@zcloak/ai-agent 1.0.7 → 1.0.9

package/dist/identity.d.ts

@@ -1,35 +1,51 @@
 /**
  * zCloak.ai Identity Management Module
  *
- * Loads ECDSA secp256k1 identity from dfx-compatible PEM files for signing operations.
- * Replaces the original `dfx identity get-principal` and similar commands.
+ * Loads ECDSA secp256k1 identity from a zCloak-managed PEM file for signing operations.
  *
- * dfx generates EC PRIVATE KEY (SEC1/PKCS#1 format, OID 1.3.132.0.10 secp256k1),
- * which is handled by Secp256k1KeyIdentity from @dfinity/identity-secp256k1.
+ * The CLI uses a dedicated default path under ~/.config/zcloak/ai-id.pem rather than
+ * reusing dfx's default identity location. This keeps the agent identity stable and
+ * separate from any existing dfx identity the user may already have.
  *
  * PEM file location priority:
  *   1. --identity=<path> command line argument
- *   2. ZCLOAK_IDENTITY environment variable
- *   3. ~/.config/dfx/identity/default/identity.pem (dfx default location)
+ *   2. ~/.config/zcloak/ai-id.pem (zCloak default location, auto-created if missing)
  */
 import { Secp256k1KeyIdentity } from '@dfinity/identity-secp256k1';
 /**
- * dfx default identity PEM file path
- * Unified for macOS and Linux: ~/.config/dfx/identity/default/identity.pem
+ * zCloak default identity PEM file path
+ * Unified for macOS and Linux: ~/.config/zcloak/ai-id.pem
  */
 export declare const DEFAULT_PEM_PATH: string;
+/**
+ * Expand CLI paths like ~/foo.pem to an absolute path.
+ */
+export declare function resolveCliPath(rawPath: string): string;
+/**
+ * Ensure a PEM file exists at the requested path.
+ * If the file already exists, validate and reuse it unless force=true.
+ * If the file does not exist, create parent directories and generate a new key.
+ */
+export declare function ensureIdentityFile(pemPath: string, options?: {
+    force?: boolean;
+}): {
+    path: string;
+    created: boolean;
+};
 /**
  * Get PEM file path.
- * Searches by priority: --identity argument > environment variable > dfx default location.
+ * Searches by priority: --identity argument > zCloak default location.
+ * The zCloak default location is created automatically on first use.
  *
  * When called with an explicit argv array, uses that instead of process.argv.
  * This enables deterministic, testable behavior without global state dependency.
  *
- * @param argv - Optional explicit argument array (defaults to process.argv)
+  * @param argv - Optional explicit argument array (defaults to process.argv)
+ * @param defaultPemPath - Override for tests
  * @returns Absolute path to PEM file
- * @throws {Error} If no PEM file can be found or the specified path does not exist
+ * @throws {Error} If an explicitly specified path does not exist
  */
-export declare function getPemPath(argv?: string[]): string;
+export declare function getPemPath(argv?: string[], defaultPemPath?: string): string;
 /**
  * Load an ECDSA secp256k1 identity directly from a given PEM file path.
  *

package/dist/identity.js

@@ -1,66 +1,100 @@
 /**
  * zCloak.ai Identity Management Module
  *
- * Loads ECDSA secp256k1 identity from dfx-compatible PEM files for signing operations.
- * Replaces the original `dfx identity get-principal` and similar commands.
+ * Loads ECDSA secp256k1 identity from a zCloak-managed PEM file for signing operations.
  *
- * dfx generates EC PRIVATE KEY (SEC1/PKCS#1 format, OID 1.3.132.0.10 secp256k1),
- * which is handled by Secp256k1KeyIdentity from @dfinity/identity-secp256k1.
+ * The CLI uses a dedicated default path under ~/.config/zcloak/ai-id.pem rather than
+ * reusing dfx's default identity location. This keeps the agent identity stable and
+ * separate from any existing dfx identity the user may already have.
  *
  * PEM file location priority:
  *   1. --identity=<path> command line argument
- *   2. ZCLOAK_IDENTITY environment variable
- *   3. ~/.config/dfx/identity/default/identity.pem (dfx default location)
+ *   2. ~/.config/zcloak/ai-id.pem (zCloak default location, auto-created if missing)
  */
 import fs from 'fs';
 import path from 'path';
 import os from 'os';
+import { generateKeyPairSync } from 'crypto';
 import { Secp256k1KeyIdentity } from '@dfinity/identity-secp256k1';
 // ========== PEM File Lookup ==========
 /**
- * dfx default identity PEM file path
- * Unified for macOS and Linux: ~/.config/dfx/identity/default/identity.pem
+ * zCloak default identity PEM file path
+ * Unified for macOS and Linux: ~/.config/zcloak/ai-id.pem
  */
-export const DEFAULT_PEM_PATH = path.join(os.homedir(), '.config', 'dfx', 'identity', 'default', 'identity.pem');
+export const DEFAULT_PEM_PATH = path.join(os.homedir(), '.config', 'zcloak', 'ai-id.pem');
+/**
+ * Expand CLI paths like ~/foo.pem to an absolute path.
+ */
+export function resolveCliPath(rawPath) {
+    if (rawPath === '~') {
+        return os.homedir();
+    }
+    if (rawPath.startsWith(`~${path.sep}`)) {
+        return path.join(os.homedir(), rawPath.slice(2));
+    }
+    if (rawPath.startsWith('~/')) {
+        return path.join(os.homedir(), rawPath.slice(2));
+    }
+    return path.resolve(rawPath);
+}
+/**
+ * Ensure a PEM file exists at the requested path.
+ * If the file already exists, validate and reuse it unless force=true.
+ * If the file does not exist, create parent directories and generate a new key.
+ */
+export function ensureIdentityFile(pemPath, options) {
+    const resolved = resolveCliPath(pemPath);
+    const force = !!options?.force;
+    if (fs.existsSync(resolved) && !force) {
+        try {
+            loadIdentityFromPath(resolved);
+            return { path: resolved, created: false };
+        }
+        catch {
+            throw new Error(`Identity file exists but is not a valid PEM: ${resolved}`);
+        }
+    }
+    const dir = path.dirname(resolved);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    const { privateKey } = generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
+    const pem = privateKey.export({ type: 'sec1', format: 'pem' });
+    fs.writeFileSync(resolved, pem, { mode: 0o600 });
+    return { path: resolved, created: true };
+}
 /**
  * Get PEM file path.
- * Searches by priority: --identity argument > environment variable > dfx default location.
+ * Searches by priority: --identity argument > zCloak default location.
+ * The zCloak default location is created automatically on first use.
  *
  * When called with an explicit argv array, uses that instead of process.argv.
  * This enables deterministic, testable behavior without global state dependency.
  *
- * @param argv - Optional explicit argument array (defaults to process.argv)
+  * @param argv - Optional explicit argument array (defaults to process.argv)
+ * @param defaultPemPath - Override for tests
  * @returns Absolute path to PEM file
- * @throws {Error} If no PEM file can be found or the specified path does not exist
+ * @throws {Error} If an explicitly specified path does not exist
  */
-export function getPemPath(argv) {
+export function getPemPath(argv, defaultPemPath = DEFAULT_PEM_PATH) {
     const effectiveArgv = argv ?? process.argv;
+    const resolvedDefault = resolveCliPath(defaultPemPath);
     // 1. Get from --identity=<path> argument
     const identityArg = effectiveArgv.find(a => a.startsWith('--identity='));
     if (identityArg) {
         const p = identityArg.split('=').slice(1).join('='); // Support paths containing =
-        const resolved = path.resolve(p);
+        const resolved = resolveCliPath(p);
         if (!fs.existsSync(resolved)) {
+            if (resolved === resolvedDefault) {
+                ensureIdentityFile(resolvedDefault);
+                return resolvedDefault;
+            }
             throw new Error(`Specified PEM file does not exist: ${resolved}`);
         }
         return resolved;
     }
-    // 2. Get from environment variable
-    if (process.env.ZCLOAK_IDENTITY) {
-        const resolved = path.resolve(process.env.ZCLOAK_IDENTITY);
-        if (!fs.existsSync(resolved)) {
-            throw new Error(`PEM file specified by ZCLOAK_IDENTITY does not exist: ${resolved}`);
-        }
-        return resolved;
-    }
-    // 3. Use dfx default location
-    if (fs.existsSync(DEFAULT_PEM_PATH)) {
-        return DEFAULT_PEM_PATH;
-    }
-    throw new Error('Identity PEM file not found. Provide one via:\n' +
-        '  1. --identity=<pem_file_path>\n' +
-        '  2. Set environment variable ZCLOAK_IDENTITY=<pem_file_path>\n' +
-        `  3. Ensure dfx default identity exists: ${DEFAULT_PEM_PATH}`);
+    ensureIdentityFile(resolvedDefault);
+    return resolvedDefault;
 }
 // ========== Identity Management ==========
 /**

package/dist/identity.js.map

@@ -1 +1 @@
-{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAGnE,wCAAwC;AAExC;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAW,IAAI,CAAC,IAAI,CAC/C,EAAE,CAAC,OAAO,EAAE,EACZ,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,CACxD,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,UAAU,CAAC,IAAe;IACxC,MAAM,aAAa,GAAG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAE3C,yCAAyC;IACzC,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;IACzE,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,6BAA6B;QAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACjC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,mCAAmC;IACnC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,yDAAyD,QAAQ,EAAE,CAAC,CAAC;QACvF,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,8BAA8B;IAC9B,IAAI,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACpC,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,KAAK,CACb,iDAAiD;QACjD,mCAAmC;QACnC,iEAAiE;QACjE,4CAA4C,gBAAgB,EAAE,CAC/D,CAAC;AACJ,CAAC;AAED,4CAA4C;AAE5C;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACrD,IAAI,CAAC;QACH,OAAO,oBAAoB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,gDAAgD,OAAO,KAAM,GAAa,CAAC,OAAO,EAAE,CACrF,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAGnE,wCAAwC;AAExC;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAW,IAAI,CAAC,IAAI,CAC/C,EAAE,CAAC,OAAO,EAAE,EACZ,SAAS,EAAE,QAAQ,EAAE,WAAW,CACjC,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,OAAO,EAAE,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;AAC/B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,OAA6B;IAE7B,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC;IAE/B,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,oBAAoB,CAAC,QAAQ,CAAC,CAAC;YAC/B,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,gDAAgD,QAAQ,EAAE,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IACzE,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACjD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,UAAU,CAAC,IAAe,EAAE,iBAAyB,gBAAgB;IACnF,MAAM,aAAa,GAAG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAC3C,MAAM,eAAe,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;IAEvD,yCAAyC;IACzC,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;IACzE,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,6BAA6B;QAClF,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;QACnC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;gBACjC,kBAAkB,CAAC,eAAe,CAAC,CAAC;gBACpC,OAAO,eAAe,CAAC;YACzB,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,kBAAkB,CAAC,eAAe,CAAC,CAAC;IACpC,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,4CAA4C;AAE5C;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACrD,IAAI,CAAC;QACH,OAAO,oBAAoB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,gDAAgD,OAAO,KAAM,GAAa,CAAC,OAAO,EAAE,CACrF,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/identity_cmd.d.ts

@@ -3,18 +3,17 @@
  * zCloak.ai Identity Key Management Script
  *
  * Generates and inspects ECDSA secp256k1 identity PEM files without requiring dfx.
- * Uses Node.js built-in crypto module to produce the same SEC1 PEM format that dfx generates.
+ * Uses a dedicated zCloak identity path by default: ~/.config/zcloak/ai-id.pem.
  *
- * IMPORTANT: The default PEM path (~/.config/dfx/identity/default/identity.pem) is shared
- * with dfx. To avoid accidentally destroying an existing private key, the generate command
- * will detect and reuse any existing PEM file at the target path. Use --force to explicitly
- * regenerate a new key (the old key will be permanently lost).
+ * By default the CLI keeps using the same agent identity at the zCloak-managed path.
+ * If the default file does not exist, it is created automatically and then reused
+ * on subsequent commands.
  *
  * Usage:
- *   zcloak-ai identity generate [--output=<path>] [--force]
+ *   zcloak-ai identity generate [--output=<path>] [--identity=<path>] [--force]
  *       If a PEM file already exists at the target path, read and reuse it.
  *       Only generates a new key when no existing file is found.
- *       Default output: ~/.config/dfx/identity/default/identity.pem
+ *       Default output: ~/.config/zcloak/ai-id.pem
  *       Use --force to overwrite an existing file with a brand-new key.
  *
  *   zcloak-ai identity show

package/dist/identity_cmd.js

@@ -3,45 +3,41 @@
  * zCloak.ai Identity Key Management Script
  *
  * Generates and inspects ECDSA secp256k1 identity PEM files without requiring dfx.
- * Uses Node.js built-in crypto module to produce the same SEC1 PEM format that dfx generates.
+ * Uses a dedicated zCloak identity path by default: ~/.config/zcloak/ai-id.pem.
  *
- * IMPORTANT: The default PEM path (~/.config/dfx/identity/default/identity.pem) is shared
- * with dfx. To avoid accidentally destroying an existing private key, the generate command
- * will detect and reuse any existing PEM file at the target path. Use --force to explicitly
- * regenerate a new key (the old key will be permanently lost).
+ * By default the CLI keeps using the same agent identity at the zCloak-managed path.
+ * If the default file does not exist, it is created automatically and then reused
+ * on subsequent commands.
  *
  * Usage:
- *   zcloak-ai identity generate [--output=<path>] [--force]
+ *   zcloak-ai identity generate [--output=<path>] [--identity=<path>] [--force]
  *       If a PEM file already exists at the target path, read and reuse it.
  *       Only generates a new key when no existing file is found.
- *       Default output: ~/.config/dfx/identity/default/identity.pem
+ *       Default output: ~/.config/zcloak/ai-id.pem
  *       Use --force to overwrite an existing file with a brand-new key.
  *
  *   zcloak-ai identity show
  *       Print the PEM path and principal ID of the current identity.
  */
-import fs from 'fs';
-import path from 'path';
-import { generateKeyPairSync } from 'crypto';
-import { DEFAULT_PEM_PATH, loadIdentityFromPath } from './identity.js';
+import { DEFAULT_PEM_PATH, ensureIdentityFile, loadIdentityFromPath, resolveCliPath } from './identity.js';
 // ========== Help ==========
 function showHelp() {
     console.log('zCloak.ai Identity Key Management');
     console.log('');
     console.log('Usage:');
-    console.log('  zcloak-ai identity generate [--output=<path>] [--force]');
+    console.log('  zcloak-ai identity generate [--output=<path>] [--identity=<path>] [--force]');
     console.log('      Ensure an ECDSA secp256k1 PEM key exists (no dfx required).');
-    console.log('      If a PEM file already exists, reuse it (safe for dfx users).');
-    console.log('      Only generates a new key when no file is found at the path.');
-    console.log('      Default path: ~/.config/dfx/identity/default/identity.pem');
+    console.log('      If a PEM file already exists, reuse it.');
+    console.log('      If the default zCloak identity does not exist yet, create it automatically.');
+    console.log('      Default path: ~/.config/zcloak/ai-id.pem');
     console.log('');
     console.log('  zcloak-ai identity show');
     console.log('      Print PEM file path and principal ID of the current identity');
     console.log('');
     console.log('Options:');
     console.log('  --output=<path>    Custom output path for the PEM file');
+    console.log('  --identity=<path>  Generate to or show from a specific identity PEM path');
     console.log('  --force            Force regenerate a NEW key (overwrites existing!)');
-    console.log('  --identity=<path>  Use a specific identity PEM (for "show" command)');
     console.log('');
     console.log('Examples:');
     console.log('  zcloak-ai identity generate');
@@ -66,45 +62,25 @@ function showHelp() {
  * loadable by Secp256k1KeyIdentity.fromPem().
  */
 function cmdGenerate(args) {
-    // Determine output path: --output flag or dfx default
-    const outputRaw = args['output'];
+    // Determine output path: --output flag or zCloak default
+    const outputRaw = typeof args['output'] === 'string'
+        ? args['output']
+        : typeof args['identity'] === 'string'
+            ? args['identity']
+            : undefined;
     const outputPath = typeof outputRaw === 'string'
-        ? path.resolve(outputRaw)
+        ? resolveCliPath(outputRaw)
         : DEFAULT_PEM_PATH;
-    // Safety: if a PEM file already exists and --force is NOT set, reuse the
-    // existing key instead of overwriting it. This is critical because the default
-    // path is shared with dfx — blindly generating a new key would destroy the
-    // user's existing dfx identity and any associated canister permissions.
-    if (fs.existsSync(outputPath) && !args['force']) {
-        try {
-            const identity = loadIdentityFromPath(outputPath);
-            console.log(`Existing identity found, reusing: ${outputPath}`);
-            console.log(`Principal ID:                     ${identity.getPrincipal().toText()}`);
-            return;
-        }
-        catch {
-            // The existing file is corrupt or not a valid PEM — warn the user and
-            // refuse to silently overwrite it. They must use --force intentionally.
-            console.error(`Error: file exists but is not a valid PEM: ${outputPath}`);
-            console.error('Use --force to overwrite with a new key.');
-            process.exit(1);
-        }
+    const { path: ensuredPath, created } = ensureIdentityFile(outputPath, {
+        force: !!args['force'],
+    });
+    const identity = loadIdentityFromPath(ensuredPath);
+    if (created) {
+        console.log(`Identity PEM generated: ${ensuredPath}`);
     }
-    // Ensure parent directory exists
-    const dir = path.dirname(outputPath);
-    if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true });
+    else {
+        console.log(`Existing identity found, reusing: ${ensuredPath}`);
     }
-    // Generate EC key pair and export as SEC1 PEM (same format as dfx)
-    const { privateKey } = generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
-    const pem = privateKey.export({ type: 'sec1', format: 'pem' });
-    // Write with owner-only permissions (0600), matching how dfx stores identity files
-    fs.writeFileSync(outputPath, pem, { mode: 0o600 });
-    console.log(`Identity PEM generated: ${outputPath}`);
-    // Derive and display the Principal from the newly written file so the user
-    // can verify immediately. We use loadIdentityFromPath() to bypass the global
-    // argv / cache lookup — no process.argv mutation needed.
-    const identity = loadIdentityFromPath(outputPath);
     console.log(`Principal ID:          ${identity.getPrincipal().toText()}`);
 }
 /**

package/dist/identity_cmd.js.map

@@ -1 +1 @@
-{"version":3,"file":"identity_cmd.js","sourceRoot":"","sources":["../src/identity_cmd.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAIvE,6BAA6B;AAE7B,SAAS,QAAQ;IACf,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC;IACjF,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC;IACjF,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACxB,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;IACtF,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;IACrF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;AACrE,CAAC;AAED,iCAAiC;AAEjC;;;;;;;;;;;;;GAaG;AACH,SAAS,WAAW,CAAC,IAAgB;IACnC,sDAAsD;IACtD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,UAAU,GAAG,OAAO,SAAS,KAAK,QAAQ;QAC9C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;QACzB,CAAC,CAAC,gBAAgB,CAAC;IAErB,yEAAyE;IACzE,+EAA+E;IAC/E,2EAA2E;IAC3E,wEAAwE;IACxE,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAChD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,qCAAqC,UAAU,EAAE,CAAC,CAAC;YAC/D,OAAO,CAAC,GAAG,CAAC,qCAAqC,QAAQ,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACrF,OAAO;QACT,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;YACtE,wEAAwE;YACxE,OAAO,CAAC,KAAK,CAAC,8CAA8C,UAAU,EAAE,CAAC,CAAC;YAC1E,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;YAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACrC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,mEAAmE;IACnE,MAAM,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IAEzE,mFAAmF;IACnF,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEnD,OAAO,CAAC,GAAG,CAAC,2BAA2B,UAAU,EAAE,CAAC,CAAC;IAErD,2EAA2E;IAC3E,6EAA6E;IAC7E,yDAAyD;IACzD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,0BAA0B,QAAQ,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED;;;GAGG;AACH,SAAS,OAAO,CAAC,OAAgB;IAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,iBAAiB,SAAS,EAAE,CAAC,CAAC;AAC5C,CAAC;AAED,0DAA0D;AAE1D;;;GAGG;AACH,MAAM,UAAU,GAAG,CAAC,OAAgB;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE1B,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC7C,QAAQ,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,UAAU;gBACb,WAAW,CAAC,IAAI,CAAC,CAAC;gBAClB,MAAM;YACR,KAAK,MAAM;gBACT,OAAO,CAAC,OAAO,CAAC,CAAC;gBACjB,MAAM;YACR;gBACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,GAAG,EAAE,CAAC,CAAC;gBACzC,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}
+{"version":3,"file":"identity_cmd.js","sourceRoot":"","sources":["../src/identity_cmd.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAI3G,6BAA6B;AAE7B,SAAS,QAAQ;IACf,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACjD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,+EAA+E,CAAC,CAAC;IAC7F,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC;IACjF,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;IACjG,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACxB,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;IAC1F,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;IACtF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;IACrE,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;AACrE,CAAC;AAED,iCAAiC;AAEjC;;;;;;;;;;;;;GAaG;AACH,SAAS,WAAW,CAAC,IAAgB;IACnC,yDAAyD;IACzD,MAAM,SAAS,GAAG,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,QAAQ;QAClD,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;QAChB,CAAC,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,QAAQ;YACpC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC;YAClB,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,UAAU,GAAG,OAAO,SAAS,KAAK,QAAQ;QAC9C,CAAC,CAAC,cAAc,CAAC,SAAS,CAAC;QAC3B,CAAC,CAAC,gBAAgB,CAAC;IAErB,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,kBAAkB,CAAC,UAAU,EAAE;QACpE,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;KACvB,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAEnD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,2BAA2B,WAAW,EAAE,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,qCAAqC,WAAW,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,0BAA0B,QAAQ,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED;;;GAGG;AACH,SAAS,OAAO,CAAC,OAAgB;IAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,iBAAiB,SAAS,EAAE,CAAC,CAAC;AAC5C,CAAC;AAED,0DAA0D;AAE1D;;;GAGG;AACH,MAAM,UAAU,GAAG,CAAC,OAAgB;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE1B,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC7C,QAAQ,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,UAAU;gBACb,WAAW,CAAC,IAAI,CAAC,CAAC;gBAClB,MAAM;YACR,KAAK,MAAM;gBACT,OAAO,CAAC,OAAO,CAAC,CAAC;gBACjB,MAAM;YACR;gBACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,GAAG,EAAE,CAAC,CAAC;gBACzC,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/session.d.ts

@@ -57,14 +57,16 @@ export declare class Session {
     /**
      * Get the resolved PEM file path for this session.
      * Uses the same resolution priority as getIdentity():
-     *   --identity=<path> > ZCLOAK_IDENTITY env > dfx default location
+     *   --identity=<path> > ~/.config/zcloak/ai-id.pem
+     *
+     * The default zCloak identity is created automatically on first use.
      */
     getPemPath(): string;
     /**
      * Get the ECDSA secp256k1 identity for this session.
      * Loaded from PEM file on first call, then cached.
      *
-     * PEM path resolution: --identity=<path> > ZCLOAK_IDENTITY env > dfx default location
+     * PEM path resolution: --identity=<path> > ~/.config/zcloak/ai-id.pem
      */
     getIdentity(): Secp256k1KeyIdentity;
     /** Get the current identity's Principal ID as text */

package/dist/session.js

@@ -58,7 +58,9 @@ export class Session {
     /**
      * Get the resolved PEM file path for this session.
      * Uses the same resolution priority as getIdentity():
-     *   --identity=<path> > ZCLOAK_IDENTITY env > dfx default location
+     *   --identity=<path> > ~/.config/zcloak/ai-id.pem
+     *
+     * The default zCloak identity is created automatically on first use.
      */
     getPemPath() {
         return getPemPath(this._argv);
@@ -67,7 +69,7 @@ export class Session {
      * Get the ECDSA secp256k1 identity for this session.
      * Loaded from PEM file on first call, then cached.
      *
-     * PEM path resolution: --identity=<path> > ZCLOAK_IDENTITY env > dfx default location
+     * PEM path resolution: --identity=<path> > ~/.config/zcloak/ai-id.pem
      */
     getIdentity() {
         if (!this._identity) {

package/dist/session.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,SAAS,EAAE,KAAK,EAAsB,MAAM,gBAAgB,CAAC;AAGtE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACnD,OAAO,MAAM,MAAM,aAAa,CAAC;AAMjC,8BAA8B;AAC9B,MAAM,OAAO,GAAG,iBAAiB,CAAC;AAElC;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,OAAO;IAelB;;;;;;;OAOG;IACH,YAAY,IAAc;QAb1B,kEAAkE;QAC1D,cAAS,GAAgC,IAAI,CAAC;QAC9C,wBAAmB,GAAqB,IAAI,CAAC;QAC7C,oBAAe,GAAqB,IAAI,CAAC;QAW/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5B,IAAI,CAAC,WAAW,GAAG,cAAc,EAAE,CAAC;IACtC,CAAC;IAED,iCAAiC;IAEjC;;;;OAIG;IACH,UAAU;QACR,OAAO,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;IAED;;;;;OAKG;IACH,WAAW;QACT,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,CAAC,SAAS,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,sDAAsD;IACtD,YAAY;QACV,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,CAAC;IACpD,CAAC;IAED,kDAAkD;IAClD,eAAe;QACb,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,EAAE,CAAC;IAC3C,CAAC;IAED,oCAAoC;IAEpC;;;OAGG;IACH,KAAK,CAAC,qBAAqB;QACzB,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACpC,IAAI,CAAC,mBAAmB,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC;gBAChD,IAAI,EAAE,OAAO;gBACb,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;YAC1B,IAAI,CAAC,eAAe,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC;gBAC5C,IAAI,EAAE,OAAO;aACd,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED,wCAAwC;IAExC,0EAA0E;IAC1E,KAAK,CAAC,YAAY;QAChB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACjD,OAAO,KAAK,CAAC,WAAW,CAAc,cAAc,EAAE;YACpD,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU;SACxC,CAAC,CAAC;IACL,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,gBAAgB;QACpB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACjD,OAAO,KAAK,CAAC,WAAW,CAAkB,kBAAkB,EAAE;YAC5D,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;SACtC,CAAC,CAAC;IACL,CAAC;IAED,2DAA2D;IAC3D,KAAK,CAAC,qBAAqB;QACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7C,OAAO,KAAK,CAAC,WAAW,CAAc,cAAc,EAAE;YACpD,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU;SACxC,CAAC,CAAC;IACL,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,yBAAyB;QAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7C,OAAO,KAAK,CAAC,WAAW,CAAkB,kBAAkB,EAAE;YAC5D,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;SACtC,CAAC,CAAC;IACL,CAAC;IAED,4BAA4B;IAE5B;;;OAGG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAExC,+CAA+C;QAC/C,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAC;QAElE,oFAAoF;QACpF,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,8CAA8C,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,oBAAoB;QACpB,OAAO,CAAC,KAAK,CAAC,wBAAwB,MAAM,CAAC,SAAS,MAAM,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,OAAO,CAAC,KAAK,CAAC,wBAAwB,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;QAE/E,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IAC1D,CAAC;IAED,oCAAoC;IAEpC,uBAAuB;IACvB,UAAU;QACR,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC;IAED,iCAAiC;IACjC,aAAa;QACX,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC;IAED,mCAAmC;IACnC,WAAW;QACT,OAAO,MAAM,CAAC,SAAS,CAAC;IAC1B,CAAC;IAED,oCAAoC;IACpC,aAAa;QACX,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC;CACF"}
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,SAAS,EAAE,KAAK,EAAsB,MAAM,gBAAgB,CAAC;AAGtE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACnD,OAAO,MAAM,MAAM,aAAa,CAAC;AAMjC,8BAA8B;AAC9B,MAAM,OAAO,GAAG,iBAAiB,CAAC;AAElC;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,OAAO;IAelB;;;;;;;OAOG;IACH,YAAY,IAAc;QAb1B,kEAAkE;QAC1D,cAAS,GAAgC,IAAI,CAAC;QAC9C,wBAAmB,GAAqB,IAAI,CAAC;QAC7C,oBAAe,GAAqB,IAAI,CAAC;QAW/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5B,IAAI,CAAC,WAAW,GAAG,cAAc,EAAE,CAAC;IACtC,CAAC;IAED,iCAAiC;IAEjC;;;;;;OAMG;IACH,UAAU;QACR,OAAO,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;IAED;;;;;OAKG;IACH,WAAW;QACT,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,CAAC,SAAS,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,sDAAsD;IACtD,YAAY;QACV,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,CAAC;IACpD,CAAC;IAED,kDAAkD;IAClD,eAAe;QACb,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,YAAY,EAAE,CAAC;IAC3C,CAAC;IAED,oCAAoC;IAEpC;;;OAGG;IACH,KAAK,CAAC,qBAAqB;QACzB,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACpC,IAAI,CAAC,mBAAmB,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC;gBAChD,IAAI,EAAE,OAAO;gBACb,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;YAC1B,IAAI,CAAC,eAAe,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC;gBAC5C,IAAI,EAAE,OAAO;aACd,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED,wCAAwC;IAExC,0EAA0E;IAC1E,KAAK,CAAC,YAAY;QAChB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACjD,OAAO,KAAK,CAAC,WAAW,CAAc,cAAc,EAAE;YACpD,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU;SACxC,CAAC,CAAC;IACL,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,gBAAgB;QACpB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACjD,OAAO,KAAK,CAAC,WAAW,CAAkB,kBAAkB,EAAE;YAC5D,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;SACtC,CAAC,CAAC;IACL,CAAC;IAED,2DAA2D;IAC3D,KAAK,CAAC,qBAAqB;QACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7C,OAAO,KAAK,CAAC,WAAW,CAAc,cAAc,EAAE;YACpD,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU;SACxC,CAAC,CAAC;IACL,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,yBAAyB;QAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7C,OAAO,KAAK,CAAC,WAAW,CAAkB,kBAAkB,EAAE;YAC5D,KAAK;YACL,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;SACtC,CAAC,CAAC;IACL,CAAC;IAED,4BAA4B;IAE5B;;;OAGG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAExC,+CAA+C;QAC/C,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAC;QAElE,oFAAoF;QACpF,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,8CAA8C,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,oBAAoB;QACpB,OAAO,CAAC,KAAK,CAAC,wBAAwB,MAAM,CAAC,SAAS,MAAM,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,OAAO,CAAC,KAAK,CAAC,wBAAwB,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;QAE/E,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IAC1D,CAAC;IAED,oCAAoC;IAEpC,uBAAuB;IACvB,UAAU;QACR,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC;IAED,iCAAiC;IACjC,aAAa;QACX,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC;IAED,mCAAmC;IACnC,WAAW;QACT,OAAO,MAAM,CAAC,SAAS,CAAC;IAC1B,CAAC;IAED,oCAAoC;IACpC,aAAa;QACX,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC;CACF"}

package/dist/types/registry.d.ts

@@ -3,7 +3,7 @@
  *
  * Run `npm run generate-types` to regenerate this file.
  * Source: registryIdlFactory in src/idl.ts
- * Generated: 2026-03-06T03:04:01.548Z
+ * Generated: 2026-03-07T04:58:47.403Z
  *
  * These types are derived from the Candid IDL definitions and correspond to
  * the canister's runtime interface. Edit idl.ts to change type definitions.

package/dist/types/registry.js

@@ -3,7 +3,7 @@
  *
  * Run `npm run generate-types` to regenerate this file.
  * Source: registryIdlFactory in src/idl.ts
- * Generated: 2026-03-06T03:04:01.548Z
+ * Generated: 2026-03-07T04:58:47.403Z
  *
  * These types are derived from the Candid IDL definitions and correspond to
  * the canister's runtime interface. Edit idl.ts to change type definitions.

package/dist/types/sign-event.d.ts

@@ -3,7 +3,7 @@
  *
  * Run `npm run generate-types` to regenerate this file.
  * Source: signIdlFactory in src/idl.ts
- * Generated: 2026-03-06T03:04:01.547Z
+ * Generated: 2026-03-07T04:58:47.402Z
  *
  * These types are derived from the Candid IDL definitions and correspond to
  * the canister's runtime interface. Edit idl.ts to change type definitions.

package/dist/types/sign-event.js

@@ -3,7 +3,7 @@
  *
  * Run `npm run generate-types` to regenerate this file.
  * Source: signIdlFactory in src/idl.ts
- * Generated: 2026-03-06T03:04:01.547Z
+ * Generated: 2026-03-07T04:58:47.402Z
  *
  * These types are derived from the Candid IDL definitions and correspond to
  * the canister's runtime interface. Edit idl.ts to change type definitions.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zcloak/ai-agent",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "zCloak.ai Agent CLI — sign, verify, register",
   "bin": {
     "zcloak-ai": "./dist/cli.js"