@openthink/stamp 1.4.0 → 1.5.0

package/dist/index.js

@@ -1373,13 +1373,13 @@ function readLineSync() {
 function runMerge(opts) {
   const repoRoot = findRepoRoot();
   const config2 = loadConfig(stampConfigFile(repoRoot));
-  const currentBranch2 = git(
+  const currentBranch3 = git(
     ["rev-parse", "--abbrev-ref", "HEAD"],
     repoRoot
   ).trim();
-  if (currentBranch2 !== opts.into) {
+  if (currentBranch3 !== opts.into) {
     throw new Error(
-      `must be on target branch "${opts.into}" to merge into it (currently on "${currentBranch2}"). Run \`git checkout ${opts.into}\` first.`
+      `must be on target branch "${opts.into}" to merge into it (currently on "${currentBranch3}"). Run \`git checkout ${opts.into}\` first.`
     );
   }
   const dirty = git(
@@ -3812,60 +3812,109 @@ function resolveMode(userMode, remoteClass) {
   }
 }
 
-// src/commands/provision.ts
-import { spawnSync as spawnSync6 } from "child_process";
-import { existsSync as existsSync11, mkdtempSync, readFileSync as readFileSync8, rmSync, writeFileSync as writeFileSync9 } from "fs";
-import { tmpdir } from "os";
-import { join as join6, resolve as resolvePath } from "path";
-import { parse as parseYaml5 } from "yaml";
-
-// src/commands/server.ts
+// src/commands/invites.ts
 import { spawnSync as spawnSync5 } from "child_process";
-import { existsSync as existsSync10, mkdirSync as mkdirSync4, renameSync as renameSync3, unlinkSync as unlinkSync2, writeFileSync as writeFileSync8 } from "fs";
-import { dirname as dirname4 } from "path";
-import { stringify as stringifyYaml2 } from "yaml";
-
-// src/lib/perRepoKey.ts
-var VALID_OWNER = /^[A-Za-z0-9-]+$/;
-var VALID_REPO = /^[A-Za-z0-9._-]+$/;
-var SSH_CLIENT_KEY_DIR = "/srv/git/.ssh-client-keys";
-function computePerRepoKeyPath(githubRepo) {
-  if (typeof githubRepo !== "string" || githubRepo.length === 0) {
-    throw new Error("computePerRepoKeyPath: githubRepo must be a non-empty string");
+import { request as httpRequest } from "http";
+import { request as httpsRequest } from "https";
+import { existsSync as existsSync10, readFileSync as readFileSync8 } from "fs";
+import { homedir as homedir2, hostname, userInfo } from "os";
+import { join as join6 } from "path";
+import { createInterface as createInterface2 } from "readline/promises";
+
+// src/lib/inviteUrl.ts
+var TOKEN_RE = /^[A-Za-z0-9_-]{20,128}$/;
+var ShareUrlError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ShareUrlError";
   }
-  if (githubRepo.startsWith("-")) {
-    throw new Error(
-      `computePerRepoKeyPath: githubRepo must not start with '-': ${githubRepo}`
-    );
+};
+function parseShareUrl(input, serverFlag) {
+  const trimmed = input.trim();
+  if (trimmed.startsWith("stamp+invite://")) {
+    const remainder = trimmed.slice("stamp+invite://".length);
+    const firstSlash = remainder.indexOf("/");
+    if (firstSlash < 0) {
+      throw new ShareUrlError(`share URL has no token: ${JSON.stringify(input)}`);
+    }
+    const host = remainder.slice(0, firstSlash);
+    let tokenPart = remainder.slice(firstSlash + 1);
+    let insecure = false;
+    const queryIdx = tokenPart.indexOf("?");
+    if (queryIdx >= 0) {
+      const query2 = tokenPart.slice(queryIdx + 1);
+      tokenPart = tokenPart.slice(0, queryIdx);
+      if (query2 === "insecure=1") insecure = true;
+    }
+    if (!TOKEN_RE.test(tokenPart)) {
+      throw new ShareUrlError(
+        `share URL has a malformed token: ${JSON.stringify(tokenPart)}`
+      );
+    }
+    if (host.length === 0) {
+      throw new ShareUrlError(`share URL has no host: ${JSON.stringify(input)}`);
+    }
+    return { host, token: tokenPart, insecure };
   }
-  if (githubRepo.includes("..")) {
-    throw new Error(
-      `computePerRepoKeyPath: githubRepo must not contain '..': ${githubRepo}`
+  if (!TOKEN_RE.test(trimmed)) {
+    throw new ShareUrlError(
+      `expected a stamp+invite:// URL or a bare token (got ${JSON.stringify(input)})`
     );
   }
-  const slashCount = (githubRepo.match(/\//g) ?? []).length;
-  if (slashCount !== 1) {
-    throw new Error(
-      `computePerRepoKeyPath: githubRepo must be exactly <owner>/<repo>: ${githubRepo}`
+  if (!serverFlag) {
+    throw new ShareUrlError(
+      "bare token requires --server <host>:<port> so we know where to POST"
     );
   }
-  const [owner, repo] = githubRepo.split("/");
-  if (!owner || !repo) {
-    throw new Error(
-      `computePerRepoKeyPath: owner and repo halves must both be non-empty: ${githubRepo}`
-    );
+  return { host: serverFlag, token: trimmed, insecure: false };
+}
+
+// src/lib/sshKeys.ts
+import { createHash as createHash5 } from "crypto";
+var ALLOWED_ALGOS = /* @__PURE__ */ new Set([
+  "ssh-ed25519",
+  "ssh-rsa",
+  "ecdsa-sha2-nistp256",
+  "ecdsa-sha2-nistp384",
+  "ecdsa-sha2-nistp521"
+]);
+function parseSshPubkey(line) {
+  const trimmed = line.trim();
+  if (trimmed.length === 0) {
+    throw new Error("ssh pubkey line is empty");
   }
-  if (!VALID_OWNER.test(owner)) {
-    throw new Error(
-      `computePerRepoKeyPath: owner must match [A-Za-z0-9-]+ (got "${owner}" in "${githubRepo}")`
-    );
+  if (trimmed.startsWith("#")) {
+    throw new Error("ssh pubkey line is a comment");
   }
-  if (!VALID_REPO.test(repo)) {
+  const parts = trimmed.split(/\s+/);
+  if (parts.length < 2) {
     throw new Error(
-      `computePerRepoKeyPath: repo must match [A-Za-z0-9._-]+ (got "${repo}" in "${githubRepo}")`
+      "ssh pubkey line must have at least <algorithm> <base64> tokens"
     );
   }
-  return `${SSH_CLIENT_KEY_DIR}/${owner}_${repo}_ed25519`;
+  const [algorithm, b64, ...rest] = parts;
+  if (!ALLOWED_ALGOS.has(algorithm)) {
+    throw new Error(`unsupported ssh pubkey algorithm: ${algorithm}`);
+  }
+  const keyBlob = Buffer.from(b64, "base64");
+  if (keyBlob.length === 0) {
+    throw new Error("ssh pubkey base64 blob is empty");
+  }
+  if (keyBlob.toString("base64").replace(/=+$/, "") !== b64.replace(/=+$/, "")) {
+    throw new Error("ssh pubkey base64 blob has trailing junk");
+  }
+  return {
+    algorithm,
+    keyBlob,
+    comment: rest.join(" "),
+    full: trimmed,
+    fingerprint: sshFingerprintFromBlob(keyBlob)
+  };
+}
+function sshFingerprintFromBlob(keyBlob) {
+  const hash = createHash5("sha256").update(keyBlob).digest();
+  const b64 = hash.toString("base64").replace(/=+$/, "");
+  return `SHA256:${b64}`;
 }
 
 // src/commands/serverRepo.ts
@@ -4046,12 +4095,301 @@ function validateGithubRepoSpec(spec) {
 }
 function prompt(question) {
   const rl = createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     rl.question(question, (answer) => {
       rl.close();
-      resolve2(answer);
+      resolve3(answer);
+    });
+  });
+}
+
+// src/commands/invites.ts
+var MINT_EXIT = {
+  CONFIG: 1,
+  USAGE: 2,
+  ROLE_FORBIDDEN: 3,
+  NAME_TAKEN: 4
+};
+function runInvitesMint(opts) {
+  const server2 = loadServerConfig();
+  if (!server2) {
+    throw new UsageError(
+      "no ~/.stamp/server.yml \u2014 run `stamp server config <host>:<port>` first (or `stamp provision` to set up a new server)"
+    );
+  }
+  const result = spawnSync5(
+    "ssh",
+    [
+      "-p",
+      String(server2.port),
+      "--",
+      `${server2.user}@${server2.host}`,
+      "stamp-mint-invite",
+      opts.shortName,
+      "--role",
+      opts.role
+    ],
+    {
+      // Capture stdout (the share URL) for clean re-emit; let stderr
+      // flow through to the operator's terminal verbatim — the
+      // server-side wrapper writes its prose there.
+      stdio: ["ignore", "pipe", "inherit"],
+      encoding: "utf8"
+    }
+  );
+  if (result.status === 0) {
+    const shareUrl = result.stdout.trim();
+    if (!shareUrl.startsWith("stamp+invite://")) {
+      throw new Error(
+        `unexpected server output (no stamp+invite:// URL on stdout). Got: ${JSON.stringify(shareUrl.slice(0, 120))}`
+      );
+    }
+    process.stdout.write(shareUrl + "\n");
+    return;
+  }
+  switch (result.status) {
+    case MINT_EXIT.ROLE_FORBIDDEN:
+      throw new UsageError(
+        `your account on ${server2.host} doesn't permit minting invites (role must be admin or owner). Ask an admin to mint the invite for you, or to promote your account.`
+      );
+    case MINT_EXIT.NAME_TAKEN:
+      throw new UsageError(
+        `short_name ${JSON.stringify(opts.shortName)} is already in use on ${server2.host}. Pick a different name.`
+      );
+    case MINT_EXIT.USAGE:
+      throw new UsageError(
+        `server rejected the mint request (usage error). Verify the short_name is alphanumerics + . _ - (max 63 chars) and --role is 'admin' or 'member'.`
+      );
+    case MINT_EXIT.CONFIG:
+      throw new Error(
+        `server-side configuration error against ${server2.host}. The server may be missing STAMP_PUBLIC_URL or 'ExposeAuthInfo yes' in sshd_config. See server-side log for specifics.`
+      );
+    default:
+      throw new Error(
+        `mint failed against ${server2.user}@${server2.host}:${server2.port} (exit ${result.status}). Common causes: server unreachable, your SSH key isn't enrolled, or the server image is older than the invite-mint feature \u2014 redeploy if so.`
+      );
+  }
+}
+function defaultSshPubkeyPath() {
+  return join6(homedir2(), ".ssh", "id_ed25519.pub");
+}
+function defaultStampPubkeyPath() {
+  return join6(homedir2(), ".stamp", "keys", "ed25519.pub");
+}
+function defaultShortName() {
+  const u = userInfo().username || "user";
+  const h = hostname().split(".")[0] || "host";
+  return `${u}-${h}`.toLowerCase().replace(/[^a-z0-9._-]/g, "-").replace(/^-+|-+$/g, "").slice(0, 63);
+}
+function loadSshPubkey(path2) {
+  if (!existsSync10(path2)) {
+    throw new UsageError(
+      `SSH pubkey not found at ${path2}. Generate one with \`ssh-keygen -t ed25519\` or pass --ssh-pubkey <path>.`
+    );
+  }
+  const raw = readFileSync8(path2, "utf8");
+  const parsed = parseSshPubkey(raw);
+  return { path: path2, full: parsed.full, fingerprint: parsed.fingerprint };
+}
+function loadStampPubkey(path2) {
+  if (!existsSync10(path2)) return null;
+  const pem = readFileSync8(path2, "utf8");
+  try {
+    const fp = fingerprintFromPem(pem);
+    return { path: path2, pem, fingerprint: fp };
+  } catch (e) {
+    throw new UsageError(
+      `stamp signing pubkey at ${path2} is malformed: ${e.message}`
+    );
+  }
+}
+async function postAccept(target, body) {
+  const payload = Buffer.from(JSON.stringify(body), "utf8");
+  const requestFn = target.insecure ? httpRequest : httpsRequest;
+  return new Promise((resolve3, reject) => {
+    const req = requestFn(
+      `${target.insecure ? "http" : "https"}://${target.host}/invite/accept`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json; charset=utf-8",
+          "Content-Length": payload.length.toString(),
+          Accept: "application/json"
+        }
+      },
+      (res) => {
+        const chunks = [];
+        res.on("data", (c) => chunks.push(c));
+        res.on("end", () => {
+          const text = Buffer.concat(chunks).toString("utf8");
+          let parsed;
+          try {
+            parsed = JSON.parse(text);
+          } catch {
+            parsed = { raw: text };
+          }
+          resolve3({ status: res.statusCode ?? 0, body: parsed });
+        });
+      }
+    );
+    req.on("error", reject);
+    req.write(payload);
+    req.end();
+  });
+}
+function nextStepForError(error, opts) {
+  switch (error) {
+    case "invite_not_found":
+      return "the token doesn't match any pending invite. Ask the inviter to mint a fresh one.";
+    case "invite_expired":
+      return "the invite expired (15-minute TTL). Ask the inviter to mint a fresh one.";
+    case "invite_already_consumed":
+      return "the invite has already been redeemed. Ask the inviter to mint a fresh one.";
+    case "ssh_pubkey_already_registered":
+      return "your SSH public key is already enrolled on this server. Try `git push` / `stamp` directly \u2014 you may already have access. If not, ask an admin to look up the existing account.";
+    case "short_name_taken":
+      return `pass --short-name <other-name> (current attempt: ${JSON.stringify(opts.shortName ?? defaultShortName())}).`;
+    case "short_name_malformed":
+      return "pass --short-name with alphanumerics + . _ - (must start with alnum, max 63 chars).";
+    case "ssh_pubkey_required":
+    case "token_required":
+      return "this is a client bug \u2014 file an issue at https://github.com/OpenThinkAi/stamp-cli/issues with the command you ran.";
+    case "content_type_must_be_application_json":
+    case "body_too_large":
+    case "body_not_json":
+    case "body_read_failed":
+      return "this is a client bug \u2014 file an issue at https://github.com/OpenThinkAi/stamp-cli/issues with the command you ran.";
+    default:
+      if (error.startsWith("ssh_pubkey_invalid")) {
+        return "the SSH pubkey is malformed. Verify ~/.ssh/id_ed25519.pub or pass --ssh-pubkey <path>.";
+      }
+      return "see the server error code above for context.";
+  }
+}
+async function runInvitesAccept(opts) {
+  let target;
+  try {
+    target = parseShareUrl(opts.urlOrToken, opts.server);
+  } catch (e) {
+    if (e instanceof ShareUrlError) throw new UsageError(e.message);
+    throw e;
+  }
+  const sshPath = opts.sshPubkeyPath ?? defaultSshPubkeyPath();
+  const ssh = loadSshPubkey(sshPath);
+  const stampPath = opts.stampPubkeyPath ?? defaultStampPubkeyPath();
+  const stamp = loadStampPubkey(stampPath);
+  const shortName = opts.shortName ?? defaultShortName();
+  const isInteractive = process.stdin.isTTY === true;
+  let confirmed = opts.yes === true;
+  if (!confirmed) {
+    if (!isInteractive) {
+      throw new UsageError(
+        "non-interactive stdin: pass --yes to skip confirmation (after supplying any overrides via --ssh-pubkey / --stamp-pubkey / --short-name)"
+      );
+    }
+    const rl = createInterface2({
+      input: process.stdin,
+      output: process.stdout
     });
+    try {
+      process.stdout.write(
+        `Accepting invite at ${target.insecure ? "http" : "https"}://${target.host}
+
+  ssh pubkey:     ${ssh.path}
+                  ${ssh.fingerprint}
+` + (stamp ? `  stamp pubkey:   ${stamp.path}
+                  ${stamp.fingerprint}
+` : `  stamp pubkey:   (none detected at ${stampPath} \u2014 okay; trust grants need it later)
+`) + `  short_name:     ${shortName}
+
+`
+      );
+      const answer = (await rl.question("Send these to the server? [Y/n] ")).trim().toLowerCase();
+      if (answer === "" || answer === "y" || answer === "yes") {
+        confirmed = true;
+      } else {
+        process.stdout.write("aborted.\n");
+        return;
+      }
+    } finally {
+      rl.close();
+    }
+  }
+  const response = await postAccept(target, {
+    token: target.token,
+    ssh_pubkey: ssh.full,
+    stamp_pubkey: stamp?.pem ?? null,
+    short_name: shortName
   });
+  const body = response.body;
+  if (response.status === 200 && body.ok) {
+    process.stdout.write(
+      `\u2713 enrolled as ${body.role} (user_id=${body.user_id}). You can now \`git push\` and \`stamp\` against ${target.host}.
+`
+    );
+    return;
+  }
+  const errorText = body.error ?? `http_${response.status}`;
+  const nextStep = nextStepForError(errorText, opts);
+  throw new Error(
+    `accept-invite failed: ${errorText} (status ${response.status}). ${nextStep}`
+  );
+}
+
+// src/commands/provision.ts
+import { spawnSync as spawnSync7 } from "child_process";
+import { existsSync as existsSync12, mkdtempSync, readFileSync as readFileSync9, rmSync, writeFileSync as writeFileSync9 } from "fs";
+import { tmpdir } from "os";
+import { join as join7, resolve as resolvePath } from "path";
+import { parse as parseYaml5 } from "yaml";
+
+// src/commands/server.ts
+import { spawnSync as spawnSync6 } from "child_process";
+import { existsSync as existsSync11, mkdirSync as mkdirSync4, renameSync as renameSync3, unlinkSync as unlinkSync2, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname4 } from "path";
+import { stringify as stringifyYaml2 } from "yaml";
+
+// src/lib/perRepoKey.ts
+var VALID_OWNER = /^[A-Za-z0-9-]+$/;
+var VALID_REPO = /^[A-Za-z0-9._-]+$/;
+var SSH_CLIENT_KEY_DIR = "/srv/git/.ssh-client-keys";
+function computePerRepoKeyPath(githubRepo) {
+  if (typeof githubRepo !== "string" || githubRepo.length === 0) {
+    throw new Error("computePerRepoKeyPath: githubRepo must be a non-empty string");
+  }
+  if (githubRepo.startsWith("-")) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must not start with '-': ${githubRepo}`
+    );
+  }
+  if (githubRepo.includes("..")) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must not contain '..': ${githubRepo}`
+    );
+  }
+  const slashCount = (githubRepo.match(/\//g) ?? []).length;
+  if (slashCount !== 1) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must be exactly <owner>/<repo>: ${githubRepo}`
+    );
+  }
+  const [owner, repo] = githubRepo.split("/");
+  if (!owner || !repo) {
+    throw new Error(
+      `computePerRepoKeyPath: owner and repo halves must both be non-empty: ${githubRepo}`
+    );
+  }
+  if (!VALID_OWNER.test(owner)) {
+    throw new Error(
+      `computePerRepoKeyPath: owner must match [A-Za-z0-9-]+ (got "${owner}" in "${githubRepo}")`
+    );
+  }
+  if (!VALID_REPO.test(repo)) {
+    throw new Error(
+      `computePerRepoKeyPath: repo must match [A-Za-z0-9._-]+ (got "${repo}" in "${githubRepo}")`
+    );
+  }
+  return `${SSH_CLIENT_KEY_DIR}/${owner}_${repo}_ed25519`;
 }
 
 // src/commands/server.ts
@@ -4084,7 +4422,7 @@ function runServerConfig(opts) {
 }
 function showConfig() {
   const path2 = userServerConfigPath();
-  if (!existsSync10(path2)) {
+  if (!existsSync11(path2)) {
     console.log(`note: no stamp server configured (${path2} does not exist)`);
     console.log(`note: run \`stamp server config <host:port>\` to create one`);
     return;
@@ -4102,7 +4440,7 @@ function showConfig() {
 }
 function unsetConfig() {
   const path2 = userServerConfigPath();
-  if (!existsSync10(path2)) {
+  if (!existsSync11(path2)) {
     console.log(`note: ${path2} does not exist; nothing to remove`);
     return;
   }
@@ -4110,7 +4448,7 @@ function unsetConfig() {
   console.log(`removed ${path2}`);
 }
 function fetchServerPubkey(server2, mirror) {
-  const sshArgs = [
+  const sshArgs2 = [
     "-p",
     String(server2.port),
     "--",
@@ -4118,9 +4456,9 @@ function fetchServerPubkey(server2, mirror) {
     "stamp-server-pubkey"
   ];
   if (mirror) {
-    sshArgs.push(`${mirror.owner}/${mirror.repo}`);
+    sshArgs2.push(`${mirror.owner}/${mirror.repo}`);
   }
-  const result = spawnSync5("ssh", sshArgs, {
+  const result = spawnSync6("ssh", sshArgs2, {
     stdio: ["ignore", "pipe", "inherit"],
     encoding: "utf8"
   });
@@ -4168,7 +4506,7 @@ function writeConfig(opts) {
   });
   const path2 = userServerConfigPath();
   const dir = dirname4(path2);
-  if (!existsSync10(dir)) mkdirSync4(dir, { recursive: true, mode: 448 });
+  if (!existsSync11(dir)) mkdirSync4(dir, { recursive: true, mode: 448 });
   const tmp = `${path2}.tmp.${process.pid}`;
   writeFileSync8(tmp, yaml, { mode: 384 });
   renameSync3(tmp, path2);
@@ -4230,7 +4568,7 @@ See docs/quickstart-server.md for how to deploy a stamp server first.`
     return;
   }
   const cloneTarget = resolvePath(opts.into ?? opts.name);
-  if (existsSync11(cloneTarget)) {
+  if (existsSync12(cloneTarget)) {
     throw new Error(
       `clone destination already exists: ${cloneTarget}. Move or remove it, or pass --into <other-path>.`
     );
@@ -4307,7 +4645,7 @@ function printPlan2(args) {
   console.log(bar);
 }
 function provisionBareRepoOnServer(server2, name) {
-  const result = spawnSync6(
+  const result = spawnSync7(
     "ssh",
     [
       "-p",
@@ -4333,7 +4671,7 @@ function createGithubMirrorRepo(owner, repo, privateRepo) {
     );
   }
   const visibility = privateRepo ? "--private" : "--public";
-  const result = spawnSync6(
+  const result = spawnSync7(
     "gh",
     ["repo", "create", `${owner}/${repo}`, visibility],
     { stdio: ["ignore", "inherit", "inherit"] }
@@ -4480,9 +4818,9 @@ async function runMigrateExisting(opts, server2) {
     console.log("\n(dry run \u2014 no changes made)");
     return;
   }
-  const stagingDir = mkdtempSync(join6(tmpdir(), "stamp-migrate-"));
-  const bareCloneDir = join6(stagingDir, `${opts.name}.git`);
-  const tarballPath = join6(stagingDir, `${opts.name}.tar.gz`);
+  const stagingDir = mkdtempSync(join7(tmpdir(), "stamp-migrate-"));
+  const bareCloneDir = join7(stagingDir, `${opts.name}.git`);
+  const tarballPath = join7(stagingDir, `${opts.name}.tar.gz`);
   try {
     console.log(`
 Building bare-clone tarball of existing repo`);
@@ -4518,9 +4856,9 @@ function ensureCwdIsGitRepo(cwd) {
   }
 }
 function ensureStampInitDone(cwd) {
-  if (!existsSync11(join6(cwd, ".stamp", "config.yml"))) {
+  if (!existsSync12(join7(cwd, ".stamp", "config.yml"))) {
     throw new Error(
-      `--migrate-existing expects this repo to already be stamp-init'd (${join6(cwd, ".stamp/config.yml")} not found). Run \`stamp init --mode local-only\` first, calibrate your reviewers, then re-run with --migrate-existing.`
+      `--migrate-existing expects this repo to already be stamp-init'd (${join7(cwd, ".stamp/config.yml")} not found). Run \`stamp init --mode local-only\` first, calibrate your reviewers, then re-run with --migrate-existing.`
     );
   }
 }
@@ -4550,7 +4888,7 @@ function ensureWorkingTreeClean(cwd) {
   }
 }
 function runTarGz(parentDir, dirName, outputPath) {
-  const result = spawnSync6("tar", ["-czf", outputPath, "-C", parentDir, dirName], {
+  const result = spawnSync7("tar", ["-czf", outputPath, "-C", parentDir, dirName], {
     stdio: ["ignore", "inherit", "inherit"]
   });
   if (result.status !== 0) {
@@ -4560,7 +4898,7 @@ function runTarGz(parentDir, dirName, outputPath) {
   }
 }
 function scpToServer(server2, localPath, remotePath) {
-  const result = spawnSync6(
+  const result = spawnSync7(
     "scp",
     [
       "-P",
@@ -4578,7 +4916,7 @@ function scpToServer(server2, localPath, remotePath) {
   }
 }
 function sshRunNewStampRepoFromTarball(server2, name, remoteTarballPath) {
-  const result = spawnSync6(
+  const result = spawnSync7(
     "ssh",
     [
       "-p",
@@ -4645,15 +4983,15 @@ mirror.yml was added to .stamp/. Commit it through the normal stamp flow:`);
   }
 }
 function readMirrorYmlGithubRepo(repoRoot) {
-  const path2 = join6(repoRoot, ".stamp", "mirror.yml");
-  if (!existsSync11(path2)) {
+  const path2 = join7(repoRoot, ".stamp", "mirror.yml");
+  if (!existsSync12(path2)) {
     throw new Error(
       `${path2} not found \u2014 --migrate-bypass operates on an already-server-gated repo, but this cwd has no .stamp/mirror.yml. If the repo is not yet server-gated, provision it first with \`stamp provision --migrate-existing\`.`
     );
   }
   let raw;
   try {
-    raw = readFileSync8(path2, "utf8");
+    raw = readFileSync9(path2, "utf8");
   } catch (err) {
     throw new Error(
       `could not read ${path2}: ${err instanceof Error ? err.message : String(err)}`
@@ -4884,9 +5222,366 @@ Direct \`git push origin main\` from any non-stamp source will be rejected.`
   }
 }
 
+// src/commands/trust.ts
+import { spawnSync as spawnSync8 } from "child_process";
+import {
+  createPublicKey,
+  createHash as createHash6
+} from "crypto";
+import {
+  existsSync as existsSync13,
+  readdirSync as readdirSync2,
+  readFileSync as readFileSync10,
+  writeFileSync as writeFileSync10
+} from "fs";
+import { join as join8, resolve } from "path";
+var USERS_EXIT = {
+  OK: 0,
+  CONFIG: 1,
+  USAGE: 2,
+  AUTHORITY: 3,
+  NOT_FOUND: 4
+};
+var SHORT_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$/;
+function resolveServer2() {
+  const server2 = loadServerConfig();
+  if (!server2) {
+    throw new UsageError(
+      "no ~/.stamp/server.yml \u2014 run `stamp server config <host>:<port>` first"
+    );
+  }
+  return server2;
+}
+function fetchStampPubkey(server2, shortName) {
+  const result = spawnSync8(
+    "ssh",
+    [
+      "-p",
+      String(server2.port),
+      "--",
+      `${server2.user}@${server2.host}`,
+      "stamp-users",
+      "get-stamp-pubkey",
+      shortName
+    ],
+    { stdio: ["ignore", "pipe", "inherit"], encoding: "utf8" }
+  );
+  if (result.status === 0) {
+    return result.stdout;
+  }
+  if (result.status === USERS_EXIT.NOT_FOUND) {
+    throw new UsageError(
+      `${server2.host}: user ${JSON.stringify(shortName)} is either not enrolled or has no stamp signing pubkey on file. Run \`stamp users list\` to confirm enrollment; ask the user to re-run \`stamp invites accept --stamp-pubkey <path>\` if their signing key was missing at invite time.`
+    );
+  }
+  if (result.status === USERS_EXIT.CONFIG) {
+    throw new Error(
+      `server-side identity binding failed against ${server2.host}. Your SSH key may not be enrolled in the membership DB yet, or the server is missing 'ExposeAuthInfo yes' in sshd_config.`
+    );
+  }
+  throw new Error(
+    `fetching stamp_pubkey for ${JSON.stringify(shortName)} from ${server2.user}@${server2.host}:${server2.port} failed (exit ${result.status}). Common causes: server unreachable, your SSH key isn't enrolled, or the server image predates the get-stamp-pubkey subcommand.`
+  );
+}
+function fingerprintFromPem2(pem) {
+  const pub = createPublicKey(pem);
+  const raw = pub.export({ type: "spki", format: "der" });
+  return `sha256:${createHash6("sha256").update(raw).digest("hex")}`;
+}
+function findExistingTrustedKey(repoRoot, fingerprint) {
+  const dir = stampTrustedKeysDir(repoRoot);
+  if (!existsSync13(dir)) return null;
+  for (const f of readdirSync2(dir)) {
+    if (!f.endsWith(".pub")) continue;
+    const fullPath = join8(dir, f);
+    let pem;
+    try {
+      pem = readFileSync10(fullPath, "utf8");
+    } catch {
+      continue;
+    }
+    try {
+      if (fingerprintFromPem2(pem) === fingerprint) return f;
+    } catch {
+    }
+  }
+  return null;
+}
+function runGit2(args, cwd) {
+  const result = spawnSync8("git", args, {
+    cwd,
+    stdio: ["ignore", "pipe", "pipe"],
+    encoding: "utf8"
+  });
+  if (result.status !== 0) {
+    throw new Error(
+      `git ${args.join(" ")} failed (exit ${result.status}):
+${result.stderr ?? ""}`.trim()
+    );
+  }
+  return result.stdout ?? "";
+}
+function workingTreeClean(repoRoot) {
+  const result = spawnSync8("git", ["status", "--porcelain"], {
+    cwd: repoRoot,
+    stdio: ["ignore", "pipe", "inherit"],
+    encoding: "utf8"
+  });
+  if (result.status !== 0) return false;
+  return (result.stdout ?? "").trim().length === 0;
+}
+function branchExists2(repoRoot, branch) {
+  const result = spawnSync8(
+    "git",
+    ["show-ref", "--verify", "--quiet", `refs/heads/${branch}`],
+    { cwd: repoRoot, stdio: "ignore" }
+  );
+  return result.status === 0;
+}
+function currentBranch2(repoRoot) {
+  return runGit2(["rev-parse", "--abbrev-ref", "HEAD"], repoRoot).trim();
+}
+function runTrustGrant(opts) {
+  if (!SHORT_NAME_RE.test(opts.shortName)) {
+    throw new UsageError(
+      `short-name ${JSON.stringify(opts.shortName)} has an invalid shape (allowed: alphanumerics + . _ -, must start with alnum, max 63 chars).`
+    );
+  }
+  const repoRoot = resolve(opts.repoPath ?? process.cwd());
+  if (!existsSync13(join8(repoRoot, ".git"))) {
+    throw new UsageError(`${repoRoot} is not a git repository`);
+  }
+  if (!existsSync13(stampConfigDir(repoRoot))) {
+    throw new UsageError(
+      `${repoRoot} has no .stamp/ directory \u2014 run \`stamp init\` first or pass --repo <path> pointing at a stamp-gated repo`
+    );
+  }
+  if (!opts.forceDirty && !workingTreeClean(repoRoot)) {
+    throw new UsageError(
+      `${repoRoot} has uncommitted changes. Commit or stash them first, then re-run. (Use --force-dirty to override, but the resulting branch will include unrelated changes.)`
+    );
+  }
+  const branch = `stamp-trust/${opts.shortName}`;
+  if (branchExists2(repoRoot, branch)) {
+    throw new UsageError(
+      `branch ${branch} already exists. Delete it (\`git branch -D ${branch}\`) or finish the in-flight grant by switching to it and pushing/merging.`
+    );
+  }
+  const server2 = resolveServer2();
+  const pemRaw = fetchStampPubkey(server2, opts.shortName);
+  const pem = pemRaw.trim() + "\n";
+  let fingerprint;
+  try {
+    fingerprint = fingerprintFromPem2(pem);
+  } catch (e) {
+    throw new Error(
+      `server returned an invalid PEM for ${opts.shortName}: ${e.message}. This is almost always a server-side issue (corrupted membership DB, or a future server version emitting a key format this client can't parse). Contact the server admin with the PEM body.`
+    );
+  }
+  const existingFile = findExistingTrustedKey(repoRoot, fingerprint);
+  if (existingFile) {
+    process.stdout.write(
+      `note: repo already trusts ${opts.shortName}'s stamp signing key (matching .stamp/trusted-keys/${existingFile}). No changes.
+`
+    );
+    return;
+  }
+  const startingBranch = currentBranch2(repoRoot);
+  runGit2(["checkout", "-b", branch], repoRoot);
+  const keysDir = stampTrustedKeysDir(repoRoot);
+  ensureDir(keysDir, 493);
+  const keyFile = join8(keysDir, `${opts.shortName}.pub`);
+  writeFileSync10(keyFile, pem, { mode: 420 });
+  runGit2(["add", keyFile], repoRoot);
+  runGit2(
+    [
+      "commit",
+      "-m",
+      `Trust grant: add ${opts.shortName} to .stamp/trusted-keys/
+
+Stages ${opts.shortName}'s stamp signing pubkey (fingerprint ${fingerprint}) so their stamp-signed merges into protected branches verify against this repo's trust set.
+
+Source: stamp trust grant ${opts.shortName} (server ${server2.host})`
+    ],
+    repoRoot
+  );
+  process.stdout.write(
+    `\u2713 staged trust-grant for ${opts.shortName} on branch ${branch}
+  trusted-keys file: ${keyFile}
+  fingerprint:       ${fingerprint}
+  started from:      ${startingBranch}
+
+Next steps:
+  stamp review --diff ${startingBranch}..${branch}
+  git checkout ${startingBranch}
+  stamp merge ${branch} --into ${startingBranch}
+  stamp push ${startingBranch}
+`
+  );
+}
+
+// src/commands/users.ts
+import { spawnSync as spawnSync9 } from "child_process";
+var EXIT = {
+  OK: 0,
+  CONFIG: 1,
+  USAGE: 2,
+  AUTHORITY: 3,
+  NOT_FOUND: 4,
+  LAST_OWNER: 5,
+  CANNOT_REMOVE_SELF: 6
+};
+function resolveServer3() {
+  const server2 = loadServerConfig();
+  if (!server2) {
+    throw new UsageError(
+      "no ~/.stamp/server.yml \u2014 run `stamp server config <host>:<port>` first"
+    );
+  }
+  return server2;
+}
+function sshArgs(server2, remoteArgs) {
+  return [
+    "-p",
+    String(server2.port),
+    "--",
+    `${server2.user}@${server2.host}`,
+    "stamp-users",
+    ...remoteArgs
+  ];
+}
+function callRemote(server2, remoteArgs) {
+  const result = spawnSync9("ssh", sshArgs(server2, remoteArgs), {
+    // Stdout is always piped: `list` needs it for JSON parsing; write
+    // ops don't emit on stdout so an empty pipe is harmless. Stderr is
+    // always inherited so server-side `note:` confirmations and
+    // `error:` prose land in the operator's terminal verbatim.
+    stdio: ["ignore", "pipe", "inherit"],
+    encoding: "utf8"
+  });
+  return { status: result.status, stdout: result.stdout ?? "" };
+}
+function explainExit(status, context, details) {
+  switch (status) {
+    case EXIT.AUTHORITY:
+      return new UsageError(
+        `${context}: your role on ${details.server.host} doesn't permit this action. Owners may manage any user; admins may manage members only (and may self-promote to owner if no owners exist yet \u2014 the bootstrap path). Ask an existing owner to perform this action.`
+      );
+    case EXIT.NOT_FOUND:
+      return new UsageError(
+        `${context}: short_name ${JSON.stringify(details.shortName ?? "?")} isn't in the membership DB on ${details.server.host}. Run \`stamp users list\` to see who's enrolled.`
+      );
+    case EXIT.LAST_OWNER:
+      return new UsageError(
+        `${context}: this would leave the server with zero owners. Promote another user to owner first (\`stamp users promote <name> --to owner\`).`
+      );
+    case EXIT.CANNOT_REMOVE_SELF:
+      return new UsageError(
+        `${context}: you can't remove your own account. Ask another admin or owner to do it \u2014 prevents accidentally locking yourself out.`
+      );
+    case EXIT.USAGE:
+      return new UsageError(
+        `${context}: server rejected the request as a usage error. Double-check the short_name (alphanumerics + . _ -, must start with alnum, max 63 chars) and --to value.`
+      );
+    case EXIT.CONFIG:
+      return new Error(
+        `${context}: server-side configuration error on ${details.server.host}. Most likely your account isn't in the membership DB yet, or the server is missing 'ExposeAuthInfo yes' in sshd_config. See server logs for specifics.`
+      );
+    default:
+      return new Error(
+        `${context}: failed against ${details.server.user}@${details.server.host}:${details.server.port} (exit ${status}). Common causes: server unreachable, your SSH key isn't enrolled, or the server image is older than the user-management feature.`
+      );
+  }
+}
+function pad(s, width) {
+  return s.length >= width ? s : s + " ".repeat(width - s.length);
+}
+function formatUsersTable(rows) {
+  if (rows.length === 0) return "(no users)\n";
+  const widths = {
+    short_name: Math.max(10, ...rows.map((r) => r.short_name.length)),
+    role: Math.max(6, ...rows.map((r) => r.role.length)),
+    source: Math.max(6, ...rows.map((r) => r.source.length))
+  };
+  const out = [];
+  out.push(
+    pad("short_name", widths.short_name) + "  " + pad("role", widths.role) + "  " + pad("source", widths.source) + "  ssh_fp"
+  );
+  out.push(
+    pad("-".repeat(widths.short_name), widths.short_name) + "  " + pad("-".repeat(widths.role), widths.role) + "  " + pad("-".repeat(widths.source), widths.source) + "  " + "-".repeat(20)
+  );
+  for (const r of rows) {
+    out.push(
+      pad(r.short_name, widths.short_name) + "  " + pad(r.role, widths.role) + "  " + pad(r.source, widths.source) + "  " + r.ssh_fp
+    );
+  }
+  return out.join("\n") + "\n";
+}
+function runUsersList(opts) {
+  const server2 = resolveServer3();
+  const result = callRemote(server2, ["list"]);
+  if (result.status !== 0) {
+    throw explainExit(result.status, "stamp users list", { server: server2 });
+  }
+  if (opts.json) {
+    process.stdout.write(result.stdout);
+    return;
+  }
+  let payload;
+  try {
+    payload = JSON.parse(result.stdout);
+  } catch (e) {
+    throw new Error(
+      `server returned non-JSON output: ${e.message}. Raw: ${JSON.stringify(result.stdout.slice(0, 200))}`
+    );
+  }
+  const rows = payload.users ?? [];
+  process.stdout.write(formatUsersTable(rows));
+}
+function runUsersPromote(opts) {
+  const server2 = resolveServer3();
+  const result = callRemote(server2, [
+    "promote",
+    opts.shortName,
+    "--to",
+    opts.to
+  ]);
+  if (result.status !== 0) {
+    throw explainExit(result.status, `stamp users promote ${opts.shortName}`, {
+      server: server2,
+      shortName: opts.shortName
+    });
+  }
+}
+function runUsersDemote(opts) {
+  const server2 = resolveServer3();
+  const result = callRemote(server2, [
+    "demote",
+    opts.shortName,
+    "--to",
+    opts.to
+  ]);
+  if (result.status !== 0) {
+    throw explainExit(result.status, `stamp users demote ${opts.shortName}`, {
+      server: server2,
+      shortName: opts.shortName
+    });
+  }
+}
+function runUsersRemove(opts) {
+  const server2 = resolveServer3();
+  const result = callRemote(server2, ["remove", opts.shortName]);
+  if (result.status !== 0) {
+    throw explainExit(result.status, `stamp users remove ${opts.shortName}`, {
+      server: server2,
+      shortName: opts.shortName
+    });
+  }
+}
+
 // src/commands/keys.ts
-import { existsSync as existsSync12, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "fs";
-import { basename, join as join7 } from "path";
+import { existsSync as existsSync14, readdirSync as readdirSync3, readFileSync as readFileSync11, writeFileSync as writeFileSync11 } from "fs";
+import { basename, join as join9 } from "path";
 function keysGenerate() {
   const existing = loadUserKeypair();
   if (existing) {
@@ -4919,18 +5614,18 @@ function keysList() {
     const repoRoot = findRepoRoot();
     const trustedDir = stampTrustedKeysDir(repoRoot);
     console.log(`repo trusted keys: ${trustedDir}/`);
-    if (!existsSync12(trustedDir)) {
+    if (!existsSync14(trustedDir)) {
       console.log("  (directory does not exist \u2014 run `stamp init`)");
       return;
     }
-    const pubFiles = readdirSync2(trustedDir).filter((f) => f.endsWith(".pub"));
+    const pubFiles = readdirSync3(trustedDir).filter((f) => f.endsWith(".pub"));
     if (pubFiles.length === 0) {
       console.log("  (none)");
       return;
     }
     for (const file of pubFiles.sort()) {
       try {
-        const pem = readFileSync9(join7(trustedDir, file), "utf8");
+        const pem = readFileSync11(join9(trustedDir, file), "utf8");
         const fp = fingerprintFromPem(pem);
         const marker = local && fp === local.fingerprint ? " (you)" : "";
         console.log(`  ${fp}${marker}  [${file}]`);
@@ -4949,15 +5644,15 @@ function keysExport() {
 function keysTrust(pubFile) {
   const repoRoot = findRepoRoot();
   const trustedDir = stampTrustedKeysDir(repoRoot);
-  if (!existsSync12(trustedDir)) {
+  if (!existsSync14(trustedDir)) {
     throw new Error(
       `no ${trustedDir} \u2014 run \`stamp init\` first to create the trust store`
     );
   }
-  if (!existsSync12(pubFile)) {
+  if (!existsSync14(pubFile)) {
     throw new Error(`public key file not found: ${pubFile}`);
   }
-  const pem = readFileSync9(pubFile, "utf8");
+  const pem = readFileSync11(pubFile, "utf8");
   let fingerprint;
   try {
     fingerprint = fingerprintFromPem(pem);
@@ -4967,12 +5662,12 @@ function keysTrust(pubFile) {
     );
   }
   const filename = publicKeyFingerprintFilename(fingerprint);
-  const dest = join7(trustedDir, filename);
-  if (existsSync12(dest)) {
+  const dest = join9(trustedDir, filename);
+  if (existsSync14(dest)) {
     console.log(`${fingerprint} is already trusted (${basename(dest)})`);
     return;
   }
-  writeFileSync10(dest, pem);
+  writeFileSync11(dest, pem);
   console.log(`trusted ${fingerprint}`);
   console.log(`  \u2192 ${dest}`);
   console.log();
@@ -4980,11 +5675,11 @@ function keysTrust(pubFile) {
 }
 
 // src/commands/log.ts
-import { existsSync as existsSync13 } from "fs";
+import { existsSync as existsSync15 } from "fs";
 function runLog(opts) {
   const repoRoot = findRepoRoot();
   const configPath = stampConfigFile(repoRoot);
-  if (!existsSync13(configPath)) {
+  if (!existsSync15(configPath)) {
     throw new Error(
       `no .stamp/config.yml at ${configPath}. Run \`stamp init\` first.`
     );
@@ -5101,7 +5796,7 @@ function printCommitDetail(sha, repoRoot) {
 }
 function collectReviewProse(repoRoot, payload) {
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync13(dbPath)) return [];
+  if (!existsSync15(dbPath)) return [];
   const db = openDb(dbPath);
   try {
     const rows = latestReviews(db, payload.base_sha, payload.head_sha);
@@ -5115,7 +5810,7 @@ function printReviewHistory(repoRoot, limit, diff) {
   const configPath = stampConfigFile(repoRoot);
   loadConfig(configPath);
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync13(dbPath)) {
+  if (!existsSync15(dbPath)) {
     console.log("No reviews recorded yet.");
     return;
   }
@@ -5156,8 +5851,8 @@ function printReviewHistory(repoRoot, limit, diff) {
 }
 
 // src/commands/prune.ts
-import { existsSync as existsSync14, readdirSync as readdirSync3, statSync as statSync2, unlinkSync as unlinkSync3 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync16, readdirSync as readdirSync4, statSync as statSync2, unlinkSync as unlinkSync3 } from "fs";
+import { join as join10 } from "path";
 
 // src/lib/duration.ts
 function parseRetentionDuration(input) {
@@ -5186,16 +5881,16 @@ function runPrune(opts) {
   );
   const repoRoot = findRepoRoot();
   const dbPath = stampStateDbPath(repoRoot);
-  const parsesDir = join8(gitCommonDir(repoRoot), "stamp", "failed-parses");
-  const runsDir = join8(gitCommonDir(repoRoot), "stamp", "failed-runs");
+  const parsesDir = join10(gitCommonDir(repoRoot), "stamp", "failed-parses");
+  const runsDir = join10(gitCommonDir(repoRoot), "stamp", "failed-runs");
   const spoolCutoffMs = Date.now() - durationMs;
-  if (!existsSync14(dbPath) && !existsSync14(parsesDir) && !existsSync14(runsDir)) {
+  if (!existsSync16(dbPath) && !existsSync16(parsesDir) && !existsSync16(runsDir)) {
     console.log(
       `note: nothing to prune (none of ${dbPath}, ${parsesDir}, ${runsDir} exist \u2014 all are created on first \`stamp review\`)`
     );
     return;
   }
-  const db = existsSync14(dbPath) ? openDb(dbPath) : null;
+  const db = existsSync16(dbPath) ? openDb(dbPath) : null;
   try {
     if (opts.dryRun) {
       let any2 = false;
@@ -5265,10 +5960,10 @@ function runPrune(opts) {
   }
 }
 function peekSpools(spoolDir, cutoffMs) {
-  if (!existsSync14(spoolDir)) return [];
+  if (!existsSync16(spoolDir)) return [];
   const out = [];
-  for (const entry of readdirSync3(spoolDir)) {
-    const filepath = join8(spoolDir, entry);
+  for (const entry of readdirSync4(spoolDir)) {
+    const filepath = join10(spoolDir, entry);
     let stat;
     try {
       stat = statSync2(filepath);
@@ -5302,7 +5997,7 @@ function printPerReviewer(rows) {
 }
 
 // src/commands/config.ts
-import { existsSync as existsSync15 } from "fs";
+import { existsSync as existsSync17 } from "fs";
 function runConfigReviewersSet(opts) {
   if (!isValidReviewerName(opts.reviewer)) {
     throw new UsageError(
@@ -5375,7 +6070,7 @@ function runConfigReviewersClear(opts) {
 }
 function runConfigReviewersShow() {
   const path2 = userConfigPath();
-  if (!existsSync15(path2)) {
+  if (!existsSync17(path2)) {
     console.log(`note: no per-user stamp config (${path2} does not exist).`);
     console.log(
       `      Defaults will apply on next \`stamp init\` or \`stamp review\`:`
@@ -5420,30 +6115,30 @@ function loadOrEmpty() {
 }
 
 // src/commands/reviewers.ts
-import { spawnSync as spawnSync7 } from "child_process";
+import { spawnSync as spawnSync10 } from "child_process";
 import {
-  existsSync as existsSync17,
-  readFileSync as readFileSync11,
+  existsSync as existsSync19,
+  readFileSync as readFileSync13,
   statSync as statSync3,
   unlinkSync as unlinkSync4,
-  writeFileSync as writeFileSync12
+  writeFileSync as writeFileSync13
 } from "fs";
-import { join as join10, relative, resolve } from "path";
+import { join as join12, relative, resolve as resolve2 } from "path";
 import { parse as parseYaml6, stringify as stringifyYaml3 } from "yaml";
 
 // src/lib/reviewerLock.ts
-import { existsSync as existsSync16, readFileSync as readFileSync10, writeFileSync as writeFileSync11 } from "fs";
-import { join as join9 } from "path";
+import { existsSync as existsSync18, readFileSync as readFileSync12, writeFileSync as writeFileSync12 } from "fs";
+import { join as join11 } from "path";
 var LOCK_FILE_VERSION = 1;
 var LOCK_DRIFT_EXIT = 3;
 function lockFilePath(repoRoot, reviewerName) {
-  return join9(repoRoot, ".stamp", "reviewers", `${reviewerName}.lock.json`);
+  return join11(repoRoot, ".stamp", "reviewers", `${reviewerName}.lock.json`);
 }
 function readLockFile(repoRoot, reviewerName) {
   const path2 = lockFilePath(repoRoot, reviewerName);
-  if (!existsSync16(path2)) return null;
+  if (!existsSync18(path2)) return null;
   try {
-    const raw = readFileSync10(path2, "utf8");
+    const raw = readFileSync12(path2, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version !== "number" || typeof parsed.source !== "string" || typeof parsed.ref !== "string" || typeof parsed.reviewer !== "string" || typeof parsed.prompt_sha256 !== "string" || typeof parsed.tools_sha256 !== "string" || typeof parsed.mcp_sha256 !== "string") {
       throw new Error(`malformed lock file at ${path2}`);
@@ -5457,20 +6152,20 @@ function readLockFile(repoRoot, reviewerName) {
 }
 function writeLockFile(repoRoot, reviewerName, lock) {
   const path2 = lockFilePath(repoRoot, reviewerName);
-  writeFileSync11(path2, JSON.stringify(lock, null, 2) + "\n", "utf8");
+  writeFileSync12(path2, JSON.stringify(lock, null, 2) + "\n", "utf8");
 }
 function checkReviewerDrift(repoRoot, reviewerName, def) {
   const lock = readLockFile(repoRoot, reviewerName);
   if (!lock) {
     return unpinnedResult();
   }
-  const promptPath = join9(repoRoot, def.prompt);
-  if (!existsSync16(promptPath)) {
+  const promptPath = join11(repoRoot, def.prompt);
+  if (!existsSync18(promptPath)) {
     throw new Error(
       `reviewer "${reviewerName}" has a lock file but its prompt "${def.prompt}" does not exist on disk. Re-run 'stamp reviewers fetch ${reviewerName} --from ${lock.source}@${lock.ref}' to restore it, or delete the lock file to un-pin the reviewer.`
     );
   }
-  const promptBytes = readFileSync10(promptPath);
+  const promptBytes = readFileSync12(promptPath);
   const observedPrompt = hashPromptBytes(promptBytes);
   const observedTools = hashTools(def.tools);
   const observedMcp = hashMcpServers(def.mcp_servers);
@@ -5549,9 +6244,9 @@ function reviewersList() {
   const maxNameLen = Math.max(...names.map((n) => n.length));
   for (const name of names) {
     const def = config2.reviewers[name];
-    const abs = resolve(repoRoot, def.prompt);
+    const abs = resolve2(repoRoot, def.prompt);
     let annotation = "";
-    if (!existsSync17(abs)) {
+    if (!existsSync19(abs)) {
       annotation = "  MISSING";
     } else {
       const size = statSync3(abs).size;
@@ -5575,7 +6270,7 @@ function reviewersEdit(name) {
       `reviewer "${name}" is not configured. Run \`stamp reviewers list\` to see available reviewers.`
     );
   }
-  const target = resolve(repoRoot, def.prompt);
+  const target = resolve2(repoRoot, def.prompt);
   launchEditor(target);
 }
 function reviewersAdd(name, opts = {}) {
@@ -5589,20 +6284,20 @@ function reviewersAdd(name, opts = {}) {
     );
   }
   const promptRel = `.stamp/reviewers/${name}.md`;
-  const promptAbs = resolve(repoRoot, promptRel);
-  if (existsSync17(promptAbs)) {
+  const promptAbs = resolve2(repoRoot, promptRel);
+  if (existsSync19(promptAbs)) {
     throw new Error(
       `${promptRel} already exists on disk but is not in config. Either delete the file or add it to config manually.`
     );
   }
-  writeFileSync12(
+  writeFileSync13(
     promptAbs,
     `# ${name}
 
 ${EXAMPLE_REVIEWER_PROMPT.split("\n").slice(2).join("\n")}`
   );
   config2.reviewers[name] = { prompt: promptRel };
-  writeFileSync12(configPath, stringifyConfig(config2));
+  writeFileSync13(configPath, stringifyConfig(config2));
   console.log(`reviewer "${name}" added.`);
   console.log(`  prompt file: ${promptRel}`);
   console.log(`  registered in .stamp/config.yml`);
@@ -5637,11 +6332,11 @@ function reviewersRemove(name, opts = {}) {
     );
   }
   delete config2.reviewers[name];
-  writeFileSync12(configPath, stringifyConfig(config2));
+  writeFileSync13(configPath, stringifyConfig(config2));
   console.log(`reviewer "${name}" removed from .stamp/config.yml`);
   if (opts.deleteFile) {
-    const promptAbs = resolve(repoRoot, def.prompt);
-    if (existsSync17(promptAbs)) {
+    const promptAbs = resolve2(repoRoot, def.prompt);
+    if (existsSync19(promptAbs)) {
       unlinkSync4(promptAbs);
       console.log(`deleted ${def.prompt}`);
     }
@@ -5672,8 +6367,8 @@ async function reviewersTest(name, diff) {
   console.log(`  prompt sourced from working tree (test/iteration use case)`);
   console.log();
   const def = config2.reviewers[name];
-  const promptPath = join10(repoRoot, def.prompt);
-  const systemPrompt = readFileSync11(promptPath, "utf8");
+  const promptPath = join12(repoRoot, def.prompt);
+  const systemPrompt = readFileSync13(promptPath, "utf8");
   const result = await invokeReviewer({
     reviewer: name,
     config: config2,
@@ -5700,7 +6395,7 @@ function reviewersShow(name, opts) {
     );
   }
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync17(dbPath)) {
+  if (!existsSync19(dbPath)) {
     console.log("No reviews recorded yet (no state.db).");
     return;
   }
@@ -5790,7 +6485,7 @@ async function reviewersFetch(reviewerName, opts) {
     opts.expectMcpSha
   );
   const reviewersDir = stampReviewersDir(repoRoot);
-  if (!existsSync17(reviewersDir)) {
+  if (!existsSync19(reviewersDir)) {
     throw new Error(
       `${reviewersDir} does not exist \u2014 run \`stamp init\` first.`
     );
@@ -5811,7 +6506,7 @@ async function reviewersFetch(reviewerName, opts) {
       mcpServers = validateMcpServersFromSource(parsed.mcp_servers, source, ref);
     }
   }
-  const promptPath = join10(reviewersDir, `${reviewerName}.md`);
+  const promptPath = join12(reviewersDir, `${reviewerName}.md`);
   const promptBytes = Buffer.from(promptText, "utf8");
   const promptSha = hashPromptBytes(promptBytes);
   const toolsSha = hashTools(tools);
@@ -5835,7 +6530,7 @@ async function reviewersFetch(reviewerName, opts) {
       mcpSha
     );
   }
-  writeFileSync12(promptPath, promptBytes);
+  writeFileSync13(promptPath, promptBytes);
   const lock = {
     version: LOCK_FILE_VERSION,
     source,
@@ -6064,7 +6759,7 @@ function buildConfigYamlHint(reviewerName, tools, mcpServers) {
 }
 function launchEditor(path2) {
   const editor = process.env["EDITOR"] ?? process.env["VISUAL"] ?? (process.platform === "win32" ? "notepad" : "vi");
-  const result = spawnSync7(editor, [path2], { stdio: "inherit" });
+  const result = spawnSync10(editor, [path2], { stdio: "inherit" });
   if (result.error) {
     throw new Error(
       `failed to launch editor "${editor}": ${result.error.message}`
@@ -6076,11 +6771,11 @@ function launchEditor(path2) {
 }
 
 // src/commands/status.ts
-import { existsSync as existsSync18 } from "fs";
+import { existsSync as existsSync20 } from "fs";
 function runStatus(opts) {
   const repoRoot = findRepoRoot();
   const configPath = stampConfigFile(repoRoot);
-  if (!existsSync18(configPath)) {
+  if (!existsSync20(configPath)) {
     throw new Error(
       `no .stamp/config.yml at ${configPath}. Run \`stamp init\` first.`
     );
@@ -6148,17 +6843,17 @@ function printGate(result, base_sha, head_sha) {
 }
 
 // src/commands/update.ts
-import { spawnSync as spawnSync8 } from "child_process";
+import { spawnSync as spawnSync11 } from "child_process";
 
 // src/lib/version.ts
-import { readFileSync as readFileSync12 } from "fs";
-import { dirname as dirname5, join as join11 } from "path";
+import { readFileSync as readFileSync14 } from "fs";
+import { dirname as dirname5, join as join13 } from "path";
 import { fileURLToPath } from "url";
 function readPackageVersion() {
   const here = dirname5(fileURLToPath(import.meta.url));
   for (let dir = here, i = 0; i < 6; i++) {
     try {
-      const raw = readFileSync12(join11(dir, "package.json"), "utf8");
+      const raw = readFileSync14(join13(dir, "package.json"), "utf8");
       const pkg = JSON.parse(raw);
       if (pkg.name === "@openthink/stamp" && pkg.version) return pkg.version;
     } catch {
@@ -6189,7 +6884,7 @@ function runUpdate() {
 `);
   process.stdout.write(`checking npm registry for latest...
 `);
-  const viewResult = spawnSync8("npm", ["view", PKG_NAME, "version"], {
+  const viewResult = spawnSync11("npm", ["view", PKG_NAME, "version"], {
     encoding: "utf8"
   });
   if (viewResult.error || viewResult.status !== 0) {
@@ -6223,7 +6918,7 @@ function runUpdate() {
   }
   process.stdout.write(`installing ${PKG_NAME}@${latest}...
 `);
-  const installResult = spawnSync8(
+  const installResult = spawnSync11(
     "npm",
     ["install", "-g", `${PKG_NAME}@${latest}`],
     { stdio: "inherit" }
@@ -6244,9 +6939,9 @@ through that tool instead \u2014 this command only uses 'npm install -g'.`
 }
 
 // src/commands/verify.ts
-import { execFileSync as execFileSync2, spawnSync as spawnSync9 } from "child_process";
+import { execFileSync as execFileSync2, spawnSync as spawnSync12 } from "child_process";
 function loadConfigAtSha(sha, repoRoot) {
-  const result = spawnSync9(
+  const result = spawnSync12(
     "git",
     ["show", `${sha}:.stamp/config.yml`],
     { cwd: repoRoot, encoding: "utf8", maxBuffer: 16 * 1024 * 1024 }
@@ -6845,6 +7540,88 @@ function wrap(fn) {
     process.exit(1);
   }
 }
+var invites = program.command("invites").description("mint and accept single-use invite tokens for teammate onboarding");
+invites.command("mint <short-name>").description("mint an invite for a teammate (15-min TTL, admin/owner only)").option("--role <admin|member>", "role to grant on accept", "member").action((shortName, opts) => {
+  try {
+    if (opts.role !== "admin" && opts.role !== "member") {
+      throw new Error(
+        `--role must be 'admin' or 'member' (got ${JSON.stringify(opts.role)})`
+      );
+    }
+    runInvitesMint({ shortName, role: opts.role });
+  } catch (err) {
+    handleCliError(err);
+  }
+});
+invites.command("accept <share-url-or-token>").description("redeem an invite token; auto-detects local keys, prompts to confirm").option("--server <host:port>", "server endpoint when passing a bare token (no URL)").option("--ssh-pubkey <path>", "override SSH pubkey path (default ~/.ssh/id_ed25519.pub)").option("--stamp-pubkey <path>", "override stamp signing pubkey path (default ~/.stamp/keys/ed25519.pub)").option("--short-name <name>", "override the short_name (default derived from user@host)").option("--yes", "skip the confirmation prompt (required for non-TTY stdin)").action(
+  async (urlOrToken, opts) => {
+    try {
+      await runInvitesAccept({
+        urlOrToken,
+        server: opts.server,
+        sshPubkeyPath: opts.sshPubkey,
+        stampPubkeyPath: opts.stampPubkey,
+        shortName: opts.shortName,
+        yes: opts.yes
+      });
+    } catch (err) {
+      handleCliError(err);
+    }
+  }
+);
+var users = program.command("users").description("list, promote, demote, and remove enrolled users on the stamp server");
+users.command("list").description("list enrolled users (everyone authenticated may run this)").option("--json", "emit the raw server JSON instead of the formatted table").action((opts) => {
+  try {
+    runUsersList({ json: opts.json });
+  } catch (err) {
+    handleCliError(err);
+  }
+});
+users.command("promote <short-name>").description("promote a user; admins may not promote to admin/owner except for the no-owners bootstrap path").requiredOption("--to <admin|owner>", "target role").action((shortName, opts) => {
+  try {
+    if (opts.to !== "admin" && opts.to !== "owner") {
+      throw new Error(
+        `promote --to must be 'admin' or 'owner' (got ${JSON.stringify(opts.to)})`
+      );
+    }
+    runUsersPromote({ shortName, to: opts.to });
+  } catch (err) {
+    handleCliError(err);
+  }
+});
+users.command("demote <short-name>").description("demote a user (admin/owner only; last-owner guard prevents zeroing out ownership)").requiredOption("--to <admin|member>", "target role").action((shortName, opts) => {
+  try {
+    if (opts.to !== "admin" && opts.to !== "member") {
+      throw new Error(
+        `demote --to must be 'admin' or 'member' (got ${JSON.stringify(opts.to)})`
+      );
+    }
+    runUsersDemote({ shortName, to: opts.to });
+  } catch (err) {
+    handleCliError(err);
+  }
+});
+users.command("remove <short-name>").description("remove a user from the membership DB (admins may remove members only; cannot remove self)").action((shortName) => {
+  try {
+    runUsersRemove({ shortName });
+  } catch (err) {
+    handleCliError(err);
+  }
+});
+var trust = program.command("trust").description("manage per-repo stamp signing trust (committed under .stamp/trusted-keys/)");
+trust.command("grant <short-name>").description("stage a trust-grant for an enrolled user on a new branch; review + merge through the usual gate").option("--repo <path>", "repo root to operate on (default: cwd)").option("--force-dirty", "stage the grant even if the working tree has uncommitted changes").action(
+  (shortName, opts) => {
+    try {
+      runTrustGrant({
+        shortName,
+        repoPath: opts.repo,
+        forceDirty: opts.forceDirty
+      });
+    } catch (err) {
+      handleCliError(err);
+    }
+  }
+);
 var reviewers = program.command("reviewers").description("manage reviewer prompts");
 reviewers.command("list").description("list configured reviewers and their prompt file status").action(() => wrap(() => reviewersList()));
 reviewers.command("add <name>").description("scaffold a new reviewer: create prompt file, register in config, open in editor").option("--no-edit", "skip opening $EDITOR after scaffolding").action(