autho 1.0.0 → 2.0.0

package/dist/autho.js

@@ -0,0 +1,1873 @@
+#!/usr/bin/env bun
+// @bun
+
+// apps/cli/src/index.ts
+import { spawn } from "child_process";
+import { existsSync as existsSync4 } from "fs";
+import { createInterface } from "readline/promises";
+import { resolve as resolve3 } from "path";
+
+// packages/core/src/daemon.ts
+import { createHash, timingSafeEqual } from "crypto";
+import { existsSync as existsSync3, readFileSync as readFileSync3, rmSync } from "fs";
+
+// packages/storage/src/index.ts
+import { Database } from "bun:sqlite";
+import { chmodSync, existsSync, mkdirSync } from "fs";
+import { dirname } from "path";
+function parseJson(value) {
+  return JSON.parse(value);
+}
+function tryChmod(path, mode) {
+  if (process.platform === "win32") {
+    return;
+  }
+  try {
+    chmodSync(path, mode);
+  } catch {}
+}
+
+class AuthoDatabase {
+  vaultPath;
+  db;
+  constructor(vaultPath) {
+    this.vaultPath = vaultPath;
+    if (vaultPath !== ":memory:") {
+      mkdirSync(dirname(vaultPath), { mode: 448, recursive: true });
+      tryChmod(dirname(vaultPath), 448);
+    }
+    this.db = new Database(vaultPath, { create: true, strict: true });
+    this.migrate();
+    this.hardenStorageFiles();
+  }
+  close() {
+    this.hardenStorageFiles();
+    this.db.close();
+  }
+  hardenStorageFiles() {
+    if (this.vaultPath === ":memory:") {
+      return;
+    }
+    for (const path of [this.vaultPath, `${this.vaultPath}-shm`, `${this.vaultPath}-wal`]) {
+      if (existsSync(path)) {
+        tryChmod(path, 384);
+      }
+    }
+  }
+  migrate() {
+    this.db.exec(`
+      PRAGMA journal_mode = WAL;
+
+      CREATE TABLE IF NOT EXISTS meta (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS secrets (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL UNIQUE,
+        type TEXT NOT NULL,
+        payload TEXT NOT NULL,
+        wrapped_key TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS leases (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL,
+        secret_refs TEXT NOT NULL,
+        expires_at TEXT NOT NULL,
+        revoked_at TEXT,
+        created_at TEXT NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS audit_events (
+        id TEXT PRIMARY KEY,
+        event_type TEXT NOT NULL,
+        subject_type TEXT NOT NULL,
+        subject_ref TEXT,
+        message TEXT NOT NULL,
+        metadata TEXT NOT NULL,
+        created_at TEXT NOT NULL
+      );
+    `);
+  }
+  getVaultConfig() {
+    const row = this.db.query("SELECT value FROM meta WHERE key = ?1").get("vault.config");
+    return row ? parseJson(row.value) : null;
+  }
+  setVaultConfig(config) {
+    this.db.query("INSERT OR REPLACE INTO meta (key, value) VALUES (?1, ?2)").run("vault.config", JSON.stringify(config));
+  }
+  countSecrets() {
+    const row = this.db.query("SELECT COUNT(*) AS count FROM secrets").get();
+    return row.count;
+  }
+  countActiveLeases(nowIso) {
+    const row = this.db.query(`SELECT COUNT(*) AS count
+         FROM leases
+         WHERE revoked_at IS NULL AND expires_at > ?1`).get(nowIso);
+    return row.count;
+  }
+  countAuditEvents() {
+    const row = this.db.query("SELECT COUNT(*) AS count FROM audit_events").get();
+    return row.count;
+  }
+  insertSecret(secret) {
+    this.db.query(`INSERT INTO secrets (id, name, type, payload, wrapped_key, created_at, updated_at)
+         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)`).run(secret.id, secret.name, secret.type, secret.payload, secret.wrappedKey, secret.createdAt, secret.updatedAt);
+  }
+  listSecrets() {
+    return this.db.query(`SELECT
+           id,
+           name,
+           type,
+           payload,
+           wrapped_key AS wrappedKey,
+           created_at AS createdAt,
+           updated_at AS updatedAt
+         FROM secrets
+         ORDER BY created_at ASC`).all();
+  }
+  findSecret(ref) {
+    const row = this.db.query(`SELECT
+           id,
+           name,
+           type,
+           payload,
+           wrapped_key AS wrappedKey,
+           created_at AS createdAt,
+           updated_at AS updatedAt
+         FROM secrets
+         WHERE id = ?1 OR name = ?1
+         LIMIT 1`).get(ref);
+    return row ?? null;
+  }
+  deleteSecret(id) {
+    this.db.query("DELETE FROM secrets WHERE id = ?1").run(id);
+  }
+  insertLease(lease) {
+    this.db.query(`INSERT INTO leases (id, name, secret_refs, expires_at, revoked_at, created_at)
+         VALUES (?1, ?2, ?3, ?4, ?5, ?6)`).run(lease.id, lease.name, lease.secretRefs, lease.expiresAt, lease.revokedAt, lease.createdAt);
+  }
+  findLease(id) {
+    const row = this.db.query(`SELECT
+           id,
+           name,
+           secret_refs AS secretRefs,
+           expires_at AS expiresAt,
+           revoked_at AS revokedAt,
+           created_at AS createdAt
+         FROM leases
+         WHERE id = ?1
+         LIMIT 1`).get(id);
+    return row ?? null;
+  }
+  revokeLease(id, revokedAt) {
+    this.db.query("UPDATE leases SET revoked_at = ?2 WHERE id = ?1").run(id, revokedAt);
+  }
+  insertAudit(event) {
+    this.db.query(`INSERT INTO audit_events (id, event_type, subject_type, subject_ref, message, metadata, created_at)
+         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)`).run(event.id, event.eventType, event.subjectType, event.subjectRef, event.message, event.metadata, event.createdAt);
+  }
+  listAudit(limit) {
+    return this.db.query(`SELECT
+           id,
+           event_type AS eventType,
+           subject_type AS subjectType,
+           subject_ref AS subjectRef,
+           message,
+           metadata,
+           created_at AS createdAt
+         FROM audit_events
+         ORDER BY created_at DESC
+         LIMIT ?1`).all(limit);
+  }
+}
+
+// packages/crypto/src/index.ts
+import {
+  createCipheriv,
+  createDecipheriv,
+  randomBytes,
+  scryptSync
+} from "crypto";
+var DEFAULT_KDF = {
+  keyLength: 32,
+  name: "scrypt",
+  salt: "",
+  N: 1 << 17,
+  p: 1,
+  r: 8
+};
+function toBuffer(value) {
+  return Buffer.isBuffer(value) ? value : Buffer.from(value, "utf8");
+}
+function randomId(size = 16) {
+  return randomBytes(size).toString("hex");
+}
+function deriveKeyFromPassword(password, config) {
+  return scryptSync(password, Buffer.from(config.salt, "base64"), config.keyLength, {
+    maxmem: 256 * 1024 * 1024,
+    N: config.N,
+    p: config.p,
+    r: config.r
+  });
+}
+function encryptWithKey(value, key, aad) {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  cipher.setAAD(Buffer.from(aad, "utf8"));
+  const ciphertext = Buffer.concat([cipher.update(toBuffer(value)), cipher.final()]);
+  return {
+    algorithm: "aes-256-gcm",
+    ciphertext: ciphertext.toString("base64"),
+    iv: iv.toString("base64"),
+    tag: cipher.getAuthTag().toString("base64")
+  };
+}
+function decryptWithKey(blob, key, aad) {
+  const decipher = createDecipheriv(blob.algorithm, key, Buffer.from(blob.iv, "base64"));
+  decipher.setAAD(Buffer.from(aad, "utf8"));
+  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
+  return Buffer.concat([
+    decipher.update(Buffer.from(blob.ciphertext, "base64")),
+    decipher.final()
+  ]);
+}
+function createVaultConfig(password) {
+  const rootKey = randomBytes(32);
+  const kdf = {
+    ...DEFAULT_KDF,
+    salt: randomBytes(16).toString("base64")
+  };
+  const key = deriveKeyFromPassword(password, kdf);
+  return {
+    config: {
+      createdAt: new Date().toISOString(),
+      kdf,
+      version: 1,
+      wrappedRootKey: encryptWithKey(rootKey, key, "autho:vault-root")
+    },
+    rootKey
+  };
+}
+function unlockRootKey(password, config) {
+  const key = deriveKeyFromPassword(password, config.kdf);
+  return decryptWithKey(config.wrappedRootKey, key, "autho:vault-root");
+}
+
+// packages/core/src/index.ts
+import { spawnSync } from "child_process";
+import { createHmac, randomBytes as randomBytes3 } from "crypto";
+import {
+  existsSync as existsSync2,
+  readFileSync as readFileSync2
+} from "fs";
+import { basename as basename2 } from "path";
+
+// packages/core/src/artifacts.ts
+import { randomBytes as randomBytes2 } from "crypto";
+import {
+  readdirSync,
+  readFileSync,
+  statSync
+} from "fs";
+import { basename, join as join2, relative, resolve as resolve2, sep } from "path";
+
+// packages/core/src/paths.ts
+import { chmodSync as chmodSync2, mkdirSync as mkdirSync2, writeFileSync } from "fs";
+import { homedir } from "os";
+import { dirname as dirname2, join, resolve } from "path";
+function normalizePath(path) {
+  return resolve(path).replace(/\\/g, "/");
+}
+function tryChmod2(path, mode) {
+  if (process.platform === "win32") {
+    return;
+  }
+  try {
+    chmodSync2(path, mode);
+  } catch {}
+}
+function authoHomeDir() {
+  return normalizePath(process.env.AUTHO_HOME ?? join(homedir(), ".autho"));
+}
+function defaultVaultPath() {
+  return normalizePath(join(authoHomeDir(), "vault.db"));
+}
+function defaultProjectFilePath() {
+  return normalizePath(join(authoHomeDir(), "project.json"));
+}
+function defaultDaemonStatePath() {
+  return normalizePath(join(authoHomeDir(), "daemon.json"));
+}
+function ensurePrivateDir(path) {
+  mkdirSync2(path, { mode: 448, recursive: true });
+  tryChmod2(path, 448);
+}
+function ensurePrivateParent(path) {
+  ensurePrivateDir(dirname2(path));
+}
+function hardenFilePermissions(path) {
+  tryChmod2(path, 384);
+}
+function writeTextFileSecure(path, content) {
+  ensurePrivateParent(path);
+  writeFileSync(path, content, { encoding: "utf8", mode: 384 });
+  hardenFilePermissions(path);
+}
+function writeBinaryFileSecure(path, content) {
+  ensurePrivateParent(path);
+  writeFileSync(path, content, { mode: 384 });
+  hardenFilePermissions(path);
+}
+
+// packages/core/src/artifacts.ts
+function normalizeRelativePath(input) {
+  return input.replace(/\\/g, "/");
+}
+function walkFiles(rootPath) {
+  const entries = readdirSync(rootPath, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const entryPath = join2(rootPath, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...walkFiles(entryPath));
+      continue;
+    }
+    if (entry.isFile()) {
+      files.push(entryPath);
+    }
+  }
+  return files;
+}
+function defaultEncryptedFilePath(inputPath) {
+  return `${inputPath}.autho`;
+}
+function defaultDecryptedFilePath(inputPath) {
+  return inputPath.endsWith(".autho") ? inputPath.slice(0, -".autho".length) : `${inputPath}.decrypted`;
+}
+function defaultEncryptedFolderPath(inputPath) {
+  return `${inputPath}.autho-folder`;
+}
+function defaultDecryptedFolderPath(inputPath) {
+  return inputPath.endsWith(".autho-folder") ? inputPath.slice(0, -".autho-folder".length) : `${inputPath}.folder`;
+}
+function encryptFileArtifact(inputPath, outputPath, rootKey) {
+  const fileKey = randomBytes2(32);
+  const payload = encryptWithKey(readFileSync(inputPath), fileKey, `autho:file:${basename(inputPath)}`);
+  const envelope = {
+    kind: "file",
+    originalName: basename(inputPath),
+    payload,
+    version: 1,
+    wrappedKey: encryptWithKey(fileKey, rootKey, "autho:file:dek")
+  };
+  writeTextFileSecure(outputPath, JSON.stringify(envelope, null, 2));
+  return { outputPath };
+}
+function decryptFileArtifact(inputPath, outputPath, rootKey) {
+  const envelope = JSON.parse(readFileSync(inputPath, "utf8"));
+  if (envelope.kind !== "file" || envelope.version !== 1) {
+    throw new Error(`Unsupported file artifact: ${inputPath}`);
+  }
+  const fileKey = decryptWithKey(envelope.wrappedKey, rootKey, "autho:file:dek");
+  const content = decryptWithKey(envelope.payload, fileKey, `autho:file:${envelope.originalName}`);
+  writeBinaryFileSecure(outputPath, content);
+  return { outputPath };
+}
+function encryptFolderArtifact(inputPath, outputPath, rootKey) {
+  const folderKey = randomBytes2(32);
+  const files = walkFiles(inputPath);
+  const rootName = basename(inputPath);
+  const envelope = {
+    entries: files.map((filePath) => {
+      const relativePath = normalizeRelativePath(relative(inputPath, filePath));
+      return {
+        path: relativePath,
+        payload: encryptWithKey(readFileSync(filePath), folderKey, `autho:folder:${relativePath}`)
+      };
+    }),
+    kind: "folder",
+    rootName,
+    version: 1,
+    wrappedKey: encryptWithKey(folderKey, rootKey, `autho:folder:dek:${rootName}`)
+  };
+  writeTextFileSecure(outputPath, JSON.stringify(envelope, null, 2));
+  return {
+    fileCount: envelope.entries.length,
+    outputPath
+  };
+}
+function decryptFolderArtifact(inputPath, outputPath, rootKey) {
+  const envelope = JSON.parse(readFileSync(inputPath, "utf8"));
+  if (envelope.kind !== "folder" || envelope.version !== 1) {
+    throw new Error(`Unsupported folder artifact: ${inputPath}`);
+  }
+  const folderKey = decryptWithKey(envelope.wrappedKey, rootKey, `autho:folder:dek:${envelope.rootName}`);
+  const resolvedOutput = resolve2(outputPath);
+  ensurePrivateDir(outputPath);
+  for (const entry of envelope.entries) {
+    const destination = join2(outputPath, entry.path);
+    const resolvedDest = resolve2(destination);
+    if (!resolvedDest.startsWith(resolvedOutput + sep) && resolvedDest !== resolvedOutput) {
+      throw new Error(`Path traversal detected in folder artifact: ${entry.path}`);
+    }
+    ensurePrivateParent(destination);
+    const content = decryptWithKey(entry.payload, folderKey, `autho:folder:${entry.path}`);
+    writeBinaryFileSecure(destination, content);
+  }
+  return {
+    fileCount: envelope.entries.length,
+    outputPath
+  };
+}
+function assertPathIsDirectory(path) {
+  if (!statSync(path).isDirectory()) {
+    throw new Error(`Expected directory: ${path}`);
+  }
+}
+function assertPathIsFile(path) {
+  if (!statSync(path).isFile()) {
+    throw new Error(`Expected file: ${path}`);
+  }
+}
+
+// packages/core/src/index.ts
+function requireValue(value, label) {
+  if (!value) {
+    throw new Error(`Missing required option: ${label}`);
+  }
+  return value;
+}
+function decodeBase32(input) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const normalized = input.toUpperCase().replace(/=+$/g, "").replace(/\s+/g, "");
+  let bits = 0;
+  let value = 0;
+  const output = [];
+  for (const char of normalized) {
+    const index = alphabet.indexOf(char);
+    if (index === -1) {
+      throw new Error("OTP secret must be valid base32");
+    }
+    value = value << 5 | index;
+    bits += 5;
+    if (bits >= 8) {
+      output.push(value >>> bits - 8 & 255);
+      bits -= 8;
+    }
+  }
+  return Uint8Array.from(output);
+}
+function generateTotp(secret, options, now = Date.now()) {
+  const algorithm = (options?.algorithm ?? "sha1").toLowerCase();
+  const digits = options?.digits ?? 6;
+  const key = decodeBase32(secret);
+  const counter = Math.floor(now / 30000);
+  const message = Buffer.alloc(8);
+  let cursor = counter;
+  for (let index = 7;index >= 0; index -= 1) {
+    message[index] = cursor & 255;
+    cursor >>= 8;
+  }
+  const hash = createHmac(algorithm, Buffer.from(key)).update(message).digest();
+  const offset = hash[hash.length - 1] & 15;
+  const binary = (hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255;
+  const mod = 10 ** digits;
+  const code = String(binary % mod).padStart(digits, "0");
+  const expiresAt = new Date((counter + 1) * 30000).toISOString();
+  return { code, expiresAt };
+}
+function normalizeSecretType(type) {
+  if (type === "password" || type === "note" || type === "otp") {
+    return type;
+  }
+  throw new Error(`Unsupported secret type: ${type}`);
+}
+function parseProjectMappings(projectFile) {
+  const raw = JSON.parse(readFileSync2(projectFile, "utf8"));
+  return Object.entries(raw.env ?? {}).map(([envName, secretRef]) => ({
+    envName,
+    secretRef
+  }));
+}
+function parseLease(row) {
+  return {
+    createdAt: row.createdAt,
+    expiresAt: row.expiresAt,
+    id: row.id,
+    name: row.name,
+    revokedAt: row.revokedAt,
+    secretRefs: JSON.parse(row.secretRefs)
+  };
+}
+function toAuditEvent(row) {
+  return {
+    createdAt: row.createdAt,
+    eventType: row.eventType,
+    id: row.id,
+    message: row.message,
+    metadata: JSON.parse(row.metadata),
+    subjectRef: row.subjectRef,
+    subjectType: row.subjectType
+  };
+}
+function normalizeMetadata(input) {
+  return Object.fromEntries(Object.entries(input ?? {}).filter(([, value]) => value !== undefined && value !== null && value !== ""));
+}
+function parseLegacySecret(secret) {
+  const type = normalizeSecretType(requireValue(secret.type, "legacy.type"));
+  const name = requireValue(secret.name, "legacy.name");
+  const value = requireValue(secret.secret ?? secret.value, "legacy.secret");
+  if (type === "password") {
+    return {
+      metadata: normalizeMetadata({
+        description: secret.description,
+        url: secret.url
+      }),
+      name,
+      type,
+      username: secret.username,
+      value
+    };
+  }
+  if (type === "otp") {
+    return {
+      metadata: normalizeMetadata({
+        algorithm: secret.algorithm ?? "SHA1",
+        description: secret.description,
+        digits: secret.digits ?? 6
+      }),
+      name,
+      type,
+      username: secret.username,
+      value
+    };
+  }
+  return {
+    metadata: normalizeMetadata({
+      description: secret.description
+    }),
+    name,
+    type,
+    value
+  };
+}
+function quoteEnvValue(value) {
+  return JSON.stringify(value);
+}
+function summarizeCommand(cmd) {
+  return {
+    argCount: Math.max(0, cmd.length - 1),
+    executable: basename2(cmd[0] ?? "unknown")
+  };
+}
+function projectMappingsForStatus(projectFile) {
+  if (!projectFile || !existsSync2(projectFile)) {
+    return {
+      mappings: [],
+      path: projectFile ?? null
+    };
+  }
+  return {
+    mappings: parseProjectMappings(projectFile).map((mapping) => mapping.envName),
+    path: projectFile
+  };
+}
+function resolveMappings(options) {
+  const fromMaps = (options.maps ?? []).map((mapping) => {
+    const splitIndex = mapping.indexOf("=");
+    if (splitIndex === -1) {
+      throw new Error(`Invalid env mapping: ${mapping}`);
+    }
+    return {
+      envName: mapping.slice(0, splitIndex),
+      secretRef: mapping.slice(splitIndex + 1)
+    };
+  });
+  if (options.projectFile) {
+    if (!existsSync2(options.projectFile)) {
+      throw new Error(`Project mapping file not found: ${options.projectFile}`);
+    }
+    return [...parseProjectMappings(options.projectFile), ...fromMaps];
+  }
+  return fromMaps;
+}
+function writeProjectConfig(input) {
+  if (input.mappings.length === 0) {
+    throw new Error("Provide at least one env mapping");
+  }
+  if (!input.force && existsSync2(input.outputPath)) {
+    throw new Error(`Project config already exists: ${input.outputPath}`);
+  }
+  const env = Object.fromEntries(input.mappings.map((mapping) => [mapping.envName, mapping.secretRef]));
+  writeTextFileSecure(input.outputPath, JSON.stringify({
+    env,
+    generatedAt: new Date().toISOString(),
+    version: 1
+  }, null, 2) + `
+`);
+  return {
+    mappingCount: input.mappings.length,
+    outputPath: input.outputPath
+  };
+}
+
+class VaultService {
+  static initialize(vaultPath, password) {
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      if (db.getVaultConfig()) {
+        throw new Error(`Vault already initialized at ${vaultPath}`);
+      }
+      const { config } = createVaultConfig(password);
+      db.setVaultConfig(config);
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "vault.initialized",
+        id: randomId(),
+        message: "Vault initialized",
+        metadata: JSON.stringify({ version: config.version }),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+      return { vaultPath };
+    } finally {
+      db.close();
+    }
+  }
+  static status(vaultPath, options) {
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const config = db.getVaultConfig();
+      const project = projectMappingsForStatus(options?.projectFile);
+      if (!config) {
+        return {
+          activeLeaseCount: 0,
+          auditEventCount: 0,
+          initialized: false,
+          projectFile: project.path,
+          projectMappings: project.mappings,
+          secretCount: 0,
+          unlocked: false,
+          vaultPath
+        };
+      }
+      if (!options?.password) {
+        return {
+          activeLeaseCount: 0,
+          auditEventCount: 0,
+          initialized: true,
+          projectFile: project.path,
+          projectMappings: project.mappings,
+          secretCount: 0,
+          unlocked: false,
+          vaultPath
+        };
+      }
+      const rootKey = unlockRootKey(options.password, config);
+      const session = new VaultSession(db, rootKey);
+      return session.status(vaultPath, project.path, project.mappings);
+    } finally {
+      db.close();
+    }
+  }
+  static unlock(vaultPath, password) {
+    const db = new AuthoDatabase(vaultPath);
+    const config = db.getVaultConfig();
+    if (!config) {
+      db.close();
+      throw new Error(`Vault is not initialized at ${vaultPath}`);
+    }
+    try {
+      const rootKey = unlockRootKey(password, config);
+      return new VaultSession(db, rootKey);
+    } catch (error) {
+      db.close();
+      throw new Error("Invalid vault password", { cause: error });
+    }
+  }
+}
+
+class VaultSession {
+  db;
+  rootKey;
+  constructor(db, rootKey) {
+    this.db = db;
+    this.rootKey = rootKey;
+  }
+  close() {
+    this.db.close();
+  }
+  status(vaultPath, projectFile, projectMappings = []) {
+    return {
+      activeLeaseCount: this.db.countActiveLeases(new Date().toISOString()),
+      auditEventCount: this.db.countAuditEvents(),
+      initialized: true,
+      projectFile: projectFile ?? null,
+      projectMappings,
+      secretCount: this.db.countSecrets(),
+      unlocked: true,
+      vaultPath
+    };
+  }
+  audit(eventType, subjectType, subjectRef, message, metadata) {
+    this.db.insertAudit({
+      createdAt: new Date().toISOString(),
+      eventType,
+      id: randomId(),
+      message,
+      metadata: JSON.stringify(metadata),
+      subjectRef,
+      subjectType
+    });
+  }
+  unwrapSecret(row) {
+    const wrappedKey = JSON.parse(row.wrappedKey);
+    const payload = JSON.parse(row.payload);
+    const dek = decryptWithKey(wrappedKey, this.rootKey, `autho:secret:${row.id}:dek`);
+    const secret = JSON.parse(decryptWithKey(payload, dek, `autho:secret:${row.id}:payload`).toString("utf8"));
+    return {
+      createdAt: row.createdAt,
+      id: row.id,
+      metadata: normalizeMetadata(secret.metadata),
+      name: row.name,
+      type: normalizeSecretType(row.type),
+      updatedAt: row.updatedAt,
+      username: secret.username,
+      value: secret.value
+    };
+  }
+  getSecretOrThrow(ref) {
+    const row = this.db.findSecret(ref);
+    if (!row) {
+      throw new Error(`Secret not found: ${ref}`);
+    }
+    return this.unwrapSecret(row);
+  }
+  getLeaseOrThrow(id) {
+    const row = this.db.findLease(id);
+    if (!row) {
+      throw new Error(`Lease not found: ${id}`);
+    }
+    return parseLease(row);
+  }
+  assertLeaseAllows(leaseId, secretRef) {
+    if (!leaseId) {
+      return;
+    }
+    const lease = this.getLeaseOrThrow(leaseId);
+    if (lease.revokedAt) {
+      throw new Error(`Lease revoked: ${lease.id}`);
+    }
+    if (Date.parse(lease.expiresAt) <= Date.now()) {
+      throw new Error(`Lease expired: ${lease.id}`);
+    }
+    const secret = this.getSecretOrThrow(secretRef);
+    if (!lease.secretRefs.includes(secret.id) && !lease.secretRefs.includes(secret.name)) {
+      throw new Error(`Lease ${lease.id} does not allow secret ${secretRef}`);
+    }
+  }
+  addSecret(input) {
+    requireValue(input.name, "--name");
+    requireValue(input.value, "--value");
+    const type = normalizeSecretType(input.type);
+    if (this.db.findSecret(input.name)) {
+      throw new Error(`Secret already exists: ${input.name}`);
+    }
+    const now = new Date().toISOString();
+    const id = randomId();
+    const dek = randomBytes3(32);
+    const payload = encryptWithKey(JSON.stringify({
+      metadata: normalizeMetadata(input.metadata),
+      username: input.username ?? null,
+      value: input.value
+    }), dek, `autho:secret:${id}:payload`);
+    const wrappedKey = encryptWithKey(dek, this.rootKey, `autho:secret:${id}:dek`);
+    this.db.insertSecret({
+      createdAt: now,
+      id,
+      name: input.name,
+      payload: JSON.stringify(payload),
+      type,
+      updatedAt: now,
+      wrappedKey: JSON.stringify(wrappedKey)
+    });
+    this.audit("secret.created", "secret", id, "Secret created", {
+      metadataKeyCount: Object.keys(normalizeMetadata(input.metadata)).length,
+      type
+    });
+    return {
+      createdAt: now,
+      id,
+      name: input.name,
+      type,
+      updatedAt: now
+    };
+  }
+  importLegacyFile(filePath, options) {
+    const raw = JSON.parse(readFileSync2(filePath, "utf8"));
+    let imported = 0;
+    let skipped = 0;
+    for (const entry of raw) {
+      if (!entry) {
+        continue;
+      }
+      const parsed = parseLegacySecret(entry);
+      if (this.db.findSecret(parsed.name)) {
+        if (options?.skipExisting ?? true) {
+          skipped += 1;
+          continue;
+        }
+        throw new Error(`Secret already exists: ${parsed.name}`);
+      }
+      this.addSecret(parsed);
+      imported += 1;
+    }
+    this.audit("import.legacy", "vault", null, "Legacy backup imported", {
+      imported,
+      skipped
+    });
+    return { imported, skipped };
+  }
+  listSecrets() {
+    return this.db.listSecrets().map((row) => ({
+      createdAt: row.createdAt,
+      id: row.id,
+      name: row.name,
+      type: normalizeSecretType(row.type),
+      updatedAt: row.updatedAt
+    }));
+  }
+  getSecret(ref) {
+    const secret = this.getSecretOrThrow(ref);
+    this.audit("secret.read", "secret", secret.id, "Secret read", {
+      metadataKeyCount: Object.keys(secret.metadata).length,
+      type: secret.type
+    });
+    return secret;
+  }
+  removeSecret(ref) {
+    const secret = this.getSecretOrThrow(ref);
+    this.db.deleteSecret(secret.id);
+    this.audit("secret.deleted", "secret", secret.id, "Secret deleted", {
+      type: secret.type
+    });
+    return { id: secret.id, name: secret.name };
+  }
+  generateOtp(ref) {
+    const secret = this.getSecretOrThrow(ref);
+    if (secret.type !== "otp") {
+      throw new Error(`Secret is not an OTP secret: ${ref}`);
+    }
+    const result = generateTotp(secret.value, {
+      algorithm: secret.metadata.algorithm,
+      digits: secret.metadata.digits
+    });
+    this.audit("otp.generated", "secret", secret.id, "OTP code generated", {
+      expiresAt: result.expiresAt
+    });
+    return {
+      code: result.code,
+      expiresAt: result.expiresAt,
+      secret: secret.name
+    };
+  }
+  createLease(input) {
+    if (input.secretRefs.length === 0) {
+      throw new Error("Lease requires at least one --secret");
+    }
+    if (input.ttlSeconds <= 0) {
+      throw new Error("Lease ttl must be greater than zero");
+    }
+    const resolved = input.secretRefs.map((ref) => this.getSecretOrThrow(ref));
+    const now = new Date().toISOString();
+    const expiresAt = new Date(Date.now() + input.ttlSeconds * 1000).toISOString();
+    const lease = {
+      createdAt: now,
+      expiresAt,
+      id: randomId(),
+      name: input.name || "session",
+      revokedAt: null,
+      secretRefs: resolved.map((secret) => secret.id)
+    };
+    this.db.insertLease({
+      createdAt: lease.createdAt,
+      expiresAt: lease.expiresAt,
+      id: lease.id,
+      name: lease.name,
+      revokedAt: lease.revokedAt,
+      secretRefs: JSON.stringify(lease.secretRefs)
+    });
+    this.audit("lease.created", "lease", lease.id, "Lease created", {
+      expiresAt,
+      secretCount: lease.secretRefs.length
+    });
+    return lease;
+  }
+  revokeLease(id) {
+    const lease = this.getLeaseOrThrow(id);
+    const revokedAt = new Date().toISOString();
+    this.db.revokeLease(id, revokedAt);
+    this.audit("lease.revoked", "lease", id, "Lease revoked", {
+      id
+    });
+    return {
+      ...lease,
+      revokedAt
+    };
+  }
+  buildEnv(mappings, leaseId) {
+    if (mappings.length === 0) {
+      throw new Error("Provide at least one env mapping");
+    }
+    const output = {};
+    for (const mapping of mappings) {
+      this.assertLeaseAllows(leaseId, mapping.secretRef);
+      const secret = this.getSecretOrThrow(mapping.secretRef);
+      output[mapping.envName] = secret.value;
+    }
+    return output;
+  }
+  renderEnv(mappings, leaseId) {
+    const env = this.buildEnv(mappings, leaseId);
+    this.audit("env.rendered", "lease", leaseId ?? null, "Environment rendered", {
+      leaseId: leaseId ?? null,
+      varCount: Object.keys(env).length
+    });
+    return env;
+  }
+  syncEnvFile(input) {
+    const env = this.buildEnv(input.mappings, input.leaseId);
+    if (!input.force && existsSync2(input.outputPath)) {
+      throw new Error(`Env file already exists: ${input.outputPath}`);
+    }
+    const createdAt = new Date().toISOString();
+    const expiresAt = input.ttlSeconds ? new Date(Date.now() + input.ttlSeconds * 1000).toISOString() : null;
+    const lines = [
+      "# autho-generated=true",
+      `# autho-created-at=${createdAt}`,
+      `# autho-expires-at=${expiresAt ?? ""}`,
+      ...Object.entries(env).map(([key, value]) => `${key}=${quoteEnvValue(value)}`),
+      ""
+    ];
+    writeTextFileSecure(input.outputPath, lines.join(`
+`));
+    this.audit("env.synced", "lease", input.leaseId ?? null, "Environment file written", {
+      expiresAt,
+      leaseId: input.leaseId ?? null,
+      varCount: Object.keys(env).length
+    });
+    return {
+      expiresAt,
+      outputPath: input.outputPath,
+      varCount: Object.keys(env).length
+    };
+  }
+  runExec(input) {
+    if (input.cmd.length === 0) {
+      throw new Error("Missing command after --");
+    }
+    const injectedEnv = this.buildEnv(input.mappings, input.leaseId);
+    const result = spawnSync(input.cmd[0], input.cmd.slice(1), {
+      env: {
+        ...process.env,
+        ...injectedEnv
+      },
+      stdio: "pipe"
+    });
+    this.audit("exec.run", "lease", input.leaseId ?? null, "Injected command executed", {
+      ...summarizeCommand(input.cmd),
+      envCount: Object.keys(injectedEnv).length,
+      exitCode: result.status ?? 1,
+      leaseId: input.leaseId ?? null
+    });
+    return {
+      exitCode: result.status ?? 1,
+      stderr: (result.stderr ?? Buffer.from("")).toString("utf8"),
+      stdout: (result.stdout ?? Buffer.from("")).toString("utf8")
+    };
+  }
+  encryptFile(inputPath, outputPath, options) {
+    assertPathIsFile(inputPath);
+    const resolvedOutput = outputPath ?? defaultEncryptedFilePath(inputPath);
+    if (!options?.force && existsSync2(resolvedOutput)) {
+      throw new Error(`Output file already exists: ${resolvedOutput}`);
+    }
+    const result = encryptFileArtifact(inputPath, resolvedOutput, this.rootKey);
+    this.audit("file.encrypted", "artifact", null, "File encrypted", {
+      kind: "file"
+    });
+    return result;
+  }
+  decryptFile(inputPath, outputPath, options) {
+    assertPathIsFile(inputPath);
+    const resolvedOutput = outputPath ?? defaultDecryptedFilePath(inputPath);
+    if (!options?.force && existsSync2(resolvedOutput)) {
+      throw new Error(`Output file already exists: ${resolvedOutput}`);
+    }
+    const result = decryptFileArtifact(inputPath, resolvedOutput, this.rootKey);
+    this.audit("file.decrypted", "artifact", null, "File decrypted", {
+      kind: "file"
+    });
+    return result;
+  }
+  encryptFolder(inputPath, outputPath, options) {
+    assertPathIsDirectory(inputPath);
+    const resolvedOutput = outputPath ?? defaultEncryptedFolderPath(inputPath);
+    if (!options?.force && existsSync2(resolvedOutput)) {
+      throw new Error(`Output file already exists: ${resolvedOutput}`);
+    }
+    const result = encryptFolderArtifact(inputPath, resolvedOutput, this.rootKey);
+    this.audit("folder.encrypted", "artifact", null, "Folder encrypted", {
+      fileCount: result.fileCount,
+      kind: "folder"
+    });
+    return result;
+  }
+  decryptFolder(inputPath, outputPath, options) {
+    assertPathIsFile(inputPath);
+    const resolvedOutput = outputPath ?? defaultDecryptedFolderPath(inputPath);
+    if (!options?.force && existsSync2(resolvedOutput)) {
+      throw new Error(`Output path already exists: ${resolvedOutput}`);
+    }
+    const result = decryptFolderArtifact(inputPath, resolvedOutput, this.rootKey);
+    this.audit("folder.decrypted", "artifact", null, "Folder decrypted", {
+      fileCount: result.fileCount,
+      kind: "folder"
+    });
+    return result;
+  }
+  listAudit(limit = 50) {
+    return this.db.listAudit(limit).map(toAuditEvent);
+  }
+}
+
+// packages/core/src/daemon.ts
+var DAEMON_TOKEN_SERVICE = "autho.daemon";
+function daemonTokenName(statePath) {
+  return createHash("sha256").update(statePath).digest("hex");
+}
+async function storeDaemonToken(statePath, token) {
+  const tokenName = daemonTokenName(statePath);
+  if (process.env.AUTHO_DISABLE_OS_SECRETS !== "1") {
+    try {
+      await Bun.secrets.set({
+        name: tokenName,
+        service: DAEMON_TOKEN_SERVICE,
+        value: token
+      });
+      return {
+        token: null,
+        tokenName,
+        tokenStorage: "os"
+      };
+    } catch {}
+  }
+  return {
+    token,
+    tokenName: null,
+    tokenStorage: "file"
+  };
+}
+async function resolveDaemonToken(state) {
+  if (state.tokenStorage === "os") {
+    if (!state.tokenName) {
+      throw new Error("Daemon state is missing tokenName for OS secret storage");
+    }
+    const token = await Bun.secrets.get({
+      name: state.tokenName,
+      service: DAEMON_TOKEN_SERVICE
+    });
+    if (!token) {
+      throw new Error("Daemon token not found in OS secret storage");
+    }
+    return token;
+  }
+  if (!state.token) {
+    throw new Error("Daemon state is missing token");
+  }
+  return state.token;
+}
+async function deleteStoredDaemonToken(state) {
+  if (!state || state.tokenStorage !== "os" || !state.tokenName) {
+    return;
+  }
+  try {
+    await Bun.secrets.delete({
+      name: state.tokenName,
+      service: DAEMON_TOKEN_SERVICE
+    });
+  } catch {}
+}
+function readDaemonState(statePath) {
+  if (!existsSync3(statePath)) {
+    return null;
+  }
+  const stored = JSON.parse(readFileSync3(statePath, "utf8"));
+  return {
+    pid: stored.pid,
+    port: stored.port,
+    startedAt: stored.startedAt,
+    token: stored.token ?? null,
+    tokenName: stored.tokenName ?? null,
+    tokenStorage: stored.tokenStorage ?? (stored.token ? "file" : "os"),
+    vaultPath: stored.vaultPath,
+    version: stored.version
+  };
+}
+async function writeDaemonState(statePath, state) {
+  const tokenState = await storeDaemonToken(statePath, state.token);
+  writeTextFileSecure(statePath, JSON.stringify({
+    pid: state.pid,
+    port: state.port,
+    startedAt: state.startedAt,
+    token: tokenState.token ?? undefined,
+    tokenName: tokenState.tokenName ?? undefined,
+    tokenStorage: tokenState.tokenStorage,
+    vaultPath: state.vaultPath,
+    version: state.version
+  }, null, 2) + `
+`);
+}
+async function deleteDaemonState(statePath) {
+  const state = readDaemonState(statePath);
+  await deleteStoredDaemonToken(state);
+  if (existsSync3(statePath)) {
+    rmSync(statePath, { force: true });
+  }
+}
+function openSessionFromRootKey(rootKey, vaultPath) {
+  return new VaultSession(new AuthoDatabase(vaultPath), rootKey);
+}
+function unlockVaultRootKey(vaultPath, password) {
+  const db = new AuthoDatabase(vaultPath);
+  try {
+    const config = db.getVaultConfig();
+    if (!config) {
+      throw new Error(`Vault is not initialized at ${vaultPath}`);
+    }
+    return unlockRootKey(password, config);
+  } finally {
+    db.close();
+  }
+}
+async function readJson(request) {
+  return await request.json();
+}
+function json(data, status = 200) {
+  return new Response(JSON.stringify(data, null, 2), {
+    headers: {
+      "content-type": "application/json; charset=utf-8"
+    },
+    status
+  });
+}
+function unauthorized() {
+  return json({ error: "Unauthorized daemon request" }, 401);
+}
+function getBearerToken(request) {
+  const header = request.headers.get("authorization");
+  if (!header?.startsWith("Bearer ")) {
+    return null;
+  }
+  return header.slice("Bearer ".length);
+}
+async function startDaemonServer(options) {
+  const sessions = new Map;
+  const startedAt = new Date().toISOString();
+  const token = randomId(24);
+  const cleanupExpiredSessions = () => {
+    const now = Date.now();
+    for (const [id, session] of sessions.entries()) {
+      if (Date.parse(session.expiresAt) <= now) {
+        sessions.delete(id);
+      }
+    }
+  };
+  let server = null;
+  const shutdown = () => {
+    deleteDaemonState(options.statePath).then(() => {
+      server?.stop(true);
+      process.exit(0);
+    });
+  };
+  const auth = (request) => {
+    const provided = getBearerToken(request);
+    if (!provided || provided.length !== token.length || !timingSafeEqual(Buffer.from(provided), Buffer.from(token))) {
+      return unauthorized();
+    }
+    return null;
+  };
+  server = Bun.serve({
+    async fetch(request) {
+      cleanupExpiredSessions();
+      const url = new URL(request.url);
+      if (request.method === "GET" && url.pathname === "/health") {
+        return json({
+          ok: true,
+          running: true,
+          startedAt
+        });
+      }
+      const authResponse = auth(request);
+      if (authResponse) {
+        return authResponse;
+      }
+      try {
+        if (request.method === "POST" && url.pathname === "/status") {
+          const db = new AuthoDatabase(options.vaultPath);
+          try {
+            const config = db.getVaultConfig();
+            const status = {
+              activeLeaseCount: db.countActiveLeases(new Date().toISOString()),
+              auditEventCount: db.countAuditEvents(),
+              initialized: config !== null,
+              projectFile: null,
+              projectMappings: [],
+              secretCount: db.countSecrets(),
+              unlocked: sessions.size > 0,
+              vaultPath: options.vaultPath
+            };
+            return json({
+              activeSessions: sessions.size,
+              daemonStartedAt: startedAt,
+              status
+            });
+          } finally {
+            db.close();
+          }
+        }
+        if (request.method === "POST" && url.pathname === "/unlock") {
+          const body = await readJson(request);
+          const ttlSeconds = body.ttlSeconds ?? 900;
+          if (ttlSeconds <= 0 || ttlSeconds > 86400) {
+            return json({ error: "Unlock ttl must be between 1 and 86400 seconds" }, 400);
+          }
+          const rootKey = unlockVaultRootKey(options.vaultPath, body.password);
+          const sessionId = randomId();
+          const expiresAt = new Date(Date.now() + ttlSeconds * 1000).toISOString();
+          sessions.set(sessionId, {
+            expiresAt,
+            id: sessionId,
+            rootKey,
+            vaultPath: options.vaultPath
+          });
+          return json({
+            expiresAt,
+            sessionId
+          });
+        }
+        if (request.method === "POST" && url.pathname === "/lock") {
+          const body = await readJson(request);
+          sessions.delete(body.sessionId);
+          return json({ locked: true, sessionId: body.sessionId });
+        }
+        if (request.method === "POST" && url.pathname === "/env/render") {
+          const body = await readJson(request);
+          const session = sessions.get(body.sessionId);
+          if (!session) {
+            return json({ error: `Unknown daemon session: ${body.sessionId}` }, 404);
+          }
+          const vaultSession = openSessionFromRootKey(session.rootKey, session.vaultPath);
+          try {
+            return json(vaultSession.renderEnv(body.mappings, body.leaseId));
+          } finally {
+            vaultSession.close();
+          }
+        }
+        if (request.method === "POST" && url.pathname === "/exec") {
+          const body = await readJson(request);
+          const session = sessions.get(body.sessionId);
+          if (!session) {
+            return json({ error: `Unknown daemon session: ${body.sessionId}` }, 404);
+          }
+          const vaultSession = openSessionFromRootKey(session.rootKey, session.vaultPath);
+          try {
+            return json(vaultSession.runExec(body));
+          } finally {
+            vaultSession.close();
+          }
+        }
+        if (request.method === "POST" && url.pathname === "/shutdown") {
+          shutdown();
+          return json({ ok: true, stopped: true });
+        }
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return json({ error: message }, 400);
+      }
+      return json({ error: "Not found" }, 404);
+    },
+    hostname: options.host,
+    port: options.port
+  });
+  await writeDaemonState(options.statePath, {
+    pid: process.pid,
+    port: server.port,
+    startedAt,
+    token,
+    vaultPath: options.vaultPath,
+    version: 1
+  });
+  const onSignal = () => {
+    shutdown();
+    process.exit(0);
+  };
+  process.on("SIGINT", onSignal);
+  process.on("SIGTERM", onSignal);
+  await new Promise(() => {});
+}
+async function waitForDaemonStateDeletion(statePath) {
+  for (let attempt = 0;attempt < 20; attempt += 1) {
+    if (!existsSync3(statePath)) {
+      return true;
+    }
+    await Bun.sleep(25);
+  }
+  return !existsSync3(statePath);
+}
+async function daemonRequest(state, path, body) {
+  const token = await resolveDaemonToken(state);
+  const response = await fetch(`http://127.0.0.1:${state.port}${path}`, {
+    body: JSON.stringify(body ?? {}),
+    headers: {
+      authorization: `Bearer ${token}`,
+      "content-type": "application/json"
+    },
+    method: "POST"
+  });
+  const data = await response.json();
+  if (!response.ok) {
+    throw new Error(data.error ?? `Daemon request failed: ${response.status}`);
+  }
+  return data;
+}
+async function daemonStatus(options) {
+  const state = readDaemonState(options.statePath);
+  if (!state) {
+    throw new Error(`Daemon state not found: ${options.statePath}`);
+  }
+  return daemonRequest(state, "/status", {});
+}
+async function daemonUnlock(options) {
+  const state = readDaemonState(options.statePath);
+  if (!state) {
+    throw new Error(`Daemon state not found: ${options.statePath}`);
+  }
+  return daemonRequest(state, "/unlock", {
+    password: options.password,
+    ttlSeconds: options.ttlSeconds
+  });
+}
+async function daemonLock(options) {
+  const state = readDaemonState(options.statePath);
+  if (!state) {
+    throw new Error(`Daemon state not found: ${options.statePath}`);
+  }
+  return daemonRequest(state, "/lock", { sessionId: options.sessionId });
+}
+async function daemonRenderEnv(options) {
+  const state = readDaemonState(options.statePath);
+  if (!state) {
+    throw new Error(`Daemon state not found: ${options.statePath}`);
+  }
+  return daemonRequest(state, "/env/render", options);
+}
+async function daemonExec(options) {
+  const state = readDaemonState(options.statePath);
+  if (!state) {
+    throw new Error(`Daemon state not found: ${options.statePath}`);
+  }
+  return daemonRequest(state, "/exec", options);
+}
+async function daemonStop(options) {
+  const state = readDaemonState(options.statePath);
+  if (!state) {
+    throw new Error(`Daemon state not found: ${options.statePath}`);
+  }
+  try {
+    const result = await daemonRequest(state, "/shutdown", {});
+    await waitForDaemonStateDeletion(options.statePath);
+    return result;
+  } catch (error) {
+    if (await waitForDaemonStateDeletion(options.statePath)) {
+      return { ok: true, stopped: true };
+    }
+    throw error;
+  }
+}
+
+// apps/cli/src/index.ts
+function parseArgs(argv) {
+  const dashDashIndex = argv.indexOf("--");
+  const main = dashDashIndex === -1 ? argv : argv.slice(0, dashDashIndex);
+  const passthrough = dashDashIndex === -1 ? [] : argv.slice(dashDashIndex + 1);
+  const positionals = [];
+  const options = {};
+  for (let index = 0;index < main.length; index += 1) {
+    const token = main[index];
+    if (!token.startsWith("--")) {
+      positionals.push(token);
+      continue;
+    }
+    const key = token.slice(2);
+    const next = main[index + 1];
+    if (!next || next.startsWith("--")) {
+      options[key] = true;
+      continue;
+    }
+    const current = options[key];
+    if (current === undefined) {
+      options[key] = next;
+    } else if (Array.isArray(current)) {
+      current.push(next);
+    } else {
+      options[key] = [current, next];
+    }
+    index += 1;
+  }
+  return { options, passthrough, positionals };
+}
+function getString(args, key) {
+  const value = args.options[key];
+  return typeof value === "string" ? value : undefined;
+}
+function getStrings(args, key) {
+  const value = args.options[key];
+  if (Array.isArray(value)) {
+    return value.filter((entry) => typeof entry === "string");
+  }
+  if (typeof value === "string") {
+    return [value];
+  }
+  return [];
+}
+function getBoolean(args, key) {
+  return args.options[key] === true;
+}
+function required(value, label) {
+  if (!value) {
+    throw new Error(`Missing required option: ${label}`);
+  }
+  return value;
+}
+function requirePositiveInt(value, label) {
+  const num = Number(value);
+  if (!Number.isFinite(num) || num <= 0 || Math.floor(num) !== num) {
+    throw new Error(`${label} must be a positive integer`);
+  }
+  return num;
+}
+function output(value, jsonMode = false) {
+  if (jsonMode) {
+    console.log(JSON.stringify(value, null, 2));
+    return;
+  }
+  if (Array.isArray(value)) {
+    console.table(value);
+    return;
+  }
+  if (typeof value === "object" && value !== null) {
+    console.log(JSON.stringify(value, null, 2));
+    return;
+  }
+  console.log(value);
+}
+function absolutePath(path) {
+  return resolve3(path);
+}
+function buildSecretMetadata(args) {
+  return Object.fromEntries(Object.entries({
+    algorithm: getString(args, "algorithm"),
+    description: getString(args, "description"),
+    digits: getString(args, "digits") ? Number(getString(args, "digits")) : undefined,
+    url: getString(args, "url")
+  }).filter(([, value]) => value !== undefined));
+}
+async function readBufferedStdin() {
+  process.stdin.setEncoding("utf8");
+  let input = "";
+  for await (const chunk of process.stdin) {
+    input += chunk;
+  }
+  return input.split(/\r?\n/);
+}
+async function createPromptAdapter() {
+  if (process.stdin.isTTY) {
+    const rl = createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    return {
+      ask: async (prompt) => (await rl.question(prompt)).trim(),
+      close: () => rl.close()
+    };
+  }
+  const answers = await readBufferedStdin();
+  let index = 0;
+  return {
+    ask: async (prompt) => {
+      process.stdout.write(prompt);
+      const value = answers[index] ?? "";
+      index += 1;
+      return value.trim();
+    },
+    close: () => {
+      return;
+    }
+  };
+}
+async function askPassword(prompt, initial) {
+  if (initial) {
+    return initial;
+  }
+  return prompt.ask("Master password: ");
+}
+async function runPromptMode(vaultPath, initialPassword) {
+  const prompt = await createPromptAdapter();
+  try {
+    const password = await askPassword(prompt, initialPassword);
+    const session = VaultService.unlock(vaultPath, password);
+    try {
+      const action = (await prompt.ask("Action [create/read/list/delete/otp/exit]: ")).toLowerCase();
+      if (action === "exit") {
+        return;
+      }
+      if (action === "list") {
+        output(session.listSecrets());
+        return;
+      }
+      if (action === "read") {
+        const ref = await prompt.ask("Secret ref: ");
+        output(session.getSecret(ref));
+        return;
+      }
+      if (action === "delete") {
+        const ref = await prompt.ask("Secret ref: ");
+        output(session.removeSecret(ref));
+        return;
+      }
+      if (action === "otp") {
+        const ref = await prompt.ask("OTP ref: ");
+        output(session.generateOtp(ref));
+        return;
+      }
+      if (action === "create") {
+        const name = await prompt.ask("Name: ");
+        const type = (await prompt.ask("Type [password/note/otp]: ")).toLowerCase();
+        const value = await prompt.ask("Value: ");
+        const username = type !== "note" ? await prompt.ask("Username (optional): ") : "";
+        const url = type === "password" ? await prompt.ask("URL (optional): ") : "";
+        const description = await prompt.ask("Description (optional): ");
+        const digits = type === "otp" ? await prompt.ask("Digits [6]: ") : "";
+        const algorithm = type === "otp" ? await prompt.ask("Algorithm [SHA1]: ") : "";
+        output(session.addSecret({
+          metadata: Object.fromEntries(Object.entries({
+            algorithm: algorithm || undefined,
+            description: description || undefined,
+            digits: digits ? Number(digits) : undefined,
+            url: url || undefined
+          }).filter(([, entry]) => entry !== undefined)),
+          name,
+          type,
+          username: username || undefined,
+          value
+        }));
+        return;
+      }
+      throw new Error(`Unknown prompt action: ${action}`);
+    } finally {
+      session.close();
+    }
+  } finally {
+    prompt.close();
+  }
+}
+async function runWebServer(vaultPath, args) {
+  const commandArgs = [
+    "run",
+    absolutePath("./apps/web/src/index.ts"),
+    "serve",
+    "--vault",
+    absolutePath(vaultPath)
+  ];
+  const host = getString(args, "host");
+  const port = getString(args, "port");
+  if (host) {
+    commandArgs.push("--host", host);
+  }
+  if (port) {
+    commandArgs.push("--port", port);
+  }
+  await new Promise((resolvePromise, rejectPromise) => {
+    const child = spawn(process.execPath, commandArgs, {
+      cwd: process.cwd(),
+      stdio: "inherit"
+    });
+    child.on("exit", (code) => {
+      if (code === 0) {
+        resolvePromise();
+        return;
+      }
+      rejectPromise(new Error(`Web server exited with code ${code ?? 1}`));
+    });
+    child.on("error", rejectPromise);
+  });
+}
+function help() {
+  return [
+    "Autho Bun CLI",
+    "",
+    "Commands:",
+    "  prompt [--password <value>] [--vault <path>]",
+    "  init --password <value> [--vault <path>]",
+    "  status [--password <value>] [--vault <path>] [--project-file <path>] [--json]",
+    "  project init --map <ENV_NAME=secretRef> [--map <ENV_NAME=secretRef>] [--output <path>] [--force] [--json]",
+    "  web serve [--vault <path>] [--host <value>] [--port <value>]",
+    "  daemon serve [--vault <path>] [--state-file <path>] [--host <value>] [--port <value>]",
+    "  daemon status [--state-file <path>] [--json]",
+    "  daemon unlock --password <value> [--ttl <seconds>] [--state-file <path>] [--json]",
+    "  daemon lock --session <id> [--state-file <path>] [--json]",
+    "  daemon stop [--state-file <path>] [--json]",
+    "  daemon env render --session <id> --map <ENV_NAME=secretRef> [--project-file <path>] [--lease <lease-id>] [--state-file <path>] [--json]",
+    "  daemon exec --session <id> --map <ENV_NAME=secretRef> [--project-file <path>] [--lease <lease-id>] [--state-file <path>] -- <command>",
+    "  import legacy --password <value> --file <path> [--skip-existing] [--vault <path>] [--json]",
+    "  secrets add --password <value> --name <name> --type <password|note|otp> --value <value> [--username <value>] [--url <value>] [--description <value>] [--digits <value>] [--algorithm <value>] [--vault <path>]",
+    "  secrets list --password <value> [--vault <path>] [--json]",
+    "  secrets get --password <value> --ref <name-or-id> [--vault <path>] [--json]",
+    "  secrets rm --password <value> --ref <name-or-id> [--vault <path>] [--json]",
+    "  otp code --password <value> --ref <name-or-id> [--vault <path>] [--json]",
+    "  lease create --password <value> --secret <name-or-id> [--secret <name-or-id>] --ttl <seconds> [--name <value>] [--vault <path>] [--json]",
+    "  lease revoke --password <value> --lease <lease-id> [--vault <path>] [--json]",
+    "  env render --password <value> --map <ENV_NAME=secretRef> [--map <ENV_NAME=secretRef>] [--project-file <path>] [--lease <lease-id>] [--vault <path>] [--json]",
+    "  env sync --password <value> --map <ENV_NAME=secretRef> [--project-file <path>] [--lease <lease-id>] [--ttl <seconds>] [--output <path>] [--force] [--vault <path>] [--json]",
+    "  exec --password <value> --map <ENV_NAME=secretRef> [--project-file <path>] [--lease <lease-id>] [--vault <path>] -- <command>",
+    "  file encrypt --password <value> --input <path> [--output <path>] [--force] [--vault <path>] [--json]",
+    "  file decrypt --password <value> --input <path> [--output <path>] [--force] [--vault <path>] [--json]",
+    "  files encrypt --password <value> --input <path> [--output <path>] [--force] [--vault <path>] [--json]",
+    "  files decrypt --password <value> --input <path> [--output <path>] [--force] [--vault <path>] [--json]",
+    "  audit list --password <value> [--limit <number>] [--vault <path>] [--json]",
+    "",
+    "Notes:",
+    "  Running `autho` with no command enters interactive prompt mode.",
+    "  The default vault path is ~/.autho/vault.db (or AUTHO_HOME/vault.db).",
+    "  The default project file is ~/.autho/project.json when it exists (or AUTHO_HOME/project.json).",
+    "  The default daemon state file is ~/.autho/daemon.json (or AUTHO_HOME/daemon.json).",
+    "  AUTHO_MASTER_PASSWORD can be used instead of --password."
+  ].join(`
+`);
+}
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const [scope, action, subaction] = args.positionals;
+  const jsonMode = getBoolean(args, "json");
+  const vaultPath = getString(args, "vault") ?? defaultVaultPath();
+  const statePath = absolutePath(getString(args, "state-file") ?? defaultDaemonStatePath());
+  const explicitProjectFile = getString(args, "project-file");
+  const fallbackProjectFile = defaultProjectFilePath();
+  const projectFile = explicitProjectFile ?? (existsSync4(fallbackProjectFile) ? fallbackProjectFile : undefined);
+  const password = getString(args, "password") ?? process.env.AUTHO_MASTER_PASSWORD;
+  if (!scope) {
+    await runPromptMode(vaultPath, password);
+    return;
+  }
+  if (scope === "help" || scope === "--help") {
+    console.log(help());
+    return;
+  }
+  if (scope === "prompt") {
+    await runPromptMode(vaultPath, password);
+    return;
+  }
+  if (scope === "init") {
+    output(VaultService.initialize(vaultPath, required(password, "--password")), jsonMode);
+    return;
+  }
+  if (scope === "status") {
+    output(VaultService.status(vaultPath, {
+      password,
+      projectFile
+    }), jsonMode);
+    return;
+  }
+  if (scope === "project" && action === "init") {
+    output(writeProjectConfig({
+      force: getBoolean(args, "force"),
+      mappings: resolveMappings({ maps: getStrings(args, "map") }),
+      outputPath: absolutePath(getString(args, "output") ?? projectFile ?? defaultProjectFilePath())
+    }), jsonMode);
+    return;
+  }
+  if (scope === "web" && action === "serve") {
+    await runWebServer(vaultPath, args);
+    return;
+  }
+  if (scope === "daemon" && action === "serve") {
+    await startDaemonServer({
+      host: getString(args, "host") ?? "127.0.0.1",
+      port: Number(getString(args, "port") ?? "0"),
+      statePath,
+      vaultPath: absolutePath(vaultPath)
+    });
+    return;
+  }
+  if (scope === "daemon" && action === "status") {
+    output(await daemonStatus({ statePath }), jsonMode);
+    return;
+  }
+  if (scope === "daemon" && action === "unlock") {
+    output(await daemonUnlock({
+      password: required(password, "--password"),
+      statePath,
+      ttlSeconds: getString(args, "ttl") ? Number(getString(args, "ttl")) : undefined
+    }), jsonMode);
+    return;
+  }
+  if (scope === "daemon" && action === "lock") {
+    output(await daemonLock({
+      sessionId: required(getString(args, "session"), "--session"),
+      statePath
+    }), jsonMode);
+    return;
+  }
+  if (scope === "daemon" && action === "stop") {
+    output(await daemonStop({ statePath }), jsonMode);
+    return;
+  }
+  if (scope === "daemon" && action === "env" && subaction === "render") {
+    output(await daemonRenderEnv({
+      leaseId: getString(args, "lease"),
+      mappings: resolveMappings({ maps: getStrings(args, "map"), projectFile }),
+      sessionId: required(getString(args, "session"), "--session"),
+      statePath
+    }), jsonMode);
+    return;
+  }
+  if (scope === "daemon" && action === "exec") {
+    const result = await daemonExec({
+      cmd: args.passthrough,
+      leaseId: getString(args, "lease"),
+      mappings: resolveMappings({ maps: getStrings(args, "map"), projectFile }),
+      sessionId: required(getString(args, "session"), "--session"),
+      statePath
+    });
+    process.stdout.write(result.stdout);
+    process.stderr.write(result.stderr);
+    process.exit(result.exitCode);
+  }
+  const session = VaultService.unlock(vaultPath, required(password, "--password"));
+  try {
+    if (scope === "import" && action === "legacy") {
+      output(session.importLegacyFile(absolutePath(required(getString(args, "file"), "--file")), {
+        skipExisting: !getBoolean(args, "no-skip-existing")
+      }), jsonMode);
+      return;
+    }
+    if (scope === "secrets" && action === "add") {
+      output(session.addSecret({
+        metadata: buildSecretMetadata(args),
+        name: required(getString(args, "name"), "--name"),
+        type: required(getString(args, "type"), "--type"),
+        username: getString(args, "username"),
+        value: required(getString(args, "value"), "--value")
+      }), jsonMode);
+      return;
+    }
+    if (scope === "secrets" && action === "list") {
+      output(session.listSecrets(), jsonMode);
+      return;
+    }
+    if (scope === "secrets" && action === "get") {
+      const ref = getString(args, "ref") ?? getString(args, "name") ?? getString(args, "id");
+      output(session.getSecret(required(ref, "--ref")), jsonMode);
+      return;
+    }
+    if (scope === "secrets" && action === "rm") {
+      const ref = getString(args, "ref") ?? getString(args, "name") ?? getString(args, "id");
+      output(session.removeSecret(required(ref, "--ref")), jsonMode);
+      return;
+    }
+    if (scope === "otp" && action === "code") {
+      const ref = getString(args, "ref") ?? getString(args, "name") ?? getString(args, "id");
+      output(session.generateOtp(required(ref, "--ref")), jsonMode);
+      return;
+    }
+    if (scope === "lease" && action === "create") {
+      output(session.createLease({
+        name: getString(args, "name") ?? "session",
+        secretRefs: getStrings(args, "secret"),
+        ttlSeconds: requirePositiveInt(required(getString(args, "ttl"), "--ttl"), "--ttl")
+      }), jsonMode);
+      return;
+    }
+    if (scope === "lease" && action === "revoke") {
+      output(session.revokeLease(required(getString(args, "lease"), "--lease")), jsonMode);
+      return;
+    }
+    if (scope === "env" && action === "render") {
+      output(session.renderEnv(resolveMappings({
+        maps: getStrings(args, "map"),
+        projectFile
+      }), getString(args, "lease")), jsonMode);
+      return;
+    }
+    if (scope === "env" && action === "sync") {
+      output(session.syncEnvFile({
+        force: getBoolean(args, "force"),
+        leaseId: getString(args, "lease"),
+        mappings: resolveMappings({
+          maps: getStrings(args, "map"),
+          projectFile
+        }),
+        outputPath: absolutePath(getString(args, "output") ?? ".env.autho"),
+        ttlSeconds: getString(args, "ttl") ? requirePositiveInt(getString(args, "ttl"), "--ttl") : undefined
+      }), jsonMode);
+      return;
+    }
+    if (scope === "exec") {
+      const result = session.runExec({
+        cmd: args.passthrough,
+        leaseId: getString(args, "lease"),
+        mappings: resolveMappings({
+          maps: getStrings(args, "map"),
+          projectFile
+        })
+      });
+      process.stdout.write(result.stdout);
+      process.stderr.write(result.stderr);
+      process.exit(result.exitCode);
+    }
+    if (scope === "file" && action === "encrypt") {
+      output(session.encryptFile(absolutePath(required(getString(args, "input"), "--input")), getString(args, "output") ? absolutePath(getString(args, "output")) : undefined, { force: getBoolean(args, "force") }), jsonMode);
+      return;
+    }
+    if (scope === "file" && action === "decrypt") {
+      output(session.decryptFile(absolutePath(required(getString(args, "input"), "--input")), getString(args, "output") ? absolutePath(getString(args, "output")) : undefined, { force: getBoolean(args, "force") }), jsonMode);
+      return;
+    }
+    if (scope === "files" && action === "encrypt") {
+      output(session.encryptFolder(absolutePath(required(getString(args, "input"), "--input")), getString(args, "output") ? absolutePath(getString(args, "output")) : undefined, { force: getBoolean(args, "force") }), jsonMode);
+      return;
+    }
+    if (scope === "files" && action === "decrypt") {
+      output(session.decryptFolder(absolutePath(required(getString(args, "input"), "--input")), getString(args, "output") ? absolutePath(getString(args, "output")) : undefined, { force: getBoolean(args, "force") }), jsonMode);
+      return;
+    }
+    if (scope === "audit" && action === "list") {
+      output(session.listAudit(Number(getString(args, "limit") ?? "50")), jsonMode);
+      return;
+    }
+    throw new Error(`Unknown command: ${[scope, action, subaction].filter(Boolean).join(" ")}`);
+  } finally {
+    session.close();
+  }
+}
+main().catch((error) => {
+  const message = error instanceof Error ? error.message : String(error);
+  console.error(message);
+  process.exit(1);
+});