@themoltnet/legreffier 0.6.0 → 0.7.0

package/dist/index.js

@@ -2,14 +2,38 @@
 import { jsxs, jsx } from "react/jsx-runtime";
 import { parseArgs } from "node:util";
 import { useInput, Box, Text, useApp, render } from "ink";
+import { execFileSync } from "node:child_process";
 import { join } from "node:path";
 import { useState, useEffect, useReducer, useRef } from "react";
 import figlet from "figlet";
 import { readFile, writeFile, mkdir, chmod, rm } from "node:fs/promises";
 import { homedir } from "node:os";
-import { randomBytes as randomBytes$2, createHash } from "crypto";
+import { createHash, randomBytes as randomBytes$2 } from "crypto";
 import { parse, stringify } from "smol-toml";
 import open from "open";
+const MOLTNET_GITCONFIG_RE = /\.moltnet\/([^/]+)\/gitconfig$/;
+function resolveAgentName(nameFlag, gitConfigGlobal) {
+  if (nameFlag) return nameFlag;
+  if (gitConfigGlobal) {
+    const match = MOLTNET_GITCONFIG_RE.exec(gitConfigGlobal);
+    if (match) return match[1];
+  }
+  throw new Error(
+    "agent name required — use --name or set GIT_CONFIG_GLOBAL=.moltnet/<name>/gitconfig"
+  );
+}
+function resolveCredentialsPath(agentName, dir2) {
+  return join(dir2, ".moltnet", agentName, "moltnet.json");
+}
+function printGitHubToken(agentName, dir2) {
+  const credPath = resolveCredentialsPath(agentName, dir2);
+  const token = execFileSync(
+    "npx",
+    ["@themoltnet/cli", "github", "token", "--credentials", credPath],
+    { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }
+  ).trim();
+  process.stdout.write(token);
+}
 const colors = {
   // Primary — teal/cyan (The Network)
   primary: {
@@ -350,13 +374,13 @@ function CliSummaryBox({
     }
   ) });
 }
-const jsonBodySerializer = {
+const jsonBodySerializer$1 = {
   bodySerializer: (body) => JSON.stringify(
     body,
     (_key, value) => typeof value === "bigint" ? value.toString() : value
   )
 };
-const createSseClient = ({
+const createSseClient$1 = ({
   onRequest,
   onSseError,
   onSseEvent,
@@ -490,7 +514,7 @@ const createSseClient = ({
   const stream = createStream();
   return { stream };
 };
-const separatorArrayExplode = (style) => {
+const separatorArrayExplode$1 = (style) => {
   switch (style) {
     case "label":
       return ".";
@@ -502,7 +526,7 @@ const separatorArrayExplode = (style) => {
       return "&";
   }
 };
-const separatorArrayNoExplode = (style) => {
+const separatorArrayNoExplode$1 = (style) => {
   switch (style) {
     case "form":
       return ",";
@@ -514,7 +538,7 @@ const separatorArrayNoExplode = (style) => {
       return ",";
   }
 };
-const separatorObjectExplode = (style) => {
+const separatorObjectExplode$1 = (style) => {
   switch (style) {
     case "label":
       return ".";
@@ -526,7 +550,7 @@ const separatorObjectExplode = (style) => {
       return "&";
   }
 };
-const serializeArrayParam = ({
+const serializeArrayParam$1 = ({
   allowReserved,
   explode,
   name: name2,
@@ -534,7 +558,7 @@ const serializeArrayParam = ({
   value
 }) => {
   if (!explode) {
-    const joinedValues2 = (allowReserved ? value : value.map((v) => encodeURIComponent(v))).join(separatorArrayNoExplode(style));
+    const joinedValues2 = (allowReserved ? value : value.map((v) => encodeURIComponent(v))).join(separatorArrayNoExplode$1(style));
     switch (style) {
       case "label":
         return `.${joinedValues2}`;
@@ -546,12 +570,12 @@ const serializeArrayParam = ({
         return `${name2}=${joinedValues2}`;
     }
   }
-  const separator = separatorArrayExplode(style);
+  const separator = separatorArrayExplode$1(style);
   const joinedValues = value.map((v) => {
     if (style === "label" || style === "simple") {
       return allowReserved ? v : encodeURIComponent(v);
     }
-    return serializePrimitiveParam({
+    return serializePrimitiveParam$1({
       allowReserved,
       name: name2,
       value: v
@@ -559,7 +583,7 @@ const serializeArrayParam = ({
   }).join(separator);
   return style === "label" || style === "matrix" ? separator + joinedValues : joinedValues;
 };
-const serializePrimitiveParam = ({
+const serializePrimitiveParam$1 = ({
   allowReserved,
   name: name2,
   value
@@ -574,7 +598,7 @@ const serializePrimitiveParam = ({
   }
   return `${name2}=${allowReserved ? value : encodeURIComponent(value)}`;
 };
-const serializeObjectParam = ({
+const serializeObjectParam$1 = ({
   allowReserved,
   explode,
   name: name2,
@@ -606,9 +630,9 @@ const serializeObjectParam = ({
         return joinedValues2;
     }
   }
-  const separator = separatorObjectExplode(style);
+  const separator = separatorObjectExplode$1(style);
   const joinedValues = Object.entries(value).map(
-    ([key, v]) => serializePrimitiveParam({
+    ([key, v]) => serializePrimitiveParam$1({
       allowReserved,
       name: style === "deepObject" ? `${name2}[${key}]` : key,
       value: v
@@ -616,10 +640,10 @@ const serializeObjectParam = ({
   ).join(separator);
   return style === "label" || style === "matrix" ? separator + joinedValues : joinedValues;
 };
-const PATH_PARAM_RE = /\{[^{}]+\}/g;
-const defaultPathSerializer = ({ path, url: _url }) => {
+const PATH_PARAM_RE$1 = /\{[^{}]+\}/g;
+const defaultPathSerializer$1 = ({ path, url: _url }) => {
   let url = _url;
-  const matches = _url.match(PATH_PARAM_RE);
+  const matches = _url.match(PATH_PARAM_RE$1);
   if (matches) {
     for (const match of matches) {
       let explode = false;
@@ -643,14 +667,14 @@ const defaultPathSerializer = ({ path, url: _url }) => {
       if (Array.isArray(value)) {
         url = url.replace(
           match,
-          serializeArrayParam({ explode, name: name2, style, value })
+          serializeArrayParam$1({ explode, name: name2, style, value })
         );
         continue;
       }
       if (typeof value === "object") {
         url = url.replace(
           match,
-          serializeObjectParam({
+          serializeObjectParam$1({
             explode,
             name: name2,
             style,
@@ -663,7 +687,7 @@ const defaultPathSerializer = ({ path, url: _url }) => {
       if (style === "matrix") {
         url = url.replace(
           match,
-          `;${serializePrimitiveParam({
+          `;${serializePrimitiveParam$1({
             name: name2,
             value
           })}`
@@ -678,7 +702,7 @@ const defaultPathSerializer = ({ path, url: _url }) => {
   }
   return url;
 };
-const getUrl = ({
+const getUrl$1 = ({
   baseUrl,
   path,
   query,
@@ -688,7 +712,7 @@ const getUrl = ({
   const pathUrl = _url.startsWith("/") ? _url : `/${_url}`;
   let url = (baseUrl ?? "") + pathUrl;
   if (path) {
-    url = defaultPathSerializer({ path, url });
+    url = defaultPathSerializer$1({ path, url });
   }
   let search = query ? querySerializer(query) : "";
   if (search.startsWith("?")) {
@@ -699,7 +723,7 @@ const getUrl = ({
   }
   return url;
 };
-function getValidRequestBody(options) {
+function getValidRequestBody$1(options) {
   const hasBody = options.body !== void 0;
   const isSerializedBody = hasBody && options.bodySerializer;
   if (isSerializedBody) {
@@ -714,7 +738,7 @@ function getValidRequestBody(options) {
   }
   return void 0;
 }
-const getAuthToken = async (auth, callback) => {
+const getAuthToken$1 = async (auth, callback) => {
   const token = typeof callback === "function" ? await callback(auth) : callback;
   if (!token) {
     return;
@@ -727,7 +751,7 @@ const getAuthToken = async (auth, callback) => {
   }
   return token;
 };
-const createQuerySerializer = ({
+const createQuerySerializer$1 = ({
   parameters = {},
   ...args
 } = {}) => {
@@ -741,7 +765,7 @@ const createQuerySerializer = ({
         }
         const options = parameters[name2] || args;
         if (Array.isArray(value)) {
-          const serializedArray = serializeArrayParam({
+          const serializedArray = serializeArrayParam$1({
             allowReserved: options.allowReserved,
             explode: true,
             name: name2,
@@ -751,7 +775,7 @@ const createQuerySerializer = ({
           });
           if (serializedArray) search.push(serializedArray);
         } else if (typeof value === "object") {
-          const serializedObject = serializeObjectParam({
+          const serializedObject = serializeObjectParam$1({
             allowReserved: options.allowReserved,
             explode: true,
             name: name2,
@@ -761,7 +785,7 @@ const createQuerySerializer = ({
           });
           if (serializedObject) search.push(serializedObject);
         } else {
-          const serializedPrimitive = serializePrimitiveParam({
+          const serializedPrimitive = serializePrimitiveParam$1({
             allowReserved: options.allowReserved,
             name: name2,
             value
@@ -774,7 +798,7 @@ const createQuerySerializer = ({
   };
   return querySerializer;
 };
-const getParseAs = (contentType) => {
+const getParseAs$1 = (contentType) => {
   if (!contentType) {
     return "stream";
   }
@@ -798,7 +822,7 @@ const getParseAs = (contentType) => {
   }
   return;
 };
-const checkForExistence = (options, name2) => {
+const checkForExistence$1 = (options, name2) => {
   if (!name2) {
     return false;
   }
@@ -807,15 +831,15 @@ const checkForExistence = (options, name2) => {
   }
   return false;
 };
-const setAuthParams = async ({
+const setAuthParams$1 = async ({
   security,
   ...options
 }) => {
   for (const auth of security) {
-    if (checkForExistence(options, auth.name)) {
+    if (checkForExistence$1(options, auth.name)) {
       continue;
     }
-    const token = await getAuthToken(auth, options.auth);
+    const token = await getAuthToken$1(auth, options.auth);
     if (!token) {
       continue;
     }
@@ -837,35 +861,35 @@ const setAuthParams = async ({
     }
   }
 };
-const buildUrl = (options) => getUrl({
+const buildUrl$1 = (options) => getUrl$1({
   baseUrl: options.baseUrl,
   path: options.path,
   query: options.query,
-  querySerializer: typeof options.querySerializer === "function" ? options.querySerializer : createQuerySerializer(options.querySerializer),
+  querySerializer: typeof options.querySerializer === "function" ? options.querySerializer : createQuerySerializer$1(options.querySerializer),
   url: options.url
 });
-const mergeConfigs = (a, b) => {
+const mergeConfigs$1 = (a, b) => {
   const config = { ...a, ...b };
   if (config.baseUrl?.endsWith("/")) {
     config.baseUrl = config.baseUrl.substring(0, config.baseUrl.length - 1);
   }
-  config.headers = mergeHeaders(a.headers, b.headers);
+  config.headers = mergeHeaders$1(a.headers, b.headers);
   return config;
 };
-const headersEntries = (headers) => {
+const headersEntries$1 = (headers) => {
   const entries = [];
   headers.forEach((value, key) => {
     entries.push([key, value]);
   });
   return entries;
 };
-const mergeHeaders = (...headers) => {
+const mergeHeaders$1 = (...headers) => {
   const mergedHeaders = new Headers();
   for (const header of headers) {
     if (!header) {
       continue;
     }
-    const iterator = header instanceof Headers ? headersEntries(header) : Object.entries(header);
+    const iterator = header instanceof Headers ? headersEntries$1(header) : Object.entries(header);
     for (const [key, value] of iterator) {
       if (value === null) {
         mergedHeaders.delete(key);
@@ -883,7 +907,7 @@ const mergeHeaders = (...headers) => {
   }
   return mergedHeaders;
 };
-class Interceptors {
+let Interceptors$1 = class Interceptors {
   fns = [];
   clear() {
     this.fns = [];
@@ -916,13 +940,13 @@ class Interceptors {
     this.fns.push(fn);
     return this.fns.length - 1;
   }
-}
-const createInterceptors = () => ({
-  error: new Interceptors(),
-  request: new Interceptors(),
-  response: new Interceptors()
+};
+const createInterceptors$1 = () => ({
+  error: new Interceptors$1(),
+  request: new Interceptors$1(),
+  response: new Interceptors$1()
 });
-const defaultQuerySerializer = createQuerySerializer({
+const defaultQuerySerializer$1 = createQuerySerializer$1({
   allowReserved: false,
   array: {
     explode: true,
@@ -933,34 +957,34 @@ const defaultQuerySerializer = createQuerySerializer({
     style: "deepObject"
   }
 });
-const defaultHeaders = {
+const defaultHeaders$1 = {
   "Content-Type": "application/json"
 };
-const createConfig = (override = {}) => ({
-  ...jsonBodySerializer,
-  headers: defaultHeaders,
+const createConfig$1 = (override = {}) => ({
+  ...jsonBodySerializer$1,
+  headers: defaultHeaders$1,
   parseAs: "auto",
-  querySerializer: defaultQuerySerializer,
+  querySerializer: defaultQuerySerializer$1,
   ...override
 });
-const createClient = (config = {}) => {
-  let _config = mergeConfigs(createConfig(), config);
+const createClient$1 = (config = {}) => {
+  let _config = mergeConfigs$1(createConfig$1(), config);
   const getConfig = () => ({ ..._config });
   const setConfig = (config2) => {
-    _config = mergeConfigs(_config, config2);
+    _config = mergeConfigs$1(_config, config2);
     return getConfig();
   };
-  const interceptors = createInterceptors();
+  const interceptors = createInterceptors$1();
   const beforeRequest = async (options) => {
     const opts = {
       ..._config,
       ...options,
       fetch: options.fetch ?? _config.fetch ?? globalThis.fetch,
-      headers: mergeHeaders(_config.headers, options.headers),
+      headers: mergeHeaders$1(_config.headers, options.headers),
       serializedBody: void 0
     };
     if (opts.security) {
-      await setAuthParams({
+      await setAuthParams$1({
         ...opts,
         security: opts.security
       });
@@ -974,7 +998,7 @@ const createClient = (config = {}) => {
     if (opts.body === void 0 || opts.serializedBody === "") {
       opts.headers.delete("Content-Type");
     }
-    const url = buildUrl(opts);
+    const url = buildUrl$1(opts);
     return { opts, url };
   };
   const request = async (options) => {
@@ -982,7 +1006,7 @@ const createClient = (config = {}) => {
     const requestInit = {
       redirect: "follow",
       ...opts,
-      body: getValidRequestBody(opts)
+      body: getValidRequestBody$1(opts)
     };
     let request2 = new Request(url, requestInit);
     for (const fn of interceptors.request.fns) {
@@ -1026,7 +1050,7 @@ const createClient = (config = {}) => {
       response
     };
     if (response.ok) {
-      const parseAs = (opts.parseAs === "auto" ? getParseAs(response.headers.get("Content-Type")) : opts.parseAs) ?? "json";
+      const parseAs = (opts.parseAs === "auto" ? getParseAs$1(response.headers.get("Content-Type")) : opts.parseAs) ?? "json";
       if (response.status === 204 || response.headers.get("Content-Length") === "0") {
         let emptyData;
         switch (parseAs) {
@@ -1104,7 +1128,7 @@ const createClient = (config = {}) => {
   const makeMethodFn = (method) => (options) => request({ ...options, method });
   const makeSseFn = (method) => async (options) => {
     const { opts, url } = await beforeRequest(options);
-    return createSseClient({
+    return createSseClient$1({
       ...opts,
       body: opts.body,
       headers: opts.headers,
@@ -1122,7 +1146,7 @@ const createClient = (config = {}) => {
     });
   };
   return {
-    buildUrl,
+    buildUrl: buildUrl$1,
     connect: makeMethodFn("CONNECT"),
     delete: makeMethodFn("DELETE"),
     get: makeMethodFn("GET"),
@@ -1149,8 +1173,8 @@ const createClient = (config = {}) => {
     trace: makeMethodFn("TRACE")
   };
 };
-const client = createClient(
-  createConfig({ baseUrl: "https://api.themolt.net" })
+const client = createClient$1(
+  createConfig$1({ baseUrl: "https://api.themolt.net" })
 );
 const startLegreffierOnboarding = (options) => (options.client ?? client).post({
   url: "/public/legreffier/start",
@@ -1161,85 +1185,6 @@ const startLegreffierOnboarding = (options) => (options.client ?? client).post({
   }
 });
 const getLegreffierOnboardingStatus = (options) => (options.client ?? client).get({ url: "/public/legreffier/status/{workflowId}", ...options });
-class MoltNetError extends Error {
-  code;
-  statusCode;
-  detail;
-  constructor(message, options) {
-    super(message);
-    this.name = "MoltNetError";
-    this.code = options.code;
-    this.statusCode = options.statusCode;
-    this.detail = options.detail;
-  }
-}
-function problemToError(problem, statusCode) {
-  return new MoltNetError(problem.title ?? "Request failed", {
-    code: problem.type ?? problem.code ?? "UNKNOWN",
-    statusCode,
-    detail: problem.detail
-  });
-}
-async function writeMcpConfig(mcpConfig, dir2) {
-  const targetDir = dir2 ?? process.cwd();
-  const filePath = join(targetDir, ".mcp.json");
-  let existing = {};
-  try {
-    const content = await readFile(filePath, "utf-8");
-    existing = JSON.parse(content);
-  } catch {
-  }
-  const merged = {
-    ...existing,
-    mcpServers: {
-      ...existing.mcpServers ?? {},
-      ...mcpConfig.mcpServers
-    }
-  };
-  await writeFile(filePath, JSON.stringify(merged, null, 2) + "\n");
-  return filePath;
-}
-function getConfigDir() {
-  return join(homedir(), ".config", "moltnet");
-}
-function getConfigPath(configDir) {
-  return join(configDir ?? getConfigDir(), "moltnet.json");
-}
-async function readConfig(configDir) {
-  const dir2 = configDir ?? getConfigDir();
-  try {
-    const content = await readFile(join(dir2, "moltnet.json"), "utf-8");
-    return JSON.parse(content);
-  } catch {
-  }
-  try {
-    const content = await readFile(join(dir2, "credentials.json"), "utf-8");
-    console.warn("Warning: credentials.json is deprecated. New writes use moltnet.json. Support will be removed in 3 minor versions.");
-    return JSON.parse(content);
-  } catch {
-    return null;
-  }
-}
-async function writeConfig(config, configDir) {
-  const dir2 = configDir ?? getConfigDir();
-  await mkdir(dir2, { recursive: true });
-  const filePath = join(dir2, "moltnet.json");
-  await writeFile(filePath, JSON.stringify(config, null, 2) + "\n", {
-    mode: 384
-  });
-  await chmod(filePath, 384);
-  return filePath;
-}
-async function updateConfigSection(section, data, configDir) {
-  const config = await readConfig(configDir);
-  if (!config) {
-    throw new Error("No config found — run `moltnet register` first");
-  }
-  const existing = config[section] ?? {};
-  const updated = { ...existing, ...data };
-  Object.assign(config, { [section]: updated });
-  await writeConfig(config, configDir);
-}
 /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 function isBytes$1(a) {
   return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
@@ -3321,193 +3266,901 @@ const wNAF2 = (n) => {
   }
   return { p, f };
 };
-etc.sha512Sync = (...m) => {
-  const hash = createHash("sha512");
-  m.forEach((msg) => hash.update(msg));
-  return hash.digest();
+var __defProp = Object.defineProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+const jsonBodySerializer = {
+  bodySerializer: (body) => JSON.stringify(
+    body,
+    (_key, value) => typeof value === "bigint" ? value.toString() : value
+  )
 };
-const DOMAIN_PREFIX = "moltnet:v1";
-function buildSigningBytes(message, nonce) {
-  const msgHash = createHash("sha256").update(Buffer.from(message, "utf-8")).digest();
-  const nonceBytes = Buffer.from(nonce, "utf-8");
-  const prefix = Buffer.from(DOMAIN_PREFIX, "utf-8");
-  const buf = Buffer.alloc(
-    prefix.length + 4 + msgHash.length + 4 + nonceBytes.length
-  );
-  let offset = 0;
-  prefix.copy(buf, offset);
-  offset += prefix.length;
-  buf.writeUInt32BE(msgHash.length, offset);
-  offset += 4;
-  msgHash.copy(buf, offset);
-  offset += msgHash.length;
-  buf.writeUInt32BE(nonceBytes.length, offset);
-  offset += 4;
-  nonceBytes.copy(buf, offset);
-  return new Uint8Array(buf);
-}
-const cryptoService = {
-  /**
-   * Generate a new Ed25519 keypair
-   */
-  async generateKeyPair() {
-    const privateKeyBytes = utils.randomPrivateKey();
-    const publicKeyBytes = await getPublicKeyAsync(privateKeyBytes);
-    const privateKey = Buffer.from(privateKeyBytes).toString("base64");
-    const publicKey = `ed25519:${Buffer.from(publicKeyBytes).toString("base64")}`;
-    const fingerprint = this.generateFingerprint(publicKeyBytes);
-    return { publicKey, privateKey, fingerprint };
-  },
-  /**
-   * Generate human-readable fingerprint from public key
-   * Format: A1B2-C3D4-E5F6-G7H8 (first 16 hex chars of SHA256)
-   */
-  generateFingerprint(publicKeyBytes) {
-    const hash = createHash("sha256").update(publicKeyBytes).digest("hex");
-    const segments = hash.slice(0, 16).toUpperCase().match(/.{4}/g) ?? [];
-    return segments.join("-");
-  },
-  /**
-   * Parse public key from string format
-   */
-  parsePublicKey(publicKey) {
-    const base64 = publicKey.replace(/^ed25519:/, "");
-    return new Uint8Array(Buffer.from(base64, "base64"));
-  },
-  /**
-   * Sign a message with private key
-   */
-  async sign(message, privateKeyBase64) {
-    const privateKeyBytes = new Uint8Array(
-      Buffer.from(privateKeyBase64, "base64")
-    );
-    const messageBytes = new TextEncoder().encode(message);
-    const signature = await signAsync(messageBytes, privateKeyBytes);
-    return Buffer.from(signature).toString("base64");
-  },
-  /**
-   * Verify a signature against a message and public key
-   */
-  async verify(message, signature, publicKey) {
-    try {
-      const publicKeyBytes = this.parsePublicKey(publicKey);
-      const signatureBytes = new Uint8Array(Buffer.from(signature, "base64"));
-      const messageBytes = new TextEncoder().encode(message);
-      return await verifyAsync(signatureBytes, messageBytes, publicKeyBytes);
-    } catch {
-      return false;
-    }
-  },
-  /**
-   * Sign a (message, nonce) pair using deterministic pre-hash.
-   * Uses buildSigningBytes for domain separation and canonical serialization.
-   */
-  async signWithNonce(message, nonce, privateKeyBase64) {
-    const privateKeyBytes = new Uint8Array(
-      Buffer.from(privateKeyBase64, "base64")
-    );
-    const signingBytes = buildSigningBytes(message, nonce);
-    const signature = await signAsync(signingBytes, privateKeyBytes);
-    return Buffer.from(signature).toString("base64");
-  },
-  /**
-   * Verify a signature produced by signWithNonce.
-   */
-  async verifyWithNonce(message, nonce, signature, publicKey) {
-    try {
-      const publicKeyBytes = this.parsePublicKey(publicKey);
-      const signatureBytes = new Uint8Array(Buffer.from(signature, "base64"));
-      const signingBytes = buildSigningBytes(message, nonce);
-      return await verifyAsync(signatureBytes, signingBytes, publicKeyBytes);
-    } catch {
-      return false;
-    }
-  },
-  /**
-   * Create a signed message object
-   */
-  async createSignedMessage(message, privateKeyBase64, publicKey) {
-    const signature = await this.sign(message, privateKeyBase64);
-    return { message, signature, publicKey };
-  },
-  /**
-   * Verify a signed message object
-   */
-  async verifySignedMessage(signedMessage) {
-    return this.verify(
-      signedMessage.message,
-      signedMessage.signature,
-      signedMessage.publicKey
-    );
-  },
-  /**
-   * Generate a random challenge for authentication
-   */
-  generateChallenge() {
-    return `moltnet:challenge:${randomBytes$2(32).toString("hex")}:${Date.now()}`;
-  },
-  /**
-   * Derive public key from private key
-   */
-  async derivePublicKey(privateKeyBase64) {
-    const privateKeyBytes = new Uint8Array(
-      Buffer.from(privateKeyBase64, "base64")
+const createSseClient = ({
+  onRequest,
+  onSseError,
+  onSseEvent,
+  responseTransformer,
+  responseValidator,
+  sseDefaultRetryDelay,
+  sseMaxRetryAttempts,
+  sseMaxRetryDelay,
+  sseSleepFn,
+  url,
+  ...options
+}) => {
+  let lastEventId;
+  const sleep = sseSleepFn ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const createStream = async function* () {
+    let retryDelay = sseDefaultRetryDelay ?? 3e3;
+    let attempt = 0;
+    const signal = options.signal ?? new AbortController().signal;
+    while (true) {
+      if (signal.aborted) break;
+      attempt++;
+      const headers = options.headers instanceof Headers ? options.headers : new Headers(options.headers);
+      if (lastEventId !== void 0) {
+        headers.set("Last-Event-ID", lastEventId);
+      }
+      try {
+        const requestInit = {
+          redirect: "follow",
+          ...options,
+          body: options.serializedBody,
+          headers,
+          signal
+        };
+        let request = new Request(url, requestInit);
+        if (onRequest) {
+          request = await onRequest(url, requestInit);
+        }
+        const _fetch = options.fetch ?? globalThis.fetch;
+        const response = await _fetch(request);
+        if (!response.ok)
+          throw new Error(
+            `SSE failed: ${response.status} ${response.statusText}`
+          );
+        if (!response.body) throw new Error("No body in SSE response");
+        const reader = response.body.pipeThrough(new TextDecoderStream()).getReader();
+        let buffer = "";
+        const abortHandler = () => {
+          try {
+            reader.cancel();
+          } catch {
+          }
+        };
+        signal.addEventListener("abort", abortHandler);
+        try {
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            buffer += value;
+            buffer = buffer.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+            const chunks = buffer.split("\n\n");
+            buffer = chunks.pop() ?? "";
+            for (const chunk of chunks) {
+              const lines = chunk.split("\n");
+              const dataLines = [];
+              let eventName;
+              for (const line of lines) {
+                if (line.startsWith("data:")) {
+                  dataLines.push(line.replace(/^data:\s*/, ""));
+                } else if (line.startsWith("event:")) {
+                  eventName = line.replace(/^event:\s*/, "");
+                } else if (line.startsWith("id:")) {
+                  lastEventId = line.replace(/^id:\s*/, "");
+                } else if (line.startsWith("retry:")) {
+                  const parsed = Number.parseInt(
+                    line.replace(/^retry:\s*/, ""),
+                    10
+                  );
+                  if (!Number.isNaN(parsed)) {
+                    retryDelay = parsed;
+                  }
+                }
+              }
+              let data;
+              let parsedJson = false;
+              if (dataLines.length) {
+                const rawData = dataLines.join("\n");
+                try {
+                  data = JSON.parse(rawData);
+                  parsedJson = true;
+                } catch {
+                  data = rawData;
+                }
+              }
+              if (parsedJson) {
+                if (responseValidator) {
+                  await responseValidator(data);
+                }
+                if (responseTransformer) {
+                  data = await responseTransformer(data);
+                }
+              }
+              onSseEvent == null ? void 0 : onSseEvent({
+                data,
+                event: eventName,
+                id: lastEventId,
+                retry: retryDelay
+              });
+              if (dataLines.length) {
+                yield data;
+              }
+            }
+          }
+        } finally {
+          signal.removeEventListener("abort", abortHandler);
+          reader.releaseLock();
+        }
+        break;
+      } catch (error) {
+        onSseError == null ? void 0 : onSseError(error);
+        if (sseMaxRetryAttempts !== void 0 && attempt >= sseMaxRetryAttempts) {
+          break;
+        }
+        const backoff = Math.min(
+          retryDelay * 2 ** (attempt - 1),
+          sseMaxRetryDelay ?? 3e4
+        );
+        await sleep(backoff);
+      }
+    }
+  };
+  const stream = createStream();
+  return { stream };
+};
+const separatorArrayExplode = (style) => {
+  switch (style) {
+    case "label":
+      return ".";
+    case "matrix":
+      return ";";
+    case "simple":
+      return ",";
+    default:
+      return "&";
+  }
+};
+const separatorArrayNoExplode = (style) => {
+  switch (style) {
+    case "form":
+      return ",";
+    case "pipeDelimited":
+      return "|";
+    case "spaceDelimited":
+      return "%20";
+    default:
+      return ",";
+  }
+};
+const separatorObjectExplode = (style) => {
+  switch (style) {
+    case "label":
+      return ".";
+    case "matrix":
+      return ";";
+    case "simple":
+      return ",";
+    default:
+      return "&";
+  }
+};
+const serializeArrayParam = ({
+  allowReserved,
+  explode,
+  name: name2,
+  style,
+  value
+}) => {
+  if (!explode) {
+    const joinedValues2 = (allowReserved ? value : value.map((v) => encodeURIComponent(v))).join(separatorArrayNoExplode(style));
+    switch (style) {
+      case "label":
+        return `.${joinedValues2}`;
+      case "matrix":
+        return `;${name2}=${joinedValues2}`;
+      case "simple":
+        return joinedValues2;
+      default:
+        return `${name2}=${joinedValues2}`;
+    }
+  }
+  const separator = separatorArrayExplode(style);
+  const joinedValues = value.map((v) => {
+    if (style === "label" || style === "simple") {
+      return allowReserved ? v : encodeURIComponent(v);
+    }
+    return serializePrimitiveParam({
+      allowReserved,
+      name: name2,
+      value: v
+    });
+  }).join(separator);
+  return style === "label" || style === "matrix" ? separator + joinedValues : joinedValues;
+};
+const serializePrimitiveParam = ({
+  allowReserved,
+  name: name2,
+  value
+}) => {
+  if (value === void 0 || value === null) {
+    return "";
+  }
+  if (typeof value === "object") {
+    throw new Error(
+      "Deeply-nested arrays/objects aren’t supported. Provide your own `querySerializer()` to handle these."
     );
-    const publicKeyBytes = await getPublicKeyAsync(privateKeyBytes);
-    return `ed25519:${Buffer.from(publicKeyBytes).toString("base64")}`;
-  },
-  /**
-   * Get fingerprint from public key string
-   */
-  getFingerprintFromPublicKey(publicKey) {
-    const publicKeyBytes = this.parsePublicKey(publicKey);
-    return this.generateFingerprint(publicKeyBytes);
-  },
-  /**
-   * Derive an X25519 private key from an Ed25519 private key seed.
-   * Uses SHA-512 expansion + clamping per RFC 7748 / RFC 8032.
-   */
-  deriveX25519PrivateKey(ed25519PrivateKeyBase64) {
-    const seed = new Uint8Array(Buffer.from(ed25519PrivateKeyBase64, "base64"));
-    const x25519Priv = ed25519.utils.toMontgomerySecret(seed);
-    return Buffer.from(x25519Priv).toString("base64");
-  },
-  /**
-   * Derive an X25519 public key from an Ed25519 public key.
-   * Uses the Edwards → Montgomery birational map.
-   */
-  deriveX25519PublicKey(ed25519PublicKey) {
-    const edPubBytes = this.parsePublicKey(ed25519PublicKey);
-    const x25519Pub = ed25519.utils.toMontgomery(edPubBytes);
-    return `x25519:${Buffer.from(x25519Pub).toString("base64")}`;
-  },
-  /**
-   * Create a proof of identity ownership (for DCR metadata)
-   */
-  async createIdentityProof(identityId, privateKeyBase64) {
-    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-    const message = `moltnet:register:${identityId}:${timestamp}`;
-    const signature = await this.sign(message, privateKeyBase64);
-    return { message, signature, timestamp };
+  }
+  return `${name2}=${allowReserved ? value : encodeURIComponent(value)}`;
+};
+const serializeObjectParam = ({
+  allowReserved,
+  explode,
+  name: name2,
+  style,
+  value,
+  valueOnly
+}) => {
+  if (value instanceof Date) {
+    return valueOnly ? value.toISOString() : `${name2}=${value.toISOString()}`;
+  }
+  if (style !== "deepObject" && !explode) {
+    let values2 = [];
+    Object.entries(value).forEach(([key, v]) => {
+      values2 = [
+        ...values2,
+        key,
+        allowReserved ? v : encodeURIComponent(v)
+      ];
+    });
+    const joinedValues2 = values2.join(",");
+    switch (style) {
+      case "form":
+        return `${name2}=${joinedValues2}`;
+      case "label":
+        return `.${joinedValues2}`;
+      case "matrix":
+        return `;${name2}=${joinedValues2}`;
+      default:
+        return joinedValues2;
+    }
+  }
+  const separator = separatorObjectExplode(style);
+  const joinedValues = Object.entries(value).map(
+    ([key, v]) => serializePrimitiveParam({
+      allowReserved,
+      name: style === "deepObject" ? `${name2}[${key}]` : key,
+      value: v
+    })
+  ).join(separator);
+  return style === "label" || style === "matrix" ? separator + joinedValues : joinedValues;
+};
+const PATH_PARAM_RE = /\{[^{}]+\}/g;
+const defaultPathSerializer = ({ path, url: _url }) => {
+  let url = _url;
+  const matches = _url.match(PATH_PARAM_RE);
+  if (matches) {
+    for (const match of matches) {
+      let explode = false;
+      let name2 = match.substring(1, match.length - 1);
+      let style = "simple";
+      if (name2.endsWith("*")) {
+        explode = true;
+        name2 = name2.substring(0, name2.length - 1);
+      }
+      if (name2.startsWith(".")) {
+        name2 = name2.substring(1);
+        style = "label";
+      } else if (name2.startsWith(";")) {
+        name2 = name2.substring(1);
+        style = "matrix";
+      }
+      const value = path[name2];
+      if (value === void 0 || value === null) {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        url = url.replace(
+          match,
+          serializeArrayParam({ explode, name: name2, style, value })
+        );
+        continue;
+      }
+      if (typeof value === "object") {
+        url = url.replace(
+          match,
+          serializeObjectParam({
+            explode,
+            name: name2,
+            style,
+            value,
+            valueOnly: true
+          })
+        );
+        continue;
+      }
+      if (style === "matrix") {
+        url = url.replace(
+          match,
+          `;${serializePrimitiveParam({
+            name: name2,
+            value
+          })}`
+        );
+        continue;
+      }
+      const replaceValue = encodeURIComponent(
+        style === "label" ? `.${value}` : value
+      );
+      url = url.replace(match, replaceValue);
+    }
+  }
+  return url;
+};
+const getUrl = ({
+  baseUrl,
+  path,
+  query,
+  querySerializer,
+  url: _url
+}) => {
+  const pathUrl = _url.startsWith("/") ? _url : `/${_url}`;
+  let url = (baseUrl ?? "") + pathUrl;
+  if (path) {
+    url = defaultPathSerializer({ path, url });
+  }
+  let search = query ? querySerializer(query) : "";
+  if (search.startsWith("?")) {
+    search = search.substring(1);
+  }
+  if (search) {
+    url += `?${search}`;
+  }
+  return url;
+};
+function getValidRequestBody(options) {
+  const hasBody = options.body !== void 0;
+  const isSerializedBody = hasBody && options.bodySerializer;
+  if (isSerializedBody) {
+    if ("serializedBody" in options) {
+      const hasSerializedBody = options.serializedBody !== void 0 && options.serializedBody !== "";
+      return hasSerializedBody ? options.serializedBody : null;
+    }
+    return options.body !== "" ? options.body : null;
+  }
+  if (hasBody) {
+    return options.body;
+  }
+  return void 0;
+}
+const getAuthToken = async (auth, callback) => {
+  const token = typeof callback === "function" ? await callback(auth) : callback;
+  if (!token) {
+    return;
+  }
+  if (auth.scheme === "bearer") {
+    return `Bearer ${token}`;
+  }
+  if (auth.scheme === "basic") {
+    return `Basic ${btoa(token)}`;
+  }
+  return token;
+};
+const createQuerySerializer = ({
+  parameters = {},
+  ...args
+} = {}) => {
+  const querySerializer = (queryParams) => {
+    const search = [];
+    if (queryParams && typeof queryParams === "object") {
+      for (const name2 in queryParams) {
+        const value = queryParams[name2];
+        if (value === void 0 || value === null) {
+          continue;
+        }
+        const options = parameters[name2] || args;
+        if (Array.isArray(value)) {
+          const serializedArray = serializeArrayParam({
+            allowReserved: options.allowReserved,
+            explode: true,
+            name: name2,
+            style: "form",
+            value,
+            ...options.array
+          });
+          if (serializedArray) search.push(serializedArray);
+        } else if (typeof value === "object") {
+          const serializedObject = serializeObjectParam({
+            allowReserved: options.allowReserved,
+            explode: true,
+            name: name2,
+            style: "deepObject",
+            value,
+            ...options.object
+          });
+          if (serializedObject) search.push(serializedObject);
+        } else {
+          const serializedPrimitive = serializePrimitiveParam({
+            allowReserved: options.allowReserved,
+            name: name2,
+            value
+          });
+          if (serializedPrimitive) search.push(serializedPrimitive);
+        }
+      }
+    }
+    return search.join("&");
+  };
+  return querySerializer;
+};
+const getParseAs = (contentType) => {
+  var _a2;
+  if (!contentType) {
+    return "stream";
+  }
+  const cleanContent = (_a2 = contentType.split(";")[0]) == null ? void 0 : _a2.trim();
+  if (!cleanContent) {
+    return;
+  }
+  if (cleanContent.startsWith("application/json") || cleanContent.endsWith("+json")) {
+    return "json";
+  }
+  if (cleanContent === "multipart/form-data") {
+    return "formData";
+  }
+  if (["application/", "audio/", "image/", "video/"].some(
+    (type) => cleanContent.startsWith(type)
+  )) {
+    return "blob";
+  }
+  if (cleanContent.startsWith("text/")) {
+    return "text";
+  }
+  return;
+};
+const checkForExistence = (options, name2) => {
+  var _a2, _b;
+  if (!name2) {
+    return false;
+  }
+  if (options.headers.has(name2) || ((_a2 = options.query) == null ? void 0 : _a2[name2]) || ((_b = options.headers.get("Cookie")) == null ? void 0 : _b.includes(`${name2}=`))) {
+    return true;
+  }
+  return false;
+};
+const setAuthParams = async ({
+  security,
+  ...options
+}) => {
+  for (const auth of security) {
+    if (checkForExistence(options, auth.name)) {
+      continue;
+    }
+    const token = await getAuthToken(auth, options.auth);
+    if (!token) {
+      continue;
+    }
+    const name2 = auth.name ?? "Authorization";
+    switch (auth.in) {
+      case "query":
+        if (!options.query) {
+          options.query = {};
+        }
+        options.query[name2] = token;
+        break;
+      case "cookie":
+        options.headers.append("Cookie", `${name2}=${token}`);
+        break;
+      case "header":
+      default:
+        options.headers.set(name2, token);
+        break;
+    }
+  }
+};
+const buildUrl = (options) => getUrl({
+  baseUrl: options.baseUrl,
+  path: options.path,
+  query: options.query,
+  querySerializer: typeof options.querySerializer === "function" ? options.querySerializer : createQuerySerializer(options.querySerializer),
+  url: options.url
+});
+const mergeConfigs = (a, b) => {
+  var _a2;
+  const config = { ...a, ...b };
+  if ((_a2 = config.baseUrl) == null ? void 0 : _a2.endsWith("/")) {
+    config.baseUrl = config.baseUrl.substring(0, config.baseUrl.length - 1);
+  }
+  config.headers = mergeHeaders(a.headers, b.headers);
+  return config;
+};
+const headersEntries = (headers) => {
+  const entries = [];
+  headers.forEach((value, key) => {
+    entries.push([key, value]);
+  });
+  return entries;
+};
+const mergeHeaders = (...headers) => {
+  const mergedHeaders = new Headers();
+  for (const header of headers) {
+    if (!header) {
+      continue;
+    }
+    const iterator = header instanceof Headers ? headersEntries(header) : Object.entries(header);
+    for (const [key, value] of iterator) {
+      if (value === null) {
+        mergedHeaders.delete(key);
+      } else if (Array.isArray(value)) {
+        for (const v of value) {
+          mergedHeaders.append(key, v);
+        }
+      } else if (value !== void 0) {
+        mergedHeaders.set(
+          key,
+          typeof value === "object" ? JSON.stringify(value) : value
+        );
+      }
+    }
+  }
+  return mergedHeaders;
+};
+class Interceptors2 {
+  constructor() {
+    __publicField(this, "fns", []);
+  }
+  clear() {
+    this.fns = [];
+  }
+  eject(id) {
+    const index = this.getInterceptorIndex(id);
+    if (this.fns[index]) {
+      this.fns[index] = null;
+    }
+  }
+  exists(id) {
+    const index = this.getInterceptorIndex(id);
+    return Boolean(this.fns[index]);
+  }
+  getInterceptorIndex(id) {
+    if (typeof id === "number") {
+      return this.fns[id] ? id : -1;
+    }
+    return this.fns.indexOf(id);
+  }
+  update(id, fn) {
+    const index = this.getInterceptorIndex(id);
+    if (this.fns[index]) {
+      this.fns[index] = fn;
+      return id;
+    }
+    return false;
+  }
+  use(fn) {
+    this.fns.push(fn);
+    return this.fns.length - 1;
+  }
+}
+const createInterceptors = () => ({
+  error: new Interceptors2(),
+  request: new Interceptors2(),
+  response: new Interceptors2()
+});
+const defaultQuerySerializer = createQuerySerializer({
+  allowReserved: false,
+  array: {
+    explode: true,
+    style: "form"
   },
-  /**
-   * Verify an identity proof
-   */
-  async verifyIdentityProof(proof, publicKey, expectedIdentityId) {
-    const isValid = await this.verify(
-      proof.message,
-      proof.signature,
-      publicKey
+  object: {
+    explode: true,
+    style: "deepObject"
+  }
+});
+const defaultHeaders = {
+  "Content-Type": "application/json"
+};
+const createConfig = (override = {}) => ({
+  ...jsonBodySerializer,
+  headers: defaultHeaders,
+  parseAs: "auto",
+  querySerializer: defaultQuerySerializer,
+  ...override
+});
+const createClient = (config = {}) => {
+  let _config = mergeConfigs(createConfig(), config);
+  const getConfig = () => ({ ..._config });
+  const setConfig = (config2) => {
+    _config = mergeConfigs(_config, config2);
+    return getConfig();
+  };
+  const interceptors = createInterceptors();
+  const beforeRequest = async (options) => {
+    const opts = {
+      ..._config,
+      ...options,
+      fetch: options.fetch ?? _config.fetch ?? globalThis.fetch,
+      headers: mergeHeaders(_config.headers, options.headers),
+      serializedBody: void 0
+    };
+    if (opts.security) {
+      await setAuthParams({
+        ...opts,
+        security: opts.security
+      });
+    }
+    if (opts.requestValidator) {
+      await opts.requestValidator(opts);
+    }
+    if (opts.body !== void 0 && opts.bodySerializer) {
+      opts.serializedBody = opts.bodySerializer(opts.body);
+    }
+    if (opts.body === void 0 || opts.serializedBody === "") {
+      opts.headers.delete("Content-Type");
+    }
+    const url = buildUrl(opts);
+    return { opts, url };
+  };
+  const request = async (options) => {
+    const { opts, url } = await beforeRequest(options);
+    const requestInit = {
+      redirect: "follow",
+      ...opts,
+      body: getValidRequestBody(opts)
+    };
+    let request2 = new Request(url, requestInit);
+    for (const fn of interceptors.request.fns) {
+      if (fn) {
+        request2 = await fn(request2, opts);
+      }
+    }
+    const _fetch = opts.fetch;
+    let response;
+    try {
+      response = await _fetch(request2);
+    } catch (error2) {
+      let finalError2 = error2;
+      for (const fn of interceptors.error.fns) {
+        if (fn) {
+          finalError2 = await fn(
+            error2,
+            void 0,
+            request2,
+            opts
+          );
+        }
+      }
+      finalError2 = finalError2 || {};
+      if (opts.throwOnError) {
+        throw finalError2;
+      }
+      return opts.responseStyle === "data" ? void 0 : {
+        error: finalError2,
+        request: request2,
+        response: void 0
+      };
+    }
+    for (const fn of interceptors.response.fns) {
+      if (fn) {
+        response = await fn(response, request2, opts);
+      }
+    }
+    const result = {
+      request: request2,
+      response
+    };
+    if (response.ok) {
+      const parseAs = (opts.parseAs === "auto" ? getParseAs(response.headers.get("Content-Type")) : opts.parseAs) ?? "json";
+      if (response.status === 204 || response.headers.get("Content-Length") === "0") {
+        let emptyData;
+        switch (parseAs) {
+          case "arrayBuffer":
+          case "blob":
+          case "text":
+            emptyData = await response[parseAs]();
+            break;
+          case "formData":
+            emptyData = new FormData();
+            break;
+          case "stream":
+            emptyData = response.body;
+            break;
+          case "json":
+          default:
+            emptyData = {};
+            break;
+        }
+        return opts.responseStyle === "data" ? emptyData : {
+          data: emptyData,
+          ...result
+        };
+      }
+      let data;
+      switch (parseAs) {
+        case "arrayBuffer":
+        case "blob":
+        case "formData":
+        case "json":
+        case "text":
+          data = await response[parseAs]();
+          break;
+        case "stream":
+          return opts.responseStyle === "data" ? response.body : {
+            data: response.body,
+            ...result
+          };
+      }
+      if (parseAs === "json") {
+        if (opts.responseValidator) {
+          await opts.responseValidator(data);
+        }
+        if (opts.responseTransformer) {
+          data = await opts.responseTransformer(data);
+        }
+      }
+      return opts.responseStyle === "data" ? data : {
+        data,
+        ...result
+      };
+    }
+    const textError = await response.text();
+    let jsonError;
+    try {
+      jsonError = JSON.parse(textError);
+    } catch {
+    }
+    const error = jsonError ?? textError;
+    let finalError = error;
+    for (const fn of interceptors.error.fns) {
+      if (fn) {
+        finalError = await fn(error, response, request2, opts);
+      }
+    }
+    finalError = finalError || {};
+    if (opts.throwOnError) {
+      throw finalError;
+    }
+    return opts.responseStyle === "data" ? void 0 : {
+      error: finalError,
+      ...result
+    };
+  };
+  const makeMethodFn = (method) => (options) => request({ ...options, method });
+  const makeSseFn = (method) => async (options) => {
+    const { opts, url } = await beforeRequest(options);
+    return createSseClient({
+      ...opts,
+      body: opts.body,
+      headers: opts.headers,
+      method,
+      onRequest: async (url2, init) => {
+        let request2 = new Request(url2, init);
+        for (const fn of interceptors.request.fns) {
+          if (fn) {
+            request2 = await fn(request2, opts);
+          }
+        }
+        return request2;
+      },
+      url
+    });
+  };
+  return {
+    buildUrl,
+    connect: makeMethodFn("CONNECT"),
+    delete: makeMethodFn("DELETE"),
+    get: makeMethodFn("GET"),
+    getConfig,
+    head: makeMethodFn("HEAD"),
+    interceptors,
+    options: makeMethodFn("OPTIONS"),
+    patch: makeMethodFn("PATCH"),
+    post: makeMethodFn("POST"),
+    put: makeMethodFn("PUT"),
+    request,
+    setConfig,
+    sse: {
+      connect: makeSseFn("CONNECT"),
+      delete: makeSseFn("DELETE"),
+      get: makeSseFn("GET"),
+      head: makeSseFn("HEAD"),
+      options: makeSseFn("OPTIONS"),
+      patch: makeSseFn("PATCH"),
+      post: makeSseFn("POST"),
+      put: makeSseFn("PUT"),
+      trace: makeSseFn("TRACE")
+    },
+    trace: makeMethodFn("TRACE")
+  };
+};
+createClient(
+  createConfig({ baseUrl: "https://api.themolt.net" })
+);
+class MoltNetError extends Error {
+  constructor(message, options) {
+    super(message);
+    __publicField(this, "code");
+    __publicField(this, "statusCode");
+    __publicField(this, "detail");
+    this.name = "MoltNetError";
+    this.code = options.code;
+    this.statusCode = options.statusCode;
+    this.detail = options.detail;
+  }
+}
+function problemToError(problem, statusCode) {
+  return new MoltNetError(problem.title ?? "Request failed", {
+    code: problem.type ?? problem.code ?? "UNKNOWN",
+    statusCode,
+    detail: problem.detail
+  });
+}
+async function writeMcpConfig(mcpConfig, dir2) {
+  const targetDir = dir2 ?? process.cwd();
+  const filePath = join(targetDir, ".mcp.json");
+  let existing = {};
+  try {
+    const content = await readFile(filePath, "utf-8");
+    existing = JSON.parse(content);
+  } catch {
+  }
+  const merged = {
+    ...existing,
+    mcpServers: {
+      ...existing.mcpServers ?? {},
+      ...mcpConfig.mcpServers
+    }
+  };
+  await writeFile(filePath, JSON.stringify(merged, null, 2) + "\n");
+  return filePath;
+}
+function getConfigDir() {
+  return join(homedir(), ".config", "moltnet");
+}
+function getConfigPath(configDir) {
+  return join(configDir ?? getConfigDir(), "moltnet.json");
+}
+async function readConfig(configDir) {
+  const dir2 = configDir ?? getConfigDir();
+  try {
+    const content = await readFile(join(dir2, "moltnet.json"), "utf-8");
+    return JSON.parse(content);
+  } catch {
+  }
+  try {
+    const content = await readFile(join(dir2, "credentials.json"), "utf-8");
+    console.warn(
+      "Warning: credentials.json is deprecated. New writes use moltnet.json. Support will be removed in 3 minor versions."
     );
-    if (!isValid) return false;
-    const expectedPrefix = `moltnet:register:${expectedIdentityId}:`;
-    if (!proof.message.startsWith(expectedPrefix)) return false;
-    const proofTime = new Date(proof.timestamp).getTime();
-    const now = Date.now();
-    const fiveMinutes = 5 * 60 * 1e3;
-    if (now - proofTime > fiveMinutes) return false;
-    return true;
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function writeConfig(config, configDir) {
+  const dir2 = configDir ?? getConfigDir();
+  await mkdir(dir2, { recursive: true });
+  const filePath = join(dir2, "moltnet.json");
+  await writeFile(filePath, JSON.stringify(config, null, 2) + "\n", {
+    mode: 384
+  });
+  await chmod(filePath, 384);
+  return filePath;
+}
+async function updateConfigSection(section, data, configDir) {
+  const config = await readConfig(configDir);
+  if (!config) {
+    throw new Error("No config found — run `moltnet register` first");
   }
+  const existing = config[section] ?? {};
+  const updated = { ...existing, ...data };
+  Object.assign(config, { [section]: updated });
+  await writeConfig(config, configDir);
+}
+etc.sha512Sync = (...m) => {
+  const hash = createHash("sha512");
+  m.forEach((msg) => hash.update(msg));
+  return hash.digest();
 };
 if (!etc.sha512Sync) {
   etc.sha512Sync = (...m) => {
@@ -3613,19 +4266,25 @@ function toSSHPrivateKey(seedBase64) {
   ].join("\n");
 }
 async function exportSSHKey(opts) {
-  const config = await readConfig(opts?.configDir);
+  const config = await readConfig(opts == null ? void 0 : opts.configDir);
   if (!config) {
-    throw new Error(`No config found at ${getConfigPath(opts?.configDir)} — run \`moltnet register\` first`);
+    throw new Error(
+      `No config found at ${getConfigPath(opts == null ? void 0 : opts.configDir)} — run \`moltnet register\` first`
+    );
   }
   const privateKeySSH = toSSHPrivateKey(config.keys.private_key);
   const publicKeySSH = toSSHPublicKey(config.keys.public_key);
-  const outputDir = opts?.outputDir ?? join(opts?.configDir ?? getConfigDir(), "ssh");
+  const outputDir = (opts == null ? void 0 : opts.outputDir) ?? join((opts == null ? void 0 : opts.configDir) ?? getConfigDir(), "ssh");
   await mkdir(outputDir, { recursive: true });
   const privatePath = join(outputDir, "id_ed25519");
   const publicPath = join(outputDir, "id_ed25519.pub");
   await writeFile(privatePath, privateKeySSH, { mode: 384 });
   await writeFile(publicPath, publicKeySSH, { mode: 420 });
-  await updateConfigSection("ssh", { private_key_path: privatePath, public_key_path: publicPath }, opts?.configDir);
+  await updateConfigSection(
+    "ssh",
+    { private_key_path: privatePath, public_key_path: publicPath },
+    opts == null ? void 0 : opts.configDir
+  );
   return { privatePath, publicPath };
 }
 const POLL_INTERVAL_MS = 5e3;
@@ -3643,7 +4302,7 @@ function toErrorMessage(err2) {
 }
 const POLL_TIMEOUT_MS = 5 * 60 * 1e3;
 function makeClient(baseUrl) {
-  return createClient({ baseUrl });
+  return createClient$1({ baseUrl });
 }
 async function startOnboarding(baseUrl, body) {
   const client2 = makeClient(baseUrl);
@@ -3729,6 +4388,24 @@ async function downloadSkills(repoDir, skillDir) {
     await writeFile(join(destDir, "SKILL.md"), content, "utf-8");
   }
 }
+function buildGhTokenRule(agentName) {
+  return [
+    "# GitHub CLI Authentication (LeGreffier)",
+    "",
+    `When \`GIT_CONFIG_GLOBAL\` is set to \`.moltnet/${agentName}/gitconfig\`,`,
+    "authenticate all `gh` CLI commands as the GitHub App by prefixing them with:",
+    "",
+    "```bash",
+    'GH_TOKEN=$(moltnet github token --credentials "$(dirname "$GIT_CONFIG_GLOBAL")/moltnet.json") gh <command>',
+    "```",
+    "",
+    "This ensures `gh pr create`, `gh issue create`, etc. use the",
+    "GitHub App's identity instead of the user's personal token.",
+    "",
+    "The token is short-lived (~1 hour) and generated on each invocation.",
+    ""
+  ].join("\n");
+}
 function buildPermissions(agentName) {
   return [
     // Read-only git commands used by session activation & commit workflow
@@ -3737,8 +4414,12 @@ function buildPermissions(agentName) {
     "Bash(git log *)",
     "Bash(git rev-parse *)",
     "Bash(git worktree list)",
-    // Signing CLI
+    // Signing CLI (native binary)
     "Bash(moltnet sign *)",
+    "Bash(moltnet github token *)",
+    // Signing CLI (npm package — equivalent commands)
+    "Bash(npx @themoltnet/cli sign *)",
+    "Bash(npx @themoltnet/cli github token *)",
     // Worktree symlink creation
     "Bash(ln -s *)",
     // All MCP tools for this agent's server
@@ -3827,6 +4508,15 @@ class ClaudeAdapter {
       clientSecret: opts.clientSecret
     });
   }
+  async writeRules(opts) {
+    const dir2 = join(opts.repoDir, ".claude", "rules");
+    await mkdir(dir2, { recursive: true });
+    await writeFile(
+      join(dir2, "legreffier-gh.md"),
+      buildGhTokenRule(opts.agentName),
+      "utf-8"
+    );
+  }
 }
 class CodexAdapter {
   type = "codex";
@@ -3871,6 +4561,15 @@ class CodexAdapter {
     ];
     await writeFile(join(envDir, "env"), lines.join("\n") + "\n", "utf-8");
   }
+  async writeRules(opts) {
+    const dir2 = join(opts.repoDir, ".codex", "rules");
+    await mkdir(dir2, { recursive: true });
+    await writeFile(
+      join(dir2, "legreffier-gh.md"),
+      buildGhTokenRule(opts.agentName),
+      "utf-8"
+    );
+  }
 }
 const adapters = {
   claude: new ClaudeAdapter(),
@@ -4186,6 +4885,201 @@ async function runGitSetupPhase(opts) {
   );
   dispatch({ type: "step", key: "gitSetup", status: "done" });
 }
+etc.sha512Sync = (...m) => {
+  const hash = createHash("sha512");
+  m.forEach((msg) => hash.update(msg));
+  return hash.digest();
+};
+const DOMAIN_PREFIX = "moltnet:v1";
+function buildSigningBytes(message, nonce) {
+  const msgHash = createHash("sha256").update(Buffer.from(message, "utf-8")).digest();
+  const nonceBytes = Buffer.from(nonce, "utf-8");
+  const prefix = Buffer.from(DOMAIN_PREFIX, "utf-8");
+  const buf = Buffer.alloc(
+    prefix.length + 4 + msgHash.length + 4 + nonceBytes.length
+  );
+  let offset = 0;
+  prefix.copy(buf, offset);
+  offset += prefix.length;
+  buf.writeUInt32BE(msgHash.length, offset);
+  offset += 4;
+  msgHash.copy(buf, offset);
+  offset += msgHash.length;
+  buf.writeUInt32BE(nonceBytes.length, offset);
+  offset += 4;
+  nonceBytes.copy(buf, offset);
+  return new Uint8Array(buf);
+}
+const cryptoService = {
+  /**
+   * Generate a new Ed25519 keypair
+   */
+  async generateKeyPair() {
+    const privateKeyBytes = utils.randomPrivateKey();
+    const publicKeyBytes = await getPublicKeyAsync(privateKeyBytes);
+    const privateKey = Buffer.from(privateKeyBytes).toString("base64");
+    const publicKey = `ed25519:${Buffer.from(publicKeyBytes).toString("base64")}`;
+    const fingerprint = this.generateFingerprint(publicKeyBytes);
+    return { publicKey, privateKey, fingerprint };
+  },
+  /**
+   * Generate human-readable fingerprint from public key
+   * Format: A1B2-C3D4-E5F6-G7H8 (first 16 hex chars of SHA256)
+   */
+  generateFingerprint(publicKeyBytes) {
+    const hash = createHash("sha256").update(publicKeyBytes).digest("hex");
+    const segments = hash.slice(0, 16).toUpperCase().match(/.{4}/g) ?? [];
+    return segments.join("-");
+  },
+  /**
+   * Parse public key from string format
+   */
+  parsePublicKey(publicKey) {
+    const base64 = publicKey.replace(/^ed25519:/, "");
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  },
+  /**
+   * Sign a message with private key
+   */
+  async sign(message, privateKeyBase64) {
+    const privateKeyBytes = new Uint8Array(
+      Buffer.from(privateKeyBase64, "base64")
+    );
+    const messageBytes = new TextEncoder().encode(message);
+    const signature = await signAsync(messageBytes, privateKeyBytes);
+    return Buffer.from(signature).toString("base64");
+  },
+  /**
+   * Verify a signature against a message and public key
+   */
+  async verify(message, signature, publicKey) {
+    try {
+      const publicKeyBytes = this.parsePublicKey(publicKey);
+      const signatureBytes = new Uint8Array(Buffer.from(signature, "base64"));
+      const messageBytes = new TextEncoder().encode(message);
+      return await verifyAsync(signatureBytes, messageBytes, publicKeyBytes);
+    } catch {
+      return false;
+    }
+  },
+  /**
+   * Sign a (message, nonce) pair using deterministic pre-hash.
+   * Uses buildSigningBytes for domain separation and canonical serialization.
+   */
+  async signWithNonce(message, nonce, privateKeyBase64) {
+    const privateKeyBytes = new Uint8Array(
+      Buffer.from(privateKeyBase64, "base64")
+    );
+    const signingBytes = buildSigningBytes(message, nonce);
+    const signature = await signAsync(signingBytes, privateKeyBytes);
+    return Buffer.from(signature).toString("base64");
+  },
+  /**
+   * Verify a signature produced by signWithNonce.
+   */
+  async verifyWithNonce(message, nonce, signature, publicKey) {
+    try {
+      const publicKeyBytes = this.parsePublicKey(publicKey);
+      const signatureBytes = new Uint8Array(Buffer.from(signature, "base64"));
+      const signingBytes = buildSigningBytes(message, nonce);
+      return await verifyAsync(signatureBytes, signingBytes, publicKeyBytes);
+    } catch {
+      return false;
+    }
+  },
+  /**
+   * Create a signed message object
+   */
+  async createSignedMessage(message, privateKeyBase64, publicKey) {
+    const signature = await this.sign(message, privateKeyBase64);
+    return { message, signature, publicKey };
+  },
+  /**
+   * Verify a signed message object
+   */
+  async verifySignedMessage(signedMessage) {
+    return this.verify(
+      signedMessage.message,
+      signedMessage.signature,
+      signedMessage.publicKey
+    );
+  },
+  /**
+   * Generate a random challenge for authentication
+   */
+  generateChallenge() {
+    return `moltnet:challenge:${randomBytes$2(32).toString("hex")}:${Date.now()}`;
+  },
+  /**
+   * Derive public key from private key
+   */
+  async derivePublicKey(privateKeyBase64) {
+    const privateKeyBytes = new Uint8Array(
+      Buffer.from(privateKeyBase64, "base64")
+    );
+    const publicKeyBytes = await getPublicKeyAsync(privateKeyBytes);
+    return `ed25519:${Buffer.from(publicKeyBytes).toString("base64")}`;
+  },
+  /**
+   * Get fingerprint from public key string
+   */
+  getFingerprintFromPublicKey(publicKey) {
+    const publicKeyBytes = this.parsePublicKey(publicKey);
+    return this.generateFingerprint(publicKeyBytes);
+  },
+  /**
+   * Derive an X25519 private key from an Ed25519 private key seed.
+   * Uses SHA-512 expansion + clamping per RFC 7748 / RFC 8032.
+   */
+  deriveX25519PrivateKey(ed25519PrivateKeyBase64) {
+    const seed = new Uint8Array(Buffer.from(ed25519PrivateKeyBase64, "base64"));
+    const x25519Priv = ed25519.utils.toMontgomerySecret(seed);
+    return Buffer.from(x25519Priv).toString("base64");
+  },
+  /**
+   * Derive an X25519 public key from an Ed25519 public key.
+   * Uses the Edwards → Montgomery birational map.
+   */
+  deriveX25519PublicKey(ed25519PublicKey) {
+    const edPubBytes = this.parsePublicKey(ed25519PublicKey);
+    const x25519Pub = ed25519.utils.toMontgomery(edPubBytes);
+    return `x25519:${Buffer.from(x25519Pub).toString("base64")}`;
+  },
+  /**
+   * Create a proof of identity ownership (for DCR metadata)
+   */
+  async createIdentityProof(identityId, privateKeyBase64) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const message = `moltnet:register:${identityId}:${timestamp}`;
+    const signature = await this.sign(message, privateKeyBase64);
+    return { message, signature, timestamp };
+  },
+  /**
+   * Verify an identity proof
+   */
+  async verifyIdentityProof(proof, publicKey, expectedIdentityId) {
+    const isValid = await this.verify(
+      proof.message,
+      proof.signature,
+      publicKey
+    );
+    if (!isValid) return false;
+    const expectedPrefix = `moltnet:register:${expectedIdentityId}:`;
+    if (!proof.message.startsWith(expectedPrefix)) return false;
+    const proofTime = new Date(proof.timestamp).getTime();
+    const now = Date.now();
+    const fiveMinutes = 5 * 60 * 1e3;
+    if (now - proofTime > fiveMinutes) return false;
+    return true;
+  }
+};
+if (!etc.sha512Sync) {
+  etc.sha512Sync = (...m) => {
+    const hash = createHash("sha512");
+    m.forEach((msg) => hash.update(msg));
+    return hash.digest();
+  };
+}
 async function runIdentityPhase(opts) {
   const { apiUrl: apiUrl2, agentName, configDir, dispatch } = opts;
   const existingConfig = await readConfig(configDir);
@@ -4807,6 +5701,8 @@ function SetupApp({
           written.push(`${agentType}: skills`);
           await adapter.writeSettings(opts);
           written.push(`${agentType}: settings`);
+          await adapter.writeRules(opts);
+          written.push(`${agentType}: gh token rule`);
         }
         setFilesWritten(written);
         setSummary({
@@ -4893,6 +5789,19 @@ const name = values["name"];
 const agentFlags = values["agent"] ?? [];
 const apiUrl = values["api-url"] ?? process.env.MOLTNET_API_URL ?? "https://api.themolt.net";
 const dir = values["dir"] ?? process.cwd();
+if (subcommand === "github" && positionals[1] === "token") {
+  try {
+    const agentName = resolveAgentName(name, process.env.GIT_CONFIG_GLOBAL);
+    printGitHubToken(agentName, dir);
+    process.exit(0);
+  } catch (err2) {
+    process.stderr.write(
+      `Error: ${err2 instanceof Error ? err2.message : String(err2)}
+`
+    );
+    process.exit(1);
+  }
+}
 if (!name) {
   const usage = subcommand === "setup" ? "Usage: legreffier setup --name <agent-name> [--agent claude] [--agent codex] [--dir <path>]" : "Usage: legreffier [init] --name <agent-name> [--agent claude] [--agent codex] [--api-url <url>] [--dir <path>]";
   process.stderr.write(usage + "\n");