From ccc02004722de8fdcd1eaedf84bb04685d892af6 Mon Sep 17 00:00:00 2001
From: everbarry <alessandro.preiti@protonmail.com>
Date: Thu, 16 Apr 2026 01:29:59 +0200
Subject: [PATCH] add cli

---
 cli/README.md                                 | 121 +++++
 cli/pyproject.toml                            |  17 +
 cli/zkac_cli/__init__.py                      |   3 +
 .../__pycache__/__init__.cpython-314.pyc      | Bin 0 -> 255 bytes
 .../__pycache__/client_ops.cpython-314.pyc    | Bin 0 -> 3888 bytes
 .../__pycache__/creds.cpython-314.pyc         | Bin 0 -> 6454 bytes
 .../__pycache__/issuance_util.cpython-314.pyc | Bin 0 -> 1617 bytes
 cli/zkac_cli/__pycache__/main.cpython-314.pyc | Bin 0 -> 29163 bytes
 .../__pycache__/paths.cpython-314.pyc         | Bin 0 -> 1490 bytes
 .../registry_local.cpython-314.pyc            | Bin 0 -> 4576 bytes
 .../__pycache__/registry_log.cpython-314.pyc  | Bin 0 -> 4140 bytes
 .../__pycache__/server_app.cpython-314.pyc    | Bin 0 -> 16150 bytes
 cli/zkac_cli/client_ops.py                    |  64 +++
 cli/zkac_cli/creds.py                         |  84 ++++
 cli/zkac_cli/issuance_util.py                 |  26 ++
 cli/zkac_cli/main.py                          | 416 ++++++++++++++++++
 cli/zkac_cli/paths.py                         |  19 +
 cli/zkac_cli/registry_local.py                |  68 +++
 cli/zkac_cli/registry_log.py                  |  59 +++
 cli/zkac_cli/server_app.py                    | 272 ++++++++++++
 20 files changed, 1149 insertions(+)
 create mode 100644 cli/README.md
 create mode 100644 cli/pyproject.toml
 create mode 100644 cli/zkac_cli/__init__.py
 create mode 100644 cli/zkac_cli/__pycache__/__init__.cpython-314.pyc
 create mode 100644 cli/zkac_cli/__pycache__/client_ops.cpython-314.pyc
 create mode 100644 cli/zkac_cli/__pycache__/creds.cpython-314.pyc
 create mode 100644 cli/zkac_cli/__pycache__/issuance_util.cpython-314.pyc
 create mode 100644 cli/zkac_cli/__pycache__/main.cpython-314.pyc
 create mode 100644 cli/zkac_cli/__pycache__/paths.cpython-314.pyc
 create mode 100644 cli/zkac_cli/__pycache__/registry_local.cpython-314.pyc
 create mode 100644 cli/zkac_cli/__pycache__/registry_log.cpython-314.pyc
 create mode 100644 cli/zkac_cli/__pycache__/server_app.cpython-314.pyc
 create mode 100644 cli/zkac_cli/client_ops.py
 create mode 100644 cli/zkac_cli/creds.py
 create mode 100644 cli/zkac_cli/issuance_util.py
 create mode 100644 cli/zkac_cli/main.py
 create mode 100644 cli/zkac_cli/paths.py
 create mode 100644 cli/zkac_cli/registry_local.py
 create mode 100644 cli/zkac_cli/registry_log.py
 create mode 100644 cli/zkac_cli/server_app.py

diff --git a/cli/README.md b/cli/README.md
new file mode 100644
index 0000000..741fb30
--- /dev/null
+++ b/cli/README.md
@@ -0,0 +1,121 @@
+# zkac-node CLI
+
+Command-line interface for [ZKAC](../README.md) using the **Python bindings only** (`zkac` package). It runs a **registry-capable server** (management + client-managed registries + optional issuance relay) and **per-user** material under `~/.zkac/` (or `$ZKAC_HOME`).
+
+## Prerequisites
+
+- Python ≥ 3.9  
+- The **`zkac`** extension built and installed from the repository root, for example:
+
+  ```bash
+  cd /path/to/ZKAC
+  maturin develop
+  # or: pip install -e .
+  ```
+
+## Installation
+
+```bash
+cd /path/to/ZKAC/cli
+pip install -e .
+```
+
+This installs the **`zkac-node`** console script.
+
+## Environment
+
+| Variable    | Meaning |
+|------------|---------|
+| `ZKAC_HOME` | Base directory for users (default: `~/.zkac`). Each user lives at `$ZKAC_HOME/<userid>/`. |
+
+## Server vs client
+
+- **Server** (`zkac-node serve`): a node that can **accept registry create/update** from an operator with the **`zkac.mgmt`** credential. It also serves **managed** sessions (BBS+ auth against stored client-managed registries) and optionally a **relay** port for blind issuance queues.
+- **Client**: a **userid** with files under `$ZKAC_HOME/<userid>/` (transport key, registries, credentials).
+
+## Ports (defaults)
+
+| Port role   | Default | Purpose |
+|------------|---------|---------|
+| Management | 7400    | ZKAC + static role `zkac.mgmt`; JSON commands (create/update registry, issuance peek/grant). |
+| Managed    | 7401    | ZKAC + `RegistryManager`; member proves a role in a client-managed registry. |
+| Relay      | 7402    | Optional **plaintext** JSON line protocol for enqueue/poll of issuance requests. Use `--relay-port 0` on `serve` to disable. Binds with `--relay-bind` (default `127.0.0.1`). |
+
+## Layout on disk
+
+**Per user** (`$ZKAC_HOME/<userid>/`):
+
+- `transport.json` — Ristretto **client** transport keypair (`zkac.Keypair`).
+- `profile.json` — `userid` and metadata.
+- `registries/<slug>/` — one directory per logical registry:
+  - `admin.json` / `registry.json` — produced by `registry-init` (admin issuer material + public state + state cert).
+  - `roles/<name>.json` — member credential payloads for `connect`.
+  - `issued/` — files from `issue-member` (handoff).
+- `pending/<request_id>.json` — saved by `issuance-request` until `issuance-poll` finalizes.
+- `servers/<label>/server.json` — from `pin-server` (pinned server pubkey + host/ports).
+
+**Server data** (`serve --data <dir>`):
+
+- `transport.json` — server transport keypair.
+- `mgmt_issuer.json` — BBS issuer secret for the static `zkac.mgmt` role only.
+- `mgmt_member.json` — member credential for `zkac.mgmt` (give to operators who push registries).
+- `registry_events.json` — append-only log to rebuild `RegistryManager` after restart (registry state; **not** the issuance queue).
+
+## Commands
+
+Run `zkac-node --help` and `zkac-node <command> --help` for full flags.
+
+| Command | Description |
+|---------|-------------|
+| `serve` | Start server; `--init` creates keys and mgmt credential in `--data`. |
+| `user-create` | Create a new userid directory with a client transport key. |
+| `pin-server` | Save server pubkey + host/ports for a user (from server’s `transport.json`). |
+| `registry-init` | Offline: build a client-managed registry (`RegistryState` + state cert) under the user’s `registries/<slug>/`. |
+| `registry-push` | Push create (or `--update`) to the server over the **management** port using `mgmt_member.json` from the server data dir. |
+| `registry-import-public` | Copy `registry.json` from another user (public metadata for peers). |
+| `connect` | Open a **managed** ZKAC session and send a JSON command (`--command`, default `whoami`). |
+| `issue-member` | Admin: blind-issue a role credential to a file under `issued/` (out-of-band handoff). |
+| `import-credential` | Install a member JSON into `roles/<name>.json`. |
+| `issuance-request` | Enqueue a blind commitment on the **relay** (see caveats below). |
+| `issuance-grant` | Admin: list pending via mgmt peek, `issue_blind`, `grant_credential`. |
+| `issuance-poll` | Poll relay for blind signature; finalize credential into `roles/<role>.json` when ready. |
+
+## Typical flows
+
+**Operator: first-time server**
+
+```bash
+export ZKAC_HOME=~/.zkac   # optional
+zkac-node serve --data ./myserver --init --mgmt-port 7400 --managed-port 7401 --relay-port 7402
+```
+
+Distribute **`myserver/transport.json`** (public key) and **`myserver/mgmt_member.json`** (sensitive) to admins who push registries.
+
+**Admin: create registry offline and push**
+
+```bash
+zkac-node user-create alice
+zkac-node registry-init --user alice --slug demo --roles analyst reader
+zkac-node registry-push --user alice --slug demo --server-data ./myserver --host 127.0.0.1 --mgmt-port 7400
+```
+
+**Member: pin server, import public registry + credential, connect**
+
+```bash
+zkac-node pin-server --user bob --name prod --transport-file ./myserver/transport.json \
+  --host 10.0.0.1 --mgmt-port 7400 --managed-port 7401 --relay-port 7402
+zkac-node registry-import-public --from-user alice --to-user bob --slug demo
+# copy or issue credential file into bob/registries/demo/roles/analyst.json
+zkac-node connect --user bob --slug demo --credential roles/analyst.json \
+  --server-file ~/.zkac/bob/servers/prod/server.json --host 10.0.0.1 --managed-port 7401
+```
+
+## Caveats
+
+1. **Issuance relay queue is in-memory.** Pending grants are lost if `serve` restarts before `issuance-grant` / `issuance-poll` complete. Registry snapshots are persisted via `registry_events.json`; the relay queue is not.
+2. **Relay is a localhost-oriented, plaintext JSON line protocol** (not the full E2E design in the Rust layer). Use `--relay-bind 127.0.0.1` and do not expose the relay port untrusted networks without additional protection.
+3. **`zkac.mgmt`** is a **separate** BBS role from the client-managed registry admin; it only authorizes **management RPCs** to the server (push registry, peek/grant issuance). Registry state integrity still comes from BBS+ state certificates inside `RegistryManager`.
+
+## Development
+
+The CLI package name is **`zkac-node-cli`** (see `pyproject.toml`). It declares no PyPI dependency on `zkac`; install the `zkac` wheel from the parent project first.
diff --git a/cli/pyproject.toml b/cli/pyproject.toml
new file mode 100644
index 0000000..ab97ed7
--- /dev/null
+++ b/cli/pyproject.toml
@@ -0,0 +1,17 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "zkac-node-cli"
+version = "0.1.0"
+description = "ZKAC node CLI (server + client) using the zkac Python bindings"
+readme = "README.md"
+requires-python = ">=3.9"
+dependencies = []
+
+[project.scripts]
+zkac-node = "zkac_cli.main:main"
+
+[tool.hatch.build.targets.wheel]
+packages = ["zkac_cli"]
diff --git a/cli/zkac_cli/__init__.py b/cli/zkac_cli/__init__.py
new file mode 100644
index 0000000..d7e6f28
--- /dev/null
+++ b/cli/zkac_cli/__init__.py
@@ -0,0 +1,3 @@
+"""ZKAC node CLI — server (registry-capable) and client commands."""
+
+__version__ = "0.1.0"
diff --git a/cli/zkac_cli/__pycache__/__init__.cpython-314.pyc b/cli/zkac_cli/__pycache__/__init__.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..04e06b05efbde59739b8929ed7345278b9298616
GIT binary patch
literal 255
zcmdPq<K<!if;yQ8nQ=h+F^B^Lj8MjBJ|LrkA&8-bA&9YrF^EZ-L6f=E0Vo*d?dYtK
zm!FcV;Oyh6@Tg&mLUC$QS!$7jMp0^dW^qYTrEYR!L1I!)s-{9>UW!6;PG)Lei9&LI
zZZ42ptXIWqpl7IO;HSxSi#<L*B|kYn{uXz9JkW&V%>2Cg_>~NwL2kIEtDljdo2s9b
zSX5N0UtE-|53*PvXqtXic4Bfoh!G#3nU`4-AFo$Xd5gm)H$SB`C)KWq9jF`RjbdIP
W@qw9<k?|&j+XFt)Chj6upa=l<Per}}

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/__pycache__/client_ops.cpython-314.pyc b/cli/zkac_cli/__pycache__/client_ops.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..3ac448c35703ffbfb2ca0aef82c7b317f251c54a
GIT binary patch
literal 3888
zcmchaPiz}m9mn5z{&+m&*iM>kLz*^D+%33GVs;zYR6tRcuq4|hYi1)yf{>9jGfBMh
zpV6C1!M)%EhqP#wWm|27IFQpSd*jHp+6zKlii>I<MO$gbfty!lRg@FI-~6%DP}Bx3
zJjuV`cix+M&+~il_wmmc5<Lomb};;?q(%w(6feRS@dfvof@lzpxMYQB+&niIaU&zB
zBlEn=dtPt_@cg_uC%IBE7ImZ0C(O%pF*i1+xXPUBsv|@bPZCW!Ny;fVu0=u1p6=0N
zpcPLiv`B_z)$7xXGx@YpE?HIANw3vtx>Bqb*R2X%j|bWuPZz6Znp)*zJ#B0ht5vJ)
zOlCQzf~>hkw^XY-3vkU}sn)YR>v^3PE0+1T<v1|HQvU2ZJZL%_#Z8M19_`WnMNNZ)
zFyIGU96mf;KK?3*1}Tu0$n?($F`;jme4pFkG){|Xye4R(CTUSk)?%8XshX0L;LYNH
z$JjDqqvp7bcU;N@yGB8lsxFH;7QJRs-QGM%T;D7jlliUHa>=-A)mf~vUU7AUTINC0
z8=3(L!6+5Wj5jLgLBcE<?hj$Y@ie^dkC;R)cZ*g(A`k!x0$3@!4!*(|%jGs|6)U$|
zq_m!MsFC}@)hjbOc=sGmtfL45QL~*%yUyae9z@jAb$Sve>4A?k3#LJykR&(o8Jd>T
z)8@fH0xyDZOC)us9YrOR)JQvqN+HT%TSXNoQvYW?pdQ0K#1PR2O#<(Q`1kOQ8)P}`
zC;8xDb~-?e9v&ACkNA3&Oa+}&!4}%$GOpmYyd0{oA0<oN#YpFF=@eO3!_g&cDKizU
zVn>%T5MEnap9;R4Ef?f`GVJgA<y5HieWB|5QBn}X74rk#{!nQo91Z;lIW*%-;eA~X
zGs^idb+1DeMk9YJ?CJV{U!@@BPj|;d70xk2G9*nFpL0)%e1kttO58`>fw<+aO-yH#
zOu)0ogoT=Eu_zpHyI7)3a%#q=<+5Hl=SA1jjT+>%fq6{vcu<Tx6CA5*GT|Kua#%FC
zDz?KUt7_mxV!2i{9VSrAxW**Y@;i-k&9SmE8pA1YBPs40#Vw+}V3<(FhXq`mMV$Z-
z(wavL2cJ5JEe(xgoWoo!mdkVkuDxWq4WdE*ks$HZ&ZV1|ZZF<het-GaN>e@Cn0=`B
zK2S4%R5N>vdv7+?R~obJh$Id?>>Jyg+OIeJX1Ajcd(Z5;&EAP^sU;_N)EnyU**kB%
z|HiI!>#Ya<=kN8O-+!&yfAPLN^)Pv2=lad-yXSs=;g=VFHSu6*^4`$o{*RkOuQij?
zkL37{azlAH{?Bc}7Y7c0yStGq-<nC0k5hd!WBgMvOTeg?X}F`ufLUDY(c-x%04+f=
zgZ$v)4~idQgrpy4T!9G)E{X}jRBEl408@3nWHNEJ?pltw3lx)ro<P$NCd*OG0v}mk
z*gf!gW&{Toz#x56NFOjBeZYJ40Uyu@l}yy3b_|t5`cAf0RB_}`52^%mC<%%V!jwjb
z3~&KIi+*(e@W0`ZbSw@<pW@K9r3?@wpr$P!BGFGeB#ISc{}qYEkTG8viDF*>iJ~t+
zqUYQbl86q$&SsNz7#u~u(KBf9V9_)hJOv(Z=qRc&G#NB!(Y%c29GWkq`3jh<a+EJQ
z9KssGKi*kX=h0k1GY-bVeDT<F2rluU=Fkn~%SE`uJMJHV0KTM-#h3H@Q@^SIPHpxr
z{vQZ)d8U_q+}k&kd73at2ahlqr57NKloNm|@_(cX<7=z$90L}w!m^IP_7jpoSb%x&
z?KZkS-gEntp8M^JH|ApizH+Bwl6kN2Vi+iNN(YVLHis=ABx`t$UgN@4v-xAeKsW^j
zL%vg%bmuJa;fzpkM{H5!3*sffmkEb<7@xr(gd<JslpeNJknl`nTZe*Xn0!xJDvTd`
z#ul%_0WOHo0*l74a3OqF$T%ih(4bTbCCPURp-vYRafN6e;eVuc;}gCWyumZdqay{$
zbM6T-kQEuHP^^QzO@9nwB1(zC_sgnBbH2j{ED@?ECMObriH=<^xjquQG>{L`;A?nW
z)GpSsI`I&|_|>g7CK?-C)lDXpOI6FkGzp4~pvq9ZKQ=m!(r?44caT2>(I8<Fkooyf
z_xk^oeEC6Q;$C86f4!ObdgHs#sy0+{par!-{6_q}rTg;fR-$*CZzWFbUc8?;)9N3*
zGyjYEUGvsk+u!-*#9%8m(26JDee>o_E7`YGzfs>E*yEbXvAtJdrEMWx`z#h9d+W`i
z$!0S5til6#^RD<RP~q<M6}bZksQse4Zq^K4XNs<`ZNa}3{9A$5vmbMeG?U!AU8=5A
z%tH^;O!ofvxQ6X>8I#G!^aLsdr57fzdhoW>FV^I5R%+%}*}6<;;TGIs2a~eRa~$_)
oa`|s$>{Futh4lQDyaeJCvT%<qd@jM?lF!dVP4MI#V8Wa2Uqz0vS^xk5

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/__pycache__/creds.cpython-314.pyc b/cli/zkac_cli/__pycache__/creds.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..d464f06e232933e320fe09f3fcfedcdf57f13d45
GIT binary patch
literal 6454
zcmeHL-A^0Y6`!%k_V|OZ1W2I7F-c6~4d8`k37e3xA!G?5G0r%#qLjok_7J>)?Y%SX
z2DVXIsZyJ5t7W&9!b4i+ArGKdYT7<De+Fijjyuh&k)l5I%~3=n<*Db~8Gir{u-m?@
z)GN)sXYQQ)b<Xd6+&NxZ;b5SA-t;W-4?Dv=$CrFD=>+@oPe9Bw0wXiG7=ayPFPLQ0
zL8MJXX4y<zPUfIB4_Pi)Wh?#04cRX6GH>wNWxHV6#|YMa%v81P5Nts6ly(YspdFNU
z2~MD0l&%mefUcx;rBDTQHKnVB8ld-3x?0!^bS<T8ggT(>DZNK99cFy{=K4Y+Nkpd-
zbE3!ZA)+Lwi0J9>4;}YRi_>Ew@x+K27n3sZNS<gi?vY6}DWy|H_DqViQoE1UoY7=5
zB}e5%Dk%lvoeM_g324n{ld~}v1cMJ2D?Da+eR%|kc_z%<GWGm~VdBu&#9Uz~Sb-Hx
zf?41Mi(vJeVSl!Np@cOq4Kos8V>EMW>_fsKWhJ6KLy{U7NF~K(1{SoAr^s|vmT<j8
z+FSmK)U@ayixM*Hmq^TiWBBYje{3q@pPP)vB1qubr1tcz=88m&Lx_<Gsf6(r@JKCC
z%`>kU6ML3@LF<Kq9BmgRy?rR_{V#!&i5YM}nz6w{5Bn7mc-SEJZYn`M)21Q-j0E<C
zG1oyHY1zaAucIhTT7rC@Dz?o`n7w5ZO!-+*sCoJzBUnJR)~h~~W=ls2C|A;W@lHaL
zBdJLgV<L$fe{GqO$J=_AS@@WYrQ(U??SRjsS@j{BWqLB6Ae!S7l90uSEZ&hd?n5b+
z)GYCt>9piC5tIPI%}IEcmKK6C)$CIAV=;o9qzT@soV$RSXR;js)8WsCRjw|>)h))C
zuC8!(Uvr(<J@VPeuLtg5{OaPOwAAr+ZQB#u{K#Lq_em8D+yF5|29>&pPWfht`4RpW
zf>P8sikcu`-wZ_;aRTLIi3=JXPjvSb8noJj9~z-Te6VcK3#<?w&@6`NTXA>5MoYl}
z0`NM|j2hhx6D&oJ(F-~(t9gnJ!=$>57S3WKwJ?y>LFF?O+?i&XN=4(6W+!4aPBjDv
zLZ#3H<<)^ax;mQS6FnB{WuAHJtoq{Q=O-89_mf{Hmu@d4mHKYQd18e-Q9PKjJcDAQ
zVt<<seY4oXvQ2_junD|i7aW4qZ-uS9s2Vi;*c2cyA|-BXma$n`lr%FDKbosSb8YX(
zZ-V&I47e!GMp9E^BoWsvVmcL@(9DUXtl1NiG$WEodNMy`ObX7xoUvhXmTLBOWjqm+
ze<;bM)dRli=8j6Phto&{^hmFmO4j-Ut87(m&J67{dt=T5ZO+P6?#<bd;u%*}&W@CW
zscz0Wk#aHC+7}f-=~62-WkfHP+HXOQ7(K$KU|yo|DPPb!un26}ESN?MPziE+e`$@N
z$%7(@y53X@bD4LXhYg}NY%2NjyIO<W#Tsa5o65IZ!?NQVTo8TCrt)pppcu7kP6Kq2
z3Gog&3iD|d1;9qey1TR*Jz_>A5#owWyQ<S9^)X;lXGEsDJW44tBM?K8(Pz`lFs)`C
zi%KGJ*`bd*T~V{fMR2~NR<U7r%~d+H#>=S)H5qVehhb~Pixq}1x>Mo<N<!$hV9_0M
zr7>YTI*UGl^uT8d_}>6A&*Z8Zd;P*E_dose(_h`q@>L6US$^MxdbPo~+TdIADGgm}
z!>LTeDW&0bmjA(nuzH|v^+4NFOl|MWwD&3PXO#o}>Vcumfg$C<aF%a;@PXRYy4uvb
z6jIwxXWC9HZGB49`)bo*rfE=V8p`qqAJwbP9jnb9k9}(AK&Ep*>HI)x9#oqHndX4f
z9L!bNT-F?8vly0ymXfy?v;=BN9=i88`=1iGuW|9H93^kT2<jc?s;HwmSIBpEbPouE
zLJV-Adw}YpJBQ8V5&BkimB332CX;llPpHvv9|OKq<OfI6ivHgyc~i}|X?Bz*wD`H4
zX@tSilpCKmmFyK$q)jDQv#A4Kcg#{CK`yt}F2<R^<2bI|xUgw-Z+`c1eoI*%w#&%5
zFnb~x=}0S9ZCJHq<;Mz9;d5vlqDgc0mjofrF-}s`x}lOzV54@f+c!Ca?>1yWN8l*J
zP~*oFNt&UPV>q>$oJ3YrdJ^JeA}#@#m==#mH|lyC&JD{3H)N#l<UBA@xIP2|V!ORU
zwKrz$jjG+7v3nnlt1aEDE!~ghmEO?WiK|M>HN_sD?|<s3`l9V#+akAkb8Y`|#nC!{
z4zq&3dwr_&aK?G~DPO7b`&aq>i?xfXwT5<u_m_07xI5MwIu-t%4SjE~HFPL^XO?$9
z<()qpSlIW=%L?C^<sC1#vF}3Sgi_kg&0*QLDYer~lj+wkYT=L$q@xL<CwpiLI~qDh
z3#pkd{fe=np+ohs7Mu}lUFxOHlL6YP+j}8I!;pf#n{<26yDSLQ0<&ZAVz&$8d5hjI
zPz&rX*4QQpm-7%?g6B4gg5T6-NCWO2m~)%8N+UoTu}`Z^Z-|8f&>d!=)I!KRKxx&b
zBQP^0xCPBo97s+;$FgzfxB&EqJ4Zdea};i_7<DNEt^gy|EqXSv3a%o{yPmn49*nE*
z_EmTL5>fsA8GpaxA5h%qRrjTg`;y`gWJ@{zaCiCc?|!WM2Q&Ub#XqFDFRJb<8TS>%
z9m-kEcE`Uh*8e(UEtkKj48g8<#O@gshMS%bFR~-_B0It&dhu<k6)&(O?AAb4u(@B*
z!J{R>%>xfYNdfBRve9zj9W7i}gM}~z3m642uG@z%fDlWDfqmIZ&?HGORGQ5&YORX8
z*dktZ6!js$jt-5Lb!=?#m|L-N1BOu9bpQd_;A<9+{Jd)ZEIPp6d%ddjXvTT;_g3{-
z&+4(BCp9alhS%P^q#V1fI0GwOpeW9~*b3s@tqUWAu<(xRJqJu%T@$CfrdHiGb^YHp
zfs_g*@4m{oraDO^n6DS{L(}+tchTQqcYs`mISKyP+2C#JsJAg@DgcW_fRAcxqq8~u
zD6D$lUG={Ecuegc%5)DY-NTCalIjg*ydlMVE$b@b_{;Pkr~jN%y91f-fYKdQyjN83
z^^Etr;=S=db2jDwip*8g*jc<#@AQKNWmDpJLe%es48Id%m)g<qguZ8f=N23aa=)VA
zu@?n`&Z6jT$aOqFddHRxj>dpR5lJKlJXBa^9L<?~XH@5rjPpnVB+-?gku|D$#VM?C
z!d6Ga!F-StvM)VAY?mwHU5JE$X-6j`08@!B!&H}Hb}^1IB+Nei5$ZDhJ=5h)Joz=O
zwy0_^&7uue<&%YRV5Nd6qo=X~L0Ee)q#V1dIIpd6*QlO+do^1m5>Le<5zP^ajL*Oi
zZ2aMjFwvny|J%V|S$SeAF{c0Vw#u_<`1h*+mc(GEXGau+cxR`%J;79lV9cU^hJuRV
zj;U_x;`#-F@10J?XQsq6WD>q&aFQ^X=FBY1{*5{RPv+2brsD66^BZRWH%$F=#<_0A
mzu)T)_^-Ln!*8thLvXuYZ-mTuy%rOPb%#NQ*jJ7M3jPC6nP?UO

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/__pycache__/issuance_util.cpython-314.pyc b/cli/zkac_cli/__pycache__/issuance_util.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..405ed7adf1f534c67f5515fcb3b17ef97886cb44
GIT binary patch
literal 1617
zcmbu9&1)N15Wr_YB};NFaFmpg){EmLR-;OhKT4sc5Yn2sZi2nw6(l6fdi5eLmUcJq
zy`{EKI`rVuLv!dMx%pQ7AN1Z!k1<UXXL|{R9(uDe#q`#BPf}9cKo5PeGxNSi^JadU
zE2l<tfa8brFN2>nfLCHN9BSWCjy^=A2R3lH2ez`P+)%kXA#8O~<C?9V1zSH0og&w5
z18q~<hOJ(Ja%OAk2I<6vGRvb;5;iTHv;xNI=1nj3T7+5wV~H2~#CnjBgfMG*d6T!J
z(7Lv~Xf>%9gv`Pj_tr_dT2|7$7lsk{co2o`makxB;uFKf51*hMO`*{P2kxmKeGSmW
zwezr|v=v*iRa>($NZYJw7hpH@hj?PDbz5}n^wzrPS5E|&=IJ0>H)y8D+9oF~H7Vf<
z4Yw|L@Evz}5_iZQxl^&;qVC?^1q|D~AJMMInFw|=ovF2>E~%|~ly24-^=r46u3fMB
zouDS7aD_2Ui<|JEQ;j#%g6j^RPF$CcqMs~&tpC_!$SGroLhO&cd!PwjsZ0IRs2mzN
zKf=S{4@xR*c^z|O9DR=yk+0=pCgpZtILh2$HCC$-YmQokg(^U-JNj2T0Cnhwqb;MK
zlcV7@HfHtV?Fr%EIC%!3QEIfD?A%~y0+y}<jKF)~V13HU){-rAZN(&P24TyZrUWrz
z9LrI$Xw)InAaUD`*DIDE#BD-3+2Cc%L)0kwKtg5lHtAN&T3QkqxdUhJz!z53i^W=c
zMxJ(Gr+#ptJVFIqG=m~F0#3Rt)uM!_8WvyR@IcU!8HAIX{cuu^ggzU=JC`n5{Xq-D
zLn$U?{a-=QbGRof+CZZR2U!>`J}+F{D_q=J|D`a~`+R?PzIXk%vD4ey{^j@gvQyjU
zqci*2{CBx;at{}FoG0V;r`Z`?c%Gfy%TDfm{A1?l@n_kahZ!iA&|6`w_XRzLzW?8!
zhGNlyil$LkXdYD`Y56osr4%KxF@>TB$6zQkheAj+g%)U{mT02xNA*uMg?ou+C|&$F
zngYvJZB<`2R?WnyLZU994+-cTbsBRGXI8(ZE@A!!T!|5zu@UPrLY81BdovFNbPJz}
zw)2{~K0?!8vnv*9<P*lQPYJ-f3FB6adLg$WYIPz;kU0q`6U~YiG5m7o4Lx)m7gEJb
zm9<pyQ>DoSQv*KwDHK=aJ(<EeoV|^O7gw%6%hz}3AK!kovQyt)d07AU%iZ~>`T7&R
z{@1VhIuliTT&(5FW}0!`X5_nWnseRz3AQfLKV;+6MYoaQ$zPOJmBr|Tn*F33HIokc
il!{7<Ho)FNaiA%R@&Z<Vhsjrv|I@_ga(r%B#=ik(c!nGR

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/__pycache__/main.cpython-314.pyc b/cli/zkac_cli/__pycache__/main.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..389222e78aa6537a64ecff8ab75241c5d81b01ac
GIT binary patch
literal 29163
zcmdsgTWlQHm0&l!`u!x;5+CBD_z=aG_>f5I{jwzLK|QE;iKZ-vR;$HsNiC7=c6HM>
zJBdvPnK7kgM^utsQHgiO41zI@@vfQ00HJ|d#93f5o}Zm+He21PFbiXoU?+>+g$!9(
zAix59&aJvt)vc09C*uKjOX96tw@%&Xx#ygF&bha@dfW~JT$A;m#cGcj48Oq#dX-5L
z<Kx$j2E&wrGo%cc44kpwc(N>2)`0P{epAXs?o5gycXP^2?v|8=+^s1qx!Y1UxSRUz
zCmkt={H-(Pgfyn#b<&-3lQc8LJt+@~TOjUDc}d&~abL<u;x>qvr^*`)ua*Z}XjRpF
zs)Dmu8aPL#Vbqse$2lSHB5^<GhPa2s*K=No`$&8PR}S$C60hXeLEKN`Ror@rZy@n%
zt`g!^BwoW+L%fE>H*y;xUQ6P&Tph&gNxY70fH+Iy^;{#wn@GHYYle6WiL<XZa+`L)
zY%oM%1ZoYhvW<pbxfu=6v(4l$(3-AJ-wcm*jK?EU_UM^@Haec-Clm45c&amC6rJJm
z@pvknip9s11MtiQ!>Q|VH;?eqND?BBk<l1@5{f7A$((@K81eAYYq2Ec6dH|>ghvrD
z8RcJ(@}Y1dF#^MFz(2eg_%p%dV-_M)h9SeHvfbZ?N<&($;YH(hBWL8wI1|ToL6tu+
z{~nP>WWxNlWV!;vM3_%TI|ssJ(PSb#5*00cG&RAGi_AcLJo<qF3btI0^JC#u5({h+
z16|kSW6`cFVV<AtO7bIJube)7v<n*1h20Rs$XGZw-kF#bU7?WN`e-P`SHS1h@Rw|W
zV9M~n4OPY$jh~ZH@V7o9k@;RJ;W2<1NGmadmks_%EB^x8J7pNAt%vpo<!M0R<e*o6
zA2e%Ir8phLgb}{AJpF#NoOBH;T5A|Ga)x%N3Kg`gaT=pJ(l3u0ul-2+HmLcMLc@5#
zi0qPU-C!7Y(KkU4jj4AP=@MlcNS_KpV;V@)kSVy1rmJ^a&jh2%$*;bru|~u21{$Y5
znJ{a<siJSyyQXvtl)h1YLt{ghU>%LCcUq?*^Ce?1j4)matEQ}aDNP#&8?{eT{KD(O
z=BHDY+%3UP&v^@F4>7$mE+lNjtrRxcMq}!|@hO}bD(h88Q~h>}`VEbdZ%tZ!;+Wxf
z`Zm}}W9l8gFa@`(&oo9`M#m@EL*J-(3e#oOtsi}@eqd-cTzDNv0(wK9ISIR_H=flZ
zv$jP;c1>x!Xy%+{$mlY3m(ltH-mCAdYAVdh-Sivve#t-xF`;Rk?W|KDD&c_iz3Nvq
zmT(U5r}5xH8dLAkYG3dL^_j*Xw<9#J-Y@($?HgbNwq`@X{s&Kr5057kaX!^~BN-nb
z{Gd#<0$~NZo)m4-H-V6c;y2U2v1?<gP%N38i1GwZESDZa$tbXcROrgi-akk{W6`lI
zGEjPB|9C7F3y;Rq(FiLs0X7m&h1u9Rn?8Fqo|t4w#+q-~RGf_`qI@_N=ac)`1VGB%
zBQbGhG&T~t8J%RW^6@dYxZ(qWCLZUY$Y24Ym5(OlqpwFrCI(dyt+8b2YHTzrn#XQN
zV!X&8#TTuoqmzj+Jlc<3N%oV*i4L_G$Rs`*4aFj&{p^XegCXwRnPcMm1Rurz2|;DX
zBOyNe+C(&&5}l+wq(pK3NPKK8mKsCm_(m*sJ(S?%@vEZaC@@Y)gANgGS7YO(UqrXm
zc)24*7r-K~B-!)8F%07RWcc+cyeB+VX|-r4$v9}D<w`gi-PtSJVHl$0Bf!r^pFA+o
zU7;(Jsc2HPM55%4M=mfCo*a#bBfz+M;P|40kB){XLx>49eg#^{Bl{A~q;%0vMvH*B
z#=_&_Ytab#AmHMW6YxknMY~!>i-aU%S>mQ>8M_wZp)XC)Wuhq=yCxb#qH#<#lXCf;
z@M#h=X=T-mFDDs}j78+;ABAVaiT?_?<dk8>>78Nj+3(uFb13g@$~c>{&X%dZg4Ox%
z<hzqole2z--IlA~map2AsoImT+Lx``SFpM6IBq#+d*@rG9m}?^6@S&eGv7P&{efxw
zO8NSG_1~+{mN!mY3hs4zcYVfPpLMg-W%#D{d$sSyvgK{lmK9G$-qW_^Y0G-HOq&WG
zf8N7pJnY=MeB<6s<KArJ{>7`GgtMNL)20=d@6Nef=kl(WjH{*K^5)B%GUZL#@|L-g
zeCy6k>&|TJ?#0$m8b9G4o66jdY2z0bgWZ$2H80tk=lX=L`*JP&7B4Q_PORA6cf7Z~
z1(#1)w<+h^RB*FDY0WovFEw>9?9BI^%JiJd_MFK!oy|85W|{`GO+$j~!WU+f-SLIZ
z;I7EK*d-U#aDL~)_Ju21*PdykoZ~DbG;GgRZC}{FY})~8f^X}5-~3L&)4go#!Dr8_
z%eG4e=%sUa&&|EI>~Fi(Hy`;Z{y}`|SOL1F;cmm!sTIbPXZ%Zye`fH(!TSg2d-GfO
zXSVKNj6P(7JaY3tUhLyRf;I472m(ePMF&ZkBbY%1GZG*_NFw&3bY?N``5XhGru`A#
z7yRT=tq8!8%L*aT4CCV_f=xg(<rmsp!Z@r*X+fNiB^UBV$^$^oQKYgUPMnfUBWak1
zv0>y2DpC|pF#tCkDl3-WhD;jXq<*U_cfq$tEnnlxhKxm=6z3JWIMa}EZ<!00N~Pri
z$75)_fLoY>TUhw@@KG8`6cSU35m+XGHpC)n^Gk4N)3&|r8+<$!Wd{Ow{y2d1*dwAd
zI-Z;Ws)@ini^(VmN%U<4A!G{GKnjmknMaX=$B_*%guIBR37{Xwh*)+rk;IWeQX!ED
zFOmq%I|SS)oQm>i;59*tI7Frl1&8O()>~VrjsiyKZPiP*>e=S3t$yn8irsyu_IB-e
z>ZgvZF!nsdE-~y}xv*(Ru5rf#zs&4~)OXK)>)g!YSx?U2I$yQWGw)qyc0=;?v6<$(
zm9sVqF0eZV$F7IWZWYl0t;mIyC5XmCWVMCP+A#hA<fLFcV{HE10D(~3`3Ua|uo!`x
zS`h#ymxA#}2*wZ7blsH*;GjVd<0)3aDx_qE0q_d`D_O634Fa=A#cTaJp_~6OQU`KD
z`8ul$T3?WLQ9^(#VH#G}7{h)k&0q*BD+iiF=Ar2l%qF_#p?OKm=zs}XC0XspqR9_n
z!3i7_IQ#%GMC=Iu1Oy_3h$%A3(TQt(EvDiqh#MqK1qni4Enk@!kAQ^2jDpMsToFW%
zB*A`>Aw1q3nHYnGwmcOW<oKc~K9LfQe92@e$H|~%i}DYT15GgIDnyWP`tr`&C1>sI
z;Dd|zFJ_&afolRUZO=LD=lt(i|F}Bm+>&?nWE?$N#}1q|8}hb}C0hqj{@4exzx6Lh
zetzTQ8`(YmpY~*J=U^H!_V2db*>Zc!%!{+HEjt<?GEFM-eTB2251OOQ0+(^q=LQJK
zEPy-C0=TIa0bp_|v)~}$!#~xEd^O4sxT#<_tq9O4xpPWry+MyBXes)0wF70t3RlpZ
z4}`ZA@dsK9m=~*k3G07tJ(Mq*HGEmLdQ`qN52JpCTtQ_n(iE7Lm1>;EhLu%(u!g3o
zcW9rPW7;)uXj$~0uxM(FQ?lfO92DM{uySV3!dZt*oK2f2XNMHKHl@pyu)!$ntok?0
z`A48FwZKa`$6E6nW@*)eO*E$7359M^pJ@zg(Msd${lc{&8(sgw+BiVp3~!;aU^|Ve
zcPPUS6ws+d0bL*yxcPGc`v*6rH$*7lvG0kn0E-uC-J&k5aIGksfJTYl5)ueY8qhbw
z(h2~)auk;?B*7ykj6`{|+7!JL30Ubx6+*|O@HP;rlvaUGxma8bN<<gwv1lVQ0;~Xe
z4r_QG0|sB%aVZo+LQA9*(H<nLO;{j`4qR<YYbd^pz(W1xwbTaknY^Ha*3jjhMXDT+
znh1H-1gg+ck+~iR%_wRK2x;dpVC-cG0uE^fbqzm&#p|^YE>leq5zEG4sg#1gkvsAx
z%@B&?!<fM<5G0YfsB0%lEGp&%iHYQO{tW;lRC7C#09GnC%%t*_n=_T0vlVUmifx&S
zZP|+MsnaW7|DCsPzcm|q5W64CdfVpr=e)ZXTYet+IFR!m&3n#dJZG|=fvFQK4)2|=
z+g-Dp=g#G7fL-(gyRduiG~8~O-6(9{ldIm7weJP#N?O3oI)&DqxvHI6+b-Z5KL0(>
zT~FQ@$oK*uw&u6&UD~pDal3F}Ft_ie?3SUd@4{67if?`1*S_RypXai^ZBzXPr%$M8
zp8MKDv#|3-uKT2L>J?!)BwSA9hF=pL{M1og{(b%3uTOow;Pnd|HqUQd7!mfK&h0!S
z3|tZ}j|h=e?(&4-c^y_~4u9TJzvQT&O+A>rKRMs>QRfGpivb~cKI<5SW++VU{9O66
zqxm7zqVkfjkf|Y7DokyovGsEU1j2^4M|htfB#&xE0GM2;+$Az*1t2sqH8~jwsIq)f
zl5lzPT+!|+c7(I1<kGT%=c$&7m{`Pa5@kbWdg^5q*zr=xC6M{rRh7&j*2#mBFr7UC
z?a~nel^o$65a2R>s4gSq(5i}toay<(A;(an2r5BTOOOkc!E$}B8$mgzVM7#R%{`}8
zb}NjT=0b#1l}%}t-1;odOzQ>gPZ6*675Bqv=^z*M6e~wHH=5J)6xYwg3Hm*#%Ufu+
zdMqobFewUUFs#b1fMILdGA)bVK}n7)OLFO{r-7}P>3t6@vs?L&qAE>*JDF3c#wxj>
z2a({HTtl`Y%a9#Z%erb`Sggx4F5yt|aWz%&kOLUCmEt6AFIDvtM$Lzy9-^0WYfx^6
zu1DWYpE?Vgy4d(NmcAftypts=T1ne_J<5h7W1x<0lUR9xjq_|GoJ_JE9rUY?SfmqH
zK@4gK_{&g|#GfS2%t}k5>zJ%^Uqn?NMJB?B`544RC(RG4CoO?Y$w^RPCQ}j69*B<f
zlgU(c?AV*2*mbB(mmkAiaD^vQ?oU*{j_8|-@OT6{KjH2C4TQUi0kU&`6u&S_I#MgP
z6*@#>+=`A9c{iUx;5`UzMg1;hsbSwviG9C@uWeBM5L!cd9v|&kMd|r4X7LUtS|o1H
zPhiS7F@?Djk4z@f=%#XUS-auH1>Hz|d^|dm;=c<JghPx0m4T()TKROryJ5B==WUxh
zS+IKZ*2;{vGH<P3vR1En*4>HUj?Z4tdN$uO73}W3y&C=t_UeL{oofLlW2UKF@bug=
z{nq9#xL#f<_us3zTk}L#E_$nH%fB-w*fti*s~#M>e<)YJCGYFW_<FLw9l*V1wr|hc
znt<V#Z^)N-ER}c6hqL9|KyT=-xD&b^dT)>xldbE?*B#8%9n99fkgq$LsXLjiJC${x
zo;t2CE9?}GT+HozCA;NoS>G^}R#ADc<8H^CNod)TV|QjNc7Y({To1b8C1(?Ae(ksH
za03lc##UXhl^1Lk1>3rU-2+-=*Ik!jt9$IWx-3(DU-%4WhrFU4oNHWmv^-=q3rU&2
z8-UaPQ|omQgA_Y+gYgvDnK1+<?IRLdh)4-f3joL<0Q=34t3c{pT>u!y%9Be^XG4gY
zjs}wwm16xO5HX##t(MI_W7TL}jS+!{$)rn+%Z3#;AFQA)QSVw!D_9{>Z&`9t3Jw-!
zMeh>?fur<lG+bh7tHF}Ic32DORLy$UWLh$3hJMpw)tr_+>#QbWY)pD~WSTFn?emy3
zw~C#bl<^$9^P0-A!RQsOkU7UCW0wV({-1_>PAz7^n%fqn@||YzI2ZhLQ)UPPn(|KH
zGJfIDo;OyYA@_6_X+DOmsy?3caz3scT3fEg)n|_HYIsor{suZ;2y}e8b(&eDj~|Ly
z_&gkdk+82SOd0en`+&FGl<rg_U_D3f3l|72JyHzBHCk;$P)9fdJVT+yPsfSk6^xgX
z1GoP9W5ap0Y6~rH6kF}N4WO^6OrL*oB02%W3`<O`ESf08<0DZJeTXR+<QvH_3U64|
zkjoMQVINC;ns5~l@L(@x<Kv@~fliHVRY@}pm8d+xFNzc(%Uq(JSeM7aeMu}YvH=ry
zhfiw<CMoMBV`^!(8;MjV+vZDOnxl#M$aS#jN5>-|-VO3dzW!jAlr&+8i`M8k)C$b{
zX?$`-6JV{ri87(+l=}e-C(4y{&3Q0HM_4&C7CfuK@)I6Kll?%TRu$lM1wBR9l7ukS
zPw{P}29l*ZDLPZ}o6&LET5ZBAFxW*rq8h&y1C+mc9BdxfCz64Ps90p<HJIe1lAN{!
z-y`NdEu#^kjM(dO*rB!jL4ZTA2gx1|Ze*{a(cdEV1%D6UG6|xOiC?)PX<KyVG(XB|
z%J9p>&A$)d6Ry5O1h(Hw`jYoHJ?Q*l=e+-;>JO^3H9ZTXxtb%N4F284UtG-93<xh?
z&edGbI>MlYsHn<UG%Zy$&GiVIU&u8d&Q=@&p~m6KJ6e_;Em=n^XgoaSdC%sIXLHsQ
z0ELX(pLerMZg#FB>uv$bspR<)n3$_)TOVw>zvV~mApXn@-n)4BV!^iYy`g+v$5LI#
z{7Am@P^R-xw)1ed?nu6_KU3GAtvg+?)x38+U)#P^+dh9j-*F(*aUk1qC|mnNzV<|>
z_C&U}zhG;aTPJKfl50F#uz6?7AGxhw%hU-Frd;KB4&FXE+wvfAKL9rRxyhV!8<-pz
z+q<XUIW?1-i%gwbX0}pWTi=5l_iy}YboSEx4q@Z=oPYbmu4QH)*4r~ZSpeHzkI=9!
zw{g3s@>Obs{4-bY-MD+>`=bTh`X9Uwx~-+k&GXi5<+gm~u1w{wY~>!Pm(wzJ6zT=C
zp`&5R(J;rnZ~w7<zW1X;9~@ddnsvPJwDxD2X@U9)uGYEKN9hmJfBlWcYq_ptxy{Fg
z))Ru`<U^)k70JFr`SAOIO^STjY`g;UA%?`}fe|!%;9ac@d_XQYgg~E-kGo-M`IXCu
zMOMEx$cIG=BFY64vi~P=)*^jA;jAvXU78zc;8(YO81&>tsG(nzksK|u7=rFzx>mJ5
zpvBPgG)Duet&ZlQ-Z{mCjI*Jq*s-$638MB=K=c)Of1(U!*YZhdy-sg}%;PAQd6aQs
zh84LZ$SM_8B6?EC^A$ZH2QZvdD?QP&=pAHlwM=9jB^SxTrI!P!yILr)o{|Y=UCyoh
zrBzd=VkMz@foiowjnmlBDk?2fPmf+{tJad?yn5daS%#6hk_&p#rwe1I3MG)N{xs?P
z%g*d_Ev6A^eLJnKdgm(O-#R*HKxO3z8Ca13RX8e4a=z8u%(*o^N<UPyLWP|&_kz1L
zFXSlwg!4eJ7L6F^g_NSP;GCuSi_-OlZ*xT$`SgqeNm(gaPfZB^ogb*{jA4ZaaqFSH
zqP&S0&xRpKvEPp7i^||Wr6?s*nhTw6^bR9Y1=|JSFHo%txkRl8GEp4VVkkHAGZ+LR
zKqXx`HIYQOzHnrc2v7VhzWo6PcM-%bxlV!$AQ3IUhcA$=@&5{gAqXTn74(3T|0PjT
zdM?H%*y|vGvY5)IH|%3o-5-lCL=hB3(>q^EM)$Jn#s*n$#&&jgf~HdQ31*Y*`uetS
z5@~oKQ2%@Z7Ck+v{7%$^{2W#{fq{;+DVnZDQ$*AiUEp1+m=jABk33Q)9<|&&(ihPL
zu9%W=`)@Ffh`vPXMU^%2e+$T}MigWDzrp~`e=ryz;`944YC<<lyVA*`6}&`<Ing35
zGr&a_Tvqi}jl^Q8h_GaUKZZPs)WLxv2^5ZBPJaE&=AM4NNM@@7F|g}?*CQ)KgfPdK
z6v7Ht$GdO5^Tza>S!>noiJY|=HK1?be*3+N2XFoGEy+P8+pv3aPp+Zw)0The`ui@S
z{}thtkZ|I1uHkal8=huX+~tyUXWkvixK+zzukgZ!+`gByTP|kZuYlL5r{d1&?a|rZ
zIcIKTd)Ctd7DInc-rut1Z<#wk-;mq1C+pt}exsmR^xpF3ZEVKI7F_FBT;Ok6yW|4z
z8lh=Nu5M@6wW}ztH&?eK>)HwapertLV4b<}FWp&JeZl4V!fgeIO`l<1)xFN|bxNK%
z*@~_6qq&N`i-SME`0>SD#qm!oa}~j9D@fRP+_&7bk@>-C_p+_~GZ)Ck4|d((^`kun
z*Sa5^pY_jP``2~Z^_vSWRkDv|>vres4rS^NW$O+XTn%%6p><ELac{v@KgS50cIDXJ
z1y}Rjps?j|ZqpHvlPet4mPbB=uX1i<uC_zi*f}2+s(W+ZUg$+xwaYBqHbH#GGn<+_
zoom>ZsqYbb`af;?bc5gtF56y&cY^15-g7qNIs0iuIDaWO5XyQkKeUBE-(j%*^O#f-
zhZU1*0R4m@5bC-f;eDZxJU%Tk``{}gG5=7~s8X^1PujWj|B0Va1@sNM^yKD0%4g>p
zW;e=-Ku@cfK=n+#z|B!tj0<!5Qob~=;Y&vMON+)gNk>x~RLrEbOwe~JI%GZ5FVxb!
zih0tisV%GKOJk6OMQNFBSn&$d+pq|*x}HFgsv|)US%+-s>BONIla938Ri=6m4cYZ%
zU(QZzw$Dgave#e+)fyTMouC!u90});!)G`S{g!YIxr!xzC{;1c($*Tt?ineM)3ACP
zbS0b(hO=dML%m_hc@+u)2LVN%<Xq1;(H7~06^T!4uwQlboW+tLZEwOoyqnfpSI%-4
z%Zti)AX^3x&@a{dh5w@2Q|A2&M%nkQQ3gp?cO1BKP2Zr#tmFb*^U_uY50|`zM=DKs
zsr$2h>c|Zrp<e|1XiU9B-ac4USJ3qVEeE7i2S}#tBp);f(S#CdPOL1_imIEGh*O&6
zo^~1Xmjqe2D)2<3HzkSo9=shOa&5Xn75rG(5sRCbs0vh4oqip2`Vj{I4g%4mWOohr
zR;BoVi*Hak4m1<<G=B{fkesNBQc<eB<R5<?U*RH+n8S$>$>Tg1y~Gtw-PxlWur)?)
zVg^U8C?Cgw2&jmg#LUbuVC*9da6tICFnAk-DGa`i!JlD((^n&YUckqfAqbSKj%xgC
zkRX~#SM#{I;8PeRF(8KR*YQ0_rqHR_pP~hv@jxsVjS0~rsn&`73)XksOeJYn%K=bh
z0S6a<xFmPBiX#20)VZGmIN|QKl61PdKU@5MJnQXTsLgo~e8T*l{TKF}w?FUUG9E7L
z83gqy=qk_MJ~w+}ZZuchoptq09Rqps&ZS$I^6sq}_tp=O=iB!$weMeiNjN&3JMe0@
z{ZiH)0yV3igPWcs+#log_FFV!H!L|DR3r8s&n*uzVV9%*+AB16FZAVm`!c<Kg6-I2
zrv=T}k30tNx;xizU7wlEdKy7TEO<80aZ@J>?((VQzjFJhjRmJmaMz*Rcgy=-Kkj<y
z++J9}Vfy$lUFDx!4W9LnYzCX>TW=8&uIq0`es<%hH*&VaE1oLZ=D&j5r0SO3b+cFJ
zUd`3_WZk{c6W~xVc57_*_}qb9?e?sv8wx~`xIW{mpM8D7n00kSpHkmDy%v4uDi_u@
z7hH9-seD6MrlG3<!gS;TjGR`Ojb`h5^L6_&b^Ee)2OinYcE@9<ldLJKRO|geuj}6L
z02>uK(`9Tx2lNJk?S6#!g%o*wTF$h>SHLCBk41vR8jS!vmtKUYBXKCXC{29IGA}z4
zX~DI!&hy-~VDFP+*Voe!LS3Ha559^XR&S5@^PTOWEI125Pq#%|p1{51)!KGSamsm$
zBuE{%Jkql|Ql65(R*qD3k!pDwp99=S-l)EzG0<r>)3|!4^()y&uJ(M33QJ?47b@ND
zjMnxdDHiy+PHR91g?<NUe=E7*jitLN2e1#Twa}3mp%$|m?G)PR$OYc*_7dAG*=?LY
zaG1D|A%l!2*|4O_(dcA|b#-)-Z3C4>NBnBX74WhGrO$XIe)TG~vi>a;!T$#cV7CqC
z6X9RLlvxPUmJ9OUvkfY1<v+pKgr{P6=rLCQ7x+T8P~sp-nwbX}!@iOjBK85_0|6K-
z2`iHrHc`&tFj6;eWQ_cO#DK8H{TTZj3{Y_54`J|^5QsKZ&5(mLu%A`7C-J-Wl;1@|
zvVoX5*8OJyC4|NT3(_gWZxs))uZXi1?B2Y+CS$M3+H1j)8@AH5-)^5t-J85SnRPUR
zrL5Q(>G0(pwHZh4?D>4%&J1Wj>UJ+SFTR#_90pL&y1b`p$phBR`SS~n3&3)B19t$|
zw5pu9aW3`#<c}xkZZ4EB^yYhxW_pea-F=@N6IxE?yr-s4QuE-+Wu_J4)5m9a&ukGK
zbq|?(m8L?MkP9g!(A2e^EwZ*PcV9r33URj>_u{V7y`VI~O{RMnL5To2wIWhA3<ia`
z&ymp@rs;p2Uv`n145sla#J$+<Y86ti)=Zi7N|J#PM;#*(C5~T~?GPVuubMxN!ErBe
z;0qP>!C2v=Z}iM|K!7TW+o&N&iqjVmJUGAsd~M5$VT)DeoE4T5wsb%7d6j%Oirrz^
zHnIhU-OA!76gD{lPN4i`Kst>e3@d}{umP4(FczInHBKRtK09rNtYe_2{sY5y90ZpM
zr%I$mI}z=Pld4LpPC(m5Ybq{L8CW!<e*OAHDh4}AM&R@WBEttvL?VYh^*kJD5P<_5
zz*Qj$xR3NiA|y3PNK~iVG2Fo~yNd7y03?|G7Z3qz;`GU;`p)~ES!ZDWOwPG`vG?bD
zKHiga_I>hp&N-BKgffnh<eh-?xnaqJ26WetU7#afaOFJv7gIl<{CG0wISF%{alU)@
zowKto^Zu!`%S`7A<9PS<w@%NPX5Y@O?_6fOa3-IaIXbgrmYKaU_co|Yh1y+$WA{U5
zk2;yY!dd-)pxMf-HXGYNH$Xr{Hn^k61~;`L08B20yj+!LHLc)Rs~S{x7OZKjtcO-s
zy(_b|)QG3dG8I-UBtA8}74@GA4>PQ+*jx<T2^IRJrzV8i+pU?el{7Edlx`{!9~hXM
zX2}4B1|o^uSN0Q3h8d+1A&4`QOIm1u13^oeKGul8jsb@OPBxK2FRZ8boAVD5U?T>L
z5R~k)m6)?MmDJ+-6@Vlt^(I8nTH={b-I=^K`JJx3qcP)X%sQHZ4Z<Wlbo<b3PuAHm
z)rU_--Z9_EIeQi&Ka2e|mUABZWOL5h|7q$UCjWl&)0@J@OTw8@&KZKQ<c;Zl%S;2r
z1yI}f&A|@zEf1NkD!x*@RPdE0)q4I>TWe#7X2@IdMDZD422T_Wh3c)3NMwPL64c5-
z(d3dnQOu9)rS%T2<o_#^r<4h=GI_|lWF2k1dWW;kU`3;0b*oGk@KPv}&Vj9!73-48
zc9IQh2{Z=sxIxdindks@Rzk41Rd?;sW!6krWJl!U@a!U;J|Grp)F$c>BJ$2v+9H_r
zif$Wpdv2KYo^(HY9n#Z-WWEeXL;xE`HkM@Jj5k<GAm?P;$W|3;YsKbd$q7M$PSGm8
zO3M6L-X<b>LtciqXq07p@Dc60X-_Z)J1>;;i_#8KA}Np00Kh=NC+#{>k5VFM4e1gd
z<meLN`4z^n4<)*jz}RjKl#(UxE^qiZr^t?y6hfSWpoAKEki)}aN%A>4{C@=yGC>81
z09SYUX8if`mP~m|*0m|`>d3e{vaT*r!^m1IvveAUayo|Osb@n^J=?a0-k<IH>7JZz
z|J30EV}AF<J11uP=6a`2EHiB~6)M>5(`R$G>d$}*y(nxxnA>y+R6a9(_xkVl7hILI
z{s;B<!N6HF+n2BH$kcWeT+|Bew1CCaY&ToJ@PpE3dSJHq!Jhkj?sv?k7g~N6_-Wv$
zb&HWtwtw=?+|fbd$V-A_=pl1Kr6`ng03DH}eI)kJI$)#A2>4{;(L%%{2})NghX@|#
zuT9`_O+h?TkYDw<nJOfG$gc3X8Qy4ge@;SSLx&WRDhThDOI`&SAJ0R{t2^Iua2BR|
z&|U%wBWiR@E|ioxGbJFn&oYSRlw6WYM}fk<m$+B7<l;0-eaO`T8@?F{qyZE!x?g~M
zJ?G)PyHM1G>zQyq)m@z{2POV$@EZ4a&c6ou^_u)QaFtxusx`0XYPgNGM@YSORwC-k
zgR9*oBO1W!_i-Ip&)H~>gy8G-aRZgVARkjuuS`X*T0@yE*QhCz0Yj2rnN2X7&9r7v
zu0B)?KyBh$HDjX>w;ABt)&Lh+Q>o9!4E@rdjT!pz#h9VRJVv+o{Sqb{;M~<!M|=yn
zRnz-s*y^*E-q(j}FX=6Ps1B|Z;JP$pWY%qkA^@zR72CM&npRjqLAjPz=tGsZLLaJI
zRVhMidWz_b{uhCg*{ToqY+TZZ?*;0$qlkK0bbGVvOW?##ZkMJvtwYu|^`<^lX>aO7
z?dJAyd%1lYoY05c&mG_nt^w{4jL8c{^IJc^()q0q_3Zho4}X|DQbd=nx+9_ptZTsU
zqg<b6L~yIvTJT#Rs&qv3p^lZzWqqhpoYseWHvO{c_6$lt<XS_|9Oq7Gdd3b89c$?s
zeW=o&(T6$-J=4#f(%`B-Txs9vLp{51?7DrU7;M(iH>bHXn!a%iIduExY{^LLLzVW8
zK2$MP9MJTUKKy<t`&?09>cc(V=lXD^eXbAnY#Qs(?Q>Q}$F=a&AorrC&z(cgHTAhZ
zRB4~<LzT`{eJHMEl%2XQZTb=|J<knlS_*DZx-ESP${i{iVSTs@0Qd45;7a?%rQ42{
zFVT*R+$)-PxQE=j?I@K$^`S~@rw@fv>eq_6lRn(AM#gwmBm25_+uW+#W&<o1FQx5@
zBYC<3kBbKfAo;NTHc6L&)&O!0ejrc=t}cB1n&<@g>JdJcz?1X&cOmn^KpD{>;>i%N
zO~mlrrd^PnZsI2B>BejuRnK>fgcIQ_;NgxX1>g{S=6ZBAk+yVn;8|Ab_2<bkP|`8V
zpy-DqA>v?!Fo{fR5{^y&Z;&tlkC-`pK#o3kBmp2AO7RoXbccE#vyuVZrkuP9ZNUS6
z$(GnCj}5YfM@TD3j?Rt_eBFU+m)Ji7uYqR$9*P2^L-cBRVl<WZ0EBcbumtpb07|>?
zd=S_wD<%DROgbJMg@g7}(KqQXTGZiCuPK%|Rk3aAPFrb@E&Eb3%5Fm+|41x}J=6({
zc`Tp*A4;Q@vhe8Qw0(Q`uFh@nZ#$eFi$K_$S0~0t(oR(0;AQ~W!kTV9O72vNq;x6^
z2Qq?E>8-9#M1n5<IOLFafRd#{8v1mrRx>5<Gk`G%2eGShjamwa0?UI+;PBuh>YLN+
z&xEf;M+so+I&3zUa)nM+2hrEjp^Q!k8h_IbK{!|hJ3)eeO3Q`0<M!mVav~c+gLIqH
zNC{o(Kq)3J7EJ88e-<;qqbk!@7&qJ^AsV*=CYZ-TS(20*pk|Fnilw`P5UTkk$HR%_
zb?}o@D#^AHv>E|J{&;jWkaj}}1dAn<4xBGW>8CMLHh%}wHt0!m>>Knw>~~;G&VYlS
zhm&E#5oimV1YmIStQK-^O1kT;gqbXv#>pt0cLPHOr^}_-wl}WF!(*{7a7|OJWC6rm
z$U{ESEnO~c7m@7nL}Qq4<p8ZyF;GsTYEH%$c^boUpk4d18xMBDfT{=zO;;v5?9wo#
zPxN0^x{hRv+s?yRlAw%gXJHSt@{)~3U~4-19+H#k)by)h?MrDpmEcKJk=9bmnP^8f
z_-lt2N+;Qf7O4x;J~|7bnq;?2djBzLgSfn1Ub7<}x=-2zuTIr{fR<6H_Gkin_D!f2
zAQN_6T5+)iDlj^lt`9;ee~oir+KLZ5g2rL<5FeFj1}Pto6e8}5bXuS#Cari_b`U4P
zbQf_e*((t)H8U2yM-W9>0;VD)=1;s9rFkilF=^U;6Z3Zw$C3_du+v+Ma#wKz^TWO-
zGgx*~LEM%+LrB)?4eDr*A>HhdMlXGoSefZd&G1k=GSM%~M=h~McIUBZDvYckkOqQ`
zLrO~Gm$2e6qN%v_oW<wzm{h7->GU>Ia+sAG$KsKPFm0eIk`5gR3au5iYZM4zy7o9U
z5-Apoht9HX(avj~(6!-FIEE>}e*?+^%7%nE;1_LFr7C)gb*iE#9D!5ZC$5lRZQ+yX
z@QSA*p}tjgVI00BI#|hc_wOM;(UpW5DKnQOe-x6)!OldxP0q9>#~G3%k;pcC9z8+%
zPcc9z8DiTe7P)|j|4)zrHu8xpa2kD5EK5$nJtmg%_?HmNMn=RkIB~Ho25~r>zAQEd
zd$I6EES5z31$v>Xmt<CVU73iD(nj#;jYAZ}{|i*LVEME8^0tO0*b@IW;b3Ulb{UlC
z4rks`lX29{*%$f*M@`nTXX@x@cGsQyTlKS6q4m^seb#<@>PUgHynF7Qb2BG@(!0<C
zry)+ATV`HT66c16-PbVbI!!wJp=p5t?Uhpmf6IqGiwpuCkdq3w4J&S6!RIfyUwULW
znEhWE%x23Ym%(f$Wev=qM)2J-_<Pm()J!Yq7TO1~axZBrx6IU0;06Q^P+*s^^*jO(
zYJlfb2+}TpFmrM)C3N>=(kVF!en@A*FYJF6(=KViiauLQLuUp)T(=Ox&-T&k)#Fne
zt)5rtd>N~E@wwG2Dz|^`{6a6L(C%5T-hz)?HF<_G&&zAi^W29mi+-Umj`<|i2H(Wz
zZu<OGgJ(|7eM8uL1%XCnpwhb7g|>@Wmsi$amjR*ukZ^n)bB)Wn7HpLTUq!(^^vFt(
zg#l!7P-Hnb9})IEcc^qQaOU)Um9}y3ZN#Tdau>qs5(W3^M`nYg>aoG(uuL5R-(wj!
z0b3AMi#@A67x&^*7_nU4ff;mahHn77?A({=viZS97iMydj@8MzRZA^G8lkF9=(>!>
zhSg#R=E+1>5TLZ_1Z%L^gS1!}i^V!j0aqJ|Y(O5XRP8CWTCU!TS+vs*@dzESV9ma^
z_L@Ca(|Ixpd*oUzS9f9wU7tDJcRFu%7GS5On}gwYR>N?k(>4yb4Sq!;1HU5iDzv~U
zF#cr*&Iqx}iC>%VU5Jsy7u3X;=NXdJp(HKW^pcbva$AI|twMJM8xvI<Q(9S_XQ4ZY
z6@HQS>hYiW@wv6MJx<ru$$uh)B#(?{RpaBoK;t926QJ?2%;^6dgXsvlJ#BbIV;lS#
zAHPh#P=9@_7oPD7B1FkW-#yFlIHa6g4pw?xC>sZ0Ertvbem@6UIx_Pl|34vH5Dn04
zko;<g?2X3YudMM7fF@0;gV(?=ot57?n0K~hoGn>rt8_L@|2zHDkv~628YS97A^a{B
z3N(q<P$&`~357&QD0FoKB}Vv_Hnairk1-&QycaO`9tO)8;6@ib<0o}}G<HQ2F<4Bp
z;o1&=`%Ur-Mk}l2m1o764TDV>sKUoEKE8p$cQJS$gJ;PdlB9wiL)wdtKtT#>i^f0F
zFiDiK?H`LrCPt$N`Eme;|AypWLh#6BG#Y<tX!xC>={E-NuMF;A8Jxc|cu2(YYeUs<
z49?#fYJP2K_%(*j5P?&2+?DWiFBum*Wq)G9U#feu6Mh8cNd^2M#1jvkhySD=juC#c
zA5Rs0(r3i8VxF8a!Zz3^FB@T#!jpRNVtrBpPH#_q=+5(`746$kZkPbcfB`VB>GZOx
S`j?FD&yRm@GB7oy4gVJvBGV%P

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/__pycache__/paths.cpython-314.pyc b/cli/zkac_cli/__pycache__/paths.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..6d77798e7b817625971a194f9eafff735c829fe9
GIT binary patch
literal 1490
zcmb7E-Afcv6hC+7?(XcaUr>G&)@~Zwmbeg01w~*Qx=FQ7vJW8+>+aYtuDfz)Hq>4=
z3JQ8rDBMRMvw~jxGYpkvPzZeTO%d_6bMAg<B2;JDbANa4z32Sy@0^)y4fQ@iTe<Kn
z^N|5;)1+!j8L<5a2#PQUI*Y;(vsr+!5>;#kM>VPrahnG~=dGZ-S|QtHyL2~VkHl_W
zL+q8<qbr>d^6gOI5Oe&ATrO`X>`XpqJ;FJUCG2z(X#oAnh=PjK{dNRJh{Kq2>kU8(
zpS8mimS#HBl`zAg>JII7+`_aAA}2UbmMMpOA}^*AwnY&;oU7q<e##7wCxn;{TOt{L
zHr&@APG&RVxyeM*ATW&_tlsHar_L}c{7l0Temw8Nztw`S2#3Jf0Nay(K2jd{aRrj(
zszwJS{dWk8Fj~D9j8?P-h!N8h7Nc_~Oo!3hlbBY6HE;<c6|A!!B3rRYB~zr58>Lbl
zFJ0Rhdi?PIoU4~^9&$;=93^i#9y9kMBl0;%eQw$gC&2_I6m{gNT^z4eORk*3xzwc_
zK@m3njUSXn--2(kVWFY)^6S92=;!E{;qTq+J$<W9_g4M=E4*Ju`lHSyf)pw!qnuu6
zUDbIQ8)(@j+_=qg7c5g`QjTibLJ$Xe2gx<Wgcl!_t1daq0!l~XSm)7|s~Du>1?Qjc
z(oh<avm=7IO<JuHFXQxhC9A5(;kfFkGQ*A*qz(?$Gm=YJSwD@K8>x&C=Ws<5YLsy|
z{b%3bF14)t11mgm#G=|a|0R=X#*lwigYwqY;H-WR(3R9(8kV@69r3`u(p>0exn>ZY
zrbY}`Pnr(+V>c`P7=TfVA}tQp?wn?E_Ah7S^vWwE*vg*igfMfq<!I(i#<Gq4WJr~=
zJFcn8s=^^fmcU^ti_&)m%VqGJIjbN{gQ_8dxFE&2fdCts*S{YA$(w)h=2Gg@$O>;>
z<JUK}rumjtt*zL%!Ch|$Uk%O=EJccgYy8TFzpgkWg$iko&oCwm_!*+_1_>c3E-|&!
z+01ykOQ|zt^=0CdFPL^`DxWH3&AXx#_fh$+i|BS$#@H5gY=d_T+78_G4LZ=UZx1yr
HmrVZ~!&>~c

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/__pycache__/registry_local.cpython-314.pyc b/cli/zkac_cli/__pycache__/registry_local.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..9ed201376da52c5a2e8c094fe64897f6ef7fdef5
GIT binary patch
literal 4576
zcmc&&Pizxc8h`#j9^0{FCxj*t8&7a>fEb8@X!)m-0tqI>3}7S(j3)LZnT`L<&Wvf3
zu2k=8rCy<`6e=N=0|!>xLyk!8fod;%WHPPBealKnw1>T=3sSYW{odFUJ7G)G%kGox
z_r34``@L_*-}C;C0F7V-cfS<9K)oUhYuFov?KKNT4Y5c?cMxlvu#MYQdz8@j35V)1
zXQ%3f*)ic7cdPEE%%ggM=bWI%y{b2gSXU2X-94xnQfb!CprmK%`qb=fQ7j9wd{Gq2
z>cJ9U=I4Y$Ocv%uMU@w0d0F69u~LrhQ}~h)170<+R%Ic^E3tx5s-zS_tx8<ejw7t(
zaMFf-e7RgvO;hDEtesh2orl>44hu@&1{)$DGAQ^sVEK9<5H*xTckH8oLZ|?|UFeE!
z-p1NkJL_Pbtc!KC9+pZuA$RXT2|C!R6svRC0eN9st`r5X3~4G$-Xf%b3%Iwjr&3k9
zf+)-24`H_q`O4*`j)Iss6%LR+-TpIz+}yJjxx}jqNi2>>QuCFPkecCTc`>EP`P9wK
z`(r7<DYdk~=Q%=HC~?I~o-Yndi`dU`&5a8jCkMe%2Yi%c@Kr-Uqhq#l+fU|qoer!y
z$ns_Ay)_ph*4(Hgyyh`U3c0&}@)GhjSfV^h-5L=fVC{PS!ehc^&ssoQ8ZZN70NU|p
z0Y%YtlR_x#Y*TBJdr-PbNsgQ&3w}3`b-A<66FIm|qs^16P17v#jjC;$ZipG!C?%_$
zJ4*oEG^|W=t~)5*#6|M7#R_dQfMu3owrSkBo9*7jg5|n*cedvpQiz>%rriw<iE4|!
z^KGlPoqBV&5V}rR?Zc>QKfenhiEgv){cpB8I^8_qob!%t#Btf4=|{+m`jO<@U=7|j
zk8E@^2ca7i**$M_t$p9IvEiIA?P_R9{+vI{{Ia$b0Qugx<vGgAS?U0d!M8Q6cv6sc
z<lq%GO`d&oWQQ!OHSa-CAqQJ)i?X~}(XuH^(wZ$D*0p5}XZCQ*&Y~>)ZN+eJ8N>aq
zs@ql!&o*Mbqjt9ygW58NXIp-}Tl(>4M=YdU^RL33-bRdfRQ$H~;mZZHM_c(>l$B@7
zD}|=XJKh}GQHyHLP{DTAf56w`<U;B7x3l>SY!QPEY`M?Cw)WDom7nPoR+hOA%cC{_
z-=DDm#c2m~wv<Qe+{TH9Hk@c@+lg*<nw`_9)={=w=%%14t3qQ}wM(>!l98p~(`Tz<
zu@K{9W#PkCQ}&^#&d2ydNi4@iMX3sM>{N_2Kh_HRm>6Fy#z+%HnmG_D!}JYVR0XAB
zH~d?rQa-Tm(Okx=<pQ{BwoAkGwWJ+;BwmKTP{EY&5jf*23o_{raE}?CYeeT10lGSs
zn>m)oeH#Q)b*3ohxdma-6gI6&LTN^j+pTsqtR%T|7X)BaE|><92EV~j#JL8OMCHqQ
zq1{8zI&)LZ;ChoL7Pxugqb1t(Y3>*Y6=+cfZe|gHF@1M57<oZ%Y{z9{w-m6PG|Ze5
zG_y*~I>2|#$tZS}7NGmYPSQ1E@7Wn;!aOoew-UvH#y-skRxIFdNfrq3O(bODcU3`A
zvCo9N!NlG9N~t8OB{&_9)B^|LRc0|g2K_bgM81frS+UF)#U%j;Hb9R3?LgxoNr>Q?
z5f&vLQuSDQ1lZ;^;3|O$yJko+;!rE`26EV|2r>jDkvs%Cadr{=EXX+6kb8z#1gH)#
zl!#EyR|*0SHH*fq4T3**7X(v6sg<T*zg1YK+ySR2lkOGb@plD|lrZE(WHM<*lVP(q
zWiQY&={T{!0jmj{jH$*-TEN~W+>n_Az=i9BIENc`!IAq(18K9w79{K>R|@PmK>=iC
z5ps2zb%K3u^@HhF?a1Uu%{o<yUo2L5a0-ZU&4m&Mg+w9|+c;!$TfjRY2U3>n2+qKh
zSrp_92+iw+9s1rHS_>nW|I^7oOg<QR(p8)M);atl(zAT}v(tKnsa>iE`;1^h3nuj7
zzS{VUP?r&kuZH4!XrMOn1KnZJ1FQ6aPA6((b$W+E$2B_sXvAPnYRpNUIsMH0x5GL;
zSsQ!N*}WXSA2m9YT4%CO`HVon7U<Ulu}6#%KcdBt=<)Q5_^k8U_-ltf?5<sWL!n5I
z5l*az6MA@GE%W`^OL}DTo1v!zpI=*^{%rcufZjd$War9Zz3b>VL$yoKBa=V)Lx#U!
z^Y<J60nI;9r$R<}SPKv9;X^BXR;Hhw1lIv~?Ht^YB0HB;_fvY9sb%V&JC=9f-~C`o
z?;NUKtcM{eqlFngytkGCO>gj?vrg@Ke9T}*R+*8NOGf&NmcF8=uj<S-gSn+Kw{+%q
zo!a~Ot}%Fgb@2F8${3x{Mkn;qj6QhD7`&<tUeyP$xBD0~(&x1FIX!(rXT}X?N@J#U
z=1QH4Jx%}^tMMZ%BgV*>HZrD<oYUjyjrgP%pVZ@1b!zv+yGAs%8cnS@^k~|Mp3tHv
z^ysN}fzLQJt{ocJ4_(xw86(PSQC5#$YY(3>(pfE?)zhrbTs4@R8go-;rt8#u4^Dh}
z=8H3W-+{FV-R-VTzS)6X^rusQoVs`6LGin;p(jurzgfqmr4FVKj~RXYSNrxq$>@Ef
zM&B8&5B$7er*=L}7`;QQy+eOFy3(ufKdJYgGI~GIdOy&6&;L5mektqVz23DT6>--x
zZ=jH^bSvL=9encfx6TtU{ktE0{N*QKe4<AWtt7r?p3Z%B;JNR@bLWMB|7*;Kx-Q!k
za{v14uJ}~ane<@~#}z7hj>9y^%~r`@6mS729hOYGH0(6r7VvYX&KJcQ^S=O@bcL9*
zZu91=#eBwOKQSZs$j0+Xoh(%f)uM1(z5+aQ8#CYiYYv;u_C31wBZ|L5fxjc)KhVxs
Q$oC`a{n<^f?xu(T0Jprq)c^nh

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/__pycache__/registry_log.cpython-314.pyc b/cli/zkac_cli/__pycache__/registry_log.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..fe4ca0717b35f04a019dab2ba2317efc54a39ad3
GIT binary patch
literal 4140
zcmbtX&2JmW6`%d!a!HC5S$)`&ZHlr4IfP}>mK9rZ6}PGl*Ro=p*&1})C?+WGN@mP2
z%&z1}Ck8DLIW1s02x0+s0bK$pw;X!NF@J(2rlvYk00VB(_9j6#4CK`JW_PKURU@>0
zz|Op#ee?C+Z{Ga&WGLt-Aiq2MEI;BU<T<{$BHD_uI|oXYXv89Sh$f5+S4B(gL0ue|
zEQ!~$B||NZd#);$!oSJm-m9vmI(9zGr+E$$O*upgVau<1L07pR(0ri#x!$4$KyTrC
zP!sz|Jh*TnWl%G3S~1O-fr`#w&z7<?28~V4$EZ;$WasmxnOKe*S<6VyR&=Oh#+*^I
z%tTyZfo!Q%wz5{fTrzLKyPV2eccGTXO7l4Z_Jt3M0*?f*yZxY4Nt)adM}AF+4sA!t
z+rnKz6EsniG+Fa#N>YNQdH;?MVsZsWq+mvvV$b_sdjS^uj-Jn1@4$iwV=&jd?=poN
z)+{YC`9`^9d`@5y%5<3)vzCc#IL^)_@0N>3aw<#deA1-3<S!@2E+un?d~)GlHkUz#
zIxff*$}@?|JZs5hoc$S@3~hyBg7BCpps12pL=;lO4lkGVZC<bSkJ!qWx9ktQU`ldM
zq){h;0^1Rvf`X1nVQZ75aKBBW0YWt4yfao0_VhHF!0RMBnoCM`wY|C*FqIaP!X0q6
zI}*Cw)q4Oz==xi6k$EdwieYA|@jm!FQ@%%WMD%OEq{El*JhRsHsgchGuqfrqI^g6+
z+`|;RAM+IN>3Pch_i5fTGM4ea#pL(Qa*28L*<!_vixgeK$24(M0|PV!6$_ZzIU{3-
znjV7|?(;W5sgg}u{cz%giMrgeE_W>JtGCwVj<4k*Y`*!y%}*{rzV`986?JuBt>?^_
zy<fMFes#Zk^QnB3hN1Vrz)^+<4#yZD_dmliiKoOv(W~})F)|bnHT7Z90!3V)e2pAu
zd=nfiy!ZipH;+JpfRTmQcCbLWK(*F$mcQ;T5A3)!PRk$Qm4n1RM~(qj!;X${M45r5
z9VH3UM<yG9OW{VFq!*!szHbr^FK3=%r>+Q-xJ@o;Ar)}-y;>6!WZ0R{?FBBAXb0HP
zPAoWV6z0vFndyANpy&?fDU`Fi$$XGlbO#-HteG@pSPnLr4A~}YgCpjE1ADpP7=UrO
zf5$)pa0FT(jy@QDc=4l)o2`*W-xj=I_~^ot{<!q0v^uj?s&$^L1<qG5!-pmLvHD0|
zKD;ti3lG!+C)VT>dr@$GjlTP@L4upLp@AS-XvgG|Xv(bzqNWSFnn$5P)N~51J6Nn8
zNpACc_$q(jTQC@MadL}iw*UdDl1aCnq#A%|G?Cs0fGR?gRKzq1lPeWMD$*owoJ*>a
zP23g&{nC;q40i9exM8oz|1{%1*=Ilaq~%6$Pui2hbJQd*%qvP-OkoaglC-i1z*MB^
zBfO?1cZMD^K?(7ZD1njM{@v1@3H<OeA@{*&bSCXhA&{Fy6X70}&O1QqA(Mw(gS6M3
z4Mw@=jPk4h!=nesLf$tPzO;IWjQkv~*mg_{aCi|^O>%qOJ-XnVUx2TK6dukdxvi&t
z!<hF#z^-WfaN-lkmjY(Ug)5pdHJdN!v7*BtrfInttJvhi&>hYYd#yNIu=16H0px=7
zjl5yT%-Kq%Of5r?Cz#I!I$>m{&JFW~ZO>}+2MC$43z0bx+W*VNn1<_hKS#RZ+z-4i
zV88(ajl;s?3X}1`v!Hw8e}=nZ0o^bSn$H&U3kFlBvZirvnE7Cjx&arb!Mt<mr*a7{
zSHa+X#kmaC(L%O3rDrcPhm2($_a;UQ<y^L4UIfLq=!f~uv)nsR`s>|;>)nI(?veHG
zk*#oNJsjHz$5tXMKm06O3!mPV#3P}<hB_Y1{3gHc5sw_^sRSmM?iuqeWJe%pPz%El
z57Cn_Dr<GO<Pb!ffL5BsVi1c{XcTawI-kkw%x@Z&ZcJw(;!Md_Dn?0X9v}lnlgTE;
zoB52=Y|)_TA;o5xOtC3u+|O?fCKYEWIBY&c^Ey3)Gl+0UC`d=9-eVH9GRc@TnUH5P
zF4)ARI}mflzBEEMk9A!~e+o7{!y-Gal0W-Hb$@ijAFcUg)k~YFhpJb;3AQZ?Tfw$^
z@YqK1*m8Cy@cU9NcxqAHigeT?ee03FdL+3XNq!;LB4-zs%}{$i6k89)YN6wc(xw`!
zt6l4A*K*%7t*OWBYJ6Rdul7Dw2X}lV)V}Q}9Y-F&_2{inZ#+=ZJn&F`pzerb<nXpc
ze32JK_W56cQFJ*6CYKk-wjzh>k=~6+?@I5=#Ak_G<jmqvw%WStZG9VUeJf*Y1LywO
zf4<f>vUqv3HM}(T+qunf+hhMD|MJk&aQ`z$Kf7}IX*j+cBprP_SZsHbme%UEy<5b+
z_Rxj=+QYCS`S?Dnu6Z>@Q#D`G1Bbxh#FLm<t}qEWI*>a1RL@(6$vjiM^6%lyCRE5S
z4!jzNz{ot!SN4kdgy;?yOV&14D{Z{`;&onqW$<b(1za3H+8dRjrz?$({ta5-x^x`?
zTXs)<MNZ56lkqhCu^gDzMR%N3gGITM@9{THJaC-G7507OBpX(6AvKuVZFw)nYxrL!
z({We>PgnGH&~C&PicE^Wfdw9Fo|!nMhjVFXC{DzI2P4C<`%j>D9SgkaP5c!Z0C9L)
zi+$W}rbgd}k34R7K&g_g;Nj)=S}<C@vMKvNy#B%UXD#8S<C`sqo^;l`;u~G@)swZZ
zbM>w_*Sp@Vb^U0w<>-^?dNi>SO{^}|q8IAXvGwR!EqZC&iw8wgJj#m@@r0M;r}8l#
z<#>pBGa0>{%Vd~8lbN1{A4B|uLl$JGElxq<568M&$WJ+cm)3j*eqksggl9ayXWKQH
zG59VxJoy}UYEegvWqr0_T%>6*K>(SU5w|5l5dK7d{1<ZkISGD40^gFu-;&PfB=Azf
Tzs8q-p#LvJK<Zu%xzPLvL0u5^

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/__pycache__/server_app.cpython-314.pyc b/cli/zkac_cli/__pycache__/server_app.cpython-314.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..b5d84d8f67645d70fe1ab4a6daf6201897b526cb
GIT binary patch
literal 16150
zcmds8Yj7Lab>0OQ@5LM78zT4?M2fUTTB0OM3Pn*8C6R)cG89{s5s+9>6d!;Wpd~WR
zl#|Icq~k=CovG;BGlm<trW3benl@Ia(-}|OX`D{d0t95x8+xLdOn+piolucfC(e)d
zoV!>6gkVX2B%St3JooJ0_qlh^J?Fa@%_gIsf^e(q=Gc4n6!mj_kb^>E=-dAS%pAp0
zQR*p*qx<M%im0L*c}1Txsw6QJWk{@wsz|Jks!6PgY9LnjX^-imI#Pz|(;qWL4Vm(6
zl!bIvpYfO}YC2|)nvYqc7Lum!vmUcWZG_hVZ;#rmDNY-8aJo{8)0a{cmZ+060M8P>
zgfjwfB77-l2HryWGR_LTjqv51qK@*|X9rLBc-;|Rc!n1ud)-f-=<ab(2Brd|{3JgW
zZOMNTbO*xW7WYJGBrtIy6p6Y8ej+gA-Z~=iLC8B6m~cNm%}?{5Ru3&20#j3=XdpTk
znu-j-Gvf_JFF>sA2~11`h9`KBQZybB0+W1jkdH(ln`n`G;lB`=3Pvsj#(A-<@Qq*U
zS`aESjzuEVfvFMRKOG&LfETR5kB&v6!i;|+G&-xB9S@AOPL57SM`)Nb{KLS&pAsH#
zyMdXbeAH8l&aY5Z5Z+Z$kI@%sj^-4cl4IIXI;vmbyo)+)iWmIh@mVXW_Rw&|J3Txx
zHgbZW5!C`8off7tNnB`x=Q166gMx0U&xeG`Ks16qs1@7VE`%oew&8#v%(O*>kv0@~
z+sMRN8&>Q`CNpM`b!&J=Wc~h(BzeDIutFuJ@E559GDm$tDQWX9B=Lq_8zkO$l04sr
zbc&1|84N1;BP0JKVCJYHd`E&ev$o}DjBBWl%ww4L(OxWD5c0~a3zFcmh8oh!Z#y!w
z2U*h{&;tzBl#d4a(!anok4j{4^dg%tJkco4C&*m@nTi^u{;{B_>p$9m+RvRj+3QgV
zER+|OkTZg#Xmkq}eBm6P9-9dIBe?!X{PMaGDj|(X?-5|;sCB(5t*>0wS0?qYxt=vf
zlV+R=#`(?QwTb5^UfYu_*}gn;y(YzUtr<*n#|0Y{+O(ET@PbGbWp%%`#Hlznr{T1m
zj$=4IXW&@Q*rtK;n*;+C6`7IH)YON@NN8l7kG4vYs0{|90e^5z5Kv~Ka&lDo&_Pz8
zyuA9!XDZ|^{IOtURv+P`XNPB^eB_*H;GcmHGvW`!w<j7SfoJ%vFg~=&AL7}w=UUtY
zp(*~HU?jakUckY5Xu%ATv~-DN$pR$Ag$ZYX;41XewDT6BYx>d+B|hFX*)~+jY^W*y
zmJJPIwUphpp(CuGvXyKY2+LBA#tkE3O_W-H%Z#if?);@?hsKDw@93~qP?dBab&L+H
zK@}>(no7#2F1Ap8G^cDqF=v9j9K+h7Z0+9cVwH2@6834cd3AYt$tID@hnyD$R}h9!
zf+ToxO%?>GUG2pY6$I!lQ>?d~s-+^ARqmG@hxJ2FIn}54;u<dq^5>i_VHhfxvz*cS
z4DyG02|gp?Cq84|c=OtoOTg!i3Wx-`#?DKiMjfa|VJ0YVwVa-d<v!qi)low=a>^OD
zBcp=C8lT2nC%@0da>=l1s9t{SZIroO3{o|DJ-KI@<J595<v48inK@0qOv4tRh0}I^
z9!Bv^9K{3Y&&=ua%V%r0K14}<(ULZw!rLtOIT!n^K3i5ocAwI_J(nhPKD*q0H8s>K
zzxAS`D+nMXhBJ^l87T>ru_~wVVRk@0aVDSL+g?x<9_5*6Q-mG8ivDGgnVHD!`~O=q
z%Uh{(=kmJk-JSQ4VSQFvR$-^l>D_a04!NSR9cE<Tz3DzXksm5%2oEK3%V#2Sy8o9T
zaVwGd9}<aoNqqnvbWrAUF|2V@(Uped>dxhpx!fv3JrK5rOUPQ#<*n#La^74FD=I6|
zVqc#uO-}#7dP?M(xnDhPN?3bz|3#35jYtAkd6l$k?L)nCzkEu$E(`T|>9nGinpPYE
zjT<iYmELb<4=7H6F4a+6Ab+@&taG}*1KM(sw!Zyoq&{>+?w$9T%;jQ`qXK3?)`ew6
z_D)|J^uPS^ipNVHubftqQ9MOam*CqCmxn9DCE-f0#8-a55pkuyiu<OQ`AY7aUjD#&
ztCVGZ-+5y|wqMA|Ru!&<zE_0HQNsOS0r^%C`A&Z-`9A1tC@K0iROOAY_+D-1DvOqM
z!FO~bH-j<<`k~6_lK0eN`n8RQQR`rat2h_8#b;ruoeGo$?0@}oEx9;v*Bi*al{r{9
zj;#D2li%jzdv`zR(L?Oe)8N?RH!ubixa^FLQEqC8lj~PgL9isMPz#=x-+6s9my7dv
z7#DT2dyLwrbWvlpn>zh~zQ{Q})xW^%-k?Plx}1@L4^2@aFck@hglOx<NN8%-g8rUg
z^47>3(VB7HB0Lm{`iFOQe5jg^p5NXnDn}-Rq8Z)>qB*Nr)S=J7V?NO&u_L@d%86<z
zuc!!(pBBxsQvn`{{{nwmG*5@YV9%>bExi!gQD|4rEt)65MU@}N_=sqclc1sqsVV2!
zhIxKm)P(t|;MmltXcBmEuc36NMMK6RB8BvP_yYK+gg1l(GZUdeP#Q(nO&$eVMMWdH
ztyAC{jg4aR5mChpLP(fpr>DlJLYJo8AQiW#MbygfsIU!0F4{?b8P9Z_p9u%RFF})2
zWClV(Uetj{+((>b(R^MAP5LwPhODA`I1u4Mo;qkR$d8chq&l23;**K`F!84SkX=Bd
zTqr|=1}aSTL<rhN4^(6Xe&iXE!E&MstB8ndsYYQZrYi%%pa9MRC9>c>gV_AU{}Giq
zK}Oka8pIhE4M85N1<Yb>79R2@LD)r_B_5Qh!NFi@CCnlj0Y61XppL+z<AVY^4x$q$
z%Ac7hm|QYVFttSDeq5^(JR&j?=#;1mPEUrR>zS%_y_ZM$Fajl_4%YJsKO7ht7j<D_
zY%1#KFOPV(2<U7HXi*DpB(+G;Ocu}@mS#wOo?t1WA~G&AQz&G$wDd)N&J7kd5eaJ{
z0tUZ1a0wjC$f$r8BNUB-D+<dU62Q+^hNj^e)>}xVM@0I9fQFDr2Sj>Uq=N{1JdN(S
ziY%ze7D#L)!Tk|Ia?S0C?tmjtzErt4m!U9mD63#wo1^YpC{^`Mqjm1chN72NIoFJ~
zw6QT^Y>Zuw?>uy)=}^+xGp|@T+po+#JF{f_+Lz{;b*uB*maALR*0zMTZJo8H*{W5x
zYU%M;{4e^KKOgTreq;Obr0Ycdr2mHN3rRL`TdA<==hb)AR7vylu5@!(qPZ*Cd?4vO
zIImx?Y+gQmU7xJ%NodRFHERZ29wd-5Y+qw-8<%NHXS||c(0_xybBU&G)l1Q&b^E+}
z&E&W;zA*l^$$90v$#&)9vlo}_uT;EP5j&bJZ%LZA&nwqV*2RXeUj)WrireZ^hPriY
zY1&$|YORUY#l~;c?o3+S=MSyh%hUF{ReN2mC%(1wM*W_oeee9?HJkI=wyWEgxR@hp
zYn<;{W6NNq2^i^Mimh44r-oIwAvV6!d7XRPkz$X$$Cf{LYRz7{<cL>4vQqa})AyRb
z?}^*Gp6yvPTH=m|l(FGsw7+gIP1_q1_J*{5N5Z~ir8a4Q6nj;Yw$&zVwMkn&_Q`zZ
z_`>nU$kL%0lVTe_cCQu(QpVbKTj{m!SGUKM@%l$^xOXLOyP;-B>9wO*k1qARaB`t{
z{?H<Q)8beRu30Ky_N86hS6$nehm)=yX;){$)tPkdU9-4fYfRVfT&>-?vLjjhXu7s5
zQQMWQJ+Pr+?51aXHuRLqDv2N?pdJ6@d*@`T_lactlZoCZ-lkW&-|GEd?+=c`L!$l3
zxa};F+Ty8{v94JE)=TQrC3{v&_FS*K9!Zw;%pc8ku>6*ZYHIy2v$o1cxEJ+H^wN%{
zK+L*fpvpbVHQ#M`qv1PEYh?|wr(d6bb^2SE*2?N*f!Fz0`EQNF+t;2+H|<_++I^i)
zHtkI}btjs-lTAIhbt-4cEf#9NgEeoc40h8(&qf&;Rej1>U$l?TifiYto{P1|n|9x*
z>r6WL%pX~IRHPmCtB(5E;BxhihCNBg-uYgb#x(0ru<n>Wc7B;pu^qXkwAixHa}(B-
zGp1SYx~^QAj(hgUZ3ke6w5BVD1;aNFUpxN%@ukQMr_zpX3CFhO-APA#O53ra&3-k%
z`PDwE<1GD~yDW75*LSv3tn&^<tG29bt!ZuLs<!f7t!qOGFMbOElJu#4o&7L!5;VoL
zJq&k{`p24Moe=%Fyqw#q|MAXlJv{uRtGk}tZTUBM4+T%FJB>&Wx(92O$!f)51C^|y
zk*`%E-(VZut=t6Yp)w~3(^g;}2GDC`0L0S~5Kq$4s0AfOjlQ9ztr6!S$eMtN#RGx0
zFl36L-;TiAR>akS5LgXjf~rBB0o9PxB4nlmPD0EwJ}H!^sO)$|c$<fqDXS5qQGNtk
zrYMF#g_%4*8|y6yh$_f7XjnCr#oNxPd<xkPz68AxMge!rqGe~)S#L+@(|HkWEC{mi
z2nbi!GWQ}9TM(dqy*G=2<r2B97ntpx!DlFjkO4HS%Jzo!v7DOtBVQu^2-+hgco9P`
z2tLDRBq`gH5xj#USe(x&=OAd?F9|TL&mn4FTtx)|#%GdC6&t54C(iJ|ddv?~5BS)Y
zeh#F-5-GsS1rHkmY((g?$X%|J+4hY-?fue8y^WtmO`M4{w=sa)>53tSd8?&9*GriL
zX<D*UXp-ON;(J#O@tE3jIb=>AH=t&gI`oTBb&!zf7oiDFg11HHa&duQ)FFF2#4oyU
zi*innRlrsS1U?1C4+R7WC7X^3gX<t52qs`xg?1pP1ynD>4j`iX(uGi9a!lBd4`4S&
z`B_(BI(h*O))BCigPFs?ARG~rQ@R09nb3p9aZtixB>340h`R_HBxtG&=)?->s|u%(
zc#%AT<O~u3St;Qdk|&W2A^}i?68uQMfFyuq7|93{)cY{b0z;VefyeaoNXC$$>nZsU
zLF6tX8ApOPt}umU0?E@rL}oY?oQYV01=Dr2-I_61h3P5z(2*QWPJq7z$Qu=gzsU16
zF<13qu5K_j4`--u{oLD*cLtMNA4_N(<~2*B>((tF$9B9jx-h!PFZq(DdSXH@wx$g3
zVjF#dvGmDJC5LI@Ffo-Dk3HwlR8te%_xizC4<_q6)-0~2ORs$K#V@|}B`~W<UK3??
zqFGin)0(9uUbcHfr*fF)4{xxP&YWj3M3avCw4*uUXkI>=babS&kLFnnzrLe+NFxEi
z`1vDcM|M*GywiQusr;c$akPy3p@T-=sYJfac68hCWb=1J+X5;`$v1024)?o<+x%aG
zoY~F488?3*Wb=pkrp~pYf*3Y`I55*7CvE<~-DmUvHiL__67DR7l^pF;?tw)c1dULI
zAQ13{fm6t;G0gZFSv!t8umm~Ufo;4n<f%br9d)LoCA-DLm!doY+NHR;!O?PCXdHx9
z)l^vhKtn_2&6*dvesEdyL#`1IlQtilg|$9yW?Nq&+d3<kFJ^i`=}iYj*?M((n@e$1
z1kQSk!iD;w2enxINXhWPa>Wmn*ddrTDR@g{E*HZ#sNoDnduoJJf5cx3!kL%Oyb0zD
zs(1*nDJt@}FX`Y2wq-@w)c*p=+Cq$nuYM|7e?o~t|BIMvXI{#hc;?N0_nFUwS(`aV
zFmYBgh8>v^**JTiB(q1Kk`$1FBy(m}k<}@GA7K8N`qfaYgL85v*hX<6Ht!p7=US1u
zd}EL+ZINF?T+9@@_sby0%mcq-FlJDZl8|T2pc6xaH*4z1Z}RVrR0E)Ma<egW-xjmR
zOc_ySw^1?a$0!R$4dj_K8h(mgF(Sr{s3QpI6x<;a5cn4kAi-lW$;=Veh<r^0(niVz
zMJ61Yn2=yB72v+X8KE089})0OYt||wpwg`-M2Bg;$0=DdCm{zwaseSahCp4RWs@^%
zh%H3WOJd&iVYw30Jb|UjeWeUQD3(Uyj+38&gnTd$CL~4?LUmI?xGVLMHj&37nL}=9
zgKRdUa(MbY0HzmUBq9SaFE7&m0^0{LRJcYXJcIpG0%i;r&_rlh2;nn58Ub<NV+l!y
zkRyZJ5$OQDON>F`k0C$Vv;Gt2YmVB`H-ZslvVvt|vM;r#Ok36*W!L(y_ALcpI5pq<
zGkY0q{~L#L*x5!mO&Kj;KMA;svy9*pk0za-1^qlTA6T@?2%6)S$`>nRXOiXHlcrXz
zJBOexdQyhUV&)GZRoA+n?}{m7CvLbON!oYJA6_p8eaJ9V?Bosij-+kpd`}+owrspn
zzbk3q4G<TiA&m*PF&0@ld_9_C59iR3rOV4@aof%XMAR0KJa?{WcZ#&VX0fL&%?V5M
za!=CIIo~bSXtq2%vsPNUbUN0#{6xHD_f;kA_s;UA`ZY(@(&(C_?loV!;nCHGM^^&L
zhR$@u!9>HsWJ5O?U!^w43zuoi5SNL2y5hF|h{&*4*aa34%!|)ojM-lZEi*StTGGyr
zgtKGiOwzeOr9JS8j4bpvzFc#xf_m$y73ez^?qmCv@9b5;l7FX*Mt;8%_#aWWKHFwX
z3pG0E0{ZqNz&rqEVX`-;;NDc58sHXIf?Eh0jv7VO5hxiCfkY)h<|3Q9Bj_iu^wNSw
zepV03?mr-Roy5%hVK@vCm2hkDV;E^af>sF-g$T`2ns(hHbPaAiDe>{98L&8HVB+j0
z8ydoDDQo41j<9;l>ew(4mPPQ!h^%D5Wj0o5fTGZuB4T<9Xn+dP0YyL=U;_GpA;1QV
zbJQT1bop3KNI#S{=j071#187cD5ioSr_1JD@K4Dm&B)ojYMIN$aO)?R4x43RsG$b+
zvXLamA;ZI$u~0{b&<GsT%Qbtmo4@>qY_%$mE^4%>2ianV-2Kh9VrYsldtay+ek03H
z9%D6i0-RU8G0^YKYb%Qx<@a4K8!~VTxQeU9tGFQ}$CQFG?$i5dpTWoajO}Vp1u5DI
zOIX9HNt(iEXjgKY%v&v|g|`MD<5NOz2Co5=+`6IcZ7pwcGev_J5O*u2KHdM8)&uL(
zK73t+N*<OP+^Tv||8x&uXI@?IoQ!2IXP6c<isX5~+fJZVjI)mH5ukKuk{llspkxz7
zjDoYH?n3E)l<sPy>!>%BlAd}f-%qS0N2{$}<ZgB3Kx_V`UlCf0K%3Cq2Y`^neP19;
z9VC*p2Bc*JY5>wf{DASII*g7UAgHrM&|@K6x@0p{6|}tRk|=2!b<!O5p4KEah7HJS
z=Aoq_#IRKpkdL}k`YNQo4}aN_8dW8?C?Jbb65Tse9pok>O+k0M)SIp}LsDS??Uj91
z?8<XqDwEBaWwLGqI?bq=3qoG$BAPKTHLKfl6>Pc|UGy#~M-Qsnvu-&t-_5!5GWS&W
zzAD_sKun7SPBEy$+a)<|MVxqCPz6E$CI~8R%d3I$DK^)T=L{8fD~GbW&qog`2i1d`
zL1s`3T20BRc4u~@V(yvT1JJ0aVX3GE2Xyg6%_FVk-)zlU-0IIsze&K06#NvRo9@t*
zJCkGY=~;6o4_>L}N22aGl%hHs5b*e(fe3F51o+9&l*a__0l9E3YPyg3`v!VXi-y5d
zJtzEwr@7wlemFMgqnIHSj*9xhQz!kH2$|TyQ+}@Z@xk8i!-qLApV5F&OPvu_<j`JJ
z2S)HjACB`cpqqi0H`J#ID_n*Fi7N0*gs4X+(h&kf3K4iK9UIjlw}ixvq!vj%kO;1J
z04V23kW6yP@R<mO!kHgR<n#wIi7<tHQs0BJzlQtntnEtwv;8kOzS8<)>zj?~ZC#0N
zT}gKTJiVsX5hKx;b~YxQjc=;cTlXcl?z{e2N_!B~)C=lG-O`@8xgn)(#24BH?V|NL
z!@AZOx9nK)tW?HLXh?zyv}Si)>%7|e!rq0$^WE#Lb@5cJ8x9+7O(}NkI_s3q<=0EM
zt(BB6mBreZ*_H9P_s5-&fysME!x&8;XeqN}f&a$n?_Asb2Z|Lx1JtXswpptG2yKJv
z6f)Dd{}r{3^8dNEVLpYnVK(cE-@CR^ft~d5dgigLo)P{Wrg*mgY{q@KznZb-vdNl8
zcpb{aPddH>k?<yxzd-VrNWO~%Fh@$jZ&COwB;QB!*GT>b$q$g=$%60}5YT<sk$)OV
z1PO6?{scKUkO;0vNgqhcAnWxIeNbpm$Sx5kl68;$`wUb<SKPccrS%l5gpQS=m4Uda
zC#5}HL?y%>jj^X=BXQfd6x&=xC&ZmizkhA;TNEmM;6xjk(e?nc#E|G-+as$DZlX3|
zz!y`UhkXs;L$J5<c6+F=F#KP(Ltq#G<aP)>2$~^djby=kaub0n_DdMq7WnL~k&mw*
z24>x7365~i9i9jPiojovx{nW@8gL`Z7C{R{q`~;G$hkgCoq!mdq!ToSI>C)eFC#$^
zPBIkGIL#Oel4i&t9Yimb7g+leID$!J{r?@51+B1VaIP9$@3FQ|XEErPj>pYSDecxm
z_3+3_#R_}9`})P}Lvhpbl=ehXB~c%H4DP<!wx(E5o|0%r!@<5Z8F#i6R}!b;SAokY
zjc)@P@Yn#|0ozYA7V)1S1LPC!D7;Dw^Ei_^*cC(rxsNJ2e$u&gAJzbSL*{fFtWipM
z9ElHzXqNAiW`2T~r@>Kqi>hAy-JQr>3XDZzM<A-37<EK{lexlK6KP&Li~d`z`R|eZ
z0}^5cx{=G-f9N}%#{hHdc7G0nG`lJ?qr#6N`A6^<X#s`w-!O+8CdytJceUTJwa=Yc
zudaP*dhX<!#+KGpBs3LiP1UNVYTZ<kHhES}o;O?4+YYU6JM{Lx<hD~ulNatTT3u<Y
zXVvOiZhqIg3k<pJ6~&s^i9c&iT6fGJ%HBPE`E=UVmT<MDUHcNQeb)~qT?f;y6A9Oe
zq^tj3cHmbk%C`Fsn05BFsdm*=OHQuuGT_91pa!$+F4|rnYyt8si37cR8<p>!T1sU~
zGmcfpvDCL5Ofl_gW>13IlVbL*GsaB9$rVS6*_CFx5=>W$Ik2X&u4-K54q4f%wk)P!
zfkWiZwDv$kdmyF#9F+U&sV|>OGR`zpkzgv`WvYm7_f&`)zdsln@%u%+-+z7@e$b0Q
zw^iUA5Fmd5IkK~p&3YIf;bu1cta4&(So(pcIyyt{TA=eNU5zGps9U2WVd+W)?itbz
zi5}$8O(d(4+;b-Ppow=N*#P9D$4M=4+C^>GWGFa2!5<J-Ar&T@is0get8z5`9`(e(
zQ?);*j6bCeKSgSR|L;>}?^BgOrwl)%1`^Z&WO$#d0c6rxHmAF*hMx}KW%2ixch4)}
S4%uBF4Ts4e4AEIg@_zvE6Rz|C

literal 0
HcmV?d00001

diff --git a/cli/zkac_cli/client_ops.py b/cli/zkac_cli/client_ops.py
new file mode 100644
index 0000000..183cd61
--- /dev/null
+++ b/cli/zkac_cli/client_ops.py
@@ -0,0 +1,64 @@
+"""TCP clients for management, managed, and relay channels."""
+
+from __future__ import annotations
+
+import json
+import socket
+from typing import Any
+
+import zkac
+from zkac.tcp import FramedSession, client_handshake, client_handshake_managed
+
+
+def mgmt_call(
+    host: str,
+    port: int,
+    server_pk: zkac.PublicKey,
+    mgmt_cred: zkac.Credential,
+    cmd: dict[str, Any],
+) -> dict[str, Any]:
+    node = zkac.Node(zkac.Keypair())
+    sock = socket.create_connection((host, port))
+    try:
+        session = client_handshake(sock, node, server_pk, mgmt_cred)
+        framed = FramedSession(sock, session)
+        framed.send(json.dumps(cmd).encode("utf-8"))
+        return json.loads(framed.recv().decode("utf-8"))
+    finally:
+        sock.close()
+
+
+def managed_call(
+    host: str,
+    port: int,
+    server_pk: zkac.PublicKey,
+    cred: zkac.Credential,
+    registry_id: bytes,
+    cmd: dict[str, Any],
+) -> dict[str, Any]:
+    node = zkac.Node(zkac.Keypair())
+    sock = socket.create_connection((host, port))
+    try:
+        session = client_handshake_managed(sock, node, server_pk, cred, registry_id)
+        framed = FramedSession(sock, session)
+        framed.send(json.dumps(cmd).encode("utf-8"))
+        return json.loads(framed.recv().decode("utf-8"))
+    finally:
+        sock.close()
+
+
+def relay_line(host: str, port: int, obj: dict[str, Any]) -> dict[str, Any]:
+    payload = (json.dumps(obj) + "\n").encode("utf-8")
+    sock = socket.create_connection((host, port))
+    try:
+        sock.sendall(payload)
+        buf = b""
+        while b"\n" not in buf:
+            chunk = sock.recv(4096)
+            if not chunk:
+                break
+            buf += chunk
+        line = buf.split(b"\n", 1)[0]
+        return json.loads(line.decode("utf-8"))
+    finally:
+        sock.close()
diff --git a/cli/zkac_cli/creds.py b/cli/zkac_cli/creds.py
new file mode 100644
index 0000000..1d903f9
--- /dev/null
+++ b/cli/zkac_cli/creds.py
@@ -0,0 +1,84 @@
+"""Serialize / restore BBS+ member credentials and transport keys."""
+
+from __future__ import annotations
+
+import base64
+import json
+from pathlib import Path
+from typing import Any
+
+import zkac
+
+
+def save_json(path: Path, obj: Any) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(obj, indent=2), encoding="utf-8")
+
+
+def load_json(path: Path) -> Any:
+    return json.loads(path.read_text(encoding="utf-8"))
+
+
+def member_payload(
+    blind_sig: bytes,
+    req: zkac.BlindRequest,
+    role_id: bytes,
+    epoch: int,
+    issuer_pk: zkac.BbsPublicKey,
+) -> dict[str, Any]:
+    return {
+        "role_id_hex": role_id.hex(),
+        "epoch": epoch,
+        "blind_sig_b64": base64.b64encode(blind_sig).decode(),
+        "member_secret_b64": base64.b64encode(req.member_secret()).decode(),
+        "prover_blind_b64": base64.b64encode(req.prover_blind()).decode(),
+        "issuer_public_key_b64": base64.b64encode(issuer_pk.to_bytes()).decode(),
+    }
+
+
+def load_member_credential(data: dict[str, Any]) -> zkac.Credential:
+    pk = zkac.BbsPublicKey.from_bytes(base64.b64decode(data["issuer_public_key_b64"]))
+    rid = bytes.fromhex(data["role_id_hex"])
+    return zkac.Credential.finalize(
+        base64.b64decode(data["blind_sig_b64"]),
+        base64.b64decode(data["member_secret_b64"]),
+        base64.b64decode(data["prover_blind_b64"]),
+        rid,
+        int(data["epoch"]),
+        pk,
+    )
+
+
+def save_transport_keypair(path: Path, kp: zkac.Keypair) -> None:
+    save_json(
+        path,
+        {
+            "secret_key_b64": base64.b64encode(kp.secret_key_bytes()).decode(),
+            "public_key_b64": base64.b64encode(kp.public_key().to_bytes()).decode(),
+        },
+    )
+
+
+def load_transport_keypair(path: Path) -> zkac.Keypair:
+    t = load_json(path)
+    return zkac.Keypair.from_secret_key(base64.b64decode(t["secret_key_b64"]))
+
+
+def save_server_transport(path: Path, kp: zkac.Keypair) -> None:
+    save_json(
+        path,
+        {
+            "server_secret_key_b64": base64.b64encode(kp.secret_key_bytes()).decode(),
+            "server_public_key_b64": base64.b64encode(kp.public_key().to_bytes()).decode(),
+        },
+    )
+
+
+def load_server_public_key(path: Path) -> zkac.PublicKey:
+    t = load_json(path)
+    return zkac.PublicKey.from_bytes(base64.b64decode(t["server_public_key_b64"]))
+
+
+def load_server_keypair(path: Path) -> zkac.Keypair:
+    t = load_json(path)
+    return zkac.Keypair.from_secret_key(base64.b64decode(t["server_secret_key_b64"]))
diff --git a/cli/zkac_cli/issuance_util.py b/cli/zkac_cli/issuance_util.py
new file mode 100644
index 0000000..f59eb97
--- /dev/null
+++ b/cli/zkac_cli/issuance_util.py
@@ -0,0 +1,26 @@
+"""Helpers around RegistryManager issuance queues (Python API drains on take)."""
+
+from __future__ import annotations
+
+import zkac
+
+
+def peek_pending_requests(
+    mgr: zkac.RegistryManager, registry_id: bytes
+) -> list[tuple[bytes, bytes, bytes, bytes]]:
+    """Return pending (request_id, role_id, eph_pk, ciphertext) and re-queue them."""
+    items = mgr.take_pending_requests(registry_id)
+    out: list[tuple[bytes, bytes, bytes, bytes]] = []
+    for tup in items:
+        req_id, role_id, eph_pk, enc = tup
+        out.append((req_id, role_id, eph_pk, enc))
+        mgr.queue_issuance_request(registry_id, req_id, role_id, eph_pk, enc)
+    return out
+
+
+def take_pending_requests(
+    mgr: zkac.RegistryManager, registry_id: bytes
+) -> list[tuple[bytes, bytes, bytes, bytes]]:
+    """Drain pending queue (admin processes and must grant or lose requests)."""
+    items = mgr.take_pending_requests(registry_id)
+    return [(a, b, c, d) for a, b, c, d in items]
diff --git a/cli/zkac_cli/main.py b/cli/zkac_cli/main.py
new file mode 100644
index 0000000..0a3e003
--- /dev/null
+++ b/cli/zkac_cli/main.py
@@ -0,0 +1,416 @@
+"""zkac-node CLI entrypoint."""
+
+from __future__ import annotations
+
+import argparse
+import base64
+import json
+import secrets
+import shutil
+import sys
+from pathlib import Path
+
+import zkac
+
+from zkac_cli import creds
+from zkac_cli import client_ops
+from zkac_cli import paths
+from zkac_cli import registry_local
+from zkac_cli import server_app
+
+
+MGMT_ROLE = server_app.MGMT_ROLE
+
+
+def cmd_serve(args: argparse.Namespace) -> None:
+    data = Path(args.data).resolve()
+    if args.init or not (data / "transport.json").is_file():
+        data.mkdir(parents=True, exist_ok=True)
+        transport = zkac.Keypair()
+        issuer = zkac.BbsIssuer()
+        pk = issuer.public_key()
+        mg_rid = zkac.role_id(MGMT_ROLE)
+        req = zkac.prepare_blind_request()
+        sig = issuer.issue_blind(req.commitment_with_proof(), mg_rid, 1)
+        _ = zkac.Credential.finalize(
+            sig, req.member_secret(), req.prover_blind(), mg_rid, 1, pk
+        )
+        creds.save_server_transport(data / "transport.json", transport)
+        creds.save_json(
+            data / "mgmt_issuer.json",
+            {"issuer_secret_b64": base64.b64encode(issuer.secret_key_bytes()).decode()},
+        )
+        m = creds.member_payload(sig, req, mg_rid, 1, pk)
+        creds.save_json(data / "mgmt_member.json", m)
+        print(f"Initialized server data in {data}", flush=True)
+        print(
+            "Copy mgmt_member.json for operators; distribute server_public_key from transport.json",
+            flush=True,
+        )
+    relay = None if args.relay_port == 0 else args.relay_port
+    relay_bind = args.relay_bind
+    print(
+        f"Starting: mgmt={args.mgmt_port} managed={args.managed_port} relay={relay!r} bind={relay_bind}",
+        flush=True,
+    )
+    server_app.serve(data, args.mgmt_port, args.managed_port, relay, relay_bind)
+
+
+def cmd_user_create(args: argparse.Namespace) -> None:
+    uid = args.userid
+    d = paths.ensure_user(uid)
+    kp = zkac.Keypair()
+    creds.save_transport_keypair(d / "transport.json", kp)
+    creds.save_json(d / "profile.json", {"userid": uid})
+    print(f"User {uid!r}: wrote {d / 'transport.json'}")
+
+
+def cmd_registry_init(args: argparse.Namespace) -> None:
+    base = paths.ensure_user(args.user)
+    out = (base / "registries" / args.slug).resolve()
+    r = registry_local.create_registry_bundle(args.slug, list(args.roles), out)
+    print(json.dumps(r, indent=2))
+
+
+def cmd_registry_push(args: argparse.Namespace) -> None:
+    server_data = Path(args.server_data).resolve()
+    reg_dir = (paths.user_dir(args.user) / "registries" / args.slug).resolve()
+    reg = creds.load_json(reg_dir / "registry.json")
+    mg = creds.load_json(server_data / "mgmt_member.json")
+    t = creds.load_json(server_data / "transport.json")
+    server_pk = zkac.PublicKey.from_bytes(base64.b64decode(t["server_public_key_b64"]))
+    mgmt_cred = creds.load_member_credential(mg)
+    cmd = {"cmd": "create_registry", "state_b64": reg["state_bytes_b64"], "state_cert_b64": reg["state_cert_b64"]}
+    if args.update:
+        cmd = {"cmd": "update_registry", "state_b64": reg["state_bytes_b64"], "state_cert_b64": reg["state_cert_b64"]}
+    out = client_ops.mgmt_call(args.host, args.mgmt_port, server_pk, mgmt_cred, cmd)
+    print(json.dumps(out, indent=2))
+
+
+def cmd_connect(args: argparse.Namespace) -> None:
+    reg_dir = (paths.user_dir(args.user) / "registries" / args.slug).resolve()
+    reg_path = reg_dir / "registry.json"
+    if reg_path.is_file():
+        reg = creds.load_json(reg_path)
+    elif args.registry_id:
+        reg = {"registry_id_hex": args.registry_id}
+    else:
+        print(
+            "Missing registry.json. Copy from the admin (public) or pass --registry-id.",
+            file=sys.stderr,
+        )
+        raise SystemExit(1)
+    cred_path = (reg_dir / args.credential).resolve()
+    m = creds.load_json(cred_path)
+    credential = creds.load_member_credential(m)
+    server = creds.load_json(Path(args.server_file).expanduser().resolve())
+    server_pk = zkac.PublicKey.from_bytes(base64.b64decode(server["server_public_key_b64"]))
+    registry_id = bytes.fromhex(reg["registry_id_hex"])
+    body = client_ops.managed_call(
+        args.host,
+        args.managed_port,
+        server_pk,
+        credential,
+        registry_id,
+        {"cmd": args.command},
+    )
+    print(json.dumps(body, indent=2))
+
+
+def cmd_issuance_request(args: argparse.Namespace) -> None:
+    """Queue a blind issuance request (payload is commitment bytes; localhost relay only)."""
+    reg = creds.load_json(paths.user_dir(args.user) / "registries" / args.slug / "registry.json")
+    issuance_pk = base64.b64decode(reg["issuance_public_key_b64"])
+    req = zkac.prepare_blind_request()
+    payload = req.commitment_with_proof()
+    req_id = secrets.token_bytes(32)
+    eph_pk = secrets.token_bytes(32)
+    # Store locally for finalize
+    pending = {
+        "request_id_hex": req_id.hex(),
+        "role_name": args.role,
+        "member_secret_b64": base64.b64encode(req.member_secret()).decode(),
+        "prover_blind_b64": base64.b64encode(req.prover_blind()).decode(),
+        "issuer_public_key_b64": reg["admin_issuer_public_key_b64"],
+        "epoch": 1,
+    }
+    pdir = paths.user_dir(args.user) / "pending"
+    pdir.mkdir(parents=True, exist_ok=True)
+    creds.save_json(pdir / f"{req_id.hex()}.json", pending)
+
+    obj = {
+        "cmd": "enqueue",
+        "registry_id_hex": reg["registry_id_hex"],
+        "role_name": args.role,
+        "request_id_hex": req_id.hex(),
+        "eph_pk_hex": eph_pk.hex(),
+        "payload_b64": base64.b64encode(payload).decode(),
+    }
+    out = client_ops.relay_line(args.host, args.relay_port, obj)
+    print(json.dumps(out, indent=2))
+    print(f"Saved pending material to {pdir / (req_id.hex() + '.json')}")
+
+
+def cmd_issuance_poll(args: argparse.Namespace) -> None:
+    reg = creds.load_json(paths.user_dir(args.user) / "registries" / args.slug / "registry.json")
+    obj = {
+        "cmd": "poll",
+        "registry_id_hex": reg["registry_id_hex"],
+        "request_id_hex": args.request_id,
+    }
+    out = client_ops.relay_line(args.host, args.relay_port, obj)
+    print(json.dumps(out, indent=2))
+    if out.get("status") == "ready":
+        pend = creds.load_json(paths.user_dir(args.user) / "pending" / f"{args.request_id}.json")
+        pk = zkac.BbsPublicKey.from_bytes(base64.b64decode(pend["issuer_public_key_b64"]))
+        rid = zkac.role_id(pend["role_name"])
+        blind_sig = base64.b64decode(out["blind_sig_b64"])
+        zkac.Credential.finalize(
+            blind_sig,
+            base64.b64decode(pend["member_secret_b64"]),
+            base64.b64decode(pend["prover_blind_b64"]),
+            rid,
+            int(pend["epoch"]),
+            pk,
+        )
+        out_dir = paths.user_dir(args.user) / "registries" / args.slug / "roles"
+        out_dir.mkdir(parents=True, exist_ok=True)
+        member = {
+            "role_id_hex": rid.hex(),
+            "epoch": int(pend["epoch"]),
+            "blind_sig_b64": base64.b64encode(blind_sig).decode(),
+            "member_secret_b64": pend["member_secret_b64"],
+            "prover_blind_b64": pend["prover_blind_b64"],
+            "issuer_public_key_b64": pend["issuer_public_key_b64"],
+        }
+        dest = out_dir / f"{pend['role_name']}.json"
+        creds.save_json(dest, member)
+        print(f"You have role {pend['role_name']!r}; credential saved to {dest}")
+        print("Use: zkac-node connect ... --credential roles/{0}.json".format(pend["role_name"]))
+
+
+def cmd_issuance_grant(args: argparse.Namespace) -> None:
+    server_data = Path(args.server_data).resolve()
+    reg_dir = (paths.user_dir(args.admin_user) / "registries" / args.slug).resolve()
+    admin = creds.load_json(reg_dir / "admin.json")
+    issuer = zkac.BbsIssuer.from_secret_key(base64.b64decode(admin["admin_issuer_secret_b64"]))
+    t = creds.load_json(server_data / "transport.json")
+    mg = creds.load_json(server_data / "mgmt_member.json")
+    server_pk = zkac.PublicKey.from_bytes(base64.b64decode(t["server_public_key_b64"]))
+    mgmt_cred = creds.load_member_credential(mg)
+
+    peek = client_ops.mgmt_call(
+        args.host,
+        args.mgmt_port,
+        server_pk,
+        mgmt_cred,
+        {"cmd": "issuance_peek", "registry_id_hex": args.registry_id},
+    )
+    pending = peek.get("pending") or []
+    target = None
+    for p in pending:
+        if p["request_id_hex"] == args.request_id:
+            target = p
+            break
+    if target is None:
+        print("request_id not in pending queue", file=sys.stderr)
+        raise SystemExit(1)
+    commit = base64.b64decode(target["payload_b64"])
+    role_id = bytes.fromhex(target["role_id_hex"])
+    blind = issuer.issue_blind(commit, role_id, 1)
+    out = client_ops.mgmt_call(
+        args.host,
+        args.mgmt_port,
+        server_pk,
+        mgmt_cred,
+        {
+            "cmd": "issuance_grant",
+            "registry_id_hex": args.registry_id,
+            "request_id_hex": args.request_id,
+            "blind_sig_b64": base64.b64encode(blind).decode(),
+        },
+    )
+    print(json.dumps(out, indent=2))
+
+
+def cmd_issue_member_file(args: argparse.Namespace) -> None:
+    """Admin issues a role credential locally (out-of-band handoff)."""
+    reg_dir = (paths.user_dir(args.admin_user) / "registries" / args.slug).resolve()
+    admin = creds.load_json(reg_dir / "admin.json")
+    issuer = zkac.BbsIssuer.from_secret_key(base64.b64decode(admin["admin_issuer_secret_b64"]))
+    pk = issuer.public_key()
+    rid = zkac.role_id(args.role)
+    req = zkac.prepare_blind_request()
+    sig = issuer.issue_blind(req.commitment_with_proof(), rid, 1)
+    payload = creds.member_payload(sig, req, rid, 1, pk)
+    out_path = reg_dir / "issued" / f"{args.role}_{args.target_user}.json"
+    creds.save_json(out_path, payload)
+    print(f"Wrote {out_path}")
+
+
+def cmd_registry_import_public(args: argparse.Namespace) -> None:
+    """Copy public registry.json (state + cert summary) from another local user."""
+    src = (paths.user_dir(args.from_user) / "registries" / args.slug / "registry.json").resolve()
+    dst_dir = paths.ensure_user(args.to_user) / "registries" / args.slug
+    dst_dir.mkdir(parents=True, exist_ok=True)
+    shutil.copy(src, dst_dir / "registry.json")
+    print(f"Copied {src} -> {dst_dir / 'registry.json'}")
+
+
+def cmd_import_credential(args: argparse.Namespace) -> None:
+    src = Path(args.file).resolve()
+    data = creds.load_json(src)
+    dest = paths.user_dir(args.user) / "registries" / args.slug / "roles" / f"{args.name}.json"
+    creds.save_json(dest, data)
+    print(f"Imported credential to {dest}")
+
+
+def cmd_pin_server(args: argparse.Namespace) -> None:
+    """Save server public key + ports for a user (from server's transport.json)."""
+    tpath = Path(args.transport_file).resolve()
+    t = creds.load_json(tpath)
+    d = paths.ensure_user(args.user) / "servers" / args.name
+    d.mkdir(parents=True, exist_ok=True)
+    creds.save_json(
+        d / "server.json",
+        {
+            "server_public_key_b64": t["server_public_key_b64"],
+            "host": args.host,
+            "mgmt_port": args.mgmt_port,
+            "managed_port": args.managed_port,
+            "relay_port": args.relay_port,
+        },
+    )
+    print(f"Pinned server {args.name!r} for user {args.user!r} -> {d / 'server.json'}")
+
+
+def build_parser() -> argparse.ArgumentParser:
+    p = argparse.ArgumentParser(
+        prog="zkac-node",
+        description="ZKAC node CLI (server + client). "
+        "Requires the 'zkac' package from this repo (maturin develop). "
+        "Set ZKAC_HOME to override ~/.zkac/. "
+        "Issuance relay queues are in-memory — use the same server process between request and grant.",
+    )
+    sub = p.add_subparsers(dest="command", required=True)
+
+    ps = sub.add_parser("serve", help="Run server (registry-capable node)")
+    ps.add_argument("--data", type=Path, required=True, help="Server data directory")
+    ps.add_argument("--init", action="store_true", help="Initialize data dir (transport + mgmt issuer)")
+    ps.add_argument("--mgmt-port", type=int, default=7400)
+    ps.add_argument("--managed-port", type=int, default=7401)
+    ps.add_argument(
+        "--relay-port",
+        type=int,
+        default=7402,
+        help="Plaintext relay for issuance queue (localhost only). Use 0 to disable.",
+    )
+    ps.add_argument("--relay-bind", default="127.0.0.1")
+    ps.set_defaults(func=cmd_serve)
+
+    su = sub.add_parser("user-create", help="Create a user directory under ~/.zkac/")
+    su.add_argument("userid")
+    su.set_defaults(func=cmd_user_create)
+
+    pi = sub.add_parser("pin-server", help="Save server connection info for a user")
+    pi.add_argument("--user", required=True)
+    pi.add_argument("--name", required=True, help="Label for this server")
+    pi.add_argument("--transport-file", required=True, help="Path to server's transport.json")
+    pi.add_argument("--host", required=True)
+    pi.add_argument("--mgmt-port", type=int, default=7400)
+    pi.add_argument("--managed-port", type=int, default=7401)
+    pi.add_argument("--relay-port", type=int, default=7402)
+    pi.set_defaults(func=cmd_pin_server)
+
+    ri = sub.add_parser("registry-init", help="Create a client-managed registry offline")
+    ri.add_argument("--user", required=True)
+    ri.add_argument("--slug", required=True)
+    ri.add_argument("--roles", nargs="+", required=True)
+    ri.set_defaults(func=cmd_registry_init)
+
+    rp = sub.add_parser("registry-push", help="Push registry snapshot to server (mgmt channel)")
+    rp.add_argument("--user", required=True)
+    rp.add_argument("--slug", required=True)
+    rp.add_argument("--server-data", type=Path, required=True, help="Server data dir (transport + mgmt_member)")
+    rp.add_argument("--host", default="127.0.0.1")
+    rp.add_argument("--mgmt-port", type=int, default=7400)
+    rp.add_argument("--update", action="store_true", help="Send update_registry instead of create")
+    rp.set_defaults(func=cmd_registry_push)
+
+    cc = sub.add_parser("connect", help="Managed ZKAC session test (whoami/get_registry)")
+    cc.add_argument("--user", required=True)
+    cc.add_argument("--slug", required=True)
+    cc.add_argument("--credential", default="roles/member.json", help="Relative path under registries/<slug>/")
+    cc.add_argument(
+        "--registry-id",
+        default="",
+        help="If registry.json is absent, hex registry id (pin public registry first)",
+    )
+    cc.add_argument("--server-file", required=True, help="Pinned server.json from pin-server")
+    cc.add_argument("--host", required=True)
+    cc.add_argument("--managed-port", type=int, default=7401)
+    cc.add_argument("--command", default="whoami")
+    cc.set_defaults(func=cmd_connect)
+
+    ir = sub.add_parser(
+        "issuance-request",
+        help="Enqueue blind commitment on relay (localhost; see help text)",
+    )
+    ir.add_argument("--user", required=True)
+    ir.add_argument("--slug", required=True)
+    ir.add_argument("--role", required=True)
+    ir.add_argument("--host", default="127.0.0.1")
+    ir.add_argument("--relay-port", type=int, default=7402)
+    ir.set_defaults(func=cmd_issuance_request)
+
+    ip = sub.add_parser("issuance-poll", help="Poll relay for blind signature")
+    ip.add_argument("--user", required=True)
+    ip.add_argument("--slug", required=True)
+    ip.add_argument("--request-id", required=True, dest="request_id")
+    ip.add_argument("--host", default="127.0.0.1")
+    ip.add_argument("--relay-port", type=int, default=7402)
+    ip.set_defaults(func=cmd_issuance_poll)
+
+    ig = sub.add_parser("issuance-grant", help="Admin: issue blind sig and push grant to server")
+    ig.add_argument("--admin-user", required=True)
+    ig.add_argument("--slug", required=True)
+    ig.add_argument("--server-data", type=Path, required=True)
+    ig.add_argument("--registry-id", required=True, dest="registry_id")
+    ig.add_argument("--request-id", required=True, dest="request_id")
+    ig.add_argument("--host", default="127.0.0.1")
+    ig.add_argument("--mgmt-port", type=int, default=7400)
+    ig.set_defaults(func=cmd_issuance_grant)
+
+    im = sub.add_parser("issue-member", help="Admin: issue credential to file for handoff")
+    im.add_argument("--admin-user", required=True)
+    im.add_argument("--slug", required=True)
+    im.add_argument("--role", required=True)
+    im.add_argument("--target-user", required=True)
+    im.set_defaults(func=cmd_issue_member_file)
+
+    irp = sub.add_parser(
+        "registry-import-public",
+        help="Copy registry.json from another user (public state + cert metadata)",
+    )
+    irp.add_argument("--from-user", required=True, dest="from_user")
+    irp.add_argument("--to-user", required=True, dest="to_user")
+    irp.add_argument("--slug", required=True)
+    irp.set_defaults(func=cmd_registry_import_public)
+
+    ii = sub.add_parser("import-credential", help="Copy a member json into a user's registry folder")
+    ii.add_argument("--user", required=True)
+    ii.add_argument("--slug", required=True)
+    ii.add_argument("--name", required=True, help="Filename base (e.g. analyst)")
+    ii.add_argument("file", type=Path)
+    ii.set_defaults(func=cmd_import_credential)
+
+    return p
+
+
+def main() -> None:
+    args = build_parser().parse_args()
+    args.func(args)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/cli/zkac_cli/paths.py b/cli/zkac_cli/paths.py
new file mode 100644
index 0000000..4748614
--- /dev/null
+++ b/cli/zkac_cli/paths.py
@@ -0,0 +1,19 @@
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+
+def zkac_home() -> Path:
+    return Path(os.environ.get("ZKAC_HOME", Path.home() / ".zkac"))
+
+
+def user_dir(userid: str) -> Path:
+    return zkac_home() / userid
+
+
+def ensure_user(userid: str) -> Path:
+    zkac_home().mkdir(parents=True, exist_ok=True)
+    d = user_dir(userid)
+    d.mkdir(parents=True, exist_ok=True)
+    return d
diff --git a/cli/zkac_cli/registry_local.py b/cli/zkac_cli/registry_local.py
new file mode 100644
index 0000000..5bfde57
--- /dev/null
+++ b/cli/zkac_cli/registry_local.py
@@ -0,0 +1,68 @@
+"""Offline client-managed registry creation (same structure as demo/setup_managed_demo)."""
+
+from __future__ import annotations
+
+import base64
+import json
+from pathlib import Path
+
+import zkac
+
+from zkac_cli import creds
+
+
+def create_registry_bundle(
+    slug: str,
+    role_names: list[str],
+    out_dir: Path,
+) -> dict[str, str]:
+    """
+    Build a new registry with admin issuer = role issuer for all listed roles.
+    Writes admin.json, registry.json under out_dir.
+    """
+    out_dir.mkdir(parents=True, exist_ok=True)
+    admin_issuer = zkac.BbsIssuer()
+    admin_pk = admin_issuer.public_key()
+    admin_rid = zkac.admin_role_id()
+
+    req = zkac.prepare_blind_request()
+    sig = admin_issuer.issue_blind(req.commitment_with_proof(), admin_rid, 0)
+    admin_cred = zkac.Credential.finalize(
+        sig, req.member_secret(), req.prover_blind(), admin_rid, 0, admin_pk
+    )
+
+    issuance_kp = zkac.IssuanceKeypair()
+    role_entries = [(zkac.role_id(name), admin_pk, 1) for name in role_names]
+
+    state = zkac.RegistryState.build(
+        admin_pk, issuance_kp.public_key_bytes(), 1, b"\x00" * 32, role_entries
+    )
+    state_bytes = state.serialize()
+    state_cert = state.certify(admin_cred)
+    registry_id = state.registry_id()
+
+    admin_payload = {
+        "slug": slug,
+        "admin_issuer_secret_b64": base64.b64encode(admin_issuer.secret_key_bytes()).decode(),
+        "admin_issuer_public_key_b64": base64.b64encode(admin_pk.to_bytes()).decode(),
+        "admin_member_secret_b64": base64.b64encode(req.member_secret()).decode(),
+        "admin_prover_blind_b64": base64.b64encode(req.prover_blind()).decode(),
+        "admin_blind_sig_b64": base64.b64encode(sig).decode(),
+        "issuance_secret_b64": base64.b64encode(issuance_kp.secret_bytes()).decode(),
+        "issuance_public_key_b64": base64.b64encode(issuance_kp.public_key_bytes()).decode(),
+        "registry_id_hex": registry_id.hex(),
+    }
+    creds.save_json(out_dir / "admin.json", admin_payload)
+
+    reg_payload = {
+        "slug": slug,
+        "registry_id_hex": registry_id.hex(),
+        "state_bytes_b64": base64.b64encode(state_bytes).decode(),
+        "state_cert_b64": base64.b64encode(bytes(state_cert)).decode(),
+        "admin_issuer_public_key_b64": base64.b64encode(admin_pk.to_bytes()).decode(),
+        "issuance_public_key_b64": base64.b64encode(issuance_kp.public_key_bytes()).decode(),
+        "roles": role_names,
+    }
+    creds.save_json(out_dir / "registry.json", reg_payload)
+
+    return {"registry_id_hex": registry_id.hex(), "path": str(out_dir)}
diff --git a/cli/zkac_cli/registry_log.py b/cli/zkac_cli/registry_log.py
new file mode 100644
index 0000000..ac67709
--- /dev/null
+++ b/cli/zkac_cli/registry_log.py
@@ -0,0 +1,59 @@
+"""Persist RegistryManager by replaying create/update events."""
+
+from __future__ import annotations
+
+import base64
+import json
+from pathlib import Path
+from typing import Any
+
+import zkac
+
+
+def save_events(path: Path, events: list[dict[str, Any]]) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps({"events": events}, indent=2), encoding="utf-8")
+
+
+def load_events(path: Path) -> list[dict[str, Any]]:
+    if not path.is_file():
+        return []
+    data = json.loads(path.read_text(encoding="utf-8"))
+    return list(data.get("events", []))
+
+
+def replay_manager(events: list[dict[str, Any]]) -> zkac.RegistryManager:
+    """Rebuild manager from persisted events (multiple registries supported)."""
+    mgr = zkac.RegistryManager()
+    by_rid: dict[bytes, list[dict[str, Any]]] = {}
+    for e in events:
+        st = base64.b64decode(e["state_b64"])
+        st_obj = zkac.RegistryState.deserialize(st)
+        rid = st_obj.registry_id()
+        by_rid.setdefault(rid, []).append(e)
+    for rid, evs in by_rid.items():
+        evs.sort(
+            key=lambda e: zkac.RegistryState.deserialize(
+                base64.b64decode(e["state_b64"])
+            ).version()
+        )
+        for i, e in enumerate(evs):
+            st = base64.b64decode(e["state_b64"])
+            cert = base64.b64decode(e["state_cert_b64"])
+            if i == 0:
+                mgr.create(st, cert)
+            else:
+                mgr.update(rid, st, cert)
+    return mgr
+
+
+def append_event(path: Path, op: str, state_bytes: bytes, state_cert: bytes) -> None:
+    events = load_events(path)
+    events.append(
+        {
+            "op": op,
+            "state_b64": base64.b64encode(state_bytes).decode(),
+            "state_cert_b64": base64.b64encode(state_cert).decode(),
+        }
+    )
+    save_events(path, events)
diff --git a/cli/zkac_cli/server_app.py b/cli/zkac_cli/server_app.py
new file mode 100644
index 0000000..d43346c
--- /dev/null
+++ b/cli/zkac_cli/server_app.py
@@ -0,0 +1,272 @@
+"""TCP servers: ZKAC management, ZKAC managed app, localhost relay (credential queue)."""
+
+from __future__ import annotations
+
+import base64
+import json
+import socket
+import threading
+import traceback
+from pathlib import Path
+from typing import Callable
+
+import zkac
+from zkac.tcp import FramedSession, server_handshake, server_handshake_managed
+
+from zkac_cli import issuance_util
+from zkac_cli import registry_log
+
+
+MGMT_ROLE = "zkac.mgmt"
+
+
+def build_static_registry(issuer_pk: zkac.BbsPublicKey) -> zkac.RoleRegistry:
+    reg = zkac.RoleRegistry()
+    reg.register_role(zkac.role_id(MGMT_ROLE), issuer_pk, 1)
+    return reg
+
+
+def handle_mgmt_session(
+    conn: socket.socket,
+    data_dir: Path,
+    mgr: zkac.RegistryManager,
+    registry_ids: set[bytes],
+    events_path: Path,
+    save_registry: Callable[[], None],
+) -> None:
+    from zkac_cli import creds
+
+    framed = None
+    try:
+        sk = creds.load_server_keypair(data_dir / "transport.json")
+        node = zkac.Node(sk)
+        issuer = zkac.BbsIssuer.from_secret_key(
+            base64.b64decode(creds.load_json(data_dir / "mgmt_issuer.json")["issuer_secret_b64"])
+        )
+        static_reg = build_static_registry(issuer.public_key())
+        session, role_id = server_handshake(conn, node, static_reg)
+        if role_id != zkac.role_id(MGMT_ROLE):
+            return
+        framed = FramedSession(conn, session)
+        raw = framed.recv()
+        msg = json.loads(raw.decode("utf-8"))
+        cmd = msg["cmd"]
+        if cmd == "create_registry":
+            st = base64.b64decode(msg["state_b64"])
+            cert = base64.b64decode(msg["state_cert_b64"])
+            rid = mgr.create(st, cert)
+            registry_ids.add(rid)
+            registry_log.append_event(events_path, "create", st, cert)
+            save_registry()
+            out = {"ok": True, "registry_id_hex": rid.hex()}
+        elif cmd == "update_registry":
+            st = base64.b64decode(msg["state_b64"])
+            cert = base64.b64decode(msg["state_cert_b64"])
+            st_o = zkac.RegistryState.deserialize(st)
+            rid = st_o.registry_id()
+            mgr.update(rid, st, cert)
+            registry_log.append_event(events_path, "update", st, cert)
+            save_registry()
+            out = {"ok": True, "registry_id_hex": rid.hex()}
+        elif cmd == "get_registry":
+            rid = bytes.fromhex(msg["registry_id_hex"])
+            st, c = mgr.get(rid)
+            out = {
+                "ok": True,
+                "state_b64": base64.b64encode(st).decode(),
+                "state_cert_b64": base64.b64encode(c).decode(),
+            }
+        elif cmd == "list_registries":
+            out = {"ok": True, "registry_ids_hex": [h.hex() for h in sorted(registry_ids)]}
+        elif cmd == "issuance_peek":
+            rid = bytes.fromhex(msg["registry_id_hex"])
+            pending = issuance_util.peek_pending_requests(mgr, rid)
+            out = {
+                "ok": True,
+                "pending": [
+                    {
+                        "request_id_hex": a.hex(),
+                        "role_id_hex": b.hex(),
+                        "eph_pk_hex": c.hex(),
+                        "payload_b64": base64.b64encode(d).decode(),
+                    }
+                    for a, b, c, d in pending
+                ],
+            }
+        elif cmd == "issuance_grant":
+            rid = bytes.fromhex(msg["registry_id_hex"])
+            req_id = bytes.fromhex(msg["request_id_hex"])
+            blind = base64.b64decode(msg["blind_sig_b64"])
+            mgr.grant_credential(rid, req_id, blind)
+            save_registry()
+            out = {"ok": True}
+        else:
+            out = {"ok": False, "error": f"unknown cmd {cmd}"}
+        framed.send(json.dumps(out).encode("utf-8"))
+    except Exception:
+        traceback.print_exc()
+    finally:
+        conn.close()
+
+
+def run_managed_handler(
+    conn: socket.socket,
+    data_dir: Path,
+    mgr: zkac.RegistryManager,
+) -> None:
+    from zkac_cli import creds
+
+    try:
+        sk = creds.load_server_keypair(data_dir / "transport.json")
+        node = zkac.Node(sk)
+        session, registry_id, role_id = server_handshake_managed(conn, node, mgr)
+        framed = FramedSession(conn, session)
+        raw = framed.recv()
+        msg = json.loads(raw.decode("utf-8"))
+        cmd = msg.get("cmd", "ping")
+        if cmd == "get_registry":
+            rid = bytes.fromhex(msg["registry_id_hex"])
+            st, c = mgr.get(rid)
+            body = {
+                "ok": True,
+                "state_b64": base64.b64encode(st).decode(),
+                "state_cert_b64": base64.b64encode(c).decode(),
+            }
+        elif cmd == "whoami":
+            body = {
+                "ok": True,
+                "registry_id_hex": registry_id.hex(),
+                "role_id_hex": role_id.hex(),
+            }
+        else:
+            body = {
+                "ok": True,
+                "registry_id_hex": registry_id.hex(),
+                "role_id_hex": role_id.hex(),
+                "note": "authenticated managed session",
+            }
+        framed.send(json.dumps(body).encode("utf-8"))
+    except Exception:
+        traceback.print_exc()
+    finally:
+        conn.close()
+
+
+def handle_relay_session(
+    conn: socket.socket,
+    mgr: zkac.RegistryManager,
+    save_registry: Callable[[], None],
+) -> None:
+    try:
+        buf = b""
+        while b"\n" not in buf:
+            chunk = conn.recv(4096)
+            if not chunk:
+                return
+            buf += chunk
+        line, _, _ = buf.partition(b"\n")
+        msg = json.loads(line.decode("utf-8"))
+        cmd = msg["cmd"]
+        if cmd == "enqueue":
+            rid = bytes.fromhex(msg["registry_id_hex"])
+            role = zkac.role_id(msg["role_name"])
+            req_id = bytes.fromhex(msg["request_id_hex"])
+            eph = bytes.fromhex(msg["eph_pk_hex"])
+            blob = base64.b64decode(msg["payload_b64"])
+            mgr.queue_issuance_request(rid, req_id, role, eph, blob)
+            save_registry()
+            out = {"ok": True, "status": "queued"}
+        elif cmd == "poll":
+            rid = bytes.fromhex(msg["registry_id_hex"])
+            req_id = bytes.fromhex(msg["request_id_hex"])
+            g = mgr.take_granted_credential(rid, req_id)
+            save_registry()
+            if g is None:
+                out = {"ok": True, "status": "pending"}
+            else:
+                out = {
+                    "ok": True,
+                    "status": "ready",
+                    "blind_sig_b64": base64.b64encode(g).decode(),
+                }
+        else:
+            out = {"ok": False, "error": "unknown relay cmd"}
+        conn.sendall((json.dumps(out) + "\n").encode("utf-8"))
+    except Exception:
+        traceback.print_exc()
+    finally:
+        conn.close()
+
+
+def serve(
+    data_dir: Path,
+    mgmt_port: int,
+    managed_port: int,
+    relay_port: int | None,
+    relay_bind: str,
+) -> None:
+    events_path = data_dir / "registry_events.json"
+    registry_ids: set[bytes] = set()
+    if events_path.is_file():
+        mgr = registry_log.replay_manager(registry_log.load_events(events_path))
+        for e in registry_log.load_events(events_path):
+            st = base64.b64decode(e["state_b64"])
+            registry_ids.add(zkac.RegistryState.deserialize(st).registry_id())
+    else:
+        mgr = zkac.RegistryManager()
+
+    def save_registry() -> None:
+        return
+
+    def mgmt_loop() -> None:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        s.bind(("0.0.0.0", mgmt_port))
+        s.listen(8)
+        print(f"[mgmt] ZKAC listening on 0.0.0.0:{mgmt_port}")
+        while True:
+            c, a = s.accept()
+            print(f"[mgmt] connect {a}")
+            threading.Thread(
+                target=handle_mgmt_session,
+                args=(c, data_dir, mgr, registry_ids, events_path, save_registry),
+                daemon=True,
+            ).start()
+
+    def managed_loop() -> None:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        s.bind(("0.0.0.0", managed_port))
+        s.listen(8)
+        print(f"[managed] ZKAC listening on 0.0.0.0:{managed_port}")
+        while True:
+            c, a = s.accept()
+            print(f"[managed] connect {a}")
+            threading.Thread(
+                target=run_managed_handler,
+                args=(c, data_dir, mgr),
+                daemon=True,
+            ).start()
+
+    def relay_loop() -> None:
+        if relay_port is None:
+            return
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        s.bind((relay_bind, relay_port))
+        s.listen(8)
+        print(f"[relay] plaintext JSON lines on {relay_bind}:{relay_port}")
+        while True:
+            c, a = s.accept()
+            print(f"[relay] connect {a}")
+            threading.Thread(
+                target=handle_relay_session,
+                args=(c, mgr, save_registry),
+                daemon=True,
+            ).start()
+
+    threading.Thread(target=mgmt_loop, daemon=True).start()
+    threading.Thread(target=managed_loop, daemon=True).start()
+    if relay_port is not None:
+        threading.Thread(target=relay_loop, daemon=True).start()
+    threading.Event().wait()