midsummer-sol 0.1.3 → 0.2.0

package/sol-secret-mcp.js

@@ -0,0 +1,3250 @@
+#!/usr/bin/env node
+// @bun
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+// src/crypto.ts
+var exports_crypto = {};
+__export(exports_crypto, {
+  wrapCekTo: () => wrapCekTo,
+  verifyPubkeySig: () => verifyPubkeySig,
+  unwrapCekWith: () => unwrapCekWith,
+  signPubkey: () => signPubkey,
+  sealWithRecovery: () => sealWithRecovery,
+  sealToAccounts: () => sealToAccounts,
+  sealContent: () => sealContent,
+  sameActor: () => sameActor,
+  rotate: () => rotate,
+  recoveryKeyPair: () => recoveryKeyPair,
+  pubFingerprint: () => pubFingerprint,
+  openWithRecovery: () => openWithRecovery,
+  openContent: () => openContent,
+  isRecipient: () => isRecipient,
+  generateRecoveryCode: () => generateRecoveryCode,
+  deriveIdentity: () => deriveIdentity,
+  ciphertextOf: () => ciphertextOf,
+  UNREADABLE: () => UNREADABLE,
+  KeyRing: () => KeyRing
+});
+import { createCipheriv, createDecipheriv, createHash as createHash2, createPrivateKey, createPublicKey, diffieHellman, generateKeyPairSync, hkdfSync, randomBytes, scryptSync, sign as edSign, timingSafeEqual, verify as edVerify } from "node:crypto";
+
+class KeyRing {
+  keys = new Map;
+  ensure(actor) {
+    let k = this.keys.get(actor);
+    if (!k) {
+      k = randomBytes(32);
+      this.keys.set(actor, k);
+    }
+    return k;
+  }
+  key(actor) {
+    return this.keys.get(actor);
+  }
+  serialize() {
+    const out = {};
+    for (const [a, k] of this.keys)
+      out[a] = k.toString("base64");
+    return out;
+  }
+  load(data) {
+    for (const [a, k] of Object.entries(data))
+      this.keys.set(a, Buffer.from(k, "base64"));
+  }
+}
+function aeadSeal(key, plain) {
+  const iv = randomBytes(12);
+  const c = createCipheriv("aes-256-gcm", key, iv);
+  const ct = Buffer.concat([c.update(plain), c.final()]);
+  return { iv: iv.toString("base64"), ct: ct.toString("base64"), tag: c.getAuthTag().toString("base64") };
+}
+function aeadOpen(key, box) {
+  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(box.iv, "base64"));
+  d.setAuthTag(Buffer.from(box.tag, "base64"));
+  return Buffer.concat([d.update(Buffer.from(box.ct, "base64")), d.final()]);
+}
+function sealContent(ring, content, recipients, epoch = 1) {
+  const cek = randomBytes(32);
+  const body = aeadSeal(cek, Buffer.from(content, "utf8"));
+  const lockboxes = {};
+  for (const r of recipients)
+    lockboxes[r] = aeadSeal(ring.ensure(r), cek);
+  return { body, lockboxes, epoch };
+}
+function openContent(ring, box, actor, self) {
+  if (self) {
+    const alb = box.asym?.[self.accountId];
+    if (alb) {
+      try {
+        const cek = unwrapCekWith(self.privateKey, alb);
+        return aeadOpen(cek, box.body).toString("utf8");
+      } catch {
+        return UNREADABLE;
+      }
+    }
+  }
+  const lb = box.lockboxes[actor];
+  const key = ring.key(actor);
+  if (!lb || !key)
+    return UNREADABLE;
+  try {
+    const cek = aeadOpen(key, lb);
+    return aeadOpen(cek, box.body).toString("utf8");
+  } catch {
+    return UNREADABLE;
+  }
+}
+function isRecipient(box, actor) {
+  return actor in box.lockboxes || !!box.asym?.[actor];
+}
+function ciphertextOf(box) {
+  return box.body.ct;
+}
+function rotate(ring, box, content, newRecipients) {
+  return sealContent(ring, content, newRecipients, box.epoch + 1);
+}
+function sameActor(a, b) {
+  const ab = Buffer.from(a);
+  const bb = Buffer.from(b);
+  return ab.length === bb.length && timingSafeEqual(ab, bb);
+}
+function deriveWrapKey(shared, epkB64, recipientPubB64) {
+  if (shared.every((b) => b === 0))
+    throw new Error("invalid ECDH shared secret");
+  const info = Buffer.concat([RECOVERY_INFO, Buffer.from(epkB64, "base64"), Buffer.from(recipientPubB64, "base64")]);
+  return Buffer.from(hkdfSync("sha256", shared, Buffer.alloc(0), info, 32));
+}
+function recoveryKeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync("x25519");
+  return { publicKey: publicKey.export({ type: "spki", format: "der" }).toString("base64"), privateKey };
+}
+function wrapCekTo(recipientPublicKeyB64, cek) {
+  const recipientPub = createPublicKey({ key: Buffer.from(recipientPublicKeyB64, "base64"), type: "spki", format: "der" });
+  const eph = generateKeyPairSync("x25519");
+  const epk = eph.publicKey.export({ type: "spki", format: "der" }).toString("base64");
+  const shared = diffieHellman({ privateKey: eph.privateKey, publicKey: recipientPub });
+  return { epk, box: aeadSeal(deriveWrapKey(shared, epk, recipientPublicKeyB64), cek) };
+}
+function unwrapCekWith(privateKey, lb) {
+  const recipientPubB64 = createPublicKey(privateKey).export({ type: "spki", format: "der" }).toString("base64");
+  const epk = createPublicKey({ key: Buffer.from(lb.epk, "base64"), type: "spki", format: "der" });
+  const shared = diffieHellman({ privateKey, publicKey: epk });
+  return aeadOpen(deriveWrapKey(shared, lb.epk, recipientPubB64), lb.box);
+}
+function sealWithRecovery(ring, content, recipients, recoveryPubKeys = {}, epoch = 1) {
+  const cek = randomBytes(32);
+  const body = aeadSeal(cek, Buffer.from(content, "utf8"));
+  const lockboxes = {};
+  for (const r of recipients)
+    lockboxes[r] = aeadSeal(ring.ensure(r), cek);
+  const recovery = {};
+  for (const [id, pub] of Object.entries(recoveryPubKeys))
+    recovery[id] = wrapCekTo(pub, cek);
+  return { body, lockboxes, recovery, epoch };
+}
+function openWithRecovery(privateKey, box, recoveryId) {
+  const lb = box.recovery?.[recoveryId];
+  if (!lb)
+    return UNREADABLE;
+  try {
+    const cek = unwrapCekWith(privateKey, lb);
+    return aeadOpen(cek, box.body).toString("utf8");
+  } catch {
+    return UNREADABLE;
+  }
+}
+function sealToAccounts(content, recipientPubKeys, opts = {}) {
+  const cek = randomBytes(32);
+  const body = aeadSeal(cek, Buffer.from(content, "utf8"));
+  const asym = {};
+  for (const [acct, pub] of Object.entries(recipientPubKeys))
+    asym[acct] = wrapCekTo(pub, cek);
+  const lockboxes = {};
+  if (opts.ring && opts.localRecipients)
+    for (const r of opts.localRecipients)
+      lockboxes[r] = aeadSeal(opts.ring.ensure(r), cek);
+  const recovery = {};
+  for (const [id, pub] of Object.entries(opts.recoveryPubKeys ?? {}))
+    recovery[id] = wrapCekTo(pub, cek);
+  const box = { body, lockboxes, asym, epoch: opts.epoch ?? 1 };
+  if (Object.keys(recovery).length)
+    box.recovery = recovery;
+  return box;
+}
+function x25519FromSeed(seed) {
+  const privateKey = createPrivateKey({ key: Buffer.concat([X25519_PKCS8_PREFIX, seed]), format: "der", type: "pkcs8" });
+  return { publicKey: createPublicKey(privateKey).export({ type: "spki", format: "der" }).toString("base64"), privateKey };
+}
+function ed25519FromSeed(seed) {
+  const privateKey = createPrivateKey({ key: Buffer.concat([ED25519_PKCS8_PREFIX, seed]), format: "der", type: "pkcs8" });
+  return { publicKey: createPublicKey(privateKey).export({ type: "spki", format: "der" }).toString("base64"), privateKey };
+}
+function generateRecoveryCode(words = 12) {
+  const out = [];
+  for (let i = 0;i < words; i++)
+    out.push(WORDLIST[randomBytes(2).readUInt16BE(0) % WORDLIST.length]);
+  return out.join(" ");
+}
+function deriveIdentity(accountId, recoveryCode, keyEpoch = 1) {
+  const salt = Buffer.from(`sol/identity/v1\x00${accountId}\x00epoch=${keyEpoch}`);
+  const xSeed = scryptSync(recoveryCode.normalize("NFKD"), Buffer.concat([salt, Buffer.from("\x00x25519")]), 32, KDF_PARAMS);
+  const eSeed = scryptSync(recoveryCode.normalize("NFKD"), Buffer.concat([salt, Buffer.from("\x00ed25519")]), 32, KDF_PARAMS);
+  const x = x25519FromSeed(xSeed);
+  const e = ed25519FromSeed(eSeed);
+  return { accountId, x25519Pub: x.publicKey, x25519Priv: x.privateKey, edPub: e.publicKey, edPriv: e.privateKey, keyEpoch };
+}
+function pubkeyBindingBytes(accountId, x25519Pub, keyEpoch) {
+  return Buffer.from(`sol/keydir/v1\x00${accountId}\x00${x25519Pub}\x00epoch=${keyEpoch}`);
+}
+function signPubkey(id) {
+  return edSign(null, pubkeyBindingBytes(id.accountId, id.x25519Pub, id.keyEpoch), id.edPriv).toString("base64");
+}
+function verifyPubkeySig(entry) {
+  try {
+    const edPub = createPublicKey({ key: Buffer.from(entry.edPub, "base64"), type: "spki", format: "der" });
+    return edVerify(null, pubkeyBindingBytes(entry.accountId, entry.x25519Pub, entry.keyEpoch), edPub, Buffer.from(entry.sig, "base64"));
+  } catch {
+    return false;
+  }
+}
+function pubFingerprint(x25519Pub) {
+  const h = createHash2("sha256").update(Buffer.from(x25519Pub, "base64")).digest("hex");
+  return h.slice(0, 32).match(/.{4}/g).join("-");
+}
+var UNREADABLE = "<<unreadable>>", RECOVERY_INFO, X25519_PKCS8_PREFIX, ED25519_PKCS8_PREFIX, KDF_PARAMS, WORDLIST;
+var init_crypto = __esm(() => {
+  RECOVERY_INFO = Buffer.from("forge-vcs/recovery/v1\x00");
+  X25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b656e04220420", "hex");
+  ED25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");
+  KDF_PARAMS = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
+  WORDLIST = "abandon ability able about above absorb abstract access accident account accuse achieve acid acoustic acquire across action actor actual adapt add address adjust admit adult advance advice aerobic affair afford afraid again age agent agree ahead aim air airport aisle alarm album alert alien all alley allow almost alone alpha already also alter always amateur amazing among amount amused anchor ancient anger angle angry animal ankle announce annual another answer antenna antique anxiety apart apology appear apple approve april arch arctic area arena argue arm armed armor army around arrange arrest arrive arrow art artist artwork ask aspect assault asset assist assume asthma athlete atom attack attend attitude attract auction audit august aunt author auto autumn average avocado avoid awake aware away awesome awful awkward axis".split(" ");
+});
+
+// src/sign.ts
+import { createHash as createHash4, generateKeyPairSync as generateKeyPairSync2, createPrivateKey as createPrivateKey2, createPublicKey as createPublicKey2, sign as edSign2, verify as edVerify2 } from "node:crypto";
+function fingerprintOf(pub) {
+  const der = Buffer.from(pub, "base64");
+  return "sol1:" + createHash4("sha256").update(der).digest("hex").slice(0, 16);
+}
+var ED25519_PKCS8_PREFIX2;
+var init_sign = __esm(() => {
+  ED25519_PKCS8_PREFIX2 = Buffer.from("302e020100300506032b657004220420", "hex");
+});
+
+// src/bin/identity-store.ts
+import { chmodSync as chmodSync2, existsSync as existsSync6, mkdirSync as mkdirSync4, readFileSync as readFileSync7, writeFileSync as writeFileSync6 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { dirname as dirname2, join as join5 } from "node:path";
+function loadIdentity2() {
+  if (!existsSync6(IDENTITY_PATH2))
+    return;
+  try {
+    return JSON.parse(readFileSync7(IDENTITY_PATH2, "utf8"));
+  } catch {
+    return;
+  }
+}
+function loadVerified() {
+  if (!existsSync6(VERIFIED_PATH2))
+    return {};
+  try {
+    return JSON.parse(readFileSync7(VERIFIED_PATH2, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function pinVerified(accountId, fingerprint) {
+  const all = loadVerified();
+  all[accountId] = fingerprint;
+  mkdirSync4(dirname2(VERIFIED_PATH2), { recursive: true });
+  writeFileSync6(VERIFIED_PATH2, JSON.stringify(all, null, 2), { mode: 384 });
+  try {
+    chmodSync2(VERIFIED_PATH2, 384);
+  } catch {}
+}
+var IDENTITY_PATH2, EXPORT_KDF2, VERIFIED_PATH2;
+var init_identity_store = __esm(() => {
+  IDENTITY_PATH2 = join5(homedir2(), ".sol", "identity.json");
+  EXPORT_KDF2 = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
+  VERIFIED_PATH2 = join5(homedir2(), ".sol", "verified-keys.json");
+});
+
+// src/bin/seal-audience.ts
+var exports_seal_audience = {};
+__export(exports_seal_audience, {
+  slotForPath: () => slotForPath,
+  resolveRecipient: () => resolveRecipient,
+  recordNameSlot: () => recordNameSlot,
+  recordHiddenPath: () => recordHiddenPath,
+  recordAudience: () => recordAudience,
+  parseRecipient: () => parseRecipient,
+  loadSelfIdentity: () => loadSelfIdentity,
+  loadNameSlots: () => loadNameSlots,
+  loadManageIdentity: () => loadManageIdentity,
+  loadHiddenPaths: () => loadHiddenPaths,
+  loadAudiences: () => loadAudiences,
+  isHiddenPath: () => isHiddenPath,
+  hiddenPathSet: () => hiddenPathSet,
+  forgetHiddenPath: () => forgetHiddenPath,
+  fetchKey: () => fetchKey
+});
+import { existsSync as existsSync7, readFileSync as readFileSync8, writeFileSync as writeFileSync7, chmodSync as chmodSync3 } from "node:fs";
+import { join as join6 } from "node:path";
+function parseRecipient(raw) {
+  const t = raw.startsWith("@") ? raw.slice(1) : raw;
+  const at = t.indexOf("@");
+  if (at > 0)
+    return { raw, display: t.slice(0, at), accountId: t.slice(at + 1) };
+  return { raw, display: t, accountId: t };
+}
+async function fetchKey(dirUrl, accountId) {
+  try {
+    const res = await fetch(`${dirUrl}/keys/${encodeURIComponent(accountId)}`);
+    if (!res.ok)
+      return;
+    return await res.json();
+  } catch {
+    return;
+  }
+}
+async function resolveRecipient(dirUrl, spec) {
+  const entry = await fetchKey(dirUrl, spec.accountId);
+  if (!entry)
+    return;
+  const fingerprint = pubFingerprint(entry.x25519Pub);
+  const selfSigned = verifyPubkeySig(entry);
+  const pins = loadVerified();
+  const pinned = pins[spec.accountId];
+  const pinMismatch = pinned !== undefined && pinned.replace(/-/g, "") !== fingerprint.replace(/-/g, "");
+  if (selfSigned && pinned === undefined)
+    pinVerified(spec.accountId, fingerprint);
+  return { spec, entry, fingerprint, selfSigned, pinned: pinned !== undefined && !pinMismatch, pinMismatch };
+}
+function loadSelfIdentity(opts = {}) {
+  const stored = loadIdentity2();
+  if (!stored)
+    return;
+  const recoveryCode = opts.recoveryCode ?? process.env.SOL_RECOVERY_CODE;
+  if (!recoveryCode)
+    return;
+  const id = deriveIdentity(stored.accountId, recoveryCode, stored.keyEpoch);
+  if (id.x25519Pub !== stored.x25519Pub)
+    throw new Error("SOL_RECOVERY_CODE does not match this identity (derived a different key)");
+  return { accountId: stored.accountId, privateKey: id.x25519Priv };
+}
+function loadManageIdentity(opts = {}) {
+  const stored = loadIdentity2();
+  if (!stored)
+    return;
+  const recoveryCode = opts.recoveryCode ?? process.env.SOL_RECOVERY_CODE;
+  if (!recoveryCode)
+    return;
+  const id = deriveIdentity(stored.accountId, recoveryCode, stored.keyEpoch);
+  if (id.x25519Pub !== stored.x25519Pub)
+    throw new Error("SOL_RECOVERY_CODE does not match this identity (derived a different key)");
+  const signer = { priv: id.edPriv, pub: id.edPub, fingerprint: fingerprintOf(id.edPub) };
+  return {
+    accountId: stored.accountId,
+    x25519Pub: id.x25519Pub,
+    signer,
+    open: { accountId: stored.accountId, privateKey: id.x25519Priv }
+  };
+}
+function loadNameSlots(solDir) {
+  const p = nameSlotsPath(solDir);
+  if (!existsSync7(p))
+    return {};
+  try {
+    return JSON.parse(readFileSync8(p, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function slotForPath(solDir, realPath) {
+  return loadNameSlots(solDir)[realPath];
+}
+function recordNameSlot(solDir, realPath, slotId) {
+  const all = loadNameSlots(solDir);
+  all[realPath] = slotId;
+  writeFileSync7(nameSlotsPath(solDir), JSON.stringify(all, null, 2), { mode: 384 });
+  try {
+    chmodSync3(nameSlotsPath(solDir), 384);
+  } catch {}
+}
+function loadHiddenPaths(solDir) {
+  const p = hiddenPathsPath(solDir);
+  if (!existsSync7(p))
+    return {};
+  try {
+    return JSON.parse(readFileSync8(p, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function isHiddenPath(solDir, realPath) {
+  return loadHiddenPaths(solDir)[realPath] !== undefined;
+}
+function hiddenPathSet(solDir) {
+  return new Set(Object.keys(loadHiddenPaths(solDir)));
+}
+function recordHiddenPath(solDir, realPath, level) {
+  const all = loadHiddenPaths(solDir);
+  if (all[realPath] === "existence" && level === "name")
+    return;
+  all[realPath] = level;
+  writeFileSync7(hiddenPathsPath(solDir), JSON.stringify(all, null, 2), { mode: 384 });
+  try {
+    chmodSync3(hiddenPathsPath(solDir), 384);
+  } catch {}
+}
+function forgetHiddenPath(solDir, realPath) {
+  const all = loadHiddenPaths(solDir);
+  if (all[realPath] === undefined)
+    return;
+  delete all[realPath];
+  writeFileSync7(hiddenPathsPath(solDir), JSON.stringify(all, null, 2), { mode: 384 });
+  try {
+    chmodSync3(hiddenPathsPath(solDir), 384);
+  } catch {}
+}
+function loadAudiences(solDir) {
+  const p = audiencePath2(solDir);
+  if (!existsSync7(p))
+    return {};
+  try {
+    return JSON.parse(readFileSync8(p, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function recordAudience(solDir, a) {
+  const all = loadAudiences(solDir);
+  all[a.path] = a;
+  writeFileSync7(audiencePath2(solDir), JSON.stringify(all, null, 2), { mode: 384 });
+  try {
+    chmodSync3(audiencePath2(solDir), 384);
+  } catch {}
+}
+var audiencePath2 = (solDir) => join6(solDir, "seal-audience.json"), nameSlotsPath = (solDir) => join6(solDir, "name-slots.json"), hiddenPathsPath = (solDir) => join6(solDir, "hidden-paths.json");
+var init_seal_audience = __esm(() => {
+  init_crypto();
+  init_sign();
+  init_identity_store();
+});
+
+// src/bin/sol-secret-mcp.ts
+import { existsSync as existsSync8 } from "fs";
+import { join as join7 } from "path";
+
+// ../vault-sdk/src/sanitizer.ts
+import { createHash } from "node:crypto";
+
+// ../vault-sdk/src/patterns.ts
+var KNOWN_PREFIXES = [
+  {
+    pattern: /\bsk_live_[a-zA-Z0-9]{10,99}\b/g,
+    name: "STRIPE_SECRET",
+    type: "api_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bsk_test_[a-zA-Z0-9]{10,99}\b/g,
+    name: "STRIPE_TEST",
+    type: "api_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bpk_live_[a-zA-Z0-9]{10,99}\b/g,
+    name: "STRIPE_PUB",
+    type: "api_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\brk_live_[a-zA-Z0-9]{10,99}\b/g,
+    name: "STRIPE_RESTRICTED",
+    type: "api_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bwhsec_[a-zA-Z0-9]{10,99}\b/g,
+    name: "STRIPE_WEBHOOK",
+    type: "webhook",
+    confidence: "high"
+  },
+  {
+    pattern: /\bsk-ant-api03-[a-zA-Z0-9_-]{80,}\b/g,
+    name: "ANTHROPIC_KEY",
+    type: "api_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bsk-proj-[a-zA-Z0-9_-]{40,}\b/g,
+    name: "OPENAI_KEY",
+    type: "api_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bsk-[a-zA-Z0-9]{40,50}\b/g,
+    name: "OPENAI_LEGACY",
+    type: "api_key",
+    confidence: "medium"
+  },
+  {
+    pattern: /\bAKIA[A-Z2-7]{16}\b/g,
+    name: "AWS_ACCESS_KEY",
+    type: "access_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bASIA[A-Z2-7]{16}\b/g,
+    name: "AWS_TEMP_KEY",
+    type: "access_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bAIza[a-zA-Z0-9_-]{35}\b/g,
+    name: "GOOGLE_API_KEY",
+    type: "api_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bghp_[a-zA-Z0-9]{36,}\b/g,
+    name: "GITHUB_PAT",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bgho_[a-zA-Z0-9]{36,}\b/g,
+    name: "GITHUB_OAUTH",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bghu_[a-zA-Z0-9]{36,}\b/g,
+    name: "GITHUB_USER",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bghs_[a-zA-Z0-9]{36,}\b/g,
+    name: "GITHUB_APP",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bghr_[a-zA-Z0-9]{36,}\b/g,
+    name: "GITHUB_REFRESH",
+    type: "refresh_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bgithub_pat_[a-zA-Z0-9_]{80,}\b/g,
+    name: "GITHUB_FINE_PAT",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bglpat-[a-zA-Z0-9_-]{20,}\b/g,
+    name: "GITLAB_PAT",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}\b/g,
+    name: "SLACK_BOT",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bxoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}\b/g,
+    name: "SLACK_USER",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bxapp-[0-9]{1}-[A-Za-z0-9]{30,}\b/g,
+    name: "SLACK_APP",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bSG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}\b/g,
+    name: "SENDGRID_KEY",
+    type: "api_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\bre_[a-zA-Z0-9]{30,}\b/g,
+    name: "RESEND_KEY",
+    type: "api_key",
+    confidence: "medium"
+  },
+  {
+    pattern: /\bnpm_[a-zA-Z0-9]{36,}\b/g,
+    name: "NPM_TOKEN",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bpypi-[a-zA-Z0-9_-]{50,}\b/g,
+    name: "PYPI_TOKEN",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bsntrys_[a-zA-Z0-9+/]{50,}\b/g,
+    name: "SENTRY_TOKEN",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bhvs\.[a-zA-Z0-9_-]{24,}\b/g,
+    name: "HASHICORP_TOKEN",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bvercel_[a-zA-Z0-9]{24,}\b/g,
+    name: "VERCEL_TOKEN",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /\bshpat_[a-fA-F0-9]{32}\b/g,
+    name: "SHOPIFY_PAT",
+    type: "access_token",
+    confidence: "high"
+  }
+];
+var STRUCTURAL_PATTERNS = [
+  {
+    pattern: /\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9/\\_-]{17,}\.[a-zA-Z0-9/\\_-]{10,}=*)\b/g,
+    name: "JWT",
+    type: "access_token",
+    confidence: "high"
+  },
+  {
+    pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----[\s\S]{20,}?-----END/g,
+    name: "PRIVATE_KEY",
+    type: "private_key",
+    confidence: "high"
+  },
+  {
+    pattern: /\b((?:postgres|mysql|mongodb|redis|amqp|mssql)(?:ql)?:\/\/[^\s'"]{10,})\b/g,
+    name: "CONNECTION_STRING",
+    type: "connection_string",
+    confidence: "high"
+  }
+];
+var ENV_NAME_MAP = {
+  STRIPE_SECRET: "STRIPE_SECRET_KEY",
+  STRIPE_TEST: "STRIPE_TEST_KEY",
+  STRIPE_PUB: "STRIPE_PUBLISHABLE_KEY",
+  ANTHROPIC_KEY: "ANTHROPIC_API_KEY",
+  OPENAI_KEY: "OPENAI_API_KEY",
+  OPENAI_LEGACY: "OPENAI_API_KEY",
+  AWS_ACCESS_KEY: "AWS_ACCESS_KEY_ID",
+  GOOGLE_API_KEY: "GOOGLE_API_KEY",
+  GITHUB_PAT: "GITHUB_TOKEN",
+  GITHUB_FINE_PAT: "GITHUB_TOKEN",
+  GITLAB_PAT: "GITLAB_TOKEN",
+  SLACK_BOT: "SLACK_BOT_TOKEN",
+  SENDGRID_KEY: "SENDGRID_API_KEY",
+  RESEND_KEY: "RESEND_API_KEY",
+  NPM_TOKEN: "NPM_TOKEN",
+  SENTRY_TOKEN: "SENTRY_AUTH_TOKEN",
+  VERCEL_TOKEN: "VERCEL_TOKEN",
+  JWT: "AUTH_TOKEN",
+  CONNECTION_STRING: "DATABASE_URL",
+  PRIVATE_KEY: "PRIVATE_KEY"
+};
+function suggestEnvName(baseName) {
+  return ENV_NAME_MAP[baseName] ?? baseName;
+}
+
+// ../vault-sdk/src/entropy.ts
+var BASE64_CHARS = new Set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=");
+var HEX_CHARS = new Set("0123456789abcdefABCDEF");
+var THRESHOLDS = {
+  hex: 3,
+  base64: 4.5,
+  mixed: 4
+};
+function detectCharset(str) {
+  let b64 = 0;
+  let hex = 0;
+  for (const ch of str) {
+    if (BASE64_CHARS.has(ch))
+      b64++;
+    if (HEX_CHARS.has(ch))
+      hex++;
+  }
+  const len = str.length;
+  if (hex / len > 0.95)
+    return "hex";
+  if (b64 / len > 0.95)
+    return "base64";
+  return "mixed";
+}
+function shannonEntropy(str) {
+  const freq = {};
+  for (const ch of str)
+    freq[ch] = (freq[ch] ?? 0) + 1;
+  let entropy = 0;
+  const len = str.length;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function isHighEntropy(str) {
+  if (str.length < 30)
+    return false;
+  if (/^[a-z]+$/.test(str))
+    return false;
+  if (/^[A-Z_]+$/.test(str))
+    return false;
+  if (str.includes("/") && str.split("/").length > 2)
+    return false;
+  if (/^https?:/.test(str))
+    return false;
+  if (/\$\{\{|\{\{/.test(str))
+    return false;
+  if (/^(.)\1+$/.test(str))
+    return false;
+  if (/^(your|changeme|placeholder|example|xxxxxxx|test)/i.test(str))
+    return false;
+  if (/^\d+$/.test(str))
+    return false;
+  const charset = detectCharset(str);
+  const entropy = shannonEntropy(str);
+  const threshold = THRESHOLDS[charset];
+  if (entropy < threshold)
+    return false;
+  const hasUpper = /[A-Z]/.test(str);
+  const hasLower = /[a-z]/.test(str);
+  const hasDigit = /[0-9]/.test(str);
+  return [hasUpper, hasLower, hasDigit].filter(Boolean).length >= 2;
+}
+var SECRET_KEYWORDS = /\b(password|passwd|pwd|secret|token|key|apikey|api_key|credential|auth|private|access_key|secret_key|bearer|authorization)\b/gi;
+function hasKeywordNearby(text, start, end) {
+  const window = text.substring(Math.max(0, start - 80), Math.min(text.length, end + 80));
+  SECRET_KEYWORDS.lastIndex = 0;
+  return SECRET_KEYWORDS.test(window);
+}
+
+// ../vault-sdk/src/sanitizer.ts
+function shortHash(value) {
+  return createHash("sha256").update(value).digest("hex").substring(0, 8);
+}
+
+class VaultSanitizer {
+  opts;
+  constructor(options = {}) {
+    this.opts = {
+      minEntropyLength: options.minEntropyLength ?? 30,
+      customPatterns: options.customPatterns ?? [],
+      onSecret: options.onSecret ?? (() => {})
+    };
+  }
+  sanitize(input) {
+    let text = input;
+    const secrets = [];
+    const allPrefixes = [
+      ...KNOWN_PREFIXES,
+      ...this.opts.customPatterns.map((p) => ({
+        ...p,
+        confidence: "high"
+      }))
+    ];
+    for (const rule of allPrefixes) {
+      const re = new RegExp(rule.pattern.source, rule.pattern.flags);
+      let m;
+      while ((m = re.exec(text)) !== null) {
+        const val = m[0];
+        if (val.length < 10)
+          continue;
+        const r = this.replace(text, val, rule.name, rule.type, rule.confidence, true);
+        text = r.text;
+        secrets.push(r.secret);
+        re.lastIndex = 0;
+      }
+    }
+    for (const rule of STRUCTURAL_PATTERNS) {
+      const re = new RegExp(rule.pattern.source, rule.pattern.flags);
+      let m;
+      while ((m = re.exec(text)) !== null) {
+        const val = rule.group !== undefined ? m[rule.group] : m[0];
+        if (!val || val.length < 10 || val.includes("[vault:"))
+          continue;
+        const r = this.replace(text, val, rule.name, rule.type, rule.confidence, true);
+        text = r.text;
+        secrets.push(r.secret);
+        re.lastIndex = 0;
+      }
+    }
+    const entropyRe = /(?<![a-zA-Z0-9_/+=\-])([a-zA-Z0-9_/+=\-]{30,})(?![a-zA-Z0-9_/+=\-])/g;
+    let em;
+    while ((em = entropyRe.exec(text)) !== null) {
+      const c = em[1];
+      if (c.includes("[vault:") || c.includes("[REDACTED:"))
+        continue;
+      if (!isHighEntropy(c))
+        continue;
+      const nearKw = hasKeywordNearby(text, em.index, em.index + c.length);
+      const conf = nearKw ? "high" : "medium";
+      const tp = nearKw ? "credential" : "unknown";
+      const r = this.replace(text, c, "SECRET", tp, conf, false);
+      text = r.text;
+      secrets.push(r.secret);
+      entropyRe.lastIndex = 0;
+    }
+    for (const s of secrets)
+      this.opts.onSecret(s);
+    return { sanitized: text, secrets, hasSecrets: secrets.length > 0 };
+  }
+  generateGuidance(secrets) {
+    if (secrets.length === 0)
+      return "";
+    const auto = secrets.filter((s) => s.autoClassified);
+    const unknown = secrets.filter((s) => !s.autoClassified);
+    let g = `
+
+<vault-context>
+`;
+    g += `Secrets were detected and replaced with [vault:REF] references.
+
+`;
+    if (auto.length > 0) {
+      g += `Auto-classified:
+`;
+      for (const s of auto)
+        g += `  - [vault:${s.ref}] (${s.type}) → env var: ${s.suggestedEnvName}
+`;
+    }
+    if (unknown.length > 0) {
+      g += `Needs naming — ask the user what env var to use:
+`;
+      for (const s of unknown)
+        g += `  - [vault:${s.ref}] (${s.type})
+`;
+    }
+    g += `
+Use: vault run -- <command>
+`;
+    g += "</vault-context>";
+    return g;
+  }
+  replace(text, value, name, type, confidence, autoClassified) {
+    const hash = shortHash(value);
+    const ref = `${name}_${hash}`;
+    return {
+      text: text.replace(value, `[vault:${ref}]`),
+      secret: {
+        ref,
+        value,
+        type,
+        confidence,
+        suggestedEnvName: suggestEnvName(name),
+        autoClassified
+      }
+    };
+  }
+}
+
+// src/bin/secret.ts
+import { readFileSync as readFileSync5, readSync, writeSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+
+// src/secret/toml.ts
+function parseToml(src) {
+  const tables = [];
+  let current = { path: [], keys: {} };
+  tables.push(current);
+  const lines = src.split(`
+`);
+  for (let i = 0;i < lines.length; i++) {
+    const raw = lines[i];
+    const line = stripComment(raw).trim();
+    if (!line)
+      continue;
+    if (line.startsWith("[")) {
+      const close = line.indexOf("]");
+      if (close < 0)
+        throw new Error(`toml: unterminated table header on line ${i + 1}: ${raw.trim()}`);
+      const path = parseHeaderPath(line.slice(1, close));
+      current = { path, keys: {} };
+      tables.push(current);
+      continue;
+    }
+    const eq = line.indexOf("=");
+    if (eq < 0)
+      throw new Error(`toml: expected key = value on line ${i + 1}: ${raw.trim()}`);
+    const key = line.slice(0, eq).trim();
+    const valStr = line.slice(eq + 1).trim();
+    current.keys[key] = parseValue(valStr, i + 1);
+  }
+  return { tables };
+}
+function stripComment(line) {
+  let inStr = false;
+  for (let i = 0;i < line.length; i++) {
+    const c = line[i];
+    if (c === '"')
+      inStr = !inStr;
+    else if (!inStr && (c === "#" || c === ";"))
+      return line.slice(0, i);
+  }
+  return line;
+}
+function parseHeaderPath(s) {
+  const out = [];
+  let i = 0;
+  const t = s.trim();
+  while (i < t.length) {
+    if (t[i] === '"') {
+      const end = t.indexOf('"', i + 1);
+      if (end < 0)
+        throw new Error(`toml: unterminated quoted table segment in [${s}]`);
+      out.push(t.slice(i + 1, end));
+      i = end + 1;
+    } else {
+      let j = i;
+      while (j < t.length && t[j] !== ".")
+        j++;
+      const seg = t.slice(i, j).trim();
+      if (seg)
+        out.push(seg);
+      i = j;
+    }
+    while (i < t.length && (t[i] === "." || t[i] === " "))
+      i++;
+  }
+  return out;
+}
+function parseValue(s, lineNo) {
+  if (s.startsWith("[")) {
+    const close = s.lastIndexOf("]");
+    if (close < 0)
+      throw new Error(`toml: unterminated array on line ${lineNo}`);
+    const inner = s.slice(1, close).trim();
+    if (!inner)
+      return [];
+    return splitArray(inner).map((e) => parseScalarString(e.trim(), lineNo));
+  }
+  if (s.startsWith('"'))
+    return parseScalarString(s, lineNo);
+  if (s === "true")
+    return true;
+  if (s === "false")
+    return false;
+  if (/^-?\d+$/.test(s))
+    return parseInt(s, 10);
+  if (/^-?\d+\.\d+$/.test(s))
+    return parseFloat(s);
+  if (/^[A-Za-z0-9_./:+-]+$/.test(s))
+    return s;
+  throw new Error(`toml: unparseable value on line ${lineNo}: ${s}`);
+}
+function splitArray(s) {
+  const out = [];
+  let depth = 0;
+  let inStr = false;
+  let start = 0;
+  for (let i = 0;i < s.length; i++) {
+    const c = s[i];
+    if (c === '"')
+      inStr = !inStr;
+    else if (!inStr && c === "," && depth === 0) {
+      out.push(s.slice(start, i));
+      start = i + 1;
+    }
+  }
+  const last = s.slice(start).trim();
+  if (last)
+    out.push(last);
+  return out;
+}
+function parseScalarString(s, lineNo) {
+  if (s.startsWith('"') && s.endsWith('"') && s.length >= 2) {
+    return s.slice(1, -1).replace(/\\"/g, '"').replace(/\\\\/g, "\\");
+  }
+  throw new Error(`toml: expected a quoted string on line ${lineNo}: ${s}`);
+}
+function serializeToml(doc) {
+  const out = [];
+  for (const table of doc.tables) {
+    if (table.path.length)
+      out.push(`[${table.path.map(headerSegment).join(".")}]`);
+    for (const [k, v] of Object.entries(table.keys))
+      out.push(`${k} = ${serializeValue(v)}`);
+    out.push("");
+  }
+  return out.join(`
+`).replace(/\n+$/, `
+`);
+}
+function headerSegment(seg) {
+  return /^[A-Za-z0-9_-]+$/.test(seg) ? seg : `"${seg}"`;
+}
+function serializeValue(v) {
+  if (Array.isArray(v))
+    return `[${v.map((e) => `"${escapeStr(e)}"`).join(", ")}]`;
+  if (typeof v === "string")
+    return `"${escapeStr(v)}"`;
+  return String(v);
+}
+function escapeStr(s) {
+  return s.replace(/\\/g, "\\\\").replace(/"/g, "\\\"");
+}
+function tableAt(doc, path) {
+  return doc.tables.find((t) => t.path.length === path.length && t.path.every((s, i) => s === path[i]));
+}
+function tablesUnder(doc, prefix) {
+  return doc.tables.filter((t) => t.path.length === prefix.length + 1 && prefix.every((s, i) => s === t.path[i]));
+}
+function topTable(doc) {
+  return doc.tables.find((t) => t.path.length === 0) ?? { path: [], keys: {} };
+}
+// src/secret/manifest.ts
+var SECRET_SLOT_FIELDS = ["type", "seal", "aud", "hide_name"];
+function parseEnvFile(env, src) {
+  const doc = parseToml(src);
+  const top = topTable(doc);
+  const out = { env, config: {}, secrets: [] };
+  if (typeof top.keys["@extends"] === "string")
+    out.extends = top.keys["@extends"];
+  if (Array.isArray(top.keys["@audience"]))
+    out.audience = top.keys["@audience"];
+  const config = tableAt(doc, ["config"]);
+  if (config) {
+    for (const [k, v] of Object.entries(config.keys)) {
+      out.config[k] = Array.isArray(v) ? v.join(",") : String(v);
+    }
+  }
+  for (const t of tablesUnder(doc, ["secret"])) {
+    out.secrets.push(parseSecretSlot(env, t));
+  }
+  return out;
+}
+function parseSecretSlot(env, t) {
+  const name = t.path[1];
+  for (const k of Object.keys(t.keys)) {
+    if (!SECRET_SLOT_FIELDS.includes(k)) {
+      if (k === "value") {
+        throw new Error(`fail-closed: [secret.${name}] in ${env} carries a plaintext \`value\` — secrets are SEALED, never written in cleartext. use \`sol secret set ${name} --env ${env}\` (value via TTY/--stdin), or put plaintext under [config].`);
+      }
+      throw new Error(`[secret.${name}] in ${env}: unknown field \`${k}\` — a secret slot may only set ${SECRET_SLOT_FIELDS.join("/")}.`);
+    }
+  }
+  const slot = { name };
+  if (typeof t.keys.type === "string")
+    slot.type = t.keys.type;
+  if (typeof t.keys.seal === "string")
+    slot.seal = t.keys.seal;
+  if (Array.isArray(t.keys.aud))
+    slot.aud = t.keys.aud;
+  if (t.keys.hide_name === true)
+    slot.hideName = true;
+  return slot;
+}
+function serializeEnvFile(f) {
+  const doc = { tables: [] };
+  const top = { path: [], keys: {} };
+  if (f.extends)
+    top.keys["@extends"] = f.extends;
+  if (f.audience)
+    top.keys["@audience"] = f.audience;
+  doc.tables.push(top);
+  if (Object.keys(f.config).length) {
+    doc.tables.push({ path: ["config"], keys: { ...f.config } });
+  }
+  for (const s of f.secrets) {
+    const keys = {};
+    if (s.type)
+      keys.type = s.type;
+    if (s.seal)
+      keys.seal = s.seal;
+    if (s.aud)
+      keys.aud = s.aud;
+    if (s.hideName)
+      keys.hide_name = true;
+    doc.tables.push({ path: ["secret", s.name], keys });
+  }
+  return serializeToml(doc);
+}
+function resolveEnv(file, base) {
+  const config = { ...base?.config ?? {}, ...file.config };
+  const byName = new Map;
+  for (const s of base?.secrets ?? [])
+    byName.set(s.name, s);
+  for (const s of file.secrets) {
+    const prior = byName.get(s.name);
+    byName.set(s.name, prior ? { ...prior, ...s } : s);
+  }
+  return { env: file.env, audience: file.audience ?? base?.audience, config, secrets: [...byName.values()] };
+}
+function parseManifest(src) {
+  const doc = parseToml(src);
+  const envs = tableAt(doc, ["envs"]);
+  const order = Array.isArray(envs?.keys.order) ? envs.keys.order : [];
+  const extendsOf = {};
+  for (const t of tablesUnder(doc, ["env"])) {
+    const name = t.path[1];
+    if (typeof t.keys.extends === "string")
+      extendsOf[name] = t.keys.extends;
+    else
+      extendsOf[name] = "base";
+  }
+  const runtime = {};
+  const rt = tableAt(doc, ["runtime"]);
+  if (rt) {
+    for (const [k, v] of Object.entries(rt.keys))
+      if (typeof v === "string")
+        runtime[k] = v;
+  }
+  return { order, extendsOf, runtime };
+}
+function serializeManifest(m) {
+  const doc = { tables: [] };
+  doc.tables.push({ path: ["envs"], keys: { order: m.order } });
+  for (const env of m.order)
+    doc.tables.push({ path: ["env", env], keys: { extends: m.extendsOf[env] ?? "base" } });
+  if (Object.keys(m.runtime).length)
+    doc.tables.push({ path: ["runtime"], keys: { ...m.runtime } });
+  return serializeToml(doc);
+}
+function buildSchema(order, resolved) {
+  const vars = {};
+  const audiences = {};
+  for (const r of resolved) {
+    if (r.audience)
+      audiences[r.env] = r.audience;
+    for (const [name, value] of Object.entries(r.config)) {
+      const v = vars[name] ??= { kind: "config", envs: {} };
+      v.envs[r.env] = value;
+    }
+    for (const s of r.secrets) {
+      const v = vars[s.name] ??= { kind: "secret", envs: {}, audience: {} };
+      if (s.type && !v.type)
+        v.type = s.type;
+      if (s.hideName)
+        v.hidden = true;
+      v.envs[r.env] = s.seal ? "sealed" : "unset";
+      if (s.aud)
+        (v.audience ??= {})[r.env] = s.aud;
+    }
+  }
+  return { vars, audiences, order };
+}
+function serializeSchema(schema) {
+  return JSON.stringify(sortDeep(schema), null, 2) + `
+`;
+}
+function sortDeep(v) {
+  if (Array.isArray(v))
+    return v.map(sortDeep);
+  if (v && typeof v === "object") {
+    const out = {};
+    for (const k of Object.keys(v).sort())
+      out[k] = sortDeep(v[k]);
+    return out;
+  }
+  return v;
+}
+// src/secret/audience.ts
+function parseAudienceDoc(src) {
+  const doc = parseToml(src);
+  const handles = {};
+  for (const kind of ["role", "team", "machine"]) {
+    for (const t of tablesUnder(doc, [kind])) {
+      const handle = `${kind}:${t.path[1]}`;
+      handles[handle] = recipientsFromTable(handle, t);
+    }
+  }
+  const clone = {};
+  const cl = tableAt(doc, ["clone"]);
+  if (cl) {
+    for (const [env, v] of Object.entries(cl.keys))
+      if (Array.isArray(v))
+        clone[env] = v;
+  }
+  return { handles, clone };
+}
+function recipientsFromTable(handle, t) {
+  const accounts = Array.isArray(t.keys.accounts) ? t.keys.accounts : [];
+  const pubkeys = Array.isArray(t.keys.pubkeys) ? t.keys.pubkeys : [];
+  const edpubs = Array.isArray(t.keys.edpubs) ? t.keys.edpubs : [];
+  const out = [];
+  for (let i = 0;i < accounts.length; i++) {
+    out.push({ handle, accountId: accounts[i], x25519Pub: pubkeys[i] ?? "", edPub: edpubs[i] || undefined });
+  }
+  return out;
+}
+function serializeAudienceDoc(a) {
+  const doc = { tables: [] };
+  for (const [handle, recips] of Object.entries(a.handles)) {
+    const [kind, name] = splitHandle(handle);
+    doc.tables.push({
+      path: [kind, name],
+      keys: { accounts: recips.map((r) => r.accountId), pubkeys: recips.map((r) => r.x25519Pub), edpubs: recips.map((r) => r.edPub ?? "") }
+    });
+  }
+  if (Object.keys(a.clone).length)
+    doc.tables.push({ path: ["clone"], keys: { ...a.clone } });
+  return serializeToml(doc);
+}
+function splitHandle(handle) {
+  const i = handle.indexOf(":");
+  if (i < 0)
+    return ["role", handle];
+  return [handle.slice(0, i), handle.slice(i + 1)];
+}
+function resolveHandles(gate, handles) {
+  const recipientPubKeys = {};
+  const recipients = [];
+  const accountIds = new Set;
+  const unresolved = [];
+  for (const h of handles) {
+    const recips = gate.handles[h];
+    if (!recips || !recips.length) {
+      unresolved.push(h);
+      continue;
+    }
+    for (const r of recips) {
+      if (!r.x25519Pub) {
+        unresolved.push(`${h} (${r.accountId}: no pinned pubkey)`);
+        continue;
+      }
+      recipientPubKeys[r.accountId] = r.x25519Pub;
+      recipients.push(r);
+      accountIds.add(r.accountId);
+    }
+  }
+  return { recipientPubKeys, recipients, accountIds: [...accountIds], unresolved };
+}
+function audienceHasAccount(gate, handles, accountId) {
+  for (const h of handles)
+    for (const r of gate.handles[h] ?? [])
+      if (r.accountId === accountId)
+        return true;
+  return false;
+}
+// src/secret/store.ts
+init_crypto();
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { createHash as createHash3 } from "node:crypto";
+import { join } from "node:path";
+var envDir = (solDir) => join(solDir, "env");
+var sealDir = (solDir) => join(envDir(solDir), "seal");
+var manifestPath = (solDir) => join(envDir(solDir), "manifest.toml");
+var audiencePath = (solDir) => join(envDir(solDir), "audience.toml");
+var schemaLockPath = (solDir) => join(envDir(solDir), "schema.lock");
+var envFilePath = (solDir, env) => join(envDir(solDir), `${env}.env.toml`);
+var stanzaPath = (solDir, digest) => join(sealDir(solDir), `${digestFile(digest)}.stanzas`);
+function digestFile(digest) {
+  const i = digest.indexOf(":");
+  return i < 0 ? digest : digest.slice(i + 1);
+}
+function sealDigest(boxJson) {
+  return "sha256:" + createHash3("sha256").update(boxJson).digest("hex").slice(0, 32);
+}
+
+class TamperedSealError extends Error {
+  expected;
+  actual;
+  constructor(expected, actual) {
+    super(`tampered sealed leaf: the bytes at ${expected}.stanzas hash to ${actual} — the stanza was overwritten in place (content-address mismatch). a forged box sealed to the public key cannot pass; reseal with \`sol secret set\` or revert the tampering.`);
+    this.expected = expected;
+    this.actual = actual;
+    this.name = "TamperedSealError";
+  }
+}
+function stanzaMatchesAddress(raw, expected) {
+  return sealDigest(raw) === expected;
+}
+function writeSealedValue(solDir, value, recipientPubKeys, epoch = 1) {
+  const box = sealToAccounts(value, recipientPubKeys, { epoch });
+  const boxJson = JSON.stringify(box);
+  const digest = sealDigest(boxJson);
+  mkdirSync(sealDir(solDir), { recursive: true });
+  writeFileSync(stanzaPath(solDir, digest), boxJson, { mode: 384 });
+  return digest;
+}
+function readSealedBox(solDir, digest) {
+  const r = readSealedBoxChecked(solDir, digest);
+  if (r.kind === "absent")
+    return;
+  if (r.kind === "tampered")
+    throw new TamperedSealError(digest, r.actual);
+  return r.box;
+}
+function readSealedBoxChecked(solDir, digest) {
+  const p = stanzaPath(solDir, digest);
+  if (!existsSync(p))
+    return { kind: "absent" };
+  const raw = readFileSync(p, "utf8");
+  if (!stanzaMatchesAddress(raw, digest))
+    return { kind: "tampered", actual: sealDigest(raw) };
+  return { kind: "box", box: JSON.parse(raw) };
+}
+function recipientsOf(box) {
+  return Object.keys(box.asym ?? {});
+}
+function openSealedValue(solDir, digest, actor, self) {
+  const r = readSealedBoxChecked(solDir, digest);
+  if (r.kind === "absent")
+    return;
+  if (r.kind === "tampered")
+    return UNREADABLE;
+  return openContent(new KeyRing, r.box, actor, self);
+}
+function openOutcome(solDir, digest, actor, self) {
+  const r = readSealedBoxChecked(solDir, digest);
+  if (r.kind === "absent")
+    return { kind: "absent" };
+  if (r.kind === "tampered")
+    return { kind: "tampered", actual: r.actual };
+  const box = r.box;
+  const mineAsym = !!(self && box.asym?.[self.accountId]);
+  if (!mineAsym)
+    return { kind: "not-recipient" };
+  const opened = openContent(new KeyRing, box, actor, self);
+  if (opened === UNREADABLE)
+    return { kind: "decrypt-failed" };
+  return { kind: "value", value: opened };
+}
+function canWriteSealed(solDir, digest, actor, self) {
+  const out = openOutcome(solDir, digest, actor, self);
+  return out.kind === "value" || out.kind === "absent";
+}
+function formatSolRef(env, name) {
+  return `sol://${env}/${name}`;
+}
+function projectField(value, field) {
+  if (!field)
+    return value;
+  let doc;
+  try {
+    doc = JSON.parse(value);
+  } catch {
+    throw new Error(`#${field}: the sealed value is not a JSON document — no sub-field to project`);
+  }
+  if (!doc || typeof doc !== "object" || !(field in doc)) {
+    throw new Error(`#${field}: no such field in the sealed value`);
+  }
+  return String(doc[field]);
+}
+// src/secret/identity.ts
+init_sign();
+function handleHasPubkey(gate, handle, x25519Pub) {
+  if (!x25519Pub)
+    return false;
+  return (gate.handles[handle] ?? []).some((r) => r.x25519Pub === x25519Pub);
+}
+var ADMIN_HANDLES = ["role:owner", "role:admin"];
+function isGuardianPubkey(gate, x25519Pub) {
+  if (!x25519Pub)
+    return false;
+  for (const h of ADMIN_HANDLES)
+    if (handleHasPubkey(gate, h, x25519Pub))
+      return true;
+  return false;
+}
+// src/secret/journal.ts
+import { appendFileSync, existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
+import { createHash as createHash5, sign as edSign3, verify as edVerify3, createPublicKey as createPublicKey3 } from "node:crypto";
+import { join as join2 } from "node:path";
+init_sign();
+var journalPath = (solDir) => join2(envDir(solDir), "journal.jsonl");
+function canonicalJournal(e) {
+  return JSON.stringify({
+    op: e.op,
+    ...e.env !== undefined ? { env: e.env } : {},
+    ...e.name !== undefined ? { name: e.name } : {},
+    ...e.handle !== undefined ? { handle: e.handle } : {},
+    ...e.members !== undefined ? { members: e.members } : {},
+    author: e.author,
+    authorKey: e.authorKey,
+    recipientAtOp: e.recipientAtOp,
+    ...e.prevSeal !== undefined ? { prevSeal: e.prevSeal } : {},
+    ...e.newSeal !== undefined ? { newSeal: e.newSeal } : {},
+    ...e.prevAud !== undefined ? { prevAud: e.prevAud } : {},
+    ...e.newAud !== undefined ? { newAud: e.newAud } : {}
+  });
+}
+function hashEntry(prevHash, e) {
+  return "jh:" + createHash5("sha256").update(canonicalJournal(e) + "\x00" + (prevHash ?? "")).digest("hex").slice(0, 32);
+}
+function chainTip(solDir) {
+  const entries = readJournal(solDir);
+  return entries.length ? entries[entries.length - 1].entryHash : undefined;
+}
+function appendJournal(solDir, body, signer) {
+  const prevHash = chainTip(solDir);
+  const entry = { ...body, authorKey: signer.pub, prevHash };
+  entry.entryHash = hashEntry(prevHash, entry);
+  entry.sig = edSign3(null, Buffer.from(entry.entryHash), signer.priv).toString("base64");
+  appendFileSync(journalPath(solDir), JSON.stringify(entry) + `
+`, { mode: 420 });
+  return entry;
+}
+function readJournal(solDir) {
+  const p = journalPath(solDir);
+  if (!existsSync2(p))
+    return [];
+  return readFileSync2(p, "utf8").split(`
+`).filter((l) => l.trim()).map((l) => JSON.parse(l));
+}
+function verifyJournal(solDir) {
+  return verifyJournalEntries(readJournal(solDir));
+}
+function verifyJournalEntries(entries) {
+  const issues = [];
+  let prev;
+  for (let i = 0;i < entries.length; i++) {
+    const e = entries[i];
+    if (e.prevHash !== prev) {
+      issues.push(`entry ${i} (${e.op} ${e.env ?? ""}/${e.name ?? e.handle ?? ""}): prevHash mismatch — the log was edited/reordered`);
+    }
+    const expect = hashEntry(prev, e);
+    if (e.entryHash !== expect) {
+      issues.push(`entry ${i} (${e.op}): entryHash mismatch — the entry body was tampered`);
+    }
+    if (!e.authorKey || !e.sig) {
+      issues.push(`entry ${i} (${e.op}): unsigned management entry — a fabricated row carries no author signature`);
+    } else {
+      try {
+        const pub = createPublicKey3({ key: Buffer.from(e.authorKey, "base64"), format: "der", type: "spki" });
+        if (!edVerify3(null, Buffer.from(e.entryHash ?? ""), pub, Buffer.from(e.sig, "base64"))) {
+          issues.push(`entry ${i} (${e.op}): bad signature — not signed by the embedded author key`);
+        }
+      } catch {
+        issues.push(`entry ${i} (${e.op}): malformed author key / signature`);
+      }
+    }
+    prev = e.entryHash;
+  }
+  return { ok: issues.length === 0, issues, entries };
+}
+function authorFingerprint(e) {
+  return e.authorKey ? fingerprintOf(e.authorKey) : undefined;
+}
+// src/secret/anchor.ts
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "node:fs";
+import { join as join3 } from "node:path";
+init_sign();
+var creatorPinPath = (solDir) => join3(envDir(solDir), "creator.pin");
+var headPinPath = (solDir) => join3(envDir(solDir), "head.pin");
+function repoSolDir(solDir) {
+  return solDir;
+}
+function opLogAnchor(solDir) {
+  const p = join3(repoSolDir(solDir), "HEAD");
+  if (!existsSync3(p))
+    return {};
+  try {
+    const h = JSON.parse(readFileSync3(p, "utf8"));
+    return { logTip: h.logTip, head: h.head, seq: h.seq };
+  } catch {
+    return {};
+  }
+}
+function opLogGenesis(solDir) {
+  const p = join3(repoSolDir(solDir), "ops.jsonl");
+  if (!existsSync3(p))
+    return;
+  try {
+    const first = readFileSync3(p, "utf8").split(`
+`).find((l) => l.trim());
+    if (!first)
+      return;
+    const op = JSON.parse(first);
+    return op.entryHash;
+  } catch {
+    return;
+  }
+}
+function readCreatorPin(solDir) {
+  const p = creatorPinPath(solDir);
+  if (!existsSync3(p))
+    return;
+  try {
+    return JSON.parse(readFileSync3(p, "utf8"));
+  } catch {
+    return;
+  }
+}
+function writeCreatorPin(solDir, pin) {
+  const full = { v: 1, ...pin, at: Date.now() };
+  writeFileSync3(creatorPinPath(solDir), JSON.stringify(full, null, 2), { mode: 420 });
+  return full;
+}
+function creatorFingerprint(solDir) {
+  const pin = readCreatorPin(solDir);
+  return pin?.authKey ? fingerprintOf(pin.authKey) : undefined;
+}
+function readHeadPin(solDir) {
+  const p = headPinPath(solDir);
+  if (!existsSync3(p))
+    return;
+  try {
+    return JSON.parse(readFileSync3(p, "utf8"));
+  } catch {
+    return;
+  }
+}
+function updateHeadPin(solDir) {
+  const entries = readJournal(solDir);
+  const journalHead = entries.length ? entries[entries.length - 1].entryHash : undefined;
+  const { logTip } = opLogAnchor(solDir);
+  const pin = { v: 1, journalHead, journalLen: entries.length, opLogTip: logTip, at: Date.now() };
+  writeFileSync3(headPinPath(solDir), JSON.stringify(pin, null, 2), { mode: 420 });
+  return pin;
+}
+function validateMonotonicHead(solDir) {
+  const out = [];
+  const entries = readJournal(solDir);
+  if (!entries.length)
+    return out;
+  const pin = readHeadPin(solDir);
+  if (!pin) {
+    out.push({ severity: "error", check: "journal-monotonic", message: "no head pin (.sol/env/head.pin) for a journal that carries management entries — the monotonic anchor was deleted; rollback/truncation can no longer be ruled out. re-pin via a signed management op or restore the pin." });
+    return out;
+  }
+  if (entries.length < pin.journalLen) {
+    out.push({ severity: "error", check: "journal-monotonic", message: `journal TRUNCATED: ${entries.length} entries on disk but the head pin recorded ${pin.journalLen} — the tail (a later set/rotation) was dropped, resurrecting a stale value. restore the full journal or re-pin from an authoritative copy.` });
+    return out;
+  }
+  if (pin.journalHead && !entries.some((e) => e.entryHash === pin.journalHead)) {
+    out.push({ severity: "error", check: "journal-monotonic", message: `journal ROLLED BACK: the pinned head ${pin.journalHead} is absent from the live chain — \`.sol/env\` was rewound to an earlier snapshot (a rotated/revoked value may be resurrected). restore from the op-log-anchored head or re-validate against the remote.` });
+  }
+  const live = opLogAnchor(solDir);
+  if (pin.opLogTip && live.logTip && pin.opLogTip !== live.logTip) {
+    out.push({
+      severity: "warn",
+      check: "journal-monotonic",
+      message: `the env-journal head pin is anchored to op-log tip ${pin.opLogTip} but the live op-log is at ${live.logTip}. if no unrelated commit advanced the op-log, \`.sol/env\` may have been rolled back to an earlier snapshot (the pin reverted with it). a hard verdict needs an EXTERNAL anchor (the remote tracking the env-journal head) — pure offline total rollback is not locally detectable.`
+    });
+  }
+  return out;
+}
+function validateSealJournalBinding(solDir, liveSeals) {
+  const out = [];
+  const journal = readJournal(solDir);
+  if (!journal.length)
+    return out;
+  const journalSeal = new Map;
+  const sealAuthored = new Set;
+  for (const e of journal) {
+    if (!e.env || !e.name)
+      continue;
+    const key = `${e.env}/${e.name}`;
+    if (e.newSeal)
+      sealAuthored.add(key);
+    if (e.newSeal === e.prevSeal)
+      continue;
+    journalSeal.set(key, e.newSeal);
+  }
+  for (const [key, manifestSeal] of liveSeals) {
+    if (!sealAuthored.has(key)) {
+      out.push({
+        severity: "error",
+        check: "seal-journal-binding",
+        message: `${key}: the manifest pins a seal (${manifestSeal}) but the SIGNED journal records NO authorized set op for it — an unanchored/forged seal. a non-recipient may seal a box to the owner's PUBLIC key and repoint the manifest while rolling the journal back; with no journal authority behind it the seal is REJECTED. reseal with \`sol secret set\` (which writes a signed op) or revert the tampering.`
+      });
+      continue;
+    }
+    const headSeal = journalSeal.get(key);
+    if (headSeal !== undefined && headSeal !== manifestSeal) {
+      out.push({
+        severity: "error",
+        check: "seal-journal-binding",
+        message: `${key}: the manifest seal (${manifestSeal}) does NOT match the seal the signed journal head records (${headSeal}). either the manifest was repointed to an unauthored stanza, or the journal was rewound below the live seal. the live content address must equal the signed-journal head seal.`
+      });
+    }
+  }
+  return out;
+}
+function validateJournalReconciliation(solDir, liveSeals, liveEnvs) {
+  const out = [];
+  const journal = readJournal(solDir);
+  if (!journal.length)
+    return out;
+  const journalHeadSeal = new Map;
+  const journalEnvs = new Set;
+  for (const e of journal) {
+    if (!e.env || !e.name)
+      continue;
+    journalEnvs.add(e.env);
+    if (e.newSeal === e.prevSeal)
+      continue;
+    journalHeadSeal.set(`${e.env}/${e.name}`, e.newSeal);
+  }
+  for (const [key, headSeal] of journalHeadSeal) {
+    if (!headSeal)
+      continue;
+    if (!liveSeals.has(key)) {
+      out.push({
+        severity: "error",
+        check: "journal-reconcile",
+        message: `${key}: the SIGNED journal head records this slot as SEALED (${headSeal}) but it is no longer a declared sealed secret in the working tree — the [secret.${key.split("/")[1]}] stanza was DELETED (a silent destroy/lockout). the journal is the source of truth; restore the declaration or record an authorized unset.`
+      });
+    }
+  }
+  for (const env of journalEnvs) {
+    if (!liveEnvs.has(env)) {
+      out.push({
+        severity: "error",
+        check: "journal-reconcile",
+        message: `${env}: the SIGNED journal records secret ops in env "${env}" but it is missing from manifest order — the env was DROPPED, hiding its sealed secrets (owner reveal -> "unknown env"). restore the env to the manifest order or record an authorized removal.`
+      });
+    }
+  }
+  return out;
+}
+function validateGenesisAnchor(solDir) {
+  const out = [];
+  const pin = readCreatorPin(solDir);
+  const liveGenesis = opLogGenesis(solDir);
+  if (pin?.opGenesis && liveGenesis && pin.opGenesis !== liveGenesis) {
+    out.push({
+      severity: "error",
+      check: "genesis-anchor",
+      message: `creator.pin is anchored to op-log genesis ${pin.opGenesis} but the live op-log genesis is ${liveGenesis} — the creator pin was FORGED (an intruder named themselves creator and rebuilt the journal/gate around their key) OR the op-log was replaced. the pin's genesis MUST equal the content-addressed op-log birth certificate. restore the true creator pin / op-log.`
+    });
+  }
+  const head = readHeadPin(solDir);
+  const live = opLogAnchor(solDir);
+  if (head?.opLogTip && !live.logTip) {
+    out.push({
+      severity: "error",
+      check: "genesis-anchor",
+      message: `head.pin records op-log tip ${head.opLogTip} but the live op-log has NO tip (.sol/HEAD is absent/empty) — the op-log anchor was deleted, removing the external reference the head pin binds to. restore the op-log or re-anchor.`
+    });
+  }
+  return out;
+}
+// src/secret/env-state.ts
+init_sign();
+// src/secret/gate-derive.ts
+init_sign();
+var ADMIN_HANDLES2 = ["role:owner", "role:admin"];
+var isGuardianHandle = (h) => ADMIN_HANDLES2.includes(h);
+function guardianFingerprints(handles) {
+  const fps = new Set;
+  for (const h of ADMIN_HANDLES2)
+    for (const r of handles[h] ?? [])
+      if (r.authKey)
+        fps.add(fingerprintOf(r.authKey));
+  return fps;
+}
+function authorizedFor(handle, handles, authorFpr) {
+  const guardians = guardianFingerprints(handles);
+  if (isGuardianHandle(handle))
+    return !!authorFpr && guardians.has(authorFpr);
+  const existing = handles[handle] ?? [];
+  if (!existing.length)
+    return true;
+  const memberFprs = new Set(existing.filter((r) => r.authKey).map((r) => fingerprintOf(r.authKey)));
+  return !!authorFpr && memberFprs.has(authorFpr) || !!authorFpr && guardians.has(authorFpr);
+}
+function deriveAuthenticGate(solDir) {
+  const v = verifyJournal(solDir);
+  const handles = {};
+  const issues = [...v.issues];
+  if (!v.ok) {
+    return { handles, issues, trustworthy: false };
+  }
+  const creatorFpr = creatorFingerprint(solDir);
+  let bootstrapped = false;
+  for (const e of v.entries) {
+    if (e.op !== "audience-add" && e.op !== "audience-rm" && e.op !== "gate-bootstrap")
+      continue;
+    if (!e.handle)
+      continue;
+    const authorFpr = authorFingerprint(e);
+    const members = (e.members ?? []).map((m) => ({ accountId: m.accountId, pubkey: m.pubkey, authKey: m.authKey }));
+    if (e.op === "gate-bootstrap") {
+      const selfSeeds = members.some((m) => m.authKey && fingerprintOf(m.authKey) === authorFpr);
+      if (!selfSeeds) {
+        issues.push(`gate-bootstrap for ${e.handle}: author is not among the seeded guardians — refused`);
+        continue;
+      }
+      if (creatorFpr && authorFpr !== creatorFpr) {
+        issues.push(`gate-bootstrap for ${e.handle}: authored by ${e.author || "unidentified"} (${authorFpr ?? "no key"}), NOT the pinned repo creator (${creatorFpr}) — a re-bootstrap by a foreign key cannot seize genesis. refused.`);
+        continue;
+      }
+      bootstrapped = true;
+      handles[e.handle] = members;
+      continue;
+    }
+    if (!authorizedFor(e.handle, handles, authorFpr)) {
+      issues.push(`${e.op} on ${e.handle} by ${e.author || "unidentified"} was not authorized (not a member/guardian) — dropped from the authentic gate`);
+      continue;
+    }
+    handles[e.handle] = members;
+  }
+  return { handles, issues, trustworthy: true };
+}
+// src/secret/authz.ts
+function isGateAdmin(gate, id) {
+  return isGuardianPubkey(gate, id?.x25519Pub);
+}
+function isHandleMember(gate, handle, id) {
+  return handleHasPubkey(gate, handle, id?.x25519Pub);
+}
+function isGuardianHandle2(handle) {
+  return ADMIN_HANDLES.includes(handle);
+}
+function canEditHandle(gate, handle, id) {
+  const exists = !!gate.handles[handle] && gate.handles[handle].length > 0;
+  if (isGuardianHandle2(handle)) {
+    if (isGuardianPubkey(gate, id?.x25519Pub))
+      return { allowed: true };
+    return {
+      allowed: false,
+      reason: `refused: ${handle} is a GUARDIAN handle — only a current role:owner/role:admin may add a guardian (self-enrollment into a guardian role is refused even when empty). the repo creator is the bootstrapped guardian.`
+    };
+  }
+  if (!exists)
+    return { allowed: true };
+  if (isHandleMember(gate, handle, id) || isGateAdmin(gate, id))
+    return { allowed: true };
+  return {
+    allowed: false,
+    reason: `refused: only a current member of ${handle} (or a role:owner/role:admin) may add/remove recipients. set SOL_RECOVERY_CODE, or have a member run this. creating a NEW handle stays open.`
+  };
+}
+function canDeclare(solDir, prior, actor, id) {
+  const guarded = !!prior && (!!prior.seal || !!(prior.aud && prior.aud.length));
+  if (!guarded)
+    return { allowed: true, guarded: false };
+  if (prior.seal)
+    return { allowed: canWriteSealed(solDir, prior.seal, actor, id?.open), guarded: true };
+  return { allowed: !!id, guarded: true };
+}
+// src/secret/model.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync2, readdirSync, readFileSync as readFileSync4, statSync, unlinkSync, writeFileSync as writeFileSync4 } from "node:fs";
+init_sign();
+var BASE_ENV = "base";
+function envInitialized(solDir) {
+  return existsSync4(manifestPath(solDir));
+}
+function loadWorld(solDir) {
+  if (!envInitialized(solDir))
+    throw new Error("no env manifest — run `sol env init` (or `sol secret declare` creates one)");
+  const manifest = parseManifest(readFileSync4(manifestPath(solDir), "utf8"));
+  const gate = existsSync4(audiencePath(solDir)) ? parseAudienceDoc(readFileSync4(audiencePath(solDir), "utf8")) : { handles: {}, clone: {} };
+  const files = {};
+  const baseP = envFilePath(solDir, BASE_ENV);
+  if (existsSync4(baseP))
+    files[BASE_ENV] = parseEnvFile(BASE_ENV, readFileSync4(baseP, "utf8"));
+  for (const env of manifest.order) {
+    const p = envFilePath(solDir, env);
+    if (existsSync4(p))
+      files[env] = parseEnvFile(env, readFileSync4(p, "utf8"));
+  }
+  return { manifest, gate, files };
+}
+function resolveOne(world, env) {
+  const file = world.files[env];
+  if (!file)
+    throw new Error(`unknown env: ${env} (registered: ${world.manifest.order.join(", ") || "none"})`);
+  const base = file.extends ? world.files[file.extends] : undefined;
+  return resolveEnv(file, base);
+}
+function resolveAll(world) {
+  return world.manifest.order.map((e) => resolveOne(world, e));
+}
+function audienceFor(world, env, entryAud) {
+  if (entryAud && entryAud.length)
+    return entryAud;
+  return world.files[env]?.audience ?? [];
+}
+function ensureEnvDir(solDir) {
+  mkdirSync2(envDir(solDir), { recursive: true });
+  mkdirSync2(sealDir(solDir), { recursive: true });
+}
+function writeEnvFile(solDir, f) {
+  ensureEnvDir(solDir);
+  writeFileSync4(envFilePath(solDir, f.env), serializeEnvFile(f), { mode: 420 });
+}
+function writeManifest(solDir, m) {
+  ensureEnvDir(solDir);
+  writeFileSync4(manifestPath(solDir), serializeManifest(m), { mode: 420 });
+}
+function writeAudienceDoc(solDir, a) {
+  ensureEnvDir(solDir);
+  writeFileSync4(audiencePath(solDir), serializeAudienceDoc(a), { mode: 420 });
+}
+function regenerateSchema(solDir, world) {
+  const schema = buildSchema(world.manifest.order, resolveAll(world));
+  const text = serializeSchema(schema);
+  ensureEnvDir(solDir);
+  writeFileSync4(schemaLockPath(solDir), text, { mode: 420 });
+  return text;
+}
+function loadSchema(solDir) {
+  const p = schemaLockPath(solDir);
+  if (!existsSync4(p))
+    return;
+  return JSON.parse(readFileSync4(p, "utf8"));
+}
+function validateWorld(solDir, world, opts = {}) {
+  const issues = [];
+  const resolved = resolveAll(world);
+  const jv = verifyJournal(solDir);
+  for (const m of jv.issues)
+    issues.push({ severity: "error", check: "journal-integrity", message: `journal: ${m}` });
+  const authentic = deriveAuthenticGate(solDir);
+  for (const m of authentic.issues)
+    issues.push({ severity: "error", check: "gate-authenticity", message: `gate: ${m}` });
+  if (authentic.trustworthy && Object.keys(authentic.handles).length) {
+    issues.push(...gateDriftIssues(authentic, world.gate));
+  }
+  for (const r of resolved) {
+    for (const s of r.secrets) {
+      if (!s.seal)
+        continue;
+      const read = readSealedBoxChecked(solDir, s.seal);
+      if (read.kind === "absent") {
+        issues.push({ severity: "error", check: "fail-closed", message: `${r.env}/${s.name}: \`seal\` pins ${s.seal} but no sealed leaf exists at .sol/env/seal/` });
+        continue;
+      }
+      if (read.kind === "tampered") {
+        issues.push({ severity: "error", check: "content-address", message: `${r.env}/${s.name}: the sealed leaf at ${s.seal} was OVERWRITTEN IN PLACE — its bytes hash to ${read.actual}, not the pinned content address. a forged box (sealed to the public key) was substituted. reseal with \`sol secret set\` or revert.` });
+        continue;
+      }
+      const box = read.box;
+      if (!box.body || !box.asym) {
+        issues.push({ severity: "error", check: "fail-closed", message: `${r.env}/${s.name}: the leaf at ${s.seal} is not a SealedBox (plaintext under the secrets namespace is rejected)` });
+      }
+    }
+  }
+  const allNames = new Set;
+  for (const r of resolved)
+    for (const s of r.secrets)
+      allNames.add(s.name);
+  for (const r of resolved)
+    for (const k of Object.keys(r.config))
+      allNames.add(k);
+  for (const name of allNames) {
+    const present = resolved.filter((r) => r.secrets.some((s) => s.name === name) || (name in r.config)).map((r) => r.env);
+    const missing = resolved.filter((r) => !present.includes(r.env)).map((r) => r.env);
+    if (missing.length && present.length) {
+      issues.push({ severity: "warn", check: "cross-env-drift", message: `${name}: declared in [${present.join(", ")}] but missing in [${missing.join(", ")}]` });
+    }
+  }
+  for (const r of resolved) {
+    for (const s of r.secrets) {
+      if (!s.seal)
+        continue;
+      const aud = audienceFor(world, r.env, s.aud);
+      const resolvedAud = resolveHandles(world.gate, aud);
+      for (const u of resolvedAud.unresolved) {
+        issues.push({ severity: "error", check: "audience-integrity", message: `${r.env}/${s.name}: audience handle not in audience.toml: ${u}` });
+      }
+      const read = readSealedBoxChecked(solDir, s.seal);
+      const box = read.kind === "box" ? read.box : undefined;
+      if (box) {
+        const actual = new Set(recipientsOf(box));
+        const expected = new Set(resolvedAud.accountIds);
+        const extra = [...actual].filter((a) => !expected.has(a));
+        const missing = [...expected].filter((a) => !actual.has(a));
+        if (extra.length || missing.length) {
+          issues.push({ severity: "error", check: "audience-integrity", message: `${r.env}/${s.name}: sealed recipients drift from the audience (missing: [${missing.join(", ")}], extra: [${extra.join(", ")}]) — reseal with \`sol secret set\` or \`sol secret audience\`` });
+        }
+      }
+      if (opts.agentAccountId && audienceHasAccount(world.gate, aud, opts.agentAccountId)) {
+        issues.push({ severity: "error", check: "agent-blind", message: `${r.env}/${s.name}: the agent identity ${opts.agentAccountId} is in the seal audience — secrets must be agent-blind` });
+      }
+    }
+    const runtimeHandle = world.manifest.runtime[r.env];
+    if (runtimeHandle && r.secrets.some((s) => s.seal)) {
+      const aud = world.files[r.env]?.audience ?? [];
+      if (!aud.includes(runtimeHandle)) {
+        issues.push({ severity: "warn", check: "audience-integrity", message: `${r.env}: the runtime recipient ${runtimeHandle} is not in the env @audience — the runtime can't inject` });
+      }
+    }
+  }
+  if (opts.schemaOnDisk !== undefined) {
+    const fresh = serializeSchema(buildSchema(world.manifest.order, resolved));
+    if (fresh !== opts.schemaOnDisk) {
+      issues.push({ severity: "error", check: "schema-stale", message: "schema.lock is stale — run `sol env schema --write` to regenerate" });
+    }
+  }
+  issues.push(...validateManagementPlane(solDir, resolved, authentic));
+  if (!readCreatorPin(solDir) && authentic.trustworthy && Object.keys(authentic.handles).length) {
+    issues.push({ severity: "warn", check: "genesis-anchor", message: "this repo has a journal-derived gate but no creator pin (.sol/env/creator.pin) — the genesis is UNANCHORED; a re-bootstrap by a foreign key cannot be distinguished from the true creator. fix: run `sol env anchor` (as the operator, with SOL_RECOVERY_CODE set) to pin the current creator, or restore the lost pin." });
+  }
+  const liveSeals = new Map;
+  for (const r of resolved)
+    for (const s of r.secrets)
+      if (s.seal)
+        liveSeals.set(`${r.env}/${s.name}`, s.seal);
+  const liveEnvs = new Set(world.manifest.order);
+  issues.push(...validateSealJournalBinding(solDir, liveSeals));
+  issues.push(...validateJournalReconciliation(solDir, liveSeals, liveEnvs));
+  issues.push(...validateGenesisAnchor(solDir));
+  issues.push(...validateMonotonicHead(solDir));
+  return issues;
+}
+function gateDriftIssues(authentic, live) {
+  const out = [];
+  const norm = (rs) => {
+    const m = new Map;
+    for (const r of rs)
+      m.set(r.accountId, r.pubkey ?? r.x25519Pub ?? "");
+    return m;
+  };
+  const handles = new Set([...Object.keys(authentic.handles), ...Object.keys(live.handles)]);
+  for (const h of handles) {
+    const a = norm(authentic.handles[h] ?? []);
+    const l = norm(live.handles[h] ?? []);
+    for (const [acct, pub] of a) {
+      if (!l.has(acct))
+        out.push({ severity: "error", check: "gate-authenticity", message: `${h}: ${acct} is in the authentic (journal-signed) gate but MISSING from audience.toml — the gate file was tampered` });
+      else if (l.get(acct) !== pub)
+        out.push({ severity: "error", check: "gate-authenticity", message: `${h}: ${acct}'s pinned pubkey in audience.toml does NOT match the journal-authentic key — a pubkey SWAP (poisoned gate). reseals would target the wrong key.` });
+    }
+    for (const acct of l.keys()) {
+      if (!a.has(acct))
+        out.push({ severity: "error", check: "gate-authenticity", message: `${h}: ${acct} was hand-added to audience.toml but is NOT in the authentic (journal-signed) gate — self-enrollment / gate poisoning. it is IGNORED on reseal.` });
+    }
+  }
+  return out;
+}
+function validateManagementPlane(solDir, resolved, authentic) {
+  const issues = [];
+  const journal = readJournal(solDir);
+  if (!journal.length)
+    return issues;
+  const fprToAccount = new Map;
+  for (const recips of Object.values(authentic.handles))
+    for (const r of recips)
+      if (r.authKey)
+        fprToAccount.set(fingerprintOf(r.authKey), r.accountId);
+  const lastChange = new Map;
+  const blanked = new Map;
+  for (const e of journal) {
+    if (!e.env || !e.name)
+      continue;
+    const key = `${e.env}/${e.name}`;
+    const changesSeal = e.newSeal !== e.prevSeal;
+    const changesAud = JSON.stringify(e.newAud ?? null) !== JSON.stringify(e.prevAud ?? null);
+    if (changesSeal || changesAud)
+      lastChange.set(key, e);
+    if (e.prevSeal && !e.newSeal)
+      blanked.set(key, e);
+    if (e.newSeal && e.recipientAtOp)
+      blanked.delete(key);
+  }
+  for (const [key, e] of lastChange) {
+    if (!e.newSeal)
+      continue;
+    if (!e.recipientAtOp) {
+      issues.push({
+        severity: "error",
+        check: "management-plane",
+        message: `${key}: seal/audience was changed by a non-recipient author (${e.author || "unidentified"}) — a non-recipient cannot repoint a sealed secret. reseal as a recipient or revert the tampering.`
+      });
+      continue;
+    }
+    const read = readSealedBoxChecked(solDir, e.newSeal);
+    const box = read.kind === "box" ? read.box : undefined;
+    if (box) {
+      const fpr = authorFingerprint(e);
+      const acct = fpr ? fprToAccount.get(fpr) : undefined;
+      const boxRecipients = new Set(recipientsOf(box));
+      if (!acct || !boxRecipients.has(acct)) {
+        issues.push({
+          severity: "error",
+          check: "management-plane",
+          message: `${key}: the seal was authored by a key that is NOT among the sealed recipients (claimed author ${e.author || "unidentified"}) — recipientAtOp is unsubstantiated by the ciphertext. a non-recipient cannot author a seal here.`
+        });
+      }
+    }
+  }
+  for (const [key, e] of blanked) {
+    issues.push({
+      severity: "error",
+      check: "management-plane",
+      message: `${key}: an already-sealed secret was BLANKED to unset by ${e.author || "unidentified"} (sealed->unset) — a destructive re-declare. recover the prior ciphertext (${e.prevSeal}) or reseal as a recipient.`
+    });
+  }
+  return issues;
+}
+function diffEnvs(a, b) {
+  const shapeOf = (r) => {
+    const m = new Map;
+    for (const [k] of Object.entries(r.config))
+      m.set(k, "config");
+    for (const s of r.secrets)
+      m.set(s.name, `secret${s.type ? `:${s.type}` : ""}${s.aud ? ` aud=[${s.aud.join(",")}]` : ""}`);
+    return m;
+  };
+  const sa = shapeOf(a);
+  const sb = shapeOf(b);
+  const out = [];
+  for (const [name, shape] of sa) {
+    if (!sb.has(name))
+      out.push({ name, change: "removed", detail: shape });
+    else if (sb.get(name) !== shape)
+      out.push({ name, change: "changed", detail: `${shape} -> ${sb.get(name)}` });
+  }
+  for (const [name, shape] of sb)
+    if (!sa.has(name))
+      out.push({ name, change: "added", detail: shape });
+  return out.sort((x, y) => x.name.localeCompare(y.name));
+}
+function auditEnv(solDir, env) {
+  const world = loadWorld(solDir);
+  const resolved = resolveOne(world, env);
+  const authentic = deriveAuthenticGate(solDir);
+  const whoCanDecrypt = resolved.secrets.map((s) => {
+    const aud = s.aud ?? resolved.audience ?? [];
+    const recipients = aud.flatMap((h) => (authentic.handles[h] ?? []).map((r) => r.accountId));
+    return {
+      name: s.hideName ? "(name-hidden)" : s.name,
+      sealed: !!s.seal,
+      audience: aud,
+      recipients: [...new Set(recipients)]
+    };
+  });
+  const drift = [];
+  for (const [handle, recips] of Object.entries(world.gate.handles)) {
+    const fileAccts = new Set(recips.map((r) => r.accountId));
+    const authAccts = new Set((authentic.handles[handle] ?? []).map((r) => r.accountId));
+    const fileOnly = [...fileAccts].filter((a) => !authAccts.has(a));
+    const authenticOnly = [...authAccts].filter((a) => !fileAccts.has(a));
+    if (fileOnly.length || authenticOnly.length)
+      drift.push({ handle, fileOnly, authenticOnly });
+  }
+  return { env, journalTrustworthy: authentic.trustworthy, journalIssues: authentic.issues, whoCanDecrypt, drift };
+}
+// src/secret/audience-cli.ts
+var HANDLE_KINDS = ["role", "team", "machine"];
+function assertHandle(ctx, handle) {
+  const [kind, name] = splitHandle(handle);
+  if (!handle.includes(":") || !HANDLE_KINDS.includes(kind) || !name) {
+    ctx.die(`bad handle "${handle}" — expected role:NAME | team:NAME | machine:NAME`);
+  }
+}
+async function resolvePub(ctx, account, explicitPub) {
+  if (explicitPub)
+    return explicitPub;
+  const mine = ctx.selfPub(account);
+  if (mine)
+    return mine;
+  const dir = await ctx.dirPub(account);
+  if (dir)
+    return dir;
+  return ctx.die(`no published X25519 key for ${account} — they must \`sol keys publish\` first, ` + `or pass --pubkey <sol1pk_…> to pin it explicitly (offline).`);
+}
+async function audienceAdd(ctx, gate, handle, account, explicitPub) {
+  assertHandle(ctx, handle);
+  if (!account)
+    ctx.die("usage: sol env audience add <handle> <account> [--pubkey <sol1pk_…>]");
+  const pub = await resolvePub(ctx, account, explicitPub);
+  const edPub = ctx.selfEdPub?.(account) ?? await ctx.dirEdPub?.(account) ?? undefined;
+  const recips = gate.handles[handle] ??= [];
+  const existing = recips.find((r) => r.accountId === account);
+  if (existing) {
+    existing.x25519Pub = pub;
+    if (edPub)
+      existing.edPub = edPub;
+  } else
+    recips.push({ handle, accountId: account, x25519Pub: pub, edPub });
+  return { gate, pub };
+}
+function audienceRm(ctx, gate, handle, account) {
+  assertHandle(ctx, handle);
+  const recips = gate.handles[handle];
+  if (!recips || !recips.length)
+    ctx.die(`no such audience handle: ${handle}`);
+  if (!account) {
+    delete gate.handles[handle];
+    return gate;
+  }
+  const next = recips.filter((r) => r.accountId !== account);
+  if (next.length === recips.length)
+    ctx.die(`${account} is not in ${handle}`);
+  if (next.length)
+    gate.handles[handle] = next;
+  else
+    delete gate.handles[handle];
+  return gate;
+}
+function audienceRows(gate) {
+  const rows = [];
+  for (const handle of Object.keys(gate.handles).sort()) {
+    for (const r of gate.handles[handle])
+      rows.push({ handle, account: r.accountId, pubkey: r.x25519Pub });
+  }
+  return rows;
+}
+function recipientsOfHandle(gate, handle) {
+  return gate.handles[handle] ?? [];
+}
+// src/secret/runtime-recipient.ts
+init_crypto();
+function runtimeHandle(env) {
+  return `machine:runtime-${env}`;
+}
+function runtimeAccountId(env) {
+  return `runtime-${env}`;
+}
+var RUNTIME_ROOT_BINDING = "SOL_RUNTIME_ROOT";
+async function provisionRuntimeRecipient(env, roots, opts = {}) {
+  const { generateRecoveryCode: generateRecoveryCode2 } = await Promise.resolve().then(() => (init_crypto(), exports_crypto));
+  const root = (opts.mintRoot ?? generateRecoveryCode2)();
+  const keyEpoch = opts.keyEpoch ?? 1;
+  const accountId = runtimeAccountId(env);
+  const id = deriveIdentity(accountId, root, keyEpoch);
+  await roots.put(env, root);
+  return { env, handle: runtimeHandle(env), accountId, x25519Pub: id.x25519Pub, edPub: id.edPub, keyEpoch };
+}
+function runtimeSelfFromRoot(env, root, keyEpoch = 1) {
+  const id = deriveIdentity(runtimeAccountId(env), root, keyEpoch);
+  return { accountId: runtimeAccountId(env), privateKey: id.x25519Priv };
+}
+
+class ExportError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ExportError";
+  }
+}
+function exportEnvWith(solDir, env, self) {
+  if (!self) {
+    throw new ExportError(`refused to export ${env}: no runtime identity loaded — the bootstrap root is absent (custody it in the CF Secrets Store and read it via env.${RUNTIME_ROOT_BINDING}). a non-recipient cannot export ciphertext.`);
+  }
+  const world = loadWorld(solDir);
+  const resolved = resolveOne(world, env);
+  const secrets = {};
+  const skipped = [];
+  for (const s of resolved.secrets) {
+    if (!s.seal || s.hideName)
+      continue;
+    const out = openOutcome(solDir, s.seal, self.accountId, self);
+    if (out.kind === "tampered") {
+      throw new ExportError(`refused to export ${env}: ${s.name} (${s.seal}) was TAMPERED in place — its bytes hash to ${out.actual}, not the pinned address. no secrets exported.`);
+    }
+    if (out.kind === "value") {
+      secrets[s.name] = out.value;
+      continue;
+    }
+    skipped.push(s.name);
+  }
+  const names = Object.keys(secrets);
+  if (!names.length) {
+    throw new ExportError(`no secrets in ${env} are readable by the runtime recipient (${self.accountId}) — is the runtime in the env audience? add it with \`sol env audience add ${runtimeHandle(env)} ${runtimeAccountId(env)} --pubkey ...\`.`);
+  }
+  return { secrets, names, skipped };
+}
+function renderExport(secrets, format) {
+  if (format === "json")
+    return JSON.stringify(secrets);
+  return Object.entries(secrets).map(([k, v]) => `${k}='${v.replace(/'/g, `'\\''`)}'`).join(`
+`);
+}
+// src/bin/secret.ts
+function flag(args, name) {
+  const i = args.indexOf(name);
+  if (i >= 0 && i + 1 < args.length)
+    return args[i + 1];
+  const pre = args.find((a) => a.startsWith(`${name}=`));
+  return pre ? pre.slice(name.length + 1) : undefined;
+}
+function has(args, name) {
+  return args.includes(name);
+}
+function positionals(args) {
+  const out = [];
+  for (let i = 0;i < args.length; i++) {
+    const a = args[i];
+    if (a.startsWith("-")) {
+      if (!a.includes("=") && i + 1 < args.length && !args[i + 1].startsWith("-") && VALUE_FLAGS.has(a))
+        i++;
+      continue;
+    }
+    out.push(a);
+  }
+  return out;
+}
+var VALUE_FLAGS = new Set(["--env", "--audience", "--fd", "-m", "--field", "--pubkey", "--agent", "--envs", "--type", "--format"]);
+function requireEnv(ctx, args) {
+  const e = flag(args, "--env");
+  if (!e)
+    ctx.die("missing --env <name>");
+  return e;
+}
+function manage(ctx) {
+  return ctx.loadManageIdentity?.();
+}
+function requireSigner(ctx, what) {
+  const id = manage(ctx);
+  if (!id)
+    ctx.die(`refused: ${what} is a management-plane op that must be cryptographically authored — set SOL_RECOVERY_CODE so the op is signed + chained (a keyless caller cannot mutate the gate or a sealed slot).`);
+  return { id, signer: id.signer };
+}
+function journal2(ctx, id, body) {
+  appendJournal(ctx.solDir, { ...body, author: id.accountId }, id.signer);
+  updateHeadPin(ctx.solDir);
+}
+function memberSnapshot(gate, handle) {
+  return (gate.handles[handle] ?? []).map((r) => ({ accountId: r.accountId, pubkey: r.x25519Pub, authKey: r.edPub ?? "" }));
+}
+function readSecretValue(ctx, args) {
+  const fd = flag(args, "--fd");
+  if (fd !== undefined) {
+    const n = parseInt(fd, 10);
+    if (!Number.isInteger(n))
+      ctx.die("--fd expects a file descriptor number");
+    return readAllFromFd(n).replace(/\n$/, "");
+  }
+  if (has(args, "--stdin")) {
+    return readAllFromFd(0).replace(/\n$/, "");
+  }
+  if (!process.stdin.isTTY) {
+    ctx.die("no value source: not a TTY — pass the value via --stdin or --fd <n> (NEVER on the command line)");
+  }
+  return promptNoEcho(ctx);
+}
+function readAllFromFd(fd) {
+  const chunks = [];
+  const buf = Buffer.alloc(65536);
+  for (;; ) {
+    let n = 0;
+    try {
+      n = readSync(fd, buf, 0, buf.length, null);
+    } catch (e) {
+      if (e?.code === "EAGAIN")
+        continue;
+      if (e?.code === "EOF")
+        break;
+      throw e;
+    }
+    if (n === 0)
+      break;
+    chunks.push(Buffer.from(buf.subarray(0, n)));
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+function promptNoEcho(ctx) {
+  process.stderr.write("value (input hidden): ");
+  const stty = (mode) => spawnSync("stty", [mode], { stdio: ["inherit", "inherit", "inherit"] });
+  const off = stty("-echo");
+  try {
+    return readLineFromTty();
+  } finally {
+    if (off.status === 0)
+      stty("echo");
+    process.stderr.write(`
+`);
+  }
+}
+function readLineFromTty() {
+  const buf = Buffer.alloc(1);
+  let line = "";
+  for (;; ) {
+    let n = 0;
+    try {
+      n = readSync(0, buf, 0, 1, null);
+    } catch (e) {
+      if (e?.code === "EAGAIN")
+        continue;
+      break;
+    }
+    if (n === 0)
+      break;
+    const c = buf.toString("utf8");
+    if (c === `
+` || c === "\r")
+      break;
+    line += c;
+  }
+  return line;
+}
+function sealRecipients(ctx, world, env, entryAud) {
+  const handles = audienceFor(world, env, entryAud);
+  if (!handles.length)
+    ctx.die(`no seal audience for ${env} — set @audience in the env file or pass --audience on declare`);
+  const resolved = resolveHandles(world.gate, handles);
+  if (resolved.unresolved.length)
+    ctx.die(`unresolved audience handle(s): ${resolved.unresolved.join(", ")} — add them to .sol/env/audience.toml`);
+  if (!Object.keys(resolved.recipientPubKeys).length)
+    ctx.die(`audience [${handles.join(", ")}] resolved to ZERO recipients — refusing to seal an unreadable value`);
+  return { recipientPubKeys: resolved.recipientPubKeys, handles, recipients: resolved.recipients };
+}
+function authenticSealRecipients(ctx, world, env, entryAud) {
+  const handles = audienceFor(world, env, entryAud);
+  if (!handles.length)
+    ctx.die(`no seal audience for ${env} — set @audience in the env file or pass --audience on declare`);
+  const authentic = deriveAuthenticGate(ctx.solDir);
+  if (!authentic.trustworthy)
+    ctx.die(`refused: the management journal does not verify (chain/signature broken) — refusing to seal to an untrustworthy gate. run \`sol env validate\` and revert the tampering.`);
+  if (!Object.keys(authentic.handles).length) {
+    const fb = sealRecipients(ctx, world, env, entryAud);
+    return { recipientPubKeys: fb.recipientPubKeys, handles: fb.handles };
+  }
+  const recipientPubKeys = {};
+  const unresolved = [];
+  for (const h of handles) {
+    const recips = authentic.handles[h];
+    if (!recips || !recips.length) {
+      unresolved.push(h);
+      continue;
+    }
+    for (const r of recips)
+      recipientPubKeys[r.accountId] = r.pubkey;
+  }
+  if (unresolved.length)
+    ctx.die(`audience handle(s) not in the authentic (journal-signed) gate: ${unresolved.join(", ")} — only journal-authored gate membership can be sealed to. add via \`sol env audience add\` (signed).`);
+  if (!Object.keys(recipientPubKeys).length)
+    ctx.die(`audience [${handles.join(", ")}] resolved to ZERO authentic recipients — refusing to seal an unreadable value`);
+  return { recipientPubKeys, handles };
+}
+function runEnv(ctx, sub, args) {
+  const json = has(args, "--json");
+  switch (sub) {
+    case "init":
+      return envInit(ctx, args);
+    case "ls":
+      return envLs(ctx, json);
+    case "show":
+      return envShow(ctx, positionals(args)[0], json);
+    case "schema":
+      return envSchema(ctx, args, json);
+    case "diff":
+      return envDiff(ctx, positionals(args), json);
+    case "validate":
+      return envValidate(ctx, args, json);
+    case "verify":
+      return envValidate(ctx, args.includes("--remote") ? args : [...args, "--remote"], json);
+    case "audience":
+      return envAudience(ctx, args, json);
+    case "audit":
+      return envAudit(ctx, positionals(args)[0], json);
+    case "anchor":
+      return envAnchor(ctx, json);
+    default:
+      ctx.die(`unknown \`sol env\` subcommand: ${sub ?? "(none)"} — try ls | show | schema | diff | validate | verify | audit | anchor | audience | init`);
+  }
+}
+async function envAudience(ctx, args, json) {
+  const pos = positionals(args);
+  const op = pos[0];
+  const me = manage(ctx);
+  const audCtx = {
+    solDir: ctx.solDir,
+    die: ctx.die,
+    selfPub: ctx.selfPub ?? (() => {
+      return;
+    }),
+    dirPub: ctx.dirPub ?? (async () => {
+      return;
+    }),
+    selfEdPub: (account) => me && me.accountId === account ? me.signer.pub : ctx.selfEdPub?.(account),
+    dirEdPub: ctx.dirEdPub ?? (async () => {
+      return;
+    })
+  };
+  if (op === "add" && !envInitialized(ctx.solDir))
+    envInitScaffold(ctx, undefined, manage(ctx));
+  const world = loadWorld(ctx.solDir);
+  if (op === "ls") {
+    const handle = pos[1];
+    const rows = handle ? recipientsOfHandle(world.gate, handle).map((r) => ({ handle, account: r.accountId, pubkey: r.x25519Pub })) : audienceRows(world.gate);
+    if (json)
+      return void console.log(JSON.stringify(rows, null, 2));
+    if (!rows.length)
+      return void console.log(handle ? `no recipients under ${handle}` : "audience.toml is empty — add recipients with `sol env audience add <handle> <account>`");
+    for (const r of rows)
+      console.log(`${r.handle.padEnd(22)} ${r.account.padEnd(28)} ${r.pubkey || "(no pubkey)"}`);
+    return;
+  }
+  if (op === "add") {
+    const handle = pos[1];
+    const account = pos[2];
+    if (!handle || !account)
+      ctx.die("usage: sol env audience add <handle> <account> [--pubkey <sol1pk_…>]");
+    const { id } = requireSigner(ctx, `audience add ${handle}`);
+    guardHandleEdit(ctx, world.gate, handle, id, account);
+    const prevAud = (world.gate.handles[handle] ?? []).map((r) => r.accountId);
+    const { gate, pub } = await audienceAdd(audCtx, world.gate, handle, account, flag(args, "--pubkey"));
+    writeAudienceDoc(ctx.solDir, gate);
+    journal2(ctx, id, { op: "audience-add", handle, members: memberSnapshot(gate, handle), recipientAtOp: true, prevAud, newAud: (gate.handles[handle] ?? []).map((r) => r.accountId), at: Date.now() });
+    if (json)
+      return void console.log(JSON.stringify({ added: { handle, account, pubkey: pub } }, null, 2));
+    console.log(`added ${account} to ${handle} (pubkey ${pub})`);
+    return;
+  }
+  if (op === "rm") {
+    const handle = pos[1];
+    const account = pos[2];
+    if (!handle)
+      ctx.die("usage: sol env audience rm <handle> [<account>]   (no account drops the whole handle)");
+    const { id } = requireSigner(ctx, `audience rm ${handle}`);
+    guardHandleEdit(ctx, world.gate, handle, id, account);
+    const prevAud = (world.gate.handles[handle] ?? []).map((r) => r.accountId);
+    const gate = audienceRm(audCtx, world.gate, handle, account);
+    writeAudienceDoc(ctx.solDir, gate);
+    journal2(ctx, id, { op: "audience-rm", handle, members: memberSnapshot(gate, handle), recipientAtOp: true, prevAud, newAud: (gate.handles[handle] ?? []).map((r) => r.accountId), at: Date.now() });
+    if (json)
+      return void console.log(JSON.stringify({ removed: { handle, account: account ?? null } }, null, 2));
+    console.log(account ? `removed ${account} from ${handle}` : `removed handle ${handle}`);
+    return;
+  }
+  ctx.die("usage: sol env audience add|rm|ls [<handle>] [<account>]");
+}
+function guardHandleEdit(ctx, gate, handle, id, adding) {
+  const verdict = canEditHandle(gate, handle, id);
+  if (verdict.allowed)
+    return;
+  ctx.die(verdict.reason ?? `refused: ${ctx.actor} may not edit ${handle}.`);
+}
+function envInit(ctx, args) {
+  if (envInitialized(ctx.solDir))
+    ctx.die("env manifest already exists at .sol/env/manifest.toml");
+  const order = (flag(args, "--envs") ?? "development,staging,production").split(",").map((s) => s.trim()).filter(Boolean);
+  envInitScaffold(ctx, order, manage(ctx));
+  console.log(`initialized .sol/env/ with envs: ${order.join(", ")}`);
+}
+function envInitScaffold(ctx, order = ["development", "staging", "production"], creator) {
+  const extendsOf = {};
+  for (const e of order)
+    extendsOf[e] = BASE_ENV;
+  writeManifest(ctx.solDir, { order, extendsOf, runtime: {} });
+  writeEnvFile(ctx.solDir, { env: BASE_ENV, config: {}, secrets: [] });
+  for (const e of order)
+    writeEnvFile(ctx.solDir, { env: e, extends: BASE_ENV, config: {}, secrets: [] });
+  const gate = { handles: {}, clone: {} };
+  if (creator)
+    gate.handles["role:owner"] = [{ handle: "role:owner", accountId: creator.accountId, x25519Pub: creator.x25519Pub, edPub: creator.signer.pub }];
+  writeAudienceDoc(ctx.solDir, gate);
+  if (creator) {
+    if (!readCreatorPin(ctx.solDir)) {
+      writeCreatorPin(ctx.solDir, { accountId: creator.accountId, authKey: creator.signer.pub, x25519Pub: creator.x25519Pub, opGenesis: opLogGenesis(ctx.solDir) });
+    }
+    journal2(ctx, creator, {
+      op: "gate-bootstrap",
+      handle: "role:owner",
+      members: [{ accountId: creator.accountId, pubkey: creator.x25519Pub, authKey: creator.signer.pub }],
+      recipientAtOp: true,
+      newAud: [creator.accountId],
+      at: Date.now()
+    });
+  }
+  regenerateSchema(ctx.solDir, loadWorld(ctx.solDir));
+}
+function envLs(ctx, json) {
+  const world = loadWorld(ctx.solDir);
+  const rows = world.manifest.order.map((env) => {
+    const r = resolveOne(world, env);
+    return { env, extends: world.files[env]?.extends, config: Object.keys(r.config).length, secrets: r.secrets.length, runtime: world.manifest.runtime[env] };
+  });
+  if (json)
+    return void console.log(JSON.stringify(rows, null, 2));
+  for (const r of rows)
+    console.log(`${r.env.padEnd(14)} extends=${(r.extends ?? "-").padEnd(8)} config=${r.config} secrets=${r.secrets}${r.runtime ? ` runtime=${r.runtime}` : ""}`);
+}
+function envShow(ctx, env, json) {
+  if (!env)
+    ctx.die("usage: sol env show <env>");
+  const world = loadWorld(ctx.solDir);
+  const r = resolveOne(world, env);
+  const view = {
+    env: r.env,
+    audience: r.audience,
+    config: r.config,
+    secrets: r.secrets.map((s) => ({ name: s.name, type: s.type, audience: s.aud ?? r.audience, set: !!s.seal, hidden: !!s.hideName }))
+  };
+  if (json)
+    return void console.log(JSON.stringify(view, null, 2));
+  console.log(`env: ${r.env}${r.audience ? `  @audience=[${r.audience.join(", ")}]` : ""}`);
+  for (const [k, v] of Object.entries(r.config))
+    console.log(`  config ${k} = ${v}`);
+  for (const s of view.secrets)
+    console.log(`  secret ${s.name}${s.type ? `:${s.type}` : ""} = ${s.set ? "[sealed]" : "[unset]"}  aud=[${(s.audience ?? []).join(", ")}]`);
+}
+function envSchema(ctx, args, json) {
+  const world = loadWorld(ctx.solDir);
+  if (has(args, "--write")) {
+    regenerateSchema(ctx.solDir, world);
+    console.log("wrote .sol/env/schema.lock");
+    return;
+  }
+  const schema = loadSchema(ctx.solDir) ?? JSON.parse(regenerateSchema(ctx.solDir, world));
+  if (json)
+    return void console.log(JSON.stringify(schema, null, 2));
+  for (const [name, v] of Object.entries(schema.vars)) {
+    const per = Object.entries(v.envs).map(([e, st]) => `${e}=${v.kind === "secret" ? `[${st}]` : st}`).join(" ");
+    console.log(`${v.kind === "secret" ? "secret" : "config"} ${name}${v.type ? `:${v.type}` : ""}  ${per}`);
+  }
+}
+function envDiff(ctx, pos, json) {
+  if (pos.length < 2)
+    ctx.die("usage: sol env diff <a> <b>");
+  const world = loadWorld(ctx.solDir);
+  const entries = diffEnvs(resolveOne(world, pos[0]), resolveOne(world, pos[1]));
+  if (json)
+    return void console.log(JSON.stringify(entries, null, 2));
+  if (!entries.length)
+    return void console.log(`${pos[0]} and ${pos[1]} are shape-identical`);
+  for (const e of entries)
+    console.log(`${e.change === "added" ? "+" : e.change === "removed" ? "-" : "~"} ${e.name}: ${e.detail}`);
+}
+async function envValidate(ctx, args, json) {
+  const world = loadWorld(ctx.solDir);
+  const schemaOnDisk = readSchemaText(ctx.solDir);
+  const agentAccountId = flag(args, "--agent") ?? process.env.SOL_AGENT_ACCOUNT;
+  const issues = validateWorld(ctx.solDir, world, { agentAccountId, schemaOnDisk });
+  if (args.includes("--remote") && ctx.remoteAnchorVerify) {
+    const verdict = await ctx.remoteAnchorVerify();
+    if (verdict)
+      issues.push(...verdict.issues);
+    else
+      issues.push({ severity: "warn", check: "remote-anchor", message: "no remote configured (set SOL_TOKEN + `sol remote`) — the EXTERNAL anchor was not consulted; the env root-of-trust is local-only (a local re-key is not detectable offline)." });
+  } else if (args.includes("--remote")) {
+    issues.push({ severity: "warn", check: "remote-anchor", message: "no remote anchor available in this context — run via the `sol` CLI with a configured remote to consult the external owner anchor." });
+  }
+  if (json)
+    return void console.log(JSON.stringify(issues, null, 2));
+  if (!issues.length)
+    return void console.log("valid: fail-closed OK, audiences consistent, schema fresh");
+  for (const i of issues)
+    console.log(`${i.severity === "error" ? "ERROR" : "warn "} [${i.check}] ${i.message}`);
+  if (issues.some((i) => i.severity === "error"))
+    process.exitCode = 1;
+}
+function readSchemaText(solDir) {
+  try {
+    return readFileSync5(schemaLockPath(solDir), "utf8");
+  } catch {
+    return;
+  }
+}
+function envAudit(ctx, env, json) {
+  if (!env)
+    ctx.die("usage: sol env audit <env>   (== sol secret audit --env <env>)");
+  printAudit(auditEnv(ctx.solDir, env), json);
+}
+function printAudit(audit, json) {
+  if (json)
+    return void console.log(JSON.stringify(audit, null, 2));
+  console.log(`audit ${audit.env}  journal=${audit.journalTrustworthy ? "TRUSTWORTHY" : "UNTRUSTWORTHY"}`);
+  if (!audit.journalTrustworthy && audit.journalIssues.length) {
+    for (const i of audit.journalIssues)
+      console.log(`  journal issue: ${i}`);
+  }
+  console.log("  who-can-decrypt (journal-authentic):");
+  for (const s of audit.whoCanDecrypt) {
+    console.log(`    ${s.name.padEnd(24)} ${s.sealed ? "[sealed]" : "[unset] "} aud=[${s.audience.join(", ")}] -> ${s.recipients.length ? s.recipients.join(", ") : "(NO recipient — unreadable)"}`);
+  }
+  if (audit.drift.length) {
+    console.log("  DRIFT (audience.toml vs the signed-journal gate):");
+    for (const d of audit.drift) {
+      if (d.fileOnly.length)
+        console.log(`    ${d.handle}: file-only (NOT journal-authored) -> ${d.fileOnly.join(", ")}`);
+      if (d.authenticOnly.length)
+        console.log(`    ${d.handle}: journal-only (missing from file) -> ${d.authenticOnly.join(", ")}`);
+    }
+  } else {
+    console.log("  no file-vs-journal drift.");
+  }
+}
+function envAnchor(ctx, json) {
+  if (!envInitialized(ctx.solDir))
+    ctx.die("no .sol/env/ to anchor — run `sol env init` (or `sol secret declare`) first");
+  if (readCreatorPin(ctx.solDir))
+    ctx.die("already anchored: .sol/env/creator.pin exists — re-pinning is refused (it would be the re-bootstrap attack). nothing to do.");
+  const { id } = requireSigner(ctx, "env anchor");
+  writeCreatorPin(ctx.solDir, { accountId: id.accountId, authKey: id.signer.pub, x25519Pub: id.x25519Pub, opGenesis: opLogGenesis(ctx.solDir) });
+  if (json)
+    return void console.log(JSON.stringify({ anchored: { accountId: id.accountId, authKey: id.signer.pub, opGenesis: opLogGenesis(ctx.solDir) } }, null, 2));
+  console.log(`anchored .sol/env/ to creator @${id.accountId} (creator.pin written, cross-bound to the op-log genesis). \`sol env validate\` no longer warns UNANCHORED.`);
+}
+function runSecret(ctx, sub, args) {
+  switch (sub) {
+    case "declare":
+      return secretDeclare(ctx, args);
+    case "ref":
+      return secretRef(ctx, args);
+    case "set":
+      return secretSet(ctx, args);
+    case "config":
+      return secretConfig(ctx, args);
+    case "list":
+      return secretList(ctx, args);
+    case "reveal":
+      return secretReveal(ctx, args);
+    case "inject":
+      return secretInject(ctx, args);
+    case "audience":
+      return secretAudience(ctx, args);
+    case "export":
+      return secretExport(ctx, args);
+    case "audit":
+      return printAudit(auditEnv(ctx.solDir, requireEnv(ctx, args)), has(args, "--json"));
+    case "runtime":
+      return secretRuntime(ctx, positionals(args)[0], args);
+    default:
+      ctx.die(`unknown \`sol secret\` subcommand: ${sub ?? "(none)"} — declare | ref | set | config set | list | reveal | inject | export | audit | runtime | audience`);
+  }
+}
+function secretDeclare(ctx, args) {
+  const env = requireEnv(ctx, args);
+  const name = positionals(args)[0];
+  if (!name)
+    ctx.die("usage: sol secret declare NAME --env E [--audience h1,h2] [--hide-name] [--type T]");
+  const world = loadWorld(ctx.solDir);
+  const file = world.files[env];
+  if (!file)
+    ctx.die(`unknown env: ${env}`);
+  const audArg = flag(args, "--audience");
+  const aud = audArg ? audArg.split(",").map((s) => s.trim()).filter(Boolean) : undefined;
+  const prior = file.secrets.find((s) => s.name === name);
+  const id = manage(ctx);
+  const gate = canDeclare(ctx.solDir, prior, ctx.actor, id);
+  const guarded = gate.guarded;
+  if (guarded && !gate.allowed) {
+    ctx.die(`refused: ${ctx.actor} is not an authorized writer of ${name}@${env} — re-declaring an already-sealed secret (or repointing its audience) requires a current recipient (set SOL_RECOVERY_CODE, or have a recipient run this). declaring a NEW slot stays open.`);
+  }
+  if (guarded && !id)
+    requireSigner(ctx, `declare ${name}@${env}`);
+  const slot = { name };
+  if (flag(args, "--type"))
+    slot.type = flag(args, "--type");
+  if (aud)
+    slot.aud = aud;
+  else if (prior?.aud)
+    slot.aud = prior.aud;
+  if (has(args, "--hide-name"))
+    slot.hideName = true;
+  else if (prior?.hideName)
+    slot.hideName = true;
+  const reset = has(args, "--reset");
+  if (prior?.seal && !reset)
+    slot.seal = prior.seal;
+  file.secrets = file.secrets.filter((s) => s.name !== name);
+  file.secrets.push(slot);
+  writeEnvFile(ctx.solDir, file);
+  if (id) {
+    journal2(ctx, id, {
+      op: "declare",
+      env,
+      name,
+      recipientAtOp: recipientAtOp(ctx, prior?.seal, id),
+      prevSeal: prior?.seal,
+      newSeal: slot.seal,
+      prevAud: prior?.aud,
+      newAud: slot.aud,
+      at: Date.now()
+    });
+  }
+  regenerateSchema(ctx.solDir, loadWorld(ctx.solDir));
+  const stateNote = slot.seal ? "(seal preserved)" : prior?.seal && reset ? `(prior ciphertext ${prior.seal} kept for recovery)` : "UNSET";
+  console.log(`declared secret ${name} in ${env} ${slot.seal ? stateNote : `(${stateNote} — value via \`sol secret set ${name} --env ${env}\`)`}`);
+}
+function recipientAtOp(ctx, priorSeal, id) {
+  if (!priorSeal)
+    return true;
+  return canWriteSealed(ctx.solDir, priorSeal, ctx.actor, id?.open);
+}
+function secretRef(ctx, args) {
+  const env = requireEnv(ctx, args);
+  const name = positionals(args)[0];
+  if (!name)
+    ctx.die("usage: sol secret ref NAME --env E");
+  const world = loadWorld(ctx.solDir);
+  const slot = resolveOne(world, env).secrets.find((s) => s.name === name);
+  if (!slot)
+    ctx.die(`${name} is not declared in ${env} — \`sol secret declare\` it first`);
+  console.log(formatSolRef(env, name));
+}
+function secretSet(ctx, args) {
+  const env = requireEnv(ctx, args);
+  const name = positionals(args)[0];
+  if (!name)
+    ctx.die("usage: sol secret set NAME --env E   (value via no-echo TTY / --stdin / --fd, NEVER argv)");
+  const world = loadWorld(ctx.solDir);
+  const file = world.files[env];
+  if (!file)
+    ctx.die(`unknown env: ${env}`);
+  let slot = file.secrets.find((s) => s.name === name);
+  if (!slot) {
+    slot = { name };
+    file.secrets.push(slot);
+  }
+  const id = manage(ctx);
+  if (slot.seal && !canWriteSealed(ctx.solDir, slot.seal, ctx.actor, id?.open)) {
+    ctx.die(`refused: ${ctx.actor} is not an authorized writer of ${name}@${env} — only a current recipient may overwrite a sealed value (set SOL_RECOVERY_CODE, or have a recipient run this). declaring a slot stays open; SETTING a value is gated.`);
+  }
+  if (!id)
+    requireSigner(ctx, `set ${name}@${env}`);
+  const { recipientPubKeys, handles } = authenticSealRecipients(ctx, world, env, slot.aud);
+  const value = readSecretValue(ctx, args);
+  if (!value)
+    ctx.die("refusing to seal an empty value");
+  const priorSeal = slot.seal;
+  const priorAud = slot.aud;
+  const digest = writeSealedValueViaStore(ctx, value, recipientPubKeys);
+  slot.seal = digest;
+  slot.aud = handles;
+  writeEnvFile(ctx.solDir, file);
+  journal2(ctx, id, {
+    op: "set",
+    env,
+    name,
+    recipientAtOp: recipientAtOp(ctx, priorSeal, id),
+    prevSeal: priorSeal,
+    newSeal: digest,
+    prevAud: priorAud,
+    newAud: handles,
+    at: Date.now()
+  });
+  regenerateSchema(ctx.solDir, loadWorld(ctx.solDir));
+  console.log(`sealed ${name} in ${env} to [${handles.join(", ")}] (${digest}) — agent-blind, host-blind.`);
+}
+function secretConfig(ctx, args) {
+  if (positionals(args)[0] !== "set")
+    ctx.die("usage: sol secret config set KEY VAL --env E");
+  const env = requireEnv(ctx, args);
+  const pos = positionals(args).slice(1);
+  const key = pos[0];
+  const val = pos[1];
+  if (!key || val === undefined)
+    ctx.die("usage: sol secret config set KEY VAL --env E");
+  const world = loadWorld(ctx.solDir);
+  const file = world.files[env];
+  if (!file)
+    ctx.die(`unknown env: ${env}`);
+  if (resolveOne(world, env).secrets.some((s) => s.name === key)) {
+    ctx.die(`${key} is a SECRET in ${env} — it cannot be set as plaintext config. use \`sol secret set ${key} --env ${env}\`.`);
+  }
+  file.config[key] = val;
+  writeEnvFile(ctx.solDir, file);
+  regenerateSchema(ctx.solDir, loadWorld(ctx.solDir));
+  console.log(`set config ${key} in ${env}`);
+}
+function secretList(ctx, args) {
+  const env = requireEnv(ctx, args);
+  const world = loadWorld(ctx.solDir);
+  const rows = resolveOne(world, env).secrets.map((s) => ({
+    name: s.name,
+    env,
+    type: s.type,
+    audience: s.aud ?? world.files[env]?.audience ?? [],
+    set: !!s.seal,
+    hidden: !!s.hideName
+  }));
+  if (has(args, "--json"))
+    return void console.log(JSON.stringify(rows, null, 2));
+  for (const r of rows)
+    console.log(`${r.name.padEnd(24)} ${r.set ? "[sealed]" : "[unset] "} aud=[${r.audience.join(", ")}]${r.hidden ? " (name-hidden)" : ""}`);
+}
+function secretReveal(ctx, args) {
+  const env = requireEnv(ctx, args);
+  const name = positionals(args)[0];
+  if (!name)
+    ctx.die("usage: sol secret reveal NAME --env E");
+  const value = openSecret(ctx, env, name, flag(args, "--field"));
+  process.stdout.write(value + `
+`);
+}
+function secretInject(ctx, args) {
+  const env = requireEnv(ctx, args);
+  const dashdash = args.indexOf("--");
+  if (dashdash < 0 || dashdash === args.length - 1)
+    ctx.die("usage: sol secret inject --env E -- <cmd> [args...]");
+  const cmd = args.slice(dashdash + 1);
+  const world = loadWorld(ctx.solDir);
+  const self = ctx.loadSelfIdentity();
+  const injected = {};
+  let revealedCount = 0;
+  for (const s of resolveOne(world, env).secrets) {
+    if (!s.seal || s.hideName)
+      continue;
+    refuseUnanchoredSeal(ctx, env, s.name, s.seal);
+    const out = openOutcome(ctx.solDir, s.seal, ctx.actor, self);
+    if (out.kind === "tampered") {
+      ctx.die(`refused to inject: ${s.name}@${env} (${s.seal}) was TAMPERED in place — its bytes hash to ${out.actual}, not the pinned address. reseal or revert; no secrets injected.`);
+    }
+    if (out.kind !== "value")
+      continue;
+    injected[s.name] = out.value;
+    revealedCount++;
+  }
+  if (!revealedCount)
+    ctx.die(`no secrets in ${env} are readable by ${ctx.actor} — are you a recipient? (set SOL_RECOVERY_CODE)`);
+  process.stderr.write(`sol: injecting ${revealedCount} secret(s) into the subprocess env: ${Object.keys(injected).join(", ")}
+`);
+  const res = spawnSync(cmd[0], cmd.slice(1), { stdio: "inherit", env: { ...process.env, ...injected } });
+  process.exitCode = res.status ?? 1;
+}
+function secretExport(ctx, args) {
+  const env = requireEnv(ctx, args);
+  const format = flag(args, "--format") ?? "dotenv";
+  if (format !== "dotenv" && format !== "json")
+    ctx.die("--format expects dotenv | json");
+  const runtimeRoot = process.env.SOL_RUNTIME_RECOVERY_CODE;
+  const self = runtimeRoot ? runtimeSelfFromRoot(env, runtimeRoot) : ctx.loadSelfIdentity();
+  let result;
+  try {
+    result = exportEnvWith(ctx.solDir, env, self);
+  } catch (e) {
+    if (e instanceof ExportError)
+      ctx.die(e.message);
+    throw e;
+  }
+  const rendered = renderExport(result.secrets, format);
+  const fd = flag(args, "--fd");
+  if (fd !== undefined) {
+    const n = parseInt(fd, 10);
+    if (!Number.isInteger(n))
+      ctx.die("--fd expects a file descriptor number");
+    writeSync(n, rendered + `
+`);
+  } else if (process.stdout.isTTY) {
+    ctx.die(`refused: \`sol secret export\` writes ${result.names.length} secret value(s) — refusing to print onto a TTY. redirect to a file/pipe or pass --fd <n> (the value never belongs in a log/terminal).`);
+  } else {
+    process.stdout.write(rendered + `
+`);
+  }
+  process.stderr.write(`sol: exported ${result.names.length} secret(s) for ${env} as ${format}: ${result.names.join(", ")}${result.skipped.length ? ` (not a recipient of: ${result.skipped.join(", ")})` : ""}
+`);
+}
+function secretRuntime(ctx, op, args) {
+  const json = has(args, "--json");
+  if (op === "ls")
+    return runtimeLs(ctx, json);
+  if (op === "show")
+    return runtimeShow(ctx, requireEnv(ctx, args), json);
+  if (op === "provision")
+    return runtimeProvision(ctx, args);
+  ctx.die("usage: sol secret runtime provision --env E [--fd N] | ls | show --env E");
+}
+function runtimeLs(ctx, json) {
+  const world = loadWorld(ctx.solDir);
+  const rows = world.manifest.order.map((env) => ({ env, runtime: world.manifest.runtime[env] ?? null }));
+  if (json)
+    return void console.log(JSON.stringify(rows, null, 2));
+  for (const r of rows)
+    console.log(`${r.env.padEnd(14)} runtime=${r.runtime ?? "(none — `sol secret runtime provision --env " + r.env + "`)"}`);
+}
+function runtimeShow(ctx, env, json) {
+  const world = loadWorld(ctx.solDir);
+  const handle = world.manifest.runtime[env];
+  const account = runtimeAccountId(env);
+  const authentic = deriveAuthenticGate(ctx.solDir);
+  const inAudience = handle ? (authentic.handles[handle] ?? []).some((r) => r.accountId === account) : false;
+  const view = { env, runtimeHandle: handle ?? null, runtimeAccount: handle ? account : null, inAuthenticGate: inAudience };
+  if (json)
+    return void console.log(JSON.stringify(view, null, 2));
+  if (!handle)
+    return void console.log(`${env}: no runtime recipient — provision one with \`sol secret runtime provision --env ${env}\``);
+  console.log(`${env}: runtime ${handle} (${account})  in-authentic-gate=${inAudience ? "yes" : "NO (add via `sol env audience add` or re-provision)"}`);
+}
+async function runtimeProvision(ctx, args) {
+  const json = has(args, "--json");
+  const env = requireEnv(ctx, args);
+  if (!envInitialized(ctx.solDir))
+    ctx.die(`no .sol/env/ — run \`sol env init\` (or \`sol secret declare\`) first`);
+  const { id } = requireSigner(ctx, `runtime provision ${env}`);
+  const fdArg = flag(args, "--fd");
+  let sinkFd;
+  if (fdArg !== undefined) {
+    const n = parseInt(fdArg, 10);
+    if (!Number.isInteger(n))
+      ctx.die("--fd expects a file descriptor number");
+    sinkFd = n;
+  } else if (process.stdout.isTTY) {
+    ctx.die("refused: provisioning mints the bootstrap ROOT (the env's standing decryptor) — refusing to print it onto a TTY. pass --fd <n> (custody it write-only) or redirect stdout to a secure file/pipe.");
+  } else {
+    sinkFd = 1;
+  }
+  let captured;
+  const sink = {
+    async get() {
+      return;
+    },
+    async put(_e, root) {
+      captured = root;
+    }
+  };
+  const prov = await provisionRuntimeRecipient(env, sink);
+  if (!envInitialized(ctx.solDir))
+    envInitScaffold(ctx, undefined, id);
+  const world = loadWorld(ctx.solDir);
+  const audCtx = {
+    solDir: ctx.solDir,
+    die: ctx.die,
+    selfPub: (a) => a === prov.accountId ? prov.x25519Pub : undefined,
+    dirPub: async () => {
+      return;
+    },
+    selfEdPub: (a) => a === prov.accountId ? prov.edPub : undefined,
+    dirEdPub: async () => {
+      return;
+    }
+  };
+  guardHandleEdit(ctx, world.gate, prov.handle, id, prov.accountId);
+  const prevAud = (world.gate.handles[prov.handle] ?? []).map((r) => r.accountId);
+  const { gate } = await audienceAdd(audCtx, world.gate, prov.handle, prov.accountId, prov.x25519Pub);
+  writeAudienceDoc(ctx.solDir, gate);
+  journal2(ctx, id, { op: "audience-add", handle: prov.handle, members: memberSnapshot(gate, prov.handle), recipientAtOp: true, prevAud, newAud: (gate.handles[prov.handle] ?? []).map((r) => r.accountId), at: Date.now() });
+  world.manifest.runtime[env] = prov.handle;
+  writeManifest(ctx.solDir, world.manifest);
+  regenerateSchema(ctx.solDir, loadWorld(ctx.solDir));
+  if (captured === undefined)
+    ctx.die("provisioning did not mint a bootstrap root (internal error)");
+  writeSync(sinkFd, captured + `
+`);
+  process.stderr.write(`sol: provisioned runtime ${prov.handle} for ${env} (account ${prov.accountId}, X25519 ${prov.x25519Pub.slice(0, 16)}…).
+` + `  the BOOTSTRAP ROOT was written to ${fdArg !== undefined ? `fd ${sinkFd}` : "stdout (non-TTY sink)"} — CUSTODY IT WRITE-ONLY in your runtime secret store
+` + `  (e.g. the CF Secrets Store binding env.SOL_RUNTIME_ROOT). the runtime reads it at boot to export; the agent/host never holds it.
+`);
+  if (json) {
+    const pub = JSON.stringify({ env, handle: prov.handle, accountId: prov.accountId, x25519Pub: prov.x25519Pub, edPub: prov.edPub, keyEpoch: prov.keyEpoch, rootSink: fdArg !== undefined ? `fd:${sinkFd}` : "stdout" }, null, 2);
+    if (fdArg !== undefined)
+      console.log(pub);
+    else
+      process.stderr.write(pub + `
+`);
+  }
+}
+function secretAudience(ctx, args) {
+  const pos = positionals(args);
+  const op = pos[0];
+  const name = pos[1];
+  const handle = pos[2];
+  const env = requireEnv(ctx, args);
+  if (op !== "add" && op !== "rm" || !name || !handle)
+    ctx.die("usage: sol secret audience add|rm NAME --env E <handle>");
+  const world = loadWorld(ctx.solDir);
+  const file = world.files[env];
+  if (!file)
+    ctx.die(`unknown env: ${env}`);
+  const slot = file.secrets.find((s) => s.name === name);
+  if (!slot)
+    ctx.die(`${name} is not declared in ${env}`);
+  const id = manage(ctx);
+  const priorSeal = slot.seal;
+  const priorAud = slot.aud;
+  const current = new Set(slot.aud ?? world.files[env]?.audience ?? []);
+  if (op === "add")
+    current.add(handle);
+  else
+    current.delete(handle);
+  const nextAud = [...current];
+  if (!id)
+    requireSigner(ctx, `secret audience ${op} ${name}@${env}`);
+  if (slot.seal) {
+    const opened = openSealedValue(ctx.solDir, slot.seal, ctx.actor, id?.open);
+    if (opened === undefined || opened === UNREADABLE) {
+      ctx.die(`cannot reseal ${name}: you are not a current recipient (a recipient must run the audience change; set SOL_RECOVERY_CODE)`);
+    }
+    const { recipientPubKeys, handles } = authenticSealRecipients(ctx, { ...world, files: { ...world.files, [env]: { ...file, audience: nextAud } } }, env, nextAud);
+    const box = readSealedBoxEpoch(ctx, slot.seal);
+    const digest = writeSealedValueViaStore(ctx, opened, recipientPubKeys, box + 1);
+    slot.seal = digest;
+    slot.aud = handles;
+  } else {
+    slot.aud = nextAud;
+  }
+  writeEnvFile(ctx.solDir, file);
+  journal2(ctx, id, {
+    op: "secret-audience",
+    env,
+    name,
+    handle,
+    recipientAtOp: recipientAtOp(ctx, priorSeal, id),
+    prevSeal: priorSeal,
+    newSeal: slot.seal,
+    prevAud: priorAud,
+    newAud: slot.aud,
+    at: Date.now()
+  });
+  regenerateSchema(ctx.solDir, loadWorld(ctx.solDir));
+  console.log(`${op === "add" ? "added" : "removed"} ${handle} ${op === "add" ? "to" : "from"} ${name}@${env} -> aud=[${slot.aud.join(", ")}]${slot.seal ? " (resealed, epoch bumped)" : ""}`);
+}
+function writeSealedValueViaStore(ctx, value, recipientPubKeys, epoch = 1) {
+  return writeSealedValue(ctx.solDir, value, recipientPubKeys, epoch);
+}
+function readSealedBoxEpoch(ctx, digest) {
+  return readSealedBox(ctx.solDir, digest)?.epoch ?? 1;
+}
+function refuseUnanchoredSeal(ctx, env, name, seal) {
+  const key = `${env}/${name}`;
+  const issues = validateSealJournalBinding(ctx.solDir, new Map([[key, seal]]));
+  if (issues.length) {
+    ctx.die(`refused: ${key} (${seal}) is sealed under a FORGED/unanchored manifest seal — the SIGNED journal records no authorized set op for it (a non-recipient may seal a box to the owner's PUBLIC key and repoint the manifest while rolling the journal back). the value is NOT returned. run \`sol env validate\` and reseal with \`sol secret set ${name} --env ${env}\` or revert the tampering.`);
+  }
+}
+function openSecret(ctx, env, name, field) {
+  const world = loadWorld(ctx.solDir);
+  const slot = resolveOne(world, env).secrets.find((s) => s.name === name);
+  if (!slot)
+    ctx.die(`${name} is not declared in ${env}`);
+  if (!slot.seal)
+    ctx.die(`${name} in ${env} is declared but UNSET`);
+  refuseUnanchoredSeal(ctx, env, name, slot.seal);
+  const self = ctx.loadSelfIdentity();
+  const out = openOutcome(ctx.solDir, slot.seal, ctx.actor, self);
+  switch (out.kind) {
+    case "value":
+      return projectField(out.value, field);
+    case "absent":
+      ctx.die(`no sealed leaf for ${name} in ${env}`);
+    case "tampered":
+      ctx.die(`refused: the sealed leaf for ${name}@${env} (${slot.seal}) was TAMPERED — its bytes hash to ${out.actual}, not the pinned content address. a forged box was substituted in place. reseal with \`sol secret set ${name} --env ${env}\` or revert the tampering; the value is NOT returned.`);
+    case "not-recipient":
+      ctx.die(`refused: ${ctx.actor} is not in the audience for ${name}@${env} (host-blind / agent-blind — you hold no key)`);
+    case "decrypt-failed":
+      ctx.die(`decrypt failed for ${name}@${env}: a lockbox exists for ${ctx.actor} but the ciphertext won't open — the sealed leaf (${slot.seal}) is corrupted or tampered, or SOL_RECOVERY_CODE is wrong. reseal with \`sol secret set ${name} --env ${env}\`.`);
+  }
+}
+
+// src/secret/mcp-tools.ts
+class AgentRefusal extends Error {
+}
+function agentCtx(cfg) {
+  return {
+    solDir: cfg.solDir,
+    actor: cfg.actor ?? "agent",
+    loadSelfIdentity: () => {
+      return;
+    },
+    loadManageIdentity: cfg.loadManageIdentity,
+    die: (msg) => {
+      throw new AgentRefusal(msg);
+    },
+    selfPub: cfg.selfPub,
+    dirPub: cfg.dirPub,
+    selfEdPub: cfg.selfEdPub,
+    dirEdPub: cfg.dirEdPub,
+    remoteAnchorVerify: cfg.remoteAnchorVerify
+  };
+}
+async function capture(fn) {
+  const lines = [];
+  const orig = console.log;
+  console.log = (...args) => {
+    lines.push(args.map((a) => typeof a === "string" ? a : String(a)).join(" "));
+  };
+  try {
+    await fn();
+  } finally {
+    console.log = orig;
+  }
+  return lines.join(`
+`);
+}
+var sanitizer = new VaultSanitizer;
+function sanitizeEgress(text) {
+  return sanitizer.sanitize(text).sanitized;
+}
+var AGENT_TOOLS = [
+  { name: "env_list", description: "List every environment with inheritance + var counts. Schema only, no values.", inputSchema: { type: "object", properties: {} } },
+  { name: "env_show", description: "Show one resolved environment (base ⊕ overlay) as JSON: config values + per-secret name/type/audience/set?. NEVER a secret value.", inputSchema: { type: "object", properties: { env: { type: "string" } }, required: ["env"] } },
+  { name: "env_schema", description: "The cross-env schema.lock: every var name, kind, type, per-env presence + audience across ALL environments. Values dark.", inputSchema: { type: "object", properties: {} } },
+  { name: "env_diff", description: "Value-blind cross-env diff: added / removed / changed-SHAPE vars between two environments. Never value-equality.", inputSchema: { type: "object", properties: { a: { type: "string" }, b: { type: "string" } }, required: ["a", "b"] } },
+  { name: "env_validate", description: "Schema integrity: fail-closed, cross-env drift, ref + audience consistency, agent-in-no-audience invariant. Set remote=true to also cross-check the external owner anchor.", inputSchema: { type: "object", properties: { remote: { type: "string", description: '"true" to also consult the remote anchor' } } } },
+  { name: "secret_declare", description: "Declare a secret SLOT (name + audience + type) in an env. NO value — the slot is sealed-pending until a human/CI sets it via a side-channel. A brand-new slot is agent-safe; re-pointing an already-sealed slot is recipient-gated.", inputSchema: { type: "object", properties: { env: { type: "string" }, name: { type: "string" }, audience: { type: "string", description: "comma-separated handles, e.g. role:deploy,team:payments" }, type: { type: "string" }, hide_name: { type: "string", description: '"true" to hide the name in the host-visible schema' } }, required: ["env", "name"] } },
+  { name: "secret_ref", description: "Resolve a declared secret to its sol:// reference — the handle the agent puts in code/config. Never a value.", inputSchema: { type: "object", properties: { env: { type: "string" }, name: { type: "string" } }, required: ["env", "name"] } },
+  { name: "secret_list", description: "List declared secrets in an env: name + type + audience + set? status. NEVER values.", inputSchema: { type: "object", properties: { env: { type: "string" } }, required: ["env"] } },
+  { name: "secret_audit", description: "Audit an env: who-can-decrypt (the journal-authentic audience per secret) + drift (file-gate vs authentic-gate divergence, validation issues). Identifiers only, never values.", inputSchema: { type: "object", properties: { env: { type: "string" } }, required: ["env"] } },
+  { name: "secret_audience_ls", description: "List the audience gate (audience.toml): handle -> recipient accounts + pubkeys. Public material only.", inputSchema: { type: "object", properties: { handle: { type: "string", description: "optional — scope to one handle" } } } },
+  { name: "secret_audience_add", description: "Add a recipient account to an audience handle (signed gate op). Authz-gated per the CLI: a guardian handle is never self-enrollable; a keyless agent is refused.", inputSchema: { type: "object", properties: { handle: { type: "string" }, account: { type: "string" }, pubkey: { type: "string", description: "optional sol1pk_… (else fetched from the key directory)" } }, required: ["handle", "account"] } },
+  { name: "secret_audience_rm", description: "Remove a recipient account from an audience handle (signed gate op). No account drops the whole handle. Same authz as the CLI.", inputSchema: { type: "object", properties: { handle: { type: "string" }, account: { type: "string" } }, required: ["handle"] } },
+  { name: "deploy_trigger", description: "Check an environment is deploy-ready and emit the runtime export command the deploy executes. The agent orchestrates; the RUNTIME recipient (holding SOL_RUNTIME_RECOVERY_CODE) is the only decryptor. Returns readiness STATUS (each secret: sealed? runtime-recipient?), never a value.", inputSchema: { type: "object", properties: { env: { type: "string" } }, required: ["env"] } },
+  { name: "secret_export_trigger", description: "Same readiness check as deploy_trigger, plus the masked `sol secret export` invocation a deploy/boot runs to materialize NAME=value into a secure sink. The agent cannot read the output. Returns STATUS + the command, never values.", inputSchema: { type: "object", properties: { env: { type: "string" }, format: { type: "string", description: "dotenv | json (default dotenv)" } }, required: ["env"] } }
+];
+function deployReadiness(solDir, env, format) {
+  const world = loadWorld(solDir);
+  const resolved = resolveOne(world, env);
+  const authentic = deriveAuthenticGate(solDir);
+  const runtimeAcct = runtimeAccountId(env);
+  const runtimeMember = (handles) => handles.some((h) => (authentic.handles[h] ?? []).some((r) => r.accountId === runtimeAcct));
+  const secrets = resolved.secrets.map((s) => {
+    const aud = s.aud ?? resolved.audience ?? [];
+    return {
+      name: s.hideName ? "(name-hidden)" : s.name,
+      sealed: !!s.seal,
+      audience: aud,
+      runtimeRecipient: runtimeMember(aud)
+    };
+  });
+  const sealed = secrets.filter((s) => s.sealed);
+  const unsealed = secrets.filter((s) => !s.sealed).map((s) => s.name);
+  const notRuntime = sealed.filter((s) => !s.runtimeRecipient).map((s) => s.name);
+  const blockers = [];
+  if (unsealed.length)
+    blockers.push(`unsealed (no value yet): ${unsealed.join(", ")}`);
+  if (notRuntime.length)
+    blockers.push(`runtime ${runtimeHandle(env)} is NOT in the audience of: ${notRuntime.join(", ")}`);
+  if (!authentic.trustworthy)
+    blockers.push("the management journal does not verify (run env_validate)");
+  const fmt = format === "json" ? "json" : "dotenv";
+  return {
+    env,
+    runtimeHandle: runtimeHandle(env),
+    runtimeAccount: runtimeAcct,
+    secrets,
+    ready: blockers.length ? "blocked" : "ready",
+    blockers,
+    command: `sol secret export --env ${env} --format ${fmt} --fd 3 3>secrets.out`
+  };
+}
+async function callMcpTool(ctx, name, args = {}) {
+  const str = (k) => typeof args[k] === "string" ? args[k] : undefined;
+  const flag2 = (k) => args[k] === true || args[k] === "true";
+  const env = str("env");
+  const envFlag = env ? ["--env", env] : [];
+  const run = async () => {
+    switch (name) {
+      case "env_list":
+        return capture(() => runEnv(ctx, "ls", ["--json"]));
+      case "env_show":
+        return capture(() => runEnv(ctx, "show", [env, "--json"]));
+      case "env_schema":
+        return capture(() => runEnv(ctx, "schema", ["--json"]));
+      case "env_diff":
+        return capture(() => runEnv(ctx, "diff", [str("a"), str("b"), "--json"]));
+      case "env_validate":
+        return capture(() => runEnv(ctx, "validate", flag2("remote") ? ["--remote", "--json"] : ["--json"]));
+      case "secret_declare": {
+        const a = [str("name"), ...envFlag];
+        if (str("audience"))
+          a.push("--audience", str("audience"));
+        if (str("type"))
+          a.push("--type", str("type"));
+        if (flag2("hide_name"))
+          a.push("--hide-name");
+        return capture(() => runSecret(ctx, "declare", a));
+      }
+      case "secret_ref":
+        return capture(() => runSecret(ctx, "ref", [str("name"), ...envFlag]));
+      case "secret_list":
+        return capture(() => runSecret(ctx, "list", [...envFlag, "--json"]));
+      case "secret_audit":
+        return JSON.stringify(auditEnv(ctx.solDir, env), null, 2);
+      case "secret_audience_ls":
+        return capture(() => runEnv(ctx, "audience", ["ls", ...str("handle") ? [str("handle")] : [], "--json"]));
+      case "secret_audience_add": {
+        const a = ["add", str("handle"), str("account"), "--json"];
+        if (str("pubkey"))
+          a.push("--pubkey", str("pubkey"));
+        return capture(() => runEnv(ctx, "audience", a));
+      }
+      case "secret_audience_rm":
+        return capture(() => runEnv(ctx, "audience", ["rm", str("handle"), ...str("account") ? [str("account")] : [], "--json"]));
+      case "deploy_trigger":
+        return JSON.stringify(deployReadiness(ctx.solDir, env), null, 2);
+      case "secret_export_trigger":
+        return JSON.stringify(deployReadiness(ctx.solDir, env, str("format")), null, 2);
+      case "secret_set":
+      case "secret_reveal":
+      case "secret_inject":
+      case "secret_export":
+        throw new AgentRefusal(`refused: ${name} is not an agent tool — a value INPUT is a human side-channel and a value OUTPUT is recipient-gated. the agent is in no audience and cannot read or write a value.`);
+      default:
+        throw new AgentRefusal(`unknown tool: ${name}`);
+    }
+  };
+  try {
+    const out = await run();
+    return { text: sanitizeEgress(out) };
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    return { text: sanitizeEgress("sol: " + msg), isError: true };
+  }
+}
+
+// src/bin/identity-store.ts
+import { chmodSync, existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync6, writeFileSync as writeFileSync5 } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join as join4 } from "node:path";
+var IDENTITY_PATH = join4(homedir(), ".sol", "identity.json");
+function loadIdentity() {
+  if (!existsSync5(IDENTITY_PATH))
+    return;
+  try {
+    return JSON.parse(readFileSync6(IDENTITY_PATH, "utf8"));
+  } catch {
+    return;
+  }
+}
+var EXPORT_KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
+var VERIFIED_PATH = join4(homedir(), ".sol", "verified-keys.json");
+
+// src/bin/sol-secret-mcp.ts
+async function startSecretMcp(opts = {}) {
+  const { Server } = await import("@modelcontextprotocol/sdk/server/index.js");
+  const { StdioServerTransport } = await import("@modelcontextprotocol/sdk/server/stdio.js");
+  const { CallToolRequestSchema, ListToolsRequestSchema } = await import("@modelcontextprotocol/sdk/types.js");
+  const solDir = opts.solDir || process.env.SOL_DIR || join7(process.cwd(), ".sol");
+  if (!existsSync8(solDir)) {
+    process.stderr.write(`sol-secret-mcp: no .sol at ${solDir} \u2014 run \`sol init\` first (or set SOL_DIR)
+`);
+    process.exit(1);
+  }
+  const dirUrl = (process.env.SOL_REMOTE || "https://sol.midsummer.new").replace(/\/+$/, "");
+  async function fetchKey2(account) {
+    const { fetchKey: f } = await Promise.resolve().then(() => (init_seal_audience(), exports_seal_audience));
+    return f(dirUrl, account);
+  }
+  const ctx = agentCtx({
+    solDir,
+    actor: process.env.SOL_ACTOR || "agent",
+    selfPub: (account) => {
+      const id = loadIdentity();
+      return id && id.accountId === account ? id.x25519Pub : undefined;
+    },
+    selfEdPub: (account) => {
+      const id = loadIdentity();
+      return id && id.accountId === account ? id.edPub : undefined;
+    },
+    dirPub: async (account) => (await fetchKey2(account))?.x25519Pub,
+    dirEdPub: async (account) => (await fetchKey2(account))?.edPub
+  });
+  if (process.env.SOL_RECOVERY_CODE) {
+    const { loadManageIdentity: loadManageIdentity2 } = await Promise.resolve().then(() => (init_seal_audience(), exports_seal_audience));
+    ctx.loadManageIdentity = () => loadManageIdentity2();
+  }
+  const server = new Server({ name: "sol-secrets", version: "0.1.0" }, { capabilities: { tools: {} } });
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: AGENT_TOOLS }));
+  server.setRequestHandler(CallToolRequestSchema, async (req) => {
+    const r = await callMcpTool(ctx, req.params.name, req.params.arguments ?? {});
+    return { content: [{ type: "text", text: r.text }], isError: r.isError };
+  });
+  await server.connect(new StdioServerTransport);
+}
+if (__require.main == __require.module) {
+  startSecretMcp().catch((e) => {
+    process.stderr.write(`sol-secret-mcp: ${e?.message ?? e}
+`);
+    process.exit(1);
+  });
+}
+export {
+  startSecretMcp
+};