@openfort/cli 0.1.4 → 0.1.5

package/README.md

@@ -1,40 +1,17 @@
-![Illustration_02](https://github.com/user-attachments/assets/7733bc34-9fa7-4e43-bde0-bbbf5518738c)
-
-
-<div align="center">
-  <h4>
-    <a href="https://www.openfort.io/">
-      Website
-    </a>
-    <span> | </span>
-    <a href="https://www.openfort.io/docs/overview/building-with-cli">
-      Documentation
-    </a>
-    <span> | </span>
-    <a href="https://x.com/openfort_hq">
-      X
-    </a>
-  </h4>
-</div>
-
 # Openfort CLI
 
-[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
-[![Documentation](https://img.shields.io/badge/docs-openfort.io-blue)](https://www.openfort.io/docs/overview/building-with-cli)
-[![Version](https://img.shields.io/npm/v/@openfort/cli.svg)](https://www.npmjs.org/package/@openfort/cli)
+The official CLI for [Openfort](https://openfort.io).
 
-**Manage wallets, policies, and transactions from the terminal.** CLI for Openfort's wallet infrastructure.
+Built for humans, AI agents, and CI/CD pipelines.
 
-## Features
-- 💼 **Account Management** — create and list smart accounts
-- 📜 **Contracts** — register and manage on-chain contracts
-- ⚡ **Transactions** — send and estimate transactions
-- 🔐 **Session Keys** — create and manage session keys
-- 💸 **Gas Sponsorship** — configure policies and sponsorship rules
-- 👥 **Users** — manage users and wallet keys
-- 🔒 **Shield** — wallet encryption and recovery
-- 🔔 **Subscriptions** — set up webhooks and event subscriptions
-- 🤖 **AI-friendly** — works as an MCP tool for LLM agents
+```
+██████╗ ██████╗ ███████╗███╗   ██╗███████╗ ██████╗ ██████╗ ████████╗
+██╔═══██╗██╔══██╗██╔════╝████╗  ██║██╔════╝██╔═══██╗██╔══██╗╚══██╔══╝
+██║   ██║██████╔╝█████╗  ██╔██╗ ██║█████╗  ██║   ██║██████╔╝   ██║   
+██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║██╔══╝  ██║   ██║██╔══██╗   ██║   
+╚██████╔╝██║     ███████╗██║ ╚████║██║     ╚██████╔╝██║  ██║   ██║   
+ ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝╚═╝      ╚═════╝ ╚═╝  ╚═╝   ╚═╝  
+```
 
 ## Quick Start
 
@@ -48,46 +25,86 @@ npm install -g @openfort/cli
 openfort login
 ```
 
-### 3. Use
+### 3. Set up backend wallet signing keys
+```bash
+openfort backend-wallet setup
+```
+
+### 4. Use
 ```bash
-# List accounts
+# List all accounts across chains
 openfort accounts list
 
-# Create a backend wallet
-openfort accounts create --chainId 80002
+# Create an EVM backend wallet
+openfort accounts evm create
+
+# Create a Solana backend wallet
+openfort accounts solana create
 
 # List policies
 openfort policies list
 
 # Send a transaction
-openfort transactions create --policy <policy_id> --interactions '[...]'
+openfort transactions create --account acc_1a2b3c4d --chainId 137 --interactions '[{"to":"0x...","value":"0"}]'
+
+# Estimate gas cost
+openfort transactions estimate --account acc_1a2b3c4d --chainId 137 --interactions '[{"to":"0x...","value":"0"}]'
+```
+
+## AI Agent Integration
+
+### MCP (Model Context Protocol)
+
+Register the CLI as an MCP server for your AI agent:
+
+```bash
+openfort mcp add
+```
+
+This registers Openfort tools in Claude Code, Cursor, and Amp. Agents can then call any CLI command as a tool.
+
+### Skills
+
+Install agent skill files for discovery:
+
+```bash
+openfort skills add
 ```
 
 ## Environment Variables
 
-| Variable | Description |
-|---|---|
-| `OPENFORT_API_KEY` | Secret API key (`sk_test_...` or `sk_live_...`) |
-| `OPENFORT_WALLET_SECRET` | Wallet encryption secret |
-| `OPENFORT_PUBLISHABLE_KEY` | Publishable key for client-side ops |
-| `OPENFORT_BASE_URL` | Custom API base URL |
+| Variable                   | Description                                     |
+| -------------------------- | ----------------------------------------------- |
+| `OPENFORT_API_KEY`         | Secret API key (`sk_test_...` or `sk_live_...`) |
+| `OPENFORT_WALLET_SECRET`   | Wallet encryption secret                        |
+| `OPENFORT_PUBLISHABLE_KEY` | Publishable key for client-side ops             |
+| `OPENFORT_BASE_URL`        | Custom API base URL                             |
 
 ## Commands
 
-| Command | Description |
-|---|---|
-| `login` | Authenticate with your Openfort API key |
-| `accounts` | Create and manage smart accounts |
-| `contracts` | Register and manage contracts |
-| `paymasters` | Manage paymasters |
-| `policies` | Configure gas policies |
-| `sponsorship` | Set up gas sponsorship rules |
-| `sessions` | Manage session keys |
-| `subscriptions` | Set up webhooks and subscriptions |
-| `transactions` | Send and estimate transactions |
-| `users` | Manage users |
-| `wallet-keys` | Manage wallet keys |
-| `shield` | Wallet encryption and recovery |
+| Command           | Description                                                         |
+| ----------------- | ------------------------------------------------------------------- |
+| `login`           | Log in to Openfort via browser and save your API key                |
+| `accounts`        | Manage wallets and accounts (EVM and Solana subcommands)            |
+| `contracts`       | Manage smart contracts                                              |
+| `paymasters`      | Manage ERC-4337 paymasters                                          |
+| `policies`        | Manage rules and conditions for backend wallets and fee sponsorship |
+| `sponsorship`     | Manage fee sponsorship strategies linked to policies                |
+| `sessions`        | Manage session keys                                                 |
+| `subscriptions`   | Manage webhook subscriptions and triggers                           |
+| `transactions`    | Manage transaction intents                                          |
+| `users`           | Manage authenticated users                                          |
+| `backend-wallet`  | Configure backend wallet signing keys                               |
+| `embedded-wallet` | Configure embedded wallet (Shield) API keys                         |
+| `message`         | Message utilities (e.g. keccak256 hashing)                          |
+
+## Alias
+
+The CLI is also available as `of`:
+
+```bash
+of accounts list
+```
 
 ## Documentation
 

package/dist/cli.js

@@ -5,6 +5,7 @@ import {
 } from "./chunk-QJGHQ7ID.js";
 
 // src/cli.ts
+import { readFileSync as readFileSync2 } from "fs";
 import { Cli as Cli13, z as z15, Errors as Errors4 } from "incur";
 import Openfort from "@openfort/openfort-node";
 
@@ -198,10 +199,12 @@ var loginConfig = {
     const authUrl = new URL(`${AUTH_PAGE_URL}/oauth/consent`);
     authUrl.searchParams.set("redirect_uri", redirectUri);
     authUrl.searchParams.set("state", state);
-    console.log("\nOpen this URL in your browser to log in:\n");
-    console.log(`  ${authUrl.toString()}
+    if (!c.agent) {
+      console.log("\nOpen this URL in your browser to log in:\n");
+      console.log(`  ${authUrl.toString()}
 `);
-    console.log("Waiting for authentication...\n");
+      console.log("Waiting for authentication...\n");
+    }
     const { apiKey, publishableKey, projectId, project } = await waitForCallback(port, state);
     ensureConfigDir();
     writeEnvKey(CREDENTIALS_PATH, "OPENFORT_API_KEY", apiKey);
@@ -211,14 +214,16 @@ var loginConfig = {
     if (projectId) {
       writeEnvKey(CREDENTIALS_PATH, "OPENFORT_PROJECT_ID", projectId);
     }
-    console.log(`Saved API key for project "${project}" to ${CREDENTIALS_PATH}`);
+    if (!c.agent) {
+      console.log(`Saved API key for project "${project}" to ${CREDENTIALS_PATH}`);
+    }
     return c.ok(
       { apiKey, project, credentialsPath: CREDENTIALS_PATH },
       {
         cta: {
           description: "Next steps:",
           commands: [
-            { command: `wallet-keys create`, description: "Create and save wallet keys necessary for backend wallet creation" }
+            { command: `backend-wallet setup`, description: "Set up signing keys for backend wallets" }
           ]
         }
       }
@@ -227,19 +232,23 @@ var loginConfig = {
 };
 
 // src/commands/accounts.ts
-import { Cli, z as z3, Errors } from "incur";
-function requireWalletCredentials() {
+import { Cli, z as z3, middleware } from "incur";
+var requireWallet = middleware((c, next) => {
   const missing = [];
   if (!process.env.OPENFORT_WALLET_SECRET) missing.push("OPENFORT_WALLET_SECRET");
   if (!process.env.OPENFORT_PUBLISHABLE_KEY) missing.push("OPENFORT_PUBLISHABLE_KEY");
   if (missing.length > 0) {
-    throw new Errors.IncurError({
+    return c.error({
       code: "MISSING_CREDENTIALS",
       message: `Missing required credentials: ${missing.join(", ")}`,
-      hint: "Run: openfort wallet-keys create"
+      cta: {
+        description: "Set up wallet credentials:",
+        commands: [{ command: "backend-wallet setup", description: "Set up signing keys for backend wallets" }]
+      }
     });
   }
-}
+  return next();
+});
 var evm = Cli.create("evm", {
   description: "EVM wallet management.",
   vars: varsSchema
@@ -247,15 +256,16 @@ var evm = Cli.create("evm", {
 evm.command("create", {
   description: "Create a new EVM backend wallet.",
   examples: [
-    { description: "Create a new EVM wallet" }
+    { description: "Create a new EVM backend wallet (developer custody)" }
   ],
+  hint: "Requires OPENFORT_WALLET_SECRET and OPENFORT_PUBLISHABLE_KEY.",
+  middleware: [requireWallet],
   output: z3.object({
     id: z3.string().describe("Account ID"),
     address: z3.string().describe("Wallet address"),
     custody: z3.string().describe("Custody type")
   }),
   async run(c) {
-    requireWalletCredentials();
     const account = await c.var.openfort.accounts.evm.backend.create();
     return c.ok(
       { id: account.id, address: account.address, custody: account.custody },
@@ -421,7 +431,7 @@ evm.command("update", {
   }),
   options: z3.object({
     chainId: z3.number().describe("Chain ID to deploy on"),
-    implementationType: z3.string().describe("Smart account implementation type we will update to")
+    implementationType: z3.string().describe("Target implementation type (e.g. CaliburV9)")
   }),
   examples: [
     { args: { id: "acc_1a2b3c4d" }, options: { chainId: 8453, implementationType: "CaliburV9" }, description: "Upgrade to delegated account on Base" }
@@ -453,7 +463,7 @@ evm.command("update", {
         cta: {
           description: "Next steps:",
           commands: [
-            { command: `accounts evm list-delegated`, description: "To see all accounts which were updated to delegated ones" }
+            { command: `accounts evm list-delegated`, description: "List all delegated accounts" }
           ]
         }
       }
@@ -471,11 +481,12 @@ evm.command("sign", {
   examples: [
     { args: { id: "acc_1a2b3c4d" }, options: { data: "0xdeadbeef" }, description: "Sign a message hash" }
   ],
+  hint: "Requires OPENFORT_WALLET_SECRET and OPENFORT_PUBLISHABLE_KEY.",
+  middleware: [requireWallet],
   output: z3.object({
     signature: z3.string()
   }),
   async run(c) {
-    requireWalletCredentials();
     const signature = await c.var.openfort.accounts.evm.backend.sign({
       id: c.args.id,
       data: c.options.data
@@ -491,13 +502,14 @@ evm.command("import", {
   examples: [
     { options: { privateKey: "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" }, description: "Import a private key" }
   ],
+  hint: "Requires OPENFORT_WALLET_SECRET and OPENFORT_PUBLISHABLE_KEY.",
+  middleware: [requireWallet],
   output: z3.object({
     id: z3.string(),
     address: z3.string(),
     custody: z3.string()
   }),
   async run(c) {
-    requireWalletCredentials();
     const account = await c.var.openfort.accounts.evm.backend.import({
       privateKey: c.options.privateKey
     });
@@ -516,11 +528,11 @@ evm.command("export", {
   examples: [
     { args: { id: "acc_1a2b3c4d" }, description: "Export private key" }
   ],
+  middleware: [requireWallet],
   output: z3.object({
     privateKey: z3.string()
   }),
   async run(c) {
-    requireWalletCredentials();
     const privateKey = await c.var.openfort.accounts.evm.backend.export({
       id: c.args.id
     });
@@ -535,7 +547,7 @@ evm.command("send-transaction", {
   options: z3.object({
     chainId: z3.number().describe("Chain ID"),
     interactions: z3.string().describe('Interactions as JSON: [{"to":"0x...","data":"0x...","value":"0"}]'),
-    policy: z3.string().optional().describe("Policy ID for gas sponsorship (pol_...)")
+    policy: z3.string().optional().describe("Fee sponsorship ID (pol_...)")
   }),
   examples: [
     {
@@ -547,6 +559,7 @@ evm.command("send-transaction", {
       description: "Send a gasless transaction on Base"
     }
   ],
+  middleware: [requireWallet],
   output: z3.object({
     id: z3.string(),
     chainId: z3.number(),
@@ -575,15 +588,16 @@ var solana = Cli.create("solana", {
 solana.command("create", {
   description: "Create a new Solana backend wallet.",
   examples: [
-    { description: "Create a new Solana wallet" }
+    { description: "Create a new Solana backend wallet (developer custody)" }
   ],
+  hint: "Requires OPENFORT_WALLET_SECRET and OPENFORT_PUBLISHABLE_KEY.",
+  middleware: [requireWallet],
   output: z3.object({
     id: z3.string().describe("Account ID"),
     address: z3.string().describe("Wallet address"),
     custody: z3.string().describe("Custody type")
   }),
   async run(c) {
-    requireWalletCredentials();
     const account = await c.var.openfort.accounts.solana.backend.create();
     return c.ok(
       { id: account.id, address: account.address, custody: account.custody },
@@ -662,6 +676,8 @@ solana.command("sign", {
     data: z3.string().describe("Data to sign (base64-encoded)")
   }),
   alias: { data: "d" },
+  hint: "Requires OPENFORT_WALLET_SECRET and OPENFORT_PUBLISHABLE_KEY.",
+  middleware: [requireWallet],
   output: z3.object({
     account: z3.string(),
     signature: z3.string()
@@ -674,7 +690,6 @@ solana.command("sign", {
     }
   ],
   async run(c) {
-    requireWalletCredentials();
     const signature = await c.var.openfort.accounts.solana.backend.sign(c.args.id, c.options.data);
     return c.ok({ account: c.args.id, signature });
   }
@@ -696,26 +711,6 @@ solana.command("delete", {
     return c.ok({ id: res.id, deleted: res.deleted });
   }
 });
-solana.command("sign", {
-  description: "Sign data with a Solana backend wallet.",
-  args: z3.object({
-    id: z3.string().describe("Account ID (acc_...)")
-  }),
-  options: z3.object({
-    data: z3.string().describe("Data to sign")
-  }),
-  examples: [
-    { args: { id: "acc_1a2b3c4d" }, options: { data: "hello" }, description: "Sign a message" }
-  ],
-  output: z3.object({
-    signature: z3.string()
-  }),
-  async run(c) {
-    requireWalletCredentials();
-    const signature = await c.var.openfort.accounts.solana.backend.sign(c.args.id, c.options.data);
-    return c.ok({ signature });
-  }
-});
 solana.command("import", {
   description: "Import a private key as a Solana backend wallet.",
   options: z3.object({
@@ -724,13 +719,14 @@ solana.command("import", {
   examples: [
     { options: { privateKey: "abc123..." }, description: "Import a Solana private key" }
   ],
+  hint: "Requires OPENFORT_WALLET_SECRET and OPENFORT_PUBLISHABLE_KEY.",
+  middleware: [requireWallet],
   output: z3.object({
     id: z3.string(),
     address: z3.string(),
     custody: z3.string()
   }),
   async run(c) {
-    requireWalletCredentials();
     const account = await c.var.openfort.accounts.solana.backend.import({
       privateKey: c.options.privateKey
     });
@@ -749,11 +745,11 @@ solana.command("export", {
   examples: [
     { args: { id: "acc_1a2b3c4d" }, description: "Export private key" }
   ],
+  middleware: [requireWallet],
   output: z3.object({
     privateKey: z3.string()
   }),
   async run(c) {
-    requireWalletCredentials();
     const privateKey = await c.var.openfort.accounts.solana.backend.export({
       id: c.args.id
     });
@@ -783,6 +779,7 @@ solana.command("transfer", {
       description: "Transfer 1 USDC on devnet"
     }
   ],
+  middleware: [requireWallet],
   output: z3.object({
     signature: z3.string()
   }),
@@ -924,7 +921,7 @@ contracts.command("create", {
       description: "Register USDC on Polygon"
     },
     {
-      options: { name: "My NFT", address: "0x1234...", chainId: 1, abi: '[{"type":"function","name":"mint",...}]' },
+      options: { name: "My Token", address: "0x1234...", chainId: 1, abi: '[{"type":"function","name":"mint","inputs":[],"outputs":[],"stateMutability":"nonpayable"}]' },
       description: "Register contract with ABI"
     }
   ],
@@ -1109,7 +1106,7 @@ paymasters.command("update", {
     id: z5.string().describe("Paymaster ID (pay_...)")
   }),
   options: z5.object({
-    address: z5.string().describe("Paymaster address"),
+    address: z5.string().optional().describe("Paymaster address"),
     name: z5.string().optional().describe("New name"),
     url: z5.string().optional().describe("New URL")
   }),
@@ -1154,7 +1151,7 @@ paymasters.command("delete", {
 import { Cli as Cli4, z as z6 } from "incur";
 var policyScopes = ["project", "account", "transaction"];
 var policies = Cli4.create("policies", {
-  description: "Manage access-control policies.",
+  description: "Manage rules and conditions for backend wallets and fee sponsorship.",
   vars: varsSchema
 });
 policies.command("list", {
@@ -1227,6 +1224,14 @@ policies.command("create", {
         rules: '[{"action":"accept","operation":"sponsorEvmTransaction","criteria":[{"type":"evmNetwork","operator":"in","chainIds":[137]}]}]'
       },
       description: "Create a policy to sponsor transactions on Polygon"
+    },
+    {
+      options: {
+        scope: "account",
+        description: "Allow signing for a specific account",
+        rules: '[{"action":"accept","operation":"signEvmTransaction"}]'
+      },
+      description: "Allow EVM transaction signing"
     }
   ],
   async run(c) {
@@ -1401,7 +1406,7 @@ var sponsorshipItem = z7.object({
   policyId: z7.string().nullable()
 });
 var sponsorship = Cli5.create("sponsorship", {
-  description: "Manage fee sponsorships for gas costs.",
+  description: "Manage fee sponsorship strategies linked to policies.",
   vars: varsSchema
 });
 sponsorship.command("list", {
@@ -1937,7 +1942,7 @@ sessions.command("create", {
     player: z9.string().optional().describe("Player ID (pla_...)"),
     account: z9.string().optional().describe("Account ID (acc_...)"),
     limit: z9.number().optional().describe("Max session uses"),
-    policy: z9.string().optional().describe("Policy ID for gas sponsorship (pol_...)"),
+    policy: z9.string().optional().describe("Policy ID (ply_...) for gas sponsorship"),
     whitelist: z9.string().optional().describe("Whitelisted contract addresses as JSON array")
   }),
   examples: [
@@ -2018,7 +2023,7 @@ sessions.command("revoke", {
     address: z9.string().describe("Session key address to revoke"),
     chainId: z9.number().describe("Chain ID"),
     player: z9.string().optional().describe("Player ID (pla_...)"),
-    policy: z9.string().optional().describe("Policy ID (pol_...)")
+    policy: z9.string().optional().describe("Policy ID (ply_...) for gas sponsorship")
   }),
   examples: [
     { options: { address: "0x1234...", chainId: 137 }, description: "Revoke a session key" }
@@ -2153,7 +2158,7 @@ transactions.command("create", {
     account: z10.string().describe("Account ID (acc_...)"),
     chainId: z10.number().describe("Chain ID"),
     interactions: z10.string().describe('Interactions as JSON: [{"to":"0x...","data":"0x...","value":"0"}]'),
-    policy: z10.string().optional().describe("Policy ID for gas sponsorship"),
+    policy: z10.string().optional().describe("Policy ID (ply_...) for gas sponsorship"),
     signedAuthorization: z10.string().optional().describe("Signed EIP-7702 authorization hex (for delegated accounts)")
   }),
   output: transactionIntentItem,
@@ -2171,9 +2176,9 @@ transactions.command("create", {
         account: "acc_1a2b3c4d",
         chainId: 137,
         interactions: '[{"to":"0x742d35Cc6634C0532925a3b844Bc9e7595f92cD5","value":"1000000000000000000"}]',
-        policy: "ply_1a2b3c4d"
+        policy: "pol_1a2b3c4d"
       },
-      description: "Send 1 MATIC with gas sponsorship"
+      description: "Send 1 POL with gas sponsorship"
     }
   ],
   async run(c) {
@@ -2280,7 +2285,7 @@ transactions.command("estimate", {
     account: z10.string().describe("Account ID (acc_...)"),
     chainId: z10.number().describe("Chain ID"),
     interactions: z10.string().describe("Interactions as JSON"),
-    policy: z10.string().optional().describe("Policy ID for gas sponsorship")
+    policy: z10.string().optional().describe("Fee sponsorship ID (pol_...) for gas sponsorship")
   }),
   examples: [
     {
@@ -2313,15 +2318,15 @@ transactions.command("estimate", {
   }
 });
 
-// src/commands/shield.ts
+// src/commands/embedded-wallet.ts
 import { Cli as Cli9, z as z11, Errors as Errors2 } from "incur";
 var SHIELD_API_URL = OPENFORT_SHIELD_URL;
-var shield = Cli9.create("shield", {
-  description: "Manage Shield (embedded wallet) API keys.",
+var embeddedWallet = Cli9.create("embedded-wallet", {
+  description: "Configure embedded wallet (Shield) API keys.",
   vars: varsSchema
 });
-shield.command("create", {
-  description: "Create Shield API keys for embedded wallets.",
+embeddedWallet.command("setup", {
+  description: "Generate and register embedded wallet (Shield) API keys.",
   options: z11.object({
     project: z11.string().optional().describe("Project ID (pro_...). Defaults to OPENFORT_PROJECT_ID env var.")
   }),
@@ -2333,9 +2338,10 @@ shield.command("create", {
   examples: [
     {
       options: { project: "pro_abc123" },
-      description: "Create Shield keys for a project"
+      description: "Set up embedded wallet keys for a project"
     }
   ],
+  hint: 'Requires OPENFORT_PUBLISHABLE_KEY and OPENFORT_PROJECT_ID. Run "openfort login" first.',
   async run(c) {
     const publishableKey = process.env.OPENFORT_PUBLISHABLE_KEY;
     if (!publishableKey) {
@@ -2371,7 +2377,8 @@ shield.command("create", {
       const text = await registerRes.text();
       throw new Errors2.IncurError({
         code: "SHIELD_REGISTER_FAILED",
-        message: `Shield registration failed: ${text}`
+        message: `Shield registration failed: ${text}`,
+        retryable: true
       });
     }
     const shieldData = await registerRes.json();
@@ -2394,7 +2401,8 @@ shield.command("create", {
         const text = await res.text();
         throw new Errors2.IncurError({
           code: "PERSIST_KEY_FAILED",
-          message: `Failed to persist ${type} key: ${text}`
+          message: `Failed to persist ${type} key: ${text}`,
+          retryable: true
         });
       }
     };
@@ -2421,7 +2429,8 @@ shield.command("create", {
       const text = await linkRes.text();
       throw new Errors2.IncurError({
         code: "SHIELD_LINK_FAILED",
-        message: `Failed to link Openfort provider to Shield: ${text}`
+        message: `Failed to link Openfort provider to Shield: ${text}`,
+        retryable: true
       });
     }
     ensureConfigDir();
@@ -2429,7 +2438,7 @@ shield.command("create", {
     writeEnvKey(CREDENTIALS_PATH, "SHIELD_SECRET_KEY", shieldData.api_secret);
     writeEnvKey(CREDENTIALS_PATH, "SHIELD_ENCRYPTION_SHARE", shieldData.encryption_part);
     return c.ok(
-      { message: `Shield keys were created and saved to ${CREDENTIALS_PATH}`, credentialsPath: CREDENTIALS_PATH },
+      { message: `Embedded wallet keys were created and saved to ${CREDENTIALS_PATH}`, credentialsPath: CREDENTIALS_PATH },
       {
         cta: {
           description: "Next steps:",
@@ -2551,7 +2560,7 @@ users.command("delete", {
   }
 });
 
-// src/commands/wallet-keys.ts
+// src/commands/backend-wallet.ts
 import { randomBytes as randomBytes2, subtle } from "crypto";
 import { Cli as Cli11, z as z13, Errors as Errors3 } from "incur";
 function arrayBufferToBase64(buffer) {
@@ -2623,21 +2632,22 @@ async function signWalletAuthJwt(privateKey, method, path, body) {
   );
   return `${signingInput}.${arrayBufferToBase64Url(signature)}`;
 }
-var walletKeys = Cli11.create("wallet-keys", {
-  description: "Manage backend wallet keys.",
+var backendWallet = Cli11.create("backend-wallet", {
+  description: "Configure backend wallet signing keys.",
   vars: varsSchema
 });
-walletKeys.command("create", {
-  description: "Create backend wallet keys (ECDSA P-256).",
+backendWallet.command("setup", {
+  description: "Generate and register backend wallet signing keys (ECDSA P-256).",
   output: z13.object({
     message: z13.string(),
     credentialsPath: z13.string()
   }),
   examples: [
     {
-      description: "Create backend wallet keys and save to credentials"
+      description: "Set up backend wallet signing keys and save to credentials"
     }
   ],
+  hint: 'Requires OPENFORT_API_KEY. Run "openfort login" first.',
   async run(c) {
     const apiKey = process.env.OPENFORT_API_KEY;
     const { publicKey, privateKey, privateKeyCrypto } = await generateKeyPair();
@@ -2663,7 +2673,8 @@ ${publicKey}
       const text = await registerRes.text();
       throw new Errors3.IncurError({
         code: "REGISTER_SECRET_FAILED",
-        message: `Failed to register wallet secret: ${text}`
+        message: `Failed to register wallet secret: ${text}`,
+        retryable: true
       });
     }
     const storeRes = await fetch(`${API_BASE_URL}/v1/project/apikey`, {
@@ -2678,7 +2689,8 @@ ${publicKey}
       const text = await storeRes.text();
       throw new Errors3.IncurError({
         code: "STORE_KEY_FAILED",
-        message: `Failed to store wallet key reference: ${text}`
+        message: `Failed to store wallet key reference: ${text}`,
+        retryable: true
       });
     }
     ensureConfigDir();
@@ -2691,15 +2703,15 @@ ${publicKey}
         cta: {
           description: "Next steps:",
           commands: [
-            { command: `shield create`, description: "Create and save Shield API keys" }
+            { command: `embedded-wallet setup`, description: "Set up embedded wallet keys" }
           ]
         }
       }
     );
   }
 });
-walletKeys.command("revoke", {
-  description: "Revoke the current backend wallet secret.",
+backendWallet.command("revoke", {
+  description: "Revoke the current backend wallet signing secret.",
   output: z13.object({
     keyId: z13.string(),
     revoked: z13.boolean(),
@@ -2710,6 +2722,7 @@ walletKeys.command("revoke", {
       description: "Revoke the current wallet secret"
     }
   ],
+  hint: 'Requires OPENFORT_WALLET_KEY_ID and OPENFORT_WALLET_SECRET. Run "openfort backend-wallet setup" first.',
   async run(c) {
     const apiKey = process.env.OPENFORT_API_KEY;
     const keyId = process.env.OPENFORT_WALLET_KEY_ID;
@@ -2717,7 +2730,8 @@ walletKeys.command("revoke", {
     if (!keyId || !privateKeyBase64) {
       throw new Errors3.IncurError({
         code: "MISSING_WALLET_KEY",
-        message: "OPENFORT_WALLET_KEY_ID and OPENFORT_WALLET_SECRET must be set. Create a wallet secret first with `wallet-keys create`."
+        message: "OPENFORT_WALLET_KEY_ID and OPENFORT_WALLET_SECRET must be set. Run `backend-wallet setup` first.",
+        hint: "Run: openfort backend-wallet setup"
       });
     }
     const privateKeyCrypto = await importPrivateKey(privateKeyBase64);
@@ -2737,15 +2751,16 @@ walletKeys.command("revoke", {
       const text = await res.text();
       throw new Errors3.IncurError({
         code: "REVOKE_SECRET_FAILED",
-        message: `Failed to revoke wallet secret: ${text}`
+        message: `Failed to revoke wallet secret: ${text}`,
+        retryable: true
       });
     }
     const data = await res.json();
     return c.ok(data);
   }
 });
-walletKeys.command("rotate", {
-  description: "Rotate backend wallet secret (generates new ECDSA P-256 key pair).",
+backendWallet.command("rotate", {
+  description: "Rotate backend wallet signing secret (generates new ECDSA P-256 key pair).",
   output: z13.object({
     message: z13.string(),
     credentialsPath: z13.string()
@@ -2755,6 +2770,7 @@ walletKeys.command("rotate", {
       description: "Rotate wallet secret and save new keys to credentials"
     }
   ],
+  hint: 'Requires OPENFORT_API_KEY. Run "openfort login" first.',
   async run(c) {
     const apiKey = process.env.OPENFORT_API_KEY;
     const { publicKey, privateKey, privateKeyCrypto } = await generateKeyPair();
@@ -2780,7 +2796,8 @@ ${publicKey}
       const text = await rotateRes.text();
       throw new Errors3.IncurError({
         code: "ROTATE_SECRET_FAILED",
-        message: `Failed to rotate wallet secret: ${text}`
+        message: `Failed to rotate wallet secret: ${text}`,
+        retryable: true
       });
     }
     const storeRes = await fetch(`${API_BASE_URL}/v1/project/apikey`, {
@@ -2795,7 +2812,8 @@ ${publicKey}
       const text = await storeRes.text();
       throw new Errors3.IncurError({
         code: "STORE_KEY_FAILED",
-        message: `Failed to store rotated wallet key reference: ${text}`
+        message: `Failed to store rotated wallet key reference: ${text}`,
+        retryable: true
       });
     }
     ensureConfigDir();
@@ -2831,9 +2849,11 @@ message.command("hash", {
 });
 
 // src/cli.ts
+var pkg = JSON.parse(readFileSync2(new URL("../package.json", import.meta.url), "utf-8"));
 var cli = Cli13.create("openfort", {
-  version: "0.1.0",
-  description: "Openfort CLI \u2014 manage wallets, policies, and transactions. If you are LLM read this doc first https://www.openfort.io/docs/overview/building-with-cli",
+  version: pkg.version,
+  aliases: ["of"],
+  description: "Openfort CLI \u2014 manage wallets, policies, and transactions from the terminal.",
   vars: varsSchema,
   env: z15.object({
     OPENFORT_API_KEY: z15.string().optional().describe("Openfort secret API key (sk_test_... or sk_live_...)"),
@@ -2843,14 +2863,17 @@ var cli = Cli13.create("openfort", {
   }),
   sync: {
     depth: 2,
-    include: ["accounts", "transactions", "policies", "sponsorship", "contracts", "users", "sessions", "subscriptions"],
+    include: ["_root", "accounts", "transactions", "policies", "sponsorship", "contracts", "users", "sessions", "subscriptions", "backend-wallet", "embedded-wallet"],
     suggestions: [
       "create an EVM backend wallet",
       "list all accounts",
-      "create a gas sponsorship policy",
+      "create a policy for gas sponsorship",
       "list users",
       "estimate transaction gas cost"
     ]
+  },
+  mcp: {
+    agents: ["claude-code", "cursor", "amp"]
   }
 });
 cli.command("login", loginConfig);
@@ -2875,7 +2898,7 @@ cli.use(async (c, next) => {
   }));
   await next();
 });
-cli.command(accounts).command(contracts).command(paymasters).command(policies).command(shield).command(sponsorship).command(sessions).command(subscriptions).command(transactions).command(users).command(walletKeys).command(message);
+cli.command(accounts).command(contracts).command(paymasters).command(policies).command(embeddedWallet).command(sponsorship).command(sessions).command(subscriptions).command(transactions).command(users).command(backendWallet).command(message);
 var cli_default = cli;
 export {
   cli_default as default

package/package.json

@@ -1,11 +1,14 @@
 {
   "name": "@openfort/cli",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "Openfort CLI — manage wallets, policies, and transactions from the terminal.",
   "author": "Openfort (https://www.openfort.io)",
   "bugs": "https://github.com/openfort-xyz/cli/issues",
   "homepage": "https://github.com/openfort-xyz/cli#readme",
-  "repository": "github.com/openfort-xyz/cli.git",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/openfort-xyz/cli"
+  },
   "type": "module",
   "bin": {
     "openfort": "./dist/bin.js",
@@ -31,6 +34,7 @@
   "scripts": {
     "dev": "node --import tsx src/bin.ts",
     "build": "tsup",
+    "gen": "pnpm build && incur gen --entry ./dist/cli.js",
     "openfort": "node --import tsx src/bin.ts",
     "skills": "pnpm openfort skills add",
     "changeset": "changeset",