@trigguard/cli 0.1.1

package/README.md

@@ -0,0 +1,70 @@
+# `@trigguard/cli`
+
+Developer CLI for the execution gateway: **authorize**, **verify** receipts, plus **policy** / **simulate** stubs for future releases.
+
+## Install (from monorepo)
+
+```bash
+cd packages/trigguard-cli && npm ci && npm run build
+node dist/index.js --help
+npm test
+```
+
+Global install after publish: `npm install -g @trigguard/cli`
+
+## Commands
+
+```bash
+export TRIGGUARD_GATEWAY_URL=https://your-run-url.run.app
+export TRIGGUARD_BEARER="$(gcloud auth print-identity-token --audiences=$TRIGGUARD_GATEWAY_URL)"
+
+trigguard authorize --surface deploy.release --json
+trigguard verify ./receipt.json --json
+```
+
+### Provider mode (vendor JSON → gateway)
+
+Map a vendor-shaped payload with a built-in adapter (`packages/trigguard-providers`), then authorize:
+
+```bash
+trigguard authorize --provider stripe --input ./payment.json --json
+cat payment.json | trigguard authorize --provider stripe --input - --json
+```
+
+Use `--surface` + optional `--context <file.json>` when you already have canonical fields and do not need `mapAction`.
+
+Or `TRIGGUARD_USE_GCLOUD=1` to obtain the identity token via `gcloud` automatically.
+
+## CI vs local
+
+| Environment | Auth |
+|-------------|------|
+| GitHub Actions | `TrigGuard-AI/authorize@v1` (OIDC → GCP) |
+| Local / scripts | `TRIGGUARD_BEARER` or `TRIGGUARD_USE_GCLOUD=1` |
+
+## Local execution authority (dev)
+
+```bash
+npm run build
+node dist/index.js dev --port 8787
+# or: npx trigguard dev
+```
+
+- **`trigguard doctor`** — Node version, monorepo detection, optional `/health` on `127.0.0.1:8787`
+- **`trigguard verify-receipt <file.json> --public-key <hex>`** — offline verify for Execution Authority **flat** JSON (same as `sdk/node` `verifyReceipt`)
+- Optional **`--swift`** uses `tg_execution_authority` when `TG_AUTHORITY_PRIVATE_KEY` and a binary are available; otherwise the CLI falls back to the Node mock.
+
+See [../../docs/getting-started/local-authority.md](../../docs/getting-started/local-authority.md).
+
+## Offline receipt verification
+
+`trigguard verify` uses **`@trigguard/receipt-verify`**. When you pass a known authority public key, verification is **fully offline** (no `/.well-known` fetch):
+
+```bash
+trigguard verify ./receipt.json --public-key <64-hex-ed25519-raw-or-pem>
+trigguard verify ./receipt.json --public-key-file ./authority.pem
+```
+
+Precedence: **`--public-key`** → **`--public-key-file`** → keys from **`--keys-url`** / **`TRIGGUARD_KEYS_URL`** (with optional bearer for gated endpoints).
+
+For Execution Authority `/decide`-shaped receipts, this matches the same canonical signing material as **`sdk/node`** / Swift.

package/data/execution-surfaces.json

@@ -0,0 +1,28 @@
+{
+  "version": "1.0.0",
+  "registry_id": "trigguard-core",
+  "surfaces": [
+    "deploy.release",
+    "infra.apply",
+    "artifact.publish",
+    "data.export",
+    "payment.execute",
+    "secrets.access",
+    "database.migrate",
+    "production.write",
+    "pr.docs.write",
+    "pr.tests.write",
+    "pr.examples.write",
+    "pr.scripts.write",
+    "pr.workflows.write",
+    "pr.governance.write",
+    "pr.runtime.write",
+    "pr.kernel.write",
+    "pr.mixed.write",
+    "spendCommit",
+    "timeCommit",
+    "dataExport",
+    "identityAssertion",
+    "externalAuthorityDelegation"
+  ]
+}

package/dist/auth.js

@@ -0,0 +1,20 @@
+import { spawnSync } from "node:child_process";
+/**
+ * Resolve Bearer token: TRIGGUARD_BEARER, or gcloud identity token when TRIGGUARD_USE_GCLOUD=1.
+ */
+export async function resolveBearer(gatewayUrl) {
+    const direct = process.env.TRIGGUARD_BEARER?.trim();
+    if (direct)
+        return direct;
+    if (process.env.TRIGGUARD_USE_GCLOUD === "1") {
+        const aud = gatewayUrl.replace(/\/$/, "");
+        const r = spawnSync("gcloud", ["auth", "print-identity-token", `--audiences=${aud}`], { encoding: "utf8" });
+        if (r.error)
+            throw r.error;
+        if (r.status !== 0) {
+            throw new Error(`gcloud failed: ${r.stderr || r.stdout}`);
+        }
+        return r.stdout.trim();
+    }
+    return undefined;
+}

package/dist/commands/authorize.d.ts

@@ -0,0 +1 @@
+export declare function runAuthorize(argv: string[]): Promise<void>;

package/dist/commands/authorize.js

@@ -0,0 +1,99 @@
+import { parseArgs } from "node:util";
+import { readFile } from "node:fs/promises";
+import { createExecutionClient, fetchPublicKeys, verifyReceiptSignature, } from "@trigguard/execution-sdk";
+import { createDefaultProviderRegistry } from "@trigguard/providers";
+import { resolveBearer } from "../auth.js";
+import { readStdin } from "../stdin.js";
+export async function runAuthorize(argv) {
+    const { values } = parseArgs({
+        args: argv,
+        options: {
+            surface: { type: "string" },
+            provider: { type: "string" },
+            input: { type: "string" },
+            "gateway-url": { type: "string" },
+            "actor-id": { type: "string" },
+            context: { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const gatewayUrl = values["gateway-url"] ||
+        process.env.TRIGGUARD_GATEWAY_URL ||
+        "http://127.0.0.1:8080";
+    let actorId = values["actor-id"] || process.env.TRIGGUARD_ACTOR_ID || "trigguard-cli";
+    let surface;
+    let context;
+    let subjectDigest;
+    const providerId = values.provider?.trim();
+    if (providerId) {
+        const registry = createDefaultProviderRegistry();
+        const provider = registry.get(providerId);
+        if (!provider) {
+            console.error(`Unknown --provider "${providerId}". Try: ${registry.listIds().join(", ")}`);
+            process.exit(1);
+        }
+        const inputPath = values.input;
+        if (!inputPath) {
+            console.error("With --provider, pass vendor JSON via --input <file> or --input - (stdin)");
+            process.exit(1);
+        }
+        const raw = inputPath === "-"
+            ? await readStdin()
+            : await readFile(inputPath, "utf8");
+        const vendorPayload = JSON.parse(raw);
+        const req = provider.mapAction(vendorPayload);
+        surface = req.surface;
+        actorId = req.actorId ?? actorId;
+        context = req.context;
+        subjectDigest = req.subjectDigest;
+    }
+    else {
+        const s = values.surface;
+        if (!s) {
+            console.error("Missing required --surface (or use --provider with --input)");
+            process.exit(1);
+        }
+        surface = s;
+        if (values.context) {
+            const raw = await readFile(values.context, "utf8");
+            context = JSON.parse(raw);
+        }
+    }
+    const getBearerToken = () => resolveBearer(gatewayUrl);
+    const client = createExecutionClient({ gatewayUrl, getBearerToken });
+    const result = await client.authorize({ surface, actorId, context, subjectDigest });
+    if (!result.ok || !result.receipt) {
+        if (values.json) {
+            console.log(JSON.stringify({ ok: false, status: result.status, body: result.body }));
+        }
+        else {
+            console.error(`Request failed: HTTP ${result.status}`);
+            console.error(JSON.stringify(result.body, null, 2));
+        }
+        process.exit(1);
+    }
+    const receipt = result.receipt;
+    const keys = await fetchPublicKeys(gatewayUrl, getBearerToken);
+    const valid = verifyReceiptSignature(receipt, keys);
+    if (values.json) {
+        console.log(JSON.stringify({
+            ok: true,
+            decision: result.decision,
+            executionId: result.executionId,
+            receiptValid: valid,
+            receipt,
+        }));
+    }
+    else {
+        console.log(`Decision: ${result.decision}`);
+        console.log(`Receipt signature valid: ${valid}`);
+        console.log(`Execution ID: ${result.executionId ?? ""}`);
+    }
+    if (!valid)
+        process.exit(1);
+    const dec = String(result.decision || "").toUpperCase();
+    if (dec !== "PERMIT")
+        process.exit(1);
+}

package/dist/commands/chaos.d.ts

@@ -0,0 +1 @@
+export declare function runChaos(argv: string[]): Promise<void>;

package/dist/commands/chaos.js

@@ -0,0 +1,35 @@
+import { runChaosScenario } from "@trigguard/chaos";
+function usage() {
+    console.error("Usage:\n" +
+        "  trigguard chaos run engine-crash\n" +
+        "  trigguard chaos run bundle-corruption\n" +
+        "  trigguard chaos run network-delay\n" +
+        "  trigguard chaos run clock-skew\n" +
+        "  trigguard chaos run governance-corruption\n" +
+        "  trigguard chaos run partial-rollout-failure");
+    process.exit(1);
+}
+export async function runChaos(argv) {
+    const sub = argv[0];
+    if (sub !== "run")
+        usage();
+    const scenario = argv[1];
+    if (!scenario)
+        usage();
+    const map = {
+        "engine-crash": "engine-crash",
+        "bundle-corruption": "bundle-corruption",
+        "network-delay": "network-delay",
+        "clock-skew": "clock-skew",
+        "governance-corruption": "governance-corruption",
+        "partial-rollout-failure": "partial-rollout-failure",
+    };
+    const sc = map[scenario];
+    if (!sc)
+        usage();
+    const out = await runChaosScenario(sc);
+    console.log(JSON.stringify(out, null, 2));
+    if (out.result !== "ok") {
+        process.exitCode = 2;
+    }
+}

package/dist/commands/dev.d.ts

@@ -0,0 +1 @@
+export declare function runDev(argv: string[]): Promise<void>;

package/dist/commands/dev.js

@@ -0,0 +1,27 @@
+import { parseArgs } from "node:util";
+import { DEFAULT_DEV_PORT, printDevBanner, startDevAuthority } from "../dev/authority.js";
+export async function runDev(argv) {
+    const { values } = parseArgs({
+        args: argv,
+        options: {
+            port: { type: "string", default: String(DEFAULT_DEV_PORT) },
+            swift: { type: "boolean", default: false },
+        },
+        allowPositionals: false,
+        strict: true,
+    });
+    const port = Math.max(1, Math.min(65535, parseInt(String(values.port), 10) || DEFAULT_DEV_PORT));
+    const running = await startDevAuthority({ port, preferSwift: values.swift });
+    printDevBanner(running);
+    await new Promise((resolve) => {
+        const onExit = () => resolve();
+        running.process.on("exit", onExit);
+        const sig = () => {
+            running.process.removeListener("exit", onExit);
+            running.process.kill("SIGTERM");
+            setTimeout(() => process.exit(0), 200);
+        };
+        process.on("SIGINT", sig);
+        process.on("SIGTERM", sig);
+    });
+}

package/dist/commands/doctor.d.ts

@@ -0,0 +1 @@
+export declare function runDoctor(_argv: string[]): Promise<void>;

package/dist/commands/doctor.js

@@ -0,0 +1,50 @@
+import { createConnection } from "node:net";
+import { findMonorepoRoot } from "../dev/repoRoot.js";
+import { DEFAULT_DEV_PORT, MOCK_AUTHORITY_PUBLIC_KEY_HEX } from "../dev/authority.js";
+function checkPortOpen(port, host) {
+    return new Promise((resolve) => {
+        const c = createConnection({ port, host, timeout: 2000 });
+        c.once("connect", () => {
+            c.destroy();
+            resolve(true);
+        });
+        c.once("error", () => resolve(false));
+    });
+}
+export async function runDoctor(_argv) {
+    const ver = process.version;
+    const major = parseInt(ver.slice(1).split(".")[0] || "0", 10);
+    if (major < 20) {
+        console.log(`❌ Node ${ver} — TrigGuard CLI expects Node 20+`);
+    }
+    else {
+        console.log(`✅ Node ${ver}`);
+    }
+    const root = findMonorepoRoot();
+    if (root) {
+        console.log(`✅ Monorepo root: ${root}`);
+    }
+    else {
+        console.log("⚠️  Monorepo root not detected (no sdk/node @trigguard/decision from cwd). `trigguard dev` needs a TrigGuard clone or TRIGGUARD_MOCK_AUTHORITY_SCRIPT.");
+    }
+    const port = Math.max(1, Math.min(65535, parseInt(process.env.TRIGGUARD_DEV_PORT || String(DEFAULT_DEV_PORT), 10) || DEFAULT_DEV_PORT));
+    const up = await checkPortOpen(port, "127.0.0.1");
+    if (up) {
+        const http = await import("node:http");
+        const ok = await new Promise((resolve) => {
+            http
+                .get(`http://127.0.0.1:${port}/health`, (r) => {
+                resolve(r.statusCode === 200);
+            })
+                .on("error", () => resolve(false));
+        });
+        console.log(ok
+            ? `✅ Local authority on http://127.0.0.1:${port}/health (responding)`
+            : `⚠️  Port ${port} is open but /health did not return 200`);
+    }
+    else {
+        console.log(`ℹ️  No process listening on 127.0.0.1:${port} — run: trigguard dev  (or set TRIGGUARD_DEV_PORT for doctor checks)`);
+    }
+    console.log("Fixture public key (mock authority):", MOCK_AUTHORITY_PUBLIC_KEY_HEX);
+    process.exit(0);
+}

package/dist/commands/log.d.ts

@@ -0,0 +1,3 @@
+export declare function runLogRoot(argv: string[]): Promise<void>;
+export declare function runLogInclusion(argv: string[]): Promise<void>;
+export declare function runLogVerify(argv: string[]): Promise<void>;

package/dist/commands/log.js

@@ -0,0 +1,119 @@
+import { parseArgs } from "node:util";
+import { verifyConsistency } from "trigguard-log-core/consistencyVerifier";
+function baseUrl(values) {
+    const raw = (typeof values["log-url"] === "string" && values["log-url"]) ||
+        process.env.TRIGGUARD_DECISION_LOG_URL ||
+        "http://127.0.0.1:3001";
+    return String(raw).replace(/\/$/, "");
+}
+function asString(value) {
+    if (value === null || value === undefined)
+        return "";
+    return typeof value === "string" || typeof value === "number" || typeof value === "boolean"
+        ? String(value)
+        : "";
+}
+export async function runLogRoot(argv) {
+    const { values } = parseArgs({
+        args: argv,
+        options: { "log-url": { type: "string" }, json: { type: "boolean", default: false } },
+        allowPositionals: true,
+        strict: true,
+    });
+    const res = await fetch(`${baseUrl(values)}/v1/log/root`, { headers: { Accept: "application/json" } });
+    if (!res.ok)
+        throw new Error(`log root failed: HTTP ${res.status}`);
+    const out = (await res.json());
+    if (values.json)
+        console.log(JSON.stringify(out));
+    else {
+        console.log(`log_id: ${asString(out.log_id)}`);
+        console.log(`tree_size: ${asString(out.tree_size)}`);
+        console.log(`root_hash: ${asString(out.root_hash)}`);
+        console.log(`timestamp: ${asString(out.timestamp)}`);
+    }
+}
+export async function runLogInclusion(argv) {
+    const { values, positionals } = parseArgs({
+        args: argv,
+        options: {
+            "log-url": { type: "string" },
+            "execution-id": { type: "string" },
+            "leaf-index": { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const executionId = (typeof values["execution-id"] === "string" && values["execution-id"]) || positionals[0];
+    const leafIndex = typeof values["leaf-index"] === "string" ? values["leaf-index"] : undefined;
+    if (!executionId && !leafIndex) {
+        throw new Error("Usage: trigguard log inclusion (--execution-id <id> | --leaf-index <n>) [--log-url URL] [--json]");
+    }
+    const qs = new URLSearchParams();
+    if (executionId)
+        qs.set("execution_id", executionId);
+    if (leafIndex)
+        qs.set("leaf_index", leafIndex);
+    const res = await fetch(`${baseUrl(values)}/v1/log/inclusion?${qs.toString()}`, { headers: { Accept: "application/json" } });
+    if (!res.ok)
+        throw new Error(`log inclusion failed: HTTP ${res.status}`);
+    const out = (await res.json());
+    if (values.json)
+        console.log(JSON.stringify(out));
+    else {
+        console.log(`log_index: ${asString(out.log_index)}`);
+        console.log(`execution_id: ${asString(out.execution_id)}`);
+        const tree = (out.tree_head ?? {});
+        console.log(`tree_size: ${asString(tree.tree_size)}`);
+        console.log(`root_hash: ${asString(tree.root_hash)}`);
+    }
+}
+export async function runLogVerify(argv) {
+    const { values } = parseArgs({
+        args: argv,
+        options: {
+            "log-url": { type: "string" },
+            from: { type: "string" },
+            to: { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const from = Number(values.from);
+    const to = Number(values.to);
+    if (!Number.isInteger(from) || !Number.isInteger(to) || from <= 0 || to <= from) {
+        throw new Error("Usage: trigguard log verify --from <oldTreeSize> --to <newTreeSize> [--log-url URL] [--json]");
+    }
+    const b = baseUrl(values);
+    const [consistencyRes, rootRes] = await Promise.all([
+        fetch(`${b}/v1/log/consistency?from=${from}&to=${to}`, { headers: { Accept: "application/json" } }),
+        fetch(`${b}/v1/log/root`, { headers: { Accept: "application/json" } }),
+    ]);
+    if (!consistencyRes.ok)
+        throw new Error(`log consistency fetch failed: HTTP ${consistencyRes.status}`);
+    if (!rootRes.ok)
+        throw new Error(`log root fetch failed: HTTP ${rootRes.status}`);
+    const consistency = (await consistencyRes.json());
+    const currentRoot = (await rootRes.json());
+    const hashes = Array.isArray(consistency.consistency_proof_hashes)
+        ? consistency.consistency_proof_hashes.map(String)
+        : [];
+    const ok = verifyConsistency({
+        treeSize: from,
+        rootHash: asString(consistency.old_root_hash),
+        timestamp: Date.now(),
+    }, {
+        treeSize: to,
+        rootHash: asString(consistency.new_root_hash) || asString(currentRoot.root_hash),
+        timestamp: Date.now(),
+    }, { hashes });
+    const out = { valid: ok, from, to, proof_len: hashes.length };
+    if (values.json)
+        console.log(JSON.stringify(out));
+    else
+        console.log(ok ? `OK append-only consistency verified (${from} -> ${to})` : `INVALID consistency proof (${from} -> ${to})`);
+    if (!ok)
+        process.exit(2);
+}

package/dist/commands/logMonitor.d.ts

@@ -0,0 +1 @@
+export declare function runLogMonitor(argv: string[]): Promise<void>;

package/dist/commands/logMonitor.js

@@ -0,0 +1,65 @@
+import { parseArgs } from "node:util";
+function baseUrlFromArgs(values) {
+    const raw = (typeof values["log-url"] === "string" && values["log-url"]) ||
+        process.env.TRIGGUARD_RECEIPT_LOG_URL ||
+        "http://127.0.0.1:3847";
+    return String(raw).replace(/\/$/, "");
+}
+async function fetchJson(url) {
+    const res = await fetch(url, { headers: { Accept: "application/json" } });
+    if (!res.ok)
+        throw new Error(`HTTP ${res.status}`);
+    return (await res.json());
+}
+export async function runLogMonitor(argv) {
+    const { values } = parseArgs({
+        args: argv,
+        options: {
+            "log-url": { type: "string" },
+            interval: { type: "string" },
+            once: { type: "boolean", default: false },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const base = baseUrlFromArgs(values);
+    const intervalMs = Math.max(1000, parseInt(String(values.interval || "5000"), 10) || 5000);
+    let lastRoot = "";
+    let lastCount = -1;
+    const poll = async () => {
+        const list = await fetchJson(`${base}/v1/receipts`);
+        const count = Number(list.count || 0);
+        if (count === 0) {
+            const msg = { ok: true, count, note: "no_receipts" };
+            console.log(values.json ? JSON.stringify(msg) : "log monitor: no receipts");
+            return;
+        }
+        const latestId = list.receipts[count - 1]?.receipt_id;
+        if (!latestId)
+            throw new Error("missing latest receipt id");
+        const proof = await fetchJson(`${base}/v1/receipts/${encodeURIComponent(latestId)}/proof`);
+        if (lastCount === count && lastRoot && proof.merkle_root !== lastRoot) {
+            throw new Error(`fork_detected count=${count} previous_root=${lastRoot} new_root=${proof.merkle_root}`);
+        }
+        lastCount = count;
+        lastRoot = proof.merkle_root;
+        const out = {
+            ok: true,
+            count,
+            merkle_root: proof.merkle_root,
+            latest_receipt_id: latestId,
+            latest_leaf_index: proof.leaf_index,
+            proof_len: Array.isArray(proof.inclusion_proof) ? proof.inclusion_proof.length : 0,
+        };
+        console.log(values.json ? JSON.stringify(out) : `log monitor: count=${count} root=${proof.merkle_root}`);
+    };
+    await poll();
+    if (values.once)
+        return;
+    setInterval(() => {
+        poll().catch((e) => {
+            console.error(`log monitor error: ${e instanceof Error ? e.message : String(e)}`);
+        });
+    }, intervalMs);
+}

package/dist/commands/login-web.d.ts

@@ -0,0 +1 @@
+export declare function runLoginWeb(args: string[]): Promise<void>;

package/dist/commands/login-web.js

@@ -0,0 +1,80 @@
+import { spawn } from "node:child_process";
+import { hasFlag } from "../tg/args.js";
+import { loadConfig, saveConfig } from "../cp/config.js";
+import { defaultMachineLabel, ensureCliApiKey, } from "../cp/provisionCliKey.js";
+import { startCliDeviceAuth, waitForCliDeviceAuth, } from "../cp/cliDeviceAuth.js";
+async function openBrowser(url) {
+    const platform = process.platform;
+    let cmd;
+    let args;
+    if (platform === "darwin") {
+        cmd = "open";
+        args = [url];
+    }
+    else if (platform === "win32") {
+        cmd = "cmd";
+        args = ["/c", "start", "", url];
+    }
+    else {
+        cmd = "xdg-open";
+        args = [url];
+    }
+    await new Promise((resolve, reject) => {
+        const child = spawn(cmd, args, { stdio: "ignore", detached: true });
+        child.on("error", reject);
+        child.unref();
+        resolve();
+    });
+}
+export async function runLoginWeb(args) {
+    const json = hasFlag(args, "--json");
+    const config = loadConfig();
+    const machineLabel = defaultMachineLabel();
+    const started = await startCliDeviceAuth(config, machineLabel);
+    if (!json) {
+        console.log("Opening browser to sign in to TrigGuard...");
+        console.log(`If the browser does not open, visit:\n  ${started.verificationUrl}`);
+        console.log(`Enter code: ${started.userCode}`);
+    }
+    try {
+        await openBrowser(started.verificationUrl);
+    }
+    catch {
+        if (!json) {
+            console.log("Could not launch a browser automatically. Use the URL above.");
+        }
+    }
+    const complete = await waitForCliDeviceAuth(config, started.deviceCode, started.expiresIn);
+    const orgId = complete.activeOrgId;
+    if (!orgId) {
+        throw new Error("No workspace available after login. Verify email in console, then retry.");
+    }
+    const key = await ensureCliApiKey({ ...config, sessionToken: complete.token }, orgId, complete.rawApiKey, machineLabel, complete.apiKeyId);
+    saveConfig({
+        version: 1,
+        controlPlaneUrl: config.controlPlaneUrl,
+        environment: config.environment,
+        sessionToken: complete.token,
+        activeOrgId: orgId,
+        user: { id: complete.user.id, email: complete.user.email },
+        apiKey: key.rawKey,
+        apiKeyId: key.keyId,
+        apiKeyDisplayName: key.displayName,
+    });
+    if (json) {
+        console.log(JSON.stringify({
+            ok: true,
+            user: complete.user,
+            activeOrgId: orgId,
+            orgName: complete.orgName,
+            apiKeyConfigured: true,
+            apiKeySource: "config",
+        }, null, 2));
+        return;
+    }
+    console.log(`Signed in as ${complete.user.email}`);
+    console.log(`Workspace: ${complete.orgName ?? orgId}`);
+    console.log("API key configured for this machine.");
+    console.log("");
+    console.log("Next: tg authorize --surface deploy.release --actor demo --intent \"test deploy\"");
+}

package/dist/commands/policy-distribution.d.ts

@@ -0,0 +1,10 @@
+export declare function runPolicySync(argv: string[]): Promise<void>;
+export declare function runPolicyState(): Promise<void>;
+export declare function runPolicyVerifyManifest(argv: string[]): Promise<void>;
+export declare function runPolicyRequestChange(argv: string[]): Promise<void>;
+export declare function runPolicyApprove(argv: string[]): Promise<void>;
+export declare function runPolicyReject(argv: string[]): Promise<void>;
+export declare function runPolicySetWindow(argv: string[]): Promise<void>;
+export declare function runPolicyBreakGlass(argv: string[]): Promise<void>;
+export declare function runPolicyBreakGlassEnd(): Promise<void>;
+export declare function runPolicyPending(): Promise<void>;