@did-btcr2/cli 0.10.3 → 0.12.0

Files changed (94) hide show
  1. package/dist/.tsbuildinfo +1 -1
  2. package/dist/cjs/index.js +1028 -114
  3. package/dist/esm/src/cli.js +31 -13
  4. package/dist/esm/src/cli.js.map +1 -1
  5. package/dist/esm/src/commands/completion.js +36 -0
  6. package/dist/esm/src/commands/completion.js.map +1 -0
  7. package/dist/esm/src/commands/config.js +69 -0
  8. package/dist/esm/src/commands/config.js.map +1 -0
  9. package/dist/esm/src/commands/create.js +109 -30
  10. package/dist/esm/src/commands/create.js.map +1 -1
  11. package/dist/esm/src/commands/deactivate.js +21 -8
  12. package/dist/esm/src/commands/deactivate.js.map +1 -1
  13. package/dist/esm/src/commands/index.js +4 -0
  14. package/dist/esm/src/commands/index.js.map +1 -1
  15. package/dist/esm/src/commands/key.js +175 -0
  16. package/dist/esm/src/commands/key.js.map +1 -0
  17. package/dist/esm/src/commands/profile.js +63 -0
  18. package/dist/esm/src/commands/profile.js.map +1 -0
  19. package/dist/esm/src/commands/update.js +19 -9
  20. package/dist/esm/src/commands/update.js.map +1 -1
  21. package/dist/esm/src/config.js +119 -12
  22. package/dist/esm/src/config.js.map +1 -1
  23. package/dist/esm/src/keystore/atomic.js +64 -0
  24. package/dist/esm/src/keystore/atomic.js.map +1 -0
  25. package/dist/esm/src/keystore/envelope.js +123 -0
  26. package/dist/esm/src/keystore/envelope.js.map +1 -0
  27. package/dist/esm/src/keystore/error.js +16 -0
  28. package/dist/esm/src/keystore/error.js.map +1 -0
  29. package/dist/esm/src/keystore/file-backed-key-manager.js +78 -0
  30. package/dist/esm/src/keystore/file-backed-key-manager.js.map +1 -0
  31. package/dist/esm/src/keystore/file-key-store.js +184 -0
  32. package/dist/esm/src/keystore/file-key-store.js.map +1 -0
  33. package/dist/esm/src/keystore/passphrase.js +87 -0
  34. package/dist/esm/src/keystore/passphrase.js.map +1 -0
  35. package/dist/esm/src/keystore/paths.js +20 -0
  36. package/dist/esm/src/keystore/paths.js.map +1 -0
  37. package/dist/esm/src/keystore/resolve-key-ref.js +47 -0
  38. package/dist/esm/src/keystore/resolve-key-ref.js.map +1 -0
  39. package/dist/types/src/cli.d.ts +6 -2
  40. package/dist/types/src/cli.d.ts.map +1 -1
  41. package/dist/types/src/commands/completion.d.ts +5 -0
  42. package/dist/types/src/commands/completion.d.ts.map +1 -0
  43. package/dist/types/src/commands/config.d.ts +5 -0
  44. package/dist/types/src/commands/config.d.ts.map +1 -0
  45. package/dist/types/src/commands/create.d.ts +19 -1
  46. package/dist/types/src/commands/create.d.ts.map +1 -1
  47. package/dist/types/src/commands/deactivate.d.ts.map +1 -1
  48. package/dist/types/src/commands/index.d.ts +4 -0
  49. package/dist/types/src/commands/index.d.ts.map +1 -1
  50. package/dist/types/src/commands/key.d.ts +10 -0
  51. package/dist/types/src/commands/key.d.ts.map +1 -0
  52. package/dist/types/src/commands/profile.d.ts +5 -0
  53. package/dist/types/src/commands/profile.d.ts.map +1 -0
  54. package/dist/types/src/commands/update.d.ts.map +1 -1
  55. package/dist/types/src/config.d.ts +57 -5
  56. package/dist/types/src/config.d.ts.map +1 -1
  57. package/dist/types/src/keystore/atomic.d.ts +19 -0
  58. package/dist/types/src/keystore/atomic.d.ts.map +1 -0
  59. package/dist/types/src/keystore/envelope.d.ts +64 -0
  60. package/dist/types/src/keystore/envelope.d.ts.map +1 -0
  61. package/dist/types/src/keystore/error.d.ts +14 -0
  62. package/dist/types/src/keystore/error.d.ts.map +1 -0
  63. package/dist/types/src/keystore/file-backed-key-manager.d.ts +41 -0
  64. package/dist/types/src/keystore/file-backed-key-manager.d.ts.map +1 -0
  65. package/dist/types/src/keystore/file-key-store.d.ts +52 -0
  66. package/dist/types/src/keystore/file-key-store.d.ts.map +1 -0
  67. package/dist/types/src/keystore/passphrase.d.ts +20 -0
  68. package/dist/types/src/keystore/passphrase.d.ts.map +1 -0
  69. package/dist/types/src/keystore/paths.d.ts +13 -0
  70. package/dist/types/src/keystore/paths.d.ts.map +1 -0
  71. package/dist/types/src/keystore/resolve-key-ref.d.ts +19 -0
  72. package/dist/types/src/keystore/resolve-key-ref.d.ts.map +1 -0
  73. package/dist/types/src/types.d.ts +93 -5
  74. package/dist/types/src/types.d.ts.map +1 -1
  75. package/package.json +9 -4
  76. package/src/cli.ts +37 -12
  77. package/src/commands/completion.ts +40 -0
  78. package/src/commands/config.ts +84 -0
  79. package/src/commands/create.ts +140 -52
  80. package/src/commands/deactivate.ts +25 -12
  81. package/src/commands/index.ts +4 -0
  82. package/src/commands/key.ts +193 -0
  83. package/src/commands/profile.ts +65 -0
  84. package/src/commands/update.ts +23 -13
  85. package/src/config.ts +165 -20
  86. package/src/keystore/atomic.ts +73 -0
  87. package/src/keystore/envelope.ts +172 -0
  88. package/src/keystore/error.ts +16 -0
  89. package/src/keystore/file-backed-key-manager.ts +99 -0
  90. package/src/keystore/file-key-store.ts +242 -0
  91. package/src/keystore/passphrase.ts +99 -0
  92. package/src/keystore/paths.ts +20 -0
  93. package/src/keystore/resolve-key-ref.ts +62 -0
  94. package/src/types.ts +31 -18
@@ -1,5 +1,23 @@
1
1
  import type { Command } from 'commander';
2
2
  import type { ApiFactory } from '../config.js';
3
3
  import type { GlobalOptions } from '../types.js';
4
- export declare function registerCreateCommand(program: Command, factory: ApiFactory, globals: () => GlobalOptions): void;
4
+ /**
5
+ * Registers the `create` command.
6
+ *
7
+ * A deterministic (`-t k`) identifier has three mutually-exclusive input modes,
8
+ * selected by which is present:
9
+ * - generate (neither `--bytes` nor `--signing-key`): mint a fresh key, persist
10
+ * it to the keystore, set it active, and print the identifier. Sealing the
11
+ * secret prompts for the keystore passphrase.
12
+ * - existing (`--signing-key <ref>`): use a stored key's public key as the
13
+ * genesis bytes. Reading a public key never decrypts, so this never prompts.
14
+ * - raw (`--bytes <hex>`): a 33-byte public key as hex. Offline, keystore-free.
15
+ *
16
+ * An external (`-t x`) identifier is raw-bytes-only: a 32-byte genesis-document
17
+ * hash via `--bytes`. Generation and `--signing-key` apply only to `-t k`.
18
+ *
19
+ * The keystore-free `factory` serves the raw-bytes path; the keystore-aware
20
+ * `keystoreFactory` serves the generate and existing-key paths.
21
+ */
22
+ export declare function registerCreateCommand(program: Command, factory: ApiFactory, keystoreFactory: ApiFactory, globals: () => GlobalOptions): void;
5
23
  //# sourceMappingURL=create.d.ts.map
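Review bot: The new `keystoreFactory` parameter of `registerCreateCommand` sits directly next to `factory` and has the same `ApiFactory` type, so a call site that passes the two in the wrong order still type-checks. The doc comment makes the distinction security-relevant: the raw `--bytes` path is meant to be keystore-free, and a swap would hand it the keystore-aware factory, or give the generate path a factory with no keystore. Grouping them in a named object removes the ambiguity, e.g. `registerCreateCommand(program, { factory, keystoreFactory }, globals)`. If the positional form stays, the JSDoc should gain `@param factory` and `@param keystoreFactory` lines. This file is compiler output, so the change belongs in `package/src/commands/create.ts`.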
@@ -1 +1 @@
1
- {"version":3,"file":"create.d.ts","sourceRoot":"","sources":["../../../../src/commands/create.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG/C,OAAO,KAAK,EAEV,aAAa,EACC,MAAM,aAAa,CAAC;AAWpC,wBAAgB,qBAAqB,CACnC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CAwBN"}
1
+ {"version":3,"file":"create.d.ts","sourceRoot":"","sources":["../../../../src/commands/create.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,KAAK,EAAE,UAAU,EAAuB,MAAM,cAAc,CAAC;AAKpE,OAAO,KAAK,EAAiB,aAAa,EAAiB,MAAM,aAAa,CAAC;AAS/E;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAW,OAAO,EACzB,OAAO,EAAW,UAAU,EAC5B,eAAe,EAAG,UAAU,EAC5B,OAAO,EAAW,MAAM,aAAa,GACpC,IAAI,CA2FN"}
@@ -1 +1 @@
1
- {"version":3,"file":"deactivate.d.ts","sourceRoot":"","sources":["../../../../src/commands/deactivate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAE9D,OAAO,KAAK,EAAE,aAAa,EAAwB,MAAM,aAAa,CAAC;AAKvE,wBAAgB,yBAAyB,CACvC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CAyDN"}
1
+ {"version":3,"file":"deactivate.d.ts","sourceRoot":"","sources":["../../../../src/commands/deactivate.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAI9D,OAAO,KAAK,EAAE,aAAa,EAAwB,MAAM,aAAa,CAAC;AAKvE,wBAAgB,yBAAyB,CACvC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CAmEN"}
@@ -2,4 +2,8 @@ export { registerCreateCommand } from './create.js';
2
2
  export { registerResolveCommand } from './resolve.js';
3
3
  export { registerUpdateCommand } from './update.js';
4
4
  export { registerDeactivateCommand } from './deactivate.js';
5
+ export { registerKeyCommand } from './key.js';
6
+ export { registerConfigCommand } from './config.js';
7
+ export { registerProfileCommand } from './profile.js';
8
+ export { registerCompletionCommand } from './completion.js';
5
9
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/commands/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/commands/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC"}
@@ -0,0 +1,10 @@
1
+ import type { Command } from 'commander';
2
+ import type { ApiFactory } from '../config.js';
3
+ import type { GlobalOptions } from '../types.js';
4
+ /**
5
+ * Registers the `key` command group for managing keypairs in the encrypted
6
+ * keystore. All subcommands operate offline (no Bitcoin connection) through the
7
+ * keystore-backed KeyManager injected by the factory.
8
+ */
9
+ export declare function registerKeyCommand(program: Command, factory: ApiFactory, globals: () => GlobalOptions): void;
10
+ //# sourceMappingURL=key.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"key.d.ts","sourceRoot":"","sources":["../../../../src/commands/key.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI/C,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,aAAa,CAAC;AAEhE;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CAgHN"}
@@ -0,0 +1,5 @@
1
+ import type { Command } from 'commander';
2
+ import type { GlobalOptions } from '../types.js';
3
+ /** Registers the `profile` command group for managing configuration profiles. */
4
+ export declare function registerProfileCommand(program: Command, globals: () => GlobalOptions): void;
5
+ //# sourceMappingURL=profile.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"profile.d.ts","sourceRoot":"","sources":["../../../../src/commands/profile.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIzC,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,aAAa,CAAC;AAEhE,iFAAiF;AACjF,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,GAAG,IAAI,CAyD3F"}
@@ -1 +1 @@
1
- {"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../../src/commands/update.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAE9D,OAAO,KAAK,EAAE,aAAa,EAAwB,MAAM,aAAa,CAAC;AAEvE,wBAAgB,qBAAqB,CACnC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CA+DN"}
1
+ {"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../../src/commands/update.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAiB,KAAK,UAAU,EAAE,MAAM,cAAc,CAAC;AAI9D,OAAO,KAAK,EAAE,aAAa,EAAwB,MAAM,aAAa,CAAC;AAEvE,wBAAgB,qBAAqB,CACnC,OAAO,EAAG,OAAO,EACjB,OAAO,EAAG,UAAU,EACpB,OAAO,EAAG,MAAM,aAAa,GAC5B,IAAI,CAsEN"}
@@ -1,5 +1,5 @@
1
1
  import { type DidBtcr2Api } from '@did-btcr2/api';
2
- import { type NetworkOption } from './types.js';
2
+ import { type NetworkOption, type OutputFormat } from './types.js';
3
3
  /**
4
4
  * Endpoint overrides provided via CLI flags, env vars, or config file.
5
5
  * These override the per-network defaults from
@@ -16,6 +16,10 @@ export type ConnectionOverrides = {
16
16
  casGateway?: string;
17
17
  config?: string;
18
18
  profile?: string;
19
+ /** Keystore file path. Overrides the default `$XDG_DATA_HOME/btcr2/keystore.json`. */
20
+ keystore?: string;
21
+ /** Path to a file holding the keystore passphrase (for unattended use). */
22
+ passphraseFile?: string;
19
23
  };
20
24
  /**
21
25
  * On-disk config file schema.
@@ -41,6 +45,14 @@ export type ConnectionOverrides = {
41
45
  * ```
42
46
  */
43
47
  export type ConfigFile = {
48
+ /** Schema version, stamped on every write for forward compatibility. */
49
+ schemaVersion?: number;
50
+ /** Tool-wide defaults applied when not overridden by a flag or environment variable. */
51
+ defaults?: {
52
+ profile?: string;
53
+ network?: NetworkOption;
54
+ output?: OutputFormat;
55
+ };
44
56
  profiles?: Record<string, {
45
57
  btc?: {
46
58
  rest?: string;
@@ -51,8 +63,34 @@ export type ConfigFile = {
51
63
  cas?: {
52
64
  gateway?: string;
53
65
  };
66
+ /** Signing identity references. Never embeds key material; the secret lives in the keystore. */
67
+ identity?: {
68
+ keystore?: string;
69
+ default?: string;
70
+ };
71
+ /** Aggregation transport and cohort defaults, mirroring the aggregation runner inputs. */
72
+ aggregation?: {
73
+ transport?: 'nostr' | 'http' | 'didcomm';
74
+ relays?: string[];
75
+ httpBaseUrl?: string;
76
+ cohort?: Record<string, unknown>;
77
+ };
54
78
  }>;
55
79
  };
80
+ /** Current config-file schema version, stamped on every write. */
81
+ export declare const CONFIG_SCHEMA_VERSION = 1;
82
+ /**
83
+ * Read-modify-write a config file, preserving unknown keys. Reads the raw JSON
84
+ * (so keys outside {@link ConfigFile} survive a rewrite), applies `mutate`,
85
+ * stamps the schema version, and writes atomically (file 0600, dir 0700).
86
+ */
87
+ export declare function writeConfigFile(path: string, mutate: (raw: Record<string, unknown>) => void): void;
88
+ /** Reads the value at a dotted path (e.g. `profiles.regtest.btc.rest`). */
89
+ export declare function getConfigPath(config: Record<string, unknown>, path: string): unknown;
90
+ /** Sets the value at a dotted path, creating intermediate objects. */
91
+ export declare function setConfigPath(config: Record<string, unknown>, path: string, value: unknown): void;
92
+ /** Deletes the value at a dotted path. No-op if the path does not exist. */
93
+ export declare function unsetConfigPath(config: Record<string, unknown>, path: string): void;
56
94
  /**
57
95
  * Factory function that creates a configured {@link DidBtcr2Api} instance.
58
96
  *
@@ -105,18 +143,32 @@ export declare function readConfigFile(path: string): ConfigFile | undefined;
105
143
  * {@link ConfigFile}. Returns an empty object if the profile does not exist.
106
144
  */
107
145
  export declare function profileToOverrides(config: ConfigFile, profileName: string): ConnectionOverrides;
146
+ /**
147
+ * Resolves the default Bitcoin network for offline identifier creation when no
148
+ * `--network` flag is given. Resolution order: the config file's
149
+ * `defaults.network`, then an active profile named for a network (an explicit
150
+ * `--profile` flag or `defaults.profile`), then `regtest` as the development
151
+ * fallback. Generation itself is offline; this only fixes which network the
152
+ * identifier encodes.
153
+ */
154
+ export declare function resolveDefaultNetwork(overrides?: ConnectionOverrides): NetworkOption;
108
155
  /**
109
156
  * Default {@link ApiFactory} backed by network defaults from
110
157
  * `@did-btcr2/bitcoin` (mempool.space for public networks, localhost for
111
- * regtest).
158
+ * regtest). Keystore-free: suitable for offline `create` and read-only
159
+ * `resolve`, which never need a signing identity.
112
160
  *
113
161
  * Override precedence (highest wins):
114
162
  * CLI flags -> env vars -> config file profile -> network defaults.
115
- *
116
- * When no `--profile` is given, the network name is used as the profile
117
- * key (e.g. a regtest DID auto-selects the `"regtest"` profile).
118
163
  */
119
164
  export declare function defaultApiFactory(network?: NetworkOption, overrides?: ConnectionOverrides): DidBtcr2Api;
165
+ /**
166
+ * Keystore-aware {@link ApiFactory} for commands that need a signing identity
167
+ * (key management, update, deactivate). Identical to {@link defaultApiFactory}
168
+ * for Bitcoin and CAS, plus an injected keystore-backed KeyManager. Offline key
169
+ * commands (no network) still get the keystore.
170
+ */
171
+ export declare function keystoreApiFactory(network?: NetworkOption, overrides?: ConnectionOverrides): DidBtcr2Api;
120
172
  /**
121
173
  * Extracts and validates the Bitcoin network from a DID string.
122
174
  *
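Review bot: The comment on the new `passphraseFile` field (second hunk, inside `ConnectionOverrides`, whose opening lies outside the hunk) does not say what protection the passphrase file itself needs. `assertSecurePerms` in `keystore/atomic.d.ts` is documented as a check on the keystore file only, and whether `passphrase.ts` applies the same fail-closed mode check to this file is not visible here. A group- or world-readable passphrase file reduces the argon2id envelope to plain filesystem permissions, so the contract should be stated at the field. I would extend the comment to `/** Path to a file holding the keystore passphrase (for unattended use). The file must be readable by its owner only; it is rejected if group or other can read it. */` and enforce that if it is not already enforced.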
@@ -1 +1 @@
1
- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgD,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAKhG,OAAO,EAAsB,KAAK,aAAa,EAAE,MAAM,YAAY,CAAC;AAEpE;;;;;;;GAOG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,CAAC,EAAK,MAAM,CAAC;IACpB,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAM,MAAM,CAAC;IACpB,OAAO,CAAC,EAAK,MAAM,CAAC;CACrB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QACxB,GAAG,CAAC,EAAE;YACJ,IAAI,CAAC,EAAM,MAAM,CAAC;YAClB,MAAM,CAAC,EAAI,MAAM,CAAC;YAClB,OAAO,CAAC,EAAG,MAAM,CAAC;YAClB,OAAO,CAAC,EAAG,MAAM,CAAC;SACnB,CAAC;QACF,GAAG,CAAC,EAAE;YACJ,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;KACH,CAAC,CAAC;CACJ,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,KAAK,WAAW,CAAC;AAEnG;;;;;;;;;;GAUG;AACH,eAAO,MAAM,QAAQ;;;;;;CAMX,CAAC;AAEX;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,mBAAmB,CAStD;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAK1C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,CAOnE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAQ,UAAU,EACxB,WAAW,EAAG,MAAM,GACnB,mBAAmB,CAUrB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,GAAG,WAAW,CAsCvG;AAED;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CAUxD"}
1
+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgD,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAUhG,OAAO,EAAsB,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,YAAY,CAAC;AAEvF;;;;;;;GAOG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,CAAC,EAAU,MAAM,CAAC;IACzB,SAAS,CAAC,EAAQ,MAAM,CAAC;IACzB,UAAU,CAAC,EAAO,MAAM,CAAC;IACzB,UAAU,CAAC,EAAO,MAAM,CAAC;IACzB,UAAU,CAAC,EAAO,MAAM,CAAC;IACzB,MAAM,CAAC,EAAW,MAAM,CAAC;IACzB,OAAO,CAAC,EAAU,MAAM,CAAC;IACzB,sFAAsF;IACtF,QAAQ,CAAC,EAAS,MAAM,CAAC;IACzB,2EAA2E;IAC3E,cAAc,CAAC,EAAG,MAAM,CAAC;CAC1B,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,QAAQ,CAAC,EAAE;QACT,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,aAAa,CAAC;QACxB,MAAM,CAAC,EAAE,YAAY,CAAC;KACvB,CAAC;IACF,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QACxB,GAAG,CAAC,EAAE;YACJ,IAAI,CAAC,EAAM,MAAM,CAAC;YAClB,MAAM,CAAC,EAAI,MAAM,CAAC;YAClB,OAAO,CAAC,EAAG,MAAM,CAAC;YAClB,OAAO,CAAC,EAAG,MAAM,CAAC;SACnB,CAAC;QACF,GAAG,CAAC,EAAE;YACJ,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,gGAAgG;QAChG,QAAQ,CAAC,EAAE;YACT,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,0FAA0F;QAC1F,WAAW,CAAC,EAAE;YACZ,SAAS,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;YACzC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;YAClB,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;SAClC,CAAC;KACH,CAAC,CAAC;CACJ,CAAC;AAEF,kEAAkE;AAClE,eAAO,MAAM,qBAAqB,IAAI,CAAC;AAEvC;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,GAAG,IAAI,CAMlG;AAED,2EAA2E;AAC3E,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAKpF;AAED,sEAAsE;AACtE,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAUjG;AAED,4EAA4E;AAC5E,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAUnF;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,UAAU,GAAG,
CAAC,OAAO,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,KAAK,WAAW,CAAC;AAEnG;;;;;;;;;;GAUG;AACH,eAAO,MAAM,QAAQ;;;;;;CAMX,CAAC;AAEX;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,mBAAmB,CAStD;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAK1C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,CAOnE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAQ,UAAU,EACxB,WAAW,EAAG,MAAM,GACnB,mBAAmB,CAUrB;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,CAAC,EAAE,mBAAmB,GAAG,aAAa,CAapF;AAwDD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,GAAG,WAAW,CAEvG;AAgBD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,mBAAmB,GAAG,WAAW,CAKxG;AAED;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CAUxD"}
@@ -0,0 +1,19 @@
1
+ /**
2
+ * Creates a directory (recursively) and, on POSIX systems, tightens it to the
3
+ * requested mode. `mkdir`'s mode is subject to the umask, so it is reapplied
4
+ * with an explicit `chmod`.
5
+ */
6
+ export declare function ensureDir(dir: string, mode: number): void;
7
+ /**
8
+ * Writes a file atomically: serialize to a sibling temporary file, tighten its
9
+ * permissions, then rename over the target so a crash mid-write cannot leave a
10
+ * truncated or partially-written file. The temporary file is removed on failure.
11
+ */
12
+ export declare function writeFileAtomic(path: string, data: string, mode: number): void;
13
+ /**
14
+ * Fails closed if a keystore file is readable or writable by group or other.
15
+ * On Windows, where POSIX mode bits are not enforced, this is a no-op that
16
+ * warns once on standard error.
17
+ */
18
+ export declare function assertSecurePerms(path: string): void;
19
+ //# sourceMappingURL=atomic.d.ts.map
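Review bot: The `writeFileAtomic` comment describes the order "serialize to a sibling temporary file, tighten its permissions, then rename", which suggests the temporary file first exists with umask-default permissions and is only then chmod-ed. That would leave a short window in which another local user can open the keystore or config contents, and an open handle survives the later chmod. The implementation is not in this section, so this is inferred from the wording only. Creating the file with the final mode and refusing to reuse an existing path closes the window: `fs.writeFileSync(tmp, data, { mode, flag: 'wx' })`, with the explicit chmod kept only as a backstop. The comment should then say the temporary file is created with the restricted mode rather than tightened afterwards.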
@@ -0,0 +1 @@
1
+ {"version":3,"file":"atomic.d.ts","sourceRoot":"","sources":["../../../../src/keystore/atomic.ts"],"names":[],"mappings":"AAQA;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CASzD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAkB9E;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAkBpD"}
@@ -0,0 +1,64 @@
1
+ /** Current keystore secret-envelope format version. */
2
+ export declare const ENVELOPE_VERSION: 1;
3
+ /**
4
+ * argon2id cost parameters. Field names follow RFC 9106: `t` time cost
5
+ * (passes), `m` memory cost in KiB, `p` parallelism (lanes), `dkLen` derived
6
+ * key length in bytes.
7
+ */
8
+ export type ArgonParams = {
9
+ t: number;
10
+ m: number;
11
+ p: number;
12
+ dkLen: number;
13
+ };
14
+ /**
15
+ * Production argon2id parameters: 3 passes over 64 MiB across 4 lanes, deriving
16
+ * a 32-byte key. Recorded in every envelope so the cost can be raised later
17
+ * without making previously sealed envelopes undecryptable.
18
+ */
19
+ export declare const DEFAULT_ARGON_PARAMS: ArgonParams;
20
+ /**
21
+ * A self-describing, versioned envelope sealing one secret at rest. The header
22
+ * (version, key-derivation parameters, cipher) is bound as the AEAD additional
23
+ * data, so a tampered header fails authentication. All byte fields are
24
+ * base64url with no padding.
25
+ */
26
+ export type SecretEnvelope = {
27
+ v: typeof ENVELOPE_VERSION;
28
+ kdf: {
29
+ alg: 'argon2id';
30
+ salt: string;
31
+ t: number;
32
+ m: number;
33
+ p: number;
34
+ dkLen: number;
35
+ };
36
+ cipher: 'xchacha20poly1305';
37
+ nonce: string;
38
+ ciphertext: string;
39
+ };
40
+ /**
41
+ * Seals a secret under a passphrase into a {@link SecretEnvelope}. A fresh
42
+ * random salt and nonce are generated per call, so encrypting the same secret
43
+ * twice yields different envelopes.
44
+ *
45
+ * @param secret - The secret bytes to encrypt. Must be non-empty.
46
+ * @param passphrase - The passphrase the encryption key is derived from.
47
+ * @param params - argon2id cost parameters. Defaults to {@link DEFAULT_ARGON_PARAMS}.
48
+ * @returns The versioned, authenticated envelope.
49
+ * @throws {KeyStoreError} `ENVELOPE_ENCRYPT_ERROR` when `secret` is empty.
50
+ */
51
+ export declare function encryptSecret(secret: Uint8Array, passphrase: string, params?: ArgonParams): SecretEnvelope;
52
+ /**
53
+ * Opens a {@link SecretEnvelope} sealed by {@link encryptSecret} and returns the
54
+ * plaintext secret. A wrong passphrase, corrupted ciphertext, or a tampered
55
+ * header all fail authentication and raise `DECRYPT_ERROR`.
56
+ *
57
+ * @param env - The envelope to open.
58
+ * @param passphrase - The passphrase the envelope was sealed with.
59
+ * @returns The decrypted secret bytes.
60
+ * @throws {KeyStoreError} `ENVELOPE_VERSION_ERROR` for an unknown version or
61
+ * algorithm; `DECRYPT_ERROR` for failed authentication.
62
+ */
63
+ export declare function decryptSecret(env: SecretEnvelope, passphrase: string): Uint8Array;
64
+ //# sourceMappingURL=envelope.d.ts.map
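Review bot: `decryptSecret` documents errors only for an unknown version or algorithm and for failed authentication, and says nothing about out-of-range `kdf` cost fields. The argon2id parameters are read from the envelope and must be used before the AEAD tag can be checked, so binding the header as additional data does not stop a damaged or replaced keystore file from requesting an arbitrarily large `m` or `t` and exhausting memory or CPU. I would validate the fields before deriving, along the lines of `if (env.kdf.dkLen !== 32 || env.kdf.m > MAX_M || env.kdf.t > MAX_T || env.kdf.p > MAX_P) throw new KeyStoreError(...)`. The `MAX_*` names are placeholders for ceilings the project chooses, and the new failure mode should get its own `@throws` line. The implementation is not visible here, so this may already be handled in `envelope.ts`.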
@@ -0,0 +1 @@
1
+ {"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../../../../src/keystore/envelope.ts"],"names":[],"mappings":"AAMA,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,EAAG,CAAU,CAAC;AAS3C;;;;GAIG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB,CAAC,EAAO,MAAM,CAAC;IACf,CAAC,EAAO,MAAM,CAAC;IACf,CAAC,EAAO,MAAM,CAAC;IACf,KAAK,EAAG,MAAM,CAAC;CAChB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAAwD,CAAC;AAE5F;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,CAAC,EAAK,OAAO,gBAAgB,CAAC;IAC9B,GAAG,EAAG;QACJ,GAAG,EAAK,UAAU,CAAC;QACnB,IAAI,EAAI,MAAM,CAAC;QACf,CAAC,EAAO,MAAM,CAAC;QACf,CAAC,EAAO,MAAM,CAAC;QACf,CAAC,EAAO,MAAM,CAAC;QACf,KAAK,EAAG,MAAM,CAAC;KAChB,CAAC;IACF,MAAM,EAAO,mBAAmB,CAAC;IACjC,KAAK,EAAQ,MAAM,CAAC;IACpB,UAAU,EAAG,MAAM,CAAC;CACrB,CAAC;AA2CF;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAO,UAAU,EACvB,UAAU,EAAG,MAAM,EACnB,MAAM,GAAO,WAAkC,GAC9C,cAAc,CAkBhB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,GAAG,UAAU,CA4BjF"}
@@ -0,0 +1,14 @@
1
+ import { DidMethodError } from '@did-btcr2/common';
2
+ /**
3
+ * Error raised by the CLI keystore layer: secret-envelope encryption and
4
+ * decryption, on-disk file permission enforcement, and passphrase acquisition.
5
+ *
6
+ * Unlike {@link CLIError} (whose `name` is fixed to `'CLIError'`), this follows
7
+ * the {@link DidMethodError} sibling convention where `name` mirrors the `type`
8
+ * code, so a thrown error's `name` reflects the specific failure category
9
+ * (for example `DECRYPT_ERROR` or `KEYSTORE_PERMISSION_ERROR`).
10
+ */
11
+ export declare class KeyStoreError extends DidMethodError {
12
+ constructor(message: string, type?: string, data?: Record<string, any>);
13
+ }
14
+ //# sourceMappingURL=error.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"error.d.ts","sourceRoot":"","sources":["../../../../src/keystore/error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEnD;;;;;;;;GAQG;AACH,qBAAa,aAAc,SAAQ,cAAc;gBACnC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAwB,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;CAGxF"}
@@ -0,0 +1,41 @@
1
+ import type { Bytes, HashBytes, KeyBytes, SignatureBytes } from '@did-btcr2/common';
2
+ import { type GenerateKeyOptions, type ImportKeyOptions, type KeyIdentifier, type KeyManager, type SignOptions, type VerifyOptions } from '@did-btcr2/key-manager';
3
+ import type { SchnorrKeyPair } from '@did-btcr2/keypair';
4
+ import { type FileKeyStoreOptions } from './file-key-store.js';
5
+ /**
6
+ * A {@link KeyManager} backed by the encrypted on-disk {@link FileKeyStore}.
7
+ *
8
+ * It composes a {@link LocalKeyManager} over a {@link FileKeyStore} and adds the
9
+ * one thing the store interface cannot express: persisting the active-key
10
+ * pointer. `LocalKeyManager` tracks the active key only in process memory, so
11
+ * this wrapper mirrors every active-key change to the keystore file and
12
+ * re-applies the persisted pointer at construction. Read and signing
13
+ * operations delegate straight through.
14
+ *
15
+ * Injected as the api's KeyManager so every command reaches it uniformly via
16
+ * `api.kms`, and "the active key" survives across CLI invocations.
17
+ */
18
+ export declare class FileBackedKeyManager implements KeyManager {
19
+ #private;
20
+ /** Capability probe: the local store supports exporting secret material. */
21
+ readonly canExport = true;
22
+ constructor(options: FileKeyStoreOptions);
23
+ get activeKeyId(): KeyIdentifier | undefined;
24
+ setActiveKey(id: KeyIdentifier): void;
25
+ importKey(keyPair: SchnorrKeyPair, options?: ImportKeyOptions): KeyIdentifier;
26
+ generateKey(options?: GenerateKeyOptions): KeyIdentifier;
27
+ removeKey(id: KeyIdentifier, options?: {
28
+ force?: boolean;
29
+ }): void;
30
+ listKeys(): KeyIdentifier[];
31
+ getPublicKey(id?: KeyIdentifier): KeyBytes;
32
+ getEntry(id?: KeyIdentifier): {
33
+ publicKey: KeyBytes;
34
+ tags?: Record<string, string>;
35
+ };
36
+ sign(data: Bytes, id?: KeyIdentifier, options?: SignOptions): SignatureBytes;
37
+ verify(signature: SignatureBytes, data: Bytes, id?: KeyIdentifier, options?: VerifyOptions): boolean;
38
+ digest(data: Uint8Array): HashBytes;
39
+ exportKey(id: KeyIdentifier): SchnorrKeyPair;
40
+ }
41
+ //# sourceMappingURL=file-backed-key-manager.d.ts.map
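Review bot: No member of `FileBackedKeyManager` documents which calls open a sealed secret. The class comment only says "Read and signing operations delegate straight through", while `canExport` is fixed to `true` and `exportKey` returns a full `SchnorrKeyPair`. Someone auditing where secret material leaves the keystore has to read the implementation to learn which methods decrypt and may prompt. I would add `/** Returns the key pair including the secret key. Opens the sealed envelope, so it may prompt for the passphrase. */` on `exportKey`, a one-line equivalent on `sign`, and a note on `getPublicKey`, `getEntry` and `listKeys` that they never decrypt. This assumes they follow the `FileKeyStore` contract, which says `get` is the only path that materializes a secret.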
@@ -0,0 +1 @@
1
+ {"version":3,"file":"file-backed-key-manager.d.ts","sourceRoot":"","sources":["../../../../src/keystore/file-backed-key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACpF,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAClB,KAAK,UAAU,EACf,KAAK,WAAW,EAChB,KAAK,aAAa,EACnB,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAgB,KAAK,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE7E;;;;;;;;;;;;GAYG;AACH,qBAAa,oBAAqB,YAAW,UAAU;;IACrD,4EAA4E;IAC5E,QAAQ,CAAC,SAAS,QAAQ;gBAKd,OAAO,EAAE,mBAAmB;IAWxC,IAAI,WAAW,IAAI,aAAa,GAAG,SAAS,CAE3C;IAED,YAAY,CAAC,EAAE,EAAE,aAAa,GAAG,IAAI;IAKrC,SAAS,CAAC,OAAO,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,aAAa;IAM7E,WAAW,CAAC,OAAO,CAAC,EAAE,kBAAkB,GAAG,aAAa;IAMxD,SAAS,CAAC,EAAE,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI;IAMjE,QAAQ,IAAI,aAAa,EAAE;IAI3B,YAAY,CAAC,EAAE,CAAC,EAAE,aAAa,GAAG,QAAQ;IAI1C,QAAQ,CAAC,EAAE,CAAC,EAAE,aAAa,GAAG;QAAE,SAAS,EAAE,QAAQ,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE;IAIpF,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,cAAc;IAI5E,MAAM,CAAC,SAAS,EAAE,cAAc,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO;IAIpG,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,SAAS;IAInC,SAAS,CAAC,EAAE,EAAE,aAAa,GAAG,cAAc;CAG7C"}
@@ -0,0 +1,52 @@
1
+ import type { KeyEntry, KeyIdentifier, KeyValueStore } from '@did-btcr2/key-manager';
2
+ import type { ArgonParams } from './envelope.js';
3
+ /** Current on-disk keystore file format version. */
4
+ export declare const KEYSTORE_VERSION: 1;
5
+ /** Options for constructing a {@link FileKeyStore}. */
6
+ export type FileKeyStoreOptions = {
7
+ /** Keystore file path. Defaults to {@link defaultKeystorePath}. */
8
+ path?: string;
9
+ /** Supplies the passphrase lazily, called only when a secret must be sealed or opened. */
10
+ getPassphrase: () => string;
11
+ /** argon2id cost parameters used when sealing new secrets. Defaults to {@link DEFAULT_ARGON_PARAMS}. */
12
+ argonParams?: ArgonParams;
13
+ };
14
+ /**
15
+ * A Node-only, file-backed {@link KeyValueStore} that encrypts secret keys at
16
+ * rest. It satisfies the synchronous store contract by caching the parsed file
17
+ * in memory at construction and flushing the whole file atomically on every
18
+ * mutation.
19
+ *
20
+ * Secrets are materialized only through {@link FileKeyStore.get}. The
21
+ * {@link FileKeyStore.list} and {@link FileKeyStore.entries} projections omit
22
+ * secret keys and never decrypt, so enumerating the store never triggers a
23
+ * passphrase prompt.
24
+ */
25
+ export declare class FileKeyStore implements KeyValueStore<KeyIdentifier, KeyEntry> {
26
+ #private;
27
+ constructor(options: FileKeyStoreOptions);
28
+ get(id: KeyIdentifier): KeyEntry | undefined;
29
+ has(id: KeyIdentifier): boolean;
30
+ set(id: KeyIdentifier, value: KeyEntry): void;
31
+ delete(id: KeyIdentifier): boolean;
32
+ clear(): void;
33
+ /** All stored values with secret keys omitted. Never decrypts, never prompts. */
34
+ list(): Array<KeyEntry>;
35
+ /**
36
+ * All entries as id-value tuples with secret keys omitted. Never decrypts,
37
+ * never prompts: {@link FileKeyStore.get} is the only secret-materializing
38
+ * path, so callers that only need identifiers (such as `listKeys`) do not
39
+ * force a passphrase prompt. This deviates intentionally from the in-memory
40
+ * store, which returns stored values verbatim.
41
+ */
42
+ entries(): Array<[KeyIdentifier, KeyEntry]>;
43
+ close(): void;
44
+ /** The persisted active-key identifier, or undefined if none is set. */
45
+ getActive(): string | undefined;
46
+ /**
47
+ * Persists the active-key pointer in the keystore file. Passing undefined
48
+ * clears it. Throws if the identifier is not a known key.
49
+ */
50
+ setActive(id: KeyIdentifier | undefined): void;
51
+ }
52
+ //# sourceMappingURL=file-key-store.d.ts.map
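Review bot: `close()` and `clear()` on `FileKeyStore` have no doc comment, although the class comment says the parsed file is cached in memory and flushed to disk on every mutation. A caller therefore cannot tell whether `close()` discards that cache, or whether `clear()` removes every key from the keystore file. The implementation is not part of this declaration file, so this is a documentation request rather than a reported defect. Comments along the lines of `/** Releases the in-memory cache; the store must not be used afterwards. */` and `/** Deletes every entry and flushes the empty keystore to disk; irreversible. */`, reworded to match the actual behaviour, would settle it.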
@@ -0,0 +1 @@
1
+ {"version":3,"file":"file-key-store.d.ts","sourceRoot":"","sources":["../../../../src/keystore/file-key-store.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAIrF,OAAO,KAAK,EAAE,WAAW,EAAkB,MAAM,eAAe,CAAC;AAIjE,oDAAoD;AACpD,eAAO,MAAM,gBAAgB,EAAG,CAAU,CAAC;AAwB3C,uDAAuD;AACvD,MAAM,MAAM,mBAAmB,GAAG;IAChC,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0FAA0F;IAC1F,aAAa,EAAE,MAAM,MAAM,CAAC;IAC5B,wGAAwG;IACxG,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,qBAAa,YAAa,YAAW,aAAa,CAAC,aAAa,EAAE,QAAQ,CAAC;;gBAO7D,OAAO,EAAE,mBAAmB;IAyExC,GAAG,CAAC,EAAE,EAAE,aAAa,GAAG,QAAQ,GAAG,SAAS;IA0B5C,GAAG,CAAC,EAAE,EAAE,aAAa,GAAG,OAAO;IAI/B,GAAG,CAAC,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,GAAG,IAAI;IAa7C,MAAM,CAAC,EAAE,EAAE,aAAa,GAAG,OAAO;IASlC,KAAK,IAAI,IAAI;IAMb,iFAAiF;IACjF,IAAI,IAAI,KAAK,CAAC,QAAQ,CAAC;IAIvB;;;;;;OAMG;IACH,OAAO,IAAI,KAAK,CAAC,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAW3C,KAAK,IAAI,IAAI;IAQb,wEAAwE;IACxE,SAAS,IAAI,MAAM,GAAG,SAAS;IAI/B;;;OAGG;IACH,SAAS,CAAC,EAAE,EAAE,aAAa,GAAG,SAAS,GAAG,IAAI;CAO/C"}
@@ -0,0 +1,20 @@
1
+ /** Environment variable that supplies the keystore passphrase for unattended use. */
2
+ export declare const ENV_KEYSTORE_PASSPHRASE = "BTCR2_KEYSTORE_PASSPHRASE";
3
+ /** Options controlling how a passphrase is acquired. */
4
+ export type PassphraseOptions = {
5
+ /** Path to a file whose contents (a trailing newline is trimmed) are the passphrase. */
6
+ passphraseFile?: string;
7
+ /** Prompt label shown on a terminal. */
8
+ prompt?: string;
9
+ /** When true, prompt twice and require the entries to match (for a new keystore). */
10
+ confirm?: boolean;
11
+ };
12
+ /**
13
+ * Acquires a passphrase without ever reading it from a command-line flag value
14
+ * (which would leak into process listings and shell history). Resolution order:
15
+ * the {@link ENV_KEYSTORE_PASSPHRASE} environment variable, a passphrase file,
16
+ * then a non-echoing terminal prompt. Throws if none is available and standard
17
+ * input is not a terminal.
18
+ */
19
+ export declare function acquirePassphrase(options?: PassphraseOptions): string;
20
+ //# sourceMappingURL=passphrase.d.ts.map
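Review bot: The resolution order in the `acquirePassphrase` comment lets the `BTCR2_KEYSTORE_PASSPHRASE` environment variable win over an explicitly passed `passphraseFile`, so a stale or inherited variable silently overrides what the caller asked for. The stated rationale for refusing a flag value (process listings, shell history) applies in part to the environment too, which child processes inherit and which the same user can usually read from a running process. I would either try the explicit file first or document the precedence and exposure, e.g. `* The environment variable takes precedence over passphraseFile and is inherited by child processes; prefer a file readable only by its owner.` Whether the file's permissions are checked before it is read is not visible in this declaration.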
@@ -0,0 +1 @@
1
+ {"version":3,"file":"passphrase.d.ts","sourceRoot":"","sources":["../../../../src/keystore/passphrase.ts"],"names":[],"mappings":"AAGA,qFAAqF;AACrF,eAAO,MAAM,uBAAuB,8BAA8B,CAAC;AAEnE,wDAAwD;AACxD,MAAM,MAAM,iBAAiB,GAAG;IAC9B,wFAAwF;IACxF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qFAAqF;IACrF,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,iBAAsB,GAAG,MAAM,CAyBzE"}
@@ -0,0 +1,13 @@
1
+ /**
2
+ * Default keystore file path, following the XDG Base Directory Specification's
3
+ * data directory. Secret key material is data a user accumulates, so it lives
4
+ * under the data directory, kept separate from the configuration directory used
5
+ * for portable settings.
6
+ *
7
+ * Resolution order:
8
+ * 1. `$XDG_DATA_HOME/btcr2/keystore.json`
9
+ * 2. `%LOCALAPPDATA%/btcr2/keystore.json` (Windows)
10
+ * 3. `~/.local/share/btcr2/keystore.json` (fallback)
11
+ */
12
+ export declare function defaultKeystorePath(): string;
13
+ //# sourceMappingURL=paths.d.ts.map
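Review bot: The `defaultKeystorePath` comment does not say what happens when `$XDG_DATA_HOME` is set but empty or relative. The XDG Base Directory Specification says an empty value falls back to the default and a relative one should be ignored; honouring a relative value would place the keystore under the current working directory. The implementation is outside this file, so this may already be handled; if it is, state it in the resolution list: `* An empty or relative $XDG_DATA_HOME is ignored and the next candidate is used.`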
@@ -0,0 +1 @@
1
+ {"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../../../src/keystore/paths.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAK5C"}
@@ -0,0 +1,19 @@
1
+ import type { KeyIdentifier, KeyManager } from '@did-btcr2/key-manager';
2
+ /**
3
+ * Resolves a user-supplied key reference to a key identifier. Resolution order:
4
+ * 1. No reference: the active key (errors if none is set).
5
+ * 2. Exact URN identifier match.
6
+ * 3. Unique fingerprint-prefix match (against the hex tail of the URN).
7
+ * 4. Unique `name` tag match.
8
+ *
9
+ * Reads only public material (listKeys + getEntry), so resolving a reference
10
+ * never decrypts a secret or prompts for a passphrase.
11
+ *
12
+ * @param kms The key manager to resolve against.
13
+ * @param ref The reference to resolve. When omitted, the active key is used.
14
+ * @returns The resolved key identifier.
15
+ * @throws {CLIError} If no key matches, the reference is ambiguous, or no
16
+ * reference is given and no active key is set.
17
+ */
18
+ export declare function resolveKeyRef(kms: KeyManager, ref?: string): KeyIdentifier;
19
+ //# sourceMappingURL=resolve-key-ref.d.ts.map
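Review bot: Steps 3 and 4 of the `resolveKeyRef` resolution order accept any unique fingerprint prefix and then any unique `name` tag, but the comment gives no minimum prefix length and does not say how a name that is itself a hex string is treated. With only a few keys in the store, a one- or two-character reference can be unique, so a typo resolves to a real key; that matters if the same resolver feeds the export and delete commands, which seems likely but is not shown here. Consider documenting, and enforcing in the implementation, a floor such as `* 3. Unique fingerprint-prefix match of at least <N> hex characters.` and adding one line that a prefix match takes precedence over a name tag.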
@@ -0,0 +1 @@
1
+ {"version":3,"file":"resolve-key-ref.d.ts","sourceRoot":"","sources":["../../../../src/keystore/resolve-key-ref.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAQxE;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,aAAa,CAqC1E"}
@@ -5,11 +5,6 @@ import type { DidResolutionResult } from '@web5/dids';
5
5
  export type NetworkOption = 'bitcoin' | 'testnet3' | 'testnet4' | 'signet' | 'mutinynet' | 'regtest';
6
6
  export type OutputFormat = 'json' | 'text';
7
7
  export declare const SUPPORTED_NETWORKS: NetworkOption[];
8
- export interface CreateCommandOptions {
9
- type: 'k' | 'x';
10
- bytes: string;
11
- network: NetworkOption;
12
- }
13
8
  export interface ResolveCommandOptions {
14
9
  identifier: string;
15
10
  options?: ResolutionOptions;
@@ -24,6 +19,8 @@ export interface UpdateCommandOptions {
24
19
  export type CommandResult = {
25
20
  action: 'create';
26
21
  data: string;
22
+ keyId?: string;
23
+ publicKey?: string;
27
24
  } | {
28
25
  action: 'resolve';
29
26
  data: DidResolutionResult;
@@ -33,6 +30,94 @@ export type CommandResult = {
33
30
  } | {
34
31
  action: 'deactivate';
35
32
  data: SignedBTCR2Update;
33
+ } | {
34
+ action: 'key-generate';
35
+ data: {
36
+ keyId: string;
37
+ publicKey: string;
38
+ active: boolean;
39
+ };
40
+ } | {
41
+ action: 'key-list';
42
+ data: Array<{
43
+ keyId: string;
44
+ fingerprint: string;
45
+ name?: string;
46
+ active: boolean;
47
+ }>;
48
+ } | {
49
+ action: 'key-show';
50
+ data: {
51
+ keyId: string;
52
+ publicKey: string;
53
+ tags?: Record<string, string>;
54
+ };
55
+ } | {
56
+ action: 'key-import';
57
+ data: {
58
+ keyId: string;
59
+ publicKey: string;
60
+ watchOnly: boolean;
61
+ active: boolean;
62
+ };
63
+ } | {
64
+ action: 'key-export';
65
+ data: {
66
+ keyId: string;
67
+ publicKey?: string;
68
+ secretWrittenTo?: string;
69
+ };
70
+ } | {
71
+ action: 'key-delete';
72
+ data: {
73
+ keyId: string;
74
+ deleted: true;
75
+ };
76
+ } | {
77
+ action: 'key-use';
78
+ data: {
79
+ keyId: string;
80
+ active: true;
81
+ };
82
+ } | {
83
+ action: 'config-init';
84
+ data: {
85
+ path: string;
86
+ };
87
+ } | {
88
+ action: 'config-get';
89
+ data: unknown;
90
+ } | {
91
+ action: 'config-set';
92
+ data: {
93
+ path: string;
94
+ };
95
+ } | {
96
+ action: 'config-unset';
97
+ data: {
98
+ path: string;
99
+ };
100
+ } | {
101
+ action: 'config-list';
102
+ data: unknown;
103
+ } | {
104
+ action: 'profile-add';
105
+ data: {
106
+ profile: string;
107
+ };
108
+ } | {
109
+ action: 'profile-use';
110
+ data: {
111
+ profile: string;
112
+ };
113
+ } | {
114
+ action: 'profile-show';
115
+ data: unknown;
116
+ } | {
117
+ action: 'profile-remove';
118
+ data: {
119
+ profile: string;
120
+ };
36
121
  };
37
122
  export interface GlobalOptions {
38
123
  output: OutputFormat;
@@ -45,5 +130,8 @@ export interface GlobalOptions {
45
130
  btcRpcUser?: string;
46
131
  btcRpcPass?: string;
47
132
  casGateway?: string;
133
+ keystore?: string;
134
+ passphraseFile?: string;
135
+ signingKey?: string;
48
136
  }
49
137
  //# sourceMappingURL=types.d.ts.map
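Review bot: In the `CommandResult` union, the new `config-get`, `config-list` and `profile-show` members are typed `data: unknown`, so nothing in the type keeps credential fields out of what the CLI prints. `GlobalOptions` in the same file carries `btcRpcPass`, and if the config file or a profile can store it (not visible here), these results would echo it in JSON or text output. A narrower result type fed by a redaction step would make the intent explicit, for example `data: Record<string, unknown>` with the comment `/** Secret values such as the RPC password are masked before being returned. */`. By contrast, `key-export` already returns only `secretWrittenTo`, a path rather than the key itself.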
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC7E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,QAAQ,GAAG,WAAW,GAAG,SAAS,CAAC;AACrG,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,CAAC;AAE3C,eAAO,MAAM,kBAAkB,EAAE,aAAa,EAE7C,CAAC;AAEF,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAM,GAAG,GAAG,GAAG,CAAC;IACpB,KAAK,EAAK,MAAM,CAAC;IACjB,OAAO,EAAG,aAAa,CAAC;CACzB;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAG,MAAM,CAAC;IACpB,OAAO,CAAC,EAAK,iBAAiB,CAAC;CAChC;AAED,MAAM,WAAW,oBAAoB;IACnC,cAAc,EAAS,gBAAgB,CAAC;IACxC,OAAO,EAAgB,cAAc,EAAE,CAAC;IACxC,eAAe,EAAQ,MAAM,CAAC;IAC9B,oBAAoB,EAAG,MAAM,CAAC;IAC9B,QAAQ,EAAe,MAAM,CAAC;CAC/B;AAED,MAAM,MAAM,aAAa,GACrB;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAClC;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,mBAAmB,CAAA;CAAE,GAChD;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,iBAAiB,CAAA;CAAE,GAC7C;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,iBAAiB,CAAA;CAAE,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAO,YAAY,CAAC;IAC1B,OAAO,EAAM,OAAO,CAAC;IACrB,KAAK,EAAQ,OAAO,CAAC;IACrB,MAAM,CAAC,EAAM,MAAM,CAAC;IACpB,OAAO,CAAC,EAAK,MAAM,CAAC;IACpB,OAAO,CAAC,EAAK,MAAM,CAAC;IACpB,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,KAAK,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAC7E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,QAAQ,GAAG,WAAW,GAAG,SAAS,CAAC;AACrG,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,CAAC;AAE3C,eAAO,MAAM,kBAAkB,EAAE,aAAa,EAE7C,CAAC;AAEF,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAG,MAAM,CAAC;IACpB,OAAO,CAAC,EAAK,iBAAiB,CAAC;CAChC;AAED,MAAM,WAAW,oBAAoB;IACnC,cAAc,EAAS,gBAAgB,CAAC;IACxC,OAAO,EAAgB,cAAc,EAAE,CAAC;IACxC,eAAe,EAAQ,MAAM,CAAC;IAC9B,oBAAoB,EAAG,MAAM,CAAC;IAC9B,QAAQ,EAAe,MAAM,CAAC;CAC/B;AAED,MAAM,MAAM,aAAa,GACrB;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GACtE;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,mBAAmB,CAAA;CAAE,GAChD;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,iBAAiB,CAAA;CAAE,GAC7C;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,iBAAiB,CAAA;CAAE,GACjD;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,GACvF;IAAE,MAAM,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAA;KAAE,CAAC,CAAA;CAAE,GAC3G;IAAE,MAAM,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAA;CAAE,GACjG;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,GACzG;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAC/F;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAChE;IAAE,MAAM,EAAE,
SAAS,CAAC;IAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,IAAI,CAAA;KAAE,CAAA;CAAE,GAC5D;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GACjD;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,GACvC;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAChD;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAClD;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,GACxC;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GACpD;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GACpD;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,GACzC;IAAE,MAAM,EAAE,gBAAgB,CAAC;IAAC,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAC;AAE5D,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAW,YAAY,CAAC;IAC9B,OAAO,EAAU,OAAO,CAAC;IACzB,KAAK,EAAY,OAAO,CAAC;IACzB,MAAM,CAAC,EAAU,MAAM,CAAC;IACxB,OAAO,CAAC,EAAS,MAAM,CAAC;IACxB,OAAO,CAAC,EAAS,MAAM,CAAC;IACxB,SAAS,CAAC,EAAO,MAAM,CAAC;IACxB,UAAU,CAAC,EAAM,MAAM,CAAC;IACxB,UAAU,CAAC,EAAM,MAAM,CAAC;IACxB,UAAU,CAAC,EAAM,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAQ,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAM,MAAM,CAAC;CACzB"}