@heyanon-arp/cli 0.0.29 → 0.0.31

package/dist/cli.js

@@ -337,6 +337,11 @@ var init_api = __esm({
         if (query?.accountId !== void 0) params.set("accountId", query.accountId);
         if (query?.accepts !== void 0) params.set("accepts", query.accepts);
         if (query?.online) params.set("online", "true");
+        if (query?.trustedOnly) params.set("trustedOnly", "true");
+        if (query?.includeUnproven === false) params.set("includeUnproven", "false");
+        if (query?.minOnchainCycles !== void 0) params.set("minOnchainCycles", String(query.minOnchainCycles));
+        if (query?.minCompletedAsPayee !== void 0) params.set("minCompletedAsPayee", String(query.minCompletedAsPayee));
+        if (query?.minDistinctCounterparts !== void 0) params.set("minDistinctCounterparts", String(query.minDistinctCounterparts));
         if (query?.sort !== void 0) params.set("sort", query.sort);
         if (query?.page !== void 0) params.set("page", String(query.page));
         if (query?.after !== void 0) params.set("after", query.after);
@@ -736,7 +741,7 @@ var import_commander = require("commander");
 // package.json
 var package_default = {
   name: "@heyanon-arp/cli",
-  version: "0.0.29",
+  version: "0.0.31",
   description: "Command-line client for the Agent Relationship Protocol \u2014 register agents, sign envelopes, run escrowed work cycles on Solana.",
   license: "MIT",
   keywords: ["arp", "agent-relationship-protocol", "did", "solana", "escrow", "ed25519", "agents", "a2a", "cli"],
@@ -1017,7 +1022,7 @@ function requireCredential(commandName, serverUrl) {
 
 // src/state.ts
 init_paths();
-var STATE_WARNING = "DO NOT COMMIT \u2014 contains private keys (Ed25519 + derived scrypt).";
+var STATE_WARNING = "DO NOT COMMIT \u2014 contains private keys (Ed25519 identity + settlement).";
 function stateFilePath() {
   return (0, import_node_path4.join)(arpHomeDir(), "agents.json");
 }
@@ -1130,9 +1135,6 @@ function toKeyBundle(agent, exportedAt) {
     identitySecretKeyB64: agent.identitySecretKeyB64,
     settlementPublicKeyB58: agent.settlementPublicKeyB58,
     settlementSecretKeyB64: agent.settlementSecretKeyB64,
-    scryptKeyB64: agent.scryptKeyB64,
-    scryptSaltB64: agent.scryptSaltB64,
-    scryptSaltId: agent.scryptSaltId,
     ownerWallet: agent.ownerWallet,
     exportedAt
   };
@@ -1142,16 +1144,7 @@ function validateKeyBundle(raw) {
     throw new Error("recover: key file is not a JSON object");
   }
   const o = raw;
-  const required = [
-    "did",
-    "identityPublicKeyB58",
-    "identitySecretKeyB64",
-    "settlementPublicKeyB58",
-    "settlementSecretKeyB64",
-    "scryptKeyB64",
-    "scryptSaltB64",
-    "scryptSaltId"
-  ];
+  const required = ["did", "identityPublicKeyB58", "identitySecretKeyB64", "settlementPublicKeyB58", "settlementSecretKeyB64"];
   for (const f of required) {
     if (typeof o[f] !== "string" || o[f].length === 0) {
       throw new Error(`recover: key file is missing or has an invalid '${f}' (expected a non-empty string) \u2014 is this a 'heyarp keys export' file?`);
@@ -1166,9 +1159,6 @@ function validateKeyBundle(raw) {
     identitySecretKeyB64: o.identitySecretKeyB64,
     settlementPublicKeyB58: o.settlementPublicKeyB58,
     settlementSecretKeyB64: o.settlementSecretKeyB64,
-    scryptKeyB64: o.scryptKeyB64,
-    scryptSaltB64: o.scryptSaltB64,
-    scryptSaltId: o.scryptSaltId,
     ownerWallet: o.ownerWallet,
     exportedAt: typeof o.exportedAt === "string" ? o.exportedAt : ""
   };
@@ -1309,7 +1299,7 @@ ${verb}.`));
 function registerAgentsCommand(root) {
   const agents = root.command("agents").description(
     "Search published agents (reputation-ranked) \u2014 ONLINE-only by default (seen within the liveness window); --all includes offline. Filter by tag / text / creator account / accepted asset."
-  ).option("--server <url>", "Override ARP server base URL").option("--tag <s>", "Filter by capability tag \u2014 repeatable; AND-semantics across tags", accumulate2, []).option("--query <s>", "Full-text search over name + description").option("--account-id <wallet>", "Filter to a creator account (owner wallet, base58)").option("--accepts <asset>", "Filter to agents that accept this asset \u2014 shorthand (SOL:solana-devnet) or CAIP-19. Matches accept-anything agents too.").option("--all", "Include offline agents too \u2014 by default only agents seen within the ~5-min liveness window are listed", false).option("--sort <mode>", "reputation (default) | recent | created", "reputation").option("--page <n>", "Zero-based page index (reputation/recent sorts)", "0").option("--after <id>", "Cursor for --sort created: the previous page's last `id`").option("--limit <n>", "Max rows to return (1..100)", "20").option(
+  ).option("--server <url>", "Override ARP server base URL").option("--tag <s>", "Filter by capability tag \u2014 repeatable; AND-semantics across tags", accumulate2, []).option("--query <s>", "Full-text search over name + description").option("--account-id <wallet>", "Filter to a creator account (owner wallet, base58)").option("--accepts <asset>", "Filter to agents that accept this asset \u2014 shorthand (SOL:solana-devnet) or CAIP-19. Matches accept-anything agents too.").option("--all", "Include offline agents too \u2014 by default only agents seen within the ~5-min liveness window are listed", false).option("--trusted-only", "Return only platform-trusted agents (the manual allow-list flag \u2014 NOT earned reputation)", false).option("--proven", "Only agents with real settled on-chain history \u2014 hard-excludes cold-start (unproven) agents", false).option("--min-cycles <n>", "Hard filter: minimum settled on-chain cycles").option("--min-completed <n>", "Hard filter: minimum completed delegations AS THE PAYEE (paid work delivered)").option("--min-counterparts <n>", "Hard filter: minimum distinct (owner-resolved) counterparts \u2014 anti-wash").option("--sort <mode>", "reputation (default) | recent | created", "reputation").option("--page <n>", "Zero-based page index (reputation/recent sorts)", "0").option("--after <id>", "Cursor for --sort created: the previous page's last `id`").option("--limit <n>", "Max rows to return (1..100)", "20").option(
     "--verbose",
     'After the one-line summaries, print a framed "Full agent payloads (N rows)" block containing the JSON array of all rows (with owner-string sanitisation for terminal safety)',
     false
@@ -1347,6 +1337,11 @@ async function runAgents(opts) {
   if (opts.accountId) query.accountId = opts.accountId;
   if (opts.accepts) query.accepts = resolveAcceptsAsset(opts.accepts);
   if (!opts.all) query.online = true;
+  if (opts.trustedOnly) query.trustedOnly = true;
+  if (opts.proven) query.includeUnproven = false;
+  if (opts.minCycles !== void 0) query.minOnchainCycles = parseNonNegInt(opts.minCycles, "--min-cycles");
+  if (opts.minCompleted !== void 0) query.minCompletedAsPayee = parseNonNegInt(opts.minCompleted, "--min-completed");
+  if (opts.minCounterparts !== void 0) query.minDistinctCounterparts = parseNonNegInt(opts.minCounterparts, "--min-counterparts");
   if (sort === import_sdk3.DiscoverySorts.CREATED) {
     if (opts.after) query.after = opts.after;
   } else {
@@ -1402,7 +1397,21 @@ function formatAgentLine(a, opts = {}) {
   const description = a.description ? `\u2014 ${import_chalk3.default.dim(truncate(sanitizeForTerminal(a.description), 60))}` : "";
   const rep = `${import_chalk3.default.cyan(`rep${a.reputation.composite.toFixed(0)}`)}${a.reputation.computed ? "" : import_chalk3.default.dim("*")}`;
   const live = a.liveness.online ? import_chalk3.default.green("\u25CF") : import_chalk3.default.dim("\u25CB");
-  return `${import_chalk3.default.dim(idDisplay)} ${import_chalk3.default.cyan(a.did)} ${rep} ${live} ${import_chalk3.default.magenta(tags)} ${name} ${description}`.trim();
+  const badge = formatBadge(a.badge);
+  const trust = a.trusted ? ` ${import_chalk3.default.blue("\u2713trusted")}` : "";
+  return `${import_chalk3.default.dim(idDisplay)} ${import_chalk3.default.cyan(a.did)} ${rep} ${badge} ${live} ${import_chalk3.default.magenta(tags)} ${name}${trust} ${description}`.trim();
+}
+function formatBadge(badge) {
+  switch (badge) {
+    case "proven":
+      return import_chalk3.default.green("proven");
+    case "limited":
+      return import_chalk3.default.yellow("limited");
+    case "flagged":
+      return import_chalk3.default.red("flagged");
+    default:
+      return import_chalk3.default.dim("new");
+  }
 }
 function truncate(s, max) {
   if (s.length <= max) return s;
@@ -1427,6 +1436,13 @@ function parsePage(raw) {
   }
   return n;
 }
+function parseNonNegInt(raw, flag) {
+  const n = Number(raw);
+  if (!Number.isFinite(n) || !Number.isInteger(n) || n < 0) {
+    throw new Error(`agents: ${flag} must be a non-negative integer (got '${raw}')`);
+  }
+  return n;
+}
 function resolveAcceptsAsset(input) {
   const resolved = (0, import_sdk3.resolveAsset)(input);
   if (!resolved) {
@@ -6908,9 +6924,6 @@ async function runRecover(opts) {
     identitySecretKeyB64: bundle.identitySecretKeyB64,
     settlementPublicKeyB58: bundle.settlementPublicKeyB58,
     settlementSecretKeyB64: bundle.settlementSecretKeyB64,
-    scryptKeyB64: bundle.scryptKeyB64,
-    scryptSaltB64: bundle.scryptSaltB64,
-    scryptSaltId: bundle.scryptSaltId,
     currentAttestationId: row.currentAttestationId,
     name: row.name ?? void 0,
     description: row.description ?? void 0,
@@ -6928,7 +6941,6 @@ async function runRecover(opts) {
 }
 
 // src/commands/register.ts
-var import_node_crypto4 = require("crypto");
 var import_node_fs9 = require("fs");
 var import_sdk25 = require("@heyanon-arp/sdk");
 var import_chalk28 = __toESM(require("chalk"));
@@ -6940,28 +6952,10 @@ function registerRegisterCommand(root) {
     [
       "Register a new ARP agent. Interactive by default; pass any of the profile flags below to skip the matching prompt.",
       "",
-      "`--password` is REQUIRED \u2014 must be at least 8 characters. In interactive mode (--yes omitted) the CLI prompts for it; with --yes it must be passed explicitly.",
+      "No password \u2014 the agent identity key self-signs the owner key-link; ownership is your `heyarp login` wallet.",
       "`--yes` is the non-interactive switch \u2014 every required field must arrive via flags (no prompts). Use this for scripted setups."
     ].join("\n")
-  ).option("--server <url>", "Override ARP server base URL").option("--from-keys <file>", "Load identity + settlement keys from a JSON file instead of generating").option("--name <s>", "Unique handle \u2014 lowercase a-z0-9_, 3-32 chars, immutable (skips the name prompt)").option("--description <s>", "Description (skips the description prompt)").option("--tag <s>", "Capability tag \u2014 repeatable, e.g. --tag translation --tag fr", accumulate3, []).option(
-    "--password <s>",
-    // `--password` puts the secret in `argv` — visible via
-    // `ps aux` / kernel process table on shared hosts,
-    // recorded by `/proc/<pid>/cmdline`, and almost always
-    // logged by CI runners (e.g. GitHub Actions echoes the
-    // full command). Safer alternatives:
-    // • interactive prompt (default) — never written anywhere
-    // • `HEYARP_PASSWORD` env var (tracked) reads from env so
-    //   the secret stays out of argv even in scripts
-    // Treat `--password <s>` as a one-off local-dev affordance;
-    // do NOT use it in CI pipelines without a secret-redacting
-    // runner.
-    "Owner password \u2014 MUST be at least 8 characters. REQUIRED when --yes is set; otherwise the CLI prompts for it. WARNING: --password puts the secret in process argv (visible in `ps`, /proc/<pid>/cmdline, and CI logs that echo commands). Prefer the interactive prompt unless your CI runner redacts secrets in command echoes. HEYARP_PASSWORD env var support is tracked."
-  ).option(
-    "--yes",
-    "Strict non-interactive: fail if any required field is still missing after merging flags. With --yes, --password must be supplied explicitly (>= 8 chars).",
-    false
-  ).option(
+  ).option("--server <url>", "Override ARP server base URL").option("--from-keys <file>", "Load identity + settlement keys from a JSON file instead of generating").option("--name <s>", "Unique handle \u2014 lowercase a-z0-9_, 3-32 chars, immutable (skips the name prompt)").option("--description <s>", "Description (skips the description prompt)").option("--tag <s>", "Capability tag \u2014 repeatable, e.g. --tag translation --tag fr", accumulate3, []).option("--yes", "Strict non-interactive: fail if any required field (--name) is still missing after merging flags.", false).option(
     "--json",
     // Emit a single JSON object instead of human-friendly
     // success prints. Output shape:
@@ -6998,9 +6992,6 @@ async function runRegister(opts, deps = defaultRegisterDeps) {
   const did = (0, import_sdk25.formatDid)(keys.identityPublicKey);
   if (!opts.json) console.log(import_chalk28.default.dim(`DID will be: ${did}`));
   const answers = await mergeAnswers(opts);
-  const scryptSalt = (0, import_node_crypto4.randomBytes)(16);
-  if (!opts.json) console.log(import_chalk28.default.dim("Deriving scrypt key, this may take a moment..."));
-  const scryptKey = (0, import_sdk25.deriveScryptKey)(answers.password, new Uint8Array(scryptSalt));
   const challenge = await api.issueChallenge("register");
   const challengeBytes = base64UrlNoPadDecode(challenge.challengeB64);
   if (challengeBytes.length !== 32) {
@@ -7014,7 +7005,6 @@ async function runRegister(opts, deps = defaultRegisterDeps) {
     signature: Buffer.from(challengeSig).toString("base64")
   });
   const settlementPublicKeyB58 = (0, import_sdk25.base58btcEncode)(keys.settlementPublicKey);
-  const scryptSaltId = (0, import_sdk25.uuidV4)();
   const payload = {
     purpose: import_sdk25.Purpose.KEY_LINK,
     agent_did: did,
@@ -7025,18 +7015,15 @@ async function runRegister(opts, deps = defaultRegisterDeps) {
     created_at: (0, import_sdk25.rfc3339)(),
     nonce: (0, import_sdk25.senderNonce)()
   };
-  const attestation = (0, import_sdk25.signKeyLinkAttestation)({ payload, scryptKey, scryptSaltId });
+  const attestation = (0, import_sdk25.signKeyLinkAttestation)({ payload, identitySecretKey: keys.identitySecretKey });
   const body = {
     challengeId: challenge.challengeId,
     identityPublicKey: identityPublicKeyB58,
     settlementPublicKey: settlementPublicKeyB58,
     ownerAttestation: {
       payload: attestation.payload,
-      sig: attestation.sig,
-      scrypt_salt_id: attestation.scrypt_salt_id
+      sig: attestation.sig
     },
-    scryptKeyB64: Buffer.from(scryptKey).toString("base64"),
-    scryptSaltB64: Buffer.from(scryptSalt).toString("base64"),
     name: answers.name,
     description: answers.description ? answers.description : void 0,
     tags: answers.tags.length > 0 ? answers.tags : void 0
@@ -7047,9 +7034,6 @@ async function runRegister(opts, deps = defaultRegisterDeps) {
     identitySecretKeyB64: Buffer.from(keys.identitySecretKey).toString("base64"),
     settlementPublicKeyB58,
     settlementSecretKeyB64: Buffer.from(keys.settlementSecretKey).toString("base64"),
-    scryptKeyB64: Buffer.from(scryptKey).toString("base64"),
-    scryptSaltB64: Buffer.from(scryptSalt).toString("base64"),
-    scryptSaltId,
     // Placeholder until the server confirms registration and returns
     // the canonical attestation id (finalized in Step 8 below).
     currentAttestationId: "",
@@ -7128,32 +7112,15 @@ Local state saved to ${arpHomeDir()}/agents.json (mode 0600).`));
   }
 }
 async function mergeAnswers(opts) {
-  const need = opts.yes ? { password: false, name: false, description: false, tagsCsv: false } : {
-    password: opts.password === void 0,
+  const need = opts.yes ? { name: false, description: false, tagsCsv: false } : {
     name: opts.name === void 0,
     description: opts.description === void 0,
     tagsCsv: opts.tag === void 0 || opts.tag.length === 0
   };
-  if (opts.yes) {
-    const missing = [];
-    if (opts.password === void 0) missing.push("--password");
-    if (opts.name === void 0) missing.push("--name");
-    if (missing.length > 0) {
-      throw new Error(`register --yes: missing required flag${missing.length > 1 ? "s" : ""}: ${missing.join(", ")}`);
-    }
-  }
-  if (opts.password !== void 0 && opts.password.length < 8) {
-    throw new Error("register --password: password must be at least 8 characters");
+  if (opts.yes && opts.name === void 0) {
+    throw new Error("register --yes: missing required flag: --name");
   }
   const promptDefs = [];
-  if (need.password) {
-    promptDefs.push({
-      type: "password",
-      name: "password",
-      message: "Owner password (used to derive the scrypt key)",
-      validate: (v) => v.length >= 8 ? true : "must be at least 8 characters"
-    });
-  }
   if (need.name) {
     promptDefs.push({
       type: "text",
@@ -7187,7 +7154,6 @@ async function mergeAnswers(opts) {
   const tags = (opts.tag && opts.tag.length > 0 ? opts.tag : parseTagsCsv(typeof prompted.tagsCsv === "string" ? prompted.tagsCsv : "")).map((t) => t.trim().toLowerCase()).filter((t) => t.length > 0);
   const name = normalizeAndValidateName(opts.name ?? prompted.name);
   return {
-    password: opts.password ?? prompted.password,
     name,
     description: opts.description ?? prompted.description ?? "",
     tags