@coinfello/agent-cli 0.1.3 → 0.1.5

package/dist/index.js

@@ -2,12 +2,119 @@
 import { Command } from "commander";
 import { toMetaMaskSmartAccount, Implementation, createDelegation } from "@metamask/smart-accounts-kit";
 import { privateKeyToAccount, generatePrivateKey } from "viem/accounts";
+import { toWebAuthnAccount } from "viem/account-abstraction";
 import { createPublicClient, http, serializeErc6492Signature } from "viem";
 import * as chains from "viem/chains";
-import { randomBytes } from "node:crypto";
+import { createHash, randomBytes } from "node:crypto";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { platform, homedir } from "node:os";
 import { readFile, mkdir, writeFile } from "node:fs/promises";
-import { homedir } from "node:os";
-import { join } from "node:path";
+import { createSiweMessage } from "viem/siwe";
+const execFileAsync = promisify(execFile);
+const __filename$1 = fileURLToPath(import.meta.url);
+const __dirname$1 = dirname(__filename$1);
+function getBinaryPath() {
+  return join(__dirname$1, "secure-enclave-signer.app", "Contents", "MacOS", "secure-enclave-signer");
+}
+function isSecureEnclaveAvailable() {
+  return platform() === "darwin";
+}
+async function runCommand(args) {
+  const binaryPath = getBinaryPath();
+  try {
+    const { stdout } = await execFileAsync(binaryPath, args, {
+      timeout: 3e4
+    });
+    return JSON.parse(stdout.trim());
+  } catch (err) {
+    const error = err;
+    if (error.stderr) {
+      try {
+        const parsed = JSON.parse(error.stderr.trim());
+        throw new Error(`SecureEnclave [${parsed.error}]: ${parsed.message}`);
+      } catch (parseErr) {
+        if (parseErr instanceof SyntaxError) {
+          throw new Error(`SecureEnclave error: ${error.stderr}`);
+        }
+        throw parseErr;
+      }
+    }
+    throw new Error(`SecureEnclave command failed: ${error.message ?? "Unknown error"}`);
+  }
+}
+async function generateKey() {
+  const result = await runCommand(["generate"]);
+  return {
+    tag: result.tag,
+    x: BigInt(`0x${result.x}`),
+    y: BigInt(`0x${result.y}`)
+  };
+}
+async function signPayload(tag, payload) {
+  const hex = payload.startsWith("0x") ? payload.slice(2) : payload;
+  const result = await runCommand(["sign", "--tag", tag, "--payload", hex]);
+  return {
+    derSignature: `0x${result.signature}`
+  };
+}
+const RPID = "localhost";
+const ORIGIN = "https://localhost";
+function sha256(data) {
+  return createHash("sha256").update(data).digest();
+}
+function toBase64Url(buf) {
+  return buf.toString("base64url");
+}
+function createSecureEnclaveGetFn(keyTag) {
+  return async function getFn(options) {
+    const challengeBuffer = options?.publicKey?.challenge;
+    if (!challengeBuffer) {
+      throw new Error("No challenge in credential request options");
+    }
+    const challenge = Buffer.from(challengeBuffer);
+    const challengeBase64Url = toBase64Url(challenge);
+    const rpIdHash = sha256(Buffer.from(RPID, "utf-8"));
+    const flags = Buffer.from([5]);
+    const signCount = Buffer.alloc(4);
+    const authenticatorData = Buffer.concat([rpIdHash, flags, signCount]);
+    const clientDataObj = {
+      type: "webauthn.get",
+      challenge: challengeBase64Url,
+      origin: ORIGIN,
+      crossOrigin: false
+    };
+    const clientDataJSON = JSON.stringify(clientDataObj);
+    const clientDataBuffer = Buffer.from(clientDataJSON, "utf-8");
+    const clientDataHash = sha256(clientDataBuffer);
+    const payload = Buffer.concat([authenticatorData, clientDataHash]);
+    const payloadHex = `0x${payload.toString("hex")}`;
+    const { derSignature } = await signPayload(keyTag, payloadHex);
+    const sigHex = derSignature.startsWith("0x") ? derSignature.slice(2) : derSignature;
+    const signatureBuffer = Buffer.from(sigHex, "hex");
+    const credentialId = Buffer.from(keyTag, "utf-8").toString("base64url");
+    return {
+      id: credentialId,
+      type: "public-key",
+      rawId: toArrayBuffer(Buffer.from(keyTag, "utf-8")),
+      authenticatorAttachment: "platform",
+      response: {
+        authenticatorData: toArrayBuffer(authenticatorData),
+        clientDataJSON: toArrayBuffer(clientDataBuffer),
+        signature: toArrayBuffer(signatureBuffer)
+      },
+      getClientExtensionResults: () => ({})
+    };
+  };
+}
+function toArrayBuffer(buf) {
+  const ab = new ArrayBuffer(buf.byteLength);
+  const view = new Uint8Array(ab);
+  view.set(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength));
+  return ab;
+}
 function resolveChain(chainName) {
   const chain = chains[chainName];
   if (!chain) {
@@ -68,6 +175,77 @@ function createSubdelegation({
     salt: `0x${randomBytes(32).toString("hex")}`
   });
 }
+async function createSmartAccountWithSecureEnclave(chainInput) {
+  const chain = resolveChainInput(chainInput);
+  const publicClient = createPublicClient({ chain, transport: http() });
+  const keyPair = await generateKey();
+  const keyId = `0x${randomBytes(32).toString("hex")}`;
+  const xHex = keyPair.x.toString(16).padStart(64, "0");
+  const yHex = keyPair.y.toString(16).padStart(64, "0");
+  const publicKeyHex = `0x04${xHex}${yHex}`;
+  const credentialId = Buffer.from(keyPair.tag).toString("base64url");
+  const webAuthnAccount = toWebAuthnAccount({
+    credential: {
+      id: credentialId,
+      publicKey: publicKeyHex
+    },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    getFn: createSecureEnclaveGetFn(keyPair.tag),
+    rpId: "localhost"
+  });
+  const smartAccount = await toMetaMaskSmartAccount({
+    client: publicClient,
+    implementation: Implementation.Hybrid,
+    deployParams: [
+      "0x0000000000000000000000000000000000000000",
+      [keyId],
+      [keyPair.x],
+      [keyPair.y]
+    ],
+    deploySalt: "0x",
+    signer: { webAuthnAccount, keyId }
+  });
+  const address = await smartAccount.getAddress();
+  return {
+    smartAccount,
+    address,
+    keyTag: keyPair.tag,
+    publicKeyX: `0x${xHex}`,
+    publicKeyY: `0x${yHex}`,
+    keyId
+  };
+}
+async function getSmartAccountFromSecureEnclave(keyTag, publicKeyX, publicKeyY, keyId, chainInput) {
+  const chain = resolveChainInput(chainInput);
+  const publicClient = createPublicClient({ chain, transport: http() });
+  const xBigInt = BigInt(publicKeyX);
+  const yBigInt = BigInt(publicKeyY);
+  const xHex = xBigInt.toString(16).padStart(64, "0");
+  const yHex = yBigInt.toString(16).padStart(64, "0");
+  const publicKeyHex = `0x04${xHex}${yHex}`;
+  const credentialId = Buffer.from(keyTag).toString("base64url");
+  const webAuthnAccount = toWebAuthnAccount({
+    credential: {
+      id: credentialId,
+      publicKey: publicKeyHex
+    },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    getFn: createSecureEnclaveGetFn(keyTag),
+    rpId: "localhost"
+  });
+  return toMetaMaskSmartAccount({
+    client: publicClient,
+    implementation: Implementation.Hybrid,
+    deployParams: [
+      "0x0000000000000000000000000000000000000000",
+      [keyId],
+      [xBigInt],
+      [yBigInt]
+    ],
+    deploySalt: "0x",
+    signer: { webAuthnAccount, keyId }
+  });
+}
 const CONFIG_DIR = join(homedir(), ".clawdbot", "skills", "coinfello");
 const CONFIG_PATH = join(CONFIG_DIR, "config.json");
 async function loadConfig() {
@@ -860,7 +1038,7 @@ function validate(bool, cbOrMessage, message) {
 }
 var ParameterError = class extends Error {
 };
-var version$1 = "6.0.0";
+var version = "6.0.0";
 var PrefixSecurityEnum = {
   SILENT: "silent",
   STRICT: "strict",
@@ -2306,7 +2484,7 @@ var CookieJar = class _CookieJar {
       // The version of tough-cookie that serialized this jar. Generally a good
       // practice since future versions can make data import decisions based on
       // known past behavior. When/if this matters, use `semver`.
-      version: `tough-cookie@${version$1}`,
+      version: `tough-cookie@${version}`,
       // add the store type, to make humans happy:
       storeType: type,
       // CookieJar configuration:
@@ -2720,797 +2898,35 @@ async function getTransactionStatus(txnId) {
   }
   return response.json();
 }
-const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
-const _32n = /* @__PURE__ */ BigInt(32);
-function fromBig(n, le = false) {
-  if (le)
-    return { h: Number(n & U32_MASK64), l: Number(n >> _32n & U32_MASK64) };
-  return { h: Number(n >> _32n & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
-}
-function split(lst, le = false) {
-  const len = lst.length;
-  let Ah = new Uint32Array(len);
-  let Al = new Uint32Array(len);
-  for (let i = 0; i < len; i++) {
-    const { h, l } = fromBig(lst[i], le);
-    [Ah[i], Al[i]] = [h, l];
-  }
-  return [Ah, Al];
-}
-const rotlSH = (h, l, s) => h << s | l >>> 32 - s;
-const rotlSL = (h, l, s) => l << s | h >>> 32 - s;
-const rotlBH = (h, l, s) => l << s - 32 | h >>> 64 - s;
-const rotlBL = (h, l, s) => h << s - 32 | l >>> 64 - s;
-function isBytes(a) {
-  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
-}
-function anumber(n) {
-  if (!Number.isSafeInteger(n) || n < 0)
-    throw new Error("positive integer expected, got " + n);
-}
-function abytes(b, ...lengths) {
-  if (!isBytes(b))
-    throw new Error("Uint8Array expected");
-  if (lengths.length > 0 && !lengths.includes(b.length))
-    throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
-}
-function aexists(instance, checkFinished = true) {
-  if (instance.destroyed)
-    throw new Error("Hash instance has been destroyed");
-  if (checkFinished && instance.finished)
-    throw new Error("Hash#digest() has already been called");
-}
-function aoutput(out, instance) {
-  abytes(out);
-  const min = instance.outputLen;
-  if (out.length < min) {
-    throw new Error("digestInto() expects output buffer of length at least " + min);
-  }
-}
-function u32(arr) {
-  return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
-}
-function clean(...arrays) {
-  for (let i = 0; i < arrays.length; i++) {
-    arrays[i].fill(0);
-  }
-}
-const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68)();
-function byteSwap(word) {
-  return word << 24 & 4278190080 | word << 8 & 16711680 | word >>> 8 & 65280 | word >>> 24 & 255;
-}
-function byteSwap32(arr) {
-  for (let i = 0; i < arr.length; i++) {
-    arr[i] = byteSwap(arr[i]);
-  }
-  return arr;
-}
-const swap32IfBE = isLE ? (u) => u : byteSwap32;
-function utf8ToBytes(str) {
-  if (typeof str !== "string")
-    throw new Error("string expected");
-  return new Uint8Array(new TextEncoder().encode(str));
-}
-function toBytes$1(data) {
-  if (typeof data === "string")
-    data = utf8ToBytes(data);
-  abytes(data);
-  return data;
-}
-class Hash {
-}
-function createHasher(hashCons) {
-  const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
-  const tmp = hashCons();
-  hashC.outputLen = tmp.outputLen;
-  hashC.blockLen = tmp.blockLen;
-  hashC.create = () => hashCons();
-  return hashC;
-}
-const _0n = BigInt(0);
-const _1n = BigInt(1);
-const _2n = BigInt(2);
-const _7n = BigInt(7);
-const _256n = BigInt(256);
-const _0x71n = BigInt(113);
-const SHA3_PI = [];
-const SHA3_ROTL = [];
-const _SHA3_IOTA = [];
-for (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {
-  [x, y] = [y, (2 * x + 3 * y) % 5];
-  SHA3_PI.push(2 * (5 * y + x));
-  SHA3_ROTL.push((round + 1) * (round + 2) / 2 % 64);
-  let t = _0n;
-  for (let j = 0; j < 7; j++) {
-    R = (R << _1n ^ (R >> _7n) * _0x71n) % _256n;
-    if (R & _2n)
-      t ^= _1n << (_1n << /* @__PURE__ */ BigInt(j)) - _1n;
-  }
-  _SHA3_IOTA.push(t);
-}
-const IOTAS = split(_SHA3_IOTA, true);
-const SHA3_IOTA_H = IOTAS[0];
-const SHA3_IOTA_L = IOTAS[1];
-const rotlH = (h, l, s) => s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s);
-const rotlL = (h, l, s) => s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s);
-function keccakP(s, rounds = 24) {
-  const B = new Uint32Array(5 * 2);
-  for (let round = 24 - rounds; round < 24; round++) {
-    for (let x = 0; x < 10; x++)
-      B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
-    for (let x = 0; x < 10; x += 2) {
-      const idx1 = (x + 8) % 10;
-      const idx0 = (x + 2) % 10;
-      const B0 = B[idx0];
-      const B1 = B[idx0 + 1];
-      const Th = rotlH(B0, B1, 1) ^ B[idx1];
-      const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
-      for (let y = 0; y < 50; y += 10) {
-        s[x + y] ^= Th;
-        s[x + y + 1] ^= Tl;
-      }
-    }
-    let curH = s[2];
-    let curL = s[3];
-    for (let t = 0; t < 24; t++) {
-      const shift = SHA3_ROTL[t];
-      const Th = rotlH(curH, curL, shift);
-      const Tl = rotlL(curH, curL, shift);
-      const PI = SHA3_PI[t];
-      curH = s[PI];
-      curL = s[PI + 1];
-      s[PI] = Th;
-      s[PI + 1] = Tl;
-    }
-    for (let y = 0; y < 50; y += 10) {
-      for (let x = 0; x < 10; x++)
-        B[x] = s[y + x];
-      for (let x = 0; x < 10; x++)
-        s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
-    }
-    s[0] ^= SHA3_IOTA_H[round];
-    s[1] ^= SHA3_IOTA_L[round];
-  }
-  clean(B);
-}
-class Keccak extends Hash {
-  // NOTE: we accept arguments in bytes instead of bits here.
-  constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
-    super();
-    this.pos = 0;
-    this.posOut = 0;
-    this.finished = false;
-    this.destroyed = false;
-    this.enableXOF = false;
-    this.blockLen = blockLen;
-    this.suffix = suffix;
-    this.outputLen = outputLen;
-    this.enableXOF = enableXOF;
-    this.rounds = rounds;
-    anumber(outputLen);
-    if (!(0 < blockLen && blockLen < 200))
-      throw new Error("only keccak-f1600 function is supported");
-    this.state = new Uint8Array(200);
-    this.state32 = u32(this.state);
-  }
-  clone() {
-    return this._cloneInto();
-  }
-  keccak() {
-    swap32IfBE(this.state32);
-    keccakP(this.state32, this.rounds);
-    swap32IfBE(this.state32);
-    this.posOut = 0;
-    this.pos = 0;
-  }
-  update(data) {
-    aexists(this);
-    data = toBytes$1(data);
-    abytes(data);
-    const { blockLen, state } = this;
-    const len = data.length;
-    for (let pos = 0; pos < len; ) {
-      const take = Math.min(blockLen - this.pos, len - pos);
-      for (let i = 0; i < take; i++)
-        state[this.pos++] ^= data[pos++];
-      if (this.pos === blockLen)
-        this.keccak();
-    }
-    return this;
-  }
-  finish() {
-    if (this.finished)
-      return;
-    this.finished = true;
-    const { state, suffix, pos, blockLen } = this;
-    state[pos] ^= suffix;
-    if ((suffix & 128) !== 0 && pos === blockLen - 1)
-      this.keccak();
-    state[blockLen - 1] ^= 128;
-    this.keccak();
-  }
-  writeInto(out) {
-    aexists(this, false);
-    abytes(out);
-    this.finish();
-    const bufferOut = this.state;
-    const { blockLen } = this;
-    for (let pos = 0, len = out.length; pos < len; ) {
-      if (this.posOut >= blockLen)
-        this.keccak();
-      const take = Math.min(blockLen - this.posOut, len - pos);
-      out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
-      this.posOut += take;
-      pos += take;
-    }
-    return out;
-  }
-  xofInto(out) {
-    if (!this.enableXOF)
-      throw new Error("XOF is not possible for this instance");
-    return this.writeInto(out);
-  }
-  xof(bytes) {
-    anumber(bytes);
-    return this.xofInto(new Uint8Array(bytes));
-  }
-  digestInto(out) {
-    aoutput(out, this);
-    if (this.finished)
-      throw new Error("digest() was already called");
-    this.writeInto(out);
-    this.destroy();
-    return out;
-  }
-  digest() {
-    return this.digestInto(new Uint8Array(this.outputLen));
-  }
-  destroy() {
-    this.destroyed = true;
-    clean(this.state);
-  }
-  _cloneInto(to) {
-    const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
-    to || (to = new Keccak(blockLen, suffix, outputLen, enableXOF, rounds));
-    to.state32.set(this.state32);
-    to.pos = this.pos;
-    to.posOut = this.posOut;
-    to.finished = this.finished;
-    to.rounds = rounds;
-    to.suffix = suffix;
-    to.outputLen = outputLen;
-    to.enableXOF = enableXOF;
-    to.destroyed = this.destroyed;
-    return to;
-  }
-}
-const gen = (suffix, blockLen, outputLen) => createHasher(() => new Keccak(blockLen, suffix, outputLen));
-const keccak_256 = /* @__PURE__ */ (() => gen(1, 136, 256 / 8))();
-function isHex(value, { strict = true } = {}) {
-  if (!value)
-    return false;
-  if (typeof value !== "string")
-    return false;
-  return strict ? /^0x[0-9a-fA-F]*$/.test(value) : value.startsWith("0x");
-}
-const version = "2.45.1";
-let errorConfig = {
-  getDocsUrl: ({ docsBaseUrl, docsPath = "", docsSlug }) => docsPath ? `${docsBaseUrl ?? "https://viem.sh"}${docsPath}${docsSlug ? `#${docsSlug}` : ""}` : void 0,
-  version: `viem@${version}`
-};
-class BaseError extends Error {
-  constructor(shortMessage, args = {}) {
-    const details = (() => {
-      if (args.cause instanceof BaseError)
-        return args.cause.details;
-      if (args.cause?.message)
-        return args.cause.message;
-      return args.details;
-    })();
-    const docsPath = (() => {
-      if (args.cause instanceof BaseError)
-        return args.cause.docsPath || args.docsPath;
-      return args.docsPath;
-    })();
-    const docsUrl = errorConfig.getDocsUrl?.({ ...args, docsPath });
-    const message = [
-      shortMessage || "An error occurred.",
-      "",
-      ...args.metaMessages ? [...args.metaMessages, ""] : [],
-      ...docsUrl ? [`Docs: ${docsUrl}`] : [],
-      ...details ? [`Details: ${details}`] : [],
-      ...errorConfig.version ? [`Version: ${errorConfig.version}`] : []
-    ].join("\n");
-    super(message, args.cause ? { cause: args.cause } : void 0);
-    Object.defineProperty(this, "details", {
-      enumerable: true,
-      configurable: true,
-      writable: true,
-      value: void 0
-    });
-    Object.defineProperty(this, "docsPath", {
-      enumerable: true,
-      configurable: true,
-      writable: true,
-      value: void 0
-    });
-    Object.defineProperty(this, "metaMessages", {
-      enumerable: true,
-      configurable: true,
-      writable: true,
-      value: void 0
-    });
-    Object.defineProperty(this, "shortMessage", {
-      enumerable: true,
-      configurable: true,
-      writable: true,
-      value: void 0
-    });
-    Object.defineProperty(this, "version", {
-      enumerable: true,
-      configurable: true,
-      writable: true,
-      value: void 0
-    });
-    Object.defineProperty(this, "name", {
-      enumerable: true,
-      configurable: true,
-      writable: true,
-      value: "BaseError"
-    });
-    this.details = details;
-    this.docsPath = docsPath;
-    this.metaMessages = args.metaMessages;
-    this.name = args.name ?? this.name;
-    this.shortMessage = shortMessage;
-    this.version = version;
-  }
-  walk(fn) {
-    return walk(this, fn);
-  }
-}
-function walk(err, fn) {
-  if (fn?.(err))
-    return err;
-  if (err && typeof err === "object" && "cause" in err && err.cause !== void 0)
-    return walk(err.cause, fn);
-  return fn ? null : err;
-}
-class SizeExceedsPaddingSizeError extends BaseError {
-  constructor({ size: size2, targetSize, type }) {
-    super(`${type.charAt(0).toUpperCase()}${type.slice(1).toLowerCase()} size (${size2}) exceeds padding size (${targetSize}).`, { name: "SizeExceedsPaddingSizeError" });
-  }
-}
-function pad(hexOrBytes, { dir, size: size2 = 32 } = {}) {
-  if (typeof hexOrBytes === "string")
-    return padHex(hexOrBytes, { dir, size: size2 });
-  return padBytes(hexOrBytes, { dir, size: size2 });
-}
-function padHex(hex_, { dir, size: size2 = 32 } = {}) {
-  if (size2 === null)
-    return hex_;
-  const hex = hex_.replace("0x", "");
-  if (hex.length > size2 * 2)
-    throw new SizeExceedsPaddingSizeError({
-      size: Math.ceil(hex.length / 2),
-      targetSize: size2,
-      type: "hex"
-    });
-  return `0x${hex[dir === "right" ? "padEnd" : "padStart"](size2 * 2, "0")}`;
-}
-function padBytes(bytes, { dir, size: size2 = 32 } = {}) {
-  if (size2 === null)
-    return bytes;
-  if (bytes.length > size2)
-    throw new SizeExceedsPaddingSizeError({
-      size: bytes.length,
-      targetSize: size2,
-      type: "bytes"
-    });
-  const paddedBytes = new Uint8Array(size2);
-  for (let i = 0; i < size2; i++) {
-    const padEnd = dir === "right";
-    paddedBytes[padEnd ? i : size2 - i - 1] = bytes[padEnd ? i : bytes.length - i - 1];
-  }
-  return paddedBytes;
-}
-class IntegerOutOfRangeError extends BaseError {
-  constructor({ max, min, signed, size: size2, value }) {
-    super(`Number "${value}" is not in safe ${size2 ? `${size2 * 8}-bit ${signed ? "signed" : "unsigned"} ` : ""}integer range ${max ? `(${min} to ${max})` : `(above ${min})`}`, { name: "IntegerOutOfRangeError" });
-  }
-}
-class SizeOverflowError extends BaseError {
-  constructor({ givenSize, maxSize }) {
-    super(`Size cannot exceed ${maxSize} bytes. Given size: ${givenSize} bytes.`, { name: "SizeOverflowError" });
-  }
-}
-function size(value) {
-  if (isHex(value, { strict: false }))
-    return Math.ceil((value.length - 2) / 2);
-  return value.length;
-}
-function assertSize(hexOrBytes, { size: size$1 }) {
-  if (size(hexOrBytes) > size$1)
-    throw new SizeOverflowError({
-      givenSize: size(hexOrBytes),
-      maxSize: size$1
-    });
-}
-function numberToHex(value_, opts = {}) {
-  const { signed, size: size2 } = opts;
-  const value = BigInt(value_);
-  let maxValue;
-  if (size2) {
-    if (signed)
-      maxValue = (1n << BigInt(size2) * 8n - 1n) - 1n;
-    else
-      maxValue = 2n ** (BigInt(size2) * 8n) - 1n;
-  } else if (typeof value_ === "number") {
-    maxValue = BigInt(Number.MAX_SAFE_INTEGER);
-  }
-  const minValue = typeof maxValue === "bigint" && signed ? -maxValue - 1n : 0;
-  if (maxValue && value > maxValue || value < minValue) {
-    const suffix = typeof value_ === "bigint" ? "n" : "";
-    throw new IntegerOutOfRangeError({
-      max: maxValue ? `${maxValue}${suffix}` : void 0,
-      min: `${minValue}${suffix}`,
-      signed,
-      size: size2,
-      value: `${value_}${suffix}`
-    });
-  }
-  const hex = `0x${(signed && value < 0 ? (1n << BigInt(size2 * 8)) + BigInt(value) : value).toString(16)}`;
-  if (size2)
-    return pad(hex, { size: size2 });
-  return hex;
-}
-const encoder = /* @__PURE__ */ new TextEncoder();
-function toBytes(value, opts = {}) {
-  if (typeof value === "number" || typeof value === "bigint")
-    return numberToBytes(value, opts);
-  if (typeof value === "boolean")
-    return boolToBytes(value, opts);
-  if (isHex(value))
-    return hexToBytes(value, opts);
-  return stringToBytes(value, opts);
-}
-function boolToBytes(value, opts = {}) {
-  const bytes = new Uint8Array(1);
-  bytes[0] = Number(value);
-  if (typeof opts.size === "number") {
-    assertSize(bytes, { size: opts.size });
-    return pad(bytes, { size: opts.size });
-  }
-  return bytes;
-}
-const charCodeMap = {
-  zero: 48,
-  nine: 57,
-  A: 65,
-  F: 70,
-  a: 97,
-  f: 102
-};
-function charCodeToBase16(char) {
-  if (char >= charCodeMap.zero && char <= charCodeMap.nine)
-    return char - charCodeMap.zero;
-  if (char >= charCodeMap.A && char <= charCodeMap.F)
-    return char - (charCodeMap.A - 10);
-  if (char >= charCodeMap.a && char <= charCodeMap.f)
-    return char - (charCodeMap.a - 10);
-  return void 0;
-}
-function hexToBytes(hex_, opts = {}) {
-  let hex = hex_;
-  if (opts.size) {
-    assertSize(hex, { size: opts.size });
-    hex = pad(hex, { dir: "right", size: opts.size });
-  }
-  let hexString = hex.slice(2);
-  if (hexString.length % 2)
-    hexString = `0${hexString}`;
-  const length = hexString.length / 2;
-  const bytes = new Uint8Array(length);
-  for (let index = 0, j = 0; index < length; index++) {
-    const nibbleLeft = charCodeToBase16(hexString.charCodeAt(j++));
-    const nibbleRight = charCodeToBase16(hexString.charCodeAt(j++));
-    if (nibbleLeft === void 0 || nibbleRight === void 0) {
-      throw new BaseError(`Invalid byte sequence ("${hexString[j - 2]}${hexString[j - 1]}" in "${hexString}").`);
-    }
-    bytes[index] = nibbleLeft * 16 + nibbleRight;
-  }
-  return bytes;
-}
-function numberToBytes(value, opts) {
-  const hex = numberToHex(value, opts);
-  return hexToBytes(hex);
-}
-function stringToBytes(value, opts = {}) {
-  const bytes = encoder.encode(value);
-  if (typeof opts.size === "number") {
-    assertSize(bytes, { size: opts.size });
-    return pad(bytes, { dir: "right", size: opts.size });
-  }
-  return bytes;
-}
-function keccak256(value, to_) {
-  const bytes = keccak_256(isHex(value, { strict: false }) ? toBytes(value) : value);
-  return bytes;
-}
-class LruMap extends Map {
-  constructor(size2) {
-    super();
-    Object.defineProperty(this, "maxSize", {
-      enumerable: true,
-      configurable: true,
-      writable: true,
-      value: void 0
-    });
-    this.maxSize = size2;
-  }
-  get(key) {
-    const value = super.get(key);
-    if (super.has(key) && value !== void 0) {
-      this.delete(key);
-      super.set(key, value);
-    }
-    return value;
-  }
-  set(key, value) {
-    super.set(key, value);
-    if (this.maxSize && this.size > this.maxSize) {
-      const firstKey = this.keys().next().value;
-      if (firstKey)
-        this.delete(firstKey);
-    }
-    return this;
-  }
-}
-class InvalidAddressError extends BaseError {
-  constructor({ address }) {
-    super(`Address "${address}" is invalid.`, {
-      metaMessages: [
-        "- Address must be a hex value of 20 bytes (40 hex characters).",
-        "- Address must match its checksum counterpart."
-      ],
-      name: "InvalidAddressError"
-    });
-  }
-}
-const checksumAddressCache = /* @__PURE__ */ new LruMap(8192);
-function checksumAddress(address_, chainId) {
-  if (checksumAddressCache.has(`${address_}.${chainId}`))
-    return checksumAddressCache.get(`${address_}.${chainId}`);
-  const hexAddress = address_.substring(2).toLowerCase();
-  const hash = keccak256(stringToBytes(hexAddress));
-  const address = hexAddress.split("");
-  for (let i = 0; i < 40; i += 2) {
-    if (hash[i >> 1] >> 4 >= 8 && address[i]) {
-      address[i] = address[i].toUpperCase();
-    }
-    if ((hash[i >> 1] & 15) >= 8 && address[i + 1]) {
-      address[i + 1] = address[i + 1].toUpperCase();
-    }
-  }
-  const result = `0x${address.join("")}`;
-  checksumAddressCache.set(`${address_}.${chainId}`, result);
-  return result;
-}
-function getAddress(address, chainId) {
-  if (!isAddress(address, { strict: false }))
-    throw new InvalidAddressError({ address });
-  return checksumAddress(address, chainId);
-}
-const addressRegex = /^0x[a-fA-F0-9]{40}$/;
-const isAddressCache = /* @__PURE__ */ new LruMap(8192);
-function isAddress(address, options) {
-  const { strict = true } = options ?? {};
-  const cacheKey = `${address}.${strict}`;
-  if (isAddressCache.has(cacheKey))
-    return isAddressCache.get(cacheKey);
-  const result = (() => {
-    if (!addressRegex.test(address))
-      return false;
-    if (address.toLowerCase() === address)
-      return true;
-    if (strict)
-      return checksumAddress(address) === address;
-    return true;
-  })();
-  isAddressCache.set(cacheKey, result);
-  return result;
-}
-class SiweInvalidMessageFieldError extends BaseError {
-  constructor(parameters) {
-    const { docsPath, field, metaMessages } = parameters;
-    super(`Invalid Sign-In with Ethereum message field "${field}".`, {
-      docsPath,
-      metaMessages,
-      name: "SiweInvalidMessageFieldError"
-    });
-  }
-}
-function isUri(value) {
-  if (/[^a-z0-9:/?#[\]@!$&'()*+,;=.\-_~%]/i.test(value))
-    return false;
-  if (/%[^0-9a-f]/i.test(value))
-    return false;
-  if (/%[0-9a-f](:?[^0-9a-f]|$)/i.test(value))
-    return false;
-  const splitted = splitUri(value);
-  const scheme = splitted[1];
-  const authority = splitted[2];
-  const path = splitted[3];
-  const query = splitted[4];
-  const fragment = splitted[5];
-  if (!(scheme?.length && path.length >= 0))
-    return false;
-  if (authority?.length) {
-    if (!(path.length === 0 || /^\//.test(path)))
-      return false;
-  } else {
-    if (/^\/\//.test(path))
-      return false;
-  }
-  if (!/^[a-z][a-z0-9+\-.]*$/.test(scheme.toLowerCase()))
-    return false;
-  let out = "";
-  out += `${scheme}:`;
-  if (authority?.length)
-    out += `//${authority}`;
-  out += path;
-  if (query?.length)
-    out += `?${query}`;
-  if (fragment?.length)
-    out += `#${fragment}`;
-  return out;
-}
-function splitUri(value) {
-  return value.match(/(?:([^:/?#]+):)?(?:\/\/([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?/);
-}
-function createSiweMessage(parameters) {
-  const { chainId, domain, expirationTime, issuedAt = /* @__PURE__ */ new Date(), nonce, notBefore, requestId, resources, scheme, uri, version: version2 } = parameters;
-  {
-    if (chainId !== Math.floor(chainId))
-      throw new SiweInvalidMessageFieldError({
-        field: "chainId",
-        metaMessages: [
-          "- Chain ID must be a EIP-155 chain ID.",
-          "- See https://eips.ethereum.org/EIPS/eip-155",
-          "",
-          `Provided value: ${chainId}`
-        ]
-      });
-    if (!(domainRegex.test(domain) || ipRegex.test(domain) || localhostRegex.test(domain)))
-      throw new SiweInvalidMessageFieldError({
-        field: "domain",
-        metaMessages: [
-          "- Domain must be an RFC 3986 authority.",
-          "- See https://www.rfc-editor.org/rfc/rfc3986",
-          "",
-          `Provided value: ${domain}`
-        ]
-      });
-    if (!nonceRegex.test(nonce))
-      throw new SiweInvalidMessageFieldError({
-        field: "nonce",
-        metaMessages: [
-          "- Nonce must be at least 8 characters.",
-          "- Nonce must be alphanumeric.",
-          "",
-          `Provided value: ${nonce}`
-        ]
-      });
-    if (!isUri(uri))
-      throw new SiweInvalidMessageFieldError({
-        field: "uri",
-        metaMessages: [
-          "- URI must be a RFC 3986 URI referring to the resource that is the subject of the signing.",
-          "- See https://www.rfc-editor.org/rfc/rfc3986",
-          "",
-          `Provided value: ${uri}`
-        ]
-      });
-    if (version2 !== "1")
-      throw new SiweInvalidMessageFieldError({
-        field: "version",
-        metaMessages: [
-          "- Version must be '1'.",
-          "",
-          `Provided value: ${version2}`
-        ]
-      });
-    if (scheme && !schemeRegex.test(scheme))
-      throw new SiweInvalidMessageFieldError({
-        field: "scheme",
-        metaMessages: [
-          "- Scheme must be an RFC 3986 URI scheme.",
-          "- See https://www.rfc-editor.org/rfc/rfc3986#section-3.1",
-          "",
-          `Provided value: ${scheme}`
-        ]
-      });
-    const statement2 = parameters.statement;
-    if (statement2?.includes("\n"))
-      throw new SiweInvalidMessageFieldError({
-        field: "statement",
-        metaMessages: [
-          "- Statement must not include '\\n'.",
-          "",
-          `Provided value: ${statement2}`
-        ]
-      });
-  }
-  const address = getAddress(parameters.address);
-  const origin = (() => {
-    if (scheme)
-      return `${scheme}://${domain}`;
-    return domain;
-  })();
-  const statement = (() => {
-    if (!parameters.statement)
-      return "";
-    return `${parameters.statement}
-`;
-  })();
-  const prefix = `${origin} wants you to sign in with your Ethereum account:
-${address}
-
-${statement}`;
-  let suffix = `URI: ${uri}
-Version: ${version2}
-Chain ID: ${chainId}
-Nonce: ${nonce}
-Issued At: ${issuedAt.toISOString()}`;
-  if (expirationTime)
-    suffix += `
-Expiration Time: ${expirationTime.toISOString()}`;
-  if (notBefore)
-    suffix += `
-Not Before: ${notBefore.toISOString()}`;
-  if (requestId)
-    suffix += `
-Request ID: ${requestId}`;
-  if (resources) {
-    let content = "\nResources:";
-    for (const resource of resources) {
-      if (!isUri(resource))
-        throw new SiweInvalidMessageFieldError({
-          field: "resources",
-          metaMessages: [
-            "- Every resource must be a RFC 3986 URI.",
-            "- See https://www.rfc-editor.org/rfc/rfc3986",
-            "",
-            `Provided value: ${resource}`
-          ]
-        });
-      content += `
-- ${resource}`;
-    }
-    suffix += content;
-  }
-  return `${prefix}
-${suffix}`;
-}
-const domainRegex = /^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}(:[0-9]{1,5})?$/;
-const ipRegex = /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(:[0-9]{1,5})?$/;
-const localhostRegex = /^localhost(:[0-9]{1,5})?$/;
-const nonceRegex = /^[a-zA-Z0-9]{8,}$/;
-const schemeRegex = /^([a-zA-Z][a-zA-Z0-9+-.]*)$/;
 async function signInWithAgent(baseUrl, config) {
-  if (!config.private_key) {
-    throw new Error("No private key found in config. Run 'create_account' first.");
-  }
   if (!config.smart_account_address) {
     throw new Error("No smart account address found in config. Run 'create_account' first.");
   }
   if (!config.chain) {
     throw new Error("No chain found in config. Run 'create_account' first.");
   }
+  if (config.signer_type !== "secureEnclave" && !config.private_key) {
+    throw new Error("No private key found in config. Run 'create_account' first.");
+  }
   const chain = resolveChain(config.chain);
   const chainId = chain.id;
   const walletAddress = config.smart_account_address;
-  const { smartAccount } = await createSmartAccount(config.private_key, config.chain);
+  let smartAccount;
+  if (config.signer_type === "secureEnclave") {
+    if (!config.secure_enclave) {
+      throw new Error("Secure Enclave config missing. Run 'create_account --secure-enclave' first.");
+    }
+    smartAccount = await getSmartAccountFromSecureEnclave(
+      config.secure_enclave.key_tag,
+      config.secure_enclave.public_key_x,
+      config.secure_enclave.public_key_y,
+      config.secure_enclave.key_id,
+      config.chain
+    );
+  } else {
+    const result2 = await createSmartAccount(config.private_key, config.chain);
+    smartAccount = result2.smartAccount;
+  }
   const url = new URL(baseUrl);
   const domain = url.host;
   console.log("fetching nonce...");
@@ -3615,7 +3031,8 @@ function parseScope(raw) {
       return {
         type: "functionCall",
         targets: (raw.targets ?? []).map((t) => t),
-        selectors: (raw.selectors ?? []).map((s) => s)
+        selectors: (raw.selectors ?? []).map((s) => s),
+        ...raw.valueLte?.maxValue ? { valueLte: { maxValue: BigInt(raw.valueLte.maxValue) } } : {}
       };
     default:
       throw new Error(`Unsupported delegation scope type: "${raw.type}"`);
@@ -3623,24 +3040,67 @@ function parseScope(raw) {
 }
 const program = new Command();
 program.name("openclaw").description("CoinFello CLI - MetaMask Smart Account interactions").version("1.0.0");
-program.command("create_account").description("Create a MetaMask smart account and save its address to local config").argument("<chain>", "Chain name (e.g. sepolia, mainnet, polygon, arbitrum)").action(async (chain) => {
-  try {
-    console.log(`Creating smart account on ${chain}...`);
-    const privateKey = generatePrivateKey();
-    const { address } = await createSmartAccount(privateKey, chain);
-    const config = await loadConfig();
-    config.private_key = privateKey;
-    config.smart_account_address = address;
-    config.chain = chain;
-    await saveConfig(config);
-    console.log("Smart account created successfully.");
-    console.log(`Address: ${address}`);
-    console.log(`Config saved to: ${CONFIG_PATH}`);
-  } catch (err) {
-    console.error(`Failed to create account: ${err.message}`);
-    process.exit(1);
+program.command("create_account").description("Create a MetaMask smart account and save its address to local config").argument("<chain>", "Chain name (e.g. sepolia, mainnet, polygon, arbitrum)").option(
+  "--use-unsafe-private-key",
+  "Use a raw private key instead of hardware-backed key (Secure Enclave / TPM 2.0)"
+).option("--delete-existing-private-key", "Delete the existing account and create a new one").action(
+  async (chain, opts) => {
+    try {
+      const config = await loadConfig();
+      if (config.smart_account_address) {
+        if (!opts.deleteExistingPrivateKey) {
+          console.error(
+            `Error: An account already exists (${config.smart_account_address}). Use --delete-existing-private-key to overwrite it.`
+          );
+          process.exit(1);
+        }
+        console.warn("Deleting existing account and creating a new one...");
+      }
+      const useHardwareKey = !opts.useUnsafePrivateKey && isSecureEnclaveAvailable();
+      if (useHardwareKey) {
+        console.log(`Creating Secure Enclave-backed smart account on ${chain}...`);
+        const { address, keyTag, publicKeyX, publicKeyY, keyId } = await createSmartAccountWithSecureEnclave(chain);
+        const config2 = await loadConfig();
+        config2.signer_type = "secureEnclave";
+        config2.smart_account_address = address;
+        config2.chain = chain;
+        config2.secure_enclave = {
+          key_tag: keyTag,
+          public_key_x: publicKeyX,
+          public_key_y: publicKeyY,
+          key_id: keyId
+        };
+        delete config2.private_key;
+        await saveConfig(config2);
+        console.log("Secure Enclave smart account created successfully.");
+        console.log(`Address: ${address}`);
+        console.log(`Key tag: ${keyTag}`);
+        console.log(`Config saved to: ${CONFIG_PATH}`);
+      } else {
+        if (!opts.useUnsafePrivateKey) {
+          console.warn(
+            "Warning: No hardware key support detected. Falling back to raw private key."
+          );
+        }
+        console.log(`Creating smart account on ${chain}...`);
+        const privateKey = generatePrivateKey();
+        const { address } = await createSmartAccount(privateKey, chain);
+        const config2 = await loadConfig();
+        config2.private_key = privateKey;
+        config2.signer_type = "privateKey";
+        config2.smart_account_address = address;
+        config2.chain = chain;
+        await saveConfig(config2);
+        console.log("Smart account created successfully.");
+        console.log(`Address: ${address}`);
+        console.log(`Config saved to: ${CONFIG_PATH}`);
+      }
+    } catch (err) {
+      console.error(`Failed to create account: ${err.message}`);
+      process.exit(1);
+    }
   }
-});
+);
 program.command("get_account").description("Display the current smart account address from local config").action(async () => {
   try {
     const config = await loadConfig();
@@ -3687,10 +3147,6 @@ program.command("set_delegation").description("Store a signed delegation (JSON)
 program.command("send_prompt").description("Send a prompt to CoinFello, creating a delegation if requested by the server").argument("<prompt>", "The prompt to send").action(async (prompt) => {
   try {
     const config = await loadConfig();
-    if (!config.private_key) {
-      console.error("Error: No private key found in config. Run 'create_account' first.");
-      process.exit(1);
-    }
     if (!config.smart_account_address) {
       console.error("Error: No smart account found. Run 'create_account' first.");
       process.exit(1);
@@ -3699,6 +3155,10 @@ program.command("send_prompt").description("Send a prompt to CoinFello, creating
       console.error("Error: No chain found in config. Run 'create_account' first.");
       process.exit(1);
     }
+    if (config.signer_type !== "secureEnclave" && !config.private_key) {
+      console.error("Error: No private key found in config. Run 'create_account' first.");
+      process.exit(1);
+    }
     if (config.session_token) {
       await loadSessionToken(config.session_token, BASE_URL_V1);
     }
@@ -3728,7 +3188,22 @@ program.command("send_prompt").description("Send a prompt to CoinFello, creating
     console.log("Fetching CoinFello delegate address...");
     const delegateAddress = await getCoinFelloAddress();
     console.log("Loading smart account...");
-    const smartAccount = await getSmartAccount(config.private_key, args.chainId);
+    let smartAccount;
+    if (config.signer_type === "secureEnclave") {
+      if (!config.secure_enclave) {
+        console.error("Error: Secure Enclave config missing. Run 'create_account' first.");
+        process.exit(1);
+      }
+      smartAccount = await getSmartAccountFromSecureEnclave(
+        config.secure_enclave.key_tag,
+        config.secure_enclave.public_key_x,
+        config.secure_enclave.public_key_y,
+        config.secure_enclave.key_id,
+        args.chainId
+      );
+    } else {
+      smartAccount = await getSmartAccount(config.private_key, args.chainId);
+    }
     const scope = parseScope(args.scope);
     console.log("Creating subdelegation...");
     const subdelegation = createSubdelegation({

package/dist/secure-enclave-signer.app/Contents/Info.plist

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>CFBundleIdentifier</key>
+    <string>com.coinfello.agent-cli</string>
+    <key>CFBundleExecutable</key>
+    <string>secure-enclave-signer</string>
+    <key>CFBundleName</key>
+    <string>secure-enclave-signer</string>
+    <key>CFBundleVersion</key>
+    <string>1</string>
+    <key>CFBundleShortVersionString</key>
+    <string>1.0</string>
+    <key>CFBundlePackageType</key>
+    <string>APPL</string>
+    <key>LSMinimumSystemVersion</key>
+    <string>13.0</string>
+</dict>
+</plist>

package/dist/secure-enclave-signer.app/Contents/_CodeSignature/CodeResources

@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>files</key>
+	<dict/>
+	<key>files2</key>
+	<dict>
+		<key>embedded.provisionprofile</key>
+		<dict>
+			<key>hash2</key>
+			<data>
+			oD3tt3NC4z7ziSt9JgVtw936hY3YVeP6PO2HsBqNEQI=
+			</data>
+		</dict>
+	</dict>
+	<key>rules</key>
+	<dict>
+		<key>^Resources/</key>
+		<true/>
+		<key>^Resources/.*\.lproj/</key>
+		<dict>
+			<key>optional</key>
+			<true/>
+			<key>weight</key>
+			<real>1000</real>
+		</dict>
+		<key>^Resources/.*\.lproj/locversion.plist$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>1100</real>
+		</dict>
+		<key>^Resources/Base\.lproj/</key>
+		<dict>
+			<key>weight</key>
+			<real>1010</real>
+		</dict>
+		<key>^version.plist$</key>
+		<true/>
+	</dict>
+	<key>rules2</key>
+	<dict>
+		<key>.*\.dSYM($|/)</key>
+		<dict>
+			<key>weight</key>
+			<real>11</real>
+		</dict>
+		<key>^(.*/)?\.DS_Store$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>2000</real>
+		</dict>
+		<key>^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/</key>
+		<dict>
+			<key>nested</key>
+			<true/>
+			<key>weight</key>
+			<real>10</real>
+		</dict>
+		<key>^.*</key>
+		<true/>
+		<key>^Info\.plist$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>20</real>
+		</dict>
+		<key>^PkgInfo$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>20</real>
+		</dict>
+		<key>^Resources/</key>
+		<dict>
+			<key>weight</key>
+			<real>20</real>
+		</dict>
+		<key>^Resources/.*\.lproj/</key>
+		<dict>
+			<key>optional</key>
+			<true/>
+			<key>weight</key>
+			<real>1000</real>
+		</dict>
+		<key>^Resources/.*\.lproj/locversion.plist$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>1100</real>
+		</dict>
+		<key>^Resources/Base\.lproj/</key>
+		<dict>
+			<key>weight</key>
+			<real>1010</real>
+		</dict>
+		<key>^[^/]+$</key>
+		<dict>
+			<key>nested</key>
+			<true/>
+			<key>weight</key>
+			<real>10</real>
+		</dict>
+		<key>^embedded\.provisionprofile$</key>
+		<dict>
+			<key>weight</key>
+			<real>20</real>
+		</dict>
+		<key>^version\.plist$</key>
+		<dict>
+			<key>weight</key>
+			<real>20</real>
+		</dict>
+	</dict>
+</dict>
+</plist>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coinfello/agent-cli",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "",
   "type": "module",
   "main": "dist/index.js",
@@ -23,6 +23,8 @@
     "viem": "^2.45.1"
   },
   "devDependencies": {
+    "@noble/curves": "^2.0.1",
+    "@noble/hashes": "^2.0.1",
     "@types/node": "^25.2.1",
     "dotenv": "^17.3.1",
     "eslint": "^10.0.0",
@@ -34,8 +36,9 @@
     "vitest": "^4.0.18"
   },
   "scripts": {
-    "build": "vite build",
+    "build": "vite build && pnpm run build:swift",
     "build:swift": "bash swift/SecureEnclaveSigner/build.sh",
+    "build:signed": "vite build && SIGN_IDENTITY=\"Apple Development: Brett Cleary (WF45KCA35Q)\" PROVISIONING_PROFILE=\"$HOME/Agent_Cli_Dev_Profile_1.provisionprofile\" pnpm run build:swift",
     "codecheck": "tsc --noEmit",
     "lint": "eslint src",
     "prettier-fix": "prettier --write src coinfello",