@fireproof/core-cli 0.24.15 → 0.24.16

package/cmds/device-id-cmd.js

@@ -0,0 +1,762 @@
+import { command, option, string, subcommands, flag } from "cmd-ts";
+import { CertificatePayloadSchema } from "@fireproof/core-types-base";
+import { DeviceIdKey, DeviceIdCSR, DeviceIdCA } from "@fireproof/core-device-id";
+import { getKeyBag } from "@fireproof/core-keybag";
+import { decodeJwt } from "jose";
+import fs from "fs-extra";
+import { Hono } from "hono";
+import { serve } from "@hono/node-server";
+import open from "open";
+import { Future, timeouted, isSuccess, isTimeout, BuildURI, Result, Option, } from "@adviser/cement";
+import { sts } from "@fireproof/core-runtime";
+import { type } from "arktype";
+import { sendMsg, sendProgress } from "../cmd-evento.js";
+function getStdin() {
+    return new Promise((resolve) => {
+        let data = "";
+        process.stdin.setEncoding("utf8");
+        process.stdin.on("readable", () => {
+            let chunk;
+            while ((chunk = process.stdin.read()) !== null) {
+                data += chunk;
+            }
+        });
+        process.stdin.on("end", () => resolve(data));
+    });
+}
+function subjectOptions() {
+    return {
+        commonName: option({
+            long: "common-name",
+            short: "cn",
+            description: "Common Name (required, e.g., 'My Device' or 'device-serial')",
+            type: string,
+        }),
+        organization: option({
+            long: "organization",
+            short: "o",
+            description: "Organization name",
+            type: string,
+            defaultValue: () => "You did not set the Organization",
+        }),
+        locality: option({
+            long: "locality",
+            short: "l",
+            description: "Locality/City",
+            type: string,
+            defaultValue: () => "You did not set the City",
+        }),
+        state: option({
+            long: "state",
+            short: "s",
+            description: "State or Province",
+            type: string,
+            defaultValue: () => "You did not set the State",
+        }),
+        country: option({
+            long: "country",
+            short: "c",
+            description: "Country (2-letter code)",
+            type: string,
+            defaultValue: () => "WD",
+        }),
+    };
+}
+function buildSubject(args) {
+    return {
+        commonName: args.commonName,
+        organization: args.organization,
+        locality: args.locality,
+        stateOrProvinceName: args.state,
+        countryName: args.country,
+    };
+}
+export const ReqDeviceIdCreate = type({
+    type: "'core-cli.device-id-create'",
+    force: "boolean",
+});
+export const ResDeviceIdCreate = type({
+    type: "'core-cli.res-device-id-create'",
+    output: "string",
+});
+export function isResDeviceIdCreate(u) {
+    return !(ResDeviceIdCreate(u) instanceof type.errors);
+}
+export const deviceIdCreateEvento = {
+    hash: "core-cli.device-id-create",
+    validate: (ctx) => {
+        if (!(ReqDeviceIdCreate(ctx.enRequest) instanceof type.errors)) {
+            return Promise.resolve(Result.Ok(Option.Some(ctx.enRequest)));
+        }
+        return Promise.resolve(Result.Ok(Option.None()));
+    },
+    handle: async (ctx) => {
+        const cliCtx = ctx.ctx.getOrThrow("cliCtx");
+        const sthis = cliCtx.sthis;
+        const args = ctx.validated;
+        const keyBag = await getKeyBag(sthis);
+        const existingDeviceIdResult = await keyBag.getDeviceId();
+        if (existingDeviceIdResult.deviceId.IsSome() && !args.force) {
+            const jwk = existingDeviceIdResult.deviceId.unwrap();
+            const deviceIdKey = (await DeviceIdKey.createFromJWK(jwk)).unwrap();
+            const fingerprint = await deviceIdKey.fingerPrint();
+            return sendMsg(ctx, {
+                type: "core-cli.res-device-id-create",
+                output: `Existing Device ID Fingerprint: ${fingerprint}`,
+            });
+        }
+        const deviceIdKey = await DeviceIdKey.create();
+        const jwkPrivate = await deviceIdKey.exportPrivateJWK();
+        await keyBag.setDeviceId(jwkPrivate);
+        const fingerprint = await deviceIdKey.fingerPrint();
+        const lines = [
+            `Created Device ID Fingerprint: ${fingerprint}`,
+            "To generate a Certificate Signing Request (CSR), run: core-cli deviceId csr",
+            "To export the public and private keys, run: core-cli deviceId export",
+        ];
+        return sendMsg(ctx, {
+            type: "core-cli.res-device-id-create",
+            output: lines.join("\n"),
+        });
+    },
+};
+export const ReqDeviceIdCsr = type({
+    type: "'core-cli.device-id-csr'",
+    commonName: "string",
+    organization: "string",
+    locality: "string",
+    state: "string",
+    country: "string",
+});
+export const ResDeviceIdCsr = type({
+    type: "'core-cli.res-device-id-csr'",
+    output: "string",
+});
+export function isResDeviceIdCsr(u) {
+    return !(ResDeviceIdCsr(u) instanceof type.errors);
+}
+export const deviceIdCsrEvento = {
+    hash: "core-cli.device-id-csr",
+    validate: (ctx) => {
+        if (!(ReqDeviceIdCsr(ctx.enRequest) instanceof type.errors)) {
+            return Promise.resolve(Result.Ok(Option.Some(ctx.enRequest)));
+        }
+        return Promise.resolve(Result.Ok(Option.None()));
+    },
+    handle: async (ctx) => {
+        const cliCtx = ctx.ctx.getOrThrow("cliCtx");
+        const sthis = cliCtx.sthis;
+        const args = ctx.validated;
+        const keyBag = await getKeyBag(sthis);
+        const existingDeviceIdResult = await keyBag.getDeviceId();
+        if (existingDeviceIdResult.deviceId.IsNone()) {
+            return Result.Err("No Device ID found. Please create one using 'core-cli deviceId create' first.");
+        }
+        const jwkPrivate = existingDeviceIdResult.deviceId.unwrap();
+        const createResult = await DeviceIdKey.createFromJWK(jwkPrivate);
+        if (createResult.isErr()) {
+            return Result.Err(`Error loading existing device ID: ${createResult.Err()}`);
+        }
+        const deviceIdKey = createResult.Ok();
+        const deviceIdCSR = new DeviceIdCSR(sthis, deviceIdKey);
+        const subject = buildSubject(args);
+        const csrResult = await deviceIdCSR.createCSR(subject);
+        if (csrResult.isErr()) {
+            return Result.Err(`Failed to generate CSR: ${csrResult.Err()}`);
+        }
+        const lines = [
+            "\n--- Certificate Signing Request (CSR) ---",
+            csrResult.Ok(),
+            "---\n",
+            "Please send the above CSR to your Certificate Authority (CA) to get a signed certificate.",
+            "Once you receive the certificate, you can use a future command to import it.",
+        ];
+        return sendMsg(ctx, {
+            type: "core-cli.res-device-id-csr",
+            output: lines.join("\n"),
+        });
+    },
+};
+export const ReqDeviceIdExport = type({
+    type: "'core-cli.device-id-export'",
+    private: "boolean",
+    json: "boolean",
+    public: "boolean",
+    cert: "boolean",
+});
+export const ResDeviceIdExport = type({
+    type: "'core-cli.res-device-id-export'",
+    output: "string",
+});
+export function isResDeviceIdExport(u) {
+    return !(ResDeviceIdExport(u) instanceof type.errors);
+}
+export const deviceIdExportEvento = {
+    hash: "core-cli.device-id-export",
+    validate: (ctx) => {
+        if (!(ReqDeviceIdExport(ctx.enRequest) instanceof type.errors)) {
+            return Promise.resolve(Result.Ok(Option.Some(ctx.enRequest)));
+        }
+        return Promise.resolve(Result.Ok(Option.None()));
+    },
+    handle: async (ctx) => {
+        const cliCtx = ctx.ctx.getOrThrow("cliCtx");
+        const sthis = cliCtx.sthis;
+        const args = ctx.validated;
+        const keyBag = await getKeyBag(sthis);
+        const existingDeviceIdResult = await keyBag.getDeviceId();
+        if (existingDeviceIdResult.deviceId.IsNone()) {
+            return Result.Err("No Device ID found. Please create one using 'core-cli deviceId create' first.");
+        }
+        const jwkPrivate = existingDeviceIdResult.deviceId.unwrap();
+        const createResult = await DeviceIdKey.createFromJWK(jwkPrivate);
+        if (createResult.isErr()) {
+            return Result.Err(`Error loading device ID: ${createResult.Err()}`);
+        }
+        const deviceIdKey = createResult.Ok();
+        let publicKey;
+        let privateKey;
+        let certificate;
+        const exportPublic = args.public || (!args.private && !args.cert);
+        const exportPrivate = args.private;
+        const exportCert = args.cert || (!args.private && !args.public && !args.cert);
+        if (exportPublic) {
+            publicKey = await deviceIdKey.publicKey();
+        }
+        if (exportPrivate) {
+            privateKey = await deviceIdKey.exportPrivateJWK();
+        }
+        if (exportCert && existingDeviceIdResult.cert.IsSome()) {
+            certificate = existingDeviceIdResult.cert.unwrap();
+        }
+        else if (args.cert && existingDeviceIdResult.cert.IsNone()) {
+            return Result.Err("No certificate found for this Device ID.");
+        }
+        let output;
+        if (args.json) {
+            const outputObject = {};
+            if (publicKey)
+                outputObject.publicKey = publicKey;
+            if (privateKey)
+                outputObject.privateKey = privateKey;
+            if (certificate)
+                outputObject.certificate = certificate.certificateJWT;
+            output = JSON.stringify(outputObject);
+        }
+        else {
+            const lines = [];
+            lines.push("--- Device ID Export ---");
+            const fingerprint = await deviceIdKey.fingerPrint();
+            lines.push(`Fingerprint: ${fingerprint}`);
+            if (publicKey) {
+                lines.push("\nPublic Key (JWK):");
+                lines.push(JSON.stringify(publicKey, null, 2));
+            }
+            if (privateKey) {
+                lines.push("\nPrivate Key (JWK):");
+                lines.push(JSON.stringify(privateKey, null, 2));
+            }
+            if (certificate) {
+                lines.push("\nCertificate (JWT):");
+                lines.push(certificate.certificateJWT);
+            }
+            lines.push("---\n");
+            output = lines.join("\n");
+        }
+        return sendMsg(ctx, {
+            type: "core-cli.res-device-id-export",
+            output,
+        });
+    },
+};
+export const ReqDeviceIdCert = type({
+    type: "'core-cli.device-id-cert'",
+    file: "string",
+});
+export const ResDeviceIdCert = type({
+    type: "'core-cli.res-device-id-cert'",
+    output: "string",
+});
+export function isResDeviceIdCert(u) {
+    return !(ResDeviceIdCert(u) instanceof type.errors);
+}
+export const deviceIdCertEvento = {
+    hash: "core-cli.device-id-cert",
+    validate: (ctx) => {
+        if (!(ReqDeviceIdCert(ctx.enRequest) instanceof type.errors)) {
+            return Promise.resolve(Result.Ok(Option.Some(ctx.enRequest)));
+        }
+        return Promise.resolve(Result.Ok(Option.None()));
+    },
+    handle: async (ctx) => {
+        const cliCtx = ctx.ctx.getOrThrow("cliCtx");
+        const sthis = cliCtx.sthis;
+        const args = ctx.validated;
+        const keyBag = await getKeyBag(sthis);
+        const existingDeviceIdResult = await keyBag.getDeviceId();
+        if (existingDeviceIdResult.deviceId.IsNone()) {
+            return Result.Err("No Device ID found. Please create one using 'core-cli deviceId create' first.");
+        }
+        const jwkPrivate = existingDeviceIdResult.deviceId.unwrap();
+        let certificateContent;
+        const lines = [];
+        if (args.file) {
+            certificateContent = await fs.readFile(args.file, "utf8");
+            lines.push(`Certificate read from ${args.file}`);
+        }
+        else {
+            console.log("Waiting for certificate content from stdin (Ctrl+D to finish):");
+            certificateContent = await getStdin();
+            lines.push("Certificate read from stdin.");
+        }
+        const decoded = decodeJwt(certificateContent);
+        const certPayload = CertificatePayloadSchema.parse(decoded);
+        const certToStore = {
+            certificateJWT: certificateContent,
+            certificatePayload: certPayload,
+        };
+        await keyBag.setDeviceId(jwkPrivate, certToStore);
+        lines.push("Certificate successfully stored with the Device ID.");
+        return sendMsg(ctx, {
+            type: "core-cli.res-device-id-cert",
+            output: lines.join("\n"),
+        });
+    },
+};
+export const ReqDeviceIdCaCert = type({
+    type: "'core-cli.device-id-ca-cert'",
+    commonName: "string",
+    organization: "string",
+    locality: "string",
+    state: "string",
+    country: "string",
+    keyFile: "string",
+    outputKey: "string",
+    outputCert: "string",
+    json: "boolean",
+    envVars: "boolean",
+});
+export const ResDeviceIdCaCert = type({
+    type: "'core-cli.res-device-id-ca-cert'",
+    output: "string",
+});
+export function isResDeviceIdCaCert(u) {
+    return !(ResDeviceIdCaCert(u) instanceof type.errors);
+}
+export const deviceIdCaCertEvento = {
+    hash: "core-cli.device-id-ca-cert",
+    validate: (ctx) => {
+        if (!(ReqDeviceIdCaCert(ctx.enRequest) instanceof type.errors)) {
+            return Promise.resolve(Result.Ok(Option.Some(ctx.enRequest)));
+        }
+        return Promise.resolve(Result.Ok(Option.None()));
+    },
+    handle: async (ctx) => {
+        const cliCtx = ctx.ctx.getOrThrow("cliCtx");
+        const sthis = cliCtx.sthis;
+        const args = ctx.validated;
+        const progress = async (message) => {
+            if (!args.json && !args.envVars) {
+                await sendProgress(ctx, "info", message);
+            }
+        };
+        let caKey;
+        let jwkPrivate;
+        if (args.keyFile) {
+            const keyContent = await fs.readFile(args.keyFile, "utf8");
+            jwkPrivate = JSON.parse(keyContent);
+            const keyResult = await DeviceIdKey.createFromJWK(jwkPrivate);
+            if (keyResult.isErr()) {
+                return Result.Err(`Error loading private key from file: ${keyResult.Err()}`);
+            }
+            caKey = keyResult.Ok();
+            await progress(`Loaded private key from ${args.keyFile}`);
+        }
+        else {
+            caKey = await DeviceIdKey.create();
+            jwkPrivate = await caKey.exportPrivateJWK();
+            await progress("Generated new CA private key");
+            if (args.outputKey) {
+                await fs.writeFile(args.outputKey, JSON.stringify(jwkPrivate, null, 2), "utf8");
+                await progress(`Private key saved to ${args.outputKey}`);
+            }
+        }
+        const caSubject = buildSubject(args);
+        const deviceCA = new DeviceIdCA({
+            base64: sthis.txt.base64,
+            caKey,
+            caSubject,
+            actions: {
+                generateSerialNumber: async () => sthis.nextId(32).str,
+            },
+        });
+        const issueCertResult = await deviceCA.issueCertificate({
+            csr: {
+                subject: caSubject,
+                publicKey: await caKey.publicKey(),
+                extensions: {
+                    keyUsage: ["digitalSignature", "keyCertSign", "cRLSign"],
+                    extendedKeyUsage: [],
+                },
+            },
+        });
+        if (issueCertResult.isErr()) {
+            return Result.Err(`Error issuing CA certificate: ${issueCertResult.Err()}`);
+        }
+        const certificateJWT = issueCertResult.Ok().certificateJWT;
+        let output;
+        if (args.envVars) {
+            const lines = [`DEVICE_ID_CA_PRIV_KEY=${await sts.jwk2env(jwkPrivate)}`, `DEVICE_ID_CA_CERT=${certificateJWT}`];
+            output = lines.join("\n");
+        }
+        else if (args.json) {
+            const jsonOutput = {
+                privateKey: jwkPrivate,
+                signedCert: certificateJWT,
+            };
+            output = JSON.stringify(jsonOutput, null, 2);
+        }
+        else {
+            const lines = [];
+            lines.push("\n--- CA Private Key (JWK) ---");
+            lines.push(JSON.stringify(jwkPrivate, null, 2));
+            lines.push("---\n");
+            lines.push("\n--- CA Certificate (JWT) ---");
+            lines.push(certificateJWT);
+            lines.push("---\n");
+            lines.push("\nCA Certificate Details:");
+            lines.push(`  Common Name: ${caSubject.commonName}`);
+            lines.push(`  Organization: ${caSubject.organization}`);
+            lines.push(`  Locality: ${caSubject.locality}`);
+            lines.push(`  State: ${caSubject.stateOrProvinceName}`);
+            lines.push(`  Country: ${caSubject.countryName}`);
+            const fingerprint = await caKey.fingerPrint();
+            lines.push(`  Key Fingerprint: ${fingerprint}`);
+            if (args.outputKey) {
+                lines.push(`\n✓ Private key saved to ${args.outputKey}`);
+            }
+            if (args.outputCert) {
+                await fs.writeFile(args.outputCert, certificateJWT, "utf8");
+                lines.push(`✓ Certificate saved to ${args.outputCert}`);
+            }
+            if (!args.outputKey && !args.keyFile) {
+                lines.push("\n⚠️  Warning: Private key was not saved to a file. Consider using --output-key to save it.");
+            }
+            output = lines.join("\n");
+        }
+        return sendMsg(ctx, {
+            type: "core-cli.res-device-id-ca-cert",
+            output,
+        });
+    },
+};
+export const ReqDeviceIdRegister = type({
+    type: "'core-cli.device-id-register'",
+    commonName: "string",
+    organization: "string",
+    locality: "string",
+    state: "string",
+    country: "string",
+    caUrl: "string",
+    port: "string",
+    timeout: "string",
+    forceRenew: "boolean",
+});
+export const ResDeviceIdRegister = type({
+    type: "'core-cli.res-device-id-register'",
+    output: "string",
+});
+export function isResDeviceIdRegister(u) {
+    return !(ResDeviceIdRegister(u) instanceof type.errors);
+}
+export const deviceIdRegisterEvento = {
+    hash: "core-cli.device-id-register",
+    validate: (ctx) => {
+        if (!(ReqDeviceIdRegister(ctx.enRequest) instanceof type.errors)) {
+            return Promise.resolve(Result.Ok(Option.Some(ctx.enRequest)));
+        }
+        return Promise.resolve(Result.Ok(Option.None()));
+    },
+    handle: async (ctx) => {
+        const cliCtx = ctx.ctx.getOrThrow("cliCtx");
+        const sthis = cliCtx.sthis;
+        const args = ctx.validated;
+        const keyBag = await getKeyBag(sthis);
+        const existingDeviceIdResult = await keyBag.getDeviceId();
+        if (existingDeviceIdResult.cert.IsSome() && !args.forceRenew) {
+            const jwk = existingDeviceIdResult.deviceId.unwrap();
+            const deviceIdKey = (await DeviceIdKey.createFromJWK(jwk)).unwrap();
+            const fingerprint = await deviceIdKey.fingerPrint();
+            return sendMsg(ctx, {
+                type: "core-cli.res-device-id-register",
+                output: [
+                    "Device already has a certificate. Registration not needed.",
+                    "Use --force-renew to renew the certificate.",
+                    `Existing Device ID Fingerprint: ${fingerprint}`,
+                ].join("\n"),
+            });
+        }
+        if (args.forceRenew && existingDeviceIdResult.cert.IsSome()) {
+            await sendProgress(ctx, "info", "Force renewing certificate...");
+        }
+        let deviceIdKey;
+        if (existingDeviceIdResult.deviceId.IsNone()) {
+            await sendProgress(ctx, "info", "Creating new device ID key pair...");
+            deviceIdKey = await DeviceIdKey.create();
+            const jwkPrivate = await deviceIdKey.exportPrivateJWK();
+            await keyBag.setDeviceId(jwkPrivate);
+            const fingerprint = await deviceIdKey.fingerPrint();
+            await sendProgress(ctx, "info", `Created Device ID Fingerprint: ${fingerprint}`);
+        }
+        else {
+            await sendProgress(ctx, "info", "Using existing device ID key...");
+            const jwkPrivate = existingDeviceIdResult.deviceId.unwrap();
+            const createResult = await DeviceIdKey.createFromJWK(jwkPrivate);
+            if (createResult.isErr()) {
+                return Result.Err(`Error loading existing device ID: ${createResult.Err()}`);
+            }
+            deviceIdKey = createResult.Ok();
+            const fingerprint = await deviceIdKey.fingerPrint();
+            await sendProgress(ctx, "info", `Device ID Fingerprint: ${fingerprint}`);
+        }
+        await sendProgress(ctx, "info", "Generating Certificate Signing Request (CSR)...");
+        const deviceIdCSR = new DeviceIdCSR(sthis, deviceIdKey);
+        const subject = buildSubject(args);
+        const csrResult = await deviceIdCSR.createCSR(subject);
+        if (csrResult.isErr()) {
+            return Result.Err(`Failed to generate CSR: ${csrResult.Err()}`);
+        }
+        const csrJWS = csrResult.Ok();
+        await sendProgress(ctx, "info", "CSR generated successfully.");
+        const certFuture = new Future();
+        const app = new Hono();
+        let serverInstance = null;
+        app.get("/cert", (c) => {
+            const cert = c.req.query("cert");
+            if (!cert) {
+                certFuture.reject(new Error("Missing cert parameter"));
+                return c.text("Missing cert parameter", 400);
+            }
+            void sendProgress(ctx, "info", "\nCertificate received from CA!");
+            certFuture.resolve(cert);
+            return c.text("Certificate received successfully. You can close this window.");
+        });
+        const port = args.port ? parseInt(args.port, 10) : Math.floor(Math.random() * (65535 - 49152) + 49152);
+        const callbackUrl = `http://localhost:${port}/cert`;
+        await sendProgress(ctx, "info", `Starting local server on port ${port}...`);
+        serverInstance = serve({
+            fetch: app.fetch,
+            port,
+        });
+        const caUri = BuildURI.from(args.caUrl).setParam("csr", csrJWS).setParam("returnUrl", callbackUrl);
+        const caUrlWithParams = caUri.toString();
+        await sendProgress(ctx, "info", "\nOpening browser to CA for certificate signing...");
+        await sendProgress(ctx, "info", `URL: ${caUrlWithParams}\n`);
+        try {
+            await open(caUrlWithParams);
+        }
+        catch (error) {
+            await sendProgress(ctx, "warn", "Could not automatically open browser. Please open this URL manually:");
+            await sendProgress(ctx, "warn", caUrlWithParams);
+        }
+        await sendProgress(ctx, "info", "Waiting for certificate from CA...");
+        await sendProgress(ctx, "info", "(The browser should redirect back to this application after signing)\n");
+        const timeoutMs = parseInt(args.timeout, 10) * 1000;
+        const result = await timeouted(certFuture.asPromise(), { timeout: timeoutMs });
+        if (serverInstance) {
+            serverInstance.close();
+        }
+        if (!isSuccess(result)) {
+            if (isTimeout(result)) {
+                return Result.Err(`Timeout waiting for certificate from CA (${args.timeout}s).`);
+            }
+            else {
+                return Result.Err(`Failed to receive certificate: ${result.state === "error" ? result.error : result}`);
+            }
+        }
+        const receivedCert = result.value;
+        await sendProgress(ctx, "info", "Storing certificate...");
+        const decoded = decodeJwt(receivedCert);
+        const certPayload = CertificatePayloadSchema.parse(decoded);
+        const jwkPrivate = await deviceIdKey.exportPrivateJWK();
+        const certToStore = {
+            certificateJWT: receivedCert,
+            certificatePayload: certPayload,
+        };
+        await keyBag.setDeviceId(jwkPrivate, certToStore);
+        const fingerprint = await deviceIdKey.fingerPrint();
+        return sendMsg(ctx, {
+            type: "core-cli.res-device-id-register",
+            output: [
+                "\n✓ Registration complete! Certificate successfully stored with Device ID.",
+                `Device ID Fingerprint: ${fingerprint}`,
+            ].join("\n"),
+        });
+    },
+};
+export function deviceIdCmd(ctx) {
+    const createCmd = command({
+        name: "create",
+        description: "Generate a new device ID key pair and store it.",
+        args: {
+            force: flag({
+                long: "force",
+                short: "f",
+                description: "Force creation of a new device ID, overwriting any existing one.",
+            }),
+        },
+        handler: ctx.cliStream.enqueue((args) => {
+            return {
+                type: "core-cli.device-id-create",
+                ...args,
+            };
+        }),
+    });
+    const csrCmd = command({
+        name: "csr",
+        description: "Generate a Certificate Signing Request (CSR) for the current device ID.",
+        args: subjectOptions(),
+        handler: ctx.cliStream.enqueue((args) => {
+            return {
+                type: "core-cli.device-id-csr",
+                ...args,
+            };
+        }),
+    });
+    const exportCmd = command({
+        name: "export",
+        description: "Export the public and private parts of the current device ID.",
+        args: {
+            private: flag({
+                long: "private",
+                short: "p",
+                description: "Export only the private key. Use with caution!",
+            }),
+            json: flag({
+                long: "json",
+                description: "Output in single-line JSON format.",
+            }),
+            public: flag({
+                long: "public",
+                description: "Export only the public key. Default if no other flags specified for key type.",
+            }),
+            cert: flag({
+                long: "cert",
+                description: "Export the certificate if available.",
+            }),
+        },
+        handler: ctx.cliStream.enqueue((args) => {
+            return {
+                type: "core-cli.device-id-export",
+                ...args,
+            };
+        }),
+    });
+    const certCmd = command({
+        name: "cert",
+        description: "Import and store a signed certificate for the current device ID.",
+        args: {
+            file: option({
+                long: "file",
+                short: "f",
+                description: "Path to the certificate file. If not provided, reads from stdin.",
+                type: string,
+                defaultValue: () => "",
+            }),
+        },
+        handler: ctx.cliStream.enqueue((args) => {
+            return {
+                type: "core-cli.device-id-cert",
+                ...args,
+            };
+        }),
+    });
+    const caCertCmd = command({
+        name: "ca-cert",
+        description: "Create a self-signed CA certificate for use in DeviceIdCA.",
+        args: {
+            ...subjectOptions(),
+            keyFile: option({
+                long: "key-file",
+                short: "k",
+                description: "Path to existing private key file (JWK format). If not provided, a new key will be generated.",
+                type: string,
+                defaultValue: () => "",
+            }),
+            outputKey: option({
+                long: "output-key",
+                description: "Path to save the private key (JWK format). Only used when generating a new key.",
+                type: string,
+                defaultValue: () => "",
+            }),
+            outputCert: option({
+                long: "output-cert",
+                description: "Path to save the certificate (JWT format). If not provided, outputs to stdout.",
+                type: string,
+                defaultValue: () => "",
+            }),
+            json: flag({
+                long: "json",
+                description: "Output in JSON format with both privateKey and signedCert.",
+            }),
+            envVars: flag({
+                long: "envVars",
+                description: "Output as environment variables (DEVICE_ID_CA_PRIV_KEY and DEVICE_ID_CA_CERT).",
+            }),
+        },
+        handler: ctx.cliStream.enqueue((args) => {
+            return {
+                type: "core-cli.device-id-ca-cert",
+                ...args,
+            };
+        }),
+    });
+    const registerCmd = command({
+        name: "register",
+        description: "Register device by creating key pair, generating CSR, and obtaining certificate from CA.",
+        args: {
+            ...subjectOptions(),
+            caUrl: option({
+                long: "ca-url",
+                description: "CA URL to open in browser for certificate signing",
+                type: string,
+                defaultValue: () => "http://localhost:7370/fp/cloud/csr2cert",
+            }),
+            port: option({
+                long: "port",
+                description: "Local port for callback server (random port if not specified)",
+                type: string,
+                defaultValue: () => "",
+            }),
+            timeout: option({
+                long: "timeout",
+                description: "Timeout in seconds to wait for certificate from CA",
+                type: string,
+                defaultValue: () => "60",
+            }),
+            forceRenew: flag({
+                long: "force-renew",
+                description: "Force certificate renewal even if one already exists",
+            }),
+        },
+        handler: ctx.cliStream.enqueue((args) => {
+            return {
+                type: "core-cli.device-id-register",
+                ...args,
+            };
+        }),
+    });
+    return subcommands({
+        name: "device-id",
+        description: "Manage device identities.",
+        cmds: {
+            create: createCmd,
+            csr: csrCmd,
+            export: exportCmd,
+            cert: certCmd,
+            "ca-cert": caCertCmd,
+            register: registerCmd,
+        },
+    });
+}
+//# sourceMappingURL=device-id-cmd.js.map