npm - @attest-it/core - Versions diffs - 0.7.0 → 0.9.0 - Mend

@attest-it/core 0.7.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{chunk-T3NLSO5B.js → chunk-FGYLU2HL.js} +38 -8
package/dist/chunk-FGYLU2HL.js.map +1 -0
package/dist/core-alpha.d.ts +58 -18
package/dist/core-beta.d.ts +58 -18
package/dist/core-public.d.ts +58 -18
package/dist/core-unstripped.d.ts +58 -18
package/dist/crypto-SSL7OBY2.js +3 -0
package/dist/{crypto-VT6YNHUE.js.map → crypto-SSL7OBY2.js.map} +1 -1
package/dist/index.cjs +85 -53
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +58 -18
package/dist/index.d.ts +58 -18
package/dist/index.js +76 -74
package/dist/index.js.map +1 -1
package/package.json +3 -1
package/dist/chunk-T3NLSO5B.js.map +0 -1
package/dist/crypto-VT6YNHUE.js +0 -3

package/dist/index.d.cts CHANGED Viewed

@@ -34,6 +34,8 @@ interface AttestItSettings {
     publicKeyPath: string;
     /** Path to the attestations file */
     attestationsPath: string;
+    /** Path to the seals file */
+    sealsPath: string;
     /** Default command to execute for attestation (can be overridden per suite) */
     defaultCommand?: string;
     /** Key provider configuration for signing attestations */
@@ -52,6 +54,8 @@ interface TeamMember {
     github?: string | undefined;
     /** Base64-encoded Ed25519 public key */
     publicKey: string;
+    /** Public key algorithm (optional, for future-proofing format changes) */
+    publicKeyAlgorithm?: 'ed25519' | undefined;
 }
 /**
  * Fingerprint configuration for gates.
@@ -189,6 +193,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         keyProvider: z.ZodOptional<z.ZodObject<{
             type: z.ZodUnion<[z.ZodEnum<["filesystem", "1password"]>, z.ZodString]>;
@@ -229,6 +234,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         keyProvider: z.ZodOptional<z.ZodObject<{
             type: z.ZodUnion<[z.ZodEnum<["filesystem", "1password"]>, z.ZodString]>;
@@ -269,6 +275,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         keyProvider: z.ZodOptional<z.ZodObject<{
             type: z.ZodUnion<[z.ZodEnum<["filesystem", "1password"]>, z.ZodString]>;
@@ -311,16 +318,19 @@ declare const configSchema: z.ZodObject<{
         email: z.ZodOptional<z.ZodString>;
         github: z.ZodOptional<z.ZodString>;
         publicKey: z.ZodString;
+        publicKeyAlgorithm: z.ZodOptional<z.ZodEnum<["ed25519"]>>;
     }, "strict", z.ZodTypeAny, {
         name: string;
         publicKey: string;
         email?: string | undefined;
         github?: string | undefined;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }, {
         name: string;
         publicKey: string;
         email?: string | undefined;
         github?: string | undefined;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }>>>;
     gates: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         name: z.ZodString;
@@ -441,6 +451,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: number;
         publicKeyPath: string;
         attestationsPath: string;
+        sealsPath: string;
         defaultCommand?: string | undefined;
         keyProvider?: {
             type: string;
@@ -471,6 +482,7 @@ declare const configSchema: z.ZodObject<{
         publicKey: string;
         email?: string | undefined;
         github?: string | undefined;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }> | undefined;
     gates?: Record<string, {
         name: string;
@@ -501,6 +513,7 @@ declare const configSchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
         keyProvider: z.ZodOptional<z.ZodObject<{
             type: z.ZodUnion<[z.ZodEnum<["filesystem", "1password"]>, z.ZodString]>;
@@ -543,6 +556,7 @@ declare const configSchema: z.ZodObject<{
         publicKey: string;
         email?: string | undefined;
         github?: string | undefined;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }> | undefined;
     gates?: Record<string, {
         name: string;
@@ -673,30 +687,36 @@ declare const policySchema: z.ZodObject<{
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
         attestationsPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         maxAgeDays: number;
         publicKeyPath: string;
         attestationsPath: string;
+        sealsPath: string;
     }, {
         maxAgeDays?: number | undefined;
         publicKeyPath?: string | undefined;
         attestationsPath?: string | undefined;
+        sealsPath?: string | undefined;
     }>>;
     team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         name: z.ZodString;
         email: z.ZodOptional<z.ZodString>;
         github: z.ZodOptional<z.ZodString>;
         publicKey: z.ZodString;
+        publicKeyAlgorithm: z.ZodOptional<z.ZodLiteral<"ed25519">>;
     }, "strict", z.ZodTypeAny, {
         name: string;
         publicKey: string;
         email?: string | undefined;
         github?: string | undefined;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }, {
         name: string;
         publicKey: string;
         email?: string | undefined;
         github?: string | undefined;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }>>>;
     gates: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         name: z.ZodString;
@@ -738,12 +758,14 @@ declare const policySchema: z.ZodObject<{
         maxAgeDays: number;
         publicKeyPath: string;
         attestationsPath: string;
+        sealsPath: string;
     };
     team?: Record<string, {
         name: string;
         publicKey: string;
         email?: string | undefined;
         github?: string | undefined;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }> | undefined;
     gates?: Record<string, {
         name: string;
@@ -761,12 +783,14 @@ declare const policySchema: z.ZodObject<{
         maxAgeDays?: number | undefined;
         publicKeyPath?: string | undefined;
         attestationsPath?: string | undefined;
+        sealsPath?: string | undefined;
     } | undefined;
     team?: Record<string, {
         name: string;
         publicKey: string;
         email?: string | undefined;
         github?: string | undefined;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }> | undefined;
     gates?: Record<string, {
         name: string;
@@ -1070,7 +1094,7 @@ declare function parseOperationalContent(content: string, format: 'yaml' | 'json
  * The merge strategy prioritizes security-critical fields from the policy
  * configuration while combining operational fields from both sources:
  *
- * - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
+ * - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
  * - **Operational settings** (defaultCommand, keyProvider) are added from operational config
  * - **Team and gates** come exclusively from policy config
  * - **Suites and groups** come exclusively from operational config
@@ -1263,6 +1287,8 @@ interface KeyGenerationResult {
     publicKeyPath: string;
     /** Human-readable storage location description */
     storageDescription: string;
+    /** Whether the private key is encrypted with a passphrase */
+    encrypted?: boolean;
 }
 /**
  * Options for key generation via provider.
@@ -1273,6 +1299,8 @@ interface KeygenProviderOptions {
     publicKeyPath: string;
     /** Overwrite existing keys */
     force?: boolean;
+    /** Passphrase to encrypt the private key (filesystem provider only) */
+    passphrase?: string;
 }
 /**
  * Abstract interface for key storage providers.
@@ -1514,6 +1542,8 @@ interface KeygenOptions {
     publicPath?: string;
     /** Overwrite existing keys (default: false) */
     force?: boolean;
+    /** Passphrase to encrypt the private key with AES-256 (optional) */
+    passphrase?: string;
 }
 /**
  * Options for signing data.
@@ -1528,6 +1558,8 @@ interface SignOptions {
     keyRef?: string;
     /** Data to sign (string or Buffer) */
     data: string | Buffer;
+    /** Passphrase for encrypted private keys (optional) */
+    passphrase?: string;
 }
 /**
  * Options for verifying signatures.
@@ -2416,9 +2448,8 @@ declare function getHomePublicKeysDir(): string;
 /**
  * Get the project public keys directory.
  *
- * This returns .attest-it/public-keys relative to the given project root.
- * The project public keys directory is used for CI/GitHub Actions to
- * verify attestation seals.
+ * @deprecated Public keys are now stored inline in the team section of config.yaml.
+ * This function is kept for backward compatibility but should not be used in new code.
  *
  * @param projectRoot - The project root directory (defaults to cwd)
  * @returns Path to the project public keys directory
@@ -2428,6 +2459,9 @@ declare function getProjectPublicKeysDir(projectRoot?: string): string;
 /**
  * Check if a project has attest-it configuration.
  *
+ * @deprecated This function is kept for backward compatibility but is no longer used
+ * by the core library. Public keys are now stored inline in config.yaml.
+ *
  * @param projectRoot - The project root directory (defaults to cwd)
  * @returns True if the project has .attest-it/config.yaml or similar
  * @public
@@ -2444,31 +2478,33 @@ interface SavePublicKeyResult {
     projectPath?: string;
 }
 /**
- * Save a public key to the user's home directory and optionally to the project directory.
+ * Save a public key to the user's home directory.
  *
  * This saves the public key as a base64-encoded string (matching the format in config.yaml)
- * to:
- * 1. ~/.attest-it/public-keys/<slug>.pem (always)
- * 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
+ * to ~/.attest-it/public-keys/<slug>.pem for backup purposes.
+ *
+ * Public keys are now stored inline in the team section of config.yaml and no longer
+ * written to the project directory.
  *
  * @param slug - The identity slug (used for the filename)
  * @param publicKey - The base64-encoded public key
- * @param projectRoot - The project root directory (defaults to cwd)
+ * @param projectRoot - The project root directory (deprecated, kept for backward compatibility)
  * @returns Paths where the key was saved
  * @public
  */
 declare function savePublicKey(slug: string, publicKey: string, projectRoot?: string): Promise<SavePublicKeyResult>;
 /**
- * Save a public key to the user's home directory and optionally to the project directory (sync).
+ * Save a public key to the user's home directory (sync).
  *
  * This saves the public key as a base64-encoded string (matching the format in config.yaml)
- * to:
- * 1. ~/.attest-it/public-keys/<slug>.pem (always)
- * 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
+ * to ~/.attest-it/public-keys/<slug>.pem for backup purposes.
+ *
+ * Public keys are now stored inline in the team section of config.yaml and no longer
+ * written to the project directory.
  *
  * @param slug - The identity slug (used for the filename)
  * @param publicKey - The base64-encoded public key
- * @param projectRoot - The project root directory (defaults to cwd)
+ * @param projectRoot - The project root directory (deprecated, kept for backward compatibility)
  * @returns Paths where the key was saved
  * @public
  */
@@ -2610,38 +2646,42 @@ declare function verifySeal(seal: Seal, config: AttestItConfig): SignatureVerifi
  * Read seals from the seals.json file (async).
  *
  * @param dir - Directory containing .attest-it/seals.json
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @returns The seals file contents, or an empty seals file if the file doesn't exist
  * @throws Error if file exists but cannot be read or parsed
  * @public
  */
-declare function readSeals(dir: string): Promise<SealsFile>;
+declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
 /**
  * Read seals from the seals.json file (sync).
  *
  * @param dir - Directory containing .attest-it/seals.json
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @returns The seals file contents, or an empty seals file if the file doesn't exist
  * @throws Error if file exists but cannot be read or parsed
  * @public
  */
-declare function readSealsSync(dir: string): SealsFile;
+declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
 /**
  * Write seals to the seals.json file (async).
  *
  * @param dir - Directory containing .attest-it/seals.json
  * @param sealsFile - The seals file to write
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @throws Error if file cannot be written
  * @public
  */
-declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
+declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
 /**
  * Write seals to the seals.json file (sync).
  *
  * @param dir - Directory containing .attest-it/seals.json
  * @param sealsFile - The seals file to write
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @throws Error if file cannot be written
  * @public
  */
-declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
+declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
 /**
  * Seal verification logic and states.

package/dist/index.d.ts CHANGED Viewed

@@ -30,6 +30,8 @@ interface AttestItSettings {
     publicKeyPath: string;
     /** Path to the attestations file */
     attestationsPath: string;
+    /** Path to the seals file */
+    sealsPath: string;
     /** Default command to execute for attestation (can be overridden per suite) */
     defaultCommand?: string;
     /** Key provider configuration for signing attestations */
@@ -48,6 +50,8 @@ interface TeamMember {
     github?: string | undefined;
     /** Base64-encoded Ed25519 public key */
     publicKey: string;
+    /** Public key algorithm (optional, for future-proofing format changes) */
+    publicKeyAlgorithm?: 'ed25519' | undefined;
 }
 /**
  * Fingerprint configuration for gates.
@@ -255,6 +259,7 @@ declare const configSchema: z.ZodObject<{
         }>>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
         attestationsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
@@ -295,6 +300,7 @@ declare const configSchema: z.ZodObject<{
         }>>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
         attestationsPath: z.ZodDefault<z.ZodString>;
         defaultCommand: z.ZodOptional<z.ZodString>;
@@ -335,6 +341,7 @@ declare const configSchema: z.ZodObject<{
         }>>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, z.ZodTypeAny, "passthrough">>>;
     suites: z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodEffects<z.ZodObject<{
         command: z.ZodOptional<z.ZodString>;
@@ -419,16 +426,19 @@ declare const configSchema: z.ZodObject<{
         github: z.ZodOptional<z.ZodString>;
         name: z.ZodString;
         publicKey: z.ZodString;
+        publicKeyAlgorithm: z.ZodOptional<z.ZodEnum<["ed25519"]>>;
     }, "strict", z.ZodTypeAny, {
         email?: string | undefined;
         github?: string | undefined;
         name: string;
         publicKey: string;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }, {
         email?: string | undefined;
         github?: string | undefined;
         name: string;
         publicKey: string;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }>>>;
     version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
@@ -457,6 +467,7 @@ declare const configSchema: z.ZodObject<{
         } | undefined;
         maxAgeDays: number;
         publicKeyPath: string;
+        sealsPath: string;
     } & { [k: string]: unknown };
     suites: Record<string, {
         command?: string | undefined;
@@ -475,6 +486,7 @@ declare const configSchema: z.ZodObject<{
         github?: string | undefined;
         name: string;
         publicKey: string;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }> | undefined;
     version: 1;
 }, {
@@ -529,6 +541,7 @@ declare const configSchema: z.ZodObject<{
         }>>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, z.ZodTypeAny, "passthrough">;
     suites: Record<string, {
         command?: string | undefined;
@@ -547,6 +560,7 @@ declare const configSchema: z.ZodObject<{
         github?: string | undefined;
         name: string;
         publicKey: string;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }> | undefined;
     version: 1;
 }>;
@@ -700,30 +714,36 @@ declare const policySchema: z.ZodObject<{
         attestationsPath: z.ZodDefault<z.ZodString>;
         maxAgeDays: z.ZodDefault<z.ZodNumber>;
         publicKeyPath: z.ZodDefault<z.ZodString>;
+        sealsPath: z.ZodDefault<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         attestationsPath: string;
         maxAgeDays: number;
         publicKeyPath: string;
+        sealsPath: string;
     }, {
         attestationsPath?: string | undefined;
         maxAgeDays?: number | undefined;
         publicKeyPath?: string | undefined;
+        sealsPath?: string | undefined;
     }>>;
     team: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         email: z.ZodOptional<z.ZodString>;
         github: z.ZodOptional<z.ZodString>;
         name: z.ZodString;
         publicKey: z.ZodString;
+        publicKeyAlgorithm: z.ZodOptional<z.ZodLiteral<"ed25519">>;
     }, "strict", z.ZodTypeAny, {
         email?: string | undefined;
         github?: string | undefined;
         name: string;
         publicKey: string;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }, {
         email?: string | undefined;
         github?: string | undefined;
         name: string;
         publicKey: string;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }>>>;
     version: z.ZodLiteral<1>;
 }, "strict", z.ZodTypeAny, {
@@ -741,12 +761,14 @@ declare const policySchema: z.ZodObject<{
         attestationsPath: string;
         maxAgeDays: number;
         publicKeyPath: string;
+        sealsPath: string;
     };
     team?: Record<string, {
         email?: string | undefined;
         github?: string | undefined;
         name: string;
         publicKey: string;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }> | undefined;
     version: 1;
 }, {
@@ -764,12 +786,14 @@ declare const policySchema: z.ZodObject<{
         attestationsPath?: string | undefined;
         maxAgeDays?: number | undefined;
         publicKeyPath?: string | undefined;
+        sealsPath?: string | undefined;
     } | undefined;
     team?: Record<string, {
         email?: string | undefined;
         github?: string | undefined;
         name: string;
         publicKey: string;
+        publicKeyAlgorithm?: "ed25519" | undefined;
     }> | undefined;
     version: 1;
 }>;
@@ -1064,7 +1088,7 @@ declare function parseOperationalContent(content: string, format: 'json' | 'yaml
  * The merge strategy prioritizes security-critical fields from the policy
  * configuration while combining operational fields from both sources:
  *
- * - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath) are used as-is
+ * - **Policy settings** (maxAgeDays, publicKeyPath, attestationsPath, sealsPath) are used as-is
  * - **Operational settings** (defaultCommand, keyProvider) are added from operational config
  * - **Team and gates** come exclusively from policy config
  * - **Suites and groups** come exclusively from operational config
@@ -1257,6 +1281,8 @@ interface KeyGenerationResult {
     publicKeyPath: string;
     /** Human-readable storage location description */
     storageDescription: string;
+    /** Whether the private key is encrypted with a passphrase */
+    encrypted?: boolean;
 }
 /**
  * Options for key generation via provider.
@@ -1267,6 +1293,8 @@ interface KeygenProviderOptions {
     publicKeyPath: string;
     /** Overwrite existing keys */
     force?: boolean;
+    /** Passphrase to encrypt the private key (filesystem provider only) */
+    passphrase?: string;
 }
 /**
  * Abstract interface for key storage providers.
@@ -1508,6 +1536,8 @@ interface KeygenOptions {
     publicPath?: string;
     /** Overwrite existing keys (default: false) */
     force?: boolean;
+    /** Passphrase to encrypt the private key with AES-256 (optional) */
+    passphrase?: string;
 }
 /**
  * Options for signing data.
@@ -1522,6 +1552,8 @@ interface SignOptions {
     keyRef?: string;
     /** Data to sign (string or Buffer) */
     data: Buffer | string;
+    /** Passphrase for encrypted private keys (optional) */
+    passphrase?: string;
 }
 /**
  * Options for verifying signatures.
@@ -2406,9 +2438,8 @@ declare function getHomePublicKeysDir(): string;
 /**
  * Get the project public keys directory.
  *
- * This returns .attest-it/public-keys relative to the given project root.
- * The project public keys directory is used for CI/GitHub Actions to
- * verify attestation seals.
+ * @deprecated Public keys are now stored inline in the team section of config.yaml.
+ * This function is kept for backward compatibility but should not be used in new code.
  *
  * @param projectRoot - The project root directory (defaults to cwd)
  * @returns Path to the project public keys directory
@@ -2418,6 +2449,9 @@ declare function getProjectPublicKeysDir(projectRoot?: string): string;
 /**
  * Check if a project has attest-it configuration.
  *
+ * @deprecated This function is kept for backward compatibility but is no longer used
+ * by the core library. Public keys are now stored inline in config.yaml.
+ *
  * @param projectRoot - The project root directory (defaults to cwd)
  * @returns True if the project has .attest-it/config.yaml or similar
  * @public
@@ -2434,31 +2468,33 @@ interface SavePublicKeyResult {
     projectPath?: string;
 }
 /**
- * Save a public key to the user's home directory and optionally to the project directory.
+ * Save a public key to the user's home directory.
  *
  * This saves the public key as a base64-encoded string (matching the format in config.yaml)
- * to:
- * 1. ~/.attest-it/public-keys/<slug>.pem (always)
- * 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
+ * to ~/.attest-it/public-keys/<slug>.pem for backup purposes.
+ *
+ * Public keys are now stored inline in the team section of config.yaml and no longer
+ * written to the project directory.
  *
  * @param slug - The identity slug (used for the filename)
  * @param publicKey - The base64-encoded public key
- * @param projectRoot - The project root directory (defaults to cwd)
+ * @param projectRoot - The project root directory (deprecated, kept for backward compatibility)
  * @returns Paths where the key was saved
  * @public
  */
 declare function savePublicKey(slug: string, publicKey: string, projectRoot?: string): Promise<SavePublicKeyResult>;
 /**
- * Save a public key to the user's home directory and optionally to the project directory (sync).
+ * Save a public key to the user's home directory (sync).
  *
  * This saves the public key as a base64-encoded string (matching the format in config.yaml)
- * to:
- * 1. ~/.attest-it/public-keys/<slug>.pem (always)
- * 2. ./.attest-it/public-keys/<slug>.pem (if project has attest-it config)
+ * to ~/.attest-it/public-keys/<slug>.pem for backup purposes.
+ *
+ * Public keys are now stored inline in the team section of config.yaml and no longer
+ * written to the project directory.
  *
  * @param slug - The identity slug (used for the filename)
  * @param publicKey - The base64-encoded public key
- * @param projectRoot - The project root directory (defaults to cwd)
+ * @param projectRoot - The project root directory (deprecated, kept for backward compatibility)
  * @returns Paths where the key was saved
  * @public
  */
@@ -2600,38 +2636,42 @@ declare function verifySeal(seal: Seal, config: AttestItConfig): SignatureVerifi
  * Read seals from the seals.json file (async).
  *
  * @param dir - Directory containing .attest-it/seals.json
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @returns The seals file contents, or an empty seals file if the file doesn't exist
  * @throws Error if file exists but cannot be read or parsed
  * @public
  */
-declare function readSeals(dir: string): Promise<SealsFile>;
+declare function readSeals(dir: string, sealsPathOverride?: string): Promise<SealsFile>;
 /**
  * Read seals from the seals.json file (sync).
  *
  * @param dir - Directory containing .attest-it/seals.json
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @returns The seals file contents, or an empty seals file if the file doesn't exist
  * @throws Error if file exists but cannot be read or parsed
  * @public
  */
-declare function readSealsSync(dir: string): SealsFile;
+declare function readSealsSync(dir: string, sealsPathOverride?: string): SealsFile;
 /**
  * Write seals to the seals.json file (async).
  *
  * @param dir - Directory containing .attest-it/seals.json
  * @param sealsFile - The seals file to write
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @throws Error if file cannot be written
  * @public
  */
-declare function writeSeals(dir: string, sealsFile: SealsFile): Promise<void>;
+declare function writeSeals(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): Promise<void>;
 /**
  * Write seals to the seals.json file (sync).
  *
  * @param dir - Directory containing .attest-it/seals.json
  * @param sealsFile - The seals file to write
+ * @param sealsPathOverride - Optional explicit path to seals file (from config.settings.sealsPath)
  * @throws Error if file cannot be written
  * @public
  */
-declare function writeSealsSync(dir: string, sealsFile: SealsFile): void;
+declare function writeSealsSync(dir: string, sealsFile: SealsFile, sealsPathOverride?: string): void;
 /**
  * Seal verification logic and states.