@attest-it/cli 0.4.0 → 0.6.0

package/dist/bin/attest-it.js

@@ -6,10 +6,10 @@ import * as path from 'path';
 import { join, dirname } from 'path';
 import { detectTheme } from 'chromaterm';
 import { input, select, confirm, checkbox } from '@inquirer/prompts';
-import { loadConfig, toAttestItConfig, readSealsSync, computeFingerprintSync, verifyGateSeal, verifyAllSeals, computeFingerprint, createAttestation, readAttestations, upsertAttestation, KeyProviderRegistry, getDefaultPrivateKeyPath, FilesystemKeyProvider, writeSignedAttestations, loadLocalConfigSync, getActiveIdentity, isAuthorizedSigner, createSeal, writeSealsSync, checkOpenSSL, getDefaultPublicKeyPath, OnePasswordKeyProvider, MacOSKeychainKeyProvider, generateKeyPair, setKeyPermissions, getGate, loadLocalConfig, generateEd25519KeyPair, saveLocalConfig, findConfigPath, findAttestation } from '@attest-it/core';
+import { loadConfig, toAttestItConfig, readSealsSync, computeFingerprintSync, verifyGateSeal, verifyAllSeals, computeFingerprint, createAttestation, readAttestations, upsertAttestation, KeyProviderRegistry, getDefaultPrivateKeyPath, FilesystemKeyProvider, writeSignedAttestations, loadLocalConfigSync, getActiveIdentity, isAuthorizedSigner, createSeal, writeSealsSync, checkOpenSSL, getDefaultPublicKeyPath, OnePasswordKeyProvider, MacOSKeychainKeyProvider, generateKeyPair, setKeyPermissions, getGate, loadLocalConfig, YubiKeyProvider, getAttestItConfigDir, generateEd25519KeyPair, saveLocalConfig, findConfigPath, loadPreferences, savePreferences, findAttestation, setAttestItHomeDir } from '@attest-it/core';
+import tabtab2 from '@pnpm/tabtab';
 import { spawn } from 'child_process';
 import * as os from 'os';
-import { homedir } from 'os';
 import { parse } from 'shell-quote';
 import * as React7 from 'react';
 import { useState, useEffect } from 'react';
@@ -171,6 +171,87 @@ var ExitCode = {
   /** Missing required key file */
   MISSING_KEY: 5
 };
+var PROGRAM_NAME = "attest-it";
+var PROGRAM_ALIAS = "attest";
+function detectCurrentShell() {
+  const shellPath = process.env.SHELL ?? "";
+  if (shellPath.endsWith("/bash") || shellPath.endsWith("/bash.exe")) {
+    return "bash";
+  }
+  if (shellPath.endsWith("/zsh") || shellPath.endsWith("/zsh.exe")) {
+    return "zsh";
+  }
+  if (shellPath.endsWith("/fish") || shellPath.endsWith("/fish.exe")) {
+    return "fish";
+  }
+  return null;
+}
+function getSourceCommand(shell) {
+  switch (shell) {
+    case "bash":
+      return "source ~/.bashrc";
+    case "zsh":
+      return "source ~/.zshrc";
+    case "fish":
+      return "source ~/.config/fish/config.fish";
+  }
+}
+async function offerCompletionInstall() {
+  try {
+    const prefs = await loadPreferences();
+    if (prefs.cliExperience?.declinedCompletionInstall) {
+      return false;
+    }
+    const shell = detectCurrentShell();
+    if (!shell) {
+      return false;
+    }
+    log("");
+    const shouldInstall = await confirm({
+      message: `Would you like to enable shell completions for ${shell}?`,
+      default: true
+    });
+    if (!shouldInstall) {
+      await savePreferences({
+        ...prefs,
+        cliExperience: {
+          ...prefs.cliExperience,
+          declinedCompletionInstall: true
+        }
+      });
+      log("");
+      info("No problem! If you change your mind, you can run:");
+      log("  attest-it completion install");
+      log("");
+      return false;
+    }
+    await tabtab2.install({
+      name: PROGRAM_NAME,
+      completer: PROGRAM_NAME,
+      shell
+    });
+    await tabtab2.install({
+      name: PROGRAM_ALIAS,
+      completer: PROGRAM_ALIAS,
+      shell
+    });
+    log("");
+    success(`Shell completions installed for ${shell}!`);
+    info(`Completions enabled for both "${PROGRAM_NAME}" and "${PROGRAM_ALIAS}" commands.`);
+    log("");
+    info("Restart your shell or run:");
+    log(`  ${getSourceCommand(shell)}`);
+    log("");
+    return true;
+  } catch (err) {
+    error(`Failed to install completions: ${err instanceof Error ? err.message : String(err)}`);
+    log("");
+    info("You can try again later with:");
+    log("  attest-it completion install");
+    log("");
+    return false;
+  }
+}
 
 // src/commands/init.ts
 var initCommand = new Command("init").description("Initialize attest-it configuration").option("-p, --path <path>", "Config file path", ".attest-it/config.yaml").option("-f, --force", "Overwrite existing config").action(async (options) => {
@@ -234,6 +315,7 @@ async function runInit(options) {
     log(`  1. Edit ${options.path} to define your test suites`);
     log("  2. Run: attest-it keygen");
     log("  3. Run: attest-it status");
+    await offerCompletionInstall();
   } catch (err) {
     if (err instanceof Error) {
       error(err.message);
@@ -1524,6 +1606,15 @@ function createKeyProviderFromIdentity(identity) {
           field: privateKey.field
         }
       });
+    case "yubikey":
+      return KeyProviderRegistry.create({
+        type: "yubikey",
+        options: {
+          encryptedKeyPath: privateKey.encryptedKeyPath,
+          slot: privateKey.slot,
+          serial: privateKey.serial
+        }
+      });
     default: {
       const _exhaustiveCheck = privateKey;
       throw new Error(`Unsupported private key type: ${String(_exhaustiveCheck)}`);
@@ -1539,6 +1630,8 @@ function getKeyRefFromIdentity(identity) {
       return `${privateKey.service}:${privateKey.account}`;
     case "1password":
       return privateKey.item;
+    case "yubikey":
+      return privateKey.encryptedKeyPath;
     default: {
       const _exhaustiveCheck = privateKey;
       throw new Error(`Unsupported private key type: ${String(_exhaustiveCheck)}`);
@@ -2382,6 +2475,15 @@ function createKeyProviderFromIdentity2(identity) {
           field: privateKey.field
         }
       });
+    case "yubikey":
+      return KeyProviderRegistry.create({
+        type: "yubikey",
+        options: {
+          encryptedKeyPath: privateKey.encryptedKeyPath,
+          slot: privateKey.slot,
+          serial: privateKey.serial
+        }
+      });
     default: {
       const _exhaustiveCheck = privateKey;
       throw new Error(`Unsupported private key type: ${String(_exhaustiveCheck)}`);
@@ -2397,6 +2499,8 @@ function getKeyRefFromIdentity2(identity) {
       return privateKey.service;
     case "1password":
       return privateKey.item;
+    case "yubikey":
+      return privateKey.encryptedKeyPath;
     default: {
       const _exhaustiveCheck = privateKey;
       throw new Error(`Unsupported private key type: ${String(_exhaustiveCheck)}`);
@@ -2436,6 +2540,9 @@ async function runList() {
         case "1password":
           keyType = "1password";
           break;
+        case "yubikey":
+          keyType = "yubikey";
+          break;
       }
       log(`${marker} ${theme3.blue(slug)}`);
       log(`  Name:       ${nameDisplay}`);
@@ -2464,31 +2571,46 @@ async function runList() {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
+
+// src/commands/identity/validation.ts
+function validateSlug(value, existingIdentities) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return "Slug cannot be empty";
+  }
+  if (!/^[a-z0-9-]+$/.test(trimmed)) {
+    return "Slug must contain only lowercase letters, numbers, and hyphens";
+  }
+  if (existingIdentities?.[trimmed]) {
+    return `Identity "${trimmed}" already exists`;
+  }
+  return true;
+}
+var EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+function validateEmail(value, required = false) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return required ? "Email cannot be empty" : true;
+  }
+  if (!EMAIL_REGEX.test(trimmed)) {
+    return "Please enter a valid email address";
+  }
+  return true;
+}
 var createCommand = new Command("create").description("Create a new identity with Ed25519 keypair").action(async () => {
   await runCreate();
 });
 async function runCreate() {
   try {
-    const theme3 = getTheme2();
+    const theme3 = getTheme();
     log("");
     log(theme3.blue.bold()("Create New Identity"));
     log("");
     const existingConfig = await loadLocalConfig();
-    const slug = await input({
+    const slug = (await input({
       message: "Identity slug (unique identifier):",
-      validate: (value) => {
-        if (!value || value.trim().length === 0) {
-          return "Slug cannot be empty";
-        }
-        if (!/^[a-z0-9-]+$/.test(value)) {
-          return "Slug must contain only lowercase letters, numbers, and hyphens";
-        }
-        if (existingConfig?.identities[value]) {
-          return `Identity "${value}" already exists`;
-        }
-        return true;
-      }
-    });
+      validate: (value) => validateSlug(value, existingConfig?.identities)
+    })).trim();
     const name = await input({
       message: "Display name:",
       validate: (value) => {
@@ -2498,21 +2620,37 @@ async function runCreate() {
         return true;
       }
     });
-    const email = await input({
+    const email = (await input({
       message: "Email (optional):",
-      default: ""
-    });
+      default: "",
+      validate: validateEmail
+    })).trim();
     const github = await input({
       message: "GitHub username (optional):",
       default: ""
     });
+    info("Checking available key storage providers...");
+    const opAvailable = await OnePasswordKeyProvider.isInstalled();
+    const keychainAvailable = MacOSKeychainKeyProvider.isAvailable();
+    const yubikeyInstalled = await YubiKeyProvider.isInstalled();
+    const yubikeyConnected = yubikeyInstalled ? await YubiKeyProvider.isConnected() : false;
+    const configDir = getAttestItConfigDir();
+    const storageChoices = [
+      { name: `File system (${join(configDir, "keys")})`, value: "file" }
+    ];
+    if (keychainAvailable) {
+      storageChoices.push({ name: "macOS Keychain", value: "keychain" });
+    }
+    if (opAvailable) {
+      storageChoices.push({ name: "1Password", value: "1password" });
+    }
+    if (yubikeyInstalled) {
+      const yubikeyLabel = yubikeyConnected ? "YubiKey (encrypted with challenge-response)" : "YubiKey (not connected - insert YubiKey first)";
+      storageChoices.push({ name: yubikeyLabel, value: "yubikey" });
+    }
     const keyStorageType = await select({
       message: "Where should the private key be stored?",
-      choices: [
-        { name: "File system (~/.config/attest-it/keys/)", value: "file" },
-        { name: "macOS Keychain", value: "keychain" },
-        { name: "1Password", value: "1password" }
-      ]
+      choices: storageChoices
     });
     log("");
     log("Generating Ed25519 keypair...");
@@ -2521,7 +2659,7 @@ async function runCreate() {
     let keyStorageDescription;
     switch (keyStorageType) {
       case "file": {
-        const keysDir = join(homedir(), ".config", "attest-it", "keys");
+        const keysDir = join(getAttestItConfigDir(), "keys");
         await mkdir(keysDir, { recursive: true });
         const keyPath = join(keysDir, `${slug}.pem`);
         await writeFile(keyPath, keyPair.privateKey, { mode: 384 });
@@ -2530,44 +2668,138 @@ async function runCreate() {
         break;
       }
       case "keychain": {
-        const { MacOSKeychainKeyProvider: MacOSKeychainKeyProvider3 } = await import('@attest-it/core');
-        if (!MacOSKeychainKeyProvider3.isAvailable()) {
+        if (!MacOSKeychainKeyProvider.isAvailable()) {
           error("macOS Keychain is not available on this system");
           process.exit(ExitCode.CONFIG_ERROR);
         }
+        const keychains = await MacOSKeychainKeyProvider.listKeychains();
+        if (keychains.length === 0) {
+          throw new Error("No keychains found on this system");
+        }
+        const formatKeychainChoice = (kc) => {
+          return `${theme3.blue.bold()(kc.name)} ${theme3.muted(`(${kc.path})`)}`;
+        };
+        let selectedKeychain;
+        if (keychains.length === 1 && keychains[0]) {
+          selectedKeychain = keychains[0];
+          info(`Using keychain: ${formatKeychainChoice(selectedKeychain)}`);
+        } else {
+          const selectedPath = await select({
+            message: "Select keychain:",
+            choices: keychains.map((kc) => ({
+              name: formatKeychainChoice(kc),
+              value: kc.path
+            }))
+          });
+          const foundKeychain = keychains.find((kc) => kc.path === selectedPath);
+          if (!foundKeychain) {
+            throw new Error("Selected keychain not found");
+          }
+          selectedKeychain = foundKeychain;
+        }
+        const keychainItemName = await input({
+          message: "Keychain item name:",
+          default: `attest-it-${slug}`,
+          validate: (value) => {
+            if (!value || value.trim().length === 0) {
+              return "Item name cannot be empty";
+            }
+            return true;
+          }
+        });
         const { execFile } = await import('child_process');
         const { promisify } = await import('util');
         const execFileAsync = promisify(execFile);
         const encodedKey = Buffer.from(keyPair.privateKey).toString("base64");
         try {
-          await execFileAsync("security", [
+          const addArgs = [
             "add-generic-password",
             "-a",
             "attest-it",
             "-s",
-            slug,
+            keychainItemName,
             "-w",
             encodedKey,
-            "-U"
-          ]);
+            "-U",
+            selectedKeychain.path
+          ];
+          await execFileAsync("security", addArgs);
         } catch (err) {
           throw new Error(
             `Failed to store key in macOS Keychain: ${err instanceof Error ? err.message : String(err)}`
           );
         }
-        privateKeyRef = { type: "keychain", service: slug, account: "attest-it" };
-        keyStorageDescription = "macOS Keychain (" + slug + "/attest-it)";
+        privateKeyRef = {
+          type: "keychain",
+          service: keychainItemName,
+          account: "attest-it",
+          keychain: selectedKeychain.path
+        };
+        keyStorageDescription = `macOS Keychain: ${selectedKeychain.name}/${keychainItemName}`;
         break;
       }
       case "1password": {
-        const vault = await input({
-          message: "1Password vault name:",
-          validate: (value) => {
-            if (!value || value.trim().length === 0) {
-              return "Vault name cannot be empty";
+        const accounts = await OnePasswordKeyProvider.listAccounts();
+        if (accounts.length === 0) {
+          throw new Error(
+            '1Password CLI is installed but no accounts are signed in. Run "op signin" first.'
+          );
+        }
+        const { execFile } = await import('child_process');
+        const { promisify } = await import('util');
+        const execFileAsync = promisify(execFile);
+        const accountDetails = await Promise.all(
+          accounts.map(async (acc) => {
+            try {
+              const { stdout } = await execFileAsync("op", [
+                "account",
+                "get",
+                "--account",
+                acc.user_uuid,
+                "--format=json"
+              ]);
+              const details = JSON.parse(stdout);
+              const name2 = details !== null && typeof details === "object" && "name" in details && typeof details.name === "string" ? details.name : acc.url;
+              return {
+                url: acc.url,
+                email: acc.email,
+                name: name2
+              };
+            } catch {
+              return {
+                url: acc.url,
+                email: acc.email,
+                name: acc.url
+              };
             }
-            return true;
-          }
+          })
+        );
+        const formatAccountChoice = (acc) => {
+          return `${theme3.blue.bold()(acc.name)} ${theme3.muted(`(${acc.url})`)}`;
+        };
+        let selectedAccount;
+        if (accountDetails.length === 1 && accountDetails[0]) {
+          selectedAccount = accountDetails[0].url;
+          info(`Using 1Password account: ${formatAccountChoice(accountDetails[0])}`);
+        } else {
+          selectedAccount = await select({
+            message: "Select 1Password account:",
+            choices: accountDetails.map((acc) => ({
+              name: formatAccountChoice(acc),
+              value: acc.url
+            }))
+          });
+        }
+        const vaults = await OnePasswordKeyProvider.listVaults(selectedAccount);
+        if (vaults.length === 0) {
+          throw new Error(`No vaults found in 1Password account: ${selectedAccount}`);
+        }
+        const selectedVault = await select({
+          message: "Select vault for private key storage:",
+          choices: vaults.map((v) => ({
+            name: v.name,
+            value: v.name
+          }))
         });
         const item = await input({
           message: "1Password item name:",
@@ -2579,26 +2811,109 @@ async function runCreate() {
             return true;
           }
         });
-        const { execFile } = await import('child_process');
-        const { promisify } = await import('util');
-        const execFileAsync = promisify(execFile);
+        const { tmpdir } = await import('os');
+        const tempDir = join(tmpdir(), `attest-it-${String(Date.now())}`);
+        await mkdir(tempDir, { recursive: true });
+        const tempPrivatePath = join(tempDir, "private.pem");
         try {
-          await execFileAsync("op", [
-            "item",
+          await writeFile(tempPrivatePath, keyPair.privateKey, { mode: 384 });
+          const { execFile: execFile2 } = await import('child_process');
+          const { promisify: promisify2 } = await import('util');
+          const execFileAsync2 = promisify2(execFile2);
+          const opArgs = [
+            "document",
             "create",
-            "--category=SecureNote",
+            tempPrivatePath,
+            "--title",
+            item,
             "--vault",
-            vault,
-            `--title=${item}`,
-            `privateKey[password]=${keyPair.privateKey}`
-          ]);
-        } catch (err) {
-          throw new Error(
-            `Failed to store key in 1Password: ${err instanceof Error ? err.message : String(err)}`
-          );
+            selectedVault
+          ];
+          if (selectedAccount) {
+            opArgs.push("--account", selectedAccount);
+          }
+          await execFileAsync2("op", opArgs);
+        } finally {
+          const { rm } = await import('fs/promises');
+          await rm(tempDir, { recursive: true, force: true }).catch(() => {
+          });
+        }
+        privateKeyRef = {
+          type: "1password",
+          vault: selectedVault,
+          item,
+          ...selectedAccount && { account: selectedAccount }
+        };
+        keyStorageDescription = `1Password (${selectedVault}/${item})`;
+        break;
+      }
+      case "yubikey": {
+        if (!await YubiKeyProvider.isConnected()) {
+          error("No YubiKey detected. Please insert your YubiKey and try again.");
+          process.exit(ExitCode.CONFIG_ERROR);
+        }
+        const yubikeys = await YubiKeyProvider.listDevices();
+        if (yubikeys.length === 0) {
+          throw new Error("No YubiKeys detected. Please insert a YubiKey and try again.");
+        }
+        const formatYubiKeyChoice = (yk) => {
+          return `${theme3.blue.bold()(yk.type)} ${theme3.muted(`(Serial: ${yk.serial}, FW: ${yk.firmware})`)}`;
+        };
+        let selectedSerial;
+        if (yubikeys.length === 1 && yubikeys[0]) {
+          selectedSerial = yubikeys[0].serial;
+          info(`Using YubiKey: ${formatYubiKeyChoice(yubikeys[0])}`);
+        } else {
+          selectedSerial = await select({
+            message: "Select YubiKey:",
+            choices: yubikeys.map((yk) => ({
+              name: formatYubiKeyChoice(yk),
+              value: yk.serial
+            }))
+          });
         }
-        privateKeyRef = { type: "1password", vault, item, field: "privateKey" };
-        keyStorageDescription = `1Password (${vault}/${item})`;
+        const slot = 2;
+        const isChallengeResponseConfigured = await YubiKeyProvider.isChallengeResponseConfigured(
+          slot,
+          selectedSerial
+        );
+        if (!isChallengeResponseConfigured) {
+          log("");
+          error(`YubiKey slot ${String(slot)} is not configured for HMAC challenge-response.`);
+          log("");
+          log("To configure it, run:");
+          log(theme3.blue(`  ykman otp chalresp --generate ${String(slot)}`));
+          log("");
+          log("This will configure slot 2 with a randomly generated secret.");
+          log(theme3.muted("Note: Make sure to back up the secret if needed for recovery."));
+          process.exit(ExitCode.CONFIG_ERROR);
+        }
+        const encryptedKeyName = await input({
+          message: "Encrypted key file name:",
+          default: `${slug}.enc`,
+          validate: (value) => {
+            if (!value || value.trim().length === 0) {
+              return "File name cannot be empty";
+            }
+            return true;
+          }
+        });
+        const keysDir = join(getAttestItConfigDir(), "keys");
+        await mkdir(keysDir, { recursive: true });
+        const encryptedKeyPath = join(keysDir, encryptedKeyName);
+        const result = await YubiKeyProvider.encryptPrivateKey({
+          privateKey: keyPair.privateKey,
+          encryptedKeyPath,
+          slot,
+          serial: selectedSerial
+        });
+        privateKeyRef = {
+          type: "yubikey",
+          encryptedKeyPath: result.encryptedKeyPath,
+          slot,
+          serial: selectedSerial
+        };
+        keyStorageDescription = result.storageDescription;
         break;
       }
       default:
@@ -2650,6 +2965,7 @@ async function runCreate() {
       log(`To use this identity, run: attest-it identity use ${slug}`);
       log("");
     }
+    await offerCompletionInstall();
   } catch (err) {
     if (err instanceof Error) {
       error(err.message);
@@ -2910,6 +3226,37 @@ async function runEdit(slug) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
+
+// src/utils/format-key-location.ts
+function formatKeyLocation(privateKey) {
+  const theme3 = getTheme();
+  switch (privateKey.type) {
+    case "file":
+      return `${theme3.blue.bold()("File")}: ${theme3.muted(privateKey.path)}`;
+    case "keychain": {
+      let keychainName = "default";
+      if (privateKey.keychain) {
+        const filename = privateKey.keychain.split("/").pop() ?? privateKey.keychain;
+        keychainName = filename.replace(/\.keychain(-db)?$/, "");
+      }
+      return `${theme3.blue.bold()("macOS Keychain")}: ${theme3.muted(`${keychainName}/${privateKey.service}`)}`;
+    }
+    case "1password": {
+      const parts = [privateKey.vault, privateKey.item];
+      if (privateKey.account) {
+        parts.unshift(privateKey.account);
+      }
+      return `${theme3.blue.bold()("1Password")}: ${theme3.muted(parts.join("/"))}`;
+    }
+    case "yubikey": {
+      const slotInfo = privateKey.slot ? ` (slot ${String(privateKey.slot)})` : "";
+      const serialInfo = privateKey.serial ? ` [${privateKey.serial}]` : "";
+      return `${theme3.blue.bold()("YubiKey")}${serialInfo}${slotInfo}: ${theme3.muted(privateKey.encryptedKeyPath)}`;
+    }
+    default:
+      return "Unknown storage";
+  }
+}
 var removeCommand = new Command("remove").description("Delete identity and optionally delete private key").argument("<slug>", "Identity slug to remove").action(async (slug) => {
   await runRemove(slug);
 });
@@ -2925,7 +3272,7 @@ async function runRemove(slug) {
       error(`Identity "${slug}" not found`);
       process.exit(ExitCode.CONFIG_ERROR);
     }
-    const theme3 = getTheme2();
+    const theme3 = getTheme();
     log("");
     log(theme3.blue.bold()(`Remove Identity: ${slug}`));
     log("");
@@ -2942,6 +3289,9 @@ async function runRemove(slug) {
       log("Cancelled");
       process.exit(ExitCode.CANCELLED);
     }
+    const keyLocation = formatKeyLocation(identity.privateKey);
+    log(`  Private key: ${keyLocation}`);
+    log("");
     const deletePrivateKey = await confirm({
       message: "Also delete the private key from storage?",
       default: false
@@ -2964,13 +3314,17 @@ async function runRemove(slug) {
           const { promisify } = await import('util');
           const execFileAsync = promisify(execFile);
           try {
-            await execFileAsync("security", [
+            const deleteArgs = [
               "delete-generic-password",
               "-s",
               identity.privateKey.service,
               "-a",
               identity.privateKey.account
-            ]);
+            ];
+            if (identity.privateKey.keychain) {
+              deleteArgs.push(identity.privateKey.keychain);
+            }
+            await execFileAsync("security", deleteArgs);
             log(`  Deleted private key from macOS Keychain`);
           } catch (err) {
             if (err instanceof Error && !err.message.includes("could not be found") && !err.message.includes("does not exist")) {
@@ -3108,17 +3462,20 @@ async function runWhoami() {
       error("Active identity not found");
       process.exit(ExitCode.CONFIG_ERROR);
     }
-    const theme3 = getTheme2();
+    const theme3 = getTheme();
+    log("");
+    log(theme3.blue.bold()("Active Identity"));
     log("");
-    log(theme3.green.bold()(identity.name));
+    log(`  Slug:       ${theme3.green.bold()(config.activeIdentity)}`);
+    log(`  Name:       ${identity.name}`);
     if (identity.email) {
-      log(theme3.muted(identity.email));
+      log(`  Email:      ${theme3.muted(identity.email)}`);
     }
     if (identity.github) {
-      log(theme3.muted("@" + identity.github));
+      log(`  GitHub:     ${theme3.muted("@" + identity.github)}`);
     }
-    log("");
-    log(`Identity: ${theme3.blue(config.activeIdentity)}`);
+    log(`  Public Key: ${theme3.muted(identity.publicKey.slice(0, 24) + "...")}`);
+    log(`  Key Store:  ${formatKeyLocation(identity.privateKey)}`);
     log("");
   } catch (err) {
     if (err instanceof Error) {
@@ -3569,6 +3926,266 @@ async function runRemove2(slug, options) {
 
 // src/commands/team/index.ts
 var teamCommand = new Command("team").description("Manage team members and authorizations").addCommand(listCommand2).addCommand(addCommand).addCommand(editCommand2).addCommand(removeCommand2);
+var PROGRAM_NAME2 = "attest-it";
+var PROGRAM_ALIAS2 = "attest";
+var PROGRAM_NAMES = [PROGRAM_NAME2, PROGRAM_ALIAS2];
+function isSupportedShell(value) {
+  return value === "bash" || value === "zsh" || value === "fish";
+}
+async function getCompletions(env) {
+  let shell;
+  try {
+    const detectedShell = tabtab2.getShellFromEnv(process.env);
+    shell = detectedShell === "pwsh" ? "bash" : detectedShell;
+  } catch {
+    shell = "bash";
+  }
+  const commands = [
+    { name: "init", description: "Initialize a new config file" },
+    { name: "status", description: "Show status of all gates" },
+    { name: "run", description: "Run test suites interactively" },
+    { name: "verify", description: "Verify all seals are valid" },
+    { name: "seal", description: "Create a seal for a gate" },
+    { name: "keygen", description: "Generate a new keypair" },
+    { name: "prune", description: "Remove stale attestations" },
+    { name: "identity", description: "Manage identities" },
+    { name: "team", description: "Manage team members" },
+    { name: "whoami", description: "Show active identity" },
+    { name: "completion", description: "Shell completion commands" }
+  ];
+  const globalOptions2 = [
+    { name: "--help", description: "Show help" },
+    { name: "--version", description: "Show version" },
+    { name: "--verbose", description: "Verbose output" },
+    { name: "--quiet", description: "Minimal output" },
+    { name: "--config", description: "Path to config file" }
+  ];
+  const identitySubcommands = [
+    { name: "create", description: "Create a new identity" },
+    { name: "list", description: "List all identities" },
+    { name: "use", description: "Switch active identity" },
+    { name: "remove", description: "Remove an identity" }
+  ];
+  const teamSubcommands = [
+    { name: "add", description: "Add yourself to the team" },
+    { name: "list", description: "List team members" },
+    { name: "remove", description: "Remove a team member" }
+  ];
+  const completionSubcommands = [
+    { name: "install", description: "Install shell completion" },
+    { name: "uninstall", description: "Uninstall shell completion" }
+  ];
+  const words = env.line.split(/\s+/).filter(Boolean);
+  const lastWord = env.last;
+  const prevWord = env.prev;
+  if (prevWord === "--config" || prevWord === "-c") {
+    tabtab2.logFiles();
+    return;
+  }
+  if (lastWord.startsWith("-")) {
+    tabtab2.log(globalOptions2, shell, console.log);
+    return;
+  }
+  const commandIndex = words.findIndex(
+    (w) => !w.startsWith("-") && !PROGRAM_NAMES.includes(w) && w !== "npx"
+  );
+  const currentCommand = commandIndex >= 0 ? words[commandIndex] ?? null : null;
+  if (currentCommand === "identity") {
+    const subcommandIndex = words.findIndex(
+      (w, i) => i > commandIndex && !w.startsWith("-")
+    );
+    const subcommand = subcommandIndex >= 0 ? words[subcommandIndex] ?? null : null;
+    if (subcommand === "use" || subcommand === "remove") {
+      const identities = await getIdentitySlugs();
+      if (identities.length > 0) {
+        tabtab2.log(identities, shell, console.log);
+        return;
+      }
+    }
+    if (!subcommand || subcommandIndex < 0) {
+      tabtab2.log(identitySubcommands, shell, console.log);
+      return;
+    }
+  }
+  if (currentCommand === "team") {
+    const subcommandIndex = words.findIndex(
+      (w, i) => i > commandIndex && !w.startsWith("-")
+    );
+    const subcommand = subcommandIndex >= 0 ? words[subcommandIndex] ?? null : null;
+    if (!subcommand || subcommandIndex < 0) {
+      tabtab2.log(teamSubcommands, shell, console.log);
+      return;
+    }
+  }
+  if (currentCommand === "completion") {
+    const subcommandIndex = words.findIndex(
+      (w, i) => i > commandIndex && !w.startsWith("-")
+    );
+    const subcommand = subcommandIndex >= 0 ? words[subcommandIndex] ?? null : null;
+    if (subcommand === "install") {
+      tabtab2.log(["bash", "zsh", "fish"], shell, console.log);
+      return;
+    }
+    if (!subcommand || subcommandIndex < 0) {
+      tabtab2.log(completionSubcommands, shell, console.log);
+      return;
+    }
+  }
+  if (currentCommand === "status" || currentCommand === "verify" || currentCommand === "seal") {
+    const gates = await getGateNames();
+    if (gates.length > 0) {
+      tabtab2.log(gates, shell, console.log);
+      return;
+    }
+  }
+  if (currentCommand === "run") {
+    const suites = await getSuiteNames();
+    if (suites.length > 0) {
+      tabtab2.log(suites, shell, console.log);
+      return;
+    }
+  }
+  const knownCommands = [
+    "init",
+    "status",
+    "run",
+    "verify",
+    "seal",
+    "keygen",
+    "prune",
+    "identity",
+    "team",
+    "whoami",
+    "completion"
+  ];
+  if (!currentCommand || !knownCommands.includes(currentCommand)) {
+    tabtab2.log([...commands, ...globalOptions2], shell, console.log);
+  }
+}
+async function getIdentitySlugs() {
+  try {
+    const config = await loadLocalConfig();
+    if (config?.identities) {
+      return Object.keys(config.identities);
+    }
+  } catch {
+  }
+  return [];
+}
+async function getGateNames() {
+  try {
+    const config = await loadConfig();
+    if (config.gates) {
+      return Object.keys(config.gates);
+    }
+  } catch {
+  }
+  return [];
+}
+async function getSuiteNames() {
+  try {
+    const config = await loadConfig();
+    return Object.keys(config.suites);
+  } catch {
+  }
+  return [];
+}
+var completionCommand = new Command("completion").description("Shell completion commands");
+function detectCurrentShell2() {
+  const shellPath = process.env.SHELL ?? "";
+  if (shellPath.endsWith("/bash") || shellPath.endsWith("/bash.exe")) {
+    return "bash";
+  }
+  if (shellPath.endsWith("/zsh") || shellPath.endsWith("/zsh.exe")) {
+    return "zsh";
+  }
+  if (shellPath.endsWith("/fish") || shellPath.endsWith("/fish.exe")) {
+    return "fish";
+  }
+  return null;
+}
+function getSourceCommand2(shell) {
+  switch (shell) {
+    case "bash":
+      return "source ~/.bashrc";
+    case "zsh":
+      return "source ~/.zshrc";
+    case "fish":
+      return "source ~/.config/fish/config.fish";
+  }
+}
+completionCommand.command("install [shell]").description("Install shell completion (auto-detects shell, or specify bash/zsh/fish)").action(async (shellArg) => {
+  try {
+    let shell;
+    if (shellArg !== void 0) {
+      if (!isSupportedShell(shellArg)) {
+        error(`Shell "${shellArg}" is not supported. Use bash, zsh, or fish.`);
+        process.exit(ExitCode.CONFIG_ERROR);
+      }
+      shell = shellArg;
+    } else {
+      const detected = detectCurrentShell2();
+      if (!detected) {
+        error(
+          "Could not detect your shell. Please specify: attest-it completion install <bash|zsh|fish>"
+        );
+        process.exit(ExitCode.CONFIG_ERROR);
+      }
+      shell = detected;
+      info(`Detected shell: ${shell}`);
+    }
+    await tabtab2.install({
+      name: PROGRAM_NAME2,
+      completer: PROGRAM_NAME2,
+      shell
+    });
+    await tabtab2.install({
+      name: PROGRAM_ALIAS2,
+      completer: PROGRAM_ALIAS2,
+      shell
+    });
+    log("");
+    success(`Shell completion installed for ${shell}!`);
+    info(`Completions enabled for both "${PROGRAM_NAME2}" and "${PROGRAM_ALIAS2}" commands.`);
+    log("");
+    info("Restart your shell or run:");
+    log(`  ${getSourceCommand2(shell)}`);
+    log("");
+  } catch (err) {
+    error(`Failed to install completion: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+});
+completionCommand.command("uninstall").description("Uninstall shell completion").action(async () => {
+  try {
+    await tabtab2.uninstall({
+      name: PROGRAM_NAME2
+    });
+    await tabtab2.uninstall({
+      name: PROGRAM_ALIAS2
+    });
+    log("");
+    success("Shell completion uninstalled!");
+    log("");
+  } catch (err) {
+    error(`Failed to uninstall completion: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+});
+completionCommand.command("server", { hidden: true }).description("Completion server (internal)").action(async () => {
+  const env = tabtab2.parseEnv(process.env);
+  if (env.complete) {
+    await getCompletions(env);
+  }
+});
+function createCompletionServerCommand() {
+  return new Command("completion-server").allowUnknownOption().allowExcessArguments(true).action(async () => {
+    const env = tabtab2.parseEnv(process.env);
+    if (env.complete) {
+      await getCompletions(env);
+    }
+  });
+}
 function hasVersion(data) {
   return typeof data === "object" && data !== null && "version" in data && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
   typeof data.version === "string";
@@ -3612,12 +4229,28 @@ program.addCommand(sealCommand);
 program.addCommand(identityCommand);
 program.addCommand(teamCommand);
 program.addCommand(whoamiCommand);
+program.addCommand(completionCommand);
+program.addCommand(createCompletionServerCommand(), { hidden: true });
+function processHomeDirOption() {
+  const homeDirIndex = process.argv.indexOf("--home-dir");
+  if (homeDirIndex !== -1 && homeDirIndex + 1 < process.argv.length) {
+    const homeDir = process.argv[homeDirIndex + 1];
+    if (homeDir && !homeDir.startsWith("-")) {
+      setAttestItHomeDir(homeDir);
+      process.argv.splice(homeDirIndex, 2);
+    }
+  }
+}
 async function run() {
+  processHomeDirOption();
   if (process.argv.includes("--version") || process.argv.includes("-V")) {
     console.log(getPackageVersion());
     process.exit(0);
   }
-  await initTheme();
+  const isCompletionServer = process.argv.includes("completion-server");
+  if (!isCompletionServer) {
+    await initTheme();
+  }
   program.parse();
   const options = program.opts();
   const outputOptions = {};