@i4ctime/q-ring 0.3.2 → 0.4.0

package/dist/index.js

@@ -4,19 +4,28 @@ import {
   collapseEnvironment,
   deleteSecret,
   detectAnomalies,
+  disableHook,
+  disentangleSecrets,
+  enableHook,
   entangleSecrets,
   exportSecrets,
+  fireHooks,
   getEnvelope,
   getSecret,
+  hasSecret,
+  listHooks,
   listSecrets,
   logAudit,
   queryAudit,
+  readProjectConfig,
+  registerHook,
+  removeHook,
   setSecret,
   tunnelCreate,
   tunnelDestroy,
   tunnelList,
   tunnelRead
-} from "./chunk-F4SPZ774.js";
+} from "./chunk-IGNU622R.js";
 
 // src/cli/commands.ts
 import { Command } from "commander";
@@ -207,7 +216,9 @@ function runHealthScan(config = {}) {
         `EXPIRED: ${entry.key} [${entry.scope}] \u2014 expired ${decay.timeRemaining}`
       );
       if (cfg.autoRotate) {
-        const newValue = generateSecret({ format: "api-key" });
+        const fmt = entry.envelope?.meta.rotationFormat ?? "api-key";
+        const prefix = entry.envelope?.meta.rotationPrefix;
+        const newValue = generateSecret({ format: fmt, prefix });
         setSecret(entry.key, newValue, {
           scope: entry.scope,
           projectPath: cfg.projectPaths[0],
@@ -221,6 +232,14 @@ function runHealthScan(config = {}) {
           source: "agent",
           detail: "auto-rotated by agent (expired)"
         });
+        fireHooks({
+          action: "rotate",
+          key: entry.key,
+          scope: entry.scope,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          source: "agent"
+        }, entry.envelope?.meta.tags).catch(() => {
+        });
       }
     } else if (decay.isStale) {
       report.stale++;
@@ -353,6 +372,265 @@ function teleportUnpack(encoded, passphrase) {
   return JSON.parse(decrypted.toString("utf8"));
 }
 
+// src/core/import.ts
+import { readFileSync } from "fs";
+function parseDotenv(content) {
+  const result = /* @__PURE__ */ new Map();
+  const lines = content.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line || line.startsWith("#")) continue;
+    const eqIdx = line.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = line.slice(0, eqIdx).trim();
+    let value = line.slice(eqIdx + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    value = value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\\\/g, "\\").replace(/\\"/g, '"');
+    if (value.includes("#") && !line.includes('"') && !line.includes("'")) {
+      value = value.split("#")[0].trim();
+    }
+    if (key) result.set(key, value);
+  }
+  return result;
+}
+function importDotenv(filePathOrContent, options = {}) {
+  let content;
+  try {
+    content = readFileSync(filePathOrContent, "utf8");
+  } catch {
+    content = filePathOrContent;
+  }
+  const pairs = parseDotenv(content);
+  const result = {
+    imported: [],
+    skipped: [],
+    total: pairs.size
+  };
+  for (const [key, value] of pairs) {
+    if (options.skipExisting && hasSecret(key, {
+      scope: options.scope,
+      projectPath: options.projectPath,
+      source: options.source ?? "cli"
+    })) {
+      result.skipped.push(key);
+      continue;
+    }
+    if (options.dryRun) {
+      result.imported.push(key);
+      continue;
+    }
+    const setOpts = {
+      scope: options.scope ?? "global",
+      projectPath: options.projectPath ?? process.cwd(),
+      source: options.source ?? "cli"
+    };
+    setSecret(key, value, setOpts);
+    result.imported.push(key);
+  }
+  return result;
+}
+
+// src/core/validate.ts
+import { request as httpsRequest } from "https";
+import { request as httpRequest } from "http";
+function makeRequest(url, headers, timeoutMs = 1e4) {
+  return new Promise((resolve, reject) => {
+    const parsedUrl = new URL(url);
+    const reqFn = parsedUrl.protocol === "https:" ? httpsRequest : httpRequest;
+    const req = reqFn(
+      url,
+      { method: "GET", headers, timeout: timeoutMs },
+      (res) => {
+        let body = "";
+        res.on("data", (chunk) => body += chunk);
+        res.on(
+          "end",
+          () => resolve({ statusCode: res.statusCode ?? 0, body })
+        );
+      }
+    );
+    req.on("error", reject);
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("Request timed out"));
+    });
+    req.end();
+  });
+}
+var ProviderRegistry = class {
+  providers = /* @__PURE__ */ new Map();
+  register(provider) {
+    this.providers.set(provider.name, provider);
+  }
+  get(name) {
+    return this.providers.get(name);
+  }
+  detectProvider(value, hints) {
+    if (hints?.provider) {
+      return this.providers.get(hints.provider);
+    }
+    for (const provider of this.providers.values()) {
+      if (provider.prefixes) {
+        for (const pfx of provider.prefixes) {
+          if (value.startsWith(pfx)) return provider;
+        }
+      }
+    }
+    return void 0;
+  }
+  listProviders() {
+    return [...this.providers.values()];
+  }
+};
+var openaiProvider = {
+  name: "openai",
+  description: "OpenAI API key validation",
+  prefixes: ["sk-"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.openai.com/v1/models?limit=1",
+        {
+          Authorization: `Bearer ${value}`,
+          "User-Agent": "q-ring-validator/1.0"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "API key is valid", latencyMs, provider: "openai" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or revoked API key", latencyMs, provider: "openai" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 key may be valid", latencyMs, provider: "openai" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "openai" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "openai" };
+    }
+  }
+};
+var stripeProvider = {
+  name: "stripe",
+  description: "Stripe API key validation",
+  prefixes: ["sk_live_", "sk_test_", "rk_live_", "rk_test_", "pk_live_", "pk_test_"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.stripe.com/v1/balance",
+        {
+          Authorization: `Bearer ${value}`,
+          "User-Agent": "q-ring-validator/1.0"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "API key is valid", latencyMs, provider: "stripe" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or revoked API key", latencyMs, provider: "stripe" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 key may be valid", latencyMs, provider: "stripe" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "stripe" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "stripe" };
+    }
+  }
+};
+var githubProvider = {
+  name: "github",
+  description: "GitHub token validation",
+  prefixes: ["ghp_", "gho_", "ghu_", "ghs_", "ghr_", "github_pat_"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.github.com/user",
+        {
+          Authorization: `token ${value}`,
+          "User-Agent": "q-ring-validator/1.0",
+          Accept: "application/vnd.github+json"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "Token is valid", latencyMs, provider: "github" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or expired token", latencyMs, provider: "github" };
+      if (statusCode === 403)
+        return { valid: false, status: "invalid", message: "Token lacks required permissions", latencyMs, provider: "github" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 token may be valid", latencyMs, provider: "github" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "github" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "github" };
+    }
+  }
+};
+var awsProvider = {
+  name: "aws",
+  description: "AWS access key validation (checks key format only \u2014 full STS validation requires secret key + region)",
+  prefixes: ["AKIA", "ASIA"],
+  async validate(value) {
+    const start = Date.now();
+    const latencyMs = Date.now() - start;
+    if (/^(AKIA|ASIA)[A-Z0-9]{16}$/.test(value)) {
+      return { valid: true, status: "unknown", message: "Valid AWS access key format (STS validation requires secret key)", latencyMs, provider: "aws" };
+    }
+    return { valid: false, status: "invalid", message: "Invalid AWS access key format", latencyMs, provider: "aws" };
+  }
+};
+var httpProvider = {
+  name: "http",
+  description: "Generic HTTP endpoint validation",
+  async validate(value, url) {
+    const start = Date.now();
+    if (!url) {
+      return { valid: false, status: "unknown", message: "No validation URL configured", latencyMs: 0, provider: "http" };
+    }
+    try {
+      const { statusCode } = await makeRequest(url, {
+        Authorization: `Bearer ${value}`,
+        "User-Agent": "q-ring-validator/1.0"
+      });
+      const latencyMs = Date.now() - start;
+      if (statusCode >= 200 && statusCode < 300)
+        return { valid: true, status: "valid", message: `Endpoint returned ${statusCode}`, latencyMs, provider: "http" };
+      if (statusCode === 401 || statusCode === 403)
+        return { valid: false, status: "invalid", message: `Authentication failed (${statusCode})`, latencyMs, provider: "http" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "http" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "http" };
+    }
+  }
+};
+var registry = new ProviderRegistry();
+registry.register(openaiProvider);
+registry.register(stripeProvider);
+registry.register(githubProvider);
+registry.register(awsProvider);
+registry.register(httpProvider);
+async function validateSecret(value, opts) {
+  const provider = opts?.provider ? registry.get(opts.provider) : registry.detectProvider(value);
+  if (!provider) {
+    return {
+      valid: false,
+      status: "unknown",
+      message: "No provider detected \u2014 set a provider in the manifest or secret metadata",
+      latencyMs: 0,
+      provider: "none"
+    };
+  }
+  if (provider.name === "http" && opts?.validationUrl) {
+    return provider.validate(value, opts.validationUrl);
+  }
+  return provider.validate(value);
+}
+
+// src/cli/commands.ts
+import { writeFileSync } from "fs";
+
 // src/utils/prompt.ts
 import { createInterface } from "readline";
 async function promptSecret(message) {
@@ -419,8 +697,8 @@ function buildOpts(cmd) {
 function createProgram() {
   const program2 = new Command().name("qring").description(
     `${c.bold("q-ring")} ${c.dim("\u2014 quantum keyring for AI coding tools")}`
-  ).version("0.2.0");
-  program2.command("set <key> [value]").description("Store a secret (with optional quantum metadata)").option("-g, --global", "Store in global scope").option("-p, --project", "Store in project scope (uses cwd)").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Set value for a specific environment (superposition)").option("--ttl <seconds>", "Time-to-live in seconds (quantum decay)", parseInt).option("--expires <iso>", "Expiry timestamp (ISO 8601)").option("--description <desc>", "Human-readable description").option("--tags <tags>", "Comma-separated tags").action(async (key, value, cmd) => {
+  ).version("0.4.0");
+  program2.command("set <key> [value]").description("Store a secret (with optional quantum metadata)").option("-g, --global", "Store in global scope").option("-p, --project", "Store in project scope (uses cwd)").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Set value for a specific environment (superposition)").option("--ttl <seconds>", "Time-to-live in seconds (quantum decay)", parseInt).option("--expires <iso>", "Expiry timestamp (ISO 8601)").option("--description <desc>", "Human-readable description").option("--tags <tags>", "Comma-separated tags").option("--rotation-format <format>", "Format for auto-rotation (api-key, password, uuid, hex, base64, alphanumeric, token)").option("--rotation-prefix <prefix>", "Prefix for auto-rotation (e.g. sk-)").action(async (key, value, cmd) => {
     const opts = buildOpts(cmd);
     if (!value) {
       value = await promptSecret(`${SYMBOLS.key} Enter value for ${c.bold(key)}: `);
@@ -434,7 +712,9 @@ function createProgram() {
       ttlSeconds: cmd.ttl,
       expiresAt: cmd.expires,
       description: cmd.description,
-      tags: cmd.tags?.split(",").map((t) => t.trim())
+      tags: cmd.tags?.split(",").map((t) => t.trim()),
+      rotationFormat: cmd.rotationFormat,
+      rotationPrefix: cmd.rotationPrefix
     };
     if (cmd.env) {
       const existing = getEnvelope(key, opts);
@@ -478,9 +758,29 @@ function createProgram() {
       process.exit(1);
     }
   });
-  program2.command("list").alias("ls").description("List all secrets with quantum status indicators").option("-g, --global", "List global scope only").option("-p, --project", "List project scope only").option("--project-path <path>", "Explicit project path").option("--show-decay", "Show decay/expiry status").action((cmd) => {
+  program2.command("list").alias("ls").description("List all secrets with quantum status indicators").option("-g, --global", "List global scope only").option("-p, --project", "List project scope only").option("--project-path <path>", "Explicit project path").option("--show-decay", "Show decay/expiry status").option("-t, --tag <tag>", "Filter by tag").option("--expired", "Show only expired secrets").option("--stale", "Show only stale secrets (75%+ decay)").option("-f, --filter <pattern>", "Glob pattern on key name").action((cmd) => {
     const opts = buildOpts(cmd);
-    const entries = listSecrets(opts);
+    let entries = listSecrets(opts);
+    if (cmd.tag) {
+      entries = entries.filter(
+        (e) => e.envelope?.meta.tags?.includes(cmd.tag)
+      );
+    }
+    if (cmd.expired) {
+      entries = entries.filter((e) => e.decay?.isExpired);
+    }
+    if (cmd.stale) {
+      entries = entries.filter(
+        (e) => e.decay?.isStale && !e.decay?.isExpired
+      );
+    }
+    if (cmd.filter) {
+      const regex = new RegExp(
+        "^" + cmd.filter.replace(/\*/g, ".*") + "$",
+        "i"
+      );
+      entries = entries.filter((e) => regex.test(e.key));
+    }
     if (entries.length === 0) {
       console.log(c.dim("No secrets found"));
       return;
@@ -593,11 +893,200 @@ function createProgram() {
     }
     console.log();
   });
-  program2.command("export").description("Export secrets as .env or JSON (collapses superposition)").option("-f, --format <format>", "Output format: env or json", "env").option("-g, --global", "Export global scope only").option("-p, --project", "Export project scope only").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force environment for collapse").action((cmd) => {
+  program2.command("export").description("Export secrets as .env or JSON (collapses superposition)").option("-f, --format <format>", "Output format: env or json", "env").option("-g, --global", "Export global scope only").option("-p, --project", "Export project scope only").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force environment for collapse").option("-k, --keys <keys>", "Comma-separated key names to export").option("-t, --tags <tags>", "Comma-separated tags to filter by").action((cmd) => {
     const opts = buildOpts(cmd);
-    const output = exportSecrets({ ...opts, format: cmd.format });
+    const output = exportSecrets({
+      ...opts,
+      format: cmd.format,
+      keys: cmd.keys?.split(",").map((k) => k.trim()),
+      tags: cmd.tags?.split(",").map((t) => t.trim())
+    });
     process.stdout.write(output + "\n");
   });
+  program2.command("import <file>").description("Import secrets from a .env file").option("-g, --global", "Import to global scope").option("-p, --project", "Import to project scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Environment context").option("--skip-existing", "Skip keys that already exist").option("--dry-run", "Preview what would be imported without saving").action((file, cmd) => {
+    const opts = buildOpts(cmd);
+    const result = importDotenv(file, {
+      scope: opts.scope,
+      projectPath: opts.projectPath,
+      source: "cli",
+      skipExisting: cmd.skipExisting,
+      dryRun: cmd.dryRun
+    });
+    if (cmd.dryRun) {
+      console.log(
+        `
+  ${SYMBOLS.package} ${c.bold("Dry run")} \u2014 would import ${result.imported.length} of ${result.total} secrets:
+`
+      );
+      for (const key of result.imported) {
+        console.log(`  ${SYMBOLS.key} ${c.bold(key)}`);
+      }
+      if (result.skipped.length > 0) {
+        console.log(`
+  ${c.dim(`Skipped (existing): ${result.skipped.join(", ")}`)}`);
+      }
+    } else {
+      console.log(
+        `${SYMBOLS.check} ${c.green("imported")} ${result.imported.length} secret(s) from ${c.bold(file)}`
+      );
+      if (result.skipped.length > 0) {
+        console.log(
+          c.dim(`  skipped ${result.skipped.length} existing: ${result.skipped.join(", ")}`)
+        );
+      }
+    }
+    console.log();
+  });
+  program2.command("check").description("Validate project secrets against .q-ring.json manifest").option("--project-path <path>", "Project path (defaults to cwd)").action((cmd) => {
+    const projectPath = cmd.projectPath ?? process.cwd();
+    const config = readProjectConfig(projectPath);
+    if (!config?.secrets || Object.keys(config.secrets).length === 0) {
+      console.error(
+        c.red(`${SYMBOLS.cross} No secrets manifest found in .q-ring.json`)
+      );
+      console.log(
+        c.dim('  Add a "secrets" field to your .q-ring.json to define required secrets.')
+      );
+      process.exit(1);
+    }
+    console.log(
+      c.bold(`
+  ${SYMBOLS.shield} Project secret manifest check
+`)
+    );
+    let present = 0;
+    let missing = 0;
+    let expiredCount = 0;
+    let staleCount = 0;
+    for (const [key, manifest] of Object.entries(config.secrets)) {
+      const result = getEnvelope(key, { projectPath, source: "cli" });
+      if (!result) {
+        if (manifest.required !== false) {
+          missing++;
+          console.log(
+            `  ${c.red(SYMBOLS.cross)} ${c.bold(key)} ${c.red("MISSING")} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+          );
+        } else {
+          console.log(
+            `  ${c.dim(SYMBOLS.cross)} ${c.bold(key)} ${c.dim("optional, not set")} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+          );
+        }
+        continue;
+      }
+      const decay = checkDecay(result.envelope);
+      if (decay.isExpired) {
+        expiredCount++;
+        console.log(
+          `  ${c.red(SYMBOLS.warning)} ${c.bold(key)} ${c.bgRed(c.white(" EXPIRED "))} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+        );
+      } else if (decay.isStale) {
+        staleCount++;
+        console.log(
+          `  ${c.yellow(SYMBOLS.warning)} ${c.bold(key)} ${c.yellow(`stale (${decay.lifetimePercent}%)`)} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+        );
+      } else {
+        present++;
+        console.log(
+          `  ${c.green(SYMBOLS.check)} ${c.bold(key)} ${c.green("OK")} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+        );
+      }
+    }
+    const total = Object.keys(config.secrets).length;
+    console.log(
+      `
+  ${c.bold(`${total} declared`)}  ${c.green(`${present} present`)}  ${c.yellow(`${staleCount} stale`)}  ${c.red(`${expiredCount} expired`)}  ${c.red(`${missing} missing`)}`
+    );
+    if (missing > 0) {
+      console.log(
+        `
+  ${c.red("Project is NOT ready \u2014 missing required secrets.")}`
+      );
+    } else if (expiredCount > 0) {
+      console.log(
+        `
+  ${c.yellow("Project has expired secrets that need rotation.")}`
+      );
+    } else {
+      console.log(
+        `
+  ${c.green(`${SYMBOLS.check} Project is ready \u2014 all required secrets present.`)}`
+      );
+    }
+    console.log();
+    if (missing > 0) process.exit(1);
+  });
+  program2.command("validate [key]").description("Test if a secret is actually valid with its target service").option("-g, --global", "Global scope only").option("-p, --project", "Project scope only").option("--project-path <path>", "Explicit project path").option("--provider <name>", "Force a specific provider (openai, stripe, github, aws, http)").option("--all", "Validate all secrets that have a detectable provider").option("--manifest", "Only validate manifest-declared secrets (with --all)").option("--list-providers", "List all available providers").action(async (key, cmd) => {
+    if (cmd.listProviders) {
+      console.log(c.bold(`
+  ${SYMBOLS.shield} Available validation providers
+`));
+      for (const p of registry.listProviders()) {
+        const prefixes = p.prefixes?.length ? c.dim(` (${p.prefixes.join(", ")})`) : "";
+        console.log(`  ${c.cyan(p.name.padEnd(10))} ${p.description}${prefixes}`);
+      }
+      console.log();
+      return;
+    }
+    if (!key && !cmd.all) {
+      console.error(c.red(`${SYMBOLS.cross} Provide a key name or use --all`));
+      process.exit(1);
+    }
+    const opts = buildOpts(cmd);
+    if (cmd.all) {
+      let entries = listSecrets(opts);
+      const projectPath = cmd.projectPath ?? process.cwd();
+      if (cmd.manifest) {
+        const config = readProjectConfig(projectPath);
+        if (config?.secrets) {
+          const manifestKeys = new Set(Object.keys(config.secrets));
+          entries = entries.filter((e) => manifestKeys.has(e.key));
+        }
+      }
+      console.log(c.bold(`
+  ${SYMBOLS.shield} Validating secrets
+`));
+      let validated = 0;
+      let skipped = 0;
+      for (const entry of entries) {
+        const value2 = getSecret(entry.key, { ...opts, scope: entry.scope });
+        if (!value2) {
+          skipped++;
+          continue;
+        }
+        const provHint2 = entry.envelope?.meta.provider ?? cmd.provider;
+        const result2 = await validateSecret(value2, { provider: provHint2 });
+        if (result2.status === "unknown") {
+          skipped++;
+          continue;
+        }
+        validated++;
+        const icon2 = result2.status === "valid" ? c.green(SYMBOLS.check) : result2.status === "invalid" ? c.red(SYMBOLS.cross) : c.yellow(SYMBOLS.warning);
+        const statusText = result2.status === "valid" ? c.green("valid") : result2.status === "invalid" ? c.red("invalid") : c.yellow("error");
+        console.log(
+          `  ${icon2} ${c.bold(entry.key.padEnd(24))} ${statusText}  ${c.dim(`(${result2.provider}, ${result2.latencyMs}ms)`)}${result2.status !== "valid" ? ` ${c.dim("\u2014 " + result2.message)}` : ""}`
+        );
+      }
+      console.log(`
+  ${c.dim(`${validated} validated, ${skipped} skipped (no provider)`)}
+`);
+      return;
+    }
+    const value = getSecret(key, opts);
+    if (!value) {
+      console.error(c.red(`${SYMBOLS.cross} Secret "${key}" not found`));
+      process.exit(1);
+    }
+    const envelope = getEnvelope(key, opts);
+    const provHint = envelope?.envelope.meta.provider ?? cmd.provider;
+    const result = await validateSecret(value, { provider: provHint });
+    const icon = result.status === "valid" ? c.green(SYMBOLS.check) : result.status === "invalid" ? c.red(SYMBOLS.cross) : result.status === "error" ? c.yellow(SYMBOLS.warning) : c.dim("\u25CB");
+    console.log(`
+  ${icon} ${c.bold(key)}  ${result.status}  ${c.dim(`(${result.provider}, ${result.latencyMs}ms)`)}`);
+    if (result.message && result.status !== "valid") {
+      console.log(`    ${c.dim(result.message)}`);
+    }
+    console.log();
+  });
   program2.command("env").description("Show detected environment (wavefunction collapse context)").option("--project-path <path>", "Project path for detection").action((cmd) => {
     const result = collapseEnvironment({
       projectPath: cmd.projectPath ?? process.cwd()
@@ -657,6 +1146,24 @@ ${c.dim(`format: ${cmd.format} | entropy: ~${entropy} bits`)}`
       );
     }
   );
+  program2.command("disentangle <sourceKey> <targetKey>").description("Unlink two entangled secrets").option("-g, --global", "Both in global scope").option("--source-project <path>", "Source project path").option("--target-project <path>", "Target project path").action(
+    (sourceKey, targetKey, cmd) => {
+      const sourceOpts = {
+        scope: cmd.sourceProject ? "project" : "global",
+        projectPath: cmd.sourceProject ?? process.cwd(),
+        source: "cli"
+      };
+      const targetOpts = {
+        scope: cmd.targetProject ? "project" : "global",
+        projectPath: cmd.targetProject ?? process.cwd(),
+        source: "cli"
+      };
+      disentangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts);
+      console.log(
+        `${SYMBOLS.link} ${c.yellow("disentangled")} ${c.bold(sourceKey)} ${SYMBOLS.arrow} ${c.bold(targetKey)}`
+      );
+    }
+  );
   const tunnel = program2.command("tunnel").description("Ephemeral in-memory secrets (quantum tunneling)");
   tunnel.command("create <value>").description("Create a tunneled secret (returns tunnel ID)").option("--ttl <seconds>", "Auto-expire after N seconds", parseInt).option("--max-reads <n>", "Self-destruct after N reads", parseInt).action((value, cmd) => {
     const id = tunnelCreate(value, {
@@ -884,8 +1391,166 @@ ${SYMBOLS.warning} ${c.bold(c.yellow(`${anomalies.length} anomaly/anomalies dete
     }
     console.log();
   });
+  const hook = program2.command("hook").description("Manage secret change hooks (callbacks on write/delete/rotate)");
+  hook.command("add").description("Register a new hook").option("--key <key>", "Trigger on exact key match").option("--key-pattern <pattern>", "Trigger on key glob pattern (e.g. DB_*)").option("--tag <tag>", "Trigger on secrets with this tag").option("--scope <scope>", "Trigger only for this scope (global or project)").option("--action <actions>", "Comma-separated actions: write,delete,rotate", "write,delete,rotate").option("--exec <command>", "Shell command to execute").option("--url <url>", "HTTP URL to POST to").option("--signal-target <target>", "Process name or PID to signal").option("--signal-name <signal>", "Signal to send (default: SIGHUP)", "SIGHUP").option("--description <desc>", "Human-readable description").action((cmd) => {
+    let type;
+    if (cmd.exec) type = "shell";
+    else if (cmd.url) type = "http";
+    else if (cmd.signalTarget) type = "signal";
+    else {
+      console.error(c.red(`${SYMBOLS.cross} Specify --exec, --url, or --signal-target`));
+      process.exit(1);
+    }
+    if (!cmd.key && !cmd.keyPattern && !cmd.tag) {
+      console.error(c.red(`${SYMBOLS.cross} Specify at least one match criterion: --key, --key-pattern, or --tag`));
+      process.exit(1);
+    }
+    const actions = cmd.action.split(",").map((a) => a.trim());
+    const entry = registerHook({
+      type,
+      match: {
+        key: cmd.key,
+        keyPattern: cmd.keyPattern,
+        tag: cmd.tag,
+        scope: cmd.scope,
+        action: actions
+      },
+      command: cmd.exec,
+      url: cmd.url,
+      signal: cmd.signalTarget ? { target: cmd.signalTarget, signal: cmd.signalName } : void 0,
+      description: cmd.description,
+      enabled: true
+    });
+    console.log(`${SYMBOLS.check} ${c.green("registered")} hook ${c.bold(entry.id)} (${type})`);
+    if (cmd.key) console.log(c.dim(`  key: ${cmd.key}`));
+    if (cmd.keyPattern) console.log(c.dim(`  pattern: ${cmd.keyPattern}`));
+    if (cmd.tag) console.log(c.dim(`  tag: ${cmd.tag}`));
+  });
+  hook.command("list").alias("ls").description("List all registered hooks").action(() => {
+    const hooks = listHooks();
+    if (hooks.length === 0) {
+      console.log(c.dim("No hooks registered"));
+      return;
+    }
+    console.log(c.bold(`
+  ${SYMBOLS.zap} Registered hooks (${hooks.length})
+`));
+    for (const h of hooks) {
+      const status = h.enabled ? c.green("on") : c.red("off");
+      const matchParts = [];
+      if (h.match.key) matchParts.push(`key=${h.match.key}`);
+      if (h.match.keyPattern) matchParts.push(`pattern=${h.match.keyPattern}`);
+      if (h.match.tag) matchParts.push(`tag=${h.match.tag}`);
+      if (h.match.scope) matchParts.push(`scope=${h.match.scope}`);
+      if (h.match.action?.length) matchParts.push(`actions=${h.match.action.join(",")}`);
+      const target = h.type === "shell" ? h.command : h.type === "http" ? h.url : h.signal ? `${h.signal.target} (${h.signal.signal ?? "SIGHUP"})` : "?";
+      console.log(`  ${c.bold(h.id)}  [${status}]  ${c.cyan(h.type)}  ${c.dim(matchParts.join(" "))}`);
+      console.log(`    ${c.dim("\u2192")} ${target}${h.description ? `  ${c.dim(`\u2014 ${h.description}`)}` : ""}`);
+    }
+    console.log();
+  });
+  hook.command("remove <id>").alias("rm").description("Remove a hook by ID").action((id) => {
+    if (removeHook(id)) {
+      console.log(`${SYMBOLS.check} ${c.green("removed")} hook ${c.bold(id)}`);
+    } else {
+      console.error(c.red(`${SYMBOLS.cross} Hook "${id}" not found`));
+      process.exit(1);
+    }
+  });
+  hook.command("enable <id>").description("Enable a hook").action((id) => {
+    if (enableHook(id)) {
+      console.log(`${SYMBOLS.check} ${c.green("enabled")} hook ${c.bold(id)}`);
+    } else {
+      console.error(c.red(`${SYMBOLS.cross} Hook "${id}" not found`));
+      process.exit(1);
+    }
+  });
+  hook.command("disable <id>").description("Disable a hook").action((id) => {
+    if (disableHook(id)) {
+      console.log(`${SYMBOLS.check} ${c.yellow("disabled")} hook ${c.bold(id)}`);
+    } else {
+      console.error(c.red(`${SYMBOLS.cross} Hook "${id}" not found`));
+      process.exit(1);
+    }
+  });
+  hook.command("test <id>").description("Dry-run a hook with a mock payload").action(async (id) => {
+    const hooks = listHooks();
+    const h = hooks.find((hook2) => hook2.id === id);
+    if (!h) {
+      console.error(c.red(`${SYMBOLS.cross} Hook "${id}" not found`));
+      process.exit(1);
+    }
+    console.log(c.dim(`Testing hook ${id} (${h.type})...
+`));
+    const payload = {
+      action: "write",
+      key: h.match.key ?? "TEST_KEY",
+      scope: h.match.scope ?? "global",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      source: "cli"
+    };
+    const results = await fireHooks(payload);
+    const result = results.find((r) => r.hookId === id);
+    if (result) {
+      const icon = result.success ? c.green(SYMBOLS.check) : c.red(SYMBOLS.cross);
+      console.log(`  ${icon} ${result.message}`);
+    } else {
+      console.log(c.yellow(`  ${SYMBOLS.warning} Hook did not match the test payload`));
+    }
+    console.log();
+  });
+  program2.command("env:generate").description("Generate a .env file from the project manifest (.q-ring.json)").option("--project-path <path>", "Project path (defaults to cwd)").option("-o, --output <file>", "Output file path (defaults to stdout)").option("-e, --env <env>", "Force environment for superposition collapse").action((cmd) => {
+    const projectPath = cmd.projectPath ?? process.cwd();
+    const config = readProjectConfig(projectPath);
+    if (!config?.secrets || Object.keys(config.secrets).length === 0) {
+      console.error(
+        c.red(`${SYMBOLS.cross} No secrets manifest found in .q-ring.json`)
+      );
+      process.exit(1);
+    }
+    const opts = buildOpts(cmd);
+    const lines = [];
+    const warnings = [];
+    for (const [key, manifest] of Object.entries(config.secrets)) {
+      const value = getSecret(key, { ...opts, projectPath, source: "cli" });
+      if (value === null) {
+        if (manifest.required !== false) {
+          warnings.push(`MISSING (required): ${key}`);
+        }
+        lines.push(`# ${key}= ${manifest.description ? `# ${manifest.description}` : ""}`);
+        continue;
+      }
+      const result = getEnvelope(key, { projectPath, source: "cli" });
+      if (result) {
+        const decay = checkDecay(result.envelope);
+        if (decay.isExpired) {
+          warnings.push(`EXPIRED: ${key}`);
+        } else if (decay.isStale) {
+          warnings.push(`STALE (${decay.lifetimePercent}%): ${key}`);
+        }
+      }
+      const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n");
+      lines.push(`${key}="${escaped}"`);
+    }
+    const output = lines.join("\n") + "\n";
+    if (cmd.output) {
+      writeFileSync(cmd.output, output);
+      console.log(
+        `${SYMBOLS.check} ${c.green("generated")} ${c.bold(cmd.output)} (${Object.keys(config.secrets).length} keys)`
+      );
+    } else {
+      process.stdout.write(output);
+    }
+    if (warnings.length > 0 && process.stderr.isTTY) {
+      console.error();
+      for (const w of warnings) {
+        console.error(`  ${c.yellow(SYMBOLS.warning)} ${w}`);
+      }
+      console.error();
+    }
+  });
   program2.command("status").description("Launch the quantum status dashboard in your browser").option("--port <port>", "Port to serve on", "9876").option("--no-open", "Don't auto-open the browser").action(async (cmd) => {
-    const { startDashboardServer } = await import("./dashboard-X3ONQFLV.js");
+    const { startDashboardServer } = await import("./dashboard-HVIQO6NT.js");
     const { exec } = await import("child_process");
     const { platform } = await import("os");
     const port = Number(cmd.port);