@smonn/ids 0.8.0 → 0.9.1

package/dist/cli.mjs

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
 import { n as isIdsError } from "./error-Cp5qYZcv.mjs";
-import { t as createTimestampId } from "./timestamp-B5_UCzc6.mjs";
-import { i as importOpaqueKey, n as decodeOpaqueKey, r as encodeOpaqueKey, t as createOpaqueTimestampId } from "./opaque-uvjOFY_0.mjs";
-import { t as createReverseTimestampId } from "./reverse-BgFU6JHw.mjs";
-import { i as importWrappingKey, n as decodeWrappingKey, r as encodeWrappingKey, t as createWrappedKeyId } from "./wrapped-0vL72Nje.mjs";
+import { t as createTimestampId } from "./timestamp-BbZL8hwg.mjs";
+import { i as importOpaqueKey, n as decodeOpaqueKey, r as encodeOpaqueKey, t as createOpaqueTimestampId } from "./opaque-BpqxV8oB.mjs";
+import { t as createReverseTimestampId } from "./reverse-d5uEoIET.mjs";
+import { i as importSigningKey, n as decodeSigningKey, r as encodeSigningKey, t as createSignedTimestampId } from "./signed-BnRSC03a.mjs";
+import { i as importWrappingKey, n as decodeWrappingKey, r as encodeWrappingKey, t as createWrappedKeyId } from "./wrapped-BI9UXnAm.mjs";
 //#region src/cli/codec-options.ts
 function codecOpts(opts) {
 	const o = { allowDuplicateBrand: true };
@@ -26,6 +27,14 @@ function formatWrappedInspectOutput(result) {
 		""
 	].join("\n");
 }
+function formatSignedInspectOutput(result) {
+	const relative = formatRelative(result.timestamp.getTime(), result.nowMs);
+	const inputLine = describeInputForm(result.input, result.canonical);
+	const lines = [`brand:     ${result.brand}`, `timestamp: ${result.timestamp.toISOString()} (${relative})`];
+	lines.push(`verification: ${result.verification}`);
+	lines.push(`canonical: ${result.canonical}`, `input:     ${inputLine}`, "");
+	return lines.join("\n");
+}
 function formatInspectOutput(result) {
 	const relative = formatRelative(result.timestamp.getTime(), result.nowMs);
 	const inputLine = describeInputForm(result.input, result.canonical);
@@ -86,19 +95,12 @@ function splitFlagToken(arg) {
 		inlineValue: arg.slice(eq + 1)
 	};
 }
-function splitFlags(args) {
+function splitFlags(args, valueFlags) {
 	const flags = /* @__PURE__ */ new Set();
 	const values = /* @__PURE__ */ new Map();
 	const positionals = [];
 	const errors = [];
 	const seenFlags = /* @__PURE__ */ new Set();
-	const valueFlags = new Set([
-		"--count",
-		"-c",
-		"--bits",
-		"--key-format",
-		"--kind"
-	]);
 	const addFlag = (flag) => {
 		const canonical = canonicalFlag(flag);
 		if (seenFlags.has(canonical)) errors.push(`duplicate flag: ${canonical}`);
@@ -108,11 +110,6 @@ function splitFlags(args) {
 	for (let i = 0; i < args.length; i++) {
 		const raw = args[i];
 		const { flag, inlineValue } = splitFlagToken(raw);
-		if (flag === "--opaque" || flag === "--wrapped" || flag === "--reverse") {
-			addFlag(flag);
-			if (inlineValue !== void 0) errors.push(`flag does not take a value: ${flag}`);
-			continue;
-		}
 		if (valueFlags.has(flag)) {
 			if (inlineValue !== void 0) {
 				addFlag(flag);
@@ -132,6 +129,7 @@ function splitFlags(args) {
 		}
 		if (flag.startsWith("-")) {
 			addFlag(flag);
+			if (inlineValue !== void 0) errors.push(`flag does not take a value: ${flag}`);
 			continue;
 		}
 		positionals.push(raw);
@@ -147,10 +145,11 @@ function canonicalFlag(flag) {
 	if (flag === "-c") return "--count";
 	return flag;
 }
-const knownFlags = new Set([
+const knownFlags = /* @__PURE__ */ new Set([
 	"--opaque",
 	"--wrapped",
 	"--reverse",
+	"--signed",
 	"--kind",
 	"--key-format",
 	"--count",
@@ -189,48 +188,83 @@ function isKindError(result) {
 	return result !== "u32" && result !== "i32" && result !== "u64" && result !== "i64";
 }
 //#endregion
-//#region src/cli/opaque-key.ts
+//#region src/cli/key-io.ts
 function isKeyFormatError(result) {
 	return result !== "hex" && result !== "base64url";
 }
-function parseKeyFormatFlag$1(values) {
+function parseKeyFormatFlag(values) {
 	const fromFlag = values.get("--key-format");
 	if (fromFlag === void 0) return void 0;
 	if (fromFlag === "") return "--key-format requires a value";
 	if (fromFlag === "hex" || fromFlag === "base64url") return fromFlag;
 	return `--key-format must be hex or base64url, got '${fromFlag}'`;
 }
-function parseKeygenFormat(values) {
-	const fromFlag = parseKeyFormatFlag$1(values);
+function parseKeyFormatFromFlag(values) {
+	const fromFlag = parseKeyFormatFlag(values);
 	if (fromFlag === void 0) return "hex";
 	return fromFlag;
 }
-function parseOpaqueKeyFormat(values, opts) {
-	const fromFlag = parseKeyFormatFlag$1(values);
+function parseKeyFormat(values, opts, facet) {
+	const fromFlag = parseKeyFormatFlag(values);
 	if (fromFlag !== void 0) return fromFlag;
-	const fromEnv = (opts.env ?? process.env).IDS_KEY_FORMAT;
+	const fromEnv = (opts.env ?? process.env)[facet.formatEnvVar];
 	if (fromEnv === void 0 || fromEnv === "") return "hex";
 	if (fromEnv === "hex" || fromEnv === "base64url") return fromEnv;
-	return `IDS_KEY_FORMAT must be hex or base64url, got '${fromEnv}'`;
+	return `${facet.formatEnvVar} must be hex or base64url, got '${fromEnv}'`;
 }
-async function loadOpaqueKey(opts, format) {
-	const raw = (opts.env ?? process.env).IDS_KEY;
-	if (raw === void 0 || raw === "") return "missing IDS_KEY environment variable";
+async function loadKey(opts, format, facet) {
+	const raw = (opts.env ?? process.env)[facet.envVar];
+	if (raw === void 0 || raw === "") return `missing ${facet.envVar} environment variable`;
 	try {
-		return importOpaqueKey(decodeOpaqueKey(raw, format));
+		return await facet.import(facet.decode(raw, format));
 	} catch (err) {
 		return err.message;
 	}
 }
 //#endregion
+//#region src/cli/opaque-key.ts
+const opaqueFacet = {
+	envVar: "IDS_KEY",
+	formatEnvVar: "IDS_KEY_FORMAT",
+	decode: decodeOpaqueKey,
+	import: importOpaqueKey
+};
+function parseOpaqueKeyFormat(values, opts) {
+	return parseKeyFormat(values, opts, opaqueFacet);
+}
+async function loadOpaqueKey(opts, format) {
+	return loadKey(opts, format, opaqueFacet);
+}
+//#endregion
+//#region src/cli/signing-key.ts
+const signingFacet = {
+	envVar: "IDS_SIGNING_KEY",
+	formatEnvVar: "IDS_SIGNING_KEY_FORMAT",
+	decode: decodeSigningKey,
+	import: importSigningKey
+};
+function parseSigningKeyFormat(values, opts) {
+	return parseKeyFormat(values, opts, signingFacet);
+}
+async function loadSigningKey(opts, format) {
+	return loadKey(opts, format, signingFacet);
+}
+//#endregion
 //#region src/cli/commands/generate.ts
 function runGenerate(args, opts) {
-	const { flags, values, positionals, errors } = splitFlags(args);
-	const unsupported = unsupportedFlagForCommand("generate", flags, new Set([
+	const { flags, values, positionals, errors } = splitFlags(args, /* @__PURE__ */ new Set([
+		"--count",
+		"-c",
+		"--bits",
+		"--key-format",
+		"--kind"
+	]));
+	const unsupported = unsupportedFlagForCommand("generate", flags, /* @__PURE__ */ new Set([
 		"--count",
 		"-c",
 		"--opaque",
 		"--reverse",
+		"--signed",
 		"--key-format"
 	]));
 	if (unsupported !== void 0) {
@@ -254,12 +288,21 @@ function runGenerate(args, opts) {
 	}
 	const opaque = flags.has("--opaque");
 	const reverse = flags.has("--reverse");
+	const signed = flags.has("--signed");
 	if (reverse && opaque) {
 		opts.stderr("cannot use --reverse and --opaque together\n");
 		return Promise.resolve(1);
 	}
-	if (!opaque && flags.has("--key-format")) {
-		opts.stderr("--key-format requires --opaque\n");
+	if (signed && opaque) {
+		opts.stderr("cannot use --signed and --opaque together\n");
+		return Promise.resolve(1);
+	}
+	if (signed && reverse) {
+		opts.stderr("cannot use --signed and --reverse together\n");
+		return Promise.resolve(1);
+	}
+	if (!opaque && !signed && flags.has("--key-format")) {
+		opts.stderr("--key-format requires --opaque or --signed\n");
 		return Promise.resolve(1);
 	}
 	if (opaque) {
@@ -270,6 +313,14 @@ function runGenerate(args, opts) {
 		}
 		return runOpaqueGenerate(brand ?? "", count, format, opts);
 	}
+	if (signed) {
+		const format = parseSigningKeyFormat(values, opts);
+		if (isKeyFormatError(format)) {
+			opts.stderr(format + "\n");
+			return Promise.resolve(1);
+		}
+		return runSignedGenerate(brand ?? "", count, format, opts);
+	}
 	if (reverse) {
 		let codec;
 		try {
@@ -310,31 +361,39 @@ async function runOpaqueGenerate(brand, count, format, opts) {
 	for (let i = 0; i < count; i++) opts.stdout(await codec.generate() + "\n");
 	return 0;
 }
+async function runSignedGenerate(brand, count, format, opts) {
+	const keyResult = await loadSigningKey(opts, format);
+	if (typeof keyResult === "string") {
+		opts.stderr(keyResult + "\n");
+		return 1;
+	}
+	let codec;
+	try {
+		codec = createSignedTimestampId(brand, {
+			keys: [keyResult],
+			allowDuplicateBrand: true,
+			...codecOpts(opts)
+		});
+	} catch (err) {
+		opts.stderr(formatCliError(err) + "\n");
+		return 1;
+	}
+	for (let i = 0; i < count; i++) opts.stdout(await codec.generate() + "\n");
+	return 0;
+}
 //#endregion
 //#region src/cli/wrapping-key.ts
-function parseKeyFormatFlag(values) {
-	const fromFlag = values.get("--key-format");
-	if (fromFlag === void 0) return void 0;
-	if (fromFlag === "") return "--key-format requires a value";
-	if (fromFlag === "hex" || fromFlag === "base64url") return fromFlag;
-	return `--key-format must be hex or base64url, got '${fromFlag}'`;
-}
+const wrappingFacet = {
+	envVar: "IDS_WRAPPING_KEY",
+	formatEnvVar: "IDS_WRAPPING_KEY_FORMAT",
+	decode: decodeWrappingKey,
+	import: importWrappingKey
+};
 function parseWrappingKeyFormat(values, opts) {
-	const fromFlag = parseKeyFormatFlag(values);
-	if (fromFlag !== void 0) return fromFlag;
-	const fromEnv = (opts.env ?? process.env).IDS_WRAPPING_KEY_FORMAT;
-	if (fromEnv === void 0 || fromEnv === "") return "hex";
-	if (fromEnv === "hex" || fromEnv === "base64url") return fromEnv;
-	return `IDS_WRAPPING_KEY_FORMAT must be hex or base64url, got '${fromEnv}'`;
+	return parseKeyFormat(values, opts, wrappingFacet);
 }
 async function loadWrappingKey(opts, format) {
-	const raw = (opts.env ?? process.env).IDS_WRAPPING_KEY;
-	if (raw === void 0 || raw === "") return "missing IDS_WRAPPING_KEY environment variable";
-	try {
-		return importWrappingKey(decodeWrappingKey(raw, format));
-	} catch (err) {
-		return err.message;
-	}
+	return loadKey(opts, format, wrappingFacet);
 }
 //#endregion
 //#region src/cli/usage.ts
@@ -343,30 +402,41 @@ function usage() {
 		"Usage: ids <subcommand> [args]",
 		"",
 		"Subcommands:",
-		"  inspect, i <id> [--opaque] [--wrapped --kind u32|i32|u64|i64] [--reverse] [--key-format hex|base64url]",
+		"  inspect, i <id> [--opaque] [--wrapped --kind u32|i32|u64|i64] [--reverse] [--signed] [--key-format hex|base64url]",
 		"    Decode an ID and print brand, timestamp (or lookup key), and canonical form.",
 		"    --opaque reads the AES key from IDS_KEY (hex by default; IDS_KEY_FORMAT or --key-format).",
 		"    --wrapped reads the wrapping key from IDS_WRAPPING_KEY (hex by default; IDS_WRAPPING_KEY_FORMAT or --key-format).",
 		"    --kind is required with --wrapped: u32, i32, u64, or i64.",
 		"    --reverse decodes a Reverse Timestamp ID (newest-first sort order).",
-		"  generate, g <brand> [--count, -c N] [--opaque] [--reverse] [--key-format hex|base64url]",
+		"    --signed decodes a Signed Timestamp ID; reads signing key from IDS_SIGNING_KEY (hex by default; IDS_SIGNING_KEY_FORMAT or --key-format).",
+		"    Without IDS_SIGNING_KEY, --signed prints the timestamp only (no verification). With IDS_SIGNING_KEY, prints verification: ok or failed.",
+		"  generate, g <brand> [--count, -c N] [--opaque] [--reverse] [--signed] [--key-format hex|base64url]",
 		`    Mint 1..${maxGenerateCount} canonical IDs for the given brand.`,
 		"    --opaque reads the AES key from IDS_KEY (hex by default; IDS_KEY_FORMAT or --key-format).",
 		"    --reverse mints Reverse Timestamp IDs (newest-first sort order).",
-		"  keygen, k [--wrapped] [--bits 128|192|256] [--key-format hex|base64url]",
-		"    Emit a random AES key for importOpaqueKey (stdout only).",
+		"    --signed mints Signed Timestamp IDs; reads signing key from IDS_SIGNING_KEY (hex by default; IDS_SIGNING_KEY_FORMAT or --key-format).",
+		"  keygen, k [--wrapped] [--signed] [--bits 128|192|256] [--key-format hex|base64url]",
+		"    Emit a random key for importOpaqueKey, importWrappingKey, or importSigningKey (stdout only).",
 		"    --wrapped emits a wrapping key for importWrappingKey instead (IDS_WRAPPING_KEY).",
+		"    --signed emits a signing key for importSigningKey instead (IDS_SIGNING_KEY; hex by default; IDS_SIGNING_KEY_FORMAT or --key-format).",
 		""
 	].join("\n");
 }
 //#endregion
 //#region src/cli/commands/inspect.ts
 function runInspect(args, opts) {
-	const { flags, values, positionals, errors } = splitFlags(args);
-	const unsupported = unsupportedFlagForCommand("inspect", flags, new Set([
+	const { flags, values, positionals, errors } = splitFlags(args, /* @__PURE__ */ new Set([
+		"--count",
+		"-c",
+		"--bits",
+		"--key-format",
+		"--kind"
+	]));
+	const unsupported = unsupportedFlagForCommand("inspect", flags, /* @__PURE__ */ new Set([
 		"--opaque",
 		"--wrapped",
 		"--reverse",
+		"--signed",
 		"--kind",
 		"--key-format"
 	]));
@@ -391,6 +461,7 @@ function runInspect(args, opts) {
 	const opaque = flags.has("--opaque");
 	const wrapped = flags.has("--wrapped");
 	const reverse = flags.has("--reverse");
+	const signed = flags.has("--signed");
 	if (opaque && wrapped) {
 		opts.stderr("cannot use --wrapped and --opaque together\n");
 		return Promise.resolve(1);
@@ -403,8 +474,20 @@ function runInspect(args, opts) {
 		opts.stderr("cannot use --reverse and --wrapped together\n");
 		return Promise.resolve(1);
 	}
-	if (!opaque && !wrapped && flags.has("--key-format")) {
-		opts.stderr("--key-format requires --opaque or --wrapped\n");
+	if (signed && opaque) {
+		opts.stderr("cannot use --signed and --opaque together\n");
+		return Promise.resolve(1);
+	}
+	if (signed && wrapped) {
+		opts.stderr("cannot use --signed and --wrapped together\n");
+		return Promise.resolve(1);
+	}
+	if (signed && reverse) {
+		opts.stderr("cannot use --signed and --reverse together\n");
+		return Promise.resolve(1);
+	}
+	if (!opaque && !wrapped && !signed && flags.has("--key-format")) {
+		opts.stderr("--key-format requires --opaque, --wrapped, or --signed\n");
 		return Promise.resolve(1);
 	}
 	const brand = input.slice(0, 3).toLowerCase();
@@ -433,6 +516,14 @@ function runInspect(args, opts) {
 		}
 		return runOpaqueInspect(brand, input, format, opts);
 	}
+	if (signed) {
+		const format = parseSigningKeyFormat(values, opts);
+		if (isKeyFormatError(format)) {
+			opts.stderr(format + "\n");
+			return Promise.resolve(1);
+		}
+		return runSignedInspect(brand, input, format, opts);
+	}
 	if (reverse) {
 		let reverseCodec;
 		try {
@@ -554,15 +645,186 @@ async function runOpaqueInspect(brand, input, format, opts) {
 	}));
 	return 0;
 }
+async function runSignedInspect(brand, input, format, opts) {
+	let structCodec;
+	try {
+		structCodec = createTimestampId(brand, codecOpts(opts));
+	} catch (err) {
+		opts.stderr(formatCliError(err) + "\n");
+		return 1;
+	}
+	const validation = structCodec["~standard"].validate(input);
+	if (validation.issues) {
+		opts.stderr(validation.issues[0].message + "\n");
+		return 1;
+	}
+	const canonical = validation.value;
+	const timestamp = structCodec.extractTimestamp(canonical);
+	const nowMs = (opts.now ?? Date.now)();
+	const keyResult = await loadSigningKey(opts, format);
+	if (typeof keyResult === "string") {
+		opts.stdout(formatSignedInspectOutput({
+			brand,
+			timestamp,
+			canonical,
+			input,
+			nowMs,
+			verification: "unavailable"
+		}));
+		opts.stderr(keyResult + "\n");
+		return 1;
+	}
+	const verifyResult = await createSignedTimestampId(brand, {
+		keys: [keyResult],
+		allowDuplicateBrand: true,
+		...codecOpts(opts)
+	}).safeVerify(input);
+	if (!verifyResult.ok) {
+		/* v8 ignore next 4 -- defensive: both codecs share the same wire parse so ParseError
+		is unreachable after the createTimestampId pre-validation above passes */
+		if (verifyResult.error !== "verification_failed") {
+			opts.stderr(verifyResult.error + "\n");
+			return 1;
+		}
+		opts.stdout(formatSignedInspectOutput({
+			brand,
+			timestamp,
+			canonical,
+			input,
+			nowMs,
+			verification: "failed"
+		}));
+		opts.stderr("verification_failed: verification failed\n");
+		return 1;
+	}
+	opts.stdout(formatSignedInspectOutput({
+		brand,
+		timestamp,
+		canonical: verifyResult.id,
+		input,
+		nowMs,
+		verification: "ok"
+	}));
+	return 0;
+}
+//#endregion
+//#region src/cli/variants.ts
+const opaqueVariant = {
+	flag: "--opaque",
+	key: {
+		envVar: "IDS_KEY",
+		formatEnvVar: "IDS_KEY_FORMAT",
+		encode: encodeOpaqueKey,
+		decode: decodeOpaqueKey,
+		import: importOpaqueKey
+	},
+	inspectMode: "keyed-readable",
+	construct(brand, opts, key) {
+		try {
+			return createOpaqueTimestampId(brand, {
+				key,
+				...codecOpts(opts)
+			});
+		} catch (err) {
+			return formatCliError(err);
+		}
+	}
+};
+const reverseVariant = {
+	flag: "--reverse",
+	inspectMode: "readable",
+	construct(brand, opts) {
+		try {
+			return createReverseTimestampId(brand, codecOpts(opts));
+		} catch (err) {
+			return formatCliError(err);
+		}
+	}
+};
+const wrappedVariant = {
+	flag: "--wrapped",
+	key: {
+		envVar: "IDS_WRAPPING_KEY",
+		formatEnvVar: "IDS_WRAPPING_KEY_FORMAT",
+		encode: encodeWrappingKey,
+		decode: decodeWrappingKey,
+		import: importWrappingKey
+	},
+	inspectMode: "unwrap",
+	extraFlags: ["--kind"],
+	construct(brand, _opts, key, values) {
+		const kind = parseKind(values ?? /* @__PURE__ */ new Map());
+		if (kind === void 0) return "--kind is required with --wrapped";
+		if (isKindError(kind)) return kind;
+		try {
+			return createWrappedKeyId(brand, {
+				kind,
+				keys: [key],
+				allowDuplicateBrand: true
+			});
+		} catch (err) {
+			return formatCliError(err);
+		}
+	}
+};
+const signedVariant = {
+	flag: "--signed",
+	key: {
+		envVar: "IDS_SIGNING_KEY",
+		formatEnvVar: "IDS_SIGNING_KEY_FORMAT",
+		encode: encodeSigningKey,
+		decode: decodeSigningKey,
+		import: importSigningKey
+	},
+	inspectMode: "verify",
+	construct(brand, opts, key) {
+		try {
+			return createSignedTimestampId(brand, {
+				keys: [key],
+				...codecOpts(opts)
+			});
+		} catch (err) {
+			return formatCliError(err);
+		}
+	}
+};
+const conflictPriorityOrder = [
+	signedVariant,
+	reverseVariant,
+	wrappedVariant,
+	opaqueVariant
+];
+const keygenPolicy = {
+	default: opaqueVariant,
+	selectable: [wrappedVariant, signedVariant],
+	intrinsicFlags: ["--bits"]
+};
+//#endregion
+//#region src/cli/dispatch.ts
+function deriveAllowedFlags(policy) {
+	const flags = new Set(policy.intrinsicFlags);
+	let hasKeyed = policy.default.key !== void 0;
+	for (const v of policy.selectable) {
+		if (v.flag !== void 0) flags.add(v.flag);
+		if (v.key !== void 0) hasKeyed = true;
+		if (v.extraFlags !== void 0) for (const f of v.extraFlags) flags.add(f);
+	}
+	if (hasKeyed) flags.add("--key-format");
+	return flags;
+}
+function resolveVariant(policy, flags) {
+	const selected = conflictPriorityOrder.filter((v) => policy.selectable.includes(v) && v.flag !== void 0 && flags.has(v.flag));
+	if (selected.length === 0) return policy.default;
+	if (selected.length === 1) return selected[0];
+	return `cannot use ${selected[0].flag} and ${selected[1].flag} together`;
+}
 //#endregion
 //#region src/cli/commands/keygen.ts
 function runKeygen(args, opts) {
-	const { flags, values, positionals, errors } = splitFlags(args);
-	const unsupported = unsupportedFlagForCommand("keygen", flags, new Set([
-		"--wrapped",
-		"--bits",
-		"--key-format"
-	]));
+	const allowedFlags = deriveAllowedFlags(keygenPolicy);
+	const variantExtraFlags = new Set(keygenPolicy.selectable.flatMap((v) => v.extraFlags ?? []));
+	const { flags, values, positionals, errors } = splitFlags(args, allowedFlags);
+	const unsupported = unsupportedFlagForCommand("keygen", flags, new Set([...allowedFlags].filter((f) => !variantExtraFlags.has(f))));
 	if (unsupported !== void 0) {
 		opts.stderr(unsupported + "\n");
 		return Promise.resolve(1);
@@ -576,20 +838,29 @@ function runKeygen(args, opts) {
 		opts.stderr(`unexpected argument: ${extra}\n`);
 		return Promise.resolve(1);
 	}
+	const variant = resolveVariant(keygenPolicy, flags);
+	if (typeof variant === "string") {
+		opts.stderr(variant + "\n");
+		return Promise.resolve(1);
+	}
 	const bits = parseBits(values);
 	if (typeof bits === "string") {
 		opts.stderr(bits + "\n");
 		return Promise.resolve(1);
 	}
-	const format = parseKeygenFormat(values);
+	const format = parseKeyFormatFromFlag(values);
 	if (isKeyFormatError(format)) {
 		opts.stderr(format + "\n");
 		return Promise.resolve(1);
 	}
+	/* v8 ignore next 4 -- defensive guard; all keygenPolicy variants have key defined */
+	if (variant.key === void 0) {
+		opts.stderr("internal: keygen policy variant has no key facet\n");
+		return Promise.resolve(1);
+	}
 	const bytes = new Uint8Array(bits / 8);
 	crypto.getRandomValues(bytes);
-	const wrapped = flags.has("--wrapped");
-	opts.stdout((wrapped ? encodeWrappingKey(bytes, format) : encodeOpaqueKey(bytes, format)) + "\n");
+	opts.stdout(variant.key.encode(bytes, format) + "\n");
 	return Promise.resolve(0);
 }
 //#endregion