@i4ctime/q-ring 0.2.0

package/dist/index.js

@@ -0,0 +1,1525 @@
+#!/usr/bin/env node
+
+// src/cli/commands.ts
+import { Command } from "commander";
+
+// src/core/keyring.ts
+import { Entry, findCredentials } from "@napi-rs/keyring";
+
+// src/utils/hash.ts
+import { createHash } from "crypto";
+function hashProjectPath(projectPath) {
+  return createHash("sha256").update(projectPath).digest("hex").slice(0, 12);
+}
+
+// src/core/scope.ts
+var SERVICE_PREFIX = "q-ring";
+function globalService() {
+  return `${SERVICE_PREFIX}:global`;
+}
+function projectService(projectPath) {
+  const hash = hashProjectPath(projectPath);
+  return `${SERVICE_PREFIX}:project:${hash}`;
+}
+function resolveScope(opts) {
+  const { scope, projectPath } = opts;
+  if (scope === "global") {
+    return [{ scope: "global", service: globalService() }];
+  }
+  if (scope === "project") {
+    if (!projectPath) {
+      throw new Error("Project path is required for project scope");
+    }
+    return [
+      { scope: "project", service: projectService(projectPath), projectPath }
+    ];
+  }
+  if (projectPath) {
+    return [
+      { scope: "project", service: projectService(projectPath), projectPath },
+      { scope: "global", service: globalService() }
+    ];
+  }
+  return [{ scope: "global", service: globalService() }];
+}
+
+// src/core/envelope.ts
+function createEnvelope(value, opts) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  let expiresAt = opts?.expiresAt;
+  if (!expiresAt && opts?.ttlSeconds) {
+    expiresAt = new Date(Date.now() + opts.ttlSeconds * 1e3).toISOString();
+  }
+  return {
+    v: 1,
+    value: opts?.states ? void 0 : value,
+    states: opts?.states,
+    defaultEnv: opts?.defaultEnv,
+    meta: {
+      createdAt: now,
+      updatedAt: now,
+      expiresAt,
+      ttlSeconds: opts?.ttlSeconds,
+      description: opts?.description,
+      tags: opts?.tags,
+      entangled: opts?.entangled,
+      accessCount: 0
+    }
+  };
+}
+function parseEnvelope(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object" && parsed.v === 1) {
+      return parsed;
+    }
+  } catch {
+  }
+  return null;
+}
+function wrapLegacy(rawValue) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    v: 1,
+    value: rawValue,
+    meta: {
+      createdAt: now,
+      updatedAt: now,
+      accessCount: 0
+    }
+  };
+}
+function serializeEnvelope(envelope) {
+  return JSON.stringify(envelope);
+}
+function collapseValue(envelope, env) {
+  if (envelope.states) {
+    const targetEnv = env ?? envelope.defaultEnv;
+    if (targetEnv && envelope.states[targetEnv]) {
+      return envelope.states[targetEnv];
+    }
+    if (envelope.defaultEnv && envelope.states[envelope.defaultEnv]) {
+      return envelope.states[envelope.defaultEnv];
+    }
+    const keys = Object.keys(envelope.states);
+    if (keys.length > 0) {
+      return envelope.states[keys[0]];
+    }
+    return null;
+  }
+  return envelope.value ?? null;
+}
+function checkDecay(envelope) {
+  if (!envelope.meta.expiresAt) {
+    return {
+      isExpired: false,
+      isStale: false,
+      lifetimePercent: 0,
+      secondsRemaining: null,
+      timeRemaining: null
+    };
+  }
+  const now = Date.now();
+  const expires = new Date(envelope.meta.expiresAt).getTime();
+  const created = new Date(envelope.meta.createdAt).getTime();
+  const totalLifetime = expires - created;
+  const elapsed = now - created;
+  const remaining = expires - now;
+  const lifetimePercent = totalLifetime > 0 ? Math.round(elapsed / totalLifetime * 100) : 100;
+  const secondsRemaining = Math.floor(remaining / 1e3);
+  let timeRemaining = null;
+  if (remaining > 0) {
+    const days = Math.floor(remaining / 864e5);
+    const hours = Math.floor(remaining % 864e5 / 36e5);
+    const minutes = Math.floor(remaining % 36e5 / 6e4);
+    if (days > 0) timeRemaining = `${days}d ${hours}h`;
+    else if (hours > 0) timeRemaining = `${hours}h ${minutes}m`;
+    else timeRemaining = `${minutes}m`;
+  } else {
+    timeRemaining = "expired";
+  }
+  return {
+    isExpired: remaining <= 0,
+    isStale: lifetimePercent >= 75,
+    lifetimePercent,
+    secondsRemaining,
+    timeRemaining
+  };
+}
+function recordAccess(envelope) {
+  return {
+    ...envelope,
+    meta: {
+      ...envelope.meta,
+      accessCount: envelope.meta.accessCount + 1,
+      lastAccessedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  };
+}
+
+// src/core/collapse.ts
+import { execSync } from "child_process";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+var BRANCH_ENV_MAP = {
+  main: "prod",
+  master: "prod",
+  production: "prod",
+  develop: "dev",
+  development: "dev",
+  dev: "dev",
+  staging: "staging",
+  stage: "staging",
+  test: "test",
+  testing: "test"
+};
+function detectGitBranch(cwd) {
+  try {
+    const branch = execSync("git rev-parse --abbrev-ref HEAD", {
+      cwd: cwd ?? process.cwd(),
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf8",
+      timeout: 3e3
+    }).trim();
+    return branch || null;
+  } catch {
+    return null;
+  }
+}
+function readProjectConfig(projectPath) {
+  const configPath = join(projectPath ?? process.cwd(), ".q-ring.json");
+  try {
+    if (existsSync(configPath)) {
+      return JSON.parse(readFileSync(configPath, "utf8"));
+    }
+  } catch {
+  }
+  return null;
+}
+function collapseEnvironment(ctx = {}) {
+  if (ctx.explicit) {
+    return { env: ctx.explicit, source: "explicit" };
+  }
+  const qringEnv = process.env.QRING_ENV;
+  if (qringEnv) {
+    return { env: qringEnv, source: "QRING_ENV" };
+  }
+  const nodeEnv = process.env.NODE_ENV;
+  if (nodeEnv) {
+    const mapped = mapEnvName(nodeEnv);
+    return { env: mapped, source: "NODE_ENV" };
+  }
+  const config = readProjectConfig(ctx.projectPath);
+  if (config?.env) {
+    return { env: config.env, source: "project-config" };
+  }
+  const branch = detectGitBranch(ctx.projectPath);
+  if (branch) {
+    const branchMap = { ...BRANCH_ENV_MAP, ...config?.branchMap };
+    const mapped = branchMap[branch];
+    if (mapped) {
+      return { env: mapped, source: "git-branch" };
+    }
+  }
+  if (config?.defaultEnv) {
+    return { env: config.defaultEnv, source: "project-config" };
+  }
+  return null;
+}
+function mapEnvName(raw) {
+  const lower = raw.toLowerCase();
+  if (lower === "production") return "prod";
+  if (lower === "development") return "dev";
+  return lower;
+}
+
+// src/core/observer.ts
+import { existsSync as existsSync2, mkdirSync, appendFileSync, readFileSync as readFileSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir } from "os";
+function getAuditDir() {
+  const dir = join2(homedir(), ".config", "q-ring");
+  if (!existsSync2(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  return dir;
+}
+function getAuditPath() {
+  return join2(getAuditDir(), "audit.jsonl");
+}
+function logAudit(event) {
+  const full = {
+    ...event,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    pid: process.pid
+  };
+  try {
+    appendFileSync(getAuditPath(), JSON.stringify(full) + "\n");
+  } catch {
+  }
+}
+function queryAudit(query = {}) {
+  const path = getAuditPath();
+  if (!existsSync2(path)) return [];
+  try {
+    const lines = readFileSync2(path, "utf8").split("\n").filter((l) => l.trim());
+    let events = lines.map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    }).filter((e) => e !== null);
+    if (query.key) {
+      events = events.filter((e) => e.key === query.key);
+    }
+    if (query.action) {
+      events = events.filter((e) => e.action === query.action);
+    }
+    if (query.since) {
+      const since = new Date(query.since).getTime();
+      events = events.filter(
+        (e) => new Date(e.timestamp).getTime() >= since
+      );
+    }
+    events.sort(
+      (a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime()
+    );
+    if (query.limit) {
+      events = events.slice(0, query.limit);
+    }
+    return events;
+  } catch {
+    return [];
+  }
+}
+function detectAnomalies(key) {
+  const recent = queryAudit({
+    key,
+    action: "read",
+    since: new Date(Date.now() - 36e5).toISOString()
+    // last hour
+  });
+  const anomalies = [];
+  if (key && recent.length > 50) {
+    anomalies.push({
+      type: "burst",
+      description: `${recent.length} reads of "${key}" in the last hour`,
+      events: recent.slice(0, 10)
+    });
+  }
+  const nightAccess = recent.filter((e) => {
+    const hour = new Date(e.timestamp).getHours();
+    return hour >= 1 && hour < 5;
+  });
+  if (nightAccess.length > 0) {
+    anomalies.push({
+      type: "unusual-hour",
+      description: `${nightAccess.length} access(es) during unusual hours (1am-5am)`,
+      events: nightAccess
+    });
+  }
+  return anomalies;
+}
+
+// src/core/entanglement.ts
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync, mkdirSync as mkdirSync2 } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir2 } from "os";
+function getRegistryPath() {
+  const dir = join3(homedir2(), ".config", "q-ring");
+  if (!existsSync3(dir)) {
+    mkdirSync2(dir, { recursive: true });
+  }
+  return join3(dir, "entanglement.json");
+}
+function loadRegistry() {
+  const path = getRegistryPath();
+  if (!existsSync3(path)) {
+    return { pairs: [] };
+  }
+  try {
+    return JSON.parse(readFileSync3(path, "utf8"));
+  } catch {
+    return { pairs: [] };
+  }
+}
+function saveRegistry(registry) {
+  writeFileSync(getRegistryPath(), JSON.stringify(registry, null, 2));
+}
+function entangle(source, target) {
+  const registry = loadRegistry();
+  const exists = registry.pairs.some(
+    (p) => p.source.service === source.service && p.source.key === source.key && p.target.service === target.service && p.target.key === target.key
+  );
+  if (!exists) {
+    registry.pairs.push({
+      source,
+      target,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    registry.pairs.push({
+      source: target,
+      target: source,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    saveRegistry(registry);
+  }
+}
+function findEntangled(source) {
+  const registry = loadRegistry();
+  return registry.pairs.filter(
+    (p) => p.source.service === source.service && p.source.key === source.key
+  ).map((p) => p.target);
+}
+
+// src/core/keyring.ts
+function readEnvelope(service, key) {
+  const entry = new Entry(service, key);
+  const raw = entry.getPassword();
+  if (raw === null) return null;
+  const envelope = parseEnvelope(raw);
+  return envelope ?? wrapLegacy(raw);
+}
+function writeEnvelope(service, key, envelope) {
+  const entry = new Entry(service, key);
+  entry.setPassword(serializeEnvelope(envelope));
+}
+function resolveEnv(opts) {
+  if (opts.env) return opts.env;
+  const result = collapseEnvironment({ projectPath: opts.projectPath });
+  return result?.env;
+}
+function getSecret(key, opts = {}) {
+  const scopes = resolveScope(opts);
+  const env = resolveEnv(opts);
+  const source = opts.source ?? "cli";
+  for (const { service, scope } of scopes) {
+    const envelope = readEnvelope(service, key);
+    if (!envelope) continue;
+    const decay = checkDecay(envelope);
+    if (decay.isExpired) {
+      logAudit({
+        action: "read",
+        key,
+        scope,
+        source,
+        detail: "blocked: secret expired (quantum decay)"
+      });
+      continue;
+    }
+    const value = collapseValue(envelope, env);
+    if (value === null) continue;
+    const updated = recordAccess(envelope);
+    writeEnvelope(service, key, updated);
+    logAudit({ action: "read", key, scope, env, source });
+    return value;
+  }
+  return null;
+}
+function getEnvelope(key, opts = {}) {
+  const scopes = resolveScope(opts);
+  for (const { service, scope } of scopes) {
+    const envelope = readEnvelope(service, key);
+    if (envelope) return { envelope, scope };
+  }
+  return null;
+}
+function setSecret(key, value, opts = {}) {
+  const scope = opts.scope ?? "global";
+  const scopes = resolveScope({ ...opts, scope });
+  const { service } = scopes[0];
+  const source = opts.source ?? "cli";
+  const existing = readEnvelope(service, key);
+  let envelope;
+  if (opts.states) {
+    envelope = createEnvelope("", {
+      states: opts.states,
+      defaultEnv: opts.defaultEnv,
+      description: opts.description,
+      tags: opts.tags,
+      ttlSeconds: opts.ttlSeconds,
+      expiresAt: opts.expiresAt,
+      entangled: existing?.meta.entangled
+    });
+  } else {
+    envelope = createEnvelope(value, {
+      description: opts.description,
+      tags: opts.tags,
+      ttlSeconds: opts.ttlSeconds,
+      expiresAt: opts.expiresAt,
+      entangled: existing?.meta.entangled
+    });
+  }
+  if (existing) {
+    envelope.meta.createdAt = existing.meta.createdAt;
+    envelope.meta.accessCount = existing.meta.accessCount;
+  }
+  writeEnvelope(service, key, envelope);
+  logAudit({ action: "write", key, scope, source });
+  const entangled = findEntangled({ service, key });
+  for (const target of entangled) {
+    try {
+      const targetEnvelope = readEnvelope(target.service, target.key);
+      if (targetEnvelope) {
+        if (opts.states) {
+          targetEnvelope.states = opts.states;
+        } else {
+          targetEnvelope.value = value;
+        }
+        targetEnvelope.meta.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+        writeEnvelope(target.service, target.key, targetEnvelope);
+        logAudit({
+          action: "entangle",
+          key: target.key,
+          scope: "global",
+          source,
+          detail: `propagated from ${key}`
+        });
+      }
+    } catch {
+    }
+  }
+}
+function deleteSecret(key, opts = {}) {
+  const scopes = resolveScope(opts);
+  const source = opts.source ?? "cli";
+  let deleted = false;
+  for (const { service, scope } of scopes) {
+    const entry = new Entry(service, key);
+    try {
+      if (entry.deleteCredential()) {
+        deleted = true;
+        logAudit({ action: "delete", key, scope, source });
+      }
+    } catch {
+    }
+  }
+  return deleted;
+}
+function listSecrets(opts = {}) {
+  const source = opts.source ?? "cli";
+  const services = [];
+  if (!opts.scope || opts.scope === "global") {
+    services.push({ service: globalService(), scope: "global" });
+  }
+  if ((!opts.scope || opts.scope === "project") && opts.projectPath) {
+    services.push({
+      service: projectService(opts.projectPath),
+      scope: "project"
+    });
+  }
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const { service, scope } of services) {
+    try {
+      const credentials = findCredentials(service);
+      for (const cred of credentials) {
+        const id = `${scope}:${cred.account}`;
+        if (seen.has(id)) continue;
+        seen.add(id);
+        const envelope = parseEnvelope(cred.password) ?? wrapLegacy(cred.password);
+        const decay = checkDecay(envelope);
+        results.push({
+          key: cred.account,
+          scope,
+          envelope,
+          decay
+        });
+      }
+    } catch {
+    }
+  }
+  logAudit({ action: "list", source });
+  return results.sort((a, b) => a.key.localeCompare(b.key));
+}
+function exportSecrets(opts = {}) {
+  const format = opts.format ?? "env";
+  const env = resolveEnv(opts);
+  const entries = listSecrets(opts);
+  const source = opts.source ?? "cli";
+  const merged = /* @__PURE__ */ new Map();
+  const globalEntries = entries.filter((e) => e.scope === "global");
+  const projectEntries = entries.filter((e) => e.scope === "project");
+  for (const entry of [...globalEntries, ...projectEntries]) {
+    if (entry.envelope) {
+      const decay = checkDecay(entry.envelope);
+      if (decay.isExpired) continue;
+      const value = collapseValue(entry.envelope, env);
+      if (value !== null) {
+        merged.set(entry.key, value);
+      }
+    }
+  }
+  logAudit({ action: "export", source, detail: `format=${format}` });
+  if (format === "json") {
+    const obj = {};
+    for (const [key, value] of merged) {
+      obj[key] = value;
+    }
+    return JSON.stringify(obj, null, 2);
+  }
+  const lines = [];
+  for (const [key, value] of merged) {
+    const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n");
+    lines.push(`${key}="${escaped}"`);
+  }
+  return lines.join("\n");
+}
+function entangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts) {
+  const sourceScopes = resolveScope({ ...sourceOpts, scope: sourceOpts.scope ?? "global" });
+  const targetScopes = resolveScope({ ...targetOpts, scope: targetOpts.scope ?? "global" });
+  const source = { service: sourceScopes[0].service, key: sourceKey };
+  const target = { service: targetScopes[0].service, key: targetKey };
+  entangle(source, target);
+  logAudit({
+    action: "entangle",
+    key: sourceKey,
+    source: sourceOpts.source ?? "cli",
+    detail: `entangled with ${targetKey}`
+  });
+}
+
+// src/core/noise.ts
+import { randomBytes, randomInt } from "crypto";
+var ALPHA_NUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+var PASSWORD_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?";
+function randomString(charset, length) {
+  let result = "";
+  for (let i = 0; i < length; i++) {
+    result += charset[randomInt(charset.length)];
+  }
+  return result;
+}
+function generateSecret(opts = {}) {
+  const format = opts.format ?? "api-key";
+  switch (format) {
+    case "hex": {
+      const len = opts.length ?? 32;
+      return randomBytes(len).toString("hex");
+    }
+    case "base64": {
+      const len = opts.length ?? 32;
+      return randomBytes(len).toString("base64url");
+    }
+    case "alphanumeric": {
+      const len = opts.length ?? 32;
+      return randomString(ALPHA_NUM, len);
+    }
+    case "uuid": {
+      const bytes = randomBytes(16);
+      bytes[6] = bytes[6] & 15 | 64;
+      bytes[8] = bytes[8] & 63 | 128;
+      const hex = bytes.toString("hex");
+      return [
+        hex.slice(0, 8),
+        hex.slice(8, 12),
+        hex.slice(12, 16),
+        hex.slice(16, 20),
+        hex.slice(20, 32)
+      ].join("-");
+    }
+    case "api-key": {
+      const prefix = opts.prefix ?? "qr_";
+      const len = opts.length ?? 48;
+      return prefix + randomString(ALPHA_NUM, len);
+    }
+    case "token": {
+      const prefix = opts.prefix ?? "";
+      const len = opts.length ?? 64;
+      return prefix + randomBytes(len).toString("base64url");
+    }
+    case "password": {
+      const len = opts.length ?? 24;
+      let pw = randomString(PASSWORD_CHARS, len);
+      const hasUpper = /[A-Z]/.test(pw);
+      const hasLower = /[a-z]/.test(pw);
+      const hasDigit = /[0-9]/.test(pw);
+      const hasSpecial = /[^A-Za-z0-9]/.test(pw);
+      if (!hasUpper) pw = replaceAt(pw, randomInt(len), randomString("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 1));
+      if (!hasLower) pw = replaceAt(pw, randomInt(len), randomString("abcdefghijklmnopqrstuvwxyz", 1));
+      if (!hasDigit) pw = replaceAt(pw, randomInt(len), randomString("0123456789", 1));
+      if (!hasSpecial) pw = replaceAt(pw, randomInt(len), randomString("!@#$%^&*()-_=+", 1));
+      return pw;
+    }
+    default:
+      return randomBytes(32).toString("hex");
+  }
+}
+function replaceAt(str, index, char) {
+  return str.slice(0, index) + char + str.slice(index + 1);
+}
+function estimateEntropy(secret) {
+  const charsets = [
+    { regex: /[a-z]/, size: 26 },
+    { regex: /[A-Z]/, size: 26 },
+    { regex: /[0-9]/, size: 10 },
+    { regex: /[^A-Za-z0-9]/, size: 32 }
+  ];
+  let poolSize = 0;
+  for (const { regex, size } of charsets) {
+    if (regex.test(secret)) poolSize += size;
+  }
+  return poolSize > 0 ? Math.floor(Math.log2(poolSize) * secret.length) : 0;
+}
+
+// src/utils/colors.ts
+var enabled = process.stdout.isTTY !== false && !process.env.NO_COLOR;
+function wrap(code, text) {
+  return enabled ? `\x1B[${code}m${text}\x1B[0m` : text;
+}
+var c = {
+  bold: (t) => wrap("1", t),
+  dim: (t) => wrap("2", t),
+  italic: (t) => wrap("3", t),
+  underline: (t) => wrap("4", t),
+  red: (t) => wrap("31", t),
+  green: (t) => wrap("32", t),
+  yellow: (t) => wrap("33", t),
+  blue: (t) => wrap("34", t),
+  magenta: (t) => wrap("35", t),
+  cyan: (t) => wrap("36", t),
+  white: (t) => wrap("37", t),
+  gray: (t) => wrap("90", t),
+  bgRed: (t) => wrap("41", t),
+  bgGreen: (t) => wrap("42", t),
+  bgYellow: (t) => wrap("43", t),
+  bgBlue: (t) => wrap("44", t),
+  bgMagenta: (t) => wrap("45", t),
+  bgCyan: (t) => wrap("46", t)
+};
+function scopeColor(scope) {
+  return scope === "project" ? c.cyan(scope) : c.blue(scope);
+}
+function decayIndicator(percent, expired) {
+  if (expired) return c.bgRed(c.white(" EXPIRED "));
+  if (percent >= 90) return c.red(`[decay ${percent}%]`);
+  if (percent >= 75) return c.yellow(`[decay ${percent}%]`);
+  if (percent > 0) return c.green(`[decay ${percent}%]`);
+  return "";
+}
+function envBadge(env) {
+  switch (env) {
+    case "prod":
+      return c.bgRed(c.white(` ${env} `));
+    case "staging":
+      return c.bgYellow(c.white(` ${env} `));
+    case "dev":
+      return c.bgGreen(c.white(` ${env} `));
+    case "test":
+      return c.bgBlue(c.white(` ${env} `));
+    default:
+      return c.bgMagenta(c.white(` ${env} `));
+  }
+}
+var SYMBOLS = {
+  check: enabled ? "\u2713" : "[ok]",
+  cross: enabled ? "\u2717" : "[x]",
+  arrow: enabled ? "\u2192" : "->",
+  dot: enabled ? "\u2022" : "*",
+  lock: enabled ? "\u{1F512}" : "[locked]",
+  key: enabled ? "\u{1F511}" : "[key]",
+  link: enabled ? "\u{1F517}" : "[link]",
+  warning: enabled ? "\u26A0\uFE0F" : "[!]",
+  clock: enabled ? "\u23F0" : "[time]",
+  shield: enabled ? "\u{1F6E1}\uFE0F" : "[shield]",
+  zap: enabled ? "\u26A1" : "[zap]",
+  eye: enabled ? "\u{1F441}\uFE0F" : "[eye]",
+  ghost: enabled ? "\u{1F47B}" : "[ghost]",
+  package: enabled ? "\u{1F4E6}" : "[pkg]",
+  sparkle: enabled ? "\u2728" : "[*]"
+};
+
+// src/core/agent.ts
+function defaultConfig() {
+  return {
+    intervalSeconds: 60,
+    autoRotate: false,
+    projectPaths: [process.cwd()],
+    verbose: false
+  };
+}
+function runHealthScan(config = {}) {
+  const cfg = { ...defaultConfig(), ...config };
+  const report = {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    totalSecrets: 0,
+    healthy: 0,
+    stale: 0,
+    expired: 0,
+    anomalies: 0,
+    rotated: [],
+    warnings: []
+  };
+  const globalEntries = listSecrets({ scope: "global", source: "agent" });
+  const projectEntries = cfg.projectPaths.flatMap(
+    (pp) => listSecrets({ scope: "project", projectPath: pp, source: "agent" })
+  );
+  const allEntries = [...globalEntries, ...projectEntries];
+  report.totalSecrets = allEntries.length;
+  for (const entry of allEntries) {
+    if (!entry.envelope) continue;
+    const decay = checkDecay(entry.envelope);
+    if (decay.isExpired) {
+      report.expired++;
+      report.warnings.push(
+        `EXPIRED: ${entry.key} [${entry.scope}] \u2014 expired ${decay.timeRemaining}`
+      );
+      if (cfg.autoRotate) {
+        const newValue = generateSecret({ format: "api-key" });
+        setSecret(entry.key, newValue, {
+          scope: entry.scope,
+          projectPath: cfg.projectPaths[0],
+          source: "agent"
+        });
+        report.rotated.push(entry.key);
+        logAudit({
+          action: "write",
+          key: entry.key,
+          scope: entry.scope,
+          source: "agent",
+          detail: "auto-rotated by agent (expired)"
+        });
+      }
+    } else if (decay.isStale) {
+      report.stale++;
+      report.warnings.push(
+        `STALE: ${entry.key} [${entry.scope}] \u2014 ${decay.lifetimePercent}% lifetime, ${decay.timeRemaining} remaining`
+      );
+    } else {
+      report.healthy++;
+    }
+  }
+  const anomalies = detectAnomalies();
+  report.anomalies = anomalies.length;
+  for (const a of anomalies) {
+    report.warnings.push(`ANOMALY [${a.type}]: ${a.description}`);
+  }
+  return report;
+}
+function formatReport(report, verbose) {
+  const lines = [];
+  lines.push(
+    `${c.bold(`${SYMBOLS.shield} q-ring agent scan`)} ${c.dim(report.timestamp)}`
+  );
+  lines.push(
+    `  ${c.dim("secrets:")} ${report.totalSecrets}  ${c.green(`${SYMBOLS.check} ${report.healthy}`)}  ${c.yellow(`${SYMBOLS.warning} ${report.stale}`)}  ${c.red(`${SYMBOLS.cross} ${report.expired}`)}  ${c.dim(`anomalies: ${report.anomalies}`)}`
+  );
+  if (report.rotated.length > 0) {
+    lines.push(
+      `  ${c.cyan(`${SYMBOLS.zap} auto-rotated:`)} ${report.rotated.join(", ")}`
+    );
+  }
+  if (verbose && report.warnings.length > 0) {
+    lines.push("");
+    for (const w of report.warnings) {
+      if (w.startsWith("EXPIRED")) lines.push(`  ${c.red(w)}`);
+      else if (w.startsWith("STALE")) lines.push(`  ${c.yellow(w)}`);
+      else if (w.startsWith("ANOMALY")) lines.push(`  ${c.magenta(w)}`);
+      else lines.push(`  ${w}`);
+    }
+  }
+  return lines.join("\n");
+}
+async function startAgent(config = {}) {
+  const cfg = { ...defaultConfig(), ...config };
+  console.log(
+    `${c.bold(`${SYMBOLS.zap} q-ring agent started`)} ${c.dim(`(interval: ${cfg.intervalSeconds}s, auto-rotate: ${cfg.autoRotate})`)}`
+  );
+  console.log(
+    c.dim(`  monitoring: global + ${cfg.projectPaths.length} project(s)`)
+  );
+  console.log();
+  const scan = () => {
+    const report = runHealthScan(cfg);
+    console.log(formatReport(report, cfg.verbose));
+    if (report.warnings.length > 0 || cfg.verbose) {
+      console.log();
+    }
+  };
+  scan();
+  const interval = setInterval(scan, cfg.intervalSeconds * 1e3);
+  const shutdown = () => {
+    clearInterval(interval);
+    console.log(`
+${c.dim("q-ring agent stopped")}`);
+    process.exit(0);
+  };
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+  await new Promise(() => {
+  });
+}
+
+// src/core/tunnel.ts
+var tunnelStore = /* @__PURE__ */ new Map();
+var cleanupInterval = null;
+function ensureCleanup() {
+  if (cleanupInterval) return;
+  cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [id, entry] of tunnelStore) {
+      if (entry.expiresAt && now >= entry.expiresAt) {
+        tunnelStore.delete(id);
+      }
+    }
+    if (tunnelStore.size === 0 && cleanupInterval) {
+      clearInterval(cleanupInterval);
+      cleanupInterval = null;
+    }
+  }, 5e3);
+  if (cleanupInterval && typeof cleanupInterval === "object" && "unref" in cleanupInterval) {
+    cleanupInterval.unref();
+  }
+}
+function tunnelCreate(value, opts = {}) {
+  const id = `tun_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
+  const now = Date.now();
+  tunnelStore.set(id, {
+    value,
+    createdAt: now,
+    expiresAt: opts.ttlSeconds ? now + opts.ttlSeconds * 1e3 : void 0,
+    accessCount: 0,
+    maxReads: opts.maxReads
+  });
+  ensureCleanup();
+  return id;
+}
+function tunnelRead(id) {
+  const entry = tunnelStore.get(id);
+  if (!entry) return null;
+  if (entry.expiresAt && Date.now() >= entry.expiresAt) {
+    tunnelStore.delete(id);
+    return null;
+  }
+  entry.accessCount++;
+  if (entry.maxReads && entry.accessCount >= entry.maxReads) {
+    const value = entry.value;
+    tunnelStore.delete(id);
+    return value;
+  }
+  return entry.value;
+}
+function tunnelDestroy(id) {
+  return tunnelStore.delete(id);
+}
+function tunnelList() {
+  const now = Date.now();
+  const result = [];
+  for (const [id, entry] of tunnelStore) {
+    if (entry.expiresAt && now >= entry.expiresAt) {
+      tunnelStore.delete(id);
+      continue;
+    }
+    result.push({
+      id,
+      createdAt: entry.createdAt,
+      expiresAt: entry.expiresAt,
+      accessCount: entry.accessCount,
+      maxReads: entry.maxReads
+    });
+  }
+  return result;
+}
+
+// src/core/teleport.ts
+import {
+  randomBytes as randomBytes2,
+  createCipheriv,
+  createDecipheriv,
+  pbkdf2Sync
+} from "crypto";
+var ALGORITHM = "aes-256-gcm";
+var KEY_LENGTH = 32;
+var IV_LENGTH = 16;
+var SALT_LENGTH = 32;
+var PBKDF2_ITERATIONS = 1e5;
+function deriveKey(passphrase, salt) {
+  return pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, KEY_LENGTH, "sha512");
+}
+function teleportPack(secrets, passphrase) {
+  const payload = {
+    secrets,
+    exportedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const plaintext = JSON.stringify(payload);
+  const salt = randomBytes2(SALT_LENGTH);
+  const iv = randomBytes2(IV_LENGTH);
+  const key = deriveKey(passphrase, salt);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  const bundle = {
+    v: 1,
+    data: encrypted.toString("base64"),
+    salt: salt.toString("base64"),
+    iv: iv.toString("base64"),
+    tag: tag.toString("base64"),
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    count: secrets.length
+  };
+  return Buffer.from(JSON.stringify(bundle)).toString("base64");
+}
+function teleportUnpack(encoded, passphrase) {
+  const bundleJson = Buffer.from(encoded, "base64").toString("utf8");
+  const bundle = JSON.parse(bundleJson);
+  if (bundle.v !== 1) {
+    throw new Error(`Unsupported teleport bundle version: ${bundle.v}`);
+  }
+  const salt = Buffer.from(bundle.salt, "base64");
+  const iv = Buffer.from(bundle.iv, "base64");
+  const tag = Buffer.from(bundle.tag, "base64");
+  const encrypted = Buffer.from(bundle.data, "base64");
+  const key = deriveKey(passphrase, salt);
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ]);
+  return JSON.parse(decrypted.toString("utf8"));
+}
+
+// src/utils/prompt.ts
+import { createInterface } from "readline";
+async function promptSecret(message) {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stderr,
+    terminal: true
+  });
+  return new Promise((resolve) => {
+    process.stderr.write(message);
+    const stdin = process.stdin;
+    const wasRaw = stdin.isRaw;
+    if (stdin.isTTY && stdin.setRawMode) {
+      stdin.setRawMode(true);
+    }
+    let input = "";
+    const onData = (chunk) => {
+      const char = chunk.toString("utf8");
+      if (char === "\n" || char === "\r") {
+        stdin.removeListener("data", onData);
+        if (stdin.isTTY && stdin.setRawMode) {
+          stdin.setRawMode(wasRaw ?? false);
+        }
+        process.stderr.write("\n");
+        rl.close();
+        resolve(input);
+      } else if (char === "") {
+        process.exit(1);
+      } else if (char === "\x7F" || char === "\b") {
+        input = input.slice(0, -1);
+      } else {
+        input += char;
+      }
+    };
+    stdin.on("data", onData);
+  });
+}
+
+// src/cli/commands.ts
+function buildOpts(cmd) {
+  let scope;
+  if (cmd.global) scope = "global";
+  else if (cmd.project) scope = "project";
+  const projectPath = cmd.projectPath ?? (cmd.project ? process.cwd() : void 0);
+  if (scope === "project" && !projectPath) {
+    throw new Error("Project path is required for project scope");
+  }
+  return {
+    scope,
+    projectPath: projectPath ?? process.cwd(),
+    env: cmd.env,
+    source: "cli"
+  };
+}
+function createProgram() {
+  const program2 = new Command().name("qring").description(
+    `${c.bold("q-ring")} ${c.dim("\u2014 quantum keyring for AI coding tools")}`
+  ).version("0.2.0");
+  program2.command("set <key> [value]").description("Store a secret (with optional quantum metadata)").option("-g, --global", "Store in global scope").option("-p, --project", "Store in project scope (uses cwd)").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Set value for a specific environment (superposition)").option("--ttl <seconds>", "Time-to-live in seconds (quantum decay)", parseInt).option("--expires <iso>", "Expiry timestamp (ISO 8601)").option("--description <desc>", "Human-readable description").option("--tags <tags>", "Comma-separated tags").action(async (key, value, cmd) => {
+    const opts = buildOpts(cmd);
+    if (!value) {
+      value = await promptSecret(`${SYMBOLS.key} Enter value for ${c.bold(key)}: `);
+      if (!value) {
+        console.error(c.red(`${SYMBOLS.cross} No value provided, aborting.`));
+        process.exit(1);
+      }
+    }
+    const setOpts = {
+      ...opts,
+      ttlSeconds: cmd.ttl,
+      expiresAt: cmd.expires,
+      description: cmd.description,
+      tags: cmd.tags?.split(",").map((t) => t.trim())
+    };
+    if (cmd.env) {
+      const existing = getEnvelope(key, opts);
+      const states = existing?.envelope?.states ?? {};
+      states[cmd.env] = value;
+      if (existing?.envelope?.value && !states["default"]) {
+        states["default"] = existing.envelope.value;
+      }
+      setOpts.states = states;
+      setOpts.defaultEnv = existing?.envelope?.defaultEnv ?? cmd.env;
+      setSecret(key, "", setOpts);
+      console.log(
+        `${SYMBOLS.check} ${c.green("saved")} ${c.bold(key)} ${envBadge(cmd.env)} ${c.dim(`[${scopeColor(opts.scope ?? "global")}]`)}`
+      );
+    } else {
+      setSecret(key, value, setOpts);
+      const extras = [];
+      if (cmd.ttl) extras.push(`${SYMBOLS.clock} ttl=${cmd.ttl}s`);
+      if (cmd.description) extras.push(c.dim(cmd.description));
+      console.log(
+        `${SYMBOLS.check} ${c.green("saved")} ${c.bold(key)} ${c.dim(`[${scopeColor(opts.scope ?? "global")}]`)} ${extras.join(" ")}`
+      );
+    }
+  });
+  program2.command("get <key>").description("Retrieve a secret (collapses superposition if needed)").option("-g, --global", "Look only in global scope").option("-p, --project", "Look only in project scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force a specific environment").action((key, cmd) => {
+    const opts = buildOpts(cmd);
+    const value = getSecret(key, opts);
+    if (value === null) {
+      console.error(c.red(`${SYMBOLS.cross} Secret "${key}" not found`));
+      process.exit(1);
+    }
+    process.stdout.write(value);
+  });
+  program2.command("delete <key>").alias("rm").description("Remove a secret from the keyring").option("-g, --global", "Delete from global scope only").option("-p, --project", "Delete from project scope only").option("--project-path <path>", "Explicit project path").action((key, cmd) => {
+    const opts = buildOpts(cmd);
+    const deleted = deleteSecret(key, opts);
+    if (deleted) {
+      console.log(`${SYMBOLS.check} ${c.green("deleted")} ${c.bold(key)}`);
+    } else {
+      console.error(c.red(`${SYMBOLS.cross} Secret "${key}" not found`));
+      process.exit(1);
+    }
+  });
+  program2.command("list").alias("ls").description("List all secrets with quantum status indicators").option("-g, --global", "List global scope only").option("-p, --project", "List project scope only").option("--project-path <path>", "Explicit project path").option("--show-decay", "Show decay/expiry status").action((cmd) => {
+    const opts = buildOpts(cmd);
+    const entries = listSecrets(opts);
+    if (entries.length === 0) {
+      console.log(c.dim("No secrets found"));
+      return;
+    }
+    console.log(
+      c.bold(`
+  ${SYMBOLS.key} q-ring secrets (${entries.length})
+`)
+    );
+    const maxKeyLen = Math.max(...entries.map((e) => e.key.length));
+    for (const entry of entries) {
+      const parts = [];
+      parts.push(c.dim("[") + scopeColor(entry.scope) + c.dim("]"));
+      parts.push(c.bold(entry.key.padEnd(maxKeyLen)));
+      if (entry.envelope?.states) {
+        const envs = Object.keys(entry.envelope.states);
+        parts.push(c.magenta(`[${envs.join("|")}]`));
+      }
+      if (entry.decay && (entry.decay.lifetimePercent > 0 || entry.decay.isExpired)) {
+        parts.push(
+          decayIndicator(entry.decay.lifetimePercent, entry.decay.isExpired)
+        );
+        if (entry.decay.timeRemaining && !entry.decay.isExpired) {
+          parts.push(c.dim(entry.decay.timeRemaining));
+        }
+      }
+      if (entry.envelope?.meta.entangled && entry.envelope.meta.entangled.length > 0) {
+        parts.push(
+          c.cyan(`${SYMBOLS.link} ${entry.envelope.meta.entangled.length}`)
+        );
+      }
+      if (entry.envelope && entry.envelope.meta.accessCount > 0) {
+        parts.push(
+          c.dim(`${SYMBOLS.eye} ${entry.envelope.meta.accessCount}`)
+        );
+      }
+      if (entry.envelope?.meta.tags && entry.envelope.meta.tags.length > 0) {
+        parts.push(
+          c.dim(entry.envelope.meta.tags.map((t) => `#${t}`).join(" "))
+        );
+      }
+      console.log(`  ${parts.join("  ")}`);
+    }
+    console.log();
+  });
+  program2.command("inspect <key>").description("Show full quantum state of a secret").option("-g, --global", "Inspect global scope only").option("-p, --project", "Inspect project scope only").option("--project-path <path>", "Explicit project path").action((key, cmd) => {
+    const opts = buildOpts(cmd);
+    const result = getEnvelope(key, opts);
+    if (!result) {
+      console.error(c.red(`${SYMBOLS.cross} Secret "${key}" not found`));
+      process.exit(1);
+    }
+    const { envelope, scope } = result;
+    const decay = checkDecay(envelope);
+    console.log(`
+  ${c.bold(SYMBOLS.key + " " + key)}`);
+    console.log(`  ${c.dim("scope:")}     ${scopeColor(scope)}`);
+    if (envelope.states) {
+      console.log(`  ${c.dim("type:")}      ${c.magenta("superposition")}`);
+      console.log(`  ${c.dim("states:")}`);
+      for (const [env, _] of Object.entries(envelope.states)) {
+        const isDefault = env === envelope.defaultEnv;
+        console.log(
+          `    ${envBadge(env)} ${isDefault ? c.dim("(default)") : ""}`
+        );
+      }
+    } else {
+      console.log(`  ${c.dim("type:")}      ${c.green("collapsed")}`);
+    }
+    console.log(`  ${c.dim("created:")}   ${envelope.meta.createdAt}`);
+    console.log(`  ${c.dim("updated:")}   ${envelope.meta.updatedAt}`);
+    console.log(
+      `  ${c.dim("accessed:")}  ${envelope.meta.accessCount} times`
+    );
+    if (envelope.meta.lastAccessedAt) {
+      console.log(
+        `  ${c.dim("last read:")} ${envelope.meta.lastAccessedAt}`
+      );
+    }
+    if (envelope.meta.description) {
+      console.log(`  ${c.dim("desc:")}      ${envelope.meta.description}`);
+    }
+    if (envelope.meta.tags && envelope.meta.tags.length > 0) {
+      console.log(
+        `  ${c.dim("tags:")}      ${envelope.meta.tags.map((t) => c.cyan(`#${t}`)).join(" ")}`
+      );
+    }
+    if (decay.timeRemaining) {
+      console.log(
+        `  ${c.dim("decay:")}     ${decayIndicator(decay.lifetimePercent, decay.isExpired)} ${decay.timeRemaining}`
+      );
+    }
+    if (envelope.meta.entangled && envelope.meta.entangled.length > 0) {
+      console.log(`  ${c.dim("entangled:")}`);
+      for (const link of envelope.meta.entangled) {
+        console.log(`    ${SYMBOLS.link} ${link.service}/${link.key}`);
+      }
+    }
+    console.log();
+  });
+  program2.command("export").description("Export secrets as .env or JSON (collapses superposition)").option("-f, --format <format>", "Output format: env or json", "env").option("-g, --global", "Export global scope only").option("-p, --project", "Export project scope only").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force environment for collapse").action((cmd) => {
+    const opts = buildOpts(cmd);
+    const output = exportSecrets({ ...opts, format: cmd.format });
+    process.stdout.write(output + "\n");
+  });
+  program2.command("env").description("Show detected environment (wavefunction collapse context)").option("--project-path <path>", "Project path for detection").action((cmd) => {
+    const result = collapseEnvironment({
+      projectPath: cmd.projectPath ?? process.cwd()
+    });
+    if (result) {
+      console.log(
+        `${SYMBOLS.zap} ${c.bold("Collapsed environment:")} ${envBadge(result.env)} ${c.dim(`(source: ${result.source})`)}`
+      );
+    } else {
+      console.log(
+        c.dim("No environment detected. Set QRING_ENV, NODE_ENV, or create .q-ring.json")
+      );
+    }
+  });
+  program2.command("generate").alias("gen").description("Generate a cryptographic secret (quantum noise)").option(
+    "-f, --format <format>",
+    "Format: hex, base64, alphanumeric, uuid, api-key, token, password",
+    "api-key"
+  ).option("-l, --length <n>", "Length (bytes or chars depending on format)", parseInt).option("--prefix <prefix>", "Prefix for api-key/token format").option("-s, --save <key>", "Save the generated secret to keyring with this key").option("-g, --global", "Save to global scope").option("-p, --project", "Save to project scope").option("--project-path <path>", "Explicit project path").action((cmd) => {
+    const secret = generateSecret({
+      format: cmd.format,
+      length: cmd.length,
+      prefix: cmd.prefix
+    });
+    const entropy = estimateEntropy(secret);
+    if (cmd.save) {
+      const opts = buildOpts(cmd);
+      setSecret(cmd.save, secret, opts);
+      console.log(
+        `${SYMBOLS.sparkle} ${c.green("generated & saved")} ${c.bold(cmd.save)} ${c.dim(`(${cmd.format}, ${entropy} bits entropy)`)}`
+      );
+    } else {
+      process.stdout.write(secret);
+      if (process.stdout.isTTY) {
+        console.log(
+          `
+${c.dim(`format: ${cmd.format} | entropy: ~${entropy} bits`)}`
+        );
+      }
+    }
+  });
+  program2.command("entangle <sourceKey> <targetKey>").description("Link two secrets \u2014 rotating one updates the other").option("-g, --global", "Both in global scope").option("--source-project <path>", "Source project path").option("--target-project <path>", "Target project path").action(
+    (sourceKey, targetKey, cmd) => {
+      const sourceOpts = {
+        scope: cmd.sourceProject ? "project" : "global",
+        projectPath: cmd.sourceProject ?? process.cwd(),
+        source: "cli"
+      };
+      const targetOpts = {
+        scope: cmd.targetProject ? "project" : "global",
+        projectPath: cmd.targetProject ?? process.cwd(),
+        source: "cli"
+      };
+      entangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts);
+      console.log(
+        `${SYMBOLS.link} ${c.cyan("entangled")} ${c.bold(sourceKey)} ${SYMBOLS.arrow} ${c.bold(targetKey)}`
+      );
+    }
+  );
+  const tunnel = program2.command("tunnel").description("Ephemeral in-memory secrets (quantum tunneling)");
+  tunnel.command("create <value>").description("Create a tunneled secret (returns tunnel ID)").option("--ttl <seconds>", "Auto-expire after N seconds", parseInt).option("--max-reads <n>", "Self-destruct after N reads", parseInt).action((value, cmd) => {
+    const id = tunnelCreate(value, {
+      ttlSeconds: cmd.ttl,
+      maxReads: cmd.maxReads
+    });
+    console.log(`${SYMBOLS.ghost} ${c.magenta("tunneled")} ${c.bold(id)}`);
+    const extras = [];
+    if (cmd.ttl) extras.push(`ttl=${cmd.ttl}s`);
+    if (cmd.maxReads) extras.push(`max-reads=${cmd.maxReads}`);
+    if (extras.length) console.log(c.dim(`  ${extras.join(" | ")}`));
+  });
+  tunnel.command("read <id>").description("Read a tunneled secret (may self-destruct)").action((id) => {
+    const value = tunnelRead(id);
+    if (value === null) {
+      console.error(
+        c.red(`${SYMBOLS.cross} Tunnel "${id}" not found or expired`)
+      );
+      process.exit(1);
+    }
+    process.stdout.write(value);
+  });
+  tunnel.command("destroy <id>").description("Destroy a tunneled secret immediately").action((id) => {
+    const destroyed = tunnelDestroy(id);
+    if (destroyed) {
+      console.log(`${SYMBOLS.check} ${c.green("destroyed")} ${id}`);
+    } else {
+      console.error(
+        c.red(`${SYMBOLS.cross} Tunnel "${id}" not found`)
+      );
+      process.exit(1);
+    }
+  });
+  tunnel.command("list").alias("ls").description("List active tunnels").action(() => {
+    const tunnels = tunnelList();
+    if (tunnels.length === 0) {
+      console.log(c.dim("No active tunnels"));
+      return;
+    }
+    console.log(c.bold(`
+  ${SYMBOLS.ghost} Active tunnels (${tunnels.length})
+`));
+    for (const t of tunnels) {
+      const parts = [c.bold(t.id)];
+      parts.push(c.dim(`reads: ${t.accessCount}`));
+      if (t.maxReads) parts.push(c.dim(`max: ${t.maxReads}`));
+      if (t.expiresAt) {
+        const remaining = Math.max(0, Math.floor((t.expiresAt - Date.now()) / 1e3));
+        parts.push(c.dim(`expires: ${remaining}s`));
+      }
+      console.log(`  ${SYMBOLS.ghost} ${parts.join("  ")}`);
+    }
+    console.log();
+  });
+  const tp = program2.command("teleport").alias("tp").description("Encrypted secret sharing (quantum teleportation)");
+  tp.command("pack").description("Pack secrets into an encrypted bundle").option("-k, --keys <keys>", "Comma-separated key names to pack").option("-g, --global", "Pack global scope").option("-p, --project", "Pack project scope").option("--project-path <path>", "Explicit project path").action(async (cmd) => {
+    const opts = buildOpts(cmd);
+    const passphrase = await promptSecret(
+      `${SYMBOLS.lock} Enter passphrase for encryption: `
+    );
+    if (!passphrase) {
+      console.error(c.red("Passphrase required"));
+      process.exit(1);
+    }
+    const entries = listSecrets(opts);
+    let keys;
+    if (cmd.keys) {
+      keys = cmd.keys.split(",").map((k) => k.trim());
+    }
+    const secrets = [];
+    for (const entry of entries) {
+      if (keys && !keys.includes(entry.key)) continue;
+      const value = getSecret(entry.key, { ...opts, scope: entry.scope });
+      if (value !== null) {
+        secrets.push({ key: entry.key, value, scope: entry.scope });
+      }
+    }
+    if (secrets.length === 0) {
+      console.error(c.red("No secrets to pack"));
+      process.exit(1);
+    }
+    const bundle = teleportPack(secrets, passphrase);
+    process.stdout.write(bundle);
+    if (process.stdout.isTTY) {
+      console.log(
+        `
+${SYMBOLS.package} ${c.green("packed")} ${secrets.length} secret(s)`
+      );
+    }
+  });
+  tp.command("unpack [bundle]").description("Unpack and import secrets from an encrypted bundle").option("-g, --global", "Import to global scope").option("-p, --project", "Import to project scope").option("--project-path <path>", "Explicit project path").option("--dry-run", "Show what would be imported without saving").action(async (bundle, cmd) => {
+    if (!bundle) {
+      const chunks = [];
+      for await (const chunk of process.stdin) {
+        chunks.push(chunk);
+      }
+      bundle = Buffer.concat(chunks).toString("utf8").trim();
+    }
+    const passphrase = await promptSecret(
+      `${SYMBOLS.lock} Enter passphrase for decryption: `
+    );
+    try {
+      const payload = teleportUnpack(bundle, passphrase);
+      if (cmd.dryRun) {
+        console.log(
+          `
+${SYMBOLS.package} ${c.bold("Would import")} (${payload.secrets.length} secrets):
+`
+        );
+        for (const s of payload.secrets) {
+          console.log(`  ${SYMBOLS.key} ${c.bold(s.key)} ${c.dim(`[${s.scope ?? "global"}]`)}`);
+        }
+        return;
+      }
+      const opts = buildOpts(cmd);
+      for (const s of payload.secrets) {
+        setSecret(s.key, s.value, opts);
+      }
+      console.log(
+        `${SYMBOLS.check} ${c.green("imported")} ${payload.secrets.length} secret(s) from teleport bundle`
+      );
+    } catch {
+      console.error(
+        c.red(`${SYMBOLS.cross} Failed to unpack: wrong passphrase or corrupted bundle`)
+      );
+      process.exit(1);
+    }
+  });
+  program2.command("audit").description("View the audit log (observer effect)").option("-k, --key <key>", "Filter by key").option(
+    "-a, --action <action>",
+    "Filter by action (read, write, delete, etc.)"
+  ).option("-n, --limit <n>", "Number of events to show", parseInt, 20).option("--anomalies", "Detect access anomalies").action((cmd) => {
+    if (cmd.anomalies) {
+      const anomalies = detectAnomalies(cmd.key);
+      if (anomalies.length === 0) {
+        console.log(
+          `${SYMBOLS.shield} ${c.green("No anomalies detected")}`
+        );
+        return;
+      }
+      console.log(
+        `
+${SYMBOLS.warning} ${c.bold(c.yellow(`${anomalies.length} anomaly/anomalies detected`))}
+`
+      );
+      for (const a of anomalies) {
+        console.log(`  ${c.yellow(a.type)} ${a.description}`);
+      }
+      console.log();
+      return;
+    }
+    const events = queryAudit({
+      key: cmd.key,
+      action: cmd.action,
+      limit: cmd.limit
+    });
+    if (events.length === 0) {
+      console.log(c.dim("No audit events found"));
+      return;
+    }
+    console.log(
+      c.bold(`
+  ${SYMBOLS.eye} Audit log (${events.length} events)
+`)
+    );
+    for (const event of events) {
+      const ts = new Date(event.timestamp).toLocaleString();
+      const actionColor = event.action === "read" ? c.blue : event.action === "write" ? c.green : event.action === "delete" ? c.red : c.yellow;
+      const parts = [
+        c.dim(ts),
+        actionColor(event.action.padEnd(8)),
+        event.key ? c.bold(event.key) : "",
+        event.scope ? c.dim(`[${event.scope}]`) : "",
+        event.detail ? c.dim(event.detail) : ""
+      ];
+      console.log(`  ${parts.filter(Boolean).join("  ")}`);
+    }
+    console.log();
+  });
+  program2.command("health").description("Check the health of all secrets").option("-g, --global", "Check global scope only").option("-p, --project", "Check project scope only").option("--project-path <path>", "Explicit project path").action((cmd) => {
+    const opts = buildOpts(cmd);
+    const entries = listSecrets(opts);
+    if (entries.length === 0) {
+      console.log(c.dim("No secrets to check"));
+      return;
+    }
+    console.log(
+      c.bold(`
+  ${SYMBOLS.shield} Secret health report
+`)
+    );
+    let healthy = 0;
+    let stale = 0;
+    let expired = 0;
+    let noDecay = 0;
+    for (const entry of entries) {
+      if (!entry.decay || !entry.decay.timeRemaining) {
+        noDecay++;
+        continue;
+      }
+      if (entry.decay.isExpired) {
+        expired++;
+        console.log(
+          `  ${c.red(SYMBOLS.cross)} ${c.bold(entry.key)} ${c.bgRed(c.white(" EXPIRED "))}`
+        );
+      } else if (entry.decay.isStale) {
+        stale++;
+        console.log(
+          `  ${c.yellow(SYMBOLS.warning)} ${c.bold(entry.key)} ${c.yellow(`stale (${entry.decay.lifetimePercent}%, ${entry.decay.timeRemaining} left)`)}`
+        );
+      } else {
+        healthy++;
+      }
+    }
+    console.log(
+      `
+  ${c.green(`${SYMBOLS.check} ${healthy} healthy`)}  ${c.yellow(`${SYMBOLS.warning} ${stale} stale`)}  ${c.red(`${SYMBOLS.cross} ${expired} expired`)}  ${c.dim(`${noDecay} no decay`)}`
+    );
+    const anomalies = detectAnomalies();
+    if (anomalies.length > 0) {
+      console.log(
+        `
+  ${c.yellow(`${SYMBOLS.warning} ${anomalies.length} access anomaly/anomalies detected`)} ${c.dim("(run: qring audit --anomalies)")}`
+      );
+    }
+    console.log();
+  });
+  program2.command("agent").description("Start the autonomous agent (background monitor)").option(
+    "-i, --interval <seconds>",
+    "Scan interval in seconds",
+    parseInt,
+    60
+  ).option("--auto-rotate", "Auto-rotate expired secrets").option("-v, --verbose", "Verbose output with all warnings").option("--project-path <paths>", "Comma-separated project paths to monitor").option("--once", "Run a single scan and exit (no daemon)").action(async (cmd) => {
+    const projectPaths = cmd.projectPath ? cmd.projectPath.split(",").map((p) => p.trim()) : [process.cwd()];
+    if (cmd.once) {
+      const report = runHealthScan({
+        autoRotate: cmd.autoRotate,
+        projectPaths,
+        verbose: cmd.verbose
+      });
+      console.log(JSON.stringify(report, null, 2));
+      return;
+    }
+    await startAgent({
+      intervalSeconds: cmd.interval,
+      autoRotate: cmd.autoRotate,
+      projectPaths,
+      verbose: cmd.verbose
+    });
+  });
+  return program2;
+}
+
+// src/index.ts
+var program = createProgram();
+program.parse();
+//# sourceMappingURL=index.js.map