@vidos-id/openid4vc-issuer-cli 0.0.0-test1

package/dist/index.mjs

@@ -0,0 +1,1055 @@
+#!/usr/bin/env node
+import { pathToFileURL } from "node:url";
+import { handleCliError, printResult, readTextInput, resolveCliVersion, resolvePackageJsonPath, setVerbose, verbose } from "@vidos-id/openid4vc-cli-common";
+import { Command } from "commander";
+import { ACTIVE_TOKEN_STATUS, REVOKED_TOKEN_STATUS, SUSPENDED_TOKEN_STATUS, createIssuanceInputSchema, createTemplateInputSchema, deleteResponseSchema, getTokenStatusLabel, issuanceDetailSchema, issuanceSchema, sessionResponseSchema, templateSchema, updateIssuanceStatusInputSchema } from "@vidos-id/openid4vc-issuer-web-shared";
+import { z } from "zod";
+import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+import { stdout } from "node:process";
+import inquirer from "inquirer";
+//#region src/schemas.ts
+const serverUrlSchema = z.url();
+const sessionFileSchema = z.object({
+	serverUrl: serverUrlSchema,
+	cookieHeader: z.string().min(1),
+	user: sessionResponseSchema.shape.user
+});
+const baseCliOptionsSchema = z.object({
+	serverUrl: serverUrlSchema.optional(),
+	sessionFile: z.string().min(1).optional()
+});
+const authSignInOptionsSchema = baseCliOptionsSchema.extend({
+	anonymous: z.boolean().optional(),
+	username: z.string().min(1).optional(),
+	password: z.string().min(1).optional()
+}).superRefine((value, ctx) => {
+	if (value.anonymous) {
+		if (value.username || value.password) ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			message: "Anonymous sign-in cannot be combined with --username or --password",
+			path: ["anonymous"]
+		});
+		return;
+	}
+	if (!value.username || !value.password) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		message: "Provide --anonymous or both --username and --password",
+		path: ["username"]
+	});
+});
+const authSignUpOptionsSchema = baseCliOptionsSchema.extend({
+	username: z.string().min(1),
+	password: z.string().min(1)
+});
+const claimsInputSchema = z.object({
+	claims: z.string().optional(),
+	claimsFile: z.string().min(1).optional()
+}).superRefine((value, ctx) => {
+	if (value.claims && value.claimsFile) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		message: "Use only one of --claims or --claims-file",
+		path: ["claims"]
+	});
+});
+const templateCreateOptionsSchema = baseCliOptionsSchema.extend({
+	name: z.string().min(1),
+	vct: z.string().min(1)
+}).and(claimsInputSchema);
+const templateDeleteOptionsSchema = baseCliOptionsSchema.extend({ templateId: z.string().min(1) });
+const issuanceStatusLabelSchema = z.enum([
+	"active",
+	"revoked",
+	"suspended"
+]);
+const issuanceCreateOptionsSchema = baseCliOptionsSchema.extend({
+	templateId: z.string().min(1),
+	status: issuanceStatusLabelSchema.optional()
+}).and(claimsInputSchema);
+const issuanceIdOptionsSchema = baseCliOptionsSchema.extend({ issuanceId: z.string().min(1) });
+const issuanceStatusUpdateOptionsSchema = issuanceIdOptionsSchema.extend({ status: issuanceStatusLabelSchema });
+const interactiveOptionsSchema = baseCliOptionsSchema;
+const authApiResponseSchema = z.object({
+	token: z.string().nullable().optional(),
+	user: z.record(z.string(), z.unknown()).optional(),
+	message: z.string().optional(),
+	error: z.string().optional(),
+	code: z.string().optional()
+});
+const appErrorResponseSchema = z.object({
+	error: z.string().optional(),
+	message: z.string().optional(),
+	code: z.string().optional()
+});
+const templateListSchema = z.array(templateSchema);
+const issuanceListSchema = z.array(issuanceSchema);
+const issuerMetadataSchema = z.object({
+	credential_issuer: z.string().url(),
+	token_endpoint: z.string().url(),
+	credential_endpoint: z.string().url(),
+	nonce_endpoint: z.string().url().optional(),
+	jwks: z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) }),
+	credential_configurations_supported: z.record(z.string(), z.record(z.string(), z.unknown()))
+});
+//#endregion
+//#region src/client.ts
+var IssuerWebClient = class {
+	cookieHeader = "";
+	constructor(options) {
+		this.options = options;
+		this.cookieHeader = options.session?.cookieHeader ?? "";
+	}
+	get serverUrl() {
+		return this.options.serverUrl;
+	}
+	getCookieHeader() {
+		return this.cookieHeader;
+	}
+	async signInAnonymous() {
+		const response = await this.request("/api/auth/sign-in/anonymous", { method: "POST" });
+		authApiResponseSchema.parse(await this.parseJson(response, "anonymous sign-in"));
+		return this.getSession();
+	}
+	async signInUsername(input) {
+		const response = await this.request("/api/auth/sign-in/username", {
+			method: "POST",
+			body: input
+		});
+		authApiResponseSchema.parse(await this.parseJson(response, "username sign-in"));
+		return this.getSession();
+	}
+	async signUpUsername(input) {
+		const username = input.username.trim();
+		const response = await this.request("/api/auth/sign-up/email", {
+			method: "POST",
+			body: {
+				email: `temp-${crypto.randomUUID()}@issuer-web.local`,
+				name: username,
+				username,
+				password: input.password
+			}
+		});
+		authApiResponseSchema.parse(await this.parseJson(response, "sign-up"));
+		return this.getSession();
+	}
+	async signOut() {
+		await this.request("/api/auth/sign-out", { method: "POST" });
+		this.cookieHeader = "";
+	}
+	async getSession() {
+		const response = await this.request("/api/session");
+		return sessionResponseSchema.parse(await this.parseJson(response, "session"));
+	}
+	async getMetadata() {
+		const response = await this.request("/.well-known/openid-credential-issuer");
+		return issuerMetadataSchema.parse(await this.parseJson(response, "issuer metadata"));
+	}
+	async listTemplates() {
+		const response = await this.request("/api/templates");
+		return templateListSchema.parse(await this.parseJson(response, "template list"));
+	}
+	async createTemplate(input) {
+		const payload = createTemplateInputSchema.parse(input);
+		const response = await this.request("/api/templates", {
+			method: "POST",
+			body: payload
+		});
+		return templateSchema.parse(await this.parseJson(response, "template creation"));
+	}
+	async deleteTemplate(templateId) {
+		const response = await this.request(`/api/templates/${templateId}`, { method: "DELETE" });
+		deleteResponseSchema.parse(await this.parseJson(response, "template deletion"));
+	}
+	async listIssuances() {
+		const response = await this.request("/api/issuances");
+		return issuanceListSchema.parse(await this.parseJson(response, "issuance list"));
+	}
+	async createIssuance(input) {
+		const payload = createIssuanceInputSchema.parse(input);
+		const response = await this.request("/api/issuances", {
+			method: "POST",
+			body: payload
+		});
+		return issuanceDetailSchema.parse(await this.parseJson(response, "issuance creation"));
+	}
+	async getIssuance(issuanceId) {
+		const response = await this.request(`/api/issuances/${issuanceId}`);
+		return issuanceDetailSchema.parse(await this.parseJson(response, "issuance detail"));
+	}
+	async updateIssuanceStatus(issuanceId, input) {
+		const payload = updateIssuanceStatusInputSchema.parse(input);
+		const response = await this.request(`/api/issuances/${issuanceId}/status`, {
+			method: "PATCH",
+			body: payload
+		});
+		return issuanceDetailSchema.parse(await this.parseJson(response, "issuance status update"));
+	}
+	async request(path, init = {}) {
+		const headers = new Headers(init.headers);
+		headers.set("accept", "application/json");
+		if (this.cookieHeader) headers.set("cookie", this.cookieHeader);
+		let body = init.body;
+		if (body && typeof body === "object" && !(body instanceof FormData) && !(body instanceof URLSearchParams) && !(body instanceof Blob) && !(body instanceof ArrayBuffer)) {
+			headers.set("content-type", "application/json");
+			body = JSON.stringify(body);
+		}
+		const url = new URL(path, this.options.serverUrl);
+		verbose(`Requesting ${init.method ?? "GET"} ${url}`);
+		const response = await (this.options.fetchImpl ?? fetch)(url, {
+			...init,
+			headers,
+			body
+		});
+		this.updateCookies(response);
+		if (!response.ok) throw await this.createRequestError(response);
+		return response;
+	}
+	updateCookies(response) {
+		const setCookies = getSetCookies(response.headers);
+		if (setCookies.length === 0) return;
+		this.cookieHeader = setCookies.map((value) => value.split(";")[0]).filter(Boolean).join("; ");
+	}
+	async createRequestError(response) {
+		let message = `Request failed with status ${response.status}`;
+		try {
+			const payload = appErrorResponseSchema.safeParse(await response.json());
+			if (payload.success) message = payload.data.message ?? payload.data.error ?? message;
+		} catch {
+			try {
+				const text = (await response.text()).trim();
+				if (text) message = text;
+			} catch {}
+		}
+		return new Error(message);
+	}
+	async parseJson(response, label) {
+		try {
+			return await response.json();
+		} catch {
+			throw new Error(`Failed to parse ${label} response`);
+		}
+	}
+};
+function statusLabelToValue(label) {
+	if (label === "active") return ACTIVE_TOKEN_STATUS;
+	if (label === "revoked") return REVOKED_TOKEN_STATUS;
+	return SUSPENDED_TOKEN_STATUS;
+}
+function getSetCookies(headers) {
+	const withGetSetCookie = headers;
+	if (typeof withGetSetCookie.getSetCookie === "function") return withGetSetCookie.getSetCookie();
+	const combined = headers.get("set-cookie");
+	if (!combined) return [];
+	return combined.split(", ").filter((part) => part.includes("="));
+}
+//#endregion
+//#region src/session.ts
+const DEFAULT_SERVER_URL = "http://localhost:3001";
+function resolveDefaultSessionFilePath() {
+	return join(homedir(), ".config", "vidos-id", "openid4vc-issuer-session.json");
+}
+function resolveSessionFilePath(options) {
+	return options?.sessionFile ?? resolveDefaultSessionFilePath();
+}
+async function readStoredSession(options) {
+	const filePath = resolveSessionFilePath(options);
+	try {
+		const raw = JSON.parse(await readFile(filePath, "utf8"));
+		return sessionFileSchema.parse(raw);
+	} catch (error) {
+		if (error.code === "ENOENT") return null;
+		throw error;
+	}
+}
+async function writeStoredSession(session, options) {
+	const filePath = resolveSessionFilePath(options);
+	await mkdir(dirname(filePath), { recursive: true });
+	await writeFile(filePath, `${JSON.stringify(session, null, 2)}\n`, "utf8");
+	verbose(`Saved openid4vc-issuer session to ${filePath}`);
+	return filePath;
+}
+async function clearStoredSession(options) {
+	const filePath = resolveSessionFilePath(options);
+	await rm(filePath, { force: true });
+	verbose(`Cleared openid4vc-issuer session at ${filePath}`);
+	return filePath;
+}
+async function requireStoredSession(options) {
+	const session = await readStoredSession(options);
+	if (!session) throw new Error("No saved issuer session. Run `openid4vc-issuer auth signin` or `openid4vc-issuer` first.");
+	return session;
+}
+function resolveServerUrl(options, session) {
+	return options?.serverUrl ?? session?.serverUrl ?? DEFAULT_SERVER_URL;
+}
+function assertSessionMatchesServerUrl(serverUrl, session) {
+	if (session.serverUrl !== serverUrl) throw new Error(`Saved session targets ${session.serverUrl}. Sign in again for ${serverUrl} or omit --server-url.`);
+}
+//#endregion
+//#region src/actions/auth.ts
+async function authSignInAction(rawOptions, deps = {}) {
+	const options = authSignInOptionsSchema.parse(rawOptions);
+	const serverUrl = resolveServerUrl(options);
+	const client = new IssuerWebClient({
+		serverUrl,
+		fetchImpl: deps.fetchImpl
+	});
+	const user = requireUser(options.anonymous ? await client.signInAnonymous() : await signInWithUsernamePassword(client, options));
+	await writeStoredSession({
+		serverUrl,
+		cookieHeader: client.getCookieHeader(),
+		user
+	}, options);
+	return {
+		serverUrl,
+		user
+	};
+}
+async function authSignUpAction(rawOptions, deps = {}) {
+	const options = authSignUpOptionsSchema.parse(rawOptions);
+	const serverUrl = resolveServerUrl(options);
+	const client = new IssuerWebClient({
+		serverUrl,
+		fetchImpl: deps.fetchImpl
+	});
+	const user = requireUser(await client.signUpUsername({
+		username: options.username,
+		password: options.password
+	}));
+	await writeStoredSession({
+		serverUrl,
+		cookieHeader: client.getCookieHeader(),
+		user
+	}, options);
+	return {
+		serverUrl,
+		user
+	};
+}
+async function authWhoAmIAction(rawOptions, deps = {}) {
+	const options = baseCliOptionsSchema.parse(rawOptions);
+	const stored = await requireStoredSession(options);
+	const serverUrl = resolveServerUrl(options, stored);
+	assertSessionMatchesServerUrl(serverUrl, stored);
+	const client = new IssuerWebClient({
+		serverUrl,
+		fetchImpl: deps.fetchImpl,
+		session: stored
+	});
+	const user = requireUser(await client.getSession());
+	await writeStoredSession({
+		serverUrl,
+		cookieHeader: client.getCookieHeader(),
+		user
+	}, options);
+	return {
+		serverUrl,
+		user
+	};
+}
+async function authSignOutAction(rawOptions, deps = {}) {
+	const options = baseCliOptionsSchema.parse(rawOptions);
+	const stored = await requireStoredSession(options);
+	const serverUrl = resolveServerUrl(options, stored);
+	assertSessionMatchesServerUrl(serverUrl, stored);
+	const client = new IssuerWebClient({
+		serverUrl,
+		fetchImpl: deps.fetchImpl,
+		session: stored
+	});
+	try {
+		await client.signOut();
+	} finally {
+		await clearStoredSession(options);
+	}
+	return { serverUrl };
+}
+async function signInWithUsernamePassword(client, options) {
+	if (!options.username || !options.password) throw new Error("Provide --anonymous or both --username and --password");
+	return client.signInUsername({
+		username: options.username,
+		password: options.password
+	});
+}
+function requireUser(session) {
+	if (!session.user) throw new Error("Authentication succeeded but no active session was returned.");
+	return session.user;
+}
+//#endregion
+//#region src/format.ts
+function section(title, lines) {
+	return [title, ...lines.map((line) => `  ${line}`)].join("\n");
+}
+function jsonBlock(value) {
+	return JSON.stringify(value, null, 2).split("\n").map((line) => `  ${line}`).join("\n");
+}
+function x5cToPem(x5c) {
+	const lines = ["-----BEGIN CERTIFICATE-----"];
+	for (let i = 0; i < x5c.length; i += 64) lines.push(x5c.slice(i, i + 64));
+	lines.push("-----END CERTIFICATE-----");
+	return lines.join("\n");
+}
+function formatSessionSummary(input) {
+	return section("Session", [
+		`server: ${input.serverUrl}`,
+		`user: ${input.user.username ?? input.user.name}`,
+		`name: ${input.user.name}`,
+		`mode: ${input.user.isAnonymous ? "guest" : "username"}`,
+		`user id: ${input.user.id}`
+	]);
+}
+function formatTemplateList(templates) {
+	if (templates.length === 0) return "No templates found.";
+	return [`Templates (${templates.length})`, ...templates.flatMap((template, index) => [
+		`${index + 1}. ${template.name} [${template.kind}]`,
+		`   id: ${template.id}`,
+		`   vct: ${template.vct}`,
+		`   configuration: ${template.credentialConfigurationId}`
+	])].join("\n");
+}
+function formatTemplateSummary(template) {
+	return [
+		section("Template", [
+			`name: ${template.name}`,
+			`id: ${template.id}`,
+			`kind: ${template.kind}`,
+			`vct: ${template.vct}`,
+			`configuration: ${template.credentialConfigurationId}`
+		]),
+		"",
+		"Default claims",
+		jsonBlock(template.defaultClaims)
+	].join("\n");
+}
+function formatIssuanceList(issuances) {
+	if (issuances.length === 0) return "No issuances found.";
+	return [`Issuances (${issuances.length})`, ...issuances.flatMap((issuance, index) => [
+		`${index + 1}. ${issuance.vct}`,
+		`   id: ${issuance.id}`,
+		`   state: ${issuance.state}`,
+		`   status: ${getTokenStatusLabel(issuance.status)}`,
+		`   created: ${issuance.createdAt}`
+	])].join("\n");
+}
+function formatIssuanceSummary(detail) {
+	const { issuance } = detail;
+	return [
+		section("Issuance", [
+			`id: ${issuance.id}`,
+			`template: ${issuance.templateId}`,
+			`vct: ${issuance.vct}`,
+			`state: ${issuance.state}`,
+			`status: ${getTokenStatusLabel(issuance.status)}`,
+			`created: ${issuance.createdAt}`
+		]),
+		"",
+		"Offer URI",
+		`  ${issuance.offerUri}`,
+		"",
+		"Claims",
+		jsonBlock(issuance.claims)
+	].join("\n");
+}
+function formatDeletedTemplate(templateId) {
+	return `Deleted template ${templateId}.`;
+}
+function formatSignedOut(serverUrl) {
+	return serverUrl ? `Signed out from ${serverUrl}.` : "Signed out.";
+}
+function formatIssuerMetadata(metadata) {
+	const endpointLines = [
+		`credential issuer: ${metadata.credential_issuer}`,
+		`token endpoint: ${metadata.token_endpoint}`,
+		`credential endpoint: ${metadata.credential_endpoint}`
+	];
+	if (metadata.nonce_endpoint) endpointLines.push(`nonce endpoint: ${metadata.nonce_endpoint}`);
+	const signingKeyLines = metadata.jwks.keys.flatMap((key, index) => {
+		const lines = [
+			`Key ${index + 1}`,
+			`  kid: ${typeof key.kid === "string" ? key.kid : "-"}`,
+			`  alg: ${typeof key.alg === "string" ? key.alg : "-"}`,
+			`  kty: ${typeof key.kty === "string" ? key.kty : "-"}`,
+			"  jwk:",
+			jsonBlock(Object.fromEntries(Object.entries(key).filter(([name]) => name !== "x5c")))
+		];
+		const x5cValues = Array.isArray(key.x5c) ? key.x5c.filter((value) => typeof value === "string") : [];
+		if (x5cValues.length === 0) {
+			lines.push("  x5c: none");
+			return lines;
+		}
+		for (const [certIndex, cert] of x5cValues.entries()) {
+			lines.push(`  certificate ${certIndex + 1}:`);
+			lines.push(...x5cToPem(cert).split("\n").map((line) => `    ${line}`));
+		}
+		return lines;
+	});
+	const credentialConfigurationLines = Object.entries(metadata.credential_configurations_supported).flatMap(([configId, config]) => [configId, jsonBlock(config)]);
+	return [
+		section("Endpoints", endpointLines),
+		"",
+		section("Signing Keys", signingKeyLines),
+		"",
+		section("Credential Configurations Supported", credentialConfigurationLines)
+	].join("\n");
+}
+//#endregion
+//#region src/prompts.ts
+var PromptSession = class {
+	close() {}
+	async text(label, options) {
+		const { value } = await inquirer.prompt([{
+			type: options?.password ? "password" : "input",
+			name: "value",
+			message: label,
+			default: options?.defaultValue,
+			mask: options?.password ? "*" : void 0,
+			validate: (input) => {
+				if (input.trim() || options?.allowEmpty || options?.defaultValue !== void 0) return true;
+				return "A value is required";
+			}
+		}]);
+		return value.trim() || options?.defaultValue || "";
+	}
+	async choose(label, choices) {
+		const { value } = await inquirer.prompt([{
+			type: "list",
+			name: "value",
+			message: label,
+			choices: choices.map((choice) => ({
+				name: choice.label,
+				value: choice.value
+			}))
+		}]);
+		return value;
+	}
+	async confirm(label, defaultValue = true) {
+		const { value } = await inquirer.prompt([{
+			type: "confirm",
+			name: "value",
+			message: label,
+			default: defaultValue
+		}]);
+		return value;
+	}
+};
+//#endregion
+//#region src/actions/issuances.ts
+async function listIssuancesAction(rawOptions, deps = {}) {
+	const { client, options, serverUrl, session } = await getAuthenticatedClient$1(baseCliOptionsSchema.parse(rawOptions), deps);
+	const issuances = await client.listIssuances();
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		issuances
+	};
+}
+async function createIssuanceAction(rawOptions, deps = {}) {
+	const options = issuanceCreateOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient$1(options, deps);
+	const claimsText = await readTextInput(options.claims, options.claimsFile).catch(() => void 0);
+	const input = { templateId: options.templateId };
+	if (claimsText) input.claims = parseJsonObject$1(claimsText, "issuance claims");
+	if (options.status) input.status = statusLabelToValue(options.status);
+	const detail = await client.createIssuance(input);
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		detail
+	};
+}
+async function showIssuanceAction(rawOptions, deps = {}) {
+	const options = issuanceIdOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient$1(options, deps);
+	const detail = await client.getIssuance(options.issuanceId);
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		detail
+	};
+}
+async function updateIssuanceStatusAction(rawOptions, deps = {}) {
+	const options = issuanceStatusUpdateOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient$1(options, deps);
+	const detail = await client.updateIssuanceStatus(options.issuanceId, { status: statusLabelToValue(options.status) });
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		detail
+	};
+}
+async function getAuthenticatedClient$1(options, deps) {
+	const session = await requireStoredSession(options);
+	const serverUrl = resolveServerUrl(options, session);
+	assertSessionMatchesServerUrl(serverUrl, session);
+	return {
+		client: new IssuerWebClient({
+			serverUrl,
+			fetchImpl: deps.fetchImpl,
+			session
+		}),
+		options,
+		serverUrl,
+		session
+	};
+}
+function parseJsonObject$1(value, label) {
+	let parsed;
+	try {
+		parsed = JSON.parse(value);
+	} catch {
+		throw new Error(`${label} must be valid JSON`);
+	}
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`${label} must be a JSON object`);
+	return parsed;
+}
+//#endregion
+//#region src/actions/metadata.ts
+async function metadataAction(rawOptions, deps = {}) {
+	const serverUrl = resolveServerUrl(baseCliOptionsSchema.parse(rawOptions));
+	return {
+		serverUrl,
+		metadata: await new IssuerWebClient({
+			serverUrl,
+			fetchImpl: deps.fetchImpl
+		}).getMetadata()
+	};
+}
+//#endregion
+//#region src/actions/templates.ts
+async function listTemplatesAction(rawOptions, deps = {}) {
+	const { client, options, serverUrl, session } = await getAuthenticatedClient(baseCliOptionsSchema.parse(rawOptions), deps);
+	const templates = await client.listTemplates();
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		templates
+	};
+}
+async function createTemplateAction(rawOptions, deps = {}) {
+	const options = templateCreateOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient(options, deps);
+	const claimsText = options.claims !== void 0 || options.claimsFile !== void 0 ? await readTextInput(options.claims, options.claimsFile) : void 0;
+	const template = await client.createTemplate({
+		name: options.name,
+		vct: options.vct,
+		defaultClaims: claimsText ? parseJsonObject(claimsText, "template claims") : {}
+	});
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		template
+	};
+}
+async function deleteTemplateAction(rawOptions, deps = {}) {
+	const options = templateDeleteOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient(options, deps);
+	await client.deleteTemplate(options.templateId);
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		templateId: options.templateId
+	};
+}
+async function getAuthenticatedClient(options, deps) {
+	const session = await requireStoredSession(options);
+	const serverUrl = resolveServerUrl(options, session);
+	assertSessionMatchesServerUrl(serverUrl, session);
+	return {
+		client: new IssuerWebClient({
+			serverUrl,
+			fetchImpl: deps.fetchImpl,
+			session
+		}),
+		options,
+		serverUrl,
+		session
+	};
+}
+function parseJsonObject(value, label) {
+	let parsed;
+	try {
+		parsed = JSON.parse(value);
+	} catch {
+		throw new Error(`${label} must be valid JSON`);
+	}
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`${label} must be a JSON object`);
+	return parsed;
+}
+//#endregion
+//#region src/actions/interactive.ts
+async function interactiveAction(rawOptions, deps = {}) {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) throw new Error("Interactive mode requires a TTY. Use an explicit subcommand for non-interactive usage.");
+	const options = interactiveOptionsSchema.parse(rawOptions);
+	const prompt = new PromptSession();
+	let serverUrl = await resolveInteractiveServerUrl(prompt, options);
+	try {
+		while (true) {
+			const session = await readStoredSession(options);
+			if (!session || session.serverUrl !== serverUrl) await authenticateInteractive(prompt, {
+				...options,
+				serverUrl
+			}, deps);
+			const choice = await prompt.choose("Issuer CLI", [
+				{
+					label: "Who am I",
+					value: "whoami"
+				},
+				{
+					label: "Show issuer metadata",
+					value: "metadata"
+				},
+				{
+					label: "List templates",
+					value: "templates-list"
+				},
+				{
+					label: "Create template",
+					value: "templates-create"
+				},
+				{
+					label: "Delete template",
+					value: "templates-delete"
+				},
+				{
+					label: "List issuances",
+					value: "issuances-list"
+				},
+				{
+					label: "Create issuance",
+					value: "issuances-create"
+				},
+				{
+					label: "Show issuance",
+					value: "issuances-show"
+				},
+				{
+					label: "Update issuance status",
+					value: "issuances-status"
+				},
+				{
+					label: "Switch server",
+					value: "switch-server"
+				},
+				{
+					label: "Sign out",
+					value: "signout"
+				},
+				{
+					label: "Exit",
+					value: "exit"
+				}
+			]);
+			stdout.write("\n");
+			if (choice === "exit") return;
+			if (choice === "switch-server") {
+				serverUrl = await resolveInteractiveServerUrl(prompt, {
+					...options,
+					serverUrl
+				});
+				continue;
+			}
+			if (choice === "whoami") {
+				const result = await authWhoAmIAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatSessionSummary(result)}\n\n`);
+				continue;
+			}
+			if (choice === "metadata") {
+				const result = await metadataAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatIssuerMetadata(result.metadata)}\n\n`);
+				continue;
+			}
+			if (choice === "templates-list") {
+				const result = await listTemplatesAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatTemplateList(result.templates)}\n\n`);
+				continue;
+			}
+			if (choice === "templates-create") {
+				const name = await prompt.text("Template name");
+				const vct = await prompt.text("VCT");
+				const claims = await prompt.text("Default claims JSON", { defaultValue: "{}" });
+				const result = await createTemplateAction({
+					...options,
+					serverUrl,
+					name,
+					vct,
+					claims
+				}, deps);
+				stdout.write(`${formatTemplateSummary(result.template)}\n\n`);
+				continue;
+			}
+			if (choice === "templates-delete") {
+				const result = await listTemplatesAction({
+					...options,
+					serverUrl
+				}, deps);
+				if (result.templates.length === 0) {
+					stdout.write("No templates found.\n\n");
+					continue;
+				}
+				const selectable = result.templates.filter((template) => template.kind === "custom");
+				if (selectable.length === 0) {
+					stdout.write("No custom templates can be deleted.\n\n");
+					continue;
+				}
+				const templateId = await prompt.choose("Select a template to delete", selectable.map((template) => ({
+					label: `${template.name} (${template.id})`,
+					value: template.id
+				})));
+				if (!await prompt.confirm(`Delete template ${templateId}?`, false)) {
+					stdout.write("Cancelled.\n\n");
+					continue;
+				}
+				const deleted = await deleteTemplateAction({
+					...options,
+					serverUrl,
+					templateId
+				}, deps);
+				stdout.write(`${formatDeletedTemplate(deleted.templateId)}\n\n`);
+				continue;
+			}
+			if (choice === "issuances-list") {
+				const result = await listIssuancesAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatIssuanceList(result.issuances)}\n\n`);
+				continue;
+			}
+			if (choice === "issuances-create") {
+				const templates = await listTemplatesAction({
+					...options,
+					serverUrl
+				}, deps);
+				if (templates.templates.length === 0) {
+					stdout.write("No templates available. Create one first.\n\n");
+					continue;
+				}
+				const templateId = await prompt.choose("Select a template", templates.templates.map((template) => ({
+					label: `${template.name} (${template.vct})`,
+					value: template.id
+				})));
+				const claims = await prompt.text("Issuance claims JSON", { defaultValue: "{}" });
+				const status = await prompt.choose("Initial status", [
+					{
+						label: "active",
+						value: "active"
+					},
+					{
+						label: "suspended",
+						value: "suspended"
+					},
+					{
+						label: "revoked",
+						value: "revoked"
+					}
+				]);
+				const created = await createIssuanceAction({
+					...options,
+					serverUrl,
+					templateId,
+					claims,
+					status
+				}, deps);
+				stdout.write(`${formatIssuanceSummary(created.detail)}\n\n`);
+				continue;
+			}
+			if (choice === "issuances-show") {
+				const issuanceId = await prompt.text("Issuance id");
+				const result = await showIssuanceAction({
+					...options,
+					serverUrl,
+					issuanceId
+				}, deps);
+				stdout.write(`${formatIssuanceSummary(result.detail)}\n\n`);
+				continue;
+			}
+			if (choice === "issuances-status") {
+				const issuanceId = await prompt.text("Issuance id");
+				const status = await prompt.choose("New status", [
+					{
+						label: "active",
+						value: "active"
+					},
+					{
+						label: "suspended",
+						value: "suspended"
+					},
+					{
+						label: "revoked",
+						value: "revoked"
+					}
+				]);
+				const result = await updateIssuanceStatusAction({
+					...options,
+					serverUrl,
+					issuanceId,
+					status
+				}, deps);
+				stdout.write(`${formatIssuanceSummary(result.detail)}\n\n`);
+				continue;
+			}
+			if (choice === "signout") {
+				const result = await authSignOutAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatSignedOut(result.serverUrl)}\n\n`);
+			}
+		}
+	} finally {
+		prompt.close();
+	}
+}
+async function authenticateInteractive(prompt, options, deps) {
+	stdout.write(`No saved session for ${options.serverUrl}.\n`);
+	const choice = await prompt.choose("Choose authentication mode", [
+		{
+			label: "Continue as guest",
+			value: "guest"
+		},
+		{
+			label: "Sign in",
+			value: "signin"
+		},
+		{
+			label: "Create account",
+			value: "signup"
+		}
+	]);
+	if (choice === "guest") {
+		const result = await authSignInAction({
+			...options,
+			anonymous: true
+		}, deps);
+		stdout.write(`${formatSessionSummary(result)}\n\n`);
+		return;
+	}
+	const username = await prompt.text("Username");
+	const password = await prompt.text("Password", { password: true });
+	if (choice === "signup") {
+		const result = await authSignUpAction({
+			...options,
+			username,
+			password
+		}, deps);
+		stdout.write(`${formatSessionSummary(result)}\n\n`);
+		return;
+	}
+	const result = await authSignInAction({
+		...options,
+		username,
+		password
+	}, deps);
+	stdout.write(`${formatSessionSummary(result)}\n\n`);
+}
+async function resolveInteractiveServerUrl(prompt, options) {
+	const saved = await readStoredSession(options);
+	return prompt.text("Issuer web server URL", { defaultValue: resolveServerUrl(options, saved ?? void 0) });
+}
+//#endregion
+//#region src/program.ts
+function withCommonOptions(command) {
+	return command.option("--server-url <url>", "Issuer web server base URL (default: saved session, ISSUER_WEB_SERVER_URL, or http://localhost:3001)").option("--session-file <file>", "Override the saved session file location");
+}
+function createProgram(version) {
+	const program = withCommonOptions(new Command().name("openid4vc-issuer").version(version).description("Terminal client for openid4vc-issuer-web-server. Run without a subcommand to start interactive mode.").addHelpText("after", "\nInteractive mode:\n  Run `openid4vc-issuer` without a subcommand to open the prompt-driven workflow.").showHelpAfterError().option("--verbose", "Enable verbose logging to stderr", false).hook("preAction", (_thisCommand, actionCommand) => {
+		if (actionCommand.optsWithGlobals().verbose) setVerbose(true);
+	})).action(async (options) => {
+		await interactiveAction(options);
+	});
+	withCommonOptions(program.command("metadata").description("Show issuer metadata from /.well-known/openid-credential-issuer").option("--output <format>", "Output format: text or json", "text")).action(async (options) => {
+		const result = await metadataAction(options);
+		printResult(options.output === "json" ? result.metadata : formatIssuerMetadata(result.metadata), options.output);
+	});
+	const auth = program.command("auth").description("Authenticate and inspect the current session");
+	withCommonOptions(auth.command("signin").description("Sign in with a guest session or username/password").option("--anonymous", "Start a guest session").option("--username <name>", "Username for sign-in").option("--password <password>", "Password for sign-in").addHelpText("after", `\nExamples:\n  $ openid4vc-issuer auth signin --anonymous\n  $ openid4vc-issuer auth signin --server-url http://localhost:3001 --username ada --password secret`)).action(async (options) => {
+		verbose(`Signing in to ${options.serverUrl ?? "saved/default server"}`);
+		printResult(formatSessionSummary(await authSignInAction(options)), "text");
+	});
+	withCommonOptions(auth.command("signup").description("Create an account and save the resulting session").requiredOption("--username <name>", "Username for the new account").requiredOption("--password <password>", "Password for the new account")).action(async (options) => {
+		printResult(formatSessionSummary(await authSignUpAction(options)), "text");
+	});
+	withCommonOptions(auth.command("whoami").description("Show the currently saved session")).action(async (options) => {
+		printResult(formatSessionSummary(await authWhoAmIAction(options)), "text");
+	});
+	withCommonOptions(auth.command("signout").description("Sign out and clear the saved session")).action(async (options) => {
+		printResult(formatSignedOut((await authSignOutAction(options)).serverUrl), "text");
+	});
+	const templates = program.command("templates").description("Manage credential templates through openid4vc-issuer-web-server");
+	withCommonOptions(templates.command("list").description("List templates visible to the current user")).action(async (options) => {
+		printResult(formatTemplateList((await listTemplatesAction(options)).templates), "text");
+	});
+	withCommonOptions(templates.command("create").description("Create a custom template").requiredOption("--name <value>", "Template name").requiredOption("--vct <value>", "Verifiable Credential Type").option("--claims <json>", "Inline JSON object for default claims").option("--claims-file <file>", "Path to a JSON file with default claims").addHelpText("after", `\nExamples:\n  $ openid4vc-issuer templates create --name "Conference Pass" --vct urn:eudi:pid:1 --claims '{"given_name":"Ada"}'\n  $ openid4vc-issuer templates create --name "PID" --vct urn:eudi:pid:1 --claims-file ./claims.json`)).action(async (options) => {
+		printResult(formatTemplateSummary((await createTemplateAction(options)).template), "text");
+	});
+	withCommonOptions(templates.command("delete").description("Delete a custom template by id").requiredOption("--template-id <id>", "Template id")).action(async (options) => {
+		printResult(formatDeletedTemplate((await deleteTemplateAction(options)).templateId), "text");
+	});
+	const issuances = program.command("issuances").description("Create and manage credential offers");
+	withCommonOptions(issuances.command("list").description("List issuances for the current user")).action(async (options) => {
+		printResult(formatIssuanceList((await listIssuancesAction(options)).issuances), "text");
+	});
+	withCommonOptions(issuances.command("create").description("Create a new issuance offer from a template").requiredOption("--template-id <id>", "Template id").option("--claims <json>", "Inline JSON object with issuance claims").option("--claims-file <file>", "Path to a JSON file with issuance claims").option("--status <value>", "Initial credential status: active, suspended, or revoked").addHelpText("after", `\nExample:\n  $ openid4vc-issuer issuances create --template-id <template-id> --claims '{"seat":"A-12"}' --status active`)).action(async (options) => {
+		printResult(formatIssuanceSummary((await createIssuanceAction(options)).detail), "text");
+	});
+	withCommonOptions(issuances.command("show").description("Show one issuance including the offer URI").requiredOption("--issuance-id <id>", "Issuance id")).action(async (options) => {
+		printResult(formatIssuanceSummary((await showIssuanceAction(options)).detail), "text");
+	});
+	withCommonOptions(issuances.command("status").description("Update the credential status for an issuance").requiredOption("--issuance-id <id>", "Issuance id").requiredOption("--status <value>", "New credential status: active, suspended, or revoked")).action(async (options) => {
+		printResult(formatIssuanceSummary((await updateIssuanceStatusAction(options)).detail), "text");
+	});
+	return program;
+}
+//#endregion
+//#region src/index.ts
+async function runCli(argv = process.argv) {
+	const version = await resolveCliVersion(resolvePackageJsonPath(import.meta.url));
+	try {
+		await createProgram(version).parseAsync(argv);
+	} catch (error) {
+		handleCliError(error);
+	}
+}
+if (import.meta.url === pathToFileURL(process.argv[1] ?? process.cwd()).href) runCli().catch((error) => {
+	handleCliError(error);
+});
+//#endregion
+export { authSignInAction, authSignOutAction, authSignUpAction, authWhoAmIAction, createIssuanceAction, createProgram, createTemplateAction, deleteTemplateAction, interactiveAction, listIssuancesAction, listTemplatesAction, metadataAction, runCli, showIssuanceAction, updateIssuanceStatusAction };