@huitl/sdk 0.1.0 → 0.2.0

package/README.md

@@ -22,17 +22,19 @@ For questions, partnerships, or enterprise inquiries: [seva@huitlprotocol.com](m
 
 ## Try It Now
 
-No chips, no hardware, no setup. Just run:
+No chips, no hardware, no setup:
 
 ```bash
-npx huitl verify "https://huitlprotocol.com/tap?picc_data=2C309D265CFFD369A4B62C6B9F40B669&cmac=6A6595D519DF58BF" --key 00000000000000000000000000000000
+npm install -g @huitl/sdk
+
+huitl verify "https://huitlprotocol.com/tap?picc_data=2C309D265CFFD369A4B62C6B9F40B669&cmac=6A6595D519DF58BF" --key 00000000000000000000000000000000
 ```
 
 ```json
 { "valid": true, "uid": "04112233445566", "readCounter": 42 }
 ```
 
-That's a real cryptographic verification — the same math that runs on every NFC tap. The URL contains an encrypted chip identity and a one-time signature. The SDK decrypts, derives a session key, and validates the CMAC. All in one command.
+That's a real cryptographic verification — the same math that runs on every NFC tap. The URL contains an encrypted chip identity and a one-time signature. The SDK decrypts, derives a session key, and validates the CMAC.
 
 ## Installation
 

package/dist/cli.cjs

@@ -1156,8 +1156,8 @@ var require_command = __commonJS({
     "use strict";
     var EventEmitter = require("events").EventEmitter;
     var childProcess = require("child_process");
-    var path3 = require("path");
-    var fs2 = require("fs");
+    var path4 = require("path");
+    var fs3 = require("fs");
     var process2 = require("process");
     var { Argument: Argument2, humanReadableArgName } = require_argument();
     var { CommanderError: CommanderError2 } = require_error();
@@ -2138,7 +2138,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
        * @param {string} subcommandName
        */
       _checkForMissingExecutable(executableFile, executableDir, subcommandName) {
-        if (fs2.existsSync(executableFile)) return;
+        if (fs3.existsSync(executableFile)) return;
         const executableDirMessage = executableDir ? `searched for local subcommand relative to directory '${executableDir}'` : "no directory for search for local subcommand, use .executableDir() to supply a custom directory";
         const executableMissing = `'${executableFile}' does not exist
  - if '${subcommandName}' is not meant to be an executable command, remove description parameter from '.command()' and use '.description()' instead
@@ -2156,11 +2156,11 @@ Expecting one of '${allowedValues.join("', '")}'`);
         let launchWithNode = false;
         const sourceExt = [".js", ".ts", ".tsx", ".mjs", ".cjs"];
         function findFile(baseDir, baseName) {
-          const localBin = path3.resolve(baseDir, baseName);
-          if (fs2.existsSync(localBin)) return localBin;
-          if (sourceExt.includes(path3.extname(baseName))) return void 0;
+          const localBin = path4.resolve(baseDir, baseName);
+          if (fs3.existsSync(localBin)) return localBin;
+          if (sourceExt.includes(path4.extname(baseName))) return void 0;
           const foundExt = sourceExt.find(
-            (ext) => fs2.existsSync(`${localBin}${ext}`)
+            (ext) => fs3.existsSync(`${localBin}${ext}`)
           );
           if (foundExt) return `${localBin}${foundExt}`;
           return void 0;
@@ -2172,21 +2172,21 @@ Expecting one of '${allowedValues.join("', '")}'`);
         if (this._scriptPath) {
           let resolvedScriptPath;
           try {
-            resolvedScriptPath = fs2.realpathSync(this._scriptPath);
+            resolvedScriptPath = fs3.realpathSync(this._scriptPath);
           } catch {
             resolvedScriptPath = this._scriptPath;
           }
-          executableDir = path3.resolve(
-            path3.dirname(resolvedScriptPath),
+          executableDir = path4.resolve(
+            path4.dirname(resolvedScriptPath),
             executableDir
           );
         }
         if (executableDir) {
           let localFile = findFile(executableDir, executableFile);
           if (!localFile && !subcommand._executableFile && this._scriptPath) {
-            const legacyName = path3.basename(
+            const legacyName = path4.basename(
               this._scriptPath,
-              path3.extname(this._scriptPath)
+              path4.extname(this._scriptPath)
             );
             if (legacyName !== this._name) {
               localFile = findFile(
@@ -2197,7 +2197,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
           }
           executableFile = localFile || executableFile;
         }
-        launchWithNode = sourceExt.includes(path3.extname(executableFile));
+        launchWithNode = sourceExt.includes(path4.extname(executableFile));
         let proc;
         if (process2.platform !== "win32") {
           if (launchWithNode) {
@@ -3044,7 +3044,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
        * @return {Command}
        */
       nameFromFilename(filename) {
-        this._name = path3.basename(filename, path3.extname(filename));
+        this._name = path4.basename(filename, path4.extname(filename));
         return this;
       }
       /**
@@ -3058,9 +3058,9 @@ Expecting one of '${allowedValues.join("', '")}'`);
        * @param {string} [path]
        * @return {(string|null|Command)}
        */
-      executableDir(path4) {
-        if (path4 === void 0) return this._executableDir;
-        this._executableDir = path4;
+      executableDir(path5) {
+        if (path5 === void 0) return this._executableDir;
+        this._executableDir = path5;
         return this;
       }
       /**
@@ -3713,6 +3713,380 @@ var init_app = __esm({
   }
 });
 
+// src/cli/commands/login.ts
+var login_exports = {};
+__export(login_exports, {
+  getApiKey: () => getApiKey,
+  registerLogin: () => registerLogin,
+  saveApiKey: () => saveApiKey
+});
+function getApiKey() {
+  try {
+    const config = JSON.parse(import_fs2.default.readFileSync(CONFIG_FILE, "utf-8"));
+    return config.apiKey ?? null;
+  } catch {
+    return null;
+  }
+}
+function saveApiKey(apiKey) {
+  if (!import_fs2.default.existsSync(CONFIG_DIR)) import_fs2.default.mkdirSync(CONFIG_DIR, { recursive: true });
+  import_fs2.default.writeFileSync(CONFIG_FILE, JSON.stringify({ apiKey }, null, 2));
+}
+function registerLogin(program3) {
+  program3.command("login").description("Authenticate with HUITL Cloud").option("--api-key <key>", "Set API key directly").action((opts) => {
+    if (opts.apiKey) {
+      saveApiKey(opts.apiKey);
+      console.log("API key saved. You can now use huitl provision.");
+      return;
+    }
+    console.log("To get an API key:");
+    console.log("  1. Visit https://huitl-cloud.vercel.app/api/auth/google");
+    console.log("  2. Sign in with Google");
+    console.log("  3. Copy your API key");
+    console.log("  4. Run: huitl login --api-key <your-key>");
+  });
+}
+var import_fs2, import_path3, import_os, CONFIG_DIR, CONFIG_FILE;
+var init_login = __esm({
+  "src/cli/commands/login.ts"() {
+    "use strict";
+    import_fs2 = __toESM(require("fs"), 1);
+    import_path3 = __toESM(require("path"), 1);
+    import_os = __toESM(require("os"), 1);
+    CONFIG_DIR = import_path3.default.join(import_os.default.homedir(), ".huitl");
+    CONFIG_FILE = import_path3.default.join(CONFIG_DIR, "config.json");
+  }
+});
+
+// src/cloud/client.ts
+var client_exports = {};
+__export(client_exports, {
+  HuitlCloudClient: () => HuitlCloudClient
+});
+var DEFAULT_BASE_URL, HuitlCloudClient;
+var init_client = __esm({
+  "src/cloud/client.ts"() {
+    "use strict";
+    DEFAULT_BASE_URL = "https://huitl-cloud.vercel.app";
+    HuitlCloudClient = class {
+      apiKey;
+      baseUrl;
+      constructor(config) {
+        this.apiKey = config.apiKey;
+        this.baseUrl = config.baseUrl ?? DEFAULT_BASE_URL;
+      }
+      async request(path4, options = {}) {
+        const resp = await fetch(`${this.baseUrl}/api${path4}`, {
+          ...options,
+          headers: {
+            Authorization: `Bearer ${this.apiKey}`,
+            "Content-Type": "application/json",
+            ...options.headers
+          }
+        });
+        const data = await resp.json();
+        if (!resp.ok) throw new Error(data.error || data.message || `API error: ${resp.status}`);
+        return data;
+      }
+      async provision(name) {
+        return this.request("/v1/provision", {
+          method: "POST",
+          body: JSON.stringify({ name })
+        });
+      }
+      async registerUid(chipId, uid) {
+        await this.request("/v1/chips", {
+          method: "PATCH",
+          body: JSON.stringify({ chipId, uid })
+        });
+      }
+      async listChips() {
+        return this.request("/v1/chips");
+      }
+      async me() {
+        return this.request("/v1/me");
+      }
+    };
+  }
+});
+
+// src/nfc/reader.ts
+var reader_exports = {};
+__export(reader_exports, {
+  waitForCard: () => waitForCard
+});
+function loadNfcPcsc() {
+  try {
+    return require("nfc-pcsc");
+  } catch {
+    console.error(
+      "Error: nfc-pcsc is required for chip provisioning.\nInstall it with: npm install nfc-pcsc\n\nYou also need a PC/SC compatible NFC reader (e.g. ACR122U).\nOn macOS, PC/SC is built-in. On Linux, install pcscd:\n  sudo apt install pcscd"
+    );
+    process.exit(1);
+  }
+}
+function waitForCard() {
+  return new Promise((resolve, reject) => {
+    const { NFC } = loadNfcPcsc();
+    const nfc = new NFC();
+    nfc.on("reader", (reader) => {
+      console.log(`Reader found: ${reader.name}`);
+      reader.aid = "D2760000850101";
+      reader.on("card", async (card) => {
+        let uid = card.uid?.toUpperCase() || "";
+        if (!uid || uid.length < 14) {
+          try {
+            const getUid = Buffer.from([255, 202, 0, 0, 0]);
+            const resp = await reader.transmit(getUid, 64);
+            if (resp.length >= 9 && resp[resp.length - 2] === 144) {
+              uid = resp.subarray(0, 7).toString("hex").toUpperCase();
+            }
+          } catch {
+          }
+        }
+        resolve({ uid, reader });
+      });
+      reader.on("error", (err) => reject(err));
+    });
+    nfc.on("error", (err) => {
+      reject(new Error(`NFC error: ${err.message}. Make sure your reader is connected.`));
+    });
+  });
+}
+var init_reader = __esm({
+  "src/nfc/reader.ts"() {
+    "use strict";
+  }
+});
+
+// src/nfc/ntag424.ts
+var ntag424_exports = {};
+__export(ntag424_exports, {
+  authenticateEV2First: () => authenticateEV2First,
+  buildApdu: () => buildApdu,
+  buildNdefUrl: () => buildNdefUrl,
+  calcSessionMac: () => calcSessionMac,
+  calculateOffsets: () => calculateOffsets,
+  changeFileSettings: () => changeFileSettings,
+  changeKey2: () => changeKey2,
+  checkSW: () => checkSW,
+  crc32: () => crc32,
+  deriveAuthSessionKeys: () => deriveAuthSessionKeys,
+  encryptSessionData: () => encryptSessionData,
+  rotateLeft: () => rotateLeft,
+  sendCommand: () => sendCommand,
+  writeNdef: () => writeNdef
+});
+function buildApdu(ins, p1, p2, data) {
+  if (data && data.length > 0) {
+    const apdu2 = Buffer.alloc(5 + data.length + 1);
+    apdu2[0] = 144;
+    apdu2[1] = ins;
+    apdu2[2] = p1;
+    apdu2[3] = p2;
+    apdu2[4] = data.length;
+    data.copy(apdu2, 5);
+    apdu2[5 + data.length] = 0;
+    return apdu2;
+  }
+  const apdu = Buffer.alloc(5);
+  apdu[0] = 144;
+  apdu[1] = ins;
+  apdu[2] = p1;
+  apdu[3] = p2;
+  apdu[4] = 0;
+  return apdu;
+}
+function checkSW(resp, label) {
+  const sw1 = resp[resp.length - 2];
+  const sw2 = resp[resp.length - 1];
+  if (sw1 === 145 && (sw2 === 0 || sw2 === 175)) {
+    return resp.subarray(0, resp.length - 2);
+  }
+  throw new Error(`${label} failed: SW=${resp.subarray(resp.length - 2).toString("hex").toUpperCase()}`);
+}
+function buildNdefUrl(url) {
+  const uriPayload = Buffer.concat([Buffer.from([0]), Buffer.from(url, "ascii")]);
+  const ndefRecord = Buffer.concat([
+    Buffer.from([209]),
+    Buffer.from([1]),
+    Buffer.from([uriPayload.length]),
+    Buffer.from("U", "ascii"),
+    uriPayload
+  ]);
+  const lenBuf = Buffer.alloc(2);
+  lenBuf.writeUInt16BE(ndefRecord.length);
+  return Buffer.concat([lenBuf, ndefRecord]);
+}
+function calculateOffsets(url) {
+  const HEADER = 7;
+  const piccPos = url.indexOf("picc_data=") + "picc_data=".length;
+  const cmacPos = url.indexOf("cmac=") + "cmac=".length;
+  return {
+    piccOffset: HEADER + piccPos,
+    macOffset: HEADER + cmacPos,
+    macInputOffset: HEADER + piccPos
+  };
+}
+function xor2(a, b) {
+  const r = Buffer.alloc(a.length);
+  for (let i = 0; i < a.length; i++) r[i] = a[i] ^ b[i];
+  return r;
+}
+function rotateLeft(buf) {
+  const r = Buffer.alloc(buf.length);
+  buf.copy(r, 0, 1);
+  r[r.length - 1] = buf[0];
+  return r;
+}
+function aesEncrypt(key, iv, data) {
+  const c = import_crypto7.default.createCipheriv("aes-128-cbc", key, iv);
+  c.setAutoPadding(false);
+  return Buffer.concat([c.update(data), c.final()]);
+}
+function aesDecrypt(key, iv, data) {
+  const d = import_crypto7.default.createDecipheriv("aes-128-cbc", key, iv);
+  d.setAutoPadding(false);
+  return Buffer.concat([d.update(data), d.final()]);
+}
+function crc32(data) {
+  let crc = 4294967295;
+  for (let i = 0; i < data.length; i++) {
+    crc ^= data[i];
+    for (let j = 0; j < 8; j++) {
+      if (crc & 1) crc = crc >>> 1 ^ 3988292384;
+      else crc = crc >>> 1;
+    }
+  }
+  crc = crc >>> 0;
+  const buf = Buffer.alloc(4);
+  buf.writeUInt32LE(crc);
+  return buf;
+}
+function deriveAuthSessionKeys(rndA, rndB, key) {
+  const xorPart = Buffer.alloc(6);
+  for (let i = 0; i < 6; i++) xorPart[i] = rndA[2 + i] ^ rndB[i];
+  const svSuffix = Buffer.concat([
+    rndA.subarray(0, 2),
+    xorPart,
+    rndB.subarray(6, 16),
+    rndA.subarray(8, 16)
+  ]);
+  const sv1 = Buffer.concat([Buffer.from("A55A00010080", "hex"), svSuffix]);
+  const sv2 = Buffer.concat([Buffer.from("5AA500010080", "hex"), svSuffix]);
+  return { kEnc: aesCmac(key, sv1), kMac: aesCmac(key, sv2) };
+}
+function calcSessionMac(session, cmd, data) {
+  const ctrLE = Buffer.alloc(2);
+  ctrLE.writeUInt16LE(session.cmdCtr);
+  const macInput = Buffer.concat([Buffer.from([cmd]), ctrLE, session.ti, data]);
+  const full = aesCmac(session.kSesAuthMac, macInput);
+  const t = Buffer.alloc(8);
+  for (let i = 0; i < 8; i++) t[i] = full[i * 2 + 1];
+  return t;
+}
+function encryptSessionData(session, cmd, data) {
+  const ctrLE = Buffer.alloc(2);
+  ctrLE.writeUInt16LE(session.cmdCtr);
+  const ivInput = Buffer.alloc(16, 0);
+  ivInput[0] = 165;
+  ivInput[1] = 90;
+  session.ti.copy(ivInput, 2);
+  ctrLE.copy(ivInput, 6);
+  const ivC = import_crypto7.default.createCipheriv("aes-128-ecb", session.kSesAuthEnc, null);
+  ivC.setAutoPadding(false);
+  const iv = Buffer.concat([ivC.update(ivInput), ivC.final()]);
+  const padLen = (16 - data.length % 16) % 16;
+  const padded = Buffer.alloc(data.length + padLen, 0);
+  data.copy(padded);
+  if (padLen > 0) padded[data.length] = 128;
+  return aesEncrypt(session.kSesAuthEnc, iv, padded);
+}
+async function sendCommand(reader, ins, p1, p2, data) {
+  const apdu = buildApdu(ins, p1, p2, data);
+  return reader.transmit(apdu, 512);
+}
+async function authenticateEV2First(reader, keyNo, key) {
+  const resp1 = await sendCommand(reader, 113, 0, 0, Buffer.from([keyNo, 0]));
+  const encRndB = checkSW(resp1, "AuthEV2First-part1");
+  const rndB = aesDecrypt(key, ZERO16, encRndB);
+  const rndA = import_crypto7.default.randomBytes(16);
+  const rndBrot = rotateLeft(rndB);
+  const encPart2 = aesEncrypt(key, ZERO16, Buffer.concat([rndA, rndBrot]));
+  const resp2 = await sendCommand(reader, 175, 0, 0, encPart2);
+  const data2 = checkSW(resp2, "AuthEV2First-part2");
+  const decResp = aesDecrypt(key, ZERO16, data2);
+  const ti = decResp.subarray(0, 4);
+  const rndACheck = decResp.subarray(4, 20);
+  if (!import_crypto7.default.timingSafeEqual(rndACheck, rotateLeft(rndA))) {
+    throw new Error("Auth failed: RndA mismatch. Key may not be factory default.");
+  }
+  const { kEnc, kMac } = deriveAuthSessionKeys(rndA, rndB, key);
+  return { ti, cmdCtr: 0, kSesAuthEnc: kEnc, kSesAuthMac: kMac };
+}
+async function writeNdef(reader, session, url) {
+  const fileData = buildNdefUrl(url);
+  const offset = Buffer.from([0, 0, 0]);
+  const lenLE = Buffer.alloc(3);
+  lenLE.writeUIntLE(fileData.length, 0, 3);
+  const cmdData = Buffer.concat([Buffer.from([2]), offset, lenLE, fileData]);
+  const resp = await sendCommand(reader, 141, 0, 0, cmdData);
+  checkSW(resp, "WriteData");
+  session.cmdCtr++;
+}
+async function changeKey2(reader, session, newKey) {
+  const oldKey = ZERO16;
+  const xoredKey = xor2(newKey, oldKey);
+  const crc = crc32(newKey);
+  const keyVer = Buffer.from([0]);
+  const plain = Buffer.concat([xoredKey, keyVer, crc]);
+  const padded = Buffer.alloc(32, 0);
+  plain.copy(padded);
+  padded[plain.length] = 128;
+  const encData = encryptSessionData(session, 196, padded);
+  const mac = calcSessionMac(session, 196, Buffer.concat([Buffer.from([2]), encData]));
+  const cmdData = Buffer.concat([Buffer.from([2]), encData, mac]);
+  const resp = await sendCommand(reader, 196, 0, 0, cmdData);
+  checkSW(resp, "ChangeKey");
+  session.cmdCtr++;
+}
+async function changeFileSettings(reader, session, piccOffset, macOffset, macInputOffset) {
+  const fileOption = 64;
+  const accessRights = Buffer.from([0, 224]);
+  const sdmOptions = 193;
+  const sdmAccessRights = Buffer.from([255, 34]);
+  const piccOff = Buffer.alloc(3);
+  piccOff.writeUIntLE(piccOffset, 0, 3);
+  const macInputOff = Buffer.alloc(3);
+  macInputOff.writeUIntLE(macInputOffset, 0, 3);
+  const macOff = Buffer.alloc(3);
+  macOff.writeUIntLE(macOffset, 0, 3);
+  const settingsData = Buffer.concat([
+    Buffer.from([fileOption]),
+    accessRights,
+    Buffer.from([sdmOptions]),
+    sdmAccessRights,
+    piccOff,
+    macInputOff,
+    macOff
+  ]);
+  const encSettings = encryptSessionData(session, 95, settingsData);
+  const mac = calcSessionMac(session, 95, Buffer.concat([Buffer.from([2]), encSettings]));
+  const cmdData = Buffer.concat([Buffer.from([2]), encSettings, mac]);
+  const resp = await sendCommand(reader, 95, 0, 0, cmdData);
+  checkSW(resp, "ChangeFileSettings");
+  session.cmdCtr++;
+}
+var import_crypto7, ZERO16;
+var init_ntag424 = __esm({
+  "src/nfc/ntag424.ts"() {
+    "use strict";
+    import_crypto7 = __toESM(require("crypto"), 1);
+    init_aes_cmac();
+    ZERO16 = Buffer.alloc(16, 0);
+  }
+});
+
 // node_modules/commander/esm.mjs
 var import_index = __toESM(require_commander(), 1);
 var {
@@ -3918,12 +4292,109 @@ function registerInit(program3) {
   });
 }
 
+// src/cli/commands/provision.ts
+function registerProvision(program3) {
+  program3.command("provision").description("Provision an NTAG 424 DNA chip (write AES key + SUN config)").option("--cloud", "Generate key via HUITL Cloud (default)").option("--local", "Use a locally provided key").option("--key <hex>", "AES-128 key for --local mode (32 hex chars)").option("--name <name>", "Chip name/label").option("--base-url <url>", "Base URL for the tap endpoint", "https://huitlprotocol.com").action(async (opts) => {
+    const isLocal = opts.local === true;
+    let aesKeyHex;
+    let chipId;
+    if (isLocal) {
+      if (!opts.key || opts.key.length !== 32 || !/^[0-9a-fA-F]+$/.test(opts.key)) {
+        console.error("Error: --local requires --key with 32 hex characters");
+        process.exit(1);
+      }
+      aesKeyHex = opts.key.toUpperCase();
+    } else {
+      const { getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_login(), login_exports));
+      const apiKey = getApiKey2();
+      if (!apiKey) {
+        console.error("Not logged in. Run: huitl login --api-key <key>");
+        console.error("Or use --local mode with --key.");
+        process.exit(1);
+      }
+      console.log("Requesting key from HUITL Cloud...");
+      const { HuitlCloudClient: HuitlCloudClient2 } = await Promise.resolve().then(() => (init_client(), client_exports));
+      const client = new HuitlCloudClient2({ apiKey });
+      try {
+        const result = await client.provision(opts.name);
+        aesKeyHex = result.aesKey;
+        chipId = result.chipId;
+        console.log(`Key generated (chip ID: ${chipId})`);
+      } catch (err) {
+        console.error("Error:", err instanceof Error ? err.message : String(err));
+        process.exit(1);
+      }
+    }
+    const aesKey = Buffer.from(aesKeyHex, "hex");
+    const ndefUrl = `${opts.baseUrl}/tap?picc_data=00000000000000000000000000000000&cmac=0000000000000000`;
+    console.log();
+    console.log(`AES Key: ${aesKeyHex}`);
+    console.log(`URL:     ${ndefUrl}`);
+    console.log();
+    console.log("Place your NTAG 424 DNA chip on the reader...");
+    console.log();
+    const { waitForCard: waitForCard2 } = await Promise.resolve().then(() => (init_reader(), reader_exports));
+    const {
+      authenticateEV2First: authenticateEV2First2,
+      writeNdef: writeNdef2,
+      changeKey2: changeKey22,
+      changeFileSettings: changeFileSettings2,
+      calculateOffsets: calculateOffsets2
+    } = await Promise.resolve().then(() => (init_ntag424(), ntag424_exports));
+    const { uid, reader } = await waitForCard2();
+    console.log(`Chip detected \u2014 UID: ${uid}`);
+    console.log();
+    try {
+      console.log("Step 1/5: Authenticating with factory key...");
+      const session = await authenticateEV2First2(reader, 0, Buffer.alloc(16, 0));
+      console.log("Step 2/5: Writing NDEF URL...");
+      await writeNdef2(reader, session, ndefUrl);
+      console.log("Step 3/5: Writing AES key...");
+      try {
+        await changeKey22(reader, session, aesKey);
+      } catch (err) {
+        if (err.message.includes("911E")) {
+          console.log("  Key 2 may already be set. Skipping.");
+        } else throw err;
+      }
+      console.log("Step 4/5: Re-authenticating...");
+      const session2 = await authenticateEV2First2(reader, 0, Buffer.alloc(16, 0));
+      console.log("Step 5/5: Configuring SUN (Secure Unique NFC)...");
+      const { piccOffset, macOffset, macInputOffset } = calculateOffsets2(ndefUrl);
+      await changeFileSettings2(reader, session2, piccOffset, macOffset, macInputOffset);
+      if (chipId) {
+        console.log("Registering UID with HUITL Cloud...");
+        const { getApiKey: getApiKey2 } = await Promise.resolve().then(() => (init_login(), login_exports));
+        const { HuitlCloudClient: HuitlCloudClient2 } = await Promise.resolve().then(() => (init_client(), client_exports));
+        const client = new HuitlCloudClient2({ apiKey: getApiKey2() });
+        await client.registerUid(chipId, uid);
+      }
+      console.log();
+      console.log("Chip provisioned successfully!");
+      console.log(`  UID:     ${uid}`);
+      console.log(`  AES Key: ${aesKeyHex}`);
+      console.log(`  Tap URL: ${opts.baseUrl}/tap`);
+      console.log();
+      console.log("Tap the chip with your phone to test it.");
+      process.exit(0);
+    } catch (err) {
+      console.error();
+      console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
+      console.error("Make sure you're using an NTAG 424 DNA chip with factory default keys.");
+      process.exit(1);
+    }
+  });
+}
+
 // src/cli/index.ts
+init_login();
 var program2 = new Command();
-program2.name("huitl").description("HUITL Protocol CLI \u2014 NTAG 424 DNA verification tools").version("0.1.0");
+program2.name("huitl").description("HUITL Protocol CLI \u2014 NTAG 424 DNA verification tools").version("0.2.0");
 registerVerify(program2);
 registerKeygen(program2);
 registerDev(program2);
 registerInit(program2);
+registerProvision(program2);
+registerLogin(program2);
 program2.parse();
 //# sourceMappingURL=cli.cjs.map