@sage-protocol/cli 0.3.7 → 0.3.9

package/dist/cli/commands/sxxx.js

@@ -350,6 +350,109 @@ function register(program) {
         })
     )
     // authorize-burner related commands removed; now automated at deployment/creation
+    .addCommand(
+      new Command('faucet')
+        .description('Request testnet SXXX tokens from the faucet (Base Sepolia only)')
+        .option('--check', 'Check faucet status without requesting tokens')
+        .action(async (opts) => {
+          try {
+            const faucetAddress = process.env.SXXX_FAUCET_ADDRESS;
+            if (!faucetAddress) {
+              throw new Error('SXXX_FAUCET_ADDRESS not set. Faucet may not be deployed on this network.');
+            }
+
+            const rpcUrl = process.env.RPC_URL || 'https://base-sepolia.publicnode.com';
+            const provider = new ethers.JsonRpcProvider(rpcUrl);
+
+            const faucetAbi = [
+              'function drip() external',
+              'function amountPerDrip() view returns (uint256)',
+              'function cooldown() view returns (uint256)',
+              'function lastDrip(address) view returns (uint256)',
+              'function sxxx() view returns (address)'
+            ];
+            const faucet = new ethers.Contract(faucetAddress, faucetAbi, provider);
+
+            // Get faucet info
+            const [amountPerDrip, cooldown, sxxxAddr] = await Promise.all([
+              faucet.amountPerDrip(),
+              faucet.cooldown(),
+              faucet.sxxx()
+            ]);
+
+            const dripAmount = ethers.formatEther(amountPerDrip);
+            const cooldownHours = Number(cooldown) / 3600;
+
+            console.log('🚰 SXXX Faucet');
+            console.log(`   Faucet: ${faucetAddress}`);
+            console.log(`   Token:  ${sxxxAddr}`);
+            console.log(`   Amount: ${dripAmount} SXXX per request`);
+            console.log(`   Cooldown: ${cooldownHours} hours`);
+            console.log('');
+
+            // Connect wallet to check eligibility and request
+            const WalletManager = require('../wallet-manager');
+            const wm = new WalletManager();
+            await wm.connect();
+            const account = wm.getAccount();
+
+            if (!account) {
+              throw new Error('No wallet connected. Run `sage wallet connect` first.');
+            }
+
+            // Check last drip time
+            const lastDripTime = await faucet.lastDrip(account);
+            const now = Math.floor(Date.now() / 1000);
+            const nextEligible = Number(lastDripTime) + Number(cooldown);
+            const canDrip = now >= nextEligible;
+
+            if (lastDripTime > 0) {
+              const lastDripDate = new Date(Number(lastDripTime) * 1000).toLocaleString();
+              console.log(`   Last request: ${lastDripDate}`);
+            }
+
+            if (!canDrip) {
+              const waitSeconds = nextEligible - now;
+              const waitHours = Math.ceil(waitSeconds / 3600);
+              console.log(`   ⏳ Next eligible: in ~${waitHours} hour(s)`);
+              if (!opts.check) {
+                console.log('\n❌ You must wait before requesting more tokens.');
+              }
+              return;
+            }
+
+            console.log('   ✅ Eligible to request tokens');
+
+            if (opts.check) {
+              return;
+            }
+
+            // Request tokens
+            console.log('\n🔄 Requesting tokens...');
+            const signer = wm.getSigner();
+            const faucetWithSigner = faucet.connect(signer);
+
+            const tx = await faucetWithSigner.drip();
+            console.log(`   TX: ${tx.hash}`);
+            await tx.wait();
+
+            console.log(`\n✅ Received ${dripAmount} SXXX!`);
+            console.log('\nNext steps:');
+            console.log('   sage sxxx balance          # Check your balance');
+            console.log('   sage sxxx delegate-self    # Enable voting power');
+            console.log('   sage dao stake <dao> <amt> # Stake to join a DAO');
+          } catch (error) {
+            if (error.message?.includes('cooldown')) {
+              console.error('❌ Cooldown period not elapsed. Please wait before requesting again.');
+            } else if (error.message?.includes('faucet off')) {
+              console.error('❌ Faucet is currently disabled.');
+            } else {
+              console.error('❌ Faucet request failed:', error.message);
+            }
+            process.exit(1);
+          }
+        })
+    )
     .addCommand(
       new Command('transfer-ownership')
         .description('Owner-only: transfer SXXX ownership (uses Foundry --account deployment-wallet)')

package/dist/cli/commands/timelock.js

@@ -509,8 +509,9 @@ function register(program) {
               } else {
                 console.log(colors.red('❌ Missing PROPOSER_ROLE on Timelock for current signer.'));
                 console.log('   Hint: use one of:');
-                console.log('   - sage timelock fix-roles --subdao <subdao-address> (admin only, interactive)');
-                console.log('   - sage roles plan --subdao <subdao-address> && sage roles apply --subdao <subdao-address>');
+                console.log('   - sage timelock doctor --dao <dao-address>        # inspect roles and minDelay');
+                console.log('   - sage timelock fix-roles --dao <dao-address>     # admin-only safe wiring helper');
+                console.log('   - sage governance enable-proposals --dao <dao-address>  # grant PROPOSER_ROLE via governance');
                 console.log('   Or rerun with --auto if your signer is an admin (schedule will grant proposer automatically).');
                 return process.exit(1);
               }
@@ -528,8 +529,9 @@ function register(program) {
           if (msg.includes('AccessControl') || msg.includes('0xe2517d3f')) {
             console.log(colors.red('❌ Schedule failed: missing PROPOSER_ROLE on Timelock for current signer.'));
             console.log('   Grant role via governance or admin helpers, for example:');
-            console.log('   - sage timelock fix-roles --subdao <subdao-address>');
-            console.log('   - sage roles plan --subdao <subdao-address> && sage roles apply --subdao <subdao-address>');
+            console.log('   - sage timelock doctor --dao <dao-address>');
+            console.log('   - sage timelock fix-roles --dao <dao-address>');
+            console.log('   - sage governance enable-proposals --dao <dao-address>');
             console.log('   Or rerun with --auto if your signer is an admin (schedule will grant proposer automatically).');
           }
           console.error(colors.red('❌ Schedule failed:'), msg);
@@ -758,194 +760,23 @@ function register(program) {
       }
     });
 
-  // Inspect and (optionally) schedule PremiumPrompts role grants via Timelock
+  // SubDAO premium roles - replaced by personal premium model
   cmd
     .command('premium-roles')
-    .description('Doctor/Fix PremiumPrompts roles for Timelock (team mode)')
-    .requiredOption('--prompts <address>', 'PremiumPrompts contract address')
-    .option('--subdao <address>', 'Resolve timelock from a SubDAO context')
-    .option('--gov <address>', 'Resolve timelock via a Governor context')
-    .option('--fix', 'Schedule grantRole(DEFAULT_ADMIN_ROLE and/or MANAGER_ROLE) to Timelock', false)
-    .option('--bootstrap', 'If signer is current admin on PremiumPrompts, directly grant Timelock admin/manager (one-time bootstrap)', false)
-    .action(async (opts) => {
-      try {
-        const WM = require('../wallet-manager');
-        const { ethers } = require('ethers');
-        const wm = new WM(); await wm.connect();
-        const provider = wm.getProvider();
-        const signer = wm.getSigner();
-        const tlAddr = await resolveTimelockAddress(opts, provider);
-        const prompts = ethers.getAddress(opts.prompts);
-        console.log(colors.cyan(`🎯 Timelock=${tlAddr}  PremiumPrompts=${prompts}`));
-
-        // Read roles
-        const pp = new ethers.Contract(prompts, [
-          'function DEFAULT_ADMIN_ROLE() view returns (bytes32)',
-          'function MANAGER_ROLE() view returns (bytes32)',
-          'function hasRole(bytes32,address) view returns (bool)',
-          'function grantRole(bytes32,address)'
-        ], provider);
-        const [ADMIN, MANAGER] = await Promise.all([
-          pp.DEFAULT_ADMIN_ROLE(), pp.MANAGER_ROLE()
-        ]);
-        const [hasAdmin, hasManager] = await Promise.all([
-          pp.hasRole(ADMIN, tlAddr), pp.hasRole(MANAGER, tlAddr)
-        ]);
-        console.log(' DEFAULT_ADMIN_ROLE → Timelock:', hasAdmin ? '✅' : '❌');
-        console.log(' MANAGER_ROLE       → Timelock:', hasManager ? '✅' : '❌');
-
-        // Optional bootstrap path: if signer has admin on PremiumPrompts, perform direct grants now
-        if (opts.bootstrap) {
-          const signerAddr = await signer.getAddress();
-          const ppAs = new ethers.Contract(prompts, [
-            'function DEFAULT_ADMIN_ROLE() view returns (bytes32)',
-            'function MANAGER_ROLE() view returns (bytes32)',
-            'function hasRole(bytes32,address) view returns (bool)',
-            'function grantRole(bytes32,address)'
-          ], signer);
-          const signerIsAdmin = await ppAs.hasRole(ADMIN, signerAddr).catch(()=>false);
-          if (!signerIsAdmin) {
-            console.log(colors.red('❌ Bootstrap requested but current signer is not DEFAULT_ADMIN on PremiumPrompts.'));
-          } else {
-            if (!hasAdmin) {
-              console.log(colors.yellow('⚙️  Granting DEFAULT_ADMIN_ROLE to Timelock directly (bootstrap)...'));
-              const tx1 = await ppAs.grantRole(ADMIN, tlAddr); console.log(' tx:', tx1.hash); await tx1.wait();
-              console.log(colors.green(' ✅ Granted DEFAULT_ADMIN_ROLE'));
-            }
-            if (!hasManager) {
-              console.log(colors.yellow('⚙️  Granting MANAGER_ROLE to Timelock directly (bootstrap)...'));
-              const tx2 = await ppAs.grantRole(MANAGER, tlAddr); console.log(' tx:', tx2.hash); await tx2.wait();
-              console.log(colors.green(' ✅ Granted MANAGER_ROLE'));
-            }
-          }
-        }
-
-        if (!opts.fix) return;
-
-        // Schedule grantRole via Timelock for any missing roles
-        const tl = new ethers.Contract(tlAddr, timelockAbi(), signer);
-        const iface = new ethers.Interface(['function grantRole(bytes32,address)']);
-        const predecessor = ethers.ZeroHash;
-        const saltBase = ethers.hexlify(ethers.randomBytes(16));
-        const delay = await tl.getMinDelay().catch(()=>0n);
-        const ops = [];
-        if (!hasAdmin) ops.push({ role: ADMIN, label: 'DEFAULT_ADMIN_ROLE' });
-        if (!hasManager) ops.push({ role: MANAGER, label: 'MANAGER_ROLE' });
-        if (!ops.length) { console.log(colors.green('✅ No fixes needed.')); return; }
-        for (let i=0;i<ops.length;i++) {
-          const { role, label } = ops[i];
-          const data = iface.encodeFunctionData('grantRole', [role, tlAddr]);
-          const salt = ethers.keccak256(ethers.toUtf8Bytes(`${saltBase}:${label}`));
-          console.log(colors.yellow(`⏳ Scheduling grantRole(${label}, Timelock)`));
-          const stx = await tl.schedule(prompts, 0, data, predecessor, salt, delay);
-          console.log(' ⏳ tx:', stx.hash); await stx.wait(); console.log(colors.green(' ✅ scheduled'));
-          if (delay === 0n) {
-            const etx = await tl.execute(prompts, 0, data, predecessor, salt);
-            console.log(' ⚡ execute tx:', etx.hash); await etx.wait(); console.log(colors.green(' ✅ executed'));
-          } else {
-            console.log(colors.gray(' Next: execute after delay:'));
-            console.log(` cast send ${tlAddr} \"execute(address,uint256,bytes,bytes32,bytes32)\" ${prompts} 0 ${data} ${predecessor} ${salt} --rpc-url ${process.env.RPC_URL || 'https://base-sepolia.publicnode.com'}`);
-          }
-        }
-      } catch (e) {
-        console.error(colors.red('❌ premium-roles failed:'), e.message);
-        process.exit(1);
-      }
+    .description('Use "sage personal" for premium prompts')
+    .action(() => {
+      console.log('SubDAO premium has been replaced by personal premium.');
+      console.log('Use: sage personal sell/buy/access');
+      console.log('See: docs/specs/premium-endorsement-model.md');
     });
 
-  // Inspect and (optionally) schedule SimpleKeyStore role grants via Timelock
   cmd
     .command('keystore-roles')
-    .description('Doctor/Fix SimpleKeyStore roles for Timelock (team mode)')
-    .requiredOption('--keystore <address>', 'SimpleKeyStore contract address')
-    .option('--subdao <address>', 'Resolve timelock from a SubDAO context')
-    .option('--gov <address>', 'Resolve timelock via a Governor context')
-    .option('--fix', 'Schedule grantRole(DEFAULT_ADMIN_ROLE and/or MANAGER_ROLE) to Timelock', false)
-    .option('--bootstrap', 'If signer is current admin on SimpleKeyStore, directly grant Timelock admin/manager (one-time bootstrap)', false)
-    .action(async (opts) => {
-      try {
-        const WM = require('../wallet-manager');
-        const { ethers } = require('ethers');
-        const wm = new WM(); await wm.connect();
-        const provider = wm.getProvider();
-        const signer = wm.getSigner();
-        const tlAddr = await resolveTimelockAddress(opts, provider);
-        const ksAddr = ethers.getAddress(opts.keystore);
-        console.log(colors.cyan(`🎯 Timelock=${tlAddr}  SimpleKeyStore=${ksAddr}`));
-
-        // Read roles
-        const ks = new ethers.Contract(ksAddr, [
-          'function DEFAULT_ADMIN_ROLE() view returns (bytes32)',
-          'function MANAGER_ROLE() view returns (bytes32)',
-          'function hasRole(bytes32,address) view returns (bool)',
-          'function grantRole(bytes32,address)'
-        ], provider);
-        const [ADMIN, MANAGER] = await Promise.all([
-          ks.DEFAULT_ADMIN_ROLE(), ks.MANAGER_ROLE()
-        ]);
-        const [hasAdmin, hasManager] = await Promise.all([
-          ks.hasRole(ADMIN, tlAddr), ks.hasRole(MANAGER, tlAddr)
-        ]);
-        console.log(' DEFAULT_ADMIN_ROLE → Timelock:', hasAdmin ? '✅' : '❌');
-        console.log(' MANAGER_ROLE       → Timelock:', hasManager ? '✅' : '❌');
-
-        // Optional bootstrap path: if signer has admin on SimpleKeyStore, perform direct grants now
-        if (opts.bootstrap) {
-          const signerAddr = await signer.getAddress();
-          const ksAs = new ethers.Contract(ksAddr, [
-            'function DEFAULT_ADMIN_ROLE() view returns (bytes32)',
-            'function MANAGER_ROLE() view returns (bytes32)',
-            'function hasRole(bytes32,address) view returns (bool)',
-            'function grantRole(bytes32,address)'
-          ], signer);
-          const signerIsAdmin = await ksAs.hasRole(ADMIN, signerAddr).catch(()=>false);
-          if (!signerIsAdmin) {
-            console.log(colors.red('❌ Bootstrap requested but current signer is not DEFAULT_ADMIN on SimpleKeyStore.'));
-          } else {
-            if (!hasAdmin) {
-              console.log(colors.yellow('⚙️  Granting DEFAULT_ADMIN_ROLE to Timelock directly (bootstrap)...'));
-              const tx1 = await ksAs.grantRole(ADMIN, tlAddr); console.log(' tx:', tx1.hash); await tx1.wait();
-              console.log(colors.green(' ✅ Granted DEFAULT_ADMIN_ROLE'));
-            }
-            if (!hasManager) {
-              console.log(colors.yellow('⚙️  Granting MANAGER_ROLE to Timelock directly (bootstrap)...'));
-              const tx2 = await ksAs.grantRole(MANAGER, tlAddr); console.log(' tx:', tx2.hash); await tx2.wait();
-              console.log(colors.green(' ✅ Granted MANAGER_ROLE'));
-            }
-          }
-        }
-
-        if (!opts.fix) return;
-
-        // Schedule grantRole via Timelock for any missing roles
-        const tl = new ethers.Contract(tlAddr, timelockAbi(), signer);
-        const iface = new ethers.Interface(['function grantRole(bytes32,address)']);
-        const predecessor = ethers.ZeroHash;
-        const saltBase = ethers.hexlify(ethers.randomBytes(16));
-        const delay = await tl.getMinDelay().catch(()=>0n);
-        const ops = [];
-        if (!hasAdmin) ops.push({ role: ADMIN, label: 'DEFAULT_ADMIN_ROLE' });
-        if (!hasManager) ops.push({ role: MANAGER, label: 'MANAGER_ROLE' });
-        if (!ops.length) { console.log(colors.green('✅ No fixes needed.')); return; }
-        for (let i=0;i<ops.length;i++) {
-          const { role, label } = ops[i];
-          const data = iface.encodeFunctionData('grantRole', [role, tlAddr]);
-          const salt = ethers.keccak256(ethers.toUtf8Bytes(`${saltBase}:${label}`));
-          console.log(colors.yellow(`⏳ Scheduling grantRole(${label}, Timelock)`));
-          const stx = await tl.schedule(ksAddr, 0, data, predecessor, salt, delay);
-          console.log(' ⏳ tx:', stx.hash); await stx.wait(); console.log(colors.green(' ✅ scheduled'));
-          if (delay === 0n) {
-            const etx = await tl.execute(ksAddr, 0, data, predecessor, salt);
-            console.log(' ⚡ execute tx:', etx.hash); await etx.wait(); console.log(colors.green(' ✅ executed'));
-          } else {
-            console.log(colors.gray(' Next: execute after delay:'));
-            console.log(` cast send ${tlAddr} \"execute(address,uint256,bytes,bytes32,bytes32)\" ${ksAddr} 0 ${data} ${predecessor} ${salt} --rpc-url ${process.env.RPC_URL || 'https://base-sepolia.publicnode.com'}`);
-          }
-        }
-      } catch (e) {
-        console.error(colors.red('❌ keystore-roles failed:'), e.message);
-        process.exit(1);
-      }
+    .description('Use "sage personal" for premium prompts')
+    .action(() => {
+      console.log('SubDAO premium has been replaced by personal premium.');
+      console.log('Use: sage personal sell/buy/access');
+      console.log('See: docs/specs/premium-endorsement-model.md');
     });
 
   // Enable factory stable fees via Timelock from environment values

package/dist/cli/index.js

@@ -86,7 +86,7 @@ program
 
 // Reordered to highlight consolidated namespaces ('prompts' and 'gov')
 const commandGroups = [
-  { title: 'Content (new)', modules: ['prompts', 'project', 'prompt', 'premium', 'premium-pre', 'creator', 'contributor', 'bounty'] },
+  { title: 'Content (new)', modules: ['prompts', 'project', 'prompt', 'personal', 'creator', 'contributor', 'bounty'] },
   { title: 'Governance (new)', modules: ['proposals', 'governance', 'dao', 'timelock', 'roles', 'members', 'gov-config', 'stake-status'] },
   { title: 'Treasury', modules: ['treasury', 'safe', 'boost'] },
   { title: 'Ops & Utilities', modules: ['config', 'wallet', 'sxxx', 'ipfs', 'ipns', 'context', 'doctor', 'factory', 'upgrade', 'resolve', 'dry-run-queue', 'mcp', 'start', 'wizard', 'init', 'dao-config', 'pin', 'council', 'sbt', 'completion', 'help', 'hook'] },
@@ -151,10 +151,6 @@ const additionalModules = [
 ];
 additionalModules.forEach((mod) => moduleSet.add(mod));
 
-// Experimental: enable 'personal' module when flagged
-if (flags.isEnabled('SAGE_ENABLE_PERSONAL')) {
-  moduleSet.add('personal');
-}
 
 const cliTestMode = flags.isEnabled('SAGE_CLI_TEST_MODE');
 if (cliTestMode) {

package/dist/cli/utils/aliases.js

@@ -151,6 +151,7 @@ const COMMAND_CATALOG = {
       'allowance',
       'ensure-allowance',
       'ensure-allowance-gov',
+      'faucet',
       'transfer-ownership',
       'transfer',
       'delegate-self',
@@ -158,7 +159,8 @@ const COMMAND_CATALOG = {
     ],
     subcommandAliases: {
       del: 'delegate-self',
-      delegate: 'delegate-self'
+      delegate: 'delegate-self',
+      drip: 'faucet'
     }
   },
   treasury: {

package/dist/cli/utils/error-handler.js

@@ -101,7 +101,7 @@ const ERROR_GUIDANCE = {
     summary: 'The connected signer is missing the required on-chain role or delegation (e.g., PROPOSER_ROLE, EXECUTOR_ROLE, admin).',
     suggestions: [
       () => 'sage dao doctor --subdao <subdao-address>',
-      () => 'sage roles matrix --subdao <subdao-address>',
+      () => 'sage timelock doctor --subdao <subdao-address>',
       () => 'sage sxxx delegate-self'
     ],
     perCommand: {
@@ -110,11 +110,17 @@ const ERROR_GUIDANCE = {
       ],
       'library:push': [
         (ctx) => (ctx?.subdao ? `sage dao doctor --subdao ${ctx.subdao}` : 'sage dao doctor --subdao <subdao-address>'),
-        () => 'sage roles matrix --subdao <subdao-address>'
+        (ctx) =>
+          ctx?.subdao
+            ? `sage timelock doctor --subdao ${ctx.subdao}`
+            : 'sage timelock doctor --subdao <subdao-address>'
       ],
       'prompts:publish': [
         (ctx) => (ctx?.subdao ? `sage dao doctor --subdao ${ctx.subdao}` : 'sage dao doctor --subdao <subdao-address>'),
-        () => 'sage roles matrix --subdao <subdao-address>'
+        (ctx) =>
+          ctx?.subdao
+            ? `sage timelock doctor --subdao ${ctx.subdao}`
+            : 'sage timelock doctor --subdao <subdao-address>'
       ],
       'timelock:execute': [
         (ctx) =>
@@ -122,12 +128,6 @@ const ERROR_GUIDANCE = {
             ? `sage timelock doctor --timelock ${ctx.timelock}`
             : 'sage timelock doctor --subdao <subdao-address>'
       ],
-      'roles:apply': [
-        (ctx) =>
-          ctx?.subdao
-            ? `sage roles matrix --subdao ${ctx.subdao}`
-            : 'sage roles matrix --subdao <subdao-address>'
-      ],
       'governance:vote': [
         () => 'sage sxxx delegate-self',
         () => 'sage governance power'

package/dist/cli/utils/lit.js

@@ -0,0 +1,103 @@
+const { LitNodeClientNodeJs } = require('@lit-protocol/lit-node-client-nodejs');
+const { ethers } = require('ethers');
+const crypto = require('crypto');
+const { encryptAesGcm, toB64 } = require('./aes');
+
+let client;
+
+async function getClient() {
+    if (client) return client;
+    client = new LitNodeClientNodeJs({
+        litNetwork: 'datil-test',
+        debug: false
+    });
+    await client.connect();
+    return client;
+}
+
+async function buildNodeAuthSig(signer, chain = 'ethereum') {
+    const address = await signer.getAddress();
+    const domain = 'localhost';
+    const origin = 'https://localhost/login';
+    const statement = 'Sign in to Lit Protocol';
+    const version = '1';
+    const chainId = 1;
+    const expirationTime = new Date(Date.now() + 1000 * 60 * 60 * 24).toISOString();
+
+    const siweMessage = `localhost wants you to sign in with your Ethereum account:
+${address}
+
+${statement}
+
+URI: ${origin}
+Version: ${version}
+Chain ID: ${chainId}
+Nonce: ${ethers.hexlify(crypto.randomBytes(8))}
+Issued At: ${new Date().toISOString()}
+Expiration Time: ${expirationTime}`;
+
+    const signature = await signer.signMessage(siweMessage);
+
+    return {
+        sig: signature,
+        derivedVia: 'web3.eth.personal.sign',
+        signedMessage: siweMessage,
+        address: address,
+    };
+}
+
+async function encryptStringWithLit({ content, receiptAddress, tokenId, authSig, chain = 'baseSepolia' }) {
+    const litNodeClient = await getClient();
+
+    // 1. Generate symmetric key
+    const symKey = crypto.randomBytes(32);
+
+    // 2. Encrypt content with symmetric key (using local AES)
+    const { ciphertext, iv, tag } = encryptAesGcm(content, symKey);
+    // Combine iv + tag + ciphertext for storage (standard format often used)
+    // Or return as blob?
+    // premium.js expects `encryptedBlob`.
+    // Let's pack it: IV (12) + Tag (16) + Ciphertext
+    const encryptedBlob = Buffer.concat([iv, tag, ciphertext]);
+
+    // 3. Encrypt symmetric key with Lit
+    const accessControlConditions = [
+        {
+            contractAddress: receiptAddress,
+            standardContractType: 'ERC1155',
+            chain,
+            method: 'balanceOf',
+            parameters: [':userAddress', tokenId],
+            returnValueTest: {
+                comparator: '>',
+                value: '0'
+            }
+        }
+    ];
+
+    // Lit v6 encrypt
+    // Note: encrypt() returns { ciphertext, dataToEncryptHash } usually for access control?
+    // No, for encryption key provisioning:
+    // client.encrypt({ accessControlConditions, to_encrypt: symKey, ... })
+    // Convert Buffer to Uint8Array for Lit Protocol v7 compatibility
+    const symKeyUint8 = new Uint8Array(symKey);
+
+    const { ciphertext: litCiphertext, dataToEncryptHash } = await litNodeClient.encrypt({
+        accessControlConditions,
+        dataToEncrypt: symKeyUint8,
+        authSig,
+        chain,
+    });
+
+    // Lit v7 returns ciphertext already as base64-encoded string
+    // No need to re-encode with toB64
+
+    return {
+        encryptedBlob,
+        encryptedSymmetricKey: litCiphertext, // Already base64 in Lit v7
+        dataToEncryptHash, // Include hash for decryption
+        accessControlConditions
+    };
+}
+
+module.exports = { encryptStringWithLit, buildNodeAuthSig };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sage-protocol/cli",
-  "version": "0.3.7",
+  "version": "0.3.9",
   "description": "Sage Protocol CLI for managing AI prompt libraries",
   "bin": {
     "sage": "./bin/sage.js"