sign-cli

sign-cli is a consent-gated e-signature tool that runs entirely on your own machine — no signup, no API keys, no third party ever touches your documents. It produces real PAdES (PKCS#7) signed PDFs offline, verifies them cryptographically — checking the signature value against the signer's certificate, not just a digest — and keeps a hash-chained audit trail you can replay. Everything the CLI does is also an MCP server, so an agent can request, stamp, sign, and verify documents through the same human-gated, auditable surface; signing always stays behind explicit consent, never an unguarded auto-sign path. It's the offline, you-hold-the-keys alternative to DocuSign-style SaaS — and it composes with the rest of the contract-ops CLI suite when you need extraction, redlining, or obligation tracking.