enact-cli 1.0.4 → 1.0.7

package/dist/index.js

@@ -1,3 +1,4 @@
+#!/usr/bin/env node
 import { createRequire } from "node:module";
 var __create = Object.create;
 var __getProtoOf = Object.getPrototypeOf;
@@ -7049,7 +7050,7 @@ var require_public_api = __commonJS((exports) => {
 });
 
 // src/index.ts
-var import_picocolors10 = __toESM(require_picocolors(), 1);
+var import_picocolors12 = __toESM(require_picocolors(), 1);
 import { parseArgs } from "util";
 
 // node_modules/@clack/prompts/dist/index.mjs
@@ -7781,9 +7782,11 @@ ${import_picocolors3.default.bold("Usage:")}
 
 ${import_picocolors3.default.bold("Commands:")}
   ${import_picocolors3.default.green("auth")}       Manage authentication (login, logout, status, token)
+  ${import_picocolors3.default.green("exec")}       Execute a tool by fetching and running it
   ${import_picocolors3.default.green("init")}       Create a new tool definition
   ${import_picocolors3.default.green("publish")}    Publish a tool to the registry
   ${import_picocolors3.default.green("search")}     Search for tools in the registry
+  ${import_picocolors3.default.green("sign")}       Sign and verify tools with cryptographic signatures
   ${import_picocolors3.default.green("remote")}     Manage remote servers (add, list, remove)
   ${import_picocolors3.default.green("user")}       User operations (get public key)
 
@@ -7792,11 +7795,13 @@ ${import_picocolors3.default.bold("Global Options:")}
   ${import_picocolors3.default.yellow("--version, -v")}  Show version information
 
 ${import_picocolors3.default.bold("Examples:")}
-  ${import_picocolors3.default.cyan("enact")}                    ${import_picocolors3.default.dim("# Interactive mode")}
-  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("search")} ${import_picocolors3.default.yellow("--tags")} web,api     ${import_picocolors3.default.dim("# Search tools by tags")}
-  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("publish")} my-tool.yaml        ${import_picocolors3.default.dim("# Publish a tool")}
-  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("auth")} login               ${import_picocolors3.default.dim("# Login with OAuth")}
-  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("init")} ${import_picocolors3.default.yellow("--minimal")}           ${import_picocolors3.default.dim("# Create minimal tool template")}
+  ${import_picocolors3.default.cyan("enact")}                           ${import_picocolors3.default.dim("# Interactive mode")}
+  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("search")} ${import_picocolors3.default.yellow("--tags")} web,api         ${import_picocolors3.default.dim("# Search tools by tags")}
+  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("exec")} enact/text/slugify      ${import_picocolors3.default.dim("# Execute a tool")}
+  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("sign")} verify my-tool.yaml     ${import_picocolors3.default.dim("# Verify tool signatures")}
+  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("publish")} my-tool.yaml           ${import_picocolors3.default.dim("# Publish a tool")}
+  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("auth")} login                   ${import_picocolors3.default.dim("# Login with OAuth")}
+  ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("init")} ${import_picocolors3.default.yellow("--minimal")}               ${import_picocolors3.default.dim("# Create minimal tool template")}
 
 ${import_picocolors3.default.bold("More Help:")}
   ${import_picocolors3.default.cyan("enact")} ${import_picocolors3.default.green("<command>")} ${import_picocolors3.default.yellow("--help")}          ${import_picocolors3.default.dim("# Show command-specific help")}
@@ -9441,6 +9446,7 @@ Options:
   --limit <number>    Maximum number of results (default: 20)
   --tags <tags>       Filter by tags (comma-separated)
   --format <format>   Output format: table, json, list (default: table)
+  --json              Output results as JSON (shorthand for --format json)
   --author <author>   Filter by author
 
 Examples:
@@ -9448,6 +9454,7 @@ Examples:
   enact search formatter --tags cli,text
   enact search --author myorg
   enact search prettier --limit 5 --format json
+  enact search prettier --limit 5 --json
 `);
     return;
   }
@@ -9819,6 +9826,1102 @@ ${import_picocolors9.default.bold("EXAMPLES")}
 `);
 }
 
+// src/commands/exec.ts
+import { spawn } from "child_process";
+import { readFileSync as readFileSync3, existsSync as existsSync7 } from "fs";
+import { resolve } from "path";
+var import_picocolors10 = __toESM(require_picocolors(), 1);
+
+// src/security/sign.ts
+import * as crypto from "crypto";
+import * as fs from "fs";
+import * as path from "path";
+function createCanonicalToolDefinition(tool) {
+  const canonical = {};
+  const orderedFields = [
+    "name",
+    "description",
+    "command",
+    "protocol_version",
+    "version",
+    "timeout",
+    "tags",
+    "input_schema",
+    "output_schema",
+    "annotations",
+    "env_vars",
+    "examples",
+    "resources",
+    "doc",
+    "authors",
+    "enact"
+  ];
+  for (const field of orderedFields) {
+    if (tool[field] !== undefined) {
+      canonical[field] = tool[field];
+    }
+  }
+  const remainingFields = Object.keys(tool).filter((key) => !orderedFields.includes(key)).sort();
+  for (const field of remainingFields) {
+    if (tool[field] !== undefined) {
+      canonical[field] = tool[field];
+    }
+  }
+  return canonical;
+}
+function createCanonicalToolJson(toolData) {
+  const toolRecord = {
+    name: toolData.name,
+    description: toolData.description,
+    command: toolData.command,
+    protocol_version: toolData.protocol_version,
+    version: toolData.version,
+    timeout: toolData.timeout,
+    tags: toolData.tags,
+    input_schema: toolData.input_schema,
+    output_schema: toolData.output_schema,
+    annotations: toolData.annotations,
+    env_vars: toolData.env_vars,
+    examples: toolData.examples,
+    resources: toolData.resources,
+    doc: toolData.doc,
+    authors: toolData.authors,
+    enact: toolData.enact || "1.0.0"
+  };
+  const canonical = createCanonicalToolDefinition(toolRecord);
+  return JSON.stringify(canonical, Object.keys(canonical).sort());
+}
+var DEFAULT_POLICY = {
+  minimumSignatures: 1,
+  allowedAlgorithms: ["sha256"]
+};
+var TRUSTED_KEYS_DIR = path.join(process.env.HOME || ".", ".enact", "trusted-keys");
+function getTrustedPublicKeysMap() {
+  const trustedKeys = new Map;
+  if (fs.existsSync(TRUSTED_KEYS_DIR)) {
+    try {
+      const files = fs.readdirSync(TRUSTED_KEYS_DIR);
+      for (const file of files) {
+        if (file.endsWith(".pem")) {
+          const keyPath = path.join(TRUSTED_KEYS_DIR, file);
+          const pemContent = fs.readFileSync(keyPath, "utf8");
+          const base64Key = pemToBase64(pemContent);
+          trustedKeys.set(base64Key, pemContent);
+        }
+      }
+    } catch (error) {
+      console.error(`Error reading trusted keys: ${error.message}`);
+    }
+  }
+  return trustedKeys;
+}
+function pemToBase64(pem) {
+  return pem.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s/g, "");
+}
+function base64ToPem(base64) {
+  return `-----BEGIN PUBLIC KEY-----
+${base64.match(/.{1,64}/g)?.join(`
+`)}
+-----END PUBLIC KEY-----`;
+}
+async function signTool(toolPath, privateKeyPath, publicKeyPath, signerInfo, outputPath) {
+  const toolYaml = fs.readFileSync(toolPath, "utf8");
+  const privateKey = fs.readFileSync(privateKeyPath, "utf8");
+  const publicKeyPem = fs.readFileSync(publicKeyPath, "utf8");
+  const tool = $parse(toolYaml);
+  const toolForSigning = { ...tool };
+  delete toolForSigning.signatures;
+  const canonicalJson = createCanonicalToolJson(toolForSigning);
+  console.log("=== SIGNING DEBUG (WEBAPP COMPATIBLE) ===");
+  console.log("Tool for signing:", JSON.stringify(toolForSigning, null, 2));
+  console.log("Canonical JSON (webapp format):", canonicalJson);
+  console.log("Canonical JSON length:", canonicalJson.length);
+  console.log("==========================================");
+  const toolHashBytes = await hashTool(toolForSigning);
+  const { webcrypto } = await import("node:crypto");
+  const privateKeyData = crypto.createPrivateKey({
+    key: privateKey,
+    format: "pem",
+    type: "pkcs8"
+  }).export({ format: "der", type: "pkcs8" });
+  const privateKeyObj = await webcrypto.subtle.importKey("pkcs8", privateKeyData, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+  const signatureArrayBuffer = await webcrypto.subtle.sign({ name: "ECDSA", hash: { name: "SHA-256" } }, privateKeyObj, toolHashBytes);
+  const signature = new Uint8Array(signatureArrayBuffer);
+  const signatureB64 = Buffer.from(signature).toString("base64");
+  console.log("Generated signature (Web Crypto API):", signatureB64);
+  console.log("Signature length:", signature.length, "bytes (should be 64 for P-256)");
+  const publicKeyBase64 = pemToBase64(publicKeyPem);
+  if (!tool.signatures) {
+    tool.signatures = {};
+  }
+  tool.signatures[publicKeyBase64] = {
+    algorithm: "sha256",
+    type: "ecdsa-p256",
+    signer: signerInfo.id,
+    created: new Date().toISOString(),
+    value: signatureB64,
+    ...signerInfo.role && { role: signerInfo.role }
+  };
+  const signedToolYaml = $stringify(tool);
+  if (outputPath) {
+    fs.writeFileSync(outputPath, signedToolYaml);
+  }
+  return signedToolYaml;
+}
+async function hashTool(tool) {
+  const canonical = createCanonicalToolDefinition(tool);
+  const { signature, ...toolForSigning } = canonical;
+  const canonicalJson = JSON.stringify(toolForSigning, Object.keys(toolForSigning).sort());
+  console.log("\uD83D\uDD0D Canonical JSON for hashing:", canonicalJson);
+  console.log("\uD83D\uDD0D Canonical JSON length:", canonicalJson.length);
+  const encoder = new TextEncoder;
+  const data = encoder.encode(canonicalJson);
+  const { webcrypto } = await import("node:crypto");
+  const hashBuffer = await webcrypto.subtle.digest("SHA-256", data);
+  const hashBytes = new Uint8Array(hashBuffer);
+  console.log("\uD83D\uDD0D SHA-256 hash length:", hashBytes.length, "bytes (should be 32)");
+  return hashBytes;
+}
+async function verifyToolSignature(toolObject, signatureB64, publicKeyObj) {
+  try {
+    const toolHash = await hashTool(toolObject);
+    const signatureBytes = new Uint8Array(atob(signatureB64).split("").map((char) => char.charCodeAt(0)));
+    console.log("\uD83D\uDD0D Tool hash byte length:", toolHash.length, "(should be 32 for SHA-256)");
+    console.log("\uD83D\uDD0D Signature bytes length:", signatureBytes.length, "(should be 64 for P-256)");
+    const { webcrypto } = await import("node:crypto");
+    const isValid = await webcrypto.subtle.verify({ name: "ECDSA", hash: { name: "SHA-256" } }, publicKeyObj, signatureBytes, toolHash);
+    console.log("\uD83C\uDFAF Web Crypto API verification result:", isValid);
+    return isValid;
+  } catch (error) {
+    console.error("❌ Verification error:", error);
+    return false;
+  }
+}
+async function verifyTool(toolYaml, policy = DEFAULT_POLICY) {
+  const errors2 = [];
+  const verifiedSigners = [];
+  try {
+    const trustedKeys = getTrustedPublicKeysMap();
+    if (trustedKeys.size === 0) {
+      return {
+        isValid: false,
+        message: "No trusted public keys available",
+        validSignatures: 0,
+        totalSignatures: 0,
+        verifiedSigners: [],
+        errors: ["No trusted keys configured"]
+      };
+    }
+    if (process.env.DEBUG) {
+      console.log("Trusted keys available:");
+      for (const [key, pem] of trustedKeys.entries()) {
+        console.log(`  Key: ${key.substring(0, 20)}...`);
+      }
+    }
+    const tool = typeof toolYaml === "string" ? $parse(toolYaml) : toolYaml;
+    if (!tool.signatures || Object.keys(tool.signatures).length === 0) {
+      return {
+        isValid: false,
+        message: "No signatures found in the tool",
+        validSignatures: 0,
+        totalSignatures: 0,
+        verifiedSigners: [],
+        errors: ["No signatures found"]
+      };
+    }
+    const totalSignatures = Object.keys(tool.signatures).length;
+    const toolForVerification = { ...tool };
+    delete toolForVerification.signatures;
+    const toolHashBytes = await hashTool(toolForVerification);
+    if (true) {
+      console.log("=== VERIFICATION DEBUG (WEBAPP COMPATIBLE) ===");
+      console.log("Original tool signature field:", Object.keys(tool.signatures || {}));
+      console.log("Tool before removing signatures:", JSON.stringify(tool, null, 2));
+      console.log("Tool for verification:", JSON.stringify(toolForVerification, null, 2));
+      console.log("Tool hash bytes length:", toolHashBytes.length, "(should be 32 for SHA-256)");
+      console.log("==============================================");
+    }
+    let validSignatures = 0;
+    for (const [publicKeyBase64, signatureData] of Object.entries(tool.signatures)) {
+      try {
+        if (policy.allowedAlgorithms && !policy.allowedAlgorithms.includes(signatureData.algorithm)) {
+          errors2.push(`Signature by ${signatureData.signer}: unsupported algorithm ${signatureData.algorithm}`);
+          continue;
+        }
+        if (policy.trustedSigners && !policy.trustedSigners.includes(signatureData.signer)) {
+          errors2.push(`Signature by ${signatureData.signer}: signer not in trusted list`);
+          continue;
+        }
+        const publicKeyPem = trustedKeys.get(publicKeyBase64);
+        if (!publicKeyPem) {
+          const reconstructedPem = base64ToPem(publicKeyBase64);
+          if (!trustedKeys.has(pemToBase64(reconstructedPem))) {
+            errors2.push(`Signature by ${signatureData.signer}: public key not trusted`);
+            continue;
+          }
+        }
+        if (process.env.DEBUG) {
+          console.log("Looking for public key:", publicKeyBase64);
+          console.log("Key found in trusted keys:", !!publicKeyPem);
+        }
+        let isValid2 = false;
+        try {
+          const publicKeyToUse = publicKeyPem || base64ToPem(publicKeyBase64);
+          if (process.env.DEBUG) {
+            console.log("Signature base64:", signatureData.value);
+            console.log("Signature buffer length (should be 64):", Buffer.from(signatureData.value, "base64").length);
+            console.log("Public key base64:", publicKeyBase64);
+          }
+          if (signatureData.type === "ecdsa-p256") {
+            const { webcrypto } = await import("node:crypto");
+            const publicKeyData = crypto.createPublicKey({
+              key: publicKeyToUse,
+              format: "pem",
+              type: "spki"
+            }).export({ format: "der", type: "spki" });
+            const publicKeyObj = await webcrypto.subtle.importKey("spki", publicKeyData, { name: "ECDSA", namedCurve: "P-256" }, false, ["verify"]);
+            isValid2 = await verifyToolSignature(toolForVerification, signatureData.value, publicKeyObj);
+            if (process.env.DEBUG) {
+              console.log("Web Crypto API verification result (webapp compatible):", isValid2);
+            }
+          } else {
+            const verify = crypto.createVerify("SHA256");
+            const canonicalJson = createCanonicalToolJson(toolForVerification);
+            verify.update(canonicalJson, "utf8");
+            const signature = Buffer.from(signatureData.value, "base64");
+            isValid2 = verify.verify(publicKeyToUse, signature);
+          }
+        } catch (verifyError) {
+          errors2.push(`Signature by ${signatureData.signer}: verification error - ${verifyError.message}`);
+          continue;
+        }
+        if (isValid2) {
+          validSignatures++;
+          verifiedSigners.push({
+            signer: signatureData.signer,
+            role: signatureData.role,
+            keyId: publicKeyBase64.substring(0, 8)
+          });
+        } else {
+          errors2.push(`Signature by ${signatureData.signer}: cryptographic verification failed`);
+        }
+      } catch (error) {
+        errors2.push(`Signature by ${signatureData.signer}: verification error - ${error.message}`);
+      }
+    }
+    const policyErrors = [];
+    if (policy.minimumSignatures && validSignatures < policy.minimumSignatures) {
+      policyErrors.push(`Policy requires ${policy.minimumSignatures} signatures, but only ${validSignatures} valid`);
+    }
+    if (policy.requireRoles && policy.requireRoles.length > 0) {
+      const verifiedRoles = verifiedSigners.map((s) => s.role).filter(Boolean);
+      const missingRoles = policy.requireRoles.filter((role) => !verifiedRoles.includes(role));
+      if (missingRoles.length > 0) {
+        policyErrors.push(`Policy requires roles: ${missingRoles.join(", ")}`);
+      }
+    }
+    const isValid = policyErrors.length === 0 && validSignatures > 0;
+    const allErrors = [...errors2, ...policyErrors];
+    let message;
+    if (isValid) {
+      message = `Tool "${tool.name}" verified with ${validSignatures}/${totalSignatures} valid signatures`;
+      if (verifiedSigners.length > 0) {
+        const signerInfo = verifiedSigners.map((s) => `${s.signer}${s.role ? ` (${s.role})` : ""}`).join(", ");
+        message += ` from: ${signerInfo}`;
+      }
+    } else {
+      message = `Tool "${tool.name}" verification failed: ${allErrors[0] || "Unknown error"}`;
+    }
+    return {
+      isValid,
+      message,
+      validSignatures,
+      totalSignatures,
+      verifiedSigners,
+      errors: allErrors
+    };
+  } catch (error) {
+    return {
+      isValid: false,
+      message: `Verification error: ${error.message}`,
+      validSignatures: 0,
+      totalSignatures: 0,
+      verifiedSigners: [],
+      errors: [error.message]
+    };
+  }
+}
+var VERIFICATION_POLICIES = {
+  PERMISSIVE: {
+    minimumSignatures: 1,
+    allowedAlgorithms: ["sha256"]
+  },
+  ENTERPRISE: {
+    minimumSignatures: 2,
+    requireRoles: ["author", "reviewer"],
+    allowedAlgorithms: ["sha256"]
+  },
+  PARANOID: {
+    minimumSignatures: 3,
+    requireRoles: ["author", "reviewer", "approver"],
+    allowedAlgorithms: ["sha256"]
+  }
+};
+
+// src/commands/exec.ts
+async function loadLocalTool(filePath) {
+  const resolvedPath = resolve(filePath);
+  if (!existsSync7(resolvedPath)) {
+    throw new Error(`Tool file not found: ${resolvedPath}`);
+  }
+  try {
+    const fileContent = readFileSync3(resolvedPath, "utf8");
+    const toolData = $parse(fileContent);
+    const toolDefinition = {
+      ...toolData,
+      raw_content: fileContent
+    };
+    if (!toolDefinition.name) {
+      throw new Error("Tool must have a name");
+    }
+    if (!toolDefinition.command) {
+      throw new Error("Tool must have a command");
+    }
+    return toolDefinition;
+  } catch (error) {
+    if (error instanceof $YAMLParseError) {
+      throw new Error(`Invalid YAML in tool file: ${error.message}`);
+    }
+    throw error;
+  }
+}
+function isLocalToolPath(toolIdentifier) {
+  return toolIdentifier.includes("/") && (toolIdentifier.endsWith(".yaml") || toolIdentifier.endsWith(".yml") || existsSync7(resolve(toolIdentifier)));
+}
+async function handleExecCommand(args, options) {
+  if (options.help) {
+    console.log(`
+Usage: enact exec <tool-name-or-path> [options]
+
+Execute an Enact tool by fetching its definition from the registry or loading from a local file.
+
+Arguments:
+  tool-name-or-path   Name of the tool (e.g., "enact/text/slugify") or path to local YAML file
+
+Options:
+  --help, -h          Show this help message
+  --input <data>      Input data as JSON string or stdin
+  --params <params>   Parameters as JSON object
+  --timeout <time>    Override tool timeout (Go duration format: 30s, 5m, 1h)
+  --dry               Show command that would be executed without running it
+  --verbose, -v       Show detailed execution information
+  --skip-verification Skip signature verification (not recommended)
+  --verify-policy     Verification policy: permissive, enterprise, paranoid (default: permissive)
+  --force             Force execution even if signature verification fails
+
+Security Options:
+  permissive          Require 1+ valid signatures from trusted keys (default)
+  enterprise          Require author + reviewer signatures  
+  paranoid            Require author + reviewer + approver signatures
+
+Examples:
+  enact exec enact/text/slugify --input "Hello World"
+  enact exec org/ai/review --params '{"file": "README.md"}' --verify-policy enterprise
+  enact exec ./my-tool.yaml --input "test data"
+  enact exec untrusted/tool --skip-verification  # Not recommended
+`);
+    return;
+  }
+  let toolIdentifier = args[0];
+  if (!toolIdentifier) {
+    Ie(import_picocolors10.default.bgMagenta(import_picocolors10.default.white(" Execute Enact Tool ")));
+    toolIdentifier = await he({
+      message: "Enter the tool name or path to execute:",
+      placeholder: "e.g., enact/text/slugify, ./my-tool.yaml",
+      validate: (value) => {
+        if (!value.trim())
+          return "Please enter a tool name or file path";
+        const trimmed = value.trim();
+        if (isLocalToolPath(trimmed)) {
+          return;
+        }
+        if (!/^[a-zA-Z0-9_-]+\/[a-zA-Z0-9_\/-]+$/.test(trimmed)) {
+          return "Tool name must follow hierarchical format: org/category/tool-name, or be a path to a YAML file";
+        }
+        return;
+      }
+    });
+    if (!toolIdentifier) {
+      Se(import_picocolors10.default.yellow("Execution cancelled"));
+      return;
+    }
+  }
+  const isLocalFile = isLocalToolPath(toolIdentifier);
+  const spinner = Y2();
+  spinner.start(isLocalFile ? "Loading local tool definition..." : "Fetching tool definition...");
+  let toolDefinition;
+  try {
+    if (isLocalFile) {
+      toolDefinition = await loadLocalTool(toolIdentifier);
+      spinner.stop("Local tool definition loaded");
+    } else {
+      toolDefinition = await enactApi.getTool(toolIdentifier);
+      spinner.stop("Tool definition fetched");
+    }
+  } catch (error) {
+    spinner.stop(isLocalFile ? "Failed to load local tool" : "Failed to fetch tool definition");
+    if (!isLocalFile && error instanceof EnactApiError && error.statusCode === 404) {
+      Se(import_picocolors10.default.red(`✗ Tool "${toolIdentifier}" not found`));
+    } else {
+      Se(import_picocolors10.default.red(`✗ Failed to ${isLocalFile ? "load" : "fetch"} tool: ${error instanceof Error ? error.message : "Unknown error"}`));
+    }
+    return;
+  }
+  if (!options.skipVerification) {
+    spinner.start("Verifying tool signatures...");
+    try {
+      const policyName = (options.verifyPolicy || "permissive").toUpperCase();
+      const policy = VERIFICATION_POLICIES[policyName] || VERIFICATION_POLICIES.PERMISSIVE;
+      if (options.verbose) {
+        console.log(import_picocolors10.default.cyan(`
+\uD83D\uDD10 Using verification policy: ${policyName.toLowerCase()}`));
+        if (policy.minimumSignatures)
+          console.log(`  - Minimum signatures: ${policy.minimumSignatures}`);
+      }
+      let toolForVerification;
+      if (isLocalFile) {
+        toolForVerification = toolDefinition.raw_content;
+      } else if (toolDefinition.raw_content && toolDefinition.signatures) {
+        const originalTool = JSON.parse(toolDefinition.raw_content);
+        if (!originalTool.enact) {
+          originalTool.enact = "1.0.0";
+        }
+        toolForVerification = {
+          ...originalTool,
+          signatures: toolDefinition.signatures
+        };
+      } else {
+        toolForVerification = toolDefinition;
+        if (!toolForVerification.enact) {
+          toolForVerification.enact = "1.0.0";
+        }
+      }
+      const verification = await verifyTool(toolForVerification, policy);
+      spinner.stop("Signature verification completed");
+      if (verification.isValid) {
+        console.log(import_picocolors10.default.green(`✅ ${verification.message}`));
+        if (options.verbose && verification.verifiedSigners.length > 0) {
+          console.log(import_picocolors10.default.cyan(`
+\uD83D\uDD12 Verified signers:`));
+          verification.verifiedSigners.forEach((signer) => {
+            console.log(`  - ${signer.signer}${signer.role ? ` (${signer.role})` : ""} [${signer.keyId}]`);
+          });
+        }
+      } else {
+        console.log(import_picocolors10.default.red(`❌ ${verification.message}`));
+        if (verification.errors.length > 0) {
+          console.log(import_picocolors10.default.red(`
+Verification errors:`));
+          verification.errors.forEach((error) => {
+            console.log(import_picocolors10.default.red(`  - ${error}`));
+          });
+        }
+        if (!options.force) {
+          const shouldContinue = await ye({
+            message: "Tool signature verification failed. Continue anyway?",
+            initialValue: false
+          });
+          if (!shouldContinue) {
+            Se(import_picocolors10.default.yellow("Execution cancelled for security"));
+            return;
+          }
+        } else {
+          console.log(import_picocolors10.default.yellow("⚠️  Proceeding due to --force flag"));
+        }
+      }
+    } catch (error) {
+      spinner.stop("Verification failed");
+      console.log(import_picocolors10.default.red(`❌ Signature verification error: ${error.message}`));
+      if (!options.force) {
+        const shouldContinue = await ye({
+          message: "Signature verification failed with error. Continue anyway?",
+          initialValue: false
+        });
+        if (!shouldContinue) {
+          Se(import_picocolors10.default.yellow("Execution cancelled for security"));
+          return;
+        }
+      }
+    }
+  } else {
+    console.log(import_picocolors10.default.yellow("⚠️  Signature verification skipped - tool may be untrusted"));
+  }
+  if (options.verbose) {
+    console.log(import_picocolors10.default.cyan(`
+\uD83D\uDCCB Tool Information:`));
+    console.log(`Name: ${toolDefinition.name}`);
+    console.log(`Description: ${toolDefinition.description}`);
+    console.log(`Command: ${toolDefinition.command}`);
+    if (toolDefinition.timeout)
+      console.log(`Timeout: ${toolDefinition.timeout}`);
+    if (toolDefinition.tags)
+      console.log(`Tags: ${toolDefinition.tags.join(", ")}`);
+    if (toolDefinition.signatures) {
+      const sigCount = Object.keys(toolDefinition.signatures).length;
+      console.log(`Signatures: ${sigCount} signature(s) found`);
+    } else {
+      console.log(`Signatures: No signatures found`);
+    }
+  }
+  let params = {};
+  if (options.params) {
+    try {
+      params = JSON.parse(options.params);
+    } catch (error) {
+      Se(import_picocolors10.default.red(`✗ Invalid JSON in --params: ${error instanceof Error ? error.message : "Unknown error"}`));
+      return;
+    }
+  }
+  if (options.input) {
+    try {
+      const inputData = JSON.parse(options.input);
+      params = { ...params, ...inputData };
+    } catch {
+      params.input = options.input;
+    }
+  }
+  const remainingArgs = args.slice(1);
+  for (const arg of remainingArgs) {
+    if (arg.includes("=")) {
+      const [key, ...valueParts] = arg.split("=");
+      const value = valueParts.join("=");
+      const cleanValue = value.replace(/^["']|["']$/g, "");
+      params[key] = cleanValue;
+    }
+  }
+  if (toolDefinition.inputSchema && Object.keys(params).length === 0) {
+    const needsParams = await ye({
+      message: "This tool requires parameters. Would you like to provide them interactively?",
+      initialValue: true
+    });
+    if (needsParams) {
+      params = await collectParametersInteractively(toolDefinition.inputSchema);
+    }
+  }
+  const command = await buildCommand(toolDefinition.command, params);
+  if (options.dry) {
+    console.log(import_picocolors10.default.cyan(`
+\uD83D\uDD0D Command that would be executed:`));
+    console.log(import_picocolors10.default.white(command));
+    console.log(import_picocolors10.default.cyan(`
+Environment variables:`));
+    if (toolDefinition.env) {
+      Object.entries(toolDefinition.env).forEach(([key, config]) => {
+        const value = process.env[key] || config.default || "<not set>";
+        console.log(`  ${key}=${value}`);
+      });
+    } else {
+      console.log("  (none required)");
+    }
+    return;
+  }
+  if (toolDefinition.env) {
+    const missingEnvVars = await checkEnvironmentVariables(toolDefinition.env);
+    if (missingEnvVars.length > 0) {
+      Se(import_picocolors10.default.red(`✗ Missing required environment variables: ${missingEnvVars.join(", ")}`));
+      return;
+    }
+  }
+  const timeout = options.timeout || toolDefinition.timeout || "30s";
+  await executeCommand(command, timeout, options.verbose);
+  if (!isLocalFile) {
+    try {
+      await enactApi.logToolUsage(toolIdentifier, {
+        action: "execute",
+        metadata: {
+          hasParams: Object.keys(params).length > 0,
+          timeout,
+          verificationSkipped: options.skipVerification || false,
+          verificationPolicy: options.verifyPolicy || "permissive",
+          timestamp: new Date().toISOString()
+        }
+      });
+    } catch (error) {
+      if (options.verbose) {
+        console.log(import_picocolors10.default.yellow("⚠ Failed to log usage statistics"));
+      }
+    }
+  }
+}
+async function collectParametersInteractively(inputSchema) {
+  const params = {};
+  if (inputSchema.properties) {
+    for (const [key, schema] of Object.entries(inputSchema.properties)) {
+      const prop = schema;
+      const isRequired = inputSchema.required?.includes(key) || false;
+      let value;
+      if (prop.type === "string") {
+        value = await he({
+          message: `Enter ${key}:`,
+          placeholder: prop.description || `Value for ${key}`,
+          validate: isRequired ? (val) => val.trim() ? undefined : `${key} is required` : undefined
+        });
+      } else if (prop.type === "number" || prop.type === "integer") {
+        value = await he({
+          message: `Enter ${key} (number):`,
+          placeholder: prop.description || `Number value for ${key}`,
+          validate: (val) => {
+            if (!val.trim() && isRequired)
+              return `${key} is required`;
+            if (val.trim() && isNaN(Number(val)))
+              return "Must be a valid number";
+            return;
+          }
+        });
+        if (value)
+          value = Number(value);
+      } else if (prop.type === "boolean") {
+        value = await ye({
+          message: `${key}:`,
+          initialValue: false
+        });
+      } else {
+        value = await he({
+          message: `Enter ${key} (JSON):`,
+          placeholder: prop.description || `JSON value for ${key}`,
+          validate: (val) => {
+            if (!val.trim() && isRequired)
+              return `${key} is required`;
+            if (val.trim()) {
+              try {
+                JSON.parse(val);
+              } catch {
+                return "Must be valid JSON";
+              }
+            }
+            return;
+          }
+        });
+        if (value) {
+          try {
+            value = JSON.parse(value);
+          } catch {}
+        }
+      }
+      if (value !== null && value !== undefined && value !== "") {
+        params[key] = value;
+      }
+    }
+  }
+  return params;
+}
+async function buildCommand(template, params) {
+  let command = template;
+  for (const [key, value] of Object.entries(params)) {
+    const placeholder = `\${${key}}`;
+    const escapedValue = typeof value === "string" ? value.replace(/'/g, `'"'"'`) : String(value);
+    command = command.replace(new RegExp(placeholder.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "g"), escapedValue);
+  }
+  return command;
+}
+async function checkEnvironmentVariables(envConfig) {
+  const missing = [];
+  for (const [key, config] of Object.entries(envConfig)) {
+    if (config.required && !process.env[key] && !config.default) {
+      missing.push(key);
+    }
+  }
+  return missing;
+}
+async function executeCommand(command, timeout, verbose = false) {
+  return new Promise((resolve2, reject) => {
+    if (verbose) {
+      console.log(import_picocolors10.default.cyan(`
+\uD83D\uDE80 Executing command:`));
+      console.log(import_picocolors10.default.white(command));
+    }
+    const spinner = Y2();
+    spinner.start("Executing tool...");
+    const timeoutMs = parseTimeout(timeout);
+    const child = spawn("sh", ["-c", command], {
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: timeoutMs
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (data) => {
+      stdout += data.toString();
+    });
+    child.stderr.on("data", (data) => {
+      stderr += data.toString();
+    });
+    child.on("close", (code) => {
+      spinner.stop("Execution completed");
+      if (code === 0) {
+        console.log(import_picocolors10.default.green(`
+✅ Tool executed successfully`));
+        if (stdout.trim()) {
+          console.log(import_picocolors10.default.cyan(`
+\uD83D\uDCE4 Output:`));
+          console.log(stdout.trim());
+        }
+        resolve2();
+      } else {
+        console.log(import_picocolors10.default.red(`
+❌ Tool execution failed (exit code: ${code})`));
+        if (stderr.trim()) {
+          console.log(import_picocolors10.default.red(`
+\uD83D\uDCE4 Error output:`));
+          console.log(stderr.trim());
+        }
+        if (stdout.trim()) {
+          console.log(import_picocolors10.default.yellow(`
+\uD83D\uDCE4 Standard output:`));
+          console.log(stdout.trim());
+        }
+        reject(new Error(`Command failed with exit code ${code}`));
+      }
+    });
+    child.on("error", (error) => {
+      spinner.stop("Execution failed");
+      console.log(import_picocolors10.default.red(`
+❌ Failed to execute command: ${error.message}`));
+      reject(error);
+    });
+  });
+}
+function parseTimeout(timeout) {
+  const match = timeout.match(/^(\d+)([smh])$/);
+  if (!match)
+    return 30000;
+  const [, value, unit] = match;
+  const num = parseInt(value);
+  switch (unit) {
+    case "s":
+      return num * 1000;
+    case "m":
+      return num * 60 * 1000;
+    case "h":
+      return num * 60 * 60 * 1000;
+    default:
+      return 30000;
+  }
+}
+
+// src/commands/sign.ts
+var import_picocolors11 = __toESM(require_picocolors(), 1);
+import * as fs2 from "fs";
+import * as path2 from "path";
+async function handleSignCommand(args, options) {
+  if (options.help) {
+    console.log(`
+Usage: enact sign <subcommand> [options]
+
+Manage tool signatures and verification.
+
+Subcommands:
+  verify <tool-path> [policy]    Verify tool signatures
+  list-keys                      List trusted public keys
+  sign <tool-path>               Sign a tool (requires private key)
+
+Options:
+  --help, -h          Show this help message
+  --policy <policy>   Verification policy: permissive, enterprise, paranoid
+  --private-key <path> Path to private key for signing
+  --role <role>       Role for signature: author, reviewer, approver
+  --signer <name>     Signer identifier
+  --verbose, -v       Show detailed information
+
+Verification Policies:
+  permissive          Require 1+ valid signatures from trusted keys (default)
+  enterprise          Require author + reviewer signatures  
+  paranoid            Require author + reviewer + approver signatures
+
+Examples:
+  enact sign verify my-tool.yaml
+  enact sign verify my-tool.yaml enterprise
+  enact sign list-keys
+  enact sign sign my-tool.yaml --private-key ~/.enact/private.pem --role author
+`);
+    return;
+  }
+  const subcommand = args[0];
+  if (!subcommand) {
+    Ie(import_picocolors11.default.bgBlue(import_picocolors11.default.white(" Enact Tool Signing ")));
+    const action = await ve({
+      message: "What would you like to do?",
+      options: [
+        { value: "verify", label: "\uD83D\uDD0D Verify tool signatures" },
+        { value: "list-keys", label: "\uD83D\uDD11 List trusted keys" },
+        { value: "sign", label: "✍️ Sign a tool" },
+        { value: "help", label: "❓ Show help" }
+      ]
+    });
+    if (action === null) {
+      Se(import_picocolors11.default.yellow("Operation cancelled"));
+      return;
+    }
+    if (action === "help") {
+      await handleSignCommand(["help"], { help: true });
+      return;
+    }
+    if (action === "verify") {
+      await handleVerifyCommand([], options);
+      return;
+    }
+    if (action === "list-keys") {
+      await handleListKeysCommand([], options);
+      return;
+    }
+    if (action === "sign") {
+      await handleSignToolCommand([], options);
+      return;
+    }
+    return;
+  }
+  switch (subcommand.toLowerCase()) {
+    case "verify":
+      await handleVerifyCommand(args.slice(1), options);
+      break;
+    case "list-keys":
+      await handleListKeysCommand(args.slice(1), options);
+      break;
+    case "sign":
+      await handleSignToolCommand(args.slice(1), options);
+      break;
+    default:
+      console.error(import_picocolors11.default.red(`Unknown subcommand: ${subcommand}`));
+      console.log(import_picocolors11.default.yellow('Use "enact sign --help" for available commands'));
+      process.exit(1);
+  }
+}
+async function handleVerifyCommand(args, options) {
+  let toolPath = args[0];
+  let policyName = args[1] || options.policy || "permissive";
+  if (!toolPath) {
+    Ie(import_picocolors11.default.bgGreen(import_picocolors11.default.white(" Verify Tool Signatures ")));
+    toolPath = await he({
+      message: "Enter path to tool YAML file:",
+      placeholder: "./my-tool.yaml",
+      validate: (value) => {
+        if (!value.trim())
+          return "Please enter a file path";
+        if (!fs2.existsSync(value.trim()))
+          return "File does not exist";
+        return;
+      }
+    });
+    if (!toolPath) {
+      Se(import_picocolors11.default.yellow("Verification cancelled"));
+      return;
+    }
+    policyName = await ve({
+      message: "Select verification policy:",
+      options: [
+        { value: "permissive", label: "Permissive - Require 1+ valid signatures (default)" },
+        { value: "enterprise", label: "Enterprise - Require author + reviewer signatures" },
+        { value: "paranoid", label: "Paranoid - Require author + reviewer + approver signatures" }
+      ]
+    });
+  }
+  const policyKey = policyName.toUpperCase();
+  const policy = VERIFICATION_POLICIES[policyKey] || VERIFICATION_POLICIES.PERMISSIVE;
+  if (options.verbose) {
+    console.log(import_picocolors11.default.cyan(`
+\uD83D\uDCCB Verification Details:`));
+    console.log(`Tool: ${toolPath}`);
+    console.log(`Policy: ${policyName}`);
+    if (policy.minimumSignatures)
+      console.log(`Minimum signatures: ${policy.minimumSignatures}`);
+    if (policy.requireRoles)
+      console.log(`Required roles: ${policy.requireRoles.join(", ")}`);
+  }
+  try {
+    const spinner = Y2();
+    spinner.start("Verifying tool signatures...");
+    const toolYaml = fs2.readFileSync(toolPath, "utf8");
+    const result = await verifyTool(toolYaml, policy);
+    spinner.stop("Verification completed");
+    if (result.isValid) {
+      console.log(import_picocolors11.default.green(`
+✅ VERIFICATION PASSED`));
+      console.log(import_picocolors11.default.green(`${result.message}`));
+    } else {
+      console.log(import_picocolors11.default.red(`
+❌ VERIFICATION FAILED`));
+      console.log(import_picocolors11.default.red(`${result.message}`));
+    }
+    console.log(import_picocolors11.default.cyan(`
+\uD83D\uDCCA Signature Summary:`));
+    console.log(`Valid signatures: ${result.validSignatures}/${result.totalSignatures}`);
+    if (result.verifiedSigners.length > 0) {
+      console.log(import_picocolors11.default.cyan(`
+\uD83D\uDD12 Verified signers:`));
+      result.verifiedSigners.forEach((signer) => {
+        console.log(`  - ${signer.signer}${signer.role ? ` (${signer.role})` : ""} [${signer.keyId}]`);
+      });
+    }
+    if (result.errors.length > 0) {
+      console.log(import_picocolors11.default.yellow(`
+⚠️ Issues found:`));
+      result.errors.forEach((error) => console.log(`  - ${error}`));
+    }
+    if (!result.isValid) {
+      Se(import_picocolors11.default.red("Tool verification failed"));
+      process.exit(1);
+    } else {
+      Se(import_picocolors11.default.green("Tool verification passed"));
+    }
+  } catch (error) {
+    console.error(import_picocolors11.default.red(`
+❌ Error verifying tool: ${error.message}`));
+    process.exit(1);
+  }
+}
+async function handleListKeysCommand(args, options) {
+  Ie(import_picocolors11.default.bgCyan(import_picocolors11.default.white(" Trusted Public Keys ")));
+  try {
+    const trustedKeys = getTrustedPublicKeysMap();
+    if (trustedKeys.size === 0) {
+      console.log(import_picocolors11.default.yellow(`
+\uD83D\uDCED No trusted keys found`));
+      console.log(import_picocolors11.default.dim("Add trusted keys to: ~/.enact/trusted-keys/"));
+      return;
+    }
+    console.log(import_picocolors11.default.cyan(`
+\uD83D\uDD11 Found ${trustedKeys.size} trusted key(s):
+`));
+    let keyIndex = 1;
+    for (const [base64Key, pemContent] of trustedKeys.entries()) {
+      const keyId = base64Key.substring(0, 16);
+      const shortKey = base64Key.substring(0, 32) + "...";
+      console.log(`${keyIndex}. Key ID: ${import_picocolors11.default.green(keyId)}`);
+      console.log(`   Preview: ${import_picocolors11.default.dim(shortKey)}`);
+      if (options.verbose) {
+        console.log(`   Full PEM:
+${import_picocolors11.default.dim(pemContent)}`);
+      }
+      console.log("");
+      keyIndex++;
+    }
+    if (!options.verbose) {
+      console.log(import_picocolors11.default.dim("Use --verbose to see full PEM content"));
+    }
+    const trustedKeysDir = path2.join(process.env.HOME || ".", ".enact", "trusted-keys");
+    console.log(import_picocolors11.default.cyan(`\uD83D\uDCC1 Trusted keys directory: ${trustedKeysDir}`));
+    Se(import_picocolors11.default.green(`Listed ${trustedKeys.size} trusted keys`));
+  } catch (error) {
+    console.error(import_picocolors11.default.red(`
+❌ Error listing keys: ${error.message}`));
+    process.exit(1);
+  }
+}
+async function handleSignToolCommand(args, options) {
+  let toolPath = args[0];
+  let privateKeyPath = options.privateKey;
+  let role = options.role;
+  let signerName = options.signer;
+  if (!toolPath) {
+    Ie(import_picocolors11.default.bgMagenta(import_picocolors11.default.white(" Sign Tool ")));
+    toolPath = await he({
+      message: "Enter path to tool YAML file:",
+      placeholder: "./my-tool.yaml",
+      validate: (value) => {
+        if (!value.trim())
+          return "Please enter a file path";
+        if (!fs2.existsSync(value.trim()))
+          return "File does not exist";
+        return;
+      }
+    });
+    if (!toolPath) {
+      Se(import_picocolors11.default.yellow("Signing cancelled"));
+      return;
+    }
+  }
+  if (!privateKeyPath) {
+    privateKeyPath = await he({
+      message: "Enter path to private key PEM file:",
+      placeholder: "~/.enact/private.pem",
+      validate: (value) => {
+        if (!value.trim())
+          return "Please enter a private key path";
+        const expandedPath = value.replace(/^~/, process.env.HOME || "");
+        if (!fs2.existsSync(expandedPath))
+          return "Private key file does not exist";
+        return;
+      }
+    });
+    if (!privateKeyPath) {
+      Se(import_picocolors11.default.yellow("Signing cancelled"));
+      return;
+    }
+  }
+  const expandedPrivateKeyPath = privateKeyPath.replace(/^~/, process.env.HOME || "");
+  const publicKeyPath = expandedPrivateKeyPath.replace(/private\.pem$/, "public.pem").replace(/-private\.pem$/, "-public.pem");
+  if (!fs2.existsSync(publicKeyPath)) {
+    console.error(import_picocolors11.default.red(`
+❌ Public key not found at: ${publicKeyPath}`));
+    console.log(import_picocolors11.default.yellow("Expected public key file alongside private key"));
+    return;
+  }
+  if (!role) {
+    role = await ve({
+      message: "Select your role for this signature:",
+      options: [
+        { value: "author", label: "Author - Original creator of the tool" },
+        { value: "reviewer", label: "Reviewer - Code reviewer/auditor" },
+        { value: "approver", label: "Approver - Final approver for production use" }
+      ]
+    });
+  }
+  if (!signerName) {
+    signerName = await he({
+      message: "Enter your signer identifier:",
+      placeholder: "your-username or email@domain.com",
+      validate: (value) => {
+        if (!value.trim())
+          return "Please enter a signer identifier";
+        return;
+      }
+    });
+    if (!signerName) {
+      Se(import_picocolors11.default.yellow("Signing cancelled"));
+      return;
+    }
+  }
+  try {
+    const spinner = Y2();
+    spinner.start("Signing tool...");
+    const signedYaml = await signTool(toolPath, expandedPrivateKeyPath, publicKeyPath, { id: signerName, role }, toolPath);
+    spinner.stop("Tool signed successfully");
+    console.log(import_picocolors11.default.green(`
+✅ Tool signed successfully!`));
+    console.log(import_picocolors11.default.cyan(`
+\uD83D\uDCCB Signature Details:`));
+    console.log(`Tool: ${toolPath}`);
+    console.log(`Signer: ${signerName}`);
+    console.log(`Role: ${role}`);
+    console.log(`Private key: ${expandedPrivateKeyPath}`);
+    console.log(`Public key: ${publicKeyPath}`);
+    if (options.verbose) {
+      console.log(import_picocolors11.default.cyan(`
+\uD83D\uDCC4 Signed YAML preview:`));
+      const lines = signedYaml.split(`
+`);
+      const previewLines = lines.slice(0, 10).join(`
+`);
+      console.log(import_picocolors11.default.dim(previewLines + (lines.length > 10 ? `
+...` : "")));
+    }
+    Se(import_picocolors11.default.green("Tool signature added to YAML file"));
+  } catch (error) {
+    console.error(import_picocolors11.default.red(`
+❌ Error signing tool: ${error.message}`));
+    process.exit(1);
+  }
+}
+
 // src/index.ts
 var { values, positionals } = parseArgs({
   args: process.argv,
@@ -9861,9 +10964,38 @@ var { values, positionals } = parseArgs({
       type: "string",
       short: "f"
     },
+    json: {
+      type: "boolean"
+    },
     author: {
       type: "string",
       short: "a"
+    },
+    input: {
+      type: "string",
+      short: "i"
+    },
+    params: {
+      type: "string"
+    },
+    dry: {
+      type: "boolean"
+    },
+    verbose: {
+      type: "boolean",
+      short: "v"
+    },
+    policy: {
+      type: "string"
+    },
+    "private-key": {
+      type: "string"
+    },
+    role: {
+      type: "string"
+    },
+    signer: {
+      type: "string"
     }
   },
   allowPositionals: true,
@@ -9901,7 +11033,7 @@ async function main() {
           help: values.help,
           limit: values.limit ? parseInt(values.limit) : undefined,
           tags: values.tags ? (values.tags + "").split(",").map((t) => t.trim()) : undefined,
-          format: values.format,
+          format: values.json ? "json" : values.format,
           author: values.author
         });
         break;
@@ -9924,17 +11056,39 @@ async function main() {
           format: values.format
         });
         break;
+      case "exec":
+        await handleExecCommand(commandArgs, {
+          help: values.help,
+          input: values.input,
+          params: values.params,
+          timeout: values.timeout,
+          dry: values.dry,
+          verbose: values.verbose
+        });
+        break;
+      case "sign":
+        await handleSignCommand(commandArgs, {
+          help: values.help,
+          policy: values.policy,
+          privateKey: values["private-key"],
+          role: values.role,
+          signer: values.signer,
+          verbose: values.verbose
+        });
+        break;
       case undefined:
         if (values.help) {
           showHelp();
         } else {
-          Ie(import_picocolors10.default.bgCyan(import_picocolors10.default.black(" Enact CLI ")));
+          Ie(import_picocolors12.default.bgCyan(import_picocolors12.default.black(" Enact CLI ")));
           const action = await ve({
             message: "What would you like to do?",
             options: [
               { value: "search", label: "\uD83D\uDD0D Search for tools" },
+              { value: "exec", label: "⚡ Execute a tool" },
               { value: "publish", label: "\uD83D\uDCE4 Publish a tool" },
               { value: "init", label: "\uD83D\uDCDD Create a new tool definition" },
+              { value: "sign", label: "✍️ Sign & verify tools" },
               { value: "auth", label: "\uD83D\uDD10 Manage authentication" },
               { value: "remote", label: "\uD83C\uDF10 Manage remote servers" },
               { value: "user", label: "\uD83D\uDC64 User operations" },
@@ -9954,6 +11108,14 @@ async function main() {
             await handleSearchCommand([], {});
             return;
           }
+          if (action === "exec") {
+            await handleExecCommand([], {});
+            return;
+          }
+          if (action === "sign") {
+            await handleSignCommand([], {});
+            return;
+          }
           if (action === "auth") {
             const authAction = await ve({
               message: "Authentication:",
@@ -10006,12 +11168,12 @@ async function main() {
         }
         break;
       default:
-        console.error(import_picocolors10.default.red(`Unknown command: ${command}`));
+        console.error(import_picocolors12.default.red(`Unknown command: ${command}`));
         showHelp();
         process.exit(1);
     }
   } catch (error) {
-    console.error(import_picocolors10.default.red(`Error: ${error.message}`));
+    console.error(import_picocolors12.default.red(`Error: ${error.message}`));
     process.exit(1);
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "enact-cli",
-  "version": "1.0.4",
+  "version": "1.0.7",
   "description": "Official CLI for the Enact Protocol - package, secure, and discover AI tools",
   "type": "module",
   "main": "./dist/index.js",
@@ -13,7 +13,7 @@
     "LICENSE"
   ],
   "scripts": {
-    "build": "bun build ./src/index.ts --outdir ./dist --target node",
+    "build": "bun build ./src/index.ts --outdir ./dist --target node && echo '#!/usr/bin/env node' | cat - ./dist/index.js > temp && mv temp ./dist/index.js && chmod +x ./dist/index.js",
     "prepublishOnly": "npm run build",
     "start": "bun ./dist/index.js",
     "dev": "bun run --watch src/index.ts",