@positronic/cli 0.0.57 → 0.0.59

package/dist/src/lib/jwt-auth.js

@@ -0,0 +1,364 @@
+function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
+    try {
+        var info = gen[key](arg);
+        var value = info.value;
+    } catch (error) {
+        reject(error);
+        return;
+    }
+    if (info.done) {
+        resolve(value);
+    } else {
+        Promise.resolve(value).then(_next, _throw);
+    }
+}
+function _async_to_generator(fn) {
+    return function() {
+        var self = this, args = arguments;
+        return new Promise(function(resolve, reject) {
+            var gen = fn.apply(self, args);
+            function _next(value) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value);
+            }
+            function _throw(err) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err);
+            }
+            _next(undefined);
+        });
+    };
+}
+function _class_call_check(instance, Constructor) {
+    if (!(instance instanceof Constructor)) {
+        throw new TypeError("Cannot call a class as a function");
+    }
+}
+function _defineProperties(target, props) {
+    for(var i = 0; i < props.length; i++){
+        var descriptor = props[i];
+        descriptor.enumerable = descriptor.enumerable || false;
+        descriptor.configurable = true;
+        if ("value" in descriptor) descriptor.writable = true;
+        Object.defineProperty(target, descriptor.key, descriptor);
+    }
+}
+function _create_class(Constructor, protoProps, staticProps) {
+    if (protoProps) _defineProperties(Constructor.prototype, protoProps);
+    if (staticProps) _defineProperties(Constructor, staticProps);
+    return Constructor;
+}
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _instanceof(left, right) {
+    if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
+        return !!right[Symbol.hasInstance](left);
+    } else {
+        return left instanceof right;
+    }
+}
+function _ts_generator(thisArg, body) {
+    var f, y, t, _ = {
+        label: 0,
+        sent: function() {
+            if (t[0] & 1) throw t[1];
+            return t[1];
+        },
+        trys: [],
+        ops: []
+    }, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype);
+    return g.next = verb(0), g["throw"] = verb(1), g["return"] = verb(2), typeof Symbol === "function" && (g[Symbol.iterator] = function() {
+        return this;
+    }), g;
+    function verb(n) {
+        return function(v) {
+            return step([
+                n,
+                v
+            ]);
+        };
+    }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while(g && (g = 0, op[0] && (_ = 0)), _)try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [
+                op[0] & 2,
+                t.value
+            ];
+            switch(op[0]){
+                case 0:
+                case 1:
+                    t = op;
+                    break;
+                case 4:
+                    _.label++;
+                    return {
+                        value: op[1],
+                        done: false
+                    };
+                case 5:
+                    _.label++;
+                    y = op[1];
+                    op = [
+                        0
+                    ];
+                    continue;
+                case 7:
+                    op = _.ops.pop();
+                    _.trys.pop();
+                    continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) {
+                        _ = 0;
+                        continue;
+                    }
+                    if (op[0] === 3 && (!t || op[1] > t[0] && op[1] < t[3])) {
+                        _.label = op[1];
+                        break;
+                    }
+                    if (op[0] === 6 && _.label < t[1]) {
+                        _.label = t[1];
+                        t = op;
+                        break;
+                    }
+                    if (t && _.label < t[2]) {
+                        _.label = t[2];
+                        _.ops.push(op);
+                        break;
+                    }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop();
+                    continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) {
+            op = [
+                6,
+                e
+            ];
+            y = 0;
+        } finally{
+            f = t = 0;
+        }
+        if (op[0] & 5) throw op[1];
+        return {
+            value: op[0] ? op[1] : void 0,
+            done: true
+        };
+    }
+}
+import { SignJWT, importPKCS8 } from 'jose';
+import { existsSync } from 'fs';
+import { loadPrivateKey, getPrivateKeyFingerprint, resolvePrivateKeyPath } from './ssh-key-utils.js';
+import { ProjectConfigManager } from '../commands/project-config-manager.js';
+/**
+ * JWT Auth Provider for authenticating API requests
+ * Uses SSH private keys to sign short-lived JWTs
+ */ export var JwtAuthProvider = /*#__PURE__*/ function() {
+    "use strict";
+    function JwtAuthProvider() {
+        _class_call_check(this, JwtAuthProvider);
+        _define_property(this, "privateKey", null);
+        _define_property(this, "fingerprint", null);
+        _define_property(this, "initialized", false);
+        _define_property(this, "initError", null);
+        this.initialize();
+    }
+    _create_class(JwtAuthProvider, [
+        {
+            key: "initialize",
+            value: function initialize() {
+                try {
+                    // Get configured path from project config manager
+                    var configManager = new ProjectConfigManager();
+                    var configuredPath = configManager.getPrivateKeyPath();
+                    var keyPath = resolvePrivateKeyPath(configuredPath);
+                    if (!existsSync(keyPath)) {
+                        this.initError = new Error("Private key not found at ".concat(keyPath, ". Run 'px auth login' to configure your SSH key, or set POSITRONIC_PRIVATE_KEY environment variable."));
+                        return;
+                    }
+                    this.privateKey = loadPrivateKey(keyPath);
+                    this.fingerprint = getPrivateKeyFingerprint(this.privateKey);
+                    this.initialized = true;
+                } catch (error) {
+                    this.initError = _instanceof(error, Error) ? error : new Error('Failed to initialize JWT auth provider');
+                }
+            }
+        },
+        {
+            /**
+   * Check if the provider is ready to create JWTs
+   */ key: "isReady",
+            value: function isReady() {
+                return this.initialized && this.privateKey !== null;
+            }
+        },
+        {
+            /**
+   * Get the error that occurred during initialization, if any
+   */ key: "getError",
+            value: function getError() {
+                return this.initError;
+            }
+        },
+        {
+            /**
+   * Get the fingerprint of the loaded private key
+   */ key: "getFingerprint",
+            value: function getFingerprint() {
+                return this.fingerprint;
+            }
+        },
+        {
+            key: "getAlgorithm",
+            value: /**
+   * Map SSH key type to JWT algorithm
+   */ function getAlgorithm() {
+                if (!this.privateKey) {
+                    throw new Error('Private key not loaded');
+                }
+                var keyType = this.privateKey.type;
+                if (keyType === 'rsa') {
+                    return 'RS256';
+                } else if (keyType === 'ecdsa') {
+                    // ECDSA curve determines algorithm
+                    var curve = this.privateKey.curve;
+                    if (curve === 'nistp256') {
+                        return 'ES256';
+                    } else if (curve === 'nistp384') {
+                        return 'ES384';
+                    } else if (curve === 'nistp521') {
+                        return 'ES512';
+                    }
+                    // Default to ES256 for unknown curves
+                    return 'ES256';
+                } else if (keyType === 'ed25519') {
+                    return 'EdDSA';
+                }
+                throw new Error("Unsupported key type: ".concat(keyType));
+            }
+        },
+        {
+            key: "createToken",
+            value: /**
+   * Create a short-lived JWT for authentication
+   */ function createToken() {
+                return _async_to_generator(function() {
+                    var algorithm, pkcs8Pem, joseKey, jwt;
+                    return _ts_generator(this, function(_state) {
+                        switch(_state.label){
+                            case 0:
+                                if (!this.privateKey || !this.fingerprint) {
+                                    throw new Error('JWT auth provider not initialized');
+                                }
+                                algorithm = this.getAlgorithm();
+                                // Convert SSH private key to PKCS8 PEM format
+                                pkcs8Pem = this.privateKey.toString('pkcs8');
+                                return [
+                                    4,
+                                    importPKCS8(pkcs8Pem, algorithm)
+                                ];
+                            case 1:
+                                joseKey = _state.sent();
+                                return [
+                                    4,
+                                    new SignJWT({}).setProtectedHeader({
+                                        alg: algorithm
+                                    }).setSubject(this.fingerprint).setIssuedAt().setExpirationTime('30s').sign(joseKey)
+                                ];
+                            case 2:
+                                jwt = _state.sent();
+                                return [
+                                    2,
+                                    jwt
+                                ];
+                        }
+                    });
+                }).call(this);
+            }
+        }
+    ]);
+    return JwtAuthProvider;
+}();
+// Singleton instance
+var providerInstance = null;
+/**
+ * Get the singleton JWT auth provider instance
+ */ export function getJwtAuthProvider() {
+    if (!providerInstance) {
+        providerInstance = new JwtAuthProvider();
+    }
+    return providerInstance;
+}
+/**
+ * Reset the JWT auth provider singleton
+ * Call this after auth config changes to force reinitialization with new key
+ */ export function resetJwtAuthProvider() {
+    providerInstance = null;
+}
+/**
+ * Check if JWT auth is available
+ */ export function isAuthAvailable() {
+    return getJwtAuthProvider().isReady();
+}
+/**
+ * Get the Authorization header if auth is available
+ * Returns { Authorization: 'Bearer <token>' } or empty object
+ */ export function getAuthHeader() {
+    return _async_to_generator(function() {
+        var provider, token, error;
+        return _ts_generator(this, function(_state) {
+            switch(_state.label){
+                case 0:
+                    provider = getJwtAuthProvider();
+                    if (!provider.isReady()) {
+                        return [
+                            2,
+                            {}
+                        ];
+                    }
+                    _state.label = 1;
+                case 1:
+                    _state.trys.push([
+                        1,
+                        3,
+                        ,
+                        4
+                    ]);
+                    return [
+                        4,
+                        provider.createToken()
+                    ];
+                case 2:
+                    token = _state.sent();
+                    return [
+                        2,
+                        {
+                            Authorization: "Bearer ".concat(token)
+                        }
+                    ];
+                case 3:
+                    error = _state.sent();
+                    console.error('Warning: Failed to create auth token:', error);
+                    return [
+                        2,
+                        {}
+                    ];
+                case 4:
+                    return [
+                        2
+                    ];
+            }
+        });
+    })();
+}

package/dist/src/lib/ssh-key-utils.js

@@ -171,15 +171,6 @@ import { createPublicKey } from 'crypto';
     var publicKey = privateKey.toPublic();
     return publicKey.fingerprint('sha256').toString();
 }
-/**
- * Sign data with an SSH private key
- */ export function signWithPrivateKey(privateKey, data) {
-    var dataBuffer = typeof data === 'string' ? Buffer.from(data) : data;
-    var signer = privateKey.createSign('sha256');
-    signer.update(dataBuffer);
-    var signature = signer.sign();
-    return signature.toBuffer('raw');
-}
 /**
  * Resolve the private key path from environment, config, or default
  * @param configuredPath - Optional configured path from ProjectConfigManager

package/dist/types/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,MAAM,OAAO,CAAC;AAU1B,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAK5D,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,CAAC,EAAE,mBAAmB,CAAC;IAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,YAAY,KAAK,GAAG,CAAC;CAC9C;AAoBD,wBAAgB,QAAQ,CAAC,OAAO,EAAE,UAAU,4BA+3C3C"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,MAAM,OAAO,CAAC;AAU1B,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAK5D,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,CAAC,EAAE,mBAAmB,CAAC;IAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,YAAY,KAAK,GAAG,CAAC;CAC9C;AAoBD,wBAAgB,QAAQ,CAAC,OAAO,EAAE,UAAU,4BAu5C3C"}

package/dist/types/commands/auth.d.ts

@@ -8,6 +8,9 @@ interface LoginArgs {
 interface LogoutArgs {
     project?: boolean;
 }
+interface FormatJwkKeyArgs {
+    pubkey?: string;
+}
 export declare class AuthCommand {
     private configManager;
     constructor(configManager?: ProjectConfigManager);
@@ -31,6 +34,11 @@ export declare class AuthCommand {
      * List available SSH keys.
      */
     list(): React.ReactElement;
+    /**
+     * Handles the 'px auth format-jwk-key' command.
+     * Convert an SSH public key to JWK format for ROOT_PUBLIC_KEY configuration.
+     */
+    formatJwkKey({ pubkey }: ArgumentsCamelCase<FormatJwkKeyArgs>): React.ReactElement;
 }
 export {};
 //# sourceMappingURL=auth.d.ts.map

package/dist/types/commands/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/commands/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAChD,OAAO,KAAK,MAAM,OAAO,CAAC;AAK1B,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAEnE,UAAU,SAAS;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,UAAU;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,aAAa,CAAuB;gBAEhC,aAAa,CAAC,EAAE,oBAAoB;IAIhD;;;OAGG;IACH,MAAM,IAAI,KAAK,CAAC,YAAY;IAM5B;;;OAGG;IACH,KAAK,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,kBAAkB,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,YAAY;IAQ3E;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,EAAE,EAAE,kBAAkB,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,YAAY;IAOvE;;;OAGG;IACH,IAAI,IAAI,KAAK,CAAC,YAAY;CAK3B"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/commands/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,OAAO,CAAC;AAChD,OAAO,KAAK,MAAM,OAAO,CAAC;AAM1B,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAEnE,UAAU,SAAS;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,UAAU;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,gBAAgB;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,aAAa,CAAuB;gBAEhC,aAAa,CAAC,EAAE,oBAAoB;IAIhD;;;OAGG;IACH,MAAM,IAAI,KAAK,CAAC,YAAY;IAM5B;;;OAGG;IACH,KAAK,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,kBAAkB,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,YAAY;IAQ3E;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,EAAE,EAAE,kBAAkB,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,YAAY;IAOvE;;;OAGG;IACH,IAAI,IAAI,KAAK,CAAC,YAAY;IAM1B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,EAAE,kBAAkB,CAAC,gBAAgB,CAAC,GAAG,KAAK,CAAC,YAAY;CAKnF"}

package/dist/types/commands/helpers.d.ts

@@ -24,6 +24,10 @@ export declare function isApiLocalDevMode(): boolean;
 export declare function getApiBaseUrl(): string;
 export declare const apiClient: {
     fetch: (apiPath: string, options?: RequestInit) => Promise<Response>;
+    /**
+     * Fetch without authentication - used for unauthenticated endpoints like /auth/setup
+     */
+    fetchUnauthenticated: (apiPath: string, options?: RequestInit) => Promise<Response>;
 };
 export declare function generateProject(projectName: string, projectDir: string): Promise<void>;
 export declare function scanLocalResources(resourcesDir: string): ResourceEntry[];

package/dist/types/commands/helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../src/commands/helpers.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAUtD,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,gBAAgB,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,CAAC;AAGhE,MAAM,MAAM,SAAS,GAAG,OAAO,SAAS,CAAC;AAMzC;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,GAAE,OAAc,GAAG,IAAI,CAGtF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAOtC;AAGD,eAAO,MAAM,SAAS;qBACG,MAAM,YAAY,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC;CAgDzE,CAAC;AAEF,wBAAsB,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,iBAsF5E;AAED,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,aAAa,EAAE,CAsCxE;AAeD,UAAU,UAAU;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAClD;AAED,MAAM,MAAM,oBAAoB,GAAG,CAAC,QAAQ,EAAE;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,UAAU,GAAG,WAAW,GAAG,UAAU,CAAC;IAC9C,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;CAC5B,KAAK,IAAI,CAAC;AAEX;;GAEG;AACH,wBAAsB,aAAa,CACjC,eAAe,EAAE,MAAM,EACvB,MAAM,GAAE,SAAqB,EAC7B,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,UAAU,CAAC,CA+KrB;AAqKD;;GAEG;AACH,wBAAsB,aAAa,CACjC,eAAe,EAAE,MAAM,EACvB,MAAM,GAAE,SAAqB,mBAoB9B;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAwCnE;AAED;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAO3E;AAsCD;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,CAAC,EAAE,MAAM,EACb,SAAS,SAAO,GACf,OAAO,CAAC,OAAO,CAAC,CAsBlB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,0BAA0B,CAC9C,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,GAAE,SAAqB,EAC7B,UAAU,CAAC,EAAE,gBAAgB,EAC7B,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,IAAI,CAAC,CA2If"}
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../src/commands/helpers.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAUtD,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,gBAAgB,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,CAAC;AAGhE,MAAM,MAAM,SAAS,GAAG,OAAO,SAAS,CAAC;AAMzC;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,GAAE,OAAc,GAAG,IAAI,CAGtF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAOtC;AAGD,eAAO,MAAM,SAAS;qBACG,MAAM,YAAY,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC;IAgDxE;;OAEG;oCACmC,MAAM,YAAY,WAAW,KAAG,OAAO,CAAC,QAAQ,CAAC;CAkBxF,CAAC;AAEF,wBAAsB,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,iBAsF5E;AAED,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,aAAa,EAAE,CAsCxE;AAeD,UAAU,UAAU;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAClD;AAED,MAAM,MAAM,oBAAoB,GAAG,CAAC,QAAQ,EAAE;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,UAAU,GAAG,WAAW,GAAG,UAAU,CAAC;IAC9C,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;CAC5B,KAAK,IAAI,CAAC;AAEX;;GAEG;AACH,wBAAsB,aAAa,CACjC,eAAe,EAAE,MAAM,EACvB,MAAM,GAAE,SAAqB,EAC7B,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,UAAU,CAAC,CA+KrB;AAqKD;;GAEG;AACH,wBAAsB,aAAa,CACjC,eAAe,EAAE,MAAM,EACvB,MAAM,GAAE,SAAqB,mBAoB9B;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAwCnE;AAED;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAO3E;AAsCD;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,CAAC,EAAE,MAAM,EACb,SAAS,SAAO,GACf,OAAO,CAAC,OAAO,CAAC,CAsBlB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,0BAA0B,CAC9C,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,GAAE,SAAqB,EAC7B,UAAU,CAAC,EAAE,gBAAgB,EAC7B,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,IAAI,CAAC,CA2If"}

package/dist/types/components/auth-format-jwk-key.d.ts

@@ -0,0 +1,6 @@
+interface AuthFormatJwkKeyProps {
+    pubkeyPath?: string;
+}
+export declare const AuthFormatJwkKey: ({ pubkeyPath }: AuthFormatJwkKeyProps) => import("react/jsx-runtime").JSX.Element | null;
+export {};
+//# sourceMappingURL=auth-format-jwk-key.d.ts.map

package/dist/types/components/auth-format-jwk-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-format-jwk-key.d.ts","sourceRoot":"","sources":["../../../src/components/auth-format-jwk-key.tsx"],"names":[],"mappings":"AAQA,UAAU,qBAAqB;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAoED,eAAO,MAAM,gBAAgB,GAAI,gBAAgB,qBAAqB,mDAgJrE,CAAC"}

package/dist/types/hooks/useApi.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useApi.d.ts","sourceRoot":"","sources":["../../../src/hooks/useApi.ts"],"names":[],"mappings":"AAmBA,wBAAgB,SAAS,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG;;;;eAIjD,MAAM;iBACJ,MAAM;kBACL,MAAM;;EAoDnB;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,GAAG;;;;eAIzD,MAAM;iBACJ,MAAM;kBACL,MAAM;;qBAIF,GAAG,YAAY,GAAG;EA8DnC;AAED,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM;;;eAGtC,MAAM;iBACJ,MAAM;kBACL,MAAM;;wBAIC,MAAM,YAAY,GAAG;EA0DzC"}
+{"version":3,"file":"useApi.d.ts","sourceRoot":"","sources":["../../../src/hooks/useApi.ts"],"names":[],"mappings":"AA2EA,wBAAgB,SAAS,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG;;;;eAIjD,MAAM;iBACJ,MAAM;kBACL,MAAM;;EAgDnB;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,GAAG;;;;eAIzD,MAAM;iBACJ,MAAM;kBACL,MAAM;;qBAIF,GAAG,YAAY,GAAG;EA0DnC;AAED,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM;;;eAGtC,MAAM;iBACJ,MAAM;kBACL,MAAM;;wBAIC,MAAM,YAAY,GAAG;EAsDzC"}

package/dist/types/lib/jwt-auth.d.ts

@@ -0,0 +1,51 @@
+/**
+ * JWT Auth Provider for authenticating API requests
+ * Uses SSH private keys to sign short-lived JWTs
+ */
+export declare class JwtAuthProvider {
+    private privateKey;
+    private fingerprint;
+    private initialized;
+    private initError;
+    constructor();
+    private initialize;
+    /**
+     * Check if the provider is ready to create JWTs
+     */
+    isReady(): boolean;
+    /**
+     * Get the error that occurred during initialization, if any
+     */
+    getError(): Error | null;
+    /**
+     * Get the fingerprint of the loaded private key
+     */
+    getFingerprint(): string | null;
+    /**
+     * Map SSH key type to JWT algorithm
+     */
+    private getAlgorithm;
+    /**
+     * Create a short-lived JWT for authentication
+     */
+    createToken(): Promise<string>;
+}
+/**
+ * Get the singleton JWT auth provider instance
+ */
+export declare function getJwtAuthProvider(): JwtAuthProvider;
+/**
+ * Reset the JWT auth provider singleton
+ * Call this after auth config changes to force reinitialization with new key
+ */
+export declare function resetJwtAuthProvider(): void;
+/**
+ * Check if JWT auth is available
+ */
+export declare function isAuthAvailable(): boolean;
+/**
+ * Get the Authorization header if auth is available
+ * Returns { Authorization: 'Bearer <token>' } or empty object
+ */
+export declare function getAuthHeader(): Promise<Record<string, string>>;
+//# sourceMappingURL=jwt-auth.d.ts.map

package/dist/types/lib/jwt-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.d.ts","sourceRoot":"","sources":["../../../src/lib/jwt-auth.ts"],"names":[],"mappings":"AAUA;;;GAGG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,UAAU,CAAiC;IACnD,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,SAAS,CAAsB;;IAMvC,OAAO,CAAC,UAAU;IA0BlB;;OAEG;IACH,OAAO,IAAI,OAAO;IAIlB;;OAEG;IACH,QAAQ,IAAI,KAAK,GAAG,IAAI;IAIxB;;OAEG;IACH,cAAc,IAAI,MAAM,GAAG,IAAI;IAI/B;;OAEG;IACH,OAAO,CAAC,YAAY;IA4BpB;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;CAuBrC;AAKD;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,eAAe,CAKpD;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,OAAO,CAEzC;AAED;;;GAGG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAarE"}

package/dist/types/lib/ssh-key-utils.d.ts

@@ -29,10 +29,6 @@ export declare function loadPrivateKey(pathOrEnv?: string): sshpk.PrivateKey;
  * Get the fingerprint of a private key (from its public component)
  */
 export declare function getPrivateKeyFingerprint(privateKey: sshpk.PrivateKey): string;
-/**
- * Sign data with an SSH private key
- */
-export declare function signWithPrivateKey(privateKey: sshpk.PrivateKey, data: Buffer | string): Buffer;
 /**
  * Resolve the private key path from environment, config, or default
  * @param configuredPath - Optional configured path from ProjectConfigManager

package/dist/types/lib/ssh-key-utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssh-key-utils.d.ts","sourceRoot":"","sources":["../../../src/lib/ssh-key-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAmB,UAAU,EAAE,MAAM,QAAQ,CAAC;AAErD,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,UAAU,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,aAAa,EAAE,CAkDjD;AA0CD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,CAiBpE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC,UAAU,CAyBnE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,GAAG,MAAM,CAG7E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,KAAK,CAAC,UAAU,EAC5B,IAAI,EAAE,MAAM,GAAG,MAAM,GACpB,MAAM,CAMR;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,CAoB5E;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAKlD"}
+{"version":3,"file":"ssh-key-utils.d.ts","sourceRoot":"","sources":["../../../src/lib/ssh-key-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAmB,UAAU,EAAE,MAAM,QAAQ,CAAC;AAErD,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,UAAU,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,aAAa,EAAE,CAkDjD;AA0CD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,CAiBpE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC,UAAU,CAyBnE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,GAAG,MAAM,CAG7E;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,CAoB5E;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAKlD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@positronic/cli",
-  "version": "0.0.57",
+  "version": "0.0.59",
   "publishConfig": {
     "access": "public"
   },
@@ -23,9 +23,9 @@
     "clean": "rm -rf tsconfig.tsbuildinfo dist node_modules"
   },
   "dependencies": {
-    "@positronic/core": "^0.0.57",
-    "@positronic/spec": "^0.0.57",
-    "@positronic/template-new-project": "^0.0.57",
+    "@positronic/core": "^0.0.59",
+    "@positronic/spec": "^0.0.59",
+    "@positronic/template-new-project": "^0.0.59",
     "caz": "^2.0.0",
     "chokidar": "^3.6.0",
     "dotenv": "^16.4.7",
@@ -33,6 +33,7 @@
     "ink": "^5.2.1",
     "ink-text-input": "^6.0.0",
     "istextorbinary": "^9.5.0",
+    "jose": "^5.2.0",
     "node-fetch": "^3.3.2",
     "react": "^18.3.1",
     "react-robot": "^1.2.1",