npm - @trucore/atf - Versions diffs - 1.0.2 → 1.3.0 - Mend

@trucore/atf 1.0.2 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -1,48 +1,48 @@
 #!/usr/bin/env node
 "use strict";
-// @trucore/atf v1.0.2 — Agent Transaction Firewall CLI
-// Built: 2026-02-27T23:06:46.876Z
-// Commit: 809c30e
+// @trucore/atf v1.3.0 — Agent Transaction Firewall CLI
+// Built: 2026-02-28T16:06:56.895Z
+// Commit: 1bf6915
 // ---- src/constants.mjs ----
-/**
- * constants.mjs — shared constants for the ATF CLI
- *
- * Build-time placeholders (__BUILD_COMMIT__, __BUILD_DATE__) are replaced
- * by build.mjs during the bundling step.
- */
-const VERSION = "1.0.2";
-const DEFAULT_BASE_URL = "https://api.trucore.xyz";
-const BUILD_COMMIT = "809c30e";
-const BUILD_DATE = "2026-02-27T23:06:46.876Z";
-const SIMULATE_PATHS = ["/api/simulate", "/v1/simulate"];
+/**
+ * constants.mjs — shared constants for the ATF CLI
+ *
+ * Build-time placeholders (__BUILD_COMMIT__, __BUILD_DATE__) are replaced
+ * by build.mjs during the bundling step.
+ */
+const VERSION = "1.3.0";
+const DEFAULT_BASE_URL = "https://api.trucore.xyz";
+const BUILD_COMMIT = "1bf6915";
+const BUILD_DATE = "2026-02-28T16:06:56.895Z";
+const SIMULATE_PATHS = ["/api/simulate", "/v1/simulate"];
 // ---- src/redact.mjs ----
-/**
- * redact.mjs — token redaction utilities
- *
- * Ensures secrets (Bearer tokens, API keys) never appear in CLI output.
- * Used by approve, error handling, and the global catch handler.
- */
-const BEARER_PATTERN = /Bearer\s+[A-Za-z0-9\-\._~\+\/]+=*/g;
-/**
- * Replace any occurrence of `token` with ***REDACTED***.
- * Also scrub Bearer patterns for defense-in-depth.
- */
-function redactToken(str, token) {
-  if (!str || typeof str !== "string") return str || "";
-  let result = str;
-  if (token && typeof token === "string" && token.length > 0) {
-    // split+join: safe literal replacement (no regex special-char issues)
-    result = result.split(token).join("***REDACTED***");
-  }
-  result = result.replace(BEARER_PATTERN, "Bearer ***REDACTED***");
-  return result;
-}
+/**
+ * redact.mjs — token redaction utilities
+ *
+ * Ensures secrets (Bearer tokens, API keys) never appear in CLI output.
+ * Used by approve, error handling, and the global catch handler.
+ */
+const BEARER_PATTERN = /Bearer\s+[A-Za-z0-9\-\._~\+\/]+=*/g;
+/**
+ * Replace any occurrence of `token` with ***REDACTED***.
+ * Also scrub Bearer patterns for defense-in-depth.
+ */
+function redactToken(str, token) {
+  if (!str || typeof str !== "string") return str || "";
+  let result = str;
+  if (token && typeof token === "string" && token.length > 0) {
+    // split+join: safe literal replacement (no regex special-char issues)
+    result = result.split(token).join("***REDACTED***");
+  }
+  result = result.replace(BEARER_PATTERN, "Bearer ***REDACTED***");
+  return result;
+}
 // ---- src/presets.mjs ----
 /**
@@ -181,893 +181,3786 @@ function parseJsonBody(raw) {
   }
 }
-// ---- src/http.mjs ----
+// ---- src/token_map.mjs ----
 /**
- * http.mjs — minimal HTTP helpers using Node 18+ built-in fetch.
- * Zero runtime dependencies.
+ * token_map.mjs — minimal token registry for Solana swap support
+ *
+ * v1 MVP: SOL, USDC, USDT only.  Expand later.
+ * Each entry carries the mint address and decimal count so the CLI
+ * can convert human amounts to base-unit lamports / micro-units.
  */
-const DEFAULT_TIMEOUT_MS = 20_000;
-const MAX_TEXT_CAPTURE = 4096;
+const TOKEN_MAP = {
+  SOL: {
+    symbol: "SOL",
+    mint: "So11111111111111111111111111111111111111112",
+    decimals: 9,
+  },
+  USDC: {
+    symbol: "USDC",
+    mint: "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v",
+    decimals: 6,
+  },
+  USDT: {
+    symbol: "USDT",
+    mint: "Es9vMFrzaCERmJfrF4H2FYD4KCoNkY11McCe8BenwNYB",
+    decimals: 6,
+  },
+};
-function resolveTimeout(overrideMs) {
-  if (overrideMs && overrideMs > 0) return overrideMs;
-  const envMs = process.env.ATF_TIMEOUT_MS;
-  if (envMs) {
-    const parsed = parseInt(envMs, 10);
-    if (parsed > 0) return parsed;
+/**
+ * Resolve a token symbol or mint to a TOKEN_MAP entry.
+ * Case-insensitive for symbols; exact match for mints.
+ * Returns null if not found.
+ */
+function resolveToken(symbolOrMint) {
+  if (!symbolOrMint || typeof symbolOrMint !== "string") return null;
+  const upper = symbolOrMint.toUpperCase();
+  if (TOKEN_MAP[upper]) return TOKEN_MAP[upper];
+  // Try mint match
+  for (const entry of Object.values(TOKEN_MAP)) {
+    if (entry.mint === symbolOrMint) return entry;
   }
-  return DEFAULT_TIMEOUT_MS;
+  return null;
 }
-function generateRequestId() {
-  const { randomBytes } = require("node:crypto");
-  return randomBytes(8).toString("hex");
+/**
+ * Convert a human-readable amount (e.g. 0.001) to base units (lamports).
+ * Always returns a string to avoid floating-point drift on large values.
+ */
+function toBaseUnits(humanAmount, decimals) {
+  const parts = String(humanAmount).split(".");
+  const whole = parts[0] || "0";
+  let frac = parts[1] || "";
+  if (frac.length > decimals) {
+    frac = frac.slice(0, decimals); // truncate excess precision
+  }
+  frac = frac.padEnd(decimals, "0");
+  // Remove leading zeros from concatenated result
+  const raw = (whole + frac).replace(/^0+/, "") || "0";
+  return raw;
 }
+// ---- src/http.mjs ----
+/**
+ * http.mjs — minimal HTTP helpers using Node 18+ built-in fetch.
+ * Zero runtime dependencies.
+ */
+const DEFAULT_TIMEOUT_MS = 20_000;
+const MAX_TEXT_CAPTURE = 4096;
+function resolveTimeout(overrideMs) {
+  if (overrideMs && overrideMs > 0) return overrideMs;
+  const envMs = process.env.ATF_TIMEOUT_MS;
+  if (envMs) {
+    const parsed = parseInt(envMs, 10);
+    if (parsed > 0) return parsed;
+  }
+  return DEFAULT_TIMEOUT_MS;
+}
+function generateRequestId() {
+  const { randomBytes } = require("node:crypto");
+  return randomBytes(8).toString("hex");
+}
+function stripTrailingSlash(url) {
+  return url.replace(/\/+$/, "");
+}
+async function getHealth(baseUrl, timeoutMs) {
+  const timeout = resolveTimeout(timeoutMs);
+  const requestId = generateRequestId();
+  const url = `${stripTrailingSlash(baseUrl)}/health`;
+  const res = await fetch(url, {
+    headers: { "X-Request-ID": requestId },
+    signal: AbortSignal.timeout(timeout),
+  });
+  const parsed = await parseResponse(res);
+  parsed.requestId = resolveRequestId(parsed, requestId);
+  return parsed;
+}
+async function postSimulate(baseUrl, body, apiKey, timeoutMs, path) {
+  const timeout = resolveTimeout(timeoutMs);
+  const requestId = generateRequestId();
+  const url = `${stripTrailingSlash(baseUrl)}${path || "/api/simulate"}`;
+  const headers = {
+    "Content-Type": "application/json",
+    "X-Request-ID": requestId,
+  };
+  if (apiKey) headers["x-api-key"] = apiKey;
+  const res = await fetch(url, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeout),
+  });
+  const parsed = await parseResponse(res);
+  parsed.requestId = resolveRequestId(parsed, requestId);
+  return parsed;
+}
+async function postApprove(baseUrl, intentId, token, timeoutMs) {
+  const timeout = resolveTimeout(timeoutMs);
+  const requestId = generateRequestId();
+  const url = `${stripTrailingSlash(baseUrl)}/v1/intents/approve`;
+  const headers = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${token}`,
+    "X-Request-ID": requestId,
+  };
+  const res = await fetch(url, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({ intent_id: intentId }),
+    signal: AbortSignal.timeout(timeout),
+  });
+  const parsed = await parseResponse(res);
+  parsed.requestId = resolveRequestId(parsed, requestId);
+  return parsed;
+}
+async function getReceiptSigningKey(baseUrl) {
+  const url = `${stripTrailingSlash(baseUrl)}/api/receipt-signing-key`;
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(10_000) });
+    if (!res.ok) return { available: false };
+    const data = await res.json();
+    return data;
+  } catch {
+    return { available: false };
+  }
+}
+async function parseResponse(res) {
+  const rateLimitHeaders = {};
+  for (const h of ["x-ratelimit-limit", "x-ratelimit-remaining", "x-ratelimit-reset"]) {
+    const v = res.headers.get(h);
+    if (v !== null) rateLimitHeaders[h] = v;
+  }
+  // Capture server-echoed request ID from response header
+  const serverRequestId = res.headers.get("x-request-id") || null;
+  let data;
+  const rawText = await res.text();
+  const text = rawText.slice(0, MAX_TEXT_CAPTURE);
+  try {
+    data = JSON.parse(text);
+  } catch {
+    data = null;
+  }
+  return {
+    ok: res.ok,
+    status: res.status,
+    data,
+    text,
+    rateLimitHeaders,
+    retryAfter: res.headers.get("retry-after"),
+    serverRequestId,
+  };
+}
+/**
+ * Resolve the authoritative request ID.
+ * Precedence: body request_id > response header X-Request-ID > client-generated.
+ */
+function resolveRequestId(parsed, clientRequestId) {
+  const bodyId = parsed.data && typeof parsed.data === "object" ? parsed.data.request_id : undefined;
+  return bodyId || parsed.serverRequestId || clientRequestId;
+}
+// ---- src/format.mjs ----
+/**
+ * format.mjs — shared ANSI color constants
+ *
+ * Each command handles its own output formatting.
+ * COLORS is shared across errors.mjs, health.mjs, approve.mjs,
+ * version_cmd.mjs, simulate.mjs, and cli.mjs.
+ */
+const COLORS = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  dim: "\x1b[2m",
+  green: "\x1b[32m",
+  red: "\x1b[31m",
+  yellow: "\x1b[33m",
+  cyan: "\x1b[36m",
+  gray: "\x1b[90m",
+};
+// ---- src/errors.mjs ----
+/**
+ * errors.mjs — structured error model for the ATF CLI
+ *
+ * Error envelope:   { ok: false, error: { code, message, details? } }
+ * Success envelope: { ok: true, ... }
+ *
+ * Exit codes:
+ *   0 — success (allowed, healthy, version)
+ *   1 — user error / denied / verify-failed / 401 / 403 / 404 / 409
+ *   2 — network / server error (fetch throw, timeout, 5xx, rate-limited)
+ */
+const ERROR_CODES = {
+  USER_ERROR: "USER_ERROR",
+  DENIED: "DENIED",
+  NETWORK_ERROR: "NETWORK_ERROR",
+  SERVER_ERROR: "SERVER_ERROR",
+  VALIDATION_ERROR: "VALIDATION_ERROR",
+  AUTH_ERROR: "AUTH_ERROR",
+  VERIFY_FAILED: "VERIFY_FAILED",
+};
+function makeError(code, message, details) {
+  const err = { code, message };
+  if (details && typeof details === "object" && Object.keys(details).length > 0) {
+    err.details = details;
+  }
+  return { ok: false, error: err };
+}
+function exitCodeForError(code) {
+  switch (code) {
+    case ERROR_CODES.NETWORK_ERROR:
+    case ERROR_CODES.SERVER_ERROR:
+      return 2;
+    default:
+      return 1;
+  }
+}
+function formatErrorPretty(errEnvelope) {
+  const e = errEnvelope.error;
+  const noColor = process.env.NO_COLOR;
+  const c = noColor ? { reset: "", bold: "", red: "", dim: "", yellow: "", cyan: "" } : COLORS;
+  const lines = [];
+  lines.push("");
+  lines.push(`${c.bold}${c.red}  \u2717 ERROR [${e.code}]${c.reset}`);
+  lines.push(`  ${e.message}`);
+  if (e.details) {
+    if (e.details.hint) lines.push(`${c.dim}  Hint: ${e.details.hint}${c.reset}`);
+    if (e.details.status) lines.push(`${c.dim}  HTTP status: ${e.details.status}${c.reset}`);
+    if (e.details.request_id) lines.push(`${c.dim}  Request ID: ${e.details.request_id}${c.reset}`);
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+/**
+ * Returns true if `obj` looks like a structured ATF error envelope.
+ * Shape: { ok: false, error: { code: <string>, ... } }
+ * Used to distinguish app-level 404s from endpoint-miss 404s.
+ */
+function isAtfErrorEnvelope(obj) {
+  return (
+    obj !== null &&
+    typeof obj === "object" &&
+    obj.ok === false &&
+    obj.error !== null &&
+    typeof obj.error === "object" &&
+    typeof obj.error.code === "string"
+  );
+}
+function exitWithError(code, message, hint, format, extra) {
+  const details = {};
+  if (hint) details.hint = hint;
+  if (extra && extra.status) details.status = extra.status;
+  if (extra && extra.requestId) details.request_id = extra.requestId;
+  if (extra && extra.path) details.path = extra.path;
+  if (extra && extra.attempted_paths) details.attempted_paths = extra.attempted_paths;
+  if (extra && extra.baseUrl) details.base_url = extra.baseUrl;
+  const err = makeError(code, message, Object.keys(details).length > 0 ? details : undefined);
+  // Top-level request_id for easy grep / support triage
+  if (extra && extra.requestId) err.request_id = extra.requestId;
+  if (format === "pretty") {
+    process.stderr.write(formatErrorPretty(err));
+  } else {
+    process.stdout.write(JSON.stringify(err, null, 2) + "\n");
+  }
+  process.exit(exitCodeForError(code));
+}
+// ---- src/config.mjs ----
+/**
+ * config.mjs — Profile-based configuration system
+ *
+ * Config file locations:
+ *   - Global:  ~/.config/atf/config.json  (Linux/macOS)
+ *              %APPDATA%\atf\config.json  (Windows)
+ *   - Project: ./atf.config.json          (repo-local, optional)
+ *
+ * Merge order: defaults < global < project < env vars < CLI flags
+ *
+ * Profile schema:
+ *   { current_profile: "default", profiles: { "default": { ... } } }
+ */
-function stripTrailingSlash(url) {
-  return url.replace(/\/+$/, "");
+const CONFIG_DIR_NAME = "atf";
+const CONFIG_FILE_NAME = "config.json";
+const PROJECT_CONFIG_NAME = "atf.config.json";
+/** Profile field defaults. */
+const PROFILE_DEFAULTS = {
+  atf_base_url: "https://api.trucore.xyz",
+  solana_cluster: "mainnet",
+  rpc_url: null,
+  helius_api_key_ref: null,
+  helius_endpoint_kind: "solana-rpc",
+  jupiter_quote_url: null,
+  jupiter_swap_url: null,
+  default_slippage_bps: 50,
+  confirm: false,
+  commitment: "confirmed",
+  explorer: "solscan",
+  keypair_path: null,
+  tx: {
+    skip_preflight: false,
+    max_retries: 3,
+    timeout_ms: 60000,
+  },
+};
+/**
+ * Resolve the global config directory path.
+ * @returns {string}
+ */
+function resolveConfigDir() {
+  const { join } = require("node:path");
+  const { homedir, platform } = require("node:os");
+  if (platform() === "win32") {
+    const appData = process.env.APPDATA || join(homedir(), "AppData", "Roaming");
+    return join(appData, CONFIG_DIR_NAME);
+  }
+  return join(homedir(), ".config", CONFIG_DIR_NAME);
 }
-async function getHealth(baseUrl, timeoutMs) {
-  const timeout = resolveTimeout(timeoutMs);
-  const requestId = generateRequestId();
-  const url = `${stripTrailingSlash(baseUrl)}/health`;
-  const res = await fetch(url, {
-    headers: { "X-Request-ID": requestId },
-    signal: AbortSignal.timeout(timeout),
-  });
-  const parsed = await parseResponse(res);
-  parsed.requestId = requestId;
-  return parsed;
-}
-async function postSimulate(baseUrl, body, apiKey, timeoutMs, path) {
-  const timeout = resolveTimeout(timeoutMs);
-  const requestId = generateRequestId();
-  const url = `${stripTrailingSlash(baseUrl)}${path || "/api/simulate"}`;
-  const headers = {
-    "Content-Type": "application/json",
-    "X-Request-ID": requestId,
-  };
-  if (apiKey) headers["x-api-key"] = apiKey;
+/**
+ * Resolve the global config file path.
+ */
+function resolveGlobalConfigPath() {
+  const { join } = require("node:path");
+  return join(resolveConfigDir(), CONFIG_FILE_NAME);
+}
-  const res = await fetch(url, {
-    method: "POST",
-    headers,
-    body: JSON.stringify(body),
-    signal: AbortSignal.timeout(timeout),
-  });
-  const parsed = await parseResponse(res);
-  parsed.requestId = requestId;
-  return parsed;
-}
-async function postApprove(baseUrl, intentId, token, timeoutMs) {
-  const timeout = resolveTimeout(timeoutMs);
-  const requestId = generateRequestId();
-  const url = `${stripTrailingSlash(baseUrl)}/v1/intents/approve`;
-  const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${token}`,
-    "X-Request-ID": requestId,
-  };
-  const res = await fetch(url, {
-    method: "POST",
-    headers,
-    body: JSON.stringify({ intent_id: intentId }),
-    signal: AbortSignal.timeout(timeout),
-  });
-  const parsed = await parseResponse(res);
-  parsed.requestId = requestId;
-  return parsed;
+/**
+ * Resolve the project config file path (cwd-relative).
+ */
+function resolveProjectConfigPath() {
+  const { join } = require("node:path");
+  return join(process.cwd(), PROJECT_CONFIG_NAME);
 }
-async function getReceiptSigningKey(baseUrl) {
-  const url = `${stripTrailingSlash(baseUrl)}/api/receipt-signing-key`;
+/**
+ * Read a JSON file or return null.
+ */
+function readJsonFile(filePath) {
+  const { readFileSync, existsSync } = require("node:fs");
+  if (!existsSync(filePath)) return null;
   try {
-    const res = await fetch(url, { signal: AbortSignal.timeout(10_000) });
-    if (!res.ok) return { available: false };
-    const data = await res.json();
-    return data;
+    return JSON.parse(readFileSync(filePath, "utf8"));
   } catch {
-    return { available: false };
+    return null;
   }
 }
-async function parseResponse(res) {
-  const rateLimitHeaders = {};
-  for (const h of ["x-ratelimit-limit", "x-ratelimit-remaining", "x-ratelimit-reset"]) {
-    const v = res.headers.get(h);
-    if (v !== null) rateLimitHeaders[h] = v;
-  }
-  let data;
-  const rawText = await res.text();
-  const text = rawText.slice(0, MAX_TEXT_CAPTURE);
-  try {
-    data = JSON.parse(text);
-  } catch {
-    data = null;
-  }
+/**
+ * Write a JSON file, creating directories as needed.
+ */
+function writeJsonFile(filePath, data) {
+  const { writeFileSync, mkdirSync } = require("node:fs");
+  const { dirname } = require("node:path");
+  mkdirSync(dirname(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n", { mode: 0o644 });
+}
+/**
+ * Build a default, empty config skeleton.
+ */
+function defaultConfig() {
   return {
-    ok: res.ok,
-    status: res.status,
-    data,
-    text,
-    rateLimitHeaders,
-    retryAfter: res.headers.get("retry-after"),
+    current_profile: "default",
+    profiles: {
+      default: { ...PROFILE_DEFAULTS, tx: { ...PROFILE_DEFAULTS.tx } },
+    },
   };
 }
-// ---- src/format.mjs ----
 /**
- * format.mjs — shared ANSI color constants
- *
- * Each command handles its own output formatting.
- * COLORS is shared across errors.mjs, health.mjs, approve.mjs,
- * version_cmd.mjs, simulate.mjs, and cli.mjs.
- */
-const COLORS = {
-  reset: "\x1b[0m",
-  bold: "\x1b[1m",
-  dim: "\x1b[2m",
-  green: "\x1b[32m",
-  red: "\x1b[31m",
-  yellow: "\x1b[33m",
-  cyan: "\x1b[36m",
-  gray: "\x1b[90m",
-};
-// ---- src/errors.mjs ----
+ * Load global config from disk (or return defaults).
+ */
+function loadGlobalConfig() {
+  const data = readJsonFile(resolveGlobalConfigPath());
+  if (!data || typeof data !== "object") return defaultConfig();
+  if (!data.profiles || typeof data.profiles !== "object") data.profiles = {};
+  if (!data.current_profile) data.current_profile = "default";
+  return data;
+}
 /**
- * errors.mjs — structured error model for the ATF CLI
- *
- * Error envelope:   { ok: false, error: { code, message, details? } }
- * Success envelope: { ok: true, ... }
- *
- * Exit codes:
- *   0 — success (allowed, healthy, version)
- *   1 — user error / denied / verify-failed / 401 / 403 / 404 / 409
- *   2 — network / server error (fetch throw, timeout, 5xx, rate-limited)
- */
-const ERROR_CODES = {
-  USER_ERROR: "USER_ERROR",
-  DENIED: "DENIED",
-  NETWORK_ERROR: "NETWORK_ERROR",
-  SERVER_ERROR: "SERVER_ERROR",
-  VALIDATION_ERROR: "VALIDATION_ERROR",
-  AUTH_ERROR: "AUTH_ERROR",
-  VERIFY_FAILED: "VERIFY_FAILED",
-};
+ * Load project config (or return null).
+ */
+function loadProjectConfig() {
+  return readJsonFile(resolveProjectConfigPath());
+}
-function makeError(code, message, details) {
-  const err = { code, message };
-  if (details && typeof details === "object" && Object.keys(details).length > 0) {
-    err.details = details;
+/**
+ * Merge two profile objects (shallow+tx sub-merge).
+ */
+function mergeProfiles(base, override) {
+  if (!override) return { ...base };
+  const merged = { ...base, ...override };
+  if (base.tx || override.tx) {
+    merged.tx = { ...(base.tx || {}), ...(override.tx || {}) };
   }
-  return { ok: false, error: err };
+  return merged;
 }
-function exitCodeForError(code) {
-  switch (code) {
-    case ERROR_CODES.NETWORK_ERROR:
-    case ERROR_CODES.SERVER_ERROR:
-      return 2;
-    default:
-      return 1;
+/**
+ * Resolve the effective profile config.
+ * Merge order: PROFILE_DEFAULTS < global profile < project profile
+ */
+function resolveEffectiveProfile(profileName) {
+  const global = loadGlobalConfig();
+  const project = loadProjectConfig();
+  const name = profileName || global.current_profile || "default";
+  let effective = { ...PROFILE_DEFAULTS, tx: { ...PROFILE_DEFAULTS.tx } };
+  // Merge global profile
+  if (global.profiles && global.profiles[name]) {
+    effective = mergeProfiles(effective, global.profiles[name]);
+  }
+  // Merge project profile
+  if (project && project.profiles && project.profiles[name]) {
+    effective = mergeProfiles(effective, project.profiles[name]);
   }
+  return { name, profile: effective };
+}
+/**
+ * Save global config to disk.
+ */
+function saveGlobalConfig(config) {
+  writeJsonFile(resolveGlobalConfigPath(), config);
 }
-function formatErrorPretty(errEnvelope) {
-  const e = errEnvelope.error;
-  const noColor = process.env.NO_COLOR;
-  const c = noColor ? { reset: "", bold: "", red: "", dim: "", yellow: "", cyan: "" } : COLORS;
-  const lines = [];
-  lines.push("");
-  lines.push(`${c.bold}${c.red}  \u2717 ERROR [${e.code}]${c.reset}`);
-  lines.push(`  ${e.message}`);
-  if (e.details) {
-    if (e.details.hint) lines.push(`${c.dim}  Hint: ${e.details.hint}${c.reset}`);
-    if (e.details.status) lines.push(`${c.dim}  HTTP status: ${e.details.status}${c.reset}`);
-    if (e.details.request_id) lines.push(`${c.dim}  Request ID: ${e.details.request_id}${c.reset}`);
+/**
+ * Detect Solana CLI config at ~/.config/solana/cli/config.yml
+ * Returns { keypair_path, cluster } or null.
+ */
+function detectSolanaConfig() {
+  const { readFileSync, existsSync } = require("node:fs");
+  const { join } = require("node:path");
+  const { homedir } = require("node:os");
+  const solConfigPath = join(homedir(), ".config", "solana", "cli", "config.yml");
+  if (!existsSync(solConfigPath)) return null;
+  try {
+    const raw = readFileSync(solConfigPath, "utf8");
+    const result = {};
+    // Simple YAML parsing for keypair_path and json_rpc_url
+    const kpMatch = raw.match(/keypair_path:\s*(.+)/);
+    if (kpMatch) result.keypair_path = kpMatch[1].trim();
+    const rpcMatch = raw.match(/json_rpc_url:\s*(.+)/);
+    if (rpcMatch) {
+      const url = rpcMatch[1].trim();
+      if (url.includes("devnet")) result.cluster = "devnet";
+      else if (url.includes("mainnet")) result.cluster = "mainnet";
+    }
+    return Object.keys(result).length > 0 ? result : null;
+  } catch {
+    return null;
   }
-  lines.push("");
-  return lines.join("\n");
 }
 /**
- * Returns true if `obj` looks like a structured ATF error envelope.
- * Shape: { ok: false, error: { code: <string>, ... } }
- * Used to distinguish app-level 404s from endpoint-miss 404s.
+ * Set a dotted key in a profile.  e.g. "tx.max_retries" → 5
  */
-function isAtfErrorEnvelope(obj) {
-  return (
-    obj !== null &&
-    typeof obj === "object" &&
-    obj.ok === false &&
-    obj.error !== null &&
-    typeof obj.error === "object" &&
-    typeof obj.error.code === "string"
-  );
+function setProfileKey(profile, key, value) {
+  const parts = key.split(".");
+  if (parts.length === 1) {
+    profile[key] = value;
+  } else if (parts.length === 2) {
+    if (!profile[parts[0]] || typeof profile[parts[0]] !== "object") {
+      profile[parts[0]] = {};
+    }
+    profile[parts[0]][parts[1]] = value;
+  }
 }
-function exitWithError(code, message, hint, format, extra) {
-  const details = {};
-  if (hint) details.hint = hint;
-  if (extra && extra.status) details.status = extra.status;
-  if (extra && extra.requestId) details.request_id = extra.requestId;
-  if (extra && extra.path) details.path = extra.path;
-  if (extra && extra.attempted_paths) details.attempted_paths = extra.attempted_paths;
-  if (extra && extra.baseUrl) details.base_url = extra.baseUrl;
-  const err = makeError(code, message, Object.keys(details).length > 0 ? details : undefined);
-  if (format === "pretty") {
-    process.stderr.write(formatErrorPretty(err));
-  } else {
-    process.stdout.write(JSON.stringify(err, null, 2) + "\n");
+/**
+ * Get a dotted key from a profile.
+ */
+function getProfileKey(profile, key) {
+  const parts = key.split(".");
+  if (parts.length === 1) return profile[key];
+  if (parts.length === 2 && profile[parts[0]] && typeof profile[parts[0]] === "object") {
+    return profile[parts[0]][parts[1]];
   }
-  process.exit(exitCodeForError(code));
+  return undefined;
 }
-// ---- src/health.mjs ----
 /**
- * health.mjs — health command implementation
- *
- * GET {base}/health — check API availability and measure latency.
- * Output: { ok:true, base_url, latency_ms, response:<healthJson> }
+ * Auto-coerce string values for known numeric/boolean profile fields.
  */
+function coerceProfileValue(key, value) {
+  const booleanKeys = ["confirm", "tx.skip_preflight"];
+  const numberKeys = ["default_slippage_bps", "tx.max_retries", "tx.timeout_ms"];
+  if (booleanKeys.includes(key)) {
+    if (value === "true") return true;
+    if (value === "false") return false;
+  }
+  if (numberKeys.includes(key)) {
+    const n = parseInt(value, 10);
+    if (!Number.isNaN(n)) return n;
+  }
+  return value;
+}
-async function runHealth(args) {
-  const baseUrl = args.baseUrl;
+// ── CLI handlers for config/profile commands ───────────────────────
+async function runConfigInit(args) {
   const format = args.format;
-  const timeoutMs = args.timeoutMs;
+  const configPath = resolveGlobalConfigPath();
+  const { existsSync } = require("node:fs");
-  const start = Date.now();
-  let response;
-  try {
-    response = await getHealth(baseUrl, timeoutMs);
-  } catch (err) {
-    exitWithError(
-      ERROR_CODES.NETWORK_ERROR,
-      `Cannot reach ${baseUrl}/health — ${err.message}`,
-      "Check that the API is running and the base URL is correct.",
-      format
-    );
+  if (existsSync(configPath) && !args.yes) {
+    const result = { ok: true, message: "Config already exists.", path: configPath };
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    process.exit(0);
   }
-  const latencyMs = Date.now() - start;
-  if (!response.ok) {
-    exitWithError(
-      ERROR_CODES.SERVER_ERROR,
-      `Health check failed with HTTP ${response.status}`,
-      "The API may be down or misconfigured.",
-      format,
-      { status: response.status, requestId: response.requestId }
-    );
+  const config = defaultConfig();
+  // Detect Solana CLI config
+  const solana = detectSolanaConfig();
+  if (solana) {
+    const profile = config.profiles.default;
+    if (solana.keypair_path) profile.keypair_path = solana.keypair_path;
+    if (solana.cluster) profile.solana_cluster = solana.cluster;
   }
+  saveGlobalConfig(config);
   const result = {
     ok: true,
-    base_url: baseUrl,
-    latency_ms: latencyMs,
-    response: response.data || {},
+    message: "Config initialized.",
+    path: configPath,
+    solana_detected: !!solana,
+    current_profile: config.current_profile,
   };
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+}
-  if (format === "pretty") {
-    const noColor = process.env.NO_COLOR;
-    const c = noColor ? { reset: "", bold: "", green: "", dim: "" } : COLORS;
-    process.stdout.write(
-      `\n${c.bold}${c.green}  \u2713 HEALTHY${c.reset}\n` +
-        `${c.dim}  Base URL:${c.reset} ${baseUrl}\n` +
-        `${c.dim}  Latency:${c.reset}  ${latencyMs}ms\n` +
-        `${c.dim}  HTTP:${c.reset}     ${response.status}\n\n`
-    );
-  } else {
-    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+async function runConfigSet(args) {
+  const format = args.format;
+  const key = args._subArgs[0];
+  const rawValue = args._subArgs[1];
+  const profileName = args.profileFlag || null;
+  if (!key || rawValue === undefined) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Usage: atf config set <key> <value> [--profile name]", null, format);
   }
-  process.exit(0);
+  const value = coerceProfileValue(key, rawValue);
+  const config = loadGlobalConfig();
+  const name = profileName || config.current_profile || "default";
+  if (!config.profiles[name]) {
+    exitWithError(ERROR_CODES.USER_ERROR, `Profile "${name}" does not exist. Create it first: atf profile create ${name}`, null, format);
+  }
+  setProfileKey(config.profiles[name], key, value);
+  saveGlobalConfig(config);
+  const result = { ok: true, profile: name, key, value };
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
 }
-// ---- src/approve.mjs ----
-/**
- * approve.mjs — approve command implementation
- *
- * POST {base}/v1/intents/approve with Bearer token.
- * Approves a pending intent returned from a previous simulation.
- * Output: { ok:true, base_url, intent, response:<approveJson> }
- */
-async function runApprove(args) {
-  const baseUrl = args.baseUrl;
+async function runConfigGet(args) {
   const format = args.format;
-  const token = args.token || args.apiKey;
-  const intent = args.intent;
-  const timeoutMs = args.timeoutMs;
+  const key = args._subArgs[0];
+  const profileName = args.profileFlag || null;
-  if (!intent) {
-    exitWithError(
-      ERROR_CODES.USER_ERROR,
-      "Missing --intent <id>",
-      "Provide the intent ID returned from a simulation.",
-      format
-    );
+  if (!key) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Usage: atf config get <key> [--profile name]", null, format);
   }
-  if (!token) {
-    exitWithError(
-      ERROR_CODES.AUTH_ERROR,
-      "Missing authentication token",
-      "Provide --token <bearer> or set ATF_API_KEY env var.",
-      format
-    );
-  }
+  const { name, profile } = resolveEffectiveProfile(profileName);
+  const value = getProfileKey(profile, key);
+  const result = { ok: true, profile: name, key, value: value !== undefined ? value : null };
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+}
-  let response;
-  try {
-    response = await postApprove(baseUrl, intent, token, timeoutMs);
-  } catch (err) {
-    exitWithError(
-      ERROR_CODES.NETWORK_ERROR,
-      redactToken(`Cannot reach ${baseUrl} — ${err.message}`, token),
-      "Check your network connection and base URL.",
-      format
-    );
+async function runConfigList(args) {
+  const profileName = args.profileFlag || null;
+  const { name, profile } = resolveEffectiveProfile(profileName);
+  // Redact any fields that might contain secrets
+  const safe = { ...profile };
+  if (safe.rpc_url && typeof safe.rpc_url === "string" && safe.rpc_url.includes("api-key=")) {
+    safe.rpc_url = safe.rpc_url.replace(/api-key=[^&]+/gi, "api-key=***REDACTED***");
+  }
+  if (safe.helius_api_key_ref) {
+    safe.helius_api_key_ref = "***REDACTED***";
   }
-  if (!response.ok) {
-    const data = response.data || {};
-    const errCode =
-      response.status >= 500
-        ? ERROR_CODES.SERVER_ERROR
-        : response.status === 401 || response.status === 403
-          ? ERROR_CODES.AUTH_ERROR
-          : ERROR_CODES.USER_ERROR;
-    const hint =
-      response.status === 401
-        ? "Check your Bearer token."
-        : response.status === 404
-          ? "Intent not found — check the intent ID."
-          : response.status === 409
-            ? "Intent already approved or expired."
-            : null;
-    const msg = redactToken(data.message || data.detail || `HTTP ${response.status}`, token);
-    exitWithError(
-      errCode,
-      msg,
-      hint,
-      format,
-      { status: response.status, requestId: response.requestId || data.request_id }
-    );
+  const result = { ok: true, profile: name, config: safe };
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+}
+async function runProfileUse(args) {
+  const name = args._subArgs[0];
+  if (!name) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Usage: atf profile use <name>", null, args.format);
   }
+  const config = loadGlobalConfig();
+  if (!config.profiles[name]) {
+    exitWithError(ERROR_CODES.USER_ERROR, `Profile "${name}" does not exist.`, null, args.format);
+  }
+  config.current_profile = name;
+  saveGlobalConfig(config);
+  process.stdout.write(JSON.stringify({ ok: true, current_profile: name }, null, 2) + "\n");
+}
-  const data = response.data || {};
-  const result = { ok: true, base_url: baseUrl, intent, response: data };
-  if (args.verbose && args._deprecatedIntentId) {
-    result.warnings = ["--intent-id is deprecated; use --intent"];
+async function runProfileList(args) {
+  const config = loadGlobalConfig();
+  const profiles = Object.keys(config.profiles);
+  const result = { ok: true, current_profile: config.current_profile, profiles };
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+}
+async function runProfileCreate(args) {
+  const name = args._subArgs[0];
+  if (!name) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Usage: atf profile create <name>", null, args.format);
   }
+  const config = loadGlobalConfig();
+  if (config.profiles[name]) {
+    exitWithError(ERROR_CODES.USER_ERROR, `Profile "${name}" already exists.`, null, args.format);
+  }
+  config.profiles[name] = { ...PROFILE_DEFAULTS, tx: { ...PROFILE_DEFAULTS.tx } };
+  saveGlobalConfig(config);
+  process.stdout.write(JSON.stringify({ ok: true, created: name }, null, 2) + "\n");
+}
-  if (format === "pretty") {
-    const noColor = process.env.NO_COLOR;
-    const c = noColor ? { reset: "", bold: "", green: "", dim: "" } : COLORS;
-    process.stdout.write(
-      `\n${c.bold}${c.green}  \u2713 APPROVED${c.reset}\n` +
-        `${c.dim}  Intent:${c.reset}  ${intent}\n` +
-        (data.tx_hash
-          ? `${c.dim}  TX Hash:${c.reset} ${data.tx_hash}\n`
-          : "") +
-        `\n`
-    );
-  } else {
-    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+async function runProfileDelete(args) {
+  const name = args._subArgs[0];
+  if (!name) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Usage: atf profile delete <name>", null, args.format);
   }
-  process.exit(0);
+  if (name === "default") {
+    exitWithError(ERROR_CODES.USER_ERROR, "Cannot delete the default profile.", null, args.format);
+  }
+  const config = loadGlobalConfig();
+  if (!config.profiles[name]) {
+    exitWithError(ERROR_CODES.USER_ERROR, `Profile "${name}" does not exist.`, null, args.format);
+  }
+  delete config.profiles[name];
+  if (config.current_profile === name) config.current_profile = "default";
+  saveGlobalConfig(config);
+  process.stdout.write(JSON.stringify({ ok: true, deleted: name }, null, 2) + "\n");
 }
-// ---- src/version_cmd.mjs ----
+// ---- src/secret_store.mjs ----
 /**
- * version_cmd.mjs — rich version command
+ * secret_store.mjs — file-based secret store with permission hardening
  *
- * Output: { ok:true, cli_version, node_version, platform, arch, default_base_url, build_commit, build_date }
+ * Stores secrets in ~/.config/atf/secrets.json with chmod 0600 (best-effort).
+ * Structure: { "helius": { "<profile>": "<api_key>" } }
+ *
+ * Never prints secret values. `atf secret list` shows only key names.
  */
-async function runVersion(args) {
-  const format = args.format;
-  const commit = BUILD_COMMIT === "__BUILD_COMMIT__" ? null : BUILD_COMMIT;
-  const buildTime = BUILD_DATE === "__BUILD_DATE__" ? null : BUILD_DATE;
-  const result = {
-    ok: true,
-    cli_version: VERSION,
-    node_version: process.version,
-    platform: process.platform,
-    arch: process.arch,
-    default_base_url: DEFAULT_BASE_URL,
-    build_commit: commit,
-    build_date: buildTime,
-  };
+const SECRETS_FILE_NAME = "secrets.json";
-  if (format === "pretty") {
-    const noColor = process.env.NO_COLOR;
-    const c = noColor ? { reset: "", bold: "", dim: "" } : COLORS;
-    process.stdout.write(
-      `\n${c.bold}  @trucore/atf v${VERSION}${c.reset}\n` +
-        `${c.dim}  Node:${c.reset}     ${process.version}\n` +
-        `${c.dim}  Platform:${c.reset} ${process.platform}/${process.arch}\n` +
-        `${c.dim}  API:${c.reset}      ${DEFAULT_BASE_URL}\n` +
-        `${c.dim}  Commit:${c.reset}   ${commit || "dev"}\n` +
-        `${c.dim}  Built:${c.reset}    ${buildTime || "dev"}\n\n`
-    );
-  } else {
-    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
-  }
-  process.exit(0);
-}
-// ---- src/simulate.mjs ----
 /**
- * simulate.mjs — simulate command implementation
- *
- * Output: { ok:true, base_url, preset?, verified?:boolean, response:<simulateJson> }
+ * Resolve the secrets file path.
  */
+function resolveSecretsPath() {
+  const { join } = require("node:path");
+  return join(resolveConfigDir(), SECRETS_FILE_NAME);
+}
-async function runSimulate(args) {
-  const baseUrl = args.baseUrl;
-  const verify = args.verify;
-  const format = args.format;
-  const quiet = args.quiet;
-  const apiKey = args.apiKey;
-  const timeoutMs = args.timeoutMs;
-  // Resolve body
-  let body;
-  let presetName = null;
-  if (args.json) {
-    const parsed = parseJsonBody(args.json);
-    if (!parsed.ok) {
-      exitWithError(
-        ERROR_CODES.USER_ERROR,
-        parsed.message,
-        "Provide valid JSON via --json '{...}'",
-        format
-      );
-    }
-    body = parsed.body;
-  } else if (args.preset) {
-    presetName = args.preset;
-    const check = validatePreset(presetName);
-    if (!check.ok) {
-      exitWithError(
-        ERROR_CODES.USER_ERROR,
-        check.message,
-        `Available presets: ${PRESET_NAMES.join(", ")}`,
-        format
-      );
-    }
-    body = PRESETS[presetName].transaction;
-    if (!quiet && format === "pretty") {
-      process.stderr.write(
-        `${COLORS.dim}Preset: ${presetName} — ${PRESETS[presetName].description}${COLORS.reset}\n`
-      );
-    }
-  } else {
-    exitWithError(
-      ERROR_CODES.USER_ERROR,
-      "Either --preset <name> or --json '<json>' is required.",
-      `Available presets: ${PRESET_NAMES.join(", ")}`,
-      format
-    );
-  }
+/**
+ * Load secrets from disk (or return empty structure).
+ */
+function loadSecrets() {
+  const path = resolveSecretsPath();
+  const data = readJsonFile(path);
+  if (!data || typeof data !== "object") return {};
+  return data;
+}
-  // Make request — try SIMULATE_PATHS in order; stop on first non-404.
-  // If a 404 carries a structured ATF error envelope ({ok:false, error:{code:...}})
-  // we treat it as an authoritative app-level response and do NOT fallback.
-  let response;
-  const attemptedPaths = [];
+/**
+ * Save secrets to disk with 0600 permissions (best-effort).
+ */
+function saveSecrets(secrets) {
+  const { writeFileSync, mkdirSync, chmodSync } = require("node:fs");
+  const { dirname } = require("node:path");
+  const filePath = resolveSecretsPath();
+  mkdirSync(dirname(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(secrets, null, 2) + "\n", { mode: 0o600 });
   try {
-    for (const path of SIMULATE_PATHS) {
-      attemptedPaths.push(path);
-      response = await postSimulate(baseUrl, body, apiKey, timeoutMs, path);
-      if (response.status !== 404) break;
-      // 404 with a structured ATF error envelope → authoritative, stop fallback
-      if (isAtfErrorEnvelope(response.data)) break;
-    }
-  } catch (err) {
-    exitWithError(
-      ERROR_CODES.NETWORK_ERROR,
-      `Network failure — ${err.message}`,
-      "Check your network connection and base URL.",
-      format
-    );
+    chmodSync(filePath, 0o600);
+  } catch {
+    // Best-effort — may fail on Windows
   }
+}
-  // Handle non-200
-  if (!response.ok) {
-    let errCode;
-    let msg;
-    let hint = null;
-    if (response.status === 401 || response.status === 403) {
-      errCode = ERROR_CODES.AUTH_ERROR;
-      const data = response.data || {};
-      msg = data.message || data.detail || `HTTP ${response.status}`;
-      hint = response.status === 401
-        ? "Check your API key or Bearer token."
-        : "Access denied. Check your permissions.";
-    } else if (response.status === 404) {
-      if (isAtfErrorEnvelope(response.data)) {
-        // Authoritative ATF 404 — surface the server's error as-is
-        errCode = response.data.error.code || ERROR_CODES.SERVER_ERROR;
-        msg = response.data.error.message || `HTTP 404`;
-        hint = (response.data.error.details && response.data.error.details.hint) || null;
-        exitWithError(errCode, msg, hint, format, {
-          status: 404,
-          attempted_paths: attemptedPaths,
-          baseUrl,
-          requestId: response.requestId,
-        });
-      }
-      // Endpoint miss — none of the paths exist on this server
-      errCode = ERROR_CODES.SERVER_ERROR;
-      msg = "SIMULATE_NOT_AVAILABLE";
-      hint = "The simulate endpoint is not available on this server.";
-      exitWithError(errCode, msg, hint, format, {
-        status: 404,
-        attempted_paths: attemptedPaths,
-        baseUrl,
-        requestId: response.requestId,
-      });
-    } else if (response.status === 422 || response.status === 400) {
-      errCode = ERROR_CODES.VALIDATION_ERROR;
-      const data = response.data || {};
-      msg = data.message || data.detail || data.error || `HTTP ${response.status}`;
-      hint = "Check the request body format and required fields.";
-    } else if (response.status === 429) {
-      errCode = ERROR_CODES.SERVER_ERROR;
-      const data = response.data || {};
-      msg = data.message || data.detail || data.error || `HTTP ${response.status}`;
-      hint = response.retryAfter
-        ? `Rate limited. Retry after ${response.retryAfter}s.`
-        : "Rate limited. Try again later.";
-    } else if (response.status >= 500) {
-      errCode = ERROR_CODES.SERVER_ERROR;
-      const data = response.data || {};
-      msg = data.message || data.detail || data.error || `HTTP ${response.status}`;
+/**
+ * Get a secret value.
+ * @param {string} namespace  e.g. "helius"
+ * @param {string} profile    e.g. "default"
+ * @returns {string|null}
+ */
+function getSecret(namespace, profile) {
+  const secrets = loadSecrets();
+  if (secrets[namespace] && typeof secrets[namespace] === "object") {
+    return secrets[namespace][profile] || null;
+  }
+  return null;
+}
+/**
+ * Set a secret value.
+ */
+function setSecret(namespace, profile, value) {
+  const secrets = loadSecrets();
+  if (!secrets[namespace]) secrets[namespace] = {};
+  secrets[namespace][profile] = value;
+  saveSecrets(secrets);
+}
+/**
+ * Unset a secret value.
+ */
+function unsetSecret(namespace, profile) {
+  const secrets = loadSecrets();
+  if (secrets[namespace] && secrets[namespace][profile]) {
+    delete secrets[namespace][profile];
+    if (Object.keys(secrets[namespace]).length === 0) delete secrets[namespace];
+    saveSecrets(secrets);
+    return true;
+  }
+  return false;
+}
+/**
+ * List secrets — returns key/profile pairs only (no values).
+ */
+function listSecretRefs() {
+  const secrets = loadSecrets();
+  const refs = [];
+  for (const [ns, profiles] of Object.entries(secrets)) {
+    if (typeof profiles === "object" && profiles !== null) {
+      for (const profile of Object.keys(profiles)) {
+        refs.push({ namespace: ns, profile });
+      }
+    }
+  }
+  return refs;
+}
+/**
+ * Resolve the Helius API key for a given profile.
+ * Priority: HELIUS_API_KEY env var > secrets store
+ */
+function resolveHeliusApiKey(profileName) {
+  const envKey = process.env.HELIUS_API_KEY;
+  if (envKey && envKey.length > 0) return envKey;
+  return getSecret("helius", profileName || "default");
+}
+// ── CLI handlers for secret commands ───────────────────────────────
+async function runSecretSet(args) {
+  const namespace = args._subArgs[0];
+  const profileName = args.profileFlag || null;
+  if (!namespace) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Usage: atf secret set <namespace> [--profile name]", "Example: atf secret set helius --profile devnet", args.format);
+  }
+  const config = loadGlobalConfig();
+  const profile = profileName || config.current_profile || "default";
+  // Read from stdin (supports piped input)
+  let value = "";
+  if (process.stdin.isTTY) {
+    process.stderr.write(`Enter value for ${namespace} (profile: ${profile}): `);
+  }
+  const { readFileSync } = require("node:fs");
+  try {
+    value = readFileSync("/dev/stdin", "utf8").trim();
+  } catch {
+    // Fallback for Windows or other environments
+    try {
+      value = readFileSync(0, "utf8").trim();
+    } catch {
+      exitWithError(ERROR_CODES.USER_ERROR, "Failed to read secret from stdin.", "Pipe the value: echo 'key' | atf secret set helius", args.format);
+    }
+  }
+  if (!value) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Empty secret value.", null, args.format);
+  }
+  setSecret(namespace, profile, value);
+  process.stdout.write(JSON.stringify({ ok: true, namespace, profile, message: "Secret saved." }, null, 2) + "\n");
+}
+async function runSecretList(args) {
+  const refs = listSecretRefs();
+  process.stdout.write(JSON.stringify({ ok: true, secrets: refs }, null, 2) + "\n");
+}
+async function runSecretUnset(args) {
+  const namespace = args._subArgs[0];
+  const profileName = args.profileFlag || null;
+  if (!namespace) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Usage: atf secret unset <namespace> [--profile name]", null, args.format);
+  }
+  const config = loadGlobalConfig();
+  const profile = profileName || config.current_profile || "default";
+  const removed = unsetSecret(namespace, profile);
+  if (removed) {
+    process.stdout.write(JSON.stringify({ ok: true, namespace, profile, message: "Secret removed." }, null, 2) + "\n");
+  } else {
+    exitWithError(ERROR_CODES.USER_ERROR, `No secret found for ${namespace} (profile: ${profile}).`, null, args.format);
+  }
+}
+// ---- src/helius.mjs ----
+/**
+ * helius.mjs — Helius RPC URL builder and redaction
+ *
+ * If rpc_url is set to the literal string "helius", the URL is auto-built
+ * from solana_cluster + resolved Helius API key:
+ *   mainnet → https://mainnet.helius-rpc.com/?api-key=<KEY>
+ *   devnet  → https://devnet.helius-rpc.com/?api-key=<KEY>
+ */
+const HELIUS_RPC_HOSTS = {
+  mainnet: "mainnet.helius-rpc.com",
+  devnet: "devnet.helius-rpc.com",
+};
+/**
+ * Build a Helius RPC URL from cluster and API key.
+ */
+function buildHeliusRpcUrl(cluster, apiKey) {
+  const host = HELIUS_RPC_HOSTS[cluster] || HELIUS_RPC_HOSTS.mainnet;
+  return `https://${host}/?api-key=${apiKey}`;
+}
+/**
+ * Redact api-key query param from a URL string.
+ */
+function redactApiKeyInUrl(url) {
+  if (!url || typeof url !== "string") return url || "";
+  return url.replace(/api-key=[^&\s]+/gi, "api-key=***REDACTED***");
+}
+/**
+ * Extract the host portion from an RPC URL (safe for display).
+ */
+function extractRpcHost(url) {
+  if (!url || typeof url !== "string") return null;
+  try {
+    const parsed = new URL(url);
+    return parsed.hostname;
+  } catch {
+    return null;
+  }
+}
+/**
+ * Resolve the effective RPC URL for a profile.
+ * Handles "helius" magic value, env overrides, and devnet defaults.
+ *
+ * Priority: CLI --rpc flag > profile rpc_url > defaults
+ *
+ * @param {object} profile   Resolved effective profile
+ * @param {string} profileName  Profile name (for secret lookup)
+ * @param {string|null} cliRpcOverride  --rpc flag value
+ * @param {boolean} isDevnet  Whether devnet mode is active
+ * @returns {{ rpcUrl: string, rpcHost: string|null }}
+ */
+function resolveRpcUrl(profile, profileName, cliRpcOverride, isDevnet) {
+  // CLI flag takes precedence
+  if (cliRpcOverride && cliRpcOverride !== "helius") {
+    return { rpcUrl: cliRpcOverride, rpcHost: extractRpcHost(cliRpcOverride) };
+  }
+  const rpcSetting = cliRpcOverride || profile.rpc_url;
+  if (rpcSetting === "helius") {
+    const apiKey = resolveHeliusApiKey(profileName);
+    if (!apiKey) {
+      exitWithError(
+        ERROR_CODES.USER_ERROR,
+        "Helius API key not found. Set HELIUS_API_KEY env var or run: atf secret set helius",
+        null,
+        "json"
+      );
+    }
+    const cluster = isDevnet ? "devnet" : (profile.solana_cluster || "mainnet");
+    const url = buildHeliusRpcUrl(cluster, apiKey);
+    return { rpcUrl: url, rpcHost: HELIUS_RPC_HOSTS[cluster] || HELIUS_RPC_HOSTS.mainnet };
+  }
+  if (rpcSetting) {
+    return { rpcUrl: rpcSetting, rpcHost: extractRpcHost(rpcSetting) };
+  }
+  // Defaults
+  if (isDevnet) {
+    const devnetDefault = process.env.ATF_DEVNET_RPC || DEVNET_RPC_DEFAULT;
+    return { rpcUrl: devnetDefault, rpcHost: extractRpcHost(devnetDefault) };
+  }
+  return { rpcUrl: "https://api.mainnet-beta.solana.com", rpcHost: "api.mainnet-beta.solana.com" };
+}
+// ---- src/jupiter.mjs ----
+/**
+ * jupiter.mjs — Jupiter DEX HTTP helpers (v6 API)
+ *
+ * Uses built-in fetch (Node 18+). Zero extra dependencies.
+ * Only called from swap.mjs when ATF decision == allowed.
+ */
+const JUPITER_API_BASE = "https://quote-api.jup.ag/v6";
+/**
+ * Resolve the Jupiter API base URL.
+ * Allows override via ATF_JUPITER_BASE env var (used in tests).
+ */
+function resolveJupiterBase() {
+  return process.env.ATF_JUPITER_BASE || JUPITER_API_BASE;
+}
+/**
+ * Get a swap quote from Jupiter.
+ *
+ * @param {object} opts
+ * @param {string} opts.inputMint   Solana mint address
+ * @param {string} opts.outputMint  Solana mint address
+ * @param {string} opts.amount      Base-unit amount string (lamports / micro-units)
+ * @param {number} opts.slippageBps Slippage tolerance in basis points
+ * @param {number} opts.timeoutMs   HTTP timeout
+ * @returns {Promise<object>}       Jupiter quote response JSON
+ */
+async function jupiterGetQuote(opts) {
+  const url = new URL(`${resolveJupiterBase()}/quote`);
+  url.searchParams.set("inputMint", opts.inputMint);
+  url.searchParams.set("outputMint", opts.outputMint);
+  url.searchParams.set("amount", opts.amount);
+  url.searchParams.set("slippageBps", String(opts.slippageBps));
+  const res = await fetch(url.toString(), {
+    signal: AbortSignal.timeout(opts.timeoutMs || 20_000),
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`Jupiter quote failed: HTTP ${res.status} — ${text.slice(0, 256)}`);
+  }
+  return res.json();
+}
+/**
+ * Request a swap transaction from Jupiter.
+ * Returns the base64 swapTransaction ready for signing.
+ *
+ * @param {object} opts
+ * @param {object} opts.quoteResponse   Full quote response from jupiterGetQuote
+ * @param {string} opts.userPublicKey   Base58 public key of the wallet
+ * @param {number} opts.timeoutMs       HTTP timeout
+ * @returns {Promise<{swapTransaction: string, lastValidBlockHeight: number}>}
+ */
+async function jupiterGetSwapTx(opts) {
+  const body = {
+    quoteResponse: opts.quoteResponse,
+    userPublicKey: opts.userPublicKey,
+    wrapAndUnwrapSol: true,
+    dynamicComputeUnitLimit: true,
+  };
+  const res = await fetch(`${resolveJupiterBase()}/swap`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(opts.timeoutMs || 20_000),
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`Jupiter swap-tx failed: HTTP ${res.status} — ${text.slice(0, 256)}`);
+  }
+  return res.json();
+}
+// ---- src/solana_sign.mjs ----
+/**
+ * solana_sign.mjs — Solana keypair loading, transaction signing, and RPC helpers.
+ *
+ * Runtime dependency: tweetnacl (ed25519).
+ * No @solana/web3.js — we handle raw VersionedTransaction bytes directly.
+ */
+/* global nacl */
+// `nacl` is set up by the build bundle (tweetnacl is required at the top of dist/index.js)
+// In source form it is loaded via require() in the build.
+/**
+ * Load a Solana keypair from the standard id.json format.
+ * id.json is a JSON array of 64 byte values [secretKey(32) + publicKey(32)].
+ *
+ * @param {string} keypairPath  Absolute or relative path to id.json
+ * @returns {{secretKey: Uint8Array, publicKey: Uint8Array}}
+ */
+function loadSolanaKeypair(keypairPath) {
+  const { readFileSync } = require("node:fs");
+  const { resolve } = require("node:path");
+  const resolved = resolve(keypairPath);
+  let raw;
+  try {
+    raw = readFileSync(resolved, "utf8");
+  } catch (err) {
+    throw new Error(`Cannot read keypair file: ${err.message}`);
+  }
+  let arr;
+  try {
+    arr = JSON.parse(raw);
+  } catch {
+    throw new Error("Keypair file is not valid JSON (expected a byte array).");
+  }
+  if (!Array.isArray(arr) || arr.length !== 64) {
+    throw new Error(`Keypair must be a JSON array of 64 bytes, got length ${Array.isArray(arr) ? arr.length : typeof arr}.`);
+  }
+  const secretKey = new Uint8Array(arr);
+  const publicKey = secretKey.slice(32, 64);
+  return { secretKey, publicKey };
+}
+/**
+ * Encode a Uint8Array to base58 (Bitcoin/Solana alphabet).
+ * Compact pure-JS implementation — no external dependency.
+ */
+function base58Encode(bytes) {
+  const ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  if (bytes.length === 0) return "";
+  // Count leading zeros
+  let zeros = 0;
+  for (let i = 0; i < bytes.length && bytes[i] === 0; i++) zeros++;
+  // Convert to base58
+  const b58 = [];
+  let num = [];
+  for (const byte of bytes) {
+    let carry = byte;
+    for (let j = 0; j < num.length; j++) {
+      carry += num[j] << 8;
+      num[j] = carry % 58;
+      carry = (carry / 58) | 0;
+    }
+    while (carry > 0) {
+      num.push(carry % 58);
+      carry = (carry / 58) | 0;
+    }
+  }
+  // Leading '1's for zero bytes
+  for (let i = 0; i < zeros; i++) b58.push(ALPHABET[0]);
+  for (let i = num.length - 1; i >= 0; i--) b58.push(ALPHABET[num[i]]);
+  return b58.join("");
+}
+/**
+ * Read a compact-u16 from a buffer at the given offset.
+ * Returns { value, bytesRead }.
+ */
+function readCompactU16(buf, offset) {
+  let value = 0;
+  let bytesRead = 0;
+  for (let shift = 0; shift < 21; shift += 7) {
+    if (offset + bytesRead >= buf.length) throw new Error("compact-u16 truncated");
+    const b = buf[offset + bytesRead];
+    bytesRead++;
+    value |= (b & 0x7f) << shift;
+    if ((b & 0x80) === 0) break;
+  }
+  return { value, bytesRead };
+}
+/**
+ * Sign a Solana VersionedTransaction (raw bytes) with a single-signer keypair.
+ *
+ * Transaction wire format:
+ *   [compact-u16 sig_count] [sig_count * 64 bytes sigs] [message bytes]
+ *
+ * We sign the message bytes, then replace the first 64-byte signature slot.
+ *
+ * @param {Uint8Array} txBytes   Raw transaction bytes (from base64 decode)
+ * @param {Uint8Array} secretKey 64-byte ed25519 secret key
+ * @returns {Uint8Array}          Signed transaction bytes
+ */
+function signSolanaTransaction(txBytes, secretKey) {
+  const nacl = require("tweetnacl");
+  const { value: sigCount, bytesRead: headerLen } = readCompactU16(txBytes, 0);
+  if (sigCount < 1) throw new Error("Transaction has 0 signature slots");
+  const sigStart = headerLen;
+  const msgStart = headerLen + sigCount * 64;
+  if (msgStart > txBytes.length) throw new Error("Transaction too short for declared signatures");
+  const messageBytes = txBytes.slice(msgStart);
+  const sig = nacl.sign.detached(messageBytes, secretKey);
+  // Replace first signature slot
+  const signed = new Uint8Array(txBytes);
+  signed.set(sig, sigStart);
+  return signed;
+}
+/**
+ * Send a signed transaction via Solana JSON-RPC.
+ *
+ * @param {string}     rpcUrl         Solana RPC endpoint
+ * @param {Uint8Array} signedTxBytes  Signed transaction bytes
+ * @param {number}     timeoutMs      HTTP timeout
+ * @returns {Promise<string>}         Transaction signature (base58)
+ */
+async function solanaSendTransaction(rpcUrl, signedTxBytes, timeoutMs) {
+  const b64 = Buffer.from(signedTxBytes).toString("base64");
+  const body = {
+    jsonrpc: "2.0",
+    id: 1,
+    method: "sendTransaction",
+    params: [
+      b64,
+      {
+        encoding: "base64",
+        skipPreflight: false,
+        maxRetries: 3,
+      },
+    ],
+  };
+  const res = await fetch(rpcUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs || 30_000),
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`Solana RPC sendTransaction failed: HTTP ${res.status} — ${text.slice(0, 256)}`);
+  }
+  const data = await res.json();
+  if (data.error) {
+    const errMsg = data.error.message || JSON.stringify(data.error);
+    throw new Error(`Solana RPC error: ${errMsg}`);
+  }
+  return data.result; // base58 transaction signature
+}
+/**
+ * Poll getSignatureStatuses until confirmed/finalized or timeout.
+ *
+ * @param {string} rpcUrl     Solana RPC endpoint
+ * @param {string} signature  Base58 transaction signature
+ * @param {number} timeoutMs  Max time to wait
+ * @returns {Promise<object>} Final status object
+ */
+async function solanaConfirmTransaction(rpcUrl, signature, timeoutMs) {
+  const deadline = Date.now() + (timeoutMs || 60_000);
+  const POLL_INTERVAL = 2000;
+  while (Date.now() < deadline) {
+    const body = {
+      jsonrpc: "2.0",
+      id: 1,
+      method: "getSignatureStatuses",
+      params: [[signature], { searchTransactionHistory: true }],
+    };
+    const res = await fetch(rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(10_000),
+    });
+    if (res.ok) {
+      const data = await res.json();
+      const statuses = data.result && data.result.value;
+      if (statuses && statuses[0]) {
+        const s = statuses[0];
+        if (s.err) throw new Error(`Transaction failed on-chain: ${JSON.stringify(s.err)}`);
+        if (s.confirmationStatus === "confirmed" || s.confirmationStatus === "finalized") {
+          return s;
+        }
+      }
+    }
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL));
+  }
+  throw new Error(`Transaction not confirmed within ${timeoutMs}ms`);
+}
+// ---- src/devnet.mjs ----
+/**
+ * devnet.mjs — devnet-specific constants, token map, and RPC helpers.
+ *
+ * Devnet mints are NOT the same as mainnet mints.  This module keeps
+ * the mapping separate so --burner / --devnet never accidentally
+ * touches mainnet tokens or endpoints.
+ */
+const DEVNET_RPC_DEFAULT = "https://api.devnet.solana.com";
+/**
+ * Well-known devnet token mints.
+ * SOL (native) keeps the same system-program mint.
+ * USDC uses the devnet faucet mint deployed by Circle / Solana Foundation.
+ */
+const DEVNET_TOKEN_MAP = {
+  SOL: {
+    symbol: "SOL",
+    mint: "So11111111111111111111111111111111111111112",
+    decimals: 9,
+  },
+  USDC: {
+    symbol: "USDC",
+    mint: "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU",
+    decimals: 6,
+  },
+};
+/**
+ * Resolve a devnet token by symbol or mint.
+ */
+function resolveDevnetToken(symbolOrMint) {
+  if (!symbolOrMint || typeof symbolOrMint !== "string") return null;
+  const upper = symbolOrMint.toUpperCase();
+  if (DEVNET_TOKEN_MAP[upper]) return DEVNET_TOKEN_MAP[upper];
+  for (const entry of Object.values(DEVNET_TOKEN_MAP)) {
+    if (entry.mint === symbolOrMint) return entry;
+  }
+  return null;
+}
+/**
+ * Returns true if the given RPC URL is definitely a mainnet endpoint.
+ * Conservative check: match common mainnet hostnames.
+ */
+function isMainnetRpc(url) {
+  if (!url || typeof url !== "string") return false;
+  const lower = url.toLowerCase();
+  return (
+    lower.includes("mainnet-beta") ||
+    lower.includes("mainnet.solana") ||
+    lower.includes("solana-mainnet") ||
+    (lower.includes("api.") && !lower.includes("devnet") && !lower.includes("testnet") && lower.includes("solana.com"))
+  );
+}
+/**
+ * Resolve devnet RPC URL from flags / env.
+ */
+function resolveDevnetRpc(flagRpc) {
+  if (flagRpc) return flagRpc;
+  return process.env.ATF_DEVNET_RPC || DEVNET_RPC_DEFAULT;
+}
+/**
+ * Request a devnet airdrop via JSON-RPC.
+ *
+ * @param {string} rpcUrl    Devnet RPC endpoint
+ * @param {string} pubkeyB58 Base58-encoded public key
+ * @param {number} solAmount SOL amount to airdrop (e.g. 1 = 1 SOL)
+ * @param {number} timeoutMs HTTP timeout
+ * @returns {Promise<string>} Transaction signature
+ */
+async function requestDevnetAirdrop(rpcUrl, pubkeyB58, solAmount, timeoutMs) {
+  const lamports = Math.round(solAmount * 1_000_000_000);
+  const body = {
+    jsonrpc: "2.0",
+    id: 1,
+    method: "requestAirdrop",
+    params: [pubkeyB58, lamports],
+  };
+  const res = await fetch(rpcUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs || 30_000),
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`Airdrop HTTP error: ${res.status} — ${text.slice(0, 256)}`);
+  }
+  const data = await res.json();
+  if (data.error) {
+    throw new Error(`Airdrop RPC error: ${data.error.message || JSON.stringify(data.error)}`);
+  }
+  return data.result; // tx signature
+}
+/**
+ * Build a SOL transfer transaction (system program) as raw bytes.
+ *
+ * This is a minimal Versioned Transaction (v0) with a single
+ * SystemProgram.Transfer instruction — no @solana/web3.js needed.
+ *
+ * @param {string}     fromPubkeyB58  Sender base58 pubkey
+ * @param {string}     toPubkeyB58    Recipient base58 pubkey
+ * @param {number}     lamports       Amount in lamports
+ * @param {string}     recentBlockhash Base58 blockhash
+ * @param {Uint8Array} fromPubkeyBytes 32-byte public key
+ * @param {Uint8Array} toPubkeyBytes   32-byte public key
+ * @returns {Uint8Array} Raw transaction bytes (unsigned, 1 sig slot)
+ */
+function buildSolTransferTx(fromPubkeyBytes, toPubkeyBytes, lamports, recentBlockhashBytes) {
+  // System program address (all zeros)
+  const SYSTEM_PROGRAM = new Uint8Array(32);
+  // ── Build the v0 message ───────────────────────────────────────
+  // Message header: [num_required_signatures, num_readonly_signed, num_readonly_unsigned]
+  const header = new Uint8Array([1, 0, 1]);
+  // Account keys: [from, to, system_program]
+  // from = signer + writable, to = writable, system = readonly
+  const numAccounts = 3;
+  // Compile recent blockhash as 32 bytes (already decoded)
+  // Instructions: single SystemProgram.Transfer
+  // Transfer ix: program_id_index=2, accounts=[0,1], data=<4-byte-ix-index><8-byte-lamports-le>
+  const ixProgramIndex = 2;
+  const ixAccounts = new Uint8Array([0, 1]);
+  // data: 4-byte little-endian transfer instruction index (2) + 8-byte little-endian lamports
+  const ixData = new Uint8Array(12);
+  // instruction index 2 = Transfer
+  ixData[0] = 2; ixData[1] = 0; ixData[2] = 0; ixData[3] = 0;
+  // lamports as 8-byte LE
+  let remaining = lamports;
+  for (let b = 0; b < 8; b++) {
+    ixData[4 + b] = remaining & 0xff;
+    remaining = Math.floor(remaining / 256);
+  }
+  // Compose message body (v0 prefix + legacy-compatible structure)
+  // Legacy message format (no version prefix in the message — v0 is encoded in the tx wrapper)
+  // For simplicity we build a legacy transaction (not v0) since it's better supported for basic transfers.
+  // Format: [header(3)][compact(numAccounts)][...accounts(numAccounts*32)][recentBlockhash(32)][compact(numIx)][ix...]
+  const parts = [];
+  parts.push(header);
+  parts.push(new Uint8Array([numAccounts])); // compact-u16 for 3
+  parts.push(fromPubkeyBytes);
+  parts.push(toPubkeyBytes);
+  parts.push(SYSTEM_PROGRAM);
+  parts.push(recentBlockhashBytes); // 32 bytes
+  parts.push(new Uint8Array([1])); // compact-u16 for 1 instruction
+  // Instruction: [programIdIndex][compact(numAccounts)][...accountIndices][compact(dataLen)][...data]
+  parts.push(new Uint8Array([ixProgramIndex]));
+  parts.push(new Uint8Array([ixAccounts.length]));
+  parts.push(ixAccounts);
+  parts.push(new Uint8Array([ixData.length]));
+  parts.push(ixData);
+  // Total message length
+  let msgLen = 0;
+  for (const p of parts) msgLen += p.length;
+  const message = new Uint8Array(msgLen);
+  let offset = 0;
+  for (const p of parts) { message.set(p, offset); offset += p.length; }
+  // Wrap in transaction: [compact-u16 sigCount=1][64-byte zero sig][message]
+  const sigCount = new Uint8Array([1]);
+  const sigSlot = new Uint8Array(64); // zeroed — to be signed later
+  const tx = new Uint8Array(1 + 64 + message.length);
+  tx.set(sigCount, 0);
+  tx.set(sigSlot, 1);
+  tx.set(message, 65);
+  return tx;
+}
+/**
+ * Fetch a recent blockhash from Solana RPC (devnet).
+ *
+ * @param {string} rpcUrl   Devnet RPC
+ * @param {number} timeoutMs
+ * @returns {Promise<{blockhash: string, blockhashBytes: Uint8Array, lastValidBlockHeight: number}>}
+ */
+async function getRecentBlockhash(rpcUrl, timeoutMs) {
+  const body = {
+    jsonrpc: "2.0",
+    id: 1,
+    method: "getLatestBlockhash",
+    params: [{ commitment: "finalized" }],
+  };
+  const res = await fetch(rpcUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs || 30_000),
+  });
+  if (!res.ok) throw new Error(`getLatestBlockhash HTTP ${res.status}`);
+  const data = await res.json();
+  if (data.error) throw new Error(`getLatestBlockhash RPC error: ${data.error.message}`);
+  const bh = data.result.value.blockhash;
+  const lbh = data.result.value.lastValidBlockHeight;
+  // Decode base58 blockhash to bytes
+  const bhBytes = base58Decode(bh);
+  return { blockhash: bh, blockhashBytes: bhBytes, lastValidBlockHeight: lbh };
+}
+/**
+ * Decode a base58 string to Uint8Array.
+ * Compact pure-JS implementation (inverse of base58Encode in solana_sign.mjs).
+ */
+function base58Decode(str) {
+  const ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  const ALPHABET_MAP = {};
+  for (let i = 0; i < ALPHABET.length; i++) ALPHABET_MAP[ALPHABET[i]] = i;
+  if (str.length === 0) return new Uint8Array(0);
+  // Count leading '1's
+  let zeros = 0;
+  for (let i = 0; i < str.length && str[i] === "1"; i++) zeros++;
+  // Decode
+  const bytes = [];
+  for (let i = zeros; i < str.length; i++) {
+    const c = ALPHABET_MAP[str[i]];
+    if (c === undefined) throw new Error(`Invalid base58 character: ${str[i]}`);
+    let carry = c;
+    for (let j = 0; j < bytes.length; j++) {
+      carry += bytes[j] * 58;
+      bytes[j] = carry & 0xff;
+      carry >>= 8;
+    }
+    while (carry > 0) {
+      bytes.push(carry & 0xff);
+      carry >>= 8;
+    }
+  }
+  // Add leading zero bytes
+  for (let i = 0; i < zeros; i++) bytes.push(0);
+  return new Uint8Array(bytes.reverse());
+}
+/**
+ * Faucet instructions for the user.
+ */
+function faucetInstructions(pubkey) {
+  return [
+    `Your burner public key: ${pubkey}`,
+    "",
+    "To fund this wallet on devnet:",
+    `  1. CLI airdrop:  solana airdrop 2 ${pubkey} --url devnet`,
+    "  2. Web faucet:   https://faucet.solana.com/",
+    `  3. ATF CLI:      npx @trucore/atf swap --burner --devnet --airdrop 1`,
+    "",
+    "Note: public RPC airdrops are rate-limited. If airdrop fails,",
+    "use the web faucet or a private devnet RPC.",
+  ].join("\n");
+}
+// ---- src/burner.mjs ----
+/**
+ * burner.mjs — ephemeral keypair generation, save, and load for devnet usage.
+ *
+ * Uses tweetnacl (already a dependency) for ed25519 key generation.
+ * Never prints secret key bytes. File permissions set to 0600 where possible.
+ */
+/**
+ * Generate an ephemeral ed25519 keypair using tweetnacl.
+ * Returns { secretKey: Uint8Array(64), publicKey: Uint8Array(32) }.
+ */
+function generateBurnerKeypair() {
+  const nacl = require("tweetnacl");
+  const kp = nacl.sign.keyPair();
+  return { secretKey: kp.secretKey, publicKey: kp.publicKey };
+}
+/**
+ * Save a burner keypair to disk in Solana id.json format (64-byte array).
+ * Sets file permissions to 0600 (owner-only) on supported platforms.
+ * Warns on Windows if unable to set permissions.
+ *
+ * @param {string}     filePath  Absolute or relative path
+ * @param {Uint8Array} secretKey 64-byte ed25519 secret key
+ */
+function saveBurnerKeypair(filePath, secretKey) {
+  const { writeFileSync, chmodSync } = require("node:fs");
+  const { resolve, dirname } = require("node:path");
+  const { mkdirSync, existsSync } = require("node:fs");
+  const resolved = resolve(filePath);
+  const dir = dirname(resolved);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  // Solana id.json format: JSON array of 64 byte values
+  const arr = Array.from(secretKey);
+  writeFileSync(resolved, JSON.stringify(arr) + "\n", { mode: 0o600 });
+  // Best-effort chmod for platforms that support it
+  try {
+    chmodSync(resolved, 0o600);
+  } catch {
+    // Windows or other OS that doesn't support chmod — warn but don't fail
+    process.stderr.write("[burner] Warning: unable to set file permissions to 0600. Ensure the file is protected.\n");
+  }
+  return resolved;
+}
+/**
+ * Load a previously saved burner keypair.
+ * Delegates to loadSolanaKeypair from solana_sign.mjs.
+ *
+ * @param {string} filePath Path to saved keypair JSON
+ * @returns {{secretKey: Uint8Array, publicKey: Uint8Array}}
+ */
+function loadBurnerKeypair(filePath) {
+  return loadSolanaKeypair(filePath);
+}
+// ---- src/health.mjs ----
+/**
+ * health.mjs — health command implementation
+ *
+ * GET {base}/health — check API availability and measure latency.
+ * Output: { ok:true, base_url, latency_ms, response:<healthJson> }
+ */
+async function runHealth(args) {
+  const baseUrl = args.baseUrl;
+  const format = args.format;
+  const timeoutMs = args.timeoutMs;
+  const start = Date.now();
+  let response;
+  try {
+    response = await getHealth(baseUrl, timeoutMs);
+  } catch (err) {
+    exitWithError(
+      ERROR_CODES.NETWORK_ERROR,
+      `Cannot reach ${baseUrl}/health — ${err.message}`,
+      "Check that the API is running and the base URL is correct.",
+      format
+    );
+  }
+  const latencyMs = Date.now() - start;
+  if (!response.ok) {
+    exitWithError(
+      ERROR_CODES.SERVER_ERROR,
+      `Health check failed with HTTP ${response.status}`,
+      "The API may be down or misconfigured.",
+      format,
+      { status: response.status, requestId: response.requestId }
+    );
+  }
+  const result = {
+    ok: true,
+    request_id: response.requestId,
+    base_url: baseUrl,
+    latency_ms: latencyMs,
+    response: response.data || {},
+  };
+  if (format === "pretty") {
+    const noColor = process.env.NO_COLOR;
+    const c = noColor ? { reset: "", bold: "", green: "", dim: "" } : COLORS;
+    process.stdout.write(
+      `\n${c.bold}${c.green}  \u2713 HEALTHY${c.reset}\n` +
+        `${c.dim}  Base URL:${c.reset} ${baseUrl}\n` +
+        `${c.dim}  Latency:${c.reset}  ${latencyMs}ms\n` +
+        `${c.dim}  HTTP:${c.reset}     ${response.status}\n\n`
+    );
+  } else {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+  }
+  process.exit(0);
+}
+// ---- src/approve.mjs ----
+/**
+ * approve.mjs — approve command implementation
+ *
+ * POST {base}/v1/intents/approve with Bearer token.
+ * Approves a pending intent returned from a previous simulation.
+ * Output: { ok:true, base_url, intent, response:<approveJson> }
+ */
+async function runApprove(args) {
+  const baseUrl = args.baseUrl;
+  const format = args.format;
+  const token = args.token || args.apiKey;
+  const intent = args.intent;
+  const timeoutMs = args.timeoutMs;
+  if (!intent) {
+    exitWithError(
+      ERROR_CODES.USER_ERROR,
+      "Missing --intent <id>",
+      "Provide the intent ID returned from a simulation.",
+      format
+    );
+  }
+  if (!token) {
+    exitWithError(
+      ERROR_CODES.AUTH_ERROR,
+      "Missing authentication token",
+      "Provide --token <bearer> or set ATF_API_KEY env var.",
+      format
+    );
+  }
+  let response;
+  try {
+    response = await postApprove(baseUrl, intent, token, timeoutMs);
+  } catch (err) {
+    exitWithError(
+      ERROR_CODES.NETWORK_ERROR,
+      redactToken(`Cannot reach ${baseUrl} — ${err.message}`, token),
+      "Check your network connection and base URL.",
+      format
+    );
+  }
+  if (!response.ok) {
+    const data = response.data || {};
+    const errCode =
+      response.status >= 500
+        ? ERROR_CODES.SERVER_ERROR
+        : response.status === 401 || response.status === 403
+          ? ERROR_CODES.AUTH_ERROR
+          : ERROR_CODES.USER_ERROR;
+    const hint =
+      response.status === 401
+        ? "Check your Bearer token."
+        : response.status === 404
+          ? "Intent not found — check the intent ID."
+          : response.status === 409
+            ? "Intent already approved or expired."
+            : null;
+    const msg = redactToken(data.message || data.detail || `HTTP ${response.status}`, token);
+    exitWithError(
+      errCode,
+      msg,
+      hint,
+      format,
+      { status: response.status, requestId: response.requestId || data.request_id }
+    );
+  }
+  const data = response.data || {};
+  const result = { ok: true, request_id: response.requestId, base_url: baseUrl, intent, response: data };
+  if (args.verbose && args._deprecatedIntentId) {
+    result.warnings = ["--intent-id is deprecated; use --intent"];
+  }
+  if (format === "pretty") {
+    const noColor = process.env.NO_COLOR;
+    const c = noColor ? { reset: "", bold: "", green: "", dim: "" } : COLORS;
+    process.stdout.write(
+      `\n${c.bold}${c.green}  \u2713 APPROVED${c.reset}\n` +
+        `${c.dim}  Intent:${c.reset}  ${intent}\n` +
+        (data.tx_hash
+          ? `${c.dim}  TX Hash:${c.reset} ${data.tx_hash}\n`
+          : "") +
+        `\n`
+    );
+  } else {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+  }
+  process.exit(0);
+}
+// ---- src/version_cmd.mjs ----
+/**
+ * version_cmd.mjs — rich version command
+ *
+ * Output: { ok:true, cli_version, node_version, platform, arch, default_base_url, build_commit, build_date }
+ */
+async function runVersion(args) {
+  const format = args.format;
+  const commit = BUILD_COMMIT === "__BUILD_COMMIT__" ? null : BUILD_COMMIT;
+  const buildTime = BUILD_DATE === "__BUILD_DATE__" ? null : BUILD_DATE;
+  const result = {
+    ok: true,
+    cli_version: VERSION,
+    node_version: process.version,
+    platform: process.platform,
+    arch: process.arch,
+    default_base_url: DEFAULT_BASE_URL,
+    build_commit: commit,
+    build_date: buildTime,
+  };
+  if (format === "pretty") {
+    const noColor = process.env.NO_COLOR;
+    const c = noColor ? { reset: "", bold: "", dim: "" } : COLORS;
+    process.stdout.write(
+      `\n${c.bold}  @trucore/atf v${VERSION}${c.reset}\n` +
+        `${c.dim}  Node:${c.reset}     ${process.version}\n` +
+        `${c.dim}  Platform:${c.reset} ${process.platform}/${process.arch}\n` +
+        `${c.dim}  API:${c.reset}      ${DEFAULT_BASE_URL}\n` +
+        `${c.dim}  Commit:${c.reset}   ${commit || "dev"}\n` +
+        `${c.dim}  Built:${c.reset}    ${buildTime || "dev"}\n\n`
+    );
+  } else {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+  }
+  process.exit(0);
+}
+// ---- src/simulate.mjs ----
+/**
+ * simulate.mjs — simulate command implementation
+ *
+ * Output: { ok:true, base_url, preset?, verified?:boolean, response:<simulateJson> }
+ */
+async function runSimulate(args) {
+  const baseUrl = args.baseUrl;
+  const verify = args.verify;
+  const format = args.format;
+  const quiet = args.quiet;
+  const apiKey = args.apiKey;
+  const timeoutMs = args.timeoutMs;
+  // Resolve body
+  let body;
+  let presetName = null;
+  if (args.json) {
+    const parsed = parseJsonBody(args.json);
+    if (!parsed.ok) {
+      exitWithError(
+        ERROR_CODES.USER_ERROR,
+        parsed.message,
+        "Provide valid JSON via --json '{...}'",
+        format
+      );
+    }
+    body = parsed.body;
+  } else if (args.preset) {
+    presetName = args.preset;
+    const check = validatePreset(presetName);
+    if (!check.ok) {
+      exitWithError(
+        ERROR_CODES.USER_ERROR,
+        check.message,
+        `Available presets: ${PRESET_NAMES.join(", ")}`,
+        format
+      );
+    }
+    body = PRESETS[presetName].transaction;
+    if (!quiet && format === "pretty") {
+      process.stderr.write(
+        `${COLORS.dim}Preset: ${presetName} — ${PRESETS[presetName].description}${COLORS.reset}\n`
+      );
+    }
+  } else {
+    exitWithError(
+      ERROR_CODES.USER_ERROR,
+      "Either --preset <name> or --json '<json>' is required.",
+      `Available presets: ${PRESET_NAMES.join(", ")}`,
+      format
+    );
+  }
+  // Make request — try SIMULATE_PATHS in order; stop on first non-404.
+  // If a 404 carries a structured ATF error envelope ({ok:false, error:{code:...}})
+  // we treat it as an authoritative app-level response and do NOT fallback.
+  let response;
+  const attemptedPaths = [];
+  try {
+    for (const path of SIMULATE_PATHS) {
+      attemptedPaths.push(path);
+      response = await postSimulate(baseUrl, body, apiKey, timeoutMs, path);
+      if (response.status !== 404) break;
+      // 404 with a structured ATF error envelope → authoritative, stop fallback
+      if (isAtfErrorEnvelope(response.data)) break;
+    }
+  } catch (err) {
+    exitWithError(
+      ERROR_CODES.NETWORK_ERROR,
+      `Network failure — ${err.message}`,
+      "Check your network connection and base URL.",
+      format
+    );
+  }
+  // Handle non-200
+  if (!response.ok) {
+    let errCode;
+    let msg;
+    let hint = null;
+    if (response.status === 401 || response.status === 403) {
+      errCode = ERROR_CODES.AUTH_ERROR;
+      const data = response.data || {};
+      msg = data.message || data.detail || `HTTP ${response.status}`;
+      hint = response.status === 401
+        ? "Check your API key or Bearer token."
+        : "Access denied. Check your permissions.";
+    } else if (response.status === 404) {
+      if (isAtfErrorEnvelope(response.data)) {
+        // Authoritative ATF 404 — surface the server's error as-is
+        errCode = response.data.error.code || ERROR_CODES.SERVER_ERROR;
+        msg = response.data.error.message || `HTTP 404`;
+        hint = (response.data.error.details && response.data.error.details.hint) || null;
+        exitWithError(errCode, msg, hint, format, {
+          status: 404,
+          attempted_paths: attemptedPaths,
+          baseUrl,
+          requestId: response.requestId,
+        });
+      }
+      // Endpoint miss — none of the paths exist on this server
+      errCode = ERROR_CODES.SERVER_ERROR;
+      msg = "SIMULATE_NOT_AVAILABLE";
+      hint = "The simulate endpoint is not available on this server.";
+      exitWithError(errCode, msg, hint, format, {
+        status: 404,
+        attempted_paths: attemptedPaths,
+        baseUrl,
+        requestId: response.requestId,
+      });
+    } else if (response.status === 422 || response.status === 400) {
+      errCode = ERROR_CODES.VALIDATION_ERROR;
+      const data = response.data || {};
+      msg = data.message || data.detail || data.error || `HTTP ${response.status}`;
+      hint = "Check the request body format and required fields.";
+    } else if (response.status === 429) {
+      errCode = ERROR_CODES.SERVER_ERROR;
+      const data = response.data || {};
+      msg = data.message || data.detail || data.error || `HTTP ${response.status}`;
+      hint = response.retryAfter
+        ? `Rate limited. Retry after ${response.retryAfter}s.`
+        : "Rate limited. Try again later.";
+    } else if (response.status >= 500) {
+      errCode = ERROR_CODES.SERVER_ERROR;
+      const data = response.data || {};
+      msg = data.message || data.detail || data.error || `HTTP ${response.status}`;
+    } else {
+      errCode = ERROR_CODES.USER_ERROR;
+      const data = response.data || {};
+      msg = data.message || data.detail || data.error || `HTTP ${response.status}`;
+    }
+    exitWithError(errCode, msg, hint, format, { status: response.status, requestId: response.requestId });
+  }
+  const data = response.data;
+  if (!data || typeof data !== "object") {
+    exitWithError(
+      ERROR_CODES.SERVER_ERROR,
+      "API returned non-JSON response.",
+      null,
+      format
+    );
+  }
+  // Extract fields — firewall-api returns decision/reasons (array);
+  // legacy servers may return status/reason (string).
+  const decision = (data.decision || data.status || "").toLowerCase();
+  const reasons = Array.isArray(data.reasons) ? data.reasons : [];
+  const reason = data.reason || data.deny_reason || data.message || "";  // legacy display
+  const receipt_hash = data.receipt_hash || data.hash || "";
+  const content_hash = data.content_hash || "";
+  const policy_hash = data.policy_hash !== undefined ? data.policy_hash : null;
+  const params = data.params || null;
+  const displayReason = reasons.length > 0 ? reasons.join(", ") : reason;
+  // Validate receipt_hash
+  if (receipt_hash && !isValidReceiptHash(receipt_hash)) {
+    exitWithError(
+      ERROR_CODES.VALIDATION_ERROR,
+      `API returned invalid receipt_hash: "${receipt_hash}"`,
+      "Expected: 64 lowercase hex characters.",
+      format
+    );
+  }
+  // Validate content_hash if present
+  if (content_hash && !isValidReceiptHash(content_hash)) {
+    exitWithError(
+      ERROR_CODES.VALIDATION_ERROR,
+      `API returned invalid content_hash: "${content_hash}"`,
+      "Expected: 64 lowercase hex characters.",
+      format
+    );
+  }
+  // Verification (--verify only)
+  let verified = undefined;
+  if (verify) {
+    if (content_hash) {
+      const expectedHash = computeContentHash(decision, reasons, policy_hash, params);
+      if (content_hash !== expectedHash) {
+        exitWithError(
+          ERROR_CODES.VERIFY_FAILED,
+          `content_hash does not match local computation.`,
+          `Expected: ${expectedHash.slice(0, 16)}... Got: ${content_hash.slice(0, 16)}... Open ${baseUrl}/verify?hash=${content_hash}`,
+          format
+        );
+      }
+      verified = true;
+    } else if (receipt_hash) {
+      // DEPRECATED legacy path — content_hash not returned by server.
+      if (!quiet) {
+        process.stderr.write(
+          `${COLORS.yellow}[DEPRECATED] server did not return content_hash; falling back to legacy receipt_hash verification.${COLORS.reset}\n`
+        );
+      }
+      const expectedHash = computeLegacyContentHash(decision, reason);
+      if (receipt_hash !== expectedHash) {
+        exitWithError(
+          ERROR_CODES.VERIFY_FAILED,
+          `receipt_hash does not match local computation (legacy).`,
+          `Expected: ${expectedHash.slice(0, 16)}... Got: ${receipt_hash.slice(0, 16)}... Open ${baseUrl}/verify?hash=${receipt_hash}`,
+          format
+        );
+      }
+      verified = true;
+    } else {
+      verified = false;
+    }
+  }
+  // Build result envelope
+  const result = { ok: true, request_id: response.requestId, base_url: baseUrl };
+  result.preset = presetName || null;
+  result.verified = verify ? (verified === true) : null;
+  result.response = data;
+  // Format output (only reached if verify passed or not requested)
+  if (format === "pretty") {
+    const isAllowed = decision === "allowed" || decision === "approved" || decision === "approve";
+    const noColor = process.env.NO_COLOR;
+    const c = noColor
+      ? { reset: "", bold: "", dim: "", green: "", red: "", yellow: "", cyan: "", gray: "" }
+      : COLORS;
+    const statusColor = isAllowed ? c.green : c.red;
+    const statusIcon = isAllowed ? "\u2713" : "\u2717";
+    const lines = [];
+    lines.push("");
+    lines.push(`${c.bold}${statusColor}  ${statusIcon} ${decision.toUpperCase()}${c.reset}`);
+    if (displayReason) lines.push(`${c.dim}  Reason:${c.reset} ${displayReason}`);
+    if (content_hash) lines.push(`${c.dim}  Content hash:${c.reset} ${content_hash}`);
+    if (receipt_hash) lines.push(`${c.dim}  Receipt:${c.reset} ${receipt_hash}`);
+    const verifyHash = content_hash || receipt_hash;
+    if (verify && verifyHash) {
+      lines.push("");
+      lines.push(`${c.cyan}${c.bold}  Trustless Verification${c.reset}`);
+      lines.push(`${c.cyan}  Verify: ${baseUrl}/verify?hash=${verifyHash}${c.reset}`);
+      lines.push(`${c.dim}  Don't trust TruCore \u2014 recompute/verify deterministically.${c.reset}`);
+    }
+    lines.push("");
+    process.stdout.write(lines.join("\n") + "\n");
+  } else {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+  }
+  // If verify + receipt signing key available, print extra info
+  if (verify && receipt_hash) {
+    try {
+      const keyInfo = await getReceiptSigningKey(baseUrl);
+      if (keyInfo && keyInfo.available === true) {
+        if (!quiet) {
+          process.stderr.write(
+            `${COLORS.dim}  Receipt signing is available. ` +
+              `Public key: ${keyInfo.public_key || "(see /api/receipt-signing-key)"}${COLORS.reset}\n`
+          );
+          process.stderr.write(
+            `${COLORS.dim}  You can verify the receipt signature via POST /api/receipt-signature${COLORS.reset}\n`
+          );
+        }
+      }
+    } catch {
+      // Non-critical — ignore
+    }
+  }
+  // Exit code: allowed=0, denied=1
+  if (decision === "allowed" || decision === "approve" || decision === "approved") {
+    process.exit(0);
+  } else {
+    process.exit(1);
+  }
+}
+// ---- src/swap.mjs ----
+/**
+ * swap.mjs — `swap` command implementation
+ *
+ * Executes a real Solana token swap gated by ATF policy evaluation:
+ *   1) Build intent from CLI flags
+ *   2) POST to ATF /v1/simulate for policy decision
+ *   3) If denied → exit 1, no on-chain action
+ *   4) If allowed → get Jupiter quote + swap tx → sign → send to Solana RPC
+ *
+ * Supports --dry-run (simulate + quote only; no sign/send).
+ *
+ * Devnet / burner mode:
+ *   --burner generates an ephemeral keypair (devnet only).
+ *   --devnet forces devnet RPC, token mints, and explorer links.
+ *   If Jupiter does not support devnet, falls back to a SOL transfer.
+ */
+async function runSwap(args) {
+  const format = args.format;
+  // ── Burner / devnet safety rails ─────────────────────────────────
+  const isBurner = args.burner || !!args.loadBurnerPath;
+  const isDevnet = args.devnet || isBurner; // --burner implies --devnet
+  if (isBurner && !isDevnet) {
+    // Shouldn't happen since we auto-enable, but belt-and-suspenders
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, "--burner requires --devnet.", null, format);
+  }
+  if (isBurner && args.rpcUrl && isMainnetRpc(args.rpcUrl)) {
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, "--burner cannot be used with a mainnet RPC URL.", "Use --devnet or omit --rpc for devnet.", format);
+  }
+  if (isBurner && !args.devnet) {
+    // Auto-enable devnet and warn
+    process.stderr.write(`${COLORS.yellow}[swap] --burner implies --devnet. Forcing devnet mode.${COLORS.reset}\n`);
+  }
+  // ── Generate or load burner keypair ──────────────────────────────
+  let burnerKeypair = null;
+  let burnerPubkey = null;
+  let savedBurnerTo = null;
+  if (args.loadBurnerPath) {
+    try {
+      burnerKeypair = loadBurnerKeypair(args.loadBurnerPath);
+    } catch (err) {
+      exitWithError(ERROR_CODES.VALIDATION_ERROR, `Failed to load burner: ${err.message}`, null, format);
+    }
+    burnerPubkey = base58Encode(burnerKeypair.publicKey);
+  } else if (args.burner) {
+    burnerKeypair = generateBurnerKeypair();
+    burnerPubkey = base58Encode(burnerKeypair.publicKey);
+    if (args.verbose && !args.quiet) {
+      process.stderr.write(`${COLORS.dim}[swap] Generated burner keypair: ${burnerPubkey}${COLORS.reset}\n`);
+    }
+  }
+  // Save burner if requested
+  if (args.saveBurnerPath && burnerKeypair) {
+    try {
+      savedBurnerTo = saveBurnerKeypair(args.saveBurnerPath, burnerKeypair.secretKey);
+      if (!args.quiet) {
+        process.stderr.write(`${COLORS.dim}[swap] Burner keypair saved to: ${savedBurnerTo}${COLORS.reset}\n`);
+      }
+    } catch (err) {
+      exitWithError(ERROR_CODES.VALIDATION_ERROR, `Failed to save burner: ${err.message}`, null, format);
+    }
+  }
+  // ── Faucet mode: print instructions and exit ─────────────────────
+  if (args.faucet) {
+    if (!burnerKeypair) {
+      // Generate one just for faucet info
+      burnerKeypair = generateBurnerKeypair();
+      burnerPubkey = base58Encode(burnerKeypair.publicKey);
+    }
+    const instructions = faucetInstructions(burnerPubkey);
+    const result = {
+      ok: true,
+      network: "devnet",
+      burner: { enabled: true, pubkey: burnerPubkey, saved_to: savedBurnerTo || null },
+      faucet: { suggested: true, instructions },
+    };
+    if (format === "pretty") {
+      process.stdout.write(`\n${instructions}\n\n`);
+    } else {
+      process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    }
+    process.exit(0);
+  }
+  // ── Airdrop (devnet only) ────────────────────────────────────────
+  const devnetRpc = isDevnet ? resolveDevnetRpc(args.rpcUrl) : null;
+  if (args.airdropSol) {
+    if (!isDevnet) {
+      exitWithError(ERROR_CODES.VALIDATION_ERROR, "--airdrop requires --devnet.", null, format);
+    }
+    if (!burnerKeypair && !args.keypairPath) {
+      exitWithError(ERROR_CODES.VALIDATION_ERROR, "--airdrop requires --burner or --keypair.", null, format);
+    }
+    const airdropPubkey = burnerPubkey || (() => {
+      const kp = loadSolanaKeypair(args.keypairPath);
+      return base58Encode(kp.publicKey);
+    })();
+    if (args.verbose && !args.quiet) {
+      process.stderr.write(`${COLORS.dim}[swap] Requesting airdrop of ${args.airdropSol} SOL to ${airdropPubkey}...${COLORS.reset}\n`);
+    }
+    try {
+      const airdropSig = await requestDevnetAirdrop(devnetRpc, airdropPubkey, args.airdropSol, args.timeoutMs);
+      if (!args.quiet) {
+        process.stderr.write(`${COLORS.green}[swap] Airdrop requested: ${airdropSig}${COLORS.reset}\n`);
+        process.stderr.write(`${COLORS.dim}[swap] Waiting a few seconds for confirmation...${COLORS.reset}\n`);
+      }
+      // Brief delay for airdrop to land
+      await new Promise((r) => setTimeout(r, 3000));
+    } catch (err) {
+      process.stderr.write(`${COLORS.yellow}[swap] Airdrop failed: ${err.message}${COLORS.reset}\n`);
+      process.stderr.write(`${COLORS.dim}[swap] This is common with public devnet RPCs. Try the web faucet:${COLORS.reset}\n`);
+      process.stderr.write(`${COLORS.dim}  https://faucet.solana.com/${COLORS.reset}\n`);
+      // Don't exit — let the swap attempt continue if user has funds
+    }
+  }
+  // ── Validate required flags ──────────────────────────────────────
+  if (!args.swapIn) {
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, "Missing required flag: --in <symbol|mint>", "Example: --in SOL", format);
+  }
+  if (!args.swapOut) {
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, "Missing required flag: --out <symbol|mint>", "Example: --out USDC", format);
+  }
+  if (!args.amountIn || isNaN(parseFloat(args.amountIn)) || parseFloat(args.amountIn) <= 0) {
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, "Missing or invalid flag: --amount-in <number>", "Must be a positive number, e.g. 0.001", format);
+  }
+  if (!burnerKeypair && !args.keypairPath) {
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, "Missing required flag: --keypair <path> or --burner", "Provide a Solana keypair or use --burner for devnet.", format);
+  }
+  // ── Resolve tokens (devnet uses different mints) ─────────────────
+  const resolveTokenFn = isDevnet ? resolveDevnetToken : resolveToken;
+  const tokenMapKeys = isDevnet ? Object.keys(DEVNET_TOKEN_MAP) : Object.keys(TOKEN_MAP);
+  const inputToken = resolveTokenFn(args.swapIn);
+  if (!inputToken) {
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, `Unknown input token: "${args.swapIn}"`, `Supported (${isDevnet ? "devnet" : "mainnet"}): ${tokenMapKeys.join(", ")}`, format);
+  }
+  const outputToken = resolveTokenFn(args.swapOut);
+  if (!outputToken) {
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, `Unknown output token: "${args.swapOut}"`, `Supported (${isDevnet ? "devnet" : "mainnet"}): ${tokenMapKeys.join(", ")}`, format);
+  }
+  if (inputToken.mint === outputToken.mint) {
+    exitWithError(ERROR_CODES.VALIDATION_ERROR, "Input and output tokens must be different.", null, format);
+  }
+  // ── Load keypair ─────────────────────────────────────────────────
+  let keypair;
+  if (burnerKeypair) {
+    keypair = burnerKeypair;
+  } else {
+    try {
+      keypair = loadSolanaKeypair(args.keypairPath);
+    } catch (err) {
+      exitWithError(ERROR_CODES.VALIDATION_ERROR, `Keypair error: ${err.message}`, "Provide a valid Solana id.json file.", format);
+    }
+  }
+  const walletPubkey = base58Encode(keypair.publicKey);
+  // ── Compute base units ───────────────────────────────────────────
+  const amountBase = toBaseUnits(args.amountIn, inputToken.decimals);
+  const slippageBps = args.slippageBps ?? 50;
+  const rpcUrl = isDevnet ? (devnetRpc || resolveDevnetRpc(args.rpcUrl)) : (args.rpcUrl || "https://api.mainnet-beta.solana.com");
+  const networkLabel = isDevnet ? "devnet" : "mainnet";
+  const baseUrl = args.baseUrl;
+  const timeoutMs = args.timeoutMs;
+  // Determine execution mode: devnet uses SOL transfer fallback (Jupiter may not support devnet)
+  const executionMode = isDevnet ? "sol_transfer_devnet" : "jupiter_swap";
+  // ── Step 1: ATF policy gate ──────────────────────────────────────
+  const intentBody = {
+    chain_id: "solana",
+    function_name: isDevnet ? "sol_transfer" : "swap",
+    protocol: isDevnet ? "system_program" : "jupiter",
+    from_address: walletPubkey,
+    params: {
+      input: inputToken.symbol,
+      input_mint: inputToken.mint,
+      output: outputToken.symbol,
+      output_mint: outputToken.mint,
+      amount_in: args.amountIn,
+      amount_in_base: amountBase,
+      slippage_bps: slippageBps,
+      rpc: rpcUrl,
+      network: networkLabel,
+      execution_mode: executionMode,
+    },
+  };
+  if (args.verbose && !args.quiet) {
+    process.stderr.write(`${COLORS.dim}[swap] ATF simulate → ${baseUrl}/v1/simulate${COLORS.reset}\n`);
+  }
+  let atfResponse;
+  try {
+    atfResponse = await postSimulate(baseUrl, intentBody, args.apiKey, timeoutMs, "/v1/simulate");
+  } catch (err) {
+    exitWithError(ERROR_CODES.NETWORK_ERROR, `ATF network failure — ${err.message}`, "Check your connection and --base-url.", format);
+  }
+  if (!atfResponse.ok) {
+    const data = atfResponse.data || {};
+    const msg = data.message || data.detail || `HTTP ${atfResponse.status}`;
+    exitWithError(
+      atfResponse.status >= 500 ? ERROR_CODES.SERVER_ERROR : ERROR_CODES.USER_ERROR,
+      `ATF simulate failed: ${msg}`,
+      null,
+      format,
+      { status: atfResponse.status, requestId: atfResponse.requestId }
+    );
+  }
+  const atfData = atfResponse.data;
+  const decision = (atfData.decision || atfData.status || "").toLowerCase();
+  const receiptHash = atfData.receipt_hash || "";
+  const contentHash = atfData.content_hash || "";
+  const requestId = atfResponse.requestId;
+  // ── Verify if requested ──────────────────────────────────────────
+  let verified = null;
+  if (args.verify && contentHash) {
+    const reasons = Array.isArray(atfData.reasons) ? atfData.reasons : [];
+    const policyHash = atfData.policy_hash !== undefined ? atfData.policy_hash : null;
+    const params = atfData.params || null;
+    const expectedHash = computeContentHash(decision, reasons, policyHash, params);
+    if (contentHash !== expectedHash) {
+      exitWithError(ERROR_CODES.VERIFY_FAILED, "content_hash does not match local computation.", null, format);
+    }
+    verified = true;
+  } else if (args.verify) {
+    verified = false;
+  }
+  // ── Check decision ───────────────────────────────────────────────
+  const isAllowed = decision === "allowed" || decision === "approved" || decision === "approve";
+  if (!isAllowed) {
+    const reasons = Array.isArray(atfData.reasons) ? atfData.reasons : [];
+    const result = {
+      ok: false,
+      request_id: requestId,
+      base_url: baseUrl,
+      preset: null,
+      verified,
+      response: atfData,
+    };
+    if (format === "pretty") {
+      const c = args.noColor ? { reset: "", bold: "", red: "", dim: "" } : COLORS;
+      process.stderr.write(`\n${c.bold}${c.red}  ✗ DENIED${c.reset}\n`);
+      if (reasons.length) process.stderr.write(`${c.dim}  Reasons: ${reasons.join(", ")}${c.reset}\n`);
+      process.stderr.write(`${c.dim}  No on-chain transaction executed.${c.reset}\n\n`);
+    } else {
+      process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    }
+    process.exit(1);
+  }
+  // ── Execution path branches on network mode ──────────────────────
+  if (executionMode === "sol_transfer_devnet") {
+    // ══════════════════════════════════════════════════════════════
+    //  DEVNET: SOL transfer fallback (Jupiter doesn't support devnet)
+    // ══════════════════════════════════════════════════════════════
+    // Dry-run: stop after ATF gate
+    if (args.dryRun) {
+      const result = {
+        ok: true,
+        request_id: requestId,
+        base_url: baseUrl,
+        preset: null,
+        verified,
+        network: networkLabel,
+        execution_mode: executionMode,
+        burner: isBurner ? { enabled: true, pubkey: walletPubkey, saved_to: savedBurnerTo || null } : undefined,
+        response: atfData,
+        dry_run: true,
+      };
+      if (format === "pretty") {
+        const c = args.noColor ? { reset: "", bold: "", green: "", dim: "", cyan: "" } : COLORS;
+        process.stdout.write(`\n${c.bold}${c.green}  ✓ DRY-RUN ALLOWED (devnet)${c.reset}\n`);
+        process.stdout.write(`${c.dim}  Decision: ${decision}${c.reset}\n`);
+        process.stdout.write(`${c.dim}  Mode: SOL transfer (devnet fallback)${c.reset}\n`);
+        if (contentHash) process.stdout.write(`${c.dim}  Content hash: ${contentHash}${c.reset}\n`);
+        process.stdout.write(`${c.cyan}  No transaction signed or sent (--dry-run).${c.reset}\n\n`);
+      } else {
+        process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+      }
+      process.exit(0);
+    }
+    // Build SOL transfer: send to self (demo) — amount from --amount-in
+    const lamports = Math.round(parseFloat(args.amountIn) * 1_000_000_000);
+    const recipientPubkey = walletPubkey; // self-transfer for devnet demo
+    if (args.verbose && !args.quiet) {
+      process.stderr.write(`${COLORS.dim}[swap] Devnet SOL transfer: ${args.amountIn} SOL (${lamports} lamports) → self${COLORS.reset}\n`);
+    }
+    // Fetch recent blockhash
+    let blockhashInfo;
+    try {
+      blockhashInfo = await getRecentBlockhash(rpcUrl, timeoutMs);
+    } catch (err) {
+      exitWithError(ERROR_CODES.NETWORK_ERROR, `Failed to get blockhash — ${err.message}`, null, format);
+    }
+    // Build transaction
+    const recipientBytes = keypair.publicKey; // self-transfer
+    const txBytes = buildSolTransferTx(
+      keypair.publicKey,
+      recipientBytes,
+      lamports,
+      blockhashInfo.blockhashBytes
+    );
+    // Sign
+    let signedBytes;
+    try {
+      signedBytes = signSolanaTransaction(new Uint8Array(txBytes), keypair.secretKey);
+    } catch (err) {
+      exitWithError(ERROR_CODES.SERVER_ERROR, `Signing failed: ${err.message}`, null, format);
+    }
+    if (args.verbose && !args.quiet) {
+      process.stderr.write(`${COLORS.dim}[swap] sendTransaction → ${rpcUrl}${COLORS.reset}\n`);
+    }
+    // Send
+    let signature;
+    try {
+      signature = await solanaSendTransaction(rpcUrl, signedBytes, timeoutMs);
+    } catch (err) {
+      exitWithError(ERROR_CODES.NETWORK_ERROR, `Solana sendTransaction failed — ${err.message}`, null, format);
+    }
+    // Confirm (optional)
+    let confirmationStatus = null;
+    if (args.confirm) {
+      if (args.verbose && !args.quiet) {
+        process.stderr.write(`${COLORS.dim}[swap] Confirming ${signature.slice(0, 12)}...${COLORS.reset}\n`);
+      }
+      try {
+        const status = await solanaConfirmTransaction(rpcUrl, signature, args.confirmTimeoutMs || 60_000);
+        confirmationStatus = status.confirmationStatus || "confirmed";
+      } catch (err) {
+        confirmationStatus = `unconfirmed: ${err.message}`;
+      }
+    }
+    // Output
+    const explorerUrl = `https://solscan.io/tx/${signature}?cluster=devnet`;
+    const result = {
+      ok: true,
+      request_id: requestId,
+      base_url: baseUrl,
+      preset: null,
+      verified,
+      network: networkLabel,
+      execution_mode: executionMode,
+      burner: isBurner ? { enabled: true, pubkey: walletPubkey, saved_to: savedBurnerTo || null } : undefined,
+      response: {
+        decision,
+        receipt_hash: receiptHash,
+        content_hash: contentHash,
+      },
+      execution: {
+        rpc: rpcUrl,
+        signature,
+        explorer_url: explorerUrl,
+        sol_transfer: {
+          from: walletPubkey,
+          to: recipientPubkey,
+          lamports,
+        },
+        confirmation_status: confirmationStatus,
+        sent_at: new Date().toISOString(),
+      },
+    };
+    if (format === "pretty") {
+      const c = args.noColor ? { reset: "", bold: "", green: "", dim: "", cyan: "" } : COLORS;
+      process.stdout.write(`\n${c.bold}${c.green}  ✓ DEVNET TX EXECUTED (SOL transfer)${c.reset}\n`);
+      process.stdout.write(`${c.dim}  Signature: ${signature}${c.reset}\n`);
+      process.stdout.write(`${c.cyan}  Explorer:  ${explorerUrl}${c.reset}\n`);
+      if (walletPubkey) process.stdout.write(`${c.dim}  Wallet:    ${walletPubkey}${c.reset}\n`);
+      if (contentHash) process.stdout.write(`${c.dim}  Content hash: ${contentHash}${c.reset}\n`);
+      if (confirmationStatus) process.stdout.write(`${c.dim}  Confirmation: ${confirmationStatus}${c.reset}\n`);
+      process.stdout.write("\n");
     } else {
-      errCode = ERROR_CODES.USER_ERROR;
-      const data = response.data || {};
-      msg = data.message || data.detail || data.error || `HTTP ${response.status}`;
+      process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    }
+    process.exit(0);
+  }
+  // ══════════════════════════════════════════════════════════════════
+  //  MAINNET: Jupiter swap flow (unchanged)
+  // ══════════════════════════════════════════════════════════════════
+  // ── Step 2: Jupiter quote ────────────────────────────────────────
+  if (args.verbose && !args.quiet) {
+    process.stderr.write(`${COLORS.dim}[swap] Jupiter quote → ${inputToken.symbol}→${outputToken.symbol} amount=${amountBase}${COLORS.reset}\n`);
+  }
+  let quoteResponse;
+  try {
+    quoteResponse = await jupiterGetQuote({
+      inputMint: inputToken.mint,
+      outputMint: outputToken.mint,
+      amount: amountBase,
+      slippageBps,
+      timeoutMs,
+    });
+  } catch (err) {
+    exitWithError(ERROR_CODES.NETWORK_ERROR, `Jupiter quote failed — ${err.message}`, null, format);
+  }
+  // ── Dry-run: stop here ───────────────────────────────────────────
+  if (args.dryRun) {
+    const result = {
+      ok: true,
+      request_id: requestId,
+      base_url: baseUrl,
+      preset: null,
+      verified,
+      network: networkLabel,
+      execution_mode: executionMode,
+      response: atfData,
+      dry_run: true,
+      jupiter_quote: {
+        inAmount: quoteResponse.inAmount,
+        outAmount: quoteResponse.outAmount,
+        priceImpactPct: quoteResponse.priceImpactPct,
+        routePlan: quoteResponse.routePlan ? quoteResponse.routePlan.length + " hops" : "unknown",
+      },
+    };
+    if (format === "pretty") {
+      const c = args.noColor ? { reset: "", bold: "", green: "", dim: "", cyan: "" } : COLORS;
+      process.stdout.write(`\n${c.bold}${c.green}  ✓ DRY-RUN ALLOWED${c.reset}\n`);
+      process.stdout.write(`${c.dim}  Decision: ${decision}${c.reset}\n`);
+      process.stdout.write(`${c.dim}  Quote: ${quoteResponse.inAmount} → ${quoteResponse.outAmount}${c.reset}\n`);
+      if (contentHash) process.stdout.write(`${c.dim}  Content hash: ${contentHash}${c.reset}\n`);
+      process.stdout.write(`${c.cyan}  No transaction signed or sent (--dry-run).${c.reset}\n\n`);
+    } else {
+      process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    }
+    process.exit(0);
+  }
+  // ── Step 3: Jupiter swap transaction ─────────────────────────────
+  if (args.verbose && !args.quiet) {
+    process.stderr.write(`${COLORS.dim}[swap] Jupiter swap-tx → ${walletPubkey.slice(0, 8)}...${COLORS.reset}\n`);
+  }
+  let swapResult;
+  try {
+    swapResult = await jupiterGetSwapTx({
+      quoteResponse,
+      userPublicKey: walletPubkey,
+      timeoutMs,
+    });
+  } catch (err) {
+    exitWithError(ERROR_CODES.NETWORK_ERROR, `Jupiter swap-tx failed — ${err.message}`, null, format);
+  }
+  const swapTxB64 = swapResult.swapTransaction;
+  if (!swapTxB64 || typeof swapTxB64 !== "string") {
+    exitWithError(ERROR_CODES.SERVER_ERROR, "Jupiter returned no swapTransaction.", null, format);
+  }
+  // ── Step 4: Sign and send ────────────────────────────────────────
+  const txBytes = Buffer.from(swapTxB64, "base64");
+  let signedBytes;
+  try {
+    signedBytes = signSolanaTransaction(new Uint8Array(txBytes), keypair.secretKey);
+  } catch (err) {
+    exitWithError(ERROR_CODES.SERVER_ERROR, `Signing failed: ${err.message}`, null, format);
+  }
+  if (args.verbose && !args.quiet) {
+    process.stderr.write(`${COLORS.dim}[swap] sendTransaction → ${rpcUrl}${COLORS.reset}\n`);
+  }
+  let signature;
+  try {
+    signature = await solanaSendTransaction(rpcUrl, signedBytes, timeoutMs);
+  } catch (err) {
+    exitWithError(ERROR_CODES.NETWORK_ERROR, `Solana sendTransaction failed — ${err.message}`, null, format);
+  }
+  // ── Step 5 (optional): Confirm ───────────────────────────────────
+  let confirmationStatus = null;
+  if (args.confirm) {
+    if (args.verbose && !args.quiet) {
+      process.stderr.write(`${COLORS.dim}[swap] Confirming ${signature.slice(0, 12)}...${COLORS.reset}\n`);
+    }
+    try {
+      const status = await solanaConfirmTransaction(rpcUrl, signature, args.confirmTimeoutMs || 60_000);
+      confirmationStatus = status.confirmationStatus || "confirmed";
+    } catch (err) {
+      // Not fatal — tx was sent; just couldn't confirm in time
+      confirmationStatus = `unconfirmed: ${err.message}`;
+    }
+  }
+  // ── Output envelope ──────────────────────────────────────────────
+  const explorerUrl = `https://solscan.io/tx/${signature}`;
+  const result = {
+    ok: true,
+    request_id: requestId,
+    base_url: baseUrl,
+    preset: null,
+    verified,
+    network: networkLabel,
+    execution_mode: executionMode,
+    response: {
+      decision,
+      receipt_hash: receiptHash,
+      content_hash: contentHash,
+    },
+    execution: {
+      rpc: rpcUrl,
+      signature,
+      explorer_url: explorerUrl,
+      jupiter: {
+        inAmount: quoteResponse.inAmount,
+        outAmount: quoteResponse.outAmount,
+        priceImpactPct: quoteResponse.priceImpactPct,
+      },
+      confirmation_status: confirmationStatus,
+      sent_at: new Date().toISOString(),
+    },
+  };
+  if (format === "pretty") {
+    const c = args.noColor ? { reset: "", bold: "", green: "", dim: "", cyan: "" } : COLORS;
+    process.stdout.write(`\n${c.bold}${c.green}  ✓ SWAP EXECUTED${c.reset}\n`);
+    process.stdout.write(`${c.dim}  Signature: ${signature}${c.reset}\n`);
+    process.stdout.write(`${c.cyan}  Explorer:  ${explorerUrl}${c.reset}\n`);
+    if (contentHash) process.stdout.write(`${c.dim}  Content hash: ${contentHash}${c.reset}\n`);
+    if (receiptHash) process.stdout.write(`${c.dim}  Receipt hash: ${receiptHash}${c.reset}\n`);
+    if (confirmationStatus) process.stdout.write(`${c.dim}  Confirmation: ${confirmationStatus}${c.reset}\n`);
+    process.stdout.write("\n");
+  } else {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+  }
+  process.exit(0);
+}
+// ---- src/rpc_ping.mjs ----
+/**
+ * rpc_ping.mjs — `atf rpc ping` command
+ *
+ * Calls getHealth or getVersion via Solana JSON-RPC.
+ * Uses effective profile config for RPC URL resolution.
+ *
+ * Output: { ok, cluster, rpc_host, latency_ms, version, slot }
+ */
+async function runRpcPing(args) {
+  const format = args.format;
+  const profileName = args.profileFlag || null;
+  const { name: pName, profile } = resolveEffectiveProfile(profileName);
+  const isDevnet = args.devnet || profile.solana_cluster === "devnet";
+  const { rpcUrl, rpcHost } = resolveRpcUrl(profile, pName, args.rpcUrl, isDevnet);
+  const timeoutMs = args.timeoutMs || 10000;
+  // Build JSON-RPC request for getVersion
+  const rpcBody = JSON.stringify({
+    jsonrpc: "2.0",
+    id: 1,
+    method: "getVersion",
+    params: [],
+  });
+  const start = Date.now();
+  let rpcResult;
+  try {
+    const res = await fetch(rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: rpcBody,
+      signal: AbortSignal.timeout(timeoutMs),
+    });
+    rpcResult = await res.json();
+  } catch (err) {
+    exitWithError(ERROR_CODES.NETWORK_ERROR, `RPC ping failed: ${err.message}`, "Check your RPC URL and network connectivity.", format);
+  }
+  const latencyMs = Date.now() - start;
+  // Get slot via getSlot
+  let slot = null;
+  try {
+    const slotRes = await fetch(rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 2, method: "getSlot", params: [] }),
+      signal: AbortSignal.timeout(timeoutMs),
+    });
+    const slotData = await slotRes.json();
+    if (slotData && slotData.result !== undefined) slot = slotData.result;
+  } catch {
+    // Non-fatal — slot is optional
+  }
+  const cluster = isDevnet ? "devnet" : (profile.solana_cluster || "mainnet");
+  const version = rpcResult && rpcResult.result ? rpcResult.result["solana-core"] || null : null;
+  const result = {
+    ok: true,
+    cluster,
+    rpc_host: rpcHost,
+    latency_ms: latencyMs,
+    version,
+    slot,
+  };
+  if (format === "pretty") {
+    const noColor = args.noColor;
+    const c = noColor ? { reset: "", bold: "", green: "", dim: "", cyan: "" } : COLORS;
+    process.stdout.write(`\n${c.bold}${c.green}  ✓ RPC Ping${c.reset}\n`);
+    process.stdout.write(`  Cluster:    ${cluster}\n`);
+    process.stdout.write(`  Host:       ${rpcHost}\n`);
+    process.stdout.write(`  Latency:    ${latencyMs}ms\n`);
+    if (version) process.stdout.write(`  Version:    ${version}\n`);
+    if (slot !== null) process.stdout.write(`  Slot:       ${slot}\n`);
+    process.stdout.write("\n");
+  } else {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+  }
+}
+// ---- src/tx_sign.mjs ----
+/**
+ * tx_sign.mjs — `atf tx sign` command (offline signing)
+ *
+ * Signs a base64-encoded Solana transaction without sending.
+ * Useful for CI, airgapped workflows, and pipelines.
+ *
+ * Output: { ok, signed_tx_base64 }
+ */
+async function runTxSign(args) {
+  const format = args.format;
+  const profileName = args.profileFlag || null;
+  const { name: pName, profile } = resolveEffectiveProfile(profileName);
+  // Resolve keypair
+  const keypairPath = args.keypairPath || profile.keypair_path;
+  if (!keypairPath) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Keypair path required. Use --keypair or set keypair_path in profile.", null, format);
+  }
+  // Get transaction bytes
+  let txBase64 = args.txBase64 || null;
+  if (args.txFile) {
+    const { readFileSync } = require("node:fs");
+    try {
+      txBase64 = readFileSync(args.txFile, "utf8").trim();
+    } catch (err) {
+      exitWithError(ERROR_CODES.USER_ERROR, `Cannot read tx file: ${err.message}`, null, format);
     }
-    exitWithError(errCode, msg, hint, format, { status: response.status, requestId: response.requestId });
   }
-  const data = response.data;
-  if (!data || typeof data !== "object") {
-    exitWithError(
-      ERROR_CODES.SERVER_ERROR,
-      "API returned non-JSON response.",
-      null,
-      format
-    );
+  if (!txBase64) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Transaction required. Use --tx-base64 or --tx-file.", null, format);
   }
-  // Extract fields — firewall-api returns decision/reasons (array);
-  // legacy servers may return status/reason (string).
-  const decision = (data.decision || data.status || "").toLowerCase();
-  const reasons = Array.isArray(data.reasons) ? data.reasons : [];
-  const reason = data.reason || data.deny_reason || data.message || "";  // legacy display
-  const receipt_hash = data.receipt_hash || data.hash || "";
-  const content_hash = data.content_hash || "";
-  const policy_hash = data.policy_hash !== undefined ? data.policy_hash : null;
-  const params = data.params || null;
-  const displayReason = reasons.length > 0 ? reasons.join(", ") : reason;
+  // Decode, sign, re-encode
+  let txBytes;
+  try {
+    txBytes = Buffer.from(txBase64, "base64");
+  } catch {
+    exitWithError(ERROR_CODES.USER_ERROR, "Invalid base64 transaction.", null, format);
+  }
-  // Validate receipt_hash
-  if (receipt_hash && !isValidReceiptHash(receipt_hash)) {
-    exitWithError(
-      ERROR_CODES.VALIDATION_ERROR,
-      `API returned invalid receipt_hash: "${receipt_hash}"`,
-      "Expected: 64 lowercase hex characters.",
-      format
-    );
+  let keypair;
+  try {
+    keypair = loadSolanaKeypair(keypairPath);
+  } catch (err) {
+    exitWithError(ERROR_CODES.USER_ERROR, `Keypair error: ${err.message}`, null, format);
   }
-  // Validate content_hash if present
-  if (content_hash && !isValidReceiptHash(content_hash)) {
-    exitWithError(
-      ERROR_CODES.VALIDATION_ERROR,
-      `API returned invalid content_hash: "${content_hash}"`,
-      "Expected: 64 lowercase hex characters.",
-      format
-    );
+  let signedBytes;
+  try {
+    signedBytes = signTransaction(txBytes, keypair.secretKey);
+  } catch (err) {
+    exitWithError(ERROR_CODES.USER_ERROR, `Signing failed: ${err.message}`, null, format);
   }
-  // Verification (--verify only)
-  let verified = undefined;
-  if (verify) {
-    if (content_hash) {
-      const expectedHash = computeContentHash(decision, reasons, policy_hash, params);
-      if (content_hash !== expectedHash) {
-        exitWithError(
-          ERROR_CODES.VERIFY_FAILED,
-          `content_hash does not match local computation.`,
-          `Expected: ${expectedHash.slice(0, 16)}... Got: ${content_hash.slice(0, 16)}... Open ${baseUrl}/verify?hash=${content_hash}`,
-          format
-        );
-      }
-      verified = true;
-    } else if (receipt_hash) {
-      // DEPRECATED legacy path — content_hash not returned by server.
-      if (!quiet) {
-        process.stderr.write(
-          `${COLORS.yellow}[DEPRECATED] server did not return content_hash; falling back to legacy receipt_hash verification.${COLORS.reset}\n`
-        );
-      }
-      const expectedHash = computeLegacyContentHash(decision, reason);
-      if (receipt_hash !== expectedHash) {
-        exitWithError(
-          ERROR_CODES.VERIFY_FAILED,
-          `receipt_hash does not match local computation (legacy).`,
-          `Expected: ${expectedHash.slice(0, 16)}... Got: ${receipt_hash.slice(0, 16)}... Open ${baseUrl}/verify?hash=${receipt_hash}`,
-          format
-        );
-      }
-      verified = true;
-    } else {
-      verified = false;
+  const signedBase64 = Buffer.from(signedBytes).toString("base64");
+  const result = { ok: true, signed_tx_base64: signedBase64 };
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+}
+// ---- src/tx_send.mjs ----
+/**
+ * tx_send.mjs — `atf tx send` command
+ *
+ * Signs and sends a base64-encoded Solana transaction.
+ * Prints signature + explorer URL.
+ *
+ * Supports --confirm to poll until finalized.
+ */
+async function runTxSend(args) {
+  const format = args.format;
+  const profileName = args.profileFlag || null;
+  const { name: pName, profile } = resolveEffectiveProfile(profileName);
+  const isDevnet = args.devnet || profile.solana_cluster === "devnet";
+  // Resolve keypair
+  const keypairPath = args.keypairPath || profile.keypair_path;
+  if (!keypairPath) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Keypair path required. Use --keypair or set keypair_path in profile.", null, format);
+  }
+  // Resolve RPC
+  const { rpcUrl, rpcHost } = resolveRpcUrl(profile, pName, args.rpcUrl, isDevnet);
+  // Get transaction bytes
+  let txBase64 = args.txBase64 || null;
+  if (args.txFile) {
+    const { readFileSync } = require("node:fs");
+    try {
+      txBase64 = readFileSync(args.txFile, "utf8").trim();
+    } catch (err) {
+      exitWithError(ERROR_CODES.USER_ERROR, `Cannot read tx file: ${err.message}`, null, format);
     }
   }
-  // Build result envelope
-  const result = { ok: true, base_url: baseUrl };
-  result.preset = presetName || null;
-  result.verified = verify ? (verified === true) : null;
-  result.response = data;
+  if (!txBase64) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Transaction required. Use --tx-base64 or --tx-file.", null, format);
+  }
-  // Format output (only reached if verify passed or not requested)
-  if (format === "pretty") {
-    const isAllowed = decision === "allowed" || decision === "approved" || decision === "approve";
-    const noColor = process.env.NO_COLOR;
-    const c = noColor
-      ? { reset: "", bold: "", dim: "", green: "", red: "", yellow: "", cyan: "", gray: "" }
-      : COLORS;
-    const statusColor = isAllowed ? c.green : c.red;
-    const statusIcon = isAllowed ? "\u2713" : "\u2717";
-    const lines = [];
-    lines.push("");
-    lines.push(`${c.bold}${statusColor}  ${statusIcon} ${decision.toUpperCase()}${c.reset}`);
-    if (displayReason) lines.push(`${c.dim}  Reason:${c.reset} ${displayReason}`);
-    if (content_hash) lines.push(`${c.dim}  Content hash:${c.reset} ${content_hash}`);
-    if (receipt_hash) lines.push(`${c.dim}  Receipt:${c.reset} ${receipt_hash}`);
-    const verifyHash = content_hash || receipt_hash;
-    if (verify && verifyHash) {
-      lines.push("");
-      lines.push(`${c.cyan}${c.bold}  Trustless Verification${c.reset}`);
-      lines.push(`${c.cyan}  Verify: ${baseUrl}/verify?hash=${verifyHash}${c.reset}`);
-      lines.push(`${c.dim}  Don't trust TruCore \u2014 recompute/verify deterministically.${c.reset}`);
+  // Decode and sign
+  let txBytes;
+  try {
+    txBytes = Buffer.from(txBase64, "base64");
+  } catch {
+    exitWithError(ERROR_CODES.USER_ERROR, "Invalid base64 transaction.", null, format);
+  }
+  let keypair;
+  try {
+    keypair = loadSolanaKeypair(keypairPath);
+  } catch (err) {
+    exitWithError(ERROR_CODES.USER_ERROR, `Keypair error: ${err.message}`, null, format);
+  }
+  let signedBytes;
+  try {
+    signedBytes = signTransaction(txBytes, keypair.secretKey);
+  } catch (err) {
+    exitWithError(ERROR_CODES.USER_ERROR, `Signing failed: ${err.message}`, null, format);
+  }
+  const signedBase64 = Buffer.from(signedBytes).toString("base64");
+  // Send to RPC
+  const skipPreflight = profile.tx ? profile.tx.skip_preflight : false;
+  const maxRetries = profile.tx ? profile.tx.max_retries : 3;
+  const commitment = profile.commitment || "confirmed";
+  if (args.verbose && !args.quiet) {
+    process.stderr.write(`${COLORS.dim}[tx send] Sending to ${rpcHost || "RPC"}...${COLORS.reset}\n`);
+  }
+  let signature;
+  try {
+    const sendRes = await fetch(rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "sendTransaction",
+        params: [signedBase64, {
+          encoding: "base64",
+          skipPreflight,
+          maxRetries,
+          preflightCommitment: commitment,
+        }],
+      }),
+      signal: AbortSignal.timeout(args.timeoutMs || 30000),
+    });
+    const sendData = await sendRes.json();
+    if (sendData.error) {
+      exitWithError(ERROR_CODES.SERVER_ERROR, `RPC sendTransaction error: ${sendData.error.message || JSON.stringify(sendData.error)}`, null, format);
     }
-    lines.push("");
-    process.stdout.write(lines.join("\n") + "\n");
-  } else {
-    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    signature = sendData.result;
+  } catch (err) {
+    exitWithError(ERROR_CODES.NETWORK_ERROR, `Failed to send transaction: ${err.message}`, null, format);
+  }
+  // Build explorer URL
+  const cluster = isDevnet ? "devnet" : (profile.solana_cluster || "mainnet");
+  const explorerPref = profile.explorer || "solscan";
+  const explorerUrl = buildExplorerUrl(signature, cluster, explorerPref);
+  // Optionally poll for confirmation
+  const shouldConfirm = args.confirm || profile.confirm;
+  let confirmStatus = null;
+  if (shouldConfirm) {
+    confirmStatus = await pollSignatureStatus(rpcUrl, signature, commitment, args.confirmTimeoutMs || 60000);
+  }
+  const result = {
+    ok: true,
+    signature,
+    explorer_url: explorerUrl,
+    rpc_host: rpcHost,
+    cluster,
+  };
+  if (confirmStatus !== null) result.confirmation = confirmStatus;
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+}
+/**
+ * Build an explorer URL for a transaction signature.
+ */
+function buildExplorerUrl(signature, cluster, explorer) {
+  if (explorer === "solanafm") {
+    const suffix = cluster === "devnet" ? "?cluster=devnet-solana" : "";
+    return `https://solana.fm/tx/${signature}${suffix}`;
   }
+  // Default: solscan
+  const suffix = cluster === "devnet" ? "?cluster=devnet" : "";
+  return `https://solscan.io/tx/${signature}${suffix}`;
+}
+/**
+ * Poll getSignatureStatuses until confirmed/finalized or timeout.
+ */
+async function pollSignatureStatus(rpcUrl, signature, commitment, timeoutMs) {
+  const deadline = Date.now() + timeoutMs;
+  const pollInterval = 2000;
-  // If verify + receipt signing key available, print extra info
-  if (verify && receipt_hash) {
+  while (Date.now() < deadline) {
     try {
-      const keyInfo = await getReceiptSigningKey(baseUrl);
-      if (keyInfo && keyInfo.available === true) {
-        if (!quiet) {
-          process.stderr.write(
-            `${COLORS.dim}  Receipt signing is available. ` +
-              `Public key: ${keyInfo.public_key || "(see /api/receipt-signing-key)"}${COLORS.reset}\n`
-          );
-          process.stderr.write(
-            `${COLORS.dim}  You can verify the receipt signature via POST /api/receipt-signature${COLORS.reset}\n`
-          );
+      const res = await fetch(rpcUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          id: 1,
+          method: "getSignatureStatuses",
+          params: [[signature], { searchTransactionHistory: true }],
+        }),
+        signal: AbortSignal.timeout(10000),
+      });
+      const data = await res.json();
+      if (data.result && data.result.value && data.result.value[0]) {
+        const status = data.result.value[0];
+        if (status.err) return { status: "failed", error: status.err };
+        if (status.confirmationStatus === "finalized") return { status: "finalized" };
+        if (status.confirmationStatus === commitment || status.confirmationStatus === "confirmed") {
+          return { status: status.confirmationStatus };
         }
       }
     } catch {
-      // Non-critical — ignore
+      // Retry on network errors
     }
+    await new Promise((r) => setTimeout(r, pollInterval));
+  }
+  return { status: "timeout" };
+}
+// ---- src/tx_status.mjs ----
+/**
+ * tx_status.mjs — `atf tx status` command
+ *
+ * Polls a Solana signature status and reports confirmed/finalized.
+ * Output: { ok, signature, status, slot, err }
+ */
+async function runTxStatus(args) {
+  const format = args.format;
+  const sig = args.sig || null;
+  if (!sig) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Signature required. Use --sig <signature>.", null, format);
   }
-  // Exit code: allowed=0, denied=1
-  if (decision === "allowed" || decision === "approve" || decision === "approved") {
-    process.exit(0);
+  const profileName = args.profileFlag || null;
+  const { name: pName, profile } = resolveEffectiveProfile(profileName);
+  const isDevnet = args.devnet || profile.solana_cluster === "devnet";
+  const { rpcUrl, rpcHost } = resolveRpcUrl(profile, pName, args.rpcUrl, isDevnet);
+  const commitment = profile.commitment || "confirmed";
+  if (args.verbose && !args.quiet) {
+    process.stderr.write(`${COLORS.dim}[tx status] Checking ${sig.slice(0, 12)}... on ${rpcHost || "RPC"}${COLORS.reset}\n`);
+  }
+  let statusResult;
+  try {
+    const res = await fetch(rpcUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "getSignatureStatuses",
+        params: [[sig], { searchTransactionHistory: true }],
+      }),
+      signal: AbortSignal.timeout(args.timeoutMs || 10000),
+    });
+    statusResult = await res.json();
+  } catch (err) {
+    exitWithError(ERROR_CODES.NETWORK_ERROR, `RPC call failed: ${err.message}`, null, format);
+  }
+  const value = statusResult.result && statusResult.result.value && statusResult.result.value[0];
+  if (!value) {
+    const result = { ok: true, signature: sig, status: "not_found", slot: null, err: null };
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+    return;
+  }
+  const result = {
+    ok: true,
+    signature: sig,
+    status: value.confirmationStatus || "unknown",
+    slot: value.slot || null,
+    err: value.err || null,
+  };
+  if (format === "pretty") {
+    const noColor = args.noColor;
+    const c = noColor ? { reset: "", bold: "", green: "", red: "", dim: "" } : COLORS;
+    const statusColor = value.err ? c.red : c.green;
+    process.stdout.write(`\n${c.bold}  Transaction Status${c.reset}\n`);
+    process.stdout.write(`  Signature:  ${sig}\n`);
+    process.stdout.write(`  Status:     ${statusColor}${result.status}${c.reset}\n`);
+    if (result.slot) process.stdout.write(`  Slot:       ${result.slot}\n`);
+    if (value.err) process.stdout.write(`  Error:      ${c.red}${JSON.stringify(value.err)}${c.reset}\n`);
+    process.stdout.write("\n");
   } else {
-    process.exit(1);
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
   }
 }
-// ---- src/cli.mjs ----
+// ---- src/receipts_verify.mjs ----
 /**
- * cli.mjs — argument parsing and entry point (zero deps)
+ * receipts_verify.mjs — `atf receipts verify` command
  *
- * VERSION, DEFAULT_BASE_URL, BUILD_COMMIT, BUILD_DATE are defined
- * in constants.mjs (concatenated above by build.mjs).
- */
-const HELP_TEXT = `
-@trucore/atf v${VERSION} — Agent Transaction Firewall CLI
-USAGE
-  npx @trucore/atf@${VERSION} <command> [options]
-COMMANDS
-  version     Show CLI version and build metadata
-  health      Check API health and latency
-  simulate    Run a transaction simulation
-  approve     Approve a pending intent
-GLOBAL OPTIONS
-  --base-url <url>      API base URL (default: ${DEFAULT_BASE_URL})
-  --timeout-ms <ms>     Request timeout in ms (default: 20000)
-  --format <fmt>        Output format: json | pretty (default: json)
-  --pretty              Shorthand for --format pretty
-  --no-color            Disable ANSI colors
-  --api-key <key>       API key (also: ATF_API_KEY env var)
-SIMULATE OPTIONS
-  --preset <name>       Use a built-in preset: ${PRESET_NAMES.join(", ")}
-  --json '<json>'       Send raw JSON transaction body
-  --verify              Verify content_hash integrity
-  --quiet               Suppress non-essential output
-APPROVE OPTIONS
-  --intent <id>         Intent ID to approve (required)
-  --token <bearer>      Bearer token for auth (also: ATF_API_KEY env var)
-ENVIRONMENT
-  ATF_API_KEY           API key (sent as x-api-key header or Bearer token)
-  ATF_BASE_URL          Override default base URL
-  ATF_TIMEOUT_MS        Override default timeout (ms)
-  NO_COLOR              Disable ANSI colors when set
-EXIT CODES
-  0   Success (allowed, healthy, etc.)
-  1   User error or denied
-  2   Network / server error
-EXAMPLES
-  npx @trucore/atf@${VERSION} version
-  npx @trucore/atf@${VERSION} health
-  npx @trucore/atf@${VERSION} simulate --preset swap_small --verify
-  npx @trucore/atf@${VERSION} approve --intent abc123 --token mytoken
-`;
-function parseArgs(argv) {
-  const defaultTimeout = (() => {
-    const env = process.env.ATF_TIMEOUT_MS;
-    if (env) { const n = parseInt(env, 10); if (n > 0) return n; }
-    return 20000;
-  })();
-  const args = {
-    command: null,
-    preset: null,
-    json: null,
-    baseUrl: process.env.ATF_BASE_URL || DEFAULT_BASE_URL,
-    verify: false,
-    format: "json",
-    quiet: false,
-    apiKey: process.env.ATF_API_KEY || null,
-    help: false,
-    showVersion: false,
-    timeoutMs: defaultTimeout,
-    noColor: !!process.env.NO_COLOR,
-    intent: null,
-    token: null,
-    verbose: false,
-    _deprecatedIntentId: false,
+ * Verifies content_hash / receipt_hash for a given JSON response.
+ * Accepts --file <path> or --stdin.
+ *
+ * Output: { ok, content_hash_valid, receipt_hash_valid, details }
+ */
+async function runReceiptsVerify(args) {
+  const format = args.format;
+  // Read response JSON
+  let rawJson = null;
+  if (args.receiptFile) {
+    const { readFileSync } = require("node:fs");
+    try {
+      rawJson = readFileSync(args.receiptFile, "utf8").trim();
+    } catch (err) {
+      exitWithError(ERROR_CODES.USER_ERROR, `Cannot read file: ${err.message}`, null, format);
+    }
+  } else if (args.receiptStdin) {
+    const { readFileSync } = require("node:fs");
+    try {
+      rawJson = readFileSync("/dev/stdin", "utf8").trim();
+    } catch {
+      try {
+        rawJson = readFileSync(0, "utf8").trim();
+      } catch {
+        exitWithError(ERROR_CODES.USER_ERROR, "Failed to read from stdin.", null, format);
+      }
+    }
+  } else {
+    exitWithError(ERROR_CODES.USER_ERROR, "Provide a response to verify. Use --file <path> or --stdin.", null, format);
+  }
+  if (!rawJson) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Empty input.", null, format);
+  }
+  let data;
+  try {
+    data = JSON.parse(rawJson);
+  } catch {
+    exitWithError(ERROR_CODES.USER_ERROR, "Input is not valid JSON.", null, format);
+  }
+  // Extract fields
+  const decision = data.decision || null;
+  const reasons = data.reasons || [];
+  const reason = data.reason || "";
+  const policyHash = data.policy_hash || null;
+  const params = data.params || null;
+  const contentHash = data.content_hash || null;
+  const receiptHash = data.receipt_hash || null;
+  const results = {
+    ok: true,
+    content_hash_valid: null,
+    receipt_hash_valid: null,
+    details: {},
   };
-  const raw = argv.slice(2);
-  let i = 0;
-  while (i < raw.length) {
-    const arg = raw[i];
-    if (arg === "--help" || arg === "-h") {
-      args.help = true;
-      i++;
-    } else if (arg === "--version" || arg === "-V") {
-      args.showVersion = true;
-      i++;
-    } else if (arg === "--verify") {
-      args.verify = true;
-      i++;
-    } else if (arg === "--quiet" || arg === "-q") {
-      args.quiet = true;
-      i++;
-    } else if (arg === "--pretty") {
-      args.format = "pretty";
-      i++;
-    } else if (arg === "--no-color") {
-      args.noColor = true;
-      i++;
-    } else if (arg === "--verbose") {
-      args.verbose = true;
-      i++;
-    } else if (arg === "--preset") {
-      args.preset = raw[++i] || null;
-      i++;
-    } else if (arg === "--json") {
-      args.json = raw[++i] || null;
-      i++;
-    } else if (arg === "--base-url") {
-      args.baseUrl = raw[++i] || args.baseUrl;
-      i++;
-    } else if (arg === "--format") {
-      args.format = raw[++i] || args.format;
-      i++;
-    } else if (arg === "--api-key") {
-      args.apiKey = raw[++i] || args.apiKey;
-      i++;
-    } else if (arg === "--timeout-ms") {
-      args.timeoutMs = parseInt(raw[++i], 10) || defaultTimeout;
-      i++;
-    } else if (arg === "--intent" || arg === "--intent-id") {
-      if (arg === "--intent-id") args._deprecatedIntentId = true;
-      args.intent = raw[++i] || null;
-      i++;
-    } else if (arg === "--token") {
-      args.token = raw[++i] || null;
-      i++;
-    } else if (!arg.startsWith("-") && !args.command) {
-      args.command = arg;
-      i++;
-    } else {
-      // Unknown argument — structured JSON error, exit 1
-      const err = makeError("USER_ERROR", `Unknown argument: ${arg}`, { hint: "Run with --help for usage." });
-      process.stdout.write(JSON.stringify(err, null, 2) + "\n");
-      process.exit(1);
+  // Verify content_hash (v2 format)
+  if (contentHash && decision) {
+    const expected = computeContentHash(decision, reasons, policyHash, params);
+    results.content_hash_valid = (contentHash === expected);
+    results.details.content_hash = {
+      provided: contentHash,
+      computed: expected,
+      match: results.content_hash_valid,
+    };
+  }
+  // Verify receipt_hash (legacy format)
+  if (receiptHash && decision) {
+    const expectedLegacy = computeLegacyReceiptHash(decision, reason);
+    results.receipt_hash_valid = (receiptHash === expectedLegacy);
+    results.details.receipt_hash = {
+      provided: receiptHash,
+      computed: expectedLegacy,
+      match: results.receipt_hash_valid,
+    };
+  }
+  if (results.content_hash_valid === null && results.receipt_hash_valid === null) {
+    exitWithError(ERROR_CODES.USER_ERROR, "No content_hash or receipt_hash found in input.", "Ensure the input is an ATF simulation response.", format);
+  }
+  // Overall verdict
+  const anyFailed = (results.content_hash_valid === false) || (results.receipt_hash_valid === false);
+  if (anyFailed) {
+    results.ok = false;
+    results.error = { code: "VERIFY_FAILED", message: "Hash verification failed." };
+  }
+  if (format === "pretty") {
+    const noColor = args.noColor;
+    const c = noColor ? { reset: "", bold: "", green: "", red: "", dim: "" } : COLORS;
+    if (results.content_hash_valid !== null) {
+      const icon = results.content_hash_valid ? `${c.green}✓` : `${c.red}✗`;
+      process.stdout.write(`\n  ${icon} content_hash: ${results.content_hash_valid ? "valid" : "INVALID"}${c.reset}\n`);
     }
+    if (results.receipt_hash_valid !== null) {
+      const icon = results.receipt_hash_valid ? `${c.green}✓` : `${c.red}✗`;
+      process.stdout.write(`  ${icon} receipt_hash: ${results.receipt_hash_valid ? "valid" : "INVALID"}${c.reset}\n`);
+    }
+    process.stdout.write("\n");
+  } else {
+    process.stdout.write(JSON.stringify(results, null, 2) + "\n");
   }
-  return args;
+  if (anyFailed) process.exit(1);
+}
+/**
+ * Compute legacy receipt hash (decision + reason).
+ * Must match Python server implementation.
+ */
+function computeLegacyReceiptHash(decision, reason) {
+  const { createHash } = require("node:crypto");
+  const payload = {
+    decision: (decision || "").toLowerCase(),
+    reason: reason || "",
+  };
+  const keys = Object.keys(payload).sort();
+  const sorted = {};
+  for (const k of keys) sorted[k] = payload[k];
+  return createHash("sha256").update(JSON.stringify(sorted), "utf8").digest("hex");
 }
+// ---- src/whoami.mjs ----
+/**
+ * whoami.mjs — `atf whoami` command
+ *
+ * Prints current profile, base URL, RPC host, cluster, and keypair path.
+ * All secret values are redacted.
+ */
-async function main() {
-  const args = parseArgs(process.argv);
+async function runWhoami(args) {
+  const format = args.format;
+  const profileName = args.profileFlag || null;
+  const { name: pName, profile } = resolveEffectiveProfile(profileName);
+  const isDevnet = args.devnet || profile.solana_cluster === "devnet";
-  if (args.showVersion) {
-    process.stdout.write(`${VERSION}\n`);
-    process.exit(0);
+  let rpcHost = null;
+  try {
+    const resolved = resolveRpcUrl(profile, pName, null, isDevnet);
+    rpcHost = resolved.rpcHost;
+  } catch {
+    // RPC resolution might fail if helius key is missing; that's OK for whoami
   }
-  if (args.help || !args.command) {
-    process.stdout.write(HELP_TEXT);
-    process.exit(0);
+  const result = {
+    ok: true,
+    profile: pName,
+    atf_base_url: profile.atf_base_url || DEFAULT_BASE_URL,
+    solana_cluster: profile.solana_cluster || "mainnet",
+    rpc_host: rpcHost,
+    commitment: profile.commitment || "confirmed",
+    explorer: profile.explorer || "solscan",
+    keypair_path: profile.keypair_path || null,
+    default_slippage_bps: profile.default_slippage_bps || 50,
+    cli_version: VERSION,
+  };
+  if (format === "pretty") {
+    const noColor = args.noColor;
+    const c = noColor ? { reset: "", bold: "", dim: "", cyan: "", green: "" } : COLORS;
+    process.stdout.write(`\n${c.bold}${c.cyan}  @trucore/atf v${VERSION}${c.reset}\n`);
+    process.stdout.write(`  Profile:      ${pName}\n`);
+    process.stdout.write(`  Base URL:     ${result.atf_base_url}\n`);
+    process.stdout.write(`  Cluster:      ${result.solana_cluster}\n`);
+    process.stdout.write(`  RPC Host:     ${rpcHost || "(not configured)"}\n`);
+    process.stdout.write(`  Commitment:   ${result.commitment}\n`);
+    process.stdout.write(`  Explorer:     ${result.explorer}\n`);
+    process.stdout.write(`  Keypair:      ${result.keypair_path || "(not set)"}\n`);
+    process.stdout.write(`  Slippage:     ${result.default_slippage_bps} bps\n`);
+    process.stdout.write("\n");
+  } else {
+    process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+  }
+}
+// ---- src/completion.mjs ----
+/**
+ * completion.mjs — `atf completion` command
+ *
+ * Generates shell completion scripts for bash, zsh, fish, and powershell.
+ * Zero dependencies — just prints the script to stdout.
+ */
+const COMPLETION_COMMANDS = [
+  "version", "health", "simulate", "approve", "swap",
+  "config", "profile", "secret", "rpc", "tx", "receipts",
+  "whoami", "ls", "completion",
+];
+const COMPLETION_SUBCOMMANDS = {
+  config: ["init", "set", "get", "list"],
+  profile: ["use", "list", "create", "delete"],
+  secret: ["set", "list", "unset"],
+  rpc: ["ping"],
+  tx: ["sign", "send", "status"],
+  receipts: ["verify"],
+};
+function generateBashCompletion() {
+  const cmds = COMPLETION_COMMANDS.join(" ");
+  const lines = [
+    "# atf bash completion",
+    "# Add to ~/.bashrc: eval \"$(atf completion bash)\"",
+    "_atf_completions() {",
+    "  local cur prev commands",
+    "  COMPREPLY=()",
+    "  cur=\"${COMP_WORDS[COMP_CWORD]}\"",
+    "  prev=\"${COMP_WORDS[COMP_CWORD-1]}\"",
+    `  commands="${cmds}"`,
+    "",
+    "  if [ $COMP_CWORD -eq 1 ]; then",
+    "    COMPREPLY=( $(compgen -W \"$commands\" -- \"$cur\") )",
+    "    return 0",
+    "  fi",
+    "",
+  ];
+  for (const [cmd, subs] of Object.entries(COMPLETION_SUBCOMMANDS)) {
+    lines.push(`  if [ "\${COMP_WORDS[1]}" = "${cmd}" ] && [ $COMP_CWORD -eq 2 ]; then`);
+    lines.push(`    COMPREPLY=( $(compgen -W "${subs.join(" ")}" -- "$cur") )`);
+    lines.push("    return 0");
+    lines.push("  fi");
+  }
+  lines.push("}");
+  lines.push("complete -F _atf_completions atf");
+  return lines.join("\n") + "\n";
+}
+function generateZshCompletion() {
+  const cmds = COMPLETION_COMMANDS.map((c) => `'${c}:${c} command'`).join(" ");
+  const lines = [
+    "#compdef atf",
+    "# atf zsh completion",
+    "# Add to ~/.zshrc: eval \"$(atf completion zsh)\"",
+    "_atf() {",
+    "  local -a commands",
+    `  commands=(${cmds})`,
+    "",
+    "  _arguments -C \\",
+    "    '1:command:->command' \\",
+    "    '*::arg:->args'",
+    "",
+    "  case $state in",
+    "    command)",
+    "      _describe 'atf command' commands",
+    "      ;;",
+    "    args)",
+    "      case ${words[1]} in",
+  ];
+  for (const [cmd, subs] of Object.entries(COMPLETION_SUBCOMMANDS)) {
+    lines.push(`        ${cmd})`);
+    lines.push(`          local -a subcmds=(${subs.map((s) => `'${s}'`).join(" ")})`);
+    lines.push(`          _describe '${cmd} subcommand' subcmds`);
+    lines.push("          ;;");
+  }
+  lines.push("      esac");
+  lines.push("      ;;");
+  lines.push("  esac");
+  lines.push("}");
+  lines.push("_atf");
+  return lines.join("\n") + "\n";
+}
+function generateFishCompletion() {
+  const lines = [
+    "# atf fish completion",
+    "# Save to ~/.config/fish/completions/atf.fish",
+  ];
+  for (const cmd of COMPLETION_COMMANDS) {
+    lines.push(`complete -c atf -n '__fish_use_subcommand' -a '${cmd}' -d '${cmd}'`);
+  }
+  for (const [cmd, subs] of Object.entries(COMPLETION_SUBCOMMANDS)) {
+    for (const sub of subs) {
+      lines.push(`complete -c atf -n '__fish_seen_subcommand_from ${cmd}' -a '${sub}' -d '${sub}'`);
+    }
+  }
+  return lines.join("\n") + "\n";
+}
+function generatePowershellCompletion() {
+  const cmds = COMPLETION_COMMANDS.map((c) => `'${c}'`).join(", ");
+  const lines = [
+    "# atf PowerShell completion",
+    "# Add to $PROFILE: . (atf completion powershell)",
+    "Register-ArgumentCompleter -CommandName atf -ScriptBlock {",
+    "  param($wordToComplete, $commandAst, $cursorPosition)",
+    `  $commands = @(${cmds})`,
+    "  $commands | Where-Object { $_ -like \"$wordToComplete*\" } | ForEach-Object {",
+    "    [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)",
+    "  }",
+    "}",
+  ];
+  return lines.join("\n") + "\n";
+}
+async function runCompletion(args) {
+  const shell = args.subCommand || args._subArgs[0];
+  if (!shell) {
+    exitWithError(ERROR_CODES.USER_ERROR, "Usage: atf completion <bash|zsh|fish|powershell>", null, args.format);
   }
-  switch (args.command) {
-    case "version":
-      await runVersion(args);
+  let script;
+  switch (shell.toLowerCase()) {
+    case "bash":
+      script = generateBashCompletion();
       break;
-    case "health":
-      await runHealth(args);
+    case "zsh":
+      script = generateZshCompletion();
       break;
-    case "simulate":
-      await runSimulate(args);
+    case "fish":
+      script = generateFishCompletion();
       break;
-    case "approve":
-      await runApprove(args);
+    case "powershell":
+    case "pwsh":
+      script = generatePowershellCompletion();
       break;
     default:
-      exitWithError(ERROR_CODES.USER_ERROR, `Unknown command: ${args.command}`, "Run with --help for usage.", args.format);
+      exitWithError(ERROR_CODES.USER_ERROR, `Unsupported shell: ${shell}. Use: bash, zsh, fish, or powershell.`, null, args.format);
   }
-  // Ensure clean exit — fetch() can leave open handles that prevent
-  // the event loop from draining naturally.
-  process.exit(0);
+  process.stdout.write(script);
 }
-main().catch((err) => {
-  const msg = err && err.message ? err.message : String(err);
-  const safeMsg = typeof redactToken === "function" ? redactToken(msg) : msg;
-  process.stderr.write(`Fatal: ${safeMsg}\n`);
-  process.exit(2);
-});
+// ---- src/cli.mjs ----
+/**
+ * cli.mjs — argument parsing and entry point (zero deps)
+ *
+ * VERSION, DEFAULT_BASE_URL, BUILD_COMMIT, BUILD_DATE are defined
+ * in constants.mjs (concatenated above by build.mjs).
+ */
+const HELP_TEXT = `
+@trucore/atf v${VERSION} — Agent Transaction Firewall CLI
+USAGE
+  npx @trucore/atf@${VERSION} <command> [options]
+COMMANDS
+  version             Show CLI version and build metadata
+  health              Check API health and latency
+  simulate            Run a transaction simulation
+  approve             Approve a pending intent
+  swap                Execute a real Solana swap (Jupiter) gated by ATF policy
+  whoami              Show current profile, cluster, and RPC host
+  config init         Initialize global config (detects Solana CLI)
+  config set          Set a profile config key
+  config get          Get a profile config key
+  config list         Show effective merged config (secrets redacted)
+  profile use         Switch active profile
+  profile list        List all profiles
+  profile create      Create a new profile
+  profile delete      Delete a profile
+  secret set          Store a secret (e.g. Helius API key)
+  secret list         List stored secret references (no values)
+  secret unset        Remove a stored secret
+  rpc ping            Ping the configured Solana RPC endpoint
+  tx sign             Sign a transaction offline (no send)
+  tx send             Sign and send a transaction
+  tx status           Check transaction confirmation status
+  receipts verify     Verify content_hash / receipt_hash integrity
+  completion          Generate shell completion (bash|zsh|fish|powershell)
+ALIASES
+  ls                  Alias for config list
+GLOBAL OPTIONS
+  --base-url <url>      API base URL (default: ${DEFAULT_BASE_URL})
+  --timeout-ms <ms>     Request timeout in ms (default: 20000)
+  --format <fmt>        Output format: json | pretty (default: json)
+  --pretty              Shorthand for --format pretty
+  --no-color            Disable ANSI colors
+  --api-key <key>       API key (also: ATF_API_KEY env var)
+  --verbose             Show detailed progress on stderr
+  --profile <name>      Use a specific config profile
+SIMULATE OPTIONS
+  --preset <name>       Use a built-in preset: ${PRESET_NAMES.join(", ")}
+  --json '<json>'       Send raw JSON transaction body
+  --verify              Verify content_hash integrity
+  --quiet               Suppress non-essential output
+APPROVE OPTIONS
+  --intent <id>         Intent ID to approve (required)
+  --token <bearer>      Bearer token for auth (also: ATF_API_KEY env var)
+SWAP OPTIONS
+  --in <symbol|mint>    Input token (e.g. SOL)
+  --out <symbol|mint>   Output token (e.g. USDC)
+  --amount-in <number>  Amount of input token (human units, e.g. 0.001)
+  --slippage-bps <int>  Slippage tolerance in basis points (default: 50)
+  --keypair <path>      Path to Solana id.json keypair file
+  --rpc <url>           Solana RPC URL (or "helius" to auto-build from profile)
+  --execute             Opt-in to real on-chain execution (default: dry-run)
+  --yes                 Skip interactive confirmation (for CI / scripts)
+  --dry-run             Alias: explicit dry-run mode (default without --execute)
+  --confirm             Poll signature status until confirmed or timeout
+  --verify              Verify content_hash integrity
+  DEVNET / BURNER OPTIONS (swap only)
+  --burner              Generate ephemeral keypair (devnet only, never printed)
+  --devnet              Force devnet mode (RPC, token mints, explorer links)
+  --faucet              Print faucet instructions + burner pubkey and exit
+  --airdrop <sol>       Request devnet SOL airdrop (e.g. --airdrop 1)
+  --save-burner <path>  Save burner keypair to disk (explicit opt-in, 0600 perms)
+  --load-burner <path>  Load a previously saved burner keypair (requires --devnet)
+  TX OPTIONS (tx sign / tx send)
+  --tx-base64 <b64>     Base64-encoded transaction
+  --tx-file <path>      Path to file containing base64 transaction
+  --sig <signature>     Transaction signature (for tx status)
+  RECEIPTS OPTIONS
+  --file <path>         Path to ATF response JSON (for receipts verify)
+  --stdin               Read ATF response from stdin (for receipts verify)
+  \u26a0 WARNING: The swap command signs and broadcasts real on-chain transactions.
+  Use a burner wallet.  Start with tiny amounts.  Transactions are irreversible.
+ENVIRONMENT
+  ATF_API_KEY           API key (sent as x-api-key header or Bearer token)
+  ATF_BASE_URL          Override default base URL
+  ATF_TIMEOUT_MS        Override default timeout (ms)
+  ATF_DEVNET_RPC        Override devnet RPC URL (default: https://api.devnet.solana.com)
+  HELIUS_API_KEY        Helius RPC API key (used when rpc_url=helius)
+  NO_COLOR              Disable ANSI colors when set
+EXIT CODES
+  0   Success (allowed, healthy, etc.)
+  1   User error or denied
+  2   Network / server error
+EXAMPLES
+  npx @trucore/atf@${VERSION} version
+  npx @trucore/atf@${VERSION} health
+  npx @trucore/atf@${VERSION} whoami
+  npx @trucore/atf@${VERSION} config init --yes
+  npx @trucore/atf@${VERSION} profile create devnet
+  npx @trucore/atf@${VERSION} config set rpc_url helius --profile devnet
+  npx @trucore/atf@${VERSION} rpc ping --profile devnet
+  npx @trucore/atf@${VERSION} simulate --preset swap_small --verify
+  npx @trucore/atf@${VERSION} approve --intent abc123 --token mytoken
+  npx @trucore/atf@${VERSION} swap --in SOL --out USDC --amount-in 0.001 --keypair ~/.config/solana/id.json --verify
+  npx @trucore/atf@${VERSION} swap --in SOL --out USDC --amount-in 0.001 --execute --yes --confirm --verify
+  npx @trucore/atf@${VERSION} swap --burner --devnet --faucet
+  npx @trucore/atf@${VERSION} swap --burner --devnet --airdrop 1 --in SOL --out USDC --amount-in 0.01 --execute --yes --confirm
+  npx @trucore/atf@${VERSION} tx sign --tx-base64 ... --keypair ~/.config/solana/id.json
+  npx @trucore/atf@${VERSION} tx send --tx-base64 ... --keypair ~/.config/solana/id.json --confirm
+  npx @trucore/atf@${VERSION} tx status --sig <signature>
+  npx @trucore/atf@${VERSION} receipts verify --file response.json
+  npx @trucore/atf@${VERSION} completion bash`;
+function parseArgs(argv) {
+  const defaultTimeout = (() => {
+    const env = process.env.ATF_TIMEOUT_MS;
+    if (env) { const n = parseInt(env, 10); if (n > 0) return n; }
+    return 20000;
+  })();
+  const args = {
+    command: null,
+    subCommand: null,
+    preset: null,
+    json: null,
+    baseUrl: process.env.ATF_BASE_URL || DEFAULT_BASE_URL,
+    verify: false,
+    format: "json",
+    quiet: false,
+    apiKey: process.env.ATF_API_KEY || null,
+    help: false,
+    showVersion: false,
+    timeoutMs: defaultTimeout,
+    noColor: !!process.env.NO_COLOR,
+    intent: null,
+    token: null,
+    verbose: false,
+    _deprecatedIntentId: false,
+    // swap-specific flags
+    swapIn: null,
+    swapOut: null,
+    amountIn: null,
+    slippageBps: 50,
+    keypairPath: null,
+    rpcUrl: null,
+    dryRun: false,
+    execute: false,
+    yes: false,
+    confirm: false,
+    confirmTimeoutMs: 60_000,
+    // burner / devnet flags
+    burner: false,
+    devnet: false,
+    faucet: false,
+    airdropSol: null,
+    saveBurnerPath: null,
+    loadBurnerPath: null,
+    // profile / config flags
+    profileFlag: null,
+    _subArgs: [],
+    // tx flags
+    txBase64: null,
+    txFile: null,
+    sig: null,
+    // receipts flags
+    receiptFile: null,
+    receiptStdin: false,
+  };
+  const raw = argv.slice(2);
+  let i = 0;
+  // Commands that accept subcommands
+  const MULTI_COMMANDS = new Set(["config", "profile", "secret", "rpc", "tx", "receipts", "completion"]);
+  while (i < raw.length) {
+    const arg = raw[i];
+    if (arg === "--help" || arg === "-h") {
+      args.help = true;
+      i++;
+    } else if (arg === "--version" || arg === "-V") {
+      args.showVersion = true;
+      i++;
+    } else if (arg === "--verify") {
+      args.verify = true;
+      i++;
+    } else if (arg === "--quiet" || arg === "-q") {
+      args.quiet = true;
+      i++;
+    } else if (arg === "--pretty") {
+      args.format = "pretty";
+      i++;
+    } else if (arg === "--no-color") {
+      args.noColor = true;
+      i++;
+    } else if (arg === "--verbose") {
+      args.verbose = true;
+      i++;
+    } else if (arg === "--preset") {
+      args.preset = raw[++i] || null;
+      i++;
+    } else if (arg === "--json") {
+      args.json = raw[++i] || null;
+      i++;
+    } else if (arg === "--base-url") {
+      args.baseUrl = raw[++i] || args.baseUrl;
+      i++;
+    } else if (arg === "--format") {
+      args.format = raw[++i] || args.format;
+      i++;
+    } else if (arg === "--api-key") {
+      args.apiKey = raw[++i] || args.apiKey;
+      i++;
+    } else if (arg === "--timeout-ms") {
+      args.timeoutMs = parseInt(raw[++i], 10) || defaultTimeout;
+      i++;
+    } else if (arg === "--intent" || arg === "--intent-id") {
+      if (arg === "--intent-id") args._deprecatedIntentId = true;
+      args.intent = raw[++i] || null;
+      i++;
+    } else if (arg === "--token") {
+      args.token = raw[++i] || null;
+      i++;
+    } else if (arg === "--in") {
+      args.swapIn = raw[++i] || null;
+      i++;
+    } else if (arg === "--out") {
+      args.swapOut = raw[++i] || null;
+      i++;
+    } else if (arg === "--amount-in") {
+      args.amountIn = raw[++i] || null;
+      i++;
+    } else if (arg === "--slippage-bps") {
+      args.slippageBps = parseInt(raw[++i], 10) || 50;
+      i++;
+    } else if (arg === "--keypair") {
+      args.keypairPath = raw[++i] || null;
+      i++;
+    } else if (arg === "--rpc") {
+      args.rpcUrl = raw[++i] || null;
+      i++;
+    } else if (arg === "--profile") {
+      args.profileFlag = raw[++i] || null;
+      i++;
+    } else if (arg === "--dry-run") {
+      args.dryRun = true;
+      i++;
+    } else if (arg === "--execute") {
+      args.execute = true;
+      i++;
+    } else if (arg === "--yes" || arg === "-y") {
+      args.yes = true;
+      i++;
+    } else if (arg === "--confirm") {
+      args.confirm = true;
+      i++;
+    } else if (arg === "--burner") {
+      args.burner = true;
+      i++;
+    } else if (arg === "--devnet") {
+      args.devnet = true;
+      i++;
+    } else if (arg === "--faucet") {
+      args.faucet = true;
+      i++;
+    } else if (arg === "--airdrop") {
+      args.airdropSol = parseFloat(raw[++i]) || null;
+      i++;
+    } else if (arg === "--save-burner") {
+      args.saveBurnerPath = raw[++i] || null;
+      i++;
+    } else if (arg === "--load-burner") {
+      args.loadBurnerPath = raw[++i] || null;
+      i++;
+    } else if (arg === "--tx-base64") {
+      args.txBase64 = raw[++i] || null;
+      i++;
+    } else if (arg === "--tx-file") {
+      args.txFile = raw[++i] || null;
+      i++;
+    } else if (arg === "--sig") {
+      args.sig = raw[++i] || null;
+      i++;
+    } else if (arg === "--file") {
+      args.receiptFile = raw[++i] || null;
+      i++;
+    } else if (arg === "--stdin") {
+      args.receiptStdin = true;
+      i++;
+    } else if (!arg.startsWith("-") && !args.command) {
+      args.command = arg;
+      i++;
+      // Collect subcommand + sub-args for multi-commands
+      if (MULTI_COMMANDS.has(arg)) {
+        while (i < raw.length && !raw[i].startsWith("-")) {
+          if (!args.subCommand) {
+            args.subCommand = raw[i];
+          } else {
+            args._subArgs.push(raw[i]);
+          }
+          i++;
+        }
+      }
+    } else if (!arg.startsWith("-") && args.command && !args.subCommand && MULTI_COMMANDS.has(args.command)) {
+      args.subCommand = arg;
+      i++;
+    } else if (!arg.startsWith("-") && args.command && args.subCommand) {
+      args._subArgs.push(arg);
+      i++;
+    } else {
+      // Unknown argument — structured JSON error, exit 1
+      const err = makeError("USER_ERROR", `Unknown argument: ${arg}`, { hint: "Run with --help for usage." });
+      process.stdout.write(JSON.stringify(err, null, 2) + "\n");
+      process.exit(1);
+    }
+  }
+  return args;
+}
+async function main() {
+  const args = parseArgs(process.argv);
+  if (args.showVersion) {
+    process.stdout.write(`${VERSION}\n`);
+    process.exit(0);
+  }
+  if (args.help || !args.command) {
+    process.stdout.write(HELP_TEXT);
+    process.exit(0);
+  }
+  switch (args.command) {
+    case "version":
+      await runVersion(args);
+      break;
+    case "health":
+      await runHealth(args);
+      break;
+    case "simulate":
+      await runSimulate(args);
+      break;
+    case "approve":
+      await runApprove(args);
+      break;
+    case "swap":
+      await runSwap(args);
+      break;
+    case "whoami":
+      await runWhoami(args);
+      break;
+    case "ls":
+      // Alias: ls → config list
+      await runConfigList(args);
+      break;
+    case "config":
+      switch (args.subCommand) {
+        case "init":
+          await runConfigInit(args);
+          break;
+        case "set":
+          await runConfigSet(args);
+          break;
+        case "get":
+          await runConfigGet(args);
+          break;
+        case "list":
+          await runConfigList(args);
+          break;
+        default:
+          exitWithError(ERROR_CODES.USER_ERROR, `Unknown config subcommand: ${args.subCommand || "(none)"}`, "Available: init, set, get, list", args.format);
+      }
+      break;
+    case "profile":
+      switch (args.subCommand) {
+        case "use":
+          await runProfileUse(args);
+          break;
+        case "list":
+          await runProfileList(args);
+          break;
+        case "create":
+          await runProfileCreate(args);
+          break;
+        case "delete":
+          await runProfileDelete(args);
+          break;
+        default:
+          exitWithError(ERROR_CODES.USER_ERROR, `Unknown profile subcommand: ${args.subCommand || "(none)"}`, "Available: use, list, create, delete", args.format);
+      }
+      break;
+    case "secret":
+      switch (args.subCommand) {
+        case "set":
+          await runSecretSet(args);
+          break;
+        case "list":
+          await runSecretList(args);
+          break;
+        case "unset":
+          await runSecretUnset(args);
+          break;
+        default:
+          exitWithError(ERROR_CODES.USER_ERROR, `Unknown secret subcommand: ${args.subCommand || "(none)"}`, "Available: set, list, unset", args.format);
+      }
+      break;
+    case "rpc":
+      switch (args.subCommand) {
+        case "ping":
+          await runRpcPing(args);
+          break;
+        default:
+          exitWithError(ERROR_CODES.USER_ERROR, `Unknown rpc subcommand: ${args.subCommand || "(none)"}`, "Available: ping", args.format);
+      }
+      break;
+    case "tx":
+      switch (args.subCommand) {
+        case "sign":
+          await runTxSign(args);
+          break;
+        case "send":
+          await runTxSend(args);
+          break;
+        case "status":
+          await runTxStatus(args);
+          break;
+        default:
+          exitWithError(ERROR_CODES.USER_ERROR, `Unknown tx subcommand: ${args.subCommand || "(none)"}`, "Available: sign, send, status", args.format);
+      }
+      break;
+    case "receipts":
+      switch (args.subCommand) {
+        case "verify":
+          await runReceiptsVerify(args);
+          break;
+        default:
+          exitWithError(ERROR_CODES.USER_ERROR, `Unknown receipts subcommand: ${args.subCommand || "(none)"}`, "Available: verify", args.format);
+      }
+      break;
+    case "completion":
+      await runCompletion(args);
+      break;
+    default:
+      exitWithError(ERROR_CODES.USER_ERROR, `Unknown command: ${args.command}`, "Run with --help for usage.", args.format);
+  }
+  // Ensure clean exit — fetch() can leave open handles that prevent
+  // the event loop from draining naturally.
+  process.exit(0);
+}
+main().catch((err) => {
+  const msg = err && err.message ? err.message : String(err);
+  const safeMsg = typeof redactToken === "function" ? redactToken(msg) : msg;
+  process.stderr.write(`Fatal: ${safeMsg}\n`);
+  process.exit(2);
+});