npm - @towns-labs/wallet - Versions diffs - 7.2.0 → 7.3.0 - Mend

@towns-labs/wallet 7.2.0 → 7.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,74 +1,64 @@
-# towns wallet-cli
+# tw — Towns Wallet CLI
-CLI for `tw` account onboarding, session key lifecycle, and relayed transactions.
+Your keys. Your account. No signup. No login. Just run it.
-Built on [incur](https://github.com/wevm/incur) — every command supports `--help`, `--json`, `--format`, and can run as an MCP server via `--mcp`.
-## Run with bunx
+`tw` is a local-first CLI for managing smart accounts, session keys, and on-chain permissions on Towns Protocol. It works for humans at the terminal and for agents over `--json` or `--mcp`.
 ```bash
 bunx @towns-labs/wallet --help
 ```
-## Permissionless
+---
-`tw` is fully permissionless: no signup, no account registration, and no login flow. You can run it immediately with local keys.
+## Quick Start
-## Output Modes
+Create an account and send USDC in under a minute:
-incur handles output formatting automatically:
+```bash
+# 1. Create a local account (interactive password prompt)
+tw account create --profile main
-- `--json` — structured JSON output
-- `--format table` — tabular output
-- Default: human-readable text
+# 2. Fund it
+tw address --qr --amount 100
-## Help and Discovery
+# 3. Send USDC
+tw account send 10 vitalik.eth
+```
-```bash
-# Show all commands
-tw --help
+No custody service. No API key. Everything runs locally with encrypted keystores.
-# Show help for a specific command
-tw account create --help
+---
-# Machine-readable command manifest (for LLMs/agents)
-tw --llms
+## How It Works
-# Run as an MCP server
-tw --mcp
+`tw` manages a local keystore that holds your root key and session keys. Your root key creates and controls your on-chain smart account. Session keys are scoped signers — they can send transactions through the Towns relayer without exposing your root key.
-# Version
-tw --version
+```text
+~/.config/towns/tw/profiles/<env>/<profile>/default.keystore.json
+~/.config/towns/tw/profiles/<env>/<profile>/sessions/<session-name>.json
 ```
-## Account Create
+For agents, the session daemon keeps decrypted keys in memory for a bounded duration so automated workflows can sign without prompting for a password on every call.
-Create a new account (interactive password prompt):
+---
-```bash
-tw account create
-```
+## Commands
-Create a named profile:
+### Account
+#### `account create` — Create a new account
 ```bash
 tw account create --profile agent
 ```
-Keystore layout:
-```text
-~/.config/towns/tw/profiles/<env>/<profile>/default.keystore.json
-~/.config/towns/tw/profiles/<env>/<profile>/sessions/<session-name>.json
-```
-Resume a previously created profile:
+Resume a previously interrupted flow:
 ```bash
 tw account create --resume --profile agent
 ```
-Non-interactive mode (stdin password + JSON output):
+Non-interactive (stdin password + JSON):
 ```bash
 echo "my-password" | tw account create --password-stdin --json
@@ -80,461 +70,434 @@ Use an explicit keystore path:
 tw account create --keystore-path ~/.config/towns/tw/profiles/prod/team/default.keystore.json
 ```
-## Account Export
-Export metadata only (safe default):
-```bash
-tw account export --profile agent
-```
-Export metadata in JSON:
+#### `account status` — Check readiness
 ```bash
-tw account export --profile agent --json
+tw account status --profile agent --json
 ```
-Export decrypted private keys (interactive confirmation required):
+#### `account balance` — Check USDC balance
 ```bash
-tw account export --profile agent --show-private
+tw account balance --profile agent
+tw account balance --profile agent --chain polygon
 ```
-## Account Address
-Print the main/root account address:
+#### `account address` — Print root address
 ```bash
 tw account address --profile agent
 ```
-## Address (Root Alias)
-`tw address` is a root alias for `tw account address` with optional funding display helpers.
-Print address + default funding context (USDC on Base):
+#### `account send` — Send USDC
 ```bash
-tw address
+tw account send 1 0x1111111111111111111111111111111111111111
+tw account send 2.5 vitalik.eth --chain base
+tw account send 10 treasury --chain polygon --json
 ```
-Show a funding payment link:
+Use a specific local session (without changing active session):
 ```bash
-tw address --link --amount 100
+tw account send 1 0x... --profile agent --session worker-2
 ```
-Show a QR for the same payment payload:
+Use a portable session file (no root keystore required):
 ```bash
-tw address --qr --amount 100
+tw account send 1 0x... --chain base --session-file ./worker-1.session.json
 ```
-Custom token amount requires explicit decimals:
-```bash
-tw address --token 0x1111111111111111111111111111111111111111 --amount 1 --decimals 18 --link
-```
+`--session` and `--session-file` are mutually exclusive.
-## Account Balance
+#### `account swap` — Swap tokens on the same chain
-Check USDC balance for the main/root account on Base (default):
+Powered by [relay.link](https://relay.link). Interactive confirmation by default.
 ```bash
-tw account balance --profile agent
+tw account swap --from ETH --to USDC --amount 0.1 --chain base
+tw account swap --from USDC --to ETH --amount 50 --chain base --yes --json
 ```
-Check USDC balance on Polygon:
+#### `account bridge` — Bridge tokens cross-chain
 ```bash
-tw account balance --profile agent --chain polygon
+tw account bridge --token USDC --amount 100 --to-chain polygon
+tw account bridge --token ETH --amount 0.5 --to-chain base --recipient 0x... --yes --json
 ```
-## Account Send
+#### `account delegate` — Delegate on additional chains
-Send USDC to an address:
+If your account was created on Base and you need it on Polygon:
 ```bash
-tw account send 1 0x1111111111111111111111111111111111111111
+echo "my-password" | tw account delegate --chain polygon --profile agent --password-stdin
 ```
-Send USDC to ENS on Base:
+#### `account history` — Relayer call history
 ```bash
-tw account send 2.5 vitalik.eth --chain base
+tw account history --profile agent
+tw account history --address 0x... --limit 10 --offset 20
+tw account history --chain base,polygon --json
 ```
-Send USDC on Polygon with JSON output:
+`--limit` defaults to 20 (max 100). `offset + limit` must be <= 1000.
+#### `account export` — Export metadata or private keys
 ```bash
-tw account send 10 0x1111111111111111111111111111111111111111 --chain polygon --json
+tw account export --profile agent --json
+tw account export --profile agent --show-private
 ```
-Send using a specific local session by name (without changing active session):
+#### `account nonce` — Read account nonce
 ```bash
-tw account send 1 0x1111111111111111111111111111111111111111 --profile agent --session worker-2
+tw account nonce --profile agent
 ```
-## Account History
-Get paginated relayer call history for an EOA. By default this uses your local profile root EOA from keystore:
+#### `account update password` — Rotate keystore password
 ```bash
-tw account history --profile agent
+tw account update password --profile agent
+printf "old\nnew\n" | tw account update password --current-password-stdin --new-password-stdin --json
 ```
-Query an explicit EOA (without reading local keystore):
+---
+### Address
+`tw address` is a top-level shortcut for showing your funding address with optional payment helpers.
 ```bash
-tw account history --address 0x1111111111111111111111111111111111111111 --limit 10 --offset 20
+tw address
+tw address --link --amount 100
+tw address --qr --amount 100
 ```
-Filter by one or more chains:
+Custom token:
 ```bash
-tw account history --chain base,polygon --json
+tw address --token 0x... --amount 1 --decimals 18 --link
 ```
-Notes:
+---
-- `--limit` defaults to `20` and max is `100`
-- `--offset` defaults to `0`
-- `offset + limit` must be `<= 1000`
-- History queries are EOA-based (root EOA), not delegated account address
+### Session Keys
-## Contacts
+Session keys are scoped signers that can act on behalf of your account without exposing the root key.
-Store aliases in a global contacts file:
+#### `session create` — Create and authorize a session key
-```text
-~/.config/towns/tw/contacts.json
+```bash
+echo "my-password" | tw session create worker-1 --profile agent --password-stdin --json
 ```
-Add contact aliases:
+Create and activate immediately:
 ```bash
-tw contacts add vitalik vitalik.eth
-tw contacts add treasury 0x1111111111111111111111111111111111111111
+echo "my-password" | tw session create worker-2 --profile agent --activate --password-stdin
 ```
-List or show contacts:
+Grant full wildcard access:
 ```bash
-tw contacts list --json
-tw contacts show vitalik --json
+echo "my-password" | tw session create worker-admin --profile agent --full-access --password-stdin
 ```
-Update, rename, and remove:
+`--full-access` is mutually exclusive with `--target`, `--selector`, `--spend-limit`, `--spend-limit-raw`, and `--spend-period`. Omitting both `--target` and `--selector` uses wildcard call permissions by default.
+Resume an interrupted flow:
 ```bash
-tw contacts update vitalik 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
-tw contacts rename vitalik vitalik-main
-tw contacts remove vitalik-main
+echo "my-password" | tw session create worker-1 --profile agent --resume --password-stdin --json
 ```
-Export and import:
+#### `session list` — List local sessions
 ```bash
-tw contacts export --json
-tw contacts import ./contacts.json --json
-tw contacts import ./contacts.json --force --json
+tw session list --profile agent --json
+tw session list --profile agent --on-chain --json
 ```
-Import returns deterministic summary fields:
-- `importedCount`
-- `skippedInvalidCount`
-- `skippedConflictCount`
-- `overwrittenCount`
-Send via alias:
+#### `session rotate` — Rotate the active session
 ```bash
-tw account send 10 vitalik
+echo "my-password" | tw session rotate --profile agent --password-stdin --json
+echo "my-password" | tw session rotate --profile agent --new-name worker-3 --password-stdin
+echo "my-password" | tw session rotate --profile agent --resume --password-stdin --json
 ```
-ENS safety behavior for ENS-backed contacts:
-- If ENS re-resolution fails, `tw account send` falls back to the stored address.
-- If ENS re-resolution succeeds but points to a different address than stored, send aborts and requires explicit `tw contacts update`.
-Send with a portable session file (no root keystore required):
+#### `session revoke` — Revoke a session on-chain
 ```bash
-tw account send 1 0x1111111111111111111111111111111111111111 \
-  --chain base --session-file ./worker-1.session.json
+echo "my-password" | tw session revoke worker-1 --profile agent --password-stdin --json
+echo "my-password" | tw session revoke worker-2 --profile agent --force --password-stdin
+echo "my-password" | tw session revoke worker-2 --profile agent --resume --password-stdin --json
 ```
-`--session` and `--session-file` are mutually exclusive.
-## Account Status
-Show compact readiness status:
+#### `session export` — Export as portable file
 ```bash
-tw account status --profile agent
+TW_PASSWORD="my-password" TW_EXPORT_PASSWORD="export-password" \
+  tw session export worker-1 --profile agent --output ./worker-1.session.json
 ```
-JSON output for automation:
+Or via stdin:
 ```bash
-tw account status --profile agent --chain polygon --json
+echo "export-password" | tw session export worker-1 --profile agent \
+  --output ./worker-1.session.json --export-password-stdin
 ```
-## Account Update Password
-Rotate local keystore encryption password (interactive):
+#### `session import` — Import a portable session
 ```bash
-tw account update password --profile agent
+tw session import ./worker-1.session.json --profile worker-1
 ```
-Rotate password non-interactively using stdin lines:
+Creates a session-only profile that can execute `account send` but cannot run manager commands requiring a root keystore.
-```bash
-printf "old-password\nnew-password\n" | tw account update password --current-password-stdin --new-password-stdin --json
-```
+---
-## Session Create
+### Session Daemon
-Create and authorize a scoped session key in one intent:
+The daemon holds decrypted session keys in memory so automated workflows can sign without re-entering passwords.
+#### `session start` — Start the daemon
 ```bash
-echo "my-password" | tw session create worker-1 --profile agent --password-stdin --json
+tw session start --json
+tw session start --foreground --json
 ```
-Create and activate immediately:
+Idempotent — if already running, returns the active pid/socket.
+#### `session unlock` — Load a key into daemon memory
 ```bash
-echo "my-password" | tw session create worker-2 --profile agent --activate --password-stdin
+echo "my-password" | tw session unlock worker-1 --profile agent --password-stdin --duration 15m --json
 ```
-Resume a previously interrupted create flow:
+Key material stays in daemon memory only; encrypted files remain unchanged.
+#### `session lock` — Remove a key from daemon memory
 ```bash
-echo "my-password" | tw session create worker-1 --profile agent --resume --password-stdin --json
+tw session lock worker-1 --json
 ```
-Grant full wildcard access (explicit opt-in):
+#### `session status` — Check daemon health
 ```bash
-echo "my-password" | tw session create worker-admin --profile agent --full-access --password-stdin
+tw session status --json
 ```
-`--full-access` is mutually exclusive with `--target`, `--selector`, `--spend-limit`, `--spend-limit-raw`, and `--spend-period`.
-Omitting both `--target` and `--selector` uses wildcard call permissions by default; you do not need to pass magic wildcard values.
-`--spend-limit` accepts human USDC amounts (for example `10` = `10 USDC`). Use `--spend-limit-raw` for base units.
-## Session List
-List local sessions:
+#### `session stop` — Shut down the daemon
 ```bash
-tw session list --profile agent --json
+tw session stop --json
 ```
-Include on-chain key status:
+---
-```bash
-tw session list --profile agent --on-chain --json
-```
+### Permissions
-## Session Export
+Fine-grained on-chain permission rules for session keys.
-Export a session key as a portable file:
+#### `permissions list` — List keys and their permissions
 ```bash
-TW_PASSWORD="my-password" TW_EXPORT_PASSWORD="export-password" \
-  tw session export worker-1 --profile agent --output ./worker-1.session.json
+tw permissions list --profile agent --json
 ```
-Or provide the export password via stdin:
+#### `permissions show` — Show rules for a specific key
 ```bash
-echo "export-password" | tw session export worker-1 --profile agent \
-  --output ./worker-1.session.json --export-password-stdin
+tw permissions show agent-key --profile agent --json
+tw permissions show --key-hash 0xaaa... --profile agent --json
 ```
-## Session Import
+#### `permissions grant` — Grant a permission rule
-Import a portable session as a session-only profile:
+Wildcard call permission:
 ```bash
-tw session import ./worker-1.session.json --profile worker-1
+echo "my-password" | tw permissions grant agent-key --type call --target any --selector any --profile agent --password-stdin --json
 ```
-This creates:
+Daily USDC spend limit:
 ```bash
-~/.config/towns/tw/profiles/worker-1/session.json
+echo "my-password" | tw permissions grant agent-key --type spend --token USDC --spend-limit 100 --period day --profile agent --password-stdin --json
 ```
-Session-only profiles can execute `account send` but cannot run manager commands that require a root keystore.
+Use `--spend-limit-raw` for base units instead of human amounts.
-## Session Rotate
+#### `permissions revoke` — Revoke permission rules
-Rotate the active session (auto-generates new name):
+Revoke a single rule:
 ```bash
-echo "my-password" | tw session rotate --profile agent --password-stdin --json
+echo "my-password" | tw permissions revoke agent-key --rule call:0x...:0xa9059cbb --profile agent --password-stdin --json
 ```
-Rotate to an explicit new session name:
+Revoke all rules for a key:
 ```bash
-echo "my-password" | tw session rotate --profile agent --new-name worker-3 --password-stdin
+echo "my-password" | tw permissions revoke agent-key --all --profile agent --password-stdin --json
 ```
-`--full-access` is mutually exclusive with `--target`, `--selector`, `--spend-limit`, `--spend-limit-raw`, and `--spend-period`.
-Omitting both `--target` and `--selector` uses wildcard call permissions by default; you do not need to pass magic wildcard values.
-`--spend-limit` accepts human USDC amounts (for example `10` = `10 USDC`). Use `--spend-limit-raw` for base units.
+---
-Resume interrupted rotation:
+### Escrow
-```bash
-echo "my-password" | tw session rotate --profile agent --resume --password-stdin --json
-```
+USDC escrow: lock funds as buyer with a seller and oracle; settle (oracle signs) or refund after deadline.
-## Session Revoke
-Revoke a non-active session on-chain, verify, then delete local file:
+#### `escrow create` — Create a new USDC escrow
 ```bash
-echo "my-password" | tw session revoke worker-1 --profile agent --password-stdin --json
+tw escrow create 50 0x1111111111111111111111111111111111111111 \
+  --oracle 0x2222222222222222222222222222222222222222 --deadline 24h
+tw escrow create 100 0x... --oracle 0x... --deadline 2d --chain base --env prod --json
 ```
-Force revoke active session:
-```bash
-echo "my-password" | tw session revoke worker-2 --profile agent --force --password-stdin
-```
+- **Amount** and **seller** are positional; **oracle** and **deadline** are required options.
+- **Deadline**: relative (`1h`, `2d`, `30m`, `1w`) or unix timestamp. After deadline, anyone can call `escrow refund`.
+- Optional **salt** (hex, up to 12 bytes) for unique escrow IDs on repeated orders.
+- Uses session key (daemon or direct) to sign; supports `--session-file` like `account send`.
-Idempotent retry/cleanup when already revoked on-chain:
+#### `escrow status` — Check on-chain status
 ```bash
-echo "my-password" | tw session revoke worker-2 --profile agent --resume --password-stdin --json
+tw escrow status 0x<64 hex chars> --env prod
+tw escrow status 0x... --chain base --json
 ```
-## Agent Commands
+Escrow ID must be the full 32-byte hex (0x + 64 hex chars), e.g. from `escrow create` output.
-Agents are session-key-backed Towns identities with their own encryption device and named channel bindings.
+#### `escrow settle` — Settle (release USDC to seller)
-Agent keystore files live alongside normal sessions:
+Oracle signs a settlement; any account can submit the signed settlement via relayer.
-```text
-~/.config/towns/tw/profiles/<env>/<profile>/sessions/agent-<name>.json
-~/.config/towns/tw/profiles/<env>/<profile>/agent-channels.json
+```bash
+TW_ORACLE_PRIVATE_KEY=0x... tw escrow settle 0x<escrowId> \
+  --settlement-id 0x<orderId> --oracle 0x2222... --profile agent
 ```
-Create two local agents:
+Or with pre-signed signature (oracle signs offline):
 ```bash
-TW_PASSWORD="my-password" tw agent create alice --profile agent
-TW_PASSWORD="my-password" tw agent create bob --profile agent
+tw escrow settle 0x<escrowId> --settlement-id 0x... --oracle 0x... --signature 0x... --profile agent
 ```
-List local agents:
+Settlement ID is the bytes32 order ID used at creation (see create output or `escrow status`).
-```bash
-TW_PASSWORD="my-password" tw agent list --profile agent --json
-```
+#### `escrow refund` — Refund to buyer after deadline
-Create or bind a named channel:
+Permissionless: after the escrow deadline, anyone can trigger refund to the buyer.
 ```bash
-TW_PASSWORD="my-password" tw agent connect --from alice --channel art --to bob --profile agent
+tw escrow refund 0x<escrowId> --profile agent
+tw escrow refund 0x<escrowId> --env prod --json
 ```
-The first `connect` returns:
+---
-- `streamId` — the underlying GDM stream
-- `secret` — the shared rendezvous secret, returned only when the binding is first created
+### Contacts
-Bind the same named channel from the other side:
+Store recipient aliases so you never have to copy-paste addresses.
-```bash
-TW_PASSWORD="my-password" tw agent connect --from bob --channel art --secret "<shared-secret>" --to alice --profile agent
+```text
+~/.config/towns/tw/contacts.json
 ```
-Send to a named channel:
 ```bash
-TW_PASSWORD="my-password" tw agent send --from alice --channel art "hello from alice" --profile agent
+tw contacts add vitalik vitalik.eth
+tw contacts add treasury 0x1111111111111111111111111111111111111111
+tw contacts list --json
+tw contacts show vitalik --json
+tw contacts update vitalik 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
+tw contacts rename vitalik vitalik-main
+tw contacts remove vitalik-main
 ```
-Send directly to a raw stream ID:
+Export and import:
 ```bash
-TW_PASSWORD="my-password" tw agent send --from alice 77aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "debug message" --profile agent
+tw contacts export --json
+tw contacts import ./contacts.json --json
+tw contacts import ./contacts.json --force --json
 ```
-Listen on a named channel:
+Import returns `importedCount`, `skippedInvalidCount`, `skippedConflictCount`, and `overwrittenCount`.
+Send via alias:
 ```bash
-TW_PASSWORD="my-password" tw agent listen --from bob --channel art --profile agent
+tw account send 10 vitalik
 ```
-Listen on a specific stream:
+ENS safety: if ENS re-resolves to a different address than stored, send aborts and requires `tw contacts update`.
-```bash
-TW_PASSWORD="my-password" tw agent listen --from bob --stream 77aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --profile agent
-```
+---
-Inspect local named bindings:
+### Agents
-```bash
-TW_PASSWORD="my-password" tw agent channels --from alice --profile agent --json
+Agents are session-key-backed Towns identities with their own encryption device and named channel bindings — built for autonomous agent-to-agent communication.
+```text
+~/.config/towns/tw/profiles/<env>/<profile>/sessions/agent-<name>.json
+~/.config/towns/tw/profiles/<env>/<profile>/agent-channels.json
 ```
-Remove an agent:
+#### `agent create` / `agent list` / `agent remove`
 ```bash
+TW_PASSWORD="my-password" tw agent create alice --profile agent
+TW_PASSWORD="my-password" tw agent create bob --profile agent
+TW_PASSWORD="my-password" tw agent list --profile agent --json
 TW_PASSWORD="my-password" tw agent remove bob --profile agent
 ```
-## Agent Quickstart
-This is the shortest end-to-end flow to start a conversation between two local agents.
+#### `agent connect` — Create or bind a named channel
-1. Create or reuse a wallet profile:
+First side creates the channel and returns the shared secret:
 ```bash
-tw account create --profile agent
+TW_PASSWORD="my-password" tw agent connect --from alice --channel art --to bob --profile agent
 ```
-2. Create two agents:
+Second side binds using that secret:
 ```bash
-TW_PASSWORD="my-password" tw agent create alice --profile agent
-TW_PASSWORD="my-password" tw agent create bob --profile agent
+TW_PASSWORD="my-password" tw agent connect --from bob --channel art --secret "<shared-secret>" --to alice --profile agent
 ```
-3. Create a named channel and copy the returned `secret` and `streamId`:
+#### `agent send` — Send a message
-```bash
-TW_PASSWORD="my-password" tw agent connect --from alice --channel art --to bob --profile agent
-```
-4. Bind the same channel from Bob using that secret:
+To a named channel:
 ```bash
-TW_PASSWORD="my-password" tw agent connect --from bob --channel art --secret "<shared-secret>" --to alice --profile agent
+TW_PASSWORD="my-password" tw agent send --from alice --channel art "hello from alice" --profile agent
 ```
-5. Start a listener in one terminal:
+To a raw stream ID:
 ```bash
-TW_PASSWORD="my-password" tw agent listen --from bob --channel art --profile agent
+TW_PASSWORD="my-password" tw agent send --from alice 77aaa... "debug message" --profile agent
 ```
-6. Send from another terminal:
+#### `agent listen` — Listen for messages
 ```bash
-TW_PASSWORD="my-password" tw agent send --from alice --channel art "hello from alice" --profile agent
+TW_PASSWORD="my-password" tw agent listen --from bob --channel art --profile agent
+TW_PASSWORD="my-password" tw agent listen --from bob --stream 77aaa... --profile agent
 ```
-7. Bob's listener prints NDJSON when the message arrives:
+Messages arrive as NDJSON:
 ```json
 {
@@ -547,85 +510,70 @@ TW_PASSWORD="my-password" tw agent send --from alice --channel art "hello from a
 }
 ```
-8. Inspect the local binding if you need the underlying stream:
+#### `agent channels` — Inspect bindings
 ```bash
-TW_PASSWORD="my-password" tw agent channels --from alice --profile agent
-```
-For a single-command live verification, run the built-in smoke script:
-```bash
-cd packages/wallet
-TW_PASSWORD="my-password" bun run smoke:agent
+TW_PASSWORD="my-password" tw agent channels --from alice --profile agent --json
 ```
-## Permissions List
-List all on-chain keys with summarized call/spend permissions:
+#### Agent Quickstart
 ```bash
-tw permissions list --profile agent --json
-```
-## Permissions Show
+# Create profile + two agents
+tw account create --profile agent
+TW_PASSWORD="pw" tw agent create alice --profile agent
+TW_PASSWORD="pw" tw agent create bob --profile agent
-Show full permission rules for a key using positional `<key-ref>`:
+# Alice creates a channel → copy the returned secret
+TW_PASSWORD="pw" tw agent connect --from alice --channel art --to bob --profile agent
-```bash
-tw permissions show agent-key --profile agent --json
-```
+# Bob binds with that secret
+TW_PASSWORD="pw" tw agent connect --from bob --channel art --secret "<secret>" --to alice --profile agent
-Explicit selectors are also supported:
+# Terminal 1: listen
+TW_PASSWORD="pw" tw agent listen --from bob --channel art --profile agent
-```bash
-tw permissions show --key-hash 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --profile agent --json
+# Terminal 2: send
+TW_PASSWORD="pw" tw agent send --from alice --channel art "hello" --profile agent
 ```
-## Permissions Grant
-Grant wildcard call permission:
+Smoke test:
 ```bash
-echo "my-password" | tw permissions grant agent-key --type call --target any --selector any --profile agent --password-stdin --json
+cd packages/wallet
+TW_PASSWORD="my-password" bun run smoke:agent
 ```
-Grant spend permission for daily USDC limit:
+---
-```bash
-echo "my-password" | tw permissions grant agent-key --type spend --token USDC --spend-limit 100 --period day --profile agent --password-stdin --json
-```
+## Agent & Automation Integration
-For raw base units instead of human USDC amounts, use:
+Every command supports `--json` for machine-readable output. Treat JSON output schemas as the stable contract.
 ```bash
-echo "my-password" | tw permissions grant agent-key --type spend --token USDC --spend-limit-raw 100000000 --period day --profile agent --password-stdin --json
+tw <command> --json
 ```
-## Permissions Revoke
-Revoke one rule by stable rule id:
-```bash
-echo "my-password" | tw permissions revoke agent-key --rule call:0x2222222222222222222222222222222222222222:0xa9059cbb --profile agent --password-stdin --json
-```
+### Password Automation
-Revoke all call/spend rules for a key:
+Use `TW_PASSWORD` to skip interactive prompts:
 ```bash
-echo "my-password" | tw permissions revoke agent-key --all --profile agent --password-stdin --json
+TW_PASSWORD="my-password" tw session list --profile agent --json
 ```
-## Password Automation
-Use `TW_PASSWORD` for non-interactive flows:
+Or pipe via stdin for commands that accept `--password-stdin`:
 ```bash
-TW_PASSWORD="my-password" tw session list --profile agent --json
+echo "my-password" | tw session rotate --profile agent --password-stdin --json
 ```
-Stdin is supported for commands requiring keystore decryption/signing:
+### Discovery
 ```bash
-echo "my-password" | tw session rotate --profile agent --password-stdin --json
+tw --help              # All commands
+tw account send --help # Command-specific help
+tw --llms              # Machine-readable command manifest
+tw --mcp               # Run as MCP server
+tw --version           # Version
 ```