@papervault/cli 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 PaperVault.xyz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,212 @@
+# PaperVault CLI — Store secrets on paper using threshold encryption
+
+**PaperVault 📄🔐** is a free open source tool for creating offline paper-based data vaults for your foundational secrets, such as passwords, 2FA recovery codes, digital asset keys, hard drive encryption keys, and other critical data.
+
+This is the **command-line version**. Same crypto, same paper output, same [papervault.xyz/unlock](https://papervault.xyz/unlock) recovery path — but driven from your terminal so you can wire it into shell pipelines, pull straight from secret stores like Azure Key Vault, or import a `.env` file in one command. The browser app lives at [papervault.xyz](https://papervault.xyz).
+
+## 🔐 Overview
+
+PaperVault encrypts your secrets and splits the decryption key into shards that can be printed on paper or saved to digital media. Keys are split using [Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing). Choose how many keys to create and how many are needed to unlock — for example, 5 keys with any 3 required (3-of-5).
+
+The CLI produces the same v2 vault format as the browser app, so kits made here unlock identically at [papervault.xyz/unlock](https://papervault.xyz/unlock).
+
+## 🚀 Quick Start
+
+```bash
+# Install once
+npm install -g @papervault/cli
+
+# Walk through the wizard
+papervault init
+```
+
+Or run the wizard without installing:
+
+```bash
+npx @papervault/init
+```
+
+The wizard asks where your secrets live. Three common paths:
+
+| Where they are | What to pick | What happens |
+|---|---|---|
+| In your head / on a sticky note | **"I'll add them now"** | Walks you through entering each secret; nothing saved to disk. |
+| In a `.env` file | **"Import from .env file"** | Multiselect which entries to back up; nothing saved to disk. |
+| In Azure Key Vault | **"Azure Key Vault"** | Uses your `az login` cache; writes a `papervault.config.json` so future runs are one command. |
+
+After that, your browser opens with a print-ready kit — print the vault page and each key page, distribute, done.
+
+Requires Node.js ≥ 24.
+
+## 🔑 Key Features
+
+- **Works offline** — No internet required after install; safe to run on an air-gapped machine.
+- **Client-side only** — All crypto runs locally. No data ever leaves your device.
+- **Printable** — Vault and keys come out as standalone HTML pages with embedded QR codes; print or save as PDF.
+- **Flexible thresholds** — Any M-of-N combination (up to 20 keys).
+- **Pluggable sources** — Manual entry, `.env` files, Azure Key Vault today; AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, 1Password on the roadmap.
+- **Social recovery & digital inheritance** — Keys can be distributed for recovery in emergencies.
+- **Round-trip compatible** — Kits unlock at [papervault.xyz/unlock](https://papervault.xyz/unlock), same as web-app vaults.
+
+## 📄 Vault vs key shares (social recovery)
+
+The encrypted vault page and the key share pages are **separate documents** — keyholders need both the threshold of keys *and* the vault page to recover. See [Vault vs key shares](https://github.com/boazeb/papervault#-vault-vs-key-shares-social-recovery) in the main repo for the full social-recovery model.
+
+## 📖 How It Works
+
+1. **Pick a source** — manual entry, `.env`, JSON file, or a cloud secret store. Secrets only ever live in memory.
+2. **Configure shares** — choose number of keys (N) and recovery threshold (M).
+3. **Encrypt + split** — your secrets are encrypted with a fresh AES-256-GCM key; that key is split via Shamir's algorithm.
+4. **Print & distribute** — the CLI opens your browser to an ephemeral, in-memory page with a single "Print kit" button. The OS print dialog handles the rest (use "Save as PDF" from the dialog if you'd rather save than print).
+5. **Recovery** — go to [papervault.xyz/unlock](https://papervault.xyz/unlock) on any device, scan the vault QR, then scan any M key QRs. Your secrets reappear.
+
+## 🔧 Commands
+
+```bash
+papervault init                    # Interactive wizard (most users start here)
+papervault backup [options]        # Generate a kit (reads papervault.config.json if present)
+papervault sources list            # Show available secret backends
+papervault verify <kit-dir>        # Round-trip check on a saved kit
+```
+
+Run any command with `--help` for the full flag reference.
+
+### Source URIs
+
+| Scheme | Status | Notes |
+|---|---|---|
+| `file://<path>` | ✓ ready | JSON file you maintain — see schema below |
+| `stdin` (`-`) | ✓ ready | Pipe JSON in for scripts |
+| `azure-kv://<vault-name>` | ✓ ready | Uses `az login` cache |
+| `aws-sm://` | roadmap | AWS Secrets Manager |
+| `gcp-sm://` | roadmap | GCP Secret Manager |
+| `vault://` | roadmap | HashiCorp Vault |
+| `1password://` | roadmap | 1Password CLI |
+
+### JSON source schema
+
+For `file://` and stdin sources:
+
+```json
+{
+  "vaultName": "Optional default label",
+  "freeText": "Optional freeform notes",
+  "secrets": [
+    {"kind": "password", "service": "GitHub", "username": "alice", "password": "...", "url": "https://github.com"},
+    {"kind": "wallet",   "name": "BTC cold", "seed": "...", "address": "..."},
+    {"kind": "apikey",   "service": "Stripe live", "key": "sk_live_...", "secret": "..."},
+    {"kind": "note",     "title": "Lawyer contact", "content": "..."},
+    {"kind": "custom",   "label": "anything", "value": "..."}
+  ]
+}
+```
+
+Field names follow the web app's structured-entry format so kits unlock identically there.
+
+### Config file
+
+`papervault init` writes `papervault.config.json` in the current directory for recurring sources:
+
+```json
+{
+  "version": "1",
+  "source": "azure-kv://my-vault",
+  "threshold": 2,
+  "shares": 3,
+  "vaultName": "Production DR Kit",
+  "custodianNames": ["alice", "bob", "carol"],
+  "savePath": "/Users/me/papervault-backups"
+}
+```
+
+`papervault backup` picks this up automatically. CLI flags override config values. Pass `--no-config` to ignore it. **The config never holds secret values** — only how/where to fetch them at backup time.
+
+## 🔍 Audit with AI
+
+This is open source software. Run a quick AI-assisted audit via the [Audit with AI](https://github.com/boazeb/papervault#-audit-with-ai) links in the main repo (ChatGPT / Claude / Gemini / Grok / Perplexity, each one-click).
+
+## 🛡️ Security Model
+
+### Cryptographic Foundation
+
+- **Algorithm**: Shamir's Secret Sharing over GF(2^8) via [shamir-secret-sharing](https://github.com/privy-io/shamir-secret-sharing).
+- **Encryption**: AES-256-GCM (authenticated) via the Web Crypto API (`crypto.subtle`). No JavaScript reimplementation of the cipher.
+- **Key Generation**: Cryptographically secure random number generation via `crypto.getRandomValues()`. Never `Math.random()`.
+- **QR Codes**: Level-M error correction (~15% damage recovery) for reliable scanning from paper.
+- **Vault format**: v2 — byte-identical to vaults produced by the web app, so kits unlock at [papervault.xyz/unlock](https://papervault.xyz/unlock).
+
+### Security Best Practices
+
+1. **Air-Gapped Usage**: Run the CLI on an offline computer for maximum security.
+2. **Source Code Review**: Audit the code before using with critical secrets (see the AI audit links above).
+3. **Physical Security**: Store paper keys and the vault page in separate, secure locations.
+4. **Test Recovery**: Always test your recovery process at papervault.xyz/unlock before relying on it.
+5. **Durable Storage**: For maximum durability, consider archive-grade paper in tamper-evident envelopes.
+6. **Audit Log**: The CLI writes one line per invocation to `~/.papervault/audit.log`. Secret values are **never** logged; secret names are hashed to a 16-char fingerprint by default.
+
+### Threat Model
+
+PaperVault does NOT protect against:
+
+- ❌ Physical compromise of threshold number of keys + vault
+- ❌ Shoulder surfing during secret entry
+- ❌ Malicious modifications to the source code
+- ❌ Compromise of the cloud secret store you're pulling from
+- ❌ Social engineering
+
+## 🔧 Technical Details
+
+### Architecture
+
+- **Crypto core**: [`@papervault/core`](https://www.npmjs.com/package/@papervault/core) — AES-GCM, Shamir, HTML page generation
+- **CLI shell**: this package — interactive wizard, source adapters, ephemeral print server
+- **MCP server**: [`@papervault/mcp`](https://www.npmjs.com/package/@papervault/mcp) — lets AI agents trigger backups as a safety step
+- **Pure JS**, no native deps. Uses Node 24's built-in WebCrypto.
+
+### Print server
+
+By default, `papervault backup` opens an ephemeral localhost HTTP server bound to `127.0.0.1` on a random port. The server holds the kit in memory only, serves a single-page UI with a "Print kit" button, and shuts down (dropping references) when you click "Done". Use `--save <dir>` to also write the HTML files to disk.
+
+### Limits
+
+- **Maximum Keys**: 20 (cryptographic library constraint)
+- **Storage Limit**: 300 characters of user content per vault (QR code optimization — same as the web app)
+
+## 🔗 Related Packages
+
+- [`@papervault/core`](https://www.npmjs.com/package/@papervault/core) — Crypto + Shamir + page generation library
+- [`@papervault/mcp`](https://www.npmjs.com/package/@papervault/mcp) — MCP server for AI agents
+- [`@papervault/init`](https://www.npmjs.com/package/@papervault/init) — `npx` setup wizard
+- [PaperVault web app](https://papervault.xyz) — same crypto, browser version
+- [Main repo](https://github.com/boazeb/papervault) — issues, docs, SECURITY.md
+
+## 🤝 Contributing
+
+Contributions are welcome! See the main repo at [github.com/boazeb/papervault](https://github.com/boazeb/papervault).
+
+## 📄 License
+
+MIT — see [LICENSE](LICENSE).
+
+## 🙏 Acknowledgments
+
+- [Shamir's Secret Sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) algorithm by Adi Shamir
+- [shamir-secret-sharing](https://github.com/privy-io/shamir-secret-sharing) — Shamir over GF(2^8)
+- [bip39](https://github.com/bitcoinjs/bip39) — two-word key aliases
+- [qrcode](https://github.com/soldair/node-qrcode) — QR generation
+- [@clack/prompts](https://github.com/natemoo-re/clack) — interactive wizard UX
+
+## 📞 Support
+
+- **Issues**: [GitHub Issues](https://github.com/boazeb/papervault/issues)
+
+## ⚠️ Disclaimer
+
+This software is provided "as is" without warranty. Users are responsible for:
+
+- Verifying the security of their implementation
+- Testing recovery procedures before relying on them
+- Maintaining physical security of printed keys
+- Understanding the cryptographic principles involved
+
+**Always test with non-critical data first!**

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "@papervault/cli",
+  "version": "0.1.0",
+  "description": "Command-line PaperVault. Encrypt secrets, split with Shamir Secret Sharing, generate printable disaster-recovery kits from .env files, JSON, Azure Key Vault, and more.",
+  "type": "module",
+  "bin": {
+    "papervault": "./src/index.js"
+  },
+  "exports": {
+    ".": "./src/index.js",
+    "./sources": "./src/sources/index.js",
+    "./audit": "./src/audit.js",
+    "./commands/init.js": "./src/commands/init.js"
+  },
+  "files": [
+    "src",
+    "LICENSE",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=24.x"
+  },
+  "homepage": "https://papervault.xyz",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/boazeb/papervault.git",
+    "directory": "papervault-cli"
+  },
+  "bugs": {
+    "url": "https://github.com/boazeb/papervault/issues"
+  },
+  "keywords": [
+    "papervault",
+    "cli",
+    "command-line",
+    "cryptography",
+    "shamir-secret-sharing",
+    "aes-256-gcm",
+    "secret-sharing",
+    "paper-wallet",
+    "cold-storage",
+    "disaster-recovery",
+    "key-vault",
+    "azure-key-vault",
+    "secrets-management",
+    "open-source"
+  ],
+  "author": "PaperVault.xyz",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@azure/identity": "^4.4.1",
+    "@azure/keyvault-secrets": "^4.9.0",
+    "@clack/prompts": "^0.7.0",
+    "@papervault/core": "^0.1.0"
+  }
+}

package/src/audit.js

@@ -0,0 +1,52 @@
+// Audit logging. Records what was done, NEVER what was in it.
+// Default location: ~/.papervault/audit.log
+// Format: one JSON object per line (jsonl) — easy to grep + parse.
+
+import { appendFile, mkdir } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { dirname, join } from 'node:path';
+import { createHash } from 'node:crypto';
+
+function auditPath() {
+    return process.env.PAPERVAULT_AUDIT_LOG || join(homedir(), '.papervault', 'audit.log');
+}
+
+/**
+ * @param {object} entry
+ * @param {string} entry.action            e.g. 'backup', 'verify', 'sources.list'
+ * @param {string} [entry.sourceUri]
+ * @param {number} [entry.secretCount]
+ * @param {number} [entry.threshold]
+ * @param {number} [entry.shares]
+ * @param {string} [entry.vaultId]
+ * @param {string} [entry.outcome]         'success' | 'failed' | 'aborted'
+ * @param {string} [entry.error]
+ * @param {string[]} [entry.secretNames]   Hashed before write unless PAPERVAULT_LOG_NAMES=1
+ */
+export async function audit(entry) {
+    const path = auditPath();
+    try {
+        await mkdir(dirname(path), { recursive: true });
+    } catch { /* dir might exist; OK */ }
+
+    const logNamesPlaintext = process.env.PAPERVAULT_LOG_NAMES === '1';
+    const safe = { ...entry };
+    if (Array.isArray(entry.secretNames)) {
+        if (logNamesPlaintext) {
+            safe.secretNames = entry.secretNames;
+        } else {
+            // Deterministic fingerprint of the sorted name list. Lets you tell
+            // two runs covered the same set without revealing the names.
+            const sorted = [...entry.secretNames].sort().join('\n');
+            safe.namesFingerprint = createHash('sha256').update(sorted).digest('hex').slice(0, 16);
+            delete safe.secretNames;
+        }
+    }
+    safe.ts = new Date().toISOString();
+    try {
+        await appendFile(path, JSON.stringify(safe) + '\n', 'utf8');
+    } catch (err) {
+        // Audit log failures should never crash the main flow.
+        process.stderr.write(`audit log warning: ${err.message}\n`);
+    }
+}

package/src/browser.js

@@ -0,0 +1,24 @@
+// Cross-platform "open URL in default browser".
+// Doesn't shell out for the URL itself — uses spawn with no shell.
+
+import { spawn } from 'node:child_process';
+
+export function openUrl(url) {
+    const platform = process.platform;
+    let cmd, args;
+    if (platform === 'darwin') {
+        cmd = 'open';
+        args = [url];
+    } else if (platform === 'win32') {
+        cmd = 'cmd';
+        args = ['/c', 'start', '', url];
+    } else {
+        cmd = 'xdg-open';
+        args = [url];
+    }
+    const child = spawn(cmd, args, { stdio: 'ignore', detached: true });
+    child.unref();
+    child.on('error', err => {
+        process.stderr.write(`Could not open browser automatically (${err.message}). Open this URL: ${url}\n`);
+    });
+}

package/src/cli.js

@@ -0,0 +1,42 @@
+// Command dispatcher. Each subcommand owns its own argument parsing
+// (via util.parseArgs) so flags can vary cleanly per command.
+
+import { backup } from './commands/backup.js';
+import { verify } from './commands/verify.js';
+import { sourcesCmd } from './commands/sources.js';
+import { init } from './commands/init.js';
+
+const HELP = `papervault — disaster-recovery kits from your secret sources
+
+Usage:
+  papervault init                        Interactive setup → papervault.config.json
+  papervault backup [options]            Generate a printable kit
+  papervault verify <path>               Decrypt-check a saved kit
+  papervault sources list                Show configured backends
+  papervault --help
+
+Run 'papervault <command> --help' for command-specific options.
+`;
+
+export async function main(argv) {
+    const [command, ...rest] = argv;
+
+    if (!command || command === '--help' || command === '-h') {
+        process.stdout.write(HELP);
+        return;
+    }
+
+    switch (command) {
+        case 'init':
+            return init(rest);
+        case 'backup':
+            return backup(rest);
+        case 'verify':
+            return verify(rest);
+        case 'sources':
+            return sourcesCmd(rest);
+        default:
+            process.stderr.write(`Unknown command: ${command}\n\n${HELP}`);
+            process.exit(2);
+    }
+}

package/src/commands/backup.js

@@ -0,0 +1,217 @@
+import { parseArgs } from 'node:util';
+import { LIMITS } from '@papervault/core';
+import { resolveSource } from '../sources/index.js';
+import { audit } from '../audit.js';
+import { readConfig, CONFIG_FILENAME } from '../config.js';
+import { runKitFlow } from '../kit-runner.js';
+
+const HELP = `papervault backup — generate a printable disaster-recovery kit
+
+Usage:
+  papervault backup [options]
+
+Source (one of):
+  --source <uri>         file://<path>, azure-kv://<vault-name>, or - for stdin.
+                         Falls back to ${CONFIG_FILENAME}.source if present, then stdin.
+                         Azure uses your 'az login' cache (no creds handled by us).
+                         Other clouds (AWS Secrets Manager, GCP Secret Manager,
+                         HashiCorp Vault, 1Password) are on the roadmap.
+
+Required:
+  --threshold N          Minimum keys required to unlock the vault
+  --shares N             Total number of key shares to generate
+
+Optional:
+  --name <text>          Vault name shown on the printed kit
+  --select <glob,glob>   Filter source secrets by glob pattern (comma-separated)
+  --names <a,b,c>        Custodian names per share (e.g. "alice,bob,carol")
+  --max-secrets N        Hard cap on number of secrets (default 20)
+  --save <dir>           Also write HTML files to <dir>/vault-<id>/
+  --no-print             Skip the ephemeral print server (only useful with --save)
+  --yes                  Skip interactive confirmation (use in scripts)
+  --dry-run              List what would be backed up, then exit
+  --no-config            Ignore ${CONFIG_FILENAME} in the current directory
+  --help
+
+Config: if ${CONFIG_FILENAME} exists in the current directory, its values
+are used as defaults. CLI flags override config. Run \`papervault init\` to
+create one interactively.
+
+Defaults: ephemeral print server, no disk writes.
+`;
+
+const OPTIONS = {
+    source:        { type: 'string' },
+    threshold:     { type: 'string' },
+    shares:        { type: 'string' },
+    name:          { type: 'string' },
+    select:        { type: 'string' },
+    names:         { type: 'string' },
+    'max-secrets': { type: 'string' },
+    save:          { type: 'string' },
+    'no-print':    { type: 'boolean' },
+    yes:           { type: 'boolean' },
+    'dry-run':     { type: 'boolean' },
+    'no-config':   { type: 'boolean' },
+    help:          { type: 'boolean' },
+};
+
+function globToRegex(g) {
+    const parts = g.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
+    return new RegExp('^' + parts.join('.*') + '$');
+}
+
+export async function backup(argv) {
+    const { values } = parseArgs({ args: argv, options: OPTIONS, allowPositionals: false });
+
+    if (values.help) {
+        process.stdout.write(HELP);
+        return;
+    }
+
+    // Layer 1: file config (if present + not --no-config)
+    let cfg = null;
+    if (!values['no-config']) {
+        try { cfg = await readConfig(); }
+        catch (err) { process.stderr.write(`Warning: ${err.message}\n`); }
+        if (cfg) process.stderr.write(`Using ${CONFIG_FILENAME} (CLI flags override).\n`);
+    }
+
+    // Layer 2: CLI flags override config. Falls back to stdin if nothing set.
+    const threshold = Number(values.threshold ?? cfg?.threshold);
+    const shares    = Number(values.shares    ?? cfg?.shares);
+    if (!Number.isInteger(threshold) || !Number.isInteger(shares)) {
+        throw new Error('--threshold and --shares are required (or set them in ' + CONFIG_FILENAME + '). See --help.');
+    }
+
+    const maxSecrets = Number(values['max-secrets'] ?? cfg?.maxSecrets ?? 20);
+    if (!Number.isInteger(maxSecrets) || maxSecrets < 1 || maxSecrets > LIMITS.MAX_KEYS * 5) {
+        throw new Error('--max-secrets must be a positive integer.');
+    }
+
+    const sourceUri = values.source ?? cfg?.source ?? '-';
+    const src = resolveSource(sourceUri);
+    await src.authenticate();
+
+    // Phase 1: list — see what would be backed up.
+    const refs = await src.list();
+
+    let selectedRefs = refs;
+    const effectiveSelect = values.select ?? cfg?.select;
+    if (effectiveSelect) {
+        const patterns = effectiveSelect.split(',').map(s => globToRegex(s.trim()));
+        selectedRefs = refs.filter(r => patterns.some(p => p.test(r.name)));
+    }
+
+    if (selectedRefs.length === 0) {
+        throw new Error('No secrets matched the selection.');
+    }
+    if (selectedRefs.length > maxSecrets) {
+        throw new Error(`${selectedRefs.length} secrets matched, but --max-secrets is ${maxSecrets}. ` +
+            'Tighten --select or raise --max-secrets explicitly.');
+    }
+
+    process.stderr.write(`Source: ${src.uri}\n`);
+    process.stderr.write(`Selected ${selectedRefs.length} secret${selectedRefs.length === 1 ? '' : 's'}:\n`);
+    for (const r of selectedRefs) {
+        process.stderr.write(`  - ${r.name} [${r.kind}]\n`);
+    }
+
+    if (values['dry-run']) {
+        await audit({
+            action: 'backup.dryrun',
+            sourceUri: src.uri,
+            secretCount: selectedRefs.length,
+            threshold, shares,
+            secretNames: selectedRefs.map(r => r.name),
+            outcome: 'success',
+        });
+        await src.close();
+        return;
+    }
+
+    if (!values.yes) {
+        process.stderr.write(`\nAbout to encrypt + split into ${shares} keys (threshold ${threshold}). ` +
+            `Pass --yes to skip this confirmation.\nContinue? [y/N] `);
+        const answer = await readOneLineFromStdin();
+        if (!/^y(es)?$/i.test(answer.trim())) {
+            process.stderr.write('Aborted.\n');
+            await audit({
+                action: 'backup',
+                sourceUri: src.uri,
+                secretCount: selectedRefs.length,
+                threshold, shares,
+                outcome: 'aborted',
+            });
+            await src.close();
+            return;
+        }
+    }
+
+    // Phase 2: fetch only the selected refs. Adapter has already filtered
+    // for us, so doc.secrets is exactly what was asked for.
+    const doc = await src.fetch(selectedRefs);
+    const secrets = doc.secrets;
+
+    const vaultName = values.name ?? cfg?.vaultName ?? doc.vaultName ?? 'Disaster Recovery Kit';
+    const custodianNames = values.names
+        ? values.names.split(',').map(s => s.trim())
+        : (cfg?.custodianNames ?? undefined);
+    if (custodianNames && custodianNames.length !== shares) {
+        throw new Error(`names list has ${custodianNames.length} entries but shares is ${shares}.`);
+    }
+
+    let result;
+    try {
+        result = await runKitFlow({
+            secrets,
+            freeText: doc.freeText,
+            vaultName,
+            threshold,
+            shares,
+            custodianNames,
+            savePath: values.save ?? cfg?.savePath,
+            print: !values['no-print'],
+        });
+    } catch (err) {
+        await audit({
+            action: 'backup',
+            sourceUri: src.uri,
+            secretCount: selectedRefs.length,
+            threshold, shares,
+            outcome: 'failed',
+            error: err.message,
+        });
+        await src.close();
+        throw err;
+    }
+    await src.close();
+
+    await audit({
+        action: 'backup',
+        sourceUri: src.uri,
+        secretCount: selectedRefs.length,
+        threshold, shares,
+        vaultId: result.vaultId,
+        savedTo: result.savedTo,
+        printed: result.printed,
+        outcome: 'success',
+    });
+}
+
+function readOneLineFromStdin() {
+    return new Promise(resolve => {
+        let buf = '';
+        const onData = (chunk) => {
+            buf += chunk.toString('utf8');
+            const nl = buf.indexOf('\n');
+            if (nl >= 0) {
+                process.stdin.off('data', onData);
+                process.stdin.pause();
+                resolve(buf.slice(0, nl));
+            }
+        };
+        process.stdin.resume();
+        process.stdin.on('data', onData);
+    });
+}