@zcloak/ai-agent 1.0.0

package/dist/feed.js

@@ -0,0 +1,83 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * zCloak.ai Event/Post Fetching Tool
+ *
+ * Provides global counter query and event fetching by counter range.
+ * Uses @dfinity JS SDK to interact directly with ICP canister, no dfx required.
+ *
+ * Usage:
+ *   zcloak-ai feed counter                Get current global counter value
+ *   zcloak-ai feed fetch <from> <to>      Fetch events by counter range
+ *
+ * All commands support --identity=<pem_path> to specify identity file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.run = run;
+const utils_1 = require("./utils");
+// ========== Help Information ==========
+function showHelp() {
+    console.log('zCloak.ai Event/Post Fetching Tool');
+    console.log('');
+    console.log('Usage:');
+    console.log('  zcloak-ai feed counter              Get current global counter value');
+    console.log('  zcloak-ai feed fetch <from> <to>    Fetch events by counter range');
+    console.log('');
+    console.log('');
+    console.log('Examples:');
+    console.log('  zcloak-ai feed counter');
+    console.log('  zcloak-ai feed fetch 11 16');
+}
+// ========== Command Implementations ==========
+/** Get current global counter value */
+async function cmdCounter(session) {
+    const actor = await session.getAnonymousSignActor();
+    const counter = await actor.get_counter();
+    console.log(`(${counter} : nat32)`);
+}
+/** Fetch events by counter range */
+async function cmdFetch(session, from, to) {
+    if (!from || !to) {
+        console.error('Error: from and to parameters are required');
+        console.error('Usage: zcloak-ai feed fetch <from> <to>');
+        process.exit(1);
+    }
+    const fromNum = parseInt(from, 10);
+    const toNum = parseInt(to, 10);
+    if (isNaN(fromNum) || isNaN(toNum)) {
+        console.error('Error: from and to must be numbers');
+        process.exit(1);
+    }
+    const actor = await session.getAnonymousSignActor();
+    const events = await actor.fetch_events_by_counter(fromNum, toNum);
+    console.log((0, utils_1.formatSignEvents)(events));
+}
+// ========== Exported run() — called by cli.ts ==========
+/**
+ * Entry point when invoked via cli.ts.
+ * Receives a Session instance with pre-parsed arguments.
+ */
+async function run(session) {
+    const command = session.args._args[0];
+    try {
+        switch (command) {
+            case 'counter':
+                await cmdCounter(session);
+                break;
+            case 'fetch':
+                await cmdFetch(session, session.args._args[1], session.args._args[2]);
+                break;
+            default:
+                showHelp();
+                if (command) {
+                    console.error(`\nUnknown command: ${command}`);
+                }
+                process.exit(1);
+        }
+    }
+    catch (err) {
+        console.error(`Operation failed: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=feed.js.map

package/dist/feed.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"feed.js","sourceRoot":"","sources":["../src/feed.ts"],"names":[],"mappings":";;AACA;;;;;;;;;;;GAWG;;AAuDH,kBAsBC;AA3ED,mCAA2C;AAG3C,yCAAyC;AACzC,SAAS,QAAQ;IACf,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;IACtF,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;IACnF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;AAC9C,CAAC;AAED,gDAAgD;AAEhD,uCAAuC;AACvC,KAAK,UAAU,UAAU,CAAC,OAAgB;IACxC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,WAAW,CAAC,CAAC;AACtC,CAAC;AAED,oCAAoC;AACpC,KAAK,UAAU,QAAQ,CAAC,OAAgB,EAAE,IAAwB,EAAE,EAAsB;IACxF,IAAI,CAAC,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAC5D,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAE/B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,qBAAqB,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,uBAAuB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CAAC,IAAA,wBAAgB,EAAC,MAAM,CAAC,CAAC,CAAC;AACxC,CAAC;AAED,0DAA0D;AAE1D;;;GAGG;AACI,KAAK,UAAU,GAAG,CAAC,OAAgB;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtC,IAAI,CAAC;QACH,QAAQ,OAAO,EAAE,CAAC;YAChB,KAAK,SAAS;gBACZ,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBACtE,MAAM;YACR;gBACE,QAAQ,EAAE,CAAC;gBACX,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;gBACjD,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/identity.d.ts

@@ -0,0 +1,50 @@
+/**
+ * zCloak.ai Identity Management Module
+ *
+ * Loads ECDSA secp256k1 identity from dfx-compatible PEM files for signing operations.
+ * Replaces the original `dfx identity get-principal` and similar commands.
+ *
+ * dfx generates EC PRIVATE KEY (SEC1/PKCS#1 format, OID 1.3.132.0.10 secp256k1),
+ * which is handled by Secp256k1KeyIdentity from @dfinity/identity-secp256k1.
+ *
+ * PEM file location priority:
+ *   1. --identity=<path> command line argument
+ *   2. ZCLOAK_IDENTITY environment variable
+ *   3. ~/.config/dfx/identity/default/identity.pem (dfx default location)
+ */
+import { Secp256k1KeyIdentity } from '@dfinity/identity-secp256k1';
+/**
+ * dfx default identity PEM file path
+ * Unified for macOS and Linux: ~/.config/dfx/identity/default/identity.pem
+ */
+export declare const DEFAULT_PEM_PATH: string;
+/**
+ * Get PEM file path.
+ * Searches by priority: --identity argument > environment variable > dfx default location.
+ *
+ * When called with an explicit argv array, uses that instead of process.argv.
+ * This enables deterministic, testable behavior without global state dependency.
+ *
+ * @param argv - Optional explicit argument array (defaults to process.argv)
+ * @returns Absolute path to PEM file
+ * @throws {Error} If no PEM file can be found or the specified path does not exist
+ */
+export declare function getPemPath(argv?: string[]): string;
+/**
+ * Load an ECDSA secp256k1 identity directly from a given PEM file path.
+ *
+ * Does NOT read the PEM path from argv/environment variables. It is intended
+ * for cases where the caller already knows the exact path (e.g. after generating
+ * a new key file, or when Session has already resolved the path).
+ *
+ * Uses Secp256k1KeyIdentity.fromPem() which handles the dfx PEM format:
+ *   -----BEGIN EC PRIVATE KEY-----   (SEC1 / RFC 5915 format)
+ *   <base64 encoded DER data>
+ *   -----END EC PRIVATE KEY-----
+ *
+ * @param pemPath - Absolute path to the PEM file
+ * @returns Secp256k1KeyIdentity
+ * @throws {Error} If the PEM file cannot be read or parsed
+ */
+export declare function loadIdentityFromPath(pemPath: string): Secp256k1KeyIdentity;
+//# sourceMappingURL=identity.d.ts.map

package/dist/identity.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * zCloak.ai Identity Management Module
+ *
+ * Loads ECDSA secp256k1 identity from dfx-compatible PEM files for signing operations.
+ * Replaces the original `dfx identity get-principal` and similar commands.
+ *
+ * dfx generates EC PRIVATE KEY (SEC1/PKCS#1 format, OID 1.3.132.0.10 secp256k1),
+ * which is handled by Secp256k1KeyIdentity from @dfinity/identity-secp256k1.
+ *
+ * PEM file location priority:
+ *   1. --identity=<path> command line argument
+ *   2. ZCLOAK_IDENTITY environment variable
+ *   3. ~/.config/dfx/identity/default/identity.pem (dfx default location)
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_PEM_PATH = void 0;
+exports.getPemPath = getPemPath;
+exports.loadIdentityFromPath = loadIdentityFromPath;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const identity_secp256k1_1 = require("@dfinity/identity-secp256k1");
+// ========== PEM File Lookup ==========
+/**
+ * dfx default identity PEM file path
+ * Unified for macOS and Linux: ~/.config/dfx/identity/default/identity.pem
+ */
+exports.DEFAULT_PEM_PATH = path_1.default.join(os_1.default.homedir(), '.config', 'dfx', 'identity', 'default', 'identity.pem');
+/**
+ * Get PEM file path.
+ * Searches by priority: --identity argument > environment variable > dfx default location.
+ *
+ * When called with an explicit argv array, uses that instead of process.argv.
+ * This enables deterministic, testable behavior without global state dependency.
+ *
+ * @param argv - Optional explicit argument array (defaults to process.argv)
+ * @returns Absolute path to PEM file
+ * @throws {Error} If no PEM file can be found or the specified path does not exist
+ */
+function getPemPath(argv) {
+    const effectiveArgv = argv ?? process.argv;
+    // 1. Get from --identity=<path> argument
+    const identityArg = effectiveArgv.find(a => a.startsWith('--identity='));
+    if (identityArg) {
+        const p = identityArg.split('=').slice(1).join('='); // Support paths containing =
+        const resolved = path_1.default.resolve(p);
+        if (!fs_1.default.existsSync(resolved)) {
+            throw new Error(`Specified PEM file does not exist: ${resolved}`);
+        }
+        return resolved;
+    }
+    // 2. Get from environment variable
+    if (process.env.ZCLOAK_IDENTITY) {
+        const resolved = path_1.default.resolve(process.env.ZCLOAK_IDENTITY);
+        if (!fs_1.default.existsSync(resolved)) {
+            throw new Error(`PEM file specified by ZCLOAK_IDENTITY does not exist: ${resolved}`);
+        }
+        return resolved;
+    }
+    // 3. Use dfx default location
+    if (fs_1.default.existsSync(exports.DEFAULT_PEM_PATH)) {
+        return exports.DEFAULT_PEM_PATH;
+    }
+    throw new Error('Identity PEM file not found. Provide one via:\n' +
+        '  1. --identity=<pem_file_path>\n' +
+        '  2. Set environment variable ZCLOAK_IDENTITY=<pem_file_path>\n' +
+        `  3. Ensure dfx default identity exists: ${exports.DEFAULT_PEM_PATH}`);
+}
+// ========== Identity Management ==========
+/**
+ * Load an ECDSA secp256k1 identity directly from a given PEM file path.
+ *
+ * Does NOT read the PEM path from argv/environment variables. It is intended
+ * for cases where the caller already knows the exact path (e.g. after generating
+ * a new key file, or when Session has already resolved the path).
+ *
+ * Uses Secp256k1KeyIdentity.fromPem() which handles the dfx PEM format:
+ *   -----BEGIN EC PRIVATE KEY-----   (SEC1 / RFC 5915 format)
+ *   <base64 encoded DER data>
+ *   -----END EC PRIVATE KEY-----
+ *
+ * @param pemPath - Absolute path to the PEM file
+ * @returns Secp256k1KeyIdentity
+ * @throws {Error} If the PEM file cannot be read or parsed
+ */
+function loadIdentityFromPath(pemPath) {
+    const pemContent = fs_1.default.readFileSync(pemPath, 'utf-8');
+    try {
+        return identity_secp256k1_1.Secp256k1KeyIdentity.fromPem(pemContent);
+    }
+    catch (err) {
+        throw new Error(`Failed to load ECDSA secp256k1 identity from ${pemPath}: ${err.message}`);
+    }
+}
+//# sourceMappingURL=identity.js.map

package/dist/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;AA8BH,gCAkCC;AAoBD,oDASC;AA3FD,4CAAoB;AACpB,gDAAwB;AACxB,4CAAoB;AACpB,oEAAmE;AAGnE,wCAAwC;AAExC;;;GAGG;AACU,QAAA,gBAAgB,GAAW,cAAI,CAAC,IAAI,CAC/C,YAAE,CAAC,OAAO,EAAE,EACZ,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,CACxD,CAAC;AAEF;;;;;;;;;;GAUG;AACH,SAAgB,UAAU,CAAC,IAAe;IACxC,MAAM,aAAa,GAAG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAE3C,yCAAyC;IACzC,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;IACzE,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,6BAA6B;QAClF,MAAM,QAAQ,GAAG,cAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACjC,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,mCAAmC;IACnC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,cAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC3D,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,yDAAyD,QAAQ,EAAE,CAAC,CAAC;QACvF,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,8BAA8B;IAC9B,IAAI,YAAE,CAAC,UAAU,CAAC,wBAAgB,CAAC,EAAE,CAAC;QACpC,OAAO,wBAAgB,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,KAAK,CACb,iDAAiD;QACjD,mCAAmC;QACnC,iEAAiE;QACjE,4CAA4C,wBAAgB,EAAE,CAC/D,CAAC;AACJ,CAAC;AAED,4CAA4C;AAE5C;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,oBAAoB,CAAC,OAAe;IAClD,MAAM,UAAU,GAAG,YAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACrD,IAAI,CAAC;QACH,OAAO,yCAAoB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,gDAAgD,OAAO,KAAM,GAAa,CAAC,OAAO,EAAE,CACrF,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/identity_cmd.d.ts

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+/**
+ * zCloak.ai Identity Key Management Script
+ *
+ * Generates and inspects ECDSA secp256k1 identity PEM files without requiring dfx.
+ * Uses Node.js built-in crypto module to produce the same SEC1 PEM format that dfx generates.
+ *
+ * Usage:
+ *   zcloak-ai identity generate [--output=<path>] [--force]
+ *       Generate a new secp256k1 private key PEM file.
+ *       Default output: ~/.config/dfx/identity/default/identity.pem
+ *       Use --force to overwrite an existing file.
+ *
+ *   zcloak-ai identity show
+ *       Print the PEM path and principal ID of the current identity.
+ */
+import { Session } from './session';
+/**
+ * Entry point when invoked via cli.ts.
+ * Receives a Session instance with pre-parsed arguments.
+ */
+export declare function run(session: Session): void;
+//# sourceMappingURL=identity_cmd.d.ts.map

package/dist/identity_cmd.js

@@ -0,0 +1,136 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * zCloak.ai Identity Key Management Script
+ *
+ * Generates and inspects ECDSA secp256k1 identity PEM files without requiring dfx.
+ * Uses Node.js built-in crypto module to produce the same SEC1 PEM format that dfx generates.
+ *
+ * Usage:
+ *   zcloak-ai identity generate [--output=<path>] [--force]
+ *       Generate a new secp256k1 private key PEM file.
+ *       Default output: ~/.config/dfx/identity/default/identity.pem
+ *       Use --force to overwrite an existing file.
+ *
+ *   zcloak-ai identity show
+ *       Print the PEM path and principal ID of the current identity.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.run = run;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const crypto_1 = require("crypto");
+const identity_1 = require("./identity");
+// ========== Help ==========
+function showHelp() {
+    console.log('zCloak.ai Identity Key Management');
+    console.log('');
+    console.log('Usage:');
+    console.log('  zcloak-ai identity generate [--output=<path>] [--force]');
+    console.log('      Generate a new ECDSA secp256k1 PEM key file (no dfx required)');
+    console.log('      Default path: ~/.config/dfx/identity/default/identity.pem');
+    console.log('');
+    console.log('  zcloak-ai identity show');
+    console.log('      Print PEM file path and principal ID of the current identity');
+    console.log('');
+    console.log('Options:');
+    console.log('  --output=<path>    Custom output path for the generated PEM file');
+    console.log('  --force            Overwrite existing PEM file without error');
+    console.log('  --identity=<path>  Use a specific identity PEM (for "show" command)');
+    console.log('');
+    console.log('Examples:');
+    console.log('  zcloak-ai identity generate');
+    console.log('  zcloak-ai identity generate --output=./my-agent.pem');
+    console.log('  zcloak-ai identity generate --force');
+    console.log('  zcloak-ai identity show');
+    console.log('  zcloak-ai identity show --identity=./my-agent.pem');
+}
+// ========== Commands ==========
+/**
+ * Generate a new ECDSA secp256k1 PEM file.
+ *
+ * Node.js `generateKeyPairSync('ec', { namedCurve: 'secp256k1' })` produces an EC key
+ * with OID 1.3.132.0.10 (secp256k1). Exporting with `{ type: 'sec1', format: 'pem' }`
+ * yields the RFC 5915 SEC1 format:
+ *
+ *   -----BEGIN EC PRIVATE KEY-----
+ *   <base64 DER: SEQUENCE { version INTEGER(1), privateKey OCTET STRING(32), [OID], [pubkey] }>
+ *   -----END EC PRIVATE KEY-----
+ *
+ * This is byte-for-byte identical to what `dfx identity new` generates and is directly
+ * loadable by Secp256k1KeyIdentity.fromPem().
+ */
+function cmdGenerate(args) {
+    // Determine output path: --output flag or dfx default
+    const outputRaw = args['output'];
+    const outputPath = typeof outputRaw === 'string'
+        ? path_1.default.resolve(outputRaw)
+        : identity_1.DEFAULT_PEM_PATH;
+    // Safety check: refuse to overwrite without --force
+    if (fs_1.default.existsSync(outputPath) && !args['force']) {
+        console.error(`Error: PEM file already exists: ${outputPath}`);
+        console.error('Use --force to overwrite.');
+        process.exit(1);
+    }
+    // Ensure parent directory exists
+    const dir = path_1.default.dirname(outputPath);
+    if (!fs_1.default.existsSync(dir)) {
+        fs_1.default.mkdirSync(dir, { recursive: true });
+    }
+    // Generate EC key pair and export as SEC1 PEM (same format as dfx)
+    const { privateKey } = (0, crypto_1.generateKeyPairSync)('ec', { namedCurve: 'secp256k1' });
+    const pem = privateKey.export({ type: 'sec1', format: 'pem' });
+    // Write with owner-only permissions (0600), matching how dfx stores identity files
+    fs_1.default.writeFileSync(outputPath, pem, { mode: 0o600 });
+    console.log(`Identity PEM generated: ${outputPath}`);
+    // Derive and display the Principal from the newly written file so the user
+    // can verify immediately. We use loadIdentityFromPath() to bypass the global
+    // argv / cache lookup — no process.argv mutation needed.
+    const identity = (0, identity_1.loadIdentityFromPath)(outputPath);
+    console.log(`Principal ID:          ${identity.getPrincipal().toText()}`);
+}
+/**
+ * Print the PEM path and principal ID of the current identity.
+ * Uses session to resolve PEM path and principal from the argv-based context.
+ */
+function cmdShow(session) {
+    const pemPath = session.getPemPath();
+    const principal = session.getPrincipal();
+    console.log(`PEM file:     ${pemPath}`);
+    console.log(`Principal ID: ${principal}`);
+}
+// ========== Exported run() — called by cli.ts ==========
+/**
+ * Entry point when invoked via cli.ts.
+ * Receives a Session instance with pre-parsed arguments.
+ */
+function run(session) {
+    const args = session.args;
+    const cmd = args._args[0];
+    if (!cmd || cmd === '--help' || cmd === '-h') {
+        showHelp();
+        process.exit(0);
+    }
+    try {
+        switch (cmd) {
+            case 'generate':
+                cmdGenerate(args);
+                break;
+            case 'show':
+                cmdShow(session);
+                break;
+            default:
+                console.error(`Unknown command: ${cmd}`);
+                console.error('Run "zcloak-ai identity" for help.');
+                process.exit(1);
+        }
+    }
+    catch (err) {
+        console.error(`Operation failed: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=identity_cmd.js.map

package/dist/identity_cmd.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity_cmd.js","sourceRoot":"","sources":["../src/identity_cmd.ts"],"names":[],"mappings":";;AACA;;;;;;;;;;;;;;GAcG;;;;;AAwGH,kBA0BC;AAhID,4CAAoB;AACpB,gDAAwB;AACxB,mCAA6C;AAC7C,yCAAoE;AAIpE,6BAA6B;AAE7B,SAAS,QAAQ;IACf,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;IACnF,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACxB,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;IAC9E,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;IACrF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;AACrE,CAAC;AAED,iCAAiC;AAEjC;;;;;;;;;;;;;GAaG;AACH,SAAS,WAAW,CAAC,IAAgB;IACnC,sDAAsD;IACtD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,UAAU,GAAG,OAAO,SAAS,KAAK,QAAQ;QAC9C,CAAC,CAAC,cAAI,CAAC,OAAO,CAAC,SAAS,CAAC;QACzB,CAAC,CAAC,2BAAgB,CAAC;IAErB,oDAAoD;IACpD,IAAI,YAAE,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,KAAK,CAAC,mCAAmC,UAAU,EAAE,CAAC,CAAC;QAC/D,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,iCAAiC;IACjC,MAAM,GAAG,GAAG,cAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACrC,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,YAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,mEAAmE;IACnE,MAAM,EAAE,UAAU,EAAE,GAAG,IAAA,4BAAmB,EAAC,IAAI,EAAE,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IAEzE,mFAAmF;IACnF,YAAE,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEnD,OAAO,CAAC,GAAG,CAAC,2BAA2B,UAAU,EAAE,CAAC,CAAC;IAErD,2EAA2E;IAC3E,6EAA6E;IAC7E,yDAAyD;IACzD,MAAM,QAAQ,GAAG,IAAA,+BAAoB,EAAC,UAAU,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,0BAA0B,QAAQ,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED;;;GAGG;AACH,SAAS,OAAO,CAAC,OAAgB;IAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,iBAAiB,SAAS,EAAE,CAAC,CAAC;AAC5C,CAAC;AAED,0DAA0D;AAE1D;;;GAGG;AACH,SAAgB,GAAG,CAAC,OAAgB;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE1B,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC7C,QAAQ,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,UAAU;gBACb,WAAW,CAAC,IAAI,CAAC,CAAC;gBAClB,MAAM;YACR,KAAK,MAAM;gBACT,OAAO,CAAC,OAAO,CAAC,CAAC;gBACjB,MAAM;YACR;gBACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,GAAG,EAAE,CAAC,CAAC;gBACzC,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/idl.d.ts

@@ -0,0 +1,99 @@
+/**
+ * zCloak.ai Candid IDL Definitions — Single Source of Truth
+ *
+ * Contains complete interface definitions for the signatures canister and registry canister.
+ * TypeScript type interfaces in types/sign-event.ts and types/registry.ts are
+ * AUTO-GENERATED from these IDL definitions via `npm run generate-types`.
+ *
+ * When the canister API changes:
+ *   1. Update the IDL definitions in this file
+ *   2. Run `npm run generate-types` to regenerate TS types
+ *   3. Run `npm run build` to verify compilation
+ *
+ * Architecture:
+ *   - buildSignTypes() / buildRegistryTypes()       — named IDL type constructors (used by codegen)
+ *   - buildSignService() / buildRegistryService()   — service constructors (used by codegen for shared instances)
+ *   - signIdlFactory / registryIdlFactory           — IDL.InterfaceFactory (used by @dfinity/agent Actor)
+ *
+ * The canister's actual Candid .did schema is the upstream source; this file is derived from
+ * skill.md documentation and verified against actual canister responses.
+ */
+import { IDL } from '@dfinity/candid';
+/**
+ * Build named IDL types for the signatures canister.
+ * Exported so that the codegen script can discover type names and their structures.
+ *
+ * @param I - The IDL module (passed through to allow use in both factory and codegen contexts)
+ */
+export declare function buildSignTypes(I: typeof IDL): {
+    SignEvent: IDL.RecordClass;
+    SignParm: IDL.VariantClass;
+    DecryptionPackage: IDL.RecordClass;
+};
+/**
+ * Build the signatures canister service, reusing pre-built named types.
+ * Exported for codegen to share type instances with the name registry.
+ *
+ * @param I     - The IDL module
+ * @param types - Named types from buildSignTypes() (same instances used in the registry)
+ */
+export declare function buildSignService(I: typeof IDL, types: ReturnType<typeof buildSignTypes>): IDL.ServiceClass<string, {
+    agent_sign: IDL.FuncClass<[IDL.VariantClass, IDL.TextClass], [IDL.VariantClass]>;
+    sign: IDL.FuncClass<[IDL.VariantClass], [IDL.RecordClass]>;
+    mcp_sign: IDL.FuncClass<[IDL.PrincipalClass, IDL.VariantClass], [IDL.RecordClass]>;
+    get_ibe_public_key: IDL.FuncClass<[], [IDL.VecClass<number | bigint>]>;
+    get_kind5_decryption_key: IDL.FuncClass<[IDL.TextClass, IDL.VecClass<number | bigint>], [IDL.RecordClass]>;
+    derive_vetkey: IDL.FuncClass<[IDL.TextClass, IDL.VecClass<number | bigint>], [IDL.VecClass<number | bigint>]>;
+    get_counter: IDL.FuncClass<[], [IDL.FixedNatClass]>;
+    fetch_events_by_counter: IDL.FuncClass<[IDL.FixedNatClass, IDL.FixedNatClass], [IDL.VecClass<Record<string, any>>]>;
+    get_all_sign_events: IDL.FuncClass<[], [IDL.VecClass<Record<string, any>>]>;
+    fetch_user_sign: IDL.FuncClass<[IDL.PrincipalClass, IDL.FixedNatClass, IDL.FixedNatClass], [IDL.FixedNatClass, IDL.VecClass<Record<string, any>>]>;
+    get_user_latest_sign_event_id: IDL.FuncClass<[IDL.PrincipalClass], [IDL.TextClass]>;
+    verify_message: IDL.FuncClass<[IDL.TextClass], [IDL.VecClass<Record<string, any>>]>;
+    verify_msg_hash: IDL.FuncClass<[IDL.TextClass], [IDL.VecClass<Record<string, any>>]>;
+    verify_file_hash: IDL.FuncClass<[IDL.TextClass], [IDL.VecClass<Record<string, any>>]>;
+    get_sign_event_by_id: IDL.FuncClass<[IDL.TextClass], [IDL.OptClass<Record<string, any>>]>;
+    get_kind1_event_by_principal: IDL.FuncClass<[IDL.TextClass], [IDL.OptClass<Record<string, any>>]>;
+    greet: IDL.FuncClass<[IDL.TextClass], [IDL.TextClass]>;
+}>;
+/**
+ * Signatures canister IDL factory (standard @dfinity/agent interface)
+ * Canister ID: zpbbm-piaaa-aaaaj-a3dsq-cai
+ */
+export declare const signIdlFactory: IDL.InterfaceFactory;
+/**
+ * Build named IDL types for the registry canister.
+ * Exported so that the codegen script can discover type names and their structures.
+ *
+ * @param I - The IDL module
+ */
+export declare function buildRegistryTypes(I: typeof IDL): {
+    Position: IDL.RecordClass;
+    AiProfile: IDL.RecordClass;
+    UserProfile: IDL.RecordClass;
+    RegisterResult: IDL.RecordClass;
+    TwoFARecord: IDL.RecordClass;
+};
+/**
+ * Build the registry canister service, reusing pre-built named types.
+ * Exported for codegen to share type instances with the name registry.
+ *
+ * @param I     - The IDL module
+ * @param types - Named types from buildRegistryTypes() (same instances used in the registry)
+ */
+export declare function buildRegistryService(I: typeof IDL, types: ReturnType<typeof buildRegistryTypes>): IDL.ServiceClass<string, {
+    get_username_by_principal: IDL.FuncClass<[IDL.TextClass], [IDL.OptClass<string>]>;
+    get_user_principal: IDL.FuncClass<[IDL.TextClass], [IDL.OptClass<import("@dfinity/principal").Principal>]>;
+    user_profile_get: IDL.FuncClass<[IDL.TextClass], [IDL.OptClass<Record<string, any>>]>;
+    user_profile_get_by_principal: IDL.FuncClass<[IDL.TextClass], [IDL.OptClass<Record<string, any>>]>;
+    register_agent: IDL.FuncClass<[IDL.TextClass], [IDL.VariantClass]>;
+    agent_prepare_bond: IDL.FuncClass<[IDL.TextClass], [IDL.VariantClass]>;
+    prepare_2fa_info: IDL.FuncClass<[IDL.TextClass], [IDL.VariantClass]>;
+    query_2fa_result_by_challenge: IDL.FuncClass<[IDL.TextClass], [IDL.OptClass<Record<string, any>>]>;
+}>;
+/**
+ * Registry canister IDL factory (standard @dfinity/agent interface)
+ * Canister ID: 3spie-caaaa-aaaam-ae3sa-cai
+ */
+export declare const registryIdlFactory: IDL.InterfaceFactory;
+//# sourceMappingURL=idl.d.ts.map