@tokamak-private-dapps/private-state-cli 2.4.3 → 3.0.0

package/assets/service-terms.md

@@ -0,0 +1,294 @@
+# Tonigma Terms of Service
+
+Last updated: June 16, 2026
+
+## 1. Definitions
+
+For purposes of these Terms:
+
+- **Terms** means these Terms of Service.
+- **Service** means Tonigma, the Private-State DApp, related Bridge workflows, official software, official interfaces,
+  official documentation, and related materials made available by the Provider.
+- **Tonigma** means the branded user-facing name for Tokamak Private App Channels.
+- **Channel** means an opt-in Tonigma application environment with its own policy, membership rules, accounting records,
+  and Private Note records.
+- **Join Toll** means a Channel entry charge paid when a user joins a Channel.
+- **Ethereum mainnet** means the public Ethereum network.
+- **TON** means the token used with relevant Service workflows. These Terms do not state that TON itself becomes
+  private, anonymous, or untraceable.
+- **Ethereum Account** means the user's externally controlled Ethereum wallet account.
+- **Self-Custody** means that the user, not the Provider or Provider Parties, controls wallet access, keys, secret
+  material, and transaction decisions.
+- **Private Note** means a Channel-local private application record. A Private Note is not a separate asset that an
+  exchange can receive as a deposit.
+- **Bridge** means the Ethereum mainnet smart-contract path through which public deposits, withdrawals, and related
+  accounting updates are recorded.
+- **Provider** means Jehyuk Jang, the individual who officially makes the Service available. The Provider's public
+  privacy and notice contact is `cjhyuck213@gmail.com`. The Provider's stated jurisdiction is Singapore.
+- **Provider Parties** means the Provider and the Provider's affiliates, contractors, agents, service providers, and
+  authorized representatives, to the extent each acts within an authorized Service-related role.
+- **Third-Party Services** means wallets, RPC providers, exchanges, explorers, analytics providers, browsers, software
+  distribution services, operating systems, cloud services, and other services not controlled by Provider Parties.
+- **Privacy Notice** means the Provider's published privacy notice for the Service.
+
+## 2. Service Scope And Product Boundary
+
+These Terms govern access to and use of the Service.
+
+Tonigma is an opt-in private application-channel system used from a Self-Custody Ethereum Account. A Channel is not an
+exchange deposit or withdrawal network. A Private Note is not an exchange-depositable asset.
+
+Tonigma does not alter TON transfer rules on Ethereum mainnet. Provider Parties do not provide exchange deposit services,
+exchange withdrawal services, brokerage, custodial wallet services, hosted transfer services, asset recovery services,
+compliance services, or tax services.
+
+The Service is made available as open software and public-good infrastructure. Provider Parties do not operate the
+Service as a fee-generating custodial, brokerage, exchange, hosted transfer, or paid asset-management service.
+
+Join Tolls paid through the Service must not be monetized by Provider Parties. Channel policy and official on-chain
+records control any Join Toll refund or non-refund treatment. Any non-refunded Join Toll portion is not Provider Party
+revenue.
+
+Nothing in these Terms is a determination of the regulatory status of any person, entity, software, transaction, network,
+token, or service under applicable law.
+
+## 3. Acceptance And Eligibility
+
+These Terms become effective for a user when the user accepts them through an official Service interface or another
+acceptance method provided by the Provider.
+
+If the user does not accept these Terms, the user must not access, install, or use the Service.
+
+The user represents that the user has legal capacity to accept these Terms and to operate a self-custody wallet. If the
+user acts for an organization, the user represents that the user has authority to bind that organization.
+
+The user represents that use of the Service is not prohibited by laws applicable to the user.
+
+## 4. Public Ethereum Mainnet Records
+
+Ethereum mainnet transactions are public by design.
+
+Bridge deposits, Bridge withdrawals, Channel joins, registrations, accounting updates, gas-paying accounts, transaction
+submitters, transaction hashes, token amounts, timing, and related public records may be visible on Ethereum mainnet or
+through services that index Ethereum mainnet.
+
+The Service must not be used or described as a way to hide exchange-facing TON transfer records.
+
+## 5. Private Application-State Limits
+
+Tonigma is designed so public contract state does not, by itself, reconstruct some internal Private Note sender-recipient
+relationships, Private Note plaintext, or Private Note provenance by default.
+
+Tonigma does not make all user activity secret. Public records, metadata, timing, amounts, user behavior, Third-Party
+Services, wallet software, browser behavior, user disclosure, or compromised devices may reveal information.
+
+No privacy, anonymity, unlinkability, confidentiality, exchange acceptance, compliance result, legal result, tax result,
+regulatory outcome, or third-party acceptance of the user's explanation of asset history is guaranteed.
+
+## 6. Self-Custody, Secrets, And No Recovery Method
+
+The Service is designed for Self-Custody use.
+
+Provider Parties do not possess, control, store, or recover the user's Ethereum private keys, seed phrases, wallet
+secrets, spending keys, viewing keys, source files, backup files, or Private Note plaintext.
+
+The user is solely responsible for securing the user's devices, wallet software, files, backups, passwords, private
+keys, seed phrases, wallet secrets, spending keys, viewing keys, and equivalent secret material.
+
+If all required copies of a private key, seed phrase, wallet secret, spending key, viewing key, source file, backup file,
+or other required recovery material are lost, no recovery method exists for the affected access, Private Notes, funds,
+evidence, or disclosure capability.
+
+Provider Parties, support channels, websites, automated tools, and third parties do not need the user's private keys,
+seed phrases, wallet secrets, spending keys, viewing keys, or equivalent secrets to provide ordinary Service access,
+support, explanations, or guidance.
+
+The user must not share private keys, seed phrases, wallet secrets, spending keys, viewing keys, or equivalent secrets
+with any automated tool, Provider Party, support channel, website, or third party.
+
+## 7. Prohibited Use
+
+The user must not use the Service for money laundering, terrorist financing, sanctions evasion, regulatory evasion,
+illegal gambling, fraud, theft, ransomware, market manipulation, tax evasion, criminal-proceeds concealment,
+exchange-monitoring evasion, unauthorized access, cybersecurity abuse, harassment, threats, abuse of any person,
+infringement of intellectual-property, publicity, privacy, or data-protection rights, or any activity prohibited by
+applicable law.
+
+The user must not attempt to use Tonigma to make an unlawful transaction appear lawful or to conceal the source,
+ownership, control, or destination of assets.
+
+## 8. User Responsibilities
+
+The user is solely responsible for determining whether the user's use of the Service is lawful.
+
+The user is solely responsible for wallet selection, network selection, RPC selection, Channel selection, transaction
+parameters, amounts, recipients, note selection, fees, failed transactions, wrong-network use, wrong-address use, and
+irreversible confirmed transactions.
+
+The user is solely responsible for preserving source files, wallet-secret files, backup files, evidence files,
+transaction records, and disclosure material that the user may later need.
+
+The user must review applicable Channel policy before joining a Channel and must use only trustworthy software, package
+sources, websites, wallets, RPC providers, and devices.
+
+## 9. Channel Policy
+
+Joining a Channel means accepting that Channel's policy.
+
+Channel policy may include Join Tolls, refund rules, administrative roles, monitoring practices, fee rules, availability
+practices, or other operating rules.
+
+Channel operators or service operators may publish public information, but they do not control the user's Ethereum
+Account or user secrets and do not guarantee recovery of lost user secrets, lost Private Notes, lost evidence, failed
+transactions, Third-Party Service failures, or rejected exchange deposits.
+
+## 10. Public Monitoring And Evidence
+
+Public blockchain records and public Channel records may be monitored by users, exchanges, analytics providers,
+regulators, Channel operators, service operators, and other observers.
+
+Public observer or indexing services may be delayed, incomplete, unavailable, misconfigured, inconsistent with a user's
+local state, or insufficient for legal, accounting, tax, exchange, audit, or compliance review.
+
+The user may need to preserve local evidence to explain asset history, transaction history, Private Note ownership, or
+facts the user chooses to prove.
+
+Selective disclosure depends on Service features and on records preserved by the user.
+
+## 11. Third-Party Services
+
+The Service may require or interact with Third-Party Services.
+
+Provider Parties do not control Third-Party Services and are not responsible for their security, availability,
+correctness, fees, privacy practices, data retention, terms, sanctions screening, account restrictions, transaction
+policies, or failures.
+
+The user is responsible for reviewing and complying with Third-Party Service terms.
+
+## 12. Privacy And Data
+
+Public blockchain records are public and may be copied, indexed, analyzed, or retained by any person.
+
+Provider Parties may operate official interfaces that process logs, device information, network information, usage data,
+contact information, or other data.
+
+Provider Parties process certain data through official interfaces as described in the Privacy Notice. The current Privacy
+Notice is published at [Tonigma Privacy Notice](https://github.com/tokamak-network/Tokamak-zk-EVM-contracts/blob/main/docs/dapps/private-state/privacy-notice.md).
+
+Third-Party Services may collect or process user data under their own terms and privacy policies.
+
+## 13. No Professional Advice
+
+Provider Parties do not provide legal, tax, accounting, financial, investment, trading, compliance, sanctions, or
+regulatory advice through the Service.
+
+Information provided through the Service is for operational and informational purposes only.
+
+Automated tools selected, configured, or used by the user are not agents, representatives, service providers, or support
+providers of Provider Parties unless an official Service document expressly says otherwise.
+
+Provider Parties do not control and are not responsible for automated tools selected, configured, or used by the user.
+
+The user is responsible for reviewing any recommendation, explanation, or action proposed by an automated tool.
+
+The user should consult qualified professionals before making legal, tax, accounting, financial, compliance, sanctions,
+or regulatory decisions.
+
+## 14. Risk Disclosures
+
+Public blockchain systems, smart contracts, bridges, privacy-preserving cryptographic software, wallets, and RPC
+providers involve significant operational, technical, security, market, regulatory, and legal risks.
+
+Transactions recorded on Ethereum mainnet may be irreversible.
+
+Software bugs, user mistakes, compromised devices, malicious third parties, governance actions, protocol upgrades,
+network congestion, RPC failure, Bridge failure, smart-contract failure, cryptographic implementation defects, or
+changes in law may cause loss, delay, rejected transactions, unavailable services, or loss of access.
+
+Digital assets may be volatile and may lose value.
+
+The user assumes all risks permitted by applicable law.
+
+## 15. No Warranties
+
+The Service is provided "as is" and "as available" to the maximum extent permitted by applicable law.
+
+No Provider Party warrants that the software or services will be uninterrupted, secure, error-free, accurate, complete,
+compatible, available in any jurisdiction, accepted by any exchange, or suitable for any particular purpose.
+
+No Provider Party warrants any token value, transaction result, privacy result, legal result, regulatory result,
+compliance result, tax result, accounting result, third-party acceptance of the user's asset-history explanation, or
+selective-disclosure result.
+
+## 16. Limitation Of Liability
+
+The Service is non-custodial open software and public-good infrastructure, and is not operated for Provider Party
+Service revenue. The user accesses and uses the Service at the user's own risk to the maximum extent permitted by
+applicable law.
+
+To the maximum extent permitted by applicable law, Provider Parties are not liable for indirect, incidental, special,
+consequential, exemplary, punitive, or similar damages.
+
+To the maximum extent permitted by applicable law, Provider Parties are not liable for lost profits, loss of data, lost
+secrets, failed transactions, wrong transactions, loss of access, loss of assets, loss of evidence, business
+interruption, Third-Party Service failures, exchange actions, regulatory actions, tax consequences, user error, device
+compromise, or unauthorized access.
+
+To the maximum extent permitted by applicable law, Provider Parties are not liable for the user's access to, use of,
+inability to use, or reliance on the Service.
+
+Join Tolls are not Provider Party revenue. Non-refunded Join Toll amounts do not create a custodial, refund, credit,
+account-balance, or revenue-sharing relationship between the user and Provider Parties.
+
+Nothing in these Terms excludes or limits liability that cannot be excluded or limited under applicable law, including
+liability for fraud, willful misconduct, gross negligence, death, or personal injury where such exclusion or limitation is
+not permitted.
+
+## 17. User Indemnity
+
+To the maximum extent permitted by applicable law, the user must indemnify, defend, and hold harmless the Provider
+Parties from claims, damages, losses, liabilities, penalties, costs, and expenses arising from the user's breach of the
+Terms, unlawful use, misuse, violation of third-party rights, interaction with Third-Party Services, or use of the
+Service on behalf of another person or organization.
+
+## 18. Changes To Terms And Renewed Acceptance
+
+Provider Parties may update these Terms.
+
+If the current Terms differ from the Terms previously accepted by the user, the user must accept the current Terms before
+continuing to use terms-gated Service operations.
+
+Renewed acceptance may be collected only after the current Terms are displayed to the user.
+
+The Service may store acceptance metadata needed to verify whether the user accepted the current Terms.
+
+If no current acceptance record exists, or if the stored acceptance record is stale, the Service may reject terms-gated
+operations until the current Terms are displayed and the user submits the required acceptance.
+
+The user must not rely on automated output or an automated tool to accept changed Terms on the user's behalf.
+
+## 19. Suspension, Discontinuation, And Software Changes
+
+Provider Parties may modify, suspend, discontinue, or stop supporting software, documentation, official interfaces, or
+related services.
+
+Open-source smart contracts and public blockchain records may continue to exist independently of any supported
+interface.
+
+Provider Parties cannot reverse public Ethereum mainnet transactions or recover user secrets.
+
+## 20. Governing Law, Venue, Dispute Resolution, And Notices
+
+These Terms are governed by the laws of Singapore, excluding conflict-of-law rules.
+
+Subject to non-waivable rights under applicable law, disputes arising from or relating to these Terms or the Service will
+be resolved in the courts located in Singapore.
+
+These Terms do not require arbitration and do not include a class-action waiver, collective-action waiver,
+representative-action waiver, or jury-trial waiver.
+
+Provider Parties may provide notices through official Service interfaces, official websites, release notes, email, or
+other contact methods stated in these Terms.
+
+These Terms do not limit any non-waivable consumer rights or mandatory local-law rights that apply in the user's
+jurisdiction.

package/assets/tx-fees.json

@@ -60,7 +60,7 @@
     },
     {
       "command": "channel join",
-      "description": "Pay the channel join toll and register a wallet identity.",
+      "description": "Pay the channel Join Toll and register a wallet identity.",
       "transactions": [
         {
           "label": "approve",
@@ -68,7 +68,7 @@
           "function": "approve",
           "gasUsed": 45729,
           "source": "cast-local-measurement",
-          "sourceDetail": "Measured on local anvil by deploying bridge/src/mocks/MockERC20.sol and sending approve(address,uint256). channel join sends this approval only when the channel join toll is nonzero."
+          "sourceDetail": "Measured on local anvil by deploying bridge/src/mocks/MockERC20.sol and sending approve(address,uint256). channel join sends this approval only when the channel Join Toll is nonzero."
         },
         {
           "label": "joinChannel",
@@ -82,7 +82,7 @@
     },
     {
       "command": "wallet deposit-channel",
-      "description": "Move bridged funds into the channel L2 accounting vault.",
+      "description": "Move bridged funds into the channel accounting vault.",
       "transactions": [
         {
           "label": "depositToChannelVault",
@@ -98,7 +98,7 @@
     },
     {
       "command": "wallet withdraw-channel",
-      "description": "Move channel L2 accounting vault funds back into the shared bridge vault.",
+      "description": "Move channel accounting vault funds back into the shared bridge vault.",
       "transactions": [
         {
           "label": "withdrawFromChannelVault",

package/commands/account.mjs

@@ -10,15 +10,17 @@ import {
   handleDepositBridge,
   handleWithdrawBridge,
   loadExplicitCommandRuntime,
+  requireCurrentTermsAcceptanceForCommand,
 } from "../lib/runtime.mjs";
 
 export const accountCommands = Object.freeze({
   "account-get-l1-address": async (args) => {
     assertAccountGetL1AddressArgs(args);
-    handleAccountGetL1Address({ args });
+    await handleAccountGetL1Address({ args });
   },
   "account-import": async (args) => {
     assertAccountImportArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     handleAccountImport({ args });
   },
   "account-get-bridge-fund": async (args) => {
@@ -28,11 +30,13 @@ export const accountCommands = Object.freeze({
   },
   "account-deposit-bridge": async (args) => {
     assertDepositBridgeArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { network, provider } = loadExplicitCommandRuntime(args, { prepareArtifacts: true });
     await handleDepositBridge({ args, network, provider });
   },
   "account-withdraw-bridge": async (args) => {
     assertWithdrawBridgeArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { network, provider } = loadExplicitCommandRuntime(args, { prepareArtifacts: true });
     await handleWithdrawBridge({ args, network, provider });
   },

package/commands/channel.mjs

@@ -1,5 +1,6 @@
 import {
   assertCreateChannelArgs,
+  assertAbandonChannelOperationArgs,
   assertExitChannelArgs,
   assertGetChannelArgs,
   assertJoinChannelArgs,
@@ -7,6 +8,7 @@ import {
   assertRecoverWorkspaceArgs,
   assertSetWorkspaceMirrorArgs,
   handleChannelCreate,
+  handleAbandonChannelOperation,
   handleExitChannel,
   handleGetChannel,
   handleJoinChannel,
@@ -14,16 +16,19 @@ import {
   handleWorkspaceInit,
   loadExplicitCommandRuntime,
   loadWalletCommandRuntime,
+  requireCurrentTermsAcceptanceForCommand,
 } from "../lib/runtime.mjs";
 
 export const channelCommands = Object.freeze({
   "channel-create": async (args) => {
     assertCreateChannelArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { network, provider } = loadExplicitCommandRuntime(args, { prepareArtifacts: true });
     await handleChannelCreate({ args, network, provider });
   },
   "channel-recover-workspace": async (args) => {
     assertRecoverWorkspaceArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { network, provider, rpcUrl } = loadExplicitCommandRuntime(args, { staticNetwork: true, prepareArtifacts: true });
     await assertProviderChainIdMatchesNetwork({ provider, network, rpcUrl });
     await handleWorkspaceInit({ args, network, provider });
@@ -35,16 +40,25 @@ export const channelCommands = Object.freeze({
   },
   "channel-set-workspace-mirror": async (args) => {
     assertSetWorkspaceMirrorArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { network, provider } = loadExplicitCommandRuntime(args, { prepareArtifacts: true });
     await handleSetChannelWorkspaceMirror({ args, network, provider });
   },
+  "channel-abandon-operation": async (args) => {
+    assertAbandonChannelOperationArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
+    const { network, provider } = loadExplicitCommandRuntime(args, { prepareArtifacts: true });
+    await handleAbandonChannelOperation({ args, network, provider });
+  },
   "channel-join": async (args) => {
     assertJoinChannelArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { network, provider, rpcUrl } = loadExplicitCommandRuntime(args, { prepareArtifacts: true });
     await handleJoinChannel({ args, network, provider, rpcUrl });
   },
   "channel-exit": async (args) => {
     assertExitChannelArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { provider } = loadWalletCommandRuntime(args, { prepareArtifacts: true });
     await handleExitChannel({ args, provider });
   },

package/commands/index.mjs

@@ -1,6 +1,7 @@
 import {
   assertHelpCommandsArgs,
   assertVersionArgs,
+  closeBrowserWalletBridgeSession,
   cliOutput,
   configureOutput,
   parseArgs,
@@ -11,6 +12,7 @@ import { accountCommands } from "./account.mjs";
 import { channelCommands } from "./channel.mjs";
 import { investigatorCommands } from "./investigator.mjs";
 import { notesCommands } from "./notes.mjs";
+import { secretCommands } from "./secret.mjs";
 import { systemCommands } from "./system.mjs";
 import { walletCommands } from "./wallet.mjs";
 
@@ -18,6 +20,7 @@ const COMMANDS = Object.freeze({
   ...systemCommands,
   ...investigatorCommands,
   ...accountCommands,
+  ...secretCommands,
   ...channelCommands,
   ...walletCommands,
   ...notesCommands,
@@ -54,5 +57,7 @@ export async function runPrivateStateCli(argv) {
   } catch (error) {
     cliOutput.error(error, args);
     process.exitCode = 1;
+  } finally {
+    await closeBrowserWalletBridgeSession();
   }
 }

package/commands/notes.mjs

@@ -8,26 +8,31 @@ import {
   handleTransferNotes,
   handleWalletGetNotes,
   loadWalletCommandRuntime,
+  requireCurrentTermsAcceptanceForCommand,
 } from "../lib/runtime.mjs";
 
 export const notesCommands = Object.freeze({
   "wallet-mint-notes": async (args) => {
     assertMintNotesArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { provider } = loadWalletCommandRuntime(args, { prepareArtifacts: true });
     await handleMintNotes({ args, provider });
   },
   "wallet-redeem-notes": async (args) => {
     assertRedeemNotesArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { provider } = loadWalletCommandRuntime(args, { prepareArtifacts: true });
     await handleRedeemNotes({ args, provider });
   },
   "wallet-get-notes": async (args) => {
     assertWalletGetNotesArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { provider } = loadWalletCommandRuntime(args, { prepareArtifacts: true });
     await handleWalletGetNotes({ args, provider });
   },
   "wallet-transfer-notes": async (args) => {
     assertTransferNotesArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { provider } = loadWalletCommandRuntime(args, { prepareArtifacts: true });
     await handleTransferNotes({ args, provider });
   },

package/commands/secret.mjs

@@ -0,0 +1,20 @@
+import {
+  assertCreatePrivateKeySourceArgs,
+  assertCreateWalletSecretSourceArgs,
+  handleCreatePrivateKeySource,
+  handleCreateWalletSecretSource,
+  requireCurrentTermsAcceptanceForCommand,
+} from "../lib/runtime.mjs";
+
+export const secretCommands = Object.freeze({
+  "secret-create-private-key-source": async (args) => {
+    assertCreatePrivateKeySourceArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
+    await handleCreatePrivateKeySource({ args });
+  },
+  "secret-create-wallet-secret-source": async (args) => {
+    assertCreateWalletSecretSourceArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
+    await handleCreateWalletSecretSource({ args });
+  },
+});

package/commands/system.mjs

@@ -2,6 +2,7 @@ import {
   assertDoctorArgs,
   assertGuideArgs,
   assertObserverArgs,
+  assertProviderChainIdMatchesNetwork,
   assertInstallZkEvmArgs,
   assertSetRpcArgs,
   assertTransactionFeesArgs,
@@ -16,6 +17,7 @@ import {
   handleUninstall,
   handleUpdate,
   loadExplicitCommandRuntime,
+  requireCurrentTermsAcceptanceForCommand,
 } from "../lib/runtime.mjs";
 
 export const systemCommands = Object.freeze({
@@ -25,7 +27,8 @@ export const systemCommands = Object.freeze({
   },
   uninstall: async (args) => {
     assertUninstallArgs(args);
-    await handleUninstall();
+    await requireCurrentTermsAcceptanceForCommand(args);
+    await handleUninstall({ args });
   },
   "set-rpc": async (args) => {
     assertSetRpcArgs(args);
@@ -45,7 +48,9 @@ export const systemCommands = Object.freeze({
   },
   "help-observer": async (args) => {
     assertObserverArgs(args);
-    handleObserver();
+    const { network, provider, rpcUrl } = loadExplicitCommandRuntime(args, { staticNetwork: true, prepareArtifacts: true });
+    await assertProviderChainIdMatchesNetwork({ provider, network, rpcUrl });
+    await handleObserver({ args, network, provider });
   },
   "help-transaction-fees": async (args) => {
     assertTransactionFeesArgs(args);

package/commands/wallet.mjs

@@ -20,6 +20,7 @@ import {
   handleWalletImportKey,
   loadExplicitCommandRuntime,
   loadWalletCommandRuntime,
+  requireCurrentTermsAcceptanceForCommand,
 } from "../lib/runtime.mjs";
 
 export const walletCommands = Object.freeze({
@@ -29,30 +30,37 @@ export const walletCommands = Object.freeze({
   },
   "wallet-export-backup": async (args) => {
     assertWalletExportBackupArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     handleWalletExportBackup({ args });
   },
   "wallet-export-viewing-key": async (args) => {
     assertWalletExportKeyArgs(args, "wallet-export-viewing-key");
-    handleWalletExportKey({ args, keyKind: "viewing" });
+    await requireCurrentTermsAcceptanceForCommand(args);
+    await handleWalletExportKey({ args, keyKind: "viewing" });
   },
   "wallet-export-spending-key": async (args) => {
     assertWalletExportKeyArgs(args, "wallet-export-spending-key");
-    handleWalletExportKey({ args, keyKind: "spending" });
+    await requireCurrentTermsAcceptanceForCommand(args);
+    await handleWalletExportKey({ args, keyKind: "spending" });
   },
   "wallet-import-backup": async (args) => {
     assertWalletImportBackupArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     handleWalletImportBackup({ args });
   },
   "wallet-import-viewing-key": async (args) => {
     assertWalletImportKeyArgs(args, "wallet-import-viewing-key");
+    await requireCurrentTermsAcceptanceForCommand(args);
     handleWalletImportKey({ args, keyKind: "viewing" });
   },
   "wallet-import-spending-key": async (args) => {
     assertWalletImportKeyArgs(args, "wallet-import-spending-key");
+    await requireCurrentTermsAcceptanceForCommand(args);
     handleWalletImportKey({ args, keyKind: "spending" });
   },
   "wallet-recover-workspace": async (args) => {
     assertRecoverWalletArgs(args);
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { network, provider, rpcUrl } = loadExplicitCommandRuntime(args, { staticNetwork: true, prepareArtifacts: true });
     await assertProviderChainIdMatchesNetwork({ provider, network, rpcUrl });
     await handleRecoverWallet({ args, network, provider, rpcUrl });
@@ -69,11 +77,13 @@ export const walletCommands = Object.freeze({
   },
   "wallet-deposit-channel": async (args) => {
     assertWalletChannelMoveArgs(args, "wallet-deposit-channel");
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { provider } = loadWalletCommandRuntime(args, { prepareArtifacts: true });
     await handleGrothVaultMove({ args, provider, direction: "deposit" });
   },
   "wallet-withdraw-channel": async (args) => {
     assertWalletChannelMoveArgs(args, "wallet-withdraw-channel");
+    await requireCurrentTermsAcceptanceForCommand(args);
     const { provider } = loadWalletCommandRuntime(args, { prepareArtifacts: true });
     await handleGrothVaultMove({ args, provider, direction: "withdraw" });
   },

package/investigator/README.md

@@ -6,21 +6,23 @@ This directory contains a static browser tool for filtering a local raw evidence
 private-state-cli wallet get-notes \
   --network <NETWORK> \
   --wallet <WALLET> \
-  --export-evidence ./wallet-evidence.zip \
-  --acknowledge-full-note-plaintext-export
+  --export-evidence ./wallet-evidence.zip
 ```
 
-Open `index.html` in a modern browser, load the raw ZIP, choose the disclosure request type, inspect the graph, and
-build a narrower user-consent disclosure ZIP. From an installed CLI package, `private-state-cli investigator` prints
-the bundled HTML path and opens it in the default browser.
+Mainnet evidence export asks for interactive confirmation before writing plaintext note evidence;
+Sepolia and anvil evidence export do not. User-Controlled AI Agents must not confirm the export or
+receive the raw evidence ZIP. Open `index.html` in a modern browser, load the raw ZIP, choose the
+disclosure request type, inspect the graph, and build a narrower user-consent disclosure ZIP. From
+an installed CLI package, `private-state-cli investigator` prints the bundled HTML path and opens it
+in the default browser.
 
 The tool does not run a server and does not send files over the network. It reads the selected ZIP in
 the browser. It can write a new ZIP with selected note records plus directly referenced transaction,
-receipt, and event files, and it can export a Markdown ASCII-art linkage report.
+receipt, and event files, and it can export a Markdown plain-text linkage report.
 
-The raw evidence bundle contains plaintext for all locally known notes. Do not submit the raw bundle
-as an exchange or auditor package unless full wallet-history disclosure is intended. Use the
-investigator output package for scoped disclosure.
+The raw evidence bundle contains plaintext for all locally known notes and may include retained exited epochs for the
+selected wallet. Do not submit the raw bundle as an exchange or auditor package unless full wallet-history disclosure is
+intended. Use the investigator output package for scoped disclosure.
 
 The investigator accepts current epoch-aware evidence bundles only. Supported note records live under
 `wallets/<wallet>/epochs/<epoch-id>/notes/` inside the ZIP. If a bundle uses an older layout, rebuild the local wallet
@@ -34,7 +36,7 @@ workspace with `wallet recover-workspace` and export a new evidence ZIP with `wa
 - graph edges for external note creation, external note spend, and locally recoverable note-to-note linkage
 - node detail overlays showing commitment, nullifier, value, status, creation reference, spend reference, direction, and
   available counterparty metadata
-- a Markdown ASCII-art report with a compact graph section and separate note detail sections
+- a Markdown plain-text report with a compact graph section and separate note detail sections
 
 ## Supported Filtering Inputs
 
@@ -43,7 +45,7 @@ workspace with `wallet recover-workspace` and export a new evidence ZIP with `wa
 - creation or spend block range
 - current note status
 - relationship direction
-- available counterparty L2 address metadata
+- available counterparty channel-local address metadata
 - user-provided bridge deposit or withdraw transaction context
 
 Counterparty filtering is only as complete as the relationship hints present in the raw evidence