_CHANGED";
-  }
-  const attestedAt = new Date(attestation.attestedAt);
-  const ageInDays = Math.floor((Date.now() - attestedAt.getTime()) / (1e3 * 60 * 60 * 24));
-  if (ageInDays > maxAgeDays) {
-    return "EXPIRED";
-  }
-  return "VALID";
-}
-function displayStatusTable(results, hasInvalid) {
+function displayStatusTable(results) {
   const tableRows = results.map((r) => ({
-    suite: r.name,
-    status: colorizeStatus(r.status),
+    suite: r.gateId,
+    status: colorizeState(r.state),
     fingerprint: r.currentFingerprint.slice(0, 16) + "...",
     age: formatAge(r)
   }));
   log("");
   log(formatTable(tableRows));
   log("");
-  if (hasInvalid) {
-    log("Run `attest-it run --suite <name>` to update attestations");
-  } else {
-    success("All attestations valid");
+  const sealed = results.filter((r) => r.sealedBy && r.sealedAt);
+  if (sealed.length > 0) {
+    log("Seal metadata:");
+    for (const result of sealed) {
+      log(`  ${result.gateId}:`);
+      log(`    Sealed by: ${result.sealedBy ?? "unknown"}`);
+      if (result.sealedAt) {
+        const date = new Date(result.sealedAt);
+        log(`    Sealed at: ${date.toLocaleString()}`);
+      }
+    }
+    log("");
   }
-}
-function formatAge(result) {
-  if (result.status === "VALID") {
-    return `${String(result.age ?? 0)} days`;
+  const withIssues = results.filter((r) => r.state !== "VALID" && r.message);
+  if (withIssues.length > 0) {
+    log("Issues:");
+    for (const result of withIssues) {
+      log(`  ${result.gateId}: ${result.message ?? "Unknown issue"}`);
+    }
+    log("");
   }
-  if (result.status === "FINGERPRINT_CHANGED") {
-    return "(changed)";
+  const validCount = results.filter((r) => r.state === "VALID").length;
+  const invalidCount = results.length - validCount;
+  if (invalidCount === 0) {
+    success("All gate seals valid");
+  } else {
+    log(`Run 'attest-it seal' to create or update seals`);
   }
-  if (result.status === "NEEDS_ATTESTATION") {
-    return "(none)";
+}
+function colorizeState(state) {
+  const theme3 = getTheme();
+  switch (state) {
+    case "VALID":
+      return theme3.green(state);
+    case "MISSING":
+    case "STALE":
+      return theme3.yellow(state);
+    case "FINGERPRINT_MISMATCH":
+    case "INVALID_SIGNATURE":
+    case "UNKNOWN_SIGNER":
+      return theme3.red(state);
+    default:
+      return state;
   }
-  if (result.status === "EXPIRED") {
-    return `${String(result.age ?? 0)} days (expired)`;
+}
+function formatAge(result) {
+  if (result.state === "VALID" || result.state === "STALE") {
+    return `${String(result.age ?? 0)} days${result.state === "STALE" ? " (stale)" : ""}`;
+  }
+  switch (result.state) {
+    case "MISSING":
+      return "(none)";
+    case "FINGERPRINT_MISMATCH":
+      return "(changed)";
+    default:
+      return "-";
   }
-  return "-";
 }
 function Header({ pendingCount }) {
   const message = `${pendingCount.toString()} suite${pendingCount === 1 ? "" : "s"} need${pendingCount === 1 ? "s" : ""} attestation`;
@@ -407,14 +464,14 @@ function SelectionPrompt({
   onSelect,
   groups
 }) {
-  useInput((input) => {
-    const matchedOption = options.find((opt) => opt.hint === input);
+  useInput((input5) => {
+    const matchedOption = options.find((opt) => opt.hint === input5);
     if (matchedOption) {
       onSelect(matchedOption.value);
       return;
     }
     if (groups) {
-      const matchedGroup = groups.find((group) => group.name === input);
+      const matchedGroup = groups.find((group) => group.name === input5);
       if (matchedGroup) {
         onSelect(matchedGroup.name);
       }
@@ -464,17 +521,17 @@ function SuiteSelector({
       return next;
     });
   }, []);
-  useInput((input, key) => {
-    if (input === "a") {
+  useInput((input5, key) => {
+    if (input5 === "a") {
       setSelectedSuites(new Set(pendingSuites.map((s) => s.name)));
       return;
     }
-    if (input === "n") {
+    if (input5 === "n") {
       onExit();
       return;
     }
-    if (/^[1-9]$/.test(input)) {
-      const idx = parseInt(input, 10) - 1;
+    if (/^[1-9]$/.test(input5)) {
+      const idx = parseInt(input5, 10) - 1;
       if (idx < pendingSuites.length) {
         const suite = pendingSuites[idx];
         if (suite) {
@@ -483,8 +540,8 @@ function SuiteSelector({
       }
       return;
     }
-    if (input.startsWith("g") && groups) {
-      const groupIdx = parseInt(input.slice(1), 10) - 1;
+    if (input5.startsWith("g") && groups) {
+      const groupIdx = parseInt(input5.slice(1), 10) - 1;
       const groupNames = Object.keys(groups);
       if (groupIdx >= 0 && groupIdx < groupNames.length) {
         const groupName = groupNames[groupIdx];
@@ -501,7 +558,7 @@ function SuiteSelector({
       onSelect(Array.from(selectedSuites));
       return;
     }
-    if (input === " ") {
+    if (input5 === " ") {
       const currentSuite = pendingSuites[cursorIndex];
       if (currentSuite) {
         toggleSuite(currentSuite.name);
@@ -634,11 +691,11 @@ function TestRunner({
     };
   }, [currentIndex, phase, suites, executeTest, onComplete]);
   useInput(
-    (input, key) => {
+    (input5, key) => {
       if (phase !== "confirming") return;
       const currentSuite2 = suites[currentIndex];
       if (!currentSuite2) return;
-      if (input.toLowerCase() === "y" || key.return) {
+      if (input5.toLowerCase() === "y" || key.return) {
         createAttestation3(currentSuite2).then(() => {
           setResults((prev) => ({
             ...prev,
@@ -655,7 +712,7 @@ function TestRunner({
           setPhase("running");
         });
       }
-      if (input.toLowerCase() === "n") {
+      if (input5.toLowerCase() === "n") {
         setResults((prev) => ({
           ...prev,
           skipped: [...prev.skipped, currentSuite2]
@@ -824,7 +881,7 @@ function InteractiveRun({
     ] })
   ] });
 }
-function determineStatus2(attestation, currentFingerprint, maxAgeDays) {
+function determineStatus(attestation, currentFingerprint, maxAgeDays) {
   if (!attestation) {
     return "NEEDS_ATTESTATION";
   }
@@ -850,6 +907,9 @@ async function getAllSuiteStatuses(config) {
   const attestations = attestationsFile?.attestations ?? [];
   const results = [];
   for (const [suiteName, suiteConfig] of Object.entries(config.suites)) {
+    if (!suiteConfig.packages) {
+      continue;
+    }
     const fingerprintResult = await computeFingerprint({
       packages: suiteConfig.packages,
       ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
@@ -858,7 +918,7 @@ async function getAllSuiteStatuses(config) {
       { schemaVersion: "1", attestations, signature: "" },
       suiteName
     );
-    const status = determineStatus2(
+    const status = determineStatus(
       attestation,
       fingerprintResult.fingerprint,
       config.settings.maxAgeDays
@@ -1015,6 +1075,9 @@ function createAttestationCreator(config) {
     if (!suiteConfig) {
       throw new Error(`Suite "${suiteName}" not found`);
     }
+    if (!suiteConfig.packages) {
+      throw new Error(`Suite "${suiteName}" has no packages defined`);
+    }
     const fingerprintResult = await computeFingerprint({
       packages: suiteConfig.packages,
       ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
@@ -1029,14 +1092,34 @@ function createAttestationCreator(config) {
     const existingFile = await readAttestations(attestationsPath).catch(() => null);
     const existingAttestations = existingFile?.attestations ?? [];
     const newAttestations = upsertAttestation(existingAttestations, attestation);
-    const privateKeyPath = getDefaultPrivateKeyPath();
-    if (!fs.existsSync(privateKeyPath)) {
-      throw new Error(`Private key not found: ${privateKeyPath}. Run "attest-it keygen" first.`);
+    let keyProvider;
+    let keyRef;
+    if (config.settings.keyProvider) {
+      keyProvider = KeyProviderRegistry.create({
+        type: config.settings.keyProvider.type,
+        options: config.settings.keyProvider.options ?? {}
+      });
+      if (config.settings.keyProvider.type === "filesystem") {
+        keyRef = config.settings.keyProvider.options?.privateKeyPath ?? getDefaultPrivateKeyPath();
+      } else if (config.settings.keyProvider.type === "1password") {
+        keyRef = config.settings.keyProvider.options?.itemName ?? "attest-it-private-key";
+      } else {
+        throw new Error(`Unsupported key provider type: ${config.settings.keyProvider.type}`);
+      }
+    } else {
+      keyProvider = new FilesystemKeyProvider();
+      keyRef = getDefaultPrivateKeyPath();
+    }
+    if (!await keyProvider.keyExists(keyRef)) {
+      const providerName = keyProvider.displayName;
+      const keygenMessage = keyProvider.type === "filesystem" ? 'Run "attest-it keygen" first to generate a keypair.' : 'Run "attest-it keygen" to generate and store a key.';
+      throw new Error(`Private key not found in ${providerName}. ${keygenMessage}`);
     }
     await writeSignedAttestations({
       filePath: attestationsPath,
       attestations: newAttestations,
-      privateKeyPath
+      keyProvider,
+      keyRef
     });
     log(`\u2713 Attestation created for ${suiteName}`);
   };
@@ -1099,7 +1182,7 @@ async function checkDirtyWorkingTree() {
 }
 
 // src/commands/run.ts
-var runCommand = new Command("run").description("Execute tests and create attestation").option("-s, --suite <name>", "Run specific suite (required unless --all or interactive mode)").option("-a, --all", "Run all suites needing attestation").option("--no-attest", "Run tests without creating attestation").option("-y, --yes", "Skip confirmation prompt").option("--dry-run", "Show what would run without executing").option("-c, --continue", "Resume interrupted session").option("--filter <pattern>", "Filter suites by pattern (glob-style)").action(async (options) => {
+var runCommand = new Command("run").description("Execute tests and create attestation").option("-s, --suite <name>", "Run specific suite (required unless --all or interactive mode)").option("-a, --all", "Run all suites needing attestation").option("--no-attest", "Run tests without creating attestation").option("--dry-run", "Show what would run without executing").option("-c, --continue", "Resume interrupted session").option("--filter <pattern>", "Filter suites by pattern (glob-style)").action(async (options) => {
   await runTests(options);
 });
 async function runTests(options) {
@@ -1264,6 +1347,10 @@ async function runSingleSuite(suiteName, config, options) {
     error(`Suite "${suiteName}" not found in config`);
     process.exit(ExitCode.CONFIG_ERROR);
   }
+  if (!suiteConfig.packages) {
+    error(`Suite "${suiteName}" has no packages defined`);
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
   log(`
 === Running suite: ${suiteName} ===
 `);
@@ -1287,9 +1374,9 @@ async function runSingleSuite(suiteName, config, options) {
     log("Skipping attestation (--no-attest)");
     return;
   }
-  const shouldAttest = options.yes ?? await confirmAction({
-    message: "Create attestation?",
-    default: true
+  const shouldAttest = await confirmAction({
+    message: "Create attestation",
+    default: false
   });
   if (!shouldAttest) {
     warn("Attestation cancelled");
@@ -1305,32 +1392,546 @@ async function runSingleSuite(suiteName, config, options) {
   const existingFile = await readAttestations(attestationsPath);
   const existingAttestations = existingFile?.attestations ?? [];
   const newAttestations = upsertAttestation(existingAttestations, attestation);
-  const privateKeyPath = getDefaultPrivateKeyPath();
-  if (!fs.existsSync(privateKeyPath)) {
-    error(`Private key not found: ${privateKeyPath}`);
-    error('Run "attest-it keygen" first to generate a keypair.');
+  let keyProvider;
+  let keyRef;
+  if (config.settings.keyProvider) {
+    keyProvider = KeyProviderRegistry.create({
+      type: config.settings.keyProvider.type,
+      options: config.settings.keyProvider.options ?? {}
+    });
+    if (config.settings.keyProvider.type === "filesystem") {
+      keyRef = config.settings.keyProvider.options?.privateKeyPath ?? getDefaultPrivateKeyPath();
+    } else if (config.settings.keyProvider.type === "1password") {
+      keyRef = config.settings.keyProvider.options?.itemName ?? "attest-it-private-key";
+    } else {
+      throw new Error(`Unsupported key provider type: ${config.settings.keyProvider.type}`);
+    }
+  } else {
+    keyProvider = new FilesystemKeyProvider();
+    keyRef = getDefaultPrivateKeyPath();
+  }
+  if (!await keyProvider.keyExists(keyRef)) {
+    error(`Private key not found in ${keyProvider.displayName}`);
+    if (keyProvider.type === "filesystem") {
+      error('Run "attest-it keygen" first to generate a keypair.');
+    } else {
+      error('Run "attest-it keygen" to generate and store a key.');
+    }
     process.exit(ExitCode.MISSING_KEY);
   }
   await writeSignedAttestations({
     filePath: attestationsPath,
     attestations: newAttestations,
-    privateKeyPath
+    keyProvider,
+    keyRef
   });
   success(`Attestation created for ${suiteName}`);
   log(`  Fingerprint: ${fingerprintResult.fingerprint}`);
   log(`  Attested by: ${attestation.attestedBy}`);
   log(`  Attested at: ${attestation.attestedAt}`);
+  if (suiteConfig.gate) {
+    await promptForSeal(suiteName, suiteConfig.gate, config);
+  }
+}
+async function promptForSeal(suiteName, gateId, config) {
+  log("");
+  log(`Suite '${suiteName}' is linked to gate '${gateId}'`);
+  const localConfig = loadLocalConfigSync();
+  if (!localConfig) {
+    warn("No local identity configuration found - cannot create seal");
+    warn('Run "attest-it keygen" to set up your identity');
+    return;
+  }
+  const identity = getActiveIdentity(localConfig);
+  if (!identity) {
+    warn(`Active identity '${localConfig.activeIdentity}' not found in local config`);
+    return;
+  }
+  const attestItConfig = toAttestItConfig(config);
+  const authorized = isAuthorizedSigner(attestItConfig, gateId, identity.publicKey);
+  if (!authorized) {
+    warn(`You are not authorized to seal gate '${gateId}'`);
+    return;
+  }
+  const shouldSeal = await confirmAction({
+    message: `Create seal for gate '${gateId}'`,
+    default: true
+  });
+  if (!shouldSeal) {
+    log("Seal creation skipped");
+    return;
+  }
+  try {
+    if (!attestItConfig.gates?.[gateId]) {
+      error(`Gate '${gateId}' not found in configuration`);
+      return;
+    }
+    const gate = attestItConfig.gates[gateId];
+    const gateFingerprint = computeFingerprintSync({
+      packages: gate.fingerprint.paths,
+      ...gate.fingerprint.exclude && { ignore: gate.fingerprint.exclude }
+    });
+    const keyProvider = createKeyProviderFromIdentity(identity);
+    const keyRef = getKeyRefFromIdentity(identity);
+    const keyResult = await keyProvider.getPrivateKey(keyRef);
+    const fs4 = await import('fs/promises');
+    const privateKeyPem = await fs4.readFile(keyResult.keyPath, "utf8");
+    await keyResult.cleanup();
+    const seal = createSeal({
+      gateId,
+      fingerprint: gateFingerprint.fingerprint,
+      sealedBy: identity.name,
+      privateKey: privateKeyPem
+    });
+    const projectRoot = process.cwd();
+    const sealsFile = readSealsSync(projectRoot);
+    sealsFile.seals[gateId] = seal;
+    writeSealsSync(projectRoot, sealsFile);
+    success(`Seal created for gate '${gateId}'`);
+    log(`  Sealed by: ${identity.name}`);
+    log(`  Timestamp: ${seal.timestamp}`);
+  } catch (err) {
+    if (err instanceof Error) {
+      error(`Failed to create seal: ${err.message}`);
+    } else {
+      error("Failed to create seal: Unknown error");
+    }
+  }
+}
+function createKeyProviderFromIdentity(identity) {
+  const { privateKey } = identity;
+  switch (privateKey.type) {
+    case "file":
+      return KeyProviderRegistry.create({
+        type: "filesystem",
+        options: { privateKeyPath: privateKey.path }
+      });
+    case "keychain":
+      return KeyProviderRegistry.create({
+        type: "macos-keychain",
+        options: {
+          service: privateKey.service,
+          account: privateKey.account
+        }
+      });
+    case "1password":
+      return KeyProviderRegistry.create({
+        type: "1password",
+        options: {
+          account: privateKey.account,
+          vault: privateKey.vault,
+          itemName: privateKey.item,
+          field: privateKey.field
+        }
+      });
+    default: {
+      const _exhaustiveCheck = privateKey;
+      throw new Error(`Unsupported private key type: ${String(_exhaustiveCheck)}`);
+    }
+  }
 }
-var keygenCommand = new Command("keygen").description("Generate a new RSA keypair for signing attestations").option("-o, --output <path>", "Private key output path").option("-p, --public <path>", "Public key output path").option("-f, --force", "Overwrite existing keys").action(async (options) => {
+function getKeyRefFromIdentity(identity) {
+  const { privateKey } = identity;
+  switch (privateKey.type) {
+    case "file":
+      return privateKey.path;
+    case "keychain":
+      return `${privateKey.service}:${privateKey.account}`;
+    case "1password":
+      return privateKey.item;
+    default: {
+      const _exhaustiveCheck = privateKey;
+      throw new Error(`Unsupported private key type: ${String(_exhaustiveCheck)}`);
+    }
+  }
+}
+function KeygenInteractive(props) {
+  const { onComplete, onError } = props;
+  const [step, setStep] = useState("checking-providers");
+  const [opAvailable, setOpAvailable] = useState(false);
+  const [keychainAvailable, setKeychainAvailable] = useState(false);
+  const [accounts, setAccounts] = useState([]);
+  const [vaults, setVaults] = useState([]);
+  const [_selectedProvider, setSelectedProvider] = useState();
+  const [selectedAccount, setSelectedAccount] = useState();
+  const [selectedVault, setSelectedVault] = useState();
+  const [itemName, setItemName] = useState("attest-it-private-key");
+  const [keychainItemName, setKeychainItemName] = useState("attest-it-private-key");
+  useEffect(() => {
+    const checkProviders = async () => {
+      try {
+        const isInstalled = await OnePasswordKeyProvider.isInstalled();
+        setOpAvailable(isInstalled);
+        if (isInstalled) {
+          const accountList = await OnePasswordKeyProvider.listAccounts();
+          setAccounts(accountList);
+        }
+      } catch {
+        setOpAvailable(false);
+      }
+      const isKeychainAvailable = MacOSKeychainKeyProvider.isAvailable();
+      setKeychainAvailable(isKeychainAvailable);
+      setStep("select-provider");
+    };
+    void checkProviders();
+  }, []);
+  useEffect(() => {
+    if (step === "select-vault" && selectedAccount) {
+      const fetchVaults = async () => {
+        try {
+          const vaultList = await OnePasswordKeyProvider.listVaults(selectedAccount);
+          setVaults(vaultList);
+        } catch (err) {
+          onError(err instanceof Error ? err : new Error("Failed to fetch vaults"));
+        }
+      };
+      void fetchVaults();
+    }
+  }, [step, selectedAccount, onError]);
+  const handleProviderSelect = (value) => {
+    if (value === "filesystem") {
+      setSelectedProvider("filesystem");
+      void generateKeys("filesystem");
+    } else if (value === "1password") {
+      setSelectedProvider("1password");
+      if (accounts.length === 1 && accounts[0]) {
+        setSelectedAccount(accounts[0].email);
+        setStep("select-vault");
+      } else {
+        setStep("select-account");
+      }
+    } else if (value === "macos-keychain") {
+      setSelectedProvider("macos-keychain");
+      setStep("enter-keychain-item-name");
+    }
+  };
+  const handleAccountSelect = (value) => {
+    setSelectedAccount(value);
+    setStep("select-vault");
+  };
+  const handleVaultSelect = (value) => {
+    setSelectedVault(value);
+    setStep("enter-item-name");
+  };
+  const handleItemNameSubmit = (value) => {
+    setItemName(value);
+    void generateKeys("1password");
+  };
+  const handleKeychainItemNameSubmit = (value) => {
+    setKeychainItemName(value);
+    void generateKeys("macos-keychain");
+  };
+  const generateKeys = async (provider) => {
+    setStep("generating");
+    try {
+      const publicKeyPath = props.publicKeyPath ?? getDefaultPublicKeyPath();
+      if (provider === "filesystem") {
+        const fsProvider = new FilesystemKeyProvider();
+        const genOptions = { publicKeyPath };
+        if (props.force !== void 0) {
+          genOptions.force = props.force;
+        }
+        const result = await fsProvider.generateKeyPair(genOptions);
+        onComplete({
+          provider: "filesystem",
+          publicKeyPath: result.publicKeyPath,
+          privateKeyRef: result.privateKeyRef,
+          storageDescription: result.storageDescription
+        });
+      } else if (provider === "1password") {
+        if (!selectedVault || !itemName) {
+          throw new Error("Vault and item name are required for 1Password");
+        }
+        const providerOptions = {
+          vault: selectedVault,
+          itemName
+        };
+        if (selectedAccount !== void 0) {
+          providerOptions.account = selectedAccount;
+        }
+        const opProvider = new OnePasswordKeyProvider(providerOptions);
+        const genOptions = { publicKeyPath };
+        if (props.force !== void 0) {
+          genOptions.force = props.force;
+        }
+        const result = await opProvider.generateKeyPair(genOptions);
+        const completionResult = {
+          provider: "1password",
+          publicKeyPath: result.publicKeyPath,
+          privateKeyRef: result.privateKeyRef,
+          storageDescription: result.storageDescription,
+          vault: selectedVault,
+          itemName
+        };
+        if (selectedAccount !== void 0) {
+          completionResult.account = selectedAccount;
+        }
+        onComplete(completionResult);
+      } else {
+        if (!keychainItemName) {
+          throw new Error("Item name is required for macOS Keychain");
+        }
+        const keychainProvider = new MacOSKeychainKeyProvider({
+          itemName: keychainItemName
+        });
+        const genOptions = { publicKeyPath };
+        if (props.force !== void 0) {
+          genOptions.force = props.force;
+        }
+        const result = await keychainProvider.generateKeyPair(genOptions);
+        onComplete({
+          provider: "macos-keychain",
+          publicKeyPath: result.publicKeyPath,
+          privateKeyRef: result.privateKeyRef,
+          storageDescription: result.storageDescription,
+          itemName: keychainItemName
+        });
+      }
+      setStep("done");
+    } catch (err) {
+      onError(err instanceof Error ? err : new Error("Key generation failed"));
+    }
+  };
+  if (step === "checking-providers") {
+    return /* @__PURE__ */ jsx(Box, { flexDirection: "column", children: /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
+      /* @__PURE__ */ jsx(Spinner, {}),
+      /* @__PURE__ */ jsx(Text, { children: "Checking available key storage providers..." })
+    ] }) });
+  }
+  if (step === "select-provider") {
+    const options = [
+      {
+        label: `Local Filesystem (${getDefaultPrivateKeyPath()})`,
+        value: "filesystem"
+      }
+    ];
+    if (keychainAvailable) {
+      options.push({
+        label: "macOS Keychain",
+        value: "macos-keychain"
+      });
+    }
+    if (opAvailable) {
+      options.push({
+        label: "1Password (requires op CLI)",
+        value: "1password"
+      });
+    }
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Where would you like to store your private key?" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(Select, { options, onChange: handleProviderSelect })
+    ] });
+  }
+  if (step === "select-account") {
+    const options = accounts.map((account) => ({
+      label: account.email,
+      value: account.email
+    }));
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Select 1Password account:" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(Select, { options, onChange: handleAccountSelect })
+    ] });
+  }
+  if (step === "select-vault") {
+    if (vaults.length === 0) {
+      return /* @__PURE__ */ jsx(Box, { flexDirection: "column", children: /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
+        /* @__PURE__ */ jsx(Spinner, {}),
+        /* @__PURE__ */ jsx(Text, { children: "Loading vaults..." })
+      ] }) });
+    }
+    const options = vaults.map((vault) => ({
+      label: vault.name,
+      value: vault.name
+    }));
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Select vault for private key storage:" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(Select, { options, onChange: handleVaultSelect })
+    ] });
+  }
+  if (step === "enter-item-name") {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Enter name for the key item:" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "(This will be visible in your 1Password vault)" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(TextInput, { defaultValue: itemName, onSubmit: handleItemNameSubmit })
+    ] });
+  }
+  if (step === "enter-keychain-item-name") {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Enter name for the keychain item:" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "(This will be the service name in your macOS Keychain)" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(TextInput, { defaultValue: keychainItemName, onSubmit: handleKeychainItemNameSubmit })
+    ] });
+  }
+  if (step === "generating") {
+    return /* @__PURE__ */ jsx(Box, { flexDirection: "column", children: /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
+      /* @__PURE__ */ jsx(Spinner, {}),
+      /* @__PURE__ */ jsx(Text, { children: "Generating RSA-2048 keypair..." })
+    ] }) });
+  }
+  return /* @__PURE__ */ jsx(Box, {});
+}
+async function runKeygenInteractive(options) {
+  return new Promise((resolve2, reject) => {
+    const props = {
+      onComplete: (result) => {
+        unmount();
+        resolve2(result);
+      },
+      onCancel: () => {
+        unmount();
+        reject(new Error("Keygen cancelled"));
+      },
+      onError: (error2) => {
+        unmount();
+        reject(error2);
+      }
+    };
+    if (options.publicKeyPath !== void 0) {
+      props.publicKeyPath = options.publicKeyPath;
+    }
+    if (options.force !== void 0) {
+      props.force = options.force;
+    }
+    const { unmount } = render(/* @__PURE__ */ jsx(KeygenInteractive, { ...props }));
+  });
+}
+
+// src/commands/keygen.ts
+var keygenCommand = new Command("keygen").description("Generate a new RSA keypair for signing attestations").option("-o, --output <path>", "Public key output path").option("-p, --private <path>", "Private key output path (filesystem only)").option(
+  "--provider <type>",
+  "Key provider: filesystem, 1password, or macos-keychain (skips interactive)"
+).option("--vault <name>", "1Password vault name").option("--item-name <name>", "1Password/macOS Keychain item name").option("--account <email>", "1Password account").option("-f, --force", "Overwrite existing keys").option("--no-interactive", "Disable interactive mode").action(async (options) => {
   await runKeygen(options);
 });
 async function runKeygen(options) {
   try {
-    log("Checking OpenSSL...");
-    const version = await checkOpenSSL();
-    info(`OpenSSL: ${version}`);
-    const privatePath = options.output ?? getDefaultPrivateKeyPath();
-    const publicPath = options.public ?? getDefaultPublicKeyPath();
+    const useInteractive = options.interactive !== false && !options.provider;
+    if (useInteractive) {
+      const interactiveOptions = {};
+      if (options.output !== void 0) {
+        interactiveOptions.publicKeyPath = options.output;
+      }
+      if (options.force !== void 0) {
+        interactiveOptions.force = options.force;
+      }
+      const result = await runKeygenInteractive(interactiveOptions);
+      success("Keypair generated successfully!");
+      log("");
+      log("Private key stored in:");
+      log(`  ${result.storageDescription}`);
+      log("");
+      log("Public key (commit to repo):");
+      log(`  ${result.publicKeyPath}`);
+      log("");
+      if (result.provider === "1password") {
+        log("Add to your .attest-it/config.yaml:");
+        log("");
+        log("settings:");
+        log(`  publicKeyPath: ${result.publicKeyPath}`);
+        log("  keyProvider:");
+        log("    type: 1password");
+        log("    options:");
+        if (result.account) {
+          log(`      account: ${result.account}`);
+        }
+        log(`      vault: ${result.vault ?? ""}`);
+        log(`      itemName: ${result.itemName ?? ""}`);
+        log("");
+      } else if (result.provider === "macos-keychain") {
+        log("Add to your .attest-it/config.yaml:");
+        log("");
+        log("settings:");
+        log(`  publicKeyPath: ${result.publicKeyPath}`);
+        log("  keyProvider:");
+        log("    type: macos-keychain");
+        log("    options:");
+        log(`      itemName: ${result.itemName ?? ""}`);
+        log("");
+      }
+      log("Next steps:");
+      log(`  1. git add ${result.publicKeyPath}`);
+      if (result.provider === "1password" || result.provider === "macos-keychain") {
+        log("  2. Update .attest-it/config.yaml with keyProvider settings");
+      } else {
+        log("  2. Update .attest-it/config.yaml publicKeyPath if needed");
+      }
+      log("  3. attest-it run --suite <suite-name>");
+    } else {
+      await runNonInteractiveKeygen(options);
+    }
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+async function runNonInteractiveKeygen(options) {
+  log("Checking OpenSSL...");
+  const version = await checkOpenSSL();
+  info(`OpenSSL: ${version}`);
+  const publicPath = options.output ?? getDefaultPublicKeyPath();
+  if (options.provider === "1password") {
+    if (!options.vault || !options.itemName) {
+      throw new Error("--vault and --item-name are required for 1password provider");
+    }
+    const providerOptions = {
+      vault: options.vault,
+      itemName: options.itemName
+    };
+    if (options.account !== void 0) {
+      providerOptions.account = options.account;
+    }
+    const provider = new OnePasswordKeyProvider(providerOptions);
+    log(`Generating keypair with 1Password storage...`);
+    log(`Vault: ${options.vault}`);
+    log(`Item: ${options.itemName}`);
+    const genOptions = { publicKeyPath: publicPath };
+    if (options.force !== void 0) {
+      genOptions.force = options.force;
+    }
+    const result = await provider.generateKeyPair(genOptions);
+    success("Keypair generated successfully!");
+    log("");
+    log("Private key stored in:");
+    log(`  ${result.storageDescription}`);
+    log("");
+    log("Public key (commit to repo):");
+    log(`  ${result.publicKeyPath}`);
+  } else if (options.provider === "macos-keychain") {
+    if (!options.itemName) {
+      throw new Error("--item-name is required for macos-keychain provider");
+    }
+    const isAvailable = MacOSKeychainKeyProvider.isAvailable();
+    if (!isAvailable) {
+      throw new Error("macOS Keychain is not available on this platform");
+    }
+    const provider = new MacOSKeychainKeyProvider({
+      itemName: options.itemName
+    });
+    log(`Generating keypair with macOS Keychain storage...`);
+    log(`Item: ${options.itemName}`);
+    const genOptions = { publicKeyPath: publicPath };
+    if (options.force !== void 0) {
+      genOptions.force = options.force;
+    }
+    const result = await provider.generateKeyPair(genOptions);
+    success("Keypair generated successfully!");
+    log("");
+    log("Private key stored in:");
+    log(`  ${result.storageDescription}`);
+    log("");
+    log("Public key (commit to repo):");
+    log(`  ${result.publicKeyPath}`);
+  } else {
+    const privatePath = options.private ?? getDefaultPrivateKeyPath();
     log(`Private key: ${privatePath}`);
     log(`Public key: ${publicPath}`);
     const privateExists = fs.existsSync(privatePath);
@@ -1365,21 +1966,14 @@ async function runKeygen(options) {
     log("");
     log("Public key (commit to repo):");
     log(`  ${result.publicPath}`);
-    log("");
-    info("Important: Back up your private key securely!");
-    log("");
-    log("Next steps:");
-    log(`  1. git add ${result.publicPath}`);
-    log("  2. Update .attest-it/config.yaml publicKeyPath if needed");
-    log("  3. attest-it run --suite <suite-name>");
-  } catch (err) {
-    if (err instanceof Error) {
-      error(err.message);
-    } else {
-      error("Unknown error occurred");
-    }
-    process.exit(ExitCode.CONFIG_ERROR);
   }
+  log("");
+  info("Important: Back up your private key securely!");
+  log("");
+  log("Next steps:");
+  log(`  1. git add ${publicPath}`);
+  log("  2. Update .attest-it/config.yaml publicKeyPath if needed");
+  log("  3. attest-it run --suite <suite-name>");
 }
 var pruneCommand = new Command("prune").description("Remove stale attestations").option("-n, --dry-run", "Show what would be removed without removing").option("-k, --keep-days <n>", "Keep attestations newer than n days", "30").action(async (options) => {
   await runPrune(options);
@@ -1412,7 +2006,7 @@ async function runPrune(options) {
       let fingerprintMatches = false;
       if (suiteExists) {
         const suiteConfig = config.suites[attestation.suite];
-        if (suiteConfig) {
+        if (suiteConfig?.packages) {
           const fingerprintOptions = {
             packages: suiteConfig.packages,
             ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
@@ -1473,57 +2067,211 @@ async function runPrune(options) {
     return;
   }
 }
-var verifyCommand = new Command("verify").description("Verify all attestations (for CI)").option("-s, --suite <name>", "Verify specific suite only").option("--json", "Output JSON for machine parsing").option("--strict", "Fail on warnings (approaching expiry)").action(async (options) => {
-  await runVerify(options);
+var verifyCommand = new Command("verify").description("Verify all gate seals (for CI)").argument("[gates...]", "Verify specific gates only").option("--json", "Output JSON for machine parsing").action(async (gates, options) => {
+  await runVerify(gates, options);
 });
-async function runVerify(options) {
+async function runVerify(gates, options) {
   try {
     const config = await loadConfig();
-    if (options.suite) {
-      if (!config.suites[options.suite]) {
-        error(`Suite "${options.suite}" not found in config`);
-        process.exit(ExitCode.CONFIG_ERROR);
-      }
-      const filteredSuiteEntry = config.suites[options.suite];
-      if (!filteredSuiteEntry) {
-        error(`Suite "${options.suite}" not found in config`);
+    const attestItConfig = toAttestItConfig(config);
+    if (!attestItConfig.gates || Object.keys(attestItConfig.gates).length === 0) {
+      error("No gates defined in configuration");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const projectRoot = process.cwd();
+    const sealsFile = readSealsSync(projectRoot);
+    const gatesToVerify = gates.length > 0 ? gates : Object.keys(attestItConfig.gates);
+    for (const gateId of gatesToVerify) {
+      if (!attestItConfig.gates[gateId]) {
+        error(`Gate '${gateId}' not found in configuration`);
         process.exit(ExitCode.CONFIG_ERROR);
       }
-      const filteredConfig = {
-        version: config.version,
-        settings: config.settings,
-        suites: { [options.suite]: filteredSuiteEntry }
-      };
-      const result2 = await verifyAttestations({ config: toAttestItConfig(filteredConfig) });
-      if (options.json) {
-        outputJson(result2);
-      } else {
-        displayResults(result2, filteredConfig.settings.maxAgeDays, options.strict);
-      }
-      if (!result2.success) {
-        process.exit(ExitCode.FAILURE);
-        return;
-      }
-      if (options.strict && hasWarnings(result2, filteredConfig.settings.maxAgeDays)) {
-        process.exit(ExitCode.FAILURE);
-        return;
-      }
-      process.exit(ExitCode.SUCCESS);
-      return;
     }
-    const result = await verifyAttestations({ config: toAttestItConfig(config) });
+    const fingerprints = {};
+    for (const gateId of gatesToVerify) {
+      const gate = attestItConfig.gates[gateId];
+      if (!gate) continue;
+      const result = computeFingerprintSync({
+        packages: gate.fingerprint.paths,
+        ...gate.fingerprint.exclude && { ignore: gate.fingerprint.exclude }
+      });
+      fingerprints[gateId] = result.fingerprint;
+    }
+    const results = gates.length > 0 ? gatesToVerify.map(
+      (gateId) => (
+        // eslint-disable-next-line security/detect-object-injection
+        verifyGateSeal(attestItConfig, gateId, sealsFile, fingerprints[gateId] ?? "")
+      )
+    ) : verifyAllSeals(attestItConfig, sealsFile, fingerprints);
     if (options.json) {
-      outputJson(result);
+      outputJson(results);
     } else {
-      displayResults(result, config.settings.maxAgeDays, options.strict);
+      displayResults(results);
     }
-    if (!result.success) {
+    const hasInvalid = results.some(
+      (r) => r.state === "MISSING" || r.state === "FINGERPRINT_MISMATCH" || r.state === "INVALID_SIGNATURE" || r.state === "UNKNOWN_SIGNER"
+    );
+    const hasStale = results.some((r) => r.state === "STALE");
+    if (hasInvalid) {
       process.exit(ExitCode.FAILURE);
+    } else if (hasStale) {
+      process.exit(ExitCode.SUCCESS);
+    } else {
+      process.exit(ExitCode.SUCCESS);
+    }
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+function displayResults(results) {
+  log("");
+  const tableRows = results.map((r) => ({
+    suite: r.gateId,
+    status: colorizeState2(r.state),
+    fingerprint: formatFingerprint(r),
+    age: formatAge2(r)
+  }));
+  log(formatTable(tableRows));
+  log("");
+  const withIssues = results.filter(
+    (r) => r.state !== "VALID" && r.state !== "STALE" && // STALE gets its own warning below
+    r.message
+  );
+  if (withIssues.length > 0) {
+    for (const result of withIssues) {
+      if (result.message) {
+        log(`${result.gateId}: ${result.message}`);
+      }
+    }
+    log("");
+  }
+  const validCount = results.filter((r) => r.state === "VALID").length;
+  const staleCount = results.filter((r) => r.state === "STALE").length;
+  const invalidCount = results.length - validCount - staleCount;
+  if (invalidCount === 0 && staleCount === 0) {
+    success("All gate seals valid");
+  } else {
+    if (invalidCount > 0) {
+      error(`${String(invalidCount)} gate(s) have invalid or missing seals`);
+      log("Run `attest-it seal` to create seals for these gates");
+    }
+    if (staleCount > 0) {
+      warn(`${String(staleCount)} gate(s) have stale seals (exceeds maxAge)`);
+      log("Run `attest-it seal --force <gate>` to update stale seals");
+    }
+  }
+}
+function colorizeState2(state) {
+  const theme3 = getTheme();
+  switch (state) {
+    case "VALID":
+      return theme3.green(state);
+    case "MISSING":
+    case "STALE":
+      return theme3.yellow(state);
+    case "FINGERPRINT_MISMATCH":
+    case "INVALID_SIGNATURE":
+    case "UNKNOWN_SIGNER":
+      return theme3.red(state);
+    default:
+      return state;
+  }
+}
+function formatFingerprint(result) {
+  if (result.seal?.fingerprint) {
+    const fp = result.seal.fingerprint;
+    if (fp.length > 16) {
+      return fp.slice(0, 16) + "...";
+    }
+    return fp;
+  }
+  return result.state === "MISSING" ? "(none)" : "-";
+}
+function formatAge2(result) {
+  if (result.seal?.timestamp) {
+    const timestamp = new Date(result.seal.timestamp);
+    const now = Date.now();
+    const ageMs = now - timestamp.getTime();
+    const ageDays = Math.floor(ageMs / (1e3 * 60 * 60 * 24));
+    if (result.state === "STALE") {
+      return `${String(ageDays)} days (stale)`;
+    }
+    return `${String(ageDays)} days`;
+  }
+  switch (result.state) {
+    case "MISSING":
+      return "(none)";
+    case "FINGERPRINT_MISMATCH":
+      return "(changed)";
+    default:
+      return "-";
+  }
+}
+var sealCommand = new Command("seal").description("Create seals for gates").argument("[gates...]", "Gate IDs to seal (defaults to all gates without valid seals)").option("--force", "Force seal creation even if gate already has a valid seal").option("--dry-run", "Show what would be sealed without creating seals").action(async (gates, options) => {
+  await runSeal(gates, options);
+});
+async function runSeal(gates, options) {
+  try {
+    const config = await loadConfig();
+    const attestItConfig = toAttestItConfig(config);
+    if (!attestItConfig.gates || Object.keys(attestItConfig.gates).length === 0) {
+      error("No gates defined in configuration");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const localConfig = loadLocalConfigSync();
+    if (!localConfig) {
+      error("No local identity configuration found");
+      error('Run "attest-it keygen" first to set up your identity');
+      process.exit(ExitCode.CONFIG_ERROR);
     }
-    if (options.strict && hasWarnings(result, config.settings.maxAgeDays)) {
+    const identity = getActiveIdentity(localConfig);
+    if (!identity) {
+      error(`Active identity '${localConfig.activeIdentity}' not found in local config`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const projectRoot = process.cwd();
+    const sealsFile = readSealsSync(projectRoot);
+    const gatesToSeal = gates.length > 0 ? gates : getAllGateIds(attestItConfig);
+    for (const gateId of gatesToSeal) {
+      if (!attestItConfig.gates[gateId]) {
+        error(`Gate '${gateId}' not found in configuration`);
+        process.exit(ExitCode.CONFIG_ERROR);
+      }
+    }
+    const summary = {
+      sealed: [],
+      skipped: [],
+      failed: []
+    };
+    for (const gateId of gatesToSeal) {
+      try {
+        const result = await processSingleGate(gateId, attestItConfig, identity, sealsFile, options);
+        if (result.sealed) {
+          summary.sealed.push(gateId);
+        } else if (result.skipped) {
+          summary.skipped.push({ gate: gateId, reason: result.reason ?? "Unknown" });
+        }
+      } catch (err) {
+        const errorMsg = err instanceof Error ? err.message : "Unknown error";
+        summary.failed.push({ gate: gateId, error: errorMsg });
+      }
+    }
+    if (!options.dryRun && summary.sealed.length > 0) {
+      writeSealsSync(projectRoot, sealsFile);
+    }
+    displaySummary(summary, options.dryRun);
+    if (summary.failed.length > 0) {
       process.exit(ExitCode.FAILURE);
+    } else if (summary.sealed.length === 0 && summary.skipped.length === 0) {
+      process.exit(ExitCode.NO_WORK);
+    } else {
+      process.exit(ExitCode.SUCCESS);
     }
-    process.exit(ExitCode.SUCCESS);
   } catch (err) {
     if (err instanceof Error) {
       error(err.message);
@@ -1533,79 +2281,1294 @@ async function runVerify(options) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-function displayResults(result, maxAgeDays, strict) {
+async function processSingleGate(gateId, config, identity, sealsFile, options) {
+  verbose(`Processing gate: ${gateId}`);
+  const gate = getGate(config, gateId);
+  if (!gate) {
+    return { sealed: false, skipped: true, reason: "Gate not found in configuration" };
+  }
+  const existingSeal = sealsFile.seals[gateId];
+  if (existingSeal && !options.force) {
+    return {
+      sealed: false,
+      skipped: true,
+      reason: "Gate already has a seal (use --force to override)"
+    };
+  }
+  const fingerprintResult = computeFingerprintSync({
+    packages: gate.fingerprint.paths,
+    ...gate.fingerprint.exclude && { ignore: gate.fingerprint.exclude }
+  });
+  verbose(`  Fingerprint: ${fingerprintResult.fingerprint}`);
+  const authorized = isAuthorizedSigner(config, gateId, identity.publicKey);
+  if (!authorized) {
+    return {
+      sealed: false,
+      skipped: true,
+      reason: `Not authorized to seal this gate (authorized signers: ${gate.authorizedSigners.join(", ")})`
+    };
+  }
+  if (options.dryRun) {
+    log(`  Would seal gate: ${gateId}`);
+    return { sealed: true, skipped: false };
+  }
+  const keyProvider = createKeyProviderFromIdentity2(identity);
+  const keyRef = getKeyRefFromIdentity2(identity);
+  const keyResult = await keyProvider.getPrivateKey(keyRef);
+  const fs4 = await import('fs/promises');
+  const privateKeyPem = await fs4.readFile(keyResult.keyPath, "utf8");
+  await keyResult.cleanup();
+  const seal = createSeal({
+    gateId,
+    fingerprint: fingerprintResult.fingerprint,
+    sealedBy: identity.name,
+    privateKey: privateKeyPem
+  });
+  sealsFile.seals[gateId] = seal;
+  log(`  Sealed gate: ${gateId}`);
+  verbose(`    Sealed by: ${identity.name}`);
+  verbose(`    Timestamp: ${seal.timestamp}`);
+  return { sealed: true, skipped: false };
+}
+function getAllGateIds(config) {
+  return Object.keys(config.gates ?? {});
+}
+function displaySummary(summary, dryRun) {
   log("");
-  if (!result.signatureValid) {
-    error("Signature verification FAILED");
-    log("The attestations file may have been tampered with.");
+  const prefix = dryRun ? "Would seal" : "Sealed";
+  if (summary.sealed.length > 0) {
+    success(`${prefix} ${String(summary.sealed.length)} gate(s): ${summary.sealed.join(", ")}`);
+  }
+  if (summary.skipped.length > 0) {
+    log("");
+    warn(`Skipped ${String(summary.skipped.length)} gate(s):`);
+    for (const skip of summary.skipped) {
+      log(`  ${skip.gate}: ${skip.reason}`);
+    }
+  }
+  if (summary.failed.length > 0) {
     log("");
+    error(`Failed to seal ${String(summary.failed.length)} gate(s):`);
+    for (const fail of summary.failed) {
+      log(`  ${fail.gate}: ${fail.error}`);
+    }
+  }
+  if (summary.sealed.length === 0 && summary.skipped.length === 0 && summary.failed.length === 0) {
+    log("No gates to seal");
   }
-  for (const errorMsg of result.errors) {
-    error(errorMsg);
+}
+function createKeyProviderFromIdentity2(identity) {
+  const { privateKey } = identity;
+  switch (privateKey.type) {
+    case "file":
+      return KeyProviderRegistry.create({
+        type: "filesystem",
+        options: { privateKeyPath: privateKey.path }
+      });
+    case "keychain":
+      return KeyProviderRegistry.create({
+        type: "macos-keychain",
+        options: {
+          itemName: privateKey.service
+        }
+      });
+    case "1password":
+      return KeyProviderRegistry.create({
+        type: "1password",
+        options: {
+          account: privateKey.account,
+          vault: privateKey.vault,
+          itemName: privateKey.item,
+          field: privateKey.field
+        }
+      });
+    default: {
+      const _exhaustiveCheck = privateKey;
+      throw new Error(`Unsupported private key type: ${String(_exhaustiveCheck)}`);
+    }
+  }
+}
+function getKeyRefFromIdentity2(identity) {
+  const { privateKey } = identity;
+  switch (privateKey.type) {
+    case "file":
+      return privateKey.path;
+    case "keychain":
+      return privateKey.service;
+    case "1password":
+      return privateKey.item;
+    default: {
+      const _exhaustiveCheck = privateKey;
+      throw new Error(`Unsupported private key type: ${String(_exhaustiveCheck)}`);
+    }
   }
-  if (result.errors.length > 0) {
+}
+var listCommand = new Command("list").description("List all local identities").action(async () => {
+  await runList();
+});
+async function runList() {
+  try {
+    const config = await loadLocalConfig();
+    if (!config) {
+      error("No identities configured");
+      log("");
+      log("Run: attest-it identity create");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const theme3 = getTheme2();
+    const identities = Object.entries(config.identities);
     log("");
+    log(theme3.blue.bold()("Local Identities:"));
+    log("");
+    for (const [slug, identity] of identities) {
+      const isActive = slug === config.activeIdentity;
+      const marker = isActive ? theme3.green("\u2605") : " ";
+      const nameDisplay = isActive ? theme3.green.bold()(identity.name) : identity.name;
+      const keyPreview = identity.publicKey.slice(0, 12) + "...";
+      let keyType;
+      switch (identity.privateKey.type) {
+        case "file":
+          keyType = "file";
+          break;
+        case "keychain":
+          keyType = "keychain";
+          break;
+        case "1password":
+          keyType = "1password";
+          break;
+      }
+      log(`${marker} ${theme3.blue(slug)}`);
+      log(`  Name:       ${nameDisplay}`);
+      if (identity.email) {
+        log(`  Email:      ${identity.email}`);
+      }
+      if (identity.github) {
+        log(`  GitHub:     ${identity.github}`);
+      }
+      log(`  Public Key: ${keyPreview}`);
+      log(`  Key Type:   ${keyType}`);
+      log("");
+    }
+    if (identities.length === 1) {
+      log(`1 identity configured`);
+    } else {
+      log(`${identities.length.toString()} identities configured`);
+    }
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
   }
-  const tableRows = result.suites.map((s) => ({
-    suite: s.suite,
-    status: colorizeStatus(s.status),
-    fingerprint: s.fingerprint.slice(0, 16) + "...",
-    age: formatAgeColumn(s)
-  }));
-  log(formatTable(tableRows));
-  log("");
-  if (result.success) {
-    success("All attestations valid");
-  } else {
-    const needsAttestation = result.suites.filter((s) => s.status !== "VALID");
-    if (needsAttestation.length > 0) {
-      log("Remediation:");
-      for (const suite of needsAttestation) {
-        log(`  attest-it run --suite ${suite.suite}`);
-        if (suite.message) {
-          log(`    ${suite.message}`);
+}
+var createCommand = new Command("create").description("Create a new identity with Ed25519 keypair").action(async () => {
+  await runCreate();
+});
+async function runCreate() {
+  try {
+    const theme3 = getTheme2();
+    log("");
+    log(theme3.blue.bold()("Create New Identity"));
+    log("");
+    const existingConfig = await loadLocalConfig();
+    const slug = await input({
+      message: "Identity slug (unique identifier):",
+      validate: (value) => {
+        if (!value || value.trim().length === 0) {
+          return "Slug cannot be empty";
         }
+        if (!/^[a-z0-9-]+$/.test(value)) {
+          return "Slug must contain only lowercase letters, numbers, and hyphens";
+        }
+        if (existingConfig?.identities[value]) {
+          return `Identity "${value}" already exists`;
+        }
+        return true;
+      }
+    });
+    const name = await input({
+      message: "Display name:",
+      validate: (value) => {
+        if (!value || value.trim().length === 0) {
+          return "Name cannot be empty";
+        }
+        return true;
+      }
+    });
+    const email = await input({
+      message: "Email (optional):",
+      default: ""
+    });
+    const github = await input({
+      message: "GitHub username (optional):",
+      default: ""
+    });
+    const keyStorageType = await select({
+      message: "Where should the private key be stored?",
+      choices: [
+        { name: "File system (~/.config/attest-it/keys/)", value: "file" },
+        { name: "macOS Keychain", value: "keychain" },
+        { name: "1Password", value: "1password" }
+      ]
+    });
+    log("");
+    log("Generating Ed25519 keypair...");
+    const keyPair = generateEd25519KeyPair();
+    let privateKeyRef;
+    let keyStorageDescription;
+    switch (keyStorageType) {
+      case "file": {
+        const keysDir = join(homedir(), ".config", "attest-it", "keys");
+        await mkdir(keysDir, { recursive: true });
+        const keyPath = join(keysDir, `${slug}.pem`);
+        await writeFile(keyPath, keyPair.privateKey, { mode: 384 });
+        privateKeyRef = { type: "file", path: keyPath };
+        keyStorageDescription = keyPath;
+        break;
+      }
+      case "keychain": {
+        const { MacOSKeychainKeyProvider: MacOSKeychainKeyProvider3 } = await import('@attest-it/core');
+        if (!MacOSKeychainKeyProvider3.isAvailable()) {
+          error("macOS Keychain is not available on this system");
+          process.exit(ExitCode.CONFIG_ERROR);
+        }
+        const { execFile } = await import('child_process');
+        const { promisify } = await import('util');
+        const execFileAsync = promisify(execFile);
+        const encodedKey = Buffer.from(keyPair.privateKey).toString("base64");
+        try {
+          await execFileAsync("security", [
+            "add-generic-password",
+            "-a",
+            "attest-it",
+            "-s",
+            slug,
+            "-w",
+            encodedKey,
+            "-U"
+          ]);
+        } catch (err) {
+          throw new Error(
+            `Failed to store key in macOS Keychain: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+        privateKeyRef = { type: "keychain", service: slug, account: "attest-it" };
+        keyStorageDescription = "macOS Keychain (" + slug + "/attest-it)";
+        break;
+      }
+      case "1password": {
+        const vault = await input({
+          message: "1Password vault name:",
+          validate: (value) => {
+            if (!value || value.trim().length === 0) {
+              return "Vault name cannot be empty";
+            }
+            return true;
+          }
+        });
+        const item = await input({
+          message: "1Password item name:",
+          default: `attest-it-${slug}`,
+          validate: (value) => {
+            if (!value || value.trim().length === 0) {
+              return "Item name cannot be empty";
+            }
+            return true;
+          }
+        });
+        const { execFile } = await import('child_process');
+        const { promisify } = await import('util');
+        const execFileAsync = promisify(execFile);
+        try {
+          await execFileAsync("op", [
+            "item",
+            "create",
+            "--category=SecureNote",
+            "--vault",
+            vault,
+            `--title=${item}`,
+            `privateKey[password]=${keyPair.privateKey}`
+          ]);
+        } catch (err) {
+          throw new Error(
+            `Failed to store key in 1Password: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+        privateKeyRef = { type: "1password", vault, item, field: "privateKey" };
+        keyStorageDescription = `1Password (${vault}/${item})`;
+        break;
       }
+      default:
+        throw new Error(`Unknown key storage type: ${keyStorageType}`);
+    }
+    const identity = {
+      name,
+      publicKey: keyPair.publicKey,
+      privateKey: privateKeyRef,
+      ...email && { email },
+      ...github && { github }
+    };
+    let newConfig;
+    if (existingConfig) {
+      newConfig = {
+        ...existingConfig,
+        identities: {
+          ...existingConfig.identities,
+          [slug]: identity
+        }
+      };
+    } else {
+      newConfig = {
+        activeIdentity: slug,
+        identities: {
+          [slug]: identity
+        }
+      };
+    }
+    await saveLocalConfig(newConfig);
+    log("");
+    success("Identity created successfully");
+    log("");
+    log(`  Slug:        ${slug}`);
+    log(`  Name:        ${name}`);
+    if (email) {
+      log(`  Email:       ${email}`);
+    }
+    if (github) {
+      log(`  GitHub:      ${github}`);
+    }
+    log(`  Public Key:  ${keyPair.publicKey.slice(0, 32)}...`);
+    log(`  Private Key: ${keyStorageDescription}`);
+    log("");
+    if (!existingConfig) {
+      success(`Set as active identity`);
+      log("");
+    } else {
+      log(`To use this identity, run: attest-it identity use ${slug}`);
+      log("");
+    }
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
     }
+    process.exit(ExitCode.CONFIG_ERROR);
   }
-  const warningThreshold = 7;
-  const nearExpiry = result.suites.filter(
-    (s) => s.status === "VALID" && (s.age ?? 0) > maxAgeDays - warningThreshold
-  );
-  if (nearExpiry.length > 0) {
+}
+var useCommand = new Command("use").description("Set the active identity").argument("<slug>", "Identity slug to activate").action(async (slug) => {
+  await runUse(slug);
+});
+async function runUse(slug) {
+  try {
+    const config = await loadLocalConfig();
+    if (!config) {
+      error("No identities configured");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const identity = config.identities[slug];
+    if (!identity) {
+      error(`Identity "${slug}" not found`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const newConfig = {
+      ...config,
+      activeIdentity: slug
+    };
+    await saveLocalConfig(newConfig);
+    success(`Active identity set to: ${identity.name} (${slug})`);
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+var showCommand = new Command("show").description("Show identity details").argument("[slug]", "Identity slug (defaults to active identity)").action(async (slug) => {
+  await runShow(slug);
+});
+async function runShow(slug) {
+  try {
+    const config = await loadLocalConfig();
+    if (!config) {
+      error("No identities configured");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const theme3 = getTheme2();
+    let targetSlug;
+    let isActive;
+    if (slug) {
+      targetSlug = slug;
+      isActive = slug === config.activeIdentity;
+    } else {
+      targetSlug = config.activeIdentity;
+      isActive = true;
+    }
+    const identity = config.identities[targetSlug];
+    if (!identity) {
+      error(`Identity "${targetSlug}" not found`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    log("");
+    log(theme3.blue.bold()("Identity Details:"));
+    log("");
+    log(`  Slug:       ${theme3.blue(targetSlug)}${isActive ? theme3.green(" (active)") : ""}`);
+    log(`  Name:       ${identity.name}`);
+    if (identity.email) {
+      log(`  Email:      ${identity.email}`);
+    }
+    if (identity.github) {
+      log(`  GitHub:     ${identity.github}`);
+    }
+    log("");
+    log(`  Public Key: ${identity.publicKey}`);
+    log("");
+    log("  Private Key Storage:");
+    switch (identity.privateKey.type) {
+      case "file":
+        log(`    Type: File`);
+        log(`    Path: ${identity.privateKey.path}`);
+        break;
+      case "keychain":
+        log(`    Type: macOS Keychain`);
+        log(`    Service: ${identity.privateKey.service}`);
+        log(`    Account: ${identity.privateKey.account}`);
+        break;
+      case "1password":
+        log(`    Type: 1Password`);
+        if (identity.privateKey.account) {
+          log(`    Account: ${identity.privateKey.account}`);
+        }
+        log(`    Vault: ${identity.privateKey.vault}`);
+        log(`    Item: ${identity.privateKey.item}`);
+        if (identity.privateKey.field) {
+          log(`    Field: ${identity.privateKey.field}`);
+        }
+        break;
+    }
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+var editCommand = new Command("edit").description("Edit identity or rotate keypair").argument("<slug>", "Identity slug to edit").action(async (slug) => {
+  await runEdit(slug);
+});
+async function runEdit(slug) {
+  try {
+    const config = await loadLocalConfig();
+    if (!config) {
+      error("No identities configured");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const identity = config.identities[slug];
+    if (!identity) {
+      error(`Identity "${slug}" not found`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const theme3 = getTheme2();
+    log("");
+    log(theme3.blue.bold()(`Edit Identity: ${slug}`));
+    log("");
+    const name = await input({
+      message: "Display name:",
+      default: identity.name,
+      validate: (value) => {
+        if (!value || value.trim().length === 0) {
+          return "Name cannot be empty";
+        }
+        return true;
+      }
+    });
+    const email = await input({
+      message: "Email (optional):",
+      default: identity.email ?? ""
+    });
+    const github = await input({
+      message: "GitHub username (optional):",
+      default: identity.github ?? ""
+    });
+    const rotateKey = await confirm({
+      message: "Rotate keypair (generate new keys)?",
+      default: false
+    });
+    let publicKey = identity.publicKey;
+    const privateKeyRef = identity.privateKey;
+    if (rotateKey) {
+      log("");
+      log("Generating new Ed25519 keypair...");
+      const keyPair = generateEd25519KeyPair();
+      publicKey = keyPair.publicKey;
+      switch (identity.privateKey.type) {
+        case "file": {
+          await writeFile(identity.privateKey.path, keyPair.privateKey, { mode: 384 });
+          log(`  Updated private key at: ${identity.privateKey.path}`);
+          break;
+        }
+        case "keychain": {
+          const { execFile } = await import('child_process');
+          const { promisify } = await import('util');
+          const execFileAsync = promisify(execFile);
+          const encodedKey = Buffer.from(keyPair.privateKey).toString("base64");
+          try {
+            await execFileAsync("security", [
+              "delete-generic-password",
+              "-s",
+              identity.privateKey.service,
+              "-a",
+              identity.privateKey.account
+            ]);
+            await execFileAsync("security", [
+              "add-generic-password",
+              "-s",
+              identity.privateKey.service,
+              "-a",
+              identity.privateKey.account,
+              "-w",
+              encodedKey,
+              "-U"
+            ]);
+            log(`  Updated private key in macOS Keychain`);
+          } catch (err) {
+            throw new Error(
+              `Failed to update key in macOS Keychain: ${err instanceof Error ? err.message : String(err)}`
+            );
+          }
+          break;
+        }
+        case "1password": {
+          const { execFile } = await import('child_process');
+          const { promisify } = await import('util');
+          const execFileAsync = promisify(execFile);
+          try {
+            const opArgs = [
+              "item",
+              "edit",
+              identity.privateKey.item,
+              "--vault",
+              identity.privateKey.vault,
+              `privateKey[password]=${keyPair.privateKey}`
+            ];
+            if (identity.privateKey.account) {
+              opArgs.push("--account", identity.privateKey.account);
+            }
+            await execFileAsync("op", opArgs);
+            log(`  Updated private key in 1Password`);
+          } catch (err) {
+            throw new Error(
+              `Failed to update key in 1Password: ${err instanceof Error ? err.message : String(err)}`
+            );
+          }
+          break;
+        }
+      }
+    }
+    const updatedIdentity = {
+      name,
+      publicKey,
+      privateKey: privateKeyRef,
+      ...email && { email },
+      ...github && { github }
+    };
+    const newConfig = {
+      ...config,
+      identities: {
+        ...config.identities,
+        [slug]: updatedIdentity
+      }
+    };
+    await saveLocalConfig(newConfig);
+    log("");
+    success("Identity updated successfully");
+    log("");
+    if (rotateKey) {
+      log("  New Public Key: " + publicKey.slice(0, 32) + "...");
+      log("");
+      log(
+        theme3.yellow(
+          "  Warning: If this identity is used in team configurations,\n  you must update those configurations with the new public key."
+        )
+      );
+      log("");
+    }
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+var removeCommand = new Command("remove").description("Delete identity and optionally delete private key").argument("<slug>", "Identity slug to remove").action(async (slug) => {
+  await runRemove(slug);
+});
+async function runRemove(slug) {
+  try {
+    const config = await loadLocalConfig();
+    if (!config) {
+      error("No identities configured");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const identity = config.identities[slug];
+    if (!identity) {
+      error(`Identity "${slug}" not found`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const theme3 = getTheme2();
+    log("");
+    log(theme3.blue.bold()(`Remove Identity: ${slug}`));
+    log("");
+    log(`  Name:  ${identity.name}`);
+    if (identity.email) {
+      log(`  Email: ${identity.email}`);
+    }
+    log("");
+    const confirmDelete = await confirm({
+      message: "Are you sure you want to delete this identity?",
+      default: false
+    });
+    if (!confirmDelete) {
+      log("Cancelled");
+      process.exit(ExitCode.CANCELLED);
+    }
+    const deletePrivateKey = await confirm({
+      message: "Also delete the private key from storage?",
+      default: false
+    });
+    if (deletePrivateKey) {
+      switch (identity.privateKey.type) {
+        case "file": {
+          try {
+            await unlink(identity.privateKey.path);
+            log(`  Deleted private key file: ${identity.privateKey.path}`);
+          } catch (err) {
+            if (err && typeof err === "object" && "code" in err && err.code !== "ENOENT") {
+              throw err;
+            }
+          }
+          break;
+        }
+        case "keychain": {
+          const { execFile } = await import('child_process');
+          const { promisify } = await import('util');
+          const execFileAsync = promisify(execFile);
+          try {
+            await execFileAsync("security", [
+              "delete-generic-password",
+              "-s",
+              identity.privateKey.service,
+              "-a",
+              identity.privateKey.account
+            ]);
+            log(`  Deleted private key from macOS Keychain`);
+          } catch (err) {
+            if (err instanceof Error && !err.message.includes("could not be found") && !err.message.includes("does not exist")) {
+              throw err;
+            }
+          }
+          break;
+        }
+        case "1password": {
+          const { execFile } = await import('child_process');
+          const { promisify } = await import('util');
+          const execFileAsync = promisify(execFile);
+          try {
+            const opArgs = [
+              "item",
+              "delete",
+              identity.privateKey.item,
+              "--vault",
+              identity.privateKey.vault
+            ];
+            if (identity.privateKey.account) {
+              opArgs.push("--account", identity.privateKey.account);
+            }
+            await execFileAsync("op", opArgs);
+            log(`  Deleted private key from 1Password`);
+          } catch (err) {
+            if (err instanceof Error && !err.message.includes("not found") && !err.message.includes("doesn't exist")) {
+              throw err;
+            }
+          }
+          break;
+        }
+      }
+    }
+    const { [slug]: _removed, ...remainingIdentities } = config.identities;
+    if (Object.keys(remainingIdentities).length === 0) {
+      error("Cannot remove last identity");
+      log("");
+      log("At least one identity must exist");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    let newActiveIdentity = config.activeIdentity;
+    if (slug === config.activeIdentity) {
+      const firstKey = Object.keys(remainingIdentities)[0];
+      if (!firstKey) {
+        throw new Error("No remaining identities after removal");
+      }
+      newActiveIdentity = firstKey;
+      log("");
+      log(theme3.yellow(`  Removed active identity. New active identity: ${newActiveIdentity}`));
+    }
+    const newConfig = {
+      activeIdentity: newActiveIdentity,
+      identities: remainingIdentities
+    };
+    await saveLocalConfig(newConfig);
+    log("");
+    success(`Identity "${slug}" removed`);
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+var exportCommand = new Command("export").description("Export identity for team onboarding (YAML snippet)").argument("[slug]", "Identity slug to export (defaults to active identity)").action(async (slug) => {
+  await runExport(slug);
+});
+async function runExport(slug) {
+  try {
+    const config = await loadLocalConfig();
+    if (!config) {
+      error("No identities configured");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const theme3 = getTheme2();
+    const targetSlug = slug ?? config.activeIdentity;
+    const identity = config.identities[targetSlug];
+    if (!identity) {
+      error(`Identity "${targetSlug}" not found`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    log("");
+    log(theme3.blue.bold()("Team Configuration YAML:"));
+    log("");
+    log(theme3.muted("# Add this to your team config file (.attest-it/team-config.yaml)"));
+    log("");
+    const exportData = {
+      name: identity.name,
+      publicKey: identity.publicKey
+    };
+    if (identity.email) {
+      exportData.email = identity.email;
+    }
+    if (identity.github) {
+      exportData.github = identity.github;
+    }
+    const yamlData = {
+      [targetSlug]: exportData
+    };
+    const yamlString = stringify(yamlData);
+    log(yamlString);
+    log("");
+    log(theme3.muted('# The team owner can add this to the "members:" section'));
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+
+// src/commands/identity/index.ts
+var identityCommand = new Command("identity").description("Manage local identities and keypairs").addCommand(listCommand).addCommand(createCommand).addCommand(useCommand).addCommand(showCommand).addCommand(editCommand).addCommand(removeCommand).addCommand(exportCommand);
+var whoamiCommand = new Command("whoami").description("Show the current active identity").action(async () => {
+  await runWhoami();
+});
+async function runWhoami() {
+  try {
+    const config = await loadLocalConfig();
+    if (!config) {
+      error("No identities configured");
+      log("");
+      log("Run: attest-it identity create");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const identity = getActiveIdentity(config);
+    if (!identity) {
+      error("Active identity not found");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const theme3 = getTheme2();
     log("");
-    for (const suite of nearExpiry) {
-      warn(`${suite.suite} attestation approaching expiry (${String(suite.age)} days old)`);
+    log(theme3.green.bold()(identity.name));
+    if (identity.email) {
+      log(theme3.muted(identity.email));
     }
-    if (strict) {
-      log("(--strict mode: warnings are treated as errors)");
+    if (identity.github) {
+      log(theme3.muted("@" + identity.github));
     }
+    log("");
+    log(`Identity: ${theme3.blue(config.activeIdentity)}`);
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-function formatAgeColumn(s) {
-  if (s.status === "VALID") {
-    return `${String(s.age ?? 0)} days`;
+var listCommand2 = new Command("list").description("List team members and their authorizations").action(async () => {
+  await runList2();
+});
+async function runList2() {
+  try {
+    const config = await loadConfig();
+    const attestItConfig = toAttestItConfig(config);
+    if (!attestItConfig.team || Object.keys(attestItConfig.team).length === 0) {
+      error("No team members configured");
+      log("");
+      log("Run: attest-it team add");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const theme3 = getTheme2();
+    const teamMembers = Object.entries(attestItConfig.team);
+    log("");
+    log(theme3.blue.bold()("Team Members:"));
+    log("");
+    for (const [slug, member] of teamMembers) {
+      const keyPreview = member.publicKey.slice(0, 12) + "...";
+      log(theme3.blue(slug));
+      log(`  Name:       ${member.name}`);
+      if (member.email) {
+        log(`  Email:      ${member.email}`);
+      }
+      if (member.github) {
+        log(`  GitHub:     ${member.github}`);
+      }
+      log(`  Public Key: ${keyPreview}`);
+      const authorizedGates = [];
+      if (attestItConfig.gates) {
+        for (const [gateId, gate] of Object.entries(attestItConfig.gates)) {
+          if (gate.authorizedSigners.includes(slug)) {
+            authorizedGates.push(gateId);
+          }
+        }
+      }
+      if (authorizedGates.length > 0) {
+        log(`  Gates:      ${authorizedGates.join(", ")}`);
+      } else {
+        log(`  Gates:      ${theme3.muted("(none)")}`);
+      }
+      log("");
+    }
+    if (teamMembers.length === 1) {
+      log(`1 team member configured`);
+    } else {
+      log(`${teamMembers.length.toString()} team members configured`);
+    }
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
   }
-  if (s.status === "NEEDS_ATTESTATION") {
-    return "(none)";
+}
+var addCommand = new Command("add").description("Add a new team member").action(async () => {
+  await runAdd();
+});
+function validatePublicKey(value) {
+  if (!value || value.trim().length === 0) {
+    return "Public key cannot be empty";
   }
-  if (s.status === "EXPIRED") {
-    return `${String(s.age ?? 0)} days (expired)`;
+  const base64Regex = /^[A-Za-z0-9+/]+=*$/;
+  if (!base64Regex.test(value)) {
+    return "Public key must be valid Base64";
   }
-  if (s.status === "FINGERPRINT_CHANGED") {
-    return "(changed)";
+  if (value.length !== 44) {
+    return "Public key must be 44 characters (32 bytes in Base64)";
   }
-  if (s.status === "INVALIDATED_BY_PARENT") {
-    return "(invalidated)";
+  try {
+    const decoded = Buffer.from(value, "base64");
+    if (decoded.length !== 32) {
+      return "Public key must decode to 32 bytes";
+    }
+  } catch {
+    return "Invalid Base64 encoding";
   }
-  return "-";
+  return true;
 }
-function hasWarnings(result, maxAgeDays) {
-  const warningThreshold = 7;
-  return result.suites.some(
-    (s) => s.status === "VALID" && (s.age ?? 0) > maxAgeDays - warningThreshold
-  );
+async function runAdd() {
+  try {
+    const theme3 = getTheme2();
+    log("");
+    log(theme3.blue.bold()("Add Team Member"));
+    log("");
+    const config = await loadConfig();
+    const attestItConfig = toAttestItConfig(config);
+    const existingTeam = attestItConfig.team ?? {};
+    const slug = await input({
+      message: "Member slug (unique identifier):",
+      validate: (value) => {
+        if (!value || value.trim().length === 0) {
+          return "Slug cannot be empty";
+        }
+        if (!/^[a-z0-9-]+$/.test(value)) {
+          return "Slug must contain only lowercase letters, numbers, and hyphens";
+        }
+        if (existingTeam[value]) {
+          return `Team member "${value}" already exists`;
+        }
+        return true;
+      }
+    });
+    const name = await input({
+      message: "Display name:",
+      validate: (value) => {
+        if (!value || value.trim().length === 0) {
+          return "Name cannot be empty";
+        }
+        return true;
+      }
+    });
+    const email = await input({
+      message: "Email (optional):",
+      default: ""
+    });
+    const github = await input({
+      message: "GitHub username (optional):",
+      default: ""
+    });
+    log("");
+    log('Paste the public key (from "attest-it identity export"):');
+    const publicKey = await input({
+      message: "Public key:",
+      validate: validatePublicKey
+    });
+    let authorizedGates = [];
+    if (attestItConfig.gates && Object.keys(attestItConfig.gates).length > 0) {
+      log("");
+      const gateChoices = Object.entries(attestItConfig.gates).map(([gateId, gate]) => ({
+        name: `${gateId} - ${gate.name}`,
+        value: gateId
+      }));
+      authorizedGates = await checkbox({
+        message: "Select gates to authorize (use space to select):",
+        choices: gateChoices
+      });
+    }
+    const teamMember = {
+      name,
+      publicKey: publicKey.trim()
+    };
+    if (email && email.trim().length > 0) {
+      teamMember.email = email.trim();
+    }
+    if (github && github.trim().length > 0) {
+      teamMember.github = github.trim();
+    }
+    const updatedConfig = {
+      ...config,
+      team: {
+        ...existingTeam,
+        [slug]: teamMember
+      }
+    };
+    if (authorizedGates.length > 0 && updatedConfig.gates) {
+      for (const gateId of authorizedGates) {
+        const gate = updatedConfig.gates[gateId];
+        if (gate) {
+          if (!gate.authorizedSigners.includes(slug)) {
+            gate.authorizedSigners.push(slug);
+          }
+        }
+      }
+    }
+    const configPath = findConfigPath();
+    if (!configPath) {
+      error("Configuration file not found");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const yamlContent = stringify(updatedConfig);
+    await writeFile(configPath, yamlContent, "utf8");
+    log("");
+    success(`Team member "${slug}" added successfully`);
+    if (authorizedGates.length > 0) {
+      log(`Authorized for gates: ${authorizedGates.join(", ")}`);
+    }
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+var editCommand2 = new Command("edit").description("Edit a team member").argument("<slug>", "Team member slug to edit").action(async (slug) => {
+  await runEdit2(slug);
+});
+function validatePublicKey2(value) {
+  if (!value || value.trim().length === 0) {
+    return "Public key cannot be empty";
+  }
+  const base64Regex = /^[A-Za-z0-9+/]+=*$/;
+  if (!base64Regex.test(value)) {
+    return "Public key must be valid Base64";
+  }
+  if (value.length !== 44) {
+    return "Public key must be 44 characters (32 bytes in Base64)";
+  }
+  try {
+    const decoded = Buffer.from(value, "base64");
+    if (decoded.length !== 32) {
+      return "Public key must decode to 32 bytes";
+    }
+  } catch {
+    return "Invalid Base64 encoding";
+  }
+  return true;
+}
+async function runEdit2(slug) {
+  try {
+    const theme3 = getTheme2();
+    const config = await loadConfig();
+    const attestItConfig = toAttestItConfig(config);
+    const existingMember = attestItConfig.team?.[slug];
+    if (!existingMember) {
+      error(`Team member "${slug}" not found`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    log("");
+    log(theme3.blue.bold()(`Edit Team Member: ${slug}`));
+    log("");
+    log(theme3.muted("Leave blank to keep current value"));
+    log("");
+    const name = await input({
+      message: "Display name:",
+      default: existingMember.name,
+      validate: (value) => {
+        if (!value || value.trim().length === 0) {
+          return "Name cannot be empty";
+        }
+        return true;
+      }
+    });
+    const email = await input({
+      message: "Email (optional):",
+      default: existingMember.email ?? ""
+    });
+    const github = await input({
+      message: "GitHub username (optional):",
+      default: existingMember.github ?? ""
+    });
+    const updateKey = await confirm({
+      message: "Update public key?",
+      default: false
+    });
+    let publicKey = existingMember.publicKey;
+    if (updateKey) {
+      log("");
+      log("Paste the new public key:");
+      publicKey = await input({
+        message: "Public key:",
+        default: existingMember.publicKey,
+        validate: validatePublicKey2
+      });
+    }
+    const currentGates = [];
+    if (attestItConfig.gates) {
+      for (const [gateId, gate] of Object.entries(attestItConfig.gates)) {
+        if (gate.authorizedSigners.includes(slug)) {
+          currentGates.push(gateId);
+        }
+      }
+    }
+    let selectedGates = currentGates;
+    if (attestItConfig.gates && Object.keys(attestItConfig.gates).length > 0) {
+      log("");
+      const gateChoices = Object.entries(attestItConfig.gates).map(([gateId, gate]) => ({
+        name: `${gateId} - ${gate.name}`,
+        value: gateId,
+        checked: currentGates.includes(gateId)
+      }));
+      selectedGates = await checkbox({
+        message: "Select gates to authorize (use space to select):",
+        choices: gateChoices
+      });
+    }
+    const updatedMember = {
+      name: name.trim(),
+      publicKey: publicKey.trim()
+    };
+    if (email && email.trim().length > 0) {
+      updatedMember.email = email.trim();
+    }
+    if (github && github.trim().length > 0) {
+      updatedMember.github = github.trim();
+    }
+    const updatedConfig = {
+      ...config,
+      team: {
+        ...attestItConfig.team,
+        [slug]: updatedMember
+      }
+    };
+    if (updatedConfig.gates) {
+      for (const [gateId, gate] of Object.entries(updatedConfig.gates)) {
+        if (currentGates.includes(gateId) && !selectedGates.includes(gateId)) {
+          gate.authorizedSigners = gate.authorizedSigners.filter((s) => s !== slug);
+        }
+        if (!currentGates.includes(gateId) && selectedGates.includes(gateId)) {
+          if (!gate.authorizedSigners.includes(slug)) {
+            gate.authorizedSigners.push(slug);
+          }
+        }
+      }
+    }
+    const configPath = findConfigPath();
+    if (!configPath) {
+      error("Configuration file not found");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const yamlContent = stringify(updatedConfig);
+    await writeFile(configPath, yamlContent, "utf8");
+    log("");
+    success(`Team member "${slug}" updated successfully`);
+    if (selectedGates.length > 0) {
+      log(`Authorized for gates: ${selectedGates.join(", ")}`);
+    } else {
+      log("Not authorized for any gates");
+    }
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+}
+var removeCommand2 = new Command("remove").description("Remove a team member").argument("<slug>", "Team member slug to remove").option("-f, --force", "Skip confirmation prompt").action(async (slug, options) => {
+  await runRemove2(slug, options);
+});
+async function runRemove2(slug, options) {
+  try {
+    const theme3 = getTheme2();
+    const config = await loadConfig();
+    const attestItConfig = toAttestItConfig(config);
+    const existingMember = attestItConfig.team?.[slug];
+    if (!existingMember) {
+      error(`Team member "${slug}" not found`);
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    log("");
+    log(theme3.blue.bold()(`Remove Team Member: ${slug}`));
+    log("");
+    log(`Name: ${existingMember.name}`);
+    if (existingMember.email) {
+      log(`Email: ${existingMember.email}`);
+    }
+    if (existingMember.github) {
+      log(`GitHub: ${existingMember.github}`);
+    }
+    log("");
+    const projectRoot = process.cwd();
+    let sealsFile;
+    try {
+      sealsFile = readSealsSync(projectRoot);
+    } catch {
+      sealsFile = { version: 1, seals: {} };
+    }
+    const sealsCreatedByMember = [];
+    for (const [gateId, seal] of Object.entries(sealsFile.seals)) {
+      if (seal.sealedBy === slug) {
+        sealsCreatedByMember.push(gateId);
+      }
+    }
+    if (sealsCreatedByMember.length > 0) {
+      warn("This member has created seals for the following gates:");
+      for (const gateId of sealsCreatedByMember) {
+        warn(`  - ${gateId}`);
+      }
+      log("");
+      warn("These seals will still be valid but attributed to a removed member.");
+      log("");
+    }
+    const authorizedGates = [];
+    if (attestItConfig.gates) {
+      for (const [gateId, gate] of Object.entries(attestItConfig.gates)) {
+        if (gate.authorizedSigners.includes(slug)) {
+          authorizedGates.push(gateId);
+        }
+      }
+    }
+    if (authorizedGates.length > 0) {
+      log("This member is authorized for the following gates:");
+      for (const gateId of authorizedGates) {
+        log(`  - ${gateId}`);
+      }
+      log("");
+    }
+    if (!options.force) {
+      const confirmed = await confirm({
+        message: `Are you sure you want to remove "${slug}"?`,
+        default: false
+      });
+      if (!confirmed) {
+        error("Removal cancelled");
+        process.exit(ExitCode.CANCELLED);
+      }
+    }
+    const updatedTeam = { ...attestItConfig.team };
+    delete updatedTeam[slug];
+    const updatedConfig = {
+      ...config,
+      team: updatedTeam
+    };
+    if (updatedConfig.gates) {
+      for (const gate of Object.values(updatedConfig.gates)) {
+        gate.authorizedSigners = gate.authorizedSigners.filter((s) => s !== slug);
+      }
+    }
+    const configPath = findConfigPath();
+    if (!configPath) {
+      error("Configuration file not found");
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const yamlContent = stringify(updatedConfig);
+    await writeFile(configPath, yamlContent, "utf8");
+    log("");
+    success(`Team member "${slug}" removed successfully`);
+    log("");
+  } catch (err) {
+    if (err instanceof Error) {
+      error(err.message);
+    } else {
+      error("Unknown error occurred");
+    }
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
 }
+
+// src/commands/team/index.ts
+var teamCommand = new Command("team").description("Manage team members and authorizations").addCommand(listCommand2).addCommand(addCommand).addCommand(editCommand2).addCommand(removeCommand2);
 function hasVersion(data) {
   return typeof data === "object" && data !== null && "version" in data && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
   typeof data.version === "string";
@@ -1645,6 +3608,10 @@ program.addCommand(runCommand);
 program.addCommand(keygenCommand);
 program.addCommand(pruneCommand);
 program.addCommand(verifyCommand);
+program.addCommand(sealCommand);
+program.addCommand(identityCommand);
+program.addCommand(teamCommand);
+program.addCommand(whoamiCommand);
 async function run() {
   if (process.argv.includes("--version") || process.argv.includes("-V")) {
     console.log(getPackageVersion());