@thecorporation/cli 26.3.17 → 26.3.18

package/dist/index.js

@@ -10,40 +10,239 @@ var __export = (target, all) => {
 };
 
 // src/config.ts
-var config_exports = {};
-__export(config_exports, {
-  configForDisplay: () => configForDisplay,
-  getValue: () => getValue,
-  loadConfig: () => loadConfig,
-  maskKey: () => maskKey,
-  requireConfig: () => requireConfig,
-  resolveEntityId: () => resolveEntityId,
-  saveConfig: () => saveConfig,
-  setValue: () => setValue
-});
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
-import { join } from "path";
+import {
+  chmodSync,
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  renameSync,
+  rmSync,
+  writeFileSync
+} from "fs";
 import { homedir } from "os";
-function deepMerge(base, override) {
-  for (const [key, value] of Object.entries(override)) {
-    if (key in base && typeof base[key] === "object" && base[key] !== null && !Array.isArray(base[key]) && typeof value === "object" && value !== null && !Array.isArray(value)) {
-      deepMerge(base[key], value);
-    } else {
-      base[key] = value;
+import { join } from "path";
+function sleepSync(ms) {
+  Atomics.wait(CONFIG_WAIT_SIGNAL, 0, 0, ms);
+}
+function withConfigLock(fn) {
+  mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
+  const startedAt = Date.now();
+  while (true) {
+    try {
+      mkdirSync(CONFIG_LOCK_DIR, { mode: 448 });
+      break;
+    } catch (err) {
+      if (err.code !== "EEXIST") {
+        throw err;
+      }
+      if (Date.now() - startedAt >= CONFIG_LOCK_TIMEOUT_MS) {
+        throw new Error("timed out waiting for the corp config lock");
+      }
+      sleepSync(CONFIG_LOCK_RETRY_MS);
     }
   }
+  try {
+    return fn();
+  } finally {
+    rmSync(CONFIG_LOCK_DIR, { recursive: true, force: true });
+  }
 }
-function loadConfig() {
-  const cfg = structuredClone(DEFAULTS);
+function ensureSecurePermissions() {
+  mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
+  try {
+    chmodSync(CONFIG_DIR, 448);
+  } catch {
+  }
   if (existsSync(CONFIG_FILE)) {
-    const saved = JSON.parse(readFileSync(CONFIG_FILE, "utf-8"));
-    deepMerge(cfg, saved);
+    try {
+      chmodSync(CONFIG_FILE, 384);
+    } catch {
+    }
+  }
+}
+function isObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isLoopbackHost(hostname) {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+}
+function validateApiUrl(value) {
+  let parsed;
+  try {
+    parsed = new URL(value.trim());
+  } catch {
+    throw new Error("api_url must be a valid absolute URL");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("api_url must not include embedded credentials");
+  }
+  const protocol = parsed.protocol.toLowerCase();
+  const hostname = parsed.hostname.toLowerCase();
+  if (protocol !== "https:" && !(protocol === "http:" && isLoopbackHost(hostname))) {
+    throw new Error("api_url must use https, or http only for localhost/loopback development");
+  }
+  parsed.hash = "";
+  return parsed.toString().replace(/\/+$/, "");
+}
+function normalizeString(value) {
+  return typeof value === "string" ? value : void 0;
+}
+function normalizeActiveEntityMap(value) {
+  if (!isObject(value)) {
+    return void 0;
+  }
+  const entries = Object.entries(value).filter(
+    ([workspaceId, entityId]) => typeof workspaceId === "string" && typeof entityId === "string" && entityId.length > 0
+  );
+  if (entries.length === 0) {
+    return void 0;
+  }
+  return Object.fromEntries(entries);
+}
+function normalizeConfig(raw) {
+  const cfg = structuredClone(DEFAULTS);
+  if (!isObject(raw)) {
+    return cfg;
+  }
+  const savedApiUrl = normalizeString(raw.api_url);
+  if (savedApiUrl) {
+    try {
+      cfg.api_url = validateApiUrl(savedApiUrl);
+    } catch {
+      cfg.api_url = DEFAULTS.api_url;
+    }
+  }
+  cfg.api_key = normalizeString(raw.api_key) ?? cfg.api_key;
+  cfg.workspace_id = normalizeString(raw.workspace_id) ?? cfg.workspace_id;
+  cfg.hosting_mode = normalizeString(raw.hosting_mode) ?? cfg.hosting_mode;
+  cfg.active_entity_id = normalizeString(raw.active_entity_id) ?? cfg.active_entity_id;
+  if (isObject(raw.llm)) {
+    cfg.llm.provider = normalizeString(raw.llm.provider) ?? cfg.llm.provider;
+    cfg.llm.api_key = normalizeString(raw.llm.api_key) ?? cfg.llm.api_key;
+    cfg.llm.model = normalizeString(raw.llm.model) ?? cfg.llm.model;
+    const baseUrl = normalizeString(raw.llm.base_url);
+    if (baseUrl && baseUrl.trim()) {
+      cfg.llm.base_url = baseUrl.trim();
+    }
+  }
+  if (isObject(raw.user)) {
+    cfg.user.name = normalizeString(raw.user.name) ?? cfg.user.name;
+    cfg.user.email = normalizeString(raw.user.email) ?? cfg.user.email;
+  }
+  const activeEntityIds = normalizeActiveEntityMap(raw.active_entity_ids);
+  if (activeEntityIds) {
+    cfg.active_entity_ids = activeEntityIds;
+  }
+  if (cfg.workspace_id && cfg.active_entity_id) {
+    cfg.active_entity_ids = {
+      ...cfg.active_entity_ids ?? {},
+      [cfg.workspace_id]: cfg.active_entity_id
+    };
   }
   return cfg;
 }
+function serializeConfig(cfg) {
+  const normalized = normalizeConfig(cfg);
+  const serialized = {
+    api_url: normalized.api_url,
+    api_key: normalized.api_key,
+    workspace_id: normalized.workspace_id,
+    hosting_mode: normalized.hosting_mode,
+    llm: {
+      provider: normalized.llm.provider,
+      api_key: normalized.llm.api_key,
+      model: normalized.llm.model,
+      ...normalized.llm.base_url ? { base_url: normalized.llm.base_url } : {}
+    },
+    user: {
+      name: normalized.user.name,
+      email: normalized.user.email
+    },
+    active_entity_id: normalized.active_entity_id
+  };
+  if (normalized.active_entity_ids && Object.keys(normalized.active_entity_ids).length > 0) {
+    serialized.active_entity_ids = normalized.active_entity_ids;
+  }
+  return JSON.stringify(serialized, null, 2) + "\n";
+}
+function requireSupportedConfigKey(dotPath) {
+  if (!ALLOWED_CONFIG_KEYS.has(dotPath)) {
+    throw new Error(`unsupported config key: ${dotPath}`);
+  }
+}
+function validateSensitiveConfigUpdate(dotPath, forceSensitive = false) {
+  if (SENSITIVE_CONFIG_KEYS.has(dotPath) && !forceSensitive) {
+    throw new Error(`refusing to update security-sensitive key '${dotPath}' without --force`);
+  }
+}
+function setKnownConfigValue(cfg, dotPath, value) {
+  switch (dotPath) {
+    case "api_url":
+      cfg.api_url = validateApiUrl(value);
+      return;
+    case "api_key":
+      cfg.api_key = value.trim();
+      return;
+    case "workspace_id":
+      cfg.workspace_id = value.trim();
+      return;
+    case "hosting_mode":
+      cfg.hosting_mode = value.trim();
+      return;
+    case "llm.provider":
+      cfg.llm.provider = value.trim();
+      return;
+    case "llm.api_key":
+      cfg.llm.api_key = value.trim();
+      return;
+    case "llm.model":
+      cfg.llm.model = value.trim();
+      return;
+    case "llm.base_url":
+      cfg.llm.base_url = value.trim() || void 0;
+      return;
+    case "user.name":
+      cfg.user.name = value.trim();
+      return;
+    case "user.email":
+      cfg.user.email = value.trim();
+      return;
+    case "active_entity_id":
+      setActiveEntityId(cfg, value.trim());
+      return;
+    default:
+      throw new Error(`unsupported config key: ${dotPath}`);
+  }
+}
+function readConfigUnlocked() {
+  ensureSecurePermissions();
+  if (!existsSync(CONFIG_FILE)) {
+    return normalizeConfig(DEFAULTS);
+  }
+  return normalizeConfig(JSON.parse(readFileSync(CONFIG_FILE, "utf-8")));
+}
+function loadConfig() {
+  return readConfigUnlocked();
+}
 function saveConfig(cfg) {
-  mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
-  writeFileSync(CONFIG_FILE, JSON.stringify(cfg, null, 2) + "\n", { mode: 384 });
+  withConfigLock(() => {
+    ensureSecurePermissions();
+    const tempFile = `${CONFIG_FILE}.${process.pid}.tmp`;
+    writeFileSync(tempFile, serializeConfig(cfg), { mode: 384 });
+    renameSync(tempFile, CONFIG_FILE);
+    ensureSecurePermissions();
+  });
+}
+function updateConfig(mutator) {
+  return withConfigLock(() => {
+    const cfg = readConfigUnlocked();
+    mutator(cfg);
+    const tempFile = `${CONFIG_FILE}.${process.pid}.tmp`;
+    writeFileSync(tempFile, serializeConfig(cfg), { mode: 384 });
+    renameSync(tempFile, CONFIG_FILE);
+    ensureSecurePermissions();
+    return cfg;
+  });
 }
 function getValue(cfg, dotPath) {
   const keys = dotPath.split(".");
@@ -57,16 +256,10 @@ function getValue(cfg, dotPath) {
   }
   return current;
 }
-function setValue(cfg, dotPath, value) {
-  const keys = dotPath.split(".");
-  let current = cfg;
-  for (const key of keys.slice(0, -1)) {
-    if (!(key in current) || typeof current[key] !== "object" || current[key] === null) {
-      current[key] = {};
-    }
-    current = current[key];
-  }
-  current[keys[keys.length - 1]] = value;
+function setValue(cfg, dotPath, value, options = {}) {
+  requireSupportedConfigKey(dotPath);
+  validateSensitiveConfigUpdate(dotPath, options.forceSensitive);
+  setKnownConfigValue(cfg, dotPath, value);
 }
 function requireConfig(...fields) {
   const cfg = loadConfig();
@@ -92,8 +285,24 @@ function configForDisplay(cfg) {
   }
   return display;
 }
+function getActiveEntityId(cfg) {
+  if (cfg.workspace_id && cfg.active_entity_ids?.[cfg.workspace_id]) {
+    return cfg.active_entity_ids[cfg.workspace_id];
+  }
+  return cfg.active_entity_id;
+}
+function setActiveEntityId(cfg, entityId) {
+  cfg.active_entity_id = entityId;
+  if (!cfg.workspace_id) {
+    return;
+  }
+  cfg.active_entity_ids = {
+    ...cfg.active_entity_ids ?? {},
+    [cfg.workspace_id]: entityId
+  };
+}
 function resolveEntityId(cfg, explicitId) {
-  const eid = explicitId || cfg.active_entity_id;
+  const eid = explicitId || getActiveEntityId(cfg);
   if (!eid) {
     console.error(
       "No entity specified. Use --entity-id or set active_entity_id via 'corp config set active_entity_id <id>'."
@@ -102,21 +311,41 @@ function resolveEntityId(cfg, explicitId) {
   }
   return eid;
 }
-var CONFIG_DIR, CONFIG_FILE, DEFAULTS;
+var CONFIG_DIR, CONFIG_FILE, CONFIG_LOCK_DIR, CONFIG_LOCK_TIMEOUT_MS, CONFIG_LOCK_RETRY_MS, CONFIG_WAIT_BUFFER, CONFIG_WAIT_SIGNAL, ALLOWED_CONFIG_KEYS, SENSITIVE_CONFIG_KEYS, DEFAULTS;
 var init_config = __esm({
   "src/config.ts"() {
     "use strict";
     CONFIG_DIR = process.env.CORP_CONFIG_DIR || join(homedir(), ".corp");
     CONFIG_FILE = join(CONFIG_DIR, "config.json");
+    CONFIG_LOCK_DIR = join(CONFIG_DIR, "config.lock");
+    CONFIG_LOCK_TIMEOUT_MS = 5e3;
+    CONFIG_LOCK_RETRY_MS = 25;
+    CONFIG_WAIT_BUFFER = new SharedArrayBuffer(4);
+    CONFIG_WAIT_SIGNAL = new Int32Array(CONFIG_WAIT_BUFFER);
+    ALLOWED_CONFIG_KEYS = /* @__PURE__ */ new Set([
+      "api_url",
+      "api_key",
+      "workspace_id",
+      "hosting_mode",
+      "llm.provider",
+      "llm.api_key",
+      "llm.model",
+      "llm.base_url",
+      "user.name",
+      "user.email",
+      "active_entity_id"
+    ]);
+    SENSITIVE_CONFIG_KEYS = /* @__PURE__ */ new Set(["api_url", "api_key", "workspace_id"]);
     DEFAULTS = {
       api_url: process.env.CORP_API_URL || "https://api.thecorporation.ai",
-      api_key: "",
-      workspace_id: "",
+      api_key: process.env.CORP_API_KEY || "",
+      workspace_id: process.env.CORP_WORKSPACE_ID || "",
       hosting_mode: "",
       llm: {
         provider: "anthropic",
-        api_key: "",
-        model: "claude-sonnet-4-6"
+        api_key: process.env.CORP_LLM_API_KEY || "",
+        model: "claude-sonnet-4-6",
+        base_url: process.env.CORP_LLM_BASE_URL || void 0
       },
       user: { name: "", email: "" },
       active_entity_id: ""
@@ -341,12 +570,12 @@ function printSafesTable(safes) {
   const table = makeTable("SAFE Notes", ["ID", "Investor", "Amount", "Cap", "Discount", "Date"]);
   for (const s_ of safes) {
     table.push([
-      s(s_.safe_id ?? s_.id, 12),
+      s(s_.safe_note_id ?? s_.safe_id ?? s_.id, 12),
       s(s_.investor_name ?? s_.investor),
-      money(s_.investment_amount ?? s_.amount, false),
-      s(s_.valuation_cap ?? s_.cap),
+      money(s_.principal_amount_cents ?? s_.investment_amount ?? s_.amount, false),
+      money(s_.valuation_cap_cents ?? s_.valuation_cap ?? s_.cap, false),
       s(s_.discount_rate ?? s_.discount),
-      s(s_.date ?? s_.created_at)
+      s(s_.issued_at ?? s_.date ?? s_.created_at)
     ]);
   }
   console.log(table.toString());
@@ -873,12 +1102,16 @@ var status_exports = {};
 __export(status_exports, {
   statusCommand: () => statusCommand
 });
-async function statusCommand() {
+async function statusCommand(opts = {}) {
   const cfg = requireConfig("api_url", "api_key", "workspace_id");
   const client = new CorpAPIClient(cfg.api_url, cfg.api_key, cfg.workspace_id);
   try {
     const data = await withSpinner("Loading", () => client.getStatus());
-    printStatusPanel(data);
+    if (opts.json) {
+      printJson(data);
+    } else {
+      printStatusPanel(data);
+    }
   } catch (err) {
     printError(`Failed to fetch status: ${err}`);
     process.exit(1);
@@ -909,7 +1142,8 @@ async function contextCommand(opts) {
       client.getStatus(),
       client.listEntities()
     ]);
-    const activeEntity = rawCfg.active_entity_id ? entities.find((entity) => entity.entity_id === rawCfg.active_entity_id) ?? null : null;
+    const activeEntityId = getActiveEntityId(rawCfg);
+    const activeEntity = activeEntityId ? entities.find((entity) => entity.entity_id === activeEntityId) ?? null : null;
     const [contactsResult, documentsResult, workItemsResult] = activeEntity ? await Promise.allSettled([
       client.listContacts(String(activeEntity.entity_id)),
       client.getEntityDocuments(String(activeEntity.entity_id)),
@@ -1034,17 +1268,28 @@ var init_schema = __esm({
 });
 
 // src/commands/config.ts
-var config_exports2 = {};
-__export(config_exports2, {
+var config_exports = {};
+__export(config_exports, {
   configGetCommand: () => configGetCommand,
   configListCommand: () => configListCommand,
   configSetCommand: () => configSetCommand
 });
-function configSetCommand(key, value) {
-  const cfg = loadConfig();
-  setValue(cfg, key, value);
-  saveConfig(cfg);
-  console.log(`${key} = ${value}`);
+function configSetCommand(key, value, options = {}) {
+  try {
+    updateConfig((cfg) => {
+      setValue(cfg, key, value, {
+        forceSensitive: options.force
+      });
+    });
+  } catch (err) {
+    printError(`Failed to update config: ${err}`);
+    process.exit(1);
+  }
+  if (key === "api_key" || key === "llm.api_key") {
+    console.log(`${key} updated.`);
+    return;
+  }
+  console.log(`${key} updated.`);
 }
 function configGetCommand(key) {
   const cfg = loadConfig();
@@ -1114,8 +1359,10 @@ async function digestCommand(opts) {
         const value = result.message;
         return typeof value === "string" && value.trim() ? value : null;
       })();
-      printSuccess(result.digest_count > 0 ? "Digest triggered." : "Digest trigger accepted.");
-      if (message) {
+      if (!opts.json) {
+        printSuccess(result.digest_count > 0 ? "Digest triggered." : "Digest trigger accepted.");
+      }
+      if (message && !opts.json) {
         printWarning(message);
       }
       printJson(result);
@@ -1357,9 +1604,9 @@ async function executeTool(name, args, client) {
     dataDir: join2(homedir2(), ".corp"),
     onEntityFormed: (entityId) => {
       try {
-        const cfg = loadConfig();
-        cfg.active_entity_id = entityId;
-        saveConfig(cfg);
+        updateConfig((cfg) => {
+          setActiveEntityId(cfg, entityId);
+        });
       } catch {
       }
     }
@@ -1388,7 +1635,7 @@ async function chatCommand() {
   const messages = [{ role: "system", content: SYSTEM_PROMPT }];
   let totalTokens = 0;
   const rl = createInterface({ input: process.stdin, output: process.stdout });
-  const prompt = () => new Promise((resolve2) => rl.question(chalk3.green.bold("> "), resolve2));
+  const prompt = () => new Promise((resolve3) => rl.question(chalk3.green.bold("> "), resolve3));
   console.log(chalk3.blue.bold("corp chat") + " \u2014 type /help for commands, /quit to exit\n");
   const slashHandlers = {
     "/status": async () => {
@@ -1712,6 +1959,7 @@ async function contactsAddCommand(opts) {
     if (opts.phone) data.phone = opts.phone;
     if (opts.notes) data.notes = opts.notes;
     if (opts.mailingAddress ?? opts.address) data.mailing_address = opts.mailingAddress ?? opts.address;
+    if (opts.capTableAccess) data.cap_table_access = opts.capTableAccess;
     const result = await client.createContact(data);
     printWriteResult(
       result,
@@ -1750,6 +1998,10 @@ async function contactsEditCommand(contactId, opts) {
       data.notes = opts.notes;
       hasUpdates = true;
     }
+    if (opts.capTableAccess != null) {
+      data.cap_table_access = opts.capTableAccess;
+      hasUpdates = true;
+    }
     if (opts.mailingAddress != null || opts.address != null) {
       data.mailing_address = opts.mailingAddress ?? opts.address;
       hasUpdates = true;
@@ -1780,6 +2032,7 @@ __export(cap_table_exports, {
   addSecurityCommand: () => addSecurityCommand,
   approveValuationCommand: () => approveValuationCommand,
   capTableCommand: () => capTableCommand,
+  createInstrumentCommand: () => createInstrumentCommand,
   createValuationCommand: () => createValuationCommand,
   distributeCommand: () => distributeCommand,
   fourOhNineACommand: () => fourOhNineACommand,
@@ -1793,10 +2046,9 @@ __export(cap_table_exports, {
   transfersCommand: () => transfersCommand,
   valuationsCommand: () => valuationsCommand
 });
-import { ensureSafeInstrument } from "@thecorporation/corp-tools";
 import chalk6 from "chalk";
 function normalizedGrantType(grantType) {
-  return grantType.trim().toLowerCase().replaceAll("-", "_");
+  return grantType.trim().toLowerCase().replaceAll("-", "_").replaceAll(" ", "_");
 }
 function expectedInstrumentKinds(grantType) {
   switch (normalizedGrantType(grantType)) {
@@ -1806,8 +2058,11 @@ function expectedInstrumentKinds(grantType) {
     case "preferred":
     case "preferred_stock":
       return ["preferred_equity"];
+    case "unit":
     case "membership_unit":
       return ["membership_unit"];
+    case "option":
+    case "options":
     case "stock_option":
     case "iso":
     case "nso":
@@ -1818,6 +2073,31 @@ function expectedInstrumentKinds(grantType) {
       return [];
   }
 }
+function grantRequiresCurrent409a(grantType, instrumentKind) {
+  return instrumentKind?.toLowerCase() === "option_grant" || expectedInstrumentKinds(grantType).includes("option_grant");
+}
+function buildInstrumentCreationHint(grantType) {
+  const normalized = normalizedGrantType(grantType);
+  switch (normalized) {
+    case "preferred":
+    case "preferred_stock":
+      return "Create one with: corp cap-table create-instrument --kind preferred_equity --symbol SERIES-A --authorized-units <shares>";
+    case "option":
+    case "options":
+    case "stock_option":
+    case "iso":
+    case "nso":
+      return "Create one with: corp cap-table create-instrument --kind option_grant --symbol OPTION-PLAN --authorized-units <shares>";
+    case "membership_unit":
+    case "unit":
+      return "Create one with: corp cap-table create-instrument --kind membership_unit --symbol UNIT --authorized-units <units>";
+    case "common":
+    case "common_stock":
+      return "Create one with: corp cap-table create-instrument --kind common_equity --symbol COMMON --authorized-units <shares>";
+    default:
+      return "Create a matching instrument first, then pass --instrument-id explicitly.";
+  }
+}
 function resolveInstrumentForGrant(instruments, grantType, explicitInstrumentId) {
   if (explicitInstrumentId) {
     const explicit = instruments.find((instrument) => instrument.instrument_id === explicitInstrumentId);
@@ -1828,16 +2108,47 @@ function resolveInstrumentForGrant(instruments, grantType, explicitInstrumentId)
   }
   const expectedKinds = expectedInstrumentKinds(grantType);
   if (expectedKinds.length === 0) {
-    throw new Error(`No default instrument mapping exists for grant type "${grantType}". Pass --instrument-id explicitly.`);
+    throw new Error(
+      `No default instrument mapping exists for grant type "${grantType}". ${buildInstrumentCreationHint(grantType)}`
+    );
   }
   const match = instruments.find((instrument) => expectedKinds.includes(String(instrument.kind).toLowerCase()));
   if (!match) {
     throw new Error(
-      `No instrument found for grant type "${grantType}". Expected one of: ${expectedKinds.join(", ")}.`
+      `No instrument found for grant type "${grantType}". Expected one of: ${expectedKinds.join(", ")}. ${buildInstrumentCreationHint(grantType)}`
     );
   }
   return match;
 }
+async function entityHasActiveBoard(client, entityId) {
+  const bodies = await client.listGovernanceBodies(entityId);
+  return bodies.some(
+    (body) => String(body.body_type ?? "").toLowerCase() === "board_of_directors" && String(body.status ?? "active").toLowerCase() === "active"
+  );
+}
+async function ensureIssuancePreflight(client, entityId, grantType, instrument, meetingId, resolutionId) {
+  if (!meetingId || !resolutionId) {
+    if (await entityHasActiveBoard(client, entityId)) {
+      throw new Error(
+        "Board approval is required before issuing this round. Pass --meeting-id and --resolution-id from a passed board vote."
+      );
+    }
+  }
+  if (!grantRequiresCurrent409a(grantType, instrument?.kind)) {
+    return;
+  }
+  try {
+    await client.getCurrent409a(entityId);
+  } catch (err) {
+    const msg = String(err);
+    if (msg.includes("404")) {
+      throw new Error(
+        "Stock option issuances require a current approved 409A valuation. Create and approve one first with: corp cap-table create-valuation --type four_oh_nine_a --date YYYY-MM-DD --methodology <method>; corp cap-table submit-valuation <id>; corp cap-table approve-valuation <id> --resolution-id <resolution-id>"
+      );
+    }
+    throw err;
+  }
+}
 async function capTableCommand(opts) {
   const cfg = requireConfig("api_url", "api_key", "workspace_id");
   const eid = resolveEntityId(cfg, opts.entityId);
@@ -1950,7 +2261,7 @@ async function issueEquityCommand(opts) {
     }
     const instruments = capTable.instruments ?? [];
     if (!instruments.length) {
-      printError("No instruments found on cap table. Create an instrument first.");
+      printError("No instruments found on cap table. Create one with: corp cap-table create-instrument --kind common_equity --symbol COMMON --authorized-units <shares>");
       process.exit(1);
     }
     const instrument = resolveInstrumentForGrant(instruments, opts.grantType, opts.instrumentId);
@@ -1958,6 +2269,14 @@ async function issueEquityCommand(opts) {
     if (!opts.instrumentId) {
       console.log(`Using instrument: ${instrument.symbol} (${instrument.kind})`);
     }
+    await ensureIssuancePreflight(
+      client,
+      eid,
+      opts.grantType,
+      instrument,
+      opts.meetingId,
+      opts.resolutionId
+    );
     const round = await client.startEquityRound({
       entity_id: eid,
       name: `${opts.grantType} grant \u2014 ${opts.recipient}`,
@@ -2006,33 +2325,25 @@ async function issueSafeCommand(opts) {
       });
       return;
     }
-    const capTable = await client.getCapTable(eid);
-    const issuerLegalEntityId = capTable.issuer_legal_entity_id;
-    if (!issuerLegalEntityId) {
-      printError("No issuer legal entity found. Has this entity been formed with a cap table?");
-      process.exit(1);
-    }
-    const safeInstrument = await ensureSafeInstrument(client, eid);
-    const round = await client.startEquityRound({
-      entity_id: eid,
-      name: `SAFE \u2014 ${opts.investor}`,
-      issuer_legal_entity_id: issuerLegalEntityId
-    });
-    const roundId = round.round_id ?? round.equity_round_id;
-    const securityData = {
+    await ensureIssuancePreflight(
+      client,
+      eid,
+      opts.safeType,
+      void 0,
+      opts.meetingId,
+      opts.resolutionId
+    );
+    const body = {
       entity_id: eid,
-      instrument_id: safeInstrument.instrument_id,
-      quantity: opts.amount,
-      recipient_name: opts.investor,
-      principal_cents: opts.amount,
-      grant_type: opts.safeType
+      investor_name: opts.investor,
+      principal_amount_cents: opts.amount,
+      valuation_cap_cents: opts.valuationCap,
+      safe_type: opts.safeType
     };
-    if (opts.email) securityData.email = opts.email;
-    await client.addRoundSecurity(roundId, securityData);
-    const issuePayload = { entity_id: eid };
-    if (opts.meetingId) issuePayload.meeting_id = opts.meetingId;
-    if (opts.resolutionId) issuePayload.resolution_id = opts.resolutionId;
-    const result = await client.issueRound(roundId, issuePayload);
+    if (opts.email) body.email = opts.email;
+    if (opts.meetingId) body.meeting_id = opts.meetingId;
+    if (opts.resolutionId) body.resolution_id = opts.resolutionId;
+    const result = await client.createSafeNote(body);
     if (opts.json) {
       printJson(result);
       return;
@@ -2145,6 +2456,40 @@ async function startRoundCommand(opts) {
     process.exit(1);
   }
 }
+async function createInstrumentCommand(opts) {
+  const cfg = requireConfig("api_url", "api_key", "workspace_id");
+  const eid = resolveEntityId(cfg, opts.entityId);
+  const client = new CorpAPIClient(cfg.api_url, cfg.api_key, cfg.workspace_id);
+  try {
+    let issuerLegalEntityId = opts.issuerLegalEntityId;
+    if (!issuerLegalEntityId) {
+      const capTable = await client.getCapTable(eid);
+      issuerLegalEntityId = capTable.issuer_legal_entity_id;
+    }
+    if (!issuerLegalEntityId) {
+      throw new Error("No issuer legal entity found. Has this entity been formed with a cap table?");
+    }
+    const terms = opts.termsJson ? JSON.parse(opts.termsJson) : {};
+    const payload = {
+      entity_id: eid,
+      issuer_legal_entity_id: issuerLegalEntityId,
+      kind: opts.kind,
+      symbol: opts.symbol,
+      terms
+    };
+    if (opts.authorizedUnits != null) payload.authorized_units = opts.authorizedUnits;
+    if (opts.issuePriceCents != null) payload.issue_price_cents = opts.issuePriceCents;
+    if (opts.dryRun) {
+      printDryRun("cap_table.create_instrument", payload);
+      return;
+    }
+    const result = await client.createInstrument(payload);
+    printWriteResult(result, `Instrument created: ${result.instrument_id ?? "OK"}`, opts.json);
+  } catch (err) {
+    printError(`Failed to create instrument: ${err}`);
+    process.exit(1);
+  }
+}
 async function addSecurityCommand(opts) {
   const cfg = requireConfig("api_url", "api_key", "workspace_id");
   const eid = resolveEntityId(cfg, opts.entityId);
@@ -2177,10 +2522,23 @@ async function issueRoundCommand(opts) {
   const client = new CorpAPIClient(cfg.api_url, cfg.api_key, cfg.workspace_id);
   try {
     if (opts.dryRun) {
-      printDryRun("cap_table.issue_round", { entity_id: eid, round_id: opts.roundId });
+      printDryRun("cap_table.issue_round", {
+        entity_id: eid,
+        round_id: opts.roundId,
+        meeting_id: opts.meetingId,
+        resolution_id: opts.resolutionId
+      });
       return;
     }
-    const result = await client.issueRound(opts.roundId, { entity_id: eid });
+    if ((!opts.meetingId || !opts.resolutionId) && await entityHasActiveBoard(client, eid)) {
+      throw new Error(
+        "Board approval is required before issuing this round. Pass --meeting-id and --resolution-id from a passed board vote."
+      );
+    }
+    const body = { entity_id: eid };
+    if (opts.meetingId) body.meeting_id = opts.meetingId;
+    if (opts.resolutionId) body.resolution_id = opts.resolutionId;
+    const result = await client.issueRound(opts.roundId, body);
     printWriteResult(result, "Round issued and closed", opts.json);
   } catch (err) {
     printError(`Failed to issue round: ${err}`);
@@ -2307,8 +2665,7 @@ async function financeInvoiceCommand(opts) {
       due_date: opts.dueDate,
       description: opts.description
     });
-    printSuccess(`Invoice created: ${result.invoice_id ?? "OK"}`);
-    printJson(result);
+    printWriteResult(result, `Invoice created: ${result.invoice_id ?? "OK"}`, opts.json);
   } catch (err) {
     printError(`Failed to create invoice: ${err}`);
     process.exit(1);
@@ -2324,8 +2681,7 @@ async function financePayrollCommand(opts) {
       pay_period_start: opts.periodStart,
       pay_period_end: opts.periodEnd
     });
-    printSuccess(`Payroll run created: ${result.payroll_run_id ?? "OK"}`);
-    printJson(result);
+    printWriteResult(result, `Payroll run created: ${result.payroll_run_id ?? "OK"}`, opts.json);
   } catch (err) {
     printError(`Failed to run payroll: ${err}`);
     process.exit(1);
@@ -2343,8 +2699,7 @@ async function financePayCommand(opts) {
       payment_method: opts.method,
       description: `Payment via ${opts.method}`
     });
-    printSuccess(`Payment submitted: ${result.payment_id ?? "OK"}`);
-    printJson(result);
+    printWriteResult(result, `Payment submitted: ${result.payment_id ?? "OK"}`, opts.json);
   } catch (err) {
     printError(`Failed to submit payment: ${err}`);
     process.exit(1);
@@ -2356,8 +2711,7 @@ async function financeOpenAccountCommand(opts) {
   const client = new CorpAPIClient(cfg.api_url, cfg.api_key, cfg.workspace_id);
   try {
     const result = await client.openBankAccount({ entity_id: eid, bank_name: opts.institution });
-    printSuccess(`Bank account opened: ${result.account_id ?? "OK"}`);
-    printJson(result);
+    printWriteResult(result, `Bank account opened: ${result.account_id ?? "OK"}`, opts.json);
   } catch (err) {
     printError(`Failed to open bank account: ${err}`);
     process.exit(1);
@@ -2377,8 +2731,7 @@ async function financeClassifyContractorCommand(opts) {
       duration_months: opts.duration,
       provides_tools: opts.providesTools
     });
-    printSuccess(`Classification: ${result.risk_level ?? "OK"}`);
-    printJson(result);
+    printWriteResult(result, `Classification: ${result.risk_level ?? "OK"}`, opts.json);
   } catch (err) {
     printError(`Failed to classify contractor: ${err}`);
     process.exit(1);
@@ -2394,8 +2747,7 @@ async function financeReconcileCommand(opts) {
       start_date: opts.startDate,
       end_date: opts.endDate
     });
-    printSuccess(`Ledger reconciled: ${result.reconciliation_id ?? "OK"}`);
-    printJson(result);
+    printWriteResult(result, `Ledger reconciled: ${result.reconciliation_id ?? "OK"}`, opts.json);
   } catch (err) {
     printError(`Failed to reconcile ledger: ${err}`);
     process.exit(1);
@@ -3005,7 +3357,8 @@ __export(agents_exports, {
   agentsSkillCommand: () => agentsSkillCommand
 });
 import chalk8 from "chalk";
-import { readFileSync as readFileSync2 } from "fs";
+import { readFileSync as readFileSync2, realpathSync } from "fs";
+import { relative, resolve } from "path";
 async function agentsListCommand(opts) {
   const cfg = requireConfig("api_url", "api_key", "workspace_id");
   const client = new CorpAPIClient(cfg.api_url, cfg.api_key, cfg.workspace_id);
@@ -3100,7 +3453,18 @@ function resolveTextInput(inlineText, filePath, label, required = false) {
     throw new Error(`Pass either --${label} or --${label}-file, not both.`);
   }
   if (filePath) {
-    return readFileSync2(filePath, "utf8");
+    if (process.env.CORP_ALLOW_UNSAFE_FILE_INPUT === "1") {
+      return readFileSync2(filePath, "utf8");
+    }
+    const resolvedFile = realpathSync(resolve(filePath));
+    const workingTreeRoot = realpathSync(process.cwd());
+    const rel = relative(workingTreeRoot, resolvedFile);
+    if (rel === "" || !rel.startsWith("..") && !rel.startsWith("/")) {
+      return readFileSync2(resolvedFile, "utf8");
+    }
+    throw new Error(
+      `--${label}-file must stay inside the current working directory unless CORP_ALLOW_UNSAFE_FILE_INPUT=1 is set.`
+    );
   }
   if (inlineText) {
     return inlineText;
@@ -3483,10 +3847,18 @@ function normalizeFounderInfo(input3) {
 function parseLegacyMemberSpec(raw) {
   const parts = raw.split(",").map((p) => p.trim());
   if (parts.length < 3) {
-    throw new Error(`Invalid member format: ${raw}. Expected: name,email,role[,pct]`);
+    throw new Error(
+      `Invalid member format: ${raw}. Expected: name,email,role[,pct[,address[,officer_title[,is_incorporator]]]]`
+    );
   }
   const founder = { name: parts[0], email: parts[1], role: parts[2] };
   if (parts.length >= 4) founder.ownership_pct = parseFloat(parts[3]);
+  if (parts.length >= 5 && parts[4]) founder.address = parseAddressValue(parts[4]);
+  if (parts.length >= 6 && parts[5]) founder.officer_title = parts[5];
+  if (parts.length >= 7) {
+    const incorporator = parseBoolean(parts[6]);
+    if (incorporator !== void 0) founder.is_incorporator = incorporator;
+  }
   return founder;
 }
 function parseKeyValueMemberSpec(raw) {
@@ -3896,6 +4268,14 @@ async function formFinalizeCommand(entityId, opts) {
       payload.authorized_shares = authorizedShares;
     }
     if (opts.parValue) payload.par_value = opts.parValue;
+    if (opts.boardSize) {
+      const boardSize = parseInt(opts.boardSize, 10);
+      if (!Number.isFinite(boardSize) || boardSize <= 0) {
+        throw new Error(`Invalid board size: ${opts.boardSize}`);
+      }
+      payload.board_size = boardSize;
+    }
+    if (opts.principalName) payload.principal_name = opts.principalName;
     if (opts.registeredAgentName) payload.registered_agent_name = opts.registeredAgentName;
     if (opts.registeredAgentAddress) payload.registered_agent_address = opts.registeredAgentAddress;
     if (opts.formationDate) payload.formation_date = opts.formationDate;
@@ -4040,6 +4420,14 @@ __export(feedback_exports, {
 });
 import chalk12 from "chalk";
 async function feedbackCommand(message, opts) {
+  if (!message || message.trim().length === 0) {
+    printError("Feedback message cannot be empty");
+    process.exit(1);
+  }
+  if (message.length > MAX_FEEDBACK_LENGTH) {
+    printError(`Feedback message must be at most ${MAX_FEEDBACK_LENGTH} characters (got ${message.length})`);
+    process.exit(1);
+  }
   const cfg = requireConfig("api_url", "api_key", "workspace_id");
   const client = new CorpAPIClient(cfg.api_url, cfg.api_key, cfg.workspace_id);
   try {
@@ -4055,12 +4443,14 @@ ${chalk12.green("\u2713")} Feedback submitted (${chalk12.dim(result.feedback_id)
     process.exit(1);
   }
 }
+var MAX_FEEDBACK_LENGTH;
 var init_feedback = __esm({
   "src/commands/feedback.ts"() {
     "use strict";
     init_config();
     init_api_client();
     init_output();
+    MAX_FEEDBACK_LENGTH = 1e4;
   }
 });
 
@@ -4070,7 +4460,7 @@ __export(serve_exports, {
   serveCommand: () => serveCommand
 });
 import { readFileSync as readFileSync4, writeFileSync as writeFileSync2, existsSync as existsSync2 } from "fs";
-import { resolve } from "path";
+import { resolve as resolve2 } from "path";
 import { randomBytes } from "crypto";
 function generateFernetKey() {
   return randomBytes(32).toString("base64url") + "=";
@@ -4122,35 +4512,21 @@ async function serveCommand(opts) {
     console.error(`Error: Invalid port "${opts.port}"`);
     process.exit(1);
   }
-  const envPath = resolve(process.cwd(), ".env");
+  const envPath = resolve2(process.cwd(), ".env");
   ensureEnvFile(envPath);
   loadEnvFile(envPath);
   const localUrl = `http://localhost:${port}`;
-  const { loadConfig: loadConfig2, saveConfig: saveConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
-  const cfg = loadConfig2();
-  const previousUrl = cfg.api_url;
-  if (cfg.api_url !== localUrl) {
-    cfg.api_url = localUrl;
-    saveConfig2(cfg);
-    console.log(`CLI configured to use local server: ${localUrl}`);
-    console.log(`  (previous: ${previousUrl})`);
-    console.log(`  To revert: corp config set api_url ${previousUrl}
-`);
-  }
   console.log(`Starting server on port ${port}...`);
   console.log(`Data directory: ${opts.dataDir}`);
+  console.log(`CLI API URL remains unchanged.`);
+  console.log(`  Use CORP_API_URL=${localUrl} for commands against this local server.
+`);
   const child = server.startServer({
     port,
     dataDir: opts.dataDir
   });
   const shutdown = () => {
     console.log("\nShutting down server...");
-    if (previousUrl !== localUrl) {
-      const current = loadConfig2();
-      current.api_url = previousUrl;
-      saveConfig2(current);
-      console.log(`CLI restored to: ${previousUrl}`);
-    }
     child.kill("SIGTERM");
   };
   process.on("SIGINT", shutdown);
@@ -4233,9 +4609,9 @@ program.command("setup").description("Interactive setup wizard").action(async ()
   const { setupCommand: setupCommand2 } = await Promise.resolve().then(() => (init_setup(), setup_exports));
   await setupCommand2();
 });
-program.command("status").description("Workspace summary").action(async () => {
+program.command("status").description("Workspace summary").option("--json", "Output as JSON").action(async (opts) => {
   const { statusCommand: statusCommand2 } = await Promise.resolve().then(() => (init_status(), status_exports));
-  await statusCommand2();
+  await statusCommand2(opts);
 });
 program.command("context").alias("whoami").description("Show the active workspace, user, and entity context").option("--json", "Output as JSON").action(async (opts) => {
   const { contextCommand: contextCommand2 } = await Promise.resolve().then(() => (init_context(), context_exports));
@@ -4246,23 +4622,23 @@ program.command("schema").description("Dump the CLI command catalog as JSON").op
   schemaCommand2(program, opts);
 });
 var configCmd = program.command("config").description("Manage configuration");
-configCmd.command("set <key> <value>").description("Set a config value (dot-path)").action(async (key, value) => {
-  const { configSetCommand: configSetCommand2 } = await Promise.resolve().then(() => (init_config2(), config_exports2));
-  configSetCommand2(key, value);
+configCmd.command("set <key> <value>").description("Set a config value (dot-path)").option("--force", "Allow updating a security-sensitive config key").action(async (key, value, opts) => {
+  const { configSetCommand: configSetCommand2 } = await Promise.resolve().then(() => (init_config2(), config_exports));
+  configSetCommand2(key, value, opts);
 });
 configCmd.command("get <key>").description("Get a config value (dot-path)").action(async (key) => {
-  const { configGetCommand: configGetCommand2 } = await Promise.resolve().then(() => (init_config2(), config_exports2));
+  const { configGetCommand: configGetCommand2 } = await Promise.resolve().then(() => (init_config2(), config_exports));
   configGetCommand2(key);
 });
 configCmd.command("list").description("List all config (API keys masked)").action(async () => {
-  const { configListCommand: configListCommand2 } = await Promise.resolve().then(() => (init_config2(), config_exports2));
+  const { configListCommand: configListCommand2 } = await Promise.resolve().then(() => (init_config2(), config_exports));
   configListCommand2();
 });
 program.command("obligations").description("List obligations with urgency tiers").option("--tier <tier>", "Filter by urgency tier").option("--json", "Output as JSON").action(async (opts) => {
   const { obligationsCommand: obligationsCommand2 } = await Promise.resolve().then(() => (init_obligations(), obligations_exports));
   await obligationsCommand2(opts);
 });
-program.command("digest").description("View or trigger daily digests").option("--trigger", "Trigger digest now").option("--key <key>", "Get specific digest by key").action(async (opts) => {
+program.command("digest").description("View or trigger daily digests").option("--trigger", "Trigger digest now").option("--key <key>", "Get specific digest by key").option("--json", "Output as JSON").action(async (opts) => {
   const { digestCommand: digestCommand2 } = await Promise.resolve().then(() => (init_digest(), digest_exports));
   await digestCommand2(opts);
 });
@@ -4311,7 +4687,7 @@ contactsCmd.command("show <contact-id>").option("--json", "Output as JSON").desc
     json: inheritOption(opts.json, parent.json)
   });
 });
-contactsCmd.command("add").requiredOption("--name <name>", "Contact name").requiredOption("--email <email>", "Contact email").option("--type <type>", "Contact type (individual, organization)", "individual").option("--category <category>", "Category (employee, contractor, board_member, investor, law_firm, valuation_firm, accounting_firm, officer, founder, member, other)").option("--address <address>", "Mailing address").option("--mailing-address <address>", "Alias for --address").option("--phone <phone>", "Phone number").option("--notes <notes>", "Notes").option("--json", "Output as JSON").description("Add a new contact").action(async (opts, cmd) => {
+contactsCmd.command("add").requiredOption("--name <name>", "Contact name").requiredOption("--email <email>", "Contact email").option("--type <type>", "Contact type (individual, organization)", "individual").option("--category <category>", "Category (employee, contractor, board_member, investor, law_firm, valuation_firm, accounting_firm, officer, founder, member, other)").option("--cap-table-access <level>", "Cap table access (none, summary, detailed)").option("--address <address>", "Mailing address").option("--mailing-address <address>", "Alias for --address").option("--phone <phone>", "Phone number").option("--notes <notes>", "Notes").option("--json", "Output as JSON").description("Add a new contact").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { contactsAddCommand: contactsAddCommand2 } = await Promise.resolve().then(() => (init_contacts(), contacts_exports));
   await contactsAddCommand2({
@@ -4320,7 +4696,7 @@ contactsCmd.command("add").requiredOption("--name <name>", "Contact name").requi
     json: inheritOption(opts.json, parent.json)
   });
 });
-contactsCmd.command("edit <contact-id>").option("--name <name>", "Contact name").option("--email <email>", "Contact email").option("--category <category>", "Contact category").option("--address <address>", "Mailing address").option("--mailing-address <address>", "Alias for --address").option("--phone <phone>", "Phone number").option("--notes <notes>", "Notes").option("--json", "Output as JSON").description("Edit an existing contact").action(async (contactId, opts, cmd) => {
+contactsCmd.command("edit <contact-id>").option("--name <name>", "Contact name").option("--email <email>", "Contact email").option("--category <category>", "Contact category").option("--cap-table-access <level>", "Cap table access (none, summary, detailed)").option("--address <address>", "Mailing address").option("--mailing-address <address>", "Alias for --address").option("--phone <phone>", "Phone number").option("--notes <notes>", "Notes").option("--json", "Output as JSON").description("Edit an existing contact").action(async (contactId, opts, cmd) => {
   const parent = cmd.parent.opts();
   const { contactsEditCommand: contactsEditCommand2 } = await Promise.resolve().then(() => (init_contacts(), contacts_exports));
   await contactsEditCommand2(contactId, {
@@ -4353,6 +4729,15 @@ capTableCmd.command("409a").description("Current 409A valuation").action(async (
   const { fourOhNineACommand: fourOhNineACommand2 } = await Promise.resolve().then(() => (init_cap_table(), cap_table_exports));
   await fourOhNineACommand2(parent);
 });
+capTableCmd.command("create-instrument").requiredOption("--kind <kind>", "Instrument kind (common_equity, preferred_equity, membership_unit, option_grant, safe)").requiredOption("--symbol <symbol>", "Instrument symbol").option("--issuer-legal-entity-id <id>", "Issuer legal entity ID (auto-detected from the cap table if omitted)").option("--authorized-units <n>", "Authorized units", parseInt).option("--issue-price-cents <n>", "Issue price in cents", parseInt).option("--terms-json <json>", "JSON object of instrument terms").option("--json", "Output as JSON").option("--dry-run", "Show the request without creating the instrument").description("Create a cap table instrument").action(async (opts, cmd) => {
+  const parent = cmd.parent.opts();
+  const { createInstrumentCommand: createInstrumentCommand2 } = await Promise.resolve().then(() => (init_cap_table(), cap_table_exports));
+  await createInstrumentCommand2({
+    ...opts,
+    entityId: parent.entityId,
+    json: inheritOption(opts.json, parent.json)
+  });
+});
 capTableCmd.command("issue-equity").requiredOption("--grant-type <type>", "Grant type (common, preferred, membership_unit, stock_option, iso, nso, rsa)").requiredOption("--shares <n>", "Number of shares", parseInt).requiredOption("--recipient <name>", "Recipient name").option("--email <email>", "Recipient email (auto-creates contact if needed)").option("--instrument-id <id>", "Instrument ID (auto-detected from cap table if omitted)").option("--meeting-id <id>", "Board meeting ID required when a board approval already exists or is being recorded").option("--resolution-id <id>", "Board resolution ID required when issuing under a board-governed entity").option("--json", "Output as JSON").option("--dry-run", "Show the request without creating the round").description("Issue an equity grant (creates a round, adds security, and issues it)").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { issueEquityCommand: issueEquityCommand2 } = await Promise.resolve().then(() => (init_cap_table(), cap_table_exports));
@@ -4407,7 +4792,7 @@ capTableCmd.command("add-security").requiredOption("--round-id <id>", "Round ID"
     json: inheritOption(opts.json, parent.json)
   });
 });
-capTableCmd.command("issue-round").option("--json", "Output as JSON").option("--dry-run", "Show the request without issuing the round").requiredOption("--round-id <id>", "Round ID").description("Issue all securities and close a staged round").action(async (opts, cmd) => {
+capTableCmd.command("issue-round").option("--meeting-id <id>", "Board meeting ID required when issuing under a board-governed entity").option("--resolution-id <id>", "Board resolution ID required when issuing under a board-governed entity").option("--json", "Output as JSON").option("--dry-run", "Show the request without issuing the round").requiredOption("--round-id <id>", "Round ID").description("Issue all securities and close a staged round").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { issueRoundCommand: issueRoundCommand2 } = await Promise.resolve().then(() => (init_cap_table(), cap_table_exports));
   await issueRoundCommand2({
@@ -4445,36 +4830,60 @@ capTableCmd.command("approve-valuation <valuation-id>").option("--resolution-id
     json: inheritOption(opts.json, parent.json)
   });
 });
-var financeCmd = program.command("finance").description("Invoicing, payroll, payments, banking").option("--entity-id <id>", "Entity ID (overrides active entity)");
-financeCmd.command("invoice").requiredOption("--customer <name>", "Customer name").requiredOption("--amount <n>", "Amount in cents", parseInt).requiredOption("--due-date <date>", "Due date (ISO 8601)").option("--description <desc>", "Description", "Services rendered").description("Create an invoice").action(async (opts, cmd) => {
+var financeCmd = program.command("finance").description("Invoicing, payroll, payments, banking").option("--entity-id <id>", "Entity ID (overrides active entity)").option("--json", "Output as JSON");
+financeCmd.command("invoice").requiredOption("--customer <name>", "Customer name").requiredOption("--amount <n>", "Amount in cents", parseInt).requiredOption("--due-date <date>", "Due date (ISO 8601)").option("--description <desc>", "Description", "Services rendered").option("--json", "Output as JSON").description("Create an invoice").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { financeInvoiceCommand: financeInvoiceCommand2 } = await Promise.resolve().then(() => (init_finance(), finance_exports));
-  await financeInvoiceCommand2({ ...opts, entityId: parent.entityId });
+  await financeInvoiceCommand2({
+    ...opts,
+    entityId: parent.entityId,
+    json: inheritOption(opts.json, parent.json)
+  });
 });
-financeCmd.command("payroll").requiredOption("--period-start <date>", "Pay period start").requiredOption("--period-end <date>", "Pay period end").description("Run payroll").action(async (opts, cmd) => {
+financeCmd.command("payroll").requiredOption("--period-start <date>", "Pay period start").requiredOption("--period-end <date>", "Pay period end").option("--json", "Output as JSON").description("Run payroll").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { financePayrollCommand: financePayrollCommand2 } = await Promise.resolve().then(() => (init_finance(), finance_exports));
-  await financePayrollCommand2({ ...opts, entityId: parent.entityId });
+  await financePayrollCommand2({
+    ...opts,
+    entityId: parent.entityId,
+    json: inheritOption(opts.json, parent.json)
+  });
 });
-financeCmd.command("pay").requiredOption("--amount <n>", "Amount in cents", parseInt).requiredOption("--recipient <name>", "Recipient name").option("--method <method>", "Payment method", "ach").description("Submit a payment").action(async (opts, cmd) => {
+financeCmd.command("pay").requiredOption("--amount <n>", "Amount in cents", parseInt).requiredOption("--recipient <name>", "Recipient name").option("--method <method>", "Payment method", "ach").option("--json", "Output as JSON").description("Submit a payment").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { financePayCommand: financePayCommand2 } = await Promise.resolve().then(() => (init_finance(), finance_exports));
-  await financePayCommand2({ ...opts, entityId: parent.entityId });
+  await financePayCommand2({
+    ...opts,
+    entityId: parent.entityId,
+    json: inheritOption(opts.json, parent.json)
+  });
 });
-financeCmd.command("open-account").option("--institution <name>", "Banking institution", "Mercury").description("Open a business bank account").action(async (opts, cmd) => {
+financeCmd.command("open-account").option("--institution <name>", "Banking institution", "Mercury").option("--json", "Output as JSON").description("Open a business bank account").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { financeOpenAccountCommand: financeOpenAccountCommand2 } = await Promise.resolve().then(() => (init_finance(), finance_exports));
-  await financeOpenAccountCommand2({ ...opts, entityId: parent.entityId });
+  await financeOpenAccountCommand2({
+    ...opts,
+    entityId: parent.entityId,
+    json: inheritOption(opts.json, parent.json)
+  });
 });
-financeCmd.command("classify-contractor").requiredOption("--name <name>", "Contractor name").requiredOption("--state <code>", "US state code").requiredOption("--hours <n>", "Hours per week", parseInt).option("--exclusive", "Exclusive client", false).requiredOption("--duration <n>", "Duration in months", parseInt).option("--provides-tools", "Company provides tools", false).description("Analyze contractor classification risk").action(async (opts, cmd) => {
+financeCmd.command("classify-contractor").requiredOption("--name <name>", "Contractor name").requiredOption("--state <code>", "US state code").requiredOption("--hours <n>", "Hours per week", parseInt).option("--exclusive", "Exclusive client", false).requiredOption("--duration <n>", "Duration in months", parseInt).option("--provides-tools", "Company provides tools", false).option("--json", "Output as JSON").description("Analyze contractor classification risk").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { financeClassifyContractorCommand: financeClassifyContractorCommand2 } = await Promise.resolve().then(() => (init_finance(), finance_exports));
-  await financeClassifyContractorCommand2({ ...opts, entityId: parent.entityId });
+  await financeClassifyContractorCommand2({
+    ...opts,
+    entityId: parent.entityId,
+    json: inheritOption(opts.json, parent.json)
+  });
 });
-financeCmd.command("reconcile").requiredOption("--start-date <date>", "Period start").requiredOption("--end-date <date>", "Period end").description("Reconcile ledger").action(async (opts, cmd) => {
+financeCmd.command("reconcile").requiredOption("--start-date <date>", "Period start").requiredOption("--end-date <date>", "Period end").option("--json", "Output as JSON").description("Reconcile ledger").action(async (opts, cmd) => {
   const parent = cmd.parent.opts();
   const { financeReconcileCommand: financeReconcileCommand2 } = await Promise.resolve().then(() => (init_finance(), finance_exports));
-  await financeReconcileCommand2({ ...opts, entityId: parent.entityId });
+  await financeReconcileCommand2({
+    ...opts,
+    entityId: parent.entityId,
+    json: inheritOption(opts.json, parent.json)
+  });
 });
 var governanceCmd = program.command("governance").description("Governance bodies, seats, meetings, resolutions").option("--entity-id <id>", "Entity ID (overrides active entity)").option("--json", "Output as JSON").action(async (opts) => {
   const { governanceListCommand: governanceListCommand2 } = await Promise.resolve().then(() => (init_governance(), governance_exports));
@@ -4790,23 +5199,35 @@ program.command("approvals").description("Approvals are managed through governan
     "Approvals are managed through governance meetings.\n  Use: corp governance convene ... to schedule a board meeting\n  Use: corp governance vote <meeting-id> <item-id> ... to cast votes"
   );
 });
-var formCmd = program.command("form").description("Form a new entity with founders and cap table").option("--entity-type <type>", "Entity type (llc, c_corp)").option("--legal-name <name>", "Legal name").option("--jurisdiction <jurisdiction>", "Jurisdiction (e.g. US-DE, US-WY)").option("--member <member>", "Founder as 'name,email,role[,pct]' or key=value pairs like 'name=...,email=...,role=...,officer_title=cto,is_incorporator=true,address=street|city|state|zip' (repeatable)", (v, a) => [...a, v], []).option("--member-json <json>", "Founder JSON object (repeatable)", (v, a) => [...a, v], []).option("--members-file <path>", 'Path to a JSON array of founders or {"members": [...]}').option("--address <address>", "Company address as 'street,city,state,zip'").option("--fiscal-year-end <date>", "Fiscal year end (MM-DD)", "12-31").option("--s-corp", "Elect S-Corp status").option("--transfer-restrictions", "Enable transfer restrictions").option("--rofr", "Enable right of first refusal").option("--json", "Output as JSON").option("--dry-run", "Show the request without creating the entity").action(async (opts) => {
+var formCmd = program.command("form").description("Form a new entity with founders and cap table").option("--entity-type <type>", "Entity type (llc, c_corp)").option("--legal-name <name>", "Legal name").option("--jurisdiction <jurisdiction>", "Jurisdiction (e.g. US-DE, US-WY)").option("--member <member>", "Founder as 'name,email,role[,pct[,address[,officer_title[,is_incorporator]]]]' with address as street|city|state|zip, or key=value pairs like 'name=...,email=...,role=...,officer_title=cto,is_incorporator=true,address=street|city|state|zip' (repeatable)", (v, a) => [...a, v], []).option("--member-json <json>", "Founder JSON object (repeatable)", (v, a) => [...a, v], []).option("--members-file <path>", 'Path to a JSON array of founders or {"members": [...]}').option("--address <address>", "Company address as 'street,city,state,zip'").option("--fiscal-year-end <date>", "Fiscal year end (MM-DD)", "12-31").option("--s-corp", "Elect S-Corp status").option("--transfer-restrictions", "Enable transfer restrictions").option("--rofr", "Enable right of first refusal").option("--json", "Output as JSON").option("--dry-run", "Show the request without creating the entity").action(async (opts) => {
   if (opts.entityType && !opts.type) opts.type = opts.entityType;
   if (opts.legalName && !opts.name) opts.name = opts.legalName;
   const { formCommand: formCommand2 } = await Promise.resolve().then(() => (init_form(), form_exports));
   await formCommand2(opts);
 });
-formCmd.command("create").description("Create a pending entity (staged flow step 1)").requiredOption("--type <type>", "Entity type (llc, c_corp)").requiredOption("--name <name>", "Legal name").option("--jurisdiction <jurisdiction>", "Jurisdiction (e.g. US-DE, US-WY)").option("--registered-agent-name <name>", "Registered agent legal name").option("--registered-agent-address <address>", "Registered agent address line").option("--formation-date <date>", "Formation date (RFC3339 or YYYY-MM-DD)").option("--fiscal-year-end <date>", "Fiscal year end (MM-DD)").option("--s-corp", "Elect S-Corp status").option("--transfer-restrictions", "Enable transfer restrictions").option("--rofr", "Enable right of first refusal").option("--company-address <address>", "Company address as 'street,city,state,zip'").option("--json", "Output as JSON").option("--dry-run", "Show the request without creating the pending entity").action(async (opts) => {
+formCmd.command("create").description("Create a pending entity (staged flow step 1)").requiredOption("--type <type>", "Entity type (llc, c_corp)").requiredOption("--name <name>", "Legal name").option("--jurisdiction <jurisdiction>", "Jurisdiction (e.g. US-DE, US-WY)").option("--registered-agent-name <name>", "Registered agent legal name").option("--registered-agent-address <address>", "Registered agent address line").option("--formation-date <date>", "Formation date (RFC3339 or YYYY-MM-DD)").option("--fiscal-year-end <date>", "Fiscal year end (MM-DD)").option("--s-corp", "Elect S-Corp status").option("--transfer-restrictions", "Enable transfer restrictions").option("--rofr", "Enable right of first refusal").option("--company-address <address>", "Company address as 'street,city,state,zip'").option("--json", "Output as JSON").option("--dry-run", "Show the request without creating the pending entity").action(async (opts, cmd) => {
   const { formCreateCommand: formCreateCommand2 } = await Promise.resolve().then(() => (init_form(), form_exports));
-  await formCreateCommand2(opts);
+  await formCreateCommand2({
+    ...opts,
+    json: inheritOption(opts.json, cmd.parent.opts().json),
+    dryRun: inheritOption(opts.dryRun, cmd.parent.opts().dryRun)
+  });
 });
-formCmd.command("add-founder <entity-id>").description("Add a founder to a pending entity (staged flow step 2)").requiredOption("--name <name>", "Founder name").requiredOption("--email <email>", "Founder email").requiredOption("--role <role>", "Role: director|officer|manager|member|chair").requiredOption("--pct <pct>", "Ownership percentage").addOption(new Option("--officer-title <title>", "Officer title (corporations only)").choices(["ceo", "cfo", "cto", "coo", "secretary", "treasurer", "president", "vp", "other"])).option("--incorporator", "Mark as sole incorporator (corporations only)").option("--address <address>", "Founder address as 'street,city,state,zip'").option("--json", "Output as JSON").option("--dry-run", "Show the request without adding the founder").action(async (entityId, opts) => {
+formCmd.command("add-founder <entity-id>").description("Add a founder to a pending entity (staged flow step 2)").requiredOption("--name <name>", "Founder name").requiredOption("--email <email>", "Founder email").requiredOption("--role <role>", "Role: director|officer|manager|member|chair").requiredOption("--pct <pct>", "Ownership percentage").addOption(new Option("--officer-title <title>", "Officer title (corporations only)").choices(["ceo", "cfo", "cto", "coo", "secretary", "treasurer", "president", "vp", "other"])).option("--incorporator", "Mark as sole incorporator (corporations only)").option("--address <address>", "Founder address as 'street,city,state,zip'").option("--json", "Output as JSON").option("--dry-run", "Show the request without adding the founder").action(async (entityId, opts, cmd) => {
   const { formAddFounderCommand: formAddFounderCommand2 } = await Promise.resolve().then(() => (init_form(), form_exports));
-  await formAddFounderCommand2(entityId, opts);
+  await formAddFounderCommand2(entityId, {
+    ...opts,
+    json: inheritOption(opts.json, cmd.parent.opts().json),
+    dryRun: inheritOption(opts.dryRun, cmd.parent.opts().dryRun)
+  });
 });
-formCmd.command("finalize <entity-id>").description("Finalize formation and generate documents + cap table (staged flow step 3)").option("--authorized-shares <count>", "Authorized shares for corporations").option("--par-value <value>", "Par value per share, e.g. 0.0001").option("--registered-agent-name <name>", "Registered agent legal name").option("--registered-agent-address <address>", "Registered agent address line").option("--formation-date <date>", "Formation date (RFC3339 or YYYY-MM-DD)").option("--fiscal-year-end <date>", "Fiscal year end (MM-DD)").option("--s-corp", "Elect S-Corp status").option("--transfer-restrictions", "Enable transfer restrictions").option("--rofr", "Enable right of first refusal").option("--company-address <address>", "Company address as 'street,city,state,zip'").option("--incorporator-name <name>", "Incorporator legal name (overrides founder)").option("--incorporator-address <address>", "Incorporator mailing address (overrides founder)").option("--json", "Output as JSON").option("--dry-run", "Show the request without finalizing formation").action(async (entityId, opts) => {
+formCmd.command("finalize <entity-id>").description("Finalize formation and generate documents + cap table (staged flow step 3)").option("--authorized-shares <count>", "Authorized shares for corporations").option("--par-value <value>", "Par value per share, e.g. 0.0001").option("--board-size <count>", "Board size for corporations").option("--principal-name <name>", "Principal or manager name for LLCs").option("--registered-agent-name <name>", "Registered agent legal name").option("--registered-agent-address <address>", "Registered agent address line").option("--formation-date <date>", "Formation date (RFC3339 or YYYY-MM-DD)").option("--fiscal-year-end <date>", "Fiscal year end (MM-DD)").option("--s-corp", "Elect S-Corp status").option("--transfer-restrictions", "Enable transfer restrictions").option("--rofr", "Enable right of first refusal").option("--company-address <address>", "Company address as 'street,city,state,zip'").option("--incorporator-name <name>", "Incorporator legal name (overrides founder)").option("--incorporator-address <address>", "Incorporator mailing address (overrides founder)").option("--json", "Output as JSON").option("--dry-run", "Show the request without finalizing formation").action(async (entityId, opts, cmd) => {
   const { formFinalizeCommand: formFinalizeCommand2 } = await Promise.resolve().then(() => (init_form(), form_exports));
-  await formFinalizeCommand2(entityId, opts);
+  await formFinalizeCommand2(entityId, {
+    ...opts,
+    json: inheritOption(opts.json, cmd.parent.opts().json),
+    dryRun: inheritOption(opts.dryRun, cmd.parent.opts().dryRun)
+  });
 });
 program.command("api-keys").description("List API keys").option("--json", "Output as JSON").action(async (opts) => {
   const { apiKeysCommand: apiKeysCommand2 } = await Promise.resolve().then(() => (init_api_keys(), api_keys_exports));
@@ -4824,5 +5245,5 @@ program.command("serve").description("Start the API server locally").option("--p
   const { serveCommand: serveCommand2 } = await Promise.resolve().then(() => (init_serve(), serve_exports));
   await serveCommand2(opts);
 });
-program.parse();
+await program.parseAsync(process.argv);
 //# sourceMappingURL=index.js.map