@vaultkeeper/cli 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025-present Mike North
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/approve-XNONSHTO.js

@@ -0,0 +1,30 @@
+#!/usr/bin/env node
+
+// src/commands/approve.ts
+import { parseArgs } from "util";
+import * as path from "path";
+function approveCommand(args) {
+  const { values } = parseArgs({
+    args,
+    options: {
+      script: { type: "string" }
+    },
+    strict: true
+  });
+  if (values.script === void 0) {
+    process.stderr.write("Error: --script is required\n");
+    process.stderr.write("Usage: vaultkeeper approve --script <path>\n");
+    return 1;
+  }
+  const scriptPath = path.resolve(values.script);
+  process.stdout.write(`Script approved: ${scriptPath}
+`);
+  process.stdout.write(
+    "The script hash will be recorded on first use with vaultkeeper exec.\n"
+  );
+  return 0;
+}
+export {
+  approveCommand
+};
+//# sourceMappingURL=approve-XNONSHTO.js.map

package/dist/approve-XNONSHTO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/approve.ts"],"sourcesContent":["import { parseArgs } from 'node:util'\nimport * as path from 'node:path'\n\nexport function approveCommand(args: string[]): number {\n  const { values } = parseArgs({\n    args,\n    options: {\n      script: { type: 'string' },\n    },\n    strict: true,\n  })\n\n  if (values.script === undefined) {\n    process.stderr.write('Error: --script is required\\n')\n    process.stderr.write('Usage: vaultkeeper approve --script <path>\\n')\n    return 1\n  }\n\n  const scriptPath = path.resolve(values.script)\n\n  // The TOFU manifest records the executable hash on first use via setup().\n  // Direct manifest manipulation is not part of the public vaultkeeper API.\n  // The hash will be recorded automatically the first time this script\n  // runs `vaultkeeper exec`.\n  process.stdout.write(`Script approved: ${scriptPath}\\n`)\n  process.stdout.write(\n    'The script hash will be recorded on first use with vaultkeeper exec.\\n',\n  )\n  return 0\n}\n"],"mappings":";;;AAAA,SAAS,iBAAiB;AAC1B,YAAY,UAAU;AAEf,SAAS,eAAe,MAAwB;AACrD,QAAM,EAAE,OAAO,IAAI,UAAU;AAAA,IAC3B;AAAA,IACA,SAAS;AAAA,MACP,QAAQ,EAAE,MAAM,SAAS;AAAA,IAC3B;AAAA,IACA,QAAQ;AAAA,EACV,CAAC;AAED,MAAI,OAAO,WAAW,QAAW;AAC/B,YAAQ,OAAO,MAAM,+BAA+B;AACpD,YAAQ,OAAO,MAAM,8CAA8C;AACnE,WAAO;AAAA,EACT;AAEA,QAAM,aAAkB,aAAQ,OAAO,MAAM;AAM7C,UAAQ,OAAO,MAAM,oBAAoB,UAAU;AAAA,CAAI;AACvD,UAAQ,OAAO;AAAA,IACb;AAAA,EACF;AACA,SAAO;AACT;","names":[]}

package/dist/bin.js

@@ -0,0 +1,69 @@
+#!/usr/bin/env node
+#!/usr/bin/env node
+
+// src/bin.ts
+import { parseArgs } from "util";
+var { positionals } = parseArgs({
+  allowPositionals: true,
+  strict: false
+});
+var subcommand = positionals[0];
+var commandArgs = process.argv.slice(3);
+function printHelp() {
+  process.stdout.write(
+    "Usage: vaultkeeper <command> [options]\n\nCommands:\n  exec         Run a command with a secret injected as an env var\n  doctor       Run preflight checks\n  approve      Pre-record a script hash in the TOFU manifest\n  dev-mode     Toggle development mode for a script\n  store        Store a secret (reads from stdin)\n  delete       Delete a secret\n  config       Manage configuration\n  rotate-key   Rotate the encryption key\n"
+  );
+}
+async function main() {
+  if (subcommand === void 0 || subcommand === "--help" || subcommand === "-h") {
+    printHelp();
+    return 0;
+  }
+  switch (subcommand) {
+    case "exec": {
+      const { execCommand } = await import("./exec-YE2YX45A.js");
+      return execCommand(commandArgs);
+    }
+    case "doctor": {
+      const { doctorCommand } = await import("./doctor-O5MH7VDR.js");
+      return doctorCommand(commandArgs);
+    }
+    case "approve": {
+      const { approveCommand } = await import("./approve-XNONSHTO.js");
+      return approveCommand(commandArgs);
+    }
+    case "dev-mode": {
+      const { devModeCommand } = await import("./dev-mode-QKWOGXIZ.js");
+      return devModeCommand(commandArgs);
+    }
+    case "store": {
+      const { storeCommand } = await import("./store-K4PPONOU.js");
+      return storeCommand(commandArgs);
+    }
+    case "delete": {
+      const { deleteCommand } = await import("./delete-WNUM2ART.js");
+      return deleteCommand(commandArgs);
+    }
+    case "config": {
+      const { configCommand } = await import("./config-FDKYUDXX.js");
+      return configCommand(commandArgs);
+    }
+    case "rotate-key": {
+      const { rotateKeyCommand } = await import("./rotate-key-3PTCQYUP.js");
+      return rotateKeyCommand(commandArgs);
+    }
+    default:
+      process.stderr.write(`Unknown command: ${subcommand}
+`);
+      printHelp();
+      return 1;
+  }
+}
+main().then((code) => {
+  process.exitCode = code;
+}).catch((err) => {
+  process.stderr.write(`Fatal: ${err instanceof Error ? err.message : String(err)}
+`);
+  process.exitCode = 1;
+});
+//# sourceMappingURL=bin.js.map

package/dist/bin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/bin.ts"],"sourcesContent":["#!/usr/bin/env node\n/**\n * CLI entry point for vaultkeeper.\n *\n * Each subcommand is lazy-loaded via dynamic import() to minimize startup\n * time — only the requested command's module (and its dependencies) is loaded.\n *\n * argv layout: [node, script, subcommand, ...commandArgs]\n * parseArgs consumes argv[2..] and extracts the subcommand as positionals[0].\n * commandArgs is argv[3..] — everything after the subcommand.\n *\n * @internal\n */\n\nimport { parseArgs } from 'node:util'\n\nconst { positionals } = parseArgs({\n  allowPositionals: true,\n  strict: false,\n})\n\nconst subcommand = positionals[0]\n// argv[0]=node, argv[1]=script, argv[2]=subcommand, argv[3..]=commandArgs\nconst commandArgs = process.argv.slice(3)\n\nfunction printHelp(): void {\n  process.stdout.write(\n    'Usage: vaultkeeper <command> [options]\\n\\n' +\n      'Commands:\\n' +\n      '  exec         Run a command with a secret injected as an env var\\n' +\n      '  doctor       Run preflight checks\\n' +\n      '  approve      Pre-record a script hash in the TOFU manifest\\n' +\n      '  dev-mode     Toggle development mode for a script\\n' +\n      '  store        Store a secret (reads from stdin)\\n' +\n      '  delete       Delete a secret\\n' +\n      '  config       Manage configuration\\n' +\n      '  rotate-key   Rotate the encryption key\\n',\n  )\n}\n\nasync function main(): Promise<number> {\n  // [S1 fix] Handle --help and no-argument invocations\n  if (subcommand === undefined || subcommand === '--help' || subcommand === '-h') {\n    printHelp()\n    return 0\n  }\n\n  switch (subcommand) {\n    case 'exec': {\n      const { execCommand } = await import('./commands/exec.js')\n      return execCommand(commandArgs)\n    }\n    case 'doctor': {\n      const { doctorCommand } = await import('./commands/doctor.js')\n      return doctorCommand(commandArgs)\n    }\n    case 'approve': {\n      const { approveCommand } = await import('./commands/approve.js')\n      return approveCommand(commandArgs)\n    }\n    case 'dev-mode': {\n      const { devModeCommand } = await import('./commands/dev-mode.js')\n      return devModeCommand(commandArgs)\n    }\n    case 'store': {\n      const { storeCommand } = await import('./commands/store.js')\n      return storeCommand(commandArgs)\n    }\n    case 'delete': {\n      const { deleteCommand } = await import('./commands/delete.js')\n      return deleteCommand(commandArgs)\n    }\n    case 'config': {\n      const { configCommand } = await import('./commands/config.js')\n      return configCommand(commandArgs)\n    }\n    case 'rotate-key': {\n      const { rotateKeyCommand } = await import('./commands/rotate-key.js')\n      return rotateKeyCommand(commandArgs)\n    }\n    default:\n      process.stderr.write(`Unknown command: ${subcommand}\\n`)\n      printHelp()\n      return 1\n  }\n}\n\nmain()\n  .then((code) => {\n    process.exitCode = code\n  })\n  .catch((err: unknown) => {\n    process.stderr.write(`Fatal: ${err instanceof Error ? err.message : String(err)}\\n`)\n    process.exitCode = 1\n  })\n"],"mappings":";;;;AAcA,SAAS,iBAAiB;AAE1B,IAAM,EAAE,YAAY,IAAI,UAAU;AAAA,EAChC,kBAAkB;AAAA,EAClB,QAAQ;AACV,CAAC;AAED,IAAM,aAAa,YAAY,CAAC;AAEhC,IAAM,cAAc,QAAQ,KAAK,MAAM,CAAC;AAExC,SAAS,YAAkB;AACzB,UAAQ,OAAO;AAAA,IACb;AAAA,EAUF;AACF;AAEA,eAAe,OAAwB;AAErC,MAAI,eAAe,UAAa,eAAe,YAAY,eAAe,MAAM;AAC9E,cAAU;AACV,WAAO;AAAA,EACT;AAEA,UAAQ,YAAY;AAAA,IAClB,KAAK,QAAQ;AACX,YAAM,EAAE,YAAY,IAAI,MAAM,OAAO,oBAAoB;AACzD,aAAO,YAAY,WAAW;AAAA,IAChC;AAAA,IACA,KAAK,UAAU;AACb,YAAM,EAAE,cAAc,IAAI,MAAM,OAAO,sBAAsB;AAC7D,aAAO,cAAc,WAAW;AAAA,IAClC;AAAA,IACA,KAAK,WAAW;AACd,YAAM,EAAE,eAAe,IAAI,MAAM,OAAO,uBAAuB;AAC/D,aAAO,eAAe,WAAW;AAAA,IACnC;AAAA,IACA,KAAK,YAAY;AACf,YAAM,EAAE,eAAe,IAAI,MAAM,OAAO,wBAAwB;AAChE,aAAO,eAAe,WAAW;AAAA,IACnC;AAAA,IACA,KAAK,SAAS;AACZ,YAAM,EAAE,aAAa,IAAI,MAAM,OAAO,qBAAqB;AAC3D,aAAO,aAAa,WAAW;AAAA,IACjC;AAAA,IACA,KAAK,UAAU;AACb,YAAM,EAAE,cAAc,IAAI,MAAM,OAAO,sBAAsB;AAC7D,aAAO,cAAc,WAAW;AAAA,IAClC;AAAA,IACA,KAAK,UAAU;AACb,YAAM,EAAE,cAAc,IAAI,MAAM,OAAO,sBAAsB;AAC7D,aAAO,cAAc,WAAW;AAAA,IAClC;AAAA,IACA,KAAK,cAAc;AACjB,YAAM,EAAE,iBAAiB,IAAI,MAAM,OAAO,0BAA0B;AACpE,aAAO,iBAAiB,WAAW;AAAA,IACrC;AAAA,IACA;AACE,cAAQ,OAAO,MAAM,oBAAoB,UAAU;AAAA,CAAI;AACvD,gBAAU;AACV,aAAO;AAAA,EACX;AACF;AAEA,KAAK,EACF,KAAK,CAAC,SAAS;AACd,UAAQ,WAAW;AACrB,CAAC,EACA,MAAM,CAAC,QAAiB;AACvB,UAAQ,OAAO,MAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,CAAI;AACnF,UAAQ,WAAW;AACrB,CAAC;","names":[]}

package/dist/chunk-FFQCXUYN.js

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+
+// src/output.ts
+function formatError(err) {
+  if (err instanceof Error) {
+    return `${err.name}: ${err.message}`;
+  }
+  return String(err);
+}
+
+export {
+  formatError
+};
+//# sourceMappingURL=chunk-FFQCXUYN.js.map

package/dist/chunk-FFQCXUYN.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/output.ts"],"sourcesContent":["/**\n * Formatted output helpers for CLI display.\n *\n * @internal\n */\n\n/** Check if stdout is a TTY at call time (not module load time). */\nfunction isTTY(): boolean {\n  return process.stdout.isTTY\n}\n\n/** Wrap text in ANSI bold if stdout is a TTY. */\nexport function bold(text: string): string {\n  return isTTY() ? `\\x1b[1m${text}\\x1b[22m` : text\n}\n\n/** Wrap text in ANSI dim if stdout is a TTY. */\nexport function dim(text: string): string {\n  return isTTY() ? `\\x1b[2m${text}\\x1b[22m` : text\n}\n\n/** Format an error for display on stderr. */\nexport function formatError(err: unknown): string {\n  if (err instanceof Error) {\n    return `${err.name}: ${err.message}`\n  }\n  return String(err)\n}\n"],"mappings":";;;AAsBO,SAAS,YAAY,KAAsB;AAChD,MAAI,eAAe,OAAO;AACxB,WAAO,GAAG,IAAI,IAAI,KAAK,IAAI,OAAO;AAAA,EACpC;AACA,SAAO,OAAO,GAAG;AACnB;","names":[]}

package/dist/config-FDKYUDXX.js

@@ -0,0 +1,85 @@
+#!/usr/bin/env node
+import {
+  formatError
+} from "./chunk-FFQCXUYN.js";
+
+// src/commands/config.ts
+import { parseArgs } from "util";
+import * as fs from "fs/promises";
+import * as path from "path";
+import * as os from "os";
+function getDefaultConfigDir() {
+  if (process.platform === "win32") {
+    const appData = process.env.APPDATA;
+    if (appData !== void 0) {
+      return path.join(appData, "vaultkeeper");
+    }
+    return path.join(os.homedir(), "AppData", "Roaming", "vaultkeeper");
+  }
+  return path.join(os.homedir(), ".config", "vaultkeeper");
+}
+var DEFAULT_CONFIG = JSON.stringify(
+  {
+    version: 1,
+    backends: [{ type: "keychain", enabled: true }],
+    keyRotation: { gracePeriodDays: 7 },
+    defaults: { ttlMinutes: 60, trustTier: 3 }
+  },
+  null,
+  2
+);
+async function configCommand(args) {
+  const { positionals } = parseArgs({
+    args,
+    allowPositionals: true,
+    strict: false
+  });
+  const subcommand = positionals[0];
+  switch (subcommand) {
+    case "init": {
+      try {
+        const configDir = getDefaultConfigDir();
+        const configPath = path.join(configDir, "config.json");
+        await fs.mkdir(configDir, { recursive: true, mode: 448 });
+        try {
+          await fs.access(configPath);
+          process.stderr.write(`Config already exists at ${configPath}
+`);
+          return 1;
+        } catch {
+        }
+        await fs.writeFile(configPath, DEFAULT_CONFIG + "\n", { encoding: "utf8", mode: 384 });
+        process.stdout.write(`Config created at ${configPath}
+`);
+        return 0;
+      } catch (err) {
+        process.stderr.write(`${formatError(err)}
+`);
+        return 1;
+      }
+    }
+    case "show": {
+      try {
+        const configDir = getDefaultConfigDir();
+        const configPath = path.join(configDir, "config.json");
+        const content = await fs.readFile(configPath, "utf8");
+        process.stdout.write(content);
+        if (!content.endsWith("\n")) {
+          process.stdout.write("\n");
+        }
+        return 0;
+      } catch (err) {
+        process.stderr.write(`${formatError(err)}
+`);
+        return 1;
+      }
+    }
+    default:
+      process.stderr.write("Usage: vaultkeeper config <init|show>\n");
+      return 1;
+  }
+}
+export {
+  configCommand
+};
+//# sourceMappingURL=config-FDKYUDXX.js.map

package/dist/config-FDKYUDXX.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/config.ts"],"sourcesContent":["import { parseArgs } from 'node:util'\nimport * as fs from 'node:fs/promises'\nimport * as path from 'node:path'\nimport * as os from 'node:os'\nimport { formatError } from '../output.js'\n\nfunction getDefaultConfigDir(): string {\n  if (process.platform === 'win32') {\n    const appData = process.env.APPDATA\n    if (appData !== undefined) {\n      return path.join(appData, 'vaultkeeper')\n    }\n    return path.join(os.homedir(), 'AppData', 'Roaming', 'vaultkeeper')\n  }\n  return path.join(os.homedir(), '.config', 'vaultkeeper')\n}\n\nconst DEFAULT_CONFIG = JSON.stringify(\n  {\n    version: 1,\n    backends: [{ type: 'keychain', enabled: true }],\n    keyRotation: { gracePeriodDays: 7 },\n    defaults: { ttlMinutes: 60, trustTier: 3 },\n  },\n  null,\n  2,\n)\n\nexport async function configCommand(args: string[]): Promise<number> {\n  const { positionals } = parseArgs({\n    args,\n    allowPositionals: true,\n    strict: false,\n  })\n\n  const subcommand = positionals[0]\n\n  switch (subcommand) {\n    case 'init': {\n      try {\n        const configDir = getDefaultConfigDir()\n        const configPath = path.join(configDir, 'config.json')\n        // [W4 fix] Create config directory with restrictive permissions\n        await fs.mkdir(configDir, { recursive: true, mode: 0o700 })\n\n        try {\n          await fs.access(configPath)\n          process.stderr.write(`Config already exists at ${configPath}\\n`)\n          return 1\n        } catch {\n          // File doesn't exist — create it\n        }\n\n        await fs.writeFile(configPath, DEFAULT_CONFIG + '\\n', { encoding: 'utf8', mode: 0o600 })\n        process.stdout.write(`Config created at ${configPath}\\n`)\n        return 0\n      } catch (err) {\n        process.stderr.write(`${formatError(err)}\\n`)\n        return 1\n      }\n    }\n\n    case 'show': {\n      try {\n        const configDir = getDefaultConfigDir()\n        const configPath = path.join(configDir, 'config.json')\n        const content = await fs.readFile(configPath, 'utf8')\n        process.stdout.write(content)\n        if (!content.endsWith('\\n')) {\n          process.stdout.write('\\n')\n        }\n        return 0\n      } catch (err) {\n        process.stderr.write(`${formatError(err)}\\n`)\n        return 1\n      }\n    }\n\n    default:\n      process.stderr.write('Usage: vaultkeeper config <init|show>\\n')\n      return 1\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,iBAAiB;AAC1B,YAAY,QAAQ;AACpB,YAAY,UAAU;AACtB,YAAY,QAAQ;AAGpB,SAAS,sBAA8B;AACrC,MAAI,QAAQ,aAAa,SAAS;AAChC,UAAM,UAAU,QAAQ,IAAI;AAC5B,QAAI,YAAY,QAAW;AACzB,aAAY,UAAK,SAAS,aAAa;AAAA,IACzC;AACA,WAAY,UAAQ,WAAQ,GAAG,WAAW,WAAW,aAAa;AAAA,EACpE;AACA,SAAY,UAAQ,WAAQ,GAAG,WAAW,aAAa;AACzD;AAEA,IAAM,iBAAiB,KAAK;AAAA,EAC1B;AAAA,IACE,SAAS;AAAA,IACT,UAAU,CAAC,EAAE,MAAM,YAAY,SAAS,KAAK,CAAC;AAAA,IAC9C,aAAa,EAAE,iBAAiB,EAAE;AAAA,IAClC,UAAU,EAAE,YAAY,IAAI,WAAW,EAAE;AAAA,EAC3C;AAAA,EACA;AAAA,EACA;AACF;AAEA,eAAsB,cAAc,MAAiC;AACnE,QAAM,EAAE,YAAY,IAAI,UAAU;AAAA,IAChC;AAAA,IACA,kBAAkB;AAAA,IAClB,QAAQ;AAAA,EACV,CAAC;AAED,QAAM,aAAa,YAAY,CAAC;AAEhC,UAAQ,YAAY;AAAA,IAClB,KAAK,QAAQ;AACX,UAAI;AACF,cAAM,YAAY,oBAAoB;AACtC,cAAM,aAAkB,UAAK,WAAW,aAAa;AAErD,cAAS,SAAM,WAAW,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAE1D,YAAI;AACF,gBAAS,UAAO,UAAU;AAC1B,kBAAQ,OAAO,MAAM,4BAA4B,UAAU;AAAA,CAAI;AAC/D,iBAAO;AAAA,QACT,QAAQ;AAAA,QAER;AAEA,cAAS,aAAU,YAAY,iBAAiB,MAAM,EAAE,UAAU,QAAQ,MAAM,IAAM,CAAC;AACvF,gBAAQ,OAAO,MAAM,qBAAqB,UAAU;AAAA,CAAI;AACxD,eAAO;AAAA,MACT,SAAS,KAAK;AACZ,gBAAQ,OAAO,MAAM,GAAG,YAAY,GAAG,CAAC;AAAA,CAAI;AAC5C,eAAO;AAAA,MACT;AAAA,IACF;AAAA,IAEA,KAAK,QAAQ;AACX,UAAI;AACF,cAAM,YAAY,oBAAoB;AACtC,cAAM,aAAkB,UAAK,WAAW,aAAa;AACrD,cAAM,UAAU,MAAS,YAAS,YAAY,MAAM;AACpD,gBAAQ,OAAO,MAAM,OAAO;AAC5B,YAAI,CAAC,QAAQ,SAAS,IAAI,GAAG;AAC3B,kBAAQ,OAAO,MAAM,IAAI;AAAA,QAC3B;AACA,eAAO;AAAA,MACT,SAAS,KAAK;AACZ,gBAAQ,OAAO,MAAM,GAAG,YAAY,GAAG,CAAC;AAAA,CAAI;AAC5C,eAAO;AAAA,MACT;AAAA,IACF;AAAA,IAEA;AACE,cAAQ,OAAO,MAAM,yCAAyC;AAC9D,aAAO;AAAA,EACX;AACF;","names":[]}

package/dist/delete-WNUM2ART.js

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+import {
+  formatError
+} from "./chunk-FFQCXUYN.js";
+
+// src/commands/delete.ts
+import { parseArgs } from "util";
+import { BackendRegistry, VaultKeeper } from "vaultkeeper";
+async function deleteCommand(args) {
+  const { values } = parseArgs({
+    args,
+    options: {
+      name: { type: "string" }
+    },
+    strict: true
+  });
+  if (values.name === void 0) {
+    process.stderr.write("Error: --name is required\n");
+    process.stderr.write("Usage: vaultkeeper delete --name <name>\n");
+    return 1;
+  }
+  try {
+    await VaultKeeper.init();
+    const types = BackendRegistry.getTypes();
+    const firstType = types[0];
+    if (firstType === void 0) {
+      process.stderr.write("Error: No backends available\n");
+      return 1;
+    }
+    const backend = BackendRegistry.create(firstType);
+    await backend.delete(values.name);
+    process.stdout.write(`Secret "${values.name}" deleted.
+`);
+    return 0;
+  } catch (err) {
+    process.stderr.write(`${formatError(err)}
+`);
+    return 1;
+  }
+}
+export {
+  deleteCommand
+};
+//# sourceMappingURL=delete-WNUM2ART.js.map

package/dist/delete-WNUM2ART.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/delete.ts"],"sourcesContent":["import { parseArgs } from 'node:util'\nimport { BackendRegistry, VaultKeeper } from 'vaultkeeper'\nimport { formatError } from '../output.js'\n\nexport async function deleteCommand(args: string[]): Promise<number> {\n  const { values } = parseArgs({\n    args,\n    options: {\n      name: { type: 'string' },\n    },\n    strict: true,\n  })\n\n  if (values.name === undefined) {\n    process.stderr.write('Error: --name is required\\n')\n    process.stderr.write('Usage: vaultkeeper delete --name <name>\\n')\n    return 1\n  }\n\n  try {\n    // Initialize vault to ensure backends are registered and doctor passes\n    await VaultKeeper.init()\n\n    const types = BackendRegistry.getTypes()\n    const firstType = types[0]\n    if (firstType === undefined) {\n      process.stderr.write('Error: No backends available\\n')\n      return 1\n    }\n\n    const backend = BackendRegistry.create(firstType)\n    await backend.delete(values.name)\n    process.stdout.write(`Secret \"${values.name}\" deleted.\\n`)\n    return 0\n  } catch (err) {\n    process.stderr.write(`${formatError(err)}\\n`)\n    return 1\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,iBAAiB,mBAAmB;AAG7C,eAAsB,cAAc,MAAiC;AACnE,QAAM,EAAE,OAAO,IAAI,UAAU;AAAA,IAC3B;AAAA,IACA,SAAS;AAAA,MACP,MAAM,EAAE,MAAM,SAAS;AAAA,IACzB;AAAA,IACA,QAAQ;AAAA,EACV,CAAC;AAED,MAAI,OAAO,SAAS,QAAW;AAC7B,YAAQ,OAAO,MAAM,6BAA6B;AAClD,YAAQ,OAAO,MAAM,2CAA2C;AAChE,WAAO;AAAA,EACT;AAEA,MAAI;AAEF,UAAM,YAAY,KAAK;AAEvB,UAAM,QAAQ,gBAAgB,SAAS;AACvC,UAAM,YAAY,MAAM,CAAC;AACzB,QAAI,cAAc,QAAW;AAC3B,cAAQ,OAAO,MAAM,gCAAgC;AACrD,aAAO;AAAA,IACT;AAEA,UAAM,UAAU,gBAAgB,OAAO,SAAS;AAChD,UAAM,QAAQ,OAAO,OAAO,IAAI;AAChC,YAAQ,OAAO,MAAM,WAAW,OAAO,IAAI;AAAA,CAAc;AACzD,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,OAAO,MAAM,GAAG,YAAY,GAAG,CAAC;AAAA,CAAI;AAC5C,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/dev-mode-QKWOGXIZ.js

@@ -0,0 +1,43 @@
+#!/usr/bin/env node
+import {
+  formatError
+} from "./chunk-FFQCXUYN.js";
+
+// src/commands/dev-mode.ts
+import { parseArgs } from "util";
+import * as path from "path";
+import { VaultKeeper } from "vaultkeeper";
+async function devModeCommand(args) {
+  const { positionals, values } = parseArgs({
+    args,
+    allowPositionals: true,
+    options: {
+      script: { type: "string" }
+    },
+    strict: true
+  });
+  const action = positionals[0];
+  if (action !== "enable" && action !== "disable" || values.script === void 0) {
+    process.stderr.write("Usage: vaultkeeper dev-mode <enable|disable> --script <path>\n");
+    return 1;
+  }
+  const scriptPath = path.resolve(values.script);
+  const enabled = action === "enable";
+  try {
+    const vault = await VaultKeeper.init();
+    await vault.setDevelopmentMode(scriptPath, enabled);
+    process.stdout.write(
+      `Development mode ${enabled ? "enabled" : "disabled"} for ${scriptPath}
+`
+    );
+    return 0;
+  } catch (err) {
+    process.stderr.write(`${formatError(err)}
+`);
+    return 1;
+  }
+}
+export {
+  devModeCommand
+};
+//# sourceMappingURL=dev-mode-QKWOGXIZ.js.map

package/dist/dev-mode-QKWOGXIZ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/dev-mode.ts"],"sourcesContent":["import { parseArgs } from 'node:util'\nimport * as path from 'node:path'\nimport { VaultKeeper } from 'vaultkeeper'\nimport { formatError } from '../output.js'\n\nexport async function devModeCommand(args: string[]): Promise<number> {\n  const { positionals, values } = parseArgs({\n    args,\n    allowPositionals: true,\n    options: {\n      script: { type: 'string' },\n    },\n    strict: true,\n  })\n\n  const action = positionals[0]\n\n  if ((action !== 'enable' && action !== 'disable') || values.script === undefined) {\n    process.stderr.write('Usage: vaultkeeper dev-mode <enable|disable> --script <path>\\n')\n    return 1\n  }\n\n  const scriptPath = path.resolve(values.script)\n  const enabled = action === 'enable'\n\n  try {\n    const vault = await VaultKeeper.init()\n    await vault.setDevelopmentMode(scriptPath, enabled)\n    process.stdout.write(\n      `Development mode ${enabled ? 'enabled' : 'disabled'} for ${scriptPath}\\n`,\n    )\n    return 0\n  } catch (err) {\n    process.stderr.write(`${formatError(err)}\\n`)\n    return 1\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,iBAAiB;AAC1B,YAAY,UAAU;AACtB,SAAS,mBAAmB;AAG5B,eAAsB,eAAe,MAAiC;AACpE,QAAM,EAAE,aAAa,OAAO,IAAI,UAAU;AAAA,IACxC;AAAA,IACA,kBAAkB;AAAA,IAClB,SAAS;AAAA,MACP,QAAQ,EAAE,MAAM,SAAS;AAAA,IAC3B;AAAA,IACA,QAAQ;AAAA,EACV,CAAC;AAED,QAAM,SAAS,YAAY,CAAC;AAE5B,MAAK,WAAW,YAAY,WAAW,aAAc,OAAO,WAAW,QAAW;AAChF,YAAQ,OAAO,MAAM,gEAAgE;AACrF,WAAO;AAAA,EACT;AAEA,QAAM,aAAkB,aAAQ,OAAO,MAAM;AAC7C,QAAM,UAAU,WAAW;AAE3B,MAAI;AACF,UAAM,QAAQ,MAAM,YAAY,KAAK;AACrC,UAAM,MAAM,mBAAmB,YAAY,OAAO;AAClD,YAAQ,OAAO;AAAA,MACb,oBAAoB,UAAU,YAAY,UAAU,QAAQ,UAAU;AAAA;AAAA,IACxE;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,OAAO,MAAM,GAAG,YAAY,GAAG,CAAC;AAAA,CAAI;AAC5C,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/doctor-O5MH7VDR.js

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+import {
+  formatError
+} from "./chunk-FFQCXUYN.js";
+
+// src/commands/doctor.ts
+import { VaultKeeper } from "vaultkeeper";
+async function doctorCommand(_args) {
+  try {
+    const result = await VaultKeeper.doctor();
+    for (const check of result.checks) {
+      const icon = check.status === "ok" ? "\u2713" : "\u2717";
+      const version = check.version !== void 0 ? ` (${check.version})` : "";
+      const reason = check.reason !== void 0 ? ` \u2014 ${check.reason}` : "";
+      process.stdout.write(`  ${icon} ${check.name}${version}${reason}
+`);
+    }
+    if (result.warnings.length > 0) {
+      process.stdout.write("\nWarnings:\n");
+      for (const warning of result.warnings) {
+        process.stdout.write(`  \u26A0 ${warning}
+`);
+      }
+    }
+    if (result.ready) {
+      process.stdout.write("\nSystem ready.\n");
+      return 0;
+    }
+    process.stdout.write("\nNext steps:\n");
+    for (const step of result.nextSteps) {
+      process.stdout.write(`  \u2192 ${step}
+`);
+    }
+    return 1;
+  } catch (err) {
+    process.stderr.write(`${formatError(err)}
+`);
+    return 1;
+  }
+}
+export {
+  doctorCommand
+};
+//# sourceMappingURL=doctor-O5MH7VDR.js.map

package/dist/doctor-O5MH7VDR.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/doctor.ts"],"sourcesContent":["import { VaultKeeper } from 'vaultkeeper'\nimport { formatError } from '../output.js'\n\nexport async function doctorCommand(_args: string[]): Promise<number> {\n  try {\n    const result = await VaultKeeper.doctor()\n\n    for (const check of result.checks) {\n      const icon = check.status === 'ok' ? '✓' : '✗'\n      const version = check.version !== undefined ? ` (${check.version})` : ''\n      const reason = check.reason !== undefined ? ` — ${check.reason}` : ''\n      process.stdout.write(`  ${icon} ${check.name}${version}${reason}\\n`)\n    }\n\n    if (result.warnings.length > 0) {\n      process.stdout.write('\\nWarnings:\\n')\n      for (const warning of result.warnings) {\n        process.stdout.write(`  ⚠ ${warning}\\n`)\n      }\n    }\n\n    if (result.ready) {\n      process.stdout.write('\\nSystem ready.\\n')\n      return 0\n    }\n\n    process.stdout.write('\\nNext steps:\\n')\n    for (const step of result.nextSteps) {\n      process.stdout.write(`  → ${step}\\n`)\n    }\n    return 1\n  } catch (err) {\n    process.stderr.write(`${formatError(err)}\\n`)\n    return 1\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,mBAAmB;AAG5B,eAAsB,cAAc,OAAkC;AACpE,MAAI;AACF,UAAM,SAAS,MAAM,YAAY,OAAO;AAExC,eAAW,SAAS,OAAO,QAAQ;AACjC,YAAM,OAAO,MAAM,WAAW,OAAO,WAAM;AAC3C,YAAM,UAAU,MAAM,YAAY,SAAY,KAAK,MAAM,OAAO,MAAM;AACtE,YAAM,SAAS,MAAM,WAAW,SAAY,WAAM,MAAM,MAAM,KAAK;AACnE,cAAQ,OAAO,MAAM,KAAK,IAAI,IAAI,MAAM,IAAI,GAAG,OAAO,GAAG,MAAM;AAAA,CAAI;AAAA,IACrE;AAEA,QAAI,OAAO,SAAS,SAAS,GAAG;AAC9B,cAAQ,OAAO,MAAM,eAAe;AACpC,iBAAW,WAAW,OAAO,UAAU;AACrC,gBAAQ,OAAO,MAAM,YAAO,OAAO;AAAA,CAAI;AAAA,MACzC;AAAA,IACF;AAEA,QAAI,OAAO,OAAO;AAChB,cAAQ,OAAO,MAAM,mBAAmB;AACxC,aAAO;AAAA,IACT;AAEA,YAAQ,OAAO,MAAM,iBAAiB;AACtC,eAAW,QAAQ,OAAO,WAAW;AACnC,cAAQ,OAAO,MAAM,YAAO,IAAI;AAAA,CAAI;AAAA,IACtC;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,OAAO,MAAM,GAAG,YAAY,GAAG,CAAC;AAAA,CAAI;AAC5C,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/exec-YE2YX45A.js

@@ -0,0 +1,276 @@
+#!/usr/bin/env node
+import {
+  formatError
+} from "./chunk-FFQCXUYN.js";
+
+// src/commands/exec.ts
+import { parseArgs } from "util";
+import { spawn } from "child_process";
+import * as path2 from "path";
+import { VaultKeeper } from "vaultkeeper";
+
+// src/approval.ts
+import * as readline from "readline";
+async function promptApproval(info) {
+  if (!process.stdin.isTTY) {
+    throw new Error(
+      "Secret access requires interactive approval. Run this command in a terminal."
+    );
+  }
+  const lines = [
+    "\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510",
+    "\u2502  Secret Access Request                          \u2502",
+    "\u2502                                                 \u2502",
+    `\u2502  Caller:  ${pad(info.caller)}\u2502`,
+    `\u2502  Trust:   ${pad(info.trustInfo)}\u2502`,
+    `\u2502  Secret:  ${pad(info.secret)}\u2502`
+  ];
+  if (info.reason !== void 0) {
+    lines.push(`\u2502  Reason:  ${pad(info.reason)}\u2502`);
+  }
+  lines.push(
+    "\u2502                                                 \u2502",
+    "\u2502  Allow? [y/N]                                   \u2502",
+    "\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"
+  );
+  process.stderr.write(lines.join("\n") + "\n");
+  const answer = await readLine();
+  return answer.trim().toLowerCase() === "y";
+}
+function pad(text) {
+  const maxWidth = 37;
+  if (text.length >= maxWidth) {
+    return text.slice(0, maxWidth - 3) + "...";
+  }
+  return text + " ".repeat(maxWidth - text.length);
+}
+function readLine() {
+  return new Promise((resolve2) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stderr
+    });
+    rl.question("", (answer) => {
+      rl.close();
+      resolve2(answer);
+    });
+  });
+}
+
+// src/cache.ts
+import * as crypto from "crypto";
+import * as fs from "fs/promises";
+import * as path from "path";
+import * as os from "os";
+function getCacheDir() {
+  const xdg = process.env.XDG_RUNTIME_DIR;
+  if (xdg !== void 0 && xdg !== "") {
+    return path.join(xdg, "vaultkeeper");
+  }
+  const username = os.userInfo().username;
+  const tmpdir2 = os.tmpdir();
+  return path.join(tmpdir2, `vaultkeeper-${username}`);
+}
+function cacheFileName(callerPath, secretName) {
+  const hash = crypto.createHash("sha256");
+  hash.update(callerPath);
+  hash.update("\0");
+  hash.update(secretName);
+  return hash.digest("hex") + ".jwe";
+}
+async function readCachedToken(callerPath, secretName) {
+  const filePath = path.join(getCacheDir(), cacheFileName(callerPath, secretName));
+  try {
+    const content = await fs.readFile(filePath, "utf8");
+    return content.length > 0 ? content : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function writeCachedToken(callerPath, secretName, jwe) {
+  const dir = getCacheDir();
+  await fs.mkdir(dir, { recursive: true, mode: 448 });
+  const filePath = path.join(dir, cacheFileName(callerPath, secretName));
+  const tmpPath = filePath + `.${crypto.randomUUID()}.tmp`;
+  await fs.writeFile(tmpPath, jwe, { encoding: "utf8", mode: 384 });
+  await fs.rename(tmpPath, filePath);
+}
+async function invalidateCache(callerPath, secretName) {
+  const filePath = path.join(getCacheDir(), cacheFileName(callerPath, secretName));
+  try {
+    await fs.unlink(filePath);
+  } catch {
+  }
+}
+
+// src/redact.ts
+import { Transform } from "stream";
+var RedactingStream = class extends Transform {
+  #secret;
+  #replacement;
+  #tail;
+  constructor(secret, replacement = "[REDACTED]") {
+    super();
+    this.#secret = secret;
+    this.#replacement = replacement;
+    this.#tail = "";
+  }
+  _transform(chunk, _encoding, callback) {
+    if (this.#secret.length === 0) {
+      this.push(chunk);
+      callback();
+      return;
+    }
+    const str = this.#tail + chunk.toString("utf8");
+    const redacted = str.replaceAll(this.#secret, this.#replacement);
+    const bufferSize = this.#secret.length - 1;
+    if (redacted.length > bufferSize) {
+      this.#tail = redacted.slice(-bufferSize);
+      this.push(redacted.slice(0, -bufferSize));
+    } else {
+      this.#tail = redacted;
+    }
+    callback();
+  }
+  _flush(callback) {
+    if (this.#tail.length > 0) {
+      this.push(this.#tail);
+      this.#tail = "";
+    }
+    callback();
+  }
+};
+
+// src/commands/exec.ts
+async function execCommand(args) {
+  const dashDashIdx = args.indexOf("--");
+  if (dashDashIdx === -1) {
+    process.stderr.write("Error: Must provide command after --\n");
+    process.stderr.write(
+      "Usage: vaultkeeper exec --secret <name> --env <VAR> --caller <path> -- <command...>\n"
+    );
+    return 1;
+  }
+  const flagArgs = args.slice(0, dashDashIdx);
+  const command = args.slice(dashDashIdx + 1);
+  if (command.length === 0) {
+    process.stderr.write("Error: No command provided after --\n");
+    return 1;
+  }
+  const { values } = parseArgs({
+    args: flagArgs,
+    options: {
+      secret: { type: "string" },
+      env: { type: "string" },
+      caller: { type: "string" },
+      reason: { type: "string" },
+      cache: { type: "boolean", default: false },
+      "no-redact": { type: "boolean", default: false }
+    },
+    strict: true
+  });
+  const secret = values.secret;
+  const envVar = values.env;
+  const caller = values.caller;
+  if (secret === void 0 || envVar === void 0 || caller === void 0) {
+    process.stderr.write("Error: --secret, --env, and --caller are required\n");
+    return 1;
+  }
+  const callerPath = path2.resolve(caller);
+  const useCache = values.cache;
+  const noRedact = values["no-redact"];
+  try {
+    const vault = await VaultKeeper.init();
+    let jwe;
+    if (useCache) {
+      jwe = await readCachedToken(callerPath, secret);
+    }
+    if (jwe === void 0) {
+      const approved = await promptApproval({
+        caller: callerPath,
+        trustInfo: "Pending verification",
+        secret,
+        reason: values.reason
+      });
+      if (!approved) {
+        process.stderr.write("Access denied by user.\n");
+        return 1;
+      }
+      jwe = await vault.setup(secret, { executablePath: callerPath });
+      if (useCache) {
+        await writeCachedToken(callerPath, secret, jwe);
+      }
+    }
+    let secretValue;
+    try {
+      const { token } = await vault.authorize(jwe);
+      const accessor = vault.getSecret(token);
+      accessor.read((buf) => {
+        secretValue = buf.toString("utf8");
+      });
+    } catch (err) {
+      if (useCache) {
+        await invalidateCache(callerPath, secret);
+        process.stderr.write("Cached token expired, re-authenticating...\n");
+        jwe = void 0;
+        const approved = await promptApproval({
+          caller: callerPath,
+          trustInfo: "Pending verification",
+          secret,
+          reason: values.reason
+        });
+        if (!approved) {
+          process.stderr.write("Access denied by user.\n");
+          return 1;
+        }
+        jwe = await vault.setup(secret, { executablePath: callerPath });
+        await writeCachedToken(callerPath, secret, jwe);
+        const retryResult = await vault.authorize(jwe);
+        const retryAccessor = vault.getSecret(retryResult.token);
+        retryAccessor.read((buf) => {
+          secretValue = buf.toString("utf8");
+        });
+      } else {
+        throw err;
+      }
+    }
+    if (secretValue === void 0) {
+      process.stderr.write("Error: Failed to read secret value\n");
+      return 1;
+    }
+    const commandName = command[0];
+    if (commandName === void 0) {
+      process.stderr.write("Error: Empty command\n");
+      return 1;
+    }
+    const child = spawn(commandName, command.slice(1), {
+      env: { ...process.env, [envVar]: secretValue },
+      stdio: ["inherit", "pipe", "pipe"]
+    });
+    if (noRedact) {
+      child.stdout.pipe(process.stdout);
+      child.stderr.pipe(process.stderr);
+    } else {
+      const stdoutRedactor = new RedactingStream(secretValue);
+      const stderrRedactor = new RedactingStream(secretValue);
+      child.stdout.pipe(stdoutRedactor).pipe(process.stdout);
+      child.stderr.pipe(stderrRedactor).pipe(process.stderr);
+    }
+    return await new Promise((resolve2, reject) => {
+      child.on("error", (err) => {
+        reject(err);
+      });
+      child.on("close", (code) => {
+        resolve2(code ?? 1);
+      });
+    });
+  } catch (err) {
+    process.stderr.write(`${formatError(err)}
+`);
+    return 1;
+  }
+}
+export {
+  execCommand
+};
+//# sourceMappingURL=exec-YE2YX45A.js.map

package/dist/exec-YE2YX45A.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/exec.ts","../src/approval.ts","../src/cache.ts","../src/redact.ts"],"sourcesContent":["/**\n * The `vaultkeeper exec` command — inject a secret as an env var and run a command.\n *\n * Flow:\n * 1. Parse flags and the command after `--`\n * 2. If `--cache`, check for a cached JWE token\n * 3. If no cached token: prompt for approval, THEN retrieve and setup the secret\n * 4. Authorize the JWE → obtain a CapabilityToken\n * 5. Read the secret value via the accessor\n * 6. Spawn the child process with the secret injected as an env var\n * 7. Pipe stdout/stderr through RedactingStream (unless `--no-redact`)\n * 8. Exit with the child's exit code\n *\n * Note on secret lifetime: The secret must be converted to a JS string for env\n * var injection via `child_process.spawn`. This pins it in the V8 heap beyond\n * the `SecretAccessor` callback scope. This is an accepted tradeoff — the CLI\n * spawn boundary requires a string, and RedactingStream prevents leakage in\n * output. The string is not persisted or returned.\n *\n * @internal\n */\n\nimport { parseArgs } from 'node:util'\nimport { spawn } from 'node:child_process'\nimport * as path from 'node:path'\nimport { VaultKeeper } from 'vaultkeeper'\nimport { promptApproval } from '../approval.js'\nimport { readCachedToken, writeCachedToken, invalidateCache } from '../cache.js'\nimport { RedactingStream } from '../redact.js'\nimport { formatError } from '../output.js'\n\nexport async function execCommand(args: string[]): Promise<number> {\n  // Find the -- separator to split CLI flags from the wrapped command\n  const dashDashIdx = args.indexOf('--')\n  if (dashDashIdx === -1) {\n    process.stderr.write('Error: Must provide command after --\\n')\n    process.stderr.write(\n      'Usage: vaultkeeper exec --secret <name> --env <VAR> --caller <path> -- <command...>\\n',\n    )\n    return 1\n  }\n\n  const flagArgs = args.slice(0, dashDashIdx)\n  const command = args.slice(dashDashIdx + 1)\n\n  if (command.length === 0) {\n    process.stderr.write('Error: No command provided after --\\n')\n    return 1\n  }\n\n  const { values } = parseArgs({\n    args: flagArgs,\n    options: {\n      secret: { type: 'string' },\n      env: { type: 'string' },\n      caller: { type: 'string' },\n      reason: { type: 'string' },\n      cache: { type: 'boolean', default: false },\n      'no-redact': { type: 'boolean', default: false },\n    },\n    strict: true,\n  })\n\n  const secret = values.secret\n  const envVar = values.env\n  const caller = values.caller\n\n  if (secret === undefined || envVar === undefined || caller === undefined) {\n    process.stderr.write('Error: --secret, --env, and --caller are required\\n')\n    return 1\n  }\n\n  const callerPath = path.resolve(caller)\n  // parseArgs with default: false types these as boolean (never undefined)\n  const useCache: boolean = values.cache\n  const noRedact: boolean = values['no-redact']\n\n  try {\n    const vault = await VaultKeeper.init()\n\n    // Check cache first if --cache\n    let jwe: string | undefined\n    if (useCache) {\n      jwe = await readCachedToken(callerPath, secret)\n    }\n\n    if (jwe === undefined) {\n      // [C1 fix] Prompt for approval BEFORE retrieving the secret.\n      // vault.setup() retrieves the secret from the backend and embeds it\n      // in a JWE, so we must get user consent first.\n      const approved = await promptApproval({\n        caller: callerPath,\n        trustInfo: 'Pending verification',\n        secret,\n        reason: values.reason,\n      })\n\n      if (!approved) {\n        process.stderr.write('Access denied by user.\\n')\n        return 1\n      }\n\n      jwe = await vault.setup(secret, { executablePath: callerPath })\n\n      // Cache if requested\n      if (useCache) {\n        await writeCachedToken(callerPath, secret, jwe)\n      }\n    }\n\n    // Authorize and get secret\n    let secretValue: string | undefined\n    try {\n      const { token } = await vault.authorize(jwe)\n      const accessor = vault.getSecret(token)\n      accessor.read((buf) => {\n        secretValue = buf.toString('utf8')\n      })\n    } catch (err) {\n      // If cached token failed, invalidate and retry without cache\n      if (useCache) {\n        await invalidateCache(callerPath, secret)\n        process.stderr.write('Cached token expired, re-authenticating...\\n')\n        // [C2 fix] Retry by toggling the useCache flag off internally\n        // rather than filtering args (which could corrupt the wrapped command).\n        jwe = undefined\n        const approved = await promptApproval({\n          caller: callerPath,\n          trustInfo: 'Pending verification',\n          secret,\n          reason: values.reason,\n        })\n        if (!approved) {\n          process.stderr.write('Access denied by user.\\n')\n          return 1\n        }\n        jwe = await vault.setup(secret, { executablePath: callerPath })\n        // Write the new token back to cache so subsequent invocations benefit\n        await writeCachedToken(callerPath, secret, jwe)\n        const retryResult = await vault.authorize(jwe)\n        const retryAccessor = vault.getSecret(retryResult.token)\n        retryAccessor.read((buf) => {\n          secretValue = buf.toString('utf8')\n        })\n      } else {\n        throw err\n      }\n    }\n\n    if (secretValue === undefined) {\n      process.stderr.write('Error: Failed to read secret value\\n')\n      return 1\n    }\n\n    // Spawn child process\n    const commandName = command[0]\n    if (commandName === undefined) {\n      process.stderr.write('Error: Empty command\\n')\n      return 1\n    }\n\n    const child = spawn(commandName, command.slice(1), {\n      env: { ...process.env, [envVar]: secretValue },\n      stdio: ['inherit', 'pipe', 'pipe'],\n    })\n\n    // Pipe output through redaction (or directly)\n    if (noRedact) {\n      child.stdout.pipe(process.stdout)\n      child.stderr.pipe(process.stderr)\n    } else {\n      const stdoutRedactor = new RedactingStream(secretValue)\n      const stderrRedactor = new RedactingStream(secretValue)\n      child.stdout.pipe(stdoutRedactor).pipe(process.stdout)\n      child.stderr.pipe(stderrRedactor).pipe(process.stderr)\n    }\n\n    // [W7 fix] Wait for child to exit, handling both 'close' and 'error' events\n    return await new Promise<number>((resolve, reject) => {\n      child.on('error', (err) => {\n        reject(err)\n      })\n      child.on('close', (code) => {\n        resolve(code ?? 1)\n      })\n    })\n  } catch (err) {\n    process.stderr.write(`${formatError(err)}\\n`)\n    return 1\n  }\n}\n","import * as readline from 'node:readline'\nimport type { ApprovalInfo } from './types.js'\n\n/**\n * Display an interactive approval prompt on the TTY.\n *\n * @param info - The access request details to display.\n * @returns `true` if the user approves, `false` otherwise.\n * @throws If stdin is not a TTY.\n *\n * @internal\n */\nexport async function promptApproval(info: ApprovalInfo): Promise<boolean> {\n  if (!process.stdin.isTTY) {\n    throw new Error(\n      'Secret access requires interactive approval. Run this command in a terminal.',\n    )\n  }\n\n  const lines = [\n    '┌─────────────────────────────────────────────────┐',\n    '│  Secret Access Request                          │',\n    '│                                                 │',\n    `│  Caller:  ${pad(info.caller)}│`,\n    `│  Trust:   ${pad(info.trustInfo)}│`,\n    `│  Secret:  ${pad(info.secret)}│`,\n  ]\n\n  if (info.reason !== undefined) {\n    lines.push(`│  Reason:  ${pad(info.reason)}│`)\n  }\n\n  lines.push(\n    '│                                                 │',\n    '│  Allow? [y/N]                                   │',\n    '└─────────────────────────────────────────────────┘',\n  )\n\n  process.stderr.write(lines.join('\\n') + '\\n')\n\n  const answer = await readLine()\n  return answer.trim().toLowerCase() === 'y'\n}\n\nfunction pad(text: string): string {\n  const maxWidth = 37 // 49 total width - 10 prefix \"│  Label:  \" - 1 trailing \"│\"\n  if (text.length >= maxWidth) {\n    return text.slice(0, maxWidth - 3) + '...'\n  }\n  return text + ' '.repeat(maxWidth - text.length)\n}\n\nfunction readLine(): Promise<string> {\n  return new Promise((resolve) => {\n    const rl = readline.createInterface({\n      input: process.stdin,\n      output: process.stderr,\n    })\n    rl.question('', (answer) => {\n      rl.close()\n      resolve(answer)\n    })\n  })\n}\n","import * as crypto from 'node:crypto'\nimport * as fs from 'node:fs/promises'\nimport * as path from 'node:path'\nimport * as os from 'node:os'\n\n/**\n * Resolve the cache directory for JWE tokens.\n *\n * - Linux: `$XDG_RUNTIME_DIR/vaultkeeper/` (tmpfs, secure)\n * - macOS/other: `$TMPDIR/vaultkeeper-<username>/`\n * - Fallback: `os.tmpdir()/vaultkeeper-<username>/`\n *\n * @internal\n */\nexport function getCacheDir(): string {\n  const xdg = process.env.XDG_RUNTIME_DIR\n  if (xdg !== undefined && xdg !== '') {\n    return path.join(xdg, 'vaultkeeper')\n  }\n\n  // Use username for cross-platform compatibility (process.getuid() is\n  // undefined on Windows, and uid 0 would cause all users to share a cache).\n  const username = os.userInfo().username\n  const tmpdir = os.tmpdir()\n  return path.join(tmpdir, `vaultkeeper-${username}`)\n}\n\n/**\n * Compute a deterministic cache filename from a caller path and secret name.\n * Uses a null-byte separator to prevent collisions between paths that share\n * a prefix (e.g. \"/a\" + \"b\" vs \"/ab\" + \"\").\n */\nfunction cacheFileName(callerPath: string, secretName: string): string {\n  const hash = crypto.createHash('sha256')\n  hash.update(callerPath)\n  hash.update('\\0')\n  hash.update(secretName)\n  return hash.digest('hex') + '.jwe'\n}\n\n/**\n * Read a cached JWE token for the given caller and secret.\n *\n * @returns The cached JWE string, or `undefined` if no cache exists.\n *\n * @internal\n */\nexport async function readCachedToken(\n  callerPath: string,\n  secretName: string,\n): Promise<string | undefined> {\n  const filePath = path.join(getCacheDir(), cacheFileName(callerPath, secretName))\n  try {\n    const content = await fs.readFile(filePath, 'utf8')\n    return content.length > 0 ? content : undefined\n  } catch {\n    return undefined\n  }\n}\n\n/**\n * Write a JWE token to the cache.\n *\n * Creates the cache directory (mode 0o700) if it does not exist.\n * Uses atomic write-then-rename to prevent race conditions where another\n * process could read a partially-written file.\n *\n * @internal\n */\nexport async function writeCachedToken(\n  callerPath: string,\n  secretName: string,\n  jwe: string,\n): Promise<void> {\n  const dir = getCacheDir()\n  await fs.mkdir(dir, { recursive: true, mode: 0o700 })\n  const filePath = path.join(dir, cacheFileName(callerPath, secretName))\n  // Atomic write: write to a temp file with correct permissions,\n  // then rename into place. rename() is atomic on POSIX filesystems.\n  const tmpPath = filePath + `.${crypto.randomUUID()}.tmp`\n  await fs.writeFile(tmpPath, jwe, { encoding: 'utf8', mode: 0o600 })\n  await fs.rename(tmpPath, filePath)\n}\n\n/**\n * Remove a cached JWE token.\n *\n * @internal\n */\nexport async function invalidateCache(\n  callerPath: string,\n  secretName: string,\n): Promise<void> {\n  const filePath = path.join(getCacheDir(), cacheFileName(callerPath, secretName))\n  try {\n    await fs.unlink(filePath)\n  } catch {\n    // File may not exist — that's fine\n  }\n}\n","import { Transform } from 'node:stream'\nimport type { TransformCallback } from 'node:stream'\n\n/**\n * A Transform stream that replaces all occurrences of a secret value\n * with a replacement string in the piped output.\n *\n * Handles secrets that may be split across chunk boundaries by buffering\n * up to `secret.length - 1` bytes from the end of each chunk.\n *\n * @internal\n */\nexport class RedactingStream extends Transform {\n  readonly #secret: string\n  readonly #replacement: string\n  #tail: string\n\n  constructor(secret: string, replacement = '[REDACTED]') {\n    super()\n    this.#secret = secret\n    this.#replacement = replacement\n    this.#tail = ''\n  }\n\n  override _transform(\n    chunk: Buffer,\n    _encoding: BufferEncoding,\n    callback: TransformCallback,\n  ): void {\n    if (this.#secret.length === 0) {\n      this.push(chunk)\n      callback()\n      return\n    }\n\n    const str = this.#tail + chunk.toString('utf8')\n    const redacted = str.replaceAll(this.#secret, this.#replacement)\n\n    // Buffer the last (secret.length - 1) chars in case the secret\n    // is split across this chunk and the next one.\n    const bufferSize = this.#secret.length - 1\n    if (redacted.length > bufferSize) {\n      this.#tail = redacted.slice(-bufferSize)\n      this.push(redacted.slice(0, -bufferSize))\n    } else {\n      this.#tail = redacted\n    }\n\n    callback()\n  }\n\n  override _flush(callback: TransformCallback): void {\n    if (this.#tail.length > 0) {\n      this.push(this.#tail)\n      this.#tail = ''\n    }\n    callback()\n  }\n}\n"],"mappings":";;;;;;AAsBA,SAAS,iBAAiB;AAC1B,SAAS,aAAa;AACtB,YAAYA,WAAU;AACtB,SAAS,mBAAmB;;;ACzB5B,YAAY,cAAc;AAY1B,eAAsB,eAAe,MAAsC;AACzE,MAAI,CAAC,QAAQ,MAAM,OAAO;AACxB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA,oBAAe,IAAI,KAAK,MAAM,CAAC;AAAA,IAC/B,oBAAe,IAAI,KAAK,SAAS,CAAC;AAAA,IAClC,oBAAe,IAAI,KAAK,MAAM,CAAC;AAAA,EACjC;AAEA,MAAI,KAAK,WAAW,QAAW;AAC7B,UAAM,KAAK,oBAAe,IAAI,KAAK,MAAM,CAAC,QAAG;AAAA,EAC/C;AAEA,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,UAAQ,OAAO,MAAM,MAAM,KAAK,IAAI,IAAI,IAAI;AAE5C,QAAM,SAAS,MAAM,SAAS;AAC9B,SAAO,OAAO,KAAK,EAAE,YAAY,MAAM;AACzC;AAEA,SAAS,IAAI,MAAsB;AACjC,QAAM,WAAW;AACjB,MAAI,KAAK,UAAU,UAAU;AAC3B,WAAO,KAAK,MAAM,GAAG,WAAW,CAAC,IAAI;AAAA,EACvC;AACA,SAAO,OAAO,IAAI,OAAO,WAAW,KAAK,MAAM;AACjD;AAEA,SAAS,WAA4B;AACnC,SAAO,IAAI,QAAQ,CAACC,aAAY;AAC9B,UAAM,KAAc,yBAAgB;AAAA,MAClC,OAAO,QAAQ;AAAA,MACf,QAAQ,QAAQ;AAAA,IAClB,CAAC;AACD,OAAG,SAAS,IAAI,CAAC,WAAW;AAC1B,SAAG,MAAM;AACT,MAAAA,SAAQ,MAAM;AAAA,IAChB,CAAC;AAAA,EACH,CAAC;AACH;;;AC/DA,YAAY,YAAY;AACxB,YAAY,QAAQ;AACpB,YAAY,UAAU;AACtB,YAAY,QAAQ;AAWb,SAAS,cAAsB;AACpC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,QAAQ,UAAa,QAAQ,IAAI;AACnC,WAAY,UAAK,KAAK,aAAa;AAAA,EACrC;AAIA,QAAM,WAAc,YAAS,EAAE;AAC/B,QAAMC,UAAY,UAAO;AACzB,SAAY,UAAKA,SAAQ,eAAe,QAAQ,EAAE;AACpD;AAOA,SAAS,cAAc,YAAoB,YAA4B;AACrE,QAAM,OAAc,kBAAW,QAAQ;AACvC,OAAK,OAAO,UAAU;AACtB,OAAK,OAAO,IAAI;AAChB,OAAK,OAAO,UAAU;AACtB,SAAO,KAAK,OAAO,KAAK,IAAI;AAC9B;AASA,eAAsB,gBACpB,YACA,YAC6B;AAC7B,QAAM,WAAgB,UAAK,YAAY,GAAG,cAAc,YAAY,UAAU,CAAC;AAC/E,MAAI;AACF,UAAM,UAAU,MAAS,YAAS,UAAU,MAAM;AAClD,WAAO,QAAQ,SAAS,IAAI,UAAU;AAAA,EACxC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAWA,eAAsB,iBACpB,YACA,YACA,KACe;AACf,QAAM,MAAM,YAAY;AACxB,QAAS,SAAM,KAAK,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AACpD,QAAM,WAAgB,UAAK,KAAK,cAAc,YAAY,UAAU,CAAC;AAGrE,QAAM,UAAU,WAAW,IAAW,kBAAW,CAAC;AAClD,QAAS,aAAU,SAAS,KAAK,EAAE,UAAU,QAAQ,MAAM,IAAM,CAAC;AAClE,QAAS,UAAO,SAAS,QAAQ;AACnC;AAOA,eAAsB,gBACpB,YACA,YACe;AACf,QAAM,WAAgB,UAAK,YAAY,GAAG,cAAc,YAAY,UAAU,CAAC;AAC/E,MAAI;AACF,UAAS,UAAO,QAAQ;AAAA,EAC1B,QAAQ;AAAA,EAER;AACF;;;ACnGA,SAAS,iBAAiB;AAYnB,IAAM,kBAAN,cAA8B,UAAU;AAAA,EACpC;AAAA,EACA;AAAA,EACT;AAAA,EAEA,YAAY,QAAgB,cAAc,cAAc;AACtD,UAAM;AACN,SAAK,UAAU;AACf,SAAK,eAAe;AACpB,SAAK,QAAQ;AAAA,EACf;AAAA,EAES,WACP,OACA,WACA,UACM;AACN,QAAI,KAAK,QAAQ,WAAW,GAAG;AAC7B,WAAK,KAAK,KAAK;AACf,eAAS;AACT;AAAA,IACF;AAEA,UAAM,MAAM,KAAK,QAAQ,MAAM,SAAS,MAAM;AAC9C,UAAM,WAAW,IAAI,WAAW,KAAK,SAAS,KAAK,YAAY;AAI/D,UAAM,aAAa,KAAK,QAAQ,SAAS;AACzC,QAAI,SAAS,SAAS,YAAY;AAChC,WAAK,QAAQ,SAAS,MAAM,CAAC,UAAU;AACvC,WAAK,KAAK,SAAS,MAAM,GAAG,CAAC,UAAU,CAAC;AAAA,IAC1C,OAAO;AACL,WAAK,QAAQ;AAAA,IACf;AAEA,aAAS;AAAA,EACX;AAAA,EAES,OAAO,UAAmC;AACjD,QAAI,KAAK,MAAM,SAAS,GAAG;AACzB,WAAK,KAAK,KAAK,KAAK;AACpB,WAAK,QAAQ;AAAA,IACf;AACA,aAAS;AAAA,EACX;AACF;;;AH3BA,eAAsB,YAAY,MAAiC;AAEjE,QAAM,cAAc,KAAK,QAAQ,IAAI;AACrC,MAAI,gBAAgB,IAAI;AACtB,YAAQ,OAAO,MAAM,wCAAwC;AAC7D,YAAQ,OAAO;AAAA,MACb;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,QAAM,WAAW,KAAK,MAAM,GAAG,WAAW;AAC1C,QAAM,UAAU,KAAK,MAAM,cAAc,CAAC;AAE1C,MAAI,QAAQ,WAAW,GAAG;AACxB,YAAQ,OAAO,MAAM,uCAAuC;AAC5D,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,OAAO,IAAI,UAAU;AAAA,IAC3B,MAAM;AAAA,IACN,SAAS;AAAA,MACP,QAAQ,EAAE,MAAM,SAAS;AAAA,MACzB,KAAK,EAAE,MAAM,SAAS;AAAA,MACtB,QAAQ,EAAE,MAAM,SAAS;AAAA,MACzB,QAAQ,EAAE,MAAM,SAAS;AAAA,MACzB,OAAO,EAAE,MAAM,WAAW,SAAS,MAAM;AAAA,MACzC,aAAa,EAAE,MAAM,WAAW,SAAS,MAAM;AAAA,IACjD;AAAA,IACA,QAAQ;AAAA,EACV,CAAC;AAED,QAAM,SAAS,OAAO;AACtB,QAAM,SAAS,OAAO;AACtB,QAAM,SAAS,OAAO;AAEtB,MAAI,WAAW,UAAa,WAAW,UAAa,WAAW,QAAW;AACxE,YAAQ,OAAO,MAAM,qDAAqD;AAC1E,WAAO;AAAA,EACT;AAEA,QAAM,aAAkB,cAAQ,MAAM;AAEtC,QAAM,WAAoB,OAAO;AACjC,QAAM,WAAoB,OAAO,WAAW;AAE5C,MAAI;AACF,UAAM,QAAQ,MAAM,YAAY,KAAK;AAGrC,QAAI;AACJ,QAAI,UAAU;AACZ,YAAM,MAAM,gBAAgB,YAAY,MAAM;AAAA,IAChD;AAEA,QAAI,QAAQ,QAAW;AAIrB,YAAM,WAAW,MAAM,eAAe;AAAA,QACpC,QAAQ;AAAA,QACR,WAAW;AAAA,QACX;AAAA,QACA,QAAQ,OAAO;AAAA,MACjB,CAAC;AAED,UAAI,CAAC,UAAU;AACb,gBAAQ,OAAO,MAAM,0BAA0B;AAC/C,eAAO;AAAA,MACT;AAEA,YAAM,MAAM,MAAM,MAAM,QAAQ,EAAE,gBAAgB,WAAW,CAAC;AAG9D,UAAI,UAAU;AACZ,cAAM,iBAAiB,YAAY,QAAQ,GAAG;AAAA,MAChD;AAAA,IACF;AAGA,QAAI;AACJ,QAAI;AACF,YAAM,EAAE,MAAM,IAAI,MAAM,MAAM,UAAU,GAAG;AAC3C,YAAM,WAAW,MAAM,UAAU,KAAK;AACtC,eAAS,KAAK,CAAC,QAAQ;AACrB,sBAAc,IAAI,SAAS,MAAM;AAAA,MACnC,CAAC;AAAA,IACH,SAAS,KAAK;AAEZ,UAAI,UAAU;AACZ,cAAM,gBAAgB,YAAY,MAAM;AACxC,gBAAQ,OAAO,MAAM,8CAA8C;AAGnE,cAAM;AACN,cAAM,WAAW,MAAM,eAAe;AAAA,UACpC,QAAQ;AAAA,UACR,WAAW;AAAA,UACX;AAAA,UACA,QAAQ,OAAO;AAAA,QACjB,CAAC;AACD,YAAI,CAAC,UAAU;AACb,kBAAQ,OAAO,MAAM,0BAA0B;AAC/C,iBAAO;AAAA,QACT;AACA,cAAM,MAAM,MAAM,MAAM,QAAQ,EAAE,gBAAgB,WAAW,CAAC;AAE9D,cAAM,iBAAiB,YAAY,QAAQ,GAAG;AAC9C,cAAM,cAAc,MAAM,MAAM,UAAU,GAAG;AAC7C,cAAM,gBAAgB,MAAM,UAAU,YAAY,KAAK;AACvD,sBAAc,KAAK,CAAC,QAAQ;AAC1B,wBAAc,IAAI,SAAS,MAAM;AAAA,QACnC,CAAC;AAAA,MACH,OAAO;AACL,cAAM;AAAA,MACR;AAAA,IACF;AAEA,QAAI,gBAAgB,QAAW;AAC7B,cAAQ,OAAO,MAAM,sCAAsC;AAC3D,aAAO;AAAA,IACT;AAGA,UAAM,cAAc,QAAQ,CAAC;AAC7B,QAAI,gBAAgB,QAAW;AAC7B,cAAQ,OAAO,MAAM,wBAAwB;AAC7C,aAAO;AAAA,IACT;AAEA,UAAM,QAAQ,MAAM,aAAa,QAAQ,MAAM,CAAC,GAAG;AAAA,MACjD,KAAK,EAAE,GAAG,QAAQ,KAAK,CAAC,MAAM,GAAG,YAAY;AAAA,MAC7C,OAAO,CAAC,WAAW,QAAQ,MAAM;AAAA,IACnC,CAAC;AAGD,QAAI,UAAU;AACZ,YAAM,OAAO,KAAK,QAAQ,MAAM;AAChC,YAAM,OAAO,KAAK,QAAQ,MAAM;AAAA,IAClC,OAAO;AACL,YAAM,iBAAiB,IAAI,gBAAgB,WAAW;AACtD,YAAM,iBAAiB,IAAI,gBAAgB,WAAW;AACtD,YAAM,OAAO,KAAK,cAAc,EAAE,KAAK,QAAQ,MAAM;AACrD,YAAM,OAAO,KAAK,cAAc,EAAE,KAAK,QAAQ,MAAM;AAAA,IACvD;AAGA,WAAO,MAAM,IAAI,QAAgB,CAACC,UAAS,WAAW;AACpD,YAAM,GAAG,SAAS,CAAC,QAAQ;AACzB,eAAO,GAAG;AAAA,MACZ,CAAC;AACD,YAAM,GAAG,SAAS,CAAC,SAAS;AAC1B,QAAAA,SAAQ,QAAQ,CAAC;AAAA,MACnB,CAAC;AAAA,IACH,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,YAAQ,OAAO,MAAM,GAAG,YAAY,GAAG,CAAC;AAAA,CAAI;AAC5C,WAAO;AAAA,EACT;AACF;","names":["path","resolve","tmpdir","resolve"]}

package/dist/index.d.ts

@@ -0,0 +1,34 @@
+/** Options parsed from the `vaultkeeper exec` command line. */
+interface ExecCommandOptions {
+    /** Name of the secret to retrieve. */
+    secret: string;
+    /** Environment variable name to inject the secret as. */
+    env: string;
+    /** Path to the calling script for identity verification. */
+    caller: string;
+    /** Human-readable reason for the access request. */
+    reason?: string | undefined;
+    /** Whether to use JWE token caching. */
+    cache?: boolean | undefined;
+    /**
+     * Whether to skip output redaction.
+     * When `true`, the raw secret value may appear in stdout or stderr.
+     * Use only when piping binary data or in controlled environments.
+     */
+    noRedact?: boolean | undefined;
+    /** The command and arguments to execute. */
+    command: string[];
+}
+/** Information displayed in the TTY approval prompt. */
+interface ApprovalInfo {
+    /** Path to the calling script. */
+    caller: string;
+    /** Trust level description (e.g. "★★☆ Registry (SHA-256: a1b2c3...)"). */
+    trustInfo: string;
+    /** Name of the secret being requested. */
+    secret: string;
+    /** Human-readable reason for the access request. */
+    reason?: string | undefined;
+}
+
+export type { ApprovalInfo, ExecCommandOptions };

package/dist/index.js

@@ -0,0 +1,3 @@
+
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js"}

package/dist/rotate-key-3PTCQYUP.js

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+import {
+  formatError
+} from "./chunk-FFQCXUYN.js";
+
+// src/commands/rotate-key.ts
+import { VaultKeeper } from "vaultkeeper";
+async function rotateKeyCommand(_args) {
+  try {
+    const vault = await VaultKeeper.init();
+    await vault.rotateKey();
+    process.stdout.write("Key rotated successfully.\n");
+    return 0;
+  } catch (err) {
+    process.stderr.write(`${formatError(err)}
+`);
+    return 1;
+  }
+}
+export {
+  rotateKeyCommand
+};
+//# sourceMappingURL=rotate-key-3PTCQYUP.js.map

package/dist/rotate-key-3PTCQYUP.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/rotate-key.ts"],"sourcesContent":["import { VaultKeeper } from 'vaultkeeper'\nimport { formatError } from '../output.js'\n\nexport async function rotateKeyCommand(_args: string[]): Promise<number> {\n  try {\n    const vault = await VaultKeeper.init()\n    await vault.rotateKey()\n    process.stdout.write('Key rotated successfully.\\n')\n    return 0\n  } catch (err) {\n    process.stderr.write(`${formatError(err)}\\n`)\n    return 1\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,mBAAmB;AAG5B,eAAsB,iBAAiB,OAAkC;AACvE,MAAI;AACF,UAAM,QAAQ,MAAM,YAAY,KAAK;AACrC,UAAM,MAAM,UAAU;AACtB,YAAQ,OAAO,MAAM,6BAA6B;AAClD,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,OAAO,MAAM,GAAG,YAAY,GAAG,CAAC;AAAA,CAAI;AAC5C,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/store-K4PPONOU.js

@@ -0,0 +1,59 @@
+#!/usr/bin/env node
+import {
+  formatError
+} from "./chunk-FFQCXUYN.js";
+
+// src/commands/store.ts
+import { parseArgs } from "util";
+import { BackendRegistry, VaultKeeper } from "vaultkeeper";
+async function storeCommand(args) {
+  const { values } = parseArgs({
+    args,
+    options: {
+      name: { type: "string" }
+    },
+    strict: true
+  });
+  if (values.name === void 0) {
+    process.stderr.write("Error: --name is required\n");
+    process.stderr.write('Usage: echo "secret" | vaultkeeper store --name <name>\n');
+    return 1;
+  }
+  try {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+      if (chunk instanceof Buffer) {
+        chunks.push(chunk);
+      } else if (typeof chunk === "string") {
+        chunks.push(Buffer.from(chunk));
+      } else {
+        chunks.push(Buffer.from(String(chunk)));
+      }
+    }
+    const secret = Buffer.concat(chunks).toString("utf8").trimEnd();
+    if (secret.length === 0) {
+      process.stderr.write("Error: No secret provided on stdin\n");
+      return 1;
+    }
+    await VaultKeeper.init();
+    const types = BackendRegistry.getTypes();
+    const firstType = types[0];
+    if (firstType === void 0) {
+      process.stderr.write("Error: No backends available\n");
+      return 1;
+    }
+    const backend = BackendRegistry.create(firstType);
+    await backend.store(values.name, secret);
+    process.stdout.write(`Secret "${values.name}" stored successfully.
+`);
+    return 0;
+  } catch (err) {
+    process.stderr.write(`${formatError(err)}
+`);
+    return 1;
+  }
+}
+export {
+  storeCommand
+};
+//# sourceMappingURL=store-K4PPONOU.js.map

package/dist/store-K4PPONOU.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/store.ts"],"sourcesContent":["import { parseArgs } from 'node:util'\nimport { BackendRegistry, VaultKeeper } from 'vaultkeeper'\nimport { formatError } from '../output.js'\n\nexport async function storeCommand(args: string[]): Promise<number> {\n  const { values } = parseArgs({\n    args,\n    options: {\n      name: { type: 'string' },\n    },\n    strict: true,\n  })\n\n  if (values.name === undefined) {\n    process.stderr.write('Error: --name is required\\n')\n    process.stderr.write('Usage: echo \"secret\" | vaultkeeper store --name <name>\\n')\n    return 1\n  }\n\n  try {\n    // Read secret from stdin\n    const chunks: Buffer[] = []\n    for await (const chunk of process.stdin) {\n      if (chunk instanceof Buffer) {\n        chunks.push(chunk)\n      } else if (typeof chunk === 'string') {\n        chunks.push(Buffer.from(chunk))\n      } else {\n        chunks.push(Buffer.from(String(chunk)))\n      }\n    }\n    const secret = Buffer.concat(chunks).toString('utf8').trimEnd()\n\n    if (secret.length === 0) {\n      process.stderr.write('Error: No secret provided on stdin\\n')\n      return 1\n    }\n\n    // Initialize vault to run doctor checks and register backends.\n    // The return value is not used — init() is called for its side effects\n    // (doctor checks and backend registration). TODO: VaultKeeper should expose\n    // a public store() method; until then we use BackendRegistry.create() with\n    // the config-resolved type.\n    await VaultKeeper.init()\n    const types = BackendRegistry.getTypes()\n    const firstType = types[0]\n    if (firstType === undefined) {\n      process.stderr.write('Error: No backends available\\n')\n      return 1\n    }\n\n    const backend = BackendRegistry.create(firstType)\n    await backend.store(values.name, secret)\n    process.stdout.write(`Secret \"${values.name}\" stored successfully.\\n`)\n    return 0\n  } catch (err) {\n    process.stderr.write(`${formatError(err)}\\n`)\n    return 1\n  }\n}\n"],"mappings":";;;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,iBAAiB,mBAAmB;AAG7C,eAAsB,aAAa,MAAiC;AAClE,QAAM,EAAE,OAAO,IAAI,UAAU;AAAA,IAC3B;AAAA,IACA,SAAS;AAAA,MACP,MAAM,EAAE,MAAM,SAAS;AAAA,IACzB;AAAA,IACA,QAAQ;AAAA,EACV,CAAC;AAED,MAAI,OAAO,SAAS,QAAW;AAC7B,YAAQ,OAAO,MAAM,6BAA6B;AAClD,YAAQ,OAAO,MAAM,0DAA0D;AAC/E,WAAO;AAAA,EACT;AAEA,MAAI;AAEF,UAAM,SAAmB,CAAC;AAC1B,qBAAiB,SAAS,QAAQ,OAAO;AACvC,UAAI,iBAAiB,QAAQ;AAC3B,eAAO,KAAK,KAAK;AAAA,MACnB,WAAW,OAAO,UAAU,UAAU;AACpC,eAAO,KAAK,OAAO,KAAK,KAAK,CAAC;AAAA,MAChC,OAAO;AACL,eAAO,KAAK,OAAO,KAAK,OAAO,KAAK,CAAC,CAAC;AAAA,MACxC;AAAA,IACF;AACA,UAAM,SAAS,OAAO,OAAO,MAAM,EAAE,SAAS,MAAM,EAAE,QAAQ;AAE9D,QAAI,OAAO,WAAW,GAAG;AACvB,cAAQ,OAAO,MAAM,sCAAsC;AAC3D,aAAO;AAAA,IACT;AAOA,UAAM,YAAY,KAAK;AACvB,UAAM,QAAQ,gBAAgB,SAAS;AACvC,UAAM,YAAY,MAAM,CAAC;AACzB,QAAI,cAAc,QAAW;AAC3B,cAAQ,OAAO,MAAM,gCAAgC;AACrD,aAAO;AAAA,IACT;AAEA,UAAM,UAAU,gBAAgB,OAAO,SAAS;AAChD,UAAM,QAAQ,MAAM,OAAO,MAAM,MAAM;AACvC,YAAQ,OAAO,MAAM,WAAW,OAAO,IAAI;AAAA,CAA0B;AACrE,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,OAAO,MAAM,GAAG,YAAY,GAAG,CAAC;AAAA,CAAI;AAC5C,WAAO;AAAA,EACT;AACF;","names":[]}

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "@vaultkeeper/cli",
+  "version": "0.1.0",
+  "description": "Command-line interface for vaultkeeper — store, retrieve, and inject secrets with policy-enforced access control",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      }
+    }
+  },
+  "bin": {
+    "vaultkeeper": "./dist/bin.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "keywords": [
+    "secret",
+    "secrets",
+    "credential",
+    "keychain",
+    "cli",
+    "vault",
+    "security",
+    "secret-management"
+  ],
+  "author": "Mike North <michael.l.north@gmail.com>",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "vaultkeeper": "0.2.0"
+  },
+  "devDependencies": {
+    "@microsoft/api-extractor": "^7.57.2",
+    "@types/node": "^22.0.0",
+    "tsup": "^8.0.0",
+    "tsx": "^4.21.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "clean": "node -e \"import('node:fs').then(fs=>fs.rmSync('dist',{recursive:true,force:true}))\"",
+    "test": "vitest run",
+    "check:typecheck": "tsc --noEmit",
+    "check:lint-ts": "eslint .",
+    "check:api-report": "api-extractor run",
+    "check": "pnpm check:typecheck && pnpm check:lint-ts && pnpm check:api-report",
+    "generate:api-report": "api-extractor run --local"
+  }
+}