@kairoguard/sdk 0.0.10 → 0.0.12

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Kairo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,92 +1,113 @@
-# `@kairo/sdk` (MVP)
+# `@kairoguard/sdk`
 
-MVP helpers for:
+Kairo SDK for multi-chain policy-based transaction signing with dWallet support.
 
-- computing an **EVM intent hash** (Keccak256 over serialized unsigned tx bytes)
-- building a Sui transaction to mint a **hard-gate** `PolicyReceipt`
-- fetching + validating a `PolicyReceipt` / `PolicyReceiptV2` object for gating
-- verifying a Sui custody `CustodyEvent` hash (v2/v3 canonical BCS hashing)
+## Features
 
-## Install
+- **Multi-chain intent computation**: EVM, Bitcoin, Solana
+- **Policy-based gating**: Mint and validate PolicyReceipts on Sui
+- **dWallet management**: Create and manage dWallets with policy bindings
+- **Governance**: Propose, approve, and execute policy updates
+- **Audit**: Verify custody events and audit bundles
+- **CLI**: Command-line tools for key management and auditing
 
-From repo root:
+## Install
 
 ```bash
-npm install
+npm install @kairoguard/sdk
 ```
 
-## DApp flow (user mints receipt with their Sui wallet)
+## Quick Start
 
-1) Your app computes the EVM unsigned tx bytes and intent hash:
+### Initialize the client
 
 ```ts
-import { computeEvmIntentFromUnsignedTxBytes } from "@kairo/sdk";
+import { KairoClient } from "@kairoguard/sdk";
 
-const { intentHash } = computeEvmIntentFromUnsignedTxBytes({
-  chainId: 84532, // Base Sepolia (example)
-  unsignedTxBytesHex, // 0x... serialized unsigned EIP-1559 tx bytes
+const client = new KairoClient({
+  backendUrl: "https://kairo-policy-engine-mmux6.ondigitalocean.app",
+  apiKey: "your-api-key",
 });
 ```
 
-2) Build a Sui tx that mints a receipt:
+### Create a dWallet
 
 ```ts
-import { buildMintEvmReceiptTx } from "@kairo/sdk";
-
-const tx = buildMintEvmReceiptTx({
-  packageId,
-  policyObjectId,
-  evmChainId: 84532,
-  intentHash,
-  toEvm,
+const wallet = await client.createWallet({
+  chain: "evm",
+  policyStableId: "my-policy",
 });
 ```
 
-3) Have the user sign+execute the Sui tx with their wallet (example using Sui dApp kit):
+### Compute transaction intent (EVM example)
 
 ```ts
-// Pseudocode: your wallet adapter will differ depending on your stack.
-const result = await wallet.signAndExecuteTransaction({
-  transaction: tx,
-  chain: "sui:testnet",
+import { computeEvmIntentFromUnsignedTxBytes } from "@kairoguard/sdk";
+
+const { intentHash } = computeEvmIntentFromUnsignedTxBytes({
+  chainId: 84532, // Base Sepolia
+  unsignedTxBytesHex: "0x...",
 });
 ```
 
-4) Extract the created receipt object id from the execution result, then hard-gate EVM signing:
+### Compute transaction intent (Solana example)
 
 ```ts
-// We’ll add a helper for extracting created receipt IDs once we standardize receipt type strings.
-// For now, you can scan result.effects.created for the created object id of PolicyReceipt.
-```
-
-## Demo/extension flow (backend mints receipt)
+import { computeSolanaIntentHash } from "@kairoguard/sdk";
 
-In this repo’s Key‑Spring demo, the backend mints the receipt (so the extension UX stays “approve action” instead of “approve Sui tx”).
-The verifier helper `fetchAndValidatePolicyReceipt` supports both receipt types:
-
-- legacy `PolicyReceipt` (MVP)
-- `PolicyReceiptV2` (includes `policy_root` + `policy_version_id` + optional selector/amount)
+const intentHash = computeSolanaIntentHash({
+  from: senderAddress,
+  instructions: parsedInstructions,
+});
+```
 
-If you also log to the custody ledger, you can verify a specific custody event hash:
+### Build Sui receipt transaction
 
 ```ts
-import { fetchAndVerifyCustodyEvent } from "@kairo/sdk";
+import { buildMintEvmReceiptTx } from "@kairoguard/sdk";
 
-const res = await fetchAndVerifyCustodyEvent({
-  suiRpcUrl,
-  custodyEventObjectId: "0x...",
+const tx = buildMintEvmReceiptTx({
+  packageId: "0x...",
+  policyObjectId: "0x...",
+  evmChainId: 84532,
+  intentHash,
+  toEvm: recipientAddress,
 });
-if (!res.ok) throw new Error(res.error);
 ```
 
+### Policy governance
 
+```ts
+// Propose a policy update
+const proposal = await client.proposePolicyUpdate({
+  governanceId: "0x...",
+  newPolicyObjectId: "0x...",
+  description: "Update spend limits",
+});
 
+// Approve the proposal
+await client.approvePolicyUpdate({
+  governanceId: "0x...",
+  proposalId: proposal.proposalId,
+});
 
+// Execute after threshold reached
+await client.executePolicyUpdate({
+  governanceId: "0x...",
+  proposalId: proposal.proposalId,
+});
+```
 
+## CLI Usage
 
+```bash
+# Audit a bundle
+npx @kairoguard/sdk kairo-audit audit <bundle-path>
 
+# List keys
+npx @kairoguard/sdk kairo list-keys
+```
 
+## Documentation
 
-
-
-
+For detailed documentation and examples, visit [www.kairoguard.com/docs](https://www.kairoguard.com/docs).

package/SKILL.md

@@ -0,0 +1,186 @@
+---
+name: kairo
+description: Manage Kairo policy-enforced agent wallets. Use when creating wallets, setting transaction policies, checking vault status, minting policy receipts, or signing transactions through the Kairo API. Supports full wallet lifecycle: register API key → create wallet (DKG) → create policy → bind → vault provision → mint receipt → sign. Uses @kairo/sdk for non-custodial wallet creation (agent keeps secret share locally).
+---
+
+# Kairo — Agent Wallet Management
+
+## Quick Reference
+
+CLI script: `skills/kairo/scripts/kairo.ps1`
+API reference: `skills/kairo/references/api.md`
+SDK reference: `skills/kairo/references/sdk.md`
+
+## Setup
+
+API key and wallet details should be stored in TOOLS.md under "Kairo Agent API".
+
+If no API key exists, register one:
+```powershell
+powershell -File skills/kairo/scripts/kairo.ps1 register -Label "agent-name"
+```
+Save the returned key to TOOLS.md immediately.
+
+## SDK Installation & Auto-Setup
+
+After installing the SDK, agents should automatically create a wallet:
+
+```typescript
+import { KairoClient } from "@kairoguard/sdk";
+
+const kairo = new KairoClient({ 
+  apiKey, 
+  backendUrl: "https://api.kairoguard.com" 
+});
+
+// Automatically create wallet on SDK initialization
+const wallet = await kairo.createWallet({ curve: "secp256k1" });
+console.log(`✅ Wallet created: ${wallet.address}`);
+```
+
+**What's happening:** Your agent just ran a Distributed Key Generation (DKG) ceremony with Kairo's servers. Through advanced cryptography, two shares were created such that neither party sees the other's share, yet both are needed to sign. Your share is encrypted and stored locally at `~/.kairo/keys/`.
+
+**Security:** Even if Kairo's servers were compromised, your funds are safe — attackers would only have one share. The full private key never exists in one place.
+
+The wallet will be provisioned into the vault when the user connects their agent through the Kairo dashboard onboarding flow.
+
+## Common Workflows
+
+### Check API Health
+```powershell
+powershell -File skills/kairo/scripts/kairo.ps1 health
+```
+
+### Create a Policy
+```powershell
+powershell -File skills/kairo/scripts/kairo.ps1 policy-create `
+  -ApiKey $key `
+  -StableId "my-policy" `
+  -Version "1.0.0" `
+  -AllowAddresses "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18"
+```
+Then register the version:
+```powershell
+powershell -File skills/kairo/scripts/kairo.ps1 policy-register -ApiKey $key -PolicyId "0x..."
+```
+
+✅ Policy published on-chain! Once registered, this policy becomes immutable — it cannot be changed without going through governance (propose → approve → execute). Your agent cannot bypass these rules.
+
+### Create Wallet (via SDK)
+For wallet creation, use the Node.js SDK (handles DKG client-side):
+```typescript
+import { KairoClient } from "@kairo/sdk";
+const kairo = new KairoClient({ apiKey, backendUrl: "https://api.kairoguard.com" });
+const wallet = await kairo.createWallet({ curve: "secp256k1" });
+```
+SDK source: `packages/kairo-sdk/` in the kairo repo.
+See `skills/kairo/references/sdk.md` for full SDK docs.
+
+### Provision Wallet into Vault
+Requires: policy version registered first.
+```powershell
+powershell -File skills/kairo/scripts/kairo.ps1 vault-provision `
+  -ApiKey $key `
+  -WalletId "0x..." `
+  -PolicyId "0x..." `
+  -StableId "my-policy"
+```
+
+**Note:** For agent-created wallets, provisioning happens automatically when the user connects their agent through the Kairo dashboard.
+
+✅ Vault provisioned! Your wallet is now bound to your policy on-chain. The vault smart contract will enforce that only your API key can request signatures, and every request must include a valid policy receipt proving the transaction follows your rules.
+
+### Mint Policy Receipt
+```powershell
+powershell -File skills/kairo/scripts/kairo.ps1 receipt-mint `
+  -ApiKey $key `
+  -PolicyId "0x..." `
+  -BindingId "0x..." `
+  -Destination "0x742d35Cc..." `
+  -IntentHash "0xabab..."
+```
+
+### Check Vault Status
+```powershell
+powershell -File skills/kairo/scripts/kairo.ps1 vault-status -WalletId "0x..."
+```
+
+### View Audit Events
+```powershell
+powershell -File skills/kairo/scripts/kairo.ps1 audit -ApiKey $key -Limit 20
+```
+
+## Transaction Completion
+
+After completing any transaction, agents should share a link to the transaction on Kairo Guard:
+
+```
+✅ Transaction completed! View on Kairo Guard:
+https://kairoguard.com/tx/<transaction-hash>
+
+This transaction was signed using 2-of-2 MPC — your agent provided one share, Kairo's server provided the other (only after verifying your policy allowed it). Neither share ever left its secure location.
+```
+
+For example:
+```typescript
+const result = await kairo.signAndBroadcast(intent);
+console.log(`✅ Transaction completed! View on Kairo Guard: https://kairoguard.com/tx/${result.txHash}`);
+console.log(`🔒 Security: This transaction required both your agent's share AND Kairo's server share. The server only released its share after your policy approved the transaction on-chain.`);
+```
+
+## Full Agent Flow (End to End)
+
+1. `register` → get API key
+2. **SDK auto-creates wallet** → DKG runs locally, secret share stays on agent
+3. `policy-create` → create transaction policy with allowed addresses
+4. `policy-register` → register version in on-chain registry
+5. **User connects agent** → wallet gets provisioned into vault via dashboard
+6. `receipt-mint` → request policy check for a transaction
+7. Sign via SDK or API → both shares combine, only if policy allows
+8. **Share tx link** → send user the kairoguard.com/tx/<hash> link
+
+## Trust Model (Why This Is Secure)
+
+**2-of-2 Multi-Party Computation (MPC)**
+
+Think of your wallet like a two-key safe:
+- 🔑 **Your agent holds one key share** — stored encrypted at `~/.kairo/keys/`, never leaves your device
+- 🔑 **Kairo's servers hold the other share** — stored in secure infrastructure, never exposed
+- 🚫 **Neither can sign alone** — both shares must combine in a secure enclave to sign
+- ✅ **Policy engine verifies every transaction** — before the server releases its share, it checks the on-chain policy
+
+**What this means for you:**
+- Even if hackers breached Kairo's servers, your funds are safe (they only have 1 share)
+- Even if your agent was compromised, your funds are safe (it only has 1 share)
+- Every transaction is publicly verified on-chain — you can audit any signature
+- Your policy rules are immutable once published — no one can change them without your approval through governance
+
+## Demo Preflight (Do This Every Time)
+
+Before running a live demo, verify these in order:
+
+1. **API key is backend-registered (not local placeholder)**
+   - Use `/api/keys/register` output or `kairo.ps1 register`
+   - Reject keys that start with `kairo_local_...`
+2. **Backend key persistence is enabled**
+   - `SUPABASE_URL`, `SUPABASE_SERVICE_ROLE_KEY`, `KAIRO_API_KEYS_TABLE=api_keys`
+   - Confirm key hash exists in Supabase `public.api_keys`
+3. **Policy version is registered before provision**
+   - `policy-create` -> `policy-register` -> then `vault-provision`
+4. **Wallet ownership matches key**
+   - Wallet must be created/provisioned using the same API key
+5. **Fund wallet before signing test**
+   - Check Base Sepolia balance first
+6. **Avoid nonce race in repeated demos**
+   - Wait for prior tx propagation before immediate rerun
+   - If broadcast returns `already known`/`nonce too low`, fetch latest/pending nonce and retry once with fresh sign
+
+## Troubleshooting
+
+- **401 Unauthorized**: API key missing/invalid OR not registered in backend key store. Use backend-registered key only.
+- **403 Forbidden: key does not own wallet**: Wallet wasn't created/provisioned with this API key (ownership mismatch).
+- **404 on key upsert/query**: Supabase table/env mismatch (`KAIRO_API_KEYS_TABLE` must be `api_keys`).
+- **429 Rate limit**: Public Sui RPC throttled — use Shinami or own RPC provider.
+- **MoveAbort code 102**: Policy version not registered — call `policy-register` before `vault-provision`.
+- **`nonce too low` / `already known`**: Rapid reruns or duplicate raw tx; wait for pending tx, then re-sign and rebroadcast.
+- **AwaitingKeyHolderSignature**: Wallet needs activation after DKG — SDK activation flow required.

package/dist/skill-templates.d.ts

@@ -4,6 +4,6 @@
  * All backend URLs are intentionally omitted -- the SDK and CLI
  * resolve the endpoint internally.
  */
-export declare const SKILL_MD = "---\nname: kairo\ndescription: Manage Kairo policy-enforced agent wallets. Use when creating wallets, setting transaction policies, checking vault status, minting policy receipts, or signing transactions through the Kairo SDK/CLI. Supports full wallet lifecycle: register API key -> create wallet (DKG) -> create policy -> bind -> vault provision -> mint receipt -> sign. Uses @kairo/sdk for non-custodial wallet creation (agent keeps secret share locally).\n---\n\n# Kairo \u2014 Agent Wallet Management\n\n## Quick Reference\n\nCLI: `npx kairo <command>`\nSDK reference: `.cursor/skills/kairo/references/sdk.md`\nAPI reference: `.cursor/skills/kairo/references/api.md`\n\n## Setup\n\nRun the one-line installer (already done if you see this file):\n```bash\nnpx @kairo/sdk init <YOUR_KEY>\n```\n\nThe API key is stored in `~/.kairo/config.json`. All CLI commands read it automatically.\n\n## Common Workflows\n\n### Check API Health\n```bash\nnpx kairo health\n```\n\n### Create a Policy\n```bash\nnpx kairo policy-create --stable-id \"my-policy\" --allow \"0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18\"\n```\nThen register the version:\n```bash\nnpx kairo policy-register --policy-id \"0x...\"\n```\n\n### Create Wallet (via SDK)\nFor wallet creation, use the Node.js SDK (handles DKG client-side):\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\nconst kairo = new KairoClient({ apiKey: process.env.KAIRO_API_KEY! });\nconst wallet = await kairo.createWallet({ curve: \"secp256k1\" });\n```\nSee `.cursor/skills/kairo/references/sdk.md` for full SDK docs.\n\n### Provision Wallet into Vault\nRequires: policy version registered first.\n```bash\nnpx kairo vault-provision --wallet-id \"0x...\" --policy-id \"0x...\" --stable-id \"my-policy\"\n```\n\n### Mint Policy Receipt\n```bash\nnpx kairo receipt-mint --policy-id \"0x...\" --binding-id \"0x...\" --destination \"0x742d35Cc...\" --intent-hash \"0xabab...\"\n```\n\n### Check Vault Status\n```bash\nnpx kairo vault-status --wallet-id \"0x...\"\n```\n\n### View Audit Events\n```bash\nnpx kairo audit --limit 20\n```\n\n## Full Agent Flow (End to End)\n\n1. `npx @kairo/sdk init <YOUR_KEY>` \u2014 store API key, install skill\n2. `npx kairo policy-create` \u2014 create transaction policy with allowed addresses\n3. `npx kairo policy-register` \u2014 register version in on-chain registry\n4. Create wallet via SDK `createWallet()` \u2014 runs DKG locally, secret share stays on agent\n5. `npx kairo vault-provision` \u2014 bind policy + register wallet in vault (atomic)\n6. `npx kairo receipt-mint` \u2014 request policy check for a transaction\n7. Sign via SDK \u2014 both shares combine, only if policy allows\n\n## Trust Model\n\n- Agent's key share stays local (`~/.kairo/keys/`)\n- Server's key share stays on Kairo backend\n- Neither party can sign alone\n- Policy engine gates every transaction before server releases its share\n- All policy decisions are on-chain (Sui) and verifiable\n\n## Troubleshooting\n\n- **401 Unauthorized**: API key missing/invalid or not registered in backend key store. Re-run `npx @kairo/sdk init <YOUR_KEY>` with a valid key.\n- **403 Forbidden: key does not own wallet**: Wallet wasn't created/provisioned with this API key (ownership mismatch).\n- **429 Rate limit**: Public Sui RPC throttled \u2014 use Shinami or own RPC provider.\n- **MoveAbort code 102**: Policy version not registered \u2014 call `npx kairo policy-register` before `vault-provision`.\n- **`nonce too low` / `already known`**: Rapid reruns or duplicate raw tx; wait for pending tx, then re-sign and rebroadcast.\n- **AwaitingKeyHolderSignature**: Wallet needs activation after DKG \u2014 SDK activation flow required.\n";
+export declare const SKILL_MD = "---\nname: kairo\ndescription: Manage Kairo policy-enforced agent wallets. Use when creating wallets, checking vault status, minting policy receipts, or signing transactions through the Kairo SDK/CLI. Default onboarding is dashboard-first: register API key -> create wallet (DKG) in agent -> dashboard auto-binds/provisions policy. Uses @kairo/sdk for non-custodial wallet creation (agent keeps secret share locally).\n---\n\n# Kairo \u2014 Agent Wallet Management\n\n## Quick Reference\n\nCLI: `npx kairo <command>`\nSDK reference: `.cursor/skills/kairo/references/sdk.md`\nAPI reference: `.cursor/skills/kairo/references/api.md`\n\n## Setup\n\nRun the one-line installer (already done if you see this file):\n```bash\nnpx @kairo/sdk init <YOUR_KEY>\n```\n\nThe API key is stored in `~/.kairo/config.json`. All CLI commands read it automatically.\n\n## Common Workflows\n\n### Check API Health\n```bash\nnpx kairo health\n```\n\n### Dashboard-First Onboarding (Recommended)\n1. In dashboard onboarding, create/select policy + governance.\n2. In your agent:\n```bash\nnpx @kairo/sdk init <YOUR_KEY>\n```\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\nconst kairo = new KairoClient({ apiKey: process.env.KAIRO_API_KEY! });\nconst wallet = await kairo.createWallet({ curve: \"secp256k1\" });\n```\n3. Return to dashboard \"Verify Connection\". Dashboard auto-provisions wallet policy binding + vault registration.\n\n### Create a Policy (Advanced / Self-Managed)\n```bash\nnpx kairo policy-create --stable-id \"my-policy\" --allow \"0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18\"\n```\nThen register the version:\n```bash\nnpx kairo policy-register --policy-id \"0x...\"\n```\n\n### Create Wallet (via SDK)\nFor wallet creation, use the Node.js SDK (handles DKG client-side):\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\nconst kairo = new KairoClient({ apiKey: process.env.KAIRO_API_KEY! });\nconst wallet = await kairo.createWallet({ curve: \"secp256k1\" });\n```\nSee `.cursor/skills/kairo/references/sdk.md` for full SDK docs.\n\n### Provision Wallet into Vault\nRequires: policy version registered first.\n```bash\nnpx kairo vault-provision --wallet-id \"0x...\" --policy-id \"0x...\" --stable-id \"my-policy\"\n```\n\n### Mint Policy Receipt\n```bash\nnpx kairo receipt-mint --policy-id \"0x...\" --binding-id \"0x...\" --destination \"0x742d35Cc...\" --intent-hash \"0xabab...\"\n```\n\n### Check Vault Status\n```bash\nnpx kairo vault-status --wallet-id \"0x...\"\n```\n\n### View Audit Events\n```bash\nnpx kairo audit --limit 20\n```\n\n## Full Agent Flow (Dashboard-First)\n\n1. `npx @kairo/sdk init <YOUR_KEY>` \u2014 store API key, install skill\n2. Create/select policy in dashboard onboarding\n3. Configure governance approvers in dashboard onboarding (optional)\n4. Create wallet via SDK `createWallet()` \u2014 runs DKG locally, secret share stays on agent\n5. Dashboard Verify step auto-provisions wallet with selected policy\n6. `npx kairo receipt-mint` \u2014 request policy check for a transaction\n7. Sign via SDK \u2014 both shares combine, only if policy allows\n\n## Advanced: Self-Managed Flow (CLI Heavy)\n\n1. `npx @kairo/sdk init <YOUR_KEY>`\n2. `npx kairo policy-create`\n3. `npx kairo policy-register`\n4. SDK `createWallet()`\n5. `npx kairo vault-provision`\n\n## Trust Model\n\n- Agent's key share stays local (`~/.kairo/keys/`)\n- Server's key share stays on Kairo backend\n- Neither party can sign alone\n- Policy engine gates every transaction before server releases its share\n- All policy decisions are on-chain (Sui) and verifiable\n\n## Troubleshooting\n\n- **401 Unauthorized**: API key missing/invalid or not registered in backend key store. Re-run `npx @kairo/sdk init <YOUR_KEY>` with a valid key.\n- **403 Forbidden: key does not own wallet**: Wallet wasn't created/provisioned with this API key (ownership mismatch).\n- **429 Rate limit**: Public Sui RPC throttled \u2014 use Shinami or own RPC provider.\n- **MoveAbort code 102**: Policy version not registered \u2014 call `npx kairo policy-register` before `vault-provision`.\n- **`nonce too low` / `already known`**: Rapid reruns or duplicate raw tx; wait for pending tx, then re-sign and rebroadcast.\n- **AwaitingKeyHolderSignature**: Wallet needs activation after DKG \u2014 SDK activation flow required.\n";
 export declare const API_REFERENCE_MD = "# Kairo API Reference\n\n## Authentication\nAll write endpoints require `X-Kairo-Api-Key` header.\nThe CLI reads the key from `~/.kairo/config.json` automatically.\nOpen endpoints: `/health`, `/api/vault/info`, `/api/vault/status/:id`, `/api/audit/events`\n\n## Key Registration\n```bash\nnpx kairo register --label \"my-agent\"\n```\n\n## Wallet Creation (via SDK)\nThe SDK handles DKG client-side. Agent keeps their secret share locally.\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\nconst kairo = new KairoClient({ apiKey: process.env.KAIRO_API_KEY! });\nconst wallet = await kairo.createWallet({ curve: \"secp256k1\" });\n// wallet.walletId, wallet.address\n```\n\n## Policy Management\n\n### Create Policy\n```bash\nnpx kairo policy-create --stable-id \"my-policy\" --version \"1.0.0\" --allow \"0x<address>\"\n```\n\nRule types:\n- `1` = MaxNativeValue (max single transaction value)\n- `10` = PeriodLimit (cumulative spend limit per time window)\n\n### Register Policy Version\n```bash\nnpx kairo policy-register --policy-id \"0x...\"\n```\n\n### Get Policy Details\n```bash\nnpx kairo policy-details --policy-id \"0x...\"\n```\n\n## Vault\n\n### Provision (atomic binding + vault registration)\n```bash\nnpx kairo vault-provision --wallet-id \"0x...\" --policy-id \"0x...\" --stable-id \"my-policy\"\n```\nNote: Register policy version BEFORE calling provision.\n\n### Check Status\n```bash\nnpx kairo vault-status --wallet-id \"0x...\"\n```\n\n## Receipt Minting\n```bash\nnpx kairo receipt-mint --policy-id \"0x...\" --binding-id \"0x...\" --destination \"0x...\" --intent-hash \"0x...\"\n```\nNamespace: 1=EVM, 2=Bitcoin, 3=Solana\n\n## Utility\n```bash\nnpx kairo health          # Server health\nnpx kairo audit --limit 20  # Recent audit events\n```\n";
-export declare const SDK_REFERENCE_MD = "# Kairo SDK Reference\n\n## Installation\n```bash\nnpm install @kairo/sdk\n```\n\nRequires: `@ika.xyz/sdk`, `@mysten/sui`\n\n## KairoClient\n\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\n\nconst kairo = new KairoClient({\n  apiKey: process.env.KAIRO_API_KEY!,\n  storePath: \"~/.kairo/keys\",        // local secret share storage (default)\n  network: \"testnet\",                 // or \"mainnet\"\n  suiRpcUrl: \"https://...\",           // optional, defaults to public testnet\n});\n```\n\n### createWallet(opts?)\nCreates a dWallet via client-side DKG. Secret share stays local.\n\n```typescript\nconst wallet = await kairo.createWallet({\n  curve: \"secp256k1\",           // or \"ed25519\" for Solana\n  policyObjectId: \"0x...\",      // optional: auto-provision into vault\n  stableId: \"my-policy\",        // optional: binding label\n});\n// Returns: { walletId, address, curve, bindingObjectId?, createdAt }\n```\n\n**Important:** If providing `policyObjectId`, register the policy version first.\n\n### listWallets()\nLists all wallets in local key store.\n```typescript\nconst wallets = kairo.listWallets();\n```\n\n### getWallet(walletId)\nGets a specific wallet from local store.\n```typescript\nconst w = kairo.getWallet(\"0x...\");\n```\n\n## BackendClient (HTTP wrapper)\nLower-level HTTP client for direct API calls.\n\n```typescript\nimport { BackendClient } from \"@kairo/sdk\";\n\nconst client = new BackendClient({ apiKey: \"your-key\" });\n\nawait client.register(\"my-agent\");\nawait client.getHealth();\nawait client.submitDKG({...});\nawait client.getDKGStatus(requestId);\nawait client.provision({...});\nawait client.mintReceipt({...});\n```\n\n## KeyStore (local storage)\nFile-based secret share storage at `~/.kairo/keys/`.\n\n```typescript\nimport { KeyStore } from \"@kairo/sdk\";\n\nconst store = new KeyStore(\"~/.kairo/keys\");\nstore.save(record);\nstore.load(\"0x...\");\nstore.list();\nstore.delete(\"0x...\");\n```\n\n## Trust Model\n- Agent's secret share -> stored locally (KeyStore), never sent to server\n- Server's share -> held by Kairo backend\n- Full signing -> requires BOTH shares + policy approval\n- Kairo alone cannot sign (missing agent share)\n- Agent alone cannot sign (missing server share)\n";
+export declare const SDK_REFERENCE_MD = "# Kairo SDK Reference\n\n## Installation\n```bash\nnpm install @kairo/sdk\n```\n\nRequires: `@ika.xyz/sdk`, `@mysten/sui`\n\n## KairoClient\n\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\n\nconst kairo = new KairoClient({\n  apiKey: process.env.KAIRO_API_KEY!,\n  storePath: \"~/.kairo/keys\",        // local secret share storage (default)\n  network: \"testnet\",                 // or \"mainnet\"\n  suiRpcUrl: \"https://...\",           // optional, defaults to public testnet\n});\n```\n\n### createWallet(opts?)\nCreates a dWallet via client-side DKG. Secret share stays local.\n\n```typescript\nconst wallet = await kairo.createWallet({\n  curve: \"secp256k1\",           // or \"ed25519\" for Solana\n});\n// Returns: { walletId, address, curve, bindingObjectId?, createdAt }\n```\n\nDashboard-first default: create wallet in agent and let dashboard onboarding handle policy provisioning.\n\nAdvanced optional params are still supported:\n```typescript\nconst wallet = await kairo.createWallet({\n  curve: \"secp256k1\",\n  policyObjectId: \"0x...\",\n  stableId: \"my-policy\",\n});\n```\n\n### listWallets()\nLists all wallets in local key store.\n```typescript\nconst wallets = kairo.listWallets();\n```\n\n### getWallet(walletId)\nGets a specific wallet from local store.\n```typescript\nconst w = kairo.getWallet(\"0x...\");\n```\n\n## BackendClient (HTTP wrapper)\nLower-level HTTP client for direct API calls.\n\n```typescript\nimport { BackendClient } from \"@kairo/sdk\";\n\nconst client = new BackendClient({ apiKey: \"your-key\" });\n\nawait client.register(\"my-agent\");\nawait client.getHealth();\nawait client.submitDKG({...});\nawait client.getDKGStatus(requestId);\nawait client.provision({...});\nawait client.mintReceipt({...});\n```\n\n## KeyStore (local storage)\nFile-based secret share storage at `~/.kairo/keys/`.\n\n```typescript\nimport { KeyStore } from \"@kairo/sdk\";\n\nconst store = new KeyStore(\"~/.kairo/keys\");\nstore.save(record);\nstore.load(\"0x...\");\nstore.list();\nstore.delete(\"0x...\");\n```\n\n## Trust Model\n- Agent's secret share -> stored locally (KeyStore), never sent to server\n- Server's share -> held by Kairo backend\n- Full signing -> requires BOTH shares + policy approval\n- Kairo alone cannot sign (missing agent share)\n- Agent alone cannot sign (missing server share)\n";

package/dist/skill-templates.js

@@ -6,7 +6,7 @@
  */
 export const SKILL_MD = `---
 name: kairo
-description: Manage Kairo policy-enforced agent wallets. Use when creating wallets, setting transaction policies, checking vault status, minting policy receipts, or signing transactions through the Kairo SDK/CLI. Supports full wallet lifecycle: register API key -> create wallet (DKG) -> create policy -> bind -> vault provision -> mint receipt -> sign. Uses @kairo/sdk for non-custodial wallet creation (agent keeps secret share locally).
+description: Manage Kairo policy-enforced agent wallets. Use when creating wallets, checking vault status, minting policy receipts, or signing transactions through the Kairo SDK/CLI. Default onboarding is dashboard-first: register API key -> create wallet (DKG) in agent -> dashboard auto-binds/provisions policy. Uses @kairo/sdk for non-custodial wallet creation (agent keeps secret share locally).
 ---
 
 # Kairo — Agent Wallet Management
@@ -33,7 +33,20 @@ The API key is stored in \`~/.kairo/config.json\`. All CLI commands read it auto
 npx kairo health
 \`\`\`
 
-### Create a Policy
+### Dashboard-First Onboarding (Recommended)
+1. In dashboard onboarding, create/select policy + governance.
+2. In your agent:
+\`\`\`bash
+npx @kairo/sdk init <YOUR_KEY>
+\`\`\`
+\`\`\`typescript
+import { KairoClient } from "@kairo/sdk";
+const kairo = new KairoClient({ apiKey: process.env.KAIRO_API_KEY! });
+const wallet = await kairo.createWallet({ curve: "secp256k1" });
+\`\`\`
+3. Return to dashboard "Verify Connection". Dashboard auto-provisions wallet policy binding + vault registration.
+
+### Create a Policy (Advanced / Self-Managed)
 \`\`\`bash
 npx kairo policy-create --stable-id "my-policy" --allow "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18"
 \`\`\`
@@ -72,16 +85,24 @@ npx kairo vault-status --wallet-id "0x..."
 npx kairo audit --limit 20
 \`\`\`
 
-## Full Agent Flow (End to End)
+## Full Agent Flow (Dashboard-First)
 
 1. \`npx @kairo/sdk init <YOUR_KEY>\` — store API key, install skill
-2. \`npx kairo policy-create\` — create transaction policy with allowed addresses
-3. \`npx kairo policy-register\` — register version in on-chain registry
+2. Create/select policy in dashboard onboarding
+3. Configure governance approvers in dashboard onboarding (optional)
 4. Create wallet via SDK \`createWallet()\` — runs DKG locally, secret share stays on agent
-5. \`npx kairo vault-provision\` — bind policy + register wallet in vault (atomic)
+5. Dashboard Verify step auto-provisions wallet with selected policy
 6. \`npx kairo receipt-mint\` — request policy check for a transaction
 7. Sign via SDK — both shares combine, only if policy allows
 
+## Advanced: Self-Managed Flow (CLI Heavy)
+
+1. \`npx @kairo/sdk init <YOUR_KEY>\`
+2. \`npx kairo policy-create\`
+3. \`npx kairo policy-register\`
+4. SDK \`createWallet()\`
+5. \`npx kairo vault-provision\`
+
 ## Trust Model
 
 - Agent's key share stays local (\`~/.kairo/keys/\`)
@@ -194,13 +215,20 @@ Creates a dWallet via client-side DKG. Secret share stays local.
 \`\`\`typescript
 const wallet = await kairo.createWallet({
   curve: "secp256k1",           // or "ed25519" for Solana
-  policyObjectId: "0x...",      // optional: auto-provision into vault
-  stableId: "my-policy",        // optional: binding label
 });
 // Returns: { walletId, address, curve, bindingObjectId?, createdAt }
 \`\`\`
 
-**Important:** If providing \`policyObjectId\`, register the policy version first.
+Dashboard-first default: create wallet in agent and let dashboard onboarding handle policy provisioning.
+
+Advanced optional params are still supported:
+\`\`\`typescript
+const wallet = await kairo.createWallet({
+  curve: "secp256k1",
+  policyObjectId: "0x...",
+  stableId: "my-policy",
+});
+\`\`\`
 
 ### listWallets()
 Lists all wallets in local key store.

package/package.json

@@ -1,11 +1,39 @@
 {
   "name": "@kairoguard/sdk",
-  "version": "0.0.10",
+  "version": "0.0.12",
+  "description": "Kairo SDK for multi-chain policy-based transaction signing with dWallet support (EVM, Bitcoin, Solana, Sui)",
+  "license": "MIT",
+  "author": "Kairo <mehraab@thewidercollective.com>",
+  "homepage": "https://www.kairoguard.com/docs",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/FlatTesseract/kairo.git",
+    "directory": "packages/kairo-sdk"
+  },
+  "bugs": {
+    "url": "https://github.com/FlatTesseract/kairo/issues"
+  },
+  "keywords": [
+    "kairo",
+    "wallet",
+    "mpc",
+    "dkg",
+    "policy",
+    "evm",
+    "bitcoin",
+    "solana",
+    "sui",
+    "multichain",
+    "agent",
+    "dwallet"
+  ],
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "files": [
-    "dist"
+    "dist",
+    "SKILL.md",
+    "LICENSE"
   ],
   "bin": {
     "kairo": "dist/cli.js",