@@ -163,6 +163,8 @@ session
163163 . option ( "--tier <tier>" , "Signer tier (software | totp)." , "software" )
164164 . option ( "--url <url>" , "Control-plane base URL." )
165165 . option ( "--policy-hash <hash>" , "Policy hash to bind into the attestation." )
166+ . option ( "--user-id <id>" , "User identity used for group-policy overlays." )
167+ . option ( "--group <name...>" , "Group memberships used for group-policy overlays." )
166168 . option ( "--code <6-digit>" , "TOTP code (required for --tier totp)." )
167169 . option ( "--passphrase <pp>" , "TOTP passphrase (required for --tier totp)." )
168170 . option ( "--json" , "Emit JSON instead of human output." , false )
@@ -171,6 +173,8 @@ session
171173 tier : string ;
172174 url ?: string ;
173175 policyHash ?: string ;
176+ userId ?: string ;
177+ group ?: string [ ] ;
174178 code ?: string ;
175179 passphrase ?: string ;
176180 json : boolean ;
@@ -197,6 +201,8 @@ session
197201 url : opts . url ,
198202 json : opts . json ,
199203 policyHash : opts . policyHash ,
204+ userId : opts . userId ,
205+ groups : opts . group ,
200206 code : opts . code ,
201207 passphrase : opts . passphrase ,
202208 } ) ;
@@ -220,6 +226,8 @@ session
220226 . option ( "--tier <tier>" , "Signer tier (software | totp)." , "software" )
221227 . option ( "--url <url>" , "Control-plane base URL." )
222228 . option ( "--policy-hash <hash>" , "Policy hash to bind into the rotated attestation." )
229+ . option ( "--user-id <id>" , "User identity used for group-policy overlays." )
230+ . option ( "--group <name...>" , "Group memberships used for group-policy overlays." )
223231 . option ( "--code <6-digit>" , "TOTP code (required for --tier totp)." )
224232 . option ( "--passphrase <pp>" , "TOTP passphrase (required for --tier totp)." )
225233 . option ( "--json" , "Emit JSON instead of human output." , false )
@@ -229,6 +237,8 @@ session
229237 tier : string ;
230238 url ?: string ;
231239 policyHash ?: string ;
240+ userId ?: string ;
241+ group ?: string [ ] ;
232242 code ?: string ;
233243 passphrase ?: string ;
234244 json : boolean ;
@@ -252,6 +262,8 @@ session
252262 url : opts . url ,
253263 json : opts . json ,
254264 policyHash : opts . policyHash ,
265+ userId : opts . userId ,
266+ groups : opts . group ,
255267 code : opts . code ,
256268 passphrase : opts . passphrase ,
257269 } ) ;
@@ -362,6 +374,7 @@ program
362374 . requiredOption ( "--tool <name>" , "Tool name (Bash, Read, Write, mcp__X__Y)." )
363375 . option ( "--command <cmd>" , "Bash command (shorthand for --input.command)." )
364376 . option ( "--file-path <path>" , "File path (shorthand for --input.file_path)." )
377+ . option ( "--cwd <path>" , "Working directory for scoped policy resolution." )
365378 . option ( "--input <json>" , "Raw tool input as JSON." )
366379 . option ( "--url <url>" , "Control-plane base URL." )
367380 . option ( "--json" , "Emit JSON instead of human output." , false )
@@ -372,6 +385,7 @@ program
372385 tool : string ;
373386 command ?: string ;
374387 filePath ?: string ;
388+ cwd ?: string ;
375389 input ?: string ;
376390 url ?: string ;
377391 json : boolean ;
@@ -382,6 +396,7 @@ program
382396 tool : opts . tool ,
383397 command : opts . command ,
384398 filePath : opts . filePath ,
399+ cwd : opts . cwd ,
385400 inputJson : opts . input ,
386401 url : opts . url ,
387402 json : opts . json ,
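Review bot: The new `userId : opts . userId` and `groups : opts . group` lines in both session handlers (new lines 204-205 and 265-266) forward identity and group membership exactly as typed on the command line, and nothing visible here shows where those claims are checked. If group-policy overlays can loosen policy, the control plane should derive membership from the authenticated signer rather than from these flags; the receiving code is outside these hunks, so that needs confirming. I would add a comment above the two fields such as `// userId/groups are unverified caller claims; the server must authenticate them before applying overlays` and say the same in the `--user-id` / `--group` help text. The same applies to `cwd : opts . cwd` (new line 399), which is passed unnormalized into scoped policy resolution; resolving it to an absolute, canonical path before use would keep relative or symlinked paths from selecting a different policy scope than intended.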