@ilalv3/cli 0.2.3 → 0.2.4

package/README.md

@@ -52,6 +52,10 @@ PRIVATE_KEY=0x... ilal credential mint \
   --attestation <AttestationUID> \
   --chain 84532
 
+# Or, with the MockEAS owner key, create a fresh test attestation:
+PRIVATE_KEY=0x... ilal demo attest --wallet 0xYourWallet
+PRIVATE_KEY=0xYourWalletKey ilal credential mint --attestation <uid>
+
 # If the wallet needs more demo tokens:
 PRIVATE_KEY=0x... ilal demo faucet --wallet 0xYourWallet
 ```
@@ -99,9 +103,12 @@ Generates a Groth16 proof locally (~5s), verifies it on-chain, and mints/renews
 | `ilal session sign` | Sign a standalone SessionToken |
 | `ilal proof mint` | Mint CNF from existing proof.json + public.json |
 | `ilal deploy --mock` | Deploy a seeded testnet demo stack with MockEAS, tokens, router, hook, and policy |
+| `ilal demo attest` | Create a MockEAS test attestation so a wallet can mint CNF |
 | `ilal demo faucet` | Mint mock demo TOKA/TOKB to a wallet |
 | `ilal deploy` | Deploy full ILAL contract stack |
 
+Session note: ILAL hookData is a one-time EIP-712 authorization with a deadline and nonce. The expensive compliance step is the CNF issuance or renewal; swaps do not verify a fresh ZK proof. Use `ilal session sign` to export hookData, and `ilal swap --hook-data <hex>` to execute with an externally signed authorization.
+
 ## Configuration
 
 The CLI reads `.ilal.json` in the current directory. Run `ilal init` to create it, or pass flags directly:

package/dist/commands/demo.d.ts

@@ -10,3 +10,8 @@ export declare function demoFaucet(opts: {
     amount?: string;
     privateKey?: string;
 }): Promise<void>;
+export declare function demoAttest(opts: {
+    wallet: string;
+    privateKey?: string;
+    expiresInDays?: string;
+}): Promise<void>;

package/dist/commands/demo.js

@@ -1,4 +1,4 @@
-import { createPublicClient, createWalletClient, formatUnits, http, isAddress, isHex, parseUnits, } from "viem";
+import { createPublicClient, createWalletClient, decodeEventLog, formatUnits, http, isAddress, isHex, parseUnits, } from "viem";
 import { privateKeyToAccount } from "viem/accounts";
 import { base, baseSepolia } from "viem/chains";
 import { loadConfig } from "../config.js";
@@ -39,6 +39,30 @@ const ERC20_ABI = [
     { name: "allowance", type: "function", stateMutability: "view", inputs: [{ name: "owner", type: "address" }, { name: "spender", type: "address" }], outputs: [{ type: "uint256" }] },
     { name: "mint", type: "function", stateMutability: "nonpayable", inputs: [{ name: "to", type: "address" }, { name: "amount", type: "uint256" }], outputs: [] },
 ];
+const MOCK_EAS_ABI = [
+    {
+        type: "event",
+        name: "AttestationCreated",
+        inputs: [
+            { name: "uid", type: "bytes32", indexed: true },
+            { name: "recipient", type: "address", indexed: true },
+            { name: "attester", type: "address", indexed: true },
+        ],
+    },
+    {
+        name: "attest",
+        type: "function",
+        stateMutability: "nonpayable",
+        inputs: [
+            { name: "schema", type: "bytes32" },
+            { name: "recipient", type: "address" },
+            { name: "attester", type: "address" },
+            { name: "expirationTime", type: "uint64" },
+            { name: "data", type: "bytes" },
+        ],
+        outputs: [{ type: "bytes32" }],
+    },
+];
 function stage(n, title, subtitle) {
     console.log();
     console.log(`  ${fmt.badge(`step ${n}`, "cyan")} ${fmt.bold(title)}`);
@@ -441,3 +465,75 @@ export async function demoFaucet(opts) {
     log.callout("Demo tokens ready", "wallet can now pass token-balance preflight checks", "green");
     console.log();
 }
+export async function demoAttest(opts) {
+    const cfg = loadConfig();
+    const chain = CHAINS[cfg.chain ?? "84532"] ?? baseSepolia;
+    const rawKey = opts.privateKey ?? process.env["PRIVATE_KEY"];
+    if (!rawKey || !isHex(rawKey) || rawKey.length !== 66) {
+        die("Private key required. Use --private-key or set PRIVATE_KEY env var.");
+    }
+    if (!cfg.issuer || !isAddress(cfg.issuer))
+        die("CNFIssuer required. Run `ilal init` first.");
+    if (!isAddress(opts.wallet))
+        die(`Invalid wallet address: ${opts.wallet}`);
+    const account = privateKeyToAccount(rawKey);
+    const client = createPublicClient({ chain, transport: http(cfg.rpc) });
+    const walletClient = createWalletClient({ account, chain, transport: http(cfg.rpc) });
+    const [eas, schemaUID, trustedAttester] = await Promise.all([
+        client.readContract({ address: cfg.issuer, abi: CNF_ABI, functionName: "eas" }),
+        client.readContract({ address: cfg.issuer, abi: [
+                { name: "schemaUID", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "bytes32" }] },
+            ], functionName: "schemaUID" }),
+        client.readContract({ address: cfg.issuer, abi: [
+                { name: "trustedAttester", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "address" }] },
+            ], functionName: "trustedAttester" }),
+    ]);
+    if (eas === ZERO)
+        die("Configured issuer has no EAS/MockEAS path. Use a mock demo issuer or Coinbase EAS attestation.");
+    const days = BigInt(parseInt(opts.expiresInDays ?? "90", 10));
+    const expiration = BigInt(Math.floor(Date.now() / 1000)) + days * 24n * 60n * 60n;
+    header("ILAL Demo Attestation", chain.name);
+    log.kv("mockEAS", fmt.addr(eas));
+    log.kv("issuer", fmt.addr(cfg.issuer));
+    log.kv("recipient", fmt.addr(opts.wallet));
+    log.kv("attester", fmt.addr(trustedAttester));
+    log.line();
+    const spin = new Spinner("Creating MockEAS attestation…").start();
+    const hash = await walletClient.writeContract({
+        address: eas,
+        abi: MOCK_EAS_ABI,
+        functionName: "attest",
+        args: [
+            schemaUID,
+            opts.wallet,
+            trustedAttester,
+            expiration,
+            "0x",
+        ],
+    });
+    const receipt = await client.waitForTransactionReceipt({ hash });
+    spin.succeed(`Attestation created ${fmt.gray(fmt.hash(hash))}`);
+    let uid;
+    for (const logItem of receipt.logs) {
+        if (logItem.address.toLowerCase() !== eas.toLowerCase())
+            continue;
+        try {
+            const decoded = decodeEventLog({ abi: MOCK_EAS_ABI, data: logItem.data, topics: logItem.topics });
+            if (decoded.eventName === "AttestationCreated") {
+                uid = decoded.args.uid;
+                break;
+            }
+        }
+        catch { }
+    }
+    log.line();
+    if (uid)
+        log.kv("attestation", fmt.cyan(uid));
+    log.kv("tx", fmt.gray(hash));
+    log.callout("CNF mint path ready", "the recipient wallet can now run `ilal credential mint --attestation <uid>`", "green");
+    if (uid) {
+        console.log();
+        log.command(`PRIVATE_KEY=0x... ilal credential mint --issuer ${cfg.issuer} --attestation ${uid} --chain ${chain.id}`);
+    }
+    console.log();
+}

package/dist/commands/session.d.ts

@@ -1,11 +1,11 @@
 export declare function sessionSign(opts: {
     user?: string;
-    pool: string;
+    pool?: string;
     action: string;
-    hook: string;
-    issuer: string;
+    hook?: string;
+    issuer?: string;
     caller?: string;
-    chain: string;
+    chain?: string;
     ttl: number;
     privateKey?: string;
 }): Promise<void>;

package/dist/commands/session.js

@@ -2,6 +2,7 @@ import { createWalletClient, encodeAbiParameters, http, isAddress, isHex, parseA
 import { privateKeyToAccount } from "viem/accounts";
 import { base, baseSepolia } from "viem/chains";
 import { fmt, log, header, die } from "../ui.js";
+import { withConfig } from "../config.js";
 const CHAINS = {
     "8453": base,
     "84532": baseSepolia,
@@ -27,6 +28,7 @@ const HOOK_DATA_ABI = parseAbiParameters([
     "bytes signature",
 ]);
 export async function sessionSign(opts) {
+    const cfg = withConfig({ chain: opts.chain, hook: opts.hook, issuer: opts.issuer });
     // Resolve private key
     const rawKey = opts.privateKey ?? process.env["PRIVATE_KEY"];
     if (!rawKey)
@@ -35,32 +37,36 @@ export async function sessionSign(opts) {
         die("Invalid private key format (expected 0x + 32 bytes).");
     const account = privateKeyToAccount(rawKey);
     const user = (opts.user ?? account.address);
-    const authorizedCaller = (opts.caller ?? user);
+    const pool = opts.pool ?? cfg.poolId;
+    const hook = opts.hook ?? cfg.hook;
+    const issuer = opts.issuer ?? cfg.issuer;
+    const authorizedCaller = (opts.caller ?? cfg.router ?? user);
+    const chainId = opts.chain ?? cfg.chain ?? "84532";
     if (!isAddress(user))
         die(`Invalid user address: ${user}`);
     if (!isAddress(authorizedCaller))
         die(`Invalid authorized caller address: ${authorizedCaller}`);
-    if (!isAddress(opts.hook))
-        die(`Invalid hook address: ${opts.hook}`);
-    if (!isAddress(opts.issuer))
-        die(`Invalid issuer address: ${opts.issuer}`);
-    if (!isHex(opts.pool) || opts.pool.length !== 66)
-        die("poolId must be a 32-byte hex string (0x + 64 chars).");
+    if (!hook || !isAddress(hook))
+        die(`Invalid hook address: ${hook ?? "<missing>"}. Use --hook or run ilal init.`);
+    if (!issuer || !isAddress(issuer))
+        die(`Invalid issuer address: ${issuer ?? "<missing>"}. Use --issuer or run ilal init.`);
+    if (!pool || !isHex(pool) || pool.length !== 66)
+        die("poolId must be a 32-byte hex string. Use --pool or run ilal init.");
     const actionKey = opts.action.toLowerCase().replace(/[^a-z]/g, "");
     const actionCode = ACTIONS[actionKey];
     if (actionCode === undefined)
         die(`Unknown action "${opts.action}". Use: swap | addLiquidity | removeLiquidity`);
-    const chain = CHAINS[opts.chain] ?? baseSepolia;
+    const chain = CHAINS[chainId] ?? baseSepolia;
     const walletClient = createWalletClient({ account, chain, transport: http() });
     const deadline = BigInt(Math.floor(Date.now() / 1000) + opts.ttl);
     const nonce = `0x${Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString("hex")}`;
     const token = {
         user,
         authorizedCaller,
-        cnfIssuer: opts.issuer,
+        cnfIssuer: issuer,
         chainId: BigInt(chain.id),
-        verifyingHook: opts.hook,
-        poolId: opts.pool,
+        verifyingHook: hook,
+        poolId: pool,
         action: actionCode,
         deadline,
         nonce: nonce,
@@ -69,11 +75,11 @@ export async function sessionSign(opts) {
     log.section("Session");
     log.kv("user", fmt.addr(user));
     log.kv("caller", fmt.addr(authorizedCaller));
-    log.kv("chain", chain.name);
-    log.kv("pool", fmt.hash(opts.pool));
+    log.kv("chain", `${chain.name} (${chain.id})`);
+    log.kv("pool", fmt.hash(pool));
     log.kv("action", opts.action);
-    log.kv("hook", fmt.addr(opts.hook));
-    log.kv("issuer", fmt.addr(opts.issuer));
+    log.kv("hook", fmt.addr(hook));
+    log.kv("issuer", fmt.addr(issuer));
     log.kv("deadline", new Date(Number(deadline) * 1000).toISOString());
     log.line();
     log.step("Signing EIP-712 session token locally…");
@@ -84,7 +90,7 @@ export async function sessionSign(opts) {
             name: "ILAL ComplianceHook",
             version: "1",
             chainId: BigInt(chain.id),
-            verifyingContract: opts.hook,
+            verifyingContract: hook,
         },
         types: { SessionToken: SESSION_TOKEN_TYPE },
         primaryType: "SessionToken",
@@ -101,5 +107,6 @@ export async function sessionSign(opts) {
     console.log(`  ${fmt.cyan(hookData)}`);
     console.log();
     console.log(fmt.gray("  verifies: caller, deadline, chainId, hook, pool, action, sig, CNF"));
+    console.log(fmt.gray("  note: this hookData is a one-time authorization; nonce replay is blocked on-chain"));
     console.log();
 }

package/dist/commands/swap.d.ts

@@ -35,5 +35,6 @@ export declare function swap(opts: {
     rpc?: string;
     privateKey?: string;
     ttl?: string;
+    hookData?: string;
     simulate?: boolean;
 }): Promise<void>;

package/dist/commands/swap.js

@@ -18,7 +18,7 @@
  *     --pool-id   0xPOOLID \
  *     --chain     84532
  */
-import { createPublicClient, createWalletClient, encodeAbiParameters, http, isAddress, isHex, parseAbiParameters, parseUnits, } from "viem";
+import { createPublicClient, createWalletClient, decodeAbiParameters, encodeAbiParameters, http, isAddress, isHex, parseAbiParameters, parseUnits, } from "viem";
 import { privateKeyToAccount } from "viem/accounts";
 import { base, baseSepolia } from "viem/chains";
 import { fmt, log, header, Spinner, die, dieOnContract } from "../ui.js";
@@ -214,42 +214,78 @@ export async function swap(opts) {
         { label: "ILAL fee", value: protocolFeePips > 0 ? pipsToPercent(protocolFeePips) : "off", note: protocolFeePips > 0 ? "protocol revenue" : "legacy router", tone: protocolFeePips > 0 ? "cyan" : "gray" },
     ]);
     log.line();
-    // Sign session token
-    const signSpin = new Spinner("Signing session token…").start();
     const ttl = parseInt(opts.ttl ?? "600");
     const deadline = BigInt(Math.floor(Date.now() / 1000) + ttl);
     const nonce = `0x${Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString("hex")}`;
-    const token = {
-        user: account.address,
-        authorizedCaller: cfg.router,
-        cnfIssuer: cfg.issuer,
-        chainId: BigInt(chain.id),
-        verifyingHook: cfg.hook,
-        poolId: cfg.poolId,
-        action: 1, // ACTION_SWAP
-        deadline,
-        nonce,
-    };
-    const signature = await walClient.signTypedData({
-        account,
-        domain: {
-            name: "ILAL ComplianceHook",
-            version: "1",
+    let hookData;
+    let sessionNonce = nonce;
+    if (opts.hookData) {
+        if (!isHex(opts.hookData))
+            die("--hook-data must be 0x-prefixed ABI-encoded hookData.");
+        try {
+            const [externalToken] = decodeAbiParameters(HOOK_DATA_ABI, opts.hookData);
+            const issues = [];
+            if (externalToken.user.toLowerCase() !== account.address.toLowerCase())
+                issues.push("user does not match signer wallet");
+            if (externalToken.authorizedCaller.toLowerCase() !== cfg.router.toLowerCase())
+                issues.push("authorizedCaller does not match router");
+            if (externalToken.cnfIssuer.toLowerCase() !== cfg.issuer.toLowerCase())
+                issues.push("cnfIssuer does not match config");
+            if (externalToken.chainId !== BigInt(chain.id))
+                issues.push(`chainId mismatch: hookData=${externalToken.chainId.toString()} config=${chain.id}`);
+            if (externalToken.verifyingHook.toLowerCase() !== cfg.hook.toLowerCase())
+                issues.push("verifyingHook does not match config");
+            if (externalToken.poolId.toLowerCase() !== cfg.poolId.toLowerCase())
+                issues.push("poolId does not match config");
+            if (externalToken.action !== 1)
+                issues.push("action is not swap");
+            if (externalToken.deadline < BigInt(Math.floor(Date.now() / 1000)))
+                issues.push("session deadline has expired");
+            if (issues.length > 0)
+                die(`Invalid --hook-data for this swap: ${issues.join("; ")}`);
+            sessionNonce = externalToken.nonce;
+            hookData = opts.hookData;
+            log.ok("Using externally supplied one-time session authorization");
+        }
+        catch (e) {
+            die(`Could not decode --hook-data: ${e instanceof Error ? e.message : String(e)}`);
+        }
+    }
+    else {
+        // Sign session token
+        const signSpin = new Spinner("Signing one-time session authorization…").start();
+        const token = {
+            user: account.address,
+            authorizedCaller: cfg.router,
+            cnfIssuer: cfg.issuer,
             chainId: BigInt(chain.id),
-            verifyingContract: cfg.hook,
-        },
-        types: { SessionToken: SESSION_TOKEN_TYPE },
-        primaryType: "SessionToken",
-        message: token,
-    });
-    const hookData = encodeAbiParameters(HOOK_DATA_ABI, [token, signature]);
-    signSpin.succeed(`Session signed (expires in ${ttl}s)`);
+            verifyingHook: cfg.hook,
+            poolId: cfg.poolId,
+            action: 1, // ACTION_SWAP
+            deadline,
+            nonce,
+        };
+        const signature = await walClient.signTypedData({
+            account,
+            domain: {
+                name: "ILAL ComplianceHook",
+                version: "1",
+                chainId: BigInt(chain.id),
+                verifyingContract: cfg.hook,
+            },
+            types: { SessionToken: SESSION_TOKEN_TYPE },
+            primaryType: "SessionToken",
+            message: token,
+        });
+        hookData = encodeAbiParameters(HOOK_DATA_ABI, [token, signature]);
+        signSpin.succeed(`Session authorization signed (expires in ${ttl}s, one-time nonce)`);
+    }
     const fee = parseInt(cfg.fee ?? "3000");
     const tickSpacing = parseInt(cfg.tickSpacing ?? "60");
     log.section("Gate Checks");
     log.kv("credential", `${fmt.badge("required", "cyan")} issuer ${fmt.addr(cfg.issuer)}`);
     log.kv("caller", `${fmt.badge("bound", "green")} ${fmt.addr(cfg.router)}`);
-    log.kv("nonce", `${fmt.badge("fresh", "green")} ${fmt.hash(nonce)}`);
+    log.kv("nonce", `${opts.hookData ? fmt.badge("external", "cyan") : fmt.badge("fresh", "green")} ${fmt.hash(sessionNonce)}`);
     log.kv("fee", feeLabel(fee));
     if (protocolFeePips > 0) {
         log.kv("protocol fee", `${fmt.badge("ILAL", "cyan")} ${pipsToPercent(protocolFeePips)} to ${treasury ? fmt.addr(treasury) : "treasury"}`);

package/dist/index.js

@@ -8,7 +8,7 @@ import { proofMint, proofRenew } from "./commands/proof.js";
 import { sessionSign } from "./commands/session.js";
 import { poolPolicySet, poolPolicyGet } from "./commands/pool.js";
 import { deploy } from "./commands/deploy.js";
-import { demo, demoCheck, demoFaucet } from "./commands/demo.js";
+import { demo, demoCheck, demoFaucet, demoAttest } from "./commands/demo.js";
 import { init } from "./commands/init.js";
 import { status } from "./commands/status.js";
 import { swap } from "./commands/swap.js";
@@ -19,7 +19,7 @@ const program = new Command();
 program
     .name("ilal")
     .description("ILAL Protocol CLI — Uniswap v4 compliance hook toolkit")
-    .version("0.2.3")
+    .version("0.2.4")
     .addHelpText("before", `\n  ${fmt.bold(fmt.cyan("◆"))} ${fmt.bold("ILAL Protocol")}  ${fmt.gray("Uniswap v4 Compliance Hook")}\n`);
 // ─── init ─────────────────────────────────────────────────────────────────────
 program
@@ -81,6 +81,15 @@ demoCommand
     .action(async (opts) => {
     await demoFaucet(opts).catch(err);
 });
+demoCommand
+    .command("attest")
+    .description("Create a MockEAS test attestation for a wallet (demo issuer owner only)")
+    .requiredOption("-w, --wallet <address>", "Recipient wallet that will mint the CNF")
+    .option("--expires-in-days <days>", "Attestation lifetime in days", "90")
+    .option("-k, --private-key <hex>", "MockEAS owner private key")
+    .action(async (opts) => {
+    await demoAttest(opts).catch(err);
+});
 const err = (e) => {
     console.error(fmt.red(`\nError: ${e instanceof Error ? e.message : String(e)}\n`));
     process.exit(1);
@@ -165,13 +174,13 @@ const session = program.command("session").description("Session token operations
 session
     .command("sign")
     .description("Sign an EIP-712 session token locally — no ILAL API call")
-    .requiredOption("-p, --pool <bytes32>", "Pool ID (bytes32 hex)")
+    .option("-p, --pool <bytes32>", "Pool ID (bytes32 hex, defaults to .ilal.json poolId)")
     .requiredOption("-a, --action <action>", "Action: swap | addLiquidity | removeLiquidity")
-    .requiredOption("-H, --hook <address>", "ComplianceHook contract address")
-    .requiredOption("-i, --issuer <address>", "CNFIssuer contract address")
+    .option("-H, --hook <address>", "ComplianceHook contract address (defaults to .ilal.json hook)")
+    .option("-i, --issuer <address>", "CNFIssuer contract address (defaults to .ilal.json issuer)")
     .option("-u, --user <address>", "Trader address (defaults to key's address)")
-    .option("--caller <address>", "Authorized v4 caller (defaults to user; use ILALRouter address for router flows)")
-    .option("-c, --chain <chainId>", "Chain ID", "8453")
+    .option("--caller <address>", "Authorized v4 caller (defaults to .ilal.json router, then user)")
+    .option("-c, --chain <chainId>", "Chain ID (defaults to .ilal.json chain, then 84532)")
     .option("-t, --ttl <seconds>", "Session lifetime in seconds", "600")
     .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
     .action(async (opts) => {
@@ -266,6 +275,7 @@ program
     .option("-r, --rpc <url>", "Custom RPC URL")
     .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
     .option("--ttl <seconds>", "Session token lifetime in seconds", "600")
+    .option("--hook-data <hex>", "Use externally signed one-time hookData instead of signing inside swap")
     .option("--simulate", "Sign session without sending tx", false)
     .action(async (opts) => {
     await swap(opts).catch(err);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ilalv3/cli",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "ILAL Protocol CLI — compliant swaps and credential management for Uniswap v4",
   "type": "module",
   "bin": {