npm - @tinycloud/cli - Versions diffs - 0.5.1-beta.0 → 0.6.0-beta.10 - Mend

@tinycloud/cli 0.5.1-beta.0 → 0.6.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -548,8 +548,8 @@ var ProfileManager = class _ProfileManager {
 };
 // src/auth/local-key.ts
-import { TCWSessionManager, initPanicHook } from "@tinycloud/node-sdk-wasm";
-import { PrivateKeySigner } from "@tinycloud/node-sdk";
+import { TCWSessionManager, importKey, initPanicHook } from "@tinycloud/node-sdk-wasm";
+import { PrivateKeySigner, pkhDid } from "@tinycloud/node-sdk";
 import { randomBytes } from "crypto";
 var wasmInitialized = false;
 function ensureWasm() {
@@ -568,6 +568,12 @@ function generateKey() {
   const did = mgr.getDID(keyId);
   return { jwk, did };
 }
+function keyToDID(jwk) {
+  ensureWasm();
+  const mgr = new TCWSessionManager();
+  const keyId = importKey(mgr, JSON.stringify(jwk), "imported");
+  return mgr.getDID(keyId);
+}
 function generateEthereumPrivateKey() {
   const keyBytes = randomBytes(32);
   return "0x" + keyBytes.toString("hex");
@@ -577,7 +583,7 @@ async function deriveAddress(privateKey) {
   return signer.getAddress();
 }
 function addressToDID(address, chainId = 1) {
-  return `did:pkh:eip155:${chainId}:${address}`;
+  return pkhDid(address, chainId);
 }
 async function generateLocalIdentity(chainId = 1) {
   const privateKey = generateEthereumPrivateKey();
@@ -594,16 +600,45 @@ async function localKeySignIn(options) {
   });
   await node.signIn();
   const address = await new PrivateKeySigner(options.privateKey).getAddress();
+  const session = node.session;
+  if (!session) {
+    throw new Error("Local key sign-in did not produce a TinyCloud session");
+  }
   return {
-    spaceId: node.spaceId ?? "",
+    spaceId: session.spaceId,
     address,
-    chainId: 1
+    chainId: 1,
+    delegationHeader: session.delegationHeader,
+    delegationCid: session.delegationCid,
+    jwk: session.jwk,
+    verificationMethod: session.verificationMethod,
+    siwe: session.siwe,
+    signature: session.signature
   };
 }
 // src/auth/browser-auth.ts
 import { createServer } from "http";
 import { createInterface } from "readline";
+var PRIVATE_JWK_FIELDS = /* @__PURE__ */ new Set([
+  "d",
+  "p",
+  "q",
+  "dp",
+  "dq",
+  "qi",
+  "oth",
+  "k"
+]);
+function publicJwkForDelegation(jwk) {
+  const publicJwk = {};
+  for (const [key, value] of Object.entries(jwk)) {
+    if (!PRIVATE_JWK_FIELDS.has(key)) {
+      publicJwk[key] = value;
+    }
+  }
+  return publicJwk;
+}
 async function startAuthFlow(did, options = {}) {
   if (options.paste) {
     return pasteFlow(did, options);
@@ -625,7 +660,9 @@ function buildAuthUrl(did, options = {}) {
     params.set("callback", options.callback);
   }
   if (options.jwk) {
-    const jwkB64 = Buffer.from(JSON.stringify(options.jwk)).toString("base64url");
+    const jwkB64 = Buffer.from(
+      JSON.stringify(publicJwkForDelegation(options.jwk))
+    ).toString("base64url");
     params.set("jwk", jwkB64);
   }
   if (options.host) {
@@ -827,7 +864,7 @@ function registerInitCommand(program2) {
       await ProfileManager.setProfile(profileName, {
         ...profileConfig,
         spaceId: delegationData.spaceId,
-        primaryDid: delegationData.primaryDid
+        ownerDid: delegationData.ownerDid
       });
       outputJson({
         profile: profileName,
@@ -843,12 +880,41 @@ function registerInitCommand(program2) {
 }
 // src/commands/auth.ts
+import { get as httpGet } from "http";
+import { get as httpsGet } from "https";
+import { spawn } from "child_process";
+import { mkdir as mkdir2, readFile as readFile3, writeFile as writeFile2 } from "fs/promises";
+import { dirname as dirname2 } from "path";
 import { createInterface as createInterface2 } from "readline";
+// src/config/types.ts
+var CLI_PROFILE_POSTURES = [
+  "owner-openkey",
+  "delegate-session",
+  "local-owner-key"
+];
+var CLI_OPERATOR_TYPES = ["human", "agent"];
+function isCLIProfilePosture(value) {
+  return typeof value === "string" && CLI_PROFILE_POSTURES.includes(value);
+}
+function isCLIOperatorType(value) {
+  return typeof value === "string" && CLI_OPERATOR_TYPES.includes(value);
+}
+function resolveProfilePosture(profile) {
+  if (isCLIProfilePosture(profile.posture)) return profile.posture;
+  if (profile.authMethod === "local") return "local-owner-key";
+  return "owner-openkey";
+}
+function resolveProfileOperatorType(profile) {
+  if (isCLIOperatorType(profile.operatorType)) return profile.operatorType;
+  return "human";
+}
 // src/lib/sdk.ts
 import { TinyCloudNode } from "@tinycloud/node-sdk";
 // src/lib/permissions.ts
+import { randomBytes as randomBytes2 } from "crypto";
 import { appendFile, readFile as readFile2 } from "fs/promises";
 import { join as join4 } from "path";
 import {
@@ -858,13 +924,22 @@ import {
 } from "@tinycloud/node-sdk";
 // src/lib/space.ts
+import {
+  buildSpaceUri,
+  canonicalizeAddress,
+  makePkhSpaceId,
+  parsePkhDid,
+  parseSpaceUri
+} from "@tinycloud/node-sdk";
 function resolveAddress(profile, session) {
   const sessAddr = session?.address;
-  if (typeof sessAddr === "string" && sessAddr.length > 0) return sessAddr;
-  if (profile.address) return profile.address;
-  if (profile.primaryDid) {
-    const match = profile.primaryDid.match(/^did:pkh:eip155:\d+:(0x[a-fA-F0-9]{40})$/);
-    if (match) return match[1];
+  if (typeof sessAddr === "string" && sessAddr.length > 0) {
+    return canonicalizeAddress(sessAddr);
+  }
+  if (profile.address) return canonicalizeAddress(profile.address);
+  if (profile.ownerDid) {
+    const pkh = parsePkhDid(profile.ownerDid);
+    if (pkh) return pkh.address;
   }
   throw new CLIError(
     "ADDRESS_UNKNOWN",
@@ -879,7 +954,17 @@ function resolveChainId(profile, session) {
 }
 async function resolveSpaceUri(input, profileName) {
   if (!input) return void 0;
-  if (input.startsWith("tinycloud:")) return input;
+  if (input.startsWith("tinycloud:")) {
+    const parsed = parseSpaceUri(input);
+    if (!parsed) {
+      throw new CLIError(
+        "INVALID_SPACE",
+        `Invalid --space "${input}". Use a short name ([A-Za-z0-9_-]) or a full tinycloud:... URI.`,
+        ExitCode.USAGE_ERROR
+      );
+    }
+    return buildSpaceUri(parsed.owner, parsed.name);
+  }
   if (!/^[A-Za-z0-9_-]+$/.test(input)) {
     throw new CLIError(
       "INVALID_SPACE",
@@ -891,16 +976,44 @@ async function resolveSpaceUri(input, profileName) {
   const session = await ProfileManager.getSession(profileName);
   const address = resolveAddress(profile, session);
   const chainId = resolveChainId(profile, session);
-  return `tinycloud:pkh:eip155:${chainId}:${address}:${input}`;
+  return makePkhSpaceId(address, chainId, input);
 }
 // src/lib/permissions.ts
 function additionalDelegationsPath(profile) {
   return join4(PROFILES_DIR, profile, "additional-delegations.json");
 }
+function permissionRequestsPath(profile) {
+  return join4(PROFILES_DIR, profile, "auth-requests.json");
+}
 function grantHistoryPath(profile) {
   return join4(PROFILES_DIR, profile, "auth-grants.jsonl");
 }
+function createPermissionRequestArtifact(params) {
+  return {
+    kind: "tinycloud.auth.request",
+    version: 1,
+    requestId: `req_${Date.now().toString(36)}_${randomBytes2(4).toString("hex")}`,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    profile: params.profileName,
+    posture: resolveProfilePosture(params.profile),
+    operatorType: resolveProfileOperatorType(params.profile),
+    host: params.host,
+    sessionDid: didWithoutFragment(params.profile.sessionDid ?? params.profile.did),
+    ownerDid: params.profile.ownerDid,
+    spaceId: params.profile.spaceId,
+    requestedExpiry: params.requestedExpiry,
+    requested: params.requested,
+    command: {
+      argv: params.argv ?? process.argv.slice(2),
+      cwd: params.cwd ?? process.cwd()
+    }
+  };
+}
+function didWithoutFragment(did) {
+  const fragment = did.indexOf("#");
+  return fragment === -1 ? did : did.slice(0, fragment);
+}
 async function loadAdditionalDelegations(profile) {
   const raw = await readJson(
     additionalDelegationsPath(profile)
@@ -918,6 +1031,41 @@ async function appendAdditionalDelegation(profile, entry) {
   next.push(entry);
   await saveAdditionalDelegations(profile, next);
 }
+async function loadPermissionRequestArtifacts(profile) {
+  const raw = await readJson(
+    permissionRequestsPath(profile)
+  );
+  return Array.isArray(raw) ? raw.filter(isPermissionRequestArtifact) : [];
+}
+async function savePermissionRequestArtifacts(profile, entries) {
+  const profileDir = join4(PROFILES_DIR, profile);
+  await ensureDir(profileDir);
+  await writeJson(permissionRequestsPath(profile), entries);
+}
+async function appendPermissionRequestArtifact(profile, artifact) {
+  const existing = await loadPermissionRequestArtifacts(profile);
+  const next = existing.filter((item) => item.requestId !== artifact.requestId);
+  next.push(artifact);
+  await savePermissionRequestArtifacts(profile, next);
+}
+async function getPermissionRequestArtifact(profile, requestId) {
+  const existing = await loadPermissionRequestArtifacts(profile);
+  return existing.find((item) => item.requestId === requestId) ?? null;
+}
+async function getLastPermissionRequestArtifact(profile) {
+  const existing = await loadPermissionRequestArtifacts(profile);
+  return existing.at(-1) ?? null;
+}
+function isPermissionRequestArtifact(value) {
+  if (value === null || typeof value !== "object") return false;
+  const candidate = value;
+  return candidate.kind === "tinycloud.auth.request" && candidate.version === 1 && typeof candidate.requestId === "string" && Array.isArray(candidate.requested);
+}
+function isDelegationImportArtifact(value) {
+  if (value === null || typeof value !== "object") return false;
+  const candidate = value;
+  return candidate.kind === "tinycloud.auth.delegation" && candidate.version === 1 && candidate.delegation !== void 0 && typeof candidate.delegation === "object";
+}
 async function replayAdditionalDelegations(node, profile) {
   const entries = await loadAdditionalDelegations(profile);
   for (const entry of entries) {
@@ -1130,7 +1278,21 @@ async function createSDKInstance(ctx, options) {
       host: ctx.host,
       privateKey: effectivePrivateKey
     });
-    await node2.signIn();
+    if (session && session.delegationHeader && session.delegationCid && session.spaceId) {
+      await node2.restoreSession({
+        delegationHeader: session.delegationHeader,
+        delegationCid: session.delegationCid,
+        spaceId: session.spaceId,
+        jwk: session.jwk ?? key,
+        verificationMethod: session.verificationMethod ?? profile.sessionDid ?? profile.did,
+        address: session.address,
+        chainId: session.chainId,
+        siwe: session.siwe,
+        signature: session.signature
+      });
+    } else {
+      await node2.signIn();
+    }
     await replayAdditionalDelegations(node2, ctx.profile);
     return node2;
   }
@@ -1240,6 +1402,15 @@ function registerAuthCommand(program2) {
       handleError(error);
     }
   });
+  auth.command("rotate").description("Rotate the active profile session key").option("--paste", "Use manual paste mode instead of browser callback").action(async (options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      await rotateAuthKey(ctx.profile, ctx.host, { paste: options.paste });
+    } catch (error) {
+      handleError(error);
+    }
+  });
   auth.command("status").description("Show current authentication state").action(async (_options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
@@ -1252,17 +1423,22 @@ function registerAuthCommand(program2) {
       } catch {
         profile = null;
       }
+      const posture = profile ? resolveProfilePosture(profile) : null;
+      const operatorType = profile ? resolveProfileOperatorType(profile) : null;
       const authenticated = session !== null;
       if (shouldOutputJson()) {
         outputJson({
           authenticated,
           did: profile?.did ?? null,
-          primaryDid: profile?.primaryDid ?? null,
+          sessionDid: profile?.sessionDid ?? null,
+          ownerDid: profile?.ownerDid ?? null,
           spaceId: profile?.spaceId ?? null,
           host: ctx.host,
           profile: ctx.profile,
           hasKey: hasKey !== null,
           authMethod: profile?.authMethod ?? null,
+          posture,
+          operatorType,
           address: profile?.address ?? null
         });
       } else {
@@ -1270,9 +1446,12 @@ function registerAuthCommand(program2) {
         process.stdout.write(formatField("Profile", ctx.profile) + "\n");
         process.stdout.write(formatField("Authenticated", authenticated) + "\n");
         process.stdout.write(formatField("Auth Method", profile?.authMethod ?? null) + "\n");
+        process.stdout.write(formatField("Posture", posture) + "\n");
+        process.stdout.write(formatField("Operator", operatorType) + "\n");
         process.stdout.write(formatField("Host", ctx.host) + "\n");
         process.stdout.write(formatField("DID", profile?.did ?? null) + "\n");
-        process.stdout.write(formatField("Primary DID", profile?.primaryDid ?? null) + "\n");
+        process.stdout.write(formatField("Session DID", profile?.sessionDid ?? null) + "\n");
+        process.stdout.write(formatField("Owner DID", profile?.ownerDid ?? null) + "\n");
         process.stdout.write(formatField("Address", profile?.address ?? null) + "\n");
         process.stdout.write(formatField("Space ID", profile?.spaceId ?? null) + "\n");
         process.stdout.write(formatField("Has Key", hasKey !== null) + "\n");
@@ -1281,7 +1460,7 @@ function registerAuthCommand(program2) {
       handleError(error);
     }
   });
-  auth.command("request").description("Request additional TinyCloud permissions for the active session").option(
+  auth.command("request").description("Create a TinyCloud permission request artifact").option(
     "--cap <spec>",
     "Capability spec: tinycloud.<service>:<space>:<path>:<actions-csv> (repeatable)",
     (value, previous) => [...previous, value],
@@ -1289,13 +1468,13 @@ function registerAuthCommand(program2) {
   ).option("--permission <file>", 'JSON permission request: { "permissions": PermissionEntry[] }').option("--manifest <fileOrBase64>", "Manifest file, base64:<json>, or raw base64 JSON").option(
     "--expiry <duration>",
     `Lifetime of the granted delegation. ms-format string (e.g. "7d", "30m") or raw milliseconds. Defaults to 7d, capped by the active session's expiry.`
-  ).option("--yes", "Skip local-key TTY confirmation", false).action(async (options, cmd) => {
+  ).option("--emit [file]", "Emit the request artifact to stdout, or write it to file when provided").option("--grant", "Grant the requested permissions immediately with this owner profile").option("--yes", "Skip local-key TTY confirmation", false).action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
       const profile = await ProfileManager.getProfile(ctx.profile);
-      const session = await ProfileManager.getSession(ctx.profile);
       const requested = await collectRequestedPermissions(options, ctx.profile);
+      const expiryOption = parseExpiryOption(options.expiry);
       if (requested.length === 0) {
         throw new CLIError(
           "NO_CAPS_REQUESTED",
@@ -1303,6 +1482,18 @@ function registerAuthCommand(program2) {
           ExitCode.USAGE_ERROR
         );
       }
+      if (!options.grant) {
+        const artifact = createPermissionRequestArtifact({
+          profileName: ctx.profile,
+          profile,
+          host: ctx.host,
+          requested,
+          requestedExpiry: expiryOption
+        });
+        await appendPermissionRequestArtifact(ctx.profile, artifact);
+        await emitPermissionRequestArtifact(artifact, options.emit);
+        return;
+      }
       const node = await ensureAuthenticated(ctx);
       if (node.hasRuntimePermissions(requested)) {
         outputJson({ changed: false, missing: [], added: [] });
@@ -1316,14 +1507,13 @@ function registerAuthCommand(program2) {
         const delegationCids2 = [];
         let expiry2;
         const openkeyHost = resolveOpenKeyHost(profile);
-        const expiryOption2 = parseExpiryOption(options.expiry);
         for (const group of groupPermissionsBySpace(requested)) {
           const delegationData = await startAuthFlow(profile.did, {
             jwk: key,
             host: ctx.host,
             permissions: group,
             openkeyHost,
-            expiry: expiryOption2
+            expiry: expiryOption
           });
           const delegation = portableFromOpenKeyDelegation(delegationData, group, ctx.host);
           const stored = storedAdditionalDelegation(delegation, group);
@@ -1358,8 +1548,6 @@ function registerAuthCommand(program2) {
           ExitCode.USAGE_ERROR
         );
       }
-      void session;
-      const expiryOption = parseExpiryOption(options.expiry);
       const delegations = await node.grantRuntimePermissions(
         requested,
         expiryOption !== void 0 ? { expiry: expiryOption } : void 0
@@ -1394,6 +1582,136 @@ function registerAuthCommand(program2) {
       handleError(error);
     }
   });
+  auth.command("import [source]").description("Import a TinyCloud delegation or permission request artifact").option("--stdin", "Read the JSON artifact from stdin").option("--paste", "Read the JSON artifact from stdin").action(async (source, options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      const raw = await readAuthArtifactSource(source, {
+        stdin: options.stdin === true || options.paste === true
+      });
+      const parsed = JSON.parse(raw);
+      if (isPermissionRequestArtifact(parsed)) {
+        await appendPermissionRequestArtifact(ctx.profile, parsed);
+        outputJson({
+          imported: true,
+          kind: parsed.kind,
+          requestId: parsed.requestId,
+          requested: parsed.requested,
+          next: `tc auth retry ${parsed.requestId}`
+        });
+        return;
+      }
+      const imported = normalizeDelegationImport(parsed);
+      const node = await ensureAuthenticated(ctx);
+      await appendAdditionalDelegation(ctx.profile, storedAdditionalDelegation(
+        imported.delegation,
+        imported.permissions
+      ));
+      await node.useRuntimeDelegation(imported.delegation);
+      await appendGrantHistory(ctx.profile, {
+        addedCaps: imported.permissions,
+        source: "cli",
+        delegationCid: imported.delegation.cid,
+        expiry: imported.delegation.expiry.toISOString()
+      });
+      outputJson({
+        imported: true,
+        kind: "tinycloud.auth.delegation",
+        requestId: imported.requestId ?? null,
+        delegationCid: imported.delegation.cid,
+        permissions: imported.permissions,
+        expiry: imported.delegation.expiry.toISOString()
+      });
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  auth.command("grant [request]").description("Grant a TinyCloud permission request artifact to its requester").option("--stdin", "Read the JSON request artifact from stdin").option("--paste", "Read the JSON request artifact from stdin").option("--yes", "Skip local-key TTY confirmation", false).action(async (source, options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      const profile = await ProfileManager.getProfile(ctx.profile);
+      const raw = await readAuthArtifactSource(source, {
+        stdin: options.stdin === true || options.paste === true
+      });
+      const parsed = JSON.parse(raw);
+      if (!isPermissionRequestArtifact(parsed)) {
+        throw new CLIError(
+          "INVALID_AUTH_REQUEST",
+          "Auth grant requires a tinycloud.auth.request artifact.",
+          ExitCode.USAGE_ERROR
+        );
+      }
+      const node = await ensureAuthenticated(ctx);
+      await ensureDelegationAuthority({
+        ctx,
+        profile,
+        node,
+        requested: parsed.requested,
+        expiryOption: parsed.requestedExpiry,
+        yes: options.yes === true
+      });
+      const result = await node.delegateTo(
+        parsed.sessionDid,
+        parsed.requested,
+        parsed.requestedExpiry !== void 0 ? { expiry: parsed.requestedExpiry } : void 0
+      );
+      outputJson({
+        kind: "tinycloud.auth.delegation",
+        version: 1,
+        requestId: parsed.requestId,
+        delegationCid: result.delegation.cid,
+        delegation: result.delegation,
+        permissions: parsed.requested,
+        expiry: result.delegation.expiry.toISOString(),
+        prompted: result.prompted
+      });
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  auth.command("retry [requestId]").description("Check whether a stored permission request is now satisfied").option("--last", "Use the latest stored permission request for this profile").option("--exec", "Run the captured command when the request is covered").action(async (requestId, options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      const artifact = options.last ? await getLastPermissionRequestArtifact(ctx.profile) : requestId ? await getPermissionRequestArtifact(ctx.profile, requestId) : null;
+      if (!artifact) {
+        throw new CLIError(
+          "REQUEST_NOT_FOUND",
+          options.last ? `No stored permission requests exist for profile "${ctx.profile}".` : "Provide a requestId or use --last.",
+          ExitCode.NOT_FOUND
+        );
+      }
+      const node = await ensureAuthenticated(ctx);
+      const covered = node.hasRuntimePermissions(artifact.requested);
+      if (options.exec) {
+        if (!covered) {
+          throw new CLIError(
+            "PERMISSIONS_MISSING",
+            `Request ${artifact.requestId} is not covered yet. Import a delegation, then retry with --exec.`,
+            ExitCode.PERMISSION_DENIED
+          );
+        }
+        if (!artifact.command?.argv?.length) {
+          throw new CLIError(
+            "COMMAND_NOT_CAPTURED",
+            `Request ${artifact.requestId} does not include a captured command.`,
+            ExitCode.USAGE_ERROR
+          );
+        }
+        await execCapturedCommand(artifact.command);
+        return;
+      }
+      outputJson({
+        requestId: artifact.requestId,
+        covered,
+        missing: covered ? [] : artifact.requested,
+        command: artifact.command ?? null
+      });
+    } catch (error) {
+      handleError(error);
+    }
+  });
   auth.command("caps").description("Show granted capabilities for the active session").option("--diff <spec>", "Show missing capabilities for a spec").option("--history", "Show recent permission grants").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
@@ -1459,23 +1777,31 @@ function registerAuthCommand(program2) {
       const profile = await ProfileManager.getProfile(ctx.profile);
       const session = await ProfileManager.getSession(ctx.profile);
       const authenticated = session !== null;
+      const posture = resolveProfilePosture(profile);
+      const operatorType = resolveProfileOperatorType(profile);
       if (shouldOutputJson()) {
         outputJson({
           profile: ctx.profile,
           did: profile.did,
-          primaryDid: profile.primaryDid ?? null,
+          sessionDid: profile.sessionDid ?? null,
+          ownerDid: profile.ownerDid ?? null,
           spaceId: profile.spaceId ?? null,
           host: profile.host,
           authenticated,
           authMethod: profile.authMethod ?? null,
+          posture,
+          operatorType,
           address: profile.address ?? null
         });
       } else {
         process.stdout.write(theme.heading("Identity") + "\n");
         process.stdout.write(formatField("Profile", ctx.profile) + "\n");
         process.stdout.write(formatField("DID", profile.did) + "\n");
-        process.stdout.write(formatField("Primary DID", profile.primaryDid ?? null) + "\n");
+        process.stdout.write(formatField("Session DID", profile.sessionDid ?? null) + "\n");
+        process.stdout.write(formatField("Owner DID", profile.ownerDid ?? null) + "\n");
         process.stdout.write(formatField("Auth Method", profile.authMethod ?? null) + "\n");
+        process.stdout.write(formatField("Posture", posture) + "\n");
+        process.stdout.write(formatField("Operator", operatorType) + "\n");
         process.stdout.write(formatField("Address", profile.address ?? null) + "\n");
         process.stdout.write(formatField("Space ID", profile.spaceId ?? null) + "\n");
         process.stdout.write(formatField("Host", profile.host) + "\n");
@@ -1486,6 +1812,210 @@ function registerAuthCommand(program2) {
     }
   });
 }
+async function emitPermissionRequestArtifact(artifact, emitOption) {
+  if (typeof emitOption === "string" && emitOption.length > 0) {
+    await mkdir2(dirname2(emitOption), { recursive: true });
+    await writeFile2(emitOption, JSON.stringify(artifact, null, 2) + "\n", "utf8");
+    outputJson({
+      emitted: true,
+      path: emitOption,
+      requestId: artifact.requestId,
+      requested: artifact.requested
+    });
+    return;
+  }
+  outputJson(artifact);
+}
+async function readAuthArtifactSource(source, options) {
+  if (options.stdin || source === "-" || !source && !isInteractive()) {
+    return readStdin();
+  }
+  if (!source) {
+    throw new CLIError(
+      "IMPORT_SOURCE_REQUIRED",
+      "Provide an artifact file, URL, or use --stdin.",
+      ExitCode.USAGE_ERROR
+    );
+  }
+  if (source.startsWith("http://") || source.startsWith("https://")) {
+    return readUrl(source);
+  }
+  return readFile3(source, "utf8");
+}
+async function readStdin() {
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk)));
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+function readUrl(source) {
+  return new Promise((resolve3, reject) => {
+    const getter = source.startsWith("https://") ? httpsGet : httpGet;
+    const request = getter(source, (response) => {
+      const status = response.statusCode ?? 0;
+      if (status >= 300 && status < 400 && response.headers.location) {
+        response.resume();
+        readUrl(new URL(response.headers.location, source).toString()).then(resolve3, reject);
+        return;
+      }
+      if (status < 200 || status >= 300) {
+        response.resume();
+        reject(new CLIError(
+          "IMPORT_FETCH_FAILED",
+          `Failed to fetch ${source}: HTTP ${status}.`,
+          ExitCode.ERROR
+        ));
+        return;
+      }
+      const chunks = [];
+      response.on("data", (chunk) => {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+      });
+      response.on("end", () => resolve3(Buffer.concat(chunks).toString("utf8")));
+    });
+    request.on("error", reject);
+  });
+}
+function normalizeDelegationImport(value) {
+  if (isDelegationImportArtifact(value)) {
+    const delegation = normalizePortableDelegation(value.delegation);
+    return {
+      requestId: value.requestId,
+      delegation,
+      permissions: Array.isArray(value.permissions) && value.permissions.length > 0 ? value.permissions : permissionsFromDelegation(delegation)
+    };
+  }
+  if (isStoredDelegationLike(value)) {
+    const delegation = normalizePortableDelegation(value.delegation);
+    return {
+      delegation,
+      permissions: Array.isArray(value.permissions) && value.permissions.length > 0 ? value.permissions : permissionsFromDelegation(delegation)
+    };
+  }
+  if (isPortableDelegationLike(value)) {
+    const delegation = normalizePortableDelegation(value);
+    return {
+      delegation,
+      permissions: permissionsFromDelegation(delegation)
+    };
+  }
+  throw new CLIError(
+    "INVALID_AUTH_IMPORT",
+    "Auth import must be a tinycloud.auth.delegation artifact, a portable delegation, or a tinycloud.auth.request artifact.",
+    ExitCode.USAGE_ERROR
+  );
+}
+function isStoredDelegationLike(value) {
+  if (value === null || typeof value !== "object") return false;
+  const candidate = value;
+  return isPortableDelegationLike(candidate.delegation);
+}
+function isPortableDelegationLike(value) {
+  if (value === null || typeof value !== "object") return false;
+  const candidate = value;
+  return typeof candidate.cid === "string" && typeof candidate.spaceId === "string" && typeof candidate.path === "string" && Array.isArray(candidate.actions) && candidate.delegationHeader !== void 0 && typeof candidate.delegationHeader === "object";
+}
+function normalizePortableDelegation(delegation) {
+  const rawExpiry = delegation.expiry;
+  const expiry = rawExpiry instanceof Date ? rawExpiry : new Date(String(rawExpiry));
+  if (Number.isNaN(expiry.getTime())) {
+    throw new CLIError(
+      "INVALID_AUTH_IMPORT",
+      "Imported delegation must include a valid expiry.",
+      ExitCode.USAGE_ERROR
+    );
+  }
+  return { ...delegation, expiry };
+}
+async function ensureDelegationAuthority(params) {
+  if (!params.force && params.node.hasRuntimePermissions(params.requested)) return;
+  if (params.profile.authMethod === "openkey") {
+    const key = await ProfileManager.getKey(params.ctx.profile);
+    if (!key) {
+      throw new CLIError(
+        "NO_KEY",
+        `No key found for profile "${params.ctx.profile}". Run \`tc init\` first.`,
+        ExitCode.AUTH_REQUIRED
+      );
+    }
+    const openkeyHost = resolveOpenKeyHost(params.profile);
+    for (const group of groupPermissionsBySpace(params.requested)) {
+      const delegationData = await startAuthFlow(params.profile.did, {
+        jwk: key,
+        host: params.ctx.host,
+        permissions: group,
+        openkeyHost,
+        expiry: params.expiryOption
+      });
+      const delegation = portableFromOpenKeyDelegation(delegationData, group, params.ctx.host);
+      await appendAdditionalDelegation(
+        params.ctx.profile,
+        storedAdditionalDelegation(delegation, group)
+      );
+      await params.node.useRuntimeDelegation(delegation);
+      await appendGrantHistory(params.ctx.profile, {
+        addedCaps: group,
+        source: "cli",
+        delegationCid: delegation.cid,
+        expiry: delegation.expiry.toISOString()
+      });
+    }
+    return;
+  }
+  if (isInteractive()) {
+    if (!params.yes) {
+      await confirmPermissionRequest(params.requested);
+    }
+  } else if (!params.yes) {
+    throw new CLIError(
+      "CONFIRMATION_REQUIRED",
+      "Local-key auth grants in non-interactive mode require --yes.",
+      ExitCode.USAGE_ERROR
+    );
+  }
+  const delegations = await params.node.grantRuntimePermissions(
+    params.requested,
+    params.expiryOption !== void 0 ? { expiry: params.expiryOption } : void 0
+  );
+  for (const delegation of delegations) {
+    const covering = permissionsFromDelegation(delegation);
+    await appendAdditionalDelegation(
+      params.ctx.profile,
+      storedAdditionalDelegation(delegation, covering)
+    );
+    await appendGrantHistory(params.ctx.profile, {
+      addedCaps: covering,
+      source: "cli",
+      delegationCid: delegation.cid,
+      expiry: delegation.expiry.toISOString()
+    });
+  }
+}
+function execCapturedCommand(command) {
+  return new Promise((resolve3, reject) => {
+    const child = spawn(process.execPath, [process.argv[1], ...command.argv], {
+      cwd: command.cwd,
+      env: process.env,
+      stdio: "inherit"
+    });
+    child.on("error", reject);
+    child.on("exit", (code, signal) => {
+      if (signal) {
+        reject(new CLIError(
+          "COMMAND_SIGNAL",
+          `Captured command exited from signal ${signal}.`,
+          ExitCode.ERROR
+        ));
+        return;
+      }
+      if (code && code !== 0) {
+        process.exitCode = code;
+      }
+      resolve3();
+    });
+  });
+}
 async function collectRequestedPermissions(options, profile) {
   const permissions = [];
   for (const spec of options.cap ?? []) {
@@ -1545,18 +2075,40 @@ function parseExpiryOption(raw) {
 }
 function groupPermissionsBySpace(permissions) {
   const groups = /* @__PURE__ */ new Map();
+  const rawEntries = [];
   for (const permission of permissions) {
+    if (isRawPermission(permission)) {
+      rawEntries.push(permission);
+      continue;
+    }
     const group = groups.get(permission.space) ?? [];
     group.push(permission);
     groups.set(permission.space, group);
   }
-  return Array.from(groups.values());
+  const grouped = Array.from(groups.values());
+  if (grouped.length === 0) {
+    return rawEntries.length > 0 ? [rawEntries] : [];
+  }
+  grouped[0].push(...rawEntries);
+  return grouped;
+}
+function isRawPermission(permission) {
+  return permission.service === "tinycloud.encryption" && permission.path.startsWith("urn:tinycloud:encryption:");
+}
+function returnedSpaceMatchesExpected(returnedSpace, expectedSpace) {
+  if (returnedSpace === expectedSpace) return true;
+  if (!returnedSpace.startsWith("tinycloud:")) return false;
+  const returnedName = returnedSpace.slice(returnedSpace.lastIndexOf(":") + 1);
+  return returnedName === expectedSpace;
 }
 function portableFromOpenKeyDelegation(data, permissions, host) {
-  const primary = permissions[0];
-  const returnedSpace = String(data.spaceId ?? primary.space);
-  const expectedSpaces = new Set(permissions.map((permission) => permission.space));
-  if (expectedSpaces.size !== 1 || !expectedSpaces.has(returnedSpace)) {
+  const primary = permissions.find((permission) => !isRawPermission(permission)) ?? permissions[0];
+  const returnedSpace = String(data.spaceId ?? primary.space ?? "encryption");
+  const expectedSpaces = new Set(
+    permissions.filter((permission) => !isRawPermission(permission)).map((permission) => permission.space)
+  );
+  const matchesExpectedSpace = expectedSpaces.size === 1 && returnedSpaceMatchesExpected(returnedSpace, Array.from(expectedSpaces)[0]);
+  if (expectedSpaces.size > 0 && !matchesExpectedSpace) {
     throw new CLIError(
       "OPENKEY_SCOPE_MISMATCH",
       `OpenKey returned delegation for ${returnedSpace}, expected ${Array.from(expectedSpaces).join(", ")}.`,
@@ -1591,15 +2143,74 @@ function inferDelegationExpiry(data) {
   }
   return new Date(Date.now() + 60 * 60 * 1e3);
 }
-async function handleLocalAuth(profileName, host) {
+async function rotateAuthKey(profileName, host, options = {}) {
+  const profile = await ProfileManager.getProfile(profileName);
+  const posture = resolveProfilePosture(profile);
+  const oldDid = profile.sessionDid ?? profile.did;
+  if (posture === "delegate-session") {
+    throw new CLIError(
+      "ROTATE_DELEGATE_SESSION_UNSUPPORTED",
+      `Profile "${profileName}" is a delegated session. Request or import a new owner delegation instead of rotating it locally.`,
+      ExitCode.PERMISSION_DENIED
+    );
+  }
+  if (profile.authMethod === "local" || posture === "local-owner-key") {
+    if (!profile.privateKey) {
+      throw new CLIError(
+        "LOCAL_OWNER_KEY_REQUIRED",
+        `Profile "${profileName}" does not have a local owner private key. Run \`tc auth login --method local\` first.`,
+        ExitCode.AUTH_REQUIRED
+      );
+    }
+    await ProfileManager.clearSession(profileName);
+    const result2 = await handleLocalAuth(profileName, host, {
+      emitOutput: false,
+      forceSessionKey: true
+    });
+    outputRotationResult(result2.profile, profileName, oldDid, "local");
+    return;
+  }
+  const { jwk, did } = await withSpinner("Generating session key...", async () => {
+    return generateKey();
+  });
+  await ProfileManager.setKey(profileName, jwk);
+  await ProfileManager.clearSession(profileName);
+  await ProfileManager.setProfile(profileName, {
+    ...profile,
+    host,
+    did,
+    sessionDid: did,
+    posture: profile.posture ?? "owner-openkey",
+    operatorType: profile.operatorType ?? "human",
+    authMethod: "openkey"
+  });
+  const result = await refreshOpenKeySession(profileName, host, {
+    paste: options.paste
+  });
+  outputRotationResult(result.profile, profileName, oldDid, "openkey");
+}
+function outputRotationResult(profile, profileName, oldDid, authMethod) {
+  outputJson({
+    rotated: true,
+    profile: profileName,
+    oldDid,
+    did: profile.did,
+    sessionDid: profile.sessionDid ?? null,
+    authMethod,
+    spaceId: profile.spaceId ?? null
+  });
+}
+async function handleLocalAuth(profileName, host, options = {}) {
   const profile = await ProfileManager.getProfile(profileName).catch(() => null);
+  const posture = profile ? resolveProfilePosture(profile) : null;
   let privateKey;
   let address;
   let did;
-  if (profile?.authMethod === "local" && profile.privateKey && profile.address) {
+  let sessionDid = profile?.sessionDid;
+  if ((profile?.authMethod === "local" || posture === "local-owner-key") && profile.privateKey) {
     privateKey = profile.privateKey;
-    address = profile.address;
-    did = profile.did;
+    address = profile.address ?? await deriveAddress(privateKey);
+    did = profile.did.startsWith("did:pkh:") ? profile.did : addressToDID(address, profile.chainId ?? DEFAULT_CHAIN_ID);
     if (isInteractive()) {
       process.stderr.write(theme.muted("Using existing local key") + "\n");
       process.stderr.write(formatField("Address", address) + "\n");
@@ -1618,11 +2229,14 @@ async function handleLocalAuth(profileName, host) {
     }
   }
   const hasKey = await ProfileManager.getKey(profileName);
-  if (!hasKey) {
-    const { jwk } = await withSpinner("Generating session key...", async () => {
+  if (options.forceSessionKey || !hasKey) {
+    const { jwk, did: generatedSessionDid } = await withSpinner("Generating session key...", async () => {
       return generateKey();
     });
     await ProfileManager.setKey(profileName, jwk);
+    sessionDid = generatedSessionDid;
+  } else if (!sessionDid) {
+    sessionDid = keyToDID(hasKey);
   }
   const sessionResult = await withSpinner("Signing in...", async () => {
     return localKeySignIn({ privateKey, host });
@@ -1631,31 +2245,57 @@ async function handleLocalAuth(profileName, host) {
     authMethod: "local",
     address,
     chainId: DEFAULT_CHAIN_ID,
-    spaceId: sessionResult.spaceId
+    spaceId: sessionResult.spaceId,
+    delegationHeader: sessionResult.delegationHeader,
+    delegationCid: sessionResult.delegationCid,
+    jwk: sessionResult.jwk,
+    verificationMethod: sessionResult.verificationMethod,
+    siwe: sessionResult.siwe,
+    signature: sessionResult.signature
   });
-  await ProfileManager.setProfile(profileName, {
+  sessionDid = sessionResult.verificationMethod;
+  const updatedProfile = {
+    ...profile,
     name: profileName,
     host,
     chainId: DEFAULT_CHAIN_ID,
     spaceName: "default",
     did,
-    primaryDid: did,
+    sessionDid,
+    ownerDid: did,
     spaceId: sessionResult.spaceId,
     createdAt: profile?.createdAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+    posture: profile?.posture ?? "local-owner-key",
+    operatorType: profile?.operatorType ?? "human",
     authMethod: "local",
     privateKey,
     address
-  });
+  };
+  await ProfileManager.setProfile(profileName, updatedProfile);
+  if (options.emitOutput ?? true) {
+    outputJson({
+      authenticated: true,
+      profile: profileName,
+      did,
+      sessionDid,
+      address,
+      spaceId: sessionResult.spaceId,
+      authMethod: "local"
+    });
+  }
+  return { profile: updatedProfile, sessionResult };
+}
+async function handleOpenKeyAuth(profileName, host, paste) {
+  const { profile, delegationData } = await refreshOpenKeySession(profileName, host, { paste });
   outputJson({
     authenticated: true,
     profile: profileName,
-    did,
-    address,
-    spaceId: sessionResult.spaceId,
-    authMethod: "local"
+    did: profile.did,
+    spaceId: delegationData.spaceId,
+    authMethod: "openkey"
   });
 }
-async function handleOpenKeyAuth(profileName, host, paste) {
+async function refreshOpenKeySession(profileName, host, options = {}) {
   const key = await ProfileManager.getKey(profileName);
   if (!key) {
     throw new CLIError(
@@ -1666,7 +2306,7 @@ async function handleOpenKeyAuth(profileName, host, paste) {
   }
   const profile = await ProfileManager.getProfile(profileName);
   const delegationData = await startAuthFlow(profile.did, {
-    paste,
+    paste: options.paste,
     jwk: key,
     host,
     openkeyHost: resolveOpenKeyHost(profile)
@@ -1674,26 +2314,23 @@ async function handleOpenKeyAuth(profileName, host, paste) {
   await ProfileManager.setSession(profileName, delegationData);
   const updatedProfile = {
     ...profile,
+    sessionDid: profile.sessionDid ?? profile.did,
+    posture: profile.posture ?? "owner-openkey",
+    operatorType: profile.operatorType ?? "human",
     authMethod: "openkey"
   };
   if (delegationData.spaceId) {
     updatedProfile.spaceId = delegationData.spaceId;
-    updatedProfile.primaryDid = delegationData.primaryDid;
+    updatedProfile.ownerDid = delegationData.ownerDid;
   }
   await ProfileManager.setProfile(profileName, updatedProfile);
-  outputJson({
-    authenticated: true,
-    profile: profileName,
-    did: profile.did,
-    spaceId: delegationData.spaceId,
-    authMethod: "openkey"
-  });
+  return { profile: updatedProfile, delegationData };
 }
 // src/commands/kv.ts
-import { readFile as readFile3 } from "fs/promises";
-import { writeFile as writeFile2 } from "fs/promises";
-async function readStdin() {
+import { readFile as readFile4 } from "fs/promises";
+import { writeFile as writeFile3 } from "fs/promises";
+async function readStdin2() {
   const chunks = [];
   for await (const chunk of process.stdin) {
     chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
@@ -1718,7 +2355,7 @@ function registerKvCommand(program2) {
       const metadata = result.data.headers ?? {};
       if (options.output) {
         const content = typeof data === "string" ? data : JSON.stringify(data);
-        await writeFile2(options.output, content);
+        await writeFile3(options.output, content);
         outputJson({ key, written: options.output });
         return;
       }
@@ -1755,9 +2392,9 @@ function registerKvCommand(program2) {
         throw new CLIError("USAGE_ERROR", "Provide only one of: value argument, --file, or --stdin", ExitCode.USAGE_ERROR);
       }
       if (options.file) {
-        putValue = await readFile3(options.file);
+        putValue = await readFile4(options.file);
       } else if (options.stdin) {
-        putValue = await readStdin();
+        putValue = await readStdin2();
       } else {
         try {
           putValue = JSON.parse(value);
@@ -1952,6 +2589,15 @@ function parseExpiry(input) {
 }
 // src/commands/delegation.ts
+import { principalDidEquals } from "@tinycloud/node-sdk";
+function didMatches(actual, expected) {
+  if (!actual) return false;
+  try {
+    return principalDidEquals(actual, expected);
+  } catch {
+    return actual === expected;
+  }
+}
 function registerDelegationCommand(program2) {
   const delegation = program2.command("delegation").description("Manage delegations");
   delegation.command("create").description("Create a delegation").requiredOption("--to <did>", "Recipient DID").requiredOption("--path <path>", "KV path scope").requiredOption("--actions <actions>", "Comma-separated actions (e.g., kv/get,kv/list)").option("--expiry <duration>", "Expiry duration (e.g., 1h, 7d, ISO date)", "1h").action(async (options, cmd) => {
@@ -1996,10 +2642,10 @@ function registerDelegationCommand(program2) {
       let delegations = result.data;
       if (options.granted) {
         const myDid = node.did;
-        delegations = delegations.filter((d) => d.delegatorDID === myDid);
+        delegations = delegations.filter((d) => didMatches(d.delegatorDID, myDid));
       } else if (options.received) {
         const myDid = node.did;
-        delegations = delegations.filter((d) => d.delegateDID === myDid || d.delegateDID?.includes(myDid));
+        delegations = delegations.filter((d) => didMatches(d.delegateDID, myDid));
       }
       outputJson({
         delegations: delegations.map((d) => ({
@@ -2225,10 +2871,19 @@ function registerProfileCommand(program2) {
               name: p.name,
               host: p.host,
               did: p.did,
+              posture: resolveProfilePosture(p),
+              operatorType: resolveProfileOperatorType(p),
               active: name === config.defaultProfile
             };
           } catch {
-            return { name, host: null, did: null, active: name === config.defaultProfile };
+            return {
+              name,
+              host: null,
+              did: null,
+              posture: null,
+              operatorType: null,
+              active: name === config.defaultProfile
+            };
           }
         })
       );
@@ -2242,7 +2897,8 @@ function registerProfileCommand(program2) {
           const marker = p.active ? theme.success("\u25CF ") : "  ";
           const name = p.active ? theme.brand(p.name) : p.name;
           const host = theme.muted(p.host || "no host");
-          process.stdout.write(`${marker}${name}  ${host}
+          const posture = p.posture ? theme.muted(String(p.posture)) : theme.muted("no posture");
+          process.stdout.write(`${marker}${name}  ${host}  ${posture}
 `);
         }
       }
@@ -2250,10 +2906,18 @@ function registerProfileCommand(program2) {
       handleError(error);
     }
   });
-  profile.command("create <name>").description("Create a new profile").option("--host <url>", "TinyCloud node URL").action(async (name, options, cmd) => {
+  profile.command("create <name>").description("Create a new profile").option("--host <url>", "TinyCloud node URL").option(
+    "--posture <posture>",
+    `Profile posture: ${CLI_PROFILE_POSTURES.join(", ")}. Defaults to owner-openkey.`
+  ).option(
+    "--operator <type>",
+    `Operator type: ${CLI_OPERATOR_TYPES.join(", ")}. Defaults to human.`
+  ).action(async (name, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const host = options.host ?? globalOpts.host ?? "https://node.tinycloud.xyz";
+      const posture = parseProfilePosture(options.posture);
+      const operatorType = parseOperatorType(options.operator);
       if (await ProfileManager.profileExists(name)) {
         throw new CLIError("PROFILE_EXISTS", `Profile "${name}" already exists`, ExitCode.ERROR);
       }
@@ -2266,9 +2930,12 @@ function registerProfileCommand(program2) {
         chainId: 1,
         spaceName: "default",
         did,
-        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+        sessionDid: did,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        posture,
+        operatorType
       });
-      outputJson({ profile: name, did, host, created: true });
+      outputJson({ profile: name, did, host, posture, operatorType, created: true });
     } catch (error) {
       handleError(error);
     }
@@ -2283,9 +2950,13 @@ function registerProfileCommand(program2) {
       const hasSession = await ProfileManager.getSession(profileName) !== null;
       const config = await ProfileManager.getConfig();
       const isDefault = profileName === config.defaultProfile;
+      const posture = resolveProfilePosture(p);
+      const operatorType = resolveProfileOperatorType(p);
       if (shouldOutputJson()) {
         outputJson({
           ...p,
+          posture,
+          operatorType,
           hasKey,
           hasSession,
           isDefault
@@ -2295,6 +2966,9 @@ function registerProfileCommand(program2) {
 `);
         process.stdout.write(formatField("Host", p.host) + "\n");
         process.stdout.write(formatField("DID", p.did) + "\n");
+        process.stdout.write(formatField("Session DID", p.sessionDid ?? null) + "\n");
+        process.stdout.write(formatField("Posture", posture) + "\n");
+        process.stdout.write(formatField("Operator", operatorType) + "\n");
         process.stdout.write(formatField("Space", p.spaceId || null) + "\n");
         process.stdout.write(formatField("Key", hasKey) + "\n");
         process.stdout.write(formatField("Session", hasSession) + "\n");
@@ -2336,6 +3010,24 @@ function registerProfileCommand(program2) {
     }
   });
 }
+function parseProfilePosture(raw) {
+  if (raw === void 0 || raw === null || raw === "") return "owner-openkey";
+  if (isCLIProfilePosture(raw)) return raw;
+  throw new CLIError(
+    "INVALID_POSTURE",
+    `Invalid posture "${String(raw)}". Use one of: ${CLI_PROFILE_POSTURES.join(", ")}.`,
+    ExitCode.USAGE_ERROR
+  );
+}
+function parseOperatorType(raw) {
+  if (raw === void 0 || raw === null || raw === "") return "human";
+  if (isCLIOperatorType(raw)) return raw;
+  throw new CLIError(
+    "INVALID_OPERATOR",
+    `Invalid operator "${String(raw)}". Use one of: ${CLI_OPERATOR_TYPES.join(", ")}.`,
+    ExitCode.USAGE_ERROR
+  );
+}
 // src/commands/completion.ts
 function registerCompletionCommand(program2) {
@@ -2364,7 +3056,7 @@ _tc_completions() {
   commands="init auth kv space delegation share node profile completion"
   case "\${COMP_WORDS[1]}" in
-    auth) subcommands="login logout status whoami" ;;
+    auth) subcommands="login logout rotate status whoami" ;;
     kv) subcommands="get put delete list head" ;;
     space) subcommands="list create info switch" ;;
     delegation) subcommands="create list info revoke" ;;
@@ -2414,7 +3106,7 @@ _tc() {
       ;;
     args)
       case $words[1] in
-        auth) _values 'subcommand' login logout status whoami ;;
+        auth) _values 'subcommand' login logout rotate status whoami ;;
         kv) _values 'subcommand' get put delete list head ;;
         space) _values 'subcommand' list create info switch ;;
         delegation) _values 'subcommand' create list info revoke ;;
@@ -2449,7 +3141,7 @@ complete -c tc -n "not __fish_seen_subcommand_from $commands" -a profile -d "Pro
 complete -c tc -n "not __fish_seen_subcommand_from $commands" -a completion -d "Generate shell completions"
 # Subcommands
-complete -c tc -n "__fish_seen_subcommand_from auth" -a "login logout status whoami"
+complete -c tc -n "__fish_seen_subcommand_from auth" -a "login logout rotate status whoami"
 complete -c tc -n "__fish_seen_subcommand_from kv" -a "get put delete list head"
 complete -c tc -n "__fish_seen_subcommand_from space" -a "list create info switch"
 complete -c tc -n "__fish_seen_subcommand_from delegation" -a "create list info revoke"
@@ -2468,10 +3160,10 @@ complete -c tc -l quiet -s q -d "Suppress non-essential output"
 }
 // src/commands/vault.ts
-import { readFile as readFile4 } from "fs/promises";
-import { writeFile as writeFile3 } from "fs/promises";
+import { readFile as readFile5 } from "fs/promises";
+import { writeFile as writeFile4 } from "fs/promises";
 import { PrivateKeySigner as PrivateKeySigner2 } from "@tinycloud/node-sdk";
-async function readStdin2() {
+async function readStdin3() {
   const chunks = [];
   for await (const chunk of process.stdin) {
     chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
@@ -2526,9 +3218,9 @@ function registerVaultCommand(program2) {
         throw new CLIError("USAGE_ERROR", "Provide only one of: value argument, --file, or --stdin", ExitCode.USAGE_ERROR);
       }
       if (options.file) {
-        putValue = new Uint8Array(await readFile4(options.file));
+        putValue = new Uint8Array(await readFile5(options.file));
       } else if (options.stdin) {
-        putValue = new Uint8Array(await readStdin2());
+        putValue = new Uint8Array(await readStdin3());
       } else {
         putValue = value;
       }
@@ -2558,7 +3250,7 @@ function registerVaultCommand(program2) {
       const data = result.data.data ?? result.data;
       if (options.output) {
         const content = data instanceof Uint8Array ? Buffer.from(data) : typeof data === "string" ? data : JSON.stringify(data);
-        await writeFile3(options.output, content);
+        await writeFile4(options.output, content);
         outputJson({ key, written: options.output });
         return;
       }
@@ -2641,9 +3333,20 @@ function registerVaultCommand(program2) {
 }
 // src/commands/secrets.ts
-import { readFile as readFile5 } from "fs/promises";
-import { writeFile as writeFile4 } from "fs/promises";
-async function readStdin3() {
+import { readFile as readFile6 } from "fs/promises";
+import { writeFile as writeFile5 } from "fs/promises";
+import {
+  resolveSecretListPrefix,
+  resolveSecretPath
+} from "@tinycloud/node-sdk";
+var SECRETS_SPACE = "secrets";
+var SECRET_KV_ABILITIES = {
+  get: "tinycloud.kv/get",
+  put: "tinycloud.kv/put",
+  del: "tinycloud.kv/del",
+  list: "tinycloud.kv/list"
+};
+async function readStdin4() {
   const chunks = [];
   for await (const chunk of process.stdin) {
     chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
@@ -2658,6 +3361,123 @@ function resolveSecretScope(options) {
   const scope = options.scope ?? options.space;
   return scope ? { scope } : void 0;
 }
+async function ensureSecretsNode(ctx, options) {
+  const auth = authOptions(options);
+  if (auth?.privateKey) {
+    return ensureAuthenticated(ctx, auth);
+  }
+  const profile = await ProfileManager.getProfile(ctx.profile).catch(() => null);
+  if (profile?.authMethod === "openkey" && canRequestOwnerPermissions(profile)) {
+    const session = await ProfileManager.getSession(ctx.profile);
+    if (!session || isStoredSessionExpired(session)) {
+      await withSpinner(
+        session ? "Refreshing TinyCloud session..." : "Creating TinyCloud session...",
+        () => refreshOpenKeySession(ctx.profile, ctx.host)
+      );
+    }
+  }
+  return ensureAuthenticated(ctx, auth);
+}
+async function runSecretOperation(params) {
+  const first = await runSecretOperationAttempt(params.label, params.operation);
+  if (first.ok || !shouldRequestSecretPermissions(first.error)) {
+    return first;
+  }
+  const profile = await ProfileManager.getProfile(params.ctx.profile);
+  if (!canRequestOwnerPermissions(profile)) {
+    return first;
+  }
+  const requested = secretPermissionEntries({
+    action: params.action,
+    name: params.name,
+    options: params.scopeOptions,
+    node: params.node
+  });
+  await withSpinner(
+    "Requesting secret permissions...",
+    () => ensureDelegationAuthority({
+      ctx: params.ctx,
+      profile,
+      node: params.node,
+      requested,
+      expiryOption: void 0,
+      yes: true,
+      force: true
+    })
+  );
+  return runSecretOperationAttempt(params.label, params.operation);
+}
+async function runSecretOperationAttempt(label, operation) {
+  try {
+    return await withSpinner(label, operation);
+  } catch (error) {
+    const permissionError = thrownPermissionError(error);
+    if (permissionError) return permissionError;
+    throw error;
+  }
+}
+function canRequestOwnerPermissions(profile) {
+  const posture = resolveProfilePosture(profile);
+  return posture === "owner-openkey" || posture === "local-owner-key";
+}
+function shouldRequestSecretPermissions(error) {
+  if (error.code !== "PERMISSION_DENIED") return false;
+  return /permission|session expired|autosign|capabilit/i.test(error.message);
+}
+function thrownPermissionError(error) {
+  const record = error;
+  const message = typeof record?.message === "string" ? record.message : String(error);
+  const code = typeof record?.code === "string" ? record.code : "PERMISSION_DENIED";
+  if (code !== "PERMISSION_DENIED" && !/permission|session expired|autosign|capabilit/i.test(message)) {
+    return null;
+  }
+  return {
+    ok: false,
+    error: {
+      code: "PERMISSION_DENIED",
+      message
+    }
+  };
+}
+function isStoredSessionExpired(session) {
+  const record = session;
+  const direct = parseDate(record.expiresAt ?? record.expiry ?? record.expirationTime);
+  if (direct) return direct.getTime() <= Date.now();
+  if (typeof record.siwe !== "string") return false;
+  const match = record.siwe.match(/^Expiration Time:\s*(.+)$/im);
+  const expiry = match ? parseDate(match[1].trim()) : null;
+  return expiry !== null && expiry.getTime() <= Date.now();
+}
+function parseDate(value) {
+  if (value instanceof Date) {
+    return Number.isNaN(value.getTime()) ? null : value;
+  }
+  if (typeof value !== "string" || value.trim() === "") return null;
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? null : date;
+}
+function secretKvAbility(action) {
+  return SECRET_KV_ABILITIES[action];
+}
+function secretPermissionEntries(params) {
+  const path = params.action === "list" ? resolveSecretListPrefix(params.options) : resolveSecretPath(params.name ?? "", params.options).permissionPaths.vault;
+  const permissions = [{
+    service: "tinycloud.kv",
+    space: SECRETS_SPACE,
+    path,
+    actions: [secretKvAbility(params.action)],
+    skipPrefix: true
+  }];
+  if (params.action === "get") {
+    permissions.push({
+      service: "tinycloud.encryption",
+      path: params.node.getDefaultEncryptionNetworkId(),
+      actions: ["tinycloud.encryption/decrypt"],
+      skipPrefix: true
+    });
+  }
+  return permissions;
+}
 function registerSecretsCommand(program2) {
   const secrets = program2.command("secrets").description("Encrypted secrets management");
   const network = secrets.command("network").description("Manage the default secrets encryption network");
@@ -2703,12 +3523,16 @@ function registerSecretsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const node = await ensureSecretsNode(ctx, options);
       const scopeOptions = resolveSecretScope(options);
-      const result = await withSpinner(
-        "Listing secrets...",
-        () => node.secrets.list(scopeOptions)
-      );
+      const result = await runSecretOperation({
+        ctx,
+        node,
+        action: "list",
+        scopeOptions,
+        label: "Listing secrets...",
+        operation: () => node.secrets.list(scopeOptions)
+      });
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -2727,12 +3551,17 @@ function registerSecretsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const node = await ensureSecretsNode(ctx, options);
       const scopeOptions = resolveSecretScope(options);
-      const result = await withSpinner(
-        `Getting secret ${name}...`,
-        () => node.secrets.get(name, scopeOptions)
-      );
+      const result = await runSecretOperation({
+        ctx,
+        node,
+        action: "get",
+        name,
+        scopeOptions,
+        label: `Getting secret ${name}...`,
+        operation: () => node.secrets.get(name, scopeOptions)
+      });
       if (!result.ok) {
         if (result.error.code === "NOT_FOUND" || result.error.code === "KEY_NOT_FOUND") {
           throw new CLIError("NOT_FOUND", `Secret "${name}" not found`, ExitCode.NOT_FOUND);
@@ -2741,7 +3570,7 @@ function registerSecretsCommand(program2) {
       }
       const value = String(result.data);
       if (options.output) {
-        await writeFile4(options.output, value);
+        await writeFile5(options.output, value);
         outputJson({ name, written: options.output });
         return;
       }
@@ -2758,7 +3587,7 @@ function registerSecretsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const node = await ensureSecretsNode(ctx, options);
       let secretValue;
       const sources = [value !== void 0, !!options.file, !!options.stdin].filter(Boolean);
       if (sources.length === 0) {
@@ -2768,17 +3597,22 @@ function registerSecretsCommand(program2) {
         throw new CLIError("USAGE_ERROR", "Provide only one of: value argument, --file, or --stdin", ExitCode.USAGE_ERROR);
       }
       if (options.file) {
-        secretValue = await readFile5(options.file, "utf-8");
+        secretValue = await readFile6(options.file, "utf-8");
       } else if (options.stdin) {
-        secretValue = (await readStdin3()).toString("utf-8");
+        secretValue = (await readStdin4()).toString("utf-8");
       } else {
         secretValue = value;
       }
       const scopeOptions = resolveSecretScope(options);
-      const result = await withSpinner(
-        `Storing secret ${name}...`,
-        () => node.secrets.put(name, secretValue, scopeOptions)
-      );
+      const result = await runSecretOperation({
+        ctx,
+        node,
+        action: "put",
+        name,
+        scopeOptions,
+        label: `Storing secret ${name}...`,
+        operation: () => node.secrets.put(name, secretValue, scopeOptions)
+      });
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -2791,12 +3625,17 @@ function registerSecretsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const node = await ensureSecretsNode(ctx, options);
       const scopeOptions = resolveSecretScope(options);
-      const result = await withSpinner(
-        `Deleting secret ${name}...`,
-        () => node.secrets.delete(name, scopeOptions)
-      );
+      const result = await runSecretOperation({
+        ctx,
+        node,
+        action: "del",
+        name,
+        scopeOptions,
+        label: `Deleting secret ${name}...`,
+        operation: () => node.secrets.delete(name, scopeOptions)
+      });
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -2848,10 +3687,10 @@ function registerSecretsCommand(program2) {
 }
 // src/commands/vars.ts
-import { readFile as readFile6 } from "fs/promises";
-import { writeFile as writeFile5 } from "fs/promises";
+import { readFile as readFile7 } from "fs/promises";
+import { writeFile as writeFile6 } from "fs/promises";
 var VARIABLES_PREFIX = "variables/";
-async function readStdin4() {
+async function readStdin5() {
   const chunks = [];
   for await (const chunk of process.stdin) {
     chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
@@ -2921,7 +3760,7 @@ function registerVarsCommand(program2) {
         value = typeof data === "string" ? data : JSON.stringify(data);
       }
       if (options.output) {
-        await writeFile5(options.output, value);
+        await writeFile6(options.output, value);
         outputJson({ name, written: options.output });
         return;
       }
@@ -2949,9 +3788,9 @@ function registerVarsCommand(program2) {
         throw new CLIError("USAGE_ERROR", "Provide only one of: value argument, --file, or --stdin", ExitCode.USAGE_ERROR);
       }
       if (options.file) {
-        varValue = await readFile6(options.file, "utf-8");
+        varValue = await readFile7(options.file, "utf-8");
       } else if (options.stdin) {
-        varValue = (await readStdin4()).toString("utf-8");
+        varValue = (await readStdin5()).toString("utf-8");
       } else {
         varValue = value;
       }
@@ -3095,7 +3934,7 @@ function registerDoctorCommand(program2) {
 }
 // src/commands/sql.ts
-import { writeFile as writeFile6 } from "fs/promises";
+import { writeFile as writeFile7 } from "fs/promises";
 import { resolve } from "path";
 async function dbHandle(node, dbName, spaceInput, profileName) {
   const spaceUri = await resolveSpaceUri(spaceInput, profileName);
@@ -3231,7 +4070,7 @@ Output:
       const blob = result.data;
       const buffer = Buffer.from(await blob.arrayBuffer());
       const outputPath = resolve(options.output);
-      await writeFile6(outputPath, buffer);
+      await writeFile7(outputPath, buffer);
       outputJson({
         file: outputPath,
         size: blob.size,
@@ -3360,7 +4199,7 @@ function quoteIdent(name) {
 }
 // src/commands/duckdb.ts
-import { readFile as readFile7, writeFile as writeFile7 } from "fs/promises";
+import { readFile as readFile8, writeFile as writeFile8 } from "fs/promises";
 import { resolve as resolve2 } from "path";
 function registerDuckdbCommand(program2) {
   const duckdb = program2.command("duckdb").description("DuckDB database operations");
@@ -3474,7 +4313,7 @@ ${rowCount} row${rowCount === 1 ? "" : "s"} returned`) + "\n");
       const blob = result.data;
       const buffer = Buffer.from(await blob.arrayBuffer());
       const outputPath = resolve2(options.output);
-      await writeFile7(outputPath, buffer);
+      await writeFile8(outputPath, buffer);
       outputJson({
         file: outputPath,
         size: blob.size,
@@ -3490,7 +4329,7 @@ ${rowCount} row${rowCount === 1 ? "" : "s"} returned`) + "\n");
       const ctx = await ProfileManager.resolveContext(globalOpts);
       const node = await ensureAuthenticated(ctx);
       const filePath = resolve2(file);
-      const bytes = new Uint8Array(await readFile7(filePath));
+      const bytes = new Uint8Array(await readFile8(filePath));
       const result = await withSpinner(
         "Importing database...",
         () => node.duckdb.db(options.db).import(bytes)
@@ -3511,7 +4350,7 @@ ${rowCount} row${rowCount === 1 ? "" : "s"} returned`) + "\n");
 }
 // src/commands/manifest.ts
-import { readFile as readFile8 } from "fs/promises";
+import { readFile as readFile9 } from "fs/promises";
 var DEFAULT_APP_SPACE = "applications";
 function registerManifestCommand(program2) {
   const manifest = program2.command("manifest").description("Inspect TinyCloud app manifests");
@@ -3619,7 +4458,7 @@ async function loadManifestSource(source) {
     }
     return response.text();
   }
-  return readFile8(source, "utf8");
+  return readFile9(source, "utf8");
 }
 function prefixWithAppId(path, appId) {
   const slash = path.indexOf("/");
@@ -3707,6 +4546,358 @@ function registerUpgradeCommand(program2) {
   });
 }
+// src/commands/status.ts
+import {
+  NodeWasmBindings
+} from "@tinycloud/node-sdk";
+var wasmBindings = null;
+function registerStatusCommand(program2) {
+  program2.command("status").description("Show local TinyCloud profile, session, delegation, and permission state").action(async (_options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      const config = await ProfileManager.getConfig();
+      const names = (await ProfileManager.listProfiles()).sort(
+        (a, b) => a.localeCompare(b)
+      );
+      const generatedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const profiles = await Promise.all(
+        names.map(
+          (name) => inspectProfile({
+            name,
+            activeProfile: ctx.profile,
+            defaultProfile: config.defaultProfile
+          })
+        )
+      );
+      const summary = {
+        generatedAt,
+        activeProfile: ctx.profile,
+        defaultProfile: config.defaultProfile,
+        profileCount: profiles.length,
+        authenticatedProfileCount: profiles.filter((p) => p.authenticated).length,
+        activeDelegationCount: profiles.reduce(
+          (sum, profile) => sum + profile.activeDelegationCount,
+          0
+        ),
+        profiles
+      };
+      if (shouldOutputJson()) {
+        outputJson(summary);
+        return;
+      }
+      process.stdout.write(formatStatus(summary));
+    } catch (error) {
+      handleError(error);
+    }
+  });
+}
+async function inspectProfile(params) {
+  const issues = [];
+  const profile = await readProfile(params.name, issues);
+  const session = await readSession(params.name, issues);
+  const hasKey = await readHasKey(params.name, issues);
+  const storedDelegations = await readDelegations(params.name, issues);
+  const sessionPermissions = session ? sessionPermissionsFromRecap(session) : [];
+  const sessionExpiry = session ? extractSessionExpiry(session) : null;
+  const sessionExpired = sessionExpiry === null ? null : sessionExpiry.getTime() <= Date.now();
+  const statusSession = {
+    present: session !== null,
+    expired: session === null ? null : sessionExpired,
+    expiresAt: sessionExpiry?.toISOString() ?? null,
+    permissions: sessionPermissions,
+    permissionsCompact: compactPermissions(sessionPermissions)
+  };
+  const delegations = storedDelegations.map(inspectDelegation);
+  const activeDelegationPermissions = delegations.filter((delegation) => delegation.active).flatMap((delegation) => delegation.permissions);
+  const permissions = uniquePermissions([
+    ...sessionPermissions,
+    ...activeDelegationPermissions
+  ]);
+  const hasPrivateKey = typeof profile?.privateKey === "string" && profile.privateKey.length > 0;
+  const localKeyAuthenticated = profile?.authMethod === "local" && hasPrivateKey;
+  const sessionAuthenticated = session !== null && sessionExpired !== true;
+  const authenticated = localKeyAuthenticated || sessionAuthenticated;
+  const status = resolveStatus({
+    exists: profile !== null,
+    authenticated,
+    localKeyAuthenticated,
+    sessionExpired
+  });
+  return {
+    name: params.name,
+    active: params.name === params.activeProfile,
+    default: params.name === params.defaultProfile,
+    exists: profile !== null,
+    status,
+    host: profile?.host ?? null,
+    did: profile?.did ?? null,
+    sessionDid: profile?.sessionDid ?? null,
+    ownerDid: profile?.ownerDid ?? null,
+    address: profile?.address ?? null,
+    spaceId: profile?.spaceId ?? null,
+    authMethod: profile?.authMethod ?? null,
+    posture: profile ? resolveProfilePosture(profile) : null,
+    operatorType: profile ? resolveProfileOperatorType(profile) : null,
+    hasKey,
+    hasPrivateKey,
+    authenticated,
+    session: statusSession,
+    delegations,
+    permissions,
+    permissionsCompact: compactPermissions(permissions),
+    permissionCount: permissions.length,
+    activeDelegationCount: delegations.filter((delegation) => delegation.active).length,
+    delegationCount: delegations.length,
+    issues
+  };
+}
+async function readProfile(name, issues) {
+  try {
+    return await ProfileManager.getProfile(name);
+  } catch (error) {
+    issues.push(`profile: ${messageFromError(error)}`);
+    return null;
+  }
+}
+async function readSession(name, issues) {
+  try {
+    return asRecord(await ProfileManager.getSession(name));
+  } catch (error) {
+    issues.push(`session: ${messageFromError(error)}`);
+    return null;
+  }
+}
+async function readHasKey(name, issues) {
+  try {
+    return await ProfileManager.getKey(name) !== null;
+  } catch (error) {
+    issues.push(`key: ${messageFromError(error)}`);
+    return false;
+  }
+}
+async function readDelegations(name, issues) {
+  try {
+    return await loadAdditionalDelegations(name);
+  } catch (error) {
+    issues.push(`delegations: ${messageFromError(error)}`);
+    return [];
+  }
+}
+function inspectDelegation(entry) {
+  const expiry = parseDate2(entry.delegation.expiry);
+  const expired = expiry === null ? null : expiry.getTime() <= Date.now();
+  const permissions = normalizePermissions(
+    Array.isArray(entry.permissions) && entry.permissions.length > 0 ? entry.permissions : permissionsFromDelegation(entry.delegation)
+  );
+  return {
+    cid: entry.delegation.cid,
+    active: expired !== true,
+    expired,
+    expiresAt: expiry?.toISOString() ?? null,
+    permissions,
+    permissionsCompact: compactPermissions(permissions)
+  };
+}
+function resolveStatus(params) {
+  if (!params.exists) return "missing";
+  if (params.localKeyAuthenticated) return "local-key";
+  if (params.authenticated) return "logged-in";
+  if (params.sessionExpired === true) return "expired";
+  return "signed-out";
+}
+function sessionPermissionsFromRecap(session) {
+  if (typeof session.siwe !== "string" || session.siwe.length === 0) return [];
+  try {
+    const rawEntries = getWasmBindings().parseRecapFromSiwe(session.siwe);
+    if (!Array.isArray(rawEntries)) return [];
+    return normalizePermissions(rawEntries.map(permissionFromRawRecap));
+  } catch {
+    return [];
+  }
+}
+function permissionFromRawRecap(value) {
+  const record = asRecord(value);
+  if (!record) return null;
+  const service = stringValue(record.service);
+  const space = stringValue(record.space);
+  const path = stringValue(record.path);
+  const actions = Array.isArray(record.actions) ? record.actions.map(String).filter(Boolean) : [];
+  if (!service || !space || path === null || actions.length === 0) return null;
+  return {
+    service: normalizeService2(service),
+    space,
+    path,
+    actions
+  };
+}
+function normalizePermissions(entries) {
+  const permissions = [];
+  for (const entry of entries) {
+    const permission = permissionFromUnknown(entry);
+    if (permission) permissions.push(permission);
+  }
+  return uniquePermissions(permissions);
+}
+function permissionFromUnknown(value) {
+  const record = asRecord(value);
+  if (!record) return null;
+  const service = stringValue(record.service);
+  const space = stringValue(record.space);
+  const path = stringValue(record.path);
+  const actions = Array.isArray(record.actions) ? record.actions.map(String).filter(Boolean) : [];
+  if (!service || !space || path === null || actions.length === 0) return null;
+  return {
+    service: normalizeService2(service),
+    space,
+    path,
+    actions
+  };
+}
+function uniquePermissions(entries) {
+  const seen = /* @__PURE__ */ new Set();
+  const unique2 = [];
+  for (const entry of entries) {
+    const key = compactPermission(entry);
+    if (seen.has(key)) continue;
+    seen.add(key);
+    unique2.push(entry);
+  }
+  return unique2;
+}
+function compactPermissions(entries) {
+  return entries.map(compactPermission);
+}
+function extractSessionExpiry(session) {
+  for (const key of ["expiresAt", "expiry", "expirationTime"]) {
+    const parsed = parseDate2(session[key]);
+    if (parsed) return parsed;
+  }
+  if (typeof session.siwe !== "string") return null;
+  const match = session.siwe.match(/^Expiration Time:\s*(.+)$/im);
+  return match ? parseDate2(match[1].trim()) : null;
+}
+function parseDate2(value) {
+  if (value instanceof Date) {
+    return Number.isNaN(value.getTime()) ? null : value;
+  }
+  if (typeof value === "number" && Number.isFinite(value)) {
+    const millis = value > 0 && value < 1e12 ? value * 1e3 : value;
+    const date2 = new Date(millis);
+    return Number.isNaN(date2.getTime()) ? null : date2;
+  }
+  if (typeof value !== "string" || value.trim() === "") return null;
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? null : date;
+}
+function getWasmBindings() {
+  wasmBindings ??= new NodeWasmBindings();
+  return wasmBindings;
+}
+function normalizeService2(service) {
+  return service.startsWith("tinycloud.") ? service : `tinycloud.${service}`;
+}
+function asRecord(value) {
+  return value !== null && typeof value === "object" ? value : null;
+}
+function stringValue(value) {
+  return typeof value === "string" ? value : null;
+}
+function messageFromError(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function formatStatus(summary) {
+  const lines = [];
+  lines.push(theme.heading("TinyCloud Status"));
+  lines.push(`Active profile: ${theme.value(summary.activeProfile)}`);
+  lines.push(`Default profile: ${theme.value(summary.defaultProfile)}`);
+  lines.push("");
+  if (summary.profiles.length === 0) {
+    lines.push(theme.muted("No profiles configured. Run: tc init"));
+    return `${lines.join("\n")}
+`;
+  }
+  lines.push(theme.label("Profiles"));
+  for (const profile of summary.profiles) {
+    lines.push(formatProfile(profile));
+  }
+  return `${lines.join("\n")}
+`;
+}
+function formatProfile(profile) {
+  const marker = profile.active ? theme.success("*") : " ";
+  const name = profile.default ? `${profile.name} (default)` : profile.name;
+  const host = profile.host ? theme.muted(profile.host) : theme.muted("no host");
+  const summary = [
+    `${marker} ${profile.active ? theme.brand(name) : name}`,
+    formatProfileStatus(profile.status),
+    profile.posture ?? "no posture",
+    plural(profile.permissionCount, "permission"),
+    `${profile.activeDelegationCount}/${profile.delegationCount} delegations`,
+    host
+  ].join("  ");
+  const lines = [summary];
+  lines.push(`  session: ${formatSession(profile.session)}`);
+  if (profile.permissionsCompact.length > 0) {
+    lines.push("  permissions:");
+    for (const permission of profile.permissionsCompact) {
+      lines.push(`    ${permission}`);
+    }
+  }
+  if (profile.delegations.length > 0) {
+    lines.push("  delegations:");
+    for (const delegation of profile.delegations) {
+      lines.push(`    ${formatDelegation(delegation)}`);
+    }
+  }
+  if (profile.issues.length > 0) {
+    lines.push("  issues:");
+    for (const issue of profile.issues) {
+      lines.push(`    ${theme.warn(issue)}`);
+    }
+  }
+  return lines.join("\n");
+}
+function formatProfileStatus(status) {
+  switch (status) {
+    case "logged-in":
+      return theme.success("logged in");
+    case "local-key":
+      return theme.success("local key");
+    case "expired":
+      return theme.warn("expired");
+    case "missing":
+      return theme.warn("missing");
+    case "signed-out":
+      return theme.muted("signed out");
+  }
+}
+function formatSession(session) {
+  if (!session.present) return theme.muted("none");
+  if (session.expired === true) {
+    return `${theme.warn("expired")}${formatExpiresAt(session.expiresAt)}`;
+  }
+  if (session.expired === false) {
+    return `${theme.success("active")}${formatExpiresAt(session.expiresAt)}`;
+  }
+  return `${theme.success("present")}${formatExpiresAt(session.expiresAt)}`;
+}
+function formatDelegation(delegation) {
+  const state = delegation.expired === true ? theme.warn("expired") : theme.success("active");
+  return [
+    delegation.cid,
+    state,
+    formatExpiresAt(delegation.expiresAt).trim(),
+    plural(delegation.permissions.length, "permission")
+  ].filter(Boolean).join("  ");
+}
+function formatExpiresAt(expiresAt) {
+  return expiresAt ? ` until ${expiresAt}` : "";
+}
+function plural(count, label) {
+  return `${count} ${label}${count === 1 ? "" : "s"}`;
+}
 // src/index.ts
 var { version } = JSON.parse(
   readFileSync3(new URL("../package.json", import.meta.url), "utf-8")
@@ -3721,7 +4912,7 @@ program.hook("preAction", async (thisCommand) => {
   const commandName = thisCommand.name();
   const parentName = thisCommand.parent?.name();
   const fullCommand = parentName && parentName !== "tc" ? `${parentName} ${commandName}` : commandName;
-  const skipGuard = ["tc", "init", "doctor", "completion", "help", "upgrade"].includes(commandName) || fullCommand === "profile create";
+  const skipGuard = ["tc", "init", "doctor", "completion", "help", "upgrade", "status"].includes(commandName) || fullCommand === "profile create";
   if (!skipGuard && !opts.quiet && isInteractive()) {
     try {
       const config = await ProfileManager.getConfig();
@@ -3756,6 +4947,9 @@ registerSqlCommand(program);
 registerDuckdbCommand(program);
 registerManifestCommand(program);
 registerUpgradeCommand(program);
+registerStatusCommand(program);
+program.addHelpText("before", () => `${theme.label("Version:")} ${theme.value(version)}
+`);
 program.addHelpText("afterAll", () => {
   if (!process.stdout.isTTY) return "";
   return `