@getaegis/cli 0.8.0 → 0.9.0

package/dist/cli/commands/user.js

@@ -0,0 +1,150 @@
+/**
+ * User commands: add, list, remove, role, regenerate-token.
+ */
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { UserRegistry } from '../../user/index.js';
+import { deriveKey } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime, validateEnum, validateIdentifier } from '../validation.js';
+export function register(program) {
+    const userCmd = program.command('user').description('Manage users and roles (RBAC)');
+    userCmd
+        .command('add')
+        .description('Add a new user with a role')
+        .requiredOption('-n, --name <name>', 'Unique username')
+        .requiredOption('-r, --role <role>', 'Role: admin, operator, or viewer')
+        .action((opts) => {
+        // ── Validate CLI flags ──
+        validateIdentifier(opts.name, 'username');
+        const validatedRole = validateEnum(opts.role, ['admin', 'operator', 'viewer'], 'role');
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:write');
+        const registry = new UserRegistry(db, key);
+        try {
+            const user = registry.add({
+                name: opts.name,
+                role: validatedRole,
+            });
+            console.log(`\n✓ User added to Aegis\n`);
+            console.log(`  Name:   ${user.name}`);
+            console.log(`  Role:   ${user.role}`);
+            console.log(`  Prefix: ${user.tokenPrefix}`);
+            console.log(`\n  API Key (shown ONCE — save it now):`);
+            console.log(`  ${user.token}\n`);
+            console.log(`  Use AEGIS_USER_TOKEN=<key> to authenticate CLI commands.\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    userCmd
+        .command('list')
+        .description('List all users')
+        .action(() => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:read');
+        const registry = new UserRegistry(db, key);
+        const users = registry.list();
+        if (users.length === 0) {
+            console.log('\n  No users registered. Use `aegis user add` to create one.\n');
+        }
+        else {
+            console.log(`\n  Users (${users.length}):\n`);
+            for (const u of users) {
+                console.log(`    ${u.name} [${u.role}] — prefix: ${u.tokenPrefix} — created: ${localTime(u.createdAt)}`);
+            }
+            console.log('');
+        }
+        db.close();
+    });
+    userCmd
+        .command('remove')
+        .description('Remove a user')
+        .requiredOption('-n, --name <name>', 'Username to remove')
+        .option('--confirm', 'Skip confirmation')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:write');
+        const registry = new UserRegistry(db, key);
+        if (!opts.confirm) {
+            console.error(`\n✗ Add --confirm to permanently remove user "${opts.name}"\n`);
+            process.exit(1);
+        }
+        const removed = registry.remove(opts.name);
+        if (removed) {
+            console.log(`\n✓ User "${opts.name}" removed\n`);
+        }
+        else {
+            console.error(`\n✗ No user found with name "${opts.name}"\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    userCmd
+        .command('role')
+        .description("Update a user's role")
+        .requiredOption('-n, --name <name>', 'Username to update')
+        .requiredOption('-r, --role <role>', 'New role: admin, operator, or viewer')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:write');
+        const registry = new UserRegistry(db, key);
+        const validRoles = ['admin', 'operator', 'viewer'];
+        if (!validRoles.includes(opts.role)) {
+            console.error(`\n✗ Invalid role "${opts.role}". Must be one of: ${validRoles.join(', ')}\n`);
+            process.exit(1);
+        }
+        try {
+            const updated = registry.updateRole({
+                name: opts.name,
+                role: opts.role,
+            });
+            console.log(`\n✓ User "${updated.name}" role updated to "${updated.role}"\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+        db.close();
+    });
+    userCmd
+        .command('regenerate-token')
+        .description("Regenerate a user's API key (invalidates the old one)")
+        .requiredOption('-n, --name <name>', 'Username')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'user:write');
+        const registry = new UserRegistry(db, key);
+        const result = registry.regenerateToken(opts.name);
+        if (!result) {
+            console.error(`\n✗ No user found with name "${opts.name}"\n`);
+            process.exit(1);
+        }
+        console.log(`\n✓ Token regenerated for "${result.name}"\n`);
+        console.log(`  New API Key (shown ONCE — save it now):`);
+        console.log(`  ${result.token}\n`);
+        console.log(`  The previous key is now invalid.\n`);
+        db.close();
+    });
+}
+//# sourceMappingURL=user.js.map

package/dist/cli/commands/user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.js","sourceRoot":"","sources":["../../../src/cli/commands/user.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAE/E,MAAM,UAAU,QAAQ,CAAC,OAAgB;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,WAAW,CAAC,+BAA+B,CAAC,CAAC;IAErF,OAAO;SACJ,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,4BAA4B,CAAC;SACzC,cAAc,CAAC,mBAAmB,EAAE,iBAAiB,CAAC;SACtD,cAAc,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;SACvE,MAAM,CAAC,CAAC,IAAoC,EAAE,EAAE;QAC/C,2BAA2B;QAC3B,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC1C,MAAM,aAAa,GAAG,YAAY,CAChC,IAAI,CAAC,IAAI,EACT,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAU,EACxC,MAAM,CACP,CAAC;QAEF,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC;gBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,aAAa;aACpB,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;QAC9E,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,gBAAgB,CAAC;SAC7B,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAChF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,CAAC,MAAM,MAAM,CAAC,CAAC;YAC9C,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CACT,OAAO,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,eAAe,CAAC,CAAC,WAAW,eAAe,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAC5F,CAAC;YACJ,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,eAAe,CAAC;SAC5B,cAAc,CAAC,mBAAmB,EAAE,oBAAoB,CAAC;SACzD,MAAM,CAAC,WAAW,EAAE,mBAAmB,CAAC;SACxC,MAAM,CAAC,CAAC,IAAyC,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,iDAAiD,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;YAC/E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,IAAI,aAAa,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,gCAAgC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;YAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,sBAAsB,CAAC;SACnC,cAAc,CAAC,mBAAmB,EAAE,oBAAoB,CAAC;SACzD,cAAc,CAAC,mBAAmB,EAAE,sCAAsC,CAAC;SAC3E,MAAM,CAAC,CAAC,IAAoC,EAAE,EAAE;QAC/C,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,MAAM,UAAU,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,KAAK,CACX,qBAAqB,IAAI,CAAC,IAAI,sBAAsB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAC9E,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,IAAI,CAAC,IAAuC;aACnD,CAAC,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,IAAI,sBAAsB,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC;QAChF,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,kBAAkB,CAAC;SAC3B,WAAW,CAAC,uDAAuD,CAAC;SACpE,cAAc,CAAC,mBAAmB,EAAE,UAAU,CAAC;SAC/C,MAAM,CAAC,CAAC,IAAsB,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,gCAAgC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;YAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,8BAA8B,MAAM,CAAC,IAAI,KAAK,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QAEpD,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/vault-manager.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Vault management commands: create, vaults (list), destroy, split, unseal, seal.
+ */
+import type { Command } from 'commander';
+export declare function register(parent: Command): void;
+//# sourceMappingURL=vault-manager.d.ts.map

package/dist/cli/commands/vault-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-manager.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/vault-manager.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAmBzC,wBAAgB,QAAQ,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CA4Q9C"}

package/dist/cli/commands/vault-manager.js

@@ -0,0 +1,240 @@
+/**
+ * Vault management commands: create, vaults (list), destroy, split, unseal, seal.
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { getConfig } from '../../config.js';
+import { getDb, getVaultSalt, migrate } from '../../db.js';
+import { combine, decodeShare, deriveKey, encodeShare, SealManager, split, VaultManager, } from '../../vault/index.js';
+import { requireUserAuth } from '../auth.js';
+import { localTime } from '../validation.js';
+function collectShares(value, previous) {
+    return [...previous, value];
+}
+export function register(parent) {
+    // These are subcommands of the 'vault' command, which is already
+    // registered by vault.ts.  We look it up so we can attach to it.
+    const vault = parent.commands.find((c) => c.name() === 'vault');
+    if (!vault)
+        throw new Error('vault command must be registered before vault-manager');
+    vault
+        .command('create')
+        .description('Create a new named vault with its own database and encryption salt')
+        .requiredOption('-n, --name <name>', 'Name for the new vault')
+        .option('--master-key <key>', 'Master key for the vault (if not provided, prompts or uses AEGIS_MASTER_KEY)')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:manage');
+        db.close();
+        const manager = new VaultManager(config.dataDir);
+        try {
+            const { salt } = manager.create(opts.name, config.masterKey || undefined);
+            console.log(`\n  ✓ Vault "${opts.name}" created\n`);
+            console.log(`  Salt:     ${salt}`);
+            console.log(`  Database: .aegis/vaults/${opts.name}.db\n`);
+            console.log(`  To use this vault:`);
+            console.log(`    AEGIS_VAULT=${opts.name} aegis vault list`);
+            console.log(`    AEGIS_VAULT=${opts.name} aegis gate\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+    });
+    vault
+        .command('vaults')
+        .description('List all named vaults')
+        .action(() => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:read');
+        db.close();
+        const manager = new VaultManager(config.dataDir);
+        const vaults = manager.list();
+        if (vaults.length === 0) {
+            console.log('\n  No vaults found. Create one with: aegis vault create --name <name>\n');
+            return;
+        }
+        console.log(`\n  Aegis Vaults — ${vaults.length} vault(s)\n`);
+        const active = config.vaultName;
+        for (const v of vaults) {
+            const marker = v.name === active ? ' ← active' : '';
+            console.log(`  • ${v.name}${marker}`);
+            console.log(`    Database:   ${v.dbPath}`);
+            console.log(`    Created:    ${localTime(v.createdAt)}`);
+            console.log();
+        }
+    });
+    vault
+        .command('destroy')
+        .description('Permanently delete a named vault and its database')
+        .requiredOption('-n, --name <name>', 'Name of the vault to delete')
+        .option('--confirm', 'Skip confirmation prompt')
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:manage');
+        db.close();
+        const manager = new VaultManager(config.dataDir);
+        if (!opts.confirm) {
+            console.log(`\n  ⚠  This will permanently delete vault "${opts.name}" and all its data.`);
+            console.log(`  Run again with --confirm to proceed.\n`);
+            return;
+        }
+        try {
+            manager.remove(opts.name);
+            console.log(`\n  ✓ Vault "${opts.name}" deleted.\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+    });
+    vault
+        .command('split')
+        .description("Split the master key into M-of-N shares using Shamir's Secret Sharing")
+        .requiredOption('-t, --threshold <n>', 'Minimum shares needed to reconstruct (≥ 2)')
+        .requiredOption('-s, --shares <n>', 'Total shares to generate (≥ threshold, ≤ 255)')
+        .option('--remove-env-key', 'Remove AEGIS_MASTER_KEY from .env after splitting', false)
+        .action((opts) => {
+        const config = getConfig();
+        const db = getDb(config);
+        migrate(db);
+        const key = deriveKey(config.masterKey, getVaultSalt(config));
+        requireUserAuth(db, key, 'vault:manage');
+        db.close();
+        if (!config.masterKey) {
+            console.error('\n✗ AEGIS_MASTER_KEY is required to split. Set it in .env or as an env var.\n');
+            process.exit(1);
+        }
+        const threshold = Number.parseInt(opts.threshold, 10);
+        const totalShares = Number.parseInt(opts.shares, 10);
+        if (Number.isNaN(threshold) || Number.isNaN(totalShares)) {
+            console.error('\n✗ Threshold and shares must be numbers.\n');
+            process.exit(1);
+        }
+        try {
+            const secretBuf = Buffer.from(config.masterKey, 'utf-8');
+            const shares = split(secretBuf, threshold, totalShares);
+            // Store seal config (threshold + key hash for verification)
+            const sealMgr = new SealManager(config.dataDir);
+            sealMgr.enableSplit(threshold, totalShares, config.masterKey);
+            console.log(`\n  ╔══════════════════════════════════════════╗`);
+            console.log(`  ║     Master Key Split — ${threshold}-of-${totalShares} Scheme      ║`);
+            console.log(`  ╚══════════════════════════════════════════╝\n`);
+            console.log(`  ⚠  Store each share with a different key holder.`);
+            console.log(`  ⚠  These shares will NOT be shown again.\n`);
+            for (const share of shares) {
+                console.log(`  Share ${share.index}:  ${encodeShare(share)}`);
+            }
+            console.log(`\n  Threshold: ${threshold} of ${totalShares} shares required to unseal.`);
+            console.log(`  Key hash:  ${crypto.createHash('sha256').update(config.masterKey).digest('hex').slice(0, 16)}...`);
+            // Optionally remove the master key from .env
+            if (opts.removeEnvKey) {
+                const envPath = path.join(process.cwd(), '.env');
+                if (fs.existsSync(envPath)) {
+                    const envContent = fs.readFileSync(envPath, 'utf-8');
+                    const filtered = envContent
+                        .split('\n')
+                        .filter((line) => !line.trim().startsWith('AEGIS_MASTER_KEY'))
+                        .join('\n');
+                    fs.writeFileSync(envPath, filtered, { mode: 0o600 });
+                    console.log(`\n  ✓ Removed AEGIS_MASTER_KEY from .env`);
+                }
+            }
+            else {
+                console.log(`\n  Note: AEGIS_MASTER_KEY is still in .env / environment.`);
+                console.log(`  Use --remove-env-key to remove it after distributing shares.`);
+            }
+            console.log(`\n  To unseal later:`);
+            console.log(`    aegis vault unseal --key-share <share1> --key-share <share2> ...`);
+            console.log(`  To seal (remove reconstructed key):`);
+            console.log(`    aegis vault seal\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+    });
+    vault
+        .command('unseal')
+        .description('Reconstruct the master key from Shamir shares')
+        .option('--key-share <share>', 'Provide a key share (repeat for each share)', collectShares, [])
+        .action((opts) => {
+        const config = getConfig();
+        if (opts.keyShare.length === 0) {
+            console.error('\n✗ Provide at least one share: --key-share <share>\n');
+            console.error('  Example:');
+            console.error('    aegis vault unseal --key-share aegis_share_01_... --key-share aegis_share_02_...\n');
+            process.exit(1);
+        }
+        const sealMgr = new SealManager(config.dataDir);
+        const sealConfig = sealMgr.getSealConfig();
+        if (!sealConfig) {
+            console.error('\n✗ Key splitting is not configured. Run `aegis vault split` first.\n');
+            process.exit(1);
+        }
+        if (opts.keyShare.length < sealConfig.threshold) {
+            console.error(`\n✗ Not enough shares. Provided ${opts.keyShare.length}, need ${sealConfig.threshold}.\n`);
+            process.exit(1);
+        }
+        try {
+            // Decode all shares
+            const shares = opts.keyShare.map((s) => decodeShare(s));
+            // Reconstruct the master key
+            const reconstructed = combine(shares);
+            const masterKey = reconstructed.toString('utf-8');
+            // Verify against stored hash
+            if (!sealMgr.verifyKey(masterKey)) {
+                console.error('\n✗ Key verification failed. The provided shares do not reconstruct the correct master key.\n');
+                console.error('  Possible causes:');
+                console.error('  • Wrong shares provided');
+                console.error(`  • Not enough valid shares (need at least ${sealConfig.threshold})`);
+                console.error('  • Shares from different split operations\n');
+                process.exit(1);
+            }
+            // Write the unseal key
+            sealMgr.writeUnsealKey(masterKey);
+            console.log(`\n  ✓ Vault unsealed successfully.\n`);
+            console.log(`  Master key reconstructed and stored in .aegis/.unseal-key (mode 0600).`);
+            console.log(`  All Aegis commands will use the reconstructed key.\n`);
+            console.log(`  To seal the vault again: aegis vault seal\n`);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`\n✗ ${message}\n`);
+            process.exit(1);
+        }
+    });
+    vault
+        .command('seal')
+        .description('Seal the vault — securely remove the reconstructed master key')
+        .action(() => {
+        const config = getConfig();
+        const sealMgr = new SealManager(config.dataDir);
+        if (!sealMgr.isSplitEnabled()) {
+            console.error('\n✗ Key splitting is not configured. Nothing to seal.\n');
+            process.exit(1);
+        }
+        if (!sealMgr.isUnsealed()) {
+            console.log('\n  Vault is already sealed.\n');
+            return;
+        }
+        sealMgr.seal();
+        console.log(`\n  ✓ Vault sealed.\n`);
+        console.log(`  The reconstructed master key has been securely removed.`);
+        console.log(`  To unseal: aegis vault unseal --key-share <share1> --key-share <share2> ...\n`);
+    });
+}
+//# sourceMappingURL=vault-manager.js.map

package/dist/cli/commands/vault-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-manager.js","sourceRoot":"","sources":["../../../src/cli/commands/vault-manager.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EACL,OAAO,EACP,WAAW,EACX,SAAS,EACT,WAAW,EACX,WAAW,EACX,KAAK,EACL,YAAY,GACb,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAE7C,SAAS,aAAa,CAAC,KAAa,EAAE,QAAkB;IACtD,OAAO,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,MAAe;IACtC,iEAAiE;IACjE,iEAAiE;IACjE,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,CAAC,CAAC;IAChE,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAErF,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,oEAAoE,CAAC;SACjF,cAAc,CAAC,mBAAmB,EAAE,wBAAwB,CAAC;SAC7D,MAAM,CACL,oBAAoB,EACpB,8EAA8E,CAC/E;SACA,MAAM,CAAC,CAAC,IAA0C,EAAE,EAAE;QACrD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QACzC,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS,CAAC,CAAC;YAE1E,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,IAAI,aAAa,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,6BAA6B,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,mBAAmB,CAAC,CAAC;YAC7D,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,eAAe,CAAC,CAAC;QAC3D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,uBAAuB,CAAC;SACpC,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAE9B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,MAAM,aAAa,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC;QAChC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,MAAM,EAAE,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,mBAAmB,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,SAAS,CAAC;SAClB,WAAW,CAAC,mDAAmD,CAAC;SAChE,cAAc,CAAC,mBAAmB,EAAE,6BAA6B,CAAC;SAClE,MAAM,CAAC,WAAW,EAAE,0BAA0B,CAAC;SAC/C,MAAM,CAAC,CAAC,IAAyC,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QACzC,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,8CAA8C,IAAI,CAAC,IAAI,qBAAqB,CAAC,CAAC;YAC1F,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,IAAI,cAAc,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,uEAAuE,CAAC;SACpF,cAAc,CAAC,qBAAqB,EAAE,4CAA4C,CAAC;SACnF,cAAc,CAAC,kBAAkB,EAAE,+CAA+C,CAAC;SACnF,MAAM,CAAC,kBAAkB,EAAE,mDAAmD,EAAE,KAAK,CAAC;SACtF,MAAM,CAAC,CAAC,IAAkE,EAAE,EAAE;QAC7E,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,cAAc,CAAC,CAAC;QACzC,EAAE,CAAC,KAAK,EAAE,CAAC;QAEX,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CACX,+EAA+E,CAChF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACtD,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAErD,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;YACzD,OAAO,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;YAC7D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACzD,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;YAExD,4DAA4D;YAC5D,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO,CAAC,WAAW,CAAC,SAAS,EAAE,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YAE9D,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,8BAA8B,SAAS,OAAO,WAAW,gBAAgB,CAAC,CAAC;YACvF,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;YAClE,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;YAE5D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,CAAC,KAAK,MAAM,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAChE,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,kBAAkB,SAAS,OAAO,WAAW,6BAA6B,CAAC,CAAC;YACxF,OAAO,CAAC,GAAG,CACT,gBAAgB,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CACrG,CAAC;YAEF,6CAA6C;YAC7C,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;gBACjD,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3B,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;oBACrD,MAAM,QAAQ,GAAG,UAAU;yBACxB,KAAK,CAAC,IAAI,CAAC;yBACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;yBAC7D,IAAI,CAAC,IAAI,CAAC,CAAC;oBACd,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;oBACrD,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;gBAC1E,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;YAChF,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;YACpF,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,+CAA+C,CAAC;SAC5D,MAAM,CAAC,qBAAqB,EAAE,6CAA6C,EAAE,aAAa,EAAE,EAAE,CAAC;SAC/F,MAAM,CAAC,CAAC,IAA4B,EAAE,EAAE;QACvC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAE3B,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;YACvE,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC5B,OAAO,CAAC,KAAK,CACX,wFAAwF,CACzF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;QAE3C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,uEAAuE,CAAC,CAAC;YACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;YAChD,OAAO,CAAC,KAAK,CACX,mCAAmC,IAAI,CAAC,QAAQ,CAAC,MAAM,UAAU,UAAU,CAAC,SAAS,KAAK,CAC3F,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC;YACH,oBAAoB;YACpB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;YAExD,6BAA6B;YAC7B,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YACtC,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAElD,6BAA6B;YAC7B,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClC,OAAO,CAAC,KAAK,CACX,+FAA+F,CAChG,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;gBACpC,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;gBAC3C,OAAO,CAAC,KAAK,CAAC,8CAA8C,UAAU,CAAC,SAAS,GAAG,CAAC,CAAC;gBACrF,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;gBAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,uBAAuB;YACvB,OAAO,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;YAElC,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;YACxF,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;YACtE,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,KAAK,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,KAAK;SACF,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,+DAA+D,CAAC;SAC5E,MAAM,CAAC,GAAG,EAAE;QACX,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEhD,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;YAC9B,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,IAAI,EAAE,CAAC;QAEf,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QACzE,OAAO,CAAC,GAAG,CACT,iFAAiF,CAClF,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/vault.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Vault CRUD commands: add, list, remove, rotate, update.
+ */
+import type { Command } from 'commander';
+export declare function register(program: Command): void;
+//# sourceMappingURL=vault.d.ts.map

package/dist/cli/commands/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/vault.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAmBzC,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAqT/C"}