@zcloak/ai-agent 1.0.0

package/README.md

@@ -0,0 +1,5 @@
+# zcloak-ai-agent
+
+A SKILL for zCloak.ai AI agents — register, sign, verify and interact with canisters directly.
+
+Read SKILL.md and enjoy.

package/dist/bind.d.ts

@@ -0,0 +1,22 @@
+#!/usr/bin/env node
+/**
+ * zCloak.ai Agent-Owner Binding Tool
+ *
+ * Executes the agent-owner WebAuthn/passkey binding flow.
+ * Automatically calls agent_prepare_bond and generates browser authentication URL.
+ * Includes passkey pre-check to ensure the target user has a registered passkey.
+ * Uses @dfinity JS SDK to interact directly with ICP canister, no dfx required.
+ *
+ * Usage:
+ *   zcloak-ai bind prepare <user_principal>         Prepare binding and generate authentication URL
+ *   zcloak-ai bind check-passkey <user_principal>   Check if a principal has a registered passkey
+ *
+ * All commands support --identity=<pem_path> to specify identity file.
+ */
+import { Session } from './session';
+/**
+ * Entry point when invoked via cli.ts.
+ * Receives a Session instance with pre-parsed arguments.
+ */
+export declare function run(session: Session): Promise<void>;
+//# sourceMappingURL=bind.d.ts.map

package/dist/bind.js

@@ -0,0 +1,145 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * zCloak.ai Agent-Owner Binding Tool
+ *
+ * Executes the agent-owner WebAuthn/passkey binding flow.
+ * Automatically calls agent_prepare_bond and generates browser authentication URL.
+ * Includes passkey pre-check to ensure the target user has a registered passkey.
+ * Uses @dfinity JS SDK to interact directly with ICP canister, no dfx required.
+ *
+ * Usage:
+ *   zcloak-ai bind prepare <user_principal>         Prepare binding and generate authentication URL
+ *   zcloak-ai bind check-passkey <user_principal>   Check if a principal has a registered passkey
+ *
+ * All commands support --identity=<pem_path> to specify identity file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.run = run;
+// ========== Help Information ==========
+function showHelp() {
+    console.log('zCloak.ai Agent-Owner Binding Tool');
+    console.log('');
+    console.log('Usage:');
+    console.log('  zcloak-ai bind prepare <user_principal>         Prepare binding and generate authentication URL');
+    console.log('  zcloak-ai bind check-passkey <user_principal>   Check if a principal has a registered passkey');
+    console.log('');
+    console.log('Options:');
+    console.log('  --identity=<pem_path>     Specify identity PEM file');
+    console.log('');
+    console.log('Flow:');
+    console.log('  1. Script checks if target principal has a registered passkey (pre-check)');
+    console.log('  2. Script calls agent_prepare_bond to get WebAuthn challenge');
+    console.log('  3. Script generates authentication URL');
+    console.log('  4. User opens the URL in browser and completes authentication with passkey');
+    console.log('');
+    console.log('Examples:');
+    console.log('  zcloak-ai bind prepare "57odc-ymip7-b7edu-aevpq-nu54m-q4paq-vsrtd-nlnmm-lkos3-d4h3t-7qe"');
+    console.log('  zcloak-ai bind check-passkey "57odc-ymip7-b7edu-aevpq-nu54m-q4paq-vsrtd-nlnmm-lkos3-d4h3t-7qe"');
+}
+// ========== Passkey Pre-check Helper ==========
+/**
+ * Check if a principal has a registered passkey via user_profile_get_by_principal.
+ * Returns true if the user has at least one passkey, false otherwise.
+ * Throws if the principal is not found in the registry.
+ */
+async function hasPasskey(session, userPrincipal) {
+    const actor = await session.getAnonymousRegistryActor();
+    const profile = await actor.user_profile_get_by_principal(userPrincipal);
+    // opt UserProfile — empty array means no profile found
+    if (!profile || profile.length === 0) {
+        throw new Error(`No user profile found for principal: ${userPrincipal}`);
+    }
+    const user = profile[0];
+    // passkey_name is a vec text — empty vec means no passkey registered
+    return user.passkey_name.length > 0;
+}
+// ========== Command Implementations ==========
+/** Check if a principal has a registered passkey (standalone command) */
+async function cmdCheckPasskey(session, userPrincipal) {
+    if (!userPrincipal) {
+        console.error('Error: user principal ID is required');
+        console.error('Usage: zcloak-ai bind check-passkey <user_principal>');
+        process.exit(1);
+    }
+    console.error('Checking passkey status...');
+    const result = await hasPasskey(session, userPrincipal);
+    if (result) {
+        console.log('Passkey registered: yes');
+        console.log('This principal is ready for agent binding.');
+    }
+    else {
+        console.log('Passkey registered: no');
+        console.log('');
+        console.log('This principal was created via OAuth and has no passkey yet.');
+        console.log('Please go to https://id.zcloak.xyz/setting and bind a passkey first.');
+    }
+}
+/** Prepare binding and generate authentication URL */
+async function cmdPrepare(session, userPrincipal) {
+    if (!userPrincipal) {
+        console.error('Error: user principal ID is required');
+        console.error('Usage: zcloak-ai bind prepare <user_principal>');
+        process.exit(1);
+    }
+    // Pre-check: ensure the target principal has a passkey before proceeding
+    console.error('Pre-check: verifying passkey status...');
+    const passkeyOk = await hasPasskey(session, userPrincipal);
+    if (!passkeyOk) {
+        console.error('Error: target principal has no passkey registered.');
+        console.error('This principal was created via OAuth and has no passkey yet.');
+        console.error('Please go to https://id.zcloak.xyz/setting and bind a passkey for this user first.');
+        process.exit(1);
+    }
+    console.error('Pre-check passed: passkey found.');
+    const bindBase = session.getBindUrl();
+    // Step 1: Call agent_prepare_bond (requires identity, update call)
+    console.error('Calling agent_prepare_bond...');
+    const actor = await session.getRegistryActor();
+    const result = await actor.agent_prepare_bond(userPrincipal);
+    // Check return result — variant { Ok: text } | { Err: text }
+    if ('Err' in result) {
+        console.error('Binding preparation failed:');
+        console.log(`(variant { Err = "${result.Err}" })`);
+        process.exit(1);
+    }
+    // Step 2: Extract JSON and generate URL
+    const authContent = result.Ok;
+    // Step 3: Build URL
+    const url = `${bindBase}?auth_content=${encodeURIComponent(authContent)}`;
+    console.log('');
+    console.log('=== Binding Authentication URL ===');
+    console.log('');
+    console.log(url);
+    console.log('');
+    console.log('Please open the URL above in your browser and complete authentication with passkey.');
+}
+// ========== Exported run() — called by cli.ts ==========
+/**
+ * Entry point when invoked via cli.ts.
+ * Receives a Session instance with pre-parsed arguments.
+ */
+async function run(session) {
+    const command = session.args._args[0];
+    try {
+        switch (command) {
+            case 'prepare':
+                await cmdPrepare(session, session.args._args[1]);
+                break;
+            case 'check-passkey':
+                await cmdCheckPasskey(session, session.args._args[1]);
+                break;
+            default:
+                showHelp();
+                if (command) {
+                    console.error(`\nUnknown command: ${command}`);
+                }
+                process.exit(1);
+        }
+    }
+    catch (err) {
+        console.error(`Operation failed: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=bind.js.map

package/dist/bind.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bind.js","sourceRoot":"","sources":["../src/bind.ts"],"names":[],"mappings":";;AACA;;;;;;;;;;;;;GAaG;;AA4HH,kBAsBC;AA9ID,yCAAyC;AACzC,SAAS,QAAQ;IACf,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,mGAAmG,CAAC,CAAC;IACjH,OAAO,CAAC,GAAG,CAAC,iGAAiG,CAAC,CAAC;IAC/G,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACxB,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACrB,OAAO,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;IAC3F,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;IAC9E,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IACxD,OAAO,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;IAC5F,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,4FAA4F,CAAC,CAAC;IAC1G,OAAO,CAAC,GAAG,CAAC,kGAAkG,CAAC,CAAC;AAClH,CAAC;AAED,iDAAiD;AAEjD;;;;GAIG;AACH,KAAK,UAAU,UAAU,CAAC,OAAgB,EAAE,aAAqB;IAC/D,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,yBAAyB,EAAE,CAAC;IACxD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,6BAA6B,CAAC,aAAa,CAAC,CAAC;IAEzE,uDAAuD;IACvD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,wCAAwC,aAAa,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;IACzB,qEAAqE;IACrE,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;AACtC,CAAC;AAED,gDAAgD;AAEhD,yEAAyE;AACzE,KAAK,UAAU,eAAe,CAAC,OAAgB,EAAE,aAAiC;IAChF,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAExD,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;QACvC,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;QAC5E,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;IACtF,CAAC;AACH,CAAC;AAED,sDAAsD;AACtD,KAAK,UAAU,UAAU,CAAC,OAAgB,EAAE,aAAiC;IAC3E,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,yEAAyE;IACzE,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACpE,OAAO,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAC9E,OAAO,CAAC,KAAK,CAAC,oFAAoF,CAAC,CAAC;QACpG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAElD,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAEtC,mEAAmE;IACnE,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;IAE7D,6DAA6D;IAC7D,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC;QACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,wCAAwC;IACxC,MAAM,WAAW,GAAG,MAAM,CAAC,EAAE,CAAC;IAE9B,oBAAoB;IACpB,MAAM,GAAG,GAAG,GAAG,QAAQ,iBAAiB,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC;IAE1E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACjB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,qFAAqF,CAAC,CAAC;AACrG,CAAC;AAED,0DAA0D;AAE1D;;;GAGG;AACI,KAAK,UAAU,GAAG,CAAC,OAAgB;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtC,IAAI,CAAC;QACH,QAAQ,OAAO,EAAE,CAAC;YAChB,KAAK,SAAS;gBACZ,MAAM,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjD,MAAM;YACR,KAAK,eAAe;gBAClB,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtD,MAAM;YACR;gBACE,QAAQ,EAAE,CAAC;gBACX,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;gBACjD,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,31 @@
+#!/usr/bin/env node
+/**
+ * zCloak.ai Agent CLI
+ *
+ * Unified command entry point. After installation, invoke via `zcloak-ai <module> <command> [args]`.
+ *
+ * Usage:
+ *   zcloak-ai identity <command> [args]   Identity key management (generate PEM, show principal)
+ *   zcloak-ai register <command> [args]   Registration management
+ *   zcloak-ai sign <command> [args]       Signing operations
+ *   zcloak-ai verify <command> [args]     Verification operations
+ *   zcloak-ai feed <command> [args]       Event queries
+ *   zcloak-ai bind <command> [args]       Agent-Owner binding
+ *   zcloak-ai doc <command> [args]        Document tools
+ *   zcloak-ai pow <base> <zeros>          PoW computation
+ *   zcloak-ai vetkey <command> [args]     VetKey encryption/decryption and daemon
+ *
+ * Architecture:
+ *   cli.ts creates a Session from a constructed sub-argv array and passes it
+ *   to the sub-script's run(session) function. This eliminates the previous
+ *   process.argv rewriting (global mutable state) while preserving the same
+ *   argument-parsing behavior in each sub-script.
+ *
+ * Examples:
+ *   zcloak-ai register get-principal
+ *   zcloak-ai sign post "Hello world!" --sub=web3
+ *   zcloak-ai feed counter
+ *   zcloak-ai verify file ./report.pdf
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.js

@@ -0,0 +1,126 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * zCloak.ai Agent CLI
+ *
+ * Unified command entry point. After installation, invoke via `zcloak-ai <module> <command> [args]`.
+ *
+ * Usage:
+ *   zcloak-ai identity <command> [args]   Identity key management (generate PEM, show principal)
+ *   zcloak-ai register <command> [args]   Registration management
+ *   zcloak-ai sign <command> [args]       Signing operations
+ *   zcloak-ai verify <command> [args]     Verification operations
+ *   zcloak-ai feed <command> [args]       Event queries
+ *   zcloak-ai bind <command> [args]       Agent-Owner binding
+ *   zcloak-ai doc <command> [args]        Document tools
+ *   zcloak-ai pow <base> <zeros>          PoW computation
+ *   zcloak-ai vetkey <command> [args]     VetKey encryption/decryption and daemon
+ *
+ * Architecture:
+ *   cli.ts creates a Session from a constructed sub-argv array and passes it
+ *   to the sub-script's run(session) function. This eliminates the previous
+ *   process.argv rewriting (global mutable state) while preserving the same
+ *   argument-parsing behavior in each sub-script.
+ *
+ * Examples:
+ *   zcloak-ai register get-principal
+ *   zcloak-ai sign post "Hello world!" --sub=web3
+ *   zcloak-ai feed counter
+ *   zcloak-ai verify file ./report.pdf
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const path_1 = __importDefault(require("path"));
+const session_1 = require("./session");
+/** Supported modules and their corresponding script files (compiled in dist/ directory) */
+const MODULES = {
+    identity: 'identity_cmd',
+    register: 'register',
+    sign: 'sign',
+    verify: 'verify',
+    feed: 'feed',
+    bind: 'bind',
+    delete: 'delete',
+    doc: 'doc',
+    pow: 'pow',
+    vetkey: 'vetkey',
+};
+function showHelp() {
+    console.log('zCloak.ai Agent CLI');
+    console.log('');
+    console.log('Usage: zcloak-ai <module> <command> [args] [options]');
+    console.log('');
+    console.log('Modules:');
+    console.log('  identity    Identity key management (generate, show)');
+    console.log('  register    Registration management (get-principal, lookup, register, ...)');
+    console.log('  sign        Signing operations (post, like, reply, profile, sign-file, ...)');
+    console.log('  verify      Verification operations (message, file, folder, profile)');
+    console.log('  feed        Event queries (counter, fetch)');
+    console.log('  bind        Agent-Owner binding (prepare, check-passkey)');
+    console.log('  delete      File deletion with 2FA verification (prepare, check, confirm)');
+    console.log('  doc         Document tools (manifest, verify-manifest, hash, info)');
+    console.log('  pow         PoW computation (<base_string> <zeros>)');
+    console.log('  vetkey      VetKey encryption/decryption (encrypt-sign, decrypt, serve, ...)');
+    console.log('');
+    console.log('Global options:');
+    console.log('  --identity=<pem_path>     Specify identity PEM file');
+    console.log('');
+    console.log('Examples:');
+    console.log('  zcloak-ai register get-principal');
+    console.log('  zcloak-ai sign post "Hello world!" --sub=web3 --tags=t:crypto');
+    console.log('  zcloak-ai feed counter');
+    console.log('  zcloak-ai verify file ./report.pdf');
+    console.log('  zcloak-ai doc hash ./report.pdf');
+    console.log('');
+    console.log('Module help:');
+    console.log('  zcloak-ai <module>     (run without command to show module help)');
+}
+/**
+ * CLI entry point.
+ *
+ * Instead of rewriting process.argv (global mutable state), we construct a
+ * synthetic sub-argv array that looks like what the sub-script would see if
+ * invoked directly, and pass it via a Session instance.
+ *
+ * Original process.argv: ['node', 'cli.js', 'register', 'get-principal']
+ * Constructed sub-argv:  ['node', 'register.js', 'get-principal']
+ *
+ * The Session constructor calls parseArgs(subArgv) which skips [0] and [1],
+ * so the sub-script receives the same parsed arguments as before.
+ */
+async function main() {
+    // Get module name (skip node and script path)
+    const moduleName = process.argv[2];
+    if (!moduleName || moduleName === '--help' || moduleName === '-h') {
+        showHelp();
+        process.exit(0);
+    }
+    // Find the corresponding script
+    const scriptFile = MODULES[moduleName];
+    if (!scriptFile) {
+        console.error(`Unknown module: ${moduleName}`);
+        console.error('');
+        console.error('Available modules: ' + Object.keys(MODULES).join(', '));
+        console.error('Run zcloak-ai --help for help');
+        process.exit(1);
+    }
+    // Construct sub-argv without mutating process.argv.
+    // Format: [node_binary, script_path, ...remaining_args]
+    // This preserves the same index layout that parseArgs() expects (skips first 2 elements).
+    const scriptPath = path_1.default.join(__dirname, scriptFile);
+    const subArgv = [process.argv[0], scriptPath, ...process.argv.slice(3)];
+    // Create a Session from the constructed argv
+    const session = new session_1.Session(subArgv);
+    // Load and execute sub-script's run() function.
+    // After compilation, __dirname points to dist/, sub-scripts are in the same directory.
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const mod = require(scriptPath);
+    await mod.run(session);
+}
+main().catch((err) => {
+    console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+});
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";;AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;;;;;AAEH,gDAAwB;AACxB,uCAAoC;AAEpC,2FAA2F;AAC3F,MAAM,OAAO,GAA2B;IACtC,QAAQ,EAAE,cAAc;IACxB,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;IACV,GAAG,EAAE,KAAK;IACV,MAAM,EAAE,QAAQ;CACjB,CAAC;AAEF,SAAS,QAAQ;IACf,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IACnC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IACpE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACxB,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;IACtE,OAAO,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;IAC5F,OAAO,CAAC,GAAG,CAAC,+EAA+E,CAAC,CAAC;IAC7F,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;IACtF,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;IAC3F,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;IACpF,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC;IAC9F,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC/B,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;AACpF,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,IAAI;IACjB,8CAA8C;IAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEnC,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;QAClE,QAAQ,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,gCAAgC;IAChC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,mBAAmB,UAAU,EAAE,CAAC,CAAC;QAC/C,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACvE,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oDAAoD;IACpD,wDAAwD;IACxD,0FAA0F;IAC1F,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAE,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAEzE,6CAA6C;IAC7C,MAAM,OAAO,GAAG,IAAI,iBAAO,CAAC,OAAO,CAAC,CAAC;IAErC,gDAAgD;IAChD,uFAAuF;IACvF,iEAAiE;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,MAAM,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;IAC5B,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC5E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,14 @@
+/**
+ * zCloak.ai Application Configuration
+ *
+ * Contains canister IDs and related URL configurations.
+ * All scripts obtain configuration through this file.
+ */
+import type { AppConfig, CanisterIds } from './types/config';
+declare const config: AppConfig;
+export default config;
+/**
+ * Get canister ID configuration.
+ */
+export declare function getCanisterIds(): CanisterIds;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.js

@@ -0,0 +1,34 @@
+"use strict";
+/**
+ * zCloak.ai Application Configuration
+ *
+ * Contains canister IDs and related URL configurations.
+ * All scripts obtain configuration through this file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCanisterIds = getCanisterIds;
+const config = {
+    // Canister IDs
+    canisterIds: {
+        registry: '3spie-caaaa-aaaam-ae3sa-cai', // Registry canister
+        signatures: 'zpbbm-piaaa-aaaaj-a3dsq-cai', // Signatures canister
+    },
+    // PoW required leading zeros count
+    pow_zeros: 5,
+    // Agent binding page URL
+    bind_url: 'https://id.zcloak.xyz/agent/bind',
+    // Agent profile page URL prefix
+    profile_url: 'https://id.zcloak.xyz/profile/',
+    // 2FA verification page URL
+    twofa_url: 'https://id.zcloak.xyz/agent/2fa',
+    // Event view page URL prefix (append event ID to form the full URL)
+    event_url: 'https://social.zcloak.xyz/post/',
+};
+exports.default = config;
+/**
+ * Get canister ID configuration.
+ */
+function getCanisterIds() {
+    return config.canisterIds;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AA2BH,wCAEC;AAzBD,MAAM,MAAM,GAAc;IACxB,eAAe;IACf,WAAW,EAAE;QACX,QAAQ,EAAE,6BAA6B,EAAK,oBAAoB;QAChE,UAAU,EAAE,6BAA6B,EAAG,sBAAsB;KACnE;IACD,mCAAmC;IACnC,SAAS,EAAE,CAAC;IACZ,yBAAyB;IACzB,QAAQ,EAAE,kCAAkC;IAC5C,gCAAgC;IAChC,WAAW,EAAE,gCAAgC;IAC7C,4BAA4B;IAC5B,SAAS,EAAE,iCAAiC;IAC5C,oEAAoE;IACpE,SAAS,EAAE,iCAAiC;CAC7C,CAAC;AAEF,kBAAe,MAAM,CAAC;AAEtB;;GAEG;AACH,SAAgB,cAAc;IAC5B,OAAO,MAAM,CAAC,WAAW,CAAC;AAC5B,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,113 @@
+/**
+ * Cryptographic Primitives for VetKey Operations
+ *
+ * Two categories of operations:
+ *
+ * 1. IBE (Identity-Based Encryption) — Uses @dfinity/vetkeys for BLS12-381 operations.
+ *    Used for per-operation Kind5 PrivatePost encryption.
+ *
+ * 2. AES-256-GCM — Uses Node.js built-in crypto module.
+ *    Used for daemon mode fast file encryption/decryption.
+ *    VKDA binary format: [magic "VKDA":4B][version:1B][nonce:12B][ciphertext+GCM tag]
+ *
+ * All formats are byte-level compatible with the Rust vetkey-tool implementation.
+ */
+import { TransportSecretKey } from '@dfinity/vetkeys';
+/**
+ * Generate an ephemeral transport key pair for secure VetKey delivery.
+ *
+ * The transport secret key is used to decrypt the EncryptedVetKey received
+ * from the canister. The public key is sent to the canister so it can
+ * encrypt the VetKey for this specific requester.
+ *
+ * @returns [transportSecretKey, transportPublicKeyBytes (48 bytes, compressed G1)]
+ */
+export declare function generateTransportKeypair(): [TransportSecretKey, Uint8Array];
+/**
+ * IBE-encrypt plaintext using the derived public key and identity string.
+ *
+ * Uses the Fujisaki-Okamoto transform internally (handled by @dfinity/vetkeys).
+ * Output format: [header:8B][C1:96B][C2:32B][C3:plaintext_len+16B] (152 bytes overhead)
+ *
+ * @param dpkBytes - IBE derived public key (96 bytes, compressed G2 point)
+ * @param ibeIdentity - IBE identity string (e.g. "{principal}:{hash}:{timestamp}")
+ * @param plaintext - Data to encrypt
+ * @returns IBE ciphertext bytes
+ */
+export declare function ibeEncrypt(dpkBytes: Uint8Array, ibeIdentity: string, plaintext: Uint8Array): Uint8Array;
+/**
+ * Full IBE decrypt: transport-decrypt VetKey, then IBE-decrypt ciphertext.
+ *
+ * Complete flow:
+ *   1. Deserialize EncryptedVetKey (192 bytes)
+ *   2. Transport-decrypt and verify BLS signature → VetKey
+ *   3. Deserialize IBE ciphertext
+ *   4. IBE-decrypt using VetKey → plaintext
+ *
+ * @param encryptedKeyBytes - Transport-encrypted VetKey (192 bytes)
+ * @param dpkBytes - IBE derived public key (96 bytes)
+ * @param ibeIdentity - IBE identity string
+ * @param ciphertextBytes - IBE ciphertext
+ * @param transportSecret - Transport secret key (for decrypting the VetKey)
+ * @returns Decrypted plaintext
+ */
+export declare function ibeDecrypt(encryptedKeyBytes: Uint8Array, dpkBytes: Uint8Array, ibeIdentity: string, ciphertextBytes: Uint8Array, transportSecret: TransportSecretKey): Uint8Array;
+/**
+ * Transport-decrypt an EncryptedVetKey and return raw VetKey bytes.
+ *
+ * Used by daemon mode to obtain the VetKey for AES-256 key derivation.
+ * The derivation ID serves as the IBE identity in this context.
+ *
+ * @param encryptedKeyBytes - Transport-encrypted VetKey (192 bytes)
+ * @param dpkBytes - IBE derived public key (96 bytes)
+ * @param derivationId - Derivation ID string (used as IBE identity)
+ * @param transportSecret - Transport secret key
+ * @returns Raw VetKey bytes (48 bytes, compressed G1 point)
+ */
+export declare function decryptVetkey(encryptedKeyBytes: Uint8Array, dpkBytes: Uint8Array, derivationId: string, transportSecret: TransportSecretKey): Uint8Array;
+/**
+ * Generate an IBE identity string for Kind5 PrivatePost.
+ *
+ * Format: "{principal}:{short_hash_16_hex}:{timestamp_ms}"
+ * - short_hash: first 16 hex chars of SHA-256(content)
+ * - timestamp_ms: current time in milliseconds
+ *
+ * Must match the Rust implementation exactly for cross-compatibility.
+ *
+ * @param principal - ICP principal text
+ * @param content - Content bytes to hash
+ * @returns IBE identity string
+ */
+export declare function makeIbeIdentity(principal: string, content: Uint8Array): string;
+/**
+ * Derive an AES-256 key from VetKey bytes using HKDF-SHA256.
+ *
+ * Domain separator: "vetkey-aes256-file-encryption" (must match Rust implementation)
+ *
+ * @param vetkeyBytes - Raw VetKey bytes (48 bytes, compressed G1 point)
+ * @returns AES-256 key (32 bytes)
+ */
+export declare function vetkeyToAes256(vetkeyBytes: Uint8Array): Buffer;
+/**
+ * Encrypt plaintext using AES-256-GCM in VKDA format.
+ *
+ * Output format: [magic "VKDA":4B][version 0x01:1B][nonce:12B][ciphertext+GCM tag]
+ * This format is byte-level compatible with the Rust vetkey-tool implementation.
+ *
+ * @param key - AES-256 key (32 bytes)
+ * @param plaintext - Data to encrypt
+ * @returns VKDA-formatted ciphertext
+ */
+export declare function aes256Encrypt(key: Buffer, plaintext: Uint8Array): Buffer;
+/**
+ * Decrypt VKDA-formatted ciphertext using AES-256-GCM.
+ *
+ * Validates the VKDA magic header and version, then performs
+ * authenticated GCM decryption.
+ *
+ * @param key - AES-256 key (32 bytes)
+ * @param data - VKDA-formatted ciphertext
+ * @returns Decrypted plaintext
+ */
+export declare function aes256Decrypt(key: Buffer, data: Uint8Array): Buffer;
+//# sourceMappingURL=crypto.d.ts.map