unotoken 0.1.0

package/dist/cli.js

@@ -0,0 +1,1207 @@
+#!/usr/bin/env node
+/**
+ * unotoken CLI — yokotoken + cloud features.
+ *
+ * Wraps the yokotoken CLI and extends it with OAuth-related commands:
+ * - auth link <provider>    Link an OAuth identity for passwordless unlock
+ * - auth unlink <provider>  Remove an OAuth identity link
+ * - auth list               List linked OAuth providers
+ * - auth config             Configure custom OAuth client credentials
+ * - unlock --oauth          Unlock the vault using linked OAuth identity
+ * - config email <address>  Register and verify email for device signatures
+ * - device guard check on all vault operations (unlock, get, set, list)
+ *
+ * All other commands are delegated to the underlying yokotoken CLI.
+ */
+import { Command } from 'commander';
+import { spawn } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+import { createInterface } from 'node:readline';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const VERSION = '0.1.0';
+const program = new Command();
+program
+    .name('unotoken')
+    .description('yokotoken + cloud features (OAuth unlock, team vaults, key escrow)')
+    .version(VERSION);
+// ─── auth command group ────────────────────────────────────────────
+const auth = program
+    .command('auth')
+    .description('OAuth identity management for passwordless vault unlock');
+auth
+    .command('link <provider>')
+    .description('Link an OAuth identity (google, github) for passwordless unlock')
+    .option('--vault-path <path>', 'Path to the vault database')
+    .option('--device-dir <path>', 'Directory for device.key storage')
+    .action(async (provider, opts) => {
+    try {
+        const { authLink, isValidProvider } = await import('./oauth/commands.js');
+        if (!isValidProvider(provider)) {
+            process.stderr.write(`Error: Unsupported provider '${provider}'. Supported: google, github\n`);
+            process.exit(1);
+        }
+        // Read passphrase from stdin
+        const passphrase = await readPassphraseFromTerminal('Enter vault passphrase to verify ownership: ');
+        process.stderr.write(`\nLinking ${provider} account...\n`);
+        process.stderr.write('A browser window will open for authentication.\n\n');
+        const result = await authLink(provider, {
+            passphrase,
+            vaultPath: opts.vaultPath,
+            deviceDir: opts.deviceDir,
+        });
+        const display = result.email ?? result.name ?? result.subjectId;
+        process.stdout.write(`${provider} account linked: ${display}\n`);
+        process.stdout.write(`You can now unlock with: unotoken unlock --oauth\n`);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+auth
+    .command('unlink <provider>')
+    .description('Remove an OAuth identity link')
+    .option('--vault-path <path>', 'Path to the vault database')
+    .option('--yes', 'Skip confirmation prompt')
+    .action(async (provider, opts) => {
+    try {
+        const { isValidProvider, listLinkedProviders, unlinkProvider } = await import('./oauth/commands.js');
+        if (!isValidProvider(provider)) {
+            process.stderr.write(`Error: Unsupported provider '${provider}'. Supported: google, github\n`);
+            process.exit(1);
+        }
+        // Check how many providers are linked
+        const linked = await listLinkedProviders(opts.vaultPath);
+        const isLinked = linked.some((l) => l.provider === provider);
+        if (!isLinked) {
+            process.stderr.write(`Error: No OAuth link found for '${provider}'.\n` +
+                (linked.length > 0
+                    ? `Linked providers: ${linked.map((l) => l.provider).join(', ')}\n`
+                    : 'No OAuth providers are currently linked.\n'));
+            process.exit(1);
+        }
+        // Warn if this is the last provider
+        if (linked.length === 1) {
+            process.stderr.write(`Warning: '${provider}' is the only linked OAuth provider.\n` +
+                'Removing it means passphrase will be the only unlock method.\n\n');
+        }
+        // Confirm before deletion (unless --yes)
+        if (!opts.yes) {
+            const answer = await readLineFromTerminal(`Remove ${provider} OAuth link? [y/N] `);
+            if (answer.trim().toLowerCase() !== 'y') {
+                process.stderr.write('Cancelled.\n');
+                process.exit(0);
+            }
+        }
+        const result = await unlinkProvider(provider, opts.vaultPath);
+        process.stdout.write(`${capitalize(result.provider)} OAuth link removed.\n`);
+        if (result.wasLastProvider) {
+            process.stdout.write('No OAuth providers remaining. Use your passphrase to unlock.\n');
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+auth
+    .command('list')
+    .description('List linked OAuth providers')
+    .option('--vault-path <path>', 'Path to the vault database')
+    .option('--json', 'Output as JSON')
+    .action(async (opts) => {
+    try {
+        const { listLinkedProviders } = await import('./oauth/commands.js');
+        const linked = await listLinkedProviders(opts.vaultPath);
+        if (linked.length === 0) {
+            if (opts.json) {
+                process.stdout.write('[]\n');
+            }
+            else {
+                process.stdout.write('No OAuth providers linked.\n');
+                process.stdout.write('Link one with: unotoken auth link <google|github>\n');
+            }
+            return;
+        }
+        if (opts.json) {
+            process.stdout.write(JSON.stringify(linked, null, 2) + '\n');
+            return;
+        }
+        process.stdout.write('Linked OAuth providers:\n\n');
+        for (const link of linked) {
+            process.stdout.write(`  ${capitalize(link.provider)}\n`);
+            process.stdout.write(`    Subject ID:  ${link.subjectId}\n`);
+            process.stdout.write(`    Linked:      ${formatDate(link.createdAt)}\n`);
+            process.stdout.write(`    Last used:   ${formatDate(link.lastUsedAt)}\n`);
+            process.stdout.write('\n');
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+auth
+    .command('config')
+    .description('Configure custom OAuth client credentials')
+    .option('--google-client-id <id>', 'Set custom Google OAuth client ID')
+    .option('--google-client-secret <secret>', 'Set custom Google OAuth client secret')
+    .option('--github-client-id <id>', 'Set custom GitHub OAuth client ID')
+    .option('--github-client-secret <secret>', 'Set custom GitHub OAuth client secret')
+    .option('--show', 'Display current OAuth configuration')
+    .option('--reset', 'Reset to built-in Indigo OAuth apps')
+    .option('--config-dir <path>', 'Directory for oauth-config.json (default: ~/.yokotoken)')
+    .action(async (opts) => {
+    try {
+        const { loadOAuthConfig, updateOAuthConfig, resetOAuthConfig, formatConfigForDisplay, } = await import('./oauth/config.js');
+        // --show: display current config
+        if (opts.show) {
+            const config = loadOAuthConfig(opts.configDir);
+            process.stdout.write('OAuth Configuration:\n');
+            process.stdout.write(formatConfigForDisplay(config) + '\n');
+            return;
+        }
+        // --reset: remove custom config
+        if (opts.reset) {
+            const removed = resetOAuthConfig(opts.configDir);
+            if (removed) {
+                process.stdout.write('OAuth configuration reset to built-in Indigo OAuth apps.\n');
+            }
+            else {
+                process.stdout.write('No custom configuration to reset.\n');
+            }
+            return;
+        }
+        // Set custom credentials
+        const hasUpdate = opts.googleClientId !== undefined ||
+            opts.googleClientSecret !== undefined ||
+            opts.githubClientId !== undefined ||
+            opts.githubClientSecret !== undefined;
+        if (!hasUpdate) {
+            // No flags — show help
+            process.stderr.write('Usage: unotoken auth config [options]\n\n' +
+                'Options:\n' +
+                '  --google-client-id <id>       Set custom Google OAuth client ID\n' +
+                '  --google-client-secret <s>    Set custom Google OAuth client secret\n' +
+                '  --github-client-id <id>       Set custom GitHub OAuth client ID\n' +
+                '  --github-client-secret <s>    Set custom GitHub OAuth client secret\n' +
+                '  --show                        Display current OAuth configuration\n' +
+                '  --reset                       Reset to built-in Indigo OAuth apps\n');
+            return;
+        }
+        const updated = updateOAuthConfig({
+            googleClientId: opts.googleClientId,
+            googleClientSecret: opts.googleClientSecret,
+            githubClientId: opts.githubClientId,
+            githubClientSecret: opts.githubClientSecret,
+        }, opts.configDir);
+        process.stdout.write('OAuth configuration updated:\n');
+        process.stdout.write(formatConfigForDisplay(updated) + '\n');
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+// ─── unlock command (unotoken-specific OAuth unlock) ──────────────────
+program
+    .command('unlock')
+    .description('Unlock the vault (passphrase or OAuth)')
+    .option('--oauth', 'Unlock using a linked OAuth provider')
+    .option('--provider <name>', 'Specify which OAuth provider to use (google or github)')
+    .option('--vault-path <path>', 'Path to the vault database')
+    .option('--device-dir <path>', 'Directory for device.key storage')
+    .option('--skip-device-check', 'Skip device approval check')
+    .action(async (opts) => {
+    try {
+        // Device guard check (runs BEFORE vault unlock)
+        if (!opts.skipDeviceCheck) {
+            const guardResult = await runDeviceGuard();
+            if (!guardResult.allowed) {
+                process.exit(1);
+            }
+        }
+        if (opts.oauth || opts.provider) {
+            // OAuth-based unlock
+            const { unlockWithOAuth, isValidProvider, MultipleProvidersError } = await import('./oauth/commands.js');
+            let provider;
+            if (opts.provider) {
+                if (!isValidProvider(opts.provider)) {
+                    process.stderr.write(`Error: Unsupported provider '${opts.provider}'. Supported: google, github\n`);
+                    process.exit(1);
+                }
+                provider = opts.provider;
+            }
+            process.stderr.write('Unlocking with OAuth...\n');
+            process.stderr.write('A browser window will open for authentication.\n\n');
+            try {
+                const result = await unlockWithOAuth({
+                    provider,
+                    vaultPath: opts.vaultPath,
+                    deviceDir: opts.deviceDir,
+                });
+                const display = result.email ?? result.name ?? result.provider;
+                process.stdout.write(`Vault unlocked via ${result.provider} (${display})\n`);
+                if (result.serverNotified) {
+                    process.stdout.write('Vault server is unlocked.\n');
+                }
+            }
+            catch (err) {
+                if (err instanceof MultipleProvidersError) {
+                    // Present choices to user
+                    process.stderr.write(`${err.message}\n`);
+                    process.exit(1);
+                }
+                throw err;
+            }
+        }
+        else {
+            // Check if OAuth providers are linked — offer interactive choice
+            const { listLinkedProviders } = await import('./oauth/commands.js');
+            let hasLinked = false;
+            try {
+                const linked = await listLinkedProviders(opts.vaultPath);
+                hasLinked = linked.length > 0;
+                if (hasLinked) {
+                    process.stderr.write('Unlock methods available:\n');
+                    process.stderr.write('  1. Passphrase\n');
+                    for (let i = 0; i < linked.length; i++) {
+                        process.stderr.write(`  ${i + 2}. ${capitalize(linked[i].provider)} (OAuth)\n`);
+                    }
+                    process.stderr.write('\n');
+                    const choice = await readLineFromTerminal('Choose unlock method [1]: ');
+                    const choiceNum = parseInt(choice.trim(), 10);
+                    if (!isNaN(choiceNum) && choiceNum >= 2 && choiceNum <= linked.length + 1) {
+                        // User chose an OAuth provider
+                        const chosenProvider = linked[choiceNum - 2].provider;
+                        process.stderr.write(`\nUnlocking with ${chosenProvider}...\n`);
+                        process.stderr.write('A browser window will open for authentication.\n\n');
+                        const { unlockWithOAuth, isValidProvider } = await import('./oauth/commands.js');
+                        if (isValidProvider(chosenProvider)) {
+                            const result = await unlockWithOAuth({
+                                provider: chosenProvider,
+                                vaultPath: opts.vaultPath,
+                                deviceDir: opts.deviceDir,
+                            });
+                            const display = result.email ?? result.name ?? result.provider;
+                            process.stdout.write(`Vault unlocked via ${result.provider} (${display})\n`);
+                            return;
+                        }
+                    }
+                    // Fall through to passphrase unlock
+                }
+            }
+            catch {
+                // If listing fails (e.g., no vault), fall through to passphrase
+            }
+            // Passphrase unlock — delegate to yokotoken
+            delegateToYokotoken(['unlock']);
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+// ─── config command group ─────────────────────────────────────────
+const config = program
+    .command('config')
+    .description('Manage unotoken configuration (email for device signatures)');
+config
+    .command('email [address]')
+    .description('Register and verify an email address for device approval codes')
+    .option('--show', 'Display current email configuration')
+    .option('--clear', 'Remove email configuration')
+    .option('--resend-key <key>', 'Set a custom Resend API key')
+    .option('--config-dir <path>', 'Directory for email-config.json (default: ~/.yokotoken)')
+    .action(async (address, opts) => {
+    try {
+        const { loadEmailConfig, clearEmailConfig, formatEmailConfigForDisplay, isValidEmail, setResendApiKey, } = await import('./signatures/email-config.js');
+        const { initiateVerification, verifyCode, completeVerification, } = await import('./signatures/email.js');
+        const { generateDeviceFingerprint, getDefaultDeviceName, } = await import('./signatures/fingerprint.js');
+        // --show: display current email config
+        if (opts.show) {
+            const emailConfig = loadEmailConfig(opts.configDir);
+            process.stdout.write('Email Configuration:\n');
+            process.stdout.write(formatEmailConfigForDisplay(emailConfig) + '\n');
+            return;
+        }
+        // --clear: remove email config
+        if (opts.clear) {
+            process.stderr.write('Warning: Removing your email configuration means device approval codes\n' +
+                'cannot be sent. New devices will have unrestricted access unless email\n' +
+                'is re-configured.\n\n');
+            const answer = await readLineFromTerminal('Remove email configuration? [y/N] ');
+            if (answer.trim().toLowerCase() !== 'y') {
+                process.stderr.write('Cancelled.\n');
+                return;
+            }
+            const removed = clearEmailConfig(opts.configDir);
+            if (removed) {
+                process.stdout.write('Email configuration removed.\n');
+            }
+            else {
+                process.stdout.write('No email configuration to remove.\n');
+            }
+            return;
+        }
+        // --resend-key without address: update key on existing config
+        if (opts.resendKey && !address) {
+            try {
+                const updated = setResendApiKey(opts.resendKey, opts.configDir);
+                process.stdout.write('Resend API key updated.\n');
+                process.stdout.write(formatEmailConfigForDisplay(updated) + '\n');
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                process.stderr.write(`Error: ${msg}\n`);
+                process.exit(1);
+            }
+            return;
+        }
+        // No address and no flags — show help
+        if (!address) {
+            process.stderr.write('Usage: unotoken config email <address> [options]\n\n' +
+                'Register and verify an email address for device approval codes.\n\n' +
+                'Options:\n' +
+                '  --show            Display current email configuration\n' +
+                '  --clear           Remove email configuration\n' +
+                '  --resend-key <k>  Set a custom Resend API key\n\n' +
+                'Examples:\n' +
+                '  unotoken config email user@example.com\n' +
+                '  unotoken config email --show\n' +
+                '  unotoken config email --clear\n' +
+                '  unotoken config email --resend-key re_xxxx\n');
+            return;
+        }
+        // Validate email
+        if (!isValidEmail(address)) {
+            process.stderr.write(`Error: Invalid email address: ${address}\n`);
+            process.exit(1);
+        }
+        // Get device info for context
+        const fingerprint = generateDeviceFingerprint(opts.configDir);
+        const deviceName = getDefaultDeviceName();
+        // Initiate verification
+        process.stderr.write(`Sending verification code to ${address}...\n`);
+        const initResult = await initiateVerification(address, fingerprint, deviceName, opts.configDir);
+        if (!initResult.sent || !initResult.pending) {
+            process.stderr.write(`Error: ${initResult.error ?? 'Failed to send verification email'}\n`);
+            process.exit(1);
+        }
+        process.stderr.write('Verification code sent! Check your inbox.\n\n');
+        // Prompt for code (up to 3 attempts)
+        let verified = false;
+        const pending = initResult.pending;
+        while (!verified) {
+            const code = await readLineFromTerminal('Enter 6-digit code: ');
+            const result = verifyCode(pending, code);
+            if (result.success) {
+                verified = true;
+                // Save verified config
+                completeVerification(address, opts.resendKey, opts.configDir);
+                process.stdout.write('\nEmail verified successfully!\n');
+                process.stdout.write(`Device approval codes will be sent to ${address}\n`);
+            }
+            else if (result.reason === 'expired') {
+                process.stderr.write('Code expired. Run the command again to get a new code.\n');
+                process.exit(1);
+            }
+            else if (result.reason === 'max_attempts') {
+                process.stderr.write('Maximum attempts reached. Run the command again to get a new code.\n');
+                process.exit(1);
+            }
+            else {
+                process.stderr.write(`Invalid code. ${result.remainingAttempts} attempt${result.remainingAttempts === 1 ? '' : 's'} remaining.\n`);
+            }
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+// ─── device command group ─────────────────────────────────────────
+const device = program
+    .command('device')
+    .description('Manage approved devices for vault access');
+device
+    .command('list')
+    .description('List all approved devices')
+    .option('--json', 'Output as JSON array for scripting')
+    .option('--base-dir <path>', 'Base directory for config/database files')
+    .action(async (opts) => {
+    try {
+        const { listDevicesCommand, formatDeviceList } = await import('./signatures/commands.js');
+        const result = await listDevicesCommand(opts.baseDir);
+        if (opts.json) {
+            process.stdout.write(JSON.stringify(result.devices, null, 2) + '\n');
+            return;
+        }
+        process.stdout.write(formatDeviceList(result));
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+device
+    .command('rename <fingerprint-prefix> <new-name>')
+    .description('Rename an approved device (fingerprint prefix match, minimum 8 chars)')
+    .option('--base-dir <path>', 'Base directory for config/database files')
+    .action(async (prefix, newName, opts) => {
+    try {
+        const { renameDeviceCommand, formatAmbiguousMatches, resolvePrefix } = await import('./signatures/commands.js');
+        const { DevicesDatabase } = await import('./signatures/devices.js');
+        // Check for ambiguous matches to show helpful output
+        const db = await DevicesDatabase.open(opts.baseDir);
+        try {
+            const match = resolvePrefix(db, prefix);
+            if (!match.exact && match.matches.length > 1) {
+                process.stderr.write(formatAmbiguousMatches(match.matches));
+                process.exit(1);
+            }
+        }
+        finally {
+            db.close();
+        }
+        const result = await renameDeviceCommand(prefix, newName, opts.baseDir);
+        if (!result.success) {
+            process.stderr.write(`Error: ${result.error}\n`);
+            process.exit(1);
+        }
+        process.stdout.write(`Device renamed: '${result.oldName}' -> '${result.newName}'\n`);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+device
+    .command('remove [fingerprint-prefix]')
+    .description('Remove an approved device (requires confirmation)')
+    .option('--all', 'Remove all devices except current')
+    .option('--yes', 'Skip confirmation prompt')
+    .option('--base-dir <path>', 'Base directory for config/database files')
+    .action(async (prefix, opts) => {
+    try {
+        if (opts.all) {
+            // Remove all devices except current
+            const { removeAllDevicesCommand } = await import('./signatures/commands.js');
+            if (!opts.yes) {
+                const answer = await readLineFromTerminal('Remove ALL approved devices except the current one? This cannot be undone. [y/N] ');
+                if (answer.trim().toLowerCase() !== 'y') {
+                    process.stderr.write('Cancelled.\n');
+                    process.exit(0);
+                }
+            }
+            const result = await removeAllDevicesCommand(opts.baseDir);
+            if (!result.success) {
+                process.stderr.write(`Error: ${result.error}\n`);
+                process.exit(1);
+            }
+            process.stdout.write(`Removed ${result.removedCount} device(s). Only the current device remains.\n`);
+            return;
+        }
+        // Remove a single device
+        if (!prefix) {
+            process.stderr.write('Error: Provide a fingerprint prefix, or use --all to remove all devices except current.\n');
+            process.exit(1);
+        }
+        const { removeDeviceCommand, formatAmbiguousMatches, resolvePrefix, } = await import('./signatures/commands.js');
+        const { DevicesDatabase } = await import('./signatures/devices.js');
+        // Pre-check for ambiguous or missing matches
+        const db = await DevicesDatabase.open(opts.baseDir);
+        let matchedDevice = null;
+        try {
+            const { generateDeviceFingerprint } = await import('./signatures/fingerprint.js');
+            const currentFp = generateDeviceFingerprint(opts.baseDir);
+            const match = resolvePrefix(db, prefix);
+            if (!match.exact && match.matches.length > 1) {
+                process.stderr.write(formatAmbiguousMatches(match.matches));
+                process.exit(1);
+            }
+            if (match.exact) {
+                matchedDevice = {
+                    fingerprint: match.matches[0].fingerprint,
+                    name: match.matches[0].name,
+                    is_current: match.matches[0].fingerprint === currentFp,
+                };
+            }
+        }
+        finally {
+            db.close();
+        }
+        // Confirm before removal
+        if (!opts.yes && matchedDevice) {
+            let prompt = `Remove device '${matchedDevice.name}'?`;
+            if (matchedDevice.is_current) {
+                prompt += ' (WARNING: This is the current device. You will need to re-approve on next use.)';
+            }
+            prompt += ' [y/N] ';
+            const answer = await readLineFromTerminal(prompt);
+            if (answer.trim().toLowerCase() !== 'y') {
+                process.stderr.write('Cancelled.\n');
+                process.exit(0);
+            }
+        }
+        const result = await removeDeviceCommand(prefix, opts.baseDir);
+        if (!result.success) {
+            process.stderr.write(`Error: ${result.error}\n`);
+            process.exit(1);
+        }
+        process.stdout.write(`Device removed: ${result.name}\n`);
+        if (result.wasCurrentDevice) {
+            process.stdout.write('You will need to re-approve this device on next use.\n');
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`Error: ${msg}\n`);
+        process.exit(1);
+    }
+});
+// ─── token command group (prefix-scoped tokens — US-001) ────────────
+const tokenCmd = program
+    .command('token')
+    .description('Manage access tokens (with prefix scoping)');
+tokenCmd
+    .command('create')
+    .description('Create a new access token with optional prefix scopes')
+    .requiredOption('--name <name>', 'Human-readable name for the token')
+    .option('--prefix <prefixes...>', 'Restrict token to specific vault prefixes (e.g., levelfit/ synesis/)')
+    .option('--ttl <duration>', 'Time-to-live (e.g. 1h, 30m, 7d). Default: no expiry')
+    .option('--max-uses <count>', 'Maximum number of uses. Default: unlimited')
+    .action(async (opts) => {
+    try {
+        const { vaultRequest, readTokenFile, getDefaultTokenFile, readServerPort, getDefaultPortFile } = await import('yokotoken');
+        const { storeTokenScopes } = await import('./tokens.js');
+        const portFile = getDefaultPortFile();
+        const port = readServerPort(portFile);
+        if (!port) {
+            process.stderr.write('Error: Vault server is not running. Start it with: unotoken server\n');
+            process.exit(1);
+        }
+        const tokenFile = getDefaultTokenFile();
+        const serverToken = readTokenFile(tokenFile);
+        if (!serverToken) {
+            process.stderr.write('Error: No server token found. Is the vault server running?\n');
+            process.exit(1);
+        }
+        const body = { name: opts.name };
+        if (opts.ttl)
+            body.ttl = opts.ttl;
+        if (opts.maxUses)
+            body.max_uses = parseInt(opts.maxUses, 10);
+        const res = await vaultRequest({ port, host: '127.0.0.1', token: serverToken }, 'POST', '/v1/tokens', body);
+        if (res.statusCode === 201) {
+            const rawToken = res.body.token;
+            const meta = res.body.metadata;
+            const prefixes = opts.prefix ?? null;
+            // Store prefix scopes
+            storeTokenScopes(rawToken, opts.name, prefixes);
+            process.stderr.write(`Token created: ${opts.name}\n`);
+            if (prefixes && prefixes.length > 0) {
+                process.stderr.write(`Scopes: ${prefixes.map((p) => `${p}*`).join(', ')}\n`);
+            }
+            else {
+                process.stderr.write('Scopes: * (full access)\n');
+            }
+            process.stderr.write('\n');
+            // Display the token ONCE
+            process.stdout.write(`${rawToken}\n`);
+            process.stderr.write('\nIMPORTANT: Save this token now. It cannot be retrieved again.\n');
+            if (meta.expiresAt) {
+                process.stderr.write(`Expires: ${meta.expiresAt}\n`);
+            }
+            if (meta.maxUses) {
+                process.stderr.write(`Max uses: ${meta.maxUses}\n`);
+            }
+        }
+        else {
+            process.stderr.write(`Error: ${res.body.error}\n`);
+            process.exit(1);
+        }
+    }
+    catch (err) {
+        process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+        process.exit(1);
+    }
+});
+tokenCmd
+    .command('list')
+    .description('List all access tokens with scopes')
+    .action(async () => {
+    try {
+        const { vaultRequest, readTokenFile, getDefaultTokenFile, readServerPort, getDefaultPortFile } = await import('yokotoken');
+        const { buildScopesByName, formatScopes } = await import('./tokens.js');
+        const portFile = getDefaultPortFile();
+        const port = readServerPort(portFile);
+        if (!port) {
+            process.stderr.write('Error: Vault server is not running. Start it with: unotoken server\n');
+            process.exit(1);
+        }
+        const tokenFile = getDefaultTokenFile();
+        const serverToken = readTokenFile(tokenFile);
+        if (!serverToken) {
+            process.stderr.write('Error: No server token found. Is the vault server running?\n');
+            process.exit(1);
+        }
+        const res = await vaultRequest({ port, host: '127.0.0.1', token: serverToken }, 'GET', '/v1/tokens');
+        if (res.statusCode === 200) {
+            const tokens = res.body.tokens;
+            if (tokens.length === 0) {
+                process.stderr.write('No access tokens found.\n');
+                return;
+            }
+            const scopesByName = buildScopesByName();
+            // Table output with SCOPES column
+            process.stdout.write(`${'NAME'.padEnd(25)} ${'SCOPES'.padEnd(30)} ${'CREATED'.padEnd(20)} ${'EXPIRES'.padEnd(20)} ${'USES'.padEnd(10)}\n`);
+            process.stdout.write(`${'─'.repeat(25)} ${'─'.repeat(30)} ${'─'.repeat(20)} ${'─'.repeat(20)} ${'─'.repeat(10)}\n`);
+            for (const t of tokens) {
+                const name = t.name;
+                const nameCol = name.padEnd(25);
+                const scopes = scopesByName.get(name) ?? null;
+                const scopeCol = formatScopes(scopes).padEnd(30);
+                const createdCol = (t.createdAt || '-').substring(0, 19).padEnd(20);
+                const expiresCol = (t.expiresAt ? t.expiresAt.substring(0, 19) : 'never').padEnd(20);
+                const usesCol = (t.maxUses !== null ? `${t.useCount}/${t.maxUses}` : `${t.useCount}`).padEnd(10);
+                process.stdout.write(`${nameCol} ${scopeCol} ${createdCol} ${expiresCol} ${usesCol}\n`);
+            }
+            process.stderr.write(`\n${tokens.length} token(s) found.\n`);
+        }
+        else {
+            process.stderr.write(`Error: ${res.body.error}\n`);
+            process.exit(1);
+        }
+    }
+    catch (err) {
+        process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+        process.exit(1);
+    }
+});
+tokenCmd
+    .command('revoke <name>')
+    .description('Revoke (delete) an access token and its scopes')
+    .action(async (tokenName) => {
+    try {
+        const { vaultRequest, readTokenFile, getDefaultTokenFile, readServerPort, getDefaultPortFile } = await import('yokotoken');
+        const { revokeTokenScopes } = await import('./tokens.js');
+        const portFile = getDefaultPortFile();
+        const port = readServerPort(portFile);
+        if (!port) {
+            process.stderr.write('Error: Vault server is not running. Start it with: unotoken server\n');
+            process.exit(1);
+        }
+        const tokenFile = getDefaultTokenFile();
+        const serverToken = readTokenFile(tokenFile);
+        if (!serverToken) {
+            process.stderr.write('Error: No server token found. Is the vault server running?\n');
+            process.exit(1);
+        }
+        const res = await vaultRequest({ port, host: '127.0.0.1', token: serverToken }, 'DELETE', `/v1/tokens/${encodeURIComponent(tokenName)}`);
+        if (res.statusCode === 200) {
+            // Also remove scope entry
+            revokeTokenScopes(tokenName);
+            process.stderr.write(`Token revoked: ${tokenName}\n`);
+        }
+        else {
+            process.stderr.write(`Error: ${res.body.error}\n`);
+            process.exit(1);
+        }
+    }
+    catch (err) {
+        process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+        process.exit(1);
+    }
+});
+// ─── token request workflow (approval — US-004) ─────────────────────
+tokenCmd
+    .command('request')
+    .description('Request access to a vault prefix (creates a pending request for owner approval)')
+    .requiredOption('--name <name>', 'Name for the requested token')
+    .requiredOption('--prefix <prefixes...>', 'Vault prefix(es) to request access to')
+    .option('--reason <reason>', 'Reason for the request', '')
+    .option('--status', 'Check the status of your pending request (by name)')
+    .option('--requests-path <path>', 'Path to token-requests.json (auto-detected)')
+    .action(async (opts) => {
+    try {
+        const { createRequest, getRequestByName, formatRequest } = await import('./token-requests.js');
+        if (opts.status) {
+            // Poll mode: check status of request by name
+            const req = getRequestByName(opts.name, opts.requestsPath);
+            if (!req) {
+                process.stderr.write(`No request found for name '${opts.name}'.\n`);
+                process.exit(1);
+            }
+            process.stdout.write(formatRequest(req) + '\n');
+            return;
+        }
+        // Read owner email from env (optional, for notifications)
+        const ownerEmail = process.env.UNOTOKEN_OWNER_EMAIL;
+        const request = createRequest({ name: opts.name, prefixes: opts.prefix, reason: opts.reason }, ownerEmail, opts.requestsPath);
+        process.stderr.write(`Token request created:\n`);
+        process.stderr.write(`  ID: ${request.id}\n`);
+        process.stderr.write(`  Name: ${request.name}\n`);
+        process.stderr.write(`  Prefixes: ${request.prefixes.map((p) => `${p}*`).join(', ')}\n`);
+        process.stderr.write(`  Status: pending\n`);
+        process.stderr.write(`\nThe vault owner must approve this request.\n`);
+        process.stderr.write(`Check status: unotoken token request --name ${request.name} --prefix ${request.prefixes[0]} --status\n`);
+    }
+    catch (err) {
+        process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+        process.exit(1);
+    }
+});
+tokenCmd
+    .command('requests')
+    .description('List pending token requests (owner/admin only)')
+    .option('--all', 'Show all requests (including approved/denied)')
+    .option('--requests-path <path>', 'Path to token-requests.json (auto-detected)')
+    .action(async (opts) => {
+    try {
+        const { listRequests, formatRequest } = await import('./token-requests.js');
+        const statusFilter = opts.all ? undefined : 'pending';
+        const requests = listRequests(statusFilter, opts.requestsPath);
+        if (requests.length === 0) {
+            process.stderr.write(opts.all ? 'No token requests found.\n' : 'No pending token requests.\n');
+            return;
+        }
+        for (const req of requests) {
+            process.stdout.write(formatRequest(req) + '\n\n');
+        }
+        process.stderr.write(`${requests.length} request(s) found.\n`);
+    }
+    catch (err) {
+        process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+        process.exit(1);
+    }
+});
+tokenCmd
+    .command('approve <requestId>')
+    .description('Approve a pending token request (creates the scoped token)')
+    .option('--requests-path <path>', 'Path to token-requests.json (auto-detected)')
+    .action(async (requestId, opts) => {
+    try {
+        const { vaultRequest, readTokenFile, getDefaultTokenFile, readServerPort, getDefaultPortFile } = await import('yokotoken');
+        const { storeTokenScopes } = await import('./tokens.js');
+        const { approveRequest, getRequest } = await import('./token-requests.js');
+        // Verify the request exists and is pending
+        const request = getRequest(requestId, opts.requestsPath);
+        if (!request) {
+            process.stderr.write(`Error: Token request '${requestId}' not found.\n`);
+            process.exit(1);
+        }
+        if (request.status !== 'pending') {
+            process.stderr.write(`Error: Token request '${requestId}' is already ${request.status}.\n`);
+            process.exit(1);
+        }
+        // Verify vault server is running
+        const portFile = getDefaultPortFile();
+        const port = readServerPort(portFile);
+        if (!port) {
+            process.stderr.write('Error: Vault server is not running. Start it with: unotoken server\n');
+            process.exit(1);
+        }
+        const tokenFile = getDefaultTokenFile();
+        const serverToken = readTokenFile(tokenFile);
+        if (!serverToken) {
+            process.stderr.write('Error: No server token found. Is the vault server running?\n');
+            process.exit(1);
+        }
+        // Create the scoped token via yokotoken API
+        const res = await vaultRequest({ port, host: '127.0.0.1', token: serverToken }, 'POST', '/v1/tokens', { name: request.name });
+        if (res.statusCode !== 201) {
+            process.stderr.write(`Error creating token: ${res.body.error}\n`);
+            process.exit(1);
+        }
+        const rawToken = res.body.token;
+        // Store prefix scopes
+        storeTokenScopes(rawToken, request.name, request.prefixes);
+        // Mark request as approved
+        const reviewer = process.env.USER || process.env.USERNAME || 'vault-owner';
+        approveRequest(requestId, reviewer, opts.requestsPath);
+        process.stderr.write(`Request approved: ${request.name}\n`);
+        process.stderr.write(`Scopes: ${request.prefixes.map((p) => `${p}*`).join(', ')}\n\n`);
+        // Display the token ONCE
+        process.stdout.write(`${rawToken}\n`);
+        process.stderr.write('\nIMPORTANT: Save this token now. It cannot be retrieved again.\n');
+        process.stderr.write('If the requester misses this token, they must submit a new request.\n');
+    }
+    catch (err) {
+        process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+        process.exit(1);
+    }
+});
+tokenCmd
+    .command('deny <requestId>')
+    .description('Deny a pending token request')
+    .option('--reason <reason>', 'Reason for denial')
+    .option('--requests-path <path>', 'Path to token-requests.json (auto-detected)')
+    .action(async (requestId, opts) => {
+    try {
+        const { denyRequest } = await import('./token-requests.js');
+        const reviewer = process.env.USER || process.env.USERNAME || 'vault-owner';
+        const request = denyRequest(requestId, reviewer, opts.reason, opts.requestsPath);
+        process.stderr.write(`Request denied: ${request.name}\n`);
+        if (opts.reason) {
+            process.stderr.write(`Reason: ${opts.reason}\n`);
+        }
+    }
+    catch (err) {
+        process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+        process.exit(1);
+    }
+});
+// ─── exec command (build-time env injection — US-002) ────────────────
+program
+    .command('exec')
+    .description('Run a command with vault secrets injected as environment variables')
+    .requiredOption('--prefix <prefix>', 'Vault prefix to fetch secrets from (e.g., levelfit/)')
+    .option('--token <token>', 'Bearer token for authentication (default: UNOTOKEN_TOKEN or ~/.yokotoken/token)')
+    .option('--vault-url <url>', 'Vault server URL (default: UNOTOKEN_URL or local vault)')
+    .option('--force', 'Vault values override existing env vars (default behavior)')
+    .option('--no-force', 'Existing env vars take precedence over vault values')
+    .option('--env-file <path>', 'Supplementary .env file for non-secret config')
+    .allowUnknownOption(true)
+    .action(async (opts, cmd) => {
+    try {
+        const { resolveToken, resolveVaultConnection, execWithVaultSecrets } = await import('./exec.js');
+        // Extract the child command from args after --
+        const rawArgs = cmd.args;
+        if (rawArgs.length === 0) {
+            process.stderr.write('Error: No command specified. Usage: unotoken exec --prefix <prefix> -- <command>\n');
+            process.exit(1);
+        }
+        // Resolve token
+        let token;
+        try {
+            token = await resolveToken(opts.token);
+        }
+        catch (err) {
+            process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+            process.exit(1);
+        }
+        // Resolve vault connection
+        let connection;
+        try {
+            connection = await resolveVaultConnection(opts.vaultUrl);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes('Cannot reach vault')) {
+                process.stderr.write('Error: Cannot reach vault. Unlock with: unotoken unlock\n');
+            }
+            else {
+                process.stderr.write(`Error: ${msg}\n`);
+            }
+            process.exit(1);
+        }
+        // Execute
+        const exitCode = await execWithVaultSecrets({
+            prefix: opts.prefix,
+            command: rawArgs,
+            token,
+            host: connection.host,
+            port: connection.port,
+            force: opts.force,
+            envFile: opts.envFile,
+        });
+        process.exit(exitCode);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        // Provide friendly messages for common errors
+        if (msg.includes('ECONNREFUSED') || msg.includes('ENOTFOUND')) {
+            process.stderr.write('Error: Cannot reach vault. Is the vault server running?\n');
+            process.stderr.write('Start it with: unotoken server\n');
+        }
+        else {
+            process.stderr.write(`Error: ${msg}\n`);
+        }
+        process.exit(1);
+    }
+});
+// ─── dotenv command (build-time .env generation — US-003) ────────────
+program
+    .command('dotenv')
+    .description('Generate a .env file from vault secrets')
+    .requiredOption('--prefix <prefix>', 'Vault prefix to fetch secrets from (e.g., levelfit/)')
+    .option('--out <path>', 'Output file path (default: stdout)')
+    .option('--token <token>', 'Bearer token for authentication (default: UNOTOKEN_TOKEN or ~/.yokotoken/token)')
+    .option('--vault-url <url>', 'Vault server URL (default: UNOTOKEN_URL or local vault)')
+    .option('--force', 'Overwrite file even if it has non-unotoken content')
+    .option('--clean <path>', 'Delete a unotoken-generated .env file')
+    .action(async (opts) => {
+    try {
+        // --clean mode: delete a generated .env file and exit
+        if (opts.clean) {
+            const { cleanDotenv } = await import('./dotenv.js');
+            cleanDotenv(opts.clean);
+            process.stderr.write(`Cleaned: ${opts.clean}\n`);
+            return;
+        }
+        const { resolveToken, resolveVaultConnection } = await import('./exec.js');
+        const { writeDotenv } = await import('./dotenv.js');
+        // Resolve token
+        let token;
+        try {
+            token = await resolveToken(opts.token);
+        }
+        catch (err) {
+            process.stderr.write(`Error: ${err instanceof Error ? err.message : err}\n`);
+            process.exit(1);
+        }
+        // Resolve vault connection
+        let connection;
+        try {
+            connection = await resolveVaultConnection(opts.vaultUrl);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes('Cannot reach vault')) {
+                process.stderr.write('Error: Cannot reach vault. Unlock with: unotoken unlock\n');
+            }
+            else {
+                process.stderr.write(`Error: ${msg}\n`);
+            }
+            process.exit(1);
+        }
+        // Generate dotenv
+        await writeDotenv({
+            prefix: opts.prefix,
+            token,
+            host: connection.host,
+            port: connection.port,
+            out: opts.out,
+            force: opts.force,
+        });
+        if (opts.out) {
+            process.stderr.write(`Generated: ${opts.out}\n`);
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (msg.includes('ECONNREFUSED') || msg.includes('ENOTFOUND')) {
+            process.stderr.write('Error: Cannot reach vault. Is the vault server running?\n');
+            process.stderr.write('Start it with: unotoken server\n');
+        }
+        else {
+            process.stderr.write(`Error: ${msg}\n`);
+        }
+        process.exit(1);
+    }
+});
+// ─── Helpers ─────────────────────────────────────────────────────────
+/**
+ * Read a passphrase from the terminal (stdin) with hidden input.
+ */
+function readPassphraseFromTerminal(prompt) {
+    return new Promise((resolve, reject) => {
+        // Check if stdin is a TTY
+        if (process.stdin.isTTY) {
+            const rl = createInterface({
+                input: process.stdin,
+                output: process.stderr,
+                terminal: true,
+            });
+            // Temporarily mute output for passphrase entry
+            process.stderr.write(prompt);
+            const stdin = process.stdin;
+            const oldRawMode = stdin.isRaw;
+            // On Windows, readline handles the echo suppression
+            rl.question('', (answer) => {
+                rl.close();
+                if (stdin.setRawMode && oldRawMode !== undefined) {
+                    stdin.setRawMode(oldRawMode);
+                }
+                resolve(answer);
+            });
+            // Suppress echo by using raw mode if available
+            if (stdin.setRawMode) {
+                stdin.setRawMode(true);
+                let passphrase = '';
+                const onData = (data) => {
+                    const char = data.toString('utf-8');
+                    if (char === '\n' || char === '\r') {
+                        stdin.removeListener('data', onData);
+                        stdin.setRawMode(false);
+                        rl.close();
+                        process.stderr.write('\n');
+                        resolve(passphrase);
+                    }
+                    else if (char === '\u0003') {
+                        // Ctrl+C
+                        stdin.removeListener('data', onData);
+                        stdin.setRawMode(false);
+                        rl.close();
+                        reject(new Error('Cancelled'));
+                    }
+                    else if (char === '\u007f' || char === '\b') {
+                        // Backspace
+                        passphrase = passphrase.slice(0, -1);
+                    }
+                    else {
+                        passphrase += char;
+                    }
+                };
+                stdin.on('data', onData);
+                // Close the readline question to avoid double-resolve
+                rl.close();
+            }
+        }
+        else {
+            // Non-TTY (piped input) — just read a line
+            const rl = createInterface({
+                input: process.stdin,
+                output: process.stderr,
+            });
+            rl.question(prompt, (answer) => {
+                rl.close();
+                resolve(answer);
+            });
+        }
+    });
+}
+/**
+ * Read a line of input from the terminal.
+ */
+function readLineFromTerminal(prompt) {
+    return new Promise((resolve) => {
+        const rl = createInterface({
+            input: process.stdin,
+            output: process.stderr,
+        });
+        rl.question(prompt, (answer) => {
+            rl.close();
+            resolve(answer);
+        });
+    });
+}
+function capitalize(s) {
+    return s.charAt(0).toUpperCase() + s.slice(1);
+}
+function formatDate(isoDate) {
+    try {
+        const d = new Date(isoDate);
+        if (isNaN(d.getTime()))
+            return isoDate;
+        return d.toLocaleString();
+    }
+    catch {
+        return isoDate;
+    }
+}
+// ─── Device guard helper ──────────────────────────────────────────
+/**
+ * Run the device guard check interactively.
+ *
+ * Uses TTY readline for code entry when a new device is detected.
+ */
+async function runDeviceGuard() {
+    const { deviceGuard, DeviceApprovalRequired } = await import('./signatures/guard.js');
+    try {
+        const result = await deviceGuard({
+            isTTY: process.stdin.isTTY === true,
+            readLine: readLineFromTerminal,
+            writeOutput: (msg) => process.stderr.write(msg),
+            writeError: (msg) => process.stderr.write(msg),
+        });
+        return { allowed: result.allowed };
+    }
+    catch (err) {
+        if (err instanceof DeviceApprovalRequired) {
+            process.stderr.write(`Error: ${err.message}\n`);
+            return { allowed: false };
+        }
+        throw err;
+    }
+}
+// ─── Vault command interception (device guard for delegated commands) ──
+/** Commands that require device approval before delegation to yokotoken */
+const GUARDED_VAULT_COMMANDS = new Set(['get', 'set', 'list', 'delete', 'server']);
+/**
+ * Run the device guard, then delegate to yokotoken if approved.
+ */
+async function guardAndDelegate(args) {
+    const guardResult = await runDeviceGuard();
+    if (!guardResult.allowed) {
+        process.exit(1);
+    }
+    delegateToYokotoken(args);
+}
+// ─── Delegate all other commands to yokotoken CLI ──────────────────
+/**
+ * Resolve the path to the yokotoken CLI binary.
+ */
+function resolveYokotokenBin() {
+    const localBin = path.resolve(__dirname, '..', 'node_modules', '.bin', 'yokotoken');
+    return localBin;
+}
+/**
+ * Delegate a command invocation to the yokotoken CLI.
+ * Passes through all arguments and inherits stdio.
+ */
+function delegateToYokotoken(args) {
+    const bin = resolveYokotokenBin();
+    const child = spawn(bin, args, {
+        stdio: 'inherit',
+        shell: true,
+    });
+    child.on('error', (err) => {
+        // If local bin not found, try global yokotoken
+        const fallback = spawn('yokotoken', args, {
+            stdio: 'inherit',
+            shell: true,
+        });
+        fallback.on('error', () => {
+            process.stderr.write(`Error: Could not find yokotoken CLI. Install it with: npm install -g yokotoken\n` +
+                `Original error: ${err.message}\n`);
+            process.exit(1);
+        });
+        fallback.on('exit', (code) => {
+            process.exit(code ?? 1);
+        });
+    });
+    child.on('exit', (code) => {
+        process.exit(code ?? 0);
+    });
+}
+// Check if the first argument is a known unotoken command
+const unotokenCommands = new Set([
+    'auth',
+    'config',
+    'unlock',
+    'device',
+    'token',
+    'exec',
+    'help',
+    '--help',
+    '-h',
+    '--version',
+    '-V',
+]);
+const args = process.argv.slice(2);
+if (args.length === 0 || unotokenCommands.has(args[0])) {
+    // Let commander handle it (unotoken-specific commands + help/version)
+    program.parse();
+}
+else if (GUARDED_VAULT_COMMANDS.has(args[0])) {
+    // Vault operations -- run device guard first, then delegate
+    guardAndDelegate(args);
+}
+else {
+    // Delegate everything else to yokotoken
+    delegateToYokotoken(args);
+}
+//# sourceMappingURL=cli.js.map