@id-wispera/cli 0.1.0

package/README.md

@@ -0,0 +1,250 @@
+# @id-wispera/cli
+
+Command-line interface for ID Wispera - the Identity Whisperer for AI Agents.
+
+## Installation
+
+```bash
+# Install globally
+npm install -g @id-wispera/cli
+
+# Or use npx
+npx @id-wispera/cli --help
+```
+
+## Commands
+
+### Auth
+
+Manage authentication sessions and tokens. The `auth` command group implements the zero-plaintext credential architecture -- passphrases are never stored in environment variables or passed as CLI arguments.
+
+```bash
+# Log in interactively (passphrase is cached in OS keychain)
+idw auth login
+
+# Log out (clears cached key from keychain)
+idw auth logout
+
+# Check current auth status
+idw auth status
+
+# Create a scoped session token (for CI/headless use)
+idw auth token create --name "ci-deploy" --scope read,list --ttl 24h
+
+# List active session tokens
+idw auth token list
+
+# Revoke a session token
+idw auth token revoke <token-id>
+
+# Bootstrap a new vault with admin passport for provisioning
+idw auth bootstrap
+```
+
+| Subcommand | Description |
+|------------|-------------|
+| `login` | Authenticate interactively; derived key is cached in OS keychain |
+| `logout` | Clear cached authentication from keychain |
+| `status` | Show current authentication state (logged in, token, expiry) |
+| `token create` | Create a scoped session token for headless/CI environments |
+| `token list` | List all active session tokens |
+| `token revoke` | Revoke a session token by ID |
+| `bootstrap` | Initialize vault and create an admin passport for provisioning |
+
+### Initialize Vault
+
+```bash
+# Create a new encrypted vault
+idw init
+
+# Initialize with custom path
+idw init --path ~/.my-vault/vault.json
+```
+
+### Create Passport
+
+```bash
+# Interactive creation
+idw create
+
+# Non-interactive (pipe credential value via stdin)
+echo "sk-..." | idw create \
+  --name "OpenAI Production" \
+  --type api-key \
+  --stdin \
+  --visa access \
+  --platform openai \
+  --scope "chat,completions" \
+  --owner "alice@company.com"
+```
+
+> **Breaking change**: The `--value` flag has been removed. Use `--stdin` to pipe credential values, which prevents secrets from appearing in shell history and process listings.
+
+### List Passports
+
+```bash
+# List all passports
+idw list
+
+# Filter by status
+idw list --status active
+
+# Filter by platform
+idw list --platform openai
+
+# Filter by visa type
+idw list --visa privilege
+
+# Search by name
+idw list --search "production"
+```
+
+### Show Passport Details
+
+```bash
+# Show passport by ID
+idw show <passport-id>
+
+# Show with credential value (requires confirmation)
+idw show <passport-id> --reveal
+```
+
+### Revoke Passport
+
+```bash
+# Revoke a passport
+idw revoke <passport-id> --reason "Security concern"
+```
+
+### Share Passport
+
+```bash
+# Create a share link
+idw share <passport-id>
+
+# Share with options
+idw share <passport-id> \
+  --scope read-only \
+  --expires 24h \
+  --max-views 1
+```
+
+### View Audit Log
+
+```bash
+# View all audit entries
+idw audit
+
+# View for specific passport
+idw audit <passport-id>
+
+# Export audit log
+idw audit --export audit.csv
+```
+
+### Scan for Credentials
+
+```bash
+# Scan current directory
+idw scan
+
+# Scan specific path
+idw scan ./config
+
+# Scan with verbose output
+idw scan -v
+
+# Export results
+idw scan --output report.json
+```
+
+### import - Import credentials
+
+```bash
+# From a single file
+idw import .env
+idw import config.json --owner dev@company.com
+
+# Scan a directory and import all detected credentials
+idw import ./project --all --owner dev@company.com -y
+
+# Scan and import only high-confidence detections
+idw import ./project --min-confidence 0.9 --owner dev@company.com
+
+# Import from OpenClaw
+idw import --format openclaw
+```
+
+#### Import Options
+
+| Option | Description |
+|--------|-------------|
+| `--all` | Import all detected credentials from scan |
+| `--min-confidence <level>` | Minimum confidence threshold (0-1) |
+| `--format <format>` | Import format (env, json, openclaw) |
+| `--owner <owner>` | Human owner email |
+| `--auto-name` | Auto-generate passport names |
+| `-y, --yes` | Import without confirmation |
+| `-p, --path <path>` | Custom vault path |
+
+#### What Gets Imported
+
+Each imported passport stores:
+- Source filename in tags (e.g., `file:config-json`)
+- Confidence level tag (`confidence-high`, `confidence-medium`, `confidence-low`)
+- Detection details in notes (file path, line number, confidence score, pattern)
+
+## Configuration
+
+The CLI stores its configuration in `~/.id-wispera/`:
+
+- `vault.json` - Encrypted credential vault
+- `config.json` - CLI configuration
+
+### Environment Variables
+
+| Variable | Description | Notes |
+|----------|-------------|-------|
+| `IDW_SESSION_TOKEN` | Session token for headless/CI authentication | Recommended for non-interactive use |
+| `IDW_VAULT_PATH` | Custom vault location | Defaults to `~/.id-wispera/vault.json` |
+| `IDW_NO_COLOR` | Disable colored output | |
+| `IDW_PASSPHRASE` | Vault passphrase | Also read from `$CWD/.env` or `~/.id-wispera/.env` |
+
+## Examples
+
+### Quick Setup
+
+```bash
+# Initialize, authenticate, and create your first passport
+idw init
+idw auth login
+echo "sk-..." | idw create --name "My API Key" --type api-key --stdin --platform openai --owner "me@company.com"
+idw list
+```
+
+### Security Audit
+
+```bash
+# Scan project for exposed credentials
+idw scan ./project
+
+# Review audit history
+idw audit
+
+# Export compliance report
+idw audit --export compliance-report.csv --format csv
+```
+
+### Credential Rotation
+
+```bash
+# Revoke old credential
+idw revoke <old-passport-id> --reason "Scheduled rotation"
+
+# Create new one
+idw create --name "API Key v2" ...
+```
+
+## License
+
+MIT

package/dist/commands/audit.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Audit command: idw audit [id]
+ */
+import { Command } from 'commander';
+export declare function createAuditCommand(): Command;
+//# sourceMappingURL=audit.d.ts.map

package/dist/commands/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/commands/audit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAWpC,wBAAgB,kBAAkB,IAAI,OAAO,CAqF5C"}

package/dist/commands/audit.js

@@ -0,0 +1,82 @@
+/**
+ * Audit command: idw audit [id]
+ */
+import { Command } from 'commander';
+import ora from 'ora';
+import { getAuditLog, exportAuditLog, } from '@id-wispera/core';
+import { error, displayAuditLog, title, info } from '../utils/display.js';
+import { withUnlockedVault } from '../utils/vault-helpers.js';
+import { writeFile } from 'fs/promises';
+export function createAuditCommand() {
+    const command = new Command('audit')
+        .description('View audit log')
+        .argument('[id]', 'Passport ID (optional, shows all if omitted)')
+        .option('--action <action>', 'Filter by action (created, viewed, shared, modified, revoked, accessed)')
+        .option('--actor <actor>', 'Filter by actor')
+        .option('--since <date>', 'Show entries since date (YYYY-MM-DD)')
+        .option('--until <date>', 'Show entries until date (YYYY-MM-DD)')
+        .option('--limit <count>', 'Maximum entries to show', parseInt)
+        .option('--export <file>', 'Export to file')
+        .option('--format <format>', 'Export format (json, csv)', 'json')
+        .option('--json', 'Output as JSON')
+        .option('-p, --path <path>', 'Custom vault path')
+        .action(async (id, options) => {
+        const vault = await withUnlockedVault(options);
+        // Build filters
+        const filters = {};
+        if (options.action) {
+            filters.action = options.action;
+        }
+        if (options.actor) {
+            filters.actor = options.actor;
+        }
+        if (options.since) {
+            filters.startDate = new Date(options.since).toISOString();
+        }
+        if (options.until) {
+            filters.endDate = new Date(options.until).toISOString();
+        }
+        if (options.limit) {
+            filters.limit = options.limit;
+        }
+        // Get audit log
+        const spinner = ora('Loading audit log...').start();
+        try {
+            const entries = await getAuditLog(vault, id, Object.keys(filters).length > 0 ? filters : undefined);
+            spinner.stop();
+            // Export if requested
+            if (options.export) {
+                const format = options.format === 'csv' ? 'csv' : 'json';
+                const exported = await exportAuditLog(vault, format, filters);
+                await writeFile(options.export, exported, 'utf-8');
+                info(`Audit log exported to ${options.export}`);
+                return;
+            }
+            // JSON output
+            if (options.json) {
+                console.log(JSON.stringify(entries, null, 2));
+                return;
+            }
+            // Display
+            console.log();
+            title(`Audit Log${id ? ` for ${id}` : ''} (${entries.length} entries)`);
+            console.log();
+            if (entries.length === 0) {
+                console.log('No audit entries found.');
+                return;
+            }
+            console.log(displayAuditLog(entries));
+            if (options.limit && entries.length === options.limit) {
+                console.log();
+                info(`Showing ${options.limit} entries. Use --limit to see more.`);
+            }
+        }
+        catch (err) {
+            spinner.fail('Failed to load audit log');
+            error(err instanceof Error ? err.message : 'Unknown error');
+            process.exit(1);
+        }
+    });
+    return command;
+}
+//# sourceMappingURL=audit.js.map

package/dist/commands/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/commands/audit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EACL,WAAW,EACX,cAAc,GACf,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,MAAM,UAAU,kBAAkB;IAChC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC;SACjC,WAAW,CAAC,gBAAgB,CAAC;SAC7B,QAAQ,CAAC,MAAM,EAAE,8CAA8C,CAAC;SAChE,MAAM,CAAC,mBAAmB,EAAE,yEAAyE,CAAC;SACtG,MAAM,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;SAC5C,MAAM,CAAC,gBAAgB,EAAE,sCAAsC,CAAC;SAChE,MAAM,CAAC,gBAAgB,EAAE,sCAAsC,CAAC;SAChE,MAAM,CAAC,iBAAiB,EAAE,yBAAyB,EAAE,QAAQ,CAAC;SAC9D,MAAM,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;SAC3C,MAAM,CAAC,mBAAmB,EAAE,2BAA2B,EAAE,MAAM,CAAC;SAChE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;SAChD,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE;QAC5B,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAE/C,gBAAgB;QAChB,MAAM,OAAO,GAAiB,EAAE,CAAC;QAEjC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAClC,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAChC,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QAC5D,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,OAAO,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1D,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAChC,CAAC;QAED,gBAAgB;QAChB,MAAM,OAAO,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEpD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YACpG,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,sBAAsB;YACtB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;gBACzD,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC9D,MAAM,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;gBACnD,IAAI,CAAC,yBAAyB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;gBAChD,OAAO;YACT,CAAC;YAED,cAAc;YACd,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC9C,OAAO;YACT,CAAC;YAED,UAAU;YACV,OAAO,CAAC,GAAG,EAAE,CAAC;YACd,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,OAAO,CAAC,MAAM,WAAW,CAAC,CAAC;YACxE,OAAO,CAAC,GAAG,EAAE,CAAC;YAEd,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;gBACvC,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;YAEtC,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,MAAM,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;gBACtD,OAAO,CAAC,GAAG,EAAE,CAAC;gBACd,IAAI,CAAC,WAAW,OAAO,CAAC,KAAK,oCAAoC,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACzC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/commands/auth.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Auth command group: idw auth <subcommand>
+ * Manages vault authentication, OS keychain, session tokens, and admin bootstrapping.
+ */
+import { Command } from 'commander';
+export declare function createAuthCommand(): Command;
+//# sourceMappingURL=auth.d.ts.map

package/dist/commands/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/commands/auth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA+UpC,wBAAgB,iBAAiB,IAAI,OAAO,CAW3C"}

package/dist/commands/auth.js

@@ -0,0 +1,310 @@
+/**
+ * Auth command group: idw auth <subcommand>
+ * Manages vault authentication, OS keychain, session tokens, and admin bootstrapping.
+ */
+import { Command } from 'commander';
+import ora from 'ora';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { SessionTokenManager, KeychainProvider, unlockVault, vaultExists, } from '@id-wispera/core';
+import { createAdminPassport } from '@id-wispera/core/provisioning';
+import { promptPassphrase } from '../utils/prompts.js';
+import { error, success, info, warning, title } from '../utils/display.js';
+import { resolveVaultPath, withUnlockedVault } from '../utils/vault-helpers.js';
+// ============================================================================
+// idw auth login
+// ============================================================================
+function createLoginCommand() {
+    return new Command('login')
+        .description('Store vault passphrase in OS keychain')
+        .option('-p, --path <path>', 'Custom vault path')
+        .action(async (options) => {
+        const keychain = new KeychainProvider();
+        const available = await keychain.isAvailable();
+        if (!available) {
+            error('OS keychain is not available on this system.');
+            info('Use session tokens for headless environments: idw auth token create');
+            process.exit(1);
+        }
+        const vaultPath = resolveVaultPath(options);
+        if (!(await vaultExists(vaultPath))) {
+            error('Vault not found. Run `idw init` first.');
+            process.exit(1);
+        }
+        // Prompt for passphrase and verify it unlocks the vault
+        const passphrase = await promptPassphrase('Enter vault passphrase to store in keychain:');
+        const spinner = ora('Verifying passphrase...').start();
+        try {
+            await unlockVault(passphrase, vaultPath);
+            spinner.succeed('Passphrase verified');
+        }
+        catch {
+            spinner.fail('Invalid passphrase');
+            process.exit(1);
+        }
+        const stored = await keychain.store(passphrase);
+        if (stored) {
+            success('Passphrase stored in OS keychain.');
+            info('The vault will now unlock automatically without prompting.');
+        }
+        else {
+            error('Failed to store passphrase in keychain.');
+            process.exit(1);
+        }
+    });
+}
+// ============================================================================
+// idw auth logout
+// ============================================================================
+function createLogoutCommand() {
+    return new Command('logout')
+        .description('Remove vault passphrase from OS keychain')
+        .action(async () => {
+        const keychain = new KeychainProvider();
+        const removed = await keychain.remove();
+        if (removed) {
+            success('Passphrase removed from OS keychain.');
+        }
+        else {
+            info('No passphrase was stored in the keychain (or keychain unavailable).');
+        }
+    });
+}
+// ============================================================================
+// idw auth status
+// ============================================================================
+function createStatusCommand() {
+    return new Command('status')
+        .description('Show current authentication status')
+        .option('-p, --path <path>', 'Custom vault path')
+        .action(async (options) => {
+        console.log();
+        title('Auth Status');
+        console.log();
+        const vaultPath = resolveVaultPath(options);
+        const vaultFound = await vaultExists(vaultPath);
+        console.log(`  Vault:         ${vaultFound ? chalk.green('found') : chalk.red('not found')} (${chalk.dim(vaultPath)})`);
+        // Check keychain
+        const keychain = new KeychainProvider();
+        const keychainAvailable = await keychain.isAvailable();
+        const keychainStored = keychainAvailable ? (await keychain.retrieve()) !== null : false;
+        console.log(`  OS keychain:   ${keychainAvailable ? (keychainStored ? chalk.green('passphrase stored') : chalk.yellow('available, no passphrase')) : chalk.dim('not available')}`);
+        // Check session token env var
+        const token = SessionTokenManager.getTokenFromEnv();
+        console.log(`  Session token: ${token ? chalk.green('IDW_SESSION_TOKEN set') : chalk.dim('not set')}`);
+        // Check IDW_PASSPHRASE env var
+        const envPassphrase = process.env.IDW_PASSPHRASE;
+        if (envPassphrase) {
+            console.log(`  IDW_PASSPHRASE: ${chalk.green('set')}`);
+        }
+        // List session tokens
+        const tokenMgr = new SessionTokenManager();
+        const tokens = await tokenMgr.list();
+        if (tokens.length > 0) {
+            console.log();
+            console.log(`  Session tokens: ${tokens.length}`);
+            for (const t of tokens) {
+                const expired = t.expiresAt && new Date(t.expiresAt) < new Date();
+                const status = expired ? chalk.red('expired') : chalk.green('active');
+                const hash = t.tokenHash.substring(0, 8);
+                console.log(`    ${chalk.dim(hash)}  ${t.label}  ${status}  created ${chalk.dim(t.createdAt)}`);
+            }
+        }
+        console.log();
+    });
+}
+// ============================================================================
+// idw auth token create / list / revoke
+// ============================================================================
+function createTokenCommand() {
+    const token = new Command('token').description('Manage session tokens');
+    token
+        .command('create')
+        .description('Create a new session token for headless / CI environments')
+        .option('-l, --label <label>', 'Label for the token', 'default')
+        .option('-e, --expires <duration>', 'Expiry duration (e.g., 24h, 7d, 30d)')
+        .option('-p, --path <path>', 'Custom vault path')
+        .action(async (options) => {
+        const vaultPath = resolveVaultPath(options);
+        if (!(await vaultExists(vaultPath))) {
+            error('Vault not found. Run `idw init` first.');
+            process.exit(1);
+        }
+        // Prompt for passphrase and verify
+        const passphrase = await promptPassphrase('Enter vault passphrase:');
+        const spinner = ora('Verifying passphrase...').start();
+        try {
+            await unlockVault(passphrase, vaultPath);
+            spinner.succeed('Passphrase verified');
+        }
+        catch {
+            spinner.fail('Invalid passphrase');
+            process.exit(1);
+        }
+        // Parse expiry
+        let expiresInSeconds;
+        if (options.expires) {
+            const match = options.expires.match(/^(\d+)(h|d)$/);
+            if (!match) {
+                error('Invalid expiry format. Use e.g., 24h, 7d, 30d');
+                process.exit(1);
+            }
+            const num = parseInt(match[1], 10);
+            const unit = match[2];
+            expiresInSeconds = unit === 'h' ? num * 3600 : num * 86400;
+        }
+        const tokenMgr = new SessionTokenManager();
+        const tokenValue = await tokenMgr.create(passphrase, {
+            label: options.label,
+            expiresInSeconds,
+        });
+        console.log();
+        success('Session token created.');
+        console.log();
+        console.log(`  ${chalk.bold('Token:')} ${chalk.cyan(tokenValue)}`);
+        console.log();
+        warning('This token is shown once. Store it securely.');
+        console.log();
+        info('Set it as an environment variable in your CI/headless environment:');
+        console.log(`  ${chalk.dim('export IDW_SESSION_TOKEN=')}${chalk.cyan(tokenValue)}`);
+        console.log();
+    });
+    token
+        .command('list')
+        .description('List all session tokens')
+        .action(async () => {
+        const tokenMgr = new SessionTokenManager();
+        const tokens = await tokenMgr.list();
+        if (tokens.length === 0) {
+            info('No session tokens found.');
+            return;
+        }
+        console.log();
+        title('Session Tokens');
+        console.log();
+        for (const t of tokens) {
+            const expired = t.expiresAt && new Date(t.expiresAt) < new Date();
+            const status = expired ? chalk.red('expired') : chalk.green('active');
+            const hash = t.tokenHash.substring(0, 12);
+            console.log(`  ${chalk.cyan(hash)}  ${chalk.bold(t.label)}  ${status}`);
+            console.log(`    Created: ${chalk.dim(t.createdAt)}${t.expiresAt ? `  Expires: ${chalk.dim(t.expiresAt)}` : ''}`);
+            console.log();
+        }
+    });
+    token
+        .command('revoke <hash-prefix>')
+        .description('Revoke a session token by its hash prefix')
+        .action(async (hashPrefix) => {
+        const tokenMgr = new SessionTokenManager();
+        const revoked = await tokenMgr.revoke(hashPrefix);
+        if (revoked) {
+            success(`Token ${hashPrefix}... revoked.`);
+        }
+        else {
+            error(`No token found matching prefix '${hashPrefix}'.`);
+            info("Run 'idw auth token list' to see available tokens.");
+        }
+    });
+    return token;
+}
+// ============================================================================
+// idw auth bootstrap <provider>
+// ============================================================================
+function createBootstrapCommand() {
+    return new Command('bootstrap')
+        .description('Store admin credentials for a provisioning provider')
+        .argument('<provider>', 'Provider name (openai, aws, google-cloud, azure-entra, github, twilio, sendgrid, anthropic)')
+        .option('-p, --path <path>', 'Custom vault path')
+        .action(async (provider, options) => {
+        const validProviders = ['openai', 'aws', 'google-cloud', 'azure-entra', 'github', 'twilio', 'sendgrid', 'anthropic'];
+        if (!validProviders.includes(provider)) {
+            error(`Unknown provider: ${provider}`);
+            info(`Valid providers: ${validProviders.join(', ')}`);
+            process.exit(1);
+        }
+        console.log();
+        title(`Bootstrap: ${provider}`);
+        console.log();
+        info('This will store admin credentials for the provisioning provider in your vault.');
+        info('The credentials will be encrypted at rest and used only during provisioning.');
+        console.log();
+        // Collect auth based on provider type
+        let auth;
+        if (provider === 'aws') {
+            const answers = await inquirer.prompt([
+                { type: 'password', name: 'accessKeyId', message: 'AWS Access Key ID:', mask: '*' },
+                { type: 'password', name: 'secretAccessKey', message: 'AWS Secret Access Key:', mask: '*' },
+                { type: 'input', name: 'region', message: 'AWS Region:', default: 'us-east-1' },
+            ]);
+            auth = { type: 'aws-sigv4', ...answers };
+        }
+        else if (provider === 'azure-entra') {
+            const answers = await inquirer.prompt([
+                { type: 'password', name: 'token', message: 'Azure OAuth2 Token:', mask: '*' },
+                { type: 'input', name: 'tenantId', message: 'Tenant ID:' },
+            ]);
+            auth = { type: 'oauth2', ...answers };
+        }
+        else if (provider === 'github') {
+            const answers = await inquirer.prompt([
+                { type: 'password', name: 'privateKey', message: 'GitHub App Private Key (PEM):', mask: '*' },
+                { type: 'input', name: 'appId', message: 'GitHub App ID:' },
+            ]);
+            auth = { type: 'jwt', ...answers };
+        }
+        else if (provider === 'twilio') {
+            const answers = await inquirer.prompt([
+                { type: 'input', name: 'username', message: 'Twilio Account SID:' },
+                { type: 'password', name: 'password', message: 'Twilio Auth Token:', mask: '*' },
+            ]);
+            auth = { type: 'basic', ...answers };
+        }
+        else {
+            // openai, google-cloud, sendgrid, anthropic — all use api-key
+            const answers = await inquirer.prompt([
+                { type: 'password', name: 'key', message: `${provider} Admin API Key:`, mask: '*' },
+            ]);
+            auth = { type: 'api-key', ...answers };
+        }
+        // Get human owner
+        const { owner } = await inquirer.prompt([
+            {
+                type: 'input',
+                name: 'owner',
+                message: 'Human owner email:',
+                validate: (input) => input.includes('@') || 'Valid email required',
+            },
+        ]);
+        // Unlock vault
+        const vault = await withUnlockedVault(options);
+        // Store admin passport
+        const spinner = ora('Storing admin credentials...').start();
+        try {
+            await createAdminPassport(vault, provider, auth, owner);
+            spinner.succeed('Admin credentials stored');
+        }
+        catch (err) {
+            spinner.fail('Failed to store admin credentials');
+            error(err instanceof Error ? err.message : 'Unknown error');
+            process.exit(1);
+        }
+        console.log();
+        success(`Admin credentials for ${provider} are now stored in the vault.`);
+        info(`Use 'idw auth status' to verify, or provision keys with the provisioning commands.`);
+        console.log();
+    });
+}
+// ============================================================================
+// Root: idw auth
+// ============================================================================
+export function createAuthCommand() {
+    const auth = new Command('auth')
+        .description('Manage vault authentication and provider credentials');
+    auth.addCommand(createLoginCommand());
+    auth.addCommand(createLogoutCommand());
+    auth.addCommand(createStatusCommand());
+    auth.addCommand(createTokenCommand());
+    auth.addCommand(createBootstrapCommand());
+    return auth;
+}
+//# sourceMappingURL=auth.js.map