@mandate.md/cli 0.1.0

package/dist/index.js

@@ -0,0 +1,493 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Cli } from "incur";
+
+// src/vars.ts
+import { z } from "incur";
+var cliVars = z.object({
+  client: z.custom(),
+  credentials: z.custom()
+});
+
+// src/middleware.ts
+import { middleware } from "incur";
+import { MandateClient } from "@mandate.md/sdk";
+
+// src/credentials.ts
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+function credentialsPath() {
+  return path.join(os.homedir(), ".mandate", "credentials.json");
+}
+function credentialsDir() {
+  return path.join(os.homedir(), ".mandate");
+}
+function loadCredentials() {
+  const p = credentialsPath();
+  if (!fs.existsSync(p)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(p, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function saveCredentials(creds) {
+  const dir = credentialsDir();
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  const p = credentialsPath();
+  fs.writeFileSync(p, JSON.stringify(creds, null, 2));
+  fs.chmodSync(p, 384);
+}
+function updateCredentials(partial) {
+  const existing = loadCredentials();
+  if (!existing) {
+    throw new Error("No existing credentials. Run: mandate login");
+  }
+  saveCredentials({ ...existing, ...partial });
+}
+
+// src/middleware.ts
+var requireAuth = middleware((c, next) => {
+  const creds = loadCredentials();
+  if (!creds?.runtimeKey) {
+    return c.error({ code: "NOT_AUTHENTICATED", message: "No credentials. Run: mandate login" });
+  }
+  c.set("client", new MandateClient({ runtimeKey: creds.runtimeKey, baseUrl: creds.baseUrl }));
+  c.set("credentials", creds);
+  return next();
+});
+
+// src/commands/login.ts
+import { z as z2 } from "incur";
+import { MandateClient as MandateClient2 } from "@mandate.md/sdk";
+var loginCommand = {
+  description: "Register a new agent and store credentials",
+  options: z2.object({
+    name: z2.string().describe("Agent name"),
+    address: z2.string().optional().describe("EVM address (0x...)"),
+    perTxLimit: z2.number().optional().describe("Per-transaction USD limit"),
+    dailyLimit: z2.number().optional().describe("Daily USD limit"),
+    baseUrl: z2.string().optional().describe("Mandate API base URL"),
+    chainId: z2.number().optional().describe("Chain ID (default: 84532)")
+  }),
+  alias: { perTxLimit: "p", dailyLimit: "d" },
+  examples: [
+    { options: { name: "MyAgent", address: "0x1234567890abcdef1234567890abcdef12345678" }, description: "Register with address" },
+    { options: { name: "MyAgent" }, description: "Register without address (set later via activate)" }
+  ],
+  async run(c) {
+    const { name, address, perTxLimit, dailyLimit, baseUrl, chainId } = c.options;
+    const defaultPolicy = {};
+    if (perTxLimit !== void 0) defaultPolicy.spendLimitPerTxUsd = perTxLimit;
+    if (dailyLimit !== void 0) defaultPolicy.spendLimitPerDayUsd = dailyLimit;
+    const result = await MandateClient2.register({
+      name,
+      evmAddress: address ?? "0x0000000000000000000000000000000000000000",
+      chainId: chainId ?? 84532,
+      defaultPolicy: Object.keys(defaultPolicy).length ? defaultPolicy : void 0,
+      baseUrl
+    });
+    saveCredentials({
+      runtimeKey: result.runtimeKey,
+      agentId: result.agentId,
+      claimUrl: result.claimUrl,
+      evmAddress: result.evmAddress,
+      chainId: result.chainId,
+      baseUrl
+    });
+    const masked = result.runtimeKey.slice(0, 14) + "..." + result.runtimeKey.slice(-3);
+    return {
+      agentId: result.agentId,
+      runtimeKey: masked,
+      claimUrl: result.claimUrl,
+      evmAddress: result.evmAddress || void 0,
+      next: "Run: mandate whoami (verify) or mandate validate (first tx)"
+    };
+  }
+};
+
+// src/commands/activate.ts
+import { z as z3 } from "incur";
+var activateCommand = {
+  description: "Set EVM address after registration",
+  args: z3.object({
+    address: z3.string().describe("EVM address (0x...)")
+  }),
+  examples: [
+    { args: { address: "0x1234567890abcdef1234567890abcdef12345678" }, description: "Set wallet address" }
+  ],
+  async run(c) {
+    const { address } = c.args;
+    const client = c.var.client;
+    const res = await fetch(`${c.var.credentials.baseUrl ?? "https://app.mandate.md"}/api/activate`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${c.var.credentials.runtimeKey}`
+      },
+      body: JSON.stringify({ evmAddress: address })
+    });
+    if (!res.ok) {
+      const data2 = await res.json().catch(() => ({}));
+      return c.error({ code: "ACTIVATE_FAILED", message: data2.message ?? "Activation failed" });
+    }
+    const data = await res.json();
+    updateCredentials({ evmAddress: data.evmAddress });
+    return {
+      activated: true,
+      evmAddress: data.evmAddress,
+      onboardingUrl: data.onboardingUrl,
+      next: "Run: mandate validate (start validating transactions)"
+    };
+  }
+};
+
+// src/commands/whoami.ts
+var whoamiCommand = {
+  description: "Verify credentials and show agent info",
+  async run(c) {
+    const creds = c.var.credentials;
+    const masked = creds.runtimeKey.slice(0, 14) + "..." + creds.runtimeKey.slice(-3);
+    return {
+      agentId: creds.agentId,
+      evmAddress: creds.evmAddress ?? "not set",
+      chainId: creds.chainId ?? 84532,
+      keyPrefix: masked,
+      baseUrl: creds.baseUrl ?? "https://app.mandate.md"
+    };
+  }
+};
+
+// src/commands/validate.ts
+import { z as z4 } from "incur";
+import { computeIntentHash } from "@mandate.md/sdk";
+import { PolicyBlockedError, RiskBlockedError, ApprovalRequiredError } from "@mandate.md/sdk";
+var validateCommand = {
+  description: "Policy-check a transaction (computes intentHash automatically)",
+  options: z4.object({
+    to: z4.string().describe("Recipient address (0x...)"),
+    calldata: z4.string().optional().describe("Transaction calldata (default: 0x)"),
+    valueWei: z4.string().optional().describe("Value in wei (default: 0)"),
+    nonce: z4.number().describe("Transaction nonce"),
+    gasLimit: z4.string().describe("Gas limit"),
+    maxFeePerGas: z4.string().describe("Max fee per gas (wei)"),
+    maxPriorityFeePerGas: z4.string().describe("Max priority fee per gas (wei)"),
+    chainId: z4.number().optional().describe("Chain ID (default from credentials)"),
+    txType: z4.number().optional().describe("Transaction type (default: 2)"),
+    accessList: z4.string().optional().describe("Access list JSON string"),
+    reason: z4.string().describe("Why this transaction is being sent")
+  }),
+  examples: [
+    {
+      options: {
+        to: "0x036CbD53842c5426634e7929541eC2318f3dCF7e",
+        calldata: "0xa9059cbb000000000000000000000000",
+        nonce: 42,
+        gasLimit: "90000",
+        maxFeePerGas: "1000000000",
+        maxPriorityFeePerGas: "1000000000",
+        reason: "Invoice #127 from Alice"
+      },
+      description: "Validate an ERC20 transfer"
+    }
+  ],
+  async run(c) {
+    const client = c.var.client;
+    const creds = c.var.credentials;
+    const opts = c.options;
+    const chainId = opts.chainId ?? creds.chainId ?? 84532;
+    const calldata = opts.calldata ?? "0x";
+    const valueWei = opts.valueWei ?? "0";
+    const txType = opts.txType ?? 2;
+    const accessList = opts.accessList ? JSON.parse(opts.accessList) : [];
+    const intentHash = computeIntentHash({
+      chainId,
+      nonce: opts.nonce,
+      to: opts.to,
+      calldata,
+      valueWei,
+      gasLimit: opts.gasLimit,
+      maxFeePerGas: opts.maxFeePerGas,
+      maxPriorityFeePerGas: opts.maxPriorityFeePerGas,
+      txType,
+      accessList
+    });
+    try {
+      const result = await client.validate({
+        chainId,
+        nonce: opts.nonce,
+        to: opts.to,
+        calldata,
+        valueWei,
+        gasLimit: opts.gasLimit,
+        maxFeePerGas: opts.maxFeePerGas,
+        maxPriorityFeePerGas: opts.maxPriorityFeePerGas,
+        txType,
+        accessList,
+        intentHash,
+        reason: opts.reason
+      });
+      return {
+        ok: true,
+        intentId: result.intentId,
+        feedback: "\u2705 Mandate: policy check passed",
+        next: `Run: mandate event ${result.intentId} --tx-hash 0x...`
+      };
+    } catch (err) {
+      if (err instanceof PolicyBlockedError || err instanceof RiskBlockedError) {
+        return {
+          error: "POLICY_BLOCKED",
+          message: `\u{1F6AB} Mandate: blocked \u2014 ${err.message}`,
+          blockReason: err.blockReason
+        };
+      }
+      if (err instanceof ApprovalRequiredError) {
+        return {
+          ok: true,
+          requiresApproval: true,
+          intentId: err.intentId,
+          feedback: "\u23F3 Mandate: approval required \u2014 waiting for owner decision",
+          next: `Run: mandate approve ${err.intentId}`
+        };
+      }
+      throw err;
+    }
+  }
+};
+
+// src/commands/transfer.ts
+import { z as z5 } from "incur";
+import { encodeFunctionData, parseAbi } from "viem";
+import { computeIntentHash as computeIntentHash2 } from "@mandate.md/sdk";
+import { PolicyBlockedError as PolicyBlockedError2, RiskBlockedError as RiskBlockedError2, ApprovalRequiredError as ApprovalRequiredError2 } from "@mandate.md/sdk";
+var erc20Abi = parseAbi(["function transfer(address to, uint256 amount) returns (bool)"]);
+var transferCommand = {
+  description: "ERC20 transfer with automatic calldata encoding and validation",
+  options: z5.object({
+    to: z5.string().describe("Recipient address (0x...)"),
+    amount: z5.string().describe("Amount in raw token units"),
+    token: z5.string().describe("ERC20 token contract address (0x...)"),
+    reason: z5.string().describe("Why this transfer is being sent"),
+    chainId: z5.number().optional().describe("Chain ID (default from credentials)"),
+    nonce: z5.number().describe("Transaction nonce"),
+    gasLimit: z5.string().optional().describe("Gas limit (default: 65000)"),
+    maxFeePerGas: z5.string().describe("Max fee per gas (wei)"),
+    maxPriorityFeePerGas: z5.string().describe("Max priority fee per gas (wei)")
+  }),
+  examples: [
+    {
+      options: {
+        to: "0xAlice",
+        amount: "10000000",
+        token: "0x036CbD53842c5426634e7929541eC2318f3dCF7e",
+        reason: "Invoice #127",
+        nonce: 42,
+        maxFeePerGas: "1000000000",
+        maxPriorityFeePerGas: "1000000000"
+      },
+      description: "Transfer 10 USDC"
+    }
+  ],
+  async run(c) {
+    const client = c.var.client;
+    const creds = c.var.credentials;
+    const opts = c.options;
+    const chainId = opts.chainId ?? creds.chainId ?? 84532;
+    const gasLimit = opts.gasLimit ?? "65000";
+    const calldata = encodeFunctionData({
+      abi: erc20Abi,
+      functionName: "transfer",
+      args: [opts.to, BigInt(opts.amount)]
+    });
+    const intentHash = computeIntentHash2({
+      chainId,
+      nonce: opts.nonce,
+      to: opts.token,
+      calldata,
+      valueWei: "0",
+      gasLimit,
+      maxFeePerGas: opts.maxFeePerGas,
+      maxPriorityFeePerGas: opts.maxPriorityFeePerGas
+    });
+    try {
+      const result = await client.validate({
+        chainId,
+        nonce: opts.nonce,
+        to: opts.token,
+        calldata,
+        valueWei: "0",
+        gasLimit,
+        maxFeePerGas: opts.maxFeePerGas,
+        maxPriorityFeePerGas: opts.maxPriorityFeePerGas,
+        intentHash,
+        reason: opts.reason
+      });
+      return {
+        ok: true,
+        intentId: result.intentId,
+        feedback: "\u2705 Mandate: policy check passed",
+        unsignedTx: {
+          to: opts.token,
+          calldata,
+          value: "0",
+          gasLimit,
+          maxFeePerGas: opts.maxFeePerGas,
+          maxPriorityFeePerGas: opts.maxPriorityFeePerGas,
+          nonce: opts.nonce,
+          chainId
+        },
+        next: `Run: mandate event ${result.intentId} --tx-hash 0x...`
+      };
+    } catch (err) {
+      if (err instanceof PolicyBlockedError2 || err instanceof RiskBlockedError2) {
+        return {
+          error: "POLICY_BLOCKED",
+          message: `\u{1F6AB} Mandate: blocked \u2014 ${err.message}`,
+          blockReason: err.blockReason
+        };
+      }
+      if (err instanceof ApprovalRequiredError2) {
+        return {
+          ok: true,
+          requiresApproval: true,
+          intentId: err.intentId,
+          feedback: "\u23F3 Mandate: approval required \u2014 waiting for owner decision",
+          next: `Run: mandate approve ${err.intentId}`
+        };
+      }
+      throw err;
+    }
+  }
+};
+
+// src/commands/event.ts
+import { z as z6 } from "incur";
+var eventCommand = {
+  description: "Post txHash after signing and broadcasting",
+  args: z6.object({
+    intentId: z6.string().describe("Intent ID from validate")
+  }),
+  options: z6.object({
+    txHash: z6.string().describe("Transaction hash (0x...)")
+  }),
+  examples: [
+    { args: { intentId: "uuid-1" }, options: { txHash: "0xabc123" }, description: "Post transaction hash" }
+  ],
+  async run(c) {
+    const client = c.var.client;
+    await client.postEvent(c.args.intentId, c.options.txHash);
+    return {
+      posted: true,
+      intentId: c.args.intentId,
+      next: `Run: mandate status ${c.args.intentId}`
+    };
+  }
+};
+
+// src/commands/status.ts
+import { z as z7 } from "incur";
+var CTA = {
+  reserved: "Run: mandate event <intentId> --tx-hash 0x...",
+  approval_pending: "Run: mandate approve <intentId>",
+  broadcasted: "Run: mandate status <intentId> (poll again)"
+};
+var statusCommand = {
+  description: "Check intent state",
+  args: z7.object({
+    intentId: z7.string().describe("Intent ID")
+  }),
+  examples: [
+    { args: { intentId: "uuid-1" }, description: "Check status of an intent" }
+  ],
+  async run(c) {
+    const client = c.var.client;
+    const status = await client.getStatus(c.args.intentId);
+    const result = { ...status };
+    const cta = CTA[status.status];
+    if (cta) result.next = cta;
+    return result;
+  }
+};
+
+// src/commands/approve.ts
+import { z as z8 } from "incur";
+var approveCommand = {
+  description: "Wait for owner approval on a pending intent",
+  args: z8.object({
+    intentId: z8.string().describe("Intent ID awaiting approval")
+  }),
+  options: z8.object({
+    timeout: z8.number().optional().describe("Timeout in seconds (default: 3600)")
+  }),
+  examples: [
+    { args: { intentId: "uuid-1" }, description: "Wait for approval" }
+  ],
+  async run(c) {
+    const client = c.var.client;
+    const timeoutMs = (c.options.timeout ?? 3600) * 1e3;
+    const status = await client.waitForApproval(c.args.intentId, {
+      timeoutMs,
+      onPoll: () => {
+      }
+    });
+    if (status.status === "approved" || status.status === "confirmed") {
+      return {
+        status: "approved",
+        intentId: c.args.intentId,
+        feedback: "\u2705 Approved \u2014 ready to broadcast",
+        next: `Run: mandate event ${c.args.intentId} --tx-hash 0x...`
+      };
+    }
+    return {
+      status: status.status,
+      intentId: c.args.intentId,
+      feedback: `Intent ended with status: ${status.status}`
+    };
+  }
+};
+
+// src/index.ts
+var cli = Cli.create("mandate", {
+  version: "0.1.0",
+  description: "Non-custodial agent wallet policy layer. Validate transactions against spend limits, allowlists, and approval workflows \u2014 without ever touching private keys.",
+  vars: cliVars,
+  sync: {
+    suggestions: [
+      "register a new agent with mandate login",
+      "validate a transaction before signing",
+      "check intent status after broadcasting"
+    ]
+  }
+}).command("login", {
+  ...loginCommand
+}).command("activate", {
+  ...activateCommand,
+  middleware: [requireAuth]
+}).command("whoami", {
+  ...whoamiCommand,
+  middleware: [requireAuth]
+}).command("validate", {
+  ...validateCommand,
+  middleware: [requireAuth]
+}).command("transfer", {
+  ...transferCommand,
+  middleware: [requireAuth]
+}).command("event", {
+  ...eventCommand,
+  middleware: [requireAuth]
+}).command("status", {
+  ...statusCommand,
+  middleware: [requireAuth]
+}).command("approve", {
+  ...approveCommand,
+  middleware: [requireAuth]
+});
+cli.serve();
+var index_default = cli;
+export {
+  index_default as default
+};

package/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "@mandate.md/cli",
+  "version": "0.1.0",
+  "type": "module",
+  "bin": { "mandate": "./dist/index.js" },
+  "exports": { ".": { "import": "./dist/index.js" } },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "@mandate.md/sdk": "workspace:*",
+    "viem": "^2.0.0",
+    "incur": "^0.3.4"
+  },
+  "devDependencies": {
+    "tsup": "^8.0.0",
+    "typescript": "^5.0.0",
+    "vitest": "^2.0.0"
+  }
+}

package/src/__tests__/credentials.test.ts

@@ -0,0 +1,83 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { loadCredentials, saveCredentials, updateCredentials } from '../credentials.js';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+
+vi.mock('node:fs');
+vi.mock('node:os');
+
+const CREDS_DIR = '/home/test/.mandate';
+const CREDS_PATH = '/home/test/.mandate/credentials.json';
+
+beforeEach(() => {
+  vi.mocked(os.homedir).mockReturnValue('/home/test');
+});
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+describe('loadCredentials', () => {
+  it('returns null when file does not exist', () => {
+    vi.mocked(fs.existsSync).mockReturnValue(false);
+    expect(loadCredentials()).toBeNull();
+  });
+
+  it('returns parsed credentials when file exists', () => {
+    const creds = { runtimeKey: 'mndt_test_abc', agentId: 'uuid-1', claimUrl: 'http://x' };
+    vi.mocked(fs.existsSync).mockReturnValue(true);
+    vi.mocked(fs.readFileSync).mockReturnValue(JSON.stringify(creds));
+
+    const result = loadCredentials();
+    expect(result).toEqual(creds);
+    expect(fs.readFileSync).toHaveBeenCalledWith(CREDS_PATH, 'utf-8');
+  });
+
+  it('returns null on parse error', () => {
+    vi.mocked(fs.existsSync).mockReturnValue(true);
+    vi.mocked(fs.readFileSync).mockReturnValue('not json');
+
+    expect(loadCredentials()).toBeNull();
+  });
+});
+
+describe('saveCredentials', () => {
+  it('creates directory and writes file with chmod 600', () => {
+    vi.mocked(fs.existsSync).mockReturnValue(false);
+    vi.mocked(fs.mkdirSync).mockReturnValue(undefined);
+    vi.mocked(fs.writeFileSync).mockReturnValue(undefined);
+    vi.mocked(fs.chmodSync).mockReturnValue(undefined);
+
+    const creds = { runtimeKey: 'mndt_test_abc', agentId: 'uuid-1', claimUrl: 'http://x' };
+    saveCredentials(creds);
+
+    expect(fs.mkdirSync).toHaveBeenCalledWith(CREDS_DIR, { recursive: true });
+    expect(fs.writeFileSync).toHaveBeenCalledWith(CREDS_PATH, JSON.stringify(creds, null, 2));
+    expect(fs.chmodSync).toHaveBeenCalledWith(CREDS_PATH, 0o600);
+  });
+});
+
+describe('updateCredentials', () => {
+  it('merges partial into existing credentials', () => {
+    const existing = { runtimeKey: 'mndt_test_abc', agentId: 'uuid-1', claimUrl: 'http://x' };
+    vi.mocked(fs.existsSync).mockReturnValue(true);
+    vi.mocked(fs.readFileSync).mockReturnValue(JSON.stringify(existing));
+    vi.mocked(fs.writeFileSync).mockReturnValue(undefined);
+    vi.mocked(fs.chmodSync).mockReturnValue(undefined);
+    vi.mocked(fs.mkdirSync).mockReturnValue(undefined);
+    vi.mocked(os.homedir).mockReturnValue('/home/test');
+
+    updateCredentials({ evmAddress: '0xabc' });
+
+    const written = JSON.parse(vi.mocked(fs.writeFileSync).mock.calls[0][1] as string);
+    expect(written.runtimeKey).toBe('mndt_test_abc');
+    expect(written.evmAddress).toBe('0xabc');
+  });
+
+  it('throws when no existing credentials', () => {
+    vi.mocked(fs.existsSync).mockReturnValue(false);
+
+    expect(() => updateCredentials({ evmAddress: '0xabc' })).toThrow();
+  });
+});

package/src/__tests__/event.test.ts

@@ -0,0 +1,73 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+vi.mock('node:fs');
+vi.mock('node:os');
+
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+
+const CREDS = {
+  runtimeKey: 'mndt_test_abc123',
+  agentId: 'uuid-1',
+  claimUrl: 'http://x',
+  chainId: 84532,
+};
+
+beforeEach(() => {
+  vi.restoreAllMocks();
+  vi.mocked(os.homedir).mockReturnValue('/home/test');
+  vi.mocked(fs.existsSync).mockReturnValue(true);
+  vi.mocked(fs.readFileSync).mockReturnValue(JSON.stringify(CREDS));
+});
+
+describe('mandate event', () => {
+  it('posts txHash and returns success', async () => {
+    vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ status: 'broadcasted' }),
+    }));
+
+    const { default: cli } = await import('../index.js');
+
+    let output = '';
+    await cli.serve(['event', 'intent-1', '--tx-hash', '0xdeadbeef'], {
+      stdout(s: string) { output += s; },
+      exit() {},
+    });
+
+    expect(output).toContain('posted');
+    expect(output).toContain('true');
+    expect(output).toContain('intent-1');
+    expect(output).toContain('mandate status');
+
+    vi.unstubAllGlobals();
+  });
+
+  it('sends correct POST request', async () => {
+    const fetchSpy = vi.fn().mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ status: 'broadcasted' }),
+    });
+    vi.stubGlobal('fetch', fetchSpy);
+
+    const { default: cli } = await import('../index.js');
+
+    await cli.serve(['event', 'intent-1', '--tx-hash', '0xdeadbeef'], {
+      stdout() {},
+      exit() {},
+    });
+
+    // Verify the POST to /api/intents/intent-1/events
+    expect(fetchSpy).toHaveBeenCalledWith(
+      expect.stringContaining('/api/intents/intent-1/events'),
+      expect.objectContaining({ method: 'POST' }),
+    );
+
+    const body = JSON.parse(fetchSpy.mock.calls[0][1].body);
+    expect(body.txHash).toBe('0xdeadbeef');
+
+    vi.unstubAllGlobals();
+  });
+});