@elytro/cli 0.5.3 → 0.6.1

package/README.md

@@ -36,6 +36,7 @@ elytro query balance
 - **Transaction simulation** — Preview gas, paymaster sponsorship, and balance impact before sending
 - **Cross-chain support** — Manage accounts across Ethereum, Optimism, Arbitrum, Base, and testnets
 - **SecurityHook (2FA)** — Install on-chain 2FA with email OTP and daily spending limits
+- **Deferred OTP** — Commands that require OTP exit immediately after sending the code; complete later with `elytro otp submit <id> <code>`
 - **Self-updating** — `elytro update` detects your package manager and upgrades in place
 
 ## Supported Chains
@@ -115,6 +116,11 @@ elytro security email bind <email>
 elytro security email change <email>
 elytro security spending-limit [amount]         # View or set daily USD limit
 
+# OTP (deferred verification)
+elytro otp submit <id> <code>   # Complete a pending OTP verification
+elytro otp cancel [id]          # Cancel pending OTP(s)
+elytro otp list                 # List pending OTPs for current account
+
 # Updates
 elytro update              # Check and upgrade to latest
 elytro update check        # Check without installing
@@ -125,6 +131,15 @@ elytro config get <key>
 elytro config list
 ```
 
+## Deferred OTP Flow
+
+When a command requires OTP verification (e.g. `security email bind`, `tx send` with 2FA), the CLI sends the OTP to your email and exits immediately instead of blocking for input. To complete the action:
+
+1. Check your email for the 6-digit code.
+2. Run `elytro otp submit <id> <code>`, where `<id>` is printed in the command output (e.g. `elytro otp submit abc123 654321`).
+
+The `<id>` is returned in the JSON output as `otpPending.id` and in the stderr hint. Use `elytro otp list` to see all pending OTPs for the current account, or `elytro otp cancel [id]` to cancel.
+
 ## Development
 
 ```bash

package/dist/index.js

@@ -2018,9 +2018,10 @@ var SecurityHookService = class {
   }
   /**
    * Verify a security OTP challenge.
+   * @param authSessionIdOverride - If provided, use this session instead of getAuthSession (for deferred OTP resume)
    */
-  async verifySecurityOtp(walletAddress, chainId, challengeId, otpCode) {
-    const sessionId = await this.getAuthSession(walletAddress, chainId);
+  async verifySecurityOtp(walletAddress, chainId, challengeId, otpCode, authSessionIdOverride) {
+    const sessionId = authSessionIdOverride ?? await this.getAuthSession(walletAddress, chainId);
     const result = await this.gqlMutate(GQL_VERIFY_SECURITY_OTP, {
       input: { authSessionId: sessionId, challengeId, otpCode }
     });
@@ -2036,14 +2037,17 @@ var SecurityHookService = class {
    *
    * Handles auth retry automatically.
    */
-  async getHookSignature(walletAddress, chainId, entryPoint, userOp) {
+  /**
+   * @param authSessionIdOverride - If provided, use this session (for deferred OTP resume with session-bound challenge)
+   */
+  async getHookSignature(walletAddress, chainId, entryPoint, userOp, authSessionIdOverride) {
     const op = this.formatUserOpForGraphQL(userOp);
     for (let attempt = 0; attempt <= 1; attempt++) {
       try {
-        if (attempt > 0) {
+        if (attempt > 0 && !authSessionIdOverride) {
           await this.clearAuthSession(walletAddress, chainId);
         }
-        const sessionId = await this.getAuthSession(walletAddress, chainId);
+        const sessionId = authSessionIdOverride ?? await this.getAuthSession(walletAddress, chainId);
         const result = await this.gqlRaw(GQL_AUTHORIZE_USER_OPERATION, {
           input: {
             authSessionId: sessionId,
@@ -2556,16 +2560,10 @@ import ora2 from "ora";
 import { formatEther as formatEther2, padHex as padHex2 } from "viem";
 
 // src/utils/prompt.ts
-import { password, confirm, select, input } from "@inquirer/prompts";
-async function askConfirm(message, defaultValue = false) {
-  return confirm({ message, default: defaultValue });
-}
+import { password, select, input } from "@inquirer/prompts";
 async function askSelect(message, choices) {
   return select({ message, choices });
 }
-async function askInput(message, defaultValue) {
-  return input({ message, default: defaultValue });
-}
 
 // src/commands/account.ts
 init_sponsor();
@@ -2979,7 +2977,92 @@ function createHookServiceForAccount(ctx, chainConfig) {
 // src/commands/tx.ts
 init_sponsor();
 import ora3 from "ora";
-import { isAddress, isHex, formatEther as formatEther3, parseEther as parseEther2, toHex as toHex6 } from "viem";
+import { isAddress, isHex, formatEther as formatEther3, parseEther as parseEther2, toHex as toHex7 } from "viem";
+
+// src/services/pendingOtp.ts
+import { randomBytes } from "crypto";
+var PENDING_OTPS_KEY = "pending-otps";
+function generateOtpId() {
+  return randomBytes(4).toString("hex");
+}
+async function loadPendingOtps(store) {
+  const data = await store.load(PENDING_OTPS_KEY);
+  return data ?? {};
+}
+async function savePendingOtp(store, id, state) {
+  const all = await loadPendingOtps(store);
+  all[id] = state;
+  await store.save(PENDING_OTPS_KEY, all);
+}
+async function removePendingOtp(store, id) {
+  const all = await loadPendingOtps(store);
+  delete all[id];
+  await store.save(PENDING_OTPS_KEY, all);
+}
+async function clearPendingOtps(store, options) {
+  const all = await loadPendingOtps(store);
+  if (options?.id) {
+    delete all[options.id];
+  } else if (options?.account) {
+    const accountLower = options.account.toLowerCase();
+    for (const id of Object.keys(all)) {
+      if (all[id].account.toLowerCase() === accountLower) {
+        delete all[id];
+      }
+    }
+  } else {
+    for (const id of Object.keys(all)) {
+      delete all[id];
+    }
+  }
+  await store.save(PENDING_OTPS_KEY, all);
+}
+async function savePendingOtpAndOutput(store, state) {
+  await savePendingOtp(store, state.id, state);
+  const submitCommand = `elytro otp submit ${state.id} <6-digit-code>`;
+  outputResult({
+    status: "otp_pending",
+    otpPending: {
+      id: state.id,
+      maskedEmail: state.maskedEmail,
+      otpExpiresAt: state.otpExpiresAt,
+      submitCommand
+    }
+  });
+  console.error(
+    `OTP sent to ${state.maskedEmail ?? "your email"}.${state.otpExpiresAt ? ` Expires at ${state.otpExpiresAt}.` : ""}
+To complete, run:
+  ${submitCommand}`
+  );
+}
+async function getPendingOtp(store, id) {
+  const all = await loadPendingOtps(store);
+  return all[id] ?? null;
+}
+
+// src/utils/userOpSerialization.ts
+import { toHex as toHex6 } from "viem";
+function serializeUserOpForPending(op) {
+  return {
+    sender: op.sender,
+    nonce: toHex6(op.nonce),
+    factory: op.factory,
+    factoryData: op.factoryData,
+    callData: op.callData,
+    callGasLimit: toHex6(op.callGasLimit),
+    verificationGasLimit: toHex6(op.verificationGasLimit),
+    preVerificationGas: toHex6(op.preVerificationGas),
+    maxFeePerGas: toHex6(op.maxFeePerGas),
+    maxPriorityFeePerGas: toHex6(op.maxPriorityFeePerGas),
+    paymaster: op.paymaster,
+    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex6(op.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex6(op.paymasterPostOpGasLimit) : null,
+    paymasterData: op.paymasterData,
+    signature: op.signature
+  };
+}
+
+// src/commands/tx.ts
 var ERR_INVALID_PARAMS2 = -32602;
 var ERR_INSUFFICIENT_BALANCE = -32001;
 var ERR_ACCOUNT_NOT_READY2 = -32002;
@@ -3088,7 +3171,7 @@ function detectTxType(specs) {
 function specsToTxs(specs) {
   return specs.map((s) => ({
     to: s.to,
-    value: s.value ? toHex6(parseEther2(s.value)) : "0x0",
+    value: s.value ? toHex7(parseEther2(s.value)) : "0x0",
     data: s.data ?? "0x"
   }));
 }
@@ -3186,11 +3269,6 @@ function registerTxCommand(program2, ctx) {
           estimatedGas: estimatedGas.toString()
         }
       }, null, 2));
-      const confirmed = await askConfirm("Sign and send this transaction?");
-      if (!confirmed) {
-        outputResult({ status: "cancelled" });
-        return;
-      }
       const spinner = ora3("Signing UserOperation...").start();
       let opHash;
       try {
@@ -3258,34 +3336,25 @@ function registerTxCommand(program2, ctx) {
                       "OTP challenge ID was not provided by Elytro API. Please try again."
                     );
                   }
-                  console.error(JSON.stringify({
-                    challenge: errCode,
-                    message: hookResult.error.message ?? `Verification required (${errCode}).`,
-                    ...hookResult.error.maskedEmail ? { maskedEmail: hookResult.error.maskedEmail } : {},
-                    ...hookResult.error.otpExpiresAt ? { otpExpiresAt: hookResult.error.otpExpiresAt } : {},
-                    ...errCode === "SPENDING_LIMIT_EXCEEDED" && hookResult.error.projectedSpendUsdCents !== void 0 ? { projectedSpendUsd: (hookResult.error.projectedSpendUsdCents / 100).toFixed(2), dailyLimitUsd: ((hookResult.error.dailyLimitUsdCents ?? 0) / 100).toFixed(2) } : {}
-                  }, null, 2));
-                  const otpCode = await askInput("Enter the 6-digit OTP code:");
-                  spinner.start("Verifying OTP...");
-                  await hookService.verifySecurityOtp(
-                    accountInfo.address,
-                    accountInfo.chainId,
-                    hookResult.error.challengeId,
-                    otpCode.trim()
-                  );
-                  spinner.text = "OTP verified. Retrying authorization...";
-                  hookResult = await hookService.getHookSignature(
-                    accountInfo.address,
-                    accountInfo.chainId,
-                    ctx.sdk.entryPoint,
-                    userOp
-                  );
-                  if (hookResult.error) {
-                    throw new TxError(
-                      ERR_SEND_FAILED2,
-                      `Hook authorization failed after OTP: ${hookResult.error.message}`
-                    );
-                  }
+                  const challengeId = hookResult.error.challengeId;
+                  const authSessionId = await hookService.getAuthSession(accountInfo.address, accountInfo.chainId);
+                  await savePendingOtpAndOutput(ctx.store, {
+                    id: challengeId,
+                    account: accountInfo.address,
+                    chainId: accountInfo.chainId,
+                    action: "tx_send",
+                    challengeId,
+                    authSessionId,
+                    maskedEmail: hookResult.error.maskedEmail,
+                    otpExpiresAt: hookResult.error.otpExpiresAt,
+                    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+                    data: {
+                      userOp: serializeUserOpForPending(userOp),
+                      entryPoint: ctx.sdk.entryPoint,
+                      txSpec: opts?.tx
+                    }
+                  });
+                  return;
                 } else {
                   throw new TxError(
                     ERR_SEND_FAILED2,
@@ -3513,18 +3582,18 @@ function resolveChainStrict(ctx, chainId) {
 function serializeUserOp(op) {
   return {
     sender: op.sender,
-    nonce: toHex6(op.nonce),
+    nonce: toHex7(op.nonce),
     factory: op.factory,
     factoryData: op.factoryData,
     callData: op.callData,
-    callGasLimit: toHex6(op.callGasLimit),
-    verificationGasLimit: toHex6(op.verificationGasLimit),
-    preVerificationGas: toHex6(op.preVerificationGas),
-    maxFeePerGas: toHex6(op.maxFeePerGas),
-    maxPriorityFeePerGas: toHex6(op.maxPriorityFeePerGas),
+    callGasLimit: toHex7(op.callGasLimit),
+    verificationGasLimit: toHex7(op.verificationGasLimit),
+    preVerificationGas: toHex7(op.preVerificationGas),
+    maxFeePerGas: toHex7(op.maxFeePerGas),
+    maxPriorityFeePerGas: toHex7(op.maxPriorityFeePerGas),
     paymaster: op.paymaster,
-    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex6(op.paymasterVerificationGasLimit) : null,
-    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex6(op.paymasterPostOpGasLimit) : null,
+    paymasterVerificationGasLimit: op.paymasterVerificationGasLimit ? toHex7(op.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: op.paymasterPostOpGasLimit ? toHex7(op.paymasterPostOpGasLimit) : null,
     paymasterData: op.paymasterData,
     signature: op.signature
   };
@@ -3843,7 +3912,6 @@ var ERR_ACCOUNT_NOT_READY3 = -32002;
 var ERR_HOOK_AUTH_FAILED = -32007;
 var ERR_EMAIL_NOT_BOUND = -32010;
 var ERR_SAFETY_DELAY = -32011;
-var ERR_OTP_VERIFY_FAILED = -32012;
 var ERR_INTERNAL3 = -32e3;
 var SecurityError = class extends Error {
   code;
@@ -3855,7 +3923,16 @@ var SecurityError = class extends Error {
     this.data = data;
   }
 };
+var OtpDeferredError = class extends Error {
+  constructor() {
+    super("OTP deferred");
+    this.name = "OtpDeferredError";
+  }
+};
 function handleSecurityError(err) {
+  if (err instanceof OtpDeferredError) {
+    return;
+  }
   if (err instanceof SecurityError) {
     outputError(err.code, err.message, err.data);
   } else {
@@ -3956,7 +4033,7 @@ async function signWithHookAndSend(ctx, chainConfig, account, hookService, userO
   let hookResult = await hookService.getHookSignature(account.address, account.chainId, ctx.sdk.entryPoint, userOp);
   if (hookResult.error) {
     spinner.stop();
-    hookResult = await handleOtpChallenge(hookService, account, ctx, userOp, hookResult);
+    hookResult = await handleOtpChallenge(hookService, account, ctx, userOp, hookResult, "2fa_uninstall");
   }
   if (!spinner.isSpinning) spinner.start("Packing signature...");
   const hookAddress = SECURITY_HOOK_ADDRESS_MAP[account.chainId];
@@ -3977,42 +4054,48 @@ async function signWithHookAndSend(ctx, chainConfig, account, hookService, userO
     });
   }
 }
-async function handleOtpChallenge(hookService, account, ctx, userOp, hookResult) {
+async function handleOtpChallenge(hookService, account, ctx, userOp, hookResult, action) {
   const err = hookResult.error;
   const errCode = err.code ?? "UNKNOWN";
   if (errCode !== "OTP_REQUIRED" && errCode !== "SPENDING_LIMIT_EXCEEDED") {
     throw new SecurityError(ERR_HOOK_AUTH_FAILED, `Hook authorization failed: ${err.message ?? errCode}`);
   }
-  console.error(JSON.stringify({
-    challenge: errCode,
-    message: err.message ?? `Verification required (${errCode}).`,
-    ...err.maskedEmail ? { maskedEmail: err.maskedEmail } : {},
-    ...errCode === "SPENDING_LIMIT_EXCEEDED" && err.projectedSpendUsdCents !== void 0 ? { projectedSpendUsd: (err.projectedSpendUsdCents / 100).toFixed(2), dailyLimitUsd: ((err.dailyLimitUsdCents ?? 0) / 100).toFixed(2) } : {}
-  }, null, 2));
-  const otpCode = await askInput("Enter the 6-digit OTP code:");
-  const verifySpinner = ora5("Verifying OTP...").start();
-  try {
-    await hookService.verifySecurityOtp(account.address, account.chainId, err.challengeId, otpCode.trim());
-    verifySpinner.text = "OTP verified. Retrying authorization...";
-    const retryResult = await hookService.getHookSignature(
-      account.address,
-      account.chainId,
-      ctx.sdk.entryPoint,
-      userOp
-    );
-    verifySpinner.stop();
-    if (retryResult.error) {
-      throw new SecurityError(ERR_HOOK_AUTH_FAILED, `Authorization failed after OTP: ${retryResult.error.message}`);
-    }
-    return retryResult;
-  } catch (e) {
-    verifySpinner.stop();
-    if (e instanceof SecurityError) throw e;
-    throw new SecurityError(
-      ERR_OTP_VERIFY_FAILED,
-      `OTP verification failed: ${sanitizeErrorMessage(e.message)}`
-    );
-  }
+  let challengeId = err.challengeId;
+  let maskedEmail = err.maskedEmail;
+  let otpExpiresAt = err.otpExpiresAt;
+  if (!challengeId) {
+    try {
+      const otpChallenge = await hookService.requestSecurityOtp(
+        account.address,
+        account.chainId,
+        ctx.sdk.entryPoint,
+        userOp
+      );
+      challengeId = otpChallenge.challengeId;
+      maskedEmail ??= otpChallenge.maskedEmail;
+      otpExpiresAt ??= otpChallenge.otpExpiresAt;
+    } catch {
+      challengeId = generateOtpId();
+    }
+  }
+  const id = challengeId;
+  const authSessionId = await hookService.getAuthSession(account.address, account.chainId);
+  await savePendingOtpAndOutput(ctx.store, {
+    id,
+    account: account.address,
+    chainId: account.chainId,
+    action,
+    challengeId,
+    authSessionId,
+    maskedEmail,
+    otpExpiresAt,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    data: {
+      userOp: serializeUserOpForPending(userOp),
+      entryPoint: ctx.sdk.entryPoint
+    }
+  });
+  throw new OtpDeferredError();
 }
 function registerSecurityCommand(program2, ctx) {
   const security = program2.command("security").description("SecurityHook (2FA & spending limits)");
@@ -4084,13 +4167,6 @@ function registerSecurityCommand(program2, ctx) {
       if (![1, 2, 3].includes(capabilityFlags)) {
         throw new SecurityError(ERR_INTERNAL3, "Invalid capability flags. Use 1, 2, or 3.");
       }
-      const confirmed = await askConfirm(
-        `Install SecurityHook on ${account.alias} (${address(account.address)})? Capability: ${CAPABILITY_LABELS[capabilityFlags]}, Safety Delay: ${DEFAULT_SAFETY_DELAY}s`
-      );
-      if (!confirmed) {
-        outputResult({ status: "cancelled" });
-        return;
-      }
       const installTx = encodeInstallHook(account.address, hookAddress, DEFAULT_SAFETY_DELAY, capabilityFlags);
       const buildSpinner = ora5("Building UserOp...").start();
       try {
@@ -4149,29 +4225,18 @@ function registerSecurityCommand(program2, ctx) {
         throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(err.message));
       }
       spinner.stop();
-      console.error(JSON.stringify({ otpSentTo: bindingResult.maskedEmail, expiresAt: bindingResult.otpExpiresAt }, null, 2));
-      const otpCode = await askInput("Enter the 6-digit OTP code:");
-      const confirmSpinner = ora5("Confirming email binding...").start();
-      try {
-        const profile = await hookService.confirmEmailBinding(
-          account.address,
-          account.chainId,
-          bindingResult.bindingId,
-          otpCode.trim()
-        );
-        confirmSpinner.stop();
-        outputResult({
-          status: "email_bound",
-          email: profile.maskedEmail ?? profile.email ?? emailAddr,
-          emailVerified: profile.emailVerified
-        });
-      } catch (err) {
-        confirmSpinner.stop();
-        throw new SecurityError(
-          ERR_OTP_VERIFY_FAILED,
-          `OTP verification failed: ${sanitizeErrorMessage(err.message)}`
-        );
-      }
+      const id = bindingResult.bindingId;
+      await savePendingOtpAndOutput(ctx.store, {
+        id,
+        account: account.address,
+        chainId: account.chainId,
+        action: "email_bind",
+        bindingId: bindingResult.bindingId,
+        maskedEmail: bindingResult.maskedEmail,
+        otpExpiresAt: bindingResult.otpExpiresAt,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        data: { email: emailAddr }
+      });
     } catch (err) {
       handleSecurityError(err);
     }
@@ -4189,28 +4254,18 @@ function registerSecurityCommand(program2, ctx) {
         throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(err.message));
       }
       spinner.stop();
-      console.error(JSON.stringify({ otpSentTo: bindingResult.maskedEmail }, null, 2));
-      const otpCode = await askInput("Enter the 6-digit OTP code:");
-      const confirmSpinner = ora5("Confirming email change...").start();
-      try {
-        const profile = await hookService.confirmEmailBinding(
-          account.address,
-          account.chainId,
-          bindingResult.bindingId,
-          otpCode.trim()
-        );
-        confirmSpinner.stop();
-        outputResult({
-          status: "email_changed",
-          email: profile.maskedEmail ?? profile.email ?? emailAddr
-        });
-      } catch (err) {
-        confirmSpinner.stop();
-        throw new SecurityError(
-          ERR_OTP_VERIFY_FAILED,
-          `OTP verification failed: ${sanitizeErrorMessage(err.message)}`
-        );
-      }
+      const id = bindingResult.bindingId;
+      await savePendingOtpAndOutput(ctx.store, {
+        id,
+        account: account.address,
+        chainId: account.chainId,
+        action: "email_change",
+        bindingId: bindingResult.bindingId,
+        maskedEmail: bindingResult.maskedEmail,
+        otpExpiresAt: bindingResult.otpExpiresAt,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        data: { email: emailAddr }
+      });
     } catch (err) {
       handleSecurityError(err);
     }
@@ -4222,7 +4277,7 @@ function registerSecurityCommand(program2, ctx) {
       if (!amountStr) {
         await showSpendingLimit(hookService, account);
       } else {
-        await setSpendingLimit(hookService, account, amountStr);
+        await setSpendingLimit(ctx.store, hookService, account, amountStr);
       }
     } catch (err) {
       handleSecurityError(err);
@@ -4242,11 +4297,6 @@ async function handleForceExecute(ctx, chainConfig, account, currentStatus) {
       `Safety delay not elapsed. Available after ${currentStatus.forceUninstall.availableAfter}.`
     );
   }
-  const confirmed = await askConfirm(`Execute force uninstall on ${account.alias} (${address(account.address)})? This will remove the SecurityHook.`);
-  if (!confirmed) {
-    outputResult({ status: "cancelled" });
-    return;
-  }
   const uninstallTx = encodeUninstallHook(account.address, currentStatus.hookAddress);
   const spinner = ora5("Executing force uninstall...").start();
   try {
@@ -4268,13 +4318,6 @@ async function handleForceStart(ctx, chainConfig, account, currentStatus, hookAd
     });
     return;
   }
-  const confirmed = await askConfirm(
-    `Start force-uninstall countdown on ${account.alias} (${address(account.address)})? You must wait ${DEFAULT_SAFETY_DELAY}s before executing.`
-  );
-  if (!confirmed) {
-    outputResult({ status: "cancelled" });
-    return;
-  }
   const preUninstallTx = encodeForcePreUninstall(hookAddress);
   const spinner = ora5("Starting force-uninstall countdown...").start();
   try {
@@ -4292,11 +4335,6 @@ async function handleForceStart(ctx, chainConfig, account, currentStatus, hookAd
   }
 }
 async function handleNormalUninstall(ctx, chainConfig, account, hookService, hookAddress) {
-  const confirmed = await askConfirm(`Uninstall SecurityHook from ${account.alias} (${address(account.address)})? (requires 2FA approval)`);
-  if (!confirmed) {
-    outputResult({ status: "cancelled" });
-    return;
-  }
   const uninstallTx = encodeUninstallHook(account.address, hookAddress);
   const spinner = ora5("Building UserOp...").start();
   try {
@@ -4330,7 +4368,7 @@ async function showSpendingLimit(hookService, account) {
     email: profile.maskedEmail ?? null
   });
 }
-async function setSpendingLimit(hookService, account, amountStr) {
+async function setSpendingLimit(store, hookService, account, amountStr) {
   const amountUsd = parseFloat(amountStr);
   if (isNaN(amountUsd) || amountUsd < 0) {
     throw new SecurityError(ERR_INTERNAL3, "Invalid amount. Provide a positive number in USD.");
@@ -4349,24 +4387,240 @@ async function setSpendingLimit(hookService, account, amountStr) {
     throw new SecurityError(ERR_HOOK_AUTH_FAILED, sanitizeErrorMessage(msg));
   }
   spinner.stop();
-  console.error(JSON.stringify({ otpSentTo: otpResult.maskedEmail }, null, 2));
-  const otpCode = await askInput("Enter the 6-digit OTP code:");
-  const setSpinner = ora5("Setting daily limit...").start();
-  try {
-    await hookService.setDailyLimit(account.address, account.chainId, dailyLimitUsdCents, otpCode.trim());
-    setSpinner.stop();
+  const id = generateOtpId();
+  await savePendingOtpAndOutput(store, {
+    id,
+    account: account.address,
+    chainId: account.chainId,
+    action: "spending_limit",
+    maskedEmail: otpResult.maskedEmail,
+    otpExpiresAt: otpResult.otpExpiresAt,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    data: { dailyLimitUsdCents }
+  });
+}
+
+// src/commands/otp.ts
+import ora6 from "ora";
+var ERR_OTP_NOT_FOUND = -32013;
+var ERR_OTP_EXPIRED = -32014;
+var ERR_ACCOUNT_NOT_READY4 = -32002;
+function isOtpExpired(otpExpiresAt) {
+  if (!otpExpiresAt) return false;
+  return new Date(otpExpiresAt).getTime() < Date.now();
+}
+function registerOtpCommand(program2, ctx) {
+  const otp = program2.command("otp").description("Complete or manage deferred OTP verification");
+  otp.command("submit").description("Complete a pending OTP verification").argument("<id>", "OTP id from the command that triggered OTP").argument("<code>", "6-digit OTP code").action(async (id, code) => {
+    const pending = await getPendingOtp(ctx.store, id);
+    if (!pending) {
+      outputError(
+        ERR_OTP_NOT_FOUND,
+        "Unknown OTP id. It may have expired or been completed.",
+        { id }
+      );
+      return;
+    }
+    if (isOtpExpired(pending.otpExpiresAt)) {
+      await removePendingOtp(ctx.store, id);
+      outputError(ERR_OTP_EXPIRED, "OTP has expired. Please re-run the original command.", {
+        id,
+        action: pending.action
+      });
+      return;
+    }
+    const current = ctx.account.currentAccount;
+    if (!current || current.address.toLowerCase() !== pending.account.toLowerCase()) {
+      outputError(ERR_ACCOUNT_NOT_READY4, `Switch to the account that initiated this OTP first: elytro account switch <alias>`, {
+        pendingAccount: pending.account
+      });
+      return;
+    }
+    const accountInfo = ctx.account.resolveAccount(current.alias ?? current.address);
+    if (!accountInfo) {
+      outputError(ERR_ACCOUNT_NOT_READY4, "Account not found.");
+      return;
+    }
+    const chainConfig = ctx.chain.chains.find((c) => c.id === pending.chainId);
+    if (!chainConfig) {
+      outputError(ERR_ACCOUNT_NOT_READY4, `Chain ${pending.chainId} not configured.`);
+      return;
+    }
+    await ctx.sdk.initForChain(chainConfig);
+    ctx.walletClient.initForChain(chainConfig);
+    const hookService = new SecurityHookService({
+      store: ctx.store,
+      graphqlEndpoint: ctx.chain.graphqlEndpoint,
+      signMessageForAuth: createSignMessageForAuth({
+        signDigest: (digest) => ctx.keyring.signDigest(digest),
+        packRawHash: (hash) => ctx.sdk.packRawHash(hash),
+        packSignature: (rawSig, valData) => ctx.sdk.packUserOpSignature(rawSig, valData)
+      }),
+      readContract: async (params) => ctx.walletClient.readContract(params),
+      getBlockTimestamp: async () => {
+        const blockNum = await ctx.walletClient.raw.getBlockNumber();
+        const block = await ctx.walletClient.raw.getBlock({ blockNumber: blockNum });
+        return block.timestamp;
+      }
+    });
+    const spinner = ora6("Completing OTP verification...").start();
+    try {
+      await completePendingOtp(ctx, hookService, accountInfo, pending, code.trim(), spinner);
+      await removePendingOtp(ctx.store, id);
+    } catch (err) {
+      spinner.stop();
+      outputError(-32e3, err.message);
+    }
+  });
+  otp.command("cancel").description("Cancel pending OTP(s)").argument("[id]", "OTP id to cancel. Omit to cancel all for current account.").action(async (id) => {
+    if (id) {
+      const pending = await getPendingOtp(ctx.store, id);
+      if (!pending) {
+        outputError(ERR_OTP_NOT_FOUND, "Unknown OTP id.", { id });
+        return;
+      }
+      await removePendingOtp(ctx.store, id);
+      outputResult({ status: "cancelled", id });
+    } else {
+      const current = ctx.account.currentAccount;
+      if (!current) {
+        outputError(ERR_ACCOUNT_NOT_READY4, "No account selected.");
+        return;
+      }
+      await clearPendingOtps(ctx.store, { account: current.address });
+      outputResult({ status: "cancelled", scope: "account", account: current.address });
+    }
+  });
+  otp.command("list").description("List pending OTPs for current account").action(async () => {
+    const all = await loadPendingOtps(ctx.store);
+    const current = ctx.account.currentAccount;
+    const pendings = current ? Object.values(all).filter(
+      (p) => p.account.toLowerCase() === current.address.toLowerCase()
+    ) : Object.values(all);
+    if (pendings.length === 0) {
+      outputResult({ pendings: [], total: 0 });
+      return;
+    }
     outputResult({
-      status: "daily_limit_set",
-      dailyLimitUsd: amountUsd.toFixed(2)
+      pendings: pendings.map((p) => ({
+        id: p.id,
+        action: p.action,
+        maskedEmail: p.maskedEmail,
+        otpExpiresAt: p.otpExpiresAt,
+        submitCommand: `elytro otp submit ${p.id} <6-digit-code>`
+      })),
+      total: pendings.length
     });
-  } catch (err) {
-    setSpinner.stop();
-    throw new SecurityError(
-      ERR_OTP_VERIFY_FAILED,
-      `Failed to set limit: ${sanitizeErrorMessage(err.message)}`
-    );
+  });
+}
+async function completePendingOtp(ctx, hookService, account, pending, code, spinner) {
+  switch (pending.action) {
+    case "email_bind":
+    case "email_change": {
+      spinner.stop();
+      if (!pending.bindingId) throw new Error("Missing bindingId for email action.");
+      const email = "email" in pending.data ? pending.data.email : "";
+      const profile = await hookService.confirmEmailBinding(
+        account.address,
+        account.chainId,
+        pending.bindingId,
+        code
+      );
+      outputResult({
+        status: pending.action === "email_bind" ? "email_bound" : "email_changed",
+        email: profile.maskedEmail ?? profile.email ?? email,
+        emailVerified: profile.emailVerified
+      });
+      break;
+    }
+    case "spending_limit": {
+      spinner.stop();
+      const dailyLimitUsdCents = pending.data.dailyLimitUsdCents;
+      await hookService.setDailyLimit(
+        account.address,
+        account.chainId,
+        dailyLimitUsdCents,
+        code
+      );
+      outputResult({
+        status: "daily_limit_set",
+        dailyLimitUsd: (dailyLimitUsdCents / 100).toFixed(2)
+      });
+      break;
+    }
+    case "tx_send":
+    case "2fa_uninstall": {
+      if (!pending.challengeId) throw new Error("Missing challengeId for tx/2fa action.");
+      spinner.text = "Verifying OTP...";
+      const { userOp: userOpJson, entryPoint } = pending.data;
+      const userOp = deserializeUserOp2(userOpJson);
+      const authSessionId = pending.authSessionId;
+      await hookService.verifySecurityOtp(
+        account.address,
+        account.chainId,
+        pending.challengeId,
+        code,
+        authSessionId
+      );
+      spinner.text = "Retrying authorization...";
+      const hookResult = await hookService.getHookSignature(
+        account.address,
+        account.chainId,
+        entryPoint,
+        userOp,
+        authSessionId
+      );
+      if (hookResult.error) {
+        throw new Error(`Authorization failed after OTP: ${hookResult.error.message}`);
+      }
+      const hookAddress = SECURITY_HOOK_ADDRESS_MAP[account.chainId];
+      if (!hookAddress) throw new Error(`SecurityHook not deployed on chain ${account.chainId}.`);
+      const { packedHash, validationData } = await ctx.sdk.getUserOpHash(userOp);
+      const rawSignature = await ctx.keyring.signDigest(packedHash);
+      userOp.signature = await ctx.sdk.packUserOpSignatureWithHook(
+        rawSignature,
+        validationData,
+        hookAddress,
+        hookResult.signature
+      );
+      spinner.text = "Sending UserOp...";
+      const opHash = await ctx.sdk.sendUserOp(userOp);
+      spinner.text = "Waiting for receipt...";
+      const receipt = await ctx.sdk.waitForReceipt(opHash);
+      if (!receipt.success) {
+        throw new Error(`Transaction reverted: ${receipt.reason ?? "unknown"}`);
+      }
+      spinner.stop();
+      outputResult({
+        status: pending.action === "tx_send" ? "sent" : "uninstalled",
+        userOpHash: opHash,
+        transactionHash: receipt.transactionHash
+      });
+      break;
+    }
+    default:
+      throw new Error(`Unknown action: ${pending.action}`);
   }
 }
+function deserializeUserOp2(raw) {
+  return {
+    sender: raw.sender,
+    nonce: BigInt(raw.nonce ?? "0x0"),
+    factory: raw.factory ?? null,
+    factoryData: raw.factoryData ?? null,
+    callData: raw.callData,
+    callGasLimit: BigInt(raw.callGasLimit ?? "0x0"),
+    verificationGasLimit: BigInt(raw.verificationGasLimit ?? "0x0"),
+    preVerificationGas: BigInt(raw.preVerificationGas ?? "0x0"),
+    maxFeePerGas: BigInt(raw.maxFeePerGas ?? "0x0"),
+    maxPriorityFeePerGas: BigInt(raw.maxPriorityFeePerGas ?? "0x0"),
+    paymaster: raw.paymaster ?? null,
+    paymasterVerificationGasLimit: raw.paymasterVerificationGasLimit ? BigInt(raw.paymasterVerificationGasLimit) : null,
+    paymasterPostOpGasLimit: raw.paymasterPostOpGasLimit ? BigInt(raw.paymasterPostOpGasLimit) : null,
+    paymasterData: raw.paymasterData ?? null,
+    signature: raw.signature ?? "0x"
+  };
+}
 
 // src/commands/config.ts
 var KEY_MAP = {
@@ -4430,7 +4684,7 @@ import { execSync } from "child_process";
 import { createRequire } from "module";
 function resolveVersion() {
   if (true) {
-    return "0.5.3";
+    return "0.6.1";
   }
   try {
     const require2 = createRequire(import.meta.url);
@@ -4443,7 +4697,7 @@ function resolveVersion() {
 var VERSION = resolveVersion();
 
 // src/commands/update.ts
-import ora6 from "ora";
+import ora7 from "ora";
 import chalk2 from "chalk";
 import { realpathSync } from "fs";
 import { fileURLToPath } from "url";
@@ -4519,7 +4773,7 @@ function registerUpdateCommand(program2) {
     }
   });
   updateCmd.action(async () => {
-    const spinner = ora6("Checking for updates\u2026").start();
+    const spinner = ora7("Checking for updates\u2026").start();
     try {
       const latest = await fetchLatestVersion();
       const cmp = compareSemver(VERSION, latest);
@@ -4550,6 +4804,41 @@ function registerUpdateCommand(program2) {
   });
 }
 
+// src/commands/prune.ts
+import { rm } from "fs/promises";
+import { join as join3 } from "path";
+import { homedir as homedir2 } from "os";
+var DATA_DIR = join3(homedir2(), ".elytro");
+async function runPrune() {
+  try {
+    const keyringProvider = new KeyringProvider();
+    try {
+      await keyringProvider.delete();
+    } catch {
+    }
+    const fileProvider = new FileProvider(DATA_DIR);
+    try {
+      await fileProvider.delete();
+    } catch {
+    }
+    try {
+      await rm(DATA_DIR, { recursive: true, force: true });
+    } catch (err) {
+      const code = err.code;
+      if (code !== "ENOENT") {
+        throw err;
+      }
+    }
+    outputResult({
+      status: "pruned",
+      dataDir: DATA_DIR,
+      hint: "All local data cleared. Run `elytro init` to create a new wallet."
+    });
+  } catch (err) {
+    outputError(-32e3, err.message);
+  }
+}
+
 // src/index.ts
 var program = new Command();
 program.name("elytro").description("Elytro \u2014 ERC-4337 Smart Account Wallet CLI").version(VERSION).addHelpText(
@@ -4557,6 +4846,10 @@ program.name("elytro").description("Elytro \u2014 ERC-4337 Smart Account Wallet
   "\nLearn how to use Elytro skills: https://github.com/Elytro-eth/skills\n"
 );
 async function main() {
+  if (process.argv.includes("prune")) {
+    await runPrune();
+    return;
+  }
   let ctx = null;
   try {
     ctx = await createAppContext();
@@ -4565,6 +4858,7 @@ async function main() {
     registerTxCommand(program, ctx);
     registerQueryCommand(program, ctx);
     registerSecurityCommand(program, ctx);
+    registerOtpCommand(program, ctx);
     registerConfigCommand(program, ctx);
     registerUpdateCommand(program);
     await program.parseAsync(process.argv);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytro/cli",
-  "version": "0.5.3",
+  "version": "0.6.1",
   "description": "Elytro ERC-4337 Smart Account Wallet CLI",
   "type": "module",
   "bin": {