npm - @attest-it/core - Versions diffs - 0.2.0 → 0.5.0 - Mend

@attest-it/core 0.2.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/{chunk-CEE7ONNG.js → chunk-VC3BBBBO.js} +39 -20
package/dist/chunk-VC3BBBBO.js.map +1 -0
package/dist/core-alpha.d.ts +1146 -19
package/dist/core-beta.d.ts +1146 -19
package/dist/core-public.d.ts +1146 -19
package/dist/core-unstripped.d.ts +1146 -19
package/dist/{crypto-VAXWUGKL.js → crypto-CE2YISRD.js} +3 -3
package/dist/{crypto-VAXWUGKL.js.map → crypto-CE2YISRD.js.map} +1 -1
package/dist/index.cjs +1385 -56
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +1196 -20
package/dist/index.d.ts +1192 -20
package/dist/index.js +1325 -54
package/dist/index.js.map +1 -1
package/package.json +3 -1
package/dist/chunk-CEE7ONNG.js.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -1,35 +1,97 @@
-export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, setKeyPermissions, sign, verify } from './chunk-CEE7ONNG.js';
+import { getDefaultPrivateKeyPath, generateKeyPair, setKeyPermissions } from './chunk-VC3BBBBO.js';
+export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, setKeyPermissions, sign, verify } from './chunk-VC3BBBBO.js';
 import * as fs from 'fs';
-import { readFileSync } from 'fs';
-import { readFile } from 'fs/promises';
-import * as path from 'path';
-import { join, resolve } from 'path';
-import { parse } from 'yaml';
+import { readFileSync, mkdirSync, writeFileSync } from 'fs';
+import * as fs6 from 'fs/promises';
+import { readFile, mkdir, writeFile } from 'fs/promises';
+import * as path6 from 'path';
+import { join, resolve, dirname } from 'path';
+import ms from 'ms';
+import { stringify, parse } from 'yaml';
 import { z } from 'zod';
-import * as crypto from 'crypto';
+import * as crypto2 from 'crypto';
 import { glob, globSync } from 'tinyglobby';
-import * as os from 'os';
+import * as os2 from 'os';
+import { homedir } from 'os';
 import * as canonicalizeNamespace from 'canonicalize';
+import { spawn } from 'child_process';
+var keyProviderOptionsSchema = z.object({
+  privateKeyPath: z.string().optional(),
+  account: z.string().optional(),
+  vault: z.string().optional(),
+  itemName: z.string().optional()
+}).strict();
+var keyProviderSchema = z.object({
+  type: z.enum(["filesystem", "1password"]).or(z.string()),
+  options: keyProviderOptionsSchema.optional()
+}).strict();
+var teamMemberSchema = z.object({
+  name: z.string().min(1, "Team member name cannot be empty"),
+  email: z.string().email().optional(),
+  github: z.string().min(1).optional(),
+  publicKey: z.string().min(1, "Public key is required")
+}).strict();
+var fingerprintConfigSchema = z.object({
+  paths: z.array(z.string().min(1, "Path cannot be empty")).min(1, "At least one path is required"),
+  exclude: z.array(z.string().min(1, "Exclude pattern cannot be empty")).optional()
+}).strict();
+var durationSchema = z.string().refine(
+  (val) => {
+    try {
+      const parsed = ms(val);
+      return typeof parsed === "number" && parsed > 0;
+    } catch {
+      return false;
+    }
+  },
+  {
+    message: 'Duration must be a valid duration string (e.g., "30d", "7d", "24h")'
+  }
+);
+var gateSchema = z.object({
+  name: z.string().min(1, "Gate name cannot be empty"),
+  description: z.string().min(1, "Gate description cannot be empty"),
+  authorizedSigners: z.array(z.string().min(1, "Authorized signer slug cannot be empty")).min(1, "At least one authorized signer is required"),
+  fingerprint: fingerprintConfigSchema,
+  maxAge: durationSchema
+}).strict();
 var settingsSchema = z.object({
   maxAgeDays: z.number().int().positive().default(30),
   publicKeyPath: z.string().default(".attest-it/pubkey.pem"),
   attestationsPath: z.string().default(".attest-it/attestations.json"),
-  defaultCommand: z.string().optional()
+  defaultCommand: z.string().optional(),
+  keyProvider: keyProviderSchema.optional()
   // Note: algorithm field was removed - RSA is the only supported algorithm
 }).passthrough();
 var suiteSchema = z.object({
+  // Gate fields (if present, this suite references a gate)
+  gate: z.string().optional(),
+  // Legacy fingerprint definition (for backward compatibility)
   description: z.string().optional(),
-  packages: z.array(z.string().min(1, "Package path cannot be empty")).min(1, "At least one package pattern is required"),
+  packages: z.array(z.string().min(1, "Package path cannot be empty")).optional(),
   files: z.array(z.string().min(1, "File path cannot be empty")).optional(),
   ignore: z.array(z.string().min(1, "Ignore pattern cannot be empty")).optional(),
+  // CLI-specific fields
   command: z.string().optional(),
+  timeout: z.string().optional(),
+  interactive: z.boolean().optional(),
+  // Relationship fields
   invalidates: z.array(z.string().min(1, "Invalidated suite name cannot be empty")).optional(),
   depends_on: z.array(z.string().min(1, "Dependency suite name cannot be empty")).optional()
-}).strict();
+}).strict().refine(
+  (suite) => {
+    return suite.gate !== void 0 || suite.packages !== void 0 && suite.packages.length > 0;
+  },
+  {
+    message: "Suite must either reference a gate or define packages for fingerprinting"
+  }
+);
 var configSchema = z.object({
   version: z.literal(1),
   settings: settingsSchema.default({}),
+  team: z.record(z.string(), teamMemberSchema).optional(),
+  gates: z.record(z.string(), gateSchema).optional(),
   suites: z.record(z.string(), suiteSchema).refine((suites) => Object.keys(suites).length >= 1, {
     message: "At least one suite must be defined"
   }),
@@ -146,32 +208,52 @@ function resolveConfigPaths(config, repoRoot) {
   };
 }
 function toAttestItConfig(config) {
-  return {
+  const result = {
     version: config.version,
     settings: {
       maxAgeDays: config.settings.maxAgeDays,
       publicKeyPath: config.settings.publicKeyPath,
-      attestationsPath: config.settings.attestationsPath,
-      ...config.settings.defaultCommand !== void 0 && {
-        defaultCommand: config.settings.defaultCommand
-      }
+      attestationsPath: config.settings.attestationsPath
     },
-    suites: Object.fromEntries(
-      Object.entries(config.suites).map(([name, suite]) => [
-        name,
-        {
-          packages: suite.packages,
-          ...suite.description !== void 0 && { description: suite.description },
-          ...suite.files !== void 0 && { files: suite.files },
-          ...suite.ignore !== void 0 && { ignore: suite.ignore },
-          ...suite.command !== void 0 && { command: suite.command },
-          ...suite.invalidates !== void 0 && { invalidates: suite.invalidates },
-          ...suite.depends_on !== void 0 && { depends_on: suite.depends_on }
-        }
-      ])
-    ),
-    ...config.groups !== void 0 && { groups: config.groups }
+    suites: {}
   };
+  if (config.settings.defaultCommand !== void 0) {
+    result.settings.defaultCommand = config.settings.defaultCommand;
+  }
+  if (config.settings.keyProvider !== void 0) {
+    result.settings.keyProvider = {
+      type: config.settings.keyProvider.type,
+      ...config.settings.keyProvider.options !== void 0 && {
+        options: config.settings.keyProvider.options
+      }
+    };
+  }
+  if (config.team !== void 0) {
+    result.team = config.team;
+  }
+  if (config.gates !== void 0) {
+    result.gates = config.gates;
+  }
+  if (config.groups !== void 0) {
+    result.groups = config.groups;
+  }
+  result.suites = Object.fromEntries(
+    Object.entries(config.suites).map(([name, suite]) => {
+      const mappedSuite = {};
+      if (suite.gate !== void 0) mappedSuite.gate = suite.gate;
+      if (suite.packages !== void 0) mappedSuite.packages = suite.packages;
+      if (suite.description !== void 0) mappedSuite.description = suite.description;
+      if (suite.files !== void 0) mappedSuite.files = suite.files;
+      if (suite.ignore !== void 0) mappedSuite.ignore = suite.ignore;
+      if (suite.command !== void 0) mappedSuite.command = suite.command;
+      if (suite.timeout !== void 0) mappedSuite.timeout = suite.timeout;
+      if (suite.interactive !== void 0) mappedSuite.interactive = suite.interactive;
+      if (suite.invalidates !== void 0) mappedSuite.invalidates = suite.invalidates;
+      if (suite.depends_on !== void 0) mappedSuite.depends_on = suite.depends_on;
+      return [name, mappedSuite];
+    })
+  );
+  return result;
 }
 var LARGE_FILE_THRESHOLD = 50 * 1024 * 1024;
 function sortFiles(files) {
@@ -182,7 +264,7 @@ function sortFiles(files) {
   });
 }
 function normalizePath(filePath) {
-  return filePath.split(path.sep).join("/");
+  return filePath.split(path6.sep).join("/");
 }
 function computeFinalFingerprint(fileHashes) {
   const sorted = [...fileHashes].sort((a, b) => {
@@ -192,15 +274,15 @@ function computeFinalFingerprint(fileHashes) {
   });
   const hashes = sorted.map((input) => input.hash);
   const concatenated = Buffer.concat(hashes);
-  const finalHash = crypto.createHash("sha256").update(concatenated).digest();
+  const finalHash = crypto2.createHash("sha256").update(concatenated).digest();
   return `sha256:${finalHash.toString("hex")}`;
 }
 async function hashFileAsync(realPath, normalizedPath, stats) {
   if (stats.size > LARGE_FILE_THRESHOLD) {
     return new Promise((resolve3, reject) => {
-      const hash2 = crypto.createHash("sha256");
+      const hash2 = crypto2.createHash("sha256");
       hash2.update(normalizedPath);
-      hash2.update("\0");
+      hash2.update(":");
       const stream = fs.createReadStream(realPath);
       stream.on("data", (chunk) => {
         hash2.update(chunk);
@@ -212,17 +294,17 @@ async function hashFileAsync(realPath, normalizedPath, stats) {
     });
   }
   const content = await fs.promises.readFile(realPath);
-  const hash = crypto.createHash("sha256");
+  const hash = crypto2.createHash("sha256");
   hash.update(normalizedPath);
-  hash.update("\0");
+  hash.update(":");
   hash.update(content);
   return hash.digest();
 }
 function hashFileSync(realPath, normalizedPath) {
   const content = fs.readFileSync(realPath);
-  const hash = crypto.createHash("sha256");
+  const hash = crypto2.createHash("sha256");
   hash.update(normalizedPath);
-  hash.update("\0");
+  hash.update(":");
   hash.update(content);
   return hash.digest();
 }
@@ -232,7 +314,7 @@ function validateOptions(options) {
   }
   const baseDir = options.baseDir ?? process.cwd();
   for (const pkg of options.packages) {
-    const pkgPath = path.resolve(baseDir, pkg);
+    const pkgPath = path6.resolve(baseDir, pkg);
     if (!fs.existsSync(pkgPath)) {
       throw new Error(`Package path does not exist: ${pkgPath}`);
     }
@@ -246,7 +328,7 @@ async function computeFingerprint(options) {
   const fileHashCache = /* @__PURE__ */ new Map();
   const fileHashInputs = [];
   for (const file of sortedFiles) {
-    const filePath = path.resolve(baseDir, file);
+    const filePath = path6.resolve(baseDir, file);
     let realPath = filePath;
     let stats = await fs.promises.lstat(filePath);
     if (stats.isSymbolicLink()) {
@@ -289,7 +371,7 @@ function computeFingerprintSync(options) {
   const fileHashCache = /* @__PURE__ */ new Map();
   const fileHashInputs = [];
   for (const file of sortedFiles) {
-    const filePath = path.resolve(baseDir, file);
+    const filePath = path6.resolve(baseDir, file);
     let realPath = filePath;
     let stats = fs.lstatSync(filePath);
     if (stats.isSymbolicLink()) {
@@ -416,7 +498,7 @@ async function writeAttestations(filePath, attestations, signature) {
     signature
   };
   attestationsFileSchema.parse(fileContent);
-  const dir = path.dirname(filePath);
+  const dir = path6.dirname(filePath);
   await fs.promises.mkdir(dir, { recursive: true });
   const json = JSON.stringify(fileContent, null, 2);
   await fs.promises.writeFile(filePath, json, "utf-8");
@@ -428,7 +510,7 @@ function writeAttestationsSync(filePath, attestations, signature) {
     signature
   };
   attestationsFileSchema.parse(fileContent);
-  const dir = path.dirname(filePath);
+  const dir = path6.dirname(filePath);
   fs.mkdirSync(dir, { recursive: true });
   const json = JSON.stringify(fileContent, null, 2);
   fs.writeFileSync(filePath, json, "utf-8");
@@ -462,7 +544,7 @@ function createAttestation(params) {
     suite: params.suite,
     fingerprint: params.fingerprint,
     attestedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    attestedBy: params.attestedBy ?? os.userInfo().username,
+    attestedBy: params.attestedBy ?? os2.userInfo().username,
     command: params.command,
     exitCode: 0
   };
@@ -470,22 +552,37 @@ function createAttestation(params) {
   return attestation;
 }
 async function writeSignedAttestations(options) {
-  const { sign: sign2 } = await import('./crypto-VAXWUGKL.js');
+  const { sign: sign4 } = await import('./crypto-CE2YISRD.js');
+  const { privateKeyPath, keyProvider, keyRef } = options;
+  if (!privateKeyPath && (!keyProvider || !keyRef)) {
+    throw new Error(
+      "Either privateKeyPath or both keyProvider and keyRef must be provided for signing"
+    );
+  }
   const canonical = canonicalizeAttestations(options.attestations);
-  const signature = await sign2({
-    privateKeyPath: options.privateKeyPath,
+  const signOptions = {
     data: canonical
-  });
+  };
+  if (privateKeyPath !== void 0) {
+    signOptions.privateKeyPath = privateKeyPath;
+  }
+  if (keyProvider !== void 0) {
+    signOptions.keyProvider = keyProvider;
+  }
+  if (keyRef !== void 0) {
+    signOptions.keyRef = keyRef;
+  }
+  const signature = await sign4(signOptions);
   await writeAttestations(options.filePath, options.attestations, signature);
 }
 async function readAndVerifyAttestations(options) {
-  const { verify: verify2 } = await import('./crypto-VAXWUGKL.js');
+  const { verify: verify4 } = await import('./crypto-CE2YISRD.js');
   const file = await readAttestations(options.filePath);
   if (!file) {
     throw new Error(`Attestations file not found: ${options.filePath}`);
   }
   const canonical = canonicalizeAttestations(file.attestations);
-  const isValid = await verify2({
+  const isValid = await verify4({
     publicKeyPath: options.publicKeyPath,
     data: canonical,
     signature: file.signature
@@ -505,6 +602,123 @@ var SignatureInvalidError = class extends Error {
     this.name = "SignatureInvalidError";
   }
 };
+function isBuffer(value) {
+  return Buffer.isBuffer(value);
+}
+function generateKeyPair2() {
+  try {
+    const keyPair = crypto2.generateKeyPairSync("ed25519", {
+      publicKeyEncoding: {
+        type: "spki",
+        format: "pem"
+      },
+      privateKeyEncoding: {
+        type: "pkcs8",
+        format: "pem"
+      }
+    });
+    const { publicKey, privateKey } = keyPair;
+    if (typeof publicKey !== "string" || typeof privateKey !== "string") {
+      throw new Error("Expected keypair to have string keys");
+    }
+    const publicKeyObj = crypto2.createPublicKey(publicKey);
+    const publicKeyExport = publicKeyObj.export({
+      type: "spki",
+      format: "der"
+    });
+    if (!isBuffer(publicKeyExport)) {
+      throw new Error("Expected public key export to be a Buffer");
+    }
+    const rawPublicKey = publicKeyExport.subarray(12);
+    const publicKeyBase64 = rawPublicKey.toString("base64");
+    return {
+      publicKey: publicKeyBase64,
+      privateKey
+    };
+  } catch (err) {
+    throw new Error(
+      `Failed to generate Ed25519 keypair: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function sign3(data, privateKeyPem) {
+  try {
+    const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
+    const privateKeyObj = crypto2.createPrivateKey(privateKeyPem);
+    const signatureResult = crypto2.sign(null, dataBuffer, privateKeyObj);
+    if (!isBuffer(signatureResult)) {
+      throw new Error("Expected signature to be a Buffer");
+    }
+    return signatureResult.toString("base64");
+  } catch (err) {
+    throw new Error(
+      `Failed to sign data with Ed25519: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function verify3(data, signature, publicKeyBase64) {
+  try {
+    const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
+    const signatureBuffer = Buffer.from(signature, "base64");
+    const rawPublicKey = Buffer.from(publicKeyBase64, "base64");
+    if (rawPublicKey.length !== 32) {
+      throw new Error(
+        `Invalid Ed25519 public key length: expected 32 bytes, got ${rawPublicKey.length.toString()}`
+      );
+    }
+    const spkiHeader = Buffer.from([
+      48,
+      42,
+      // SEQUENCE, 42 bytes
+      48,
+      5,
+      // SEQUENCE, 5 bytes
+      6,
+      3,
+      43,
+      101,
+      112,
+      // OID 1.3.101.112 (Ed25519)
+      3,
+      33,
+      0
+      // BIT STRING, 33 bytes (32 key + 1 padding)
+    ]);
+    const spkiBuffer = Buffer.concat([spkiHeader, rawPublicKey]);
+    const publicKeyObj = crypto2.createPublicKey({
+      key: spkiBuffer,
+      format: "der",
+      type: "spki"
+    });
+    return crypto2.verify(null, dataBuffer, publicKeyObj, signatureBuffer);
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("verification failed")) {
+      return false;
+    }
+    throw new Error(
+      `Failed to verify Ed25519 signature: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function getPublicKeyFromPrivate(privateKeyPem) {
+  try {
+    const privateKeyObj = crypto2.createPrivateKey(privateKeyPem);
+    const publicKeyObj = crypto2.createPublicKey(privateKeyObj);
+    const publicKeyExport = publicKeyObj.export({
+      type: "spki",
+      format: "der"
+    });
+    if (!isBuffer(publicKeyExport)) {
+      throw new Error("Expected public key export to be a Buffer");
+    }
+    const rawPublicKey = publicKeyExport.subarray(12);
+    return rawPublicKey.toString("base64");
+  } catch (err) {
+    throw new Error(
+      `Failed to extract public key from Ed25519 private key: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
 async function verifyAttestations(options) {
   const { config, repoRoot = process.cwd() } = options;
   const errors = [];
@@ -555,6 +769,14 @@ async function verifyAttestations(options) {
 }
 async function verifySuite(options) {
   const { suiteName, suiteConfig, attestations, maxAgeDays, repoRoot } = options;
+  if (!suiteConfig.packages || suiteConfig.packages.length === 0) {
+    return {
+      suite: suiteName,
+      status: "NEEDS_ATTESTATION",
+      fingerprint: "",
+      message: "Suite configuration missing packages field"
+    };
+  }
   const fingerprintOptions = {
     packages: suiteConfig.packages.map((p) => resolvePath(p, repoRoot)),
     baseDir: repoRoot,
@@ -618,15 +840,1064 @@ function checkInvalidationChains(config, results) {
   }
 }
 function resolvePath(relativePath, baseDir) {
-  if (path.isAbsolute(relativePath)) {
+  if (path6.isAbsolute(relativePath)) {
     return relativePath;
   }
-  return path.join(baseDir, relativePath);
+  return path6.join(baseDir, relativePath);
+}
+var FilesystemKeyProvider = class {
+  type = "filesystem";
+  displayName = "Filesystem";
+  privateKeyPath;
+  /**
+   * Create a new FilesystemKeyProvider.
+   * @param options - Provider options
+   */
+  constructor(options = {}) {
+    this.privateKeyPath = options.privateKeyPath ?? getDefaultPrivateKeyPath();
+  }
+  /**
+   * Check if this provider is available.
+   * Filesystem provider is always available.
+   */
+  async isAvailable() {
+    return Promise.resolve(true);
+  }
+  /**
+   * Check if a key exists at the given path.
+   * @param keyRef - Path to the private key file
+   */
+  async keyExists(keyRef) {
+    try {
+      await fs6.access(keyRef);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get the private key path for signing.
+   * Returns the path directly with a no-op cleanup function.
+   * @param keyRef - Path to the private key file
+   */
+  async getPrivateKey(keyRef) {
+    if (!await this.keyExists(keyRef)) {
+      throw new Error(`Private key not found: ${keyRef}`);
+    }
+    return {
+      keyPath: keyRef,
+      // No-op cleanup for filesystem provider
+      cleanup: async () => {
+      }
+    };
+  }
+  /**
+   * Generate a new keypair and store on filesystem.
+   * @param options - Key generation options
+   */
+  async generateKeyPair(options) {
+    const { publicKeyPath, force = false } = options;
+    const result = await generateKeyPair({
+      privatePath: this.privateKeyPath,
+      publicPath: publicKeyPath,
+      force
+    });
+    return {
+      privateKeyRef: result.privatePath,
+      publicKeyPath: result.publicPath,
+      storageDescription: `Filesystem: ${result.privatePath}`
+    };
+  }
+  /**
+   * Get the configuration for this provider.
+   */
+  getConfig() {
+    return {
+      type: this.type,
+      options: {
+        privateKeyPath: this.privateKeyPath
+      }
+    };
+  }
+};
+var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
+  type = "1password";
+  displayName = "1Password";
+  account;
+  vault;
+  itemName;
+  /**
+   * Create a new OnePasswordKeyProvider.
+   * @param options - Provider options
+   */
+  constructor(options) {
+    if (options.account !== void 0) {
+      this.account = options.account;
+    }
+    this.vault = options.vault;
+    this.itemName = options.itemName;
+  }
+  /**
+   * Check if the 1Password CLI is installed.
+   * @returns True if `op` command is available
+   */
+  static async isInstalled() {
+    try {
+      await execCommand("op", ["--version"]);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * List all 1Password accounts.
+   * @returns Array of account information
+   */
+  static async listAccounts() {
+    try {
+      const output = await execCommand("op", ["account", "list", "--format=json"]);
+      const parsed = JSON.parse(output);
+      if (!Array.isArray(parsed)) {
+        return [];
+      }
+      return parsed;
+    } catch (error) {
+      if (process.env.NODE_ENV !== "production") {
+        console.error("Failed to list 1Password accounts:", error);
+      }
+      return [];
+    }
+  }
+  /**
+   * List vaults in a specific account.
+   * @param account - Account email (optional if only one account)
+   * @returns Array of vault information
+   */
+  static async listVaults(account) {
+    try {
+      const args = ["vault", "list", "--format=json"];
+      if (account) {
+        args.push("--account", account);
+      }
+      const output = await execCommand("op", args);
+      const parsed = JSON.parse(output);
+      if (!Array.isArray(parsed)) {
+        return [];
+      }
+      return parsed;
+    } catch (error) {
+      if (process.env.NODE_ENV !== "production") {
+        console.error("Failed to list 1Password vaults:", error);
+      }
+      return [];
+    }
+  }
+  /**
+   * Check if this provider is available.
+   * Requires `op` CLI to be installed and authenticated.
+   */
+  async isAvailable() {
+    return _OnePasswordKeyProvider.isInstalled();
+  }
+  /**
+   * Check if a key exists in 1Password.
+   * @param keyRef - Item name in 1Password
+   */
+  async keyExists(keyRef) {
+    try {
+      const args = ["item", "get", keyRef, "--vault", this.vault, "--format=json"];
+      if (this.account) {
+        args.push("--account", this.account);
+      }
+      await execCommand("op", args);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get the private key from 1Password for signing.
+   * Downloads to a temporary file and returns a cleanup function.
+   * @param keyRef - Item name in 1Password
+   * @throws Error if the key does not exist in 1Password
+   */
+  async getPrivateKey(keyRef) {
+    if (!await this.keyExists(keyRef)) {
+      throw new Error(
+        `Key not found in 1Password: "${keyRef}" (vault: ${this.vault})` + (this.account ? ` (account: ${this.account})` : "")
+      );
+    }
+    const tempDir = await fs6.mkdtemp(path6.join(os2.tmpdir(), "attest-it-"));
+    const tempKeyPath = path6.join(tempDir, "private.pem");
+    try {
+      const args = ["document", "get", keyRef, "--vault", this.vault, "--out-file", tempKeyPath];
+      if (this.account) {
+        args.push("--account", this.account);
+      }
+      await execCommand("op", args);
+      await setKeyPermissions(tempKeyPath);
+      return {
+        keyPath: tempKeyPath,
+        cleanup: async () => {
+          try {
+            await fs6.unlink(tempKeyPath);
+            await fs6.rmdir(tempDir);
+          } catch (cleanupError) {
+            console.warn(
+              `Warning: Failed to clean up temporary key file at ${tempKeyPath}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+            );
+          }
+        }
+      };
+    } catch (error) {
+      try {
+        await fs6.rm(tempDir, { recursive: true, force: true });
+      } catch (cleanupError) {
+        console.warn(
+          `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Generate a new keypair and store private key in 1Password.
+   * Public key is written to filesystem for repository commit.
+   * @param options - Key generation options
+   */
+  async generateKeyPair(options) {
+    const { publicKeyPath, force = false } = options;
+    const tempDir = await fs6.mkdtemp(path6.join(os2.tmpdir(), "attest-it-keygen-"));
+    const tempPrivateKeyPath = path6.join(tempDir, "private.pem");
+    try {
+      await generateKeyPair({
+        privatePath: tempPrivateKeyPath,
+        publicPath: publicKeyPath,
+        force
+      });
+      const args = [
+        "document",
+        "create",
+        tempPrivateKeyPath,
+        "--title",
+        this.itemName,
+        "--vault",
+        this.vault
+      ];
+      if (this.account) {
+        args.push("--account", this.account);
+      }
+      await execCommand("op", args);
+      await fs6.unlink(tempPrivateKeyPath);
+      await fs6.rmdir(tempDir);
+      return {
+        privateKeyRef: this.itemName,
+        publicKeyPath,
+        storageDescription: `1Password: ${this.vault}/${this.itemName}`
+      };
+    } catch (error) {
+      try {
+        await fs6.rm(tempDir, { recursive: true, force: true });
+      } catch (cleanupError) {
+        console.warn(
+          `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Get the configuration for this provider.
+   */
+  getConfig() {
+    return {
+      type: this.type,
+      options: {
+        ...this.account && { account: this.account },
+        vault: this.vault,
+        itemName: this.itemName
+      }
+    };
+  }
+};
+async function execCommand(command, args) {
+  return new Promise((resolve3, reject) => {
+    const proc = spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (data) => {
+      stdout += data.toString();
+    });
+    proc.stderr.on("data", (data) => {
+      stderr += data.toString();
+    });
+    proc.on("close", (code) => {
+      if (code === 0) {
+        resolve3(stdout.trim());
+      } else {
+        reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
+      }
+    });
+    proc.on("error", (error) => {
+      reject(error);
+    });
+  });
+}
+var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
+  type = "macos-keychain";
+  displayName = "macOS Keychain";
+  itemName;
+  keychain;
+  static ACCOUNT = "attest-it";
+  /**
+   * Create a new MacOSKeychainKeyProvider.
+   * @param options - Provider options
+   */
+  constructor(options) {
+    this.itemName = options.itemName;
+    if (options.keychain !== void 0) {
+      this.keychain = options.keychain;
+    }
+  }
+  /**
+   * Check if this provider is available.
+   * Only available on macOS platforms.
+   */
+  static isAvailable() {
+    return process.platform === "darwin";
+  }
+  /**
+   * List available keychains on the system.
+   * @returns Array of keychain information
+   */
+  static async listKeychains() {
+    if (!_MacOSKeychainKeyProvider.isAvailable()) {
+      return [];
+    }
+    try {
+      const output = await execCommand2("security", ["list-keychains"]);
+      const keychains = [];
+      const lines = output.split("\n");
+      for (const line of lines) {
+        const match = /"(.+)"/.exec(line.trim());
+        if (match?.[1]) {
+          const fullPath = match[1];
+          const filename = fullPath.split("/").pop() ?? fullPath;
+          const name = filename.replace(/\.keychain(-db)?$/, "");
+          keychains.push({ path: fullPath, name });
+        }
+      }
+      return keychains;
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Check if this provider is available on the current system.
+   */
+  isAvailable() {
+    return Promise.resolve(_MacOSKeychainKeyProvider.isAvailable());
+  }
+  /**
+   * Check if a key exists in the keychain.
+   * @param keyRef - Item name in keychain
+   */
+  async keyExists(keyRef) {
+    try {
+      const args = ["find-generic-password", "-a", _MacOSKeychainKeyProvider.ACCOUNT, "-s", keyRef];
+      if (this.keychain) {
+        args.push(this.keychain);
+      }
+      await execCommand2("security", args);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get the private key from keychain for signing.
+   * Downloads to a temporary file and returns a cleanup function.
+   * @param keyRef - Item name in keychain
+   * @throws Error if the key does not exist in keychain
+   */
+  async getPrivateKey(keyRef) {
+    if (!await this.keyExists(keyRef)) {
+      throw new Error(
+        `Key not found in macOS Keychain: "${keyRef}" (account: ${_MacOSKeychainKeyProvider.ACCOUNT})`
+      );
+    }
+    const tempDir = await fs6.mkdtemp(path6.join(os2.tmpdir(), "attest-it-"));
+    const tempKeyPath = path6.join(tempDir, "private.pem");
+    try {
+      const findArgs = [
+        "find-generic-password",
+        "-a",
+        _MacOSKeychainKeyProvider.ACCOUNT,
+        "-s",
+        keyRef,
+        "-w"
+      ];
+      if (this.keychain) {
+        findArgs.push(this.keychain);
+      }
+      const base64Key = await execCommand2("security", findArgs);
+      const keyContent = Buffer.from(base64Key, "base64").toString("utf8");
+      await fs6.writeFile(tempKeyPath, keyContent, { mode: 384 });
+      await setKeyPermissions(tempKeyPath);
+      return {
+        keyPath: tempKeyPath,
+        cleanup: async () => {
+          try {
+            await fs6.unlink(tempKeyPath);
+            await fs6.rmdir(tempDir);
+          } catch (cleanupError) {
+            console.warn(
+              `Warning: Failed to clean up temporary key file at ${tempKeyPath}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+            );
+          }
+        }
+      };
+    } catch (error) {
+      try {
+        await fs6.rm(tempDir, { recursive: true, force: true });
+      } catch (cleanupError) {
+        console.warn(
+          `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Generate a new keypair and store private key in keychain.
+   * Public key is written to filesystem for repository commit.
+   * @param options - Key generation options
+   */
+  async generateKeyPair(options) {
+    const { publicKeyPath, force = false } = options;
+    const tempDir = await fs6.mkdtemp(path6.join(os2.tmpdir(), "attest-it-keygen-"));
+    const tempPrivateKeyPath = path6.join(tempDir, "private.pem");
+    try {
+      await generateKeyPair({
+        privatePath: tempPrivateKeyPath,
+        publicPath: publicKeyPath,
+        force
+      });
+      const privateKeyContent = await fs6.readFile(tempPrivateKeyPath, "utf8");
+      const base64Key = Buffer.from(privateKeyContent, "utf8").toString("base64");
+      const addArgs = [
+        "add-generic-password",
+        "-a",
+        _MacOSKeychainKeyProvider.ACCOUNT,
+        "-s",
+        this.itemName,
+        "-w",
+        base64Key,
+        "-T",
+        "",
+        "-U"
+      ];
+      if (this.keychain) {
+        addArgs.push(this.keychain);
+      }
+      await execCommand2("security", addArgs);
+      await fs6.unlink(tempPrivateKeyPath);
+      await fs6.rmdir(tempDir);
+      return {
+        privateKeyRef: this.itemName,
+        publicKeyPath,
+        storageDescription: `macOS Keychain: ${this.itemName}`
+      };
+    } catch (error) {
+      try {
+        await fs6.rm(tempDir, { recursive: true, force: true });
+      } catch (cleanupError) {
+        console.warn(
+          `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
+        );
+      }
+      throw error;
+    }
+  }
+  /**
+   * Get the configuration for this provider.
+   */
+  getConfig() {
+    return {
+      type: this.type,
+      options: {
+        itemName: this.itemName
+      }
+    };
+  }
+};
+async function execCommand2(command, args) {
+  return new Promise((resolve3, reject) => {
+    const proc = spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (data) => {
+      stdout += data.toString();
+    });
+    proc.stderr.on("data", (data) => {
+      stderr += data.toString();
+    });
+    proc.on("close", (code) => {
+      if (code === 0) {
+        resolve3(stdout.trim());
+      } else {
+        reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
+      }
+    });
+    proc.on("error", (error) => {
+      reject(error);
+    });
+  });
+}
+// src/key-provider/registry.ts
+var KeyProviderRegistry = class {
+  static providers = /* @__PURE__ */ new Map();
+  /**
+   * Register a key provider factory.
+   * @param type - Provider type identifier
+   * @param factory - Factory function to create provider instances
+   */
+  static register(type, factory) {
+    this.providers.set(type, factory);
+  }
+  /**
+   * Create a key provider from configuration.
+   * @param config - Provider configuration
+   * @returns A key provider instance
+   * @throws Error if the provider type is not registered
+   */
+  static create(config) {
+    const factory = this.providers.get(config.type);
+    if (!factory) {
+      throw new Error(
+        `Unknown key provider type: ${config.type}. Available types: ${Array.from(this.providers.keys()).join(", ")}`
+      );
+    }
+    return factory(config);
+  }
+  /**
+   * Get all registered provider types.
+   * @returns Array of provider type identifiers
+   */
+  static getProviderTypes() {
+    return Array.from(this.providers.keys());
+  }
+};
+KeyProviderRegistry.register("filesystem", (config) => {
+  const privateKeyPath = typeof config.options.privateKeyPath === "string" ? config.options.privateKeyPath : void 0;
+  if (privateKeyPath !== void 0) {
+    return new FilesystemKeyProvider({ privateKeyPath });
+  }
+  return new FilesystemKeyProvider();
+});
+KeyProviderRegistry.register("1password", (config) => {
+  const { options } = config;
+  const account = typeof options.account === "string" ? options.account : void 0;
+  const vault = typeof options.vault === "string" ? options.vault : "";
+  const itemName = typeof options.itemName === "string" ? options.itemName : "";
+  if (!vault || !itemName) {
+    throw new Error("1Password provider requires vault and itemName options");
+  }
+  if (account !== void 0) {
+    return new OnePasswordKeyProvider({ account, vault, itemName });
+  }
+  return new OnePasswordKeyProvider({ vault, itemName });
+});
+KeyProviderRegistry.register("macos-keychain", (config) => {
+  const { options } = config;
+  const itemName = typeof options.itemName === "string" ? options.itemName : "";
+  if (!itemName) {
+    throw new Error("macOS Keychain provider requires itemName option");
+  }
+  return new MacOSKeychainKeyProvider({ itemName });
+});
+var homeDirOverride = null;
+function setAttestItHomeDir(dir) {
+  homeDirOverride = dir;
+}
+function getAttestItHomeDir() {
+  return homeDirOverride;
+}
+var privateKeyRefSchema = z.discriminatedUnion("type", [
+  z.object({
+    type: z.literal("file"),
+    path: z.string().min(1, "File path cannot be empty")
+  }),
+  z.object({
+    type: z.literal("keychain"),
+    service: z.string().min(1, "Service name cannot be empty"),
+    account: z.string().min(1, "Account name cannot be empty"),
+    keychain: z.string().optional()
+  }),
+  z.object({
+    type: z.literal("1password"),
+    account: z.string().optional(),
+    vault: z.string().min(1, "Vault name cannot be empty"),
+    item: z.string().min(1, "Item name cannot be empty"),
+    field: z.string().optional()
+  })
+]);
+var identitySchema = z.object({
+  name: z.string().min(1, "Identity name cannot be empty"),
+  email: z.string().optional(),
+  github: z.string().optional(),
+  publicKey: z.string().min(1, "Public key cannot be empty"),
+  privateKey: privateKeyRefSchema
+}).strict();
+var localConfigSchema = z.object({
+  activeIdentity: z.string().min(1, "Active identity name cannot be empty"),
+  identities: z.record(z.string(), identitySchema).refine((identities) => Object.keys(identities).length >= 1, {
+    message: "At least one identity must be defined"
+  })
+}).strict();
+var LocalConfigValidationError = class extends Error {
+  constructor(message, issues) {
+    super(message);
+    this.issues = issues;
+    this.name = "LocalConfigValidationError";
+  }
+};
+function getLocalConfigPath() {
+  if (homeDirOverride) {
+    return join(homeDirOverride, "config.yaml");
+  }
+  const home = homedir();
+  return join(home, ".config", "attest-it", "config.yaml");
+}
+function getAttestItConfigDir() {
+  if (homeDirOverride) {
+    return homeDirOverride;
+  }
+  return join(homedir(), ".config", "attest-it");
+}
+function parseLocalConfigContent(content) {
+  let rawConfig;
+  try {
+    rawConfig = parse(content);
+  } catch (error) {
+    throw new LocalConfigValidationError(
+      `Failed to parse YAML: ${error instanceof Error ? error.message : String(error)}`,
+      []
+    );
+  }
+  const result = localConfigSchema.safeParse(rawConfig);
+  if (!result.success) {
+    throw new LocalConfigValidationError(
+      "Local configuration validation failed:\n" + result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n"),
+      result.error.issues
+    );
+  }
+  const identities = Object.fromEntries(
+    Object.entries(result.data.identities).map(([key, identity]) => {
+      let privateKey;
+      if (identity.privateKey.type === "1password") {
+        privateKey = {
+          type: "1password",
+          vault: identity.privateKey.vault,
+          item: identity.privateKey.item,
+          ...identity.privateKey.account !== void 0 && {
+            account: identity.privateKey.account
+          },
+          ...identity.privateKey.field !== void 0 && { field: identity.privateKey.field }
+        };
+      } else if (identity.privateKey.type === "keychain") {
+        privateKey = {
+          type: "keychain",
+          service: identity.privateKey.service,
+          account: identity.privateKey.account,
+          ...identity.privateKey.keychain !== void 0 && {
+            keychain: identity.privateKey.keychain
+          }
+        };
+      } else {
+        privateKey = identity.privateKey;
+      }
+      return [
+        key,
+        {
+          name: identity.name,
+          publicKey: identity.publicKey,
+          privateKey,
+          ...identity.email !== void 0 && { email: identity.email },
+          ...identity.github !== void 0 && { github: identity.github }
+        }
+      ];
+    })
+  );
+  return {
+    activeIdentity: result.data.activeIdentity,
+    identities
+  };
+}
+async function loadLocalConfig(configPath) {
+  const resolvedPath = configPath ?? getLocalConfigPath();
+  try {
+    const content = await readFile(resolvedPath, "utf8");
+    return parseLocalConfigContent(content);
+  } catch (error) {
+    if (error instanceof LocalConfigValidationError) {
+      throw error;
+    }
+    if (error && typeof error === "object" && "code" in error && (error.code === "ENOENT" || error.code === "ENOTDIR")) {
+      return null;
+    }
+    throw error;
+  }
+}
+function loadLocalConfigSync(configPath) {
+  const resolvedPath = configPath ?? getLocalConfigPath();
+  try {
+    const content = readFileSync(resolvedPath, "utf8");
+    return parseLocalConfigContent(content);
+  } catch (error) {
+    if (error instanceof LocalConfigValidationError) {
+      throw error;
+    }
+    if (error && typeof error === "object" && "code" in error && (error.code === "ENOENT" || error.code === "ENOTDIR")) {
+      return null;
+    }
+    throw error;
+  }
+}
+async function saveLocalConfig(config, configPath) {
+  const resolvedPath = configPath ?? getLocalConfigPath();
+  const content = stringify(config);
+  const dir = dirname(resolvedPath);
+  await mkdir(dir, { recursive: true });
+  await writeFile(resolvedPath, content, "utf8");
+}
+function saveLocalConfigSync(config, configPath) {
+  const resolvedPath = configPath ?? getLocalConfigPath();
+  const content = stringify(config);
+  const dir = dirname(resolvedPath);
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(resolvedPath, content, "utf8");
+}
+function getActiveIdentity(config) {
+  return config.identities[config.activeIdentity];
+}
+function isAuthorizedSigner(config, gateId, publicKey) {
+  const gate = config.gates?.[gateId];
+  if (!gate) {
+    return false;
+  }
+  const teamMember = findTeamMemberByPublicKey(config, publicKey);
+  if (!teamMember) {
+    return false;
+  }
+  const teamMemberSlug = findTeamMemberSlug(config, teamMember);
+  if (!teamMemberSlug) {
+    return false;
+  }
+  return gate.authorizedSigners.includes(teamMemberSlug);
+}
+function getAuthorizedSignersForGate(config, gateId) {
+  const gate = config.gates?.[gateId];
+  if (!gate || !config.team) {
+    return [];
+  }
+  const authorizedMembers = [];
+  for (const signerSlug of gate.authorizedSigners) {
+    const member = config.team[signerSlug];
+    if (member) {
+      authorizedMembers.push(member);
+    }
+  }
+  return authorizedMembers;
+}
+function findTeamMemberByPublicKey(config, publicKey) {
+  if (!config.team) {
+    return void 0;
+  }
+  for (const member of Object.values(config.team)) {
+    if (member.publicKey === publicKey) {
+      return member;
+    }
+  }
+  return void 0;
+}
+function findTeamMemberSlug(config, teamMember) {
+  if (!config.team) {
+    return void 0;
+  }
+  for (const [slug, member] of Object.entries(config.team)) {
+    if (member === teamMember || member.publicKey === teamMember.publicKey) {
+      return slug;
+    }
+  }
+  return void 0;
+}
+function getGate(config, gateId) {
+  return config.gates?.[gateId];
+}
+var DURATION_PATTERN = /^\d+(\.\d+)?\s*(ms|s|m|h|d|w|y)$/i;
+function isValidDurationFormat(value) {
+  return DURATION_PATTERN.test(value.trim());
+}
+function parseDuration(duration) {
+  if (!isValidDurationFormat(duration)) {
+    throw new Error(`Invalid duration string: ${duration}`);
+  }
+  const result = ms(duration);
+  if (typeof result !== "number" || result <= 0) {
+    throw new Error(`Invalid duration string: ${duration}`);
+  }
+  return result;
+}
+var sealSchema = z.object({
+  gateId: z.string().min(1, "Gate ID cannot be empty"),
+  // Fingerprint format: sha256:<hex> where hex is at least 1 character
+  // Full fingerprints are 64 hex chars, but tests may use shorter values
+  fingerprint: z.string().regex(/^sha256:[a-f0-9]+$/i, "Invalid fingerprint format (expected sha256:<hex>)"),
+  timestamp: z.string().datetime({ message: "Invalid ISO 8601 timestamp" }),
+  sealedBy: z.string().min(1, "Signer slug cannot be empty"),
+  signature: z.string().min(1, "Signature cannot be empty")
+});
+var sealsFileSchema = z.object({
+  version: z.literal(1, { errorMap: () => ({ message: "Unsupported seals file version" }) }),
+  seals: z.record(z.string(), sealSchema)
+});
+function createSeal(options) {
+  const { gateId, fingerprint, sealedBy, privateKey } = options;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const canonicalString = `${gateId}:${fingerprint}:${timestamp}`;
+  const signature = sign3(canonicalString, privateKey);
+  return {
+    gateId,
+    fingerprint,
+    timestamp,
+    sealedBy,
+    signature
+  };
+}
+function verifySeal(seal, config) {
+  const { gateId, fingerprint, timestamp, sealedBy, signature } = seal;
+  if (!config.team) {
+    return {
+      valid: false,
+      error: `No team configuration found`
+    };
+  }
+  const teamMember = config.team[sealedBy];
+  if (!teamMember) {
+    return {
+      valid: false,
+      error: `Team member '${sealedBy}' not found in configuration`
+    };
+  }
+  const canonicalString = `${gateId}:${fingerprint}:${timestamp}`;
+  try {
+    const isValid = verify3(canonicalString, signature, teamMember.publicKey);
+    if (!isValid) {
+      return {
+        valid: false,
+        error: "Signature verification failed"
+      };
+    }
+    return { valid: true };
+  } catch (error) {
+    return {
+      valid: false,
+      error: `Signature verification error: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
+function parseSealsContent(content) {
+  let rawData;
+  try {
+    rawData = JSON.parse(content);
+  } catch (error) {
+    throw new Error(`Invalid JSON: ${error instanceof Error ? error.message : String(error)}`);
+  }
+  const result = sealsFileSchema.safeParse(rawData);
+  if (!result.success) {
+    const issues = result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n");
+    throw new Error(`Invalid seals file:
+${issues}`);
+  }
+  return result.data;
+}
+async function readSeals(dir) {
+  const sealsPath = path6.join(dir, ".attest-it", "seals.json");
+  try {
+    const content = await fs.promises.readFile(sealsPath, "utf8");
+    return parseSealsContent(content);
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return {
+        version: 1,
+        seals: {}
+      };
+    }
+    throw new Error(
+      `Failed to read seals file: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+function readSealsSync(dir) {
+  const sealsPath = path6.join(dir, ".attest-it", "seals.json");
+  try {
+    const content = fs.readFileSync(sealsPath, "utf8");
+    return parseSealsContent(content);
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code === "ENOENT") {
+      return {
+        version: 1,
+        seals: {}
+      };
+    }
+    throw new Error(
+      `Failed to read seals file: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+async function writeSeals(dir, sealsFile) {
+  const attestItDir = path6.join(dir, ".attest-it");
+  const sealsPath = path6.join(attestItDir, "seals.json");
+  try {
+    await fs.promises.mkdir(attestItDir, { recursive: true });
+    const content = JSON.stringify(sealsFile, null, 2) + "\n";
+    await fs.promises.writeFile(sealsPath, content, "utf8");
+  } catch (error) {
+    throw new Error(
+      `Failed to write seals file: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+function writeSealsSync(dir, sealsFile) {
+  const attestItDir = path6.join(dir, ".attest-it");
+  const sealsPath = path6.join(attestItDir, "seals.json");
+  try {
+    fs.mkdirSync(attestItDir, { recursive: true });
+    const content = JSON.stringify(sealsFile, null, 2) + "\n";
+    fs.writeFileSync(sealsPath, content, "utf8");
+  } catch (error) {
+    throw new Error(
+      `Failed to write seals file: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+// src/seal/verification.ts
+function verifyGateSeal(config, gateId, seals, currentFingerprint) {
+  const gate = getGate(config, gateId);
+  if (!gate) {
+    return {
+      gateId,
+      state: "MISSING",
+      message: `Gate '${gateId}' not found in configuration`
+    };
+  }
+  const seal = seals.seals[gateId];
+  if (!seal) {
+    return {
+      gateId,
+      state: "MISSING",
+      message: `No seal found for gate '${gateId}'`
+    };
+  }
+  if (seal.fingerprint !== currentFingerprint) {
+    return {
+      gateId,
+      state: "FINGERPRINT_MISMATCH",
+      seal,
+      message: `Fingerprint changed since seal was created`
+    };
+  }
+  if (!config.team) {
+    return {
+      gateId,
+      state: "UNKNOWN_SIGNER",
+      seal,
+      message: `No team configuration found`
+    };
+  }
+  const teamMember = config.team[seal.sealedBy];
+  if (!teamMember) {
+    return {
+      gateId,
+      state: "UNKNOWN_SIGNER",
+      seal,
+      message: `Signer '${seal.sealedBy}' not found in team`
+    };
+  }
+  const authorized = isAuthorizedSigner(config, gateId, teamMember.publicKey);
+  if (!authorized) {
+    return {
+      gateId,
+      state: "UNKNOWN_SIGNER",
+      seal,
+      message: `Signer '${seal.sealedBy}' is not authorized for gate '${gateId}'`
+    };
+  }
+  const verificationResult = verifySeal(seal, config);
+  if (!verificationResult.valid) {
+    return {
+      gateId,
+      state: "INVALID_SIGNATURE",
+      seal,
+      message: verificationResult.error ?? "Signature verification failed"
+    };
+  }
+  try {
+    const maxAgeMs = parseDuration(gate.maxAge);
+    const sealTimestamp = new Date(seal.timestamp).getTime();
+    const now = Date.now();
+    const ageMs = now - sealTimestamp;
+    if (ageMs > maxAgeMs) {
+      const ageDays = Math.floor(ageMs / (1e3 * 60 * 60 * 24));
+      const maxAgeDays = Math.floor(maxAgeMs / (1e3 * 60 * 60 * 24));
+      return {
+        gateId,
+        state: "STALE",
+        seal,
+        message: `Seal is ${ageDays.toString()} days old, exceeds maxAge of ${maxAgeDays.toString()} days`
+      };
+    }
+  } catch (error) {
+    return {
+      gateId,
+      state: "STALE",
+      seal,
+      message: `Cannot verify freshness: invalid maxAge format: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+  return {
+    gateId,
+    state: "VALID",
+    seal
+  };
+}
+function verifyAllSeals(config, seals, fingerprints) {
+  if (!config.gates) {
+    return [];
+  }
+  const results = [];
+  for (const gateId of Object.keys(config.gates)) {
+    const fingerprint = fingerprints[gateId];
+    if (!fingerprint) {
+      results.push({
+        gateId,
+        state: "MISSING",
+        message: `No fingerprint computed for gate '${gateId}'`
+      });
+      continue;
+    }
+    const result = verifyGateSeal(config, gateId, seals, fingerprint);
+    results.push(result);
+  }
+  return results;
 }
 // src/index.ts
 var version = "0.0.0";
-export { ConfigNotFoundError, ConfigValidationError, SignatureInvalidError, canonicalizeAttestations, computeFingerprint, computeFingerprintSync, createAttestation, findAttestation, findConfigPath, listPackageFiles, loadConfig, loadConfigSync, readAndVerifyAttestations, readAttestations, readAttestationsSync, removeAttestation, resolveConfigPaths, toAttestItConfig, upsertAttestation, verifyAttestations, version, writeAttestations, writeAttestationsSync, writeSignedAttestations };
+export { ConfigNotFoundError, ConfigValidationError, FilesystemKeyProvider, KeyProviderRegistry, LocalConfigValidationError, MacOSKeychainKeyProvider, OnePasswordKeyProvider, SignatureInvalidError, canonicalizeAttestations, computeFingerprint, computeFingerprintSync, createAttestation, createSeal, findAttestation, findConfigPath, findTeamMemberByPublicKey, generateKeyPair2 as generateEd25519KeyPair, getActiveIdentity, getAttestItConfigDir, getAttestItHomeDir, getAuthorizedSignersForGate, getGate, getLocalConfigPath, getPublicKeyFromPrivate, isAuthorizedSigner, listPackageFiles, loadConfig, loadConfigSync, loadLocalConfig, loadLocalConfigSync, parseDuration, readAndVerifyAttestations, readAttestations, readAttestationsSync, readSeals, readSealsSync, removeAttestation, resolveConfigPaths, saveLocalConfig, saveLocalConfigSync, setAttestItHomeDir, sign3 as signEd25519, toAttestItConfig, upsertAttestation, verifyAllSeals, verifyAttestations, verify3 as verifyEd25519, verifyGateSeal, verifySeal, version, writeAttestations, writeAttestationsSync, writeSeals, writeSealsSync, writeSignedAttestations };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map