npm - @vidos-id/openid4vc-issuer-cli - Versions diffs - 0.10.0 → 0.10.2 - Mend

@vidos-id/openid4vc-issuer-cli 0.10.0 → 0.10.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/src-DBuvoW80.mjs ADDED Viewed

@@ -0,0 +1,1050 @@
+import { handleCliError, printResult, readTextInput, resolveCliVersion, resolvePackageJsonPath, setVerbose, verbose } from "@vidos-id/openid4vc-cli-common";
+import { Command } from "commander";
+import { ACTIVE_TOKEN_STATUS, REVOKED_TOKEN_STATUS, SUSPENDED_TOKEN_STATUS, createIssuanceInputSchema, createTemplateInputSchema, deleteResponseSchema, getTokenStatusLabel, issuanceDetailSchema, issuanceSchema, sessionResponseSchema, templateSchema, updateIssuanceStatusInputSchema } from "@vidos-id/openid4vc-issuer-web-shared";
+import { z } from "zod";
+import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+import { stdout } from "node:process";
+import inquirer from "inquirer";
+//#region src/schemas.ts
+const serverUrlSchema = z.url();
+const sessionFileSchema = z.object({
+	serverUrl: serverUrlSchema,
+	cookieHeader: z.string().min(1),
+	user: sessionResponseSchema.shape.user
+});
+const baseCliOptionsSchema = z.object({
+	serverUrl: serverUrlSchema.optional(),
+	sessionFile: z.string().min(1).optional()
+});
+const authSignInOptionsSchema = baseCliOptionsSchema.extend({
+	anonymous: z.boolean().optional(),
+	username: z.string().min(1).optional(),
+	password: z.string().min(1).optional()
+}).superRefine((value, ctx) => {
+	if (value.anonymous) {
+		if (value.username || value.password) ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			message: "Anonymous sign-in cannot be combined with --username or --password",
+			path: ["anonymous"]
+		});
+		return;
+	}
+	if (!value.username || !value.password) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		message: "Provide --anonymous or both --username and --password",
+		path: ["username"]
+	});
+});
+const authSignUpOptionsSchema = baseCliOptionsSchema.extend({
+	username: z.string().min(1),
+	password: z.string().min(1)
+});
+const claimsInputSchema = z.object({
+	claims: z.string().optional(),
+	claimsFile: z.string().min(1).optional()
+}).superRefine((value, ctx) => {
+	if (value.claims && value.claimsFile) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		message: "Use only one of --claims or --claims-file",
+		path: ["claims"]
+	});
+});
+const templateCreateOptionsSchema = baseCliOptionsSchema.extend({
+	name: z.string().min(1),
+	vct: z.string().min(1)
+}).and(claimsInputSchema);
+const templateDeleteOptionsSchema = baseCliOptionsSchema.extend({ templateId: z.string().min(1) });
+const issuanceStatusLabelSchema = z.enum([
+	"active",
+	"revoked",
+	"suspended"
+]);
+const issuanceCreateOptionsSchema = baseCliOptionsSchema.extend({
+	templateId: z.string().min(1),
+	status: issuanceStatusLabelSchema.optional()
+}).and(claimsInputSchema);
+const issuanceIdOptionsSchema = baseCliOptionsSchema.extend({ issuanceId: z.string().min(1) });
+const issuanceStatusUpdateOptionsSchema = issuanceIdOptionsSchema.extend({ status: issuanceStatusLabelSchema });
+const interactiveOptionsSchema = baseCliOptionsSchema;
+const authApiResponseSchema = z.object({
+	token: z.string().nullable().optional(),
+	user: z.record(z.string(), z.unknown()).optional(),
+	message: z.string().optional(),
+	error: z.string().optional(),
+	code: z.string().optional()
+});
+const appErrorResponseSchema = z.object({
+	error: z.string().optional(),
+	message: z.string().optional(),
+	code: z.string().optional()
+});
+const templateListSchema = z.array(templateSchema);
+const issuanceListSchema = z.array(issuanceSchema);
+const issuerMetadataSchema = z.object({
+	credential_issuer: z.string().url(),
+	token_endpoint: z.string().url(),
+	credential_endpoint: z.string().url(),
+	nonce_endpoint: z.string().url().optional(),
+	jwks: z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) }),
+	credential_configurations_supported: z.record(z.string(), z.record(z.string(), z.unknown()))
+});
+//#endregion
+//#region src/client.ts
+var IssuerWebClient = class {
+	cookieHeader = "";
+	constructor(options) {
+		this.options = options;
+		this.cookieHeader = options.session?.cookieHeader ?? "";
+	}
+	get serverUrl() {
+		return this.options.serverUrl;
+	}
+	getCookieHeader() {
+		return this.cookieHeader;
+	}
+	async signInAnonymous() {
+		const response = await this.request("/api/auth/sign-in/anonymous", { method: "POST" });
+		authApiResponseSchema.parse(await this.parseJson(response, "anonymous sign-in"));
+		return this.getSession();
+	}
+	async signInUsername(input) {
+		const response = await this.request("/api/auth/sign-in/username", {
+			method: "POST",
+			body: input
+		});
+		authApiResponseSchema.parse(await this.parseJson(response, "username sign-in"));
+		return this.getSession();
+	}
+	async signUpUsername(input) {
+		const username = input.username.trim();
+		const response = await this.request("/api/auth/sign-up/email", {
+			method: "POST",
+			body: {
+				email: `temp-${crypto.randomUUID()}@issuer-web.local`,
+				name: username,
+				username,
+				password: input.password
+			}
+		});
+		authApiResponseSchema.parse(await this.parseJson(response, "sign-up"));
+		return this.getSession();
+	}
+	async signOut() {
+		await this.request("/api/auth/sign-out", { method: "POST" });
+		this.cookieHeader = "";
+	}
+	async getSession() {
+		const response = await this.request("/api/session");
+		return sessionResponseSchema.parse(await this.parseJson(response, "session"));
+	}
+	async getMetadata() {
+		const response = await this.request("/.well-known/openid-credential-issuer");
+		return issuerMetadataSchema.parse(await this.parseJson(response, "issuer metadata"));
+	}
+	async listTemplates() {
+		const response = await this.request("/api/templates");
+		return templateListSchema.parse(await this.parseJson(response, "template list"));
+	}
+	async createTemplate(input) {
+		const payload = createTemplateInputSchema.parse(input);
+		const response = await this.request("/api/templates", {
+			method: "POST",
+			body: payload
+		});
+		return templateSchema.parse(await this.parseJson(response, "template creation"));
+	}
+	async deleteTemplate(templateId) {
+		const response = await this.request(`/api/templates/${templateId}`, { method: "DELETE" });
+		deleteResponseSchema.parse(await this.parseJson(response, "template deletion"));
+	}
+	async listIssuances() {
+		const response = await this.request("/api/issuances");
+		return issuanceListSchema.parse(await this.parseJson(response, "issuance list"));
+	}
+	async createIssuance(input) {
+		const payload = createIssuanceInputSchema.parse(input);
+		const response = await this.request("/api/issuances", {
+			method: "POST",
+			body: payload
+		});
+		return issuanceDetailSchema.parse(await this.parseJson(response, "issuance creation"));
+	}
+	async getIssuance(issuanceId) {
+		const response = await this.request(`/api/issuances/${issuanceId}`);
+		return issuanceDetailSchema.parse(await this.parseJson(response, "issuance detail"));
+	}
+	async updateIssuanceStatus(issuanceId, input) {
+		const payload = updateIssuanceStatusInputSchema.parse(input);
+		const response = await this.request(`/api/issuances/${issuanceId}/status`, {
+			method: "PATCH",
+			body: payload
+		});
+		return issuanceDetailSchema.parse(await this.parseJson(response, "issuance status update"));
+	}
+	async request(path, init = {}) {
+		const headers = new Headers(init.headers);
+		headers.set("accept", "application/json");
+		if (this.cookieHeader) headers.set("cookie", this.cookieHeader);
+		let body = init.body;
+		if (body && typeof body === "object" && !(body instanceof FormData) && !(body instanceof URLSearchParams) && !(body instanceof Blob) && !(body instanceof ArrayBuffer)) {
+			headers.set("content-type", "application/json");
+			body = JSON.stringify(body);
+		}
+		const url = new URL(path, this.options.serverUrl);
+		verbose(`Requesting ${init.method ?? "GET"} ${url}`);
+		const response = await (this.options.fetchImpl ?? fetch)(url, {
+			...init,
+			headers,
+			body
+		});
+		this.updateCookies(response);
+		if (!response.ok) throw await this.createRequestError(response);
+		return response;
+	}
+	updateCookies(response) {
+		const setCookies = getSetCookies(response.headers);
+		if (setCookies.length === 0) return;
+		this.cookieHeader = setCookies.map((value) => value.split(";")[0]).filter(Boolean).join("; ");
+	}
+	async createRequestError(response) {
+		let message = `Request failed with status ${response.status}`;
+		try {
+			const payload = appErrorResponseSchema.safeParse(await response.json());
+			if (payload.success) message = payload.data.message ?? payload.data.error ?? message;
+		} catch {
+			try {
+				const text = (await response.text()).trim();
+				if (text) message = text;
+			} catch {}
+		}
+		return new Error(message);
+	}
+	async parseJson(response, label) {
+		try {
+			return await response.json();
+		} catch {
+			throw new Error(`Failed to parse ${label} response`);
+		}
+	}
+};
+function statusLabelToValue(label) {
+	if (label === "active") return ACTIVE_TOKEN_STATUS;
+	if (label === "revoked") return REVOKED_TOKEN_STATUS;
+	return SUSPENDED_TOKEN_STATUS;
+}
+function getSetCookies(headers) {
+	const withGetSetCookie = headers;
+	if (typeof withGetSetCookie.getSetCookie === "function") return withGetSetCookie.getSetCookie();
+	const combined = headers.get("set-cookie");
+	if (!combined) return [];
+	return combined.split(", ").filter((part) => part.includes("="));
+}
+//#endregion
+//#region src/session.ts
+const DEFAULT_SERVER_URL = "http://localhost:3001";
+function resolveDefaultSessionFilePath() {
+	return join(homedir(), ".config", "vidos-id", "openid4vc-issuer-session.json");
+}
+function resolveSessionFilePath(options) {
+	return options?.sessionFile ?? resolveDefaultSessionFilePath();
+}
+async function readStoredSession(options) {
+	const filePath = resolveSessionFilePath(options);
+	try {
+		const raw = JSON.parse(await readFile(filePath, "utf8"));
+		return sessionFileSchema.parse(raw);
+	} catch (error) {
+		if (error.code === "ENOENT") return null;
+		throw error;
+	}
+}
+async function writeStoredSession(session, options) {
+	const filePath = resolveSessionFilePath(options);
+	await mkdir(dirname(filePath), { recursive: true });
+	await writeFile(filePath, `${JSON.stringify(session, null, 2)}\n`, "utf8");
+	verbose(`Saved openid4vc-issuer session to ${filePath}`);
+	return filePath;
+}
+async function clearStoredSession(options) {
+	const filePath = resolveSessionFilePath(options);
+	await rm(filePath, { force: true });
+	verbose(`Cleared openid4vc-issuer session at ${filePath}`);
+	return filePath;
+}
+async function requireStoredSession(options) {
+	const session = await readStoredSession(options);
+	if (!session) throw new Error("No saved issuer session. Run `openid4vc-issuer auth signin` or `openid4vc-issuer` first.");
+	return session;
+}
+function resolveServerUrl(options, session) {
+	return options?.serverUrl ?? session?.serverUrl ?? DEFAULT_SERVER_URL;
+}
+function assertSessionMatchesServerUrl(serverUrl, session) {
+	if (session.serverUrl !== serverUrl) throw new Error(`Saved session targets ${session.serverUrl}. Sign in again for ${serverUrl} or omit --server-url.`);
+}
+//#endregion
+//#region src/actions/auth.ts
+async function authSignInAction(rawOptions, deps = {}) {
+	const options = authSignInOptionsSchema.parse(rawOptions);
+	const serverUrl = resolveServerUrl(options);
+	const client = new IssuerWebClient({
+		serverUrl,
+		fetchImpl: deps.fetchImpl
+	});
+	const user = requireUser(options.anonymous ? await client.signInAnonymous() : await signInWithUsernamePassword(client, options));
+	await writeStoredSession({
+		serverUrl,
+		cookieHeader: client.getCookieHeader(),
+		user
+	}, options);
+	return {
+		serverUrl,
+		user
+	};
+}
+async function authSignUpAction(rawOptions, deps = {}) {
+	const options = authSignUpOptionsSchema.parse(rawOptions);
+	const serverUrl = resolveServerUrl(options);
+	const client = new IssuerWebClient({
+		serverUrl,
+		fetchImpl: deps.fetchImpl
+	});
+	const user = requireUser(await client.signUpUsername({
+		username: options.username,
+		password: options.password
+	}));
+	await writeStoredSession({
+		serverUrl,
+		cookieHeader: client.getCookieHeader(),
+		user
+	}, options);
+	return {
+		serverUrl,
+		user
+	};
+}
+async function authWhoAmIAction(rawOptions, deps = {}) {
+	const options = baseCliOptionsSchema.parse(rawOptions);
+	const stored = await requireStoredSession(options);
+	const serverUrl = resolveServerUrl(options, stored);
+	assertSessionMatchesServerUrl(serverUrl, stored);
+	const client = new IssuerWebClient({
+		serverUrl,
+		fetchImpl: deps.fetchImpl,
+		session: stored
+	});
+	const user = requireUser(await client.getSession());
+	await writeStoredSession({
+		serverUrl,
+		cookieHeader: client.getCookieHeader(),
+		user
+	}, options);
+	return {
+		serverUrl,
+		user
+	};
+}
+async function authSignOutAction(rawOptions, deps = {}) {
+	const options = baseCliOptionsSchema.parse(rawOptions);
+	const stored = await requireStoredSession(options);
+	const serverUrl = resolveServerUrl(options, stored);
+	assertSessionMatchesServerUrl(serverUrl, stored);
+	const client = new IssuerWebClient({
+		serverUrl,
+		fetchImpl: deps.fetchImpl,
+		session: stored
+	});
+	try {
+		await client.signOut();
+	} finally {
+		await clearStoredSession(options);
+	}
+	return { serverUrl };
+}
+async function signInWithUsernamePassword(client, options) {
+	if (!options.username || !options.password) throw new Error("Provide --anonymous or both --username and --password");
+	return client.signInUsername({
+		username: options.username,
+		password: options.password
+	});
+}
+function requireUser(session) {
+	if (!session.user) throw new Error("Authentication succeeded but no active session was returned.");
+	return session.user;
+}
+//#endregion
+//#region src/format.ts
+function section(title, lines) {
+	return [title, ...lines.map((line) => `  ${line}`)].join("\n");
+}
+function jsonBlock(value) {
+	return JSON.stringify(value, null, 2).split("\n").map((line) => `  ${line}`).join("\n");
+}
+function x5cToPem(x5c) {
+	const lines = ["-----BEGIN CERTIFICATE-----"];
+	for (let i = 0; i < x5c.length; i += 64) lines.push(x5c.slice(i, i + 64));
+	lines.push("-----END CERTIFICATE-----");
+	return lines.join("\n");
+}
+function formatSessionSummary(input) {
+	return section("Session", [
+		`server: ${input.serverUrl}`,
+		`user: ${input.user.username ?? input.user.name}`,
+		`name: ${input.user.name}`,
+		`mode: ${input.user.isAnonymous ? "guest" : "username"}`,
+		`user id: ${input.user.id}`
+	]);
+}
+function formatTemplateList(templates) {
+	if (templates.length === 0) return "No templates found.";
+	return [`Templates (${templates.length})`, ...templates.flatMap((template, index) => [
+		`${index + 1}. ${template.name} [${template.kind}]`,
+		`   id: ${template.id}`,
+		`   vct: ${template.vct}`,
+		`   configuration: ${template.credentialConfigurationId}`
+	])].join("\n");
+}
+function formatTemplateSummary(template) {
+	return [
+		section("Template", [
+			`name: ${template.name}`,
+			`id: ${template.id}`,
+			`kind: ${template.kind}`,
+			`vct: ${template.vct}`,
+			`configuration: ${template.credentialConfigurationId}`
+		]),
+		"",
+		"Default claims",
+		jsonBlock(template.defaultClaims)
+	].join("\n");
+}
+function formatIssuanceList(issuances) {
+	if (issuances.length === 0) return "No issuances found.";
+	return [`Issuances (${issuances.length})`, ...issuances.flatMap((issuance, index) => [
+		`${index + 1}. ${issuance.vct}`,
+		`   id: ${issuance.id}`,
+		`   state: ${issuance.state}`,
+		`   status: ${getTokenStatusLabel(issuance.status)}`,
+		`   created: ${issuance.createdAt}`
+	])].join("\n");
+}
+function formatIssuanceSummary(detail) {
+	const { issuance } = detail;
+	return [
+		section("Issuance", [
+			`id: ${issuance.id}`,
+			`template: ${issuance.templateId}`,
+			`vct: ${issuance.vct}`,
+			`state: ${issuance.state}`,
+			`status: ${getTokenStatusLabel(issuance.status)}`,
+			`created: ${issuance.createdAt}`
+		]),
+		"",
+		"Offer URI",
+		`  ${issuance.offerUri}`,
+		"",
+		"Claims",
+		jsonBlock(issuance.claims)
+	].join("\n");
+}
+function formatDeletedTemplate(templateId) {
+	return `Deleted template ${templateId}.`;
+}
+function formatSignedOut(serverUrl) {
+	return serverUrl ? `Signed out from ${serverUrl}.` : "Signed out.";
+}
+function formatIssuerMetadata(metadata) {
+	const endpointLines = [
+		`credential issuer: ${metadata.credential_issuer}`,
+		`token endpoint: ${metadata.token_endpoint}`,
+		`credential endpoint: ${metadata.credential_endpoint}`
+	];
+	if (metadata.nonce_endpoint) endpointLines.push(`nonce endpoint: ${metadata.nonce_endpoint}`);
+	const signingKeyLines = metadata.jwks.keys.flatMap((key, index) => {
+		const lines = [
+			`Key ${index + 1}`,
+			`  kid: ${typeof key.kid === "string" ? key.kid : "-"}`,
+			`  alg: ${typeof key.alg === "string" ? key.alg : "-"}`,
+			`  kty: ${typeof key.kty === "string" ? key.kty : "-"}`,
+			"  jwk:",
+			jsonBlock(Object.fromEntries(Object.entries(key).filter(([name]) => name !== "x5c")))
+		];
+		const x5cValues = Array.isArray(key.x5c) ? key.x5c.filter((value) => typeof value === "string") : [];
+		if (x5cValues.length === 0) {
+			lines.push("  x5c: none");
+			return lines;
+		}
+		for (const [certIndex, cert] of x5cValues.entries()) {
+			lines.push(`  certificate ${certIndex + 1}:`);
+			lines.push(...x5cToPem(cert).split("\n").map((line) => `    ${line}`));
+		}
+		return lines;
+	});
+	const credentialConfigurationLines = Object.entries(metadata.credential_configurations_supported).flatMap(([configId, config]) => [configId, jsonBlock(config)]);
+	return [
+		section("Endpoints", endpointLines),
+		"",
+		section("Signing Keys", signingKeyLines),
+		"",
+		section("Credential Configurations Supported", credentialConfigurationLines)
+	].join("\n");
+}
+//#endregion
+//#region src/prompts.ts
+var PromptSession = class {
+	close() {}
+	async text(label, options) {
+		const { value } = await inquirer.prompt([{
+			type: options?.password ? "password" : "input",
+			name: "value",
+			message: label,
+			default: options?.defaultValue,
+			mask: options?.password ? "*" : void 0,
+			validate: (input) => {
+				if (input.trim() || options?.allowEmpty || options?.defaultValue !== void 0) return true;
+				return "A value is required";
+			}
+		}]);
+		return value.trim() || options?.defaultValue || "";
+	}
+	async choose(label, choices) {
+		const { value } = await inquirer.prompt([{
+			type: "list",
+			name: "value",
+			message: label,
+			choices: choices.map((choice) => ({
+				name: choice.label,
+				value: choice.value
+			}))
+		}]);
+		return value;
+	}
+	async confirm(label, defaultValue = true) {
+		const { value } = await inquirer.prompt([{
+			type: "confirm",
+			name: "value",
+			message: label,
+			default: defaultValue
+		}]);
+		return value;
+	}
+};
+//#endregion
+//#region src/actions/issuances.ts
+async function listIssuancesAction(rawOptions, deps = {}) {
+	const { client, options, serverUrl, session } = await getAuthenticatedClient$1(baseCliOptionsSchema.parse(rawOptions), deps);
+	const issuances = await client.listIssuances();
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		issuances
+	};
+}
+async function createIssuanceAction(rawOptions, deps = {}) {
+	const options = issuanceCreateOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient$1(options, deps);
+	const claimsText = await readTextInput(options.claims, options.claimsFile).catch(() => void 0);
+	const input = { templateId: options.templateId };
+	if (claimsText) input.claims = parseJsonObject$1(claimsText, "issuance claims");
+	if (options.status) input.status = statusLabelToValue(options.status);
+	const detail = await client.createIssuance(input);
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		detail
+	};
+}
+async function showIssuanceAction(rawOptions, deps = {}) {
+	const options = issuanceIdOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient$1(options, deps);
+	const detail = await client.getIssuance(options.issuanceId);
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		detail
+	};
+}
+async function updateIssuanceStatusAction(rawOptions, deps = {}) {
+	const options = issuanceStatusUpdateOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient$1(options, deps);
+	const detail = await client.updateIssuanceStatus(options.issuanceId, { status: statusLabelToValue(options.status) });
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		detail
+	};
+}
+async function getAuthenticatedClient$1(options, deps) {
+	const session = await requireStoredSession(options);
+	const serverUrl = resolveServerUrl(options, session);
+	assertSessionMatchesServerUrl(serverUrl, session);
+	return {
+		client: new IssuerWebClient({
+			serverUrl,
+			fetchImpl: deps.fetchImpl,
+			session
+		}),
+		options,
+		serverUrl,
+		session
+	};
+}
+function parseJsonObject$1(value, label) {
+	let parsed;
+	try {
+		parsed = JSON.parse(value);
+	} catch {
+		throw new Error(`${label} must be valid JSON`);
+	}
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`${label} must be a JSON object`);
+	return parsed;
+}
+//#endregion
+//#region src/actions/metadata.ts
+async function metadataAction(rawOptions, deps = {}) {
+	const serverUrl = resolveServerUrl(baseCliOptionsSchema.parse(rawOptions));
+	return {
+		serverUrl,
+		metadata: await new IssuerWebClient({
+			serverUrl,
+			fetchImpl: deps.fetchImpl
+		}).getMetadata()
+	};
+}
+//#endregion
+//#region src/actions/templates.ts
+async function listTemplatesAction(rawOptions, deps = {}) {
+	const { client, options, serverUrl, session } = await getAuthenticatedClient(baseCliOptionsSchema.parse(rawOptions), deps);
+	const templates = await client.listTemplates();
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		templates
+	};
+}
+async function createTemplateAction(rawOptions, deps = {}) {
+	const options = templateCreateOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient(options, deps);
+	const claimsText = options.claims !== void 0 || options.claimsFile !== void 0 ? await readTextInput(options.claims, options.claimsFile) : void 0;
+	const template = await client.createTemplate({
+		name: options.name,
+		vct: options.vct,
+		defaultClaims: claimsText ? parseJsonObject(claimsText, "template claims") : {}
+	});
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		template
+	};
+}
+async function deleteTemplateAction(rawOptions, deps = {}) {
+	const options = templateDeleteOptionsSchema.parse(rawOptions);
+	const { client, serverUrl, session } = await getAuthenticatedClient(options, deps);
+	await client.deleteTemplate(options.templateId);
+	await writeStoredSession({
+		...session,
+		serverUrl,
+		cookieHeader: client.getCookieHeader()
+	}, options);
+	return {
+		serverUrl,
+		templateId: options.templateId
+	};
+}
+async function getAuthenticatedClient(options, deps) {
+	const session = await requireStoredSession(options);
+	const serverUrl = resolveServerUrl(options, session);
+	assertSessionMatchesServerUrl(serverUrl, session);
+	return {
+		client: new IssuerWebClient({
+			serverUrl,
+			fetchImpl: deps.fetchImpl,
+			session
+		}),
+		options,
+		serverUrl,
+		session
+	};
+}
+function parseJsonObject(value, label) {
+	let parsed;
+	try {
+		parsed = JSON.parse(value);
+	} catch {
+		throw new Error(`${label} must be valid JSON`);
+	}
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`${label} must be a JSON object`);
+	return parsed;
+}
+//#endregion
+//#region src/actions/interactive.ts
+async function interactiveAction(rawOptions, deps = {}) {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) throw new Error("Interactive mode requires a TTY. Use an explicit subcommand for non-interactive usage.");
+	const options = interactiveOptionsSchema.parse(rawOptions);
+	const prompt = new PromptSession();
+	let serverUrl = await resolveInteractiveServerUrl(prompt, options);
+	try {
+		while (true) {
+			const session = await readStoredSession(options);
+			if (!session || session.serverUrl !== serverUrl) await authenticateInteractive(prompt, {
+				...options,
+				serverUrl
+			}, deps);
+			const choice = await prompt.choose("Issuer CLI", [
+				{
+					label: "Who am I",
+					value: "whoami"
+				},
+				{
+					label: "Show issuer metadata",
+					value: "metadata"
+				},
+				{
+					label: "List templates",
+					value: "templates-list"
+				},
+				{
+					label: "Create template",
+					value: "templates-create"
+				},
+				{
+					label: "Delete template",
+					value: "templates-delete"
+				},
+				{
+					label: "List issuances",
+					value: "issuances-list"
+				},
+				{
+					label: "Create issuance",
+					value: "issuances-create"
+				},
+				{
+					label: "Show issuance",
+					value: "issuances-show"
+				},
+				{
+					label: "Update issuance status",
+					value: "issuances-status"
+				},
+				{
+					label: "Switch server",
+					value: "switch-server"
+				},
+				{
+					label: "Sign out",
+					value: "signout"
+				},
+				{
+					label: "Exit",
+					value: "exit"
+				}
+			]);
+			stdout.write("\n");
+			if (choice === "exit") return;
+			if (choice === "switch-server") {
+				serverUrl = await resolveInteractiveServerUrl(prompt, {
+					...options,
+					serverUrl
+				});
+				continue;
+			}
+			if (choice === "whoami") {
+				const result = await authWhoAmIAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatSessionSummary(result)}\n\n`);
+				continue;
+			}
+			if (choice === "metadata") {
+				const result = await metadataAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatIssuerMetadata(result.metadata)}\n\n`);
+				continue;
+			}
+			if (choice === "templates-list") {
+				const result = await listTemplatesAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatTemplateList(result.templates)}\n\n`);
+				continue;
+			}
+			if (choice === "templates-create") {
+				const name = await prompt.text("Template name");
+				const vct = await prompt.text("VCT");
+				const claims = await prompt.text("Default claims JSON", { defaultValue: "{}" });
+				const result = await createTemplateAction({
+					...options,
+					serverUrl,
+					name,
+					vct,
+					claims
+				}, deps);
+				stdout.write(`${formatTemplateSummary(result.template)}\n\n`);
+				continue;
+			}
+			if (choice === "templates-delete") {
+				const result = await listTemplatesAction({
+					...options,
+					serverUrl
+				}, deps);
+				if (result.templates.length === 0) {
+					stdout.write("No templates found.\n\n");
+					continue;
+				}
+				const selectable = result.templates.filter((template) => template.kind === "custom");
+				if (selectable.length === 0) {
+					stdout.write("No custom templates can be deleted.\n\n");
+					continue;
+				}
+				const templateId = await prompt.choose("Select a template to delete", selectable.map((template) => ({
+					label: `${template.name} (${template.id})`,
+					value: template.id
+				})));
+				if (!await prompt.confirm(`Delete template ${templateId}?`, false)) {
+					stdout.write("Cancelled.\n\n");
+					continue;
+				}
+				const deleted = await deleteTemplateAction({
+					...options,
+					serverUrl,
+					templateId
+				}, deps);
+				stdout.write(`${formatDeletedTemplate(deleted.templateId)}\n\n`);
+				continue;
+			}
+			if (choice === "issuances-list") {
+				const result = await listIssuancesAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatIssuanceList(result.issuances)}\n\n`);
+				continue;
+			}
+			if (choice === "issuances-create") {
+				const templates = await listTemplatesAction({
+					...options,
+					serverUrl
+				}, deps);
+				if (templates.templates.length === 0) {
+					stdout.write("No templates available. Create one first.\n\n");
+					continue;
+				}
+				const templateId = await prompt.choose("Select a template", templates.templates.map((template) => ({
+					label: `${template.name} (${template.vct})`,
+					value: template.id
+				})));
+				const claims = await prompt.text("Issuance claims JSON", { defaultValue: "{}" });
+				const status = await prompt.choose("Initial status", [
+					{
+						label: "active",
+						value: "active"
+					},
+					{
+						label: "suspended",
+						value: "suspended"
+					},
+					{
+						label: "revoked",
+						value: "revoked"
+					}
+				]);
+				const created = await createIssuanceAction({
+					...options,
+					serverUrl,
+					templateId,
+					claims,
+					status
+				}, deps);
+				stdout.write(`${formatIssuanceSummary(created.detail)}\n\n`);
+				continue;
+			}
+			if (choice === "issuances-show") {
+				const issuanceId = await prompt.text("Issuance id");
+				const result = await showIssuanceAction({
+					...options,
+					serverUrl,
+					issuanceId
+				}, deps);
+				stdout.write(`${formatIssuanceSummary(result.detail)}\n\n`);
+				continue;
+			}
+			if (choice === "issuances-status") {
+				const issuanceId = await prompt.text("Issuance id");
+				const status = await prompt.choose("New status", [
+					{
+						label: "active",
+						value: "active"
+					},
+					{
+						label: "suspended",
+						value: "suspended"
+					},
+					{
+						label: "revoked",
+						value: "revoked"
+					}
+				]);
+				const result = await updateIssuanceStatusAction({
+					...options,
+					serverUrl,
+					issuanceId,
+					status
+				}, deps);
+				stdout.write(`${formatIssuanceSummary(result.detail)}\n\n`);
+				continue;
+			}
+			if (choice === "signout") {
+				const result = await authSignOutAction({
+					...options,
+					serverUrl
+				}, deps);
+				stdout.write(`${formatSignedOut(result.serverUrl)}\n\n`);
+			}
+		}
+	} finally {
+		prompt.close();
+	}
+}
+async function authenticateInteractive(prompt, options, deps) {
+	stdout.write(`No saved session for ${options.serverUrl}.\n`);
+	const choice = await prompt.choose("Choose authentication mode", [
+		{
+			label: "Continue as guest",
+			value: "guest"
+		},
+		{
+			label: "Sign in",
+			value: "signin"
+		},
+		{
+			label: "Create account",
+			value: "signup"
+		}
+	]);
+	if (choice === "guest") {
+		const result = await authSignInAction({
+			...options,
+			anonymous: true
+		}, deps);
+		stdout.write(`${formatSessionSummary(result)}\n\n`);
+		return;
+	}
+	const username = await prompt.text("Username");
+	const password = await prompt.text("Password", { password: true });
+	if (choice === "signup") {
+		const result = await authSignUpAction({
+			...options,
+			username,
+			password
+		}, deps);
+		stdout.write(`${formatSessionSummary(result)}\n\n`);
+		return;
+	}
+	const result = await authSignInAction({
+		...options,
+		username,
+		password
+	}, deps);
+	stdout.write(`${formatSessionSummary(result)}\n\n`);
+}
+async function resolveInteractiveServerUrl(prompt, options) {
+	const saved = await readStoredSession(options);
+	return prompt.text("Issuer web server URL", { defaultValue: resolveServerUrl(options, saved ?? void 0) });
+}
+//#endregion
+//#region src/program.ts
+function withCommonOptions(command) {
+	return command.option("--server-url <url>", "Issuer web server base URL (default: saved session, ISSUER_WEB_SERVER_URL, or http://localhost:3001)").option("--session-file <file>", "Override the saved session file location");
+}
+function createProgram(version) {
+	const program = withCommonOptions(new Command().name("openid4vc-issuer").version(version).description("Terminal client for openid4vc-issuer-web-server. Run without a subcommand to start interactive mode.").addHelpText("after", "\nInteractive mode:\n  Run `openid4vc-issuer` without a subcommand to open the prompt-driven workflow.").showHelpAfterError().option("--verbose", "Enable verbose logging to stderr", false).hook("preAction", (_thisCommand, actionCommand) => {
+		if (actionCommand.optsWithGlobals().verbose) setVerbose(true);
+	})).action(async (options) => {
+		await interactiveAction(options);
+	});
+	withCommonOptions(program.command("metadata").description("Show issuer metadata from /.well-known/openid-credential-issuer").option("--output <format>", "Output format: text or json", "text")).action(async (options) => {
+		const result = await metadataAction(options);
+		printResult(options.output === "json" ? result.metadata : formatIssuerMetadata(result.metadata), options.output);
+	});
+	const auth = program.command("auth").description("Authenticate and inspect the current session");
+	withCommonOptions(auth.command("signin").description("Sign in with a guest session or username/password").option("--anonymous", "Start a guest session").option("--username <name>", "Username for sign-in").option("--password <password>", "Password for sign-in").addHelpText("after", `\nExamples:\n  $ openid4vc-issuer auth signin --anonymous\n  $ openid4vc-issuer auth signin --server-url http://localhost:3001 --username ada --password secret`)).action(async (options) => {
+		verbose(`Signing in to ${options.serverUrl ?? "saved/default server"}`);
+		printResult(formatSessionSummary(await authSignInAction(options)), "text");
+	});
+	withCommonOptions(auth.command("signup").description("Create an account and save the resulting session").requiredOption("--username <name>", "Username for the new account").requiredOption("--password <password>", "Password for the new account")).action(async (options) => {
+		printResult(formatSessionSummary(await authSignUpAction(options)), "text");
+	});
+	withCommonOptions(auth.command("whoami").description("Show the currently saved session")).action(async (options) => {
+		printResult(formatSessionSummary(await authWhoAmIAction(options)), "text");
+	});
+	withCommonOptions(auth.command("signout").description("Sign out and clear the saved session")).action(async (options) => {
+		printResult(formatSignedOut((await authSignOutAction(options)).serverUrl), "text");
+	});
+	const templates = program.command("templates").description("Manage credential templates through openid4vc-issuer-web-server");
+	withCommonOptions(templates.command("list").description("List templates visible to the current user")).action(async (options) => {
+		printResult(formatTemplateList((await listTemplatesAction(options)).templates), "text");
+	});
+	withCommonOptions(templates.command("create").description("Create a custom template").requiredOption("--name <value>", "Template name").requiredOption("--vct <value>", "Verifiable Credential Type").option("--claims <json>", "Inline JSON object for default claims").option("--claims-file <file>", "Path to a JSON file with default claims").addHelpText("after", `\nExamples:\n  $ openid4vc-issuer templates create --name "Conference Pass" --vct urn:eudi:pid:1 --claims '{"given_name":"Ada"}'\n  $ openid4vc-issuer templates create --name "PID" --vct urn:eudi:pid:1 --claims-file ./claims.json`)).action(async (options) => {
+		printResult(formatTemplateSummary((await createTemplateAction(options)).template), "text");
+	});
+	withCommonOptions(templates.command("delete").description("Delete a custom template by id").requiredOption("--template-id <id>", "Template id")).action(async (options) => {
+		printResult(formatDeletedTemplate((await deleteTemplateAction(options)).templateId), "text");
+	});
+	const issuances = program.command("issuances").description("Create and manage credential offers");
+	withCommonOptions(issuances.command("list").description("List issuances for the current user")).action(async (options) => {
+		printResult(formatIssuanceList((await listIssuancesAction(options)).issuances), "text");
+	});
+	withCommonOptions(issuances.command("create").description("Create a new issuance offer from a template").requiredOption("--template-id <id>", "Template id").option("--claims <json>", "Inline JSON object with issuance claims").option("--claims-file <file>", "Path to a JSON file with issuance claims").option("--status <value>", "Initial credential status: active, suspended, or revoked").addHelpText("after", `\nExample:\n  $ openid4vc-issuer issuances create --template-id <template-id> --claims '{"seat":"A-12"}' --status active`)).action(async (options) => {
+		printResult(formatIssuanceSummary((await createIssuanceAction(options)).detail), "text");
+	});
+	withCommonOptions(issuances.command("show").description("Show one issuance including the offer URI").requiredOption("--issuance-id <id>", "Issuance id")).action(async (options) => {
+		printResult(formatIssuanceSummary((await showIssuanceAction(options)).detail), "text");
+	});
+	withCommonOptions(issuances.command("status").description("Update the credential status for an issuance").requiredOption("--issuance-id <id>", "Issuance id").requiredOption("--status <value>", "New credential status: active, suspended, or revoked")).action(async (options) => {
+		printResult(formatIssuanceSummary((await updateIssuanceStatusAction(options)).detail), "text");
+	});
+	return program;
+}
+//#endregion
+//#region src/index.ts
+async function runCli(argv = process.argv) {
+	const version = await resolveCliVersion(resolvePackageJsonPath(import.meta.url));
+	try {
+		await createProgram(version).parseAsync(argv);
+	} catch (error) {
+		handleCliError(error);
+	}
+}
+//#endregion
+export { deleteTemplateAction as a, createIssuanceAction as c, updateIssuanceStatusAction as d, authSignInAction as f, authWhoAmIAction as h, createTemplateAction as i, listIssuancesAction as l, authSignUpAction as m, createProgram as n, listTemplatesAction as o, authSignOutAction as p, interactiveAction as r, metadataAction as s, runCli as t, showIssuanceAction as u };