@fusionkit/cli 0.1.0

package/dist/commands/fusion.js

@@ -0,0 +1,112 @@
+import { resolve } from "node:path";
+import { FUSION_TOOLS, pickTool, runFusion } from "../fusion-quickstart.js";
+import { collect, parseFusionTool, parseIdValue, parsePanelModelSpec, parsePort } from "../shared/options.js";
+/** Attach the panel/gateway flags shared by `fusion` and the per-tool launchers. */
+function applyFusionOptions(command) {
+    return command
+        .option("--model <spec>", "panel model ID=MODEL or ID=PROVIDER:MODEL (repeatable)", collect)
+        .option("--models <spec>", "alias of --model", collect)
+        .option("--model-endpoint <spec>", "pre-running OpenAI-compatible endpoint ID=URL (repeatable)", collect)
+        .option("--key-env <spec>", "env var holding a model's API key ID=ENV (repeatable)", collect)
+        .option("--judge-model <model>", "model used for judge synthesis")
+        .option("--synthesis-url <url>", "pre-running fusionkit serve for synthesis")
+        .option("--fusionkit-dir <dir>", "local FusionKit checkout (dev override for the uvx synthesizer)")
+        .option("--repo <dir>", "coding workspace the panel fuses over")
+        .option("--cursor-kit-dir <dir>", "built Cursorkit checkout for the cursor tool")
+        .option("--local", "use the local MLX panel trio instead of the default cloud panel")
+        .option("--observe", "boot the local scope dashboard and stream live trace events")
+        .option("--auth-token <token>", "require a bearer token on the gateway")
+        .option("--port <n>", "gateway port (default: ephemeral)")
+        .allowUnknownOption()
+        .passThroughOptions();
+}
+/** Build the `RunFusionOptions` shared by every entrypoint from parsed flags. */
+function resolveOptions(opts) {
+    const options = {};
+    const keyEnvs = {};
+    for (const spec of opts.keyEnv ?? []) {
+        const { id, value } = parseIdValue("--key-env", spec);
+        keyEnvs[id] = value;
+    }
+    if (opts.judgeModel !== undefined)
+        options.judgeModel = opts.judgeModel;
+    if (opts.synthesisUrl !== undefined)
+        options.synthesisUrl = opts.synthesisUrl;
+    if (opts.fusionkitDir !== undefined)
+        options.fusionkitDir = resolve(opts.fusionkitDir);
+    if (opts.repo !== undefined)
+        options.repo = resolve(opts.repo);
+    if (opts.cursorKitDir !== undefined)
+        options.cursorKitDir = resolve(opts.cursorKitDir);
+    if (opts.local === true)
+        options.local = true;
+    if (opts.observe === true)
+        options.observe = true;
+    if (opts.authToken !== undefined)
+        options.authToken = opts.authToken;
+    if (opts.port !== undefined)
+        options.port = parsePort(opts.port, 0);
+    const fusionkitDirEnv = process.env.FUSIONKIT_DIR ?? process.env.WARRANT_FUSIONKIT_DIR;
+    if (options.fusionkitDir === undefined && fusionkitDirEnv !== undefined) {
+        options.fusionkitDir = resolve(fusionkitDirEnv);
+    }
+    const modelSpecs = [...(opts.model ?? []), ...(opts.models ?? [])];
+    if (modelSpecs.length > 0) {
+        options.models = modelSpecs.map((spec) => parsePanelModelSpec(spec, keyEnvs));
+    }
+    const endpointSpecs = opts.modelEndpoint ?? [];
+    if (endpointSpecs.length > 0) {
+        const endpoints = {};
+        for (const spec of endpointSpecs) {
+            const { id, value } = parseIdValue("--model-endpoint", spec);
+            endpoints[id] = value;
+        }
+        options.endpoints = endpoints;
+        // Pre-running endpoints define the panel; ignore any --model specs.
+        options.models = Object.keys(endpoints).map((id) => ({
+            id,
+            model: id,
+            provider: "openai-compatible"
+        }));
+    }
+    return options;
+}
+export function registerFusion(program) {
+    // Generic `fusion [tool]` — keeps the original surface and interactive pick.
+    applyFusionOptions(program
+        .command("fusion")
+        .description("one command: real model fusion backs a coding agent")
+        .argument("[tool]", `${FUSION_TOOLS.join(" | ")} (omit on a TTY to pick interactively)`)
+        .argument("[args...]", "arguments forwarded to the tool")
+        .option("--tool <tool>", `coding agent to launch (${FUSION_TOOLS.join(" | ")})`))
+        .addHelpText("after", "\nfusionkit's own flags must precede the tool name; everything after the tool is forwarded to it.")
+        .action(async (positionalTool, args, opts) => {
+        let tool = opts.tool ? parseFusionTool(opts.tool) : undefined;
+        let toolArgs = [...args];
+        if (positionalTool !== undefined) {
+            if (tool === undefined && FUSION_TOOLS.includes(positionalTool)) {
+                tool = positionalTool;
+            }
+            else {
+                toolArgs = [positionalTool, ...toolArgs];
+            }
+        }
+        const options = resolveOptions(opts);
+        const resolvedTool = tool ?? (process.stdin.isTTY ? await pickTool() : "codex");
+        const code = await runFusion(resolvedTool, toolArgs, options);
+        process.exit(code);
+    });
+    // Top-level shortcuts: `fusionkit codex`, `fusionkit claude`, etc.
+    for (const tool of FUSION_TOOLS) {
+        applyFusionOptions(program
+            .command(tool)
+            .description(`real model fusion backs ${tool === "serve" ? "any tool (prints setup snippets)" : tool}`)
+            .argument("[args...]", `arguments forwarded to ${tool}`))
+            .addHelpText("after", `\nfusionkit's own flags must precede any ${tool} args; everything after is forwarded to ${tool}.`)
+            .action(async (args, opts) => {
+            const options = resolveOptions(opts);
+            const code = await runFusion(tool, args, options);
+            process.exit(code);
+        });
+    }
+}

package/dist/commands/init.d.ts

@@ -0,0 +1,2 @@
+import type { Command } from "commander";
+export declare function registerInit(program: Command): void;

package/dist/commands/init.js

@@ -0,0 +1,24 @@
+import { join } from "node:path";
+import { initHome } from "../config.js";
+import { resolveDir } from "../shared/plane.js";
+export function registerInit(program) {
+    program
+        .command("init")
+        .description("initialize org keys, config, policy")
+        .option("--port <n>", "plane port")
+        .option("--host <host>", "plane bind host")
+        .option("--plane-url <url>", "public plane URL for clients and runners")
+        .action((opts) => {
+        const dir = resolveDir(program.opts().dir);
+        const home = initHome(dir, {
+            ...(opts.port ? { port: Number(opts.port) } : {}),
+            ...(opts.host ? { host: opts.host } : {}),
+            ...(opts.planeUrl ? { planeUrl: opts.planeUrl } : {})
+        });
+        console.log(`initialized warrant home at ${home.dir}`);
+        console.log(`plane url: ${home.config.planeUrl}`);
+        console.log(`policy: ${join(home.dir, "policy.json")}`);
+        console.log(`enroll token (for runners): ${home.config.enrollToken}`);
+        console.log(`admin token (for the control panel): ${home.config.adminToken}`);
+    });
+}

package/dist/commands/lifecycle.d.ts

@@ -0,0 +1,2 @@
+import type { Command } from "commander";
+export declare function registerLifecycle(program: Command): void;

package/dist/commands/lifecycle.js

@@ -0,0 +1,124 @@
+import { readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { verifyReceiptBundle } from "@fusionkit/protocol";
+import { pullRun } from "@fusionkit/workspace";
+import { loadHome } from "../config.js";
+import { renderReceipt, renderRunList } from "../render.js";
+import { clientFor, resolveDir, waitForTerminal } from "../shared/plane.js";
+export function registerLifecycle(program) {
+    const dirOf = () => resolveDir(program.opts().dir);
+    program
+        .command("runs")
+        .description("list runs")
+        .action(async () => {
+        const { runs } = await clientFor(dirOf()).listRuns();
+        console.log(renderRunList(runs));
+    });
+    program
+        .command("approve <runId>")
+        .description("grant required consent")
+        .action(async (runId) => {
+        const dir = dirOf();
+        const home = loadHome(dir);
+        const result = await clientFor(dir).approve(runId, {
+            kind: "human",
+            id: home.config.requestedBy
+        });
+        console.log(`run ${result.runId} [${result.status}]`);
+    });
+    program
+        .command("cancel <runId>")
+        .description("cancel an unclaimed run")
+        .action(async (runId) => {
+        const dir = dirOf();
+        const home = loadHome(dir);
+        const result = await clientFor(dir).cancel(runId, {
+            kind: "human",
+            id: home.config.requestedBy
+        });
+        console.log(`run ${result.runId} [${result.status}]`);
+    });
+    program
+        .command("watch <runId>")
+        .description("stream run status")
+        .action(async (runId) => {
+        const status = await waitForTerminal(clientFor(dirOf()), runId, (s) => console.log(s));
+        console.log(`final: ${status}`);
+    });
+    program
+        .command("receipt <runId>")
+        .description("one screen, five questions")
+        .action(async (runId) => {
+        console.log(renderReceipt(await clientFor(dirOf()).getBundle(runId)));
+    });
+    program
+        .command("bundle <runId>")
+        .description("save offline-verifiable bundle")
+        .option("--out <file>", "output path")
+        .action(async (runId, opts) => {
+        const bundle = await clientFor(dirOf()).getBundle(runId);
+        const out = opts.out ?? `${runId}.bundle.json`;
+        writeFileSync(out, JSON.stringify(bundle, null, 2));
+        console.log(`bundle written to ${out}`);
+    });
+    program
+        .command("verify <file>")
+        .description("verify a bundle offline")
+        .action((file) => {
+        const bundle = JSON.parse(readFileSync(file, "utf8"));
+        const result = verifyReceiptBundle(bundle);
+        if (result.ok) {
+            console.log("VERIFIED: signatures, event chain, and linkage all check out");
+            return;
+        }
+        console.error("VERIFICATION FAILED:");
+        for (const problem of result.problems)
+            console.error(`  - ${problem}`);
+        process.exit(1);
+    });
+    program
+        .command("pull <runId>")
+        .description("divergence-safe pull of results")
+        .option("--repo <dir>", "workspace repository", ".")
+        .action(async (runId, opts) => {
+        const client = clientFor(dirOf());
+        const bundle = await client.getBundle(runId);
+        const diffHash = bundle.receipt.workspaceOut.diffHash;
+        if (!diffHash) {
+            console.log("run produced no workspace changes; nothing to pull");
+            return;
+        }
+        const diff = await client.getBlob(diffHash);
+        const result = pullRun(resolve(opts.repo), runId, bundle.contract.workspace.baseRef, diff);
+        switch (result.mode) {
+            case "applied":
+                console.log("applied run output to the working tree (clean fast path)");
+                break;
+            case "branch":
+                console.log(`local workspace diverged from the contract base; results are on branch ${result.branch}`);
+                break;
+            case "empty":
+                console.log("run produced no workspace changes; nothing to pull");
+                break;
+            default: {
+                const exhausted = result;
+                throw new Error(`unreachable: ${String(exhausted)}`);
+            }
+        }
+    });
+    program
+        .command("export")
+        .description("audit JSONL export")
+        .option("--since <iso>", "only export events at or after this timestamp")
+        .action(async (opts) => {
+        process.stdout.write(await clientFor(dirOf()).exportJsonl(opts.since));
+    });
+    program
+        .command("ui")
+        .description("control panel URL and login token")
+        .action(() => {
+        const home = loadHome(dirOf());
+        console.log(`control panel: ${home.config.planeUrl}/ui/`);
+        console.log(`login token:   ${home.config.adminToken}`);
+    });
+}

package/dist/commands/local.d.ts

@@ -0,0 +1,2 @@
+import type { Command } from "commander";
+export declare function registerLocal(program: Command): void;

package/dist/commands/local.js

@@ -0,0 +1,25 @@
+import { LOCAL_TOOLS, runLocal } from "../local.js";
+import { fail } from "../shared/errors.js";
+export function registerLocal(program) {
+    program
+        .command("local")
+        .description("back a vendor agent with a local model")
+        .argument("[tool]", `${LOCAL_TOOLS.join(" | ")}`)
+        .argument("[args...]", "arguments forwarded to the tool")
+        .option("--public-url <url>", "public tunnel URL for Cursor (or WARRANT_PUBLIC_URL)")
+        .option("--auth-token <token>", "require a bearer token on the gateway")
+        .allowUnknownOption()
+        .passThroughOptions()
+        .addHelpText("after", "\nwarrant's own flags must precede the tool name; everything after the tool is forwarded to it.")
+        .action(async (tool, args, opts) => {
+        if (tool === undefined || !LOCAL_TOOLS.includes(tool)) {
+            fail(`usage: warrant local <${LOCAL_TOOLS.join(" | ")}> [args...]`);
+        }
+        const options = {
+            ...(opts.publicUrl !== undefined ? { publicUrl: opts.publicUrl } : {}),
+            ...(opts.authToken !== undefined ? { authToken: opts.authToken } : {})
+        };
+        const code = await runLocal(tool, args, options);
+        process.exit(code);
+    });
+}

package/dist/commands/plane.d.ts

@@ -0,0 +1,2 @@
+import type { Command } from "commander";
+export declare function registerPlane(program: Command): void;

package/dist/commands/plane.js

@@ -0,0 +1,30 @@
+import { join } from "node:path";
+import { Plane, startPlaneServer } from "@fusionkit/plane";
+import { loadHome, secretStoreFor } from "../config.js";
+import { resolveDir } from "../shared/plane.js";
+export function registerPlane(program) {
+    const plane = program.command("plane").description("control plane + control panel");
+    plane
+        .command("start")
+        .description("start the control plane + control panel")
+        .option("--port <n>", "bind port")
+        .option("--host <host>", "bind host")
+        .action(async (opts) => {
+        const dir = resolveDir(program.opts().dir);
+        const home = loadHome(dir);
+        const planeInstance = new Plane({
+            dataDir: join(dir, "data"),
+            policy: home.policy,
+            planePrivateKeyPem: home.planePrivateKeyPem,
+            planePublicKeyPem: home.planePublicKeyPem,
+            adminToken: home.config.adminToken,
+            enrollToken: home.config.enrollToken,
+            secretStore: secretStoreFor(home)
+        });
+        const port = opts.port ? Number(opts.port) : home.config.port;
+        const host = opts.host ?? home.config.host;
+        const started = await startPlaneServer(planeInstance, { port, host });
+        console.log(`warrant plane listening on http://${started.host}:${started.port}`);
+        console.log(`control panel: http://${started.host}:${started.port}/ui/`);
+    });
+}

package/dist/commands/run.d.ts

@@ -0,0 +1,2 @@
+import type { Command } from "commander";
+export declare function registerRun(program: Command): void;

package/dist/commands/run.js

@@ -0,0 +1,149 @@
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { agents, handoff, targets } from "@fusionkit/handoff";
+import { AGENT_KINDS } from "@fusionkit/protocol";
+import { captureWorkspace } from "@fusionkit/workspace";
+import { loadHome } from "../config.js";
+import { renderDisclosure, renderReceipt, renderTrace } from "../render.js";
+import { fail } from "../shared/errors.js";
+import { collect, isolationFlag } from "../shared/options.js";
+import { CONTINUE_WAIT_TIMEOUT_MS, clientFor, resolveDir, waitForTerminal } from "../shared/plane.js";
+function agentSpecFor(kind) {
+    switch (kind) {
+        case "claude-code":
+            return agents.claudeCode();
+        case "codex":
+            return agents.codex();
+        case "pi":
+            return agents.pi();
+        case "mock":
+            return agents.mock();
+        case "command":
+            return agents.command();
+        default:
+            fail(`unknown agent kind "${kind}" (expected ${AGENT_KINDS.join(" | ")})`);
+    }
+}
+function addRunOptions(cmd) {
+    return cmd
+        .option("--agent <kind>", `agent kind (${AGENT_KINDS.join(" | ")})`)
+        .option("--pool <pool>", "runner pool", "default")
+        .option("--secret <name>", "release a secret into the session (repeatable)", collect)
+        .option("--allow-host <host>", "allow egress to host (repeatable)", collect)
+        .option("--allow-untracked <glob>", "include untracked files matching glob (repeatable)", collect)
+        .option("--repo <dir>", "workspace repository", ".")
+        .option("--isolation <tier>", "session isolation: process | hermetic | vercel-sandbox")
+        .option("--dry-run", "show what would move; move nothing")
+        .option("--no-watch", "do not wait for completion");
+}
+export function registerRun(program) {
+    addRunOptions(program
+        .command("run")
+        .description("request a governed run")
+        .argument("[task...]", "task prompt")).action(async (task, opts) => {
+        const dir = resolveDir(program.opts().dir);
+        if (!opts.agent)
+            fail(`--agent is required (${AGENT_KINDS.join(" | ")})`);
+        const prompt = task.join(" ").trim();
+        if (!prompt)
+            fail("a task prompt is required");
+        const home = loadHome(dir);
+        const client = clientFor(dir);
+        const repoDir = resolve(opts.repo);
+        const captured = captureWorkspace(repoDir, {
+            allowUntracked: opts.allowUntracked ?? []
+        });
+        const isolation = isolationFlag(opts.isolation);
+        const request = {
+            requestedBy: { kind: "human", id: home.config.requestedBy },
+            agentKind: opts.agent,
+            prompt,
+            pool: opts.pool,
+            secretNames: opts.secret ?? [],
+            workspace: captured.manifest,
+            network: {
+                defaultDeny: home.policy.network.defaultDeny,
+                allowHosts: opts.allowHost ?? []
+            },
+            budget: {},
+            disclosure: "minimal-context",
+            ...(isolation ? { isolation } : {})
+        };
+        if (opts.dryRun) {
+            const report = await client.dryRun(request);
+            console.log(renderDisclosure(report));
+            return;
+        }
+        await client.putBlob(captured.bundle);
+        if (captured.dirtyDiff)
+            await client.putBlob(captured.dirtyDiff);
+        for (const file of captured.untracked)
+            await client.putBlob(file.content);
+        const created = await client.requestRun(request);
+        console.log(`run ${created.runId} [${created.status}]`);
+        if (!opts.watch)
+            return;
+        const status = await waitForTerminal(client, created.runId, (s) => console.log(`  ${s}`));
+        if (status === "completed" || status === "failed") {
+            const bundle = await client.getBundle(created.runId);
+            console.log("");
+            console.log(renderReceipt(bundle));
+        }
+    });
+    addRunOptions(program
+        .command("continue")
+        .description("hand local work to a governed runner")
+        .argument("[task...]", "task prompt"))
+        .option("--transcript <file>", "carry a session transcript as semantic state")
+        .option("--reason <text>", "why the runtime boundary changes")
+        .action(async (task, opts) => {
+        const dir = resolveDir(program.opts().dir);
+        if (!opts.agent)
+            fail(`--agent is required (${AGENT_KINDS.join(" | ")})`);
+        const prompt = task.join(" ").trim();
+        if (!prompt)
+            fail("a task prompt is required");
+        const home = loadHome(dir);
+        const repoDir = resolve(opts.repo);
+        const target = targets.pool(opts.pool);
+        const transcript = opts.transcript ? readFileSync(opts.transcript, "utf8") : undefined;
+        const h = handoff({
+            workspace: repoDir,
+            plane: { url: home.config.planeUrl, adminToken: home.config.adminToken },
+            actor: { kind: "human", id: home.config.requestedBy },
+            agent: agentSpecFor(opts.agent),
+            secrets: opts.secret ?? [],
+            allowHosts: opts.allowHost ?? [],
+            allowUntracked: opts.allowUntracked ?? []
+        });
+        const isolation = isolationFlag(opts.isolation);
+        const continueOptions = {
+            task: prompt,
+            ...(opts.reason ? { reason: opts.reason } : {}),
+            ...(transcript !== undefined ? { transcript } : {}),
+            ...(isolation ? { session: isolation } : {})
+        };
+        if (opts.dryRun) {
+            const { report } = await h.dryRun(target, continueOptions);
+            console.log(renderDisclosure(report));
+            return;
+        }
+        const run = await h.continueIn(target, continueOptions);
+        console.log(`continuation ${run.envelope.envelopeId} → ${target.id} as run ${run.runId}`);
+        if (!opts.watch)
+            return;
+        const outcome = await run.wait({ timeoutMs: CONTINUE_WAIT_TIMEOUT_MS });
+        if (outcome.status === "awaiting_approval") {
+            console.log(`awaiting approval (${outcome.consentRequirements.join("; ")}) — run: warrant approve ${run.runId}`);
+            return;
+        }
+        console.log("");
+        console.log(renderTrace(h.trace()));
+        if (outcome.status === "completed" || outcome.status === "failed") {
+            console.log("");
+            console.log(renderReceipt(await run.receipt()));
+            console.log("");
+            console.log(`pull results: warrant pull ${run.runId}`);
+        }
+    });
+}

package/dist/commands/runner.d.ts

@@ -0,0 +1,2 @@
+import type { Command } from "commander";
+export declare function registerRunner(program: Command): void;

package/dist/commands/runner.js

@@ -0,0 +1,33 @@
+import { resolve } from "node:path";
+import { Runner } from "@fusionkit/runner";
+import { loadHome } from "../config.js";
+import { resolveDir } from "../shared/plane.js";
+export function registerRunner(program) {
+    const runner = program.command("runner").description("outbound-only execution runner");
+    runner
+        .command("start")
+        .description("start an outbound-only runner")
+        .option("--pool <pool>", "runner pool", "default")
+        .option("--plane <url>", "plane URL")
+        .option("--enroll-token <token>", "enrollment token")
+        .option("--data-dir <dir>", "runner data directory")
+        .action(async (opts) => {
+        const dir = resolveDir(program.opts().dir);
+        let planeUrl = opts.plane;
+        let enrollToken = opts.enrollToken;
+        if (!planeUrl || !enrollToken) {
+            const home = loadHome(dir);
+            planeUrl = planeUrl ?? home.config.planeUrl;
+            enrollToken = enrollToken ?? home.config.enrollToken;
+        }
+        const instance = new Runner({
+            planeUrl,
+            pool: opts.pool,
+            dataDir: resolve(opts.dataDir ?? ".warrant-runner"),
+            enrollToken
+        });
+        const identity = await instance.ensureEnrolled();
+        console.log(`runner ${identity.runnerId} polling pool "${identity.pool}" (outbound-only)`);
+        await instance.start();
+    });
+}

package/dist/commands/secrets.d.ts

@@ -0,0 +1,2 @@
+import type { Command } from "commander";
+export declare function registerSecrets(program: Command): void;

package/dist/commands/secrets.js

@@ -0,0 +1,21 @@
+import { loadHome, secretStoreFor } from "../config.js";
+import { resolveDir } from "../shared/plane.js";
+export function registerSecrets(program) {
+    const secrets = program.command("secrets").description("org secret store");
+    secrets
+        .command("set <name> <value>")
+        .description("store a secret in the org store")
+        .action((name, value) => {
+        const home = loadHome(resolveDir(program.opts().dir));
+        secretStoreFor(home).set(name, value);
+        console.log(`secret "${name}" stored (value encrypted at rest)`);
+    });
+    secrets
+        .command("list")
+        .description("list stored secret names")
+        .action(() => {
+        const home = loadHome(resolveDir(program.opts().dir));
+        const names = secretStoreFor(home).names();
+        console.log(names.length > 0 ? names.join("\n") : "no secrets stored");
+    });
+}

package/dist/config.d.ts

@@ -0,0 +1,30 @@
+import { SecretStore } from "@fusionkit/plane";
+import type { MasterKey } from "@fusionkit/plane";
+import type { Policy } from "@fusionkit/protocol";
+export type CliConfig = {
+    version: "warrant.config.v2";
+    planeUrl: string;
+    port: number;
+    /** Bind address for `plane start`. Loopback by default. */
+    host: string;
+    adminToken: string;
+    enrollToken: string;
+    requestedBy: string;
+};
+export type WarrantHome = {
+    dir: string;
+    config: CliConfig;
+    policy: Policy;
+    master: MasterKey;
+    planePublicKeyPem: string;
+    planePrivateKeyPem: string;
+};
+export type InitOptions = {
+    port?: number;
+    host?: string;
+    /** Public URL clients and runners should use to reach the plane. */
+    planeUrl?: string;
+};
+export declare function initHome(dir: string, options?: InitOptions): WarrantHome;
+export declare function loadHome(dir: string): WarrantHome;
+export declare function secretStoreFor(home: WarrantHome): SecretStore;

package/dist/config.js

@@ -0,0 +1,69 @@
+import { randomBytes } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { defaultPolicy, FileKeyProvider, resolveMasterKey, SecretStore } from "@fusionkit/plane";
+/** Defaults for `warrant init`; flags (--port/--host) override them. */
+const DEFAULT_PLANE_PORT = 7172;
+const DEFAULT_PLANE_HOST = "127.0.0.1";
+function masterKeyPath(dir) {
+    return join(dir, "master.key");
+}
+function keyProvider(dir, master) {
+    return new FileKeyProvider(master, join(dir, "keys", "plane.pub.pem"), join(dir, "keys", "plane.key.enc"));
+}
+export function initHome(dir, options = {}) {
+    mkdirSync(join(dir, "keys"), { recursive: true });
+    const configPath = join(dir, "config.json");
+    if (existsSync(configPath)) {
+        throw new Error(`already initialized: ${configPath} exists`);
+    }
+    const port = options.port ?? DEFAULT_PLANE_PORT;
+    const host = options.host ?? DEFAULT_PLANE_HOST;
+    const config = {
+        version: "warrant.config.v2",
+        planeUrl: options.planeUrl ?? `http://${DEFAULT_PLANE_HOST}:${port}`,
+        port,
+        host,
+        adminToken: randomBytes(32).toString("base64url"),
+        enrollToken: randomBytes(32).toString("base64url"),
+        requestedBy: process.env.USER ?? "operator"
+    };
+    // Master key: WARRANT_MASTER_KEY if set, otherwise a generated 0600 key
+    // file. Config holds no key material, so config alone decrypts nothing.
+    const master = resolveMasterKey(masterKeyPath(dir), { createIfMissing: true });
+    writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+    const policy = defaultPolicy();
+    writeFileSync(join(dir, "policy.json"), JSON.stringify(policy, null, 2));
+    const pair = keyProvider(dir, master).ensure();
+    return {
+        dir,
+        config,
+        policy,
+        master,
+        planePublicKeyPem: pair.publicKeyPem,
+        planePrivateKeyPem: pair.privateKeyPem
+    };
+}
+export function loadHome(dir) {
+    const configPath = join(dir, "config.json");
+    if (!existsSync(configPath)) {
+        throw new Error(`not initialized: run "warrant init" first (missing ${configPath})`);
+    }
+    const config = JSON.parse(readFileSync(configPath, "utf8"));
+    if (!config.host)
+        config.host = "127.0.0.1";
+    const policy = JSON.parse(readFileSync(join(dir, "policy.json"), "utf8"));
+    const master = resolveMasterKey(masterKeyPath(dir));
+    const pair = keyProvider(dir, master).getOrgKeyPair();
+    return {
+        dir,
+        config,
+        policy,
+        master,
+        planePublicKeyPem: pair.publicKeyPem,
+        planePrivateKeyPem: pair.privateKeyPem
+    };
+}
+export function secretStoreFor(home) {
+    return new SecretStore(join(home.dir, "secrets.enc"), home.master);
+}