@tokamak-private-dapps/private-state-cli 0.1.8 → 1.0.0

package/cli-assistant.html

@@ -390,16 +390,21 @@
               </li>
               <li>
                 Even if you lose the channel wallet file, only your Ethereum private key, together with the correct
-                channel context, can recover your channel wallet as long as you still know the wallet password.
+                channel context, can recover your channel wallet as long as you still know the wallet secret.
               </li>
               <li>
-                If your channel wallet file and wallet password are both stolen, your channel funds can be stolen.
+                If your channel wallet file and wallet secret are both stolen, your channel funds can be stolen.
               </li>
               <li>
-                If you lose your wallet password, you lose the ability to derive your channel L2 private key. In that
+                If you lose your wallet secret, you lose the ability to derive your channel L2 private key. In that
                 case, you lose ownership of all notes because you can no longer use them, and that ownership cannot be
                 recovered.
               </li>
+              <li>
+                Channel policy is immutable after creation. Joining a channel means accepting its verifier bindings,
+                DApp metadata, function layout, managed storage vector, and refund policy; later policy-level fixes
+                require a new channel or migration.
+              </li>
             </ul>
           </div>
         </section>
@@ -411,29 +416,29 @@
               <li>
                 <span class="guide-label">Join a channel:</span> <code>join-channel</code>
                 <div class="guide-example">
-                  <code>join-channel --channel-name 'my-private-channel' --password '__WALLET_PASSWORD__' --network 'sepolia' --private-key '__L1_PRIVATE_KEY__' --alchemy-api-key '__ALCHEMY_API_KEY__'</code>
+                  <code>join-channel --channel-name 'my-private-channel' --network 'sepolia' --account 'my-account' --wallet-secret-path '/path/to/wallet-secret' --rpc-url '__RPC_URL__'</code>
                 </div>
               </li>
               <li>
                 <span class="guide-label">Create notes:</span> <code>deposit-bridge</code> -&gt; <code>deposit-channel</code> -&gt; <code>mint-notes</code>
                 <div class="guide-example">
-                  <code>deposit-bridge --amount '100' --network 'sepolia' --private-key '__L1_PRIVATE_KEY__' --alchemy-api-key '__ALCHEMY_API_KEY__'</code><br />
-                  <code>deposit-channel --wallet 'my-private-channel-0xYourL1Address' --password '__WALLET_PASSWORD__' --network 'sepolia' --amount '100'</code><br />
-                  <code>mint-notes --wallet 'my-private-channel-0xYourL1Address' --password '__WALLET_PASSWORD__' --network 'sepolia' --amounts '[&quot;50&quot;,&quot;50&quot;,&quot;0&quot;]'</code>
+                  <code>deposit-bridge --amount '100' --network 'sepolia' --account 'my-account' --rpc-url '__RPC_URL__'</code><br />
+                  <code>deposit-channel --wallet 'my-private-channel-0xYourL1Address' --network 'sepolia' --amount '100'</code><br />
+                  <code>mint-notes --wallet 'my-private-channel-0xYourL1Address' --network 'sepolia' --amounts '[&quot;50&quot;,&quot;50&quot;,&quot;0&quot;]'</code>
                 </div>
               </li>
               <li>
                 <span class="guide-label">Split, merge, or transfer note ownership:</span> <code>transfer-notes</code>
                 <div class="guide-example">
-                  <code>transfer-notes --wallet 'my-private-channel-0xYourL1Address' --password '__WALLET_PASSWORD__' --network 'sepolia' --note-ids '[&quot;0xNoteIdA&quot;]' --recipients '[&quot;0xRecipientL2AddressA&quot;,&quot;0xRecipientL2AddressB&quot;]' --amounts '[&quot;25&quot;,&quot;25&quot;]'</code>
+                  <code>transfer-notes --wallet 'my-private-channel-0xYourL1Address' --network 'sepolia' --note-ids '[&quot;0xNoteIdA&quot;]' --recipients '[&quot;0xRecipientL2AddressA&quot;,&quot;0xRecipientL2AddressB&quot;]' --amounts '[&quot;25&quot;,&quot;25&quot;]'</code>
                 </div>
               </li>
               <li>
                 <span class="guide-label">Redeem notes back to L1:</span> <code>redeem-notes</code> -&gt; <code>withdraw-channel</code> -&gt; <code>withdraw-bridge</code>
                 <div class="guide-example">
-                  <code>redeem-notes --wallet 'my-private-channel-0xYourL1Address' --password '__WALLET_PASSWORD__' --network 'sepolia' --note-ids '[&quot;0xNoteIdA&quot;]'</code><br />
-                  <code>withdraw-channel --wallet 'my-private-channel-0xYourL1Address' --password '__WALLET_PASSWORD__' --network 'sepolia' --amount '25'</code><br />
-                  <code>withdraw-bridge --amount '25' --network 'sepolia' --private-key '__L1_PRIVATE_KEY__' --alchemy-api-key '__ALCHEMY_API_KEY__'</code>
+                  <code>redeem-notes --wallet 'my-private-channel-0xYourL1Address' --network 'sepolia' --note-ids '[&quot;0xNoteIdA&quot;]'</code><br />
+                  <code>withdraw-channel --wallet 'my-private-channel-0xYourL1Address' --network 'sepolia' --amount '25'</code><br />
+                  <code>withdraw-bridge --amount '25' --network 'sepolia' --account 'my-account' --rpc-url '__RPC_URL__'</code>
                 </div>
               </li>
             </ol>
@@ -443,111 +448,32 @@
     </main>
 
     <script src="../../../node_modules/ethers/dist/ethers.umd.js"></script>
-    <script>
+    <script type="module">
+      import {
+        PRIVATE_STATE_CLI_COMMANDS,
+        PRIVATE_STATE_CLI_FIELD_CATALOG,
+      } from "./lib/private-state-cli-command-registry.mjs";
+
       const storageKey = "private-state-cli-assistant:v2";
-      const windowNameKey = "private-state-cli-assistant-state:";
       const cliEntry = "node packages/apps/private-state/cli/private-state-bridge-cli.mjs";
       const defaultWorkspaceRootLabel = navigator.userAgent.includes("Windows")
         ? "%USERPROFILE%\\\\tokamak-private-channels\\\\workspace"
         : "~/tokamak-private-channels/workspace";
-      const walletEncryptionVersion = 1;
-      const walletEncryptionAlgorithm = "aes-256-gcm";
-      const textEncoder = new TextEncoder();
-      const textDecoder = new TextDecoder();
-
-      const fieldCatalog = {
-        channelName: {
-          label: "Channel Name",
-          type: "text",
-          placeholder: "demo-channel",
-        },
-        network: {
-          label: "Network",
-          type: "select",
-          options: ["sepolia", "mainnet", "anvil"],
-        },
-        alchemyApiKey: {
-          label: "Alchemy API Key",
-          type: "password",
-          placeholder: "alchemy-key",
-        },
-        privateKey: {
-          label: "L1 Private Key",
-          type: "password",
-          placeholder: "0x...",
-        },
-        password: {
-          label: "Wallet Password",
-          type: "password",
-          placeholder: "channel-password",
-        },
-        wallet: {
-          label: "Wallet Name",
-          type: "text",
-          placeholder: "channel-0xYourL1Address",
-        },
-        amount: {
-          label: "Amount",
-          type: "text",
-          placeholder: "3",
-        },
-        amounts: {
-          label: "Amounts",
-          type: "textarea",
-          placeholder: "[1,2,3]",
-        },
-        noteIds: {
-          label: "Note IDs",
-          type: "textarea",
-          placeholder: "[\"0x...\"]",
-        },
-        recipients: {
-          label: "Recipients JSON",
-          type: "textarea",
-          placeholder: "[\"0xRecipientL2Address\"]",
-        },
-        force: {
-          label: "Force Exit",
-          type: "checkbox",
-          hint: "Bypass the CLI zero-balance guard for exit-channel.",
-        },
-        docker: {
-          label: "Docker Install Mode",
-          type: "checkbox",
-          hint: "Forward --docker to install-zk-evm. This mode is supported only on Linux hosts by the Tokamak CLI.",
-        },
-      };
-
-      const commands = [
-        { id: "install-zk-evm", description: "Install the local Tokamak zk-EVM toolchain. Optionally forward --docker for Linux-host Docker installs.", fields: ["docker"] },
-        { id: "uninstall-zk-evm", description: "Remove the Tokamak zk-EVM CLI runtime workspace.", fields: [] },
-        { id: "create-channel", description: "Create the bridge channel and initialize its workspace.", fields: ["channelName", "network", "privateKey", "alchemyApiKey"] },
-        { id: "recover-workspace", description: "Rebuild the saved channel workspace from bridge state.", fields: ["channelName", "network", "alchemyApiKey"] },
-        { id: "deposit-bridge", description: "Deposit canonical tokens into the shared bridge vault.", fields: ["amount", "network", "privateKey", "alchemyApiKey"] },
-        { id: "withdraw-bridge", description: "Withdraw shared bridge-vault funds back to the L1 wallet.", fields: ["amount", "network", "privateKey", "alchemyApiKey"] },
-        { id: "get-my-bridge-fund", description: "Read the current bridge-vault balance.", fields: ["network", "privateKey", "alchemyApiKey"] },
-        { id: "join-channel", description: "Bind the caller to a channel-specific L2 identity.", fields: ["channelName", "password", "network", "privateKey", "alchemyApiKey"] },
-        { id: "recover-wallet", description: "Rebuild the recoverable portion of a wallet.", fields: ["channelName", "password", "network", "privateKey", "alchemyApiKey"] },
-        { id: "get-my-wallet-meta", description: "Check whether a saved wallet matches on-chain registration.", fields: ["wallet", "password", "network"] },
-        { id: "get-my-l1-address", description: "Derive the L1 address for a private key.", fields: ["privateKey"] },
-        { id: "list-local-wallets", description: "List saved local wallet names that can be reused with --wallet.", fields: ["network", "channelName"] },
-        { id: "deposit-channel", description: "Move bridged funds into the channel L2 accounting balance.", fields: ["wallet", "password", "network", "amount"] },
-        { id: "withdraw-channel", description: "Move channel L2 balance back into the shared bridge vault.", fields: ["wallet", "password", "network", "amount"] },
-        { id: "get-my-channel-fund", description: "Read the current channel L2 accounting balance.", fields: ["wallet", "password", "network"] },
-        { id: "exit-channel", description: "Exit a channel. The assistant keeps the CLI zero-balance guard unless Force Exit is enabled.", fields: ["wallet", "password", "network", "force"] },
-        { id: "mint-notes", description: "Mint one or two private-state notes from the wallet channel balance.", fields: ["wallet", "password", "network", "amounts"] },
-        { id: "transfer-notes", description: "Spend tracked notes into the registered 1->1, 1->2, or 2->1 encrypted transfer shapes.", fields: ["wallet", "password", "network", "noteIds", "recipients", "amounts"] },
-        { id: "redeem-notes", description: "Redeem exactly one tracked note back into liquid accounting balance.", fields: ["wallet", "password", "network", "noteIds"] },
-        { id: "get-my-notes", description: "Refresh encrypted note-log recovery and show current wallet notes.", fields: ["wallet", "password", "network"] },
-      ];
+      const fieldCatalog = PRIVATE_STATE_CLI_FIELD_CATALOG;
+      const commands = PRIVATE_STATE_CLI_COMMANDS.map((command) => ({
+        ...command,
+        fields: [...new Set([...command.fields, "json"])],
+      }));
 
       const defaultState = {
         commandId: "join-channel",
         channelName: "",
+        joinToll: "1",
         network: "sepolia",
-        alchemyApiKey: "",
-        privateKey: "",
-        password: "",
+        rpcUrl: "",
+        account: "",
+        privateKeyFile: "",
+        walletSecretPath: "",
         wallet: "",
         amount: "",
         amounts: "",
@@ -559,14 +485,19 @@
         transferAmount1: "",
         transferRecipient2: "",
         transferAmount2: "",
-        force: false,
         docker: false,
+        includeLocalArtifacts: false,
+        groth16CliVersion: "",
+        tokamakZkEvmCliVersion: "",
+        fromGenesis: false,
+        gpu: false,
+        json: false,
       };
 
       const sharedFieldKeys = [
         "network",
-        "alchemyApiKey",
-        "privateKey",
+        "rpcUrl",
+        "account",
       ];
 
       const state = loadState();
@@ -584,14 +515,6 @@
         statusMessage: "",
         hasLoaded: false,
       };
-      const privateKeyAddressState = {
-        inputValue: "",
-        derivedAddress: "",
-        statusMessage: "",
-      };
-      let scryptModulePromise = null;
-      let ethersModulePromise = null;
-      let privateKeyLookupGeneration = 0;
       let walletNoteRefreshTimer = null;
 
       const workspacePickerEl = document.getElementById("workspace-picker");
@@ -606,9 +529,8 @@
       const workspacePathLabelEl = document.getElementById("workspace-path-label");
       let workspaceStatusEl = null;
       const maskedSecretValues = {
-        alchemyApiKey: "__ALCHEMY_API_KEY__",
-        privateKey: "__L1_PRIVATE_KEY__",
-        password: "__WALLET_PASSWORD__",
+        rpcUrl: "__RPC_URL__",
+        privateKeyFile: "__PRIVATE_KEY_FILE__",
       };
 
       document.getElementById("copy-command").addEventListener("click", async () => {
@@ -630,17 +552,6 @@
           if (parsed) {
             return parsed;
           }
-        } catch {
-          // Fallback to window.name below.
-        }
-
-        try {
-          if (typeof window.name === "string" && window.name.startsWith(windowNameKey)) {
-            const parsed = parseSerializedState(window.name.slice(windowNameKey.length));
-            if (parsed) {
-              return parsed;
-            }
-          }
         } catch {
           // Fall through to defaults.
         }
@@ -653,12 +564,7 @@
         try {
           window.localStorage.setItem(storageKey, serialized);
         } catch {
-          // window.name fallback below still preserves state across refreshes in the current tab.
-        }
-        try {
-          window.name = `${windowNameKey}${serialized}`;
-        } catch {
-          // Ignore window.name failures.
+          // Ignore storage failures; the generated command remains available in the preview.
         }
       }
 
@@ -729,19 +635,7 @@
 
       function walletOptionsForCommand(command = currentCommand()) {
         const options = currentWorkspaceOptions();
-        if (!commandNeedsWallet(command)) {
-          return options.walletOptions;
-        }
-        const derivedAddress = privateKeyAddressState.derivedAddress.trim().toLowerCase();
-        if (!derivedAddress) {
-          return [];
-        }
-        return options.walletOptions.filter((walletName) => {
-          const walletEntry = options.walletEntriesByName?.[walletName];
-          return walletEntry?.l1Address
-            && derivedAddress
-            && ethers.toBigInt(walletEntry.l1Address) === ethers.toBigInt(derivedAddress);
-        });
+        return options.walletOptions;
       }
 
       function buildWorkspaceStatusMessage() {
@@ -928,175 +822,15 @@
         }, 250);
       }
 
-      function addHexPrefix(value) {
-        const normalized = String(value ?? "");
-        return normalized.startsWith("0x") || normalized.startsWith("0X") ? normalized : `0x${normalized}`;
-      }
-
-      function hexToBytes(value) {
-        const normalizedWithPrefix = addHexPrefix(value);
-        const normalized = normalizedWithPrefix.slice(2);
-        if (normalized.length === 0) {
-          return new Uint8Array();
-        }
-        return Uint8Array.from(
-          normalized.match(/.{1,2}/g).map((pair) => Number.parseInt(pair, 16)),
-        );
-      }
-
-      async function deriveScryptKeyBytes(password, saltHex) {
-        const browserEthers = window.ethers?.ethers ?? window.ethers;
-        if (browserEthers?.scryptSync) {
-          return browserEthers.getBytes(
-            browserEthers.scryptSync(textEncoder.encode(String(password)), saltHex, 16384, 8, 1, 32),
-          );
-        }
-        if (!scryptModulePromise) {
-          scryptModulePromise = import("../../../node_modules/@noble/hashes/esm/scrypt.js");
-        }
-        const { scrypt } = await scryptModulePromise;
-        return scrypt(textEncoder.encode(String(password)), hexToBytes(saltHex), {
-          N: 16384,
-          r: 8,
-          p: 1,
-          dkLen: 32,
-        });
-      }
-
-      async function deriveAddressFromPrivateKey(privateKey) {
-        const browserWalletClass = window.ethers?.Wallet ?? window.ethers?.ethers?.Wallet;
-        if (browserWalletClass) {
-          return new browserWalletClass(String(privateKey)).address;
-        }
-        if (!ethersModulePromise) {
-          ethersModulePromise = import("../../../node_modules/ethers/lib.esm/index.js");
-        }
-        const { Wallet } = await ethersModulePromise;
-        return new Wallet(String(privateKey)).address;
-      }
-
-      async function refreshPrivateKeyAddressState(privateKeyValue) {
-        const normalizedValue = String(privateKeyValue ?? "").trim();
-        privateKeyAddressState.inputValue = normalizedValue;
-
-        if (normalizedValue.length === 0) {
-          privateKeyAddressState.derivedAddress = "";
-          privateKeyAddressState.statusMessage = "";
-          return;
-        }
-
-        const currentGeneration = ++privateKeyLookupGeneration;
-        try {
-          const derivedAddress = await deriveAddressFromPrivateKey(normalizedValue);
-          if (currentGeneration !== privateKeyLookupGeneration) {
-            return;
-          }
-          privateKeyAddressState.derivedAddress = derivedAddress;
-          privateKeyAddressState.statusMessage = `L1 address: ${derivedAddress}`;
-        } catch {
-          if (currentGeneration !== privateKeyLookupGeneration) {
-            return;
-          }
-          privateKeyAddressState.derivedAddress = "";
-          privateKeyAddressState.statusMessage = "Invalid private key.";
-        }
-      }
-
-      async function decryptWalletJson(envelope, walletPassword) {
-        if (
-          envelope?.version !== walletEncryptionVersion
-          || envelope?.algorithm !== walletEncryptionAlgorithm
-          || envelope?.kdf !== "scrypt"
-        ) {
-          throw new Error("Unsupported wallet encryption envelope.");
-        }
-
-        const encryptionKeyBytes = await deriveScryptKeyBytes(walletPassword, envelope.salt);
-        const cryptoKey = await crypto.subtle.importKey("raw", encryptionKeyBytes, "AES-GCM", false, ["decrypt"]);
-        const ciphertext = hexToBytes(envelope.ciphertext);
-        const tag = hexToBytes(envelope.tag);
-        const combinedCiphertext = new Uint8Array(ciphertext.length + tag.length);
-        combinedCiphertext.set(ciphertext, 0);
-        combinedCiphertext.set(tag, ciphertext.length);
-        const plaintextBuffer = await crypto.subtle.decrypt(
-          {
-            name: "AES-GCM",
-            iv: hexToBytes(envelope.iv),
-            tagLength: 128,
-          },
-          cryptoKey,
-          combinedCiphertext,
-        );
-        return JSON.parse(textDecoder.decode(new Uint8Array(plaintextBuffer)));
-      }
-
-      function extractUnusedNoteOptions(walletJson) {
-        const notes = walletJson?.notes ?? {};
-        const unusedNotes = notes.unused ?? {};
-        const unusedOrder = Array.isArray(notes.unusedOrder) ? notes.unusedOrder : Object.keys(unusedNotes);
-        return unusedOrder
-          .map((commitment) => unusedNotes[commitment])
-          .filter((note) => note && typeof note.commitment === "string")
-          .map((note) => ({
-            value: note.commitment,
-            amountBaseUnits: String(note.value ?? "0"),
-            label: typeof note.value === "string"
-              ? `${note.commitment} (${note.value})`
-              : note.commitment,
-          }));
-      }
-
       async function refreshWalletNoteOptions() {
         if (!commandNeedsWalletNotes()) {
           return;
         }
-        if (!workspaceDirectoryState.loaded) {
-          clearWalletNoteState("Select a workspace directory to load wallet note IDs.");
-          return;
-        }
-        if (!state.wallet) {
-          clearWalletNoteState("Choose a wallet to load note IDs.");
-          return;
-        }
-        if (!state.password) {
-          clearWalletNoteState("Enter the wallet password to load note IDs.");
-          return;
-        }
-
-        const walletEntry = currentWalletEntry();
-        if (!walletEntry) {
-          clearWalletNoteState("Selected wallet is unavailable for the current network.");
-          return;
-        }
-
-        const cacheKey = `${state.network}::${state.wallet}::${state.password}`;
-        if (walletNoteState.cacheKey === cacheKey && walletNoteState.hasLoaded) {
-          return;
-        }
-
-        walletNoteState.cacheKey = cacheKey;
-        walletNoteState.statusMessage = "Loading wallet note IDs...";
-        walletNoteState.hasLoaded = false;
-
-        try {
-          const walletFileHandle = await walletEntry.handle.getFileHandle("wallet.json");
-          const walletEnvelope = JSON.parse(await (await walletFileHandle.getFile()).text());
-          const walletJson = await decryptWalletJson(walletEnvelope, state.password);
-          walletNoteState.options = extractUnusedNoteOptions(walletJson);
-          walletNoteState.canonicalAssetDecimals = Number(walletJson?.canonicalAssetDecimals ?? 18);
-          walletNoteState.walletL2Address = typeof walletJson?.l2Address === "string" ? walletJson.l2Address : "";
-          walletNoteState.statusMessage = walletNoteState.options.length === 0
-            ? "This wallet has no unused note IDs."
-            : `Loaded ${walletNoteState.options.length} unused note ID${walletNoteState.options.length === 1 ? "" : "s"}.`;
-          walletNoteState.hasLoaded = true;
-          syncSelectedNoteIdsToAvailableOptions();
-        } catch {
-          clearWalletNoteState("Unable to decrypt the selected wallet. Check the wallet and password.");
-        }
+        clearWalletNoteState("Enter note IDs manually. The CLI uses the wallet-local default secret file and the assistant does not request wallet secrets.");
       }
 
-      function needsAlchemy(command) {
-        return command.fields.includes("alchemyApiKey") && state.network !== "anvil";
+      function acceptsRpcUrl(command) {
+        return command.fields.includes("rpcUrl");
       }
 
       function currentCommand() {
@@ -1107,8 +841,9 @@
         const transferOutputs = command.id === "transfer-notes"
           ? currentTransferOutputs()
           : null;
+        const optionalFields = new Set(command.optionalFields ?? []);
         return command.fields.filter((fieldKey) => {
-          if (fieldKey === "alchemyApiKey" && !needsAlchemy(command)) {
+          if (fieldCatalog[fieldKey]?.optional || optionalFields.has(fieldKey)) {
             return false;
           }
           if (fieldKey === "amounts" && command.id === "mint-notes") {
@@ -1132,7 +867,7 @@
           : null;
 
         for (const fieldKey of command.fields) {
-          if (fieldKey === "alchemyApiKey" && !needsAlchemy(command)) {
+          if (fieldKey === "rpcUrl" && !String(state.rpcUrl ?? "").trim()) {
             continue;
           }
 
@@ -1154,45 +889,11 @@
             ? maskedSecretValues[fieldKey]
             : value;
 
-          switch (fieldKey) {
-            case "channelName":
-              appendOption(parts, "--channel-name", renderedValue);
-              break;
-            case "network":
-              appendOption(parts, "--network", renderedValue);
-              break;
-            case "alchemyApiKey":
-              appendOption(parts, "--alchemy-api-key", renderedValue);
-              break;
-            case "privateKey":
-              appendOption(parts, "--private-key", renderedValue);
-              break;
-            case "password":
-              appendOption(parts, "--password", renderedValue);
-              break;
-            case "wallet":
-              appendOption(parts, "--wallet", renderedValue);
-              break;
-            case "amount":
-              appendOption(parts, "--amount", renderedValue);
-              break;
-            case "amounts":
-              appendOption(parts, "--amounts", renderedValue);
-              break;
-            case "noteIds":
-              appendOption(parts, "--note-ids", renderedValue);
-              break;
-            case "recipients":
-              appendOption(parts, "--recipients", renderedValue);
-              break;
-            case "force":
-              parts.push("--force");
-              break;
-            case "docker":
-              parts.push("--docker");
-              break;
-            default:
-              break;
+          const fieldConfig = fieldCatalog[fieldKey];
+          if (fieldConfig?.type === "checkbox") {
+            parts.push(fieldConfig.option);
+          } else if (fieldConfig?.option) {
+            appendOption(parts, fieldConfig.option, renderedValue);
           }
         }
 
@@ -1375,11 +1076,9 @@
         placeholder.value = "";
         placeholder.textContent = !workspaceDirectoryState.loaded
           ? "Select a workspace directory for this network first"
-          : commandNeedsWallet(currentCommand()) && !privateKeyAddressState.derivedAddress
-            ? "Enter a valid L1 private key first"
-            : walletOptions.length === 0
-              ? "No wallet matches the current L1 private key"
-              : "Choose wallet";
+          : walletOptions.length === 0
+            ? "No wallet exists for this network"
+            : "Choose wallet";
         select.appendChild(placeholder);
         for (const option of walletOptions) {
           const optionEl = document.createElement("option");
@@ -1484,7 +1183,7 @@
 
         const hint = document.createElement("p");
         hint.className = "hint";
-        hint.textContent = walletNoteState.statusMessage || `Choose a wallet and enter its password to load up to ${noteSelectionLimit()} note IDs.`;
+        hint.textContent = walletNoteState.statusMessage || "Enter note IDs manually. Wallet secrets are not requested by this assistant.";
         wrapper.appendChild(hint);
 
         const totalHint = document.createElement("p");
@@ -1686,19 +1385,6 @@
             workspaceDirectoryState.statusMessage = buildWorkspaceStatusMessage();
             clearWalletNoteState();
           }
-          if (fieldKey === "privateKey") {
-            await refreshPrivateKeyAddressState(event.target.value);
-            if (memoryStatusEl) {
-              memoryStatusEl.textContent = privateKeyAddressState.statusMessage;
-            }
-            syncWorkspaceSelectionsForCurrentNetwork();
-          }
-          if (fieldKey === "password") {
-            clearWalletNoteState();
-            if (commandNeedsWalletNotes()) {
-              walletNoteState.statusMessage = "Loading wallet note IDs...";
-            }
-          }
           persistState();
           if (fieldKey === "network") {
             await refreshWalletNoteOptions();
@@ -1707,34 +1393,9 @@
           if (fieldKey === "network") {
             renderWorkspacePicker();
             renderCommandFields();
-          } else if (fieldKey === "privateKey" && commandNeedsWallet()) {
-            renderCommandFields();
-          } else if (fieldKey === "password" && commandNeedsWalletNotes()) {
-            rerenderCommandField("noteIds");
-            if (currentCommand().id === "transfer-notes") {
-              rerenderCommandField("recipients");
-            }
-            scheduleWalletNoteRefresh();
           }
         });
 
-        if (fieldKey === "password") {
-          input.addEventListener("blur", async () => {
-            if (walletNoteRefreshTimer) {
-              window.clearTimeout(walletNoteRefreshTimer);
-              walletNoteRefreshTimer = null;
-            }
-            await refreshWalletNoteOptions();
-            if (commandNeedsWalletNotes()) {
-              rerenderCommandField("noteIds");
-              if (currentCommand().id === "transfer-notes") {
-                rerenderCommandField("recipients");
-              }
-            }
-            renderPreview();
-          });
-        }
-
         label.appendChild(input);
         if (config.type === "checkbox" && config.hint) {
           const hint = document.createElement("p");
@@ -1749,20 +1410,12 @@
         memoryFieldsEl.innerHTML = "";
         [
           "network",
-          "alchemyApiKey",
-          "privateKey",
+          "rpcUrl",
+          "account",
         ].forEach((fieldKey) => {
           memoryFieldsEl.appendChild(createField(fieldKey));
         });
-        memoryStatusEl.textContent = privateKeyAddressState.statusMessage;
-        void refreshPrivateKeyAddressState(state.privateKey).then(() => {
-          memoryStatusEl.textContent = privateKeyAddressState.statusMessage;
-          syncWorkspaceSelectionsForCurrentNetwork();
-          if (currentCommand().fields.includes("wallet")) {
-            renderCommandFields();
-            renderPreview();
-          }
-        });
+        memoryStatusEl.textContent = "Use account import --private-key-file before signing commands. Optional --rpc-url is saved as the network RPC_URL for later commands.";
       }
 
       function renderCommandSelect() {
@@ -1794,7 +1447,7 @@
         }
 
         for (const fieldKey of commandOnlyFields) {
-          if (fieldKey === "alchemyApiKey" && !needsAlchemy(command)) {
+          if (fieldKey === "rpcUrl" && !acceptsRpcUrl(command)) {
             continue;
           }
           if (fieldKey === "amounts" && command.id === "transfer-notes") {
@@ -1822,9 +1475,7 @@
             : "",
         ].join("");
         warningEl.textContent = missing.length === 0
-          ? state.network === "anvil"
-            ? `Ready. --alchemy-api-key is omitted automatically on anvil.${workspaceWarnings}`
-            : `Ready.${workspaceWarnings}`
+          ? `Ready. If --rpc-url is omitted, the CLI uses the saved network RPC_URL.${workspaceWarnings}`
           : `Missing inputs: ${missing.map((fieldKey) => fieldCatalog[fieldKey].label).join(", ")}.${workspaceWarnings}`;
       }