@cavos/cli 0.0.1

package/dist/cli.js

@@ -0,0 +1,1918 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/cli.ts
+var import_commander = require("commander");
+
+// src/CavosAgent.ts
+var import_starknet7 = require("starknet");
+
+// src/core/SessionKeyManager.ts
+var import_starknet3 = require("starknet");
+
+// src/utils/crypto.ts
+var import_crypto = require("crypto");
+function getRandomBytes(length) {
+  return new Uint8Array((0, import_crypto.randomBytes)(length));
+}
+function randomFieldElement() {
+  const bytes = getRandomBytes(32);
+  const hex = Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return BigInt("0x" + hex) % 2n ** 251n;
+}
+
+// src/utils/encoding.ts
+var import_starknet = require("starknet");
+function base64UrlToBase64(base64url) {
+  return base64url.replace(/-/g, "+").replace(/_/g, "/").padEnd(base64url.length + (4 - base64url.length % 4) % 4, "=");
+}
+function base64UrlToBytes(base64url) {
+  const base64 = base64UrlToBase64(base64url);
+  const buf = Buffer.from(base64, "base64");
+  return new Uint8Array(buf);
+}
+function bytesToU128Limbs(bytes) {
+  const limbs = [];
+  for (let i = 15; i >= 0; i--) {
+    let limb = 0n;
+    for (let j = 0; j < 16; j++) {
+      const byteIdx = i * 16 + j;
+      if (byteIdx < bytes.length) {
+        limb = limb * 256n + BigInt(bytes[byteIdx]);
+      }
+    }
+    limbs.push(import_starknet.num.toHex(limb));
+  }
+  return limbs;
+}
+function subToFelt(sub) {
+  try {
+    const subBigInt = BigInt(sub);
+    if (subBigInt < 2n ** 251n) {
+      return import_starknet.num.toHex(subBigInt);
+    }
+  } catch {
+  }
+  return stringToFelt(sub);
+}
+function stringToFelt(str) {
+  const bytes = Buffer.from(str, "utf-8");
+  let result = 0n;
+  for (let i = 0; i < bytes.length && i < 31; i++) {
+    result = result * 256n + BigInt(bytes[i]);
+  }
+  return import_starknet.num.toHex(result);
+}
+function parseJWT(jwt) {
+  const parts = jwt.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format");
+  }
+  const payload = JSON.parse(Buffer.from(base64UrlToBase64(parts[1]), "base64").toString("utf-8"));
+  return {
+    sub: payload.sub,
+    nonce: payload.nonce,
+    exp: payload.exp,
+    iss: payload.iss,
+    aud: Array.isArray(payload.aud) ? payload.aud[0] : payload.aud
+  };
+}
+function extractKidFromJwt(jwt) {
+  const parts = jwt.split(".");
+  const header = JSON.parse(Buffer.from(base64UrlToBase64(parts[0]), "base64").toString("utf-8"));
+  return header.kid || "";
+}
+function findClaimOffsets(jwt) {
+  const parts = jwt.split(".");
+  const headerJson = JSON.parse(Buffer.from(base64UrlToBase64(parts[0]), "base64").toString("utf-8"));
+  const payloadJson = JSON.parse(Buffer.from(base64UrlToBase64(parts[1]), "base64").toString("utf-8"));
+  const subValue = payloadJson.sub || "";
+  const nonceValue = payloadJson.nonce || "";
+  const kidValue = headerJson.kid || "";
+  const decodedPayload = Buffer.from(base64UrlToBase64(parts[1]), "base64").toString("utf-8");
+  const decodedHeader = Buffer.from(base64UrlToBase64(parts[0]), "base64").toString("utf-8");
+  const findClaimValueOffset = (decoded, key, value) => {
+    const exactPattern = `"${key}":"${value}"`;
+    let idx = decoded.indexOf(exactPattern);
+    if (idx >= 0) return idx + key.length + 4;
+    const spacedPattern = `"${key}": "${value}"`;
+    idx = decoded.indexOf(spacedPattern);
+    if (idx >= 0) return idx + key.length + 5;
+    const keyPattern = `"${key}"`;
+    idx = decoded.indexOf(keyPattern);
+    if (idx >= 0) {
+      const colonIdx = decoded.indexOf(":", idx + key.length + 2);
+      if (colonIdx >= 0) {
+        const valueQuoteIdx = decoded.indexOf('"', colonIdx + 1);
+        if (valueQuoteIdx >= 0) return valueQuoteIdx + 1;
+      }
+    }
+    return -1;
+  };
+  const subValueStart = findClaimValueOffset(decodedPayload, "sub", subValue);
+  if (subValueStart < 0) throw new Error("Failed to find sub claim in JWT payload");
+  const nonceValueStart = findClaimValueOffset(decodedPayload, "nonce", nonceValue);
+  if (nonceValueStart < 0) throw new Error("Failed to find nonce claim in JWT payload");
+  const kidValueStart = findClaimValueOffset(decodedHeader, "kid", kidValue);
+  if (kidValueStart < 0) throw new Error("Failed to find kid claim in JWT header");
+  return {
+    sub_offset: subValueStart,
+    sub_len: subValue.length,
+    nonce_offset: nonceValueStart,
+    nonce_len: nonceValue.length,
+    kid_offset: kidValueStart,
+    kid_len: kidValue.length
+  };
+}
+
+// src/core/MerkleTree.ts
+var import_starknet2 = require("starknet");
+function computeMerkleRoot(contracts) {
+  if (contracts.length === 0) return "0x0";
+  let leaves = contracts.map(
+    (c) => import_starknet2.hash.computePoseidonHashOnElements([import_starknet2.num.toHex(c)])
+  );
+  leaves.sort((a, b) => {
+    const aBig = BigInt(a);
+    const bBig = BigInt(b);
+    if (aBig < bBig) return -1;
+    if (aBig > bBig) return 1;
+    return 0;
+  });
+  while (leaves.length > 1) {
+    const nextLevel = [];
+    for (let i = 0; i < leaves.length; i += 2) {
+      if (i + 1 < leaves.length) {
+        const left = leaves[i];
+        const right = leaves[i + 1];
+        const leftBig = BigInt(left);
+        const rightBig = BigInt(right);
+        if (leftBig < rightBig) {
+          nextLevel.push(import_starknet2.hash.computePoseidonHashOnElements([left, right]));
+        } else {
+          nextLevel.push(import_starknet2.hash.computePoseidonHashOnElements([right, left]));
+        }
+      } else {
+        nextLevel.push(leaves[i]);
+      }
+    }
+    leaves = nextLevel;
+  }
+  return leaves[0];
+}
+function computeMerkleProof(contracts, targetContract) {
+  if (contracts.length === 0) return [];
+  let leaves = contracts.map(
+    (c) => import_starknet2.hash.computePoseidonHashOnElements([import_starknet2.num.toHex(c)])
+  );
+  leaves.sort((a, b) => {
+    const aBig = BigInt(a);
+    const bBig = BigInt(b);
+    if (aBig < bBig) return -1;
+    if (aBig > bBig) return 1;
+    return 0;
+  });
+  const targetLeaf = import_starknet2.hash.computePoseidonHashOnElements([import_starknet2.num.toHex(targetContract)]);
+  let targetIdx = leaves.indexOf(targetLeaf);
+  if (targetIdx === -1) return [];
+  const proof = [];
+  let currentLevel = [...leaves];
+  while (currentLevel.length > 1) {
+    const nextLevel = [];
+    let nextTargetIdx = -1;
+    for (let i = 0; i < currentLevel.length; i += 2) {
+      if (i + 1 < currentLevel.length) {
+        const left = currentLevel[i];
+        const right = currentLevel[i + 1];
+        if (i === targetIdx || i + 1 === targetIdx) {
+          proof.push(i === targetIdx ? right : left);
+          nextTargetIdx = Math.floor(i / 2);
+        }
+        const leftBig = BigInt(left);
+        const rightBig = BigInt(right);
+        if (leftBig < rightBig) {
+          nextLevel.push(import_starknet2.hash.computePoseidonHashOnElements([left, right]));
+        } else {
+          nextLevel.push(import_starknet2.hash.computePoseidonHashOnElements([right, left]));
+        }
+      } else {
+        if (i === targetIdx) {
+          nextTargetIdx = Math.floor(i / 2);
+        }
+        nextLevel.push(currentLevel[i]);
+      }
+    }
+    currentLevel = nextLevel;
+    targetIdx = nextTargetIdx;
+  }
+  return proof;
+}
+
+// src/utils/constants.ts
+var OAUTH_JWT_V1_MAGIC = "0x4f415554485f4a57545f5631";
+var SESSION_V1_MAGIC = "0x53455353494f4e5f5631";
+var STARK_CURVE_ORDER = BigInt("0x800000000000010ffffffffffffffffb781126dcae7b2321e66a241adc64d2f");
+var TOKENS_SEPOLIA = {
+  STRK: "0x04718f5a0Fc34cC1AF16A1cdee98fFB20C31f5cD61D6Ab07201858f4287c938D",
+  ETH: "0x049d36570d4e46f48e99674bd3fcc84644ddd6b96f7c741b1562b82f9e004dc7"
+};
+var TOKENS_MAINNET = {
+  STRK: "0x04718f5a0Fc34cC1AF16A1cdee98fFB20C31f5cD61D6Ab07201858f4287c938D",
+  ETH: "0x049d36570d4e46f48e99674bd3fcc84644ddd6b96f7c741b1562b82f9e004dc7"
+};
+var DEFAULT_RPC = {
+  mainnet: "https://starknet-mainnet.g.alchemy.com/starknet/version/rpc/v0_10/dql5pMT88iueZWl7L0yzT56uVk0EBU4L",
+  sepolia: "https://starknet-sepolia.g.alchemy.com/starknet/version/rpc/v0_10/dql5pMT88iueZWl7L0yzT56uVk0EBU4L"
+};
+var DEFAULT_OAUTH_CONFIG_SEPOLIA = {
+  jwksRegistryAddress: "0x05a19f14719dec9e27eb2aa38c5b68277bdb5c41570e548504722f737a3da6c6",
+  cavosAccountClassHash: "0x40f4075372d7b9b964910755dcdf96935280c8b675272f656b2d43d1ae4bbf4"
+};
+var DEFAULT_OAUTH_CONFIG_MAINNET = {
+  jwksRegistryAddress: "0x07787f624d6869ae306dc17b49174b284dbadd1e999c1c8733ce72eb7ac518c2",
+  cavosAccountClassHash: "0x40f4075372d7b9b964910755dcdf96935280c8b675272f656b2d43d1ae4bbf4"
+};
+var DEFAULT_BACKEND_URL = "https://cavos.xyz";
+var DEFAULT_PAYMASTER_KEY = "c37c52b7-ea5a-4426-8121-329a78354b0b";
+
+// src/core/SessionKeyManager.ts
+function generateSessionKeyPair() {
+  const randomBytes2 = getRandomBytes(32);
+  let pk = BigInt("0x" + Array.from(randomBytes2).map((b) => b.toString(16).padStart(2, "0")).join(""));
+  pk = pk % (STARK_CURVE_ORDER - 1n) + 1n;
+  const privateKey = "0x" + pk.toString(16);
+  const publicKey = import_starknet3.ec.starkCurve.getStarkKey(privateKey);
+  return { privateKey, publicKey };
+}
+function buildSessionSignature(transactionHash, sessionPrivateKey, sessionPubKey, calls, policy2) {
+  const signature = import_starknet3.ec.starkCurve.sign(transactionHash, sessionPrivateKey);
+  const sig = [
+    SESSION_V1_MAGIC,
+    import_starknet3.num.toHex(signature.r),
+    import_starknet3.num.toHex(signature.s),
+    sessionPubKey
+  ];
+  if (calls && policy2?.allowedContracts?.length) {
+    for (const call of calls) {
+      const proof = computeMerkleProof(policy2.allowedContracts, call.contractAddress);
+      sig.push(import_starknet3.num.toHex(proof.length));
+      sig.push(...proof);
+    }
+  }
+  return sig;
+}
+async function buildJWTSignatureData(transactionHash, session2, salt, backendUrl) {
+  const { jwt, sessionPrivateKey, sessionPubKey, nonceParams, jwtClaims } = session2;
+  const signature = import_starknet3.ec.starkCurve.sign(transactionHash, sessionPrivateKey);
+  const jwtParts = jwt.split(".");
+  const rsaSignature = base64UrlToBytes(jwtParts[2]);
+  const rsaLimbs = bytesToU128Limbs(rsaSignature);
+  const signedData = `${jwtParts[0]}.${jwtParts[1]}`;
+  const signedDataBytes = Buffer.from(signedData, "utf-8");
+  const offsets = findClaimOffsets(jwt);
+  const jwt_sub_felt = subToFelt(jwtClaims.sub);
+  const salt_hex = import_starknet3.num.toHex(salt);
+  const packedBytes = [];
+  const PACK_SIZE = 31;
+  for (let i = 0; i < signedDataBytes.length; i += PACK_SIZE) {
+    let chunk = 0n;
+    const end = Math.min(i + PACK_SIZE, signedDataBytes.length);
+    for (let j = i; j < end; j++) {
+      chunk = chunk * 256n + BigInt(signedDataBytes[j]);
+    }
+    packedBytes.push(import_starknet3.num.toHex(chunk));
+  }
+  const kid = extractKidFromJwt(jwt);
+  const iss = jwtClaims.iss;
+  const modulusLimbs = await fetchModulusForKid(kid, iss, backendUrl);
+  const { n_prime, r_sq } = calculateMontgomeryConstants(modulusLimbs);
+  const sig = [
+    OAUTH_JWT_V1_MAGIC,
+    import_starknet3.num.toHex(signature.r),
+    import_starknet3.num.toHex(signature.s),
+    sessionPubKey,
+    import_starknet3.num.toHex(nonceParams.validUntil),
+    import_starknet3.num.toHex(nonceParams.randomness),
+    jwt_sub_felt,
+    session2.nonce,
+    import_starknet3.num.toHex(jwtClaims.exp),
+    stringToFelt(kid),
+    stringToFelt(jwtClaims.iss),
+    stringToFelt(jwtClaims.aud),
+    salt_hex,
+    import_starknet3.num.toHex(offsets.sub_offset),
+    import_starknet3.num.toHex(offsets.sub_len),
+    import_starknet3.num.toHex(offsets.nonce_offset),
+    import_starknet3.num.toHex(offsets.nonce_len),
+    import_starknet3.num.toHex(offsets.kid_offset),
+    import_starknet3.num.toHex(offsets.kid_len),
+    import_starknet3.num.toHex(16),
+    ...rsaLimbs,
+    import_starknet3.num.toHex(16),
+    ...n_prime,
+    import_starknet3.num.toHex(16),
+    ...r_sq,
+    import_starknet3.num.toHex(signedDataBytes.length),
+    ...packedBytes
+  ];
+  sig.push(import_starknet3.num.toHex(nonceParams.validAfter));
+  const policy2 = session2.sessionPolicy;
+  if (policy2) {
+    const merkleRoot = policy2.allowedContracts.length > 0 ? computeMerkleRoot(policy2.allowedContracts) : "0x0";
+    sig.push(merkleRoot);
+    sig.push(import_starknet3.num.toHex(policy2.maxCallsPerTx));
+    sig.push(import_starknet3.num.toHex(policy2.spendingLimits.length));
+    for (const limit of policy2.spendingLimits) {
+      sig.push(import_starknet3.num.toHex(limit.token));
+      const limitBig = BigInt(limit.limit);
+      sig.push(import_starknet3.num.toHex(limitBig & (1n << 128n) - 1n));
+      sig.push(import_starknet3.num.toHex(limitBig >> 128n));
+    }
+  } else {
+    sig.push("0x0");
+    sig.push(import_starknet3.num.toHex(10));
+    sig.push(import_starknet3.num.toHex(0));
+  }
+  return sig;
+}
+async function fetchModulusForKid(kid, issuer, backendUrl) {
+  let jwksUrl = "https://www.googleapis.com/oauth2/v3/certs";
+  if (issuer === "https://appleid.apple.com") {
+    jwksUrl = "https://appleid.apple.com/auth/keys";
+  } else if (issuer === "https://cavos.app/firebase") {
+    jwksUrl = `${backendUrl}/api/jwks/firebase`;
+  }
+  const response = await fetch(jwksUrl);
+  const data = await response.json();
+  const jwks = data.jwks || data;
+  if (!jwks.keys || !Array.isArray(jwks.keys)) {
+    throw new Error(`Invalid JWKS response from ${jwksUrl}`);
+  }
+  const key = jwks.keys.find((k) => k.kid === kid);
+  if (!key || !key.n) {
+    throw new Error(`Key not found for kid: ${kid}`);
+  }
+  const modulusBytes = base64UrlToBytes(key.n);
+  const limbs = bytesToU128Limbs(modulusBytes);
+  return limbs.map((l) => BigInt(l));
+}
+function calculateMontgomeryConstants(n_limbs) {
+  let n = 0n;
+  for (let i = 0; i < n_limbs.length; i++) {
+    n += n_limbs[i] * (1n << BigInt(i) * 128n);
+  }
+  const R = 1n << 2048n;
+  function modInverse(a, mod) {
+    let t = 0n, newt = 1n, r = mod, newr = a;
+    while (newr !== 0n) {
+      const q = r / newr;
+      [t, newt] = [newt, t - q * newt];
+      [r, newr] = [newr, r - q * newr];
+    }
+    if (r > 1n) throw new Error("n is not invertible");
+    if (t < 0n) t += mod;
+    return t;
+  }
+  const n_inv = modInverse(n, R);
+  const n_prime_val = (R - n_inv) % R;
+  const r_sq_val = R * R % n;
+  const toLimbs = (val) => {
+    const limbs = [];
+    for (let i = 0; i < 16; i++) {
+      const limb = val >> BigInt(i) * 128n & (1n << 128n) - 1n;
+      limbs.push(import_starknet3.num.toHex(limb));
+    }
+    return limbs;
+  };
+  return { n_prime: toLimbs(n_prime_val), r_sq: toLimbs(r_sq_val) };
+}
+
+// src/core/NonceManager.ts
+var import_starknet4 = require("starknet");
+function computeNonce(params) {
+  return import_starknet4.hash.computePoseidonHashOnElements([
+    params.sessionPubKey,
+    import_starknet4.num.toHex(params.validUntil),
+    import_starknet4.num.toHex(params.randomness)
+  ]);
+}
+function generateNonceParams(sessionPubKey, currentTimestamp, sessionDurationSeconds = 86400n, renewalGraceSeconds = 172800n) {
+  const randomness = randomFieldElement();
+  return {
+    sessionPubKey,
+    validAfter: currentTimestamp,
+    validUntil: currentTimestamp + sessionDurationSeconds,
+    renewalDeadline: currentTimestamp + renewalGraceSeconds,
+    randomness
+  };
+}
+
+// src/core/AddressSeedManager.ts
+var import_starknet5 = require("starknet");
+function computeAddressSeed(sub, salt, walletName) {
+  const subFeltVal = subToFelt(sub);
+  let saltFelt = import_starknet5.num.toHex(salt);
+  if (walletName) {
+    const nameFelt = stringToFelt(walletName);
+    saltFelt = import_starknet5.hash.computePoseidonHashOnElements([saltFelt, nameFelt]);
+  }
+  return import_starknet5.hash.computePoseidonHashOnElements([subFeltVal, saltFelt]);
+}
+function computeContractAddress(sub, salt, classHash, jwksRegistryAddress, walletName) {
+  const addressSeed = computeAddressSeed(sub, salt, walletName);
+  const constructorCalldata = [addressSeed, jwksRegistryAddress];
+  return import_starknet5.hash.calculateContractAddressFromHash(
+    addressSeed,
+    classHash,
+    constructorCalldata,
+    0
+  );
+}
+
+// src/core/TransactionManager.ts
+var import_starknet6 = require("starknet");
+async function isDeployed(provider, address) {
+  try {
+    const classHash = await provider.getClassHashAt(address, "latest");
+    return !!classHash;
+  } catch {
+    return false;
+  }
+}
+async function getSessionStatus(provider, walletAddress, sessionPubKey) {
+  try {
+    const result = await provider.callContract({
+      contractAddress: walletAddress,
+      entrypoint: "get_session",
+      calldata: [sessionPubKey]
+    }, "latest");
+    const nonce = BigInt(result[0]);
+    const validUntil = BigInt(result[2]);
+    const renewalDeadline = BigInt(result[3]);
+    const registered = nonce !== 0n;
+    if (!registered) {
+      return { registered: false, expired: false, canRenew: false };
+    }
+    const block = await provider.getBlock("latest");
+    const now = BigInt(block.timestamp);
+    const expired = now >= validUntil;
+    const canRenew = expired && now < renewalDeadline;
+    return { registered, expired, canRenew, validUntil, renewalDeadline };
+  } catch {
+    return { registered: false, expired: false, canRenew: false };
+  }
+}
+async function deployAccount(provider, session2, classHash, jwksRegistryAddress, salt, paymasterApiKey, network, backendUrl) {
+  const deployed = await isDeployed(provider, session2.walletAddress);
+  if (deployed) return "already-deployed";
+  const constructorCalldata = [
+    import_starknet6.num.toHex(session2.addressSeed),
+    import_starknet6.num.toHex(jwksRegistryAddress)
+  ];
+  const baseUrl = network === "mainnet" ? "https://starknet.api.avnu.fi" : "https://sepolia.api.avnu.fi";
+  const buildResponse = await fetch(`${baseUrl}/paymaster/v1/build-typed-data`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: session2.walletAddress,
+      calls: [],
+      accountClassHash: classHash,
+      accountCalldata: constructorCalldata
+    })
+  });
+  if (!buildResponse.ok) {
+    const errText = await buildResponse.text();
+    if (errText.includes("already deployed")) return "already-deployed";
+    throw new Error(`Deploy build-typed-data failed: ${errText}`);
+  }
+  const paymasterTypedData = await buildResponse.json();
+  const messageHash = computeTypedDataHash(paymasterTypedData, session2.walletAddress);
+  const signature = await buildJWTSignatureData(messageHash, session2, salt, backendUrl);
+  const executeResponse = await fetch(`${baseUrl}/paymaster/v1/execute`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: session2.walletAddress,
+      typedData: JSON.stringify(paymasterTypedData),
+      signature
+    })
+  });
+  if (!executeResponse.ok) {
+    const errText = await executeResponse.text();
+    if (errText.includes("already deployed")) return "already-deployed";
+    throw new Error(`Deploy execute failed: ${errText}`);
+  }
+  const result = await executeResponse.json();
+  await provider.waitForTransaction(result.transactionHash);
+  return result.transactionHash;
+}
+async function execute(provider, session2, calls, salt, paymasterApiKey, network, backendUrl) {
+  const callsArray = Array.isArray(calls) ? calls : [calls];
+  const status = await getSessionStatus(provider, session2.walletAddress, session2.sessionPubKey);
+  if (!status.registered) {
+    return executeWithAVNU(provider, session2, callsArray, salt, paymasterApiKey, network, backendUrl, true);
+  }
+  if (status.expired && status.canRenew) {
+    throw new Error("SESSION_RENEWABLE: Session expired but can be renewed. Call renewSession() first.");
+  }
+  if (status.expired && !status.canRenew) {
+    throw new Error("SESSION_EXPIRED: Session expired outside grace period. Please login again.");
+  }
+  return executeWithAVNU(provider, session2, callsArray, salt, paymasterApiKey, network, backendUrl, false);
+}
+async function executeWithAVNU(provider, session2, calls, salt, paymasterApiKey, network, backendUrl, forceJWT) {
+  const baseUrl = network === "mainnet" ? "https://starknet.api.avnu.fi" : "https://sepolia.api.avnu.fi";
+  const formattedCalls = calls.map((call) => ({
+    contractAddress: call.contractAddress,
+    entrypoint: call.entrypoint,
+    calldata: call.calldata ? call.calldata.map((c) => import_starknet6.num.toHex(c)) : []
+  }));
+  const buildResponse = await fetch(`${baseUrl}/paymaster/v1/build-typed-data`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: session2.walletAddress,
+      calls: formattedCalls
+    })
+  });
+  if (!buildResponse.ok) {
+    throw new Error(`Build typed data failed: ${await buildResponse.text()}`);
+  }
+  const paymasterTypedData = await buildResponse.json();
+  const messageHash = computeTypedDataHash(paymasterTypedData, session2.walletAddress);
+  const signature = forceJWT ? await buildJWTSignatureData(messageHash, session2, salt, backendUrl) : buildSessionSignature(
+    messageHash,
+    session2.sessionPrivateKey,
+    session2.sessionPubKey,
+    calls.map((c) => ({ contractAddress: c.contractAddress })),
+    session2.sessionPolicy
+  );
+  const executeResponse = await fetch(`${baseUrl}/paymaster/v1/execute`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: session2.walletAddress,
+      typedData: JSON.stringify(paymasterTypedData),
+      signature
+    })
+  });
+  if (!executeResponse.ok) {
+    const errorText = await executeResponse.text();
+    if (errorText.includes("Session expired")) {
+      throw new Error("SESSION_EXPIRED: Session has expired. Call renewSession() first.");
+    }
+    throw new Error(`Execute failed: ${errorText}`);
+  }
+  const result = await executeResponse.json();
+  return result.transactionHash;
+}
+async function renewSession(provider, oldSession, newSession, paymasterApiKey, network) {
+  const policy2 = newSession.sessionPolicy;
+  const allowedContractsRoot = policy2?.allowedContracts?.length ? computeMerkleRoot(policy2.allowedContracts) : "0x0";
+  const maxCallsPerTx = policy2?.maxCallsPerTx ?? 10;
+  const message = import_starknet6.hash.computePoseidonHashOnElements([
+    newSession.sessionPubKey,
+    newSession.nonce,
+    import_starknet6.num.toHex(newSession.nonceParams.validAfter),
+    import_starknet6.num.toHex(newSession.nonceParams.validUntil),
+    import_starknet6.num.toHex(newSession.nonceParams.renewalDeadline),
+    allowedContractsRoot,
+    import_starknet6.num.toHex(maxCallsPerTx)
+  ]);
+  const oldSignature = import_starknet6.ec.starkCurve.sign(message, oldSession.sessionPrivateKey);
+  const spendingCalldata = [];
+  if (policy2?.spendingLimits?.length) {
+    spendingCalldata.push(import_starknet6.num.toHex(policy2.spendingLimits.length));
+    for (const limit of policy2.spendingLimits) {
+      spendingCalldata.push(import_starknet6.num.toHex(limit.token));
+      const limitBig = BigInt(limit.limit);
+      spendingCalldata.push(import_starknet6.num.toHex(limitBig & (1n << 128n) - 1n));
+      spendingCalldata.push(import_starknet6.num.toHex(limitBig >> 128n));
+    }
+  } else {
+    spendingCalldata.push(import_starknet6.num.toHex(0));
+  }
+  const renewCall = {
+    contractAddress: oldSession.walletAddress,
+    entrypoint: "renew_session",
+    calldata: [
+      oldSession.sessionPubKey,
+      import_starknet6.num.toHex(oldSignature.r),
+      import_starknet6.num.toHex(oldSignature.s),
+      newSession.sessionPubKey,
+      newSession.nonce,
+      import_starknet6.num.toHex(newSession.nonceParams.validAfter),
+      import_starknet6.num.toHex(newSession.nonceParams.validUntil),
+      import_starknet6.num.toHex(newSession.nonceParams.renewalDeadline),
+      allowedContractsRoot,
+      import_starknet6.num.toHex(maxCallsPerTx),
+      ...spendingCalldata
+    ]
+  };
+  const baseUrl = network === "mainnet" ? "https://starknet.api.avnu.fi" : "https://sepolia.api.avnu.fi";
+  const buildResponse = await fetch(`${baseUrl}/paymaster/v1/build-typed-data`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: oldSession.walletAddress,
+      calls: [{
+        contractAddress: renewCall.contractAddress,
+        entrypoint: renewCall.entrypoint,
+        calldata: renewCall.calldata
+      }]
+    })
+  });
+  if (!buildResponse.ok) {
+    throw new Error(`Renew build-typed-data failed: ${await buildResponse.text()}`);
+  }
+  const paymasterTypedData = await buildResponse.json();
+  const messageHash = computeTypedDataHash(paymasterTypedData, oldSession.walletAddress);
+  const signature = buildSessionSignature(
+    messageHash,
+    oldSession.sessionPrivateKey,
+    oldSession.sessionPubKey
+  );
+  const executeResponse = await fetch(`${baseUrl}/paymaster/v1/execute`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: oldSession.walletAddress,
+      typedData: JSON.stringify(paymasterTypedData),
+      signature
+    })
+  });
+  if (!executeResponse.ok) {
+    const errorText = await executeResponse.text();
+    if (errorText.includes("Renewal period expired")) {
+      throw new Error("Grace period expired. Please login again.");
+    }
+    throw new Error(`Renew session failed: ${errorText}`);
+  }
+  const result = await executeResponse.json();
+  return result.transactionHash;
+}
+async function revokeSession(provider, session2, sessionKeyToRevoke, salt, paymasterApiKey, network, backendUrl) {
+  const revokeCall = {
+    contractAddress: session2.walletAddress,
+    entrypoint: "revoke_session",
+    calldata: [sessionKeyToRevoke]
+  };
+  return execute(provider, session2, [revokeCall], salt, paymasterApiKey, network, backendUrl);
+}
+async function emergencyRevokeAllSessions(provider, session2, salt, paymasterApiKey, network, backendUrl) {
+  const revokeCall = {
+    contractAddress: session2.walletAddress,
+    entrypoint: "emergency_revoke",
+    calldata: []
+  };
+  return execute(provider, session2, [revokeCall], salt, paymasterApiKey, network, backendUrl);
+}
+async function getBalance(provider, tokenAddress, walletAddress) {
+  const result = await provider.callContract({
+    contractAddress: tokenAddress,
+    entrypoint: "balanceOf",
+    calldata: [walletAddress]
+  });
+  const low = BigInt(result[0]);
+  const high = BigInt(result[1]);
+  return low + (high << 128n);
+}
+function computeTypedDataHash(paymasterTypedData, address) {
+  return import_starknet6.typedData.getMessageHash(paymasterTypedData, address);
+}
+
+// src/auth/FirebaseAuth.ts
+async function firebaseLogin(backendUrl, appId, email, password, nonce) {
+  const response = await fetch(`${backendUrl}/api/oauth/firebase/login`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ email, password, nonce, app_id: appId })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ error: "Login failed" }));
+    if (error.error === "email_not_verified") {
+      throw new Error("Email not verified. Please verify your email on agent.cavos.xyz first.");
+    }
+    throw new Error(error.error || "Login failed");
+  }
+  const { jwt } = await response.json();
+  const claims = parseJWT(jwt);
+  if (claims.nonce !== nonce) {
+    throw new Error("JWT nonce mismatch. Possible replay attack.");
+  }
+  return { jwt, claims };
+}
+async function validateApp(backendUrl, appId, network) {
+  try {
+    const response = await fetch(
+      `${backendUrl}/api/apps/${appId}/validate?network=${network}`
+    );
+    if (!response.ok) return { allowed: true };
+    const result = await response.json();
+    return { allowed: result.allowed !== false, appSalt: result.app_salt };
+  } catch {
+    return { allowed: true };
+  }
+}
+
+// src/storage/FileStorage.ts
+var fs = __toESM(require("fs"));
+var path = __toESM(require("path"));
+var os = __toESM(require("os"));
+var CAVOS_DIR = path.join(os.homedir(), ".cavos");
+var SESSIONS_DIR = path.join(CAVOS_DIR, "sessions");
+var CONFIG_FILE = path.join(CAVOS_DIR, "config.json");
+function ensureDir(dir) {
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+}
+function saveSession(appId, session2) {
+  ensureDir(SESSIONS_DIR);
+  const stored = {
+    sessionPrivateKey: session2.sessionPrivateKey,
+    sessionPubKey: session2.sessionPubKey,
+    nonceParams: {
+      sessionPubKey: session2.nonceParams.sessionPubKey,
+      validAfter: session2.nonceParams.validAfter.toString(),
+      validUntil: session2.nonceParams.validUntil.toString(),
+      renewalDeadline: session2.nonceParams.renewalDeadline.toString(),
+      randomness: session2.nonceParams.randomness.toString()
+    },
+    nonce: session2.nonce,
+    jwt: session2.jwt,
+    jwtClaims: session2.jwtClaims,
+    walletAddress: session2.walletAddress,
+    addressSeed: session2.addressSeed,
+    sessionPolicy: session2.sessionPolicy ? {
+      spendingLimits: session2.sessionPolicy.spendingLimits.map((sl) => ({
+        token: sl.token,
+        limit: sl.limit.toString()
+      })),
+      allowedContracts: session2.sessionPolicy.allowedContracts,
+      maxCallsPerTx: session2.sessionPolicy.maxCallsPerTx
+    } : void 0,
+    appSalt: session2.appSalt,
+    walletName: session2.walletName
+  };
+  const filePath = path.join(SESSIONS_DIR, `${appId}.json`);
+  fs.writeFileSync(filePath, JSON.stringify(stored, null, 2), { mode: 384 });
+}
+function loadSession(appId) {
+  const filePath = path.join(SESSIONS_DIR, `${appId}.json`);
+  if (!fs.existsSync(filePath)) return null;
+  try {
+    const stored = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+    return {
+      sessionPrivateKey: stored.sessionPrivateKey,
+      sessionPubKey: stored.sessionPubKey,
+      nonceParams: {
+        sessionPubKey: stored.nonceParams.sessionPubKey,
+        validAfter: BigInt(stored.nonceParams.validAfter),
+        validUntil: BigInt(stored.nonceParams.validUntil),
+        renewalDeadline: BigInt(stored.nonceParams.renewalDeadline),
+        randomness: BigInt(stored.nonceParams.randomness)
+      },
+      nonce: stored.nonce,
+      jwt: stored.jwt,
+      jwtClaims: stored.jwtClaims,
+      walletAddress: stored.walletAddress,
+      addressSeed: stored.addressSeed,
+      sessionPolicy: stored.sessionPolicy ? {
+        spendingLimits: stored.sessionPolicy.spendingLimits.map((sl) => ({
+          token: sl.token,
+          limit: BigInt(sl.limit)
+        })),
+        allowedContracts: stored.sessionPolicy.allowedContracts,
+        maxCallsPerTx: stored.sessionPolicy.maxCallsPerTx
+      } : void 0,
+      appSalt: stored.appSalt,
+      walletName: stored.walletName
+    };
+  } catch {
+    return null;
+  }
+}
+function deleteSession(appId) {
+  const filePath = path.join(SESSIONS_DIR, `${appId}.json`);
+  if (fs.existsSync(filePath)) {
+    fs.unlinkSync(filePath);
+  }
+}
+var POLICY_FILE = path.join(CAVOS_DIR, "policy.json");
+function loadPolicy() {
+  if (!fs.existsSync(POLICY_FILE)) return void 0;
+  try {
+    const stored = JSON.parse(fs.readFileSync(POLICY_FILE, "utf-8"));
+    return {
+      spendingLimits: (stored.spendingLimits || []).map((sl) => ({
+        token: sl.token,
+        limit: BigInt(sl.limit)
+      })),
+      allowedContracts: stored.allowedContracts || [],
+      maxCallsPerTx: stored.maxCallsPerTx || 10
+    };
+  } catch {
+    return void 0;
+  }
+}
+function savePolicy(policy2) {
+  ensureDir(CAVOS_DIR);
+  const stored = {
+    spendingLimits: policy2.spendingLimits.map((sl) => ({
+      token: sl.token,
+      limit: sl.limit.toString()
+    })),
+    allowedContracts: policy2.allowedContracts,
+    maxCallsPerTx: policy2.maxCallsPerTx
+  };
+  fs.writeFileSync(POLICY_FILE, JSON.stringify(stored, null, 2), { mode: 384 });
+}
+function saveConfig(config) {
+  ensureDir(CAVOS_DIR);
+  const existing = loadConfig();
+  const merged = { ...existing, ...config };
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2), { mode: 384 });
+}
+function loadConfig() {
+  if (!fs.existsSync(CONFIG_FILE)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+
+// src/CavosAgent.ts
+var CavosAgent = class {
+  constructor(config) {
+    this.session = null;
+    this.appSalt = null;
+    const network = config.network ?? "sepolia";
+    const backendUrl = config.backendUrl ?? DEFAULT_BACKEND_URL;
+    const rpcUrl = config.starknetRpcUrl ?? DEFAULT_RPC[network];
+    this.config = { ...config, network, backendUrl };
+    this.provider = new import_starknet7.RpcProvider({ nodeUrl: rpcUrl });
+    const envToken = process.env.CAVOS_TOKEN || process.env.CAVOS_SESSION_TOKEN;
+    if (envToken) {
+      try {
+        const sessionData = JSON.parse(Buffer.from(envToken, "base64").toString());
+        this.session = sessionData;
+        this.appSalt = sessionData.appSalt ?? null;
+      } catch (e) {
+        console.warn(`[CavosAgent] Failed to parse session token: ${e}`);
+      }
+    } else {
+      this.restoreSession();
+    }
+  }
+  // ============ Auth ============
+  /**
+   * Login with Firebase email/password.
+   * Generates session keys, authenticates, and persists the session.
+   */
+  async login(email, password, walletName) {
+    const { appId, network, backendUrl } = this.config;
+    const { allowed, appSalt } = await validateApp(backendUrl, appId, network);
+    if (!allowed) {
+      throw new Error("App not allowed or subscription limit reached.");
+    }
+    this.appSalt = appSalt ?? "0x0";
+    const { privateKey, publicKey } = generateSessionKeyPair();
+    const now = BigInt(Math.floor(Date.now() / 1e3));
+    const duration = BigInt(this.config.sessionDuration ?? 86400);
+    const grace = BigInt(this.config.renewalGracePeriod ?? 172800);
+    const nonceParams = generateNonceParams(publicKey, now, duration, grace);
+    const nonce = computeNonce(nonceParams);
+    const { jwt, claims } = await firebaseLogin(backendUrl, appId, email, password, nonce);
+    const oauthConfig = network === "mainnet" ? DEFAULT_OAUTH_CONFIG_MAINNET : DEFAULT_OAUTH_CONFIG_SEPOLIA;
+    const addressSeed = computeAddressSeed(claims.sub, this.appSalt, walletName);
+    const walletAddress = computeContractAddress(
+      claims.sub,
+      this.appSalt,
+      oauthConfig.cavosAccountClassHash,
+      oauthConfig.jwksRegistryAddress,
+      walletName
+    );
+    this.session = {
+      jwt,
+      sessionPrivateKey: privateKey,
+      sessionPubKey: publicKey,
+      nonce,
+      nonceParams,
+      jwtClaims: claims,
+      walletAddress,
+      addressSeed,
+      appSalt: this.appSalt,
+      sessionPolicy: this.config.policy,
+      walletName
+    };
+    saveSession(appId, this.session);
+    saveConfig({ defaultAppId: appId, network });
+  }
+  /**
+   * Login using a pre-existing JWT token.
+   * Useful for non-interactive agents or CI/CD.
+   */
+  async loginWithJWT(jwt, walletName) {
+    const { appId, network, backendUrl } = this.config;
+    const { allowed, appSalt } = await validateApp(backendUrl, appId, network);
+    if (!allowed) {
+      throw new Error("App not allowed or subscription limit reached.");
+    }
+    this.appSalt = appSalt ?? "0x0";
+    const claims = parseJWT(jwt);
+    const { privateKey, publicKey } = generateSessionKeyPair();
+    const now = BigInt(Math.floor(Date.now() / 1e3));
+    const duration = BigInt(this.config.sessionDuration ?? 86400);
+    const grace = BigInt(this.config.renewalGracePeriod ?? 172800);
+    const nonceParams = generateNonceParams(publicKey, now, duration, grace);
+    const nonce = computeNonce(nonceParams);
+    const oauthConfig = network === "mainnet" ? DEFAULT_OAUTH_CONFIG_MAINNET : DEFAULT_OAUTH_CONFIG_SEPOLIA;
+    const addressSeed = computeAddressSeed(claims.sub, this.appSalt, walletName);
+    const walletAddress = computeContractAddress(
+      claims.sub,
+      this.appSalt,
+      oauthConfig.cavosAccountClassHash,
+      oauthConfig.jwksRegistryAddress,
+      walletName
+    );
+    this.session = {
+      jwt,
+      sessionPrivateKey: privateKey,
+      sessionPubKey: publicKey,
+      nonce,
+      nonceParams,
+      jwtClaims: claims,
+      walletAddress,
+      addressSeed,
+      appSalt: this.appSalt,
+      sessionPolicy: this.config.policy,
+      walletName
+    };
+    saveSession(appId, this.session);
+    saveConfig({ defaultAppId: appId, network });
+  }
+  /**
+   * Check if the agent has a valid session.
+   */
+  isAuthenticated() {
+    return this.session !== null;
+  }
+  /**
+   * Get the wallet address.
+   */
+  getAddress() {
+    return this.session?.walletAddress ?? null;
+  }
+  /**
+   * Logout — clear the persisted session.
+   */
+  logout() {
+    deleteSession(this.config.appId);
+    this.session = null;
+    this.appSalt = null;
+  }
+  // ============ Transactions ============
+  /**
+   * Execute one or more calls via paymaster.
+   * Handles session registration automatically on first call.
+   */
+  async execute(calls) {
+    this.ensureSession();
+    return execute(
+      this.provider,
+      this.session,
+      calls,
+      this.getSalt(),
+      this.getPaymasterKey(),
+      this.config.network,
+      this.config.backendUrl
+    );
+  }
+  /**
+   * Transfer ERC-20 tokens.
+   */
+  async transfer(tokenAddress, to, amount) {
+    const low = import_starknet7.num.toHex(amount & (1n << 128n) - 1n);
+    const high = import_starknet7.num.toHex(amount >> 128n);
+    return this.execute({
+      contractAddress: tokenAddress,
+      entrypoint: "transfer",
+      calldata: [to, low, high]
+    });
+  }
+  /**
+   * Approve ERC-20 spending.
+   */
+  async approve(tokenAddress, spender, amount) {
+    const low = import_starknet7.num.toHex(amount & (1n << 128n) - 1n);
+    const high = import_starknet7.num.toHex(amount >> 128n);
+    return this.execute({
+      contractAddress: tokenAddress,
+      entrypoint: "approve",
+      calldata: [spender, low, high]
+    });
+  }
+  /**
+   * Deploy the account contract.
+   */
+  async deploy() {
+    this.ensureSession();
+    const oauthConfig = this.config.network === "mainnet" ? DEFAULT_OAUTH_CONFIG_MAINNET : DEFAULT_OAUTH_CONFIG_SEPOLIA;
+    return deployAccount(
+      this.provider,
+      this.session,
+      oauthConfig.cavosAccountClassHash,
+      oauthConfig.jwksRegistryAddress,
+      this.getSalt(),
+      this.getPaymasterKey(),
+      this.config.network,
+      this.config.backendUrl
+    );
+  }
+  // ============ Queries ============
+  /**
+   * Get ERC-20 balance.
+   */
+  async getBalance(tokenAddress) {
+    this.ensureSession();
+    const tokens = this.config.network === "mainnet" ? TOKENS_MAINNET : TOKENS_SEPOLIA;
+    const token = tokenAddress ?? tokens.STRK;
+    return getBalance(this.provider, token, this.session.walletAddress);
+  }
+  /**
+   * Check if the account is deployed.
+   */
+  async isDeployed() {
+    this.ensureSession();
+    return isDeployed(this.provider, this.session.walletAddress);
+  }
+  /**
+   * Get on-chain session status.
+   */
+  async getSessionStatus() {
+    this.ensureSession();
+    return getSessionStatus(this.provider, this.session.walletAddress, this.session.sessionPubKey);
+  }
+  // ============ Session Management ============
+  /**
+   * Renew the current session (if in grace period).
+   */
+  async renewSession() {
+    this.ensureSession();
+    const oldSession = this.session;
+    const { privateKey, publicKey } = generateSessionKeyPair();
+    const now = BigInt(Math.floor(Date.now() / 1e3));
+    const duration = BigInt(this.config.sessionDuration ?? 86400);
+    const grace = BigInt(this.config.renewalGracePeriod ?? 172800);
+    const nonceParams = generateNonceParams(publicKey, now, duration, grace);
+    const nonce = computeNonce(nonceParams);
+    const txHash = await renewSession(
+      this.provider,
+      oldSession,
+      { sessionPubKey: publicKey, nonce, nonceParams, sessionPolicy: this.config.policy },
+      this.getPaymasterKey(),
+      this.config.network
+    );
+    this.session = {
+      ...oldSession,
+      sessionPrivateKey: privateKey,
+      sessionPubKey: publicKey,
+      nonce,
+      nonceParams,
+      sessionPolicy: this.config.policy
+    };
+    saveSession(this.config.appId, this.session);
+    return txHash;
+  }
+  /**
+   * Revoke a specific session key (defaults to current).
+   */
+  async revokeSession(sessionKey) {
+    this.ensureSession();
+    const keyToRevoke = sessionKey ?? this.session.sessionPubKey;
+    return revokeSession(
+      this.provider,
+      this.session,
+      keyToRevoke,
+      this.getSalt(),
+      this.getPaymasterKey(),
+      this.config.network,
+      this.config.backendUrl
+    );
+  }
+  /**
+   * Emergency revoke all sessions.
+   */
+  async emergencyRevokeAll() {
+    this.ensureSession();
+    return emergencyRevokeAllSessions(
+      this.provider,
+      this.session,
+      this.getSalt(),
+      this.getPaymasterKey(),
+      this.config.network,
+      this.config.backendUrl
+    );
+  }
+  // ============ Internals ============
+  ensureSession() {
+    if (!this.session) {
+      throw new Error("Not authenticated. Call login() first.");
+    }
+  }
+  getSalt() {
+    return this.appSalt ?? "0x0";
+  }
+  getPaymasterKey() {
+    return this.config.paymasterApiKey ?? DEFAULT_PAYMASTER_KEY;
+  }
+  restoreSession() {
+    const stored = loadSession(this.config.appId);
+    if (!stored) return;
+    this.session = {
+      jwt: stored.jwt ?? "",
+      sessionPrivateKey: stored.sessionPrivateKey,
+      sessionPubKey: stored.sessionPubKey,
+      nonce: stored.nonce,
+      nonceParams: stored.nonceParams,
+      jwtClaims: stored.jwtClaims ?? { sub: "", nonce: "", exp: 0, iss: "", aud: "" },
+      walletAddress: stored.walletAddress ?? "",
+      addressSeed: stored.addressSeed ?? "",
+      sessionPolicy: stored.sessionPolicy,
+      appSalt: stored.appSalt,
+      walletName: stored.walletName
+    };
+    this.appSalt = stored.appSalt ?? null;
+  }
+};
+
+// src/utils/tools.json
+var tools_default = [
+  {
+    type: "function",
+    function: {
+      name: "cavos_whoami",
+      description: "Show current session info: wallet address, deployment status, and on-chain session validity. Call this first to confirm the agent is authenticated and ready.",
+      parameters: {
+        type: "object",
+        properties: {}
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_balance",
+      description: "Show token balance for the current wallet. Returns ETH and STRK balances by default, or a specific token if provided. Always check balance before attempting a transfer.",
+      parameters: {
+        type: "object",
+        properties: {
+          token: {
+            type: "string",
+            description: "Token symbol (STRK, ETH) or full contract address. Omit to show both ETH and STRK."
+          }
+        }
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_transfer",
+      description: "Transfer ERC-20 tokens to another Starknet address. Amounts are in human-readable units (e.g. '1.5' for 1.5 STRK). The session must be active on-chain. Verify balance first.",
+      parameters: {
+        type: "object",
+        properties: {
+          to: {
+            type: "string",
+            description: "Recipient Starknet address (hex, e.g. 0x...)"
+          },
+          amount: {
+            type: "string",
+            description: "Amount in human-readable units (e.g. '1.5', '0.01')"
+          },
+          token: {
+            type: "string",
+            description: "Token symbol (STRK, ETH) or contract address. Defaults to STRK.",
+            default: "STRK"
+          }
+        },
+        required: [
+          "to",
+          "amount"
+        ]
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_approve",
+      description: "Approve a spender contract to spend up to a specified amount of tokens on behalf of the wallet. Required before interacting with DeFi protocols.",
+      parameters: {
+        type: "object",
+        properties: {
+          spender: {
+            type: "string",
+            description: "Starknet address of the contract being approved to spend tokens"
+          },
+          amount: {
+            type: "string",
+            description: "Maximum amount to approve in human-readable units (e.g. '100')"
+          },
+          token: {
+            type: "string",
+            description: "Token symbol (STRK, ETH) or contract address. Defaults to STRK.",
+            default: "STRK"
+          }
+        },
+        required: [
+          "spender",
+          "amount"
+        ]
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_execute",
+      description: "Execute an arbitrary contract call on Starknet. Use this for any contract interaction not covered by transfer or approve. Calldata values are comma-separated hex or decimal strings.",
+      parameters: {
+        type: "object",
+        properties: {
+          contract: {
+            type: "string",
+            description: "Target contract address (hex)"
+          },
+          entrypoint: {
+            type: "string",
+            description: "Name of the function/entrypoint to call (e.g. 'swap', 'deposit')"
+          },
+          calldata: {
+            type: "string",
+            description: "Comma-separated calldata values (hex or decimal). Omit if the function takes no arguments."
+          }
+        },
+        required: [
+          "contract",
+          "entrypoint"
+        ]
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_session_status",
+      description: "Show on-chain session status for the current session key: whether it is registered, active, expired, or renewable. Use this to diagnose transaction failures.",
+      parameters: {
+        type: "object",
+        properties: {}
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_multicall",
+      description: "Execute multiple contract calls atomically in a single transaction. All calls succeed or all fail together. Use this instead of calling cavos_execute multiple times when you need to batch operations (e.g., approve + swap in one tx). More efficient and safer than sequential calls.",
+      parameters: {
+        type: "object",
+        properties: {
+          calls: {
+            type: "array",
+            description: "Array of contract calls to execute atomically",
+            items: {
+              type: "object",
+              properties: {
+                contract: {
+                  type: "string",
+                  description: "Target contract address (hex)"
+                },
+                entrypoint: {
+                  type: "string",
+                  description: "Name of the function/entrypoint to call"
+                },
+                calldata: {
+                  type: "string",
+                  description: "Comma-separated calldata values (hex or decimal). Omit if the function takes no arguments."
+                }
+              },
+              required: [
+                "contract",
+                "entrypoint"
+              ]
+            },
+            minItems: 2
+          }
+        },
+        required: [
+          "calls"
+        ]
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_policy_show",
+      description: "Show the local spending policy: allowed contracts and per-token spending limits. The agent will refuse transactions that violate this policy.",
+      parameters: {
+        type: "object",
+        properties: {}
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_call",
+      description: "Execute a read-only contract call on Starknet. Use this to query state (e.g. balance, allowance, owner) without spending gas.",
+      parameters: {
+        type: "object",
+        properties: {
+          contract: {
+            type: "string",
+            description: "Target contract address (hex)"
+          },
+          entrypoint: {
+            type: "string",
+            description: "Name of the view function to call"
+          },
+          calldata: {
+            type: "string",
+            description: "Comma-separated arguments or JSON array string"
+          }
+        },
+        required: [
+          "contract",
+          "entrypoint"
+        ]
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_simulate",
+      description: "Simulate a transaction execution to check for errors and gas usage before sending it. Highly recommended for complex interactions.",
+      parameters: {
+        type: "object",
+        properties: {
+          contract: {
+            type: "string",
+            description: "Target contract address (hex)"
+          },
+          entrypoint: {
+            type: "string",
+            description: "Name of the function to simulate"
+          },
+          calldata: {
+            type: "string",
+            description: "Comma-separated arguments or JSON array string"
+          }
+        },
+        required: [
+          "contract",
+          "entrypoint"
+        ]
+      }
+    }
+  },
+  {
+    type: "function",
+    function: {
+      name: "cavos_estimate",
+      description: "Estimate grid fees for a transaction. Useful for checking if the wallet has enough funds to cover gas.",
+      parameters: {
+        type: "object",
+        properties: {
+          contract: {
+            type: "string",
+            description: "Target contract address (hex)"
+          },
+          entrypoint: {
+            type: "string",
+            description: "Name of the function to estimate"
+          },
+          calldata: {
+            type: "string",
+            description: "Comma-separated arguments or JSON array string"
+          }
+        },
+        required: [
+          "contract",
+          "entrypoint"
+        ]
+      }
+    }
+  }
+];
+
+// src/cli.ts
+var program = new import_commander.Command();
+program.name("cavos").description("Cavos CLI \u2014 AI agent wallet toolkit for Starknet").version("0.1.0");
+var DEFAULT_APP_ID = "0c3ff58a-1968-41c2-b0e0-a5c47309e77d";
+var DEFAULT_NETWORK = "mainnet";
+function getAgent(opts) {
+  const config = loadConfig();
+  const appId = opts.appId || config.defaultAppId || process.env.CAVOS_APP_ID || DEFAULT_APP_ID;
+  const network = opts.network || config.network || process.env.CAVOS_NETWORK || DEFAULT_NETWORK;
+  const policy2 = loadPolicy();
+  return new CavosAgent({ appId, network, policy: policy2 });
+}
+function resolveToken(symbol, network) {
+  if (!symbol) return network === "mainnet" ? TOKENS_MAINNET.STRK : TOKENS_SEPOLIA.STRK;
+  const upper = symbol.toUpperCase();
+  const tokens = network === "mainnet" ? TOKENS_MAINNET : TOKENS_SEPOLIA;
+  if (upper === "STRK") return tokens.STRK;
+  if (upper === "ETH") return tokens.ETH;
+  return symbol;
+}
+function formatBalance(raw, decimals = 18) {
+  const whole = raw / BigInt(10 ** decimals);
+  const remainder = raw % BigInt(10 ** decimals);
+  const fractional = remainder.toString().padStart(decimals, "0").slice(0, 6);
+  return `${whole}.${fractional}`;
+}
+function out(json, data, humanFn) {
+  if (json) {
+    console.log(JSON.stringify(data, null, 2));
+  } else {
+    humanFn();
+  }
+}
+function outError(json, message, code = "Error") {
+  if (json) {
+    console.error(JSON.stringify({ status: "error", error_code: code, message }));
+  } else {
+    console.error(`${code}: ${message}`);
+  }
+  process.exit(1);
+}
+async function waitForTx(agent, txHash, timeoutMs = 12e4) {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const receipt = await agent.provider.getTransactionReceipt(txHash);
+      if (receipt) {
+        const status = receipt.execution_status || receipt.finality_status || receipt.status;
+        if (status === "SUCCEEDED" || status === "ACCEPTED_ON_L2" || status === "ACCEPTED_ON_L1") return;
+        if (status === "REVERTED") throw new Error(`Transaction ${txHash} was reverted`);
+      }
+    } catch (e) {
+      if (e.message?.includes("reverted")) throw e;
+    }
+    await new Promise((r) => setTimeout(r, 3e3));
+  }
+  throw new Error(`Transaction confirmation timeout after ${timeoutMs / 1e3}s`);
+}
+program.command("whoami").description("Show current session info").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    const mode = process.env.CAVOS_TOKEN || process.env.CAVOS_SESSION_TOKEN ? "env" : "disk";
+    if (!agent.isAuthenticated()) {
+      out(opts.json, { status: "unauthenticated", mode }, () => {
+        console.log("Status: Not authenticated.");
+      });
+      return;
+    }
+    const address = agent.getAddress();
+    const deployed = await agent.isDeployed();
+    let sessionInfo = { registered: false };
+    if (deployed) {
+      const s = await agent.getSessionStatus();
+      sessionInfo = {
+        registered: s.registered,
+        expired: s.expired,
+        can_renew: s.canRenew,
+        valid_until: s.validUntil ? new Date(Number(s.validUntil) * 1e3).toISOString() : null,
+        renewal_deadline: s.renewalDeadline ? new Date(Number(s.renewalDeadline) * 1e3).toISOString() : null
+      };
+    }
+    out(opts.json, { status: "ok", mode, address, deployed, session: sessionInfo }, () => {
+      console.log(`Mode:    ${mode}`);
+      console.log(`Address: ${address}`);
+      console.log(`Deployed: ${deployed ? "Yes" : "No"}`);
+      if (deployed) {
+        const s = sessionInfo;
+        console.log(`Session: ${s.registered ? s.expired ? s.can_renew ? "Renewable" : "Expired" : "Active" : "Not registered"}`);
+        if (s.valid_until) console.log(`Valid until: ${s.valid_until}`);
+      }
+    });
+  } catch (err) {
+    outError(opts.json, err.message);
+  }
+});
+program.command("transfer").description("Transfer ERC-20 tokens").requiredOption("--to <address>", "Recipient address").requiredOption("--amount <amount>", "Amount in human-readable units (e.g. 1.5)").option("--token <token>", "Token symbol (STRK, ETH) or address", "STRK").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--wait", "Wait for on-chain confirmation").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    const config = loadConfig();
+    const network = opts.network || config.network || DEFAULT_NETWORK;
+    const tokenAddress = resolveToken(opts.token, network);
+    const amount = BigInt(Math.floor(parseFloat(opts.amount) * 1e18));
+    if (!opts.json) console.log(`Transferring ${opts.amount} ${opts.token} to ${opts.to}...`);
+    const txHash = await agent.transfer(tokenAddress, opts.to, amount);
+    if (opts.wait) {
+      if (!opts.json) console.log("Waiting for confirmation...");
+      await waitForTx(agent, txHash);
+    }
+    const explorerBase = network === "mainnet" ? "https://voyager.online/tx" : "https://sepolia.voyager.online/tx";
+    out(opts.json, { status: "ok", transaction_hash: txHash, explorer: `${explorerBase}/${txHash}` }, () => {
+      console.log(`Transaction: ${txHash}`);
+      console.log(`Explorer:    ${explorerBase}/${txHash}`);
+    });
+  } catch (err) {
+    outError(opts.json, err.message, "TransferFailed");
+  }
+});
+program.command("approve").description("Approve ERC-20 spending").requiredOption("--spender <address>", "Spender address").requiredOption("--amount <amount>", "Amount in human-readable units").option("--token <token>", "Token symbol or address", "STRK").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--wait", "Wait for on-chain confirmation").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    const config = loadConfig();
+    const network = opts.network || config.network || DEFAULT_NETWORK;
+    const tokenAddress = resolveToken(opts.token, network);
+    const amount = BigInt(Math.floor(parseFloat(opts.amount) * 1e18));
+    if (!opts.json) console.log(`Approving ${opts.amount} ${opts.token} for ${opts.spender}...`);
+    const txHash = await agent.approve(tokenAddress, opts.spender, amount);
+    if (opts.wait) {
+      if (!opts.json) console.log("Waiting for confirmation...");
+      await waitForTx(agent, txHash);
+    }
+    const explorerBase = network === "mainnet" ? "https://voyager.online/tx" : "https://sepolia.voyager.online/tx";
+    out(opts.json, { status: "ok", transaction_hash: txHash, explorer: `${explorerBase}/${txHash}` }, () => {
+      console.log(`Transaction: ${txHash}`);
+      console.log(`Explorer:    ${explorerBase}/${txHash}`);
+    });
+  } catch (err) {
+    outError(opts.json, err.message, "ApproveFailed");
+  }
+});
+program.command("execute").description("Execute a raw contract call").requiredOption("--contract <address>", "Contract address").requiredOption("--entrypoint <name>", "Entrypoint name").option("--calldata <data>", "Comma-separated calldata values").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--wait", "Wait for on-chain confirmation").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    const calldata = opts.calldata ? opts.calldata.split(",").map((s) => s.trim()) : [];
+    const config = loadConfig();
+    const network = opts.network || config.network || DEFAULT_NETWORK;
+    if (!opts.json) console.log(`Executing ${opts.entrypoint} on ${opts.contract}...`);
+    const txHash = await agent.execute({ contractAddress: opts.contract, entrypoint: opts.entrypoint, calldata });
+    if (opts.wait) {
+      if (!opts.json) console.log("Waiting for confirmation...");
+      await waitForTx(agent, txHash);
+    }
+    const explorerBase = network === "mainnet" ? "https://voyager.online/tx" : "https://sepolia.voyager.online/tx";
+    out(opts.json, { status: "ok", transaction_hash: txHash, explorer: `${explorerBase}/${txHash}` }, () => {
+      console.log(`Transaction: ${txHash}`);
+      console.log(`Explorer:    ${explorerBase}/${txHash}`);
+    });
+  } catch (err) {
+    outError(opts.json, err.message, "ExecuteFailed");
+  }
+});
+program.command("multicall").description("Execute multiple contract calls in one transaction").requiredOption("--calls <json>", 'JSON array of calls: [{"contractAddress":"0x...","entrypoint":"fn","calldata":["0x..."]}]').option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--wait", "Wait for on-chain confirmation").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    let calls;
+    try {
+      calls = JSON.parse(opts.calls);
+      if (!Array.isArray(calls) || calls.length === 0) throw new Error("calls must be a non-empty JSON array");
+    } catch (e) {
+      outError(opts.json, `Invalid --calls JSON: ${e.message}`, "InvalidInput");
+      return;
+    }
+    const config = loadConfig();
+    const network = opts.network || config.network || DEFAULT_NETWORK;
+    if (!opts.json) console.log(`Executing ${calls.length} calls...`);
+    const txHash = await agent.execute(calls);
+    if (opts.wait) {
+      if (!opts.json) console.log("Waiting for confirmation...");
+      await waitForTx(agent, txHash);
+    }
+    const explorerBase = network === "mainnet" ? "https://voyager.online/tx" : "https://sepolia.voyager.online/tx";
+    out(opts.json, { status: "ok", transaction_hash: txHash, call_count: calls.length, explorer: `${explorerBase}/${txHash}` }, () => {
+      console.log(`Transaction: ${txHash}`);
+      console.log(`Explorer:    ${explorerBase}/${txHash}`);
+    });
+  } catch (err) {
+    outError(opts.json, err.message, "MulticallFailed");
+  }
+});
+program.command("deploy").description("Deploy the account contract").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    if (!opts.json) console.log("Deploying account...");
+    const result = await agent.deploy();
+    if (result === "already-deployed") {
+      out(opts.json, { status: "ok", deployed: true, message: "Account already deployed" }, () => {
+        console.log("Account is already deployed.");
+      });
+    } else {
+      out(opts.json, { status: "ok", deployed: true, transaction_hash: result }, () => {
+        console.log(`Deployed: ${result}`);
+      });
+    }
+  } catch (err) {
+    outError(opts.json, err.message, "DeployFailed");
+  }
+});
+program.command("balance").description("Show token balance").option("--token <token>", "Token symbol or address").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    const config = loadConfig();
+    const network = opts.network || config.network || DEFAULT_NETWORK;
+    const tokens = network === "mainnet" ? TOKENS_MAINNET : TOKENS_SEPOLIA;
+    if (opts.token) {
+      const tokenAddress = resolveToken(opts.token, network);
+      const balance = await agent.getBalance(tokenAddress);
+      out(opts.json, { status: "ok", token: opts.token, balance: formatBalance(balance), raw: balance.toString() }, () => {
+        console.log(`${opts.token}: ${formatBalance(balance)}`);
+      });
+    } else {
+      const [ethBal, strkBal] = await Promise.all([agent.getBalance(tokens.ETH), agent.getBalance(tokens.STRK)]);
+      out(opts.json, {
+        status: "ok",
+        balances: {
+          ETH: { balance: formatBalance(ethBal), raw: ethBal.toString() },
+          STRK: { balance: formatBalance(strkBal), raw: strkBal.toString() }
+        }
+      }, () => {
+        console.log(`ETH:  ${formatBalance(ethBal)}`);
+        console.log(`STRK: ${formatBalance(strkBal)}`);
+      });
+    }
+  } catch (err) {
+    outError(opts.json, err.message);
+  }
+});
+program.command("session-status").description("Show on-chain session status").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    const s = await agent.getSessionStatus();
+    const state = !s.registered ? "not_registered" : s.expired ? s.canRenew ? "renewable" : "expired" : "active";
+    out(opts.json, {
+      status: "ok",
+      state,
+      registered: s.registered,
+      expired: s.expired,
+      can_renew: s.canRenew,
+      valid_until: s.validUntil ? new Date(Number(s.validUntil) * 1e3).toISOString() : null,
+      renewal_deadline: s.renewalDeadline ? new Date(Number(s.renewalDeadline) * 1e3).toISOString() : null
+    }, () => {
+      console.log(`State:    ${state}`);
+      if (s.validUntil) console.log(`Valid until: ${new Date(Number(s.validUntil) * 1e3).toISOString()}`);
+      if (s.renewalDeadline) console.log(`Renewal deadline: ${new Date(Number(s.renewalDeadline) * 1e3).toISOString()}`);
+    });
+  } catch (err) {
+    outError(opts.json, err.message);
+  }
+});
+var session = program.command("session").description("Manage agent sessions");
+session.command("import").description("Import an agent session token provisioned from the Dashboard").argument("<token>", "Base64 encoded session token").option("--app-id <appId>", "App ID to associate with this session").option("--network <network>", "Network (mainnet | sepolia)").option("--json", "Output as JSON").action((token, opts) => {
+  try {
+    const decoded = Buffer.from(token, "base64").toString();
+    const sessionData = JSON.parse(decoded);
+    if (!sessionData.walletAddress || !sessionData.sessionPrivateKey) {
+      throw new Error("Invalid session token format.");
+    }
+    const config = loadConfig();
+    const appId = opts.appId || config.defaultAppId || DEFAULT_APP_ID;
+    const network = opts.network || config.network || DEFAULT_NETWORK;
+    saveSession(appId, sessionData);
+    saveConfig({ defaultAppId: appId, network });
+    out(opts.json, { status: "ok", address: sessionData.walletAddress, app_id: appId, network }, () => {
+      console.log(`Session imported: ${sessionData.walletAddress}`);
+      console.log(`App ID: ${appId} | Network: ${network}`);
+    });
+  } catch (err) {
+    if (opts.json) {
+      console.error(JSON.stringify({ status: "error", error_code: "ImportFailed", message: err.message }));
+    } else {
+      console.error(`Import failed: ${err.message}`);
+    }
+  }
+});
+program.command("revoke-session").description("Revoke a session key (requires active session)").option("--key <sessionKey>", "Specific session key to revoke (defaults to current)").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    if (!opts.json) console.log("Revoking session...");
+    const txHash = await agent.revokeSession(opts.key);
+    out(opts.json, { status: "ok", transaction_hash: txHash }, () => {
+      console.log(`Session revoked: ${txHash}`);
+    });
+  } catch (err) {
+    const code = err.message?.includes("Session not registered") ? "SessionNotRegistered" : "RevokeFailed";
+    outError(opts.json, err.message, code);
+  }
+});
+program.command("emergency-revoke").description("Emergency revoke all sessions").option("--app-id <appId>", "App ID").option("--network <network>", "Network").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    if (!agent.isAuthenticated()) outError(opts.json, "No session. Import one: cavos session import <token>", "NoSession");
+    if (!opts.json) console.log("Emergency revoking all sessions...");
+    const txHash = await agent.emergencyRevokeAll();
+    out(opts.json, { status: "ok", transaction_hash: txHash }, () => {
+      console.log(`All sessions revoked: ${txHash}`);
+    });
+  } catch (err) {
+    outError(opts.json, err.message, "EmergencyRevokeFailed");
+  }
+});
+var policy = program.command("policy").description("Manage local spending policies");
+policy.command("import").description("Import a policy JSON exported from the Dashboard").argument("<json>", "Policy JSON string").action((jsonStr) => {
+  try {
+    const imported = JSON.parse(jsonStr);
+    if (!imported.spendingLimits || !imported.allowedContracts) {
+      throw new Error("Invalid policy format. Missing spendingLimits or allowedContracts.");
+    }
+    const policyParams = {
+      ...imported,
+      spendingLimits: imported.spendingLimits.map((sl) => ({ ...sl, limit: BigInt(sl.limit) }))
+    };
+    savePolicy(policyParams);
+    console.log("Policy imported successfully.");
+  } catch (err) {
+    console.error(`Import failed: ${err.message}`);
+  }
+});
+policy.command("clear").description("Clear the local policy").action(() => {
+  savePolicy({ spendingLimits: [], allowedContracts: [], maxCallsPerTx: 10 });
+  console.log("Policy cleared.");
+});
+policy.command("show").description("Show the current local policy").option("--json", "Output as JSON").action((opts) => {
+  const p = loadPolicy();
+  if (!p || p.spendingLimits.length === 0 && p.allowedContracts.length === 0) {
+    out(opts.json, { status: "ok", policy: null, message: "No local policy defined." }, () => {
+      console.log("No local policy defined. The agent will follow default app constraints.");
+    });
+    return;
+  }
+  out(opts.json, {
+    status: "ok",
+    policy: {
+      spending_limits: p.spendingLimits.map((sl) => ({ token: sl.token, limit: formatBalance(sl.limit) })),
+      allowed_contracts: p.allowedContracts,
+      max_calls_per_tx: p.maxCallsPerTx
+    }
+  }, () => {
+    console.log("--- Current Local Policy ---");
+    console.log("Spending Limits:");
+    if (p.spendingLimits.length === 0) console.log("  (None)");
+    p.spendingLimits.forEach((sl) => console.log(`  ${sl.token}: ${formatBalance(sl.limit)}`));
+    console.log("\nAllowed Contracts:");
+    if (p.allowedContracts.length === 0) console.log("  (None \u2014 all allowed)");
+    p.allowedContracts.forEach((addr) => console.log(`  ${addr}`));
+  });
+});
+var tools = program.command("tools").description("AI Agent tool definitions");
+tools.command("list").description("List tools in OpenAI-compatible JSON format").action(() => {
+  console.log(JSON.stringify(tools_default, null, 2));
+});
+program.command("call").description("Call a contract entrypoint (read-only)").requiredOption("--contract <address>", "Contract address").requiredOption("--entrypoint <name>", "Entrypoint name").option("--calldata <data>", "Comma-separated calldata or JSON array", "[]").option("--block <blockId>", "Block identifier (default: latest)", "latest").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    let calldata = [];
+    if (opts.calldata.startsWith("[")) {
+      calldata = JSON.parse(opts.calldata);
+    } else {
+      calldata = opts.calldata.split(",").filter((x) => x);
+    }
+    const result = await agent.provider.callContract({
+      contractAddress: opts.contract,
+      entrypoint: opts.entrypoint,
+      calldata
+    }, opts.block);
+    out(opts.json, { success: true, result }, () => {
+      console.log("Result:", result);
+    });
+  } catch (e) {
+    outError(opts.json, e.message);
+  }
+});
+program.command("simulate").description("Simulate a transaction execution").requiredOption("--contract <address>", "Contract address").requiredOption("--entrypoint <name>", "Entrypoint name").option("--calldata <data>", "Comma-separated calldata or JSON array", "[]").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    let calldata = [];
+    if (opts.calldata.startsWith("[")) {
+      calldata = JSON.parse(opts.calldata);
+    } else {
+      calldata = opts.calldata.split(",").filter((x) => x);
+    }
+    if (!agent.isAuthenticated()) {
+      throw new Error("Authentication required for simulation");
+    }
+    const account = agent.sessionAccount || agent.account;
+    const invocation = {
+      contractAddress: opts.contract,
+      entrypoint: opts.entrypoint,
+      calldata
+    };
+    const simulation = await account.simulateTransaction([invocation]);
+    out(opts.json, { success: true, simulation }, () => {
+      console.log("Simulation Check:", simulation);
+      console.log("Logs:", simulation[0].transaction_trace.execution_resources);
+    });
+  } catch (e) {
+    outError(opts.json, e.message);
+  }
+});
+program.command("estimate").description("Estimate fee for a transaction").requiredOption("--contract <address>", "Contract address").requiredOption("--entrypoint <name>", "Entrypoint name").option("--calldata <data>", "Comma-separated calldata or JSON array", "[]").option("--json", "Output as JSON").action(async (opts) => {
+  try {
+    const agent = getAgent(opts);
+    let calldata = [];
+    if (opts.calldata.startsWith("[")) {
+      calldata = JSON.parse(opts.calldata);
+    } else {
+      calldata = opts.calldata.split(",").filter((x) => x);
+    }
+    if (!agent.isAuthenticated()) {
+      throw new Error("Authentication required for estimation");
+    }
+    const account = agent.sessionAccount || agent.account;
+    const invocation = {
+      contractAddress: opts.contract,
+      entrypoint: opts.entrypoint,
+      calldata
+    };
+    const estimate = await account.estimateFee([invocation]);
+    out(opts.json, { success: true, estimate }, () => {
+      console.log(`Estimated Fee: ${formatBalance(estimate.amount)} ETH`);
+      console.log(`Gas Usage: ${estimate.overall_fee}`);
+    });
+  } catch (e) {
+    outError(opts.json, e.message);
+  }
+});
+program.command("policy").description("Manage agent spending policy").argument("[action]", "Action: show, set-limit, reset", "show").option("--json", "Output as JSON").action((action, opts) => {
+  const agent = getAgent(opts);
+  const policy2 = agent.policy || loadPolicy() || {};
+  if (action === "show") {
+    out(opts.json, {
+      policy: policy2,
+      status: {
+        is_loaded: !!agent.policy,
+        source: process.env.CAVOS_POLICY ? "env" : "disk"
+      }
+    }, () => {
+      console.log("--- Agent Policy ---");
+      console.log(`Allowed Contracts: ${policy2.allowedContracts?.length || 0}`);
+      console.log(`Spending Limits:`);
+      policy2.spendingLimits?.forEach((sl) => {
+        console.log(`  - ${sl.token}: ${sl.limit}`);
+      });
+      console.log(`Max Calls/Tx: ${policy2.maxCallsPerTx || "Unlimited"}`);
+    });
+  }
+});
+program.parse();
+//# sourceMappingURL=cli.js.map