@zincapp/znvault-cli 2.4.0 → 2.6.0

package/dist/commands/agent.js

@@ -1,16 +1,7 @@
+// Path: znvault-cli/src/commands/agent.ts
 import ora from 'ora';
-import * as fs from 'fs';
-import * as path from 'path';
-import * as os from 'os';
-import { spawn } from 'child_process';
 import * as mode from '../lib/mode.js';
 import * as output from '../lib/output.js';
-import * as config from '../lib/config.js';
-// Config locations - match standalone agent
-const SYSTEM_CONFIG_DIR = '/etc/zn-vault-agent';
-const SYSTEM_CONFIG_FILE = path.join(SYSTEM_CONFIG_DIR, 'config.json');
-const USER_CONFIG_DIR = path.join(os.homedir(), '.config', 'zn-vault-agent');
-const USER_CONFIG_FILE = path.join(USER_CONFIG_DIR, 'config.json');
 /**
  * Format relative time for display
  */
@@ -29,470 +20,10 @@ function formatRelativeTime(dateStr) {
         return `${diffHours}h ago`;
     return `${diffDays}d ago`;
 }
-// State file location
-const STATE_DIR = path.join(os.homedir(), '.local', 'state', 'zn-vault-agent');
-const DEFAULT_STATE_FILE = path.join(STATE_DIR, 'state.json');
-/**
- * Get the appropriate config file path based on privileges
- */
-function getConfigPath() {
-    // If running as root and system config exists, use it
-    if (process.getuid?.() === 0) {
-        return SYSTEM_CONFIG_FILE;
-    }
-    // Check if system config exists (for non-root reading)
-    if (fs.existsSync(SYSTEM_CONFIG_FILE)) {
-        return SYSTEM_CONFIG_FILE;
-    }
-    // Fall back to user config
-    return USER_CONFIG_FILE;
-}
-/**
- * Load agent configuration
- */
-function loadConfig(configPath) {
-    const filePath = configPath ?? getConfigPath();
-    if (!fs.existsSync(filePath)) {
-        return null;
-    }
-    try {
-        return JSON.parse(fs.readFileSync(filePath, 'utf-8'));
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Save agent configuration
- */
-function saveConfig(agentConfig, configPath) {
-    const filePath = configPath ?? getConfigPath();
-    const dir = path.dirname(filePath);
-    if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
-    }
-    fs.writeFileSync(filePath, JSON.stringify(agentConfig, null, 2), { mode: 0o600 });
-}
-/**
- * Create default config with current CLI credentials
- */
-function createDefaultConfig() {
-    const cliConfig = config.getConfig();
-    const credentials = config.getCredentials();
-    const envCredentials = config.getEnvCredentials();
-    const apiKey = config.getApiKey();
-    // Get tenant from: env > stored credentials > default tenant
-    const tenantId = process.env.ZNVAULT_TENANT_ID ??
-        credentials?.tenantId ??
-        cliConfig.defaultTenant ??
-        '';
-    return {
-        vaultUrl: cliConfig.url,
-        tenantId,
-        auth: {
-            apiKey: apiKey,
-            username: envCredentials?.username,
-            password: envCredentials?.password,
-        },
-        insecure: cliConfig.insecure,
-        targets: [],
-        pollInterval: 3600,
-    };
-}
 export function registerAgentCommands(program) {
     const agent = program
         .command('agent')
-        .description('Certificate synchronization agent configuration and management');
-    // Initialize agent configuration
-    agent
-        .command('init')
-        .description('Initialize agent configuration')
-        .option('-c, --config <path>', 'Config file path')
-        .action((options) => {
-        const configPath = options.config ?? getConfigPath();
-        if (fs.existsSync(configPath)) {
-            output.error(`Config already exists at ${configPath}`);
-            output.info('Use "znvault agent add" to add certificates');
-            process.exit(1);
-        }
-        const agentConfig = createDefaultConfig();
-        saveConfig(agentConfig, configPath);
-        console.log(`Agent configuration initialized at ${configPath}`);
-        console.log();
-        console.log('Next steps:');
-        console.log('  1. Add certificates: znvault agent add <cert-id> --combined /path/to/cert.pem');
-        console.log('  2. Start the agent: zn-vault-agent start');
-        console.log();
-        console.log('Or install as systemd service:');
-        console.log('  sudo systemctl enable --now zn-vault-agent');
-    });
-    // Add certificate to sync
-    agent
-        .command('add <cert-id>')
-        .description('Add a certificate to sync')
-        .option('-n, --name <name>', 'Human-readable name for the certificate')
-        .option('--combined <path>', 'Output path for combined cert+key file (HAProxy)')
-        .option('--cert <path>', 'Output path for certificate file')
-        .option('--key <path>', 'Output path for private key file')
-        .option('--chain <path>', 'Output path for CA chain file')
-        .option('--fullchain <path>', 'Output path for fullchain file (cert+chain)')
-        .option('--owner <user:group>', 'File ownership (e.g., haproxy:haproxy)')
-        .option('--mode <mode>', 'File permissions (e.g., 0640)', '0640')
-        .option('--reload <command>', 'Command to run after cert update')
-        .option('--health-check <command>', 'Health check command (must return 0)')
-        .option('-c, --config <path>', 'Config file path')
-        .action(async (certId, options) => {
-        const spinner = ora('Validating certificate...').start();
-        try {
-            // Validate the certificate exists
-            const cert = await mode.apiGet(`/v1/certificates/${certId}`);
-            spinner.stop();
-            // Load or create config
-            const configPath = options.config ?? getConfigPath();
-            let agentConfig = loadConfig(configPath);
-            if (!agentConfig) {
-                output.info('No config found, creating with current CLI credentials...');
-                agentConfig = createDefaultConfig();
-            }
-            // Check if already added
-            if (agentConfig.targets.some(t => t.certId === certId)) {
-                output.error(`Certificate ${certId} is already configured`);
-                process.exit(1);
-            }
-            // Validate at least one output is specified
-            if (!options.combined && !options.cert && !options.key && !options.chain && !options.fullchain) {
-                output.error('At least one output path is required (--combined, --cert, --key, --chain, or --fullchain)');
-                process.exit(1);
-            }
-            const target = {
-                certId,
-                name: options.name ?? cert.alias,
-                outputs: {},
-                mode: options.mode,
-            };
-            if (options.combined)
-                target.outputs.combined = options.combined;
-            if (options.cert)
-                target.outputs.cert = options.cert;
-            if (options.key)
-                target.outputs.key = options.key;
-            if (options.chain)
-                target.outputs.chain = options.chain;
-            if (options.fullchain)
-                target.outputs.fullchain = options.fullchain;
-            if (options.owner)
-                target.owner = options.owner;
-            if (options.reload)
-                target.reloadCmd = options.reload;
-            if (options.healthCheck)
-                target.healthCheckCmd = options.healthCheck;
-            agentConfig.targets.push(target);
-            saveConfig(agentConfig, configPath);
-            console.log(`Added certificate: ${target.name} (${certId})`);
-            if (target.outputs.combined)
-                console.log(`  Combined: ${target.outputs.combined}`);
-            if (target.outputs.cert)
-                console.log(`  Certificate: ${target.outputs.cert}`);
-            if (target.outputs.key)
-                console.log(`  Private key: ${target.outputs.key}`);
-            if (target.outputs.chain)
-                console.log(`  Chain: ${target.outputs.chain}`);
-            if (target.outputs.fullchain)
-                console.log(`  Fullchain: ${target.outputs.fullchain}`);
-            if (target.reloadCmd)
-                console.log(`  Reload: ${target.reloadCmd}`);
-        }
-        catch (err) {
-            spinner.fail('Failed to add certificate');
-            output.error(err instanceof Error ? err.message : String(err));
-            process.exit(1);
-        }
-        finally {
-            await mode.closeLocalClient();
-        }
-    });
-    // Remove certificate from sync
-    agent
-        .command('remove <cert-id-or-name>')
-        .description('Remove a certificate from sync')
-        .option('-c, --config <path>', 'Config file path')
-        .action((certIdOrName, options) => {
-        const configPath = options.config ?? getConfigPath();
-        const agentConfig = loadConfig(configPath);
-        if (!agentConfig) {
-            output.error(`Config not found. Run 'znvault agent init' first.`);
-            process.exit(1);
-        }
-        const idx = agentConfig.targets.findIndex(t => t.certId === certIdOrName || t.name === certIdOrName);
-        if (idx === -1) {
-            output.error(`Certificate "${certIdOrName}" not found in configuration`);
-            process.exit(1);
-        }
-        const removed = agentConfig.targets.splice(idx, 1)[0];
-        saveConfig(agentConfig, configPath);
-        console.log(`Removed certificate: ${removed.name} (${removed.certId})`);
-    });
-    // List configured certificates
-    agent
-        .command('list')
-        .description('List configured certificates')
-        .option('-c, --config <path>', 'Config file path')
-        .option('--json', 'Output as JSON')
-        .action((options) => {
-        const configPath = options.config ?? getConfigPath();
-        const agentConfig = loadConfig(configPath);
-        if (!agentConfig) {
-            output.error(`Config not found. Run 'znvault agent init' first.`);
-            process.exit(1);
-        }
-        if (options.json) {
-            output.json(agentConfig);
-            return;
-        }
-        console.log(`Config: ${configPath}`);
-        console.log(`Vault: ${agentConfig.vaultUrl}`);
-        console.log(`Tenant: ${agentConfig.tenantId}`);
-        console.log(`Certificates: ${agentConfig.targets.length}`);
-        console.log();
-        if (agentConfig.targets.length === 0) {
-            console.log('No certificates configured. Use "znvault agent add <cert-id>" to add one.');
-            return;
-        }
-        output.table(['Name', 'Cert ID', 'Outputs', 'Reload'], agentConfig.targets.map(t => [
-            t.name,
-            t.certId.substring(0, 8) + '...',
-            Object.entries(t.outputs).filter(([, v]) => v).map(([k]) => k).join(', '),
-            t.reloadCmd ? t.reloadCmd.substring(0, 30) : '-',
-        ]));
-    });
-    // Sync certificates (one-time)
-    agent
-        .command('sync')
-        .description('Sync all configured certificates (one-time)')
-        .option('-c, --config <path>', 'Config file path')
-        .option('-s, --state <path>', 'State file path', DEFAULT_STATE_FILE)
-        .option('--force', 'Force sync even if unchanged')
-        .action(async (options) => {
-        const spinner = ora('Syncing certificates...').start();
-        try {
-            const configPath = options.config ?? getConfigPath();
-            const agentConfig = loadConfig(configPath);
-            if (!agentConfig) {
-                spinner.fail('Config not found');
-                output.error(`Run 'znvault agent init' first.`);
-                process.exit(1);
-            }
-            if (agentConfig.targets.length === 0) {
-                spinner.fail('No certificates configured');
-                output.error('Use "znvault agent add <cert-id>" to add certificates.');
-                process.exit(1);
-            }
-            // Load or create state
-            let state = { certificates: {}, lastUpdate: new Date().toISOString() };
-            if (fs.existsSync(options.state)) {
-                state = JSON.parse(fs.readFileSync(options.state, 'utf-8'));
-            }
-            let synced = 0;
-            let skipped = 0;
-            let failed = 0;
-            for (const target of agentConfig.targets) {
-                try {
-                    // Get certificate with decrypted data
-                    const cert = await mode.apiPost(`/v1/certificates/${target.certId}/decrypt`, { purpose: 'agent-sync' });
-                    // Check if changed
-                    const certFingerprint = cert.fingerprintSha256;
-                    const existingState = state.certificates[target.certId];
-                    if (!options.force && existingState.fingerprint === certFingerprint) {
-                        skipped++;
-                        continue;
-                    }
-                    // Decode certificate data
-                    const certData = Buffer.from(cert.certificateData, 'base64').toString('utf-8');
-                    const keyData = cert.privateKeyData ? Buffer.from(cert.privateKeyData, 'base64').toString('utf-8') : null;
-                    const chainData = cert.chainData ? Buffer.from(cert.chainData, 'base64').toString('utf-8') : null;
-                    const fileMode = parseInt(target.mode ?? '0640', 8);
-                    // Write certificate file
-                    if (target.outputs.cert) {
-                        ensureDir(path.dirname(target.outputs.cert));
-                        fs.writeFileSync(target.outputs.cert, certData, { mode: fileMode });
-                    }
-                    // Write private key
-                    if (target.outputs.key && keyData) {
-                        ensureDir(path.dirname(target.outputs.key));
-                        fs.writeFileSync(target.outputs.key, keyData, { mode: 0o600 });
-                    }
-                    // Write chain
-                    if (target.outputs.chain && chainData) {
-                        ensureDir(path.dirname(target.outputs.chain));
-                        fs.writeFileSync(target.outputs.chain, chainData, { mode: fileMode });
-                    }
-                    // Write fullchain (cert + chain)
-                    if (target.outputs.fullchain) {
-                        let fullchain = certData;
-                        if (chainData)
-                            fullchain += '\n' + chainData;
-                        ensureDir(path.dirname(target.outputs.fullchain));
-                        fs.writeFileSync(target.outputs.fullchain, fullchain, { mode: fileMode });
-                    }
-                    // Write combined (cert + key + chain)
-                    if (target.outputs.combined) {
-                        let combined = certData;
-                        if (keyData)
-                            combined += '\n' + keyData;
-                        if (chainData)
-                            combined += '\n' + chainData;
-                        ensureDir(path.dirname(target.outputs.combined));
-                        fs.writeFileSync(target.outputs.combined, combined, { mode: 0o600 });
-                    }
-                    // Update state
-                    state.certificates[target.certId] = {
-                        id: target.certId,
-                        alias: cert.alias,
-                        lastSync: new Date().toISOString(),
-                        version: cert.version,
-                        fingerprint: certFingerprint,
-                    };
-                    synced++;
-                }
-                catch (err) {
-                    failed++;
-                    console.error(`\nFailed to sync ${target.name}: ${err instanceof Error ? err.message : String(err)}`);
-                }
-            }
-            // Save state
-            state.lastUpdate = new Date().toISOString();
-            ensureDir(path.dirname(options.state));
-            fs.writeFileSync(options.state, JSON.stringify(state, null, 2));
-            spinner.stop();
-            console.log(`Sync complete: ${synced} synced, ${skipped} unchanged, ${failed} failed`);
-        }
-        catch (err) {
-            spinner.fail('Sync failed');
-            output.error(err instanceof Error ? err.message : String(err));
-            process.exit(1);
-        }
-        finally {
-            await mode.closeLocalClient();
-        }
-    });
-    // Start agent daemon (delegates to standalone agent)
-    agent
-        .command('start')
-        .description('Start the certificate sync agent daemon')
-        .option('-c, --config <path>', 'Config file path')
-        .option('-v, --verbose', 'Enable verbose logging')
-        .option('--health-port <port>', 'Enable health/metrics HTTP server')
-        .option('--foreground', 'Run in foreground')
-        .action((options) => {
-        const configPath = options.config ?? getConfigPath();
-        if (!fs.existsSync(configPath)) {
-            output.error(`Config not found at ${configPath}`);
-            output.info(`Run 'znvault agent init' first.`);
-            process.exit(1);
-        }
-        // Build command arguments
-        const args = ['start'];
-        if (options.verbose)
-            args.push('--verbose');
-        if (options.healthPort)
-            args.push('--health-port', options.healthPort);
-        // Set config path via environment if not default
-        const env = { ...process.env };
-        if (options.config) {
-            env.ZNVAULT_AGENT_CONFIG_DIR = path.dirname(options.config);
-        }
-        console.log('Starting zn-vault-agent daemon...');
-        console.log();
-        // Try to find the standalone agent
-        const agentPaths = [
-            '/usr/local/bin/zn-vault-agent',
-            '/usr/bin/zn-vault-agent',
-            path.join(os.homedir(), '.local', 'bin', 'zn-vault-agent'),
-            // Development: check sibling directory
-            path.resolve(__dirname, '..', '..', '..', '..', 'zn-vault-agent', 'dist', 'index.js'),
-        ];
-        let agentPath = null;
-        for (const p of agentPaths) {
-            if (fs.existsSync(p)) {
-                agentPath = p;
-                break;
-            }
-        }
-        if (!agentPath) {
-            output.error('zn-vault-agent not found');
-            console.log();
-            console.log('Install the standalone agent:');
-            console.log('  cd zn-vault-agent && npm install && npm run build');
-            console.log('  sudo ./deploy/install.sh');
-            console.log();
-            console.log('Or run directly:');
-            console.log('  cd zn-vault-agent && npm run start -- start');
-            process.exit(1);
-        }
-        // Determine how to run it
-        const isJsFile = agentPath.endsWith('.js');
-        const command = isJsFile ? 'node' : agentPath;
-        const spawnArgs = isJsFile ? [agentPath, ...args] : args;
-        // Spawn the agent
-        const child = spawn(command, spawnArgs, {
-            env,
-            stdio: 'inherit',
-            detached: !options.foreground,
-        });
-        if (!options.foreground) {
-            child.unref();
-            console.log(`Agent started with PID ${String(child.pid)}`);
-            process.exit(0);
-        }
-        // In foreground mode, wait for the process
-        child.on('exit', (code) => {
-            process.exit(code ?? 0);
-        });
-    });
-    // Show agent status
-    agent
-        .command('status')
-        .description('Show agent configuration and sync status')
-        .option('-c, --config <path>', 'Config file path')
-        .option('-s, --state <path>', 'State file path', DEFAULT_STATE_FILE)
-        .option('--json', 'Output as JSON')
-        .action((options) => {
-        const configPath = options.config ?? getConfigPath();
-        const agentConfig = loadConfig(configPath);
-        if (!agentConfig) {
-            output.error(`Config not found. Run 'znvault agent init' first.`);
-            process.exit(1);
-        }
-        let state = { certificates: {}, lastUpdate: 'never' };
-        if (fs.existsSync(options.state)) {
-            state = JSON.parse(fs.readFileSync(options.state, 'utf-8'));
-        }
-        if (options.json) {
-            output.json({ config: agentConfig, state });
-            return;
-        }
-        console.log('Agent Configuration:');
-        console.log(`  Config file: ${configPath}`);
-        console.log(`  Vault URL: ${agentConfig.vaultUrl}`);
-        console.log(`  Tenant: ${agentConfig.tenantId}`);
-        console.log(`  Certificates: ${agentConfig.targets.length}`);
-        console.log(`  Last sync: ${state.lastUpdate}`);
-        console.log();
-        if (agentConfig.targets.length === 0) {
-            console.log('No certificates configured.');
-            return;
-        }
-        output.table(['Name', 'Cert ID', 'Last Sync', 'Version', 'Fingerprint'], agentConfig.targets.map(t => {
-            const s = state.certificates[t.certId];
-            return [
-                t.name,
-                t.certId.substring(0, 8) + '...',
-                new Date(s.lastSync).toLocaleString(),
-                String(s.version),
-                s.fingerprint.substring(0, 16) + '...',
-            ];
-        }));
-    });
+        .description('Manage remote agents and registration tokens');
     // ===== Remote Agent Management Commands =====
     const remote = agent
         .command('remote')
@@ -651,10 +182,162 @@ export function registerAgentCommands(program) {
             await mode.closeLocalClient();
         }
     });
-}
-function ensureDir(dir) {
-    if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true });
-    }
+    // ===== Registration Token Commands =====
+    const token = agent
+        .command('token')
+        .description('Manage registration tokens for agent bootstrapping');
+    // Create registration token
+    token
+        .command('create')
+        .description('Create a one-time registration token for managed key binding')
+        .requiredOption('-k, --managed-key <name>', 'Name of the managed key to bind')
+        .option('-e, --expires <duration>', 'Token expiration (e.g., "1h", "24h")', '1h')
+        .option('-d, --description <text>', 'Optional description for audit trail')
+        .option('--tenant <tenantId>', 'Target tenant ID (superadmin only)')
+        .action(async (options) => {
+        const spinner = ora('Creating registration token...').start();
+        try {
+            const tenantQuery = options.tenant ? `?tenantId=${encodeURIComponent(options.tenant)}` : '';
+            const response = await mode.apiPost(`/auth/api-keys/managed/${encodeURIComponent(options.managedKey)}/registration-tokens${tenantQuery}`, {
+                expiresIn: options.expires,
+                description: options.description,
+            });
+            spinner.succeed('Registration token created');
+            console.log();
+            console.log('Token (save this - shown only once!):');
+            console.log(`  ${response.token}`);
+            console.log();
+            console.log('Details:');
+            console.log(`  Prefix: ${response.prefix}`);
+            console.log(`  Managed Key: ${response.managedKeyName}`);
+            console.log(`  Tenant: ${response.tenantId}`);
+            console.log(`  Expires: ${new Date(response.expiresAt).toLocaleString()}`);
+            if (response.description) {
+                console.log(`  Description: ${response.description}`);
+            }
+            console.log();
+            console.log('Usage:');
+            console.log(`  curl -sSL https://vault.example.com/agent/bootstrap.sh | ZNVAULT_TOKEN=${response.token} bash`);
+            console.log();
+            console.log('Or manually:');
+            console.log(`  curl -X POST https://vault.example.com/agent/bootstrap \\`);
+            console.log(`    -H "Content-Type: application/json" \\`);
+            console.log(`    -d '{"token": "${response.token}"}'`);
+        }
+        catch (err) {
+            spinner.fail('Failed to create registration token');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+        finally {
+            await mode.closeLocalClient();
+        }
+    });
+    // List registration tokens
+    token
+        .command('list')
+        .description('List registration tokens for a managed key')
+        .requiredOption('-k, --managed-key <name>', 'Name of the managed key')
+        .option('--include-used', 'Include already-used tokens')
+        .option('--tenant <tenantId>', 'Target tenant ID (superadmin only)')
+        .option('--json', 'Output as JSON')
+        .action(async (options) => {
+        const spinner = ora('Fetching registration tokens...').start();
+        try {
+            const params = new URLSearchParams();
+            if (options.tenant)
+                params.set('tenantId', options.tenant);
+            if (options.includeUsed)
+                params.set('includeUsed', 'true');
+            const query = params.toString();
+            const response = await mode.apiGet(`/auth/api-keys/managed/${encodeURIComponent(options.managedKey)}/registration-tokens${query ? `?${query}` : ''}`);
+            spinner.stop();
+            if (options.json) {
+                output.json(response);
+                return;
+            }
+            if (response.tokens.length === 0) {
+                console.log('No registration tokens found');
+                return;
+            }
+            console.log(`Registration tokens for ${options.managedKey}:`);
+            console.log();
+            output.table(['Prefix', 'Status', 'Created', 'Expires', 'Description'], response.tokens.map(t => [
+                t.prefix,
+                t.status === 'active' ? '● active' :
+                    t.status === 'used' ? '○ used' :
+                        t.status === 'expired' ? '○ expired' : '○ revoked',
+                formatRelativeTime(t.createdAt),
+                formatRelativeTime(t.expiresAt),
+                t.description?.substring(0, 30) ?? '-',
+            ]));
+        }
+        catch (err) {
+            spinner.fail('Failed to fetch registration tokens');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+        finally {
+            await mode.closeLocalClient();
+        }
+    });
+    // Revoke registration token
+    token
+        .command('revoke <token-id>')
+        .description('Revoke a registration token (prevents future use)')
+        .requiredOption('-k, --managed-key <name>', 'Name of the managed key')
+        .option('--tenant <tenantId>', 'Target tenant ID (superadmin only)')
+        .option('-y, --yes', 'Skip confirmation prompt')
+        .action(async (tokenId, options) => {
+        if (!options.yes) {
+            const readline = await import('readline');
+            const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+            const answer = await new Promise(resolve => {
+                rl.question(`Revoke token ${tokenId}? This cannot be undone. [y/N] `, resolve);
+            });
+            rl.close();
+            if (answer.toLowerCase() !== 'y') {
+                console.log('Cancelled');
+                return;
+            }
+        }
+        const spinner = ora('Revoking registration token...').start();
+        try {
+            const tenantQuery = options.tenant ? `?tenantId=${encodeURIComponent(options.tenant)}` : '';
+            await mode.apiDelete(`/auth/api-keys/managed/${encodeURIComponent(options.managedKey)}/registration-tokens/${encodeURIComponent(tokenId)}${tenantQuery}`);
+            spinner.succeed('Registration token revoked');
+        }
+        catch (err) {
+            spinner.fail('Failed to revoke registration token');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+        finally {
+            await mode.closeLocalClient();
+        }
+    });
+    // Help text pointing to zn-vault-agent
+    agent
+        .command('help-local')
+        .description('Show help for local agent operations')
+        .action(() => {
+        console.log('Local Agent Operations');
+        console.log('======================');
+        console.log();
+        console.log('For local agent configuration and sync operations, use the standalone agent:');
+        console.log();
+        console.log('  zn-vault-agent login      # Authenticate with vault');
+        console.log('  zn-vault-agent setup      # Interactive setup');
+        console.log('  zn-vault-agent sync       # Sync secrets/certificates');
+        console.log('  zn-vault-agent start      # Start agent daemon');
+        console.log('  zn-vault-agent status     # Show agent status');
+        console.log('  zn-vault-agent exec       # Execute with secrets injected');
+        console.log();
+        console.log('Install the standalone agent:');
+        console.log('  npm install -g @zincapp/zn-vault-agent');
+        console.log();
+        console.log('For more information:');
+        console.log('  zn-vault-agent --help');
+    });
 }
 //# sourceMappingURL=agent.js.map