@attest-it/cli 0.7.0 → 0.9.0

package/dist/bin/attest-it.js

@@ -4,21 +4,19 @@ import * as fs from 'fs';
 import { readFileSync } from 'fs';
 import * as path from 'path';
 import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
 import { detectTheme } from 'chromaterm';
 import { input, select, confirm, checkbox } from '@inquirer/prompts';
-import { loadConfig, toAttestItConfig, readSealsSync, computeFingerprintSync, verifyGateSeal, verifyAllSeals, computeFingerprint, createAttestation, readAttestations, upsertAttestation, KeyProviderRegistry, getDefaultPrivateKeyPath, FilesystemKeyProvider, writeSignedAttestations, loadLocalConfigSync, getActiveIdentity, isAuthorizedSigner, createSeal, writeSealsSync, checkOpenSSL, getDefaultPublicKeyPath, OnePasswordKeyProvider, MacOSKeychainKeyProvider, generateKeyPair, setKeyPermissions, getGate, loadLocalConfig, YubiKeyProvider, getAttestItConfigDir, generateEd25519KeyPair, saveLocalConfig, savePublicKey, findConfigPath, loadPreferences, savePreferences, findAttestation, setAttestItHomeDir, getDefaultYubiKeyEncryptedKeyPath } from '@attest-it/core';
+import { loadConfig, toAttestItConfig, readSealsSync, computeFingerprintSync, verifyGateSeal, verifyAllSeals, computeFingerprint, createAttestation, readAttestations, upsertAttestation, KeyProviderRegistry, getDefaultPrivateKeyPath, FilesystemKeyProvider, writeSignedAttestations, loadLocalConfigSync, getActiveIdentity, isAuthorizedSigner, createSeal, writeSealsSync, getGate, loadLocalConfig, OnePasswordKeyProvider, MacOSKeychainKeyProvider, YubiKeyProvider, getAttestItConfigDir, generateEd25519KeyPair, saveLocalConfig, savePublicKey, findConfigPath, loadPreferences, savePreferences, findAttestation, setAttestItHomeDir } from '@attest-it/core';
 import tabtab2 from '@pnpm/tabtab';
 import { spawn } from 'child_process';
 import * as os from 'os';
 import { parse } from 'shell-quote';
 import * as React7 from 'react';
-import { useState, useEffect } from 'react';
 import { render, useApp, Box, Text, useInput } from 'ink';
 import { jsx, jsxs, Fragment } from 'react/jsx-runtime';
 import { mkdir, writeFile, unlink, readFile } from 'fs/promises';
-import { Spinner, Select, TextInput } from '@inkjs/ui';
 import { stringify } from 'yaml';
-import { fileURLToPath } from 'url';
 
 var globalOptions = {};
 var theme;
@@ -252,47 +250,93 @@ async function offerCompletionInstall() {
     return false;
   }
 }
+function hasVersion(data) {
+  return typeof data === "object" && data !== null && "version" in data && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  typeof data.version === "string";
+}
+var cachedVersion;
+function getPackageVersion() {
+  if (cachedVersion !== void 0) {
+    return cachedVersion;
+  }
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = dirname(__filename);
+  const possiblePaths = [join(__dirname, "../package.json"), join(__dirname, "../../package.json")];
+  for (const packageJsonPath of possiblePaths) {
+    try {
+      const content = readFileSync(packageJsonPath, "utf-8");
+      const packageJsonData = JSON.parse(content);
+      if (!hasVersion(packageJsonData)) {
+        throw new Error(`Invalid package.json at ${packageJsonPath}: missing version field`);
+      }
+      cachedVersion = packageJsonData.version;
+      return cachedVersion;
+    } catch (error2) {
+      if (error2 instanceof Error && "code" in error2 && error2.code === "ENOENT") {
+        continue;
+      }
+      throw error2;
+    }
+  }
+  throw new Error("Could not find package.json");
+}
 
 // src/commands/init.ts
 var initCommand = new Command("init").description("Initialize attest-it configuration").option("-p, --path <path>", "Config file path", ".attest-it/config.yaml").option("-f, --force", "Overwrite existing config").action(async (options) => {
   await runInit(options);
 });
-var CONFIG_TEMPLATE = `# attest-it configuration
-# See https://github.com/attest-it/attest-it for documentation
-
-version: 1
-
-settings:
-  # How long attestations remain valid (in days)
-  maxAgeDays: 30
-  # Path to the public key used for signature verification
-  publicKeyPath: .attest-it/pubkey.pem
-  # Path to the attestations file
-  attestationsPath: .attest-it/attestations.json
-  # Signing algorithm
-  algorithm: rsa
-
-# Define your test suites below. Each suite groups tests that require
-# human verification before their attestations are accepted.
-#
-# Example:
-#
-# suites:
-#   visual-tests:
-#     description: Visual regression tests requiring human review
-#     packages:
-#       - packages/ui
-#       - packages/components
-#     command: pnpm vitest packages/ui packages/components
-#
-#   integration:
-#     description: Integration tests with external services
-#     packages:
-#       - packages/api
-#     command: pnpm vitest packages/api --project=integration
-
-suites: {}
-`;
+function loadConfigTemplate() {
+  const __filename = fileURLToPath(import.meta.url);
+  const __dirname = dirname(__filename);
+  const possiblePaths = [
+    join(__dirname, "../../templates/config.yaml"),
+    join(__dirname, "../templates/config.yaml")
+  ];
+  for (const templatePath of possiblePaths) {
+    try {
+      return fs.readFileSync(templatePath, "utf-8");
+    } catch (error2) {
+      if (error2 instanceof Error && "code" in error2 && error2.code === "ENOENT") {
+        continue;
+      }
+      throw error2;
+    }
+  }
+  throw new Error("Could not find config.yaml template");
+}
+function isPackageJson(data) {
+  return typeof data === "object" && data !== null && "name" in data && "version" in data && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  typeof data.name === "string" && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  typeof data.version === "string";
+}
+function detectPackageManager() {
+  if (fs.existsSync("pnpm-lock.yaml")) return "pnpm";
+  if (fs.existsSync("yarn.lock")) return "yarn";
+  if (fs.existsSync("bun.lockb")) return "bun";
+  return "npm";
+}
+async function ensureDevDependency() {
+  const packageJsonPath = "package.json";
+  const packageManager = detectPackageManager();
+  let created = false;
+  let packageJson;
+  if (fs.existsSync(packageJsonPath)) {
+    const content = await fs.promises.readFile(packageJsonPath, "utf8");
+    const parsed = JSON.parse(content);
+    if (!isPackageJson(parsed)) {
+      throw new Error("Invalid package.json: missing required name or version field");
+    }
+    packageJson = parsed;
+  } else {
+    packageJson = { name: path.basename(process.cwd()), version: "1.0.0" };
+    created = true;
+  }
+  const devDeps = packageJson.devDependencies ?? {};
+  devDeps["attest-it"] = "^" + getPackageVersion();
+  packageJson.devDependencies = devDeps;
+  await fs.promises.writeFile(packageJsonPath, JSON.stringify(packageJson, null, 2) + "\n");
+  return { packageManager, created };
+}
 async function runInit(options) {
   try {
     const configPath = path.resolve(options.path);
@@ -307,14 +351,22 @@ async function runInit(options) {
         process.exit(ExitCode.CANCELLED);
       }
     }
+    const { packageManager, created } = await ensureDevDependency();
+    if (created) {
+      success("Created package.json");
+    } else {
+      success("Updated package.json with attest-it devDependency");
+    }
     await fs.promises.mkdir(configDir, { recursive: true });
-    await fs.promises.writeFile(configPath, CONFIG_TEMPLATE, "utf-8");
+    const configTemplate = loadConfigTemplate();
+    await fs.promises.writeFile(configPath, configTemplate, "utf-8");
     success(`Configuration created at ${configPath}`);
     log("");
     log("Next steps:");
-    log(`  1. Edit ${options.path} to define your test suites`);
-    log("  2. Run: attest-it keygen");
-    log("  3. Run: attest-it status");
+    log(`  1. Run: ${packageManager} install`);
+    log("  2. Run: attest-it identity create  (if you haven't already)");
+    log("  3. Run: attest-it team join");
+    log("  4. Edit .attest-it/config.yaml to define your gates and suites");
     await offerCompletionInstall();
   } catch (err) {
     if (err instanceof Error) {
@@ -337,7 +389,7 @@ async function runStatus(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = readSealsSync(projectRoot);
+    const sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToCheck = gates.length > 0 ? gates : Object.keys(attestItConfig.gates);
     for (const gateId of gatesToCheck) {
       if (!attestItConfig.gates[gateId]) {
@@ -546,14 +598,14 @@ function SelectionPrompt({
   onSelect,
   groups
 }) {
-  useInput((input5) => {
-    const matchedOption = options.find((opt) => opt.hint === input5);
+  useInput((input4) => {
+    const matchedOption = options.find((opt) => opt.hint === input4);
     if (matchedOption) {
       onSelect(matchedOption.value);
       return;
     }
     if (groups) {
-      const matchedGroup = groups.find((group) => group.name === input5);
+      const matchedGroup = groups.find((group) => group.name === input4);
       if (matchedGroup) {
         onSelect(matchedGroup.name);
       }
@@ -603,17 +655,17 @@ function SuiteSelector({
       return next;
     });
   }, []);
-  useInput((input5, key) => {
-    if (input5 === "a") {
+  useInput((input4, key) => {
+    if (input4 === "a") {
       setSelectedSuites(new Set(pendingSuites.map((s) => s.name)));
       return;
     }
-    if (input5 === "n") {
+    if (input4 === "n") {
       onExit();
       return;
     }
-    if (/^[1-9]$/.test(input5)) {
-      const idx = parseInt(input5, 10) - 1;
+    if (/^[1-9]$/.test(input4)) {
+      const idx = parseInt(input4, 10) - 1;
       if (idx < pendingSuites.length) {
         const suite = pendingSuites[idx];
         if (suite) {
@@ -622,8 +674,8 @@ function SuiteSelector({
       }
       return;
     }
-    if (input5.startsWith("g") && groups) {
-      const groupIdx = parseInt(input5.slice(1), 10) - 1;
+    if (input4.startsWith("g") && groups) {
+      const groupIdx = parseInt(input4.slice(1), 10) - 1;
       const groupNames = Object.keys(groups);
       if (groupIdx >= 0 && groupIdx < groupNames.length) {
         const groupName = groupNames[groupIdx];
@@ -640,7 +692,7 @@ function SuiteSelector({
       onSelect(Array.from(selectedSuites));
       return;
     }
-    if (input5 === " ") {
+    if (input4 === " ") {
       const currentSuite = pendingSuites[cursorIndex];
       if (currentSuite) {
         toggleSuite(currentSuite.name);
@@ -773,11 +825,11 @@ function TestRunner({
     };
   }, [currentIndex, phase, suites, executeTest, onComplete]);
   useInput(
-    (input5, key) => {
+    (input4, key) => {
       if (phase !== "confirming") return;
       const currentSuite2 = suites[currentIndex];
       if (!currentSuite2) return;
-      if (input5.toLowerCase() === "y" || key.return) {
+      if (input4.toLowerCase() === "y" || key.return) {
         createAttestation3(currentSuite2).then(() => {
           setResults((prev) => ({
             ...prev,
@@ -794,7 +846,7 @@ function TestRunner({
           setPhase("running");
         });
       }
-      if (input5.toLowerCase() === "n") {
+      if (input4.toLowerCase() === "n") {
         setResults((prev) => ({
           ...prev,
           skipped: [...prev.skipped, currentSuite2]
@@ -989,12 +1041,24 @@ async function getAllSuiteStatuses(config) {
   const attestations = attestationsFile?.attestations ?? [];
   const results = [];
   for (const [suiteName, suiteConfig] of Object.entries(config.suites)) {
-    if (!suiteConfig.packages) {
+    let packages;
+    let ignore;
+    if (suiteConfig.gate && config.gates) {
+      const gateConfig = config.gates[suiteConfig.gate];
+      if (gateConfig) {
+        packages = gateConfig.fingerprint.paths;
+        ignore = gateConfig.fingerprint.exclude;
+      }
+    } else if (suiteConfig.packages) {
+      packages = suiteConfig.packages;
+      ignore = suiteConfig.ignore;
+    }
+    if (!packages || packages.length === 0) {
       continue;
     }
     const fingerprintResult = await computeFingerprint({
-      packages: suiteConfig.packages,
-      ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+      packages,
+      ...ignore && { ignore }
     });
     const attestation = findAttestation(
       { schemaVersion: "1", attestations, signature: "" },
@@ -1495,9 +1559,9 @@ async function runSingleSuite(suiteName, config, options) {
   if (!await keyProvider.keyExists(keyRef)) {
     error(`Private key not found in ${keyProvider.displayName}`);
     if (keyProvider.type === "filesystem") {
-      error('Run "attest-it keygen" first to generate a keypair.');
+      error('Run "attest-it identity create" first to generate a keypair.');
     } else {
-      error('Run "attest-it keygen" to generate and store a key.');
+      error('Run "attest-it identity create" to generate and store a key.');
     }
     process.exit(ExitCode.MISSING_KEY);
   }
@@ -1521,7 +1585,7 @@ async function promptForSeal(suiteName, gateId, config) {
   const localConfig = loadLocalConfigSync();
   if (!localConfig) {
     warn("No local identity configuration found - cannot create seal");
-    warn('Run "attest-it keygen" to set up your identity');
+    warn('Run "attest-it identity create" to set up your identity');
     return;
   }
   const identity = getActiveIdentity(localConfig);
@@ -1556,21 +1620,22 @@ async function promptForSeal(suiteName, gateId, config) {
     const keyProvider = createKeyProviderFromIdentity(identity);
     const keyRef = getKeyRefFromIdentity(identity);
     const keyResult = await keyProvider.getPrivateKey(keyRef);
-    const fs4 = await import('fs/promises');
-    const privateKeyPem = await fs4.readFile(keyResult.keyPath, "utf8");
+    const fs3 = await import('fs/promises');
+    const privateKeyPem = await fs3.readFile(keyResult.keyPath, "utf8");
     await keyResult.cleanup();
+    const identitySlug = localConfig.activeIdentity;
     const seal = createSeal({
       gateId,
       fingerprint: gateFingerprint.fingerprint,
-      sealedBy: identity.name,
+      sealedBy: identitySlug,
       privateKey: privateKeyPem
     });
     const projectRoot = process.cwd();
-    const sealsFile = readSealsSync(projectRoot);
+    const sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     sealsFile.seals[gateId] = seal;
-    writeSealsSync(projectRoot, sealsFile);
+    writeSealsSync(projectRoot, sealsFile, attestItConfig.settings.sealsPath);
     success(`Seal created for gate '${gateId}'`);
-    log(`  Sealed by: ${identity.name}`);
+    log(`  Sealed by: ${identitySlug} (${identity.name})`);
     log(`  Timestamp: ${seal.timestamp}`);
   } catch (err) {
     if (err instanceof Error) {
@@ -1638,626 +1703,6 @@ function getKeyRefFromIdentity(identity) {
     }
   }
 }
-function KeygenInteractive(props) {
-  const { onComplete, onCancel, onError } = props;
-  const [step, setStep] = useState("checking-providers");
-  const [opAvailable, setOpAvailable] = useState(false);
-  const [keychainAvailable, setKeychainAvailable] = useState(false);
-  const [yubiKeyAvailable, setYubiKeyAvailable] = useState(false);
-  const [accounts, setAccounts] = useState([]);
-  const [vaults, setVaults] = useState([]);
-  const [yubiKeyDevices, setYubiKeyDevices] = useState([]);
-  const [_selectedProvider, setSelectedProvider] = useState();
-  const [selectedAccount, setSelectedAccount] = useState();
-  const [selectedVault, setSelectedVault] = useState();
-  const [itemName, setItemName] = useState("attest-it-private-key");
-  const [keychainItemName, setKeychainItemName] = useState("attest-it-private-key");
-  const [selectedYubiKeySerial, setSelectedYubiKeySerial] = useState();
-  const [selectedYubiKeySlot, setSelectedYubiKeySlot] = useState(2);
-  const [slot1Configured, setSlot1Configured] = useState(false);
-  const [slot2Configured, setSlot2Configured] = useState(false);
-  useInput((_input, key) => {
-    if (key.escape) {
-      onCancel();
-    }
-  });
-  useEffect(() => {
-    const checkProviders = async () => {
-      try {
-        const isInstalled = await OnePasswordKeyProvider.isInstalled();
-        setOpAvailable(isInstalled);
-        if (isInstalled) {
-          const accountList = await OnePasswordKeyProvider.listAccounts();
-          setAccounts(accountList);
-        }
-      } catch {
-        setOpAvailable(false);
-      }
-      const isKeychainAvailable = MacOSKeychainKeyProvider.isAvailable();
-      setKeychainAvailable(isKeychainAvailable);
-      try {
-        const isInstalled = await YubiKeyProvider.isInstalled();
-        if (isInstalled) {
-          const isConnected = await YubiKeyProvider.isConnected();
-          if (isConnected) {
-            const devices = await YubiKeyProvider.listDevices();
-            setYubiKeyDevices(devices);
-            setYubiKeyAvailable(devices.length > 0);
-          }
-        }
-      } catch {
-        setYubiKeyAvailable(false);
-      }
-      setStep("select-provider");
-    };
-    void checkProviders();
-  }, []);
-  useEffect(() => {
-    if (step === "select-vault" && selectedAccount) {
-      const fetchVaults = async () => {
-        try {
-          const vaultList = await OnePasswordKeyProvider.listVaults(selectedAccount);
-          setVaults(vaultList);
-        } catch (err) {
-          onError(err instanceof Error ? err : new Error("Failed to fetch vaults"));
-        }
-      };
-      void fetchVaults();
-    }
-  }, [step, selectedAccount, onError]);
-  const checkYubiKeySlots = async (serial) => {
-    try {
-      const slot1 = await YubiKeyProvider.isChallengeResponseConfigured(1, serial);
-      const slot2 = await YubiKeyProvider.isChallengeResponseConfigured(2, serial);
-      setSlot1Configured(slot1);
-      setSlot2Configured(slot2);
-      if (slot1 && slot2) {
-        setStep("select-yubikey-slot");
-      } else if (slot2) {
-        setSelectedYubiKeySlot(2);
-        void generateKeys("yubikey");
-      } else if (slot1) {
-        setSelectedYubiKeySlot(1);
-        void generateKeys("yubikey");
-      } else {
-        setStep("yubikey-offer-setup");
-      }
-    } catch (err) {
-      onError(err instanceof Error ? err : new Error("Failed to check YubiKey slots"));
-    }
-  };
-  const handleProviderSelect = (value) => {
-    if (value === "filesystem") {
-      setSelectedProvider("filesystem");
-      void generateKeys("filesystem");
-    } else if (value === "1password") {
-      setSelectedProvider("1password");
-      if (accounts.length === 1 && accounts[0]) {
-        setSelectedAccount(accounts[0].user_uuid);
-        setStep("select-vault");
-      } else {
-        setStep("select-account");
-      }
-    } else if (value === "macos-keychain") {
-      setSelectedProvider("macos-keychain");
-      setStep("enter-keychain-item-name");
-    } else if (value === "yubikey") {
-      setSelectedProvider("yubikey");
-      if (yubiKeyDevices.length > 1) {
-        setStep("select-yubikey-device");
-      } else if (yubiKeyDevices.length === 1 && yubiKeyDevices[0]) {
-        setSelectedYubiKeySerial(yubiKeyDevices[0].serial);
-        void checkYubiKeySlots(yubiKeyDevices[0].serial);
-      }
-    }
-  };
-  const handleAccountSelect = (value) => {
-    setSelectedAccount(value);
-    setStep("select-vault");
-  };
-  const handleVaultSelect = (value) => {
-    setSelectedVault(value);
-    setStep("enter-item-name");
-  };
-  const handleItemNameSubmit = (value) => {
-    setItemName(value);
-    void generateKeys("1password");
-  };
-  const handleKeychainItemNameSubmit = (value) => {
-    setKeychainItemName(value);
-    void generateKeys("macos-keychain");
-  };
-  const handleYubiKeyDeviceSelect = (value) => {
-    setSelectedYubiKeySerial(value);
-    void checkYubiKeySlots(value);
-  };
-  const handleYubiKeySlotSelect = (value) => {
-    const slot = value === "1" ? 1 : 2;
-    setSelectedYubiKeySlot(slot);
-    void generateKeys("yubikey");
-  };
-  const handleYubiKeySetupConfirm = (value) => {
-    if (value === "yes") {
-      void setupYubiKeySlot();
-    } else {
-      onError(new Error("YubiKey setup cancelled"));
-    }
-  };
-  const setupYubiKeySlot = async () => {
-    setStep("yubikey-configuring");
-    try {
-      const { spawn: spawn3 } = await import('child_process');
-      const args = ["otp", "chalresp", "--touch", "--generate", "2"];
-      if (selectedYubiKeySerial) {
-        args.unshift("--device", selectedYubiKeySerial);
-      }
-      await new Promise((resolve2, reject) => {
-        const proc = spawn3("ykman", args, { stdio: "inherit" });
-        proc.on("close", (code) => {
-          if (code === 0) {
-            resolve2();
-          } else {
-            reject(new Error(`ykman exited with code ${String(code)}`));
-          }
-        });
-        proc.on("error", reject);
-      });
-      setSelectedYubiKeySlot(2);
-      void generateKeys("yubikey");
-    } catch (err) {
-      onError(err instanceof Error ? err : new Error("Failed to configure YubiKey"));
-    }
-  };
-  const generateKeys = async (provider) => {
-    setStep("generating");
-    try {
-      const publicKeyPath = props.publicKeyPath ?? getDefaultPublicKeyPath();
-      if (provider === "filesystem") {
-        const fsProvider = new FilesystemKeyProvider();
-        const genOptions = { publicKeyPath };
-        if (props.force !== void 0) {
-          genOptions.force = props.force;
-        }
-        const result = await fsProvider.generateKeyPair(genOptions);
-        onComplete({
-          provider: "filesystem",
-          publicKeyPath: result.publicKeyPath,
-          privateKeyRef: result.privateKeyRef,
-          storageDescription: result.storageDescription
-        });
-      } else if (provider === "1password") {
-        if (!selectedVault || !itemName) {
-          throw new Error("Vault and item name are required for 1Password");
-        }
-        const vault = vaults.find((v) => v.id === selectedVault);
-        if (!vault) {
-          throw new Error("Selected vault not found");
-        }
-        const providerOptions = {
-          vault: vault.name,
-          itemName
-        };
-        if (selectedAccount !== void 0) {
-          providerOptions.account = selectedAccount;
-        }
-        const opProvider = new OnePasswordKeyProvider(providerOptions);
-        const genOptions = { publicKeyPath };
-        if (props.force !== void 0) {
-          genOptions.force = props.force;
-        }
-        const result = await opProvider.generateKeyPair(genOptions);
-        const completionResult = {
-          provider: "1password",
-          publicKeyPath: result.publicKeyPath,
-          privateKeyRef: result.privateKeyRef,
-          storageDescription: result.storageDescription,
-          vault: vault.name,
-          itemName
-        };
-        if (selectedAccount !== void 0) {
-          completionResult.account = selectedAccount;
-        }
-        onComplete(completionResult);
-      } else if (provider === "macos-keychain") {
-        if (!keychainItemName) {
-          throw new Error("Item name is required for macOS Keychain");
-        }
-        const keychainProvider = new MacOSKeychainKeyProvider({
-          itemName: keychainItemName
-        });
-        const genOptions = { publicKeyPath };
-        if (props.force !== void 0) {
-          genOptions.force = props.force;
-        }
-        const result = await keychainProvider.generateKeyPair(genOptions);
-        onComplete({
-          provider: "macos-keychain",
-          publicKeyPath: result.publicKeyPath,
-          privateKeyRef: result.privateKeyRef,
-          storageDescription: result.storageDescription,
-          itemName: keychainItemName
-        });
-      } else {
-        const encryptedKeyPath = getDefaultYubiKeyEncryptedKeyPath();
-        const providerOptions = {
-          encryptedKeyPath,
-          slot: selectedYubiKeySlot
-        };
-        if (selectedYubiKeySerial !== void 0) {
-          providerOptions.serial = selectedYubiKeySerial;
-        }
-        const ykProvider = new YubiKeyProvider(providerOptions);
-        const genOptions = { publicKeyPath };
-        if (props.force !== void 0) {
-          genOptions.force = props.force;
-        }
-        const result = await ykProvider.generateKeyPair(genOptions);
-        const completionResult = {
-          provider: "yubikey",
-          publicKeyPath: result.publicKeyPath,
-          privateKeyRef: result.privateKeyRef,
-          storageDescription: result.storageDescription,
-          slot: selectedYubiKeySlot,
-          encryptedKeyPath
-        };
-        if (selectedYubiKeySerial !== void 0) {
-          completionResult.serial = selectedYubiKeySerial;
-        }
-        onComplete(completionResult);
-      }
-      setStep("done");
-    } catch (err) {
-      onError(err instanceof Error ? err : new Error("Key generation failed"));
-    }
-  };
-  if (step === "checking-providers") {
-    return /* @__PURE__ */ jsx(Box, { flexDirection: "column", children: /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
-      /* @__PURE__ */ jsx(Spinner, {}),
-      /* @__PURE__ */ jsx(Text, { children: "Checking available key storage providers..." })
-    ] }) });
-  }
-  if (step === "select-provider") {
-    const options = [
-      {
-        label: `Local Filesystem (${getDefaultPrivateKeyPath()})`,
-        value: "filesystem"
-      }
-    ];
-    if (keychainAvailable) {
-      options.push({
-        label: "macOS Keychain",
-        value: "macos-keychain"
-      });
-    }
-    if (yubiKeyAvailable) {
-      options.push({
-        label: "YubiKey (hardware security key)",
-        value: "yubikey"
-      });
-    }
-    if (opAvailable) {
-      options.push({
-        label: "1Password (requires op CLI)",
-        value: "1password"
-      });
-    }
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsx(Text, { bold: true, children: "Where would you like to store your private key?" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(Select, { options, onChange: handleProviderSelect })
-    ] });
-  }
-  if (step === "select-account") {
-    const options = accounts.map((account) => ({
-      label: account.name ? `${account.name} (${account.email})` : account.email,
-      value: account.user_uuid
-    }));
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsx(Text, { bold: true, children: "Select 1Password account:" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(Select, { options, onChange: handleAccountSelect })
-    ] });
-  }
-  if (step === "select-vault") {
-    if (vaults.length === 0) {
-      return /* @__PURE__ */ jsx(Box, { flexDirection: "column", children: /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
-        /* @__PURE__ */ jsx(Spinner, {}),
-        /* @__PURE__ */ jsx(Text, { children: "Loading vaults..." })
-      ] }) });
-    }
-    const options = vaults.map((vault) => ({
-      label: vault.name,
-      value: vault.id
-    }));
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsx(Text, { bold: true, children: "Select vault for private key storage:" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(Select, { options, onChange: handleVaultSelect })
-    ] });
-  }
-  if (step === "enter-item-name") {
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsx(Text, { bold: true, children: "Enter name for the key item:" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "(This will be visible in your 1Password vault)" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(TextInput, { defaultValue: itemName, onSubmit: handleItemNameSubmit })
-    ] });
-  }
-  if (step === "enter-keychain-item-name") {
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsx(Text, { bold: true, children: "Enter name for the keychain item:" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "(This will be the service name in your macOS Keychain)" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(TextInput, { defaultValue: keychainItemName, onSubmit: handleKeychainItemNameSubmit })
-    ] });
-  }
-  if (step === "select-yubikey-device") {
-    const options = yubiKeyDevices.map((device) => ({
-      label: `${device.type} (Serial: ${device.serial})`,
-      value: device.serial
-    }));
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsx(Text, { bold: true, children: "Select YubiKey device:" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(Select, { options, onChange: handleYubiKeyDeviceSelect })
-    ] });
-  }
-  if (step === "select-yubikey-slot") {
-    const options = [];
-    if (slot2Configured) {
-      options.push({
-        label: "Slot 2 (recommended)",
-        value: "2"
-      });
-    }
-    if (slot1Configured) {
-      options.push({
-        label: "Slot 1",
-        value: "1"
-      });
-    }
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsx(Text, { bold: true, children: "Select YubiKey slot for challenge-response:" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(Select, { options, onChange: handleYubiKeySlotSelect })
-    ] });
-  }
-  if (step === "yubikey-offer-setup") {
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsx(Text, { bold: true, children: "Your YubiKey is not configured for challenge-response." }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(Text, { children: "Would you like to configure slot 2 for challenge-response now?" }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "This will enable touch-to-sign functionality." }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
-      /* @__PURE__ */ jsx(
-        Select,
-        {
-          options: [
-            { label: "Yes, configure my YubiKey", value: "yes" },
-            { label: "No, cancel", value: "no" }
-          ],
-          onChange: handleYubiKeySetupConfirm
-        }
-      )
-    ] });
-  }
-  if (step === "yubikey-configuring") {
-    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
-      /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
-        /* @__PURE__ */ jsx(Spinner, {}),
-        /* @__PURE__ */ jsx(Text, { children: "Configuring YubiKey slot 2 for challenge-response..." })
-      ] }),
-      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "Touch your YubiKey when it flashes." })
-    ] });
-  }
-  if (step === "generating") {
-    return /* @__PURE__ */ jsx(Box, { flexDirection: "column", children: /* @__PURE__ */ jsxs(Box, { flexDirection: "row", gap: 1, children: [
-      /* @__PURE__ */ jsx(Spinner, {}),
-      /* @__PURE__ */ jsx(Text, { children: "Generating RSA-2048 keypair..." })
-    ] }) });
-  }
-  return /* @__PURE__ */ jsx(Box, {});
-}
-async function runKeygenInteractive(options) {
-  return new Promise((resolve2, reject) => {
-    const props = {
-      onComplete: (result) => {
-        unmount();
-        resolve2(result);
-      },
-      onCancel: () => {
-        unmount();
-        reject(new Error("Keygen cancelled"));
-      },
-      onError: (error2) => {
-        unmount();
-        reject(error2);
-      }
-    };
-    if (options.publicKeyPath !== void 0) {
-      props.publicKeyPath = options.publicKeyPath;
-    }
-    if (options.force !== void 0) {
-      props.force = options.force;
-    }
-    const { unmount } = render(/* @__PURE__ */ jsx(KeygenInteractive, { ...props }));
-  });
-}
-
-// src/commands/keygen.ts
-var keygenCommand = new Command("keygen").description("Generate a new RSA keypair for signing attestations").option("-o, --output <path>", "Public key output path").option("-p, --private <path>", "Private key output path (filesystem only)").option(
-  "--provider <type>",
-  "Key provider: filesystem, 1password, or macos-keychain (skips interactive)"
-).option("--vault <name>", "1Password vault name").option("--item-name <name>", "1Password/macOS Keychain item name").option("--account <email>", "1Password account").option("-f, --force", "Overwrite existing keys").option("--no-interactive", "Disable interactive mode").action(async (options) => {
-  await runKeygen(options);
-});
-async function runKeygen(options) {
-  try {
-    const useInteractive = options.interactive !== false && !options.provider;
-    if (useInteractive) {
-      const interactiveOptions = {};
-      if (options.output !== void 0) {
-        interactiveOptions.publicKeyPath = options.output;
-      }
-      if (options.force !== void 0) {
-        interactiveOptions.force = options.force;
-      }
-      const result = await runKeygenInteractive(interactiveOptions);
-      success("Keypair generated successfully!");
-      log("");
-      log("Private key stored in:");
-      log(`  ${result.storageDescription}`);
-      log("");
-      log("Public key (commit to repo):");
-      log(`  ${result.publicKeyPath}`);
-      log("");
-      if (result.provider === "1password") {
-        log("Add to your .attest-it/config.yaml:");
-        log("");
-        log("settings:");
-        log(`  publicKeyPath: ${result.publicKeyPath}`);
-        log("  keyProvider:");
-        log("    type: 1password");
-        log("    options:");
-        if (result.account) {
-          log(`      account: ${result.account}`);
-        }
-        log(`      vault: ${result.vault ?? ""}`);
-        log(`      itemName: ${result.itemName ?? ""}`);
-        log("");
-      } else if (result.provider === "macos-keychain") {
-        log("Add to your .attest-it/config.yaml:");
-        log("");
-        log("settings:");
-        log(`  publicKeyPath: ${result.publicKeyPath}`);
-        log("  keyProvider:");
-        log("    type: macos-keychain");
-        log("    options:");
-        log(`      itemName: ${result.itemName ?? ""}`);
-        log("");
-      }
-      log("Next steps:");
-      log(`  1. git add ${result.publicKeyPath}`);
-      if (result.provider === "1password" || result.provider === "macos-keychain") {
-        log("  2. Update .attest-it/config.yaml with keyProvider settings");
-      } else {
-        log("  2. Update .attest-it/config.yaml publicKeyPath if needed");
-      }
-      log("  3. attest-it run --suite <suite-name>");
-    } else {
-      await runNonInteractiveKeygen(options);
-    }
-  } catch (err) {
-    if (err instanceof Error) {
-      error(err.message);
-    } else {
-      error("Unknown error occurred");
-    }
-    process.exit(ExitCode.CONFIG_ERROR);
-  }
-}
-async function runNonInteractiveKeygen(options) {
-  log("Checking OpenSSL...");
-  const version = await checkOpenSSL();
-  info(`OpenSSL: ${version}`);
-  const publicPath = options.output ?? getDefaultPublicKeyPath();
-  if (options.provider === "1password") {
-    if (!options.vault || !options.itemName) {
-      throw new Error("--vault and --item-name are required for 1password provider");
-    }
-    const providerOptions = {
-      vault: options.vault,
-      itemName: options.itemName
-    };
-    if (options.account !== void 0) {
-      providerOptions.account = options.account;
-    }
-    const provider = new OnePasswordKeyProvider(providerOptions);
-    log(`Generating keypair with 1Password storage...`);
-    log(`Vault: ${options.vault}`);
-    log(`Item: ${options.itemName}`);
-    const genOptions = { publicKeyPath: publicPath };
-    if (options.force !== void 0) {
-      genOptions.force = options.force;
-    }
-    const result = await provider.generateKeyPair(genOptions);
-    success("Keypair generated successfully!");
-    log("");
-    log("Private key stored in:");
-    log(`  ${result.storageDescription}`);
-    log("");
-    log("Public key (commit to repo):");
-    log(`  ${result.publicKeyPath}`);
-  } else if (options.provider === "macos-keychain") {
-    if (!options.itemName) {
-      throw new Error("--item-name is required for macos-keychain provider");
-    }
-    const isAvailable = MacOSKeychainKeyProvider.isAvailable();
-    if (!isAvailable) {
-      throw new Error("macOS Keychain is not available on this platform");
-    }
-    const provider = new MacOSKeychainKeyProvider({
-      itemName: options.itemName
-    });
-    log(`Generating keypair with macOS Keychain storage...`);
-    log(`Item: ${options.itemName}`);
-    const genOptions = { publicKeyPath: publicPath };
-    if (options.force !== void 0) {
-      genOptions.force = options.force;
-    }
-    const result = await provider.generateKeyPair(genOptions);
-    success("Keypair generated successfully!");
-    log("");
-    log("Private key stored in:");
-    log(`  ${result.storageDescription}`);
-    log("");
-    log("Public key (commit to repo):");
-    log(`  ${result.publicKeyPath}`);
-  } else {
-    const privatePath = options.private ?? getDefaultPrivateKeyPath();
-    log(`Private key: ${privatePath}`);
-    log(`Public key: ${publicPath}`);
-    const privateExists = fs.existsSync(privatePath);
-    const publicExists = fs.existsSync(publicPath);
-    if ((privateExists || publicExists) && !options.force) {
-      if (privateExists) {
-        warn(`Private key already exists: ${privatePath}`);
-      }
-      if (publicExists) {
-        warn(`Public key already exists: ${publicPath}`);
-      }
-      const shouldOverwrite = await confirmAction({
-        message: "Overwrite existing keys?",
-        default: false
-      });
-      if (!shouldOverwrite) {
-        error("Keygen cancelled");
-        process.exit(ExitCode.CANCELLED);
-      }
-    }
-    log("\nGenerating RSA-2048 keypair...");
-    const result = await generateKeyPair({
-      privatePath,
-      publicPath,
-      force: true
-    });
-    await setKeyPermissions(result.privatePath);
-    success("Keypair generated successfully!");
-    log("");
-    log("Private key (KEEP SECRET):");
-    log(`  ${result.privatePath}`);
-    log("");
-    log("Public key (commit to repo):");
-    log(`  ${result.publicPath}`);
-  }
-  log("");
-  info("Important: Back up your private key securely!");
-  log("");
-  log("Next steps:");
-  log(`  1. git add ${publicPath}`);
-  log("  2. Update .attest-it/config.yaml publicKeyPath if needed");
-  log("  3. attest-it run --suite <suite-name>");
-}
 var pruneCommand = new Command("prune").description("Remove stale attestations").option("-n, --dry-run", "Show what would be removed without removing").option("-k, --keep-days <n>", "Keep attestations newer than n days", "30").action(async (options) => {
   await runPrune(options);
 });
@@ -2362,7 +1807,7 @@ async function runVerify(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = readSealsSync(projectRoot);
+    const sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToVerify = gates.length > 0 ? gates : Object.keys(attestItConfig.gates);
     for (const gateId of gatesToVerify) {
       if (!attestItConfig.gates[gateId]) {
@@ -2509,7 +1954,7 @@ async function runSeal(gates, options) {
     const localConfig = loadLocalConfigSync();
     if (!localConfig) {
       error("No local identity configuration found");
-      error('Run "attest-it keygen" first to set up your identity');
+      error('Run "attest-it identity create" first to set up your identity');
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const identity = getActiveIdentity(localConfig);
@@ -2518,7 +1963,7 @@ async function runSeal(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = readSealsSync(projectRoot);
+    const sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToSeal = gates.length > 0 ? gates : getAllGateIds(attestItConfig);
     for (const gateId of gatesToSeal) {
       if (!attestItConfig.gates[gateId]) {
@@ -2531,9 +1976,17 @@ async function runSeal(gates, options) {
       skipped: [],
       failed: []
     };
+    const identitySlug = localConfig.activeIdentity;
     for (const gateId of gatesToSeal) {
       try {
-        const result = await processSingleGate(gateId, attestItConfig, identity, sealsFile, options);
+        const result = await processSingleGate(
+          gateId,
+          attestItConfig,
+          identity,
+          identitySlug,
+          sealsFile,
+          options
+        );
         if (result.sealed) {
           summary.sealed.push(gateId);
         } else if (result.skipped) {
@@ -2545,7 +1998,7 @@ async function runSeal(gates, options) {
       }
     }
     if (!options.dryRun && summary.sealed.length > 0) {
-      writeSealsSync(projectRoot, sealsFile);
+      writeSealsSync(projectRoot, sealsFile, attestItConfig.settings.sealsPath);
     }
     displaySummary(summary, options.dryRun);
     if (summary.failed.length > 0) {
@@ -2564,7 +2017,7 @@ async function runSeal(gates, options) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-async function processSingleGate(gateId, config, identity, sealsFile, options) {
+async function processSingleGate(gateId, config, identity, identitySlug, sealsFile, options) {
   verbose(`Processing gate: ${gateId}`);
   const gate = getGate(config, gateId);
   if (!gate) {
@@ -2598,18 +2051,18 @@ async function processSingleGate(gateId, config, identity, sealsFile, options) {
   const keyProvider = createKeyProviderFromIdentity2(identity);
   const keyRef = getKeyRefFromIdentity2(identity);
   const keyResult = await keyProvider.getPrivateKey(keyRef);
-  const fs4 = await import('fs/promises');
-  const privateKeyPem = await fs4.readFile(keyResult.keyPath, "utf8");
+  const fs3 = await import('fs/promises');
+  const privateKeyPem = await fs3.readFile(keyResult.keyPath, "utf8");
   await keyResult.cleanup();
   const seal = createSeal({
     gateId,
     fingerprint: fingerprintResult.fingerprint,
-    sealedBy: identity.name,
+    sealedBy: identitySlug,
     privateKey: privateKeyPem
   });
   sealsFile.seals[gateId] = seal;
   log(`  Sealed gate: ${gateId}`);
-  verbose(`    Sealed by: ${identity.name}`);
+  verbose(`    Sealed by: ${identitySlug} (${identity.name})`);
   verbose(`    Timestamp: ${seal.timestamp}`);
   return { sealed: true, skipped: false };
 }
@@ -3151,9 +2604,9 @@ async function runCreate() {
     log("");
     log(theme3.blue.bold()("Public key saved to:"));
     log(`  ${publicKeyResult.homePath}`);
-    if (publicKeyResult.projectPath) {
-      log(`  ${publicKeyResult.projectPath}`);
-    }
+    log("");
+    log("To add yourself to a project, run:");
+    log(theme3.blue("  attest-it team join"));
     log("");
     if (!existingConfig) {
       success(`Set as active identity`);
@@ -3274,155 +2727,6 @@ async function runShow(slug) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-var editCommand = new Command("edit").description("Edit identity or rotate keypair").argument("<slug>", "Identity slug to edit").action(async (slug) => {
-  await runEdit(slug);
-});
-async function runEdit(slug) {
-  try {
-    const config = await loadLocalConfig();
-    if (!config) {
-      error("No identities configured");
-      process.exit(ExitCode.CONFIG_ERROR);
-    }
-    const identity = config.identities[slug];
-    if (!identity) {
-      error(`Identity "${slug}" not found`);
-      process.exit(ExitCode.CONFIG_ERROR);
-    }
-    const theme3 = getTheme2();
-    log("");
-    log(theme3.blue.bold()(`Edit Identity: ${slug}`));
-    log("");
-    const name = await input({
-      message: "Display name:",
-      default: identity.name,
-      validate: (value) => {
-        if (!value || value.trim().length === 0) {
-          return "Name cannot be empty";
-        }
-        return true;
-      }
-    });
-    const email = await input({
-      message: "Email (optional):",
-      default: identity.email ?? ""
-    });
-    const github = await input({
-      message: "GitHub username (optional):",
-      default: identity.github ?? ""
-    });
-    const rotateKey = await confirm({
-      message: "Rotate keypair (generate new keys)?",
-      default: false
-    });
-    let publicKey = identity.publicKey;
-    const privateKeyRef = identity.privateKey;
-    if (rotateKey) {
-      log("");
-      log("Generating new Ed25519 keypair...");
-      const keyPair = generateEd25519KeyPair();
-      publicKey = keyPair.publicKey;
-      switch (identity.privateKey.type) {
-        case "file": {
-          await writeFile(identity.privateKey.path, keyPair.privateKey, { mode: 384 });
-          log(`  Updated private key at: ${identity.privateKey.path}`);
-          break;
-        }
-        case "keychain": {
-          const { execFile } = await import('child_process');
-          const { promisify } = await import('util');
-          const execFileAsync = promisify(execFile);
-          const encodedKey = Buffer.from(keyPair.privateKey).toString("base64");
-          try {
-            await execFileAsync("security", [
-              "delete-generic-password",
-              "-s",
-              identity.privateKey.service,
-              "-a",
-              identity.privateKey.account
-            ]);
-            await execFileAsync("security", [
-              "add-generic-password",
-              "-s",
-              identity.privateKey.service,
-              "-a",
-              identity.privateKey.account,
-              "-w",
-              encodedKey,
-              "-U"
-            ]);
-            log(`  Updated private key in macOS Keychain`);
-          } catch (err) {
-            throw new Error(
-              `Failed to update key in macOS Keychain: ${err instanceof Error ? err.message : String(err)}`
-            );
-          }
-          break;
-        }
-        case "1password": {
-          const { execFile } = await import('child_process');
-          const { promisify } = await import('util');
-          const execFileAsync = promisify(execFile);
-          try {
-            const opArgs = [
-              "item",
-              "edit",
-              identity.privateKey.item,
-              "--vault",
-              identity.privateKey.vault,
-              `privateKey[password]=${keyPair.privateKey}`
-            ];
-            if (identity.privateKey.account) {
-              opArgs.push("--account", identity.privateKey.account);
-            }
-            await execFileAsync("op", opArgs);
-            log(`  Updated private key in 1Password`);
-          } catch (err) {
-            throw new Error(
-              `Failed to update key in 1Password: ${err instanceof Error ? err.message : String(err)}`
-            );
-          }
-          break;
-        }
-      }
-    }
-    const updatedIdentity = {
-      name,
-      publicKey,
-      privateKey: privateKeyRef,
-      ...email && { email },
-      ...github && { github }
-    };
-    const newConfig = {
-      ...config,
-      identities: {
-        ...config.identities,
-        [slug]: updatedIdentity
-      }
-    };
-    await saveLocalConfig(newConfig);
-    log("");
-    success("Identity updated successfully");
-    log("");
-    if (rotateKey) {
-      log("  New Public Key: " + publicKey.slice(0, 32) + "...");
-      log("");
-      log(
-        theme3.yellow(
-          "  Warning: If this identity is used in team configurations,\n  you must update those configurations with the new public key."
-        )
-      );
-      log("");
-    }
-  } catch (err) {
-    if (err instanceof Error) {
-      error(err.message);
-    } else {
-      error("Unknown error occurred");
-    }
-    process.exit(ExitCode.CONFIG_ERROR);
-  }
-}
 
 // src/utils/format-key-location.ts
 function formatKeyLocation(privateKey) {
@@ -3641,7 +2945,7 @@ async function runExport(slug) {
 }
 
 // src/commands/identity/index.ts
-var identityCommand = new Command("identity").description("Manage local identities and keypairs").addCommand(listCommand).addCommand(createCommand).addCommand(useCommand).addCommand(showCommand).addCommand(editCommand).addCommand(removeCommand).addCommand(exportCommand);
+var identityCommand = new Command("identity").description("Manage local identities and keypairs").addCommand(listCommand).addCommand(createCommand).addCommand(useCommand).addCommand(showCommand).addCommand(removeCommand).addCommand(exportCommand);
 var whoamiCommand = new Command("whoami").description("Show the current active identity").action(async () => {
   await runWhoami();
 });
@@ -3742,6 +3046,49 @@ async function runList2() {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
+async function promptForGateAuthorization(gates) {
+  if (!gates || Object.keys(gates).length === 0) {
+    return [];
+  }
+  const gateChoices = Object.entries(gates).map(([gateId, gate]) => ({
+    name: `${gateId} - ${gate.name}`,
+    value: gateId
+  }));
+  const authorizedGates = await checkbox({
+    message: "Select gates to authorize (use space to select):",
+    choices: gateChoices
+  });
+  return authorizedGates;
+}
+function addTeamMemberToConfig(config, memberSlug, memberData, authorizedGates) {
+  const existingTeam = config.team ?? {};
+  const updatedConfig = {
+    ...config,
+    team: {
+      ...existingTeam,
+      [memberSlug]: {
+        name: memberData.name,
+        publicKey: memberData.publicKey,
+        publicKeyAlgorithm: memberData.publicKeyAlgorithm ?? "ed25519",
+        ...memberData.email ? { email: memberData.email } : {},
+        ...memberData.github ? { github: memberData.github } : {}
+      }
+    }
+  };
+  if (authorizedGates.length > 0 && updatedConfig.gates) {
+    for (const gateId of authorizedGates) {
+      const gate = updatedConfig.gates[gateId];
+      if (gate) {
+        if (!gate.authorizedSigners.includes(memberSlug)) {
+          gate.authorizedSigners.push(memberSlug);
+        }
+      }
+    }
+  }
+  return updatedConfig;
+}
+
+// src/commands/team/add.ts
 var addCommand = new Command("add").description("Add a new team member").action(async () => {
   await runAdd();
 });
@@ -3813,45 +3160,22 @@ async function runAdd() {
       message: "Public key:",
       validate: validatePublicKey
     });
-    let authorizedGates = [];
-    if (attestItConfig.gates && Object.keys(attestItConfig.gates).length > 0) {
-      log("");
-      const gateChoices = Object.entries(attestItConfig.gates).map(([gateId, gate]) => ({
-        name: `${gateId} - ${gate.name}`,
-        value: gateId
-      }));
-      authorizedGates = await checkbox({
-        message: "Select gates to authorize (use space to select):",
-        choices: gateChoices
-      });
-    }
-    const teamMember = {
+    log("");
+    const authorizedGates = await promptForGateAuthorization(attestItConfig.gates);
+    const memberData = {
       name,
-      publicKey: publicKey.trim()
+      publicKey: publicKey.trim(),
+      publicKeyAlgorithm: "ed25519"
     };
-    if (email && email.trim().length > 0) {
-      teamMember.email = email.trim();
-    }
-    if (github && github.trim().length > 0) {
-      teamMember.github = github.trim();
+    const trimmedEmail = email.trim();
+    const trimmedGithub = github.trim();
+    if (trimmedEmail && trimmedEmail.length > 0) {
+      memberData.email = trimmedEmail;
     }
-    const updatedConfig = {
-      ...config,
-      team: {
-        ...existingTeam,
-        [slug]: teamMember
-      }
-    };
-    if (authorizedGates.length > 0 && updatedConfig.gates) {
-      for (const gateId of authorizedGates) {
-        const gate = updatedConfig.gates[gateId];
-        if (gate) {
-          if (!gate.authorizedSigners.includes(slug)) {
-            gate.authorizedSigners.push(slug);
-          }
-        }
-      }
+    if (trimmedGithub && trimmedGithub.length > 0) {
+      memberData.github = trimmedGithub;
     }
+    const updatedConfig = addTeamMemberToConfig(config, slug, memberData, authorizedGates);
     const configPath = findConfigPath();
     if (!configPath) {
       error("Configuration file not found");
@@ -3874,127 +3198,73 @@ async function runAdd() {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-var editCommand2 = new Command("edit").description("Edit a team member").argument("<slug>", "Team member slug to edit").action(async (slug) => {
-  await runEdit2(slug);
+var joinCommand = new Command("join").description("Add yourself to the project team using your active identity").action(async () => {
+  await runJoin();
 });
-function validatePublicKey2(value) {
-  if (!value || value.trim().length === 0) {
-    return "Public key cannot be empty";
-  }
-  const base64Regex = /^[A-Za-z0-9+/]+=*$/;
-  if (!base64Regex.test(value)) {
-    return "Public key must be valid Base64";
-  }
-  if (value.length !== 44) {
-    return "Public key must be 44 characters (32 bytes in Base64)";
-  }
-  try {
-    const decoded = Buffer.from(value, "base64");
-    if (decoded.length !== 32) {
-      return "Public key must decode to 32 bytes";
-    }
-  } catch {
-    return "Invalid Base64 encoding";
-  }
-  return true;
-}
-async function runEdit2(slug) {
+async function runJoin() {
   try {
     const theme3 = getTheme2();
-    const config = await loadConfig();
-    const attestItConfig = toAttestItConfig(config);
-    const existingMember = attestItConfig.team?.[slug];
-    if (!existingMember) {
-      error(`Team member "${slug}" not found`);
-      process.exit(ExitCode.CONFIG_ERROR);
-    }
     log("");
-    log(theme3.blue.bold()(`Edit Team Member: ${slug}`));
+    log(theme3.blue.bold()("Join Project Team"));
     log("");
-    log(theme3.muted("Leave blank to keep current value"));
+    const localConfig = await loadLocalConfig();
+    if (!localConfig) {
+      error('No identity found. Run "attest-it identity create" first.');
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const activeIdentity = getActiveIdentity(localConfig);
+    if (!activeIdentity) {
+      error('No active identity. Run "attest-it identity use <slug>" to select one.');
+      process.exit(ExitCode.CONFIG_ERROR);
+    }
+    const activeSlug = localConfig.activeIdentity;
+    info(`Using identity: ${activeSlug}`);
+    log(`  Name: ${activeIdentity.name}`);
+    log(`  Public Key: ${activeIdentity.publicKey.slice(0, 32)}...`);
     log("");
-    const name = await input({
-      message: "Display name:",
-      default: existingMember.name,
-      validate: (value) => {
-        if (!value || value.trim().length === 0) {
-          return "Name cannot be empty";
-        }
-        return true;
-      }
-    });
-    const email = await input({
-      message: "Email (optional):",
-      default: existingMember.email ?? ""
-    });
-    const github = await input({
-      message: "GitHub username (optional):",
-      default: existingMember.github ?? ""
-    });
-    const updateKey = await confirm({
-      message: "Update public key?",
-      default: false
-    });
-    let publicKey = existingMember.publicKey;
-    if (updateKey) {
-      log("");
-      log("Paste the new public key:");
-      publicKey = await input({
-        message: "Public key:",
-        default: existingMember.publicKey,
-        validate: validatePublicKey2
-      });
+    const config = await loadConfig();
+    const attestItConfig = toAttestItConfig(config);
+    const existingTeam = attestItConfig.team ?? {};
+    const existingMemberWithKey = Object.entries(existingTeam).find(
+      ([, member]) => member.publicKey === activeIdentity.publicKey
+    );
+    if (existingMemberWithKey) {
+      error(`You're already a team member as "${existingMemberWithKey[0]}"`);
+      process.exit(ExitCode.CONFIG_ERROR);
     }
-    const currentGates = [];
-    if (attestItConfig.gates) {
-      for (const [gateId, gate] of Object.entries(attestItConfig.gates)) {
-        if (gate.authorizedSigners.includes(slug)) {
-          currentGates.push(gateId);
+    let slug = activeSlug;
+    if (existingTeam[slug]) {
+      log(`Slug "${slug}" is already taken by another team member.`);
+      slug = await input({
+        message: "Choose a different slug:",
+        validate: (value) => {
+          if (!value || value.trim().length === 0) {
+            return "Slug cannot be empty";
+          }
+          if (!/^[a-z0-9-]+$/.test(value)) {
+            return "Slug must contain only lowercase letters, numbers, and hyphens";
+          }
+          if (existingTeam[value]) {
+            return `Slug "${value}" is already taken`;
+          }
+          return true;
         }
-      }
-    }
-    let selectedGates = currentGates;
-    if (attestItConfig.gates && Object.keys(attestItConfig.gates).length > 0) {
-      log("");
-      const gateChoices = Object.entries(attestItConfig.gates).map(([gateId, gate]) => ({
-        name: `${gateId} - ${gate.name}`,
-        value: gateId,
-        checked: currentGates.includes(gateId)
-      }));
-      selectedGates = await checkbox({
-        message: "Select gates to authorize (use space to select):",
-        choices: gateChoices
       });
     }
-    const updatedMember = {
-      name: name.trim(),
-      publicKey: publicKey.trim()
+    log("");
+    const authorizedGates = await promptForGateAuthorization(attestItConfig.gates);
+    const memberData = {
+      name: activeIdentity.name,
+      publicKey: activeIdentity.publicKey,
+      publicKeyAlgorithm: "ed25519"
     };
-    if (email && email.trim().length > 0) {
-      updatedMember.email = email.trim();
+    if (activeIdentity.email) {
+      memberData.email = activeIdentity.email;
     }
-    if (github && github.trim().length > 0) {
-      updatedMember.github = github.trim();
-    }
-    const updatedConfig = {
-      ...config,
-      team: {
-        ...attestItConfig.team,
-        [slug]: updatedMember
-      }
-    };
-    if (updatedConfig.gates) {
-      for (const [gateId, gate] of Object.entries(updatedConfig.gates)) {
-        if (currentGates.includes(gateId) && !selectedGates.includes(gateId)) {
-          gate.authorizedSigners = gate.authorizedSigners.filter((s) => s !== slug);
-        }
-        if (!currentGates.includes(gateId) && selectedGates.includes(gateId)) {
-          if (!gate.authorizedSigners.includes(slug)) {
-            gate.authorizedSigners.push(slug);
-          }
-        }
-      }
+    if (activeIdentity.github) {
+      memberData.github = activeIdentity.github;
     }
+    const updatedConfig = addTeamMemberToConfig(config, slug, memberData, authorizedGates);
     const configPath = findConfigPath();
     if (!configPath) {
       error("Configuration file not found");
@@ -4003,11 +3273,9 @@ async function runEdit2(slug) {
     const yamlContent = stringify(updatedConfig);
     await writeFile(configPath, yamlContent, "utf8");
     log("");
-    success(`Team member "${slug}" updated successfully`);
-    if (selectedGates.length > 0) {
-      log(`Authorized for gates: ${selectedGates.join(", ")}`);
-    } else {
-      log("Not authorized for any gates");
+    success(`Team member "${slug}" added successfully`);
+    if (authorizedGates.length > 0) {
+      log(`Authorized for gates: ${authorizedGates.join(", ")}`);
     }
     log("");
   } catch (err) {
@@ -4046,7 +3314,7 @@ async function runRemove2(slug, options) {
     const projectRoot = process.cwd();
     let sealsFile;
     try {
-      sealsFile = readSealsSync(projectRoot);
+      sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     } catch {
       sealsFile = { version: 1, seals: {} };
     }
@@ -4122,7 +3390,7 @@ async function runRemove2(slug, options) {
 }
 
 // src/commands/team/index.ts
-var teamCommand = new Command("team").description("Manage team members and authorizations").addCommand(listCommand2).addCommand(addCommand).addCommand(editCommand2).addCommand(removeCommand2);
+var teamCommand = new Command("team").description("Manage team members and authorizations").addCommand(listCommand2).addCommand(addCommand).addCommand(joinCommand).addCommand(removeCommand2);
 var PROGRAM_NAME2 = "attest-it";
 var PROGRAM_ALIAS2 = "attest";
 var PROGRAM_NAMES = [PROGRAM_NAME2, PROGRAM_ALIAS2];
@@ -4143,7 +3411,6 @@ async function getCompletions(env) {
     { name: "run", description: "Run test suites interactively" },
     { name: "verify", description: "Verify all seals are valid" },
     { name: "seal", description: "Create a seal for a gate" },
-    { name: "keygen", description: "Generate a new keypair" },
     { name: "prune", description: "Remove stale attestations" },
     { name: "identity", description: "Manage identities" },
     { name: "team", description: "Manage team members" },
@@ -4248,7 +3515,6 @@ async function getCompletions(env) {
     "run",
     "verify",
     "seal",
-    "keygen",
     "prune",
     "identity",
     "team",
@@ -4383,43 +3649,12 @@ function createCompletionServerCommand() {
     }
   });
 }
-function hasVersion(data) {
-  return typeof data === "object" && data !== null && "version" in data && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-  typeof data.version === "string";
-}
-var cachedVersion;
-function getPackageVersion() {
-  if (cachedVersion !== void 0) {
-    return cachedVersion;
-  }
-  const __filename = fileURLToPath(import.meta.url);
-  const __dirname = dirname(__filename);
-  const possiblePaths = [join(__dirname, "../package.json"), join(__dirname, "../../package.json")];
-  for (const packageJsonPath of possiblePaths) {
-    try {
-      const content = readFileSync(packageJsonPath, "utf-8");
-      const packageJsonData = JSON.parse(content);
-      if (!hasVersion(packageJsonData)) {
-        throw new Error(`Invalid package.json at ${packageJsonPath}: missing version field`);
-      }
-      cachedVersion = packageJsonData.version;
-      return cachedVersion;
-    } catch (error2) {
-      if (error2 instanceof Error && "code" in error2 && error2.code === "ENOENT") {
-        continue;
-      }
-      throw error2;
-    }
-  }
-  throw new Error("Could not find package.json");
-}
 var program = new Command();
 program.name("attest-it").description("Human-gated test attestation system").option("-c, --config <path>", "Path to config file").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Minimal output");
 program.option("-V, --version", "output the version number");
 program.addCommand(initCommand);
 program.addCommand(statusCommand);
 program.addCommand(runCommand);
-program.addCommand(keygenCommand);
 program.addCommand(pruneCommand);
 program.addCommand(verifyCommand);
 program.addCommand(sealCommand);