@zcloak/ai-agent 1.0.0

package/dist/crypto.js

@@ -0,0 +1,252 @@
+"use strict";
+/**
+ * Cryptographic Primitives for VetKey Operations
+ *
+ * Two categories of operations:
+ *
+ * 1. IBE (Identity-Based Encryption) — Uses @dfinity/vetkeys for BLS12-381 operations.
+ *    Used for per-operation Kind5 PrivatePost encryption.
+ *
+ * 2. AES-256-GCM — Uses Node.js built-in crypto module.
+ *    Used for daemon mode fast file encryption/decryption.
+ *    VKDA binary format: [magic "VKDA":4B][version:1B][nonce:12B][ciphertext+GCM tag]
+ *
+ * All formats are byte-level compatible with the Rust vetkey-tool implementation.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateTransportKeypair = generateTransportKeypair;
+exports.ibeEncrypt = ibeEncrypt;
+exports.ibeDecrypt = ibeDecrypt;
+exports.decryptVetkey = decryptVetkey;
+exports.makeIbeIdentity = makeIbeIdentity;
+exports.vetkeyToAes256 = vetkeyToAes256;
+exports.aes256Encrypt = aes256Encrypt;
+exports.aes256Decrypt = aes256Decrypt;
+const crypto_1 = __importDefault(require("crypto"));
+const vetkeys_1 = require("@dfinity/vetkeys");
+const error_1 = require("./error");
+// ============================================================================
+// Constants
+// ============================================================================
+/** VKDA magic header bytes ("VKDA" in ASCII) */
+const AES_DAEMON_MAGIC = Buffer.from([0x56, 0x4b, 0x44, 0x41]);
+/** VKDA format version */
+const AES_DAEMON_VERSION = 0x01;
+/** AES-256-GCM nonce size in bytes */
+const AES_GCM_NONCE_BYTES = 12;
+/** AES-256-GCM authentication tag size in bytes */
+const AES_GCM_TAG_BYTES = 16;
+/** VKDA header overhead: magic(4) + version(1) + nonce(12) + tag(16) = 33 bytes */
+const VKDA_OVERHEAD = 4 + 1 + AES_GCM_NONCE_BYTES + AES_GCM_TAG_BYTES;
+/** HKDF domain separator for VetKey → AES-256 key derivation (must match Rust) */
+const VETKEY_AES256_DOMAIN = "vetkey-aes256-file-encryption";
+// ============================================================================
+// IBE Operations (via @dfinity/vetkeys)
+// ============================================================================
+/**
+ * Generate an ephemeral transport key pair for secure VetKey delivery.
+ *
+ * The transport secret key is used to decrypt the EncryptedVetKey received
+ * from the canister. The public key is sent to the canister so it can
+ * encrypt the VetKey for this specific requester.
+ *
+ * @returns [transportSecretKey, transportPublicKeyBytes (48 bytes, compressed G1)]
+ */
+function generateTransportKeypair() {
+    const tsk = vetkeys_1.TransportSecretKey.random();
+    const publicKeyBytes = tsk.publicKeyBytes();
+    return [tsk, publicKeyBytes];
+}
+/**
+ * IBE-encrypt plaintext using the derived public key and identity string.
+ *
+ * Uses the Fujisaki-Okamoto transform internally (handled by @dfinity/vetkeys).
+ * Output format: [header:8B][C1:96B][C2:32B][C3:plaintext_len+16B] (152 bytes overhead)
+ *
+ * @param dpkBytes - IBE derived public key (96 bytes, compressed G2 point)
+ * @param ibeIdentity - IBE identity string (e.g. "{principal}:{hash}:{timestamp}")
+ * @param plaintext - Data to encrypt
+ * @returns IBE ciphertext bytes
+ */
+function ibeEncrypt(dpkBytes, ibeIdentity, plaintext) {
+    try {
+        const dpk = vetkeys_1.DerivedPublicKey.deserialize(dpkBytes);
+        const identity = vetkeys_1.IbeIdentity.fromString(ibeIdentity);
+        const seed = vetkeys_1.IbeSeed.random();
+        const ciphertext = vetkeys_1.IbeCiphertext.encrypt(dpk, identity, plaintext, seed);
+        return ciphertext.serialize();
+    }
+    catch (e) {
+        throw (0, error_1.encryptionError)(`IBE encrypt failed: ${e instanceof Error ? e.message : String(e)}`, e);
+    }
+}
+/**
+ * Full IBE decrypt: transport-decrypt VetKey, then IBE-decrypt ciphertext.
+ *
+ * Complete flow:
+ *   1. Deserialize EncryptedVetKey (192 bytes)
+ *   2. Transport-decrypt and verify BLS signature → VetKey
+ *   3. Deserialize IBE ciphertext
+ *   4. IBE-decrypt using VetKey → plaintext
+ *
+ * @param encryptedKeyBytes - Transport-encrypted VetKey (192 bytes)
+ * @param dpkBytes - IBE derived public key (96 bytes)
+ * @param ibeIdentity - IBE identity string
+ * @param ciphertextBytes - IBE ciphertext
+ * @param transportSecret - Transport secret key (for decrypting the VetKey)
+ * @returns Decrypted plaintext
+ */
+function ibeDecrypt(encryptedKeyBytes, dpkBytes, ibeIdentity, ciphertextBytes, transportSecret) {
+    try {
+        // Step 1-2: Transport-decrypt the VetKey
+        const encryptedVetKey = vetkeys_1.EncryptedVetKey.deserialize(encryptedKeyBytes);
+        const dpk = vetkeys_1.DerivedPublicKey.deserialize(dpkBytes);
+        // decryptAndVerify expects raw bytes for the input (derivation ID / IBE identity)
+        const identityBytes = new TextEncoder().encode(ibeIdentity);
+        const vetKey = encryptedVetKey.decryptAndVerify(transportSecret, dpk, identityBytes);
+        // Step 3-4: IBE-decrypt the ciphertext
+        const ibeCiphertext = vetkeys_1.IbeCiphertext.deserialize(ciphertextBytes);
+        return ibeCiphertext.decrypt(vetKey);
+    }
+    catch (e) {
+        throw (0, error_1.decryptionError)(`IBE decrypt failed: ${e instanceof Error ? e.message : String(e)}`, e);
+    }
+}
+/**
+ * Transport-decrypt an EncryptedVetKey and return raw VetKey bytes.
+ *
+ * Used by daemon mode to obtain the VetKey for AES-256 key derivation.
+ * The derivation ID serves as the IBE identity in this context.
+ *
+ * @param encryptedKeyBytes - Transport-encrypted VetKey (192 bytes)
+ * @param dpkBytes - IBE derived public key (96 bytes)
+ * @param derivationId - Derivation ID string (used as IBE identity)
+ * @param transportSecret - Transport secret key
+ * @returns Raw VetKey bytes (48 bytes, compressed G1 point)
+ */
+function decryptVetkey(encryptedKeyBytes, dpkBytes, derivationId, transportSecret) {
+    try {
+        const encryptedVetKey = vetkeys_1.EncryptedVetKey.deserialize(encryptedKeyBytes);
+        const dpk = vetkeys_1.DerivedPublicKey.deserialize(dpkBytes);
+        // decryptAndVerify expects raw bytes for the input (derivation ID)
+        const derivationIdBytes = new TextEncoder().encode(derivationId);
+        const vetKey = encryptedVetKey.decryptAndVerify(transportSecret, dpk, derivationIdBytes);
+        return vetKey.signatureBytes();
+    }
+    catch (e) {
+        throw (0, error_1.decryptionError)(`VetKey transport decryption failed: ${e instanceof Error ? e.message : String(e)}`, e);
+    }
+}
+// ============================================================================
+// IBE Identity Generation
+// ============================================================================
+/**
+ * Generate an IBE identity string for Kind5 PrivatePost.
+ *
+ * Format: "{principal}:{short_hash_16_hex}:{timestamp_ms}"
+ * - short_hash: first 16 hex chars of SHA-256(content)
+ * - timestamp_ms: current time in milliseconds
+ *
+ * Must match the Rust implementation exactly for cross-compatibility.
+ *
+ * @param principal - ICP principal text
+ * @param content - Content bytes to hash
+ * @returns IBE identity string
+ */
+function makeIbeIdentity(principal, content) {
+    const hash = crypto_1.default.createHash("sha256").update(content).digest("hex");
+    const shortHash = hash.slice(0, 16); // First 16 hex chars
+    const timestamp = Date.now();
+    return `${principal}:${shortHash}:${timestamp}`;
+}
+// ============================================================================
+// AES-256-GCM Operations (Daemon Mode)
+// ============================================================================
+/**
+ * Derive an AES-256 key from VetKey bytes using HKDF-SHA256.
+ *
+ * Domain separator: "vetkey-aes256-file-encryption" (must match Rust implementation)
+ *
+ * @param vetkeyBytes - Raw VetKey bytes (48 bytes, compressed G1 point)
+ * @returns AES-256 key (32 bytes)
+ */
+function vetkeyToAes256(vetkeyBytes) {
+    if (vetkeyBytes.length !== 48) {
+        throw (0, error_1.encryptionError)(`Invalid VetKey length: expected 48, got ${vetkeyBytes.length}`);
+    }
+    // HKDF-SHA256 with VetKey as IKM and domain separator as info
+    // Using empty salt (matches Rust hkdf::Hkdf::new(None, ikm))
+    return Buffer.from(crypto_1.default.hkdfSync("sha256", vetkeyBytes, Buffer.alloc(0), VETKEY_AES256_DOMAIN, 32));
+}
+/**
+ * Encrypt plaintext using AES-256-GCM in VKDA format.
+ *
+ * Output format: [magic "VKDA":4B][version 0x01:1B][nonce:12B][ciphertext+GCM tag]
+ * This format is byte-level compatible with the Rust vetkey-tool implementation.
+ *
+ * @param key - AES-256 key (32 bytes)
+ * @param plaintext - Data to encrypt
+ * @returns VKDA-formatted ciphertext
+ */
+function aes256Encrypt(key, plaintext) {
+    // Generate random 12-byte nonce
+    const nonce = crypto_1.default.randomBytes(AES_GCM_NONCE_BYTES);
+    // Encrypt with AES-256-GCM
+    const cipher = crypto_1.default.createCipheriv("aes-256-gcm", key, nonce);
+    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag(); // 16 bytes
+    // Assemble VKDA format: magic + version + nonce + ciphertext + tag
+    return Buffer.concat([
+        AES_DAEMON_MAGIC,
+        Buffer.from([AES_DAEMON_VERSION]),
+        nonce,
+        encrypted,
+        tag,
+    ]);
+}
+/**
+ * Decrypt VKDA-formatted ciphertext using AES-256-GCM.
+ *
+ * Validates the VKDA magic header and version, then performs
+ * authenticated GCM decryption.
+ *
+ * @param key - AES-256 key (32 bytes)
+ * @param data - VKDA-formatted ciphertext
+ * @returns Decrypted plaintext
+ */
+function aes256Decrypt(key, data) {
+    // Validate minimum size
+    if (data.length < VKDA_OVERHEAD) {
+        throw (0, error_1.decryptionError)(`Data too short: ${data.length} bytes (minimum ${VKDA_OVERHEAD} bytes for VKDA format)`);
+    }
+    // Validate magic header
+    if (data[0] !== 0x56 || // 'V'
+        data[1] !== 0x4b || // 'K'
+        data[2] !== 0x44 || // 'D'
+        data[3] !== 0x41 // 'A'
+    ) {
+        throw (0, error_1.decryptionError)("Invalid VKDA magic header (expected 'VKDA')");
+    }
+    // Validate version
+    if (data[4] !== AES_DAEMON_VERSION) {
+        throw (0, error_1.decryptionError)(`Unsupported VKDA version: ${data[4]} (expected ${AES_DAEMON_VERSION})`);
+    }
+    // Extract components
+    const nonce = data.subarray(5, 5 + AES_GCM_NONCE_BYTES); // bytes 5-16
+    const ciphertextWithTag = data.subarray(5 + AES_GCM_NONCE_BYTES); // bytes 17+
+    const ciphertext = ciphertextWithTag.subarray(0, ciphertextWithTag.length - AES_GCM_TAG_BYTES);
+    const tag = ciphertextWithTag.subarray(ciphertextWithTag.length - AES_GCM_TAG_BYTES);
+    // Decrypt with AES-256-GCM
+    try {
+        const decipher = crypto_1.default.createDecipheriv("aes-256-gcm", key, nonce);
+        decipher.setAuthTag(tag);
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+    catch (e) {
+        throw (0, error_1.decryptionError)(`AES-256-GCM decryption failed (authentication tag mismatch or corrupted data): ${e instanceof Error ? e.message : String(e)}`, e);
+    }
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;AAgDH,4DAIC;AAaD,gCAiBC;AAkBD,gCAwBC;AAcD,sCAmBC;AAmBD,0CAKC;AAcD,wCAUC;AAYD,sCAiBC;AAYD,sCA0CC;AA9RD,oDAA4B;AAC5B,8CAO0B;AAC1B,mCAA2D;AAE3D,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,gDAAgD;AAChD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AAE/D,0BAA0B;AAC1B,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAEhC,sCAAsC;AACtC,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,mDAAmD;AACnD,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,mFAAmF;AACnF,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,GAAG,mBAAmB,GAAG,iBAAiB,CAAC;AAEtE,kFAAkF;AAClF,MAAM,oBAAoB,GAAG,+BAA+B,CAAC;AAE7D,+EAA+E;AAC/E,wCAAwC;AACxC,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,SAAgB,wBAAwB;IACtC,MAAM,GAAG,GAAG,4BAAkB,CAAC,MAAM,EAAE,CAAC;IACxC,MAAM,cAAc,GAAG,GAAG,CAAC,cAAc,EAAE,CAAC;IAC5C,OAAO,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,UAAU,CACxB,QAAoB,EACpB,WAAmB,EACnB,SAAqB;IAErB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,0BAAgB,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAG,qBAAW,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,iBAAO,CAAC,MAAM,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAG,uBAAa,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QACzE,OAAO,UAAU,CAAC,SAAS,EAAE,CAAC;IAChC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAA,uBAAe,EACnB,uBAAuB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EACnE,CAAC,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,UAAU,CACxB,iBAA6B,EAC7B,QAAoB,EACpB,WAAmB,EACnB,eAA2B,EAC3B,eAAmC;IAEnC,IAAI,CAAC;QACH,yCAAyC;QACzC,MAAM,eAAe,GAAG,yBAAe,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;QACvE,MAAM,GAAG,GAAG,0BAAgB,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACnD,kFAAkF;QAClF,MAAM,aAAa,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,eAAe,CAAC,gBAAgB,CAAC,eAAe,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;QAErF,uCAAuC;QACvC,MAAM,aAAa,GAAG,uBAAa,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC;QACjE,OAAO,aAAa,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAA,uBAAe,EACnB,uBAAuB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EACnE,CAAC,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,aAAa,CAC3B,iBAA6B,EAC7B,QAAoB,EACpB,YAAoB,EACpB,eAAmC;IAEnC,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,yBAAe,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;QACvE,MAAM,GAAG,GAAG,0BAAgB,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACnD,mEAAmE;QACnE,MAAM,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACjE,MAAM,MAAM,GAAG,eAAe,CAAC,gBAAgB,CAAC,eAAe,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAC;QACzF,OAAO,MAAM,CAAC,cAAc,EAAE,CAAC;IACjC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAA,uBAAe,EACnB,uCAAuC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EACnF,CAAC,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;;;;;;;;;;;GAYG;AACH,SAAgB,eAAe,CAAC,SAAiB,EAAE,OAAmB;IACpE,MAAM,IAAI,GAAG,gBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,OAAO,GAAG,SAAS,IAAI,SAAS,IAAI,SAAS,EAAE,CAAC;AAClD,CAAC;AAED,+EAA+E;AAC/E,uCAAuC;AACvC,+EAA+E;AAE/E;;;;;;;GAOG;AACH,SAAgB,cAAc,CAAC,WAAuB;IACpD,IAAI,WAAW,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAA,uBAAe,EAAC,2CAA2C,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,8DAA8D;IAC9D,6DAA6D;IAC7D,OAAO,MAAM,CAAC,IAAI,CAChB,gBAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,oBAAoB,EAAE,EAAE,CAAC,CAClF,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,aAAa,CAAC,GAAW,EAAE,SAAqB;IAC9D,gCAAgC;IAChC,MAAM,KAAK,GAAG,gBAAM,CAAC,WAAW,CAAC,mBAAmB,CAAC,CAAC;IAEtD,2BAA2B;IAC3B,MAAM,MAAM,GAAG,gBAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC5E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,WAAW;IAE5C,mEAAmE;IACnE,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,gBAAgB;QAChB,MAAM,CAAC,IAAI,CAAC,CAAC,kBAAkB,CAAC,CAAC;QACjC,KAAK;QACL,SAAS;QACT,GAAG;KACJ,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,aAAa,CAAC,GAAW,EAAE,IAAgB;IACzD,wBAAwB;IACxB,IAAI,IAAI,CAAC,MAAM,GAAG,aAAa,EAAE,CAAC;QAChC,MAAM,IAAA,uBAAe,EACnB,mBAAmB,IAAI,CAAC,MAAM,mBAAmB,aAAa,yBAAyB,CACxF,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,IACE,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,MAAM;QAC1B,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,MAAM;QAC1B,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,MAAM;QAC1B,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,CAAI,MAAM;MAC1B,CAAC;QACD,MAAM,IAAA,uBAAe,EAAC,6CAA6C,CAAC,CAAC;IACvE,CAAC;IAED,mBAAmB;IACnB,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,kBAAkB,EAAE,CAAC;QACnC,MAAM,IAAA,uBAAe,EACnB,6BAA6B,IAAI,CAAC,CAAC,CAAC,cAAc,kBAAkB,GAAG,CACxE,CAAC;IACJ,CAAC;IAED,qBAAqB;IACrB,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,GAAG,mBAAmB,CAAC,CAAC,CAAwB,aAAa;IAC7F,MAAM,iBAAiB,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,GAAG,mBAAmB,CAAC,CAAC,CAAe,YAAY;IAC5F,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC,EAAE,iBAAiB,CAAC,MAAM,GAAG,iBAAiB,CAAC,CAAC;IAC/F,MAAM,GAAG,GAAG,iBAAiB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,MAAM,GAAG,iBAAiB,CAAC,CAAC;IAErF,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,gBAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACpE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACxE,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAA,uBAAe,EACnB,kFAAkF,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAC9H,CAAC,CACF,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/daemon.d.ts

@@ -0,0 +1,94 @@
+/**
+ * Daemon Lifecycle Management — PID file, socket path, runtime directory
+ *
+ * Manages the daemon's file system footprint:
+ *   - Runtime directory: ~/.vetkey-tool/ (created with 0o700 permissions)
+ *   - PID file:   ~/.vetkey-tool/{sanitized_id}.pid
+ *   - Socket file: ~/.vetkey-tool/{sanitized_id}.sock
+ *
+ * Prevents duplicate daemon instances by checking PID files and verifying
+ * whether the process is still alive. Stale PID/socket files from crashed
+ * daemons are automatically cleaned up.
+ *
+ * The DaemonRuntime class implements cleanup-on-drop semantics via
+ * process exit handlers, ensuring PID and socket files are removed
+ * even on unexpected termination (SIGTERM, SIGINT, uncaught exceptions).
+ */
+/** Get the runtime directory path (~/.vetkey-tool/) */
+export declare function runtimeDir(): string;
+/**
+ * Sanitize a derivation ID for use in file names.
+ *
+ * Replaces special characters (:, /, \) with underscores.
+ * If the resulting path would exceed the Unix socket path limit,
+ * falls back to a SHA-256 hash prefix (16 hex characters) to keep
+ * the path short enough.
+ *
+ * @param derivationId - Raw derivation ID (e.g. "abc-def:default")
+ * @returns Safe file name prefix
+ */
+export declare function sanitizeDerivationId(derivationId: string): string;
+/** Get the socket file path for a derivation ID */
+export declare function socketPath(derivationId: string): string;
+/** Get the PID file path for a derivation ID */
+export declare function pidPath(derivationId: string): string;
+/**
+ * Manages the lifecycle of a daemon instance.
+ *
+ * On creation:
+ *   - Creates the runtime directory if needed
+ *   - Checks for existing running instances (PID file + process alive check)
+ *   - Cleans up stale PID/socket files from crashed daemons
+ *   - Writes the current PID to the PID file
+ *
+ * On cleanup (via destroy() or process exit handlers):
+ *   - Removes the PID file
+ *   - Removes the socket file
+ */
+export declare class DaemonRuntime {
+    private _socketPath;
+    private _pidPath;
+    private _derivationId;
+    private cleanedUp;
+    /** Bound cleanup handler for process exit events */
+    private exitHandler;
+    private constructor();
+    /**
+     * Create a new DaemonRuntime, performing all startup checks.
+     *
+     * @param derivationId - Derivation ID for this daemon instance
+     * @returns Initialized DaemonRuntime
+     * @throws ToolError with code DAEMON if another instance is already running
+     */
+    static create(derivationId: string): DaemonRuntime;
+    /** Socket file path */
+    get socketFilePath(): string;
+    /** PID file path */
+    get pidFilePath(): string;
+    /** Derivation ID */
+    get derivationId(): string;
+    /**
+     * Clean up PID and socket files.
+     *
+     * Safe to call multiple times — subsequent calls are no-ops.
+     * Called automatically on process exit.
+     */
+    cleanup(): void;
+    /**
+     * Explicitly destroy the runtime (alias for cleanup).
+     * Removes PID and socket files, unregisters handlers.
+     */
+    destroy(): void;
+}
+/**
+ * Find the socket path for a running daemon (used by stop/status commands).
+ *
+ * Checks if the socket file exists and the daemon is actually running
+ * (via PID file check).
+ *
+ * @param derivationId - Derivation ID to look up
+ * @returns Socket path if daemon is running
+ * @throws ToolError if no running daemon is found
+ */
+export declare function findRunningDaemon(derivationId: string): string;
+//# sourceMappingURL=daemon.d.ts.map

package/dist/daemon.js

@@ -0,0 +1,271 @@
+"use strict";
+/**
+ * Daemon Lifecycle Management — PID file, socket path, runtime directory
+ *
+ * Manages the daemon's file system footprint:
+ *   - Runtime directory: ~/.vetkey-tool/ (created with 0o700 permissions)
+ *   - PID file:   ~/.vetkey-tool/{sanitized_id}.pid
+ *   - Socket file: ~/.vetkey-tool/{sanitized_id}.sock
+ *
+ * Prevents duplicate daemon instances by checking PID files and verifying
+ * whether the process is still alive. Stale PID/socket files from crashed
+ * daemons are automatically cleaned up.
+ *
+ * The DaemonRuntime class implements cleanup-on-drop semantics via
+ * process exit handlers, ensuring PID and socket files are removed
+ * even on unexpected termination (SIGTERM, SIGINT, uncaught exceptions).
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DaemonRuntime = void 0;
+exports.runtimeDir = runtimeDir;
+exports.sanitizeDerivationId = sanitizeDerivationId;
+exports.socketPath = socketPath;
+exports.pidPath = pidPath;
+exports.findRunningDaemon = findRunningDaemon;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const crypto_1 = __importDefault(require("crypto"));
+const error_1 = require("./error");
+/** Runtime directory name under home directory */
+const RUNTIME_DIR_NAME = ".vetkey-tool";
+/**
+ * Maximum socket path length.
+ * macOS limits Unix socket paths to 104 bytes, Linux to 108 bytes.
+ * We use 100 as a safe threshold.
+ */
+const MAX_SOCKET_PATH_LEN = 100;
+// ============================================================================
+// Path Utilities
+// ============================================================================
+/** Get the runtime directory path (~/.vetkey-tool/) */
+function runtimeDir() {
+    return (0, path_1.join)((0, os_1.homedir)(), RUNTIME_DIR_NAME);
+}
+/**
+ * Sanitize a derivation ID for use in file names.
+ *
+ * Replaces special characters (:, /, \) with underscores.
+ * If the resulting path would exceed the Unix socket path limit,
+ * falls back to a SHA-256 hash prefix (16 hex characters) to keep
+ * the path short enough.
+ *
+ * @param derivationId - Raw derivation ID (e.g. "abc-def:default")
+ * @returns Safe file name prefix
+ */
+function sanitizeDerivationId(derivationId) {
+    const sanitized = derivationId
+        .replace(/:/g, "_")
+        .replace(/\//g, "_")
+        .replace(/\\/g, "_");
+    // Check if the full socket path would be too long
+    const dir = runtimeDir();
+    const fullPath = (0, path_1.join)(dir, `${sanitized}.sock`);
+    if (fullPath.length > MAX_SOCKET_PATH_LEN) {
+        // Use SHA-256 hash prefix for long derivation IDs
+        const hash = crypto_1.default.createHash("sha256").update(derivationId).digest("hex");
+        return `vk_${hash.slice(0, 16)}`;
+    }
+    return sanitized;
+}
+/** Get the socket file path for a derivation ID */
+function socketPath(derivationId) {
+    const name = sanitizeDerivationId(derivationId);
+    return (0, path_1.join)(runtimeDir(), `${name}.sock`);
+}
+/** Get the PID file path for a derivation ID */
+function pidPath(derivationId) {
+    const name = sanitizeDerivationId(derivationId);
+    return (0, path_1.join)(runtimeDir(), `${name}.pid`);
+}
+// ============================================================================
+// Process Detection
+// ============================================================================
+/**
+ * Check if a process with the given PID is still alive.
+ *
+ * Uses `kill -0` which checks process existence without sending a signal.
+ * Works on both macOS and Linux without requiring native dependencies.
+ *
+ * @param pid - Process ID to check
+ * @returns true if the process exists, false otherwise
+ */
+function isProcessAlive(pid) {
+    try {
+        // kill -0 checks existence without actually sending a signal
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (e) {
+        // EPERM = process exists but we don't have permission → still alive
+        if (e && typeof e === "object" && "code" in e && e.code === "EPERM") {
+            return true;
+        }
+        // ESRCH = no such process → dead
+        return false;
+    }
+}
+// ============================================================================
+// DaemonRuntime
+// ============================================================================
+/**
+ * Manages the lifecycle of a daemon instance.
+ *
+ * On creation:
+ *   - Creates the runtime directory if needed
+ *   - Checks for existing running instances (PID file + process alive check)
+ *   - Cleans up stale PID/socket files from crashed daemons
+ *   - Writes the current PID to the PID file
+ *
+ * On cleanup (via destroy() or process exit handlers):
+ *   - Removes the PID file
+ *   - Removes the socket file
+ */
+class DaemonRuntime {
+    constructor(socketFilePath, pidFilePath, derivationId) {
+        this.cleanedUp = false;
+        this._socketPath = socketFilePath;
+        this._pidPath = pidFilePath;
+        this._derivationId = derivationId;
+        // Register cleanup handler for process exit
+        this.exitHandler = () => this.cleanup();
+        process.on("exit", this.exitHandler);
+        // Note: SIGTERM/SIGINT signal handlers are managed by serve.ts
+        // to coordinate with the server shutdown. We only handle 'exit' here.
+    }
+    /**
+     * Create a new DaemonRuntime, performing all startup checks.
+     *
+     * @param derivationId - Derivation ID for this daemon instance
+     * @returns Initialized DaemonRuntime
+     * @throws ToolError with code DAEMON if another instance is already running
+     */
+    static create(derivationId) {
+        const dir = runtimeDir();
+        const sock = socketPath(derivationId);
+        const pid = pidPath(derivationId);
+        // Create runtime directory with restricted permissions (0o700)
+        if (!(0, fs_1.existsSync)(dir)) {
+            (0, fs_1.mkdirSync)(dir, { recursive: true, mode: 0o700 });
+        }
+        // Check for existing running instance
+        if ((0, fs_1.existsSync)(pid)) {
+            try {
+                const pidStr = (0, fs_1.readFileSync)(pid, "utf-8").trim();
+                const existingPid = parseInt(pidStr, 10);
+                if (!isNaN(existingPid) && isProcessAlive(existingPid)) {
+                    throw (0, error_1.daemonError)(`Daemon already running (PID ${existingPid}, derivation_id: ${derivationId}). ` +
+                        `Use 'zcloak-ai vetkey stop --key-name ...' to stop it first.`);
+                }
+                // Stale PID file — clean up
+                console.error(`Removing stale PID file (PID ${pidStr} no longer running)`);
+            }
+            catch (e) {
+                // Re-throw ToolError (daemon already running)
+                if (e instanceof Error && e.name === "ToolError")
+                    throw e;
+                // Other errors (corrupted PID file) — just clean up
+                console.error(`Removing corrupted PID file: ${e}`);
+            }
+            safeUnlink(pid);
+            safeUnlink(sock);
+        }
+        // Remove stale socket file if it exists without a PID file
+        if ((0, fs_1.existsSync)(sock)) {
+            console.error("Removing stale socket file");
+            safeUnlink(sock);
+        }
+        // Write current PID to PID file
+        (0, fs_1.writeFileSync)(pid, `${process.pid}\n`, { mode: 0o600 });
+        return new DaemonRuntime(sock, pid, derivationId);
+    }
+    /** Socket file path */
+    get socketFilePath() {
+        return this._socketPath;
+    }
+    /** PID file path */
+    get pidFilePath() {
+        return this._pidPath;
+    }
+    /** Derivation ID */
+    get derivationId() {
+        return this._derivationId;
+    }
+    /**
+     * Clean up PID and socket files.
+     *
+     * Safe to call multiple times — subsequent calls are no-ops.
+     * Called automatically on process exit.
+     */
+    cleanup() {
+        if (this.cleanedUp)
+            return;
+        this.cleanedUp = true;
+        safeUnlink(this._pidPath);
+        safeUnlink(this._socketPath);
+        // Unregister process exit handler
+        process.removeListener("exit", this.exitHandler);
+    }
+    /**
+     * Explicitly destroy the runtime (alias for cleanup).
+     * Removes PID and socket files, unregisters handlers.
+     */
+    destroy() {
+        this.cleanup();
+    }
+}
+exports.DaemonRuntime = DaemonRuntime;
+/**
+ * Find the socket path for a running daemon (used by stop/status commands).
+ *
+ * Checks if the socket file exists and the daemon is actually running
+ * (via PID file check).
+ *
+ * @param derivationId - Derivation ID to look up
+ * @returns Socket path if daemon is running
+ * @throws ToolError if no running daemon is found
+ */
+function findRunningDaemon(derivationId) {
+    const sock = socketPath(derivationId);
+    const pid = pidPath(derivationId);
+    if (!(0, fs_1.existsSync)(sock)) {
+        throw (0, error_1.daemonError)(`No running daemon found for derivation_id '${derivationId}'. ` +
+            `Socket file not found: ${sock}`);
+    }
+    // Optionally verify the PID is still alive
+    if ((0, fs_1.existsSync)(pid)) {
+        try {
+            const pidStr = (0, fs_1.readFileSync)(pid, "utf-8").trim();
+            const existingPid = parseInt(pidStr, 10);
+            if (!isNaN(existingPid) && !isProcessAlive(existingPid)) {
+                // Stale files — clean up
+                safeUnlink(sock);
+                safeUnlink(pid);
+                throw (0, error_1.daemonError)(`Daemon for '${derivationId}' is no longer running (PID ${existingPid} is dead). ` +
+                    `Stale files have been cleaned up.`);
+            }
+        }
+        catch (e) {
+            if (e instanceof Error && e.name === "ToolError")
+                throw e;
+            // Corrupted PID file but socket exists — try connecting anyway
+        }
+    }
+    return sock;
+}
+// ============================================================================
+// Internal Helpers
+// ============================================================================
+/** Safely delete a file, ignoring errors if it doesn't exist */
+function safeUnlink(filePath) {
+    try {
+        (0, fs_1.unlinkSync)(filePath);
+    }
+    catch {
+        // Ignore — file may not exist
+    }
+}
+//# sourceMappingURL=daemon.js.map

package/dist/daemon.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"daemon.js","sourceRoot":"","sources":["../src/daemon.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;;;;AAuBH,gCAEC;AAaD,oDAgBC;AAGD,gCAGC;AAGD,0BAGC;AA6KD,8CAgCC;AA7QD,2BAAoF;AACpF,+BAA4B;AAC5B,2BAA6B;AAC7B,oDAA4B;AAC5B,mCAAsC;AAEtC,kDAAkD;AAClD,MAAM,gBAAgB,GAAG,cAAc,CAAC;AAExC;;;;GAIG;AACH,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEhC,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,uDAAuD;AACvD,SAAgB,UAAU;IACxB,OAAO,IAAA,WAAI,EAAC,IAAA,YAAO,GAAE,EAAE,gBAAgB,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,oBAAoB,CAAC,YAAoB;IACvD,MAAM,SAAS,GAAG,YAAY;SAC3B,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEvB,kDAAkD;IAClD,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,MAAM,QAAQ,GAAG,IAAA,WAAI,EAAC,GAAG,EAAE,GAAG,SAAS,OAAO,CAAC,CAAC;IAChD,IAAI,QAAQ,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QAC1C,kDAAkD;QAClD,MAAM,IAAI,GAAG,gBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5E,OAAO,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,mDAAmD;AACnD,SAAgB,UAAU,CAAC,YAAoB;IAC7C,MAAM,IAAI,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAChD,OAAO,IAAA,WAAI,EAAC,UAAU,EAAE,EAAE,GAAG,IAAI,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,gDAAgD;AAChD,SAAgB,OAAO,CAAC,YAAoB;IAC1C,MAAM,IAAI,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAChD,OAAO,IAAA,WAAI,EAAC,UAAU,EAAE,EAAE,GAAG,IAAI,MAAM,CAAC,CAAC;AAC3C,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,CAAC;QACH,6DAA6D;QAC7D,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,oEAAoE;QACpE,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,IAAI,CAAC,IAAK,CAA2B,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/F,OAAO,IAAI,CAAC;QACd,CAAC;QACD,iCAAiC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;;;;;;;;;;;GAYG;AACH,MAAa,aAAa;IASxB,YAAoB,cAAsB,EAAE,WAAmB,EAAE,YAAoB;QAL7E,cAAS,GAAG,KAAK,CAAC;QAMxB,IAAI,CAAC,WAAW,GAAG,cAAc,CAAC;QAClC,IAAI,CAAC,QAAQ,GAAG,WAAW,CAAC;QAC5B,IAAI,CAAC,aAAa,GAAG,YAAY,CAAC;QAElC,4CAA4C;QAC5C,IAAI,CAAC,WAAW,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QACxC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QACrC,+DAA+D;QAC/D,sEAAsE;IACxE,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,MAAM,CAAC,YAAoB;QAChC,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;QAElC,+DAA+D;QAC/D,IAAI,CAAC,IAAA,eAAU,EAAC,GAAG,CAAC,EAAE,CAAC;YACrB,IAAA,cAAS,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,sCAAsC;QACtC,IAAI,IAAA,eAAU,EAAC,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAA,iBAAY,EAAC,GAAG,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;gBACjD,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;gBAEzC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;oBACvD,MAAM,IAAA,mBAAW,EACf,+BAA+B,WAAW,oBAAoB,YAAY,KAAK;wBAC/E,8DAA8D,CAC/D,CAAC;gBACJ,CAAC;gBAED,4BAA4B;gBAC5B,OAAO,CAAC,KAAK,CAAC,gCAAgC,MAAM,qBAAqB,CAAC,CAAC;YAC7E,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,8CAA8C;gBAC9C,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,IAAI,KAAK,WAAW;oBAAE,MAAM,CAAC,CAAC;gBAC1D,oDAAoD;gBACpD,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,EAAE,CAAC,CAAC;YACrD,CAAC;YACD,UAAU,CAAC,GAAG,CAAC,CAAC;YAChB,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;QAED,2DAA2D;QAC3D,IAAI,IAAA,eAAU,EAAC,IAAI,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAC5C,UAAU,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;QAED,gCAAgC;QAChC,IAAA,kBAAa,EAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAExD,OAAO,IAAI,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;IACpD,CAAC;IAED,uBAAuB;IACvB,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,oBAAoB;IACpB,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,oBAAoB;IACpB,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED;;;;;OAKG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO;QAC3B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QAEtB,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1B,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAE7B,kCAAkC;QAClC,OAAO,CAAC,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IACnD,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF;AAlHD,sCAkHC;AAED;;;;;;;;;GASG;AACH,SAAgB,iBAAiB,CAAC,YAAoB;IACpD,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAElC,IAAI,CAAC,IAAA,eAAU,EAAC,IAAI,CAAC,EAAE,CAAC;QACtB,MAAM,IAAA,mBAAW,EACf,8CAA8C,YAAY,KAAK;YAC/D,0BAA0B,IAAI,EAAE,CACjC,CAAC;IACJ,CAAC;IAED,2CAA2C;IAC3C,IAAI,IAAA,eAAU,EAAC,GAAG,CAAC,EAAE,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,iBAAY,EAAC,GAAG,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YACjD,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACzC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;gBACxD,yBAAyB;gBACzB,UAAU,CAAC,IAAI,CAAC,CAAC;gBACjB,UAAU,CAAC,GAAG,CAAC,CAAC;gBAChB,MAAM,IAAA,mBAAW,EACf,eAAe,YAAY,+BAA+B,WAAW,aAAa;oBAClF,mCAAmC,CACpC,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,IAAI,KAAK,WAAW;gBAAE,MAAM,CAAC,CAAC;YAC1D,+DAA+D;QACjE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,gEAAgE;AAChE,SAAS,UAAU,CAAC,QAAgB;IAClC,IAAI,CAAC;QACH,IAAA,eAAU,EAAC,QAAQ,CAAC,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,8BAA8B;IAChC,CAAC;AACH,CAAC"}

package/dist/delete.d.ts

@@ -0,0 +1,22 @@
+#!/usr/bin/env node
+/**
+ * zCloak.ai File Deletion with 2FA Verification Tool
+ *
+ * Implements secure file deletion requiring 2FA (WebAuthn passkey) authorization.
+ * The deletion flow: prepare → user authenticates via browser → confirm & delete.
+ * Uses @dfinity JS SDK to interact directly with ICP canister, no dfx required.
+ *
+ * Usage:
+ *   zcloak-ai delete prepare <file_path>                Prepare 2FA request and generate authentication URL
+ *   zcloak-ai delete check <challenge>                  Check 2FA verification status
+ *   zcloak-ai delete confirm <challenge> <file_path>    Confirm 2FA and delete file if authorized
+ *
+ * All commands support --identity=<pem_path> to specify identity file.
+ */
+import { Session } from './session';
+/**
+ * Entry point when invoked via cli.ts.
+ * Receives a Session instance with pre-parsed arguments.
+ */
+export declare function run(session: Session): Promise<void>;
+//# sourceMappingURL=delete.d.ts.map