@i4ctime/q-ring 0.3.2 → 0.9.1

package/dist/index.js

@@ -1,22 +1,41 @@
 #!/usr/bin/env node
 import {
   checkDecay,
+  checkExecPolicy,
   collapseEnvironment,
   deleteSecret,
   detectAnomalies,
+  disableHook,
+  disentangleSecrets,
+  enableHook,
   entangleSecrets,
+  exportAudit,
   exportSecrets,
+  fireHooks,
   getEnvelope,
+  getExecMaxRuntime,
+  getPolicySummary,
   getSecret,
+  grantApproval,
+  hasSecret,
+  httpRequest_,
+  listApprovals,
+  listHooks,
   listSecrets,
   logAudit,
   queryAudit,
+  readProjectConfig,
+  registerHook,
+  registry,
+  removeHook,
+  revokeApproval,
   setSecret,
   tunnelCreate,
   tunnelDestroy,
   tunnelList,
-  tunnelRead
-} from "./chunk-F4SPZ774.js";
+  tunnelRead,
+  verifyAuditChain
+} from "./chunk-WG4ZKN7Q.js";
 
 // src/cli/commands.ts
 import { Command } from "commander";
@@ -207,7 +226,9 @@ function runHealthScan(config = {}) {
         `EXPIRED: ${entry.key} [${entry.scope}] \u2014 expired ${decay.timeRemaining}`
       );
       if (cfg.autoRotate) {
-        const newValue = generateSecret({ format: "api-key" });
+        const fmt = entry.envelope?.meta.rotationFormat ?? "api-key";
+        const prefix = entry.envelope?.meta.rotationPrefix;
+        const newValue = generateSecret({ format: fmt, prefix });
         setSecret(entry.key, newValue, {
           scope: entry.scope,
           projectPath: cfg.projectPaths[0],
@@ -221,6 +242,14 @@ function runHealthScan(config = {}) {
           source: "agent",
           detail: "auto-rotated by agent (expired)"
         });
+        fireHooks({
+          action: "rotate",
+          key: entry.key,
+          scope: entry.scope,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          source: "agent"
+        }, entry.envelope?.meta.tags).catch(() => {
+        });
       }
     } else if (decay.isStale) {
       report.stale++;
@@ -353,6 +382,937 @@ function teleportUnpack(encoded, passphrase) {
   return JSON.parse(decrypted.toString("utf8"));
 }
 
+// src/core/import.ts
+import { readFileSync } from "fs";
+function parseDotenv(content) {
+  const result = /* @__PURE__ */ new Map();
+  const lines = content.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line || line.startsWith("#")) continue;
+    const eqIdx = line.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = line.slice(0, eqIdx).trim();
+    let value = line.slice(eqIdx + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    value = value.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\\\/g, "\\").replace(/\\"/g, '"');
+    if (value.includes("#") && !line.includes('"') && !line.includes("'")) {
+      value = value.split("#")[0].trim();
+    }
+    if (key) result.set(key, value);
+  }
+  return result;
+}
+function importDotenv(filePathOrContent, options = {}) {
+  let content;
+  try {
+    content = readFileSync(filePathOrContent, "utf8");
+  } catch {
+    content = filePathOrContent;
+  }
+  const pairs = parseDotenv(content);
+  const result = {
+    imported: [],
+    skipped: [],
+    total: pairs.size
+  };
+  for (const [key, value] of pairs) {
+    if (options.skipExisting && hasSecret(key, {
+      scope: options.scope,
+      projectPath: options.projectPath,
+      source: options.source ?? "cli"
+    })) {
+      result.skipped.push(key);
+      continue;
+    }
+    if (options.dryRun) {
+      result.imported.push(key);
+      continue;
+    }
+    const setOpts = {
+      scope: options.scope ?? "global",
+      projectPath: options.projectPath ?? process.cwd(),
+      source: options.source ?? "cli"
+    };
+    setSecret(key, value, setOpts);
+    result.imported.push(key);
+  }
+  return result;
+}
+
+// src/core/exec.ts
+import { spawn } from "child_process";
+import { Transform } from "stream";
+var BUILTIN_PROFILES = {
+  unrestricted: { name: "unrestricted" },
+  restricted: {
+    name: "restricted",
+    denyCommands: ["curl", "wget", "ssh", "scp", "nc", "netcat", "ncat"],
+    maxRuntimeSeconds: 30,
+    allowNetwork: false,
+    stripEnvVars: ["HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY"]
+  },
+  ci: {
+    name: "ci",
+    maxRuntimeSeconds: 300,
+    allowNetwork: true,
+    denyCommands: ["rm -rf /", "mkfs", "dd if="]
+  }
+};
+function getProfile(name) {
+  if (!name) return BUILTIN_PROFILES.unrestricted;
+  return BUILTIN_PROFILES[name] ?? { name };
+}
+var RedactionTransform = class extends Transform {
+  patterns = [];
+  tail = "";
+  maxLen = 0;
+  constructor(secretsToRedact) {
+    super();
+    const validSecrets = secretsToRedact.filter((s) => s.length > 5);
+    validSecrets.sort((a, b) => b.length - a.length);
+    this.patterns = validSecrets.map((s) => ({
+      value: s,
+      replacement: "[QRING:REDACTED]"
+    }));
+    if (validSecrets.length > 0) {
+      this.maxLen = validSecrets[0].length;
+    }
+  }
+  _transform(chunk, encoding, callback) {
+    if (this.patterns.length === 0) {
+      this.push(chunk);
+      return callback();
+    }
+    const text = this.tail + chunk.toString();
+    let redacted = text;
+    for (const { value, replacement } of this.patterns) {
+      redacted = redacted.split(value).join(replacement);
+    }
+    if (redacted.length < this.maxLen) {
+      this.tail = redacted;
+      return callback();
+    }
+    const outputLen = redacted.length - this.maxLen + 1;
+    const output = redacted.slice(0, outputLen);
+    this.tail = redacted.slice(outputLen);
+    this.push(output);
+    callback();
+  }
+  _flush(callback) {
+    if (this.tail) {
+      let final = this.tail;
+      for (const { value, replacement } of this.patterns) {
+        final = final.split(value).join(replacement);
+      }
+      this.push(final);
+    }
+    callback();
+  }
+};
+async function execCommand(opts) {
+  const profile = getProfile(opts.profile);
+  const fullCommand = [opts.command, ...opts.args].join(" ");
+  const policyDecision = checkExecPolicy(fullCommand, opts.projectPath);
+  if (!policyDecision.allowed) {
+    throw new Error(`Policy Denied: ${policyDecision.reason}`);
+  }
+  if (profile.denyCommands) {
+    const denied = profile.denyCommands.find((d) => fullCommand.includes(d));
+    if (denied) {
+      throw new Error(`Exec profile "${profile.name}" denies command containing "${denied}"`);
+    }
+  }
+  if (profile.allowCommands) {
+    const allowed = profile.allowCommands.some((a) => fullCommand.startsWith(a));
+    if (!allowed) {
+      throw new Error(`Exec profile "${profile.name}" does not allow command "${opts.command}"`);
+    }
+  }
+  const envMap = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0) envMap[k] = v;
+  }
+  if (profile.stripEnvVars) {
+    for (const key of profile.stripEnvVars) {
+      delete envMap[key];
+    }
+  }
+  const secretsToRedact = /* @__PURE__ */ new Set();
+  let entries = listSecrets({
+    scope: opts.scope,
+    projectPath: opts.projectPath,
+    source: opts.source ?? "cli",
+    silent: true
+    // list silently
+  });
+  if (opts.keys?.length) {
+    const keySet = new Set(opts.keys);
+    entries = entries.filter((e) => keySet.has(e.key));
+  }
+  if (opts.tags?.length) {
+    entries = entries.filter(
+      (e) => opts.tags.some((t) => e.envelope?.meta.tags?.includes(t))
+    );
+  }
+  for (const entry of entries) {
+    if (entry.envelope) {
+      const decay = checkDecay(entry.envelope);
+      if (decay.isExpired) continue;
+    }
+    const val = getSecret(entry.key, {
+      scope: entry.scope,
+      projectPath: opts.projectPath,
+      env: opts.env,
+      source: opts.source ?? "cli",
+      silent: false
+      // Log access for execution
+    });
+    if (val !== null) {
+      envMap[entry.key] = val;
+      if (val.length > 5) {
+        secretsToRedact.add(val);
+      }
+    }
+  }
+  const maxRuntime = profile.maxRuntimeSeconds ?? getExecMaxRuntime(opts.projectPath);
+  return new Promise((resolve, reject) => {
+    const networkTools = /* @__PURE__ */ new Set([
+      "curl",
+      "wget",
+      "ping",
+      "nc",
+      "netcat",
+      "ssh",
+      "telnet",
+      "ftp",
+      "dig",
+      "nslookup"
+    ]);
+    if (profile.allowNetwork === false && networkTools.has(opts.command)) {
+      const msg = `[QRING] Execution blocked: network access is disabled for profile "${profile.name}", command "${opts.command}" is considered network-related`;
+      if (opts.captureOutput) {
+        return resolve({ code: 126, stdout: "", stderr: msg });
+      }
+      process.stderr.write(msg + "\n");
+      return resolve({ code: 126, stdout: "", stderr: "" });
+    }
+    const child = spawn(opts.command, opts.args, {
+      env: envMap,
+      stdio: ["inherit", "pipe", "pipe"],
+      shell: false
+    });
+    let timedOut = false;
+    let timer;
+    if (maxRuntime) {
+      timer = setTimeout(() => {
+        timedOut = true;
+        child.kill("SIGKILL");
+      }, maxRuntime * 1e3);
+    }
+    const stdoutRedact = new RedactionTransform([...secretsToRedact]);
+    const stderrRedact = new RedactionTransform([...secretsToRedact]);
+    if (child.stdout) child.stdout.pipe(stdoutRedact);
+    if (child.stderr) child.stderr.pipe(stderrRedact);
+    let stdoutStr = "";
+    let stderrStr = "";
+    if (opts.captureOutput) {
+      stdoutRedact.on("data", (d) => stdoutStr += d.toString());
+      stderrRedact.on("data", (d) => stderrStr += d.toString());
+    } else {
+      stdoutRedact.pipe(process.stdout);
+      stderrRedact.pipe(process.stderr);
+    }
+    child.on("close", (code) => {
+      if (timer) clearTimeout(timer);
+      if (timedOut) {
+        resolve({ code: 124, stdout: stdoutStr, stderr: stderrStr + `
+[QRING] Process killed: exceeded ${maxRuntime}s runtime limit` });
+      } else {
+        resolve({ code: code ?? 0, stdout: stdoutStr, stderr: stderrStr });
+      }
+    });
+    child.on("error", (err) => {
+      if (timer) clearTimeout(timer);
+      reject(err);
+    });
+  });
+}
+
+// src/core/scan.ts
+import { readFileSync as readFileSync2, readdirSync, statSync } from "fs";
+import { join } from "path";
+var IGNORE_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  ".next",
+  "dist",
+  "build",
+  "coverage",
+  ".cursor",
+  "venv",
+  "__pycache__"
+]);
+var IGNORE_EXTS = /* @__PURE__ */ new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".ico",
+  ".svg",
+  ".webp",
+  ".mp4",
+  ".mp3",
+  ".wav",
+  ".ogg",
+  ".pdf",
+  ".zip",
+  ".tar",
+  ".gz",
+  ".xz",
+  ".ttf",
+  ".woff",
+  ".woff2",
+  ".eot",
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".lock"
+]);
+var SECRET_KEYWORDS = /((?:api_?key|secret|token|password|auth|credential|access_?key)[a-z0-9_]*)\s*[:=]\s*(['"])([^'"]+)\2/i;
+function calculateEntropy(str) {
+  if (!str) return 0;
+  const len = str.length;
+  const frequencies = /* @__PURE__ */ new Map();
+  for (let i = 0; i < len; i++) {
+    const char = str[i];
+    frequencies.set(char, (frequencies.get(char) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of frequencies.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function scanCodebase(dir) {
+  const results = [];
+  function walk(currentDir) {
+    let entries;
+    try {
+      entries = readdirSync(currentDir);
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (IGNORE_DIRS.has(entry)) continue;
+      const fullPath = join(currentDir, entry);
+      let stat;
+      try {
+        stat = statSync(fullPath);
+      } catch {
+        continue;
+      }
+      if (stat.isDirectory()) {
+        walk(fullPath);
+      } else if (stat.isFile()) {
+        const ext = fullPath.slice(fullPath.lastIndexOf(".")).toLowerCase();
+        if (IGNORE_EXTS.has(ext) || entry.endsWith(".lock")) continue;
+        let content;
+        try {
+          content = readFileSync2(fullPath, "utf8");
+        } catch {
+          continue;
+        }
+        if (content.includes("\0")) continue;
+        const lines = content.split(/\r?\n/);
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.length > 500) continue;
+          const match = line.match(SECRET_KEYWORDS);
+          if (match) {
+            const varName = match[1];
+            const value = match[3];
+            if (value.length < 8) continue;
+            const lowerValue = value.toLowerCase();
+            if (lowerValue.includes("example") || lowerValue.includes("your_") || lowerValue.includes("placeholder") || lowerValue.includes("replace_me")) {
+              continue;
+            }
+            const entropy = calculateEntropy(value);
+            if (entropy > 3.5 || value.startsWith("sk-") || value.startsWith("ghp_")) {
+              const relPath = fullPath.startsWith(dir) ? fullPath.slice(dir.length).replace(/^[/\\]+/, "") : fullPath;
+              results.push({
+                file: relPath || fullPath,
+                line: i + 1,
+                keyName: varName,
+                match: value,
+                context: line.trim(),
+                entropy: parseFloat(entropy.toFixed(2))
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  walk(dir);
+  return results;
+}
+
+// src/core/linter.ts
+import { readFileSync as readFileSync3, writeFileSync, existsSync } from "fs";
+import { basename, extname } from "path";
+var ENV_REF_BY_EXT = {
+  ".ts": (k) => `process.env.${k}`,
+  ".tsx": (k) => `process.env.${k}`,
+  ".js": (k) => `process.env.${k}`,
+  ".jsx": (k) => `process.env.${k}`,
+  ".mjs": (k) => `process.env.${k}`,
+  ".cjs": (k) => `process.env.${k}`,
+  ".py": (k) => `os.environ["${k}"]`,
+  ".rb": (k) => `ENV["${k}"]`,
+  ".go": (k) => `os.Getenv("${k}")`,
+  ".rs": (k) => `std::env::var("${k}")`,
+  ".java": (k) => `System.getenv("${k}")`,
+  ".kt": (k) => `System.getenv("${k}")`,
+  ".cs": (k) => `Environment.GetEnvironmentVariable("${k}")`,
+  ".php": (k) => `getenv('${k}')`,
+  ".sh": (k) => `\${${k}}`,
+  ".bash": (k) => `\${${k}}`
+};
+function getEnvRef(filePath, keyName) {
+  const ext = extname(filePath).toLowerCase();
+  const formatter = ENV_REF_BY_EXT[ext];
+  return formatter ? formatter(keyName) : `process.env.${keyName}`;
+}
+function lintFiles(files, opts = {}) {
+  const results = [];
+  for (const file of files) {
+    if (!existsSync(file)) continue;
+    let content;
+    try {
+      content = readFileSync3(file, "utf8");
+    } catch {
+      continue;
+    }
+    if (content.includes("\0")) continue;
+    const SECRET_KEYWORDS2 = /((?:api_?key|secret|token|password|auth|credential|access_?key)[a-z0-9_]*)\s*[:=]\s*(['"])([^'"]+)\2/gi;
+    const lines = content.split(/\r?\n/);
+    const fixes = [];
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.length > 500) continue;
+      let match;
+      SECRET_KEYWORDS2.lastIndex = 0;
+      while ((match = SECRET_KEYWORDS2.exec(line)) !== null) {
+        const varName = match[1].toUpperCase();
+        const quote = match[2];
+        const value = match[3];
+        if (value.length < 8) continue;
+        const lv = value.toLowerCase();
+        if (lv.includes("example") || lv.includes("your_") || lv.includes("placeholder") || lv.includes("replace_me") || lv.includes("xxx")) continue;
+        const entropy = calculateEntropy2(value);
+        if (entropy <= 3.5 && !value.startsWith("sk-") && !value.startsWith("ghp_")) continue;
+        const shouldFix = opts.fix === true;
+        if (shouldFix) {
+          const envRef = getEnvRef(file, varName);
+          fixes.push({
+            line: i,
+            original: `${quote}${value}${quote}`,
+            replacement: envRef,
+            keyName: varName,
+            value
+          });
+        }
+        results.push({
+          file,
+          line: i + 1,
+          keyName: varName,
+          match: value,
+          context: line.trim(),
+          entropy: parseFloat(entropy.toFixed(2)),
+          fixed: shouldFix
+        });
+      }
+    }
+    if (opts.fix && fixes.length > 0) {
+      const fixLines = content.split(/\r?\n/);
+      for (const fix of fixes.reverse()) {
+        const lineIdx = fix.line;
+        if (lineIdx >= 0 && lineIdx < fixLines.length) {
+          fixLines[lineIdx] = fixLines[lineIdx].replace(fix.original, fix.replacement);
+        }
+        if (!hasSecret(fix.keyName, { scope: opts.scope, projectPath: opts.projectPath })) {
+          setSecret(fix.keyName, fix.value, {
+            scope: opts.scope ?? "global",
+            projectPath: opts.projectPath,
+            source: "cli",
+            description: `Auto-imported from ${basename(file)}:${fix.line + 1}`
+          });
+        }
+      }
+      writeFileSync(file, fixLines.join("\n"), "utf8");
+    }
+  }
+  return results;
+}
+function calculateEntropy2(str) {
+  if (!str) return 0;
+  const len = str.length;
+  const frequencies = /* @__PURE__ */ new Map();
+  for (let i = 0; i < len; i++) {
+    const ch = str[i];
+    frequencies.set(ch, (frequencies.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of frequencies.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+// src/core/validate.ts
+function makeRequest(url, headers, timeoutMs = 1e4) {
+  return httpRequest_({ url, method: "GET", headers, timeoutMs });
+}
+var ProviderRegistry = class {
+  providers = /* @__PURE__ */ new Map();
+  register(provider) {
+    this.providers.set(provider.name, provider);
+  }
+  get(name) {
+    return this.providers.get(name);
+  }
+  detectProvider(value, hints) {
+    if (hints?.provider) {
+      return this.providers.get(hints.provider);
+    }
+    for (const provider of this.providers.values()) {
+      if (provider.prefixes) {
+        for (const pfx of provider.prefixes) {
+          if (value.startsWith(pfx)) return provider;
+        }
+      }
+    }
+    return void 0;
+  }
+  listProviders() {
+    return [...this.providers.values()];
+  }
+};
+var openaiProvider = {
+  name: "openai",
+  description: "OpenAI API key validation",
+  prefixes: ["sk-"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.openai.com/v1/models?limit=1",
+        {
+          Authorization: `Bearer ${value}`,
+          "User-Agent": "q-ring-validator/1.0"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "API key is valid", latencyMs, provider: "openai" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or revoked API key", latencyMs, provider: "openai" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 key may be valid", latencyMs, provider: "openai" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "openai" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "openai" };
+    }
+  }
+};
+var stripeProvider = {
+  name: "stripe",
+  description: "Stripe API key validation",
+  prefixes: ["sk_live_", "sk_test_", "rk_live_", "rk_test_", "pk_live_", "pk_test_"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.stripe.com/v1/balance",
+        {
+          Authorization: `Bearer ${value}`,
+          "User-Agent": "q-ring-validator/1.0"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "API key is valid", latencyMs, provider: "stripe" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or revoked API key", latencyMs, provider: "stripe" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 key may be valid", latencyMs, provider: "stripe" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "stripe" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "stripe" };
+    }
+  }
+};
+var githubProvider = {
+  name: "github",
+  description: "GitHub token validation",
+  prefixes: ["ghp_", "gho_", "ghu_", "ghs_", "ghr_", "github_pat_"],
+  async validate(value) {
+    const start = Date.now();
+    try {
+      const { statusCode } = await makeRequest(
+        "https://api.github.com/user",
+        {
+          Authorization: `token ${value}`,
+          "User-Agent": "q-ring-validator/1.0",
+          Accept: "application/vnd.github+json"
+        }
+      );
+      const latencyMs = Date.now() - start;
+      if (statusCode === 200)
+        return { valid: true, status: "valid", message: "Token is valid", latencyMs, provider: "github" };
+      if (statusCode === 401)
+        return { valid: false, status: "invalid", message: "Invalid or expired token", latencyMs, provider: "github" };
+      if (statusCode === 403)
+        return { valid: false, status: "invalid", message: "Token lacks required permissions", latencyMs, provider: "github" };
+      if (statusCode === 429)
+        return { valid: true, status: "error", message: "Rate limited \u2014 token may be valid", latencyMs, provider: "github" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "github" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "github" };
+    }
+  }
+};
+var awsProvider = {
+  name: "aws",
+  description: "AWS access key validation (checks key format only \u2014 full STS validation requires secret key + region)",
+  prefixes: ["AKIA", "ASIA"],
+  async validate(value) {
+    const start = Date.now();
+    const latencyMs = Date.now() - start;
+    if (/^(AKIA|ASIA)[A-Z0-9]{16}$/.test(value)) {
+      return { valid: true, status: "unknown", message: "Valid AWS access key format (STS validation requires secret key)", latencyMs, provider: "aws" };
+    }
+    return { valid: false, status: "invalid", message: "Invalid AWS access key format", latencyMs, provider: "aws" };
+  }
+};
+var httpProvider = {
+  name: "http",
+  description: "Generic HTTP endpoint validation",
+  async validate(value, url) {
+    const start = Date.now();
+    if (!url) {
+      return { valid: false, status: "unknown", message: "No validation URL configured", latencyMs: 0, provider: "http" };
+    }
+    try {
+      const { statusCode } = await makeRequest(url, {
+        Authorization: `Bearer ${value}`,
+        "User-Agent": "q-ring-validator/1.0"
+      });
+      const latencyMs = Date.now() - start;
+      if (statusCode >= 200 && statusCode < 300)
+        return { valid: true, status: "valid", message: `Endpoint returned ${statusCode}`, latencyMs, provider: "http" };
+      if (statusCode === 401 || statusCode === 403)
+        return { valid: false, status: "invalid", message: `Authentication failed (${statusCode})`, latencyMs, provider: "http" };
+      return { valid: false, status: "error", message: `Unexpected status ${statusCode}`, latencyMs, provider: "http" };
+    } catch (err) {
+      return { valid: false, status: "error", message: `${err instanceof Error ? err.message : "Network error"}`, latencyMs: Date.now() - start, provider: "http" };
+    }
+  }
+};
+var registry2 = new ProviderRegistry();
+registry2.register(openaiProvider);
+registry2.register(stripeProvider);
+registry2.register(githubProvider);
+registry2.register(awsProvider);
+registry2.register(httpProvider);
+async function validateSecret(value, opts) {
+  const provider = opts?.provider ? registry2.get(opts.provider) : registry2.detectProvider(value);
+  if (!provider) {
+    return {
+      valid: false,
+      status: "unknown",
+      message: "No provider detected \u2014 set a provider in the manifest or secret metadata",
+      latencyMs: 0,
+      provider: "none"
+    };
+  }
+  if (provider.name === "http" && opts?.validationUrl) {
+    return provider.validate(value, opts.validationUrl);
+  }
+  return provider.validate(value);
+}
+async function rotateWithProvider(value, providerName) {
+  const provider = providerName ? registry2.get(providerName) : registry2.detectProvider(value);
+  if (!provider) {
+    return { rotated: false, provider: "none", message: "No provider detected for rotation" };
+  }
+  const rotatable = provider;
+  if (rotatable.supportsRotation && rotatable.rotate) {
+    return rotatable.rotate(value);
+  }
+  const format = "api-key";
+  const newValue = generateSecret({ format, length: 48 });
+  return {
+    rotated: true,
+    provider: provider.name,
+    message: `Provider "${provider.name}" does not support native rotation \u2014 generated new value locally`,
+    newValue
+  };
+}
+async function ciValidateBatch(secrets) {
+  const results = [];
+  for (const s of secrets) {
+    const validation = await validateSecret(s.value, {
+      provider: s.provider,
+      validationUrl: s.validationUrl
+    });
+    results.push({
+      key: s.key,
+      validation,
+      requiresRotation: validation.status === "invalid"
+    });
+  }
+  const failCount = results.filter((r) => !r.validation.valid).length;
+  return { results, allValid: failCount === 0, failCount };
+}
+
+// src/core/context.ts
+function getProjectContext(opts = {}) {
+  const projectPath = opts.projectPath ?? process.cwd();
+  const envResult = collapseEnvironment({ projectPath });
+  const secretsList = listSecrets({
+    ...opts,
+    projectPath,
+    silent: true
+  });
+  let expiredCount = 0;
+  let staleCount = 0;
+  let protectedCount = 0;
+  const secrets = secretsList.map((entry) => {
+    const meta = entry.envelope?.meta;
+    const decay = entry.decay;
+    if (decay?.isExpired) expiredCount++;
+    if (decay?.isStale) staleCount++;
+    if (meta?.requiresApproval) protectedCount++;
+    return {
+      key: entry.key,
+      scope: entry.scope,
+      tags: meta?.tags,
+      description: meta?.description,
+      provider: meta?.provider,
+      requiresApproval: meta?.requiresApproval,
+      jitProvider: meta?.jitProvider,
+      hasStates: !!(entry.envelope?.states && Object.keys(entry.envelope.states).length > 0),
+      isExpired: decay?.isExpired ?? false,
+      isStale: decay?.isStale ?? false,
+      timeRemaining: decay?.timeRemaining ?? null,
+      accessCount: meta?.accessCount ?? 0,
+      lastAccessed: meta?.lastAccessedAt ?? null,
+      rotationFormat: meta?.rotationFormat
+    };
+  });
+  let manifest = null;
+  const config = readProjectConfig(projectPath);
+  if (config?.secrets) {
+    const declaredKeys = Object.keys(config.secrets);
+    const existingKeys = new Set(secrets.map((s) => s.key));
+    const missing = declaredKeys.filter((k) => !existingKeys.has(k));
+    manifest = { declared: declaredKeys.length, missing };
+  }
+  const recentEvents = queryAudit({ limit: 20 });
+  const recentActions = recentEvents.map((e) => ({
+    action: e.action,
+    key: e.key,
+    source: e.source,
+    timestamp: e.timestamp
+  }));
+  return {
+    projectPath,
+    environment: envResult ? { env: envResult.env, source: envResult.source } : null,
+    secrets,
+    totalSecrets: secrets.length,
+    expiredCount,
+    staleCount,
+    protectedCount,
+    manifest,
+    validationProviders: registry2.listProviders().map((p) => p.name),
+    jitProviders: registry.listProviders().map((p) => p.name),
+    hooksCount: listHooks().length,
+    recentActions
+  };
+}
+
+// src/core/memory.ts
+import { existsSync as existsSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2, mkdirSync } from "fs";
+import { join as join2 } from "path";
+import { homedir, hostname, userInfo } from "os";
+import { createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2, createHash, randomBytes as randomBytes3 } from "crypto";
+var MEMORY_FILE = "agent-memory.enc";
+function getMemoryDir() {
+  const dir = join2(homedir(), ".config", "q-ring");
+  if (!existsSync2(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  return dir;
+}
+function getMemoryPath() {
+  return join2(getMemoryDir(), MEMORY_FILE);
+}
+function deriveKey2() {
+  const fingerprint = `qring-memory:${hostname()}:${userInfo().username}`;
+  return createHash("sha256").update(fingerprint).digest();
+}
+function encrypt(data) {
+  const key = deriveKey2();
+  const iv = randomBytes3(12);
+  const cipher = createCipheriv2("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(data, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `${iv.toString("base64")}:${tag.toString("base64")}:${encrypted.toString("base64")}`;
+}
+function decrypt(blob) {
+  const parts = blob.split(":");
+  if (parts.length !== 3) throw new Error("Invalid encrypted format");
+  const iv = Buffer.from(parts[0], "base64");
+  const tag = Buffer.from(parts[1], "base64");
+  const encrypted = Buffer.from(parts[2], "base64");
+  const key = deriveKey2();
+  const decipher = createDecipheriv2("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(encrypted) + decipher.final("utf8");
+}
+function loadStore() {
+  const path = getMemoryPath();
+  if (!existsSync2(path)) {
+    return { entries: {} };
+  }
+  try {
+    const raw = readFileSync4(path, "utf8");
+    const decrypted = decrypt(raw);
+    return JSON.parse(decrypted);
+  } catch {
+    return { entries: {} };
+  }
+}
+function saveStore(store) {
+  const json = JSON.stringify(store);
+  const encrypted = encrypt(json);
+  writeFileSync2(getMemoryPath(), encrypted, "utf8");
+}
+function remember(key, value) {
+  const store = loadStore();
+  store.entries[key] = {
+    value,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  saveStore(store);
+}
+function recall(key) {
+  const store = loadStore();
+  return store.entries[key]?.value ?? null;
+}
+function listMemory() {
+  const store = loadStore();
+  return Object.entries(store.entries).map(([key, entry]) => ({
+    key,
+    updatedAt: entry.updatedAt
+  }));
+}
+function forget(key) {
+  const store = loadStore();
+  if (key in store.entries) {
+    delete store.entries[key];
+    saveStore(store);
+    return true;
+  }
+  return false;
+}
+function clearMemory() {
+  saveStore({ entries: {} });
+}
+
+// src/hooks/precommit.ts
+import { execSync } from "child_process";
+import { existsSync as existsSync3, writeFileSync as writeFileSync3, chmodSync, readFileSync as readFileSync5, unlinkSync } from "fs";
+import { join as join3 } from "path";
+function getStagedFiles() {
+  try {
+    const output = execSync("git diff --cached --name-only --diff-filter=ACM", {
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return output.split("\n").map((f) => f.trim()).filter((f) => f.length > 0);
+  } catch {
+    return [];
+  }
+}
+function runPreCommitScan() {
+  const staged = getStagedFiles();
+  if (staged.length === 0) return 0;
+  const results = lintFiles(staged);
+  if (results.length === 0) return 0;
+  console.error("\n[q-ring] Pre-commit scan found hardcoded secrets:\n");
+  for (const r of results) {
+    console.error(`  ${r.file}:${r.line}  ${r.keyName}  (entropy: ${r.entropy})`);
+  }
+  console.error(
+    `
+[q-ring] Commit blocked. Use "qring scan --fix" to auto-migrate, or "git commit --no-verify" to bypass.
+`
+  );
+  return 1;
+}
+var HOOK_SCRIPT = `#!/bin/sh
+# q-ring pre-commit hook \u2014 scans staged files for hardcoded secrets
+npx qring hook:run 2>&1
+exit $?
+`;
+function installPreCommitHook(repoPath) {
+  const root = repoPath ?? process.cwd();
+  const hooksDir = join3(root, ".git", "hooks");
+  if (!existsSync3(join3(root, ".git"))) {
+    return { installed: false, path: "", message: "Not a git repository" };
+  }
+  const hookPath = join3(hooksDir, "pre-commit");
+  if (existsSync3(hookPath)) {
+    const existing = readFileSync5(hookPath, "utf8");
+    if (existing.includes("q-ring")) {
+      return { installed: true, path: hookPath, message: "Hook already installed" };
+    }
+    writeFileSync3(hookPath, HOOK_SCRIPT + "\n" + existing, "utf8");
+  } else {
+    writeFileSync3(hookPath, HOOK_SCRIPT, "utf8");
+  }
+  chmodSync(hookPath, 493);
+  return { installed: true, path: hookPath, message: "Pre-commit hook installed" };
+}
+function uninstallPreCommitHook(repoPath) {
+  const root = repoPath ?? process.cwd();
+  const hookPath = join3(root, ".git", "hooks", "pre-commit");
+  if (!existsSync3(hookPath)) return false;
+  const content = readFileSync5(hookPath, "utf8");
+  if (!content.includes("q-ring")) return false;
+  const lines = content.split("\n");
+  const cleaned = lines.filter(
+    (l) => !l.includes("q-ring") && !l.includes("npx qring hook:run")
+  );
+  if (cleaned.filter((l) => l.trim() && !l.startsWith("#!")).length === 0) {
+    unlinkSync(hookPath);
+  } else {
+    writeFileSync3(hookPath, cleaned.join("\n"), "utf8");
+  }
+  return true;
+}
+
+// src/cli/commands.ts
+import { writeFileSync as writeFileSync4, readFileSync as readFileSync6, existsSync as existsSync4 } from "fs";
+
 // src/utils/prompt.ts
 import { createInterface } from "readline";
 async function promptSecret(message) {
@@ -405,6 +1365,8 @@ function buildOpts(cmd) {
   let scope;
   if (cmd.global) scope = "global";
   else if (cmd.project) scope = "project";
+  else if (cmd.team) scope = "team";
+  else if (cmd.org) scope = "org";
   const projectPath = cmd.projectPath ?? (cmd.project ? process.cwd() : void 0);
   if (scope === "project" && !projectPath) {
     throw new Error("Project path is required for project scope");
@@ -412,6 +1374,8 @@ function buildOpts(cmd) {
   return {
     scope,
     projectPath: projectPath ?? process.cwd(),
+    teamId: cmd.team,
+    orgId: cmd.org,
     env: cmd.env,
     source: "cli"
   };
@@ -419,8 +1383,8 @@ function buildOpts(cmd) {
 function createProgram() {
   const program2 = new Command().name("qring").description(
     `${c.bold("q-ring")} ${c.dim("\u2014 quantum keyring for AI coding tools")}`
-  ).version("0.2.0");
-  program2.command("set <key> [value]").description("Store a secret (with optional quantum metadata)").option("-g, --global", "Store in global scope").option("-p, --project", "Store in project scope (uses cwd)").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Set value for a specific environment (superposition)").option("--ttl <seconds>", "Time-to-live in seconds (quantum decay)", parseInt).option("--expires <iso>", "Expiry timestamp (ISO 8601)").option("--description <desc>", "Human-readable description").option("--tags <tags>", "Comma-separated tags").action(async (key, value, cmd) => {
+  ).version("0.4.0");
+  program2.command("set <key> [value]").description("Store a secret (with optional quantum metadata)").option("-g, --global", "Store in global scope").option("-p, --project", "Store in project scope (uses cwd)").option("--team <id>", "Store in team scope").option("--org <id>", "Store in org scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Set value for a specific environment (superposition)").option("--ttl <seconds>", "Time-to-live in seconds (quantum decay)", parseInt).option("--expires <iso>", "Expiry timestamp (ISO 8601)").option("--description <desc>", "Human-readable description").option("--tags <tags>", "Comma-separated tags").option("--rotation-format <format>", "Format for auto-rotation (api-key, password, uuid, hex, base64, alphanumeric, token)").option("--rotation-prefix <prefix>", "Prefix for auto-rotation (e.g. sk-)").option("--requires-approval", "Require explicit user approval for MCP agents to read").option("--jit-provider <provider>", "Use a Just-In-Time provider to dynamically generate this secret").action(async (key, value, cmd) => {
     const opts = buildOpts(cmd);
     if (!value) {
       value = await promptSecret(`${SYMBOLS.key} Enter value for ${c.bold(key)}: `);
@@ -434,7 +1398,11 @@ function createProgram() {
       ttlSeconds: cmd.ttl,
       expiresAt: cmd.expires,
       description: cmd.description,
-      tags: cmd.tags?.split(",").map((t) => t.trim())
+      tags: cmd.tags?.split(",").map((t) => t.trim()),
+      rotationFormat: cmd.rotationFormat,
+      rotationPrefix: cmd.rotationPrefix,
+      requiresApproval: cmd.requiresApproval,
+      jitProvider: cmd.jitProvider
     };
     if (cmd.env) {
       const existing = getEnvelope(key, opts);
@@ -459,7 +1427,7 @@ function createProgram() {
       );
     }
   });
-  program2.command("get <key>").description("Retrieve a secret (collapses superposition if needed)").option("-g, --global", "Look only in global scope").option("-p, --project", "Look only in project scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force a specific environment").action((key, cmd) => {
+  program2.command("get <key>").description("Retrieve a secret (collapses superposition if needed)").option("-g, --global", "Look only in global scope").option("-p, --project", "Look only in project scope").option("--team <id>", "Look only in team scope").option("--org <id>", "Look only in org scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force a specific environment").action((key, cmd) => {
     const opts = buildOpts(cmd);
     const value = getSecret(key, opts);
     if (value === null) {
@@ -478,9 +1446,29 @@ function createProgram() {
       process.exit(1);
     }
   });
-  program2.command("list").alias("ls").description("List all secrets with quantum status indicators").option("-g, --global", "List global scope only").option("-p, --project", "List project scope only").option("--project-path <path>", "Explicit project path").option("--show-decay", "Show decay/expiry status").action((cmd) => {
+  program2.command("list").alias("ls").description("List all secrets with quantum status indicators").option("-g, --global", "List global scope only").option("-p, --project", "List project scope only").option("--team <id>", "List team scope only").option("--org <id>", "List org scope only").option("--project-path <path>", "Explicit project path").option("--show-decay", "Show decay/expiry status").option("-t, --tag <tag>", "Filter by tag").option("--expired", "Show only expired secrets").option("--stale", "Show only stale secrets (75%+ decay)").option("-f, --filter <pattern>", "Glob pattern on key name").action((cmd) => {
     const opts = buildOpts(cmd);
-    const entries = listSecrets(opts);
+    let entries = listSecrets(opts);
+    if (cmd.tag) {
+      entries = entries.filter(
+        (e) => e.envelope?.meta.tags?.includes(cmd.tag)
+      );
+    }
+    if (cmd.expired) {
+      entries = entries.filter((e) => e.decay?.isExpired);
+    }
+    if (cmd.stale) {
+      entries = entries.filter(
+        (e) => e.decay?.isStale && !e.decay?.isExpired
+      );
+    }
+    if (cmd.filter) {
+      const regex = new RegExp(
+        "^" + cmd.filter.replace(/\*/g, ".*") + "$",
+        "i"
+      );
+      entries = entries.filter((e) => regex.test(e.key));
+    }
     if (entries.length === 0) {
       console.log(c.dim("No secrets found"));
       return;
@@ -593,50 +1581,605 @@ function createProgram() {
     }
     console.log();
   });
-  program2.command("export").description("Export secrets as .env or JSON (collapses superposition)").option("-f, --format <format>", "Output format: env or json", "env").option("-g, --global", "Export global scope only").option("-p, --project", "Export project scope only").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force environment for collapse").action((cmd) => {
+  program2.command("export").description("Export secrets as .env or JSON (collapses superposition)").option("-f, --format <format>", "Output format: env or json", "env").option("-g, --global", "Export global scope only").option("-p, --project", "Export project scope only").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force environment for collapse").option("-k, --keys <keys>", "Comma-separated key names to export").option("-t, --tags <tags>", "Comma-separated tags to filter by").action((cmd) => {
     const opts = buildOpts(cmd);
-    const output = exportSecrets({ ...opts, format: cmd.format });
+    const output = exportSecrets({
+      ...opts,
+      format: cmd.format,
+      keys: cmd.keys?.split(",").map((k) => k.trim()),
+      tags: cmd.tags?.split(",").map((t) => t.trim())
+    });
     process.stdout.write(output + "\n");
   });
-  program2.command("env").description("Show detected environment (wavefunction collapse context)").option("--project-path <path>", "Project path for detection").action((cmd) => {
-    const result = collapseEnvironment({
-      projectPath: cmd.projectPath ?? process.cwd()
+  program2.command("import <file>").description("Import secrets from a .env file").option("-g, --global", "Import to global scope").option("-p, --project", "Import to project scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Environment context").option("--skip-existing", "Skip keys that already exist").option("--dry-run", "Preview what would be imported without saving").action((file, cmd) => {
+    const opts = buildOpts(cmd);
+    const result = importDotenv(file, {
+      scope: opts.scope,
+      projectPath: opts.projectPath,
+      source: "cli",
+      skipExisting: cmd.skipExisting,
+      dryRun: cmd.dryRun
     });
-    if (result) {
+    if (cmd.dryRun) {
       console.log(
-        `${SYMBOLS.zap} ${c.bold("Collapsed environment:")} ${envBadge(result.env)} ${c.dim(`(source: ${result.source})`)}`
+        `
+  ${SYMBOLS.package} ${c.bold("Dry run")} \u2014 would import ${result.imported.length} of ${result.total} secrets:
+`
       );
+      for (const key of result.imported) {
+        console.log(`  ${SYMBOLS.key} ${c.bold(key)}`);
+      }
+      if (result.skipped.length > 0) {
+        console.log(`
+  ${c.dim(`Skipped (existing): ${result.skipped.join(", ")}`)}`);
+      }
     } else {
       console.log(
-        c.dim("No environment detected. Set QRING_ENV, NODE_ENV, or create .q-ring.json")
+        `${SYMBOLS.check} ${c.green("imported")} ${result.imported.length} secret(s) from ${c.bold(file)}`
       );
+      if (result.skipped.length > 0) {
+        console.log(
+          c.dim(`  skipped ${result.skipped.length} existing: ${result.skipped.join(", ")}`)
+        );
+      }
     }
+    console.log();
   });
-  program2.command("generate").alias("gen").description("Generate a cryptographic secret (quantum noise)").option(
-    "-f, --format <format>",
-    "Format: hex, base64, alphanumeric, uuid, api-key, token, password",
-    "api-key"
-  ).option("-l, --length <n>", "Length (bytes or chars depending on format)", parseInt).option("--prefix <prefix>", "Prefix for api-key/token format").option("-s, --save <key>", "Save the generated secret to keyring with this key").option("-g, --global", "Save to global scope").option("-p, --project", "Save to project scope").option("--project-path <path>", "Explicit project path").action((cmd) => {
-    const secret = generateSecret({
-      format: cmd.format,
-      length: cmd.length,
-      prefix: cmd.prefix
-    });
-    const entropy = estimateEntropy(secret);
-    if (cmd.save) {
-      const opts = buildOpts(cmd);
-      setSecret(cmd.save, secret, opts);
+  program2.command("check").description("Validate project secrets against .q-ring.json manifest").option("--project-path <path>", "Project path (defaults to cwd)").action((cmd) => {
+    const projectPath = cmd.projectPath ?? process.cwd();
+    const config = readProjectConfig(projectPath);
+    if (!config?.secrets || Object.keys(config.secrets).length === 0) {
+      console.error(
+        c.red(`${SYMBOLS.cross} No secrets manifest found in .q-ring.json`)
+      );
       console.log(
-        `${SYMBOLS.sparkle} ${c.green("generated & saved")} ${c.bold(cmd.save)} ${c.dim(`(${cmd.format}, ${entropy} bits entropy)`)}`
+        c.dim('  Add a "secrets" field to your .q-ring.json to define required secrets.')
       );
-    } else {
-      process.stdout.write(secret);
-      if (process.stdout.isTTY) {
+      process.exit(1);
+    }
+    console.log(
+      c.bold(`
+  ${SYMBOLS.shield} Project secret manifest check
+`)
+    );
+    let present = 0;
+    let missing = 0;
+    let expiredCount = 0;
+    let staleCount = 0;
+    for (const [key, manifest] of Object.entries(config.secrets)) {
+      const result = getEnvelope(key, { projectPath, source: "cli" });
+      if (!result) {
+        if (manifest.required !== false) {
+          missing++;
+          console.log(
+            `  ${c.red(SYMBOLS.cross)} ${c.bold(key)} ${c.red("MISSING")} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+          );
+        } else {
+          console.log(
+            `  ${c.dim(SYMBOLS.cross)} ${c.bold(key)} ${c.dim("optional, not set")} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+          );
+        }
+        continue;
+      }
+      const decay = checkDecay(result.envelope);
+      if (decay.isExpired) {
+        expiredCount++;
         console.log(
-          `
-${c.dim(`format: ${cmd.format} | entropy: ~${entropy} bits`)}`
+          `  ${c.red(SYMBOLS.warning)} ${c.bold(key)} ${c.bgRed(c.white(" EXPIRED "))} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
         );
-      }
+      } else if (decay.isStale) {
+        staleCount++;
+        console.log(
+          `  ${c.yellow(SYMBOLS.warning)} ${c.bold(key)} ${c.yellow(`stale (${decay.lifetimePercent}%)`)} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+        );
+      } else {
+        present++;
+        console.log(
+          `  ${c.green(SYMBOLS.check)} ${c.bold(key)} ${c.green("OK")} ${manifest.description ? c.dim(`\u2014 ${manifest.description}`) : ""}`
+        );
+      }
+    }
+    const total = Object.keys(config.secrets).length;
+    console.log(
+      `
+  ${c.bold(`${total} declared`)}  ${c.green(`${present} present`)}  ${c.yellow(`${staleCount} stale`)}  ${c.red(`${expiredCount} expired`)}  ${c.red(`${missing} missing`)}`
+    );
+    if (missing > 0) {
+      console.log(
+        `
+  ${c.red("Project is NOT ready \u2014 missing required secrets.")}`
+      );
+    } else if (expiredCount > 0) {
+      console.log(
+        `
+  ${c.yellow("Project has expired secrets that need rotation.")}`
+      );
+    } else {
+      console.log(
+        `
+  ${c.green(`${SYMBOLS.check} Project is ready \u2014 all required secrets present.`)}`
+      );
+    }
+    console.log();
+    if (missing > 0) process.exit(1);
+  });
+  program2.command("validate [key]").description("Test if a secret is actually valid with its target service").option("-g, --global", "Global scope only").option("-p, --project", "Project scope only").option("--project-path <path>", "Explicit project path").option("--provider <name>", "Force a specific provider (openai, stripe, github, aws, http)").option("--all", "Validate all secrets that have a detectable provider").option("--manifest", "Only validate manifest-declared secrets (with --all)").option("--list-providers", "List all available providers").action(async (key, cmd) => {
+    if (cmd.listProviders) {
+      console.log(c.bold(`
+  ${SYMBOLS.shield} Available validation providers
+`));
+      for (const p of registry2.listProviders()) {
+        const prefixes = p.prefixes?.length ? c.dim(` (${p.prefixes.join(", ")})`) : "";
+        console.log(`  ${c.cyan(p.name.padEnd(10))} ${p.description}${prefixes}`);
+      }
+      console.log();
+      return;
+    }
+    if (!key && !cmd.all) {
+      console.error(c.red(`${SYMBOLS.cross} Provide a key name or use --all`));
+      process.exit(1);
+    }
+    const opts = buildOpts(cmd);
+    if (cmd.all) {
+      let entries = listSecrets(opts);
+      const projectPath = cmd.projectPath ?? process.cwd();
+      if (cmd.manifest) {
+        const config = readProjectConfig(projectPath);
+        if (config?.secrets) {
+          const manifestKeys = new Set(Object.keys(config.secrets));
+          entries = entries.filter((e) => manifestKeys.has(e.key));
+        }
+      }
+      console.log(c.bold(`
+  ${SYMBOLS.shield} Validating secrets
+`));
+      let validated = 0;
+      let skipped = 0;
+      for (const entry of entries) {
+        const value2 = getSecret(entry.key, { ...opts, scope: entry.scope });
+        if (!value2) {
+          skipped++;
+          continue;
+        }
+        const provHint2 = entry.envelope?.meta.provider ?? cmd.provider;
+        const result2 = await validateSecret(value2, { provider: provHint2 });
+        if (result2.status === "unknown") {
+          skipped++;
+          continue;
+        }
+        validated++;
+        const icon2 = result2.status === "valid" ? c.green(SYMBOLS.check) : result2.status === "invalid" ? c.red(SYMBOLS.cross) : c.yellow(SYMBOLS.warning);
+        const statusText = result2.status === "valid" ? c.green("valid") : result2.status === "invalid" ? c.red("invalid") : c.yellow("error");
+        console.log(
+          `  ${icon2} ${c.bold(entry.key.padEnd(24))} ${statusText}  ${c.dim(`(${result2.provider}, ${result2.latencyMs}ms)`)}${result2.status !== "valid" ? ` ${c.dim("\u2014 " + result2.message)}` : ""}`
+        );
+      }
+      console.log(`
+  ${c.dim(`${validated} validated, ${skipped} skipped (no provider)`)}
+`);
+      return;
+    }
+    const value = getSecret(key, opts);
+    if (!value) {
+      console.error(c.red(`${SYMBOLS.cross} Secret "${key}" not found`));
+      process.exit(1);
+    }
+    const envelope = getEnvelope(key, opts);
+    const provHint = envelope?.envelope.meta.provider ?? cmd.provider;
+    const result = await validateSecret(value, { provider: provHint });
+    const icon = result.status === "valid" ? c.green(SYMBOLS.check) : result.status === "invalid" ? c.red(SYMBOLS.cross) : result.status === "error" ? c.yellow(SYMBOLS.warning) : c.dim("\u25CB");
+    console.log(`
+  ${icon} ${c.bold(key)}  ${result.status}  ${c.dim(`(${result.provider}, ${result.latencyMs}ms)`)}`);
+    if (result.message && result.status !== "valid") {
+      console.log(`    ${c.dim(result.message)}`);
+    }
+    console.log();
+  });
+  program2.command("exec <command...>").description("Run a command with secrets injected into its environment (output auto-redacted)").option("-g, --global", "Inject global scope secrets only").option("-p, --project", "Inject project scope secrets only").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Environment context").option("-k, --keys <keys>", "Comma-separated key names to inject").option("-t, --tags <tags>", "Comma-separated tags to filter by").option("--profile <name>", "Exec profile: unrestricted, restricted, ci").action(async (commandArgs, cmd) => {
+    const opts = buildOpts(cmd);
+    const command = commandArgs[0];
+    const args = commandArgs.slice(1);
+    try {
+      const { code } = await execCommand({
+        ...opts,
+        command,
+        args,
+        keys: cmd.keys?.split(",").map((k) => k.trim()),
+        tags: cmd.tags?.split(",").map((t) => t.trim()),
+        profile: cmd.profile
+      });
+      process.exit(code);
+    } catch (err) {
+      console.error(c.red(`${SYMBOLS.cross} Exec failed: ${err instanceof Error ? err.message : String(err)}`));
+      process.exit(1);
+    }
+  });
+  program2.command("scan [dir]").description("Scan a codebase for hardcoded secrets").option("--fix", "Auto-replace hardcoded secrets with process.env references and store in q-ring").option("-g, --global", "Store fixed secrets in global scope").option("-p, --project", "Store fixed secrets in project scope").option("--project-path <path>", "Explicit project path").action((dir, cmd) => {
+    const targetDir = dir ?? process.cwd();
+    const fixMode = cmd.fix === true;
+    console.log(`
+  ${SYMBOLS.eye} Scanning ${c.bold(targetDir)} for secrets...${fixMode ? c.yellow(" [--fix mode]") : ""}
+`);
+    const results = scanCodebase(targetDir);
+    if (results.length === 0) {
+      console.log(`  ${c.green(SYMBOLS.check)} No hardcoded secrets found. Awesome!
+`);
+      return;
+    }
+    if (fixMode) {
+      const fileSet = new Set(results.map((r) => r.file.startsWith("/") ? r.file : `${targetDir}/${r.file}`));
+      const opts = buildOpts(cmd);
+      const lintResults = lintFiles([...fileSet], { fix: true, scope: opts.scope, projectPath: opts.projectPath });
+      const fixedCount = lintResults.filter((r) => r.fixed).length;
+      console.log(`  ${c.green(SYMBOLS.check)} Fixed ${fixedCount} secrets \u2014 replaced with process.env references and stored in q-ring.
+`);
+      return;
+    }
+    for (const res of results) {
+      console.log(`  ${c.red(SYMBOLS.cross)} ${c.bold(res.file)}:${res.line}`);
+      console.log(`    ${c.dim("Key:")}     ${c.cyan(res.keyName)}`);
+      console.log(`    ${c.dim("Entropy:")} ${res.entropy > 4 ? c.red(res.entropy.toString()) : c.yellow(res.entropy.toString())}`);
+      console.log(`    ${c.dim("Context:")} ${res.context}`);
+      console.log();
+    }
+    console.log(`  ${c.red(`Found ${results.length} potential secrets.`)} Use ${c.bold("qring scan --fix")} to auto-migrate them.
+`);
+  });
+  program2.command("lint <files...>").description("Lint specific files for hardcoded secrets (with optional auto-fix)").option("--fix", "Replace hardcoded secrets with process.env references and store in q-ring").option("-g, --global", "Store fixed secrets in global scope").option("-p, --project", "Store fixed secrets in project scope").option("--project-path <path>", "Explicit project path").action((files, cmd) => {
+    const opts = buildOpts(cmd);
+    const results = lintFiles(files, { fix: cmd.fix, scope: opts.scope, projectPath: opts.projectPath });
+    if (results.length === 0) {
+      console.log(`
+  ${c.green(SYMBOLS.check)} No hardcoded secrets found in ${files.length} file(s).
+`);
+      return;
+    }
+    for (const res of results) {
+      const status = res.fixed ? c.green("fixed") : c.red("found");
+      console.log(`  ${res.fixed ? c.green(SYMBOLS.check) : c.red(SYMBOLS.cross)} ${c.bold(res.file)}:${res.line} [${status}]`);
+      console.log(`    ${c.dim("Key:")}     ${c.cyan(res.keyName)}`);
+      console.log(`    ${c.dim("Entropy:")} ${res.entropy > 4 ? c.red(res.entropy.toString()) : c.yellow(res.entropy.toString())}`);
+      console.log();
+    }
+    const fixedCount = results.filter((r) => r.fixed).length;
+    if (cmd.fix && fixedCount > 0) {
+      console.log(`  ${c.green(`Fixed ${fixedCount} secret(s)`)} \u2014 replaced with env references and stored in q-ring.
+`);
+    } else {
+      console.log(`  ${c.red(`Found ${results.length} potential secret(s).`)} Use ${c.bold("--fix")} to auto-migrate.
+`);
+    }
+  });
+  program2.command("context").alias("describe").description("Show safe, redacted project context for AI agents (no secret values exposed)").option("-g, --global", "Global scope only").option("-p, --project", "Project scope only").option("--project-path <path>", "Explicit project path").option("--json", "Output as JSON (for MCP / programmatic use)").action((cmd) => {
+    const opts = buildOpts(cmd);
+    const context = getProjectContext(opts);
+    if (cmd.json) {
+      console.log(JSON.stringify(context, null, 2));
+      return;
+    }
+    console.log(`
+${SYMBOLS.zap} ${c.bold("Project Context for AI Assistant")}`);
+    console.log(`  Project: ${c.cyan(context.projectPath)}`);
+    if (context.environment) {
+      console.log(`  Environment: ${envBadge(context.environment.env)} ${c.dim(`(${context.environment.source})`)}`);
+    }
+    console.log(`
+${c.bold("  Secrets:")} ${context.totalSecrets} total  ${c.dim(`(${context.expiredCount} expired, ${context.staleCount} stale, ${context.protectedCount} protected)`)}`);
+    for (const s of context.secrets) {
+      const tags = s.tags?.length ? c.dim(` [${s.tags.join(",")}]`) : "";
+      const flags = [];
+      if (s.requiresApproval) flags.push(c.yellow("locked"));
+      if (s.jitProvider) flags.push(c.magenta("jit"));
+      if (s.hasStates) flags.push(c.blue("superposition"));
+      if (s.isExpired) flags.push(c.red("expired"));
+      else if (s.isStale) flags.push(c.yellow("stale"));
+      const flagStr = flags.length ? ` ${flags.join(" ")}` : "";
+      console.log(`    ${c.bold(s.key)} ${scopeColor(s.scope)}${tags}${flagStr}`);
+    }
+    if (context.manifest) {
+      console.log(`
+${c.bold("  Manifest:")} ${context.manifest.declared} declared`);
+      if (context.manifest.missing.length > 0) {
+        console.log(`    ${c.red("Missing:")} ${context.manifest.missing.join(", ")}`);
+      } else {
+        console.log(`    ${c.green(SYMBOLS.check)} All manifest secrets present`);
+      }
+    }
+    console.log(`
+${c.bold("  Providers:")} ${context.validationProviders.join(", ") || "none"}`);
+    console.log(`${c.bold("  JIT Providers:")} ${context.jitProviders.join(", ") || "none"}`);
+    console.log(`${c.bold("  Hooks:")} ${context.hooksCount} registered`);
+    if (context.recentActions.length > 0) {
+      console.log(`
+${c.bold("  Recent Activity:")} (last ${context.recentActions.length})`);
+      for (const a of context.recentActions.slice(0, 8)) {
+        const ts = new Date(a.timestamp).toLocaleTimeString();
+        console.log(`    ${c.dim(ts)} ${a.action}${a.key ? ` ${c.bold(a.key)}` : ""} ${c.dim(`(${a.source})`)}`);
+      }
+    }
+    console.log();
+  });
+  program2.command("remember <key> <value>").description("Store a key-value pair in encrypted agent memory (persists across sessions)").action((key, value) => {
+    remember(key, value);
+    console.log(`${SYMBOLS.check} ${c.green("remembered")} ${c.bold(key)}`);
+  });
+  program2.command("recall [key]").description("Retrieve a value from agent memory, or list all keys").action((key) => {
+    if (!key) {
+      const entries = listMemory();
+      if (entries.length === 0) {
+        console.log(c.dim("Agent memory is empty."));
+        return;
+      }
+      console.log(`
+${SYMBOLS.zap} ${c.bold("Agent Memory")} (${entries.length} entries)
+`);
+      for (const e of entries) {
+        console.log(`  ${c.bold(e.key)}  ${c.dim(new Date(e.updatedAt).toLocaleString())}`);
+      }
+      console.log();
+      return;
+    }
+    const value = recall(key);
+    if (value === null) {
+      console.log(c.dim(`No memory found for "${key}"`));
+    } else {
+      console.log(safeStr(value));
+    }
+  });
+  program2.command("forget <key>").description("Delete a key from agent memory").option("--all", "Clear all agent memory").action((key, cmd) => {
+    if (cmd.all) {
+      clearMemory();
+      console.log(`${SYMBOLS.check} ${c.yellow("cleared")} all agent memory`);
+      return;
+    }
+    const removed = forget(key);
+    if (removed) {
+      console.log(`${SYMBOLS.check} ${c.yellow("forgot")} ${c.bold(key)}`);
+    } else {
+      console.log(c.dim(`No memory found for "${key}"`));
+    }
+  });
+  program2.command("approve <key>").description("Grant a scoped, reasoned, HMAC-verified approval token for MCP secret access").option("-g, --global", "Global scope").option("-p, --project", "Project scope").option("--project-path <path>", "Explicit project path").option("--for <seconds>", "Duration of approval in seconds", parseInt, 3600).option("--reason <text>", "Reason for granting approval").option("--revoke", "Revoke an existing approval").option("--list", "List all approvals").action((key, cmd) => {
+    const opts = buildOpts(cmd);
+    const scope = opts.scope ?? "global";
+    if (cmd.list) {
+      const approvals = listApprovals();
+      if (approvals.length === 0) {
+        console.log(c.dim("  No active approvals"));
+        return;
+      }
+      for (const a of approvals) {
+        const status = a.tampered ? c.red("TAMPERED") : a.valid ? c.green("active") : c.dim("expired");
+        const ttl = Math.max(0, Math.round((new Date(a.expiresAt).getTime() - Date.now()) / 1e3));
+        console.log(`  ${status} ${c.bold(a.key)} [${a.scope}] reason=${c.dim(a.reason)} ttl=${ttl}s granted-by=${a.grantedBy}`);
+      }
+      return;
+    }
+    if (cmd.revoke) {
+      const revoked = revokeApproval(key, scope);
+      if (revoked) {
+        console.log(`${SYMBOLS.check} ${c.yellow("revoked")} approval for ${c.bold(key)}`);
+      } else {
+        console.log(c.dim(`  No active approval found for ${key}`));
+      }
+      return;
+    }
+    const entry = grantApproval(key, scope, cmd.for, {
+      reason: cmd.reason ?? "manual approval"
+    });
+    console.log(`${SYMBOLS.check} ${c.green("approved")} ${c.bold(key)} for ${cmd.for}s`);
+    console.log(c.dim(`  id=${entry.id} reason="${entry.reason}" expires=${entry.expiresAt}`));
+  });
+  program2.command("approvals").description("List all approval tokens with verification status").action(() => {
+    const approvals = listApprovals();
+    if (approvals.length === 0) {
+      console.log(c.dim("  No approvals found"));
+      return;
+    }
+    console.log(c.bold("\n\u{1F510} Approval Tokens\n"));
+    for (const a of approvals) {
+      const status = a.tampered ? c.red(`${SYMBOLS.cross} TAMPERED`) : a.valid ? c.green(`${SYMBOLS.check} active`) : c.dim(`${SYMBOLS.warning} expired`);
+      const ttl = Math.max(0, Math.round((new Date(a.expiresAt).getTime() - Date.now()) / 1e3));
+      console.log(`  ${status} ${c.bold(a.key)} [${a.scope}]`);
+      console.log(c.dim(`    id=${a.id} reason="${a.reason}" ttl=${ttl}s by=${a.grantedBy}`));
+      if (a.workspace) console.log(c.dim(`    workspace=${a.workspace}`));
+    }
+    console.log();
+  });
+  program2.command("hook:install").description("Install a git pre-commit hook that scans for hardcoded secrets").option("--project-path <path>", "Repository path").action((cmd) => {
+    const result = installPreCommitHook(cmd.projectPath);
+    if (result.installed) {
+      console.log(`${SYMBOLS.check} ${c.green(result.message)} at ${c.dim(result.path)}`);
+    } else {
+      console.log(`${SYMBOLS.cross} ${c.red(result.message)}`);
+    }
+  });
+  program2.command("hook:uninstall").description("Remove the q-ring pre-commit hook").option("--project-path <path>", "Repository path").action((cmd) => {
+    const removed = uninstallPreCommitHook(cmd.projectPath);
+    if (removed) {
+      console.log(`${SYMBOLS.check} ${c.green("Pre-commit hook removed")}`);
+    } else {
+      console.log(c.dim("No q-ring pre-commit hook found"));
+    }
+  });
+  program2.command("hook:run").description("Run the pre-commit secret scan (called by the git hook)").action(() => {
+    const code = runPreCommitScan();
+    process.exit(code);
+  });
+  program2.command("wizard <name>").description("Set up a new service integration with secrets, manifest, and hooks").option("--keys <keys>", "Comma-separated secret key names to create (e.g. API_KEY,API_SECRET)").option("--provider <provider>", "Validation provider (e.g. openai, stripe, github)").option("--tags <tags>", "Comma-separated tags for all secrets").option("--hook-exec <cmd>", "Shell command to run when any of these secrets change").option("-g, --global", "Global scope").option("-p, --project", "Project scope").option("--project-path <path>", "Explicit project path").action(async (name, cmd) => {
+    const opts = buildOpts(cmd);
+    const prefix = name.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+    const tags = cmd.tags?.split(",").map((t) => t.trim()) ?? [name.toLowerCase()];
+    const provider = cmd.provider;
+    let keyNames;
+    if (cmd.keys) {
+      keyNames = cmd.keys.split(",").map((k) => k.trim());
+    } else {
+      keyNames = [`${prefix}_API_KEY`, `${prefix}_API_SECRET`];
+    }
+    console.log(`
+${SYMBOLS.zap} ${c.bold(`Setting up service: ${name}`)}
+`);
+    for (const key of keyNames) {
+      const value = generateSecret({ format: "api-key", prefix: `${prefix.toLowerCase()}_` });
+      setSecret(key, value, {
+        ...opts,
+        tags,
+        provider,
+        description: `Auto-generated by wizard for ${name}`
+      });
+      console.log(`  ${c.green(SYMBOLS.check)} Created ${c.bold(key)}`);
+    }
+    const projectPath = opts.projectPath ?? process.cwd();
+    const manifestPath = `${projectPath}/.q-ring.json`;
+    let config = {};
+    try {
+      if (existsSync4(manifestPath)) {
+        config = JSON.parse(readFileSync6(manifestPath, "utf8"));
+      }
+    } catch {
+    }
+    if (!config.secrets) config.secrets = {};
+    for (const key of keyNames) {
+      config.secrets[key] = {
+        required: true,
+        description: `${name} integration`,
+        ...provider ? { provider } : {}
+      };
+    }
+    writeFileSync4(manifestPath, JSON.stringify(config, null, 2) + "\n", "utf8");
+    console.log(`  ${c.green(SYMBOLS.check)} Updated ${c.dim(".q-ring.json")} manifest`);
+    if (cmd.hookExec) {
+      for (const key of keyNames) {
+        registerHook({
+          type: "shell",
+          match: { key, action: ["write", "delete"] },
+          command: cmd.hookExec,
+          description: `${name} wizard hook`,
+          enabled: true
+        });
+      }
+      console.log(`  ${c.green(SYMBOLS.check)} Registered hook: ${c.dim(cmd.hookExec)}`);
+    }
+    console.log(`
+  ${c.green("Done!")} Service "${name}" is ready with ${keyNames.length} secrets.
+`);
+  });
+  program2.command("analyze").description("Analyze secret usage patterns and provide optimization suggestions").option("-g, --global", "Global scope only").option("-p, --project", "Project scope only").option("--project-path <path>", "Explicit project path").action((cmd) => {
+    const opts = buildOpts(cmd);
+    const entries = listSecrets({ ...opts, silent: true });
+    const audit = queryAudit({ limit: 1e3 });
+    console.log(`
+${SYMBOLS.zap} ${c.bold("Secret Usage Analysis")}
+`);
+    const accessMap = /* @__PURE__ */ new Map();
+    for (const e of audit) {
+      if (e.action === "read" && e.key) {
+        accessMap.set(e.key, (accessMap.get(e.key) || 0) + 1);
+      }
+    }
+    const sorted = [...accessMap.entries()].sort((a, b) => b[1] - a[1]);
+    if (sorted.length > 0) {
+      console.log(`  ${c.bold("Most accessed:")}`);
+      for (const [key, count] of sorted.slice(0, 5)) {
+        console.log(`    ${c.bold(key)} \u2014 ${c.cyan(count.toString())} reads`);
+      }
+      console.log();
+    }
+    const neverAccessed = entries.filter((e) => {
+      const count = e.envelope?.meta.accessCount ?? 0;
+      return count === 0;
+    });
+    if (neverAccessed.length > 0) {
+      console.log(`  ${c.bold("Never accessed:")} ${c.yellow(neverAccessed.length.toString())} secrets`);
+      for (const e of neverAccessed.slice(0, 8)) {
+        const age = e.envelope?.meta.createdAt ? c.dim(`(created ${new Date(e.envelope.meta.createdAt).toLocaleDateString()})`) : "";
+        console.log(`    ${c.dim(SYMBOLS.cross)} ${e.key} ${age}`);
+      }
+      console.log();
+    }
+    const expired = entries.filter((e) => e.decay?.isExpired);
+    const stale = entries.filter((e) => e.decay?.isStale && !e.decay?.isExpired);
+    if (expired.length > 0) {
+      console.log(`  ${c.red("Expired:")} ${expired.length} secrets need rotation or cleanup`);
+      for (const e of expired.slice(0, 5)) {
+        console.log(`    ${c.red(SYMBOLS.cross)} ${e.key}`);
+      }
+      console.log();
+    }
+    if (stale.length > 0) {
+      console.log(`  ${c.yellow("Stale (>75% lifetime):")} ${stale.length} secrets approaching expiry`);
+      for (const e of stale.slice(0, 5)) {
+        console.log(`    ${c.yellow(SYMBOLS.warning)} ${e.key} ${c.dim(`(${e.decay?.timeRemaining} remaining)`)}`);
+      }
+      console.log();
+    }
+    const globalOnly = entries.filter((e) => e.scope === "global");
+    const withProjectTags = globalOnly.filter(
+      (e) => e.envelope?.meta.tags?.some((t) => ["backend", "frontend", "db", "api"].includes(t))
+    );
+    if (withProjectTags.length > 0) {
+      console.log(`  ${c.bold("Scope suggestions:")}`);
+      console.log(`    ${withProjectTags.length} global secret(s) have project-specific tags \u2014 consider moving to project scope`);
+      console.log();
+    }
+    const noRotation = entries.filter(
+      (e) => !e.envelope?.meta.rotationFormat && !e.decay?.isExpired
+    );
+    if (noRotation.length > 0) {
+      console.log(`  ${c.bold("Rotation suggestions:")}`);
+      console.log(`    ${noRotation.length} secret(s) have no rotation format set`);
+      console.log(`    Use ${c.bold("qring set <key> <value> --rotation-format api-key")} to enable auto-rotation`);
+      console.log();
+    }
+    console.log(`  ${c.bold("Summary:")}`);
+    console.log(`    Total secrets: ${entries.length}`);
+    console.log(`    Active: ${entries.length - expired.length}`);
+    console.log(`    Expired: ${expired.length}`);
+    console.log(`    Stale: ${stale.length}`);
+    console.log(`    Never accessed: ${neverAccessed.length}`);
+    console.log(`    With rotation config: ${entries.length - noRotation.length}`);
+    console.log();
+  });
+  program2.command("env").description("Show detected environment (wavefunction collapse context)").option("--project-path <path>", "Project path for detection").action((cmd) => {
+    const result = collapseEnvironment({
+      projectPath: cmd.projectPath ?? process.cwd()
+    });
+    if (result) {
+      console.log(
+        `${SYMBOLS.zap} ${c.bold("Collapsed environment:")} ${envBadge(result.env)} ${c.dim(`(source: ${result.source})`)}`
+      );
+    } else {
+      console.log(
+        c.dim("No environment detected. Set QRING_ENV, NODE_ENV, or create .q-ring.json")
+      );
+    }
+  });
+  program2.command("generate").alias("gen").description("Generate a cryptographic secret (quantum noise)").option(
+    "-f, --format <format>",
+    "Format: hex, base64, alphanumeric, uuid, api-key, token, password",
+    "api-key"
+  ).option("-l, --length <n>", "Length (bytes or chars depending on format)", parseInt).option("--prefix <prefix>", "Prefix for api-key/token format").option("-s, --save <key>", "Save the generated secret to keyring with this key").option("-g, --global", "Save to global scope").option("-p, --project", "Save to project scope").option("--project-path <path>", "Explicit project path").action((cmd) => {
+    const secret = generateSecret({
+      format: cmd.format,
+      length: cmd.length,
+      prefix: cmd.prefix
+    });
+    const entropy = estimateEntropy(secret);
+    if (cmd.save) {
+      const opts = buildOpts(cmd);
+      setSecret(cmd.save, secret, opts);
+      console.log(
+        `${SYMBOLS.sparkle} ${c.green("generated & saved")} ${c.bold(cmd.save)} ${c.dim(`(${cmd.format}, ${entropy} bits entropy)`)}`
+      );
+    } else {
+      process.stdout.write(secret);
+      if (process.stdout.isTTY) {
+        console.log(
+          `
+${c.dim(`format: ${cmd.format} | entropy: ~${entropy} bits`)}`
+        );
+      }
     }
   });
   program2.command("entangle <sourceKey> <targetKey>").description("Link two secrets \u2014 rotating one updates the other").option("-g, --global", "Both in global scope").option("--source-project <path>", "Source project path").option("--target-project <path>", "Target project path").action(
@@ -657,6 +2200,24 @@ ${c.dim(`format: ${cmd.format} | entropy: ~${entropy} bits`)}`
       );
     }
   );
+  program2.command("disentangle <sourceKey> <targetKey>").description("Unlink two entangled secrets").option("-g, --global", "Both in global scope").option("--source-project <path>", "Source project path").option("--target-project <path>", "Target project path").action(
+    (sourceKey, targetKey, cmd) => {
+      const sourceOpts = {
+        scope: cmd.sourceProject ? "project" : "global",
+        projectPath: cmd.sourceProject ?? process.cwd(),
+        source: "cli"
+      };
+      const targetOpts = {
+        scope: cmd.targetProject ? "project" : "global",
+        projectPath: cmd.targetProject ?? process.cwd(),
+        source: "cli"
+      };
+      disentangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts);
+      console.log(
+        `${SYMBOLS.link} ${c.yellow("disentangled")} ${c.bold(sourceKey)} ${SYMBOLS.arrow} ${c.bold(targetKey)}`
+      );
+    }
+  );
   const tunnel = program2.command("tunnel").description("Ephemeral in-memory secrets (quantum tunneling)");
   tunnel.command("create <value>").description("Create a tunneled secret (returns tunnel ID)").option("--ttl <seconds>", "Auto-expire after N seconds", parseInt).option("--max-reads <n>", "Self-destruct after N reads", parseInt).action((value, cmd) => {
     const id = tunnelCreate(value, {
@@ -836,6 +2397,36 @@ ${SYMBOLS.warning} ${c.bold(c.yellow(`${anomalies.length} anomaly/anomalies dete
     }
     console.log();
   });
+  program2.command("audit:verify").description("Verify the integrity of the audit hash chain").action(() => {
+    const result = verifyAuditChain();
+    if (result.totalEvents === 0) {
+      console.log(c.dim("  No audit events to verify"));
+      return;
+    }
+    if (result.intact) {
+      console.log(`${SYMBOLS.shield} ${c.green("Audit chain intact")} \u2014 ${result.totalEvents} events verified`);
+    } else {
+      console.log(`${SYMBOLS.cross} ${c.red("Audit chain BROKEN")} at event #${result.brokenAt}`);
+      console.log(c.dim(`  ${result.validEvents}/${result.totalEvents} events valid before break`));
+      if (result.brokenEvent) {
+        console.log(c.dim(`  Broken event: ${result.brokenEvent.timestamp} ${result.brokenEvent.action} ${result.brokenEvent.key ?? ""}`));
+      }
+      process.exitCode = 1;
+    }
+  });
+  program2.command("audit:export").description("Export audit events in a portable format").option("--since <date>", "Start date (ISO 8601)").option("--until <date>", "End date (ISO 8601)").option("--format <fmt>", "Output format: jsonl, json, csv", "jsonl").option("-o, --output <file>", "Write to file instead of stdout").action((cmd) => {
+    const output = exportAudit({
+      since: cmd.since,
+      until: cmd.until,
+      format: cmd.format
+    });
+    if (cmd.output) {
+      writeFileSync4(cmd.output, output);
+      console.log(`${SYMBOLS.check} Exported to ${cmd.output}`);
+    } else {
+      console.log(output);
+    }
+  });
   program2.command("health").description("Check the health of all secrets").option("-g, --global", "Check global scope only").option("-p, --project", "Check project scope only").option("--project-path <path>", "Explicit project path").action((cmd) => {
     const opts = buildOpts(cmd);
     const entries = listSecrets(opts);
@@ -884,8 +2475,166 @@ ${SYMBOLS.warning} ${c.bold(c.yellow(`${anomalies.length} anomaly/anomalies dete
     }
     console.log();
   });
+  const hook = program2.command("hook").description("Manage secret change hooks (callbacks on write/delete/rotate)");
+  hook.command("add").description("Register a new hook").option("--key <key>", "Trigger on exact key match").option("--key-pattern <pattern>", "Trigger on key glob pattern (e.g. DB_*)").option("--tag <tag>", "Trigger on secrets with this tag").option("--scope <scope>", "Trigger only for this scope (global or project)").option("--action <actions>", "Comma-separated actions: write,delete,rotate", "write,delete,rotate").option("--exec <command>", "Shell command to execute").option("--url <url>", "HTTP URL to POST to").option("--signal-target <target>", "Process name or PID to signal").option("--signal-name <signal>", "Signal to send (default: SIGHUP)", "SIGHUP").option("--description <desc>", "Human-readable description").action((cmd) => {
+    let type;
+    if (cmd.exec) type = "shell";
+    else if (cmd.url) type = "http";
+    else if (cmd.signalTarget) type = "signal";
+    else {
+      console.error(c.red(`${SYMBOLS.cross} Specify --exec, --url, or --signal-target`));
+      process.exit(1);
+    }
+    if (!cmd.key && !cmd.keyPattern && !cmd.tag) {
+      console.error(c.red(`${SYMBOLS.cross} Specify at least one match criterion: --key, --key-pattern, or --tag`));
+      process.exit(1);
+    }
+    const actions = cmd.action.split(",").map((a) => a.trim());
+    const entry = registerHook({
+      type,
+      match: {
+        key: cmd.key,
+        keyPattern: cmd.keyPattern,
+        tag: cmd.tag,
+        scope: cmd.scope,
+        action: actions
+      },
+      command: cmd.exec,
+      url: cmd.url,
+      signal: cmd.signalTarget ? { target: cmd.signalTarget, signal: cmd.signalName } : void 0,
+      description: cmd.description,
+      enabled: true
+    });
+    console.log(`${SYMBOLS.check} ${c.green("registered")} hook ${c.bold(entry.id)} (${type})`);
+    if (cmd.key) console.log(c.dim(`  key: ${cmd.key}`));
+    if (cmd.keyPattern) console.log(c.dim(`  pattern: ${cmd.keyPattern}`));
+    if (cmd.tag) console.log(c.dim(`  tag: ${cmd.tag}`));
+  });
+  hook.command("list").alias("ls").description("List all registered hooks").action(() => {
+    const hooks = listHooks();
+    if (hooks.length === 0) {
+      console.log(c.dim("No hooks registered"));
+      return;
+    }
+    console.log(c.bold(`
+  ${SYMBOLS.zap} Registered hooks (${hooks.length})
+`));
+    for (const h of hooks) {
+      const status = h.enabled ? c.green("on") : c.red("off");
+      const matchParts = [];
+      if (h.match.key) matchParts.push(`key=${h.match.key}`);
+      if (h.match.keyPattern) matchParts.push(`pattern=${h.match.keyPattern}`);
+      if (h.match.tag) matchParts.push(`tag=${h.match.tag}`);
+      if (h.match.scope) matchParts.push(`scope=${h.match.scope}`);
+      if (h.match.action?.length) matchParts.push(`actions=${h.match.action.join(",")}`);
+      const target = h.type === "shell" ? h.command : h.type === "http" ? h.url : h.signal ? `${h.signal.target} (${h.signal.signal ?? "SIGHUP"})` : "?";
+      console.log(`  ${c.bold(h.id)}  [${status}]  ${c.cyan(h.type)}  ${c.dim(matchParts.join(" "))}`);
+      console.log(`    ${c.dim("\u2192")} ${target}${h.description ? `  ${c.dim(`\u2014 ${h.description}`)}` : ""}`);
+    }
+    console.log();
+  });
+  hook.command("remove <id>").alias("rm").description("Remove a hook by ID").action((id) => {
+    if (removeHook(id)) {
+      console.log(`${SYMBOLS.check} ${c.green("removed")} hook ${c.bold(id)}`);
+    } else {
+      console.error(c.red(`${SYMBOLS.cross} Hook "${id}" not found`));
+      process.exit(1);
+    }
+  });
+  hook.command("enable <id>").description("Enable a hook").action((id) => {
+    if (enableHook(id)) {
+      console.log(`${SYMBOLS.check} ${c.green("enabled")} hook ${c.bold(id)}`);
+    } else {
+      console.error(c.red(`${SYMBOLS.cross} Hook "${id}" not found`));
+      process.exit(1);
+    }
+  });
+  hook.command("disable <id>").description("Disable a hook").action((id) => {
+    if (disableHook(id)) {
+      console.log(`${SYMBOLS.check} ${c.yellow("disabled")} hook ${c.bold(id)}`);
+    } else {
+      console.error(c.red(`${SYMBOLS.cross} Hook "${id}" not found`));
+      process.exit(1);
+    }
+  });
+  hook.command("test <id>").description("Dry-run a hook with a mock payload").action(async (id) => {
+    const hooks = listHooks();
+    const h = hooks.find((hook2) => hook2.id === id);
+    if (!h) {
+      console.error(c.red(`${SYMBOLS.cross} Hook "${id}" not found`));
+      process.exit(1);
+    }
+    console.log(c.dim(`Testing hook ${id} (${h.type})...
+`));
+    const payload = {
+      action: "write",
+      key: h.match.key ?? "TEST_KEY",
+      scope: h.match.scope ?? "global",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      source: "cli"
+    };
+    const results = await fireHooks(payload);
+    const result = results.find((r) => r.hookId === id);
+    if (result) {
+      const icon = result.success ? c.green(SYMBOLS.check) : c.red(SYMBOLS.cross);
+      console.log(`  ${icon} ${result.message}`);
+    } else {
+      console.log(c.yellow(`  ${SYMBOLS.warning} Hook did not match the test payload`));
+    }
+    console.log();
+  });
+  program2.command("env:generate").description("Generate a .env file from the project manifest (.q-ring.json)").option("--project-path <path>", "Project path (defaults to cwd)").option("-o, --output <file>", "Output file path (defaults to stdout)").option("-e, --env <env>", "Force environment for superposition collapse").action((cmd) => {
+    const projectPath = cmd.projectPath ?? process.cwd();
+    const config = readProjectConfig(projectPath);
+    if (!config?.secrets || Object.keys(config.secrets).length === 0) {
+      console.error(
+        c.red(`${SYMBOLS.cross} No secrets manifest found in .q-ring.json`)
+      );
+      process.exit(1);
+    }
+    const opts = buildOpts(cmd);
+    const lines = [];
+    const warnings = [];
+    for (const [key, manifest] of Object.entries(config.secrets)) {
+      const value = getSecret(key, { ...opts, projectPath, source: "cli" });
+      if (value === null) {
+        if (manifest.required !== false) {
+          warnings.push(`MISSING (required): ${key}`);
+        }
+        lines.push(`# ${key}= ${manifest.description ? `# ${manifest.description}` : ""}`);
+        continue;
+      }
+      const result = getEnvelope(key, { projectPath, source: "cli" });
+      if (result) {
+        const decay = checkDecay(result.envelope);
+        if (decay.isExpired) {
+          warnings.push(`EXPIRED: ${key}`);
+        } else if (decay.isStale) {
+          warnings.push(`STALE (${decay.lifetimePercent}%): ${key}`);
+        }
+      }
+      const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n");
+      lines.push(`${key}="${escaped}"`);
+    }
+    const output = lines.join("\n") + "\n";
+    if (cmd.output) {
+      writeFileSync4(cmd.output, output);
+      console.log(
+        `${SYMBOLS.check} ${c.green("generated")} ${c.bold(cmd.output)} (${Object.keys(config.secrets).length} keys)`
+      );
+    } else {
+      process.stdout.write(output);
+    }
+    if (warnings.length > 0 && process.stderr.isTTY) {
+      console.error();
+      for (const w of warnings) {
+        console.error(`  ${c.yellow(SYMBOLS.warning)} ${w}`);
+      }
+      console.error();
+    }
+  });
   program2.command("status").description("Launch the quantum status dashboard in your browser").option("--port <port>", "Port to serve on", "9876").option("--no-open", "Don't auto-open the browser").action(async (cmd) => {
-    const { startDashboardServer } = await import("./dashboard-X3ONQFLV.js");
+    const { startDashboardServer } = await import("./dashboard-JT5ZNLT5.js");
     const { exec } = await import("child_process");
     const { platform } = await import("os");
     const port = Number(cmd.port);
@@ -937,6 +2686,96 @@ ${c.dim("  dashboard stopped")}`);
       verbose: cmd.verbose
     });
   });
+  program2.command("rotate <key>").description("Attempt issuer-native rotation of a secret via its provider").option("-g, --global", "Global scope").option("-p, --project", "Project scope").option("--project-path <path>", "Explicit project path").option("--provider <name>", "Force a specific provider").action(async (key, cmd) => {
+    const opts = buildOpts(cmd);
+    const value = getSecret(key, opts);
+    if (!value) {
+      console.error(c.red(`${SYMBOLS.cross} Secret "${key}" not found`));
+      process.exitCode = 1;
+      return;
+    }
+    const result = await rotateWithProvider(value, cmd.provider);
+    if (result.rotated && result.newValue) {
+      setSecret(key, result.newValue, { ...opts, scope: opts.scope ?? "global" });
+      console.log(`${SYMBOLS.check} ${c.green("Rotated")} ${c.bold(key)} via ${result.provider}`);
+      console.log(c.dim(`  ${result.message}`));
+    } else {
+      console.log(c.yellow(`${SYMBOLS.warning} ${result.message}`));
+    }
+  });
+  program2.command("ci:validate").description("CI-oriented batch validation of all secrets (exit code 1 on failure)").option("-g, --global", "Global scope").option("-p, --project", "Project scope").option("--project-path <path>", "Explicit project path").option("--json", "Output as JSON").action(async (cmd) => {
+    const opts = buildOpts(cmd);
+    const entries = listSecrets(opts);
+    const secrets = entries.map((e) => {
+      const val = getSecret(e.key, { ...opts, scope: e.scope, silent: true });
+      if (!val) return null;
+      const provider = e.envelope?.meta.provider;
+      const validationUrl = e.envelope?.meta.validationUrl;
+      return { key: e.key, value: val, provider, validationUrl };
+    }).filter((s) => s !== null);
+    if (secrets.length === 0) {
+      console.log(c.dim("No secrets to validate"));
+      return;
+    }
+    const report = await ciValidateBatch(secrets);
+    if (cmd.json) {
+      console.log(JSON.stringify(report, null, 2));
+    } else {
+      console.log(c.bold(`
+  CI Secret Validation: ${report.results.length} secrets
+`));
+      for (const r of report.results) {
+        const icon = r.validation.valid ? SYMBOLS.check : SYMBOLS.cross;
+        const color = r.validation.valid ? c.green : c.red;
+        console.log(`  ${icon} ${color(r.key)} [${r.validation.provider}] ${r.validation.message}`);
+        if (r.requiresRotation) console.log(c.dim(`    \u2192 rotation required`));
+      }
+      console.log();
+      if (!report.allValid) {
+        console.log(c.red(`  ${report.failCount} secret(s) failed validation`));
+        process.exitCode = 1;
+      } else {
+        console.log(c.green(`  All secrets valid`));
+      }
+    }
+  });
+  program2.command("policy").description("Show project governance policy summary").option("--json", "Output as JSON").action((cmd) => {
+    const summary = getPolicySummary();
+    if (cmd.json) {
+      console.log(JSON.stringify(summary, null, 2));
+      return;
+    }
+    console.log(c.bold("\n\u2696  Governance Policy\n"));
+    if (!summary.hasMcpPolicy && !summary.hasExecPolicy && !summary.hasSecretPolicy) {
+      console.log(c.dim("  No policy configured in .q-ring.json"));
+      console.log(c.dim('  Add a "policy" section to enable governance controls.\n'));
+      return;
+    }
+    if (summary.hasMcpPolicy) {
+      console.log(c.cyan("  MCP Policy:"));
+      const m = summary.details.mcp;
+      if (m.allowTools) console.log(c.green(`    Allow tools: ${m.allowTools.join(", ")}`));
+      if (m.denyTools) console.log(c.red(`    Deny tools:  ${m.denyTools.join(", ")}`));
+      if (m.readableKeys) console.log(c.green(`    Readable keys: ${m.readableKeys.join(", ")}`));
+      if (m.deniedKeys) console.log(c.red(`    Denied keys:   ${m.deniedKeys.join(", ")}`));
+      if (m.deniedTags) console.log(c.red(`    Denied tags:   ${m.deniedTags.join(", ")}`));
+    }
+    if (summary.hasExecPolicy) {
+      console.log(c.cyan("  Exec Policy:"));
+      const e = summary.details.exec;
+      if (e.allowCommands) console.log(c.green(`    Allow commands:    ${e.allowCommands.join(", ")}`));
+      if (e.denyCommands) console.log(c.red(`    Deny commands:     ${e.denyCommands.join(", ")}`));
+      if (e.maxRuntimeSeconds) console.log(`    Max runtime:       ${e.maxRuntimeSeconds}s`);
+      if (e.allowNetwork !== void 0) console.log(`    Allow network:     ${e.allowNetwork}`);
+    }
+    if (summary.hasSecretPolicy) {
+      console.log(c.cyan("  Secret Lifecycle Policy:"));
+      const s = summary.details.secrets;
+      if (s.requireApprovalForTags) console.log(`    Require approval for tags: ${s.requireApprovalForTags.join(", ")}`);
+      if (s.maxTtlSeconds) console.log(`    Max TTL: ${s.maxTtlSeconds}s`);
+    }
+    console.log();
+  });
   return program2;
 }