@tinycloud/cli 0.6.0-beta.1 → 0.6.0-beta.10

package/dist/index.js

@@ -549,7 +549,7 @@ var ProfileManager = class _ProfileManager {
 
 // src/auth/local-key.ts
 import { TCWSessionManager, importKey, initPanicHook } from "@tinycloud/node-sdk-wasm";
-import { PrivateKeySigner } from "@tinycloud/node-sdk";
+import { PrivateKeySigner, pkhDid } from "@tinycloud/node-sdk";
 import { randomBytes } from "crypto";
 var wasmInitialized = false;
 function ensureWasm() {
@@ -583,7 +583,7 @@ async function deriveAddress(privateKey) {
   return signer.getAddress();
 }
 function addressToDID(address, chainId = 1) {
-  return `did:pkh:eip155:${chainId}:${address}`;
+  return pkhDid(address, chainId);
 }
 async function generateLocalIdentity(chainId = 1) {
   const privateKey = generateEthereumPrivateKey();
@@ -620,6 +620,25 @@ async function localKeySignIn(options) {
 // src/auth/browser-auth.ts
 import { createServer } from "http";
 import { createInterface } from "readline";
+var PRIVATE_JWK_FIELDS = /* @__PURE__ */ new Set([
+  "d",
+  "p",
+  "q",
+  "dp",
+  "dq",
+  "qi",
+  "oth",
+  "k"
+]);
+function publicJwkForDelegation(jwk) {
+  const publicJwk = {};
+  for (const [key, value] of Object.entries(jwk)) {
+    if (!PRIVATE_JWK_FIELDS.has(key)) {
+      publicJwk[key] = value;
+    }
+  }
+  return publicJwk;
+}
 async function startAuthFlow(did, options = {}) {
   if (options.paste) {
     return pasteFlow(did, options);
@@ -641,7 +660,9 @@ function buildAuthUrl(did, options = {}) {
     params.set("callback", options.callback);
   }
   if (options.jwk) {
-    const jwkB64 = Buffer.from(JSON.stringify(options.jwk)).toString("base64url");
+    const jwkB64 = Buffer.from(
+      JSON.stringify(publicJwkForDelegation(options.jwk))
+    ).toString("base64url");
     params.set("jwk", jwkB64);
   }
   if (options.host) {
@@ -843,7 +864,7 @@ function registerInitCommand(program2) {
       await ProfileManager.setProfile(profileName, {
         ...profileConfig,
         spaceId: delegationData.spaceId,
-        primaryDid: delegationData.primaryDid
+        ownerDid: delegationData.ownerDid
       });
       outputJson({
         profile: profileName,
@@ -903,13 +924,22 @@ import {
 } from "@tinycloud/node-sdk";
 
 // src/lib/space.ts
+import {
+  buildSpaceUri,
+  canonicalizeAddress,
+  makePkhSpaceId,
+  parsePkhDid,
+  parseSpaceUri
+} from "@tinycloud/node-sdk";
 function resolveAddress(profile, session) {
   const sessAddr = session?.address;
-  if (typeof sessAddr === "string" && sessAddr.length > 0) return sessAddr;
-  if (profile.address) return profile.address;
-  if (profile.primaryDid) {
-    const match = profile.primaryDid.match(/^did:pkh:eip155:\d+:(0x[a-fA-F0-9]{40})$/);
-    if (match) return match[1];
+  if (typeof sessAddr === "string" && sessAddr.length > 0) {
+    return canonicalizeAddress(sessAddr);
+  }
+  if (profile.address) return canonicalizeAddress(profile.address);
+  if (profile.ownerDid) {
+    const pkh = parsePkhDid(profile.ownerDid);
+    if (pkh) return pkh.address;
   }
   throw new CLIError(
     "ADDRESS_UNKNOWN",
@@ -924,7 +954,17 @@ function resolveChainId(profile, session) {
 }
 async function resolveSpaceUri(input, profileName) {
   if (!input) return void 0;
-  if (input.startsWith("tinycloud:")) return input;
+  if (input.startsWith("tinycloud:")) {
+    const parsed = parseSpaceUri(input);
+    if (!parsed) {
+      throw new CLIError(
+        "INVALID_SPACE",
+        `Invalid --space "${input}". Use a short name ([A-Za-z0-9_-]) or a full tinycloud:... URI.`,
+        ExitCode.USAGE_ERROR
+      );
+    }
+    return buildSpaceUri(parsed.owner, parsed.name);
+  }
   if (!/^[A-Za-z0-9_-]+$/.test(input)) {
     throw new CLIError(
       "INVALID_SPACE",
@@ -936,7 +976,7 @@ async function resolveSpaceUri(input, profileName) {
   const session = await ProfileManager.getSession(profileName);
   const address = resolveAddress(profile, session);
   const chainId = resolveChainId(profile, session);
-  return `tinycloud:pkh:eip155:${chainId}:${address}:${input}`;
+  return makePkhSpaceId(address, chainId, input);
 }
 
 // src/lib/permissions.ts
@@ -959,8 +999,8 @@ function createPermissionRequestArtifact(params) {
     posture: resolveProfilePosture(params.profile),
     operatorType: resolveProfileOperatorType(params.profile),
     host: params.host,
-    did: didWithoutFragment(params.profile.sessionDid ?? params.profile.did),
-    primaryDid: params.profile.primaryDid,
+    sessionDid: didWithoutFragment(params.profile.sessionDid ?? params.profile.did),
+    ownerDid: params.profile.ownerDid,
     spaceId: params.profile.spaceId,
     requestedExpiry: params.requestedExpiry,
     requested: params.requested,
@@ -1362,6 +1402,15 @@ function registerAuthCommand(program2) {
       handleError(error);
     }
   });
+  auth.command("rotate").description("Rotate the active profile session key").option("--paste", "Use manual paste mode instead of browser callback").action(async (options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      await rotateAuthKey(ctx.profile, ctx.host, { paste: options.paste });
+    } catch (error) {
+      handleError(error);
+    }
+  });
   auth.command("status").description("Show current authentication state").action(async (_options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
@@ -1382,7 +1431,7 @@ function registerAuthCommand(program2) {
           authenticated,
           did: profile?.did ?? null,
           sessionDid: profile?.sessionDid ?? null,
-          primaryDid: profile?.primaryDid ?? null,
+          ownerDid: profile?.ownerDid ?? null,
           spaceId: profile?.spaceId ?? null,
           host: ctx.host,
           profile: ctx.profile,
@@ -1402,7 +1451,7 @@ function registerAuthCommand(program2) {
         process.stdout.write(formatField("Host", ctx.host) + "\n");
         process.stdout.write(formatField("DID", profile?.did ?? null) + "\n");
         process.stdout.write(formatField("Session DID", profile?.sessionDid ?? null) + "\n");
-        process.stdout.write(formatField("Primary DID", profile?.primaryDid ?? null) + "\n");
+        process.stdout.write(formatField("Owner DID", profile?.ownerDid ?? null) + "\n");
         process.stdout.write(formatField("Address", profile?.address ?? null) + "\n");
         process.stdout.write(formatField("Space ID", profile?.spaceId ?? null) + "\n");
         process.stdout.write(formatField("Has Key", hasKey !== null) + "\n");
@@ -1603,7 +1652,7 @@ function registerAuthCommand(program2) {
         yes: options.yes === true
       });
       const result = await node.delegateTo(
-        parsed.did,
+        parsed.sessionDid,
         parsed.requested,
         parsed.requestedExpiry !== void 0 ? { expiry: parsed.requestedExpiry } : void 0
       );
@@ -1735,7 +1784,7 @@ function registerAuthCommand(program2) {
           profile: ctx.profile,
           did: profile.did,
           sessionDid: profile.sessionDid ?? null,
-          primaryDid: profile.primaryDid ?? null,
+          ownerDid: profile.ownerDid ?? null,
           spaceId: profile.spaceId ?? null,
           host: profile.host,
           authenticated,
@@ -1749,7 +1798,7 @@ function registerAuthCommand(program2) {
         process.stdout.write(formatField("Profile", ctx.profile) + "\n");
         process.stdout.write(formatField("DID", profile.did) + "\n");
         process.stdout.write(formatField("Session DID", profile.sessionDid ?? null) + "\n");
-        process.stdout.write(formatField("Primary DID", profile.primaryDid ?? null) + "\n");
+        process.stdout.write(formatField("Owner DID", profile.ownerDid ?? null) + "\n");
         process.stdout.write(formatField("Auth Method", profile.authMethod ?? null) + "\n");
         process.stdout.write(formatField("Posture", posture) + "\n");
         process.stdout.write(formatField("Operator", operatorType) + "\n");
@@ -1880,7 +1929,7 @@ function normalizePortableDelegation(delegation) {
   return { ...delegation, expiry };
 }
 async function ensureDelegationAuthority(params) {
-  if (params.node.hasRuntimePermissions(params.requested)) return;
+  if (!params.force && params.node.hasRuntimePermissions(params.requested)) return;
   if (params.profile.authMethod === "openkey") {
     const key = await ProfileManager.getKey(params.ctx.profile);
     if (!key) {
@@ -2026,18 +2075,40 @@ function parseExpiryOption(raw) {
 }
 function groupPermissionsBySpace(permissions) {
   const groups = /* @__PURE__ */ new Map();
+  const rawEntries = [];
   for (const permission of permissions) {
+    if (isRawPermission(permission)) {
+      rawEntries.push(permission);
+      continue;
+    }
     const group = groups.get(permission.space) ?? [];
     group.push(permission);
     groups.set(permission.space, group);
   }
-  return Array.from(groups.values());
+  const grouped = Array.from(groups.values());
+  if (grouped.length === 0) {
+    return rawEntries.length > 0 ? [rawEntries] : [];
+  }
+  grouped[0].push(...rawEntries);
+  return grouped;
+}
+function isRawPermission(permission) {
+  return permission.service === "tinycloud.encryption" && permission.path.startsWith("urn:tinycloud:encryption:");
+}
+function returnedSpaceMatchesExpected(returnedSpace, expectedSpace) {
+  if (returnedSpace === expectedSpace) return true;
+  if (!returnedSpace.startsWith("tinycloud:")) return false;
+  const returnedName = returnedSpace.slice(returnedSpace.lastIndexOf(":") + 1);
+  return returnedName === expectedSpace;
 }
 function portableFromOpenKeyDelegation(data, permissions, host) {
-  const primary = permissions[0];
-  const returnedSpace = String(data.spaceId ?? primary.space);
-  const expectedSpaces = new Set(permissions.map((permission) => permission.space));
-  if (expectedSpaces.size !== 1 || !expectedSpaces.has(returnedSpace)) {
+  const primary = permissions.find((permission) => !isRawPermission(permission)) ?? permissions[0];
+  const returnedSpace = String(data.spaceId ?? primary.space ?? "encryption");
+  const expectedSpaces = new Set(
+    permissions.filter((permission) => !isRawPermission(permission)).map((permission) => permission.space)
+  );
+  const matchesExpectedSpace = expectedSpaces.size === 1 && returnedSpaceMatchesExpected(returnedSpace, Array.from(expectedSpaces)[0]);
+  if (expectedSpaces.size > 0 && !matchesExpectedSpace) {
     throw new CLIError(
       "OPENKEY_SCOPE_MISMATCH",
       `OpenKey returned delegation for ${returnedSpace}, expected ${Array.from(expectedSpaces).join(", ")}.`,
@@ -2072,16 +2143,74 @@ function inferDelegationExpiry(data) {
   }
   return new Date(Date.now() + 60 * 60 * 1e3);
 }
-async function handleLocalAuth(profileName, host) {
+async function rotateAuthKey(profileName, host, options = {}) {
+  const profile = await ProfileManager.getProfile(profileName);
+  const posture = resolveProfilePosture(profile);
+  const oldDid = profile.sessionDid ?? profile.did;
+  if (posture === "delegate-session") {
+    throw new CLIError(
+      "ROTATE_DELEGATE_SESSION_UNSUPPORTED",
+      `Profile "${profileName}" is a delegated session. Request or import a new owner delegation instead of rotating it locally.`,
+      ExitCode.PERMISSION_DENIED
+    );
+  }
+  if (profile.authMethod === "local" || posture === "local-owner-key") {
+    if (!profile.privateKey) {
+      throw new CLIError(
+        "LOCAL_OWNER_KEY_REQUIRED",
+        `Profile "${profileName}" does not have a local owner private key. Run \`tc auth login --method local\` first.`,
+        ExitCode.AUTH_REQUIRED
+      );
+    }
+    await ProfileManager.clearSession(profileName);
+    const result2 = await handleLocalAuth(profileName, host, {
+      emitOutput: false,
+      forceSessionKey: true
+    });
+    outputRotationResult(result2.profile, profileName, oldDid, "local");
+    return;
+  }
+  const { jwk, did } = await withSpinner("Generating session key...", async () => {
+    return generateKey();
+  });
+  await ProfileManager.setKey(profileName, jwk);
+  await ProfileManager.clearSession(profileName);
+  await ProfileManager.setProfile(profileName, {
+    ...profile,
+    host,
+    did,
+    sessionDid: did,
+    posture: profile.posture ?? "owner-openkey",
+    operatorType: profile.operatorType ?? "human",
+    authMethod: "openkey"
+  });
+  const result = await refreshOpenKeySession(profileName, host, {
+    paste: options.paste
+  });
+  outputRotationResult(result.profile, profileName, oldDid, "openkey");
+}
+function outputRotationResult(profile, profileName, oldDid, authMethod) {
+  outputJson({
+    rotated: true,
+    profile: profileName,
+    oldDid,
+    did: profile.did,
+    sessionDid: profile.sessionDid ?? null,
+    authMethod,
+    spaceId: profile.spaceId ?? null
+  });
+}
+async function handleLocalAuth(profileName, host, options = {}) {
   const profile = await ProfileManager.getProfile(profileName).catch(() => null);
+  const posture = profile ? resolveProfilePosture(profile) : null;
   let privateKey;
   let address;
   let did;
   let sessionDid = profile?.sessionDid;
-  if (profile?.authMethod === "local" && profile.privateKey && profile.address) {
+  if ((profile?.authMethod === "local" || posture === "local-owner-key") && profile.privateKey) {
     privateKey = profile.privateKey;
-    address = profile.address;
-    did = profile.did;
+    address = profile.address ?? await deriveAddress(privateKey);
+    did = profile.did.startsWith("did:pkh:") ? profile.did : addressToDID(address, profile.chainId ?? DEFAULT_CHAIN_ID);
     if (isInteractive()) {
       process.stderr.write(theme.muted("Using existing local key") + "\n");
       process.stderr.write(formatField("Address", address) + "\n");
@@ -2100,7 +2229,7 @@ async function handleLocalAuth(profileName, host) {
     }
   }
   const hasKey = await ProfileManager.getKey(profileName);
-  if (!hasKey) {
+  if (options.forceSessionKey || !hasKey) {
     const { jwk, did: generatedSessionDid } = await withSpinner("Generating session key...", async () => {
       return generateKey();
     });
@@ -2125,7 +2254,7 @@ async function handleLocalAuth(profileName, host) {
     signature: sessionResult.signature
   });
   sessionDid = sessionResult.verificationMethod;
-  await ProfileManager.setProfile(profileName, {
+  const updatedProfile = {
     ...profile,
     name: profileName,
     host,
@@ -2133,7 +2262,7 @@ async function handleLocalAuth(profileName, host) {
     spaceName: "default",
     did,
     sessionDid,
-    primaryDid: did,
+    ownerDid: did,
     spaceId: sessionResult.spaceId,
     createdAt: profile?.createdAt ?? (/* @__PURE__ */ new Date()).toISOString(),
     posture: profile?.posture ?? "local-owner-key",
@@ -2141,18 +2270,32 @@ async function handleLocalAuth(profileName, host) {
     authMethod: "local",
     privateKey,
     address
-  });
+  };
+  await ProfileManager.setProfile(profileName, updatedProfile);
+  if (options.emitOutput ?? true) {
+    outputJson({
+      authenticated: true,
+      profile: profileName,
+      did,
+      sessionDid,
+      address,
+      spaceId: sessionResult.spaceId,
+      authMethod: "local"
+    });
+  }
+  return { profile: updatedProfile, sessionResult };
+}
+async function handleOpenKeyAuth(profileName, host, paste) {
+  const { profile, delegationData } = await refreshOpenKeySession(profileName, host, { paste });
   outputJson({
     authenticated: true,
     profile: profileName,
-    did,
-    sessionDid,
-    address,
-    spaceId: sessionResult.spaceId,
-    authMethod: "local"
+    did: profile.did,
+    spaceId: delegationData.spaceId,
+    authMethod: "openkey"
   });
 }
-async function handleOpenKeyAuth(profileName, host, paste) {
+async function refreshOpenKeySession(profileName, host, options = {}) {
   const key = await ProfileManager.getKey(profileName);
   if (!key) {
     throw new CLIError(
@@ -2163,7 +2306,7 @@ async function handleOpenKeyAuth(profileName, host, paste) {
   }
   const profile = await ProfileManager.getProfile(profileName);
   const delegationData = await startAuthFlow(profile.did, {
-    paste,
+    paste: options.paste,
     jwk: key,
     host,
     openkeyHost: resolveOpenKeyHost(profile)
@@ -2178,16 +2321,10 @@ async function handleOpenKeyAuth(profileName, host, paste) {
   };
   if (delegationData.spaceId) {
     updatedProfile.spaceId = delegationData.spaceId;
-    updatedProfile.primaryDid = delegationData.primaryDid;
+    updatedProfile.ownerDid = delegationData.ownerDid;
   }
   await ProfileManager.setProfile(profileName, updatedProfile);
-  outputJson({
-    authenticated: true,
-    profile: profileName,
-    did: profile.did,
-    spaceId: delegationData.spaceId,
-    authMethod: "openkey"
-  });
+  return { profile: updatedProfile, delegationData };
 }
 
 // src/commands/kv.ts
@@ -2452,6 +2589,15 @@ function parseExpiry(input) {
 }
 
 // src/commands/delegation.ts
+import { principalDidEquals } from "@tinycloud/node-sdk";
+function didMatches(actual, expected) {
+  if (!actual) return false;
+  try {
+    return principalDidEquals(actual, expected);
+  } catch {
+    return actual === expected;
+  }
+}
 function registerDelegationCommand(program2) {
   const delegation = program2.command("delegation").description("Manage delegations");
   delegation.command("create").description("Create a delegation").requiredOption("--to <did>", "Recipient DID").requiredOption("--path <path>", "KV path scope").requiredOption("--actions <actions>", "Comma-separated actions (e.g., kv/get,kv/list)").option("--expiry <duration>", "Expiry duration (e.g., 1h, 7d, ISO date)", "1h").action(async (options, cmd) => {
@@ -2496,10 +2642,10 @@ function registerDelegationCommand(program2) {
       let delegations = result.data;
       if (options.granted) {
         const myDid = node.did;
-        delegations = delegations.filter((d) => d.delegatorDID === myDid);
+        delegations = delegations.filter((d) => didMatches(d.delegatorDID, myDid));
       } else if (options.received) {
         const myDid = node.did;
-        delegations = delegations.filter((d) => d.delegateDID === myDid || d.delegateDID?.includes(myDid));
+        delegations = delegations.filter((d) => didMatches(d.delegateDID, myDid));
       }
       outputJson({
         delegations: delegations.map((d) => ({
@@ -2910,7 +3056,7 @@ _tc_completions() {
   commands="init auth kv space delegation share node profile completion"
 
   case "\${COMP_WORDS[1]}" in
-    auth) subcommands="login logout status whoami" ;;
+    auth) subcommands="login logout rotate status whoami" ;;
     kv) subcommands="get put delete list head" ;;
     space) subcommands="list create info switch" ;;
     delegation) subcommands="create list info revoke" ;;
@@ -2960,7 +3106,7 @@ _tc() {
       ;;
     args)
       case $words[1] in
-        auth) _values 'subcommand' login logout status whoami ;;
+        auth) _values 'subcommand' login logout rotate status whoami ;;
         kv) _values 'subcommand' get put delete list head ;;
         space) _values 'subcommand' list create info switch ;;
         delegation) _values 'subcommand' create list info revoke ;;
@@ -2995,7 +3141,7 @@ complete -c tc -n "not __fish_seen_subcommand_from $commands" -a profile -d "Pro
 complete -c tc -n "not __fish_seen_subcommand_from $commands" -a completion -d "Generate shell completions"
 
 # Subcommands
-complete -c tc -n "__fish_seen_subcommand_from auth" -a "login logout status whoami"
+complete -c tc -n "__fish_seen_subcommand_from auth" -a "login logout rotate status whoami"
 complete -c tc -n "__fish_seen_subcommand_from kv" -a "get put delete list head"
 complete -c tc -n "__fish_seen_subcommand_from space" -a "list create info switch"
 complete -c tc -n "__fish_seen_subcommand_from delegation" -a "create list info revoke"
@@ -3189,6 +3335,17 @@ function registerVaultCommand(program2) {
 // src/commands/secrets.ts
 import { readFile as readFile6 } from "fs/promises";
 import { writeFile as writeFile5 } from "fs/promises";
+import {
+  resolveSecretListPrefix,
+  resolveSecretPath
+} from "@tinycloud/node-sdk";
+var SECRETS_SPACE = "secrets";
+var SECRET_KV_ABILITIES = {
+  get: "tinycloud.kv/get",
+  put: "tinycloud.kv/put",
+  del: "tinycloud.kv/del",
+  list: "tinycloud.kv/list"
+};
 async function readStdin4() {
   const chunks = [];
   for await (const chunk of process.stdin) {
@@ -3204,6 +3361,123 @@ function resolveSecretScope(options) {
   const scope = options.scope ?? options.space;
   return scope ? { scope } : void 0;
 }
+async function ensureSecretsNode(ctx, options) {
+  const auth = authOptions(options);
+  if (auth?.privateKey) {
+    return ensureAuthenticated(ctx, auth);
+  }
+  const profile = await ProfileManager.getProfile(ctx.profile).catch(() => null);
+  if (profile?.authMethod === "openkey" && canRequestOwnerPermissions(profile)) {
+    const session = await ProfileManager.getSession(ctx.profile);
+    if (!session || isStoredSessionExpired(session)) {
+      await withSpinner(
+        session ? "Refreshing TinyCloud session..." : "Creating TinyCloud session...",
+        () => refreshOpenKeySession(ctx.profile, ctx.host)
+      );
+    }
+  }
+  return ensureAuthenticated(ctx, auth);
+}
+async function runSecretOperation(params) {
+  const first = await runSecretOperationAttempt(params.label, params.operation);
+  if (first.ok || !shouldRequestSecretPermissions(first.error)) {
+    return first;
+  }
+  const profile = await ProfileManager.getProfile(params.ctx.profile);
+  if (!canRequestOwnerPermissions(profile)) {
+    return first;
+  }
+  const requested = secretPermissionEntries({
+    action: params.action,
+    name: params.name,
+    options: params.scopeOptions,
+    node: params.node
+  });
+  await withSpinner(
+    "Requesting secret permissions...",
+    () => ensureDelegationAuthority({
+      ctx: params.ctx,
+      profile,
+      node: params.node,
+      requested,
+      expiryOption: void 0,
+      yes: true,
+      force: true
+    })
+  );
+  return runSecretOperationAttempt(params.label, params.operation);
+}
+async function runSecretOperationAttempt(label, operation) {
+  try {
+    return await withSpinner(label, operation);
+  } catch (error) {
+    const permissionError = thrownPermissionError(error);
+    if (permissionError) return permissionError;
+    throw error;
+  }
+}
+function canRequestOwnerPermissions(profile) {
+  const posture = resolveProfilePosture(profile);
+  return posture === "owner-openkey" || posture === "local-owner-key";
+}
+function shouldRequestSecretPermissions(error) {
+  if (error.code !== "PERMISSION_DENIED") return false;
+  return /permission|session expired|autosign|capabilit/i.test(error.message);
+}
+function thrownPermissionError(error) {
+  const record = error;
+  const message = typeof record?.message === "string" ? record.message : String(error);
+  const code = typeof record?.code === "string" ? record.code : "PERMISSION_DENIED";
+  if (code !== "PERMISSION_DENIED" && !/permission|session expired|autosign|capabilit/i.test(message)) {
+    return null;
+  }
+  return {
+    ok: false,
+    error: {
+      code: "PERMISSION_DENIED",
+      message
+    }
+  };
+}
+function isStoredSessionExpired(session) {
+  const record = session;
+  const direct = parseDate(record.expiresAt ?? record.expiry ?? record.expirationTime);
+  if (direct) return direct.getTime() <= Date.now();
+  if (typeof record.siwe !== "string") return false;
+  const match = record.siwe.match(/^Expiration Time:\s*(.+)$/im);
+  const expiry = match ? parseDate(match[1].trim()) : null;
+  return expiry !== null && expiry.getTime() <= Date.now();
+}
+function parseDate(value) {
+  if (value instanceof Date) {
+    return Number.isNaN(value.getTime()) ? null : value;
+  }
+  if (typeof value !== "string" || value.trim() === "") return null;
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? null : date;
+}
+function secretKvAbility(action) {
+  return SECRET_KV_ABILITIES[action];
+}
+function secretPermissionEntries(params) {
+  const path = params.action === "list" ? resolveSecretListPrefix(params.options) : resolveSecretPath(params.name ?? "", params.options).permissionPaths.vault;
+  const permissions = [{
+    service: "tinycloud.kv",
+    space: SECRETS_SPACE,
+    path,
+    actions: [secretKvAbility(params.action)],
+    skipPrefix: true
+  }];
+  if (params.action === "get") {
+    permissions.push({
+      service: "tinycloud.encryption",
+      path: params.node.getDefaultEncryptionNetworkId(),
+      actions: ["tinycloud.encryption/decrypt"],
+      skipPrefix: true
+    });
+  }
+  return permissions;
+}
 function registerSecretsCommand(program2) {
   const secrets = program2.command("secrets").description("Encrypted secrets management");
   const network = secrets.command("network").description("Manage the default secrets encryption network");
@@ -3249,12 +3523,16 @@ function registerSecretsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const node = await ensureSecretsNode(ctx, options);
       const scopeOptions = resolveSecretScope(options);
-      const result = await withSpinner(
-        "Listing secrets...",
-        () => node.secrets.list(scopeOptions)
-      );
+      const result = await runSecretOperation({
+        ctx,
+        node,
+        action: "list",
+        scopeOptions,
+        label: "Listing secrets...",
+        operation: () => node.secrets.list(scopeOptions)
+      });
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -3273,12 +3551,17 @@ function registerSecretsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const node = await ensureSecretsNode(ctx, options);
       const scopeOptions = resolveSecretScope(options);
-      const result = await withSpinner(
-        `Getting secret ${name}...`,
-        () => node.secrets.get(name, scopeOptions)
-      );
+      const result = await runSecretOperation({
+        ctx,
+        node,
+        action: "get",
+        name,
+        scopeOptions,
+        label: `Getting secret ${name}...`,
+        operation: () => node.secrets.get(name, scopeOptions)
+      });
       if (!result.ok) {
         if (result.error.code === "NOT_FOUND" || result.error.code === "KEY_NOT_FOUND") {
           throw new CLIError("NOT_FOUND", `Secret "${name}" not found`, ExitCode.NOT_FOUND);
@@ -3304,7 +3587,7 @@ function registerSecretsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const node = await ensureSecretsNode(ctx, options);
       let secretValue;
       const sources = [value !== void 0, !!options.file, !!options.stdin].filter(Boolean);
       if (sources.length === 0) {
@@ -3321,10 +3604,15 @@ function registerSecretsCommand(program2) {
         secretValue = value;
       }
       const scopeOptions = resolveSecretScope(options);
-      const result = await withSpinner(
-        `Storing secret ${name}...`,
-        () => node.secrets.put(name, secretValue, scopeOptions)
-      );
+      const result = await runSecretOperation({
+        ctx,
+        node,
+        action: "put",
+        name,
+        scopeOptions,
+        label: `Storing secret ${name}...`,
+        operation: () => node.secrets.put(name, secretValue, scopeOptions)
+      });
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -3337,12 +3625,17 @@ function registerSecretsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const node = await ensureSecretsNode(ctx, options);
       const scopeOptions = resolveSecretScope(options);
-      const result = await withSpinner(
-        `Deleting secret ${name}...`,
-        () => node.secrets.delete(name, scopeOptions)
-      );
+      const result = await runSecretOperation({
+        ctx,
+        node,
+        action: "del",
+        name,
+        scopeOptions,
+        label: `Deleting secret ${name}...`,
+        operation: () => node.secrets.delete(name, scopeOptions)
+      });
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -4253,6 +4546,358 @@ function registerUpgradeCommand(program2) {
   });
 }
 
+// src/commands/status.ts
+import {
+  NodeWasmBindings
+} from "@tinycloud/node-sdk";
+var wasmBindings = null;
+function registerStatusCommand(program2) {
+  program2.command("status").description("Show local TinyCloud profile, session, delegation, and permission state").action(async (_options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      const config = await ProfileManager.getConfig();
+      const names = (await ProfileManager.listProfiles()).sort(
+        (a, b) => a.localeCompare(b)
+      );
+      const generatedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const profiles = await Promise.all(
+        names.map(
+          (name) => inspectProfile({
+            name,
+            activeProfile: ctx.profile,
+            defaultProfile: config.defaultProfile
+          })
+        )
+      );
+      const summary = {
+        generatedAt,
+        activeProfile: ctx.profile,
+        defaultProfile: config.defaultProfile,
+        profileCount: profiles.length,
+        authenticatedProfileCount: profiles.filter((p) => p.authenticated).length,
+        activeDelegationCount: profiles.reduce(
+          (sum, profile) => sum + profile.activeDelegationCount,
+          0
+        ),
+        profiles
+      };
+      if (shouldOutputJson()) {
+        outputJson(summary);
+        return;
+      }
+      process.stdout.write(formatStatus(summary));
+    } catch (error) {
+      handleError(error);
+    }
+  });
+}
+async function inspectProfile(params) {
+  const issues = [];
+  const profile = await readProfile(params.name, issues);
+  const session = await readSession(params.name, issues);
+  const hasKey = await readHasKey(params.name, issues);
+  const storedDelegations = await readDelegations(params.name, issues);
+  const sessionPermissions = session ? sessionPermissionsFromRecap(session) : [];
+  const sessionExpiry = session ? extractSessionExpiry(session) : null;
+  const sessionExpired = sessionExpiry === null ? null : sessionExpiry.getTime() <= Date.now();
+  const statusSession = {
+    present: session !== null,
+    expired: session === null ? null : sessionExpired,
+    expiresAt: sessionExpiry?.toISOString() ?? null,
+    permissions: sessionPermissions,
+    permissionsCompact: compactPermissions(sessionPermissions)
+  };
+  const delegations = storedDelegations.map(inspectDelegation);
+  const activeDelegationPermissions = delegations.filter((delegation) => delegation.active).flatMap((delegation) => delegation.permissions);
+  const permissions = uniquePermissions([
+    ...sessionPermissions,
+    ...activeDelegationPermissions
+  ]);
+  const hasPrivateKey = typeof profile?.privateKey === "string" && profile.privateKey.length > 0;
+  const localKeyAuthenticated = profile?.authMethod === "local" && hasPrivateKey;
+  const sessionAuthenticated = session !== null && sessionExpired !== true;
+  const authenticated = localKeyAuthenticated || sessionAuthenticated;
+  const status = resolveStatus({
+    exists: profile !== null,
+    authenticated,
+    localKeyAuthenticated,
+    sessionExpired
+  });
+  return {
+    name: params.name,
+    active: params.name === params.activeProfile,
+    default: params.name === params.defaultProfile,
+    exists: profile !== null,
+    status,
+    host: profile?.host ?? null,
+    did: profile?.did ?? null,
+    sessionDid: profile?.sessionDid ?? null,
+    ownerDid: profile?.ownerDid ?? null,
+    address: profile?.address ?? null,
+    spaceId: profile?.spaceId ?? null,
+    authMethod: profile?.authMethod ?? null,
+    posture: profile ? resolveProfilePosture(profile) : null,
+    operatorType: profile ? resolveProfileOperatorType(profile) : null,
+    hasKey,
+    hasPrivateKey,
+    authenticated,
+    session: statusSession,
+    delegations,
+    permissions,
+    permissionsCompact: compactPermissions(permissions),
+    permissionCount: permissions.length,
+    activeDelegationCount: delegations.filter((delegation) => delegation.active).length,
+    delegationCount: delegations.length,
+    issues
+  };
+}
+async function readProfile(name, issues) {
+  try {
+    return await ProfileManager.getProfile(name);
+  } catch (error) {
+    issues.push(`profile: ${messageFromError(error)}`);
+    return null;
+  }
+}
+async function readSession(name, issues) {
+  try {
+    return asRecord(await ProfileManager.getSession(name));
+  } catch (error) {
+    issues.push(`session: ${messageFromError(error)}`);
+    return null;
+  }
+}
+async function readHasKey(name, issues) {
+  try {
+    return await ProfileManager.getKey(name) !== null;
+  } catch (error) {
+    issues.push(`key: ${messageFromError(error)}`);
+    return false;
+  }
+}
+async function readDelegations(name, issues) {
+  try {
+    return await loadAdditionalDelegations(name);
+  } catch (error) {
+    issues.push(`delegations: ${messageFromError(error)}`);
+    return [];
+  }
+}
+function inspectDelegation(entry) {
+  const expiry = parseDate2(entry.delegation.expiry);
+  const expired = expiry === null ? null : expiry.getTime() <= Date.now();
+  const permissions = normalizePermissions(
+    Array.isArray(entry.permissions) && entry.permissions.length > 0 ? entry.permissions : permissionsFromDelegation(entry.delegation)
+  );
+  return {
+    cid: entry.delegation.cid,
+    active: expired !== true,
+    expired,
+    expiresAt: expiry?.toISOString() ?? null,
+    permissions,
+    permissionsCompact: compactPermissions(permissions)
+  };
+}
+function resolveStatus(params) {
+  if (!params.exists) return "missing";
+  if (params.localKeyAuthenticated) return "local-key";
+  if (params.authenticated) return "logged-in";
+  if (params.sessionExpired === true) return "expired";
+  return "signed-out";
+}
+function sessionPermissionsFromRecap(session) {
+  if (typeof session.siwe !== "string" || session.siwe.length === 0) return [];
+  try {
+    const rawEntries = getWasmBindings().parseRecapFromSiwe(session.siwe);
+    if (!Array.isArray(rawEntries)) return [];
+    return normalizePermissions(rawEntries.map(permissionFromRawRecap));
+  } catch {
+    return [];
+  }
+}
+function permissionFromRawRecap(value) {
+  const record = asRecord(value);
+  if (!record) return null;
+  const service = stringValue(record.service);
+  const space = stringValue(record.space);
+  const path = stringValue(record.path);
+  const actions = Array.isArray(record.actions) ? record.actions.map(String).filter(Boolean) : [];
+  if (!service || !space || path === null || actions.length === 0) return null;
+  return {
+    service: normalizeService2(service),
+    space,
+    path,
+    actions
+  };
+}
+function normalizePermissions(entries) {
+  const permissions = [];
+  for (const entry of entries) {
+    const permission = permissionFromUnknown(entry);
+    if (permission) permissions.push(permission);
+  }
+  return uniquePermissions(permissions);
+}
+function permissionFromUnknown(value) {
+  const record = asRecord(value);
+  if (!record) return null;
+  const service = stringValue(record.service);
+  const space = stringValue(record.space);
+  const path = stringValue(record.path);
+  const actions = Array.isArray(record.actions) ? record.actions.map(String).filter(Boolean) : [];
+  if (!service || !space || path === null || actions.length === 0) return null;
+  return {
+    service: normalizeService2(service),
+    space,
+    path,
+    actions
+  };
+}
+function uniquePermissions(entries) {
+  const seen = /* @__PURE__ */ new Set();
+  const unique2 = [];
+  for (const entry of entries) {
+    const key = compactPermission(entry);
+    if (seen.has(key)) continue;
+    seen.add(key);
+    unique2.push(entry);
+  }
+  return unique2;
+}
+function compactPermissions(entries) {
+  return entries.map(compactPermission);
+}
+function extractSessionExpiry(session) {
+  for (const key of ["expiresAt", "expiry", "expirationTime"]) {
+    const parsed = parseDate2(session[key]);
+    if (parsed) return parsed;
+  }
+  if (typeof session.siwe !== "string") return null;
+  const match = session.siwe.match(/^Expiration Time:\s*(.+)$/im);
+  return match ? parseDate2(match[1].trim()) : null;
+}
+function parseDate2(value) {
+  if (value instanceof Date) {
+    return Number.isNaN(value.getTime()) ? null : value;
+  }
+  if (typeof value === "number" && Number.isFinite(value)) {
+    const millis = value > 0 && value < 1e12 ? value * 1e3 : value;
+    const date2 = new Date(millis);
+    return Number.isNaN(date2.getTime()) ? null : date2;
+  }
+  if (typeof value !== "string" || value.trim() === "") return null;
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? null : date;
+}
+function getWasmBindings() {
+  wasmBindings ??= new NodeWasmBindings();
+  return wasmBindings;
+}
+function normalizeService2(service) {
+  return service.startsWith("tinycloud.") ? service : `tinycloud.${service}`;
+}
+function asRecord(value) {
+  return value !== null && typeof value === "object" ? value : null;
+}
+function stringValue(value) {
+  return typeof value === "string" ? value : null;
+}
+function messageFromError(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function formatStatus(summary) {
+  const lines = [];
+  lines.push(theme.heading("TinyCloud Status"));
+  lines.push(`Active profile: ${theme.value(summary.activeProfile)}`);
+  lines.push(`Default profile: ${theme.value(summary.defaultProfile)}`);
+  lines.push("");
+  if (summary.profiles.length === 0) {
+    lines.push(theme.muted("No profiles configured. Run: tc init"));
+    return `${lines.join("\n")}
+`;
+  }
+  lines.push(theme.label("Profiles"));
+  for (const profile of summary.profiles) {
+    lines.push(formatProfile(profile));
+  }
+  return `${lines.join("\n")}
+`;
+}
+function formatProfile(profile) {
+  const marker = profile.active ? theme.success("*") : " ";
+  const name = profile.default ? `${profile.name} (default)` : profile.name;
+  const host = profile.host ? theme.muted(profile.host) : theme.muted("no host");
+  const summary = [
+    `${marker} ${profile.active ? theme.brand(name) : name}`,
+    formatProfileStatus(profile.status),
+    profile.posture ?? "no posture",
+    plural(profile.permissionCount, "permission"),
+    `${profile.activeDelegationCount}/${profile.delegationCount} delegations`,
+    host
+  ].join("  ");
+  const lines = [summary];
+  lines.push(`  session: ${formatSession(profile.session)}`);
+  if (profile.permissionsCompact.length > 0) {
+    lines.push("  permissions:");
+    for (const permission of profile.permissionsCompact) {
+      lines.push(`    ${permission}`);
+    }
+  }
+  if (profile.delegations.length > 0) {
+    lines.push("  delegations:");
+    for (const delegation of profile.delegations) {
+      lines.push(`    ${formatDelegation(delegation)}`);
+    }
+  }
+  if (profile.issues.length > 0) {
+    lines.push("  issues:");
+    for (const issue of profile.issues) {
+      lines.push(`    ${theme.warn(issue)}`);
+    }
+  }
+  return lines.join("\n");
+}
+function formatProfileStatus(status) {
+  switch (status) {
+    case "logged-in":
+      return theme.success("logged in");
+    case "local-key":
+      return theme.success("local key");
+    case "expired":
+      return theme.warn("expired");
+    case "missing":
+      return theme.warn("missing");
+    case "signed-out":
+      return theme.muted("signed out");
+  }
+}
+function formatSession(session) {
+  if (!session.present) return theme.muted("none");
+  if (session.expired === true) {
+    return `${theme.warn("expired")}${formatExpiresAt(session.expiresAt)}`;
+  }
+  if (session.expired === false) {
+    return `${theme.success("active")}${formatExpiresAt(session.expiresAt)}`;
+  }
+  return `${theme.success("present")}${formatExpiresAt(session.expiresAt)}`;
+}
+function formatDelegation(delegation) {
+  const state = delegation.expired === true ? theme.warn("expired") : theme.success("active");
+  return [
+    delegation.cid,
+    state,
+    formatExpiresAt(delegation.expiresAt).trim(),
+    plural(delegation.permissions.length, "permission")
+  ].filter(Boolean).join("  ");
+}
+function formatExpiresAt(expiresAt) {
+  return expiresAt ? ` until ${expiresAt}` : "";
+}
+function plural(count, label) {
+  return `${count} ${label}${count === 1 ? "" : "s"}`;
+}
+
 // src/index.ts
 var { version } = JSON.parse(
   readFileSync3(new URL("../package.json", import.meta.url), "utf-8")
@@ -4267,7 +4912,7 @@ program.hook("preAction", async (thisCommand) => {
   const commandName = thisCommand.name();
   const parentName = thisCommand.parent?.name();
   const fullCommand = parentName && parentName !== "tc" ? `${parentName} ${commandName}` : commandName;
-  const skipGuard = ["tc", "init", "doctor", "completion", "help", "upgrade"].includes(commandName) || fullCommand === "profile create";
+  const skipGuard = ["tc", "init", "doctor", "completion", "help", "upgrade", "status"].includes(commandName) || fullCommand === "profile create";
   if (!skipGuard && !opts.quiet && isInteractive()) {
     try {
       const config = await ProfileManager.getConfig();
@@ -4302,6 +4947,9 @@ registerSqlCommand(program);
 registerDuckdbCommand(program);
 registerManifestCommand(program);
 registerUpgradeCommand(program);
+registerStatusCommand(program);
+program.addHelpText("before", () => `${theme.label("Version:")} ${theme.value(version)}
+`);
 program.addHelpText("afterAll", () => {
   if (!process.stdout.isTTY) return "";
   return `