@vidos-id/openid4vc-wallet-cli 0.0.0-rc.1

package/README.md

@@ -0,0 +1,158 @@
+# @vidos-id/openid4vc-wallet-cli
+
+CLI for OpenID4VCI credential receipt, `dc+sd-jwt` wallet storage, IETF credential status resolution, and OpenID4VP presentation. Wraps the [`@vidos-id/openid4vc-wallet`](../wallet/) library.
+
+For the full issue-hold-present flow, see the [root README](../../).
+
+Prefer using this CLI for wallet tasks instead of re-implementing protocol steps in agent code. In particular, `openid4vc-wallet receive` already handles the supported OID4VCI offer redemption flow end to end.
+
+Running `openid4vc-wallet` with no subcommand starts the interactive mode by default.
+
+## Install
+
+Download the latest GitHub Release artifact and make it executable:
+
+```bash
+curl -L -o openid4vc-wallet https://github.com/vidos-id/openid4vc-tools/releases/latest/download/openid4vc-wallet.js
+chmod +x openid4vc-wallet
+./openid4vc-wallet --help
+```
+
+Release artifacts do not bundle the repo's `examples/` directory. For remote example requests, pass raw GitHub content via `--request` or raw offer content via `--offer`.
+
+For development in this repo, you can run the bin entry directly with Bun:
+
+```bash
+bun packages/wallet-cli/src/index.ts --help
+```
+
+## Files in `--wallet-dir`
+
+- `holder-key.json` - Holder key pair (private + public JWK)
+- `wallet.json` - Wallet manifest with credential index
+- `credentials/<credential-id>.json` - Stored credentials
+
+## Interactive Mode
+
+Run the CLI with no subcommand:
+
+```bash
+openid4vc-wallet
+openid4vc-wallet --wallet-dir ./my-wallet
+```
+
+Interactive mode can:
+
+- initialize a wallet if one does not exist yet
+- receive credentials from OpenID4VCI offers
+- browse stored credentials
+- show credential details and status
+- present credentials to verifiers
+- import raw credentials as a fallback
+
+## Commands
+
+### `init`
+
+Initialize a wallet directory and create (or import) a holder key.
+
+```bash
+openid4vc-wallet init --wallet-dir ./my-wallet
+openid4vc-wallet init --wallet-dir ./my-wallet --alg EdDSA
+openid4vc-wallet init --wallet-dir ./my-wallet --holder-key-file ./existing-key.jwk.json
+openid4vc-wallet init --wallet-dir ./my-wallet --output json
+```
+
+### `receive`
+
+Receive and store a credential from a minimal OpenID4VCI credential offer.
+
+This is the primary way to add credentials into the wallet.
+
+```bash
+# From an openid-credential-offer URI
+openid4vc-wallet receive \
+  --wallet-dir ./my-wallet \
+  --offer 'openid-credential-offer://?credential_offer=...'
+
+# From inline credential-offer JSON
+openid4vc-wallet receive \
+  --wallet-dir ./my-wallet \
+  --offer '{"credential_issuer":"https://issuer.example",...}'
+
+# From a by-reference offer URI
+openid4vc-wallet receive \
+  --wallet-dir ./my-wallet \
+  --offer 'openid-credential-offer://?credential_offer_uri=https%3A%2F%2Fissuer.example%2Foffers%2Fperson-1'
+```
+
+Notes:
+- default output is a concise text summary; use `--output json` for full details
+- supports by-value `credential_offer` and by-reference `credential_offer_uri`
+- resolves issuer metadata from `/.well-known/openid-credential-issuer[issuer-path]`
+- uses advertised metadata endpoints instead of hardcoding paths
+
+### `import`
+
+Import an already-issued compact `dc+sd-jwt` credential.
+
+Use this only when you already have the raw credential blob. Prefer `receive` whenever you have an OpenID4VCI offer.
+
+```bash
+openid4vc-wallet import \
+  --wallet-dir ./my-wallet \
+  --credential-file ./issuer/credential.txt
+```
+
+### `list`
+
+List stored credentials.
+
+```bash
+openid4vc-wallet list --wallet-dir ./my-wallet
+openid4vc-wallet list --wallet-dir ./my-wallet --vct urn:eudi:pid:1
+openid4vc-wallet list --wallet-dir ./my-wallet --issuer https://issuer.example
+```
+
+### `show`
+
+Show a single stored credential by id.
+
+```bash
+openid4vc-wallet show --wallet-dir ./my-wallet --credential-id <id>
+openid4vc-wallet show --wallet-dir ./my-wallet --credential-id <id> --output raw
+openid4vc-wallet show --wallet-dir ./my-wallet --credential-id <id> --output json
+```
+
+### `present`
+
+Create a DCQL-based OpenID4VP presentation from wallet credentials.
+
+```bash
+openid4vc-wallet present \
+  --wallet-dir ./my-wallet \
+  --request 'openid4vp://authorize?...'
+```
+
+## Global options
+
+- running `openid4vc-wallet` with no subcommand starts interactive mode
+- `--wallet-dir <dir>` - wallet directory for interactive mode
+- `--verbose` - enable verbose logging to stderr
+- `--version` - show version number
+- `--help` - show help for a command
+
+## Notes
+
+- `receive` is the primary credential-ingest path
+- `import` is a local raw-credential fallback
+- `present` auto-submits `direct_post` and `direct_post.jwt` responses unless `--dry-run` is set
+- when multiple credentials match a query, `present` prompts interactively in a TTY or returns an error with a `--credential-id` suggestion in non-interactive environments
+- only by-value DCQL requests are supported
+- `show` automatically fetches, verifies, and decodes IETF status list JWTs for stored credentials that include a `status.status_list` reference
+
+## Test
+
+```bash
+bun test packages/wallet-cli/src/index.test.ts
+```

package/dist/index.d.mts

@@ -0,0 +1,197 @@
+import * as _$_vidos_id_openid4vc_wallet0 from "@vidos-id/openid4vc-wallet";
+import { Command } from "commander";
+
+//#region src/program.d.ts
+declare function createProgram(version: string): Command;
+//#endregion
+//#region src/actions/delete.d.ts
+declare function deleteCredentialAction(rawOptions: unknown): Promise<{
+  credentialId: string;
+}>;
+declare function deleteAllCredentialsAction(rawOptions: unknown): Promise<{
+  deleted: number;
+}>;
+declare function deleteWalletAction(rawOptions: unknown): Promise<{
+  walletDir: string;
+}>;
+//#endregion
+//#region src/actions/import.d.ts
+declare function importCredentialAction(rawOptions: unknown): Promise<{
+  credential: {
+    id: string;
+    format: "dc+sd-jwt";
+    compactSdJwt: string;
+    issuer: string;
+    vct: string;
+    holderKeyId: string;
+    claims: Record<string, unknown>;
+    importedAt: string;
+    status?: {
+      status_list: {
+        idx: number;
+        uri: string;
+      };
+    } | undefined;
+    issuerKeyMaterial?: {
+      issuer: string;
+      jwks: {
+        keys: Record<string, unknown>[];
+      };
+    } | {
+      issuer: string;
+      jwk: Record<string, unknown>;
+    } | undefined;
+  };
+}>;
+//#endregion
+//#region src/actions/init.d.ts
+declare function initWalletAction(rawOptions: unknown): Promise<{
+  holderKey: {
+    id: string;
+    algorithm: "ES256" | "ES384" | "EdDSA";
+    publicJwk: Record<string, unknown>;
+    privateJwk: Record<string, unknown>;
+    createdAt: string;
+  };
+  imported: boolean;
+}>;
+//#endregion
+//#region src/actions/interactive.d.ts
+declare function interactiveWalletAction(rawOptions: unknown): Promise<void>;
+//#endregion
+//#region src/actions/list.d.ts
+declare function listCredentialsAction(rawOptions: unknown): Promise<{
+  credentials: {
+    id: string;
+    format: "dc+sd-jwt";
+    compactSdJwt: string;
+    issuer: string;
+    vct: string;
+    holderKeyId: string;
+    claims: Record<string, unknown>;
+    importedAt: string;
+    status?: {
+      status_list: {
+        idx: number;
+        uri: string;
+      };
+    } | undefined;
+    issuerKeyMaterial?: {
+      issuer: string;
+      jwks: {
+        keys: Record<string, unknown>[];
+      };
+    } | {
+      issuer: string;
+      jwk: Record<string, unknown>;
+    } | undefined;
+  }[];
+}>;
+//#endregion
+//#region src/actions/present.d.ts
+declare function presentCredentialAction(rawOptions: unknown): Promise<{
+  submitted: boolean;
+  submission: _$_vidos_id_openid4vc_wallet0.OpenId4VpResponseSubmissionResult | undefined;
+  query: _$_vidos_id_openid4vc_wallet0.ParsedDcqlQuery;
+  vpToken: string;
+  dcqlPresentation: Record<string, string[]>;
+  matchedCredentials: _$_vidos_id_openid4vc_wallet0.MatchedCredential[];
+}>;
+//#endregion
+//#region src/actions/receive.d.ts
+declare function receiveCredentialAction(rawOptions: unknown): Promise<{
+  credential: {
+    id: string;
+    format: "dc+sd-jwt";
+    compactSdJwt: string;
+    issuer: string;
+    vct: string;
+    holderKeyId: string;
+    claims: Record<string, unknown>;
+    importedAt: string;
+    status?: {
+      status_list: {
+        idx: number;
+        uri: string;
+      };
+    } | undefined;
+    issuerKeyMaterial?: {
+      issuer: string;
+      jwks: {
+        keys: Record<string, unknown>[];
+      };
+    } | {
+      issuer: string;
+      jwk: Record<string, unknown>;
+    } | undefined;
+  };
+}>;
+//#endregion
+//#region src/actions/show.d.ts
+declare function showCredentialAction(rawOptions: unknown): Promise<{
+  credential: {
+    id: string;
+    format: "dc+sd-jwt";
+    compactSdJwt: string;
+    issuer: string;
+    vct: string;
+    holderKeyId: string;
+    claims: Record<string, unknown>;
+    importedAt: string;
+    status?: {
+      status_list: {
+        idx: number;
+        uri: string;
+      };
+    } | undefined;
+    issuerKeyMaterial?: {
+      issuer: string;
+      jwks: {
+        keys: Record<string, unknown>[];
+      };
+    } | {
+      issuer: string;
+      jwk: Record<string, unknown>;
+    } | undefined;
+  };
+  status: _$_vidos_id_openid4vc_wallet0.ResolvedCredentialStatus | null;
+  statusWarning: undefined;
+} | {
+  credential: {
+    id: string;
+    format: "dc+sd-jwt";
+    compactSdJwt: string;
+    issuer: string;
+    vct: string;
+    holderKeyId: string;
+    claims: Record<string, unknown>;
+    importedAt: string;
+    status?: {
+      status_list: {
+        idx: number;
+        uri: string;
+      };
+    } | undefined;
+    issuerKeyMaterial?: {
+      issuer: string;
+      jwks: {
+        keys: Record<string, unknown>[];
+      };
+    } | {
+      issuer: string;
+      jwk: Record<string, unknown>;
+    } | undefined;
+  };
+  status: null;
+  statusWarning: string;
+}>;
+//#endregion
+//#region src/index.d.ts
+type InteractiveCliOptions = {
+  walletDir?: string;
+  verbose?: boolean;
+};
+declare function parseInteractiveCliOptions(argv: string[]): InteractiveCliOptions;
+declare function runCli(argv?: string[]): Promise<void>;
+//#endregion
+export { createProgram, deleteAllCredentialsAction, deleteCredentialAction, deleteWalletAction, importCredentialAction, initWalletAction, interactiveWalletAction, listCredentialsAction, parseInteractiveCliOptions, presentCredentialAction, receiveCredentialAction, runCli, showCredentialAction };

package/dist/index.mjs

@@ -0,0 +1,936 @@
+#!/usr/bin/env node
+import { pathToFileURL } from "node:url";
+import { handleCliError, outputFormatSchema, printResult, resolveCliVersion, resolvePackageJsonPath, setVerbose, textOutputFormatSchema, verbose } from "@vidos-id/openid4vc-cli-common";
+import { access, mkdir, readFile, readdir, rm, unlink, writeFile } from "node:fs/promises";
+import { stdout } from "node:process";
+import inquirer from "inquirer";
+import { z } from "zod";
+import { join } from "node:path";
+import { HolderKeyRecordSchema, StoredCredentialRecordSchema, Wallet, createOpenId4VpAuthorizationResponse, parseOpenid4VpAuthorizationUrl, receiveCredentialFromOffer, resolveOpenId4VpRequest, submitOpenId4VpAuthorizationResponse } from "@vidos-id/openid4vc-wallet";
+import { Command } from "commander";
+//#region src/format.ts
+function formatInitResult(input) {
+	const source = input.imported ? "imported" : "generated";
+	return [`Initialized wallet at ${input.walletDir}`, `Holder key: ${input.holderKey.id} (${input.holderKey.algorithm ?? "unknown"}, ${source})`].join("\n");
+}
+function formatCredentialSummary(action, credential) {
+	return [
+		`${action} credential ${credential.id}`,
+		`VCT: ${credential.vct}`,
+		`Issuer: ${credential.issuer}`
+	].join("\n");
+}
+function formatCredentialList(credentials) {
+	if (credentials.length === 0) return "0 credentials found";
+	const lines = [`${credentials.length} credential${credentials.length === 1 ? "" : "s"} found`];
+	for (const credential of credentials) lines.push(`${credential.id} | ${credential.vct} | ${credential.issuer}`);
+	return lines.join("\n");
+}
+function formatCredentialDetails(input) {
+	const { credential, status, statusWarning } = input;
+	const lines = [
+		"Credential",
+		`ID: ${credential.id}`,
+		`Issuer: ${credential.issuer}`,
+		`VCT: ${credential.vct}`,
+		"",
+		"Claims"
+	];
+	const claimEntries = Object.entries(credential.claims);
+	if (claimEntries.length === 0) lines.push("none");
+	else for (const [key, value] of claimEntries) lines.push(`${key}: ${formatValue(value)}`);
+	lines.push("", "Status");
+	if (status) {
+		lines.push(`State: ${status.status.label}`);
+		lines.push(`Valid: ${status.status.isValid ? "yes" : "no"}`);
+		lines.push(`Value: ${status.status.value}`);
+		lines.push(`Reference: ${status.statusReference.uri}#${status.statusReference.idx}`);
+		if (status.statusList.ttl !== void 0) lines.push(`TTL: ${status.statusList.ttl}`);
+	} else if (credential.status?.status_list) {
+		lines.push("State: unresolved");
+		lines.push(`Reference: ${credential.status.status_list.uri}#${credential.status.status_list.idx}`);
+		if (statusWarning) lines.push(`Warning: ${statusWarning}`);
+	} else lines.push("State: not present");
+	return lines.join("\n");
+}
+function formatPresentationSummary(result) {
+	const lines = ["Presentation created"];
+	if (result.matchedCredentials.length === 0) lines.push("Matched credentials: none");
+	else {
+		lines.push("Matched credentials:");
+		for (const credential of result.matchedCredentials) lines.push(`${credential.credentialId} | ${credential.vct} | ${credential.issuer}`);
+	}
+	lines.push(`Submitted: ${result.submitted ? "yes" : "no"}`);
+	if (result.submission !== void 0) lines.push(`Submission response: ${formatValue(result.submission)}`);
+	return lines.join("\n");
+}
+function formatDeleteCredentialSummary(credentialId) {
+	return `Deleted credential ${credentialId}`;
+}
+function formatDeleteAllCredentialsSummary(deleted) {
+	return `Deleted ${deleted} credential${deleted === 1 ? "" : "s"}`;
+}
+function formatDeleteWalletSummary(walletDir) {
+	return `Deleted wallet at ${walletDir}`;
+}
+function formatValue(value) {
+	if (typeof value === "string") return value;
+	if (typeof value === "number" || typeof value === "boolean") return String(value);
+	if (value === null || value === void 0) return String(value);
+	return JSON.stringify(value);
+}
+//#endregion
+//#region src/prompts.ts
+var PromptSession = class {
+	close() {}
+	async text(label, options) {
+		const { value } = await inquirer.prompt([{
+			type: options?.password ? "password" : "input",
+			name: "value",
+			message: label,
+			default: options?.defaultValue,
+			mask: options?.password ? "*" : void 0,
+			validate: (input) => {
+				if (input.trim() || options?.allowEmpty || options?.defaultValue !== void 0) return true;
+				return "A value is required";
+			}
+		}]);
+		return value.trim() || options?.defaultValue || "";
+	}
+	async choose(label, choices) {
+		const { value } = await inquirer.prompt([{
+			type: "list",
+			name: "value",
+			message: label,
+			choices: choices.map((choice) => ({
+				name: choice.label,
+				value: choice.value
+			}))
+		}]);
+		return value;
+	}
+	async confirm(label, defaultValue = true) {
+		const { value } = await inquirer.prompt([{
+			type: "confirm",
+			name: "value",
+			message: label,
+			default: defaultValue
+		}]);
+		return value;
+	}
+};
+//#endregion
+//#region src/schemas.ts
+const importOptionsSchema = z.object({
+	walletDir: z.string().min(1),
+	credential: z.string().optional(),
+	credentialFile: z.string().optional(),
+	output: textOutputFormatSchema.default("text")
+}).superRefine((value, ctx) => {
+	if (!value.credential && !value.credentialFile) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		message: "Provide --credential or --credential-file",
+		path: ["credential"]
+	});
+	if (value.credential && value.credentialFile) ctx.addIssue({
+		code: z.ZodIssueCode.custom,
+		message: "Use only one of --credential or --credential-file",
+		path: ["credential"]
+	});
+});
+const receiveOptionsSchema = z.object({
+	walletDir: z.string().min(1),
+	offer: z.string().min(1),
+	output: textOutputFormatSchema.default("text")
+});
+const listOptionsSchema = z.object({
+	walletDir: z.string().min(1),
+	vct: z.string().optional(),
+	issuer: z.string().optional(),
+	output: textOutputFormatSchema.default("text")
+});
+const deleteOptionsSchema = z.object({
+	walletDir: z.string().min(1),
+	credentialId: z.string().min(1)
+});
+const initOptionsSchema = z.object({
+	walletDir: z.string().min(1),
+	alg: z.enum([
+		"ES256",
+		"ES384",
+		"EdDSA"
+	]).optional(),
+	holderKeyFile: z.string().optional(),
+	output: textOutputFormatSchema.default("text")
+});
+const showOptionsSchema = z.object({
+	walletDir: z.string().min(1),
+	credentialId: z.string().min(1),
+	output: outputFormatSchema.default("text")
+});
+const presentOptionsSchema = z.object({
+	walletDir: z.string().min(1),
+	request: z.string().min(1),
+	credentialId: z.string().optional(),
+	dryRun: z.boolean().optional().default(false),
+	output: outputFormatSchema.default("text")
+});
+//#endregion
+//#region src/storage.ts
+const walletManifestSchema = z.object({
+	version: z.literal(1),
+	credentials: z.array(z.object({
+		id: z.string().min(1),
+		fileName: z.string().min(1),
+		issuer: z.string().min(1),
+		vct: z.string().min(1),
+		importedAt: z.string().datetime()
+	})).default([]),
+	updatedAt: z.string().datetime()
+});
+const defaultManifest = () => ({
+	version: 1,
+	credentials: [],
+	updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+});
+const isMissingFileError = (error) => error instanceof Error && "code" in error && error.code === "ENOENT";
+var FileSystemWalletStorage = class {
+	walletDir;
+	holderKeyPath;
+	manifestPath;
+	credentialsDir;
+	constructor(walletDir) {
+		this.walletDir = walletDir;
+		this.holderKeyPath = join(walletDir, "holder-key.json");
+		this.manifestPath = join(walletDir, "wallet.json");
+		this.credentialsDir = join(walletDir, "credentials");
+	}
+	async getHolderKey() {
+		return await readJsonFile(this.holderKeyPath, HolderKeyRecordSchema) ?? null;
+	}
+	async setHolderKey(record) {
+		await this.ensureLayout();
+		await writeJsonFile(this.holderKeyPath, HolderKeyRecordSchema.parse(record));
+	}
+	async listCredentials() {
+		await this.ensureLayout();
+		const manifest = await this.readManifest() ?? defaultManifest();
+		return (await Promise.all(manifest.credentials.map(async ({ id }) => this.getCredential(id)))).filter((record) => record !== null);
+	}
+	async getCredential(id) {
+		await this.ensureLayout();
+		return await readJsonFile(this.credentialPath(id), StoredCredentialRecordSchema) ?? null;
+	}
+	async setCredential(record) {
+		await this.ensureLayout();
+		const parsed = StoredCredentialRecordSchema.parse(record);
+		await writeJsonFile(this.credentialPath(parsed.id), parsed);
+		const manifest = await this.readManifest() ?? defaultManifest();
+		const entry = {
+			id: parsed.id,
+			fileName: this.credentialFileName(parsed.id),
+			issuer: parsed.issuer,
+			vct: parsed.vct,
+			importedAt: parsed.importedAt
+		};
+		const existingIndex = manifest.credentials.findIndex((candidate) => candidate.id === parsed.id);
+		if (existingIndex >= 0) manifest.credentials[existingIndex] = entry;
+		else manifest.credentials.push(entry);
+		manifest.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+		await writeJsonFile(this.manifestPath, manifest);
+	}
+	async deleteCredential(id) {
+		await this.ensureLayout();
+		const manifest = await this.readManifest() ?? defaultManifest();
+		const nextCredentials = manifest.credentials.filter((candidate) => candidate.id !== id);
+		if (nextCredentials.length === manifest.credentials.length) return false;
+		await unlinkIfExists(this.credentialPath(id));
+		manifest.credentials = nextCredentials;
+		manifest.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+		await writeJsonFile(this.manifestPath, manifest);
+		return true;
+	}
+	async deleteAllCredentials() {
+		await this.ensureLayout();
+		const manifest = await this.readManifest() ?? defaultManifest();
+		const deleted = manifest.credentials.length;
+		await Promise.all(manifest.credentials.map(({ id }) => unlinkIfExists(this.credentialPath(id))));
+		manifest.credentials = [];
+		manifest.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+		await writeJsonFile(this.manifestPath, manifest);
+		return deleted;
+	}
+	async deleteWallet() {
+		await rm(this.walletDir, {
+			recursive: true,
+			force: true
+		});
+	}
+	async ensureLayout() {
+		await mkdir(this.credentialsDir, { recursive: true });
+		if (await this.readManifest() === null) await writeJsonFile(this.manifestPath, defaultManifest());
+	}
+	async readManifest() {
+		const parsed = await readJsonFile(this.manifestPath, walletManifestSchema);
+		if (parsed) return parsed;
+		const fileNames = await readDirectoryNames(this.credentialsDir);
+		if (fileNames.length === 0) return null;
+		const manifest = {
+			version: 1,
+			credentials: (await Promise.all(fileNames.filter((fileName) => fileName.endsWith(".json")).map(async (fileName) => {
+				const record = await readJsonFile(join(this.credentialsDir, fileName), StoredCredentialRecordSchema);
+				return record ? {
+					id: record.id,
+					fileName,
+					issuer: record.issuer,
+					vct: record.vct,
+					importedAt: record.importedAt
+				} : null;
+			}))).filter((record) => record !== null),
+			updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+		};
+		await writeJsonFile(this.manifestPath, manifest);
+		return manifest;
+	}
+	credentialPath(id) {
+		return join(this.credentialsDir, this.credentialFileName(id));
+	}
+	credentialFileName(id) {
+		return `${encodeURIComponent(id)}.json`;
+	}
+};
+async function readJsonFile(filePath, schema) {
+	try {
+		const content = await readFile(filePath, "utf8");
+		return schema.parse(JSON.parse(content));
+	} catch (error) {
+		if (isMissingFileError(error)) return null;
+		throw error;
+	}
+}
+async function writeJsonFile(filePath, value) {
+	await writeFile(filePath, JSON.stringify(value, null, 2), "utf8");
+}
+async function unlinkIfExists(filePath) {
+	try {
+		await unlink(filePath);
+	} catch (error) {
+		if (isMissingFileError(error)) return;
+		throw error;
+	}
+}
+async function readDirectoryNames(directoryPath) {
+	try {
+		return await readdir(directoryPath);
+	} catch (error) {
+		if (isMissingFileError(error)) return [];
+		throw error;
+	}
+}
+//#endregion
+//#region src/actions/delete.ts
+const deleteWalletOptionsSchema = deleteOptionsSchema.omit({ credentialId: true });
+async function deleteCredentialAction(rawOptions) {
+	const options = deleteOptionsSchema.parse(rawOptions);
+	await new FileSystemWalletStorage(options.walletDir).deleteCredential(options.credentialId);
+	return { credentialId: options.credentialId };
+}
+async function deleteAllCredentialsAction(rawOptions) {
+	return { deleted: await new FileSystemWalletStorage(deleteWalletOptionsSchema.parse(rawOptions).walletDir).deleteAllCredentials() };
+}
+async function deleteWalletAction(rawOptions) {
+	const options = deleteWalletOptionsSchema.parse(rawOptions);
+	await new FileSystemWalletStorage(options.walletDir).deleteWallet();
+	return { walletDir: options.walletDir };
+}
+//#endregion
+//#region src/actions/list.ts
+async function listCredentialsAction(rawOptions) {
+	const options = listOptionsSchema.parse(rawOptions);
+	return { credentials: (await new Wallet(new FileSystemWalletStorage(options.walletDir)).listCredentials()).filter((credential) => {
+		if (options.vct && credential.vct !== options.vct) return false;
+		if (options.issuer && credential.issuer !== options.issuer) return false;
+		return true;
+	}) };
+}
+//#endregion
+//#region src/actions/delete-helpers.ts
+async function chooseCredentialId(prompt, walletDir) {
+	const list = await listCredentialsAction({ walletDir });
+	if (list.credentials.length === 0) {
+		stdout.write("0 credentials found\n\n");
+		return null;
+	}
+	return prompt.choose("Select a credential", list.credentials.map((credential) => ({
+		label: `${credential.id} | ${credential.vct} | ${credential.issuer}`,
+		value: credential.id
+	})));
+}
+//#endregion
+//#region src/actions/import.ts
+async function importCredentialAction(rawOptions) {
+	const options = importOptionsSchema.parse(rawOptions);
+	const wallet = new Wallet(new FileSystemWalletStorage(options.walletDir));
+	const credential = (options.credential ?? await readFile(options.credentialFile, "utf8")).trim();
+	return { credential: await wallet.importCredential({ credential }) };
+}
+//#endregion
+//#region src/actions/init.ts
+async function initWalletAction(rawOptions) {
+	const options = initOptionsSchema.parse(rawOptions);
+	const wallet = new Wallet(new FileSystemWalletStorage(options.walletDir));
+	if (options.holderKeyFile) {
+		const raw = JSON.parse(await readFile(options.holderKeyFile, "utf8"));
+		const privateJwk = raw.privateJwk ?? raw;
+		const publicJwk = raw.publicJwk ?? raw;
+		const algorithm = detectAlgorithm(publicJwk, options.alg);
+		return {
+			holderKey: await wallet.importHolderKey({
+				privateJwk,
+				publicJwk,
+				algorithm
+			}),
+			imported: true
+		};
+	}
+	return {
+		holderKey: await wallet.getOrCreateHolderKey(options.alg),
+		imported: false
+	};
+}
+function detectAlgorithm(jwk, explicit) {
+	if (explicit) return explicit;
+	const kty = jwk.kty;
+	const crv = jwk.crv;
+	if (kty === "EC" && crv === "P-384") return "ES384";
+	if (kty === "EC") return "ES256";
+	if (kty === "OKP") return "EdDSA";
+	throw new Error("Cannot infer algorithm from key type. Use --alg to specify.");
+}
+//#endregion
+//#region src/selected-storage.ts
+var SelectedCredentialStorage = class {
+	constructor(base, selectedCredential) {
+		this.base = base;
+		this.selectedCredential = selectedCredential;
+	}
+	getHolderKey() {
+		return this.base.getHolderKey();
+	}
+	setHolderKey(record) {
+		if (!record) throw new Error("holder key is required");
+		return this.base.setHolderKey(record);
+	}
+	async listCredentials() {
+		return [this.selectedCredential];
+	}
+	async getCredential(id) {
+		if (id !== this.selectedCredential.id) return null;
+		return this.selectedCredential;
+	}
+	setCredential(record) {
+		return this.base.setCredential(record);
+	}
+};
+//#endregion
+//#region src/actions/present.ts
+async function presentCredentialAction(rawOptions) {
+	const options = presentOptionsSchema.parse(rawOptions);
+	const request = await parsePresentationRequest(options.request);
+	const storage = new FileSystemWalletStorage(options.walletDir);
+	const wallet = options.credentialId ? await createSelectedWallet(storage, options.credentialId) : new Wallet(storage);
+	const selectedCredentials = options.credentialId ? void 0 : await maybeSelectCredentials(wallet, request, rawOptions.prompt);
+	const presentation = await wallet.createPresentation(request, { selectedCredentials });
+	const authorizationResponse = createOpenId4VpAuthorizationResponse(request, presentation);
+	const submission = !options.dryRun && (request.response_mode === "direct_post" || request.response_mode === "direct_post.jwt") ? await submitOpenId4VpAuthorizationResponse(request, authorizationResponse) : void 0;
+	return {
+		...presentation,
+		submitted: submission !== void 0,
+		submission
+	};
+}
+async function parsePresentationRequest(value) {
+	const trimmed = unwrapQuotedInput(value.trim());
+	if (trimmed.startsWith("openid4vp:")) {
+		verbose("Parsing openid4vp:// authorization URL");
+		return parseOpenid4VpAuthorizationUrl(trimmed);
+	}
+	verbose("Parsing inline OpenID4VP request JSON");
+	return resolveOpenId4VpRequest(JSON.parse(trimmed));
+}
+function unwrapQuotedInput(value) {
+	if (value.length < 2) return value;
+	const quote = value[0];
+	if ((quote === "\"" || quote === "'") && value.at(-1) === quote) return value.slice(1, -1).trim();
+	return value;
+}
+async function maybeSelectCredentials(wallet, request, prompt) {
+	const ambiguousQueries = (await wallet.inspectDcqlQuery(request)).queries.filter((queryMatch) => queryMatch.credentials.length > 1);
+	if (ambiguousQueries.length === 0) return;
+	const selections = {};
+	for (const queryMatch of ambiguousQueries) selections[queryMatch.queryId] = prompt ? await prompt(queryMatch) : await promptForCredentialSelection(queryMatch);
+	return selections;
+}
+async function promptForCredentialSelection(queryMatch) {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) {
+		const candidates = queryMatch.credentials.map((c) => `  ${c.credentialId} (${c.vct}, ${c.issuer})`).join("\n");
+		throw new Error(`Multiple credentials match query "${queryMatch.queryId}":\n${candidates}\n\nRerun with --credential-id to select one, for example:\n  openid4vc-wallet present --wallet-dir <dir> --request <value> --credential-id ${queryMatch.credentials[0]?.credentialId ?? "<id>"}`);
+	}
+	const prompt = new PromptSession();
+	try {
+		return await prompt.choose(`Multiple credentials match query ${queryMatch.queryId}`, queryMatch.credentials.map((credential) => ({
+			label: `${credential.credentialId} | ${credential.vct} | ${credential.issuer} | ${formatClaimPreview(credential.claims)}`,
+			value: credential.credentialId
+		})));
+	} finally {
+		prompt.close();
+	}
+}
+function formatClaimPreview(claims) {
+	const preview = Object.entries(claims).slice(0, 2).map(([key, value]) => `${key}=${formatClaimValue(value)}`).join(", ");
+	return preview.length > 0 ? preview : "no disclosed claims";
+}
+function formatClaimValue(value) {
+	if (typeof value === "string" || typeof value === "number") return String(value);
+	if (typeof value === "boolean") return value ? "true" : "false";
+	if (value && typeof value === "object") return JSON.stringify(value);
+	return "?";
+}
+async function createSelectedWallet(storage, credentialId) {
+	const credential = await storage.getCredential(credentialId);
+	if (!credential) throw new Error(`Credential ${credentialId} not found`);
+	return new Wallet(new SelectedCredentialStorage(storage, credential));
+}
+//#endregion
+//#region src/actions/receive.ts
+async function receiveCredentialAction(rawOptions) {
+	const options = receiveOptionsSchema.parse(rawOptions);
+	return { credential: await receiveCredentialFromOffer(new Wallet(new FileSystemWalletStorage(options.walletDir)), options.offer) };
+}
+//#endregion
+//#region src/actions/show.ts
+async function showCredentialAction(rawOptions) {
+	const options = showOptionsSchema.parse(rawOptions);
+	const storage = new FileSystemWalletStorage(options.walletDir);
+	const wallet = new Wallet(storage);
+	const credential = await storage.getCredential(options.credentialId);
+	if (!credential) throw new Error(`Credential ${options.credentialId} not found`);
+	try {
+		return {
+			credential,
+			status: await wallet.getCredentialStatus(options.credentialId),
+			statusWarning: void 0
+		};
+	} catch (error) {
+		return {
+			credential,
+			status: null,
+			statusWarning: error instanceof Error ? error.message : String(error)
+		};
+	}
+}
+//#endregion
+//#region src/actions/interactive.ts
+const interactiveChoices = [
+	{
+		label: "Receive credential offer",
+		value: "receive"
+	},
+	{
+		label: "List credentials",
+		value: "list"
+	},
+	{
+		label: "Show credential",
+		value: "show"
+	},
+	{
+		label: "Delete credential",
+		value: "delete"
+	},
+	{
+		label: "Delete all credentials",
+		value: "delete-all"
+	},
+	{
+		label: "Present credential",
+		value: "present"
+	},
+	{
+		label: "Import raw credential",
+		value: "import"
+	},
+	{
+		label: "Reinitialize wallet",
+		value: "init"
+	},
+	{
+		label: "Delete wallet initialization",
+		value: "delete-wallet"
+	},
+	{
+		label: "Switch wallet directory",
+		value: "switch"
+	},
+	{
+		label: "Exit",
+		value: "exit"
+	}
+];
+async function interactiveWalletAction(rawOptions) {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) throw new Error("Interactive mode requires a TTY. Use an explicit subcommand for non-interactive usage.");
+	const options = rawOptions ?? {};
+	const prompt = new PromptSession();
+	let walletDir = await prompt.text("Wallet directory", { defaultValue: options.walletDir ?? "./wallet-data" });
+	try {
+		while (true) {
+			const choice = await prompt.choose("Wallet CLI", [...interactiveChoices]);
+			stdout.write("\n");
+			try {
+				const nextWalletDir = await runInteractiveChoice({
+					prompt,
+					walletDir,
+					choice
+				});
+				if (nextWalletDir === void 0) return;
+				walletDir = nextWalletDir;
+			} catch (error) {
+				process.stderr.write(`${formatInteractiveError(error)}\n\n`);
+			}
+		}
+	} finally {
+		prompt.close();
+	}
+}
+async function runInteractiveChoice({ prompt, walletDir, choice }) {
+	switch (choice) {
+		case "exit": return;
+		case "switch": {
+			const nextWalletDir = await prompt.text("Wallet directory", { defaultValue: walletDir });
+			stdout.write(`Using wallet ${nextWalletDir}.\n\n`);
+			return nextWalletDir;
+		}
+		case "init": {
+			const result = await initWalletAction({
+				walletDir,
+				alg: await prompt.choose("Holder key algorithm", [
+					{
+						label: "ES256",
+						value: "ES256"
+					},
+					{
+						label: "ES384",
+						value: "ES384"
+					},
+					{
+						label: "EdDSA",
+						value: "EdDSA"
+					}
+				])
+			});
+			stdout.write(`${formatInitResult({
+				walletDir,
+				holderKey: result.holderKey,
+				imported: result.imported
+			})}\n\n`);
+			return walletDir;
+		}
+		case "receive": {
+			if (!await ensureWalletReady(prompt, walletDir)) return walletDir;
+			const result = await receiveCredentialAction({
+				walletDir,
+				offer: await prompt.text("Credential offer or offer URI")
+			});
+			stdout.write(`${formatCredentialSummary("Received", result.credential)}\n\n`);
+			return walletDir;
+		}
+		case "import": {
+			if (!await ensureWalletReady(prompt, walletDir)) return walletDir;
+			const result = await importCredentialAction({
+				walletDir,
+				credential: await prompt.text("Compact dc+sd-jwt credential")
+			});
+			stdout.write(`${formatCredentialSummary("Imported", result.credential)}\n\n`);
+			return walletDir;
+		}
+		case "list": {
+			if (!await ensureWalletReady(prompt, walletDir)) return walletDir;
+			const result = await listCredentialsAction({ walletDir });
+			stdout.write(`${formatCredentialList(result.credentials)}\n\n`);
+			return walletDir;
+		}
+		case "show": {
+			if (!await ensureWalletReady(prompt, walletDir)) return walletDir;
+			const credentialId = await chooseCredentialId(prompt, walletDir);
+			if (credentialId === null) return walletDir;
+			const result = await showCredentialAction({
+				walletDir,
+				credentialId
+			});
+			if (result.statusWarning) process.stderr.write(`Warning: failed to resolve credential status: ${result.statusWarning}\n`);
+			stdout.write(`${formatCredentialDetails({
+				credential: result.credential,
+				status: result.status,
+				statusWarning: result.statusWarning
+			})}\n\n`);
+			return walletDir;
+		}
+		case "delete": {
+			if (!await ensureWalletReady(prompt, walletDir)) return walletDir;
+			const credentialId = await chooseCredentialId(prompt, walletDir);
+			if (credentialId === null) return walletDir;
+			if (!await prompt.confirm(`Delete credential ${credentialId}?`, false)) {
+				stdout.write("Action cancelled.\n\n");
+				return walletDir;
+			}
+			await deleteCredentialAction({
+				walletDir,
+				credentialId
+			});
+			stdout.write(`${formatDeleteCredentialSummary(credentialId)}\n\n`);
+			return walletDir;
+		}
+		case "delete-all": {
+			if (!await ensureWalletReady(prompt, walletDir)) return walletDir;
+			if (!await prompt.confirm("Delete all credentials?", false)) {
+				stdout.write("Action cancelled.\n\n");
+				return walletDir;
+			}
+			const result = await deleteAllCredentialsAction({ walletDir });
+			stdout.write(`${formatDeleteAllCredentialsSummary(result.deleted)}\n\n`);
+			return walletDir;
+		}
+		case "present": {
+			if (!await ensureWalletReady(prompt, walletDir)) return walletDir;
+			const result = await presentCredentialAction({
+				walletDir,
+				request: await prompt.text("OpenID4VP request JSON or openid4vp:// URL")
+			});
+			stdout.write(`${formatPresentationSummary(result)}\n\n`);
+			return walletDir;
+		}
+		case "delete-wallet":
+			if (!await walletExists(walletDir)) {
+				stdout.write(`Wallet ${walletDir} is not initialized yet.\n\n`);
+				return walletDir;
+			}
+			if (!await prompt.confirm(`Delete wallet initialization at ${walletDir} and exit?`, false)) {
+				stdout.write("Action cancelled.\n\n");
+				return walletDir;
+			}
+			await deleteWalletAction({ walletDir });
+			stdout.write(`${formatDeleteWalletSummary(walletDir)}\n\n`);
+			return;
+	}
+}
+async function ensureWalletReady(prompt, walletDir) {
+	if (await walletExists(walletDir)) return true;
+	stdout.write(`Wallet ${walletDir} is not initialized yet.\n`);
+	if (!await prompt.confirm("Create it now?", true)) {
+		stdout.write("Action cancelled.\n\n");
+		return false;
+	}
+	const result = await initWalletAction({
+		walletDir,
+		alg: await prompt.choose("Holder key algorithm", [
+			{
+				label: "ES256",
+				value: "ES256"
+			},
+			{
+				label: "ES384",
+				value: "ES384"
+			},
+			{
+				label: "EdDSA",
+				value: "EdDSA"
+			}
+		])
+	});
+	stdout.write(`${formatInitResult({
+		walletDir,
+		holderKey: result.holderKey,
+		imported: result.imported
+	})}\n\n`);
+	return true;
+}
+async function walletExists(walletDir) {
+	try {
+		await access(walletDir);
+		await access(`${walletDir}/wallet.json`);
+		await access(`${walletDir}/holder-key.json`);
+		return true;
+	} catch {
+		return false;
+	}
+}
+function formatInteractiveError(error) {
+	if (error instanceof Error && error.message.trim()) return error.message;
+	return String(error);
+}
+//#endregion
+//#region src/program.ts
+function createProgram(version) {
+	const program = new Command().name("openid4vc-wallet").version(version).description("Demo wallet CLI for OpenID4VCI receipt, credential storage, status resolution, and OpenID4VP presentation. Run without a subcommand to start interactive mode.").addHelpText("after", "\nInteractive mode:\n  Run `openid4vc-wallet` without a subcommand to open the prompt-driven workflow.").option("--verbose", "Enable verbose logging to stderr", false).hook("preAction", (_thisCommand, actionCommand) => {
+		if (actionCommand.optsWithGlobals().verbose) setVerbose(true);
+	});
+	program.command("init").description("Initialize a wallet directory and create a holder key").requiredOption("--wallet-dir <dir>", "Path to the wallet storage directory (created if it does not exist)").option("--alg <algorithm>", "Holder key algorithm: ES256, ES384, or EdDSA (default: ES256)").option("--holder-key-file <file>", "Import an existing holder key from a JWK JSON file instead of generating one").option("--output <format>", "Output format: text or json", "text").addHelpText("after", `\nExamples:\n  $ openid4vc-wallet init --wallet-dir ./my-wallet\n  $ openid4vc-wallet init --wallet-dir ./my-wallet --alg EdDSA\n  $ openid4vc-wallet init --wallet-dir ./my-wallet --holder-key-file ./existing-key.jwk.json\n  $ openid4vc-wallet init --wallet-dir ./my-wallet --output json\n\nNotes:\n  - Default output is a concise text summary; use --output json for full details\n  - --holder-key-file accepts either a bare private JWK or an object with privateJwk/publicJwk fields\n  - If the key algorithm cannot be inferred from the JWK, pass --alg explicitly`).action(async (options) => {
+		verbose(`Initializing wallet in ${options.walletDir}`);
+		const result = await initWalletAction(options);
+		if (options.output === "json") {
+			printResult(result, "json");
+			return;
+		}
+		printResult(formatInitResult({
+			walletDir: options.walletDir,
+			holderKey: result.holderKey,
+			imported: result.imported
+		}), "text");
+	});
+	program.command("receive").description("Receive and store a credential from an OpenID4VCI credential offer using issuer metadata discovery").requiredOption("--wallet-dir <dir>", "Path to the wallet storage directory").requiredOption("--offer <value>", "Credential offer JSON or an openid-credential-offer:// URI").option("--output <format>", "Output format: text or json", "text").addHelpText("after", `\nExamples:\n  $ openid4vc-wallet receive \\
+      --wallet-dir ./my-wallet \\
+      --offer 'openid-credential-offer://?credential_offer=...'\n\n  $ openid4vc-wallet receive \\
+      --wallet-dir ./my-wallet \\
+      --offer '{"credential_issuer":"https://issuer.example",...}'\n\n  $ openid4vc-wallet receive \\
+      --wallet-dir ./my-wallet \\
+      --offer 'openid-credential-offer://?credential_offer=...' \\
+      --output json\n\nNotes:\n  - Default output is a concise text summary; use --output json for full details\n  - Supports by-value credential_offer and by-reference credential_offer_uri inputs\n  - Resolves issuer metadata from credential_issuer via /.well-known/openid-credential-issuer[issuer-path]\n  - Uses token_endpoint, credential_endpoint, and optional nonce_endpoint from the fetched metadata\n  - Does not hardcode endpoint paths and does not expose manual endpoint overrides\n  - Current flow covers the minimal OpenID4VCI subset: pre-authorized code, JWT proof, and single dc+sd-jwt issuance\n  - A credential_offer_uri is fetched first, then redeemed like an inline offer`).action(async (options) => {
+		verbose(`Receiving credential into ${options.walletDir}`);
+		const result = await receiveCredentialAction(options);
+		if (options.output === "json") {
+			printResult(result, "json");
+			return;
+		}
+		printResult(formatCredentialSummary("Received", result.credential), "text");
+	});
+	program.command("import").description("Import an already-issued dc+sd-jwt credential into the wallet").requiredOption("--wallet-dir <dir>", "Path to the wallet storage directory").option("--credential <value>", "Inline credential text (compact dc+sd-jwt)").option("--credential-file <file>", "Path to a credential file (compact dc+sd-jwt text)").option("--output <format>", "Output format: text or json", "text").addHelpText("after", `\nExamples:\n  $ openid4vc-wallet import \\
+      --wallet-dir ./my-wallet \\
+      --credential-file ./issuer/credential.txt\n\n  $ openid4vc-wallet import \\
+      --wallet-dir ./my-wallet \\
+      --credential 'eyJ...'\n\n  $ openid4vc-wallet import \\
+      --wallet-dir ./my-wallet \\
+      --credential-file ./issuer/credential.txt \\
+      --output json\n\nNotes:\n  - Default output is a concise text summary; use --output json for full details\n  - Provide exactly one of --credential or --credential-file\n  - Prefer openid4vc-wallet receive when you have an OpenID4VCI credential offer\n  - This command imports an already-issued compact dc+sd-jwt; it does not resolve credential offers`).action(async (options) => {
+		verbose(`Importing credential`);
+		const result = await importCredentialAction(options);
+		if (options.output === "json") {
+			printResult(result, "json");
+			return;
+		}
+		printResult(formatCredentialSummary("Imported", result.credential), "text");
+	});
+	program.command("list").description("List stored credentials in the wallet").requiredOption("--wallet-dir <dir>", "Path to the wallet storage directory").option("--vct <uri>", "Filter by Verifiable Credential Type URI (e.g. urn:eudi:pid:1)").option("--issuer <url>", "Filter by issuer identifier URL (e.g. https://issuer.example)").option("--output <format>", "Output format: text or json", "text").addHelpText("after", `\nExamples:\n  $ openid4vc-wallet list --wallet-dir ./my-wallet\n  $ openid4vc-wallet list --wallet-dir ./my-wallet --vct urn:eudi:pid:1\n  $ openid4vc-wallet list --wallet-dir ./my-wallet --issuer https://issuer.example\n  $ openid4vc-wallet list --wallet-dir ./my-wallet --output json`).action(async (options) => {
+		verbose(`Listing credentials in ${options.walletDir}`);
+		const result = await listCredentialsAction(options);
+		if (options.output === "json") {
+			printResult(result, "json");
+			return;
+		}
+		printResult(formatCredentialList(result.credentials), "text");
+	});
+	program.command("show").description("Show a single stored credential by id").requiredOption("--wallet-dir <dir>", "Path to the wallet storage directory").requiredOption("--credential-id <id>", "Credential id (from list output) to display").option("--output <format>", "Output format: text, json, or raw (compact sd-jwt text)", "text").addHelpText("after", `\nExamples:\n  $ openid4vc-wallet show --wallet-dir ./my-wallet --credential-id <id>\n  $ openid4vc-wallet show --wallet-dir ./my-wallet --credential-id <id> --output raw\n  $ openid4vc-wallet show --wallet-dir ./my-wallet --credential-id <id> --output json\n\nNotes:\n  - Status resolution runs automatically when the stored credential has a status reference\n  - If status resolution fails, the credential is still shown and a warning is printed\n  - Default output is a sectioned text view; use --output json for full details\n  - --output raw prints only the compact sd-jwt credential text`).action(async (options) => {
+		verbose(`Showing credential ${options.credentialId}`);
+		const result = await showCredentialAction(options);
+		if (options.output === "raw") {
+			process.stdout.write(`${result.credential.compactSdJwt}\n`);
+			return;
+		}
+		if (result.statusWarning) process.stderr.write(`Warning: failed to resolve credential status: ${result.statusWarning}\n`);
+		if (options.output === "text") {
+			printResult(formatCredentialDetails({
+				credential: result.credential,
+				status: result.status,
+				statusWarning: result.statusWarning
+			}), "text");
+			return;
+		}
+		printResult(result, options.output);
+	});
+	program.command("present").description("Create a DCQL-based OpenID4VP presentation from wallet credentials").requiredOption("--wallet-dir <dir>", "Path to the wallet storage directory").requiredOption("--request <value>", "OpenID4VP request JSON or an openid4vp:// authorization URL").option("--credential-id <id>", "Use a specific credential for the presentation (skip selection prompt)").option("--dry-run", "Build the VP response but do not submit it to the verifier").option("--output <format>", "Output format: text, json, or raw (vp_token text only)", "text").addHelpText("after", `\nExamples:\n  $ openid4vc-wallet present \\
+      --wallet-dir ./my-wallet \\
+      --request 'openid4vp://authorize?...'\n\n  $ openid4vc-wallet present \\
+      --wallet-dir ./my-wallet \\
+      --request '{"client_id":"https://verifier.example","nonce":"...","dcql_query":{...}}' \\
+      --credential-id <id> \\
+      --dry-run\n\n  $ openid4vc-wallet present \\
+      --wallet-dir ./my-wallet \\
+      --request 'openid4vp://authorize?...' \\
+      --output raw\n\n  $ openid4vc-wallet present \\
+      --wallet-dir ./my-wallet \\
+      --request 'openid4vp://authorize?...' \\
+      --output json\n\nNotes:\n  - Default output is a concise text summary; use --output json for full details\n  - --output raw prints only the vp_token\n  - direct_post and direct_post.jwt requests are auto-submitted unless --dry-run is set\n  - If multiple credentials match and --credential-id is omitted, the CLI prompts in a TTY and errors in non-interactive environments`).action(async (options) => {
+		verbose(`Creating presentation from ${options.walletDir}`);
+		const result = await presentCredentialAction(options);
+		if (options.output === "raw") {
+			process.stdout.write(`${result.vpToken}\n`);
+			return;
+		}
+		if (options.output === "text") {
+			printResult(formatPresentationSummary(result), "text");
+			return;
+		}
+		printResult(result, options.output);
+	});
+	return program;
+}
+//#endregion
+//#region src/index.ts
+function parseInteractiveCliOptions(argv) {
+	const options = {};
+	for (let index = 2; index < argv.length; index += 1) {
+		const arg = argv[index];
+		if (!arg) continue;
+		if (arg === "--") break;
+		if (arg === "--verbose") {
+			options.verbose = true;
+			continue;
+		}
+		if (arg === "--wallet-dir") {
+			const value = argv[index + 1];
+			if (!value || value.startsWith("-")) throw new Error("option '--wallet-dir <dir>' argument missing");
+			options.walletDir = value;
+			index += 1;
+			continue;
+		}
+		if (arg.startsWith("--wallet-dir=")) options.walletDir = arg.slice(13);
+	}
+	return options;
+}
+function findFirstPositionalArg(argv) {
+	for (let index = 2; index < argv.length; index += 1) {
+		const arg = argv[index];
+		if (!arg) continue;
+		if (arg === "--") return argv[index + 1];
+		if (arg === "--wallet-dir") {
+			index += 1;
+			continue;
+		}
+		if (arg.startsWith("-")) continue;
+		return arg;
+	}
+}
+async function runCli(argv = process.argv) {
+	const program = createProgram(await resolveCliVersion(resolvePackageJsonPath(import.meta.url)));
+	try {
+		const firstPositionalArg = findFirstPositionalArg(argv);
+		const commandNames = new Set(program.commands.map((command) => command.name()));
+		if (firstPositionalArg === void 0 && !argv.includes("--help") && !argv.includes("-h") && !argv.includes("--version") && !argv.includes("-V")) {
+			const interactiveOptions = parseInteractiveCliOptions(argv);
+			if (interactiveOptions.verbose) setVerbose(true);
+			await interactiveWalletAction(interactiveOptions);
+			return;
+		}
+		if (firstPositionalArg !== void 0 && !commandNames.has(firstPositionalArg)) {
+			await program.parseAsync(argv);
+			return;
+		}
+		await program.parseAsync(argv);
+	} catch (error) {
+		handleCliError(error);
+	}
+}
+if (import.meta.url === pathToFileURL(process.argv[1] ?? process.cwd()).href) runCli().catch((error) => {
+	handleCliError(error);
+});
+//#endregion
+export { createProgram, deleteAllCredentialsAction, deleteCredentialAction, deleteWalletAction, importCredentialAction, initWalletAction, interactiveWalletAction, listCredentialsAction, parseInteractiveCliOptions, presentCredentialAction, receiveCredentialAction, runCli, showCredentialAction };

package/package.json

@@ -0,0 +1,50 @@
+{
+	"name": "@vidos-id/openid4vc-wallet-cli",
+	"description": "CLI for dc+sd-jwt wallet storage and OpenID4VP presentation.",
+	"version": "0.0.0-rc.1",
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/vidos-id/openid4vc-tools.git",
+		"directory": "packages/wallet-cli"
+	},
+	"type": "module",
+	"engines": {
+		"node": ">=20"
+	},
+	"main": "./dist/index.mjs",
+	"types": "./dist/index.d.mts",
+	"bin": {
+		"openid4vc-wallet": "./dist/index.mjs"
+	},
+	"exports": {
+		".": {
+			"development": {
+				"types": "./src/index.ts",
+				"default": "./src/index.ts"
+			},
+			"types": "./dist/index.d.mts",
+			"default": "./dist/index.mjs"
+		}
+	},
+	"publishConfig": {
+		"registry": "https://registry.npmjs.org/",
+		"access": "public"
+	},
+	"scripts": {
+		"build": "tsdown",
+		"check-types": "tsc --noEmit --project ../../tsconfig.json",
+		"package-publish": "bun publish",
+		"test": "bun --conditions=development test --pass-with-no-tests"
+	},
+	"files": [
+		"dist",
+		"README.md"
+	],
+	"dependencies": {
+		"@vidos-id/openid4vc-cli-common": "0.0.0-rc.1",
+		"@vidos-id/openid4vc-wallet": "0.0.0-rc.1",
+		"commander": "^14.0.3",
+		"inquirer": "^12.9.6",
+		"zod": "^4.3.6"
+	}
+}