@attest-it/core 0.0.2 → 0.4.0

package/dist/index.cjs

@@ -5,12 +5,15 @@ var fs2 = require('fs/promises');
 var path2 = require('path');
 var os = require('os');
 var fs = require('fs');
+var ms = require('ms');
 var yaml = require('yaml');
 var zod = require('zod');
-var crypto = require('crypto');
+var crypto2 = require('crypto');
 var tinyglobby = require('tinyglobby');
 var canonicalizeNamespace = require('canonicalize');
 
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
   var n = Object.create(null);
@@ -33,7 +36,8 @@ var fs2__namespace = /*#__PURE__*/_interopNamespace(fs2);
 var path2__namespace = /*#__PURE__*/_interopNamespace(path2);
 var os__namespace = /*#__PURE__*/_interopNamespace(os);
 var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
-var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
+var ms__default = /*#__PURE__*/_interopDefault(ms);
+var crypto2__namespace = /*#__PURE__*/_interopNamespace(crypto2);
 var canonicalizeNamespace__namespace = /*#__PURE__*/_interopNamespace(canonicalizeNamespace);
 
 var __defProp = Object.defineProperty;
@@ -188,28 +192,47 @@ async function generateKeyPair(options = {}) {
 }
 async function sign(options) {
   await ensureOpenSSLAvailable();
-  const { privateKeyPath, data } = options;
-  if (!await fileExists(privateKeyPath)) {
-    throw new Error(`Private key not found: ${privateKeyPath}`);
+  const { privateKeyPath, keyProvider, keyRef, data } = options;
+  let effectiveKeyPath;
+  let cleanup;
+  if (keyProvider && keyRef) {
+    const result = await keyProvider.getPrivateKey(keyRef);
+    effectiveKeyPath = result.keyPath;
+    cleanup = result.cleanup;
+  } else if (privateKeyPath) {
+    effectiveKeyPath = privateKeyPath;
+  } else {
+    throw new Error(
+      "Either privateKeyPath or both keyProvider and keyRef must be provided for signing"
+    );
   }
-  const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
-  const processBuffer = dataBuffer.length === 0 ? Buffer.from([0]) : dataBuffer;
-  const tmpDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-"));
-  const dataFile = path2__namespace.join(tmpDir, "data.bin");
-  const sigFile = path2__namespace.join(tmpDir, "sig.bin");
   try {
-    await fs2__namespace.writeFile(dataFile, processBuffer);
-    const signArgs = ["dgst", "-sha256", "-sign", privateKeyPath, "-out", sigFile, dataFile];
-    const result = await runOpenSSL(signArgs);
-    if (result.exitCode !== 0) {
-      throw new Error(`Failed to sign data: ${result.stderr}`);
+    if (!await fileExists(effectiveKeyPath)) {
+      throw new Error(`Private key not found: ${effectiveKeyPath}`);
     }
-    const sigBuffer = await fs2__namespace.readFile(sigFile);
-    return sigBuffer.toString("base64");
-  } finally {
+    const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
+    const processBuffer = dataBuffer.length === 0 ? Buffer.from([0]) : dataBuffer;
+    const tmpDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-"));
+    const dataFile = path2__namespace.join(tmpDir, "data.bin");
+    const sigFile = path2__namespace.join(tmpDir, "sig.bin");
     try {
-      await fs2__namespace.rm(tmpDir, { recursive: true, force: true });
-    } catch {
+      await fs2__namespace.writeFile(dataFile, processBuffer);
+      const signArgs = ["dgst", "-sha256", "-sign", effectiveKeyPath, "-out", sigFile, dataFile];
+      const result = await runOpenSSL(signArgs);
+      if (result.exitCode !== 0) {
+        throw new Error(`Failed to sign data: ${result.stderr}`);
+      }
+      const sigBuffer = await fs2__namespace.readFile(sigFile);
+      return sigBuffer.toString("base64");
+    } finally {
+      try {
+        await fs2__namespace.rm(tmpDir, { recursive: true, force: true });
+      } catch {
+      }
+    }
+  } finally {
+    if (cleanup) {
+      await cleanup();
     }
   }
 }
@@ -259,27 +282,86 @@ var init_crypto = __esm({
     openSSLChecked = false;
   }
 });
+var keyProviderOptionsSchema = zod.z.object({
+  privateKeyPath: zod.z.string().optional(),
+  account: zod.z.string().optional(),
+  vault: zod.z.string().optional(),
+  itemName: zod.z.string().optional()
+}).strict();
+var keyProviderSchema = zod.z.object({
+  type: zod.z.enum(["filesystem", "1password"]).or(zod.z.string()),
+  options: keyProviderOptionsSchema.optional()
+}).strict();
+var teamMemberSchema = zod.z.object({
+  name: zod.z.string().min(1, "Team member name cannot be empty"),
+  email: zod.z.string().email().optional(),
+  github: zod.z.string().min(1).optional(),
+  publicKey: zod.z.string().min(1, "Public key is required")
+}).strict();
+var fingerprintConfigSchema = zod.z.object({
+  paths: zod.z.array(zod.z.string().min(1, "Path cannot be empty")).min(1, "At least one path is required"),
+  exclude: zod.z.array(zod.z.string().min(1, "Exclude pattern cannot be empty")).optional()
+}).strict();
+var durationSchema = zod.z.string().refine(
+  (val) => {
+    try {
+      const parsed = ms__default.default(val);
+      return typeof parsed === "number" && parsed > 0;
+    } catch {
+      return false;
+    }
+  },
+  {
+    message: 'Duration must be a valid duration string (e.g., "30d", "7d", "24h")'
+  }
+);
+var gateSchema = zod.z.object({
+  name: zod.z.string().min(1, "Gate name cannot be empty"),
+  description: zod.z.string().min(1, "Gate description cannot be empty"),
+  authorizedSigners: zod.z.array(zod.z.string().min(1, "Authorized signer slug cannot be empty")).min(1, "At least one authorized signer is required"),
+  fingerprint: fingerprintConfigSchema,
+  maxAge: durationSchema
+}).strict();
 var settingsSchema = zod.z.object({
   maxAgeDays: zod.z.number().int().positive().default(30),
   publicKeyPath: zod.z.string().default(".attest-it/pubkey.pem"),
   attestationsPath: zod.z.string().default(".attest-it/attestations.json"),
-  defaultCommand: zod.z.string().optional()
+  defaultCommand: zod.z.string().optional(),
+  keyProvider: keyProviderSchema.optional()
   // Note: algorithm field was removed - RSA is the only supported algorithm
 }).passthrough();
 var suiteSchema = zod.z.object({
+  // Gate fields (if present, this suite references a gate)
+  gate: zod.z.string().optional(),
+  // Legacy fingerprint definition (for backward compatibility)
   description: zod.z.string().optional(),
-  packages: zod.z.array(zod.z.string().min(1, "Package path cannot be empty")).min(1, "At least one package pattern is required"),
+  packages: zod.z.array(zod.z.string().min(1, "Package path cannot be empty")).optional(),
   files: zod.z.array(zod.z.string().min(1, "File path cannot be empty")).optional(),
   ignore: zod.z.array(zod.z.string().min(1, "Ignore pattern cannot be empty")).optional(),
+  // CLI-specific fields
   command: zod.z.string().optional(),
-  invalidates: zod.z.array(zod.z.string().min(1, "Invalidated suite name cannot be empty")).optional()
-}).strict();
+  timeout: zod.z.string().optional(),
+  interactive: zod.z.boolean().optional(),
+  // Relationship fields
+  invalidates: zod.z.array(zod.z.string().min(1, "Invalidated suite name cannot be empty")).optional(),
+  depends_on: zod.z.array(zod.z.string().min(1, "Dependency suite name cannot be empty")).optional()
+}).strict().refine(
+  (suite) => {
+    return suite.gate !== void 0 || suite.packages !== void 0 && suite.packages.length > 0;
+  },
+  {
+    message: "Suite must either reference a gate or define packages for fingerprinting"
+  }
+);
 var configSchema = zod.z.object({
   version: zod.z.literal(1),
   settings: settingsSchema.default({}),
+  team: zod.z.record(zod.z.string(), teamMemberSchema).optional(),
+  gates: zod.z.record(zod.z.string(), gateSchema).optional(),
   suites: zod.z.record(zod.z.string(), suiteSchema).refine((suites) => Object.keys(suites).length >= 1, {
     message: "At least one suite must be defined"
-  })
+  }),
+  groups: zod.z.record(zod.z.string(), zod.z.array(zod.z.string().min(1, "Suite name in group cannot be empty"))).optional()
 }).strict();
 var ConfigValidationError = class extends Error {
   constructor(message, issues) {
@@ -392,30 +474,52 @@ function resolveConfigPaths(config, repoRoot) {
   };
 }
 function toAttestItConfig(config) {
-  return {
+  const result = {
     version: config.version,
     settings: {
       maxAgeDays: config.settings.maxAgeDays,
       publicKeyPath: config.settings.publicKeyPath,
-      attestationsPath: config.settings.attestationsPath,
-      ...config.settings.defaultCommand !== void 0 && {
-        defaultCommand: config.settings.defaultCommand
-      }
+      attestationsPath: config.settings.attestationsPath
     },
-    suites: Object.fromEntries(
-      Object.entries(config.suites).map(([name, suite]) => [
-        name,
-        {
-          packages: suite.packages,
-          ...suite.description !== void 0 && { description: suite.description },
-          ...suite.files !== void 0 && { files: suite.files },
-          ...suite.ignore !== void 0 && { ignore: suite.ignore },
-          ...suite.command !== void 0 && { command: suite.command },
-          ...suite.invalidates !== void 0 && { invalidates: suite.invalidates }
-        }
-      ])
-    )
+    suites: {}
   };
+  if (config.settings.defaultCommand !== void 0) {
+    result.settings.defaultCommand = config.settings.defaultCommand;
+  }
+  if (config.settings.keyProvider !== void 0) {
+    result.settings.keyProvider = {
+      type: config.settings.keyProvider.type,
+      ...config.settings.keyProvider.options !== void 0 && {
+        options: config.settings.keyProvider.options
+      }
+    };
+  }
+  if (config.team !== void 0) {
+    result.team = config.team;
+  }
+  if (config.gates !== void 0) {
+    result.gates = config.gates;
+  }
+  if (config.groups !== void 0) {
+    result.groups = config.groups;
+  }
+  result.suites = Object.fromEntries(
+    Object.entries(config.suites).map(([name, suite]) => {
+      const mappedSuite = {};
+      if (suite.gate !== void 0) mappedSuite.gate = suite.gate;
+      if (suite.packages !== void 0) mappedSuite.packages = suite.packages;
+      if (suite.description !== void 0) mappedSuite.description = suite.description;
+      if (suite.files !== void 0) mappedSuite.files = suite.files;
+      if (suite.ignore !== void 0) mappedSuite.ignore = suite.ignore;
+      if (suite.command !== void 0) mappedSuite.command = suite.command;
+      if (suite.timeout !== void 0) mappedSuite.timeout = suite.timeout;
+      if (suite.interactive !== void 0) mappedSuite.interactive = suite.interactive;
+      if (suite.invalidates !== void 0) mappedSuite.invalidates = suite.invalidates;
+      if (suite.depends_on !== void 0) mappedSuite.depends_on = suite.depends_on;
+      return [name, mappedSuite];
+    })
+  );
+  return result;
 }
 var LARGE_FILE_THRESHOLD = 50 * 1024 * 1024;
 function sortFiles(files) {
@@ -436,15 +540,15 @@ function computeFinalFingerprint(fileHashes) {
   });
   const hashes = sorted.map((input) => input.hash);
   const concatenated = Buffer.concat(hashes);
-  const finalHash = crypto__namespace.createHash("sha256").update(concatenated).digest();
+  const finalHash = crypto2__namespace.createHash("sha256").update(concatenated).digest();
   return `sha256:${finalHash.toString("hex")}`;
 }
 async function hashFileAsync(realPath, normalizedPath, stats) {
   if (stats.size > LARGE_FILE_THRESHOLD) {
     return new Promise((resolve3, reject) => {
-      const hash2 = crypto__namespace.createHash("sha256");
+      const hash2 = crypto2__namespace.createHash("sha256");
       hash2.update(normalizedPath);
-      hash2.update("\0");
+      hash2.update(":");
       const stream = fs__namespace.createReadStream(realPath);
       stream.on("data", (chunk) => {
         hash2.update(chunk);
@@ -456,17 +560,17 @@ async function hashFileAsync(realPath, normalizedPath, stats) {
     });
   }
   const content = await fs__namespace.promises.readFile(realPath);
-  const hash = crypto__namespace.createHash("sha256");
+  const hash = crypto2__namespace.createHash("sha256");
   hash.update(normalizedPath);
-  hash.update("\0");
+  hash.update(":");
   hash.update(content);
   return hash.digest();
 }
 function hashFileSync(realPath, normalizedPath) {
   const content = fs__namespace.readFileSync(realPath);
-  const hash = crypto__namespace.createHash("sha256");
+  const hash = crypto2__namespace.createHash("sha256");
   hash.update(normalizedPath);
-  hash.update("\0");
+  hash.update(":");
   hash.update(content);
   return hash.digest();
 }
@@ -714,22 +818,37 @@ function createAttestation(params) {
   return attestation;
 }
 async function writeSignedAttestations(options) {
-  const { sign: sign2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+  const { sign: sign4 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+  const { privateKeyPath, keyProvider, keyRef } = options;
+  if (!privateKeyPath && (!keyProvider || !keyRef)) {
+    throw new Error(
+      "Either privateKeyPath or both keyProvider and keyRef must be provided for signing"
+    );
+  }
   const canonical = canonicalizeAttestations(options.attestations);
-  const signature = await sign2({
-    privateKeyPath: options.privateKeyPath,
+  const signOptions = {
     data: canonical
-  });
+  };
+  if (privateKeyPath !== void 0) {
+    signOptions.privateKeyPath = privateKeyPath;
+  }
+  if (keyProvider !== void 0) {
+    signOptions.keyProvider = keyProvider;
+  }
+  if (keyRef !== void 0) {
+    signOptions.keyRef = keyRef;
+  }
+  const signature = await sign4(signOptions);
   await writeAttestations(options.filePath, options.attestations, signature);
 }
 async function readAndVerifyAttestations(options) {
-  const { verify: verify2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+  const { verify: verify4 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
   const file = await readAttestations(options.filePath);
   if (!file) {
     throw new Error(`Attestations file not found: ${options.filePath}`);
   }
   const canonical = canonicalizeAttestations(file.attestations);
-  const isValid = await verify2({
+  const isValid = await verify4({
     publicKeyPath: options.publicKeyPath,
     data: canonical,
     signature: file.signature
@@ -752,6 +871,123 @@ var SignatureInvalidError = class extends Error {
 
 // src/index.ts
 init_crypto();
+function isBuffer(value) {
+  return Buffer.isBuffer(value);
+}
+function generateKeyPair2() {
+  try {
+    const keyPair = crypto2__namespace.generateKeyPairSync("ed25519", {
+      publicKeyEncoding: {
+        type: "spki",
+        format: "pem"
+      },
+      privateKeyEncoding: {
+        type: "pkcs8",
+        format: "pem"
+      }
+    });
+    const { publicKey, privateKey } = keyPair;
+    if (typeof publicKey !== "string" || typeof privateKey !== "string") {
+      throw new Error("Expected keypair to have string keys");
+    }
+    const publicKeyObj = crypto2__namespace.createPublicKey(publicKey);
+    const publicKeyExport = publicKeyObj.export({
+      type: "spki",
+      format: "der"
+    });
+    if (!isBuffer(publicKeyExport)) {
+      throw new Error("Expected public key export to be a Buffer");
+    }
+    const rawPublicKey = publicKeyExport.subarray(12);
+    const publicKeyBase64 = rawPublicKey.toString("base64");
+    return {
+      publicKey: publicKeyBase64,
+      privateKey
+    };
+  } catch (err) {
+    throw new Error(
+      `Failed to generate Ed25519 keypair: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function sign3(data, privateKeyPem) {
+  try {
+    const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
+    const privateKeyObj = crypto2__namespace.createPrivateKey(privateKeyPem);
+    const signatureResult = crypto2__namespace.sign(null, dataBuffer, privateKeyObj);
+    if (!isBuffer(signatureResult)) {
+      throw new Error("Expected signature to be a Buffer");
+    }
+    return signatureResult.toString("base64");
+  } catch (err) {
+    throw new Error(
+      `Failed to sign data with Ed25519: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function verify3(data, signature, publicKeyBase64) {
+  try {
+    const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
+    const signatureBuffer = Buffer.from(signature, "base64");
+    const rawPublicKey = Buffer.from(publicKeyBase64, "base64");
+    if (rawPublicKey.length !== 32) {
+      throw new Error(
+        `Invalid Ed25519 public key length: expected 32 bytes, got ${rawPublicKey.length.toString()}`
+      );
+    }
+    const spkiHeader = Buffer.from([
+      48,
+      42,
+      // SEQUENCE, 42 bytes
+      48,
+      5,
+      // SEQUENCE, 5 bytes
+      6,
+      3,
+      43,
+      101,
+      112,
+      // OID 1.3.101.112 (Ed25519)
+      3,
+      33,
+      0
+      // BIT STRING, 33 bytes (32 key + 1 padding)
+    ]);
+    const spkiBuffer = Buffer.concat([spkiHeader, rawPublicKey]);
+    const publicKeyObj = crypto2__namespace.createPublicKey({
+      key: spkiBuffer,
+      format: "der",
+      type: "spki"
+    });
+    return crypto2__namespace.verify(null, dataBuffer, publicKeyObj, signatureBuffer);
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("verification failed")) {
+      return false;
+    }
+    throw new Error(
+      `Failed to verify Ed25519 signature: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function getPublicKeyFromPrivate(privateKeyPem) {
+  try {
+    const privateKeyObj = crypto2__namespace.createPrivateKey(privateKeyPem);
+    const publicKeyObj = crypto2__namespace.createPublicKey(privateKeyObj);
+    const publicKeyExport = publicKeyObj.export({
+      type: "spki",
+      format: "der"
+    });
+    if (!isBuffer(publicKeyExport)) {
+      throw new Error("Expected public key export to be a Buffer");
+    }
+    const rawPublicKey = publicKeyExport.subarray(12);
+    return rawPublicKey.toString("base64");
+  } catch (err) {
+    throw new Error(
+      `Failed to extract public key from Ed25519 private key: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
 async function verifyAttestations(options) {
   const { config, repoRoot = process.cwd() } = options;
   const errors = [];
@@ -802,6 +1038,14 @@ async function verifyAttestations(options) {
 }
 async function verifySuite(options) {
   const { suiteName, suiteConfig, attestations, maxAgeDays, repoRoot } = options;
+  if (!suiteConfig.packages || suiteConfig.packages.length === 0) {
+    return {
+      suite: suiteName,
+      status: "NEEDS_ATTESTATION",
+      fingerprint: "",
+      message: "Suite configuration missing packages field"
+    };
+  }
   const fingerprintOptions = {
     packages: suiteConfig.packages.map((p) => resolvePath(p, repoRoot)),
     baseDir: repoRoot,
@@ -871,39 +1115,1063 @@ function resolvePath(relativePath, baseDir) {
   return path2__namespace.join(baseDir, relativePath);
 }
 
+// src/key-provider/filesystem-provider.ts
+init_crypto();
+var FilesystemKeyProvider = class {
+  type = "filesystem";
+  displayName = "Filesystem";
+  privateKeyPath;
+  /**
+   * Create a new FilesystemKeyProvider.
+   * @param options - Provider options
+   */
+  constructor(options = {}) {
+    this.privateKeyPath = options.privateKeyPath ?? getDefaultPrivateKeyPath();
+  }
+  /**
+   * Check if this provider is available.
+   * Filesystem provider is always available.
+   */
+  async isAvailable() {
+    return Promise.resolve(true);
+  }
+  /**
+   * Check if a key exists at the given path.
+   * @param keyRef - Path to the private key file
+   */
+  async keyExists(keyRef) {
+    try {
+      await fs2__namespace.access(keyRef);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get the private key path for signing.
+   * Returns the path directly with a no-op cleanup function.
+   * @param keyRef - Path to the private key file
+   */
+  async getPrivateKey(keyRef) {
+    if (!await this.keyExists(keyRef)) {
+      throw new Error(`Private key not found: ${keyRef}`);
+    }
+    return {
+      keyPath: keyRef,
+      // No-op cleanup for filesystem provider
+      cleanup: async () => {
+      }
+    };
+  }
+  /**
+   * Generate a new keypair and store on filesystem.
+   * @param options - Key generation options
+   */
+  async generateKeyPair(options) {
+    const { publicKeyPath, force = false } = options;
+    const result = await generateKeyPair({
+      privatePath: this.privateKeyPath,
+      publicPath: publicKeyPath,
+      force
+    });
+    return {
+      privateKeyRef: result.privatePath,
+      publicKeyPath: result.publicPath,
+      storageDescription: `Filesystem: ${result.privatePath}`
+    };
+  }
+  /**
+   * Get the configuration for this provider.
+   */
+  getConfig() {
+    return {
+      type: this.type,
+      options: {
+        privateKeyPath: this.privateKeyPath
+      }
+    };
+  }
+};
+
+// src/key-provider/one-password-provider.ts
+init_crypto();
+var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
+  type = "1password";
+  displayName = "1Password";
+  account;
+  vault;
+  itemName;
+  /**
+   * Create a new OnePasswordKeyProvider.
+   * @param options - Provider options
+   */
+  constructor(options) {
+    if (options.account !== void 0) {
+      this.account = options.account;
+    }
+    this.vault = options.vault;
+    this.itemName = options.itemName;
+  }
+  /**
+   * Check if the 1Password CLI is installed.
+   * @returns True if `op` command is available
+   */
+  static async isInstalled() {
+    try {
+      await execCommand("op", ["--version"]);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * List all 1Password accounts.
+   * @returns Array of account information
+   */
+  static async listAccounts() {
+    try {
+      const output = await execCommand("op", ["account", "list", "--format=json"]);
+      const parsed = JSON.parse(output);
+      if (!Array.isArray(parsed)) {
+        return [];
+      }
+      return parsed;
+    } catch (error) {
+      if (process.env.NODE_ENV !== "production") {
+        console.error("Failed to list 1Password accounts:", error);
+      }
+      return [];
+    }
+  }
+  /**
+   * List vaults in a specific account.
+   * @param account - Account email (optional if only one account)
+   * @returns Array of vault information
+   */
+  static async listVaults(account) {
+    try {
+      const args = ["vault", "list", "--format=json"];
+      if (account) {
+        args.push("--account", account);
+      }
+      const output = await execCommand("op", args);
+      const parsed = JSON.parse(output);
+      if (!Array.isArray(parsed)) {
+        return [];
+      }
+      return parsed;
+    } catch (error) {
+      if (process.env.NODE_ENV !== "production") {
+        console.error("Failed to list 1Password vaults:", error);
+      }
+      return [];
+    }
+  }
+  /**
+   * Check if this provider is available.
+   * Requires `op` CLI to be installed and authenticated.
+   */
+  async isAvailable() {
+    return _OnePasswordKeyProvider.isInstalled();
+  }
+  /**
+   * Check if a key exists in 1Password.
+   * @param keyRef - Item name in 1Password
+   */
+  async keyExists(keyRef) {
+    try {
+      const args = ["item", "get", keyRef, "--vault", this.vault, "--format=json"];
+      if (this.account) {
+        args.push("--account", this.account);
+      }
+      await execCommand("op", args);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get the private key from 1Password for signing.
+   * Downloads to a temporary file and returns a cleanup function.
+   * @param keyRef - Item name in 1Password
+   * @throws Error if the key does not exist in 1Password
+   */
+  async getPrivateKey(keyRef) {
+    if (!await this.keyExists(keyRef)) {
+      throw new Error(
+        `Key not found in 1Password: "${keyRef}" (vault: ${this.vault})` + (this.account ? ` (account: ${this.account})` : "")
+      );
+    }
+    const tempDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-"));
+    const tempKeyPath = path2__namespace.join(tempDir, "private.pem");
+    try {
+      const args = ["document", "get", keyRef, "--vault", this.vault, "--out-file", tempKeyPath];
+      if (this.account) {
+        args.push("--account", this.account);
+      }
+      await execCommand("op", args);
+      await setKeyPermissions(tempKeyPath);
+      return {
+        keyPath: tempKeyPath,
+        cleanup: async () => {
+          try {
+            await fs2__namespace.unlink(tempKeyPath);
+            await fs2__namespace.rmdir(tempDir);
+          } catch (cleanupError) {
+            console.warn(
+              `Warning: Failed to clean up temporary key file at ${tempKeyPath}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+            );
+          }
+        }
+      };
+    } catch (error) {
+      try {
+        await fs2__namespace.rm(tempDir, { recursive: true, force: true });
+      } catch (cleanupError) {
+        console.warn(
+          `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Generate a new keypair and store private key in 1Password.
+   * Public key is written to filesystem for repository commit.
+   * @param options - Key generation options
+   */
+  async generateKeyPair(options) {
+    const { publicKeyPath, force = false } = options;
+    const tempDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-keygen-"));
+    const tempPrivateKeyPath = path2__namespace.join(tempDir, "private.pem");
+    try {
+      await generateKeyPair({
+        privatePath: tempPrivateKeyPath,
+        publicPath: publicKeyPath,
+        force
+      });
+      const args = [
+        "document",
+        "create",
+        tempPrivateKeyPath,
+        "--title",
+        this.itemName,
+        "--vault",
+        this.vault
+      ];
+      if (this.account) {
+        args.push("--account", this.account);
+      }
+      await execCommand("op", args);
+      await fs2__namespace.unlink(tempPrivateKeyPath);
+      await fs2__namespace.rmdir(tempDir);
+      return {
+        privateKeyRef: this.itemName,
+        publicKeyPath,
+        storageDescription: `1Password: ${this.vault}/${this.itemName}`
+      };
+    } catch (error) {
+      try {
+        await fs2__namespace.rm(tempDir, { recursive: true, force: true });
+      } catch (cleanupError) {
+        console.warn(
+          `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Get the configuration for this provider.
+   */
+  getConfig() {
+    return {
+      type: this.type,
+      options: {
+        ...this.account && { account: this.account },
+        vault: this.vault,
+        itemName: this.itemName
+      }
+    };
+  }
+};
+async function execCommand(command, args) {
+  return new Promise((resolve3, reject) => {
+    const proc = child_process.spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (data) => {
+      stdout += data.toString();
+    });
+    proc.stderr.on("data", (data) => {
+      stderr += data.toString();
+    });
+    proc.on("close", (code) => {
+      if (code === 0) {
+        resolve3(stdout.trim());
+      } else {
+        reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
+      }
+    });
+    proc.on("error", (error) => {
+      reject(error);
+    });
+  });
+}
+
+// src/key-provider/macos-keychain-provider.ts
+init_crypto();
+var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
+  type = "macos-keychain";
+  displayName = "macOS Keychain";
+  itemName;
+  static ACCOUNT = "attest-it";
+  /**
+   * Create a new MacOSKeychainKeyProvider.
+   * @param options - Provider options
+   */
+  constructor(options) {
+    this.itemName = options.itemName;
+  }
+  /**
+   * Check if this provider is available.
+   * Only available on macOS platforms.
+   */
+  static isAvailable() {
+    return process.platform === "darwin";
+  }
+  /**
+   * Check if this provider is available on the current system.
+   */
+  isAvailable() {
+    return Promise.resolve(_MacOSKeychainKeyProvider.isAvailable());
+  }
+  /**
+   * Check if a key exists in the keychain.
+   * @param keyRef - Item name in keychain
+   */
+  async keyExists(keyRef) {
+    try {
+      await execCommand2("security", [
+        "find-generic-password",
+        "-a",
+        _MacOSKeychainKeyProvider.ACCOUNT,
+        "-s",
+        keyRef
+      ]);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get the private key from keychain for signing.
+   * Downloads to a temporary file and returns a cleanup function.
+   * @param keyRef - Item name in keychain
+   * @throws Error if the key does not exist in keychain
+   */
+  async getPrivateKey(keyRef) {
+    if (!await this.keyExists(keyRef)) {
+      throw new Error(
+        `Key not found in macOS Keychain: "${keyRef}" (account: ${_MacOSKeychainKeyProvider.ACCOUNT})`
+      );
+    }
+    const tempDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-"));
+    const tempKeyPath = path2__namespace.join(tempDir, "private.pem");
+    try {
+      const base64Key = await execCommand2("security", [
+        "find-generic-password",
+        "-a",
+        _MacOSKeychainKeyProvider.ACCOUNT,
+        "-s",
+        keyRef,
+        "-w"
+      ]);
+      const keyContent = Buffer.from(base64Key, "base64").toString("utf8");
+      await fs2__namespace.writeFile(tempKeyPath, keyContent, { mode: 384 });
+      await setKeyPermissions(tempKeyPath);
+      return {
+        keyPath: tempKeyPath,
+        cleanup: async () => {
+          try {
+            await fs2__namespace.unlink(tempKeyPath);
+            await fs2__namespace.rmdir(tempDir);
+          } catch (cleanupError) {
+            console.warn(
+              `Warning: Failed to clean up temporary key file at ${tempKeyPath}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+            );
+          }
+        }
+      };
+    } catch (error) {
+      try {
+        await fs2__namespace.rm(tempDir, { recursive: true, force: true });
+      } catch (cleanupError) {
+        console.warn(
+          `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Generate a new keypair and store private key in keychain.
+   * Public key is written to filesystem for repository commit.
+   * @param options - Key generation options
+   */
+  async generateKeyPair(options) {
+    const { publicKeyPath, force = false } = options;
+    const tempDir = await fs2__namespace.mkdtemp(path2__namespace.join(os__namespace.tmpdir(), "attest-it-keygen-"));
+    const tempPrivateKeyPath = path2__namespace.join(tempDir, "private.pem");
+    try {
+      await generateKeyPair({
+        privatePath: tempPrivateKeyPath,
+        publicPath: publicKeyPath,
+        force
+      });
+      const privateKeyContent = await fs2__namespace.readFile(tempPrivateKeyPath, "utf8");
+      const base64Key = Buffer.from(privateKeyContent, "utf8").toString("base64");
+      await execCommand2("security", [
+        "add-generic-password",
+        "-a",
+        _MacOSKeychainKeyProvider.ACCOUNT,
+        "-s",
+        this.itemName,
+        "-w",
+        base64Key,
+        "-T",
+        "",
+        "-U"
+      ]);
+      await fs2__namespace.unlink(tempPrivateKeyPath);
+      await fs2__namespace.rmdir(tempDir);
+      return {
+        privateKeyRef: this.itemName,
+        publicKeyPath,
+        storageDescription: `macOS Keychain: ${this.itemName}`
+      };
+    } catch (error) {
+      try {
+        await fs2__namespace.rm(tempDir, { recursive: true, force: true });
+      } catch (cleanupError) {
+        console.warn(
+          `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Get the configuration for this provider.
+   */
+  getConfig() {
+    return {
+      type: this.type,
+      options: {
+        itemName: this.itemName
+      }
+    };
+  }
+};
+async function execCommand2(command, args) {
+  return new Promise((resolve3, reject) => {
+    const proc = child_process.spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (data) => {
+      stdout += data.toString();
+    });
+    proc.stderr.on("data", (data) => {
+      stderr += data.toString();
+    });
+    proc.on("close", (code) => {
+      if (code === 0) {
+        resolve3(stdout.trim());
+      } else {
+        reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
+      }
+    });
+    proc.on("error", (error) => {
+      reject(error);
+    });
+  });
+}
+
+// src/key-provider/registry.ts
+var KeyProviderRegistry = class {
+  static providers = /* @__PURE__ */ new Map();
+  /**
+   * Register a key provider factory.
+   * @param type - Provider type identifier
+   * @param factory - Factory function to create provider instances
+   */
+  static register(type, factory) {
+    this.providers.set(type, factory);
+  }
+  /**
+   * Create a key provider from configuration.
+   * @param config - Provider configuration
+   * @returns A key provider instance
+   * @throws Error if the provider type is not registered
+   */
+  static create(config) {
+    const factory = this.providers.get(config.type);
+    if (!factory) {
+      throw new Error(
+        `Unknown key provider type: ${config.type}. Available types: ${Array.from(this.providers.keys()).join(", ")}`
+      );
+    }
+    return factory(config);
+  }
+  /**
+   * Get all registered provider types.
+   * @returns Array of provider type identifiers
+   */
+  static getProviderTypes() {
+    return Array.from(this.providers.keys());
+  }
+};
+KeyProviderRegistry.register("filesystem", (config) => {
+  const privateKeyPath = typeof config.options.privateKeyPath === "string" ? config.options.privateKeyPath : void 0;
+  if (privateKeyPath !== void 0) {
+    return new FilesystemKeyProvider({ privateKeyPath });
+  }
+  return new FilesystemKeyProvider();
+});
+KeyProviderRegistry.register("1password", (config) => {
+  const { options } = config;
+  const account = typeof options.account === "string" ? options.account : void 0;
+  const vault = typeof options.vault === "string" ? options.vault : "";
+  const itemName = typeof options.itemName === "string" ? options.itemName : "";
+  if (!vault || !itemName) {
+    throw new Error("1Password provider requires vault and itemName options");
+  }
+  if (account !== void 0) {
+    return new OnePasswordKeyProvider({ account, vault, itemName });
+  }
+  return new OnePasswordKeyProvider({ vault, itemName });
+});
+KeyProviderRegistry.register("macos-keychain", (config) => {
+  const { options } = config;
+  const itemName = typeof options.itemName === "string" ? options.itemName : "";
+  if (!itemName) {
+    throw new Error("macOS Keychain provider requires itemName option");
+  }
+  return new MacOSKeychainKeyProvider({ itemName });
+});
+var privateKeyRefSchema = zod.z.discriminatedUnion("type", [
+  zod.z.object({
+    type: zod.z.literal("file"),
+    path: zod.z.string().min(1, "File path cannot be empty")
+  }),
+  zod.z.object({
+    type: zod.z.literal("keychain"),
+    service: zod.z.string().min(1, "Service name cannot be empty"),
+    account: zod.z.string().min(1, "Account name cannot be empty")
+  }),
+  zod.z.object({
+    type: zod.z.literal("1password"),
+    account: zod.z.string().optional(),
+    vault: zod.z.string().min(1, "Vault name cannot be empty"),
+    item: zod.z.string().min(1, "Item name cannot be empty"),
+    field: zod.z.string().optional()
+  })
+]);
+var identitySchema = zod.z.object({
+  name: zod.z.string().min(1, "Identity name cannot be empty"),
+  email: zod.z.string().optional(),
+  github: zod.z.string().optional(),
+  publicKey: zod.z.string().min(1, "Public key cannot be empty"),
+  privateKey: privateKeyRefSchema
+}).strict();
+var localConfigSchema = zod.z.object({
+  activeIdentity: zod.z.string().min(1, "Active identity name cannot be empty"),
+  identities: zod.z.record(zod.z.string(), identitySchema).refine((identities) => Object.keys(identities).length >= 1, {
+    message: "At least one identity must be defined"
+  })
+}).strict();
+var LocalConfigValidationError = class extends Error {
+  constructor(message, issues) {
+    super(message);
+    this.issues = issues;
+    this.name = "LocalConfigValidationError";
+  }
+};
+function getLocalConfigPath() {
+  const home = os.homedir();
+  return path2.join(home, ".config", "attest-it", "config.yaml");
+}
+function parseLocalConfigContent(content) {
+  let rawConfig;
+  try {
+    rawConfig = yaml.parse(content);
+  } catch (error) {
+    throw new LocalConfigValidationError(
+      `Failed to parse YAML: ${error instanceof Error ? error.message : String(error)}`,
+      []
+    );
+  }
+  const result = localConfigSchema.safeParse(rawConfig);
+  if (!result.success) {
+    throw new LocalConfigValidationError(
+      "Local configuration validation failed:\n" + result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n"),
+      result.error.issues
+    );
+  }
+  const identities = Object.fromEntries(
+    Object.entries(result.data.identities).map(([key, identity]) => {
+      let privateKey;
+      if (identity.privateKey.type === "1password") {
+        privateKey = {
+          type: "1password",
+          vault: identity.privateKey.vault,
+          item: identity.privateKey.item,
+          ...identity.privateKey.account !== void 0 && {
+            account: identity.privateKey.account
+          },
+          ...identity.privateKey.field !== void 0 && { field: identity.privateKey.field }
+        };
+      } else {
+        privateKey = identity.privateKey;
+      }
+      return [
+        key,
+        {
+          name: identity.name,
+          publicKey: identity.publicKey,
+          privateKey,
+          ...identity.email !== void 0 && { email: identity.email },
+          ...identity.github !== void 0 && { github: identity.github }
+        }
+      ];
+    })
+  );
+  return {
+    activeIdentity: result.data.activeIdentity,
+    identities
+  };
+}
+async function loadLocalConfig(configPath) {
+  const resolvedPath = configPath ?? getLocalConfigPath();
+  try {
+    const content = await fs2.readFile(resolvedPath, "utf8");
+    return parseLocalConfigContent(content);
+  } catch (error) {
+    if (error instanceof LocalConfigValidationError) {
+      throw error;
+    }
+    if (error && typeof error === "object" && "code" in error && (error.code === "ENOENT" || error.code === "ENOTDIR")) {
+      return null;
+    }
+    throw error;
+  }
+}
+function loadLocalConfigSync(configPath) {
+  const resolvedPath = configPath ?? getLocalConfigPath();
+  try {
+    const content = fs.readFileSync(resolvedPath, "utf8");
+    return parseLocalConfigContent(content);
+  } catch (error) {
+    if (error instanceof LocalConfigValidationError) {
+      throw error;
+    }
+    if (error && typeof error === "object" && "code" in error && (error.code === "ENOENT" || error.code === "ENOTDIR")) {
+      return null;
+    }
+    throw error;
+  }
+}
+async function saveLocalConfig(config, configPath) {
+  const resolvedPath = configPath ?? getLocalConfigPath();
+  const content = yaml.stringify(config);
+  const dir = path2.dirname(resolvedPath);
+  await fs2.mkdir(dir, { recursive: true });
+  await fs2.writeFile(resolvedPath, content, "utf8");
+}
+function saveLocalConfigSync(config, configPath) {
+  const resolvedPath = configPath ?? getLocalConfigPath();
+  const content = yaml.stringify(config);
+  const dir = path2.dirname(resolvedPath);
+  fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(resolvedPath, content, "utf8");
+}
+function getActiveIdentity(config) {
+  return config.identities[config.activeIdentity];
+}
+function isAuthorizedSigner(config, gateId, publicKey) {
+  const gate = config.gates?.[gateId];
+  if (!gate) {
+    return false;
+  }
+  const teamMember = findTeamMemberByPublicKey(config, publicKey);
+  if (!teamMember) {
+    return false;
+  }
+  const teamMemberSlug = findTeamMemberSlug(config, teamMember);
+  if (!teamMemberSlug) {
+    return false;
+  }
+  return gate.authorizedSigners.includes(teamMemberSlug);
+}
+function getAuthorizedSignersForGate(config, gateId) {
+  const gate = config.gates?.[gateId];
+  if (!gate || !config.team) {
+    return [];
+  }
+  const authorizedMembers = [];
+  for (const signerSlug of gate.authorizedSigners) {
+    const member = config.team[signerSlug];
+    if (member) {
+      authorizedMembers.push(member);
+    }
+  }
+  return authorizedMembers;
+}
+function findTeamMemberByPublicKey(config, publicKey) {
+  if (!config.team) {
+    return void 0;
+  }
+  for (const member of Object.values(config.team)) {
+    if (member.publicKey === publicKey) {
+      return member;
+    }
+  }
+  return void 0;
+}
+function findTeamMemberSlug(config, teamMember) {
+  if (!config.team) {
+    return void 0;
+  }
+  for (const [slug, member] of Object.entries(config.team)) {
+    if (member === teamMember || member.publicKey === teamMember.publicKey) {
+      return slug;
+    }
+  }
+  return void 0;
+}
+function getGate(config, gateId) {
+  return config.gates?.[gateId];
+}
+var DURATION_PATTERN = /^\d+(\.\d+)?\s*(ms|s|m|h|d|w|y)$/i;
+function isValidDurationFormat(value) {
+  return DURATION_PATTERN.test(value.trim());
+}
+function parseDuration(duration) {
+  if (!isValidDurationFormat(duration)) {
+    throw new Error(`Invalid duration string: ${duration}`);
+  }
+  const result = ms__default.default(duration);
+  if (typeof result !== "number" || result <= 0) {
+    throw new Error(`Invalid duration string: ${duration}`);
+  }
+  return result;
+}
+var sealSchema = zod.z.object({
+  gateId: zod.z.string().min(1, "Gate ID cannot be empty"),
+  // Fingerprint format: sha256:<hex> where hex is at least 1 character
+  // Full fingerprints are 64 hex chars, but tests may use shorter values
+  fingerprint: zod.z.string().regex(/^sha256:[a-f0-9]+$/i, "Invalid fingerprint format (expected sha256:<hex>)"),
+  timestamp: zod.z.string().datetime({ message: "Invalid ISO 8601 timestamp" }),
+  sealedBy: zod.z.string().min(1, "Signer slug cannot be empty"),
+  signature: zod.z.string().min(1, "Signature cannot be empty")
+});
+var sealsFileSchema = zod.z.object({
+  version: zod.z.literal(1, { errorMap: () => ({ message: "Unsupported seals file version" }) }),
+  seals: zod.z.record(zod.z.string(), sealSchema)
+});
+function createSeal(options) {
+  const { gateId, fingerprint, sealedBy, privateKey } = options;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const canonicalString = `${gateId}:${fingerprint}:${timestamp}`;
+  const signature = sign3(canonicalString, privateKey);
+  return {
+    gateId,
+    fingerprint,
+    timestamp,
+    sealedBy,
+    signature
+  };
+}
+function verifySeal(seal, config) {
+  const { gateId, fingerprint, timestamp, sealedBy, signature } = seal;
+  if (!config.team) {
+    return {
+      valid: false,
+      error: `No team configuration found`
+    };
+  }
+  const teamMember = config.team[sealedBy];
+  if (!teamMember) {
+    return {
+      valid: false,
+      error: `Team member '${sealedBy}' not found in configuration`
+    };
+  }
+  const canonicalString = `${gateId}:${fingerprint}:${timestamp}`;
+  try {
+    const isValid = verify3(canonicalString, signature, teamMember.publicKey);
+    if (!isValid) {
+      return {
+        valid: false,
+        error: "Signature verification failed"
+      };
+    }
+    return { valid: true };
+  } catch (error) {
+    return {
+      valid: false,
+      error: `Signature verification error: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
+function parseSealsContent(content) {
+  let rawData;
+  try {
+    rawData = JSON.parse(content);
+  } catch (error) {
+    throw new Error(`Invalid JSON: ${error instanceof Error ? error.message : String(error)}`);
+  }
+  const result = sealsFileSchema.safeParse(rawData);
+  if (!result.success) {
+    const issues = result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n");
+    throw new Error(`Invalid seals file:
+${issues}`);
+  }
+  return result.data;
+}
+async function readSeals(dir) {
+  const sealsPath = path2__namespace.join(dir, ".attest-it", "seals.json");
+  try {
+    const content = await fs__namespace.promises.readFile(sealsPath, "utf8");
+    return parseSealsContent(content);
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return {
+        version: 1,
+        seals: {}
+      };
+    }
+    throw new Error(
+      `Failed to read seals file: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+function readSealsSync(dir) {
+  const sealsPath = path2__namespace.join(dir, ".attest-it", "seals.json");
+  try {
+    const content = fs__namespace.readFileSync(sealsPath, "utf8");
+    return parseSealsContent(content);
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return {
+        version: 1,
+        seals: {}
+      };
+    }
+    throw new Error(
+      `Failed to read seals file: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+async function writeSeals(dir, sealsFile) {
+  const attestItDir = path2__namespace.join(dir, ".attest-it");
+  const sealsPath = path2__namespace.join(attestItDir, "seals.json");
+  try {
+    await fs__namespace.promises.mkdir(attestItDir, { recursive: true });
+    const content = JSON.stringify(sealsFile, null, 2) + "\n";
+    await fs__namespace.promises.writeFile(sealsPath, content, "utf8");
+  } catch (error) {
+    throw new Error(
+      `Failed to write seals file: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+function writeSealsSync(dir, sealsFile) {
+  const attestItDir = path2__namespace.join(dir, ".attest-it");
+  const sealsPath = path2__namespace.join(attestItDir, "seals.json");
+  try {
+    fs__namespace.mkdirSync(attestItDir, { recursive: true });
+    const content = JSON.stringify(sealsFile, null, 2) + "\n";
+    fs__namespace.writeFileSync(sealsPath, content, "utf8");
+  } catch (error) {
+    throw new Error(
+      `Failed to write seals file: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+
+// src/seal/verification.ts
+function verifyGateSeal(config, gateId, seals, currentFingerprint) {
+  const gate = getGate(config, gateId);
+  if (!gate) {
+    return {
+      gateId,
+      state: "MISSING",
+      message: `Gate '${gateId}' not found in configuration`
+    };
+  }
+  const seal = seals.seals[gateId];
+  if (!seal) {
+    return {
+      gateId,
+      state: "MISSING",
+      message: `No seal found for gate '${gateId}'`
+    };
+  }
+  if (seal.fingerprint !== currentFingerprint) {
+    return {
+      gateId,
+      state: "FINGERPRINT_MISMATCH",
+      seal,
+      message: `Fingerprint changed since seal was created`
+    };
+  }
+  if (!config.team) {
+    return {
+      gateId,
+      state: "UNKNOWN_SIGNER",
+      seal,
+      message: `No team configuration found`
+    };
+  }
+  const teamMember = config.team[seal.sealedBy];
+  if (!teamMember) {
+    return {
+      gateId,
+      state: "UNKNOWN_SIGNER",
+      seal,
+      message: `Signer '${seal.sealedBy}' not found in team`
+    };
+  }
+  const authorized = isAuthorizedSigner(config, gateId, teamMember.publicKey);
+  if (!authorized) {
+    return {
+      gateId,
+      state: "UNKNOWN_SIGNER",
+      seal,
+      message: `Signer '${seal.sealedBy}' is not authorized for gate '${gateId}'`
+    };
+  }
+  const verificationResult = verifySeal(seal, config);
+  if (!verificationResult.valid) {
+    return {
+      gateId,
+      state: "INVALID_SIGNATURE",
+      seal,
+      message: verificationResult.error ?? "Signature verification failed"
+    };
+  }
+  try {
+    const maxAgeMs = parseDuration(gate.maxAge);
+    const sealTimestamp = new Date(seal.timestamp).getTime();
+    const now = Date.now();
+    const ageMs = now - sealTimestamp;
+    if (ageMs > maxAgeMs) {
+      const ageDays = Math.floor(ageMs / (1e3 * 60 * 60 * 24));
+      const maxAgeDays = Math.floor(maxAgeMs / (1e3 * 60 * 60 * 24));
+      return {
+        gateId,
+        state: "STALE",
+        seal,
+        message: `Seal is ${ageDays.toString()} days old, exceeds maxAge of ${maxAgeDays.toString()} days`
+      };
+    }
+  } catch (error) {
+    return {
+      gateId,
+      state: "STALE",
+      seal,
+      message: `Cannot verify freshness: invalid maxAge format: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+  return {
+    gateId,
+    state: "VALID",
+    seal
+  };
+}
+function verifyAllSeals(config, seals, fingerprints) {
+  if (!config.gates) {
+    return [];
+  }
+  const results = [];
+  for (const gateId of Object.keys(config.gates)) {
+    const fingerprint = fingerprints[gateId];
+    if (!fingerprint) {
+      results.push({
+        gateId,
+        state: "MISSING",
+        message: `No fingerprint computed for gate '${gateId}'`
+      });
+      continue;
+    }
+    const result = verifyGateSeal(config, gateId, seals, fingerprint);
+    results.push(result);
+  }
+  return results;
+}
+
 // src/index.ts
 var version = "0.0.0";
 
 exports.ConfigNotFoundError = ConfigNotFoundError;
 exports.ConfigValidationError = ConfigValidationError;
+exports.FilesystemKeyProvider = FilesystemKeyProvider;
+exports.KeyProviderRegistry = KeyProviderRegistry;
+exports.LocalConfigValidationError = LocalConfigValidationError;
+exports.MacOSKeychainKeyProvider = MacOSKeychainKeyProvider;
+exports.OnePasswordKeyProvider = OnePasswordKeyProvider;
 exports.SignatureInvalidError = SignatureInvalidError;
 exports.canonicalizeAttestations = canonicalizeAttestations;
 exports.checkOpenSSL = checkOpenSSL;
 exports.computeFingerprint = computeFingerprint;
 exports.computeFingerprintSync = computeFingerprintSync;
 exports.createAttestation = createAttestation;
+exports.createSeal = createSeal;
 exports.findAttestation = findAttestation;
 exports.findConfigPath = findConfigPath;
+exports.findTeamMemberByPublicKey = findTeamMemberByPublicKey;
+exports.generateEd25519KeyPair = generateKeyPair2;
 exports.generateKeyPair = generateKeyPair;
+exports.getActiveIdentity = getActiveIdentity;
+exports.getAuthorizedSignersForGate = getAuthorizedSignersForGate;
 exports.getDefaultPrivateKeyPath = getDefaultPrivateKeyPath;
 exports.getDefaultPublicKeyPath = getDefaultPublicKeyPath;
+exports.getGate = getGate;
+exports.getLocalConfigPath = getLocalConfigPath;
+exports.getPublicKeyFromPrivate = getPublicKeyFromPrivate;
+exports.isAuthorizedSigner = isAuthorizedSigner;
 exports.listPackageFiles = listPackageFiles;
 exports.loadConfig = loadConfig;
 exports.loadConfigSync = loadConfigSync;
+exports.loadLocalConfig = loadLocalConfig;
+exports.loadLocalConfigSync = loadLocalConfigSync;
+exports.parseDuration = parseDuration;
 exports.readAndVerifyAttestations = readAndVerifyAttestations;
 exports.readAttestations = readAttestations;
 exports.readAttestationsSync = readAttestationsSync;
+exports.readSeals = readSeals;
+exports.readSealsSync = readSealsSync;
 exports.removeAttestation = removeAttestation;
 exports.resolveConfigPaths = resolveConfigPaths;
+exports.saveLocalConfig = saveLocalConfig;
+exports.saveLocalConfigSync = saveLocalConfigSync;
 exports.setKeyPermissions = setKeyPermissions;
 exports.sign = sign;
+exports.signEd25519 = sign3;
 exports.toAttestItConfig = toAttestItConfig;
 exports.upsertAttestation = upsertAttestation;
 exports.verify = verify;
+exports.verifyAllSeals = verifyAllSeals;
 exports.verifyAttestations = verifyAttestations;
+exports.verifyEd25519 = verify3;
+exports.verifyGateSeal = verifyGateSeal;
+exports.verifySeal = verifySeal;
 exports.version = version;
 exports.writeAttestations = writeAttestations;
 exports.writeAttestationsSync = writeAttestationsSync;
+exports.writeSeals = writeSeals;
+exports.writeSealsSync = writeSealsSync;
 exports.writeSignedAttestations = writeSignedAttestations;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map