@elytro/cli 0.5.2 → 0.6.0

package/README.md

@@ -1,89 +1,150 @@
 # Elytro CLI
 
-A command-line interface for ERC-4337 smart account wallets. Built for power users and AI Agents managing smart accounts across multiple chains.
+A command-line interface for ERC-4337 smart account wallets. Built for power users and AI agents managing smart accounts across multiple chains.
+
+## Installation
+
+```bash
+npm install -g @elytro/cli
+# or
+bun add -g @elytro/cli
+# or
+pnpm add -g @elytro/cli
+```
 
 ## Quick Start
 
 ```bash
 # Initialize wallet (creates vault + EOA)
-bun dev init
+elytro init
 
-# Create a smart account on Sepolia
-bun dev account create --chain 11155420 --email user@example.com --daily-limit 100
+# Create a smart account on OP Sepolia
+elytro account create --chain 11155420 --email user@example.com --daily-limit 100
 
 # Send a transaction
-bun dev tx send --tx "to:0xRecipient,value:0.1"
+elytro tx send --tx "to:0xRecipient,value:0.1"
 
 # Check balance
-bun dev query balance
+elytro query balance
 ```
 
 ## Key Features
 
 - **Multi-account management** — Create multiple smart accounts per chain with user-friendly aliases
-- **Zero-interaction security** — macOS: vault key stored in Keychain; non-macOS: injected via `ELYTRO_VAULT_SECRET`
+- **Zero-interaction security** — macOS/Linux/Windows: vault key stored in system keychain via `@napi-rs/keyring`; fallback: inject via `ELYTRO_VAULT_SECRET`
 - **Flexible transaction building** — Single transfers, batch operations, contract calls via unified `--tx` syntax
 - **Transaction simulation** — Preview gas, paymaster sponsorship, and balance impact before sending
-- **Cross-chain support** — Manage accounts across Sepolia, OP Sepolia, Arbitrum, and custom networks
-- **Security intents** — Declare email/spending limits at account creation; deployed atomically on activation
+- **Cross-chain support** — Manage accounts across Ethereum, Optimism, Arbitrum, Base, and testnets
+- **SecurityHook (2FA)** — Install on-chain 2FA with email OTP and daily spending limits
+- **Deferred OTP** — Commands that require OTP exit immediately after sending the code; complete later with `elytro otp submit <id> <code>`
+- **Self-updating** — `elytro update` detects your package manager and upgrades in place
+
+## Supported Chains
+
+| Chain            | Chain ID  |
+| ---------------- | --------- |
+| Ethereum         | 1         |
+| Optimism         | 10        |
+| Arbitrum One     | 42161     |
+| Base             | 8453      |
+| Sepolia          | 11155111  |
+| Optimism Sepolia | 11155420  |
+
+Public RPC and bundler endpoints are used by default. Provide your own Alchemy/Pimlico keys for higher rate limits.
 
 ## Architecture
 
 | Component          | Purpose                                          |
 | ------------------ | ------------------------------------------------ |
-| **SecretProvider** | Vault key management (Keychain/env var)          |
+| **SecretProvider** | Vault key management (Keychain / env var)        |
 | **KeyringService** | EOA encryption + decryption (AES-GCM)            |
 | **AccountService** | Smart account lifecycle (CREATE2, multi-account) |
-| **SdkService**     | @elytro/sdk wrapper (UserOp building)            |
+| **SdkService**     | `@elytro/sdk` wrapper (UserOp building)          |
 | **FileStore**      | Persistent state (`~/.elytro/`)                  |
 
-See [docs/architecture.md](docs/architecture.md) for detailed data flow.
-
 ## Security Model
 
-- **No plaintext keys on disk** — vault key stored in macOS Keychain or injected at runtime
+- **No plaintext keys on disk** — vault key stored in system keychain or injected at runtime
 - **AES-GCM encryption** — all private keys encrypted with vault key before storage
 - **Consume-once env var** — `ELYTRO_VAULT_SECRET` deleted from process after load
 - **Memory cleanup** — all key buffers zeroed after use
 
-See [docs/security.md](docs/security.md) for threat model.
-
 ## Configuration
 
-| Variable              | Purpose                       | Required       |
-| --------------------- | ----------------------------- | -------------- |
-| `ELYTRO_VAULT_SECRET` | Base64 vault key (non-macOS)  | Yes, non-macOS |
-| `ELYTRO_ALCHEMY_KEY`  | Alchemy RPC endpoint          | For queries    |
-| `ELYTRO_PIMLICO_KEY`  | Bundler + paymaster           | For tx send    |
-| `ELYTRO_ENV`          | `development` or `production` | Optional       |
+| Variable              | Purpose                                   | Required             |
+| --------------------- | ----------------------------------------- | -------------------- |
+| `ELYTRO_VAULT_SECRET` | Base64 vault key (non-keychain platforms) | Yes, if no keychain  |
+| `ELYTRO_ALCHEMY_KEY`  | Alchemy RPC endpoint                      | Optional (rate limit)|
+| `ELYTRO_PIMLICO_KEY`  | Bundler + paymaster                       | Optional (rate limit)|
+| `ELYTRO_ENV`          | `development` or `production`             | Optional             |
 
-Persist API keys: `bun dev config set alchemy-key <key>`
+Persist API keys:
+```bash
+elytro config set alchemy-key <key>
+elytro config set pimlico-key <key>
+```
 
 ## Commands
 
 ```bash
 # Account Management
-bun dev account create --chain 11155420 [--alias name] [--email addr] [--daily-limit amount]
-bun dev account list [alias|address]
-bun dev account info [alias|address]
-bun dev account switch [alias|address]
-bun dev account activate [alias|address]  # Deploy to chain
+elytro account create --chain <chainId> [--alias name] [--email addr] [--daily-limit amount]
+elytro account list [alias|address]
+elytro account info [alias|address]
+elytro account switch [alias|address]
+elytro account activate [alias|address]   # Deploy to chain
 
 # Transactions
-bun dev tx send --tx "to:0xAddr,value:0.1" [--tx ...]
-bun dev tx build --tx "to:0xAddr,data:0xab..."
-bun dev tx simulate --tx "to:0xAddr,value:0.1"
+elytro tx send --tx "to:0xAddr,value:0.1" [--tx ...]
+elytro tx build --tx "to:0xAddr,data:0xab..."
+elytro tx simulate --tx "to:0xAddr,value:0.1"
 
 # Queries
-bun dev query balance [account] [--token erc20Addr]
-bun dev query tokens [account]
-bun dev query tx <hash>
-bun dev query chain
-bun dev query address <address>
+elytro query balance [account] [--token erc20Addr]
+elytro query tokens [account]
+elytro query tx <hash>
+elytro query chain
+elytro query address <address>
+
+# Security (2FA + spending limits)
+elytro security status
+elytro security 2fa install [--capability 1|2|3]
+elytro security 2fa uninstall
+elytro security 2fa uninstall --force           # Start safety-delay countdown
+elytro security 2fa uninstall --force --execute # Execute after delay
+elytro security email bind <email>
+elytro security email change <email>
+elytro security spending-limit [amount]         # View or set daily USD limit
+
+# OTP (deferred verification)
+elytro otp submit <id> <code>   # Complete a pending OTP verification
+elytro otp cancel [id]          # Cancel pending OTP(s)
+elytro otp list                 # List pending OTPs for current account
+
+# Updates
+elytro update              # Check and upgrade to latest
+elytro update check        # Check without installing
+
+# Config
+elytro config set <key> <value>
+elytro config get <key>
+elytro config list
 ```
 
+## Deferred OTP Flow
+
+When a command requires OTP verification (e.g. `security email bind`, `tx send` with 2FA), the CLI sends the OTP to your email and exits immediately instead of blocking for input. To complete the action:
+
+1. Check your email for the 6-digit code.
+2. Run `elytro otp submit <id> <code>`, where `<id>` is printed in the command output (e.g. `elytro otp submit abc123 654321`).
+
+The `<id>` is returned in the JSON output as `otpPending.id` and in the stderr hint. Use `elytro otp list` to see all pending OTPs for the current account, or `elytro otp cancel [id]` to cancel.
+
 ## Development
 
 ```bash
-
+bun install
+bun dev <command>      # Run from source
+bun run build          # Build to dist/
+bun run test           # Smoke tests
 ```

package/dist/index.js

@@ -2018,9 +2018,10 @@ var SecurityHookService = class {
   }
   /**
    * Verify a security OTP challenge.
+   * @param authSessionIdOverride - If provided, use this session instead of getAuthSession (for deferred OTP resume)
    */
-  async verifySecurityOtp(walletAddress, chainId, challengeId, otpCode) {
-    const sessionId = await this.getAuthSession(walletAddress, chainId);
+  async verifySecurityOtp(walletAddress, chainId, challengeId, otpCode, authSessionIdOverride) {
+    const sessionId = authSessionIdOverride ?? await this.getAuthSession(walletAddress, chainId);
     const result = await this.gqlMutate(GQL_VERIFY_SECURITY_OTP, {
       input: { authSessionId: sessionId, challengeId, otpCode }
     });
@@ -2036,14 +2037,17 @@ var SecurityHookService = class {
    *
    * Handles auth retry automatically.
    */
-  async getHookSignature(walletAddress, chainId, entryPoint, userOp) {
+  /**
+   * @param authSessionIdOverride - If provided, use this session (for deferred OTP resume with session-bound challenge)
+   */
+  async getHookSignature(walletAddress, chainId, entryPoint, userOp, authSessionIdOverride) {
     const op = this.formatUserOpForGraphQL(userOp);
     for (let attempt = 0; attempt <= 1; attempt++) {
       try {
-        if (attempt > 0) {
+        if (attempt > 0 && !authSessionIdOverride) {
           await this.clearAuthSession(walletAddress, chainId);
         }
-        const sessionId = await this.getAuthSession(walletAddress, chainId);
+        const sessionId = authSessionIdOverride ?? await this.getAuthSession(walletAddress, chainId);
         const result = await this.gqlRaw(GQL_AUTHORIZE_USER_OPERATION, {
           input: {
             authSessionId: sessionId,
@@ -2058,15 +2062,17 @@ var SecurityHookService = class {
         if (result.errors && result.errors.length > 0) {
           const ext = result.errors[0].extensions;
           if (ext) {
+            const challengeDetails = typeof ext.challenge === "object" && ext.challenge !== null ? ext.challenge : void 0;
+            const getChallengeValue = (key) => ext[key] ?? (challengeDetails ? challengeDetails[key] : void 0);
             return {
               error: {
                 code: ext.code,
-                challengeId: ext.challengeId,
-                currentSpendUsdCents: ext.currentSpendUsdCents,
-                dailyLimitUsdCents: ext.dailyLimitUsdCents,
-                maskedEmail: ext.maskedEmail,
-                otpExpiresAt: ext.otpExpiresAt,
-                projectedSpendUsdCents: ext.projectedSpendUsdCents,
+                challengeId: getChallengeValue("challengeId"),
+                currentSpendUsdCents: ext.currentSpendUsdCents ?? getChallengeValue("currentSpendUsdCents"),
+                dailyLimitUsdCents: ext.dailyLimitUsdCents ?? getChallengeValue("dailyLimitUsdCents"),
+                maskedEmail: ext.maskedEmail ?? getChallengeValue("maskedEmail"),
+                otpExpiresAt: ext.otpExpiresAt ?? getChallengeValue("otpExpiresAt"),
+                projectedSpendUsdCents: ext.projectedSpendUsdCents ?? getChallengeValue("projectedSpendUsdCents"),
                 message: result.errors[0].message
               }
             };
@@ -2078,15 +2084,17 @@ var SecurityHookService = class {
         if (err instanceof GraphQLClientError && err.errors?.length) {
           const ext = err.errors[0].extensions;
           if (ext?.code) {
+            const challengeDetails = typeof ext.challenge === "object" && ext.challenge !== null ? ext.challenge : void 0;
+            const getChallengeValue = (key) => ext[key] ?? (challengeDetails ? challengeDetails[key] : void 0);
             return {
               error: {
                 code: ext.code,
-                challengeId: ext.challengeId,
-                currentSpendUsdCents: ext.currentSpendUsdCents,
-                dailyLimitUsdCents: ext.dailyLimitUsdCents,
-                maskedEmail: ext.maskedEmail,
-                otpExpiresAt: ext.otpExpiresAt,
-                projectedSpendUsdCents: ext.projectedSpendUsdCents,
+                challengeId: getChallengeValue("challengeId"),
+                currentSpendUsdCents: ext.currentSpendUsdCents ?? getChallengeValue("currentSpendUsdCents"),
+                dailyLimitUsdCents: ext.dailyLimitUsdCents ?? getChallengeValue("dailyLimitUsdCents"),
+                maskedEmail: ext.maskedEmail ?? getChallengeValue("maskedEmail"),
+                otpExpiresAt: ext.otpExpiresAt ?? getChallengeValue("otpExpiresAt"),
+                projectedSpendUsdCents: ext.projectedSpendUsdCents ?? getChallengeValue("projectedSpendUsdCents"),
                 message: err.errors[0].message
               }
             };
@@ -2559,9 +2567,6 @@ async function askConfirm(message, defaultValue = false) {
 async function askSelect(message, choices) {
   return select({ message, choices });
 }
-async function askInput(message, defaultValue) {
-  return input({ message, default: defaultValue });
-}
 
 // src/commands/account.ts
 init_sponsor();
@@ -2975,7 +2980,92 @@ function createHookServiceForAccount(ctx, chainConfig) {
 // src/commands/tx.ts
 init_sponsor();
 import ora3 from "ora";
-import { isAddress, isHex, formatEther as formatEther3, parseEther as parseEther2, toHex as toHex6 } from "viem";
+import { isAddress, isHex, formatEther as formatEther3, parseEther as parseEther2, toHex as toHex7 } from "viem";
+
+// src/services/pendingOtp.ts
+import { randomBytes } from "crypto";
+var PENDING_OTPS_KEY = "pending-otps";
+function generateOtpId() {
+  return randomBytes(4).toString("hex");
+}
+async function loadPendingOtps(store) {
+  const data = await store.load(PENDING_OTPS_KEY);
+  return data ?? {};
+}
+async function savePendingOtp(store, id, state) {
+  const all = await loadPendingOtps(store);
+  all[id] = state;
+  await store.save(PENDING_OTPS_KEY, all);
+}
+async function removePendingOtp(store, id) {
+  const all = await loadPendingOtps(store);
+  delete all[id];
+  await store.save(PENDING_OTPS_KEY, all);
+}
+async function clearPendingOtps(store, options) {
+  const all = await loadPendingOtps(store);
+  if (options?.id) {
+    delete all[options.id];
+  } else if (options?.account) {
+    const accountLower = options.account.toLowerCase();
+    for (const id of Object.keys(all)) {
+      if (all[id].account.toLowerCase() === accountLower) {
+        delete all[id];
+      }
+    }
+  } else {
+    for (const id of Object.keys(all)) {
+      delete all[id];
+    }
+  }
+  await store.save(PENDING_OTPS_KEY, all);
+}
+async function savePendingOtpAndOutput(store, state) {
+  await savePendingOtp(store, state.id, state);
+  const submitCommand = `elytro otp submit ${state.id} <6-digit-code>`;
+  outputResult({
+    status: "otp_pending",
+    otpPending: {
+      id: state.id,
+      maskedEmail: state.maskedEmail,
+      otpExpiresAt: state.otpExpiresAt,
+      submitCommand
+    }
+  });
+  console.error(
+    `OTP sent to ${state.maskedEmail ?? "your email"}.${state.otpExpiresAt ? ` Expires at ${state.otpExpiresAt}.` : ""}
+To complete, run:
+  ${submitCommand}`
+  );
+}
+async function getPendingOtp(store, id) {
+  const all = await loadPendingOtps(store);
+  return all[id] ?? null;
+}
+
+// src/utils/userOpSerialization.ts
+import { toHex as toHex6 } from "viem";
+function serializeUserOpForPending(op) {
+  return {
+    sender: op.sender,
+    nonce: toHex6(op.nonce),
+    factory: op.factory,
+    factoryData: op.factoryData,
+    callData: op.callData,
+    callGasLimit: toHex6(op.callGasLimit),
+    verificationGasLimit: toHex6(op.verificationGasLimit),
+    preVerificationGas: toHex6(op.preVerificationGas),
+    maxFeePerGas: toHex6(op.maxFeePerGas),
+    maxPriorityFeePerGas: toHex6(op.maxPriorityFeePerGas),
+    paymaster: op.paymaster,
+    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex6(op.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex6(op.paymasterPostOpGasLimit) : null,
+    paymasterData: op.paymasterData,
+    signature: op.signature
+  };
+}
+
+// src/commands/tx.ts
 var ERR_INVALID_PARAMS2 = -32602;
 var ERR_INSUFFICIENT_BALANCE = -32001;
 var ERR_ACCOUNT_NOT_READY2 = -32002;
@@ -3084,7 +3174,7 @@ function detectTxType(specs) {
 function specsToTxs(specs) {
   return specs.map((s) => ({
     to: s.to,
-    value: s.value ? toHex6(parseEther2(s.value)) : "0x0",
+    value: s.value ? toHex7(parseEther2(s.value)) : "0x0",
     data: s.data ?? "0x"
   }));
 }
@@ -3227,33 +3317,52 @@ function registerTxCommand(program2, ctx) {
                 spinner.stop();
                 const errCode = hookResult.error.code;
                 if (errCode === "OTP_REQUIRED" || errCode === "SPENDING_LIMIT_EXCEEDED") {
-                  console.error(JSON.stringify({
-                    challenge: errCode,
-                    message: hookResult.error.message ?? `Verification required (${errCode}).`,
-                    ...hookResult.error.maskedEmail ? { maskedEmail: hookResult.error.maskedEmail } : {},
-                    ...errCode === "SPENDING_LIMIT_EXCEEDED" && hookResult.error.projectedSpendUsdCents !== void 0 ? { projectedSpendUsd: (hookResult.error.projectedSpendUsdCents / 100).toFixed(2), dailyLimitUsd: ((hookResult.error.dailyLimitUsdCents ?? 0) / 100).toFixed(2) } : {}
-                  }, null, 2));
-                  const otpCode = await askInput("Enter the 6-digit OTP code:");
-                  spinner.start("Verifying OTP...");
-                  await hookService.verifySecurityOtp(
-                    accountInfo.address,
-                    accountInfo.chainId,
-                    hookResult.error.challengeId,
-                    otpCode.trim()
-                  );
-                  spinner.text = "OTP verified. Retrying authorization...";
-                  hookResult = await hookService.getHookSignature(
-                    accountInfo.address,
-                    accountInfo.chainId,
-                    ctx.sdk.entryPoint,
-                    userOp
-                  );
-                  if (hookResult.error) {
+                  if (!hookResult.error.challengeId) {
+                    const otpRequestSpinner = ora3("Requesting OTP challenge...").start();
+                    try {
+                      const otpChallenge = await hookService.requestSecurityOtp(
+                        accountInfo.address,
+                        accountInfo.chainId,
+                        ctx.sdk.entryPoint,
+                        userOp
+                      );
+                      hookResult.error.challengeId = otpChallenge.challengeId;
+                      hookResult.error.maskedEmail ??= otpChallenge.maskedEmail;
+                      hookResult.error.otpExpiresAt ??= otpChallenge.otpExpiresAt;
+                      otpRequestSpinner.stop();
+                    } catch (otpErr) {
+                      otpRequestSpinner.fail("Failed to request OTP challenge.");
+                      throw new TxError(
+                        ERR_SEND_FAILED2,
+                        `Unable to request OTP challenge: ${otpErr.message}`
+                      );
+                    }
+                  }
+                  if (!hookResult.error.challengeId) {
                     throw new TxError(
                       ERR_SEND_FAILED2,
-                      `Hook authorization failed after OTP: ${hookResult.error.message}`
+                      "OTP challenge ID was not provided by Elytro API. Please try again."
                     );
                   }
+                  const challengeId = hookResult.error.challengeId;
+                  const authSessionId = await hookService.getAuthSession(accountInfo.address, accountInfo.chainId);
+                  await savePendingOtpAndOutput(ctx.store, {
+                    id: challengeId,
+                    account: accountInfo.address,
+                    chainId: accountInfo.chainId,
+                    action: "tx_send",
+                    challengeId,
+                    authSessionId,
+                    maskedEmail: hookResult.error.maskedEmail,
+                    otpExpiresAt: hookResult.error.otpExpiresAt,
+                    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+                    data: {
+                      userOp: serializeUserOpForPending(userOp),
+                      entryPoint: ctx.sdk.entryPoint,
+                      txSpec: opts?.tx
+                    }
+                  });
+                  return;
                 } else {
                   throw new TxError(
                     ERR_SEND_FAILED2,
@@ -3481,18 +3590,18 @@ function resolveChainStrict(ctx, chainId) {
 function serializeUserOp(op) {
   return {
     sender: op.sender,
-    nonce: toHex6(op.nonce),
+    nonce: toHex7(op.nonce),
     factory: op.factory,
     factoryData: op.factoryData,
     callData: op.callData,
-    callGasLimit: toHex6(op.callGasLimit),
-    verificationGasLimit: toHex6(op.verificationGasLimit),
-    preVerificationGas: toHex6(op.preVerificationGas),
-    maxFeePerGas: toHex6(op.maxFeePerGas),
-    maxPriorityFeePerGas: toHex6(op.maxPriorityFeePerGas),
+    callGasLimit: toHex7(op.callGasLimit),
+    verificationGasLimit: toHex7(op.verificationGasLimit),
+    preVerificationGas: toHex7(op.preVerificationGas),
+    maxFeePerGas: toHex7(op.maxFeePerGas),
+    maxPriorityFeePerGas: toHex7(op.maxPriorityFeePerGas),
     paymaster: op.paymaster,
-    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex6(op.paymasterVerificationGasLimit) : null,
-    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex6(op.paymasterPostOpGasLimit) : null,
+    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex7(op.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex7(op.paymasterPostOpGasLimit) : null,
     paymasterData: op.paymasterData,
     signature: op.signature
   };
@@ -3811,7 +3920,6 @@ var ERR_ACCOUNT_NOT_READY3 = -32002;
 var ERR_HOOK_AUTH_FAILED = -32007;
 var ERR_EMAIL_NOT_BOUND = -32010;
 var ERR_SAFETY_DELAY = -32011;
-var ERR_OTP_VERIFY_FAILED = -32012;
 var ERR_INTERNAL3 = -32e3;
 var SecurityError = class extends Error {
   code;
@@ -3823,7 +3931,16 @@ var SecurityError = class extends Error {
     this.data = data;
   }
 };
+var OtpDeferredError = class extends Error {
+  constructor() {
+    super("OTP deferred");
+    this.name = "OtpDeferredError";
+  }
+};
 function handleSecurityError(err) {
+  if (err instanceof OtpDeferredError) {
+    return;
+  }
   if (err instanceof SecurityError) {
     outputError(err.code, err.message, err.data);
   } else {
@@ -3924,7 +4041,7 @@ async function signWithHookAndSend(ctx, chainConfig, account, hookService, userO
   let hookResult = await hookService.getHookSignature(account.address, account.chainId, ctx.sdk.entryPoint, userOp);
   if (hookResult.error) {
     spinner.stop();
-    hookResult = await handleOtpChallenge(hookService, account, ctx, userOp, hookResult);
+    hookResult = await handleOtpChallenge(hookService, account, ctx, userOp, hookResult, "2fa_uninstall");
   }
   if (!spinner.isSpinning) spinner.start("Packing signature...");
   const hookAddress = SECURITY_HOOK_ADDRESS_MAP[account.chainId];
@@ -3945,42 +4062,48 @@ async function signWithHookAndSend(ctx, chainConfig, account, hookService, userO
     });
   }
 }
-async function handleOtpChallenge(hookService, account, ctx, userOp, hookResult) {
+async function handleOtpChallenge(hookService, account, ctx, userOp, hookResult, action) {
   const err = hookResult.error;
   const errCode = err.code ?? "UNKNOWN";
   if (errCode !== "OTP_REQUIRED" && errCode !== "SPENDING_LIMIT_EXCEEDED") {
     throw new SecurityError(ERR_HOOK_AUTH_FAILED, `Hook authorization failed: ${err.message ?? errCode}`);
   }
-  console.error(JSON.stringify({
-    challenge: errCode,
-    message: err.message ?? `Verification required (${errCode}).`,
-    ...err.maskedEmail ? { maskedEmail: err.maskedEmail } : {},
-    ...errCode === "SPENDING_LIMIT_EXCEEDED" && err.projectedSpendUsdCents !== void 0 ? { projectedSpendUsd: (err.projectedSpendUsdCents / 100).toFixed(2), dailyLimitUsd: ((err.dailyLimitUsdCents ?? 0) / 100).toFixed(2) } : {}
-  }, null, 2));
-  const otpCode = await askInput("Enter the 6-digit OTP code:");
-  const verifySpinner = ora5("Verifying OTP...").start();
-  try {
-    await hookService.verifySecurityOtp(account.address, account.chainId, err.challengeId, otpCode.trim());
-    verifySpinner.text = "OTP verified. Retrying authorization...";
-    const retryResult = await hookService.getHookSignature(
-      account.address,
-      account.chainId,
-      ctx.sdk.entryPoint,
-      userOp
-    );
-    verifySpinner.stop();
-    if (retryResult.error) {
-      throw new SecurityError(ERR_HOOK_AUTH_FAILED, `Authorization failed after OTP: ${retryResult.error.message}`);
-    }
-    return retryResult;
-  } catch (e) {
-    verifySpinner.stop();
-    if (e instanceof SecurityError) throw e;
-    throw new SecurityError(
-      ERR_OTP_VERIFY_FAILED,
-      `OTP verification failed: ${sanitizeErrorMessage(e.message)}`
-    );
-  }
+  let challengeId = err.challengeId;
+  let maskedEmail = err.maskedEmail;
+  let otpExpiresAt = err.otpExpiresAt;
+  if (!challengeId) {
+    try {
+      const otpChallenge = await hookService.requestSecurityOtp(
+        account.address,
+        account.chainId,
+        ctx.sdk.entryPoint,
+        userOp
+      );
+      challengeId = otpChallenge.challengeId;
+      maskedEmail ??= otpChallenge.maskedEmail;
+      otpExpiresAt ??= otpChallenge.otpExpiresAt;
+    } catch {
+      challengeId = generateOtpId();
+    }
+  }
+  const id = challengeId;
+  const authSessionId = await hookService.getAuthSession(account.address, account.chainId);
+  await savePendingOtpAndOutput(ctx.store, {
+    id,
+    account: account.address,
+    chainId: account.chainId,
+    action,
+    challengeId,
+    authSessionId,
+    maskedEmail,
+    otpExpiresAt,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    data: {
+      userOp: serializeUserOpForPending(userOp),
+      entryPoint: ctx.sdk.entryPoint
+    }
+  });
+  throw new OtpDeferredError();
 }
 function registerSecurityCommand(program2, ctx) {
   const security = program2.command("security").description("SecurityHook (2FA & spending limits)");
@@ -4117,29 +4240,18 @@ function registerSecurityCommand(program2, ctx) {
         throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(err.message));
       }
       spinner.stop();
-      console.error(JSON.stringify({ otpSentTo: bindingResult.maskedEmail, expiresAt: bindingResult.otpExpiresAt }, null, 2));
-      const otpCode = await askInput("Enter the 6-digit OTP code:");
-      const confirmSpinner = ora5("Confirming email binding...").start();
-      try {
-        const profile = await hookService.confirmEmailBinding(
-          account.address,
-          account.chainId,
-          bindingResult.bindingId,
-          otpCode.trim()
-        );
-        confirmSpinner.stop();
-        outputResult({
-          status: "email_bound",
-          email: profile.maskedEmail ?? profile.email ?? emailAddr,
-          emailVerified: profile.emailVerified
-        });
-      } catch (err) {
-        confirmSpinner.stop();
-        throw new SecurityError(
-          ERR_OTP_VERIFY_FAILED,
-          `OTP verification failed: ${sanitizeErrorMessage(err.message)}`
-        );
-      }
+      const id = bindingResult.bindingId;
+      await savePendingOtpAndOutput(ctx.store, {
+        id,
+        account: account.address,
+        chainId: account.chainId,
+        action: "email_bind",
+        bindingId: bindingResult.bindingId,
+        maskedEmail: bindingResult.maskedEmail,
+        otpExpiresAt: bindingResult.otpExpiresAt,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        data: { email: emailAddr }
+      });
     } catch (err) {
       handleSecurityError(err);
     }
@@ -4157,28 +4269,18 @@ function registerSecurityCommand(program2, ctx) {
         throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(err.message));
       }
       spinner.stop();
-      console.error(JSON.stringify({ otpSentTo: bindingResult.maskedEmail }, null, 2));
-      const otpCode = await askInput("Enter the 6-digit OTP code:");
-      const confirmSpinner = ora5("Confirming email change...").start();
-      try {
-        const profile = await hookService.confirmEmailBinding(
-          account.address,
-          account.chainId,
-          bindingResult.bindingId,
-          otpCode.trim()
-        );
-        confirmSpinner.stop();
-        outputResult({
-          status: "email_changed",
-          email: profile.maskedEmail ?? profile.email ?? emailAddr
-        });
-      } catch (err) {
-        confirmSpinner.stop();
-        throw new SecurityError(
-          ERR_OTP_VERIFY_FAILED,
-          `OTP verification failed: ${sanitizeErrorMessage(err.message)}`
-        );
-      }
+      const id = bindingResult.bindingId;
+      await savePendingOtpAndOutput(ctx.store, {
+        id,
+        account: account.address,
+        chainId: account.chainId,
+        action: "email_change",
+        bindingId: bindingResult.bindingId,
+        maskedEmail: bindingResult.maskedEmail,
+        otpExpiresAt: bindingResult.otpExpiresAt,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        data: { email: emailAddr }
+      });
     } catch (err) {
       handleSecurityError(err);
     }
@@ -4190,7 +4292,7 @@ function registerSecurityCommand(program2, ctx) {
       if (!amountStr) {
         await showSpendingLimit(hookService, account);
       } else {
-        await setSpendingLimit(hookService, account, amountStr);
+        await setSpendingLimit(ctx.store, hookService, account, amountStr);
       }
     } catch (err) {
       handleSecurityError(err);
@@ -4298,7 +4400,7 @@ async function showSpendingLimit(hookService, account) {
     email: profile.maskedEmail ?? null
   });
 }
-async function setSpendingLimit(hookService, account, amountStr) {
+async function setSpendingLimit(store, hookService, account, amountStr) {
   const amountUsd = parseFloat(amountStr);
   if (isNaN(amountUsd) || amountUsd < 0) {
     throw new SecurityError(ERR_INTERNAL3, "Invalid amount. Provide a positive number in USD.");
@@ -4317,24 +4419,240 @@ async function setSpendingLimit(hookService, account, amountStr) {
     throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(msg));
   }
   spinner.stop();
-  console.error(JSON.stringify({ otpSentTo: otpResult.maskedEmail }, null, 2));
-  const otpCode = await askInput("Enter the 6-digit OTP code:");
-  const setSpinner = ora5("Setting daily limit...").start();
-  try {
-    await hookService.setDailyLimit(account.address, account.chainId, dailyLimitUsdCents, otpCode.trim());
-    setSpinner.stop();
+  const id = generateOtpId();
+  await savePendingOtpAndOutput(store, {
+    id,
+    account: account.address,
+    chainId: account.chainId,
+    action: "spending_limit",
+    maskedEmail: otpResult.maskedEmail,
+    otpExpiresAt: otpResult.otpExpiresAt,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    data: { dailyLimitUsdCents }
+  });
+}
+
+// src/commands/otp.ts
+import ora6 from "ora";
+var ERR_OTP_NOT_FOUND = -32013;
+var ERR_OTP_EXPIRED = -32014;
+var ERR_ACCOUNT_NOT_READY4 = -32002;
+function isOtpExpired(otpExpiresAt) {
+  if (!otpExpiresAt) return false;
+  return new Date(otpExpiresAt).getTime() < Date.now();
+}
+function registerOtpCommand(program2, ctx) {
+  const otp = program2.command("otp").description("Complete or manage deferred OTP verification");
+  otp.command("submit").description("Complete a pending OTP verification").argument("<id>", "OTP id from the command that triggered OTP").argument("<code>", "6-digit OTP code").action(async (id, code) => {
+    const pending = await getPendingOtp(ctx.store, id);
+    if (!pending) {
+      outputError(
+        ERR_OTP_NOT_FOUND,
+        "Unknown OTP id. It may have expired or been completed.",
+        { id }
+      );
+      return;
+    }
+    if (isOtpExpired(pending.otpExpiresAt)) {
+      await removePendingOtp(ctx.store, id);
+      outputError(ERR_OTP_EXPIRED, "OTP has expired. Please re-run the original command.", {
+        id,
+        action: pending.action
+      });
+      return;
+    }
+    const current = ctx.account.currentAccount;
+    if (!current || current.address.toLowerCase() !== pending.account.toLowerCase()) {
+      outputError(ERR_ACCOUNT_NOT_READY4, `Switch to the account that initiated this OTP first: elytro account switch <alias>`, {
+        pendingAccount: pending.account
+      });
+      return;
+    }
+    const accountInfo = ctx.account.resolveAccount(current.alias ?? current.address);
+    if (!accountInfo) {
+      outputError(ERR_ACCOUNT_NOT_READY4, "Account not found.");
+      return;
+    }
+    const chainConfig = ctx.chain.chains.find((c) => c.id === pending.chainId);
+    if (!chainConfig) {
+      outputError(ERR_ACCOUNT_NOT_READY4, `Chain ${pending.chainId} not configured.`);
+      return;
+    }
+    await ctx.sdk.initForChain(chainConfig);
+    ctx.walletClient.initForChain(chainConfig);
+    const hookService = new SecurityHookService({
+      store: ctx.store,
+      graphqlEndpoint: ctx.chain.graphqlEndpoint,
+      signMessageForAuth: createSignMessageForAuth({
+        signDigest: (digest) => ctx.keyring.signDigest(digest),
+        packRawHash: (hash) => ctx.sdk.packRawHash(hash),
+        packSignature: (rawSig, valData) => ctx.sdk.packUserOpSignature(rawSig, valData)
+      }),
+      readContract: async (params) => ctx.walletClient.readContract(params),
+      getBlockTimestamp: async () => {
+        const blockNum = await ctx.walletClient.raw.getBlockNumber();
+        const block = await ctx.walletClient.raw.getBlock({ blockNumber: blockNum });
+        return block.timestamp;
+      }
+    });
+    const spinner = ora6("Completing OTP verification...").start();
+    try {
+      await completePendingOtp(ctx, hookService, accountInfo, pending, code.trim(), spinner);
+      await removePendingOtp(ctx.store, id);
+    } catch (err) {
+      spinner.stop();
+      outputError(-32e3, err.message);
+    }
+  });
+  otp.command("cancel").description("Cancel pending OTP(s)").argument("[id]", "OTP id to cancel. Omit to cancel all for current account.").action(async (id) => {
+    if (id) {
+      const pending = await getPendingOtp(ctx.store, id);
+      if (!pending) {
+        outputError(ERR_OTP_NOT_FOUND, "Unknown OTP id.", { id });
+        return;
+      }
+      await removePendingOtp(ctx.store, id);
+      outputResult({ status: "cancelled", id });
+    } else {
+      const current = ctx.account.currentAccount;
+      if (!current) {
+        outputError(ERR_ACCOUNT_NOT_READY4, "No account selected.");
+        return;
+      }
+      await clearPendingOtps(ctx.store, { account: current.address });
+      outputResult({ status: "cancelled", scope: "account", account: current.address });
+    }
+  });
+  otp.command("list").description("List pending OTPs for current account").action(async () => {
+    const all = await loadPendingOtps(ctx.store);
+    const current = ctx.account.currentAccount;
+    const pendings = current ? Object.values(all).filter(
+      (p) => p.account.toLowerCase() === current.address.toLowerCase()
+    ) : Object.values(all);
+    if (pendings.length === 0) {
+      outputResult({ pendings: [], total: 0 });
+      return;
+    }
     outputResult({
-      status: "daily_limit_set",
-      dailyLimitUsd: amountUsd.toFixed(2)
+      pendings: pendings.map((p) => ({
+        id: p.id,
+        action: p.action,
+        maskedEmail: p.maskedEmail,
+        otpExpiresAt: p.otpExpiresAt,
+        submitCommand: `elytro otp submit ${p.id} <6-digit-code>`
+      })),
+      total: pendings.length
     });
-  } catch (err) {
-    setSpinner.stop();
-    throw new SecurityError(
-      ERR_OTP_VERIFY_FAILED,
-      `Failed to set limit: ${sanitizeErrorMessage(err.message)}`
-    );
+  });
+}
+async function completePendingOtp(ctx, hookService, account, pending, code, spinner) {
+  switch (pending.action) {
+    case "email_bind":
+    case "email_change": {
+      spinner.stop();
+      if (!pending.bindingId) throw new Error("Missing bindingId for email action.");
+      const email = "email" in pending.data ? pending.data.email : "";
+      const profile = await hookService.confirmEmailBinding(
+        account.address,
+        account.chainId,
+        pending.bindingId,
+        code
+      );
+      outputResult({
+        status: pending.action === "email_bind" ? "email_bound" : "email_changed",
+        email: profile.maskedEmail ?? profile.email ?? email,
+        emailVerified: profile.emailVerified
+      });
+      break;
+    }
+    case "spending_limit": {
+      spinner.stop();
+      const dailyLimitUsdCents = pending.data.dailyLimitUsdCents;
+      await hookService.setDailyLimit(
+        account.address,
+        account.chainId,
+        dailyLimitUsdCents,
+        code
+      );
+      outputResult({
+        status: "daily_limit_set",
+        dailyLimitUsd: (dailyLimitUsdCents / 100).toFixed(2)
+      });
+      break;
+    }
+    case "tx_send":
+    case "2fa_uninstall": {
+      if (!pending.challengeId) throw new Error("Missing challengeId for tx/2fa action.");
+      spinner.text = "Verifying OTP...";
+      const { userOp: userOpJson, entryPoint } = pending.data;
+      const userOp = deserializeUserOp2(userOpJson);
+      const authSessionId = pending.authSessionId;
+      await hookService.verifySecurityOtp(
+        account.address,
+        account.chainId,
+        pending.challengeId,
+        code,
+        authSessionId
+      );
+      spinner.text = "Retrying authorization...";
+      const hookResult = await hookService.getHookSignature(
+        account.address,
+        account.chainId,
+        entryPoint,
+        userOp,
+        authSessionId
+      );
+      if (hookResult.error) {
+        throw new Error(`Authorization failed after OTP: ${hookResult.error.message}`);
+      }
+      const hookAddress = SECURITY_HOOK_ADDRESS_MAP[account.chainId];
+      if (!hookAddress) throw new Error(`SecurityHook not deployed on chain ${account.chainId}.`);
+      const { packedHash, validationData } = await ctx.sdk.getUserOpHash(userOp);
+      const rawSignature = await ctx.keyring.signDigest(packedHash);
+      userOp.signature = await ctx.sdk.packUserOpSignatureWithHook(
+        rawSignature,
+        validationData,
+        hookAddress,
+        hookResult.signature
+      );
+      spinner.text = "Sending UserOp...";
+      const opHash = await ctx.sdk.sendUserOp(userOp);
+      spinner.text = "Waiting for receipt...";
+      const receipt = await ctx.sdk.waitForReceipt(opHash);
+      if (!receipt.success) {
+        throw new Error(`Transaction reverted: ${receipt.reason ?? "unknown"}`);
+      }
+      spinner.stop();
+      outputResult({
+        status: pending.action === "tx_send" ? "sent" : "uninstalled",
+        userOpHash: opHash,
+        transactionHash: receipt.transactionHash
+      });
+      break;
+    }
+    default:
+      throw new Error(`Unknown action: ${pending.action}`);
   }
 }
+function deserializeUserOp2(raw) {
+  return {
+    sender: raw.sender,
+    nonce: BigInt(raw.nonce ?? "0x0"),
+    factory: raw.factory ?? null,
+    factoryData: raw.factoryData ?? null,
+    callData: raw.callData,
+    callGasLimit: BigInt(raw.callGasLimit ?? "0x0"),
+    verificationGasLimit: BigInt(raw.verificationGasLimit ?? "0x0"),
+    preVerificationGas: BigInt(raw.preVerificationGas ?? "0x0"),
+    maxFeePerGas: BigInt(raw.maxFeePerGas ?? "0x0"),
+    maxPriorityFeePerGas: BigInt(raw.maxPriorityFeePerGas ?? "0x0"),
+    paymaster: raw.paymaster ?? null,
+    paymasterVerificationGasLimit: raw.paymasterVerificationGasLimit ? BigInt(raw.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: raw.paymasterPostOpGasLimit ? BigInt(raw.paymasterPostOpGasLimit) : null,
+    paymasterData: raw.paymasterData ?? null,
+    signature: raw.signature ?? "0x"
+  };
+}
 
 // src/commands/config.ts
 var KEY_MAP = {
@@ -4398,7 +4716,7 @@ import { execSync } from "child_process";
 import { createRequire } from "module";
 function resolveVersion() {
   if (true) {
-    return "0.5.2";
+    return "0.6.0";
   }
   try {
     const require2 = createRequire(import.meta.url);
@@ -4411,7 +4729,7 @@ function resolveVersion() {
 var VERSION = resolveVersion();
 
 // src/commands/update.ts
-import ora6 from "ora";
+import ora7 from "ora";
 import chalk2 from "chalk";
 import { realpathSync } from "fs";
 import { fileURLToPath } from "url";
@@ -4487,7 +4805,7 @@ function registerUpdateCommand(program2) {
     }
   });
   updateCmd.action(async () => {
-    const spinner = ora6("Checking for updates\u2026").start();
+    const spinner = ora7("Checking for updates\u2026").start();
     try {
       const latest = await fetchLatestVersion();
       const cmp = compareSemver(VERSION, latest);
@@ -4518,6 +4836,41 @@ function registerUpdateCommand(program2) {
   });
 }
 
+// src/commands/prune.ts
+import { rm } from "fs/promises";
+import { join as join3 } from "path";
+import { homedir as homedir2 } from "os";
+var DATA_DIR = join3(homedir2(), ".elytro");
+async function runPrune() {
+  try {
+    const keyringProvider = new KeyringProvider();
+    try {
+      await keyringProvider.delete();
+    } catch {
+    }
+    const fileProvider = new FileProvider(DATA_DIR);
+    try {
+      await fileProvider.delete();
+    } catch {
+    }
+    try {
+      await rm(DATA_DIR, { recursive: true, force: true });
+    } catch (err) {
+      const code = err.code;
+      if (code !== "ENOENT") {
+        throw err;
+      }
+    }
+    outputResult({
+      status: "pruned",
+      dataDir: DATA_DIR,
+      hint: "All local data cleared. Run `elytro init` to create a new wallet."
+    });
+  } catch (err) {
+    outputError(-32e3, err.message);
+  }
+}
+
 // src/index.ts
 var program = new Command();
 program.name("elytro").description("Elytro \u2014 ERC-4337 Smart Account Wallet CLI").version(VERSION).addHelpText(
@@ -4525,6 +4878,10 @@ program.name("elytro").description("Elytro \u2014 ERC-4337 Smart Account Wallet
   "\nLearn how to use Elytro skills: https://github.com/Elytro-eth/skills\n"
 );
 async function main() {
+  if (process.argv.includes("prune")) {
+    await runPrune();
+    return;
+  }
   let ctx = null;
   try {
     ctx = await createAppContext();
@@ -4533,6 +4890,7 @@ async function main() {
     registerTxCommand(program, ctx);
     registerQueryCommand(program, ctx);
     registerSecurityCommand(program, ctx);
+    registerOtpCommand(program, ctx);
     registerConfigCommand(program, ctx);
     registerUpdateCommand(program);
     await program.parseAsync(process.argv);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytro/cli",
-  "version": "0.5.2",
+  "version": "0.6.0",
   "description": "Elytro ERC-4337 Smart Account Wallet CLI",
   "type": "module",
   "bin": {