@attest-it/core 0.6.0 → 0.8.0

package/dist/index.d.cts

@@ -34,6 +34,8 @@ interface AttestItSettings {
     publicKeyPath: string;
     /** Path to the attestations file */
     attestationsPath: string;
+    /** Path to the seals file */
+    sealsPath: string;
     /** Default command to execute for attestation (can be overridden per suite) */
     defaultCommand?: string;
     /** Key provider configuration for signing attestations */
@@ -189,6 +191,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         keyProvider: z.ZodOptional<z.ZodObject<{
             type: z.ZodUnion<[z.ZodEnum<["filesystem", "1password"]>, z.ZodString]>;
@@ -229,6 +232,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         keyProvider: z.ZodOptional<z.ZodObject<{
             type: z.ZodUnion<[z.ZodEnum<["filesystem", "1password"]>, z.ZodString]>;
@@ -269,6 +273,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         keyProvider: z.ZodOptional<z.ZodObject<{
             type: z.ZodUnion<[z.ZodEnum<["filesystem", "1password"]>, z.ZodString]>;
@@ -441,6 +446,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: number;
         publicKeyPath: string;
         attestationsPath: string;
+        sealsPath: string;
         defaultCommand?: string | undefined;
         keyProvider?: {
             type: string;
@@ -501,6 +507,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         keyProvider: z.ZodOptional<z.ZodObject<{
             type: z.ZodUnion<[z.ZodEnum<["filesystem", "1password"]>, z.ZodString]>;
@@ -673,14 +680,17 @@ declare const policySchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         maxAgeDays: number;
         publicKeyPath: string;
         attestationsPath: string;
+        sealsPath: string;
     }, {
         maxAgeDays?: number | undefined;
         publicKeyPath?: string | undefined;
         attestationsPath?: string | undefined;
+        sealsPath?: string | undefined;
     }>>;
     team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         name: z.ZodString;
@@ -738,6 +748,7 @@ declare const policySchema: z.ZodObject<{
         maxAgeDays: number;
         publicKeyPath: string;
         attestationsPath: string;
+        sealsPath: string;
     };
     team?: Record<string, {
         name: string;
@@ -761,6 +772,7 @@ declare const policySchema: z.ZodObject<{
         maxAgeDays?: number | undefined;
         publicKeyPath?: string | undefined;
         attestationsPath?: string | undefined;
+        sealsPath?: string | undefined;
     } | undefined;
     team?: Record<string, {
         name: string;
@@ -1070,7 +1082,7 @@ declare function parseOperationalContent(content: string, format: 'yaml' | 'json
  * The merge strategy prioritizes security-critical fields from the policy
  * configuration while combining operational fields from both sources:
  *
- * - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
+ * - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
  * - **Operational settings** (defaultCommand, keyProvider) are added from operational config
  * - **Team and gates** come exclusively from policy config
  * - **Suites and groups** come exclusively from operational config
@@ -1263,6 +1275,8 @@ interface KeyGenerationResult {
     publicKeyPath: string;
     /** Human-readable storage location description */
     storageDescription: string;
+    /** Whether the private key is encrypted with a passphrase */
+    encrypted?: boolean;
 }
 /**
  * Options for key generation via provider.
@@ -1273,6 +1287,8 @@ interface KeygenProviderOptions {
     publicKeyPath: string;
     /** Overwrite existing keys */
     force?: boolean;
+    /** Passphrase to encrypt the private key (filesystem provider only) */
+    passphrase?: string;
 }
 /**
  * Abstract interface for key storage providers.
@@ -1514,6 +1530,8 @@ interface KeygenOptions {
     publicPath?: string;
     /** Overwrite existing keys (default: false) */
     force?: boolean;
+    /** Passphrase to encrypt the private key with AES-256 (optional) */
+    passphrase?: string;
 }
 /**
  * Options for signing data.
@@ -1528,6 +1546,8 @@ interface SignOptions {
     keyRef?: string;
     /** Data to sign (string or Buffer) */
     data: string | Buffer;
+    /** Passphrase for encrypted private keys (optional) */
+    passphrase?: string;
 }
 /**
  * Options for verifying signatures.
@@ -1560,6 +1580,13 @@ declare function getDefaultPrivateKeyPath(): string;
  * @public
  */
 declare function getDefaultPublicKeyPath(): string;
+/**
+ * Get the default YubiKey encrypted key path based on OS.
+ * - macOS/Linux: ~/.config/attest-it/yubikey-private.enc
+ * - Windows: %APPDATA%\attest-it\yubikey-private.enc
+ * @public
+ */
+declare function getDefaultYubiKeyEncryptedKeyPath(): string;
 /**
  * Generate a new RSA-2048 keypair using OpenSSL.
  *
@@ -1811,6 +1838,8 @@ interface OnePasswordAccount {
     url: string;
     /** User UUID */
     user_uuid: string;
+    /** Human-readable account name (e.g., "North Family") */
+    name?: string;
 }
 /**
  * Information about a 1Password vault.
@@ -1850,7 +1879,7 @@ declare class OnePasswordKeyProvider implements KeyProvider {
     static isInstalled(): Promise<boolean>;
     /**
      * List all 1Password accounts.
-     * @returns Array of account information
+     * @returns Array of account information including human-readable names
      */
     static listAccounts(): Promise<OnePasswordAccount[]>;
     /**
@@ -2393,6 +2422,77 @@ declare function saveLocalConfigSync(config: LocalConfig, configPath?: string):
  * @public
  */
 declare function getActiveIdentity(config: LocalConfig): Identity | undefined;
+/**
+ * Get the user's home public keys directory.
+ *
+ * This returns ~/.attest-it/public-keys, which is different from the
+ * config directory (~/.config/attest-it). The public keys directory
+ * is designed to be easily shareable and discoverable.
+ *
+ * @returns Path to the user's home public keys directory
+ * @public
+ */
+declare function getHomePublicKeysDir(): string;
+/**
+ * Get the project public keys directory.
+ *
+ * This returns .attest-it/public-keys relative to the given project root.
+ * The project public keys directory is used for CI/GitHub Actions to
+ * verify attestation seals.
+ *
+ * @param projectRoot - The project root directory (defaults to cwd)
+ * @returns Path to the project public keys directory
+ * @public
+ */
+declare function getProjectPublicKeysDir(projectRoot?: string): string;
+/**
+ * Check if a project has attest-it configuration.
+ *
+ * @param projectRoot - The project root directory (defaults to cwd)
+ * @returns True if the project has .attest-it/config.yaml or similar
+ * @public
+ */
+declare function hasProjectConfig(projectRoot?: string): boolean;
+/**
+ * Result from saving public keys.
+ * @public
+ */
+interface SavePublicKeyResult {
+    /** Path where the key was saved in the user's home directory */
+    homePath: string;
+    /** Path where the key was saved in the project directory, if applicable */
+    projectPath?: string;
+}
+/**
+ * Save a public key to the user's home directory and optionally to the project directory.
+ *
+ * This saves the public key as a base64-encoded string (matching the format in config.yaml)
+ * to:
+ * 1. ~/.attest-it/public-keys/<slug>.pem (always)
+ * 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
+ *
+ * @param slug - The identity slug (used for the filename)
+ * @param publicKey - The base64-encoded public key
+ * @param projectRoot - The project root directory (defaults to cwd)
+ * @returns Paths where the key was saved
+ * @public
+ */
+declare function savePublicKey(slug: string, publicKey: string, projectRoot?: string): Promise<SavePublicKeyResult>;
+/**
+ * Save a public key to the user's home directory and optionally to the project directory (sync).
+ *
+ * This saves the public key as a base64-encoded string (matching the format in config.yaml)
+ * to:
+ * 1. ~/.attest-it/public-keys/<slug>.pem (always)
+ * 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
+ *
+ * @param slug - The identity slug (used for the filename)
+ * @param publicKey - The base64-encoded public key
+ * @param projectRoot - The project root directory (defaults to cwd)
+ * @returns Paths where the key was saved
+ * @public
+ */
+declare function savePublicKeySync(slug: string, publicKey: string, projectRoot?: string): SavePublicKeyResult;
 
 /**
  * Authorization logic for attest-it v2.0.
@@ -2530,38 +2630,42 @@ declare function verifySeal(seal: Seal, config: AttestItConfig): SignatureVerifi
  * Read seals from the seals.json file (async).
  *
  * @param dir - Directory containing .attest-it/seals.json
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @returns The seals file contents, or an empty seals file if the file doesn't exist
  * @throws Error if file exists but cannot be read or parsed
  * @public
  */
-declare function readSeals(dir: string): Promise<SealsFile>;
+declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
 /**
  * Read seals from the seals.json file (sync).
  *
  * @param dir - Directory containing .attest-it/seals.json
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @returns The seals file contents, or an empty seals file if the file doesn't exist
  * @throws Error if file exists but cannot be read or parsed
  * @public
  */
-declare function readSealsSync(dir: string): SealsFile;
+declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
 /**
  * Write seals to the seals.json file (async).
  *
  * @param dir - Directory containing .attest-it/seals.json
  * @param sealsFile - The seals file to write
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @throws Error if file cannot be written
  * @public
  */
-declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
+declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
 /**
  * Write seals to the seals.json file (sync).
  *
  * @param dir - Directory containing .attest-it/seals.json
  * @param sealsFile - The seals file to write
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @throws Error if file cannot be written
  * @public
  */
-declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
+declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
 
 /**
  * Seal verification logic and states.
@@ -2621,4 +2725,4 @@ declare function verifyAllSeals(config: AttestItConfig, seals: SealsFile, finger
  */
 declare const version = "0.0.0";
 
-export { type AttestItConfig, type AttestItSettings, type Attestation, type AttestationsFile, type CliExperiencePreferences, type Config, ConfigNotFoundError, ConfigValidationError, type CreateSealOptions, type VerifyOptions$1 as CryptoVerifyOptions, type KeyPair as Ed25519KeyPair, FilesystemKeyProvider, type FilesystemKeyProviderOptions, type FingerprintConfig, type FingerprintOptions, type FingerprintResult, type GateConfig, type Identity, type KeyGenerationResult, type KeyPaths, type KeyProvider, type KeyProviderConfig, type KeyProviderFactory, KeyProviderRegistry, type KeyProviderSettings, type KeyRetrievalResult, type KeygenOptions, type KeygenProviderOptions, type LocalConfig, LocalConfigValidationError, type MacOSKeychain, MacOSKeychainKeyProvider, type MacOSKeychainKeyProviderOptions, type OnePasswordAccount, OnePasswordKeyProvider, type OnePasswordKeyProviderOptions, type OnePasswordVault, type OperationalConfig, OperationalValidationError, type PolicyConfig, PolicyValidationError, type PrivateKeyRef, type ReadSignedAttestationsOptions, type Seal, type SealVerificationResult, type SealsFile, type SignOptions, SignatureInvalidError, type SignatureVerificationResult, type SuiteConfig, type SuiteVerificationResult, type TeamMember, type UserPreferences, type ValidationError, type ValidationErrorType, type VerificationState, type VerificationStatus, type VerifyOptions, type VerifyResult, type WriteSignedAttestationsOptions, type YubiKeyInfo, YubiKeyProvider, type YubiKeyProviderOptions, canonicalizeAttestations, checkOpenSSL, computeFingerprint, computeFingerprintSync, createAttestation, createSeal, findAttestation, findConfigPath, findTeamMemberByPublicKey, generateKeyPair as generateEd25519KeyPair, generateKeyPair$1 as generateKeyPair, getActiveIdentity, getAttestItConfigDir, getAttestItHomeDir, getAuthorizedSignersForGate, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, getGate, getLocalConfigPath, getPreference, getPreferencesPath, getPublicKeyFromPrivate, isAuthorizedSigner, listPackageFiles, loadConfig, loadConfigSync, loadLocalConfig, loadLocalConfigSync, loadPreferences, mergeConfigs, operationalSchema, parseDuration, parseOperationalContent, parsePolicyContent, policySchema, readAndVerifyAttestations, readAttestations, readAttestationsSync, readSeals, readSealsSync, removeAttestation, resolveConfigPaths, saveLocalConfig, saveLocalConfigSync, savePreferences, setAttestItHomeDir, setKeyPermissions, setPreference, sign$1 as sign, sign as signEd25519, toAttestItConfig, upsertAttestation, validateSuiteGateReferences, verify$1 as verify, verifyAllSeals, verifyAttestations, verify as verifyEd25519, verifyGateSeal, verifySeal, version, writeAttestations, writeAttestationsSync, writeSeals, writeSealsSync, writeSignedAttestations };
+export { type AttestItConfig, type AttestItSettings, type Attestation, type AttestationsFile, type CliExperiencePreferences, type Config, ConfigNotFoundError, ConfigValidationError, type CreateSealOptions, type VerifyOptions$1 as CryptoVerifyOptions, type KeyPair as Ed25519KeyPair, FilesystemKeyProvider, type FilesystemKeyProviderOptions, type FingerprintConfig, type FingerprintOptions, type FingerprintResult, type GateConfig, type Identity, type KeyGenerationResult, type KeyPaths, type KeyProvider, type KeyProviderConfig, type KeyProviderFactory, KeyProviderRegistry, type KeyProviderSettings, type KeyRetrievalResult, type KeygenOptions, type KeygenProviderOptions, type LocalConfig, LocalConfigValidationError, type MacOSKeychain, MacOSKeychainKeyProvider, type MacOSKeychainKeyProviderOptions, type OnePasswordAccount, OnePasswordKeyProvider, type OnePasswordKeyProviderOptions, type OnePasswordVault, type OperationalConfig, OperationalValidationError, type PolicyConfig, PolicyValidationError, type PrivateKeyRef, type ReadSignedAttestationsOptions, type SavePublicKeyResult, type Seal, type SealVerificationResult, type SealsFile, type SignOptions, SignatureInvalidError, type SignatureVerificationResult, type SuiteConfig, type SuiteVerificationResult, type TeamMember, type UserPreferences, type ValidationError, type ValidationErrorType, type VerificationState, type VerificationStatus, type VerifyOptions, type VerifyResult, type WriteSignedAttestationsOptions, type YubiKeyInfo, YubiKeyProvider, type YubiKeyProviderOptions, canonicalizeAttestations, checkOpenSSL, computeFingerprint, computeFingerprintSync, createAttestation, createSeal, findAttestation, findConfigPath, findTeamMemberByPublicKey, generateKeyPair as generateEd25519KeyPair, generateKeyPair$1 as generateKeyPair, getActiveIdentity, getAttestItConfigDir, getAttestItHomeDir, getAuthorizedSignersForGate, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, getDefaultYubiKeyEncryptedKeyPath, getGate, getHomePublicKeysDir, getLocalConfigPath, getPreference, getPreferencesPath, getProjectPublicKeysDir, getPublicKeyFromPrivate, hasProjectConfig, isAuthorizedSigner, listPackageFiles, loadConfig, loadConfigSync, loadLocalConfig, loadLocalConfigSync, loadPreferences, mergeConfigs, operationalSchema, parseDuration, parseOperationalContent, parsePolicyContent, policySchema, readAndVerifyAttestations, readAttestations, readAttestationsSync, readSeals, readSealsSync, removeAttestation, resolveConfigPaths, saveLocalConfig, saveLocalConfigSync, savePreferences, savePublicKey, savePublicKeySync, setAttestItHomeDir, setKeyPermissions, setPreference, sign$1 as sign, sign as signEd25519, toAttestItConfig, upsertAttestation, validateSuiteGateReferences, verify$1 as verify, verifyAllSeals, verifyAttestations, verify as verifyEd25519, verifyGateSeal, verifySeal, version, writeAttestations, writeAttestationsSync, writeSeals, writeSealsSync, writeSignedAttestations };

package/dist/index.d.ts

@@ -30,6 +30,8 @@ interface AttestItSettings {
     publicKeyPath: string;
     /** Path to the attestations file */
     attestationsPath: string;
+    /** Path to the seals file */
+    sealsPath: string;
     /** Default command to execute for attestation (can be overridden per suite) */
     defaultCommand?: string;
     /** Key provider configuration for signing attestations */
@@ -255,6 +257,7 @@ declare const configSchema: z.ZodObject<{
         }>>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
         attestationsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
@@ -295,6 +298,7 @@ declare const configSchema: z.ZodObject<{
         }>>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
         attestationsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
@@ -335,6 +339,7 @@ declare const configSchema: z.ZodObject<{
         }>>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, z.ZodTypeAny, "passthrough">>>;
     suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodEffects<z.ZodObject<{
         command: z.ZodOptional<z.ZodString>;
@@ -457,6 +462,7 @@ declare const configSchema: z.ZodObject<{
         } | undefined;
         maxAgeDays: number;
         publicKeyPath: string;
+        sealsPath: string;
     } & { [k: string]: unknown };
     suites: Record<string, {
         command?: string | undefined;
@@ -529,6 +535,7 @@ declare const configSchema: z.ZodObject<{
         }>>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, z.ZodTypeAny, "passthrough">;
     suites: Record<string, {
         command?: string | undefined;
@@ -700,14 +707,17 @@ declare const policySchema: z.ZodObject<{
         attestationsPath: z.ZodDefault<z.ZodString>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         attestationsPath: string;
         maxAgeDays: number;
         publicKeyPath: string;
+        sealsPath: string;
     }, {
         attestationsPath?: string | undefined;
         maxAgeDays?: number | undefined;
         publicKeyPath?: string | undefined;
+        sealsPath?: string | undefined;
     }>>;
     team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         email: z.ZodOptional<z.ZodString>;
@@ -741,6 +751,7 @@ declare const policySchema: z.ZodObject<{
         attestationsPath: string;
         maxAgeDays: number;
         publicKeyPath: string;
+        sealsPath: string;
     };
     team?: Record<string, {
         email?: string | undefined;
@@ -764,6 +775,7 @@ declare const policySchema: z.ZodObject<{
         attestationsPath?: string | undefined;
         maxAgeDays?: number | undefined;
         publicKeyPath?: string | undefined;
+        sealsPath?: string | undefined;
     } | undefined;
     team?: Record<string, {
         email?: string | undefined;
@@ -1064,7 +1076,7 @@ declare function parseOperationalContent(content: string, format: 'json' | 'yaml
  * The merge strategy prioritizes security-critical fields from the policy
  * configuration while combining operational fields from both sources:
  *
- * - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
+ * - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
  * - **Operational settings** (defaultCommand, keyProvider) are added from operational config
  * - **Team and gates** come exclusively from policy config
  * - **Suites and groups** come exclusively from operational config
@@ -1257,6 +1269,8 @@ interface KeyGenerationResult {
     publicKeyPath: string;
     /** Human-readable storage location description */
     storageDescription: string;
+    /** Whether the private key is encrypted with a passphrase */
+    encrypted?: boolean;
 }
 /**
  * Options for key generation via provider.
@@ -1267,6 +1281,8 @@ interface KeygenProviderOptions {
     publicKeyPath: string;
     /** Overwrite existing keys */
     force?: boolean;
+    /** Passphrase to encrypt the private key (filesystem provider only) */
+    passphrase?: string;
 }
 /**
  * Abstract interface for key storage providers.
@@ -1508,6 +1524,8 @@ interface KeygenOptions {
     publicPath?: string;
     /** Overwrite existing keys (default: false) */
     force?: boolean;
+    /** Passphrase to encrypt the private key with AES-256 (optional) */
+    passphrase?: string;
 }
 /**
  * Options for signing data.
@@ -1522,6 +1540,8 @@ interface SignOptions {
     keyRef?: string;
     /** Data to sign (string or Buffer) */
     data: Buffer | string;
+    /** Passphrase for encrypted private keys (optional) */
+    passphrase?: string;
 }
 /**
  * Options for verifying signatures.
@@ -1554,6 +1574,13 @@ declare function getDefaultPrivateKeyPath(): string;
  * @public
  */
 declare function getDefaultPublicKeyPath(): string;
+/**
+ * Get the default YubiKey encrypted key path based on OS.
+ * - macOS/Linux: ~/.config/attest-it/yubikey-private.enc
+ * - Windows: %APPDATA%\attest-it\yubikey-private.enc
+ * @public
+ */
+declare function getDefaultYubiKeyEncryptedKeyPath(): string;
 /**
  * Generate a new RSA-2048 keypair using OpenSSL.
  *
@@ -1805,6 +1832,8 @@ interface OnePasswordAccount {
     url: string;
     /** User UUID */
     user_uuid: string;
+    /** Human-readable account name (e.g., "North Family") */
+    name?: string;
 }
 /**
  * Information about a 1Password vault.
@@ -1844,7 +1873,7 @@ declare class OnePasswordKeyProvider implements KeyProvider {
     static isInstalled(): Promise<boolean>;
     /**
      * List all 1Password accounts.
-     * @returns Array of account information
+     * @returns Array of account information including human-readable names
      */
     static listAccounts(): Promise<OnePasswordAccount[]>;
     /**
@@ -2383,6 +2412,77 @@ declare function saveLocalConfigSync(config: LocalConfig, configPath?: string):
  * @public
  */
 declare function getActiveIdentity(config: LocalConfig): Identity | undefined;
+/**
+ * Get the user's home public keys directory.
+ *
+ * This returns ~/.attest-it/public-keys, which is different from the
+ * config directory (~/.config/attest-it). The public keys directory
+ * is designed to be easily shareable and discoverable.
+ *
+ * @returns Path to the user's home public keys directory
+ * @public
+ */
+declare function getHomePublicKeysDir(): string;
+/**
+ * Get the project public keys directory.
+ *
+ * This returns .attest-it/public-keys relative to the given project root.
+ * The project public keys directory is used for CI/GitHub Actions to
+ * verify attestation seals.
+ *
+ * @param projectRoot - The project root directory (defaults to cwd)
+ * @returns Path to the project public keys directory
+ * @public
+ */
+declare function getProjectPublicKeysDir(projectRoot?: string): string;
+/**
+ * Check if a project has attest-it configuration.
+ *
+ * @param projectRoot - The project root directory (defaults to cwd)
+ * @returns True if the project has .attest-it/config.yaml or similar
+ * @public
+ */
+declare function hasProjectConfig(projectRoot?: string): boolean;
+/**
+ * Result from saving public keys.
+ * @public
+ */
+interface SavePublicKeyResult {
+    /** Path where the key was saved in the user's home directory */
+    homePath: string;
+    /** Path where the key was saved in the project directory, if applicable */
+    projectPath?: string;
+}
+/**
+ * Save a public key to the user's home directory and optionally to the project directory.
+ *
+ * This saves the public key as a base64-encoded string (matching the format in config.yaml)
+ * to:
+ * 1. ~/.attest-it/public-keys/<slug>.pem (always)
+ * 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
+ *
+ * @param slug - The identity slug (used for the filename)
+ * @param publicKey - The base64-encoded public key
+ * @param projectRoot - The project root directory (defaults to cwd)
+ * @returns Paths where the key was saved
+ * @public
+ */
+declare function savePublicKey(slug: string, publicKey: string, projectRoot?: string): Promise<SavePublicKeyResult>;
+/**
+ * Save a public key to the user's home directory and optionally to the project directory (sync).
+ *
+ * This saves the public key as a base64-encoded string (matching the format in config.yaml)
+ * to:
+ * 1. ~/.attest-it/public-keys/<slug>.pem (always)
+ * 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
+ *
+ * @param slug - The identity slug (used for the filename)
+ * @param publicKey - The base64-encoded public key
+ * @param projectRoot - The project root directory (defaults to cwd)
+ * @returns Paths where the key was saved
+ * @public
+ */
+declare function savePublicKeySync(slug: string, publicKey: string, projectRoot?: string): SavePublicKeyResult;
 
 /**
  * Authorization logic for attest-it v2.0.
@@ -2520,38 +2620,42 @@ declare function verifySeal(seal: Seal, config: AttestItConfig): SignatureVerifi
  * Read seals from the seals.json file (async).
  *
  * @param dir - Directory containing .attest-it/seals.json
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @returns The seals file contents, or an empty seals file if the file doesn't exist
  * @throws Error if file exists but cannot be read or parsed
  * @public
  */
-declare function readSeals(dir: string): Promise<SealsFile>;
+declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
 /**
  * Read seals from the seals.json file (sync).
  *
  * @param dir - Directory containing .attest-it/seals.json
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @returns The seals file contents, or an empty seals file if the file doesn't exist
  * @throws Error if file exists but cannot be read or parsed
  * @public
  */
-declare function readSealsSync(dir: string): SealsFile;
+declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
 /**
  * Write seals to the seals.json file (async).
  *
  * @param dir - Directory containing .attest-it/seals.json
  * @param sealsFile - The seals file to write
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @throws Error if file cannot be written
  * @public
  */
-declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
+declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
 /**
  * Write seals to the seals.json file (sync).
  *
  * @param dir - Directory containing .attest-it/seals.json
  * @param sealsFile - The seals file to write
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @throws Error if file cannot be written
  * @public
  */
-declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
+declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
 
 /**
  * Seal verification logic and states.
@@ -2611,4 +2715,4 @@ declare function verifyAllSeals(config: AttestItConfig, seals: SealsFile, finger
  */
 declare const version = "0.0.0";
 
-export { type AttestItConfig, type AttestItSettings, type Attestation, type AttestationsFile, type CliExperiencePreferences, type Config, ConfigNotFoundError, ConfigValidationError, type CreateSealOptions, type VerifyOptions$1 as CryptoVerifyOptions, type KeyPair as Ed25519KeyPair, FilesystemKeyProvider, type FilesystemKeyProviderOptions, type FingerprintConfig, type FingerprintOptions, type FingerprintResult, type GateConfig, type Identity, type KeyGenerationResult, type KeyPaths, type KeyProvider, type KeyProviderConfig, type KeyProviderFactory, KeyProviderRegistry, type KeyProviderSettings, type KeyRetrievalResult, type KeygenOptions, type KeygenProviderOptions, type LocalConfig, LocalConfigValidationError, type MacOSKeychain, MacOSKeychainKeyProvider, type MacOSKeychainKeyProviderOptions, type OnePasswordAccount, OnePasswordKeyProvider, type OnePasswordKeyProviderOptions, type OnePasswordVault, type OperationalConfig, OperationalValidationError, type PolicyConfig, PolicyValidationError, type PrivateKeyRef, type ReadSignedAttestationsOptions, type Seal, type SealVerificationResult, type SealsFile, type SignOptions, SignatureInvalidError, type SignatureVerificationResult, type SuiteConfig, type SuiteVerificationResult, type TeamMember, type UserPreferences, type ValidationError, type ValidationErrorType, type VerificationState, type VerificationStatus, type VerifyOptions, type VerifyResult, type WriteSignedAttestationsOptions, type YubiKeyInfo, YubiKeyProvider, type YubiKeyProviderOptions, canonicalizeAttestations, checkOpenSSL, computeFingerprint, computeFingerprintSync, createAttestation, createSeal, findAttestation, findConfigPath, findTeamMemberByPublicKey, generateKeyPair as generateEd25519KeyPair, generateKeyPair$1 as generateKeyPair, getActiveIdentity, getAttestItConfigDir, getAttestItHomeDir, getAuthorizedSignersForGate, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, getGate, getLocalConfigPath, getPreference, getPreferencesPath, getPublicKeyFromPrivate, isAuthorizedSigner, listPackageFiles, loadConfig, loadConfigSync, loadLocalConfig, loadLocalConfigSync, loadPreferences, mergeConfigs, operationalSchema, parseDuration, parseOperationalContent, parsePolicyContent, policySchema, readAndVerifyAttestations, readAttestations, readAttestationsSync, readSeals, readSealsSync, removeAttestation, resolveConfigPaths, saveLocalConfig, saveLocalConfigSync, savePreferences, setAttestItHomeDir, setKeyPermissions, setPreference, sign$1 as sign, sign as signEd25519, toAttestItConfig, upsertAttestation, validateSuiteGateReferences, verify$1 as verify, verifyAllSeals, verifyAttestations, verify as verifyEd25519, verifyGateSeal, verifySeal, version, writeAttestations, writeAttestationsSync, writeSeals, writeSealsSync, writeSignedAttestations };
+export { type AttestItConfig, type AttestItSettings, type Attestation, type AttestationsFile, type CliExperiencePreferences, type Config, ConfigNotFoundError, ConfigValidationError, type CreateSealOptions, type VerifyOptions$1 as CryptoVerifyOptions, type KeyPair as Ed25519KeyPair, FilesystemKeyProvider, type FilesystemKeyProviderOptions, type FingerprintConfig, type FingerprintOptions, type FingerprintResult, type GateConfig, type Identity, type KeyGenerationResult, type KeyPaths, type KeyProvider, type KeyProviderConfig, type KeyProviderFactory, KeyProviderRegistry, type KeyProviderSettings, type KeyRetrievalResult, type KeygenOptions, type KeygenProviderOptions, type LocalConfig, LocalConfigValidationError, type MacOSKeychain, MacOSKeychainKeyProvider, type MacOSKeychainKeyProviderOptions, type OnePasswordAccount, OnePasswordKeyProvider, type OnePasswordKeyProviderOptions, type OnePasswordVault, type OperationalConfig, OperationalValidationError, type PolicyConfig, PolicyValidationError, type PrivateKeyRef, type ReadSignedAttestationsOptions, type SavePublicKeyResult, type Seal, type SealVerificationResult, type SealsFile, type SignOptions, SignatureInvalidError, type SignatureVerificationResult, type SuiteConfig, type SuiteVerificationResult, type TeamMember, type UserPreferences, type ValidationError, type ValidationErrorType, type VerificationState, type VerificationStatus, type VerifyOptions, type VerifyResult, type WriteSignedAttestationsOptions, type YubiKeyInfo, YubiKeyProvider, type YubiKeyProviderOptions, canonicalizeAttestations, checkOpenSSL, computeFingerprint, computeFingerprintSync, createAttestation, createSeal, findAttestation, findConfigPath, findTeamMemberByPublicKey, generateKeyPair as generateEd25519KeyPair, generateKeyPair$1 as generateKeyPair, getActiveIdentity, getAttestItConfigDir, getAttestItHomeDir, getAuthorizedSignersForGate, getDefaultPrivateKeyPath, getDefaultPublicKeyPath, getDefaultYubiKeyEncryptedKeyPath, getGate, getHomePublicKeysDir, getLocalConfigPath, getPreference, getPreferencesPath, getProjectPublicKeysDir, getPublicKeyFromPrivate, hasProjectConfig, isAuthorizedSigner, listPackageFiles, loadConfig, loadConfigSync, loadLocalConfig, loadLocalConfigSync, loadPreferences, mergeConfigs, operationalSchema, parseDuration, parseOperationalContent, parsePolicyContent, policySchema, readAndVerifyAttestations, readAttestations, readAttestationsSync, readSeals, readSealsSync, removeAttestation, resolveConfigPaths, saveLocalConfig, saveLocalConfigSync, savePreferences, savePublicKey, savePublicKeySync, setAttestItHomeDir, setKeyPermissions, setPreference, sign$1 as sign, sign as signEd25519, toAttestItConfig, upsertAttestation, validateSuiteGateReferences, verify$1 as verify, verifyAllSeals, verifyAttestations, verify as verifyEd25519, verifyGateSeal, verifySeal, version, writeAttestations, writeAttestationsSync, writeSeals, writeSealsSync, writeSignedAttestations };