@permission-slip/cli 0.1.0

package/dist/api/client.d.ts

@@ -0,0 +1,91 @@
+/**
+ * HTTP client for the Permission Slip API.
+ *
+ * Transparently handles:
+ *  - Request signing (X-Permission-Slip-Signature)
+ *  - JSON serialization / deserialization
+ *  - Error formatting
+ *
+ * Endpoints follow docs/agents.md. Signing paths use the router path
+ * (e.g. /agents/42/verify), not the full URL including the /api/v1 prefix.
+ */
+export interface ApiError {
+    code: string;
+    message: string;
+    retryable: boolean;
+    details?: Record<string, unknown>;
+    trace_id?: string;
+}
+export declare class PermissionSlipApiError extends Error {
+    readonly statusCode: number;
+    readonly apiError: ApiError;
+    constructor(statusCode: number, apiError: ApiError);
+}
+export interface ClientOptions {
+    /** Base URL of the Permission Slip server, e.g. https://app.permissionslip.dev */
+    serverUrl: string;
+    /** Agent ID — use REGISTRATION_AGENT_ID during registration */
+    agentId: number | string;
+}
+interface RequestOptions {
+    method: "GET" | "POST" | "DELETE";
+    routerPath: string;
+    apiPath?: string;
+    body?: unknown;
+    /** Override agentId just for this request (e.g. REGISTRATION_AGENT_ID) */
+    agentIdOverride?: number | string;
+    /** Whether this is a public endpoint (no signing required) */
+    public?: boolean;
+}
+export declare class ApiClient {
+    private base;
+    private agentId;
+    constructor(opts: ClientOptions);
+    request<T>(opts: RequestOptions): Promise<T>;
+    /** POST /invite/{code} — register with an invite code */
+    register(inviteCode: string, publicKey: string, name: string, version?: string): Promise<{
+        agent_id: number;
+        expires_at: string;
+        verification_required: boolean;
+    }>;
+    /** POST /agents/{id}/verify — verify registration with confirmation code */
+    verify(agentId: number, confirmationCode: string): Promise<{
+        status: string;
+        registered_at: string;
+    }>;
+    /** GET /agents/me — get own agent record */
+    status(): Promise<{
+        agent_id: number;
+        status: string;
+        metadata: Record<string, unknown>;
+        registered_at: string;
+        last_active_at: string;
+        created_at: string;
+    }>;
+    /** GET /agents/{id}/capabilities */
+    capabilities(agentId: number): Promise<unknown>;
+    /** GET /connectors — public, no auth */
+    connectors(): Promise<unknown>;
+    /** GET /connectors/{id} — public, no auth */
+    connector(id: string): Promise<unknown>;
+    /** POST /approvals/request */
+    requestApproval(actionId: string, params: unknown, context?: {
+        description?: string;
+        risk_level?: string;
+    }): Promise<{
+        approval_id: string;
+        approval_url: string;
+        status: string;
+        expires_at: string;
+        verification_required: boolean;
+    }>;
+    /** POST /actions/execute */
+    execute(tokenOrConfigId: {
+        token: string;
+    } | {
+        configuration_id: string;
+        request_id?: string;
+    }, actionId: string | undefined, params: unknown): Promise<unknown>;
+}
+export {};
+//# sourceMappingURL=client.d.ts.map

package/dist/api/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,sBAAuB,SAAQ,KAAK;aAE7B,UAAU,EAAE,MAAM;aAClB,QAAQ,EAAE,QAAQ;gBADlB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,QAAQ;CAKrC;AAED,MAAM,WAAW,aAAa;IAC5B,kFAAkF;IAClF,SAAS,EAAE,MAAM,CAAC;IAClB,+DAA+D;IAC/D,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;CAC1B;AAiBD,UAAU,cAAc;IACtB,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,0EAA0E;IAC1E,eAAe,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAClC,8DAA8D;IAC9D,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,SAAS;IACpB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,OAAO,CAAkB;gBAErB,IAAI,EAAE,aAAa;IAkBzB,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,CAAC,CAAC;IAwDlD,yDAAyD;IACnD,QAAQ,CACZ,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,SAAU;kBAIL,MAAM;oBACJ,MAAM;+BACK,OAAO;;IAclC,4EAA4E;IACtE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM;gBAEtB,MAAM;uBAAiB,MAAM;;IAQ7D,4CAA4C;IACtC,MAAM;kBAEE,MAAM;gBACR,MAAM;kBACJ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;uBAClB,MAAM;wBACL,MAAM;oBACV,MAAM;;IAOtB,oCAAoC;IAC9B,YAAY,CAAC,OAAO,EAAE,MAAM;IAQlC,wCAAwC;IAClC,UAAU;IAQhB,6CAA6C;IACvC,SAAS,CAAC,EAAE,EAAE,MAAM;IAQ1B,8BAA8B;IACxB,eAAe,CACnB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,OAAO,EACf,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE;qBAIxC,MAAM;sBACL,MAAM;gBACZ,MAAM;oBACF,MAAM;+BACK,OAAO;;IAQlC,4BAA4B;IACtB,OAAO,CACX,eAAe,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,gBAAgB,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,EACtF,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,MAAM,EAAE,OAAO;CAmBlB"}

package/dist/api/client.js

@@ -0,0 +1,190 @@
+/**
+ * HTTP client for the Permission Slip API.
+ *
+ * Transparently handles:
+ *  - Request signing (X-Permission-Slip-Signature)
+ *  - JSON serialization / deserialization
+ *  - Error formatting
+ *
+ * Endpoints follow docs/agents.md. Signing paths use the router path
+ * (e.g. /agents/42/verify), not the full URL including the /api/v1 prefix.
+ */
+import crypto from "node:crypto";
+import { buildSignatureHeader, REGISTRATION_AGENT_ID } from "../auth/signing.js";
+export class PermissionSlipApiError extends Error {
+    statusCode;
+    apiError;
+    constructor(statusCode, apiError) {
+        super(apiError.message);
+        this.statusCode = statusCode;
+        this.apiError = apiError;
+        this.name = "PermissionSlipApiError";
+    }
+}
+/**
+ * Strips trailing slashes from a URL.
+ */
+function normalizeBase(url) {
+    return url.replace(/\/+$/, "");
+}
+/**
+ * Extracts the router path (without /api/v1) for signing purposes.
+ * The invite endpoint is at the host root (no /api/v1 prefix).
+ */
+function signingPath(routerPath) {
+    return routerPath;
+}
+export class ApiClient {
+    base;
+    agentId;
+    constructor(opts) {
+        // Reject non-http(s) schemes before ever making a request.
+        let parsed;
+        try {
+            parsed = new URL(opts.serverUrl);
+        }
+        catch {
+            throw new Error(`Invalid server URL: ${opts.serverUrl}`);
+        }
+        if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+            throw new Error(`Server URL must use http or https (got ${parsed.protocol}). ` +
+                "Check the --server flag.");
+        }
+        this.base = normalizeBase(opts.serverUrl);
+        this.agentId = opts.agentId;
+    }
+    async request(opts) {
+        const bodyStr = opts.body !== undefined ? JSON.stringify(opts.body) : undefined;
+        const headers = {
+            "Content-Type": "application/json",
+            "User-Agent": "@permission-slip/cli",
+        };
+        if (!opts.public) {
+            const agentId = opts.agentIdOverride ?? this.agentId;
+            headers["X-Permission-Slip-Signature"] = buildSignatureHeader({
+                agentId,
+                method: opts.method,
+                path: signingPath(opts.routerPath),
+                body: bodyStr,
+            });
+        }
+        const fullPath = opts.apiPath ?? `/api/v1${opts.routerPath}`;
+        const url = `${this.base}${fullPath}`;
+        const res = await fetch(url, {
+            method: opts.method,
+            headers,
+            body: bodyStr,
+        });
+        if (!res.ok) {
+            let apiError;
+            try {
+                const errBody = (await res.json());
+                apiError = errBody.error ?? {
+                    code: "unknown",
+                    message: `HTTP ${res.status}`,
+                    retryable: false,
+                };
+            }
+            catch {
+                apiError = {
+                    code: "unknown",
+                    message: `HTTP ${res.status} ${res.statusText}`,
+                    retryable: false,
+                };
+            }
+            throw new PermissionSlipApiError(res.status, apiError);
+        }
+        // Some responses may be empty (204)
+        if (res.status === 204) {
+            return undefined;
+        }
+        return res.json();
+    }
+    // ---------- Typed API methods ----------
+    /** POST /invite/{code} — register with an invite code */
+    async register(inviteCode, publicKey, name, version = "1.0.0") {
+        const requestId = crypto.randomUUID();
+        return this.request({
+            method: "POST",
+            routerPath: `/invite/${inviteCode}`,
+            apiPath: `/invite/${inviteCode}`,
+            body: {
+                request_id: requestId,
+                public_key: publicKey,
+                metadata: { name, version },
+            },
+            agentIdOverride: REGISTRATION_AGENT_ID,
+        });
+    }
+    /** POST /agents/{id}/verify — verify registration with confirmation code */
+    async verify(agentId, confirmationCode) {
+        const requestId = crypto.randomUUID();
+        return this.request({
+            method: "POST",
+            routerPath: `/agents/${agentId}/verify`,
+            body: { request_id: requestId, confirmation_code: confirmationCode },
+            agentIdOverride: agentId,
+        });
+    }
+    /** GET /agents/me — get own agent record */
+    async status() {
+        return this.request({
+            method: "GET",
+            routerPath: "/agents/me",
+        });
+    }
+    /** GET /agents/{id}/capabilities */
+    async capabilities(agentId) {
+        return this.request({
+            method: "GET",
+            routerPath: `/agents/${agentId}/capabilities`,
+            agentIdOverride: agentId,
+        });
+    }
+    /** GET /connectors — public, no auth */
+    async connectors() {
+        return this.request({
+            method: "GET",
+            routerPath: "/connectors",
+            public: true,
+        });
+    }
+    /** GET /connectors/{id} — public, no auth */
+    async connector(id) {
+        return this.request({
+            method: "GET",
+            routerPath: `/connectors/${id}`,
+            public: true,
+        });
+    }
+    /** POST /approvals/request */
+    async requestApproval(actionId, params, context) {
+        const requestId = crypto.randomUUID();
+        return this.request({
+            method: "POST",
+            routerPath: "/approvals/request",
+            body: { request_id: requestId, action_id: actionId, parameters: params, context },
+        });
+    }
+    /** POST /actions/execute */
+    async execute(tokenOrConfigId, actionId, params) {
+        const requestId = crypto.randomUUID();
+        let body;
+        if ("token" in tokenOrConfigId) {
+            body = { token: tokenOrConfigId.token, action_id: actionId, parameters: params };
+        }
+        else {
+            body = {
+                request_id: tokenOrConfigId.request_id ?? requestId,
+                configuration_id: tokenOrConfigId.configuration_id,
+                parameters: params,
+            };
+        }
+        return this.request({
+            method: "POST",
+            routerPath: "/actions/execute",
+            body,
+        });
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/api/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/api/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAUjF,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IAE7B;IACA;IAFlB,YACkB,UAAkB,EAClB,QAAkB;QAElC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAHR,eAAU,GAAV,UAAU,CAAQ;QAClB,aAAQ,GAAR,QAAQ,CAAU;QAGlC,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AASD;;GAEG;AACH,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,UAAkB;IACrC,OAAO,UAAU,CAAC;AACpB,CAAC;AAaD,MAAM,OAAO,SAAS;IACZ,IAAI,CAAS;IACb,OAAO,CAAkB;IAEjC,YAAY,IAAmB;QAC7B,2DAA2D;QAC3D,IAAI,MAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChE,MAAM,IAAI,KAAK,CACb,0CAA0C,MAAM,CAAC,QAAQ,KAAK;gBAC9D,0BAA0B,CAC3B,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,OAAO,CAAI,IAAoB;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAChF,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,YAAY,EAAE,sBAAsB;SACrC,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,OAAO,CAAC;YACrD,OAAO,CAAC,6BAA6B,CAAC,GAAG,oBAAoB,CAAC;gBAC5D,OAAO;gBACP,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;gBAClC,IAAI,EAAE,OAAO;aACd,CAAC,CAAC;QACL,CAAC;QAED,MAAM,QAAQ,GACZ,IAAI,CAAC,OAAO,IAAI,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,GAAG,QAAQ,EAAE,CAAC;QAEtC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO;YACP,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,QAAkB,CAAC;YACvB,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;gBAC3D,QAAQ,GAAG,OAAO,CAAC,KAAK,IAAI;oBAC1B,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE;oBAC7B,SAAS,EAAE,KAAK;iBACjB,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,GAAG;oBACT,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,QAAQ,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE;oBAC/C,SAAS,EAAE,KAAK;iBACjB,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,sBAAsB,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACzD,CAAC;QAED,oCAAoC;QACpC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACvB,OAAO,SAAc,CAAC;QACxB,CAAC;QAED,OAAO,GAAG,CAAC,IAAI,EAAgB,CAAC;IAClC,CAAC;IAED,0CAA0C;IAE1C,yDAAyD;IACzD,KAAK,CAAC,QAAQ,CACZ,UAAkB,EAClB,SAAiB,EACjB,IAAY,EACZ,OAAO,GAAG,OAAO;QAEjB,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC,OAAO,CAIhB;YACD,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,WAAW,UAAU,EAAE;YACnC,OAAO,EAAE,WAAW,UAAU,EAAE;YAChC,IAAI,EAAE;gBACJ,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,SAAS;gBACrB,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE;aAC5B;YACD,eAAe,EAAE,qBAAqB;SACvC,CAAC,CAAC;IACL,CAAC;IAED,4EAA4E;IAC5E,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,gBAAwB;QACpD,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC,OAAO,CAA4C;YAC7D,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,WAAW,OAAO,SAAS;YACvC,IAAI,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,iBAAiB,EAAE,gBAAgB,EAAE;YACpE,eAAe,EAAE,OAAO;SACzB,CAAC,CAAC;IACL,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,OAAO,CAOhB;YACD,MAAM,EAAE,KAAK;YACb,UAAU,EAAE,YAAY;SACzB,CAAC,CAAC;IACL,CAAC;IAED,oCAAoC;IACpC,KAAK,CAAC,YAAY,CAAC,OAAe;QAChC,OAAO,IAAI,CAAC,OAAO,CAAU;YAC3B,MAAM,EAAE,KAAK;YACb,UAAU,EAAE,WAAW,OAAO,eAAe;YAC7C,eAAe,EAAE,OAAO;SACzB,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,OAAO,CAAU;YAC3B,MAAM,EAAE,KAAK;YACb,UAAU,EAAE,aAAa;YACzB,MAAM,EAAE,IAAI;SACb,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,KAAK,CAAC,SAAS,CAAC,EAAU;QACxB,OAAO,IAAI,CAAC,OAAO,CAAU;YAC3B,MAAM,EAAE,KAAK;YACb,UAAU,EAAE,eAAe,EAAE,EAAE;YAC/B,MAAM,EAAE,IAAI;SACb,CAAC,CAAC;IACL,CAAC;IAED,8BAA8B;IAC9B,KAAK,CAAC,eAAe,CACnB,QAAgB,EAChB,MAAe,EACf,OAAuD;QAEvD,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC,OAAO,CAMhB;YACD,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE;SAClF,CAAC,CAAC;IACL,CAAC;IAED,4BAA4B;IAC5B,KAAK,CAAC,OAAO,CACX,eAAsF,EACtF,QAA4B,EAC5B,MAAe;QAEf,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACtC,IAAI,IAA6B,CAAC;QAClC,IAAI,OAAO,IAAI,eAAe,EAAE,CAAC;YAC/B,IAAI,GAAG,EAAE,KAAK,EAAE,eAAe,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;QACnF,CAAC;aAAM,CAAC;YACN,IAAI,GAAG;gBACL,UAAU,EAAE,eAAe,CAAC,UAAU,IAAI,SAAS;gBACnD,gBAAgB,EAAE,eAAe,CAAC,gBAAgB;gBAClD,UAAU,EAAE,MAAM;aACnB,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAU;YAC3B,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,kBAAkB;YAC9B,IAAI;SACL,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/auth/keys.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Ed25519 key management for Permission Slip.
+ *
+ * Keys are stored in OpenSSH format:
+ *   Private: ~/.ssh/permission_slip_agent
+ *   Public:  ~/.ssh/permission_slip_agent.pub
+ *
+ * We use Node's built-in `crypto` module and `child_process` (ssh-keygen) to
+ * generate the key pair, matching the existing manual flow agents used to do.
+ */
+import crypto from "node:crypto";
+export interface KeyPair {
+    privateKeyFile: string;
+    publicKey: string;
+}
+/**
+ * Returns true if a Permission Slip key pair already exists.
+ */
+export declare function keyPairExists(): boolean;
+/**
+ * Reads the public key from disk.
+ * Returns the full "ssh-ed25519 AAAA..." string (just key type + base64, no comment).
+ */
+export declare function readPublicKey(): string;
+/**
+ * Loads the private key from disk as a Node KeyObject.
+ */
+export declare function loadPrivateKey(): crypto.KeyObject;
+/**
+ * Generates a new Ed25519 key pair using ssh-keygen and saves it to
+ * ~/.ssh/permission_slip_agent{,.pub}.
+ *
+ * Throws if ssh-keygen is not available or if keys already exist and
+ * overwrite is false.
+ */
+export declare function generateKeyPair(overwrite?: boolean): KeyPair;
+/**
+ * Returns a path relative to home for display purposes.
+ */
+export declare function displayPath(absPath: string): string;
+//# sourceMappingURL=keys.d.ts.map

package/dist/auth/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/auth/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAMjC,MAAM,WAAW,OAAO;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAIvC;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAatC;AAED;;GAEG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAAC,SAAS,CAQjD;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,SAAS,UAAQ,GAAG,OAAO,CAoC1D;AAgDD;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAGnD"}

package/dist/auth/keys.js

@@ -0,0 +1,133 @@
+/**
+ * Ed25519 key management for Permission Slip.
+ *
+ * Keys are stored in OpenSSH format:
+ *   Private: ~/.ssh/permission_slip_agent
+ *   Public:  ~/.ssh/permission_slip_agent.pub
+ *
+ * We use Node's built-in `crypto` module and `child_process` (ssh-keygen) to
+ * generate the key pair, matching the existing manual flow agents used to do.
+ */
+import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import { execFileSync } from "node:child_process";
+import { PUBLIC_KEY_FILE, PRIVATE_KEY_FILE, SSH_DIR } from "../config/store.js";
+/**
+ * Returns true if a Permission Slip key pair already exists.
+ */
+export function keyPairExists() {
+    return (fs.existsSync(PRIVATE_KEY_FILE) && fs.existsSync(PUBLIC_KEY_FILE));
+}
+/**
+ * Reads the public key from disk.
+ * Returns the full "ssh-ed25519 AAAA..." string (just key type + base64, no comment).
+ */
+export function readPublicKey() {
+    if (!fs.existsSync(PUBLIC_KEY_FILE)) {
+        throw new Error(`Public key not found at ${PUBLIC_KEY_FILE}. Run 'permission-slip register' to generate one.`);
+    }
+    const raw = fs.readFileSync(PUBLIC_KEY_FILE, "utf-8").trim();
+    // Take only type + key, drop optional comment
+    const parts = raw.split(/\s+/);
+    if (parts.length < 2) {
+        throw new Error(`Invalid public key format in ${PUBLIC_KEY_FILE}`);
+    }
+    return `${parts[0]} ${parts[1]}`;
+}
+/**
+ * Loads the private key from disk as a Node KeyObject.
+ */
+export function loadPrivateKey() {
+    if (!fs.existsSync(PRIVATE_KEY_FILE)) {
+        throw new Error(`Private key not found at ${PRIVATE_KEY_FILE}. Run 'permission-slip register' to generate one.`);
+    }
+    const pem = fs.readFileSync(PRIVATE_KEY_FILE);
+    return crypto.createPrivateKey({ key: pem, format: "pem" });
+}
+/**
+ * Generates a new Ed25519 key pair using ssh-keygen and saves it to
+ * ~/.ssh/permission_slip_agent{,.pub}.
+ *
+ * Throws if ssh-keygen is not available or if keys already exist and
+ * overwrite is false.
+ */
+export function generateKeyPair(overwrite = false) {
+    if (!overwrite && keyPairExists()) {
+        return {
+            privateKeyFile: PRIVATE_KEY_FILE,
+            publicKey: readPublicKey(),
+        };
+    }
+    if (!fs.existsSync(SSH_DIR)) {
+        fs.mkdirSync(SSH_DIR, { recursive: true, mode: 0o700 });
+    }
+    // Remove existing key files if overwriting to avoid ssh-keygen prompt
+    if (overwrite) {
+        if (fs.existsSync(PRIVATE_KEY_FILE))
+            fs.unlinkSync(PRIVATE_KEY_FILE);
+        if (fs.existsSync(PUBLIC_KEY_FILE))
+            fs.unlinkSync(PUBLIC_KEY_FILE);
+    }
+    try {
+        // Use execFileSync (not execSync) to avoid shell interpolation of the key path.
+        execFileSync("ssh-keygen", ["-t", "ed25519", "-f", PRIVATE_KEY_FILE, "-N", "", "-C", "permission-slip"], { stdio: "pipe" });
+    }
+    catch (err) {
+        // Fallback: generate key using Node crypto and write in OpenSSH format
+        const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
+        writeOpenSSHPrivateKey(privateKey, PRIVATE_KEY_FILE);
+        writeOpenSSHPublicKey(publicKey, PUBLIC_KEY_FILE);
+    }
+    return {
+        privateKeyFile: PRIVATE_KEY_FILE,
+        publicKey: readPublicKey(),
+    };
+}
+/**
+ * Writes an Ed25519 private key in PKCS8 PEM format.
+ * Used as a fallback when ssh-keygen is not available.
+ *
+ * NOTE: This produces PKCS8 PEM (`-----BEGIN PRIVATE KEY-----`), not the
+ * OpenSSH native format (`-----BEGIN OPENSSH PRIVATE KEY-----`). Node's
+ * `crypto.createPrivateKey` accepts both, so signing works correctly.
+ * However, standard SSH tooling (e.g. `ssh-add`, `ssh-keygen -y`) will
+ * not recognize PKCS8 PEM — if interoperability with SSH tools is required,
+ * use a platform that has `ssh-keygen` available.
+ */
+function writeOpenSSHPrivateKey(key, filePath) {
+    const pem = key.export({ type: "pkcs8", format: "pem" });
+    fs.writeFileSync(filePath, pem, { mode: 0o600 });
+}
+/**
+ * Writes the public key in OpenSSH authorized_keys format: "ssh-ed25519 <base64> permission-slip"
+ */
+function writeOpenSSHPublicKey(key, filePath) {
+    // Export as SubjectPublicKeyInfo DER, then convert to OpenSSH wire format
+    const derBuf = key.export({ type: "spki", format: "der" });
+    // The last 32 bytes of the SPKI DER for ed25519 are the raw public key bytes
+    const rawPubKey = derBuf.slice(-32);
+    // Build OpenSSH wire format: length-prefixed "ssh-ed25519" + length-prefixed key bytes
+    const keyType = Buffer.from("ssh-ed25519");
+    const buf = Buffer.alloc(4 + keyType.length + 4 + rawPubKey.length);
+    let offset = 0;
+    buf.writeUInt32BE(keyType.length, offset);
+    offset += 4;
+    keyType.copy(buf, offset);
+    offset += keyType.length;
+    buf.writeUInt32BE(rawPubKey.length, offset);
+    offset += 4;
+    rawPubKey.copy(buf, offset);
+    const b64 = buf.toString("base64");
+    fs.writeFileSync(filePath, `ssh-ed25519 ${b64} permission-slip\n`, {
+        mode: 0o644,
+    });
+}
+/**
+ * Returns a path relative to home for display purposes.
+ */
+export function displayPath(absPath) {
+    const home = os.homedir();
+    return absPath.startsWith(home) ? absPath.replace(home, "~") : absPath;
+}
+//# sourceMappingURL=keys.js.map

package/dist/auth/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/auth/keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAOhF;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,CACL,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,CAClE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa;IAC3B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,2BAA2B,eAAe,mDAAmD,CAC9F,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7D,8CAA8C;IAC9C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,gCAAgC,eAAe,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,4BAA4B,gBAAgB,mDAAmD,CAChG,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,gBAAgB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,SAAS,GAAG,KAAK;IAC/C,IAAI,CAAC,SAAS,IAAI,aAAa,EAAE,EAAE,CAAC;QAClC,OAAO;YACL,cAAc,EAAE,gBAAgB;YAChC,SAAS,EAAE,aAAa,EAAE;SAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,sEAAsE;IACtE,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC;YAAE,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;QACrE,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,CAAC;QACH,gFAAgF;QAChF,YAAY,CACV,YAAY,EACZ,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,iBAAiB,CAAC,EAC5E,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,uEAAuE;QACvE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACxE,sBAAsB,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QACrD,qBAAqB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IACpD,CAAC;IAED,OAAO;QACL,cAAc,EAAE,gBAAgB;QAChC,SAAS,EAAE,aAAa,EAAE;KAC3B,CAAC;AACJ,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,sBAAsB,CAC7B,GAAqB,EACrB,QAAgB;IAEhB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACnE,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,GAAqB,EAAE,QAAgB;IACpE,0EAA0E;IAC1E,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACrE,6EAA6E;IAC7E,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IAEpC,uFAAuF;IACvF,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IACpE,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,MAAM,IAAI,CAAC,CAAC;IACZ,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC1B,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IACzB,GAAG,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5C,MAAM,IAAI,CAAC,CAAC;IACZ,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAE5B,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnC,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,eAAe,GAAG,oBAAoB,EAAE;QACjE,IAAI,EAAE,KAAK;KACZ,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAC1B,OAAO,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;AACzE,CAAC"}

package/dist/auth/signing.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Request signing for Permission Slip.
+ *
+ * Implements the X-Permission-Slip-Signature header as documented in docs/agents.md.
+ *
+ * Header format:
+ *   agent_id="42", algorithm="Ed25519", timestamp="1708617600", signature="<base64url>"
+ *
+ * Canonical string (5 lines joined by \n):
+ *   METHOD\nPATH\nQUERY\nTIMESTAMP\nBODY_HASH
+ *
+ * During registration, use MAX_INT64 as the agent_id placeholder.
+ */
+export declare const REGISTRATION_AGENT_ID = "9223372036854775807";
+export interface SignatureOptions {
+    agentId: number | string;
+    method: string;
+    path: string;
+    query?: string;
+    body?: string;
+    timestamp?: number;
+}
+/**
+ * Computes the X-Permission-Slip-Signature header value.
+ */
+export declare function buildSignatureHeader(opts: SignatureOptions): string;
+//# sourceMappingURL=signing.d.ts.map

package/dist/auth/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../src/auth/signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,eAAO,MAAM,qBAAqB,wBAAwB,CAAC;AAE3D,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,gBAAgB,GAAG,MAAM,CAYnE"}

package/dist/auth/signing.js

@@ -0,0 +1,61 @@
+/**
+ * Request signing for Permission Slip.
+ *
+ * Implements the X-Permission-Slip-Signature header as documented in docs/agents.md.
+ *
+ * Header format:
+ *   agent_id="42", algorithm="Ed25519", timestamp="1708617600", signature="<base64url>"
+ *
+ * Canonical string (5 lines joined by \n):
+ *   METHOD\nPATH\nQUERY\nTIMESTAMP\nBODY_HASH
+ *
+ * During registration, use MAX_INT64 as the agent_id placeholder.
+ */
+import crypto from "node:crypto";
+import { loadPrivateKey } from "./keys.js";
+// Placeholder agent_id used during registration before we have a real ID
+export const REGISTRATION_AGENT_ID = "9223372036854775807";
+/**
+ * Computes the X-Permission-Slip-Signature header value.
+ */
+export function buildSignatureHeader(opts) {
+    const privateKey = loadPrivateKey();
+    const timestamp = opts.timestamp ?? Math.floor(Date.now() / 1000);
+    const method = opts.method.toUpperCase();
+    const urlPath = opts.path;
+    const query = canonicalizeQuery(opts.query ?? "");
+    const bodyHash = hashBody(opts.body ?? "");
+    const canonical = `${method}\n${urlPath}\n${query}\n${timestamp}\n${bodyHash}`;
+    const sig = signCanonical(privateKey, canonical);
+    return `agent_id="${opts.agentId}", algorithm="Ed25519", timestamp="${timestamp}", signature="${sig}"`;
+}
+function canonicalizeQuery(raw) {
+    if (!raw)
+        return "";
+    const pairs = new URLSearchParams(raw);
+    const sorted = Array.from(pairs.entries()).sort(([a], [b]) => a.localeCompare(b));
+    return sorted
+        .map(([k, v]) => `${encodeRFC3986(k)}=${encodeRFC3986(v)}`)
+        .join("&");
+}
+function encodeRFC3986(str) {
+    return encodeURIComponent(str).replace(/[!'()*]/g, (c) => `%${c.charCodeAt(0).toString(16).toUpperCase()}`);
+}
+function hashBody(body) {
+    if (!body) {
+        // SHA-256 of empty string
+        return "e3b0c44298fc1c149afbf4c8996fb924" +
+            "27ae41e4649b934ca495991b7852b855";
+    }
+    return crypto.createHash("sha256").update(body, "utf-8").digest("hex");
+}
+function signCanonical(privateKey, canonical) {
+    const sig = crypto.sign(null, Buffer.from(canonical, "utf-8"), privateKey);
+    // base64url without padding
+    return sig
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+//# sourceMappingURL=signing.js.map

package/dist/auth/signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.js","sourceRoot":"","sources":["../../src/auth/signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3C,yEAAyE;AACzE,MAAM,CAAC,MAAM,qBAAqB,GAAG,qBAAqB,CAAC;AAW3D;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAsB;IACzD,MAAM,UAAU,GAAG,cAAc,EAAE,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC;IAC1B,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAE3C,MAAM,SAAS,GAAG,GAAG,MAAM,KAAK,OAAO,KAAK,KAAK,KAAK,SAAS,KAAK,QAAQ,EAAE,CAAC;IAC/E,MAAM,GAAG,GAAG,aAAa,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAEjD,OAAO,aAAa,IAAI,CAAC,OAAO,sCAAsC,SAAS,iBAAiB,GAAG,GAAG,CAAC;AACzG,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3D,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CACnB,CAAC;IACF,OAAO,MAAM;SACV,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1D,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,kBAAkB,CAAC,GAAG,CAAC,CAAC,OAAO,CACpC,UAAU,EACV,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CACxD,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY;IAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,0BAA0B;QAC1B,OAAO,kCAAkC;YACvC,kCAAkC,CAAC;IACvC,CAAC;IACD,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,aAAa,CAAC,UAA4B,EAAE,SAAiB;IACpE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,UAAU,CAAC,CAAC;IAC3E,4BAA4B;IAC5B,OAAO,GAAG;SACP,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC"}

package/dist/commands/capabilities.d.ts

@@ -0,0 +1,8 @@
+/**
+ * permission-slip capabilities [--server <url>]
+ *
+ * Lists the action configurations and standing approvals available to this agent.
+ */
+import type { Command } from "commander";
+export declare function capabilitiesCommand(program: Command): void;
+//# sourceMappingURL=capabilities.d.ts.map

package/dist/commands/capabilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"","sources":["../../src/commands/capabilities.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKzC,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA2B1D"}

package/dist/commands/capabilities.js

@@ -0,0 +1,30 @@
+/**
+ * permission-slip capabilities [--server <url>]
+ *
+ * Lists the action configurations and standing approvals available to this agent.
+ */
+import { ApiClient } from "../api/client.js";
+import { resolveAgentId } from "./status.js";
+import { output } from "../output.js";
+export function capabilitiesCommand(program) {
+    program
+        .command("capabilities")
+        .description("List available action configurations and standing approvals")
+        .option("--server <url>", "Permission Slip server URL", "https://app.permissionslip.dev")
+        .option("--agent-id <id>", "Agent ID (auto-detected from saved registration)")
+        .option("--pretty", "Pretty-printed JSON (default is compact JSON)")
+        .action(async (opts) => {
+        const outputOpts = { pretty: opts.pretty ?? false };
+        try {
+            const agentId = resolveAgentId(opts.server, opts.agentId);
+            const client = new ApiClient({ serverUrl: opts.server, agentId });
+            const result = await client.capabilities(agentId);
+            output(result, outputOpts);
+        }
+        catch (err) {
+            output({ error: err instanceof Error ? err.message : String(err) }, outputOpts);
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=capabilities.js.map

package/dist/commands/capabilities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../../src/commands/capabilities.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,MAAM,EAAsB,MAAM,cAAc,CAAC;AAE1D,MAAM,UAAU,mBAAmB,CAAC,OAAgB;IAClD,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,6DAA6D,CAAC;SAC1E,MAAM,CACL,gBAAgB,EAChB,4BAA4B,EAC5B,gCAAgC,CACjC;SACA,MAAM,CAAC,iBAAiB,EAAE,kDAAkD,CAAC;SAC7E,MAAM,CAAC,UAAU,EAAE,+CAA+C,CAAC;SACnE,MAAM,CAAC,KAAK,EAAE,IAId,EAAE,EAAE;QACH,MAAM,UAAU,GAAkB,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC;QACnE,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YAC1D,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YAClE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;YAChF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/config.d.ts

@@ -0,0 +1,8 @@
+/**
+ * permission-slip config [--server <url>]
+ *
+ * Shows all saved registrations or the registration for a specific server.
+ */
+import type { Command } from "commander";
+export declare function configCommand(program: Command): void;
+//# sourceMappingURL=config.d.ts.map

package/dist/commands/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/commands/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAYzC,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA2BpD"}