@trigguard/cli 0.1.1

package/dist/commands/verify.js

@@ -0,0 +1,127 @@
+import { parseArgs } from "node:util";
+import { readFile } from "node:fs/promises";
+import { basename, dirname, join } from "node:path";
+import { readdirSync, writeFileSync } from "node:fs";
+import { verifyReceipt as verifyExternalReceipt, generateEvidencePack, } from "trigguard-verifier";
+function usage() {
+    console.error("Usage: trigguard verify <receipt.json> [--public-key <pem>] [--public-key-file <path>] [--bundle <bundle.json>] " +
+        "[--log-public-key <pem>] [--log-public-key-file <path>] [--engine-version <x.y.z>] [--evidence-pack <path>] " +
+        "[--audit <receipts/*.json>] [--json]");
+    process.exit(1);
+}
+function resolveGlob(pattern) {
+    if (!pattern.includes("*"))
+        return [pattern];
+    const dir = dirname(pattern);
+    const mask = basename(pattern);
+    const [prefix, suffix] = mask.split("*");
+    return readdirSync(dir)
+        .filter((name) => name.startsWith(prefix || "") && name.endsWith(suffix || ""))
+        .map((name) => join(dir, name))
+        .sort((a, b) => a.localeCompare(b, "en"));
+}
+export async function runVerify(argv) {
+    const { values, positionals } = parseArgs({
+        args: argv,
+        options: {
+            "public-key": { type: "string" },
+            "public-key-file": { type: "string" },
+            "log-public-key": { type: "string" },
+            "log-public-key-file": { type: "string" },
+            bundle: { type: "string" },
+            "engine-version": { type: "string" },
+            "evidence-pack": { type: "string" },
+            audit: { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const readText = async (p) => readFile(p, "utf8");
+    const pickKey = async (inlineKey, filePath, envVar) => {
+        if (inlineKey?.trim())
+            return inlineKey.trim();
+        if (filePath?.trim())
+            return (await readText(filePath.trim())).trim();
+        return (process.env[envVar] || "").trim();
+    };
+    const authorityPublicKeyPem = await pickKey(typeof values["public-key"] === "string" ? values["public-key"] : undefined, typeof values["public-key-file"] === "string" ? values["public-key-file"] : undefined, "TRIGGUARD_AUTHORITY_PUBLIC_KEY");
+    if (!authorityPublicKeyPem) {
+        console.error("Missing authority public key. Set --public-key, --public-key-file, or TRIGGUARD_AUTHORITY_PUBLIC_KEY.");
+        process.exit(1);
+    }
+    const logPublicKeyPem = await pickKey(typeof values["log-public-key"] === "string" ? values["log-public-key"] : undefined, typeof values["log-public-key-file"] === "string" ? values["log-public-key-file"] : undefined, "TRIGGUARD_LOG_PUBLIC_KEY");
+    const bundlePath = typeof values.bundle === "string" ? values.bundle.trim() : "";
+    const bundle = bundlePath ? JSON.parse(await readText(bundlePath)) : undefined;
+    const expectedEngineVersion = (typeof values["engine-version"] === "string" ? values["engine-version"] : undefined) ||
+        process.env.TRIGGUARD_ENGINE_VERSION ||
+        "1.0.0";
+    const verifyOne = async (receiptPath) => {
+        const raw = await readText(receiptPath);
+        const receipt = JSON.parse(raw);
+        const result = verifyExternalReceipt(receipt, {
+            authorityPublicKeyPem,
+            logPublicKeyPem: logPublicKeyPem || undefined,
+            bundle,
+            expectedEngineVersion,
+        });
+        return { path: receiptPath, result };
+    };
+    const auditPattern = typeof values.audit === "string" ? values.audit.trim() : "";
+    if (auditPattern) {
+        const files = resolveGlob(auditPattern);
+        if (files.length === 0) {
+            console.error(`No receipts matched --audit pattern: ${auditPattern}`);
+            process.exit(1);
+        }
+        const results = await Promise.all(files.map((f) => verifyOne(f)));
+        const verified = results.filter((r) => r.result.valid).length;
+        const failed = results.length - verified;
+        const bundleVersions = Array.from(new Set(results
+            .map((r) => {
+            if (!r.result.valid)
+                return "";
+            const v = (r.result.verified_bundle_hash || "").trim();
+            return v;
+        })
+            .filter(Boolean)));
+        const policyVersions = Array.from(new Set(results.map(() => expectedEngineVersion)));
+        const summary = {
+            total_receipts: results.length,
+            verified,
+            failed,
+            bundle_versions: bundleVersions,
+            policy_versions: policyVersions,
+            results: results.map((r) => ({ file: r.path, ...r.result })),
+        };
+        writeFileSync("audit-summary.json", `${JSON.stringify(summary, null, 2)}\n`, "utf8");
+        if (values.json)
+            console.log(JSON.stringify(summary));
+        else
+            console.log("Audit complete: audit-summary.json");
+        process.exit(failed === 0 ? 0 : 1);
+    }
+    const file = positionals[0];
+    if (!file)
+        usage();
+    const out = await verifyOne(file);
+    if (values["evidence-pack"] && typeof values["evidence-pack"] === "string") {
+        const receiptRaw = JSON.parse(await readText(file));
+        generateEvidencePack(receiptRaw, out.result, values["evidence-pack"]);
+    }
+    if (values.json) {
+        console.log(JSON.stringify(out.result));
+        process.exit(out.result.valid ? 0 : 1);
+    }
+    if (out.result.valid) {
+        console.log("VERIFIED");
+        console.log(`decision: ${out.result.decision}`);
+        if (out.result.verified_bundle_hash)
+            console.log(`bundle_hash: ${out.result.verified_bundle_hash}`);
+        console.log(`engine_version: ${out.result.verified_engine_version}`);
+        process.exit(0);
+    }
+    console.log("VERIFICATION FAILED");
+    console.log(`${out.result.code}: ${out.result.reason}`);
+    process.exit(1);
+}

package/dist/commands/verifyBundle.d.ts

@@ -0,0 +1 @@
+export declare function runVerifyBundle(argv: string[]): Promise<void>;

package/dist/commands/verifyBundle.js

@@ -0,0 +1,109 @@
+import { parseArgs } from "node:util";
+import { readFile } from "node:fs/promises";
+import { availableParallelism } from "node:os";
+import { verifyReceipt } from "@trigguard/receipt-verify";
+async function mapPool(items, concurrency, fn) {
+    const results = new Array(items.length);
+    let next = 0;
+    async function worker() {
+        for (;;) {
+            const i = next++;
+            if (i >= items.length)
+                return;
+            results[i] = await fn(items[i], i);
+        }
+    }
+    const n = Math.max(1, Math.min(concurrency, items.length));
+    await Promise.all(Array.from({ length: n }, () => worker()));
+    return results;
+}
+export async function runVerifyBundle(argv) {
+    const { values, positionals } = parseArgs({
+        args: argv,
+        options: {
+            "public-key": { type: "string" },
+            "public-key-file": { type: "string" },
+            "keys-url": { type: "string" },
+            concurrency: { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const file = positionals[0];
+    if (!file) {
+        console.error("Usage: trigguard verify-bundle <receipts.jsonl> [--public-key …] [--public-key-file …] [--keys-url URL] [--concurrency N]");
+        process.exit(1);
+    }
+    const publicKey = values["public-key"]?.trim();
+    const publicKeyFile = values["public-key-file"]?.trim();
+    if (!publicKey && !publicKeyFile && !process.env.TRIGGUARD_KEYS_URL?.trim()) {
+        console.error("Provide --public-key or --public-key-file (offline), or TRIGGUARD_KEYS_URL / --keys-url for key fetch.");
+        process.exit(1);
+    }
+    const keysUrl = values["keys-url"]?.trim() || process.env.TRIGGUARD_KEYS_URL?.trim();
+    const conc = Math.max(1, parseInt(String(values.concurrency || ""), 10) || availableParallelism());
+    const text = await readFile(file, "utf8");
+    const lines = text.split("\n").map((s) => s.trim()).filter(Boolean);
+    const t0 = Date.now();
+    const lineResults = await mapPool(lines, conc, async (line, idx) => {
+        const lineNo = idx + 1;
+        let obj;
+        try {
+            obj = JSON.parse(line);
+        }
+        catch {
+            return { line: lineNo, valid: false, reason: "invalid_json" };
+        }
+        if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
+            return { line: lineNo, valid: false, reason: "not_object" };
+        }
+        const rec = "receipt" in obj && typeof obj.receipt === "object"
+            ? obj.receipt
+            : obj;
+        try {
+            const vr = await verifyReceipt(rec, {
+                ...(publicKey ? { publicKey } : {}),
+                ...(publicKeyFile ? { publicKeyFile } : {}),
+                ...(keysUrl ? { keysUrl } : {}),
+            });
+            return {
+                line: lineNo,
+                valid: Boolean(vr.valid),
+                reason: vr.reason,
+                receipt_id: vr.receipt_id,
+            };
+        }
+        catch (e) {
+            return {
+                line: lineNo,
+                valid: false,
+                reason: e instanceof Error ? e.message : String(e),
+            };
+        }
+    });
+    const valid = lineResults.filter((r) => r.valid).length;
+    const invalid = lineResults.length - valid;
+    const ms = Date.now() - t0;
+    if (values.json) {
+        console.log(JSON.stringify({
+            total: lineResults.length,
+            valid,
+            invalid,
+            ms,
+            results: lineResults,
+        }));
+    }
+    else {
+        console.log(`Total receipts: ${lineResults.length}`);
+        console.log(`Valid: ${valid}`);
+        console.log(`Invalid: ${invalid}`);
+        console.log(`Verification time: ${ms} ms (concurrency=${conc})`);
+        for (const r of lineResults) {
+            if (!r.valid) {
+                console.log(`  line ${r.line}: FAIL ${r.reason ?? ""}`);
+            }
+        }
+    }
+    process.exit(invalid > 0 ? 1 : 0);
+}

package/dist/commands/verifyReceiptCmd.d.ts

@@ -0,0 +1 @@
+export declare function runVerifyReceipt(argv: string[]): Promise<void>;

package/dist/commands/verifyReceiptCmd.js

@@ -0,0 +1,49 @@
+import { createRequire } from "node:module";
+import { parseArgs } from "node:util";
+import { readFile } from "node:fs/promises";
+import { readStdin } from "../stdin.js";
+// eslint-disable-next-line @typescript-eslint/no-require-imports, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
+const { verifyReceipt } = createRequire(import.meta.url)("@trigguard/decision");
+export async function runVerifyReceipt(argv) {
+    const { values, positionals } = parseArgs({
+        args: argv,
+        options: {
+            "public-key": { type: "string" },
+            json: { type: "boolean", default: false },
+        },
+        allowPositionals: true,
+        strict: true,
+    });
+    const pub = values["public-key"]?.trim() ||
+        process.env.TRIGGUARD_AUTHORITY_PUBLIC_KEY?.trim() ||
+        process.env.AUTHORITY_PUBLIC_KEY?.trim();
+    if (!pub) {
+        console.error("Usage: trigguard verify-receipt <file.json> [--public-key 64-hex] (or set TRIGGUARD_AUTHORITY_PUBLIC_KEY)");
+        process.exit(1);
+    }
+    const first = positionals[0];
+    if (!first) {
+        console.error("Usage: trigguard verify-receipt <file.json|-");
+        process.exit(1);
+    }
+    const text = first === "-" ? await readStdin() : await readFile(first, "utf8");
+    const body = JSON.parse(text);
+    const decision = String(body.decision ?? "");
+    const reason = String(body.reason ?? "");
+    const policyFingerprint = String(body.policyFingerprint ?? "");
+    const timestamp = String(body.timestamp ?? "");
+    const receiptSignature = String(body.receiptSignature ||
+        String(body.receipt?.signature || ""));
+    if (!receiptSignature) {
+        console.error("JSON must include receiptSignature (Execution Authority /decide response shape)");
+        process.exit(1);
+    }
+    const ok = verifyReceipt({ decision, reason, policyFingerprint, timestamp }, receiptSignature, pub);
+    if (values.json) {
+        console.log(JSON.stringify({ valid: ok, decision, reason }));
+    }
+    else {
+        console.log(ok ? "OK  receipt signature is valid" : "INVALID  receipt signature");
+    }
+    process.exit(ok ? 0 : 1);
+}

package/dist/commands/witness.d.ts

@@ -0,0 +1 @@
+export declare function runWitness(argv: string[]): Promise<void>;

package/dist/commands/witness.js

@@ -0,0 +1,22 @@
+import { spawn } from "node:child_process";
+export async function runWitness(argv) {
+    const sub = argv[0];
+    if (sub !== "run") {
+        console.error("Usage: trigguard witness run");
+        process.exit(1);
+        return;
+    }
+    const child = spawn("npm", ["--workspace", "packages/trigguard-log-witness", "run", "start"], {
+        stdio: "inherit",
+        env: process.env,
+    });
+    await new Promise((resolve, reject) => {
+        child.on("exit", (code) => {
+            if (code === 0)
+                resolve();
+            else
+                reject(new Error(`witness exited with code ${String(code)}`));
+        });
+        child.on("error", reject);
+    });
+}

package/dist/cp/cliDeviceAuth.d.ts

@@ -0,0 +1,24 @@
+import type { TrigGuardCliConfig } from "./types.js";
+export interface CliDeviceStartResponse {
+    deviceCode: string;
+    userCode: string;
+    expiresIn: number;
+    verificationUrl: string;
+}
+export interface CliDeviceCompleteResponse {
+    status: "complete";
+    token: string;
+    user: {
+        id: string;
+        email: string;
+    };
+    activeOrgId: string | null;
+    orgName: string | null;
+    rawApiKey: string;
+    apiKeyId: string;
+}
+export declare function startCliDeviceAuth(config: TrigGuardCliConfig, machineLabel: string): Promise<CliDeviceStartResponse>;
+export declare function pollCliDeviceAuth(config: TrigGuardCliConfig, deviceCode: string): Promise<{
+    status: "pending";
+} | CliDeviceCompleteResponse>;
+export declare function waitForCliDeviceAuth(config: TrigGuardCliConfig, deviceCode: string, expiresInSec: number): Promise<CliDeviceCompleteResponse>;

package/dist/cp/cliDeviceAuth.js

@@ -0,0 +1,68 @@
+export async function startCliDeviceAuth(config, machineLabel) {
+    const res = await fetch(`${config.controlPlaneUrl}/auth/cli/device/start`, {
+        method: "POST",
+        headers: { Accept: "application/json", "Content-Type": "application/json" },
+        body: JSON.stringify({ machineLabel }),
+        signal: AbortSignal.timeout(30_000),
+    });
+    const body = (await res.json().catch(() => ({})));
+    if (!res.ok) {
+        throw new Error(String(body.error ?? `device_start_failed_${res.status}`));
+    }
+    const deviceCode = typeof body.deviceCode === "string" ? body.deviceCode : "";
+    const userCode = typeof body.userCode === "string" ? body.userCode : "";
+    const verificationUrl = typeof body.verificationUrl === "string" ? body.verificationUrl : "";
+    if (!deviceCode || !userCode || !verificationUrl) {
+        throw new Error("device_start_invalid");
+    }
+    return {
+        deviceCode,
+        userCode,
+        expiresIn: typeof body.expiresIn === "number" ? body.expiresIn : 900,
+        verificationUrl,
+    };
+}
+export async function pollCliDeviceAuth(config, deviceCode) {
+    const url = new URL(`${config.controlPlaneUrl}/auth/cli/device/poll`);
+    url.searchParams.set("device_code", deviceCode);
+    const res = await fetch(url, {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(30_000),
+    });
+    const body = (await res.json().catch(() => ({})));
+    if (res.status === 410) {
+        throw new Error("device_code_expired");
+    }
+    if (!res.ok) {
+        throw new Error(String(body.error ?? `device_poll_failed_${res.status}`));
+    }
+    if (body.status === "pending") {
+        return { status: "pending" };
+    }
+    const token = typeof body.token === "string" ? body.token : "";
+    const user = body.user;
+    const rawApiKey = typeof body.rawApiKey === "string" ? body.rawApiKey : "";
+    const apiKeyId = typeof body.apiKeyId === "string" ? body.apiKeyId : "";
+    if (!token || !user?.email || !rawApiKey) {
+        throw new Error("device_complete_invalid");
+    }
+    return {
+        status: "complete",
+        token,
+        user: { id: String(user.id ?? ""), email: user.email },
+        activeOrgId: typeof body.activeOrgId === "string" ? body.activeOrgId : null,
+        orgName: typeof body.orgName === "string" ? body.orgName : null,
+        rawApiKey,
+        apiKeyId,
+    };
+}
+export async function waitForCliDeviceAuth(config, deviceCode, expiresInSec) {
+    const deadline = Date.now() + expiresInSec * 1000;
+    while (Date.now() < deadline) {
+        const polled = await pollCliDeviceAuth(config, deviceCode);
+        if (polled.status === "complete")
+            return polled;
+        await new Promise((r) => setTimeout(r, 2000));
+    }
+    throw new Error("device_login_timeout");
+}

package/dist/cp/client.d.ts

@@ -0,0 +1,19 @@
+import type { ControlPlaneOrgSummary, ControlPlaneUser, TrigGuardCliConfig } from "./types.js";
+export declare class ControlPlaneError extends Error {
+    readonly status: number;
+    readonly code: string;
+    constructor(status: number, code: string, message?: string);
+}
+export declare function controlPlaneFetch<T>(config: TrigGuardCliConfig, path: string, init?: RequestInit & {
+    sessionToken?: string | null;
+}): Promise<T>;
+export declare function loginWithPassword(config: TrigGuardCliConfig, email: string, password: string): Promise<{
+    token: string;
+    user: ControlPlaneUser;
+}>;
+export declare function fetchMe(config: TrigGuardCliConfig): Promise<ControlPlaneUser>;
+export declare function fetchDashboardOrgs(config: TrigGuardCliConfig): Promise<{
+    user: ControlPlaneUser;
+    orgs: ControlPlaneOrgSummary[];
+}>;
+export declare function resolveActiveOrg(orgs: readonly ControlPlaneOrgSummary[], activeOrgId: string | undefined): ControlPlaneOrgSummary | null;

package/dist/cp/client.js

@@ -0,0 +1,73 @@
+export class ControlPlaneError extends Error {
+    status;
+    code;
+    constructor(status, code, message) {
+        super(message ?? code);
+        this.status = status;
+        this.code = code;
+    }
+}
+async function parseJson(res) {
+    try {
+        const data = await res.json();
+        return data && typeof data === "object" ? data : {};
+    }
+    catch {
+        return {};
+    }
+}
+export async function controlPlaneFetch(config, path, init = {}) {
+    const token = init.sessionToken !== undefined ? init.sessionToken : config.sessionToken;
+    const headers = new Headers(init.headers);
+    headers.set("Accept", "application/json");
+    if (token)
+        headers.set("Authorization", `Bearer ${token}`);
+    const res = await fetch(`${config.controlPlaneUrl}${path}`, {
+        ...init,
+        headers,
+        signal: AbortSignal.timeout(30_000),
+    });
+    const body = await parseJson(res);
+    if (!res.ok) {
+        const code = typeof body.error === "string" ? body.error : `http_${res.status}`;
+        throw new ControlPlaneError(res.status, code);
+    }
+    return body;
+}
+export async function loginWithPassword(config, email, password) {
+    const data = await controlPlaneFetch(config, "/login", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email: email.trim(), password }),
+        sessionToken: null,
+    });
+    const token = typeof data.token === "string" ? data.token : "";
+    const user = data.user;
+    if (!token || !user?.id || !user.email) {
+        throw new Error("login_response_invalid");
+    }
+    return { token, user };
+}
+export async function fetchMe(config) {
+    const me = await controlPlaneFetch(config, "/me", { method: "GET" });
+    if (!me.id || !me.email)
+        throw new Error("me_response_invalid");
+    return me;
+}
+export async function fetchDashboardOrgs(config) {
+    const data = await controlPlaneFetch(config, "/dashboard/org", { method: "GET" });
+    return {
+        user: data.user ?? { id: "", email: "", createdAt: "", emailVerifiedAt: null },
+        orgs: Array.isArray(data.orgs) ? data.orgs : [],
+    };
+}
+export function resolveActiveOrg(orgs, activeOrgId) {
+    if (!orgs.length)
+        return null;
+    if (activeOrgId) {
+        const match = orgs.find((o) => o.orgId === activeOrgId);
+        if (match)
+            return match;
+    }
+    return orgs[0] ?? null;
+}

package/dist/cp/config.d.ts

@@ -0,0 +1,8 @@
+import type { TrigGuardCliConfig, TrigGuardEnvironment } from "./types.js";
+export declare function configDir(): string;
+export declare function configPath(): string;
+export declare function defaultControlPlaneUrl(): string;
+export declare function defaultEnvironment(): TrigGuardEnvironment;
+export declare function loadConfig(): TrigGuardCliConfig;
+export declare function saveConfig(config: TrigGuardCliConfig): void;
+export declare function clearSession(config: TrigGuardCliConfig): TrigGuardCliConfig;

package/dist/cp/config.js

@@ -0,0 +1,113 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+const CONFIG_VERSION = 1;
+const DEFAULT_CP_URL = "https://control.trigguardai.com";
+export function configDir() {
+    const override = process.env.TRIGGUARD_CONFIG_DIR?.trim();
+    if (override)
+        return override;
+    return path.join(os.homedir(), ".trigguard");
+}
+export function configPath() {
+    return path.join(configDir(), "config.json");
+}
+function parseEnvironment(raw) {
+    switch ((raw ?? "production").trim().toLowerCase()) {
+        case "staging":
+            return "staging";
+        case "preview":
+            return "preview";
+        case "local":
+        case "dev":
+        case "development":
+            return "local";
+        default:
+            return "production";
+    }
+}
+export function defaultControlPlaneUrl() {
+    return (process.env.TRIGGUARD_CONTROL_PLANE_URL ?? DEFAULT_CP_URL).replace(/\/$/, "");
+}
+export function defaultEnvironment() {
+    return parseEnvironment(process.env.TRIGGUARD_ENVIRONMENT);
+}
+function readConfigFile(base) {
+    const file = configPath();
+    if (!fs.existsSync(file))
+        return null;
+    try {
+        return JSON.parse(fs.readFileSync(file, "utf8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function loadConfig() {
+    const base = {
+        version: CONFIG_VERSION,
+        controlPlaneUrl: defaultControlPlaneUrl(),
+        environment: defaultEnvironment(),
+    };
+    const parsed = readConfigFile(base);
+    if (parsed?.sessionRevoked) {
+        return {
+            version: CONFIG_VERSION,
+            controlPlaneUrl: (parsed.controlPlaneUrl ?? base.controlPlaneUrl).replace(/\/$/, ""),
+            environment: parseEnvironment(parsed.environment ?? base.environment),
+            sessionRevoked: true,
+        };
+    }
+    const envToken = process.env.TRIGGUARD_SESSION_TOKEN?.trim();
+    if (envToken) {
+        return {
+            ...base,
+            sessionToken: envToken,
+            activeOrgId: process.env.TRIGGUARD_ORG_ID?.trim() || parsed?.activeOrgId?.trim() || undefined,
+            user: parsed?.user,
+            apiKey: parsed?.apiKey?.trim() || undefined,
+            apiKeyId: parsed?.apiKeyId?.trim() || undefined,
+            apiKeyDisplayName: parsed?.apiKeyDisplayName?.trim() || undefined,
+        };
+    }
+    if (!parsed)
+        return base;
+    return {
+        version: CONFIG_VERSION,
+        controlPlaneUrl: (parsed.controlPlaneUrl ?? base.controlPlaneUrl).replace(/\/$/, ""),
+        environment: parseEnvironment(parsed.environment ?? base.environment),
+        sessionToken: parsed.sessionToken?.trim() || undefined,
+        activeOrgId: parsed.activeOrgId?.trim() || process.env.TRIGGUARD_ORG_ID?.trim() || undefined,
+        user: parsed.user,
+        apiKey: parsed.apiKey?.trim() || undefined,
+        apiKeyId: parsed.apiKeyId?.trim() || undefined,
+        apiKeyDisplayName: parsed.apiKeyDisplayName?.trim() || undefined,
+    };
+}
+export function saveConfig(config) {
+    const dir = configDir();
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+    const payload = {
+        version: CONFIG_VERSION,
+        controlPlaneUrl: config.controlPlaneUrl.replace(/\/$/, ""),
+        environment: config.environment,
+        sessionToken: config.sessionToken,
+        activeOrgId: config.activeOrgId,
+        user: config.user,
+        apiKey: config.apiKey,
+        apiKeyId: config.apiKeyId,
+        apiKeyDisplayName: config.apiKeyDisplayName,
+        ...(config.sessionToken ? {} : config.sessionRevoked ? { sessionRevoked: true } : {}),
+    };
+    fs.writeFileSync(configPath(), `${JSON.stringify(payload, null, 2)}\n`, { mode: 0o600 });
+}
+export function clearSession(config) {
+    const next = {
+        version: CONFIG_VERSION,
+        controlPlaneUrl: config.controlPlaneUrl,
+        environment: config.environment,
+        sessionRevoked: true,
+    };
+    saveConfig(next);
+    return next;
+}

package/dist/cp/credentials.d.ts

@@ -0,0 +1,9 @@
+import type { TrigGuardCliConfig } from "./types.js";
+export type ApiKeySource = "env" | "config" | "none";
+export declare function resolveApiKeyFromEnv(): string | undefined;
+export declare function resolveApiKey(config: TrigGuardCliConfig): string | undefined;
+export declare function resolveApiKeySource(config: TrigGuardCliConfig): ApiKeySource;
+export declare function storedCliApiKeyForSession(config: TrigGuardCliConfig, user: {
+    email: string;
+}, activeOrgId: string | undefined): string | null;
+export declare function missingConfiguredApiKeyMessage(): string;

package/dist/cp/credentials.js

@@ -0,0 +1,31 @@
+export function resolveApiKeyFromEnv() {
+    return (process.env.TRIGGUARD_API_KEY?.trim() ||
+        process.env.TG_API_KEY?.trim() ||
+        undefined);
+}
+export function resolveApiKey(config) {
+    return resolveApiKeyFromEnv() ?? (config.apiKey?.trim() || undefined);
+}
+export function resolveApiKeySource(config) {
+    if (resolveApiKeyFromEnv())
+        return "env";
+    if (config.apiKey?.trim())
+        return "config";
+    return "none";
+}
+export function storedCliApiKeyForSession(config, user, activeOrgId) {
+    if (!activeOrgId ||
+        config.user?.email !== user.email ||
+        config.activeOrgId !== activeOrgId ||
+        !config.apiKey?.startsWith("tg_live_")) {
+        return null;
+    }
+    return config.apiKey;
+}
+export function missingConfiguredApiKeyMessage() {
+    return [
+        "No API key configured.",
+        "Run: tg login",
+        "Or export TRIGGUARD_API_KEY for CI/scripts.",
+    ].join("\n");
+}