@promus/cli 0.24.17

package/src/commands/deploy.ts

@@ -0,0 +1,204 @@
+import { cancel, intro, isCancel, note, outro, select, spinner } from '@clack/prompts'
+import { NETWORK_CHAIN_ID, iNFTAgentId } from '@promus/core'
+import type { Address, Hex } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import { writeConfigTs } from '../config/render'
+import { loadProfileScopeKeyHex } from '../util/profile-key'
+import { loadTelegramHandoffSecrets } from '../util/telegram-secrets'
+import { loadOrPickOperatorSigner } from './init/operator-picker'
+import {
+  publishSandboxEndpoint,
+  runSandboxProvision,
+  unlockAgentKeystore,
+} from './init/sandbox-provision'
+
+/**
+ * `promus deploy` — migrate an existing local-mode agent into 0G Sandbox via
+ * Option 3 ECIES handoff.
+ *
+ * Pre-conditions:
+ *   - Config exists, deployTarget is `local`
+ *   - iNFT minted, agent EOA funded, keystore on 0G Storage
+ *   - Operator wallet can decrypt the keystore (Phase 6.6 sign-derived-key)
+ *
+ * Flow:
+ *   1. Decrypt agent privkey (operator wallet, Phase 6.6 keystore-blob)
+ *   2. Galileo testnet: deposit + acknowledge TEE signer (idempotent)
+ *   3. createSandbox + bootstrap + poll /bootstrap/pubkey
+ *   4. encryptToPubkey(agentPrivkey, bootstrapPubkey) + operator-sign envelope
+ *   5. POST /bootstrap/provision → harness adopts the agent privkey
+ *   6. Wait for /healthz Ready
+ *   7. Update `agent:endpoint` text record on subname (if registered)
+ *   8. Rewrite config with deployTarget=sandbox + sandbox.id/endpoint/etc
+ *
+ * Local mode keystore + mainnet iNFT + agent EOA all stay valid; if the
+ * sandbox container is later deleted, operator can re-`promus deploy`.
+ */
+export async function runDeploy(): Promise<void> {
+  intro('promus deploy')
+
+  const loaded = await findAndLoadConfig()
+  if (!loaded) {
+    cancel('No promus.config.ts found. Run `promus init` first.')
+    return
+  }
+  let { config } = loaded
+
+  if (!config.identity.iNFT || !config.identity.agent) {
+    cancel('Config has no iNFT or agent. Run `promus init` first.')
+    return
+  }
+  if (config.deployTarget === 'sandbox' && config.sandbox?.id) {
+    note(
+      `Already deployed: sandbox=${config.sandbox.id}\nEndpoint: ${config.sandbox.endpoint}\nTo move to a new container, run \`promus upgrade\` instead.`,
+      'sandbox already attached',
+    )
+    cancel('No-op.')
+    return
+  }
+  if (!config.brain.provider) {
+    cancel('Brain provider not configured. Run `promus model` first.')
+    return
+  }
+
+  const target = (await select({
+    message: 'Migrate to which target?',
+    options: [
+      {
+        value: 'sandbox-galileo' as const,
+        label: '0G Sandbox (Galileo testnet, TDX TEE)',
+      },
+    ],
+    initialValue: 'sandbox-galileo',
+  })) as 'sandbox-galileo' | symbol
+  if (isCancel(target)) {
+    cancel('Aborted.')
+    return
+  }
+
+  const contractAddress = config.identity.iNFT.contract as Address
+  const tokenId = BigInt(config.identity.iNFT.tokenId)
+  const agentAddress = config.identity.agent as Address
+
+  const operator = await loadOrPickOperatorSigner({
+    network: config.network,
+    hint: config.operator,
+  })
+  if (!operator) {
+    cancel('No operator wallet available; cannot decrypt keystore.')
+    return
+  }
+
+  const sUnlock = spinner()
+  sUnlock.start('Fetching keystore + decrypting via operator wallet')
+  let agentPrivkey: Hex
+  try {
+    agentPrivkey = await unlockAgentKeystore({
+      operator,
+      network: config.network,
+      contractAddress,
+      tokenId,
+      agentAddress,
+    })
+    sUnlock.stop('unlocked')
+  } catch (e) {
+    sUnlock.stop(`unlock failed: ${(e as Error).message.slice(0, 160)}`)
+    await operator.close?.()
+    return
+  }
+
+  const sBox = spinner()
+  sBox.start('Provisioning 0G Sandbox container (Galileo testnet)')
+  const telegramSecretsPlain = await loadTelegramHandoffSecrets({
+    signer: operator,
+    agentAddress,
+    contractAddress,
+    tokenId,
+    onNotice: msg => sBox.message(msg),
+  })
+  const deployAgentId = iNFTAgentId({ contractAddress, tokenId })
+  const deployProfileKeyHex = loadProfileScopeKeyHex(deployAgentId)
+  if (!deployProfileKeyHex) {
+    sBox.message('no cached PROFILE key; sandbox will boot without profile-slot anchoring')
+  }
+  let sandboxResult: Awaited<ReturnType<typeof runSandboxProvision>>
+  try {
+    sandboxResult = await runSandboxProvision({
+      operator,
+      agentPrivkey,
+      agentAddress,
+      iNFTRef: { contract: contractAddress, tokenId },
+      brain: {
+        provider: config.brain.provider as Address,
+        model: config.brain.model ?? '',
+      },
+      iNFTNetwork: config.network,
+      name: config.subname || 'promus',
+      ref: process.env.PROMUS_BOOTSTRAP_REF ?? 'main',
+      subname: config.subname,
+      telegramSecrets: telegramSecretsPlain,
+      profileScopeKeyHex: deployProfileKeyHex,
+      onProgress: msg => sBox.message(msg),
+    })
+    sBox.stop(`sandbox ${sandboxResult.sandboxId} ready @ ${sandboxResult.endpoint}`)
+  } catch (e) {
+    sBox.stop(`sandbox deploy failed: ${(e as Error).message.slice(0, 200)}`)
+    note(
+      [
+        'Local agent untouched; iNFT + EOA + keystore remain on 0G Storage.',
+        'Common causes:',
+        '  - insufficient testnet 0G at operator wallet',
+        '  - provider 504 / Daytona upstream timeout',
+        '  - npm mode (default): bun add -g failed (registry transient or missing version)',
+        '  - git mode: bootstrap script git clone failed (pin a different ref via PROMUS_BOOTSTRAP_REF)',
+        '  - try forcing the other mode: PROMUS_BOOTSTRAP_MODE=git promus deploy (for unreleased commits)',
+      ].join('\n'),
+      'recoverable',
+    )
+    await operator.close?.()
+    return
+  }
+
+  if (config.subname) {
+    const sEp = spinner()
+    sEp.start(`Updating agent:endpoint on ${config.subname}.promus.0g`)
+    try {
+      await publishSandboxEndpoint({
+        subname: config.subname,
+        agentPrivkey,
+        endpoint: sandboxResult.endpoint,
+      })
+      sEp.stop('agent:endpoint published')
+    } catch (e) {
+      sEp.stop(`agent:endpoint publish failed: ${(e as Error).message.slice(0, 120)}`)
+    }
+  }
+
+  config = {
+    ...config,
+    deployTarget: 'sandbox' as const,
+    sandbox: {
+      ...(config.sandbox ?? {}),
+      id: sandboxResult.sandboxId,
+      providerAddress: sandboxResult.providerAddress,
+      endpoint: sandboxResult.endpoint,
+      snapshotName: sandboxResult.snapshotName,
+    },
+  }
+  await writeConfigTs(loaded.path, config, { subname: config.subname ?? null })
+
+  await operator.close?.()
+
+  outro(
+    [
+      '',
+      `  sandbox id    ${sandboxResult.sandboxId}`,
+      `  endpoint      ${sandboxResult.endpoint}`,
+      `  agent (in TEE) ${agentAddress}`,
+      `  iNFT          #${tokenId.toString()} on chain ${NETWORK_CHAIN_ID[config.network]}`,
+      '',
+      'Next: `promus` to chat (now routes through the sandbox harness)',
+      '      `promus upgrade` to swap the container while preserving identity',
+    ].join('\n'),
+  )
+}

package/src/commands/drain.ts

@@ -0,0 +1,90 @@
+import { cancel, confirm, intro, isCancel, log, outro, spinner } from '@clack/prompts'
+import { NETWORK_RPC, drainAgentEOA, explorerTxUrl } from '@promus/core'
+import { http, type Address, createPublicClient, formatEther, isAddress } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import { withSilencedConsole } from '../util/silence-console'
+import { unlockAgentSigner } from './_unlock'
+
+export interface DrainOpts {
+  /** Target address. If omitted, defaults to the operator wallet on this config. */
+  to?: string
+  /** Skip the destructive confirmation prompt. */
+  yes?: boolean
+}
+
+export async function runDrain(opts: DrainOpts): Promise<void> {
+  intro('promus drain')
+
+  const loaded = await findAndLoadConfig()
+  if (!loaded) {
+    cancel('No promus.config.ts found. Run `promus init` first.')
+    return
+  }
+  const { config } = loaded
+  if (!config.identity.iNFT || !config.identity.agent) {
+    cancel('Config has no iNFT or agent. Run `promus init` first.')
+    return
+  }
+
+  const network = config.network
+  const agentAddress = config.identity.agent as Address
+
+  const targetRaw = opts.to ?? (config.identity.operator as string | undefined)
+  if (!targetRaw) {
+    cancel('No --to address provided and config has no operator. Pass --to <0x...>.')
+    return
+  }
+  if (!isAddress(targetRaw)) {
+    cancel(`--to is not a valid address: ${targetRaw}`)
+    return
+  }
+  const to = targetRaw as Address
+
+  const publicClient = createPublicClient({ transport: http(NETWORK_RPC[network]) })
+  const before = await publicClient.getBalance({ address: agentAddress })
+  log.info(
+    [
+      `agent      ${agentAddress}`,
+      `balance    ${formatEther(before)} 0G`,
+      `target     ${to}`,
+      `network    ${network}`,
+    ].join('\n'),
+  )
+
+  if (before === 0n) {
+    log.warn('Agent EOA already empty.')
+    outro('nothing to drain')
+    return
+  }
+
+  if (!opts.yes) {
+    const ok = (await confirm({
+      message: `Sweep agent EOA balance (${formatEther(before)} 0G minus gas) to ${to}?`,
+      initialValue: false,
+    })) as boolean | symbol
+    if (isCancel(ok) || !ok) {
+      cancel('Aborted.')
+      return
+    }
+  }
+
+  const unlocked = await unlockAgentSigner(config)
+  if (!unlocked) return
+  try {
+    const sSweep = spinner()
+    sSweep.start(`Sweeping agent EOA → ${to}`)
+    try {
+      const result = await withSilencedConsole(() =>
+        drainAgentEOA({ network, privkeyHex: unlocked.agentPrivkey, to }),
+      )
+      sSweep.stop(
+        `swept ${formatEther(result.amountSent)} 0G (gas reserved ${formatEther(result.gasReserved)} 0G) → ${explorerTxUrl(network, result.txHash)}`,
+      )
+      outro(`agent ${agentAddress} drained to ${to}`)
+    } catch (e) {
+      sSweep.stop(`sweep failed: ${(e as Error).message.slice(0, 160)}`)
+    }
+  } finally {
+    await unlocked.close()
+  }
+}

package/src/commands/gateway-logs.ts

@@ -0,0 +1,47 @@
+/**
+ * `promus gateway logs [--tail N] [-f]` — tail the gateway log.
+ *
+ * v0.19.x: gateway daemon logs to stdout/stderr only (inherited by `gateway run`
+ * or backgrounded by `gateway start`). v0.19.3 wires a log file at
+ * `~/.promus/agents/<id>/gateway.log` for tailing. Until then, this command
+ * informs the user where to look.
+ */
+
+import { spawn } from 'node:child_process'
+import { existsSync } from 'node:fs'
+import { join } from 'node:path'
+import { agentPaths, iNFTAgentId } from '@promus/core'
+import { type Address, getAddress } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+
+export interface GatewayLogsOpts {
+  agentId?: string
+  tail: number
+  follow: boolean
+}
+
+export async function runGatewayLogs(opts: GatewayLogsOpts): Promise<void> {
+  let agentId = opts.agentId
+  if (!agentId) {
+    const found = await findAndLoadConfig()
+    if (!found?.config) {
+      console.error('promus gateway logs: no promus.config.ts and no --agent provided')
+      process.exit(1)
+    }
+    const contractAddress = getAddress(found.config.identity.iNFT!.contract as Address)
+    const tokenId = BigInt(found.config.identity.iNFT!.tokenId)
+    agentId = iNFTAgentId({ contractAddress, tokenId })
+  }
+  const logFile = join(agentPaths.agent(agentId).dir, 'gateway.log')
+  if (!existsSync(logFile)) {
+    console.log(`gateway log not found at ${logFile}`)
+    console.log('v0.19.x: gateway daemon logs to stdout when run via `promus gateway run`.')
+    console.log(
+      'Background it with: nohup bun packages/gateway/bin/@promus/gateway-local > ~/promus-logs/gateway.log 2>&1 &',
+    )
+    return
+  }
+  const args = ['-n', String(opts.tail), ...(opts.follow ? ['-f'] : []), logFile]
+  const proc = spawn('tail', args, { stdio: 'inherit' })
+  proc.on('exit', code => process.exit(code ?? 0))
+}

package/src/commands/gateway-run.ts

@@ -0,0 +1,54 @@
+/**
+ * `promus gateway run` — foreground daemon (blocks; Ctrl+C to stop).
+ *
+ * Spawns `@promus/gateway-local` (the bin in @promus/gateway) with
+ * inherit stdio so the user sees logs live. Reads operator-session for the
+ * cached AES keys; fails loud if no session exists ("run promus gateway start
+ * first").
+ */
+
+import { spawn } from 'node:child_process'
+import { agentPaths } from '@promus/core'
+import { resolveLocalBin } from '../util/gateway-spawn'
+
+export interface GatewayRunOpts {
+  agentId?: string
+}
+
+export async function runGatewayForeground(opts: GatewayRunOpts): Promise<void> {
+  const env = { ...process.env }
+  if (opts.agentId) env.PROMUS_AGENT_ID = opts.agentId
+  // Default PROMUS_CONFIG to the resolved agent config path. agentPaths honors
+  // PROMUS_ROOT, so a custom root (e.g. an existing ~/.anima from before the
+  // rename) is respected instead of hard-coding ~/.promus/config.ts.
+  if (!env.PROMUS_CONFIG) {
+    env.PROMUS_CONFIG = agentPaths.config
+  }
+
+  const localBin = resolveLocalBin()
+  // AWAIT the child for the lifetime of the foreground daemon. Returning early
+  // lets the CLI's top-level `main().then(() => process.exit(0))` fire and kill
+  // the daemon the instant it spawns (the "silent immediate exit" bug). Use the
+  // current bun binary (process.execPath) instead of `bun` on PATH, which the
+  // user's shell may not include (~/.bun/bin).
+  await new Promise<void>(resolve => {
+    const proc = spawn(process.execPath, [localBin], {
+      env,
+      stdio: 'inherit',
+    })
+    const forwardSignal = (sig: NodeJS.Signals): void => {
+      if (!proc.killed) proc.kill(sig)
+    }
+    process.on('SIGINT', () => forwardSignal('SIGINT'))
+    process.on('SIGTERM', () => forwardSignal('SIGTERM'))
+    proc.on('exit', code => {
+      process.exitCode = code ?? 0
+      resolve()
+    })
+    proc.on('error', err => {
+      console.error(`promus gateway run: spawn failed — ${err.message}`)
+      process.exitCode = 1
+      resolve()
+    })
+  })
+}

package/src/commands/gateway-start.ts

@@ -0,0 +1,218 @@
+/**
+ * `promus gateway start` — interactive Touch ID + write operator-session,
+ * then fork the gateway daemon detached.
+ *
+ * Flow:
+ *   1. Load config from ~/.promus/config.ts
+ *   2. Resolve agentId (override via --agent or first agent in config)
+ *   3. Check if gateway already running (lock file). If yes, error.
+ *   4. Pick operator signer + interactive Touch ID via existing operator-picker
+ *   5. Pre-derive scope keys via precomputeAllScopes (keystore + telegram)
+ *   6. Write operator-session file (perm 0600, 24h TTL)
+ *   7. Spawn @promus/gateway-local detached + wait for socket to become readable
+ *      (proves the daemon booted cleanly)
+ *   8. Print pid + socket path
+ */
+
+import { existsSync, readFileSync } from 'node:fs'
+import { join } from 'node:path'
+import { spinner } from '@clack/prompts'
+import {
+  OPERATOR_BLOB_SCOPES,
+  type OperatorBlobScope,
+  agentPaths,
+  buildOperatorSession,
+  decodeKeystoreBytes,
+  decodeOperatorBlobBytes,
+  iNFTAgentId,
+  isOperatorSessionComplete,
+  precomputeAllScopes,
+  readOperatorSession,
+  requiredScopesForAgent,
+  tryDecryptKeystoreWithKey,
+  tryDecryptOperatorBlobWithKey,
+  writeOperatorSession,
+} from '@promus/core'
+import { type Address, getAddress } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import { spawnGatewayDaemon } from '../util/gateway-spawn'
+import { telegramSecretsPath } from '../util/telegram-secrets'
+import { loadOrPickOperatorSigner } from './init/operator-picker'
+
+export interface GatewayStartOpts {
+  agentId?: string
+}
+
+export async function runGatewayStart(opts: GatewayStartOpts): Promise<void> {
+  const found = await findAndLoadConfig()
+  if (!found?.config) {
+    console.error('promus gateway start: no promus.config.ts found in cwd or ~/.promus/')
+    process.exit(1)
+  }
+  const config = found.config
+  const contractAddress = getAddress(config.identity.iNFT!.contract as Address)
+  const tokenId = BigInt(config.identity.iNFT!.tokenId)
+  const agentId = opts.agentId ?? iNFTAgentId({ contractAddress, tokenId })
+  const paths = agentPaths.agent(agentId)
+  const agentAddress = getAddress(config.identity.agent as Address)
+  const socketPath = join(paths.dir, 'gateway.sock')
+
+  // v0.23.2: if the socket exists, check for version drift. If the running
+  // daemon's version differs from the on-disk CLI binary, auto-restart so
+  // operators don't have to remember `promus gateway restart` after every
+  // `bun add -g promus@N`. If versions match, bail with the
+  // legacy "already running" error.
+  if (existsSync(socketPath)) {
+    const { createHash } = await import('node:crypto')
+    const { homedir } = await import('node:os')
+    const identityHash = createHash('sha256').update(agentId).digest('hex').slice(0, 16)
+    const lockFile = join(homedir(), '.promus', 'locks', `@promus/gateway-${identityHash}.lock`)
+    const { ensureGatewayVersionMatchesCli } = await import('../util/gateway-version')
+    const drift = await ensureGatewayVersionMatchesCli({ socketPath, lockFile })
+    if (drift.action === 'ok' || drift.action === 'no-cli-version') {
+      console.error(
+        `promus gateway start: socket already exists at ${socketPath} — gateway may be running (version ${drift.daemonVersion ?? 'unknown'}). Try \`promus gateway stop\` first.`,
+      )
+      process.exit(1)
+    }
+    console.log(`note: ${drift.note}`)
+  }
+
+  // v0.21.12: derive the set of scope keys this agent's daemon will need
+  // based on what's on disk (always 'keystore'; adds 'telegram' when
+  // telegram-secrets.encrypted is present, etc.). The cached session is only
+  // "complete enough to skip Touch ID" when it contains every required key.
+  // Pre-fix, this used the binary `isOperatorSessionFresh` which returned
+  // true for any non-expired session, even one written by a path that didn't
+  // derive TELEGRAM. The daemon then booted, found no telegram scope key,
+  // and silently dropped all inbound TG messages.
+  const required = requiredScopesForAgent(agentId)
+  const extraScopes = required.filter((s): s is Exclude<typeof s, 'keystore'> => s !== 'keystore')
+  const complete = isOperatorSessionComplete(agentId, required)
+  if (!complete) {
+    const sUnlock = spinner()
+    sUnlock.start('Unlocking operator wallet for session-key derivation')
+    let operator: Awaited<ReturnType<typeof loadOrPickOperatorSigner>>
+    try {
+      operator = await loadOrPickOperatorSigner({
+        network: config.network,
+        hint: config.operator,
+      })
+    } catch (e) {
+      sUnlock.stop(`unlock failed: ${(e as Error).message.slice(0, 160)}`)
+      process.exit(1)
+    }
+    if (!operator) {
+      sUnlock.stop('operator unlock cancelled')
+      process.exit(1)
+    }
+
+    sUnlock.message(`Deriving scope keys (${required.join(' + ')})`)
+    try {
+      // v0.24.10: verify each derived canonical key against the on-disk
+      // encrypted artifact. If verify fails (e.g. fox's pre-v0.24.9 WC
+      // keystore was encrypted with the legacy empty-EIP712Domain hash),
+      // `precomputeAllScopes` falls back to the legacy variant via the WC
+      // signer's escape hatch and caches the WORKING key. Without this,
+      // the daemon would boot with a stale canonical key + the
+      // `precomputedKey skips fallback` semantic and panic on first
+      // AES-GCM decrypt.
+      const verifyKey = buildKeystoreVerifier(agentId)
+      const keys = await precomputeAllScopes(operator, agentAddress, extraScopes, { verifyKey })
+      const sess = buildOperatorSession({ agent: agentAddress, keys })
+      writeOperatorSession(agentId, sess)
+      sUnlock.stop('operator-session written (24h TTL)')
+    } catch (e) {
+      sUnlock.stop(`derive failed: ${(e as Error).message.slice(0, 160)}`)
+      await operator.close?.()
+      process.exit(1)
+    }
+    await operator.close?.()
+  } else {
+    console.log(`operator-session complete (${required.join(' + ')}); skipping Touch ID`)
+  }
+
+  // Spawn gateway daemon detached. Inherit stdio for the first ~3s so the
+  // user sees boot errors, then redirect to log file when ready.
+  const sBoot = spinner()
+  sBoot.start(`Spawning gateway daemon (agent=${agentId.slice(0, 8)}…)`)
+
+  const result = await spawnGatewayDaemon({
+    agentId,
+    configPath: found.path ?? '',
+    socketPath,
+    timeoutMs: 10_000,
+    // v0.21.12: redirect daemon stdout/stderr to gateway.log (default
+    // 'log-file' mode) so boot errors survive the parent's exit. Operators
+    // see the log via `promus gateway logs` or by tailing
+    // ~/.promus/agents/<id>/gateway.log directly.
+  })
+  if (result.ready) {
+    sBoot.stop(`gateway running pid=${result.pid} socket=${socketPath}`)
+    console.log('stop with: promus gateway stop')
+    console.log('logs:      promus gateway logs -f')
+  } else {
+    const reason = result.reason ?? 'unknown'
+    const detail = result.error ? `: ${result.error}` : ''
+    sBoot.stop(
+      `gateway did not bind socket within 10s (reason=${reason} pid=${result.pid ?? '?'})${detail}; check above output`,
+    )
+    process.exit(1)
+  }
+}
+
+// Stub — wired by gateway-status when needed.
+export function _operatorSessionPresent(agentId: string): boolean {
+  return readOperatorSession(agentId) !== null
+}
+
+/**
+ * v0.24.10: returns a verifier that `precomputeAllScopes` calls after each
+ * canonical key derive. The verifier:
+ *
+ * - For 'keystore': trial-decrypts `<agentDir>/keystore.json` with the
+ *   candidate key. Returns true on success, false on AES-GCM auth failure.
+ *   False triggers the legacy empty-EIP712Domain fallback inside
+ *   `precomputeAllScopes` so pre-v0.24.9 WC-init'd keystores (only known
+ *   instance is fox, tokenId #5) can still flip to the correct AES key on
+ *   first boot under v0.24.10+.
+ *
+ * - For TELEGRAM: trial-decrypts `<agentDir>/telegram-secrets.encrypted`
+ *   when present. Same legacy-fallback semantic.
+ *
+ * - For PROFILE / unknown: returns true unconditionally. PROFILE has no
+ *   on-disk artifact to verify against (the encrypted blob lives in iNFT
+ *   slot 3 on chain); the keystore-scope detection above already cascades
+ *   the legacy flag to PROFILE via `precomputeAllScopes`'s
+ *   `useLegacyForRest` branch, so the PROFILE key is derived via the
+ *   matching variant without needing a verify here.
+ *
+ * - On missing keystore (init flow never reached this code path, so this
+ *   is a defensive fallback): returns true so the derive completes; the
+ *   daemon's own decrypt at boot will surface the real error.
+ */
+function buildKeystoreVerifier(agentId: string) {
+  const keystorePath = agentPaths.agent(agentId).keystore
+  const tgSecretsPath = telegramSecretsPath(agentId)
+  return async (scope: 'keystore' | OperatorBlobScope, key: Buffer): Promise<boolean> => {
+    if (scope === 'keystore') {
+      if (!existsSync(keystorePath)) return true
+      try {
+        const ks = decodeKeystoreBytes(new TextEncoder().encode(readFileSync(keystorePath, 'utf8')))
+        return tryDecryptKeystoreWithKey(ks, key)
+      } catch {
+        return true
+      }
+    }
+    if (scope === OPERATOR_BLOB_SCOPES.TELEGRAM) {
+      if (!existsSync(tgSecretsPath)) return true
+      try {
+        const blob = decodeOperatorBlobBytes(new Uint8Array(readFileSync(tgSecretsPath)))
+        return tryDecryptOperatorBlobWithKey(blob, key, OPERATOR_BLOB_SCOPES.TELEGRAM)
+      } catch {
+        return true
+      }
+    }
+    return true
+  }
+}