@layr-labs/ecloud-cli 0.0.1-rfc.1 → 0.1.0-dev

package/README.md

@@ -1,87 +1,304 @@
-# ECloud SDK
+# ECloud SDK and CLI
 
-A TypeScript SDK and CLI for deploying and managing applications on eigenx TEE (Trusted Execution Environment). This monorepo provides both programmatic SDK access and a command-line interface for interacting with ecloud's decentralized compute platform.
+A TypeScript SDK and CLI for deploying and managing applications on EigenCloud TEE (Trusted Execution Environment). This monorepo provides both programmatic SDK access and a command-line interface for interacting with ecloud's decentralized compute platform.
 
 ## Overview
 
-ECloud SDK enables developers to:
+ECloud SDK and CLI enables developers to:
+
 - Deploy containerized applications to ecloud TEE
 - Manage application lifecycle (start, stop, terminate)
 - Build and push Docker images with encryption
-- Interact with ecloud smart contracts on Ethereum networks
 - Monitor application status and logs
 
-## Packages
+## Prerequsites
+* Docker - To package and publish application images ([Download](https://www.docker.com/get-started/))
+* ETH for gas - For deployment transactions
 
-This monorepo contains two main packages:
+## Mainnet Alpha Limitations
+* Not recommended for customer funds - Mainnet Alpha is intended to enable developers to build, test and ship applications. We do not recommend holding significant customer funds at this stage in Mainnet Alpha.
+* Developer is still trusted - Mainnet Alpha does not enable full verifiable and trustless execution. * A later version will ensure developers can not upgrade code maliciously, and liveness guarantees.
+No SLA - Mainnet Alpha does not have SLAs around support, and uptime of infrastructure.
 
-### `@layr-labs/ecloud-sdk`
 
-The core TypeScript SDK for programmatic access to ecloud services.
+## Quick Start
+### Installation
 
-**Features:**
-- Type-safe client for ecloud operations
-- Docker image building and pushing
-- KMS encryption for secure deployments
-- Smart contract interactions (EIP7702)
-- Environment configuration management
+```bash
+npm install -g @layr-labs/ecloud-cli
+```
 
-### `@layr-labs/ecloud-cli`
+### Initial Setup 
+```bash
+# Log in to your Docker registry (required to push images)
+docker login
 
-Command-line interface built with oclif for deploying and managing applications.
+# Log in with an existing private key
+ecloud auth login
+```
 
-**Features:**
-- Deploy applications from Docker images
-- Manage application lifecycle
-- Environment-aware configuration
-- Support for multiple networks
+**Don't have a private key?** Use `ecloud auth generate --store` instead
 
-## Installation
+**Need ETH for gas?** Run `ecloud auth whoami` to see your address. For sepolia, get funds from [Google Cloud](https://cloud.google.com/application/web3/faucet/ethereum/sepolia) or [Alchemy](https://sepoliafaucet.com/)
 
-### Prerequisites
+### Get a billing account
+This is required to create apps
+```bash
+ecloud billing subscribe
+```
 
-- Node.js 18+ 
-- pnpm (recommended) or npm
-- Docker (for building and pushing images)
+### **Create & Deploy**
+
+```bash
+# Create your app (choose: typescript | python | golang | rust)
+ecloud compute app create my-app typescript
+cd my-app
+
+# Configure environment variables
+cp .env.example .env
+
+# Deploy to TEE
+ecloud compute app deploy
+```
+
+### **Working with Existing Projects**
 
-### Install Dependencies
+Have an existing project? You don't need `ecloud compute app create` - the CLI works with any Docker-based project:
 
 ```bash
-pnpm install
+# From your existing project directory
+cd my-existing-project
+
+# Ensure you have a Dockerfile and .env file
+# The CLI will prompt for these if not found in standard locations
+
+# Deploy directly - the CLI will detect your project
+ecloud compute app deploy
+```
+
+**What you need:**
+- **Dockerfile** - Must target `linux/amd64` and run as root user
+- **.env file** - For environment variables (optional but recommended)
+
+The CLI will automatically prompt for the Dockerfile and .env paths if they're not in the default locations. This means you can use ecloud with any existing containerized application without restructuring your project.
+
+**Need TLS/HTTPS?** Run `ecloud compute app configure tls` to add the necessary configuration files for domain setup with private traffic termination in the TEE.
+
+### **View Your App**
+
+```bash
+# View app information and logs
+ecloud compute app info
+ecloud compute app logs
+
+# Add --watch (or -w) to continuously poll for live updates
+ecloud compute app info --watch
+ecloud compute app logs --watch
 ```
 
-### Build
+That's it! Your starter app is now running in a TEE with access to a MNEMONIC that only it can access.
+
+**Ready to customize?** Edit your application code, update `.env` with any API keys you need, then run `ecloud compute app upgrade my-app` to deploy your changes
+
+## Application Environment
+
+Your TEE application runs with these capabilities:
+
+1. **Secure Execution** - Your code runs in an Intel TDX instance with hardware-level isolation
+2. **Auto-Generated Wallet** - Access a private mnemonic via `process.env.MNEMONIC`
+    - Derive wallet accounts using standard libraries (e.g., viem’s `mnemonicToAccount(process.env.MNEMONIC)`)
+    - Only your TEE can decrypt and use this mnemonic
+3. **Environment Variables** - All variables from your `.env` file are available in your container
+   - Variables with `_PUBLIC` suffix are visible to users for transparency
+   - Standard variables remain private and encrypted within the TEE
+4. **Onchain Management** - Your app's lifecycle is controlled via Ethereum smart contracts
+
+### Working with Your App
 
 ```bash
-pnpm build
+# List all your apps
+ecloud compute app list
+
+# Stop/start your app
+ecloud compute app stop my-app
+ecloud compute app start my-app
+
+# Terminate your app
+ecloud compute app terminate my-app
 ```
 
-## Usage
+## Authentication
+
+Ecloud CLI needs a private key to sign transactions. Three options:
+
+### 1. OS Keyring (Recommended)
+
+```bash
+ecloud auth generate --store # Generate new key and store it
+ecloud auth login            # Store an existing key securely
+ecloud auth whoami           # Check authentication
+ecloud auth logout           # Remove key
+```
+
+### 2. Environment Variable
+
+```bash
+export ECLOUD_PRIVATE_KEY=0x1234...
+ecloud compute app deploy
+```
+
+### 3. Command Flag
+
+```bash
+ecloud compute app deploy --private-key 0x1234...
+```
+
+**Priority:** Flag → Environment → Keyring
+
+## TLS/HTTPS Setup
+
+### Enable TLS
+
+```bash
+# Add TLS configuration to your project
+ecloud compute app configure tls
 
-### CLI Usage
+# Add variables to .env
+cat .env.example.tls >> .env
+```
+
+### Configure
+
+Required in `.env`:
+```bash
+DOMAIN=yourdomain.com
+APP_PORT=3000
+```
+
+Recommended for first deployment:
+```bash
+ENABLE_CADDY_LOGS=true  # Debug logs
+ACME_STAGING=true       # Test certificates (avoid rate limits)
+```
+
+### DNS Setup
+
+Create A record pointing to instance IP:
+- Type: A
+- Name: yourdomain.com
+- Value: `<instance-ip>` (get from `ecloud compute app info`)
+
+### Deploy
+
+```bash
+ecloud compute app upgrade
+```
+
+### Production Certificates
+
+To switch from staging to production:
+```bash
+# Set in .env:
+ACME_STAGING=false
+ACME_FORCE_ISSUE=true  # Only if staging cert exists
+
+# Deploy, then set ACME_FORCE_ISSUE=false for future deploys
+```
+
+**Notes:**
+- Let's Encrypt rate limit: 5 certificates/week per domain
+- Test with staging certificates first to avoid rate limits
+- DNS changes may take a few minutes to propagate
 
-The CLI is available via the `ecloud` command after building:
+## Advanced Usage
+
+### Building and Pushing Images Manually
+
+If you prefer to build and push Docker images yourself instead of letting the CLI handle it, or already have an existing image:
 
 ```bash
-# Deploy an application
-npx ecloud app deploy \
-  --private-key <your-private-key> \
-  --environment sepolia \
-  --image <docker-image-reference>
+# Build and push your image manually
+docker build --platform linux/amd64 -t myregistry/myapp:v1.0 .
+docker push myregistry/myapp:v1.0
+
+# Deploy using the image reference
+ecloud compute app deploy myregistry/myapp:v1.0
 ```
 
-**Common Flags:**
-- `--private-key`: Your Ethereum private key (or set `ECLOUD_PRIVATE_KEY` env var)
-- `--environment`: Target environment (`sepolia` or `mainnet-alpha`)
-- `--rpc-url`: Custom RPC URL (optional, or set `ECLOUD_RPC_URL` env var)
+**Requirements:**
+
+- Image must target `linux/amd64` architecture
+- Application must run as root user (TEE requirement)
+
+## Telemetry
+
+Ecloud collects anonymous usage data to help us improve the CLI and understand how it's being used. This telemetry is enabled by default but can be easily disabled.
+
+### What We Collect
+
+- Commands used (e.g., `ecloud compute app create`, `ecloud compute app deploy`)
+- Error counts and types to identify common issues
+- Performance metrics (command execution times)
+- System information (OS, architecture)
+- Deployment environment (e.g., sepolia, mainnet-alpha)
+- User Ethereum address
+
+### What We DON'T Collect
+
+- Personal information or identifiers
+- Private keys or sensitive credentials
+- Application source code or configurations
+- Specific file paths or project names
+
+## Architecture
+
+For a detailed understanding of how Ecloud enables verifiable applications with deterministic identities, see our [Architecture Documentation](docs/ECLOUD_ARCHITECTURE.md).
+
+### Key Components
+
+- **Hardware Isolation** - Intel TDX secure enclaves with memory encryption
+- **Attestation** - Cryptographic proof of exact Docker image integrity
+- **Deterministic Keys** - Apps receive consistent identities via KMS
+- **Smart Contracts** - Onchain configuration and lifecycle management
+
+## Development
+
+### Prerequisites
+
+- Node.js 18+
+- pnpm (recommended) or npm
+- Docker (for building and pushing images)
+
+### Build from source
 
-**Example:**
 ```bash
-npx ecloud app deploy \
-  --private-key 0x... \
-  --environment sepolia
+git clone https://github.com/Layr-Labs/ecloud
+cd ecloud
+pnpm install
+pnpm build
+pnpm ecloud version
 ```
 
+
+## SDK Packages
+
+This monorepo contains two main packages:
+
+### `@layr-labs/ecloud-sdk`
+
+The core TypeScript SDK for programmatic access to ecloud services.
+
+**Features:**
+
+- Type-safe client for ecloud operations
+- Docker image building and pushing
+- KMS encryption for secure deployments
+- Smart contract interactions (EIP7702)
+- Environment configuration management
+
+
+## Usage
+
 ### SDK Usage
 
 ```typescript
@@ -90,7 +307,7 @@ import { createECloudClient } from "@layr-labs/ecloud-sdk";
 // Create a client
 const client = createECloudClient({
   privateKey: "0x...",
-  environment: "sepolia", // or "sepolia-dev" or "mainnet-alpha"
+  environment: "sepolia", // or "sepolia" or "mainnet-alpha"
   rpcUrl: "https://sepolia.infura.io/v3/...",
 });
 
@@ -192,4 +409,3 @@ The deployment process involves several steps:
 ## Support
 
 For issues and questions, please open an issue on GitHub.
-

package/VERSION

@@ -0,0 +1,2 @@
+version=0.1.0-dev
+commit=77a74ce3558ed2d1331016cab7356a0c36c2833f

package/dist/commands/auth/generate.js

@@ -3,13 +3,121 @@
 // src/commands/auth/generate.ts
 import { Command, Flags } from "@oclif/core";
 import { confirm } from "@inquirer/prompts";
-import {
-  generateNewPrivateKey,
-  storePrivateKey,
-  keyExists,
-  showPrivateKey,
-  displayWarning
-} from "@layr-labs/ecloud-sdk";
+import { generateNewPrivateKey, storePrivateKey, keyExists } from "@layr-labs/ecloud-sdk";
+
+// src/utils/security.ts
+import { spawn, execSync } from "child_process";
+import { platform } from "os";
+import { select, password } from "@inquirer/prompts";
+async function showPrivateKey(content) {
+  const pager = detectPager();
+  if (pager) {
+    try {
+      await runPager(pager, content);
+      return true;
+    } catch (err) {
+      console.error(`Failed to run pager: ${err}`);
+    }
+  }
+  console.log("\nNo pager (less/more) found on PATH.");
+  console.log("For security, avoid printing private keys to the terminal.");
+  console.log("");
+  const choice = await select({
+    message: "Choose an option:",
+    choices: [
+      { name: "Abort (recommended)", value: "abort" },
+      { name: "Print and clear screen", value: "print" }
+    ]
+  });
+  if (choice === "print") {
+    console.log(content);
+    console.log("");
+    console.log("Press Enter after you have securely saved the key.");
+    console.log("The screen will be cleared...");
+    await password({
+      message: "",
+      mask: ""
+    });
+    clearTerminal();
+    return true;
+  }
+  return false;
+}
+function detectPager() {
+  if (process.env.PAGER) {
+    const pagerEnv = process.env.PAGER.trim();
+    if (/^[a-zA-Z0-9_-]+$/.test(pagerEnv)) {
+      return pagerEnv;
+    }
+  }
+  const pagers = ["less", "more"];
+  for (const pagerCmd of pagers) {
+    if (commandExists(pagerCmd)) {
+      return pagerCmd;
+    }
+  }
+  return null;
+}
+function runPager(pager, content) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(pager, [], {
+      stdio: ["pipe", "inherit", "inherit"]
+    });
+    child.on("error", reject);
+    child.on("exit", (code) => {
+      if (code === 0) {
+        resolve();
+      } else {
+        reject(new Error(`Pager exited with code ${code}`));
+      }
+    });
+    try {
+      const written = child.stdin.write(content);
+      if (!written) {
+        child.stdin.once("drain", () => {
+          try {
+            child.stdin.end();
+          } catch (err) {
+            reject(err);
+          }
+        });
+      } else {
+        child.stdin.end();
+      }
+    } catch (err) {
+      reject(err);
+    }
+  });
+}
+function commandExists(command) {
+  try {
+    const cmd = platform() === "win32" ? `where ${command}` : `which ${command}`;
+    execSync(cmd, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function clearTerminal() {
+  if (platform() === "win32") {
+    process.stdout.write("\x1Bc");
+  } else {
+    process.stdout.write("\x1B[2J\x1B[3J\x1B[H");
+  }
+}
+function displayWarning(lines) {
+  const width = lines.length > 0 ? Math.max(...lines.map((l) => l.length)) + 4 : 4;
+  const border = "\u26A0".repeat(width);
+  console.log("");
+  console.log(border);
+  for (const line of lines) {
+    console.log(`\u26A0  ${line}`);
+  }
+  console.log(border);
+  console.log("");
+}
+
+// src/commands/auth/generate.ts
 var AuthGenerate = class _AuthGenerate extends Command {
   static description = "Generate a new private key";
   static aliases = ["auth:gen", "auth:new"];
@@ -83,9 +191,7 @@ Press 'q' to exit and continue...
         this.log(`
 \u2713 Private key stored in OS keyring`);
         this.log(`\u2713 Address: ${address}`);
-        this.log(
-          "\nYou can now use ecloud commands without --private-key flag."
-        );
+        this.log("\nYou can now use ecloud commands without --private-key flag.");
       } catch (err) {
         this.error(`Failed to store key: ${err.message}`);
       }

package/dist/commands/auth/generate.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/commands/auth/generate.ts"],"sourcesContent":["/**\n * Auth Generate Command\n *\n * Generate a new private key and optionally store it in OS keyring\n */\n\nimport { Command, Flags } from \"@oclif/core\";\nimport { confirm } from \"@inquirer/prompts\";\nimport {\n  generateNewPrivateKey,\n  storePrivateKey,\n  keyExists,\n  showPrivateKey,\n  displayWarning,\n} from \"@layr-labs/ecloud-sdk\";\n\nexport default class AuthGenerate extends Command {\n  static description = \"Generate a new private key\";\n\n  static aliases = [\"auth:gen\", \"auth:new\"];\n\n  static examples = [\n    \"<%= config.bin %> <%= command.id %>\",\n    \"<%= config.bin %> <%= command.id %> --store\",\n  ];\n\n  static flags = {\n    store: Flags.boolean({\n      description: \"Automatically store in OS keyring\",\n      default: false,\n    }),\n  };\n\n  async run(): Promise<void> {\n    const { flags } = await this.parse(AuthGenerate);\n\n    // Generate new key\n    this.log(\"Generating new private key...\\n\");\n    const { privateKey, address } = generateNewPrivateKey();\n\n    // Display key securely\n    const content = `\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\nA new private key was generated for you.\n\nIMPORTANT: You MUST backup this key now.\n           It will never be shown again.\n\nAddress:     ${address}\nPrivate key: ${privateKey}\n\n⚠️  SECURITY WARNING:\n   • Anyone with this key can control your account\n   • Never share it or commit it to version control\n   • Store it in a secure password manager\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\nPress 'q' to exit and continue...\n`;\n\n    const displayed = await showPrivateKey(content);\n\n    if (!displayed) {\n      this.log(\"Key generation cancelled.\");\n      return;\n    }\n\n    // Ask about storing\n    let shouldStore = flags.store;\n\n    if (!shouldStore && displayed) {\n      shouldStore = await confirm({\n        message: \"Store this key in your OS keyring?\",\n        default: true,\n      });\n    }\n\n    if (shouldStore) {\n      // Check if key already exists\n      const exists = await keyExists();\n\n      if (exists) {\n        displayWarning([\n          `WARNING: A private key for ecloud already exists!`,\n          \"If you continue, the existing key will be PERMANENTLY REPLACED.\",\n          \"This cannot be undone!\",\n          \"\",\n          \"The previous key will be lost forever if you haven't backed it up.\",\n        ]);\n\n        const confirmReplace = await confirm({\n          message: `Replace existing key for ecloud?`,\n          default: false,\n        });\n\n        if (!confirmReplace) {\n          this.log(\n            \"\\nKey not stored. If you did not save your new key when it was displayed, it is now lost and cannot be recovered.\"\n          );\n          return;\n        }\n      }\n\n      // Store the key\n      try {\n        await storePrivateKey(privateKey);\n        this.log(`\\n✓ Private key stored in OS keyring`);\n        this.log(`✓ Address: ${address}`);\n        this.log(\n          \"\\nYou can now use ecloud commands without --private-key flag.\"\n        );\n      } catch (err: any) {\n        this.error(`Failed to store key: ${err.message}`);\n      }\n    } else {\n      this.log(\"\\nKey not stored in keyring.\");\n      this.log(\"Remember to save the key shown above in a secure location.\");\n    }\n  }\n}\n"],"mappings":";;;AAMA,SAAS,SAAS,aAAa;AAC/B,SAAS,eAAe;AACxB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP,IAAqB,eAArB,MAAqB,sBAAqB,QAAQ;AAAA,EAChD,OAAO,cAAc;AAAA,EAErB,OAAO,UAAU,CAAC,YAAY,UAAU;AAAA,EAExC,OAAO,WAAW;AAAA,IAChB;AAAA,IACA;AAAA,EACF;AAAA,EAEA,OAAO,QAAQ;AAAA,IACb,OAAO,MAAM,QAAQ;AAAA,MACnB,aAAa;AAAA,MACb,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAAA,EAEA,MAAM,MAAqB;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,KAAK,MAAM,aAAY;AAG/C,SAAK,IAAI,iCAAiC;AAC1C,UAAM,EAAE,YAAY,QAAQ,IAAI,sBAAsB;AAGtD,UAAM,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAOL,OAAO;AAAA,eACP,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAWrB,UAAM,YAAY,MAAM,eAAe,OAAO;AAE9C,QAAI,CAAC,WAAW;AACd,WAAK,IAAI,2BAA2B;AACpC;AAAA,IACF;AAGA,QAAI,cAAc,MAAM;AAExB,QAAI,CAAC,eAAe,WAAW;AAC7B,oBAAc,MAAM,QAAQ;AAAA,QAC1B,SAAS;AAAA,QACT,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,QAAI,aAAa;AAEf,YAAM,SAAS,MAAM,UAAU;AAE/B,UAAI,QAAQ;AACV,uBAAe;AAAA,UACb;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAED,cAAM,iBAAiB,MAAM,QAAQ;AAAA,UACnC,SAAS;AAAA,UACT,SAAS;AAAA,QACX,CAAC;AAED,YAAI,CAAC,gBAAgB;AACnB,eAAK;AAAA,YACH;AAAA,UACF;AACA;AAAA,QACF;AAAA,MACF;AAGA,UAAI;AACF,cAAM,gBAAgB,UAAU;AAChC,aAAK,IAAI;AAAA,wCAAsC;AAC/C,aAAK,IAAI,mBAAc,OAAO,EAAE;AAChC,aAAK;AAAA,UACH;AAAA,QACF;AAAA,MACF,SAAS,KAAU;AACjB,aAAK,MAAM,wBAAwB,IAAI,OAAO,EAAE;AAAA,MAClD;AAAA,IACF,OAAO;AACL,WAAK,IAAI,8BAA8B;AACvC,WAAK,IAAI,4DAA4D;AAAA,IACvE;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../../../src/commands/auth/generate.ts","../../../src/utils/security.ts"],"sourcesContent":["/**\n * Auth Generate Command\n *\n * Generate a new private key and optionally store it in OS keyring\n */\n\nimport { Command, Flags } from \"@oclif/core\";\nimport { confirm } from \"@inquirer/prompts\";\nimport { generateNewPrivateKey, storePrivateKey, keyExists } from \"@layr-labs/ecloud-sdk\";\nimport { showPrivateKey, displayWarning } from \"../../utils/security\";\n\nexport default class AuthGenerate extends Command {\n  static description = \"Generate a new private key\";\n\n  static aliases = [\"auth:gen\", \"auth:new\"];\n\n  static examples = [\n    \"<%= config.bin %> <%= command.id %>\",\n    \"<%= config.bin %> <%= command.id %> --store\",\n  ];\n\n  static flags = {\n    store: Flags.boolean({\n      description: \"Automatically store in OS keyring\",\n      default: false,\n    }),\n  };\n\n  async run(): Promise<void> {\n    const { flags } = await this.parse(AuthGenerate);\n\n    // Generate new key\n    this.log(\"Generating new private key...\\n\");\n    const { privateKey, address } = generateNewPrivateKey();\n\n    // Display key securely\n    const content = `\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\nA new private key was generated for you.\n\nIMPORTANT: You MUST backup this key now.\n           It will never be shown again.\n\nAddress:     ${address}\nPrivate key: ${privateKey}\n\n⚠️  SECURITY WARNING:\n   • Anyone with this key can control your account\n   • Never share it or commit it to version control\n   • Store it in a secure password manager\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\nPress 'q' to exit and continue...\n`;\n\n    const displayed = await showPrivateKey(content);\n\n    if (!displayed) {\n      this.log(\"Key generation cancelled.\");\n      return;\n    }\n\n    // Ask about storing\n    let shouldStore = flags.store;\n\n    if (!shouldStore && displayed) {\n      shouldStore = await confirm({\n        message: \"Store this key in your OS keyring?\",\n        default: true,\n      });\n    }\n\n    if (shouldStore) {\n      // Check if key already exists\n      const exists = await keyExists();\n\n      if (exists) {\n        displayWarning([\n          `WARNING: A private key for ecloud already exists!`,\n          \"If you continue, the existing key will be PERMANENTLY REPLACED.\",\n          \"This cannot be undone!\",\n          \"\",\n          \"The previous key will be lost forever if you haven't backed it up.\",\n        ]);\n\n        const confirmReplace = await confirm({\n          message: `Replace existing key for ecloud?`,\n          default: false,\n        });\n\n        if (!confirmReplace) {\n          this.log(\n            \"\\nKey not stored. If you did not save your new key when it was displayed, it is now lost and cannot be recovered.\",\n          );\n          return;\n        }\n      }\n\n      // Store the key\n      try {\n        await storePrivateKey(privateKey);\n        this.log(`\\n✓ Private key stored in OS keyring`);\n        this.log(`✓ Address: ${address}`);\n        this.log(\"\\nYou can now use ecloud commands without --private-key flag.\");\n      } catch (err: any) {\n        this.error(`Failed to store key: ${err.message}`);\n      }\n    } else {\n      this.log(\"\\nKey not stored in keyring.\");\n      this.log(\"Remember to save the key shown above in a secure location.\");\n    }\n  }\n}\n","/**\n * Security utilities for CLI\n *\n * Functions for securely displaying and handling sensitive content\n * like private keys.\n */\n\nimport { spawn, execSync } from \"child_process\";\nimport { platform } from \"os\";\nimport { select, password } from \"@inquirer/prompts\";\n\n/**\n * Display sensitive content using system pager (less/more)\n * Returns true if content was displayed, false if user aborted\n */\nexport async function showPrivateKey(content: string): Promise<boolean> {\n  // Try to use system pager\n  const pager = detectPager();\n\n  if (pager) {\n    try {\n      await runPager(pager, content);\n      return true;\n    } catch (err) {\n      console.error(`Failed to run pager: ${err}`);\n      // Fall through to fallback\n    }\n  }\n\n  // No pager available - give user a choice\n  console.log(\"\\nNo pager (less/more) found on PATH.\");\n  console.log(\"For security, avoid printing private keys to the terminal.\");\n  console.log(\"\");\n\n  const choice = await select({\n    message: \"Choose an option:\",\n    choices: [\n      { name: \"Abort (recommended)\", value: \"abort\" },\n      { name: \"Print and clear screen\", value: \"print\" },\n    ],\n  });\n\n  if (choice === \"print\") {\n    console.log(content);\n    console.log(\"\");\n    console.log(\"Press Enter after you have securely saved the key.\");\n    console.log(\"The screen will be cleared...\");\n\n    // Wait for Enter\n    await password({\n      message: \"\",\n      mask: \"\",\n    });\n\n    clearTerminal();\n    return true;\n  }\n\n  return false; // User aborted\n}\n\n/**\n * Detect system pager (less or more)\n */\nfunction detectPager(): string | null {\n  // Check PAGER env var first\n  if (process.env.PAGER) {\n    const pagerEnv = process.env.PAGER.trim();\n    // Only allow simple command names without arguments or special characters\n    if (/^[a-zA-Z0-9_-]+$/.test(pagerEnv)) {\n      return pagerEnv;\n    }\n  }\n\n  // Try common pagers\n  const pagers = [\"less\", \"more\"];\n\n  for (const pagerCmd of pagers) {\n    if (commandExists(pagerCmd)) {\n      return pagerCmd;\n    }\n  }\n\n  return null;\n}\n\n/**\n * Run pager with content\n */\nfunction runPager(pager: string, content: string): Promise<void> {\n  return new Promise((resolve, reject) => {\n    const child = spawn(pager, [], {\n      stdio: [\"pipe\", \"inherit\", \"inherit\"],\n    });\n\n    child.on(\"error\", reject);\n    child.on(\"exit\", (code) => {\n      if (code === 0) {\n        resolve();\n      } else {\n        reject(new Error(`Pager exited with code ${code}`));\n      }\n    });\n\n    try {\n      const written = child.stdin!.write(content);\n      if (!written) {\n        child.stdin!.once(\"drain\", () => {\n          try {\n            child.stdin!.end();\n          } catch (err) {\n            reject(err);\n          }\n        });\n      } else {\n        child.stdin!.end();\n      }\n    } catch (err) {\n      reject(err);\n    }\n  });\n}\n\n/**\n * Check if command exists\n */\nfunction commandExists(command: string): boolean {\n  try {\n    const cmd = platform() === \"win32\" ? `where ${command}` : `which ${command}`;\n    execSync(cmd, { stdio: \"ignore\" });\n    return true;\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Clear terminal screen\n */\nexport function clearTerminal(): void {\n  if (platform() === \"win32\") {\n    process.stdout.write(\"\\x1Bc\");\n  } else {\n    process.stdout.write(\"\\x1B[2J\\x1B[3J\\x1B[H\");\n  }\n}\n\n/**\n * Get hidden input (password-style)\n */\nexport async function getHiddenInput(message: string): Promise<string> {\n  return await password({\n    message,\n    mask: \"*\",\n  });\n}\n\n/**\n * Display multi-line warning for destructive operations\n */\nexport function displayWarning(lines: string[]): void {\n  const width = lines.length > 0 ? Math.max(...lines.map((l) => l.length)) + 4 : 4;\n  const border = \"⚠\".repeat(width);\n\n  console.log(\"\");\n  console.log(border);\n  for (const line of lines) {\n    console.log(`⚠  ${line}`);\n  }\n  console.log(border);\n  console.log(\"\");\n}\n"],"mappings":";;;AAMA,SAAS,SAAS,aAAa;AAC/B,SAAS,eAAe;AACxB,SAAS,uBAAuB,iBAAiB,iBAAiB;;;ACDlE,SAAS,OAAO,gBAAgB;AAChC,SAAS,gBAAgB;AACzB,SAAS,QAAQ,gBAAgB;AAMjC,eAAsB,eAAe,SAAmC;AAEtE,QAAM,QAAQ,YAAY;AAE1B,MAAI,OAAO;AACT,QAAI;AACF,YAAM,SAAS,OAAO,OAAO;AAC7B,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,cAAQ,MAAM,wBAAwB,GAAG,EAAE;AAAA,IAE7C;AAAA,EACF;AAGA,UAAQ,IAAI,uCAAuC;AACnD,UAAQ,IAAI,4DAA4D;AACxE,UAAQ,IAAI,EAAE;AAEd,QAAM,SAAS,MAAM,OAAO;AAAA,IAC1B,SAAS;AAAA,IACT,SAAS;AAAA,MACP,EAAE,MAAM,uBAAuB,OAAO,QAAQ;AAAA,MAC9C,EAAE,MAAM,0BAA0B,OAAO,QAAQ;AAAA,IACnD;AAAA,EACF,CAAC;AAED,MAAI,WAAW,SAAS;AACtB,YAAQ,IAAI,OAAO;AACnB,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,oDAAoD;AAChE,YAAQ,IAAI,+BAA+B;AAG3C,UAAM,SAAS;AAAA,MACb,SAAS;AAAA,MACT,MAAM;AAAA,IACR,CAAC;AAED,kBAAc;AACd,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAKA,SAAS,cAA6B;AAEpC,MAAI,QAAQ,IAAI,OAAO;AACrB,UAAM,WAAW,QAAQ,IAAI,MAAM,KAAK;AAExC,QAAI,mBAAmB,KAAK,QAAQ,GAAG;AACrC,aAAO;AAAA,IACT;AAAA,EACF;AAGA,QAAM,SAAS,CAAC,QAAQ,MAAM;AAE9B,aAAW,YAAY,QAAQ;AAC7B,QAAI,cAAc,QAAQ,GAAG;AAC3B,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKA,SAAS,SAAS,OAAe,SAAgC;AAC/D,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,QAAQ,MAAM,OAAO,CAAC,GAAG;AAAA,MAC7B,OAAO,CAAC,QAAQ,WAAW,SAAS;AAAA,IACtC,CAAC;AAED,UAAM,GAAG,SAAS,MAAM;AACxB,UAAM,GAAG,QAAQ,CAAC,SAAS;AACzB,UAAI,SAAS,GAAG;AACd,gBAAQ;AAAA,MACV,OAAO;AACL,eAAO,IAAI,MAAM,0BAA0B,IAAI,EAAE,CAAC;AAAA,MACpD;AAAA,IACF,CAAC;AAED,QAAI;AACF,YAAM,UAAU,MAAM,MAAO,MAAM,OAAO;AAC1C,UAAI,CAAC,SAAS;AACZ,cAAM,MAAO,KAAK,SAAS,MAAM;AAC/B,cAAI;AACF,kBAAM,MAAO,IAAI;AAAA,UACnB,SAAS,KAAK;AACZ,mBAAO,GAAG;AAAA,UACZ;AAAA,QACF,CAAC;AAAA,MACH,OAAO;AACL,cAAM,MAAO,IAAI;AAAA,MACnB;AAAA,IACF,SAAS,KAAK;AACZ,aAAO,GAAG;AAAA,IACZ;AAAA,EACF,CAAC;AACH;AAKA,SAAS,cAAc,SAA0B;AAC/C,MAAI;AACF,UAAM,MAAM,SAAS,MAAM,UAAU,SAAS,OAAO,KAAK,SAAS,OAAO;AAC1E,aAAS,KAAK,EAAE,OAAO,SAAS,CAAC;AACjC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKO,SAAS,gBAAsB;AACpC,MAAI,SAAS,MAAM,SAAS;AAC1B,YAAQ,OAAO,MAAM,OAAO;AAAA,EAC9B,OAAO;AACL,YAAQ,OAAO,MAAM,sBAAsB;AAAA,EAC7C;AACF;AAeO,SAAS,eAAe,OAAuB;AACpD,QAAM,QAAQ,MAAM,SAAS,IAAI,KAAK,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,IAAI;AAC/E,QAAM,SAAS,SAAI,OAAO,KAAK;AAE/B,UAAQ,IAAI,EAAE;AACd,UAAQ,IAAI,MAAM;AAClB,aAAW,QAAQ,OAAO;AACxB,YAAQ,IAAI,WAAM,IAAI,EAAE;AAAA,EAC1B;AACA,UAAQ,IAAI,MAAM;AAClB,UAAQ,IAAI,EAAE;AAChB;;;ADhKA,IAAqB,eAArB,MAAqB,sBAAqB,QAAQ;AAAA,EAChD,OAAO,cAAc;AAAA,EAErB,OAAO,UAAU,CAAC,YAAY,UAAU;AAAA,EAExC,OAAO,WAAW;AAAA,IAChB;AAAA,IACA;AAAA,EACF;AAAA,EAEA,OAAO,QAAQ;AAAA,IACb,OAAO,MAAM,QAAQ;AAAA,MACnB,aAAa;AAAA,MACb,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAAA,EAEA,MAAM,MAAqB;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,KAAK,MAAM,aAAY;AAG/C,SAAK,IAAI,iCAAiC;AAC1C,UAAM,EAAE,YAAY,QAAQ,IAAI,sBAAsB;AAGtD,UAAM,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAOL,OAAO;AAAA,eACP,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAWrB,UAAM,YAAY,MAAM,eAAe,OAAO;AAE9C,QAAI,CAAC,WAAW;AACd,WAAK,IAAI,2BAA2B;AACpC;AAAA,IACF;AAGA,QAAI,cAAc,MAAM;AAExB,QAAI,CAAC,eAAe,WAAW;AAC7B,oBAAc,MAAM,QAAQ;AAAA,QAC1B,SAAS;AAAA,QACT,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,QAAI,aAAa;AAEf,YAAM,SAAS,MAAM,UAAU;AAE/B,UAAI,QAAQ;AACV,uBAAe;AAAA,UACb;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF,CAAC;AAED,cAAM,iBAAiB,MAAM,QAAQ;AAAA,UACnC,SAAS;AAAA,UACT,SAAS;AAAA,QACX,CAAC;AAED,YAAI,CAAC,gBAAgB;AACnB,eAAK;AAAA,YACH;AAAA,UACF;AACA;AAAA,QACF;AAAA,MACF;AAGA,UAAI;AACF,cAAM,gBAAgB,UAAU;AAChC,aAAK,IAAI;AAAA,wCAAsC;AAC/C,aAAK,IAAI,mBAAc,OAAO,EAAE;AAChC,aAAK,IAAI,+DAA+D;AAAA,MAC1E,SAAS,KAAU;AACjB,aAAK,MAAM,wBAAwB,IAAI,OAAO,EAAE;AAAA,MAClD;AAAA,IACF,OAAO;AACL,WAAK,IAAI,8BAA8B;AACvC,WAAK,IAAI,4DAA4D;AAAA,IACvE;AAAA,EACF;AACF;","names":[]}

package/dist/commands/auth/login.js

@@ -2,18 +2,40 @@
 
 // src/commands/auth/login.ts
 import { Command } from "@oclif/core";
-import { confirm, select } from "@inquirer/prompts";
+import { confirm, select as select2 } from "@inquirer/prompts";
 import {
   storePrivateKey,
   keyExists,
-  getHiddenInput,
   validatePrivateKey,
   getAddressFromPrivateKey,
-  displayWarning,
   getLegacyKeys,
   getLegacyPrivateKey,
   deleteLegacyPrivateKey
 } from "@layr-labs/ecloud-sdk";
+
+// src/utils/security.ts
+import { spawn, execSync } from "child_process";
+import { platform } from "os";
+import { select, password } from "@inquirer/prompts";
+async function getHiddenInput(message) {
+  return await password({
+    message,
+    mask: "*"
+  });
+}
+function displayWarning(lines) {
+  const width = lines.length > 0 ? Math.max(...lines.map((l) => l.length)) + 4 : 4;
+  const border = "\u26A0".repeat(width);
+  console.log("");
+  console.log(border);
+  for (const line of lines) {
+    console.log(`\u26A0  ${line}`);
+  }
+  console.log(border);
+  console.log("");
+}
+
+// src/commands/auth/login.ts
 var AuthLogin = class extends Command {
   static description = "Store your private key in OS keyring";
   static examples = ["<%= config.bin %> <%= command.id %>"];
@@ -55,23 +77,16 @@ var AuthLogin = class extends Command {
           name: `${key.address} (${key.environment} - ${key.source})`,
           value: key
         }));
-        selectedKey = await select({
+        selectedKey = await select2({
           message: "Select a key to import:",
           choices
         });
-        privateKey = await getLegacyPrivateKey(
-          selectedKey.environment,
-          selectedKey.source
-        );
+        privateKey = await getLegacyPrivateKey(selectedKey.environment, selectedKey.source);
         if (!privateKey) {
-          this.error(
-            `Failed to retrieve legacy key for ${selectedKey.environment}`
-          );
+          this.error(`Failed to retrieve legacy key for ${selectedKey.environment}`);
         }
-        this.log(
-          `
-Importing key from ${selectedKey.source}:${selectedKey.environment}`
-        );
+        this.log(`
+Importing key from ${selectedKey.source}:${selectedKey.environment}`);
       }
     }
     if (!privateKey) {
@@ -96,9 +111,7 @@ Address: ${address}`);
       await storePrivateKey(privateKey);
       this.log("\n\u2713 Private key stored in OS keyring");
       this.log(`\u2713 Address: ${address}`);
-      this.log(
-        "\nNote: This key will be used for all environments (mainnet, sepolia, etc.)"
-      );
+      this.log("\nNote: This key will be used for all environments (mainnet, sepolia, etc.)");
       this.log("You can now use ecloud commands without --private-key flag.");
       if (selectedKey) {
         this.log("");
@@ -107,21 +120,14 @@ Address: ${address}`);
           default: false
         });
         if (confirmDelete) {
-          const deleted = await deleteLegacyPrivateKey(
-            selectedKey.environment,
-            selectedKey.source
-          );
+          const deleted = await deleteLegacyPrivateKey(selectedKey.environment, selectedKey.source);
           if (deleted) {
             this.log(
               `
 \u2713 Legacy key deleted from ${selectedKey.source}:${selectedKey.environment}`
             );
-            this.log(
-              "\nNote: The key is now only stored in ecloud. You can still use it with"
-            );
-            this.log(
-              "eigenx-cli by providing --private-key flag or EIGENX_PRIVATE_KEY env var."
-            );
+            this.log("\nNote: The key is now only stored in ecloud. You can still use it with");
+            this.log("eigenx-cli by providing --private-key flag or EIGENX_PRIVATE_KEY env var.");
           } else {
             this.log(
               `
@@ -130,13 +136,9 @@ Address: ${address}`);
             this.log("The key may have already been removed.");
           }
         } else {
-          this.log(
-            `
-Legacy key kept in ${selectedKey.source}:${selectedKey.environment}`
-          );
-          this.log(
-            "You can delete it later using 'eigenx auth logout' if needed."
-          );
+          this.log(`
+Legacy key kept in ${selectedKey.source}:${selectedKey.environment}`);
+          this.log("You can delete it later using 'eigenx auth logout' if needed.");
         }
       }
     } catch (err) {