@attest-it/core 0.5.0 → 0.6.0

package/dist/index.js

@@ -2,14 +2,14 @@ import { getDefaultPrivateKeyPath, generateKeyPair, setKeyPermissions } from './
 export { checkOpenSSL, generateKeyPair, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, setKeyPermissions, sign, verify } from './chunk-VC3BBBBO.js';
 import * as fs from 'fs';
 import { readFileSync, mkdirSync, writeFileSync } from 'fs';
-import * as fs6 from 'fs/promises';
+import * as fs7 from 'fs/promises';
 import { readFile, mkdir, writeFile } from 'fs/promises';
 import * as path6 from 'path';
 import { join, resolve, dirname } from 'path';
 import ms from 'ms';
-import { stringify, parse } from 'yaml';
+import { parse, stringify } from 'yaml';
 import { z } from 'zod';
-import * as crypto2 from 'crypto';
+import * as crypto3 from 'crypto';
 import { glob, globSync } from 'tinyglobby';
 import * as os2 from 'os';
 import { homedir } from 'os';
@@ -255,6 +255,299 @@ function toAttestItConfig(config) {
   );
   return result;
 }
+var teamMemberSchema2 = z.object({
+  name: z.string().min(1, "Team member name cannot be empty"),
+  email: z.string().email().optional(),
+  github: z.string().min(1).optional(),
+  publicKey: z.string().min(1, "Public key is required")
+}).strict();
+var fingerprintConfigSchema2 = z.object({
+  paths: z.array(z.string().min(1, "Path cannot be empty")).min(1, "At least one path is required"),
+  exclude: z.array(z.string().min(1, "Exclude pattern cannot be empty")).optional()
+}).strict();
+var durationSchema2 = z.string().refine(
+  (val) => {
+    try {
+      const parsed = ms(val);
+      return typeof parsed === "number" && parsed > 0;
+    } catch {
+      return false;
+    }
+  },
+  {
+    message: 'Duration must be a valid duration string (e.g., "30d", "7d", "24h")'
+  }
+);
+var gateSchema2 = z.object({
+  name: z.string().min(1, "Gate name cannot be empty"),
+  description: z.string().min(1, "Gate description cannot be empty"),
+  authorizedSigners: z.array(z.string().min(1, "Authorized signer slug cannot be empty")).min(1, "At least one authorized signer is required"),
+  fingerprint: fingerprintConfigSchema2,
+  maxAge: durationSchema2
+}).strict();
+var keyProviderOptionsSchema2 = z.object({
+  privateKeyPath: z.string().optional(),
+  account: z.string().optional(),
+  vault: z.string().optional(),
+  itemName: z.string().optional()
+}).passthrough();
+var keyProviderSchema2 = z.object({
+  type: z.enum(["filesystem", "1password"]).or(z.string()),
+  options: keyProviderOptionsSchema2.optional()
+}).strict();
+
+// src/config/policy-schema.ts
+var policySettingsSchema = z.object({
+  maxAgeDays: z.number().int().positive().default(30),
+  publicKeyPath: z.string().default(".attest-it/pubkey.pem"),
+  attestationsPath: z.string().default(".attest-it/attestations.json")
+}).strict();
+var policySchema = z.object({
+  version: z.literal(1),
+  settings: policySettingsSchema.default({}),
+  team: z.record(z.string(), teamMemberSchema2).optional(),
+  gates: z.record(z.string(), gateSchema2).optional()
+}).strict();
+var PolicyValidationError = class extends Error {
+  constructor(message, issues) {
+    super(message);
+    this.issues = issues;
+    this.name = "PolicyValidationError";
+  }
+};
+function parsePolicyContent(content, format) {
+  let rawConfig;
+  try {
+    if (format === "yaml") {
+      rawConfig = parse(content);
+    } else {
+      rawConfig = JSON.parse(content);
+    }
+  } catch (error) {
+    throw new PolicyValidationError(
+      `Failed to parse ${format.toUpperCase()}: ${error instanceof Error ? error.message : String(error)}`,
+      []
+    );
+  }
+  const result = policySchema.safeParse(rawConfig);
+  if (!result.success) {
+    throw new PolicyValidationError(
+      "Policy validation failed:\n" + result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n"),
+      result.error.issues
+    );
+  }
+  return result.data;
+}
+var operationalSettingsSchema = z.object({
+  defaultCommand: z.string().optional(),
+  keyProvider: keyProviderSchema2.optional()
+}).strict();
+var suiteSchema2 = z.object({
+  // Gate fields (if present, this suite references a gate)
+  gate: z.string().optional(),
+  // Legacy fingerprint definition (for backward compatibility)
+  description: z.string().optional(),
+  packages: z.array(z.string().min(1, "Package path cannot be empty")).optional(),
+  files: z.array(z.string().min(1, "File path cannot be empty")).optional(),
+  ignore: z.array(z.string().min(1, "Ignore pattern cannot be empty")).optional(),
+  // CLI-specific fields
+  command: z.string().optional(),
+  timeout: z.string().optional(),
+  interactive: z.boolean().optional(),
+  // Relationship fields
+  invalidates: z.array(z.string().min(1, "Invalidated suite name cannot be empty")).optional(),
+  depends_on: z.array(z.string().min(1, "Dependency suite name cannot be empty")).optional()
+}).strict().refine(
+  (suite) => {
+    return suite.gate !== void 0 || suite.packages !== void 0 && suite.packages.length > 0;
+  },
+  {
+    message: "Suite must either reference a gate or define packages for fingerprinting"
+  }
+);
+var operationalSchema = z.object({
+  version: z.literal(1),
+  settings: operationalSettingsSchema.default({}),
+  suites: z.record(z.string(), suiteSchema2).refine((suites) => Object.keys(suites).length >= 1, {
+    message: "At least one suite must be defined"
+  }),
+  groups: z.record(z.string(), z.array(z.string().min(1, "Suite name in group cannot be empty"))).optional()
+}).strict();
+var OperationalValidationError = class extends Error {
+  constructor(message, issues) {
+    super(message);
+    this.issues = issues;
+    this.name = "OperationalValidationError";
+  }
+};
+function parseOperationalContent(content, format) {
+  let rawConfig;
+  try {
+    if (format === "yaml") {
+      rawConfig = parse(content);
+    } else {
+      rawConfig = JSON.parse(content);
+    }
+  } catch (error) {
+    throw new OperationalValidationError(
+      `Failed to parse ${format.toUpperCase()}: ${error instanceof Error ? error.message : String(error)}`,
+      []
+    );
+  }
+  const result = operationalSchema.safeParse(rawConfig);
+  if (!result.success) {
+    throw new OperationalValidationError(
+      "Operational configuration validation failed:\n" + result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n"),
+      result.error.issues
+    );
+  }
+  return result.data;
+}
+
+// src/config/merge.ts
+function toSuiteConfig(suite) {
+  const result = {};
+  if (suite.gate !== void 0) result.gate = suite.gate;
+  if (suite.description !== void 0) result.description = suite.description;
+  if (suite.packages !== void 0) result.packages = suite.packages;
+  if (suite.files !== void 0) result.files = suite.files;
+  if (suite.ignore !== void 0) result.ignore = suite.ignore;
+  if (suite.command !== void 0) result.command = suite.command;
+  if (suite.timeout !== void 0) result.timeout = suite.timeout;
+  if (suite.interactive !== void 0) result.interactive = suite.interactive;
+  if (suite.invalidates !== void 0) result.invalidates = suite.invalidates;
+  if (suite.depends_on !== void 0) result.depends_on = suite.depends_on;
+  return result;
+}
+function toTeamMember(member) {
+  const result = {
+    name: member.name,
+    publicKey: member.publicKey
+  };
+  if (member.email !== void 0) result.email = member.email;
+  if (member.github !== void 0) result.github = member.github;
+  return result;
+}
+function toGateConfig(gate) {
+  const fingerprint = {
+    paths: gate.fingerprint.paths
+  };
+  if (gate.fingerprint.exclude !== void 0) {
+    fingerprint.exclude = gate.fingerprint.exclude;
+  }
+  return {
+    name: gate.name,
+    description: gate.description,
+    authorizedSigners: gate.authorizedSigners,
+    fingerprint,
+    maxAge: gate.maxAge
+  };
+}
+function toKeyProvider(provider) {
+  const result = {
+    type: provider.type
+  };
+  if (provider.options !== void 0) {
+    const options = {};
+    let hasOptions = false;
+    if (provider.options.privateKeyPath !== void 0) {
+      options.privateKeyPath = provider.options.privateKeyPath;
+      hasOptions = true;
+    }
+    if (provider.options.account !== void 0) {
+      options.account = provider.options.account;
+      hasOptions = true;
+    }
+    if (provider.options.vault !== void 0) {
+      options.vault = provider.options.vault;
+      hasOptions = true;
+    }
+    if (provider.options.itemName !== void 0) {
+      options.itemName = provider.options.itemName;
+      hasOptions = true;
+    }
+    if (hasOptions) {
+      result.options = options;
+    }
+  }
+  return result;
+}
+function mergeConfigs(policy, operational) {
+  const settings = {
+    // Security settings from policy (these are trust-critical)
+    maxAgeDays: policy.settings.maxAgeDays,
+    publicKeyPath: policy.settings.publicKeyPath,
+    attestationsPath: policy.settings.attestationsPath
+  };
+  if (operational.settings.defaultCommand !== void 0) {
+    settings.defaultCommand = operational.settings.defaultCommand;
+  }
+  if (operational.settings.keyProvider !== void 0) {
+    settings.keyProvider = toKeyProvider(operational.settings.keyProvider);
+  }
+  const suites = {};
+  for (const [name, suite] of Object.entries(operational.suites)) {
+    suites[name] = toSuiteConfig(suite);
+  }
+  const config = {
+    version: 1,
+    settings,
+    suites
+  };
+  if (policy.team !== void 0) {
+    const team = {};
+    for (const [slug, member] of Object.entries(policy.team)) {
+      team[slug] = toTeamMember(member);
+    }
+    config.team = team;
+  }
+  if (policy.gates !== void 0) {
+    const gates = {};
+    for (const [slug, gate] of Object.entries(policy.gates)) {
+      gates[slug] = toGateConfig(gate);
+    }
+    config.gates = gates;
+  }
+  if (operational.groups !== void 0) {
+    config.groups = operational.groups;
+  }
+  return config;
+}
+
+// src/config/validation.ts
+function validateSuiteGateReferences(policy, operational) {
+  const errors = [];
+  const gates = policy.gates ?? {};
+  const team = policy.team ?? {};
+  for (const [suiteName, suiteConfig] of Object.entries(operational.suites)) {
+    const gateName = suiteConfig.gate;
+    if (gateName === void 0) {
+      continue;
+    }
+    const gate = gates[gateName];
+    if (gate === void 0) {
+      errors.push({
+        type: "UNKNOWN_GATE",
+        suite: suiteName,
+        gate: gateName,
+        message: `Suite "${suiteName}" references unknown gate "${gateName}". The gate must be defined in policy.yaml.`
+      });
+      continue;
+    }
+    for (const signerSlug of gate.authorizedSigners) {
+      if (team[signerSlug] === void 0) {
+        errors.push({
+          type: "MISSING_TEAM_MEMBER",
+          suite: suiteName,
+          gate: gateName,
+          signer: signerSlug,
+          message: `Gate "${gateName}" (referenced by suite "${suiteName}") authorizes signer "${signerSlug}", but this team member is not defined in policy.yaml.`
+        });
+      }
+    }
+  }
+  return errors;
+}
 var LARGE_FILE_THRESHOLD = 50 * 1024 * 1024;
 function sortFiles(files) {
   return [...files].sort((a, b) => {
@@ -274,13 +567,13 @@ function computeFinalFingerprint(fileHashes) {
   });
   const hashes = sorted.map((input) => input.hash);
   const concatenated = Buffer.concat(hashes);
-  const finalHash = crypto2.createHash("sha256").update(concatenated).digest();
+  const finalHash = crypto3.createHash("sha256").update(concatenated).digest();
   return `sha256:${finalHash.toString("hex")}`;
 }
 async function hashFileAsync(realPath, normalizedPath, stats) {
   if (stats.size > LARGE_FILE_THRESHOLD) {
-    return new Promise((resolve3, reject) => {
-      const hash2 = crypto2.createHash("sha256");
+    return new Promise((resolve4, reject) => {
+      const hash2 = crypto3.createHash("sha256");
       hash2.update(normalizedPath);
       hash2.update(":");
       const stream = fs.createReadStream(realPath);
@@ -288,13 +581,13 @@ async function hashFileAsync(realPath, normalizedPath, stats) {
         hash2.update(chunk);
       });
       stream.on("end", () => {
-        resolve3(hash2.digest());
+        resolve4(hash2.digest());
       });
       stream.on("error", reject);
     });
   }
   const content = await fs.promises.readFile(realPath);
-  const hash = crypto2.createHash("sha256");
+  const hash = crypto3.createHash("sha256");
   hash.update(normalizedPath);
   hash.update(":");
   hash.update(content);
@@ -302,7 +595,7 @@ async function hashFileAsync(realPath, normalizedPath, stats) {
 }
 function hashFileSync(realPath, normalizedPath) {
   const content = fs.readFileSync(realPath);
-  const hash = crypto2.createHash("sha256");
+  const hash = crypto3.createHash("sha256");
   hash.update(normalizedPath);
   hash.update(":");
   hash.update(content);
@@ -607,7 +900,7 @@ function isBuffer(value) {
 }
 function generateKeyPair2() {
   try {
-    const keyPair = crypto2.generateKeyPairSync("ed25519", {
+    const keyPair = crypto3.generateKeyPairSync("ed25519", {
       publicKeyEncoding: {
         type: "spki",
         format: "pem"
@@ -621,7 +914,7 @@ function generateKeyPair2() {
     if (typeof publicKey !== "string" || typeof privateKey !== "string") {
       throw new Error("Expected keypair to have string keys");
     }
-    const publicKeyObj = crypto2.createPublicKey(publicKey);
+    const publicKeyObj = crypto3.createPublicKey(publicKey);
     const publicKeyExport = publicKeyObj.export({
       type: "spki",
       format: "der"
@@ -644,8 +937,8 @@ function generateKeyPair2() {
 function sign3(data, privateKeyPem) {
   try {
     const dataBuffer = typeof data === "string" ? Buffer.from(data, "utf8") : data;
-    const privateKeyObj = crypto2.createPrivateKey(privateKeyPem);
-    const signatureResult = crypto2.sign(null, dataBuffer, privateKeyObj);
+    const privateKeyObj = crypto3.createPrivateKey(privateKeyPem);
+    const signatureResult = crypto3.sign(null, dataBuffer, privateKeyObj);
     if (!isBuffer(signatureResult)) {
       throw new Error("Expected signature to be a Buffer");
     }
@@ -685,12 +978,12 @@ function verify3(data, signature, publicKeyBase64) {
       // BIT STRING, 33 bytes (32 key + 1 padding)
     ]);
     const spkiBuffer = Buffer.concat([spkiHeader, rawPublicKey]);
-    const publicKeyObj = crypto2.createPublicKey({
+    const publicKeyObj = crypto3.createPublicKey({
       key: spkiBuffer,
       format: "der",
       type: "spki"
     });
-    return crypto2.verify(null, dataBuffer, publicKeyObj, signatureBuffer);
+    return crypto3.verify(null, dataBuffer, publicKeyObj, signatureBuffer);
   } catch (err) {
     if (err instanceof Error && err.message.includes("verification failed")) {
       return false;
@@ -702,8 +995,8 @@ function verify3(data, signature, publicKeyBase64) {
 }
 function getPublicKeyFromPrivate(privateKeyPem) {
   try {
-    const privateKeyObj = crypto2.createPrivateKey(privateKeyPem);
-    const publicKeyObj = crypto2.createPublicKey(privateKeyObj);
+    const privateKeyObj = crypto3.createPrivateKey(privateKeyPem);
+    const publicKeyObj = crypto3.createPublicKey(privateKeyObj);
     const publicKeyExport = publicKeyObj.export({
       type: "spki",
       format: "der"
@@ -869,7 +1162,7 @@ var FilesystemKeyProvider = class {
    */
   async keyExists(keyRef) {
     try {
-      await fs6.access(keyRef);
+      await fs7.access(keyRef);
       return true;
     } catch {
       return false;
@@ -1027,7 +1320,7 @@ var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
         `Key not found in 1Password: "${keyRef}" (vault: ${this.vault})` + (this.account ? ` (account: ${this.account})` : "")
       );
     }
-    const tempDir = await fs6.mkdtemp(path6.join(os2.tmpdir(), "attest-it-"));
+    const tempDir = await fs7.mkdtemp(path6.join(os2.tmpdir(), "attest-it-"));
     const tempKeyPath = path6.join(tempDir, "private.pem");
     try {
       const args = ["document", "get", keyRef, "--vault", this.vault, "--out-file", tempKeyPath];
@@ -1040,8 +1333,8 @@ var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
         keyPath: tempKeyPath,
         cleanup: async () => {
           try {
-            await fs6.unlink(tempKeyPath);
-            await fs6.rmdir(tempDir);
+            await fs7.unlink(tempKeyPath);
+            await fs7.rmdir(tempDir);
           } catch (cleanupError) {
             console.warn(
               `Warning: Failed to clean up temporary key file at ${tempKeyPath}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
@@ -1051,7 +1344,7 @@ var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
       };
     } catch (error) {
       try {
-        await fs6.rm(tempDir, { recursive: true, force: true });
+        await fs7.rm(tempDir, { recursive: true, force: true });
       } catch (cleanupError) {
         console.warn(
           `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
@@ -1067,7 +1360,7 @@ var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
    */
   async generateKeyPair(options) {
     const { publicKeyPath, force = false } = options;
-    const tempDir = await fs6.mkdtemp(path6.join(os2.tmpdir(), "attest-it-keygen-"));
+    const tempDir = await fs7.mkdtemp(path6.join(os2.tmpdir(), "attest-it-keygen-"));
     const tempPrivateKeyPath = path6.join(tempDir, "private.pem");
     try {
       await generateKeyPair({
@@ -1088,8 +1381,8 @@ var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
         args.push("--account", this.account);
       }
       await execCommand("op", args);
-      await fs6.unlink(tempPrivateKeyPath);
-      await fs6.rmdir(tempDir);
+      await fs7.unlink(tempPrivateKeyPath);
+      await fs7.rmdir(tempDir);
       return {
         privateKeyRef: this.itemName,
         publicKeyPath,
@@ -1097,7 +1390,7 @@ var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
       };
     } catch (error) {
       try {
-        await fs6.rm(tempDir, { recursive: true, force: true });
+        await fs7.rm(tempDir, { recursive: true, force: true });
       } catch (cleanupError) {
         console.warn(
           `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
@@ -1121,7 +1414,7 @@ var OnePasswordKeyProvider = class _OnePasswordKeyProvider {
   }
 };
 async function execCommand(command, args) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const proc = spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
@@ -1133,7 +1426,7 @@ async function execCommand(command, args) {
     });
     proc.on("close", (code) => {
       if (code === 0) {
-        resolve3(stdout.trim());
+        resolve4(stdout.trim());
       } else {
         reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
       }
@@ -1226,7 +1519,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
         `Key not found in macOS Keychain: "${keyRef}" (account: ${_MacOSKeychainKeyProvider.ACCOUNT})`
       );
     }
-    const tempDir = await fs6.mkdtemp(path6.join(os2.tmpdir(), "attest-it-"));
+    const tempDir = await fs7.mkdtemp(path6.join(os2.tmpdir(), "attest-it-"));
     const tempKeyPath = path6.join(tempDir, "private.pem");
     try {
       const findArgs = [
@@ -1242,14 +1535,14 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
       }
       const base64Key = await execCommand2("security", findArgs);
       const keyContent = Buffer.from(base64Key, "base64").toString("utf8");
-      await fs6.writeFile(tempKeyPath, keyContent, { mode: 384 });
+      await fs7.writeFile(tempKeyPath, keyContent, { mode: 384 });
       await setKeyPermissions(tempKeyPath);
       return {
         keyPath: tempKeyPath,
         cleanup: async () => {
           try {
-            await fs6.unlink(tempKeyPath);
-            await fs6.rmdir(tempDir);
+            await fs7.unlink(tempKeyPath);
+            await fs7.rmdir(tempDir);
           } catch (cleanupError) {
             console.warn(
               `Warning: Failed to clean up temporary key file at ${tempKeyPath}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
@@ -1259,7 +1552,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
       };
     } catch (error) {
       try {
-        await fs6.rm(tempDir, { recursive: true, force: true });
+        await fs7.rm(tempDir, { recursive: true, force: true });
       } catch (cleanupError) {
         console.warn(
           `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
@@ -1275,7 +1568,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
    */
   async generateKeyPair(options) {
     const { publicKeyPath, force = false } = options;
-    const tempDir = await fs6.mkdtemp(path6.join(os2.tmpdir(), "attest-it-keygen-"));
+    const tempDir = await fs7.mkdtemp(path6.join(os2.tmpdir(), "attest-it-keygen-"));
     const tempPrivateKeyPath = path6.join(tempDir, "private.pem");
     try {
       await generateKeyPair({
@@ -1283,7 +1576,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
         publicPath: publicKeyPath,
         force
       });
-      const privateKeyContent = await fs6.readFile(tempPrivateKeyPath, "utf8");
+      const privateKeyContent = await fs7.readFile(tempPrivateKeyPath, "utf8");
       const base64Key = Buffer.from(privateKeyContent, "utf8").toString("base64");
       const addArgs = [
         "add-generic-password",
@@ -1301,8 +1594,8 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
         addArgs.push(this.keychain);
       }
       await execCommand2("security", addArgs);
-      await fs6.unlink(tempPrivateKeyPath);
-      await fs6.rmdir(tempDir);
+      await fs7.unlink(tempPrivateKeyPath);
+      await fs7.rmdir(tempDir);
       return {
         privateKeyRef: this.itemName,
         publicKeyPath,
@@ -1310,7 +1603,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
       };
     } catch (error) {
       try {
-        await fs6.rm(tempDir, { recursive: true, force: true });
+        await fs7.rm(tempDir, { recursive: true, force: true });
       } catch (cleanupError) {
         console.warn(
           `Warning: Failed to clean up temporary key directory at ${tempDir}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`
@@ -1332,7 +1625,7 @@ var MacOSKeychainKeyProvider = class _MacOSKeychainKeyProvider {
   }
 };
 async function execCommand2(command, args) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const proc = spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
@@ -1344,7 +1637,7 @@ async function execCommand2(command, args) {
     });
     proc.on("close", (code) => {
       if (code === 0) {
-        resolve3(stdout.trim());
+        resolve4(stdout.trim());
       } else {
         reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
       }
@@ -1354,69 +1647,6 @@ async function execCommand2(command, args) {
     });
   });
 }
-
-// src/key-provider/registry.ts
-var KeyProviderRegistry = class {
-  static providers = /* @__PURE__ */ new Map();
-  /**
-   * Register a key provider factory.
-   * @param type - Provider type identifier
-   * @param factory - Factory function to create provider instances
-   */
-  static register(type, factory) {
-    this.providers.set(type, factory);
-  }
-  /**
-   * Create a key provider from configuration.
-   * @param config - Provider configuration
-   * @returns A key provider instance
-   * @throws Error if the provider type is not registered
-   */
-  static create(config) {
-    const factory = this.providers.get(config.type);
-    if (!factory) {
-      throw new Error(
-        `Unknown key provider type: ${config.type}. Available types: ${Array.from(this.providers.keys()).join(", ")}`
-      );
-    }
-    return factory(config);
-  }
-  /**
-   * Get all registered provider types.
-   * @returns Array of provider type identifiers
-   */
-  static getProviderTypes() {
-    return Array.from(this.providers.keys());
-  }
-};
-KeyProviderRegistry.register("filesystem", (config) => {
-  const privateKeyPath = typeof config.options.privateKeyPath === "string" ? config.options.privateKeyPath : void 0;
-  if (privateKeyPath !== void 0) {
-    return new FilesystemKeyProvider({ privateKeyPath });
-  }
-  return new FilesystemKeyProvider();
-});
-KeyProviderRegistry.register("1password", (config) => {
-  const { options } = config;
-  const account = typeof options.account === "string" ? options.account : void 0;
-  const vault = typeof options.vault === "string" ? options.vault : "";
-  const itemName = typeof options.itemName === "string" ? options.itemName : "";
-  if (!vault || !itemName) {
-    throw new Error("1Password provider requires vault and itemName options");
-  }
-  if (account !== void 0) {
-    return new OnePasswordKeyProvider({ account, vault, itemName });
-  }
-  return new OnePasswordKeyProvider({ vault, itemName });
-});
-KeyProviderRegistry.register("macos-keychain", (config) => {
-  const { options } = config;
-  const itemName = typeof options.itemName === "string" ? options.itemName : "";
-  if (!itemName) {
-    throw new Error("macOS Keychain provider requires itemName option");
-  }
-  return new MacOSKeychainKeyProvider({ itemName });
-});
 var homeDirOverride = null;
 function setAttestItHomeDir(dir) {
   homeDirOverride = dir;
@@ -1582,6 +1812,617 @@ function saveLocalConfigSync(config, configPath) {
 function getActiveIdentity(config) {
   return config.identities[config.activeIdentity];
 }
+
+// src/key-provider/yubikey-provider.ts
+var EncryptedKeyFileSchema = z.object({
+  version: z.literal(1),
+  iv: z.string().min(1),
+  authTag: z.string().min(1),
+  salt: z.string().min(1),
+  challenge: z.string().min(1),
+  ciphertext: z.string().min(1),
+  slot: z.union([z.literal(1), z.literal(2)]),
+  serial: z.string().optional(),
+  aad: z.string().optional()
+});
+var activeCleanupHandlers = /* @__PURE__ */ new Set();
+var processHandlersInstalled = false;
+function installProcessHandlers() {
+  if (processHandlersInstalled) return;
+  processHandlersInstalled = true;
+  const runCleanup = async () => {
+    const handlers = Array.from(activeCleanupHandlers);
+    await Promise.allSettled(handlers.map((h) => h()));
+  };
+  process.once("beforeExit", () => {
+    void runCleanup();
+  });
+  process.once("SIGINT", () => {
+    void runCleanup().finally(() => process.exit(130));
+  });
+  process.once("SIGTERM", () => {
+    void runCleanup().finally(() => process.exit(143));
+  });
+}
+function validateEncryptedKeyFile(data) {
+  const parsed = EncryptedKeyFileSchema.parse(data);
+  const iv = Buffer.from(parsed.iv, "base64");
+  if (iv.length !== 12) {
+    throw new Error(`Invalid IV size: expected 12 bytes, got ${String(iv.length)}`);
+  }
+  const authTag = Buffer.from(parsed.authTag, "base64");
+  if (authTag.length !== 16) {
+    throw new Error(`Invalid auth tag size: expected 16 bytes, got ${String(authTag.length)}`);
+  }
+  const salt = Buffer.from(parsed.salt, "base64");
+  if (salt.length !== 32) {
+    throw new Error(`Invalid salt size: expected 32 bytes, got ${String(salt.length)}`);
+  }
+  const challenge = Buffer.from(parsed.challenge, "base64");
+  if (challenge.length !== 32) {
+    throw new Error(`Invalid challenge size: expected 32 bytes, got ${String(challenge.length)}`);
+  }
+  return parsed;
+}
+function constructAAD(version2, slot, serial) {
+  const aadObject = {
+    version: version2,
+    slot,
+    serial: serial ?? "unspecified"
+  };
+  return Buffer.from(JSON.stringify(aadObject), "utf8");
+}
+var YubiKeyProvider = class _YubiKeyProvider {
+  type = "yubikey";
+  displayName = "YubiKey";
+  encryptedKeyPath;
+  slot;
+  serial;
+  /**
+   * Create a new YubiKeyProvider.
+   * @param options - Provider options
+   * @throws Error if encryptedKeyPath is outside the attest-it config directory
+   */
+  constructor(options) {
+    const resolvedPath = path6.resolve(options.encryptedKeyPath);
+    const configDir = getAttestItConfigDir();
+    if (!resolvedPath.startsWith(configDir)) {
+      throw new Error(
+        `Encrypted key path must be within attest-it config directory (${configDir}). Got: ${resolvedPath}`
+      );
+    }
+    this.encryptedKeyPath = resolvedPath;
+    this.slot = options.slot ?? 2;
+    if (options.serial !== void 0) {
+      this.serial = options.serial;
+    }
+  }
+  /**
+   * Check if ykman CLI is installed and available.
+   * @returns true if ykman is available
+   */
+  static async isInstalled() {
+    try {
+      await execCommand3("ykman", ["--version"]);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Check if any YubiKey is connected.
+   * @returns true if at least one YubiKey is connected
+   */
+  static async isConnected() {
+    try {
+      const output = await execCommand3("ykman", ["list", "--serials"]);
+      return output.trim().length > 0;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Check if HMAC challenge-response is configured on a slot.
+   * @param slot - Slot number (1 or 2)
+   * @param serial - Optional YubiKey serial number
+   * @returns true if challenge-response is configured
+   */
+  static async isChallengeResponseConfigured(slot = 2, serial) {
+    try {
+      const args = ["otp", "info"];
+      if (serial) {
+        args.unshift("--device", serial);
+      }
+      const output = await execCommand3("ykman", args);
+      const slotPattern = new RegExp(`Slot ${String(slot)}:\\s+programmed.*challenge-response`, "i");
+      return slotPattern.test(output);
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * List connected YubiKeys.
+   * @returns Array of YubiKey information
+   */
+  static async listDevices() {
+    if (!await _YubiKeyProvider.isInstalled()) {
+      return [];
+    }
+    try {
+      const output = await execCommand3("ykman", ["list", "--serials"]);
+      const serials = output.trim().split("\n").filter((s) => s.length > 0);
+      const devices = [];
+      for (const serial of serials) {
+        try {
+          const infoOutput = await execCommand3("ykman", ["--device", serial, "info"]);
+          const typeMatch = /Device type:\s+(.+)/i.exec(infoOutput);
+          const fwMatch = /Firmware version:\s+(.+)/i.exec(infoOutput);
+          devices.push({
+            serial,
+            type: typeMatch?.[1]?.trim() ?? "YubiKey",
+            firmware: fwMatch?.[1]?.trim() ?? "Unknown"
+          });
+        } catch {
+          devices.push({
+            serial,
+            type: "YubiKey",
+            firmware: "Unknown"
+          });
+        }
+      }
+      return devices;
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Check if this provider is available on the current system.
+   * Requires ykman to be installed.
+   */
+  async isAvailable() {
+    return _YubiKeyProvider.isInstalled();
+  }
+  /**
+   * Check if an encrypted key file exists.
+   * @param keyRef - Path to encrypted key file
+   */
+  async keyExists(keyRef) {
+    try {
+      await fs7.access(keyRef);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get the private key by decrypting with YubiKey.
+   * Downloads to a temporary file and returns a cleanup function.
+   *
+   * **Important**: Always call the cleanup function when done to securely delete
+   * the temporary key file. The cleanup is also registered for process exit handlers.
+   *
+   * @param keyRef - Path to encrypted key file
+   * @throws Error if the key cannot be decrypted
+   */
+  async getPrivateKey(keyRef) {
+    installProcessHandlers();
+    if (!await this.keyExists(keyRef)) {
+      throw new Error(`Encrypted key file not found: ${keyRef}`);
+    }
+    const encryptedData = await fs7.readFile(keyRef, "utf8");
+    let keyFile;
+    try {
+      const parsed = JSON.parse(encryptedData);
+      keyFile = validateEncryptedKeyFile(parsed);
+    } catch (err) {
+      if (err instanceof z.ZodError) {
+        throw new Error(
+          `Invalid encrypted key file format: ${err.errors.map((e) => e.message).join(", ")}`
+        );
+      }
+      throw new Error(`Invalid encrypted key file: malformed JSON or structure`);
+    }
+    const expectedSerial = this.serial ?? keyFile.serial;
+    if (!expectedSerial) {
+      console.warn(
+        "WARNING: No YubiKey serial number specified for key verification. Any YubiKey with the correct HMAC secret could decrypt this key. For better security, re-encrypt the key with a serial number specified."
+      );
+    }
+    if (expectedSerial) {
+      const devices = await _YubiKeyProvider.listDevices();
+      const matchingDevice = devices.find((d) => d.serial === expectedSerial);
+      if (!matchingDevice) {
+        throw new Error(
+          `Required YubiKey not found. Expected serial: ${expectedSerial}. Connected devices: ${devices.map((d) => d.serial).join(", ") || "none"}`
+        );
+      }
+    }
+    const challenge = Buffer.from(keyFile.challenge, "base64");
+    const response = await performChallengeResponse(challenge, keyFile.slot, expectedSerial);
+    const salt = Buffer.from(keyFile.salt, "base64");
+    const aesKey = deriveKey(response, salt);
+    const iv = Buffer.from(keyFile.iv, "base64");
+    const authTag = Buffer.from(keyFile.authTag, "base64");
+    const ciphertext = Buffer.from(keyFile.ciphertext, "base64");
+    let privateKeyContent;
+    try {
+      const decipher = crypto3.createDecipheriv("aes-256-gcm", aesKey, iv);
+      if (keyFile.aad) {
+        decipher.setAAD(Buffer.from(keyFile.aad, "base64"));
+      }
+      decipher.setAuthTag(authTag);
+      const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+      privateKeyContent = decrypted.toString("utf8");
+    } catch {
+      throw new Error(
+        "Failed to decrypt private key. Verify you are using the correct YubiKey and the encrypted key file has not been corrupted or tampered with."
+      );
+    }
+    const tempDir = await fs7.mkdtemp(path6.join(os2.tmpdir(), "attest-it-"));
+    const tempKeyPath = path6.join(tempDir, "private.pem");
+    const cleanup = async () => {
+      activeCleanupHandlers.delete(cleanup);
+      try {
+        const keySize = Buffer.byteLength(privateKeyContent);
+        await fs7.writeFile(tempKeyPath, crypto3.randomBytes(keySize));
+        await fs7.unlink(tempKeyPath);
+        await fs7.rmdir(tempDir);
+      } catch {
+      }
+    };
+    try {
+      await fs7.writeFile(tempKeyPath, privateKeyContent, { mode: 384 });
+      await setKeyPermissions(tempKeyPath);
+      activeCleanupHandlers.add(cleanup);
+      return {
+        keyPath: tempKeyPath,
+        cleanup
+      };
+    } catch (error) {
+      await cleanup();
+      throw error;
+    }
+  }
+  /**
+   * Generate a new keypair and store encrypted with YubiKey.
+   * Public key is written to filesystem for repository commit.
+   *
+   * **Security Note**: Always specify a serial number to bind the key to a specific YubiKey.
+   *
+   * @param options - Key generation options
+   */
+  async generateKeyPair(options) {
+    const { publicKeyPath, force = false } = options;
+    if (!await _YubiKeyProvider.isChallengeResponseConfigured(this.slot, this.serial)) {
+      throw new Error(
+        `YubiKey slot ${String(this.slot)} is not configured for HMAC challenge-response. Ensure your YubiKey is connected and use "ykman otp chalresp --generate 2" to configure it.`
+      );
+    }
+    if (!force && await this.keyExists(this.encryptedKeyPath)) {
+      throw new Error(
+        `Encrypted key file already exists: ${this.encryptedKeyPath}. Use force: true to overwrite.`
+      );
+    }
+    let serial;
+    if (this.serial) {
+      serial = this.serial;
+    } else {
+      const devices = await _YubiKeyProvider.listDevices();
+      if (devices.length === 1 && devices[0]) {
+        serial = devices[0].serial;
+      } else if (devices.length > 1) {
+        console.warn(
+          "WARNING: Multiple YubiKeys detected but no serial specified. Key will not be bound to a specific device. For better security, specify a serial number."
+        );
+      }
+    }
+    const tempDir = await fs7.mkdtemp(path6.join(os2.tmpdir(), "attest-it-keygen-"));
+    const tempPrivateKeyPath = path6.join(tempDir, "private.pem");
+    try {
+      await generateKeyPair({
+        privatePath: tempPrivateKeyPath,
+        publicPath: publicKeyPath,
+        force
+      });
+      const privateKeyContent = await fs7.readFile(tempPrivateKeyPath, "utf8");
+      const challenge = crypto3.randomBytes(32);
+      const salt = crypto3.randomBytes(32);
+      const iv = crypto3.randomBytes(12);
+      const response = await performChallengeResponse(challenge, this.slot, this.serial);
+      const aesKey = deriveKey(response, salt);
+      const aad = constructAAD(1, this.slot, serial);
+      const cipher = crypto3.createCipheriv("aes-256-gcm", aesKey, iv);
+      cipher.setAAD(aad);
+      const ciphertext = Buffer.concat([
+        cipher.update(Buffer.from(privateKeyContent, "utf8")),
+        cipher.final()
+      ]);
+      const authTag = cipher.getAuthTag();
+      const keyFile = {
+        version: 1,
+        iv: iv.toString("base64"),
+        authTag: authTag.toString("base64"),
+        salt: salt.toString("base64"),
+        challenge: challenge.toString("base64"),
+        ciphertext: ciphertext.toString("base64"),
+        slot: this.slot,
+        aad: aad.toString("base64"),
+        ...serial && { serial }
+      };
+      await fs7.mkdir(path6.dirname(this.encryptedKeyPath), { recursive: true });
+      await fs7.writeFile(this.encryptedKeyPath, JSON.stringify(keyFile, null, 2), { mode: 384 });
+      await setKeyPermissions(this.encryptedKeyPath);
+      const keySize = Buffer.byteLength(privateKeyContent);
+      await fs7.writeFile(tempPrivateKeyPath, crypto3.randomBytes(keySize));
+      await fs7.unlink(tempPrivateKeyPath);
+      await fs7.rmdir(tempDir);
+      return {
+        privateKeyRef: this.encryptedKeyPath,
+        publicKeyPath,
+        storageDescription: `YubiKey-encrypted: ${this.encryptedKeyPath}`
+      };
+    } catch (error) {
+      try {
+        await fs7.rm(tempDir, { recursive: true, force: true });
+      } catch {
+      }
+      throw error;
+    }
+  }
+  /**
+   * Encrypt an existing private key with YubiKey challenge-response.
+   *
+   * @remarks
+   * This static method allows encrypting a private key that was generated
+   * elsewhere (e.g., by the CLI) without having to create a provider instance first.
+   *
+   * **Security Note**: Always specify a serial number to bind the key to a specific YubiKey.
+   * The serial provides defense-in-depth by ensuring only the intended YubiKey can decrypt.
+   *
+   * @param options - Encryption options
+   * @returns Path to the encrypted key file and storage description
+   * @public
+   */
+  static async encryptPrivateKey(options) {
+    const { privateKey, encryptedKeyPath, slot = 2, serial } = options;
+    const resolvedPath = path6.resolve(encryptedKeyPath);
+    const configDir = getAttestItConfigDir();
+    if (!resolvedPath.startsWith(configDir)) {
+      throw new Error(
+        `Encrypted key path must be within attest-it config directory (${configDir}). Got: ${resolvedPath}`
+      );
+    }
+    if (!serial) {
+      console.warn(
+        "WARNING: No YubiKey serial number specified. Key will not be bound to a specific device. For better security, specify a serial number."
+      );
+    }
+    if (!await _YubiKeyProvider.isChallengeResponseConfigured(slot, serial)) {
+      throw new Error(
+        `YubiKey slot ${String(slot)} is not configured for HMAC challenge-response. Ensure your YubiKey is connected and use "ykman otp chalresp --generate 2" to configure it.`
+      );
+    }
+    const challenge = crypto3.randomBytes(32);
+    const salt = crypto3.randomBytes(32);
+    const iv = crypto3.randomBytes(12);
+    const response = await performChallengeResponse(challenge, slot, serial);
+    const aesKey = deriveKey(response, salt);
+    const aad = constructAAD(1, slot, serial);
+    const cipher = crypto3.createCipheriv("aes-256-gcm", aesKey, iv);
+    cipher.setAAD(aad);
+    const ciphertext = Buffer.concat([
+      cipher.update(Buffer.from(privateKey, "utf8")),
+      cipher.final()
+    ]);
+    const authTag = cipher.getAuthTag();
+    const keyFile = {
+      version: 1,
+      iv: iv.toString("base64"),
+      authTag: authTag.toString("base64"),
+      salt: salt.toString("base64"),
+      challenge: challenge.toString("base64"),
+      ciphertext: ciphertext.toString("base64"),
+      slot,
+      aad: aad.toString("base64"),
+      ...serial && { serial }
+    };
+    await fs7.mkdir(path6.dirname(resolvedPath), { recursive: true });
+    await fs7.writeFile(resolvedPath, JSON.stringify(keyFile, null, 2), { mode: 384 });
+    await setKeyPermissions(resolvedPath);
+    return {
+      encryptedKeyPath: resolvedPath,
+      storageDescription: `YubiKey-encrypted: ${resolvedPath}`
+    };
+  }
+  /**
+   * Get the configuration for this provider.
+   */
+  getConfig() {
+    return {
+      type: this.type,
+      options: {
+        encryptedKeyPath: this.encryptedKeyPath,
+        slot: this.slot,
+        ...this.serial && { serial: this.serial }
+      }
+    };
+  }
+};
+async function execCommand3(command, args) {
+  return new Promise((resolve4, reject) => {
+    const proc = spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (data) => {
+      stdout += data.toString();
+    });
+    proc.stderr.on("data", (data) => {
+      stderr += data.toString();
+    });
+    proc.on("close", (code) => {
+      if (code === 0) {
+        resolve4(stdout.trim());
+      } else {
+        reject(new Error(`Command failed with exit code ${String(code)}: ${stderr}`));
+      }
+    });
+    proc.on("error", (error) => {
+      reject(error);
+    });
+  });
+}
+async function performChallengeResponse(challenge, slot, serial) {
+  const args = ["otp", "chalresp", "--slot", String(slot)];
+  if (serial) {
+    args.unshift("--device", serial);
+  }
+  args.push(challenge.toString("hex"));
+  try {
+    const output = await execCommand3("ykman", args);
+    return Buffer.from(output.trim(), "hex");
+  } catch {
+    throw new Error(
+      "YubiKey challenge-response failed. Verify your YubiKey is inserted and the slot is configured for challenge-response."
+    );
+  }
+}
+function deriveKey(response, salt) {
+  const derived = crypto3.hkdfSync("sha256", response, salt, "attest-it-yubikey-v1", 32);
+  return Buffer.from(derived);
+}
+
+// src/key-provider/registry.ts
+var KeyProviderRegistry = class {
+  static providers = /* @__PURE__ */ new Map();
+  /**
+   * Register a key provider factory.
+   * @param type - Provider type identifier
+   * @param factory - Factory function to create provider instances
+   */
+  static register(type, factory) {
+    this.providers.set(type, factory);
+  }
+  /**
+   * Create a key provider from configuration.
+   * @param config - Provider configuration
+   * @returns A key provider instance
+   * @throws Error if the provider type is not registered
+   */
+  static create(config) {
+    const factory = this.providers.get(config.type);
+    if (!factory) {
+      throw new Error(
+        `Unknown key provider type: ${config.type}. Available types: ${Array.from(this.providers.keys()).join(", ")}`
+      );
+    }
+    return factory(config);
+  }
+  /**
+   * Get all registered provider types.
+   * @returns Array of provider type identifiers
+   */
+  static getProviderTypes() {
+    return Array.from(this.providers.keys());
+  }
+};
+KeyProviderRegistry.register("filesystem", (config) => {
+  const privateKeyPath = typeof config.options.privateKeyPath === "string" ? config.options.privateKeyPath : void 0;
+  if (privateKeyPath !== void 0) {
+    return new FilesystemKeyProvider({ privateKeyPath });
+  }
+  return new FilesystemKeyProvider();
+});
+KeyProviderRegistry.register("1password", (config) => {
+  const { options } = config;
+  const account = typeof options.account === "string" ? options.account : void 0;
+  const vault = typeof options.vault === "string" ? options.vault : "";
+  const itemName = typeof options.itemName === "string" ? options.itemName : "";
+  if (!vault || !itemName) {
+    throw new Error("1Password provider requires vault and itemName options");
+  }
+  if (account !== void 0) {
+    return new OnePasswordKeyProvider({ account, vault, itemName });
+  }
+  return new OnePasswordKeyProvider({ vault, itemName });
+});
+KeyProviderRegistry.register("macos-keychain", (config) => {
+  const { options } = config;
+  const itemName = typeof options.itemName === "string" ? options.itemName : "";
+  if (!itemName) {
+    throw new Error("macOS Keychain provider requires itemName option");
+  }
+  return new MacOSKeychainKeyProvider({ itemName });
+});
+KeyProviderRegistry.register("yubikey", (config) => {
+  const { options } = config;
+  const encryptedKeyPath = typeof options.encryptedKeyPath === "string" ? options.encryptedKeyPath : "";
+  if (!encryptedKeyPath) {
+    throw new Error("YubiKey provider requires encryptedKeyPath option");
+  }
+  const slot = typeof options.slot === "number" && (options.slot === 1 || options.slot === 2) ? options.slot : void 0;
+  const serial = typeof options.serial === "string" ? options.serial : void 0;
+  const providerOptions = {
+    encryptedKeyPath
+  };
+  if (slot !== void 0) {
+    providerOptions.slot = slot;
+  }
+  if (serial !== void 0) {
+    providerOptions.serial = serial;
+  }
+  return new YubiKeyProvider(providerOptions);
+});
+var cliExperienceSchema = z.object({
+  declinedCompletionInstall: z.boolean().optional()
+}).strict();
+var userPreferencesSchema = z.object({
+  cliExperience: cliExperienceSchema.optional()
+}).strict();
+function getPreferencesPath() {
+  return join(getAttestItConfigDir(), "preferences.yaml");
+}
+async function loadPreferences() {
+  const prefsPath = getPreferencesPath();
+  try {
+    const content = await readFile(prefsPath, "utf8");
+    const parsed = parse(content);
+    const result = userPreferencesSchema.safeParse(parsed);
+    if (result.success) {
+      const prefs = {};
+      if (result.data.cliExperience) {
+        prefs.cliExperience = {
+          ...result.data.cliExperience.declinedCompletionInstall !== void 0 && {
+            declinedCompletionInstall: result.data.cliExperience.declinedCompletionInstall
+          }
+        };
+      }
+      return prefs;
+    }
+    console.warn("Invalid preferences file, using defaults:", result.error.message);
+    return {};
+  } catch (error) {
+    if (error && typeof error === "object" && "code" in error && (error.code === "ENOENT" || error.code === "ENOTDIR")) {
+      return {};
+    }
+    throw error;
+  }
+}
+async function savePreferences(preferences) {
+  const prefsPath = getPreferencesPath();
+  const content = stringify(preferences);
+  const dir = dirname(prefsPath);
+  await mkdir(dir, { recursive: true });
+  await writeFile(prefsPath, content, "utf8");
+}
+async function setPreference(key, value) {
+  const prefs = await loadPreferences();
+  prefs[key] = value;
+  await savePreferences(prefs);
+}
+async function getPreference(key) {
+  const prefs = await loadPreferences();
+  return prefs[key];
+}
 function isAuthorizedSigner(config, gateId, publicKey) {
   const gate = config.gates?.[gateId];
   if (!gate) {
@@ -1898,6 +2739,6 @@ function verifyAllSeals(config, seals, fingerprints) {
 // src/index.ts
 var version = "0.0.0";
 
-export { ConfigNotFoundError, ConfigValidationError, FilesystemKeyProvider, KeyProviderRegistry, LocalConfigValidationError, MacOSKeychainKeyProvider, OnePasswordKeyProvider, SignatureInvalidError, canonicalizeAttestations, computeFingerprint, computeFingerprintSync, createAttestation, createSeal, findAttestation, findConfigPath, findTeamMemberByPublicKey, generateKeyPair2 as generateEd25519KeyPair, getActiveIdentity, getAttestItConfigDir, getAttestItHomeDir, getAuthorizedSignersForGate, getGate, getLocalConfigPath, getPublicKeyFromPrivate, isAuthorizedSigner, listPackageFiles, loadConfig, loadConfigSync, loadLocalConfig, loadLocalConfigSync, parseDuration, readAndVerifyAttestations, readAttestations, readAttestationsSync, readSeals, readSealsSync, removeAttestation, resolveConfigPaths, saveLocalConfig, saveLocalConfigSync, setAttestItHomeDir, sign3 as signEd25519, toAttestItConfig, upsertAttestation, verifyAllSeals, verifyAttestations, verify3 as verifyEd25519, verifyGateSeal, verifySeal, version, writeAttestations, writeAttestationsSync, writeSeals, writeSealsSync, writeSignedAttestations };
+export { ConfigNotFoundError, ConfigValidationError, FilesystemKeyProvider, KeyProviderRegistry, LocalConfigValidationError, MacOSKeychainKeyProvider, OnePasswordKeyProvider, OperationalValidationError, PolicyValidationError, SignatureInvalidError, YubiKeyProvider, canonicalizeAttestations, computeFingerprint, computeFingerprintSync, createAttestation, createSeal, findAttestation, findConfigPath, findTeamMemberByPublicKey, generateKeyPair2 as generateEd25519KeyPair, getActiveIdentity, getAttestItConfigDir, getAttestItHomeDir, getAuthorizedSignersForGate, getGate, getLocalConfigPath, getPreference, getPreferencesPath, getPublicKeyFromPrivate, isAuthorizedSigner, listPackageFiles, loadConfig, loadConfigSync, loadLocalConfig, loadLocalConfigSync, loadPreferences, mergeConfigs, operationalSchema, parseDuration, parseOperationalContent, parsePolicyContent, policySchema, readAndVerifyAttestations, readAttestations, readAttestationsSync, readSeals, readSealsSync, removeAttestation, resolveConfigPaths, saveLocalConfig, saveLocalConfigSync, savePreferences, setAttestItHomeDir, setPreference, sign3 as signEd25519, toAttestItConfig, upsertAttestation, validateSuiteGateReferences, verifyAllSeals, verifyAttestations, verify3 as verifyEd25519, verifyGateSeal, verifySeal, version, writeAttestations, writeAttestationsSync, writeSeals, writeSealsSync, writeSignedAttestations };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map