@mainlayer/cli 0.1.1

package/dist/cli/index.js

@@ -0,0 +1,2330 @@
+#!/usr/bin/env node
+import { i as configurePlatforms, n as generateSkillsMd, r as PLATFORMS, t as SKILLS_FILENAME } from "../skills-template-CBLbA5-E.js";
+import { Command } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+import * as clack from "@clack/prompts";
+import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+import ky, { HTTPError } from "ky";
+import Conf from "conf";
+import { createCipheriv, createDecipheriv, pbkdf2, randomBytes } from "node:crypto";
+import { promisify } from "node:util";
+import { address, createKeyPairFromPrivateKeyBytes, createSolanaRpc, getAddressDecoder, getAddressEncoder, getAddressFromPublicKey } from "@solana/kit";
+import { mnemonicToSeedSync, validateMnemonic } from "@scure/bip39";
+import { wordlist } from "@scure/bip39/wordlists/english.js";
+import { findAssociatedTokenPda } from "@solana-program/token";
+import latestVersion from "latest-version";
+//#region src/services/config-service.ts
+var ConfigService = class {
+	conf;
+	confCwd;
+	defaultConf;
+	constructor(cwd) {
+		this.confCwd = cwd ?? join(homedir(), ".mainlayer");
+		this.conf = new Conf({
+			cwd: this.confCwd,
+			configName: "config"
+		});
+		this.defaultConf = new Conf({
+			cwd: this.confCwd,
+			configName: "config"
+		});
+	}
+	get(key) {
+		return this.conf.get(key);
+	}
+	set(key, value) {
+		this.conf.set(key, value);
+	}
+	delete(key) {
+		this.conf.delete(key);
+	}
+	getAll() {
+		return this.conf.store;
+	}
+	getApiUrl() {
+		return this.get("apiUrl") ?? process.env["MAINLAYER_API_URL"] ?? "https://api.mainlayer.fr";
+	}
+	clear() {
+		this.conf.clear();
+	}
+	/**
+	* Switch the active profile. Reinitializes this.conf to point at
+	* config.<name>.json (or config.json for 'default').
+	*/
+	setProfile(name) {
+		const configName = name === "default" ? "config" : `config.${name}`;
+		this.conf = new Conf({
+			cwd: this.confCwd,
+			configName
+		});
+	}
+	/**
+	* Persist the active profile name to the default config.json.
+	* Always writes to the default conf, regardless of what profile is currently active.
+	*/
+	setActiveProfile(name) {
+		this.defaultConf.set("activeProfile", name);
+	}
+	/**
+	* Returns the active profile name. Reads from MAINLAYER_PROFILE env var first,
+	* then from the default config.json, then defaults to 'default'.
+	*/
+	getActiveProfile() {
+		return process.env["MAINLAYER_PROFILE"] ?? this.defaultConf.get("activeProfile") ?? "default";
+	}
+};
+const configService = new ConfigService();
+//#endregion
+//#region src/utils/errors.ts
+const EXIT_CODES = {
+	SUCCESS: 0,
+	GENERAL: 1,
+	AUTH_ERROR: 2,
+	NOT_FOUND: 3,
+	VALIDATION_ERROR: 4,
+	ALREADY_EXISTS: 5
+};
+var AppError = class extends Error {
+	constructor(message, exitCode = EXIT_CODES.GENERAL, meta) {
+		super(message);
+		this.exitCode = exitCode;
+		this.meta = meta;
+		this.name = "AppError";
+	}
+};
+//#endregion
+//#region src/services/api-client.ts
+var ApiClient = class {
+	apiKeyOverride;
+	setApiKeyOverride(key) {
+		this.apiKeyOverride = key;
+	}
+	createHttp() {
+		return ky.extend({
+			prefixUrl: configService.getApiUrl(),
+			hooks: { beforeRequest: [(request) => {
+				const apiKey = this.apiKeyOverride ?? process.env["MAINLAYER_API_KEY"];
+				const jwt = configService.get("jwt");
+				if (apiKey) request.headers.set("Authorization", `Bearer ${apiKey}`);
+				else if (jwt) request.headers.set("Authorization", `Bearer ${jwt}`);
+			}] }
+		});
+	}
+	async handleError(err) {
+		if (err instanceof HTTPError) {
+			const body = await err.response.json().catch(() => ({ error: "Unknown error" }));
+			const detail = body.detail;
+			let msg;
+			if (body.message) msg = body.message;
+			else if (body.error) msg = body.error;
+			else if (Array.isArray(detail)) msg = detail.map((d) => d.msg).join("; ");
+			else msg = `HTTP ${err.response.status}`;
+			const status = err.response.status;
+			if (status === 401) throw new AppError(msg, EXIT_CODES.AUTH_ERROR, {
+				type: "auth_error",
+				hint: "Run: mainlayer auth login"
+			});
+			if (status === 404) throw new AppError(msg, EXIT_CODES.NOT_FOUND, { type: "not_found" });
+			if (status === 409) throw new AppError(msg, EXIT_CODES.ALREADY_EXISTS, { type: "already_exists" });
+			if (status === 422) throw new AppError(msg, EXIT_CODES.VALIDATION_ERROR, { type: "validation_error" });
+			throw new AppError(msg, EXIT_CODES.GENERAL, { type: "api_error" });
+		}
+		throw err;
+	}
+	async post(path, body) {
+		try {
+			return await this.createHttp().post(path, { json: body }).json();
+		} catch (err) {
+			return this.handleError(err);
+		}
+	}
+	async put(path, body) {
+		try {
+			return await this.createHttp().put(path, { json: body }).json();
+		} catch (err) {
+			return this.handleError(err);
+		}
+	}
+	async patch(path, body) {
+		try {
+			return await this.createHttp().patch(path, { json: body }).json();
+		} catch (err) {
+			return this.handleError(err);
+		}
+	}
+	async get(path, searchParams) {
+		try {
+			return await this.createHttp().get(path, searchParams ? { searchParams } : void 0).json();
+		} catch (err) {
+			return this.handleError(err);
+		}
+	}
+	async delete(path) {
+		try {
+			return await this.createHttp().delete(path).json();
+		} catch (err) {
+			return this.handleError(err);
+		}
+	}
+};
+const apiClient = new ApiClient();
+//#endregion
+//#region src/utils/output.ts
+function formatOutput(data, opts) {
+	if (opts.json || !process.stdout.isTTY) console.log(JSON.stringify(data));
+	else for (const [key, value] of Object.entries(data)) console.log(`${chalk.cyan(key + ":")}  ${value}`);
+}
+function printError(message) {
+	console.error(chalk.red(message));
+}
+function printSuccess(message) {
+	console.error(chalk.green(message));
+}
+function printTable(headers, rows) {
+	if (rows.length === 0) return;
+	const widths = headers.map((h, i) => Math.max(h.length, ...rows.map((r) => (r[i] ?? "").length)));
+	const fmt = (cols) => cols.map((c, i) => c.padEnd(widths[i])).join("  ");
+	console.log(chalk.bold(fmt(headers)));
+	console.log(widths.map((w) => "-".repeat(w)).join("  "));
+	for (const row of rows) console.log(fmt(row));
+}
+function truncate(str, maxLen) {
+	return str.length > maxLen ? str.slice(0, maxLen - 3) + "..." : str;
+}
+//#endregion
+//#region src/utils/prompt.ts
+async function getCredentials(opts) {
+	const email = opts.email ?? process.env["MAINLAYER_EMAIL"];
+	const password = opts.password ?? process.env["MAINLAYER_PASSWORD"];
+	if (email && password) return {
+		email,
+		password
+	};
+	if (!process.stdin.isTTY) {
+		printError("Set MAINLAYER_EMAIL / MAINLAYER_PASSWORD or pass --email / --password flags");
+		process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+		process.exit();
+	}
+	clack.intro("Mainlayer");
+	const resolvedEmail = email ?? await clack.text({
+		message: "Email address",
+		validate: (v) => v.includes("@") ? void 0 : "Enter a valid email"
+	});
+	const resolvedPassword = password ?? await clack.password({ message: "Password" });
+	if (clack.isCancel(resolvedEmail) || clack.isCancel(resolvedPassword)) {
+		clack.cancel("Cancelled.");
+		process.exitCode = EXIT_CODES.GENERAL;
+		process.exit();
+	}
+	return {
+		email: resolvedEmail,
+		password: resolvedPassword
+	};
+}
+async function getPassphrase(opts) {
+	const envPassphrase = process.env["MAINLAYER_WALLET_PASSPHRASE"];
+	if (envPassphrase) return envPassphrase;
+	if (!process.stdin.isTTY) {
+		printError("Set MAINLAYER_WALLET_PASSPHRASE env var or run in an interactive terminal");
+		process.exitCode = EXIT_CODES.AUTH_ERROR;
+		process.exit();
+	}
+	const passphrase = await clack.password({ message: "Enter wallet passphrase" });
+	if (clack.isCancel(passphrase)) {
+		clack.cancel("Cancelled.");
+		process.exitCode = EXIT_CODES.GENERAL;
+		process.exit();
+	}
+	if (opts?.confirm) {
+		const confirmation = await clack.password({ message: "Confirm wallet passphrase" });
+		if (clack.isCancel(confirmation)) {
+			clack.cancel("Cancelled.");
+			process.exitCode = EXIT_CODES.GENERAL;
+			process.exit();
+		}
+		if (passphrase !== confirmation) {
+			printError("Passphrases do not match");
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			process.exit();
+		}
+	}
+	return passphrase;
+}
+//#endregion
+//#region src/cli/auth.ts
+function authCommand() {
+	const auth = new Command("auth").description("Authentication commands");
+	auth.command("register").description("Create a new Mainlayer account").option("--email <email>", "Email address").option("--password <password>", "Password").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const { email, password } = await getCredentials(opts);
+			const spinner = ora({
+				text: "Creating account...",
+				stream: process.stderr
+			}).start();
+			let response;
+			try {
+				response = await apiClient.post("auth/register", {
+					email,
+					password
+				});
+			} finally {
+				spinner.stop();
+			}
+			configService.set("jwt", response.token);
+			configService.set("jwtExpiresAt", response.expiresAt);
+			configService.set("userId", response.userId);
+			configService.set("email", response.email);
+			const json = opts.json ?? false;
+			formatOutput({
+				email: response.email,
+				userId: response.userId
+			}, { json });
+			if (process.stdout.isTTY && !json) clack.outro("Account created");
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	auth.command("login").description("Log in to your Mainlayer account").option("--email <email>", "Email address").option("--password <password>", "Password").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const { email, password } = await getCredentials(opts);
+			const spinner = ora({
+				text: "Logging in...",
+				stream: process.stderr
+			}).start();
+			let response;
+			try {
+				response = await apiClient.post("auth/login", {
+					email,
+					password
+				});
+			} finally {
+				spinner.stop();
+			}
+			configService.set("jwt", response.token);
+			configService.set("jwtExpiresAt", response.expiresAt);
+			configService.set("userId", response.userId);
+			configService.set("email", response.email);
+			const json = opts.json ?? false;
+			formatOutput({
+				email: response.email,
+				authenticated: true
+			}, { json });
+			if (process.stdout.isTTY && !json) clack.outro("Logged in");
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	auth.command("logout").description("Log out of your Mainlayer account").option("--json", "Output as JSON").action((opts) => {
+		configService.delete("jwt");
+		configService.delete("jwtExpiresAt");
+		configService.delete("userId");
+		configService.delete("email");
+		const json = opts.json ?? false;
+		formatOutput({ loggedOut: true }, { json });
+		if (process.stdout.isTTY && !json) clack.outro("Logged out");
+	});
+	auth.command("status").description("Show current authentication status").option("--json", "Output as JSON").action((opts) => {
+		const email = configService.get("email");
+		const jwt = configService.get("jwt");
+		const jwtExpiresAt = configService.get("jwtExpiresAt");
+		const authenticated = !!jwt;
+		const expired = jwtExpiresAt ? new Date(jwtExpiresAt) < /* @__PURE__ */ new Date() : false;
+		const json = opts.json ?? false;
+		formatOutput({
+			email: email ?? "",
+			authenticated,
+			expired
+		}, { json });
+	});
+	const apiKey = new Command("api-key").description("Manage API keys");
+	apiKey.command("create").description("Create a new API key").option("--label <label>", "Label for the API key").option("--json", "Output as JSON").action(async (opts) => {
+		if (!opts.label) {
+			printError("--label is required");
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			return;
+		}
+		try {
+			const response = await apiClient.post("auth/api-keys", { label: opts.label });
+			const json = opts.json ?? false;
+			if (!json && process.stdout.isTTY) printError("This is the only time the API key value will be shown. Save it now.");
+			formatOutput({
+				id: response.id,
+				label: response.label,
+				key: response.key ?? ""
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	apiKey.command("list").description("List all active API keys").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const keys = await apiClient.get("auth/api-keys");
+			if ((opts.json ?? false) || !process.stdout.isTTY) console.log(JSON.stringify(keys));
+			else for (const k of keys) console.log(`id: ${k.id}  label: ${k.label}  created: ${k.createdAt}`);
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	apiKey.command("revoke <id>").description("Revoke an API key by ID").option("--json", "Output as JSON").action(async (id, opts) => {
+		try {
+			await apiClient.delete(`auth/api-keys/${id}`);
+			const json = opts.json ?? false;
+			formatOutput({
+				revoked: true,
+				id
+			}, { json });
+			if (process.stdout.isTTY && !json) clack.outro("API key revoked");
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	auth.addCommand(apiKey);
+	auth.command("switch <profile>").description("Switch to a named profile").option("--json", "Output as JSON").action((profile, opts) => {
+		configService.setActiveProfile(profile);
+		const json = opts.json ?? !process.stdout.isTTY;
+		formatOutput({ activeProfile: profile }, { json });
+		if (process.stdout.isTTY && !json) clack.outro(`Switched to profile: ${profile}`);
+	});
+	auth.command("list").description("List all profiles").option("--json", "Output as JSON").action((opts) => {
+		let profiles = ["default"];
+		try {
+			profiles = readdirSync(join(homedir(), ".mainlayer")).filter((f) => f === "config.json" || /^config\..+\.json$/.test(f)).map((f) => f === "config.json" ? "default" : f.replace(/^config\./, "").replace(/\.json$/, ""));
+			if (!profiles.includes("default")) profiles.unshift("default");
+		} catch {}
+		const active = configService.getActiveProfile();
+		const json = opts.json ?? !process.stdout.isTTY;
+		formatOutput({
+			profiles,
+			active
+		}, { json });
+	});
+	return auth;
+}
+//#endregion
+//#region src/services/wallet-service.ts
+const pbkdf2Async = promisify(pbkdf2);
+const DEFAULT_WALLET_PATH = join(homedir(), ".mainlayer", "wallet.json");
+const PBKDF2_ITERATIONS = 2e5;
+const USDC_MINT$1 = "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v";
+var WalletService = class {
+	walletPath;
+	constructor(walletPath) {
+		this.walletPath = walletPath ?? DEFAULT_WALLET_PATH;
+	}
+	async encryptKeystore(privateKeyBytes, pubkey, passphrase) {
+		const salt = randomBytes(16);
+		const iv = randomBytes(12);
+		const cipher = createCipheriv("aes-256-gcm", await pbkdf2Async(passphrase, salt, PBKDF2_ITERATIONS, 32, "sha256"), iv);
+		const encrypted = Buffer.concat([cipher.update(privateKeyBytes), cipher.final()]);
+		const authTag = cipher.getAuthTag();
+		return {
+			version: 1,
+			pubkey,
+			salt: salt.toString("hex"),
+			iv: iv.toString("hex"),
+			ciphertext: encrypted.toString("hex"),
+			authTag: authTag.toString("hex")
+		};
+	}
+	async decryptKeystore(keystore, passphrase) {
+		const salt = Buffer.from(keystore.salt, "hex");
+		const iv = Buffer.from(keystore.iv, "hex");
+		const ciphertext = Buffer.from(keystore.ciphertext, "hex");
+		const authTag = Buffer.from(keystore.authTag, "hex");
+		const decipher = createDecipheriv("aes-256-gcm", await pbkdf2Async(passphrase, salt, PBKDF2_ITERATIONS, 32, "sha256"), iv);
+		decipher.setAuthTag(authTag);
+		try {
+			const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+			return new Uint8Array(decrypted);
+		} catch {
+			throw new AppError("Invalid passphrase", EXIT_CODES.AUTH_ERROR);
+		}
+	}
+	readKeystore() {
+		if (!existsSync(this.walletPath)) throw new AppError("No wallet found. Run: mainlayer wallet create", EXIT_CODES.NOT_FOUND);
+		const raw = readFileSync(this.walletPath, "utf8");
+		const keystore = JSON.parse(raw);
+		if (keystore.version !== 1) throw new AppError("Unsupported wallet format version", EXIT_CODES.GENERAL);
+		return keystore;
+	}
+	writeKeystore(keystore) {
+		mkdirSync(dirname(this.walletPath), { recursive: true });
+		writeFileSync(this.walletPath, JSON.stringify(keystore, null, 2), { mode: 384 });
+	}
+	async encryptKeystorePublic(privateKeyBytes, pubkey, passphrase) {
+		return this.encryptKeystore(privateKeyBytes, pubkey, passphrase);
+	}
+	async decryptKeystorePublic(keystore, passphrase) {
+		return this.decryptKeystore(keystore, passphrase);
+	}
+	async create(passphrase) {
+		if (existsSync(this.walletPath)) throw new AppError("Wallet already exists", EXIT_CODES.ALREADY_EXISTS);
+		const keyPair = await crypto.subtle.generateKey({ name: "Ed25519" }, true, ["sign", "verify"]);
+		const privateKeyBytes = new Uint8Array(await crypto.subtle.exportKey("pkcs8", keyPair.privateKey)).slice(16);
+		const addr = await getAddressFromPublicKey(keyPair.publicKey);
+		const keystore = await this.encryptKeystore(privateKeyBytes, addr, passphrase);
+		this.writeKeystore(keystore);
+		return addr;
+	}
+	async importFromBase58(base58Key, passphrase) {
+		const keyBytes = getAddressEncoder().encode(base58Key);
+		const addr = await getAddressFromPublicKey((await createKeyPairFromPrivateKeyBytes(keyBytes)).publicKey);
+		const keystore = await this.encryptKeystore(keyBytes, addr, passphrase);
+		this.writeKeystore(keystore);
+		return addr;
+	}
+	async importFromMnemonic(mnemonic, passphrase) {
+		if (!validateMnemonic(mnemonic, wordlist)) throw new AppError("Invalid mnemonic phrase", EXIT_CODES.VALIDATION_ERROR);
+		const privateKeyBytes = mnemonicToSeedSync(mnemonic).slice(0, 32);
+		const addr = await getAddressFromPublicKey((await createKeyPairFromPrivateKeyBytes(privateKeyBytes)).publicKey);
+		const keystore = await this.encryptKeystore(privateKeyBytes, addr, passphrase);
+		this.writeKeystore(keystore);
+		return addr;
+	}
+	async getAddress() {
+		return this.readKeystore().pubkey;
+	}
+	async exportPrivateKey(passphrase) {
+		const keystore = this.readKeystore();
+		const privateKeyBytes = await this.decryptKeystore(keystore, passphrase);
+		return getAddressDecoder().decode(privateKeyBytes);
+	}
+	async getBalance() {
+		const addr = await this.getAddress();
+		const rpc = createSolanaRpc(configService.get("solanaRpcUrl") ?? process.env["MAINLAYER_SOLANA_RPC_URL"] ?? "https://api.mainnet-beta.solana.com");
+		const balanceResult = await rpc.getBalance(address(addr)).send();
+		const sol = Number(balanceResult.value) / 1e9;
+		let usdc = 0;
+		try {
+			const tokenAccounts = await rpc.getTokenAccountsByOwner(address(addr), { mint: address(USDC_MINT$1) }, { encoding: "jsonParsed" }).send();
+			for (const account of tokenAccounts.value) {
+				const parsed = account.account.data;
+				if (parsed && typeof parsed === "object" && "parsed" in parsed && parsed.parsed && typeof parsed.parsed === "object" && "info" in parsed.parsed) {
+					const info = parsed.parsed.info;
+					usdc += info.tokenAmount?.uiAmount ?? 0;
+				}
+			}
+		} catch {}
+		return {
+			sol,
+			usdc
+		};
+	}
+	async signTransaction(passphrase, unsignedTxB64) {
+		const keystore = this.readKeystore();
+		const keyPair = await createKeyPairFromPrivateKeyBytes(await this.decryptKeystore(keystore, passphrase));
+		const txBytes = Buffer.from(unsignedTxB64, "base64");
+		const messageBytes = txBytes.subarray(65);
+		const sigBytes = new Uint8Array(await crypto.subtle.sign("Ed25519", keyPair.privateKey, messageBytes));
+		const signedTx = Buffer.from(txBytes);
+		for (let i = 0; i < 64; i++) signedTx[1 + i] = sigBytes[i];
+		return signedTx.toString("base64");
+	}
+	async signMessage(passphrase, messageText) {
+		const keystore = this.readKeystore();
+		const keyPair = await createKeyPairFromPrivateKeyBytes(await this.decryptKeystore(keystore, passphrase));
+		const msgBytes = new TextEncoder().encode(messageText);
+		const sigBytes = new Uint8Array(await crypto.subtle.sign("Ed25519", keyPair.privateKey, msgBytes));
+		const { getBase58Codec } = await import("@solana/kit");
+		return getBase58Codec().encode(sigBytes);
+	}
+};
+const walletService = new WalletService();
+//#endregion
+//#region src/cli/wallet.ts
+function walletCommand() {
+	const wallet = new Command("wallet").description("Manage your Solana wallet");
+	wallet.command("create").description("Generate a new Solana keypair and store it encrypted").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const passphrase = await getPassphrase({ confirm: true });
+			formatOutput({ address: await walletService.create(passphrase) }, { json: opts.json ?? !process.stdout.isTTY });
+			if (process.stdout.isTTY && !opts.json) clack.outro("Wallet created");
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else {
+				printError(String(err));
+				process.exitCode = EXIT_CODES.GENERAL;
+			}
+		}
+	});
+	wallet.command("import").description("Import an existing Solana keypair (base58 or mnemonic)").option("--base58 <key>", "Import from base58-encoded private key").option("--mnemonic <words>", "Import from BIP39 mnemonic phrase").option("--json", "Output as JSON").action(async (opts) => {
+		if (!opts.base58 && !opts.mnemonic || opts.base58 && opts.mnemonic) {
+			printError("Provide exactly one of --base58 <key> or --mnemonic <words>");
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			return;
+		}
+		try {
+			const passphrase = await getPassphrase({ confirm: true });
+			let address;
+			if (opts.base58) address = await walletService.importFromBase58(opts.base58, passphrase);
+			else address = await walletService.importFromMnemonic(opts.mnemonic, passphrase);
+			formatOutput({ address }, { json: opts.json ?? !process.stdout.isTTY });
+			if (process.stdout.isTTY && !opts.json) clack.outro("Wallet imported");
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else {
+				printError(String(err));
+				process.exitCode = EXIT_CODES.GENERAL;
+			}
+		}
+	});
+	wallet.command("address").description("Print the wallet public key (no passphrase required)").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const address = await walletService.getAddress();
+			if (opts.json || !process.stdout.isTTY) formatOutput({ address }, { json: true });
+			else console.log(address);
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else {
+				printError(String(err));
+				process.exitCode = EXIT_CODES.GENERAL;
+			}
+		}
+	});
+	wallet.command("balance").description("Show SOL and USDC balances").option("--json", "Output as JSON").action(async (opts) => {
+		const spinner = process.stderr.isTTY ? ora({
+			text: "Checking balance...",
+			stream: process.stderr
+		}).start() : null;
+		try {
+			const { sol, usdc } = await walletService.getBalance();
+			spinner?.succeed("Balance loaded");
+			formatOutput({
+				sol,
+				usdc
+			}, { json: opts.json ?? !process.stdout.isTTY });
+		} catch (err) {
+			spinner?.fail("Failed to fetch balance");
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else {
+				printError(String(err));
+				process.exitCode = EXIT_CODES.GENERAL;
+			}
+		}
+	});
+	wallet.command("export").description("Export the private key (always requires interactive passphrase entry)").option("--json", "Output as JSON").action(async (opts) => {
+		if (!process.stdin.isTTY) {
+			printError("wallet export requires interactive passphrase entry");
+			process.exitCode = EXIT_CODES.AUTH_ERROR;
+			return;
+		}
+		try {
+			const passphrase = await clack.password({ message: "Enter wallet passphrase to export private key" });
+			if (clack.isCancel(passphrase)) {
+				clack.cancel("Cancelled.");
+				process.exitCode = EXIT_CODES.GENERAL;
+				return;
+			}
+			const privateKey = await walletService.exportPrivateKey(passphrase);
+			if (opts.json || !process.stdout.isTTY) formatOutput({ privateKey }, { json: true });
+			else console.log(privateKey);
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else {
+				printError(String(err));
+				process.exitCode = EXIT_CODES.GENERAL;
+			}
+		}
+	});
+	return wallet;
+}
+//#endregion
+//#region src/types/config.ts
+const KNOWN_CONFIG_KEYS = [
+	"apiUrl",
+	"jwt",
+	"jwtExpiresAt",
+	"userId",
+	"email",
+	"lastUpdateCheck",
+	"activeProfile"
+];
+//#endregion
+//#region src/cli/config.ts
+function configCommand() {
+	const config = new Command("config").description("Read and write CLI configuration");
+	config.option("--list", "List all configuration values").option("--json", "Output as JSON").action((opts) => {
+		if (opts.list) {
+			const display = { ...configService.getAll() };
+			if (display.jwt) display.jwt = "***";
+			formatOutput(display, { json: opts.json ?? !process.stdout.isTTY });
+		}
+	});
+	config.command("get <key>").description("Get a configuration value").option("--json", "Output as JSON").action((key, opts) => {
+		if (!KNOWN_CONFIG_KEYS.includes(key)) {
+			printError(`Unknown config key: ${key}. Known keys: ${KNOWN_CONFIG_KEYS.join(", ")}`);
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			return;
+		}
+		const value = configService.get(key);
+		if (value === void 0) {
+			printError(`Key '${key}' is not set`);
+			process.exitCode = EXIT_CODES.NOT_FOUND;
+			return;
+		}
+		if (opts.json ?? !process.stdout.isTTY) formatOutput({ [key]: value }, { json: true });
+		else console.log(value);
+	});
+	config.command("set <key> <value>").description("Set a configuration value").option("--json", "Output as JSON").action((key, value, opts) => {
+		if (!KNOWN_CONFIG_KEYS.includes(key)) {
+			printError(`Unknown config key: ${key}. Known keys: ${KNOWN_CONFIG_KEYS.join(", ")}`);
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			return;
+		}
+		configService.set(key, value);
+		if (opts.json ?? !process.stdout.isTTY) formatOutput({ [key]: value }, { json: true });
+		else printSuccess(`Set ${key}`);
+	});
+	config.command("unset <key>").description("Remove a configuration value").option("--json", "Output as JSON").action((key, opts) => {
+		if (!KNOWN_CONFIG_KEYS.includes(key)) {
+			printError(`Unknown config key: ${key}. Known keys: ${KNOWN_CONFIG_KEYS.join(", ")}`);
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			return;
+		}
+		configService.delete(key);
+		const json = opts.json ?? !process.stdout.isTTY;
+		formatOutput({ unset: key }, { json });
+	});
+	return config;
+}
+//#endregion
+//#region src/cli/webhook.ts
+function webhookCommand() {
+	const webhook = new Command("webhook").description("Webhook management commands");
+	webhook.command("update").description("Update the webhook callback URL for a resource").requiredOption("--resource-id <id>", "Resource ID").requiredOption("--callback-url <url>", "New callback URL").option("--json", "Output as JSON").action(async (opts) => {
+		const resourceId = opts.resourceId;
+		const callbackUrl = opts.callbackUrl;
+		const json = opts.json ?? false;
+		if (!resourceId || !callbackUrl) {
+			printError("--resource-id and --callback-url are required");
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			return;
+		}
+		const spinner = ora({
+			text: "Updating webhook...",
+			stream: process.stderr
+		}).start();
+		try {
+			await apiClient.put("webhooks/" + resourceId, { callback_url: callbackUrl });
+			spinner.stop();
+			formatOutput({
+				resource_id: resourceId,
+				callback_url: callbackUrl,
+				updated: true
+			}, { json });
+		} catch (err) {
+			spinner.stop();
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	webhook.command("logs").description("View webhook delivery logs").option("--status <status>", "Filter by status").option("--limit <n>", "Max results to return", "20").option("--json", "Output as JSON").action(async (opts) => {
+		const json = opts.json ?? false;
+		const params = {};
+		if (opts.status) params["status"] = opts.status;
+		if (opts.limit) params["limit"] = opts.limit;
+		const spinner = ora({
+			text: "Loading webhook logs...",
+			stream: process.stderr
+		}).start();
+		try {
+			const logs = await apiClient.get("webhooks/logs", params);
+			spinner.stop();
+			if (json) {
+				console.log(JSON.stringify(logs));
+				return;
+			}
+			if (logs.length === 0) {
+				console.log("No webhook logs found.");
+				return;
+			}
+			printTable([
+				"LOG_ID",
+				"PAYMENT_ID",
+				"STATUS",
+				"HTTP",
+				"ATTEMPTS"
+			], logs.map((l) => [
+				truncate(l.id, 12),
+				truncate(l.payment_id, 12),
+				l.status,
+				String(l.http_status ?? "-"),
+				String(l.attempts)
+			]));
+		} catch (err) {
+			spinner.stop();
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	webhook.command("retry <log-id>").description("Retry a failed webhook delivery").option("--json", "Output as JSON").action(async (logId, opts) => {
+		const json = opts.json ?? false;
+		const spinner = ora({
+			text: "Retrying webhook delivery...",
+			stream: process.stderr
+		}).start();
+		try {
+			await apiClient.post("webhooks/logs/" + logId + "/retry");
+			spinner.stop();
+			formatOutput({
+				retried: true,
+				log_id: logId
+			}, { json });
+		} catch (err) {
+			spinner.stop();
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	webhook.command("rotate-secret").description("Rotate the webhook secret for a resource").requiredOption("--resource-id <id>", "Resource ID").option("--force", "Confirm secret rotation").option("--json", "Output as JSON").action(async (opts) => {
+		const resourceId = opts.resourceId;
+		const json = opts.json ?? false;
+		if (!resourceId) {
+			printError("--resource-id is required");
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			return;
+		}
+		if (!opts.force) {
+			printError("Error: This will rotate the webhook secret for resource '" + resourceId + "'. The old secret remains valid for 24 hours. Run with --force to confirm.");
+			process.exitCode = EXIT_CODES.GENERAL;
+			return;
+		}
+		const spinner = ora({
+			text: "Rotating webhook secret...",
+			stream: process.stderr
+		}).start();
+		try {
+			const response = await apiClient.post("webhooks/" + resourceId + "/rotate-secret");
+			spinner.stop();
+			if (json) {
+				console.log(JSON.stringify(response));
+				return;
+			}
+			printSuccess("New webhook secret:");
+			console.log(response.webhook_secret);
+			console.error(chalk.yellow("Save this secret now. It will not be shown again in this form."));
+		} catch (err) {
+			spinner.stop();
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	return webhook;
+}
+//#endregion
+//#region src/utils/price.ts
+/**
+* Parse a price string to micro-units (integer).
+* Decimal presence (contains '.') means USDC dollars -> multiply by 1_000_000.
+* No decimal means raw micro-units.
+* Per D-06 from 02-CONTEXT.md.
+*/
+function parsePrice(raw) {
+	if (raw.includes(".")) {
+		const parsed = parseFloat(raw);
+		if (Number.isNaN(parsed) || parsed <= 0) throw new Error(`Invalid price: "${raw}". Must be a positive number.`);
+		return Math.round(parsed * 1e6);
+	}
+	const parsed = parseInt(raw, 10);
+	if (Number.isNaN(parsed) || parsed <= 0) throw new Error(`Invalid price: "${raw}". Must be a positive integer (micro-units).`);
+	return parsed;
+}
+/**
+* Format micro-units to human-readable USDC string.
+* Example: 1000000 -> "$1.00 USDC"
+*/
+function formatPrice(microUnits) {
+	return `$${(microUnits / 1e6).toFixed(2)} USDC`;
+}
+//#endregion
+//#region src/cli/resource-plans.ts
+function buildPlanCommand() {
+	const plan = new Command("plan").description("Manage pricing plans for a resource");
+	plan.command("create").description("Create a pricing plan for a resource").option("--resource-id <id>", "Resource ID (required)").option("--name <name>", "Plan name (required)").option("--price <price>", "Price in USDC or micro-units (required)").option("--fee-model <model>", "Fee model: pay_per_call | subscription | one_time (required)").option("--credits-per-payment <n>", "Credits included per payment").option("--duration-seconds <n>", "Subscription duration in seconds").option("--max-calls-per-day <n>", "Max calls per day").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			const missing = [];
+			if (!opts.resourceId) missing.push("--resource-id");
+			if (!opts.name) missing.push("--name");
+			if (!opts.price) missing.push("--price");
+			if (!opts.feeModel) missing.push("--fee-model");
+			if (missing.length > 0) {
+				printError(`Missing required flags: ${missing.join(", ")}`);
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const parsedPrice = parsePrice(opts.price);
+			const body = {
+				name: opts.name,
+				price_usdc: parsedPrice,
+				fee_model: opts.feeModel,
+				...opts.creditsPerPayment !== void 0 && { credits_per_payment: Number(opts.creditsPerPayment) },
+				...opts.durationSeconds !== void 0 && { duration_seconds: Number(opts.durationSeconds) },
+				...opts.maxCallsPerDay !== void 0 && { max_calls_per_day: Number(opts.maxCallsPerDay) }
+			};
+			const spinner = ora({
+				text: "Creating plan...",
+				stream: process.stderr
+			}).start();
+			let response;
+			try {
+				response = await apiClient.post(`resources/${resourceId}/plans`, body);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				id: response.id,
+				name: response.name,
+				price: formatPrice(response.price_usdc),
+				fee_model: response.fee_model
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	plan.command("list").description("List pricing plans for a resource").option("--resource-id <id>", "Resource ID (required)").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.resourceId) {
+				printError("Missing required flag: --resource-id");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const spinner = ora({
+				text: "Loading plans...",
+				stream: process.stderr
+			}).start();
+			let plans;
+			try {
+				plans = await apiClient.get(`resources/${resourceId}/plans`);
+			} finally {
+				spinner.stop();
+			}
+			if (json || !process.stdout.isTTY) {
+				console.log(JSON.stringify(plans));
+				return;
+			}
+			if (plans.length === 0) {
+				console.log("No plans for this resource. Run `mainlayer resource plan create` to add one.");
+				return;
+			}
+			printTable([
+				"NAME",
+				"PRICE",
+				"FEE MODEL",
+				"CREDITS",
+				"DURATION"
+			], plans.map((p) => [
+				p.name,
+				formatPrice(p.price_usdc),
+				p.fee_model,
+				String(p.credits_per_payment ?? "-"),
+				String(p.duration_seconds ?? "-")
+			]));
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	plan.command("update <plan-name>").description("Update a pricing plan by name").option("--resource-id <id>", "Resource ID (required)").option("--price <price>", "New price in USDC or micro-units").option("--fee-model <model>", "New fee model: pay_per_call | subscription | one_time").option("--credits-per-payment <n>", "New credits per payment").option("--duration-seconds <n>", "New duration in seconds").option("--max-calls-per-day <n>", "New max calls per day").option("--json", "Output as JSON").action(async (planName, opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.resourceId) {
+				printError("Missing required flag: --resource-id");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const body = {
+				...opts.price !== void 0 && { price_usdc: parsePrice(opts.price) },
+				...opts.feeModel !== void 0 && { fee_model: opts.feeModel },
+				...opts.creditsPerPayment !== void 0 && { credits_per_payment: Number(opts.creditsPerPayment) },
+				...opts.durationSeconds !== void 0 && { duration_seconds: Number(opts.durationSeconds) },
+				...opts.maxCallsPerDay !== void 0 && { max_calls_per_day: Number(opts.maxCallsPerDay) }
+			};
+			const spinner = ora({
+				text: "Updating plan...",
+				stream: process.stderr
+			}).start();
+			let response;
+			try {
+				response = await apiClient.put(`resources/${resourceId}/plans/${planName}`, body);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				id: response.id,
+				name: response.name,
+				price: formatPrice(response.price_usdc),
+				fee_model: response.fee_model
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	plan.command("delete <plan-name>").description("Delete a pricing plan by name").option("--resource-id <id>", "Resource ID (required)").option("--force", "Confirm deletion without prompt").option("--json", "Output as JSON").action(async (planName, opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.resourceId) {
+				printError("Missing required flag: --resource-id");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			if (!opts.force) {
+				printError(`Error: This will delete plan '${planName}'. Run with --force to confirm.`);
+				process.exitCode = EXIT_CODES.GENERAL;
+				return;
+			}
+			const spinner = ora({
+				text: "Deleting plan...",
+				stream: process.stderr
+			}).start();
+			try {
+				await apiClient.delete(`resources/${resourceId}/plans/${planName}`);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				deleted: true,
+				plan_name: planName
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	return plan;
+}
+//#endregion
+//#region src/cli/resource-quota.ts
+function buildQuotaCommand() {
+	const quota = new Command("quota").description("Manage per-wallet quota limits");
+	quota.command("set").description("Set per-wallet quota limits for a resource").option("--resource-id <id>", "Resource ID (required)").option("--max-purchases <n>", "Max purchases per wallet").option("--max-calls-per-day <n>", "Max calls per day per wallet").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.resourceId) {
+				printError("Missing required flag: --resource-id");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			if (!opts.maxPurchases && !opts.maxCallsPerDay) {
+				printError("At least one of --max-purchases or --max-calls-per-day must be provided");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const body = {
+				...opts.maxPurchases !== void 0 && { max_purchases_per_wallet: Number(opts.maxPurchases) },
+				...opts.maxCallsPerDay !== void 0 && { max_calls_per_day_per_wallet: Number(opts.maxCallsPerDay) }
+			};
+			const spinner = ora({
+				text: "Setting quota...",
+				stream: process.stderr
+			}).start();
+			let response;
+			try {
+				response = await apiClient.put(`resources/${resourceId}/quota`, body);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				resource_id: response.resource_id,
+				max_purchases_per_wallet: response.max_purchases_per_wallet ?? "unlimited",
+				max_calls_per_day_per_wallet: response.max_calls_per_day_per_wallet ?? "unlimited"
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	quota.command("get").description("Get quota limits for a resource").option("--resource-id <id>", "Resource ID (required)").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.resourceId) {
+				printError("Missing required flag: --resource-id");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const spinner = ora({
+				text: "Loading quota...",
+				stream: process.stderr
+			}).start();
+			let response;
+			try {
+				response = await apiClient.get(`resources/${resourceId}/quota`);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				resource_id: response.resource_id,
+				max_purchases_per_wallet: response.max_purchases_per_wallet ?? "unlimited",
+				max_calls_per_day_per_wallet: response.max_calls_per_day_per_wallet ?? "unlimited"
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	quota.command("delete").description("Remove quota limits for a resource").option("--resource-id <id>", "Resource ID (required)").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.resourceId) {
+				printError("Missing required flag: --resource-id");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const spinner = ora({
+				text: "Removing quota...",
+				stream: process.stderr
+			}).start();
+			try {
+				await apiClient.delete(`resources/${resourceId}/quota`);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				removed: true,
+				resource_id: resourceId
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	return quota;
+}
+//#endregion
+//#region src/cli/resource.ts
+const VALID_TYPES = [
+	"api",
+	"file",
+	"endpoint",
+	"page"
+];
+const VALID_FEE_MODELS = [
+	"one_time",
+	"subscription",
+	"pay_per_call",
+	"hybrid"
+];
+async function resolveVendorWallet(vendorWallet, json) {
+	if (vendorWallet) return vendorWallet;
+	try {
+		const addr = await walletService.getAddress();
+		if (process.stdout.isTTY && !json) process.stderr.write(`Using wallet: ${addr}\n`);
+		return addr;
+	} catch {
+		return;
+	}
+}
+async function fetchResourceById(id) {
+	const resource = (await apiClient.get("resources")).find((r) => r.id === id);
+	if (!resource) throw new AppError("Resource not found", EXIT_CODES.NOT_FOUND);
+	return resource;
+}
+function formatResourceDetail(r) {
+	return {
+		id: r.id,
+		slug: r.slug,
+		type: r.type,
+		price: formatPrice(r.price_usdc),
+		fee_model: r.fee_model,
+		vendor_wallet: r.vendor_wallet,
+		description: r.description ?? "",
+		discoverable: r.discoverable,
+		active: r.active,
+		created_at: r.created_at
+	};
+}
+function resourceCommand() {
+	const resource = new Command("resource").description("Manage vendor resources");
+	resource.command("create").description("Create a new resource").option("--slug <slug>", "Resource slug (URL-friendly identifier)").option("--type <type>", "Resource type: api | file | endpoint | page").option("--price <price>", "Price in USDC (e.g. 1.00) or micro-units (e.g. 1000000)").option("--fee-model <model>", "Fee model: one_time | subscription | pay_per_call | hybrid").option("--vendor-wallet <address>", "Vendor wallet address (auto-fills from local wallet)").option("--description <text>", "Resource description").option("--discoverable", "Make resource discoverable in marketplace").option("--callback-url <url>", "Webhook callback URL").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			let slug = opts.slug;
+			let type = opts.type;
+			let price = opts.price;
+			let feeModel = opts.feeModel;
+			const isTTY = process.stdin.isTTY;
+			if ((!slug || !type || !price || !feeModel) && isTTY && !json) {
+				clack.intro("Create resource");
+				if (!slug) {
+					const result = await clack.text({
+						message: "Slug",
+						placeholder: "my-api"
+					});
+					if (clack.isCancel(result)) {
+						process.exitCode = EXIT_CODES.GENERAL;
+						return;
+					}
+					slug = result;
+				}
+				if (!type) {
+					const result = await clack.select({
+						message: "Type",
+						options: VALID_TYPES.map((t) => ({
+							value: t,
+							label: t
+						}))
+					});
+					if (clack.isCancel(result)) {
+						process.exitCode = EXIT_CODES.GENERAL;
+						return;
+					}
+					type = result;
+				}
+				if (!price) {
+					const result = await clack.text({
+						message: "Price (USDC)",
+						placeholder: "1.00"
+					});
+					if (clack.isCancel(result)) {
+						process.exitCode = EXIT_CODES.GENERAL;
+						return;
+					}
+					price = result;
+				}
+				if (!feeModel) {
+					const result = await clack.select({
+						message: "Fee model",
+						options: VALID_FEE_MODELS.map((m) => ({
+							value: m,
+							label: m
+						}))
+					});
+					if (clack.isCancel(result)) {
+						process.exitCode = EXIT_CODES.GENERAL;
+						return;
+					}
+					feeModel = result;
+				}
+			} else {
+				const missing = [];
+				if (!slug) missing.push("--slug");
+				if (!type) missing.push("--type");
+				if (!price) missing.push("--price");
+				if (!feeModel) missing.push("--fee-model");
+				if (missing.length > 0) {
+					printError(`Missing required flags: ${missing.join(", ")}`);
+					process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+					return;
+				}
+			}
+			const parsedPrice = parsePrice(price);
+			const vendorWallet = await resolveVendorWallet(opts.vendorWallet, json);
+			const body = {
+				slug,
+				type,
+				price_usdc: parsedPrice,
+				fee_model: feeModel,
+				vendor_wallet: vendorWallet ?? "",
+				...opts.description !== void 0 && { description: opts.description },
+				...opts.discoverable !== void 0 && { discoverable: opts.discoverable },
+				...opts.callbackUrl !== void 0 && { callback_url: opts.callbackUrl }
+			};
+			const spinner = ora({
+				text: "Creating resource...",
+				stream: process.stderr
+			}).start();
+			let response;
+			try {
+				response = await apiClient.post("resources", body);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				id: response.id,
+				slug: response.slug,
+				type: response.type,
+				price: formatPrice(response.price_usdc),
+				fee_model: response.fee_model,
+				active: response.active
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	resource.command("list").description("List all your resources").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			const spinner = ora({
+				text: "Loading resources...",
+				stream: process.stderr
+			}).start();
+			let resources;
+			try {
+				resources = await apiClient.get("resources");
+			} finally {
+				spinner.stop();
+			}
+			if (json || !process.stdout.isTTY) {
+				console.log(JSON.stringify(resources));
+				return;
+			}
+			if (resources.length === 0) {
+				console.log("No resources yet. Run `mainlayer resource create` to register your first one.");
+				return;
+			}
+			printTable([
+				"ID",
+				"SLUG",
+				"TYPE",
+				"PRICE",
+				"FEE MODEL",
+				"ACTIVE"
+			], resources.map((r) => [
+				truncate(r.id, 12),
+				truncate(r.slug, 20),
+				r.type,
+				formatPrice(r.price_usdc),
+				r.fee_model,
+				r.active ? "yes" : "no"
+			]));
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	resource.command("get <id>").description("Get details of a resource by ID").option("--json", "Output as JSON").action(async (id, opts) => {
+		try {
+			const json = opts.json ?? false;
+			const spinner = ora({
+				text: "Loading resource...",
+				stream: process.stderr
+			}).start();
+			let res;
+			try {
+				res = await fetchResourceById(id);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput(formatResourceDetail(res), { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	resource.command("update <id>").description("Update a resource").option("--slug <slug>", "New slug").option("--type <type>", "New type: api | file | endpoint | page").option("--price <price>", "New price in USDC or micro-units").option("--fee-model <model>", "New fee model").option("--vendor-wallet <address>", "New vendor wallet address").option("--description <text>", "New description").option("--discoverable", "Set discoverable to true").option("--no-discoverable", "Set discoverable to false").option("--callback-url <url>", "New callback URL").option("--json", "Output as JSON").action(async (id, opts) => {
+		try {
+			const json = opts.json ?? false;
+			const spinner = ora({
+				text: "Loading resource...",
+				stream: process.stderr
+			}).start();
+			let existing;
+			try {
+				existing = await fetchResourceById(id);
+			} finally {
+				spinner.stop();
+			}
+			const parsedPrice = opts.price !== void 0 ? parsePrice(opts.price) : existing.price_usdc;
+			const body = {
+				slug: opts.slug ?? existing.slug,
+				type: opts.type ?? existing.type,
+				price_usdc: parsedPrice,
+				fee_model: opts.feeModel ?? existing.fee_model,
+				vendor_wallet: opts.vendorWallet ?? existing.vendor_wallet,
+				description: opts.description ?? existing.description ?? void 0,
+				discoverable: opts.discoverable ?? existing.discoverable,
+				callback_url: opts.callbackUrl ?? existing.callback_url ?? void 0
+			};
+			const updateSpinner = ora({
+				text: "Updating resource...",
+				stream: process.stderr
+			}).start();
+			let updated;
+			try {
+				updated = await apiClient.put(`resources/${id}`, body);
+			} finally {
+				updateSpinner.stop();
+			}
+			formatOutput(formatResourceDetail(updated), { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	resource.command("delete <id>").description("Delete a resource").option("--force", "Confirm deletion without prompt").option("--json", "Output as JSON").action(async (id, opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.force) {
+				const spinner = ora({
+					text: "Loading resource...",
+					stream: process.stderr
+				}).start();
+				let res;
+				try {
+					res = await fetchResourceById(id);
+				} finally {
+					spinner.stop();
+				}
+				printError(`Error: This will permanently delete resource '${res.slug}'. Run with --force to confirm.`);
+				process.exitCode = EXIT_CODES.GENERAL;
+				return;
+			}
+			const spinner = ora({
+				text: "Deleting resource...",
+				stream: process.stderr
+			}).start();
+			try {
+				await apiClient.delete(`resources/${id}`);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				deleted: true,
+				id
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	resource.addCommand(buildPlanCommand());
+	resource.addCommand(buildQuotaCommand());
+	return resource;
+}
+//#endregion
+//#region src/cli/coupon.ts
+function couponCommand() {
+	const coupon = new Command("coupon").description("Manage discount coupons for a resource");
+	coupon.command("create").description("Create a discount coupon for a resource").option("--resource-id <id>", "Resource ID (required)").option("--code <code>", "Coupon code (required, auto-uppercased)").option("--discount-type <type>", "Discount type: percent | fixed (required)").option("--discount-value <n>", "Discount amount (required)").option("--max-uses <n>", "Maximum number of uses").option("--expires-at <iso-date>", "Expiry date (ISO 8601)").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			const missing = [];
+			if (!opts.resourceId) missing.push("--resource-id");
+			if (!opts.code) missing.push("--code");
+			if (!opts.discountType) missing.push("--discount-type");
+			if (!opts.discountValue) missing.push("--discount-value");
+			if (missing.length > 0) {
+				printError(`Missing required flags: ${missing.join(", ")}`);
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const body = {
+				code: opts.code.toUpperCase(),
+				discount_type: opts.discountType,
+				discount_value: Number(opts.discountValue),
+				...opts.maxUses !== void 0 && { max_uses: Number(opts.maxUses) },
+				...opts.expiresAt !== void 0 && { expires_at: opts.expiresAt }
+			};
+			const spinner = ora({
+				text: "Creating coupon...",
+				stream: process.stderr
+			}).start();
+			let response;
+			try {
+				response = await apiClient.post(`resources/${resourceId}/coupons`, body);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				id: response.id,
+				code: response.code,
+				discount_type: response.discount_type,
+				discount_value: response.discount_value,
+				active: response.active
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	coupon.command("list").description("List coupons for a resource").option("--resource-id <id>", "Resource ID (required)").option("--json", "Output as JSON").action(async (opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.resourceId) {
+				printError("Missing required flag: --resource-id");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const spinner = ora({
+				text: "Loading coupons...",
+				stream: process.stderr
+			}).start();
+			let coupons;
+			try {
+				coupons = await apiClient.get(`resources/${resourceId}/coupons`);
+			} finally {
+				spinner.stop();
+			}
+			if (json || !process.stdout.isTTY) {
+				console.log(JSON.stringify(coupons));
+				return;
+			}
+			if (coupons.length === 0) {
+				console.log("No coupons for this resource. Run `mainlayer coupon create` to add one.");
+				return;
+			}
+			printTable([
+				"CODE",
+				"TYPE",
+				"VALUE",
+				"USES",
+				"MAX",
+				"EXPIRES"
+			], coupons.map((c) => [
+				c.code,
+				c.discount_type,
+				String(c.discount_value),
+				String(c.uses_count),
+				String(c.max_uses ?? "unlimited"),
+				c.expires_at ?? "-"
+			]));
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	coupon.command("delete <code>").description("Delete a coupon by code").option("--resource-id <id>", "Resource ID (required)").option("--force", "Confirm deletion without prompt").option("--json", "Output as JSON").action(async (rawCode, opts) => {
+		try {
+			const json = opts.json ?? false;
+			if (!opts.resourceId) {
+				printError("Missing required flag: --resource-id");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const resourceId = opts.resourceId;
+			const code = rawCode.toUpperCase();
+			if (!opts.force) {
+				printError(`Error: This will delete coupon '${code}'. Run with --force to confirm.`);
+				process.exitCode = EXIT_CODES.GENERAL;
+				return;
+			}
+			const spinner = ora({
+				text: "Deleting coupon...",
+				stream: process.stderr
+			}).start();
+			try {
+				await apiClient.delete(`resources/${resourceId}/coupons/${code}`);
+			} finally {
+				spinner.stop();
+			}
+			formatOutput({
+				deleted: true,
+				code
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+	return coupon;
+}
+//#endregion
+//#region src/cli/earnings.ts
+function expandPeriod(period) {
+	const to = /* @__PURE__ */ new Date();
+	const days = {
+		"7d": 7,
+		"30d": 30,
+		"90d": 90
+	}[period];
+	return {
+		from: (/* @__PURE__ */ new Date(to.getTime() - days * 864e5)).toISOString().slice(0, 10),
+		to: to.toISOString().slice(0, 10)
+	};
+}
+function earningsCommand() {
+	return new Command("earnings").description("View earnings summary").option("--period <period>", "Time period (7d, 30d, 90d)").option("--from <date>", "Start date (YYYY-MM-DD)").option("--to <date>", "End date (YYYY-MM-DD)").option("--resource-id <id>", "Filter by resource ID").option("--json", "Output as JSON").action(async (opts) => {
+		let fromDate;
+		let toDate;
+		if (opts.period) {
+			if (![
+				"7d",
+				"30d",
+				"90d"
+			].includes(opts.period)) {
+				printError("--period must be one of: 7d, 30d, 90d");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			const expanded = expandPeriod(opts.period);
+			fromDate = expanded.from;
+			toDate = expanded.to;
+		} else if (opts.from || opts.to) {
+			if (!opts.from || !opts.to) {
+				printError("Both --from and --to are required when using date range");
+				process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+				return;
+			}
+			fromDate = opts.from;
+			toDate = opts.to;
+		} else {
+			const expanded = expandPeriod("30d");
+			fromDate = expanded.from;
+			toDate = expanded.to;
+		}
+		const params = {
+			from: fromDate,
+			to: toDate
+		};
+		if (opts.resourceId) params["resource_id"] = opts.resourceId;
+		const spinner = ora({
+			text: "Loading earnings...",
+			stream: process.stderr
+		}).start();
+		let data;
+		try {
+			data = await apiClient.get("vendor/earnings", params);
+		} catch (err) {
+			spinner.stop();
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+			return;
+		} finally {
+			spinner.stop();
+		}
+		if ((opts.json ?? false) || !process.stdout.isTTY) {
+			console.log(JSON.stringify(data));
+			return;
+		}
+		formatOutput({
+			period: `${fromDate} to ${toDate}`,
+			total_calls: data.total_calls,
+			total_revenue: formatPrice(data.total_revenue_usdc),
+			unique_buyers: data.unique_buyers
+		}, { json: false });
+		if (data.daily.length > 0) {
+			console.log("");
+			printTable([
+				"DATE",
+				"CALLS",
+				"REVENUE"
+			], data.daily.map((d) => [
+				d.date,
+				String(d.calls),
+				formatPrice(d.revenue_usdc)
+			]));
+		}
+	});
+}
+//#endregion
+//#region src/cli/metrics.ts
+function metricsCommand() {
+	return new Command("metrics").description("View resource metrics").option("--resource-id <id>", "Resource ID (required)").option("--json", "Output as JSON").action(async (opts) => {
+		if (!opts.resourceId) {
+			printError("--resource-id is required");
+			process.exitCode = EXIT_CODES.VALIDATION_ERROR;
+			return;
+		}
+		const spinner = ora({
+			text: "Loading metrics...",
+			stream: process.stderr
+		}).start();
+		let data;
+		try {
+			data = await apiClient.get("vendor/metrics", { resource_id: opts.resourceId });
+		} catch (err) {
+			spinner.stop();
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+			return;
+		} finally {
+			spinner.stop();
+		}
+		if ((opts.json ?? false) || !process.stdout.isTTY) {
+			console.log(JSON.stringify(data));
+			return;
+		}
+		formatOutput({
+			resource_id: data.resource_id,
+			total_calls: data.total_calls,
+			total_revenue: formatPrice(data.total_revenue_usdc),
+			unique_buyers: data.unique_buyers,
+			quota_calls: data.quota_calls ?? "unlimited",
+			buyers_over_quota: data.buyers_over_quota ?? 0
+		}, { json: false });
+	});
+}
+//#endregion
+//#region src/cli/discover.ts
+function discoverCommand() {
+	return new Command("discover").description("Search discoverable resources on Mainlayer").option("--json", "Output as JSON").option("--query <text>", "Text search on slug and description").option("--fee-model <model>", "Filter by fee model (one_time, subscription, pay_per_call, hybrid)").option("--max-price <usdc>", "Maximum price in USDC (decimal or micro-units)").option("--type <type>", "Filter by resource type (api, file, endpoint, page)").option("--limit <n>", "Number of results (default: 20, max: 100)", "20").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const params = {};
+		const limit = Math.min(Math.max(parseInt(opts.limit, 10) || 20, 1), 100);
+		params["limit"] = String(limit);
+		if (opts.query) params["q"] = opts.query;
+		if (opts.feeModel) params["fee_model"] = opts.feeModel;
+		if (opts.maxPrice) params["max_price"] = String(parsePrice(opts.maxPrice));
+		if (opts.type) params["type"] = opts.type;
+		const spinner = ora({
+			text: "Searching resources...",
+			stream: process.stderr
+		}).start();
+		let items;
+		try {
+			items = await apiClient.get("resources/discover", params);
+		} finally {
+			spinner.stop();
+		}
+		if (json) {
+			console.log(JSON.stringify(items));
+			return;
+		}
+		if (items.length === 0) {
+			printSuccess("No resources found.");
+			return;
+		}
+		printTable([
+			"ID",
+			"SLUG",
+			"TYPE",
+			"PRICE",
+			"FEE MODEL"
+		], items.map((r) => [
+			truncate(r.id, 12),
+			truncate(r.slug, 24),
+			r.type,
+			formatPrice(r.price_usdc),
+			r.fee_model
+		]));
+	});
+}
+//#endregion
+//#region src/cli/buy.ts
+function buyCommand() {
+	return new Command("buy").description("Purchase a resource via X402 Solana USDC payment").argument("<resource-id>", "Resource ID to purchase").option("--json", "Output as JSON").option("--plan <name>", "Select pricing plan").option("--coupon <code>", "Apply discount coupon code").option("--chain <chain>", "Blockchain to use (solana, base, polygon)", "solana").action(async (resourceId, opts) => {
+		try {
+			const json = opts.json ?? !process.stdout.isTTY;
+			const passphrase = await getPassphrase();
+			const walletAddr = await walletService.getAddress();
+			const spinner = ora({
+				text: "Preparing transaction...",
+				stream: process.stderr
+			}).start();
+			let prepare;
+			try {
+				prepare = await apiClient.post("pay/prepare", {
+					resource_id: resourceId,
+					payer_wallet: walletAddr,
+					chain: opts.chain,
+					plan: opts.plan,
+					coupon_code: opts.coupon
+				});
+			} catch (err) {
+				spinner.stop();
+				if (err instanceof AppError && err.message.includes("plan_required")) throw new AppError("This resource requires a pricing plan. Re-run with --plan <name>. Use \"mainlayer discover\" to see available plans.", EXIT_CODES.VALIDATION_ERROR);
+				throw err;
+			}
+			spinner.stop();
+			if (process.stdout.isTTY && !json) {
+				const confirmed = await clack.confirm({ message: `Pay ${formatPrice(prepare.amount_usdc)} for resource ${resourceId}${opts.plan ? ` (plan: ${opts.plan})` : ""}?` });
+				if (!confirmed || clack.isCancel(confirmed)) {
+					process.exitCode = EXIT_CODES.GENERAL;
+					return;
+				}
+			}
+			const signSpinner = ora({
+				text: "Signing transaction...",
+				stream: process.stderr
+			}).start();
+			const signedTxB64 = await walletService.signTransaction(passphrase, prepare.unsigned_transaction);
+			signSpinner.stop();
+			const submitSpinner = ora({
+				text: "Submitting payment...",
+				stream: process.stderr
+			}).start();
+			let result;
+			try {
+				result = await apiClient.post("pay", {
+					resource_id: resourceId,
+					payer_wallet: walletAddr,
+					signed_transaction: signedTxB64,
+					chain: opts.chain,
+					plan: opts.plan,
+					coupon_code: opts.coupon
+				});
+			} catch (err) {
+				submitSpinner.stop();
+				if (err instanceof AppError && err.message.includes("tx_expired")) throw new AppError("Transaction expired (blockhash too old). Please try again.", EXIT_CODES.GENERAL);
+				throw err;
+			}
+			submitSpinner.stop();
+			formatOutput({
+				resource: result.resource_id,
+				amount: formatPrice(result.amount_usdc),
+				tx_hash: result.tx_hash,
+				entitlement_id: result.entitlement_id
+			}, { json });
+		} catch (err) {
+			if (err instanceof AppError) {
+				printError(err.message);
+				process.exitCode = err.exitCode;
+			} else throw err;
+		}
+	});
+}
+//#endregion
+//#region src/cli/entitlements.ts
+function entitlementsCommand() {
+	return new Command("entitlements").description("List your active entitlements (access rights)").option("--json", "Output as JSON").option("--resource-id <id>", "Filter by resource ID").option("--limit <n>", "Number of results (default: 20)", "20").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const params = { limit: opts.limit };
+		const spinner = ora({
+			text: "Fetching entitlements...",
+			stream: process.stderr
+		}).start();
+		let items;
+		try {
+			items = await apiClient.get("entitlements/my", params);
+		} finally {
+			spinner.stop();
+		}
+		if (opts.resourceId) items = items.filter((e) => e.resource_id === opts.resourceId);
+		if (json) {
+			console.log(JSON.stringify(items));
+			return;
+		}
+		if (items.length === 0) {
+			printSuccess("No entitlements found.");
+			return;
+		}
+		printTable([
+			"RESOURCE ID",
+			"SLUG",
+			"STATUS",
+			"EXPIRES",
+			"CREDITS"
+		], items.map((e) => [
+			truncate(e.resource_id, 12),
+			truncate(e.resource_slug, 24),
+			e.status,
+			e.expires_at ?? "never",
+			e.remaining_credits !== null ? String(e.remaining_credits) : "unlimited"
+		]));
+	});
+}
+//#endregion
+//#region src/cli/subscribe.ts
+const USDC_MINT = "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v";
+const TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
+const DEFAULT_SOLANA_NETWORK = "solana:mainnet";
+function approveSubcommand() {
+	return new Command("approve").description("Approve auto-renewal for a subscription resource").option("--json", "Output as JSON").requiredOption("--resource-id <id>", "Resource ID to subscribe to").option("--max-renewals <n>", "Max renewal cycles (1-12, default: 1)", "1").option("--plan <name>", "Select pricing plan").option("--chain <chain>", "Blockchain (solana, base, polygon)", "solana").option("--trial-days <n>", "Trial period in days (0-365)").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const maxRenewals = Math.min(Math.max(parseInt(opts.maxRenewals, 10) || 1, 1), 12);
+		const passphrase = await getPassphrase();
+		const walletAddr = await walletService.getAddress();
+		const [ata] = await findAssociatedTokenPda({
+			owner: address(walletAddr),
+			mint: address(USDC_MINT),
+			tokenProgram: address(TOKEN_PROGRAM)
+		});
+		const delegateTokenAccount = ata.toString();
+		const signedAt = (/* @__PURE__ */ new Date()).toISOString();
+		const network = process.env["MAINLAYER_SOLANA_NETWORK"] ?? DEFAULT_SOLANA_NETWORK;
+		const message = `approve:${opts.resourceId}:${maxRenewals}:${delegateTokenAccount}:${signedAt}:${network}`;
+		const spinner = ora({
+			text: "Signing approval...",
+			stream: process.stderr
+		}).start();
+		const signedApproval = await walletService.signMessage(passphrase, message);
+		spinner.stop();
+		const submitSpinner = ora({
+			text: "Submitting approval...",
+			stream: process.stderr
+		}).start();
+		const body = {
+			resource_id: opts.resourceId,
+			payer_wallet: walletAddr,
+			max_renewals: maxRenewals,
+			chain: opts.chain,
+			signed_approval: signedApproval,
+			delegate_token_account: delegateTokenAccount,
+			signed_at: signedAt
+		};
+		if (opts.plan) body["plan"] = opts.plan;
+		if (opts.trialDays !== void 0) body["trial_days"] = parseInt(opts.trialDays, 10);
+		let result;
+		try {
+			result = await apiClient.post("subscriptions/approve", body);
+		} finally {
+			submitSpinner.stop();
+		}
+		formatOutput({
+			approval_id: result.approval_id,
+			status: result.status,
+			max_renewals: result.max_renewals,
+			renewals_used: result.renewals_used
+		}, { json });
+	});
+}
+function pauseSubcommand() {
+	return new Command("pause").description("Pause a subscription").option("--json", "Output as JSON").requiredOption("--approval-id <id>", "Subscription approval ID").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const passphrase = await getPassphrase();
+		const walletAddr = await walletService.getAddress();
+		const message = `pause:${opts.approvalId}`;
+		const signedMessage = await walletService.signMessage(passphrase, message);
+		const spinner = ora({
+			text: "Pausing subscription...",
+			stream: process.stderr
+		}).start();
+		let result;
+		try {
+			result = await apiClient.post(`subscriptions/${opts.approvalId}/pause`, {
+				payer_wallet: walletAddr,
+				signed_message: signedMessage
+			});
+		} finally {
+			spinner.stop();
+		}
+		formatOutput({
+			approval_id: opts.approvalId,
+			status: result.status
+		}, { json });
+	});
+}
+function resumeSubcommand() {
+	return new Command("resume").description("Resume a paused subscription").option("--json", "Output as JSON").requiredOption("--approval-id <id>", "Subscription approval ID").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const passphrase = await getPassphrase();
+		const walletAddr = await walletService.getAddress();
+		const message = `resume:${opts.approvalId}`;
+		const signedMessage = await walletService.signMessage(passphrase, message);
+		const spinner = ora({
+			text: "Resuming subscription...",
+			stream: process.stderr
+		}).start();
+		let result;
+		try {
+			result = await apiClient.post(`subscriptions/${opts.approvalId}/resume`, {
+				payer_wallet: walletAddr,
+				signed_message: signedMessage
+			});
+		} finally {
+			spinner.stop();
+		}
+		formatOutput({
+			approval_id: opts.approvalId,
+			status: result.status
+		}, { json });
+	});
+}
+function cancelSubcommand() {
+	return new Command("cancel").description("Cancel a subscription").option("--json", "Output as JSON").requiredOption("--resource-id <id>", "Resource ID to cancel subscription for").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const passphrase = await getPassphrase();
+		const walletAddr = await walletService.getAddress();
+		const message = `cancel:${opts.resourceId}`;
+		const signedMessage = await walletService.signMessage(passphrase, message);
+		const spinner = ora({
+			text: "Cancelling subscription...",
+			stream: process.stderr
+		}).start();
+		let result;
+		try {
+			result = await apiClient.post("subscriptions/cancel", {
+				resource_id: opts.resourceId,
+				payer_wallet: walletAddr,
+				signed_message: signedMessage
+			});
+		} finally {
+			spinner.stop();
+		}
+		formatOutput({
+			resource_id: opts.resourceId,
+			status: result.status
+		}, { json });
+	});
+}
+function listSubcommand$2() {
+	return new Command("list").description("List your subscriptions (active only)").option("--json", "Output as JSON").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const walletAddr = await walletService.getAddress();
+		const spinner = ora({
+			text: "Fetching subscriptions...",
+			stream: process.stderr
+		}).start();
+		let items;
+		try {
+			items = await apiClient.get("subscriptions/my", { payer_wallet: walletAddr });
+		} finally {
+			spinner.stop();
+		}
+		if (json) {
+			console.log(JSON.stringify(items));
+			return;
+		}
+		if (items.length === 0) {
+			printSuccess("No active subscriptions found.");
+			return;
+		}
+		printTable([
+			"APPROVAL ID",
+			"RESOURCE",
+			"PLAN",
+			"RENEWALS",
+			"STATUS"
+		], items.map((s) => [
+			truncate(s.approval_id, 12),
+			truncate(s.resource_id, 12),
+			s.plan_name ?? "-",
+			`${s.renewals_used}/${s.max_renewals}`,
+			s.status
+		]));
+	});
+}
+function getSubcommand$1() {
+	return new Command("get").description("Get details of a single subscription").argument("<approval-id>", "Subscription approval ID").option("--json", "Output as JSON").action(async (approvalId, opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const walletAddr = await walletService.getAddress();
+		const spinner = ora({
+			text: "Fetching subscription...",
+			stream: process.stderr
+		}).start();
+		let items;
+		try {
+			items = await apiClient.get("subscriptions/my", { payer_wallet: walletAddr });
+		} finally {
+			spinner.stop();
+		}
+		const sub = items.find((s) => s.approval_id === approvalId);
+		if (!sub) throw new AppError(`Subscription ${approvalId} not found`, EXIT_CODES.NOT_FOUND);
+		formatOutput(sub, { json });
+	});
+}
+function subscribeCommand() {
+	return new Command("subscribe").description("Manage subscriptions").addCommand(approveSubcommand()).addCommand(pauseSubcommand()).addCommand(resumeSubcommand()).addCommand(cancelSubcommand()).addCommand(listSubcommand$2()).addCommand(getSubcommand$1());
+}
+//#endregion
+//#region src/cli/invoices.ts
+function listSubcommand$1() {
+	return new Command("list").description("List invoices for resources you own").option("--json", "Output as JSON").option("--limit <n>", "Number of results (default: 20)", "20").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const params = { limit: opts.limit };
+		const spinner = ora({
+			text: "Fetching invoices...",
+			stream: process.stderr
+		}).start();
+		let items;
+		try {
+			items = await apiClient.get("invoices", params);
+		} finally {
+			spinner.stop();
+		}
+		if (json) {
+			console.log(JSON.stringify(items));
+			return;
+		}
+		if (items.length === 0) {
+			printSuccess("No invoices found.");
+			return;
+		}
+		printTable([
+			"ID",
+			"RESOURCE",
+			"AMOUNT",
+			"STATUS",
+			"DATE"
+		], items.map((inv) => [
+			truncate(inv.id, 12),
+			truncate(inv.resource_id, 12),
+			formatPrice(inv.amount_usdc),
+			inv.status,
+			inv.created_at.split("T")[0] ?? inv.created_at
+		]));
+	});
+}
+function getSubcommand() {
+	return new Command("get").description("Get details of a single invoice").argument("<invoice-id>", "Invoice ID").option("--json", "Output as JSON").action(async (invoiceId, opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const spinner = ora({
+			text: "Fetching invoice...",
+			stream: process.stderr
+		}).start();
+		let invoice;
+		try {
+			invoice = await apiClient.get(`invoices/${invoiceId}`);
+		} finally {
+			spinner.stop();
+		}
+		formatOutput({
+			id: invoice.id,
+			resource_id: invoice.resource_id,
+			amount: formatPrice(invoice.amount_usdc),
+			status: invoice.status,
+			created_at: invoice.created_at
+		}, { json });
+	});
+}
+function invoicesCommand() {
+	return new Command("invoices").description("View invoices for resources you own").addCommand(listSubcommand$1()).addCommand(getSubcommand());
+}
+//#endregion
+//#region src/cli/refund.ts
+function requestSubcommand() {
+	return new Command("request").description("Request a refund for a payment (requires ownership of the associated resource)").option("--json", "Output as JSON").requiredOption("--payment-id <id>", "Payment ID to refund").requiredOption("--reason <text>", "Reason for refund").option("--amount <usdc>", "Refund amount in USDC (defaults to full payment amount)").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const body = {
+			payment_id: opts.paymentId,
+			reason: opts.reason
+		};
+		if (opts.amount) body["amount_usdc"] = parsePrice(opts.amount);
+		const spinner = ora({
+			text: "Submitting refund request...",
+			stream: process.stderr
+		}).start();
+		let result;
+		try {
+			result = await apiClient.post("refunds", body);
+		} finally {
+			spinner.stop();
+		}
+		formatOutput({
+			id: result.id,
+			payment_id: result.payment_id,
+			status: result.status
+		}, { json });
+	});
+}
+function refundCommand() {
+	return new Command("refund").description("Manage refunds").addCommand(requestSubcommand());
+}
+//#endregion
+//#region src/cli/dispute.ts
+function createSubcommand() {
+	return new Command("create").description("Create a dispute for a payment").option("--json", "Output as JSON").requiredOption("--payment-id <id>", "Payment ID to dispute").requiredOption("--reason <text>", "Reason for dispute").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const walletAddr = await walletService.getAddress();
+		const spinner = ora({
+			text: "Creating dispute...",
+			stream: process.stderr
+		}).start();
+		let result;
+		try {
+			result = await apiClient.post("disputes", {
+				payment_id: opts.paymentId,
+				reason: opts.reason,
+				payer_wallet: walletAddr
+			});
+		} finally {
+			spinner.stop();
+		}
+		formatOutput({
+			dispute_id: result.dispute_id,
+			payment_id: result.payment_id,
+			status: result.status,
+			reason: result.reason
+		}, { json });
+	});
+}
+function listSubcommand() {
+	return new Command("list").description("List disputes (for resources you own)").option("--json", "Output as JSON").option("--limit <n>", "Number of results (default: 20)", "20").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		const params = { limit: opts.limit };
+		const spinner = ora({
+			text: "Fetching disputes...",
+			stream: process.stderr
+		}).start();
+		let items;
+		try {
+			items = await apiClient.get("disputes", params);
+		} finally {
+			spinner.stop();
+		}
+		if (json) {
+			console.log(JSON.stringify(items));
+			return;
+		}
+		if (items.length === 0) {
+			printSuccess("No disputes found.");
+			return;
+		}
+		printTable([
+			"DISPUTE ID",
+			"PAYMENT ID",
+			"STATUS",
+			"REASON"
+		], items.map((d) => [
+			truncate(d.dispute_id, 12),
+			truncate(d.payment_id, 12),
+			d.status,
+			truncate(d.reason, 30)
+		]));
+	});
+}
+function disputeCommand() {
+	return new Command("dispute").description("Manage disputes").addCommand(createSubcommand()).addCommand(listSubcommand());
+}
+//#endregion
+//#region src/cli/setup.ts
+function setupCommand() {
+	return new Command("setup").description("Detect AI platforms and configure Mainlayer MCP server").option("--force", "Re-write MCP entries even if already configured").option("--json", "Output machine-readable JSON").action(async (opts) => {
+		const json = opts.json ?? !process.stdout.isTTY;
+		let spinner;
+		if (!json) spinner = ora({
+			text: "Detecting AI platforms...",
+			stream: process.stderr
+		}).start();
+		let results;
+		try {
+			results = await configurePlatforms({ force: opts.force ?? false });
+		} catch (err) {
+			if (spinner) spinner.fail("Platform detection failed");
+			printError(err instanceof Error ? err.message : String(err));
+			process.exitCode = 1;
+			return;
+		}
+		for (const result of results) {
+			if (!result.configured) continue;
+			const desc = PLATFORMS.find((p) => p.name === result.name);
+			if (!desc) continue;
+			try {
+				const dir = desc.skillsDir(homedir());
+				mkdirSync(dir, { recursive: true });
+				writeFileSync(join(dir, SKILLS_FILENAME), generateSkillsMd(), "utf8");
+				result.skillsDropped = true;
+			} catch {}
+		}
+		if (!json) {
+			if (spinner) spinner.stop();
+			for (const r of results) if (r.configured) process.stderr.write(chalk.green(`  \u2714 ${r.name}\n`));
+			else if (r.skipped) process.stderr.write(chalk.yellow(`  \u2139 ${r.name}: ${r.error ?? "skipped"}\n`));
+			else if (r.error) process.stderr.write(chalk.red(`  \u2718 ${r.name}: ${r.error}\n`));
+			else process.stderr.write(chalk.gray(`  \u2013 ${r.name} (not detected)\n`));
+			const configuredNames = results.filter((r) => r.configured).map((r) => r.name);
+			if (configuredNames.length > 0) printSuccess(`Configured MCP for: ${configuredNames.join(", ")}`);
+			else process.stderr.write("No AI platforms detected\n");
+		} else formatOutput({ platforms: results.map((r) => ({
+			name: r.name,
+			configured: r.configured,
+			skills_dropped: r.skillsDropped,
+			skipped: r.skipped,
+			error: r.error ?? null
+		})) }, { json: true });
+	});
+}
+//#endregion
+//#region src/utils/update-check.ts
+const CHECK_INTERVAL_MS = 1440 * 60 * 1e3;
+async function checkForUpdates() {
+	if (process.env["NO_UPDATE_NOTIFIER"]) return;
+	if (!process.stdout.isTTY) return;
+	try {
+		const lastCheck = configService.get("lastUpdateCheck");
+		if (lastCheck && Date.now() - parseInt(lastCheck, 10) < CHECK_INTERVAL_MS) return;
+		const current = process.env["npm_package_version"] ?? "0.0.0";
+		const latest = await latestVersion("@mainlayer/cli");
+		configService.set("lastUpdateCheck", String(Date.now()));
+		if (latest !== current) process.stderr.write(`\nUpdate available: ${current} -> ${latest}\nRun: npm i -g @mainlayer/cli\n\n`);
+	} catch {}
+}
+//#endregion
+//#region src/cli/index.ts
+const program = new Command("mainlayer").description("Mainlayer CLI — AI-native payment infrastructure").showSuggestionAfterError(true).version("0.1.0", "-v, --version").option("--json", "Output machine-readable JSON").option("--api-key <key>", "API key override (also: MAINLAYER_API_KEY env)", process.env["MAINLAYER_API_KEY"]).option("--profile <name>", "Use named profile for config/auth isolation", process.env["MAINLAYER_PROFILE"]).addCommand(authCommand()).addCommand(walletCommand()).addCommand(configCommand()).addCommand(webhookCommand()).addCommand(resourceCommand()).addCommand(couponCommand()).addCommand(earningsCommand()).addCommand(metricsCommand()).addCommand(discoverCommand()).addCommand(buyCommand()).addCommand(entitlementsCommand()).addCommand(subscribeCommand()).addCommand(invoicesCommand()).addCommand(refundCommand()).addCommand(disputeCommand()).addCommand(setupCommand());
+program.hook("preAction", () => {
+	const opts = program.opts();
+	if (opts.apiKey) apiClient.setApiKeyOverride(opts.apiKey);
+	const profile = opts.profile ?? configService.getActiveProfile();
+	if (profile !== "default") configService.setProfile(profile);
+	checkForUpdates().catch(() => {});
+});
+program.exitOverride();
+(async () => {
+	try {
+		await program.parseAsync(process.argv);
+	} catch (err) {
+		if (err instanceof AppError) {
+			if (process.argv.includes("--json") || !process.stdout.isTTY) console.log(JSON.stringify({
+				error: true,
+				message: err.message,
+				code: err.exitCode,
+				type: err.meta?.type ?? "error",
+				hint: err.meta?.hint ?? null
+			}));
+			else {
+				printError(err.message);
+				if (err.meta?.hint) process.stderr.write(chalk.yellow(err.meta.hint) + "\n");
+			}
+			process.exitCode = err.exitCode;
+		} else if (err instanceof Error && err.name === "CommanderError") {} else {
+			printError(String(err));
+			process.exitCode = 1;
+		}
+	}
+})();
+//#endregion
+export {};