@elytro/cli 0.5.1 → 0.5.3

package/README.md

@@ -1,89 +1,135 @@
 # Elytro CLI
 
-A command-line interface for ERC-4337 smart account wallets. Built for power users and AI Agents managing smart accounts across multiple chains.
+A command-line interface for ERC-4337 smart account wallets. Built for power users and AI agents managing smart accounts across multiple chains.
+
+## Installation
+
+```bash
+npm install -g @elytro/cli
+# or
+bun add -g @elytro/cli
+# or
+pnpm add -g @elytro/cli
+```
 
 ## Quick Start
 
 ```bash
 # Initialize wallet (creates vault + EOA)
-bun dev init
+elytro init
 
-# Create a smart account on Sepolia
-bun dev account create --chain 11155420 --email user@example.com --daily-limit 100
+# Create a smart account on OP Sepolia
+elytro account create --chain 11155420 --email user@example.com --daily-limit 100
 
 # Send a transaction
-bun dev tx send --tx "to:0xRecipient,value:0.1"
+elytro tx send --tx "to:0xRecipient,value:0.1"
 
 # Check balance
-bun dev query balance
+elytro query balance
 ```
 
 ## Key Features
 
 - **Multi-account management** — Create multiple smart accounts per chain with user-friendly aliases
-- **Zero-interaction security** — macOS: vault key stored in Keychain; non-macOS: injected via `ELYTRO_VAULT_SECRET`
+- **Zero-interaction security** — macOS/Linux/Windows: vault key stored in system keychain via `@napi-rs/keyring`; fallback: inject via `ELYTRO_VAULT_SECRET`
 - **Flexible transaction building** — Single transfers, batch operations, contract calls via unified `--tx` syntax
 - **Transaction simulation** — Preview gas, paymaster sponsorship, and balance impact before sending
-- **Cross-chain support** — Manage accounts across Sepolia, OP Sepolia, Arbitrum, and custom networks
-- **Security intents** — Declare email/spending limits at account creation; deployed atomically on activation
+- **Cross-chain support** — Manage accounts across Ethereum, Optimism, Arbitrum, Base, and testnets
+- **SecurityHook (2FA)** — Install on-chain 2FA with email OTP and daily spending limits
+- **Self-updating** — `elytro update` detects your package manager and upgrades in place
+
+## Supported Chains
+
+| Chain            | Chain ID  |
+| ---------------- | --------- |
+| Ethereum         | 1         |
+| Optimism         | 10        |
+| Arbitrum One     | 42161     |
+| Base             | 8453      |
+| Sepolia          | 11155111  |
+| Optimism Sepolia | 11155420  |
+
+Public RPC and bundler endpoints are used by default. Provide your own Alchemy/Pimlico keys for higher rate limits.
 
 ## Architecture
 
 | Component          | Purpose                                          |
 | ------------------ | ------------------------------------------------ |
-| **SecretProvider** | Vault key management (Keychain/env var)          |
+| **SecretProvider** | Vault key management (Keychain / env var)        |
 | **KeyringService** | EOA encryption + decryption (AES-GCM)            |
 | **AccountService** | Smart account lifecycle (CREATE2, multi-account) |
-| **SdkService**     | @elytro/sdk wrapper (UserOp building)            |
+| **SdkService**     | `@elytro/sdk` wrapper (UserOp building)          |
 | **FileStore**      | Persistent state (`~/.elytro/`)                  |
 
-See [docs/architecture.md](docs/architecture.md) for detailed data flow.
-
 ## Security Model
 
-- **No plaintext keys on disk** — vault key stored in macOS Keychain or injected at runtime
+- **No plaintext keys on disk** — vault key stored in system keychain or injected at runtime
 - **AES-GCM encryption** — all private keys encrypted with vault key before storage
 - **Consume-once env var** — `ELYTRO_VAULT_SECRET` deleted from process after load
 - **Memory cleanup** — all key buffers zeroed after use
 
-See [docs/security.md](docs/security.md) for threat model.
-
 ## Configuration
 
-| Variable              | Purpose                       | Required       |
-| --------------------- | ----------------------------- | -------------- |
-| `ELYTRO_VAULT_SECRET` | Base64 vault key (non-macOS)  | Yes, non-macOS |
-| `ELYTRO_ALCHEMY_KEY`  | Alchemy RPC endpoint          | For queries    |
-| `ELYTRO_PIMLICO_KEY`  | Bundler + paymaster           | For tx send    |
-| `ELYTRO_ENV`          | `development` or `production` | Optional       |
+| Variable              | Purpose                                   | Required             |
+| --------------------- | ----------------------------------------- | -------------------- |
+| `ELYTRO_VAULT_SECRET` | Base64 vault key (non-keychain platforms) | Yes, if no keychain  |
+| `ELYTRO_ALCHEMY_KEY`  | Alchemy RPC endpoint                      | Optional (rate limit)|
+| `ELYTRO_PIMLICO_KEY`  | Bundler + paymaster                       | Optional (rate limit)|
+| `ELYTRO_ENV`          | `development` or `production`             | Optional             |
 
-Persist API keys: `bun dev config set alchemy-key <key>`
+Persist API keys:
+```bash
+elytro config set alchemy-key <key>
+elytro config set pimlico-key <key>
+```
 
 ## Commands
 
 ```bash
 # Account Management
-bun dev account create --chain 11155420 [--alias name] [--email addr] [--daily-limit amount]
-bun dev account list [alias|address]
-bun dev account info [alias|address]
-bun dev account switch [alias|address]
-bun dev account activate [alias|address]  # Deploy to chain
+elytro account create --chain <chainId> [--alias name] [--email addr] [--daily-limit amount]
+elytro account list [alias|address]
+elytro account info [alias|address]
+elytro account switch [alias|address]
+elytro account activate [alias|address]   # Deploy to chain
 
 # Transactions
-bun dev tx send --tx "to:0xAddr,value:0.1" [--tx ...]
-bun dev tx build --tx "to:0xAddr,data:0xab..."
-bun dev tx simulate --tx "to:0xAddr,value:0.1"
+elytro tx send --tx "to:0xAddr,value:0.1" [--tx ...]
+elytro tx build --tx "to:0xAddr,data:0xab..."
+elytro tx simulate --tx "to:0xAddr,value:0.1"
 
 # Queries
-bun dev query balance [account] [--token erc20Addr]
-bun dev query tokens [account]
-bun dev query tx <hash>
-bun dev query chain
-bun dev query address <address>
+elytro query balance [account] [--token erc20Addr]
+elytro query tokens [account]
+elytro query tx <hash>
+elytro query chain
+elytro query address <address>
+
+# Security (2FA + spending limits)
+elytro security status
+elytro security 2fa install [--capability 1|2|3]
+elytro security 2fa uninstall
+elytro security 2fa uninstall --force           # Start safety-delay countdown
+elytro security 2fa uninstall --force --execute # Execute after delay
+elytro security email bind <email>
+elytro security email change <email>
+elytro security spending-limit [amount]         # View or set daily USD limit
+
+# Updates
+elytro update              # Check and upgrade to latest
+elytro update check        # Check without installing
+
+# Config
+elytro config set <key> <value>
+elytro config get <key>
+elytro config list
 ```
 
 ## Development
 
 ```bash
-
+bun install
+bun dev <command>      # Run from source
+bun run build          # Build to dist/
+bun run test           # Smoke tests
 ```

package/dist/index.js

@@ -233,9 +233,9 @@ var FileStore = class {
     return join(this.root, `${key}.json`);
   }
   async load(key) {
-    const path = this.filePath(key);
+    const path2 = this.filePath(key);
     try {
-      const raw = await readFile(path, "utf-8");
+      const raw = await readFile(path2, "utf-8");
       return JSON.parse(raw);
     } catch (err) {
       if (err.code === "ENOENT") {
@@ -245,15 +245,15 @@ var FileStore = class {
     }
   }
   async save(key, data) {
-    const path = this.filePath(key);
-    await mkdir(dirname(path), { recursive: true });
-    await writeFile(path, JSON.stringify(data, null, 2), "utf-8");
+    const path2 = this.filePath(key);
+    await mkdir(dirname(path2), { recursive: true });
+    await writeFile(path2, JSON.stringify(data, null, 2), "utf-8");
   }
   async remove(key) {
-    const { unlink } = await import("fs/promises");
-    const path = this.filePath(key);
+    const { unlink: unlink2 } = await import("fs/promises");
+    const path2 = this.filePath(key);
     try {
-      await unlink(path);
+      await unlink2(path2);
     } catch (err) {
       if (err.code !== "ENOENT") {
         throw err;
@@ -261,9 +261,9 @@ var FileStore = class {
     }
   }
   async exists(key) {
-    const path = this.filePath(key);
+    const path2 = this.filePath(key);
     try {
-      await access(path);
+      await access(path2);
       return true;
     } catch {
       return false;
@@ -1444,6 +1444,27 @@ var AccountService = class {
     await this.persist();
     return account;
   }
+  // ─── Rename ───────────────────────────────────────────────────────
+  /**
+   * Rename an account's alias.
+   * @param aliasOrAddress - Current alias or address to identify the account.
+   * @param newAlias       - The new alias. Must be unique.
+   */
+  async renameAccount(aliasOrAddress, newAlias) {
+    const account = this.resolveAccount(aliasOrAddress);
+    if (!account) {
+      throw new Error(`Account "${aliasOrAddress}" not found.`);
+    }
+    const conflict = this.state.accounts.find(
+      (a) => a.alias.toLowerCase() === newAlias.toLowerCase() && a.address !== account.address
+    );
+    if (conflict) {
+      throw new Error(`Alias "${newAlias}" is already taken by ${conflict.address}.`);
+    }
+    account.alias = newAlias;
+    await this.persist();
+    return account;
+  }
   // ─── Activation ───────────────────────────────────────────────────
   /**
    * Mark an account as deployed on-chain.
@@ -2037,15 +2058,17 @@ var SecurityHookService = class {
         if (result.errors && result.errors.length > 0) {
           const ext = result.errors[0].extensions;
           if (ext) {
+            const challengeDetails = typeof ext.challenge === "object" && ext.challenge !== null ? ext.challenge : void 0;
+            const getChallengeValue = (key) => ext[key] ?? (challengeDetails ? challengeDetails[key] : void 0);
             return {
               error: {
                 code: ext.code,
-                challengeId: ext.challengeId,
-                currentSpendUsdCents: ext.currentSpendUsdCents,
-                dailyLimitUsdCents: ext.dailyLimitUsdCents,
-                maskedEmail: ext.maskedEmail,
-                otpExpiresAt: ext.otpExpiresAt,
-                projectedSpendUsdCents: ext.projectedSpendUsdCents,
+                challengeId: getChallengeValue("challengeId"),
+                currentSpendUsdCents: ext.currentSpendUsdCents ?? getChallengeValue("currentSpendUsdCents"),
+                dailyLimitUsdCents: ext.dailyLimitUsdCents ?? getChallengeValue("dailyLimitUsdCents"),
+                maskedEmail: ext.maskedEmail ?? getChallengeValue("maskedEmail"),
+                otpExpiresAt: ext.otpExpiresAt ?? getChallengeValue("otpExpiresAt"),
+                projectedSpendUsdCents: ext.projectedSpendUsdCents ?? getChallengeValue("projectedSpendUsdCents"),
                 message: result.errors[0].message
               }
             };
@@ -2057,15 +2080,17 @@ var SecurityHookService = class {
         if (err instanceof GraphQLClientError && err.errors?.length) {
           const ext = err.errors[0].extensions;
           if (ext?.code) {
+            const challengeDetails = typeof ext.challenge === "object" && ext.challenge !== null ? ext.challenge : void 0;
+            const getChallengeValue = (key) => ext[key] ?? (challengeDetails ? challengeDetails[key] : void 0);
             return {
               error: {
                 code: ext.code,
-                challengeId: ext.challengeId,
-                currentSpendUsdCents: ext.currentSpendUsdCents,
-                dailyLimitUsdCents: ext.dailyLimitUsdCents,
-                maskedEmail: ext.maskedEmail,
-                otpExpiresAt: ext.otpExpiresAt,
-                projectedSpendUsdCents: ext.projectedSpendUsdCents,
+                challengeId: getChallengeValue("challengeId"),
+                currentSpendUsdCents: ext.currentSpendUsdCents ?? getChallengeValue("currentSpendUsdCents"),
+                dailyLimitUsdCents: ext.dailyLimitUsdCents ?? getChallengeValue("dailyLimitUsdCents"),
+                maskedEmail: ext.maskedEmail ?? getChallengeValue("maskedEmail"),
+                otpExpiresAt: ext.otpExpiresAt ?? getChallengeValue("otpExpiresAt"),
+                projectedSpendUsdCents: ext.projectedSpendUsdCents ?? getChallengeValue("projectedSpendUsdCents"),
                 message: err.errors[0].message
               }
             };
@@ -2151,120 +2176,227 @@ var SecurityHookService = class {
   }
 };
 
-// src/providers/keychainProvider.ts
-import { execFile } from "child_process";
-import { promisify } from "util";
-var execFileAsync = promisify(execFile);
-var KeychainProvider = class {
-  name = "macos-keychain";
+// src/providers/keyringProvider.ts
+import { Entry } from "@napi-rs/keyring";
+var KeyringProvider = class {
+  name;
   service = "elytro-wallet";
   account = "vault-key";
+  constructor() {
+    const platform = process.platform;
+    if (platform === "darwin") this.name = "macos-keychain";
+    else if (platform === "win32") this.name = "windows-credential-manager";
+    else this.name = "linux-secret-service";
+  }
   async available() {
-    if (process.platform !== "darwin") return false;
     try {
-      await execFileAsync("security", ["help"], { timeout: 5e3 });
+      const entry = new Entry(this.service, this.account);
+      entry.getSecret();
       return true;
-    } catch {
-      return process.platform === "darwin";
+    } catch (err) {
+      const msg = err.message || "";
+      if (isNotFoundError(msg)) return true;
+      return false;
     }
   }
   async store(secret) {
     validateKeyLength(secret);
+    try {
+      const entry = new Entry(this.service, this.account);
+      entry.setSecret(Buffer.from(secret));
+    } catch (err) {
+      throw new Error(`Failed to store vault key in OS credential store: ${err.message}`);
+    }
+  }
+  async load() {
+    try {
+      const entry = new Entry(this.service, this.account);
+      const raw = entry.getSecret();
+      if (!raw || raw.length === 0) return null;
+      const key = new Uint8Array(raw);
+      if (key.length !== 32) {
+        throw new Error(
+          `OS credential store returned vault key with invalid length: expected 32 bytes, got ${key.length}.`
+        );
+      }
+      return key;
+    } catch (err) {
+      const msg = err.message || "";
+      if (isNotFoundError(msg)) return null;
+      throw new Error(`Failed to load vault key from OS credential store: ${msg}`);
+    }
+  }
+  async delete() {
+    try {
+      const entry = new Entry(this.service, this.account);
+      entry.deleteCredential();
+    } catch {
+    }
+  }
+};
+function isNotFoundError(msg) {
+  const lower = msg.toLowerCase();
+  return lower.includes("not found") || lower.includes("no matching") || lower.includes("no such") || lower.includes("itemnotfound") || lower.includes("element not found") || // Windows
+  lower.includes("no result") || lower.includes("no password");
+}
+function validateKeyLength(key) {
+  if (key.length !== 32) {
+    throw new Error(`Invalid vault key: expected 32 bytes, got ${key.length}.`);
+  }
+}
+
+// src/providers/fileProvider.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+import { constants } from "fs";
+var FileProvider = class {
+  name = "file-protected";
+  keyPath;
+  /**
+   * @param dataDir — the ~/.elytro/ directory path (from FileStore.dataDir).
+   *                   Defaults to ~/.elytro if not provided.
+   */
+  constructor(dataDir) {
+    const base = dataDir ?? path.join(process.env.HOME || "~", ".elytro");
+    this.keyPath = path.join(base, ".vault-key");
+  }
+  /**
+   * FileProvider is always technically available on any OS (filesystem always exists).
+   * But it should only be used on Linux when the KeyringProvider is not available.
+   * The resolution logic in resolveProvider handles this gating — FileProvider
+   * itself does not restrict by platform.
+   */
+  async available() {
+    try {
+      await fs.access(this.keyPath, constants.R_OK);
+      return true;
+    } catch {
+      try {
+        await fs.access(path.dirname(this.keyPath), constants.W_OK);
+        return true;
+      } catch {
+        return false;
+      }
+    }
+  }
+  async store(secret) {
+    validateKeyLength2(secret);
     const b64 = Buffer.from(secret).toString("base64");
+    const tmpPath = this.keyPath + ".tmp";
     try {
-      await execFileAsync("security", [
-        "add-generic-password",
-        "-U",
-        "-s",
-        this.service,
-        "-a",
-        this.account,
-        "-w",
-        b64
-      ]);
+      await fs.writeFile(tmpPath, b64, { encoding: "utf-8", mode: 384 });
+      await fs.rename(tmpPath, this.keyPath);
+      await fs.chmod(this.keyPath, 384);
     } catch (err) {
-      throw new Error(`Failed to store vault key in Keychain: ${err.message}`);
+      try {
+        await fs.unlink(tmpPath);
+      } catch {
+      }
+      throw new Error(`Failed to store vault key to file: ${err.message}`);
     }
   }
   async load() {
     try {
-      const { stdout } = await execFileAsync("security", [
-        "find-generic-password",
-        "-s",
-        this.service,
-        "-a",
-        this.account,
-        "-w"
-      ]);
-      const trimmed = stdout.trim();
+      const stat2 = await fs.stat(this.keyPath);
+      const mode = stat2.mode & 511;
+      if (mode !== 384) {
+        throw new Error(
+          `Vault key file has insecure permissions: ${modeToOctal(mode)} (expected 0600).
+Fix with: chmod 600 ${this.keyPath}
+Refusing to load until permissions are corrected.`
+        );
+      }
+      const raw = await fs.readFile(this.keyPath, "utf-8");
+      const trimmed = raw.trim();
       if (!trimmed) return null;
       const key = Buffer.from(trimmed, "base64");
       if (key.length !== 32) {
-        throw new Error(`Keychain vault key has invalid length: expected 32 bytes, got ${key.length}.`);
+        throw new Error(
+          `Vault key file has invalid content: expected 32 bytes (base64), got ${key.length}.`
+        );
       }
       return new Uint8Array(key);
     } catch (err) {
       const msg = err.message || "";
-      if (msg.includes("could not be found") || msg.includes("SecKeychainSearchCopyNext")) {
-        return null;
-      }
-      throw new Error(`Failed to load vault key from Keychain: ${msg}`);
+      if (msg.includes("ENOENT")) return null;
+      throw err;
     }
   }
   async delete() {
     try {
-      await execFileAsync("security", ["delete-generic-password", "-s", this.service, "-a", this.account]);
+      await fs.unlink(this.keyPath);
     } catch {
     }
   }
 };
-function validateKeyLength(key) {
+function validateKeyLength2(key) {
   if (key.length !== 32) {
     throw new Error(`Invalid vault key: expected 32 bytes, got ${key.length}.`);
   }
 }
+function modeToOctal(mode) {
+  return "0" + mode.toString(8);
+}
 
 // src/providers/envVarProvider.ts
 var ENV_KEY = "ELYTRO_VAULT_SECRET";
+var ENV_ALLOW = "ELYTRO_ALLOW_ENV";
 var EnvVarProvider = class {
   name = "env-var";
   async available() {
-    return !!process.env[ENV_KEY];
+    return !!process.env[ENV_KEY] && process.env[ENV_ALLOW] === "1";
   }
   async store(_secret) {
     throw new Error(
-      "EnvVarProvider is read-only. Cannot store vault key in an environment variable. Use a persistent provider (macOS Keychain) or store the secret manually."
+      "EnvVarProvider is read-only. Cannot store vault key in an environment variable.\nUse a persistent provider (OS keychain or file-protected) or store the secret manually."
     );
   }
   async load() {
+    if (process.env[ENV_ALLOW] !== "1") return null;
     const raw = process.env[ENV_KEY];
     if (!raw) return null;
     delete process.env[ENV_KEY];
+    delete process.env[ENV_ALLOW];
     const key = Buffer.from(raw, "base64");
     if (key.length !== 32) {
       throw new Error(
-        `${ENV_KEY} has invalid length: expected 32 bytes (base64), got ${key.length}. The value must be a base64-encoded 256-bit key.`
+        `${ENV_KEY} has invalid length: expected 32 bytes (base64), got ${key.length}.
+The value must be a base64-encoded 256-bit key.`
       );
     }
     return new Uint8Array(key);
   }
   async delete() {
     delete process.env[ENV_KEY];
+    delete process.env[ENV_ALLOW];
   }
 };
 
 // src/providers/resolveProvider.ts
 async function resolveProvider() {
-  const keychainProvider = new KeychainProvider();
+  const keyringProvider = new KeyringProvider();
+  const fileProvider = new FileProvider();
   const envProvider = new EnvVarProvider();
-  const initProvider = await keychainProvider.available() ? keychainProvider : null;
-  let loadProvider = null;
-  if (await keychainProvider.available()) {
-    loadProvider = keychainProvider;
-  } else if (await envProvider.available()) {
-    loadProvider = envProvider;
-  }
-  return { initProvider, loadProvider };
+  if (await keyringProvider.available()) {
+    return {
+      initProvider: keyringProvider,
+      loadProvider: keyringProvider
+    };
+  }
+  if (process.platform === "linux" && await fileProvider.available()) {
+    return {
+      initProvider: fileProvider,
+      loadProvider: fileProvider
+    };
+  }
+  if (await envProvider.available()) {
+    return {
+      initProvider: null,
+      // Cannot store via env var
+      loadProvider: envProvider
+    };
+  }
+  return { initProvider: null, loadProvider: null };
 }
 
 // src/context.ts
@@ -2284,14 +2416,15 @@ async function createAppContext() {
   if (isInitialized) {
     if (!loadProvider) {
       throw new Error(
-        "Wallet is initialized but no secret provider is available.\n" + (process.platform === "darwin" ? "Keychain access failed. Check macOS Keychain permissions." : "Set the ELYTRO_VAULT_SECRET environment variable.")
+        "Wallet is initialized but no secret provider is available.\n" + noProviderHint()
       );
     }
     const vaultKey = await loadProvider.load();
     if (!vaultKey) {
       throw new Error(
         `Wallet is initialized but vault key not found in ${loadProvider.name}.
-` + (process.platform === "darwin" ? "The Keychain item may have been deleted. Re-run `elytro init` to create a new wallet,\nor import a backup with `elytro import`." : "Set ELYTRO_VAULT_SECRET to the base64-encoded vault key.")
+The credential may have been deleted. Re-run \`elytro init\` to create a new wallet,
+or import a backup with \`elytro import\`.`
       );
     }
     try {
@@ -2326,6 +2459,16 @@ The vault key may not match the encrypted keyring. Re-run \`elytro init\` or imp
   }
   return { store, keyring, chain, sdk, walletClient, account, secretProvider: loadProvider };
 }
+function noProviderHint() {
+  switch (process.platform) {
+    case "darwin":
+      return "macOS Keychain access failed. Check Keychain permissions or security settings.";
+    case "win32":
+      return "Windows Credential Manager access failed. Run as the same user who initialized the wallet.";
+    default:
+      return "No secret provider available. Options:\n  1. Install and start a Secret Service provider (GNOME Keyring or KWallet)\n  2. The vault key file (~/.elytro/.vault-key) may have been deleted\n  3. For CI: set ELYTRO_VAULT_SECRET and ELYTRO_ALLOW_ENV=1";
+  }
+}
 
 // src/commands/init.ts
 import { webcrypto as webcrypto2 } from "crypto";
@@ -2396,7 +2539,9 @@ function registerInitCommand(program2, ctx) {
         dataDir: ctx.store.dataDir,
         secretProvider: providerName,
         ...vaultSecretB64 ? { vaultSecret: vaultSecretB64 } : {},
-        ...vaultSecretB64 ? { hint: "Save ELYTRO_VAULT_SECRET \u2014 it will NOT be shown again." } : {},
+        ...vaultSecretB64 ? {
+          hint: "No persistent secret provider available. Save this vault key securely \u2014 it will NOT be shown again.\nFor CI: set ELYTRO_VAULT_SECRET=<key> and ELYTRO_ALLOW_ENV=1."
+        } : {},
         nextStep: "Run `elytro account create --chain <chainId>` to create your first smart account."
       });
     } catch (err) {
@@ -2473,6 +2618,14 @@ function registerAccountCommand(program2, ctx) {
       outputError(ERR_INVALID_PARAMS, "Invalid chain ID.", { chain: opts.chain });
       return;
     }
+    const chainConfig = ctx.chain.chains.find((c) => c.id === chainId);
+    if (!chainConfig) {
+      const supported = ctx.chain.chains.map((c) => `${c.id} (${c.name})`);
+      outputError(ERR_INVALID_PARAMS, `Chain ${chainId} is not supported.`, {
+        supportedChains: supported
+      });
+      return;
+    }
     let dailyLimitUsd;
     if (opts.dailyLimit !== void 0) {
       dailyLimitUsd = parseFloat(opts.dailyLimit);
@@ -2487,12 +2640,9 @@ function registerAccountCommand(program2, ctx) {
     } : void 0;
     const spinner = ora2("Creating smart account...").start();
     try {
-      const chainConfig = ctx.chain.chains.find((c) => c.id === chainId);
-      const chainName = chainConfig?.name ?? String(chainId);
-      if (chainConfig) {
-        await ctx.sdk.initForChain(chainConfig);
-        ctx.walletClient.initForChain(chainConfig);
-      }
+      const chainName = chainConfig.name;
+      await ctx.sdk.initForChain(chainConfig);
+      ctx.walletClient.initForChain(chainConfig);
       const accountInfo = await ctx.account.createAccount(chainId, opts.alias, securityIntent);
       spinner.text = "Registering with backend...";
       const { guardianHash, guardianSafePeriod } = ctx.sdk.initDefaults;
@@ -2748,6 +2898,20 @@ function registerAccountCommand(program2, ctx) {
       outputError(ERR_INTERNAL, err.message);
     }
   });
+  account.command("rename").description("Rename an account alias").argument("<account>", "Current alias or address").argument("<newAlias>", "New alias").action(async (target, newAlias) => {
+    try {
+      const renamed = await ctx.account.renameAccount(target, newAlias);
+      const chainConfig = ctx.chain.chains.find((c) => c.id === renamed.chainId);
+      outputResult({
+        alias: renamed.alias,
+        address: renamed.address,
+        chain: chainConfig?.name ?? String(renamed.chainId),
+        chainId: renamed.chainId
+      });
+    } catch (err) {
+      outputError(ERR_INTERNAL, err.message);
+    }
+  });
   account.command("switch").description("Switch the active account").argument("[account]", "Alias or address").action(async (target) => {
     const accounts = ctx.account.allAccounts;
     if (accounts.length === 0) {
@@ -3067,10 +3231,38 @@ function registerTxCommand(program2, ctx) {
                 spinner.stop();
                 const errCode = hookResult.error.code;
                 if (errCode === "OTP_REQUIRED" || errCode === "SPENDING_LIMIT_EXCEEDED") {
+                  if (!hookResult.error.challengeId) {
+                    const otpRequestSpinner = ora3("Requesting OTP challenge...").start();
+                    try {
+                      const otpChallenge = await hookService.requestSecurityOtp(
+                        accountInfo.address,
+                        accountInfo.chainId,
+                        ctx.sdk.entryPoint,
+                        userOp
+                      );
+                      hookResult.error.challengeId = otpChallenge.challengeId;
+                      hookResult.error.maskedEmail ??= otpChallenge.maskedEmail;
+                      hookResult.error.otpExpiresAt ??= otpChallenge.otpExpiresAt;
+                      otpRequestSpinner.stop();
+                    } catch (otpErr) {
+                      otpRequestSpinner.fail("Failed to request OTP challenge.");
+                      throw new TxError(
+                        ERR_SEND_FAILED2,
+                        `Unable to request OTP challenge: ${otpErr.message}`
+                      );
+                    }
+                  }
+                  if (!hookResult.error.challengeId) {
+                    throw new TxError(
+                      ERR_SEND_FAILED2,
+                      "OTP challenge ID was not provided by Elytro API. Please try again."
+                    );
+                  }
                   console.error(JSON.stringify({
                     challenge: errCode,
                     message: hookResult.error.message ?? `Verification required (${errCode}).`,
                     ...hookResult.error.maskedEmail ? { maskedEmail: hookResult.error.maskedEmail } : {},
+                    ...hookResult.error.otpExpiresAt ? { otpExpiresAt: hookResult.error.otpExpiresAt } : {},
                     ...errCode === "SPENDING_LIMIT_EXCEEDED" && hookResult.error.projectedSpendUsdCents !== void 0 ? { projectedSpendUsd: (hookResult.error.projectedSpendUsdCents / 100).toFixed(2), dailyLimitUsd: ((hookResult.error.dailyLimitUsdCents ?? 0) / 100).toFixed(2) } : {}
                   }, null, 2));
                   const otpCode = await askInput("Enter the 6-digit OTP code:");
@@ -4238,7 +4430,7 @@ import { execSync } from "child_process";
 import { createRequire } from "module";
 function resolveVersion() {
   if (true) {
-    return "0.5.1";
+    return "0.5.3";
   }
   try {
     const require2 = createRequire(import.meta.url);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytro/cli",
-  "version": "0.5.1",
+  "version": "0.5.3",
   "description": "Elytro ERC-4337 Smart Account Wallet CLI",
   "type": "module",
   "bin": {
@@ -41,6 +41,7 @@
     "@elytro/abi": "latest",
     "@elytro/sdk": "latest",
     "@inquirer/prompts": "^7.0.0",
+    "@napi-rs/keyring": "^1.2.0",
     "chalk": "^5.3.0",
     "commander": "^13.0.0",
     "graphql": "^16.9.0",