@agentis-hq/cli 0.1.0

package/dist/index.js

@@ -0,0 +1,1422 @@
+#!/usr/bin/env bun
+
+// src/lib/keychain.ts
+import { Entry } from "@napi-rs/keyring";
+var entry = new Entry("agentis-cli", "account-key");
+async function saveToken(token) {
+  entry.setPassword(token);
+}
+async function getToken() {
+  if (process.env.AGENTIS_ACCOUNT_KEY) return process.env.AGENTIS_ACCOUNT_KEY;
+  try {
+    return entry.getPassword();
+  } catch {
+    return null;
+  }
+}
+async function deleteToken() {
+  try {
+    entry.deletePassword();
+  } catch {
+  }
+}
+
+// src/lib/config.ts
+var API_BASE = process.env.AGENTIS_API_URL ?? "https://api.agentis.systems";
+async function apiFetch(path, opts = {}, token) {
+  const headers = {
+    "content-type": "application/json",
+    ...opts.headers ?? {}
+  };
+  if (token) headers["authorization"] = `Bearer ${token}`;
+  return fetch(`${API_BASE}${path}`, { ...opts, headers });
+}
+
+// src/commands/auth.ts
+async function login() {
+  const existing = await getToken();
+  if (existing) {
+    console.log("Already logged in. Run `agentis logout` first.");
+    return;
+  }
+  const res = await apiFetch("/auth/session", { method: "POST" });
+  if (!res.ok) {
+    console.error("Failed to start login session.");
+    process.exit(1);
+  }
+  const { sessionId, loginUrl } = await res.json();
+  console.log("\nOpen this URL in your browser to authenticate:\n");
+  console.log(`  ${loginUrl}
+`);
+  try {
+    const { exec } = await import("child_process");
+    const open = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+    exec(`${open} "${loginUrl}"`);
+  } catch {
+  }
+  console.log("Waiting for authentication...");
+  const deadline = Date.now() + 10 * 60 * 1e3;
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, 2e3));
+    const poll = await apiFetch(`/auth/session/${sessionId}`);
+    if (!poll.ok) {
+      if (poll.status === 410) {
+        console.error("\nSession expired. Run `agentis login` again.");
+        process.exit(1);
+      }
+      continue;
+    }
+    const data = await poll.json();
+    if (data.status === "complete" && data.accountKey) {
+      await saveToken(data.accountKey);
+      console.log("\nAuthenticated! You can now use the Agentis CLI.\n");
+      return;
+    }
+  }
+  console.error("\nLogin timed out. Run `agentis login` again.");
+  process.exit(1);
+}
+async function logout() {
+  const token = await getToken();
+  if (!token) {
+    console.log("Not logged in.");
+    return;
+  }
+  await deleteToken();
+  console.log("Logged out.");
+}
+async function whoami() {
+  const token = await getToken();
+  if (!token) {
+    console.log("Not logged in. Run `agentis login`.");
+    return;
+  }
+  const masked = token.slice(0, 13) + "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" + token.slice(-4);
+  console.log(`Logged in as ${masked}`);
+}
+
+// src/lib/account.ts
+function printExpiredLoginAndExit() {
+  console.error("Stored Agentis login is expired or invalid. Run `agentis logout` and then `agentis login`.");
+  process.exit(1);
+}
+async function fetchAccountAgents(token) {
+  const res = await apiFetch("/account/agents", {}, token);
+  if (res.status === 401) printExpiredLoginAndExit();
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    console.error("Failed to fetch hosted agents:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  return res.json();
+}
+async function findAccountAgent(nameOrId, token) {
+  const agents = await fetchAccountAgents(token);
+  return agents.find((a) => a.id === nameOrId || a.name === nameOrId) ?? null;
+}
+async function resolveAccountAgent(nameOrId, token) {
+  const agent = await findAccountAgent(nameOrId, token);
+  if (!agent) {
+    console.error(`Hosted agent not found: ${nameOrId}`);
+    process.exit(1);
+  }
+  return agent;
+}
+
+// src/lib/local-wallet.ts
+import { generateMnemonic, mnemonicToSeedSync } from "@scure/bip39";
+import { wordlist as englishWordlist } from "@scure/bip39/wordlists/english.js";
+import { HDKey } from "@scure/bip32";
+import { scrypt } from "@noble/hashes/scrypt.js";
+import { gcm } from "@noble/ciphers/aes.js";
+import { randomBytes } from "@noble/hashes/utils.js";
+import { ed25519 } from "@noble/curves/ed25519.js";
+import { v4 as uuidv4 } from "uuid";
+import { join } from "path";
+import { homedir } from "os";
+import { mkdirSync, writeFileSync, readFileSync, readdirSync, chmodSync, existsSync } from "fs";
+import { createKeyPairSignerFromPrivateKeyBytes } from "@solana/kit";
+var VAULT_DIR = join(homedir(), ".agentis", "wallets");
+var DEFAULT_LOCAL_POLICY = {
+  hourlyLimit: null,
+  dailyLimit: null,
+  monthlyLimit: null,
+  maxBudget: null,
+  maxPerTx: null,
+  allowedDomains: [],
+  killSwitch: false
+};
+function ensureVaultDir() {
+  mkdirSync(VAULT_DIR, { recursive: true });
+  chmodSync(join(homedir(), ".agentis"), 448);
+  chmodSync(VAULT_DIR, 448);
+}
+function deriveSolanaAddress(mnemonic) {
+  const privateKey = deriveSolanaPrivateKeyBytes(mnemonic);
+  const pubkey = ed25519.getPublicKey(privateKey);
+  return encodeBase58(pubkey);
+}
+function deriveSolanaPrivateKeyBytes(mnemonic) {
+  const seed = mnemonicToSeedSync(mnemonic);
+  const root = HDKey.fromMasterSeed(seed);
+  const child = root.derive("m/44'/501'/0'/0'");
+  if (!child.privateKey) {
+    throw new Error("Failed to derive Solana private key");
+  }
+  return child.privateKey;
+}
+function encodeBase58(bytes) {
+  const ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  let num = BigInt("0x" + Buffer.from(bytes).toString("hex"));
+  let result = "";
+  while (num > 0n) {
+    result = ALPHABET[Number(num % 58n)] + result;
+    num = num / 58n;
+  }
+  for (const byte of bytes) {
+    if (byte === 0) result = "1" + result;
+    else break;
+  }
+  return result;
+}
+function encryptMnemonic(mnemonic, passphrase = "") {
+  const salt = randomBytes(32);
+  const iv = randomBytes(12);
+  const key = scrypt(passphrase, salt, { N: 65536, r: 8, p: 1, dkLen: 32 });
+  const cipher = gcm(key, iv);
+  const data = new TextEncoder().encode(mnemonic);
+  const encrypted = cipher.encrypt(data);
+  const ciphertext = encrypted.slice(0, encrypted.length - 16);
+  const authTag = encrypted.slice(encrypted.length - 16);
+  return {
+    cipher: "aes-256-gcm",
+    ciphertext: Buffer.from(ciphertext).toString("hex"),
+    cipherparams: { iv: Buffer.from(iv).toString("hex") },
+    auth_tag: Buffer.from(authTag).toString("hex"),
+    kdf: "scrypt",
+    kdfparams: { dklen: 32, n: 65536, r: 8, p: 1, salt: Buffer.from(salt).toString("hex") }
+  };
+}
+function decryptMnemonic(wallet, passphrase = "") {
+  const { kdfparams, cipherparams, ciphertext, auth_tag } = wallet.crypto;
+  const salt = Buffer.from(kdfparams.salt, "hex");
+  const iv = Buffer.from(cipherparams.iv, "hex");
+  const key = scrypt(passphrase, salt, { N: kdfparams.n, r: kdfparams.r, p: kdfparams.p, dkLen: kdfparams.dklen });
+  const cipher = gcm(key, iv);
+  const encrypted = Buffer.concat([Buffer.from(ciphertext, "hex"), Buffer.from(auth_tag, "hex")]);
+  const decrypted = cipher.decrypt(encrypted);
+  return new TextDecoder().decode(decrypted);
+}
+function createLocalWallet(name) {
+  ensureVaultDir();
+  const mnemonic = generateMnemonic(englishWordlist, 128);
+  const solanaAddress = deriveSolanaAddress(mnemonic);
+  const crypto = encryptMnemonic(mnemonic);
+  const wallet = {
+    id: uuidv4(),
+    name,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    solanaAddress,
+    policy: { ...DEFAULT_LOCAL_POLICY },
+    spendHistory: [],
+    crypto
+  };
+  const path = join(VAULT_DIR, `${wallet.id}.json`);
+  writeFileSync(path, JSON.stringify(wallet, null, 2));
+  chmodSync(path, 384);
+  return { wallet, mnemonic };
+}
+function walletPath(id) {
+  return join(VAULT_DIR, `${id}.json`);
+}
+function normalizeLocalWallet(wallet) {
+  return {
+    ...wallet,
+    policy: { ...DEFAULT_LOCAL_POLICY, ...wallet.policy ?? {} },
+    spendHistory: wallet.spendHistory ?? []
+  };
+}
+function saveLocalWallet(wallet) {
+  ensureVaultDir();
+  const normalized = normalizeLocalWallet(wallet);
+  const path = walletPath(normalized.id);
+  writeFileSync(path, JSON.stringify(normalized, null, 2));
+  chmodSync(path, 384);
+}
+function listLocalWallets() {
+  ensureVaultDir();
+  if (!existsSync(VAULT_DIR)) return [];
+  return readdirSync(VAULT_DIR).filter((f) => f.endsWith(".json")).map((f) => normalizeLocalWallet(JSON.parse(readFileSync(join(VAULT_DIR, f), "utf8")))).sort((a, b) => b.createdAt.localeCompare(a.createdAt));
+}
+function loadLocalWalletByNameOrId(nameOrId) {
+  const wallets = listLocalWallets();
+  return wallets.find((w) => w.id === nameOrId || w.name === nameOrId) ?? null;
+}
+async function getLocalWalletSigner(wallet, passphrase = "") {
+  const mnemonic = decryptMnemonic(wallet, passphrase);
+  const signer = await createKeyPairSignerFromPrivateKeyBytes(deriveSolanaPrivateKeyBytes(mnemonic));
+  if (signer.address !== wallet.solanaAddress) {
+    throw new Error(`Local wallet key derivation mismatch: expected ${wallet.solanaAddress}, got ${signer.address}`);
+  }
+  return signer;
+}
+function recordLocalSpend(wallet, spend) {
+  const updated = normalizeLocalWallet({
+    ...wallet,
+    spendHistory: [...wallet.spendHistory ?? [], spend]
+  });
+  saveLocalWallet(updated);
+  return updated;
+}
+
+// src/commands/agent.ts
+import { checkPolicy } from "@agentis-hq/core";
+import {
+  address,
+  appendTransactionMessageInstruction,
+  createSolanaRpc,
+  createSolanaRpcSubscriptions,
+  createTransactionMessage,
+  devnet,
+  getSignatureFromTransaction,
+  pipe,
+  sendAndConfirmTransactionFactory,
+  setTransactionMessageFeePayerSigner,
+  setTransactionMessageLifetimeUsingBlockhash,
+  signTransactionMessageWithSigners
+} from "@solana/kit";
+import { getTransferSolInstruction } from "@solana-program/system";
+var DEVNET_RPC = "https://api.devnet.solana.com";
+var DEVNET_WS = "wss://api.devnet.solana.com";
+var LAMPORTS_PER_SOL = 1e9;
+var SOL_MINT = "So11111111111111111111111111111111111111112";
+async function requireAuth() {
+  const token = await getToken();
+  if (!token) {
+    console.error("Not logged in. Run `agentis login` first.");
+    process.exit(1);
+  }
+  return token;
+}
+async function findHostedAgent(nameOrId, token) {
+  return findAccountAgent(nameOrId, token);
+}
+async function getSolBalance(walletAddress) {
+  const solRes = await fetch(DEVNET_RPC, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "getBalance", params: [walletAddress, { commitment: "confirmed" }] })
+  });
+  const solData = await solRes.json();
+  return (solData.result?.value ?? 0) / LAMPORTS_PER_SOL;
+}
+var cachedSolPrice = null;
+async function solToUsd(sol) {
+  const now = Date.now();
+  if (cachedSolPrice && now - cachedSolPrice.fetchedAt < 6e4) return sol * cachedSolPrice.usd;
+  const res = await fetch(`https://api.jup.ag/price/v3?ids=${SOL_MINT}`);
+  const data = await res.json();
+  const price = data[SOL_MINT]?.usdPrice ?? 0;
+  cachedSolPrice = { usd: price, fetchedAt: now };
+  return sol * price;
+}
+async function agentList() {
+  const token = await requireAuth();
+  const agents = await fetchAccountAgents(token);
+  if (agents.length === 0) {
+    console.log("No agents found. Run `agentis agent create <name>` to create one.");
+    return;
+  }
+  console.log();
+  for (const a of agents) {
+    console.log(`  ${a.name.padEnd(20)} ${a.walletAddress}  [${a.id}]`);
+  }
+  console.log();
+}
+async function agentCreate(args2) {
+  const parts = Array.isArray(args2) ? args2 : args2 ? [args2] : [];
+  const name = parts.find((part) => !part.startsWith("--"));
+  const policyMode = parts.includes("--onchain-policy") || parts.includes("--policy-onchain") ? "onchain" : "backend";
+  if (!name) {
+    console.error("Usage: agentis agent create <name> [--onchain-policy]");
+    process.exit(1);
+  }
+  const token = await requireAuth();
+  const res = await apiFetch("/account/agents", {
+    method: "POST",
+    body: JSON.stringify({ name, policyMode })
+  }, token);
+  if (!res.ok) {
+    const data = await res.json();
+    console.error("Failed to create agent:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  const agent = await res.json();
+  console.log(`
+Agent created`);
+  console.log(`  Name:    ${agent.name}`);
+  console.log(`  ID:      ${agent.id}`);
+  console.log(`  Wallet:  ${agent.walletAddress}`);
+  console.log(`  Policy:  ${agent.policyMode ?? "backend"}${agent.onchainPolicy?.initialized ? " (initialized)" : agent.policyMode === "onchain" ? " (pending init)" : ""}`);
+  console.log(`  API Key: ${agent.apiKey}
+`);
+}
+async function agentBalance(nameOrId) {
+  if (!nameOrId) {
+    console.error("Usage: agentis agent balance <name-or-id>");
+    process.exit(1);
+  }
+  const token = await getToken();
+  const hosted = token ? await findHostedAgent(nameOrId, token) : null;
+  const local = hosted ? null : loadLocalWalletByNameOrId(nameOrId);
+  const walletAddress = hosted?.walletAddress ?? local?.solanaAddress;
+  const name = hosted?.name ?? local?.name;
+  if (!walletAddress || !name) {
+    console.error(`Agent or local wallet not found: ${nameOrId}`);
+    process.exit(1);
+  }
+  const KNOWN_TOKENS = {
+    "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU": "USDC",
+    "Es9vMFrzaCERmJfrF4H2FYD4KCoNkY11McCe8BenwNYB": "USDT",
+    "2u1tszSeqaGNBXyMBCBMHXHNsJL83PbkSbB5CmEZi69W": "USDG"
+  };
+  const solBalance = await getSolBalance(walletAddress);
+  const tokenRes = await fetch(DEVNET_RPC, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ jsonrpc: "2.0", id: 2, method: "getTokenAccountsByOwner", params: [walletAddress, { programId: "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA" }, { encoding: "jsonParsed" }] })
+  });
+  const tokenData = await tokenRes.json();
+  const tokens = (tokenData.result?.value ?? []).map((acc) => {
+    const info = acc.account.data.parsed.info;
+    return { symbol: KNOWN_TOKENS[info.mint] ?? info.mint.slice(0, 8) + "...", uiAmount: info.tokenAmount.uiAmount ?? 0 };
+  }).filter((t) => t.uiAmount > 0);
+  console.log(`
+Balances for ${name} (${walletAddress})${local ? " [local]" : ""}:`);
+  console.log(`  SOL     ${solBalance.toFixed(6)}`);
+  for (const t of tokens) {
+    console.log(`  ${t.symbol.padEnd(6)}  ${t.uiAmount}`);
+  }
+  console.log();
+}
+async function sendLocalSol(nameOrId, to, amountSol, displayAmount) {
+  const wallet = loadLocalWalletByNameOrId(nameOrId);
+  if (!wallet) {
+    console.error(`Agent or local wallet not found: ${nameOrId}`);
+    process.exit(1);
+  }
+  const amountUsd = await solToUsd(amountSol);
+  try {
+    checkPolicy({ ...wallet.policy, allowedDomains: [] }, amountUsd, `solana:${to}`, wallet.spendHistory);
+  } catch (err) {
+    console.error("Policy rejected:", err?.message ?? String(err));
+    process.exit(1);
+  }
+  const signer = await getLocalWalletSigner(wallet);
+  const rpc = createSolanaRpc(devnet(DEVNET_RPC));
+  const rpcSubscriptions = createSolanaRpcSubscriptions(devnet(DEVNET_WS));
+  const sendAndConfirm = sendAndConfirmTransactionFactory({ rpc, rpcSubscriptions });
+  const { value: latestBlockhash } = await rpc.getLatestBlockhash().send();
+  const transactionMessage = pipe(
+    createTransactionMessage({ version: "legacy" }),
+    (m) => setTransactionMessageFeePayerSigner(signer, m),
+    (m) => setTransactionMessageLifetimeUsingBlockhash(latestBlockhash, m),
+    (m) => appendTransactionMessageInstruction(
+      getTransferSolInstruction({
+        source: signer,
+        destination: address(to),
+        amount: BigInt(Math.round(amountSol * LAMPORTS_PER_SOL))
+      }),
+      m
+    )
+  );
+  const signedTransaction = await signTransactionMessageWithSigners(transactionMessage);
+  await sendAndConfirm(signedTransaction, { commitment: "confirmed" });
+  const signature = getSignatureFromTransaction(signedTransaction);
+  recordLocalSpend(wallet, {
+    amount: amountUsd,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    url: `solana:${to}`
+  });
+  console.log(`
+Sent from local wallet ${wallet.name}!`);
+  console.log(`  Amount:    ${displayAmount}`);
+  console.log(`  Signature: ${signature}`);
+  console.log(`  Explorer:  https://explorer.solana.com/tx/${signature}?cluster=devnet
+`);
+}
+async function agentSend(args2) {
+  if (args2.length < 3) {
+    console.error("Usage: agentis agent send <name-or-id> <to> <amount> [--sol] [--token <mint>]");
+    process.exit(1);
+  }
+  const [nameOrId, to, amountStr, ...flags] = args2;
+  const isSol = flags.includes("--sol");
+  const tokenIdx = flags.indexOf("--token");
+  const tokenMint = tokenIdx !== -1 ? flags[tokenIdx + 1] : null;
+  const rawAmount = parseFloat(amountStr);
+  if (isNaN(rawAmount) || rawAmount <= 0) {
+    console.error("Invalid amount");
+    process.exit(1);
+  }
+  let amountSol;
+  const displayAmount = isSol ? `${rawAmount} SOL` : `${rawAmount} lamports`;
+  if (tokenMint) {
+    console.error("SPL token send not yet supported via CLI");
+    process.exit(1);
+  } else if (isSol) {
+    amountSol = rawAmount;
+  } else {
+    amountSol = rawAmount / 1e9;
+  }
+  const token = await getToken();
+  const agent = token ? await findHostedAgent(nameOrId, token) : null;
+  if (!agent) {
+    console.log(`
+Sending ${displayAmount} to ${to} from local wallet...`);
+    await sendLocalSol(nameOrId, to, amountSol, displayAmount);
+    return;
+  }
+  console.log(`
+Sending ${displayAmount} to ${to} from hosted agent...`);
+  const res = await apiFetch(`/agents/${agent.id}/send`, {
+    method: "POST",
+    body: JSON.stringify({ to, amountSol })
+  }, token);
+  if (!res.ok) {
+    const data2 = await res.json();
+    console.error("Send failed:", data2.error ?? res.statusText);
+    process.exit(1);
+  }
+  const data = await res.json();
+  console.log(`
+Sent!`);
+  console.log(`  Signature: ${data.signature}`);
+  console.log(`  Explorer:  https://explorer.solana.com/tx/${data.signature}?cluster=devnet
+`);
+}
+
+// src/commands/wallet.ts
+async function walletCreate(args2) {
+  const nameIdx = args2.indexOf("--name");
+  const name = nameIdx !== -1 ? args2[nameIdx + 1] : void 0;
+  const isLocal = args2.includes("--local");
+  if (!name) {
+    console.error("Usage: agentis wallet create --name <name> [--local]");
+    process.exit(1);
+  }
+  const token = await getToken();
+  if (!token || isLocal) {
+    const { wallet } = createLocalWallet(name);
+    console.log(`
+Wallet created (local)`);
+    console.log(`  Name:    ${wallet.name}`);
+    console.log(`  ID:      ${wallet.id}`);
+    console.log(`  Solana:  ${wallet.solanaAddress}`);
+    console.log(`  Vault:   ~/.agentis/wallets/${wallet.id}.json
+`);
+    if (!token) {
+      console.log(`  tip: run \`agentis login\` to create hosted wallets managed by Agentis.
+`);
+    }
+    return;
+  }
+  const res = await apiFetch("/account/agents", {
+    method: "POST",
+    body: JSON.stringify({ name })
+  }, token);
+  if (!res.ok) {
+    const data = await res.json();
+    console.error("Failed to create hosted wallet:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  const agent = await res.json();
+  console.log(`
+Wallet created (hosted)`);
+  console.log(`  Name:    ${agent.name}`);
+  console.log(`  ID:      ${agent.id}`);
+  console.log(`  Solana:  ${agent.walletAddress}`);
+  console.log(`  API Key: ${agent.apiKey}
+`);
+}
+async function walletList() {
+  const token = await getToken();
+  const localWallets = listLocalWallets();
+  if (token) {
+    try {
+      const res = await apiFetch("/account/agents", {}, token);
+      if (res.ok) {
+        const hosted = await res.json();
+        if (hosted.length > 0) {
+          console.log("\nHosted wallets:");
+          for (const a of hosted) {
+            console.log(`  ${a.name.padEnd(20)} ${a.walletAddress}  [${a.id}]`);
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  if (localWallets.length > 0) {
+    console.log("\nLocal wallets:");
+    for (const w of localWallets) {
+      console.log(`  ${w.name.padEnd(20)} ${w.solanaAddress}  [${w.id}]`);
+    }
+  }
+  if (localWallets.length === 0 && !token) {
+    console.log("No wallets found. Run `agentis wallet create --name <name>` to create one.");
+  }
+  console.log();
+}
+
+// src/commands/policy.ts
+async function findHostedAgent2(nameOrId, token) {
+  return findAccountAgent(nameOrId, token);
+}
+function printPolicy(name, p, scope) {
+  console.log(`
+Policy for ${name} (${scope}):`);
+  if (scope === "hosted" && p.policyMode) {
+    console.log(`  Mode:           ${p.policyMode}${p.onchainPolicy?.initialized ? " (initialized)" : p.policyMode === "onchain" ? " (pending init)" : ""}`);
+  }
+  console.log(`  Kill switch:    ${p.killSwitch ? "ON (agent halted)" : "off"}`);
+  console.log(`  Max per tx:     ${p.maxPerTx !== null ? `$${p.maxPerTx}` : "unlimited"}`);
+  console.log(`  Hourly limit:   ${p.hourlyLimit !== null ? `$${p.hourlyLimit}` : "unlimited"}`);
+  console.log(`  Daily limit:    ${p.dailyLimit !== null ? `$${p.dailyLimit}` : "unlimited"}`);
+  console.log(`  Monthly limit:  ${p.monthlyLimit !== null ? `$${p.monthlyLimit}` : "unlimited"}`);
+  console.log(`  Total budget:   ${p.maxBudget !== null ? `$${p.maxBudget}` : "unlimited"}`);
+  console.log(`  Allowed domains: ${p.allowedDomains?.length > 0 ? p.allowedDomains.join(", ") : "all"}`);
+  console.log();
+}
+function applyPolicyFlags(existingPolicy, args2) {
+  const policy = { ...DEFAULT_LOCAL_POLICY, ...existingPolicy ?? {} };
+  const get = (flag2) => {
+    const idx = args2.indexOf(flag2);
+    return idx !== -1 ? args2[idx + 1] : void 0;
+  };
+  if (args2.includes("--kill")) policy.killSwitch = true;
+  if (args2.includes("--resume")) policy.killSwitch = false;
+  if (get("--max-per-tx") !== void 0) policy.maxPerTx = parseFloat(get("--max-per-tx"));
+  if (get("--hourly") !== void 0) policy.hourlyLimit = parseFloat(get("--hourly"));
+  if (get("--daily") !== void 0) policy.dailyLimit = parseFloat(get("--daily"));
+  if (get("--monthly") !== void 0) policy.monthlyLimit = parseFloat(get("--monthly"));
+  if (get("--budget") !== void 0) policy.maxBudget = parseFloat(get("--budget"));
+  if (get("--allow")) {
+    const domain = get("--allow").replace(/^https?:\/\//, "").toLowerCase();
+    policy.allowedDomains = [.../* @__PURE__ */ new Set([...policy.allowedDomains ?? [], domain])];
+  }
+  if (get("--disallow")) {
+    const domain = get("--disallow").replace(/^https?:\/\//, "").toLowerCase();
+    policy.allowedDomains = (policy.allowedDomains ?? []).filter((d) => d !== domain);
+  }
+  return policy;
+}
+async function policyGet(nameOrId) {
+  if (!nameOrId) {
+    console.error("Usage: agentis policy get <name-or-id>");
+    process.exit(1);
+  }
+  const token = await getToken();
+  const hosted = token ? await findHostedAgent2(nameOrId, token) : null;
+  if (hosted) {
+    printPolicy(hosted.name, { ...DEFAULT_LOCAL_POLICY, ...hosted.policy ?? {}, policyMode: hosted.policyMode ?? "backend", onchainPolicy: hosted.onchainPolicy }, "hosted");
+    return;
+  }
+  const local = loadLocalWalletByNameOrId(nameOrId);
+  if (local) {
+    printPolicy(local.name, local.policy, "local");
+    return;
+  }
+  console.error(`Agent or local wallet not found: ${nameOrId}`);
+  process.exit(1);
+}
+async function policySet(nameOrId, args2) {
+  if (!nameOrId) {
+    console.error("Usage: agentis policy set <name-or-id> [flags]");
+    process.exit(1);
+  }
+  const token = await getToken();
+  const hosted = token ? await findHostedAgent2(nameOrId, token) : null;
+  if (hosted && token) {
+    const policy = applyPolicyFlags(hosted.policy, args2);
+    const res = await apiFetch(`/agents/${hosted.id}`, {
+      method: "PATCH",
+      body: JSON.stringify({ policy })
+    }, token);
+    if (!res.ok) {
+      const data = await res.json();
+      console.error("Failed to update policy:", data.error ?? res.statusText);
+      process.exit(1);
+    }
+    console.log(`
+Policy updated for ${hosted.name} (hosted).
+`);
+    return;
+  }
+  const local = loadLocalWalletByNameOrId(nameOrId);
+  if (local) {
+    local.policy = applyPolicyFlags(local.policy, args2);
+    saveLocalWallet(local);
+    console.log(`
+Policy updated for ${local.name} (local).
+`);
+    return;
+  }
+  console.error(`Agent or local wallet not found: ${nameOrId}`);
+  process.exit(1);
+}
+async function policyInitOnchain(nameOrId) {
+  if (!nameOrId) {
+    console.error("Usage: agentis policy init-onchain <name-or-id>");
+    process.exit(1);
+  }
+  const token = await getToken();
+  const hosted = token ? await findHostedAgent2(nameOrId, token) : null;
+  if (!hosted || !token) {
+    console.error(`Hosted agent not found: ${nameOrId}`);
+    process.exit(1);
+  }
+  const res = await apiFetch(`/agents/${hosted.id}/policy/onchain/initialize`, {
+    method: "POST"
+  }, token);
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    console.error("Failed to initialize on-chain policy:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  console.log(`
+On-chain policy initialized for ${data.name}.`);
+  console.log(`  Agent PDA:   ${data.onchainPolicy?.agent}`);
+  console.log(`  Policy PDA:  ${data.onchainPolicy?.policy}`);
+  console.log(`  Counter PDA: ${data.onchainPolicy?.spendCounter}`);
+  console.log(`  Signature:   ${data.onchainPolicy?.initializedSignature}
+`);
+}
+
+// src/commands/fetch.ts
+function getFlag(args2, flag2) {
+  const idx = args2.indexOf(flag2);
+  return idx === -1 ? void 0 : args2[idx + 1];
+}
+async function resolveHostedAgent(nameOrId, token) {
+  return resolveAccountAgent(nameOrId, token);
+}
+async function paidFetch(args2) {
+  const url = args2[0];
+  const agentName = getFlag(args2, "--agent");
+  const method = getFlag(args2, "--method") ?? "GET";
+  if (!url || !agentName) {
+    console.error("Usage: agentis fetch <url> --agent <name-or-id> [--method GET]");
+    process.exit(1);
+  }
+  const token = await getToken();
+  if (!token) {
+    console.error("Not logged in. Run `agentis login` first.");
+    process.exit(1);
+  }
+  const agent = await resolveHostedAgent(agentName, token);
+  const res = await apiFetch(`/agents/${agent.id}/fetch`, {
+    method: "POST",
+    body: JSON.stringify({ url, method })
+  }, token);
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    console.error("Fetch failed:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  console.log(`status ${data.status}`);
+  if (data.body) console.log(data.body);
+}
+
+// src/commands/privacy.ts
+function getFlag2(args2, flag2) {
+  const idx = args2.indexOf(flag2);
+  return idx === -1 ? void 0 : args2[idx + 1];
+}
+function hasFlag(args2, flag2) {
+  return args2.includes(flag2);
+}
+async function resolveHostedAgent2(nameOrId, token) {
+  return resolveAccountAgent(nameOrId, token);
+}
+async function getPrivacyContext(args2) {
+  const agentName = getFlag2(args2, "--agent");
+  if (!agentName) {
+    console.error("Missing --agent <name-or-id>");
+    process.exit(1);
+  }
+  const token = await getToken();
+  if (!token) {
+    console.error("Not logged in. Run `agentis login` first.");
+    process.exit(1);
+  }
+  const agent = await resolveHostedAgent2(agentName, token);
+  return { token, agent };
+}
+function printJson(value) {
+  console.log(JSON.stringify(value, null, 2));
+}
+function getAmountOptions(args2) {
+  return {
+    amount: getFlag2(args2, "--amount"),
+    mint: getFlag2(args2, "--mint")
+  };
+}
+async function privacyFetch(context, path, body) {
+  const res = await apiFetch(`/agents/${context.agent.id}/umbra${path}`, body === void 0 ? {} : {
+    method: "POST",
+    body: JSON.stringify(body)
+  }, context.token);
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    console.error("Privacy request failed:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  return data;
+}
+async function privacyCommand(args2) {
+  const sub2 = args2[0];
+  const rest = args2.slice(1);
+  if (!sub2) {
+    console.log("Usage: agentis privacy <status|register|balance|deposit|withdraw|create-utxo|scan|claim-latest> --agent <name-or-id>");
+    return;
+  }
+  const context = await getPrivacyContext(rest);
+  switch (sub2) {
+    case "status":
+      printJson(await privacyFetch(context, "/status"));
+      break;
+    case "register":
+      printJson(await privacyFetch(context, "/register", {
+        confidential: !hasFlag(rest, "--no-confidential"),
+        anonymous: !hasFlag(rest, "--no-anonymous")
+      }));
+      break;
+    case "balance":
+      printJson(await privacyFetch(context, `/balance${getFlag2(rest, "--mint") ? `?mint=${encodeURIComponent(getFlag2(rest, "--mint"))}` : ""}`));
+      break;
+    case "deposit":
+      printJson(await privacyFetch(context, "/deposit", getAmountOptions(rest)));
+      break;
+    case "withdraw":
+      printJson(await privacyFetch(context, "/withdraw", getAmountOptions(rest)));
+      break;
+    case "create-utxo":
+      printJson(await privacyFetch(context, "/create-utxo", {
+        ...getAmountOptions(rest),
+        to: getFlag2(rest, "--to")
+      }));
+      break;
+    case "scan":
+      printJson(await privacyFetch(context, "/scan"));
+      break;
+    case "claim-latest":
+      printJson(await privacyFetch(context, "/claim-latest", {}));
+      break;
+    default:
+      console.log("Usage: agentis privacy <status|register|balance|deposit|withdraw|create-utxo|scan|claim-latest> --agent <name-or-id>");
+  }
+}
+
+// src/commands/facilitator.ts
+import { mkdir, readdir, readFile, stat, writeFile } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import { dirname, join as join2, resolve } from "path";
+import { randomBytes as randomBytes2 } from "crypto";
+var DEVNET_USDC = "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU";
+var SOLANA_DEVNET_NETWORK = "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1";
+async function requireAuth2() {
+  const token = await getToken();
+  if (!token) {
+    console.error("Not logged in. Run `agentis login` first.");
+    process.exit(1);
+  }
+  return token;
+}
+function flag(args2, name) {
+  const idx = args2.indexOf(name);
+  return idx === -1 ? void 0 : args2[idx + 1];
+}
+function hasFlag2(args2, name) {
+  return args2.includes(name);
+}
+function firstPositional(args2, valueFlags = []) {
+  const skip = /* @__PURE__ */ new Set();
+  for (const valueFlag of valueFlags) {
+    const idx = args2.indexOf(valueFlag);
+    if (idx !== -1) {
+      skip.add(idx);
+      skip.add(idx + 1);
+    }
+  }
+  return args2.find((part, idx) => !skip.has(idx) && !part.startsWith("--"));
+}
+function parseFeeBps(value) {
+  if (!value) return 500;
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed < 0 || parsed > 1e4) {
+    console.error("--fee-bps must be between 0 and 10000");
+    process.exit(1);
+  }
+  return parsed;
+}
+async function renderTemplateDir(sourceDir, targetDir, values) {
+  const entries = await readdir(sourceDir);
+  await mkdir(targetDir, { recursive: true });
+  for (const entry2 of entries) {
+    const sourcePath = join2(sourceDir, entry2);
+    const stats = await stat(sourcePath);
+    const targetName = entry2.endsWith(".tpl") ? entry2.slice(0, -4) : entry2;
+    const targetPath = join2(targetDir, targetName);
+    if (stats.isDirectory()) {
+      await renderTemplateDir(sourcePath, targetPath, values);
+      continue;
+    }
+    let content = await readFile(sourcePath, "utf8");
+    for (const [key, value] of Object.entries(values)) {
+      content = content.replaceAll(`{{${key}}}`, value);
+    }
+    await mkdir(dirname(targetPath), { recursive: true });
+    await writeFile(targetPath, content);
+  }
+}
+function facilitatorTemplateDir() {
+  const candidates = [
+    // Source layout: packages/cli/src/commands -> packages/cli/templates
+    join2(import.meta.dir, "../../templates/facilitator"),
+    // Published layout: packages/cli/dist -> packages/cli/templates
+    join2(import.meta.dir, "../templates/facilitator")
+  ];
+  const found = candidates.find((candidate) => existsSync2(candidate));
+  if (!found) {
+    throw new Error("Could not locate facilitator template directory in the Agentis CLI package");
+  }
+  return found;
+}
+async function facilitatorCommand(args2) {
+  const sub2 = args2[0];
+  switch (sub2) {
+    case "create":
+      await facilitatorCreate(args2.slice(1));
+      break;
+    case "list":
+      await facilitatorList();
+      break;
+    case "publish":
+      await facilitatorPublish(args2.slice(1));
+      break;
+    default:
+      console.log("Usage: agentis facilitator <create|list|publish>");
+  }
+}
+async function facilitatorCreate(args2) {
+  const name = firstPositional(args2, ["--dir", "--network", "--mint", "--fee-bps"]);
+  if (!name) {
+    console.error("Usage: agentis facilitator create <name> [--dir <path>] [--network solana-devnet] [--mint <mint>] [--fee-bps <bps>] [--listed]");
+    process.exit(1);
+  }
+  const token = await requireAuth2();
+  const network = flag(args2, "--network") ?? SOLANA_DEVNET_NETWORK;
+  const acceptedMint = flag(args2, "--mint") ?? DEVNET_USDC;
+  const feeBps = parseFeeBps(flag(args2, "--fee-bps"));
+  const targetDir = resolve(flag(args2, "--dir") ?? `agentis-facilitator-${name}`);
+  if (existsSync2(targetDir)) {
+    console.error(`Target directory already exists: ${targetDir}`);
+    process.exit(1);
+  }
+  const res = await apiFetch("/account/facilitators", {
+    method: "POST",
+    body: JSON.stringify({
+      name,
+      network,
+      acceptedMint,
+      feeBps,
+      listed: hasFlag2(args2, "--listed")
+    })
+  }, token);
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    console.error("Failed to register facilitator:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  const facilitator = await res.json();
+  const templateDir = facilitatorTemplateDir();
+  const koraApiKey = "kora_" + randomBytes2(24).toString("hex");
+  await renderTemplateDir(templateDir, targetDir, {
+    NAME: name,
+    FACILITATOR_ID: facilitator.id,
+    HEARTBEAT_SECRET: facilitator.heartbeatSecret,
+    AGENTIS_API_URL: API_BASE,
+    NETWORK: network,
+    ACCEPTED_MINT: acceptedMint,
+    FEE_BPS: String(feeBps),
+    KORA_API_KEY: koraApiKey
+  });
+  console.log("\nFacilitator scaffold created");
+  console.log(`  Name:      ${name}`);
+  console.log(`  ID:        ${facilitator.id}`);
+  console.log(`  Directory: ${targetDir}`);
+  console.log(`  Fee:       ${feeBps} bps`);
+  console.log("\nNext:");
+  console.log(`  cd ${targetDir}`);
+  console.log("  bun install");
+  console.log("  cp .env.example .env");
+  console.log("  # fill KORA_PRIVATE_KEY and fund the Kora signer with SOL");
+  console.log("  bun run dev\n");
+}
+async function facilitatorList() {
+  const token = await requireAuth2();
+  const res = await apiFetch("/account/facilitators", {}, token);
+  if (!res.ok) {
+    console.error("Failed to fetch facilitators");
+    process.exit(1);
+  }
+  const facilitators = await res.json();
+  if (facilitators.length === 0) {
+    console.log("No facilitators found. Run `agentis facilitator create <name>`.");
+    return;
+  }
+  console.log();
+  for (const f of facilitators) {
+    const url = f.publicUrl ? ` ${f.publicUrl}` : "";
+    const listed = f.listed ? " listed" : "";
+    console.log(`  ${f.name.padEnd(24)} ${f.status.padEnd(10)} ${f.id}${listed}${url}`);
+  }
+  console.log();
+}
+async function facilitatorPublish(args2) {
+  const nameOrId = firstPositional(args2, ["--url"]);
+  const publicUrl = flag(args2, "--url");
+  if (!nameOrId || !publicUrl) {
+    console.error("Usage: agentis facilitator publish <name-or-id> --url <public-url> [--listed]");
+    process.exit(1);
+  }
+  const token = await requireAuth2();
+  const list = await apiFetch("/account/facilitators", {}, token);
+  if (!list.ok) {
+    console.error("Failed to fetch facilitators");
+    process.exit(1);
+  }
+  const facilitators = await list.json();
+  const facilitator = facilitators.find((f) => f.id === nameOrId || f.name === nameOrId);
+  if (!facilitator) {
+    console.error(`Facilitator not found: ${nameOrId}`);
+    process.exit(1);
+  }
+  const res = await apiFetch(`/account/facilitators/${facilitator.id}`, {
+    method: "PATCH",
+    body: JSON.stringify({
+      publicUrl,
+      listed: hasFlag2(args2, "--listed") ? true : facilitator.listed
+    })
+  }, token);
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    console.error("Failed to publish facilitator:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  const updated = await res.json();
+  console.log(`Published ${updated.name}: ${updated.publicUrl}`);
+}
+
+// src/commands/earn.ts
+import { address as address2, getAddressEncoder, getProgramDerivedAddress } from "@solana/kit";
+var MAINNET_RPC = process.env.AGENTIS_MAINNET_RPC_URL ?? "https://api.mainnet-beta.solana.com";
+var USDC_MAINNET_MINT = "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v";
+var TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
+var ASSOCIATED_TOKEN_PROGRAM = "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL";
+var addressEncoder = getAddressEncoder();
+function getFlag3(args2, flag2) {
+  const idx = args2.indexOf(flag2);
+  return idx === -1 ? void 0 : args2[idx + 1];
+}
+async function requireAuth3() {
+  const token = await getToken();
+  if (!token) {
+    console.error("Not logged in. Run `agentis login` first.");
+    process.exit(1);
+  }
+  return token;
+}
+async function earnCommand(args2) {
+  const sub2 = args2[0];
+  switch (sub2) {
+    case "deposit":
+      await earnDeposit(args2.slice(1));
+      break;
+    case "positions":
+      await earnPositions(args2.slice(1));
+      break;
+    case "sweep":
+      await earnSweep(args2.slice(1));
+      break;
+    default:
+      console.log("Usage: agentis earn <deposit|positions|sweep>");
+  }
+}
+async function earnDeposit(args2) {
+  const agentName = args2[0];
+  const asset = getFlag3(args2, "--asset") ?? "USDC";
+  const amount = getFlag3(args2, "--amount");
+  const mainnet = args2.includes("--mainnet");
+  if (!agentName || !amount || !mainnet) {
+    console.error("Usage: agentis earn deposit <agent> --asset USDC --amount <amount> --mainnet");
+    process.exit(1);
+  }
+  const amountNum = Number(amount);
+  if (!Number.isFinite(amountNum) || amountNum <= 0) {
+    console.error("Invalid amount");
+    process.exit(1);
+  }
+  const token = await requireAuth3();
+  const agent = await resolveAccountAgent(agentName, token);
+  console.log(`
+Depositing ${amountNum} ${asset.toUpperCase()} into Jupiter Earn from ${agent.name} on mainnet...`);
+  const res = await apiFetch(`/agents/${agent.id}/earn/deposit`, {
+    method: "POST",
+    body: JSON.stringify({
+      network: "mainnet",
+      asset,
+      amount: amountNum
+    })
+  }, token);
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    console.error("Earn deposit failed:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  console.log("\nEarn deposit submitted.");
+  console.log(`  Signature: ${data.signature}`);
+  console.log(`  Amount:    ${data.amount} ${asset.toUpperCase()}`);
+  console.log(`  Explorer:  https://solscan.io/tx/${data.signature}
+`);
+}
+async function earnPositions(args2) {
+  const agentName = args2[0];
+  const mainnet = args2.includes("--mainnet");
+  const showAll = args2.includes("--all");
+  if (!agentName || !mainnet) {
+    console.error("Usage: agentis earn positions <agent> --mainnet [--all]");
+    process.exit(1);
+  }
+  const token = await requireAuth3();
+  const agent = await resolveAccountAgent(agentName, token);
+  const res = await apiFetch(`/agents/${agent.id}/earn/positions?network=mainnet`, {}, token);
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    console.error("Earn positions failed:", data.error ?? res.statusText);
+    process.exit(1);
+  }
+  const positions = Array.isArray(data.positions) ? data.positions : [];
+  const visible = showAll ? positions : positions.filter((p) => Number(p.underlyingAssets ?? 0) > 0 || Number(p.shares ?? 0) > 0);
+  console.log(`
+Jupiter Earn positions for ${agent.name} (${data.walletAddress})`);
+  if (visible.length === 0) {
+    console.log(showAll ? "  No positions returned." : "  No non-zero positions. Use --all to show empty vaults.");
+    console.log();
+    return;
+  }
+  for (const p of visible) {
+    const symbol = p.token?.asset?.uiSymbol ?? p.token?.asset?.symbol ?? p.token?.symbol ?? "UNKNOWN";
+    const jlSymbol = p.token?.uiSymbol ?? p.token?.symbol ?? "jlToken";
+    const decimals = Number(p.token?.asset?.decimals ?? p.token?.decimals ?? 6);
+    const underlyingUi = Number(p.underlyingAssets ?? 0) / 10 ** decimals;
+    const sharesUi = Number(p.shares ?? 0) / 10 ** Number(p.token?.decimals ?? decimals);
+    console.log(`  ${symbol.padEnd(8)} ${underlyingUi.toFixed(6)} supplied  (${sharesUi.toFixed(6)} ${jlSymbol})`);
+    console.log(`           token: ${p.token?.address ?? "unknown"}`);
+  }
+  console.log();
+}
+async function mainnetRpc(method, params) {
+  for (let attempt = 0; attempt < 5; attempt++) {
+    const res = await fetch(MAINNET_RPC, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params })
+    });
+    const data = await res.json();
+    if (!data.error) return data.result;
+    const message = data.error.message ?? `RPC ${method} failed`;
+    const isRateLimit = /too many requests|rate/i.test(message);
+    if (!isRateLimit || attempt === 4) throw new Error(message);
+    await new Promise((resolve2) => setTimeout(resolve2, 500 * (attempt + 1)));
+  }
+  throw new Error(`RPC ${method} failed`);
+}
+async function getAssociatedTokenAddress(owner, mint) {
+  const [ata] = await getProgramDerivedAddress({
+    programAddress: address2(ASSOCIATED_TOKEN_PROGRAM),
+    seeds: [
+      addressEncoder.encode(address2(owner)),
+      addressEncoder.encode(address2(TOKEN_PROGRAM)),
+      addressEncoder.encode(address2(mint))
+    ]
+  });
+  return ata;
+}
+function readSplTokenAmountFromBase64(data) {
+  const bytes = Buffer.from(data, "base64");
+  if (bytes.length < 72) return 0n;
+  return bytes.readBigUInt64LE(64);
+}
+async function getMainnetUsdcBalancesAtomic(walletAddresses) {
+  const entries = await Promise.all(
+    walletAddresses.map(async (wallet) => ({
+      wallet,
+      ata: await getAssociatedTokenAddress(wallet, USDC_MAINNET_MINT)
+    }))
+  );
+  const balances = /* @__PURE__ */ new Map();
+  for (let i = 0; i < entries.length; i += 100) {
+    const chunk = entries.slice(i, i + 100);
+    const result = await mainnetRpc("getMultipleAccounts", [
+      chunk.map((entry2) => entry2.ata),
+      { encoding: "base64", commitment: "confirmed" }
+    ]);
+    for (let j = 0; j < chunk.length; j++) {
+      const account = result.value?.[j];
+      const amount = account ? readSplTokenAmountFromBase64(account.data[0]) : 0n;
+      balances.set(chunk[j].wallet, amount);
+    }
+  }
+  return balances;
+}
+function atomicToUiString(amount, decimals = 6) {
+  const base = 10n ** BigInt(decimals);
+  const whole = amount / base;
+  const fraction = amount % base;
+  if (fraction === 0n) return whole.toString();
+  return `${whole}.${fraction.toString().padStart(decimals, "0").replace(/0+$/, "")}`;
+}
+async function buildSweepPlan(token) {
+  const agents = await fetchAccountAgents(token);
+  const plan = [];
+  const balances = await getMainnetUsdcBalancesAtomic(agents.map((agent) => agent.walletAddress));
+  for (const agent of agents) {
+    const usdcAtomic = balances.get(agent.walletAddress) ?? 0n;
+    plan.push({
+      agent,
+      usdcAtomic,
+      amountUi: atomicToUiString(usdcAtomic, 6)
+    });
+  }
+  return plan;
+}
+function printSweepPlan(plan) {
+  const sweepable = plan.filter((item) => item.usdcAtomic > 0n);
+  const totalAtomic = sweepable.reduce((sum, item) => sum + item.usdcAtomic, 0n);
+  console.log("\nJupiter Earn sweep dry-run (mainnet USDC)");
+  if (plan.length === 0) {
+    console.log("  No hosted agents found.\n");
+    return;
+  }
+  for (const item of plan) {
+    const action = item.usdcAtomic > 0n ? "sweep" : "skip";
+    const usdc = atomicToUiString(item.usdcAtomic, 6);
+    console.log(`  ${item.agent.name.padEnd(22)} ${action.padEnd(5)} ${usdc.padStart(12)} USDC`);
+    console.log(`  ${" ".repeat(22)} wallet ${item.agent.walletAddress}`);
+  }
+  console.log(`
+  Total sweepable: ${atomicToUiString(totalAtomic, 6)} USDC across ${sweepable.length} agent(s).
+`);
+}
+async function executeSweep(token, plan) {
+  const sweepable = plan.filter((item) => item.usdcAtomic > 0n);
+  if (sweepable.length === 0) return;
+  console.log("Executing Jupiter Earn sweep...");
+  for (const item of sweepable) {
+    console.log(`
+Depositing ${item.amountUi} USDC from ${item.agent.name}...`);
+    const res = await apiFetch(`/agents/${item.agent.id}/earn/deposit`, {
+      method: "POST",
+      body: JSON.stringify({
+        network: "mainnet",
+        asset: "USDC",
+        amount: item.amountUi
+      })
+    }, token);
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      console.error(`  Failed: ${data.error ?? res.statusText}`);
+      continue;
+    }
+    console.log(`  Signature: ${data.signature}`);
+    console.log(`  Explorer:  https://solscan.io/tx/${data.signature}`);
+  }
+  console.log();
+}
+async function earnSweep(args2) {
+  const dryRun = args2.includes("--dry-run");
+  const noDryRun = args2.includes("--no-dry-run");
+  if (dryRun && noDryRun) {
+    console.error("Use either --dry-run or --no-dry-run, not both.");
+    process.exit(1);
+  }
+  const token = await requireAuth3();
+  const plan = await buildSweepPlan(token);
+  if (dryRun) {
+    printSweepPlan(plan);
+    return;
+  }
+  if (!noDryRun) {
+    printSweepPlan(plan);
+  }
+  await executeSweep(token, plan);
+}
+
+// src/index.ts
+var args = process.argv.slice(2);
+var cmd = args[0];
+var sub = args[1];
+var blue = "\x1B[38;5;117m";
+var green = "\x1B[38;5;114m";
+var muted = "\x1B[38;5;244m";
+var bold = "\x1B[1m";
+var reset = "\x1B[0m";
+function showHelp() {
+  console.log(`${blue}${bold}
+ \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
+\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D
+\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
+\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551
+\u2588\u2588\u2551  \u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551
+\u255A\u2550\u255D  \u255A\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+${reset}${muted}v0.1.0${reset}
+
+${bold}Agentis${reset} \u2014 financial infrastructure for AI agents
+
+${green}${bold}Commands:${reset}
+  login                                    authenticate with your Agentis account
+  logout                                   remove stored credentials
+  whoami                                   show current account
+
+  wallet create --name <name>              create hosted wallet (requires login)
+  wallet create --name <name> --local      create local encrypted wallet
+  wallet list                              list all wallets (hosted + local)
+
+  agent list                               list your hosted agents
+  agent create <name>                      create a new hosted agent
+    --onchain-policy                       create with Quasar on-chain policy mode
+  agent send <name-or-id> <to> <amount>    send SOL (amount in lamports)
+    --sol                                  treat amount as SOL instead of lamports
+    --token <mint>                         send SPL token (amount in atomic units)
+
+  fetch <url> --agent <name-or-id>         fetch a URL and auto-pay MPP/x402 402s
+    --method <method>                      HTTP method (default GET)
+
+  earn deposit <agent>                     deposit into Jupiter Earn (mainnet only)
+    --asset USDC                           asset to deposit
+    --amount <amount>                      UI amount, e.g. 1 for 1 USDC
+    --mainnet                              required safety flag
+  earn positions <agent> --mainnet         show Jupiter Earn positions
+  earn sweep [--dry-run|--no-dry-run]      sweep all agents' mainnet USDC into Earn
+
+  facilitator create <name>                scaffold a Kora-backed x402 facilitator
+    --dir <path>                           output directory
+    --fee-bps <bps>                        prepaid seller fee rate (default 500)
+    --listed                               opt into public facilitator discovery
+  facilitator list                         list registered facilitators
+  facilitator publish <name-or-id> --url   set public URL and optional listing
+
+  privacy status --agent <name-or-id>      show direct Umbra account status
+  privacy register --agent <name-or-id>    register server-side Privy wallet with Umbra
+  privacy balance --agent <name-or-id>     show encrypted balance
+  privacy deposit --agent <name-or-id>     deposit into encrypted balance
+    --amount <atomic>                      token amount in atomic units
+    --mint <mint>                          token mint (default: devnet wSOL/SOL)
+  privacy withdraw --agent <name-or-id>    withdraw encrypted balance to public balance
+  privacy create-utxo --agent <name-or-id> create receiver-claimable UTXO
+    --to <wallet>                          destination wallet
+  privacy scan --agent <name-or-id>        scan claimable UTXOs
+  privacy claim-latest --agent <name-or-id> claim latest publicReceived UTXO
+
+  policy get <name-or-id>                  show agent policy
+  policy set <name-or-id> [flags]          update agent policy
+  policy init-onchain <name-or-id>         initialize Quasar policy PDAs after funding
+    --kill                                 activate kill switch
+    --resume                               deactivate kill switch
+    --max-per-tx <usd>                     max spend per transaction
+    --hourly <usd>                         hourly spend limit
+    --daily <usd>                          daily spend limit
+    --monthly <usd>                        monthly spend limit
+    --budget <usd>                         total lifetime budget cap
+    --allow <domain>                       add domain to whitelist
+    --disallow <domain>                    remove domain from whitelist
+`);
+}
+async function main() {
+  switch (cmd) {
+    case "login":
+      await login();
+      break;
+    case "logout":
+      await logout();
+      break;
+    case "whoami":
+      await whoami();
+      break;
+    case "wallet":
+      switch (sub) {
+        case "create":
+          await walletCreate(args.slice(2));
+          break;
+        case "list":
+          await walletList();
+          break;
+        default:
+          console.log("Usage: agentis wallet <create|list>");
+      }
+      break;
+    case "agent":
+      switch (sub) {
+        case "list":
+          await agentList();
+          break;
+        case "create":
+          await agentCreate(args.slice(2));
+          break;
+        case "send":
+          await agentSend(args.slice(2));
+          break;
+        case "balance":
+          await agentBalance(args[2]);
+          break;
+        default:
+          console.log("Usage: agentis agent <list|create|send|balance>");
+      }
+      break;
+    case "policy":
+      switch (sub) {
+        case "get":
+          await policyGet(args[2]);
+          break;
+        case "set":
+          await policySet(args[2], args.slice(3));
+          break;
+        case "init-onchain":
+          await policyInitOnchain(args[2]);
+          break;
+        default:
+          console.log("Usage: agentis policy <get|set|init-onchain>");
+      }
+      break;
+    case "fetch":
+      await paidFetch(args.slice(1));
+      break;
+    case "privacy":
+      await privacyCommand(args.slice(1));
+      break;
+    case "facilitator":
+      await facilitatorCommand(args.slice(1));
+      break;
+    case "earn":
+      await earnCommand(args.slice(1));
+      break;
+    default:
+      showHelp();
+  }
+}
+main().catch((err) => {
+  console.error("Error:", err.message);
+  process.exit(1);
+});