@ilalv3/cli 0.2.3 → 0.2.5

package/README.md

@@ -34,7 +34,7 @@ ilal status --wallet 0xc0807D4778a9E5FE15ad68A8500e64d65BA78D58
 ilal demo check --wallet 0xc0807D4778a9E5FE15ad68A8500e64d65BA78D58
 
 # 4. Execute a compliant swap with the seeded reviewer key
-PRIVATE_KEY=0x... ilal swap --amount-in 1 --token-in 0x582362E608F36850F6f641510d5D19C1EaB4cb27 --min-amount-out 0
+PRIVATE_KEY=0x... ilal swap --amount-in 1 --token-in 0x589dDBdf4Bd6d605bD809a540FF4BC1066f6895e --min-amount-out 0
 ```
 
 For a fully seeded local/testnet demo, deploy mock EAS + demo pool pieces:
@@ -52,6 +52,10 @@ PRIVATE_KEY=0x... ilal credential mint \
   --attestation <AttestationUID> \
   --chain 84532
 
+# Or, with the MockEAS owner key, create a fresh test attestation:
+PRIVATE_KEY=0x... ilal demo attest --wallet 0xYourWallet
+PRIVATE_KEY=0xYourWalletKey ilal credential mint --attestation <uid>
+
 # If the wallet needs more demo tokens:
 PRIVATE_KEY=0x... ilal demo faucet --wallet 0xYourWallet
 ```
@@ -72,8 +76,22 @@ PRIVATE_KEY=0x... ilal demo faucet --wallet 0xYourWallet
 
 ### Path B — ZK proof (privacy-preserving)
 
+Operator prepares the active Merkle root. For a fresh demo deployment this root
+can be passed into the CNFIssuer constructor as `INITIAL_MERKLE_ROOT`, avoiding a
+48-hour wait while still keeping future root updates timelocked.
+
 ```bash
-PRIVATE_KEY=0x... ilal credential prove --wallet 0xYourWallet
+ilal credential zk-root \
+  --wallet 0xYourWallet \
+  --expires-at 1800000000
+```
+
+Trader proves against the same expiry:
+
+```bash
+PRIVATE_KEY=0x... ilal credential prove \
+  --wallet 0xYourWallet \
+  --expires-at 1800000000
 ```
 
 Generates a Groth16 proof locally (~5s), verifies it on-chain, and mints/renews your CNF without revealing identity. If the Merkle root does not match, the issuer/operator must queue the updated root with `ilal oracle propose-root --root <newRoot>` and activate it after the timelock.
@@ -84,6 +102,7 @@ Generates a Groth16 proof locally (~5s), verifies it on-chain, and mints/renews
 |---|---|
 | `ilal init` | Create `.ilal.json` with contract addresses |
 | `ilal status` | Dashboard: credential · issuer config · pool policy |
+| `ilal credential zk-root` | Operator helper: compute the ZK Merkle root for a demo wallet/expiry |
 | `ilal credential prove` | Trader flow: local ZK proof → mint or renew CNF |
 | `ilal credential mint` | Mint CNF via Coinbase EAS attestation |
 | `ilal credential renew` | Renew CNF via EAS attestation |
@@ -99,19 +118,22 @@ Generates a Groth16 proof locally (~5s), verifies it on-chain, and mints/renews
 | `ilal session sign` | Sign a standalone SessionToken |
 | `ilal proof mint` | Mint CNF from existing proof.json + public.json |
 | `ilal deploy --mock` | Deploy a seeded testnet demo stack with MockEAS, tokens, router, hook, and policy |
+| `ilal demo attest` | Create a MockEAS test attestation so a wallet can mint CNF |
 | `ilal demo faucet` | Mint mock demo TOKA/TOKB to a wallet |
 | `ilal deploy` | Deploy full ILAL contract stack |
 
+Session note: ILAL hookData is a one-time EIP-712 authorization with a deadline and nonce. The expensive compliance step is the CNF issuance or renewal; swaps do not verify a fresh ZK proof. Use `ilal session sign` to export hookData, and `ilal swap --hook-data <hex>` to execute with an externally signed authorization.
+
 ## Configuration
 
 The CLI reads `.ilal.json` in the current directory. Run `ilal init` to create it, or pass flags directly:
 
 ```bash
 ilal swap \
-  --router    0x7727F0f3EBe99A558487394D001950ee6B33BB86 \
-  --hook      0xF5066ad9c25F3f54cfb19609A60187C48C184A80 \
-  --issuer    0xc4E032A7574016bd0e3d1a5BbFdE886af09CeD9A \
-  --pool-id   0xc1c8f29d6f03b5cd18bf2b862d48f45cc338022a154945b89c4bcb0a3e11e87f \
+  --router    0xf7DBe6721AE935FA25D963076cd202994E0D5e17 \
+  --hook      0x1623276697B4e6609F8887C9Caa9dB6A6fa08A80 \
+  --issuer    0x18EF418Ca1C81d37BD3247D34c19Adc42306535F \
+  --pool-id   0xf32ae7435348041d4e979a24ce417bfe71d0f6642d2dcb2326e01acfe660fa0d \
   --amount-in 0.001
 ```
 
@@ -119,19 +141,21 @@ ilal swap \
 
 | Contract | Address |
 |---|---|
-| CNFIssuer | `0xc4E032A7574016bd0e3d1a5BbFdE886af09CeD9A` |
-| ComplianceHook | `0xF5066ad9c25F3f54cfb19609A60187C48C184A80` |
-| ILALRouter | `0x7727F0f3EBe99A558487394D001950ee6B33BB86` |
-| PolicyRegistry | `0x910a3efDc426f3216738106dd0DC6EA696477233` |
-| TokenA / TOKA | `0x582362E608F36850F6f641510d5D19C1EaB4cb27` |
-| TokenB / TOKB | `0x6eBBdAC70EC422C512727B25c7F0D9120ed101Ff` |
-| Pool ID | `0xc1c8f29d6f03b5cd18bf2b862d48f45cc338022a154945b89c4bcb0a3e11e87f` |
+| CNFIssuer | `0x18EF418Ca1C81d37BD3247D34c19Adc42306535F` |
+| MockEAS | `0x1B1867e5A98EA90865E3E3a21b31c2edAdBA7c09` |
+| ZKVerifierAdapter | `0x9C918604069CFA897606760E53aB854BA38303Ca` |
+| ComplianceHook | `0x1623276697B4e6609F8887C9Caa9dB6A6fa08A80` |
+| ILALRouter | `0xf7DBe6721AE935FA25D963076cd202994E0D5e17` |
+| PolicyRegistry | `0xB2A94DE0432c1dEDfa941816A450002C6581B0aD` |
+| Currency0 / TOKB | `0x589dDBdf4Bd6d605bD809a540FF4BC1066f6895e` |
+| Currency1 / TOKA | `0xA9C0AB8e7Bc6a79649903EdE052E1B41585cCd08` |
+| Pool ID | `0xf32ae7435348041d4e979a24ce417bfe71d0f6642d2dcb2326e01acfe660fa0d` |
 
 Live proof:
 
-- CNF mint tx: `0x676ca67698eb8fed6c905c2b3a9536d4d056e89c199c41c44085a29db8b4d462`
-- Add liquidity tx: `0x531fac3678878e4855471318b8ea39b2b2f3ced3d890d9d7c40721af296084ca`
-- Swap tx: `0xdaf4136d305e546d6936715cc0101efb4dc88abcb779add9ee03591fdf555a5a`
+- CNF ZK mint tx: `0x3e770104228abc547664df2958ce8f88ddd6d66dd11a78fa1ba1b3569a75a8dc`
+- Add liquidity tx: `0x39f82fdc8e8a8aa6fe1d6cd98adac15f79fdce2b99cc82955dd35eedef89b9d0`
+- Swap tx: `0x3ff5b22707eb4172816359d61b1d97f0086b08c47f396fd44ee1c68471a7b8cc`
 
 ## License
 

package/dist/commands/demo.d.ts

@@ -10,3 +10,8 @@ export declare function demoFaucet(opts: {
     amount?: string;
     privateKey?: string;
 }): Promise<void>;
+export declare function demoAttest(opts: {
+    wallet: string;
+    privateKey?: string;
+    expiresInDays?: string;
+}): Promise<void>;

package/dist/commands/demo.js

@@ -1,4 +1,4 @@
-import { createPublicClient, createWalletClient, formatUnits, http, isAddress, isHex, parseUnits, } from "viem";
+import { createPublicClient, createWalletClient, decodeEventLog, formatUnits, http, isAddress, isHex, parseUnits, } from "viem";
 import { privateKeyToAccount } from "viem/accounts";
 import { base, baseSepolia } from "viem/chains";
 import { loadConfig } from "../config.js";
@@ -10,10 +10,10 @@ const POOL_MANAGER = {
 };
 const SAMPLE = {
     wallet: "0xc0807D4778a9E5FE15ad68A8500e64d65BA78D58",
-    issuer: "0xc4E032A7574016bd0e3d1a5BbFdE886af09CeD9A",
-    hook: "0xF5066ad9c25F3f54cfb19609A60187C48C184A80",
-    router: "0x7727F0f3EBe99A558487394D001950ee6B33BB86",
-    pool: "0xc1c8f29d6f03b5cd18bf2b862d48f45cc338022a154945b89c4bcb0a3e11e87f",
+    issuer: "0x18EF418Ca1C81d37BD3247D34c19Adc42306535F",
+    hook: "0x1623276697B4e6609F8887C9Caa9dB6A6fa08A80",
+    router: "0xf7DBe6721AE935FA25D963076cd202994E0D5e17",
+    pool: "0xf32ae7435348041d4e979a24ce417bfe71d0f6642d2dcb2326e01acfe660fa0d",
     proof: "0x91f2b8a0c43e902f7f1a8c0d",
     session: "0x6b84eac5e0db21f8d5d43b7a",
 };
@@ -24,6 +24,12 @@ const CNF_ABI = [
     { name: "merkleRoot", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "uint256" }] },
     { name: "zkVerifier", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "address" }] },
     { name: "eas", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "address" }] },
+    { name: "issuerMetadata", type: "function", stateMutability: "view", inputs: [], outputs: [
+            { name: "name", type: "string" },
+            { name: "jurisdiction", type: "string" },
+            { name: "credentialStandard", type: "string" },
+            { name: "uri", type: "string" },
+        ] },
 ];
 const REGISTRY_ABI = [
     { name: "getPolicy", type: "function", stateMutability: "view", inputs: [{ name: "poolId", type: "bytes32" }], outputs: [{ type: "tuple", components: [{ name: "cnfIssuer", type: "address" }, { name: "requiredCredentialType", type: "bytes32" }, { name: "enabled", type: "bool" }] }] },
@@ -39,6 +45,30 @@ const ERC20_ABI = [
     { name: "allowance", type: "function", stateMutability: "view", inputs: [{ name: "owner", type: "address" }, { name: "spender", type: "address" }], outputs: [{ type: "uint256" }] },
     { name: "mint", type: "function", stateMutability: "nonpayable", inputs: [{ name: "to", type: "address" }, { name: "amount", type: "uint256" }], outputs: [] },
 ];
+const MOCK_EAS_ABI = [
+    {
+        type: "event",
+        name: "AttestationCreated",
+        inputs: [
+            { name: "uid", type: "bytes32", indexed: true },
+            { name: "recipient", type: "address", indexed: true },
+            { name: "attester", type: "address", indexed: true },
+        ],
+    },
+    {
+        name: "attest",
+        type: "function",
+        stateMutability: "nonpayable",
+        inputs: [
+            { name: "schema", type: "bytes32" },
+            { name: "recipient", type: "address" },
+            { name: "attester", type: "address" },
+            { name: "expirationTime", type: "uint64" },
+            { name: "data", type: "bytes" },
+        ],
+        outputs: [{ type: "bytes32" }],
+    },
+];
 function stage(n, title, subtitle) {
     console.log();
     console.log(`  ${fmt.badge(`step ${n}`, "cyan")} ${fmt.bold(title)}`);
@@ -250,6 +280,24 @@ export async function demoCheck(opts) {
             ]);
             const hasEASPath = eas !== ZERO;
             const hasZKPath = root !== 0n && verifier !== ZERO;
+            try {
+                const meta = await client.readContract({
+                    address: cfg.issuer,
+                    abi: CNF_ABI,
+                    functionName: "issuerMetadata",
+                });
+                if (meta[0])
+                    ok("issuer name", meta[0]);
+                if (meta[1])
+                    ok("jurisdiction", meta[1]);
+                if (meta[2])
+                    ok("standard", meta[2]);
+                if (meta[3])
+                    ok("metadata uri", fmt.gray(meta[3]));
+            }
+            catch {
+                warn("issuer metadata", fmt.badge("legacy issuer", "yellow"));
+            }
             if (hasEASPath)
                 ok("issuance path", `${fmt.badge("EAS/mock", "green")} ${fmt.addr(eas)}`);
             else if (hasZKPath)
@@ -441,3 +489,75 @@ export async function demoFaucet(opts) {
     log.callout("Demo tokens ready", "wallet can now pass token-balance preflight checks", "green");
     console.log();
 }
+export async function demoAttest(opts) {
+    const cfg = loadConfig();
+    const chain = CHAINS[cfg.chain ?? "84532"] ?? baseSepolia;
+    const rawKey = opts.privateKey ?? process.env["PRIVATE_KEY"];
+    if (!rawKey || !isHex(rawKey) || rawKey.length !== 66) {
+        die("Private key required. Use --private-key or set PRIVATE_KEY env var.");
+    }
+    if (!cfg.issuer || !isAddress(cfg.issuer))
+        die("CNFIssuer required. Run `ilal init` first.");
+    if (!isAddress(opts.wallet))
+        die(`Invalid wallet address: ${opts.wallet}`);
+    const account = privateKeyToAccount(rawKey);
+    const client = createPublicClient({ chain, transport: http(cfg.rpc) });
+    const walletClient = createWalletClient({ account, chain, transport: http(cfg.rpc) });
+    const [eas, schemaUID, trustedAttester] = await Promise.all([
+        client.readContract({ address: cfg.issuer, abi: CNF_ABI, functionName: "eas" }),
+        client.readContract({ address: cfg.issuer, abi: [
+                { name: "schemaUID", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "bytes32" }] },
+            ], functionName: "schemaUID" }),
+        client.readContract({ address: cfg.issuer, abi: [
+                { name: "trustedAttester", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "address" }] },
+            ], functionName: "trustedAttester" }),
+    ]);
+    if (eas === ZERO)
+        die("Configured issuer has no EAS/MockEAS path. Use a mock demo issuer or Coinbase EAS attestation.");
+    const days = BigInt(parseInt(opts.expiresInDays ?? "90", 10));
+    const expiration = BigInt(Math.floor(Date.now() / 1000)) + days * 24n * 60n * 60n;
+    header("ILAL Demo Attestation", chain.name);
+    log.kv("mockEAS", fmt.addr(eas));
+    log.kv("issuer", fmt.addr(cfg.issuer));
+    log.kv("recipient", fmt.addr(opts.wallet));
+    log.kv("attester", fmt.addr(trustedAttester));
+    log.line();
+    const spin = new Spinner("Creating MockEAS attestation…").start();
+    const hash = await walletClient.writeContract({
+        address: eas,
+        abi: MOCK_EAS_ABI,
+        functionName: "attest",
+        args: [
+            schemaUID,
+            opts.wallet,
+            trustedAttester,
+            expiration,
+            "0x",
+        ],
+    });
+    const receipt = await client.waitForTransactionReceipt({ hash });
+    spin.succeed(`Attestation created ${fmt.gray(fmt.hash(hash))}`);
+    let uid;
+    for (const logItem of receipt.logs) {
+        if (logItem.address.toLowerCase() !== eas.toLowerCase())
+            continue;
+        try {
+            const decoded = decodeEventLog({ abi: MOCK_EAS_ABI, data: logItem.data, topics: logItem.topics });
+            if (decoded.eventName === "AttestationCreated") {
+                uid = decoded.args.uid;
+                break;
+            }
+        }
+        catch { }
+    }
+    log.line();
+    if (uid)
+        log.kv("attestation", fmt.cyan(uid));
+    log.kv("tx", fmt.gray(hash));
+    log.callout("CNF mint path ready", "the recipient wallet can now run `ilal credential mint --attestation <uid>`", "green");
+    if (uid) {
+        console.log();
+        log.command(`PRIVATE_KEY=0x... ilal credential mint --issuer ${cfg.issuer} --attestation ${uid} --chain ${chain.id}`);
+    }
+    console.log();
+}

package/dist/commands/init.js

@@ -10,14 +10,14 @@ import { fmt, log, header, die } from "../ui.js";
 // Known testnet / mainnet addresses for quick init
 const PRESETS = {
     "84532": {
-        issuer: "0xc4E032A7574016bd0e3d1a5BbFdE886af09CeD9A",
-        hook: "0xF5066ad9c25F3f54cfb19609A60187C48C184A80",
-        registry: "0x910a3efDc426f3216738106dd0DC6EA696477233",
-        router: "0x7727F0f3EBe99A558487394D001950ee6B33BB86",
+        issuer: "0x18EF418Ca1C81d37BD3247D34c19Adc42306535F",
+        hook: "0x1623276697B4e6609F8887C9Caa9dB6A6fa08A80",
+        registry: "0xB2A94DE0432c1dEDfa941816A450002C6581B0aD",
+        router: "0xf7DBe6721AE935FA25D963076cd202994E0D5e17",
         treasury: "0x1804c8AB1F12E6bbf3894d4083f33e07309d1f38",
-        tokenA: "0x582362E608F36850F6f641510d5D19C1EaB4cb27",
-        tokenB: "0x6eBBdAC70EC422C512727B25c7F0D9120ed101Ff",
-        poolId: "0xc1c8f29d6f03b5cd18bf2b862d48f45cc338022a154945b89c4bcb0a3e11e87f",
+        tokenA: "0x589dDBdf4Bd6d605bD809a540FF4BC1066f6895e",
+        tokenB: "0xA9C0AB8e7Bc6a79649903EdE052E1B41585cCd08",
+        poolId: "0xf32ae7435348041d4e979a24ce417bfe71d0f6642d2dcb2326e01acfe660fa0d",
         fee: "8388608",
         tickSpacing: "60",
         rpc: "https://sepolia.base.org",

package/dist/commands/prove.d.ts

@@ -24,4 +24,10 @@ export declare function credentialProve(opts: {
     outDir?: string;
     rpc?: string;
     privateKey?: string;
+    expiresAt?: string;
+}): Promise<void>;
+export declare function credentialRoot(opts: {
+    wallet?: string;
+    issuer?: string;
+    expiresAt?: string;
 }): Promise<void>;

package/dist/commands/prove.js

@@ -103,6 +103,21 @@ function findCircuitDir(override) {
         "  Run: bash circuits/scripts/compile.sh\n" +
         "  Or pass: --circuit-dir <path/to/circuits/build>");
 }
+function resolveExpiresAt(expiresAt) {
+    if (!expiresAt)
+        return BigInt(Math.floor(Date.now() / 1000) + 90 * 24 * 3600);
+    const parsed = BigInt(expiresAt);
+    if (parsed <= BigInt(Math.floor(Date.now() / 1000)))
+        die("--expires-at must be a future Unix timestamp");
+    return parsed;
+}
+function computeZKLeafAndRoot(walletAddr, expiresAt) {
+    const walletField = addressToField(walletAddr);
+    const leaf = poseidon4([walletField, 2n, 840n, expiresAt]);
+    const tree = new IncrementalMerkleTree(poseidon2, DEPTH, 0n, 2);
+    tree.insert(leaf);
+    return { leaf, merkleRoot: tree.root };
+}
 function generateProof(opts) {
     const { walletAddr, issuerAddr, circuitDir, outDir } = opts;
     mkdirSync(outDir, { recursive: true });
@@ -111,13 +126,12 @@ function generateProof(opts) {
     const walletHash = computeWalletHash(walletAddr);
     const issuerHash = poseidonField(addressToField(issuerAddr));
     const schemaHashValue = schemaHash(COINBASE_SCHEMA_UID);
-    const expiresAt = BigInt(Math.floor(Date.now() / 1000) + 90 * 24 * 3600); // +90 days
+    const expiresAt = resolveExpiresAt(opts.expiresAt);
     // Build single-leaf Poseidon Merkle tree
-    const leaf = poseidon4([walletField, 2n, 840n, expiresAt]);
+    const { leaf, merkleRoot } = computeZKLeafAndRoot(walletAddr, expiresAt);
     const tree = new IncrementalMerkleTree(poseidon2, DEPTH, 0n, 2);
     tree.insert(leaf);
     const merkleProof = tree.createProof(0);
-    const merkleRoot = tree.root;
     // Build input.json
     const input = {
         walletField: walletField.toString(),
@@ -223,14 +237,21 @@ export async function credentialProve(opts) {
     let proofResult;
     try {
         spin.update("Generating ZK witness…");
-        proofResult = generateProof({ walletAddr: cfg.wallet, issuerAddr: cfg.issuer, circuitDir, outDir });
+        proofResult = generateProof({
+            walletAddr: cfg.wallet,
+            issuerAddr: cfg.issuer,
+            circuitDir,
+            outDir,
+            expiresAt: opts.expiresAt,
+        });
         spin.succeed(`Proof generated & verified locally`);
     }
     catch (e) {
         spin.fail("Proof generation failed");
         die(e instanceof Error ? e.message.split("\n")[0] : String(e));
     }
-    log.kv("expiresAt", fmt.cyan(new Date((Date.now() + 90 * 24 * 3600 * 1000)).toISOString().split("T")[0]));
+    const proofExpiresAt = BigInt(proofResult.publicJson[3]);
+    log.kv("expiresAt", fmt.cyan(new Date(Number(proofExpiresAt) * 1000).toISOString().split("T")[0]));
     log.kv("merkleRoot", fmt.gray(proofResult.merkleRoot.toString().slice(0, 22) + "…"));
     log.line();
     // ── Send mint / renew tx ───────────────────────────────────────────────────
@@ -269,3 +290,28 @@ export async function credentialProve(opts) {
     log.kv("isValid()", valid ? fmt.green("✓ true") : fmt.red("✗ false"));
     console.log();
 }
+export async function credentialRoot(opts) {
+    if (!opts.wallet)
+        die("Wallet address required. Use --wallet <address>.");
+    if (!isAddress(opts.wallet))
+        die(`Invalid wallet address: ${opts.wallet}`);
+    const expiresAt = resolveExpiresAt(opts.expiresAt);
+    const { leaf, merkleRoot } = computeZKLeafAndRoot(opts.wallet, expiresAt);
+    header("ILAL ZK Root Preparation", "operator pre-deploy / pre-root");
+    log.kv("wallet", fmt.cyan(opts.wallet));
+    log.kv("kycLevel", "2");
+    log.kv("countryCode", "840");
+    log.kv("expiresAt", `${expiresAt.toString()} ${fmt.gray(new Date(Number(expiresAt) * 1000).toISOString())}`);
+    log.kv("leaf", leaf.toString());
+    log.kv("merkleRoot", fmt.cyan(merkleRoot.toString()));
+    if (opts.issuer) {
+        if (!isAddress(opts.issuer))
+            die(`Invalid issuer address: ${opts.issuer}`);
+        log.kv("issuerHash", poseidonField(addressToField(opts.issuer)).toString());
+        log.kv("schemaHash", schemaHash(COINBASE_SCHEMA_UID).toString());
+    }
+    log.line();
+    log.command(`INITIAL_MERKLE_ROOT=${merkleRoot.toString()} forge script contracts/script/DeployDemo.s.sol ...`);
+    log.command(`PRIVATE_KEY=0x... ilal credential prove --wallet ${opts.wallet} --expires-at ${expiresAt.toString()}`);
+    console.log();
+}

package/dist/commands/session.d.ts

@@ -1,11 +1,11 @@
 export declare function sessionSign(opts: {
     user?: string;
-    pool: string;
+    pool?: string;
     action: string;
-    hook: string;
-    issuer: string;
+    hook?: string;
+    issuer?: string;
     caller?: string;
-    chain: string;
+    chain?: string;
     ttl: number;
     privateKey?: string;
 }): Promise<void>;

package/dist/commands/session.js

@@ -2,6 +2,7 @@ import { createWalletClient, encodeAbiParameters, http, isAddress, isHex, parseA
 import { privateKeyToAccount } from "viem/accounts";
 import { base, baseSepolia } from "viem/chains";
 import { fmt, log, header, die } from "../ui.js";
+import { withConfig } from "../config.js";
 const CHAINS = {
     "8453": base,
     "84532": baseSepolia,
@@ -27,6 +28,7 @@ const HOOK_DATA_ABI = parseAbiParameters([
     "bytes signature",
 ]);
 export async function sessionSign(opts) {
+    const cfg = withConfig({ chain: opts.chain, hook: opts.hook, issuer: opts.issuer });
     // Resolve private key
     const rawKey = opts.privateKey ?? process.env["PRIVATE_KEY"];
     if (!rawKey)
@@ -35,32 +37,36 @@ export async function sessionSign(opts) {
         die("Invalid private key format (expected 0x + 32 bytes).");
     const account = privateKeyToAccount(rawKey);
     const user = (opts.user ?? account.address);
-    const authorizedCaller = (opts.caller ?? user);
+    const pool = opts.pool ?? cfg.poolId;
+    const hook = opts.hook ?? cfg.hook;
+    const issuer = opts.issuer ?? cfg.issuer;
+    const authorizedCaller = (opts.caller ?? cfg.router ?? user);
+    const chainId = opts.chain ?? cfg.chain ?? "84532";
     if (!isAddress(user))
         die(`Invalid user address: ${user}`);
     if (!isAddress(authorizedCaller))
         die(`Invalid authorized caller address: ${authorizedCaller}`);
-    if (!isAddress(opts.hook))
-        die(`Invalid hook address: ${opts.hook}`);
-    if (!isAddress(opts.issuer))
-        die(`Invalid issuer address: ${opts.issuer}`);
-    if (!isHex(opts.pool) || opts.pool.length !== 66)
-        die("poolId must be a 32-byte hex string (0x + 64 chars).");
+    if (!hook || !isAddress(hook))
+        die(`Invalid hook address: ${hook ?? "<missing>"}. Use --hook or run ilal init.`);
+    if (!issuer || !isAddress(issuer))
+        die(`Invalid issuer address: ${issuer ?? "<missing>"}. Use --issuer or run ilal init.`);
+    if (!pool || !isHex(pool) || pool.length !== 66)
+        die("poolId must be a 32-byte hex string. Use --pool or run ilal init.");
     const actionKey = opts.action.toLowerCase().replace(/[^a-z]/g, "");
     const actionCode = ACTIONS[actionKey];
     if (actionCode === undefined)
         die(`Unknown action "${opts.action}". Use: swap | addLiquidity | removeLiquidity`);
-    const chain = CHAINS[opts.chain] ?? baseSepolia;
+    const chain = CHAINS[chainId] ?? baseSepolia;
     const walletClient = createWalletClient({ account, chain, transport: http() });
     const deadline = BigInt(Math.floor(Date.now() / 1000) + opts.ttl);
     const nonce = `0x${Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString("hex")}`;
     const token = {
         user,
         authorizedCaller,
-        cnfIssuer: opts.issuer,
+        cnfIssuer: issuer,
         chainId: BigInt(chain.id),
-        verifyingHook: opts.hook,
-        poolId: opts.pool,
+        verifyingHook: hook,
+        poolId: pool,
         action: actionCode,
         deadline,
         nonce: nonce,
@@ -69,11 +75,11 @@ export async function sessionSign(opts) {
     log.section("Session");
     log.kv("user", fmt.addr(user));
     log.kv("caller", fmt.addr(authorizedCaller));
-    log.kv("chain", chain.name);
-    log.kv("pool", fmt.hash(opts.pool));
+    log.kv("chain", `${chain.name} (${chain.id})`);
+    log.kv("pool", fmt.hash(pool));
     log.kv("action", opts.action);
-    log.kv("hook", fmt.addr(opts.hook));
-    log.kv("issuer", fmt.addr(opts.issuer));
+    log.kv("hook", fmt.addr(hook));
+    log.kv("issuer", fmt.addr(issuer));
     log.kv("deadline", new Date(Number(deadline) * 1000).toISOString());
     log.line();
     log.step("Signing EIP-712 session token locally…");
@@ -84,7 +90,7 @@ export async function sessionSign(opts) {
             name: "ILAL ComplianceHook",
             version: "1",
             chainId: BigInt(chain.id),
-            verifyingContract: opts.hook,
+            verifyingContract: hook,
         },
         types: { SessionToken: SESSION_TOKEN_TYPE },
         primaryType: "SessionToken",
@@ -101,5 +107,6 @@ export async function sessionSign(opts) {
     console.log(`  ${fmt.cyan(hookData)}`);
     console.log();
     console.log(fmt.gray("  verifies: caller, deadline, chainId, hook, pool, action, sig, CNF"));
+    console.log(fmt.gray("  note: this hookData is a one-time authorization; nonce replay is blocked on-chain"));
     console.log();
 }

package/dist/commands/status.js

@@ -15,6 +15,12 @@ const CNF_ABI = [
     { name: "merkleRoot", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "uint256" }] },
     { name: "zkVerifier", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "address" }] },
     { name: "eas", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "address" }] },
+    { name: "issuerMetadata", type: "function", stateMutability: "view", inputs: [], outputs: [
+            { name: "name", type: "string" },
+            { name: "jurisdiction", type: "string" },
+            { name: "credentialStandard", type: "string" },
+            { name: "uri", type: "string" },
+        ] },
 ];
 const HOOK_ABI = [
     { name: "issuer", type: "function", stateMutability: "view", inputs: [], outputs: [{ type: "address" }] },
@@ -100,6 +106,24 @@ export async function status(opts) {
             const hasZKPath = root !== 0n && verifier !== ZERO_ADDRESS;
             log.section("Issuer");
             log.kv("address", fmt.cyan(cfg.issuer));
+            try {
+                const meta = await client.readContract({
+                    address: cfg.issuer,
+                    abi: CNF_ABI,
+                    functionName: "issuerMetadata",
+                });
+                if (meta[0])
+                    log.kv("name", meta[0]);
+                if (meta[1])
+                    log.kv("jurisdiction", meta[1]);
+                if (meta[2])
+                    log.kv("standard", meta[2]);
+                if (meta[3])
+                    log.kv("uri", fmt.gray(meta[3]));
+            }
+            catch {
+                log.kv("metadata", fmt.badge("legacy issuer", "yellow"));
+            }
             log.kv("issuance", hasEASPath
                 ? `${fmt.badge("EAS", "green")} ${fmt.addr(eas)}`
                 : hasZKPath

package/dist/commands/swap.d.ts

@@ -35,5 +35,6 @@ export declare function swap(opts: {
     rpc?: string;
     privateKey?: string;
     ttl?: string;
+    hookData?: string;
     simulate?: boolean;
 }): Promise<void>;

package/dist/commands/swap.js

@@ -18,7 +18,7 @@
  *     --pool-id   0xPOOLID \
  *     --chain     84532
  */
-import { createPublicClient, createWalletClient, encodeAbiParameters, http, isAddress, isHex, parseAbiParameters, parseUnits, } from "viem";
+import { createPublicClient, createWalletClient, decodeAbiParameters, encodeAbiParameters, http, isAddress, isHex, parseAbiParameters, parseUnits, } from "viem";
 import { privateKeyToAccount } from "viem/accounts";
 import { base, baseSepolia } from "viem/chains";
 import { fmt, log, header, Spinner, die, dieOnContract } from "../ui.js";
@@ -214,42 +214,78 @@ export async function swap(opts) {
         { label: "ILAL fee", value: protocolFeePips > 0 ? pipsToPercent(protocolFeePips) : "off", note: protocolFeePips > 0 ? "protocol revenue" : "legacy router", tone: protocolFeePips > 0 ? "cyan" : "gray" },
     ]);
     log.line();
-    // Sign session token
-    const signSpin = new Spinner("Signing session token…").start();
     const ttl = parseInt(opts.ttl ?? "600");
     const deadline = BigInt(Math.floor(Date.now() / 1000) + ttl);
     const nonce = `0x${Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString("hex")}`;
-    const token = {
-        user: account.address,
-        authorizedCaller: cfg.router,
-        cnfIssuer: cfg.issuer,
-        chainId: BigInt(chain.id),
-        verifyingHook: cfg.hook,
-        poolId: cfg.poolId,
-        action: 1, // ACTION_SWAP
-        deadline,
-        nonce,
-    };
-    const signature = await walClient.signTypedData({
-        account,
-        domain: {
-            name: "ILAL ComplianceHook",
-            version: "1",
+    let hookData;
+    let sessionNonce = nonce;
+    if (opts.hookData) {
+        if (!isHex(opts.hookData))
+            die("--hook-data must be 0x-prefixed ABI-encoded hookData.");
+        try {
+            const [externalToken] = decodeAbiParameters(HOOK_DATA_ABI, opts.hookData);
+            const issues = [];
+            if (externalToken.user.toLowerCase() !== account.address.toLowerCase())
+                issues.push("user does not match signer wallet");
+            if (externalToken.authorizedCaller.toLowerCase() !== cfg.router.toLowerCase())
+                issues.push("authorizedCaller does not match router");
+            if (externalToken.cnfIssuer.toLowerCase() !== cfg.issuer.toLowerCase())
+                issues.push("cnfIssuer does not match config");
+            if (externalToken.chainId !== BigInt(chain.id))
+                issues.push(`chainId mismatch: hookData=${externalToken.chainId.toString()} config=${chain.id}`);
+            if (externalToken.verifyingHook.toLowerCase() !== cfg.hook.toLowerCase())
+                issues.push("verifyingHook does not match config");
+            if (externalToken.poolId.toLowerCase() !== cfg.poolId.toLowerCase())
+                issues.push("poolId does not match config");
+            if (externalToken.action !== 1)
+                issues.push("action is not swap");
+            if (externalToken.deadline < BigInt(Math.floor(Date.now() / 1000)))
+                issues.push("session deadline has expired");
+            if (issues.length > 0)
+                die(`Invalid --hook-data for this swap: ${issues.join("; ")}`);
+            sessionNonce = externalToken.nonce;
+            hookData = opts.hookData;
+            log.ok("Using externally supplied one-time session authorization");
+        }
+        catch (e) {
+            die(`Could not decode --hook-data: ${e instanceof Error ? e.message : String(e)}`);
+        }
+    }
+    else {
+        // Sign session token
+        const signSpin = new Spinner("Signing one-time session authorization…").start();
+        const token = {
+            user: account.address,
+            authorizedCaller: cfg.router,
+            cnfIssuer: cfg.issuer,
             chainId: BigInt(chain.id),
-            verifyingContract: cfg.hook,
-        },
-        types: { SessionToken: SESSION_TOKEN_TYPE },
-        primaryType: "SessionToken",
-        message: token,
-    });
-    const hookData = encodeAbiParameters(HOOK_DATA_ABI, [token, signature]);
-    signSpin.succeed(`Session signed (expires in ${ttl}s)`);
+            verifyingHook: cfg.hook,
+            poolId: cfg.poolId,
+            action: 1, // ACTION_SWAP
+            deadline,
+            nonce,
+        };
+        const signature = await walClient.signTypedData({
+            account,
+            domain: {
+                name: "ILAL ComplianceHook",
+                version: "1",
+                chainId: BigInt(chain.id),
+                verifyingContract: cfg.hook,
+            },
+            types: { SessionToken: SESSION_TOKEN_TYPE },
+            primaryType: "SessionToken",
+            message: token,
+        });
+        hookData = encodeAbiParameters(HOOK_DATA_ABI, [token, signature]);
+        signSpin.succeed(`Session authorization signed (expires in ${ttl}s, one-time nonce)`);
+    }
     const fee = parseInt(cfg.fee ?? "3000");
     const tickSpacing = parseInt(cfg.tickSpacing ?? "60");
     log.section("Gate Checks");
     log.kv("credential", `${fmt.badge("required", "cyan")} issuer ${fmt.addr(cfg.issuer)}`);
     log.kv("caller", `${fmt.badge("bound", "green")} ${fmt.addr(cfg.router)}`);
-    log.kv("nonce", `${fmt.badge("fresh", "green")} ${fmt.hash(nonce)}`);
+    log.kv("nonce", `${opts.hookData ? fmt.badge("external", "cyan") : fmt.badge("fresh", "green")} ${fmt.hash(sessionNonce)}`);
     log.kv("fee", feeLabel(fee));
     if (protocolFeePips > 0) {
         log.kv("protocol fee", `${fmt.badge("ILAL", "cyan")} ${pipsToPercent(protocolFeePips)} to ${treasury ? fmt.addr(treasury) : "treasury"}`);

package/dist/index.js

@@ -1,14 +1,14 @@
 #!/usr/bin/env node
 import { Command } from "commander";
 import { credentialStatus } from "./commands/credential.js";
-import { credentialProve } from "./commands/prove.js";
+import { credentialProve, credentialRoot } from "./commands/prove.js";
 import { oracleProposeRoot, oracleActivateRoot, oracleProposeVerifier, oracleActivateVerifier } from "./commands/oracle.js";
 import { mintCredential, renewCredential } from "./commands/mint.js";
 import { proofMint, proofRenew } from "./commands/proof.js";
 import { sessionSign } from "./commands/session.js";
 import { poolPolicySet, poolPolicyGet } from "./commands/pool.js";
 import { deploy } from "./commands/deploy.js";
-import { demo, demoCheck, demoFaucet } from "./commands/demo.js";
+import { demo, demoCheck, demoFaucet, demoAttest } from "./commands/demo.js";
 import { init } from "./commands/init.js";
 import { status } from "./commands/status.js";
 import { swap } from "./commands/swap.js";
@@ -19,7 +19,7 @@ const program = new Command();
 program
     .name("ilal")
     .description("ILAL Protocol CLI — Uniswap v4 compliance hook toolkit")
-    .version("0.2.3")
+    .version("0.2.5")
     .addHelpText("before", `\n  ${fmt.bold(fmt.cyan("◆"))} ${fmt.bold("ILAL Protocol")}  ${fmt.gray("Uniswap v4 Compliance Hook")}\n`);
 // ─── init ─────────────────────────────────────────────────────────────────────
 program
@@ -81,6 +81,15 @@ demoCommand
     .action(async (opts) => {
     await demoFaucet(opts).catch(err);
 });
+demoCommand
+    .command("attest")
+    .description("Create a MockEAS test attestation for a wallet (demo issuer owner only)")
+    .requiredOption("-w, --wallet <address>", "Recipient wallet that will mint the CNF")
+    .option("--expires-in-days <days>", "Attestation lifetime in days", "90")
+    .option("-k, --private-key <hex>", "MockEAS owner private key")
+    .action(async (opts) => {
+    await demoAttest(opts).catch(err);
+});
 const err = (e) => {
     console.error(fmt.red(`\nError: ${e instanceof Error ? e.message : String(e)}\n`));
     process.exit(1);
@@ -107,9 +116,19 @@ credential
     .option("-c, --chain <chainId>", "Chain ID (8453=Base, 84532=Base Sepolia)", "84532")
     .option("-r, --rpc <url>", "Custom RPC URL")
     .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
+    .option("--expires-at <unix>", "Unix timestamp used in the ZK proof/root (must match issuer root)")
     .action(async (opts) => {
     await credentialProve(opts).catch(err);
 });
+credential
+    .command("zk-root")
+    .description("Compute the Merkle root needed for a one-wallet ZK credential demo")
+    .requiredOption("-w, --wallet <address>", "Wallet address included in the ZK tree")
+    .option("-i, --issuer <address>", "Issuer address, used to print matching public-input hashes")
+    .requiredOption("--expires-at <unix>", "Future Unix timestamp; pass the same value to credential prove")
+    .action(async (opts) => {
+    await credentialRoot(opts).catch(err);
+});
 credential
     .command("mint")
     .description("Mint a CNF credential using a Coinbase EAS attestation")
@@ -165,13 +184,13 @@ const session = program.command("session").description("Session token operations
 session
     .command("sign")
     .description("Sign an EIP-712 session token locally — no ILAL API call")
-    .requiredOption("-p, --pool <bytes32>", "Pool ID (bytes32 hex)")
+    .option("-p, --pool <bytes32>", "Pool ID (bytes32 hex, defaults to .ilal.json poolId)")
     .requiredOption("-a, --action <action>", "Action: swap | addLiquidity | removeLiquidity")
-    .requiredOption("-H, --hook <address>", "ComplianceHook contract address")
-    .requiredOption("-i, --issuer <address>", "CNFIssuer contract address")
+    .option("-H, --hook <address>", "ComplianceHook contract address (defaults to .ilal.json hook)")
+    .option("-i, --issuer <address>", "CNFIssuer contract address (defaults to .ilal.json issuer)")
     .option("-u, --user <address>", "Trader address (defaults to key's address)")
-    .option("--caller <address>", "Authorized v4 caller (defaults to user; use ILALRouter address for router flows)")
-    .option("-c, --chain <chainId>", "Chain ID", "8453")
+    .option("--caller <address>", "Authorized v4 caller (defaults to .ilal.json router, then user)")
+    .option("-c, --chain <chainId>", "Chain ID (defaults to .ilal.json chain, then 84532)")
     .option("-t, --ttl <seconds>", "Session lifetime in seconds", "600")
     .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
     .action(async (opts) => {
@@ -266,6 +285,7 @@ program
     .option("-r, --rpc <url>", "Custom RPC URL")
     .option("-k, --private-key <hex>", "Private key (or set PRIVATE_KEY env var)")
     .option("--ttl <seconds>", "Session token lifetime in seconds", "600")
+    .option("--hook-data <hex>", "Use externally signed one-time hookData instead of signing inside swap")
     .option("--simulate", "Sign session without sending tx", false)
     .action(async (opts) => {
     await swap(opts).catch(err);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ilalv3/cli",
-  "version": "0.2.3",
+  "version": "0.2.5",
   "description": "ILAL Protocol CLI — compliant swaps and credential management for Uniswap v4",
   "type": "module",
   "bin": {