@elytro/cli 0.1.0

package/dist/index.js

@@ -0,0 +1,4095 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/utils/graphqlClient.ts
+async function requestGraphQL(options) {
+  const { endpoint, query, variables, headers, timeoutMs = 15e3 } = options;
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+        ...headers
+      },
+      body: JSON.stringify({ query, variables }),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      throw new GraphQLHttpError(`HTTP ${response.status}: ${text.slice(0, 200)}`, response.status);
+    }
+    const json = await response.json();
+    if (json.errors && json.errors.length > 0) {
+      const messages = json.errors.map((e) => e.message ?? "Unknown GraphQL error").join("; ");
+      throw new GraphQLClientError(`GraphQL errors: ${messages}`, json.errors);
+    }
+    if (!json.data) {
+      throw new Error("No data returned in GraphQL response");
+    }
+    return json.data;
+  } catch (err) {
+    if (err instanceof Error) {
+      if (err.name === "AbortError") {
+        throw new Error(`Request timeout after ${timeoutMs}ms`);
+      }
+      throw err;
+    }
+    throw new Error(`Network error: ${String(err)}`);
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+var GraphQLClientError, GraphQLHttpError;
+var init_graphqlClient = __esm({
+  "src/utils/graphqlClient.ts"() {
+    "use strict";
+    GraphQLClientError = class extends Error {
+      constructor(message, errors) {
+        super(message);
+        this.errors = errors;
+        this.name = "GraphQLClientError";
+      }
+    };
+    GraphQLHttpError = class extends Error {
+      constructor(message, status) {
+        super(message);
+        this.status = status;
+        this.name = "GraphQLHttpError";
+      }
+    };
+  }
+});
+
+// src/utils/sponsor.ts
+var sponsor_exports = {};
+__export(sponsor_exports, {
+  applySponsorToUserOp: () => applySponsorToUserOp,
+  registerAccount: () => registerAccount,
+  requestSponsorship: () => requestSponsorship
+});
+import { toHex as toHex4 } from "viem";
+async function registerAccount(graphqlEndpoint, address2, chainId, index, initialKeys, initialGuardianHash, initialGuardianSafePeriod) {
+  try {
+    await requestGraphQL({
+      endpoint: graphqlEndpoint,
+      query: CREATE_ACCOUNT_MUTATION,
+      variables: {
+        input: {
+          address: address2,
+          chainID: toHex4(chainId),
+          initInfo: {
+            index,
+            initialKeys,
+            initialGuardianHash,
+            initialGuardianSafePeriod: toHex4(initialGuardianSafePeriod)
+          }
+        }
+      }
+    });
+    return { success: true, error: null };
+  } catch (err) {
+    return { success: false, error: err.message };
+  }
+}
+function formatHex(value) {
+  if (typeof value === "string" && value.startsWith("0x")) {
+    return value;
+  }
+  return toHex4(value);
+}
+function paddingBytesToEven(value) {
+  if (!value) return null;
+  const hexValue = value.startsWith("0x") ? value.slice(2) : value;
+  const paddedHex = hexValue.length % 2 === 1 ? "0" + hexValue : hexValue;
+  return "0x" + paddedHex;
+}
+async function requestSponsorship(graphqlEndpoint, chainId, entryPoint, userOp) {
+  try {
+    const data = await requestGraphQL({
+      endpoint: graphqlEndpoint,
+      query: SPONSOR_OP_MUTATION,
+      variables: {
+        input: {
+          chainID: toHex4(chainId),
+          entryPoint,
+          op: {
+            sender: userOp.sender,
+            nonce: formatHex(userOp.nonce),
+            factory: userOp.factory,
+            factoryData: userOp.factory === null ? null : paddingBytesToEven(userOp.factoryData),
+            callData: userOp.callData,
+            callGasLimit: formatHex(userOp.callGasLimit),
+            verificationGasLimit: formatHex(userOp.verificationGasLimit),
+            preVerificationGas: formatHex(userOp.preVerificationGas),
+            maxFeePerGas: formatHex(userOp.maxFeePerGas),
+            maxPriorityFeePerGas: formatHex(userOp.maxPriorityFeePerGas),
+            signature: SPONSOR_DUMMY_SIGNATURE
+          }
+        }
+      }
+    });
+    if (!data.sponsorOp) {
+      return { sponsor: null, error: "No sponsorOp in response data" };
+    }
+    const sponsor = data.sponsorOp;
+    if (!sponsor.paymaster) {
+      return { sponsor: null, error: "Sponsor returned empty paymaster address" };
+    }
+    return {
+      sponsor: {
+        paymaster: sponsor.paymaster,
+        paymasterData: sponsor.paymasterData,
+        callGasLimit: sponsor.callGasLimit,
+        verificationGasLimit: sponsor.verificationGasLimit,
+        preVerificationGas: sponsor.preVerificationGas,
+        paymasterVerificationGasLimit: sponsor.paymasterVerificationGasLimit,
+        paymasterPostOpGasLimit: sponsor.paymasterPostOpGasLimit
+      },
+      error: null
+    };
+  } catch (err) {
+    return { sponsor: null, error: err.message };
+  }
+}
+function applySponsorToUserOp(userOp, sponsor) {
+  userOp.paymaster = sponsor.paymaster;
+  userOp.paymasterData = sponsor.paymasterData;
+  if (sponsor.callGasLimit) {
+    userOp.callGasLimit = BigInt(sponsor.callGasLimit);
+  }
+  if (sponsor.verificationGasLimit) {
+    userOp.verificationGasLimit = BigInt(sponsor.verificationGasLimit);
+  }
+  if (sponsor.preVerificationGas) {
+    userOp.preVerificationGas = BigInt(sponsor.preVerificationGas);
+  }
+  if (sponsor.paymasterVerificationGasLimit) {
+    userOp.paymasterVerificationGasLimit = BigInt(sponsor.paymasterVerificationGasLimit);
+  }
+  if (sponsor.paymasterPostOpGasLimit) {
+    userOp.paymasterPostOpGasLimit = BigInt(sponsor.paymasterPostOpGasLimit);
+  }
+}
+var SPONSOR_DUMMY_SIGNATURE, CREATE_ACCOUNT_MUTATION, SPONSOR_OP_MUTATION;
+var init_sponsor = __esm({
+  "src/utils/sponsor.ts"() {
+    "use strict";
+    init_graphqlClient();
+    SPONSOR_DUMMY_SIGNATURE = "0xea50a2874df3eEC9E0365425ba948989cd63FED6000000620100005f5e0fff000fffffffff0000000000000000000000000000000000000000b91467e570a6466aa9e9876cbcd013baba02900b8979d43fe208a4a4f339f5fd6007e74cd82e037b800186422fc2da167c747ef045e5d18a5f5d4300f8e1a0291c";
+    CREATE_ACCOUNT_MUTATION = `
+  mutation CreateAccount($input: CreateAccountInput!) {
+    createAccount(input: $input) {
+      address
+      chainID
+      initInfo {
+        index
+        initialKeys
+        initialGuardianHash
+        initialGuardianSafePeriod
+      }
+    }
+  }
+`;
+    SPONSOR_OP_MUTATION = `
+  mutation SponsorOp($input: SponsorOpInput!) {
+    sponsorOp(input: $input) {
+      callGasLimit
+      paymaster
+      paymasterData
+      paymasterPostOpGasLimit
+      paymasterVerificationGasLimit
+      preVerificationGas
+      verificationGasLimit
+    }
+  }
+`;
+  }
+});
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/storage/fileStore.ts
+import { readFile, writeFile, mkdir, access } from "fs/promises";
+import { join, dirname } from "path";
+import { homedir } from "os";
+var FileStore = class {
+  root;
+  constructor(root) {
+    this.root = root ?? join(homedir(), ".elytro");
+  }
+  filePath(key) {
+    return join(this.root, `${key}.json`);
+  }
+  async load(key) {
+    const path = this.filePath(key);
+    try {
+      const raw = await readFile(path, "utf-8");
+      return JSON.parse(raw);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        return null;
+      }
+      throw err;
+    }
+  }
+  async save(key, data) {
+    const path = this.filePath(key);
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, JSON.stringify(data, null, 2), "utf-8");
+  }
+  async remove(key) {
+    const { unlink } = await import("fs/promises");
+    const path = this.filePath(key);
+    try {
+      await unlink(path);
+    } catch (err) {
+      if (err.code !== "ENOENT") {
+        throw err;
+      }
+    }
+  }
+  async exists(key) {
+    const path = this.filePath(key);
+    try {
+      await access(path);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /** Ensure the root directory exists. Call once at startup. */
+  async init() {
+    await mkdir(this.root, { recursive: true });
+  }
+  get dataDir() {
+    return this.root;
+  }
+};
+
+// src/services/keyring.ts
+import { generatePrivateKey, privateKeyToAccount } from "viem/accounts";
+
+// src/utils/passworder.ts
+import { webcrypto } from "crypto";
+var ITERATIONS = 1e5;
+var KEY_LENGTH = 256;
+var ALGORITHM = "AES-GCM";
+var subtle = webcrypto.subtle;
+async function deriveKey(password2, salt) {
+  const encoder = new TextEncoder();
+  const keyMaterial = await subtle.importKey("raw", encoder.encode(password2), "PBKDF2", false, ["deriveKey"]);
+  return subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: ITERATIONS,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: ALGORITHM, length: KEY_LENGTH },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function encrypt(password2, data) {
+  const salt = webcrypto.getRandomValues(new Uint8Array(16));
+  const iv = webcrypto.getRandomValues(new Uint8Array(12));
+  const key = await deriveKey(password2, salt);
+  const encoder = new TextEncoder();
+  const plaintext = encoder.encode(JSON.stringify(data));
+  const ciphertext = await subtle.encrypt({ name: ALGORITHM, iv }, key, plaintext);
+  return {
+    data: toHex(ciphertext),
+    iv: toHex(iv),
+    salt: toHex(salt),
+    version: 1
+  };
+}
+async function decrypt(password2, encrypted) {
+  const salt = fromHex(encrypted.salt);
+  const iv = fromHex(encrypted.iv);
+  const ciphertext = fromHex(encrypted.data);
+  const key = await deriveKey(password2, salt);
+  const plaintext = await subtle.decrypt({ name: ALGORITHM, iv }, key, ciphertext);
+  const decoder = new TextDecoder();
+  return JSON.parse(decoder.decode(plaintext));
+}
+async function importRawKey(rawKey) {
+  return subtle.importKey("raw", rawKey, { name: ALGORITHM, length: KEY_LENGTH }, false, ["encrypt", "decrypt"]);
+}
+async function encryptWithKey(rawKey, data) {
+  const iv = webcrypto.getRandomValues(new Uint8Array(12));
+  const key = await importRawKey(rawKey);
+  const encoder = new TextEncoder();
+  const plaintext = encoder.encode(JSON.stringify(data));
+  const ciphertext = await subtle.encrypt({ name: ALGORITHM, iv }, key, plaintext);
+  return {
+    data: toHex(ciphertext),
+    iv: toHex(iv),
+    salt: "",
+    version: 2
+  };
+}
+async function decryptWithKey(rawKey, encrypted) {
+  const iv = fromHex(encrypted.iv);
+  const ciphertext = fromHex(encrypted.data);
+  const key = await importRawKey(rawKey);
+  const plaintext = await subtle.decrypt({ name: ALGORITHM, iv }, key, ciphertext);
+  const decoder = new TextDecoder();
+  return JSON.parse(decoder.decode(plaintext));
+}
+function toHex(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  return Buffer.from(bytes).toString("hex");
+}
+function fromHex(hex) {
+  return new Uint8Array(Buffer.from(hex, "hex"));
+}
+
+// src/services/keyring.ts
+var STORAGE_KEY = "keyring";
+var KeyringService = class {
+  store;
+  vault = null;
+  constructor(store) {
+    this.store = store;
+  }
+  // ─── Initialization ─────────────────────────────────────────────
+  /** Check if a vault (encrypted keyring) already exists on disk. */
+  async isInitialized() {
+    return this.store.exists(STORAGE_KEY);
+  }
+  /**
+   * Create a brand-new vault with one owner.
+   * Called during `elytro init`. Encrypts with device key.
+   */
+  async createNewOwner(deviceKey) {
+    const privateKey = generatePrivateKey();
+    const account = privateKeyToAccount(privateKey);
+    const owner = { id: account.address, key: privateKey };
+    const vault = {
+      owners: [owner],
+      currentOwnerId: account.address
+    };
+    const encrypted = await encryptWithKey(deviceKey, vault);
+    await this.store.save(STORAGE_KEY, encrypted);
+    this.vault = vault;
+    return account.address;
+  }
+  // ─── Unlock / Access ────────────────────────────────────────────
+  /**
+   * Decrypt the vault with the device key.
+   * Called automatically by context at CLI startup.
+   */
+  async unlock(deviceKey) {
+    const encrypted = await this.store.load(STORAGE_KEY);
+    if (!encrypted) {
+      throw new Error("Keyring not initialized. Run `elytro init` first.");
+    }
+    this.vault = await decryptWithKey(deviceKey, encrypted);
+  }
+  /** Lock the vault, clearing decrypted keys from memory. */
+  lock() {
+    this.vault = null;
+  }
+  get isUnlocked() {
+    return this.vault !== null;
+  }
+  // ─── Current owner ──────────────────────────────────────────────
+  get currentOwner() {
+    return this.vault?.currentOwnerId ?? null;
+  }
+  get owners() {
+    return this.vault?.owners.map((o) => o.id) ?? [];
+  }
+  // ─── Signing ────────────────────────────────────────────────────
+  async signMessage(message) {
+    const key = this.getCurrentKey();
+    const account = privateKeyToAccount(key);
+    return account.signMessage({ message: { raw: message } });
+  }
+  /**
+   * Raw ECDSA sign over a 32-byte digest (no EIP-191 prefix).
+   *
+   * Equivalent to extension's `ethers.SigningKey.signDigest()`.
+   * Used for ERC-4337 UserOperation signing where the hash is
+   * already computed by the SDK (userOpHash → packRawHash).
+   */
+  async signDigest(digest) {
+    const key = this.getCurrentKey();
+    const account = privateKeyToAccount(key);
+    return account.sign({ hash: digest });
+  }
+  /**
+   * Get a viem LocalAccount for the current owner.
+   * Useful for SDK operations that need a signer.
+   */
+  getAccount() {
+    const key = this.getCurrentKey();
+    return privateKeyToAccount(key);
+  }
+  // ─── Multi-owner management ─────────────────────────────────────
+  async addOwner(deviceKey) {
+    this.ensureUnlocked();
+    const privateKey = generatePrivateKey();
+    const account = privateKeyToAccount(privateKey);
+    this.vault.owners.push({ id: account.address, key: privateKey });
+    await this.persistVault(deviceKey);
+    return account.address;
+  }
+  async switchOwner(ownerId, deviceKey) {
+    this.ensureUnlocked();
+    const exists = this.vault.owners.some((o) => o.id === ownerId);
+    if (!exists) {
+      throw new Error(`Owner ${ownerId} not found in vault.`);
+    }
+    this.vault.currentOwnerId = ownerId;
+    await this.persistVault(deviceKey);
+  }
+  // ─── Export / Import (password-based for portability) ───────────
+  /**
+   * Export vault encrypted with a user-provided password.
+   * The output can be imported on another device.
+   */
+  async exportVault(password2) {
+    this.ensureUnlocked();
+    return encrypt(password2, this.vault);
+  }
+  /**
+   * Import vault from a password-encrypted backup.
+   * Decrypts with the backup password, then re-encrypts with device key.
+   */
+  async importVault(encrypted, password2, deviceKey) {
+    const vault = await decrypt(password2, encrypted);
+    this.vault = vault;
+    const reEncrypted = await encryptWithKey(deviceKey, vault);
+    await this.store.save(STORAGE_KEY, reEncrypted);
+  }
+  // ─── Rekey (device key rotation) ───────────────────────────────
+  async rekey(newDeviceKey) {
+    this.ensureUnlocked();
+    await this.persistVault(newDeviceKey);
+  }
+  // ─── Internal ───────────────────────────────────────────────────
+  getCurrentKey() {
+    if (!this.vault) {
+      throw new Error("Keyring is locked. Cannot sign.");
+    }
+    const owner = this.vault.owners.find((o) => o.id === this.vault.currentOwnerId);
+    if (!owner) {
+      throw new Error("Current owner key not found in vault.");
+    }
+    return owner.key;
+  }
+  ensureUnlocked() {
+    if (!this.vault) {
+      throw new Error("Keyring is locked. Run `elytro init` first.");
+    }
+  }
+  async persistVault(deviceKey) {
+    if (!this.vault) throw new Error("No vault to persist.");
+    const encrypted = await encryptWithKey(deviceKey, this.vault);
+    await this.store.save(STORAGE_KEY, encrypted);
+  }
+};
+
+// src/utils/config.ts
+var PUBLIC_RPC = {
+  1: "https://ethereum-rpc.publicnode.com",
+  10: "https://optimism-rpc.publicnode.com",
+  42161: "https://arbitrum-one-rpc.publicnode.com",
+  11155111: "https://ethereum-sepolia-rpc.publicnode.com",
+  11155420: "https://optimism-sepolia-rpc.publicnode.com"
+};
+var PUBLIC_BUNDLER = {
+  1: "https://public.pimlico.io/v2/1/rpc",
+  10: "https://public.pimlico.io/v2/10/rpc",
+  42161: "https://public.pimlico.io/v2/42161/rpc",
+  11155111: "https://public.pimlico.io/v2/11155111/rpc",
+  11155420: "https://public.pimlico.io/v2/11155420/rpc"
+};
+function pimlicoUrl(chainSlug, key) {
+  return `https://api.pimlico.io/v2/${chainSlug}/rpc?apikey=${key}`;
+}
+function alchemyUrl(network, key) {
+  return `https://${network}.g.alchemy.com/v2/${key}`;
+}
+var ALCHEMY_NETWORK = {
+  1: "eth-mainnet",
+  10: "opt-mainnet",
+  42161: "arb-mainnet",
+  11155111: "eth-sepolia",
+  11155420: "opt-sepolia"
+};
+var PIMLICO_SLUG = {
+  1: "ethereum",
+  10: "optimism",
+  42161: "arbitrum",
+  11155111: "sepolia",
+  11155420: "optimism-sepolia"
+};
+function resolveEndpoint(chainId, alchemyKey) {
+  if (alchemyKey) {
+    const network = ALCHEMY_NETWORK[chainId];
+    if (network) return alchemyUrl(network, alchemyKey);
+  }
+  return PUBLIC_RPC[chainId] ?? PUBLIC_RPC[11155420];
+}
+function resolveBundler(chainId, pimlicoKey) {
+  if (pimlicoKey) {
+    const slug = PIMLICO_SLUG[chainId];
+    if (slug) return pimlicoUrl(slug, pimlicoKey);
+  }
+  return PUBLIC_BUNDLER[chainId] ?? PUBLIC_BUNDLER[11155420];
+}
+var CHAIN_META = [
+  { id: 1, name: "Ethereum", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://etherscan.io" },
+  { id: 10, name: "Optimism", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://optimistic.etherscan.io" },
+  { id: 42161, name: "Arbitrum One", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://arbiscan.io" },
+  { id: 11155111, name: "Sepolia", nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 }, blockExplorer: "https://sepolia.etherscan.io" },
+  { id: 11155420, name: "Optimism Sepolia", nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 }, blockExplorer: "https://sepolia-optimism.etherscan.io" }
+];
+function buildChains(alchemyKey, pimlicoKey) {
+  return CHAIN_META.map((meta) => ({
+    ...meta,
+    endpoint: resolveEndpoint(meta.id, alchemyKey),
+    bundler: resolveBundler(meta.id, pimlicoKey)
+  }));
+}
+var GRAPHQL_ENDPOINTS = {
+  development: "https://api-dev.soulwallet.io/elytroapi/graphql/",
+  production: "https://api.soulwallet.io/elytroapi/graphql/"
+};
+function getDefaultConfig() {
+  const env = process.env.ELYTRO_ENV ?? "production";
+  return {
+    currentChainId: 11155420,
+    // Default to OP Sepolia for safety
+    chains: buildChains(),
+    graphqlEndpoint: GRAPHQL_ENDPOINTS[env] ?? GRAPHQL_ENDPOINTS["development"]
+  };
+}
+
+// src/services/chain.ts
+var STORAGE_KEY2 = "config";
+var USER_KEYS_KEY = "user-keys";
+var ChainService = class {
+  store;
+  config;
+  userKeys = {};
+  constructor(store) {
+    this.store = store;
+    this.config = getDefaultConfig();
+  }
+  /** Load persisted config and user keys, rebuild chain endpoints. */
+  async init() {
+    this.userKeys = await this.store.load(USER_KEYS_KEY) ?? {};
+    const saved = await this.store.load(STORAGE_KEY2);
+    if (saved) {
+      this.config = { ...getDefaultConfig(), ...saved };
+    }
+    this.config.chains = buildChains(this.userKeys.alchemyKey, this.userKeys.pimlicoKey);
+  }
+  // ─── User Keys ──────────────────────────────────────────────────
+  /** Get current user keys (for display — values are masked). */
+  getUserKeys() {
+    return { ...this.userKeys };
+  }
+  /** Set a user API key and rebuild chain endpoints. */
+  async setUserKey(key, value) {
+    this.userKeys[key] = value;
+    await this.store.save(USER_KEYS_KEY, this.userKeys);
+    this.config.chains = buildChains(this.userKeys.alchemyKey, this.userKeys.pimlicoKey);
+  }
+  /** Remove a user API key and fall back to env / public endpoints. */
+  async removeUserKey(key) {
+    delete this.userKeys[key];
+    await this.store.save(USER_KEYS_KEY, this.userKeys);
+    this.config.chains = buildChains(this.userKeys.alchemyKey, this.userKeys.pimlicoKey);
+  }
+  // ─── Getters ────────────────────────────────────────────────────
+  get currentChain() {
+    const chain = this.config.chains.find((c) => c.id === this.config.currentChainId);
+    if (!chain) {
+      throw new Error(`Chain ${this.config.currentChainId} not found in config.`);
+    }
+    return chain;
+  }
+  get currentChainId() {
+    return this.config.currentChainId;
+  }
+  get chains() {
+    return this.config.chains;
+  }
+  get graphqlEndpoint() {
+    return this.config.graphqlEndpoint;
+  }
+  get fullConfig() {
+    return { ...this.config };
+  }
+  // ─── Mutations ──────────────────────────────────────────────────
+  async switchChain(chainId) {
+    const chain = this.config.chains.find((c) => c.id === chainId);
+    if (!chain) {
+      throw new Error(`Chain ${chainId} is not configured.`);
+    }
+    this.config.currentChainId = chainId;
+    await this.persist();
+    return chain;
+  }
+  async addChain(chain) {
+    if (this.config.chains.some((c) => c.id === chain.id)) {
+      throw new Error(`Chain ${chain.id} already exists.`);
+    }
+    this.config.chains.push(chain);
+    await this.persist();
+  }
+  async removeChain(chainId) {
+    if (chainId === this.config.currentChainId) {
+      throw new Error("Cannot remove the currently selected chain.");
+    }
+    this.config.chains = this.config.chains.filter((c) => c.id !== chainId);
+    await this.persist();
+  }
+  // ─── Internal ───────────────────────────────────────────────────
+  async persist() {
+    await this.store.save(STORAGE_KEY2, this.config);
+  }
+};
+
+// src/services/sdk.ts
+import { padHex, createPublicClient, http, toHex as toHex2, parseEther } from "viem";
+var DEFAULT_GUARDIAN_HASH = "0x0000000000000000000000000000000000000000000000000000000000000001";
+var DEFAULT_GUARDIAN_SAFE_PERIOD = 172800;
+var ENTRYPOINT_CONFIGS = {
+  "v0.7": {
+    entryPoint: "0x0000000071727De22E5E9d8BAf0edAc6f37da032",
+    factory: "0x70B616f23bDDB18c5c412dB367568Dc360e224Bb",
+    fallback: "0xe4eA02c80C3CD86B2f23c8158acF2AAFcCa5A6b3",
+    recovery: "0x36693563E41BcBdC8d295bD3C2608eb7c32b1cCb",
+    validator: "0x162485941bA1FAF21013656DAB1E60e9D7226DC0",
+    elytroWalletLogic: "0x186b91aE45dd22dEF329BF6b4233cf910E157C84"
+  },
+  "v0.8": {
+    entryPoint: "0x4337084d9e255ff0702461cf8895ce9e3b5ff108",
+    factory: "0x82a8B1a5986f565a1546672e8939daA1b20F441E",
+    fallback: "0xB73Ec2FD0189202F6C22067Eeb19EAad25CAB551",
+    recovery: "0xAFEF5D8Fb7b4650B1724a23e40633f720813c731",
+    validator: "0xea50a2874df3eEC9E0365425ba948989cd63FED6",
+    elytroWalletLogic: "0x2CC8A41e26dAC15F1D11F333f74D0451be6caE36"
+  }
+};
+var DEFAULT_VERSION = "v0.8";
+var DUMMY_SIGNATURE = "0xea50a2874df3eEC9E0365425ba948989cd63FED6000000620100005f5e0fff000fffffffff0000000000000000000000000000000000000000b91467e570a6466aa9e9876cbcd013baba02900b8979d43fe208a4a4f339f5fd6007e74cd82e037b800186422fc2da167c747ef045e5d18a5f5d4300f8e1a0291c";
+var SDKService = class {
+  sdk = null;
+  bundlerInstance = null;
+  chainConfig = null;
+  contractConfig = ENTRYPOINT_CONFIGS[DEFAULT_VERSION];
+  async initForChain(chainConfig, entrypointVersion = DEFAULT_VERSION) {
+    this.chainConfig = chainConfig;
+    this.contractConfig = ENTRYPOINT_CONFIGS[entrypointVersion] ?? ENTRYPOINT_CONFIGS[DEFAULT_VERSION];
+    const { ElytroWallet, Bundler } = await import("@elytro/sdk");
+    this.sdk = new ElytroWallet(
+      chainConfig.endpoint,
+      chainConfig.bundler,
+      this.contractConfig.factory,
+      this.contractConfig.fallback,
+      this.contractConfig.recovery,
+      {
+        chainId: chainConfig.id,
+        entryPoint: this.contractConfig.entryPoint,
+        elytroWalletLogic: this.contractConfig.elytroWalletLogic
+      }
+    );
+    this.bundlerInstance = new Bundler(chainConfig.bundler);
+  }
+  // ─── Phase 1: Address Calculation ──────────────────────────────
+  /**
+   * Calculate the counterfactual smart account address via CREATE2.
+   *
+   * The contract doesn't exist on-chain yet, but this address is
+   * deterministic — guaranteed to be where it will deploy.
+   */
+  async calcWalletAddress(eoaAddress, chainId, index = 0, initialGuardianHash = DEFAULT_GUARDIAN_HASH, initialGuardianSafePeriod = DEFAULT_GUARDIAN_SAFE_PERIOD) {
+    const sdk = this.ensureSDK();
+    const paddedKey = padHex(eoaAddress, { size: 32 });
+    const result = await sdk.calcWalletAddress(
+      index,
+      [paddedKey],
+      initialGuardianHash,
+      initialGuardianSafePeriod,
+      chainId
+    );
+    if (result.isErr()) {
+      throw new Error(`Failed to calculate wallet address: ${result.ERR}`);
+    }
+    return result.OK;
+  }
+  // ─── Phase 2: UserOp Lifecycle ─────────────────────────────────
+  /**
+   * Create an unsigned UserOperation from transactions.
+   *
+   * Wraps the SDK's `fromTransaction()` which handles:
+   * - Nonce fetching from the on-chain wallet
+   * - callData encoding (single execute / batch executeBatch)
+   * - Setting factory/factoryData to null (non-deploy op)
+   *
+   * Extension reference: sdk.ts#createUserOpFromTxs (line 1115-1122).
+   *
+   * @param senderAddress  Deployed smart account address
+   * @param txs            Array of { to, value?, data? } in hex string format
+   */
+  async createSendUserOp(senderAddress, txs) {
+    const sdk = this.ensureSDK();
+    const result = await sdk.fromTransaction("0x1", "0x1", senderAddress, txs);
+    if (result.isErr()) {
+      throw new Error(`Failed to build send UserOp: ${result.ERR}`);
+    }
+    return this.normalizeUserOp(result.OK);
+  }
+  /**
+   * Create an unsigned deploy UserOperation.
+   *
+   * Builds a UserOp with factory + factoryData that, when sent to the
+   * bundler, deploys the smart wallet contract at the counterfactual address.
+   */
+  async createDeployUserOp(eoaAddress, index = 0, initialGuardianHash = DEFAULT_GUARDIAN_HASH, initialGuardianSafePeriod = DEFAULT_GUARDIAN_SAFE_PERIOD) {
+    const sdk = this.ensureSDK();
+    const paddedKey = padHex(eoaAddress, { size: 32 });
+    const result = await sdk.createUnsignedDeployWalletUserOp(
+      index,
+      [paddedKey],
+      initialGuardianHash,
+      void 0,
+      // callData
+      initialGuardianSafePeriod
+    );
+    if (result.isErr()) {
+      throw new Error(`Failed to create deploy UserOp: ${result.ERR}`);
+    }
+    return this.normalizeUserOp(result.OK);
+  }
+  /**
+   * Get gas price from Pimlico bundler.
+   *
+   * Uses the non-standard `pimlico_getUserOperationGasPrice` RPC method.
+   * Returns { maxFeePerGas, maxPriorityFeePerGas } from the "fast" tier.
+   */
+  async getFeeData(chainConfig) {
+    const client = createPublicClient({
+      transport: http(chainConfig.bundler)
+    });
+    try {
+      const result = await client.request({
+        method: "pimlico_getUserOperationGasPrice",
+        params: []
+      });
+      const fast = result?.fast;
+      if (!fast) {
+        throw new Error("Unexpected response from pimlico_getUserOperationGasPrice");
+      }
+      return {
+        maxFeePerGas: BigInt(fast.maxFeePerGas),
+        maxPriorityFeePerGas: BigInt(fast.maxPriorityFeePerGas)
+      };
+    } catch {
+      const gasPrice = await createPublicClient({
+        transport: http(chainConfig.endpoint)
+      }).getGasPrice();
+      return {
+        maxFeePerGas: gasPrice,
+        maxPriorityFeePerGas: gasPrice / 10n
+      };
+    }
+  }
+  /**
+   * Estimate gas limits for a UserOperation via the bundler.
+   *
+   * Sets a dummy signature for estimation (same as extension).
+   * For undeployed accounts, pass `fakeBalance: true` to inject a
+   * state override that gives the sender 1 ETH — prevents AA21.
+   *
+   * Extension reference: sdk.ts#estimateGas (lines 602-650).
+   */
+  async estimateUserOp(userOp, opts = {}) {
+    const sdk = this.ensureSDK();
+    const opForEstimate = { ...userOp, signature: DUMMY_SIGNATURE };
+    const stateOverride = opts.fakeBalance ? { [userOp.sender]: { balance: toHex2(parseEther("1")) } } : void 0;
+    const result = await sdk.estimateUserOperationGas(
+      this.contractConfig.validator,
+      this.toSDKUserOp(opForEstimate),
+      stateOverride
+    );
+    if (result.isErr()) {
+      const err = result.ERR;
+      throw new Error(
+        `Gas estimation failed: ${typeof err === "object" && err !== null && "message" in err ? err.message : String(err)}`
+      );
+    }
+    const gas = result.OK;
+    return {
+      callGasLimit: BigInt(gas.callGasLimit),
+      verificationGasLimit: BigInt(gas.verificationGasLimit),
+      preVerificationGas: BigInt(gas.preVerificationGas),
+      paymasterVerificationGasLimit: gas.paymasterVerificationGasLimit ? BigInt(gas.paymasterVerificationGasLimit) : null,
+      paymasterPostOpGasLimit: gas.paymasterPostOpGasLimit ? BigInt(gas.paymasterPostOpGasLimit) : null
+    };
+  }
+  /**
+   * Compute the ERC-4337 UserOperation hash.
+   *
+   * Two-step: userOpHash → packRawHash to get the final digest for signing.
+   */
+  async getUserOpHash(userOp) {
+    const sdk = this.ensureSDK();
+    const hashResult = await sdk.userOpHash(this.toSDKUserOp(userOp));
+    if (hashResult.isErr()) {
+      throw new Error(`Failed to compute userOpHash: ${hashResult.ERR}`);
+    }
+    const packResult = await sdk.packRawHash(hashResult.OK);
+    if (packResult.isErr()) {
+      throw new Error(`Failed to pack raw hash: ${packResult.ERR}`);
+    }
+    return {
+      packedHash: packResult.OK.packedHash,
+      validationData: packResult.OK.validationData
+    };
+  }
+  /**
+   * Pack a raw ECDSA signature into the format expected by the EntryPoint.
+   *
+   * Wraps the signature with validator address and validation data.
+   */
+  async packUserOpSignature(rawSignature, validationData) {
+    const sdk = this.ensureSDK();
+    const result = await sdk.packUserOpEOASignature(this.contractConfig.validator, rawSignature, validationData);
+    if (result.isErr()) {
+      throw new Error(`Failed to pack signature: ${result.ERR}`);
+    }
+    return result.OK;
+  }
+  /**
+   * Pack a raw ECDSA signature with hook input data.
+   *
+   * Used when SecurityHook is installed: the hook signature from the backend
+   * must be included alongside the EOA signature.
+   *
+   * Extension reference: sdk.ts#signUserOperationWithHook (line 239-318)
+   *
+   * @param rawSignature  Raw ECDSA signature from device key
+   * @param validationData  Validation data from packRawHash
+   * @param hookAddress  SecurityHook contract address
+   * @param hookSignature  Hook signature from authorizeUserOperation backend
+   */
+  async packUserOpSignatureWithHook(rawSignature, validationData, hookAddress, hookSignature) {
+    const sdk = this.ensureSDK();
+    const hookInputData = [
+      {
+        hookAddress,
+        inputData: hookSignature
+      }
+    ];
+    const result = await sdk.packUserOpEOASignature(
+      this.contractConfig.validator,
+      rawSignature,
+      validationData,
+      hookInputData
+    );
+    if (result.isErr()) {
+      throw new Error(`Failed to pack signature with hook: ${result.ERR}`);
+    }
+    return result.OK;
+  }
+  /**
+   * Pack a raw hash with validation time bounds.
+   *
+   * Used for EIP-1271 auth signing flow — takes an arbitrary message hash
+   * (not a userOp hash) and returns packedHash + validationData.
+   */
+  async packRawHash(hash) {
+    const sdk = this.ensureSDK();
+    const result = await sdk.packRawHash(hash);
+    if (result.isErr()) {
+      throw new Error(`Failed to pack raw hash: ${result.ERR}`);
+    }
+    return {
+      packedHash: result.OK.packedHash,
+      validationData: result.OK.validationData
+    };
+  }
+  /**
+   * Send a signed UserOperation to the bundler.
+   */
+  async sendUserOp(userOp) {
+    const sdk = this.ensureSDK();
+    const sendResult = await sdk.sendUserOperation(this.toSDKUserOp(userOp));
+    if (sendResult.isErr()) {
+      const err = sendResult.ERR;
+      throw new Error(
+        `Failed to send UserOp: ${typeof err === "object" && err !== null && "message" in err ? err.message : String(err)}`
+      );
+    }
+    const hashResult = await sdk.userOpHash(this.toSDKUserOp(userOp));
+    if (hashResult.isErr()) {
+      throw new Error(`UserOp sent but failed to compute hash for tracking: ${hashResult.ERR}`);
+    }
+    return hashResult.OK;
+  }
+  /**
+   * Poll the bundler for a UserOperation receipt.
+   *
+   * Exponential backoff: 2s → 1.5× → cap 15s, max 30 attempts (~90s).
+   */
+  async waitForReceipt(opHash) {
+    const bundler = this.ensureBundler();
+    let delay = 2e3;
+    const maxDelay = 15e3;
+    const maxAttempts = 30;
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      await sleep(delay);
+      const result = await bundler.eth_getUserOperationReceipt(opHash);
+      if (result.isErr()) {
+        throw new Error(`Failed to poll receipt: ${result.ERR}`);
+      }
+      const receipt = result.OK;
+      if (receipt) {
+        return {
+          success: receipt.success,
+          actualGasCost: String(receipt.actualGasCost),
+          actualGasUsed: String(receipt.actualGasUsed),
+          transactionHash: receipt.receipt?.transactionHash ?? opHash,
+          blockNumber: String(receipt.receipt?.blockNumber ?? "0")
+        };
+      }
+      delay = Math.min(Math.floor(delay * 1.5), maxDelay);
+    }
+    throw new Error(`UserOperation receipt not found after ${maxAttempts} attempts (~90s). Hash: ${opHash}`);
+  }
+  // ─── Accessors ─────────────────────────────────────────────────
+  get isInitialized() {
+    return this.sdk !== null;
+  }
+  get contracts() {
+    return this.contractConfig;
+  }
+  get entryPoint() {
+    return this.contractConfig.entryPoint;
+  }
+  get validatorAddress() {
+    return this.contractConfig.validator;
+  }
+  /** Default init params used for wallet creation — needed for backend registration. */
+  get initDefaults() {
+    return {
+      guardianHash: DEFAULT_GUARDIAN_HASH,
+      guardianSafePeriod: DEFAULT_GUARDIAN_SAFE_PERIOD
+    };
+  }
+  /** Expose the raw SDK instance for advanced operations. */
+  get raw() {
+    return this.ensureSDK();
+  }
+  // ─── Internal ──────────────────────────────────────────────────
+  ensureSDK() {
+    if (!this.sdk) {
+      throw new Error("SDK not initialized. Call initForChain() first.");
+    }
+    return this.sdk;
+  }
+  ensureBundler() {
+    if (!this.bundlerInstance) {
+      throw new Error("Bundler not initialized. Call initForChain() first.");
+    }
+    return this.bundlerInstance;
+  }
+  /**
+   * Normalize SDK UserOp (which uses string/BigNumberish) to our typed format.
+   */
+  normalizeUserOp(sdkOp) {
+    return {
+      sender: sdkOp.sender,
+      nonce: BigInt(sdkOp.nonce),
+      factory: sdkOp.factory ?? null,
+      factoryData: sdkOp.factoryData ?? null,
+      callData: sdkOp.callData ?? "0x",
+      callGasLimit: BigInt(sdkOp.callGasLimit || 0),
+      verificationGasLimit: BigInt(sdkOp.verificationGasLimit || 0),
+      preVerificationGas: BigInt(sdkOp.preVerificationGas || 0),
+      maxFeePerGas: BigInt(sdkOp.maxFeePerGas || 0),
+      maxPriorityFeePerGas: BigInt(sdkOp.maxPriorityFeePerGas || 0),
+      paymaster: sdkOp.paymaster ?? null,
+      paymasterVerificationGasLimit: sdkOp.paymasterVerificationGasLimit ? BigInt(sdkOp.paymasterVerificationGasLimit) : null,
+      paymasterPostOpGasLimit: sdkOp.paymasterPostOpGasLimit ? BigInt(sdkOp.paymasterPostOpGasLimit) : null,
+      paymasterData: sdkOp.paymasterData ?? null,
+      signature: sdkOp.signature ?? "0x"
+    };
+  }
+  /**
+   * Convert our typed UserOp back to the SDK's format (string-based BigNumberish).
+   */
+  toSDKUserOp(op) {
+    return {
+      sender: op.sender,
+      nonce: toHex2(op.nonce),
+      factory: op.factory,
+      factoryData: op.factoryData,
+      callData: op.callData,
+      callGasLimit: toHex2(op.callGasLimit),
+      verificationGasLimit: toHex2(op.verificationGasLimit),
+      preVerificationGas: toHex2(op.preVerificationGas),
+      maxFeePerGas: toHex2(op.maxFeePerGas),
+      maxPriorityFeePerGas: toHex2(op.maxPriorityFeePerGas),
+      paymaster: op.paymaster,
+      paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex2(op.paymasterVerificationGasLimit) : null,
+      paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex2(op.paymasterPostOpGasLimit) : null,
+      paymasterData: op.paymasterData,
+      signature: op.signature
+    };
+  }
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/services/walletClient.ts
+import { createPublicClient as createPublicClient2, http as http2, formatEther } from "viem";
+var WalletClientService = class {
+  client = null;
+  chainConfig = null;
+  initForChain(chainConfig) {
+    const viemChain = {
+      id: chainConfig.id,
+      name: chainConfig.name,
+      nativeCurrency: chainConfig.nativeCurrency,
+      rpcUrls: {
+        default: { http: [chainConfig.endpoint] }
+      },
+      blockExplorers: chainConfig.blockExplorer ? {
+        default: {
+          name: chainConfig.name,
+          url: chainConfig.blockExplorer
+        }
+      } : void 0
+    };
+    this.client = createPublicClient2({
+      chain: viemChain,
+      transport: http2(chainConfig.endpoint)
+    });
+    this.chainConfig = chainConfig;
+  }
+  ensureClient() {
+    if (!this.client) {
+      throw new Error("WalletClient not initialized. Call initForChain().");
+    }
+    return this.client;
+  }
+  // ─── Queries ────────────────────────────────────────────────────
+  async getBalance(address2) {
+    const client = this.ensureClient();
+    const wei = await client.getBalance({ address: address2 });
+    return { wei, ether: formatEther(wei) };
+  }
+  async getCode(address2) {
+    const client = this.ensureClient();
+    return client.getCode({ address: address2 });
+  }
+  async isContractDeployed(address2) {
+    const code = await this.getCode(address2);
+    return !!code && code !== "0x";
+  }
+  async getBlockNumber() {
+    const client = this.ensureClient();
+    return client.getBlockNumber();
+  }
+  async readContract(params) {
+    const client = this.ensureClient();
+    return client.readContract(params);
+  }
+  /**
+   * Fetch gas price from the network.
+   */
+  async getGasPrice() {
+    const client = this.ensureClient();
+    return client.getGasPrice();
+  }
+  /**
+   * Fetch a transaction receipt by hash.
+   */
+  async getTransactionReceipt(hash) {
+    const client = this.ensureClient();
+    try {
+      const receipt = await client.getTransactionReceipt({ hash });
+      return {
+        status: receipt.status,
+        blockNumber: receipt.blockNumber,
+        gasUsed: receipt.gasUsed,
+        from: receipt.from,
+        to: receipt.to,
+        transactionHash: receipt.transactionHash
+      };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Get all ERC-20 token balances for an address via Alchemy's custom RPC method.
+   * Returns only tokens with non-zero balance.
+   *
+   * Requires an Alchemy RPC endpoint.
+   */
+  async getTokenBalances(address2) {
+    const client = this.ensureClient();
+    const result = await client.request({
+      method: "alchemy_getTokenBalances",
+      params: [address2, "erc20"]
+    });
+    if (!result?.tokenBalances) return [];
+    return result.tokenBalances.filter((t) => !t.error && t.tokenBalance && t.tokenBalance !== "0x" && t.tokenBalance !== "0x0").map((t) => ({
+      tokenAddress: t.contractAddress,
+      balance: BigInt(t.tokenBalance)
+    })).filter((t) => t.balance > 0n);
+  }
+  /** Current chain config (after initForChain). */
+  get currentChainConfig() {
+    return this.chainConfig;
+  }
+  /** Expose the raw viem client for advanced use. */
+  get raw() {
+    return this.ensureClient();
+  }
+};
+
+// src/utils/alias.ts
+var ADJECTIVES = [
+  "bold",
+  "calm",
+  "cool",
+  "dark",
+  "deep",
+  "fair",
+  "fast",
+  "firm",
+  "free",
+  "gold",
+  "keen",
+  "kind",
+  "late",
+  "lean",
+  "loud",
+  "mild",
+  "neat",
+  "pale",
+  "pure",
+  "rare",
+  "rich",
+  "safe",
+  "slim",
+  "soft",
+  "sure",
+  "tall",
+  "tiny",
+  "true",
+  "vast",
+  "warm",
+  "wild",
+  "wise",
+  "aged",
+  "arid",
+  "avid",
+  "blue",
+  "busy",
+  "cozy",
+  "deft",
+  "dire",
+  "dull",
+  "edgy",
+  "epic",
+  "even",
+  "fond",
+  "glad",
+  "grim",
+  "hazy",
+  "icy",
+  "idle"
+];
+var NOUNS = [
+  "arch",
+  "bass",
+  "bear",
+  "bell",
+  "bird",
+  "bolt",
+  "cape",
+  "cave",
+  "claw",
+  "clay",
+  "coal",
+  "colt",
+  "core",
+  "dawn",
+  "deer",
+  "dew",
+  "dove",
+  "dune",
+  "dust",
+  "edge",
+  "elm",
+  "fawn",
+  "fern",
+  "fire",
+  "flax",
+  "fog",
+  "fork",
+  "fox",
+  "frost",
+  "gate",
+  "glen",
+  "glow",
+  "grove",
+  "hare",
+  "hawk",
+  "haze",
+  "hill",
+  "jade",
+  "lake",
+  "lark",
+  "leaf",
+  "lion",
+  "lynx",
+  "mist",
+  "moon",
+  "moss",
+  "oak",
+  "owl",
+  "palm",
+  "peak",
+  "pine",
+  "pond",
+  "rain",
+  "reef",
+  "ridge",
+  "ring",
+  "root",
+  "rose",
+  "sage",
+  "sand",
+  "seal",
+  "snow",
+  "star",
+  "stem",
+  "storm",
+  "swan",
+  "thorn",
+  "tide",
+  "vale",
+  "vine",
+  "wave",
+  "wren",
+  "wolf",
+  "yarn",
+  "zinc"
+];
+function pick(list) {
+  return list[Math.floor(Math.random() * list.length)];
+}
+function generateAlias() {
+  return `${pick(ADJECTIVES)}-${pick(NOUNS)}`;
+}
+
+// src/services/account.ts
+var STORAGE_KEY3 = "accounts";
+var AccountService = class {
+  store;
+  keyring;
+  sdk;
+  chain;
+  walletClient;
+  state = { accounts: [], currentAddress: null };
+  constructor(deps) {
+    this.store = deps.store;
+    this.keyring = deps.keyring;
+    this.sdk = deps.sdk;
+    this.chain = deps.chain;
+    this.walletClient = deps.walletClient;
+  }
+  /** Load persisted accounts from disk. */
+  async init() {
+    const saved = await this.store.load(STORAGE_KEY3);
+    if (saved) {
+      this.state = saved;
+    }
+  }
+  // ─── Create ─────────────────────────────────────────────────────
+  /**
+   * Create a new smart account on the specified chain.
+   *
+   * Multiple accounts per chain are allowed — each gets a unique
+   * CREATE2 index, producing a different contract address.
+   *
+   * @param chainId - Required. The target chain.
+   * @param alias   - Optional. Human-readable name. Auto-generated if omitted.
+   */
+  async createAccount(chainId, alias) {
+    const owner = this.keyring.currentOwner;
+    if (!owner) {
+      throw new Error("Keyring is locked. Unlock first.");
+    }
+    const finalAlias = alias ?? this.uniqueAlias();
+    if (this.state.accounts.some((a) => a.alias === finalAlias)) {
+      throw new Error(`Alias "${finalAlias}" is already taken.`);
+    }
+    const index = this.nextIndex(owner, chainId);
+    const address2 = await this.sdk.calcWalletAddress(owner, chainId, index);
+    const account = {
+      address: address2,
+      chainId,
+      alias: finalAlias,
+      owner,
+      index,
+      isDeployed: false,
+      isRecoveryEnabled: false
+    };
+    this.state.accounts.push(account);
+    this.state.currentAddress = address2;
+    await this.persist();
+    return account;
+  }
+  // ─── Query ──────────────────────────────────────────────────────
+  get currentAccount() {
+    if (!this.state.currentAddress) return null;
+    return this.state.accounts.find((a) => a.address === this.state.currentAddress) ?? null;
+  }
+  get allAccounts() {
+    return [...this.state.accounts];
+  }
+  getAccountsByChain(chainId) {
+    return this.state.accounts.filter((a) => a.chainId === chainId);
+  }
+  /**
+   * Resolve an account by alias or address (case-insensitive).
+   * This is the primary lookup method for commands.
+   */
+  resolveAccount(aliasOrAddress) {
+    const needle = aliasOrAddress.toLowerCase();
+    return this.state.accounts.find((a) => a.alias.toLowerCase() === needle || a.address.toLowerCase() === needle) ?? null;
+  }
+  // ─── Switch ─────────────────────────────────────────────────────
+  async switchAccount(aliasOrAddress) {
+    const account = this.resolveAccount(aliasOrAddress);
+    if (!account) {
+      throw new Error(`Account "${aliasOrAddress}" not found.`);
+    }
+    this.state.currentAddress = account.address;
+    await this.persist();
+    return account;
+  }
+  // ─── Activation ───────────────────────────────────────────────────
+  /**
+   * Mark an account as deployed on-chain.
+   * Called after successful UserOp receipt confirms deployment.
+   */
+  async markDeployed(address2, chainId) {
+    const account = this.state.accounts.find(
+      (a) => a.address.toLowerCase() === address2.toLowerCase() && a.chainId === chainId
+    );
+    if (!account) {
+      throw new Error(`Account ${address2} on chain ${chainId} not found.`);
+    }
+    account.isDeployed = true;
+    await this.persist();
+  }
+  // ─── On-chain info ──────────────────────────────────────────────
+  async getAccountDetail(aliasOrAddress) {
+    const account = this.resolveAccount(aliasOrAddress);
+    if (!account) {
+      throw new Error(`Account "${aliasOrAddress}" not found.`);
+    }
+    const [isDeployed, { ether: balance }] = await Promise.all([
+      this.walletClient.isContractDeployed(account.address),
+      this.walletClient.getBalance(account.address)
+    ]);
+    if (isDeployed && !account.isDeployed) {
+      account.isDeployed = true;
+      await this.persist();
+    }
+    return {
+      ...account,
+      isDeployed,
+      balance
+    };
+  }
+  // ─── Import / Export ────────────────────────────────────────────
+  async importAccounts(accounts) {
+    let imported = 0;
+    for (const account of accounts) {
+      const exists = this.state.accounts.some(
+        (a) => a.address.toLowerCase() === account.address.toLowerCase() && a.chainId === account.chainId
+      );
+      if (!exists) {
+        this.state.accounts.push(account);
+        imported++;
+      }
+    }
+    if (imported > 0) {
+      await this.persist();
+    }
+    return imported;
+  }
+  // ─── Internal ───────────────────────────────────────────────────
+  /**
+   * Get the next available CREATE2 index for a given owner+chain.
+   * Simply counts how many accounts this owner already has on this chain.
+   */
+  nextIndex(owner, chainId) {
+    return this.state.accounts.filter((a) => a.owner.toLowerCase() === owner.toLowerCase() && a.chainId === chainId).length;
+  }
+  /** Generate an alias that doesn't collide with existing ones. */
+  uniqueAlias() {
+    const existing = new Set(this.state.accounts.map((a) => a.alias));
+    for (let i = 0; i < 100; i++) {
+      const candidate = generateAlias();
+      if (!existing.has(candidate)) return candidate;
+    }
+    return `account-${this.state.accounts.length + 1}`;
+  }
+  async persist() {
+    await this.store.save(STORAGE_KEY3, this.state);
+  }
+};
+
+// src/services/securityHook.ts
+import {
+  toHex as toHex3,
+  toBytes,
+  parseAbi,
+  keccak256,
+  hashMessage,
+  encodeAbiParameters,
+  encodePacked,
+  parseAbiParameters
+} from "viem";
+
+// src/constants/securityHook.ts
+var SECURITY_HOOK_ADDRESS_MAP = {
+  1: "0xd4e23c76e56532c0620f0b80e62918cc7ca9d442",
+  // Ethereum Mainnet
+  10: "0xd4e23c76e56532c0620f0b80e62918cc7ca9d442",
+  // Optimism
+  42161: "0xd4e23c76e56532c0620f0b80e62918cc7ca9d442",
+  // Arbitrum One
+  11155111: "0xd4e23c76e56532c0620f0b80e62918cc7ca9d442",
+  // Sepolia
+  11155420: "0xd4e23c76e56532c0620f0b80e62918cc7ca9d442"
+  // Optimism Sepolia
+};
+var CAPABILITY_FLAGS = {
+  SIGNATURE_ONLY: 1,
+  USER_OP_ONLY: 2,
+  BOTH: 3
+};
+var CAPABILITY_LABELS = {
+  [CAPABILITY_FLAGS.SIGNATURE_ONLY]: "SIGNATURE_ONLY",
+  [CAPABILITY_FLAGS.USER_OP_ONLY]: "USER_OP_ONLY",
+  [CAPABILITY_FLAGS.BOTH]: "BOTH"
+};
+var DEFAULT_CAPABILITY = CAPABILITY_FLAGS.USER_OP_ONLY;
+var DEFAULT_SAFETY_DELAY = 2;
+
+// src/services/securityHook.ts
+init_graphqlClient();
+var ELYTRO_MSG_TYPE_HASH = keccak256(toBytes("ElytroMessage(bytes32 message)"));
+var DOMAIN_SEPARATOR_TYPE_HASH = "0x47e79534a245952e8b16893a336b85a3d9ea9fa8c573f3d803afb92a79469218";
+function getEncoded1271MessageHash(message) {
+  return keccak256(encodeAbiParameters(parseAbiParameters(["bytes32", "bytes32"]), [ELYTRO_MSG_TYPE_HASH, message]));
+}
+function getDomainSeparator(chainIdHex, walletAddress) {
+  return keccak256(
+    encodeAbiParameters(parseAbiParameters(["bytes32", "uint256", "address"]), [
+      DOMAIN_SEPARATOR_TYPE_HASH,
+      BigInt(chainIdHex),
+      walletAddress
+    ])
+  );
+}
+function getEncodedSHA(domainSeparator, encode1271MessageHash) {
+  return keccak256(
+    encodePacked(["bytes1", "bytes1", "bytes32", "bytes32"], ["0x19", "0x01", domainSeparator, encode1271MessageHash])
+  );
+}
+var GQL_REQUEST_WALLET_AUTH_CHALLENGE = `
+  mutation RequestWalletAuthChallenge($input: RequestWalletAuthChallengeInput!) {
+    requestWalletAuthChallenge(input: $input) {
+      challengeId
+      message
+      expiresAt
+    }
+  }
+`;
+var GQL_CONFIRM_WALLET_AUTH_CHALLENGE = `
+  mutation ConfirmWalletAuthChallenge($input: ConfirmWalletAuthChallengeInput!) {
+    confirmWalletAuthChallenge(input: $input) {
+      sessionId
+      expiresAt
+    }
+  }
+`;
+var GQL_WALLET_SECURITY_PROFILE = `
+  query WalletSecurityProfile($input: WalletSecurityProfileInput!) {
+    walletSecurityProfile(input: $input) {
+      email
+      emailVerified
+      maskedEmail
+      dailyLimitUsdCents
+      createdAt
+      updatedAt
+    }
+  }
+`;
+var GQL_REQUEST_WALLET_EMAIL_BINDING = `
+  mutation RequestWalletEmailBinding($input: RequestWalletEmailBindingInput!) {
+    requestWalletEmailBinding(input: $input) {
+      bindingId
+      maskedEmail
+      otpExpiresAt
+      resendAvailableAt
+    }
+  }
+`;
+var GQL_CONFIRM_WALLET_EMAIL_BINDING = `
+  mutation ConfirmWalletEmailBinding($input: ConfirmWalletEmailBindingInput!) {
+    confirmWalletEmailBinding(input: $input) {
+      email
+      emailVerified
+      maskedEmail
+      dailyLimitUsdCents
+      updatedAt
+    }
+  }
+`;
+var GQL_CHANGE_WALLET_EMAIL = `
+  mutation RequestChangeWalletEmail($input: ChangeWalletEmailInput!) {
+    requestChangeWalletEmail(input: $input) {
+      bindingId
+      maskedEmail
+      otpExpiresAt
+      resendAvailableAt
+    }
+  }
+`;
+var GQL_SET_WALLET_DAILY_LIMIT = `
+  mutation SetWalletDailyLimit($input: SetWalletDailyLimitInput!) {
+    setWalletDailyLimit(input: $input) {
+      dailyLimitUsdCents
+      updatedAt
+    }
+  }
+`;
+var GQL_REQUEST_DAILY_LIMIT_OTP = `
+  mutation RequestChangeWalletDailyLimit($input: RequestWalletDailyLimitInput!) {
+    requestChangeWalletDailyLimit(input: $input) {
+      maskedEmail
+      otpExpiresAt
+      resendAvailableAt
+    }
+  }
+`;
+var GQL_AUTHORIZE_USER_OPERATION = `
+  mutation AuthorizeUserOperation($input: AuthorizeUserOperationInput!) {
+    authorizeUserOperation(input: $input) {
+      decision
+      signature
+      spendDeltaUsdCents
+      totalSpendUsdCents
+      refreshedAt
+    }
+  }
+`;
+var GQL_REQUEST_SECURITY_OTP = `
+  mutation RequestSecurityOtp($input: RequestSecurityOtpInput!) {
+    requestSecurityOtp(input: $input) {
+      challengeId
+      maskedEmail
+      otpExpiresAt
+    }
+  }
+`;
+var GQL_VERIFY_SECURITY_OTP = `
+  mutation VerifySecurityOtp($input: VerifySecurityOtpInput!) {
+    verifySecurityOtp(input: $input) {
+      challengeId
+      status
+      verifiedAt
+    }
+  }
+`;
+var ABI_LIST_HOOK = parseAbi([
+  "function listHook() view returns (address[] preIsValidSignatureHooks, address[] preUserOpValidationHooks)"
+]);
+var ABI_SECURITY_HOOK_USER_DATA = parseAbi([
+  "function userData(address) view returns (bool initialized, uint32 safetyDelay, uint64 forceUninstallAfter)"
+]);
+function createSignMessageForAuth(deps) {
+  return async (message, walletAddress, chainId) => {
+    const hashedMessage = hashMessage({ raw: toBytes(message) });
+    const encoded1271Hash = getEncoded1271MessageHash(hashedMessage);
+    const chainIdHex = `0x${chainId.toString(16)}`;
+    const domainSeparator = getDomainSeparator(chainIdHex, walletAddress.toLowerCase());
+    const messageHash = getEncodedSHA(domainSeparator, encoded1271Hash);
+    const { packedHash, validationData } = await deps.packRawHash(messageHash);
+    const rawSignature = await deps.signDigest(packedHash);
+    return deps.packSignature(rawSignature, validationData);
+  };
+}
+var SecurityHookService = class {
+  store;
+  graphqlEndpoint;
+  signMessageForAuth;
+  readContract;
+  getBlockTimestamp;
+  /**
+   * In-memory cache of the last authenticated session ID.
+   * Prevents re-authentication between getHookSignature → verifySecurityOtp
+   * calls, which would create a new session that doesn't own the OTP challenge.
+   */
+  _cachedSessionId = null;
+  constructor(deps) {
+    this.store = deps.store;
+    this.graphqlEndpoint = deps.graphqlEndpoint;
+    this.signMessageForAuth = deps.signMessageForAuth;
+    this.readContract = deps.readContract;
+    this.getBlockTimestamp = deps.getBlockTimestamp;
+  }
+  // ─── Auth Session ─────────────────────────────────────────────
+  sessionKey(walletAddress, chainId) {
+    return `authSession_${walletAddress.toLowerCase()}_${chainId}`;
+  }
+  async loadAuthSession(walletAddress, chainId) {
+    const key = this.sessionKey(walletAddress, chainId);
+    const session = await this.store.load(key);
+    if (!session) return null;
+    if (Date.now() > session.expiresAt) {
+      await this.store.remove(key);
+      return null;
+    }
+    return session.authSessionId;
+  }
+  async storeAuthSession(walletAddress, chainId, sessionId, expiresAt) {
+    const key = this.sessionKey(walletAddress, chainId);
+    await this.store.save(key, {
+      authSessionId: sessionId,
+      expiresAt: new Date(expiresAt).getTime()
+    });
+  }
+  async clearAuthSession(walletAddress, chainId) {
+    this._cachedSessionId = null;
+    const key = this.sessionKey(walletAddress, chainId);
+    await this.store.remove(key);
+  }
+  /**
+   * Authenticate wallet via challenge-response.
+   *
+   * Flow: requestWalletAuthChallenge → sign challenge message → confirmWalletAuthChallenge → sessionId.
+   */
+  async authenticate(walletAddress, chainId) {
+    const challengeResult = await this.gqlMutate(GQL_REQUEST_WALLET_AUTH_CHALLENGE, {
+      input: {
+        chainID: `0x${chainId.toString(16)}`,
+        address: walletAddress.toLowerCase()
+      }
+    });
+    const challenge = challengeResult.requestWalletAuthChallenge;
+    const signature = await this.signMessageForAuth(toHex3(challenge.message), walletAddress, chainId);
+    const confirmResult = await this.gqlMutate(GQL_CONFIRM_WALLET_AUTH_CHALLENGE, {
+      input: {
+        chainID: `0x${chainId.toString(16)}`,
+        address: walletAddress.toLowerCase(),
+        challengeId: challenge.challengeId,
+        signature
+      }
+    });
+    const { sessionId, expiresAt } = confirmResult.confirmWalletAuthChallenge;
+    await this.storeAuthSession(walletAddress, chainId, sessionId, expiresAt);
+    return sessionId;
+  }
+  /**
+   * Get or create an auth session, with one retry on auth errors.
+   * Caches the session ID in-memory so subsequent calls within the same
+   * service instance (e.g. verifySecurityOtp after getHookSignature)
+   * always use the same session.
+   */
+  async getAuthSession(walletAddress, chainId) {
+    if (this._cachedSessionId) return this._cachedSessionId;
+    let sessionId = await this.loadAuthSession(walletAddress, chainId);
+    if (sessionId) {
+      this._cachedSessionId = sessionId;
+      return sessionId;
+    }
+    try {
+      sessionId = await this.authenticate(walletAddress, chainId);
+      this._cachedSessionId = sessionId;
+      return sessionId;
+    } catch (err) {
+      if (this.isAuthError(err)) {
+        await this.clearAuthSession(walletAddress, chainId);
+        sessionId = await this.authenticate(walletAddress, chainId);
+        this._cachedSessionId = sessionId;
+        return sessionId;
+      }
+      throw err;
+    }
+  }
+  isAuthError(error2) {
+    if (!error2 || typeof error2 !== "object") return false;
+    const msg = String(error2.message ?? "").toLowerCase();
+    return msg.includes("forbidden") || msg.includes("unauthorized") || msg.includes("session") || msg.includes("expired") || msg.includes("failed to authenticate");
+  }
+  // ─── On-chain Hook Status ────────────────────────────────────
+  /**
+   * Query on-chain hook status: which hooks are installed + force-uninstall state.
+   */
+  async getHookStatus(walletAddress, chainId) {
+    const hookAddress = SECURITY_HOOK_ADDRESS_MAP[chainId];
+    if (!hookAddress) {
+      return {
+        installed: false,
+        hookAddress: "0x0000000000000000000000000000000000000000",
+        capabilities: { preUserOpValidation: false, preIsValidSignature: false },
+        forceUninstall: { initiated: false, canExecute: false, availableAfter: null }
+      };
+    }
+    try {
+      const hooks = await this.readContract({
+        address: walletAddress,
+        abi: ABI_LIST_HOOK,
+        functionName: "listHook"
+      });
+      const [preIsValidSignatureHooks, preUserOpValidationHooks] = Array.isArray(hooks) ? hooks : [[], []];
+      const hookLower = hookAddress.toLowerCase();
+      const hasPreIsValidSignature = preIsValidSignatureHooks.some((h) => h.toLowerCase() === hookLower);
+      const hasPreUserOpValidation = preUserOpValidationHooks.some((h) => h.toLowerCase() === hookLower);
+      const installed = hasPreIsValidSignature || hasPreUserOpValidation;
+      let forceUninstall = { initiated: false, canExecute: false, availableAfter: null };
+      if (installed) {
+        try {
+          const userData = await this.readContract({
+            address: hookAddress,
+            abi: ABI_SECURITY_HOOK_USER_DATA,
+            functionName: "userData",
+            args: [walletAddress]
+          });
+          const [_isInstalled, _safetyDelay, forceUninstallAfterRaw] = userData;
+          const forceUninstallAfter = Number(forceUninstallAfterRaw);
+          if (forceUninstallAfter > 0) {
+            const currentTimestamp = Number(await this.getBlockTimestamp());
+            forceUninstall = {
+              initiated: true,
+              canExecute: currentTimestamp >= forceUninstallAfter,
+              availableAfter: new Date(forceUninstallAfter * 1e3).toISOString()
+            };
+          }
+        } catch {
+        }
+      }
+      return {
+        installed,
+        hookAddress,
+        capabilities: {
+          preUserOpValidation: hasPreUserOpValidation,
+          preIsValidSignature: hasPreIsValidSignature
+        },
+        forceUninstall
+      };
+    } catch {
+      return {
+        installed: false,
+        hookAddress,
+        capabilities: { preUserOpValidation: false, preIsValidSignature: false },
+        forceUninstall: { initiated: false, canExecute: false, availableAfter: null }
+      };
+    }
+  }
+  // ─── Security Profile ────────────────────────────────────────
+  /**
+   * Load security profile from backend (email, dailyLimit, etc.).
+   */
+  async loadSecurityProfile(walletAddress, chainId) {
+    try {
+      const sessionId = await this.getAuthSession(walletAddress, chainId);
+      const result = await this.gqlQuery(GQL_WALLET_SECURITY_PROFILE, {
+        input: { authSessionId: sessionId }
+      });
+      return result.walletSecurityProfile;
+    } catch (err) {
+      const msg = String(err.message ?? "");
+      if (msg.includes("NOT_FOUND") || msg.includes("not found")) {
+        return null;
+      }
+      throw err;
+    }
+  }
+  // ─── Email Binding ───────────────────────────────────────────
+  /**
+   * Request email binding — sends OTP to the provided email.
+   */
+  async requestEmailBinding(walletAddress, chainId, email) {
+    const sessionId = await this.getAuthSession(walletAddress, chainId);
+    const result = await this.gqlMutate(GQL_REQUEST_WALLET_EMAIL_BINDING, {
+      input: { authSessionId: sessionId, email, locale: "en-US" }
+    });
+    return result.requestWalletEmailBinding;
+  }
+  /**
+   * Confirm email binding with OTP code.
+   */
+  async confirmEmailBinding(walletAddress, chainId, bindingId, otpCode) {
+    const sessionId = await this.getAuthSession(walletAddress, chainId);
+    const result = await this.gqlMutate(GQL_CONFIRM_WALLET_EMAIL_BINDING, {
+      input: { authSessionId: sessionId, bindingId, otpCode }
+    });
+    return result.confirmWalletEmailBinding;
+  }
+  /**
+   * Request email change — sends OTP to the new email.
+   */
+  async changeWalletEmail(walletAddress, chainId, email) {
+    const sessionId = await this.getAuthSession(walletAddress, chainId);
+    const result = await this.gqlMutate(GQL_CHANGE_WALLET_EMAIL, {
+      input: { authSessionId: sessionId, email, locale: "en-US" }
+    });
+    return result.requestChangeWalletEmail;
+  }
+  // ─── Daily Spending Limit ────────────────────────────────────
+  /**
+   * Request OTP for changing daily limit.
+   */
+  async requestDailyLimitOtp(walletAddress, chainId, dailyLimitUsdCents) {
+    const sessionId = await this.getAuthSession(walletAddress, chainId);
+    const result = await this.gqlMutate(GQL_REQUEST_DAILY_LIMIT_OTP, {
+      input: { authSessionId: sessionId, dailyLimitUsdCents }
+    });
+    return result.requestChangeWalletDailyLimit;
+  }
+  /**
+   * Set daily spending limit (with optional OTP code for confirmation).
+   */
+  async setDailyLimit(walletAddress, chainId, dailyLimitUsdCents, otpCode) {
+    const sessionId = await this.getAuthSession(walletAddress, chainId);
+    await this.gqlMutate(GQL_SET_WALLET_DAILY_LIMIT, {
+      input: { authSessionId: sessionId, dailyLimitUsdCents, ...otpCode && { otpCode } }
+    });
+  }
+  // ─── OTP ─────────────────────────────────────────────────────
+  /**
+   * Request a security OTP for a user operation (proactive escalation).
+   */
+  async requestSecurityOtp(walletAddress, chainId, entryPoint, userOp) {
+    const sessionId = await this.getAuthSession(walletAddress, chainId);
+    const op = this.formatUserOpForGraphQL(userOp);
+    const result = await this.gqlMutate(GQL_REQUEST_SECURITY_OTP, {
+      input: {
+        authSessionId: sessionId,
+        chainID: toHex3(chainId),
+        entryPoint: entryPoint.toLowerCase(),
+        op
+      }
+    });
+    return result.requestSecurityOtp;
+  }
+  /**
+   * Verify a security OTP challenge.
+   */
+  async verifySecurityOtp(walletAddress, chainId, challengeId, otpCode) {
+    const sessionId = await this.getAuthSession(walletAddress, chainId);
+    const result = await this.gqlMutate(GQL_VERIFY_SECURITY_OTP, {
+      input: { authSessionId: sessionId, challengeId, otpCode }
+    });
+    return result.verifySecurityOtp;
+  }
+  // ─── UserOp Authorization ────────────────────────────────────
+  /**
+   * Get hook signature for a user operation.
+   *
+   * Returns either:
+   * - { signature } on success
+   * - { error } when OTP/spending-limit challenge is required
+   *
+   * Handles auth retry automatically.
+   */
+  async getHookSignature(walletAddress, chainId, entryPoint, userOp) {
+    const op = this.formatUserOpForGraphQL(userOp);
+    for (let attempt = 0; attempt <= 1; attempt++) {
+      try {
+        if (attempt > 0) {
+          await this.clearAuthSession(walletAddress, chainId);
+        }
+        const sessionId = await this.getAuthSession(walletAddress, chainId);
+        const result = await this.gqlRaw(GQL_AUTHORIZE_USER_OPERATION, {
+          input: {
+            authSessionId: sessionId,
+            chainID: toHex3(chainId),
+            entryPoint: entryPoint.toLowerCase(),
+            op
+          }
+        });
+        if (result.data?.authorizeUserOperation?.signature) {
+          return { signature: result.data.authorizeUserOperation.signature };
+        }
+        if (result.errors && result.errors.length > 0) {
+          const ext = result.errors[0].extensions;
+          if (ext) {
+            return {
+              error: {
+                code: ext.code,
+                challengeId: ext.challengeId,
+                currentSpendUsdCents: ext.currentSpendUsdCents,
+                dailyLimitUsdCents: ext.dailyLimitUsdCents,
+                maskedEmail: ext.maskedEmail,
+                otpExpiresAt: ext.otpExpiresAt,
+                projectedSpendUsdCents: ext.projectedSpendUsdCents,
+                message: result.errors[0].message
+              }
+            };
+          }
+        }
+        throw new Error("Unknown authorization error");
+      } catch (err) {
+        if (this.isAuthError(err) && attempt === 0) continue;
+        if (err instanceof GraphQLClientError && err.errors?.length) {
+          const ext = err.errors[0].extensions;
+          if (ext?.code) {
+            return {
+              error: {
+                code: ext.code,
+                challengeId: ext.challengeId,
+                currentSpendUsdCents: ext.currentSpendUsdCents,
+                dailyLimitUsdCents: ext.dailyLimitUsdCents,
+                maskedEmail: ext.maskedEmail,
+                otpExpiresAt: ext.otpExpiresAt,
+                projectedSpendUsdCents: ext.projectedSpendUsdCents,
+                message: err.errors[0].message
+              }
+            };
+          }
+        }
+        throw err;
+      }
+    }
+    throw new Error("Hook signature authorization failed after retry");
+  }
+  // ─── Helpers ─────────────────────────────────────────────────
+  /**
+   * Format UserOp fields for GraphQL input (all values as hex strings).
+   */
+  formatUserOpForGraphQL(userOp) {
+    return {
+      sender: userOp.sender.toLowerCase(),
+      nonce: this.formatHex(userOp.nonce),
+      factory: userOp.factory?.toLowerCase() || null,
+      factoryData: userOp.factoryData || "0x",
+      callData: userOp.callData,
+      callGasLimit: this.formatHex(userOp.callGasLimit),
+      verificationGasLimit: this.formatHex(userOp.verificationGasLimit),
+      preVerificationGas: this.formatHex(userOp.preVerificationGas),
+      maxPriorityFeePerGas: this.formatHex(userOp.maxPriorityFeePerGas),
+      maxFeePerGas: this.formatHex(userOp.maxFeePerGas),
+      paymaster: userOp.paymaster?.toLowerCase() || null,
+      paymasterVerificationGasLimit: userOp.paymasterVerificationGasLimit ? this.formatHex(userOp.paymasterVerificationGasLimit) : "0x0",
+      paymasterPostOpGasLimit: userOp.paymasterPostOpGasLimit ? this.formatHex(userOp.paymasterPostOpGasLimit) : "0x0",
+      paymasterData: userOp.paymasterData || "0x",
+      signature: userOp.signature
+    };
+  }
+  /**
+   * Convert a value to hex string. If already a hex string, return as-is.
+   * Mirrors extension's formatHex utility.
+   */
+  formatHex(value) {
+    if (typeof value === "string" && value.startsWith("0x")) {
+      return value;
+    }
+    return toHex3(value);
+  }
+  // ─── GraphQL Wrappers ───────────────────────────────────────
+  async gqlMutate(query, variables) {
+    return requestGraphQL({
+      endpoint: this.graphqlEndpoint,
+      query,
+      variables
+    });
+  }
+  async gqlQuery(query, variables) {
+    return requestGraphQL({
+      endpoint: this.graphqlEndpoint,
+      query,
+      variables
+    });
+  }
+  /**
+   * Raw GraphQL request that returns the full response (data + errors)
+   * instead of throwing on errors. Needed for authorizeUserOperation
+   * which uses GraphQL errors with extensions for challenge responses.
+   */
+  async gqlRaw(query, variables) {
+    const { endpoint } = { endpoint: this.graphqlEndpoint };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 15e3);
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Accept: "application/json" },
+        body: JSON.stringify({ query, variables }),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`HTTP ${response.status}: ${text.slice(0, 200)}`);
+      }
+      return await response.json();
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+};
+
+// src/utils/deviceKey.ts
+import { webcrypto as webcrypto2 } from "crypto";
+import { readFile as readFile2, writeFile as writeFile2, stat, chmod } from "fs/promises";
+import { join as join2 } from "path";
+var DEVICE_KEY_FILE = ".device-key";
+var KEY_LENGTH2 = 32;
+var REQUIRED_MODE = 384;
+function generateDeviceKey() {
+  return webcrypto2.getRandomValues(new Uint8Array(KEY_LENGTH2));
+}
+async function saveDeviceKey(dataDir, key) {
+  validateDeviceKey(key);
+  const path = keyPath(dataDir);
+  await writeFile2(path, key, { mode: REQUIRED_MODE });
+  await chmod(path, REQUIRED_MODE);
+}
+async function loadDeviceKey(dataDir) {
+  const path = keyPath(dataDir);
+  try {
+    const st = await stat(path);
+    const mode = st.mode & 511;
+    if (mode !== REQUIRED_MODE) {
+      throw new Error(
+        `Device key has insecure permissions (${modeStr(mode)}). Expected 600. Fix with: chmod 600 ${path}`
+      );
+    }
+    const buf = await readFile2(path);
+    const key = new Uint8Array(buf);
+    validateDeviceKey(key);
+    return key;
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return null;
+    }
+    throw err;
+  }
+}
+function validateDeviceKey(key) {
+  if (key.length !== KEY_LENGTH2) {
+    throw new Error(`Invalid device key: expected ${KEY_LENGTH2} bytes, got ${key.length}.`);
+  }
+}
+function keyPath(dataDir) {
+  return join2(dataDir, DEVICE_KEY_FILE);
+}
+function modeStr(mode) {
+  return "0o" + mode.toString(8).padStart(3, "0");
+}
+
+// src/context.ts
+async function createAppContext() {
+  const store = new FileStore();
+  await store.init();
+  const keyring = new KeyringService(store);
+  const chain = new ChainService(store);
+  const sdk = new SDKService();
+  const walletClient = new WalletClientService();
+  await chain.init();
+  const defaultChain = chain.currentChain;
+  walletClient.initForChain(defaultChain);
+  await sdk.initForChain(defaultChain);
+  const deviceKey = await loadDeviceKey(store.dataDir);
+  if (deviceKey && await keyring.isInitialized()) {
+    await keyring.unlock(deviceKey);
+  }
+  const account = new AccountService({
+    store,
+    keyring,
+    sdk,
+    chain,
+    walletClient
+  });
+  await account.init();
+  const currentAccount = account.currentAccount;
+  if (currentAccount) {
+    const acctInfo = account.resolveAccount(currentAccount.alias ?? currentAccount.address);
+    if (acctInfo) {
+      const acctChain = chain.chains.find((c) => c.id === acctInfo.chainId);
+      if (acctChain && acctChain.id !== defaultChain.id) {
+        walletClient.initForChain(acctChain);
+        await sdk.initForChain(acctChain);
+      }
+    }
+  }
+  return { store, keyring, chain, sdk, walletClient, account, deviceKey };
+}
+
+// src/commands/init.ts
+import ora from "ora";
+
+// src/utils/display.ts
+import chalk from "chalk";
+function heading(text) {
+  console.log(chalk.bold.cyan(`
+${text}
+`));
+}
+function info(label, value) {
+  console.log(`  ${chalk.gray(label + ":")} ${value}`);
+}
+function success(text) {
+  console.log(chalk.green(`\u2714 ${text}`));
+}
+function warn(text) {
+  console.log(chalk.yellow(`\u26A0 ${text}`));
+}
+function error(text) {
+  console.error(chalk.red(`\u2716 ${text}`));
+}
+function txError(payload) {
+  const output = {
+    success: false,
+    error: {
+      code: payload.code,
+      message: payload.message,
+      ...payload.data && Object.keys(payload.data).length > 0 ? { data: payload.data } : {}
+    }
+  };
+  console.error(chalk.red(JSON.stringify(output, null, 2)));
+}
+function table(rows, columns) {
+  const header = columns.map((c) => c.label.padEnd(c.width ?? 20)).join("  ");
+  console.log(chalk.bold(header));
+  console.log(chalk.gray("\u2500".repeat(header.length)));
+  for (const row of rows) {
+    const line = columns.map((c) => (row[c.key] ?? "").padEnd(c.width ?? 20)).join("  ");
+    console.log(line);
+  }
+}
+function address(addr) {
+  if (addr.length <= 14) return addr;
+  return `${addr.slice(0, 8)}...${addr.slice(-6)}`;
+}
+function maskApiKeys(url) {
+  let masked = url;
+  masked = masked.replace(/(\/v\d+\/)[^/?#]+(\?|#|$)/gi, "$1***$2");
+  masked = masked.replace(/([?&](?:apikey|api_key|key|token|secret))=[^&#]+/gi, "$1=***");
+  return masked;
+}
+function sanitizeErrorMessage(message) {
+  return message.replace(/https?:\/\/[^\s"']+/gi, (match) => maskApiKeys(match));
+}
+
+// src/commands/init.ts
+function registerInitCommand(program2, ctx) {
+  program2.command("init").description("Initialize a new Elytro wallet").action(async () => {
+    if (await ctx.keyring.isInitialized()) {
+      warn("Wallet already initialized.");
+      info("Data", ctx.store.dataDir);
+      info("Hint", "Use `elytro account create` to create a smart account.");
+      return;
+    }
+    heading("Initialize Elytro Wallet");
+    const spinner = ora("Setting up wallet...").start();
+    try {
+      const deviceKey = generateDeviceKey();
+      await saveDeviceKey(ctx.store.dataDir, deviceKey);
+      await ctx.keyring.createNewOwner(deviceKey);
+      ctx.deviceKey = deviceKey;
+      spinner.succeed("Wallet initialized.");
+      console.log("");
+      info("Data", ctx.store.dataDir);
+      console.log("");
+      success("Run `elytro account create --chain <chainId>` to create your first smart account.");
+    } catch (err) {
+      spinner.fail("Failed to initialize wallet.");
+      error(sanitizeErrorMessage(err.message));
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/account.ts
+import ora2 from "ora";
+import { formatEther as formatEther2, padHex as padHex2 } from "viem";
+
+// src/utils/prompt.ts
+import { password, confirm, select, input } from "@inquirer/prompts";
+async function askConfirm(message, defaultValue = false) {
+  return confirm({ message, default: defaultValue });
+}
+async function askSelect(message, choices) {
+  return select({ message, choices });
+}
+async function askInput(message, defaultValue) {
+  return input({ message, default: defaultValue });
+}
+
+// src/commands/account.ts
+init_sponsor();
+function registerAccountCommand(program2, ctx) {
+  const account = program2.command("account").description("Manage smart accounts");
+  account.command("create").description("Create a new smart account").requiredOption("-c, --chain <chainId>", "Target chain ID").option("-a, --alias <alias>", "Human-readable alias (default: random)").action(async (opts) => {
+    if (!ctx.deviceKey) {
+      error("Wallet not initialized. Run `elytro init` first.");
+      process.exitCode = 1;
+      return;
+    }
+    const chainId = Number(opts.chain);
+    if (Number.isNaN(chainId)) {
+      error("Invalid chain ID.");
+      process.exitCode = 1;
+      return;
+    }
+    const spinner = ora2("Creating smart account...").start();
+    try {
+      const chainConfig = ctx.chain.chains.find((c) => c.id === chainId);
+      const chainName = chainConfig?.name ?? String(chainId);
+      if (chainConfig) {
+        await ctx.sdk.initForChain(chainConfig);
+        ctx.walletClient.initForChain(chainConfig);
+      }
+      const accountInfo = await ctx.account.createAccount(chainId, opts.alias);
+      spinner.text = "Registering with backend...";
+      const { guardianHash, guardianSafePeriod } = ctx.sdk.initDefaults;
+      const paddedKey = padHex2(accountInfo.owner, { size: 32 });
+      const { error: regError } = await registerAccount(
+        ctx.chain.graphqlEndpoint,
+        accountInfo.address,
+        chainId,
+        accountInfo.index,
+        [paddedKey],
+        guardianHash,
+        guardianSafePeriod
+      );
+      spinner.succeed(`Account "${accountInfo.alias}" created.`);
+      console.log("");
+      info("Alias", accountInfo.alias);
+      info("Address", accountInfo.address);
+      info("Chain", `${chainName} (${chainId})`);
+      info("Status", "Not deployed (run `elytro account activate` to deploy)");
+      if (regError) {
+        warn(`Backend registration failed: ${regError}`);
+        warn("Sponsorship may not work. You can still activate with ETH.");
+      }
+    } catch (err) {
+      spinner.fail("Failed to create account.");
+      error(sanitizeErrorMessage(err.message));
+      process.exitCode = 1;
+    }
+  });
+  account.command("activate").description("Deploy the smart contract on-chain").argument("[account]", "Alias or address (default: current)").option("--no-sponsor", "Skip sponsorship check (user pays gas)").action(async (target, opts) => {
+    if (!ctx.deviceKey) {
+      error("Wallet not initialized. Run `elytro init` first.");
+      process.exitCode = 1;
+      return;
+    }
+    const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
+    if (!identifier) {
+      warn("No account selected. Specify an alias/address or create an account first.");
+      return;
+    }
+    const accountInfo = ctx.account.resolveAccount(identifier);
+    if (!accountInfo) {
+      error(`Account "${identifier}" not found.`);
+      process.exitCode = 1;
+      return;
+    }
+    if (accountInfo.isDeployed) {
+      warn(`Account "${accountInfo.alias}" is already deployed.`);
+      return;
+    }
+    const chainConfig = ctx.chain.chains.find((c) => c.id === accountInfo.chainId);
+    const chainName = chainConfig?.name ?? String(accountInfo.chainId);
+    if (!chainConfig) {
+      error(`Chain ${accountInfo.chainId} not configured.`);
+      process.exitCode = 1;
+      return;
+    }
+    await ctx.sdk.initForChain(chainConfig);
+    ctx.walletClient.initForChain(chainConfig);
+    const spinner = ora2(`Activating "${accountInfo.alias}" on ${chainName}...`).start();
+    try {
+      spinner.text = "Building deployment UserOp...";
+      const userOp = await ctx.sdk.createDeployUserOp(accountInfo.owner, accountInfo.index);
+      spinner.text = "Fetching gas prices...";
+      const feeData = await ctx.sdk.getFeeData(chainConfig);
+      userOp.maxFeePerGas = feeData.maxFeePerGas;
+      userOp.maxPriorityFeePerGas = feeData.maxPriorityFeePerGas;
+      spinner.text = "Estimating gas...";
+      const gasEstimate = await ctx.sdk.estimateUserOp(userOp, { fakeBalance: true });
+      userOp.callGasLimit = gasEstimate.callGasLimit;
+      userOp.verificationGasLimit = gasEstimate.verificationGasLimit;
+      userOp.preVerificationGas = gasEstimate.preVerificationGas;
+      let sponsored = false;
+      if (opts?.sponsor !== false) {
+        spinner.text = "Checking sponsorship...";
+        const { sponsor: sponsorResult, error: sponsorError } = await requestSponsorship(
+          ctx.chain.graphqlEndpoint,
+          accountInfo.chainId,
+          ctx.sdk.entryPoint,
+          userOp
+        );
+        if (sponsorResult) {
+          applySponsorToUserOp(userOp, sponsorResult);
+          sponsored = true;
+        } else {
+          spinner.text = "Sponsorship unavailable, checking balance...";
+          const { ether: balance } = await ctx.walletClient.getBalance(accountInfo.address);
+          if (parseFloat(balance) === 0) {
+            spinner.fail("Activation failed.");
+            error(`Sponsorship failed: ${sponsorError ?? "unknown reason"}`);
+            error(
+              `Account has no ETH to pay gas. Fund ${accountInfo.address} on ${chainName}, or fix sponsorship.`
+            );
+            process.exitCode = 1;
+            return;
+          }
+          spinner.text = "Proceeding without sponsor (user pays gas)...";
+        }
+      }
+      spinner.text = "Signing UserOperation...";
+      const { packedHash, validationData } = await ctx.sdk.getUserOpHash(userOp);
+      const rawSignature = await ctx.keyring.signDigest(packedHash);
+      userOp.signature = await ctx.sdk.packUserOpSignature(rawSignature, validationData);
+      spinner.text = "Sending to bundler...";
+      const opHash = await ctx.sdk.sendUserOp(userOp);
+      spinner.text = "Waiting for on-chain confirmation...";
+      const receipt = await ctx.sdk.waitForReceipt(opHash);
+      await ctx.account.markDeployed(accountInfo.address, accountInfo.chainId);
+      if (receipt.success) {
+        spinner.succeed(`Account "${accountInfo.alias}" activated!`);
+      } else {
+        spinner.warn(`UserOp included but execution reverted.`);
+      }
+      console.log("");
+      info("Account", accountInfo.alias);
+      info("Address", accountInfo.address);
+      info("Chain", `${chainName} (${accountInfo.chainId})`);
+      info("Tx Hash", receipt.transactionHash);
+      info("Gas Cost", `${formatEther2(BigInt(receipt.actualGasCost))} ETH`);
+      info("Sponsored", sponsored ? "Yes (gasless)" : "No (user paid)");
+      if (chainConfig.blockExplorer) {
+        info("Explorer", `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}`);
+      }
+    } catch (err) {
+      spinner.fail("Activation failed.");
+      error(sanitizeErrorMessage(err.message));
+      process.exitCode = 1;
+    }
+  });
+  account.command("list").description("List all accounts (or query one by alias/address)").argument("[account]", "Filter by alias or address").option("-c, --chain <chainId>", "Filter by chain ID").action(async (target, opts) => {
+    let accounts = opts?.chain ? ctx.account.getAccountsByChain(Number(opts.chain)) : ctx.account.allAccounts;
+    if (target) {
+      const matched = ctx.account.resolveAccount(target);
+      if (!matched) {
+        error(`Account "${target}" not found.`);
+        process.exitCode = 1;
+        return;
+      }
+      accounts = [matched];
+    }
+    if (accounts.length === 0) {
+      warn("No accounts found. Run `elytro account create --chain <chainId>` first.");
+      return;
+    }
+    const current = ctx.account.currentAccount;
+    heading("Accounts");
+    table(
+      accounts.map((a) => {
+        const chainConfig = ctx.chain.chains.find((c) => c.id === a.chainId);
+        return {
+          active: a.address === current?.address ? "\u2192" : " ",
+          alias: a.alias,
+          address: a.address,
+          chain: chainConfig?.name ?? String(a.chainId),
+          deployed: a.isDeployed ? "Yes" : "No",
+          recovery: a.isRecoveryEnabled ? "Yes" : "No"
+        };
+      }),
+      [
+        { key: "active", label: "", width: 3 },
+        { key: "alias", label: "Alias", width: 16 },
+        { key: "address", label: "Address", width: 44 },
+        { key: "chain", label: "Chain", width: 18 },
+        { key: "deployed", label: "Deployed", width: 10 },
+        { key: "recovery", label: "Recovery", width: 10 }
+      ]
+    );
+  });
+  account.command("info").description("Show details for an account").argument("[account]", "Alias or address (default: current)").action(async (target) => {
+    const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
+    if (!identifier) {
+      warn("No account selected. Run `elytro account create --chain <chainId>` first.");
+      return;
+    }
+    const spinner = ora2("Fetching on-chain data...").start();
+    try {
+      const accountInfo = ctx.account.resolveAccount(identifier);
+      if (!accountInfo) {
+        spinner.fail("Account not found.");
+        error(`Account "${identifier}" not found.`);
+        process.exitCode = 1;
+        return;
+      }
+      const chainConfig = ctx.chain.chains.find((c) => c.id === accountInfo.chainId);
+      if (chainConfig) {
+        ctx.walletClient.initForChain(chainConfig);
+      }
+      const detail = await ctx.account.getAccountDetail(identifier);
+      spinner.stop();
+      heading("Account Details");
+      info("Alias", detail.alias);
+      info("Address", detail.address);
+      info("Chain", chainConfig?.name ?? String(detail.chainId));
+      info("Deployed", detail.isDeployed ? "Yes" : "No");
+      info("Balance", `${detail.balance} ${chainConfig?.nativeCurrency.symbol ?? "ETH"}`);
+      info("Recovery", detail.isRecoveryEnabled ? "Enabled" : "Not set");
+      if (chainConfig?.blockExplorer) {
+        info("Explorer", `${chainConfig.blockExplorer}/address/${detail.address}`);
+      }
+    } catch (err) {
+      spinner.fail("Failed to fetch account info.");
+      error(sanitizeErrorMessage(err.message));
+      process.exitCode = 1;
+    }
+  });
+  account.command("switch").description("Switch the active account").argument("[account]", "Alias or address").action(async (target) => {
+    const accounts = ctx.account.allAccounts;
+    if (accounts.length === 0) {
+      warn("No accounts found.");
+      return;
+    }
+    let identifier = target;
+    if (!identifier) {
+      const chainConfig = (chainId) => ctx.chain.chains.find((c) => c.id === chainId);
+      identifier = await askSelect(
+        "Select an account",
+        accounts.map((a) => ({
+          name: `${a.alias}  ${address(a.address)}  ${chainConfig(a.chainId)?.name ?? a.chainId}`,
+          value: a.alias
+        }))
+      );
+    }
+    try {
+      const switched = await ctx.account.switchAccount(identifier);
+      const newChain = ctx.chain.chains.find((c) => c.id === switched.chainId);
+      if (newChain) {
+        ctx.walletClient.initForChain(newChain);
+        await ctx.sdk.initForChain(newChain);
+      }
+      success(`Switched to "${switched.alias}"`);
+      const spinner = ora2("Fetching on-chain data...").start();
+      try {
+        const detail = await ctx.account.getAccountDetail(switched.alias);
+        spinner.stop();
+        console.log("");
+        info("Address", detail.address);
+        info("Chain", newChain?.name ?? String(detail.chainId));
+        info("Deployed", detail.isDeployed ? "Yes" : "No");
+        info("Balance", `${detail.balance} ${newChain?.nativeCurrency.symbol ?? "ETH"}`);
+        if (newChain?.blockExplorer) {
+          info("Explorer", `${newChain.blockExplorer}/address/${detail.address}`);
+        }
+      } catch {
+        spinner.stop();
+        warn("Could not fetch on-chain data. Run `elytro account info` to retry.");
+      }
+    } catch (err) {
+      error(sanitizeErrorMessage(err.message));
+      process.exitCode = 1;
+    }
+  });
+}
+
+// src/commands/tx.ts
+init_sponsor();
+import ora3 from "ora";
+import { isAddress, isHex, formatEther as formatEther3, parseEther as parseEther2, toHex as toHex5 } from "viem";
+var ERR_INVALID_PARAMS = -32602;
+var ERR_INSUFFICIENT_BALANCE = -32001;
+var ERR_ACCOUNT_NOT_READY = -32002;
+var ERR_SPONSOR_FAILED = -32003;
+var ERR_BUILD_FAILED = -32004;
+var ERR_SEND_FAILED = -32005;
+var ERR_EXECUTION_REVERTED = -32006;
+var ERR_INTERNAL = -32e3;
+var TxError = class extends Error {
+  code;
+  data;
+  constructor(code, message, data) {
+    super(message);
+    this.name = "TxError";
+    this.code = code;
+    this.data = data;
+  }
+};
+function handleTxError(err) {
+  if (err instanceof TxError) {
+    txError({ code: err.code, message: sanitizeErrorMessage(err.message), data: err.data });
+  } else {
+    txError({
+      code: ERR_INTERNAL,
+      message: sanitizeErrorMessage(err.message ?? String(err))
+    });
+  }
+  process.exitCode = 1;
+}
+function parseTxSpec(spec, index) {
+  const prefix = `--tx #${index + 1}`;
+  const fields = {};
+  for (const part of spec.split(",")) {
+    const colonIdx = part.indexOf(":");
+    if (colonIdx === -1) {
+      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: invalid segment "${part}". Expected key:value format.`, {
+        spec,
+        index
+      });
+    }
+    const key = part.slice(0, colonIdx).trim().toLowerCase();
+    const val = part.slice(colonIdx + 1).trim();
+    if (!key || !val) {
+      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: empty key or value in "${part}".`, { spec, index });
+    }
+    if (fields[key]) {
+      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: duplicate key "${key}".`, { spec, index, key });
+    }
+    fields[key] = val;
+  }
+  const knownKeys = /* @__PURE__ */ new Set(["to", "value", "data"]);
+  for (const key of Object.keys(fields)) {
+    if (!knownKeys.has(key)) {
+      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: unknown key "${key}". Allowed: to, value, data.`, {
+        spec,
+        index,
+        key
+      });
+    }
+  }
+  if (!fields.to) {
+    throw new TxError(ERR_INVALID_PARAMS, `${prefix}: "to" is required.`, { spec, index });
+  }
+  if (!isAddress(fields.to)) {
+    throw new TxError(ERR_INVALID_PARAMS, `${prefix}: invalid address "${fields.to}".`, { spec, index, to: fields.to });
+  }
+  if (!fields.value && !fields.data) {
+    throw new TxError(ERR_INVALID_PARAMS, `${prefix}: at least one of "value" or "data" is required.`, { spec, index });
+  }
+  if (fields.value) {
+    try {
+      const wei = parseEther2(fields.value);
+      if (wei < 0n) throw new Error("negative");
+    } catch {
+      throw new TxError(
+        ERR_INVALID_PARAMS,
+        `${prefix}: invalid ETH amount "${fields.value}". Use human-readable format (e.g. "0.1").`,
+        { spec, index, value: fields.value }
+      );
+    }
+  }
+  if (fields.data) {
+    if (!isHex(fields.data)) {
+      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: invalid hex in "data". Must start with 0x.`, {
+        spec,
+        index,
+        data: fields.data
+      });
+    }
+    if (fields.data.length > 2 && fields.data.length % 2 !== 0) {
+      throw new TxError(ERR_INVALID_PARAMS, `${prefix}: "data" hex must have even length (complete bytes).`, {
+        spec,
+        index,
+        data: fields.data
+      });
+    }
+  }
+  return {
+    to: fields.to,
+    value: fields.value,
+    data: fields.data
+  };
+}
+function detectTxType(specs) {
+  if (specs.length > 1) return "batch";
+  const tx = specs[0];
+  if (tx.data && tx.data !== "0x") return "contract-call";
+  return "eth-transfer";
+}
+function specsToTxs(specs) {
+  return specs.map((s) => ({
+    to: s.to,
+    value: s.value ? toHex5(parseEther2(s.value)) : "0x0",
+    data: s.data ?? "0x"
+  }));
+}
+function totalEthValue(specs) {
+  let sum = 0n;
+  for (const s of specs) {
+    if (s.value) sum += parseEther2(s.value);
+  }
+  return sum;
+}
+function txTypeLabel(txType) {
+  switch (txType) {
+    case "eth-transfer":
+      return "ETH Transfer";
+    case "contract-call":
+      return "Contract Call";
+    case "batch":
+      return "Batch Transaction";
+  }
+}
+function truncateHex(hex, maxLen = 42) {
+  if (hex.length <= maxLen) return hex;
+  return `${hex.slice(0, 20)}...${hex.slice(-8)} (${(hex.length - 2) / 2} bytes)`;
+}
+function displayTxSpec(spec, index) {
+  const parts = [`#${index + 1}`];
+  parts.push(`\u2192 ${spec.to}`);
+  if (spec.value) parts.push(`${spec.value} ETH`);
+  if (spec.data && spec.data !== "0x") {
+    const selector = spec.data.length >= 10 ? spec.data.slice(0, 10) : spec.data;
+    parts.push(`call ${selector}`);
+  }
+  info("Tx", parts.join("  "));
+}
+function registerTxCommand(program2, ctx) {
+  const tx = program2.command("tx").description("Build, simulate, and send transactions");
+  tx.command("build").description("Build an unsigned UserOp from transaction parameters").argument("[account]", "Source account alias or address (default: current)").option("--tx <spec...>", 'Transaction spec: "to:0xAddr,value:0.1,data:0x..." (repeatable, ordered)').option("--no-sponsor", "Skip sponsorship check").action(async (target, opts) => {
+    try {
+      const specs = parseAllTxSpecs(opts?.tx);
+      const { userOp, accountInfo, chainConfig, sponsored, txType } = await buildUserOp(
+        ctx,
+        target,
+        specs,
+        opts?.sponsor
+      );
+      heading("UserOperation (unsigned)");
+      console.log(JSON.stringify(serializeUserOp(userOp), null, 2));
+      console.log("");
+      info("Account", accountInfo.alias);
+      info("Chain", `${chainConfig.name} (${chainConfig.id})`);
+      info("Type", txTypeLabel(txType));
+      if (txType === "batch") info("Tx Count", specs.length.toString());
+      info("Sponsored", sponsored ? "Yes" : "No");
+    } catch (err) {
+      handleTxError(err);
+    }
+  });
+  tx.command("send").description("Send a transaction on-chain").argument("[account]", "Source account alias or address (default: current)").option("--tx <spec...>", 'Transaction spec: "to:0xAddr,value:0.1,data:0x..." (repeatable, ordered)').option("--no-sponsor", "Skip sponsorship check").option("--no-hook", "Skip SecurityHook signing (bypass 2FA)").option("--userop <json>", "Send a pre-built UserOp JSON (skips build step)").action(async (target, opts) => {
+    if (!ctx.deviceKey) {
+      handleTxError(new TxError(ERR_ACCOUNT_NOT_READY, "Wallet not initialized. Run `elytro init` first."));
+      return;
+    }
+    try {
+      let userOp;
+      let accountInfo;
+      let chainConfig;
+      let sponsored;
+      let txType = "contract-call";
+      let specs = [];
+      if (opts?.userop) {
+        userOp = deserializeUserOp(opts.userop);
+        sponsored = !!userOp.paymaster;
+        const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
+        if (!identifier) {
+          throw new TxError(ERR_ACCOUNT_NOT_READY, "No account selected.", {
+            hint: "Specify an alias/address or create an account first."
+          });
+        }
+        accountInfo = resolveAccountStrict(ctx, identifier);
+        chainConfig = resolveChainStrict(ctx, accountInfo.chainId);
+        await ctx.sdk.initForChain(chainConfig);
+        ctx.walletClient.initForChain(chainConfig);
+      } else {
+        specs = parseAllTxSpecs(opts?.tx);
+        const result = await buildUserOp(ctx, target, specs, opts?.sponsor);
+        userOp = result.userOp;
+        accountInfo = result.accountInfo;
+        chainConfig = result.chainConfig;
+        sponsored = result.sponsored;
+        txType = result.txType;
+      }
+      console.log("");
+      heading("Transaction Summary");
+      info("Type", txTypeLabel(txType));
+      info("From", `${accountInfo.alias} (${accountInfo.address})`);
+      if (txType === "batch") {
+        info("Tx Count", specs.length.toString());
+        for (let i = 0; i < specs.length; i++) {
+          displayTxSpec(specs[i], i);
+        }
+      } else if (txType === "contract-call") {
+        const s = specs[0];
+        info("To", s.to);
+        info("Calldata", truncateHex(s.data ?? "0x"));
+        if (s.data && s.data.length >= 10) {
+          info("Selector", s.data.slice(0, 10));
+        }
+        if (s.value && s.value !== "0") {
+          info("Value", `${s.value} ETH (payable)`);
+        }
+      } else {
+        const s = specs[0];
+        info("To", s.to);
+        info("Value", `${s.value ?? "0"} ETH`);
+      }
+      info("Sponsored", sponsored ? "Yes (gasless)" : "No (user pays gas)");
+      const estimatedGas = userOp.callGasLimit + userOp.verificationGasLimit + userOp.preVerificationGas;
+      info("Est. Gas", estimatedGas.toString());
+      console.log("");
+      const confirmed = await askConfirm("Sign and send this transaction?");
+      if (!confirmed) {
+        warn("Transaction cancelled.");
+        return;
+      }
+      const spinner = ora3("Signing UserOperation...").start();
+      let opHash;
+      try {
+        const { packedHash, validationData } = await ctx.sdk.getUserOpHash(userOp);
+        const rawSignature = await ctx.keyring.signDigest(packedHash);
+        const useHook = opts?.hook !== false;
+        let hookSigned = false;
+        if (useHook) {
+          const hookAddress = SECURITY_HOOK_ADDRESS_MAP[accountInfo.chainId];
+          if (hookAddress) {
+            const hookService = new SecurityHookService({
+              store: ctx.store,
+              graphqlEndpoint: ctx.chain.graphqlEndpoint,
+              signMessageForAuth: createSignMessageForAuth({
+                signDigest: (digest) => ctx.keyring.signDigest(digest),
+                packRawHash: (hash) => ctx.sdk.packRawHash(hash),
+                packSignature: (rawSig, valData) => ctx.sdk.packUserOpSignature(rawSig, valData)
+              }),
+              readContract: async (params) => ctx.walletClient.readContract(params),
+              getBlockTimestamp: async () => {
+                const blockNum = await ctx.walletClient.raw.getBlockNumber();
+                const block = await ctx.walletClient.raw.getBlock({ blockNumber: blockNum });
+                return block.timestamp;
+              }
+            });
+            spinner.text = "Checking SecurityHook status...";
+            const hookStatus = await hookService.getHookStatus(accountInfo.address, accountInfo.chainId);
+            if (hookStatus.installed && hookStatus.capabilities.preUserOpValidation) {
+              userOp.signature = await ctx.sdk.packUserOpSignature(rawSignature, validationData);
+              spinner.text = "Requesting hook authorization...";
+              let hookResult = await hookService.getHookSignature(
+                accountInfo.address,
+                accountInfo.chainId,
+                ctx.sdk.entryPoint,
+                userOp
+              );
+              if (hookResult.error) {
+                spinner.stop();
+                const errCode = hookResult.error.code;
+                if (errCode === "OTP_REQUIRED" || errCode === "SPENDING_LIMIT_EXCEEDED") {
+                  warn(hookResult.error.message ?? `Verification required (${errCode}).`);
+                  if (hookResult.error.maskedEmail) {
+                    info("OTP sent to", hookResult.error.maskedEmail);
+                  }
+                  if (errCode === "SPENDING_LIMIT_EXCEEDED" && hookResult.error.projectedSpendUsdCents !== void 0) {
+                    info("Projected spend", `$${(hookResult.error.projectedSpendUsdCents / 100).toFixed(2)}`);
+                    info("Daily limit", `$${((hookResult.error.dailyLimitUsdCents ?? 0) / 100).toFixed(2)}`);
+                  }
+                  const otpCode = await askInput("Enter the 6-digit OTP code:");
+                  spinner.start("Verifying OTP...");
+                  await hookService.verifySecurityOtp(
+                    accountInfo.address,
+                    accountInfo.chainId,
+                    hookResult.error.challengeId,
+                    otpCode.trim()
+                  );
+                  spinner.text = "OTP verified. Retrying authorization...";
+                  hookResult = await hookService.getHookSignature(
+                    accountInfo.address,
+                    accountInfo.chainId,
+                    ctx.sdk.entryPoint,
+                    userOp
+                  );
+                  if (hookResult.error) {
+                    throw new TxError(
+                      ERR_SEND_FAILED,
+                      `Hook authorization failed after OTP: ${hookResult.error.message}`
+                    );
+                  }
+                } else {
+                  throw new TxError(
+                    ERR_SEND_FAILED,
+                    `Hook authorization failed: ${hookResult.error.message ?? errCode}`
+                  );
+                }
+              }
+              userOp.signature = await ctx.sdk.packUserOpSignatureWithHook(
+                rawSignature,
+                validationData,
+                hookAddress,
+                hookResult.signature
+              );
+              hookSigned = true;
+            }
+          }
+        }
+        if (!hookSigned) {
+          userOp.signature = await ctx.sdk.packUserOpSignature(rawSignature, validationData);
+        }
+        spinner.text = "Sending to bundler...";
+        opHash = await ctx.sdk.sendUserOp(userOp);
+      } catch (err) {
+        spinner.fail("Send failed.");
+        throw new TxError(ERR_SEND_FAILED, err.message, {
+          sender: accountInfo.address,
+          chain: chainConfig.name
+        });
+      }
+      spinner.text = "Waiting for on-chain confirmation...";
+      const receipt = await ctx.sdk.waitForReceipt(opHash);
+      if (receipt.success) {
+        spinner.succeed("Transaction confirmed!");
+      } else {
+        spinner.warn("Execution reverted.");
+        txError({
+          code: ERR_EXECUTION_REVERTED,
+          message: "UserOp included but execution reverted on-chain.",
+          data: {
+            txHash: receipt.transactionHash,
+            block: receipt.blockNumber,
+            gasCost: `${formatEther3(BigInt(receipt.actualGasCost))} ETH`,
+            sender: accountInfo.address
+          }
+        });
+      }
+      console.log("");
+      info("Account", accountInfo.alias);
+      info("Tx Hash", receipt.transactionHash);
+      info("Block", receipt.blockNumber);
+      info("Gas Cost", `${formatEther3(BigInt(receipt.actualGasCost))} ETH`);
+      info("Sponsored", sponsored ? "Yes (gasless)" : "No (user paid)");
+      if (chainConfig.blockExplorer) {
+        info("Explorer", `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}`);
+      }
+      if (!receipt.success) {
+        process.exitCode = 1;
+      }
+    } catch (err) {
+      handleTxError(err);
+    }
+  });
+  tx.command("simulate").description("Preview a transaction (gas estimate, sponsor check)").argument("[account]", "Source account alias or address (default: current)").option("--tx <spec...>", 'Transaction spec: "to:0xAddr,value:0.1,data:0x..." (repeatable, ordered)').option("--no-sponsor", "Skip sponsorship check").action(async (target, opts) => {
+    if (!ctx.deviceKey) {
+      handleTxError(new TxError(ERR_ACCOUNT_NOT_READY, "Wallet not initialized. Run `elytro init` first."));
+      return;
+    }
+    try {
+      const specs = parseAllTxSpecs(opts?.tx);
+      const { userOp, accountInfo, chainConfig, sponsored, txType } = await buildUserOp(
+        ctx,
+        target,
+        specs,
+        opts?.sponsor
+      );
+      const { wei: ethBalance, ether: ethFormatted } = await ctx.walletClient.getBalance(accountInfo.address);
+      const nativeCurrency = chainConfig.nativeCurrency.symbol;
+      console.log("");
+      heading("Transaction Simulation");
+      info("Type", txTypeLabel(txType));
+      info("From", `${accountInfo.alias} (${accountInfo.address})`);
+      info("Chain", `${chainConfig.name} (${chainConfig.id})`);
+      if (txType === "batch") {
+        console.log("");
+        info("Tx Count", specs.length.toString());
+        for (let i = 0; i < specs.length; i++) {
+          displayTxSpec(specs[i], i);
+        }
+        const total = totalEthValue(specs);
+        if (total > 0n) {
+          info("Total ETH", formatEther3(total));
+          if (ethBalance < total) {
+            warn(`Insufficient balance: need ${formatEther3(total)}, have ${ethFormatted} ${nativeCurrency}`);
+          }
+        }
+      } else if (txType === "contract-call") {
+        const s = specs[0];
+        console.log("");
+        info("To", s.to);
+        info("Calldata", truncateHex(s.data ?? "0x"));
+        info("Calldata Size", `${Math.max(0, ((s.data?.length ?? 2) - 2) / 2)} bytes`);
+        if (s.data && s.data.length >= 10) {
+          info("Selector", s.data.slice(0, 10));
+        }
+        if (s.value && s.value !== "0") {
+          info("Value", `${s.value} ${nativeCurrency} (payable)`);
+          const sendValue = parseEther2(s.value);
+          if (ethBalance < sendValue) {
+            warn(`Insufficient balance for value: need ${s.value}, have ${ethFormatted} ${nativeCurrency}`);
+          }
+        }
+        const isContract = await ctx.walletClient.isContractDeployed(s.to);
+        info("Target", isContract ? "Contract" : "EOA (warning: calling non-contract)");
+        if (!isContract) {
+          warn("Target address has no deployed code. The call may be a no-op or revert.");
+        }
+      } else {
+        const s = specs[0];
+        console.log("");
+        info("To", s.to);
+        info("Value", `${s.value ?? "0"} ${nativeCurrency}`);
+        if (s.value) {
+          const sendValue = parseEther2(s.value);
+          if (ethBalance < sendValue) {
+            warn(`Insufficient balance: need ${s.value}, have ${ethFormatted} ${nativeCurrency}`);
+          }
+        }
+      }
+      console.log("");
+      info("callGasLimit", userOp.callGasLimit.toString());
+      info("verificationGasLimit", userOp.verificationGasLimit.toString());
+      info("preVerificationGas", userOp.preVerificationGas.toString());
+      info("maxFeePerGas", `${userOp.maxFeePerGas.toString()} wei`);
+      info("maxPriorityFeePerGas", `${userOp.maxPriorityFeePerGas.toString()} wei`);
+      const totalGas = userOp.callGasLimit + userOp.verificationGasLimit + userOp.preVerificationGas;
+      const maxCostWei = totalGas * userOp.maxFeePerGas;
+      info("Max Gas Cost", `${formatEther3(maxCostWei)} ${nativeCurrency}`);
+      console.log("");
+      info("Sponsored", sponsored ? "Yes (gasless)" : "No (user pays gas)");
+      if (sponsored && userOp.paymaster) {
+        info("Paymaster", userOp.paymaster);
+      }
+      info(`${nativeCurrency} Balance`, `${ethFormatted} ${nativeCurrency}`);
+      if (!sponsored && ethBalance < maxCostWei) {
+        warn(
+          `Insufficient ${nativeCurrency} for gas: need ~${formatEther3(maxCostWei)}, have ${ethFormatted}`
+        );
+      }
+    } catch (err) {
+      handleTxError(err);
+    }
+  });
+}
+function parseAllTxSpecs(rawSpecs) {
+  if (!rawSpecs || rawSpecs.length === 0) {
+    throw new TxError(ERR_INVALID_PARAMS, 'At least one --tx is required. Format: --tx "to:0xAddr,value:0.1"');
+  }
+  return rawSpecs.map((spec, i) => parseTxSpec(spec, i));
+}
+async function buildUserOp(ctx, target, specs, sponsor) {
+  const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
+  if (!identifier) {
+    throw new TxError(ERR_ACCOUNT_NOT_READY, "No account selected.", {
+      hint: "Specify an alias/address or create an account first."
+    });
+  }
+  const accountInfo = resolveAccountStrict(ctx, identifier);
+  const chainConfig = resolveChainStrict(ctx, accountInfo.chainId);
+  if (!accountInfo.isDeployed) {
+    throw new TxError(ERR_ACCOUNT_NOT_READY, `Account "${accountInfo.alias}" is not deployed.`, {
+      account: accountInfo.alias,
+      address: accountInfo.address,
+      hint: "Run `elytro account activate` first."
+    });
+  }
+  await ctx.sdk.initForChain(chainConfig);
+  ctx.walletClient.initForChain(chainConfig);
+  const ethValueTotal = totalEthValue(specs);
+  if (ethValueTotal > 0n) {
+    const { wei: ethBalance } = await ctx.walletClient.getBalance(accountInfo.address);
+    if (ethBalance < ethValueTotal) {
+      const have = formatEther3(ethBalance);
+      const need = formatEther3(ethValueTotal);
+      throw new TxError(ERR_INSUFFICIENT_BALANCE, "Insufficient ETH balance for transfer value.", {
+        need: `${need} ETH`,
+        have: `${have} ETH`,
+        account: accountInfo.address,
+        chain: chainConfig.name
+      });
+    }
+  }
+  const txType = detectTxType(specs);
+  const txs = specsToTxs(specs);
+  const spinner = ora3("Building UserOp...").start();
+  let userOp;
+  try {
+    userOp = await ctx.sdk.createSendUserOp(accountInfo.address, txs);
+  } catch (err) {
+    spinner.fail("Build failed.");
+    throw new TxError(ERR_BUILD_FAILED, `Failed to build UserOp: ${err.message}`, {
+      account: accountInfo.address,
+      chain: chainConfig.name
+    });
+  }
+  spinner.text = "Fetching gas prices...";
+  const feeData = await ctx.sdk.getFeeData(chainConfig);
+  userOp.maxFeePerGas = feeData.maxFeePerGas;
+  userOp.maxPriorityFeePerGas = feeData.maxPriorityFeePerGas;
+  spinner.text = "Estimating gas...";
+  try {
+    const gasEstimate = await ctx.sdk.estimateUserOp(userOp, { fakeBalance: true });
+    userOp.callGasLimit = gasEstimate.callGasLimit;
+    userOp.verificationGasLimit = gasEstimate.verificationGasLimit;
+    userOp.preVerificationGas = gasEstimate.preVerificationGas;
+  } catch (err) {
+    spinner.fail("Gas estimation failed.");
+    throw new TxError(ERR_BUILD_FAILED, `Gas estimation failed: ${err.message}`, {
+      account: accountInfo.address,
+      chain: chainConfig.name
+    });
+  }
+  let sponsored = false;
+  if (sponsor !== false) {
+    spinner.text = "Checking sponsorship...";
+    const { sponsor: sponsorResult, error: sponsorError } = await requestSponsorship(
+      ctx.chain.graphqlEndpoint,
+      accountInfo.chainId,
+      ctx.sdk.entryPoint,
+      userOp
+    );
+    if (sponsorResult) {
+      applySponsorToUserOp(userOp, sponsorResult);
+      sponsored = true;
+    } else {
+      spinner.text = "Sponsorship unavailable, checking balance...";
+      const { wei: balance } = await ctx.walletClient.getBalance(accountInfo.address);
+      if (balance === 0n) {
+        spinner.fail("Build failed.");
+        throw new TxError(ERR_SPONSOR_FAILED, "Sponsorship failed and account has no ETH to pay gas.", {
+          reason: sponsorError ?? "unknown",
+          account: accountInfo.address,
+          chain: chainConfig.name,
+          hint: `Fund ${accountInfo.address} on ${chainConfig.name}.`
+        });
+      }
+    }
+  }
+  spinner.succeed("UserOp built.");
+  return { userOp, accountInfo, chainConfig, sponsored, txType };
+}
+function resolveAccountStrict(ctx, identifier) {
+  const account = ctx.account.resolveAccount(identifier);
+  if (!account) {
+    throw new TxError(ERR_ACCOUNT_NOT_READY, `Account "${identifier}" not found.`, { identifier });
+  }
+  return account;
+}
+function resolveChainStrict(ctx, chainId) {
+  const chain = ctx.chain.chains.find((c) => c.id === chainId);
+  if (!chain) {
+    throw new TxError(ERR_ACCOUNT_NOT_READY, `Chain ${chainId} not configured.`, { chainId });
+  }
+  return chain;
+}
+function serializeUserOp(op) {
+  return {
+    sender: op.sender,
+    nonce: toHex5(op.nonce),
+    factory: op.factory,
+    factoryData: op.factoryData,
+    callData: op.callData,
+    callGasLimit: toHex5(op.callGasLimit),
+    verificationGasLimit: toHex5(op.verificationGasLimit),
+    preVerificationGas: toHex5(op.preVerificationGas),
+    maxFeePerGas: toHex5(op.maxFeePerGas),
+    maxPriorityFeePerGas: toHex5(op.maxPriorityFeePerGas),
+    paymaster: op.paymaster,
+    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex5(op.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex5(op.paymasterPostOpGasLimit) : null,
+    paymasterData: op.paymasterData,
+    signature: op.signature
+  };
+}
+function deserializeUserOp(json) {
+  let raw;
+  try {
+    raw = JSON.parse(json);
+  } catch {
+    throw new TxError(ERR_INVALID_PARAMS, "Invalid UserOp JSON. Pass a JSON-encoded UserOp object.", { json });
+  }
+  if (!raw.sender || !raw.callData) {
+    throw new TxError(ERR_INVALID_PARAMS, "Invalid UserOp: missing required fields (sender, callData).");
+  }
+  return {
+    sender: raw.sender,
+    nonce: BigInt(raw.nonce ?? "0x0"),
+    factory: raw.factory ?? null,
+    factoryData: raw.factoryData ?? null,
+    callData: raw.callData,
+    callGasLimit: BigInt(raw.callGasLimit ?? "0x0"),
+    verificationGasLimit: BigInt(raw.verificationGasLimit ?? "0x0"),
+    preVerificationGas: BigInt(raw.preVerificationGas ?? "0x0"),
+    maxFeePerGas: BigInt(raw.maxFeePerGas ?? "0x0"),
+    maxPriorityFeePerGas: BigInt(raw.maxPriorityFeePerGas ?? "0x0"),
+    paymaster: raw.paymaster ?? null,
+    paymasterVerificationGasLimit: raw.paymasterVerificationGasLimit ? BigInt(raw.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: raw.paymasterPostOpGasLimit ? BigInt(raw.paymasterPostOpGasLimit) : null,
+    paymasterData: raw.paymasterData ?? null,
+    signature: raw.signature ?? "0x"
+  };
+}
+
+// src/commands/query.ts
+import ora4 from "ora";
+import { isAddress as isAddress2, formatEther as formatEther4, formatUnits } from "viem";
+
+// src/utils/erc20.ts
+import { encodeFunctionData, parseUnits } from "viem";
+var ERC20_ABI = [
+  {
+    name: "transfer",
+    type: "function",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "to", type: "address" },
+      { name: "amount", type: "uint256" }
+    ],
+    outputs: [{ name: "", type: "bool" }]
+  },
+  {
+    name: "balanceOf",
+    type: "function",
+    stateMutability: "view",
+    inputs: [{ name: "account", type: "address" }],
+    outputs: [{ name: "", type: "uint256" }]
+  },
+  {
+    name: "decimals",
+    type: "function",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ name: "", type: "uint8" }]
+  },
+  {
+    name: "symbol",
+    type: "function",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ name: "", type: "string" }]
+  }
+];
+async function getTokenInfo(walletClient, tokenAddress) {
+  const [symbol, decimals] = await Promise.all([
+    walletClient.readContract({
+      address: tokenAddress,
+      abi: ERC20_ABI,
+      functionName: "symbol"
+    }),
+    walletClient.readContract({
+      address: tokenAddress,
+      abi: ERC20_ABI,
+      functionName: "decimals"
+    })
+  ]);
+  return { symbol, decimals };
+}
+async function getTokenBalance(walletClient, tokenAddress, account) {
+  return walletClient.readContract({
+    address: tokenAddress,
+    abi: ERC20_ABI,
+    functionName: "balanceOf",
+    args: [account]
+  });
+}
+
+// src/commands/query.ts
+function registerQueryCommand(program2, ctx) {
+  const query = program2.command("query").description("Query on-chain data");
+  query.command("balance").description("Query ETH or ERC-20 balance").argument("[account]", "Account alias or address (default: current)").option("--token <address>", "ERC-20 token contract address").action(async (target, opts) => {
+    try {
+      const { accountInfo, chainConfig } = resolveAccountAndChain(ctx, target);
+      ctx.walletClient.initForChain(chainConfig);
+      const spinner = ora4("Querying balance...").start();
+      if (opts?.token) {
+        if (!isAddress2(opts.token)) {
+          spinner.fail("Invalid token address.");
+          outputError(-32602, "Invalid token address.", { token: opts.token });
+          return;
+        }
+        const [tokenInfo, tokenBal] = await Promise.all([
+          getTokenInfo(ctx.walletClient, opts.token),
+          getTokenBalance(ctx.walletClient, opts.token, accountInfo.address)
+        ]);
+        spinner.stop();
+        outputSuccess({
+          account: accountInfo.alias,
+          address: accountInfo.address,
+          chain: chainConfig.name,
+          token: opts.token,
+          symbol: tokenInfo.symbol,
+          decimals: tokenInfo.decimals,
+          balance: formatUnits(tokenBal, tokenInfo.decimals)
+        });
+      } else {
+        const { ether } = await ctx.walletClient.getBalance(accountInfo.address);
+        spinner.stop();
+        outputSuccess({
+          account: accountInfo.alias,
+          address: accountInfo.address,
+          chain: chainConfig.name,
+          symbol: chainConfig.nativeCurrency.symbol,
+          balance: ether
+        });
+      }
+    } catch (err) {
+      outputError(-32e3, sanitizeErrorMessage(err.message));
+    }
+  });
+  query.command("tokens").description("List all ERC-20 token holdings").argument("[account]", "Account alias or address (default: current)").action(async (target) => {
+    try {
+      const { accountInfo, chainConfig } = resolveAccountAndChain(ctx, target);
+      ctx.walletClient.initForChain(chainConfig);
+      const spinner = ora4("Fetching token balances...").start();
+      const rawBalances = await ctx.walletClient.getTokenBalances(accountInfo.address);
+      if (rawBalances.length === 0) {
+        spinner.stop();
+        heading(`Token Holdings (${accountInfo.alias})`);
+        info("Result", "No ERC-20 tokens found.");
+        return;
+      }
+      spinner.text = `Fetching metadata for ${rawBalances.length} tokens...`;
+      const tokens = await Promise.all(
+        rawBalances.map(async ({ tokenAddress, balance }) => {
+          try {
+            const info2 = await getTokenInfo(ctx.walletClient, tokenAddress);
+            return {
+              address: tokenAddress,
+              symbol: info2.symbol,
+              decimals: info2.decimals,
+              balance: formatUnits(balance, info2.decimals),
+              rawBalance: balance
+            };
+          } catch {
+            return {
+              address: tokenAddress,
+              symbol: "???",
+              decimals: 18,
+              balance: formatUnits(balance, 18),
+              rawBalance: balance
+            };
+          }
+        })
+      );
+      spinner.stop();
+      heading(`Token Holdings (${accountInfo.alias})`);
+      info("Account", accountInfo.address);
+      info("Chain", `${chainConfig.name} (${chainConfig.id})`);
+      info("Tokens", tokens.length.toString());
+      console.log("");
+      table(
+        tokens.map((t) => ({
+          address: t.address,
+          symbol: t.symbol,
+          decimals: String(t.decimals),
+          balance: t.balance
+        })),
+        [
+          { key: "address", label: "Token Address", width: 44 },
+          { key: "symbol", label: "Symbol", width: 10 },
+          { key: "decimals", label: "Decimals", width: 10 },
+          { key: "balance", label: "Balance", width: 24 }
+        ]
+      );
+    } catch (err) {
+      outputError(-32e3, sanitizeErrorMessage(err.message));
+    }
+  });
+  query.command("tx").description("Query transaction status by hash").argument("<hash>", "Transaction hash (0x...)").action(async (hash) => {
+    try {
+      if (!hash || !isHex66(hash)) {
+        outputError(-32602, "Invalid transaction hash. Must be a 66-character hex string (0x + 64 hex chars).", {
+          hash
+        });
+        return;
+      }
+      const chainConfig = resolveCurrentChain(ctx);
+      ctx.walletClient.initForChain(chainConfig);
+      const spinner = ora4("Querying transaction...").start();
+      const receipt = await ctx.walletClient.getTransactionReceipt(hash);
+      if (!receipt) {
+        spinner.stop();
+        outputError(-32001, "Transaction not found. It may be pending or on a different chain.", {
+          hash,
+          chain: chainConfig.name
+        });
+        return;
+      }
+      spinner.stop();
+      outputSuccess({
+        hash: receipt.transactionHash,
+        status: receipt.status,
+        block: receipt.blockNumber.toString(),
+        from: receipt.from,
+        to: receipt.to,
+        gasUsed: receipt.gasUsed.toString(),
+        chain: chainConfig.name
+      });
+    } catch (err) {
+      outputError(-32e3, sanitizeErrorMessage(err.message));
+    }
+  });
+  query.command("chain").description("Show current chain information").action(async () => {
+    try {
+      const chainConfig = resolveCurrentChain(ctx);
+      ctx.walletClient.initForChain(chainConfig);
+      const spinner = ora4("Fetching chain data...").start();
+      const [blockNumber, gasPrice] = await Promise.all([
+        ctx.walletClient.getBlockNumber(),
+        ctx.walletClient.getGasPrice()
+      ]);
+      spinner.stop();
+      outputSuccess({
+        chainId: chainConfig.id,
+        name: chainConfig.name,
+        nativeCurrency: chainConfig.nativeCurrency.symbol,
+        rpcEndpoint: maskApiKeys(chainConfig.endpoint),
+        bundler: maskApiKeys(chainConfig.bundler),
+        blockExplorer: chainConfig.blockExplorer ?? null,
+        blockNumber: blockNumber.toString(),
+        gasPrice: `${gasPrice.toString()} wei (${formatEther4(gasPrice * 21000n)} ETH per basic tx)`
+      });
+    } catch (err) {
+      outputError(-32e3, sanitizeErrorMessage(err.message));
+    }
+  });
+  query.command("address").description("Inspect any on-chain address").argument("<address>", "Address to inspect (0x...)").action(async (addr) => {
+    try {
+      if (!isAddress2(addr)) {
+        outputError(-32602, "Invalid address.", { address: addr });
+        return;
+      }
+      const chainConfig = resolveCurrentChain(ctx);
+      ctx.walletClient.initForChain(chainConfig);
+      const spinner = ora4("Querying address...").start();
+      const [{ ether: balance }, code] = await Promise.all([
+        ctx.walletClient.getBalance(addr),
+        ctx.walletClient.getCode(addr)
+      ]);
+      const isContract = !!code && code !== "0x";
+      const codeSize = isContract ? (code.length - 2) / 2 : 0;
+      spinner.stop();
+      outputSuccess({
+        address: addr,
+        chain: chainConfig.name,
+        type: isContract ? "contract" : "EOA",
+        balance: `${balance} ${chainConfig.nativeCurrency.symbol}`,
+        ...isContract ? { codeSize: `${codeSize} bytes` } : {}
+      });
+    } catch (err) {
+      outputError(-32e3, sanitizeErrorMessage(err.message));
+    }
+  });
+}
+function resolveAccountAndChain(ctx, target) {
+  const identifier = target ?? ctx.account.currentAccount?.alias ?? ctx.account.currentAccount?.address;
+  if (!identifier) {
+    throw new Error("No account selected. Specify an alias/address or create an account first.");
+  }
+  const accountInfo = ctx.account.resolveAccount(identifier);
+  if (!accountInfo) {
+    throw new Error(`Account "${identifier}" not found.`);
+  }
+  const chainConfig = ctx.chain.chains.find((c) => c.id === accountInfo.chainId);
+  if (!chainConfig) {
+    throw new Error(`Chain ${accountInfo.chainId} not configured.`);
+  }
+  return { accountInfo, chainConfig };
+}
+function resolveCurrentChain(ctx) {
+  const currentAccount = ctx.account.currentAccount;
+  if (currentAccount) {
+    const accountInfo = ctx.account.resolveAccount(currentAccount.alias ?? currentAccount.address);
+    if (accountInfo) {
+      const chain = ctx.chain.chains.find((c) => c.id === accountInfo.chainId);
+      if (chain) return chain;
+    }
+  }
+  return ctx.chain.currentChain;
+}
+function isHex66(s) {
+  return /^0x[0-9a-fA-F]{64}$/.test(s);
+}
+function outputSuccess(result) {
+  console.log(JSON.stringify({ success: true, result }, null, 2));
+}
+function outputError(code, message, data) {
+  txError({ code, message, data });
+  process.exitCode = 1;
+}
+
+// src/commands/security.ts
+import ora5 from "ora";
+
+// src/utils/contracts/securityHook.ts
+import { encodeFunctionData as encodeFunctionData2, parseAbi as parseAbi2, pad, toHex as toHex6 } from "viem";
+function encodeInstallHook(walletAddress, hookAddress, safetyDelay = DEFAULT_SAFETY_DELAY, capabilityFlags = DEFAULT_CAPABILITY) {
+  const safetyDelayHex = pad(toHex6(safetyDelay), { size: 4 }).slice(2);
+  const hookAndData = hookAddress + safetyDelayHex;
+  const callData = encodeFunctionData2({
+    abi: parseAbi2(["function installHook(bytes calldata hookAndData, uint8 capabilityFlags)"]),
+    functionName: "installHook",
+    args: [hookAndData, capabilityFlags]
+  });
+  return { to: walletAddress, value: "0", data: callData };
+}
+function encodeUninstallHook(walletAddress, hookAddress) {
+  const callData = encodeFunctionData2({
+    abi: parseAbi2(["function uninstallHook(address)"]),
+    functionName: "uninstallHook",
+    args: [hookAddress]
+  });
+  return { to: walletAddress, value: "0", data: callData };
+}
+function encodeForcePreUninstall(hookAddress) {
+  const callData = encodeFunctionData2({
+    abi: parseAbi2(["function forcePreUninstall()"]),
+    functionName: "forcePreUninstall",
+    args: []
+  });
+  return { to: hookAddress, value: "0", data: callData };
+}
+
+// src/commands/security.ts
+var ERR_ACCOUNT_NOT_READY2 = -32002;
+var ERR_HOOK_AUTH_FAILED = -32007;
+var ERR_EMAIL_NOT_BOUND = -32010;
+var ERR_SAFETY_DELAY = -32011;
+var ERR_OTP_VERIFY_FAILED = -32012;
+var ERR_INTERNAL2 = -32e3;
+var SecurityError = class extends Error {
+  code;
+  data;
+  constructor(code, message, data) {
+    super(message);
+    this.name = "SecurityError";
+    this.code = code;
+    this.data = data;
+  }
+};
+function handleSecurityError(err) {
+  if (err instanceof SecurityError) {
+    txError({ code: err.code, message: sanitizeErrorMessage(err.message), data: err.data });
+  } else {
+    txError({
+      code: ERR_INTERNAL2,
+      message: sanitizeErrorMessage(err.message ?? String(err))
+    });
+  }
+  process.exitCode = 1;
+}
+function initSecurityContext(ctx) {
+  if (!ctx.deviceKey) {
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "Wallet not initialized. Run `elytro init` first.");
+  }
+  const current = ctx.account.currentAccount;
+  if (!current) {
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "No account selected. Run `elytro account create` first.");
+  }
+  const account = ctx.account.resolveAccount(current.alias ?? current.address);
+  if (!account) {
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "Account not found.");
+  }
+  if (!account.isDeployed) {
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "Account not deployed. Run `elytro account activate` first.");
+  }
+  const chainConfig = ctx.chain.chains.find((c) => c.id === account.chainId);
+  if (!chainConfig) {
+    throw new SecurityError(ERR_ACCOUNT_NOT_READY2, `No chain config for chainId ${account.chainId}.`);
+  }
+  ctx.walletClient.initForChain(chainConfig);
+  const hookService = new SecurityHookService({
+    store: ctx.store,
+    graphqlEndpoint: ctx.chain.graphqlEndpoint,
+    signMessageForAuth: createSignMessageForAuth({
+      signDigest: (digest) => ctx.keyring.signDigest(digest),
+      packRawHash: (hash) => ctx.sdk.packRawHash(hash),
+      packSignature: (rawSig, valData) => ctx.sdk.packUserOpSignature(rawSig, valData)
+    }),
+    readContract: async (params) => {
+      return ctx.walletClient.readContract(params);
+    },
+    getBlockTimestamp: async () => {
+      const blockNumber = await ctx.walletClient.raw.getBlockNumber();
+      const block = await ctx.walletClient.raw.getBlock({ blockNumber });
+      return block.timestamp;
+    }
+  });
+  return { account, chainConfig, hookService };
+}
+async function buildUserOp2(ctx, chainConfig, account, txs, spinner) {
+  const userOp = await ctx.sdk.createSendUserOp(
+    account.address,
+    txs.map((tx) => ({ to: tx.to, value: tx.value, data: tx.data }))
+  );
+  const feeData = await ctx.sdk.getFeeData(chainConfig);
+  userOp.maxFeePerGas = feeData.maxFeePerGas;
+  userOp.maxPriorityFeePerGas = feeData.maxPriorityFeePerGas;
+  spinner.text = "Estimating gas...";
+  const gasEstimate = await ctx.sdk.estimateUserOp(userOp, { fakeBalance: true });
+  userOp.callGasLimit = gasEstimate.callGasLimit;
+  userOp.verificationGasLimit = gasEstimate.verificationGasLimit;
+  userOp.preVerificationGas = gasEstimate.preVerificationGas;
+  spinner.text = "Checking sponsorship...";
+  try {
+    const { requestSponsorship: requestSponsorship2, applySponsorToUserOp: applySponsorToUserOp2 } = await Promise.resolve().then(() => (init_sponsor(), sponsor_exports));
+    const { sponsor: sponsorResult } = await requestSponsorship2(
+      ctx.chain.graphqlEndpoint,
+      account.chainId,
+      ctx.sdk.entryPoint,
+      userOp
+    );
+    if (sponsorResult) applySponsorToUserOp2(userOp, sponsorResult);
+  } catch {
+  }
+  return userOp;
+}
+async function signAndSend(ctx, chainConfig, userOp, spinner) {
+  spinner.text = "Signing...";
+  const { packedHash, validationData } = await ctx.sdk.getUserOpHash(userOp);
+  const rawSignature = await ctx.keyring.signDigest(packedHash);
+  userOp.signature = await ctx.sdk.packUserOpSignature(rawSignature, validationData);
+  spinner.text = "Sending UserOp...";
+  const opHash = await ctx.sdk.sendUserOp(userOp);
+  spinner.text = "Waiting for receipt...";
+  const receipt = await ctx.sdk.waitForReceipt(opHash);
+  spinner.stop();
+  if (receipt.success) {
+    success("Transaction confirmed!");
+    info("Tx Hash", receipt.transactionHash);
+    if (chainConfig.blockExplorer) {
+      info("Explorer", `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}`);
+    }
+  } else {
+    throw new SecurityError(ERR_INTERNAL2, "Transaction reverted on-chain.", {
+      txHash: receipt.transactionHash
+    });
+  }
+}
+async function signWithHookAndSend(ctx, chainConfig, account, hookService, userOp, spinner) {
+  spinner.text = "Signing...";
+  const { packedHash, validationData } = await ctx.sdk.getUserOpHash(userOp);
+  const rawSignature = await ctx.keyring.signDigest(packedHash);
+  userOp.signature = await ctx.sdk.packUserOpSignature(rawSignature, validationData);
+  spinner.text = "Requesting hook authorization...";
+  let hookResult = await hookService.getHookSignature(account.address, account.chainId, ctx.sdk.entryPoint, userOp);
+  if (hookResult.error) {
+    spinner.stop();
+    hookResult = await handleOtpChallenge(hookService, account, ctx, userOp, hookResult);
+  }
+  if (!spinner.isSpinning) spinner.start("Packing signature...");
+  const hookAddress = SECURITY_HOOK_ADDRESS_MAP[account.chainId];
+  userOp.signature = await ctx.sdk.packUserOpSignatureWithHook(
+    rawSignature,
+    validationData,
+    hookAddress,
+    hookResult.signature
+  );
+  spinner.text = "Sending UserOp...";
+  const opHash = await ctx.sdk.sendUserOp(userOp);
+  spinner.text = "Waiting for receipt...";
+  const receipt = await ctx.sdk.waitForReceipt(opHash);
+  spinner.stop();
+  if (receipt.success) {
+    success("Transaction confirmed!");
+    info("Tx Hash", receipt.transactionHash);
+    if (chainConfig.blockExplorer) {
+      info("Explorer", `${chainConfig.blockExplorer}/tx/${receipt.transactionHash}`);
+    }
+  } else {
+    throw new SecurityError(ERR_INTERNAL2, "Transaction reverted on-chain.", {
+      txHash: receipt.transactionHash
+    });
+  }
+}
+async function handleOtpChallenge(hookService, account, ctx, userOp, hookResult) {
+  const err = hookResult.error;
+  const errCode = err.code ?? "UNKNOWN";
+  if (errCode !== "OTP_REQUIRED" && errCode !== "SPENDING_LIMIT_EXCEEDED") {
+    throw new SecurityError(ERR_HOOK_AUTH_FAILED, `Hook authorization failed: ${err.message ?? errCode}`);
+  }
+  warn(err.message ?? `Verification required (${errCode}).`);
+  if (err.maskedEmail) {
+    info("OTP sent to", err.maskedEmail);
+  }
+  if (errCode === "SPENDING_LIMIT_EXCEEDED" && err.projectedSpendUsdCents !== void 0) {
+    info("Projected spend", `$${(err.projectedSpendUsdCents / 100).toFixed(2)}`);
+    info("Daily limit", `$${((err.dailyLimitUsdCents ?? 0) / 100).toFixed(2)}`);
+  }
+  const otpCode = await askInput("Enter the 6-digit OTP code:");
+  const verifySpinner = ora5("Verifying OTP...").start();
+  try {
+    await hookService.verifySecurityOtp(account.address, account.chainId, err.challengeId, otpCode.trim());
+    verifySpinner.text = "OTP verified. Retrying authorization...";
+    const retryResult = await hookService.getHookSignature(
+      account.address,
+      account.chainId,
+      ctx.sdk.entryPoint,
+      userOp
+    );
+    verifySpinner.stop();
+    if (retryResult.error) {
+      throw new SecurityError(ERR_HOOK_AUTH_FAILED, `Authorization failed after OTP: ${retryResult.error.message}`);
+    }
+    return retryResult;
+  } catch (e) {
+    verifySpinner.stop();
+    if (e instanceof SecurityError) throw e;
+    throw new SecurityError(
+      ERR_OTP_VERIFY_FAILED,
+      `OTP verification failed: ${sanitizeErrorMessage(e.message)}`
+    );
+  }
+}
+function registerSecurityCommand(program2, ctx) {
+  const security = program2.command("security").description("SecurityHook (2FA & spending limits)");
+  security.command("status").description("Show SecurityHook status and security profile").action(async () => {
+    try {
+      const { account, chainConfig, hookService } = initSecurityContext(ctx);
+      await ctx.sdk.initForChain(chainConfig);
+      const spinner = ora5("Querying hook status...").start();
+      const hookStatus = await hookService.getHookStatus(account.address, account.chainId);
+      let profile = null;
+      try {
+        profile = await hookService.loadSecurityProfile(account.address, account.chainId);
+      } catch {
+      }
+      spinner.stop();
+      heading("Security Status");
+      info("Account", `${account.alias} (${address(account.address)})`);
+      info("Chain", `${chainConfig.name} (${account.chainId})`);
+      info("Hook Installed", hookStatus.installed ? "Yes" : "No");
+      if (hookStatus.installed) {
+        info("Hook Address", address(hookStatus.hookAddress));
+        info(
+          "Capabilities",
+          [
+            hookStatus.capabilities.preUserOpValidation && "UserOp",
+            hookStatus.capabilities.preIsValidSignature && "Signature"
+          ].filter(Boolean).join(" + ") || "None"
+        );
+        if (hookStatus.forceUninstall.initiated) {
+          info(
+            "Force Uninstall",
+            hookStatus.forceUninstall.canExecute ? "Ready to execute" : `Pending until ${hookStatus.forceUninstall.availableAfter}`
+          );
+        }
+      }
+      if (profile) {
+        console.log("");
+        info("Email", profile.maskedEmail ?? profile.email ?? "Not bound");
+        info("Email Verified", profile.emailVerified ? "Yes" : "No");
+        if (profile.dailyLimitUsdCents !== void 0) {
+          info("Daily Limit", `$${(profile.dailyLimitUsdCents / 100).toFixed(2)}`);
+        }
+      } else if (hookStatus.installed) {
+        console.log("");
+        warn("Security profile not loaded (not yet authenticated or email not bound).");
+      }
+    } catch (err) {
+      handleSecurityError(err);
+    }
+  });
+  const twofa = security.command("2fa").description("Install/uninstall SecurityHook (2FA)");
+  twofa.command("install").description("Install SecurityHook on current account").option(
+    "--capability <flags>",
+    "Capability flags: 1=SIGNATURE_ONLY, 2=USER_OP_ONLY, 3=BOTH",
+    String(DEFAULT_CAPABILITY)
+  ).action(async (opts) => {
+    try {
+      const { account, chainConfig, hookService } = initSecurityContext(ctx);
+      await ctx.sdk.initForChain(chainConfig);
+      const spinner = ora5("Checking hook status...").start();
+      const currentStatus = await hookService.getHookStatus(account.address, account.chainId);
+      spinner.stop();
+      if (currentStatus.installed) {
+        warn("SecurityHook is already installed on this account.");
+        return;
+      }
+      const hookAddress = SECURITY_HOOK_ADDRESS_MAP[account.chainId];
+      if (!hookAddress) {
+        throw new SecurityError(ERR_INTERNAL2, `SecurityHook not deployed on chain ${account.chainId}.`);
+      }
+      const capabilityFlags = Number(opts.capability);
+      if (![1, 2, 3].includes(capabilityFlags)) {
+        throw new SecurityError(ERR_INTERNAL2, "Invalid capability flags. Use 1, 2, or 3.");
+      }
+      heading("Install SecurityHook");
+      info("Account", `${account.alias} (${address(account.address)})`);
+      info("Hook Address", address(hookAddress));
+      info("Capability", CAPABILITY_LABELS[capabilityFlags]);
+      info("Safety Delay", `${DEFAULT_SAFETY_DELAY}s`);
+      const confirmed = await askConfirm("Proceed with hook installation?");
+      if (!confirmed) {
+        warn("Cancelled.");
+        return;
+      }
+      const installTx = encodeInstallHook(account.address, hookAddress, DEFAULT_SAFETY_DELAY, capabilityFlags);
+      const buildSpinner = ora5("Building UserOp...").start();
+      try {
+        const userOp = await buildUserOp2(ctx, chainConfig, account, [installTx], buildSpinner);
+        await signAndSend(ctx, chainConfig, userOp, buildSpinner);
+        success("SecurityHook installed successfully!");
+      } catch (innerErr) {
+        buildSpinner.stop();
+        throw innerErr;
+      }
+    } catch (err) {
+      handleSecurityError(err);
+    }
+  });
+  twofa.command("uninstall").description("Uninstall SecurityHook from current account").option("--force", "Start force-uninstall countdown (bypass hook signature)").option("--execute", "Execute force-uninstall after safety delay has elapsed").action(async (opts) => {
+    try {
+      const { account, chainConfig, hookService } = initSecurityContext(ctx);
+      await ctx.sdk.initForChain(chainConfig);
+      const spinner = ora5("Checking hook status...").start();
+      const currentStatus = await hookService.getHookStatus(account.address, account.chainId);
+      spinner.stop();
+      if (!currentStatus.installed) {
+        warn("SecurityHook is not installed on this account.");
+        return;
+      }
+      const hookAddress = currentStatus.hookAddress;
+      if (opts.force && opts.execute) {
+        await handleForceExecute(ctx, chainConfig, account, currentStatus);
+      } else if (opts.force) {
+        await handleForceStart(ctx, chainConfig, account, currentStatus, hookAddress);
+      } else {
+        await handleNormalUninstall(ctx, chainConfig, account, hookService, hookAddress);
+      }
+    } catch (err) {
+      handleSecurityError(err);
+    }
+  });
+  const email = security.command("email").description("Manage security email for OTP");
+  email.command("bind").description("Bind an email address for OTP delivery").argument("<email>", "Email address to bind").action(async (emailAddr) => {
+    try {
+      const { account, chainConfig, hookService } = initSecurityContext(ctx);
+      await ctx.sdk.initForChain(chainConfig);
+      const spinner = ora5("Requesting email binding...").start();
+      let bindingResult;
+      try {
+        bindingResult = await hookService.requestEmailBinding(account.address, account.chainId, emailAddr);
+      } catch (err) {
+        spinner.stop();
+        throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(err.message));
+      }
+      spinner.stop();
+      info("OTP sent to", bindingResult.maskedEmail);
+      info("Expires at", bindingResult.otpExpiresAt);
+      const otpCode = await askInput("Enter the 6-digit OTP code:");
+      const confirmSpinner = ora5("Confirming email binding...").start();
+      try {
+        const profile = await hookService.confirmEmailBinding(
+          account.address,
+          account.chainId,
+          bindingResult.bindingId,
+          otpCode.trim()
+        );
+        confirmSpinner.stop();
+        success("Email bound successfully!");
+        info("Email", profile.maskedEmail ?? profile.email ?? emailAddr);
+        info("Verified", profile.emailVerified ? "Yes" : "No");
+      } catch (err) {
+        confirmSpinner.stop();
+        throw new SecurityError(
+          ERR_OTP_VERIFY_FAILED,
+          `OTP verification failed: ${sanitizeErrorMessage(err.message)}`
+        );
+      }
+    } catch (err) {
+      handleSecurityError(err);
+    }
+  });
+  email.command("change").description("Change bound email address").argument("<email>", "New email address").action(async (emailAddr) => {
+    try {
+      const { account, chainConfig, hookService } = initSecurityContext(ctx);
+      await ctx.sdk.initForChain(chainConfig);
+      const spinner = ora5("Requesting email change...").start();
+      let bindingResult;
+      try {
+        bindingResult = await hookService.changeWalletEmail(account.address, account.chainId, emailAddr);
+      } catch (err) {
+        spinner.stop();
+        throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(err.message));
+      }
+      spinner.stop();
+      info("OTP sent to", bindingResult.maskedEmail);
+      const otpCode = await askInput("Enter the 6-digit OTP code:");
+      const confirmSpinner = ora5("Confirming email change...").start();
+      try {
+        const profile = await hookService.confirmEmailBinding(
+          account.address,
+          account.chainId,
+          bindingResult.bindingId,
+          otpCode.trim()
+        );
+        confirmSpinner.stop();
+        success("Email changed successfully!");
+        info("Email", profile.maskedEmail ?? profile.email ?? emailAddr);
+      } catch (err) {
+        confirmSpinner.stop();
+        throw new SecurityError(
+          ERR_OTP_VERIFY_FAILED,
+          `OTP verification failed: ${sanitizeErrorMessage(err.message)}`
+        );
+      }
+    } catch (err) {
+      handleSecurityError(err);
+    }
+  });
+  security.command("spending-limit").description("View or set daily spending limit (USD)").argument("[amount]", 'Daily limit in USD (e.g. "100" for $100). Omit to view current limit.').action(async (amountStr) => {
+    try {
+      const { account, chainConfig, hookService } = initSecurityContext(ctx);
+      await ctx.sdk.initForChain(chainConfig);
+      if (!amountStr) {
+        await showSpendingLimit(hookService, account);
+      } else {
+        await setSpendingLimit(hookService, account, amountStr);
+      }
+    } catch (err) {
+      handleSecurityError(err);
+    }
+  });
+}
+async function handleForceExecute(ctx, chainConfig, account, currentStatus) {
+  if (!currentStatus.forceUninstall.initiated) {
+    throw new SecurityError(
+      ERR_SAFETY_DELAY,
+      "Force-uninstall not initiated. Run `security 2fa uninstall --force` first."
+    );
+  }
+  if (!currentStatus.forceUninstall.canExecute) {
+    throw new SecurityError(
+      ERR_SAFETY_DELAY,
+      `Safety delay not elapsed. Available after ${currentStatus.forceUninstall.availableAfter}.`
+    );
+  }
+  heading("Execute Force Uninstall");
+  info("Account", `${account.alias} (${address(account.address)})`);
+  const confirmed = await askConfirm("Execute force uninstall? This will remove the SecurityHook.");
+  if (!confirmed) {
+    warn("Cancelled.");
+    return;
+  }
+  const uninstallTx = encodeUninstallHook(account.address, currentStatus.hookAddress);
+  const spinner = ora5("Executing force uninstall...").start();
+  try {
+    const userOp = await buildUserOp2(ctx, chainConfig, account, [uninstallTx], spinner);
+    await signAndSend(ctx, chainConfig, userOp, spinner);
+  } catch (err) {
+    spinner.stop();
+    throw err;
+  }
+}
+async function handleForceStart(ctx, chainConfig, account, currentStatus, hookAddress) {
+  if (currentStatus.forceUninstall.initiated) {
+    if (currentStatus.forceUninstall.canExecute) {
+      info("Force Uninstall", "Ready to execute. Run `security 2fa uninstall --force --execute`.");
+    } else {
+      info(
+        "Force Uninstall",
+        `Already initiated. Available after ${currentStatus.forceUninstall.availableAfter}.`
+      );
+    }
+    return;
+  }
+  heading("Start Force Uninstall");
+  info("Account", `${account.alias} (${address(account.address)})`);
+  warn(`After starting, you must wait the safety delay (${DEFAULT_SAFETY_DELAY}s) before executing.`);
+  const confirmed = await askConfirm("Start force-uninstall countdown?");
+  if (!confirmed) {
+    warn("Cancelled.");
+    return;
+  }
+  const preUninstallTx = encodeForcePreUninstall(hookAddress);
+  const spinner = ora5("Starting force-uninstall countdown...").start();
+  try {
+    const userOp = await buildUserOp2(ctx, chainConfig, account, [preUninstallTx], spinner);
+    await signAndSend(ctx, chainConfig, userOp, spinner);
+  } catch (err) {
+    spinner.stop();
+    throw err;
+  }
+}
+async function handleNormalUninstall(ctx, chainConfig, account, hookService, hookAddress) {
+  heading("Uninstall SecurityHook");
+  info("Account", `${account.alias} (${address(account.address)})`);
+  const confirmed = await askConfirm("Proceed with hook uninstall? (requires 2FA approval)");
+  if (!confirmed) {
+    warn("Cancelled.");
+    return;
+  }
+  const uninstallTx = encodeUninstallHook(account.address, hookAddress);
+  const spinner = ora5("Building UserOp...").start();
+  try {
+    const userOp = await buildUserOp2(ctx, chainConfig, account, [uninstallTx], spinner);
+    await signWithHookAndSend(ctx, chainConfig, account, hookService, userOp, spinner);
+  } catch (err) {
+    spinner.stop();
+    throw err;
+  }
+}
+async function showSpendingLimit(hookService, account) {
+  const spinner = ora5("Loading security profile...").start();
+  let profile;
+  try {
+    profile = await hookService.loadSecurityProfile(account.address, account.chainId);
+  } catch (err) {
+    spinner.stop();
+    throw err;
+  }
+  spinner.stop();
+  if (!profile) {
+    warn("No security profile found. Bind an email first: `elytro security email bind <email>`.");
+    return;
+  }
+  heading("Spending Limit");
+  info(
+    "Daily Limit",
+    profile.dailyLimitUsdCents !== void 0 ? `$${(profile.dailyLimitUsdCents / 100).toFixed(2)}` : "Not set"
+  );
+  info("Email", profile.maskedEmail ?? "Not bound");
+}
+async function setSpendingLimit(hookService, account, amountStr) {
+  const amountUsd = parseFloat(amountStr);
+  if (isNaN(amountUsd) || amountUsd < 0) {
+    throw new SecurityError(ERR_INTERNAL2, "Invalid amount. Provide a positive number in USD.");
+  }
+  const dailyLimitUsdCents = Math.round(amountUsd * 100);
+  heading("Set Daily Spending Limit");
+  info("New Limit", `$${amountUsd.toFixed(2)}`);
+  const spinner = ora5("Requesting OTP for limit change...").start();
+  let otpResult;
+  try {
+    otpResult = await hookService.requestDailyLimitOtp(account.address, account.chainId, dailyLimitUsdCents);
+  } catch (err) {
+    spinner.stop();
+    const msg = err.message ?? "";
+    if (msg.includes("EMAIL") || msg.includes("email") || msg.includes("NOT_FOUND")) {
+      throw new SecurityError(ERR_EMAIL_NOT_BOUND, "Email not bound. Run `elytro security email bind <email>` first.");
+    }
+    throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(msg));
+  }
+  spinner.stop();
+  info("OTP sent to", otpResult.maskedEmail);
+  const otpCode = await askInput("Enter the 6-digit OTP code:");
+  const setSpinner = ora5("Setting daily limit...").start();
+  try {
+    await hookService.setDailyLimit(account.address, account.chainId, dailyLimitUsdCents, otpCode.trim());
+    setSpinner.stop();
+    success(`Daily limit set to $${amountUsd.toFixed(2)}.`);
+  } catch (err) {
+    setSpinner.stop();
+    throw new SecurityError(
+      ERR_OTP_VERIFY_FAILED,
+      `Failed to set limit: ${sanitizeErrorMessage(err.message)}`
+    );
+  }
+}
+
+// src/commands/config.ts
+var KEY_MAP = {
+  "alchemy-key": "alchemyKey",
+  "pimlico-key": "pimlicoKey"
+};
+var VALID_KEYS = Object.keys(KEY_MAP);
+function maskKey(value) {
+  if (value.length <= 6) return "***";
+  return value.slice(0, 4) + "***" + value.slice(-4);
+}
+function registerConfigCommand(program2, ctx) {
+  const configCmd = program2.command("config").description("Manage CLI configuration (API keys, RPC endpoints)");
+  configCmd.command("show").description("Show current endpoint configuration").action(() => {
+    heading("Configuration");
+    const keys = ctx.chain.getUserKeys();
+    const hasAlchemy = !!keys.alchemyKey;
+    const hasPimlico = !!keys.pimlicoKey;
+    info("RPC provider", hasAlchemy ? "Alchemy (user-configured)" : "Public (publicnode.com)");
+    info("Bundler provider", hasPimlico ? "Pimlico (user-configured)" : "Public (pimlico.io/public)");
+    if (keys.alchemyKey) {
+      info("Alchemy key", maskKey(keys.alchemyKey));
+    }
+    if (keys.pimlicoKey) {
+      info("Pimlico key", maskKey(keys.pimlicoKey));
+    }
+    console.log("");
+    const chain = ctx.chain.currentChain;
+    info("Current chain", `${chain.name} (${chain.id})`);
+    info("RPC endpoint", maskApiKeys(chain.endpoint));
+    info("Bundler", maskApiKeys(chain.bundler));
+    if (!hasAlchemy || !hasPimlico) {
+      console.log("");
+      warn("Public endpoints have rate limits. Set your own keys for production use:");
+      if (!hasAlchemy) console.log("  elytro config set alchemy-key <YOUR_KEY>");
+      if (!hasPimlico) console.log("  elytro config set pimlico-key <YOUR_KEY>");
+    }
+  });
+  configCmd.command("set <key> <value>").description(`Set an API key (${VALID_KEYS.join(" | ")})`).action(async (key, value) => {
+    const mapped = KEY_MAP[key];
+    if (!mapped) {
+      error(`Unknown key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
+      process.exitCode = 1;
+      return;
+    }
+    await ctx.chain.setUserKey(mapped, value);
+    success(`${key} saved. Endpoints updated.`);
+    const chain = ctx.chain.currentChain;
+    info("RPC endpoint", maskApiKeys(chain.endpoint));
+    info("Bundler", maskApiKeys(chain.bundler));
+  });
+  configCmd.command("remove <key>").description(`Remove an API key and revert to public endpoint (${VALID_KEYS.join(" | ")})`).action(async (key) => {
+    const mapped = KEY_MAP[key];
+    if (!mapped) {
+      error(`Unknown key "${key}". Valid keys: ${VALID_KEYS.join(", ")}`);
+      process.exitCode = 1;
+      return;
+    }
+    await ctx.chain.removeUserKey(mapped);
+    success(`${key} removed. Reverted to public endpoint.`);
+  });
+}
+
+// src/index.ts
+var program = new Command();
+program.name("elytro").description("Elytro \u2014 ERC-4337 Smart Account Wallet CLI").version("0.0.1");
+async function main() {
+  let ctx = null;
+  try {
+    ctx = await createAppContext();
+    registerInitCommand(program, ctx);
+    registerAccountCommand(program, ctx);
+    registerTxCommand(program, ctx);
+    registerQueryCommand(program, ctx);
+    registerSecurityCommand(program, ctx);
+    registerConfigCommand(program, ctx);
+    await program.parseAsync(process.argv);
+  } catch (err) {
+    error(sanitizeErrorMessage(err.message));
+    process.exitCode = 1;
+  } finally {
+    ctx?.keyring.lock();
+  }
+}
+main();