sigild 0.0.1 → 0.0.2

package/dist/src/cli/main.js

@@ -0,0 +1,152 @@
+import { readPassphrase } from '../daemon/passphrase.js';
+import { installInto } from '../hooks/install.js';
+import { ArgsError, parseSubcommand } from './args.js';
+import { resolvePaths } from './paths.js';
+import { portalAdd, portalListFromDisk, portalRemove } from './portal.js';
+import { status } from './status.js';
+import { formatResult, lock, unlock } from './unlock.js';
+const USAGE = `sigil — local signing control for Claude Code
+
+Usage:
+  sigil init [--user]
+  sigil status
+  sigil portal add <handle> --key-file <path> [--no-remove-source]
+  sigil portal list
+  sigil portal remove <handle>
+  sigil unlock
+  sigil lock
+
+"sigil init" writes the MCP server registration + tool hooks into
+.claude/settings.json (or ~/.claude/settings.json with --user).
+"sigil unlock" prompts for the passphrase and pushes it to the running
+sigil-mcp process (spawned by Claude Code) over the control socket.
+Set SIGIL_HOME to override ~/.sigil.
+`;
+/**
+ * Pure dispatcher: takes argv (without the node binary or script path),
+ * returns an exit code. Side effects route through the injected streams
+ * and passphrase reader so tests don't poke at process.stdout etc.
+ */
+export async function runCli(opts) {
+    const out = opts.stdout ?? process.stdout;
+    const err = opts.stderr ?? process.stderr;
+    const paths = resolvePaths(opts.env ?? process.env);
+    const askPassphrase = opts.passphrase ?? (() => readPassphrase('sigil passphrase: '));
+    if (opts.argv.length === 0 || opts.argv[0] === '--help' || opts.argv[0] === '-h') {
+        out.write(USAGE);
+        return { code: 0 };
+    }
+    try {
+        const [head, ...rest] = opts.argv;
+        if (head === 'init') {
+            const sub = parseSubcommand(['init', ...rest], {
+                init: { options: { user: { type: 'boolean' } } },
+            });
+            const scope = sub.options['user'] === true ? 'user' : 'project';
+            const result = installInto({ scope });
+            if (result.changed)
+                out.write(`updated ${result.settingsPath}\n`);
+            else
+                out.write(`${result.settingsPath} is already up to date\n`);
+            return { code: 0 };
+        }
+        if (head === 'status') {
+            const report = await status(paths);
+            out.write(JSON.stringify(report, null, 2) + '\n');
+            return { code: 0 };
+        }
+        if (head === 'unlock') {
+            const passphrase = await askPassphrase();
+            try {
+                const result = await unlock({ paths, passphrase });
+                const { message, code } = formatResult('unlock', result);
+                (code === 0 ? out : err).write(message + '\n');
+                return { code };
+            }
+            finally {
+                passphrase.fill(0);
+            }
+        }
+        if (head === 'lock') {
+            const result = await lock({ paths });
+            const { message, code } = formatResult('lock', result);
+            (code === 0 ? out : err).write(message + '\n');
+            return { code };
+        }
+        if (head === 'portal') {
+            const sub = parseSubcommand(rest, {
+                add: {
+                    options: {
+                        'key-file': { type: 'string' },
+                        'no-remove-source': { type: 'boolean' },
+                    },
+                },
+                list: { options: {} },
+                remove: { options: {} },
+            });
+            if (sub.command === 'add') {
+                const handle = sub.positionals[0];
+                const keyFile = sub.options['key-file'];
+                if (!handle)
+                    throw new ArgsError('portal add: missing handle');
+                if (typeof keyFile !== 'string' || keyFile.length === 0) {
+                    throw new ArgsError('portal add: --key-file is required');
+                }
+                const passphrase = await askPassphrase();
+                try {
+                    const { address, keyfilePath } = portalAdd(paths, {
+                        handle,
+                        keyFile,
+                        passphrase,
+                        ...(sub.options['no-remove-source'] === true ? { removeSource: false } : {}),
+                        ...(opts.kdfParams ? { kdfParams: opts.kdfParams } : {}),
+                    });
+                    out.write(`added ${handle} (${address}) → ${keyfilePath}\n`);
+                }
+                finally {
+                    passphrase.fill(0);
+                }
+                return { code: 0 };
+            }
+            if (sub.command === 'list') {
+                const passphrase = await askPassphrase();
+                try {
+                    const portals = portalListFromDisk(paths, passphrase);
+                    if (portals.length === 0) {
+                        out.write('(no portals)\n');
+                    }
+                    else {
+                        for (const p of portals)
+                            out.write(`${p.handle}\t${p.address}\n`);
+                    }
+                }
+                finally {
+                    passphrase.fill(0);
+                }
+                return { code: 0 };
+            }
+            if (sub.command === 'remove') {
+                const handle = sub.positionals[0];
+                if (!handle)
+                    throw new ArgsError('portal remove: missing handle');
+                const result = portalRemove(paths, handle);
+                if (result.removed)
+                    out.write(`removed ${handle} (${result.path})\n`);
+                else
+                    out.write(`portal "${handle}" not found at ${result.path}\n`);
+                return { code: result.removed ? 0 : 1 };
+            }
+        }
+        throw new ArgsError(`unknown subcommand "${head}"`);
+    }
+    catch (e) {
+        if (e instanceof ArgsError) {
+            err.write(`sigil: ${e.message}\n`);
+            err.write('\n' + USAGE);
+            return { code: 2 };
+        }
+        err.write(`sigil: ${e.message}\n`);
+        return { code: 1 };
+    }
+}
+//# sourceMappingURL=main.js.map

package/dist/src/cli/main.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.js","sourceRoot":"","sources":["../../../src/cli/main.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAEzD,OAAO,EAAkB,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC1E,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAEzD,MAAM,KAAK,GAAG;;;;;;;;;;;;;;;;CAgBb,CAAC;AAsBF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAgB;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAC1C,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC;IACpD,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,IAAI,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAEtF,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACjF,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACjB,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACrB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC;QAClC,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE;gBAC7C,IAAI,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE;aACjD,CAAC,CAAC;YACH,MAAM,KAAK,GAAc,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3E,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YACtC,IAAI,MAAM,CAAC,OAAO;gBAAE,GAAG,CAAC,KAAK,CAAC,WAAW,MAAM,CAAC,YAAY,IAAI,CAAC,CAAC;;gBAC7D,GAAG,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,YAAY,0BAA0B,CAAC,CAAC;YACjE,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAClD,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,MAAM,UAAU,GAAG,MAAM,aAAa,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;gBACnD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBACzD,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;gBAC/C,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,CAAC;oBAAS,CAAC;gBACT,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QACD,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YACrC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACvD,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;YAC/C,OAAO,EAAE,IAAI,EAAE,CAAC;QAClB,CAAC;QACD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,EAAE;gBAChC,GAAG,EAAE;oBACH,OAAO,EAAE;wBACP,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC9B,kBAAkB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;qBACxC;iBACF;gBACD,IAAI,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;gBACrB,MAAM,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;aACxB,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;gBAC1B,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBACxC,IAAI,CAAC,MAAM;oBAAE,MAAM,IAAI,SAAS,CAAC,4BAA4B,CAAC,CAAC;gBAC/D,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACxD,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC,CAAC;gBAC5D,CAAC;gBACD,MAAM,UAAU,GAAG,MAAM,aAAa,EAAE,CAAC;gBACzC,IAAI,CAAC;oBACH,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,SAAS,CAAC,KAAK,EAAE;wBAChD,MAAM;wBACN,OAAO;wBACP,UAAU;wBACV,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC5E,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACzD,CAAC,CAAC;oBACH,GAAG,CAAC,KAAK,CAAC,SAAS,MAAM,KAAK,OAAO,OAAO,WAAW,IAAI,CAAC,CAAC;gBAC/D,CAAC;wBAAS,CAAC;oBACT,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACrB,CAAC;gBACD,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YACrB,CAAC;YACD,IAAI,GAAG,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;gBAC3B,MAAM,UAAU,GAAG,MAAM,aAAa,EAAE,CAAC;gBACzC,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;oBACtD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACzB,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;oBAC9B,CAAC;yBAAM,CAAC;wBACN,KAAK,MAAM,CAAC,IAAI,OAAO;4BAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC;oBACpE,CAAC;gBACH,CAAC;wBAAS,CAAC;oBACT,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACrB,CAAC;gBACD,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YACrB,CAAC;YACD,IAAI,GAAG,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;gBAClC,IAAI,CAAC,MAAM;oBAAE,MAAM,IAAI,SAAS,CAAC,+BAA+B,CAAC,CAAC;gBAClE,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC3C,IAAI,MAAM,CAAC,OAAO;oBAAE,GAAG,CAAC,KAAK,CAAC,WAAW,MAAM,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,CAAC;;oBACjE,GAAG,CAAC,KAAK,CAAC,WAAW,MAAM,kBAAkB,MAAM,CAAC,IAAI,IAAI,CAAC,CAAC;gBACnE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1C,CAAC;QACH,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,uBAAuB,IAAI,GAAG,CAAC,CAAC;IACtD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,SAAS,EAAE,CAAC;YAC3B,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC;YACnC,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC;YACxB,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACrB,CAAC;QACD,GAAG,CAAC,KAAK,CAAC,UAAW,CAAW,CAAC,OAAO,IAAI,CAAC,CAAC;QAC9C,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACrB,CAAC;AACH,CAAC"}

package/dist/src/cli/paths.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Resolves the locations sigil cares about, honouring SIGIL_HOME env override.
+ * One source of truth used by the CLI, daemon entrypoint, and tests.
+ *
+ * The control socket is where the running sigil-mcp listens for unlock/lock/
+ * status commands from the `sigil` CLI. It lives inside ~/.sigil so it
+ * inherits the 0o700 directory permission; the socket file itself is also
+ * chmod'd to 0o600 by the server on bind.
+ */
+export interface SigilPaths {
+    readonly home: string;
+    readonly keysDir: string;
+    readonly controlSocket: string;
+    readonly auditLog: string;
+}
+export declare function resolvePaths(env?: NodeJS.ProcessEnv): SigilPaths;
+//# sourceMappingURL=paths.d.ts.map

package/dist/src/cli/paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../../src/cli/paths.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,wBAAgB,YAAY,CAAC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAAG,UAAU,CAQ7E"}

package/dist/src/cli/paths.js

@@ -0,0 +1,12 @@
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+export function resolvePaths(env = process.env) {
+    const home = env['SIGIL_HOME'] ?? join(homedir(), '.sigil');
+    return {
+        home,
+        keysDir: join(home, 'keys'),
+        controlSocket: env['SIGIL_CONTROL_SOCK'] ?? join(home, 'control.sock'),
+        auditLog: join(home, 'audit.log'),
+    };
+}
+//# sourceMappingURL=paths.js.map

package/dist/src/cli/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../../src/cli/paths.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAkBjC,MAAM,UAAU,YAAY,CAAC,MAAyB,OAAO,CAAC,GAAG;IAC/D,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC5D,OAAO;QACL,IAAI;QACJ,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC;QAC3B,aAAa,EAAE,GAAG,CAAC,oBAAoB,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC;QACtE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC;KAClC,CAAC;AACJ,CAAC"}

package/dist/src/cli/portal.d.ts

@@ -0,0 +1,50 @@
+import { type KdfParams, SecretBuffer } from '../crypto/index.js';
+import type { SigilPaths } from './paths.js';
+export interface PortalAddOpts {
+    handle: string;
+    keyFile: string;
+    passphrase: Buffer;
+    /**
+     * If true, the source key file is deleted after successful encryption.
+     * Defaults to true — leaving plaintext keys lying around is the whole
+     * thing sigil is trying to prevent.
+     */
+    removeSource?: boolean;
+    /**
+     * Override KDF parameters. Production code path uses DEFAULT_KDF_PARAMS
+     * (64MiB / 3 iters / 4 parallelism). Tests pass weaker params to keep
+     * the suite fast. The CLI binary never sets this.
+     */
+    kdfParams?: KdfParams;
+}
+/**
+ * Reads a private key from disk, encrypts it with the passphrase, writes it
+ * to the keys directory under <handle>.sigil, and (by default) deletes the
+ * source file. Returns the derived address.
+ *
+ * Accepts the key file as either:
+ *  - 32 raw bytes (binary)
+ *  - 64 hex characters (optionally 0x-prefixed, optionally with trailing whitespace)
+ */
+export declare function portalAdd(paths: SigilPaths, opts: PortalAddOpts): {
+    address: string;
+    keyfilePath: string;
+};
+export interface PortalInfo {
+    handle: string;
+    kind: 'eth';
+    address: string;
+}
+/**
+ * Lists portals by reading the keys directory and decrypting each keyfile
+ * just long enough to derive the address. Requires the passphrase.
+ * Returns an empty list if the directory doesn't exist.
+ */
+export declare function portalListFromDisk(paths: SigilPaths, passphrase: Buffer): PortalInfo[];
+export interface PortalRemoveResult {
+    removed: boolean;
+    path: string;
+}
+export declare function portalRemove(paths: SigilPaths, handle: string): PortalRemoveResult;
+export { SecretBuffer };
+//# sourceMappingURL=portal.d.ts.map

package/dist/src/cli/portal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../../src/cli/portal.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,SAAS,EAAW,YAAY,EAAa,MAAM,oBAAoB,CAAC;AAGtF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED;;;;;;;;GAQG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,aAAa,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CA4B1G;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,KAAK,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,UAAU,EAAE,CAgBtF;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,GAAG,kBAAkB,CAMlF;AAqBD,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/src/cli/portal.js

@@ -0,0 +1,93 @@
+import { existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { sealKey, SecretBuffer, unsealKey } from '../crypto/index.js';
+import { addressFromPrivateKey } from '../eth/index.js';
+import { HandleTable } from '../daemon/handles.js';
+/**
+ * Reads a private key from disk, encrypts it with the passphrase, writes it
+ * to the keys directory under <handle>.sigil, and (by default) deletes the
+ * source file. Returns the derived address.
+ *
+ * Accepts the key file as either:
+ *  - 32 raw bytes (binary)
+ *  - 64 hex characters (optionally 0x-prefixed, optionally with trailing whitespace)
+ */
+export function portalAdd(paths, opts) {
+    HandleTable.parseHandle(opts.handle); // validates format
+    mkdirSync(paths.keysDir, { recursive: true, mode: 0o700 });
+    const destPath = join(paths.keysDir, `${opts.handle}.sigil`);
+    if (existsSync(destPath)) {
+        throw new Error(`portal "${opts.handle}" already exists at ${destPath}; remove it first`);
+    }
+    const raw = readFileSync(opts.keyFile);
+    const priv = normalizePrivateKey(raw);
+    let address;
+    try {
+        address = addressFromPrivateKey(priv);
+        const sealed = opts.kdfParams
+            ? sealKey(priv, opts.passphrase, opts.kdfParams)
+            : sealKey(priv, opts.passphrase);
+        writeFileSync(destPath, sealed, { mode: 0o600 });
+    }
+    finally {
+        priv.fill(0);
+    }
+    if (opts.removeSource !== false) {
+        try {
+            unlinkSync(opts.keyFile);
+        }
+        catch { /* best-effort cleanup; file may already be gone */ }
+    }
+    return { address, keyfilePath: destPath };
+}
+/**
+ * Lists portals by reading the keys directory and decrypting each keyfile
+ * just long enough to derive the address. Requires the passphrase.
+ * Returns an empty list if the directory doesn't exist.
+ */
+export function portalListFromDisk(paths, passphrase) {
+    if (!existsSync(paths.keysDir))
+        return [];
+    const entries = readdirSync(paths.keysDir).sort();
+    const out = [];
+    for (const filename of entries) {
+        const handle = HandleTable.handleFromFilename(filename);
+        if (handle === null)
+            continue;
+        const blob = readFileSync(join(paths.keysDir, filename));
+        const sb = unsealKey(blob, passphrase);
+        try {
+            out.push({ handle, kind: 'eth', address: addressFromPrivateKey(sb.bytes()) });
+        }
+        finally {
+            sb.dispose();
+        }
+    }
+    return out;
+}
+export function portalRemove(paths, handle) {
+    HandleTable.parseHandle(handle); // validates format
+    const destPath = join(paths.keysDir, `${handle}.sigil`);
+    if (!existsSync(destPath))
+        return { removed: false, path: destPath };
+    unlinkSync(destPath);
+    return { removed: true, path: destPath };
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function normalizePrivateKey(raw) {
+    if (raw.length === 32)
+        return Buffer.from(raw); // raw 32 bytes
+    // Otherwise: expect ASCII hex, possibly with 0x prefix + trailing whitespace.
+    const text = raw.toString('utf8').trim();
+    const stripped = text.startsWith('0x') ? text.slice(2) : text;
+    if (!/^[0-9a-fA-F]{64}$/.test(stripped)) {
+        throw new Error('key file must be either 32 raw bytes or 64 hex chars (with optional 0x prefix)');
+    }
+    return Buffer.from(stripped, 'hex');
+}
+// Re-export SecretBuffer so tests can assert it disposes correctly without
+// reaching into the crypto module directly.
+export { SecretBuffer };
+//# sourceMappingURL=portal.js.map

package/dist/src/cli/portal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"portal.js","sourceRoot":"","sources":["../../../src/cli/portal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAY,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAChH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAkB,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACtF,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAqBnD;;;;;;;;GAQG;AACH,MAAM,UAAU,SAAS,CAAC,KAAiB,EAAE,IAAmB;IAC9D,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,mBAAmB;IACzD,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAE3D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,QAAQ,CAAC,CAAC;IAC7D,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,WAAW,IAAI,CAAC,MAAM,uBAAuB,QAAQ,mBAAmB,CAAC,CAAC;IAC5F,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS;YAC3B,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC;YAChD,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACnC,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,CAAC;YAAS,CAAC;QACT,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACf,CAAC;IAED,IAAI,IAAI,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;QAChC,IAAI,CAAC;YAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,CAAC;QACjC,MAAM,CAAC,CAAC,mDAAmD,CAAC,CAAC;IAC/D,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC;AAC5C,CAAC;AAQD;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAiB,EAAE,UAAkB;IACtE,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,KAAK,MAAM,QAAQ,IAAI,OAAO,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,WAAW,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,MAAM,KAAK,IAAI;YAAE,SAAS;QAC9B,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QACzD,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QACvC,IAAI,CAAC;YACH,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,qBAAqB,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QAChF,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,OAAO,EAAE,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAOD,MAAM,UAAU,YAAY,CAAC,KAAiB,EAAE,MAAc;IAC5D,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,mBAAmB;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,MAAM,QAAQ,CAAC,CAAC;IACxD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACrE,UAAU,CAAC,QAAQ,CAAC,CAAC;IACrB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAC3C,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,mBAAmB,CAAC,GAAW;IACtC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe;IAC/D,8EAA8E;IAC9E,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CACb,gFAAgF,CACjF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AACtC,CAAC;AAED,2EAA2E;AAC3E,4CAA4C;AAC5C,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/src/cli/status.d.ts

@@ -0,0 +1,28 @@
+import { type PortalSummary } from '../control/index.js';
+import type { SigilPaths } from './paths.js';
+export interface StatusReport {
+    /** Number of *.sigil files in the keys directory. */
+    keyfilesOnDisk: number;
+    /** Path the audit log lives at. Useful for `tail`-ing during incidents. */
+    auditLog: string;
+    /** True if the control socket responded — i.e. sigil-mcp is alive. */
+    mcpRunning: boolean;
+    /** Process ID of the running sigil-mcp; null when not running. */
+    mcpPid: number | null;
+    /** True if the HandleTable has been unlocked. False when mcp is down or locked. */
+    unlocked: boolean;
+    /** Portals currently loaded in the running sigil-mcp. Empty when locked or down. */
+    portals: PortalSummary[];
+}
+/**
+ * Reports the on-disk + live state of sigil. Does NOT require the passphrase.
+ *
+ * Disk side: counts encrypted keyfiles.
+ * Live side: probes the control socket. If the server is unreachable, marks
+ * mcpRunning=false; this is the common case when no Claude Code session is
+ * open. Any other client error is also treated as not-running — the user
+ * can re-run "sigil unlock" or check the socket file directly for more
+ * detailed diagnosis.
+ */
+export declare function status(paths: SigilPaths): Promise<StatusReport>;
+//# sourceMappingURL=status.d.ts.map

package/dist/src/cli/status.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../../src/cli/status.ts"],"names":[],"mappings":"AACA,OAAO,EAIL,KAAK,aAAa,EACnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,YAAY;IAC3B,qDAAqD;IACrD,cAAc,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,CAAC;IACjB,sEAAsE;IACtE,UAAU,EAAE,OAAO,CAAC;IACpB,kEAAkE;IAClE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,mFAAmF;IACnF,QAAQ,EAAE,OAAO,CAAC;IAClB,oFAAoF;IACpF,OAAO,EAAE,aAAa,EAAE,CAAC;CAC1B;AAED;;;;;;;;;GASG;AACH,wBAAsB,MAAM,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CA8BrE"}

package/dist/src/cli/status.js

@@ -0,0 +1,59 @@
+import { existsSync, readdirSync, statSync } from 'node:fs';
+import { ControlClientError, controlRequest, isControlError, } from '../control/index.js';
+/**
+ * Reports the on-disk + live state of sigil. Does NOT require the passphrase.
+ *
+ * Disk side: counts encrypted keyfiles.
+ * Live side: probes the control socket. If the server is unreachable, marks
+ * mcpRunning=false; this is the common case when no Claude Code session is
+ * open. Any other client error is also treated as not-running — the user
+ * can re-run "sigil unlock" or check the socket file directly for more
+ * detailed diagnosis.
+ */
+export async function status(paths) {
+    const keyfilesOnDisk = countKeyfiles(paths.keysDir);
+    let mcpRunning = false;
+    let mcpPid = null;
+    let unlocked = false;
+    let portals = [];
+    try {
+        const resp = await controlRequest({
+            socketPath: paths.controlSocket,
+            request: { method: 'status' },
+            timeoutMs: 1_000,
+        });
+        if (!isControlError(resp)) {
+            mcpRunning = true;
+            mcpPid = resp.pid;
+            unlocked = resp.unlocked;
+            portals = resp.portals;
+        }
+    }
+    catch (err) {
+        if (!(err instanceof ControlClientError))
+            throw err;
+        // SERVER_DOWN / CONNECT_FAILED / TIMEOUT all → mcpRunning=false.
+    }
+    return {
+        keyfilesOnDisk,
+        auditLog: paths.auditLog,
+        mcpRunning,
+        mcpPid,
+        unlocked,
+        portals,
+    };
+}
+function countKeyfiles(dir) {
+    if (!existsSync(dir))
+        return 0;
+    try {
+        const stat = statSync(dir);
+        if (!stat.isDirectory())
+            return 0;
+    }
+    catch {
+        return 0;
+    }
+    return readdirSync(dir).filter((f) => f.endsWith('.sigil')).length;
+}
+//# sourceMappingURL=status.js.map

package/dist/src/cli/status.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.js","sourceRoot":"","sources":["../../../src/cli/status.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,cAAc,GAEf,MAAM,qBAAqB,CAAC;AAkB7B;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,KAAiB;IAC5C,MAAM,cAAc,GAAG,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACpD,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,OAAO,GAAoB,EAAE,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,UAAU,EAAE,KAAK,CAAC,aAAa;YAC/B,OAAO,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE;YAC7B,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QACH,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,UAAU,GAAG,IAAI,CAAC;YAClB,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC;YAClB,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YACzB,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QACzB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,CAAC,GAAG,YAAY,kBAAkB,CAAC;YAAE,MAAM,GAAG,CAAC;QACpD,iEAAiE;IACnE,CAAC;IACD,OAAO;QACL,cAAc;QACd,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,UAAU;QACV,MAAM;QACN,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,GAAW;IAChC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC3B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE;YAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC;AACrE,CAAC"}

package/dist/src/cli/unlock.d.ts

@@ -0,0 +1,36 @@
+import { ControlClientError, type ControlResponse } from '../control/index.js';
+import type { SigilPaths } from './paths.js';
+export interface UnlockOpts {
+    paths: SigilPaths;
+    /** Buffer holding the passphrase. Caller is responsible for zeroizing it. */
+    passphrase: Buffer;
+    /** Optional connect timeout in ms (default 5000). */
+    timeoutMs?: number;
+}
+export interface UnlockResult {
+    /** Server-side response, or null if the server is unreachable. */
+    response: ControlResponse | null;
+    /** Set when the control socket couldn't be reached. */
+    clientError?: ControlClientError;
+}
+/**
+ * Send an unlock request to the running sigil-mcp. Encodes the passphrase as
+ * base64 for transport; does NOT clear the caller's buffer (the caller owns
+ * lifetime). Returns the parsed response, or a client error if the server
+ * was unreachable.
+ */
+export declare function unlock(opts: UnlockOpts): Promise<UnlockResult>;
+export interface LockOpts {
+    paths: SigilPaths;
+    timeoutMs?: number;
+}
+export declare function lock(opts: LockOpts): Promise<UnlockResult>;
+/**
+ * Format a result for human-readable CLI output. Returns the message and the
+ * exit code the CLI should use.
+ */
+export declare function formatResult(action: 'unlock' | 'lock', result: UnlockResult): {
+    message: string;
+    code: number;
+};
+//# sourceMappingURL=unlock.d.ts.map

package/dist/src/cli/unlock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unlock.d.ts","sourceRoot":"","sources":["../../../src/cli/unlock.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAGlB,KAAK,eAAe,EACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,UAAU,CAAC;IAClB,6EAA6E;IAC7E,UAAU,EAAE,MAAM,CAAC;IACnB,qDAAqD;IACrD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,kEAAkE;IAClE,QAAQ,EAAE,eAAe,GAAG,IAAI,CAAC;IACjC,uDAAuD;IACvD,WAAW,CAAC,EAAE,kBAAkB,CAAC;CAClC;AAED;;;;;GAKG;AACH,wBAAsB,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CAapE;AAED,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,UAAU,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,wBAAsB,IAAI,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAC,CAYhE;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,QAAQ,GAAG,MAAM,EAAE,MAAM,EAAE,YAAY,GAAG;IAC7E,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;CACd,CAkCA"}

package/dist/src/cli/unlock.js

@@ -0,0 +1,77 @@
+import { ControlClientError, controlRequest, isControlError, } from '../control/index.js';
+/**
+ * Send an unlock request to the running sigil-mcp. Encodes the passphrase as
+ * base64 for transport; does NOT clear the caller's buffer (the caller owns
+ * lifetime). Returns the parsed response, or a client error if the server
+ * was unreachable.
+ */
+export async function unlock(opts) {
+    const passphraseB64 = opts.passphrase.toString('base64');
+    try {
+        const response = await controlRequest({
+            socketPath: opts.paths.controlSocket,
+            request: { method: 'unlock', passphraseB64 },
+            ...(opts.timeoutMs !== undefined ? { timeoutMs: opts.timeoutMs } : {}),
+        });
+        return { response };
+    }
+    catch (err) {
+        if (err instanceof ControlClientError)
+            return { response: null, clientError: err };
+        throw err;
+    }
+}
+export async function lock(opts) {
+    try {
+        const response = await controlRequest({
+            socketPath: opts.paths.controlSocket,
+            request: { method: 'lock' },
+            ...(opts.timeoutMs !== undefined ? { timeoutMs: opts.timeoutMs } : {}),
+        });
+        return { response };
+    }
+    catch (err) {
+        if (err instanceof ControlClientError)
+            return { response: null, clientError: err };
+        throw err;
+    }
+}
+/**
+ * Format a result for human-readable CLI output. Returns the message and the
+ * exit code the CLI should use.
+ */
+export function formatResult(action, result) {
+    if (result.clientError) {
+        if (result.clientError.code === 'SERVER_DOWN') {
+            return {
+                message: `sigil-mcp is not running. Start a Claude Code session (which spawns it via your MCP config) and try again.`,
+                code: 1,
+            };
+        }
+        return { message: `sigil ${action}: ${result.clientError.message}`, code: 1 };
+    }
+    const resp = result.response;
+    if (isControlError(resp)) {
+        if (resp.code === 'WRONG_PASSPHRASE') {
+            return { message: `sigil ${action}: wrong passphrase`, code: 2 };
+        }
+        if (resp.code === 'ALREADY_UNLOCKED') {
+            return {
+                message: `sigil ${action}: already unlocked; run "sigil lock" first if you want to re-unlock`,
+                code: 1,
+            };
+        }
+        return { message: `sigil ${action}: ${resp.error} (${resp.code})`, code: 1 };
+    }
+    if (action === 'unlock') {
+        const n = resp.portals.length;
+        return {
+            message: n === 0
+                ? 'unlocked (no portals on disk yet — add one with "sigil portal add")'
+                : `unlocked ${n} portal${n === 1 ? '' : 's'}: ${resp.portals.map((p) => p.handle).join(', ')}`,
+            code: 0,
+        };
+    }
+    return { message: 'locked', code: 0 };
+}
+//# sourceMappingURL=unlock.js.map

package/dist/src/cli/unlock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unlock.js","sourceRoot":"","sources":["../../../src/cli/unlock.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,cAAc,GAEf,MAAM,qBAAqB,CAAC;AAkB7B;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAgB;IAC3C,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC;YACpC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa;YACpC,OAAO,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE;YAC5C,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC,CAAC;QACH,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;QACnF,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,IAAc;IACvC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC;YACpC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa;YACpC,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;YAC3B,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC,CAAC;QACH,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,kBAAkB;YAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;QACnF,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,MAAyB,EAAE,MAAoB;IAI1E,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,IAAI,MAAM,CAAC,WAAW,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YAC9C,OAAO;gBACL,OAAO,EACL,4GAA4G;gBAC9G,IAAI,EAAE,CAAC;aACR,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,SAAS,MAAM,KAAK,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAChF,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAS,CAAC;IAC9B,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;YACrC,OAAO,EAAE,OAAO,EAAE,SAAS,MAAM,oBAAoB,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnE,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;YACrC,OAAO;gBACL,OAAO,EAAE,SAAS,MAAM,qEAAqE;gBAC7F,IAAI,EAAE,CAAC;aACR,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,SAAS,MAAM,KAAK,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,IAAI,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAC/E,CAAC;IACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QAC9B,OAAO;YACL,OAAO,EAAE,CAAC,KAAK,CAAC;gBACd,CAAC,CAAC,qEAAqE;gBACvE,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAChG,IAAI,EAAE,CAAC;SACR,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;AACxC,CAAC"}

package/dist/src/control/client.d.ts

@@ -0,0 +1,26 @@
+import type { ControlRequest, ControlResponse } from './protocol.js';
+export interface ControlRequestOpts {
+    /** Path of the control socket (defaults provided by callers). */
+    socketPath: string;
+    /** The request to send. */
+    request: ControlRequest;
+    /** Connect + I/O timeout (ms). Defaults to 5s. */
+    timeoutMs?: number;
+}
+/**
+ * Sends a single request to the running sigil-mcp control socket and returns
+ * the parsed response. Throws ControlClientError if:
+ *   - the socket file is missing or refused (server not running)
+ *   - the connection times out
+ *   - the response is not valid JSON
+ *
+ * Note: a server-side denial (wrong passphrase, etc.) is NOT thrown — it
+ * comes back as a ControlResponse with `ok: false`. Callers branch on that.
+ */
+export declare function controlRequest(opts: ControlRequestOpts): Promise<ControlResponse>;
+export type ControlClientErrorCode = 'SERVER_DOWN' | 'CONNECT_FAILED' | 'TIMEOUT' | 'BAD_RESPONSE' | 'NO_RESPONSE';
+export declare class ControlClientError extends Error {
+    readonly code: ControlClientErrorCode;
+    constructor(message: string, code: ControlClientErrorCode);
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/src/control/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/control/client.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAIrE,MAAM,WAAW,kBAAkB;IACjC,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAC;IACnB,2BAA2B;IAC3B,OAAO,EAAE,cAAc,CAAC;IACxB,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,eAAe,CAAC,CA8DvF;AAED,MAAM,MAAM,sBAAsB,GAC9B,aAAa,GACb,gBAAgB,GAChB,SAAS,GACT,cAAc,GACd,aAAa,CAAC;AAElB,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,IAAI,EAAE,sBAAsB,CAAC;gBAC1B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,sBAAsB;CAK1D"}