@i4ctime/q-ring 0.4.0 → 0.9.2

package/dist/index.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import {
   checkDecay,
+  checkExecPolicy,
   collapseEnvironment,
   deleteSecret,
   detectAnomalies,
@@ -8,24 +9,33 @@ import {
   disentangleSecrets,
   enableHook,
   entangleSecrets,
+  exportAudit,
   exportSecrets,
   fireHooks,
   getEnvelope,
+  getExecMaxRuntime,
+  getPolicySummary,
   getSecret,
+  grantApproval,
   hasSecret,
+  httpRequest_,
+  listApprovals,
   listHooks,
   listSecrets,
   logAudit,
   queryAudit,
   readProjectConfig,
   registerHook,
+  registry,
   removeHook,
+  revokeApproval,
   setSecret,
   tunnelCreate,
   tunnelDestroy,
   tunnelList,
-  tunnelRead
-} from "./chunk-IGNU622R.js";
+  tunnelRead,
+  verifyAuditChain
+} from "./chunk-WG4ZKN7Q.js";
 
 // src/cli/commands.ts
 import { Command } from "commander";
@@ -432,33 +442,443 @@ function importDotenv(filePathOrContent, options = {}) {
   return result;
 }
 
-// src/core/validate.ts
-import { request as httpsRequest } from "https";
-import { request as httpRequest } from "http";
-function makeRequest(url, headers, timeoutMs = 1e4) {
-  return new Promise((resolve, reject) => {
-    const parsedUrl = new URL(url);
-    const reqFn = parsedUrl.protocol === "https:" ? httpsRequest : httpRequest;
-    const req = reqFn(
-      url,
-      { method: "GET", headers, timeout: timeoutMs },
-      (res) => {
-        let body = "";
-        res.on("data", (chunk) => body += chunk);
-        res.on(
-          "end",
-          () => resolve({ statusCode: res.statusCode ?? 0, body })
-        );
+// src/core/exec.ts
+import { spawn } from "child_process";
+import { Transform } from "stream";
+var BUILTIN_PROFILES = {
+  unrestricted: { name: "unrestricted" },
+  restricted: {
+    name: "restricted",
+    denyCommands: ["curl", "wget", "ssh", "scp", "nc", "netcat", "ncat"],
+    maxRuntimeSeconds: 30,
+    allowNetwork: false,
+    stripEnvVars: ["HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY"]
+  },
+  ci: {
+    name: "ci",
+    maxRuntimeSeconds: 300,
+    allowNetwork: true,
+    denyCommands: ["rm -rf /", "mkfs", "dd if="]
+  }
+};
+function getProfile(name) {
+  if (!name) return BUILTIN_PROFILES.unrestricted;
+  return BUILTIN_PROFILES[name] ?? { name };
+}
+var RedactionTransform = class extends Transform {
+  patterns = [];
+  tail = "";
+  maxLen = 0;
+  constructor(secretsToRedact) {
+    super();
+    const validSecrets = secretsToRedact.filter((s) => s.length > 5);
+    validSecrets.sort((a, b) => b.length - a.length);
+    this.patterns = validSecrets.map((s) => ({
+      value: s,
+      replacement: "[QRING:REDACTED]"
+    }));
+    if (validSecrets.length > 0) {
+      this.maxLen = validSecrets[0].length;
+    }
+  }
+  _transform(chunk, encoding, callback) {
+    if (this.patterns.length === 0) {
+      this.push(chunk);
+      return callback();
+    }
+    const text = this.tail + chunk.toString();
+    let redacted = text;
+    for (const { value, replacement } of this.patterns) {
+      redacted = redacted.split(value).join(replacement);
+    }
+    if (redacted.length < this.maxLen) {
+      this.tail = redacted;
+      return callback();
+    }
+    const outputLen = redacted.length - this.maxLen + 1;
+    const output = redacted.slice(0, outputLen);
+    this.tail = redacted.slice(outputLen);
+    this.push(output);
+    callback();
+  }
+  _flush(callback) {
+    if (this.tail) {
+      let final = this.tail;
+      for (const { value, replacement } of this.patterns) {
+        final = final.split(value).join(replacement);
       }
+      this.push(final);
+    }
+    callback();
+  }
+};
+async function execCommand(opts) {
+  const profile = getProfile(opts.profile);
+  const fullCommand = [opts.command, ...opts.args].join(" ");
+  const policyDecision = checkExecPolicy(fullCommand, opts.projectPath);
+  if (!policyDecision.allowed) {
+    throw new Error(`Policy Denied: ${policyDecision.reason}`);
+  }
+  if (profile.denyCommands) {
+    const denied = profile.denyCommands.find((d) => fullCommand.includes(d));
+    if (denied) {
+      throw new Error(`Exec profile "${profile.name}" denies command containing "${denied}"`);
+    }
+  }
+  if (profile.allowCommands) {
+    const allowed = profile.allowCommands.some((a) => fullCommand.startsWith(a));
+    if (!allowed) {
+      throw new Error(`Exec profile "${profile.name}" does not allow command "${opts.command}"`);
+    }
+  }
+  const envMap = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v !== void 0) envMap[k] = v;
+  }
+  if (profile.stripEnvVars) {
+    for (const key of profile.stripEnvVars) {
+      delete envMap[key];
+    }
+  }
+  const secretsToRedact = /* @__PURE__ */ new Set();
+  let entries = listSecrets({
+    scope: opts.scope,
+    projectPath: opts.projectPath,
+    source: opts.source ?? "cli",
+    silent: true
+    // list silently
+  });
+  if (opts.keys?.length) {
+    const keySet = new Set(opts.keys);
+    entries = entries.filter((e) => keySet.has(e.key));
+  }
+  if (opts.tags?.length) {
+    entries = entries.filter(
+      (e) => opts.tags.some((t) => e.envelope?.meta.tags?.includes(t))
     );
-    req.on("error", reject);
-    req.on("timeout", () => {
-      req.destroy();
-      reject(new Error("Request timed out"));
+  }
+  for (const entry of entries) {
+    if (entry.envelope) {
+      const decay = checkDecay(entry.envelope);
+      if (decay.isExpired) continue;
+    }
+    const val = getSecret(entry.key, {
+      scope: entry.scope,
+      projectPath: opts.projectPath,
+      env: opts.env,
+      source: opts.source ?? "cli",
+      silent: false
+      // Log access for execution
+    });
+    if (val !== null) {
+      envMap[entry.key] = val;
+      if (val.length > 5) {
+        secretsToRedact.add(val);
+      }
+    }
+  }
+  const maxRuntime = profile.maxRuntimeSeconds ?? getExecMaxRuntime(opts.projectPath);
+  return new Promise((resolve, reject) => {
+    const networkTools = /* @__PURE__ */ new Set([
+      "curl",
+      "wget",
+      "ping",
+      "nc",
+      "netcat",
+      "ssh",
+      "telnet",
+      "ftp",
+      "dig",
+      "nslookup"
+    ]);
+    if (profile.allowNetwork === false && networkTools.has(opts.command)) {
+      const msg = `[QRING] Execution blocked: network access is disabled for profile "${profile.name}", command "${opts.command}" is considered network-related`;
+      if (opts.captureOutput) {
+        return resolve({ code: 126, stdout: "", stderr: msg });
+      }
+      process.stderr.write(msg + "\n");
+      return resolve({ code: 126, stdout: "", stderr: "" });
+    }
+    const child = spawn(opts.command, opts.args, {
+      env: envMap,
+      stdio: ["inherit", "pipe", "pipe"],
+      shell: false
+    });
+    let timedOut = false;
+    let timer;
+    if (maxRuntime) {
+      timer = setTimeout(() => {
+        timedOut = true;
+        child.kill("SIGKILL");
+      }, maxRuntime * 1e3);
+    }
+    const stdoutRedact = new RedactionTransform([...secretsToRedact]);
+    const stderrRedact = new RedactionTransform([...secretsToRedact]);
+    if (child.stdout) child.stdout.pipe(stdoutRedact);
+    if (child.stderr) child.stderr.pipe(stderrRedact);
+    let stdoutStr = "";
+    let stderrStr = "";
+    if (opts.captureOutput) {
+      stdoutRedact.on("data", (d) => stdoutStr += d.toString());
+      stderrRedact.on("data", (d) => stderrStr += d.toString());
+    } else {
+      stdoutRedact.pipe(process.stdout);
+      stderrRedact.pipe(process.stderr);
+    }
+    child.on("close", (code) => {
+      if (timer) clearTimeout(timer);
+      if (timedOut) {
+        resolve({ code: 124, stdout: stdoutStr, stderr: stderrStr + `
+[QRING] Process killed: exceeded ${maxRuntime}s runtime limit` });
+      } else {
+        resolve({ code: code ?? 0, stdout: stdoutStr, stderr: stderrStr });
+      }
+    });
+    child.on("error", (err) => {
+      if (timer) clearTimeout(timer);
+      reject(err);
     });
-    req.end();
   });
 }
+
+// src/core/scan.ts
+import { readFileSync as readFileSync2, readdirSync, statSync } from "fs";
+import { join } from "path";
+var IGNORE_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  ".next",
+  "dist",
+  "build",
+  "coverage",
+  ".cursor",
+  "venv",
+  "__pycache__"
+]);
+var IGNORE_EXTS = /* @__PURE__ */ new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".ico",
+  ".svg",
+  ".webp",
+  ".mp4",
+  ".mp3",
+  ".wav",
+  ".ogg",
+  ".pdf",
+  ".zip",
+  ".tar",
+  ".gz",
+  ".xz",
+  ".ttf",
+  ".woff",
+  ".woff2",
+  ".eot",
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".lock"
+]);
+var SECRET_KEYWORDS = /((?:api_?key|secret|token|password|auth|credential|access_?key)[a-z0-9_]*)\s*[:=]\s*(['"])([^'"]+)\2/i;
+function calculateEntropy(str) {
+  if (!str) return 0;
+  const len = str.length;
+  const frequencies = /* @__PURE__ */ new Map();
+  for (let i = 0; i < len; i++) {
+    const char = str[i];
+    frequencies.set(char, (frequencies.get(char) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of frequencies.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function scanCodebase(dir) {
+  const results = [];
+  function walk(currentDir) {
+    let entries;
+    try {
+      entries = readdirSync(currentDir);
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (IGNORE_DIRS.has(entry)) continue;
+      const fullPath = join(currentDir, entry);
+      let stat;
+      try {
+        stat = statSync(fullPath);
+      } catch {
+        continue;
+      }
+      if (stat.isDirectory()) {
+        walk(fullPath);
+      } else if (stat.isFile()) {
+        const ext = fullPath.slice(fullPath.lastIndexOf(".")).toLowerCase();
+        if (IGNORE_EXTS.has(ext) || entry.endsWith(".lock")) continue;
+        let content;
+        try {
+          content = readFileSync2(fullPath, "utf8");
+        } catch {
+          continue;
+        }
+        if (content.includes("\0")) continue;
+        const lines = content.split(/\r?\n/);
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.length > 500) continue;
+          const match = line.match(SECRET_KEYWORDS);
+          if (match) {
+            const varName = match[1];
+            const value = match[3];
+            if (value.length < 8) continue;
+            const lowerValue = value.toLowerCase();
+            if (lowerValue.includes("example") || lowerValue.includes("your_") || lowerValue.includes("placeholder") || lowerValue.includes("replace_me")) {
+              continue;
+            }
+            const entropy = calculateEntropy(value);
+            if (entropy > 3.5 || value.startsWith("sk-") || value.startsWith("ghp_")) {
+              const relPath = fullPath.startsWith(dir) ? fullPath.slice(dir.length).replace(/^[/\\]+/, "") : fullPath;
+              results.push({
+                file: relPath || fullPath,
+                line: i + 1,
+                keyName: varName,
+                match: value,
+                context: line.trim(),
+                entropy: parseFloat(entropy.toFixed(2))
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  walk(dir);
+  return results;
+}
+
+// src/core/linter.ts
+import { readFileSync as readFileSync3, writeFileSync, existsSync } from "fs";
+import { basename, extname } from "path";
+var ENV_REF_BY_EXT = {
+  ".ts": (k) => `process.env.${k}`,
+  ".tsx": (k) => `process.env.${k}`,
+  ".js": (k) => `process.env.${k}`,
+  ".jsx": (k) => `process.env.${k}`,
+  ".mjs": (k) => `process.env.${k}`,
+  ".cjs": (k) => `process.env.${k}`,
+  ".py": (k) => `os.environ["${k}"]`,
+  ".rb": (k) => `ENV["${k}"]`,
+  ".go": (k) => `os.Getenv("${k}")`,
+  ".rs": (k) => `std::env::var("${k}")`,
+  ".java": (k) => `System.getenv("${k}")`,
+  ".kt": (k) => `System.getenv("${k}")`,
+  ".cs": (k) => `Environment.GetEnvironmentVariable("${k}")`,
+  ".php": (k) => `getenv('${k}')`,
+  ".sh": (k) => `\${${k}}`,
+  ".bash": (k) => `\${${k}}`
+};
+function getEnvRef(filePath, keyName) {
+  const ext = extname(filePath).toLowerCase();
+  const formatter = ENV_REF_BY_EXT[ext];
+  return formatter ? formatter(keyName) : `process.env.${keyName}`;
+}
+function lintFiles(files, opts = {}) {
+  const results = [];
+  for (const file of files) {
+    if (!existsSync(file)) continue;
+    let content;
+    try {
+      content = readFileSync3(file, "utf8");
+    } catch {
+      continue;
+    }
+    if (content.includes("\0")) continue;
+    const SECRET_KEYWORDS2 = /((?:api_?key|secret|token|password|auth|credential|access_?key)[a-z0-9_]*)\s*[:=]\s*(['"])([^'"]+)\2/gi;
+    const lines = content.split(/\r?\n/);
+    const fixes = [];
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.length > 500) continue;
+      let match;
+      SECRET_KEYWORDS2.lastIndex = 0;
+      while ((match = SECRET_KEYWORDS2.exec(line)) !== null) {
+        const varName = match[1].toUpperCase();
+        const quote = match[2];
+        const value = match[3];
+        if (value.length < 8) continue;
+        const lv = value.toLowerCase();
+        if (lv.includes("example") || lv.includes("your_") || lv.includes("placeholder") || lv.includes("replace_me") || lv.includes("xxx")) continue;
+        const entropy = calculateEntropy2(value);
+        if (entropy <= 3.5 && !value.startsWith("sk-") && !value.startsWith("ghp_")) continue;
+        const shouldFix = opts.fix === true;
+        if (shouldFix) {
+          const envRef = getEnvRef(file, varName);
+          fixes.push({
+            line: i,
+            original: `${quote}${value}${quote}`,
+            replacement: envRef,
+            keyName: varName,
+            value
+          });
+        }
+        results.push({
+          file,
+          line: i + 1,
+          keyName: varName,
+          match: value,
+          context: line.trim(),
+          entropy: parseFloat(entropy.toFixed(2)),
+          fixed: shouldFix
+        });
+      }
+    }
+    if (opts.fix && fixes.length > 0) {
+      const fixLines = content.split(/\r?\n/);
+      for (const fix of fixes.reverse()) {
+        const lineIdx = fix.line;
+        if (lineIdx >= 0 && lineIdx < fixLines.length) {
+          fixLines[lineIdx] = fixLines[lineIdx].replace(fix.original, fix.replacement);
+        }
+        if (!hasSecret(fix.keyName, { scope: opts.scope, projectPath: opts.projectPath })) {
+          setSecret(fix.keyName, fix.value, {
+            scope: opts.scope ?? "global",
+            projectPath: opts.projectPath,
+            source: "cli",
+            description: `Auto-imported from ${basename(file)}:${fix.line + 1}`
+          });
+        }
+      }
+      writeFileSync(file, fixLines.join("\n"), "utf8");
+    }
+  }
+  return results;
+}
+function calculateEntropy2(str) {
+  if (!str) return 0;
+  const len = str.length;
+  const frequencies = /* @__PURE__ */ new Map();
+  for (let i = 0; i < len; i++) {
+    const ch = str[i];
+    frequencies.set(ch, (frequencies.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of frequencies.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+// src/core/validate.ts
+function makeRequest(url, headers, timeoutMs = 1e4) {
+  return httpRequest_({ url, method: "GET", headers, timeoutMs });
+}
 var ProviderRegistry = class {
   providers = /* @__PURE__ */ new Map();
   register(provider) {
@@ -605,14 +1025,14 @@ var httpProvider = {
     }
   }
 };
-var registry = new ProviderRegistry();
-registry.register(openaiProvider);
-registry.register(stripeProvider);
-registry.register(githubProvider);
-registry.register(awsProvider);
-registry.register(httpProvider);
+var registry2 = new ProviderRegistry();
+registry2.register(openaiProvider);
+registry2.register(stripeProvider);
+registry2.register(githubProvider);
+registry2.register(awsProvider);
+registry2.register(httpProvider);
 async function validateSecret(value, opts) {
-  const provider = opts?.provider ? registry.get(opts.provider) : registry.detectProvider(value);
+  const provider = opts?.provider ? registry2.get(opts.provider) : registry2.detectProvider(value);
   if (!provider) {
     return {
       valid: false,
@@ -627,9 +1047,271 @@ async function validateSecret(value, opts) {
   }
   return provider.validate(value);
 }
+async function rotateWithProvider(value, providerName) {
+  const provider = providerName ? registry2.get(providerName) : registry2.detectProvider(value);
+  if (!provider) {
+    return { rotated: false, provider: "none", message: "No provider detected for rotation" };
+  }
+  const rotatable = provider;
+  if (rotatable.supportsRotation && rotatable.rotate) {
+    return rotatable.rotate(value);
+  }
+  const format = "api-key";
+  const newValue = generateSecret({ format, length: 48 });
+  return {
+    rotated: true,
+    provider: provider.name,
+    message: `Provider "${provider.name}" does not support native rotation \u2014 generated new value locally`,
+    newValue
+  };
+}
+async function ciValidateBatch(secrets) {
+  const results = [];
+  for (const s of secrets) {
+    const validation = await validateSecret(s.value, {
+      provider: s.provider,
+      validationUrl: s.validationUrl
+    });
+    results.push({
+      key: s.key,
+      validation,
+      requiresRotation: validation.status === "invalid"
+    });
+  }
+  const failCount = results.filter((r) => !r.validation.valid).length;
+  return { results, allValid: failCount === 0, failCount };
+}
+
+// src/core/context.ts
+function getProjectContext(opts = {}) {
+  const projectPath = opts.projectPath ?? process.cwd();
+  const envResult = collapseEnvironment({ projectPath });
+  const secretsList = listSecrets({
+    ...opts,
+    projectPath,
+    silent: true
+  });
+  let expiredCount = 0;
+  let staleCount = 0;
+  let protectedCount = 0;
+  const secrets = secretsList.map((entry) => {
+    const meta = entry.envelope?.meta;
+    const decay = entry.decay;
+    if (decay?.isExpired) expiredCount++;
+    if (decay?.isStale) staleCount++;
+    if (meta?.requiresApproval) protectedCount++;
+    return {
+      key: entry.key,
+      scope: entry.scope,
+      tags: meta?.tags,
+      description: meta?.description,
+      provider: meta?.provider,
+      requiresApproval: meta?.requiresApproval,
+      jitProvider: meta?.jitProvider,
+      hasStates: !!(entry.envelope?.states && Object.keys(entry.envelope.states).length > 0),
+      isExpired: decay?.isExpired ?? false,
+      isStale: decay?.isStale ?? false,
+      timeRemaining: decay?.timeRemaining ?? null,
+      accessCount: meta?.accessCount ?? 0,
+      lastAccessed: meta?.lastAccessedAt ?? null,
+      rotationFormat: meta?.rotationFormat
+    };
+  });
+  let manifest = null;
+  const config = readProjectConfig(projectPath);
+  if (config?.secrets) {
+    const declaredKeys = Object.keys(config.secrets);
+    const existingKeys = new Set(secrets.map((s) => s.key));
+    const missing = declaredKeys.filter((k) => !existingKeys.has(k));
+    manifest = { declared: declaredKeys.length, missing };
+  }
+  const recentEvents = queryAudit({ limit: 20 });
+  const recentActions = recentEvents.map((e) => ({
+    action: e.action,
+    key: e.key,
+    source: e.source,
+    timestamp: e.timestamp
+  }));
+  return {
+    projectPath,
+    environment: envResult ? { env: envResult.env, source: envResult.source } : null,
+    secrets,
+    totalSecrets: secrets.length,
+    expiredCount,
+    staleCount,
+    protectedCount,
+    manifest,
+    validationProviders: registry2.listProviders().map((p) => p.name),
+    jitProviders: registry.listProviders().map((p) => p.name),
+    hooksCount: listHooks().length,
+    recentActions
+  };
+}
+
+// src/core/memory.ts
+import { existsSync as existsSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2, mkdirSync } from "fs";
+import { join as join2 } from "path";
+import { homedir, hostname, userInfo } from "os";
+import { createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2, createHash, randomBytes as randomBytes3 } from "crypto";
+var MEMORY_FILE = "agent-memory.enc";
+function getMemoryDir() {
+  const dir = join2(homedir(), ".config", "q-ring");
+  if (!existsSync2(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  return dir;
+}
+function getMemoryPath() {
+  return join2(getMemoryDir(), MEMORY_FILE);
+}
+function deriveKey2() {
+  const fingerprint = `qring-memory:${hostname()}:${userInfo().username}`;
+  return createHash("sha256").update(fingerprint).digest();
+}
+function encrypt(data) {
+  const key = deriveKey2();
+  const iv = randomBytes3(12);
+  const cipher = createCipheriv2("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(data, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return `${iv.toString("base64")}:${tag.toString("base64")}:${encrypted.toString("base64")}`;
+}
+function decrypt(blob) {
+  const parts = blob.split(":");
+  if (parts.length !== 3) throw new Error("Invalid encrypted format");
+  const iv = Buffer.from(parts[0], "base64");
+  const tag = Buffer.from(parts[1], "base64");
+  const encrypted = Buffer.from(parts[2], "base64");
+  const key = deriveKey2();
+  const decipher = createDecipheriv2("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(encrypted) + decipher.final("utf8");
+}
+function loadStore() {
+  const path = getMemoryPath();
+  if (!existsSync2(path)) {
+    return { entries: {} };
+  }
+  try {
+    const raw = readFileSync4(path, "utf8");
+    const decrypted = decrypt(raw);
+    return JSON.parse(decrypted);
+  } catch {
+    return { entries: {} };
+  }
+}
+function saveStore(store) {
+  const json = JSON.stringify(store);
+  const encrypted = encrypt(json);
+  writeFileSync2(getMemoryPath(), encrypted, "utf8");
+}
+function remember(key, value) {
+  const store = loadStore();
+  store.entries[key] = {
+    value,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  saveStore(store);
+}
+function recall(key) {
+  const store = loadStore();
+  return store.entries[key]?.value ?? null;
+}
+function listMemory() {
+  const store = loadStore();
+  return Object.entries(store.entries).map(([key, entry]) => ({
+    key,
+    updatedAt: entry.updatedAt
+  }));
+}
+function forget(key) {
+  const store = loadStore();
+  if (key in store.entries) {
+    delete store.entries[key];
+    saveStore(store);
+    return true;
+  }
+  return false;
+}
+function clearMemory() {
+  saveStore({ entries: {} });
+}
+
+// src/hooks/precommit.ts
+import { execSync } from "child_process";
+import { existsSync as existsSync3, writeFileSync as writeFileSync3, chmodSync, readFileSync as readFileSync5, unlinkSync } from "fs";
+import { join as join3 } from "path";
+function getStagedFiles() {
+  try {
+    const output = execSync("git diff --cached --name-only --diff-filter=ACM", {
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return output.split("\n").map((f) => f.trim()).filter((f) => f.length > 0);
+  } catch {
+    return [];
+  }
+}
+function runPreCommitScan() {
+  const staged = getStagedFiles();
+  if (staged.length === 0) return 0;
+  const results = lintFiles(staged);
+  if (results.length === 0) return 0;
+  console.error("\n[q-ring] Pre-commit scan found hardcoded secrets:\n");
+  for (const r of results) {
+    console.error(`  ${r.file}:${r.line}  ${r.keyName}  (entropy: ${r.entropy})`);
+  }
+  console.error(
+    `
+[q-ring] Commit blocked. Use "qring scan --fix" to auto-migrate, or "git commit --no-verify" to bypass.
+`
+  );
+  return 1;
+}
+var HOOK_SCRIPT = `#!/bin/sh
+# q-ring pre-commit hook \u2014 scans staged files for hardcoded secrets
+npx qring hook:run 2>&1
+exit $?
+`;
+function installPreCommitHook(repoPath) {
+  const root = repoPath ?? process.cwd();
+  const hooksDir = join3(root, ".git", "hooks");
+  if (!existsSync3(join3(root, ".git"))) {
+    return { installed: false, path: "", message: "Not a git repository" };
+  }
+  const hookPath = join3(hooksDir, "pre-commit");
+  if (existsSync3(hookPath)) {
+    const existing = readFileSync5(hookPath, "utf8");
+    if (existing.includes("q-ring")) {
+      return { installed: true, path: hookPath, message: "Hook already installed" };
+    }
+    writeFileSync3(hookPath, HOOK_SCRIPT + "\n" + existing, "utf8");
+  } else {
+    writeFileSync3(hookPath, HOOK_SCRIPT, "utf8");
+  }
+  chmodSync(hookPath, 493);
+  return { installed: true, path: hookPath, message: "Pre-commit hook installed" };
+}
+function uninstallPreCommitHook(repoPath) {
+  const root = repoPath ?? process.cwd();
+  const hookPath = join3(root, ".git", "hooks", "pre-commit");
+  if (!existsSync3(hookPath)) return false;
+  const content = readFileSync5(hookPath, "utf8");
+  if (!content.includes("q-ring")) return false;
+  const lines = content.split("\n");
+  const cleaned = lines.filter(
+    (l) => !l.includes("q-ring") && !l.includes("npx qring hook:run")
+  );
+  if (cleaned.filter((l) => l.trim() && !l.startsWith("#!")).length === 0) {
+    unlinkSync(hookPath);
+  } else {
+    writeFileSync3(hookPath, cleaned.join("\n"), "utf8");
+  }
+  return true;
+}
 
 // src/cli/commands.ts
-import { writeFileSync } from "fs";
+import { writeFileSync as writeFileSync4, readFileSync as readFileSync6, existsSync as existsSync4 } from "fs";
 
 // src/utils/prompt.ts
 import { createInterface } from "readline";
@@ -683,6 +1365,8 @@ function buildOpts(cmd) {
   let scope;
   if (cmd.global) scope = "global";
   else if (cmd.project) scope = "project";
+  else if (cmd.team) scope = "team";
+  else if (cmd.org) scope = "org";
   const projectPath = cmd.projectPath ?? (cmd.project ? process.cwd() : void 0);
   if (scope === "project" && !projectPath) {
     throw new Error("Project path is required for project scope");
@@ -690,6 +1374,8 @@ function buildOpts(cmd) {
   return {
     scope,
     projectPath: projectPath ?? process.cwd(),
+    teamId: cmd.team,
+    orgId: cmd.org,
     env: cmd.env,
     source: "cli"
   };
@@ -698,7 +1384,7 @@ function createProgram() {
   const program2 = new Command().name("qring").description(
     `${c.bold("q-ring")} ${c.dim("\u2014 quantum keyring for AI coding tools")}`
   ).version("0.4.0");
-  program2.command("set <key> [value]").description("Store a secret (with optional quantum metadata)").option("-g, --global", "Store in global scope").option("-p, --project", "Store in project scope (uses cwd)").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Set value for a specific environment (superposition)").option("--ttl <seconds>", "Time-to-live in seconds (quantum decay)", parseInt).option("--expires <iso>", "Expiry timestamp (ISO 8601)").option("--description <desc>", "Human-readable description").option("--tags <tags>", "Comma-separated tags").option("--rotation-format <format>", "Format for auto-rotation (api-key, password, uuid, hex, base64, alphanumeric, token)").option("--rotation-prefix <prefix>", "Prefix for auto-rotation (e.g. sk-)").action(async (key, value, cmd) => {
+  program2.command("set <key> [value]").description("Store a secret (with optional quantum metadata)").option("-g, --global", "Store in global scope").option("-p, --project", "Store in project scope (uses cwd)").option("--team <id>", "Store in team scope").option("--org <id>", "Store in org scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Set value for a specific environment (superposition)").option("--ttl <seconds>", "Time-to-live in seconds (quantum decay)", parseInt).option("--expires <iso>", "Expiry timestamp (ISO 8601)").option("--description <desc>", "Human-readable description").option("--tags <tags>", "Comma-separated tags").option("--rotation-format <format>", "Format for auto-rotation (api-key, password, uuid, hex, base64, alphanumeric, token)").option("--rotation-prefix <prefix>", "Prefix for auto-rotation (e.g. sk-)").option("--requires-approval", "Require explicit user approval for MCP agents to read").option("--jit-provider <provider>", "Use a Just-In-Time provider to dynamically generate this secret").action(async (key, value, cmd) => {
     const opts = buildOpts(cmd);
     if (!value) {
       value = await promptSecret(`${SYMBOLS.key} Enter value for ${c.bold(key)}: `);
@@ -714,7 +1400,9 @@ function createProgram() {
       description: cmd.description,
       tags: cmd.tags?.split(",").map((t) => t.trim()),
       rotationFormat: cmd.rotationFormat,
-      rotationPrefix: cmd.rotationPrefix
+      rotationPrefix: cmd.rotationPrefix,
+      requiresApproval: cmd.requiresApproval,
+      jitProvider: cmd.jitProvider
     };
     if (cmd.env) {
       const existing = getEnvelope(key, opts);
@@ -739,7 +1427,7 @@ function createProgram() {
       );
     }
   });
-  program2.command("get <key>").description("Retrieve a secret (collapses superposition if needed)").option("-g, --global", "Look only in global scope").option("-p, --project", "Look only in project scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force a specific environment").action((key, cmd) => {
+  program2.command("get <key>").description("Retrieve a secret (collapses superposition if needed)").option("-g, --global", "Look only in global scope").option("-p, --project", "Look only in project scope").option("--team <id>", "Look only in team scope").option("--org <id>", "Look only in org scope").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Force a specific environment").action((key, cmd) => {
     const opts = buildOpts(cmd);
     const value = getSecret(key, opts);
     if (value === null) {
@@ -758,7 +1446,7 @@ function createProgram() {
       process.exit(1);
     }
   });
-  program2.command("list").alias("ls").description("List all secrets with quantum status indicators").option("-g, --global", "List global scope only").option("-p, --project", "List project scope only").option("--project-path <path>", "Explicit project path").option("--show-decay", "Show decay/expiry status").option("-t, --tag <tag>", "Filter by tag").option("--expired", "Show only expired secrets").option("--stale", "Show only stale secrets (75%+ decay)").option("-f, --filter <pattern>", "Glob pattern on key name").action((cmd) => {
+  program2.command("list").alias("ls").description("List all secrets with quantum status indicators").option("-g, --global", "List global scope only").option("-p, --project", "List project scope only").option("--team <id>", "List team scope only").option("--org <id>", "List org scope only").option("--project-path <path>", "Explicit project path").option("--show-decay", "Show decay/expiry status").option("-t, --tag <tag>", "Filter by tag").option("--expired", "Show only expired secrets").option("--stale", "Show only stale secrets (75%+ decay)").option("-f, --filter <pattern>", "Glob pattern on key name").action((cmd) => {
     const opts = buildOpts(cmd);
     let entries = listSecrets(opts);
     if (cmd.tag) {
@@ -1020,7 +1708,7 @@ function createProgram() {
       console.log(c.bold(`
   ${SYMBOLS.shield} Available validation providers
 `));
-      for (const p of registry.listProviders()) {
+      for (const p of registry2.listProviders()) {
         const prefixes = p.prefixes?.length ? c.dim(` (${p.prefixes.join(", ")})`) : "";
         console.log(`  ${c.cyan(p.name.padEnd(10))} ${p.description}${prefixes}`);
       }
@@ -1087,6 +1775,372 @@ function createProgram() {
     }
     console.log();
   });
+  program2.command("exec <command...>").description("Run a command with secrets injected into its environment (output auto-redacted)").option("-g, --global", "Inject global scope secrets only").option("-p, --project", "Inject project scope secrets only").option("--project-path <path>", "Explicit project path").option("-e, --env <env>", "Environment context").option("-k, --keys <keys>", "Comma-separated key names to inject").option("-t, --tags <tags>", "Comma-separated tags to filter by").option("--profile <name>", "Exec profile: unrestricted, restricted, ci").action(async (commandArgs, cmd) => {
+    const opts = buildOpts(cmd);
+    const command = commandArgs[0];
+    const args = commandArgs.slice(1);
+    try {
+      const { code } = await execCommand({
+        ...opts,
+        command,
+        args,
+        keys: cmd.keys?.split(",").map((k) => k.trim()),
+        tags: cmd.tags?.split(",").map((t) => t.trim()),
+        profile: cmd.profile
+      });
+      process.exit(code);
+    } catch (err) {
+      console.error(c.red(`${SYMBOLS.cross} Exec failed: ${err instanceof Error ? err.message : String(err)}`));
+      process.exit(1);
+    }
+  });
+  program2.command("scan [dir]").description("Scan a codebase for hardcoded secrets").option("--fix", "Auto-replace hardcoded secrets with process.env references and store in q-ring").option("-g, --global", "Store fixed secrets in global scope").option("-p, --project", "Store fixed secrets in project scope").option("--project-path <path>", "Explicit project path").action((dir, cmd) => {
+    const targetDir = dir ?? process.cwd();
+    const fixMode = cmd.fix === true;
+    console.log(`
+  ${SYMBOLS.eye} Scanning ${c.bold(targetDir)} for secrets...${fixMode ? c.yellow(" [--fix mode]") : ""}
+`);
+    const results = scanCodebase(targetDir);
+    if (results.length === 0) {
+      console.log(`  ${c.green(SYMBOLS.check)} No hardcoded secrets found. Awesome!
+`);
+      return;
+    }
+    if (fixMode) {
+      const fileSet = new Set(results.map((r) => r.file.startsWith("/") ? r.file : `${targetDir}/${r.file}`));
+      const opts = buildOpts(cmd);
+      const lintResults = lintFiles([...fileSet], { fix: true, scope: opts.scope, projectPath: opts.projectPath });
+      const fixedCount = lintResults.filter((r) => r.fixed).length;
+      console.log(`  ${c.green(SYMBOLS.check)} Fixed ${fixedCount} secrets \u2014 replaced with process.env references and stored in q-ring.
+`);
+      return;
+    }
+    for (const res of results) {
+      console.log(`  ${c.red(SYMBOLS.cross)} ${c.bold(res.file)}:${res.line}`);
+      console.log(`    ${c.dim("Key:")}     ${c.cyan(res.keyName)}`);
+      console.log(`    ${c.dim("Entropy:")} ${res.entropy > 4 ? c.red(res.entropy.toString()) : c.yellow(res.entropy.toString())}`);
+      console.log(`    ${c.dim("Context:")} ${res.context}`);
+      console.log();
+    }
+    console.log(`  ${c.red(`Found ${results.length} potential secrets.`)} Use ${c.bold("qring scan --fix")} to auto-migrate them.
+`);
+  });
+  program2.command("lint <files...>").description("Lint specific files for hardcoded secrets (with optional auto-fix)").option("--fix", "Replace hardcoded secrets with process.env references and store in q-ring").option("-g, --global", "Store fixed secrets in global scope").option("-p, --project", "Store fixed secrets in project scope").option("--project-path <path>", "Explicit project path").action((files, cmd) => {
+    const opts = buildOpts(cmd);
+    const results = lintFiles(files, { fix: cmd.fix, scope: opts.scope, projectPath: opts.projectPath });
+    if (results.length === 0) {
+      console.log(`
+  ${c.green(SYMBOLS.check)} No hardcoded secrets found in ${files.length} file(s).
+`);
+      return;
+    }
+    for (const res of results) {
+      const status = res.fixed ? c.green("fixed") : c.red("found");
+      console.log(`  ${res.fixed ? c.green(SYMBOLS.check) : c.red(SYMBOLS.cross)} ${c.bold(res.file)}:${res.line} [${status}]`);
+      console.log(`    ${c.dim("Key:")}     ${c.cyan(res.keyName)}`);
+      console.log(`    ${c.dim("Entropy:")} ${res.entropy > 4 ? c.red(res.entropy.toString()) : c.yellow(res.entropy.toString())}`);
+      console.log();
+    }
+    const fixedCount = results.filter((r) => r.fixed).length;
+    if (cmd.fix && fixedCount > 0) {
+      console.log(`  ${c.green(`Fixed ${fixedCount} secret(s)`)} \u2014 replaced with env references and stored in q-ring.
+`);
+    } else {
+      console.log(`  ${c.red(`Found ${results.length} potential secret(s).`)} Use ${c.bold("--fix")} to auto-migrate.
+`);
+    }
+  });
+  program2.command("context").alias("describe").description("Show safe, redacted project context for AI agents (no secret values exposed)").option("-g, --global", "Global scope only").option("-p, --project", "Project scope only").option("--project-path <path>", "Explicit project path").option("--json", "Output as JSON (for MCP / programmatic use)").action((cmd) => {
+    const opts = buildOpts(cmd);
+    const context = getProjectContext(opts);
+    if (cmd.json) {
+      console.log(JSON.stringify(context, null, 2));
+      return;
+    }
+    console.log(`
+${SYMBOLS.zap} ${c.bold("Project Context for AI Assistant")}`);
+    console.log(`  Project: ${c.cyan(context.projectPath)}`);
+    if (context.environment) {
+      console.log(`  Environment: ${envBadge(context.environment.env)} ${c.dim(`(${context.environment.source})`)}`);
+    }
+    console.log(`
+${c.bold("  Secrets:")} ${context.totalSecrets} total  ${c.dim(`(${context.expiredCount} expired, ${context.staleCount} stale, ${context.protectedCount} protected)`)}`);
+    for (const s of context.secrets) {
+      const tags = s.tags?.length ? c.dim(` [${s.tags.join(",")}]`) : "";
+      const flags = [];
+      if (s.requiresApproval) flags.push(c.yellow("locked"));
+      if (s.jitProvider) flags.push(c.magenta("jit"));
+      if (s.hasStates) flags.push(c.blue("superposition"));
+      if (s.isExpired) flags.push(c.red("expired"));
+      else if (s.isStale) flags.push(c.yellow("stale"));
+      const flagStr = flags.length ? ` ${flags.join(" ")}` : "";
+      console.log(`    ${c.bold(s.key)} ${scopeColor(s.scope)}${tags}${flagStr}`);
+    }
+    if (context.manifest) {
+      console.log(`
+${c.bold("  Manifest:")} ${context.manifest.declared} declared`);
+      if (context.manifest.missing.length > 0) {
+        console.log(`    ${c.red("Missing:")} ${context.manifest.missing.join(", ")}`);
+      } else {
+        console.log(`    ${c.green(SYMBOLS.check)} All manifest secrets present`);
+      }
+    }
+    console.log(`
+${c.bold("  Providers:")} ${context.validationProviders.join(", ") || "none"}`);
+    console.log(`${c.bold("  JIT Providers:")} ${context.jitProviders.join(", ") || "none"}`);
+    console.log(`${c.bold("  Hooks:")} ${context.hooksCount} registered`);
+    if (context.recentActions.length > 0) {
+      console.log(`
+${c.bold("  Recent Activity:")} (last ${context.recentActions.length})`);
+      for (const a of context.recentActions.slice(0, 8)) {
+        const ts = new Date(a.timestamp).toLocaleTimeString();
+        console.log(`    ${c.dim(ts)} ${a.action}${a.key ? ` ${c.bold(a.key)}` : ""} ${c.dim(`(${a.source})`)}`);
+      }
+    }
+    console.log();
+  });
+  program2.command("remember <key> <value>").description("Store a key-value pair in encrypted agent memory (persists across sessions)").action((key, value) => {
+    remember(key, value);
+    console.log(`${SYMBOLS.check} ${c.green("remembered")} ${c.bold(key)}`);
+  });
+  program2.command("recall [key]").description("Retrieve a value from agent memory, or list all keys").action((key) => {
+    if (!key) {
+      const entries = listMemory();
+      if (entries.length === 0) {
+        console.log(c.dim("Agent memory is empty."));
+        return;
+      }
+      console.log(`
+${SYMBOLS.zap} ${c.bold("Agent Memory")} (${entries.length} entries)
+`);
+      for (const e of entries) {
+        console.log(`  ${c.bold(e.key)}  ${c.dim(new Date(e.updatedAt).toLocaleString())}`);
+      }
+      console.log();
+      return;
+    }
+    const value = recall(key);
+    if (value === null) {
+      console.log(c.dim(`No memory found for "${key}"`));
+    } else {
+      console.log(safeStr(value));
+    }
+  });
+  program2.command("forget <key>").description("Delete a key from agent memory").option("--all", "Clear all agent memory").action((key, cmd) => {
+    if (cmd.all) {
+      clearMemory();
+      console.log(`${SYMBOLS.check} ${c.yellow("cleared")} all agent memory`);
+      return;
+    }
+    const removed = forget(key);
+    if (removed) {
+      console.log(`${SYMBOLS.check} ${c.yellow("forgot")} ${c.bold(key)}`);
+    } else {
+      console.log(c.dim(`No memory found for "${key}"`));
+    }
+  });
+  program2.command("approve <key>").description("Grant a scoped, reasoned, HMAC-verified approval token for MCP secret access").option("-g, --global", "Global scope").option("-p, --project", "Project scope").option("--project-path <path>", "Explicit project path").option("--for <seconds>", "Duration of approval in seconds", parseInt, 3600).option("--reason <text>", "Reason for granting approval").option("--revoke", "Revoke an existing approval").option("--list", "List all approvals").action((key, cmd) => {
+    const opts = buildOpts(cmd);
+    const scope = opts.scope ?? "global";
+    if (cmd.list) {
+      const approvals = listApprovals();
+      if (approvals.length === 0) {
+        console.log(c.dim("  No active approvals"));
+        return;
+      }
+      for (const a of approvals) {
+        const status = a.tampered ? c.red("TAMPERED") : a.valid ? c.green("active") : c.dim("expired");
+        const ttl = Math.max(0, Math.round((new Date(a.expiresAt).getTime() - Date.now()) / 1e3));
+        console.log(`  ${status} ${c.bold(a.key)} [${a.scope}] reason=${c.dim(a.reason)} ttl=${ttl}s granted-by=${a.grantedBy}`);
+      }
+      return;
+    }
+    if (cmd.revoke) {
+      const revoked = revokeApproval(key, scope);
+      if (revoked) {
+        console.log(`${SYMBOLS.check} ${c.yellow("revoked")} approval for ${c.bold(key)}`);
+      } else {
+        console.log(c.dim(`  No active approval found for ${key}`));
+      }
+      return;
+    }
+    const entry = grantApproval(key, scope, cmd.for, {
+      reason: cmd.reason ?? "manual approval"
+    });
+    console.log(`${SYMBOLS.check} ${c.green("approved")} ${c.bold(key)} for ${cmd.for}s`);
+    console.log(c.dim(`  id=${entry.id} reason="${entry.reason}" expires=${entry.expiresAt}`));
+  });
+  program2.command("approvals").description("List all approval tokens with verification status").action(() => {
+    const approvals = listApprovals();
+    if (approvals.length === 0) {
+      console.log(c.dim("  No approvals found"));
+      return;
+    }
+    console.log(c.bold("\n\u{1F510} Approval Tokens\n"));
+    for (const a of approvals) {
+      const status = a.tampered ? c.red(`${SYMBOLS.cross} TAMPERED`) : a.valid ? c.green(`${SYMBOLS.check} active`) : c.dim(`${SYMBOLS.warning} expired`);
+      const ttl = Math.max(0, Math.round((new Date(a.expiresAt).getTime() - Date.now()) / 1e3));
+      console.log(`  ${status} ${c.bold(a.key)} [${a.scope}]`);
+      console.log(c.dim(`    id=${a.id} reason="${a.reason}" ttl=${ttl}s by=${a.grantedBy}`));
+      if (a.workspace) console.log(c.dim(`    workspace=${a.workspace}`));
+    }
+    console.log();
+  });
+  program2.command("hook:install").description("Install a git pre-commit hook that scans for hardcoded secrets").option("--project-path <path>", "Repository path").action((cmd) => {
+    const result = installPreCommitHook(cmd.projectPath);
+    if (result.installed) {
+      console.log(`${SYMBOLS.check} ${c.green(result.message)} at ${c.dim(result.path)}`);
+    } else {
+      console.log(`${SYMBOLS.cross} ${c.red(result.message)}`);
+    }
+  });
+  program2.command("hook:uninstall").description("Remove the q-ring pre-commit hook").option("--project-path <path>", "Repository path").action((cmd) => {
+    const removed = uninstallPreCommitHook(cmd.projectPath);
+    if (removed) {
+      console.log(`${SYMBOLS.check} ${c.green("Pre-commit hook removed")}`);
+    } else {
+      console.log(c.dim("No q-ring pre-commit hook found"));
+    }
+  });
+  program2.command("hook:run").description("Run the pre-commit secret scan (called by the git hook)").action(() => {
+    const code = runPreCommitScan();
+    process.exit(code);
+  });
+  program2.command("wizard <name>").description("Set up a new service integration with secrets, manifest, and hooks").option("--keys <keys>", "Comma-separated secret key names to create (e.g. API_KEY,API_SECRET)").option("--provider <provider>", "Validation provider (e.g. openai, stripe, github)").option("--tags <tags>", "Comma-separated tags for all secrets").option("--hook-exec <cmd>", "Shell command to run when any of these secrets change").option("-g, --global", "Global scope").option("-p, --project", "Project scope").option("--project-path <path>", "Explicit project path").action(async (name, cmd) => {
+    const opts = buildOpts(cmd);
+    const prefix = name.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+    const tags = cmd.tags?.split(",").map((t) => t.trim()) ?? [name.toLowerCase()];
+    const provider = cmd.provider;
+    let keyNames;
+    if (cmd.keys) {
+      keyNames = cmd.keys.split(",").map((k) => k.trim());
+    } else {
+      keyNames = [`${prefix}_API_KEY`, `${prefix}_API_SECRET`];
+    }
+    console.log(`
+${SYMBOLS.zap} ${c.bold(`Setting up service: ${name}`)}
+`);
+    for (const key of keyNames) {
+      const value = generateSecret({ format: "api-key", prefix: `${prefix.toLowerCase()}_` });
+      setSecret(key, value, {
+        ...opts,
+        tags,
+        provider,
+        description: `Auto-generated by wizard for ${name}`
+      });
+      console.log(`  ${c.green(SYMBOLS.check)} Created ${c.bold(key)}`);
+    }
+    const projectPath = opts.projectPath ?? process.cwd();
+    const manifestPath = `${projectPath}/.q-ring.json`;
+    let config = {};
+    try {
+      if (existsSync4(manifestPath)) {
+        config = JSON.parse(readFileSync6(manifestPath, "utf8"));
+      }
+    } catch {
+    }
+    if (!config.secrets) config.secrets = {};
+    for (const key of keyNames) {
+      config.secrets[key] = {
+        required: true,
+        description: `${name} integration`,
+        ...provider ? { provider } : {}
+      };
+    }
+    writeFileSync4(manifestPath, JSON.stringify(config, null, 2) + "\n", "utf8");
+    console.log(`  ${c.green(SYMBOLS.check)} Updated ${c.dim(".q-ring.json")} manifest`);
+    if (cmd.hookExec) {
+      for (const key of keyNames) {
+        registerHook({
+          type: "shell",
+          match: { key, action: ["write", "delete"] },
+          command: cmd.hookExec,
+          description: `${name} wizard hook`,
+          enabled: true
+        });
+      }
+      console.log(`  ${c.green(SYMBOLS.check)} Registered hook: ${c.dim(cmd.hookExec)}`);
+    }
+    console.log(`
+  ${c.green("Done!")} Service "${name}" is ready with ${keyNames.length} secrets.
+`);
+  });
+  program2.command("analyze").description("Analyze secret usage patterns and provide optimization suggestions").option("-g, --global", "Global scope only").option("-p, --project", "Project scope only").option("--project-path <path>", "Explicit project path").action((cmd) => {
+    const opts = buildOpts(cmd);
+    const entries = listSecrets({ ...opts, silent: true });
+    const audit = queryAudit({ limit: 1e3 });
+    console.log(`
+${SYMBOLS.zap} ${c.bold("Secret Usage Analysis")}
+`);
+    const accessMap = /* @__PURE__ */ new Map();
+    for (const e of audit) {
+      if (e.action === "read" && e.key) {
+        accessMap.set(e.key, (accessMap.get(e.key) || 0) + 1);
+      }
+    }
+    const sorted = [...accessMap.entries()].sort((a, b) => b[1] - a[1]);
+    if (sorted.length > 0) {
+      console.log(`  ${c.bold("Most accessed:")}`);
+      for (const [key, count] of sorted.slice(0, 5)) {
+        console.log(`    ${c.bold(key)} \u2014 ${c.cyan(count.toString())} reads`);
+      }
+      console.log();
+    }
+    const neverAccessed = entries.filter((e) => {
+      const count = e.envelope?.meta.accessCount ?? 0;
+      return count === 0;
+    });
+    if (neverAccessed.length > 0) {
+      console.log(`  ${c.bold("Never accessed:")} ${c.yellow(neverAccessed.length.toString())} secrets`);
+      for (const e of neverAccessed.slice(0, 8)) {
+        const age = e.envelope?.meta.createdAt ? c.dim(`(created ${new Date(e.envelope.meta.createdAt).toLocaleDateString()})`) : "";
+        console.log(`    ${c.dim(SYMBOLS.cross)} ${e.key} ${age}`);
+      }
+      console.log();
+    }
+    const expired = entries.filter((e) => e.decay?.isExpired);
+    const stale = entries.filter((e) => e.decay?.isStale && !e.decay?.isExpired);
+    if (expired.length > 0) {
+      console.log(`  ${c.red("Expired:")} ${expired.length} secrets need rotation or cleanup`);
+      for (const e of expired.slice(0, 5)) {
+        console.log(`    ${c.red(SYMBOLS.cross)} ${e.key}`);
+      }
+      console.log();
+    }
+    if (stale.length > 0) {
+      console.log(`  ${c.yellow("Stale (>75% lifetime):")} ${stale.length} secrets approaching expiry`);
+      for (const e of stale.slice(0, 5)) {
+        console.log(`    ${c.yellow(SYMBOLS.warning)} ${e.key} ${c.dim(`(${e.decay?.timeRemaining} remaining)`)}`);
+      }
+      console.log();
+    }
+    const globalOnly = entries.filter((e) => e.scope === "global");
+    const withProjectTags = globalOnly.filter(
+      (e) => e.envelope?.meta.tags?.some((t) => ["backend", "frontend", "db", "api"].includes(t))
+    );
+    if (withProjectTags.length > 0) {
+      console.log(`  ${c.bold("Scope suggestions:")}`);
+      console.log(`    ${withProjectTags.length} global secret(s) have project-specific tags \u2014 consider moving to project scope`);
+      console.log();
+    }
+    const noRotation = entries.filter(
+      (e) => !e.envelope?.meta.rotationFormat && !e.decay?.isExpired
+    );
+    if (noRotation.length > 0) {
+      console.log(`  ${c.bold("Rotation suggestions:")}`);
+      console.log(`    ${noRotation.length} secret(s) have no rotation format set`);
+      console.log(`    Use ${c.bold("qring set <key> <value> --rotation-format api-key")} to enable auto-rotation`);
+      console.log();
+    }
+    console.log(`  ${c.bold("Summary:")}`);
+    console.log(`    Total secrets: ${entries.length}`);
+    console.log(`    Active: ${entries.length - expired.length}`);
+    console.log(`    Expired: ${expired.length}`);
+    console.log(`    Stale: ${stale.length}`);
+    console.log(`    Never accessed: ${neverAccessed.length}`);
+    console.log(`    With rotation config: ${entries.length - noRotation.length}`);
+    console.log();
+  });
   program2.command("env").description("Show detected environment (wavefunction collapse context)").option("--project-path <path>", "Project path for detection").action((cmd) => {
     const result = collapseEnvironment({
       projectPath: cmd.projectPath ?? process.cwd()
@@ -1343,6 +2397,36 @@ ${SYMBOLS.warning} ${c.bold(c.yellow(`${anomalies.length} anomaly/anomalies dete
     }
     console.log();
   });
+  program2.command("audit:verify").description("Verify the integrity of the audit hash chain").action(() => {
+    const result = verifyAuditChain();
+    if (result.totalEvents === 0) {
+      console.log(c.dim("  No audit events to verify"));
+      return;
+    }
+    if (result.intact) {
+      console.log(`${SYMBOLS.shield} ${c.green("Audit chain intact")} \u2014 ${result.totalEvents} events verified`);
+    } else {
+      console.log(`${SYMBOLS.cross} ${c.red("Audit chain BROKEN")} at event #${result.brokenAt}`);
+      console.log(c.dim(`  ${result.validEvents}/${result.totalEvents} events valid before break`));
+      if (result.brokenEvent) {
+        console.log(c.dim(`  Broken event: ${result.brokenEvent.timestamp} ${result.brokenEvent.action} ${result.brokenEvent.key ?? ""}`));
+      }
+      process.exitCode = 1;
+    }
+  });
+  program2.command("audit:export").description("Export audit events in a portable format").option("--since <date>", "Start date (ISO 8601)").option("--until <date>", "End date (ISO 8601)").option("--format <fmt>", "Output format: jsonl, json, csv", "jsonl").option("-o, --output <file>", "Write to file instead of stdout").action((cmd) => {
+    const output = exportAudit({
+      since: cmd.since,
+      until: cmd.until,
+      format: cmd.format
+    });
+    if (cmd.output) {
+      writeFileSync4(cmd.output, output);
+      console.log(`${SYMBOLS.check} Exported to ${cmd.output}`);
+    } else {
+      console.log(output);
+    }
+  });
   program2.command("health").description("Check the health of all secrets").option("-g, --global", "Check global scope only").option("-p, --project", "Check project scope only").option("--project-path <path>", "Explicit project path").action((cmd) => {
     const opts = buildOpts(cmd);
     const entries = listSecrets(opts);
@@ -1534,7 +2618,7 @@ ${SYMBOLS.warning} ${c.bold(c.yellow(`${anomalies.length} anomaly/anomalies dete
     }
     const output = lines.join("\n") + "\n";
     if (cmd.output) {
-      writeFileSync(cmd.output, output);
+      writeFileSync4(cmd.output, output);
       console.log(
         `${SYMBOLS.check} ${c.green("generated")} ${c.bold(cmd.output)} (${Object.keys(config.secrets).length} keys)`
       );
@@ -1550,7 +2634,7 @@ ${SYMBOLS.warning} ${c.bold(c.yellow(`${anomalies.length} anomaly/anomalies dete
     }
   });
   program2.command("status").description("Launch the quantum status dashboard in your browser").option("--port <port>", "Port to serve on", "9876").option("--no-open", "Don't auto-open the browser").action(async (cmd) => {
-    const { startDashboardServer } = await import("./dashboard-HVIQO6NT.js");
+    const { startDashboardServer } = await import("./dashboard-JT5ZNLT5.js");
     const { exec } = await import("child_process");
     const { platform } = await import("os");
     const port = Number(cmd.port);
@@ -1602,6 +2686,96 @@ ${c.dim("  dashboard stopped")}`);
       verbose: cmd.verbose
     });
   });
+  program2.command("rotate <key>").description("Attempt issuer-native rotation of a secret via its provider").option("-g, --global", "Global scope").option("-p, --project", "Project scope").option("--project-path <path>", "Explicit project path").option("--provider <name>", "Force a specific provider").action(async (key, cmd) => {
+    const opts = buildOpts(cmd);
+    const value = getSecret(key, opts);
+    if (!value) {
+      console.error(c.red(`${SYMBOLS.cross} Secret "${key}" not found`));
+      process.exitCode = 1;
+      return;
+    }
+    const result = await rotateWithProvider(value, cmd.provider);
+    if (result.rotated && result.newValue) {
+      setSecret(key, result.newValue, { ...opts, scope: opts.scope ?? "global" });
+      console.log(`${SYMBOLS.check} ${c.green("Rotated")} ${c.bold(key)} via ${result.provider}`);
+      console.log(c.dim(`  ${result.message}`));
+    } else {
+      console.log(c.yellow(`${SYMBOLS.warning} ${result.message}`));
+    }
+  });
+  program2.command("ci:validate").description("CI-oriented batch validation of all secrets (exit code 1 on failure)").option("-g, --global", "Global scope").option("-p, --project", "Project scope").option("--project-path <path>", "Explicit project path").option("--json", "Output as JSON").action(async (cmd) => {
+    const opts = buildOpts(cmd);
+    const entries = listSecrets(opts);
+    const secrets = entries.map((e) => {
+      const val = getSecret(e.key, { ...opts, scope: e.scope, silent: true });
+      if (!val) return null;
+      const provider = e.envelope?.meta.provider;
+      const validationUrl = e.envelope?.meta.validationUrl;
+      return { key: e.key, value: val, provider, validationUrl };
+    }).filter((s) => s !== null);
+    if (secrets.length === 0) {
+      console.log(c.dim("No secrets to validate"));
+      return;
+    }
+    const report = await ciValidateBatch(secrets);
+    if (cmd.json) {
+      console.log(JSON.stringify(report, null, 2));
+    } else {
+      console.log(c.bold(`
+  CI Secret Validation: ${report.results.length} secrets
+`));
+      for (const r of report.results) {
+        const icon = r.validation.valid ? SYMBOLS.check : SYMBOLS.cross;
+        const color = r.validation.valid ? c.green : c.red;
+        console.log(`  ${icon} ${color(r.key)} [${r.validation.provider}] ${r.validation.message}`);
+        if (r.requiresRotation) console.log(c.dim(`    \u2192 rotation required`));
+      }
+      console.log();
+      if (!report.allValid) {
+        console.log(c.red(`  ${report.failCount} secret(s) failed validation`));
+        process.exitCode = 1;
+      } else {
+        console.log(c.green(`  All secrets valid`));
+      }
+    }
+  });
+  program2.command("policy").description("Show project governance policy summary").option("--json", "Output as JSON").action((cmd) => {
+    const summary = getPolicySummary();
+    if (cmd.json) {
+      console.log(JSON.stringify(summary, null, 2));
+      return;
+    }
+    console.log(c.bold("\n\u2696  Governance Policy\n"));
+    if (!summary.hasMcpPolicy && !summary.hasExecPolicy && !summary.hasSecretPolicy) {
+      console.log(c.dim("  No policy configured in .q-ring.json"));
+      console.log(c.dim('  Add a "policy" section to enable governance controls.\n'));
+      return;
+    }
+    if (summary.hasMcpPolicy) {
+      console.log(c.cyan("  MCP Policy:"));
+      const m = summary.details.mcp;
+      if (m.allowTools) console.log(c.green(`    Allow tools: ${m.allowTools.join(", ")}`));
+      if (m.denyTools) console.log(c.red(`    Deny tools:  ${m.denyTools.join(", ")}`));
+      if (m.readableKeys) console.log(c.green(`    Readable keys: ${m.readableKeys.join(", ")}`));
+      if (m.deniedKeys) console.log(c.red(`    Denied keys:   ${m.deniedKeys.join(", ")}`));
+      if (m.deniedTags) console.log(c.red(`    Denied tags:   ${m.deniedTags.join(", ")}`));
+    }
+    if (summary.hasExecPolicy) {
+      console.log(c.cyan("  Exec Policy:"));
+      const e = summary.details.exec;
+      if (e.allowCommands) console.log(c.green(`    Allow commands:    ${e.allowCommands.join(", ")}`));
+      if (e.denyCommands) console.log(c.red(`    Deny commands:     ${e.denyCommands.join(", ")}`));
+      if (e.maxRuntimeSeconds) console.log(`    Max runtime:       ${e.maxRuntimeSeconds}s`);
+      if (e.allowNetwork !== void 0) console.log(`    Allow network:     ${e.allowNetwork}`);
+    }
+    if (summary.hasSecretPolicy) {
+      console.log(c.cyan("  Secret Lifecycle Policy:"));
+      const s = summary.details.secrets;
+      if (s.requireApprovalForTags) console.log(`    Require approval for tags: ${s.requireApprovalForTags.join(", ")}`);
+      if (s.maxTtlSeconds) console.log(`    Max TTL: ${s.maxTtlSeconds}s`);
+    }
+    console.log();
+  });
   return program2;
 }