@elytro/cli 0.1.0 → 0.4.0

package/dist/index.js

@@ -363,6 +363,8 @@ var STORAGE_KEY = "keyring";
 var KeyringService = class {
   store;
   vault = null;
+  /** Vault key kept in memory for re-encryption operations (addOwner, switchOwner). */
+  vaultKey = null;
   constructor(store) {
     this.store = store;
   }
@@ -373,9 +375,9 @@ var KeyringService = class {
   }
   /**
    * Create a brand-new vault with one owner.
-   * Called during `elytro init`. Encrypts with device key.
+   * Called during `elytro init`. Encrypts with vault key.
    */
-  async createNewOwner(deviceKey) {
+  async createNewOwner(vaultKey) {
     const privateKey = generatePrivateKey();
     const account = privateKeyToAccount(privateKey);
     const owner = { id: account.address, key: privateKey };
@@ -383,26 +385,32 @@ var KeyringService = class {
       owners: [owner],
       currentOwnerId: account.address
     };
-    const encrypted = await encryptWithKey(deviceKey, vault);
+    const encrypted = await encryptWithKey(vaultKey, vault);
     await this.store.save(STORAGE_KEY, encrypted);
     this.vault = vault;
+    this.vaultKey = new Uint8Array(vaultKey);
     return account.address;
   }
   // ─── Unlock / Access ────────────────────────────────────────────
   /**
-   * Decrypt the vault with the device key.
-   * Called automatically by context at CLI startup.
+   * Decrypt the vault with the vault key.
+   * Called automatically by context at CLI startup via SecretProvider.
    */
-  async unlock(deviceKey) {
+  async unlock(vaultKey) {
     const encrypted = await this.store.load(STORAGE_KEY);
     if (!encrypted) {
       throw new Error("Keyring not initialized. Run `elytro init` first.");
     }
-    this.vault = await decryptWithKey(deviceKey, encrypted);
+    this.vault = await decryptWithKey(vaultKey, encrypted);
+    this.vaultKey = new Uint8Array(vaultKey);
   }
-  /** Lock the vault, clearing decrypted keys from memory. */
+  /** Lock the vault, clearing decrypted keys and vault key from memory. */
   lock() {
     this.vault = null;
+    if (this.vaultKey) {
+      this.vaultKey.fill(0);
+      this.vaultKey = null;
+    }
   }
   get isUnlocked() {
     return this.vault !== null;
@@ -441,22 +449,22 @@ var KeyringService = class {
     return privateKeyToAccount(key);
   }
   // ─── Multi-owner management ─────────────────────────────────────
-  async addOwner(deviceKey) {
+  async addOwner() {
     this.ensureUnlocked();
     const privateKey = generatePrivateKey();
     const account = privateKeyToAccount(privateKey);
     this.vault.owners.push({ id: account.address, key: privateKey });
-    await this.persistVault(deviceKey);
+    await this.persistVault();
     return account.address;
   }
-  async switchOwner(ownerId, deviceKey) {
+  async switchOwner(ownerId) {
     this.ensureUnlocked();
     const exists = this.vault.owners.some((o) => o.id === ownerId);
     if (!exists) {
       throw new Error(`Owner ${ownerId} not found in vault.`);
     }
     this.vault.currentOwnerId = ownerId;
-    await this.persistVault(deviceKey);
+    await this.persistVault();
   }
   // ─── Export / Import (password-based for portability) ───────────
   /**
@@ -469,18 +477,20 @@ var KeyringService = class {
   }
   /**
    * Import vault from a password-encrypted backup.
-   * Decrypts with the backup password, then re-encrypts with device key.
+   * Decrypts with the backup password, then re-encrypts with vault key.
    */
-  async importVault(encrypted, password2, deviceKey) {
+  async importVault(encrypted, password2, vaultKey) {
     const vault = await decrypt(password2, encrypted);
     this.vault = vault;
-    const reEncrypted = await encryptWithKey(deviceKey, vault);
+    this.vaultKey = new Uint8Array(vaultKey);
+    const reEncrypted = await encryptWithKey(vaultKey, vault);
     await this.store.save(STORAGE_KEY, reEncrypted);
   }
-  // ─── Rekey (device key rotation) ───────────────────────────────
-  async rekey(newDeviceKey) {
+  // ─── Rekey (vault key rotation) ───────────────────────────────
+  async rekey(newVaultKey) {
     this.ensureUnlocked();
-    await this.persistVault(newDeviceKey);
+    this.vaultKey = new Uint8Array(newVaultKey);
+    await this.persistVault();
   }
   // ─── Internal ───────────────────────────────────────────────────
   getCurrentKey() {
@@ -498,9 +508,10 @@ var KeyringService = class {
       throw new Error("Keyring is locked. Run `elytro init` first.");
     }
   }
-  async persistVault(deviceKey) {
+  async persistVault() {
     if (!this.vault) throw new Error("No vault to persist.");
-    const encrypted = await encryptWithKey(deviceKey, this.vault);
+    if (!this.vaultKey) throw new Error("No vault key available for re-encryption.");
+    const encrypted = await encryptWithKey(this.vaultKey, this.vault);
     await this.store.save(STORAGE_KEY, encrypted);
   }
 };
@@ -555,11 +566,36 @@ function resolveBundler(chainId, pimlicoKey) {
   return PUBLIC_BUNDLER[chainId] ?? PUBLIC_BUNDLER[11155420];
 }
 var CHAIN_META = [
-  { id: 1, name: "Ethereum", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://etherscan.io" },
-  { id: 10, name: "Optimism", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://optimistic.etherscan.io" },
-  { id: 42161, name: "Arbitrum One", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://arbiscan.io" },
-  { id: 11155111, name: "Sepolia", nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 }, blockExplorer: "https://sepolia.etherscan.io" },
-  { id: 11155420, name: "Optimism Sepolia", nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 }, blockExplorer: "https://sepolia-optimism.etherscan.io" }
+  {
+    id: 1,
+    name: "Ethereum",
+    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://etherscan.io"
+  },
+  {
+    id: 10,
+    name: "Optimism",
+    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://optimistic.etherscan.io"
+  },
+  {
+    id: 42161,
+    name: "Arbitrum One",
+    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://arbiscan.io"
+  },
+  {
+    id: 11155111,
+    name: "Sepolia",
+    nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://sepolia.etherscan.io"
+  },
+  {
+    id: 11155420,
+    name: "Optimism Sepolia",
+    nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://sepolia-optimism.etherscan.io"
+  }
 ];
 function buildChains(alchemyKey, pimlicoKey) {
   return CHAIN_META.map((meta) => ({
@@ -1339,10 +1375,11 @@ var AccountService = class {
    * Multiple accounts per chain are allowed — each gets a unique
    * CREATE2 index, producing a different contract address.
    *
-   * @param chainId - Required. The target chain.
-   * @param alias   - Optional. Human-readable name. Auto-generated if omitted.
+   * @param chainId       - Required. The target chain.
+   * @param alias         - Optional. Human-readable name. Auto-generated if omitted.
+   * @param securityIntent - Optional. Security intent (email, dailyLimit) to execute during activate.
    */
-  async createAccount(chainId, alias) {
+  async createAccount(chainId, alias, securityIntent) {
     const owner = this.keyring.currentOwner;
     if (!owner) {
       throw new Error("Keyring is locked. Unlock first.");
@@ -1360,7 +1397,8 @@ var AccountService = class {
       owner,
       index,
       isDeployed: false,
-      isRecoveryEnabled: false
+      isRecoveryEnabled: false,
+      ...securityIntent && { securityIntent }
     };
     this.state.accounts.push(account);
     this.state.currentAddress = address2;
@@ -1431,6 +1469,45 @@ var AccountService = class {
       balance
     };
   }
+  // ─── Security Intent / Status ─────────────────────────────
+  /**
+   * Patch the temporary security intent (e.g. store emailBindingId).
+   * Only valid before activate — intent is deleted after activate.
+   */
+  async updateSecurityIntent(address2, chainId, patch) {
+    const account = this.findAccount(address2, chainId);
+    account.securityIntent = { ...account.securityIntent, ...patch };
+    await this.persist();
+  }
+  /**
+   * Called after activate succeeds with hook install:
+   * 1. Write persistent SecurityStatus
+   * 2. Delete temporary SecurityIntent (consumed)
+   */
+  async finalizeSecurityIntent(address2, chainId) {
+    const account = this.findAccount(address2, chainId);
+    account.securityStatus = { hookInstalled: true };
+    delete account.securityIntent;
+    await this.persist();
+  }
+  /**
+   * Delete security intent without writing status.
+   * Used if activate succeeds but hook batching failed (deploy-only).
+   */
+  async clearSecurityIntent(address2, chainId) {
+    const account = this.findAccount(address2, chainId);
+    delete account.securityIntent;
+    await this.persist();
+  }
+  findAccount(address2, chainId) {
+    const account = this.state.accounts.find(
+      (a) => a.address.toLowerCase() === address2.toLowerCase() && a.chainId === chainId
+    );
+    if (!account) {
+      throw new Error(`Account ${address2} on chain ${chainId} not found.`);
+    }
+    return account;
+  }
   // ─── Import / Export ────────────────────────────────────────────
   async importAccounts(accounts) {
     let imported = 0;
@@ -1751,9 +1828,9 @@ var SecurityHookService = class {
       throw err;
     }
   }
-  isAuthError(error2) {
-    if (!error2 || typeof error2 !== "object") return false;
-    const msg = String(error2.message ?? "").toLowerCase();
+  isAuthError(error) {
+    if (!error || typeof error !== "object") return false;
+    const msg = String(error.message ?? "").toLowerCase();
     return msg.includes("forbidden") || msg.includes("unauthorized") || msg.includes("session") || msg.includes("expired") || msg.includes("failed to authenticate");
   }
   // ─── On-chain Hook Status ────────────────────────────────────
@@ -2064,53 +2141,120 @@ var SecurityHookService = class {
   }
 };
 
-// src/utils/deviceKey.ts
-import { webcrypto as webcrypto2 } from "crypto";
-import { readFile as readFile2, writeFile as writeFile2, stat, chmod } from "fs/promises";
-import { join as join2 } from "path";
-var DEVICE_KEY_FILE = ".device-key";
-var KEY_LENGTH2 = 32;
-var REQUIRED_MODE = 384;
-function generateDeviceKey() {
-  return webcrypto2.getRandomValues(new Uint8Array(KEY_LENGTH2));
-}
-async function saveDeviceKey(dataDir, key) {
-  validateDeviceKey(key);
-  const path = keyPath(dataDir);
-  await writeFile2(path, key, { mode: REQUIRED_MODE });
-  await chmod(path, REQUIRED_MODE);
-}
-async function loadDeviceKey(dataDir) {
-  const path = keyPath(dataDir);
-  try {
-    const st = await stat(path);
-    const mode = st.mode & 511;
-    if (mode !== REQUIRED_MODE) {
-      throw new Error(
-        `Device key has insecure permissions (${modeStr(mode)}). Expected 600. Fix with: chmod 600 ${path}`
-      );
+// src/providers/keychainProvider.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+var KeychainProvider = class {
+  name = "macos-keychain";
+  service = "elytro-wallet";
+  account = "vault-key";
+  async available() {
+    if (process.platform !== "darwin") return false;
+    try {
+      await execFileAsync("security", ["help"], { timeout: 5e3 });
+      return true;
+    } catch {
+      return process.platform === "darwin";
     }
-    const buf = await readFile2(path);
-    const key = new Uint8Array(buf);
-    validateDeviceKey(key);
-    return key;
-  } catch (err) {
-    if (err.code === "ENOENT") {
-      return null;
+  }
+  async store(secret) {
+    validateKeyLength(secret);
+    const b64 = Buffer.from(secret).toString("base64");
+    try {
+      await execFileAsync("security", [
+        "add-generic-password",
+        "-U",
+        "-s",
+        this.service,
+        "-a",
+        this.account,
+        "-w",
+        b64
+      ]);
+    } catch (err) {
+      throw new Error(`Failed to store vault key in Keychain: ${err.message}`);
     }
-    throw err;
   }
-}
-function validateDeviceKey(key) {
-  if (key.length !== KEY_LENGTH2) {
-    throw new Error(`Invalid device key: expected ${KEY_LENGTH2} bytes, got ${key.length}.`);
+  async load() {
+    try {
+      const { stdout } = await execFileAsync("security", [
+        "find-generic-password",
+        "-s",
+        this.service,
+        "-a",
+        this.account,
+        "-w"
+      ]);
+      const trimmed = stdout.trim();
+      if (!trimmed) return null;
+      const key = Buffer.from(trimmed, "base64");
+      if (key.length !== 32) {
+        throw new Error(`Keychain vault key has invalid length: expected 32 bytes, got ${key.length}.`);
+      }
+      return new Uint8Array(key);
+    } catch (err) {
+      const msg = err.message || "";
+      if (msg.includes("could not be found") || msg.includes("SecKeychainSearchCopyNext")) {
+        return null;
+      }
+      throw new Error(`Failed to load vault key from Keychain: ${msg}`);
+    }
+  }
+  async delete() {
+    try {
+      await execFileAsync("security", ["delete-generic-password", "-s", this.service, "-a", this.account]);
+    } catch {
+    }
+  }
+};
+function validateKeyLength(key) {
+  if (key.length !== 32) {
+    throw new Error(`Invalid vault key: expected 32 bytes, got ${key.length}.`);
   }
 }
-function keyPath(dataDir) {
-  return join2(dataDir, DEVICE_KEY_FILE);
-}
-function modeStr(mode) {
-  return "0o" + mode.toString(8).padStart(3, "0");
+
+// src/providers/envVarProvider.ts
+var ENV_KEY = "ELYTRO_VAULT_SECRET";
+var EnvVarProvider = class {
+  name = "env-var";
+  async available() {
+    return !!process.env[ENV_KEY];
+  }
+  async store(_secret) {
+    throw new Error(
+      "EnvVarProvider is read-only. Cannot store vault key in an environment variable. Use a persistent provider (macOS Keychain) or store the secret manually."
+    );
+  }
+  async load() {
+    const raw = process.env[ENV_KEY];
+    if (!raw) return null;
+    delete process.env[ENV_KEY];
+    const key = Buffer.from(raw, "base64");
+    if (key.length !== 32) {
+      throw new Error(
+        `${ENV_KEY} has invalid length: expected 32 bytes (base64), got ${key.length}. The value must be a base64-encoded 256-bit key.`
+      );
+    }
+    return new Uint8Array(key);
+  }
+  async delete() {
+    delete process.env[ENV_KEY];
+  }
+};
+
+// src/providers/resolveProvider.ts
+async function resolveProvider() {
+  const keychainProvider = new KeychainProvider();
+  const envProvider = new EnvVarProvider();
+  const initProvider = await keychainProvider.available() ? keychainProvider : null;
+  let loadProvider = null;
+  if (await keychainProvider.available()) {
+    loadProvider = keychainProvider;
+  } else if (await envProvider.available()) {
+    loadProvider = envProvider;
+  }
+  return { initProvider, loadProvider };
 }
 
 // src/context.ts
@@ -2125,9 +2269,31 @@ async function createAppContext() {
   const defaultChain = chain.currentChain;
   walletClient.initForChain(defaultChain);
   await sdk.initForChain(defaultChain);
-  const deviceKey = await loadDeviceKey(store.dataDir);
-  if (deviceKey && await keyring.isInitialized()) {
-    await keyring.unlock(deviceKey);
+  const { loadProvider } = await resolveProvider();
+  const isInitialized = await keyring.isInitialized();
+  if (isInitialized) {
+    if (!loadProvider) {
+      throw new Error(
+        "Wallet is initialized but no secret provider is available.\n" + (process.platform === "darwin" ? "Keychain access failed. Check macOS Keychain permissions." : "Set the ELYTRO_VAULT_SECRET environment variable.")
+      );
+    }
+    const vaultKey = await loadProvider.load();
+    if (!vaultKey) {
+      throw new Error(
+        `Wallet is initialized but vault key not found in ${loadProvider.name}.
+` + (process.platform === "darwin" ? "The Keychain item may have been deleted. Re-run `elytro init` to create a new wallet,\nor import a backup with `elytro import`." : "Set ELYTRO_VAULT_SECRET to the base64-encoded vault key.")
+      );
+    }
+    try {
+      await keyring.unlock(vaultKey);
+    } catch (err) {
+      vaultKey.fill(0);
+      throw new Error(
+        `Wallet unlock failed: ${err.message}
+The vault key may not match the encrypted keyring. Re-run \`elytro init\` or import a backup.`
+      );
+    }
+    vaultKey.fill(0);
   }
   const account = new AccountService({
     store,
@@ -2148,31 +2314,15 @@ async function createAppContext() {
       }
     }
   }
-  return { store, keyring, chain, sdk, walletClient, account, deviceKey };
+  return { store, keyring, chain, sdk, walletClient, account, secretProvider: loadProvider };
 }
 
 // src/commands/init.ts
+import { webcrypto as webcrypto2 } from "crypto";
 import ora from "ora";
 
 // src/utils/display.ts
 import chalk from "chalk";
-function heading(text) {
-  console.log(chalk.bold.cyan(`
-${text}
-`));
-}
-function info(label, value) {
-  console.log(`  ${chalk.gray(label + ":")} ${value}`);
-}
-function success(text) {
-  console.log(chalk.green(`\u2714 ${text}`));
-}
-function warn(text) {
-  console.log(chalk.yellow(`\u26A0 ${text}`));
-}
-function error(text) {
-  console.error(chalk.red(`\u2716 ${text}`));
-}
 function txError(payload) {
   const output = {
     success: false,
@@ -2184,15 +2334,6 @@ function txError(payload) {
   };
   console.error(chalk.red(JSON.stringify(output, null, 2)));
 }
-function table(rows, columns) {
-  const header = columns.map((c) => c.label.padEnd(c.width ?? 20)).join("  ");
-  console.log(chalk.bold(header));
-  console.log(chalk.gray("\u2500".repeat(header.length)));
-  for (const row of rows) {
-    const line = columns.map((c) => (row[c.key] ?? "").padEnd(c.width ?? 20)).join("  ");
-    console.log(line);
-  }
-}
 function address(addr) {
   if (addr.length <= 14) return addr;
   return `${addr.slice(0, 8)}...${addr.slice(-6)}`;
@@ -2206,32 +2347,51 @@ function maskApiKeys(url) {
 function sanitizeErrorMessage(message) {
   return message.replace(/https?:\/\/[^\s"']+/gi, (match) => maskApiKeys(match));
 }
+function outputResult(result) {
+  console.log(JSON.stringify({ success: true, result }, null, 2));
+}
+function outputError(code, message, data) {
+  txError({ code, message: sanitizeErrorMessage(message), data });
+  process.exitCode = 1;
+}
 
 // src/commands/init.ts
 function registerInitCommand(program2, ctx) {
   program2.command("init").description("Initialize a new Elytro wallet").action(async () => {
     if (await ctx.keyring.isInitialized()) {
-      warn("Wallet already initialized.");
-      info("Data", ctx.store.dataDir);
-      info("Hint", "Use `elytro account create` to create a smart account.");
+      outputResult({
+        status: "already_initialized",
+        dataDir: ctx.store.dataDir,
+        hint: "Use `elytro account create` to create a smart account."
+      });
       return;
     }
-    heading("Initialize Elytro Wallet");
     const spinner = ora("Setting up wallet...").start();
     try {
-      const deviceKey = generateDeviceKey();
-      await saveDeviceKey(ctx.store.dataDir, deviceKey);
-      await ctx.keyring.createNewOwner(deviceKey);
-      ctx.deviceKey = deviceKey;
-      spinner.succeed("Wallet initialized.");
-      console.log("");
-      info("Data", ctx.store.dataDir);
-      console.log("");
-      success("Run `elytro account create --chain <chainId>` to create your first smart account.");
+      const vaultKey = webcrypto2.getRandomValues(new Uint8Array(32));
+      const { initProvider } = await resolveProvider();
+      let providerName = null;
+      let vaultSecretB64 = null;
+      if (initProvider) {
+        await initProvider.store(vaultKey);
+        providerName = initProvider.name;
+      } else {
+        vaultSecretB64 = Buffer.from(vaultKey).toString("base64");
+      }
+      await ctx.keyring.createNewOwner(vaultKey);
+      vaultKey.fill(0);
+      spinner.stop();
+      outputResult({
+        status: "initialized",
+        dataDir: ctx.store.dataDir,
+        secretProvider: providerName,
+        ...vaultSecretB64 ? { vaultSecret: vaultSecretB64 } : {},
+        ...vaultSecretB64 ? { hint: "Save ELYTRO_VAULT_SECRET \u2014 it will NOT be shown again." } : {},
+        nextStep: "Run `elytro account create --chain <chainId>` to create your first smart account."
+      });
     } catch (err) {
       spinner.fail("Failed to initialize wallet.");
-      error(sanitizeErrorMessage(err.message));
-      process.exitCode = 1;
+      outputError(-32e3, sanitizeErrorMessage(err.message));
     }
   });
 }
@@ -2254,20 +2414,67 @@ async function askInput(message, defaultValue) {
 
 // src/commands/account.ts
 init_sponsor();
+
+// src/utils/contracts/securityHook.ts
+import { encodeFunctionData, parseAbi as parseAbi2, pad, toHex as toHex5 } from "viem";
+function encodeInstallHook(walletAddress, hookAddress, safetyDelay = DEFAULT_SAFETY_DELAY, capabilityFlags = DEFAULT_CAPABILITY) {
+  const safetyDelayHex = pad(toHex5(safetyDelay), { size: 4 }).slice(2);
+  const hookAndData = hookAddress + safetyDelayHex;
+  const callData = encodeFunctionData({
+    abi: parseAbi2(["function installHook(bytes calldata hookAndData, uint8 capabilityFlags)"]),
+    functionName: "installHook",
+    args: [hookAndData, capabilityFlags]
+  });
+  return { to: walletAddress, value: "0", data: callData };
+}
+function encodeUninstallHook(walletAddress, hookAddress) {
+  const callData = encodeFunctionData({
+    abi: parseAbi2(["function uninstallHook(address)"]),
+    functionName: "uninstallHook",
+    args: [hookAddress]
+  });
+  return { to: walletAddress, value: "0", data: callData };
+}
+function encodeForcePreUninstall(hookAddress) {
+  const callData = encodeFunctionData({
+    abi: parseAbi2(["function forcePreUninstall()"]),
+    functionName: "forcePreUninstall",
+    args: []
+  });
+  return { to: hookAddress, value: "0", data: callData };
+}
+
+// src/commands/account.ts
+var ERR_INVALID_PARAMS = -32602;
+var ERR_ACCOUNT_NOT_READY = -32002;
+var ERR_SPONSOR_FAILED = -32003;
+var ERR_SEND_FAILED = -32005;
+var ERR_REVERTED = -32006;
+var ERR_INTERNAL = -32e3;
 function registerAccountCommand(program2, ctx) {
   const account = program2.command("account").description("Manage smart accounts");
-  account.command("create").description("Create a new smart account").requiredOption("-c, --chain <chainId>", "Target chain ID").option("-a, --alias <alias>", "Human-readable alias (default: random)").action(async (opts) => {
-    if (!ctx.deviceKey) {
-      error("Wallet not initialized. Run `elytro init` first.");
-      process.exitCode = 1;
+  account.command("create").description("Create a new smart account").requiredOption("-c, --chain <chainId>", "Target chain ID").option("-a, --alias <alias>", "Human-readable alias (default: random)").option("-e, --email <email>", "2FA email for SecurityHook OTP (strongly recommended)").option("-l, --daily-limit <usd>", 'Daily spending limit in USD (e.g. "100")').action(async (opts) => {
+    if (!ctx.keyring.isUnlocked) {
+      outputError(ERR_ACCOUNT_NOT_READY, "Wallet not initialized. Run `elytro init` first.");
       return;
     }
     const chainId = Number(opts.chain);
     if (Number.isNaN(chainId)) {
-      error("Invalid chain ID.");
-      process.exitCode = 1;
+      outputError(ERR_INVALID_PARAMS, "Invalid chain ID.", { chain: opts.chain });
       return;
     }
+    let dailyLimitUsd;
+    if (opts.dailyLimit !== void 0) {
+      dailyLimitUsd = parseFloat(opts.dailyLimit);
+      if (isNaN(dailyLimitUsd) || dailyLimitUsd < 0) {
+        outputError(ERR_INVALID_PARAMS, 'Invalid --daily-limit. Provide a positive number in USD (e.g. "100").');
+        return;
+      }
+    }
+    const securityIntent = opts.email || dailyLimitUsd !== void 0 ? {
+      ...opts.email && { email: opts.email },
+      ...dailyLimitUsd !== void 0 && { dailyLimitUsd }
+    } : void 0;
     const spinner = ora2("Creating smart account...").start();
     try {
       const chainConfig = ctx.chain.chains.find((c) => c.id === chainId);
@@ -2276,7 +2483,7 @@ function registerAccountCommand(program2, ctx) {
         await ctx.sdk.initForChain(chainConfig);
         ctx.walletClient.initForChain(chainConfig);
       }
-      const accountInfo = await ctx.account.createAccount(chainId, opts.alias);
+      const accountInfo = await ctx.account.createAccount(chainId, opts.alias, securityIntent);
       spinner.text = "Registering with backend...";
       const { guardianHash, guardianSafePeriod } = ctx.sdk.initDefaults;
       const paddedKey = padHex2(accountInfo.owner, { size: 32 });
@@ -2289,56 +2496,107 @@ function registerAccountCommand(program2, ctx) {
         guardianHash,
         guardianSafePeriod
       );
-      spinner.succeed(`Account "${accountInfo.alias}" created.`);
-      console.log("");
-      info("Alias", accountInfo.alias);
-      info("Address", accountInfo.address);
-      info("Chain", `${chainName} (${chainId})`);
-      info("Status", "Not deployed (run `elytro account activate` to deploy)");
-      if (regError) {
-        warn(`Backend registration failed: ${regError}`);
-        warn("Sponsorship may not work. You can still activate with ETH.");
+      let emailBindingStarted = false;
+      if (opts.email && chainConfig) {
+        spinner.text = "Initiating email binding...";
+        try {
+          const hookService = createHookServiceForAccount(ctx, chainConfig);
+          const bindingResult = await hookService.requestEmailBinding(
+            accountInfo.address,
+            chainId,
+            opts.email
+          );
+          await ctx.account.updateSecurityIntent(accountInfo.address, chainId, {
+            emailBindingId: bindingResult.bindingId
+          });
+          emailBindingStarted = true;
+        } catch {
+        }
       }
+      spinner.stop();
+      outputResult({
+        alias: accountInfo.alias,
+        address: accountInfo.address,
+        chain: chainName,
+        chainId,
+        deployed: false,
+        ...securityIntent ? {
+          security: {
+            ...opts.email ? { email: opts.email, emailBindingStarted } : {},
+            ...dailyLimitUsd !== void 0 ? { dailyLimitUsd } : {},
+            hookPending: true
+          }
+        } : { security: null },
+        ...regError ? { warning: `Backend registration failed: ${regError}` } : {}
+      });
     } catch (err) {
-      spinner.fail("Failed to create account.");
-      error(sanitizeErrorMessage(err.message));
-      process.exitCode = 1;
+      spinner.stop();
+      outputError(ERR_INTERNAL, err.message);
     }
   });
   account.command("activate").description("Deploy the smart contract on-chain").argument("[account]", "Alias or address (default: current)").option("--no-sponsor", "Skip sponsorship check (user pays gas)").action(async (target, opts) => {
-    if (!ctx.deviceKey) {
-      error("Wallet not initialized. Run `elytro init` first.");
-      process.exitCode = 1;
+    if (!ctx.keyring.isUnlocked) {
+      outputError(ERR_ACCOUNT_NOT_READY, "Wallet not initialized. Run `elytro init` first.");
       return;
     }
     const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
     if (!identifier) {
-      warn("No account selected. Specify an alias/address or create an account first.");
+      outputError(ERR_ACCOUNT_NOT_READY, "No account selected. Specify an alias/address or create an account first.");
       return;
     }
     const accountInfo = ctx.account.resolveAccount(identifier);
     if (!accountInfo) {
-      error(`Account "${identifier}" not found.`);
-      process.exitCode = 1;
+      outputError(ERR_ACCOUNT_NOT_READY, `Account "${identifier}" not found.`);
       return;
     }
     if (accountInfo.isDeployed) {
-      warn(`Account "${accountInfo.alias}" is already deployed.`);
+      outputResult({
+        alias: accountInfo.alias,
+        address: accountInfo.address,
+        status: "already_deployed"
+      });
       return;
     }
     const chainConfig = ctx.chain.chains.find((c) => c.id === accountInfo.chainId);
     const chainName = chainConfig?.name ?? String(accountInfo.chainId);
     if (!chainConfig) {
-      error(`Chain ${accountInfo.chainId} not configured.`);
-      process.exitCode = 1;
+      outputError(ERR_ACCOUNT_NOT_READY, `Chain ${accountInfo.chainId} not configured.`);
       return;
     }
     await ctx.sdk.initForChain(chainConfig);
     ctx.walletClient.initForChain(chainConfig);
     const spinner = ora2(`Activating "${accountInfo.alias}" on ${chainName}...`).start();
+    const intent = accountInfo.securityIntent;
+    const hookAddress = SECURITY_HOOK_ADDRESS_MAP[accountInfo.chainId];
+    const shouldInstallHook = !!(intent && hookAddress && (intent.email || intent.dailyLimitUsd !== void 0));
     try {
       spinner.text = "Building deployment UserOp...";
+      let deployCallData;
+      let hookBatched = false;
+      if (shouldInstallHook) {
+        const installTx = encodeInstallHook(
+          accountInfo.address,
+          hookAddress,
+          DEFAULT_SAFETY_DELAY,
+          DEFAULT_CAPABILITY
+        );
+        deployCallData = installTx.data;
+      }
       const userOp = await ctx.sdk.createDeployUserOp(accountInfo.owner, accountInfo.index);
+      if (shouldInstallHook && deployCallData) {
+        try {
+          const hookInstallOp = await ctx.sdk.createSendUserOp(accountInfo.address, [
+            {
+              to: accountInfo.address,
+              value: "0",
+              data: deployCallData
+            }
+          ]);
+          userOp.callData = hookInstallOp.callData;
+          hookBatched = true;
+        } catch {
+        }
+      }
       spinner.text = "Fetching gas prices...";
       const feeData = await ctx.sdk.getFeeData(chainConfig);
       userOp.maxFeePerGas = feeData.maxFeePerGas;
@@ -2364,15 +2622,14 @@ function registerAccountCommand(program2, ctx) {
           spinner.text = "Sponsorship unavailable, checking balance...";
           const { ether: balance } = await ctx.walletClient.getBalance(accountInfo.address);
           if (parseFloat(balance) === 0) {
-            spinner.fail("Activation failed.");
-            error(`Sponsorship failed: ${sponsorError ?? "unknown reason"}`);
-            error(
-              `Account has no ETH to pay gas. Fund ${accountInfo.address} on ${chainName}, or fix sponsorship.`
-            );
-            process.exitCode = 1;
+            spinner.stop();
+            outputError(ERR_SPONSOR_FAILED, `Sponsorship failed: ${sponsorError ?? "unknown"}. Account has no ETH to pay gas.`, {
+              account: accountInfo.alias,
+              address: accountInfo.address,
+              chain: chainName
+            });
             return;
           }
-          spinner.text = "Proceeding without sponsor (user pays gas)...";
         }
       }
       spinner.text = "Signing UserOperation...";
@@ -2384,25 +2641,37 @@ function registerAccountCommand(program2, ctx) {
       spinner.text = "Waiting for on-chain confirmation...";
       const receipt = await ctx.sdk.waitForReceipt(opHash);
       await ctx.account.markDeployed(accountInfo.address, accountInfo.chainId);
+      const hookInstalled = shouldInstallHook && hookBatched && receipt.success;
+      if (hookInstalled) {
+        await ctx.account.finalizeSecurityIntent(accountInfo.address, accountInfo.chainId);
+      } else if (intent) {
+        await ctx.account.clearSecurityIntent(accountInfo.address, accountInfo.chainId);
+      }
+      spinner.stop();
       if (receipt.success) {
-        spinner.succeed(`Account "${accountInfo.alias}" activated!`);
+        outputResult({
+          alias: accountInfo.alias,
+          address: accountInfo.address,
+          chain: chainName,
+          chainId: accountInfo.chainId,
+          transactionHash: receipt.transactionHash,
+          gasCost: `${formatEther2(BigInt(receipt.actualGasCost))} ETH`,
+          sponsored,
+          hookInstalled,
+          ...hookInstalled && intent?.email ? { emailPending: intent.email } : {},
+          ...hookInstalled && intent?.dailyLimitUsd !== void 0 ? { dailyLimitPending: intent.dailyLimitUsd } : {},
+          ...chainConfig.blockExplorer ? { explorer: `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}` } : {}
+        });
       } else {
-        spinner.warn(`UserOp included but execution reverted.`);
-      }
-      console.log("");
-      info("Account", accountInfo.alias);
-      info("Address", accountInfo.address);
-      info("Chain", `${chainName} (${accountInfo.chainId})`);
-      info("Tx Hash", receipt.transactionHash);
-      info("Gas Cost", `${formatEther2(BigInt(receipt.actualGasCost))} ETH`);
-      info("Sponsored", sponsored ? "Yes (gasless)" : "No (user paid)");
-      if (chainConfig.blockExplorer) {
-        info("Explorer", `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}`);
+        outputError(ERR_REVERTED, "UserOp included but execution reverted.", {
+          alias: accountInfo.alias,
+          transactionHash: receipt.transactionHash,
+          block: receipt.blockNumber
+        });
       }
     } catch (err) {
-      spinner.fail("Activation failed.");
-      error(sanitizeErrorMessage(err.message));
-      process.exitCode = 1;
+      spinner.stop();
+      outputError(ERR_SEND_FAILED, err.message);
     }
   });
   account.command("list").description("List all accounts (or query one by alias/address)").argument("[account]", "Filter by alias or address").option("-c, --chain <chainId>", "Filter by chain ID").action(async (target, opts) => {
@@ -2410,53 +2679,40 @@ function registerAccountCommand(program2, ctx) {
     if (target) {
       const matched = ctx.account.resolveAccount(target);
       if (!matched) {
-        error(`Account "${target}" not found.`);
-        process.exitCode = 1;
+        outputError(ERR_ACCOUNT_NOT_READY, `Account "${target}" not found.`);
         return;
       }
       accounts = [matched];
     }
-    if (accounts.length === 0) {
-      warn("No accounts found. Run `elytro account create --chain <chainId>` first.");
-      return;
-    }
     const current = ctx.account.currentAccount;
-    heading("Accounts");
-    table(
-      accounts.map((a) => {
+    outputResult({
+      accounts: accounts.map((a) => {
         const chainConfig = ctx.chain.chains.find((c) => c.id === a.chainId);
         return {
-          active: a.address === current?.address ? "\u2192" : " ",
+          active: a.address === current?.address,
           alias: a.alias,
           address: a.address,
           chain: chainConfig?.name ?? String(a.chainId),
-          deployed: a.isDeployed ? "Yes" : "No",
-          recovery: a.isRecoveryEnabled ? "Yes" : "No"
+          chainId: a.chainId,
+          deployed: a.isDeployed,
+          recovery: a.isRecoveryEnabled
         };
       }),
-      [
-        { key: "active", label: "", width: 3 },
-        { key: "alias", label: "Alias", width: 16 },
-        { key: "address", label: "Address", width: 44 },
-        { key: "chain", label: "Chain", width: 18 },
-        { key: "deployed", label: "Deployed", width: 10 },
-        { key: "recovery", label: "Recovery", width: 10 }
-      ]
-    );
+      total: accounts.length
+    });
   });
   account.command("info").description("Show details for an account").argument("[account]", "Alias or address (default: current)").action(async (target) => {
     const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
     if (!identifier) {
-      warn("No account selected. Run `elytro account create --chain <chainId>` first.");
+      outputError(ERR_ACCOUNT_NOT_READY, "No account selected. Run `elytro account create` first.");
       return;
     }
     const spinner = ora2("Fetching on-chain data...").start();
     try {
       const accountInfo = ctx.account.resolveAccount(identifier);
       if (!accountInfo) {
-        spinner.fail("Account not found.");
-        error(`Account "${identifier}" not found.`);
-        process.exitCode = 1;
+        spinner.stop();
+        outputError(ERR_ACCOUNT_NOT_READY, `Account "${identifier}" not found.`);
         return;
       }
       const chainConfig = ctx.chain.chains.find((c) => c.id === accountInfo.chainId);
@@ -2465,26 +2721,27 @@ function registerAccountCommand(program2, ctx) {
       }
       const detail = await ctx.account.getAccountDetail(identifier);
       spinner.stop();
-      heading("Account Details");
-      info("Alias", detail.alias);
-      info("Address", detail.address);
-      info("Chain", chainConfig?.name ?? String(detail.chainId));
-      info("Deployed", detail.isDeployed ? "Yes" : "No");
-      info("Balance", `${detail.balance} ${chainConfig?.nativeCurrency.symbol ?? "ETH"}`);
-      info("Recovery", detail.isRecoveryEnabled ? "Enabled" : "Not set");
-      if (chainConfig?.blockExplorer) {
-        info("Explorer", `${chainConfig.blockExplorer}/address/${detail.address}`);
-      }
+      outputResult({
+        alias: detail.alias,
+        address: detail.address,
+        chain: chainConfig?.name ?? String(detail.chainId),
+        chainId: detail.chainId,
+        deployed: detail.isDeployed,
+        balance: `${detail.balance} ${chainConfig?.nativeCurrency.symbol ?? "ETH"}`,
+        recovery: detail.isRecoveryEnabled,
+        ...detail.securityStatus ? { securityStatus: detail.securityStatus } : {},
+        ...detail.securityIntent ? { securityIntent: detail.securityIntent } : {},
+        ...chainConfig?.blockExplorer ? { explorer: `${chainConfig.blockExplorer}/address/${detail.address}` } : {}
+      });
     } catch (err) {
-      spinner.fail("Failed to fetch account info.");
-      error(sanitizeErrorMessage(err.message));
-      process.exitCode = 1;
+      spinner.stop();
+      outputError(ERR_INTERNAL, err.message);
     }
   });
   account.command("switch").description("Switch the active account").argument("[account]", "Alias or address").action(async (target) => {
     const accounts = ctx.account.allAccounts;
     if (accounts.length === 0) {
-      warn("No accounts found.");
+      outputError(ERR_ACCOUNT_NOT_READY, "No accounts found. Run `elytro account create` first.");
       return;
     }
     let identifier = target;
@@ -2505,26 +2762,42 @@ function registerAccountCommand(program2, ctx) {
         ctx.walletClient.initForChain(newChain);
         await ctx.sdk.initForChain(newChain);
       }
-      success(`Switched to "${switched.alias}"`);
-      const spinner = ora2("Fetching on-chain data...").start();
+      let balance = null;
       try {
         const detail = await ctx.account.getAccountDetail(switched.alias);
-        spinner.stop();
-        console.log("");
-        info("Address", detail.address);
-        info("Chain", newChain?.name ?? String(detail.chainId));
-        info("Deployed", detail.isDeployed ? "Yes" : "No");
-        info("Balance", `${detail.balance} ${newChain?.nativeCurrency.symbol ?? "ETH"}`);
-        if (newChain?.blockExplorer) {
-          info("Explorer", `${newChain.blockExplorer}/address/${detail.address}`);
-        }
+        balance = `${detail.balance} ${newChain?.nativeCurrency.symbol ?? "ETH"}`;
       } catch {
-        spinner.stop();
-        warn("Could not fetch on-chain data. Run `elytro account info` to retry.");
       }
+      outputResult({
+        alias: switched.alias,
+        address: switched.address,
+        chain: newChain?.name ?? String(switched.chainId),
+        chainId: switched.chainId,
+        deployed: switched.isDeployed,
+        ...balance ? { balance } : {},
+        ...newChain?.blockExplorer ? { explorer: `${newChain.blockExplorer}/address/${switched.address}` } : {}
+      });
     } catch (err) {
-      error(sanitizeErrorMessage(err.message));
-      process.exitCode = 1;
+      outputError(ERR_INTERNAL, err.message);
+    }
+  });
+}
+function createHookServiceForAccount(ctx, chainConfig) {
+  return new SecurityHookService({
+    store: ctx.store,
+    graphqlEndpoint: ctx.chain.graphqlEndpoint,
+    signMessageForAuth: createSignMessageForAuth({
+      signDigest: (digest) => ctx.keyring.signDigest(digest),
+      packRawHash: (hash) => ctx.sdk.packRawHash(hash),
+      packSignature: (rawSig, valData) => ctx.sdk.packUserOpSignature(rawSig, valData)
+    }),
+    readContract: async (params) => {
+      return ctx.walletClient.readContract(params);
+    },
+    getBlockTimestamp: async () => {
+      const blockNumber = await ctx.walletClient.raw.getBlockNumber();
+      const block = await ctx.walletClient.raw.getBlock({ blockNumber });
+      return block.timestamp;
     }
   });
 }
@@ -2532,15 +2805,15 @@ function registerAccountCommand(program2, ctx) {
 // src/commands/tx.ts
 init_sponsor();
 import ora3 from "ora";
-import { isAddress, isHex, formatEther as formatEther3, parseEther as parseEther2, toHex as toHex5 } from "viem";
-var ERR_INVALID_PARAMS = -32602;
+import { isAddress, isHex, formatEther as formatEther3, parseEther as parseEther2, toHex as toHex6 } from "viem";
+var ERR_INVALID_PARAMS2 = -32602;
 var ERR_INSUFFICIENT_BALANCE = -32001;
-var ERR_ACCOUNT_NOT_READY = -32002;
-var ERR_SPONSOR_FAILED = -32003;
+var ERR_ACCOUNT_NOT_READY2 = -32002;
+var ERR_SPONSOR_FAILED2 = -32003;
 var ERR_BUILD_FAILED = -32004;
-var ERR_SEND_FAILED = -32005;
+var ERR_SEND_FAILED2 = -32005;
 var ERR_EXECUTION_REVERTED = -32006;
-var ERR_INTERNAL = -32e3;
+var ERR_INTERNAL2 = -32e3;
 var TxError = class extends Error {
   code;
   data;
@@ -2553,14 +2826,10 @@ var TxError = class extends Error {
 };
 function handleTxError(err) {
   if (err instanceof TxError) {
-    txError({ code: err.code, message: sanitizeErrorMessage(err.message), data: err.data });
+    outputError(err.code, err.message, err.data);
   } else {
-    txError({
-      code: ERR_INTERNAL,
-      message: sanitizeErrorMessage(err.message ?? String(err))
-    });
+    outputError(ERR_INTERNAL2, err.message ?? String(err));
   }
-  process.exitCode = 1;
 }
 function parseTxSpec(spec, index) {
   const prefix = `--tx #${index + 1}`;
@@ -2568,7 +2837,7 @@ function parseTxSpec(spec, index) {
   for (const part of spec.split(",")) {
     const colonIdx = part.indexOf(":");
     if (colonIdx === -1) {
-      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: invalid segment "${part}". Expected key:value format.`, {
+      throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: invalid segment "${part}". Expected key:value format.`, {
         spec,
         index
       });
@@ -2576,17 +2845,17 @@ function parseTxSpec(spec, index) {
     const key = part.slice(0, colonIdx).trim().toLowerCase();
     const val = part.slice(colonIdx + 1).trim();
     if (!key || !val) {
-      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: empty key or value in "${part}".`, { spec, index });
+      throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: empty key or value in "${part}".`, { spec, index });
     }
     if (fields[key]) {
-      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: duplicate key "${key}".`, { spec, index, key });
+      throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: duplicate key "${key}".`, { spec, index, key });
     }
     fields[key] = val;
   }
   const knownKeys = /* @__PURE__ */ new Set(["to", "value", "data"]);
   for (const key of Object.keys(fields)) {
     if (!knownKeys.has(key)) {
-      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: unknown key "${key}". Allowed: to, value, data.`, {
+      throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: unknown key "${key}". Allowed: to, value, data.`, {
         spec,
         index,
         key
@@ -2594,13 +2863,13 @@ function parseTxSpec(spec, index) {
     }
   }
   if (!fields.to) {
-    throw new TxError(ERR_INVALID_PARAMS, `${prefix}: "to" is required.`, { spec, index });
+    throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: "to" is required.`, { spec, index });
   }
   if (!isAddress(fields.to)) {
-    throw new TxError(ERR_INVALID_PARAMS, `${prefix}: invalid address "${fields.to}".`, { spec, index, to: fields.to });
+    throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: invalid address "${fields.to}".`, { spec, index, to: fields.to });
   }
   if (!fields.value && !fields.data) {
-    throw new TxError(ERR_INVALID_PARAMS, `${prefix}: at least one of "value" or "data" is required.`, { spec, index });
+    throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: at least one of "value" or "data" is required.`, { spec, index });
   }
   if (fields.value) {
     try {
@@ -2608,7 +2877,7 @@ function parseTxSpec(spec, index) {
       if (wei < 0n) throw new Error("negative");
     } catch {
       throw new TxError(
-        ERR_INVALID_PARAMS,
+        ERR_INVALID_PARAMS2,
         `${prefix}: invalid ETH amount "${fields.value}". Use human-readable format (e.g. "0.1").`,
         { spec, index, value: fields.value }
       );
@@ -2616,14 +2885,14 @@ function parseTxSpec(spec, index) {
   }
   if (fields.data) {
     if (!isHex(fields.data)) {
-      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: invalid hex in "data". Must start with 0x.`, {
+      throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: invalid hex in "data". Must start with 0x.`, {
         spec,
         index,
         data: fields.data
       });
     }
     if (fields.data.length > 2 && fields.data.length % 2 !== 0) {
-      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: "data" hex must have even length (complete bytes).`, {
+      throw new TxError(ERR_INVALID_PARAMS2, `${prefix}: "data" hex must have even length (complete bytes).`, {
         spec,
         index,
         data: fields.data
@@ -2645,7 +2914,7 @@ function detectTxType(specs) {
 function specsToTxs(specs) {
   return specs.map((s) => ({
     to: s.to,
-    value: s.value ? toHex5(parseEther2(s.value)) : "0x0",
+    value: s.value ? toHex6(parseEther2(s.value)) : "0x0",
     data: s.data ?? "0x"
   }));
 }
@@ -2666,19 +2935,12 @@ function txTypeLabel(txType) {
       return "Batch Transaction";
   }
 }
-function truncateHex(hex, maxLen = 42) {
-  if (hex.length <= maxLen) return hex;
-  return `${hex.slice(0, 20)}...${hex.slice(-8)} (${(hex.length - 2) / 2} bytes)`;
-}
-function displayTxSpec(spec, index) {
-  const parts = [`#${index + 1}`];
-  parts.push(`\u2192 ${spec.to}`);
-  if (spec.value) parts.push(`${spec.value} ETH`);
-  if (spec.data && spec.data !== "0x") {
-    const selector = spec.data.length >= 10 ? spec.data.slice(0, 10) : spec.data;
-    parts.push(`call ${selector}`);
-  }
-  info("Tx", parts.join("  "));
+function specToJson(spec) {
+  return {
+    to: spec.to,
+    ...spec.value ? { value: spec.value } : {},
+    ...spec.data && spec.data !== "0x" ? { data: spec.data, selector: spec.data.length >= 10 ? spec.data.slice(0, 10) : spec.data } : {}
+  };
 }
 function registerTxCommand(program2, ctx) {
   const tx = program2.command("tx").description("Build, simulate, and send transactions");
@@ -2691,21 +2953,23 @@ function registerTxCommand(program2, ctx) {
         specs,
         opts?.sponsor
       );
-      heading("UserOperation (unsigned)");
-      console.log(JSON.stringify(serializeUserOp(userOp), null, 2));
-      console.log("");
-      info("Account", accountInfo.alias);
-      info("Chain", `${chainConfig.name} (${chainConfig.id})`);
-      info("Type", txTypeLabel(txType));
-      if (txType === "batch") info("Tx Count", specs.length.toString());
-      info("Sponsored", sponsored ? "Yes" : "No");
+      outputResult({
+        userOp: serializeUserOp(userOp),
+        account: accountInfo.alias,
+        address: accountInfo.address,
+        chain: chainConfig.name,
+        chainId: chainConfig.id,
+        txType: txTypeLabel(txType),
+        ...txType === "batch" ? { txCount: specs.length } : {},
+        sponsored
+      });
     } catch (err) {
       handleTxError(err);
     }
   });
   tx.command("send").description("Send a transaction on-chain").argument("[account]", "Source account alias or address (default: current)").option("--tx <spec...>", 'Transaction spec: "to:0xAddr,value:0.1,data:0x..." (repeatable, ordered)').option("--no-sponsor", "Skip sponsorship check").option("--no-hook", "Skip SecurityHook signing (bypass 2FA)").option("--userop <json>", "Send a pre-built UserOp JSON (skips build step)").action(async (target, opts) => {
-    if (!ctx.deviceKey) {
-      handleTxError(new TxError(ERR_ACCOUNT_NOT_READY, "Wallet not initialized. Run `elytro init` first."));
+    if (!ctx.keyring.isUnlocked) {
+      handleTxError(new TxError(ERR_ACCOUNT_NOT_READY2, "Wallet not initialized. Run `elytro init` first."));
       return;
     }
     try {
@@ -2720,7 +2984,7 @@ function registerTxCommand(program2, ctx) {
         sponsored = !!userOp.paymaster;
         const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
         if (!identifier) {
-          throw new TxError(ERR_ACCOUNT_NOT_READY, "No account selected.", {
+          throw new TxError(ERR_ACCOUNT_NOT_READY2, "No account selected.", {
             hint: "Specify an alias/address or create an account first."
           });
         }
@@ -2737,37 +3001,20 @@ function registerTxCommand(program2, ctx) {
         sponsored = result.sponsored;
         txType = result.txType;
       }
-      console.log("");
-      heading("Transaction Summary");
-      info("Type", txTypeLabel(txType));
-      info("From", `${accountInfo.alias} (${accountInfo.address})`);
-      if (txType === "batch") {
-        info("Tx Count", specs.length.toString());
-        for (let i = 0; i < specs.length; i++) {
-          displayTxSpec(specs[i], i);
-        }
-      } else if (txType === "contract-call") {
-        const s = specs[0];
-        info("To", s.to);
-        info("Calldata", truncateHex(s.data ?? "0x"));
-        if (s.data && s.data.length >= 10) {
-          info("Selector", s.data.slice(0, 10));
-        }
-        if (s.value && s.value !== "0") {
-          info("Value", `${s.value} ETH (payable)`);
-        }
-      } else {
-        const s = specs[0];
-        info("To", s.to);
-        info("Value", `${s.value ?? "0"} ETH`);
-      }
-      info("Sponsored", sponsored ? "Yes (gasless)" : "No (user pays gas)");
       const estimatedGas = userOp.callGasLimit + userOp.verificationGasLimit + userOp.preVerificationGas;
-      info("Est. Gas", estimatedGas.toString());
-      console.log("");
+      console.error(JSON.stringify({
+        summary: {
+          txType: txTypeLabel(txType),
+          from: accountInfo.alias,
+          address: accountInfo.address,
+          transactions: specs.map((s, i) => specToJson(s)),
+          sponsored,
+          estimatedGas: estimatedGas.toString()
+        }
+      }, null, 2));
       const confirmed = await askConfirm("Sign and send this transaction?");
       if (!confirmed) {
-        warn("Transaction cancelled.");
+        outputResult({ status: "cancelled" });
         return;
       }
       const spinner = ora3("Signing UserOperation...").start();
@@ -2810,14 +3057,12 @@ function registerTxCommand(program2, ctx) {
                 spinner.stop();
                 const errCode = hookResult.error.code;
                 if (errCode === "OTP_REQUIRED" || errCode === "SPENDING_LIMIT_EXCEEDED") {
-                  warn(hookResult.error.message ?? `Verification required (${errCode}).`);
-                  if (hookResult.error.maskedEmail) {
-                    info("OTP sent to", hookResult.error.maskedEmail);
-                  }
-                  if (errCode === "SPENDING_LIMIT_EXCEEDED" && hookResult.error.projectedSpendUsdCents !== void 0) {
-                    info("Projected spend", `$${(hookResult.error.projectedSpendUsdCents / 100).toFixed(2)}`);
-                    info("Daily limit", `$${((hookResult.error.dailyLimitUsdCents ?? 0) / 100).toFixed(2)}`);
-                  }
+                  console.error(JSON.stringify({
+                    challenge: errCode,
+                    message: hookResult.error.message ?? `Verification required (${errCode}).`,
+                    ...hookResult.error.maskedEmail ? { maskedEmail: hookResult.error.maskedEmail } : {},
+                    ...errCode === "SPENDING_LIMIT_EXCEEDED" && hookResult.error.projectedSpendUsdCents !== void 0 ? { projectedSpendUsd: (hookResult.error.projectedSpendUsdCents / 100).toFixed(2), dailyLimitUsd: ((hookResult.error.dailyLimitUsdCents ?? 0) / 100).toFixed(2) } : {}
+                  }, null, 2));
                   const otpCode = await askInput("Enter the 6-digit OTP code:");
                   spinner.start("Verifying OTP...");
                   await hookService.verifySecurityOtp(
@@ -2835,13 +3080,13 @@ function registerTxCommand(program2, ctx) {
                   );
                   if (hookResult.error) {
                     throw new TxError(
-                      ERR_SEND_FAILED,
+                      ERR_SEND_FAILED2,
                       `Hook authorization failed after OTP: ${hookResult.error.message}`
                     );
                   }
                 } else {
                   throw new TxError(
-                    ERR_SEND_FAILED,
+                    ERR_SEND_FAILED2,
                     `Hook authorization failed: ${hookResult.error.message ?? errCode}`
                   );
                 }
@@ -2862,48 +3107,41 @@ function registerTxCommand(program2, ctx) {
         spinner.text = "Sending to bundler...";
         opHash = await ctx.sdk.sendUserOp(userOp);
       } catch (err) {
-        spinner.fail("Send failed.");
-        throw new TxError(ERR_SEND_FAILED, err.message, {
+        spinner.stop();
+        throw new TxError(ERR_SEND_FAILED2, err.message, {
           sender: accountInfo.address,
           chain: chainConfig.name
         });
       }
       spinner.text = "Waiting for on-chain confirmation...";
       const receipt = await ctx.sdk.waitForReceipt(opHash);
+      spinner.stop();
       if (receipt.success) {
-        spinner.succeed("Transaction confirmed!");
+        outputResult({
+          status: "confirmed",
+          account: accountInfo.alias,
+          address: accountInfo.address,
+          transactionHash: receipt.transactionHash,
+          block: receipt.blockNumber,
+          gasCost: `${formatEther3(BigInt(receipt.actualGasCost))} ETH`,
+          sponsored,
+          ...chainConfig.blockExplorer ? { explorer: `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}` } : {}
+        });
       } else {
-        spinner.warn("Execution reverted.");
-        txError({
-          code: ERR_EXECUTION_REVERTED,
-          message: "UserOp included but execution reverted on-chain.",
-          data: {
-            txHash: receipt.transactionHash,
-            block: receipt.blockNumber,
-            gasCost: `${formatEther3(BigInt(receipt.actualGasCost))} ETH`,
-            sender: accountInfo.address
-          }
+        outputError(ERR_EXECUTION_REVERTED, "UserOp included but execution reverted on-chain.", {
+          transactionHash: receipt.transactionHash,
+          block: receipt.blockNumber,
+          gasCost: `${formatEther3(BigInt(receipt.actualGasCost))} ETH`,
+          sender: accountInfo.address
         });
       }
-      console.log("");
-      info("Account", accountInfo.alias);
-      info("Tx Hash", receipt.transactionHash);
-      info("Block", receipt.blockNumber);
-      info("Gas Cost", `${formatEther3(BigInt(receipt.actualGasCost))} ETH`);
-      info("Sponsored", sponsored ? "Yes (gasless)" : "No (user paid)");
-      if (chainConfig.blockExplorer) {
-        info("Explorer", `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}`);
-      }
-      if (!receipt.success) {
-        process.exitCode = 1;
-      }
     } catch (err) {
       handleTxError(err);
     }
   });
   tx.command("simulate").description("Preview a transaction (gas estimate, sponsor check)").argument("[account]", "Source account alias or address (default: current)").option("--tx <spec...>", 'Transaction spec: "to:0xAddr,value:0.1,data:0x..." (repeatable, ordered)').option("--no-sponsor", "Skip sponsorship check").action(async (target, opts) => {
-    if (!ctx.deviceKey) {
-      handleTxError(new TxError(ERR_ACCOUNT_NOT_READY, "Wallet not initialized. Run `elytro init` first."));
+    if (!ctx.keyring.isUnlocked) {
+      handleTxError(new TxError(ERR_ACCOUNT_NOT_READY2, "Wallet not initialized. Run `elytro init` first."));
       return;
     }
     try {
@@ -2916,77 +3154,44 @@ function registerTxCommand(program2, ctx) {
       );
       const { wei: ethBalance, ether: ethFormatted } = await ctx.walletClient.getBalance(accountInfo.address);
       const nativeCurrency = chainConfig.nativeCurrency.symbol;
-      console.log("");
-      heading("Transaction Simulation");
-      info("Type", txTypeLabel(txType));
-      info("From", `${accountInfo.alias} (${accountInfo.address})`);
-      info("Chain", `${chainConfig.name} (${chainConfig.id})`);
-      if (txType === "batch") {
-        console.log("");
-        info("Tx Count", specs.length.toString());
-        for (let i = 0; i < specs.length; i++) {
-          displayTxSpec(specs[i], i);
-        }
-        const total = totalEthValue(specs);
-        if (total > 0n) {
-          info("Total ETH", formatEther3(total));
-          if (ethBalance < total) {
-            warn(`Insufficient balance: need ${formatEther3(total)}, have ${ethFormatted} ${nativeCurrency}`);
-          }
-        }
-      } else if (txType === "contract-call") {
-        const s = specs[0];
-        console.log("");
-        info("To", s.to);
-        info("Calldata", truncateHex(s.data ?? "0x"));
-        info("Calldata Size", `${Math.max(0, ((s.data?.length ?? 2) - 2) / 2)} bytes`);
-        if (s.data && s.data.length >= 10) {
-          info("Selector", s.data.slice(0, 10));
-        }
-        if (s.value && s.value !== "0") {
-          info("Value", `${s.value} ${nativeCurrency} (payable)`);
-          const sendValue = parseEther2(s.value);
-          if (ethBalance < sendValue) {
-            warn(`Insufficient balance for value: need ${s.value}, have ${ethFormatted} ${nativeCurrency}`);
-          }
-        }
-        const isContract = await ctx.walletClient.isContractDeployed(s.to);
-        info("Target", isContract ? "Contract" : "EOA (warning: calling non-contract)");
-        if (!isContract) {
-          warn("Target address has no deployed code. The call may be a no-op or revert.");
-        }
-      } else {
-        const s = specs[0];
-        console.log("");
-        info("To", s.to);
-        info("Value", `${s.value ?? "0"} ${nativeCurrency}`);
-        if (s.value) {
-          const sendValue = parseEther2(s.value);
-          if (ethBalance < sendValue) {
-            warn(`Insufficient balance: need ${s.value}, have ${ethFormatted} ${nativeCurrency}`);
-          }
-        }
-      }
-      console.log("");
-      info("callGasLimit", userOp.callGasLimit.toString());
-      info("verificationGasLimit", userOp.verificationGasLimit.toString());
-      info("preVerificationGas", userOp.preVerificationGas.toString());
-      info("maxFeePerGas", `${userOp.maxFeePerGas.toString()} wei`);
-      info("maxPriorityFeePerGas", `${userOp.maxPriorityFeePerGas.toString()} wei`);
       const totalGas = userOp.callGasLimit + userOp.verificationGasLimit + userOp.preVerificationGas;
       const maxCostWei = totalGas * userOp.maxFeePerGas;
-      info("Max Gas Cost", `${formatEther3(maxCostWei)} ${nativeCurrency}`);
-      console.log("");
-      info("Sponsored", sponsored ? "Yes (gasless)" : "No (user pays gas)");
-      if (sponsored && userOp.paymaster) {
-        info("Paymaster", userOp.paymaster);
+      const ethValueSum = totalEthValue(specs);
+      const warnings = [];
+      if (ethValueSum > 0n && ethBalance < ethValueSum) {
+        warnings.push(`Insufficient balance for value: need ${formatEther3(ethValueSum)}, have ${ethFormatted} ${nativeCurrency}`);
       }
-      info(`${nativeCurrency} Balance`, `${ethFormatted} ${nativeCurrency}`);
       if (!sponsored && ethBalance < maxCostWei) {
-        warn(
-          `Insufficient ${nativeCurrency} for gas: need ~${formatEther3(maxCostWei)}, have ${ethFormatted}`
-        );
+        warnings.push(`Insufficient ${nativeCurrency} for gas: need ~${formatEther3(maxCostWei)}, have ${ethFormatted}`);
+      }
+      let targetIsContract;
+      if (txType === "contract-call") {
+        targetIsContract = await ctx.walletClient.isContractDeployed(specs[0].to);
+        if (!targetIsContract) {
+          warnings.push("Target address has no deployed code. The call may be a no-op or revert.");
+        }
       }
+      outputResult({
+        txType: txTypeLabel(txType),
+        account: accountInfo.alias,
+        address: accountInfo.address,
+        chain: chainConfig.name,
+        chainId: chainConfig.id,
+        transactions: specs.map((s) => specToJson(s)),
+        ...txType === "contract-call" && targetIsContract !== void 0 ? { targetIsContract } : {},
+        gas: {
+          callGasLimit: userOp.callGasLimit.toString(),
+          verificationGasLimit: userOp.verificationGasLimit.toString(),
+          preVerificationGas: userOp.preVerificationGas.toString(),
+          maxFeePerGas: userOp.maxFeePerGas.toString(),
+          maxPriorityFeePerGas: userOp.maxPriorityFeePerGas.toString(),
+          maxCost: `${formatEther3(maxCostWei)} ${nativeCurrency}`
+        },
+        sponsored,
+        ...sponsored && userOp.paymaster ? { paymaster: userOp.paymaster } : {},
+        balance: `${ethFormatted} ${nativeCurrency}`,
+        ...warnings.length > 0 ? { warnings } : {}
+      });
     } catch (err) {
       handleTxError(err);
     }
@@ -2994,21 +3199,21 @@ function registerTxCommand(program2, ctx) {
 }
 function parseAllTxSpecs(rawSpecs) {
   if (!rawSpecs || rawSpecs.length === 0) {
-    throw new TxError(ERR_INVALID_PARAMS, 'At least one --tx is required. Format: --tx "to:0xAddr,value:0.1"');
+    throw new TxError(ERR_INVALID_PARAMS2, 'At least one --tx is required. Format: --tx "to:0xAddr,value:0.1"');
   }
   return rawSpecs.map((spec, i) => parseTxSpec(spec, i));
 }
 async function buildUserOp(ctx, target, specs, sponsor) {
   const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
   if (!identifier) {
-    throw new TxError(ERR_ACCOUNT_NOT_READY, "No account selected.", {
+    throw new TxError(ERR_ACCOUNT_NOT_READY2, "No account selected.", {
       hint: "Specify an alias/address or create an account first."
     });
   }
   const accountInfo = resolveAccountStrict(ctx, identifier);
   const chainConfig = resolveChainStrict(ctx, accountInfo.chainId);
   if (!accountInfo.isDeployed) {
-    throw new TxError(ERR_ACCOUNT_NOT_READY, `Account "${accountInfo.alias}" is not deployed.`, {
+    throw new TxError(ERR_ACCOUNT_NOT_READY2, `Account "${accountInfo.alias}" is not deployed.`, {
       account: accountInfo.alias,
       address: accountInfo.address,
       hint: "Run `elytro account activate` first."
@@ -3037,7 +3242,7 @@ async function buildUserOp(ctx, target, specs, sponsor) {
   try {
     userOp = await ctx.sdk.createSendUserOp(accountInfo.address, txs);
   } catch (err) {
-    spinner.fail("Build failed.");
+    spinner.stop();
     throw new TxError(ERR_BUILD_FAILED, `Failed to build UserOp: ${err.message}`, {
       account: accountInfo.address,
       chain: chainConfig.name
@@ -3054,7 +3259,7 @@ async function buildUserOp(ctx, target, specs, sponsor) {
     userOp.verificationGasLimit = gasEstimate.verificationGasLimit;
     userOp.preVerificationGas = gasEstimate.preVerificationGas;
   } catch (err) {
-    spinner.fail("Gas estimation failed.");
+    spinner.stop();
     throw new TxError(ERR_BUILD_FAILED, `Gas estimation failed: ${err.message}`, {
       account: accountInfo.address,
       chain: chainConfig.name
@@ -3076,8 +3281,8 @@ async function buildUserOp(ctx, target, specs, sponsor) {
       spinner.text = "Sponsorship unavailable, checking balance...";
       const { wei: balance } = await ctx.walletClient.getBalance(accountInfo.address);
       if (balance === 0n) {
-        spinner.fail("Build failed.");
-        throw new TxError(ERR_SPONSOR_FAILED, "Sponsorship failed and account has no ETH to pay gas.", {
+        spinner.stop();
+        throw new TxError(ERR_SPONSOR_FAILED2, "Sponsorship failed and account has no ETH to pay gas.", {
           reason: sponsorError ?? "unknown",
           account: accountInfo.address,
           chain: chainConfig.name,
@@ -3086,38 +3291,38 @@ async function buildUserOp(ctx, target, specs, sponsor) {
       }
     }
   }
-  spinner.succeed("UserOp built.");
+  spinner.stop();
   return { userOp, accountInfo, chainConfig, sponsored, txType };
 }
 function resolveAccountStrict(ctx, identifier) {
   const account = ctx.account.resolveAccount(identifier);
   if (!account) {
-    throw new TxError(ERR_ACCOUNT_NOT_READY, `Account "${identifier}" not found.`, { identifier });
+    throw new TxError(ERR_ACCOUNT_NOT_READY2, `Account "${identifier}" not found.`, { identifier });
   }
   return account;
 }
 function resolveChainStrict(ctx, chainId) {
   const chain = ctx.chain.chains.find((c) => c.id === chainId);
   if (!chain) {
-    throw new TxError(ERR_ACCOUNT_NOT_READY, `Chain ${chainId} not configured.`, { chainId });
+    throw new TxError(ERR_ACCOUNT_NOT_READY2, `Chain ${chainId} not configured.`, { chainId });
   }
   return chain;
 }
 function serializeUserOp(op) {
   return {
     sender: op.sender,
-    nonce: toHex5(op.nonce),
+    nonce: toHex6(op.nonce),
     factory: op.factory,
     factoryData: op.factoryData,
     callData: op.callData,
-    callGasLimit: toHex5(op.callGasLimit),
-    verificationGasLimit: toHex5(op.verificationGasLimit),
-    preVerificationGas: toHex5(op.preVerificationGas),
-    maxFeePerGas: toHex5(op.maxFeePerGas),
-    maxPriorityFeePerGas: toHex5(op.maxPriorityFeePerGas),
+    callGasLimit: toHex6(op.callGasLimit),
+    verificationGasLimit: toHex6(op.verificationGasLimit),
+    preVerificationGas: toHex6(op.preVerificationGas),
+    maxFeePerGas: toHex6(op.maxFeePerGas),
+    maxPriorityFeePerGas: toHex6(op.maxPriorityFeePerGas),
     paymaster: op.paymaster,
-    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex5(op.paymasterVerificationGasLimit) : null,
-    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex5(op.paymasterPostOpGasLimit) : null,
+    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex6(op.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex6(op.paymasterPostOpGasLimit) : null,
     paymasterData: op.paymasterData,
     signature: op.signature
   };
@@ -3127,10 +3332,10 @@ function deserializeUserOp(json) {
   try {
     raw = JSON.parse(json);
   } catch {
-    throw new TxError(ERR_INVALID_PARAMS, "Invalid UserOp JSON. Pass a JSON-encoded UserOp object.", { json });
+    throw new TxError(ERR_INVALID_PARAMS2, "Invalid UserOp JSON. Pass a JSON-encoded UserOp object.", { json });
   }
   if (!raw.sender || !raw.callData) {
-    throw new TxError(ERR_INVALID_PARAMS, "Invalid UserOp: missing required fields (sender, callData).");
+    throw new TxError(ERR_INVALID_PARAMS2, "Invalid UserOp: missing required fields (sender, callData).");
   }
   return {
     sender: raw.sender,
@@ -3156,7 +3361,7 @@ import ora4 from "ora";
 import { isAddress as isAddress2, formatEther as formatEther4, formatUnits } from "viem";
 
 // src/utils/erc20.ts
-import { encodeFunctionData, parseUnits } from "viem";
+import { encodeFunctionData as encodeFunctionData2, parseUnits } from "viem";
 var ERC20_ABI = [
   {
     name: "transfer",
@@ -3233,7 +3438,7 @@ function registerQueryCommand(program2, ctx) {
           getTokenBalance(ctx.walletClient, opts.token, accountInfo.address)
         ]);
         spinner.stop();
-        outputSuccess({
+        outputResult({
           account: accountInfo.alias,
           address: accountInfo.address,
           chain: chainConfig.name,
@@ -3245,7 +3450,7 @@ function registerQueryCommand(program2, ctx) {
       } else {
         const { ether } = await ctx.walletClient.getBalance(accountInfo.address);
         spinner.stop();
-        outputSuccess({
+        outputResult({
           account: accountInfo.alias,
           address: accountInfo.address,
           chain: chainConfig.name,
@@ -3265,20 +3470,25 @@ function registerQueryCommand(program2, ctx) {
       const rawBalances = await ctx.walletClient.getTokenBalances(accountInfo.address);
       if (rawBalances.length === 0) {
         spinner.stop();
-        heading(`Token Holdings (${accountInfo.alias})`);
-        info("Result", "No ERC-20 tokens found.");
+        outputResult({
+          account: accountInfo.alias,
+          address: accountInfo.address,
+          chain: chainConfig.name,
+          tokens: [],
+          total: 0
+        });
         return;
       }
       spinner.text = `Fetching metadata for ${rawBalances.length} tokens...`;
       const tokens = await Promise.all(
         rawBalances.map(async ({ tokenAddress, balance }) => {
           try {
-            const info2 = await getTokenInfo(ctx.walletClient, tokenAddress);
+            const info = await getTokenInfo(ctx.walletClient, tokenAddress);
             return {
               address: tokenAddress,
-              symbol: info2.symbol,
-              decimals: info2.decimals,
-              balance: formatUnits(balance, info2.decimals),
+              symbol: info.symbol,
+              decimals: info.decimals,
+              balance: formatUnits(balance, info.decimals),
               rawBalance: balance
             };
           } catch {
@@ -3293,25 +3503,18 @@ function registerQueryCommand(program2, ctx) {
         })
       );
       spinner.stop();
-      heading(`Token Holdings (${accountInfo.alias})`);
-      info("Account", accountInfo.address);
-      info("Chain", `${chainConfig.name} (${chainConfig.id})`);
-      info("Tokens", tokens.length.toString());
-      console.log("");
-      table(
-        tokens.map((t) => ({
+      outputResult({
+        account: accountInfo.alias,
+        address: accountInfo.address,
+        chain: chainConfig.name,
+        tokens: tokens.map((t) => ({
           address: t.address,
           symbol: t.symbol,
-          decimals: String(t.decimals),
+          decimals: t.decimals,
           balance: t.balance
         })),
-        [
-          { key: "address", label: "Token Address", width: 44 },
-          { key: "symbol", label: "Symbol", width: 10 },
-          { key: "decimals", label: "Decimals", width: 10 },
-          { key: "balance", label: "Balance", width: 24 }
-        ]
-      );
+        total: tokens.length
+      });
     } catch (err) {
       outputError(-32e3, sanitizeErrorMessage(err.message));
     }
@@ -3337,7 +3540,7 @@ function registerQueryCommand(program2, ctx) {
         return;
       }
       spinner.stop();
-      outputSuccess({
+      outputResult({
         hash: receipt.transactionHash,
         status: receipt.status,
         block: receipt.blockNumber.toString(),
@@ -3360,7 +3563,7 @@ function registerQueryCommand(program2, ctx) {
         ctx.walletClient.getGasPrice()
       ]);
       spinner.stop();
-      outputSuccess({
+      outputResult({
         chainId: chainConfig.id,
         name: chainConfig.name,
         nativeCurrency: chainConfig.nativeCurrency.symbol,
@@ -3390,7 +3593,7 @@ function registerQueryCommand(program2, ctx) {
       const isContract = !!code && code !== "0x";
       const codeSize = isContract ? (code.length - 2) / 2 : 0;
       spinner.stop();
-      outputSuccess({
+      outputResult({
         address: addr,
         chain: chainConfig.name,
         type: isContract ? "contract" : "EOA",
@@ -3431,53 +3634,15 @@ function resolveCurrentChain(ctx) {
 function isHex66(s) {
   return /^0x[0-9a-fA-F]{64}$/.test(s);
 }
-function outputSuccess(result) {
-  console.log(JSON.stringify({ success: true, result }, null, 2));
-}
-function outputError(code, message, data) {
-  txError({ code, message, data });
-  process.exitCode = 1;
-}
 
 // src/commands/security.ts
 import ora5 from "ora";
-
-// src/utils/contracts/securityHook.ts
-import { encodeFunctionData as encodeFunctionData2, parseAbi as parseAbi2, pad, toHex as toHex6 } from "viem";
-function encodeInstallHook(walletAddress, hookAddress, safetyDelay = DEFAULT_SAFETY_DELAY, capabilityFlags = DEFAULT_CAPABILITY) {
-  const safetyDelayHex = pad(toHex6(safetyDelay), { size: 4 }).slice(2);
-  const hookAndData = hookAddress + safetyDelayHex;
-  const callData = encodeFunctionData2({
-    abi: parseAbi2(["function installHook(bytes calldata hookAndData, uint8 capabilityFlags)"]),
-    functionName: "installHook",
-    args: [hookAndData, capabilityFlags]
-  });
-  return { to: walletAddress, value: "0", data: callData };
-}
-function encodeUninstallHook(walletAddress, hookAddress) {
-  const callData = encodeFunctionData2({
-    abi: parseAbi2(["function uninstallHook(address)"]),
-    functionName: "uninstallHook",
-    args: [hookAddress]
-  });
-  return { to: walletAddress, value: "0", data: callData };
-}
-function encodeForcePreUninstall(hookAddress) {
-  const callData = encodeFunctionData2({
-    abi: parseAbi2(["function forcePreUninstall()"]),
-    functionName: "forcePreUninstall",
-    args: []
-  });
-  return { to: hookAddress, value: "0", data: callData };
-}
-
-// src/commands/security.ts
-var ERR_ACCOUNT_NOT_READY2 = -32002;
+var ERR_ACCOUNT_NOT_READY3 = -32002;
 var ERR_HOOK_AUTH_FAILED = -32007;
 var ERR_EMAIL_NOT_BOUND = -32010;
 var ERR_SAFETY_DELAY = -32011;
 var ERR_OTP_VERIFY_FAILED = -32012;
-var ERR_INTERNAL2 = -32e3;
+var ERR_INTERNAL3 = -32e3;
 var SecurityError = class extends Error {
   code;
   data;
@@ -3490,33 +3655,32 @@ var SecurityError = class extends Error {
 };
 function handleSecurityError(err) {
   if (err instanceof SecurityError) {
-    txError({ code: err.code, message: sanitizeErrorMessage(err.message), data: err.data });
+    outputError(err.code, err.message, err.data);
   } else {
-    txError({
-      code: ERR_INTERNAL2,
-      message: sanitizeErrorMessage(err.message ?? String(err))
-    });
+    outputError(ERR_INTERNAL3, err.message ?? String(err));
   }
-  process.exitCode = 1;
 }
 function initSecurityContext(ctx) {
-  if (!ctx.deviceKey) {
-    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "Wallet not initialized. Run `elytro init` first.");
+  if (!ctx.keyring.isUnlocked) {
+    throw new SecurityError(
+      ERR_ACCOUNT_NOT_READY3,
+      "Keyring is locked. Run `elytro init` to initialize, or check your secret provider (Keychain / ELYTRO_VAULT_SECRET)."
+    );
   }
   const current = ctx.account.currentAccount;
   if (!current) {
-    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "No account selected. Run `elytro account create` first.");
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY3, "No account selected. Run `elytro account create` first.");
   }
   const account = ctx.account.resolveAccount(current.alias ?? current.address);
   if (!account) {
-    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "Account not found.");
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY3, "Account not found.");
   }
   if (!account.isDeployed) {
-    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "Account not deployed. Run `elytro account activate` first.");
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY3, "Account not deployed. Run `elytro account activate` first.");
   }
   const chainConfig = ctx.chain.chains.find((c) => c.id === account.chainId);
   if (!chainConfig) {
-    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, `No chain config for chainId ${account.chainId}.`);
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY3, `No chain config for chainId ${account.chainId}.`);
   }
   ctx.walletClient.initForChain(chainConfig);
   const hookService = new SecurityHookService({
@@ -3575,14 +3739,8 @@ async function signAndSend(ctx, chainConfig, userOp, spinner) {
   spinner.text = "Waiting for receipt...";
   const receipt = await ctx.sdk.waitForReceipt(opHash);
   spinner.stop();
-  if (receipt.success) {
-    success("Transaction confirmed!");
-    info("Tx Hash", receipt.transactionHash);
-    if (chainConfig.blockExplorer) {
-      info("Explorer", `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}`);
-    }
-  } else {
-    throw new SecurityError(ERR_INTERNAL2, "Transaction reverted on-chain.", {
+  if (!receipt.success) {
+    throw new SecurityError(ERR_INTERNAL3, "Transaction reverted on-chain.", {
       txHash: receipt.transactionHash
     });
   }
@@ -3611,14 +3769,8 @@ async function signWithHookAndSend(ctx, chainConfig, account, hookService, userO
   spinner.text = "Waiting for receipt...";
   const receipt = await ctx.sdk.waitForReceipt(opHash);
   spinner.stop();
-  if (receipt.success) {
-    success("Transaction confirmed!");
-    info("Tx Hash", receipt.transactionHash);
-    if (chainConfig.blockExplorer) {
-      info("Explorer", `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}`);
-    }
-  } else {
-    throw new SecurityError(ERR_INTERNAL2, "Transaction reverted on-chain.", {
+  if (!receipt.success) {
+    throw new SecurityError(ERR_INTERNAL3, "Transaction reverted on-chain.", {
       txHash: receipt.transactionHash
     });
   }
@@ -3629,14 +3781,12 @@ async function handleOtpChallenge(hookService, account, ctx, userOp, hookResult)
   if (errCode !== "OTP_REQUIRED" && errCode !== "SPENDING_LIMIT_EXCEEDED") {
     throw new SecurityError(ERR_HOOK_AUTH_FAILED, `Hook authorization failed: ${err.message ?? errCode}`);
   }
-  warn(err.message ?? `Verification required (${errCode}).`);
-  if (err.maskedEmail) {
-    info("OTP sent to", err.maskedEmail);
-  }
-  if (errCode === "SPENDING_LIMIT_EXCEEDED" && err.projectedSpendUsdCents !== void 0) {
-    info("Projected spend", `$${(err.projectedSpendUsdCents / 100).toFixed(2)}`);
-    info("Daily limit", `$${((err.dailyLimitUsdCents ?? 0) / 100).toFixed(2)}`);
-  }
+  console.error(JSON.stringify({
+    challenge: errCode,
+    message: err.message ?? `Verification required (${errCode}).`,
+    ...err.maskedEmail ? { maskedEmail: err.maskedEmail } : {},
+    ...errCode === "SPENDING_LIMIT_EXCEEDED" && err.projectedSpendUsdCents !== void 0 ? { projectedSpendUsd: (err.projectedSpendUsdCents / 100).toFixed(2), dailyLimitUsd: ((err.dailyLimitUsdCents ?? 0) / 100).toFixed(2) } : {}
+  }, null, 2));
   const otpCode = await askInput("Enter the 6-digit OTP code:");
   const verifySpinner = ora5("Verifying OTP...").start();
   try {
@@ -3676,37 +3826,34 @@ function registerSecurityCommand(program2, ctx) {
       } catch {
       }
       spinner.stop();
-      heading("Security Status");
-      info("Account", `${account.alias} (${address(account.address)})`);
-      info("Chain", `${chainConfig.name} (${account.chainId})`);
-      info("Hook Installed", hookStatus.installed ? "Yes" : "No");
-      if (hookStatus.installed) {
-        info("Hook Address", address(hookStatus.hookAddress));
-        info(
-          "Capabilities",
-          [
-            hookStatus.capabilities.preUserOpValidation && "UserOp",
-            hookStatus.capabilities.preIsValidSignature && "Signature"
-          ].filter(Boolean).join(" + ") || "None"
-        );
-        if (hookStatus.forceUninstall.initiated) {
-          info(
-            "Force Uninstall",
-            hookStatus.forceUninstall.canExecute ? "Ready to execute" : `Pending until ${hookStatus.forceUninstall.availableAfter}`
-          );
-        }
-      }
-      if (profile) {
-        console.log("");
-        info("Email", profile.maskedEmail ?? profile.email ?? "Not bound");
-        info("Email Verified", profile.emailVerified ? "Yes" : "No");
-        if (profile.dailyLimitUsdCents !== void 0) {
-          info("Daily Limit", `$${(profile.dailyLimitUsdCents / 100).toFixed(2)}`);
-        }
-      } else if (hookStatus.installed) {
-        console.log("");
-        warn("Security profile not loaded (not yet authenticated or email not bound).");
-      }
+      outputResult({
+        account: account.alias,
+        address: account.address,
+        chain: chainConfig.name,
+        chainId: account.chainId,
+        hookInstalled: hookStatus.installed,
+        ...hookStatus.installed ? {
+          hookAddress: hookStatus.hookAddress,
+          capabilities: {
+            preUserOpValidation: hookStatus.capabilities.preUserOpValidation,
+            preIsValidSignature: hookStatus.capabilities.preIsValidSignature
+          },
+          ...hookStatus.forceUninstall.initiated ? {
+            forceUninstall: {
+              initiated: true,
+              canExecute: hookStatus.forceUninstall.canExecute,
+              availableAfter: hookStatus.forceUninstall.availableAfter
+            }
+          } : {}
+        } : {},
+        ...profile ? {
+          profile: {
+            email: profile.maskedEmail ?? profile.email ?? null,
+            emailVerified: profile.emailVerified,
+            ...profile.dailyLimitUsdCents !== void 0 ? { dailyLimitUsd: (profile.dailyLimitUsdCents / 100).toFixed(2) } : {}
+          }
+        } : {}
+      });
     } catch (err) {
       handleSecurityError(err);
     }
@@ -3724,25 +3871,22 @@ function registerSecurityCommand(program2, ctx) {
       const currentStatus = await hookService.getHookStatus(account.address, account.chainId);
       spinner.stop();
       if (currentStatus.installed) {
-        warn("SecurityHook is already installed on this account.");
+        outputResult({ status: "already_installed", account: account.alias, address: account.address });
         return;
       }
       const hookAddress = SECURITY_HOOK_ADDRESS_MAP[account.chainId];
       if (!hookAddress) {
-        throw new SecurityError(ERR_INTERNAL2, `SecurityHook not deployed on chain ${account.chainId}.`);
+        throw new SecurityError(ERR_INTERNAL3, `SecurityHook not deployed on chain ${account.chainId}.`);
       }
       const capabilityFlags = Number(opts.capability);
       if (![1, 2, 3].includes(capabilityFlags)) {
-        throw new SecurityError(ERR_INTERNAL2, "Invalid capability flags. Use 1, 2, or 3.");
-      }
-      heading("Install SecurityHook");
-      info("Account", `${account.alias} (${address(account.address)})`);
-      info("Hook Address", address(hookAddress));
-      info("Capability", CAPABILITY_LABELS[capabilityFlags]);
-      info("Safety Delay", `${DEFAULT_SAFETY_DELAY}s`);
-      const confirmed = await askConfirm("Proceed with hook installation?");
+        throw new SecurityError(ERR_INTERNAL3, "Invalid capability flags. Use 1, 2, or 3.");
+      }
+      const confirmed = await askConfirm(
+        `Install SecurityHook on ${account.alias} (${address(account.address)})? Capability: ${CAPABILITY_LABELS[capabilityFlags]}, Safety Delay: ${DEFAULT_SAFETY_DELAY}s`
+      );
       if (!confirmed) {
-        warn("Cancelled.");
+        outputResult({ status: "cancelled" });
         return;
       }
       const installTx = encodeInstallHook(account.address, hookAddress, DEFAULT_SAFETY_DELAY, capabilityFlags);
@@ -3750,7 +3894,14 @@ function registerSecurityCommand(program2, ctx) {
       try {
         const userOp = await buildUserOp2(ctx, chainConfig, account, [installTx], buildSpinner);
         await signAndSend(ctx, chainConfig, userOp, buildSpinner);
-        success("SecurityHook installed successfully!");
+        outputResult({
+          status: "installed",
+          account: account.alias,
+          address: account.address,
+          hookAddress,
+          capability: CAPABILITY_LABELS[capabilityFlags],
+          safetyDelay: DEFAULT_SAFETY_DELAY
+        });
       } catch (innerErr) {
         buildSpinner.stop();
         throw innerErr;
@@ -3767,7 +3918,7 @@ function registerSecurityCommand(program2, ctx) {
       const currentStatus = await hookService.getHookStatus(account.address, account.chainId);
       spinner.stop();
       if (!currentStatus.installed) {
-        warn("SecurityHook is not installed on this account.");
+        outputResult({ status: "not_installed", account: account.alias, address: account.address });
         return;
       }
       const hookAddress = currentStatus.hookAddress;
@@ -3796,8 +3947,7 @@ function registerSecurityCommand(program2, ctx) {
         throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(err.message));
       }
       spinner.stop();
-      info("OTP sent to", bindingResult.maskedEmail);
-      info("Expires at", bindingResult.otpExpiresAt);
+      console.error(JSON.stringify({ otpSentTo: bindingResult.maskedEmail, expiresAt: bindingResult.otpExpiresAt }, null, 2));
       const otpCode = await askInput("Enter the 6-digit OTP code:");
       const confirmSpinner = ora5("Confirming email binding...").start();
       try {
@@ -3808,9 +3958,11 @@ function registerSecurityCommand(program2, ctx) {
           otpCode.trim()
         );
         confirmSpinner.stop();
-        success("Email bound successfully!");
-        info("Email", profile.maskedEmail ?? profile.email ?? emailAddr);
-        info("Verified", profile.emailVerified ? "Yes" : "No");
+        outputResult({
+          status: "email_bound",
+          email: profile.maskedEmail ?? profile.email ?? emailAddr,
+          emailVerified: profile.emailVerified
+        });
       } catch (err) {
         confirmSpinner.stop();
         throw new SecurityError(
@@ -3835,7 +3987,7 @@ function registerSecurityCommand(program2, ctx) {
         throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(err.message));
       }
       spinner.stop();
-      info("OTP sent to", bindingResult.maskedEmail);
+      console.error(JSON.stringify({ otpSentTo: bindingResult.maskedEmail }, null, 2));
       const otpCode = await askInput("Enter the 6-digit OTP code:");
       const confirmSpinner = ora5("Confirming email change...").start();
       try {
@@ -3846,8 +3998,10 @@ function registerSecurityCommand(program2, ctx) {
           otpCode.trim()
         );
         confirmSpinner.stop();
-        success("Email changed successfully!");
-        info("Email", profile.maskedEmail ?? profile.email ?? emailAddr);
+        outputResult({
+          status: "email_changed",
+          email: profile.maskedEmail ?? profile.email ?? emailAddr
+        });
       } catch (err) {
         confirmSpinner.stop();
         throw new SecurityError(
@@ -3886,11 +4040,9 @@ async function handleForceExecute(ctx, chainConfig, account, currentStatus) {
       `Safety delay not elapsed. Available after ${currentStatus.forceUninstall.availableAfter}.`
     );
   }
-  heading("Execute Force Uninstall");
-  info("Account", `${account.alias} (${address(account.address)})`);
-  const confirmed = await askConfirm("Execute force uninstall? This will remove the SecurityHook.");
+  const confirmed = await askConfirm(`Execute force uninstall on ${account.alias} (${address(account.address)})? This will remove the SecurityHook.`);
   if (!confirmed) {
-    warn("Cancelled.");
+    outputResult({ status: "cancelled" });
     return;
   }
   const uninstallTx = encodeUninstallHook(account.address, currentStatus.hookAddress);
@@ -3898,6 +4050,7 @@ async function handleForceExecute(ctx, chainConfig, account, currentStatus) {
   try {
     const userOp = await buildUserOp2(ctx, chainConfig, account, [uninstallTx], spinner);
     await signAndSend(ctx, chainConfig, userOp, spinner);
+    outputResult({ status: "force_uninstalled", account: account.alias, address: account.address });
   } catch (err) {
     spinner.stop();
     throw err;
@@ -3905,22 +4058,19 @@ async function handleForceExecute(ctx, chainConfig, account, currentStatus) {
 }
 async function handleForceStart(ctx, chainConfig, account, currentStatus, hookAddress) {
   if (currentStatus.forceUninstall.initiated) {
-    if (currentStatus.forceUninstall.canExecute) {
-      info("Force Uninstall", "Ready to execute. Run `security 2fa uninstall --force --execute`.");
-    } else {
-      info(
-        "Force Uninstall",
-        `Already initiated. Available after ${currentStatus.forceUninstall.availableAfter}.`
-      );
-    }
+    outputResult({
+      status: "already_initiated",
+      canExecute: currentStatus.forceUninstall.canExecute,
+      availableAfter: currentStatus.forceUninstall.availableAfter,
+      hint: currentStatus.forceUninstall.canExecute ? "Run `security 2fa uninstall --force --execute`." : `Wait until ${currentStatus.forceUninstall.availableAfter}.`
+    });
     return;
   }
-  heading("Start Force Uninstall");
-  info("Account", `${account.alias} (${address(account.address)})`);
-  warn(`After starting, you must wait the safety delay (${DEFAULT_SAFETY_DELAY}s) before executing.`);
-  const confirmed = await askConfirm("Start force-uninstall countdown?");
+  const confirmed = await askConfirm(
+    `Start force-uninstall countdown on ${account.alias} (${address(account.address)})? You must wait ${DEFAULT_SAFETY_DELAY}s before executing.`
+  );
   if (!confirmed) {
-    warn("Cancelled.");
+    outputResult({ status: "cancelled" });
     return;
   }
   const preUninstallTx = encodeForcePreUninstall(hookAddress);
@@ -3928,17 +4078,21 @@ async function handleForceStart(ctx, chainConfig, account, currentStatus, hookAd
   try {
     const userOp = await buildUserOp2(ctx, chainConfig, account, [preUninstallTx], spinner);
     await signAndSend(ctx, chainConfig, userOp, spinner);
+    outputResult({
+      status: "force_uninstall_started",
+      account: account.alias,
+      address: account.address,
+      safetyDelay: DEFAULT_SAFETY_DELAY
+    });
   } catch (err) {
     spinner.stop();
     throw err;
   }
 }
 async function handleNormalUninstall(ctx, chainConfig, account, hookService, hookAddress) {
-  heading("Uninstall SecurityHook");
-  info("Account", `${account.alias} (${address(account.address)})`);
-  const confirmed = await askConfirm("Proceed with hook uninstall? (requires 2FA approval)");
+  const confirmed = await askConfirm(`Uninstall SecurityHook from ${account.alias} (${address(account.address)})? (requires 2FA approval)`);
   if (!confirmed) {
-    warn("Cancelled.");
+    outputResult({ status: "cancelled" });
     return;
   }
   const uninstallTx = encodeUninstallHook(account.address, hookAddress);
@@ -3946,6 +4100,7 @@ async function handleNormalUninstall(ctx, chainConfig, account, hookService, hoo
   try {
     const userOp = await buildUserOp2(ctx, chainConfig, account, [uninstallTx], spinner);
     await signWithHookAndSend(ctx, chainConfig, account, hookService, userOp, spinner);
+    outputResult({ status: "uninstalled", account: account.alias, address: account.address });
   } catch (err) {
     spinner.stop();
     throw err;
@@ -3962,24 +4117,23 @@ async function showSpendingLimit(hookService, account) {
   }
   spinner.stop();
   if (!profile) {
-    warn("No security profile found. Bind an email first: `elytro security email bind <email>`.");
+    outputResult({
+      status: "no_profile",
+      hint: "Bind an email first: `elytro security email bind <email>`."
+    });
     return;
   }
-  heading("Spending Limit");
-  info(
-    "Daily Limit",
-    profile.dailyLimitUsdCents !== void 0 ? `$${(profile.dailyLimitUsdCents / 100).toFixed(2)}` : "Not set"
-  );
-  info("Email", profile.maskedEmail ?? "Not bound");
+  outputResult({
+    dailyLimitUsd: profile.dailyLimitUsdCents !== void 0 ? (profile.dailyLimitUsdCents / 100).toFixed(2) : null,
+    email: profile.maskedEmail ?? null
+  });
 }
 async function setSpendingLimit(hookService, account, amountStr) {
   const amountUsd = parseFloat(amountStr);
   if (isNaN(amountUsd) || amountUsd < 0) {
-    throw new SecurityError(ERR_INTERNAL2, "Invalid amount. Provide a positive number in USD.");
+    throw new SecurityError(ERR_INTERNAL3, "Invalid amount. Provide a positive number in USD.");
   }
   const dailyLimitUsdCents = Math.round(amountUsd * 100);
-  heading("Set Daily Spending Limit");
-  info("New Limit", `$${amountUsd.toFixed(2)}`);
   const spinner = ora5("Requesting OTP for limit change...").start();
   let otpResult;
   try {
@@ -3993,13 +4147,16 @@ async function setSpendingLimit(hookService, account, amountStr) {
     throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(msg));
   }
   spinner.stop();
-  info("OTP sent to", otpResult.maskedEmail);
+  console.error(JSON.stringify({ otpSentTo: otpResult.maskedEmail }, null, 2));
   const otpCode = await askInput("Enter the 6-digit OTP code:");
   const setSpinner = ora5("Setting daily limit...").start();
   try {
     await hookService.setDailyLimit(account.address, account.chainId, dailyLimitUsdCents, otpCode.trim());
     setSpinner.stop();
-    success(`Daily limit set to $${amountUsd.toFixed(2)}.`);
+    outputResult({
+      status: "daily_limit_set",
+      dailyLimitUsd: amountUsd.toFixed(2)
+    });
   } catch (err) {
     setSpinner.stop();
     throw new SecurityError(
@@ -4022,58 +4179,51 @@ function maskKey(value) {
 function registerConfigCommand(program2, ctx) {
   const configCmd = program2.command("config").description("Manage CLI configuration (API keys, RPC endpoints)");
   configCmd.command("show").description("Show current endpoint configuration").action(() => {
-    heading("Configuration");
     const keys = ctx.chain.getUserKeys();
-    const hasAlchemy = !!keys.alchemyKey;
-    const hasPimlico = !!keys.pimlicoKey;
-    info("RPC provider", hasAlchemy ? "Alchemy (user-configured)" : "Public (publicnode.com)");
-    info("Bundler provider", hasPimlico ? "Pimlico (user-configured)" : "Public (pimlico.io/public)");
-    if (keys.alchemyKey) {
-      info("Alchemy key", maskKey(keys.alchemyKey));
-    }
-    if (keys.pimlicoKey) {
-      info("Pimlico key", maskKey(keys.pimlicoKey));
-    }
-    console.log("");
     const chain = ctx.chain.currentChain;
-    info("Current chain", `${chain.name} (${chain.id})`);
-    info("RPC endpoint", maskApiKeys(chain.endpoint));
-    info("Bundler", maskApiKeys(chain.bundler));
-    if (!hasAlchemy || !hasPimlico) {
-      console.log("");
-      warn("Public endpoints have rate limits. Set your own keys for production use:");
-      if (!hasAlchemy) console.log("  elytro config set alchemy-key <YOUR_KEY>");
-      if (!hasPimlico) console.log("  elytro config set pimlico-key <YOUR_KEY>");
-    }
+    outputResult({
+      rpcProvider: keys.alchemyKey ? "Alchemy (user-configured)" : "Public (publicnode.com)",
+      bundlerProvider: keys.pimlicoKey ? "Pimlico (user-configured)" : "Public (pimlico.io/public)",
+      ...keys.alchemyKey ? { alchemyKey: maskKey(keys.alchemyKey) } : {},
+      ...keys.pimlicoKey ? { pimlicoKey: maskKey(keys.pimlicoKey) } : {},
+      currentChain: chain.name,
+      chainId: chain.id,
+      rpcEndpoint: maskApiKeys(chain.endpoint),
+      bundler: maskApiKeys(chain.bundler)
+    });
   });
   configCmd.command("set <key> <value>").description(`Set an API key (${VALID_KEYS.join(" | ")})`).action(async (key, value) => {
     const mapped = KEY_MAP[key];
     if (!mapped) {
-      error(`Unknown key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
-      process.exitCode = 1;
+      outputError(-32602, `Unknown key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
       return;
     }
     await ctx.chain.setUserKey(mapped, value);
-    success(`${key} saved. Endpoints updated.`);
     const chain = ctx.chain.currentChain;
-    info("RPC endpoint", maskApiKeys(chain.endpoint));
-    info("Bundler", maskApiKeys(chain.bundler));
+    outputResult({
+      key,
+      status: "saved",
+      rpcEndpoint: maskApiKeys(chain.endpoint),
+      bundler: maskApiKeys(chain.bundler)
+    });
   });
   configCmd.command("remove <key>").description(`Remove an API key and revert to public endpoint (${VALID_KEYS.join(" | ")})`).action(async (key) => {
     const mapped = KEY_MAP[key];
     if (!mapped) {
-      error(`Unknown key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
-      process.exitCode = 1;
+      outputError(-32602, `Unknown key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
       return;
     }
     await ctx.chain.removeUserKey(mapped);
-    success(`${key} removed. Reverted to public endpoint.`);
+    outputResult({
+      key,
+      status: "removed"
+    });
   });
 }
 
 // src/index.ts
 var program = new Command();
-program.name("elytro").description("Elytro \u2014 ERC-4337 Smart Account Wallet CLI").version("0.0.1");
+program.name("elytro").description("Elytro \u2014 ERC-4337 Smart Account Wallet CLI").version("0.0.1").addHelpText("after", "\nLearn how to use Elytro skills: https://github.com/Elytro-eth/skills\n");
 async function main() {
   let ctx = null;
   try {
@@ -4086,8 +4236,7 @@ async function main() {
     registerConfigCommand(program, ctx);
     await program.parseAsync(process.argv);
   } catch (err) {
-    error(sanitizeErrorMessage(err.message));
-    process.exitCode = 1;
+    outputError(-32e3, sanitizeErrorMessage(err.message));
   } finally {
     ctx?.keyring.lock();
   }