@ilalv3/cli 0.1.2 → 0.2.0

package/README.md

@@ -25,11 +25,12 @@ ilal init
 # 2. Check credential + pool status
 ilal status
 
-# 3. Mint a CNF via ZK proof (adds your wallet to the Merkle tree)
-PRIVATE_KEY=0x... ilal credential prove --wallet 0xYourWallet --update-root
+# 3. Mint a CNF via ZK proof
+#    Requires the issuer root to already include your wallet.
+PRIVATE_KEY=0x... ilal credential prove --wallet 0xYourWallet
 
 # 4. Execute a compliant swap
-PRIVATE_KEY=0x... ilal swap --amount-in 0.001 --token-in 0x60Fa08963dD59724a188A37C7239fA89F97DB17D
+PRIVATE_KEY=0x... ilal swap --amount-in 0.001 --token-in 0x2E0dEd1CF4ec6106079df4eF1200959c2a454f3A --min-amount-out 0
 ```
 
 ## Getting a CNF credential
@@ -49,10 +50,10 @@ PRIVATE_KEY=0x... ilal swap --amount-in 0.001 --token-in 0x60Fa08963dD59724a188A
 ### Path B — ZK proof (privacy-preserving)
 
 ```bash
-PRIVATE_KEY=0x... ilal credential prove --wallet 0xYourWallet --update-root
+PRIVATE_KEY=0x... ilal credential prove --wallet 0xYourWallet
 ```
 
-Generates a Groth16 proof locally (~5s), verifies it on-chain, and mints/renews your CNF without revealing identity.
+Generates a Groth16 proof locally (~5s), verifies it on-chain, and mints/renews your CNF without revealing identity. If the Merkle root does not match, the issuer/operator must queue the updated root with `ilal oracle propose-root --root <newRoot>` and activate it after the timelock.
 
 ## Command reference
 
@@ -60,14 +61,18 @@ Generates a Groth16 proof locally (~5s), verifies it on-chain, and mints/renews
 |---|---|
 | `ilal init` | Create `.ilal.json` with contract addresses |
 | `ilal status` | Dashboard: credential · issuer config · pool policy |
-| `ilal credential prove` | ZK proof → mint or renew CNF (all-in-one) |
+| `ilal credential prove` | Trader flow: local ZK proof → mint or renew CNF |
 | `ilal credential mint` | Mint CNF via Coinbase EAS attestation |
 | `ilal credential renew` | Renew CNF via EAS attestation |
-| `ilal swap` | Compliant swap via ILALRouter |
+| `ilal swap` | Compliant swap via ILALRouter with optional `--min-amount-out` |
 | `ilal pool add-liquidity` | Add liquidity to a compliant pool |
 | `ilal pool remove-liquidity` | Remove liquidity from a compliant pool |
 | `ilal pool policy set` | Register compliance policy for a pool |
 | `ilal pool policy get` | Read pool compliance policy |
+| `ilal oracle propose-root` | Operator flow: queue a new Merkle root behind the 48h timelock |
+| `ilal oracle activate-root` | Operator flow: activate the pending Merkle root after timelock |
+| `ilal oracle propose-verifier` | Operator flow: queue a new ZK verifier behind the 72h timelock |
+| `ilal oracle activate-verifier` | Operator flow: activate the pending ZK verifier after timelock |
 | `ilal session sign` | Sign a standalone SessionToken |
 | `ilal proof mint` | Mint CNF from existing proof.json + public.json |
 | `ilal deploy` | Deploy full ILAL contract stack |
@@ -78,10 +83,10 @@ The CLI reads `.ilal.json` in the current directory. Run `ilal init` to create i
 
 ```bash
 ilal swap \
-  --router    0x35fE5eE12C102e78f5AbfD24cfe803Ad5824ca7F \
-  --hook      0x6a1e3d7441fE8610fB5e2d2066912326457e8A80 \
-  --issuer    0x319c0F1cb46c85B42E051251c4db04BA6BD265a2 \
-  --pool-id   0xab4f3b0242cd9c33e6564b8a63d21eec62b570e7df9e5ce01e88d26b8223fb59 \
+  --router    0xd0aF4D1EFF36CB2a1E88017eA398dCaDe1Ac0040 \
+  --hook      0x6C57b50Ef9286b132066012B19b291FB120ACa80 \
+  --issuer    0xB13AE2498Df62A85768a4b783109C05fCf5A264a \
+  --pool-id   0x16b3e7a5c52216925f705673b3ab25db5e6025da530cf53b3bcb5affeb18d95f \
   --amount-in 0.001
 ```
 
@@ -89,10 +94,10 @@ ilal swap \
 
 | Contract | Address |
 |---|---|
-| CNFIssuer | `0x319c0F1cb46c85B42E051251c4db04BA6BD265a2` |
-| ComplianceHook | `0x6a1e3d7441fE8610fB5e2d2066912326457e8A80` |
-| ILALRouter | `0x35fE5eE12C102e78f5AbfD24cfe803Ad5824ca7F` |
-| PolicyRegistry | `0x72A425672c1D0FA95C75F5073e6DAf72194A1E0F` |
+| CNFIssuer | `0xB13AE2498Df62A85768a4b783109C05fCf5A264a` |
+| ComplianceHook | `0x6C57b50Ef9286b132066012B19b291FB120ACa80` |
+| ILALRouter | `0xd0aF4D1EFF36CB2a1E88017eA398dCaDe1Ac0040` |
+| PolicyRegistry | `0x19fD4eCF4359fCc8d5E79916691a28c24A22a9B4` |
 
 ## License
 

package/dist/commands/credential.js

@@ -46,8 +46,10 @@ export async function credentialStatus(opts) {
         console.log(`  ${fmt.gray("3.")} Run: ${fmt.cyan("ilal credential mint --attestation <uid>")}`);
         console.log();
         console.log(fmt.bold("  Path B — ZK proof (privacy-preserving, no KYC data on-chain)"));
-        console.log(`  ${fmt.gray("1.")} Operator adds wallet to the attestation Merkle tree`);
-        console.log(`  ${fmt.gray("2.")} Run: ${fmt.cyan("ilal credential prove --wallet " + opts.wallet + " --update-root")}`);
+        console.log(`  ${fmt.gray("1.")} Issuer/operator adds wallet to the Merkle tree`);
+        console.log(`  ${fmt.gray("2.")} Operator queues root: ${fmt.cyan("ilal oracle propose-root --root <newMerkleRoot>")}`);
+        console.log(`  ${fmt.gray("3.")} After timelock, operator activates: ${fmt.cyan("ilal oracle activate-root")}`);
+        console.log(`  ${fmt.gray("4.")} Trader runs: ${fmt.cyan("ilal credential prove --wallet " + opts.wallet)}`);
         console.log();
         return;
     }

package/dist/commands/demo.js

@@ -92,9 +92,9 @@ export async function demo(opts) {
         console.log();
         log.section("Live Demo Commands");
         log.command("ilal status --wallet <wallet>");
-        log.command("ilal credential prove --wallet <wallet> --update-root");
+        log.command("ilal credential prove --wallet <wallet>");
         log.command("ilal session sign --pool <poolId> --action swap --hook <hook> --issuer <issuer> --caller <router>");
-        log.command("ilal swap --amount-in 100 --token-in <token> --pool-id <poolId>");
+        log.command("ilal swap --amount-in 100 --token-in <token> --pool-id <poolId> --min-amount-out 0");
     }
     console.log();
 }

package/dist/commands/oracle.d.ts

@@ -0,0 +1,50 @@
+/**
+ * oracle.ts — `ilal oracle`
+ *
+ * Operator-only commands for managing the CNFIssuer Merkle root and
+ * ZK verifier via the timelock mechanism.
+ *
+ * Merkle root and ZK verifier changes are protected by a 2-step propose → activate
+ * timelock (ROOT_DELAY = 48 h, VERIFIER_DELAY = 72 h). Only the contract
+ * owner can call these.
+ *
+ * Usage:
+ *   # Step 1 — queue a new root (requires owner key, executes immediately)
+ *   PRIVATE_KEY=0x... ilal oracle propose-root \
+ *     --root 0xDEADBEEF... \
+ *     --issuer 0x319c0...
+ *
+ *   # Step 2 — after ROOT_DELAY (48 h) has elapsed, activate it
+ *   PRIVATE_KEY=0x... ilal oracle activate-root \
+ *     --issuer 0x319c0...
+ *
+ *   # Same pattern for the ZK verifier (VERIFIER_DELAY = 72 h)
+ *   PRIVATE_KEY=0x... ilal oracle propose-verifier --verifier 0x... --issuer 0x...
+ *   PRIVATE_KEY=0x... ilal oracle activate-verifier --issuer 0x...
+ */
+export declare function oracleProposeRoot(opts: {
+    root?: string;
+    issuer?: string;
+    chain?: string;
+    rpc?: string;
+    privateKey?: string;
+}): Promise<void>;
+export declare function oracleActivateRoot(opts: {
+    issuer?: string;
+    chain?: string;
+    rpc?: string;
+    privateKey?: string;
+}): Promise<void>;
+export declare function oracleProposeVerifier(opts: {
+    verifier?: string;
+    issuer?: string;
+    chain?: string;
+    rpc?: string;
+    privateKey?: string;
+}): Promise<void>;
+export declare function oracleActivateVerifier(opts: {
+    issuer?: string;
+    chain?: string;
+    rpc?: string;
+    privateKey?: string;
+}): Promise<void>;

package/dist/commands/oracle.js

@@ -0,0 +1,281 @@
+/**
+ * oracle.ts — `ilal oracle`
+ *
+ * Operator-only commands for managing the CNFIssuer Merkle root and
+ * ZK verifier via the timelock mechanism.
+ *
+ * Merkle root and ZK verifier changes are protected by a 2-step propose → activate
+ * timelock (ROOT_DELAY = 48 h, VERIFIER_DELAY = 72 h). Only the contract
+ * owner can call these.
+ *
+ * Usage:
+ *   # Step 1 — queue a new root (requires owner key, executes immediately)
+ *   PRIVATE_KEY=0x... ilal oracle propose-root \
+ *     --root 0xDEADBEEF... \
+ *     --issuer 0x319c0...
+ *
+ *   # Step 2 — after ROOT_DELAY (48 h) has elapsed, activate it
+ *   PRIVATE_KEY=0x... ilal oracle activate-root \
+ *     --issuer 0x319c0...
+ *
+ *   # Same pattern for the ZK verifier (VERIFIER_DELAY = 72 h)
+ *   PRIVATE_KEY=0x... ilal oracle propose-verifier --verifier 0x... --issuer 0x...
+ *   PRIVATE_KEY=0x... ilal oracle activate-verifier --issuer 0x...
+ */
+import { createPublicClient, createWalletClient, http, isAddress, } from "viem";
+import { privateKeyToAccount } from "viem/accounts";
+import { base, baseSepolia } from "viem/chains";
+import { fmt, log, header, Spinner, die, dieOnContract } from "../ui.js";
+import { withConfig } from "../config.js";
+const CHAINS = { "8453": base, "84532": baseSepolia };
+const ORACLE_ABI = [
+    {
+        name: "proposeMerkleRoot", type: "function", stateMutability: "nonpayable",
+        inputs: [{ name: "_root", type: "uint256" }], outputs: [],
+    },
+    {
+        name: "activateMerkleRoot", type: "function", stateMutability: "nonpayable",
+        inputs: [], outputs: [],
+    },
+    {
+        name: "proposeZKVerifier", type: "function", stateMutability: "nonpayable",
+        inputs: [{ name: "_verifier", type: "address" }], outputs: [],
+    },
+    {
+        name: "activateZKVerifier", type: "function", stateMutability: "nonpayable",
+        inputs: [], outputs: [],
+    },
+    {
+        name: "pendingRoot", type: "function", stateMutability: "view",
+        inputs: [], outputs: [{ type: "uint256" }],
+    },
+    {
+        name: "pendingRootActivatesAt", type: "function", stateMutability: "view",
+        inputs: [], outputs: [{ type: "uint256" }],
+    },
+    {
+        name: "pendingZKVerifier", type: "function", stateMutability: "view",
+        inputs: [], outputs: [{ type: "address" }],
+    },
+    {
+        name: "pendingVerifierActivatesAt", type: "function", stateMutability: "view",
+        inputs: [], outputs: [{ type: "uint256" }],
+    },
+    {
+        name: "ROOT_DELAY", type: "function", stateMutability: "view",
+        inputs: [], outputs: [{ type: "uint256" }],
+    },
+    {
+        name: "VERIFIER_DELAY", type: "function", stateMutability: "view",
+        inputs: [], outputs: [{ type: "uint256" }],
+    },
+    {
+        name: "merkleRoot", type: "function", stateMutability: "view",
+        inputs: [], outputs: [{ type: "uint256" }],
+    },
+];
+function txUrl(chain, hash) {
+    const baseUrl = chain.blockExplorers?.default?.url;
+    return baseUrl ? `${baseUrl}/tx/${hash}` : undefined;
+}
+function makeClients(cfg, opts) {
+    const rawKey = opts.privateKey ?? process.env["PRIVATE_KEY"];
+    if (!rawKey)
+        die("Private key required. Use --private-key or set PRIVATE_KEY env var.");
+    const chain = CHAINS[opts.chain ?? "84532"] ?? baseSepolia;
+    const transport = opts.rpc ? http(opts.rpc) : http();
+    const account = privateKeyToAccount(rawKey);
+    return {
+        chain,
+        account,
+        pubClient: createPublicClient({ chain, transport }),
+        walClient: createWalletClient({ account, chain, transport }),
+    };
+}
+// ─── propose-root ─────────────────────────────────────────────────────────────
+export async function oracleProposeRoot(opts) {
+    const cfg = withConfig(opts);
+    if (!cfg.issuer)
+        die("CNFIssuer address required. Use --issuer or set in .ilal.json");
+    if (!isAddress(cfg.issuer))
+        die(`Invalid issuer address: ${cfg.issuer}`);
+    if (!opts.root)
+        die("--root <uint256> required");
+    const root = BigInt(opts.root);
+    const { chain, account, pubClient, walClient } = makeClients(cfg, opts);
+    header("ILAL Oracle — Propose Merkle Root", chain.name);
+    log.kv("issuer", fmt.cyan(cfg.issuer));
+    log.kv("new root", fmt.gray(root.toString().slice(0, 22) + "…"));
+    // Show current root and delay
+    const [currentRoot, delay] = await Promise.all([
+        pubClient.readContract({ address: cfg.issuer, abi: ORACLE_ABI, functionName: "merkleRoot" }),
+        pubClient.readContract({ address: cfg.issuer, abi: ORACLE_ABI, functionName: "ROOT_DELAY" }),
+    ]);
+    log.kv("current root", fmt.gray(currentRoot.toString().slice(0, 22) + "…"));
+    log.kv("timelock delay", `${Number(delay) / 3600} hours`);
+    log.line();
+    const spin = new Spinner("Proposing new Merkle root…").start();
+    let txHash;
+    try {
+        txHash = await walClient.writeContract({
+            account,
+            address: cfg.issuer,
+            abi: ORACLE_ABI,
+            functionName: "proposeMerkleRoot",
+            args: [root],
+        });
+        await pubClient.waitForTransactionReceipt({ hash: txHash });
+        spin.succeed(`Merkle root proposed ${fmt.gray(fmt.hash(txHash))}`);
+    }
+    catch (e) {
+        spin.fail("proposeMerkleRoot failed");
+        dieOnContract(e);
+        return;
+    }
+    const activatesAt = new Date((Date.now() + Number(delay) * 1000));
+    log.line();
+    log.callout("Root queued", `Activate after ${activatesAt.toISOString()}\n  Run: ilal oracle activate-root --issuer ${cfg.issuer}`, "cyan");
+    const explorer = txUrl(chain, txHash);
+    if (explorer)
+        log.kv("explorer", fmt.cyan(explorer));
+    console.log();
+}
+// ─── activate-root ────────────────────────────────────────────────────────────
+export async function oracleActivateRoot(opts) {
+    const cfg = withConfig(opts);
+    if (!cfg.issuer)
+        die("CNFIssuer address required. Use --issuer or set in .ilal.json");
+    if (!isAddress(cfg.issuer))
+        die(`Invalid issuer address: ${cfg.issuer}`);
+    const { chain, account, pubClient, walClient } = makeClients(cfg, opts);
+    header("ILAL Oracle — Activate Merkle Root", chain.name);
+    log.kv("issuer", fmt.cyan(cfg.issuer));
+    const [pendingRoot, activatesAt] = await Promise.all([
+        pubClient.readContract({ address: cfg.issuer, abi: ORACLE_ABI, functionName: "pendingRoot" }),
+        pubClient.readContract({ address: cfg.issuer, abi: ORACLE_ABI, functionName: "pendingRootActivatesAt" }),
+    ]);
+    if (pendingRoot === 0n)
+        die("No pending root — run `ilal oracle propose-root` first");
+    const now = BigInt(Math.floor(Date.now() / 1000));
+    if (activatesAt > now) {
+        const remaining = Number(activatesAt - now);
+        die(`Timelock not elapsed. Activate in ${Math.ceil(remaining / 3600)} hour(s) (${new Date(Number(activatesAt) * 1000).toISOString()})`);
+    }
+    log.kv("pending root", fmt.cyan(pendingRoot.toString().slice(0, 22) + "…"));
+    log.line();
+    const spin = new Spinner("Activating Merkle root…").start();
+    let txHash;
+    try {
+        txHash = await walClient.writeContract({
+            account,
+            address: cfg.issuer,
+            abi: ORACLE_ABI,
+            functionName: "activateMerkleRoot",
+            args: [],
+        });
+        await pubClient.waitForTransactionReceipt({ hash: txHash });
+        spin.succeed(`Merkle root activated ${fmt.gray(fmt.hash(txHash))}`);
+    }
+    catch (e) {
+        spin.fail("activateMerkleRoot failed");
+        dieOnContract(e);
+        return;
+    }
+    log.line();
+    log.callout("Root live", "New Merkle root is now enforced on all ZK proof verifications", "green");
+    const explorer = txUrl(chain, txHash);
+    if (explorer)
+        log.kv("explorer", fmt.cyan(explorer));
+    console.log();
+}
+// ─── propose-verifier ─────────────────────────────────────────────────────────
+export async function oracleProposeVerifier(opts) {
+    const cfg = withConfig(opts);
+    if (!cfg.issuer)
+        die("CNFIssuer address required. Use --issuer or set in .ilal.json");
+    if (!isAddress(cfg.issuer))
+        die(`Invalid issuer address: ${cfg.issuer}`);
+    if (!opts.verifier || !isAddress(opts.verifier))
+        die("--verifier <address> required");
+    const { chain, account, pubClient, walClient } = makeClients(cfg, opts);
+    header("ILAL Oracle — Propose ZK Verifier", chain.name);
+    log.kv("issuer", fmt.cyan(cfg.issuer));
+    log.kv("new verifier", fmt.cyan(opts.verifier));
+    const delay = await pubClient.readContract({
+        address: cfg.issuer, abi: ORACLE_ABI, functionName: "VERIFIER_DELAY",
+    });
+    log.kv("timelock delay", `${Number(delay) / 3600} hours`);
+    log.line();
+    const spin = new Spinner("Proposing new ZK verifier…").start();
+    let txHash;
+    try {
+        txHash = await walClient.writeContract({
+            account,
+            address: cfg.issuer,
+            abi: ORACLE_ABI,
+            functionName: "proposeZKVerifier",
+            args: [opts.verifier],
+        });
+        await pubClient.waitForTransactionReceipt({ hash: txHash });
+        spin.succeed(`ZK verifier proposed ${fmt.gray(fmt.hash(txHash))}`);
+    }
+    catch (e) {
+        spin.fail("proposeZKVerifier failed");
+        dieOnContract(e);
+        return;
+    }
+    const activatesAt = new Date((Date.now() + Number(delay) * 1000));
+    log.line();
+    log.callout("Verifier queued", `Activate after ${activatesAt.toISOString()}\n  Run: ilal oracle activate-verifier --issuer ${cfg.issuer}`, "cyan");
+    const explorer = txUrl(chain, txHash);
+    if (explorer)
+        log.kv("explorer", fmt.cyan(explorer));
+    console.log();
+}
+// ─── activate-verifier ────────────────────────────────────────────────────────
+export async function oracleActivateVerifier(opts) {
+    const cfg = withConfig(opts);
+    if (!cfg.issuer)
+        die("CNFIssuer address required. Use --issuer or set in .ilal.json");
+    if (!isAddress(cfg.issuer))
+        die(`Invalid issuer address: ${cfg.issuer}`);
+    const { chain, account, pubClient, walClient } = makeClients(cfg, opts);
+    header("ILAL Oracle — Activate ZK Verifier", chain.name);
+    const [pending, activatesAt] = await Promise.all([
+        pubClient.readContract({ address: cfg.issuer, abi: ORACLE_ABI, functionName: "pendingZKVerifier" }),
+        pubClient.readContract({ address: cfg.issuer, abi: ORACLE_ABI, functionName: "pendingVerifierActivatesAt" }),
+    ]);
+    if (pending === "0x0000000000000000000000000000000000000000")
+        die("No pending verifier — run `ilal oracle propose-verifier` first");
+    const now = BigInt(Math.floor(Date.now() / 1000));
+    if (activatesAt > now) {
+        const remaining = Number(activatesAt - now);
+        die(`Timelock not elapsed. Activate in ${Math.ceil(remaining / 3600)} hour(s)`);
+    }
+    log.kv("pending verifier", fmt.cyan(pending));
+    log.line();
+    const spin = new Spinner("Activating ZK verifier…").start();
+    let txHash;
+    try {
+        txHash = await walClient.writeContract({
+            account,
+            address: cfg.issuer,
+            abi: ORACLE_ABI,
+            functionName: "activateZKVerifier",
+            args: [],
+        });
+        await pubClient.waitForTransactionReceipt({ hash: txHash });
+        spin.succeed(`ZK verifier activated ${fmt.gray(fmt.hash(txHash))}`);
+    }
+    catch (e) {
+        spin.fail("activateZKVerifier failed");
+        dieOnContract(e);
+        return;
+    }
+    log.line();
+    log.callout("Verifier live", "New ZK verifier is now active for all proof verifications", "green");
+    const explorer = txUrl(chain, txHash);
+    if (explorer)
+        log.kv("explorer", fmt.cyan(explorer));
+    console.log();
+}

package/dist/commands/prove.d.ts

@@ -1,8 +1,8 @@
 /**
  * prove.ts — `ilal credential prove`
  *
- * All-in-one command: builds Merkle tree, generates Groth16 ZK proof,
- * (optionally) updates the on-chain merkleRoot, then mints or renews the CNF.
+ * Trader command: builds a local Merkle proof, generates a Groth16 ZK proof,
+ * then mints or renews the CNF if the issuer's active root already includes it.
  *
  * Usage:
  *   ilal credential prove \
@@ -10,15 +10,16 @@
  *     --issuer  0x319c0... \
  *     --chain   84532 \
  *     --action  mint          # or renew (default: auto-detect)
- *     --update-root           # call setMerkleRoot before minting
  *     --circuit-dir ./circuits/build
+ *
+ * Operator root changes live under `ilal oracle propose-root` and
+ * `ilal oracle activate-root`.
  */
 export declare function credentialProve(opts: {
     wallet?: string;
     issuer?: string;
     chain?: string;
     action?: string;
-    updateRoot: boolean;
     circuitDir?: string;
     outDir?: string;
     rpc?: string;

package/dist/commands/prove.js

@@ -1,8 +1,8 @@
 /**
  * prove.ts — `ilal credential prove`
  *
- * All-in-one command: builds Merkle tree, generates Groth16 ZK proof,
- * (optionally) updates the on-chain merkleRoot, then mints or renews the CNF.
+ * Trader command: builds a local Merkle proof, generates a Groth16 ZK proof,
+ * then mints or renews the CNF if the issuer's active root already includes it.
  *
  * Usage:
  *   ilal credential prove \
@@ -10,8 +10,10 @@
  *     --issuer  0x319c0... \
  *     --chain   84532 \
  *     --action  mint          # or renew (default: auto-detect)
- *     --update-root           # call setMerkleRoot before minting
  *     --circuit-dir ./circuits/build
+ *
+ * Operator root changes live under `ilal oracle propose-root` and
+ * `ilal oracle activate-root`.
  */
 import { execSync } from "child_process";
 import { mkdirSync, writeFileSync, readFileSync } from "fs";
@@ -42,11 +44,6 @@ const CNF_ABI = [
         inputs: [{ name: "proof", type: "bytes" }, { name: "publicInputs", type: "uint256[]" }],
         outputs: [],
     },
-    {
-        name: "setMerkleRoot", type: "function", stateMutability: "nonpayable",
-        inputs: [{ name: "_root", type: "uint256" }],
-        outputs: [],
-    },
     {
         name: "isValid", type: "function", stateMutability: "view",
         inputs: [{ name: "wallet", type: "address" }],
@@ -236,24 +233,6 @@ export async function credentialProve(opts) {
     log.kv("expiresAt", fmt.cyan(new Date((Date.now() + 90 * 24 * 3600 * 1000)).toISOString().split("T")[0]));
     log.kv("merkleRoot", fmt.gray(proofResult.merkleRoot.toString().slice(0, 22) + "…"));
     log.line();
-    // ── Update merkle root on-chain ────────────────────────────────────────────
-    if (opts.updateRoot) {
-        const rootSpin = new Spinner("Updating merkleRoot on-chain…").start();
-        try {
-            const rootHash = await walClient.writeContract({
-                address: cfg.issuer,
-                abi: CNF_ABI,
-                functionName: "setMerkleRoot",
-                args: [proofResult.merkleRoot],
-            });
-            await pubClient.waitForTransactionReceipt({ hash: rootHash });
-            rootSpin.succeed(`merkleRoot updated ${fmt.gray(fmt.hash(rootHash))}`);
-        }
-        catch (e) {
-            rootSpin.fail("setMerkleRoot failed");
-            dieOnContract(e);
-        }
-    }
     // ── Send mint / renew tx ───────────────────────────────────────────────────
     const { proofBytes, publicInputs } = encodeProof(proofResult.proofJson, proofResult.publicJson);
     const fnName = action === "mint" ? "mintWithProof" : "renewWithProof";

package/dist/commands/status.js

@@ -55,7 +55,8 @@ export async function status(opts) {
                 log.kv("issuer", fmt.cyan(cfg.issuer));
                 if (tokenId === 0n) {
                     log.kv("status", fmt.badge("missing", "red"));
-                    log.command("ilal credential prove --wallet " + cfg.wallet + " --update-root");
+                    log.command("ilal credential prove --wallet " + cfg.wallet);
+                    console.log(fmt.gray("If root mismatch occurs, ask the issuer to queue and activate the updated root via `ilal oracle`."));
                     credentialReady = false;
                 }
                 else {

package/dist/commands/swap.d.ts

@@ -20,6 +20,7 @@
  */
 export declare function swap(opts: {
     amountIn: string;
+    minAmountOut?: string;
     tokenIn?: string;
     zeroForOne?: boolean;
     poolId?: string;

package/dist/commands/swap.js

@@ -50,6 +50,7 @@ const ROUTER_ABI = [
                     { name: "amountSpecified", type: "int256" },
                     { name: "sqrtPriceLimitX96", type: "uint160" },
                 ] },
+            { name: "minAmountOut", type: "uint256" },
             { name: "hookData", type: "bytes" },
         ],
         outputs: [{ name: "delta", type: "int256" }],
@@ -250,6 +251,13 @@ export async function swap(opts) {
         amountSpecified: -amountIn, // negative = exactIn
         sqrtPriceLimitX96: zeroForOne ? MIN_SQRT_PRICE : MAX_SQRT_PRICE,
     };
+    // Slippage: parse --min-amount-out if provided (0 = disabled)
+    // We don't know the tokenOut decimals here without another RPC call,
+    // so we accept wei (raw bigint) from the flag.  The CLI documents this.
+    const minAmountOut = opts.minAmountOut ? BigInt(opts.minAmountOut) : 0n;
+    if (minAmountOut > 0n) {
+        log.kv("min-amount-out", `${fmt.cyan(minAmountOut.toString())} wei (slippage protection on)`);
+    }
     // Execute swap
     const txSpin = new Spinner("Sending swap tx…").start();
     let txHash;
@@ -258,7 +266,7 @@ export async function swap(opts) {
             address: cfg.router,
             abi: ROUTER_ABI,
             functionName: "swap",
-            args: [poolKey, swapParams, hookData],
+            args: [poolKey, swapParams, minAmountOut, hookData],
             value: 0n,
         });
         txSpin.update(`Confirming ${fmt.gray(fmt.hash(txHash))}…`);

package/dist/index.js

@@ -2,6 +2,7 @@
 import { Command } from "commander";
 import { credentialStatus } from "./commands/credential.js";
 import { credentialProve } from "./commands/prove.js";
+import { oracleProposeRoot, oracleActivateRoot, oracleProposeVerifier, oracleActivateVerifier } from "./commands/oracle.js";
 import { mintCredential, renewCredential } from "./commands/mint.js";
 import { proofMint, proofRenew } from "./commands/proof.js";
 import { sessionSign } from "./commands/session.js";
@@ -92,7 +93,6 @@ credential
     .option("-w, --wallet <address>", "Wallet address to prove eligibility for")
     .option("-i, --issuer <address>", "CNFIssuer contract address (or set in .ilal.json)")
     .option("-a, --action <action>", "mint or renew (default: auto-detect)")
-    .option("--update-root", "Call setMerkleRoot on-chain before minting (requires owner key)", false)
     .option("--circuit-dir <path>", "Path to circuits/build directory (auto-detected by default)")
     .option("--out-dir <path>", "Directory to write proof/witness files")
     .option("-c, --chain <chainId>", "Chain ID (8453=Base, 84532=Base Sepolia)", "84532")
@@ -243,6 +243,7 @@ program
     .command("swap")
     .description("Execute a compliant token swap through the ILAL channel")
     .requiredOption("--amount-in <amount>", "Input amount in human-readable units (e.g. 100)")
+    .option("--min-amount-out <wei>", "Minimum output amount in wei — reverts if pool gives less (default: 0 = off)")
     .option("--token-in <address>", "Token to sell (defaults to tokenA from config)")
     .option("--token-a <address>", "currency0 token address (or set in .ilal.json)")
     .option("--token-b <address>", "currency1 token address (or set in .ilal.json)")
@@ -260,6 +261,55 @@ program
     .action(async (opts) => {
     await swap(opts).catch(err);
 });
+// ─── oracle ───────────────────────────────────────────────────────────────────
+// Operator-only commands — require owner key.
+// Merkle root and ZK verifier changes are timelocked:
+//   ROOT_DELAY = 48h, VERIFIER_DELAY = 72h.
+const oracle = program
+    .command("oracle")
+    .description("Operator commands for managing timelocked Merkle root and ZK verifier");
+oracle
+    .command("propose-root")
+    .description("Queue a new Merkle root (step 1 of 2 — owner only, ROOT_DELAY = 48 h timelock)")
+    .requiredOption("--root <uint256>", "New Merkle root value (decimal or 0x hex)")
+    .option("-i, --issuer <address>", "CNFIssuer contract address (or set in .ilal.json)")
+    .option("-c, --chain <chainId>", "Chain ID (8453=Base, 84532=Base Sepolia)", "84532")
+    .option("-r, --rpc <url>", "Custom RPC URL")
+    .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
+    .action(async (opts) => {
+    await oracleProposeRoot(opts).catch(err);
+});
+oracle
+    .command("activate-root")
+    .description("Activate the pending Merkle root after the 48-hour timelock has elapsed (step 2 of 2)")
+    .option("-i, --issuer <address>", "CNFIssuer contract address (or set in .ilal.json)")
+    .option("-c, --chain <chainId>", "Chain ID (8453=Base, 84532=Base Sepolia)", "84532")
+    .option("-r, --rpc <url>", "Custom RPC URL")
+    .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
+    .action(async (opts) => {
+    await oracleActivateRoot(opts).catch(err);
+});
+oracle
+    .command("propose-verifier")
+    .description("Queue a new ZK verifier contract (step 1 of 2 — owner only, VERIFIER_DELAY = 72 h)")
+    .requiredOption("--verifier <address>", "New IGroth16Verifier contract address")
+    .option("-i, --issuer <address>", "CNFIssuer contract address (or set in .ilal.json)")
+    .option("-c, --chain <chainId>", "Chain ID", "84532")
+    .option("-r, --rpc <url>", "Custom RPC URL")
+    .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
+    .action(async (opts) => {
+    await oracleProposeVerifier(opts).catch(err);
+});
+oracle
+    .command("activate-verifier")
+    .description("Activate the pending ZK verifier after the 72-hour timelock has elapsed (step 2 of 2)")
+    .option("-i, --issuer <address>", "CNFIssuer contract address (or set in .ilal.json)")
+    .option("-c, --chain <chainId>", "Chain ID", "84532")
+    .option("-r, --rpc <url>", "Custom RPC URL")
+    .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
+    .action(async (opts) => {
+    await oracleActivateVerifier(opts).catch(err);
+});
 // ─── deploy ───────────────────────────────────────────────────────────────────
 program
     .command("deploy")

package/dist/ui.js

@@ -169,8 +169,8 @@ const CONTRACT_ERRORS = {
     "0x724efe91": "Credential already exists — use `ilal credential prove` to renew",
     "0xe6567cc4": "ZK verifier not set on CNFIssuer — contact the issuer admin",
     "0xd611c318": "ZK proof verification failed — regenerate your proof",
-    "0x9dd854d3": "Invalid Merkle root — re-run with --update-root",
-    "0x0432f01c": "Merkle root mismatch — re-run with --update-root",
+    "0x9dd854d3": "Invalid Merkle root — issuer must queue and activate the updated root with `ilal oracle`",
+    "0x0432f01c": "Merkle root mismatch — issuer must queue and activate the updated root with `ilal oracle`",
     "0xddefae28": "Credential already minted for this wallet",
     "0x30cd7471": "Not the contract owner",
     "0xf6f992e7": "Credential has expired — renew it",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ilalv3/cli",
-  "version": "0.1.2",
+  "version": "0.2.0",
   "description": "ILAL Protocol CLI — compliant swaps and credential management for Uniswap v4",
   "type": "module",
   "bin": {