@ilalv3/cli 0.1.0

package/dist/commands/proof.js

@@ -0,0 +1,132 @@
+import { readFileSync } from "fs";
+import { createPublicClient, createWalletClient, encodeAbiParameters, http, isAddress, } from "viem";
+import { privateKeyToAccount } from "viem/accounts";
+import { base, baseSepolia } from "viem/chains";
+import { fmt, log, die } from "../ui.js";
+const CHAINS = { "8453": base, "84532": baseSepolia };
+const CNF_ISSUER_ABI = [
+    {
+        name: "mintWithProof",
+        type: "function",
+        stateMutability: "nonpayable",
+        inputs: [
+            { name: "proof", type: "bytes" },
+            { name: "publicInputs", type: "uint256[]" },
+        ],
+        outputs: [{ name: "tokenId", type: "uint256" }],
+    },
+    {
+        name: "renewWithProof",
+        type: "function",
+        stateMutability: "nonpayable",
+        inputs: [
+            { name: "proof", type: "bytes" },
+            { name: "publicInputs", type: "uint256[]" },
+        ],
+        outputs: [],
+    },
+    {
+        name: "isValid",
+        type: "function",
+        stateMutability: "view",
+        inputs: [{ name: "wallet", type: "address" }],
+        outputs: [{ type: "bool" }],
+    },
+];
+function loadSnarkjsProof(proofPath, publicPath) {
+    let rawProof;
+    let rawPublic;
+    try {
+        rawProof = JSON.parse(readFileSync(proofPath, "utf8"));
+    }
+    catch {
+        die(`Cannot read proof file: ${proofPath}`);
+    }
+    try {
+        rawPublic = JSON.parse(readFileSync(publicPath, "utf8"));
+    }
+    catch {
+        die(`Cannot read public inputs file: ${publicPath}`);
+    }
+    if (rawProof.protocol !== "groth16") {
+        log.warn(`Unexpected proof protocol: ${rawProof.protocol} (expected groth16)`);
+    }
+    // snarkjs bn128 proofs store G2 points in reversed coordinate order
+    const a = [BigInt(rawProof.pi_a[0]), BigInt(rawProof.pi_a[1])];
+    const b = [
+        [BigInt(rawProof.pi_b[0][1]), BigInt(rawProof.pi_b[0][0])],
+        [BigInt(rawProof.pi_b[1][1]), BigInt(rawProof.pi_b[1][0])],
+    ];
+    const c = [BigInt(rawProof.pi_c[0]), BigInt(rawProof.pi_c[1])];
+    const proofBytes = encodeAbiParameters([
+        { type: "uint256[2]" },
+        { type: "uint256[2][2]" },
+        { type: "uint256[2]" },
+    ], [a, b, c]);
+    const publicInputs = rawPublic.map((x) => BigInt(x));
+    return { proofBytes, publicInputs };
+}
+export async function proofMint(opts) {
+    await sendProofTx("mint", opts);
+}
+export async function proofRenew(opts) {
+    await sendProofTx("renew", opts);
+}
+async function sendProofTx(mode, opts) {
+    const rawKey = opts.privateKey ?? process.env["PRIVATE_KEY"];
+    if (!rawKey)
+        die("Private key required. Use --private-key or set PRIVATE_KEY env var.");
+    if (!isAddress(opts.issuer))
+        die(`Invalid issuer address: ${opts.issuer}`);
+    const chain = CHAINS[opts.chain] ?? baseSepolia;
+    const account = privateKeyToAccount(rawKey);
+    const transport = opts.rpc ? http(opts.rpc) : http();
+    const publicClient = createPublicClient({ chain, transport });
+    const walletClient = createWalletClient({ account, chain, transport });
+    console.log();
+    console.log(fmt.bold(`  ILAL Credential ZK ${mode === "mint" ? "Mint" : "Renew"}`));
+    log.line();
+    log.kv("wallet", account.address);
+    log.kv("issuer", opts.issuer);
+    log.kv("chain", chain.name);
+    log.kv("proof", opts.proof);
+    log.kv("public", opts.public);
+    log.line();
+    log.step("Loading snarkjs proof…");
+    const { proofBytes, publicInputs } = loadSnarkjsProof(opts.proof, opts.public);
+    log.ok(`Proof loaded — ${publicInputs.length} public input(s)`);
+    // Show key public input fields (PI_WALLET_HASH=0, PI_EXPIRES_AT=3)
+    if (publicInputs.length > 0)
+        log.kv("walletHash (PI[0])", publicInputs[0].toString(16).slice(0, 16) + "…");
+    if (publicInputs.length > 3) {
+        const expiresAt = Number(publicInputs[3]);
+        log.kv("expiresAt (PI[3])", new Date(expiresAt * 1000).toISOString());
+    }
+    log.line();
+    log.step(`Sending ${mode === "mint" ? "mintWithProof" : "renewWithProof"} transaction…`);
+    const hash = await walletClient.writeContract({
+        address: opts.issuer,
+        abi: CNF_ISSUER_ABI,
+        functionName: mode === "mint" ? "mintWithProof" : "renewWithProof",
+        args: [proofBytes, publicInputs],
+    });
+    log.step(`Tx sent: ${hash}`);
+    log.step("Waiting for confirmation…");
+    const receipt = await publicClient.waitForTransactionReceipt({ hash });
+    if (receipt.status === "success") {
+        log.ok(fmt.bold(fmt.green(`CNF ${mode === "mint" ? "minted" : "renewed"} via ZK proof`)));
+        log.kv("tx hash", hash);
+        log.kv("block", receipt.blockNumber.toString());
+        const valid = await publicClient.readContract({
+            address: opts.issuer,
+            abi: CNF_ISSUER_ABI,
+            functionName: "isValid",
+            args: [account.address],
+        });
+        log.kv("isValid()", valid ? fmt.green("true") : fmt.red("false"));
+    }
+    else {
+        die(`Transaction reverted. Hash: ${hash}`);
+    }
+    console.log();
+}

package/dist/commands/prove.d.ts

@@ -0,0 +1,26 @@
+/**
+ * prove.ts — `ilal credential prove`
+ *
+ * All-in-one command: builds Merkle tree, generates Groth16 ZK proof,
+ * (optionally) updates the on-chain merkleRoot, then mints or renews the CNF.
+ *
+ * Usage:
+ *   ilal credential prove \
+ *     --wallet  0x1b869... \
+ *     --issuer  0x319c0... \
+ *     --chain   84532 \
+ *     --action  mint          # or renew (default: auto-detect)
+ *     --update-root           # call setMerkleRoot before minting
+ *     --circuit-dir ./circuits/build
+ */
+export declare function credentialProve(opts: {
+    wallet?: string;
+    issuer?: string;
+    chain?: string;
+    action?: string;
+    updateRoot: boolean;
+    circuitDir?: string;
+    outDir?: string;
+    rpc?: string;
+    privateKey?: string;
+}): Promise<void>;

package/dist/commands/prove.js

@@ -0,0 +1,292 @@
+/**
+ * prove.ts — `ilal credential prove`
+ *
+ * All-in-one command: builds Merkle tree, generates Groth16 ZK proof,
+ * (optionally) updates the on-chain merkleRoot, then mints or renews the CNF.
+ *
+ * Usage:
+ *   ilal credential prove \
+ *     --wallet  0x1b869... \
+ *     --issuer  0x319c0... \
+ *     --chain   84532 \
+ *     --action  mint          # or renew (default: auto-detect)
+ *     --update-root           # call setMerkleRoot before minting
+ *     --circuit-dir ./circuits/build
+ */
+import { execSync } from "child_process";
+import { mkdirSync, writeFileSync, readFileSync } from "fs";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+import { createPublicClient, createWalletClient, encodeAbiParameters, http, isAddress, keccak256, } from "viem";
+import { privateKeyToAccount } from "viem/accounts";
+import { base, baseSepolia } from "viem/chains";
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-ignore — no bundled types for this package
+import { IncrementalMerkleTree } from "@zk-kit/incremental-merkle-tree";
+import { poseidon2, poseidon4 } from "poseidon-lite";
+import { fmt, log, header, Spinner, die, dieOnContract } from "../ui.js";
+import { withConfig } from "../config.js";
+import { COINBASE_SCHEMA_UID } from "../constants.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const CHAINS = { "8453": base, "84532": baseSepolia };
+const DEPTH = 20;
+// ─── ABI ──────────────────────────────────────────────────────────────────────
+const CNF_ABI = [
+    {
+        name: "mintWithProof", type: "function", stateMutability: "nonpayable",
+        inputs: [{ name: "proof", type: "bytes" }, { name: "publicInputs", type: "uint256[]" }],
+        outputs: [{ name: "tokenId", type: "uint256" }],
+    },
+    {
+        name: "renewWithProof", type: "function", stateMutability: "nonpayable",
+        inputs: [{ name: "proof", type: "bytes" }, { name: "publicInputs", type: "uint256[]" }],
+        outputs: [],
+    },
+    {
+        name: "setMerkleRoot", type: "function", stateMutability: "nonpayable",
+        inputs: [{ name: "_root", type: "uint256" }],
+        outputs: [],
+    },
+    {
+        name: "isValid", type: "function", stateMutability: "view",
+        inputs: [{ name: "wallet", type: "address" }],
+        outputs: [{ type: "bool" }],
+    },
+    {
+        name: "credentialOf", type: "function", stateMutability: "view",
+        inputs: [{ name: "wallet", type: "address" }],
+        outputs: [{ name: "tokenId", type: "uint256" }],
+    },
+];
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+function addressToField(addr) {
+    return BigInt(addr.toLowerCase());
+}
+function addressToBitsLSBFirst(addr) {
+    const field = addressToField(addr);
+    const bits = [];
+    for (let i = 0; i < 160; i++)
+        bits.push(Number((field >> BigInt(i)) & 1n));
+    return bits;
+}
+/** keccak256(wallet_20_bytes) >> 4  — matches the circuit constraint. */
+function computeWalletHash(walletAddr) {
+    const checksummed = walletAddr;
+    // viem's keccak256 takes hex bytes — the address as 20 raw bytes
+    const hash = keccak256(checksummed);
+    return BigInt(hash) >> 4n;
+}
+function poseidonField(value) {
+    return poseidon2([value, 0n]);
+}
+function schemaHash(schemaUID) {
+    const schemaHex = schemaUID.replace("0x", "").padStart(64, "0");
+    const schemaLo = BigInt("0x" + schemaHex.slice(32));
+    const schemaHi = BigInt("0x" + schemaHex.slice(0, 32));
+    return poseidon2([schemaLo, schemaHi]);
+}
+function findCircuitDir(override) {
+    if (override)
+        return resolve(override);
+    // Look relative to the CLI package root (cli/ → circuits/build)
+    const candidates = [
+        resolve(__dirname, "../../../../circuits/build"), // dev: cli/src/commands → circuits/build
+        resolve(__dirname, "../../../circuits/build"),
+        resolve(process.cwd(), "circuits/build"),
+        resolve(process.cwd(), "build"),
+    ];
+    for (const p of candidates) {
+        try {
+            readFileSync(resolve(p, "ilal.zkey"));
+            return p;
+        }
+        catch { /* not found */ }
+    }
+    die("Circuit build directory not found.\n" +
+        "  Run: bash circuits/scripts/compile.sh\n" +
+        "  Or pass: --circuit-dir <path/to/circuits/build>");
+}
+function generateProof(opts) {
+    const { walletAddr, issuerAddr, circuitDir, outDir } = opts;
+    mkdirSync(outDir, { recursive: true });
+    const walletField = addressToField(walletAddr);
+    const walletBits = addressToBitsLSBFirst(walletAddr);
+    const walletHash = computeWalletHash(walletAddr);
+    const issuerHash = poseidonField(addressToField(issuerAddr));
+    const schemaHashValue = schemaHash(COINBASE_SCHEMA_UID);
+    const expiresAt = BigInt(Math.floor(Date.now() / 1000) + 90 * 24 * 3600); // +90 days
+    // Build single-leaf Poseidon Merkle tree
+    const leaf = poseidon4([walletField, 2n, 840n, expiresAt]);
+    const tree = new IncrementalMerkleTree(poseidon2, DEPTH, 0n, 2);
+    tree.insert(leaf);
+    const merkleProof = tree.createProof(0);
+    const merkleRoot = tree.root;
+    // Build input.json
+    const input = {
+        walletField: walletField.toString(),
+        walletBits: walletBits.map(String),
+        kycLevel: "2",
+        countryCode: "840",
+        merklePathElements: merkleProof.siblings.map((s) => s[0].toString()),
+        merklePathIndices: merkleProof.pathIndices.map(String),
+        walletHash: walletHash.toString(),
+        issuerHash: issuerHash.toString(),
+        schemaHash: schemaHashValue.toString(),
+        expiresAt: expiresAt.toString(),
+        revealFlags: "0",
+        merkleRoot: merkleRoot.toString(),
+    };
+    const inputPath = resolve(outDir, "input.json");
+    const wtnsPath = resolve(outDir, "witness.wtns");
+    const proofPath = resolve(outDir, "proof.json");
+    const publicPath = resolve(outDir, "public.json");
+    const wasmPath = resolve(circuitDir, "ilal_js/ilal.wasm");
+    const witnessJs = resolve(circuitDir, "ilal_js/generate_witness.js");
+    const zkeyPath = resolve(circuitDir, "ilal.zkey");
+    writeFileSync(inputPath, JSON.stringify(input, null, 2));
+    // Generate witness
+    execSync(`node "${witnessJs}" "${wasmPath}" "${inputPath}" "${wtnsPath}"`, {
+        stdio: "pipe",
+        cwd: dirname(witnessJs),
+    });
+    // Generate proof
+    execSync(`npx snarkjs groth16 prove "${zkeyPath}" "${wtnsPath}" "${proofPath}" "${publicPath}"`, {
+        stdio: "pipe",
+    });
+    // Verify locally
+    const vkeyPath = resolve(circuitDir, "ilal_vkey.json");
+    execSync(`npx snarkjs groth16 verify "${vkeyPath}" "${publicPath}" "${proofPath}"`, {
+        stdio: "pipe",
+    });
+    const publicJson = JSON.parse(readFileSync(publicPath, "utf8"));
+    // Read merkleRoot from circuit output (public.json[5]) — guaranteed to match
+    // what we'll pass to the contract, eliminating any JS/circuit hash discrepancy.
+    const circuitMerkleRoot = BigInt(publicJson[5]);
+    return {
+        proofJson: JSON.parse(readFileSync(proofPath, "utf8")),
+        publicJson,
+        merkleRoot: circuitMerkleRoot,
+    };
+}
+function encodeProof(proofJson, publicJson) {
+    const p = proofJson;
+    const a = [BigInt(p.pi_a[0]), BigInt(p.pi_a[1])];
+    const b = [
+        [BigInt(p.pi_b[0][1]), BigInt(p.pi_b[0][0])],
+        [BigInt(p.pi_b[1][1]), BigInt(p.pi_b[1][0])],
+    ];
+    const c = [BigInt(p.pi_c[0]), BigInt(p.pi_c[1])];
+    const proofBytes = encodeAbiParameters([{ type: "uint256[2]" }, { type: "uint256[2][2]" }, { type: "uint256[2]" }], [a, b, c]);
+    return { proofBytes, publicInputs: publicJson.map((x) => BigInt(x)) };
+}
+// ─── Main export ──────────────────────────────────────────────────────────────
+export async function credentialProve(opts) {
+    const cfg = withConfig(opts);
+    const rawKey = cfg.privateKey ?? process.env["PRIVATE_KEY"];
+    if (!rawKey)
+        die("Private key required. Use --private-key or set PRIVATE_KEY env var.");
+    if (!cfg.wallet)
+        die("Wallet address required. Use --wallet or set issuer in .ilal.json");
+    if (!cfg.issuer)
+        die("Issuer address required. Use --issuer or run `ilal init`");
+    if (!isAddress(cfg.wallet))
+        die(`Invalid wallet address: ${cfg.wallet}`);
+    if (!isAddress(cfg.issuer))
+        die(`Invalid issuer address: ${cfg.issuer}`);
+    const chain = CHAINS[cfg.chain ?? "84532"] ?? baseSepolia;
+    const account = privateKeyToAccount(rawKey);
+    const transport = cfg.rpc ? http(cfg.rpc) : http();
+    const pubClient = createPublicClient({ chain, transport });
+    const walClient = createWalletClient({ account, chain, transport });
+    header("ILAL Credential ZK Prove", chain.name);
+    log.kv("wallet", fmt.cyan(cfg.wallet));
+    log.kv("issuer", fmt.cyan(cfg.issuer));
+    log.line();
+    // ── Auto-detect mint vs renew ──────────────────────────────────────────────
+    let action = opts.action;
+    if (!action) {
+        const spin = new Spinner("Checking existing credential…").start();
+        const tokenId = await pubClient.readContract({
+            address: cfg.issuer,
+            abi: CNF_ABI,
+            functionName: "credentialOf",
+            args: [cfg.wallet],
+        });
+        action = tokenId === 0n ? "mint" : "renew";
+        spin.succeed(`Action: ${fmt.cyan(action)}${tokenId > 0n ? fmt.gray(` (token #${tokenId})`) : ""}`);
+    }
+    // ── Find circuit build dir ─────────────────────────────────────────────────
+    const circuitDir = findCircuitDir(cfg.circuitDir);
+    const outDir = cfg.outDir
+        ? resolve(cfg.outDir)
+        : resolve(circuitDir, "../../outputs");
+    log.line();
+    // ── Generate proof ─────────────────────────────────────────────────────────
+    const spin = new Spinner("Building Merkle tree & generating ZK proof…").start();
+    let proofResult;
+    try {
+        spin.update("Generating ZK witness…");
+        proofResult = generateProof({ walletAddr: cfg.wallet, issuerAddr: cfg.issuer, circuitDir, outDir });
+        spin.succeed(`Proof generated & verified locally`);
+    }
+    catch (e) {
+        spin.fail("Proof generation failed");
+        die(e instanceof Error ? e.message.split("\n")[0] : String(e));
+    }
+    log.kv("expiresAt", fmt.cyan(new Date((Date.now() + 90 * 24 * 3600 * 1000)).toISOString().split("T")[0]));
+    log.kv("merkleRoot", fmt.gray(proofResult.merkleRoot.toString().slice(0, 22) + "…"));
+    log.line();
+    // ── Update merkle root on-chain ────────────────────────────────────────────
+    if (opts.updateRoot) {
+        const rootSpin = new Spinner("Updating merkleRoot on-chain…").start();
+        try {
+            const rootHash = await walClient.writeContract({
+                address: cfg.issuer,
+                abi: CNF_ABI,
+                functionName: "setMerkleRoot",
+                args: [proofResult.merkleRoot],
+            });
+            await pubClient.waitForTransactionReceipt({ hash: rootHash });
+            rootSpin.succeed(`merkleRoot updated ${fmt.gray(fmt.hash(rootHash))}`);
+        }
+        catch (e) {
+            rootSpin.fail("setMerkleRoot failed");
+            dieOnContract(e);
+        }
+    }
+    // ── Send mint / renew tx ───────────────────────────────────────────────────
+    const { proofBytes, publicInputs } = encodeProof(proofResult.proofJson, proofResult.publicJson);
+    const fnName = action === "mint" ? "mintWithProof" : "renewWithProof";
+    const txSpin = new Spinner(`Sending ${fnName}…`).start();
+    let txHash;
+    try {
+        txHash = await walClient.writeContract({
+            address: cfg.issuer,
+            abi: CNF_ABI,
+            functionName: fnName,
+            args: [proofBytes, publicInputs],
+        });
+        txSpin.update(`Confirming ${fmt.gray(fmt.hash(txHash))}…`);
+        const receipt = await pubClient.waitForTransactionReceipt({ hash: txHash });
+        if (receipt.status !== "success") {
+            txSpin.fail("Transaction reverted");
+            die(`Tx failed: ${txHash}`);
+        }
+        txSpin.succeed(fmt.bold(fmt.green(`CNF ${action === "mint" ? "minted" : "renewed"} via ZK proof`)));
+    }
+    catch (e) {
+        txSpin.fail(`${fnName} failed`);
+        dieOnContract(e);
+    }
+    log.line();
+    log.kv("tx", fmt.gray(txHash));
+    log.kv("block", fmt.gray((await pubClient.getTransactionReceipt({ hash: txHash })).blockNumber.toString()));
+    const valid = await pubClient.readContract({
+        address: cfg.issuer,
+        abi: CNF_ABI,
+        functionName: "isValid",
+        args: [cfg.wallet],
+    });
+    log.kv("isValid()", valid ? fmt.green("✓ true") : fmt.red("✗ false"));
+    console.log();
+}

package/dist/commands/session.d.ts

@@ -0,0 +1,11 @@
+export declare function sessionSign(opts: {
+    user?: string;
+    pool: string;
+    action: string;
+    hook: string;
+    issuer: string;
+    caller?: string;
+    chain: string;
+    ttl: number;
+    privateKey?: string;
+}): Promise<void>;

package/dist/commands/session.js

@@ -0,0 +1,105 @@
+import { createWalletClient, encodeAbiParameters, http, isAddress, isHex, parseAbiParameters, } from "viem";
+import { privateKeyToAccount } from "viem/accounts";
+import { base, baseSepolia } from "viem/chains";
+import { fmt, log, header, die } from "../ui.js";
+const CHAINS = {
+    "8453": base,
+    "84532": baseSepolia,
+};
+const ACTIONS = {
+    swap: 1,
+    addliquidity: 2,
+    removeliquidity: 3,
+};
+const SESSION_TOKEN_TYPE = [
+    { name: "user", type: "address" },
+    { name: "authorizedCaller", type: "address" },
+    { name: "cnfIssuer", type: "address" },
+    { name: "chainId", type: "uint256" },
+    { name: "verifyingHook", type: "address" },
+    { name: "poolId", type: "bytes32" },
+    { name: "action", type: "uint8" },
+    { name: "deadline", type: "uint64" },
+    { name: "nonce", type: "bytes32" },
+];
+const HOOK_DATA_ABI = parseAbiParameters([
+    "(address user, address authorizedCaller, address cnfIssuer, uint256 chainId, address verifyingHook, bytes32 poolId, uint8 action, uint64 deadline, bytes32 nonce) token",
+    "bytes signature",
+]);
+export async function sessionSign(opts) {
+    // Resolve private key
+    const rawKey = opts.privateKey ?? process.env["PRIVATE_KEY"];
+    if (!rawKey)
+        die("Private key required. Use --private-key or set PRIVATE_KEY env var.");
+    if (!isHex(rawKey) || rawKey.length !== 66)
+        die("Invalid private key format (expected 0x + 32 bytes).");
+    const account = privateKeyToAccount(rawKey);
+    const user = (opts.user ?? account.address);
+    const authorizedCaller = (opts.caller ?? user);
+    if (!isAddress(user))
+        die(`Invalid user address: ${user}`);
+    if (!isAddress(authorizedCaller))
+        die(`Invalid authorized caller address: ${authorizedCaller}`);
+    if (!isAddress(opts.hook))
+        die(`Invalid hook address: ${opts.hook}`);
+    if (!isAddress(opts.issuer))
+        die(`Invalid issuer address: ${opts.issuer}`);
+    if (!isHex(opts.pool) || opts.pool.length !== 66)
+        die("poolId must be a 32-byte hex string (0x + 64 chars).");
+    const actionKey = opts.action.toLowerCase().replace(/[^a-z]/g, "");
+    const actionCode = ACTIONS[actionKey];
+    if (actionCode === undefined)
+        die(`Unknown action "${opts.action}". Use: swap | addLiquidity | removeLiquidity`);
+    const chain = CHAINS[opts.chain] ?? baseSepolia;
+    const walletClient = createWalletClient({ account, chain, transport: http() });
+    const deadline = BigInt(Math.floor(Date.now() / 1000) + opts.ttl);
+    const nonce = `0x${Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString("hex")}`;
+    const token = {
+        user,
+        authorizedCaller,
+        cnfIssuer: opts.issuer,
+        chainId: BigInt(chain.id),
+        verifyingHook: opts.hook,
+        poolId: opts.pool,
+        action: actionCode,
+        deadline,
+        nonce: nonce,
+    };
+    header("Session Sign", chain.name);
+    log.section("Session");
+    log.kv("user", fmt.addr(user));
+    log.kv("caller", fmt.addr(authorizedCaller));
+    log.kv("chain", chain.name);
+    log.kv("pool", fmt.hash(opts.pool));
+    log.kv("action", opts.action);
+    log.kv("hook", fmt.addr(opts.hook));
+    log.kv("issuer", fmt.addr(opts.issuer));
+    log.kv("deadline", new Date(Number(deadline) * 1000).toISOString());
+    log.line();
+    log.step("Signing EIP-712 session token locally…");
+    log.step(fmt.gray("(no ILAL API call — pure local operation)"));
+    const signature = await walletClient.signTypedData({
+        account,
+        domain: {
+            name: "ILAL ComplianceHook",
+            version: "1",
+            chainId: BigInt(chain.id),
+            verifyingContract: opts.hook,
+        },
+        types: { SessionToken: SESSION_TOKEN_TYPE },
+        primaryType: "SessionToken",
+        message: token,
+    });
+    const hookData = encodeAbiParameters(HOOK_DATA_ABI, [token, signature]);
+    log.result("Session signed", fmt.badge("local", "green"), "green");
+    log.section("Output");
+    log.kv("signature", fmt.hash(signature));
+    log.kv("hookData", fmt.hash(hookData));
+    log.line();
+    console.log(`  ${fmt.bold("Full hookData")}`);
+    console.log();
+    console.log(`  ${fmt.cyan(hookData)}`);
+    console.log();
+    console.log(fmt.gray("  verifies: caller, deadline, chainId, hook, pool, action, sig, CNF"));
+    console.log();
+}

package/dist/commands/status.d.ts

@@ -0,0 +1,14 @@
+/**
+ * status.ts — `ilal status`
+ *
+ * Dashboard: credential validity, hook config, pool policy — all in one view.
+ */
+export declare function status(opts: {
+    wallet?: string;
+    issuer?: string;
+    hook?: string;
+    registry?: string;
+    pool?: string;
+    chain?: string;
+    rpc?: string;
+}): Promise<void>;