@i4ctime/q-ring 0.3.1 → 0.4.0

package/dist/mcp.js

@@ -4,19 +4,26 @@ import {
   collapseEnvironment,
   deleteSecret,
   detectAnomalies,
+  disentangleSecrets,
   entangleSecrets,
+  exportSecrets,
+  fireHooks,
   getEnvelope,
   getSecret,
   hasSecret,
+  listHooks,
   listSecrets,
   logAudit,
   queryAudit,
+  readProjectConfig,
+  registerHook,
+  removeHook,
   setSecret,
   tunnelCreate,
   tunnelDestroy,
   tunnelList,
   tunnelRead
-} from "./chunk-3WTTWJYU.js";
+} from "./chunk-6IQ5SFLI.js";
 
 // src/mcp.ts
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
@@ -147,7 +154,9 @@ function runHealthScan(config = {}) {
         `EXPIRED: ${entry.key} [${entry.scope}] \u2014 expired ${decay.timeRemaining}`
       );
       if (cfg.autoRotate) {
-        const newValue = generateSecret({ format: "api-key" });
+        const fmt = entry.envelope?.meta.rotationFormat ?? "api-key";
+        const prefix = entry.envelope?.meta.rotationPrefix;
+        const newValue = generateSecret({ format: fmt, prefix });
         setSecret(entry.key, newValue, {
           scope: entry.scope,
           projectPath: cfg.projectPaths[0],
@@ -161,6 +170,14 @@ function runHealthScan(config = {}) {
           source: "agent",
           detail: "auto-rotated by agent (expired)"
         });
+        fireHooks({
+          action: "rotate",
+          key: entry.key,
+          scope: entry.scope,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          source: "agent"
+        }, entry.envelope?.meta.tags).catch(() => {
+        });
       }
     } else if (decay.isStale) {
       report.stale++;
@@ -240,6 +257,262 @@ function teleportUnpack(encoded, passphrase) {
   return JSON.parse(decrypted.toString("utf8"));
 }
 
+// src/core/import.ts
+import { readFileSync } from "fs";
+function parseDotenv(content) {
+  const result = /* @__PURE__ */ new Map();
+  const lines = content.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line || line.startsWith("#")) continue;
+    const eqIdx = line.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = line.slice(0, eqIdx).trim();
+    let value = line.slice(eqIdx + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    value = value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\\\/g, "\\").replace(/\\"/g, '"');
+    if (value.includes("#") && !line.includes('"') && !line.includes("'")) {
+      value = value.split("#")[0].trim();
+    }
+    if (key) result.set(key, value);
+  }
+  return result;
+}
+function importDotenv(filePathOrContent, options = {}) {
+  let content;
+  try {
+    content = readFileSync(filePathOrContent, "utf8");
+  } catch {
+    content = filePathOrContent;
+  }
+  const pairs = parseDotenv(content);
+  const result = {
+    imported: [],
+    skipped: [],
+    total: pairs.size
+  };
+  for (const [key, value] of pairs) {
+    if (options.skipExisting && hasSecret(key, {
+      scope: options.scope,
+      projectPath: options.projectPath,
+      source: options.source ?? "cli"
+    })) {
+      result.skipped.push(key);
+      continue;
+    }
+    if (options.dryRun) {
+      result.imported.push(key);
+      continue;
+    }
+    const setOpts = {
+      scope: options.scope ?? "global",
+      projectPath: options.projectPath ?? process.cwd(),
+      source: options.source ?? "cli"
+    };
+    setSecret(key, value, setOpts);
+    result.imported.push(key);
+  }
+  return result;
+}
+
+// src/core/validate.ts
+import { request as httpsRequest } from "https";
+import { request as httpRequest } from "http";
+function makeRequest(url, headers, timeoutMs = 1e4) {
+  return new Promise((resolve, reject) => {
+    const parsedUrl = new URL(url);
+    const reqFn = parsedUrl.protocol === "https:" ? httpsRequest : httpRequest;
+    const req = reqFn(
+      url,
+      { method: "GET", headers, timeout: timeoutMs },
+      (res) => {
+        let body = "";
+        res.on("data", (chunk) => body += chunk);
+        res.on(
+          "end",
+          () => resolve({ statusCode: res.statusCode ?? 0, body })
+        );
+      }
+    );
+    req.on("error", reject);
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("Request timed out"));
+    });
+    req.end();
+  });
+}
+var ProviderRegistry = class {
+  providers = /* @__PURE__ */ new Map();
+  register(provider) {
+    this.providers.set(provider.name, provider);
+  }
+  get(name) {
+    return this.providers.get(name);
+  }
+  detectProvider(value, hints) {
+    if (hints?.provider) {
+      return this.providers.get(hints.provider);
+    }
+    for (const provider of this.providers.values()) {
+      if (provider.prefixes) {
+        for (const pfx of provider.prefixes) {
+          if (value.startsWith(pfx)) return provider;
+        }
+      }
+    }
+    return void 0;
+  }
+  listProviders() {
+    return [...this.providers.values()];
+  }
+};
+var openaiProvider = {
+  name: "openai",
+  description: "OpenAI API key validation",
+  prefixes: ["sk-"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.openai.com/v1/models?limit=1",
+        {
+          Authorization: `Bearer ${value}`,
+          "User-Agent": "q-ring-validator/1.0"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "API key is valid", latencyMs, provider: "openai" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or revoked API key", latencyMs, provider: "openai" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 key may be valid", latencyMs, provider: "openai" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "openai" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "openai" };
+    }
+  }
+};
+var stripeProvider = {
+  name: "stripe",
+  description: "Stripe API key validation",
+  prefixes: ["sk_live_", "sk_test_", "rk_live_", "rk_test_", "pk_live_", "pk_test_"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.stripe.com/v1/balance",
+        {
+          Authorization: `Bearer ${value}`,
+          "User-Agent": "q-ring-validator/1.0"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "API key is valid", latencyMs, provider: "stripe" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or revoked API key", latencyMs, provider: "stripe" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 key may be valid", latencyMs, provider: "stripe" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "stripe" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "stripe" };
+    }
+  }
+};
+var githubProvider = {
+  name: "github",
+  description: "GitHub token validation",
+  prefixes: ["ghp_", "gho_", "ghu_", "ghs_", "ghr_", "github_pat_"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.github.com/user",
+        {
+          Authorization: `token ${value}`,
+          "User-Agent": "q-ring-validator/1.0",
+          Accept: "application/vnd.github+json"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "Token is valid", latencyMs, provider: "github" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or expired token", latencyMs, provider: "github" };
+      if (statusCode === 403)
+        return { valid: false, status: "invalid", message: "Token lacks required permissions", latencyMs, provider: "github" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 token may be valid", latencyMs, provider: "github" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "github" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "github" };
+    }
+  }
+};
+var awsProvider = {
+  name: "aws",
+  description: "AWS access key validation (checks key format only \u2014 full STS validation requires secret key + region)",
+  prefixes: ["AKIA", "ASIA"],
+  async validate(value) {
+    const start = Date.now();
+    const latencyMs = Date.now() - start;
+    if (/^(AKIA|ASIA)[A-Z0-9]{16}$/.test(value)) {
+      return { valid: true, status: "unknown", message: "Valid AWS access key format (STS validation requires secret key)", latencyMs, provider: "aws" };
+    }
+    return { valid: false, status: "invalid", message: "Invalid AWS access key format", latencyMs, provider: "aws" };
+  }
+};
+var httpProvider = {
+  name: "http",
+  description: "Generic HTTP endpoint validation",
+  async validate(value, url) {
+    const start = Date.now();
+    if (!url) {
+      return { valid: false, status: "unknown", message: "No validation URL configured", latencyMs: 0, provider: "http" };
+    }
+    try {
+      const { statusCode } = await makeRequest(url, {
+        Authorization: `Bearer ${value}`,
+        "User-Agent": "q-ring-validator/1.0"
+      });
+      const latencyMs = Date.now() - start;
+      if (statusCode >= 200 && statusCode < 300)
+        return { valid: true, status: "valid", message: `Endpoint returned ${statusCode}`, latencyMs, provider: "http" };
+      if (statusCode === 401 || statusCode === 403)
+        return { valid: false, status: "invalid", message: `Authentication failed (${statusCode})`, latencyMs, provider: "http" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "http" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "http" };
+    }
+  }
+};
+var registry = new ProviderRegistry();
+registry.register(openaiProvider);
+registry.register(stripeProvider);
+registry.register(githubProvider);
+registry.register(awsProvider);
+registry.register(httpProvider);
+async function validateSecret(value, opts2) {
+  const provider = opts2?.provider ? registry.get(opts2.provider) : registry.detectProvider(value);
+  if (!provider) {
+    return {
+      valid: false,
+      status: "unknown",
+      message: "No provider detected \u2014 set a provider in the manifest or secret metadata",
+      latencyMs: 0,
+      provider: "none"
+    };
+  }
+  if (provider.name === "http" && opts2?.validationUrl) {
+    return provider.validate(value, opts2.validationUrl);
+  }
+  return provider.validate(value);
+}
+
 // src/mcp/server.ts
 function text(t, isError = false) {
   return {
@@ -280,13 +553,37 @@ function createMcpServer() {
   );
   server2.tool(
     "list_secrets",
-    "List all secret keys with quantum metadata (scope, decay status, superposition states, entanglement, access count). Values are never exposed.",
+    "List all secret keys with quantum metadata (scope, decay status, superposition states, entanglement, access count). Values are never exposed. Supports filtering by tag, expiry state, and key pattern.",
     {
       scope: scopeSchema,
-      projectPath: projectPathSchema
+      projectPath: projectPathSchema,
+      tag: z.string().optional().describe("Filter by tag"),
+      expired: z.boolean().optional().describe("Show only expired secrets"),
+      stale: z.boolean().optional().describe("Show only stale secrets (75%+ decay)"),
+      filter: z.string().optional().describe("Glob pattern on key name (e.g., 'API_*')")
     },
     async (params) => {
-      const entries = listSecrets(opts(params));
+      let entries = listSecrets(opts(params));
+      if (params.tag) {
+        entries = entries.filter(
+          (e) => e.envelope?.meta.tags?.includes(params.tag)
+        );
+      }
+      if (params.expired) {
+        entries = entries.filter((e) => e.decay?.isExpired);
+      }
+      if (params.stale) {
+        entries = entries.filter(
+          (e) => e.decay?.isStale && !e.decay?.isExpired
+        );
+      }
+      if (params.filter) {
+        const regex = new RegExp(
+          "^" + params.filter.replace(/\*/g, ".*") + "$",
+          "i"
+        );
+        entries = entries.filter((e) => regex.test(e.key));
+      }
       if (entries.length === 0) return text("No secrets found");
       const lines = entries.map((e) => {
         const parts = [`[${e.scope}] ${e.key}`];
@@ -323,7 +620,9 @@ function createMcpServer() {
       env: z.string().optional().describe("If provided, sets the value for this specific environment (superposition)"),
       ttlSeconds: z.number().optional().describe("Time-to-live in seconds (quantum decay)"),
       description: z.string().optional().describe("Human-readable description"),
-      tags: z.array(z.string()).optional().describe("Tags for organization")
+      tags: z.array(z.string()).optional().describe("Tags for organization"),
+      rotationFormat: z.enum(["hex", "base64", "alphanumeric", "uuid", "api-key", "token", "password"]).optional().describe("Format for auto-rotation when this secret expires"),
+      rotationPrefix: z.string().optional().describe("Prefix for auto-rotation (e.g. 'sk-')")
     },
     async (params) => {
       const o = opts(params);
@@ -340,7 +639,9 @@ function createMcpServer() {
           defaultEnv: existing?.envelope?.defaultEnv ?? params.env,
           ttlSeconds: params.ttlSeconds,
           description: params.description,
-          tags: params.tags
+          tags: params.tags,
+          rotationFormat: params.rotationFormat,
+          rotationPrefix: params.rotationPrefix
         });
         return text(`[${params.scope ?? "global"}] ${params.key} set for env:${params.env}`);
       }
@@ -348,7 +649,9 @@ function createMcpServer() {
         ...o,
         ttlSeconds: params.ttlSeconds,
         description: params.description,
-        tags: params.tags
+        tags: params.tags,
+        rotationFormat: params.rotationFormat,
+        rotationPrefix: params.rotationPrefix
       });
       return text(`[${params.scope ?? "global"}] ${params.key} saved`);
     }
@@ -381,6 +684,152 @@ function createMcpServer() {
       return text(hasSecret(params.key, opts(params)) ? "true" : "false");
     }
   );
+  server2.tool(
+    "export_secrets",
+    "Export secrets as .env or JSON format. Collapses superposition. Supports filtering by specific keys or tags.",
+    {
+      format: z.enum(["env", "json"]).optional().default("env").describe("Output format"),
+      keys: z.array(z.string()).optional().describe("Only export these specific key names"),
+      tags: z.array(z.string()).optional().describe("Only export secrets with any of these tags"),
+      scope: scopeSchema,
+      projectPath: projectPathSchema,
+      env: envSchema
+    },
+    async (params) => {
+      const output = exportSecrets({
+        ...opts(params),
+        format: params.format,
+        keys: params.keys,
+        tags: params.tags
+      });
+      if (!output.trim()) return text("No secrets matched the filters", true);
+      return text(output);
+    }
+  );
+  server2.tool(
+    "import_dotenv",
+    "Import secrets from .env file content. Parses standard dotenv syntax (comments, quotes, multiline escapes) and stores each key/value pair in q-ring.",
+    {
+      content: z.string().describe("The .env file content to parse and import"),
+      scope: scopeSchema.default("global"),
+      projectPath: projectPathSchema,
+      skipExisting: z.boolean().optional().default(false).describe("Skip keys that already exist in q-ring"),
+      dryRun: z.boolean().optional().default(false).describe("Preview what would be imported without saving")
+    },
+    async (params) => {
+      const result = importDotenv(params.content, {
+        scope: params.scope,
+        projectPath: params.projectPath ?? process.cwd(),
+        source: "mcp",
+        skipExisting: params.skipExisting,
+        dryRun: params.dryRun
+      });
+      const lines = [
+        params.dryRun ? "Dry run \u2014 no changes made" : `Imported ${result.imported.length} secret(s)`
+      ];
+      if (result.imported.length > 0) {
+        lines.push(`Keys: ${result.imported.join(", ")}`);
+      }
+      if (result.skipped.length > 0) {
+        lines.push(`Skipped (existing): ${result.skipped.join(", ")}`);
+      }
+      return text(lines.join("\n"));
+    }
+  );
+  server2.tool(
+    "check_project",
+    "Validate project secrets against the .q-ring.json manifest. Returns which required secrets are present, missing, expired, or stale. Use this to verify project readiness.",
+    {
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const projectPath = params.projectPath ?? process.cwd();
+      const config = readProjectConfig(projectPath);
+      if (!config?.secrets || Object.keys(config.secrets).length === 0) {
+        return text("No secrets manifest found in .q-ring.json", true);
+      }
+      const results = [];
+      let presentCount = 0;
+      let missingCount = 0;
+      let expiredCount = 0;
+      let staleCount = 0;
+      for (const [key, manifest] of Object.entries(config.secrets)) {
+        const result = getEnvelope(key, { projectPath, source: "mcp" });
+        if (!result) {
+          const status = manifest.required !== false ? "missing" : "optional_missing";
+          if (manifest.required !== false) missingCount++;
+          results.push({ key, status, required: manifest.required !== false, description: manifest.description });
+          continue;
+        }
+        const decay = checkDecay(result.envelope);
+        if (decay.isExpired) {
+          expiredCount++;
+          results.push({ key, status: "expired", timeRemaining: decay.timeRemaining, description: manifest.description });
+        } else if (decay.isStale) {
+          staleCount++;
+          results.push({ key, status: "stale", lifetimePercent: decay.lifetimePercent, timeRemaining: decay.timeRemaining, description: manifest.description });
+        } else {
+          presentCount++;
+          results.push({ key, status: "ok", description: manifest.description });
+        }
+      }
+      const summary = {
+        total: Object.keys(config.secrets).length,
+        present: presentCount,
+        missing: missingCount,
+        expired: expiredCount,
+        stale: staleCount,
+        ready: missingCount === 0 && expiredCount === 0,
+        secrets: results
+      };
+      return text(JSON.stringify(summary, null, 2));
+    }
+  );
+  server2.tool(
+    "env_generate",
+    "Generate .env file content from the project manifest (.q-ring.json). Resolves each declared secret from q-ring, collapses superposition, and returns .env formatted output. Warns about missing or expired secrets.",
+    {
+      projectPath: projectPathSchema,
+      env: envSchema
+    },
+    async (params) => {
+      const projectPath = params.projectPath ?? process.cwd();
+      const config = readProjectConfig(projectPath);
+      if (!config?.secrets || Object.keys(config.secrets).length === 0) {
+        return text("No secrets manifest found in .q-ring.json", true);
+      }
+      const lines = [];
+      const warnings = [];
+      for (const [key, manifest] of Object.entries(config.secrets)) {
+        const value = getSecret(key, {
+          projectPath,
+          env: params.env,
+          source: "mcp"
+        });
+        if (value === null) {
+          if (manifest.required !== false) {
+            warnings.push(`MISSING (required): ${key}`);
+          }
+          lines.push(`# ${key}=`);
+          continue;
+        }
+        const result2 = getEnvelope(key, { projectPath, source: "mcp" });
+        if (result2) {
+          const decay = checkDecay(result2.envelope);
+          if (decay.isExpired) warnings.push(`EXPIRED: ${key}`);
+          else if (decay.isStale) warnings.push(`STALE: ${key}`);
+        }
+        const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n");
+        lines.push(`${key}="${escaped}"`);
+      }
+      const output = lines.join("\n");
+      const result = warnings.length > 0 ? `${output}
+
+# Warnings:
+${warnings.map((w) => `# ${w}`).join("\n")}` : output;
+      return text(result);
+    }
+  );
   server2.tool(
     "inspect_secret",
     "Show full quantum state of a secret: superposition states, decay status, entanglement links, access history. Never reveals the actual value.",
@@ -500,6 +949,35 @@ function createMcpServer() {
       return text(`Entangled: ${params.sourceKey} <-> ${params.targetKey}`);
     }
   );
+  server2.tool(
+    "disentangle_secrets",
+    "Remove a quantum entanglement between two secrets. They will no longer synchronize on rotation.",
+    {
+      sourceKey: z.string().describe("Source secret key"),
+      targetKey: z.string().describe("Target secret key"),
+      sourceScope: scopeSchema.default("global"),
+      targetScope: scopeSchema.default("global"),
+      sourceProjectPath: z.string().optional(),
+      targetProjectPath: z.string().optional()
+    },
+    async (params) => {
+      disentangleSecrets(
+        params.sourceKey,
+        {
+          scope: params.sourceScope,
+          projectPath: params.sourceProjectPath ?? process.cwd(),
+          source: "mcp"
+        },
+        params.targetKey,
+        {
+          scope: params.targetScope,
+          projectPath: params.targetProjectPath ?? process.cwd(),
+          source: "mcp"
+        }
+      );
+      return text(`Disentangled: ${params.sourceKey} </> ${params.targetKey}`);
+    }
+  );
   server2.tool(
     "tunnel_create",
     "Create an ephemeral secret that exists only in memory (quantum tunneling). Never persisted to disk. Optional TTL and max-reads for self-destruction.",
@@ -708,6 +1186,99 @@ ${preview}`);
       return text(summary.join("\n"));
     }
   );
+  server2.tool(
+    "validate_secret",
+    "Test if a secret is actually valid with its target service (e.g., OpenAI, Stripe, GitHub). Uses provider auto-detection based on key prefixes, or accepts an explicit provider name. Never logs the secret value.",
+    {
+      key: z.string().describe("The secret key name"),
+      provider: z.string().optional().describe("Force a specific provider (openai, stripe, github, aws, http)"),
+      scope: scopeSchema,
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const value = getSecret(params.key, opts(params));
+      if (value === null) return text(`Secret "${params.key}" not found`, true);
+      const envelope = getEnvelope(params.key, opts(params));
+      const provHint = params.provider ?? envelope?.envelope.meta.provider;
+      const result = await validateSecret(value, { provider: provHint });
+      return text(JSON.stringify(result, null, 2));
+    }
+  );
+  server2.tool(
+    "list_providers",
+    "List all available validation providers for secret liveness testing.",
+    {},
+    async () => {
+      const providers = registry.listProviders().map((p) => ({
+        name: p.name,
+        description: p.description,
+        prefixes: p.prefixes ?? []
+      }));
+      return text(JSON.stringify(providers, null, 2));
+    }
+  );
+  server2.tool(
+    "register_hook",
+    "Register a webhook/callback that fires when a secret is updated, deleted, or rotated. Supports shell commands, HTTP webhooks, and process signals.",
+    {
+      type: z.enum(["shell", "http", "signal"]).describe("Hook type"),
+      key: z.string().optional().describe("Trigger on exact key match"),
+      keyPattern: z.string().optional().describe("Trigger on key glob pattern (e.g. DB_*)"),
+      tag: z.string().optional().describe("Trigger on secrets with this tag"),
+      scope: z.enum(["global", "project"]).optional().describe("Trigger only for this scope"),
+      actions: z.array(z.enum(["write", "delete", "rotate"])).optional().default(["write", "delete", "rotate"]).describe("Which actions trigger this hook"),
+      command: z.string().optional().describe("Shell command to execute (for shell type)"),
+      url: z.string().optional().describe("URL to POST to (for http type)"),
+      signalTarget: z.string().optional().describe("Process name or PID (for signal type)"),
+      signalName: z.string().optional().default("SIGHUP").describe("Signal to send (for signal type)"),
+      description: z.string().optional().describe("Human-readable description")
+    },
+    async (params) => {
+      if (!params.key && !params.keyPattern && !params.tag) {
+        return text("At least one match criterion required: key, keyPattern, or tag", true);
+      }
+      const entry = registerHook({
+        type: params.type,
+        match: {
+          key: params.key,
+          keyPattern: params.keyPattern,
+          tag: params.tag,
+          scope: params.scope,
+          action: params.actions
+        },
+        command: params.command,
+        url: params.url,
+        signal: params.signalTarget ? { target: params.signalTarget, signal: params.signalName } : void 0,
+        description: params.description,
+        enabled: true
+      });
+      return text(JSON.stringify(entry, null, 2));
+    }
+  );
+  server2.tool(
+    "list_hooks",
+    "List all registered secret change hooks with their match criteria, type, and status.",
+    {},
+    async () => {
+      const hooks = listHooks();
+      if (hooks.length === 0) return text("No hooks registered");
+      return text(JSON.stringify(hooks, null, 2));
+    }
+  );
+  server2.tool(
+    "remove_hook",
+    "Remove a registered hook by ID.",
+    {
+      id: z.string().describe("Hook ID to remove")
+    },
+    async (params) => {
+      const removed = removeHook(params.id);
+      return text(
+        removed ? `Removed hook ${params.id}` : `Hook "${params.id}" not found`,
+        !removed
+      );
+    }
+  );
   let dashboardInstance = null;
   server2.tool(
     "status_dashboard",
@@ -719,7 +1290,7 @@ ${preview}`);
       if (dashboardInstance) {
         return text(`Dashboard already running at http://127.0.0.1:${dashboardInstance.port}`);
       }
-      const { startDashboardServer } = await import("./dashboard-QQWKOOI5.js");
+      const { startDashboardServer } = await import("./dashboard-32PCZF7D.js");
       dashboardInstance = startDashboardServer({ port: params.port });
       return text(`Dashboard started at http://127.0.0.1:${dashboardInstance.port}
 Open this URL in a browser to see live quantum status.`);