@trigguard/cli 0.1.1 → 0.1.3

package/dist/commands/auth.d.ts

@@ -0,0 +1,4 @@
+export declare function runAuthList(args: string[]): Promise<void>;
+export declare function runAuthRevoke(args: string[]): Promise<void>;
+export declare function runAuthRotate(args: string[]): Promise<void>;
+export declare function runAuth(args: string[]): Promise<void>;

package/dist/commands/auth.js

@@ -0,0 +1,227 @@
+import readline from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+import { hasFlag } from "../tg/args.js";
+import { formatControlPlaneAuthError, formatCorruptConfigError, formatNotLoggedInError, } from "../cp/errors.js";
+import { formatKeyField, listApiKeys, revokeApiKeyById, rotateApiKey, } from "../cp/apiKeys.js";
+import { loadConfig, saveConfig, configPath, configFileCorrupted } from "../cp/config.js";
+import { envOverridesConfigApiKey } from "../cp/credentials.js";
+import { resolveActiveApiKeyRecord } from "../cp/sessionContext.js";
+import { resolveSessionSnapshot } from "./session.js";
+function flagValue(args, name) {
+    const i = args.indexOf(name);
+    if (i === -1)
+        return undefined;
+    const next = args[i + 1];
+    if (next === undefined || next.startsWith("-"))
+        return undefined;
+    return next;
+}
+async function requireSession() {
+    if (configFileCorrupted()) {
+        throw new Error(formatCorruptConfigError(configPath()));
+    }
+    const config = loadConfig();
+    const snap = await resolveSessionSnapshot();
+    if (!snap.authenticated || !config.sessionToken) {
+        throw new Error(formatNotLoggedInError());
+    }
+    const orgId = snap.activeOrg?.orgId;
+    if (!orgId) {
+        throw new Error([
+            "No active workspace.",
+            "",
+            "Verify your email in the console, then run:",
+            "  tg login",
+        ].join("\n"));
+    }
+    return { config, orgId, orgName: snap.activeOrg?.name ?? orgId };
+}
+function keyRecordForList(key, currentKeyId) {
+    return {
+        keyId: key.keyId,
+        displayName: formatKeyField(key.displayName),
+        workspace: key.orgId,
+        created: formatKeyField(key.createdAt),
+        lastUsed: formatKeyField(key.lastUsedAt ?? undefined),
+        scopes: key.scopes?.length ? key.scopes : ["Not reported"],
+        status: formatKeyField(key.status ?? (key.revoked ? "revoked" : "active")),
+        currentMachine: currentKeyId === key.keyId,
+        expires: formatKeyField(key.expiresAt ?? undefined),
+        lastRotatedFrom: formatKeyField(key.rotatedFromKeyId ?? undefined),
+    };
+}
+export async function runAuthList(args) {
+    const json = hasFlag(args, "--json");
+    const { config, orgId } = await requireSession();
+    try {
+        const keys = await listApiKeys(config, orgId);
+        const activeKeyId = resolveActiveApiKeyRecord(keys, config)?.keyId ?? config.apiKeyId;
+        if (json) {
+            console.log(JSON.stringify({
+                orgId,
+                keys: keys.map((k) => keyRecordForList(k, activeKeyId)),
+            }, null, 2));
+            return;
+        }
+        if (!keys.length) {
+            console.log("No API keys in this workspace.");
+            return;
+        }
+        for (const key of keys) {
+            const current = activeKeyId === key.keyId ? " (this machine)" : "";
+            console.log(`- ${formatKeyField(key.displayName)}${current}`);
+            console.log(`  key id:    ${key.keyId}`);
+            console.log(`  status:    ${formatKeyField(key.status ?? (key.revoked ? "revoked" : "active"))}`);
+            console.log(`  created:   ${formatKeyField(key.createdAt)}`);
+            console.log(`  last used: ${formatKeyField(key.lastUsedAt ?? undefined)}`);
+            console.log(`  scopes:    ${key.scopes?.join(", ") || "Not reported"}`);
+        }
+    }
+    catch (e) {
+        throw new Error(formatControlPlaneAuthError(e, "API key list"));
+    }
+}
+async function confirmPrompt(question) {
+    const rl = readline.createInterface({ input, output });
+    try {
+        const answer = (await rl.question(question)).trim().toLowerCase();
+        return answer === "y" || answer === "yes";
+    }
+    finally {
+        rl.close();
+    }
+}
+export async function runAuthRevoke(args) {
+    const json = hasFlag(args, "--json");
+    const yes = hasFlag(args, "--yes");
+    const keyId = flagValue(args, "--key") ?? flagValue(args, "--id");
+    const { config } = await requireSession();
+    const targetId = keyId ?? config.apiKeyId;
+    if (!targetId) {
+        throw new Error([
+            "No API key specified.",
+            "",
+            "Run:",
+            "  tg auth list",
+            "  tg auth revoke --key <key-id>",
+        ].join("\n"));
+    }
+    if (!yes) {
+        if (input.isTTY) {
+            const ok = await confirmPrompt(`Revoke API key ${targetId}? [y/N] `);
+            if (!ok) {
+                console.log("Revoke cancelled.");
+                return;
+            }
+        }
+        else {
+            throw new Error([
+                "Revoke requires confirmation in non-interactive mode.",
+                "",
+                "TrigGuard will not revoke API keys without an explicit --yes flag.",
+                "",
+                "Run:",
+                `  tg auth revoke --key ${targetId} --yes`,
+            ].join("\n"));
+        }
+    }
+    try {
+        await revokeApiKeyById(config, targetId);
+    }
+    catch (e) {
+        throw new Error(formatControlPlaneAuthError(e, "API key revoke"));
+    }
+    const clearsLocal = config.apiKeyId === targetId;
+    if (clearsLocal) {
+        saveConfig({
+            ...config,
+            apiKey: undefined,
+            apiKeyId: undefined,
+            apiKeyDisplayName: undefined,
+        });
+    }
+    if (json) {
+        console.log(JSON.stringify({ ok: true, revokedKeyId: targetId, clearedLocal: clearsLocal }, null, 2));
+        return;
+    }
+    console.log(`Revoked API key ${targetId}.`);
+    if (clearsLocal) {
+        console.log("Local machine key cleared from ~/.trigguard/config.json.");
+        console.log("Run: tg login");
+    }
+    else {
+        console.log("Run: tg auth list");
+    }
+}
+export async function runAuthRotate(args) {
+    const json = hasFlag(args, "--json");
+    const { config, orgId } = await requireSession();
+    const rotateId = flagValue(args, "--key") ?? flagValue(args, "--id") ?? config.apiKeyId ?? undefined;
+    let rotated;
+    try {
+        rotated = await rotateApiKey(config, orgId, rotateId ?? undefined);
+    }
+    catch (e) {
+        throw new Error(formatControlPlaneAuthError(e, "API key rotation"));
+    }
+    const updatesLocal = !rotateId || rotateId === config.apiKeyId;
+    const envOverrides = envOverridesConfigApiKey(config);
+    if (updatesLocal) {
+        saveConfig({
+            ...config,
+            apiKey: rotated.rawKey,
+            apiKeyId: rotated.keyId,
+            apiKeyDisplayName: rotated.displayName,
+        });
+    }
+    if (json) {
+        console.log(JSON.stringify({
+            ok: true,
+            keyId: rotated.keyId,
+            displayName: rotated.displayName,
+            revokedKeyId: rotated.revokedKeyId ?? null,
+            localConfigUpdated: updatesLocal,
+            activeCredentialSource: envOverrides ? "env" : updatesLocal ? "config" : "remote",
+            envOverrideWarning: envOverrides && updatesLocal,
+        }, null, 2));
+        return;
+    }
+    console.log("API key rotated.");
+    console.log(`New key id: ${rotated.keyId}`);
+    if (updatesLocal && envOverrides) {
+        console.log("Local config updated, but TRIGGUARD_API_KEY overrides ~/.trigguard/config.json.");
+        console.log("Update or unset TRIGGUARD_API_KEY before running tg authorize.");
+        console.log("Run: unset TRIGGUARD_API_KEY");
+    }
+    else if (updatesLocal) {
+        console.log("Local config updated for this machine.");
+        console.log("Run: tg authorize --surface <surface> --actor <actor> --intent \"…\"");
+    }
+    else {
+        console.log("Run: tg auth list");
+    }
+}
+export async function runAuth(args) {
+    const sub = args[0];
+    const rest = args.slice(1);
+    if (sub === "list") {
+        await runAuthList(rest);
+        return;
+    }
+    if (sub === "revoke") {
+        await runAuthRevoke(rest);
+        return;
+    }
+    if (sub === "rotate") {
+        await runAuthRotate(rest);
+        return;
+    }
+    throw new Error([
+        "Unknown auth subcommand.",
+        "",
+        "Run:",
+        "  tg auth list",
+        "  tg auth revoke [--key <id>] [--yes]",
+        "  tg auth rotate [--key <id>]",
+    ].join("\n"));
+}

package/dist/commands/login-web.js

@@ -3,6 +3,7 @@ import { hasFlag } from "../tg/args.js";
 import { loadConfig, saveConfig } from "../cp/config.js";
 import { defaultMachineLabel, ensureCliApiKey, } from "../cp/provisionCliKey.js";
 import { startCliDeviceAuth, waitForCliDeviceAuth, } from "../cp/cliDeviceAuth.js";
+import { formatNextAuthorizeCommand, printActivationEstablished, } from "../tg/activationCopy.js";
 async function openBrowser(url) {
     const platform = process.platform;
     let cmd;
@@ -34,7 +35,8 @@ export async function runLoginWeb(args) {
     if (!json) {
         console.log("Opening browser to sign in to TrigGuard...");
         console.log(`If the browser does not open, visit:\n  ${started.verificationUrl}`);
-        console.log(`Enter code: ${started.userCode}`);
+        console.log("Waiting for approval…");
+        console.log("Once approved, your CLI will continue automatically.");
     }
     try {
         await openBrowser(started.verificationUrl);
@@ -75,6 +77,5 @@ export async function runLoginWeb(args) {
     console.log(`Signed in as ${complete.user.email}`);
     console.log(`Workspace: ${complete.orgName ?? orgId}`);
     console.log("API key configured for this machine.");
-    console.log("");
-    console.log("Next: tg authorize --surface deploy.release --actor demo --intent \"test deploy\"");
+    printActivationEstablished(formatNextAuthorizeCommand());
 }

package/dist/commands/session.js

@@ -1,10 +1,13 @@
 import readline from "node:readline/promises";
 import { stdin as input, stdout as output } from "node:process";
 import { ControlPlaneError, fetchDashboardOrgs, fetchMe, loginWithPassword, resolveActiveOrg, } from "../cp/client.js";
-import { loadConfig, saveConfig, clearSession } from "../cp/config.js";
-import { resolveApiKeySource, storedCliApiKeyForSession } from "../cp/credentials.js";
+import { loadConfig, saveConfig, clearSession, configFileCorrupted, configPath } from "../cp/config.js";
+import { storedCliApiKeyForSession } from "../cp/credentials.js";
+import { formatCorruptConfigError, formatNotLoggedInError, formatRevokedKeyGuidance, } from "../cp/errors.js";
+import { recommendedNextCommand, resolveKeyVisibility } from "../cp/sessionContext.js";
 import { defaultMachineLabel, ensureCliApiKey } from "../cp/provisionCliKey.js";
 import { runLoginWeb } from "./login-web.js";
+import { formatNextAuthorizeCommand, printActivationEstablished, } from "../tg/activationCopy.js";
 function flagValue(args, name) {
     const i = args.indexOf(name);
     if (i === -1)
@@ -188,8 +191,10 @@ export async function runLogin(args) {
         console.log(`Workspace: ${activeOrgId}`);
     else
         console.log("Workspace: (verify email to list organizations)");
-    if (apiKey)
+    if (apiKey) {
         console.log("API key configured for this machine.");
+        printActivationEstablished(formatNextAuthorizeCommand());
+    }
 }
 export async function runLogout(args) {
     const json = hasFlag(args, "--json");
@@ -202,28 +207,41 @@ export async function runLogout(args) {
 }
 export async function runWhoami(args) {
     const json = hasFlag(args, "--json");
+    if (configFileCorrupted()) {
+        throw new Error(formatCorruptConfigError(configPath()));
+    }
     const config = loadConfig();
     const snap = await resolveSessionSnapshot();
-    const apiKeySource = resolveApiKeySource(config);
-    const apiKeyConfigured = apiKeySource !== "none";
+    const key = await resolveKeyVisibility(config, snap);
     if (!snap.authenticated || !snap.user) {
         if (json) {
             console.log(JSON.stringify({ authenticated: false, apiKeyConfigured: false }, null, 2));
         }
         else {
-            console.log("Not signed in. Run: tg login");
+            console.log(formatNotLoggedInError());
         }
-        process.exit(snap.authenticated ? 0 : 1);
+        process.exit(1);
     }
     if (json) {
         console.log(JSON.stringify({
             authenticated: true,
             user: snap.user,
-            activeOrg: snap.activeOrg,
-            controlPlaneUrl: snap.controlPlaneUrl,
+            organization: snap.activeOrg?.name ?? null,
+            workspace: snap.activeOrg?.orgId ?? null,
+            plan: snap.activeOrg?.plan ?? null,
             environment: snap.environment,
-            apiKeyConfigured,
-            apiKeySource,
+            authSource: "session",
+            apiKeyConfigured: key.apiKeyConfigured,
+            apiKeySource: key.apiKeySource,
+            apiKeyId: key.apiKeyId,
+            apiKeyDisplayName: key.apiKeyDisplayName,
+            machineName: key.machineName,
+            configPath: key.configPath,
+            keyStatus: key.keyStatus,
+            keyCreated: key.keyCreated,
+            keyLastUsed: key.keyLastUsed,
+            keyExpires: key.keyExpires,
+            keyScopes: key.keyScopes,
         }, null, 2));
         return;
     }
@@ -238,15 +256,50 @@ export async function runWhoami(args) {
         console.log("Email verification required before workspace listing.");
     }
     console.log(`Environment: ${snap.environment}`);
-    console.log(`API key configured: ${apiKeyConfigured ? "yes" : "no"}`);
-    console.log(`API key source: ${apiKeySource}`);
+    console.log(`Auth source: session`);
+    console.log(`API key configured: ${key.apiKeyConfigured ? "yes" : "no"}`);
+    console.log(`API key source: ${key.apiKeySource}`);
+    console.log(`API key id: ${key.apiKeyId}`);
+    console.log(`API key name: ${key.apiKeyDisplayName}`);
+    console.log(`Machine name: ${key.machineName}`);
+    console.log(`Config path: ${key.configPath}`);
+    console.log(`Key status: ${key.keyStatus}`);
+    console.log(`Key created: ${key.keyCreated}`);
+    console.log(`Key last used: ${key.keyLastUsed}`);
+    console.log(`Key expires: ${key.keyExpires}`);
+    console.log(`Key scopes: ${key.keyScopes}`);
+    if (key.keyRevoked) {
+        console.log(formatRevokedKeyGuidance());
+    }
 }
 export async function runStatus(args) {
     const json = hasFlag(args, "--json");
+    if (configFileCorrupted()) {
+        throw new Error(formatCorruptConfigError(configPath()));
+    }
     const config = loadConfig();
     const snap = await resolveSessionSnapshot();
-    const apiKeySource = resolveApiKeySource(config);
-    const apiKeyConfigured = apiKeySource !== "none";
+    const key = await resolveKeyVisibility(config, snap);
+    const next = recommendedNextCommand(snap, key);
+    let controlPlaneReachable = false;
+    if (snap.authenticated && config.sessionToken) {
+        try {
+            await fetch(`${config.controlPlaneUrl}/me`, {
+                headers: { Authorization: `Bearer ${config.sessionToken}`, Accept: "application/json" },
+                signal: AbortSignal.timeout(5_000),
+            }).then((r) => {
+                controlPlaneReachable = r.ok;
+            });
+        }
+        catch {
+            controlPlaneReachable = false;
+        }
+    }
+    const authorityStatus = snap.authenticated && key.apiKeyConfigured && !key.keyRevoked
+        ? "ready"
+        : key.keyRevoked
+            ? "key_revoked"
+            : "needs_login";
     const payload = {
         authentication: snap.authenticated ? "signed_in" : "signed_out",
         organization: snap.activeOrg?.name ?? null,
@@ -256,25 +309,35 @@ export async function runStatus(args) {
         apiEndpoint: snap.controlPlaneUrl,
         emailVerified: Boolean(snap.user?.emailVerifiedAt),
         user: snap.user?.email ?? null,
-        apiKeyConfigured,
-        apiKeySource,
-        authorityStatus: snap.authenticated && apiKeyConfigured ? "ready" : "needs_login",
+        apiKeyConfigured: key.apiKeyConfigured,
+        apiKeySource: key.apiKeySource,
+        apiKeyId: key.apiKeyId,
+        apiKeyDisplayName: key.apiKeyDisplayName,
+        keyStatus: key.keyStatus,
+        controlPlaneReachable,
+        authorityStatus,
         verificationStatus: "available",
+        recommendedNextCommand: next,
     };
     if (json) {
         console.log(JSON.stringify(payload, null, 2));
         return;
     }
     console.log("TrigGuard CLI status");
-    console.log(`  Authentication: ${payload.authentication}`);
-    console.log(`  User:           ${payload.user ?? "—"}`);
-    console.log(`  Organization:   ${payload.organization ?? "—"}`);
-    console.log(`  Workspace:      ${payload.workspace ?? "—"}`);
-    console.log(`  Plan:           ${payload.plan ?? "—"}`);
-    console.log(`  Environment:    ${payload.environment}`);
-    console.log(`  API endpoint:   ${payload.apiEndpoint}`);
-    console.log(`  Email verified: ${payload.emailVerified ? "yes" : "no"}`);
-    console.log(`  API key:        ${apiKeyConfigured ? `configured (${apiKeySource})` : "not configured"}`);
-    console.log(`  Authority:      ${payload.authorityStatus}`);
-    console.log(`  Verification:   ${payload.verificationStatus}`);
+    console.log(`  Authentication:       ${payload.authentication}`);
+    console.log(`  User:                 ${payload.user ?? "—"}`);
+    console.log(`  Organization:         ${payload.organization ?? "—"}`);
+    console.log(`  Workspace:            ${payload.workspace ?? "—"}`);
+    console.log(`  Plan:                 ${payload.plan ?? "—"}`);
+    console.log(`  Environment:          ${payload.environment}`);
+    console.log(`  API endpoint:         ${payload.apiEndpoint}`);
+    console.log(`  Control plane:        ${controlPlaneReachable ? "reachable" : "unreachable"}`);
+    console.log(`  Email verified:       ${payload.emailVerified ? "yes" : "no"}`);
+    console.log(`  API key:              ${key.apiKeyConfigured ? `configured (${key.apiKeySource})` : "not configured"}`);
+    console.log(`  API key id:           ${key.apiKeyId}`);
+    console.log(`  API key name:         ${key.apiKeyDisplayName}`);
+    console.log(`  Key status:           ${key.keyStatus}`);
+    console.log(`  Authority readiness:  ${authorityStatus}`);
+    console.log(`  Verification:         ${payload.verificationStatus}`);
+    console.log(`  Next command:         ${next}`);
 }

package/dist/commands/tg-setup.js

@@ -5,6 +5,7 @@ import { resolveSessionSnapshot } from "./session.js";
 import { runLoginWeb } from "./login-web.js";
 import { loadExecutionSurfaces } from "./tg-surfaces.js";
 import { shellQuoteArg } from "../tg/shellQuote.js";
+import { printActivationEstablished } from "../tg/activationCopy.js";
 import os from "node:os";
 export async function runTgSetup(args) {
     const json = hasFlag(args, "--json");
@@ -16,6 +17,9 @@ export async function runTgSetup(args) {
             console.log("Step 1/3 — Sign in (browser)");
         await runLoginWeb(json ? ["--json"] : []);
     }
+    else if (!json) {
+        printActivationEstablished(`tg authorize --surface deploy.release --actor ${shellQuoteArg(snap.activeOrg?.name ?? os.userInfo().username ?? "demo")} --intent "setup test"`);
+    }
     const refreshed = loadConfig();
     const snap2 = await resolveSessionSnapshot();
     if (!snap2.authenticated || !resolveApiKey(refreshed)) {

package/dist/cp/apiKeys.d.ts

@@ -0,0 +1,26 @@
+import type { TrigGuardCliConfig } from "./types.js";
+export interface ApiKeyPublicRecord {
+    readonly keyId: string;
+    readonly orgId: string;
+    readonly keyPrefix?: string;
+    readonly status?: string;
+    readonly displayName?: string;
+    readonly environment?: string;
+    readonly createdAt?: string;
+    readonly lastUsedAt?: string | null;
+    readonly expiresAt?: string | null;
+    readonly revokedAt?: string | null;
+    readonly rotatedFromKeyId?: string | null;
+    readonly revoked?: boolean;
+    readonly scopes?: readonly string[];
+}
+export declare function listApiKeys(config: TrigGuardCliConfig, orgId: string): Promise<ApiKeyPublicRecord[]>;
+export declare function revokeApiKeyById(config: TrigGuardCliConfig, keyId: string): Promise<void>;
+export declare function rotateApiKey(config: TrigGuardCliConfig, orgId: string, keyId?: string): Promise<{
+    rawKey: string;
+    keyId: string;
+    displayName: string;
+    revokedKeyId?: string;
+}>;
+/** Display field or explicit not-reported sentinel — never null/undefined in output. */
+export declare function formatKeyField(value: string | null | undefined): string;

package/dist/cp/apiKeys.js

@@ -0,0 +1,38 @@
+import { controlPlaneFetch } from "./client.js";
+export async function listApiKeys(config, orgId) {
+    const data = await controlPlaneFetch(config, `/apikeys?orgId=${encodeURIComponent(orgId)}`, { method: "GET" });
+    return Array.isArray(data.keys) ? data.keys : [];
+}
+export async function revokeApiKeyById(config, keyId) {
+    await controlPlaneFetch(config, `/apikeys/${encodeURIComponent(keyId)}/revoke`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({}),
+    });
+}
+export async function rotateApiKey(config, orgId, keyId) {
+    const data = await controlPlaneFetch(config, "/apikeys/rotate", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ orgId, ...(keyId ? { keyId } : {}) }),
+    });
+    const rawKey = typeof data.rawKey === "string" ? data.rawKey : "";
+    const newKeyId = typeof data.keyId === "string" ? data.keyId : "";
+    const displayName = typeof data.displayName === "string" ? data.displayName : "TrigGuard CLI";
+    if (!rawKey.startsWith("tg_live_") || !newKeyId) {
+        throw new Error("rotate_response_invalid");
+    }
+    return {
+        rawKey,
+        keyId: newKeyId,
+        displayName,
+        revokedKeyId: typeof data.revokedKeyId === "string" ? data.revokedKeyId : undefined,
+    };
+}
+/** Display field or explicit not-reported sentinel — never null/undefined in output. */
+export function formatKeyField(value) {
+    if (value === null || value === undefined || String(value).trim() === "") {
+        return "Not reported";
+    }
+    return String(value);
+}

package/dist/cp/config.d.ts

@@ -1,6 +1,7 @@
 import type { TrigGuardCliConfig, TrigGuardEnvironment } from "./types.js";
 export declare function configDir(): string;
 export declare function configPath(): string;
+export declare function configFileCorrupted(): boolean;
 export declare function defaultControlPlaneUrl(): string;
 export declare function defaultEnvironment(): TrigGuardEnvironment;
 export declare function loadConfig(): TrigGuardCliConfig;

package/dist/cp/config.js

@@ -12,6 +12,18 @@ export function configDir() {
 export function configPath() {
     return path.join(configDir(), "config.json");
 }
+export function configFileCorrupted() {
+    const file = configPath();
+    if (!fs.existsSync(file))
+        return false;
+    try {
+        JSON.parse(fs.readFileSync(file, "utf8"));
+        return false;
+    }
+    catch {
+        return true;
+    }
+}
 function parseEnvironment(raw) {
     switch ((raw ?? "production").trim().toLowerCase()) {
         case "staging":
@@ -43,12 +55,40 @@ function readConfigFile(base) {
         return null;
     }
 }
+function enforceConfigPermissions(dir, file) {
+    try {
+        fs.chmodSync(dir, 0o700);
+    }
+    catch {
+        /* best effort */
+    }
+    if (fs.existsSync(file)) {
+        try {
+            fs.chmodSync(file, 0o600);
+        }
+        catch {
+            /* best effort */
+        }
+    }
+}
+function writeConfigAtomic(payload) {
+    const dir = configDir();
+    const file = configPath();
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+    const tmp = `${file}.${process.pid}.tmp`;
+    fs.writeFileSync(tmp, payload, { mode: 0o600 });
+    fs.renameSync(tmp, file);
+    enforceConfigPermissions(dir, file);
+}
 export function loadConfig() {
     const base = {
         version: CONFIG_VERSION,
         controlPlaneUrl: defaultControlPlaneUrl(),
         environment: defaultEnvironment(),
     };
+    if (configFileCorrupted()) {
+        return base;
+    }
     const parsed = readConfigFile(base);
     if (parsed?.sessionRevoked) {
         return {
@@ -85,8 +125,6 @@ export function loadConfig() {
     };
 }
 export function saveConfig(config) {
-    const dir = configDir();
-    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
     const payload = {
         version: CONFIG_VERSION,
         controlPlaneUrl: config.controlPlaneUrl.replace(/\/$/, ""),
@@ -99,7 +137,7 @@ export function saveConfig(config) {
         apiKeyDisplayName: config.apiKeyDisplayName,
         ...(config.sessionToken ? {} : config.sessionRevoked ? { sessionRevoked: true } : {}),
     };
-    fs.writeFileSync(configPath(), `${JSON.stringify(payload, null, 2)}\n`, { mode: 0o600 });
+    writeConfigAtomic(`${JSON.stringify(payload, null, 2)}\n`);
 }
 export function clearSession(config) {
     const next = {

package/dist/cp/credentials.d.ts

@@ -3,6 +3,7 @@ export type ApiKeySource = "env" | "config" | "none";
 export declare function resolveApiKeyFromEnv(): string | undefined;
 export declare function resolveApiKey(config: TrigGuardCliConfig): string | undefined;
 export declare function resolveApiKeySource(config: TrigGuardCliConfig): ApiKeySource;
+export declare function envOverridesConfigApiKey(config: TrigGuardCliConfig): boolean;
 export declare function storedCliApiKeyForSession(config: TrigGuardCliConfig, user: {
     email: string;
 }, activeOrgId: string | undefined): string | null;

package/dist/cp/credentials.js

@@ -13,6 +13,9 @@ export function resolveApiKeySource(config) {
         return "config";
     return "none";
 }
+export function envOverridesConfigApiKey(config) {
+    return resolveApiKeySource(config) === "env";
+}
 export function storedCliApiKeyForSession(config, user, activeOrgId) {
     if (!activeOrgId ||
         config.user?.email !== user.email ||
@@ -25,7 +28,12 @@ export function storedCliApiKeyForSession(config, user, activeOrgId) {
 export function missingConfiguredApiKeyMessage() {
     return [
         "No API key configured.",
-        "Run: tg login",
+        "",
+        "TrigGuard CLI requires a machine-scoped API key to authorize execution.",
+        "",
+        "Run:",
+        "  tg login",
+        "",
         "Or export TRIGGUARD_API_KEY for CI/scripts.",
     ].join("\n");
 }

package/dist/cp/errors.d.ts

@@ -0,0 +1,5 @@
+export declare function formatNotLoggedInError(): string;
+export declare function formatNoApiKeyError(): string;
+export declare function formatCorruptConfigError(configPath: string): string;
+export declare function formatControlPlaneAuthError(e: unknown, context: string): string;
+export declare function formatRevokedKeyGuidance(): string;

package/dist/cp/errors.js

@@ -0,0 +1,139 @@
+import { ControlPlaneError } from "./client.js";
+export function formatNotLoggedInError() {
+    return [
+        "Not signed in.",
+        "",
+        "TrigGuard CLI requires an authenticated session to manage API keys.",
+        "",
+        "Run:",
+        "  tg login",
+    ].join("\n");
+}
+export function formatNoApiKeyError() {
+    return [
+        "No API key configured.",
+        "",
+        "TrigGuard CLI requires a machine-scoped API key to authorize execution.",
+        "",
+        "Run:",
+        "  tg login",
+        "",
+        "Or export TRIGGUARD_API_KEY for CI/scripts.",
+    ].join("\n");
+}
+export function formatCorruptConfigError(configPath) {
+    return [
+        "Local TrigGuard config is corrupted and could not be parsed.",
+        "",
+        `Config path: ${configPath}`,
+        "",
+        "Run:",
+        "  tg logout",
+        "  tg login",
+    ].join("\n");
+}
+export function formatControlPlaneAuthError(e, context) {
+    if (e instanceof ControlPlaneError) {
+        switch (e.code) {
+            case "forbidden":
+                return [
+                    "Permission denied.",
+                    "",
+                    `TrigGuard control plane rejected this ${context} request.`,
+                    "",
+                    "Run:",
+                    "  tg whoami",
+                    "  tg status",
+                ].join("\n");
+            case "email_verification_required":
+                return [
+                    "Email verification required.",
+                    "",
+                    "Verify your email in the TrigGuard console, then retry.",
+                    "",
+                    "Run:",
+                    "  tg login",
+                ].join("\n");
+            case "not_found":
+            case "key_not_found":
+                return [
+                    "API key not found.",
+                    "",
+                    "The key may already be revoked or belongs to another workspace.",
+                    "",
+                    "Run:",
+                    "  tg auth list",
+                ].join("\n");
+            case "no_active_key":
+                return [
+                    "No active API key to rotate.",
+                    "",
+                    "Run:",
+                    "  tg login",
+                ].join("\n");
+            case "rotate_failed":
+                return [
+                    "API key rotation failed.",
+                    "",
+                    "The control plane could not rotate this key.",
+                    "",
+                    "Run:",
+                    "  tg auth list",
+                    "  tg login",
+                ].join("\n");
+            default:
+                if (e.status === 401) {
+                    return [
+                        "Session expired or invalid.",
+                        "",
+                        "Run:",
+                        "  tg login",
+                    ].join("\n");
+                }
+                if (e.status >= 500) {
+                    return [
+                        "Control plane unavailable.",
+                        "",
+                        "TrigGuard could not reach the control plane API.",
+                        "",
+                        "Run:",
+                        "  tg status",
+                    ].join("\n");
+                }
+        }
+    }
+    if (e instanceof Error && e.message === "device_code_expired") {
+        return [
+            "Device authorization expired.",
+            "",
+            "Run:",
+            "  tg login",
+        ].join("\n");
+    }
+    if (e instanceof Error && e.message === "device_login_timeout") {
+        return [
+            "Timed out waiting for browser approval.",
+            "",
+            "Run:",
+            "  tg login",
+        ].join("\n");
+    }
+    const msg = e instanceof Error ? e.message : String(e);
+    return [
+        `${context} failed.`,
+        "",
+        msg,
+        "",
+        "Run:",
+        "  tg status",
+    ].join("\n");
+}
+export function formatRevokedKeyGuidance() {
+    return [
+        "Configured API key appears revoked or inactive.",
+        "",
+        "Run:",
+        "  tg auth rotate",
+        "  tg login",
+    ].join("\n");
+}

package/dist/cp/sessionContext.d.ts

@@ -0,0 +1,21 @@
+import { type ApiKeyPublicRecord } from "./apiKeys.js";
+import { resolveApiKeySource } from "./credentials.js";
+import type { SessionSnapshot, TrigGuardCliConfig } from "./types.js";
+export interface KeyVisibility {
+    readonly apiKeyConfigured: boolean;
+    readonly apiKeySource: ReturnType<typeof resolveApiKeySource>;
+    readonly apiKeyId: string;
+    readonly apiKeyDisplayName: string;
+    readonly machineName: string;
+    readonly configPath: string;
+    readonly keyStatus: string;
+    readonly keyCreated: string;
+    readonly keyLastUsed: string;
+    readonly keyExpires: string;
+    readonly keyScopes: string;
+    readonly keyRevoked: boolean;
+}
+export declare function machineNameFromConfig(config: TrigGuardCliConfig): string;
+export declare function resolveActiveApiKeyRecord(keys: readonly ApiKeyPublicRecord[], config: TrigGuardCliConfig): ApiKeyPublicRecord | undefined;
+export declare function resolveKeyVisibility(config: TrigGuardCliConfig, snap: SessionSnapshot): Promise<KeyVisibility>;
+export declare function recommendedNextCommand(snap: SessionSnapshot, key: KeyVisibility): string;

package/dist/cp/sessionContext.js

@@ -0,0 +1,86 @@
+import os from "node:os";
+import { listApiKeys, formatKeyField } from "./apiKeys.js";
+import { configPath } from "./config.js";
+import { resolveApiKeyFromEnv, resolveApiKeySource } from "./credentials.js";
+export function machineNameFromConfig(config) {
+    const label = config.apiKeyDisplayName?.match(/TrigGuard CLI \((.+)\)/)?.[1];
+    return label?.trim() || os.hostname().trim() || "cli";
+}
+function matchByEnvPrefix(keys, envKey) {
+    return keys.find((k) => {
+        const prefix = k.keyPrefix?.trim();
+        return Boolean(prefix && envKey.startsWith(prefix));
+    });
+}
+export function resolveActiveApiKeyRecord(keys, config) {
+    const apiKeySource = resolveApiKeySource(config);
+    const envKey = resolveApiKeyFromEnv();
+    if (apiKeySource === "env" && envKey) {
+        return matchByEnvPrefix(keys, envKey);
+    }
+    if (config.apiKeyId) {
+        return keys.find((k) => k.keyId === config.apiKeyId);
+    }
+    return undefined;
+}
+export async function resolveKeyVisibility(config, snap) {
+    const apiKeySource = resolveApiKeySource(config);
+    const apiKeyConfigured = apiKeySource !== "none";
+    const base = {
+        apiKeyConfigured,
+        apiKeySource,
+        apiKeyId: formatKeyField(config.apiKeyId),
+        apiKeyDisplayName: formatKeyField(config.apiKeyDisplayName),
+        machineName: machineNameFromConfig(config),
+        configPath: configPath(),
+        keyStatus: "Not reported",
+        keyCreated: "Not reported",
+        keyLastUsed: "Not reported",
+        keyExpires: "Not reported",
+        keyScopes: "Not reported",
+        keyRevoked: false,
+    };
+    if (!snap.authenticated || !snap.activeOrg?.orgId || !config.sessionToken) {
+        return base;
+    }
+    try {
+        const keys = await listApiKeys(config, snap.activeOrg.orgId);
+        const stored = resolveActiveApiKeyRecord(keys, config);
+        if (!stored) {
+            if (apiKeySource === "env") {
+                return {
+                    ...base,
+                    apiKeyId: "Not reported",
+                    apiKeyDisplayName: "Not reported",
+                };
+            }
+            return base;
+        }
+        return {
+            ...base,
+            apiKeyId: stored.keyId,
+            apiKeyDisplayName: formatKeyField(stored.displayName ?? config.apiKeyDisplayName),
+            keyStatus: formatKeyField(stored.status ?? (stored.revoked ? "revoked" : "active")),
+            keyCreated: formatKeyField(stored.createdAt),
+            keyLastUsed: formatKeyField(stored.lastUsedAt ?? undefined),
+            keyExpires: formatKeyField(stored.expiresAt ?? undefined),
+            keyScopes: stored.scopes?.length ? stored.scopes.join(", ") : "Not reported",
+            keyRevoked: Boolean(stored.revoked || stored.status === "revoked"),
+        };
+    }
+    catch {
+        return base;
+    }
+}
+export function recommendedNextCommand(snap, key) {
+    if (!snap.authenticated)
+        return "tg login";
+    if (!key.apiKeyConfigured)
+        return "tg login";
+    if (key.keyRevoked) {
+        return key.apiKeySource === "env"
+            ? "unset TRIGGUARD_API_KEY && tg login"
+            : "tg auth rotate";
+    }
+    return 'tg authorize --surface <surface> --actor <actor> --intent "…"';
+}

package/dist/tg/activationCopy.d.ts

@@ -0,0 +1,9 @@
+export declare const ACTIVATION_HEADLINE = "Execution Authority Established";
+export declare const ACTIVATION_STATUS = "Authority Status: Verified";
+export type NextAuthorizeOptions = {
+    surface?: string;
+    actor?: string;
+    intent?: string;
+};
+export declare function formatNextAuthorizeCommand(opts?: NextAuthorizeOptions): string;
+export declare function printActivationEstablished(nextCommand: string): void;

package/dist/tg/activationCopy.js

@@ -0,0 +1,43 @@
+import { spawnSync } from "node:child_process";
+export const ACTIVATION_HEADLINE = "Execution Authority Established";
+export const ACTIVATION_STATUS = "Authority Status: Verified";
+export function formatNextAuthorizeCommand(opts = {}) {
+    const surface = opts.surface ?? "deploy.release";
+    const actor = opts.actor ?? "demo";
+    const intent = opts.intent ?? "test deployment";
+    return `tg authorize --surface ${surface} --actor ${actor} --intent "${intent}"`;
+}
+function tryCopyToClipboard(text) {
+    if (!process.stdout.isTTY)
+        return false;
+    const platform = process.platform;
+    if (platform === "darwin") {
+        const r = spawnSync("pbcopy", [], { input: text, stdio: ["pipe", "ignore", "ignore"] });
+        return r.status === 0;
+    }
+    if (platform === "win32") {
+        const r = spawnSync("clip", [], { input: text, stdio: ["pipe", "ignore", "ignore"], shell: true });
+        return r.status === 0;
+    }
+    for (const [cmd, args] of [
+        ["xclip", ["-selection", "clipboard"]],
+        ["xsel", ["--clipboard", "--input"]],
+    ]) {
+        const r = spawnSync(cmd, [...args], { input: text, stdio: ["pipe", "ignore", "ignore"] });
+        if (r.status === 0)
+            return true;
+    }
+    return false;
+}
+export function printActivationEstablished(nextCommand) {
+    console.log("");
+    console.log(ACTIVATION_HEADLINE);
+    console.log(ACTIVATION_STATUS);
+    console.log("");
+    console.log("Next step:");
+    console.log(`  ${nextCommand}`);
+    if (tryCopyToClipboard(nextCommand)) {
+        console.log("");
+        console.log("(Command copied to clipboard)");
+    }
+}

package/dist/tg/help.js

@@ -13,8 +13,11 @@ COMMANDS
   surfaces      List registered execution surfaces
   login         Sign in (browser device flow by default)
   logout       Clear local session
-  whoami       Current user and workspace
-  status       Auth, org, environment summary
+  whoami       Current user, workspace, and API key metadata
+  status       Auth, connectivity, and next-step guidance
+  auth list     List workspace API keys (no raw secrets)
+  auth revoke   Revoke a machine API key
+  auth rotate   Rotate credentials safely
 
 QUICK START
   npm install -g @trigguard/cli
@@ -30,6 +33,7 @@ ENVIRONMENT
   TRIGGUARD_CONTROL_PLANE_URL   Control plane URL (session commands)
 
 DOCS
+  docs/developer/CLI_SECURITY_MODEL_V1.md
   docs/developer/TRIGGUARD_CLI_ZERO_CONFIG_AUTH.md
   docs/developer/TRIGGUARD_QUICKSTART.md
 `);

package/dist/tg.js

@@ -4,6 +4,7 @@ import { runTgInit } from "./commands/tg-init.js";
 import { runTgSetup } from "./commands/tg-setup.js";
 import { runTgSurfaces } from "./commands/tg-surfaces.js";
 import { runTgVerify } from "./commands/tg-verify.js";
+import { runAuth } from "./commands/auth.js";
 import { runLogin, runLogout, runStatus, runWhoami } from "./commands/session.js";
 import { printAuthorizeHelp, printInitHelp, printLoginHelp, printRootHelp, printSetupHelp, printSurfacesHelp, printVerifyHelp, } from "./tg/help.js";
 async function main() {
@@ -72,6 +73,10 @@ async function main() {
             await runStatus(rest);
             return;
         }
+        if (cmd === "auth") {
+            await runAuth(rest);
+            return;
+        }
     }
     catch (e) {
         if (e instanceof Error && e.message === "login_cancelled") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trigguard/cli",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "TrigGuard developer CLI — tg login, authorize, verify",
   "type": "module",
   "bin": {