sigild 0.0.1 → 0.0.3

package/README.md

@@ -2,69 +2,178 @@
 
 > Claude can sign, but never see.
 
-`sigil` is a local signing daemon and Claude Code integration that lets agentic coding tools use private keys without ever putting key material in the model's context window.
+`sigil` is a local signing tool and Claude Code integration that lets agentic coding tools use private keys without ever putting key material in the model's context window.
 
-**Status:** pre-alpha. Threat model is committed before the code. Do not use this with real funds yet. Build plan and current progress live in the [tracking issue](https://github.com/cdrn/sigil/issues/9).
+**Status:** pre-alpha. The MCP server, CLI, unlock flow, ward hooks, and policy engine (static checks) all work end-to-end. Out-of-band confirmation, rolling-window value caps, and EIP-712 domain allowlists are not yet implemented. Until they land — and until the supply-chain attestations promised for v0.1.0 ship — **do not use this with real funds yet.** Build plan lives in the [tracking issue](https://github.com/cdrn/sigil/issues/9).
 
 ## What it is
 
-Three components that work together:
+One MCP server process, four bins, three runtime deps:
 
-1. **`sigild`** — a long-running local daemon that holds unlocked keys in process memory (zeroized on shutdown; mlock against swap is planned, see [THREAT_MODEL.md](./THREAT_MODEL.md)) and exposes signing operations over a Unix socket. Keys at rest are encrypted with XChaCha20-Poly1305 and an Argon2id-derived key.
-2. **`sigil-mcp`** — an MCP server that Claude (or any agentic tool) talks to. It forwards signing requests to `sigild` and returns signatures. Claude never sees key material — only opaque handles like `eth:executor`.
-3. **Hooks (the wards)** — `sigil init` installs PreToolUse and PostToolUse hooks into `.claude/settings.json` that block `Read` and `Bash` from touching key paths, and redact key-shaped strings from tool output.
+1. **`sigil-mcp`** — the only thing that runs. Claude Code spawns it per session via your `mcpServers` config; it dies when Claude exits. Holds unlocked keys in process memory (zeroized on shutdown, `sigil lock`, or unlock-failure; mlock against swap is planned). Keys at rest are encrypted with XChaCha20-Poly1305 and an Argon2id-derived key. Signs over stdio using a DIY MCP wire protocol (~200 lines, no SDK dep). Claude never sees key material — only opaque handles like `eth:executor`.
+2. **`sigil`** — control CLI. `init`, `status`, `portal add`/`list`/`remove`, `unlock`, `lock`.
+3. **`sigil-hook-pre` / `sigil-hook-post`** — Claude Code hook binaries that block reads of common key paths and redact key-shaped strings from tool output.
+
+`sigil-mcp` boots **locked**: empty in-memory handle table, no keys loaded. Sign methods return `DAEMON_LOCKED` (-32003) with a "run sigil unlock" message until you push the passphrase in from a separate terminal via `sigil unlock`. That CLI connects to a Unix socket at `~/.sigil/control.sock` (0600) that `sigil-mcp` opens at startup. After unlock, signs work for the rest of the session; `sigil lock` zeroizes the table without killing the process.
+
+Sign methods exposed today: EIP-191 personal_sign, EIP-1559 + legacy transactions, EIP-712 typed data.
 
 ## What it isn't
 
 - Not a hardware wallet replacement. If you can use a Ledger or YubiKey, do that.
 - Not a custody solution. It runs on your laptop or VPS and protects you from one specific class of failure: leaking key material through an LLM agent.
-- Not a substitute for policy. The library prevents *ingestion* of keys; the policy engine prevents *misuse* of signing authority. Both matter — see the threat model.
+- A first cut of *bounding signing authority* via the policy engine — but not the full thing. v1 covers static checks (chain ID, destination allowlist, per-tx value cap, function-selector allowlist, on/off toggles for personal_sign and EIP-712). Rolling-window caps, EIP-712 domain allowlists, and out-of-band human confirmation are tracked in [#3](https://github.com/cdrn/sigil/issues/3) + [#4](https://github.com/cdrn/sigil/issues/4) and will land incrementally.
+
+## Install
+
+```sh
+npm install -g sigild
+```
+
+This drops four binaries on your `$PATH`: `sigil`, `sigil-mcp`, `sigil-hook-pre`, `sigil-hook-post`. (The package name on npm is `sigild` for legacy reasons; the bins do not include a daemon any more.)
+
+Requires Node 22+.
 
-## How it will work (sketch)
+## Quick start
 
-```bash
-# one-time setup
-sigil init                          # installs hooks into ~/.claude/settings.json
-sigil up                            # starts the daemon, unlocks keys via OS keychain
+```sh
+# 1. Wire sigil into Claude Code (project-scoped). Pass --user to do it globally.
+sigil init
 
-# register a key with policy
-sigil portal add executor \
-  --type eth \
-  --key-file ~/keys/bot.key \
-  --policy ./policies/executor.toml
+# 2. Encrypt a private key into sigil's keystore. Source key is deleted by default.
+#    Accepts either 32 raw bytes or 64 hex chars (with optional 0x prefix).
+sigil portal add eth:bot --key-file ./bot.key
+# → prompts for a passphrase, derives the address, writes
+#   ~/.sigil/keys/eth:bot.sigil  AND  ~/.sigil/policy/eth:bot.toml (permissive)
+#
+# Pass --strict to start with a locked-down policy template you fill in
+# before any sign succeeds:
+#   sigil portal add eth:bot --key-file ./bot.key --strict
 
-# Claude now sees `eth:executor` as a portal it can sign with,
-# but cannot read the key file or anything under ~/.sigil
+# 3. Open Claude Code. It spawns sigil-mcp automatically via your MCP config.
+#    sigil-mcp boots locked — the first sign attempt will return DAEMON_LOCKED.
+
+# 4. In a separate terminal, push the passphrase to the running sigil-mcp.
+sigil unlock
+# → prompts for the passphrase, decrypts every keyfile in ~/.sigil/keys/
+
+# 5. Use Claude Code. The four sigil_* tools will work for the rest of the session.
+
+# Optional: re-lock without restarting Claude.
+sigil lock
 ```
 
-A policy file looks like:
+If you close Claude Code, `sigil-mcp` exits and its memory is wiped. Open a new session and `sigil unlock` again — the encrypted keyfiles on disk persist.
+
+## CLI reference
+
+```text
+sigil init [--user]
+  Write the MCP server registration and the ward hooks into
+  .claude/settings.json. With --user, writes ~/.claude/settings.json
+  instead. Idempotent — preserves your unrelated settings.
+
+sigil portal add <handle> --key-file <path> [--no-remove-source] [--strict]
+  Encrypt the key with your passphrase and store it at
+  ~/.sigil/keys/<handle>.sigil (mode 0600). Handle format is
+  <kind>:<name> where kind is "eth". The source key file is deleted
+  by default — pass --no-remove-source to keep it.
+  Also writes ~/.sigil/policy/<handle>.toml — permissive by default
+  (signs anything), or use --strict for a locked-down template you
+  fill in before signs succeed.
+
+sigil policy show <handle>
+  Print the current policy file for a portal. Validates schema; exits
+  1 if the file is missing or malformed.
+
+sigil portal list
+  List the encrypted keyfiles on disk with their derived addresses.
+  Requires the passphrase.
+
+sigil portal remove <handle>
+  Delete a keyfile from disk.
+
+sigil unlock
+  Prompt for the passphrase and push it to the running sigil-mcp over
+  the control socket. After unlock, sign calls succeed for the rest
+  of the Claude session. Fails if sigil-mcp is not running (start a
+  Claude Code session first) or if already unlocked.
+
+sigil lock
+  Tell sigil-mcp to zeroize and clear its in-memory keys. Re-unlock
+  with sigil unlock — sigil-mcp keeps running.
+
+sigil status
+  Report whether sigil-mcp is running (probes ~/.sigil/control.sock),
+  its PID, whether it's unlocked, what portals it has loaded, and
+  how many keyfiles exist on disk. Does not require the passphrase.
+```
+
+Set `SIGIL_HOME` to override `~/.sigil`. Set `SIGIL_CONTROL_SOCK` to override the control socket path.
+
+## Multi-window behaviour
+
+Each Claude Code window spawns its own `sigil-mcp`. They share the on-disk keyfiles + audit log but have separate in-memory handle tables — you `sigil unlock` once per window. (The first MCP to start owns `control.sock`; further sessions will get their own socket once flock-based per-instance sockets land in Phase C of [#23](https://github.com/cdrn/sigil/issues/23). Until then, only the first window's `sigil-mcp` is reachable from the CLI.)
+
+OS-keychain integration (planned, v0.3) will make unlock zero-touch for users who set it up.
+
+## Policy engine
+
+Once a portal is unlocked, signing authority over its key is real. To bound the blast radius of a successful prompt injection, every portal has a policy file at `~/.sigil/policy/<handle>.toml`. Two modes:
+
+**Permissive** (default for `sigil portal add`): no rules. Sign anything the agent asks. The key isolation guarantees still hold — your key never enters the agent's context — but the unlocked portal can be made to sign whatever an attacker can get the agent to ask for. Useful for: testnet bots, demo flows, anyone who only cares about the context-window protection.
+
+**Strict** (opt in with `--strict`): every sign request is checked. Generated template:
 
 ```toml
-[portal.executor]
-chain_ids = [1, 42161, 8453]
-allow_to = ["0xRouter...", "0xExecutor..."]
-max_value_wei = "100000000000000000"   # 0.1 ETH per tx
-max_value_per_hour_wei = "500000000000000000"
-allowed_selectors = ["0xa9059cbb", "0x095ea7b3"]   # transfer, approve
-require_confirm_above_wei = "10000000000000000"    # push to phone for human ack
+mode = "strict"
+
+chain_ids = [1]                           # allowed chain IDs
+allow_to = []                             # allowed destination addresses (lowercase 0x)
+max_value_wei = "0"                       # per-tx cap, in wei, as decimal string
+allowed_selectors = []                    # 4-byte function selectors, e.g. "0xa9059cbb"
+
+allow_message_signing = false             # EIP-191 personal_sign (e.g. SIWE)
+allow_typed_data = false                  # EIP-712 (Permit, OpenSea — can be financial)
 ```
 
+A failed rule throws `POLICY_DENIED` (-32001) back to the agent with the human-readable reason ("tx denied — value X exceeds max_value_wei Y"), and the deny is appended to the hash-chained audit log alongside allows. Denies are forensically the more interesting half — they're the prompt-injection canary.
+
+What's deferred to follow-up PRs (still in [#3](https://github.com/cdrn/sigil/issues/3)): rolling-window value caps (e.g. 1 ETH/day per portal), EIP-712 domain + primary-type allowlists, decoded-calldata arg checks, and the `require_confirm_above_wei` outcome that hooks into the OOB push gate ([#4](https://github.com/cdrn/sigil/issues/4)).
+
 ## Supply chain posture
 
 Key-management libraries die from supply chain compromise, not from clever attacks on the code. Given the npm ecosystem in 2026 (Mini Shai-Hulud, Axios, pgserve, TanStack), `sigil` commits to:
 
-- **Zero install scripts.** No `postinstall`, `preinstall`, `prepare`. CI-enforced.
-- **Minimal dependencies.** Core sign path uses [`@noble/secp256k1`](https://github.com/paulmillr/noble-secp256k1) and `@noble/hashes` (audited, zero-dep). No viem in the core daemon.
+- **Zero install scripts.** No `postinstall`, `preinstall`, `prepare`. CI-enforced (planned: a CI guard that fails if any dep adds one).
+- **Three runtime deps, all version-pinned** (no caret ranges):
+  - [`@noble/ciphers`](https://github.com/paulmillr/noble-ciphers) for XChaCha20-Poly1305
+  - [`@noble/hashes`](https://github.com/paulmillr/noble-hashes) for Argon2id, keccak256, sha2, HMAC
+  - [`@noble/secp256k1`](https://github.com/paulmillr/noble-secp256k1) for ECDSA
+  All by paulmillr, audited, zero transitive deps.
+- **No MCP SDK.** The official `@modelcontextprotocol/sdk` pulls 92 transitive deps (ajv, hono, cors, cross-spawn, etc) — unacceptable surface. We implement the MCP wire protocol directly in ~200 lines.
 - **No Bun.** Plain Node only. Bun is currently being weaponized by Mini Shai-Hulud as an evasion layer; we will not give that pattern any cover.
-- **Provenance attestations** on every npm release via GitHub Actions trusted publishing.
-- **Signed standalone binaries** from GitHub Releases for users who'd rather not touch npm.
-- **Reproducible builds + SBOM** published with each release.
-- **No long-lived publish tokens.** OIDC only.
+- **Planned for v0.1.0** (the real release, not this 0.0.1 placeholder):
+  - Provenance attestations on every npm publish via GitHub Actions trusted publishing (OIDC, no long-lived tokens)
+  - SBOM (CycloneDX) attached to every release
+  - Signed standalone binaries from GitHub Releases for users who'd rather not touch npm
+  - Action SHA pinning rotation via Dependabot
 
 ## Threat model
 
 See [THREAT_MODEL.md](./THREAT_MODEL.md). Read it before trusting this with anything.
 
+## Development
+
+```sh
+git clone https://github.com/cdrn/sigil
+cd sigil
+npm install      # respects .npmrc ignore-scripts=true
+npm test         # builds + runs ~330 tests; should finish in under 10s
+```
+
+See [CONTRIBUTING.md](./CONTRIBUTING.md) for the PR-per-layer workflow.
+
 ## License
 
 Apache License 2.0. See [LICENSE](./LICENSE).

package/THREAT_MODEL.md

@@ -13,10 +13,24 @@ This document describes what `sigil` defends against, what it doesn't, and the a
 
 In order of value:
 
-1. **Private key material.** Must never leave `sigild`'s address space.
-2. **Signing authority.** A signature `sigild` produces on behalf of a portal is a financial action. The set of authorized actions is bounded by per-portal policy.
+1. **Private key material.** Must never leave `sigil-mcp`'s address space.
+2. **Signing authority.** A signature `sigil-mcp` produces on behalf of a portal is a financial action. The set of authorized actions is bounded by per-portal policy.
 3. **The audit log.** Append-only record of every sign decision. Tampering with it defeats post-incident forensics.
 
+## Runtime model
+
+There is exactly one long-running sigil process: `sigil-mcp`, spawned by Claude Code per session via your `mcpServers` config. It dies when Claude exits.
+
+Keys at rest are encrypted on disk in `~/.sigil/keys/<handle>.sigil` (XChaCha20-Poly1305, Argon2id-derived key). They are **not** loaded into `sigil-mcp`'s memory at startup. `sigil-mcp` boots with an empty in-memory handle table; sign requests return `DAEMON_LOCKED` until the user explicitly pushes the passphrase in.
+
+The unlock path:
+
+1. `sigil-mcp` opens a Unix socket at `~/.sigil/control.sock` (chmod 0600).
+2. The user runs `sigil unlock` in a separate terminal; the CLI prompts for the passphrase, connects to the socket, and sends `{method: "unlock", passphraseB64: ...}`.
+3. `sigil-mcp` decrypts every keyfile in `~/.sigil/keys/`, populates the in-memory table, zeroizes the passphrase buffer.
+
+This shape was chosen so the agent has no path to trigger unlock — only a human at the local TTY can. `sigil lock` zeroizes the in-memory table without killing the process; subsequent signs return `DAEMON_LOCKED` again until the next `sigil unlock`.
+
 ## In scope
 
 ### 1. Preventing key ingestion by the agent
@@ -24,8 +38,9 @@ In order of value:
 The primary threat. Failure mode: a private key ends up in the agent's context window, then in transcripts, prompt caches, cloud logs, or attacker-controlled exfiltration paths.
 
 Defenses:
-- Keys live in `sigild`'s memory only, unlocked from encrypted at-rest storage. Plaintext is zeroized on shutdown. mlock against swap is planned (requires a native module distributed as bundled prebuilds, see Known limitations).
+- Keys live in `sigil-mcp`'s memory only, unlocked from encrypted at-rest storage. Plaintext is zeroized on shutdown, on `sigil lock`, and on any failed unlock. mlock against swap is planned (requires a native module distributed as bundled prebuilds, see Known limitations).
 - The MCP interface exposes only opaque handles (`eth:executor`), never key bytes.
+- The unlock passphrase is delivered out-of-band via the control socket, not through the agent. The agent has no exposed surface that can trigger an unlock.
 - PreToolUse hooks block `Read` and `Bash` access to `~/.sigil/**`, `*.pem`, `**/.env*`, `**/keystore*`, and a configurable extra list.
 - PostToolUse output filter redacts hex-encoded 32-byte blobs, PEM blocks, and bip39-shaped strings from tool output before it reaches the model.
 
@@ -33,13 +48,24 @@ Defenses:
 
 A defended key still loses you money if the agent can be tricked into signing the wrong payload. Prompt injection through transaction calldata, web content, or repo files can redirect signing intent.
 
-Defenses (policy engine, per portal):
-- Destination allowlists (`allow_to`)
-- Per-tx and rolling-window value caps
-- Allowed function selectors (only `transfer`, `approve`, etc.)
-- Chain ID allowlists
-- Out-of-band human confirmation above a configurable value threshold (push to Pushover / Telegram / Apple Push)
-- Append-only audit log with monotonic counter
+The policy engine (per-portal `~/.sigil/policy/<handle>.toml`) is the layer that bounds this. v1 ships static checks; further work is staged in [#3](https://github.com/cdrn/sigil/issues/3) and [#4](https://github.com/cdrn/sigil/issues/4).
+
+**Shipped (v1):**
+- Two-mode policy. `permissive` mode (default for `sigil portal add`) does no checks — useful for users who only want the key-isolation guarantee. `strict` mode enforces every rule below.
+- Destination allowlist (`allow_to`).
+- Chain ID allowlist (`chain_ids`).
+- Per-tx value cap (`max_value_wei`).
+- Function selector allowlist (`allowed_selectors`) — 4-byte selector match, no calldata decoding.
+- On/off toggles for personal_sign (`allow_message_signing`) and EIP-712 typed data (`allow_typed_data`).
+- Append-only hash-chained audit log records both allow AND deny decisions. Denies are the prompt-injection canary.
+- Runtime fail-closed when the policy file is missing for a portal — keys can't be used without an explicit decision.
+
+**Planned:**
+- Rolling-window value caps (`max_value_per_hour_wei`, etc.) backed by a per-portal ledger with flock for multi-instance safety.
+- EIP-712 domain + primary-type allowlists (today `allow_typed_data` is binary; OpenSea-style approvals deserve finer control).
+- Decoded-calldata arg checks ("allow `transfer(addr, amt)` only when `amt <= 100e18` and `addr in list`"). Needs a BYO-ABI registry per portal.
+- Out-of-band human confirmation above a configurable value threshold (push to ntfy / Pushover / Telegram / Apple Push), [#4](https://github.com/cdrn/sigil/issues/4).
+- `allow_contract_creation` toggle — currently strict mode always denies tx with `to: null`.
 
 ### 3. Supply chain compromise of `sigil` itself
 
@@ -47,16 +73,16 @@ Given the 2026 npm threat landscape, a compromised release of `sigil` would be c
 
 - Zero install scripts (`postinstall`, `preinstall`, `prepare`). CI-enforced.
 - Minimal, audited dependencies (`@noble/*` family, plain Node stdlib).
-- Provenance attestations via GitHub Actions trusted publishing (OIDC, no long-lived tokens).
-- Signed standalone binaries as an alternative distribution channel.
-- Reproducible builds, published SBOM, public release checksums.
+- Provenance attestations via GitHub Actions trusted publishing (OIDC, no long-lived tokens) — planned for v0.1.0, not yet in place.
+- Signed standalone binaries as an alternative distribution channel — planned for v0.1.0.
+- Reproducible builds, published SBOM, public release checksums — planned for v0.1.0.
 - No Bun in any distributed artifact.
 
 ## Out of scope
 
 `sigil` does not defend against:
 
-- **Local code execution as your user.** If an attacker can run code as `$USER`, they can `ptrace` the daemon, read mlock'd memory, or simply ask `sigild` to sign things over the socket. `sigil` makes this harder (audit log will show it, policy still applies) but does not prevent it.
+- **Local code execution as your user.** If an attacker can run code as `$USER`, they can `ptrace` `sigil-mcp`, read mlock'd memory, connect to the control socket and unlock, or simply call the MCP tools. `sigil` makes this harder (audit log will show it, policy will apply once #3 lands) but does not prevent it.
 - **Root or kernel compromise.** mlock prevents swap; it does not prevent a root user from reading process memory.
 - **Side channels on shared hardware.** Cache timing, Rowhammer, etc.
 - **Physical access to an unlocked machine.**
@@ -67,17 +93,19 @@ Given the 2026 npm threat landscape, a compromised release of `sigil` would be c
 ## Assumptions
 
 - The user installs `sigil` through a trusted channel (signed release, verified npm provenance, or built from source).
-- The host OS enforces standard process isolation.
+- The host OS enforces standard process isolation and respects file permissions on `~/.sigil/` (the directory is 0700; keyfiles and the control socket are 0600).
 - The user's OS keychain (or chosen unlock mechanism) is not compromised.
 - Clock skew on the host is bounded (matters for rolling-window policy and audit timestamps).
 
 ## Known limitations
 
-- The hook-based path blocker is best-effort: it covers `Read` and `Bash`, but a sufficiently creative agent could still ask another tool to do the read. The defense in depth is that even if a key file is read, its contents are redacted by the output filter before reaching the model.
+- The hook-based path blocker is best-effort: it covers `Read` and `Bash`, but a sufficiently creative agent could still ask another tool to do the read. The defense in depth is that even if a key file is read, its contents are redacted by the output filter before reaching the model. And, given the unlock model, reading the encrypted keyfile alone yields nothing — the agent would also need the passphrase, which is never in its context.
 - The output redaction filter has false negatives (keys with non-standard encoding) and false positives (legitimate hex blobs). It is not a replacement for the path blocker; it's a second line.
-- The MCP socket is currently unauthenticated within the user's session. Any process running as `$USER` can connect to it. This is consistent with the threat model (we don't defend against local user compromise) but worth stating explicitly.
-- **mlock is not yet implemented.** Plaintext key material lives in a regular `Buffer` that is zeroized on daemon shutdown or unlock-failure. This means keys are vulnerable to being paged to swap on a memory-pressured system. mlock requires a native module, which we will ship as bundled prebuilds (no install scripts) rather than via a compile-on-install dependency. Tracked as a planned layer.
-- Out-of-band confirmation depends on a working push channel. If the push provider is down, high-value signs are denied, not approved.
+- The MCP stdio is the agent's exposed surface; the control socket is the user's exposed surface. Both are unauthenticated within the user's session — any process running as `$USER` can talk to either. This is consistent with the threat model (we don't defend against local user compromise) but worth stating explicitly.
+- **mlock is not yet implemented.** Plaintext key material lives in a regular `Buffer` that is zeroized on `sigil-mcp` shutdown, on `sigil lock`, or on a failed unlock. This means keys are vulnerable to being paged to swap on a memory-pressured system. mlock requires a native module, which we will ship as bundled prebuilds (no install scripts) rather than via a compile-on-install dependency. Tracked as a planned layer.
+- **Passphrase in transit through V8 strings.** The control socket carries the passphrase base64-encoded inside a JSON message. The CLI's `Buffer` and the server's decoded `Buffer` are zeroized after use, but the intermediate JSON string sits in V8's string heap and cannot be reliably wiped. This is the same trade-off as `readPassphrase`'s internal accumulator and is considered acceptable for v0.x; mitigations would require either a custom binary framing or a fully native crypto path.
+- **Multi-window:** the first `sigil-mcp` to start owns `~/.sigil/control.sock`. Subsequent sessions in other Claude windows still run, but their `sigil-mcp` cannot be reached by `sigil unlock` — only the first one is addressable. Phase C of [#23](https://github.com/cdrn/sigil/issues/23) will add per-PID sockets + a flock'd audit log so multi-window sessions coexist cleanly.
+- Out-of-band confirmation (planned, [#4](https://github.com/cdrn/sigil/issues/4)) depends on a working push channel. If the push provider is down, high-value signs are denied, not approved.
 
 ## Reporting issues
 

package/dist/src/bin/sigil-hook-post.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=sigil-hook-post.d.ts.map

package/dist/src/bin/sigil-hook-post.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigil-hook-post.d.ts","sourceRoot":"","sources":["../../../src/bin/sigil-hook-post.ts"],"names":[],"mappings":""}

package/dist/src/bin/sigil-hook-post.js

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+import { decidePostToolUse } from '../hooks/post-tool-use.js';
+import { readHookEnvelope } from '../hooks/protocol.js';
+async function main() {
+    const env = await readHookEnvelope();
+    const modification = decidePostToolUse(env);
+    if (modification !== null) {
+        process.stdout.write(JSON.stringify(modification) + '\n');
+    }
+}
+main().catch((err) => {
+    process.stderr.write(`sigil-hook-post: ${err.message}\n`);
+    process.exit(0);
+});
+//# sourceMappingURL=sigil-hook-post.js.map

package/dist/src/bin/sigil-hook-post.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigil-hook-post.js","sourceRoot":"","sources":["../../../src/bin/sigil-hook-post.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,KAAK,UAAU,IAAI;IACjB,MAAM,GAAG,GAAG,MAAM,gBAAgB,EAAE,CAAC;IACrC,MAAM,YAAY,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/src/bin/sigil-hook-pre.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=sigil-hook-pre.d.ts.map

package/dist/src/bin/sigil-hook-pre.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigil-hook-pre.d.ts","sourceRoot":"","sources":["../../../src/bin/sigil-hook-pre.ts"],"names":[],"mappings":""}

package/dist/src/bin/sigil-hook-pre.js

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+import { decidePreToolUse } from '../hooks/pre-tool-use.js';
+import { readHookEnvelope } from '../hooks/protocol.js';
+async function main() {
+    const env = await readHookEnvelope();
+    const decision = decidePreToolUse(env);
+    if (decision !== null) {
+        process.stdout.write(JSON.stringify(decision) + '\n');
+    }
+    // No decision = allow (exit 0 with empty stdout).
+}
+main().catch((err) => {
+    // On internal failure, default to allow so we don't deadlock the agent —
+    // but log loudly so the user notices something is wrong.
+    process.stderr.write(`sigil-hook-pre: ${err.message}\n`);
+    process.exit(0);
+});
+//# sourceMappingURL=sigil-hook-pre.js.map

package/dist/src/bin/sigil-hook-pre.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigil-hook-pre.js","sourceRoot":"","sources":["../../../src/bin/sigil-hook-pre.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,KAAK,UAAU,IAAI;IACjB,MAAM,GAAG,GAAG,MAAM,gBAAgB,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;IACxD,CAAC;IACD,kDAAkD;AACpD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IAC1B,yEAAyE;IACzE,yDAAyD;IACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/src/bin/sigil-mcp.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=sigil-mcp.d.ts.map

package/dist/src/bin/sigil-mcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigil-mcp.d.ts","sourceRoot":"","sources":["../../../src/bin/sigil-mcp.ts"],"names":[],"mappings":""}

package/dist/src/bin/sigil-mcp.js

@@ -0,0 +1,90 @@
+#!/usr/bin/env node
+import { mkdirSync } from 'node:fs';
+import { AuditWriter } from '../audit/index.js';
+import { resolvePaths } from '../cli/paths.js';
+import { startControlServer } from '../control/index.js';
+import { HandleTable } from '../daemon/handles.js';
+import { runMcpStdio } from '../mcp/server.js';
+import { FileSystemPolicyResolver } from '../policy/index.js';
+/**
+ * sigil-mcp: single-process MCP server for sigil. Spawned by Claude Code per
+ * session via the .claude/settings.json mcpServers entry.
+ *
+ * Lifecycle:
+ *   - On startup: ensures ~/.sigil/{,keys/} exist (0o700), opens the audit
+ *     log, constructs an EMPTY (locked) HandleTable, binds the control
+ *     socket at ~/.sigil/control.sock (0o600).
+ *   - During the session: runs the MCP wire loop on stdio. Sign methods
+ *     return DAEMON_LOCKED until the user runs `sigil unlock`, which pushes
+ *     the passphrase over the control socket; the HandleTable loads the
+ *     encrypted keyfiles from disk and the session is unlocked.
+ *   - On stdin close (Claude exited): closes the control socket, locks +
+ *     disposes the HandleTable, closes the audit writer, exits.
+ *
+ * The control socket is unref'd so it doesn't keep the loop alive on its own;
+ * stdin alone gates process lifetime.
+ */
+async function main() {
+    const paths = resolvePaths(process.env);
+    mkdirSync(paths.home, { recursive: true, mode: 0o700 });
+    mkdirSync(paths.keysDir, { recursive: true, mode: 0o700 });
+    mkdirSync(paths.policyDir, { recursive: true, mode: 0o700 });
+    const handles = new HandleTable();
+    const audit = new AuditWriter(paths.auditLog);
+    const policy = new FileSystemPolicyResolver(paths.policyDir);
+    let controlClosed = false;
+    let control = null;
+    try {
+        control = await startControlServer({
+            socketPath: paths.controlSocket,
+            keysDir: paths.keysDir,
+            handles,
+            onLog: (e) => process.stderr.write(`control: ${JSON.stringify(e)}\n`),
+        });
+    }
+    catch (err) {
+        // Another sigil-mcp already owns the control socket (or some other bind
+        // failure). Stay up without a control socket so the MCP stdio still
+        // works, but warn — this session will be permanently locked, since the
+        // primary sigil-mcp is what `sigil unlock` reaches.
+        process.stderr.write(`sigil-mcp: control socket unavailable (${err.message}). ` +
+            `This session will stay locked; sign calls will return DAEMON_LOCKED. ` +
+            `Run "sigil unlock" against the primary sigil-mcp from your first ` +
+            `Claude session — phase C of #23 will lift this limitation.\n`);
+    }
+    if (control) {
+        process.stderr.write(`sigil-mcp: ready (locked; run "sigil unlock" to load keys from ${paths.keysDir})\n`);
+    }
+    else {
+        process.stderr.write(`sigil-mcp: ready (permanently locked — no control socket)\n`);
+    }
+    const shutdown = () => {
+        handles.dispose();
+        audit.close();
+        if (!controlClosed && control) {
+            controlClosed = true;
+            control.close().catch(() => { });
+        }
+    };
+    process.on('exit', shutdown);
+    process.on('SIGINT', () => process.exit(0));
+    process.on('SIGTERM', () => process.exit(0));
+    await runMcpStdio({
+        context: { handles, audit, policy },
+        stdin: process.stdin,
+        stdout: process.stdout,
+        onLog: (e) => process.stderr.write(JSON.stringify(e) + '\n'),
+    });
+    // stdin closed (Claude exited) — close the control socket explicitly so
+    // we don't leave a stale socket file behind.
+    if (control && !controlClosed) {
+        controlClosed = true;
+        await control.close();
+    }
+    process.exit(0);
+}
+main().catch((err) => {
+    process.stderr.write(`sigil-mcp: ${err.message}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=sigil-mcp.js.map

package/dist/src/bin/sigil-mcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigil-mcp.js","sourceRoot":"","sources":["../../../src/bin/sigil-mcp.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAE9D;;;;;;;;;;;;;;;;;GAiBG;AACH,KAAK,UAAU,IAAI;IACjB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxC,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxD,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,SAAS,CAAC,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAE7D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,IAAI,wBAAwB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAE7D,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,OAAO,GAA0D,IAAI,CAAC;IAC1E,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,kBAAkB,CAAC;YACjC,UAAU,EAAE,KAAK,CAAC,aAAa;YAC/B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,OAAO;YACP,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;SACtE,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,wEAAwE;QACxE,oEAAoE;QACpE,uEAAuE;QACvE,oDAAoD;QACpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0CAA2C,GAAa,CAAC,OAAO,KAAK;YACrE,uEAAuE;YACvE,mEAAmE;YACnE,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kEAAkE,KAAK,CAAC,OAAO,KAAK,CACrF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACtF,CAAC;IAED,MAAM,QAAQ,GAAG,GAAS,EAAE;QAC1B,OAAO,CAAC,OAAO,EAAE,CAAC;QAClB,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,IAAI,CAAC,aAAa,IAAI,OAAO,EAAE,CAAC;YAC9B,aAAa,GAAG,IAAI,CAAC;YACrB,OAAO,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAqB,CAAC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC;IACF,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAE7C,MAAM,WAAW,CAAC;QAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE;QACnC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;KAC7D,CAAC,CAAC;IAEH,wEAAwE;IACxE,6CAA6C;IAC7C,IAAI,OAAO,IAAI,CAAC,aAAa,EAAE,CAAC;QAC9B,aAAa,GAAG,IAAI,CAAC;QACrB,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/src/bin/sigil.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=sigil.d.ts.map

package/dist/src/bin/sigil.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigil.d.ts","sourceRoot":"","sources":["../../../src/bin/sigil.ts"],"names":[],"mappings":""}

package/dist/src/bin/sigil.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+import { runCli } from '../cli/main.js';
+runCli({ argv: process.argv.slice(2) })
+    .then((exit) => process.exit(exit.code))
+    .catch((err) => {
+    process.stderr.write(`sigil: ${err.message}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=sigil.js.map

package/dist/src/bin/sigil.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigil.js","sourceRoot":"","sources":["../../../src/bin/sigil.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAExC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;KACpC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACvC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;IAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/src/cli/args.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Tiny CLI arg-parsing wrapper around node:util.parseArgs.
+ * We support subcommands by consuming the first positional, then re-parsing
+ * the remainder with subcommand-specific options.
+ */
+export interface ParsedSubcommand {
+    command: string;
+    positionals: string[];
+    options: Record<string, string | boolean>;
+}
+export type OptionDef = {
+    type: 'string';
+    short?: string;
+    multiple?: boolean;
+} | {
+    type: 'boolean';
+    short?: string;
+};
+export interface SubcommandSpec {
+    options?: Record<string, OptionDef>;
+}
+export declare function parseSubcommand(argv: string[], specs: Record<string, SubcommandSpec>): ParsedSubcommand;
+export declare class ArgsError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=args.d.ts.map

package/dist/src/cli/args.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"args.d.ts","sourceRoot":"","sources":["../../../src/cli/args.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC;CAC3C;AAID,MAAM,MAAM,SAAS,GACjB;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAExC,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;CACrC;AAED,wBAAgB,eAAe,CAC7B,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,GACpC,gBAAgB,CA2BlB;AAED,qBAAa,SAAU,SAAQ,KAAK;gBACtB,OAAO,EAAE,MAAM;CAI5B"}

package/dist/src/cli/args.js

@@ -0,0 +1,36 @@
+import { parseArgs } from 'node:util';
+export function parseSubcommand(argv, specs) {
+    if (argv.length === 0) {
+        throw new ArgsError('expected a subcommand');
+    }
+    const [head, ...rest] = argv;
+    if (head === undefined)
+        throw new ArgsError('expected a subcommand');
+    const spec = specs[head];
+    if (!spec) {
+        throw new ArgsError(`unknown subcommand "${head}"; expected one of: ${Object.keys(specs).join(', ')}`);
+    }
+    let parsed;
+    try {
+        parsed = parseArgs({
+            args: rest,
+            allowPositionals: true,
+            options: spec.options ?? {},
+        });
+    }
+    catch (err) {
+        throw new ArgsError(`parsing "${head}": ${err.message}`);
+    }
+    return {
+        command: head,
+        positionals: parsed.positionals,
+        options: parsed.values,
+    };
+}
+export class ArgsError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'ArgsError';
+    }
+}
+//# sourceMappingURL=args.js.map

package/dist/src/cli/args.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"args.js","sourceRoot":"","sources":["../../../src/cli/args.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAwB,MAAM,WAAW,CAAC;AAwB5D,MAAM,UAAU,eAAe,CAC7B,IAAc,EACd,KAAqC;IAErC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC,CAAC;IAC/C,CAAC;IACD,MAAM,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;IAC7B,IAAI,IAAI,KAAK,SAAS;QAAE,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC,CAAC;IACrE,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;IACzB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,SAAS,CACjB,uBAAuB,IAAI,uBAAuB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClF,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,SAAS,CAAC;YACjB,IAAI,EAAE,IAAI;YACV,gBAAgB,EAAE,IAAI;YACtB,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;SACT,CAAC,CAAC;IACxB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CAAC,YAAY,IAAI,MAAO,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IACtE,CAAC;IACD,OAAO;QACL,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE,MAAM,CAAC,MAA0C;KAC3D,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF"}

package/dist/src/cli/index.d.ts

@@ -0,0 +1,7 @@
+export { type SigilPaths, resolvePaths } from './paths.js';
+export { ArgsError, parseSubcommand } from './args.js';
+export { type PortalAddOpts, type PortalInfo, type PortalRemoveResult, portalAdd, portalListFromDisk, portalRemove, } from './portal.js';
+export { type StatusReport, status } from './status.js';
+export { type UnlockOpts, type LockOpts, type UnlockResult, formatResult, lock, unlock, } from './unlock.js';
+export { type RunCliOpts, type CliExit, runCli } from './main.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cli/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,UAAU,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,UAAU,EACf,KAAK,kBAAkB,EACvB,SAAS,EACT,kBAAkB,EAClB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EACL,KAAK,UAAU,EACf,KAAK,QAAQ,EACb,KAAK,YAAY,EACjB,YAAY,EACZ,IAAI,EACJ,MAAM,GACP,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,UAAU,EAAE,KAAK,OAAO,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC"}