@towns-labs/wallet 7.1.0 → 7.3.0

package/README.md

@@ -1,468 +1,579 @@
-# towns wallet-cli
+# tw — Towns Wallet CLI
 
-CLI for `tw` account onboarding, session key lifecycle, and relayed transactions.
+Your keys. Your account. No signup. No login. Just run it.
 
-Built on [incur](https://github.com/wevm/incur) — every command supports `--help`, `--json`, `--format`, and can run as an MCP server via `--mcp`.
-
-## Run with bunx
+`tw` is a local-first CLI for managing smart accounts, session keys, and on-chain permissions on Towns Protocol. It works for humans at the terminal and for agents over `--json` or `--mcp`.
 
 ```bash
 bunx @towns-labs/wallet --help
 ```
 
-## Permissionless
+---
 
-`tw` is fully permissionless: no signup, no account registration, and no login flow. You can run it immediately with local keys.
+## Quick Start
 
-## Output Modes
+Create an account and send USDC in under a minute:
 
-incur handles output formatting automatically:
+```bash
+# 1. Create a local account (interactive password prompt)
+tw account create --profile main
 
-- `--json` — structured JSON output
-- `--format table` — tabular output
-- Default: human-readable text
+# 2. Fund it
+tw address --qr --amount 100
 
-## Help and Discovery
+# 3. Send USDC
+tw account send 10 vitalik.eth
+```
 
-```bash
-# Show all commands
-tw --help
+No custody service. No API key. Everything runs locally with encrypted keystores.
 
-# Show help for a specific command
-tw account create --help
+---
 
-# Machine-readable command manifest (for LLMs/agents)
-tw --llms
+## How It Works
 
-# Run as an MCP server
-tw --mcp
+`tw` manages a local keystore that holds your root key and session keys. Your root key creates and controls your on-chain smart account. Session keys are scoped signers — they can send transactions through the Towns relayer without exposing your root key.
 
-# Version
-tw --version
+```text
+~/.config/towns/tw/profiles/<env>/<profile>/default.keystore.json
+~/.config/towns/tw/profiles/<env>/<profile>/sessions/<session-name>.json
 ```
 
-## Account Create
+For agents, the session daemon keeps decrypted keys in memory for a bounded duration so automated workflows can sign without prompting for a password on every call.
+
+---
+
+## Commands
+
+### Account
 
-Create a new account (interactive password prompt):
+#### `account create` — Create a new account
 
 ```bash
-tw account create
+tw account create --profile agent
 ```
 
-Create a named profile in local dev:
+Resume a previously interrupted flow:
 
 ```bash
-tw account create --env dev --profile agent
+tw account create --resume --profile agent
 ```
 
-Keystore layout:
+Non-interactive (stdin password + JSON):
 
-```text
-~/.config/towns/tw/profiles/<env>/<profile>/default.keystore.json
-~/.config/towns/tw/profiles/<env>/<profile>/sessions/<session-name>.json
+```bash
+echo "my-password" | tw account create --password-stdin --json
 ```
 
-Resume a previously created profile:
+Use an explicit keystore path:
 
 ```bash
-tw account create --resume --env dev --profile agent
+tw account create --keystore-path ~/.config/towns/tw/profiles/prod/team/default.keystore.json
 ```
 
-Non-interactive mode (stdin password + JSON output):
+#### `account status` — Check readiness
 
 ```bash
-echo "my-password" | tw account create --password-stdin --json
+tw account status --profile agent --json
 ```
 
-Use an explicit keystore path:
+#### `account balance` — Check USDC balance
 
 ```bash
-tw account create --keystore-path ~/.config/towns/tw/profiles/dev/team/default.keystore.json --env dev
+tw account balance --profile agent
+tw account balance --profile agent --chain polygon
 ```
 
-## Account Export
-
-Export metadata only (safe default):
+#### `account address` — Print root address
 
 ```bash
-tw account export --env dev --profile agent
+tw account address --profile agent
 ```
 
-Export metadata in JSON:
+#### `account send` — Send USDC
 
 ```bash
-tw account export --env dev --profile agent --json
+tw account send 1 0x1111111111111111111111111111111111111111
+tw account send 2.5 vitalik.eth --chain base
+tw account send 10 treasury --chain polygon --json
 ```
 
-Export decrypted private keys (interactive confirmation required):
+Use a specific local session (without changing active session):
 
 ```bash
-tw account export --env dev --profile agent --show-private
+tw account send 1 0x... --profile agent --session worker-2
 ```
 
-## Account Address
-
-Print the main/root account address:
+Use a portable session file (no root keystore required):
 
 ```bash
-tw account address --env dev --profile agent
+tw account send 1 0x... --chain base --session-file ./worker-1.session.json
 ```
 
-## Address (Root Alias)
+`--session` and `--session-file` are mutually exclusive.
 
-`tw address` is a root alias for `tw account address` with optional funding display helpers.
+#### `account swap` — Swap tokens on the same chain
 
-Print address + default funding context (USDC on Base):
+Powered by [relay.link](https://relay.link). Interactive confirmation by default.
 
 ```bash
-tw address
+tw account swap --from ETH --to USDC --amount 0.1 --chain base
+tw account swap --from USDC --to ETH --amount 50 --chain base --yes --json
 ```
 
-Show a funding payment link:
+#### `account bridge` — Bridge tokens cross-chain
 
 ```bash
-tw address --link --amount 100
+tw account bridge --token USDC --amount 100 --to-chain polygon
+tw account bridge --token ETH --amount 0.5 --to-chain base --recipient 0x... --yes --json
 ```
 
-Show a QR for the same payment payload:
+#### `account delegate` — Delegate on additional chains
+
+If your account was created on Base and you need it on Polygon:
 
 ```bash
-tw address --qr --amount 100
+echo "my-password" | tw account delegate --chain polygon --profile agent --password-stdin
 ```
 
-Custom token amount requires explicit decimals:
+#### `account history` — Relayer call history
 
 ```bash
-tw address --token 0x1111111111111111111111111111111111111111 --amount 1 --decimals 18 --link
+tw account history --profile agent
+tw account history --address 0x... --limit 10 --offset 20
+tw account history --chain base,polygon --json
 ```
 
-## Account Balance
+`--limit` defaults to 20 (max 100). `offset + limit` must be <= 1000.
+
+#### `account export` — Export metadata or private keys
+
+```bash
+tw account export --profile agent --json
+tw account export --profile agent --show-private
+```
 
-Check USDC balance for the main/root account on Base (default):
+#### `account nonce` — Read account nonce
 
 ```bash
-tw account balance --env dev --profile agent
+tw account nonce --profile agent
 ```
 
-Check USDC balance on Polygon:
+#### `account update password` — Rotate keystore password
 
 ```bash
-tw account balance --env prod --profile agent --chain polygon
+tw account update password --profile agent
+printf "old\nnew\n" | tw account update password --current-password-stdin --new-password-stdin --json
 ```
 
-For local dev (`--env dev`), default chain is Anvil (`http://127.0.0.1:8545`).
+---
 
-## Account Send
+### Address
 
-Send USDC to an address:
+`tw address` is a top-level shortcut for showing your funding address with optional payment helpers.
 
 ```bash
-tw account send 1 0x1111111111111111111111111111111111111111
+tw address
+tw address --link --amount 100
+tw address --qr --amount 100
 ```
 
-Send USDC to ENS on Base:
+Custom token:
 
 ```bash
-tw account send 2.5 vitalik.eth --chain base
+tw address --token 0x... --amount 1 --decimals 18 --link
 ```
 
-Send USDC on Polygon with JSON output:
+---
+
+### Session Keys
+
+Session keys are scoped signers that can act on behalf of your account without exposing the root key.
+
+#### `session create` — Create and authorize a session key
 
 ```bash
-tw account send 10 0x1111111111111111111111111111111111111111 --chain polygon --env prod --json
+echo "my-password" | tw session create worker-1 --profile agent --password-stdin --json
 ```
 
-Send using a specific local session by name (without changing active session):
+Create and activate immediately:
 
 ```bash
-tw account send 1 0x1111111111111111111111111111111111111111 --profile agent --session worker-2
+echo "my-password" | tw session create worker-2 --profile agent --activate --password-stdin
 ```
 
-Local dev defaults to Anvil:
+Grant full wildcard access:
 
 ```bash
-tw account send 1 0x1111111111111111111111111111111111111111 --env dev
+echo "my-password" | tw session create worker-admin --profile agent --full-access --password-stdin
 ```
 
-## Contacts
+`--full-access` is mutually exclusive with `--target`, `--selector`, `--spend-limit`, `--spend-limit-raw`, and `--spend-period`. Omitting both `--target` and `--selector` uses wildcard call permissions by default.
 
-Store aliases in a global contacts file:
+Resume an interrupted flow:
 
-```text
-~/.config/towns/tw/contacts.json
+```bash
+echo "my-password" | tw session create worker-1 --profile agent --resume --password-stdin --json
 ```
 
-Add contact aliases:
+#### `session list` — List local sessions
 
 ```bash
-tw contacts add vitalik vitalik.eth
-tw contacts add treasury 0x1111111111111111111111111111111111111111
+tw session list --profile agent --json
+tw session list --profile agent --on-chain --json
 ```
 
-List or show contacts:
+#### `session rotate` — Rotate the active session
 
 ```bash
-tw contacts list --json
-tw contacts show vitalik --json
+echo "my-password" | tw session rotate --profile agent --password-stdin --json
+echo "my-password" | tw session rotate --profile agent --new-name worker-3 --password-stdin
+echo "my-password" | tw session rotate --profile agent --resume --password-stdin --json
 ```
 
-Update, rename, and remove:
+#### `session revoke` — Revoke a session on-chain
 
 ```bash
-tw contacts update vitalik 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
-tw contacts rename vitalik vitalik-main
-tw contacts remove vitalik-main
+echo "my-password" | tw session revoke worker-1 --profile agent --password-stdin --json
+echo "my-password" | tw session revoke worker-2 --profile agent --force --password-stdin
+echo "my-password" | tw session revoke worker-2 --profile agent --resume --password-stdin --json
 ```
 
-Export and import:
+#### `session export` — Export as portable file
 
 ```bash
-tw contacts export --json
-tw contacts import ./contacts.json --json
-tw contacts import ./contacts.json --force --json
+TW_PASSWORD="my-password" TW_EXPORT_PASSWORD="export-password" \
+  tw session export worker-1 --profile agent --output ./worker-1.session.json
 ```
 
-Import returns deterministic summary fields:
+Or via stdin:
 
-- `importedCount`
-- `skippedInvalidCount`
-- `skippedConflictCount`
-- `overwrittenCount`
+```bash
+echo "export-password" | tw session export worker-1 --profile agent \
+  --output ./worker-1.session.json --export-password-stdin
+```
 
-Send via alias:
+#### `session import` — Import a portable session
 
 ```bash
-tw account send 10 vitalik
+tw session import ./worker-1.session.json --profile worker-1
 ```
 
-ENS safety behavior for ENS-backed contacts:
+Creates a session-only profile that can execute `account send` but cannot run manager commands requiring a root keystore.
 
-- If ENS re-resolution fails, `tw account send` falls back to the stored address.
-- If ENS re-resolution succeeds but points to a different address than stored, send aborts and requires explicit `tw contacts update`.
+---
 
-Send with a portable session file (no root keystore required):
+### Session Daemon
+
+The daemon holds decrypted session keys in memory so automated workflows can sign without re-entering passwords.
+
+#### `session start` — Start the daemon
 
 ```bash
-tw account send 1 0x1111111111111111111111111111111111111111 \
-  --env prod --chain base --session-file ./worker-1.session.json
+tw session start --json
+tw session start --foreground --json
 ```
 
-`--session` and `--session-file` are mutually exclusive.
+Idempotent — if already running, returns the active pid/socket.
 
-## Account Status
-
-Show compact readiness status:
+#### `session unlock` — Load a key into daemon memory
 
 ```bash
-tw account status --env dev --profile agent
+echo "my-password" | tw session unlock worker-1 --profile agent --password-stdin --duration 15m --json
 ```
 
-JSON output for automation:
+Key material stays in daemon memory only; encrypted files remain unchanged.
+
+#### `session lock` — Remove a key from daemon memory
 
 ```bash
-tw account status --env prod --profile agent --chain polygon --json
+tw session lock worker-1 --json
 ```
 
-## Account Update Password
-
-Rotate local keystore encryption password (interactive):
+#### `session status` — Check daemon health
 
 ```bash
-tw account update password --env dev --profile agent
+tw session status --json
 ```
 
-Rotate password non-interactively using stdin lines:
+#### `session stop` — Shut down the daemon
 
 ```bash
-printf "old-password\nnew-password\n" | tw account update password --current-password-stdin --new-password-stdin --json
+tw session stop --json
 ```
 
-## Session Create
+---
+
+### Permissions
+
+Fine-grained on-chain permission rules for session keys.
 
-Create and authorize a scoped session key in one intent:
+#### `permissions list` — List keys and their permissions
 
 ```bash
-echo "my-password" | tw session create worker-1 --profile agent --password-stdin --json
+tw permissions list --profile agent --json
 ```
 
-Create and activate immediately:
+#### `permissions show` — Show rules for a specific key
 
 ```bash
-echo "my-password" | tw session create worker-2 --profile agent --activate --password-stdin
+tw permissions show agent-key --profile agent --json
+tw permissions show --key-hash 0xaaa... --profile agent --json
 ```
 
-Resume a previously interrupted create flow:
+#### `permissions grant` — Grant a permission rule
+
+Wildcard call permission:
 
 ```bash
-echo "my-password" | tw session create worker-1 --profile agent --resume --password-stdin --json
+echo "my-password" | tw permissions grant agent-key --type call --target any --selector any --profile agent --password-stdin --json
 ```
 
-Grant full wildcard access (explicit opt-in):
+Daily USDC spend limit:
 
 ```bash
-echo "my-password" | tw session create worker-admin --profile agent --full-access --password-stdin
+echo "my-password" | tw permissions grant agent-key --type spend --token USDC --spend-limit 100 --period day --profile agent --password-stdin --json
 ```
 
-`--full-access` is mutually exclusive with `--target`, `--selector`, `--spend-limit`, `--spend-limit-raw`, and `--spend-period`.
-Omitting both `--target` and `--selector` uses wildcard call permissions by default; you do not need to pass magic wildcard values.
-`--spend-limit` accepts human USDC amounts (for example `10` = `10 USDC`). Use `--spend-limit-raw` for base units.
+Use `--spend-limit-raw` for base units instead of human amounts.
 
-## Session List
+#### `permissions revoke` — Revoke permission rules
 
-List local sessions:
+Revoke a single rule:
 
 ```bash
-tw session list --profile agent --json
+echo "my-password" | tw permissions revoke agent-key --rule call:0x...:0xa9059cbb --profile agent --password-stdin --json
 ```
 
-Include on-chain key status:
+Revoke all rules for a key:
 
 ```bash
-tw session list --profile agent --on-chain --json
+echo "my-password" | tw permissions revoke agent-key --all --profile agent --password-stdin --json
 ```
 
-## Session Export
+---
+
+### Escrow
+
+USDC escrow: lock funds as buyer with a seller and oracle; settle (oracle signs) or refund after deadline.
 
-Export a session key as a portable file:
+#### `escrow create` — Create a new USDC escrow
 
 ```bash
-TW_PASSWORD="my-password" TW_EXPORT_PASSWORD="export-password" \
-  tw session export worker-1 --profile agent --output ./worker-1.session.json
+tw escrow create 50 0x1111111111111111111111111111111111111111 \
+  --oracle 0x2222222222222222222222222222222222222222 --deadline 24h
+tw escrow create 100 0x... --oracle 0x... --deadline 2d --chain base --env prod --json
 ```
 
-Or provide the export password via stdin:
+- **Amount** and **seller** are positional; **oracle** and **deadline** are required options.
+- **Deadline**: relative (`1h`, `2d`, `30m`, `1w`) or unix timestamp. After deadline, anyone can call `escrow refund`.
+- Optional **salt** (hex, up to 12 bytes) for unique escrow IDs on repeated orders.
+- Uses session key (daemon or direct) to sign; supports `--session-file` like `account send`.
+
+#### `escrow status` — Check on-chain status
 
 ```bash
-echo "export-password" | tw session export worker-1 --profile agent \
-  --output ./worker-1.session.json --export-password-stdin
+tw escrow status 0x<64 hex chars> --env prod
+tw escrow status 0x... --chain base --json
 ```
 
-## Session Import
+Escrow ID must be the full 32-byte hex (0x + 64 hex chars), e.g. from `escrow create` output.
 
-Import a portable session as a session-only profile:
+#### `escrow settle` — Settle (release USDC to seller)
+
+Oracle signs a settlement; any account can submit the signed settlement via relayer.
 
 ```bash
-tw session import ./worker-1.session.json --profile worker-1
+TW_ORACLE_PRIVATE_KEY=0x... tw escrow settle 0x<escrowId> \
+  --settlement-id 0x<orderId> --oracle 0x2222... --profile agent
 ```
 
-This creates:
+Or with pre-signed signature (oracle signs offline):
 
 ```bash
-~/.config/towns/tw/profiles/worker-1/session.json
+tw escrow settle 0x<escrowId> --settlement-id 0x... --oracle 0x... --signature 0x... --profile agent
 ```
 
-Session-only profiles can execute `account send` but cannot run manager commands that require a root keystore.
+Settlement ID is the bytes32 order ID used at creation (see create output or `escrow status`).
 
-## Session Rotate
+#### `escrow refund` — Refund to buyer after deadline
 
-Rotate the active session (auto-generates new name):
+Permissionless: after the escrow deadline, anyone can trigger refund to the buyer.
 
 ```bash
-echo "my-password" | tw session rotate --profile agent --password-stdin --json
+tw escrow refund 0x<escrowId> --profile agent
+tw escrow refund 0x<escrowId> --env prod --json
 ```
 
-Rotate to an explicit new session name:
+---
 
-```bash
-echo "my-password" | tw session rotate --profile agent --new-name worker-3 --password-stdin
+### Contacts
+
+Store recipient aliases so you never have to copy-paste addresses.
+
+```text
+~/.config/towns/tw/contacts.json
 ```
 
-`--full-access` is mutually exclusive with `--target`, `--selector`, `--spend-limit`, `--spend-limit-raw`, and `--spend-period`.
-Omitting both `--target` and `--selector` uses wildcard call permissions by default; you do not need to pass magic wildcard values.
-`--spend-limit` accepts human USDC amounts (for example `10` = `10 USDC`). Use `--spend-limit-raw` for base units.
+```bash
+tw contacts add vitalik vitalik.eth
+tw contacts add treasury 0x1111111111111111111111111111111111111111
+tw contacts list --json
+tw contacts show vitalik --json
+tw contacts update vitalik 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
+tw contacts rename vitalik vitalik-main
+tw contacts remove vitalik-main
+```
 
-Resume interrupted rotation:
+Export and import:
 
 ```bash
-echo "my-password" | tw session rotate --profile agent --resume --password-stdin --json
+tw contacts export --json
+tw contacts import ./contacts.json --json
+tw contacts import ./contacts.json --force --json
 ```
 
-## Session Revoke
+Import returns `importedCount`, `skippedInvalidCount`, `skippedConflictCount`, and `overwrittenCount`.
 
-Revoke a non-active session on-chain, verify, then delete local file:
+Send via alias:
 
 ```bash
-echo "my-password" | tw session revoke worker-1 --profile agent --password-stdin --json
+tw account send 10 vitalik
 ```
 
-Force revoke active session:
+ENS safety: if ENS re-resolves to a different address than stored, send aborts and requires `tw contacts update`.
 
-```bash
-echo "my-password" | tw session revoke worker-2 --profile agent --force --password-stdin
+---
+
+### Agents
+
+Agents are session-key-backed Towns identities with their own encryption device and named channel bindings — built for autonomous agent-to-agent communication.
+
+```text
+~/.config/towns/tw/profiles/<env>/<profile>/sessions/agent-<name>.json
+~/.config/towns/tw/profiles/<env>/<profile>/agent-channels.json
 ```
 
-Idempotent retry/cleanup when already revoked on-chain:
+#### `agent create` / `agent list` / `agent remove`
 
 ```bash
-echo "my-password" | tw session revoke worker-2 --profile agent --resume --password-stdin --json
+TW_PASSWORD="my-password" tw agent create alice --profile agent
+TW_PASSWORD="my-password" tw agent create bob --profile agent
+TW_PASSWORD="my-password" tw agent list --profile agent --json
+TW_PASSWORD="my-password" tw agent remove bob --profile agent
 ```
 
-## Permissions List
+#### `agent connect` — Create or bind a named channel
 
-List all on-chain keys with summarized call/spend permissions:
+First side creates the channel and returns the shared secret:
 
 ```bash
-tw permissions list --profile agent --json
+TW_PASSWORD="my-password" tw agent connect --from alice --channel art --to bob --profile agent
 ```
 
-## Permissions Show
-
-Show full permission rules for a key using positional `<key-ref>`:
+Second side binds using that secret:
 
 ```bash
-tw permissions show agent-key --profile agent --json
+TW_PASSWORD="my-password" tw agent connect --from bob --channel art --secret "<shared-secret>" --to alice --profile agent
 ```
 
-Explicit selectors are also supported:
+#### `agent send` — Send a message
+
+To a named channel:
 
 ```bash
-tw permissions show --key-hash 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --profile agent --json
+TW_PASSWORD="my-password" tw agent send --from alice --channel art "hello from alice" --profile agent
 ```
 
-## Permissions Grant
-
-Grant wildcard call permission:
+To a raw stream ID:
 
 ```bash
-echo "my-password" | tw permissions grant agent-key --type call --target any --selector any --profile agent --password-stdin --json
+TW_PASSWORD="my-password" tw agent send --from alice 77aaa... "debug message" --profile agent
 ```
 
-Grant spend permission for daily USDC limit:
+#### `agent listen` — Listen for messages
 
 ```bash
-echo "my-password" | tw permissions grant agent-key --type spend --token USDC --spend-limit 100 --period day --profile agent --password-stdin --json
+TW_PASSWORD="my-password" tw agent listen --from bob --channel art --profile agent
+TW_PASSWORD="my-password" tw agent listen --from bob --stream 77aaa... --profile agent
+```
+
+Messages arrive as NDJSON:
+
+```json
+{
+  "type": "message",
+  "streamId": "77...",
+  "senderId": "0x...",
+  "eventId": "0x...",
+  "timestamp": 1709654400,
+  "content": "hello from alice"
+}
 ```
 
-For raw base units instead of human USDC amounts, use:
+#### `agent channels` — Inspect bindings
 
 ```bash
-echo "my-password" | tw permissions grant agent-key --type spend --token USDC --spend-limit-raw 100000000 --period day --profile agent --password-stdin --json
+TW_PASSWORD="my-password" tw agent channels --from alice --profile agent --json
 ```
 
-## Permissions Revoke
+#### Agent Quickstart
+
+```bash
+# Create profile + two agents
+tw account create --profile agent
+TW_PASSWORD="pw" tw agent create alice --profile agent
+TW_PASSWORD="pw" tw agent create bob --profile agent
+
+# Alice creates a channel → copy the returned secret
+TW_PASSWORD="pw" tw agent connect --from alice --channel art --to bob --profile agent
+
+# Bob binds with that secret
+TW_PASSWORD="pw" tw agent connect --from bob --channel art --secret "<secret>" --to alice --profile agent
 
-Revoke one rule by stable rule id:
+# Terminal 1: listen
+TW_PASSWORD="pw" tw agent listen --from bob --channel art --profile agent
+
+# Terminal 2: send
+TW_PASSWORD="pw" tw agent send --from alice --channel art "hello" --profile agent
+```
+
+Smoke test:
 
 ```bash
-echo "my-password" | tw permissions revoke agent-key --rule call:0x2222222222222222222222222222222222222222:0xa9059cbb --profile agent --password-stdin --json
+cd packages/wallet
+TW_PASSWORD="my-password" bun run smoke:agent
 ```
 
-Revoke all call/spend rules for a key:
+---
+
+## Agent & Automation Integration
+
+Every command supports `--json` for machine-readable output. Treat JSON output schemas as the stable contract.
 
 ```bash
-echo "my-password" | tw permissions revoke agent-key --all --profile agent --password-stdin --json
+tw <command> --json
 ```
 
-## Password Automation
+### Password Automation
 
-Use `TW_PASSWORD` for non-interactive flows:
+Use `TW_PASSWORD` to skip interactive prompts:
 
 ```bash
 TW_PASSWORD="my-password" tw session list --profile agent --json
 ```
 
-Stdin is supported for commands requiring keystore decryption/signing:
+Or pipe via stdin for commands that accept `--password-stdin`:
 
 ```bash
 echo "my-password" | tw session rotate --profile agent --password-stdin --json
 ```
+
+### Discovery
+
+```bash
+tw --help              # All commands
+tw account send --help # Command-specific help
+tw --llms              # Machine-readable command manifest
+tw --mcp               # Run as MCP server
+tw --version           # Version
+```