@zcloak/ai-agent 1.0.0

package/dist/serve.js

@@ -0,0 +1,455 @@
+"use strict";
+/**
+ * Daemon Serve — JSON-RPC over Unix Domain Socket or stdin/stdout
+ *
+ * Two operational modes:
+ *
+ * 1. UDS mode (default): Unix Domain Socket listener, supports concurrent clients.
+ *    The daemon creates a socket file and listens for connections. Each client
+ *    connection is handled independently. "quit" closes the connection;
+ *    "shutdown" stops the entire daemon.
+ *
+ * 2. Stdio mode (--stdio): Legacy stdin/stdout mode, single client.
+ *    Backwards-compatible with the Rust implementation. Reads JSON-RPC from
+ *    stdin and writes responses to stdout. "quit" stops the daemon.
+ *
+ * Both modes share the same request handling logic (handleRequest).
+ *
+ * Trust model:
+ *   - The daemon trusts its callers (local AI agent processes or socket clients).
+ *   - File paths in encrypt/decrypt requests are not sandboxed — the daemon
+ *     operates with the same filesystem permissions as the calling process.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runDaemonUds = runDaemonUds;
+exports.runDaemonStdio = runDaemonStdio;
+const net_1 = require("net");
+const readline_1 = require("readline");
+const fs_1 = require("fs");
+const daemon_1 = require("./daemon");
+const rpc_1 = require("./rpc");
+/** Maximum data size for encrypt/decrypt operations (1 GB) */
+const MAX_DATA_SIZE = 1024 * 1024 * 1024;
+/**
+ * Handle a single JSON-RPC request line.
+ *
+ * Dispatches to the appropriate handler based on the method name.
+ * Returns a response and an action indicating what to do next.
+ */
+function handleRequest(req, keyStore, principal, startedAt, mode, sockPath) {
+    const { id, method } = req;
+    switch (method) {
+        case "encrypt": {
+            const result = handleEncrypt(req.params, keyStore);
+            if ("error" in result) {
+                return { response: (0, rpc_1.errorResponse)(id, result.error), action: "continue" };
+            }
+            return { response: (0, rpc_1.successResponse)(id, result), action: "continue" };
+        }
+        case "decrypt": {
+            const result = handleDecrypt(req.params, keyStore);
+            if ("error" in result) {
+                return { response: (0, rpc_1.errorResponse)(id, result.error), action: "continue" };
+            }
+            return { response: (0, rpc_1.successResponse)(id, result), action: "continue" };
+        }
+        case "status": {
+            const status = {
+                status: "running",
+                derivation_id: keyStore.derivationId,
+                principal,
+                started_at: startedAt,
+                mode,
+                socket_path: sockPath,
+            };
+            return { response: (0, rpc_1.successResponse)(id, status), action: "continue" };
+        }
+        case "quit":
+            // In stdio mode: quit stops the daemon. In UDS mode: quit closes the connection.
+            return {
+                response: (0, rpc_1.successResponse)(id, { message: mode === "stdio" ? "Shutting down, key zeroized" : "Connection closed" }),
+                action: mode === "stdio" ? "shutdown" : "quit",
+            };
+        case "shutdown":
+            // Stop the entire daemon (both modes)
+            return {
+                response: (0, rpc_1.successResponse)(id, { message: "Shutting down, key zeroized" }),
+                action: "shutdown",
+            };
+        default:
+            return {
+                response: (0, rpc_1.errorResponse)(id, `Unknown method '${method}'. Supported: encrypt, decrypt, status, quit, shutdown`),
+                action: "continue",
+            };
+    }
+}
+// ============================================================================
+// Encrypt / Decrypt Handlers
+// ============================================================================
+/**
+ * Handle the "encrypt" method.
+ * Supports file mode (input_file + output_file) and inline mode (data_base64).
+ */
+function handleEncrypt(params, keyStore) {
+    if (!params)
+        return { error: "Missing encrypt params" };
+    if (params.input_file && params.data_base64) {
+        return { error: "Cannot specify both input_file and data_base64" };
+    }
+    if (params.input_file) {
+        // File mode
+        if (!params.output_file) {
+            return { error: "output_file is required in file mode" };
+        }
+        const readResult = readFileChecked(params.input_file);
+        if ("error" in readResult)
+            return readResult;
+        const plaintext = readResult;
+        const plaintextSize = plaintext.length;
+        let ciphertext;
+        try {
+            ciphertext = keyStore.encrypt(plaintext);
+        }
+        catch (e) {
+            return { error: `Encryption failed: ${e instanceof Error ? e.message : String(e)}` };
+        }
+        try {
+            (0, fs_1.writeFileSync)(params.output_file, ciphertext);
+        }
+        catch (e) {
+            return { error: `Failed to write '${params.output_file}': ${e instanceof Error ? e.message : String(e)}` };
+        }
+        return {
+            output_file: params.output_file,
+            plaintext_size: plaintextSize,
+            ciphertext_size: ciphertext.length,
+        };
+    }
+    if (params.data_base64) {
+        // Inline mode — check size before decoding
+        if (params.data_base64.length > MAX_DATA_SIZE * 4 / 3 + 4) {
+            return {
+                error: `data_base64 too large: ${params.data_base64.length} chars (decoded would exceed ${MAX_DATA_SIZE} byte limit)`,
+            };
+        }
+        let plaintext;
+        try {
+            plaintext = Buffer.from(params.data_base64, "base64");
+        }
+        catch (e) {
+            return { error: `Invalid base64 input: ${e instanceof Error ? e.message : String(e)}` };
+        }
+        const plaintextSize = plaintext.length;
+        let ciphertext;
+        try {
+            ciphertext = keyStore.encrypt(plaintext);
+        }
+        catch (e) {
+            return { error: `Encryption failed: ${e instanceof Error ? e.message : String(e)}` };
+        }
+        return {
+            data_base64: ciphertext.toString("base64"),
+            plaintext_size: plaintextSize,
+            ciphertext_size: ciphertext.length,
+        };
+    }
+    return { error: "Either input_file or data_base64 must be provided" };
+}
+/**
+ * Handle the "decrypt" method.
+ * Supports file mode (input_file + output_file) and inline mode (data_base64).
+ */
+function handleDecrypt(params, keyStore) {
+    if (!params)
+        return { error: "Missing decrypt params" };
+    if (params.input_file && params.data_base64) {
+        return { error: "Cannot specify both input_file and data_base64" };
+    }
+    if (params.input_file) {
+        // File mode
+        if (!params.output_file) {
+            return { error: "output_file is required in file mode" };
+        }
+        const readResult = readFileChecked(params.input_file);
+        if ("error" in readResult)
+            return readResult;
+        const ciphertext = readResult;
+        let plaintext;
+        try {
+            plaintext = keyStore.decrypt(ciphertext);
+        }
+        catch (e) {
+            return { error: `Decryption failed: ${e instanceof Error ? e.message : String(e)}` };
+        }
+        try {
+            (0, fs_1.writeFileSync)(params.output_file, plaintext);
+        }
+        catch (e) {
+            return { error: `Failed to write '${params.output_file}': ${e instanceof Error ? e.message : String(e)}` };
+        }
+        return {
+            output_file: params.output_file,
+            plaintext_size: plaintext.length,
+        };
+    }
+    if (params.data_base64) {
+        // Inline mode
+        if (params.data_base64.length > MAX_DATA_SIZE * 4 / 3 + 4) {
+            return {
+                error: `data_base64 too large: ${params.data_base64.length} chars (decoded would exceed ${MAX_DATA_SIZE} byte limit)`,
+            };
+        }
+        let ciphertext;
+        try {
+            ciphertext = Buffer.from(params.data_base64, "base64");
+        }
+        catch (e) {
+            return { error: `Invalid base64 input: ${e instanceof Error ? e.message : String(e)}` };
+        }
+        let plaintext;
+        try {
+            plaintext = keyStore.decrypt(ciphertext);
+        }
+        catch (e) {
+            return { error: `Decryption failed: ${e instanceof Error ? e.message : String(e)}` };
+        }
+        return {
+            data_base64: plaintext.toString("base64"),
+            plaintext_size: plaintext.length,
+        };
+    }
+    return { error: "Either input_file or data_base64 must be provided" };
+}
+/**
+ * Read a file with size validation to limit memory usage.
+ * Rejects files larger than MAX_DATA_SIZE and non-regular files.
+ */
+function readFileChecked(filePath) {
+    try {
+        const stat = (0, fs_1.statSync)(filePath);
+        if (!stat.isFile()) {
+            return { error: `'${filePath}' is not a regular file (refusing to read devices/pipes/sockets)` };
+        }
+        if (stat.size > MAX_DATA_SIZE) {
+            return { error: `File '${filePath}' is too large: ${stat.size} bytes (max ${MAX_DATA_SIZE} bytes)` };
+        }
+        return (0, fs_1.readFileSync)(filePath);
+    }
+    catch (e) {
+        return { error: `Cannot read '${filePath}': ${e instanceof Error ? e.message : String(e)}` };
+    }
+}
+// ============================================================================
+// UDS Mode (Default)
+// ============================================================================
+/**
+ * Run the JSON-RPC daemon over a Unix Domain Socket.
+ *
+ * Lifecycle:
+ *   1. Create DaemonRuntime (PID file, socket path)
+ *   2. Create server and listen on socket
+ *   3. Emit ready info to stderr
+ *   4. Accept connections, handle requests concurrently
+ *   5. On shutdown signal: stop accepting, close connections, cleanup
+ *
+ * @param keyStore - AES-256 key holder
+ * @param principal - Authenticated principal text
+ * @param derivationId - Derivation ID used for the key
+ */
+function runDaemonUds(keyStore, principal, derivationId) {
+    return new Promise((resolve, reject) => {
+        // Step 1: Create daemon runtime (PID file, socket setup)
+        const runtime = daemon_1.DaemonRuntime.create(derivationId);
+        const startedAt = new Date().toISOString();
+        const sockPath = runtime.socketFilePath;
+        // Track active connections for graceful shutdown
+        const activeConnections = new Set();
+        // Step 2: Create server
+        const server = (0, net_1.createServer)((conn) => {
+            activeConnections.add(conn);
+            conn.on("close", () => {
+                activeConnections.delete(conn);
+            });
+            // Handle each connection with line-based JSON-RPC
+            const rl = (0, readline_1.createInterface)({ input: conn });
+            rl.on("line", (line) => {
+                if (!line.trim())
+                    return; // Skip blank lines
+                // Parse the request
+                const parsed = (0, rpc_1.parseRpcRequest)(line);
+                if ((0, rpc_1.isErrorResponse)(parsed)) {
+                    // Parse error — send error response
+                    writeLine(conn, JSON.stringify(parsed));
+                    return;
+                }
+                // Handle the request
+                const { response, action } = handleRequest(parsed, keyStore, principal, startedAt, "uds", sockPath);
+                writeLine(conn, JSON.stringify(response));
+                if (action === "quit") {
+                    // Close this connection only
+                    conn.end();
+                }
+                else if (action === "shutdown") {
+                    // Stop the entire daemon
+                    initiateShutdown();
+                }
+            });
+            rl.on("close", () => {
+                conn.end();
+            });
+            conn.on("error", () => {
+                // Client disconnected unexpectedly — just clean up
+                activeConnections.delete(conn);
+            });
+        });
+        // Step 3: Listen on socket
+        server.listen(sockPath, () => {
+            // Emit ready info to stderr
+            console.error(`Daemon ready. Socket: ${sockPath}`);
+            console.error(`Derivation ID: ${derivationId}`);
+            console.error(`Principal: ${principal}`);
+        });
+        server.on("error", (err) => {
+            runtime.destroy();
+            reject(err);
+        });
+        // Step 4: Signal handling — store references for cleanup in finishShutdown()
+        const onSigterm = () => { console.error("Received SIGTERM, initiating graceful shutdown..."); initiateShutdown(); };
+        const onSigint = () => { console.error("Received SIGINT, initiating graceful shutdown..."); initiateShutdown(); };
+        // SIGHUP: terminal hangup — gracefully shut down instead of crashing
+        const onSighup = () => { console.error("Received SIGHUP, initiating graceful shutdown..."); initiateShutdown(); };
+        process.on("SIGTERM", onSigterm);
+        process.on("SIGINT", onSigint);
+        process.on("SIGHUP", onSighup);
+        // Catch uncaught exceptions / unhandled rejections to ensure key zeroization
+        // and PID file cleanup even on unexpected errors.
+        const onUncaughtException = (err) => {
+            console.error(`Uncaught exception in daemon: ${err.message}`);
+            console.error(err.stack);
+            initiateShutdown();
+        };
+        const onUnhandledRejection = (reason) => {
+            console.error(`Unhandled rejection in daemon: ${reason}`);
+            initiateShutdown();
+        };
+        process.on("uncaughtException", onUncaughtException);
+        process.on("unhandledRejection", onUnhandledRejection);
+        // Shutdown procedure
+        let shuttingDown = false;
+        function initiateShutdown() {
+            if (shuttingDown)
+                return;
+            shuttingDown = true;
+            // Stop accepting new connections
+            server.close();
+            // Close all active connections
+            for (const conn of activeConnections) {
+                conn.end();
+            }
+            // Wait a moment for connections to close, then force cleanup
+            const forceTimer = setTimeout(() => {
+                for (const conn of activeConnections) {
+                    conn.destroy();
+                }
+                finishShutdown();
+            }, 3000); // 3 second grace period
+            // If all connections close before timeout, finish immediately
+            const checkDone = setInterval(() => {
+                if (activeConnections.size === 0) {
+                    clearInterval(checkDone);
+                    clearTimeout(forceTimer);
+                    finishShutdown();
+                }
+            }, 100);
+        }
+        let finished = false;
+        function finishShutdown() {
+            if (finished)
+                return;
+            finished = true;
+            // Remove all process-level event listeners to prevent leaks
+            process.removeListener("SIGTERM", onSigterm);
+            process.removeListener("SIGINT", onSigint);
+            process.removeListener("SIGHUP", onSighup);
+            process.removeListener("uncaughtException", onUncaughtException);
+            process.removeListener("unhandledRejection", onUnhandledRejection);
+            // Cleanup: destroy key, remove files
+            keyStore.destroy();
+            runtime.destroy();
+            console.error("Daemon stopped. Key has been zeroized.");
+            resolve();
+        }
+    });
+}
+// ============================================================================
+// Stdio Mode (Legacy, --stdio)
+// ============================================================================
+/**
+ * Run the JSON-RPC daemon over stdin/stdout (legacy mode).
+ *
+ * Reads one JSON-RPC request per line from stdin, processes it,
+ * and writes the response to stdout. Exits on "quit" or stdin EOF.
+ *
+ * This mode is backwards-compatible with the Rust vetkey-tool implementation.
+ * No PID file or socket file is created.
+ *
+ * @param keyStore - AES-256 key holder (consumed; destroyed on exit)
+ * @param principal - Authenticated principal text
+ * @param derivationId - Derivation ID used for the key
+ * @param input - Optional input stream (defaults to process.stdin, override for testing)
+ * @param output - Optional output stream (defaults to process.stdout, override for testing)
+ */
+function runDaemonStdio(keyStore, principal, derivationId, input, output) {
+    return new Promise((resolve) => {
+        const stdin = input ?? process.stdin;
+        const stdout = output ?? process.stdout;
+        const startedAt = new Date().toISOString();
+        // Emit ready signal to stdout (same format as Rust version)
+        const readyMsg = JSON.stringify({
+            ready: true,
+            derivation_id: derivationId,
+            principal,
+            started_at: startedAt,
+        });
+        stdout.write(readyMsg + "\n");
+        // Read input line by line
+        const rl = (0, readline_1.createInterface)({ input: stdin });
+        rl.on("line", (line) => {
+            if (!line.trim())
+                return; // Skip blank lines
+            // Parse the request
+            const parsed = (0, rpc_1.parseRpcRequest)(line);
+            if ((0, rpc_1.isErrorResponse)(parsed)) {
+                stdout.write(JSON.stringify(parsed) + "\n");
+                return;
+            }
+            // Handle the request
+            const { response, action } = handleRequest(parsed, keyStore, principal, startedAt, "stdio");
+            stdout.write(JSON.stringify(response) + "\n");
+            if (action === "shutdown" || action === "quit") {
+                // In stdio mode, both quit and shutdown stop the daemon
+                rl.close();
+                keyStore.destroy();
+                resolve();
+            }
+        });
+        // stdin EOF — daemon exits
+        rl.on("close", () => {
+            keyStore.destroy();
+            resolve();
+        });
+    });
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+/** Write a line to a socket, handling write errors gracefully */
+function writeLine(socket, line) {
+    try {
+        socket.write(line + "\n");
+    }
+    catch {
+        // Socket may have been closed — ignore write errors
+    }
+}
+//# sourceMappingURL=serve.js.map

package/dist/serve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serve.js","sourceRoot":"","sources":["../src/serve.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;;AA4SH,oCA+JC;AAqBD,wCA2DC;AAzhBD,6BAAgD;AAChD,uCAA2C;AAC3C,2BAA2D;AAG3D,qCAAyC;AACzC,+BAYe;AAEf,8DAA8D;AAC9D,MAAM,aAAa,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;AAazC;;;;;GAKG;AACH,SAAS,aAAa,CACpB,GAAe,EACf,QAAkB,EAClB,SAAiB,EACjB,SAAiB,EACjB,IAAqB,EACrB,QAAiB;IAEjB,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAE3B,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,MAAmC,EAAE,QAAQ,CAAC,CAAC;YAChF,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;gBACtB,OAAO,EAAE,QAAQ,EAAE,IAAA,mBAAa,EAAC,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;YAC3E,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,IAAA,qBAAe,EAAC,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QACvE,CAAC;QAED,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,MAAmC,EAAE,QAAQ,CAAC,CAAC;YAChF,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;gBACtB,OAAO,EAAE,QAAQ,EAAE,IAAA,mBAAa,EAAC,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;YAC3E,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,IAAA,qBAAe,EAAC,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QACvE,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,MAAM,GAAiB;gBAC3B,MAAM,EAAE,SAAS;gBACjB,aAAa,EAAE,QAAQ,CAAC,YAAY;gBACpC,SAAS;gBACT,UAAU,EAAE,SAAS;gBACrB,IAAI;gBACJ,WAAW,EAAE,QAAQ;aACtB,CAAC;YACF,OAAO,EAAE,QAAQ,EAAE,IAAA,qBAAe,EAAC,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QACvE,CAAC;QAED,KAAK,MAAM;YACT,iFAAiF;YACjF,OAAO;gBACL,QAAQ,EAAE,IAAA,qBAAe,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,mBAAmB,EAAE,CAAC;gBAClH,MAAM,EAAE,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;aAC/C,CAAC;QAEJ,KAAK,UAAU;YACb,sCAAsC;YACtC,OAAO;gBACL,QAAQ,EAAE,IAAA,qBAAe,EAAC,EAAE,EAAE,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;gBACzE,MAAM,EAAE,UAAU;aACnB,CAAC;QAEJ;YACE,OAAO;gBACL,QAAQ,EAAE,IAAA,mBAAa,EACrB,EAAE,EACF,mBAAmB,MAAM,wDAAwD,CAClF;gBACD,MAAM,EAAE,UAAU;aACnB,CAAC;IACN,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,6BAA6B;AAC7B,+EAA+E;AAE/E;;;GAGG;AACH,SAAS,aAAa,CACpB,MAAiC,EACjC,QAAkB;IAElB,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;IAExD,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,OAAO,EAAE,KAAK,EAAE,gDAAgD,EAAE,CAAC;IACrE,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,YAAY;QACZ,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,sCAAsC,EAAE,CAAC;QAC3D,CAAC;QAED,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,UAAU;YAAE,OAAO,UAAU,CAAC;QAC7C,MAAM,SAAS,GAAG,UAAU,CAAC;QAC7B,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC;QAEvC,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,sBAAsB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACvF,CAAC;QAED,IAAI,CAAC;YACH,IAAA,kBAAa,EAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,oBAAoB,MAAM,CAAC,WAAW,MAAM,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC7G,CAAC;QAED,OAAO;YACL,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,cAAc,EAAE,aAAa;YAC7B,eAAe,EAAE,UAAU,CAAC,MAAM;SACnC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,2CAA2C;QAC3C,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,aAAa,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1D,OAAO;gBACL,KAAK,EAAE,0BAA0B,MAAM,CAAC,WAAW,CAAC,MAAM,gCAAgC,aAAa,cAAc;aACtH,CAAC;QACJ,CAAC;QAED,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,yBAAyB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC1F,CAAC;QAED,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC;QAEvC,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,sBAAsB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACvF,CAAC;QAED,OAAO;YACL,WAAW,EAAE,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1C,cAAc,EAAE,aAAa;YAC7B,eAAe,EAAE,UAAU,CAAC,MAAM;SACnC,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,mDAAmD,EAAE,CAAC;AACxE,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CACpB,MAAiC,EACjC,QAAkB;IAElB,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;IAExD,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,OAAO,EAAE,KAAK,EAAE,gDAAgD,EAAE,CAAC;IACrE,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,YAAY;QACZ,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,sCAAsC,EAAE,CAAC;QAC3D,CAAC;QAED,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,UAAU;YAAE,OAAO,UAAU,CAAC;QAC7C,MAAM,UAAU,GAAG,UAAU,CAAC;QAE9B,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,sBAAsB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACvF,CAAC;QAED,IAAI,CAAC;YACH,IAAA,kBAAa,EAAC,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,oBAAoB,MAAM,CAAC,WAAW,MAAM,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC7G,CAAC;QAED,OAAO;YACL,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,cAAc,EAAE,SAAS,CAAC,MAAM;SACjC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,cAAc;QACd,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,aAAa,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1D,OAAO;gBACL,KAAK,EAAE,0BAA0B,MAAM,CAAC,WAAW,CAAC,MAAM,gCAAgC,aAAa,cAAc;aACtH,CAAC;QACJ,CAAC;QAED,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACzD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,yBAAyB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC1F,CAAC;QAED,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,sBAAsB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACvF,CAAC;QAED,OAAO;YACL,WAAW,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzC,cAAc,EAAE,SAAS,CAAC,MAAM;SACjC,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,mDAAmD,EAAE,CAAC;AACxE,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAA,aAAQ,EAAC,QAAQ,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnB,OAAO,EAAE,KAAK,EAAE,IAAI,QAAQ,kEAAkE,EAAE,CAAC;QACnG,CAAC;QACD,IAAI,IAAI,CAAC,IAAI,GAAG,aAAa,EAAE,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,SAAS,QAAQ,mBAAmB,IAAI,CAAC,IAAI,eAAe,aAAa,SAAS,EAAE,CAAC;QACvG,CAAC;QACD,OAAO,IAAA,iBAAY,EAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,KAAK,EAAE,gBAAgB,QAAQ,MAAM,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC/F,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;;;;;;;;;;;GAaG;AACH,SAAgB,YAAY,CAC1B,QAAkB,EAClB,SAAiB,EACjB,YAAoB;IAEpB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,yDAAyD;QACzD,MAAM,OAAO,GAAG,sBAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,QAAQ,GAAG,OAAO,CAAC,cAAc,CAAC;QAExC,iDAAiD;QACjD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAU,CAAC;QAE5C,wBAAwB;QACxB,MAAM,MAAM,GAAG,IAAA,kBAAY,EAAC,CAAC,IAAY,EAAE,EAAE;YAC3C,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAE5B,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBACpB,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC,CAAC,CAAC;YAEH,kDAAkD;YAClD,MAAM,EAAE,GAAG,IAAA,0BAAe,EAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAE5C,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBAC7B,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;oBAAE,OAAO,CAAC,mBAAmB;gBAE7C,oBAAoB;gBACpB,MAAM,MAAM,GAAG,IAAA,qBAAe,EAAC,IAAI,CAAC,CAAC;gBACrC,IAAI,IAAA,qBAAe,EAAC,MAAM,CAAC,EAAE,CAAC;oBAC5B,oCAAoC;oBACpC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;oBACxC,OAAO;gBACT,CAAC;gBAED,qBAAqB;gBACrB,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,aAAa,CACxC,MAAM,EACN,QAAQ,EACR,SAAS,EACT,SAAS,EACT,KAAK,EACL,QAAQ,CACT,CAAC;gBAEF,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAE1C,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;oBACtB,6BAA6B;oBAC7B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACb,CAAC;qBAAM,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;oBACjC,yBAAyB;oBACzB,gBAAgB,EAAE,CAAC;gBACrB,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBAClB,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBACpB,mDAAmD;gBACnD,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,2BAA2B;QAC3B,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE;YAC3B,4BAA4B;YAC5B,OAAO,CAAC,KAAK,CAAC,yBAAyB,QAAQ,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,KAAK,CAAC,kBAAkB,YAAY,EAAE,CAAC,CAAC;YAChD,OAAO,CAAC,KAAK,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,OAAO,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,6EAA6E;QAC7E,MAAM,SAAS,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,CAAC;QACpH,MAAM,QAAQ,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,CAAC;QAClH,qEAAqE;QACrE,MAAM,QAAQ,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,CAAC;QAElH,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QACjC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAE/B,6EAA6E;QAC7E,kDAAkD;QAClD,MAAM,mBAAmB,GAAG,CAAC,GAAU,EAAE,EAAE;YACzC,OAAO,CAAC,KAAK,CAAC,iCAAiC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YAC9D,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACzB,gBAAgB,EAAE,CAAC;QACrB,CAAC,CAAC;QACF,MAAM,oBAAoB,GAAG,CAAC,MAAe,EAAE,EAAE;YAC/C,OAAO,CAAC,KAAK,CAAC,kCAAkC,MAAM,EAAE,CAAC,CAAC;YAC1D,gBAAgB,EAAE,CAAC;QACrB,CAAC,CAAC;QAEF,OAAO,CAAC,EAAE,CAAC,mBAAmB,EAAE,mBAAmB,CAAC,CAAC;QACrD,OAAO,CAAC,EAAE,CAAC,oBAAoB,EAAE,oBAAoB,CAAC,CAAC;QAEvD,qBAAqB;QACrB,IAAI,YAAY,GAAG,KAAK,CAAC;QAEzB,SAAS,gBAAgB;YACvB,IAAI,YAAY;gBAAE,OAAO;YACzB,YAAY,GAAG,IAAI,CAAC;YAEpB,iCAAiC;YACjC,MAAM,CAAC,KAAK,EAAE,CAAC;YAEf,+BAA+B;YAC/B,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;gBACrC,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,CAAC;YAED,6DAA6D;YAC7D,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,EAAE;gBACjC,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;oBACrC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,CAAC;gBACD,cAAc,EAAE,CAAC;YACnB,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,wBAAwB;YAElC,8DAA8D;YAC9D,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE;gBACjC,IAAI,iBAAiB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;oBACjC,aAAa,CAAC,SAAS,CAAC,CAAC;oBACzB,YAAY,CAAC,UAAU,CAAC,CAAC;oBACzB,cAAc,EAAE,CAAC;gBACnB,CAAC;YACH,CAAC,EAAE,GAAG,CAAC,CAAC;QACV,CAAC;QAED,IAAI,QAAQ,GAAG,KAAK,CAAC;QAErB,SAAS,cAAc;YACrB,IAAI,QAAQ;gBAAE,OAAO;YACrB,QAAQ,GAAG,IAAI,CAAC;YAEhB,4DAA4D;YAC5D,OAAO,CAAC,cAAc,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAC7C,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC3C,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC3C,OAAO,CAAC,cAAc,CAAC,mBAAmB,EAAE,mBAAmB,CAAC,CAAC;YACjE,OAAO,CAAC,cAAc,CAAC,oBAAoB,EAAE,oBAAoB,CAAC,CAAC;YAEnE,qCAAqC;YACrC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO,CAAC,OAAO,EAAE,CAAC;YAElB,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;YACxD,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,SAAgB,cAAc,CAC5B,QAAkB,EAClB,SAAiB,EACjB,YAAoB,EACpB,KAAgB,EAChB,MAAiB;IAEjB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;QACnC,MAAM,KAAK,GAAG,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC;QACrC,MAAM,MAAM,GAAG,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;QACxC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE3C,4DAA4D;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;YAC9B,KAAK,EAAE,IAAI;YACX,aAAa,EAAE,YAAY;YAC3B,SAAS;YACT,UAAU,EAAE,SAAS;SACtB,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;QAE9B,0BAA0B;QAC1B,MAAM,EAAE,GAAG,IAAA,0BAAe,EAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QAE7C,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YAC7B,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBAAE,OAAO,CAAC,mBAAmB;YAE7C,oBAAoB;YACpB,MAAM,MAAM,GAAG,IAAA,qBAAe,EAAC,IAAI,CAAC,CAAC;YACrC,IAAI,IAAA,qBAAe,EAAC,MAAM,CAAC,EAAE,CAAC;gBAC5B,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;gBAC5C,OAAO;YACT,CAAC;YAED,qBAAqB;YACrB,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,aAAa,CACxC,MAAM,EACN,QAAQ,EACR,SAAS,EACT,SAAS,EACT,OAAO,CACR,CAAC;YAEF,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;YAE9C,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC/C,wDAAwD;gBACxD,EAAE,CAAC,KAAK,EAAE,CAAC;gBACX,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,2BAA2B;QAC3B,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClB,QAAQ,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,iEAAiE;AACjE,SAAS,SAAS,CAAC,MAAc,EAAE,IAAY;IAC7C,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;IACtD,CAAC;AACH,CAAC"}

package/dist/session.d.ts

@@ -0,0 +1,104 @@
+/**
+ * Session — Single CLI Invocation Context
+ *
+ * Replaces global mutable state (process.argv rewriting, module-level caches)
+ * with an explicit, per-invocation context object. All sub-scripts receive a
+ * Session instance instead of reading process.argv or relying on module singletons.
+ *
+ * Lifecycle:
+ *   1. cli.ts (or standalone script) creates a Session from argv
+ *   2. Session is passed to the sub-script's run() function
+ *   3. Sub-script uses session.getSignActor(), session.autoPoW(), etc.
+ *   4. Session is garbage-collected when the process exits
+ *
+ * Lazy initialization:
+ *   Identity, HttpAgent, and Actor instances are created on first use and cached
+ *   within the Session. This avoids unnecessary PEM reads or HTTP connections
+ *   for commands that don't need them (e.g. `doc hash`).
+ */
+import { HttpAgent, type ActorSubclass } from '@dfinity/agent';
+import type { Secp256k1KeyIdentity } from '@dfinity/identity-secp256k1';
+import type { Principal } from '@dfinity/principal';
+import type { SignService } from './types/sign-event';
+import type { RegistryService } from './types/registry';
+import type { ParsedArgs, AutoPowResult } from './types/common';
+import type { CanisterIds } from './types/config';
+/**
+ * Session encapsulates all state for a single CLI command invocation.
+ *
+ * It holds:
+ * - Parsed arguments and configuration (immutable after construction)
+ * - Lazy-loaded identity, HTTP agents, and canister actors (cached per session)
+ *
+ * This design eliminates:
+ * - process.argv rewriting in cli.ts
+ * - Module-level singleton caches (_identity, _authenticatedAgent, _anonymousAgent)
+ * - Implicit global state reads in domain functions
+ */
+export declare class Session {
+    /** Raw argv array (preserved for functions that need it, like getPemPath) */
+    private readonly _argv;
+    /** Parsed command-line arguments */
+    readonly args: ParsedArgs;
+    /** Canister IDs */
+    readonly canisterIds: CanisterIds;
+    private _identity;
+    private _authenticatedAgent;
+    private _anonymousAgent;
+    /**
+     * Create a new Session from a raw argv array.
+     *
+     * @param argv - Full argument array (same format as process.argv).
+     *               The first two elements (node binary, script path) are skipped
+     *               by parseArgs. Global options (--identity) are extracted
+     *               by getPemPath.
+     */
+    constructor(argv: string[]);
+    /**
+     * Get the resolved PEM file path for this session.
+     * Uses the same resolution priority as getIdentity():
+     *   --identity=<path> > ZCLOAK_IDENTITY env > dfx default location
+     */
+    getPemPath(): string;
+    /**
+     * Get the ECDSA secp256k1 identity for this session.
+     * Loaded from PEM file on first call, then cached.
+     *
+     * PEM path resolution: --identity=<path> > ZCLOAK_IDENTITY env > dfx default location
+     */
+    getIdentity(): Secp256k1KeyIdentity;
+    /** Get the current identity's Principal ID as text */
+    getPrincipal(): string;
+    /** Get the current identity's Principal object */
+    getPrincipalObj(): Principal;
+    /**
+     * Get an authenticated HttpAgent (with identity, for update calls).
+     * Created on first call, then cached for the session duration.
+     */
+    getAuthenticatedAgent(): Promise<HttpAgent>;
+    /**
+     * Get an anonymous HttpAgent (no identity, for query calls).
+     * Created on first call, then cached for the session duration.
+     */
+    getAnonymousAgent(): Promise<HttpAgent>;
+    /** Get authenticated signatures canister Actor (supports update calls) */
+    getSignActor(): Promise<ActorSubclass<SignService>>;
+    /** Get authenticated registry canister Actor (supports update calls) */
+    getRegistryActor(): Promise<ActorSubclass<RegistryService>>;
+    /** Get anonymous signatures canister Actor (query only) */
+    getAnonymousSignActor(): Promise<ActorSubclass<SignService>>;
+    /** Get anonymous registry canister Actor (query only) */
+    getAnonymousRegistryActor(): Promise<ActorSubclass<RegistryService>>;
+    /**
+     * Automatically fetch PoW base and compute nonce.
+     * Complete PoW flow: get latest sign event ID → compute nonce.
+     */
+    autoPoW(): Promise<AutoPowResult>;
+    /** Get the bind URL */
+    getBindUrl(): string;
+    /** Get the profile URL prefix */
+    getProfileUrl(): string;
+    /** Get the 2FA verification URL */
+    getTwoFAUrl(): string;
+}
+//# sourceMappingURL=session.d.ts.map