@chainstream-io/cli 0.0.5 → 0.0.10

package/dist/index.js

@@ -10,14 +10,12 @@ var __export = (target, all) => {
 };
 
 // src/lib/constants.ts
-var CHAINSTREAM_API_URL, CHAINSTREAM_AUTH_URL, TURNKEY_AUTH_PROXY_CONFIG_ID, TURNKEY_SUB_ORG_PREFIX, SOLANA_RPC_URL, BASE_RPC_URL, BASE_CHAIN_ID;
+var CHAINSTREAM_API_URL, CHAINSTREAM_AUTH_URL, SOLANA_RPC_URL, BASE_RPC_URL, BASE_CHAIN_ID;
 var init_constants = __esm({
   "src/lib/constants.ts"() {
     "use strict";
     CHAINSTREAM_API_URL = process.env.CHAINSTREAM_API_URL ?? "https://api.chainstream.io";
-    CHAINSTREAM_AUTH_URL = process.env.CHAINSTREAM_AUTH_URL ?? "https://auth.chainstream.io";
-    TURNKEY_AUTH_PROXY_CONFIG_ID = process.env.TURNKEY_AUTH_PROXY_CONFIG_ID ?? "7550819d-2607-4910-a3d9-8e6e3ff870f9";
-    TURNKEY_SUB_ORG_PREFIX = "chainstream-personal";
+    CHAINSTREAM_AUTH_URL = process.env.CHAINSTREAM_AUTH_URL ?? "https://api.chainstream.io";
     SOLANA_RPC_URL = process.env.SOLANA_RPC_URL ?? "https://api.mainnet-beta.solana.com";
     BASE_RPC_URL = process.env.BASE_RPC_URL ?? "https://mainnet.base.org";
     BASE_CHAIN_ID = Number(process.env.BASE_CHAIN_ID ?? "8453");
@@ -29,6 +27,8 @@ var config_exports = {};
 __export(config_exports, {
   getConfigDir: () => getConfigDir,
   getWalletMode: () => getWalletMode,
+  isEvmChain: () => isEvmChain,
+  isSolanaChain: () => isSolanaChain,
   loadConfig: () => loadConfig,
   saveConfig: () => saveConfig,
   updateConfig: () => updateConfig
@@ -36,6 +36,12 @@ __export(config_exports, {
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { homedir } from "os";
 import { join } from "path";
+function isEvmChain(chain) {
+  return chain === "base";
+}
+function isSolanaChain(chain) {
+  return chain === "sol";
+}
 function getConfigDir() {
   if (!existsSync(CONFIG_DIR)) {
     mkdirSync(CONFIG_DIR, { recursive: true });
@@ -78,6 +84,16 @@ var init_config = __esm({
   }
 });
 
+// src/wallet/types.ts
+function toSdkChain(chain) {
+  return chain === "sol" ? "solana" : "evm";
+}
+var init_types = __esm({
+  "src/wallet/types.ts"() {
+    "use strict";
+  }
+});
+
 // src/wallet/raw-wallet.ts
 import { privateKeyToAccount } from "viem/accounts";
 import { Keypair, VersionedTransaction } from "@solana/web3.js";
@@ -109,14 +125,18 @@ var RawKeyWallet;
 var init_raw_wallet = __esm({
   "src/wallet/raw-wallet.ts"() {
     "use strict";
+    init_types();
+    init_config();
     RawKeyWallet = class {
       chain;
+      paymentChain;
       address;
       privateKey;
       constructor(key, chain) {
-        this.chain = chain;
+        this.paymentChain = chain;
+        this.chain = toSdkChain(chain);
         this.privateKey = key;
-        if (chain === "evm") {
+        if (isEvmChain(this.paymentChain)) {
           const hex = key.startsWith("0x") ? key : `0x${key}`;
           const account = privateKeyToAccount(hex);
           this.address = account.address;
@@ -127,7 +147,7 @@ var init_raw_wallet = __esm({
         }
       }
       async signMessage(message) {
-        if (this.chain === "evm") {
+        if (isEvmChain(this.paymentChain)) {
           const hex = this.privateKey.startsWith("0x") ? this.privateKey : `0x${this.privateKey}`;
           const account = privateKeyToAccount(hex);
           return account.signMessage({ message });
@@ -142,7 +162,7 @@ var init_raw_wallet = __esm({
       }
       async signTransaction(serializedTx) {
         const txBytes = Buffer.from(serializedTx, "base64");
-        if (this.chain === "solana") {
+        if (!isEvmChain(this.paymentChain)) {
           const tx = VersionedTransaction.deserialize(new Uint8Array(txBytes));
           const decoded = bs58Decode(this.privateKey);
           const keypair = Keypair.fromSecretKey(decoded);
@@ -162,20 +182,12 @@ var init_raw_wallet = __esm({
 var turnkey_exports = {};
 __export(turnkey_exports, {
   TURNKEY_API_BASE: () => TURNKEY_API_BASE,
-  TURNKEY_CONFIG_ID: () => TURNKEY_CONFIG_ID,
-  checkAccount: () => checkAccount,
-  completeLogin: () => completeLogin,
   createApiStamp: () => createApiStamp,
   generateP256KeyPair: () => generateP256KeyPair,
   getEvmAddress: () => getEvmAddress,
   getSolanaAddress: () => getSolanaAddress,
   listWalletAccounts: () => listWalletAccounts,
-  otpInit: () => otpInit,
-  otpLogin: () => otpLogin,
-  otpVerify: () => otpVerify,
   refreshTurnkeySession: () => refreshTurnkeySession,
-  signRawP256: () => signRawP256,
-  signup: () => signup,
   turnkeyRequest: () => turnkeyRequest,
   updateTurnkeyUserEmail: () => updateTurnkeyUserEmail
 });
@@ -199,160 +211,12 @@ function generateP256KeyPair() {
     privateKeyDer: Buffer.from(privateKey).toString("base64")
   };
 }
-function signRawP256(message, privateKeyDerBase64) {
-  const signer = createSign("SHA256");
-  signer.update(message);
-  signer.end();
-  const derSig = signer.sign({
-    key: Buffer.from(privateKeyDerBase64, "base64"),
-    format: "der",
-    type: "pkcs8"
-  });
-  return derToRawSignature(derSig);
-}
-function derToRawSignature(der) {
-  let offset = 0;
-  if (der[offset++] !== 48) throw new Error("Invalid DER signature");
-  offset++;
-  if (der[offset++] !== 2) throw new Error("Invalid DER signature");
-  const rLen = der[offset++];
-  const rBytes = der.subarray(offset, offset + rLen);
-  offset += rLen;
-  if (der[offset++] !== 2) throw new Error("Invalid DER signature");
-  const sLen = der[offset++];
-  const sBytes = der.subarray(offset, offset + sLen);
-  const r = padOrTrimTo32(rBytes);
-  const s = padOrTrimTo32(sBytes);
-  return Buffer.concat([r, s]).toString("hex");
-}
-function padOrTrimTo32(buf) {
-  if (buf.length === 32) return buf;
-  if (buf.length === 33 && buf[0] === 0) return buf.subarray(1);
-  if (buf.length < 32) {
-    const padded = Buffer.alloc(32);
-    buf.copy(padded, 32 - buf.length);
-    return padded;
-  }
-  return buf.subarray(buf.length - 32);
-}
 function decodeJwtPayload(jwt) {
   const parts = jwt.split(".");
   if (parts.length !== 3) throw new Error("Invalid JWT");
   const payloadB64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
   return JSON.parse(Buffer.from(payloadB64, "base64").toString("utf-8"));
 }
-async function proxyRequest(path, body, configId) {
-  if (!configId) throw new Error("TURNKEY_AUTH_PROXY_CONFIG_ID not configured.");
-  const res = await fetch(`${AUTH_PROXY_BASE}${path}`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-Auth-Proxy-Config-ID": configId
-    },
-    body: JSON.stringify(body)
-  });
-  if (!res.ok) {
-    const text = await res.text().catch(() => "");
-    let detail = text;
-    try {
-      detail = JSON.parse(text).message ?? text;
-    } catch {
-    }
-    throw new Error(`Turnkey auth proxy error (${res.status}): ${detail}`);
-  }
-  return res.json();
-}
-async function otpInit(email, configId) {
-  return proxyRequest("/v1/otp_init", { otpType: "OTP_TYPE_EMAIL", contact: email }, configId);
-}
-async function otpVerify(otpId, otpCode, publicKeyHex, configId) {
-  return proxyRequest("/v1/otp_verify", { otpId, otpCode, publicKey: publicKeyHex }, configId);
-}
-async function checkAccount(email, configId, verificationToken) {
-  try {
-    const result = await proxyRequest(
-      "/v1/account",
-      { filterType: "EMAIL", filterValue: email, ...verificationToken && { verificationToken } },
-      configId
-    );
-    return { exists: !!result.organizationId, organizationId: result.organizationId };
-  } catch {
-    return { exists: false };
-  }
-}
-async function signup(email, configId, verificationToken, publicKeyHex, privateKeyDer) {
-  const decoded = decodeJwtPayload(verificationToken);
-  const verificationPublicKey = decoded.public_key ?? publicKeyHex;
-  const signupBody = {
-    userName: `${TURNKEY_SUB_ORG_PREFIX}-${email.split("@")[0]}`,
-    organizationName: `${TURNKEY_SUB_ORG_PREFIX}-${email}`,
-    userEmail: email,
-    verificationToken,
-    apiKeys: [],
-    authenticators: [],
-    oauthProviders: [],
-    wallet: {
-      walletName: "ChainStream Wallet",
-      accounts: [
-        { curve: "CURVE_SECP256K1", pathFormat: "PATH_FORMAT_BIP32", path: "m/44'/60'/0'/0/0", addressFormat: "ADDRESS_FORMAT_ETHEREUM" },
-        { curve: "CURVE_ED25519", pathFormat: "PATH_FORMAT_BIP32", path: "m/44'/501'/0'/0'", addressFormat: "ADDRESS_FORMAT_SOLANA" }
-      ]
-    }
-  };
-  const signatureMessage = JSON.stringify({
-    signup: { email, apiKeys: signupBody.apiKeys, authenticators: signupBody.authenticators, oauthProviders: signupBody.oauthProviders },
-    tokenId: decoded.id,
-    type: "USAGE_TYPE_SIGNUP"
-  });
-  const signature = signRawP256(signatureMessage, privateKeyDer);
-  return proxyRequest("/v1/signup", {
-    ...signupBody,
-    clientSignature: {
-      message: signatureMessage,
-      publicKey: verificationPublicKey,
-      scheme: "CLIENT_SIGNATURE_SCHEME_API_P256",
-      signature
-    }
-  }, configId);
-}
-async function otpLogin(verificationToken, publicKeyHex, privateKeyDerBase64, configId) {
-  const decoded = decodeJwtPayload(verificationToken);
-  const tokenUsageMessage = JSON.stringify({
-    login: { publicKey: publicKeyHex },
-    tokenId: decoded.id,
-    type: "USAGE_TYPE_LOGIN"
-  });
-  const signature = signRawP256(tokenUsageMessage, privateKeyDerBase64);
-  return proxyRequest("/v1/otp_login", {
-    verificationToken,
-    publicKey: publicKeyHex,
-    clientSignature: {
-      message: tokenUsageMessage,
-      publicKey: decoded.public_key ?? publicKeyHex,
-      scheme: "CLIENT_SIGNATURE_SCHEME_API_P256",
-      signature
-    }
-  }, configId);
-}
-async function completeLogin(otpId, otpCode, configId, email) {
-  const keyPair = generateP256KeyPair();
-  const { verificationToken } = await otpVerify(otpId, otpCode, keyPair.publicKeyHex, configId);
-  const account = await checkAccount(email, configId, verificationToken);
-  let isNewUser = false;
-  if (!account.exists) {
-    await signup(email, configId, verificationToken, keyPair.publicKeyHex, keyPair.privateKeyDer);
-    isNewUser = true;
-  }
-  const { session } = await otpLogin(verificationToken, keyPair.publicKeyHex, keyPair.privateKeyDer, configId);
-  const sessionPayload = decodeJwtPayload(session);
-  return {
-    session,
-    keyPair,
-    organizationId: sessionPayload.organization_id ?? "",
-    sessionExpiry: sessionPayload.exp,
-    isNewUser
-  };
-}
 function createApiStamp(body, publicKeyHex, privateKeyDerBase64) {
   const signer = createSign("SHA256");
   signer.update(body);
@@ -454,14 +318,11 @@ async function getSolanaAddress(creds) {
   if (!sol) throw new Error("No Solana wallet found in Turnkey.");
   return sol.address;
 }
-var AUTH_PROXY_BASE, TURNKEY_API_BASE, TURNKEY_CONFIG_ID;
+var TURNKEY_API_BASE;
 var init_turnkey = __esm({
   "src/lib/turnkey.ts"() {
     "use strict";
-    init_constants();
-    AUTH_PROXY_BASE = "https://authproxy.turnkey.com";
     TURNKEY_API_BASE = "https://api.turnkey.com";
-    TURNKEY_CONFIG_ID = TURNKEY_AUTH_PROXY_CONFIG_ID;
   }
 });
 
@@ -470,14 +331,18 @@ var TurnkeyWallet;
 var init_turnkey_wallet = __esm({
   "src/wallet/turnkey-wallet.ts"() {
     "use strict";
+    init_types();
+    init_config();
     init_turnkey();
     TurnkeyWallet = class _TurnkeyWallet {
       chain;
+      paymentChain;
       address;
       creds;
       constructor(creds, chain, address) {
         this.creds = creds;
-        this.chain = chain;
+        this.paymentChain = chain;
+        this.chain = toSdkChain(chain);
         this.address = address;
       }
       static async create(creds) {
@@ -486,14 +351,14 @@ var init_turnkey_wallet = __esm({
           getSolanaAddress(creds)
         ]);
         return {
-          evm: new _TurnkeyWallet(creds, "evm", evmAddr),
-          solana: new _TurnkeyWallet(creds, "solana", solAddr)
+          base: new _TurnkeyWallet(creds, "base", evmAddr),
+          sol: new _TurnkeyWallet(creds, "sol", solAddr)
         };
       }
       async signMessage(message) {
         let payloadHex;
         let hashFunction;
-        if (this.chain === "evm") {
+        if (isEvmChain(this.paymentChain)) {
           const prefix = `Ethereum Signed Message:
 ${message.length}`;
           const prefixed = Buffer.concat([Buffer.from(prefix, "utf-8"), Buffer.from(message, "utf-8")]);
@@ -520,7 +385,7 @@ ${message.length}`;
         );
         const sigResult = result.activity?.result?.signRawPayloadResult;
         if (!sigResult) throw new Error("Turnkey signMessage: no signature in response");
-        if (this.chain === "evm") {
+        if (isEvmChain(this.paymentChain)) {
           const v = sigResult.v === "00" ? "1b" : "1c";
           return `0x${sigResult.r}${sigResult.s}${v}`;
         }
@@ -529,7 +394,7 @@ ${message.length}`;
       async signTransaction(serializedTx) {
         const txBytes = Buffer.from(serializedTx, "base64");
         const unsignedHex = txBytes.toString("hex");
-        const txType = this.chain === "evm" ? "TRANSACTION_TYPE_ETHEREUM" : "TRANSACTION_TYPE_SOLANA";
+        const txType = isEvmChain(this.paymentChain) ? "TRANSACTION_TYPE_ETHEREUM" : "TRANSACTION_TYPE_SOLANA";
         const result = await turnkeyRequest(
           "/public/v1/submit/sign_transaction",
           {
@@ -563,13 +428,15 @@ function createWallet(config, mode) {
     return new RawKeyWallet(config.rawWallet.key, config.rawWallet.chain);
   }
   if (mode === "turnkey" && config.turnkey) {
-    const address = config.turnkey.evmAddress;
+    const chain = config.walletChain ?? "base";
+    const address = isEvmChain(chain) ? config.turnkey.evmAddress : config.turnkey.solanaAddress;
     if (!address) {
       throw new Error(
-        "Turnkey wallet address not found in config.\nPlease re-login to resolve addresses: chainstream login"
+        `Turnkey ${chain} address not found in config.
+Please re-login to resolve addresses: chainstream login`
       );
     }
-    return new TurnkeyWallet(config.turnkey, "evm", address);
+    return new TurnkeyWallet(config.turnkey, chain, address);
   }
   throw new Error(
     "No wallet configured. Run:\n  chainstream login           # Create Turnkey wallet\n  chainstream wallet set-raw  # Use raw private key (dev)"
@@ -578,17 +445,18 @@ function createWallet(config, mode) {
 async function createWalletWithAddresses(config, mode) {
   if (mode === "raw" && config.rawWallet) {
     const w = new RawKeyWallet(config.rawWallet.key, config.rawWallet.chain);
-    return config.rawWallet.chain === "evm" ? { evm: w } : { solana: w };
+    return isEvmChain(config.rawWallet.chain) ? { base: w } : { sol: w };
   }
   if (mode === "turnkey" && config.turnkey) {
     const wallets = await TurnkeyWallet.create(config.turnkey);
-    return { evm: wallets.evm, solana: wallets.solana };
+    return { base: wallets.base, sol: wallets.sol };
   }
   throw new Error("No wallet configured.");
 }
 var init_wallet = __esm({
   "src/wallet/index.ts"() {
     "use strict";
+    init_config();
     init_raw_wallet();
     init_turnkey_wallet();
   }
@@ -597,15 +465,18 @@ var init_wallet = __esm({
 // src/lib/x402.ts
 var x402_exports = {};
 __export(x402_exports, {
-  autoPurchaseOnDemand: () => autoPurchaseOnDemand,
   getPricing: () => getPricing,
-  getX402Fetch: () => getX402Fetch
+  getX402Fetch: () => getX402Fetch,
+  selectPlanInteractive: () => selectPlanInteractive
 });
 import { x402Client } from "@x402/core/client";
 import { wrapFetchWithPayment } from "@x402/fetch";
 import { ExactEvmScheme } from "@x402/evm/exact/client";
+import { ExactSvmScheme } from "@x402/svm/exact/client";
 import { privateKeyToAccount as privateKeyToAccount2 } from "viem/accounts";
 import { hashTypedData } from "viem";
+import { createKeyPairSignerFromBytes } from "@solana/kit";
+import * as readline from "readline/promises";
 function createTurnkeyPaymentAccount(creds) {
   const address = creds.evmAddress;
   return {
@@ -637,55 +508,136 @@ function createTurnkeyPaymentAccount(creds) {
     }
   };
 }
-function getX402Fetch(config) {
+async function turnkeySolanaSign(creds, payload) {
+  const payloadHex = Buffer.from(payload).toString("hex");
+  const result = await turnkeyRequest(
+    "/public/v1/submit/sign_raw_payload",
+    {
+      type: "ACTIVITY_TYPE_SIGN_RAW_PAYLOAD_V2",
+      timestampMs: Date.now().toString(),
+      organizationId: creds.organizationId,
+      parameters: {
+        signWith: creds.solanaAddress,
+        payload: payloadHex,
+        encoding: "PAYLOAD_ENCODING_HEXADECIMAL",
+        hashFunction: "HASH_FUNCTION_NOT_APPLICABLE"
+      }
+    },
+    creds
+  );
+  const sig = result.activity?.result?.signRawPayloadResult;
+  if (!sig) throw new Error("Turnkey Solana sign: no signature");
+  return new Uint8Array(Buffer.from(sig.r + sig.s, "hex"));
+}
+async function createTurnkeySolanaSigner(creds) {
+  const { createNoopSigner, address: solAddress } = await import("@solana/kit");
+  return createNoopSigner(solAddress(creds.solanaAddress));
+}
+function createTurnkeySvmScheme(creds, noopSigner) {
+  const inner = new ExactSvmScheme(noopSigner, { rpcUrl: "https://api.mainnet-beta.solana.com" });
+  return {
+    scheme: "exact",
+    async createPaymentPayload(x402Version, paymentRequirements) {
+      const payload = await inner.createPaymentPayload(x402Version, paymentRequirements);
+      const wrapped = payload;
+      const txB64 = wrapped.payload.transaction;
+      const txBytes = new Uint8Array(Buffer.from(txB64, "base64"));
+      const sigCount = txBytes[0];
+      const messageStart = 1 + sigCount * 64;
+      const messageBytes = txBytes.slice(messageStart);
+      const sig = await turnkeySolanaSign(creds, messageBytes);
+      txBytes.set(sig, 1 + 64);
+      wrapped.payload.transaction = Buffer.from(txBytes).toString("base64");
+      return payload;
+    }
+  };
+}
+function bs58Decode2(str) {
+  const ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  const BASE = 58;
+  const result = [0];
+  for (const char of str) {
+    let carry = ALPHABET.indexOf(char);
+    if (carry < 0) throw new Error(`Invalid base58 character: ${char}`);
+    for (let j = 0; j < result.length; j++) {
+      carry += result[j] * BASE;
+      result[j] = carry & 255;
+      carry >>= 8;
+    }
+    while (carry > 0) {
+      result.push(carry & 255);
+      carry >>= 8;
+    }
+  }
+  for (const char of str) {
+    if (char !== "1") break;
+    result.push(0);
+  }
+  return new Uint8Array(result.reverse());
+}
+async function getX402Fetch(config) {
   if (_x402Fetch) return _x402Fetch;
   const client = new x402Client();
-  if (config.rawWallet?.chain === "evm") {
-    const hex = config.rawWallet.key.startsWith("0x") ? config.rawWallet.key : `0x${config.rawWallet.key}`;
-    const account = privateKeyToAccount2(hex);
-    client.register("eip155:*", new ExactEvmScheme(account));
-  } else if (config.turnkey?.evmAddress && config.turnkey?.organizationId) {
-    const account = createTurnkeyPaymentAccount(config.turnkey);
-    client.register("eip155:*", new ExactEvmScheme(account));
+  if (config.rawWallet) {
+    if (isEvmChain(config.rawWallet.chain)) {
+      const hex = config.rawWallet.key.startsWith("0x") ? config.rawWallet.key : `0x${config.rawWallet.key}`;
+      const account = privateKeyToAccount2(hex);
+      client.register("eip155:8453", new ExactEvmScheme(account));
+    } else if (isSolanaChain(config.rawWallet.chain)) {
+      const decoded = bs58Decode2(config.rawWallet.key);
+      const signer = await createKeyPairSignerFromBytes(new Uint8Array(decoded));
+      client.register("solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp", new ExactSvmScheme(signer, { rpcUrl: "https://api.mainnet-beta.solana.com" }));
+    }
+  } else if (config.turnkey?.organizationId) {
+    const preferredChain = config.walletChain ?? "base";
+    if (isEvmChain(preferredChain) && config.turnkey.evmAddress) {
+      const account = createTurnkeyPaymentAccount(config.turnkey);
+      client.register("eip155:8453", new ExactEvmScheme(account));
+    } else if (isSolanaChain(preferredChain) && config.turnkey.solanaAddress) {
+      const noopSigner = await createTurnkeySolanaSigner(config.turnkey);
+      const scheme = createTurnkeySvmScheme(config.turnkey, noopSigner);
+      client.register("solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp", scheme);
+    }
   }
   _x402Fetch = wrapFetchWithPayment(fetch, client);
   return _x402Fetch;
 }
-async function autoPurchaseOnDemand(config, plan = "nano") {
-  const x402Fetch = getX402Fetch(config);
-  process.stderr.write(`[chainstream] No active subscription. Auto-purchasing ${plan} plan...
-`);
-  try {
-    const resp = await x402Fetch(`${config.baseUrl}/x402/purchase?plan=${encodeURIComponent(plan)}`);
-    if (!resp.ok) {
-      const text = await resp.text().catch(() => "");
-      process.stderr.write(`[chainstream] Purchase failed (${resp.status}): ${text}
-`);
-      return { success: false };
-    }
-    const result = await resp.json();
-    process.stderr.write(`[chainstream] Subscription activated: ${result.plan} (expires: ${result.expires_at})
-`);
-    return {
-      success: true,
-      plan: result.plan,
-      expiresAt: result.expires_at
-    };
-  } catch (err) {
-    process.stderr.write(`[chainstream] Auto-purchase error: ${err instanceof Error ? err.message : err}
-`);
-    return { success: false };
-  }
-}
 async function getPricing(baseUrl) {
   const resp = await fetch(`${baseUrl}/x402/pricing`);
   if (!resp.ok) throw new Error(`Failed to get pricing (${resp.status})`);
   return resp.json();
 }
+async function selectPlanInteractive(baseUrl) {
+  const pricing = await getPricing(baseUrl);
+  const plans = pricing.plans.sort((a, b) => a.price_usd - b.price_usd);
+  process.stderr.write("\n[chainstream] No active subscription. Available plans:\n\n");
+  process.stderr.write("  #  Plan       Price     Quota           Duration\n");
+  process.stderr.write("  \u2500\u2500 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n");
+  for (let i = 0; i < plans.length; i++) {
+    const p = plans[i];
+    const num = String(i + 1).padStart(2);
+    const name = p.name.padEnd(10);
+    const price = `$${p.price_usd}`.padEnd(8);
+    const quota = p.quota_total.toLocaleString().padStart(14) + " CU";
+    const days = `${p.duration_days} days`;
+    process.stderr.write(`  ${num} ${name} ${price} ${quota}  ${days}
+`);
+  }
+  process.stderr.write("\n");
+  const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+  const answer = await rl.question(`Select plan (1-${plans.length}): `);
+  rl.close();
+  const idx = parseInt(answer.trim(), 10) - 1;
+  if (idx < 0 || idx >= plans.length || Number.isNaN(idx)) {
+    throw new Error("Invalid plan selection. Aborting purchase.");
+  }
+  return plans[idx].name;
+}
 var _x402Fetch;
 var init_x402 = __esm({
   "src/lib/x402.ts"() {
     "use strict";
+    init_config();
     init_turnkey();
     _x402Fetch = null;
   }
@@ -721,7 +673,7 @@ function createClient() {
     return _client;
   }
   throw new Error(
-    "Not authenticated. Run one of:\n  chainstream login                  # Email OTP (creates Turnkey wallet)\n  chainstream login --key            # P-256 key (no email)\n  chainstream wallet set-raw         # Raw private key (dev)\n  chainstream config set --key apiKey --value <key>  # API key only"
+    "Not authenticated. Run one of:\n  chainstream login                  # Create Turnkey wallet (no email)\n  chainstream login --email          # Email OTP login\n  chainstream wallet set-raw         # Import private key (dev)\n  chainstream config set --key apiKey --value <key>  # API key only"
   );
 }
 function requireWallet() {
@@ -738,27 +690,78 @@ async function callWithAutoPayment(fn, retried = false) {
   try {
     return await fn();
   } catch (err) {
-    const is402 = isPaymentRequired(err);
-    if (is402 && !retried && _wallet) {
+    const paymentInfo = extractPaymentInfo(err);
+    if (paymentInfo && !retried && _wallet) {
       const config = loadConfig();
-      const result = await autoPurchaseOnDemand(config);
-      if (result.success) {
+      let purchaseUrl = resolvePurchaseUrl(config.baseUrl, paymentInfo);
+      if (config.plan) {
+        purchaseUrl = replacePlanInUrl(purchaseUrl, config.plan);
+        process.stderr.write(`[chainstream] No active subscription. Purchasing ${config.plan} plan...
+`);
+      } else if (process.stdin.isTTY) {
+        const chosenPlan = await selectPlanInteractive(config.baseUrl);
+        purchaseUrl = replacePlanInUrl(purchaseUrl, chosenPlan);
+        process.stderr.write(`[chainstream] Purchasing ${chosenPlan} plan...
+`);
+      } else {
+        process.stderr.write(`[chainstream] No active subscription. Purchasing via x402...
+`);
+        process.stderr.write(`[chainstream] Resource: ${purchaseUrl}
+`);
+      }
+      const x402Fetch = await getX402Fetch(config);
+      const resp = await x402Fetch(purchaseUrl);
+      if (resp.ok) {
+        const result = await resp.json();
+        process.stderr.write(`[chainstream] Subscription activated: ${result.plan} (expires: ${result.expires_at})
+`);
         _client = null;
         createClient();
         return callWithAutoPayment(fn, true);
       }
+      const text = await resp.text().catch(() => "");
+      process.stderr.write(`[chainstream] Purchase failed (${resp.status}): ${text}
+`);
     }
     throw err;
   }
 }
-function isPaymentRequired(err) {
-  if (!err || typeof err !== "object") return false;
+function extractPaymentInfo(err) {
+  if (!err || typeof err !== "object") return null;
   const axiosErr = err;
-  if (axiosErr.response?.status === 402) return true;
-  if (axiosErr.status === 402) return true;
-  if (axiosErr.message?.includes("402")) return true;
-  if (axiosErr.message?.includes("PAYMENT_REQUIRED")) return true;
-  return false;
+  const status = axiosErr.response?.status ?? axiosErr.status;
+  const message = axiosErr.message ?? "";
+  if (status === 402) {
+    const header = axiosErr.response?.headers?.["payment-required"] ?? axiosErr.response?.headers?.["x-payment-required"];
+    if (header) {
+      try {
+        const decoded = JSON.parse(Buffer.from(header, "base64").toString());
+        return { resourceUrl: decoded.resource?.url };
+      } catch {
+      }
+    }
+    return {};
+  }
+  if (message.includes("402") || message.includes("PAYMENT_REQUIRED") || message.includes("no active x402 subscription")) {
+    return {};
+  }
+  return null;
+}
+function resolvePurchaseUrl(baseUrl, info) {
+  if (info.resourceUrl) {
+    if (info.resourceUrl.startsWith("http")) return info.resourceUrl;
+    return `${baseUrl}${info.resourceUrl}`;
+  }
+  return `${baseUrl}/x402/purchase?plan=nano`;
+}
+function replacePlanInUrl(url, plan) {
+  try {
+    const u = new URL(url);
+    u.searchParams.set("plan", plan);
+    return u.toString();
+  } catch {
+    return url.replace(/plan=[^&]+/, `plan=${encodeURIComponent(plan)}`);
+  }
 }
 
 // src/lib/validate.ts
@@ -971,7 +974,7 @@ function registerMarketCommands(program2) {
 
 // src/commands/wallet.ts
 init_config();
-import * as readline from "readline/promises";
+import * as readline2 from "readline/promises";
 function registerWalletCommands(program2) {
   const wallet = program2.command("wallet").description("Wallet analytics and management");
   wallet.command("profile").description("Wallet profile: PnL + net worth + top holdings").requiredOption("--chain <chain>", "Chain: sol/bsc/eth").requiredOption("--address <address>", "Wallet address").option("--raw", "Single-line JSON output").action(async (opts) => {
@@ -1040,22 +1043,22 @@ function registerWalletCommands(program2) {
       const walletMode = (await Promise.resolve().then(() => (init_config(), config_exports))).getWalletMode(config);
       if (walletMode === "turnkey" && config.turnkey) {
         if (config.turnkey.evmAddress || config.turnkey.solanaAddress) {
-          if (config.turnkey.evmAddress) process.stdout.write(`EVM:    ${config.turnkey.evmAddress}
+          if (config.turnkey.evmAddress) process.stdout.write(`Base:   ${config.turnkey.evmAddress}
 `);
           if (config.turnkey.solanaAddress) process.stdout.write(`Solana: ${config.turnkey.solanaAddress}
 `);
         } else {
           const { createWalletWithAddresses: createWalletWithAddresses2 } = await Promise.resolve().then(() => (init_wallet(), wallet_exports));
           const wallets = await createWalletWithAddresses2(config, "turnkey");
-          if (wallets.evm) process.stdout.write(`EVM:    ${wallets.evm.address}
+          if (wallets.base) process.stdout.write(`Base:   ${wallets.base.address}
 `);
-          if (wallets.solana) process.stdout.write(`Solana: ${wallets.solana.address}
+          if (wallets.sol) process.stdout.write(`Solana: ${wallets.sol.address}
 `);
         }
       } else if (config.rawWallet) {
         const { createWallet: createWallet2 } = await Promise.resolve().then(() => (init_wallet(), wallet_exports));
         const w = createWallet2(config, "raw");
-        process.stdout.write(`${w.chain.toUpperCase()}: ${w.address}
+        process.stdout.write(`${w.paymentChain.toUpperCase()}: ${w.address}
 `);
       } else {
         process.stdout.write("No wallet configured. Run: chainstream login\n");
@@ -1091,9 +1094,9 @@ function registerWalletCommands(program2) {
       exitOnError(err);
     }
   });
-  wallet.command("set-raw").description("Set raw private key (dev/testing only)").requiredOption("--chain <chain>", "Chain: evm/solana").action(async (opts) => {
+  wallet.command("set-raw").description("Set raw private key (dev/testing only)").requiredOption("--chain <chain>", "Chain: base/sol").action(async (opts) => {
     try {
-      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
       process.stdout.write("\u26A0 WARNING: Raw private key will be stored in plaintext.\n");
       process.stdout.write("  Use Turnkey (chainstream login) for production.\n\n");
       const key = await rl.question("Enter private key: ");
@@ -1139,7 +1142,7 @@ function registerKytCommands(program2) {
 }
 
 // src/commands/dex.ts
-import * as readline2 from "readline/promises";
+import * as readline3 from "readline/promises";
 function registerDexCommands(program2) {
   const dex = program2.command("dex").description("DEX swap, quote, and token creation");
   dex.command("quote").description("Get swap quote (read-only)").requiredOption("--chain <chain>", "Chain: sol/bsc/eth").requiredOption("--input-token <addr>", "Input token (address or SOL/ETH/BNB/USDC)").requiredOption("--output-token <addr>", "Output token (address or SOL/ETH/BNB/USDC)").requiredOption("--amount <amount>", "Input amount (smallest unit)").option("--raw", "Single-line JSON output").action(async (opts) => {
@@ -1191,7 +1194,7 @@ function registerDexCommands(program2) {
 `);
       process.stderr.write("--------------------\n\n");
       if (!opts.yes) {
-        const rl = readline2.createInterface({ input: process.stdin, output: process.stderr });
+        const rl = readline3.createInterface({ input: process.stdin, output: process.stderr });
         const answer = await rl.question("Confirm swap? (y/N): ");
         rl.close();
         if (answer.toLowerCase() !== "y") {
@@ -1346,7 +1349,7 @@ function saveKey(keyPair, profile = DEFAULT_PROFILE) {
 // src/commands/auth.ts
 init_turnkey();
 init_constants();
-import * as readline3 from "readline/promises";
+import * as readline4 from "readline/promises";
 async function resolveAndStoreAddresses(turnkeyCreds) {
   process.stderr.write("Resolving wallet addresses...\n");
   const [evmAddress, solanaAddress] = await Promise.all([
@@ -1358,7 +1361,7 @@ async function resolveAndStoreAddresses(turnkeyCreds) {
   });
 }
 function registerAuthCommands(program2) {
-  program2.command("login").description("Create wallet (default) or login via email OTP (--email)").argument("[email]", "Email address for OTP login (optional)").option("--email", "Use email OTP login instead of key-based").action(async (emailArg, opts) => {
+  program2.command("login").description("Create wallet (default: --key) or login via email OTP").argument("[email]", "Email address for OTP login").option("--key", "Key-based login \u2014 no email required (default)").option("--email", "Email OTP login").action(async (emailArg, opts) => {
     try {
       if (opts.email || emailArg) {
         await doEmailLogin(emailArg);
@@ -1371,35 +1374,7 @@ function registerAuthCommands(program2) {
   });
   program2.command("verify").description("Verify email OTP (second step of login)").requiredOption("--otp-id <id>", "OTP ID from login step").requiredOption("--code <code>", "OTP code from email").requiredOption("--email <email>", "Email used in login step").action(async (opts) => {
     try {
-      const configId = TURNKEY_CONFIG_ID;
-      if (!configId) throw new Error("TURNKEY_AUTH_PROXY_CONFIG_ID not set.");
-      process.stderr.write("Verifying OTP...\n");
-      const result = await completeLogin(opts.otpId, opts.code, configId, opts.email);
-      saveKey({
-        publicKeyHex: result.keyPair.publicKeyHex,
-        uncompressedPublicKeyHex: result.keyPair.uncompressedPublicKeyHex,
-        privateKeyDer: result.keyPair.privateKeyDer,
-        organizationId: result.organizationId
-      });
-      const turnkeyCreds = {
-        publicKeyHex: result.keyPair.publicKeyHex,
-        privateKeyDer: result.keyPair.privateKeyDer,
-        organizationId: result.organizationId,
-        sessionToken: result.session,
-        sessionExpiry: result.sessionExpiry
-      };
-      updateConfig({ turnkey: turnkeyCreds });
-      await resolveAndStoreAddresses(turnkeyCreds);
-      const config = loadConfig();
-      if (result.isNewUser) {
-        process.stdout.write("Welcome! Your ChainStream wallet has been created.\n");
-      } else {
-        process.stdout.write("Logged in successfully.\n");
-      }
-      process.stdout.write(`  EVM:    ${config.turnkey?.evmAddress}
-`);
-      process.stdout.write(`  Solana: ${config.turnkey?.solanaAddress}
-`);
+      await completeEmailLogin(opts.otpId, opts.code, opts.email);
     } catch (err) {
       exitOnError(err);
     }
@@ -1433,12 +1408,12 @@ function signTimestamp(timestampMs, privateKeyDerBase64) {
   });
   return sig.toString("hex");
 }
-async function callKeyAuth(publicKeyHex, uncompressedPublicKeyHex, timestampMs, signature) {
+async function authServiceRequest(path, body) {
   const authUrl = loadConfig().authUrl ?? CHAINSTREAM_AUTH_URL;
-  const res = await fetch(`${authUrl}/api/auth/key`, {
+  const res = await fetch(`${authUrl}${path}`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ publicKeyHex, uncompressedPublicKeyHex, timestampMs, signature })
+    body: JSON.stringify(body)
   });
   if (!res.ok) {
     const text = await res.text().catch(() => "");
@@ -1451,6 +1426,15 @@ async function callKeyAuth(publicKeyHex, uncompressedPublicKeyHex, timestampMs,
   }
   return res.json();
 }
+async function callKeyAuth(publicKeyHex, uncompressedPublicKeyHex, timestampMs, signature) {
+  return authServiceRequest("/api/auth/key", { publicKeyHex, uncompressedPublicKeyHex, timestampMs, signature });
+}
+async function callOtpInit(email, organizationId) {
+  return authServiceRequest("/api/auth/otp-init", { email, ...organizationId && { organizationId } });
+}
+async function callOtpVerify(otpId, otpCode, targetPublicKey, organizationId) {
+  return authServiceRequest("/api/auth/otp-verify", { otpId, otpCode, targetPublicKey, ...organizationId && { organizationId } });
+}
 async function doKeyLogin() {
   const existingKey = loadKey();
   if (existingKey?.organizationId) {
@@ -1537,10 +1521,8 @@ async function doKeyLogin() {
 `);
 }
 async function doEmailLogin(email) {
-  const configId = TURNKEY_CONFIG_ID;
-  if (!configId) throw new Error("TURNKEY_AUTH_PROXY_CONFIG_ID not set. Contact ChainStream support.");
   if (!email) {
-    const rl2 = readline3.createInterface({ input: process.stdin, output: process.stderr });
+    const rl2 = readline4.createInterface({ input: process.stdin, output: process.stderr });
     email = await rl2.question("Enter your email: ");
     rl2.close();
     if (!email?.trim()) throw new Error("Email required.");
@@ -1548,7 +1530,7 @@ async function doEmailLogin(email) {
   }
   process.stderr.write(`Sending OTP to ${email}...
 `);
-  const { otpId } = await otpInit(email, configId);
+  const { otpId } = await callOtpInit(email);
   if (!process.stdin.isTTY) {
     process.stdout.write(JSON.stringify({ otpId, email }) + "\n");
     process.stderr.write("Non-interactive mode: complete login with:\n");
@@ -1556,36 +1538,47 @@ async function doEmailLogin(email) {
 `);
     return;
   }
-  const rl = readline3.createInterface({ input: process.stdin, output: process.stderr });
+  const rl = readline4.createInterface({ input: process.stdin, output: process.stderr });
   const code = await rl.question("Enter OTP code: ");
   rl.close();
   if (!code?.trim()) throw new Error("OTP code required.");
+  await completeEmailLogin(otpId, code.trim(), email);
+}
+async function completeEmailLogin(otpId, code, email) {
+  const keyPair = generateP256KeyPair();
   process.stderr.write("Verifying...\n");
-  const result = await completeLogin(otpId, code.trim(), configId, email);
+  const result = await authServiceRequest("/api/auth/email-login", {
+    otpId,
+    otpCode: code,
+    email,
+    publicKeyHex: keyPair.publicKeyHex,
+    uncompressedPublicKeyHex: keyPair.uncompressedPublicKeyHex
+  });
   saveKey({
-    publicKeyHex: result.keyPair.publicKeyHex,
-    uncompressedPublicKeyHex: result.keyPair.uncompressedPublicKeyHex,
-    privateKeyDer: result.keyPair.privateKeyDer,
-    organizationId: result.organizationId
+    publicKeyHex: keyPair.publicKeyHex,
+    uncompressedPublicKeyHex: keyPair.uncompressedPublicKeyHex,
+    privateKeyDer: keyPair.privateKeyDer,
+    organizationId: result.orgId
+  });
+  updateConfig({
+    turnkey: {
+      publicKeyHex: keyPair.publicKeyHex,
+      privateKeyDer: keyPair.privateKeyDer,
+      organizationId: result.orgId,
+      sessionToken: "",
+      sessionExpiry: 0,
+      evmAddress: result.evmAddress,
+      solanaAddress: result.solanaAddress
+    }
   });
-  const turnkeyCreds = {
-    publicKeyHex: result.keyPair.publicKeyHex,
-    privateKeyDer: result.keyPair.privateKeyDer,
-    organizationId: result.organizationId,
-    sessionToken: result.session,
-    sessionExpiry: result.sessionExpiry
-  };
-  updateConfig({ turnkey: turnkeyCreds });
-  await resolveAndStoreAddresses(turnkeyCreds);
-  const config = loadConfig();
   if (result.isNewUser) {
     process.stdout.write("Welcome! Your ChainStream wallet has been created.\n");
   } else {
     process.stdout.write("Logged in successfully.\n");
   }
-  process.stdout.write(`  EVM:    ${config.turnkey?.evmAddress}
+  process.stdout.write(`  EVM:    ${result.evmAddress}
 `);
-  process.stdout.write(`  Solana: ${config.turnkey?.solanaAddress}
+  process.stdout.write(`  Solana: ${result.solanaAddress}
 `);
 }
 async function doBindEmail(email) {
@@ -1593,10 +1586,8 @@ async function doBindEmail(email) {
   if (!config.turnkey?.organizationId) {
     throw new Error("No wallet found. Run 'chainstream login' first.");
   }
-  const configId = TURNKEY_CONFIG_ID;
-  if (!configId) throw new Error("TURNKEY_AUTH_PROXY_CONFIG_ID not set.");
   if (!email) {
-    const rl2 = readline3.createInterface({ input: process.stdin, output: process.stderr });
+    const rl2 = readline4.createInterface({ input: process.stdin, output: process.stderr });
     email = await rl2.question("Enter email to bind: ");
     rl2.close();
     if (!email?.trim()) throw new Error("Email required.");
@@ -1604,24 +1595,29 @@ async function doBindEmail(email) {
   }
   process.stderr.write(`Sending verification code to ${email}...
 `);
-  const { otpId } = await otpInit(email, configId);
+  const { otpId } = await callOtpInit(email);
   if (!process.stdin.isTTY) {
-    process.stdout.write(JSON.stringify({ otpId, email }) + "\n");
-    process.stderr.write("Non-interactive mode. To complete binding, verify the OTP\n");
-    process.stderr.write("and call the Turnkey update_user_email API with the verificationToken.\n");
+    process.stdout.write(JSON.stringify({ otpId, email, step: "verify" }) + "\n");
+    process.stderr.write("Non-interactive mode. Complete with:\n");
+    process.stderr.write(`  chainstream bind-email-verify --otp-id ${otpId} --code <code> --email ${email}
+`);
     return;
   }
-  const rl = readline3.createInterface({ input: process.stdin, output: process.stderr });
+  const rl = readline4.createInterface({ input: process.stdin, output: process.stderr });
   const code = await rl.question("Enter verification code: ");
   rl.close();
   if (!code?.trim()) throw new Error("Verification code required.");
   process.stderr.write("Verifying...\n");
-  const { verificationToken } = await otpVerify(otpId, code.trim(), config.turnkey.publicKeyHex, configId);
-  process.stderr.write("Binding email to Turnkey wallet...\n");
+  const { verificationToken } = await callOtpVerify(
+    otpId,
+    code.trim(),
+    config.turnkey.publicKeyHex
+  );
+  process.stderr.write("Binding email to wallet...\n");
   await updateTurnkeyUserEmail(email, verificationToken, config.turnkey);
   process.stdout.write(`Email ${email} bound successfully.
 `);
-  process.stdout.write("You can now use this email for account recovery.\n");
+  process.stdout.write("You can now use 'chainstream login --email' with this email.\n");
 }
 
 // src/commands/config-cmd.ts
@@ -1630,7 +1626,7 @@ function registerConfigCommands(program2) {
   const config = program2.command("config").description("Configuration management");
   config.command("set").description("Set a configuration value").requiredOption("--key <key>", "Config key (apiKey, baseUrl)").requiredOption("--value <value>", "Config value").action((opts) => {
     try {
-      const allowedKeys = ["apiKey", "baseUrl"];
+      const allowedKeys = ["apiKey", "baseUrl", "walletChain", "plan"];
       if (!allowedKeys.includes(opts.key)) {
         throw new Error(`Invalid key "${opts.key}". Allowed: ${allowedKeys.join(", ")}`);
       }
@@ -1690,7 +1686,7 @@ function registerConfigCommands(program2) {
       } else {
         process.stdout.write("Auth: Not configured\n");
         process.stdout.write("  Run: chainstream login           # Turnkey wallet\n");
-        process.stdout.write("  Run: chainstream config set apiKey <key>  # API key\n");
+        process.stdout.write("  Run: chainstream config set --key apiKey --value <key>  # API key\n");
       }
     } catch (err) {
       exitOnError(err);