@de-otio/chaoskb-client 0.2.0

package/dist/cli/commands/config.js

@@ -0,0 +1,244 @@
+import * as fs from 'node:fs';
+import * as readline from 'node:readline';
+import { randomBytes } from 'node:crypto';
+import { loadConfig, saveConfig, CHAOSKB_DIR } from './setup.js';
+import { SecurityTier } from '../../crypto/types.js';
+import * as path from 'node:path';
+const TIER_ORDER = [SecurityTier.Standard, SecurityTier.Enhanced, SecurityTier.Maximum];
+function tierIndex(tier) {
+    return TIER_ORDER.indexOf(tier);
+}
+function prompt(rl, question) {
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => {
+            resolve(answer.trim());
+        });
+    });
+}
+/**
+ * Upgrade security tier.
+ *
+ * Standard → Maximum: re-wrap master key under Argon2id-derived key from passphrase.
+ * Enhanced → Maximum: same as above, with note that mnemonic is invalidated.
+ *
+ * Note: The Enhanced tier (BIP39 mnemonic) is deprecated. New upgrades only
+ * support "maximum". Existing Enhanced-tier users can still upgrade to Maximum.
+ */
+export async function upgradeTierCommand(tier, options) {
+    const dryRun = options?.dryRun ?? false;
+    // Validate tier argument — only 'maximum' is accepted for new upgrades
+    if (tier !== 'maximum') {
+        if (tier === 'enhanced') {
+            console.error('The "enhanced" tier is deprecated. Use "maximum" instead.');
+        }
+        else {
+            console.error(`Invalid tier: "${tier}". Must be "maximum".`);
+        }
+        process.exitCode = 1;
+        return;
+    }
+    const config = await loadConfig();
+    if (!config) {
+        console.error('ChaosKB is not configured. Run `chaoskb-mcp setup` first.');
+        process.exitCode = 1;
+        return;
+    }
+    const currentIndex = tierIndex(config.securityTier);
+    const targetIndex = tierIndex(tier);
+    if (targetIndex <= currentIndex) {
+        console.error(`Already at "${config.securityTier}" tier or higher.`);
+        process.exitCode = 1;
+        return;
+    }
+    // Retrieve master key from OS keyring
+    const { KeyringService } = await import('../../crypto/keyring.js');
+    const keyring = new KeyringService();
+    let masterKey = await keyring.retrieve('chaoskb', 'master-key');
+    if (!masterKey) {
+        // Try file-based key fallback
+        if (process.env.CHAOSKB_KEY_STORAGE === 'file') {
+            const { FILE_KEY_PATH } = await import('../bootstrap.js');
+            try {
+                const hex = fs.readFileSync(FILE_KEY_PATH, 'utf-8').trim();
+                const { SecureBuffer } = await import('../../crypto/secure-buffer.js');
+                masterKey = SecureBuffer.from(Buffer.from(hex, 'hex'));
+            }
+            catch {
+                // Fall through to error
+            }
+        }
+        if (!masterKey) {
+            console.error('Master key not found. Ensure your OS keyring is accessible.');
+            process.exitCode = 1;
+            return;
+        }
+    }
+    if (dryRun) {
+        console.log('[dry-run] Would upgrade security tier from "%s" to "%s".', config.securityTier, tier);
+        console.log('[dry-run] This will:');
+        console.log('[dry-run]   - Derive a wrapping key from your passphrase using Argon2id');
+        console.log('[dry-run]   - Encrypt the master key with the wrapping key');
+        console.log('[dry-run]   - Write encrypted key blob to ~/.chaoskb/master-key.enc');
+        console.log('[dry-run]   - Remove the master key from the OS keyring');
+        console.log('[dry-run] No changes made.');
+        masterKey.dispose();
+        return;
+    }
+    try {
+        await upgradeToMaximum(masterKey, config);
+    }
+    finally {
+        masterKey.dispose();
+    }
+}
+async function upgradeToEnhanced(masterKey, config) {
+    const { generateRecoveryKey } = await import('../../crypto/tiers/enhanced.js');
+    const mnemonic = generateRecoveryKey(masterKey);
+    const words = mnemonic.split(' ');
+    console.log('');
+    console.log('Your 24-word recovery key:');
+    console.log('');
+    // Display in 3 columns of 8
+    for (let i = 0; i < 24; i += 3) {
+        const cols = [];
+        for (let j = 0; j < 3 && i + j < 24; j++) {
+            cols.push(`  ${String(i + j + 1).padStart(2, ' ')}. ${words[i + j].padEnd(10)}`);
+        }
+        console.log(cols.join(''));
+    }
+    console.log('');
+    console.log('Write these words down and store them safely.');
+    console.log('This is your backup recovery factor. Do NOT store it digitally.');
+    console.log('');
+    // Spot-check: ask user to confirm 2 random words
+    const indices = pickRandomIndices(24, 2);
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        for (const idx of indices) {
+            const answer = await prompt(rl, `Confirm word #${idx + 1}: `);
+            if (answer.toLowerCase() !== words[idx].toLowerCase()) {
+                console.error(`Incorrect. Expected word #${idx + 1} to be "${words[idx]}".`);
+                console.error('Tier upgrade cancelled.');
+                process.exitCode = 1;
+                return;
+            }
+        }
+    }
+    finally {
+        rl.close();
+    }
+    // Update config
+    config.securityTier = SecurityTier.Enhanced;
+    await saveConfig(config);
+    console.log('');
+    console.log('Security tier upgraded to Enhanced.');
+    console.log('Your master key remains in the OS keyring. The recovery key is your backup.');
+}
+async function upgradeToMaximum(masterKey, config) {
+    if (!process.stdin.isTTY) {
+        console.error('Maximum tier requires an interactive terminal for passphrase entry.');
+        process.exitCode = 1;
+        return;
+    }
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    let passphrase;
+    try {
+        passphrase = await prompt(rl, 'Enter new passphrase (min 25 characters): ');
+        if (passphrase.length < 25) {
+            console.error('Passphrase must be at least 25 characters (e.g. 5+ diceware words).');
+            process.exitCode = 1;
+            return;
+        }
+        const confirm = await prompt(rl, 'Confirm passphrase: ');
+        if (passphrase !== confirm) {
+            console.error('Passphrases do not match.');
+            process.exitCode = 1;
+            return;
+        }
+        if (config.securityTier === SecurityTier.Enhanced) {
+            console.log('');
+            console.log('Note: Your 24-word recovery key will no longer be valid after this upgrade.');
+            console.log('Your passphrase becomes your only recovery factor.');
+            console.log('');
+        }
+    }
+    finally {
+        rl.close();
+    }
+    console.log('Deriving key with Argon2id (this may take a moment)...');
+    // Generate salt and derive wrapping key
+    const salt = randomBytes(16);
+    const { argon2Derive } = await import('../../crypto/index.js');
+    const wrappingKey = argon2Derive(passphrase, salt);
+    try {
+        // Encrypt master key with wrapping key using XChaCha20-Poly1305
+        const { aeadEncrypt } = await import('../../crypto/aead.js');
+        const aad = Buffer.from('chaoskb-master-key-wrap-v1');
+        const result = aeadEncrypt(wrappingKey.buffer, masterKey.buffer, aad);
+        // Write encrypted key blob
+        const blob = {
+            v: 1,
+            kdf: 'argon2id',
+            t: 3,
+            m: 65536,
+            p: 1,
+            salt: Buffer.from(salt).toString('hex'),
+            nonce: Buffer.from(result.nonce).toString('hex'),
+            ciphertext: Buffer.from(new Uint8Array([...result.ciphertext, ...result.tag])).toString('hex'),
+        };
+        const blobPath = path.join(CHAOSKB_DIR, 'master-key.enc');
+        // Write new protection BEFORE removing old
+        fs.writeFileSync(blobPath, JSON.stringify(blob, null, 2), { mode: 0o600 });
+        // Round-trip verification: decrypt the blob we just wrote to ensure it's valid
+        const { aeadDecrypt } = await import('../../crypto/aead.js');
+        try {
+            const verifyNonce = new Uint8Array(Buffer.from(blob.nonce, 'hex'));
+            const verifyCt = Buffer.from(blob.ciphertext, 'hex');
+            const verifyCiphertext = new Uint8Array(verifyCt.subarray(0, verifyCt.length - 16));
+            const verifyTag = new Uint8Array(verifyCt.subarray(verifyCt.length - 16));
+            const recovered = aeadDecrypt(wrappingKey.buffer, verifyNonce, verifyCiphertext, verifyTag, aad);
+            if (!Buffer.from(recovered).equals(masterKey.buffer)) {
+                throw new Error('Round-trip verification failed: decrypted key does not match original');
+            }
+        }
+        catch (err) {
+            // Verification failed — remove the corrupt blob and abort
+            try {
+                fs.unlinkSync(blobPath);
+            }
+            catch { /* ignore */ }
+            throw new Error(`Key encryption verification failed. Keyring entry NOT removed. ` +
+                `Error: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        // Verification passed — safe to remove master key from OS keyring
+        const { KeyringService } = await import('../../crypto/keyring.js');
+        const keyring = new KeyringService();
+        await keyring.delete('chaoskb', 'master-key');
+        // Also remove file-based key if it exists
+        const { FILE_KEY_PATH } = await import('../bootstrap.js');
+        try {
+            fs.unlinkSync(FILE_KEY_PATH);
+        }
+        catch {
+            // File may not exist
+        }
+        // Update config
+        config.securityTier = SecurityTier.Maximum;
+        await saveConfig(config);
+        console.log('');
+        console.log('Security tier upgraded to Maximum.');
+        console.log(`Encrypted key written to ${blobPath}`);
+        console.log('Your passphrase is now your only recovery factor.');
+    }
+    finally {
+        wrappingKey.dispose();
+    }
+}
+function pickRandomIndices(max, count) {
+    const indices = new Set();
+    while (indices.size < count) {
+        indices.add(Math.floor(Math.random() * max));
+    }
+    return [...indices].sort((a, b) => a - b);
+}
+//# sourceMappingURL=config.js.map

package/dist/cli/commands/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../cli/commands/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,MAAM,UAAU,GAAmB,CAAC,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;AAExG,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,UAAU,CAAC,OAAO,CAAC,IAAoB,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,MAAM,CAAC,EAAsB,EAAE,QAAgB;IACtD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,EAAE;YAC/B,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAAY,EAAE,OAA8B;IACnF,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,KAAK,CAAC;IACxC,uEAAuE;IACvE,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;YACxB,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,kBAAkB,IAAI,uBAAuB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC3E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAEpC,IAAI,WAAW,IAAI,YAAY,EAAE,CAAC;QAChC,OAAO,CAAC,KAAK,CAAC,eAAe,MAAM,CAAC,YAAY,mBAAmB,CAAC,CAAC;QACrE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,sCAAsC;IACtC,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,IAAI,cAAc,EAAE,CAAC;IACrC,IAAI,SAAS,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAEhE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,8BAA8B;QAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,MAAM,EAAE,CAAC;YAC/C,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAC1D,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3D,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;gBACvE,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC;QACD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;YAC7E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;IACH,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,0DAA0D,EAAE,MAAM,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QACnG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;QACnF,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;QACvE,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC1C,SAAS,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,gBAAgB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,SAAwD,EACxD,MAAsF;IAEtF,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAC;IAE/E,MAAM,QAAQ,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAElC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,4BAA4B;IAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,IAAI,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,KAAK,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACnF,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,iDAAiD;IACjD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACzC,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACtF,IAAI,CAAC;QACH,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,EAAE,EAAE,iBAAiB,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;YAC9D,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;gBACtD,OAAO,CAAC,KAAK,CAAC,6BAA6B,GAAG,GAAG,CAAC,WAAW,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC7E,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;gBACzC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;QACH,CAAC;IACH,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;IAED,gBAAgB;IAChB,MAAM,CAAC,YAAY,GAAG,YAAY,CAAC,QAAQ,CAAC;IAC5C,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC;IAEzB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;AAC7F,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,SAAwD,EACxD,MAAsF;IAEtF,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CAAC,qEAAqE,CAAC,CAAC;QACrF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACtF,IAAI,UAAkB,CAAC;IACvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,MAAM,CAAC,EAAE,EAAE,4CAA4C,CAAC,CAAC;QAC5E,IAAI,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC3B,OAAO,CAAC,KAAK,CAAC,qEAAqE,CAAC,CAAC;YACrF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,EAAE,EAAE,sBAAsB,CAAC,CAAC;QACzD,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;YAC3C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YACrB,OAAO;QACT,CAAC;QAED,IAAI,MAAM,CAAC,YAAY,KAAK,YAAY,CAAC,QAAQ,EAAE,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;YAC3F,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;YAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;IAEtE,wCAAwC;IACxC,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,YAAY,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAEnD,IAAI,CAAC;QACH,gEAAgE;QAChE,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,WAAW,CACxB,WAAW,CAAC,MAAM,EAClB,SAAS,CAAC,MAAM,EAChB,GAAG,CACJ,CAAC;QAEF,2BAA2B;QAC3B,MAAM,IAAI,GAAG;YACX,CAAC,EAAE,CAAC;YACJ,GAAG,EAAE,UAAU;YACf,CAAC,EAAE,CAAC;YACJ,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,CAAC;YACJ,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACvC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YAChD,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;SAC/F,CAAC;QAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;QAC1D,2CAA2C;QAC3C,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAE3E,+EAA+E;QAC/E,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;YACnE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YACrD,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;YACpF,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC;YAC1E,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,EAAE,gBAAgB,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;YACjG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;gBACrD,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;YAC3F,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,0DAA0D;YAC1D,IAAI,CAAC;gBAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YACvD,MAAM,IAAI,KAAK,CACb,iEAAiE;gBACjE,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7D,CAAC;QACJ,CAAC;QAED,kEAAkE;QAClE,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QACnE,MAAM,OAAO,GAAG,IAAI,cAAc,EAAE,CAAC;QACrC,MAAM,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAE9C,0CAA0C;QAC1C,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAC1D,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;QAED,gBAAgB;QAChB,MAAM,CAAC,YAAY,GAAG,YAAY,CAAC,OAAO,CAAC;QAC3C,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC;QAEzB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACnE,CAAC;YAAS,CAAC;QACT,WAAW,CAAC,OAAO,EAAE,CAAC;IACxB,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW,EAAE,KAAa;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,OAAO,OAAO,CAAC,IAAI,GAAG,KAAK,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5C,CAAC"}

package/dist/cli/commands/devices.d.ts

@@ -0,0 +1,21 @@
+/**
+ * `chaoskb-mcp devices add`
+ *
+ * On an existing device: generates a link code, sends its hash to the server,
+ * displays the code, then polls until the new device's public key arrives.
+ * When it does, wraps the master key with that key and uploads it.
+ */
+export declare function devicesAddCommand(): Promise<void>;
+/**
+ * `chaoskb-mcp devices list`
+ *
+ * Lists all registered devices for this tenant.
+ */
+export declare function devicesListCommand(): Promise<void>;
+/**
+ * `chaoskb-mcp devices remove <fingerprint>`
+ *
+ * Removes a device by fingerprint.
+ */
+export declare function devicesRemoveCommand(fingerprint: string): Promise<void>;
+//# sourceMappingURL=devices.d.ts.map

package/dist/cli/commands/devices.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"devices.d.ts","sourceRoot":"","sources":["../../../cli/commands/devices.ts"],"names":[],"mappings":"AAkFA;;;;;;GAMG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAiIvD;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC,CA2BxD;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAa7E"}

package/dist/cli/commands/devices.js

@@ -0,0 +1,229 @@
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { loadConfig } from './setup.js';
+const CHAOSKB_DIR = path.join(os.homedir(), '.chaoskb');
+/** Base62 alphabet for human-friendly codes. */
+const BASE62 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
+/** Generate a random base62 string of the given length. */
+function generateLinkCode(length) {
+    const bytes = crypto.randomBytes(length);
+    let code = '';
+    for (let i = 0; i < length; i++) {
+        code += BASE62[bytes[i] % 62];
+    }
+    return code;
+}
+/** SHA-256 hex digest of a string. */
+function hashCode(code) {
+    return crypto.createHash('sha256').update(code).digest('hex');
+}
+/**
+ * Helper to create an authenticated HTTP client for the sync server.
+ * Returns { client, endpoint } or exits with an error message.
+ */
+async function createSyncClient() {
+    const config = await loadConfig();
+    if (!config) {
+        console.error('ChaosKB is not set up. Run `chaoskb-mcp setup` first.');
+        process.exit(1);
+    }
+    if (!config.endpoint) {
+        console.error('Sync is not configured. Run `chaoskb-mcp setup-sync` first.');
+        process.exit(1);
+    }
+    const endpoint = config.endpoint.replace(/\/+$/, '');
+    const sshKeyPath = config.sshKeyPath ?? path.join(os.homedir(), '.ssh', 'id_ed25519');
+    const { SSHSigner } = await import('../../sync/ssh-signer.js');
+    const signer = new SSHSigner(sshKeyPath);
+    let sequence = 1;
+    const signedFetch = async (method, urlPath, body) => {
+        const seq = sequence++;
+        const result = await signer.signRequest(method, urlPath, seq, body);
+        const headers = {
+            Authorization: result.authorization,
+            'X-ChaosKB-Timestamp': result.timestamp,
+            'X-ChaosKB-Sequence': String(result.sequence),
+            'X-ChaosKB-PublicKey': result.publicKey,
+        };
+        if (body) {
+            headers['Content-Type'] = 'application/octet-stream';
+        }
+        return fetch(`${endpoint}${urlPath}`, {
+            method,
+            headers,
+            body: body ?? undefined,
+            signal: AbortSignal.timeout(30_000),
+        });
+    };
+    return { endpoint, signedFetch };
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * `chaoskb-mcp devices add`
+ *
+ * On an existing device: generates a link code, sends its hash to the server,
+ * displays the code, then polls until the new device's public key arrives.
+ * When it does, wraps the master key with that key and uploads it.
+ */
+export async function devicesAddCommand() {
+    const { signedFetch } = await createSyncClient();
+    // 1. Generate link code
+    const linkCode = generateLinkCode(10);
+    const codeHash = hashCode(linkCode);
+    // 2. Send hash to server
+    const body = JSON.stringify({ codeHash });
+    const bodyBytes = new TextEncoder().encode(body);
+    // Use a plain POST with JSON content type
+    const config = await loadConfig();
+    const endpoint = config.endpoint.replace(/\/+$/, '');
+    const sshKeyPath = config.sshKeyPath ?? path.join(os.homedir(), '.ssh', 'id_ed25519');
+    const { SSHSigner } = await import('../../sync/ssh-signer.js');
+    const signer = new SSHSigner(sshKeyPath);
+    let sequence = 1;
+    const makeSignedRequest = async (method, urlPath, reqBody) => {
+        const seq = sequence++;
+        const result = await signer.signRequest(method, urlPath, seq, reqBody);
+        const headers = {
+            Authorization: result.authorization,
+            'X-ChaosKB-Timestamp': result.timestamp,
+            'X-ChaosKB-Sequence': String(result.sequence),
+            'X-ChaosKB-PublicKey': result.publicKey,
+        };
+        if (reqBody) {
+            headers['Content-Type'] = 'application/json';
+        }
+        return fetch(`${endpoint}${urlPath}`, {
+            method,
+            headers,
+            body: reqBody ?? undefined,
+            signal: AbortSignal.timeout(30_000),
+        });
+    };
+    const createResp = await makeSignedRequest('POST', '/v1/link-code', bodyBytes);
+    if (!createResp.ok) {
+        const err = await createResp.text();
+        console.error(`Failed to create link code: ${createResp.status} ${err}`);
+        process.exit(1);
+    }
+    console.log('');
+    console.log(`  Link code: ${linkCode}  (expires in 5 minutes)`);
+    console.log('');
+    console.log('  On the new device, run:');
+    console.log(`    chaoskb-mcp devices confirm ${linkCode}`);
+    console.log('');
+    console.log('  Waiting for new device...');
+    // 3. Poll for new device's public key
+    const pollPath = `/v1/link-code/${encodeURIComponent(codeHash)}/status`;
+    const deadline = Date.now() + 5 * 60 * 1000;
+    let newPublicKey = null;
+    while (Date.now() < deadline) {
+        await sleep(5000);
+        const statusResp = await makeSignedRequest('GET', pollPath);
+        if (!statusResp.ok) {
+            console.error(`  Poll failed: ${statusResp.status}`);
+            continue;
+        }
+        const statusBody = await statusResp.json();
+        if (statusBody.status === 'ready' && statusBody.newPublicKey) {
+            newPublicKey = statusBody.newPublicKey;
+            break;
+        }
+        process.stderr.write('.');
+    }
+    if (!newPublicKey) {
+        console.error('\n  Timed out waiting for new device. Run the command again to generate a new code.');
+        process.exit(1);
+    }
+    console.log('\n  New device connected. Wrapping master key...');
+    // 4. Wrap master key with new device's public key and upload
+    const { parseSSHPublicKey } = await import('../../crypto/ssh-keys.js');
+    const { wrapMasterKey } = await import('../../crypto/tiers/standard.js');
+    const { KeyringService } = await import('../../crypto/keyring.js');
+    const keyring = new KeyringService();
+    const masterKey = await keyring.retrieve('chaoskb', 'master-key');
+    if (!masterKey) {
+        // Try file-based fallback
+        const fileKeyPath = path.join(CHAOSKB_DIR, 'master.key');
+        if (fs.existsSync(fileKeyPath)) {
+            const { SecureBuffer } = await import('../../crypto/secure-buffer.js');
+            const hex = fs.readFileSync(fileKeyPath, 'utf-8').trim();
+            const keyBuf = SecureBuffer.from(Buffer.from(hex, 'hex'));
+            const keyInfo = parseSSHPublicKey(newPublicKey);
+            const wrappedBlob = wrapMasterKey(keyBuf, keyInfo);
+            keyBuf.dispose();
+            const putResp = await makeSignedRequest('PUT', '/v1/wrapped-key', wrappedBlob);
+            if (!putResp.ok) {
+                console.error(`  Failed to upload wrapped key: ${putResp.status}`);
+                process.exit(1);
+            }
+        }
+        else {
+            console.error('  Master key not found. Cannot wrap key for new device.');
+            process.exit(1);
+        }
+    }
+    else {
+        const keyInfo = parseSSHPublicKey(newPublicKey);
+        const wrappedBlob = wrapMasterKey(masterKey, keyInfo);
+        masterKey.dispose();
+        const putResp = await makeSignedRequest('PUT', '/v1/wrapped-key', wrappedBlob);
+        if (!putResp.ok) {
+            console.error(`  Failed to upload wrapped key: ${putResp.status}`);
+            process.exit(1);
+        }
+    }
+    console.log('  Device linked successfully.');
+    console.log('');
+}
+/**
+ * `chaoskb-mcp devices list`
+ *
+ * Lists all registered devices for this tenant.
+ */
+export async function devicesListCommand() {
+    const { signedFetch } = await createSyncClient();
+    const resp = await signedFetch('GET', '/v1/devices');
+    if (!resp.ok) {
+        const err = await resp.text();
+        console.error(`Failed to list devices: ${resp.status} ${err}`);
+        process.exit(1);
+    }
+    const data = await resp.json();
+    console.log('');
+    console.log('  Registered devices');
+    console.log('  ==================');
+    console.log('');
+    if (data.devices.length === 0) {
+        console.log('  (none)');
+    }
+    else {
+        for (const device of data.devices) {
+            const date = new Date(device.registeredAt).toLocaleDateString();
+            console.log(`  Fingerprint: ${device.fingerprint}`);
+            console.log(`  Registered:  ${date}`);
+            console.log('');
+        }
+    }
+}
+/**
+ * `chaoskb-mcp devices remove <fingerprint>`
+ *
+ * Removes a device by fingerprint.
+ */
+export async function devicesRemoveCommand(fingerprint) {
+    const { signedFetch } = await createSyncClient();
+    const resp = await signedFetch('DELETE', `/v1/devices/${encodeURIComponent(fingerprint)}`);
+    if (!resp.ok) {
+        const err = await resp.text();
+        console.error(`Failed to remove device: ${resp.status} ${err}`);
+        process.exit(1);
+    }
+    console.log('');
+    console.log(`  Device ${fingerprint} removed.`);
+    console.log('');
+}
+//# sourceMappingURL=devices.js.map

package/dist/cli/commands/devices.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"devices.js","sourceRoot":"","sources":["../../../cli/commands/devices.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AAExD,gDAAgD;AAChD,MAAM,MAAM,GAAG,gEAAgE,CAAC;AAEhF,2DAA2D;AAC3D,SAAS,gBAAgB,CAAC,MAAc;IACtC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACzC,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sCAAsC;AACtC,SAAS,QAAQ,CAAC,IAAY;IAC5B,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAChE,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,gBAAgB;IAI7B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QACvE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QAC7E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;IAEtF,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,MAAM,WAAW,GAAG,KAAK,EAAE,MAAc,EAAE,OAAe,EAAE,IAAiB,EAAqB,EAAE;QAClG,MAAM,GAAG,GAAG,QAAQ,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAEpE,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,qBAAqB,EAAE,MAAM,CAAC,SAAS;YACvC,oBAAoB,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;YAC7C,qBAAqB,EAAE,MAAM,CAAC,SAAS;SACxC,CAAC;QAEF,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,CAAC,cAAc,CAAC,GAAG,0BAA0B,CAAC;QACvD,CAAC;QAED,OAAO,KAAK,CAAC,GAAG,QAAQ,GAAG,OAAO,EAAE,EAAE;YACpC,MAAM;YACN,OAAO;YACP,IAAI,EAAE,IAAI,IAAI,SAAS;YACvB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AACnC,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;IAEjD,wBAAwB;IACxB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEpC,yBAAyB;IACzB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAEjD,0CAA0C;IAC1C,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,QAAQ,GAAG,MAAO,CAAC,QAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,MAAO,CAAC,UAAU,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;IAEvF,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,MAAM,iBAAiB,GAAG,KAAK,EAAE,MAAc,EAAE,OAAe,EAAE,OAAoB,EAAqB,EAAE;QAC3G,MAAM,GAAG,GAAG,QAAQ,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAEvE,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,qBAAqB,EAAE,MAAM,CAAC,SAAS;YACvC,oBAAoB,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;YAC7C,qBAAqB,EAAE,MAAM,CAAC,SAAS;SACxC,CAAC;QAEF,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC/C,CAAC;QAED,OAAO,KAAK,CAAC,GAAG,QAAQ,GAAG,OAAO,EAAE,EAAE;YACpC,MAAM;YACN,OAAO;YACP,IAAI,EAAE,OAAO,IAAI,SAAS;YAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,eAAe,EAAE,SAAS,CAAC,CAAC;IAC/E,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,IAAI,EAAE,CAAC;QACpC,OAAO,CAAC,KAAK,CAAC,+BAA+B,UAAU,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,gBAAgB,QAAQ,0BAA0B,CAAC,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,mCAAmC,QAAQ,EAAE,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAE3C,sCAAsC;IACtC,MAAM,QAAQ,GAAG,iBAAiB,kBAAkB,CAAC,QAAQ,CAAC,SAAS,CAAC;IACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAC5C,IAAI,YAAY,GAAkB,IAAI,CAAC;IAEvC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC7B,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;QAElB,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CAAC,kBAAkB,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACrD,SAAS;QACX,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,IAAI,EAA+C,CAAC;QACxF,IAAI,UAAU,CAAC,MAAM,KAAK,OAAO,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;YAC7D,YAAY,GAAG,UAAU,CAAC,YAAY,CAAC;YACvC,MAAM;QACR,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,qFAAqF,CAAC,CAAC;QACrG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;IAEhE,6DAA6D;IAC7D,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,0BAA0B,CAAC,CAAC;IACvE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAC;IACzE,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;IAEnE,MAAM,OAAO,GAAG,IAAI,cAAc,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAClE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,0BAA0B;QAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;QACzD,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/B,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;YACvE,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YACzD,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;YAC1D,MAAM,OAAO,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;YAChD,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,CAAC,OAAO,EAAE,CAAC;YAEjB,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,CAAC;YAC/E,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,mCAAmC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;gBACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,WAAW,GAAG,aAAa,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACtD,SAAS,CAAC,OAAO,EAAE,CAAC;QAEpB,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAC/E,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,mCAAmC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;IAEjD,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;IACrD,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,2BAA2B,IAAI,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAA2F,CAAC;IAExH,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,kBAAkB,EAAE,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,WAAmB;IAC5D,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;IAEjD,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,eAAe,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3F,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,YAAY,WAAW,WAAW,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC"}

package/dist/cli/commands/export.d.ts

@@ -0,0 +1,12 @@
+export interface ExportOptions {
+    format: 'encrypted' | 'plaintext';
+    outputPath: string;
+    projectName?: string;
+}
+export declare function exportCommand(options: ExportOptions): Promise<void>;
+/**
+ * Sanitize a string for use as a filename.
+ * Removes characters not safe for filesystems and truncates to reasonable length.
+ */
+export declare function sanitizeFilename(name: string): string;
+//# sourceMappingURL=export.d.ts.map

package/dist/cli/commands/export.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"export.d.ts","sourceRoot":"","sources":["../../../cli/commands/export.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,WAAW,GAAG,WAAW,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAUD,wBAAsB,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAsBzE;AA0KD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQrD"}