@de-otio/chaoskb-client 0.2.0

package/dist/cli/bootstrap-lock.js

@@ -0,0 +1,62 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+const STALE_THRESHOLD_MS = 30_000;
+const RETRY_INTERVAL_MS = 500;
+const MAX_RETRIES = 60;
+function getChaoskbDir(baseDir) {
+    return baseDir ?? path.join(os.homedir(), '.chaoskb');
+}
+/**
+ * Acquire an exclusive file lock for bootstrap.
+ * Uses O_CREAT | O_EXCL for atomic creation.
+ * Returns a release function.
+ */
+export async function acquireBootstrapLock(baseDir) {
+    const chaoskbDir = getChaoskbDir(baseDir);
+    const lockPath = path.join(chaoskbDir, '.bootstrap.lock');
+    // Ensure the directory exists before trying to create the lock file
+    if (!fs.existsSync(chaoskbDir)) {
+        fs.mkdirSync(chaoskbDir, { recursive: true, mode: 0o700 });
+    }
+    for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+        try {
+            const fd = fs.openSync(lockPath, fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_WRONLY);
+            // Write PID and timestamp for stale lock detection
+            fs.writeSync(fd, JSON.stringify({ pid: process.pid, timestamp: Date.now() }));
+            fs.closeSync(fd);
+            return () => {
+                try {
+                    fs.unlinkSync(lockPath);
+                }
+                catch {
+                    // Lock file may have already been removed
+                }
+            };
+        }
+        catch (err) {
+            if (err.code !== 'EEXIST') {
+                throw err;
+            }
+            // Lock file exists — check if it's stale
+            try {
+                const stat = fs.statSync(lockPath);
+                const ageMs = Date.now() - stat.mtimeMs;
+                if (ageMs > STALE_THRESHOLD_MS) {
+                    // Stale lock — remove and retry
+                    fs.unlinkSync(lockPath);
+                    continue;
+                }
+            }
+            catch {
+                // Lock file disappeared between checks — retry
+                continue;
+            }
+            // Lock is held and not stale — wait and retry
+            await new Promise((resolve) => setTimeout(resolve, RETRY_INTERVAL_MS));
+        }
+    }
+    throw new Error('Timed out waiting for bootstrap lock. If ChaosKB is not running elsewhere, ' +
+        `delete ${lockPath} and try again.`);
+}
+//# sourceMappingURL=bootstrap-lock.js.map

package/dist/cli/bootstrap-lock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap-lock.js","sourceRoot":"","sources":["../../cli/bootstrap-lock.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,WAAW,GAAG,EAAE,CAAC;AAEvB,SAAS,aAAa,CAAC,OAAgB;IACrC,OAAO,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAAgB;IACzD,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IAE1D,oEAAoE;IACpE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;QACvD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,OAAO,GAAG,EAAE,CAAC,SAAS,CAAC,MAAM,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YACrG,mDAAmD;YACnD,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;YAC9E,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAEjB,OAAO,GAAG,EAAE;gBACV,IAAI,CAAC;oBACH,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAC1B,CAAC;gBAAC,MAAM,CAAC;oBACP,0CAA0C;gBAC5C,CAAC;YACH,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,MAAM,GAAG,CAAC;YACZ,CAAC;YAED,yCAAyC;YACzC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBACnC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;gBACxC,IAAI,KAAK,GAAG,kBAAkB,EAAE,CAAC;oBAC/B,gCAAgC;oBAChC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;oBACxB,SAAS;gBACX,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,+CAA+C;gBAC/C,SAAS;YACX,CAAC;YAED,8CAA8C;YAC9C,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CACb,6EAA6E;QAC7E,UAAU,QAAQ,iBAAiB,CACpC,CAAC;AACJ,CAAC"}

package/dist/cli/bootstrap.d.ts

@@ -0,0 +1,23 @@
+export declare const CHAOSKB_DIR: string;
+export declare const FILE_KEY_PATH: string;
+export interface BootstrapOptions {
+    /** Override the base directory (default: ~/.chaoskb). For testing. */
+    baseDir?: string;
+}
+/**
+ * Auto-bootstrap ChaosKB on first launch.
+ *
+ * Creates ~/.chaoskb/, generates a master key, stores it in the OS keyring,
+ * initializes the database, and writes config.json — all with standard
+ * security tier and no interactive prompts.
+ *
+ * Idempotent: no-ops if config.json already exists.
+ * Concurrency-safe: uses file-based locking to prevent races.
+ */
+export declare function bootstrap(options?: BootstrapOptions): Promise<void>;
+/**
+ * Retry sync registration on subsequent launches when syncPending is true.
+ * Called from the MCP server startup path.
+ */
+export declare function retrySyncRegistration(configPath: string): Promise<void>;
+//# sourceMappingURL=bootstrap.d.ts.map

package/dist/cli/bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../../cli/bootstrap.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,WAAW,QAAsC,CAAC;AAC/D,eAAO,MAAM,aAAa,QAAuC,CAAC;AAElE,MAAM,WAAW,gBAAgB;IAC/B,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAsGzE;AA8WD;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqB7E"}

package/dist/cli/bootstrap.js

@@ -0,0 +1,438 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { acquireBootstrapLock } from './bootstrap-lock.js';
+export const CHAOSKB_DIR = path.join(os.homedir(), '.chaoskb');
+export const FILE_KEY_PATH = path.join(CHAOSKB_DIR, 'master.key');
+function resolveDir(baseDir) {
+    return baseDir ?? CHAOSKB_DIR;
+}
+/**
+ * Auto-bootstrap ChaosKB on first launch.
+ *
+ * Creates ~/.chaoskb/, generates a master key, stores it in the OS keyring,
+ * initializes the database, and writes config.json — all with standard
+ * security tier and no interactive prompts.
+ *
+ * Idempotent: no-ops if config.json already exists.
+ * Concurrency-safe: uses file-based locking to prevent races.
+ */
+export async function bootstrap(options) {
+    const chaoskbDir = resolveDir(options?.baseDir);
+    const configPath = path.join(chaoskbDir, 'config.json');
+    const modelsDir = path.join(chaoskbDir, 'models');
+    const fileKeyPath = path.join(chaoskbDir, 'master.key');
+    // Fast path: already configured
+    if (fs.existsSync(configPath)) {
+        return;
+    }
+    const releaseLock = await acquireBootstrapLock(chaoskbDir);
+    try {
+        // Double-check after acquiring lock — another process may have completed bootstrap
+        if (fs.existsSync(configPath)) {
+            return;
+        }
+        // 1. Create directory structure
+        if (!fs.existsSync(chaoskbDir)) {
+            fs.mkdirSync(chaoskbDir, { recursive: true, mode: 0o700 });
+        }
+        fs.chmodSync(chaoskbDir, 0o700);
+        if (!fs.existsSync(modelsDir)) {
+            fs.mkdirSync(modelsDir, { recursive: true, mode: 0o700 });
+        }
+        // 2. Generate master key
+        const { EncryptionService } = await import('../crypto/encryption-service.js');
+        const encryption = new EncryptionService();
+        const masterKey = encryption.generateMasterKey();
+        // 3. Store master key
+        try {
+            await storeKeyInKeyring(masterKey);
+        }
+        catch (keyringError) {
+            // Keyring failed — check for file-based fallback
+            if (process.env.CHAOSKB_KEY_STORAGE === 'file') {
+                process.stderr.write('\n⚠ OS keyring unavailable. Storing key in ' + fileKeyPath + ' (file-based).\n' +
+                    '  This is less secure than the OS keyring. The key file is readable by any process running as your user.\n\n');
+                fs.writeFileSync(fileKeyPath, masterKey.buffer.toString('hex'), { mode: 0o600 });
+            }
+            else {
+                masterKey.dispose();
+                throw new Error(`Failed to store master key in OS keyring: ${keyringError instanceof Error ? keyringError.message : String(keyringError)}\n\n` +
+                    '  To fix this, either:\n' +
+                    '  • Install/configure your OS keyring service (macOS Keychain, Linux Secret Service, Windows Credential Manager)\n' +
+                    '  • Set CHAOSKB_KEY_STORAGE=file to use file-based key storage (less secure)\n');
+            }
+        }
+        // Copy master key bytes before disposing (needed for sync registration)
+        const masterKeyBytes = Buffer.from(masterKey.buffer);
+        masterKey.dispose();
+        // 4. Initialize database
+        const { DatabaseManager } = await import('../storage/database-manager.js');
+        const dbManager = new DatabaseManager(chaoskbDir);
+        const db = dbManager.getPersonalDb();
+        db.close();
+        dbManager.closeAll();
+        // 5. Detect SSH key for zero-config sync
+        const sshResult = await detectSSHKey();
+        // 6. Register with sync server (non-blocking)
+        const syncResult = await attemptSyncRegistration(sshResult, masterKeyBytes);
+        // Zero the copy
+        masterKeyBytes.fill(0);
+        // 7. Write config
+        const config = {
+            securityTier: 'standard',
+            projects: [],
+            syncEnabled: syncResult.enabled,
+            syncPending: syncResult.pending,
+            ...(syncResult.endpoint && { endpoint: syncResult.endpoint }),
+            ...(sshResult.fingerprint && { sshKeyFingerprint: sshResult.fingerprint }),
+            ...(sshResult.keyPath && { sshKeyPath: sshResult.keyPath }),
+        };
+        fs.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+        // 8. Log sync status
+        if (syncResult.enabled) {
+            process.stderr.write('Sync enabled. Your knowledge base will sync automatically.\n');
+        }
+        else if (syncResult.pending) {
+            process.stderr.write('Sync server unreachable. Will retry on next launch.\n');
+        }
+        else if (!sshResult.publicKey) {
+            process.stderr.write('\nNo SSH key found. Using a generated key stored in your OS keyring.\n' +
+                'Multi-device sync requires an SSH key — run ssh-keygen to create one,\n' +
+                'then: chaoskb-mcp config rotate-key\n\n');
+        }
+    }
+    finally {
+        releaseLock();
+    }
+}
+/**
+ * Detect the user's SSH key for zero-config sync.
+ *
+ * Priority: ssh-agent (Ed25519 > RSA) → filesystem (id_ed25519 > id_rsa)
+ * If no SSH key found, returns source: 'none'.
+ */
+async function detectSSHKey() {
+    // Respect opt-out
+    if (process.env.CHAOSKB_SYNC === 'off') {
+        return { publicKey: null, fingerprint: null, keyPath: null, source: 'none' };
+    }
+    // Try ssh-agent first
+    if (process.env.SSH_AUTH_SOCK) {
+        try {
+            const { listSSHAgentKeys } = await import('../crypto/ssh-agent.js');
+            const keys = await listSSHAgentKeys();
+            // Prefer Ed25519 over RSA
+            const ed25519 = keys.find((k) => k.type === 'ed25519');
+            const rsa = keys.find((k) => k.type === 'rsa');
+            const picked = ed25519 ?? rsa;
+            if (picked) {
+                return {
+                    publicKey: `ssh-${picked.type === 'ed25519' ? 'ed25519' : 'rsa'} ${Buffer.from(picked.publicKeyBytes).toString('base64')}`,
+                    fingerprint: picked.fingerprint,
+                    keyPath: null,
+                    source: 'agent',
+                };
+            }
+        }
+        catch {
+            // Agent not available or failed — fall through to filesystem
+        }
+    }
+    // Try filesystem
+    const sshDir = path.join(os.homedir(), '.ssh');
+    const candidates = [
+        { file: 'id_ed25519.pub', keyFile: 'id_ed25519' },
+        { file: 'id_rsa.pub', keyFile: 'id_rsa' },
+    ];
+    for (const { file, keyFile } of candidates) {
+        const pubKeyPath = path.join(sshDir, file);
+        if (fs.existsSync(pubKeyPath)) {
+            try {
+                const content = fs.readFileSync(pubKeyPath, 'utf-8').trim();
+                const { parseSSHPublicKey } = await import('../crypto/ssh-keys.js');
+                const parsed = parseSSHPublicKey(content);
+                return {
+                    publicKey: content,
+                    fingerprint: parsed.fingerprint,
+                    keyPath: path.join(sshDir, keyFile),
+                    source: 'file',
+                };
+            }
+            catch {
+                // Malformed key file — skip
+                continue;
+            }
+        }
+    }
+    // No SSH key found — try generating a fallback key in keyring
+    try {
+        const fallback = await generateFallbackKey();
+        if (fallback)
+            return fallback;
+    }
+    catch {
+        // Keyring unavailable — continue without sync
+    }
+    return { publicKey: null, fingerprint: null, keyPath: null, source: 'none' };
+}
+/**
+ * Generate a fallback Ed25519 key pair and store it in the OS keyring.
+ * Never written to disk. Returns null if keyring is unavailable.
+ */
+async function generateFallbackKey() {
+    const sodium = (await import('sodium-native')).default;
+    const { KeyringService } = await import('../crypto/keyring.js');
+    const pk = Buffer.alloc(sodium.crypto_sign_PUBLICKEYBYTES);
+    const sk = Buffer.alloc(sodium.crypto_sign_SECRETKEYBYTES);
+    sodium.crypto_sign_keypair(pk, sk);
+    try {
+        // Store secret key in keyring only (never on disk)
+        const keyring = new KeyringService();
+        const { SecureBuffer } = await import('../crypto/secure-buffer.js');
+        await keyring.store('chaoskb', 'identity-secret', SecureBuffer.from(sk));
+        await keyring.store('chaoskb', 'identity-public', SecureBuffer.from(pk));
+    }
+    catch {
+        sk.fill(0);
+        return null;
+    }
+    // Build the SSH public key line
+    const { createHash } = await import('node:crypto');
+    const typeStr = Buffer.from('ssh-ed25519');
+    const keyBlob = Buffer.concat([
+        uint32BE(typeStr.length), typeStr,
+        uint32BE(pk.length), pk,
+    ]);
+    const base64Blob = keyBlob.toString('base64');
+    const fingerprint = 'SHA256:' + createHash('sha256').update(keyBlob).digest('base64').replace(/=+$/, '');
+    sk.fill(0);
+    return {
+        publicKey: `ssh-ed25519 ${base64Blob}`,
+        fingerprint,
+        keyPath: null,
+        source: 'none', // still 'none' — it's a generated key, not a user's SSH key
+    };
+}
+function uint32BE(n) {
+    const buf = Buffer.alloc(4);
+    buf.writeUInt32BE(n);
+    return buf;
+}
+const DEFAULT_SYNC_ENDPOINT = 'https://sync.chaoskb.com';
+/**
+ * Attempt to register with the sync server during bootstrap.
+ *
+ * Non-blocking: if the server is unreachable, returns pending=true
+ * and the next launch will retry.
+ */
+async function attemptSyncRegistration(ssh, masterKeyBuffer) {
+    if (process.env.CHAOSKB_SYNC === 'off' || !ssh.publicKey) {
+        return { enabled: false, pending: false, endpoint: null };
+    }
+    const endpoint = process.env.CHAOSKB_SYNC_ENDPOINT ?? DEFAULT_SYNC_ENDPOINT;
+    try {
+        const response = await fetchWithTimeout(`${endpoint}/v1/auth/register`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ publicKey: ssh.publicKey }),
+        });
+        if (!response.ok) {
+            const body = await response.json().catch(() => ({}));
+            const status = body.status;
+            if (status === 'link_required') {
+                process.stderr.write('This SSH key is not recognized. To link it to an existing account,\n' +
+                    'run "chaoskb-mcp devices add" on a device that already has access.\n');
+                return { enabled: false, pending: false, endpoint };
+            }
+            // Other server errors — mark as pending for retry
+            return { enabled: false, pending: true, endpoint };
+        }
+        const regResult = await response.json();
+        // Existing account — download and unwrap master key (new-device restore)
+        if (regResult.status === 'existing') {
+            await restoreMasterKey(endpoint, ssh);
+            return { enabled: true, pending: false, endpoint };
+        }
+        // New account — wrap master key and upload
+        if (masterKeyBuffer.length > 0) {
+            await uploadWrappedMasterKey(endpoint, ssh, masterKeyBuffer);
+        }
+        return { enabled: true, pending: false, endpoint };
+    }
+    catch {
+        // Network error — mark as pending for retry
+        return { enabled: false, pending: true, endpoint };
+    }
+}
+/**
+ * Fetch with a 10-second timeout.
+ */
+async function fetchWithTimeout(url, init) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 10_000);
+    try {
+        return await fetch(url, { ...init, signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timeoutId);
+    }
+}
+/**
+ * Wrap the master key with the SSH public key and upload to the sync server.
+ * The wrapped blob is signed with the SSH private key for integrity verification.
+ */
+async function uploadWrappedMasterKey(endpoint, ssh, masterKeyBuffer) {
+    if (!ssh.publicKey)
+        return;
+    const { parseSSHPublicKey } = await import('../crypto/ssh-keys.js');
+    const { wrapMasterKey } = await import('../crypto/tiers/standard.js');
+    const { SecureBuffer } = await import('../crypto/secure-buffer.js');
+    const keyInfo = parseSSHPublicKey(ssh.publicKey);
+    const secureMasterKey = SecureBuffer.from(masterKeyBuffer);
+    try {
+        const wrappedBlob = wrapMasterKey(secureMasterKey, keyInfo);
+        // Sign the wrapped blob for integrity verification
+        const { SSHSigner } = await import('../sync/ssh-signer.js');
+        const signer = new SSHSigner(ssh.keyPath ?? undefined);
+        const { authorization, timestamp, sequence, publicKey } = await signer.signRequest('PUT', '/v1/wrapped-key', 1, wrappedBlob);
+        await fetchWithTimeout(`${endpoint}/v1/wrapped-key`, {
+            method: 'PUT',
+            headers: {
+                'Content-Type': 'application/octet-stream',
+                Authorization: authorization,
+                'X-ChaosKB-Timestamp': timestamp,
+                'X-ChaosKB-Sequence': String(sequence),
+                'X-ChaosKB-PublicKey': publicKey,
+            },
+            body: wrappedBlob,
+        });
+    }
+    finally {
+        secureMasterKey.dispose();
+    }
+}
+/**
+ * Restore the master key on a new device.
+ *
+ * Downloads the wrapped master key blob from the server,
+ * verifies the signature, unwraps with the SSH private key,
+ * and stores in the OS keyring.
+ */
+async function restoreMasterKey(endpoint, ssh) {
+    if (!ssh.publicKey)
+        return;
+    const { SSHSigner } = await import('../sync/ssh-signer.js');
+    const signer = new SSHSigner(ssh.keyPath ?? undefined);
+    const { authorization, timestamp, sequence, publicKey } = await signer.signRequest('GET', '/v1/wrapped-key', 1);
+    const response = await fetchWithTimeout(`${endpoint}/v1/wrapped-key`, {
+        method: 'GET',
+        headers: {
+            Authorization: authorization,
+            'X-ChaosKB-Timestamp': timestamp,
+            'X-ChaosKB-Sequence': String(sequence),
+            'X-ChaosKB-PublicKey': publicKey,
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`Failed to download wrapped key: ${response.status}`);
+    }
+    const wrappedBlob = new Uint8Array(await response.arrayBuffer());
+    // Unwrap with SSH private key
+    const { parseSSHPublicKey } = await import('../crypto/ssh-keys.js');
+    const keyInfo = parseSSHPublicKey(ssh.publicKey);
+    if (keyInfo.type === 'ed25519') {
+        const { unwrapMasterKeyEd25519 } = await import('../crypto/tiers/standard.js');
+        // Read the private key to get the secret key bytes for unwrapping
+        // For Ed25519 unwrap, we need the raw secret key — ssh-agent can sign
+        // but can't expose the raw key for crypto_box_seal_open.
+        // Fall back to key file for unwrapping.
+        if (ssh.keyPath) {
+            const keyData = fs.readFileSync(ssh.keyPath, 'utf-8');
+            const { createPrivateKey } = await import('node:crypto');
+            const keyObj = createPrivateKey({ key: keyData, format: 'pem' });
+            const exported = keyObj.export({ type: 'pkcs8', format: 'der' });
+            // Ed25519 PKCS8 DER: last 32 bytes are the private key, preceded by 2-byte wrapper
+            // The actual key bytes are at offset 16 (after DER headers), 32 bytes of seed + 32 bytes of public
+            const derBuf = Buffer.from(exported);
+            // Extract the 32-byte seed from the PKCS8 structure
+            // PKCS8 for Ed25519: 30 2e 02 01 00 30 05 06 03 2b 65 70 04 22 04 20 [32 bytes seed]
+            const seedOffset = derBuf.indexOf(Buffer.from([0x04, 0x20]), 12);
+            if (seedOffset === -1) {
+                throw new Error('Could not extract Ed25519 seed from private key');
+            }
+            const seed = derBuf.subarray(seedOffset + 2, seedOffset + 34);
+            // Generate the full 64-byte secret key from the seed
+            const sodium = (await import('sodium-native')).default;
+            const fullSk = Buffer.alloc(sodium.crypto_sign_SECRETKEYBYTES);
+            const fullPk = Buffer.alloc(sodium.crypto_sign_PUBLICKEYBYTES);
+            sodium.crypto_sign_seed_keypair(fullPk, fullSk, seed);
+            const masterKey = unwrapMasterKeyEd25519(wrappedBlob, fullSk, fullPk);
+            // Store in keyring
+            await storeKeyInKeyring(masterKey);
+            masterKey.dispose();
+            // Zero sensitive buffers
+            fullSk.fill(0);
+            seed.fill(0);
+        }
+        else {
+            // Key is in agent only — can't extract raw key for crypto_box_seal_open
+            // This is a known limitation: agent-only keys can sign but can't unwrap sealed boxes
+            throw new Error('Cannot restore master key: SSH key is in agent only (no key file).\n' +
+                'crypto_box_seal_open requires the raw private key. Ensure the key file is available at ~/.ssh/id_ed25519');
+        }
+    }
+    else {
+        // RSA unwrap
+        const { unwrapMasterKeyRSA } = await import('../crypto/tiers/standard.js');
+        const { createPrivateKey } = await import('node:crypto');
+        if (!ssh.keyPath) {
+            throw new Error('Cannot restore master key: no RSA key file path');
+        }
+        const keyData = fs.readFileSync(ssh.keyPath, 'utf-8');
+        const rsaPrivKey = createPrivateKey({ key: keyData, format: 'pem' });
+        const masterKey = unwrapMasterKeyRSA(wrappedBlob, rsaPrivKey);
+        await storeKeyInKeyring(masterKey);
+        masterKey.dispose();
+    }
+    process.stderr.write('Master key restored from sync server. Your knowledge base will sync shortly.\n');
+}
+/**
+ * Retry sync registration on subsequent launches when syncPending is true.
+ * Called from the MCP server startup path.
+ */
+export async function retrySyncRegistration(configPath) {
+    try {
+        const configData = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+        if (!configData.syncPending)
+            return;
+        const sshResult = await detectSSHKey();
+        if (!sshResult.publicKey)
+            return;
+        const syncResult = await attemptSyncRegistration(sshResult, Buffer.alloc(0));
+        if (syncResult.enabled || !syncResult.pending) {
+            // Either succeeded or permanently failed — clear pending
+            configData.syncEnabled = syncResult.enabled;
+            configData.syncPending = false;
+            if (syncResult.endpoint)
+                configData.endpoint = syncResult.endpoint;
+            if (sshResult.fingerprint)
+                configData.sshKeyFingerprint = sshResult.fingerprint;
+            fs.writeFileSync(configPath, JSON.stringify(configData, null, 2), { mode: 0o600 });
+        }
+    }
+    catch {
+        // Retry failed silently — will try again next launch
+    }
+}
+async function storeKeyInKeyring(masterKey) {
+    // macOS: warn about potential keychain access dialog
+    if (process.platform === 'darwin') {
+        process.stderr.write('Storing encryption key in macOS Keychain.\n' +
+            'You may see a system dialog asking to allow keychain access — this is expected.\n');
+    }
+    const { KeyringService } = await import('../crypto/keyring.js');
+    const keyring = new KeyringService();
+    await keyring.store('chaoskb', 'master-key', masterKey);
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/cli/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../cli/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AAC/D,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;AAOlE,SAAS,UAAU,CAAC,OAAgB;IAClC,OAAO,OAAO,IAAI,WAAW,CAAC;AAChC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAA0B;IACxD,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAExD,gCAAgC;IAChC,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,OAAO;IACT,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAC3D,IAAI,CAAC;QACH,mFAAmF;QACnF,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAEhC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,yBAAyB;QACzB,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;QAC9E,MAAM,UAAU,GAAG,IAAI,iBAAiB,EAAE,CAAC;QAC3C,MAAM,SAAS,GAAG,UAAU,CAAC,iBAAiB,EAAE,CAAC;QAEjD,sBAAsB;QACtB,IAAI,CAAC;YACH,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,YAAY,EAAE,CAAC;YACtB,iDAAiD;YACjD,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,MAAM,EAAE,CAAC;gBAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,6CAA6C,GAAG,WAAW,GAAG,kBAAkB;oBAChF,8GAA8G,CAC/G,CAAC;gBACF,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YACnF,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CACb,6CAA6C,YAAY,YAAY,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,MAAM;oBAC9H,0BAA0B;oBAC1B,oHAAoH;oBACpH,gFAAgF,CACjF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACrD,SAAS,CAAC,OAAO,EAAE,CAAC;QAEpB,yBAAyB;QACzB,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAC;QAC3E,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,CAAC;QAClD,MAAM,EAAE,GAAG,SAAS,CAAC,aAAa,EAAE,CAAC;QACrC,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,SAAS,CAAC,QAAQ,EAAE,CAAC;QAErB,yCAAyC;QACzC,MAAM,SAAS,GAAG,MAAM,YAAY,EAAE,CAAC;QAEvC,8CAA8C;QAC9C,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAE5E,gBAAgB;QAChB,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAEvB,kBAAkB;QAClB,MAAM,MAAM,GAAkB;YAC5B,YAAY,EAAE,UAAU;YACxB,QAAQ,EAAE,EAAE;YACZ,WAAW,EAAE,UAAU,CAAC,OAAO;YAC/B,WAAW,EAAE,UAAU,CAAC,OAAO;YAC/B,GAAG,CAAC,UAAU,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC;YAC7D,GAAG,CAAC,SAAS,CAAC,WAAW,IAAI,EAAE,iBAAiB,EAAE,SAAS,CAAC,WAAW,EAAE,CAAC;YAC1E,GAAG,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,UAAU,EAAE,SAAS,CAAC,OAAO,EAAE,CAAC;SAC5D,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAE/E,qBAAqB;QACrB,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;QACvF,CAAC;aAAM,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAChF,CAAC;aAAM,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,wEAAwE;gBACxE,yEAAyE;gBACzE,yCAAyC,CAC1C,CAAC;QACJ,CAAC;IACH,CAAC;YAAS,CAAC;QACT,WAAW,EAAE,CAAC;IAChB,CAAC;AACH,CAAC;AAWD;;;;;GAKG;AACH,KAAK,UAAU,YAAY;IACzB,kBAAkB;IAClB,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;QACvC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAC/E,CAAC;IAED,sBAAsB;IACtB,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;YACpE,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YAEtC,0BAA0B;YAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;YACvD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,OAAO,IAAI,GAAG,CAAC;YAE9B,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO;oBACL,SAAS,EAAE,OAAO,MAAM,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;oBAC1H,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,OAAO;iBAChB,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;QAC/D,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG;QACjB,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,YAAY,EAAE;QACjD,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE;KAC1C,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,UAAU,EAAE,CAAC;QAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC3C,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC5D,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;gBACpE,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBAC1C,OAAO;oBACL,SAAS,EAAE,OAAO;oBAClB,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC;oBACnC,MAAM,EAAE,MAAM;iBACf,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,4BAA4B;gBAC5B,SAAS;YACX,CAAC;QACH,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,mBAAmB,EAAE,CAAC;QAC7C,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AAC/E,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,mBAAmB;IAChC,MAAM,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,OAAc,CAAC;IAC9D,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;IAEhE,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,0BAAoC,CAAC,CAAC;IACrE,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,0BAAoC,CAAC,CAAC;IACrE,MAAM,CAAC,mBAAmB,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAEnC,IAAI,CAAC;QACH,mDAAmD;QACnD,MAAM,OAAO,GAAG,IAAI,cAAc,EAAE,CAAC;QACrC,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;QACpE,MAAM,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,iBAAiB,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QACzE,MAAM,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,iBAAiB,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3E,CAAC;IAAC,MAAM,CAAC;QACP,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO;QACjC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE;KACxB,CAAC,CAAC;IACH,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAEzG,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEX,OAAO;QACL,SAAS,EAAE,eAAe,UAAU,EAAE;QACtC,WAAW;QACX,OAAO,EAAE,IAAI;QACb,MAAM,EAAE,MAAM,EAAE,4DAA4D;KAC7E,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS;IACzB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IACrB,OAAO,GAAG,CAAC;AACb,CAAC;AAUD,MAAM,qBAAqB,GAAG,0BAA0B,CAAC;AAEzD;;;;;GAKG;AACH,KAAK,UAAU,uBAAuB,CACpC,GAAuB,EACvB,eAAuB;IAEvB,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,KAAK,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,qBAAqB,CAAC;IAE5E,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,GAAG,QAAQ,mBAAmB,EAAE;YACtE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,CAAC;SACnD,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACrD,MAAM,MAAM,GAAI,IAAgC,CAAC,MAAM,CAAC;YAExD,IAAI,MAAM,KAAK,eAAe,EAAE,CAAC;gBAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sEAAsE;oBACtE,sEAAsE,CACvE,CAAC;gBACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;YACtD,CAAC;YAED,kDAAkD;YAClD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAyC,CAAC;QAE/E,yEAAyE;QACzE,IAAI,SAAS,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACpC,MAAM,gBAAgB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACtC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;QACrD,CAAC;QAED,2CAA2C;QAC3C,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,sBAAsB,CAAC,QAAQ,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;QAC/D,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACP,4CAA4C;QAC5C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAAC,GAAW,EAAE,IAAiB;IAC5D,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;IAC/D,IAAI,CAAC;QACH,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,SAAS,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,QAAgB,EAChB,GAAuB,EACvB,eAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,SAAS;QAAE,OAAO;IAE3B,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACpE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;IACtE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,4BAA4B,CAAC,CAAC;IAEpE,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,eAAe,GAAG,YAAY,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAE3D,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,aAAa,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QAE5D,mDAAmD;QACnD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,GAAG,CAAC,OAAO,IAAI,SAAS,CAAC,CAAC;QACvD,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAChF,KAAK,EACL,iBAAiB,EACjB,CAAC,EACD,WAAW,CACZ,CAAC;QAEF,MAAM,gBAAgB,CAAC,GAAG,QAAQ,iBAAiB,EAAE;YACnD,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,cAAc,EAAE,0BAA0B;gBAC1C,aAAa,EAAE,aAAa;gBAC5B,qBAAqB,EAAE,SAAS;gBAChC,oBAAoB,EAAE,MAAM,CAAC,QAAQ,CAAC;gBACtC,qBAAqB,EAAE,SAAS;aACjC;YACD,IAAI,EAAE,WAAW;SAClB,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,eAAe,CAAC,OAAO,EAAE,CAAC;IAC5B,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,gBAAgB,CAC7B,QAAgB,EAChB,GAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,SAAS;QAAE,OAAO;IAE3B,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,GAAG,CAAC,OAAO,IAAI,SAAS,CAAC,CAAC;IACvD,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAChF,KAAK,EACL,iBAAiB,EACjB,CAAC,CACF,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,GAAG,QAAQ,iBAAiB,EAAE;QACpE,MAAM,EAAE,KAAK;QACb,OAAO,EAAE;YACP,aAAa,EAAE,aAAa;YAC5B,qBAAqB,EAAE,SAAS;YAChC,oBAAoB,EAAE,MAAM,CAAC,QAAQ,CAAC;YACtC,qBAAqB,EAAE,SAAS;SACjC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAEjE,8BAA8B;IAC9B,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IACpE,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEjD,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QAC/E,kEAAkE;QAClE,sEAAsE;QACtE,yDAAyD;QACzD,wCAAwC;QACxC,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACtD,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YACzD,MAAM,MAAM,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YACjE,mFAAmF;YACnF,mGAAmG;YACnG,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACrC,oDAAoD;YACpD,qFAAqF;YACrF,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjE,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACrE,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,GAAG,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;YAE9D,qDAAqD;YACrD,MAAM,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,OAAc,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,0BAAoC,CAAC,CAAC;YACzE,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,0BAAoC,CAAC,CAAC;YACzE,MAAM,CAAC,wBAAwB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YAEtD,MAAM,SAAS,GAAG,sBAAsB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;YAEtE,mBAAmB;YACnB,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;YACnC,SAAS,CAAC,OAAO,EAAE,CAAC;YAEpB,yBAAyB;YACzB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACf,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACf,CAAC;aAAM,CAAC;YACN,wEAAwE;YACxE,qFAAqF;YACrF,MAAM,IAAI,KAAK,CACb,sEAAsE;gBACtE,0GAA0G,CAC3G,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,aAAa;QACb,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QAC3E,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACzD,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACtD,MAAM,UAAU,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,kBAAkB,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAC9D,MAAM,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACnC,SAAS,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gFAAgF,CAAC,CAAC;AACzG,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,UAAkB;IAC5D,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAkB,CAAC;QACrF,IAAI,CAAC,UAAU,CAAC,WAAW;YAAE,OAAO;QAEpC,MAAM,SAAS,GAAG,MAAM,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,SAAS,CAAC,SAAS;YAAE,OAAO;QAEjC,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAE7E,IAAI,UAAU,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YAC9C,yDAAyD;YACzD,UAAU,CAAC,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC;YAC5C,UAAU,CAAC,WAAW,GAAG,KAAK,CAAC;YAC/B,IAAI,UAAU,CAAC,QAAQ;gBAAE,UAAU,CAAC,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC;YACnE,IAAI,SAAS,CAAC,WAAW;gBAAE,UAAU,CAAC,iBAAiB,GAAG,SAAS,CAAC,WAAW,CAAC;YAChF,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;IACvD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,SAA6B;IAC5D,qDAAqD;IACrD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,6CAA6C;YAC7C,mFAAmF,CACpF,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,IAAI,cAAc,EAAE,CAAC;IACrC,MAAM,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,YAAY,EAAE,SAAuD,CAAC,CAAC;AACxG,CAAC"}

package/dist/cli/commands/config.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Upgrade security tier.
+ *
+ * Standard → Maximum: re-wrap master key under Argon2id-derived key from passphrase.
+ * Enhanced → Maximum: same as above, with note that mnemonic is invalidated.
+ *
+ * Note: The Enhanced tier (BIP39 mnemonic) is deprecated. New upgrades only
+ * support "maximum". Existing Enhanced-tier users can still upgrade to Maximum.
+ */
+export declare function upgradeTierCommand(tier: string, options?: {
+    dryRun?: boolean;
+}): Promise<void>;
+//# sourceMappingURL=config.d.ts.map

package/dist/cli/commands/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../cli/commands/config.ts"],"names":[],"mappings":"AAqBA;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsEpG"}