ccsini 0.1.20 → 0.1.22

package/dist/index.js

@@ -26459,35 +26459,7 @@ var init_dist16 = __esm(() => {
   dist_default12 = inquirer;
 });
 
-// ../../node_modules/.bun/commander@13.1.0/node_modules/commander/esm.mjs
-var import__ = __toESM(require_commander(), 1);
-var {
-  program,
-  createCommand,
-  createArgument,
-  createOption,
-  CommanderError,
-  InvalidArgumentError,
-  InvalidOptionArgumentError,
-  Command,
-  Argument,
-  Option,
-  Help
-} = import__.default;
-
-// src/version.ts
-var VERSION = "0.1.20";
-
-// src/commands/init.ts
-init_source();
-init_ora();
-init_dist16();
-import { platform } from "os";
-
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/buffer_utils.js
-var encoder = new TextEncoder;
-var decoder = new TextDecoder;
-var MAX_INT32 = 2 ** 32;
 function concat(...buffers) {
   const size = buffers.reduce((acc, { length }) => acc + length, 0);
   const buf = new Uint8Array(size);
@@ -26509,6 +26481,12 @@ function encode(string) {
   }
   return bytes;
 }
+var encoder, decoder, MAX_INT32;
+var init_buffer_utils = __esm(() => {
+  encoder = new TextEncoder;
+  decoder = new TextDecoder;
+  MAX_INT32 = 2 ** 32;
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/base64.js
 function encodeBase64(input) {
@@ -26562,34 +26540,74 @@ function encode2(input) {
   }
   return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
+var init_base64url = __esm(() => {
+  init_buffer_utils();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/util/errors.js
-class JOSEError extends Error {
-  static code = "ERR_JOSE_GENERIC";
-  code = "ERR_JOSE_GENERIC";
-  constructor(message, options) {
-    super(message, options);
-    this.name = this.constructor.name;
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-}
-class JOSENotSupported extends JOSEError {
-  static code = "ERR_JOSE_NOT_SUPPORTED";
-  code = "ERR_JOSE_NOT_SUPPORTED";
-}
-class JWSInvalid extends JOSEError {
-  static code = "ERR_JWS_INVALID";
-  code = "ERR_JWS_INVALID";
-}
-
-class JWTInvalid extends JOSEError {
-  static code = "ERR_JWT_INVALID";
-  code = "ERR_JWT_INVALID";
-}
+var JOSEError, JWTClaimValidationFailed, JWTExpired, JOSEAlgNotAllowed, JOSENotSupported, JWSInvalid, JWTInvalid, JWSSignatureVerificationFailed;
+var init_errors2 = __esm(() => {
+  JOSEError = class JOSEError extends Error {
+    static code = "ERR_JOSE_GENERIC";
+    code = "ERR_JOSE_GENERIC";
+    constructor(message, options) {
+      super(message, options);
+      this.name = this.constructor.name;
+      Error.captureStackTrace?.(this, this.constructor);
+    }
+  };
+  JWTClaimValidationFailed = class JWTClaimValidationFailed extends JOSEError {
+    static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+    code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+    claim;
+    reason;
+    payload;
+    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
+      super(message, { cause: { claim, reason, payload } });
+      this.claim = claim;
+      this.reason = reason;
+      this.payload = payload;
+    }
+  };
+  JWTExpired = class JWTExpired extends JOSEError {
+    static code = "ERR_JWT_EXPIRED";
+    code = "ERR_JWT_EXPIRED";
+    claim;
+    reason;
+    payload;
+    constructor(message, payload, claim = "unspecified", reason = "unspecified") {
+      super(message, { cause: { claim, reason, payload } });
+      this.claim = claim;
+      this.reason = reason;
+      this.payload = payload;
+    }
+  };
+  JOSEAlgNotAllowed = class JOSEAlgNotAllowed extends JOSEError {
+    static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+    code = "ERR_JOSE_ALG_NOT_ALLOWED";
+  };
+  JOSENotSupported = class JOSENotSupported extends JOSEError {
+    static code = "ERR_JOSE_NOT_SUPPORTED";
+    code = "ERR_JOSE_NOT_SUPPORTED";
+  };
+  JWSInvalid = class JWSInvalid extends JOSEError {
+    static code = "ERR_JWS_INVALID";
+    code = "ERR_JWS_INVALID";
+  };
+  JWTInvalid = class JWTInvalid extends JOSEError {
+    static code = "ERR_JWT_INVALID";
+    code = "ERR_JWT_INVALID";
+  };
+  JWSSignatureVerificationFailed = class JWSSignatureVerificationFailed extends JOSEError {
+    static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+    code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+    constructor(message = "signature verification failed", options) {
+      super(message, options);
+    }
+  };
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/crypto_key.js
-var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-var isAlgorithm = (algorithm, name) => algorithm.name === name;
 function getHashLength(hash) {
   return parseInt(hash.name.slice(4), 10);
 }
@@ -26674,6 +26692,7 @@ function checkSigCryptoKey(key, alg, usage) {
   }
   checkUsage(key, usage);
 }
+var unusable = (name, prop = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`), isAlgorithm = (algorithm, name) => algorithm.name === name;
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/invalid_key_input.js
 function message(msg, actual, ...types) {
@@ -26697,8 +26716,7 @@ function message(msg, actual, ...types) {
   }
   return msg;
 }
-var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
-var withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+var invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types), withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/is_key_like.js
 var isCryptoKey = (key) => {
@@ -26709,9 +26727,7 @@ var isCryptoKey = (key) => {
   } catch {
     return false;
   }
-};
-var isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
-var isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+}, isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject", isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/is_disjoint.js
 function isDisjoint(...headers) {
@@ -26737,7 +26753,6 @@ function isDisjoint(...headers) {
 }
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/is_object.js
-var isObjectLike = (value) => typeof value === "object" && value !== null;
 function isObject(input) {
   if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
     return false;
@@ -26751,6 +26766,7 @@ function isObject(input) {
   }
   return Object.getPrototypeOf(input) === proto2;
 }
+var isObjectLike = (value) => typeof value === "object" && value !== null;
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/check_key_length.js
 function checkKeyLength(alg, key) {
@@ -26871,6 +26887,9 @@ async function jwkToKey(jwk) {
   delete keyData.use;
   return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
 }
+var init_jwk_to_key = __esm(() => {
+  init_errors2();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/validate_crit.js
 function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
@@ -26902,16 +26921,58 @@ function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader,
   }
   return new Set(protectedHeader.crit);
 }
+var init_validate_crit = __esm(() => {
+  init_errors2();
+});
+
+// ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+  if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
+    throw new TypeError(`"${option}" option must be an array of strings`);
+  }
+  if (!algorithms) {
+    return;
+  }
+  return new Set(algorithms);
+}
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/is_jwk.js
-var isJWK = (key) => isObject(key) && typeof key.kty === "string";
-var isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-var isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined;
-var isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+var isJWK = (key) => isObject(key) && typeof key.kty === "string", isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string"), isPublicJWK = (key) => key.kty !== "oct" && key.d === undefined && key.priv === undefined, isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+var init_is_jwk = () => {};
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/normalize_key.js
-var cache;
-var handleJWK = async (key, jwk, alg, freeze = false) => {
+async function normalizeKey(key, alg) {
+  if (key instanceof Uint8Array) {
+    return key;
+  }
+  if (isCryptoKey(key)) {
+    return key;
+  }
+  if (isKeyObject(key)) {
+    if (key.type === "secret") {
+      return key.export();
+    }
+    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
+      try {
+        return handleKeyObject(key, alg);
+      } catch (err) {
+        if (err instanceof TypeError) {
+          throw err;
+        }
+      }
+    }
+    let jwk = key.export({ format: "jwk" });
+    return handleJWK(key, jwk, alg);
+  }
+  if (isJWK(key)) {
+    if (key.k) {
+      return decode(key.k);
+    }
+    return handleJWK(key, key, alg, true);
+  }
+  throw new Error("unreachable");
+}
+var cache, handleJWK = async (key, jwk, alg, freeze = false) => {
   cache ||= new WeakMap;
   let cached = cache.get(key);
   if (cached?.[alg]) {
@@ -26926,8 +26987,7 @@ var handleJWK = async (key, jwk, alg, freeze = false) => {
     cached[alg] = cryptoKey;
   }
   return cryptoKey;
-};
-var handleKeyObject = (keyObject, alg) => {
+}, handleKeyObject = (keyObject, alg) => {
   cache ||= new WeakMap;
   let cached = cache.get(keyObject);
   if (cached?.[alg]) {
@@ -27048,41 +27108,27 @@ var handleKeyObject = (keyObject, alg) => {
   }
   return cryptoKey;
 };
-async function normalizeKey(key, alg) {
-  if (key instanceof Uint8Array) {
-    return key;
-  }
-  if (isCryptoKey(key)) {
-    return key;
-  }
-  if (isKeyObject(key)) {
-    if (key.type === "secret") {
-      return key.export();
-    }
-    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
-      try {
-        return handleKeyObject(key, alg);
-      } catch (err) {
-        if (err instanceof TypeError) {
-          throw err;
-        }
-      }
-    }
-    let jwk = key.export({ format: "jwk" });
-    return handleJWK(key, jwk, alg);
-  }
-  if (isJWK(key)) {
-    if (key.k) {
-      return decode(key.k);
-    }
-    return handleJWK(key, key, alg, true);
-  }
-  throw new Error("unreachable");
-}
+var init_normalize_key = __esm(() => {
+  init_is_jwk();
+  init_base64url();
+  init_jwk_to_key();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/check_key_type.js
-var tag = (key) => key?.[Symbol.toStringTag];
-var jwkMatchesOp = (alg, key, usage) => {
+function checkKeyType(alg, key, usage) {
+  switch (alg.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      symmetricTypeCheck(alg, key, usage);
+      break;
+    default:
+      asymmetricTypeCheck(alg, key, usage);
+  }
+}
+var tag = (key) => key?.[Symbol.toStringTag], jwkMatchesOp = (alg, key, usage) => {
   if (key.use !== undefined) {
     let expected;
     switch (usage) {
@@ -27132,8 +27178,7 @@ var jwkMatchesOp = (alg, key, usage) => {
     }
   }
   return true;
-};
-var symmetricTypeCheck = (alg, key, usage) => {
+}, symmetricTypeCheck = (alg, key, usage) => {
   if (key instanceof Uint8Array)
     return;
   if (isJWK(key)) {
@@ -27147,8 +27192,7 @@ var symmetricTypeCheck = (alg, key, usage) => {
   if (key.type !== "secret") {
     throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
   }
-};
-var asymmetricTypeCheck = (alg, key, usage) => {
+}, asymmetricTypeCheck = (alg, key, usage) => {
   if (isJWK(key)) {
     switch (usage) {
       case "decrypt":
@@ -27186,19 +27230,9 @@ var asymmetricTypeCheck = (alg, key, usage) => {
     }
   }
 };
-function checkKeyType(alg, key, usage) {
-  switch (alg.substring(0, 2)) {
-    case "A1":
-    case "A2":
-    case "di":
-    case "HS":
-    case "PB":
-      symmetricTypeCheck(alg, key, usage);
-      break;
-    default:
-      asymmetricTypeCheck(alg, key, usage);
-  }
-}
+var init_check_key_type = __esm(() => {
+  init_is_jwk();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/subtle_dsa.js
 function subtleAlgorithm(alg, algorithm) {
@@ -27231,6 +27265,9 @@ function subtleAlgorithm(alg, algorithm) {
       throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
   }
 }
+var init_subtle_dsa = __esm(() => {
+  init_errors2();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
 async function getSigKey(alg, key, usage) {
@@ -27243,15 +27280,161 @@ async function getSigKey(alg, key, usage) {
   checkSigCryptoKey(key, alg, usage);
   return key;
 }
+var init_get_sign_verify_key = () => {};
+
+// ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/verify.js
+async function verify(alg, key, signature, data) {
+  const cryptoKey = await getSigKey(alg, key, "verify");
+  checkKeyLength(alg, cryptoKey);
+  const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+  try {
+    return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+  } catch {
+    return false;
+  }
+}
+var init_verify = __esm(() => {
+  init_subtle_dsa();
+  init_get_sign_verify_key();
+});
+
+// ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/jws/flattened/verify.js
+async function flattenedVerify(jws, key, options) {
+  if (!isObject(jws)) {
+    throw new JWSInvalid("Flattened JWS must be an object");
+  }
+  if (jws.protected === undefined && jws.header === undefined) {
+    throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
+  }
+  if (jws.protected !== undefined && typeof jws.protected !== "string") {
+    throw new JWSInvalid("JWS Protected Header incorrect type");
+  }
+  if (jws.payload === undefined) {
+    throw new JWSInvalid("JWS Payload missing");
+  }
+  if (typeof jws.signature !== "string") {
+    throw new JWSInvalid("JWS Signature missing or incorrect type");
+  }
+  if (jws.header !== undefined && !isObject(jws.header)) {
+    throw new JWSInvalid("JWS Unprotected Header incorrect type");
+  }
+  let parsedProt = {};
+  if (jws.protected) {
+    try {
+      const protectedHeader = decode(jws.protected);
+      parsedProt = JSON.parse(decoder.decode(protectedHeader));
+    } catch {
+      throw new JWSInvalid("JWS Protected Header is invalid");
+    }
+  }
+  if (!isDisjoint(parsedProt, jws.header)) {
+    throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  }
+  const joseHeader = {
+    ...parsedProt,
+    ...jws.header
+  };
+  const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+  let b64 = true;
+  if (extensions.has("b64")) {
+    b64 = parsedProt.b64;
+    if (typeof b64 !== "boolean") {
+      throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+    }
+  }
+  const { alg } = joseHeader;
+  if (typeof alg !== "string" || !alg) {
+    throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  }
+  const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
+  if (algorithms && !algorithms.has(alg)) {
+    throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+  }
+  if (b64) {
+    if (typeof jws.payload !== "string") {
+      throw new JWSInvalid("JWS Payload must be a string");
+    }
+  } else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) {
+    throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
+  }
+  let resolvedKey = false;
+  if (typeof key === "function") {
+    key = await key(parsedProt, jws);
+    resolvedKey = true;
+  }
+  checkKeyType(alg, key, "verify");
+  const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array, encode("."), typeof jws.payload === "string" ? b64 ? encode(jws.payload) : encoder.encode(jws.payload) : jws.payload);
+  let signature;
+  try {
+    signature = decode(jws.signature);
+  } catch {
+    throw new JWSInvalid("Failed to base64url decode the signature");
+  }
+  const k = await normalizeKey(key, alg);
+  const verified = await verify(alg, k, signature, data);
+  if (!verified) {
+    throw new JWSSignatureVerificationFailed;
+  }
+  let payload;
+  if (b64) {
+    try {
+      payload = decode(jws.payload);
+    } catch {
+      throw new JWSInvalid("Failed to base64url decode the payload");
+    }
+  } else if (typeof jws.payload === "string") {
+    payload = encoder.encode(jws.payload);
+  } else {
+    payload = jws.payload;
+  }
+  const result = { payload };
+  if (jws.protected !== undefined) {
+    result.protectedHeader = parsedProt;
+  }
+  if (jws.header !== undefined) {
+    result.unprotectedHeader = jws.header;
+  }
+  if (resolvedKey) {
+    return { ...result, key: k };
+  }
+  return result;
+}
+var init_verify2 = __esm(() => {
+  init_base64url();
+  init_verify();
+  init_errors2();
+  init_buffer_utils();
+  init_check_key_type();
+  init_validate_crit();
+  init_normalize_key();
+});
+
+// ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/jws/compact/verify.js
+async function compactVerify(jws, key, options) {
+  if (jws instanceof Uint8Array) {
+    jws = decoder.decode(jws);
+  }
+  if (typeof jws !== "string") {
+    throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
+  }
+  const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
+  if (length !== 3) {
+    throw new JWSInvalid("Invalid Compact JWS");
+  }
+  const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);
+  const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: verified.key };
+  }
+  return result;
+}
+var init_verify3 = __esm(() => {
+  init_verify2();
+  init_errors2();
+  init_buffer_utils();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/jwt_claims_set.js
-var epoch = (date) => Math.floor(date.getTime() / 1000);
-var minute = 60;
-var hour = minute * 60;
-var day = hour * 24;
-var week = day * 7;
-var year = day * 365.25;
-var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
 function secs(str) {
   const matched = REGEX.exec(str);
   if (!matched || matched[4] && matched[1]) {
@@ -27307,6 +27490,90 @@ function validateInput(label, input) {
   }
   return input;
 }
+function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
+  let payload;
+  try {
+    payload = JSON.parse(decoder.decode(encodedPayload));
+  } catch {}
+  if (!isObject(payload)) {
+    throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
+  }
+  const { typ } = options;
+  if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
+    throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload, "typ", "check_failed");
+  }
+  const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
+  const presenceCheck = [...requiredClaims];
+  if (maxTokenAge !== undefined)
+    presenceCheck.push("iat");
+  if (audience !== undefined)
+    presenceCheck.push("aud");
+  if (subject !== undefined)
+    presenceCheck.push("sub");
+  if (issuer !== undefined)
+    presenceCheck.push("iss");
+  for (const claim of new Set(presenceCheck.reverse())) {
+    if (!(claim in payload)) {
+      throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
+    }
+  }
+  if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {
+    throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload, "iss", "check_failed");
+  }
+  if (subject && payload.sub !== subject) {
+    throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload, "sub", "check_failed");
+  }
+  if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) {
+    throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload, "aud", "check_failed");
+  }
+  let tolerance;
+  switch (typeof options.clockTolerance) {
+    case "string":
+      tolerance = secs(options.clockTolerance);
+      break;
+    case "number":
+      tolerance = options.clockTolerance;
+      break;
+    case "undefined":
+      tolerance = 0;
+      break;
+    default:
+      throw new TypeError("Invalid clockTolerance option type");
+  }
+  const { currentDate } = options;
+  const now = epoch(currentDate || new Date);
+  if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== "number") {
+    throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, "iat", "invalid");
+  }
+  if (payload.nbf !== undefined) {
+    if (typeof payload.nbf !== "number") {
+      throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload, "nbf", "invalid");
+    }
+    if (payload.nbf > now + tolerance) {
+      throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload, "nbf", "check_failed");
+    }
+  }
+  if (payload.exp !== undefined) {
+    if (typeof payload.exp !== "number") {
+      throw new JWTClaimValidationFailed('"exp" claim must be a number', payload, "exp", "invalid");
+    }
+    if (payload.exp <= now - tolerance) {
+      throw new JWTExpired('"exp" claim timestamp check failed', payload, "exp", "check_failed");
+    }
+  }
+  if (maxTokenAge) {
+    const age = now - payload.iat;
+    const max = typeof maxTokenAge === "number" ? maxTokenAge : secs(maxTokenAge);
+    if (age - tolerance > max) {
+      throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, "iat", "check_failed");
+    }
+    if (age < 0 - tolerance) {
+      throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload, "iat", "check_failed");
+    }
+  }
+  return payload;
+}
+
 class JWTClaimsBuilder {
   #payload;
   constructor(payload) {
@@ -27369,6 +27636,48 @@ class JWTClaimsBuilder {
     }
   }
 }
+var epoch = (date) => Math.floor(date.getTime() / 1000), minute = 60, hour, day, week, year, REGEX, normalizeTyp = (value) => {
+  if (value.includes("/")) {
+    return value.toLowerCase();
+  }
+  return `application/${value.toLowerCase()}`;
+}, checkAudiencePresence = (audPayload, audOption) => {
+  if (typeof audPayload === "string") {
+    return audOption.includes(audPayload);
+  }
+  if (Array.isArray(audPayload)) {
+    return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+  }
+  return false;
+};
+var init_jwt_claims_set = __esm(() => {
+  init_errors2();
+  init_buffer_utils();
+  hour = minute * 60;
+  day = hour * 24;
+  week = day * 7;
+  year = day * 365.25;
+  REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+});
+
+// ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/jwt/verify.js
+async function jwtVerify(jwt, key, options) {
+  const verified = await compactVerify(jwt, key, options);
+  if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) {
+    throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+  }
+  const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);
+  const result = { payload, protectedHeader: verified.protectedHeader };
+  if (typeof key === "function") {
+    return { ...result, key: verified.key };
+  }
+  return result;
+}
+var init_verify4 = __esm(() => {
+  init_verify3();
+  init_jwt_claims_set();
+  init_errors2();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/lib/sign.js
 async function sign(alg, key, data) {
@@ -27377,6 +27686,10 @@ async function sign(alg, key, data) {
   const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
   return new Uint8Array(signature);
 }
+var init_sign = __esm(() => {
+  init_subtle_dsa();
+  init_get_sign_verify_key();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/jws/flattened/sign.js
 class FlattenedSign {
@@ -27461,6 +27774,15 @@ class FlattenedSign {
     return jws;
   }
 }
+var init_sign2 = __esm(() => {
+  init_base64url();
+  init_sign();
+  init_errors2();
+  init_buffer_utils();
+  init_check_key_type();
+  init_validate_crit();
+  init_normalize_key();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/jws/compact/sign.js
 class CompactSign {
@@ -27480,6 +27802,9 @@ class CompactSign {
     return `${jws.protected}.${jws.payload}.${jws.signature}`;
   }
 }
+var init_sign3 = __esm(() => {
+  init_sign2();
+});
 
 // ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/jwt/sign.js
 class SignJWT {
@@ -27529,57 +27854,87 @@ class SignJWT {
     return sig.sign(key, options);
   }
 }
+var init_sign4 = __esm(() => {
+  init_sign3();
+  init_errors2();
+  init_jwt_claims_set();
+});
+
+// ../../node_modules/.bun/jose@6.1.3/node_modules/jose/dist/webapi/index.js
+var init_webapi = __esm(() => {
+  init_verify4();
+  init_sign4();
+});
 // ../shared/src/constants.ts
-var DEFAULT_CATEGORY_PATTERNS = {
-  session: ["projects/**/*.jsonl"],
-  memory: ["projects/*/memory/**/*"],
-  skill: ["skills/**/*"],
-  command: ["commands/**/*"],
-  plan: ["plans/**/*"],
-  config: ["settings.json"],
-  keybinding: ["keybindings.json"],
-  mcp: ["mcp.json"],
-  "file-history": ["file-history/**/*"],
-  "claude-md": ["projects/**/CLAUDE.md"],
-  unknown: []
-};
-var MERGE_STRATEGIES = {
-  session: "append-dedup",
-  memory: "append-sections",
-  skill: "content-hash",
-  command: "content-hash",
-  plan: "merge-by-id",
-  config: "last-write-wins",
-  keybinding: "last-write-wins",
-  mcp: "last-write-wins",
-  "file-history": "append-dedup",
-  "claude-md": "last-write-wins",
-  unknown: "last-write-wins"
-};
-var NEVER_SYNC_PATTERNS = [
-  ".credentials.json",
-  "cache/**",
-  "debug/**",
-  "downloads/**",
-  "paste-cache/**",
-  "session-env/**",
-  "shell-snapshots/**",
-  "statsig/**",
-  "telemetry/**",
-  "stats-cache.json",
-  "image-cache/**",
-  "file-history/**",
-  "**/node_modules/**",
-  "**/cache/**",
-  "**/tool-results/**",
-  "projects/**/*.jsonl",
-  "plugins/**",
-  "plans/**",
-  "todos/**"
-];
-var JWT_EXPIRY_SECONDS = 900;
-var MAX_CONCURRENT_TRANSFERS = 50;
+var DEFAULT_CATEGORY_PATTERNS, MERGE_STRATEGIES, NEVER_SYNC_PATTERNS, JWT_EXPIRY_SECONDS = 900, MAX_CONCURRENT_TRANSFERS = 50;
+var init_constants = __esm(() => {
+  DEFAULT_CATEGORY_PATTERNS = {
+    session: ["projects/**/*.jsonl"],
+    memory: ["projects/*/memory/**/*"],
+    skill: ["skills/**/*"],
+    command: ["commands/**/*"],
+    plan: ["plans/**/*"],
+    config: ["settings.json"],
+    keybinding: ["keybindings.json"],
+    mcp: ["mcp.json"],
+    "file-history": ["file-history/**/*"],
+    "claude-md": ["projects/**/CLAUDE.md"],
+    unknown: []
+  };
+  MERGE_STRATEGIES = {
+    session: "append-dedup",
+    memory: "append-sections",
+    skill: "content-hash",
+    command: "content-hash",
+    plan: "merge-by-id",
+    config: "last-write-wins",
+    keybinding: "last-write-wins",
+    mcp: "last-write-wins",
+    "file-history": "append-dedup",
+    "claude-md": "last-write-wins",
+    unknown: "last-write-wins"
+  };
+  NEVER_SYNC_PATTERNS = [
+    ".credentials.json",
+    "cache/**",
+    "debug/**",
+    "downloads/**",
+    "paste-cache/**",
+    "session-env/**",
+    "shell-snapshots/**",
+    "statsig/**",
+    "telemetry/**",
+    "stats-cache.json",
+    "image-cache/**",
+    "file-history/**",
+    "**/node_modules/**",
+    "**/cache/**",
+    "**/tool-results/**",
+    "projects/**/*.jsonl",
+    "plugins/**",
+    "plans/**",
+    "todos/**"
+  ];
+});
+
+// ../shared/src/index.ts
+var init_src = __esm(() => {
+  init_constants();
+});
+
 // src/core/auth.ts
+var exports_auth = {};
+__export(exports_auth, {
+  verifySignature: () => verifySignature,
+  verifyDeviceJWT: () => verifyDeviceJWT,
+  signData: () => signData,
+  importPublicKey: () => importPublicKey,
+  importPrivateKey: () => importPrivateKey,
+  generateDeviceKeypair: () => generateDeviceKeypair,
+  exportPublicKey: () => exportPublicKey,
+  exportPrivateKey: () => exportPrivateKey,
+  createDeviceJWT: () => createDeviceJWT
+});
 async function generateDeviceKeypair() {
   const keypair = await crypto.subtle.generateKey("Ed25519", true, ["sign", "verify"]);
   return {
@@ -27599,9 +27954,56 @@ async function importPrivateKey(b64) {
   const bytes = Buffer.from(b64, "base64url");
   return crypto.subtle.importKey("pkcs8", bytes, "Ed25519", true, ["sign"]);
 }
+async function importPublicKey(b64) {
+  const bytes = Buffer.from(b64, "base64url");
+  return crypto.subtle.importKey("raw", bytes, "Ed25519", true, ["verify"]);
+}
+async function signData(privateKey, data) {
+  const signature = await crypto.subtle.sign("Ed25519", privateKey, data);
+  return new Uint8Array(signature);
+}
+async function verifySignature(publicKey, data, signature) {
+  return crypto.subtle.verify("Ed25519", publicKey, signature, data);
+}
 async function createDeviceJWT(privateKey, deviceId) {
   return new SignJWT({}).setProtectedHeader({ alg: "EdDSA" }).setIssuer("ccsini").setSubject(deviceId).setIssuedAt().setExpirationTime(`${JWT_EXPIRY_SECONDS}s`).sign(privateKey);
 }
+async function verifyDeviceJWT(token, publicKey) {
+  const { payload } = await jwtVerify(token, publicKey, {
+    issuer: "ccsini"
+  });
+  return payload;
+}
+var init_auth = __esm(() => {
+  init_webapi();
+  init_src();
+});
+
+// ../../node_modules/.bun/commander@13.1.0/node_modules/commander/esm.mjs
+var import__ = __toESM(require_commander(), 1);
+var {
+  program,
+  createCommand,
+  createArgument,
+  createOption,
+  CommanderError,
+  InvalidArgumentError,
+  InvalidOptionArgumentError,
+  Command,
+  Argument,
+  Option,
+  Help
+} = import__.default;
+
+// src/version.ts
+var VERSION = "0.1.22";
+
+// src/commands/init.ts
+init_source();
+init_ora();
+init_dist16();
+init_auth();
+import { platform } from "os";
 
 // ../../node_modules/.bun/hash-wasm@4.12.0/node_modules/hash-wasm/dist/index.esm.js
 /*!
@@ -28312,6 +28714,7 @@ async function loadKeys(configDir) {
 }
 
 // src/core/schema.ts
+init_src();
 import { readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
 import { join as join2 } from "path";
 async function saveDefaultSchema(configDir) {
@@ -28400,6 +28803,15 @@ class CcsiniClient {
     }
     return res.json();
   }
+  async putSalt(salt) {
+    const res = await fetch(`${this.apiUrl}/api/sync/salt`, {
+      method: "PUT",
+      headers: this.getHeaders(),
+      body: JSON.stringify({ salt })
+    });
+    if (!res.ok)
+      throw new Error("Failed to store salt");
+  }
   async getManifest() {
     const res = await fetch(`${this.apiUrl}/api/sync/manifest`, {
       headers: this.getHeaders()
@@ -28496,6 +28908,7 @@ import { readFile as readFile5, writeFile as writeFile4 } from "fs/promises";
 import { join as join5 } from "path";
 
 // src/core/scanner.ts
+init_src();
 import { readdir, readFile as readFile4, stat } from "fs/promises";
 import { join as join4, relative } from "path";
 import { createHash } from "crypto";
@@ -28664,6 +29077,7 @@ function mergeLastWriteWins(localContent, remoteContent, localModified, remoteMo
 }
 
 // src/core/sync.ts
+init_src();
 function getClaudeDir() {
   return join6(homedir2(), ".claude");
 }
@@ -28892,16 +29306,28 @@ function registerInitCommand(program2) {
     ]);
     const spinner = ora("Setting up...").start();
     try {
-      spinner.text = "Generating encryption keys...";
-      const salt = crypto.getRandomValues(new Uint8Array(32));
-      await deriveKeyFromPassphrase(password, salt);
       spinner.text = "Generating device keypair...";
       const keypair = await generateDeviceKeypair();
       const publicKeyB64 = await exportPublicKey(keypair.publicKey);
       const privateKeyB64 = await exportPrivateKey(keypair.privateKey);
       spinner.text = "Registering device...";
       const client = new CcsiniClient("https://ccsini-api.anis-maisara190.workers.dev", "");
-      const { deviceId } = await client.registerDevice(token, deviceName, publicKeyB64, detectPlatform());
+      const { deviceId, salt: existingSalt } = await client.registerDevice(token, deviceName, publicKeyB64, detectPlatform());
+      spinner.text = "Setting up encryption...";
+      let salt;
+      if (existingSalt) {
+        salt = new Uint8Array(Buffer.from(existingSalt, "hex"));
+      } else {
+        salt = crypto.getRandomValues(new Uint8Array(32));
+      }
+      await deriveKeyFromPassphrase(password, salt);
+      if (!existingSalt) {
+        const { importPrivateKey: importPrivateKey2, createDeviceJWT: createDeviceJWT2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+        const privateKey = await importPrivateKey2(privateKeyB64);
+        const jwt = await createDeviceJWT2(privateKey, deviceId);
+        const authedClient = new CcsiniClient("https://ccsini-api.anis-maisara190.workers.dev", jwt);
+        await authedClient.putSalt(Buffer.from(salt).toString("hex"));
+      }
       spinner.text = "Saving configuration...";
       await saveKeys(configDir, {
         salt,
@@ -28939,6 +29365,8 @@ function detectPlatform() {
 }
 
 // src/commands/auto.ts
+init_auth();
+init_auth();
 import { readFile as readFile7, writeFile as writeFile6 } from "fs/promises";
 import { join as join7 } from "path";
 async function getMasterKey(configDir) {
@@ -29116,24 +29544,12 @@ function registerSelfCommands(program2) {
     console.log(`Updating...
 `);
     const installedWith = detectInstalledWith();
-    if (installedWith === "bun") {
-      try {
-        console.log("Removing bun global install...");
-        execSync("bun remove -g ccsini", { stdio: "inherit" });
-      } catch {}
-    }
-    const cmd = `npm install -g ccsini@${latest}`;
+    const cmd = installedWith === "bun" ? `bun add -g ccsini@${latest} --force` : `npm install -g ccsini@${latest}`;
     try {
       execSync(cmd, { stdio: "inherit" });
-      const installed = execSync("ccsini --version", { encoding: "utf-8" }).trim();
-      if (installed === latest) {
-        console.log(`
+      console.log(`
 Updated to v${latest}`);
-      } else {
-        console.log(`
-Installed version: ${installed} (expected ${latest})`);
-        console.log("Try: npm install -g ccsini@" + latest);
-      }
+      console.log("Restart your terminal to use the new version.");
     } catch {
       console.error(`
 Update failed. Try manually:`);
@@ -29166,6 +29582,7 @@ Uninstall failed. Try manually:`);
 }
 
 // src/commands/sync.ts
+init_auth();
 import { readFile as readFile8 } from "fs/promises";
 import { join as join9 } from "path";
 async function getMasterKey2(configDir) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ccsini",
-  "version": "0.1.20",
+  "version": "0.1.22",
   "description": "Claude Code seamless sync across devices",
   "type": "module",
   "bin": {