@openfort/cli 0.1.0

package/dist/cli.js

@@ -0,0 +1,2886 @@
+import {
+  CREDENTIALS_PATH,
+  ensureConfigDir
+} from "./chunk-SZO4OB6U.js";
+
+// src/cli.ts
+import { Cli as Cli12, z as z14, Errors as Errors4 } from "incur";
+import Openfort from "@openfort/openfort-node";
+
+// src/vars.ts
+import { z } from "incur";
+var varsSchema = z.object({
+  openfort: z.custom()
+});
+
+// src/constants.ts
+var API_BASE_URL = process.env.OPENFORT_BASE_URL || "https://api.openfort.io";
+var OPENFORT_SHIELD_URL = process.env.OPENFORT_SHIELD_URL || "https://shield.openfort.io";
+var AUTH_PAGE_URL = process.env.OPENFORT_AUTH_PAGE_URL || "https://dashboard.openfort.io";
+var CLI_CALLBACK_PORT = Number(process.env.OPENFORT_CLI_CALLBACK_PORT) || 8271;
+
+// src/commands/login.ts
+import { randomBytes } from "crypto";
+import { createServer } from "http";
+import { z as z2 } from "incur";
+
+// src/env.ts
+import { readFileSync, writeFileSync, existsSync } from "fs";
+function loadEnvFile(envPath) {
+  const entries = /* @__PURE__ */ new Map();
+  if (!existsSync(envPath)) return entries;
+  const content = readFileSync(envPath, "utf-8");
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = trimmed.slice(0, eqIndex).trim();
+    const value = trimmed.slice(eqIndex + 1).trim();
+    entries.set(key, value);
+  }
+  return entries;
+}
+function writeEnvKey(envPath, key, value) {
+  const entries = loadEnvFile(envPath);
+  entries.set(key, value);
+  const lines = [];
+  for (const [k, v] of entries) {
+    lines.push(`${k}=${v}`);
+  }
+  writeFileSync(envPath, `${lines.join("\n")}
+`);
+}
+
+// src/commands/login.ts
+function base64url(buffer) {
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generateState() {
+  return base64url(randomBytes(16));
+}
+function callbackPage(title, description, variant = "success") {
+  const iconColor = variant === "success" ? "hsl(142 71% 45%)" : "hsl(0 84% 60%)";
+  const icon = variant === "success" ? `<svg width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="${iconColor}" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/><polyline points="22 4 12 14.01 9 11.01"/></svg>` : `<svg width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="${iconColor}" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"/><line x1="15" y1="9" x2="9" y2="15"/><line x1="9" y1="9" x2="15" y2="15"/></svg>`;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${title} - Openfort CLI</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    :root {
+      --background: hsl(0 0% 100%);
+      --foreground: hsl(20 14.3% 4.1%);
+      --card: hsl(0 0% 100%);
+      --card-foreground: hsl(20 14.3% 4.1%);
+      --border: hsl(20 5.9% 90%);
+      --muted-foreground: hsl(25 5.3% 44.7%);
+      --radius: 0.3rem;
+    }
+    @media (prefers-color-scheme: dark) {
+      :root {
+        --background: hsl(20 14.3% 4.1%);
+        --foreground: hsl(60 9.1% 97.8%);
+        --card: hsl(20 14.3% 4.1%);
+        --card-foreground: hsl(60 9.1% 97.8%);
+        --border: hsl(12 6.5% 15.1%);
+        --muted-foreground: hsl(24 5.4% 63.9%);
+      }
+    }
+    body {
+      font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
+      background-color: var(--background);
+      color: var(--foreground);
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      min-height: 100vh;
+      padding: 1rem;
+    }
+    .card {
+      background-color: var(--card);
+      color: var(--card-foreground);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+      width: 100%;
+      max-width: 28rem;
+      box-shadow: 0 1px 3px 0 rgb(0 0 0 / 0.1), 0 1px 2px -1px rgb(0 0 0 / 0.1);
+    }
+    .card-header {
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      gap: 0.5rem;
+      padding: 1.5rem;
+      text-align: center;
+    }
+    .card-icon { margin-bottom: 0.5rem; }
+    .card-title {
+      font-size: 1.5rem;
+      font-weight: 600;
+      line-height: 1.2;
+      letter-spacing: -0.025em;
+    }
+    .card-description {
+      font-size: 0.875rem;
+      color: var(--muted-foreground);
+      line-height: 1.5;
+    }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="card-header">
+      <div class="card-icon">${icon}</div>
+      <h1 class="card-title">${title}</h1>
+      <p class="card-description">${description}</p>
+    </div>
+  </div>
+</body>
+</html>`;
+}
+function waitForCallback(port, state) {
+  return new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      server.close();
+      reject(new Error("Login timed out after 5 minutes. Please try again."));
+    }, 5 * 60 * 1e3);
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost:${port}`);
+      if (url.pathname === "/callback") {
+        const apiKey = url.searchParams.get("api_key");
+        const publishableKey = url.searchParams.get("publishable_key");
+        const projectId = url.searchParams.get("project_id");
+        const project = url.searchParams.get("project");
+        const returnedState = url.searchParams.get("state");
+        const error = url.searchParams.get("error");
+        const errorDescription = url.searchParams.get("error_description");
+        if (error) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(callbackPage("Login failed", "Something went wrong. You can close this window.", "error"));
+          clearTimeout(timeout);
+          server.close();
+          reject(new Error(errorDescription || error));
+          return;
+        }
+        if (!apiKey || returnedState !== state) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end(callbackPage("Invalid callback", "Missing API key or state mismatch. Please try logging in again.", "error"));
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(callbackPage("Login successful!", "You can close this window and return to your terminal."));
+        clearTimeout(timeout);
+        server.close();
+        resolve({ apiKey, publishableKey: publishableKey || void 0, projectId: projectId || void 0, project: project || "unknown" });
+      } else {
+        res.writeHead(404);
+        res.end();
+      }
+    });
+    server.listen(port);
+  });
+}
+var loginConfig = {
+  description: "Log in to Openfort via browser and save your API key.",
+  output: z2.object({
+    apiKey: z2.string().describe("The API key saved to credentials"),
+    project: z2.string().describe("The project name"),
+    credentialsPath: z2.string().describe("Path to the credentials file")
+  }),
+  async run(c) {
+    const state = generateState();
+    const port = CLI_CALLBACK_PORT;
+    const redirectUri = `http://localhost:${port}/callback`;
+    const authUrl = new URL(`${AUTH_PAGE_URL}/oauth/consent`);
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("state", state);
+    console.log("\nOpen this URL in your browser to log in:\n");
+    console.log(`  ${authUrl.toString()}
+`);
+    console.log("Waiting for authentication...\n");
+    const { apiKey, publishableKey, projectId, project } = await waitForCallback(port, state);
+    ensureConfigDir();
+    writeEnvKey(CREDENTIALS_PATH, "OPENFORT_API_KEY", apiKey);
+    if (publishableKey) {
+      writeEnvKey(CREDENTIALS_PATH, "OPENFORT_PUBLISHABLE_KEY", publishableKey);
+    }
+    if (projectId) {
+      writeEnvKey(CREDENTIALS_PATH, "OPENFORT_PROJECT_ID", projectId);
+    }
+    console.log(`Saved API key for project "${project}" to ${CREDENTIALS_PATH}`);
+    return c.ok(
+      { apiKey, project, credentialsPath: CREDENTIALS_PATH },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `wallet-keys create`, description: "Create and save wallet keys necessary for backend wallet creation" }
+          ]
+        }
+      }
+    );
+  }
+};
+
+// src/commands/accounts.ts
+import { Cli, z as z3, Errors } from "incur";
+function requireWalletCredentials() {
+  const missing = [];
+  if (!process.env.OPENFORT_WALLET_SECRET) missing.push("OPENFORT_WALLET_SECRET");
+  if (!process.env.OPENFORT_PUBLISHABLE_KEY) missing.push("OPENFORT_PUBLISHABLE_KEY");
+  if (missing.length > 0) {
+    throw new Errors.IncurError({
+      code: "MISSING_CREDENTIALS",
+      message: `Missing required credentials: ${missing.join(", ")}`,
+      hint: "Run: openfort wallet-keys create"
+    });
+  }
+}
+var evm = Cli.create("evm", {
+  description: "EVM wallet management.",
+  vars: varsSchema
+});
+evm.command("create", {
+  description: "Create a new EVM backend wallet.",
+  examples: [
+    { description: "Create a new EVM wallet" }
+  ],
+  output: z3.object({
+    id: z3.string().describe("Account ID"),
+    address: z3.string().describe("Wallet address"),
+    custody: z3.string().describe("Custody type")
+  }),
+  async run(c) {
+    requireWalletCredentials();
+    const account = await c.var.openfort.accounts.evm.backend.create();
+    return c.ok(
+      { id: account.id, address: account.address, custody: account.custody },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `accounts evm get ${account.id}`, description: "View this account" },
+            { command: "policies create", description: "Create an access policy" }
+          ]
+        }
+      }
+    );
+  }
+});
+evm.command("list", {
+  description: "List EVM backend wallets.",
+  options: z3.object({
+    limit: z3.number().optional().describe("Max results"),
+    skip: z3.number().optional().describe("Offset")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all EVM backend wallets" },
+    { options: { limit: 5 }, description: "Show first 5 wallets" }
+  ],
+  output: z3.object({
+    accounts: z3.array(z3.object({
+      id: z3.string(),
+      address: z3.string(),
+      custody: z3.string()
+    })),
+    total: z3.number().optional()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.accounts.evm.backend.list({
+      limit: c.options.limit,
+      skip: c.options.skip
+    });
+    return c.ok({
+      accounts: res.accounts.map((a) => ({
+        id: a.id,
+        address: a.address,
+        custody: a.custody
+      })),
+      total: res.total
+    });
+  }
+});
+evm.command("list-delegated", {
+  description: "List EVM delegated accounts.",
+  options: z3.object({
+    limit: z3.number().optional().describe("Max results"),
+    skip: z3.number().optional().describe("Offset")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all EVM delegated accounts" },
+    { options: { limit: 5 }, description: "Show first 5 accounts" }
+  ],
+  output: z3.object({
+    accounts: z3.array(z3.object({
+      id: z3.string(),
+      address: z3.string(),
+      custody: z3.string()
+    })),
+    total: z3.number().optional()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.accounts.evm.list({
+      accountType: "Delegated Account",
+      limit: c.options.limit,
+      skip: c.options.skip
+    });
+    return c.ok({
+      accounts: res.data.map((a) => ({
+        id: a.id,
+        address: a.address,
+        custody: a.custody
+      })),
+      total: res.total
+    });
+  }
+});
+evm.command("list-smart", {
+  description: "List EVM smart accounts.",
+  options: z3.object({
+    limit: z3.number().optional().describe("Max results"),
+    skip: z3.number().optional().describe("Offset")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all EVM smart accounts" },
+    { options: { limit: 5 }, description: "Show first 5 accounts" }
+  ],
+  output: z3.object({
+    accounts: z3.array(z3.object({
+      id: z3.string(),
+      address: z3.string(),
+      custody: z3.string()
+    })),
+    total: z3.number().optional()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.accounts.evm.list({
+      accountType: "Smart Account",
+      limit: c.options.limit,
+      skip: c.options.skip
+    });
+    return c.ok({
+      accounts: res.data.map((a) => ({
+        id: a.id,
+        address: a.address,
+        custody: a.custody
+      })),
+      total: res.total
+    });
+  }
+});
+evm.command("get", {
+  description: "Get an EVM backend wallet by ID or address.",
+  args: z3.object({
+    id: z3.string().describe("Account ID or address")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, description: "Get wallet by ID" }
+  ],
+  output: z3.object({
+    id: z3.string(),
+    address: z3.string(),
+    custody: z3.string()
+  }),
+  async run(c) {
+    const a = await c.var.openfort.accounts.evm.backend.get({ id: c.args.id });
+    return c.ok({
+      id: a.id,
+      address: a.address,
+      custody: a.custody
+    });
+  }
+});
+evm.command("sign", {
+  description: "Sign data with an EVM backend wallet.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  options: z3.object({
+    data: z3.string().describe("Data to sign (hex-encoded)")
+  }),
+  alias: { data: "d" },
+  output: z3.object({
+    account: z3.string(),
+    signature: z3.string()
+  }),
+  examples: [
+    {
+      args: { id: "acc_abc123" },
+      options: { data: "0x1234abcd" },
+      description: "Sign a message hash with a backend wallet"
+    }
+  ],
+  async run(c) {
+    requireWalletCredentials();
+    const signature = await c.var.openfort.accounts.evm.backend.sign({
+      id: c.args.id,
+      data: c.options.data
+    });
+    return c.ok({ account: c.args.id, signature });
+  }
+});
+evm.command("delete", {
+  description: "Delete an EVM backend wallet.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, description: "Delete a wallet" }
+  ],
+  output: z3.object({
+    id: z3.string(),
+    deleted: z3.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.accounts.evm.backend.delete(c.args.id);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+evm.command("update", {
+  description: "Upgrade an EVM backend wallet to a delegated account (EIP-7702).",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  options: z3.object({
+    chainId: z3.number().describe("Chain ID to deploy on"),
+    implementationType: z3.string().describe("Smart account implementation type we will update to")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, options: { chainId: 8453, implementationType: "CaliburV9" }, description: "Upgrade to delegated account on Base" }
+  ],
+  output: z3.object({
+    id: z3.string(),
+    address: z3.string(),
+    accountType: z3.string(),
+    chainId: z3.number().optional(),
+    chainType: z3.string()
+  }),
+  async run(c) {
+    const account = await c.var.openfort.accounts.evm.backend.get({ id: c.args.id });
+    const res = await c.var.openfort.accounts.evm.backend.update({
+      walletId: account.walletId,
+      chainId: c.options.chainId,
+      accountId: account.id,
+      implementationType: c.options.implementationType
+    });
+    return c.ok(
+      {
+        id: res.id,
+        address: res.address,
+        accountType: res.accountType,
+        chainId: res.chainId,
+        chainType: res.chainType
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `accounts evm list-delegated`, description: "To see all accounts which were updated to delegated ones" }
+          ]
+        }
+      }
+    );
+  }
+});
+evm.command("sign", {
+  description: "Sign data with an EVM backend wallet.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  options: z3.object({
+    data: z3.string().describe("Hex-encoded data to sign")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, options: { data: "0xdeadbeef" }, description: "Sign a message hash" }
+  ],
+  output: z3.object({
+    signature: z3.string()
+  }),
+  async run(c) {
+    requireWalletCredentials();
+    const signature = await c.var.openfort.accounts.evm.backend.sign({
+      id: c.args.id,
+      data: c.options.data
+    });
+    return c.ok({ signature });
+  }
+});
+evm.command("import", {
+  description: "Import a private key as an EVM backend wallet.",
+  options: z3.object({
+    privateKey: z3.string().describe("Private key (hex string)")
+  }),
+  examples: [
+    { options: { privateKey: "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" }, description: "Import a private key" }
+  ],
+  output: z3.object({
+    id: z3.string(),
+    address: z3.string(),
+    custody: z3.string()
+  }),
+  async run(c) {
+    requireWalletCredentials();
+    const account = await c.var.openfort.accounts.evm.backend.import({
+      privateKey: c.options.privateKey
+    });
+    return c.ok({
+      id: account.id,
+      address: account.address,
+      custody: account.custody
+    });
+  }
+});
+evm.command("export", {
+  description: "Export an EVM backend wallet private key.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, description: "Export private key" }
+  ],
+  output: z3.object({
+    privateKey: z3.string()
+  }),
+  async run(c) {
+    requireWalletCredentials();
+    const privateKey = await c.var.openfort.accounts.evm.backend.export({
+      id: c.args.id
+    });
+    return c.ok({ privateKey });
+  }
+});
+evm.command("send-transaction", {
+  description: "Send a gasless EVM transaction (auto-delegates via EIP-7702 if needed).",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  options: z3.object({
+    chainId: z3.number().describe("Chain ID"),
+    interactions: z3.string().describe('Interactions as JSON: [{"to":"0x...","data":"0x...","value":"0"}]'),
+    policy: z3.string().optional().describe("Policy ID for gas sponsorship (pol_...)")
+  }),
+  examples: [
+    {
+      args: { id: "acc_1a2b3c4d" },
+      options: {
+        chainId: 8453,
+        interactions: '[{"to":"0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359","data":"0xa9059cbb...","value":"0"}]'
+      },
+      description: "Send a gasless transaction on Base"
+    }
+  ],
+  output: z3.object({
+    id: z3.string(),
+    chainId: z3.number(),
+    transactionHash: z3.string().optional()
+  }),
+  async run(c) {
+    const account = await c.var.openfort.accounts.evm.backend.get({ id: c.args.id });
+    const interactions = JSON.parse(c.options.interactions);
+    const res = await c.var.openfort.accounts.evm.backend.sendTransaction({
+      account,
+      chainId: c.options.chainId,
+      interactions,
+      policy: c.options.policy
+    });
+    return c.ok({
+      id: res.id,
+      chainId: res.chainId,
+      transactionHash: res.response?.transactionHash
+    });
+  }
+});
+var solana = Cli.create("solana", {
+  description: "Solana wallet management.",
+  vars: varsSchema
+});
+solana.command("create", {
+  description: "Create a new Solana backend wallet.",
+  examples: [
+    { description: "Create a new Solana wallet" }
+  ],
+  output: z3.object({
+    id: z3.string().describe("Account ID"),
+    address: z3.string().describe("Wallet address"),
+    custody: z3.string().describe("Custody type")
+  }),
+  async run(c) {
+    requireWalletCredentials();
+    const account = await c.var.openfort.accounts.solana.backend.create();
+    return c.ok(
+      { id: account.id, address: account.address, custody: account.custody },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `accounts solana get ${account.id}`, description: "View this account" }
+          ]
+        }
+      }
+    );
+  }
+});
+solana.command("list", {
+  description: "List Solana backend wallets.",
+  options: z3.object({
+    limit: z3.number().optional().describe("Max results"),
+    skip: z3.number().optional().describe("Offset")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all Solana wallets" }
+  ],
+  output: z3.object({
+    accounts: z3.array(z3.object({
+      id: z3.string(),
+      address: z3.string(),
+      custody: z3.string()
+    })),
+    total: z3.number().optional()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.accounts.solana.backend.list({
+      limit: c.options.limit,
+      skip: c.options.skip
+    });
+    return c.ok({
+      accounts: res.accounts.map((a) => ({
+        id: a.id,
+        address: a.address,
+        custody: a.custody
+      })),
+      total: res.total
+    });
+  }
+});
+solana.command("get", {
+  description: "Get a Solana backend wallet by ID or address.",
+  args: z3.object({
+    id: z3.string().describe("Account ID or address")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, description: "Get wallet by ID" }
+  ],
+  output: z3.object({
+    id: z3.string(),
+    address: z3.string(),
+    custody: z3.string()
+  }),
+  async run(c) {
+    const a = await c.var.openfort.accounts.solana.backend.get({ id: c.args.id });
+    return c.ok({
+      id: a.id,
+      address: a.address,
+      custody: a.custody
+    });
+  }
+});
+solana.command("sign", {
+  description: "Sign data with a Solana backend wallet.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  options: z3.object({
+    data: z3.string().describe("Data to sign (base64-encoded)")
+  }),
+  alias: { data: "d" },
+  output: z3.object({
+    account: z3.string(),
+    signature: z3.string()
+  }),
+  examples: [
+    {
+      args: { id: "acc_abc123" },
+      options: { data: "SGVsbG8gV29ybGQ=" },
+      description: "Sign a message with a Solana backend wallet"
+    }
+  ],
+  async run(c) {
+    requireWalletCredentials();
+    const signature = await c.var.openfort.accounts.solana.backend.sign(c.args.id, c.options.data);
+    return c.ok({ account: c.args.id, signature });
+  }
+});
+solana.command("delete", {
+  description: "Delete a Solana backend wallet.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, description: "Delete a wallet" }
+  ],
+  output: z3.object({
+    id: z3.string(),
+    deleted: z3.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.accounts.solana.backend.delete(c.args.id);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+solana.command("sign", {
+  description: "Sign data with a Solana backend wallet.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  options: z3.object({
+    data: z3.string().describe("Data to sign")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, options: { data: "hello" }, description: "Sign a message" }
+  ],
+  output: z3.object({
+    signature: z3.string()
+  }),
+  async run(c) {
+    requireWalletCredentials();
+    const signature = await c.var.openfort.accounts.solana.backend.sign(c.args.id, c.options.data);
+    return c.ok({ signature });
+  }
+});
+solana.command("import", {
+  description: "Import a private key as a Solana backend wallet.",
+  options: z3.object({
+    privateKey: z3.string().describe("Private key (hex-encoded 32 bytes or base58)")
+  }),
+  examples: [
+    { options: { privateKey: "abc123..." }, description: "Import a Solana private key" }
+  ],
+  output: z3.object({
+    id: z3.string(),
+    address: z3.string(),
+    custody: z3.string()
+  }),
+  async run(c) {
+    requireWalletCredentials();
+    const account = await c.var.openfort.accounts.solana.backend.import({
+      privateKey: c.options.privateKey
+    });
+    return c.ok({
+      id: account.id,
+      address: account.address,
+      custody: account.custody
+    });
+  }
+});
+solana.command("export", {
+  description: "Export a Solana backend wallet private key.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  examples: [
+    { args: { id: "acc_1a2b3c4d" }, description: "Export private key" }
+  ],
+  output: z3.object({
+    privateKey: z3.string()
+  }),
+  async run(c) {
+    requireWalletCredentials();
+    const privateKey = await c.var.openfort.accounts.solana.backend.export({
+      id: c.args.id
+    });
+    return c.ok({ privateKey });
+  }
+});
+solana.command("transfer", {
+  description: "Transfer SOL or SPL tokens.",
+  args: z3.object({
+    id: z3.string().describe("Account ID (acc_...)")
+  }),
+  options: z3.object({
+    to: z3.string().describe("Destination address (base58)"),
+    amount: z3.string().describe("Amount in base units (lamports for SOL)"),
+    token: z3.string().optional().describe('Token: "sol" (default), "usdc", or mint address'),
+    cluster: z3.enum(["devnet", "mainnet-beta"]).default("mainnet-beta").describe("Cluster: devnet or mainnet-beta")
+  }),
+  examples: [
+    {
+      args: { id: "acc_1a2b3c4d" },
+      options: { to: "FDx9mf...", amount: "1000000", cluster: "devnet" },
+      description: "Transfer 0.001 SOL on devnet"
+    },
+    {
+      args: { id: "acc_1a2b3c4d" },
+      options: { to: "FDx9mf...", amount: "1000000", token: "usdc", cluster: "devnet" },
+      description: "Transfer 1 USDC on devnet"
+    }
+  ],
+  output: z3.object({
+    signature: z3.string()
+  }),
+  async run(c) {
+    const account = await c.var.openfort.accounts.solana.backend.get({ id: c.args.id });
+    const res = await c.var.openfort.accounts.solana.backend.transfer({
+      account,
+      to: c.options.to,
+      amount: BigInt(c.options.amount),
+      token: c.options.token,
+      cluster: c.options.cluster
+    });
+    return c.ok({ signature: res.signature });
+  }
+});
+var accounts = Cli.create("accounts", {
+  description: "Manage wallets and accounts.",
+  vars: varsSchema
+});
+accounts.command("list", {
+  description: "List all accounts across chains.",
+  options: z3.object({
+    limit: z3.number().optional().describe("Max results"),
+    skip: z3.number().optional().describe("Offset"),
+    chainType: z3.enum(["EVM", "SVM"]).optional().describe("Filter by chain type"),
+    custody: z3.enum(["Developer", "User"]).optional().describe("Filter by custody")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all accounts across chains" },
+    { options: { chainType: "EVM" }, description: "Filter to EVM accounts only" },
+    { options: { custody: "Developer", limit: 10 }, description: "List developer-custody wallets" }
+  ],
+  output: z3.object({
+    data: z3.array(z3.object({
+      id: z3.string(),
+      wallet: z3.string().describe("Wallet ID"),
+      accountType: z3.string().describe("Account type"),
+      address: z3.string(),
+      ownerAddress: z3.string().optional(),
+      chainType: z3.string(),
+      chainId: z3.number().optional(),
+      custody: z3.string(),
+      createdAt: z3.number(),
+      updatedAt: z3.number()
+    })),
+    total: z3.number()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.accounts.list({
+      limit: c.options.limit,
+      skip: c.options.skip,
+      chainType: c.options.chainType,
+      custody: c.options.custody
+    });
+    return c.ok({
+      data: res.data.map((a) => ({
+        id: a.id,
+        wallet: a.wallet,
+        accountType: a.accountType,
+        address: a.address,
+        ownerAddress: a.ownerAddress,
+        chainType: a.chainType,
+        chainId: a.chainId,
+        custody: a.custody,
+        createdAt: a.createdAt,
+        updatedAt: a.updatedAt
+      })),
+      total: res.total
+    });
+  }
+});
+accounts.command(evm);
+accounts.command(solana);
+
+// src/commands/contracts.ts
+import { Cli as Cli2, z as z4 } from "incur";
+var contractItem = z4.object({
+  id: z4.string(),
+  createdAt: z4.number(),
+  name: z4.string().nullable(),
+  chainId: z4.number(),
+  address: z4.string(),
+  deleted: z4.boolean(),
+  abi: z4.array(z4.any()),
+  publicVerification: z4.boolean()
+});
+var contracts = Cli2.create("contracts", {
+  description: "Manage smart contracts.",
+  vars: varsSchema
+});
+contracts.command("list", {
+  description: "List registered contracts.",
+  options: z4.object({
+    limit: z4.number().optional().describe("Max results"),
+    skip: z4.number().optional().describe("Offset")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all contracts" },
+    { options: { limit: 5 }, description: "List first 5 contracts" }
+  ],
+  output: z4.object({
+    data: z4.array(contractItem),
+    total: z4.number()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.contracts.list({
+      limit: c.options.limit,
+      skip: c.options.skip
+    });
+    return c.ok({
+      data: res.data.map((ct) => ({
+        id: ct.id,
+        createdAt: ct.createdAt,
+        name: ct.name,
+        chainId: ct.chainId,
+        address: ct.address,
+        deleted: ct.deleted,
+        abi: ct.abi,
+        publicVerification: ct.publicVerification
+      })),
+      total: res.total
+    });
+  }
+});
+contracts.command("create", {
+  description: "Register a smart contract.",
+  options: z4.object({
+    name: z4.string().describe("Contract name"),
+    address: z4.string().describe("Contract address"),
+    chainId: z4.number().describe("Chain ID"),
+    abi: z4.string().optional().describe("Contract ABI as JSON string")
+  }),
+  output: contractItem,
+  examples: [
+    {
+      options: { name: "USDC", address: "0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359", chainId: 137 },
+      description: "Register USDC on Polygon"
+    },
+    {
+      options: { name: "My NFT", address: "0x1234...", chainId: 1, abi: '[{"type":"function","name":"mint",...}]' },
+      description: "Register contract with ABI"
+    }
+  ],
+  async run(c) {
+    const res = await c.var.openfort.contracts.create({
+      name: c.options.name,
+      address: c.options.address,
+      chainId: c.options.chainId,
+      abi: c.options.abi ? JSON.parse(c.options.abi) : void 0
+    });
+    return c.ok(
+      {
+        id: res.id,
+        createdAt: res.createdAt,
+        name: res.name,
+        chainId: res.chainId,
+        address: res.address,
+        deleted: res.deleted,
+        abi: res.abi,
+        publicVerification: res.publicVerification
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `contracts get ${res.id}`, description: "View this contract" },
+            { command: "policies create", description: "Create a policy for this contract" }
+          ]
+        }
+      }
+    );
+  }
+});
+contracts.command("get", {
+  description: "Get a contract by ID.",
+  args: z4.object({
+    id: z4.string().describe("Contract ID (con_...)")
+  }),
+  examples: [
+    { args: { id: "con_1a2b3c4d" }, description: "Get contract details" }
+  ],
+  output: contractItem,
+  async run(c) {
+    const ct = await c.var.openfort.contracts.get(c.args.id);
+    return c.ok({
+      id: ct.id,
+      createdAt: ct.createdAt,
+      name: ct.name,
+      chainId: ct.chainId,
+      address: ct.address,
+      deleted: ct.deleted,
+      abi: ct.abi,
+      publicVerification: ct.publicVerification
+    });
+  }
+});
+contracts.command("update", {
+  description: "Update a contract.",
+  args: z4.object({
+    id: z4.string().describe("Contract ID (con_...)")
+  }),
+  options: z4.object({
+    name: z4.string().optional().describe("New name"),
+    address: z4.string().optional().describe("New address"),
+    chainId: z4.number().optional().describe("New chain ID"),
+    abi: z4.string().optional().describe("New ABI as JSON string")
+  }),
+  examples: [
+    { args: { id: "con_1a2b3c4d" }, options: { name: "USDC v2" }, description: "Rename a contract" }
+  ],
+  output: contractItem,
+  async run(c) {
+    const res = await c.var.openfort.contracts.update(c.args.id, {
+      name: c.options.name,
+      address: c.options.address,
+      chainId: c.options.chainId,
+      abi: c.options.abi ? JSON.parse(c.options.abi) : void 0
+    });
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      name: res.name,
+      chainId: res.chainId,
+      address: res.address,
+      deleted: res.deleted,
+      abi: res.abi,
+      publicVerification: res.publicVerification
+    });
+  }
+});
+contracts.command("delete", {
+  description: "Delete a contract.",
+  args: z4.object({
+    id: z4.string().describe("Contract ID (con_...)")
+  }),
+  examples: [
+    { args: { id: "con_1a2b3c4d" }, description: "Delete a contract" }
+  ],
+  output: z4.object({
+    id: z4.string(),
+    deleted: z4.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.contracts.delete(c.args.id);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+
+// src/commands/paymasters.ts
+import { Cli as Cli3, z as z5 } from "incur";
+var paymasterItem = z5.object({
+  id: z5.string(),
+  createdAt: z5.number(),
+  address: z5.string(),
+  url: z5.string().optional(),
+  context: z5.record(z5.string(), z5.unknown()).optional()
+});
+var paymasters = Cli3.create("paymasters", {
+  description: "Manage ERC-4337 paymasters.",
+  vars: varsSchema
+});
+paymasters.command("create", {
+  description: "Create a paymaster.",
+  options: z5.object({
+    address: z5.string().describe("Paymaster contract address"),
+    name: z5.string().optional().describe("Paymaster name"),
+    url: z5.string().optional().describe("Paymaster URL")
+  }),
+  examples: [
+    { options: { address: "0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789", name: "EntryPoint v0.6 Paymaster" }, description: "Create a paymaster for ERC-4337 v0.6" }
+  ],
+  output: paymasterItem,
+  async run(c) {
+    const res = await c.var.openfort.paymasters.create({
+      address: c.options.address,
+      name: c.options.name,
+      url: c.options.url
+    });
+    return c.ok(
+      {
+        id: res.id,
+        createdAt: res.createdAt,
+        address: res.address,
+        url: res.url,
+        context: res.context
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `paymasters get ${res.id}`, description: "View this paymaster" },
+            { command: "sponsorship create", description: "Create a fee sponsorship" }
+          ]
+        }
+      }
+    );
+  }
+});
+paymasters.command("get", {
+  description: "Get a paymaster by ID.",
+  args: z5.object({
+    id: z5.string().describe("Paymaster ID (pay_...)")
+  }),
+  examples: [
+    { args: { id: "pay_1a2b3c4d" }, description: "Get paymaster details" }
+  ],
+  output: paymasterItem,
+  async run(c) {
+    const p = await c.var.openfort.paymasters.get(c.args.id);
+    return c.ok({
+      id: p.id,
+      createdAt: p.createdAt,
+      address: p.address,
+      url: p.url,
+      context: p.context
+    });
+  }
+});
+paymasters.command("update", {
+  description: "Update a paymaster.",
+  args: z5.object({
+    id: z5.string().describe("Paymaster ID (pay_...)")
+  }),
+  options: z5.object({
+    address: z5.string().describe("Paymaster address"),
+    name: z5.string().optional().describe("New name"),
+    url: z5.string().optional().describe("New URL")
+  }),
+  examples: [
+    { args: { id: "pay_1a2b3c4d" }, options: { address: "0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789", name: "Updated Paymaster" }, description: "Update paymaster name" }
+  ],
+  output: paymasterItem,
+  async run(c) {
+    const res = await c.var.openfort.paymasters.update(c.args.id, {
+      address: c.options.address,
+      name: c.options.name,
+      url: c.options.url
+    });
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      address: res.address,
+      url: res.url,
+      context: res.context
+    });
+  }
+});
+paymasters.command("delete", {
+  description: "Delete a paymaster.",
+  args: z5.object({
+    id: z5.string().describe("Paymaster ID (pay_...)")
+  }),
+  examples: [
+    { args: { id: "pay_1a2b3c4d" }, description: "Delete a paymaster" }
+  ],
+  output: z5.object({
+    id: z5.string(),
+    deleted: z5.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.paymasters.delete(c.args.id);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+
+// src/commands/policies.ts
+import { Cli as Cli4, z as z6 } from "incur";
+var policyScopes = ["project", "account", "transaction"];
+var policies = Cli4.create("policies", {
+  description: "Manage access-control policies.",
+  vars: varsSchema
+});
+policies.command("list", {
+  description: "List policies.",
+  options: z6.object({
+    limit: z6.number().optional().describe("Max results"),
+    skip: z6.number().optional().describe("Offset"),
+    scope: z6.enum(policyScopes).optional().describe("Filter by scope"),
+    enabled: z6.boolean().optional().describe("Filter by enabled status")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all policies" },
+    { options: { scope: "project", enabled: true }, description: "List enabled project-scope policies" }
+  ],
+  output: z6.object({
+    data: z6.array(z6.object({
+      id: z6.string(),
+      createdAt: z6.number(),
+      scope: z6.string(),
+      description: z6.string().nullable(),
+      accountId: z6.string().nullable(),
+      enabled: z6.boolean(),
+      priority: z6.number()
+    })),
+    total: z6.number()
+  }),
+  async run(c) {
+    const scopeFilter = c.options.scope ? [c.options.scope] : void 0;
+    const res = await c.var.openfort.policies.list({
+      limit: c.options.limit,
+      skip: c.options.skip,
+      scope: scopeFilter,
+      enabled: c.options.enabled
+    });
+    return c.ok({
+      data: res.data.map((p) => ({
+        id: p.id,
+        createdAt: p.createdAt,
+        scope: p.scope,
+        description: p.description,
+        accountId: p.accountId,
+        enabled: p.enabled,
+        priority: p.priority
+      })),
+      total: res.total
+    });
+  }
+});
+policies.command("create", {
+  description: "Create a policy with criteria-based rules.",
+  options: z6.object({
+    scope: z6.enum(policyScopes).describe("Policy scope"),
+    description: z6.string().optional().describe("Policy description"),
+    priority: z6.number().optional().describe("Priority (higher = evaluated first)"),
+    rules: z6.string().describe("Rules as JSON string")
+  }),
+  output: z6.object({
+    id: z6.string(),
+    createdAt: z6.number(),
+    scope: z6.string(),
+    description: z6.string().nullable(),
+    enabled: z6.boolean(),
+    priority: z6.number()
+  }),
+  examples: [
+    {
+      options: {
+        scope: "project",
+        rules: '[{"action":"accept","operation":"sponsorEvmTransaction","criteria":[{"type":"evmNetwork","operator":"in","chainIds":[137]}]}]'
+      },
+      description: "Create a policy to sponsor transactions on Polygon"
+    }
+  ],
+  async run(c) {
+    const rules = JSON.parse(c.options.rules);
+    const scope = c.options.scope;
+    const res = await c.var.openfort.policies.create({
+      scope,
+      description: c.options.description,
+      priority: c.options.priority,
+      rules
+    });
+    return c.ok(
+      {
+        id: res.id,
+        createdAt: res.createdAt,
+        scope: res.scope,
+        description: res.description,
+        enabled: res.enabled,
+        priority: res.priority
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `policies get ${res.id}`, description: "View this policy" },
+            { command: `sponsorship create --policyId ${res.id}`, description: "Create a fee sponsorship" }
+          ]
+        }
+      }
+    );
+  }
+});
+policies.command("get", {
+  description: "Get a policy by ID.",
+  args: z6.object({
+    id: z6.string().describe("Policy ID (ply_...)")
+  }),
+  examples: [
+    { args: { id: "ply_1a2b3c4d" }, description: "Get policy details with rules" }
+  ],
+  output: z6.object({
+    id: z6.string(),
+    createdAt: z6.number(),
+    scope: z6.string(),
+    description: z6.string().nullable(),
+    accountId: z6.string().nullable(),
+    enabled: z6.boolean(),
+    priority: z6.number(),
+    rules: z6.array(z6.any())
+  }),
+  async run(c) {
+    const p = await c.var.openfort.policies.get(c.args.id);
+    return c.ok({
+      id: p.id,
+      createdAt: p.createdAt,
+      scope: p.scope,
+      description: p.description,
+      accountId: p.accountId,
+      enabled: p.enabled,
+      priority: p.priority,
+      rules: p.rules
+    });
+  }
+});
+policies.command("update", {
+  description: "Update a policy.",
+  args: z6.object({
+    id: z6.string().describe("Policy ID (ply_...)")
+  }),
+  options: z6.object({
+    description: z6.string().optional().describe("New description"),
+    enabled: z6.boolean().optional().describe("Enable or disable"),
+    priority: z6.number().optional().describe("New priority"),
+    rules: z6.string().optional().describe("New rules as JSON string")
+  }),
+  examples: [
+    { args: { id: "ply_1a2b3c4d" }, options: { enabled: false }, description: "Disable a policy" },
+    { args: { id: "ply_1a2b3c4d" }, options: { priority: 10 }, description: "Change policy priority" }
+  ],
+  output: z6.object({
+    id: z6.string(),
+    createdAt: z6.number(),
+    scope: z6.string(),
+    description: z6.string().nullable(),
+    enabled: z6.boolean(),
+    priority: z6.number()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.policies.update(c.args.id, {
+      description: c.options.description,
+      enabled: c.options.enabled,
+      priority: c.options.priority,
+      rules: c.options.rules ? JSON.parse(c.options.rules) : void 0
+    });
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      scope: res.scope,
+      description: res.description,
+      enabled: res.enabled,
+      priority: res.priority
+    });
+  }
+});
+policies.command("delete", {
+  description: "Delete a policy.",
+  args: z6.object({
+    id: z6.string().describe("Policy ID (ply_...)")
+  }),
+  examples: [
+    { args: { id: "ply_1a2b3c4d" }, description: "Delete a policy" }
+  ],
+  output: z6.object({
+    id: z6.string(),
+    deleted: z6.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.policies.delete(c.args.id);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+policies.command("evaluate", {
+  description: "Pre-flight check if an operation would be allowed.",
+  options: z6.object({
+    operation: z6.string().describe("Operation to evaluate (e.g. signEvmTransaction)"),
+    accountId: z6.string().optional().describe("Account ID")
+  }),
+  examples: [
+    { options: { operation: "signEvmTransaction", accountId: "acc_1a2b3c4d" }, description: "Check if EVM signing is allowed" },
+    { options: { operation: "sponsorEvmTransaction" }, description: "Check if gas sponsorship is allowed" }
+  ],
+  output: z6.object({
+    allowed: z6.boolean(),
+    reason: z6.string(),
+    operation: z6.string(),
+    accountId: z6.string().optional(),
+    matchedPolicyId: z6.string().optional(),
+    matchedRuleId: z6.string().optional()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.policies.evaluate({
+      operation: c.options.operation,
+      accountId: c.options.accountId
+    });
+    return c.ok({
+      allowed: res.allowed,
+      reason: res.reason,
+      operation: res.operation,
+      accountId: res.accountId,
+      matchedPolicyId: res.matchedPolicyId,
+      matchedRuleId: res.matchedRuleId
+    });
+  }
+});
+
+// src/commands/sponsorship.ts
+import { Cli as Cli5, z as z7 } from "incur";
+var sponsorSchemas = ["pay_for_user", "charge_custom_tokens", "fixed_rate"];
+var sponsorshipItem = z7.object({
+  id: z7.string(),
+  createdAt: z7.number(),
+  name: z7.string().nullable(),
+  chainId: z7.number().nullable(),
+  enabled: z7.boolean(),
+  strategy: z7.object({
+    sponsorSchema: z7.string(),
+    tokenContract: z7.string().optional(),
+    tokenContractAmount: z7.string().optional(),
+    dynamicExchangeRate: z7.boolean().optional()
+  }),
+  paymasterId: z7.string().nullable(),
+  policyId: z7.string().nullable()
+});
+var sponsorship = Cli5.create("sponsorship", {
+  description: "Manage fee sponsorships for gas costs.",
+  vars: varsSchema
+});
+sponsorship.command("list", {
+  description: "List fee sponsorships.",
+  options: z7.object({
+    limit: z7.number().optional().describe("Max results"),
+    skip: z7.number().optional().describe("Offset"),
+    enabled: z7.boolean().optional().describe("Filter by enabled status")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all sponsorships" },
+    { options: { enabled: true }, description: "List active sponsorships only" }
+  ],
+  output: z7.object({
+    data: z7.array(sponsorshipItem),
+    total: z7.number()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.feeSponsorship.list({
+      limit: c.options.limit,
+      skip: c.options.skip,
+      enabled: c.options.enabled
+    });
+    return c.ok({
+      data: res.data.map((s) => ({
+        id: s.id,
+        createdAt: s.createdAt,
+        name: s.name,
+        chainId: s.chainId,
+        enabled: s.enabled,
+        strategy: s.strategy,
+        paymasterId: s.paymasterId,
+        policyId: s.policyId
+      })),
+      total: res.total
+    });
+  }
+});
+sponsorship.command("create", {
+  description: "Create a fee sponsorship linked to a policy.",
+  options: z7.object({
+    policyId: z7.string().describe("Policy ID to link (ply_...)"),
+    name: z7.string().optional().describe("Sponsorship name"),
+    strategy: z7.enum(sponsorSchemas).default("pay_for_user").describe("Sponsorship strategy"),
+    chainId: z7.number().optional().describe("Chain ID")
+  }),
+  output: sponsorshipItem,
+  examples: [
+    {
+      options: { policyId: "ply_1a2b3c4d", strategy: "pay_for_user", name: "Polygon Gas Sponsor" },
+      description: "Sponsor gas fees for users on Polygon"
+    },
+    {
+      options: { policyId: "ply_1a2b3c4d", strategy: "charge_custom_tokens", chainId: 137 },
+      description: "Pay gas with custom tokens on chain 137"
+    }
+  ],
+  async run(c) {
+    const strategy = { sponsorSchema: c.options.strategy };
+    const res = await c.var.openfort.feeSponsorship.create({
+      policyId: c.options.policyId,
+      name: c.options.name,
+      strategy,
+      chainId: c.options.chainId
+    });
+    return c.ok(
+      {
+        id: res.id,
+        createdAt: res.createdAt,
+        name: res.name,
+        chainId: res.chainId,
+        enabled: res.enabled,
+        strategy: res.strategy,
+        paymasterId: res.paymasterId,
+        policyId: res.policyId
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `sponsorship get ${res.id}`, description: "View this sponsorship" },
+            { command: "transactions create", description: "Create a sponsored transaction" }
+          ]
+        }
+      }
+    );
+  }
+});
+sponsorship.command("get", {
+  description: "Get a fee sponsorship by ID.",
+  args: z7.object({
+    id: z7.string().describe("Fee sponsorship ID (pol_...)")
+  }),
+  examples: [
+    { args: { id: "pol_1a2b3c4d" }, description: "Get sponsorship details" }
+  ],
+  output: sponsorshipItem,
+  async run(c) {
+    const s = await c.var.openfort.feeSponsorship.get(c.args.id);
+    return c.ok({
+      id: s.id,
+      createdAt: s.createdAt,
+      name: s.name,
+      chainId: s.chainId,
+      enabled: s.enabled,
+      strategy: s.strategy,
+      paymasterId: s.paymasterId,
+      policyId: s.policyId
+    });
+  }
+});
+sponsorship.command("update", {
+  description: "Update a fee sponsorship.",
+  args: z7.object({
+    id: z7.string().describe("Fee sponsorship ID (pol_...)")
+  }),
+  options: z7.object({
+    name: z7.string().optional().describe("New name"),
+    strategy: z7.enum(sponsorSchemas).optional().describe("New strategy"),
+    policyId: z7.string().optional().describe("New policy ID")
+  }),
+  examples: [
+    { args: { id: "pol_1a2b3c4d" }, options: { name: "Mainnet Gas Sponsor" }, description: "Rename a sponsorship" }
+  ],
+  output: sponsorshipItem,
+  async run(c) {
+    const strategy = c.options.strategy ? { sponsorSchema: c.options.strategy } : void 0;
+    const res = await c.var.openfort.feeSponsorship.update(c.args.id, {
+      name: c.options.name,
+      strategy,
+      policyId: c.options.policyId
+    });
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      name: res.name,
+      chainId: res.chainId,
+      enabled: res.enabled,
+      strategy: res.strategy,
+      paymasterId: res.paymasterId,
+      policyId: res.policyId
+    });
+  }
+});
+sponsorship.command("enable", {
+  description: "Enable a fee sponsorship.",
+  args: z7.object({
+    id: z7.string().describe("Fee sponsorship ID (pol_...)")
+  }),
+  examples: [
+    { args: { id: "pol_1a2b3c4d" }, description: "Enable a sponsorship" }
+  ],
+  output: sponsorshipItem,
+  async run(c) {
+    const res = await c.var.openfort.feeSponsorship.enable(c.args.id);
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      name: res.name,
+      chainId: res.chainId,
+      enabled: res.enabled,
+      strategy: res.strategy,
+      paymasterId: res.paymasterId,
+      policyId: res.policyId
+    });
+  }
+});
+sponsorship.command("disable", {
+  description: "Disable a fee sponsorship.",
+  args: z7.object({
+    id: z7.string().describe("Fee sponsorship ID (pol_...)")
+  }),
+  examples: [
+    { args: { id: "pol_1a2b3c4d" }, description: "Disable a sponsorship" }
+  ],
+  output: sponsorshipItem,
+  async run(c) {
+    const res = await c.var.openfort.feeSponsorship.disable(c.args.id);
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      name: res.name,
+      chainId: res.chainId,
+      enabled: res.enabled,
+      strategy: res.strategy,
+      paymasterId: res.paymasterId,
+      policyId: res.policyId
+    });
+  }
+});
+sponsorship.command("delete", {
+  description: "Delete a fee sponsorship.",
+  args: z7.object({
+    id: z7.string().describe("Fee sponsorship ID (pol_...)")
+  }),
+  examples: [
+    { args: { id: "pol_1a2b3c4d" }, description: "Delete a sponsorship" }
+  ],
+  output: z7.object({
+    id: z7.string(),
+    deleted: z7.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.feeSponsorship.delete(c.args.id);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+
+// src/commands/subscriptions.ts
+import { Cli as Cli6, z as z8 } from "incur";
+var apiTopics = [
+  "transaction_intent.broadcast",
+  "transaction_intent.successful",
+  "transaction_intent.cancelled",
+  "transaction_intent.failed",
+  "balance.project",
+  "balance.contract",
+  "balance.dev_account",
+  "test",
+  "user.created",
+  "user.updated",
+  "user.deleted",
+  "account.created"
+];
+var apiTriggerTypes = ["webhook", "email"];
+var triggers = Cli6.create("triggers", {
+  description: "Manage subscription triggers.",
+  vars: varsSchema
+});
+triggers.command("list", {
+  description: "List triggers for a subscription.",
+  args: z8.object({
+    subscriptionId: z8.string().describe("Subscription ID (sub_...)")
+  }),
+  examples: [
+    { args: { subscriptionId: "sub_1a2b3c4d" }, description: "List triggers" }
+  ],
+  output: z8.object({
+    data: z8.array(z8.object({
+      id: z8.string(),
+      createdAt: z8.number(),
+      target: z8.string(),
+      type: z8.string()
+    }))
+  }),
+  async run(c) {
+    const res = await c.var.openfort.triggers.list(c.args.subscriptionId);
+    return c.ok({
+      data: res.data.map((t) => ({
+        id: t.id,
+        createdAt: t.createdAt,
+        target: t.target,
+        type: t.type
+      }))
+    });
+  }
+});
+triggers.command("create", {
+  description: "Create a trigger for a subscription.",
+  args: z8.object({
+    subscriptionId: z8.string().describe("Subscription ID (sub_...)")
+  }),
+  options: z8.object({
+    target: z8.string().describe("Webhook URL or email address"),
+    type: z8.enum(apiTriggerTypes).default("webhook").describe("Trigger type: webhook or email")
+  }),
+  examples: [
+    {
+      args: { subscriptionId: "sub_1a2b3c4d" },
+      options: { target: "https://myapp.com/webhooks", type: "webhook" },
+      description: "Create a webhook trigger"
+    }
+  ],
+  output: z8.object({
+    id: z8.string(),
+    createdAt: z8.number(),
+    target: z8.string(),
+    type: z8.string()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.triggers.create(c.args.subscriptionId, {
+      target: c.options.target,
+      type: c.options.type
+    });
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      target: res.target,
+      type: res.type
+    });
+  }
+});
+triggers.command("get", {
+  description: "Get a trigger by ID.",
+  args: z8.object({
+    subscriptionId: z8.string().describe("Subscription ID (sub_...)"),
+    triggerId: z8.string().describe("Trigger ID (tri_...)")
+  }),
+  examples: [
+    { args: { subscriptionId: "sub_1a2b3c4d", triggerId: "tri_1a2b3c4d" }, description: "Get trigger details" }
+  ],
+  output: z8.object({
+    id: z8.string(),
+    createdAt: z8.number(),
+    target: z8.string(),
+    type: z8.string()
+  }),
+  async run(c) {
+    const t = await c.var.openfort.triggers.get(c.args.subscriptionId, c.args.triggerId);
+    return c.ok({
+      id: t.id,
+      createdAt: t.createdAt,
+      target: t.target,
+      type: t.type
+    });
+  }
+});
+triggers.command("delete", {
+  description: "Delete a trigger.",
+  args: z8.object({
+    subscriptionId: z8.string().describe("Subscription ID (sub_...)"),
+    triggerId: z8.string().describe("Trigger ID (tri_...)")
+  }),
+  examples: [
+    { args: { subscriptionId: "sub_1a2b3c4d", triggerId: "tri_1a2b3c4d" }, description: "Delete a trigger" }
+  ],
+  output: z8.object({
+    id: z8.string(),
+    deleted: z8.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.triggers.delete(c.args.subscriptionId, c.args.triggerId);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+var subscriptions = Cli6.create("subscriptions", {
+  description: "Manage webhook subscriptions.",
+  vars: varsSchema
+});
+subscriptions.command("list", {
+  description: "List webhook subscriptions.",
+  examples: [
+    { description: "List all subscriptions" }
+  ],
+  output: z8.object({
+    data: z8.array(z8.object({
+      id: z8.string(),
+      createdAt: z8.number(),
+      topic: z8.string(),
+      triggers: z8.array(z8.object({
+        id: z8.string(),
+        target: z8.string(),
+        type: z8.string()
+      }))
+    })),
+    total: z8.number()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.subscriptions.list();
+    return c.ok({
+      data: res.data.map((s) => ({
+        id: s.id,
+        createdAt: s.createdAt,
+        topic: s.topic,
+        triggers: s.triggers
+      })),
+      total: res.total
+    });
+  }
+});
+subscriptions.command("create", {
+  description: "Create a webhook subscription.",
+  options: z8.object({
+    topic: z8.enum(apiTopics).describe("Event topic (e.g. transaction_intent.successful, user.created)"),
+    triggers: z8.string().describe('Triggers as JSON: [{"type":"webhook","target":"https://..."}]')
+  }),
+  examples: [
+    {
+      options: {
+        topic: "transaction_intent.successful",
+        triggers: '[{"type":"webhook","target":"https://myapp.com/webhooks/openfort"}]'
+      },
+      description: "Get notified when transactions succeed"
+    }
+  ],
+  output: z8.object({
+    id: z8.string(),
+    createdAt: z8.number(),
+    topic: z8.string(),
+    triggers: z8.array(z8.object({
+      id: z8.string(),
+      target: z8.string(),
+      type: z8.string()
+    }))
+  }),
+  async run(c) {
+    const parsedTriggers = JSON.parse(c.options.triggers);
+    const res = await c.var.openfort.subscriptions.create({
+      topic: c.options.topic,
+      triggers: parsedTriggers
+    });
+    return c.ok(
+      {
+        id: res.id,
+        createdAt: res.createdAt,
+        topic: res.topic,
+        triggers: res.triggers
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `subscriptions get ${res.id}`, description: "View this subscription" },
+            { command: "subscriptions list", description: "List all subscriptions" }
+          ]
+        }
+      }
+    );
+  }
+});
+subscriptions.command("get", {
+  description: "Get a subscription by ID.",
+  args: z8.object({
+    id: z8.string().describe("Subscription ID (sub_...)")
+  }),
+  examples: [
+    { args: { id: "sub_1a2b3c4d" }, description: "Get subscription details" }
+  ],
+  output: z8.object({
+    id: z8.string(),
+    createdAt: z8.number(),
+    topic: z8.string(),
+    triggers: z8.array(z8.object({
+      id: z8.string(),
+      target: z8.string(),
+      type: z8.string()
+    }))
+  }),
+  async run(c) {
+    const s = await c.var.openfort.subscriptions.get(c.args.id);
+    return c.ok({
+      id: s.id,
+      createdAt: s.createdAt,
+      topic: s.topic,
+      triggers: s.triggers
+    });
+  }
+});
+subscriptions.command("delete", {
+  description: "Delete a subscription.",
+  args: z8.object({
+    id: z8.string().describe("Subscription ID (sub_...)")
+  }),
+  examples: [
+    { args: { id: "sub_1a2b3c4d" }, description: "Delete a subscription" }
+  ],
+  output: z8.object({
+    id: z8.string(),
+    deleted: z8.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.subscriptions.delete(c.args.id);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+subscriptions.command(triggers);
+
+// src/commands/sessions.ts
+import { Cli as Cli7, z as z9 } from "incur";
+var sessionItem = z9.object({
+  id: z9.string(),
+  createdAt: z9.number(),
+  updatedAt: z9.number(),
+  address: z9.string(),
+  validAfter: z9.string(),
+  validUntil: z9.string(),
+  whitelist: z9.array(z9.string()).optional(),
+  isActive: z9.boolean(),
+  nextAction: z9.object({
+    type: z9.string(),
+    payload: z9.any().optional()
+  }).optional()
+});
+var sessions = Cli7.create("sessions", {
+  description: "Manage session keys.",
+  vars: varsSchema
+});
+sessions.command("list", {
+  description: "List session keys for a player.",
+  options: z9.object({
+    player: z9.string().describe("Player ID (pla_...)"),
+    limit: z9.number().optional().describe("Max results"),
+    skip: z9.number().optional().describe("Offset")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { options: { player: "pla_1a2b3c4d" }, description: "List sessions for a player" }
+  ],
+  output: z9.object({
+    data: z9.array(z9.object({
+      id: z9.string(),
+      createdAt: z9.number(),
+      address: z9.string(),
+      isActive: z9.boolean()
+    })),
+    total: z9.number()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.sessions.list({
+      player: c.options.player,
+      limit: c.options.limit,
+      skip: c.options.skip
+    });
+    return c.ok({
+      data: res.data.map((s) => ({
+        id: s.id,
+        createdAt: s.createdAt,
+        address: s.address,
+        isActive: s.isActive
+      })),
+      total: res.total
+    });
+  }
+});
+sessions.command("create", {
+  description: "Create a session key.",
+  options: z9.object({
+    address: z9.string().describe("Session key address"),
+    chainId: z9.number().describe("Chain ID"),
+    validAfter: z9.number().describe("Valid after (unix timestamp in seconds)"),
+    validUntil: z9.number().describe("Valid until (unix timestamp in seconds)"),
+    player: z9.string().optional().describe("Player ID (pla_...)"),
+    account: z9.string().optional().describe("Account ID (acc_...)"),
+    limit: z9.number().optional().describe("Max session uses"),
+    policy: z9.string().optional().describe("Policy ID for gas sponsorship (pol_...)"),
+    whitelist: z9.string().optional().describe("Whitelisted contract addresses as JSON array")
+  }),
+  examples: [
+    {
+      options: {
+        address: "0x1234...",
+        chainId: 137,
+        validAfter: 17e8,
+        validUntil: 1700086400,
+        player: "pla_1a2b3c4d"
+      },
+      description: "Create a 24h session key on Polygon"
+    }
+  ],
+  output: sessionItem,
+  async run(c) {
+    const res = await c.var.openfort.sessions.create({
+      address: c.options.address,
+      chainId: c.options.chainId,
+      validAfter: c.options.validAfter,
+      validUntil: c.options.validUntil,
+      player: c.options.player,
+      account: c.options.account,
+      limit: c.options.limit,
+      policy: c.options.policy,
+      whitelist: c.options.whitelist ? JSON.parse(c.options.whitelist) : void 0
+    });
+    return c.ok(
+      {
+        id: res.id,
+        createdAt: res.createdAt,
+        updatedAt: res.updatedAt,
+        address: res.address,
+        validAfter: res.validAfter,
+        validUntil: res.validUntil,
+        whitelist: res.whitelist,
+        isActive: res.isActive,
+        nextAction: res.nextAction
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `sessions get ${res.id}`, description: "View this session" }
+          ]
+        }
+      }
+    );
+  }
+});
+sessions.command("get", {
+  description: "Get a session key by ID.",
+  args: z9.object({
+    id: z9.string().describe("Session ID (ses_...)")
+  }),
+  examples: [
+    { args: { id: "ses_1a2b3c4d" }, description: "Get session details" }
+  ],
+  output: sessionItem,
+  async run(c) {
+    const s = await c.var.openfort.sessions.get(c.args.id);
+    return c.ok({
+      id: s.id,
+      createdAt: s.createdAt,
+      updatedAt: s.updatedAt,
+      address: s.address,
+      validAfter: s.validAfter,
+      validUntil: s.validUntil,
+      whitelist: s.whitelist,
+      isActive: s.isActive,
+      nextAction: s.nextAction
+    });
+  }
+});
+sessions.command("revoke", {
+  description: "Revoke a session key.",
+  options: z9.object({
+    address: z9.string().describe("Session key address to revoke"),
+    chainId: z9.number().describe("Chain ID"),
+    player: z9.string().optional().describe("Player ID (pla_...)"),
+    policy: z9.string().optional().describe("Policy ID (pol_...)")
+  }),
+  examples: [
+    { options: { address: "0x1234...", chainId: 137 }, description: "Revoke a session key" }
+  ],
+  output: sessionItem,
+  async run(c) {
+    const res = await c.var.openfort.sessions.revoke({
+      address: c.options.address,
+      chainId: c.options.chainId,
+      player: c.options.player,
+      policy: c.options.policy
+    });
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      updatedAt: res.updatedAt,
+      address: res.address,
+      validAfter: res.validAfter,
+      validUntil: res.validUntil,
+      whitelist: res.whitelist,
+      isActive: res.isActive,
+      nextAction: res.nextAction
+    });
+  }
+});
+sessions.command("sign", {
+  description: "Sign and broadcast a session userOperationHash.",
+  args: z9.object({
+    id: z9.string().describe("Session ID (ses_...)")
+  }),
+  options: z9.object({
+    signature: z9.string().describe("Hex signature"),
+    optimistic: z9.boolean().optional().describe("Return before on-chain confirmation")
+  }),
+  examples: [
+    { args: { id: "ses_1a2b3c4d" }, options: { signature: "0xabcd1234..." }, description: "Sign a session" }
+  ],
+  output: sessionItem,
+  async run(c) {
+    const res = await c.var.openfort.sessions.signature(c.args.id, {
+      signature: c.options.signature,
+      optimistic: c.options.optimistic
+    });
+    return c.ok({
+      id: res.id,
+      createdAt: res.createdAt,
+      updatedAt: res.updatedAt,
+      address: res.address,
+      validAfter: res.validAfter,
+      validUntil: res.validUntil,
+      whitelist: res.whitelist,
+      isActive: res.isActive,
+      nextAction: res.nextAction
+    });
+  }
+});
+
+// src/commands/transactions.ts
+import { Cli as Cli8, z as z10 } from "incur";
+var transactionIntentItem = z10.object({
+  id: z10.string(),
+  createdAt: z10.number(),
+  updatedAt: z10.number(),
+  chainId: z10.number(),
+  abstractionType: z10.string().describe("e.g. accountAbstractionV6, standard"),
+  userOperationHash: z10.string().optional(),
+  response: z10.object({
+    createdAt: z10.number(),
+    blockNumber: z10.number().optional(),
+    transactionHash: z10.string().optional(),
+    gasUsed: z10.string().optional(),
+    gasFee: z10.string().optional(),
+    status: z10.number().optional(),
+    to: z10.string().optional(),
+    error: z10.any().optional()
+  }).optional(),
+  interactions: z10.array(z10.object({
+    to: z10.string().optional(),
+    data: z10.string().optional(),
+    value: z10.string().optional()
+  })).optional(),
+  nextAction: z10.object({
+    type: z10.string(),
+    payload: z10.any().optional()
+  }).optional()
+});
+var transactions = Cli8.create("transactions", {
+  description: "Manage transaction intents.",
+  vars: varsSchema
+});
+transactions.command("list", {
+  description: "List transaction intents.",
+  options: z10.object({
+    limit: z10.number().optional().describe("Max results"),
+    skip: z10.number().optional().describe("Offset")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all transactions" },
+    { options: { limit: 10 }, description: "List last 10 transactions" }
+  ],
+  output: z10.object({
+    data: z10.array(z10.object({
+      id: z10.string(),
+      createdAt: z10.number(),
+      updatedAt: z10.number(),
+      chainId: z10.number(),
+      abstractionType: z10.string()
+    })),
+    total: z10.number()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.transactionIntents.list({
+      limit: c.options.limit,
+      skip: c.options.skip
+    });
+    return c.ok({
+      data: res.data.map((t) => ({
+        id: t.id,
+        createdAt: t.createdAt,
+        updatedAt: t.updatedAt,
+        chainId: t.chainId,
+        abstractionType: t.abstractionType
+      })),
+      total: res.total
+    });
+  }
+});
+transactions.command("create", {
+  description: "Create a transaction intent.",
+  options: z10.object({
+    account: z10.string().describe("Account ID (acc_...)"),
+    chainId: z10.number().describe("Chain ID"),
+    interactions: z10.string().describe('Interactions as JSON: [{"to":"0x...","data":"0x...","value":"0"}]'),
+    policy: z10.string().optional().describe("Policy ID for gas sponsorship"),
+    signedAuthorization: z10.string().optional().describe("Signed EIP-7702 authorization hex (for delegated accounts)")
+  }),
+  output: transactionIntentItem,
+  examples: [
+    {
+      options: {
+        account: "acc_1a2b3c4d",
+        chainId: 137,
+        interactions: '[{"to":"0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359","data":"0xa9059cbb000000...","value":"0"}]'
+      },
+      description: "Transfer USDC on Polygon"
+    },
+    {
+      options: {
+        account: "acc_1a2b3c4d",
+        chainId: 137,
+        interactions: '[{"to":"0x742d35Cc6634C0532925a3b844Bc9e7595f92cD5","value":"1000000000000000000"}]',
+        policy: "ply_1a2b3c4d"
+      },
+      description: "Send 1 MATIC with gas sponsorship"
+    }
+  ],
+  async run(c) {
+    const interactions = JSON.parse(c.options.interactions);
+    const res = await c.var.openfort.transactionIntents.create({
+      account: c.options.account,
+      chainId: c.options.chainId,
+      interactions,
+      policy: c.options.policy,
+      signedAuthorization: c.options.signedAuthorization
+    });
+    return c.ok(
+      {
+        id: res.id,
+        createdAt: res.createdAt,
+        updatedAt: res.updatedAt,
+        chainId: res.chainId,
+        abstractionType: res.abstractionType,
+        userOperationHash: res.userOperationHash,
+        response: res.response,
+        interactions: res.interactions,
+        nextAction: res.nextAction
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `transactions get ${res.id}`, description: "Check transaction status" }
+          ]
+        }
+      }
+    );
+  }
+});
+transactions.command("get", {
+  description: "Get a transaction intent by ID.",
+  args: z10.object({
+    id: z10.string().describe("Transaction intent ID (tin_...)")
+  }),
+  examples: [
+    { args: { id: "tin_1a2b3c4d" }, description: "Get transaction status and receipt" }
+  ],
+  output: transactionIntentItem,
+  async run(c) {
+    const t = await c.var.openfort.transactionIntents.get(c.args.id);
+    return c.ok({
+      id: t.id,
+      createdAt: t.createdAt,
+      updatedAt: t.updatedAt,
+      chainId: t.chainId,
+      abstractionType: t.abstractionType,
+      userOperationHash: t.userOperationHash,
+      response: t.response,
+      interactions: t.interactions,
+      nextAction: t.nextAction
+    });
+  }
+});
+transactions.command("sign", {
+  description: "Sign and broadcast a transaction intent.",
+  args: z10.object({
+    id: z10.string().describe("Transaction intent ID (tin_...)")
+  }),
+  options: z10.object({
+    signature: z10.string().describe("Hex signature"),
+    optimistic: z10.boolean().optional().describe("Return before on-chain confirmation")
+  }),
+  examples: [
+    { args: { id: "tin_1a2b3c4d" }, options: { signature: "0xabcd1234..." }, description: "Sign and broadcast a transaction" },
+    { args: { id: "tin_1a2b3c4d" }, options: { signature: "0xabcd1234...", optimistic: true }, description: "Sign without waiting for on-chain confirmation" }
+  ],
+  output: transactionIntentItem,
+  async run(c) {
+    const res = await c.var.openfort.transactionIntents.signature(c.args.id, {
+      signature: c.options.signature,
+      optimistic: c.options.optimistic
+    });
+    return c.ok(
+      {
+        id: res.id,
+        createdAt: res.createdAt,
+        updatedAt: res.updatedAt,
+        chainId: res.chainId,
+        abstractionType: res.abstractionType,
+        userOperationHash: res.userOperationHash,
+        response: res.response,
+        interactions: res.interactions,
+        nextAction: res.nextAction
+      },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `transactions get ${res.id}`, description: "Check transaction status" }
+          ]
+        }
+      }
+    );
+  }
+});
+transactions.command("estimate", {
+  description: "Estimate gas cost for a transaction.",
+  options: z10.object({
+    account: z10.string().describe("Account ID (acc_...)"),
+    chainId: z10.number().describe("Chain ID"),
+    interactions: z10.string().describe("Interactions as JSON"),
+    policy: z10.string().optional().describe("Policy ID for gas sponsorship")
+  }),
+  examples: [
+    {
+      options: { account: "acc_1a2b3c4d", chainId: 137, interactions: '[{"to":"0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359","data":"0xa9059cbb...","value":"0"}]' },
+      description: "Estimate gas for a USDC transfer on Polygon"
+    }
+  ],
+  output: z10.object({
+    estimatedTXGas: z10.string(),
+    estimatedTXGasFee: z10.string(),
+    estimatedTXGasFeeUSD: z10.string(),
+    estimatedTXGasFeeToken: z10.string().optional(),
+    gasPrice: z10.string()
+  }),
+  async run(c) {
+    const interactions = JSON.parse(c.options.interactions);
+    const res = await c.var.openfort.transactionIntents.estimateCost({
+      account: c.options.account,
+      chainId: c.options.chainId,
+      interactions,
+      policy: c.options.policy
+    });
+    return c.ok({
+      estimatedTXGas: res.estimatedTXGas,
+      estimatedTXGasFee: res.estimatedTXGasFee,
+      estimatedTXGasFeeUSD: res.estimatedTXGasFeeUSD,
+      estimatedTXGasFeeToken: res.estimatedTXGasFeeToken,
+      gasPrice: res.gasPrice
+    });
+  }
+});
+
+// src/commands/shield.ts
+import { Cli as Cli9, z as z11, Errors as Errors2 } from "incur";
+var SHIELD_API_URL = OPENFORT_SHIELD_URL;
+var shield = Cli9.create("shield", {
+  description: "Manage Shield (embedded wallet) API keys.",
+  vars: varsSchema
+});
+shield.command("create", {
+  description: "Create Shield API keys for embedded wallets.",
+  options: z11.object({
+    project: z11.string().optional().describe("Project ID (pro_...). Defaults to OPENFORT_PROJECT_ID env var.")
+  }),
+  alias: { project: "p" },
+  output: z11.object({
+    message: z11.string(),
+    credentialsPath: z11.string()
+  }),
+  examples: [
+    {
+      options: { project: "pro_abc123" },
+      description: "Create Shield keys for a project"
+    }
+  ],
+  async run(c) {
+    const publishableKey = process.env.OPENFORT_PUBLISHABLE_KEY;
+    if (!publishableKey) {
+      throw new Errors2.IncurError({
+        code: "MISSING_PUBLISHABLE_KEY",
+        message: "OPENFORT_PUBLISHABLE_KEY environment variable is required to create Shield keys.",
+        hint: "Run: openfort login"
+      });
+    }
+    const apiKey = process.env.OPENFORT_API_KEY;
+    const environment = apiKey.startsWith("sk_live_") ? "live" : "test";
+    const projectId = c.options.project || process.env.OPENFORT_PROJECT_ID;
+    if (!projectId) {
+      throw new Errors2.IncurError({
+        code: "MISSING_PROJECT_ID",
+        message: "Project ID is required. Pass --project or set OPENFORT_PROJECT_ID.",
+        hint: "Run: openfort login"
+      });
+    }
+    const registerRes = await fetch(`${SHIELD_API_URL}/register`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-api-key": publishableKey
+      },
+      body: JSON.stringify({
+        name: `${projectId}-${environment}`,
+        generate_encryption_key: true,
+        enable_2fa: false
+      })
+    });
+    if (!registerRes.ok) {
+      const text = await registerRes.text();
+      throw new Errors2.IncurError({
+        code: "SHIELD_REGISTER_FAILED",
+        message: `Shield registration failed: ${text}`
+      });
+    }
+    const shieldData = await registerRes.json();
+    if (shieldData.error) {
+      throw new Errors2.IncurError({
+        code: "SHIELD_REGISTER_ERROR",
+        message: `Shield registration error: ${shieldData.error}`
+      });
+    }
+    const persistKey = async (type, uuid) => {
+      const res = await fetch(`${API_BASE_URL}/v1/project/apikey`, {
+        method: "PUT",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${apiKey}`
+        },
+        body: JSON.stringify({ type, uuid })
+      });
+      if (!res.ok) {
+        const text = await res.text();
+        throw new Errors2.IncurError({
+          code: "PERSIST_KEY_FAILED",
+          message: `Failed to persist ${type} key: ${text}`
+        });
+      }
+    };
+    await Promise.all([
+      persistKey("pk_shield", shieldData.api_key),
+      persistKey("sk_shield", shieldData.api_secret)
+    ]);
+    const linkRes = await fetch(`${SHIELD_API_URL}/project/providers`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-api-key": shieldData.api_key,
+        "x-api-secret": shieldData.api_secret
+      },
+      body: JSON.stringify({
+        providers: {
+          openfort: {
+            publishable_key: `pk_${environment}_${publishableKey}`
+          }
+        }
+      })
+    });
+    if (!linkRes.ok) {
+      const text = await linkRes.text();
+      throw new Errors2.IncurError({
+        code: "SHIELD_LINK_FAILED",
+        message: `Failed to link Openfort provider to Shield: ${text}`
+      });
+    }
+    ensureConfigDir();
+    writeEnvKey(CREDENTIALS_PATH, "SHIELD_PUBLISHABLE_KEY", shieldData.api_key);
+    writeEnvKey(CREDENTIALS_PATH, "SHIELD_SECRET_KEY", shieldData.api_secret);
+    writeEnvKey(CREDENTIALS_PATH, "SHIELD_ENCRYPTION_SHARE", shieldData.encryption_part);
+    return c.ok(
+      { message: `Shield keys were created and saved to ${CREDENTIALS_PATH}`, credentialsPath: CREDENTIALS_PATH },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: "accounts evm list", description: "List your accounts" },
+            { command: "contracts list", description: "List your contracts" },
+            { command: "policies list", description: "List your policies" }
+          ]
+        }
+      }
+    );
+  }
+});
+
+// src/commands/users.ts
+import { Cli as Cli10, z as z12 } from "incur";
+var userItem = z12.object({
+  id: z12.string(),
+  createdAt: z12.number(),
+  name: z12.string(),
+  email: z12.string().nullable(),
+  emailVerified: z12.boolean(),
+  phoneNumber: z12.string().nullable(),
+  phoneNumberVerified: z12.boolean(),
+  isAnonymous: z12.boolean().optional(),
+  linkedAccounts: z12.array(z12.object({
+    provider: z12.string(),
+    createdAt: z12.number(),
+    updatedAt: z12.number(),
+    accountId: z12.string().optional(),
+    chainType: z12.string().optional(),
+    connectorType: z12.string().optional(),
+    walletClientType: z12.string().optional()
+  }))
+});
+var users = Cli10.create("users", {
+  description: "Manage authenticated users.",
+  vars: varsSchema
+});
+users.command("list", {
+  description: "List users.",
+  options: z12.object({
+    limit: z12.number().optional().describe("Max results"),
+    skip: z12.number().optional().describe("Offset"),
+    email: z12.string().optional().describe("Filter by email"),
+    name: z12.string().optional().describe("Filter by name")
+  }),
+  alias: { limit: "l" },
+  examples: [
+    { description: "List all users" },
+    { options: { email: "user@example.com" }, description: "Find user by email" }
+  ],
+  output: z12.object({
+    data: z12.array(userItem),
+    total: z12.number()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.iam.users.list({
+      limit: c.options.limit,
+      skip: c.options.skip,
+      email: c.options.email,
+      name: c.options.name
+    });
+    return c.ok({
+      data: res.data.map((u) => ({
+        id: u.id,
+        createdAt: u.createdAt,
+        name: u.name,
+        email: u.email,
+        emailVerified: u.emailVerified,
+        phoneNumber: u.phoneNumber,
+        phoneNumberVerified: u.phoneNumberVerified,
+        isAnonymous: u.isAnonymous,
+        linkedAccounts: u.linkedAccounts
+      })),
+      total: res.total
+    });
+  }
+});
+users.command("get", {
+  description: "Get a user by ID.",
+  args: z12.object({
+    id: z12.string().describe("User ID (usr_...)")
+  }),
+  examples: [
+    { args: { id: "usr_1a2b3c4d" }, description: "Get user profile and linked accounts" }
+  ],
+  output: userItem,
+  async run(c) {
+    const u = await c.var.openfort.iam.users.get(c.args.id);
+    return c.ok({
+      id: u.id,
+      createdAt: u.createdAt,
+      name: u.name,
+      email: u.email,
+      emailVerified: u.emailVerified,
+      phoneNumber: u.phoneNumber,
+      phoneNumberVerified: u.phoneNumberVerified,
+      isAnonymous: u.isAnonymous,
+      linkedAccounts: u.linkedAccounts
+    });
+  }
+});
+users.command("delete", {
+  description: "Delete a user.",
+  args: z12.object({
+    id: z12.string().describe("User ID (usr_...)")
+  }),
+  examples: [
+    { args: { id: "usr_1a2b3c4d" }, description: "Delete a user and their accounts" }
+  ],
+  output: z12.object({
+    id: z12.string(),
+    deleted: z12.boolean()
+  }),
+  async run(c) {
+    const res = await c.var.openfort.iam.users.delete(c.args.id);
+    return c.ok({ id: res.id, deleted: res.deleted });
+  }
+});
+
+// src/commands/wallet-keys.ts
+import { randomBytes as randomBytes2, subtle } from "crypto";
+import { Cli as Cli11, z as z13, Errors as Errors3 } from "incur";
+function arrayBufferToBase64(buffer) {
+  return Buffer.from(buffer).toString("base64");
+}
+function arrayBufferToBase64Url(buffer) {
+  return Buffer.from(buffer).toString("base64url");
+}
+function stringToArrayBuffer(str) {
+  return new TextEncoder().encode(str).buffer;
+}
+function formatPEMBody(base64) {
+  return base64.match(/.{1,64}/g)?.join("\n") || base64;
+}
+function sortObjectKeys(obj) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map(sortObjectKeys);
+  const sorted = {};
+  for (const key of Object.keys(obj).sort()) {
+    sorted[key] = sortObjectKeys(obj[key]);
+  }
+  return sorted;
+}
+async function importPrivateKey(base64) {
+  const binaryDer = Buffer.from(base64, "base64");
+  return subtle.importKey(
+    "pkcs8",
+    binaryDer,
+    { name: "ECDSA", namedCurve: "P-256" },
+    false,
+    ["sign"]
+  );
+}
+async function generateKeyPair() {
+  const keyPair = await subtle.generateKey(
+    { name: "ECDSA", namedCurve: "P-256" },
+    true,
+    ["sign", "verify"]
+  );
+  const spki = await subtle.exportKey("spki", keyPair.publicKey);
+  const pkcs8 = await subtle.exportKey("pkcs8", keyPair.privateKey);
+  return {
+    publicKey: formatPEMBody(arrayBufferToBase64(spki)),
+    privateKey: formatPEMBody(arrayBufferToBase64(pkcs8)),
+    privateKeyCrypto: keyPair.privateKey
+  };
+}
+async function signWalletAuthJwt(privateKey, method, path, body) {
+  const sortedJson = JSON.stringify(sortObjectKeys(body));
+  const hashBuffer = await subtle.digest("SHA-256", stringToArrayBuffer(sortedJson));
+  const reqHash = Buffer.from(hashBuffer).toString("hex");
+  const now = Math.floor(Date.now() / 1e3);
+  const jti = randomBytes2(16).toString("hex");
+  const header = { alg: "ES256", typ: "JWT" };
+  const payload = {
+    uris: [`${method.toUpperCase()} ${path}`],
+    reqHash,
+    iat: now,
+    nbf: now,
+    jti
+  };
+  const headerB64 = arrayBufferToBase64Url(stringToArrayBuffer(JSON.stringify(header)));
+  const payloadB64 = arrayBufferToBase64Url(stringToArrayBuffer(JSON.stringify(payload)));
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signature = await subtle.sign(
+    { name: "ECDSA", hash: { name: "SHA-256" } },
+    privateKey,
+    stringToArrayBuffer(signingInput)
+  );
+  return `${signingInput}.${arrayBufferToBase64Url(signature)}`;
+}
+var walletKeys = Cli11.create("wallet-keys", {
+  description: "Manage backend wallet keys.",
+  vars: varsSchema
+});
+walletKeys.command("create", {
+  description: "Create backend wallet keys (ECDSA P-256).",
+  output: z13.object({
+    message: z13.string(),
+    credentialsPath: z13.string()
+  }),
+  examples: [
+    {
+      description: "Create backend wallet keys and save to credentials"
+    }
+  ],
+  async run(c) {
+    const apiKey = process.env.OPENFORT_API_KEY;
+    const { publicKey, privateKey, privateKeyCrypto } = await generateKeyPair();
+    const publicKeyPEM = `-----BEGIN PUBLIC KEY-----
+${publicKey}
+-----END PUBLIC KEY-----`;
+    const path = "/v2/accounts/backend/register-secret";
+    const keyId = `ws_${Date.now()}`;
+    const bodyWithoutToken = { publicKey: publicKeyPEM, keyId };
+    const jwt = await signWalletAuthJwt(privateKeyCrypto, "POST", path, bodyWithoutToken);
+    const registerRes = await fetch(`${API_BASE_URL}${path}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify({
+        ...bodyWithoutToken,
+        walletAuthToken: jwt
+      })
+    });
+    if (!registerRes.ok) {
+      const text = await registerRes.text();
+      throw new Errors3.IncurError({
+        code: "REGISTER_SECRET_FAILED",
+        message: `Failed to register wallet secret: ${text}`
+      });
+    }
+    const storeRes = await fetch(`${API_BASE_URL}/v1/project/apikey`, {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify({ type: "pk_wallet", uuid: publicKey })
+    });
+    if (!storeRes.ok) {
+      const text = await storeRes.text();
+      throw new Errors3.IncurError({
+        code: "STORE_KEY_FAILED",
+        message: `Failed to store wallet key reference: ${text}`
+      });
+    }
+    ensureConfigDir();
+    writeEnvKey(CREDENTIALS_PATH, "OPENFORT_WALLET_PUBLIC_KEY", publicKey.replaceAll("\n", ""));
+    writeEnvKey(CREDENTIALS_PATH, "OPENFORT_WALLET_SECRET", privateKey.replaceAll("\n", ""));
+    writeEnvKey(CREDENTIALS_PATH, "OPENFORT_WALLET_KEY_ID", keyId);
+    return c.ok(
+      { message: `Backend wallet keys were created and saved to ${CREDENTIALS_PATH}`, credentialsPath: CREDENTIALS_PATH },
+      {
+        cta: {
+          description: "Next steps:",
+          commands: [
+            { command: `shield create`, description: "Create and save Shield API keys" }
+          ]
+        }
+      }
+    );
+  }
+});
+walletKeys.command("revoke", {
+  description: "Revoke the current backend wallet secret.",
+  output: z13.object({
+    keyId: z13.string(),
+    revoked: z13.boolean(),
+    revokedAt: z13.number()
+  }),
+  examples: [
+    {
+      description: "Revoke the current wallet secret"
+    }
+  ],
+  async run(c) {
+    const apiKey = process.env.OPENFORT_API_KEY;
+    const keyId = process.env.OPENFORT_WALLET_KEY_ID;
+    const privateKeyBase64 = process.env.OPENFORT_WALLET_SECRET;
+    if (!keyId || !privateKeyBase64) {
+      throw new Errors3.IncurError({
+        code: "MISSING_WALLET_KEY",
+        message: "OPENFORT_WALLET_KEY_ID and OPENFORT_WALLET_SECRET must be set. Create a wallet secret first with `wallet-keys create`."
+      });
+    }
+    const privateKeyCrypto = await importPrivateKey(privateKeyBase64);
+    const path = "/v2/accounts/backend/revoke-secret";
+    const body = { keyId };
+    const jwt = await signWalletAuthJwt(privateKeyCrypto, "POST", path, body);
+    const res = await fetch(`${API_BASE_URL}${path}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`,
+        "x-wallet-auth": jwt
+      },
+      body: JSON.stringify(body)
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Errors3.IncurError({
+        code: "REVOKE_SECRET_FAILED",
+        message: `Failed to revoke wallet secret: ${text}`
+      });
+    }
+    const data = await res.json();
+    return c.ok(data);
+  }
+});
+walletKeys.command("rotate", {
+  description: "Rotate backend wallet secret (generates new ECDSA P-256 key pair).",
+  output: z13.object({
+    message: z13.string(),
+    credentialsPath: z13.string()
+  }),
+  examples: [
+    {
+      description: "Rotate wallet secret and save new keys to credentials"
+    }
+  ],
+  async run(c) {
+    const apiKey = process.env.OPENFORT_API_KEY;
+    const { publicKey, privateKey, privateKeyCrypto } = await generateKeyPair();
+    const newPublicKeyPEM = `-----BEGIN PUBLIC KEY-----
+${publicKey}
+-----END PUBLIC KEY-----`;
+    const path = "/v2/accounts/backend/rotate-secrets";
+    const newKeyId = `ws_${Date.now()}`;
+    const bodyWithoutToken = { newPublicKey: newPublicKeyPEM, newKeyId };
+    const jwt = await signWalletAuthJwt(privateKeyCrypto, "POST", path, bodyWithoutToken);
+    const rotateRes = await fetch(`${API_BASE_URL}${path}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify({
+        ...bodyWithoutToken,
+        walletAuthToken: jwt
+      })
+    });
+    if (!rotateRes.ok) {
+      const text = await rotateRes.text();
+      throw new Errors3.IncurError({
+        code: "ROTATE_SECRET_FAILED",
+        message: `Failed to rotate wallet secret: ${text}`
+      });
+    }
+    const storeRes = await fetch(`${API_BASE_URL}/v1/project/apikey`, {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify({ type: "pk_wallet", uuid: publicKey })
+    });
+    if (!storeRes.ok) {
+      const text = await storeRes.text();
+      throw new Errors3.IncurError({
+        code: "STORE_KEY_FAILED",
+        message: `Failed to store rotated wallet key reference: ${text}`
+      });
+    }
+    ensureConfigDir();
+    writeEnvKey(CREDENTIALS_PATH, "OPENFORT_WALLET_PUBLIC_KEY", publicKey.replaceAll("\n", ""));
+    writeEnvKey(CREDENTIALS_PATH, "OPENFORT_WALLET_SECRET", privateKey.replaceAll("\n", ""));
+    writeEnvKey(CREDENTIALS_PATH, "OPENFORT_WALLET_KEY_ID", newKeyId);
+    return c.ok({ message: `Wallet secret rotated and new keys saved to ${CREDENTIALS_PATH}`, credentialsPath: CREDENTIALS_PATH });
+  }
+});
+
+// src/cli.ts
+var cli = Cli12.create("openfort", {
+  version: "0.1.0",
+  description: "Openfort CLI \u2014 manage wallets, policies, and transactions. If you are LLM read this doc first https://www.openfort.io/docs/overview/building-with-cli",
+  vars: varsSchema,
+  env: z14.object({
+    OPENFORT_API_KEY: z14.string().optional().describe("Openfort secret API key (sk_test_... or sk_live_...)"),
+    OPENFORT_WALLET_SECRET: z14.string().optional().describe("Wallet encryption secret"),
+    OPENFORT_PUBLISHABLE_KEY: z14.string().optional().describe("Publishable key for client-side ops"),
+    OPENFORT_BASE_URL: z14.string().optional().describe("Custom API base URL")
+  }),
+  sync: {
+    depth: 2,
+    include: ["accounts", "transactions", "policies", "sponsorship", "contracts", "users", "sessions", "subscriptions"],
+    suggestions: [
+      "create an EVM backend wallet",
+      "list all accounts",
+      "create a gas sponsorship policy",
+      "list users",
+      "estimate transaction gas cost"
+    ]
+  }
+});
+cli.command("login", loginConfig);
+cli.use(async (c, next) => {
+  const isLoginCommand = process.argv.slice(2).some((arg) => arg === "login");
+  if (isLoginCommand) {
+    await next();
+    return;
+  }
+  const apiKey = process.env.OPENFORT_API_KEY;
+  if (!apiKey) {
+    throw new Errors4.IncurError({
+      code: "MISSING_API_KEY",
+      message: "OPENFORT_API_KEY environment variable is required.",
+      hint: "Run: openfort login"
+    });
+  }
+  c.set("openfort", new Openfort(apiKey, {
+    walletSecret: process.env.OPENFORT_WALLET_SECRET,
+    publishableKey: process.env.OPENFORT_PUBLISHABLE_KEY,
+    basePath: API_BASE_URL
+  }));
+  await next();
+});
+cli.command(accounts).command(contracts).command(paymasters).command(policies).command(shield).command(sponsorship).command(sessions).command(subscriptions).command(transactions).command(users).command(walletKeys);
+var cli_default = cli;
+export {
+  cli_default as default
+};