@pqc-sdk/cli 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 PQC SDK contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,25 @@
+# @pqc-sdk/cli
+
+[![CI](https://github.com/jeloercc/pqc-sdk/actions/workflows/ci.yml/badge.svg)](https://github.com/jeloercc/pqc-sdk/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/%40pqc-sdk%2Fcli)](https://www.npmjs.com/package/@pqc-sdk/cli)
+
+CLI de [@pqc-sdk/core](https://www.npmjs.com/package/@pqc-sdk/core): proyectos
+post-cuánticos en un comando.
+
+```bash
+# Inicializar proyecto: config + keys de desarrollo + ejemplo funcional
+npx @pqc-sdk/cli init
+
+# Generar keys serializadas en base64url
+npx @pqc-sdk/cli keygen --algorithm ml-dsa-65 --out keys/
+
+# Detectar crypto pre-cuántico (RSA/ECDSA/ECDH) y qué migrar a PQC
+npx @pqc-sdk/cli audit
+```
+
+`audit` sale con código 1 si encuentra crypto a migrar — usable como gate de CI.
+El output usa colores solo cuando hay TTY: legible en logs y pipes.
+
+## Licencia
+
+[MIT](./LICENSE)

package/dist/index.js

@@ -0,0 +1,285 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { defineCommand as defineCommand4, runMain } from "citty";
+
+// src/commands/audit.ts
+import { readFile, readdir } from "fs/promises";
+import { existsSync } from "fs";
+import { join, relative } from "path";
+import { defineCommand } from "citty";
+import pc2 from "picocolors";
+
+// src/ui.ts
+import pc from "picocolors";
+var ok = (message) => {
+  console.log(`${pc.green("\u2713")} ${message}`);
+};
+var warn = (message) => {
+  console.log(`${pc.yellow("\u26A0")} ${pc.yellow(message)}`);
+};
+var item = (message) => {
+  console.log(`  ${message}`);
+};
+var finding = (location, what, migrateTo) => {
+  console.log(`  ${pc.red("\u25CF")} ${pc.bold(location)} \u2014 ${what}`);
+  console.log(`    ${pc.dim("migrar a:")} ${pc.cyan(migrateTo)}`);
+};
+var heading = (message) => {
+  console.log(pc.bold(message));
+};
+
+// src/commands/audit.ts
+var ML_DSA = "ML-DSA-65 (pqc.sign / pqc.verify)";
+var ML_KEM = "ML-KEM-768 + AES-256-GCM (pqc.encrypt / pqc.decrypt)";
+var RISKY_PACKAGES = {
+  jsonwebtoken: { what: "JWTs firmados con RSA/ECDSA (RS256/ES256)", migrateTo: ML_DSA },
+  jose: { what: "JOSE/JWT con algoritmos RSA/ECDSA", migrateTo: ML_DSA },
+  elliptic: { what: "Curvas el\xEDpticas cl\xE1sicas (ECDSA/ECDH)", migrateTo: `${ML_DSA} y ${ML_KEM}` },
+  secp256k1: { what: "Firmas ECDSA sobre secp256k1", migrateTo: ML_DSA },
+  "node-rsa": { what: "Cifrado y firmas RSA", migrateTo: `${ML_KEM} y ${ML_DSA}` },
+  "node-forge": { what: "RSA/X.509 cl\xE1sico", migrateTo: `${ML_KEM} y ${ML_DSA}` },
+  tweetnacl: { what: "Ed25519/X25519 (pre-cu\xE1ntico)", migrateTo: `${ML_DSA} y ${ML_KEM}` }
+};
+var CODE_PATTERNS = [
+  {
+    re: /create(?:Sign|Verify)\s*\(/,
+    what: "firma RSA/ECDSA v\xEDa node:crypto (createSign/createVerify)",
+    migrateTo: ML_DSA
+  },
+  {
+    re: /createECDH\s*\(|\.diffieHellman\s*\(/,
+    what: "intercambio de claves ECDH/DH",
+    migrateTo: ML_KEM
+  },
+  {
+    re: /publicEncrypt\s*\(|privateDecrypt\s*\(/,
+    what: "cifrado RSA (publicEncrypt/privateDecrypt)",
+    migrateTo: ML_KEM
+  },
+  {
+    re: /generateKeyPair(?:Sync)?\s*\(\s*['"](?:rsa|rsa-pss|dsa|ec|ed25519|ed448|x25519|x448)['"]/,
+    what: "generaci\xF3n de keypair pre-cu\xE1ntico",
+    migrateTo: "pqc.keys.generate (ML-KEM-768 para cifrado, ML-DSA-65 para firmas)"
+  },
+  {
+    re: /['"`](?:RS|ES|PS)(?:256|384|512)['"`]/,
+    what: "JWT con algoritmo de firma RSA/ECDSA",
+    migrateTo: ML_DSA
+  },
+  {
+    re: /['"`](?:RSA-OAEP|ECDH|ECDSA)['"`]/,
+    what: "WebCrypto con algoritmo pre-cu\xE1ntico",
+    migrateTo: `${ML_KEM} o ${ML_DSA}`
+  }
+];
+var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".mjs", ".cjs", ".ts", ".mts", ".cts", ".jsx", ".tsx"]);
+var IGNORED_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", "build", "coverage", ".git", ".next"]);
+async function collectSourceFiles(root) {
+  const files = [];
+  const pending = [root];
+  while (pending.length > 0) {
+    const dir = pending.pop();
+    for (const entry of await readdir(dir, { withFileTypes: true })) {
+      if (entry.isDirectory()) {
+        if (!IGNORED_DIRS.has(entry.name)) pending.push(join(dir, entry.name));
+        continue;
+      }
+      const dot = entry.name.lastIndexOf(".");
+      if (dot !== -1 && SOURCE_EXTENSIONS.has(entry.name.slice(dot))) {
+        files.push(join(dir, entry.name));
+      }
+    }
+  }
+  return files.sort();
+}
+async function auditPackageJson(cwd) {
+  const path = join(cwd, "package.json");
+  if (!existsSync(path)) return [];
+  const manifest = JSON.parse(await readFile(path, "utf8"));
+  const declared = {
+    ...manifest.dependencies,
+    ...manifest.devDependencies,
+    ...manifest.peerDependencies
+  };
+  return Object.keys(declared).filter((name) => name in RISKY_PACKAGES).map((name) => ({ location: `package.json (${name})`, ...RISKY_PACKAGES[name] }));
+}
+async function auditSources(cwd) {
+  const findings = [];
+  for (const file of await collectSourceFiles(cwd)) {
+    const lines = (await readFile(file, "utf8")).split("\n");
+    lines.forEach((line, index) => {
+      for (const { re, what, migrateTo } of CODE_PATTERNS) {
+        if (re.test(line)) {
+          findings.push({ location: `${relative(cwd, file)}:${index + 1}`, what, migrateTo });
+        }
+      }
+    });
+  }
+  return findings;
+}
+var audit = defineCommand({
+  meta: {
+    name: "audit",
+    description: "Detecta crypto pre-cu\xE1ntico y sugiere el equivalente PQC"
+  },
+  async run() {
+    const cwd = process.cwd();
+    const findings = [...await auditPackageJson(cwd), ...await auditSources(cwd)];
+    if (findings.length === 0) {
+      ok("Sin crypto pre-cu\xE1ntico detectado.");
+      return;
+    }
+    heading(`Crypto pre-cu\xE1ntico detectado (${findings.length} hallazgos):`);
+    for (const f of findings) {
+      finding(f.location, f.what, f.migrateTo);
+    }
+    console.log();
+    console.log(
+      pc2.yellow(
+        `${findings.length} usos a migrar. Gu\xEDa de algoritmos: FIPS 203 (ML-KEM) cifrado, FIPS 204 (ML-DSA) firmas.`
+      )
+    );
+    process.exitCode = 1;
+  }
+});
+
+// src/commands/init.ts
+import { writeFile as writeFile2 } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import { defineCommand as defineCommand2 } from "citty";
+
+// src/keyfiles.ts
+import { chmod, mkdir, writeFile } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import { join as join2 } from "path";
+import { SUPPORTED_ALGORITHMS, pqc } from "@pqc-sdk/core";
+function assertSupportedAlgorithm(value) {
+  if (!SUPPORTED_ALGORITHMS.includes(value)) {
+    throw new Error(
+      `Algoritmo no soportado: ${value} (soportados: ${SUPPORTED_ALGORITHMS.join(", ")})`
+    );
+  }
+  return value;
+}
+async function writeKeyPair(directory, baseName, algorithm, force) {
+  const publicPath = join2(directory, `${baseName}.public.pqc`);
+  const secretPath = join2(directory, `${baseName}.secret.pqc`);
+  if (!force) {
+    for (const path of [publicPath, secretPath]) {
+      if (existsSync2(path)) {
+        throw new Error(`${path} ya existe. Us\xE1 --force para sobreescribirla.`);
+      }
+    }
+  }
+  const pair = await pqc.keys.generate({ algorithm });
+  await mkdir(directory, { recursive: true });
+  await writeFile(publicPath, `${pqc.keys.serialize(pair.publicKey)}
+`);
+  await writeFile(secretPath, `${pqc.keys.serialize(pair.secretKey)}
+`, { mode: 384 });
+  await chmod(secretPath, 384);
+  return { algorithm, publicPath, secretPath };
+}
+
+// src/commands/init.ts
+var CONFIG_FILE = "pqc.config.json";
+var CONFIG = {
+  defaultAlgorithm: "ml-kem-768",
+  keysDir: "keys"
+};
+var EXAMPLE = `import { pqc } from '@pqc-sdk/core';
+
+// Roundtrip completo: generar keys, cifrar y descifrar.
+const pair = await pqc.keys.generate(); // ML-KEM-768 por defecto
+const ciphertext = await pqc.encrypt('hola post-quantum', pair.publicKey);
+const plaintext = await pqc.decrypt(ciphertext, pair.secretKey);
+console.log(new TextDecoder().decode(plaintext)); // "hola post-quantum"
+
+// Firmas digitales (ML-DSA-65):
+const signer = await pqc.keys.generate({ algorithm: 'ml-dsa-65' });
+const signature = await pqc.sign('documento', signer.secretKey);
+console.log(await pqc.verify('documento', signature, signer.publicKey)); // true
+
+// Las keys se serializan a base64url con metadata, listas para persistir:
+const token = pqc.keys.serialize(pair.publicKey);
+console.log(token.slice(0, 48) + '\u2026');
+
+// Para cargar las keys de desarrollo que gener\xF3 \`pqc init\`:
+// import { readFile } from 'node:fs/promises';
+// const publicKey = pqc.keys.deserialize(
+//   (await readFile('keys/dev.public.pqc', 'utf8')).trim(),
+// );
+`;
+var init = defineCommand2({
+  meta: {
+    name: "init",
+    description: "Inicializa un proyecto: config, keys de desarrollo y ejemplo"
+  },
+  async run() {
+    if (existsSync3(CONFIG_FILE)) {
+      throw new Error(`${CONFIG_FILE} ya existe: el proyecto ya est\xE1 inicializado.`);
+    }
+    await writeFile2(CONFIG_FILE, `${JSON.stringify(CONFIG, null, 2)}
+`);
+    const keys = await writeKeyPair(CONFIG.keysDir, "dev", CONFIG.defaultAlgorithm, false);
+    await writeFile2("example.ts", EXAMPLE);
+    heading("Proyecto PQC inicializado:");
+    item(`${CONFIG_FILE} \u2014 configuraci\xF3n con defaults seguros`);
+    item(`${keys.publicPath} / ${keys.secretPath} \u2014 par ${keys.algorithm} de desarrollo`);
+    item("example.ts \u2014 roundtrip completo listo para ejecutar");
+    console.log();
+    warn("Las keys de keys/dev.* son SOLO de desarrollo \u2014 NO usarlas en producci\xF3n.");
+    ok(`Siguiente paso: ejecut\xE1 example.ts (node --experimental-strip-types example.ts o tsx)`);
+  }
+});
+
+// src/commands/keygen.ts
+import { defineCommand as defineCommand3 } from "citty";
+var keygen = defineCommand3({
+  meta: {
+    name: "keygen",
+    description: "Genera un par de keys PQC serializadas en base64url"
+  },
+  args: {
+    algorithm: {
+      type: "string",
+      description: "Algoritmo del par (ml-kem-768 o ml-dsa-65)",
+      default: "ml-kem-768"
+    },
+    out: {
+      type: "string",
+      description: "Directorio de salida",
+      default: "keys"
+    },
+    force: {
+      type: "boolean",
+      description: "Sobreescribir keys existentes",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const algorithm = assertSupportedAlgorithm(args.algorithm);
+    const keys = await writeKeyPair(args.out, algorithm, algorithm, args.force);
+    ok(`Par ${algorithm} generado:`);
+    item(`p\xFAblica: ${keys.publicPath}`);
+    item(`secreta: ${keys.secretPath} (modo 0600)`);
+    warn("La key secreta no debe commitearse ni salir de este entorno.");
+  }
+});
+
+// src/index.ts
+var main = defineCommand4({
+  meta: {
+    name: "pqc",
+    version: "0.0.1",
+    description: "CLI del SDK de criptograf\xEDa post-cu\xE1ntica (@pqc-sdk/core)"
+  },
+  subCommands: {
+    init,
+    keygen,
+    audit
+  }
+});
+await runMain(main);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/commands/audit.ts","../src/ui.ts","../src/commands/init.ts","../src/keyfiles.ts","../src/commands/keygen.ts"],"sourcesContent":["import { defineCommand, runMain } from 'citty';\n\nimport { audit } from './commands/audit.js';\nimport { init } from './commands/init.js';\nimport { keygen } from './commands/keygen.js';\n\nconst main = defineCommand({\n  meta: {\n    name: 'pqc',\n    version: '0.0.1',\n    description: 'CLI del SDK de criptografía post-cuántica (@pqc-sdk/core)',\n  },\n  subCommands: {\n    init,\n    keygen,\n    audit,\n  },\n});\n\nawait runMain(main);\n","import { readFile, readdir } from 'node:fs/promises';\nimport { existsSync } from 'node:fs';\nimport { join, relative } from 'node:path';\n\nimport { defineCommand } from 'citty';\nimport pc from 'picocolors';\n\nimport { finding, heading, ok } from '../ui.js';\n\ninterface Finding {\n  location: string;\n  what: string;\n  migrateTo: string;\n}\n\nconst ML_DSA = 'ML-DSA-65 (pqc.sign / pqc.verify)';\nconst ML_KEM = 'ML-KEM-768 + AES-256-GCM (pqc.encrypt / pqc.decrypt)';\n\nconst RISKY_PACKAGES: Record<string, { what: string; migrateTo: string }> = {\n  jsonwebtoken: { what: 'JWTs firmados con RSA/ECDSA (RS256/ES256)', migrateTo: ML_DSA },\n  jose: { what: 'JOSE/JWT con algoritmos RSA/ECDSA', migrateTo: ML_DSA },\n  elliptic: { what: 'Curvas elípticas clásicas (ECDSA/ECDH)', migrateTo: `${ML_DSA} y ${ML_KEM}` },\n  secp256k1: { what: 'Firmas ECDSA sobre secp256k1', migrateTo: ML_DSA },\n  'node-rsa': { what: 'Cifrado y firmas RSA', migrateTo: `${ML_KEM} y ${ML_DSA}` },\n  'node-forge': { what: 'RSA/X.509 clásico', migrateTo: `${ML_KEM} y ${ML_DSA}` },\n  tweetnacl: { what: 'Ed25519/X25519 (pre-cuántico)', migrateTo: `${ML_DSA} y ${ML_KEM}` },\n};\n\nconst CODE_PATTERNS: ReadonlyArray<{ re: RegExp; what: string; migrateTo: string }> = [\n  {\n    re: /create(?:Sign|Verify)\\s*\\(/,\n    what: 'firma RSA/ECDSA vía node:crypto (createSign/createVerify)',\n    migrateTo: ML_DSA,\n  },\n  {\n    re: /createECDH\\s*\\(|\\.diffieHellman\\s*\\(/,\n    what: 'intercambio de claves ECDH/DH',\n    migrateTo: ML_KEM,\n  },\n  {\n    re: /publicEncrypt\\s*\\(|privateDecrypt\\s*\\(/,\n    what: 'cifrado RSA (publicEncrypt/privateDecrypt)',\n    migrateTo: ML_KEM,\n  },\n  {\n    re: /generateKeyPair(?:Sync)?\\s*\\(\\s*['\"](?:rsa|rsa-pss|dsa|ec|ed25519|ed448|x25519|x448)['\"]/,\n    what: 'generación de keypair pre-cuántico',\n    migrateTo: 'pqc.keys.generate (ML-KEM-768 para cifrado, ML-DSA-65 para firmas)',\n  },\n  {\n    re: /['\"`](?:RS|ES|PS)(?:256|384|512)['\"`]/,\n    what: 'JWT con algoritmo de firma RSA/ECDSA',\n    migrateTo: ML_DSA,\n  },\n  {\n    re: /['\"`](?:RSA-OAEP|ECDH|ECDSA)['\"`]/,\n    what: 'WebCrypto con algoritmo pre-cuántico',\n    migrateTo: `${ML_KEM} o ${ML_DSA}`,\n  },\n];\n\nconst SOURCE_EXTENSIONS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts', '.cts', '.jsx', '.tsx']);\nconst IGNORED_DIRS = new Set(['node_modules', 'dist', 'build', 'coverage', '.git', '.next']);\n\nasync function collectSourceFiles(root: string): Promise<string[]> {\n  const files: string[] = [];\n  const pending = [root];\n  while (pending.length > 0) {\n    const dir = pending.pop()!;\n    for (const entry of await readdir(dir, { withFileTypes: true })) {\n      if (entry.isDirectory()) {\n        if (!IGNORED_DIRS.has(entry.name)) pending.push(join(dir, entry.name));\n        continue;\n      }\n      const dot = entry.name.lastIndexOf('.');\n      if (dot !== -1 && SOURCE_EXTENSIONS.has(entry.name.slice(dot))) {\n        files.push(join(dir, entry.name));\n      }\n    }\n  }\n  return files.sort();\n}\n\nasync function auditPackageJson(cwd: string): Promise<Finding[]> {\n  const path = join(cwd, 'package.json');\n  if (!existsSync(path)) return [];\n  const manifest = JSON.parse(await readFile(path, 'utf8')) as Record<\n    string,\n    Record<string, string> | undefined\n  >;\n  const declared = {\n    ...manifest.dependencies,\n    ...manifest.devDependencies,\n    ...manifest.peerDependencies,\n  };\n  return Object.keys(declared)\n    .filter((name) => name in RISKY_PACKAGES)\n    .map((name) => ({ location: `package.json (${name})`, ...RISKY_PACKAGES[name]! }));\n}\n\nasync function auditSources(cwd: string): Promise<Finding[]> {\n  const findings: Finding[] = [];\n  for (const file of await collectSourceFiles(cwd)) {\n    const lines = (await readFile(file, 'utf8')).split('\\n');\n    lines.forEach((line, index) => {\n      for (const { re, what, migrateTo } of CODE_PATTERNS) {\n        if (re.test(line)) {\n          findings.push({ location: `${relative(cwd, file)}:${index + 1}`, what, migrateTo });\n        }\n      }\n    });\n  }\n  return findings;\n}\n\nexport const audit = defineCommand({\n  meta: {\n    name: 'audit',\n    description: 'Detecta crypto pre-cuántico y sugiere el equivalente PQC',\n  },\n  async run() {\n    const cwd = process.cwd();\n    const findings = [...(await auditPackageJson(cwd)), ...(await auditSources(cwd))];\n\n    if (findings.length === 0) {\n      ok('Sin crypto pre-cuántico detectado.');\n      return;\n    }\n\n    heading(`Crypto pre-cuántico detectado (${findings.length} hallazgos):`);\n    for (const f of findings) {\n      finding(f.location, f.what, f.migrateTo);\n    }\n    console.log();\n    console.log(\n      pc.yellow(\n        `${findings.length} usos a migrar. Guía de algoritmos: FIPS 203 (ML-KEM) cifrado, FIPS 204 (ML-DSA) firmas.`,\n      ),\n    );\n    process.exitCode = 1;\n  },\n});\n","import pc from 'picocolors';\n\n/**\n * Helpers de salida. picocolors desactiva los colores automáticamente cuando\n * no hay TTY (y NO_COLOR/FORCE_COLOR se respetan), así el output queda legible\n * en pipes y logs de CI sin códigos ANSI.\n */\nexport const ok = (message: string): void => {\n  console.log(`${pc.green('✓')} ${message}`);\n};\n\nexport const warn = (message: string): void => {\n  console.log(`${pc.yellow('⚠')} ${pc.yellow(message)}`);\n};\n\nexport const item = (message: string): void => {\n  console.log(`  ${message}`);\n};\n\nexport const finding = (location: string, what: string, migrateTo: string): void => {\n  console.log(`  ${pc.red('●')} ${pc.bold(location)} — ${what}`);\n  console.log(`    ${pc.dim('migrar a:')} ${pc.cyan(migrateTo)}`);\n};\n\nexport const heading = (message: string): void => {\n  console.log(pc.bold(message));\n};\n","import { writeFile } from 'node:fs/promises';\nimport { existsSync } from 'node:fs';\n\nimport { defineCommand } from 'citty';\n\nimport { writeKeyPair } from '../keyfiles.js';\nimport { heading, item, ok, warn } from '../ui.js';\n\nconst CONFIG_FILE = 'pqc.config.json';\n\nconst CONFIG = {\n  defaultAlgorithm: 'ml-kem-768',\n  keysDir: 'keys',\n} as const;\n\nconst EXAMPLE = `import { pqc } from '@pqc-sdk/core';\n\n// Roundtrip completo: generar keys, cifrar y descifrar.\nconst pair = await pqc.keys.generate(); // ML-KEM-768 por defecto\nconst ciphertext = await pqc.encrypt('hola post-quantum', pair.publicKey);\nconst plaintext = await pqc.decrypt(ciphertext, pair.secretKey);\nconsole.log(new TextDecoder().decode(plaintext)); // \"hola post-quantum\"\n\n// Firmas digitales (ML-DSA-65):\nconst signer = await pqc.keys.generate({ algorithm: 'ml-dsa-65' });\nconst signature = await pqc.sign('documento', signer.secretKey);\nconsole.log(await pqc.verify('documento', signature, signer.publicKey)); // true\n\n// Las keys se serializan a base64url con metadata, listas para persistir:\nconst token = pqc.keys.serialize(pair.publicKey);\nconsole.log(token.slice(0, 48) + '…');\n\n// Para cargar las keys de desarrollo que generó \\`pqc init\\`:\n// import { readFile } from 'node:fs/promises';\n// const publicKey = pqc.keys.deserialize(\n//   (await readFile('keys/dev.public.pqc', 'utf8')).trim(),\n// );\n`;\n\nexport const init = defineCommand({\n  meta: {\n    name: 'init',\n    description: 'Inicializa un proyecto: config, keys de desarrollo y ejemplo',\n  },\n  async run() {\n    if (existsSync(CONFIG_FILE)) {\n      throw new Error(`${CONFIG_FILE} ya existe: el proyecto ya está inicializado.`);\n    }\n\n    await writeFile(CONFIG_FILE, `${JSON.stringify(CONFIG, null, 2)}\\n`);\n    const keys = await writeKeyPair(CONFIG.keysDir, 'dev', CONFIG.defaultAlgorithm, false);\n    await writeFile('example.ts', EXAMPLE);\n\n    heading('Proyecto PQC inicializado:');\n    item(`${CONFIG_FILE} — configuración con defaults seguros`);\n    item(`${keys.publicPath} / ${keys.secretPath} — par ${keys.algorithm} de desarrollo`);\n    item('example.ts — roundtrip completo listo para ejecutar');\n    console.log();\n    warn('Las keys de keys/dev.* son SOLO de desarrollo — NO usarlas en producción.');\n    ok(`Siguiente paso: ejecutá example.ts (node --experimental-strip-types example.ts o tsx)`);\n  },\n});\n","import { chmod, mkdir, writeFile } from 'node:fs/promises';\nimport { existsSync } from 'node:fs';\nimport { join } from 'node:path';\n\nimport { SUPPORTED_ALGORITHMS, pqc, type SupportedAlgorithm } from '@pqc-sdk/core';\n\nexport interface WrittenKeyPair {\n  algorithm: SupportedAlgorithm;\n  publicPath: string;\n  secretPath: string;\n}\n\nexport function assertSupportedAlgorithm(value: string): SupportedAlgorithm {\n  if (!(SUPPORTED_ALGORITHMS as readonly string[]).includes(value)) {\n    throw new Error(\n      `Algoritmo no soportado: ${value} (soportados: ${SUPPORTED_ALGORITHMS.join(', ')})`,\n    );\n  }\n  return value as SupportedAlgorithm;\n}\n\n/** Genera un par y lo escribe serializado en base64url, un archivo por key. */\nexport async function writeKeyPair(\n  directory: string,\n  baseName: string,\n  algorithm: SupportedAlgorithm,\n  force: boolean,\n): Promise<WrittenKeyPair> {\n  const publicPath = join(directory, `${baseName}.public.pqc`);\n  const secretPath = join(directory, `${baseName}.secret.pqc`);\n\n  if (!force) {\n    for (const path of [publicPath, secretPath]) {\n      if (existsSync(path)) {\n        throw new Error(`${path} ya existe. Usá --force para sobreescribirla.`);\n      }\n    }\n  }\n\n  const pair = await pqc.keys.generate({ algorithm });\n  await mkdir(directory, { recursive: true });\n  await writeFile(publicPath, `${pqc.keys.serialize(pair.publicKey)}\\n`);\n  await writeFile(secretPath, `${pqc.keys.serialize(pair.secretKey)}\\n`, { mode: 0o600 });\n  await chmod(secretPath, 0o600);\n\n  return { algorithm, publicPath, secretPath };\n}\n","import { defineCommand } from 'citty';\n\nimport { assertSupportedAlgorithm, writeKeyPair } from '../keyfiles.js';\nimport { item, ok, warn } from '../ui.js';\n\nexport const keygen = defineCommand({\n  meta: {\n    name: 'keygen',\n    description: 'Genera un par de keys PQC serializadas en base64url',\n  },\n  args: {\n    algorithm: {\n      type: 'string',\n      description: 'Algoritmo del par (ml-kem-768 o ml-dsa-65)',\n      default: 'ml-kem-768',\n    },\n    out: {\n      type: 'string',\n      description: 'Directorio de salida',\n      default: 'keys',\n    },\n    force: {\n      type: 'boolean',\n      description: 'Sobreescribir keys existentes',\n      default: false,\n    },\n  },\n  async run({ args }) {\n    const algorithm = assertSupportedAlgorithm(args.algorithm);\n    const keys = await writeKeyPair(args.out, algorithm, algorithm, args.force);\n\n    ok(`Par ${algorithm} generado:`);\n    item(`pública: ${keys.publicPath}`);\n    item(`secreta: ${keys.secretPath} (modo 0600)`);\n    warn('La key secreta no debe commitearse ni salir de este entorno.');\n  },\n});\n"],"mappings":";;;AAAA,SAAS,iBAAAA,gBAAe,eAAe;;;ACAvC,SAAS,UAAU,eAAe;AAClC,SAAS,kBAAkB;AAC3B,SAAS,MAAM,gBAAgB;AAE/B,SAAS,qBAAqB;AAC9B,OAAOC,SAAQ;;;ACLf,OAAO,QAAQ;AAOR,IAAM,KAAK,CAAC,YAA0B;AAC3C,UAAQ,IAAI,GAAG,GAAG,MAAM,QAAG,CAAC,IAAI,OAAO,EAAE;AAC3C;AAEO,IAAM,OAAO,CAAC,YAA0B;AAC7C,UAAQ,IAAI,GAAG,GAAG,OAAO,QAAG,CAAC,IAAI,GAAG,OAAO,OAAO,CAAC,EAAE;AACvD;AAEO,IAAM,OAAO,CAAC,YAA0B;AAC7C,UAAQ,IAAI,KAAK,OAAO,EAAE;AAC5B;AAEO,IAAM,UAAU,CAAC,UAAkB,MAAc,cAA4B;AAClF,UAAQ,IAAI,KAAK,GAAG,IAAI,QAAG,CAAC,IAAI,GAAG,KAAK,QAAQ,CAAC,WAAM,IAAI,EAAE;AAC7D,UAAQ,IAAI,OAAO,GAAG,IAAI,WAAW,CAAC,IAAI,GAAG,KAAK,SAAS,CAAC,EAAE;AAChE;AAEO,IAAM,UAAU,CAAC,YAA0B;AAChD,UAAQ,IAAI,GAAG,KAAK,OAAO,CAAC;AAC9B;;;ADXA,IAAM,SAAS;AACf,IAAM,SAAS;AAEf,IAAM,iBAAsE;AAAA,EAC1E,cAAc,EAAE,MAAM,6CAA6C,WAAW,OAAO;AAAA,EACrF,MAAM,EAAE,MAAM,qCAAqC,WAAW,OAAO;AAAA,EACrE,UAAU,EAAE,MAAM,gDAA0C,WAAW,GAAG,MAAM,MAAM,MAAM,GAAG;AAAA,EAC/F,WAAW,EAAE,MAAM,gCAAgC,WAAW,OAAO;AAAA,EACrE,YAAY,EAAE,MAAM,wBAAwB,WAAW,GAAG,MAAM,MAAM,MAAM,GAAG;AAAA,EAC/E,cAAc,EAAE,MAAM,wBAAqB,WAAW,GAAG,MAAM,MAAM,MAAM,GAAG;AAAA,EAC9E,WAAW,EAAE,MAAM,oCAAiC,WAAW,GAAG,MAAM,MAAM,MAAM,GAAG;AACzF;AAEA,IAAM,gBAAgF;AAAA,EACpF;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,WAAW;AAAA,EACb;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,WAAW;AAAA,EACb;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,WAAW;AAAA,EACb;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,WAAW;AAAA,EACb;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,WAAW;AAAA,EACb;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,WAAW,GAAG,MAAM,MAAM,MAAM;AAAA,EAClC;AACF;AAEA,IAAM,oBAAoB,oBAAI,IAAI,CAAC,OAAO,QAAQ,QAAQ,OAAO,QAAQ,QAAQ,QAAQ,MAAM,CAAC;AAChG,IAAM,eAAe,oBAAI,IAAI,CAAC,gBAAgB,QAAQ,SAAS,YAAY,QAAQ,OAAO,CAAC;AAE3F,eAAe,mBAAmB,MAAiC;AACjE,QAAM,QAAkB,CAAC;AACzB,QAAM,UAAU,CAAC,IAAI;AACrB,SAAO,QAAQ,SAAS,GAAG;AACzB,UAAM,MAAM,QAAQ,IAAI;AACxB,eAAW,SAAS,MAAM,QAAQ,KAAK,EAAE,eAAe,KAAK,CAAC,GAAG;AAC/D,UAAI,MAAM,YAAY,GAAG;AACvB,YAAI,CAAC,aAAa,IAAI,MAAM,IAAI,EAAG,SAAQ,KAAK,KAAK,KAAK,MAAM,IAAI,CAAC;AACrE;AAAA,MACF;AACA,YAAM,MAAM,MAAM,KAAK,YAAY,GAAG;AACtC,UAAI,QAAQ,MAAM,kBAAkB,IAAI,MAAM,KAAK,MAAM,GAAG,CAAC,GAAG;AAC9D,cAAM,KAAK,KAAK,KAAK,MAAM,IAAI,CAAC;AAAA,MAClC;AAAA,IACF;AAAA,EACF;AACA,SAAO,MAAM,KAAK;AACpB;AAEA,eAAe,iBAAiB,KAAiC;AAC/D,QAAM,OAAO,KAAK,KAAK,cAAc;AACrC,MAAI,CAAC,WAAW,IAAI,EAAG,QAAO,CAAC;AAC/B,QAAM,WAAW,KAAK,MAAM,MAAM,SAAS,MAAM,MAAM,CAAC;AAIxD,QAAM,WAAW;AAAA,IACf,GAAG,SAAS;AAAA,IACZ,GAAG,SAAS;AAAA,IACZ,GAAG,SAAS;AAAA,EACd;AACA,SAAO,OAAO,KAAK,QAAQ,EACxB,OAAO,CAAC,SAAS,QAAQ,cAAc,EACvC,IAAI,CAAC,UAAU,EAAE,UAAU,iBAAiB,IAAI,KAAK,GAAG,eAAe,IAAI,EAAG,EAAE;AACrF;AAEA,eAAe,aAAa,KAAiC;AAC3D,QAAM,WAAsB,CAAC;AAC7B,aAAW,QAAQ,MAAM,mBAAmB,GAAG,GAAG;AAChD,UAAM,SAAS,MAAM,SAAS,MAAM,MAAM,GAAG,MAAM,IAAI;AACvD,UAAM,QAAQ,CAAC,MAAM,UAAU;AAC7B,iBAAW,EAAE,IAAI,MAAM,UAAU,KAAK,eAAe;AACnD,YAAI,GAAG,KAAK,IAAI,GAAG;AACjB,mBAAS,KAAK,EAAE,UAAU,GAAG,SAAS,KAAK,IAAI,CAAC,IAAI,QAAQ,CAAC,IAAI,MAAM,UAAU,CAAC;AAAA,QACpF;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEO,IAAM,QAAQ,cAAc;AAAA,EACjC,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA,MAAM,MAAM;AACV,UAAM,MAAM,QAAQ,IAAI;AACxB,UAAM,WAAW,CAAC,GAAI,MAAM,iBAAiB,GAAG,GAAI,GAAI,MAAM,aAAa,GAAG,CAAE;AAEhF,QAAI,SAAS,WAAW,GAAG;AACzB,SAAG,uCAAoC;AACvC;AAAA,IACF;AAEA,YAAQ,qCAAkC,SAAS,MAAM,cAAc;AACvE,eAAW,KAAK,UAAU;AACxB,cAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS;AAAA,IACzC;AACA,YAAQ,IAAI;AACZ,YAAQ;AAAA,MACNC,IAAG;AAAA,QACD,GAAG,SAAS,MAAM;AAAA,MACpB;AAAA,IACF;AACA,YAAQ,WAAW;AAAA,EACrB;AACF,CAAC;;;AE7ID,SAAS,aAAAC,kBAAiB;AAC1B,SAAS,cAAAC,mBAAkB;AAE3B,SAAS,iBAAAC,sBAAqB;;;ACH9B,SAAS,OAAO,OAAO,iBAAiB;AACxC,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,QAAAC,aAAY;AAErB,SAAS,sBAAsB,WAAoC;AAQ5D,SAAS,yBAAyB,OAAmC;AAC1E,MAAI,CAAE,qBAA2C,SAAS,KAAK,GAAG;AAChE,UAAM,IAAI;AAAA,MACR,2BAA2B,KAAK,iBAAiB,qBAAqB,KAAK,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,aACpB,WACA,UACA,WACA,OACyB;AACzB,QAAM,aAAaA,MAAK,WAAW,GAAG,QAAQ,aAAa;AAC3D,QAAM,aAAaA,MAAK,WAAW,GAAG,QAAQ,aAAa;AAE3D,MAAI,CAAC,OAAO;AACV,eAAW,QAAQ,CAAC,YAAY,UAAU,GAAG;AAC3C,UAAID,YAAW,IAAI,GAAG;AACpB,cAAM,IAAI,MAAM,GAAG,IAAI,kDAA+C;AAAA,MACxE;AAAA,IACF;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,IAAI,KAAK,SAAS,EAAE,UAAU,CAAC;AAClD,QAAM,MAAM,WAAW,EAAE,WAAW,KAAK,CAAC;AAC1C,QAAM,UAAU,YAAY,GAAG,IAAI,KAAK,UAAU,KAAK,SAAS,CAAC;AAAA,CAAI;AACrE,QAAM,UAAU,YAAY,GAAG,IAAI,KAAK,UAAU,KAAK,SAAS,CAAC;AAAA,GAAM,EAAE,MAAM,IAAM,CAAC;AACtF,QAAM,MAAM,YAAY,GAAK;AAE7B,SAAO,EAAE,WAAW,YAAY,WAAW;AAC7C;;;ADtCA,IAAM,cAAc;AAEpB,IAAM,SAAS;AAAA,EACb,kBAAkB;AAAA,EAClB,SAAS;AACX;AAEA,IAAM,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAwBT,IAAM,OAAOE,eAAc;AAAA,EAChC,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA,MAAM,MAAM;AACV,QAAIC,YAAW,WAAW,GAAG;AAC3B,YAAM,IAAI,MAAM,GAAG,WAAW,kDAA+C;AAAA,IAC/E;AAEA,UAAMC,WAAU,aAAa,GAAG,KAAK,UAAU,QAAQ,MAAM,CAAC,CAAC;AAAA,CAAI;AACnE,UAAM,OAAO,MAAM,aAAa,OAAO,SAAS,OAAO,OAAO,kBAAkB,KAAK;AACrF,UAAMA,WAAU,cAAc,OAAO;AAErC,YAAQ,4BAA4B;AACpC,SAAK,GAAG,WAAW,+CAAuC;AAC1D,SAAK,GAAG,KAAK,UAAU,MAAM,KAAK,UAAU,eAAU,KAAK,SAAS,gBAAgB;AACpF,SAAK,0DAAqD;AAC1D,YAAQ,IAAI;AACZ,SAAK,mFAA2E;AAChF,OAAG,0FAAuF;AAAA,EAC5F;AACF,CAAC;;;AE7DD,SAAS,iBAAAC,sBAAqB;AAKvB,IAAM,SAASC,eAAc;AAAA,EAClC,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA,MAAM;AAAA,IACJ,WAAW;AAAA,MACT,MAAM;AAAA,MACN,aAAa;AAAA,MACb,SAAS;AAAA,IACX;AAAA,IACA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,aAAa;AAAA,MACb,SAAS;AAAA,IACX;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,aAAa;AAAA,MACb,SAAS;AAAA,IACX;AAAA,EACF;AAAA,EACA,MAAM,IAAI,EAAE,KAAK,GAAG;AAClB,UAAM,YAAY,yBAAyB,KAAK,SAAS;AACzD,UAAM,OAAO,MAAM,aAAa,KAAK,KAAK,WAAW,WAAW,KAAK,KAAK;AAE1E,OAAG,OAAO,SAAS,YAAY;AAC/B,SAAK,eAAY,KAAK,UAAU,EAAE;AAClC,SAAK,YAAY,KAAK,UAAU,cAAc;AAC9C,SAAK,8DAA8D;AAAA,EACrE;AACF,CAAC;;;AL9BD,IAAM,OAAOC,eAAc;AAAA,EACzB,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,SAAS;AAAA,IACT,aAAa;AAAA,EACf;AAAA,EACA,aAAa;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF,CAAC;AAED,MAAM,QAAQ,IAAI;","names":["defineCommand","pc","pc","writeFile","existsSync","defineCommand","existsSync","join","defineCommand","existsSync","writeFile","defineCommand","defineCommand","defineCommand"]}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@pqc-sdk/cli",
+  "version": "0.1.0",
+  "description": "CLI del SDK de criptografía post-cuántica",
+  "type": "module",
+  "bin": {
+    "pqc": "./dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "dependencies": {
+    "citty": "^0.2.2",
+    "picocolors": "^1.1.1",
+    "@pqc-sdk/core": "0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.15.29",
+    "tsup": "^8.5.0",
+    "vitest": "^3.2.6"
+  },
+  "license": "MIT",
+  "homepage": "https://github.com/jeloercc/pqc-sdk#readme",
+  "bugs": "https://github.com/jeloercc/pqc-sdk/issues",
+  "publishConfig": {
+    "access": "public"
+  },
+  "keywords": [
+    "post-quantum",
+    "pqc",
+    "cli",
+    "ml-kem",
+    "ml-dsa",
+    "audit"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/jeloercc/pqc-sdk.git",
+    "directory": "packages/cli"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "lint": "eslint . && tsc --noEmit",
+    "test": "pnpm run build && vitest run"
+  }
+}