sandstream-kit 1.2.0 → 1.3.1

package/dist/cli.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
-import { readFileSync, existsSync } from "node:fs";
+import { readFileSync, writeFileSync } from "node:fs";
 import { writeFile, access, mkdir } from "node:fs/promises";
 import { fileURLToPath } from "node:url";
-import { resolve, dirname, join, basename } from "node:path";
-import { loadConfig, resolveActiveEnvironment } from "./config.js";
+import { resolve, dirname, join } from "node:path";
+import { loadConfig } from "./config.js";
 import { checkTools } from "./check-tools.js";
 import { checkServices } from "./check-services.js";
 import { checkSecrets } from "./check-secrets.js";
@@ -20,17 +20,16 @@ import { scanPlaintextSecrets } from "./scan-plaintext.js";
 import { planMigration, writeSecretToBackend, commentOutInFile, } from "./secrets-migrate.js";
 import { analyzeRepo, renderClaudeMd, renderRulesMd } from "./analyze.js";
 import { cmdSecretsRotate, pickBackendOpts } from "./secrets-rotate-cli.js";
+import { setSecretValue } from "./secrets-set.js";
 import { detectTools as detectPurgeTools, previewMatches, purgeHistory, } from "./secrets-purge-history.js";
 import { propagate, parseTargets, ALL_TARGETS, } from "./secrets-propagate.js";
 import { initAllowlist, checkAllowlist, addToAllowlist, checkSecretPolicy, } from "./security-policy.js";
 import { clearBumblebeeCache } from "./bumblebee.js";
-import { KNOWN_ENVS, readActiveEnv, writeActiveEnv, } from "./env-switch.js";
 import { scanStagedFiles } from "./scan-staged.js";
 import { scanBuildArtifacts } from "./scan-build.js";
 import { scanTranscripts } from "./scan-transcripts.js";
 import { sampleCosts } from "./cost-monitor.js";
-import { readSecretAuditEvents, groupBySecret, summarize, } from "./audit-secrets.js";
-import { requireElevation, consumeElevation, grantElevation, clearElevation, readElevation, verifyTotp, elevationTtlMinutes, enrollTotp, resolveTotpSecret, } from "./elevation.js";
+import { requireElevation, consumeElevation } from "./elevation.js";
 import { checkGitignore, patchGitignore, findCommittedSensitive, } from "./check-gitignore.js";
 import { auditPull, reportSeverity } from "./post-pull-audit.js";
 import { checkOneCliStatus, registerSecretInOneCli, generatePlaceholder, resolveOneCliConfig, } from "./secrets-onecli.js";
@@ -41,24 +40,28 @@ import { checkForUpdate, printUpdateNotice } from "./update-check.js";
 import { checkSkills } from "./check-skills.js";
 import { checkLockFiles } from "./check-lock.js";
 import { collectEscalations, formatEscalationMessage } from "./escalate.js";
-import { printToolsTable, printServicesTable, printSecretsTable, printSkillsTable, printWebSearchStatus, printSecurityTable, printLockTable, printSummary, printAuditTable, runStep, stepHeader, } from "./output.js";
+import { printToolsTable, printServicesTable, printSecretsTable, printSkillsTable, printWebSearchStatus, printSecurityTable, printLockTable, printSummary, runStep, stepHeader, } from "./output.js";
 import { checkRevocationStatus } from "./revocation.js";
 import { getBudgetStatus, formatBudgetStatus } from "./budget.js";
-import { readAuditLog } from "./audit.js";
 import { formatGovernanceStatus, mergeGovernanceConfigAsync } from "./governance.js";
 import { withGovernance } from "./governance-middleware.js";
-import { installHooks, SKIPPED_COMMITS_LOG } from "./hooks.js";
+import { SKIPPED_COMMITS_LOG } from "./hooks.js";
 import { writeAgentConfig, detectAgentTargets } from "./agent-config.js";
 import { checkHooks, isGitRepository } from "./check-hooks.js";
 import { readkitMeta, readSkillsLock, readCliLock, updateSkillsLock, updateCliLock, } from "./lock.js";
 import { provisionService, listAvailableServices, getServiceInfo } from "./provision.js";
 import { cmdFix } from "./fix.js";
 import { promptConfirm } from "./utils/prompt.js";
-import { startMcpServer } from "./mcp-server.js";
 import { c } from "./utils/colors.js";
 import { gatherStatus } from "./status.js";
+import { KIT_FILE, resolveConfigPath } from "./cli-shared.js";
+import { cmdEnv } from "./commands/env.js";
+import { cmdAuth } from "./commands/auth.js";
+import { cmdAudit } from "./commands/audit.js";
+import { cmdMcp } from "./commands/mcp.js";
+import { cmdHooks } from "./commands/hooks.js";
+import { resolveAllAuth } from "./service-auth.js";
 import { runDoctor } from "./doctor.js";
-import { inspectEnv } from "./env-inspect.js";
 import { detectStack } from "./stack-detector.js";
 import { generateToml } from "./toml-generator.js";
 import { createPlugin } from "./create-plugin.js";
@@ -69,23 +72,9 @@ import { listServices, openService } from "./open.js";
 import { gatherProjectContext } from "./context.js";
 import { runTriage, listTriageTools } from "./triage.js";
 import { parsePkgSpec, installPkg } from "./pkg.js";
-import { openMemoryDb, getStats, getMemoryDbPath, searchMessages } from "./memory/db.js";
-import { indexAllHarnesses } from "./memory/parser.js";
-import { mergeDb } from "./memory/merge.js";
-import { getCurrentProjectRoot } from "./memory/project.js";
-import { scanDbForSecrets } from "./memory/scan.js";
-import { backupEncrypted, restoreEncrypted } from "./memory/backup.js";
-import { shareEntry, listAreas, queryArea, getSharedPath, } from "./memory/shared.js";
-import { userPromptSubmitReminder, runSessionEndIndex, sessionStartRecovery } from "./memory/hook.js";
-import { installMemoryHooks, uninstallMemoryHooks, getClaudeSettingsPath, } from "./memory/install.js";
-import { palAdd, palList, palDone, palSnooze, palAutoVerify, importLegacyLedger, } from "./memory/pal.js";
-import { saveThread, listThreads, removeThread, latestSessionId, resolveThread, } from "./memory/threads.js";
-const KIT_FILE = ".kit.toml";
+import { cmdMemory } from "./commands/memory.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const KIT_VERSION = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8")).version;
-function resolveConfigPath() {
-    return resolve(process.cwd(), KIT_FILE);
-}
 async function cmdCheck() {
     const jsonMode = hasFlag(process.argv, "--json");
     const enforceTests = hasFlag(process.argv, "--enforce-tests");
@@ -471,6 +460,23 @@ async function cmdLogin() {
         servicesConfig = { [serviceFilter]: servicesConfig[serviceFilter] };
         console.log(`${c.dim}Filtering to service "${serviceFilter}"${retryCount ? ` (retries=${retryCount})` : ""}${c.reset}`);
     }
+    // `--plan`: read-only. Show the resolved auth strategy per service (vault /
+    // interactive / capture, + passkey warnings) without logging in to anything.
+    if (hasFlag(args, "--plan")) {
+        const plan = resolveAllAuth(servicesConfig);
+        if (hasFlag(args, "--json")) {
+            console.log(JSON.stringify(plan, null, 2));
+            return true;
+        }
+        console.log(`${c.bold}auth plan${c.reset}  ${c.dim}${plan.length} service(s)${c.reset}`);
+        for (const p of plan) {
+            const tag = p.passkey
+                ? `${c.yellow}${p.strategy} ⚿${c.reset}`
+                : `${c.cyan}${p.strategy}${c.reset}`;
+            console.log(`  ${tag}  ${p.name}  ${c.dim}${p.instruction}${c.reset}`);
+        }
+        return true;
+    }
     console.log(`${c.bold}${c.cyan}Authenticating services...${c.reset}`);
     return await withGovernance(config, {
         operation: "services.login",
@@ -548,6 +554,9 @@ async function cmdSecrets() {
     if (process.argv[3] === "propagate") {
         return cmdSecretsPropagateStandalone();
     }
+    if (process.argv[3] === "set") {
+        return cmdSecretsSet();
+    }
     if (process.argv[3] === "revoke-old") {
         return cmdSecretsRevokeOld();
     }
@@ -1025,612 +1034,6 @@ async function offerFirstInstallPrescan() {
     }
     console.log();
 }
-/** Built-in pre-commit hook: scans staged files for known credential patterns. */
-const BUILTIN_HOOKS = {
-    "secret-scan": {
-        hookName: "pre-commit",
-        commands: ["kit security scan-staged"],
-        description: "Block commits that stage known credential patterns (Stripe, AWS, JWT, etc).",
-    },
-    "post-pull-audit": {
-        hookName: "post-merge",
-        commands: ["kit security verify-pull"],
-        description: "After git pull/merge, audit new deps, gitignore drops, and introduced secrets.",
-    },
-};
-async function cmdHooks() {
-    const subcommand = process.argv[3];
-    // Built-in hooks bypass the .kit.toml config path so they're available
-    // on any repo, including ones that haven't run `kit init` yet.
-    if (subcommand === "add") {
-        return cmdHooksAdd();
-    }
-    const config = await loadConfig(resolveConfigPath());
-    if (!config.hooks || Object.keys(config.hooks).length === 0) {
-        console.log(`${c.dim}No hooks configured in ${KIT_FILE}${c.reset}`);
-        return true;
-    }
-    if (!isGitRepository()) {
-        console.log(`${c.red}Not a git repository${c.reset}`);
-        return false;
-    }
-    if (subcommand === "install" || !subcommand) {
-        console.log(`${c.bold}${c.cyan}Installing git hooks...${c.reset}\n`);
-        const results = await installHooks(config.hooks);
-        let allOk = true;
-        for (const r of results) {
-            const icon = r.action === "failed"
-                ? `${c.red}✗${c.reset}`
-                : `${c.green}✓${c.reset}`;
-            const label = r.action === "installed"
-                ? `${c.green}installed${c.reset}`
-                : r.action === "updated"
-                    ? `${c.green}updated${c.reset}`
-                    : r.action === "skipped"
-                        ? `${c.dim}skipped${c.reset}`
-                        : `${c.red}failed${c.reset}`;
-            console.log(`  ${icon} ${r.hookName}  ${label}  ${c.dim}${r.detail}${c.reset}`);
-            if (r.action === "failed")
-                allOk = false;
-        }
-        console.log();
-        return allOk;
-    }
-    else if (subcommand === "check") {
-        console.log(`${c.bold}${c.cyan}Git Hooks${c.reset}\n`);
-        const results = await checkHooks(config.hooks);
-        let allOk = true;
-        for (const r of results) {
-            const icon = !r.installed
-                ? `${c.red}✗${c.reset}`
-                : !r.upToDate
-                    ? `${c.yellow}!${c.reset}`
-                    : `${c.green}✓${c.reset}`;
-            const status = !r.installed
-                ? `${c.red}not installed${c.reset}`
-                : !r.upToDate
-                    ? `${c.yellow}outdated${c.reset}`
-                    : `${c.green}up-to-date${c.reset}`;
-            console.log(`  ${icon} ${r.hookName}  ${status}  ${c.dim}${r.detail}${c.reset}`);
-            if (!r.installed || !r.upToDate)
-                allOk = false;
-        }
-        if (!allOk) {
-            console.log(`\n${c.dim}Run ${c.reset}${c.bold}kit hooks install${c.reset}${c.dim} to install/update hooks${c.reset}`);
-        }
-        console.log();
-        return allOk;
-    }
-    else {
-        console.error(`Unknown hooks subcommand: ${subcommand}`);
-        console.error(`Usage: kit hooks [install|check|add <name>]`);
-        return false;
-    }
-}
-async function cmdHooksAdd() {
-    const name = process.argv[4];
-    if (!name) {
-        console.error(`${c.red}Usage: kit hooks add <name>${c.reset}\n${c.dim}Available built-in hooks:${c.reset}`);
-        for (const [k, v] of Object.entries(BUILTIN_HOOKS)) {
-            console.error(`  ${c.bold}${k}${c.reset} (git ${v.hookName}) — ${v.description}`);
-        }
-        return false;
-    }
-    const builtin = BUILTIN_HOOKS[name];
-    if (!builtin) {
-        console.error(`${c.red}No built-in hook named "${name}"${c.reset}`);
-        console.error(`${c.dim}Available: ${Object.keys(BUILTIN_HOOKS).join(", ")}${c.reset}`);
-        return false;
-    }
-    if (!isGitRepository()) {
-        console.error(`${c.red}Not a git repository${c.reset}`);
-        return false;
-    }
-    console.log(`${c.bold}${c.cyan}kit hooks add ${name}${c.reset}  ${c.dim}(git ${builtin.hookName})${c.reset}`);
-    console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
-    // Check whether the target hook is already present and contains a kit-
-    // managed step. If so, just confirm without re-writing.
-    const { hooksDir } = await ensureHooksDir();
-    const hookPath = `${hooksDir}/${builtin.hookName}`;
-    const { existsSync, readFileSync } = await import("node:fs");
-    if (existsSync(hookPath)) {
-        const existing = readFileSync(hookPath, "utf-8");
-        if (existing.includes(builtin.commands[0])) {
-            console.log(`  ${c.green}✓${c.reset} ${builtin.hookName} already has ${c.bold}${builtin.commands[0]}${c.reset}\n`);
-            return true;
-        }
-        console.log(`${c.yellow}⚠ ${builtin.hookName} already exists at ${hookPath}.${c.reset}`);
-        console.log(`${c.dim}kit will overwrite it with a managed version that calls back into kit.${c.reset}\n`);
-        if (!isNonInteractive()) {
-            const ok = await promptConfirm(`Overwrite? [Y/n] (auto-yes in 8s): `, 8000);
-            if (!ok) {
-                console.log(`${c.dim}Aborted.${c.reset}`);
-                return false;
-            }
-        }
-    }
-    const results = await installHooks({ [builtin.hookName]: builtin.commands });
-    const r = results[0];
-    if (r.action === "failed") {
-        console.error(`${c.red}✗ install failed: ${r.detail}${c.reset}`);
-        return false;
-    }
-    console.log(`  ${c.green}✓${c.reset} ${builtin.hookName}  ${c.green}${r.action}${c.reset}  ${c.dim}${r.detail}${c.reset}`);
-    console.log(`\n${c.dim}Test by staging a file with a fake credential (e.g. ${c.bold}sk_${"test"}_${"A".repeat(20)}${c.reset}${c.dim}) and running ${c.bold}git commit${c.reset}${c.dim} — the commit should be blocked.${c.reset}\n`);
-    return true;
-}
-async function ensureHooksDir() {
-    const { resolve } = await import("node:path");
-    return { hooksDir: resolve(process.cwd(), ".git", "hooks") };
-}
-/**
- * `kit mcp <list|status|auth|set-token|clear>` — declarative
- * MCP-server registry. The block in .kit.toml [mcp.<name>] declares
- * which MCPs the project intends to use; this command surfaces auth-state
- * and stages tokens for the kit-plugins to consume.
- *
- * Browser-OAuth flow itself is delegated — `kit mcp auth <name>`
- * prints the vendor's authorization URL and asks the operator to paste
- * back the callback URL (same pattern as the Sentry MCP auth flow this
- * session walked through). `kit mcp set-token <name>` is the
- * headless alternative for CI: read access-token from an env var.
- */
-async function cmdMcp() {
-    const sub = process.argv[3];
-    // An MCP client launches `kit mcp` and speaks the stdio transport — no
-    // sub-command and a non-TTY stdin. Start the server in that case. Interactive
-    // use (TTY) or any explicit sub falls through to the orchestrator below.
-    if (!sub && !process.stdin.isTTY) {
-        await startMcpServer();
-        return true;
-    }
-    const config = await loadConfig(resolveConfigPath()).catch(() => null);
-    const mcpConfig = config?.mcp;
-    const { statusAll, statusForMcp, clearMcpToken, storeStaticToken, } = await import("./mcp-orchestrator.js");
-    if (!sub || sub === "list" || sub === "status") {
-        console.log(`${c.bold}${c.cyan}kit mcp${c.reset}`);
-        console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
-        const entries = await statusAll(mcpConfig);
-        if (entries.length === 0) {
-            console.log(`${c.dim}No [mcp.*] blocks declared in .kit.toml${c.reset}`);
-            console.log(`${c.dim}Add e.g. [mcp.sentry] scopes = ["org:read", "project:write"]${c.reset}`);
-            return true;
-        }
-        for (const e of entries) {
-            const color = e.status === "ok"
-                ? c.green
-                : e.status === "missing" || e.status === "expired"
-                    ? c.yellow
-                    : c.red;
-            const marker = e.status === "ok" ? "✓" : e.status === "missing" ? "?" : "✗";
-            const scopeStr = e.declared?.scopes ? ` ${c.dim}[${e.declared.scopes.join(", ")}]${c.reset}` : "";
-            console.log(`  ${color}${marker}${c.reset} ${e.name.padEnd(14)} ${color}${e.status}${c.reset}${scopeStr}`);
-            if (e.detail)
-                console.log(`     ${c.dim}${e.detail}${c.reset}`);
-        }
-        console.log();
-        return entries.every((e) => e.status === "ok" || e.status === "missing");
-    }
-    if (sub === "auth") {
-        const name = process.argv[4];
-        if (!name) {
-            console.error(`${c.red}Usage: kit mcp auth <name>${c.reset}`);
-            return false;
-        }
-        const declared = mcpConfig?.[name];
-        if (!declared) {
-            console.error(`${c.red}No [mcp.${name}] block in .kit.toml${c.reset}`);
-            return false;
-        }
-        // For now we surface vendor-specific guidance; full OAuth flow is
-        // delegated to the operator (paste callback URL). When the vendor's
-        // MCP server publishes a stable /authorize endpoint we can fully
-        // automate.
-        const authUrl = declared.url ?? `https://mcp.${name}.dev`;
-        console.log(`${c.bold}Authorize kit for MCP server "${name}"${c.reset}`);
-        console.log(`${c.dim}Vendor URL: ${authUrl}${c.reset}`);
-        console.log(`${c.dim}Required scopes: ${(declared.scopes ?? ["(none declared)"]).join(", ")}${c.reset}\n`);
-        console.log(`${c.yellow}OAuth-flow not yet automated for "${name}". Two options:${c.reset}`);
-        console.log(`  1. Set env var: ${c.bold}kit mcp set-token ${name} --from-env <VAR>${c.reset}`);
-        console.log(`  2. Paste token: ${c.bold}kit mcp set-token ${name} --paste${c.reset}`);
-        return true;
-    }
-    if (sub === "set-token") {
-        const name = process.argv[4];
-        if (!name) {
-            console.error(`${c.red}Usage: kit mcp set-token <name> [--from-env VAR | --paste]${c.reset}`);
-            return false;
-        }
-        const args = process.argv.slice(5);
-        const fromEnvIdx = args.indexOf("--from-env");
-        let accessToken;
-        if (fromEnvIdx >= 0 && args[fromEnvIdx + 1]) {
-            const envVar = args[fromEnvIdx + 1];
-            accessToken = process.env[envVar];
-            if (!accessToken) {
-                console.error(`${c.red}Env var ${envVar} is empty${c.reset}`);
-                return false;
-            }
-        }
-        else if (hasFlag(args, "--paste")) {
-            const readline = await import("node:readline/promises");
-            const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-            try {
-                accessToken = (await rl.question(`Paste access token for "${name}": `)).trim();
-            }
-            finally {
-                rl.close();
-            }
-        }
-        else {
-            console.error(`${c.red}Missing --from-env <VAR> or --paste${c.reset}`);
-            return false;
-        }
-        const declared = mcpConfig?.[name];
-        await storeStaticToken(name, accessToken, {
-            scopes: declared?.scopes,
-        });
-        console.log(`${c.green}✓${c.reset} Token stored for ${name} in ~/.kit/mcp-tokens.json (chmod 0o600)`);
-        const status = await statusForMcp(name, declared ?? null);
-        console.log(`${c.dim}Status: ${status.status}${c.reset}`);
-        return true;
-    }
-    if (sub === "clear") {
-        const name = process.argv[4];
-        if (!name) {
-            console.error(`${c.red}Usage: kit mcp clear <name>${c.reset}`);
-            return false;
-        }
-        await clearMcpToken(name);
-        console.log(`${c.green}✓${c.reset} Cleared token for ${name}`);
-        return true;
-    }
-    console.error(`${c.red}Usage: kit mcp [list | status | auth <name> | set-token <name> | clear <name>]${c.reset}`);
-    return false;
-}
-async function cmdAuth() {
-    const sub = process.argv[3];
-    if (sub === "elevate")
-        return cmdAuthElevate();
-    if (sub === "status")
-        return cmdAuthStatus();
-    if (sub === "revoke")
-        return cmdAuthRevoke();
-    if (sub === "setup-totp")
-        return cmdAuthSetupTotp();
-    console.error(`${c.red}Usage: kit auth [elevate | status | revoke | setup-totp]${c.reset}`);
-    return false;
-}
-async function cmdAuthSetupTotp() {
-    // kit auth setup-totp [--issuer <name>] [--account <user@host>] [--overwrite]
-    const args = process.argv.slice(4);
-    const issuerIdx = args.indexOf("--issuer");
-    const accountIdx = args.indexOf("--account");
-    const overwrite = hasFlag(args, "--overwrite");
-    const issuer = issuerIdx >= 0 ? args[issuerIdx + 1] : "kit";
-    const defaultAccount = `${process.env.USER ?? "user"}@${process.env.HOSTNAME ?? "host"}`;
-    const accountName = accountIdx >= 0 ? args[accountIdx + 1] : defaultAccount;
-    console.log(`${c.bold}${c.cyan}kit auth setup-totp${c.reset}`);
-    console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
-    let result;
-    try {
-        result = await enrollTotp({ accountName, issuer, overwrite });
-    }
-    catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        console.error(`${c.red}✗ ${msg}${c.reset}`);
-        console.error(`${c.dim}If you intentionally want to replace the existing secret, re-run with ${c.bold}--overwrite${c.reset}${c.dim} (your old authenticator entry will stop working).${c.reset}\n`);
-        return false;
-    }
-    console.log(`  ${c.green}✓${c.reset} secret written to ${result.filePath}  ${c.dim}(chmod 600)${c.reset}\n`);
-    console.log(`${c.bold}Provisioning URI:${c.reset}`);
-    console.log(`  ${c.dim}${result.uri}${c.reset}\n`);
-    console.log(`${c.bold}Or enter the secret manually in your authenticator app:${c.reset}`);
-    console.log(`  ${c.bold}Secret:${c.reset}  ${result.secret}`);
-    console.log(`  ${c.bold}Account:${c.reset} ${accountName}`);
-    console.log(`  ${c.bold}Issuer:${c.reset}  ${issuer}\n`);
-    console.log(`${c.bold}Verify enrollment — the next 6-digit code should be:${c.reset}`);
-    console.log(`  ${c.bold}${result.currentCode}${c.reset}  ${c.dim}(or the one shown in your authenticator right now)${c.reset}\n`);
-    console.log(`${c.dim}Future ${c.bold}kit auth elevate${c.reset}${c.dim} runs will prompt for the TOTP code automatically.${c.reset}`);
-    console.log(`${c.dim}Override with ${c.bold}KIT_TOTP_SECRET=...${c.reset}${c.dim} in CI / scripted contexts.${c.reset}\n`);
-    return true;
-}
-async function cmdAuthElevate() {
-    const args = process.argv.slice(4);
-    const scope = flagValue(args, "--scope") ?? "all";
-    const ttlIdx = args.indexOf("--ttl-minutes");
-    if (ttlIdx >= 0 && args[ttlIdx + 1]) {
-        const n = parseInt(args[ttlIdx + 1], 10);
-        if (Number.isFinite(n) && n > 0 && n <= 240) {
-            process.env.KIT_ELEVATION_TTL_MINUTES = String(n);
-        }
-    }
-    console.log(`${c.bold}${c.cyan}kit auth elevate${c.reset}  ${c.dim}(scope=${scope})${c.reset}`);
-    console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
-    if (isNonInteractive()) {
-        console.error(`${c.red}✗ Elevation requires an interactive TTY. Cannot run from agent / CI.${c.reset}`);
-        console.error(`${c.dim}For CI deploy jobs that legitimately need a destructive op, set ${c.bold}KIT_ELEVATED=1${c.reset}${c.dim} (and audit-log the use).${c.reset}\n`);
-        return false;
-    }
-    // Resolve from env first, then ~/.kit/totp-secret (created by
-    // `kit auth setup-totp`).
-    const totpSecret = await resolveTotpSecret();
-    let method = "yes-prompt";
-    if (totpSecret) {
-        method = "totp";
-        const readline = await import("node:readline/promises");
-        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-        try {
-            const code = (await rl.question(`Enter 6-digit TOTP from your authenticator: `)).trim();
-            if (!verifyTotp(code, totpSecret)) {
-                console.error(`${c.red}✗ Invalid TOTP code.${c.reset}`);
-                return false;
-            }
-        }
-        finally {
-            rl.close();
-        }
-    }
-    else {
-        const ok = await promptConfirm(`Confirm elevation [type YES, default no in 15s]: `, 15_000, false);
-        if (!ok) {
-            console.log(`${c.dim}Aborted.${c.reset}`);
-            return false;
-        }
-    }
-    const state = await grantElevation(scope, method);
-    console.log(`  ${c.green}✓${c.reset} elevated  ${c.dim}scope=${state.scope}  method=${state.method}  expires=${state.expiresAt}${c.reset}`);
-    console.log(`\n${c.dim}Destructive secret ops (rotate, migrate, onecli register, propagate) are unlocked for ${elevationTtlMinutes()}m. Run ${c.bold}kit auth revoke${c.reset}${c.dim} to drop early.${c.reset}\n`);
-    return true;
-}
-async function cmdAuthStatus() {
-    const state = await readElevation(process.cwd());
-    if (!state) {
-        console.log(`${c.dim}Not elevated.${c.reset}`);
-        return true;
-    }
-    const expires = Date.parse(state.expiresAt);
-    const valid = Number.isFinite(expires) && expires > Date.now();
-    const status = valid
-        ? `${c.green}active${c.reset}  ${c.dim}(expires ${state.expiresAt})${c.reset}`
-        : `${c.red}expired${c.reset}  ${c.dim}(at ${state.expiresAt})${c.reset}`;
-    console.log(`${status}  scope=${state.scope}  method=${state.method}  granter=${state.granter}`);
-    return true;
-}
-async function cmdAuthRevoke() {
-    await clearElevation(process.cwd());
-    console.log(`${c.green}✓${c.reset} elevation marker cleared.`);
-    return true;
-}
-async function cmdAuditSecrets() {
-    const args = process.argv.slice(4); // after "audit secrets"
-    const sinceIdx = args.indexOf("--since-days");
-    const sinceDays = sinceIdx >= 0 && args[sinceIdx + 1] ? parseInt(args[sinceIdx + 1], 10) : 30;
-    const keyFilter = flagValue(args, "--key");
-    const jsonMode = hasFlag(args, "--json");
-    const events = await readSecretAuditEvents(process.cwd(), sinceDays);
-    const { reports, unattributed } = groupBySecret(events);
-    const filteredReports = keyFilter
-        ? reports.filter((r) => r.key === keyFilter)
-        : reports;
-    const summary = summarize(filteredReports, sinceDays);
-    if (jsonMode) {
-        console.log(JSON.stringify({ summary, reports: filteredReports, unattributed }, null, 2));
-        return true;
-    }
-    console.log(`${c.bold}${c.cyan}kit audit secrets${c.reset}  ${c.dim}(last ${sinceDays}d)${c.reset}`);
-    console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
-    if (events.length === 0) {
-        console.log(`${c.dim}No secret-related events in audit log (.kit-audit.jsonl).${c.reset}\n`);
-        return true;
-    }
-    console.log(`${c.bold}${summary.totalEvents}${c.reset} event(s) across ${c.bold}${summary.keyCount}${c.reset} key(s)`);
-    if (summary.topKey) {
-        console.log(`${c.dim}Most touched: ${c.bold}${summary.topKey.key}${c.reset}${c.dim} (${summary.topKey.count} events)${c.reset}`);
-    }
-    console.log();
-    for (const r of filteredReports.slice(0, 20)) {
-        console.log(`${c.bold}${r.key}${c.reset}  ${c.dim}(${r.events.length} events)${c.reset}`);
-        for (const e of r.events.slice(-10)) {
-            const icon = e.success ? `${c.green}✓${c.reset}` : `${c.red}✗${c.reset}`;
-            const ts = e.timestamp.slice(0, 19);
-            const agent = e.agent ? `[${e.agent}]` : "";
-            const detail = e.detail ? `  ${c.dim}${e.detail}${c.reset}` : "";
-            console.log(`  ${icon} ${ts}  ${e.operation}  ${c.dim}${agent}${c.reset}${detail}`);
-        }
-        if (r.events.length > 10) {
-            console.log(`  ${c.dim}… ${r.events.length - 10} earlier events truncated${c.reset}`);
-        }
-        console.log();
-    }
-    if (!keyFilter && unattributed.length > 0) {
-        console.log(`${c.dim}+ ${unattributed.length} event(s) couldn't be tied to a specific key. Use ${c.bold}--json${c.reset}${c.dim} for the full set.${c.reset}\n`);
-    }
-    return true;
-}
-async function cmdAudit() {
-    const args = process.argv.slice(3);
-    // Sub-sub: kit audit secrets [--since-days N] [--key NAME] [--json]
-    if (args[0] === "secrets") {
-        return cmdAuditSecrets();
-    }
-    // Parse --limit N
-    let limit = 20;
-    const limitIdx = args.indexOf("--limit");
-    if (limitIdx !== -1 && args[limitIdx + 1]) {
-        const parsed = parseInt(args[limitIdx + 1], 10);
-        if (!isNaN(parsed) && parsed > 0)
-            limit = parsed;
-    }
-    // Parse --operation <name>
-    let operationFilter;
-    const opIdx = args.indexOf("--operation");
-    if (opIdx !== -1 && args[opIdx + 1]) {
-        operationFilter = args[opIdx + 1];
-    }
-    // Determine log file path (use config if available, else default)
-    let logFile = ".kit-audit.jsonl";
-    try {
-        const config = await loadConfig(resolveConfigPath());
-        const govFile = config.governance?.audit?.log_file;
-        if (govFile)
-            logFile = govFile;
-    }
-    catch {
-        // No .kit.toml — use default log file
-    }
-    let events = await readAuditLog(logFile, limit * 5); // read extra to allow filtering
-    if (operationFilter) {
-        events = events.filter((e) => e.operation.includes(operationFilter));
-    }
-    // Apply limit after filter
-    events = events.slice(-limit);
-    printAuditTable(events);
-    if (events.length > 0) {
-        console.log();
-        console.log(`${c.dim}Showing ${events.length} entries from ${logFile}${c.reset}`);
-    }
-    return true;
-}
-async function cmdEnvList() {
-    let config;
-    try {
-        // Load base config without env merge so we can inspect [env.*] sections
-        config = await loadConfig(resolveConfigPath(), "dev");
-    }
-    catch {
-        console.log(`${c.dim}No .kit.toml found — no environments configured.${c.reset}`);
-        return true;
-    }
-    const activeEnv = resolveActiveEnvironment();
-    const envSections = config.env ?? {};
-    const envNames = ["dev", ...Object.keys(envSections).filter((k) => k !== "dev")];
-    console.log(`${c.bold}${c.cyan}Environments${c.reset}  ${c.dim}(active: ${activeEnv})${c.reset}\n`);
-    for (const name of envNames) {
-        const isActive = name === activeEnv;
-        const marker = isActive ? `${c.green}●${c.reset} ` : "  ";
-        const override = envSections[name];
-        if (!override) {
-            console.log(`  ${marker}${c.bold}${name}${c.reset}  ${c.dim}base config (default)${c.reset}`);
-            continue;
-        }
-        // Summarise which keys are overridden
-        const overrideKeys = [];
-        if (override.tools)
-            overrideKeys.push(`tools(${Object.keys(override.tools).join(",")})`);
-        if (override.secrets)
-            overrideKeys.push(`secrets.store=${override.secrets.store ?? "?"}`);
-        if (override.services)
-            overrideKeys.push(`services(${Object.keys(override.services).join(",")})`);
-        if (override.governance)
-            overrideKeys.push("governance");
-        if (override.skills)
-            overrideKeys.push("skills");
-        const summary = overrideKeys.length > 0 ? overrideKeys.join(", ") : "no overrides";
-        console.log(`  ${marker}${c.bold}${name}${c.reset}  ${c.dim}${summary}${c.reset}`);
-    }
-    if (Object.keys(envSections).length === 0) {
-        console.log(`${c.dim}\nNo [env.*] sections defined in .kit.toml.${c.reset}`);
-        console.log(`${c.dim}Add [env.staging.*] or [env.production.*] to configure per-environment overrides.${c.reset}`);
-    }
-    console.log();
-    return true;
-}
-async function cmdEnvSwitch() {
-    // argv layout: [node, cli.js, "env", "switch", "<target>"]
-    const target = process.argv[4];
-    if (!target || !KNOWN_ENVS.includes(target)) {
-        console.error(`${c.red}Usage: kit env switch <${KNOWN_ENVS.join("|")}>${c.reset}`);
-        return false;
-    }
-    const env = target;
-    console.log(`${c.bold}${c.cyan}kit env switch ${env}${c.reset}`);
-    console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
-    if (env === "prod" && !isNonInteractive()) {
-        console.log(`${c.red}⚠ Switching to ${c.bold}prod${c.reset}${c.red} unlocks production credentials in this shell.${c.reset}`);
-        console.log(`${c.dim}Anything that reads ${c.bold}.env.local${c.reset}${c.dim} after this point can call live services.${c.reset}\n`);
-        const ok = await promptConfirm(`Continue? [y/N] (auto-no in 10s): `, 10_000, false);
-        if (!ok) {
-            console.log(`${c.dim}Aborted — active env unchanged.${c.reset}`);
-            return false;
-        }
-    }
-    const state = await writeActiveEnv(env, process.cwd());
-    console.log(`  ${c.green}✓${c.reset} active env is now ${c.bold}${state.env}${c.reset}  ${c.dim}(by ${state.switchedBy} at ${state.switchedAt})${c.reset}`);
-    if (env === "prod") {
-        console.log(`\n${c.dim}Re-run ${c.bold}kit secrets${c.reset}${c.dim} to materialize prod values into .env.local. ${c.bold}kit env switch dev${c.reset}${c.dim} when done.${c.reset}\n`);
-    }
-    else {
-        console.log(`\n${c.dim}Prod-scoped keys are now refused unless you switch back or set ${c.bold}KIT_PROD_OK=1${c.reset}${c.dim}.${c.reset}\n`);
-    }
-    return true;
-}
-async function cmdEnvCurrent() {
-    const state = await readActiveEnv(process.cwd());
-    if (!state) {
-        console.log(`${c.dim}No active env set (defaulting to ${c.bold}dev${c.reset}${c.dim}). Run ${c.bold}kit env switch <env>${c.reset}${c.dim} to set one.${c.reset}`);
-        console.log(`dev`);
-        return true;
-    }
-    const color = state.env === "prod" ? c.red : state.env === "staging" ? c.yellow : c.green;
-    console.log(`${color}${state.env}${c.reset}  ${c.dim}(set ${state.switchedAt} by ${state.switchedBy})${c.reset}`);
-    return true;
-}
-async function cmdEnv() {
-    const args = process.argv.slice(2); // includes "env"
-    // Route subcommand: kit env list / switch / current / validate
-    if (args[1] === "list")
-        return cmdEnvList();
-    if (args[1] === "switch")
-        return cmdEnvSwitch();
-    if (args[1] === "current")
-        return cmdEnvCurrent();
-    const showValues = hasFlag(args, "--show-values");
-    const missingOnly = hasFlag(args, "--missing");
-    const jsonMode = hasFlag(args, "--json");
-    let config = {};
-    try {
-        config = await loadConfig(resolveConfigPath());
-    }
-    catch {
-        // Works without .kit.toml — shows .env.local contents only
-    }
-    const result = await inspectEnv(config, { showValues, missingOnly, cwd: process.cwd() });
-    if (jsonMode) {
-        console.log(JSON.stringify(result, null, 2));
-        return result.ok;
-    }
-    console.log(`${c.bold}${c.cyan}Environment${c.reset}`);
-    console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
-    if (!result.envLocalExists) {
-        console.log(`${c.yellow}⚠${c.reset}  .env.local not found — run ${c.bold}kit secrets${c.reset} to generate it\n`);
-    }
-    if (result.keys.length === 0) {
-        if (missingOnly) {
-            console.log(`${c.green}✓${c.reset}  All keys are set\n`);
-        }
-        else {
-            console.log(`${c.dim}No keys configured or found${c.reset}\n`);
-        }
-        return result.ok;
-    }
-    for (const key of result.keys) {
-        const icon = key.set ? `${c.green}✓${c.reset}` : `${c.red}✗${c.reset}`;
-        const valueStr = key.set
-            ? showValues
-                ? `${c.dim}${key.value}${c.reset}`
-                : `${c.dim}${key.redacted}${c.reset}`
-            : `${c.red}not set${c.reset}`;
-        const src = `${c.dim}[${key.source}]${c.reset}`;
-        console.log(`  ${icon} ${key.name}  ${valueStr}  ${src}`);
-    }
-    console.log();
-    if (!result.ok && !missingOnly) {
-        console.log(`${c.dim}Run ${c.reset}${c.bold}kit env --missing${c.reset}${c.dim} to see only unset keys${c.reset}`);
-        console.log(`${c.dim}Run ${c.reset}${c.bold}kit secrets${c.reset}${c.dim} to generate .env.local${c.reset}\n`);
-    }
-    return result.ok;
-}
 async function cmdDoctor() {
     console.log(`${c.bold}${c.cyan}kit doctor${c.reset}`);
     console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
@@ -1934,6 +1337,52 @@ async function cmdSecretsRevokeOld() {
     console.log(`\n${c.dim}Verify with ${c.bold}kit secrets onecli status${c.reset}${c.dim} or the Supabase Dashboard.${c.reset}\n`);
     return true;
 }
+async function cmdSecretsSet() {
+    // kit secrets set <KEY> [--value <v> | --stdin] [--store <backend>]
+    // Capture-to-vault: write a user-provided value to the configured vault. This
+    // is the execution behind a service's `auth = "capture"` strategy. The value
+    // is read via --stdin (safer — not in argv/ps) or --value; kit reuses the
+    // existing setSecretValue path, so it never echoes or logs the secret.
+    const args = process.argv.slice(3);
+    const keyName = process.argv[4];
+    if (!keyName || keyName.startsWith("--")) {
+        console.error(`${c.red}Usage: kit secrets set <KEY> [--value <v> | --stdin] [--store <backend>]${c.reset}`);
+        return false;
+    }
+    const config = await loadConfig(resolveConfigPath());
+    // Read value: --value <v> (visible in argv/ps) or --stdin (safer).
+    let value;
+    const valueIdx = args.indexOf("--value");
+    if (valueIdx >= 0)
+        value = args[valueIdx + 1];
+    if (!value && hasFlag(args, "--stdin")) {
+        value = await new Promise((resolve) => {
+            let buf = "";
+            process.stdin.setEncoding("utf-8");
+            process.stdin.on("data", (chunk) => {
+                buf += chunk;
+            });
+            process.stdin.on("end", () => resolve(buf.trim()));
+        });
+    }
+    if (!value) {
+        console.error(`${c.red}Provide the value via --stdin (safer) or --value <v> (visible in argv/ps).${c.reset}`);
+        return false;
+    }
+    const storeIdx = args.indexOf("--store");
+    const storeOverride = storeIdx >= 0 ? args[storeIdx + 1] : undefined;
+    const backendOpts = pickBackendOpts(config.secrets ?? {}, keyName, { envFallback: true });
+    const result = await setSecretValue(config.secrets, keyName, value, {
+        ...backendOpts,
+        store: storeOverride,
+    });
+    if (!result.ok) {
+        console.error(`${c.red}✗ ${result.detail}${c.reset}`);
+        return false;
+    }
+    console.log(`${c.green}✓${c.reset} captured ${c.bold}${keyName}${c.reset} to the vault ${c.dim}(${result.detail})${c.reset}`);
+    return true;
+}
 async function cmdSecretsPropagateStandalone() {
     // kit secrets propagate <KEY> --value <v> | --stdin --to <targets> [opts]
     const args = process.argv.slice(4);
@@ -2227,7 +1676,7 @@ async function cmdSecretsVaultMigrate() {
         console.log("");
         console.log("Migration is gated by elevation (one-shot — consumed on use):");
         console.log("  kit auth elevate --scope vault-migrate");
-        return !fromArg || !toArg ? false : true;
+        return !(!fromArg || !toArg);
     }
     console.log(`${c.bold}${c.cyan}kit secrets vault-migrate${c.reset}`);
     console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
@@ -2354,8 +1803,9 @@ function emitGitlabJunit(checks, allOk) {
     }
     lines.push(`  </testsuite>`, `</testsuites>`);
     const xml = lines.join("\n");
-    // Write to file for GitLab artifact collection
-    import("node:fs/promises").then(({ writeFile }) => writeFile("kit-report.xml", xml, "utf8"));
+    // Write to file for GitLab artifact collection — synchronous so the report is
+    // guaranteed flushed before this (sync) function returns.
+    writeFileSync("kit-report.xml", xml, "utf8");
     if (!allOk || warnings.length > 0) {
         console.log(`CI report written to kit-report.xml (${failures.length} failures, ${warnings.length} warnings)`);
     }
@@ -3220,7 +2670,7 @@ async function cmdOpen() {
     const args = process.argv.slice(2);
     const serviceName = args[1];
     // Load env from .env.local for dashboard URL resolution
-    let env = {};
+    const env = {};
     try {
         const envPath = resolve(process.cwd(), ".env.local");
         const { readFileSync } = await import("node:fs");
@@ -3423,6 +2873,7 @@ const COMMAND_HELP = {
     "memory index": "Index ~/.claude transcripts into the SQLite memory store",
     "memory search": "Full-text search memory (current project; --global for all)",
     "memory stats": "Show what the local memory store contains",
+    "memory suggest": "Emit a BYO-LLM review prompt (recent activity + open items) — pipe to your own model",
     "memory merge": "Merge another machine's memory.db into this one (dedup by uuid)",
     "memory install": "Wire UserPromptSubmit + SessionEnd + SessionStart (recovery) hooks into ~/.claude/settings.json",
     "memory scan": "Scan the memory store for stored secrets (exit 1 if any found)",
@@ -3439,9 +2890,11 @@ const COMMAND_HELP = {
     upgrade: "Update lock files from .kit.toml",
     install: "Install missing tools via mise",
     login: "Guided login to all configured services",
+    "login --plan": "Show the resolved auth strategy per service (vault/interactive/capture + passkey) without logging in",
     secrets: "Generate .env.local from template + secret store",
     "secrets sync": "Push resolved secrets to GitHub Actions / .env.ci / stdout",
     "secrets migrate": "Migrate plaintext secrets in .env* → configured vault",
+    "secrets set": "Capture a value to the vault: kit secrets set <KEY> --stdin (safer) | --value <v>",
     "secrets rotate": "Rotate a key: write new value to vault (explicit / random)",
     "secrets onecli": "Register a key with OneCLI gateway so agent never sees the real value",
     "secrets purge-history": "Destructive: rewrite git history to remove a leaked value (--force-history)",
@@ -3906,470 +3359,6 @@ async function showSkippedCommitBanner() {
  * `kit memory` — local conversation memory (SQLite + FTS5). Deterministic and
  * zero-LLM: it stores raw transcripts and searches them; it never calls a model.
  */
-async function cmdMemory() {
-    const subcommand = process.argv[3];
-    const jsonMode = hasFlag(process.argv, "--json");
-    if (!subcommand || subcommand === "--help" || subcommand === "-h") {
-        console.log("kit memory — local conversation memory (SQLite + FTS5)");
-        console.log("\nUsage:");
-        console.log("  kit memory index            Index ~/.claude transcripts into the memory store");
-        console.log("  kit memory search <query>   Search memory (current project; --global for all)");
-        console.log("  kit memory stats            Show what the memory store contains");
-        console.log("  kit memory merge <file>     Merge another machine's memory.db into this one");
-        console.log("  kit memory install          Wire the 2 hooks into ~/.claude/settings.json");
-        console.log("  kit memory uninstall        Remove the hooks");
-        console.log("  kit memory pal [list|add|done|snooze|verify|import]   Pending action ledger");
-        console.log("  kit memory save <name>      Bookmark the current session as a named copilot");
-        console.log("  kit memory threads          List saved copilots (--global for all)");
-        console.log("  kit memory resume <name|n>  Print the resume command for a saved copilot");
-        console.log("  kit memory forget <name>    Remove a saved copilot");
-        console.log("  kit memory scan             Scan the store for stored secrets");
-        console.log("  kit memory backup <file>    Encrypted backup (set KIT_MEMORY_PASSPHRASE)");
-        console.log("  kit memory restore <file>   Restore an encrypted backup (new machine)");
-        console.log("  kit memory share …          Promote a curated entry to shared (team) memory");
-        console.log("  kit memory areas            List shared responsibility areas");
-        console.log("  kit memory area <name>      Show shared entries for one area");
-        return true;
-    }
-    if (subcommand === "index") {
-        const db = openMemoryDb();
-        const t0 = Date.now();
-        const byHarness = indexAllHarnesses(db);
-        const ms = Date.now() - t0;
-        db.close();
-        if (jsonMode) {
-            console.log(JSON.stringify({ byHarness, ms }));
-            return true;
-        }
-        let messages = 0;
-        let toolUses = 0;
-        let files = 0;
-        let skipped = 0;
-        for (const r of Object.values(byHarness)) {
-            messages += r.messages;
-            toolUses += r.toolUses;
-            files += r.files;
-            skipped += r.filesSkipped;
-        }
-        console.log(`${c.green}✓${c.reset} indexed ${c.bold}${messages}${c.reset} messages + ${toolUses} tool-uses from ${files} sessions${skipped ? `, ${skipped} unchanged` : ""} ${c.dim}(${ms}ms)${c.reset}`);
-        for (const [harness, r] of Object.entries(byHarness)) {
-            if (r.files || r.messages) {
-                console.log(`  ${c.dim}${harness}: ${r.messages} msg · ${r.files} sessions${r.filesSkipped ? ` · ${r.filesSkipped} unchanged` : ""}${c.reset}`);
-            }
-        }
-        return true;
-    }
-    if (subcommand === "merge") {
-        const sourcePath = process.argv[4];
-        if (!sourcePath) {
-            console.error(`${c.red}usage: kit memory merge <other-machine-memory.db>${c.reset}`);
-            return false;
-        }
-        const db = openMemoryDb();
-        try {
-            const r = mergeDb(db, sourcePath);
-            console.log(`${c.green}✓${c.reset} merged ${c.bold}${r.messages}${c.reset} messages + ${r.toolUses} tool-uses · ${r.sessions} sessions · ${r.pending} pending · ${r.threads} copilots ${c.dim}from ${sourcePath}${c.reset}`);
-        }
-        catch (err) {
-            db.close();
-            console.error(`${c.red}${err.message}${c.reset}`);
-            return false;
-        }
-        db.close();
-        return true;
-    }
-    if (subcommand === "stats") {
-        const db = openMemoryDb();
-        const s = getStats(db);
-        db.close();
-        if (jsonMode) {
-            console.log(JSON.stringify(s));
-            return true;
-        }
-        console.log(`${c.bold}kit memory${c.reset}  ${c.dim}${s.dbPath}${c.reset}`);
-        console.log(`  sessions   ${s.sessions}`);
-        console.log(`  messages   ${s.messages}`);
-        console.log(`  tool-uses  ${s.toolUses}`);
-        console.log(`  pending    ${s.pendingOpen} ${c.dim}(open action items)${c.reset}`);
-        console.log(`  size       ${Math.round(s.sizeBytes / 1024)} KB`);
-        return true;
-    }
-    if (subcommand === "search") {
-        const terms = process.argv.slice(4).filter((a) => !a.startsWith("--"));
-        const query = terms.join(" ").trim();
-        if (!query) {
-            console.error(`${c.red}usage: kit memory search <query> [--global] [--project=<path>] [--limit=N]${c.reset}`);
-            return false;
-        }
-        const limit = Number(flagValue(process.argv, "--limit") ?? "20") || 20;
-        const projectPath = hasFlag(process.argv, "--global")
-            ? undefined
-            : (flagValue(process.argv, "--project") ?? getCurrentProjectRoot());
-        const db = openMemoryDb();
-        const hits = searchMessages(db, query, { limit, projectPath });
-        db.close();
-        if (jsonMode) {
-            console.log(JSON.stringify(hits));
-            return true;
-        }
-        const scope = projectPath ? `${c.dim}in ${projectPath}${c.reset}` : `${c.dim}(global)${c.reset}`;
-        if (!hits.length) {
-            console.log(`${c.dim}no matches for "${query}" ${projectPath ?? "(global)"}${c.reset}`);
-            return true;
-        }
-        console.log(`${c.bold}${hits.length}${c.reset} match(es) ${scope}`);
-        for (const h of hits) {
-            const snippet = (h.content ?? "").replace(/\s+/g, " ").slice(0, 120);
-            console.log(`  ${c.dim}${h.timestamp ?? "?"}${c.reset} ${c.bold}${h.role ?? h.uuid ?? ""}${c.reset}  ${snippet}`);
-        }
-        return true;
-    }
-    if (subcommand === "hook") {
-        // Internal: invoked by Claude Code hooks. Fail-open — never block.
-        const event = process.argv[4];
-        if (event === "user-prompt-submit") {
-            const text = userPromptSubmitReminder();
-            if (text)
-                console.log(text);
-            return true;
-        }
-        if (event === "session-end") {
-            runSessionEndIndex();
-            return true;
-        }
-        if (event === "session-start") {
-            const text = sessionStartRecovery();
-            if (text)
-                console.log(text);
-            return true;
-        }
-        console.error(`${c.red}Unknown hook event: ${event ?? "(none)"}${c.reset}`);
-        return false;
-    }
-    if (subcommand === "install") {
-        const { added, alreadyPresent } = installMemoryHooks();
-        for (const e of added)
-            console.log(`${c.green}✓${c.reset} installed ${e} hook`);
-        for (const e of alreadyPresent)
-            console.log(`${c.dim}• ${e} hook already present${c.reset}`);
-        console.log(`${c.dim}settings: ${getClaudeSettingsPath()}${c.reset}`);
-        return true;
-    }
-    if (subcommand === "uninstall") {
-        const { removed } = uninstallMemoryHooks();
-        if (removed.length) {
-            for (const e of removed)
-                console.log(`${c.green}✓${c.reset} removed ${e} hook`);
-        }
-        else {
-            console.log(`${c.dim}no kit memory hooks were installed${c.reset}`);
-        }
-        return true;
-    }
-    if (subcommand === "share") {
-        const area = flagValue(process.argv, "--area");
-        const title = flagValue(process.argv, "--title");
-        const kind = (flagValue(process.argv, "--kind") ?? "note");
-        const body = flagValue(process.argv, "--body") ?? "";
-        const ref = flagValue(process.argv, "--ref");
-        if (!area || !title) {
-            console.error(`${c.red}usage: kit memory share --area <a> --title <t> [--kind decision|convention|how-built|status|security|note] [--body <b>] [--ref <r>]${c.reset}`);
-            return false;
-        }
-        const root = getCurrentProjectRoot();
-        try {
-            const e = shareEntry(root, { area, kind, title, body, refs: ref ? [ref] : [] }, new Date().toISOString());
-            console.log(`${c.green}✓${c.reset} shared ${c.bold}${e.id}${c.reset} to area ${c.bold}${area}${c.reset} ${c.dim}(${getSharedPath(root)})${c.reset}`);
-            console.log(`${c.dim}commit .kit/shared/memory.jsonl + open a PR — shared memory is reviewed like code${c.reset}`);
-        }
-        catch (err) {
-            console.error(`${c.red}${err.message}${c.reset}`);
-            return false;
-        }
-        return true;
-    }
-    if (subcommand === "areas") {
-        const areas = listAreas(getCurrentProjectRoot());
-        if (jsonMode) {
-            console.log(JSON.stringify(areas));
-            return true;
-        }
-        if (!areas.length) {
-            console.log(`${c.dim}no shared areas yet — add one with kit memory share${c.reset}`);
-            return true;
-        }
-        console.log(`${c.bold}${areas.length}${c.reset} responsibility area(s):`);
-        for (const a of areas) {
-            console.log(`  ${c.bold}${a.area}${c.reset} ${c.dim}· ${a.count} entr${a.count === 1 ? "y" : "ies"}${c.reset}`);
-        }
-        return true;
-    }
-    if (subcommand === "area") {
-        const name = process.argv[4];
-        if (!name) {
-            console.error(`${c.red}usage: kit memory area <name>${c.reset}`);
-            return false;
-        }
-        const entries = queryArea(getCurrentProjectRoot(), name);
-        if (jsonMode) {
-            console.log(JSON.stringify(entries));
-            return true;
-        }
-        if (!entries.length) {
-            console.log(`${c.dim}no shared memory for area '${name}'${c.reset}`);
-            return true;
-        }
-        console.log(`${c.bold}${name}${c.reset} ${c.dim}· ${entries.length} entr${entries.length === 1 ? "y" : "ies"}${c.reset}`);
-        for (const e of entries) {
-            const prov = `${e.author}${e.source_ref ? ` @${e.source_ref}` : ""}`;
-            console.log(`  ${c.bold}[${e.kind}]${c.reset} ${e.title} ${c.dim}— ${prov}${c.reset}`);
-            if (e.body)
-                console.log(`    ${e.body}`);
-            if (e.refs.length)
-                console.log(`    ${c.dim}refs: ${e.refs.join(", ")}${c.reset}`);
-        }
-        return true;
-    }
-    if (subcommand === "scan") {
-        const db = openMemoryDb();
-        const findings = scanDbForSecrets(db);
-        db.close();
-        if (jsonMode) {
-            console.log(JSON.stringify(findings));
-            return !findings.some((f) => f.confidence === "high");
-        }
-        if (!findings.length) {
-            console.log(`${c.green}✓${c.reset} no stored secrets found in the memory store`);
-            return true;
-        }
-        const high = findings.filter((f) => f.confidence === "high");
-        const heuristic = findings.filter((f) => f.confidence === "heuristic");
-        const times = (n) => (n > 1 ? ` ×${n}` : "");
-        if (high.length) {
-            console.log(`${c.red}⚠ ${high.length} high-confidence secret(s):${c.reset}`);
-            for (const f of high) {
-                const proj = f.projects.length ? `${c.bold}[${f.projects.join(", ")}]${c.reset}${c.dim} · ` : "";
-                console.log(`  ${c.bold}${f.label}${c.reset} ${c.dim}${f.preview}${times(f.count)} · ${proj}${f.sample}${c.reset}`);
-            }
-        }
-        else {
-            console.log(`${c.green}✓${c.reset} no high-confidence secrets`);
-        }
-        if (heuristic.length) {
-            const showAll = hasFlag(process.argv, "--all");
-            if (showAll) {
-                console.log(`${c.dim}${heuristic.length} heuristic match(es) (KEY=value patterns — usually env vars / paths):${c.reset}`);
-                for (const f of heuristic) {
-                    console.log(`  ${c.dim}${f.label} ${f.preview}${times(f.count)} · ${f.sample}${c.reset}`);
-                }
-            }
-            else {
-                console.log(`${c.dim}+ ${heuristic.length} heuristic match(es) (likely env vars / paths) — run with --all to see${c.reset}`);
-            }
-        }
-        return high.length === 0; // exit non-zero only on high-confidence findings
-    }
-    if (subcommand === "backup") {
-        const out = process.argv[4];
-        const pass = process.env.KIT_MEMORY_PASSPHRASE ?? flagValue(process.argv, "--passphrase");
-        if (!out) {
-            console.error(`${c.red}usage: kit memory backup <file>  (set KIT_MEMORY_PASSPHRASE)${c.reset}`);
-            return false;
-        }
-        if (!pass) {
-            console.error(`${c.red}set KIT_MEMORY_PASSPHRASE (or --passphrase) — the key is never stored${c.reset}`);
-            return false;
-        }
-        try {
-            backupEncrypted(pass, getMemoryDbPath(), out);
-        }
-        catch (err) {
-            console.error(`${c.red}${err.message}${c.reset}`);
-            return false;
-        }
-        console.log(`${c.green}✓${c.reset} encrypted backup → ${out} ${c.dim}(AES-256-GCM · scrypt)${c.reset}`);
-        return true;
-    }
-    if (subcommand === "restore") {
-        const inFile = process.argv[4];
-        const pass = process.env.KIT_MEMORY_PASSPHRASE ?? flagValue(process.argv, "--passphrase");
-        if (!inFile) {
-            console.error(`${c.red}usage: kit memory restore <file> [--to <path>] [--force]${c.reset}`);
-            return false;
-        }
-        if (!pass) {
-            console.error(`${c.red}set KIT_MEMORY_PASSPHRASE (or --passphrase)${c.reset}`);
-            return false;
-        }
-        const dest = flagValue(process.argv, "--to") ?? getMemoryDbPath();
-        if (existsSync(dest) && !hasFlag(process.argv, "--force")) {
-            console.error(`${c.red}${dest} exists — pass --force to overwrite${c.reset}`);
-            return false;
-        }
-        try {
-            restoreEncrypted(pass, inFile, dest);
-        }
-        catch {
-            console.error(`${c.red}restore failed — wrong passphrase or corrupt backup${c.reset}`);
-            return false;
-        }
-        console.log(`${c.green}✓${c.reset} restored → ${dest}`);
-        return true;
-    }
-    if (subcommand === "save") {
-        const name = process.argv.slice(4).filter((a) => !a.startsWith("--")).join(" ").trim();
-        if (!name) {
-            console.error(`${c.red}usage: kit memory save <name> [--session=<id>]${c.reset}`);
-            return false;
-        }
-        const root = getCurrentProjectRoot();
-        const db = openMemoryDb();
-        const sessionId = flagValue(process.argv, "--session") ?? latestSessionId(db, { projectPath: root });
-        if (!sessionId) {
-            db.close();
-            console.error(`${c.red}no session found for ${root} — index first or pass --session=<id>${c.reset}`);
-            return false;
-        }
-        saveThread(db, { name, sessionId, projectPath: root });
-        db.close();
-        console.log(`${c.green}✓${c.reset} saved copilot ${c.bold}${name}${c.reset} ${c.dim}→ ${sessionId}${c.reset}`);
-        return true;
-    }
-    if (subcommand === "threads") {
-        const projectPath = hasFlag(process.argv, "--global") ? undefined : getCurrentProjectRoot();
-        const db = openMemoryDb();
-        const list = listThreads(db, { projectPath });
-        db.close();
-        if (jsonMode) {
-            console.log(JSON.stringify(list));
-            return true;
-        }
-        if (!list.length) {
-            console.log(`${c.dim}no saved copilots${projectPath ? ` in ${projectPath}` : ""}${c.reset}`);
-            return true;
-        }
-        const scope = projectPath ? `${c.dim}in ${projectPath}${c.reset}` : `${c.dim}(global)${c.reset}`;
-        console.log(`${c.bold}${list.length}${c.reset} saved copilot(s) ${scope}:`);
-        list.forEach((t, i) => {
-            console.log(`  ${c.bold}${i + 1}${c.reset}. ${t.name}  ${c.dim}${t.session_id}${c.reset}`);
-        });
-        console.log(`${c.dim}resume with: kit memory resume <name|number>${c.reset}`);
-        return true;
-    }
-    if (subcommand === "resume") {
-        const ref = process.argv[4];
-        if (!ref) {
-            console.error(`${c.red}usage: kit memory resume <name|number>${c.reset}`);
-            return false;
-        }
-        const projectPath = hasFlag(process.argv, "--global") ? undefined : getCurrentProjectRoot();
-        const db = openMemoryDb();
-        const t = resolveThread(db, ref, { projectPath });
-        db.close();
-        if (!t) {
-            console.error(`${c.red}no saved copilot '${ref}'${c.reset}`);
-            return false;
-        }
-        console.log(`${c.bold}${t.name}${c.reset} — run:`);
-        console.log(`  claude --resume ${t.session_id}`);
-        return true;
-    }
-    if (subcommand === "forget") {
-        const name = process.argv.slice(4).filter((a) => !a.startsWith("--")).join(" ").trim();
-        if (!name) {
-            console.error(`${c.red}usage: kit memory forget <name>${c.reset}`);
-            return false;
-        }
-        const db = openMemoryDb();
-        const ok = removeThread(db, name);
-        db.close();
-        console.log(ok ? `${c.green}✓${c.reset} forgot ${name}` : `${c.dim}no copilot '${name}'${c.reset}`);
-        return true;
-    }
-    if (subcommand === "pal") {
-        const action = process.argv[4] && !process.argv[4].startsWith("--") ? process.argv[4] : "list";
-        const db = openMemoryDb();
-        try {
-            if (action === "list") {
-                const scope = hasFlag(process.argv, "--global")
-                    ? undefined
-                    : basename(getCurrentProjectRoot());
-                const items = palList(db, { scope });
-                if (jsonMode) {
-                    console.log(JSON.stringify(items));
-                    return true;
-                }
-                if (!items.length) {
-                    console.log(`${c.dim}no open action items${c.reset}`);
-                    return true;
-                }
-                console.log(`${c.bold}${items.length}${c.reset} open action item(s):`);
-                for (const p of items) {
-                    const tag = p.kind === "auto" ? ` ${c.dim}· auto${c.reset}` : "";
-                    const scope = p.scope ? ` ${c.dim}[${p.scope}]${c.reset}` : "";
-                    console.log(`  ${c.bold}${p.id}${c.reset}  ${p.title}${scope}${tag}`);
-                }
-                return true;
-            }
-            if (action === "add") {
-                const title = process.argv.slice(5).filter((a) => !a.startsWith("--")).join(" ").trim();
-                if (!title) {
-                    console.error(`${c.red}usage: kit memory pal add <title> [--verify=<cmd>] [--scope=<s>]${c.reset}`);
-                    return false;
-                }
-                const id = palAdd(db, {
-                    title,
-                    verifyCmd: flagValue(process.argv, "--verify"),
-                    scope: flagValue(process.argv, "--scope") ?? basename(getCurrentProjectRoot()),
-                });
-                console.log(`${c.green}✓${c.reset} added ${c.bold}${id}${c.reset}`);
-                return true;
-            }
-            if (action === "done") {
-                const id = process.argv[5];
-                if (!id) {
-                    console.error(`${c.red}usage: kit memory pal done <id>${c.reset}`);
-                    return false;
-                }
-                console.log(palDone(db, id)
-                    ? `${c.green}✓${c.reset} closed ${id}`
-                    : `${c.dim}${id} not found or already closed${c.reset}`);
-                return true;
-            }
-            if (action === "snooze") {
-                const id = process.argv[5];
-                const days = Number(process.argv[6] ?? "7") || 7;
-                if (!id) {
-                    console.error(`${c.red}usage: kit memory pal snooze <id> [days]${c.reset}`);
-                    return false;
-                }
-                console.log(palSnooze(db, id, days)
-                    ? `${c.green}✓${c.reset} snoozed ${id} for ${days}d`
-                    : `${c.dim}${id} not found${c.reset}`);
-                return true;
-            }
-            if (action === "verify") {
-                const r = palAutoVerify(db);
-                console.log(`${c.dim}checked ${r.checked} · closed ${r.closed.length} · reopened ${r.reopened.length}${c.reset}`);
-                return true;
-            }
-            if (action === "import") {
-                const r = importLegacyLedger(db);
-                console.log(`${c.green}✓${c.reset} imported ${r.imported} item(s) from the legacy ledger`);
-                return true;
-            }
-            console.error(`${c.red}Unknown pal action: ${action}${c.reset}`);
-            console.error("Use: kit memory pal [list|add|done|snooze|verify|import]");
-            return false;
-        }
-        finally {
-            db.close();
-        }
-    }
-    console.error(`${c.red}Unknown memory subcommand: ${subcommand}${c.reset}`);
-    console.error("Use: kit memory index | search <query> | stats | install | uninstall | pal");
-    return false;
-}
 async function main() {
     const args = process.argv.slice(2);
     const command = args[0];
@@ -4419,138 +3408,71 @@ async function main() {
             process.exitCode = 0;
             return;
         }
-        switch (command) {
-            case "version":
-                ok = cmdVersion();
-                break;
-            case "help":
-                ok = cmdHelp(args[1]);
-                break;
-            case "completions": {
-                const shell = args[1];
-                const script = generateCompletions(shell);
-                if (!script) {
-                    console.error(`Unknown shell: ${shell}. Use: bash, zsh, fish`);
-                    process.exitCode = 1;
-                    return;
-                }
-                process.stdout.write(script);
-                ok = true;
-                break;
+        // version/help/completions need bespoke handling; everything else is a flat
+        // command->fn dispatch (was a ~40-case switch — the main complexity driver).
+        if (command === "version") {
+            ok = cmdVersion();
+        }
+        else if (command === "help") {
+            ok = cmdHelp(args[1]);
+        }
+        else if (command === "completions") {
+            const shell = args[1];
+            const script = generateCompletions(shell);
+            if (!script) {
+                console.error(`Unknown shell: ${shell}. Use: bash, zsh, fish`);
+                process.exitCode = 1;
+                return;
             }
-            case "status":
-                ok = await cmdStatus();
-                break;
-            case "whoami":
-                ok = await cmdWhoami();
-                break;
-            case "check":
-            case undefined:
-                ok = await cmdCheck();
-                break;
-            case "init":
-                ok = await cmdInit();
-                break;
-            case "upgrade":
-                ok = await cmdUpgrade();
-                break;
-            case "install":
-                ok = await cmdInstall();
-                break;
-            case "login":
-                ok = await cmdLogin();
-                break;
-            case "secrets":
-                ok = await cmdSecrets();
-                break;
-            case "setup":
-                ok = await cmdSetup();
-                break;
-            case "skills":
-                ok = await cmdSkills();
-                break;
-            case "fix":
-                ok = await cmdFix();
-                break;
-            case "escalate":
-                ok = await cmdEscalate();
-                break;
-            case "governance":
-                ok = await cmdGovernance();
-                break;
-            case "agent-config":
-                ok = await cmdAgentConfig();
-                break;
-            case "hooks":
-                ok = await cmdHooks();
-                break;
-            case "add":
-                ok = await cmdAdd();
-                break;
-            case "audit":
-                ok = await cmdAudit();
-                break;
-            case "auth":
-                ok = await cmdAuth();
-                break;
-            case "mcp":
-                ok = await cmdMcp();
-                break;
-            case "env":
-                ok = await cmdEnv();
-                break;
-            case "doctor":
-                ok = await cmdDoctor();
-                break;
-            case "analyze":
-                ok = await cmdAnalyze();
-                break;
-            case "security":
-                ok = await cmdSecurity();
-                break;
-            case "create-plugin":
-                ok = await cmdCreatePlugin();
-                break;
-            case "plugin":
-                ok = await cmdPlugin();
-                break;
-            case "ci":
-                ok = await cmdCi();
-                break;
-            case "clone":
-                ok = await cmdClone();
-                break;
-            case "run":
-                ok = await cmdRun();
-                break;
-            case "open":
-                ok = await cmdOpen();
-                break;
-            case "context":
-                ok = await cmdContext();
-                break;
-            case "triage":
-                ok = await cmdTriage();
-                break;
-            case "baseline":
-                ok = await cmdBaseline();
-                break;
-            case "design":
-                ok = await cmdDesign();
-                break;
-            case "review":
-                ok = await cmdReview();
-                break;
-            case "pkg":
-                ok = await cmdPkg();
-                break;
-            case "team":
-                ok = await cmdTeam();
-                break;
-            case "memory":
-                ok = await cmdMemory();
-                break;
-            default: {
+            process.stdout.write(script);
+            ok = true;
+        }
+        else {
+            const COMMANDS = {
+                status: cmdStatus,
+                whoami: cmdWhoami,
+                check: cmdCheck,
+                init: cmdInit,
+                upgrade: cmdUpgrade,
+                install: cmdInstall,
+                login: cmdLogin,
+                secrets: cmdSecrets,
+                setup: cmdSetup,
+                skills: cmdSkills,
+                fix: cmdFix,
+                escalate: cmdEscalate,
+                governance: cmdGovernance,
+                "agent-config": cmdAgentConfig,
+                hooks: cmdHooks,
+                add: cmdAdd,
+                audit: cmdAudit,
+                auth: cmdAuth,
+                mcp: cmdMcp,
+                env: cmdEnv,
+                doctor: cmdDoctor,
+                analyze: cmdAnalyze,
+                security: cmdSecurity,
+                "create-plugin": cmdCreatePlugin,
+                plugin: cmdPlugin,
+                ci: cmdCi,
+                clone: cmdClone,
+                run: cmdRun,
+                open: cmdOpen,
+                context: cmdContext,
+                triage: cmdTriage,
+                baseline: cmdBaseline,
+                design: cmdDesign,
+                review: cmdReview,
+                pkg: cmdPkg,
+                team: cmdTeam,
+                memory: cmdMemory,
+            };
+            // no command → `check` (the prior `case undefined` behaviour).
+            const handler = COMMANDS[command ?? "check"];
+            if (handler) {
+                ok = await handler();
+            }
+            else {
                 console.error(`Unknown command: ${command}`);
                 const { didYouMean } = await import("./utils/didYouMean.js");
                 const knownCommands = [
@@ -4588,5 +3510,7 @@ async function main() {
         }
     }
 }
-main();
+// Entrypoint — fire-and-forget by design; main() handles its own errors and sets
+// process.exitCode. `void` marks the intentional non-await for no-floating-promises.
+void main();
 //# sourceMappingURL=cli.js.map