@quint-security/cli 0.1.2

package/dist/commands/auth.d.ts

@@ -0,0 +1,3 @@
+import { Command } from "commander";
+export declare const authCommand: Command;
+//# sourceMappingURL=auth.d.ts.map

package/dist/commands/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/commands/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQpC,eAAO,MAAM,WAAW,SACuC,CAAC"}

package/dist/commands/auth.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authCommand = void 0;
+const commander_1 = require("commander");
+const core_1 = require("@quint-security/core");
+exports.authCommand = new commander_1.Command("auth")
+    .description("Manage authentication (API keys and sessions)");
+exports.authCommand
+    .command("create-key")
+    .description("Create a new API key")
+    .requiredOption("--label <name>", "Human-readable label for the key")
+    .option("--scopes <scopes>", "Comma-separated scopes (e.g. proxy:read,audit:write)")
+    .option("--ttl <seconds>", "Time-to-live in seconds (0 = no expiry)", "0")
+    .action((opts) => {
+    const policy = (0, core_1.loadPolicy)();
+    const dataDir = (0, core_1.resolveDataDir)(policy.data_dir);
+    const db = (0, core_1.openAuthDb)(dataDir);
+    const scopes = opts.scopes ? opts.scopes.split(",").map((s) => s.trim()) : [];
+    const ttl = parseInt(opts.ttl, 10);
+    const { rawKey, apiKey } = (0, core_1.generateApiKey)(db, {
+        label: opts.label,
+        scopes,
+        ttlSeconds: ttl > 0 ? ttl : undefined,
+    });
+    console.log(`API key created.\n`);
+    console.log(`  ID:      ${apiKey.id}`);
+    console.log(`  Label:   ${apiKey.label}`);
+    console.log(`  Scopes:  ${apiKey.scopes || "(all)"}`);
+    console.log(`  Expires: ${apiKey.expires_at ?? "never"}`);
+    console.log(`\n  Raw key (SAVE THIS — shown only once):\n`);
+    console.log(`  ${rawKey}\n`);
+    db.close();
+});
+exports.authCommand
+    .command("list-keys")
+    .description("List all API keys")
+    .action(() => {
+    const policy = (0, core_1.loadPolicy)();
+    const dataDir = (0, core_1.resolveDataDir)(policy.data_dir);
+    const db = (0, core_1.openAuthDb)(dataDir);
+    const keys = db.listApiKeys();
+    if (keys.length === 0) {
+        console.log("No API keys found. Create one with `quint auth create-key`.");
+        db.close();
+        return;
+    }
+    console.log(`${keys.length} API key(s):\n`);
+    for (const key of keys) {
+        const status = key.revoked
+            ? "REVOKED"
+            : key.expires_at && new Date(key.expires_at) < new Date()
+                ? "EXPIRED"
+                : "active";
+        const icon = status === "active" ? "●" : "○";
+        console.log(`  ${icon} ${key.id}  ${key.label}  [${status}]  scopes=${key.scopes || "*"}  created=${key.created_at}`);
+    }
+    db.close();
+});
+exports.authCommand
+    .command("revoke-key")
+    .description("Revoke an API key")
+    .requiredOption("--id <id>", "API key ID to revoke")
+    .action((opts) => {
+    const policy = (0, core_1.loadPolicy)();
+    const dataDir = (0, core_1.resolveDataDir)(policy.data_dir);
+    const db = (0, core_1.openAuthDb)(dataDir);
+    const key = db.getApiKeyById(opts.id);
+    if (!key) {
+        console.error(`API key not found: ${opts.id}`);
+        db.close();
+        process.exit(1);
+    }
+    if (key.revoked) {
+        console.log(`Key ${opts.id} is already revoked.`);
+        db.close();
+        return;
+    }
+    db.revokeApiKey(opts.id);
+    // Also revoke any sessions issued to this key
+    const revoked = db.revokeSessionsBySubject(opts.id);
+    console.log(`Revoked key ${opts.id} (${key.label}).`);
+    if (revoked > 0) {
+        console.log(`  Also revoked ${revoked} active session(s).`);
+    }
+    db.close();
+});
+//# sourceMappingURL=auth.js.map

package/dist/commands/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/commands/auth.ts"],"names":[],"mappings":";;;AAAA,yCAAoC;AACpC,+CAK8B;AAEjB,QAAA,WAAW,GAAG,IAAI,mBAAO,CAAC,MAAM,CAAC;KAC3C,WAAW,CAAC,+CAA+C,CAAC,CAAC;AAEhE,mBAAW;KACR,OAAO,CAAC,YAAY,CAAC;KACrB,WAAW,CAAC,sBAAsB,CAAC;KACnC,cAAc,CAAC,gBAAgB,EAAE,kCAAkC,CAAC;KACpE,MAAM,CAAC,mBAAmB,EAAE,sDAAsD,CAAC;KACnF,MAAM,CAAC,iBAAiB,EAAE,yCAAyC,EAAE,GAAG,CAAC;KACzE,MAAM,CAAC,CAAC,IAAqD,EAAE,EAAE;IAChE,MAAM,MAAM,GAAG,IAAA,iBAAU,GAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAA,qBAAc,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,EAAE,GAAG,IAAA,iBAAU,EAAC,OAAO,CAAC,CAAC;IAE/B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9E,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAEnC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,qBAAc,EAAC,EAAE,EAAE;QAC5C,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,MAAM;QACN,UAAU,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;KACtC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC;IACtD,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,UAAU,IAAI,OAAO,EAAE,CAAC,CAAC;IAC1D,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC;IAE7B,EAAE,CAAC,KAAK,EAAE,CAAC;AACb,CAAC,CAAC,CAAC;AAEL,mBAAW;KACR,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CAAC,mBAAmB,CAAC;KAChC,MAAM,CAAC,GAAG,EAAE;IACX,MAAM,MAAM,GAAG,IAAA,iBAAU,GAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAA,qBAAc,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,EAAE,GAAG,IAAA,iBAAU,EAAC,OAAO,CAAC,CAAC;IAE/B,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;QAC3E,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,gBAAgB,CAAC,CAAC;IAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO;YACxB,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,GAAG,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,IAAI,EAAE;gBACvD,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,QAAQ,CAAC;QACf,MAAM,IAAI,GAAG,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,KAAK,MAAM,MAAM,aAAa,GAAG,CAAC,MAAM,IAAI,GAAG,aAAa,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IACxH,CAAC;IAED,EAAE,CAAC,KAAK,EAAE,CAAC;AACb,CAAC,CAAC,CAAC;AAEL,mBAAW;KACR,OAAO,CAAC,YAAY,CAAC;KACrB,WAAW,CAAC,mBAAmB,CAAC;KAChC,cAAc,CAAC,WAAW,EAAE,sBAAsB,CAAC;KACnD,MAAM,CAAC,CAAC,IAAoB,EAAE,EAAE;IAC/B,MAAM,MAAM,GAAG,IAAA,iBAAU,GAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAA,qBAAc,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,EAAE,GAAG,IAAA,iBAAU,EAAC,OAAO,CAAC,CAAC;IAE/B,MAAM,GAAG,GAAG,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,CAAC,KAAK,CAAC,sBAAsB,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QAC/C,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,EAAE,sBAAsB,CAAC,CAAC;QAClD,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;IACT,CAAC;IAED,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzB,8CAA8C;IAC9C,MAAM,OAAO,GAAG,EAAE,CAAC,uBAAuB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,EAAE,KAAK,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC;IACtD,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,kBAAkB,OAAO,qBAAqB,CAAC,CAAC;IAC9D,CAAC;IAED,EAAE,CAAC,KAAK,EAAE,CAAC;AACb,CAAC,CAAC,CAAC"}

package/dist/commands/http-proxy.d.ts

@@ -0,0 +1,3 @@
+import { Command } from "commander";
+export declare const httpProxyCommand: Command;
+//# sourceMappingURL=http-proxy.d.ts.map

package/dist/commands/http-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-proxy.d.ts","sourceRoot":"","sources":["../../src/commands/http-proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,eAAO,MAAM,gBAAgB,SA6BzB,CAAC"}

package/dist/commands/http-proxy.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.httpProxyCommand = void 0;
+const commander_1 = require("commander");
+const core_1 = require("@quint-security/core");
+const proxy_1 = require("@quint-security/proxy");
+exports.httpProxyCommand = new commander_1.Command("http-proxy")
+    .description("Run as HTTP proxy in front of a remote MCP server")
+    .requiredOption("--name <name>", "Name identifier for the proxied server")
+    .requiredOption("--port <port>", "Local port to listen on", parseInt)
+    .requiredOption("--target <url>", "Remote MCP server URL to proxy to")
+    .option("--policy <path>", "Path to policy.json (default: ~/.quint/policy.json)")
+    .option("--require-auth", "Require API key authentication on all requests")
+    .action(async (opts) => {
+    if (isNaN(opts.port) || opts.port < 1 || opts.port > 65535) {
+        process.stderr.write("quint: --port must be a valid port number (1-65535)\n");
+        process.exit(1);
+    }
+    try {
+        new URL(opts.target);
+    }
+    catch {
+        process.stderr.write(`quint: --target must be a valid URL\n`);
+        process.exit(1);
+    }
+    const policy = (0, core_1.loadPolicy)(opts.policy ? opts.policy : undefined);
+    await (0, proxy_1.startHttpProxy)({
+        serverName: opts.name,
+        port: opts.port,
+        targetUrl: opts.target,
+        policy,
+        requireAuth: opts.requireAuth,
+    });
+});
+//# sourceMappingURL=http-proxy.js.map

package/dist/commands/http-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-proxy.js","sourceRoot":"","sources":["../../src/commands/http-proxy.ts"],"names":[],"mappings":";;;AAAA,yCAAoC;AACpC,+CAAkD;AAClD,iDAAuD;AAE1C,QAAA,gBAAgB,GAAG,IAAI,mBAAO,CAAC,YAAY,CAAC;KACtD,WAAW,CAAC,mDAAmD,CAAC;KAChE,cAAc,CAAC,eAAe,EAAE,wCAAwC,CAAC;KACzE,cAAc,CAAC,eAAe,EAAE,yBAAyB,EAAE,QAAQ,CAAC;KACpE,cAAc,CAAC,gBAAgB,EAAE,mCAAmC,CAAC;KACrE,MAAM,CAAC,iBAAiB,EAAE,qDAAqD,CAAC;KAChF,MAAM,CAAC,gBAAgB,EAAE,gDAAgD,CAAC;KAC1E,MAAM,CAAC,KAAK,EAAE,IAA4F,EAAE,EAAE;IAC7G,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,IAAI,GAAG,KAAK,EAAE,CAAC;QAC3D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC9E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC9D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,iBAAU,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjE,MAAM,IAAA,sBAAc,EAAC;QACnB,UAAU,EAAE,IAAI,CAAC,IAAI;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,SAAS,EAAE,IAAI,CAAC,MAAM;QACtB,MAAM;QACN,WAAW,EAAE,IAAI,CAAC,WAAW;KAC9B,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/commands/init.d.ts

@@ -0,0 +1,3 @@
+import { Command } from "commander";
+export declare const initCommand: Command;
+//# sourceMappingURL=init.d.ts.map

package/dist/commands/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA0NpC,eAAO,MAAM,WAAW,SA6LpB,CAAC"}

package/dist/commands/init.js

@@ -0,0 +1,343 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initCommand = void 0;
+const commander_1 = require("commander");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const core_1 = require("@quint-security/core");
+const ROLE_PRESETS = {
+    "coding-assistant": {
+        name: "Coding Assistant",
+        description: "Read/write project files, run builds and tests. Block destructive ops, shell access outside project, and sensitive file access.",
+        defaultAction: "allow",
+        tools: [
+            { tool: "Delete*", action: "deny" },
+            { tool: "Remove*", action: "deny" },
+            { tool: "Drop*", action: "deny" },
+            { tool: "MechanicRun*", action: "deny" },
+            { tool: "TicketingWrite*", action: "deny" },
+        ],
+    },
+    "research-agent": {
+        name: "Research Agent",
+        description: "Read-only access. Can fetch web pages and search. All write/execute operations denied.",
+        defaultAction: "deny",
+        tools: [
+            { tool: "Read*", action: "allow" },
+            { tool: "Get*", action: "allow" },
+            { tool: "List*", action: "allow" },
+            { tool: "Search*", action: "allow" },
+            { tool: "Fetch*", action: "allow" },
+            { tool: "ReadInternalWebsites", action: "allow" },
+            { tool: "MechanicDiscoverTools", action: "allow" },
+            { tool: "MechanicDescribeTool", action: "allow" },
+        ],
+    },
+    "strict": {
+        name: "Strict",
+        description: "Deny everything by default. Manually allowlist tools as needed.",
+        defaultAction: "deny",
+        tools: [],
+    },
+    "permissive": {
+        name: "Permissive",
+        description: "Allow everything, deny only known-dangerous operations. Good for trusted environments.",
+        defaultAction: "allow",
+        tools: [
+            { tool: "Delete*", action: "deny" },
+            { tool: "Remove*", action: "deny" },
+            { tool: "Drop*", action: "deny" },
+        ],
+    },
+};
+function detectMcpServers() {
+    const claudeConfigPath = (0, node_path_1.join)((0, node_os_1.homedir)(), ".claude.json");
+    if (!(0, node_fs_1.existsSync)(claudeConfigPath)) {
+        return [];
+    }
+    const raw = (0, node_fs_1.readFileSync)(claudeConfigPath, "utf-8");
+    let config;
+    try {
+        config = JSON.parse(raw);
+    }
+    catch {
+        return [];
+    }
+    const servers = [];
+    const seen = new Set();
+    // Global MCP servers
+    const globalServers = config.mcpServers;
+    if (globalServers && typeof globalServers === "object") {
+        for (const [name, srv] of Object.entries(globalServers)) {
+            if (!seen.has(name)) {
+                seen.add(name);
+                servers.push({
+                    name,
+                    config: srv,
+                    source: "global",
+                    alreadyProxied: isAlreadyProxied(srv),
+                });
+            }
+        }
+    }
+    // Project-level MCP servers (current working directory)
+    const projects = config.projects;
+    if (projects) {
+        const cwd = process.cwd();
+        for (const [projectPath, proj] of Object.entries(projects)) {
+            if (cwd.startsWith(projectPath) && proj.mcpServers) {
+                for (const [name, srv] of Object.entries(proj.mcpServers)) {
+                    if (!seen.has(name)) {
+                        seen.add(name);
+                        servers.push({
+                            name,
+                            config: srv,
+                            source: "project",
+                            alreadyProxied: isAlreadyProxied(srv),
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return servers;
+}
+function isAlreadyProxied(srv) {
+    return srv.command === "quint" || srv.command === "node" && (srv.args ?? []).some(a => a.includes("quint"));
+}
+// ── Generate wrapped config ─────────────────────────────────────
+function generateWrappedConfig(server) {
+    if (server.alreadyProxied)
+        return null;
+    if (server.config.type === "stdio") {
+        return {
+            type: "stdio",
+            command: "quint",
+            args: [
+                "proxy",
+                "--name", server.name,
+                "--",
+                server.config.command,
+                ...(server.config.args ?? []),
+            ],
+            env: server.config.env ?? {},
+        };
+    }
+    if (server.config.type === "http" && server.config.url) {
+        return {
+            type: "stdio",
+            command: "quint",
+            args: [
+                "http-proxy",
+                "--name", server.name,
+                "--target", server.config.url,
+            ],
+            env: server.config.env ?? {},
+        };
+    }
+    return null;
+}
+// ── Apply changes to claude.json ────────────────────────────────
+function applyToClaudeConfig(servers) {
+    const claudeConfigPath = (0, node_path_1.join)((0, node_os_1.homedir)(), ".claude.json");
+    const raw = (0, node_fs_1.readFileSync)(claudeConfigPath, "utf-8");
+    const config = JSON.parse(raw);
+    let applied = 0;
+    for (const server of servers) {
+        if (server.alreadyProxied)
+            continue;
+        const wrapped = generateWrappedConfig(server);
+        if (!wrapped)
+            continue;
+        if (server.source === "global" && config.mcpServers?.[server.name]) {
+            config.mcpServers[server.name] = wrapped;
+            applied++;
+        }
+        else if (server.source === "project") {
+            // Find the project entry
+            for (const [projectPath, proj] of Object.entries(config.projects)) {
+                if (proj.mcpServers?.[server.name]) {
+                    proj.mcpServers[server.name] = wrapped;
+                    applied++;
+                    break;
+                }
+            }
+        }
+    }
+    (0, node_fs_1.writeFileSync)(claudeConfigPath, JSON.stringify(config, null, 2) + "\n");
+    return { applied, path: claudeConfigPath };
+}
+// ── The init command ────────────────────────────────────────────
+exports.initCommand = new commander_1.Command("init")
+    .description("Set up Quint: detect MCP servers, generate keys, create policy, and optionally wrap your config")
+    .option("--role <role>", "Use a pre-built role preset (coding-assistant, research-agent, strict, permissive)")
+    .option("--apply", "Apply changes to ~/.claude.json (wraps MCP servers through Quint)")
+    .option("--revert", "Revert all Quint-proxied MCP servers back to direct connections")
+    .option("--dry-run", "Show what would change without modifying anything")
+    .option("--list-roles", "Show available role presets")
+    .action((opts) => {
+    // ── List roles ──
+    if (opts.listRoles) {
+        console.log("Available role presets:\n");
+        for (const [id, preset] of Object.entries(ROLE_PRESETS)) {
+            console.log(`  ${id}`);
+            console.log(`    ${preset.description}`);
+            console.log(`    Default: ${preset.defaultAction}, ${preset.tools.length} tool rules`);
+            console.log("");
+        }
+        return;
+    }
+    // ── Revert ──
+    if (opts.revert) {
+        const servers = detectMcpServers();
+        const proxied = servers.filter(s => s.alreadyProxied);
+        if (proxied.length === 0) {
+            console.log("No Quint-proxied servers found. Nothing to revert.");
+            return;
+        }
+        if (opts.dryRun) {
+            console.log("Would revert these servers to direct connections:\n");
+            for (const s of proxied) {
+                // Extract the original command from quint proxy args
+                const args = s.config.args ?? [];
+                const dashDashIdx = args.indexOf("--");
+                if (dashDashIdx >= 0) {
+                    const origCmd = args[dashDashIdx + 1];
+                    const origArgs = args.slice(dashDashIdx + 2);
+                    console.log(`  ${s.name}: quint proxy → ${origCmd} ${origArgs.join(" ")}`);
+                }
+            }
+            return;
+        }
+        const claudeConfigPath = (0, node_path_1.join)((0, node_os_1.homedir)(), ".claude.json");
+        const raw = (0, node_fs_1.readFileSync)(claudeConfigPath, "utf-8");
+        const config = JSON.parse(raw);
+        let reverted = 0;
+        for (const s of proxied) {
+            const args = s.config.args ?? [];
+            const dashDashIdx = args.indexOf("--");
+            if (dashDashIdx < 0)
+                continue;
+            const origCmd = args[dashDashIdx + 1];
+            const origArgs = args.slice(dashDashIdx + 2);
+            const restored = {
+                type: "stdio",
+                command: origCmd,
+                args: origArgs,
+                env: s.config.env ?? {},
+            };
+            // Restore in the correct location
+            if (s.source === "global" && config.mcpServers?.[s.name]) {
+                config.mcpServers[s.name] = restored;
+                reverted++;
+            }
+            else if (s.source === "project" && config.projects) {
+                for (const proj of Object.values(config.projects)) {
+                    if (proj.mcpServers?.[s.name]) {
+                        proj.mcpServers[s.name] = restored;
+                        reverted++;
+                        break;
+                    }
+                }
+            }
+        }
+        (0, node_fs_1.writeFileSync)(claudeConfigPath, JSON.stringify(config, null, 2) + "\n");
+        console.log(`Reverted ${reverted} server(s) to direct connections.`);
+        console.log("Restart Claude Code for changes to take effect.");
+        return;
+    }
+    // ── Normal init flow ──
+    console.log("Quint Setup\n");
+    // Step 1: Detect MCP servers
+    const servers = detectMcpServers();
+    if (servers.length === 0) {
+        console.log("  No MCP servers found in ~/.claude.json");
+        console.log("  Quint works by wrapping existing MCP servers.");
+        console.log("  Add MCP servers to Claude Code first, then run quint init again.");
+        return;
+    }
+    console.log(`  Found ${servers.length} MCP server(s):\n`);
+    for (const s of servers) {
+        const status = s.alreadyProxied ? " (already proxied)" : "";
+        const type = s.config.type === "http" ? ` [HTTP: ${s.config.url}]` : ` [stdio: ${s.config.command}]`;
+        console.log(`    ${s.name}${type} (${s.source})${status}`);
+    }
+    const toWrap = servers.filter(s => !s.alreadyProxied);
+    if (toWrap.length === 0) {
+        console.log("\n  All servers are already proxied through Quint.");
+    }
+    // Step 2: Generate keys
+    console.log("");
+    const dataDir = (0, core_1.resolveDataDir)("~/.quint");
+    const kp = (0, core_1.ensureKeyPair)(dataDir);
+    console.log(`  Keys:   ${(0, core_1.publicKeyFingerprint)(kp.publicKey)} (ready)`);
+    // Step 3: Generate policy
+    const role = opts.role ? ROLE_PRESETS[opts.role] : undefined;
+    if (opts.role && !role) {
+        console.error(`\n  Unknown role: ${opts.role}`);
+        console.error(`  Available: ${Object.keys(ROLE_PRESETS).join(", ")}`);
+        process.exit(1);
+    }
+    const serverPolicies = [];
+    for (const s of servers) {
+        if (role) {
+            serverPolicies.push({
+                server: s.name,
+                default_action: role.defaultAction,
+                tools: [...role.tools],
+            });
+        }
+        else {
+            serverPolicies.push({
+                server: s.name,
+                default_action: "allow",
+                tools: [],
+            });
+        }
+    }
+    // Always add wildcard fallback
+    serverPolicies.push({ server: "*", default_action: "allow", tools: [] });
+    const policy = {
+        version: 1,
+        data_dir: "~/.quint",
+        log_level: "info",
+        servers: serverPolicies,
+    };
+    const policyPath = (0, node_path_1.join)(dataDir, "policy.json");
+    if (!(0, node_fs_1.existsSync)(policyPath)) {
+        (0, node_fs_1.writeFileSync)(policyPath, JSON.stringify(policy, null, 2) + "\n");
+        console.log(`  Policy: ${policyPath} (created${role ? `, role: ${role.name}` : ""})`);
+    }
+    else {
+        console.log(`  Policy: ${policyPath} (exists, not overwritten)`);
+    }
+    // Step 4: Show or apply config changes
+    if (toWrap.length > 0) {
+        console.log(`\n  Config changes needed for ${toWrap.length} server(s):\n`);
+        for (const s of toWrap) {
+            const wrapped = generateWrappedConfig(s);
+            if (!wrapped)
+                continue;
+            console.log(`    ${s.name}:`);
+            console.log(`      before: ${JSON.stringify({ command: s.config.command, args: s.config.args ?? [] })}`);
+            console.log(`      after:  ${JSON.stringify({ command: wrapped.command, args: wrapped.args })}`);
+            console.log("");
+        }
+        if (opts.apply && !opts.dryRun) {
+            const result = applyToClaudeConfig(toWrap);
+            console.log(`  Applied ${result.applied} change(s) to ${result.path}`);
+            console.log("  Restart Claude Code for changes to take effect.");
+        }
+        else if (opts.dryRun) {
+            console.log("  (dry run — no changes made)");
+        }
+        else {
+            console.log("  Run with --apply to modify ~/.claude.json automatically.");
+            console.log("  Run with --dry-run to preview without changes.");
+            console.log("  Run with --revert to undo Quint proxying.");
+        }
+    }
+    console.log("\n  Setup complete. Run `quint status` to verify.");
+});
+//# sourceMappingURL=init.js.map

package/dist/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":";;;AAAA,yCAAoC;AACpC,qCAAkE;AAClE,yCAAiC;AACjC,qCAAkC;AAClC,+CAO8B;AAW9B,MAAM,YAAY,GAA+B;IAC/C,kBAAkB,EAAE;QAClB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,iIAAiI;QAC9I,aAAa,EAAE,OAAO;QACtB,KAAK,EAAE;YACL,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE;YACnC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE;YACnC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE;YACjC,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE;SAC5C;KACF;IACD,gBAAgB,EAAE;QAChB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,wFAAwF;QACrG,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE;YACL,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE;YAClC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE;YACjC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE;YAClC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE;YACpC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE;YACnC,EAAE,IAAI,EAAE,sBAAsB,EAAE,MAAM,EAAE,OAAO,EAAE;YACjD,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,OAAO,EAAE;YAClD,EAAE,IAAI,EAAE,sBAAsB,EAAE,MAAM,EAAE,OAAO,EAAE;SAClD;KACF;IACD,QAAQ,EAAE;QACR,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,iEAAiE;QAC9E,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,EAAE;KACV;IACD,YAAY,EAAE;QACZ,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,wFAAwF;QACrG,aAAa,EAAE,OAAO;QACtB,KAAK,EAAE;YACL,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE;YACnC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE;YACnC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE;SAClC;KACF;CACF,CAAC;AAmBF,SAAS,gBAAgB;IACvB,MAAM,gBAAgB,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,cAAc,CAAC,CAAC;IACzD,IAAI,CAAC,IAAA,oBAAU,EAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IACpD,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAqB,EAAE,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,qBAAqB;IACrB,MAAM,aAAa,GAAG,MAAM,CAAC,UAAyD,CAAC;IACvF,IAAI,aAAa,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,MAAM,EAAE,GAAG;oBACX,MAAM,EAAE,QAAQ;oBAChB,cAAc,EAAE,gBAAgB,CAAC,GAAG,CAAC;iBACtC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAwF,CAAC;IACjH,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3D,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnD,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC1D,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;wBACpB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;wBACf,OAAO,CAAC,IAAI,CAAC;4BACX,IAAI;4BACJ,MAAM,EAAE,GAAG;4BACX,MAAM,EAAE,SAAS;4BACjB,cAAc,EAAE,gBAAgB,CAAC,GAAG,CAAC;yBACtC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAoB;IAC5C,OAAO,GAAG,CAAC,OAAO,KAAK,OAAO,IAAI,GAAG,CAAC,OAAO,KAAK,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AAC9G,CAAC;AAED,mEAAmE;AAEnE,SAAS,qBAAqB,CAAC,MAAsB;IACnD,IAAI,MAAM,CAAC,cAAc;QAAE,OAAO,IAAI,CAAC;IAEvC,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACnC,OAAO;YACL,IAAI,EAAE,OAAO;YACb,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE;gBACJ,OAAO;gBACP,QAAQ,EAAE,MAAM,CAAC,IAAI;gBACrB,IAAI;gBACJ,MAAM,CAAC,MAAM,CAAC,OAAQ;gBACtB,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;aAC9B;YACD,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE;SAC7B,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QACvD,OAAO;YACL,IAAI,EAAE,OAAO;YACb,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE;gBACJ,YAAY;gBACZ,QAAQ,EAAE,MAAM,CAAC,IAAI;gBACrB,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG;aAC9B;YACD,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE;SAC7B,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,mEAAmE;AAEnE,SAAS,mBAAmB,CAAC,OAAyB;IACpD,MAAM,gBAAgB,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,cAAc,CAAC,CAAC;IACzD,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,cAAc;YAAE,SAAS;QAEpC,MAAM,OAAO,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC9C,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACnE,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC;YACzC,OAAO,EAAE,CAAC;QACZ,CAAC;aAAM,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACvC,yBAAyB;YACzB,KAAK,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,QAA4E,CAAC,EAAE,CAAC;gBACtI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC;oBACvC,OAAO,EAAE,CAAC;oBACV,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAA,uBAAa,EAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACxE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC;AAC7C,CAAC;AAED,mEAAmE;AAEtD,QAAA,WAAW,GAAG,IAAI,mBAAO,CAAC,MAAM,CAAC;KAC3C,WAAW,CAAC,iGAAiG,CAAC;KAC9G,MAAM,CAAC,eAAe,EAAE,oFAAoF,CAAC;KAC7G,MAAM,CAAC,SAAS,EAAE,mEAAmE,CAAC;KACtF,MAAM,CAAC,UAAU,EAAE,iEAAiE,CAAC;KACrF,MAAM,CAAC,WAAW,EAAE,mDAAmD,CAAC;KACxE,MAAM,CAAC,cAAc,EAAE,6BAA6B,CAAC;KACrD,MAAM,CAAC,CAAC,IAAiG,EAAE,EAAE;IAE5G,mBAAmB;IACnB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACzC,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACxD,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,aAAa,KAAK,MAAM,CAAC,KAAK,CAAC,MAAM,aAAa,CAAC,CAAC;YACvF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QACD,OAAO;IACT,CAAC;IAED,eAAe;IACf,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;QAEtD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;YAClE,OAAO;QACT,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;YACnE,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,qDAAqD;gBACrD,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACjC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBACvC,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;oBACrB,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;oBACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;oBAC7C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,mBAAmB,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC7E,CAAC;YACH,CAAC;YACD,OAAO;QACT,CAAC;QAED,MAAM,gBAAgB,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,cAAc,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACjC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,WAAW,GAAG,CAAC;gBAAE,SAAS;YAE9B,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;YACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;YAC7C,MAAM,QAAQ,GAAG;gBACf,IAAI,EAAE,OAAgB;gBACtB,OAAO,EAAE,OAAO;gBAChB,IAAI,EAAE,QAAQ;gBACd,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE;aACxB,CAAC;YAEF,kCAAkC;YAClC,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzD,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC;gBACrC,QAAQ,EAAE,CAAC;YACb,CAAC;iBAAM,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACrD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAA4E,CAAC,EAAE,CAAC;oBACtH,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9B,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC;wBACnC,QAAQ,EAAE,CAAC;wBACX,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAA,uBAAa,EAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QACxE,OAAO,CAAC,GAAG,CAAC,YAAY,QAAQ,mCAAmC,CAAC,CAAC;QACrE,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,yBAAyB;IAEzB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAE7B,6BAA6B;IAC7B,MAAM,OAAO,GAAG,gBAAgB,EAAE,CAAC;IACnC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;QAC/D,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;QAClF,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,CAAC,MAAM,mBAAmB,CAAC,CAAC;IAC1D,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC;QACrG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,IAAI,KAAK,CAAC,CAAC,MAAM,IAAI,MAAM,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC;IACpE,CAAC;IAED,wBAAwB;IACxB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,MAAM,OAAO,GAAG,IAAA,qBAAc,EAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,IAAA,oBAAa,EAAC,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAA,2BAAoB,EAAC,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAEvE,0BAA0B;IAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7D,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACvB,OAAO,CAAC,KAAK,CAAC,qBAAqB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,KAAK,CAAC,gBAAgB,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,cAAc,GAAmB,EAAE,CAAC;IAE1C,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,IAAI,EAAE,CAAC;YACT,cAAc,CAAC,IAAI,CAAC;gBAClB,MAAM,EAAE,CAAC,CAAC,IAAI;gBACd,cAAc,EAAE,IAAI,CAAC,aAAa;gBAClC,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;aACvB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,cAAc,CAAC,IAAI,CAAC;gBAClB,MAAM,EAAE,CAAC,CAAC,IAAI;gBACd,cAAc,EAAE,OAAO;gBACvB,KAAK,EAAE,EAAE;aACV,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,cAAc,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IAEzE,MAAM,MAAM,GAAiB;QAC3B,OAAO,EAAE,CAAC;QACV,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,cAAc;KACxB,CAAC;IAEF,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAChD,IAAI,CAAC,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,IAAA,uBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,aAAa,UAAU,YAAY,IAAI,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxF,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,aAAa,UAAU,4BAA4B,CAAC,CAAC;IACnE,CAAC;IAED,uCAAuC;IACvC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,iCAAiC,MAAM,CAAC,MAAM,eAAe,CAAC,CAAC;QAE3E,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,CAAC,OAAO;gBAAE,SAAS;YAEvB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;YACzG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;YACjG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,OAAO,iBAAiB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;QACnE,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;YAC1E,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;AACnE,CAAC,CAAC,CAAC"}

package/dist/commands/keys.d.ts

@@ -0,0 +1,3 @@
+import { Command } from "commander";
+export declare const keysCommand: Command;
+//# sourceMappingURL=keys.d.ts.map

package/dist/commands/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAYpC,eAAO,MAAM,WAAW,SACqB,CAAC"}

package/dist/commands/keys.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.keysCommand = void 0;
+const commander_1 = require("commander");
+const core_1 = require("@quint-security/core");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+exports.keysCommand = new commander_1.Command("keys")
+    .description("Manage Ed25519 signing keys");
+exports.keysCommand
+    .command("generate")
+    .description("Generate a new Ed25519 keypair")
+    .option("--force", "Overwrite existing keys")
+    .action((opts) => {
+    const policy = (0, core_1.loadPolicy)();
+    const dataDir = (0, core_1.resolveDataDir)(policy.data_dir);
+    const privPath = (0, node_path_1.join)(dataDir, "keys", "quint.key");
+    if ((0, node_fs_1.existsSync)(privPath) && !opts.force) {
+        console.log("Keys already exist. Use --force to overwrite.");
+        return;
+    }
+    const kp = (0, core_1.generateKeyPair)();
+    (0, core_1.saveKeyPair)(dataDir, kp);
+    const fp = (0, core_1.publicKeyFingerprint)(kp.publicKey);
+    console.log(`Ed25519 keypair generated.`);
+    console.log(`  Private key: ${(0, node_path_1.join)(dataDir, "keys", "quint.key")} (mode 0600)`);
+    console.log(`  Public key:  ${(0, node_path_1.join)(dataDir, "keys", "quint.pub")}`);
+    console.log(`  Fingerprint: ${fp}`);
+});
+exports.keysCommand
+    .command("show")
+    .description("Show current public key")
+    .action(() => {
+    const policy = (0, core_1.loadPolicy)();
+    const dataDir = (0, core_1.resolveDataDir)(policy.data_dir);
+    const kp = (0, core_1.loadKeyPair)(dataDir);
+    if (!kp) {
+        console.log("No keys found. Run `quint keys generate` first.");
+        return;
+    }
+    const fp = (0, core_1.publicKeyFingerprint)(kp.publicKey);
+    console.log(`Public key fingerprint: ${fp}`);
+    console.log(`\n${kp.publicKey.trim()}`);
+});
+exports.keysCommand
+    .command("export")
+    .description("Export public key to stdout")
+    .action(() => {
+    const policy = (0, core_1.loadPolicy)();
+    const dataDir = (0, core_1.resolveDataDir)(policy.data_dir);
+    const kp = (0, core_1.loadKeyPair)(dataDir);
+    if (!kp) {
+        console.error("No keys found. Run `quint keys generate` first.");
+        process.exit(1);
+    }
+    process.stdout.write(kp.publicKey);
+});
+//# sourceMappingURL=keys.js.map

package/dist/commands/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":";;;AAAA,yCAAoC;AACpC,+CAO8B;AAC9B,qCAAqC;AACrC,yCAAiC;AAEpB,QAAA,WAAW,GAAG,IAAI,mBAAO,CAAC,MAAM,CAAC;KAC3C,WAAW,CAAC,6BAA6B,CAAC,CAAC;AAE9C,mBAAW;KACR,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,gCAAgC,CAAC;KAC7C,MAAM,CAAC,SAAS,EAAE,yBAAyB,CAAC;KAC5C,MAAM,CAAC,CAAC,IAAyB,EAAE,EAAE;IACpC,MAAM,MAAM,GAAG,IAAA,iBAAU,GAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAA,qBAAc,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;IAEpD,IAAI,IAAA,oBAAU,EAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;QAC7D,OAAO;IACT,CAAC;IAED,MAAM,EAAE,GAAG,IAAA,sBAAe,GAAE,CAAC;IAC7B,IAAA,kBAAW,EAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,IAAA,2BAAoB,EAAC,EAAE,CAAC,SAAS,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAA,gBAAI,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,cAAc,CAAC,CAAC;IAChF,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAA,gBAAI,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC;IACpE,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;AACtC,CAAC,CAAC,CAAC;AAEL,mBAAW;KACR,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,yBAAyB,CAAC;KACtC,MAAM,CAAC,GAAG,EAAE;IACX,MAAM,MAAM,GAAG,IAAA,iBAAU,GAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAA,qBAAc,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,EAAE,GAAG,IAAA,kBAAW,EAAC,OAAO,CAAC,CAAC;IAEhC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,MAAM,EAAE,GAAG,IAAA,2BAAoB,EAAC,EAAE,CAAC,SAAS,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,2BAA2B,EAAE,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1C,CAAC,CAAC,CAAC;AAEL,mBAAW;KACR,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,6BAA6B,CAAC;KAC1C,MAAM,CAAC,GAAG,EAAE;IACX,MAAM,MAAM,GAAG,IAAA,iBAAU,GAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAA,qBAAc,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,EAAE,GAAG,IAAA,kBAAW,EAAC,OAAO,CAAC,CAAC;IAEhC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC;AACrC,CAAC,CAAC,CAAC"}

package/dist/commands/logs.d.ts

@@ -0,0 +1,3 @@
+import { Command } from "commander";
+export declare const logsCommand: Command;
+//# sourceMappingURL=logs.d.ts.map

package/dist/commands/logs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logs.d.ts","sourceRoot":"","sources":["../../src/commands/logs.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC,eAAO,MAAM,WAAW,SA+CpB,CAAC"}