@aura-protocol/cli 0.1.3 → 0.3.0

package/dist/commands/confidential.js

@@ -1,77 +1,69 @@
+import { accounts, instructions } from "@aura-protocol/sdk-ts";
 import { PublicKey, SystemProgram } from "@solana/web3.js";
-import {} from "commander";
-import { buildCliContext } from "../context.js";
-import { printBanner, printSuccess, emitJson, serializeInstruction, startSpinner } from "../output.js";
-import { buildDryRunKeypair, deriveEncryptAccounts, ensureEncryptDeposit, getActivePendingProposal, markInstructionSigner, resolvePendingPolicyOutput, resolvePendingRequestAccount, resolveScalarGuardrails, sendInstructionsWithBudget, waitForCiphertextVerified, waitForDecryptionReady, } from "../protocol.js";
-import { encryptU64, encryptU64Batch, readU64Ciphertext, } from "../ika.js";
-import { renderTreasurySections } from "../treasury-view.js";
-import { loadKeypair } from "../wallet.js";
+import BN from "bn.js";
+import { buildCliContext } from "../core/context.js";
+import { CliError } from "../core/errors.js";
+import { runInstructions } from "../core/runner.js";
+import { loadKeypair } from "../core/wallet.js";
+import { encryptU64, encryptU64Batch, readU64Ciphertext } from "../lib/ika.js";
+import { buildDryRunKeypair, deriveEncryptAccounts, ensureEncryptDeposit, getActivePendingProposal, markInstructionSigner, resolvePendingPolicyOutput, resolvePendingRequestAccount, resolveScalarGuardrails, waitForCiphertextVerified, waitForDecryptionReady, } from "../lib/protocol.js";
+import { renderTreasurySections } from "../lib/treasury-view.js";
+import { emitJson, printBanner, printInfo, printNote, printSuccess, startSpinner, } from "../ui/output.js";
+import { style } from "../ui/theme.js";
 import { buildProposeConfidentialArgs, promptChain, promptNumber, promptString, promptTransactionType, resolveTreasuryAccount, } from "./helpers.js";
+function requireWallet(ctx) {
+    if (!ctx.wallet) {
+        throw new CliError("A wallet is required for this command.", {
+            code: "WALLET_REQUIRED",
+            tip: "Run `aura config init` or pass --wallet <path>.",
+        });
+    }
+    return ctx.wallet;
+}
 function parsePublicKey(value, label) {
     try {
         return new PublicKey(value);
     }
     catch {
-        throw new Error(`${label} must be a valid base58 pubkey`);
-    }
-}
-function normalizeDigestHex(value, label) {
-    if (!value) {
-        return null;
-    }
-    if (!/^[0-9a-fA-F]{64}$/.test(value)) {
-        throw new Error(`${label} must be a 32-byte hex digest`);
-    }
-    return value.toLowerCase();
-}
-function normalizePublicKeyHex(value) {
-    if (!value) {
-        return null;
+        throw CliError.invalidInput(label, "base58 public key");
     }
-    if (!/^[0-9a-fA-F]+$/.test(value) || value.length % 2 !== 0) {
-        throw new Error("publicKeyHex must contain valid hex bytes");
-    }
-    return value.toLowerCase();
 }
-async function sendPreparedInstruction(options) {
-    const { ctx, instruction, extraSigners = [] } = options;
-    if (!ctx.wallet) {
-        throw new Error("A wallet is required for this command.");
-    }
-    return await sendInstructionsWithBudget({
-        connection: ctx.connection,
-        payer: ctx.wallet,
-        instructions: [instruction],
-        extraSigners,
-    });
+function nowBn() {
+    return new BN(Math.floor(Date.now() / 1000));
 }
 export function registerConfidentialCommands(program) {
     const confidential = program
         .command("confidential")
-        .description("Manage confidential guardrails and policy decryption");
-    const deposit = confidential.command("deposit").description("Manage Encrypt deposit accounts");
+        .description("Manage confidential guardrails and the policy decryption flow");
+    // --- deposit ---------------------------------------------------------
+    const deposit = confidential
+        .command("deposit")
+        .description("Manage Encrypt deposit accounts");
     deposit
         .command("ensure")
         .description("Ensure the configured wallet has an Encrypt deposit account")
         .action(async function confidentialDepositEnsure() {
         const ctx = buildCliContext(this);
-        if (!ctx.wallet) {
-            throw new Error("A wallet is required to manage Encrypt deposit accounts.");
-        }
-        const dryRunAccounts = deriveEncryptAccounts(ctx.wallet.publicKey, {
+        const wallet = requireWallet(ctx);
+        const derived = deriveEncryptAccounts(wallet.publicKey, {
             auraProgramId: ctx.programId,
         });
         if (ctx.dryRun) {
-            emitJson(ctx.output, {
-                action: "confidential.deposit.ensure",
-                accounts: dryRunAccounts,
-            });
+            if (ctx.output.json) {
+                emitJson(ctx.output, {
+                    action: "confidential.deposit.ensure",
+                    accounts: derived,
+                });
+            }
+            else {
+                printNote(ctx.output, `Dry run: would ensure Encrypt deposit ${derived.deposit.toBase58()}`);
+            }
             return;
         }
         const spinner = startSpinner(ctx.output, "Ensuring Encrypt deposit account...");
         const result = await ensureEncryptDeposit({
             connection: ctx.connection,
-            payer: ctx.wallet,
+            payer: wallet,
             auraProgramId: ctx.programId,
         });
         spinner.succeed(result.created ? "Encrypt deposit created" : "Encrypt deposit ready");
@@ -79,61 +71,62 @@ export function registerConfidentialCommands(program) {
             emitJson(ctx.output, result);
             return;
         }
-        printSuccess(ctx.output, result.created
-            ? `Encrypt deposit created: ${result.accounts.deposit.toBase58()}`
-            : `Encrypt deposit ready: ${result.accounts.deposit.toBase58()}`);
+        printSuccess(ctx.output, `${result.created ? "Encrypt deposit created" : "Encrypt deposit ready"}: ${result.accounts.deposit.toBase58()}`);
     });
+    // --- guardrails ------------------------------------------------------
     const guardrails = confidential
         .command("guardrails")
         .description("Configure confidential guardrail ciphertexts");
     guardrails
         .command("scalar")
-        .description("Attach scalar guardrail ciphertext accounts")
+        .description("Attach scalar guardrail ciphertext accounts (auto-encrypts via Ika Encrypt)")
         .option("--agent-id <id>", "treasury agent ID")
         .option("--treasury <pda>", "treasury PDA")
-        .option("--daily-limit <usd>", "daily limit in USD — auto-encrypted via Ika Encrypt", Number)
-        .option("--per-tx-limit <usd>", "per-transaction limit in USD — auto-encrypted via Ika Encrypt", Number)
-        .option("--spent-today <usd>", "current spent-today counter in USD (default: 0) — auto-encrypted", Number)
-        .option("--daily-limit-ciphertext <pubkey>", "use a pre-created daily limit ciphertext account instead")
-        .option("--per-tx-ciphertext <pubkey>", "use a pre-created per-tx limit ciphertext account instead")
-        .option("--spent-today-ciphertext <pubkey>", "use a pre-created spent-today ciphertext account instead")
+        .option("--daily-limit <usd>", "daily limit in USD", Number)
+        .option("--per-tx-limit <usd>", "per-transaction limit in USD", Number)
+        .option("--spent-today <usd>", "current spent-today counter in USD (default 0)", Number)
+        .option("--daily-limit-ciphertext <pubkey>", "use a pre-created daily limit ciphertext")
+        .option("--per-tx-ciphertext <pubkey>", "use a pre-created per-tx limit ciphertext")
+        .option("--spent-today-ciphertext <pubkey>", "use a pre-created spent-today ciphertext")
         .action(async function confidentialGuardrailsScalar() {
         const ctx = buildCliContext(this);
-        if (!ctx.wallet) {
-            throw new Error("A wallet is required to configure guardrails.");
-        }
+        const wallet = requireWallet(ctx);
         const options = this.opts();
         const treasuryState = await resolveTreasuryAccount(ctx, {
-            agentId: typeof options["agentId"] === "string" ? options["agentId"] : undefined,
-            treasury: typeof options["treasury"] === "string" ? options["treasury"] : undefined,
+            agentId: typeof options.agentId === "string" ? options.agentId : undefined,
+            treasury: typeof options.treasury === "string" ? options.treasury : undefined,
         });
-        const existing = treasuryState.account.confidentialGuardrails;
+        const usingPreCreated = typeof options.dailyLimitCiphertext === "string" &&
+            typeof options.perTxCiphertext === "string" &&
+            typeof options.spentTodayCiphertext === "string";
         let dailyLimitCiphertext;
         let perTxLimitCiphertext;
         let spentTodayCiphertext;
-        // If pre-created ciphertext pubkeys are provided, use them directly.
-        // Otherwise encrypt the plaintext values via the Ika Encrypt gRPC.
-        if (typeof options["dailyLimitCiphertext"] === "string" &&
-            typeof options["perTxCiphertext"] === "string" &&
-            typeof options["spentTodayCiphertext"] === "string") {
-            dailyLimitCiphertext = parsePublicKey(options["dailyLimitCiphertext"], "Daily limit ciphertext");
-            perTxLimitCiphertext = parsePublicKey(options["perTxCiphertext"], "Per-tx limit ciphertext");
-            spentTodayCiphertext = parsePublicKey(options["spentTodayCiphertext"], "Spent-today ciphertext");
+        if (usingPreCreated) {
+            dailyLimitCiphertext = parsePublicKey(options.dailyLimitCiphertext, "daily-limit-ciphertext");
+            perTxLimitCiphertext = parsePublicKey(options.perTxCiphertext, "per-tx-ciphertext");
+            spentTodayCiphertext = parsePublicKey(options.spentTodayCiphertext, "spent-today-ciphertext");
         }
         else {
-            // Prompt for plaintext values and auto-encrypt
-            const dailyLimit = await promptNumber(typeof options["dailyLimit"] === "number" ? options["dailyLimit"] : undefined, "Daily limit (USD)", { validate: (v) => { if (v <= 0)
-                    throw new Error("Must be > 0"); } });
-            const perTxLimit = await promptNumber(typeof options["perTxLimit"] === "number" ? options["perTxLimit"] : undefined, "Per-transaction limit (USD)", { validate: (v) => { if (v <= 0)
-                    throw new Error("Must be > 0"); } });
-            const spentToday = typeof options["spentToday"] === "number" ? options["spentToday"] : 0;
+            const dailyLimit = await promptNumber(typeof options.dailyLimit === "number"
+                ? options.dailyLimit
+                : undefined, "Daily limit (USD)", {
+                validate: (v) => {
+                    if (v <= 0)
+                        throw new Error("Must be > 0");
+                },
+            });
+            const perTxLimit = await promptNumber(typeof options.perTxLimit === "number"
+                ? options.perTxLimit
+                : undefined, "Per-transaction limit (USD)", {
+                validate: (v) => {
+                    if (v <= 0)
+                        throw new Error("Must be > 0");
+                },
+            });
+            const spentToday = typeof options.spentToday === "number" ? options.spentToday : 0;
             if (ctx.dryRun) {
-                emitJson(ctx.output, {
-                    action: "confidential.guardrails.scalar",
-                    treasury: treasuryState.treasury,
-                    note: "dry-run: would encrypt dailyLimit, perTxLimit, spentToday via Ika Encrypt gRPC",
-                    values: { dailyLimit, perTxLimit, spentToday },
-                });
+                printNote(ctx.output, `Dry run: would encrypt daily=$${dailyLimit}, per-tx=$${perTxLimit}, spent=$${spentToday} via Ika Encrypt, then configure scalar guardrails.`);
                 return;
             }
             const spinner = startSpinner(ctx.output, "Encrypting guardrail values via Ika Encrypt...");
@@ -144,64 +137,33 @@ export function registerConfidentialCommands(program) {
                 waitForCiphertextVerified(ctx.connection, perTx),
                 waitForCiphertextVerified(ctx.connection, spent),
             ]);
+            spinner.succeed("Ciphertexts verified");
             dailyLimitCiphertext = daily;
             perTxLimitCiphertext = perTx;
             spentTodayCiphertext = spent;
-            spinner.setText("Configuring scalar guardrails...");
-            const now = Math.floor(Date.now() / 1000);
-            const signature = await ctx.client.configureConfidentialGuardrails(ctx.wallet, {
-                owner: ctx.wallet.publicKey,
+        }
+        const instruction = await instructions.confidential.configureConfidentialGuardrails(ctx.client, {
+            accounts: {
+                owner: wallet.publicKey,
                 treasury: treasuryState.treasury,
                 dailyLimitCiphertext,
                 perTxLimitCiphertext,
                 spentTodayCiphertext,
-            }, now);
-            spinner.succeed("Scalar guardrails configured");
-            if (ctx.output.json) {
-                emitJson(ctx.output, {
-                    treasury: treasuryState.treasury,
-                    signature,
-                    dailyLimitCiphertext,
-                    perTxLimitCiphertext,
-                    spentTodayCiphertext,
-                });
-                return;
-            }
-            printSuccess(ctx.output, `Scalar guardrails configured: ${signature}`);
-            return;
-        }
-        // Pre-created ciphertext path
-        const now = Math.floor(Date.now() / 1000);
-        if (ctx.dryRun) {
-            const instruction = await ctx.client.configureConfidentialGuardrailsInstruction({
-                owner: ctx.wallet.publicKey,
+            },
+            args: { now: nowBn() },
+        });
+        await runInstructions(ctx, [instruction], {
+            action: "Configure scalar guardrails",
+            instructionName: "configure_confidential_guardrails",
+            result: {
                 treasury: treasuryState.treasury,
                 dailyLimitCiphertext,
                 perTxLimitCiphertext,
                 spentTodayCiphertext,
-            }, now);
-            emitJson(ctx.output, {
-                action: "confidential.guardrails.scalar",
-                treasury: treasuryState.treasury,
-                instruction: serializeInstruction(instruction),
-            });
-            return;
-        }
-        const spinner = startSpinner(ctx.output, "Configuring scalar guardrails...");
-        const signature = await ctx.client.configureConfidentialGuardrails(ctx.wallet, {
-            owner: ctx.wallet.publicKey,
-            treasury: treasuryState.treasury,
-            dailyLimitCiphertext,
-            perTxLimitCiphertext,
-            spentTodayCiphertext,
-        }, now);
-        spinner.succeed("Scalar guardrails configured");
-        if (ctx.output.json) {
-            emitJson(ctx.output, { treasury: treasuryState.treasury, signature });
-            return;
-        }
-        printSuccess(ctx.output, `Scalar guardrails configured: ${signature}`);
+            },
+        });
     });
+    // --- status ----------------------------------------------------------
     confidential
         .command("status")
         .description("Show confidential guardrails and pending confidential state")
@@ -211,8 +173,8 @@ export function registerConfidentialCommands(program) {
         const ctx = buildCliContext(this);
         const options = this.opts();
         const treasuryState = await resolveTreasuryAccount(ctx, {
-            agentId: typeof options["agentId"] === "string" ? options["agentId"] : undefined,
-            treasury: typeof options["treasury"] === "string" ? options["treasury"] : undefined,
+            agentId: typeof options.agentId === "string" ? options.agentId : undefined,
+            treasury: typeof options.treasury === "string" ? options.treasury : undefined,
         });
         const sections = renderTreasurySections(treasuryState.treasury, treasuryState.account);
         if (ctx.output.json) {
@@ -224,17 +186,14 @@ export function registerConfidentialCommands(program) {
             return;
         }
         printBanner(ctx.output, `Confidential: ${treasuryState.account.agentId}`);
-        if (sections.confidential) {
-            console.log(sections.confidential);
-        }
-        else {
-            console.log("No confidential guardrails configured.");
-        }
+        console.log(sections.confidential ??
+            style.muted("No confidential guardrails configured."));
         if (sections.pending) {
             console.log("");
             console.log(sections.pending);
         }
     });
+    // --- propose ---------------------------------------------------------
     confidential
         .command("propose")
         .description("Propose a confidential scalar transaction")
@@ -249,199 +208,214 @@ export function registerConfidentialCommands(program) {
         .option("--actual-output <usd>", "actual output in USD", Number)
         .option("--quote-age <secs>", "quote age in seconds", Number)
         .option("--counterparty-risk <score>", "counterparty risk score", Number)
-        .option("--amount-ciphertext <pubkey>", "use a pre-created verified Encrypt ciphertext instead of auto-encrypting")
-        .option("--policy-output-keypair <path>", "optional keypair path for the output ciphertext")
+        .option("--amount-ciphertext <pubkey>", "use a pre-created verified Encrypt ciphertext")
+        .option("--policy-output-keypair <path>", "keypair path for the output ciphertext account")
         .option("--wait", "wait until the policy output ciphertext is verified")
         .action(async function confidentialPropose() {
         const ctx = buildCliContext(this);
-        if (!ctx.wallet) {
-            throw new Error("A wallet is required to submit a confidential proposal.");
-        }
+        const wallet = requireWallet(ctx);
         const options = this.opts();
         const treasuryState = await resolveTreasuryAccount(ctx, {
-            agentId: typeof options["agentId"] === "string" ? options["agentId"] : undefined,
-            treasury: typeof options["treasury"] === "string" ? options["treasury"] : undefined,
+            agentId: typeof options.agentId === "string" ? options.agentId : undefined,
+            treasury: typeof options.treasury === "string" ? options.treasury : undefined,
         });
         const guardrails = resolveScalarGuardrails(treasuryState.account);
-        const amountUsd = await promptNumber(typeof options["amount"] === "number" ? options["amount"] : undefined, "Amount (USD)", { validate: (value) => { if (value <= 0)
-                throw new Error("Amount must be > 0"); } });
-        const chain = await promptChain(typeof options["chain"] === "string" || typeof options["chain"] === "number"
-            ? options["chain"]
+        const amountUsd = await promptNumber(typeof options.amount === "number" ? options.amount : undefined, "Amount (USD)", {
+            validate: (v) => {
+                if (v <= 0)
+                    throw new Error("Amount must be > 0");
+            },
+        });
+        const chain = await promptChain(typeof options.chain === "string" || typeof options.chain === "number"
+            ? options.chain
             : undefined, "Chain");
-        const recipient = await promptString(typeof options["recipient"] === "string" ? options["recipient"] : undefined, "Recipient");
-        const txType = await promptTransactionType(typeof options["txType"] === "string" || typeof options["txType"] === "number"
-            ? options["txType"]
+        const recipient = await promptString(typeof options.recipient === "string" ? options.recipient : undefined, "Recipient");
+        const txType = await promptTransactionType(typeof options.txType === "string" || typeof options.txType === "number"
+            ? options.txType
             : undefined, "Transaction type");
         const args = buildProposeConfidentialArgs({
             amountUsd,
             chain,
             txType,
             recipient,
-            protocolId: typeof options["protocolId"] === "number" ? options["protocolId"] : undefined,
-            expectedOutputUsd: typeof options["expectedOutput"] === "number" ? options["expectedOutput"] : undefined,
-            actualOutputUsd: typeof options["actualOutput"] === "number" ? options["actualOutput"] : undefined,
-            quoteAgeSecs: typeof options["quoteAge"] === "number" ? options["quoteAge"] : undefined,
-            counterpartyRiskScore: typeof options["counterpartyRisk"] === "number"
-                ? options["counterpartyRisk"]
+            protocolId: typeof options.protocolId === "number"
+                ? options.protocolId
+                : undefined,
+            expectedOutputUsd: typeof options.expectedOutput === "number"
+                ? options.expectedOutput
+                : undefined,
+            actualOutputUsd: typeof options.actualOutput === "number"
+                ? options.actualOutput
+                : undefined,
+            quoteAgeSecs: typeof options.quoteAge === "number" ? options.quoteAge : undefined,
+            counterpartyRiskScore: typeof options.counterpartyRisk === "number"
+                ? options.counterpartyRisk
                 : undefined,
-        });
-        const policyOutputSigner = buildDryRunKeypair(typeof options["policyOutputKeypair"] === "string"
-            ? options["policyOutputKeypair"]
-            : undefined, loadKeypair);
-        const encryptAccounts = deriveEncryptAccounts(ctx.wallet.publicKey, {
-            auraProgramId: ctx.programId,
         });
         if (ctx.dryRun) {
-            emitJson(ctx.output, {
-                action: "confidential.propose",
-                treasury: treasuryState.treasury,
-                policyOutputCiphertext: policyOutputSigner.publicKey,
-                encryptAccounts,
-                args,
-                note: typeof options["amountCiphertext"] === "string"
-                    ? "using pre-created amount ciphertext"
-                    : "would auto-encrypt amount via Ika Encrypt gRPC",
-            });
+            printNote(ctx.output, "Dry run: would ensure an Encrypt deposit, encrypt the amount via Ika, then submit propose_confidential_transaction.");
+            if (ctx.output.json) {
+                emitJson(ctx.output, {
+                    action: "confidential.propose",
+                    treasury: treasuryState.treasury,
+                    args,
+                });
+            }
             return;
         }
+        const policyOutputSigner = buildDryRunKeypair(typeof options.policyOutputKeypair === "string"
+            ? options.policyOutputKeypair
+            : undefined, loadKeypair);
+        const encryptAccounts = deriveEncryptAccounts(wallet.publicKey, {
+            auraProgramId: ctx.programId,
+        });
         const spinner = startSpinner(ctx.output, "Ensuring Encrypt deposit account...");
         await ensureEncryptDeposit({
             connection: ctx.connection,
-            payer: ctx.wallet,
+            payer: wallet,
             auraProgramId: ctx.programId,
         });
-        // Resolve the amount ciphertext — auto-encrypt if not provided
         let amountCiphertext;
-        if (typeof options["amountCiphertext"] === "string") {
-            amountCiphertext = parsePublicKey(options["amountCiphertext"], "Amount ciphertext");
+        if (typeof options.amountCiphertext === "string") {
+            amountCiphertext = parsePublicKey(options.amountCiphertext, "amount-ciphertext");
         }
         else {
-            spinner.setText(`Encrypting amount (${amountUsd} USD) via Ika Encrypt...`);
+            spinner.setText(`Encrypting amount ($${amountUsd}) via Ika Encrypt...`);
             amountCiphertext = await encryptU64(amountUsd, ctx.programId);
             spinner.setText("Waiting for amount ciphertext to be verified on-chain...");
             await waitForCiphertextVerified(ctx.connection, amountCiphertext);
         }
-        const instruction = await ctx.client.proposeConfidentialTransactionInstruction({
-            aiAuthority: ctx.wallet.publicKey,
-            treasury: treasuryState.treasury,
-            dailyLimitCiphertext: guardrails.dailyLimitCiphertext,
-            perTxLimitCiphertext: guardrails.perTxLimitCiphertext,
-            spentTodayCiphertext: guardrails.spentTodayCiphertext,
-            amountCiphertext,
-            policyOutputCiphertext: policyOutputSigner.publicKey,
-            encryptProgram: encryptAccounts.encryptProgram,
-            config: encryptAccounts.config,
-            deposit: encryptAccounts.deposit,
-            callerProgram: ctx.programId,
-            cpiAuthority: encryptAccounts.cpiAuthority,
-            networkEncryptionKey: encryptAccounts.networkEncryptionKey,
-            eventAuthority: encryptAccounts.eventAuthority,
-            systemProgram: SystemProgram.programId,
-        }, args);
+        spinner.succeed("Amount ciphertext ready");
+        const instruction = await instructions.confidential.proposeConfidentialTransaction(ctx.client, {
+            accounts: {
+                aiAuthority: wallet.publicKey,
+                treasury: treasuryState.treasury,
+                dailyLimitCiphertext: guardrails.dailyLimitCiphertext,
+                perTxLimitCiphertext: guardrails.perTxLimitCiphertext,
+                spentTodayCiphertext: guardrails.spentTodayCiphertext,
+                amountCiphertext,
+                policyOutputCiphertext: policyOutputSigner.publicKey,
+                encryptProgram: encryptAccounts.encryptProgram,
+                config: encryptAccounts.config,
+                deposit: encryptAccounts.deposit,
+                callerProgram: ctx.programId,
+                cpiAuthority: encryptAccounts.cpiAuthority,
+                networkEncryptionKey: encryptAccounts.networkEncryptionKey,
+                eventAuthority: encryptAccounts.eventAuthority,
+                externalLiveness: null,
+                weeklyLimitCiphertext: null,
+                weeklySpentCiphertext: null,
+                confidentialGuardrails: null,
+                systemProgram: SystemProgram.programId,
+            },
+            args,
+        });
+        // The freshly created output ciphertext account must sign its own creation.
         markInstructionSigner(instruction, policyOutputSigner.publicKey);
-        spinner.setText("Submitting confidential proposal...");
-        const signature = await sendPreparedInstruction({
-            ctx,
-            instruction,
+        const outcome = await runInstructions(ctx, [instruction], {
+            action: "Propose confidential transaction",
+            instructionName: "propose_confidential_transaction",
             extraSigners: [policyOutputSigner],
-        });
-        if (options["wait"] === true) {
-            spinner.setText("Waiting for output ciphertext verification...");
-            await waitForCiphertextVerified(ctx.connection, policyOutputSigner.publicKey);
-        }
-        spinner.succeed("Confidential proposal submitted");
-        if (ctx.output.json) {
-            emitJson(ctx.output, {
+            computeUnits: 1_400_000,
+            heapFrameBytes: 256 * 1024,
+            summary: [
+                ["amount ct", amountCiphertext.toBase58()],
+                ["output ct", policyOutputSigner.publicKey.toBase58()],
+            ],
+            result: {
                 treasury: treasuryState.treasury,
-                signature,
                 amountCiphertext,
                 policyOutputCiphertext: policyOutputSigner.publicKey,
-            });
-            return;
+            },
+        });
+        if (outcome.signature && options.wait === true) {
+            const waitSpinner = startSpinner(ctx.output, "Waiting for output ciphertext verification...");
+            await waitForCiphertextVerified(ctx.connection, policyOutputSigner.publicKey);
+            waitSpinner.succeed("Output ciphertext verified");
         }
-        printSuccess(ctx.output, `Confidential proposal submitted: ${signature}\n  amount ciphertext: ${amountCiphertext.toBase58()}\n  output ciphertext: ${policyOutputSigner.publicKey.toBase58()}`);
     });
+    // --- request-decryption ---------------------------------------------
     confidential
         .command("request-decryption")
         .description("Request Encrypt decryption for the pending policy output")
         .option("--agent-id <id>", "treasury agent ID")
         .option("--treasury <pda>", "treasury PDA")
         .option("--ciphertext <pubkey>", "override the pending policy output ciphertext")
-        .option("--request-keypair <path>", "optional keypair path for the decryption request account")
+        .option("--request-keypair <path>", "keypair path for the decryption request account")
         .option("--wait", "wait until the plaintext is ready on-chain")
         .action(async function confidentialRequestDecryption() {
         const ctx = buildCliContext(this);
-        if (!ctx.wallet) {
-            throw new Error("A wallet is required to request policy decryption.");
-        }
+        const wallet = requireWallet(ctx);
         const options = this.opts();
         const treasuryState = await resolveTreasuryAccount(ctx, {
-            agentId: typeof options["agentId"] === "string" ? options["agentId"] : undefined,
-            treasury: typeof options["treasury"] === "string" ? options["treasury"] : undefined,
+            agentId: typeof options.agentId === "string" ? options.agentId : undefined,
+            treasury: typeof options.treasury === "string" ? options.treasury : undefined,
         });
-        const ciphertext = typeof options["ciphertext"] === "string"
-            ? parsePublicKey(options["ciphertext"], "Ciphertext")
+        const ciphertext = typeof options.ciphertext === "string"
+            ? parsePublicKey(options.ciphertext, "ciphertext")
             : resolvePendingPolicyOutput(treasuryState.account);
-        const requestSigner = buildDryRunKeypair(typeof options["requestKeypair"] === "string"
-            ? options["requestKeypair"]
-            : undefined, loadKeypair);
-        const encryptAccounts = deriveEncryptAccounts(ctx.wallet.publicKey, {
-            auraProgramId: ctx.programId,
-        });
-        const now = Math.floor(Date.now() / 1000);
-        const instruction = await ctx.client.requestPolicyDecryptionInstruction({
-            operator: ctx.wallet.publicKey,
-            treasury: treasuryState.treasury,
-            requestAccount: requestSigner.publicKey,
-            ciphertext,
-            encryptProgram: encryptAccounts.encryptProgram,
-            config: encryptAccounts.config,
-            deposit: encryptAccounts.deposit,
-            callerProgram: ctx.programId,
-            cpiAuthority: encryptAccounts.cpiAuthority,
-            networkEncryptionKey: encryptAccounts.networkEncryptionKey,
-            eventAuthority: encryptAccounts.eventAuthority,
-            systemProgram: SystemProgram.programId,
-        }, now);
-        markInstructionSigner(instruction, requestSigner.publicKey);
         if (ctx.dryRun) {
-            emitJson(ctx.output, {
-                action: "confidential.request-decryption",
-                treasury: treasuryState.treasury,
-                ciphertext,
-                requestAccount: requestSigner.publicKey,
-                instruction: serializeInstruction(instruction),
-            });
+            printNote(ctx.output, "Dry run: would ensure an Encrypt deposit and submit request_policy_decryption.");
+            if (ctx.output.json) {
+                emitJson(ctx.output, {
+                    action: "confidential.request-decryption",
+                    treasury: treasuryState.treasury,
+                    ciphertext,
+                });
+            }
             return;
         }
+        const requestSigner = buildDryRunKeypair(typeof options.requestKeypair === "string"
+            ? options.requestKeypair
+            : undefined, loadKeypair);
+        const encryptAccounts = deriveEncryptAccounts(wallet.publicKey, {
+            auraProgramId: ctx.programId,
+        });
         const spinner = startSpinner(ctx.output, "Ensuring Encrypt deposit account...");
-        const depositResult = await ensureEncryptDeposit({
+        await ensureEncryptDeposit({
             connection: ctx.connection,
-            payer: ctx.wallet,
+            payer: wallet,
             auraProgramId: ctx.programId,
         });
-        spinner.setText("Submitting decryption request...");
-        const signature = await sendPreparedInstruction({
-            ctx,
-            instruction,
-            extraSigners: [requestSigner],
+        spinner.succeed("Encrypt deposit ready");
+        const instruction = await instructions.confidential.requestPolicyDecryption(ctx.client, {
+            accounts: {
+                operator: wallet.publicKey,
+                treasury: treasuryState.treasury,
+                requestAccount: requestSigner.publicKey,
+                ciphertext,
+                encryptProgram: encryptAccounts.encryptProgram,
+                config: encryptAccounts.config,
+                deposit: encryptAccounts.deposit,
+                callerProgram: ctx.programId,
+                cpiAuthority: encryptAccounts.cpiAuthority,
+                networkEncryptionKey: encryptAccounts.networkEncryptionKey,
+                eventAuthority: encryptAccounts.eventAuthority,
+                confidentialGuardrails: null,
+                systemProgram: SystemProgram.programId,
+            },
+            args: { now: nowBn(), currentEpochId: new BN(0) },
         });
-        if (options["wait"] === true) {
-            spinner.setText("Waiting for decrypted plaintext...");
-            await waitForDecryptionReady(ctx.connection, requestSigner.publicKey);
-        }
-        spinner.succeed("Policy decryption requested");
-        if (ctx.output.json) {
-            emitJson(ctx.output, {
+        markInstructionSigner(instruction, requestSigner.publicKey);
+        const outcome = await runInstructions(ctx, [instruction], {
+            action: "Request policy decryption",
+            instructionName: "request_policy_decryption",
+            extraSigners: [requestSigner],
+            computeUnits: 1_400_000,
+            heapFrameBytes: 256 * 1024,
+            summary: [["request", requestSigner.publicKey.toBase58()]],
+            result: {
                 treasury: treasuryState.treasury,
-                signature,
                 requestAccount: requestSigner.publicKey,
-                deposit: depositResult,
-            });
-            return;
+            },
+        });
+        if (outcome.signature && options.wait === true) {
+            const waitSpinner = startSpinner(ctx.output, "Waiting for decrypted plaintext...");
+            await waitForDecryptionReady(ctx.connection, requestSigner.publicKey);
+            waitSpinner.succeed("Plaintext ready");
         }
-        printSuccess(ctx.output, `Policy decryption requested: ${signature} (request ${requestSigner.publicKey.toBase58()})`);
     });
+    // --- confirm-decryption ---------------------------------------------
     confidential
         .command("confirm-decryption")
         .description("Confirm a completed policy decryption request on-chain")
@@ -450,70 +424,51 @@ export function registerConfidentialCommands(program) {
         .option("--request-account <pubkey>", "override the pending decryption request account")
         .action(async function confidentialConfirmDecryption() {
         const ctx = buildCliContext(this);
-        if (!ctx.wallet) {
-            throw new Error("A wallet is required to confirm policy decryption.");
-        }
+        const wallet = requireWallet(ctx);
         const options = this.opts();
         const treasuryState = await resolveTreasuryAccount(ctx, {
-            agentId: typeof options["agentId"] === "string" ? options["agentId"] : undefined,
-            treasury: typeof options["treasury"] === "string" ? options["treasury"] : undefined,
+            agentId: typeof options.agentId === "string" ? options.agentId : undefined,
+            treasury: typeof options.treasury === "string" ? options.treasury : undefined,
         });
-        const requestAccount = typeof options["requestAccount"] === "string"
-            ? parsePublicKey(options["requestAccount"], "Request account")
+        const requestAccount = typeof options.requestAccount === "string"
+            ? parsePublicKey(options.requestAccount, "request-account")
             : resolvePendingRequestAccount(treasuryState.account);
-        const now = Math.floor(Date.now() / 1000);
-        if (ctx.dryRun) {
-            const instruction = await ctx.client.confirmPolicyDecryptionInstruction({
-                operator: ctx.wallet.publicKey,
-                treasury: treasuryState.treasury,
-                requestAccount,
-            }, now);
-            emitJson(ctx.output, {
-                action: "confidential.confirm-decryption",
+        const instruction = await instructions.confidential.confirmPolicyDecryption(ctx.client, {
+            accounts: {
+                operator: wallet.publicKey,
                 treasury: treasuryState.treasury,
                 requestAccount,
-                instruction: serializeInstruction(instruction),
-            });
-            return;
-        }
-        const spinner = startSpinner(ctx.output, "Confirming policy decryption...");
-        const instruction = await ctx.client.confirmPolicyDecryptionInstruction({
-            operator: ctx.wallet.publicKey,
-            treasury: treasuryState.treasury,
-            requestAccount,
-        }, now);
-        const signature = await sendPreparedInstruction({ ctx, instruction });
-        // Read the decrypted scalar violation code for display. The on-chain
-        // treasury remains the source of truth if the read is unavailable.
-        let violationCode = null;
-        try {
-            spinner.setText("Reading decrypted policy result from Encrypt network...");
-            const policyOutput = resolvePendingPolicyOutput(treasuryState.account);
-            violationCode = await readU64Ciphertext(policyOutput, ctx.wallet.publicKey);
-        }
-        catch {
-            // Non-fatal — the on-chain state is the source of truth
-        }
-        spinner.succeed("Policy decryption confirmed");
-        const refreshed = await ctx.client.getTreasuryAccount(treasuryState.treasury);
-        const decision = getActivePendingProposal(refreshed)?.decision;
-        if (ctx.output.json) {
-            emitJson(ctx.output, {
-                treasury: treasuryState.treasury,
-                requestAccount,
-                signature,
-                approved: decision?.approved ?? null,
-                violation: decision?.violation ?? null,
-                violationCode: violationCode !== null ? violationCode.toString() : null,
-            });
-            return;
+                confidentialGuardrails: null,
+            },
+            args: { now: nowBn(), currentEpochId: new BN(0) },
+        });
+        const outcome = await runInstructions(ctx, [instruction], {
+            action: "Confirm policy decryption",
+            instructionName: "confirm_policy_decryption",
+            summary: [["request", requestAccount.toBase58()]],
+            result: { treasury: treasuryState.treasury, requestAccount },
+        });
+        if (outcome.signature && !ctx.output.json) {
+            let violationCode = null;
+            try {
+                violationCode = await readU64Ciphertext(resolvePendingPolicyOutput(treasuryState.account), wallet.publicKey);
+            }
+            catch {
+                // Non-fatal — on-chain state remains the source of truth.
+            }
+            try {
+                const refreshed = await accounts.fetchTreasuryAccount(ctx.client, treasuryState.treasury);
+                const decision = getActivePendingProposal(refreshed)?.decision;
+                if (decision) {
+                    printInfo(ctx.output, decision.approved
+                        ? style.success("result: approved")
+                        : style.danger(`result: denied — violation code ${violationCode ?? decision.violation}`));
+                }
+            }
+            catch {
+                // Non-fatal.
+            }
         }
-        const resultLine = decision
-            ? decision.approved
-                ? "approved ✓"
-                : `denied — violation code ${violationCode ?? decision.violation}`
-            : "";
-        printSuccess(ctx.output, `Policy decryption confirmed: ${signature}${resultLine ? `\n  result: ${resultLine}` : ""}`);
     });
 }
 //# sourceMappingURL=confidential.js.map