@zcloak/ai-agent 1.0.0 → 1.0.3

package/dist/verify.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-"use strict";
 /**
  * zCloak.ai Verification Tool
  *
@@ -15,14 +14,9 @@
  *
  * All commands support --identity=<pem_path> to specify identity file.
  */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.run = run;
-const fs_1 = __importDefault(require("fs"));
-const path_1 = __importDefault(require("path"));
-const utils_1 = require("./utils");
+import fs from 'fs';
+import path from 'path';
+import { hashFile, verifyManifestEntries, formatSignEvent, formatSignEvents, } from './utils.js';
 // ========== Help Information ==========
 function showHelp() {
     console.log('zCloak.ai Verification Tool');
@@ -86,7 +80,7 @@ async function cmdVerifyMessage(session, content) {
     }
     const actor = await session.getAnonymousSignActor();
     const events = await actor.verify_message(content);
-    console.log((0, utils_1.formatSignEvents)(events));
+    console.log(formatSignEvents(events));
     await resolveSigners(session, events);
 }
 /** Verify single file signature */
@@ -95,19 +89,19 @@ async function cmdVerifyFile(session, filePath) {
         console.error('Error: file path is required');
         process.exit(1);
     }
-    if (!fs_1.default.existsSync(filePath)) {
+    if (!fs.existsSync(filePath)) {
         console.error(`Error: file does not exist: ${filePath}`);
         process.exit(1);
     }
     // Compute file hash
-    const fileHash = (0, utils_1.hashFile)(filePath);
-    console.log(`File: ${path_1.default.basename(filePath)}`);
+    const fileHash = hashFile(filePath);
+    console.log(`File: ${path.basename(filePath)}`);
     console.log(`SHA256: ${fileHash}`);
     console.log('');
     // On-chain verification
     const actor = await session.getAnonymousSignActor();
     const events = await actor.verify_file_hash(fileHash);
-    console.log((0, utils_1.formatSignEvents)(events));
+    console.log(formatSignEvents(events));
     await resolveSigners(session, events);
 }
 /** Verify folder signature (MANIFEST.sha256) */
@@ -116,19 +110,19 @@ async function cmdVerifyFolder(session, folderPath) {
         console.error('Error: folder path is required');
         process.exit(1);
     }
-    if (!fs_1.default.existsSync(folderPath) || !fs_1.default.statSync(folderPath).isDirectory()) {
+    if (!fs.existsSync(folderPath) || !fs.statSync(folderPath).isDirectory()) {
         console.error(`Error: directory does not exist: ${folderPath}`);
         process.exit(1);
     }
-    const manifestPath = path_1.default.join(folderPath, 'MANIFEST.sha256');
-    if (!fs_1.default.existsSync(manifestPath)) {
+    const manifestPath = path.join(folderPath, 'MANIFEST.sha256');
+    if (!fs.existsSync(manifestPath)) {
         console.error(`Error: MANIFEST.sha256 not found: ${manifestPath}`);
         process.exit(1);
     }
     // Step 1: Local file integrity verification using shared MANIFEST parser
     console.log('=== Step 1: Local File Integrity Verification ===');
-    const manifestContent = fs_1.default.readFileSync(manifestPath, 'utf-8');
-    const results = (0, utils_1.verifyManifestEntries)(manifestContent, folderPath);
+    const manifestContent = fs.readFileSync(manifestPath, 'utf-8');
+    const results = verifyManifestEntries(manifestContent, folderPath);
     let allPassed = true;
     for (const r of results) {
         if (r.passed) {
@@ -147,11 +141,11 @@ async function cmdVerifyFolder(session, folderPath) {
     console.log('\nLocal verification passed!');
     // Step 2: Compute MANIFEST hash and verify on-chain
     console.log('\n=== Step 2: On-chain Signature Verification ===');
-    const manifestHash = (0, utils_1.hashFile)(manifestPath);
+    const manifestHash = hashFile(manifestPath);
     console.log(`MANIFEST SHA256: ${manifestHash}`);
     const actor = await session.getAnonymousSignActor();
     const events = await actor.verify_file_hash(manifestHash);
-    console.log((0, utils_1.formatSignEvents)(events));
+    console.log(formatSignEvents(events));
     await resolveSigners(session, events);
 }
 /** Query Kind 1 identity profile */
@@ -164,7 +158,7 @@ async function cmdVerifyProfile(session, principal) {
     const result = await actor.get_kind1_event_by_principal(principal);
     // opt SignEvent → formatted output
     if (result && result.length > 0) {
-        console.log(`(opt ${(0, utils_1.formatSignEvent)(result[0])})`);
+        console.log(`(opt ${formatSignEvent(result[0])})`);
     }
     else {
         console.log('(null)');
@@ -175,7 +169,7 @@ async function cmdVerifyProfile(session, principal) {
  * Entry point when invoked via cli.ts.
  * Receives a Session instance with pre-parsed arguments.
  */
-async function run(session) {
+export async function run(session) {
     const command = session.args._args[0];
     try {
         switch (command) {

package/dist/verify.js.map

@@ -1 +1 @@
-{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";;AACA;;;;;;;;;;;;;;GAcG;;;;;AA+LH,kBA4BC;AAzND,4CAAoB;AACpB,gDAAwB;AACxB,mCAKiB;AAIjB,yCAAyC;AACzC,SAAS,QAAQ;IACf,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;IACxF,OAAO,CAAC,GAAG,CAAC,uFAAuF,CAAC,CAAC;IACrG,OAAO,CAAC,GAAG,CAAC,2EAA2E,CAAC,CAAC;IACzF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,cAAc,CAAC,OAAgB,EAAE,MAAmB;IACjE,MAAM,WAAW,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAE5C,4BAA4B;IAC5B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,yBAAyB,EAAE,CAAC;IAExD,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;QAE1C,mBAAmB;QACnB,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC;YAE/D,IAAI,UAAU,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxC,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,eAAe,QAAQ,EAAE,CAAC,CAAC;gBACvC,OAAO,CAAC,GAAG,CAAC,gBAAgB,WAAW,GAAG,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC5E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;AACH,CAAC;AAED,gDAAgD;AAEhD,6BAA6B;AAC7B,KAAK,UAAU,gBAAgB,CAAC,OAAgB,EAAE,OAA2B;IAC3E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IAEnD,OAAO,CAAC,GAAG,CAAC,IAAA,wBAAgB,EAAC,MAAM,CAAC,CAAC,CAAC;IACtC,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACxC,CAAC;AAED,mCAAmC;AACnC,KAAK,UAAU,aAAa,CAAC,OAAgB,EAAE,QAA4B;IACzE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,MAAM,QAAQ,GAAG,IAAA,gBAAQ,EAAC,QAAQ,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,SAAS,cAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,WAAW,QAAQ,EAAE,CAAC,CAAC;IACnC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,wBAAwB;IACxB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAEtD,OAAO,CAAC,GAAG,CAAC,IAAA,wBAAgB,EAAC,MAAM,CAAC,CAAC,CAAC;IACtC,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACxC,CAAC;AAED,gDAAgD;AAChD,KAAK,UAAU,eAAe,CAAC,OAAgB,EAAE,UAA8B;IAC7E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,YAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QACzE,OAAO,CAAC,KAAK,CAAC,oCAAoC,UAAU,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,YAAY,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IAC9D,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,qCAAqC,YAAY,EAAE,CAAC,CAAC;QACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,yEAAyE;IACzE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,MAAM,eAAe,GAAG,YAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,IAAA,6BAAqB,EAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAEnE,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,YAAY,GAAG,MAAM,EAAE,CAAC,CAAC;YAClD,SAAS,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,iEAAiE,CAAC,CAAC;QACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAE5C,oDAAoD;IACpD,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,IAAA,gBAAQ,EAAC,YAAY,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,oBAAoB,YAAY,EAAE,CAAC,CAAC;IAEhD,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;IAE1D,OAAO,CAAC,GAAG,CAAC,IAAA,wBAAgB,EAAC,MAAM,CAAC,CAAC,CAAC;IACtC,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACxC,CAAC;AAED,oCAAoC;AACpC,KAAK,UAAU,gBAAgB,CAAC,OAAgB,EAAE,SAA6B;IAC7E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC;IAEnE,mCAAmC;IACnC,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAA,uBAAe,EAAC,MAAM,CAAC,CAAC,CAAE,CAAC,GAAG,CAAC,CAAC;IACtD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACxB,CAAC;AACH,CAAC;AAED,0DAA0D;AAE1D;;;GAGG;AACI,KAAK,UAAU,GAAG,CAAC,OAAgB;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtC,IAAI,CAAC;QACH,QAAQ,OAAO,EAAE,CAAC;YAChB,KAAK,SAAS;gBACZ,MAAM,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvD,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpD,MAAM;YACR,KAAK,QAAQ;gBACX,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtD,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvD,MAAM;YACR;gBACE,QAAQ,EAAE,CAAC;gBACX,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;gBACjD,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EACL,QAAQ,EACR,qBAAqB,EACrB,eAAe,EACf,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAIpB,yCAAyC;AACzC,SAAS,QAAQ;IACf,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;IACxF,OAAO,CAAC,GAAG,CAAC,uFAAuF,CAAC,CAAC;IACrG,OAAO,CAAC,GAAG,CAAC,2EAA2E,CAAC,CAAC;IACzF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,cAAc,CAAC,OAAgB,EAAE,MAAmB;IACjE,MAAM,WAAW,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAE5C,4BAA4B;IAC5B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,yBAAyB,EAAE,CAAC;IAExD,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;QAE1C,mBAAmB;QACnB,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC;YAE/D,IAAI,UAAU,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxC,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,eAAe,QAAQ,EAAE,CAAC,CAAC;gBACvC,OAAO,CAAC,GAAG,CAAC,gBAAgB,WAAW,GAAG,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAC5E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;AACH,CAAC;AAED,gDAAgD;AAEhD,6BAA6B;AAC7B,KAAK,UAAU,gBAAgB,CAAC,OAAgB,EAAE,OAA2B;IAC3E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IAEnD,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;IACtC,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACxC,CAAC;AAED,mCAAmC;AACnC,KAAK,UAAU,aAAa,CAAC,OAAgB,EAAE,QAA4B;IACzE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,WAAW,QAAQ,EAAE,CAAC,CAAC;IACnC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,wBAAwB;IACxB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAEtD,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;IACtC,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACxC,CAAC;AAED,gDAAgD;AAChD,KAAK,UAAU,eAAe,CAAC,OAAgB,EAAE,UAA8B;IAC7E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QACzE,OAAO,CAAC,KAAK,CAAC,oCAAoC,UAAU,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IAC9D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,qCAAqC,YAAY,EAAE,CAAC,CAAC;QACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,yEAAyE;IACzE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,MAAM,eAAe,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,qBAAqB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAEnE,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,YAAY,GAAG,MAAM,EAAE,CAAC,CAAC;YAClD,SAAS,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,iEAAiE,CAAC,CAAC;QACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAE5C,oDAAoD;IACpD,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,oBAAoB,YAAY,EAAE,CAAC,CAAC;IAEhD,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;IAE1D,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;IACtC,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACxC,CAAC;AAED,oCAAoC;AACpC,KAAK,UAAU,gBAAgB,CAAC,OAAgB,EAAE,SAA6B;IAC7E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,4BAA4B,CAAC,SAAS,CAAC,CAAC;IAEnE,mCAAmC;IACnC,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,OAAO,CAAC,GAAG,CAAC,QAAQ,eAAe,CAAC,MAAM,CAAC,CAAC,CAAE,CAAC,GAAG,CAAC,CAAC;IACtD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACxB,CAAC;AACH,CAAC;AAED,0DAA0D;AAE1D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,GAAG,CAAC,OAAgB;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtC,IAAI,CAAC;QACH,QAAQ,OAAO,EAAE,CAAC;YAChB,KAAK,SAAS;gBACZ,MAAM,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvD,MAAM;YACR,KAAK,MAAM;gBACT,MAAM,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpD,MAAM;YACR,KAAK,QAAQ;gBACX,MAAM,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtD,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvD,MAAM;YACR;gBACE,QAAQ,EAAE,CAAC;gBACX,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;gBACjD,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/vetkey.d.ts

@@ -13,10 +13,14 @@
  *   serve           Start daemon (UDS or stdio mode)
  *   stop            Stop a running daemon
  *   status          Query daemon status
+ *   grant           Grant Kind5 decryption access to another user
+ *   revoke          Revoke an access grant
+ *   grants-out      List grants issued by the caller (as grantor)
+ *   grants-in       List grants received by the caller (as grantee)
  *
  * Usage: zcloak-ai vetkey <sub-command> [options]
  */
-import type { Session } from './session';
+import type { Session } from './session.js';
 /**
  * Run the vetkey sub-command.
  * Follows the same pattern as other CLI modules (sign.ts, verify.ts, etc.).

package/dist/vetkey.js

@@ -1,4 +1,3 @@
-"use strict";
 /**
  * VetKey CLI Module — VetKey IBE encryption/decryption and daemon management
  *
@@ -14,52 +13,22 @@
  *   serve           Start daemon (UDS or stdio mode)
  *   stop            Stop a running daemon
  *   status          Query daemon status
+ *   grant           Grant Kind5 decryption access to another user
+ *   revoke          Revoke an access grant
+ *   grants-out      List grants issued by the caller (as grantor)
+ *   grants-in       List grants received by the caller (as grantee)
  *
  * Usage: zcloak-ai vetkey <sub-command> [options]
  */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.run = run;
-const fs_1 = require("fs");
-const net_1 = require("net");
-const readline_1 = require("readline");
-const cryptoOps = __importStar(require("./crypto"));
-const key_store_1 = require("./key-store");
-const serve_1 = require("./serve");
-const daemon_1 = require("./daemon");
-const error_1 = require("./error");
+import { readFileSync, writeFileSync } from 'fs';
+import { createConnection } from 'net';
+import { createInterface } from 'readline';
+import { Principal } from '@dfinity/principal';
+import * as cryptoOps from './crypto.js';
+import { KeyStore } from './key-store.js';
+import { runDaemonUds, runDaemonStdio } from './serve.js';
+import { findRunningDaemon } from './daemon.js';
+import { canisterCallError } from './error.js';
 // ============================================================================
 // Module Entry Point
 // ============================================================================
@@ -69,7 +38,7 @@ const error_1 = require("./error");
  *
  * @param session - CLI session with parsed args and canister access
  */
-async function run(session) {
+export async function run(session) {
     const command = session.args._args[0];
     switch (command) {
         case 'encrypt-sign':
@@ -93,6 +62,18 @@ async function run(session) {
         case 'status':
             await cmdStatus(session);
             break;
+        case 'grant':
+            await cmdGrant(session);
+            break;
+        case 'revoke':
+            await cmdRevoke(session);
+            break;
+        case 'grants-out':
+            await cmdGrantsOut(session);
+            break;
+        case 'grants-in':
+            await cmdGrantsIn(session);
+            break;
         default:
             showHelp();
             process.exit(command ? 1 : 0);
@@ -114,17 +95,27 @@ function showHelp() {
     console.log('  stop            Stop a running daemon');
     console.log('  status          Query daemon status');
     console.log('');
+    console.log('Kind5 Access Control:');
+    console.log('  grant           Grant decryption access to another user');
+    console.log('  revoke          Revoke an access grant');
+    console.log('  grants-out      List grants you issued (as grantor)');
+    console.log('  grants-in       List grants you received (as grantee)');
+    console.log('');
     console.log('Options:');
-    console.log('  --text=<content>     Plaintext to encrypt');
-    console.log('  --file=<path>        File to encrypt');
-    console.log('  --event-id=<id>      Event ID for decryption');
-    console.log('  --output=<path>      Output file path');
-    console.log('  --key-name=<name>    Daemon key name (default: "default")');
-    console.log('  --stdio              Use stdin/stdout mode for daemon');
-    console.log('  --public-key=<hex>   IBE public key for offline encryption');
-    console.log('  --ibe-identity=<id>  IBE identity for offline encryption');
-    console.log('  --tags=<json>        Tags as JSON array');
-    console.log('  --json               Output in JSON format');
+    console.log('  --text=<content>        Plaintext to encrypt');
+    console.log('  --file=<path>           File to encrypt');
+    console.log('  --event-id=<id>         Event ID for decryption');
+    console.log('  --output=<path>         Output file path');
+    console.log('  --key-name=<name>       Daemon key name (default: "default")');
+    console.log('  --stdio                 Use stdin/stdout mode for daemon');
+    console.log('  --public-key=<hex>      IBE public key for offline encryption');
+    console.log('  --ibe-identity=<id>     IBE identity for offline encryption');
+    console.log('  --tags=<json>           Tags as JSON array');
+    console.log('  --json                  Output in JSON format');
+    console.log('  --grantee=<principal>   Grantee principal (for grant)');
+    console.log('  --event-ids=<id1,id2>   Event IDs to authorize (for grant, empty=all)');
+    console.log('  --duration=<dur>        Grant duration: 30d, 1y, permanent (for grant)');
+    console.log('  --grant-id=<id>         Grant ID (for revoke)');
 }
 // ============================================================================
 // Command Implementations
@@ -165,7 +156,7 @@ async function cmdEncryptSign(session) {
         dpkBytes = new Uint8Array(result);
     }
     catch (e) {
-        throw (0, error_1.canisterCallError)(`get_ibe_public_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
+        throw canisterCallError(`get_ibe_public_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
     }
     // Step 2: Generate IBE identity
     const ibeIdentity = cryptoOps.makeIbeIdentity(principal, plaintext);
@@ -183,7 +174,7 @@ async function cmdEncryptSign(session) {
         });
     }
     catch (e) {
-        throw (0, error_1.canisterCallError)(`sign Kind5PrivatePost failed: ${e instanceof Error ? e.message : String(e)}`, e);
+        throw canisterCallError(`sign Kind5PrivatePost failed: ${e instanceof Error ? e.message : String(e)}`, e);
     }
     // Step 5: Output
     if (jsonOutput) {
@@ -225,7 +216,7 @@ async function cmdDecrypt(session) {
         dpkBytes = new Uint8Array(result);
     }
     catch (e) {
-        throw (0, error_1.canisterCallError)(`get_ibe_public_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
+        throw canisterCallError(`get_ibe_public_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
     }
     // Request decryption package from canister
     let pkg;
@@ -238,13 +229,13 @@ async function cmdDecrypt(session) {
         };
     }
     catch (e) {
-        throw (0, error_1.canisterCallError)(`get_kind5_decryption_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
+        throw canisterCallError(`get_kind5_decryption_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
     }
     // Full decrypt
     const plaintext = cryptoOps.ibeDecrypt(pkg.encrypted_key, dpkBytes, pkg.ibe_identity, pkg.ciphertext, transportSecret);
     // Output
     if (output) {
-        (0, fs_1.writeFileSync)(output, plaintext);
+        writeFileSync(output, plaintext);
         if (jsonOutput) {
             console.log(JSON.stringify({
                 event_id: eventId,
@@ -302,7 +293,7 @@ async function cmdEncryptOnly(session) {
             dpkBytes = new Uint8Array(result);
         }
         catch (e) {
-            throw (0, error_1.canisterCallError)(`get_ibe_public_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
+            throw canisterCallError(`get_ibe_public_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
         }
     }
     const ibeIdentity = ibeIdentityOverride ?? cryptoOps.makeIbeIdentity(principalText, plaintext);
@@ -336,7 +327,7 @@ async function cmdGetPubkey(session) {
         dpkBytes = new Uint8Array(result);
     }
     catch (e) {
-        throw (0, error_1.canisterCallError)(`get_ibe_public_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
+        throw canisterCallError(`get_ibe_public_key failed: ${e instanceof Error ? e.message : String(e)}`, e);
     }
     if (jsonOutput) {
         console.log(JSON.stringify({
@@ -372,13 +363,13 @@ async function cmdServe(session) {
     }
     // Derive AES-256 key from VetKey via the sign actor
     console.error(`Deriving AES-256 key from VetKey (derivation_id: ${derivationId})...`);
-    const keyStore = await key_store_1.KeyStore.deriveFromActor(actor, derivationId);
+    const keyStore = await KeyStore.deriveFromActor(actor, derivationId);
     console.error("Key derived successfully. Starting JSON-RPC daemon...");
     if (stdio) {
-        await (0, serve_1.runDaemonStdio)(keyStore, principal, derivationId);
+        await runDaemonStdio(keyStore, principal, derivationId);
     }
     else {
-        await (0, serve_1.runDaemonUds)(keyStore, principal, derivationId);
+        await runDaemonUds(keyStore, principal, derivationId);
     }
 }
 /**
@@ -390,7 +381,7 @@ async function cmdStop(session) {
     const jsonOutput = !!args['json'];
     const principal = session.getPrincipal();
     const derivationId = `${principal}:${keyName}`;
-    const sockPath = (0, daemon_1.findRunningDaemon)(derivationId);
+    const sockPath = findRunningDaemon(derivationId);
     // Connect to socket and send shutdown
     const response = await sendRpcToSocket(sockPath, {
         id: 1,
@@ -412,7 +403,7 @@ async function cmdStatus(session) {
     const jsonOutput = !!args['json'];
     const principal = session.getPrincipal();
     const derivationId = `${principal}:${keyName}`;
-    const sockPath = (0, daemon_1.findRunningDaemon)(derivationId);
+    const sockPath = findRunningDaemon(derivationId);
     // Connect to socket and send status
     const response = await sendRpcToSocket(sockPath, {
         id: 1,
@@ -452,7 +443,7 @@ function readInput(text, file) {
     if (text)
         return new TextEncoder().encode(text);
     if (file)
-        return (0, fs_1.readFileSync)(file);
+        return readFileSync(file);
     throw new Error("Either --text or --file must be provided");
 }
 /**
@@ -461,12 +452,12 @@ function readInput(text, file) {
  */
 function sendRpcToSocket(socketPath, request) {
     return new Promise((resolve, reject) => {
-        const conn = (0, net_1.createConnection)(socketPath);
+        const conn = createConnection(socketPath);
         let responded = false;
         conn.on("connect", () => {
             conn.write(JSON.stringify(request) + "\n");
         });
-        const rl = (0, readline_1.createInterface)({ input: conn });
+        const rl = createInterface({ input: conn });
         rl.on("line", (line) => {
             if (!responded) {
                 responded = true;
@@ -504,4 +495,249 @@ function sendRpcToSocket(socketPath, request) {
         }, 10000);
     });
 }
+/**
+ * Parse a human-readable duration string into nanoseconds.
+ *
+ * Supported formats:
+ *   - "permanent" or "perm" → undefined (no expiration)
+ *   - "<number>d" → days
+ *   - "<number>h" → hours
+ *   - "<number>y" → years (365 days)
+ *   - "<number>m" → months (30 days)
+ *   - plain number → treated as seconds
+ *
+ * @returns bigint nanoseconds, or undefined for permanent
+ */
+function parseDuration(input) {
+    const s = input.trim().toLowerCase();
+    if (s === 'permanent' || s === 'perm')
+        return undefined;
+    const NS_PER_SEC = 1000000000n;
+    const match = s.match(/^(\d+)\s*([dhmy]?)$/);
+    if (!match)
+        throw new Error(`Invalid duration format: "${input}". Use e.g. 30d, 24h, 1y, permanent`);
+    const num = BigInt(match[1]);
+    const unit = match[2] || 's';
+    switch (unit) {
+        case 'h': return num * 3600n * NS_PER_SEC;
+        case 'd': return num * 86400n * NS_PER_SEC;
+        case 'm': return num * 30n * 86400n * NS_PER_SEC;
+        case 'y': return num * 365n * 86400n * NS_PER_SEC;
+        case 's': return num * NS_PER_SEC;
+        default: throw new Error(`Unknown duration unit: ${unit}`);
+    }
+}
+/**
+ * Format a nanosecond timestamp to a human-readable date string.
+ * Returns "permanent" for u64::MAX.
+ */
+function formatNsTimestamp(ns) {
+    // u64::MAX = 18446744073709551615
+    if (ns >= 18446744073709551615n)
+        return 'permanent';
+    const ms = Number(ns / 1000000n);
+    return new Date(ms).toISOString();
+}
+// ============================================================================
+// Kind5 Access Control Commands
+// ============================================================================
+/**
+ * grant: Authorize another user to decrypt your Kind5 encrypted posts.
+ *
+ * Options:
+ *   --grantee=<principal>   (required) Recipient's principal ID
+ *   --event-ids=<id1,id2>   (optional) Specific event IDs to authorize; empty = all Kind5 posts
+ *   --duration=<dur>        (optional) Duration: 30d, 1y, permanent (default: permanent)
+ *   --json                  Output in JSON format
+ */
+async function cmdGrant(session) {
+    const args = session.args;
+    const granteePrincipal = args['grantee'];
+    const eventIdsStr = args['event-ids'];
+    const durationStr = args['duration'];
+    const jsonOutput = !!args['json'];
+    if (!granteePrincipal) {
+        throw new Error('--grantee=<principal> is required');
+    }
+    // Validate grantee is a valid principal
+    let grantee;
+    try {
+        grantee = Principal.fromText(granteePrincipal);
+    }
+    catch {
+        throw new Error(`Invalid grantee principal: "${granteePrincipal}"`);
+    }
+    // Parse event IDs (comma-separated, empty list = all Kind5 posts)
+    const eventIds = eventIdsStr
+        ? eventIdsStr.split(',').map(id => id.trim()).filter(Boolean)
+        : [];
+    // Parse duration (default: permanent)
+    const durationNs = durationStr ? parseDuration(durationStr) : undefined;
+    // Candid opt: [bigint] when present, [] when None (permanent)
+    const durationOpt = durationNs !== undefined ? [durationNs] : [];
+    const actor = await session.getSignActor();
+    let result;
+    try {
+        result = await actor.grant_kind5_access({
+            grantee,
+            event_ids: eventIds,
+            duration_ns: durationOpt,
+        });
+    }
+    catch (e) {
+        throw canisterCallError(`grant_kind5_access failed: ${e instanceof Error ? e.message : String(e)}`, e);
+    }
+    if ('Err' in result) {
+        throw new Error(`Grant failed: ${result.Err}`);
+    }
+    const grantId = result.Ok;
+    if (jsonOutput) {
+        console.log(JSON.stringify({
+            grant_id: grantId.toString(),
+            grantee: granteePrincipal,
+            event_ids: eventIds,
+            scope: eventIds.length === 0 ? 'all_kind5_posts' : 'specific_events',
+            duration: durationStr || 'permanent',
+        }));
+    }
+    else {
+        console.log('Kind5 access granted successfully!');
+        console.log(`  Grant ID:  ${grantId}`);
+        console.log(`  Grantee:   ${granteePrincipal}`);
+        console.log(`  Scope:     ${eventIds.length === 0 ? 'All Kind5 posts' : `${eventIds.length} specific event(s)`}`);
+        console.log(`  Duration:  ${durationStr || 'permanent'}`);
+        if (eventIds.length > 0) {
+            console.log(`  Event IDs: ${eventIds.join(', ')}`);
+        }
+    }
+}
+/**
+ * revoke: Revoke an access grant by grant ID.
+ *
+ * Options:
+ *   --grant-id=<id>   (required) The grant ID to revoke
+ *   --json            Output in JSON format
+ */
+async function cmdRevoke(session) {
+    const args = session.args;
+    const grantIdStr = args['grant-id'];
+    const jsonOutput = !!args['json'];
+    if (!grantIdStr) {
+        throw new Error('--grant-id=<id> is required');
+    }
+    let grantId;
+    try {
+        grantId = BigInt(grantIdStr);
+    }
+    catch {
+        throw new Error(`Invalid grant ID: "${grantIdStr}" (must be a number)`);
+    }
+    const actor = await session.getSignActor();
+    let result;
+    try {
+        result = await actor.revoke_kind5_access(grantId);
+    }
+    catch (e) {
+        throw canisterCallError(`revoke_kind5_access failed: ${e instanceof Error ? e.message : String(e)}`, e);
+    }
+    if ('Err' in result) {
+        throw new Error(`Revoke failed: ${result.Err}`);
+    }
+    if (jsonOutput) {
+        console.log(JSON.stringify({ grant_id: grantIdStr, revoked: true }));
+    }
+    else {
+        console.log(`Grant ${grantIdStr} revoked successfully.`);
+    }
+}
+/**
+ * grants-out: List all active grants issued by the caller (as grantor).
+ */
+async function cmdGrantsOut(session) {
+    const jsonOutput = !!session.args['json'];
+    const actor = await session.getSignActor();
+    let grants;
+    try {
+        grants = await actor.get_kind5_grants_by_grantor();
+    }
+    catch (e) {
+        throw canisterCallError(`get_kind5_grants_by_grantor failed: ${e instanceof Error ? e.message : String(e)}`, e);
+    }
+    if (jsonOutput) {
+        console.log(JSON.stringify(formatGrantsForJson(grants)));
+    }
+    else {
+        printGrants(grants, 'issued');
+    }
+}
+/**
+ * grants-in: List all active grants received by the caller (as grantee).
+ */
+async function cmdGrantsIn(session) {
+    const jsonOutput = !!session.args['json'];
+    const actor = await session.getSignActor();
+    let grants;
+    try {
+        grants = await actor.get_kind5_grants_by_grantee();
+    }
+    catch (e) {
+        throw canisterCallError(`get_kind5_grants_by_grantee failed: ${e instanceof Error ? e.message : String(e)}`, e);
+    }
+    if (jsonOutput) {
+        console.log(JSON.stringify(formatGrantsForJson(grants)));
+    }
+    else {
+        printGrants(grants, 'received');
+    }
+}
+/**
+ * Format grant records for JSON output.
+ * Converts bigint fields to strings for JSON serialization.
+ */
+function formatGrantsForJson(grants) {
+    return grants.map(g => ({
+        grant_id: g.grant_id.toString(),
+        grantor: g.grantor.toText(),
+        grantee: g.grantee.toText(),
+        event_ids: g.event_ids,
+        scope: g.event_ids.length === 0 ? 'all_kind5_posts' : 'specific_events',
+        created_at: g.created_at.toString(),
+        expires_at: g.expires_at.toString(),
+        expires_at_human: formatNsTimestamp(g.expires_at),
+        status: 'Active' in g.status ? 'Active' : 'Revoked',
+    }));
+}
+/**
+ * Print grant records in human-readable table format.
+ * @param grants - Array of AccessGrant records from canister
+ * @param direction - "issued" (grants-out) or "received" (grants-in)
+ */
+function printGrants(grants, direction) {
+    if (grants.length === 0) {
+        console.log(`No Kind5 access grants ${direction}.`);
+        return;
+    }
+    console.log(`Kind5 access grants ${direction} (${grants.length} total):`);
+    console.log('');
+    for (const g of grants) {
+        const scope = g.event_ids.length === 0
+            ? 'All Kind5 posts'
+            : `${g.event_ids.length} event(s)`;
+        const peer = direction === 'issued'
+            ? `Grantee: ${g.grantee.toText()}`
+            : `Grantor: ${g.grantor.toText()}`;
+        console.log(`  [Grant #${g.grant_id}]`);
+        console.log(`    ${peer}`);
+        console.log(`    Scope:      ${scope}`);
+        console.log(`    Expires:    ${formatNsTimestamp(g.expires_at)}`);
+        console.log(`    Created:    ${formatNsTimestamp(g.created_at)}`);
+        if (g.event_ids.length > 0 && g.event_ids.length <= 5) {
+            console.log(`    Event IDs:  ${g.event_ids.join(', ')}`);
+        }
+        else if (g.event_ids.length > 5) {
+            console.log(`    Event IDs:  ${g.event_ids.slice(0, 5).join(', ')} ... (+${g.event_ids.length - 5} more)`);
+        }
+        console.log('');
+    }
+}
 //# sourceMappingURL=vetkey.js.map