@veil-cash/sdk 0.5.0 → 0.6.1

package/dist/cli/index.cjs

@@ -3917,6 +3917,7 @@ var ErrorCode = {
   DEPOSIT_KEY_MISSING: "DEPOSIT_KEY_MISSING",
   CONFIG_CONFLICT: "CONFIG_CONFLICT",
   INVALID_ADDRESS: "INVALID_ADDRESS",
+  INVALID_SLOT: "INVALID_SLOT",
   INVALID_AMOUNT: "INVALID_AMOUNT",
   INSUFFICIENT_BALANCE: "INSUFFICIENT_BALANCE",
   USER_NOT_REGISTERED: "USER_NOT_REGISTERED",
@@ -3952,6 +3953,9 @@ function inferErrorCode(message) {
   if (msg.includes("invalid") && msg.includes("address")) {
     return ErrorCode.INVALID_ADDRESS;
   }
+  if (msg.includes("invalid") && msg.includes("slot")) {
+    return ErrorCode.INVALID_SLOT;
+  }
   if (msg.includes("insufficient balance") || msg.includes("not enough")) {
     return ErrorCode.INSUFFICIENT_BALANCE;
   }
@@ -4616,6 +4620,170 @@ var ERC20_ABI = [
     type: "function"
   }
 ];
+var FORWARDER_FACTORY_ABI = [
+  {
+    inputs: [],
+    name: "CONTRACT_VERSION",
+    outputs: [{ internalType: "string", name: "", type: "string" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [
+      { internalType: "bytes32", name: "_salt", type: "bytes32" },
+      { internalType: "bytes", name: "_childDepositKey", type: "bytes" },
+      { internalType: "address", name: "_owner", type: "address" }
+    ],
+    name: "computeAddress",
+    outputs: [{ internalType: "address", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [
+      { internalType: "bytes32", name: "_salt", type: "bytes32" },
+      { internalType: "bytes", name: "_childDepositKey", type: "bytes" },
+      { internalType: "address", name: "_owner", type: "address" }
+    ],
+    name: "deploy",
+    outputs: [{ internalType: "address", name: "forwarder", type: "address" }],
+    stateMutability: "nonpayable",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "relayer",
+    outputs: [{ internalType: "address", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "veilEntry",
+    outputs: [{ internalType: "address payable", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "usdc",
+    outputs: [{ internalType: "address", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "owner",
+    outputs: [{ internalType: "address", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  }
+];
+var FORWARDER_ABI = [
+  {
+    inputs: [],
+    name: "CONTRACT_VERSION",
+    outputs: [{ internalType: "string", name: "", type: "string" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [
+      { internalType: "address", name: "_token", type: "address" },
+      { internalType: "address", name: "_to", type: "address" },
+      { internalType: "uint256", name: "_amount", type: "uint256" },
+      { internalType: "uint256", name: "_nonce", type: "uint256" },
+      { internalType: "uint256", name: "_deadline", type: "uint256" },
+      { internalType: "bytes", name: "_signature", type: "bytes" }
+    ],
+    name: "withdraw",
+    outputs: [],
+    stateMutability: "nonpayable",
+    type: "function"
+  },
+  {
+    inputs: [{ internalType: "uint256", name: "", type: "uint256" }],
+    name: "usedNonces",
+    outputs: [{ internalType: "bool", name: "", type: "bool" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "owner",
+    outputs: [{ internalType: "address", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "factory",
+    outputs: [{ internalType: "address", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "childDepositKey",
+    outputs: [{ internalType: "bytes", name: "", type: "bytes" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "entry",
+    outputs: [{ internalType: "address", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "usdc",
+    outputs: [{ internalType: "address", name: "", type: "address" }],
+    stateMutability: "view",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "sweepETH",
+    outputs: [],
+    stateMutability: "nonpayable",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "sweepUSDC",
+    outputs: [],
+    stateMutability: "nonpayable",
+    type: "function"
+  },
+  {
+    inputs: [],
+    name: "eip712Domain",
+    outputs: [
+      { internalType: "bytes1", name: "fields", type: "bytes1" },
+      { internalType: "string", name: "name", type: "string" },
+      { internalType: "string", name: "version", type: "string" },
+      { internalType: "uint256", name: "chainId", type: "uint256" },
+      { internalType: "address", name: "verifyingContract", type: "address" },
+      { internalType: "bytes32", name: "salt", type: "bytes32" },
+      { internalType: "uint256[]", name: "extensions", type: "uint256[]" }
+    ],
+    stateMutability: "view",
+    type: "function"
+  },
+  { type: "error", name: "ZeroAddress", inputs: [] },
+  { type: "error", name: "ZeroAmount", inputs: [] },
+  { type: "error", name: "InvalidDepositKey", inputs: [] },
+  { type: "error", name: "NotRelayer", inputs: [] },
+  { type: "error", name: "NoETHBalance", inputs: [] },
+  { type: "error", name: "NoTokenBalance", inputs: [] },
+  { type: "error", name: "TokenApproveFailed", inputs: [] },
+  { type: "error", name: "ETHTransferFailed", inputs: [] },
+  { type: "error", name: "NonceUsed", inputs: [] },
+  { type: "error", name: "Unauthorized", inputs: [] },
+  { type: "error", name: "DeadlineExpired", inputs: [] }
+];
 
 // src/addresses.ts
 var ADDRESSES = {
@@ -4625,9 +4793,11 @@ var ADDRESSES = {
   usdcPool: "0x5c50d58E49C59d112680c187De2Bf989d2a91242",
   usdcQueue: "0x5530241b24504bF05C9a22e95A1F5458888e6a9B",
   usdcToken: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
+  forwarderFactory: "0x2848Fd62293A1ff3b4a897E9FcD0e5962dcc8101",
   chainId: 8453,
   relayUrl: "https://veil-relay.up.railway.app"
 };
+var FORWARDER_CONTRACT_VERSION = "1";
 var POOL_CONFIG = {
   eth: {
     decimals: 18,
@@ -4667,6 +4837,9 @@ function getQueueAddress(pool) {
       throw new Error(`Unknown pool: ${pool}`);
   }
 }
+function getForwarderFactoryAddress() {
+  return getAddresses().forwarderFactory;
+}
 function getRelayUrl() {
   return ADDRESSES.relayUrl;
 }
@@ -4731,7 +4904,7 @@ function decodeCustomError(error) {
     const possibleData = anyError.data || anyError.cause?.data || anyError.cause?.cause?.data;
     if (possibleData && typeof possibleData === "string" && possibleData.startsWith("0x")) {
       try {
-        for (const abi of [ENTRY_ABI]) {
+        for (const abi of [ENTRY_ABI, FORWARDER_ABI]) {
           try {
             const decoded = viem.decodeErrorResult({
               abi,
@@ -6500,6 +6673,27 @@ var RelayError = class extends Error {
     this.network = network;
   }
 };
+async function postRelayJson(endpoint, body, relayUrl) {
+  const url = relayUrl || getRelayUrl();
+  const response = await fetch(`${url}${endpoint}`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  const data = await response.json();
+  if (!response.ok) {
+    const errorData = data;
+    throw new RelayError(
+      errorData.error || errorData.message || "Relay request failed",
+      response.status,
+      errorData.retryAfter,
+      errorData.network
+    );
+  }
+  return data;
+}
 async function submitRelay(options) {
   const {
     type,
@@ -6519,30 +6713,17 @@ async function submitRelay(options) {
     throw new RelayError("Missing proofArgs or extData", 400);
   }
   const relayUrl = customRelayUrl || getRelayUrl();
-  const endpoint = `${relayUrl}/relay/${pool}`;
-  const response = await fetch(endpoint, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify({
+  const endpoint = `/relay/${pool}`;
+  return postRelayJson(
+    endpoint,
+    {
       type,
       proofArgs,
       extData,
       metadata
-    })
-  });
-  const data = await response.json();
-  if (!response.ok) {
-    const errorData = data;
-    throw new RelayError(
-      errorData.error || errorData.message || "Relay request failed",
-      response.status,
-      errorData.retryAfter,
-      errorData.network
-    );
-  }
-  return data;
+    },
+    relayUrl
+  );
 }
 async function checkRelayHealth(relayUrl) {
   const url = relayUrl || getRelayUrl();
@@ -7332,16 +7513,618 @@ function maskUrl(url) {
     return maskValue(url);
   }
 }
+var SUBACCOUNT_CHILD_DOMAIN = "veil-sua-child";
+var SUBACCOUNT_SALT_DOMAIN = "veil-sua-salt";
+var ETH_ADDRESS = "0x0000000000000000000000000000000000000000";
+var DEFAULT_WITHDRAW_DEADLINE_SECONDS = 3600n;
+var DEFAULT_MAX_NONCE_SCAN = 100n;
+var MAX_SUBACCOUNT_SLOTS = 3;
+function createBaseClient(rpcUrl) {
+  return viem.createPublicClient({
+    chain: chains.base,
+    transport: viem.http(rpcUrl)
+  });
+}
+function assertPrivateKey(value, label) {
+  if (!/^0x[a-fA-F0-9]{64}$/.test(value)) {
+    throw new Error(`${label} must be a 0x-prefixed 32-byte hex string`);
+  }
+}
+function normalizeSlot(slot) {
+  if (!Number.isInteger(slot) || slot < 0) {
+    throw new Error("slot must be a non-negative integer");
+  }
+  if (slot >= MAX_SUBACCOUNT_SLOTS) {
+    throw new Error(`slot must be less than ${MAX_SUBACCOUNT_SLOTS} (supported slots: 0-${MAX_SUBACCOUNT_SLOTS - 1})`);
+  }
+  return slot;
+}
+function normalizeAsset(asset) {
+  if (asset !== "eth" && asset !== "usdc") {
+    throw new Error('asset must be "eth" or "usdc"');
+  }
+  return asset;
+}
+function normalizeNonce(value) {
+  const nonce = typeof value === "bigint" ? value : BigInt(value);
+  if (nonce < 0n) {
+    throw new Error("nonce must be non-negative");
+  }
+  return nonce;
+}
+function normalizeDeadline(deadline) {
+  const nextDeadline = deadline === void 0 ? BigInt(Math.floor(Date.now() / 1e3)) + DEFAULT_WITHDRAW_DEADLINE_SECONDS : typeof deadline === "bigint" ? deadline : BigInt(deadline);
+  if (nextDeadline <= 0n) {
+    throw new Error("deadline must be greater than 0");
+  }
+  return nextDeadline;
+}
+function deriveSubaccountChildPrivateKey(rootPrivateKey, slot) {
+  assertPrivateKey(rootPrivateKey, "rootPrivateKey");
+  const normalizedSlot = normalizeSlot(slot);
+  return viem.keccak256(
+    viem.encodePacked(
+      ["bytes32", "string", "uint256"],
+      [rootPrivateKey, SUBACCOUNT_CHILD_DOMAIN, BigInt(normalizedSlot)]
+    )
+  );
+}
+function deriveSubaccountSalt(rootPrivateKey, slot) {
+  assertPrivateKey(rootPrivateKey, "rootPrivateKey");
+  const normalizedSlot = normalizeSlot(slot);
+  return viem.keccak256(
+    viem.encodePacked(
+      ["bytes32", "string", "uint256"],
+      [rootPrivateKey, SUBACCOUNT_SALT_DOMAIN, BigInt(normalizedSlot)]
+    )
+  );
+}
+function deriveSubaccountChildOwner(childPrivateKey) {
+  assertPrivateKey(childPrivateKey, "childPrivateKey");
+  return accounts.privateKeyToAddress(childPrivateKey);
+}
+function deriveSubaccountChildDepositKey(childPrivateKey) {
+  assertPrivateKey(childPrivateKey, "childPrivateKey");
+  return new Keypair(childPrivateKey).depositKey();
+}
+async function predictSubaccountForwarder(options) {
+  const publicClient = createBaseClient(options.rpcUrl);
+  return publicClient.readContract({
+    abi: FORWARDER_FACTORY_ABI,
+    address: getForwarderFactoryAddress(),
+    functionName: "computeAddress",
+    args: [options.salt, options.childDepositKey, options.childOwner]
+  });
+}
+async function deriveSubaccountSlot(options) {
+  const normalizedSlot = normalizeSlot(options.slot);
+  const childPrivateKey = deriveSubaccountChildPrivateKey(options.rootPrivateKey, normalizedSlot);
+  const salt = deriveSubaccountSalt(options.rootPrivateKey, normalizedSlot);
+  const childOwner = deriveSubaccountChildOwner(childPrivateKey);
+  const childDepositKey = deriveSubaccountChildDepositKey(childPrivateKey);
+  const forwarderAddress = await predictSubaccountForwarder({
+    salt,
+    childDepositKey,
+    childOwner,
+    rpcUrl: options.rpcUrl
+  });
+  return {
+    slot: normalizedSlot,
+    childOwner,
+    childDepositKey,
+    salt,
+    forwarderAddress
+  };
+}
+async function isSubaccountForwarderDeployed(options) {
+  if (!viem.isAddress(options.forwarderAddress)) {
+    throw new Error("forwarderAddress must be a valid Ethereum address");
+  }
+  const publicClient = createBaseClient(options.rpcUrl);
+  const code = await publicClient.getCode({ address: options.forwarderAddress });
+  return !!code && code !== "0x";
+}
+async function deploySubaccountForwarder(options) {
+  const slot = await deriveSubaccountSlot({
+    rootPrivateKey: options.rootPrivateKey,
+    slot: options.slot,
+    rpcUrl: options.rpcUrl
+  });
+  return postRelayJson(
+    "/stealth/deploy",
+    {
+      salt: slot.salt,
+      childDepositKey: slot.childDepositKey,
+      childOwner: slot.childOwner,
+      expectedForwarder: slot.forwarderAddress
+    },
+    options.relayUrl
+  );
+}
+async function sweepSubaccountForwarder(options) {
+  const asset = normalizeAsset(options.asset);
+  if (!viem.isAddress(options.forwarderAddress)) {
+    throw new Error("forwarderAddress must be a valid Ethereum address");
+  }
+  return postRelayJson(
+    "/stealth/sweep",
+    {
+      forwarder: options.forwarderAddress,
+      asset
+    },
+    options.relayUrl
+  );
+}
+function toQueueStatus(asset, result) {
+  return {
+    asset,
+    queueBalance: result.queueBalance,
+    queueBalanceWei: result.queueBalanceWei,
+    pendingCount: result.pendingCount,
+    pendingDeposits: result.pendingDeposits
+  };
+}
+async function getSubaccountStatus(options) {
+  const slot = await deriveSubaccountSlot(options);
+  const publicClient = createBaseClient(options.rpcUrl);
+  const addresses = getAddresses();
+  const [deployed, ethWei, usdcWei, ethQueue, usdcQueue] = await Promise.all([
+    isSubaccountForwarderDeployed({
+      forwarderAddress: slot.forwarderAddress,
+      rpcUrl: options.rpcUrl
+    }),
+    publicClient.getBalance({ address: slot.forwarderAddress }),
+    publicClient.readContract({
+      address: addresses.usdcToken,
+      abi: ERC20_ABI,
+      functionName: "balanceOf",
+      args: [slot.forwarderAddress]
+    }),
+    getQueueBalance({
+      address: slot.forwarderAddress,
+      pool: "eth",
+      rpcUrl: options.rpcUrl
+    }),
+    getQueueBalance({
+      address: slot.forwarderAddress,
+      pool: "usdc",
+      rpcUrl: options.rpcUrl
+    })
+  ]);
+  return {
+    slot,
+    deployed,
+    balances: {
+      eth: {
+        balance: viem.formatEther(ethWei),
+        balanceWei: ethWei.toString()
+      },
+      usdc: {
+        balance: viem.formatUnits(usdcWei, 6),
+        balanceWei: usdcWei.toString()
+      }
+    },
+    queues: {
+      eth: toQueueStatus("eth", ethQueue),
+      usdc: toQueueStatus("usdc", usdcQueue)
+    }
+  };
+}
+var WITHDRAW_TYPES = {
+  Withdraw: [
+    { name: "token", type: "address" },
+    { name: "to", type: "address" },
+    { name: "amount", type: "uint256" },
+    { name: "nonce", type: "uint256" },
+    { name: "deadline", type: "uint256" }
+  ]
+};
+function buildSubaccountWithdrawTypedData(options) {
+  if (!viem.isAddress(options.forwarderAddress)) {
+    throw new Error("forwarderAddress must be a valid Ethereum address");
+  }
+  if (!viem.isAddress(options.token)) {
+    throw new Error("token must be a valid Ethereum address");
+  }
+  if (!viem.isAddress(options.to)) {
+    throw new Error("to must be a valid Ethereum address");
+  }
+  return {
+    domain: {
+      name: "VeilForwarder",
+      version: FORWARDER_CONTRACT_VERSION,
+      chainId: getAddresses().chainId,
+      verifyingContract: options.forwarderAddress
+    },
+    types: WITHDRAW_TYPES,
+    primaryType: "Withdraw",
+    message: {
+      token: options.token,
+      to: options.to,
+      amount: options.amount,
+      nonce: options.nonce,
+      deadline: options.deadline
+    }
+  };
+}
+async function signSubaccountWithdraw(options) {
+  assertPrivateKey(options.childPrivateKey, "childPrivateKey");
+  const account = accounts.privateKeyToAccount(options.childPrivateKey);
+  return account.signTypedData({
+    domain: options.typedData.domain,
+    types: options.typedData.types,
+    primaryType: options.typedData.primaryType,
+    message: options.typedData.message
+  });
+}
+async function isSubaccountWithdrawNonceUsed(options) {
+  if (!viem.isAddress(options.forwarderAddress)) {
+    throw new Error("forwarderAddress must be a valid Ethereum address");
+  }
+  const publicClient = createBaseClient(options.rpcUrl);
+  try {
+    return await publicClient.readContract({
+      abi: FORWARDER_ABI,
+      address: options.forwarderAddress,
+      functionName: "usedNonces",
+      args: [normalizeNonce(options.nonce)]
+    });
+  } catch (error) {
+    if (String(error).includes("returned no data")) {
+      throw new Error("Subaccount forwarder is not deployed");
+    }
+    throw error;
+  }
+}
+async function findNextSubaccountWithdrawNonce(options) {
+  const startNonce = normalizeNonce(options.startNonce ?? 0n);
+  const maxScan = normalizeNonce(options.maxScan ?? DEFAULT_MAX_NONCE_SCAN);
+  const limit = startNonce + maxScan;
+  let nonce = startNonce;
+  while (await isSubaccountWithdrawNonceUsed({
+    forwarderAddress: options.forwarderAddress,
+    nonce,
+    rpcUrl: options.rpcUrl
+  })) {
+    nonce += 1n;
+    if (nonce > limit) {
+      throw new Error("Unable to find an unused withdraw nonce within the scan limit");
+    }
+  }
+  return nonce;
+}
+async function buildSubaccountRecoveryTx(options) {
+  if (!viem.isAddress(options.to)) {
+    throw new Error("to must be a valid Ethereum address");
+  }
+  const asset = normalizeAsset(options.asset);
+  const slot = await deriveSubaccountSlot({
+    rootPrivateKey: options.rootPrivateKey,
+    slot: options.slot,
+    rpcUrl: options.rpcUrl
+  });
+  const deployed = await isSubaccountForwarderDeployed({
+    forwarderAddress: slot.forwarderAddress,
+    rpcUrl: options.rpcUrl
+  });
+  if (!deployed) {
+    throw new Error("Subaccount forwarder is not deployed");
+  }
+  const childPrivateKey = deriveSubaccountChildPrivateKey(options.rootPrivateKey, options.slot);
+  const tokenAddress = asset === "eth" ? ETH_ADDRESS : getAddresses().usdcToken;
+  const amountWei = asset === "eth" ? viem.parseEther(options.amount) : viem.parseUnits(options.amount, 6);
+  const nonce = options.nonce === void 0 ? await findNextSubaccountWithdrawNonce({
+    forwarderAddress: slot.forwarderAddress,
+    rpcUrl: options.rpcUrl
+  }) : normalizeNonce(options.nonce);
+  const deadline = normalizeDeadline(options.deadline);
+  const typedData = buildSubaccountWithdrawTypedData({
+    forwarderAddress: slot.forwarderAddress,
+    token: tokenAddress,
+    to: options.to,
+    amount: amountWei,
+    nonce,
+    deadline
+  });
+  const signature = await signSubaccountWithdraw({
+    childPrivateKey,
+    typedData
+  });
+  return {
+    transaction: {
+      to: slot.forwarderAddress,
+      data: viem.encodeFunctionData({
+        abi: FORWARDER_ABI,
+        functionName: "withdraw",
+        args: [tokenAddress, options.to, amountWei, nonce, deadline, signature]
+      })
+    },
+    forwarderAddress: slot.forwarderAddress,
+    asset,
+    amount: options.amount,
+    amountWei: amountWei.toString(),
+    nonce: nonce.toString(),
+    deadline: deadline.toString(),
+    recipient: options.to,
+    tokenAddress,
+    signature
+  };
+}
+
+// src/cli/commands/subaccount.ts
+function parseSlotValue(raw) {
+  const normalized = raw.trim();
+  if (!/^\d+$/.test(normalized)) {
+    throw new CLIError(ErrorCode.INVALID_SLOT, "--slot must be a non-negative integer");
+  }
+  const slot = Number(normalized);
+  if (slot >= MAX_SUBACCOUNT_SLOTS) {
+    throw new CLIError(
+      ErrorCode.INVALID_SLOT,
+      `--slot must be 0-${MAX_SUBACCOUNT_SLOTS - 1} (max ${MAX_SUBACCOUNT_SLOTS} subaccounts supported)`
+    );
+  }
+  return slot;
+}
+function getRequiredVeilKey() {
+  const veilKey = process.env.VEIL_KEY;
+  if (!veilKey) {
+    throw new CLIError(ErrorCode.VEIL_KEY_MISSING, "VEIL_KEY required. Set VEIL_KEY env");
+  }
+  if (!/^0x[a-fA-F0-9]{64}$/.test(veilKey)) {
+    throw new CLIError(ErrorCode.VEIL_KEY_MISSING, "VEIL_KEY must be a 0x-prefixed 32-byte hex string");
+  }
+  return veilKey;
+}
+function parseAsset(raw) {
+  const asset = raw.toLowerCase();
+  if (asset !== "eth" && asset !== "usdc") {
+    throw new CLIError(ErrorCode.INVALID_AMOUNT, `Unsupported asset: ${raw}. Supported: eth, usdc`);
+  }
+  return asset;
+}
+function printQueueHuman(title, queue) {
+  printSection(title);
+  printFields([
+    { label: "Queue balance", value: queue.queueBalance },
+    { label: "Pending", value: queue.pendingCount }
+  ]);
+  if (queue.pendingDeposits.length > 0) {
+    printList(
+      queue.pendingDeposits.map((deposit) => `nonce ${deposit.nonce}: ${deposit.amount} (${deposit.status})`)
+    );
+  }
+}
+function createSubaccountCommand() {
+  const subaccount = new Command("subaccount").description("Manage Veil subaccounts").addHelpText("after", `
+Examples:
+  veil subaccount derive --slot 0
+  veil subaccount status --slot 0
+  veil subaccount deploy --slot 0
+  veil subaccount sweep --slot 0 --asset eth
+  veil subaccount recover --slot 0 --asset usdc --to 0xRecipientAddress --amount 25
+  veil subaccount address --slot 0
+`);
+  subaccount.command("derive").description("Derive subaccount metadata for a slot").requiredOption("--slot <n>", "Subaccount slot", parseSlotValue).option("--json", "Output as JSON").action(async (options) => {
+    try {
+      const rootPrivateKey = getRequiredVeilKey();
+      const rpcUrl = process.env.RPC_URL;
+      const slot = await deriveSubaccountSlot({
+        rootPrivateKey,
+        slot: options.slot,
+        rpcUrl
+      });
+      const deployed = await isSubaccountForwarderDeployed({
+        forwarderAddress: slot.forwarderAddress,
+        rpcUrl
+      });
+      const output = {
+        ...slot,
+        deployed
+      };
+      if (options.json) {
+        printJson(output);
+        return;
+      }
+      printHeader(`Subaccount Slot ${slot.slot}`);
+      printFields([
+        { label: "Child owner", value: slot.childOwner },
+        { label: "Deposit key", value: slot.childDepositKey },
+        { label: "Salt", value: slot.salt },
+        { label: "Forwarder", value: slot.forwarderAddress },
+        { label: "Deployed", value: deployed }
+      ]);
+      printLine();
+    } catch (error) {
+      handleCLIError(error);
+    }
+  });
+  subaccount.command("status").description("Show subaccount deployment, balances, and queue state").requiredOption("--slot <n>", "Subaccount slot", parseSlotValue).option("--json", "Output as JSON").action(async (options) => {
+    try {
+      const rootPrivateKey = getRequiredVeilKey();
+      const status = await getSubaccountStatus({
+        rootPrivateKey,
+        slot: options.slot,
+        rpcUrl: process.env.RPC_URL
+      });
+      if (options.json) {
+        printJson(status);
+        return;
+      }
+      printHeader(`Subaccount Slot ${status.slot.slot}`);
+      printFields([
+        { label: "Forwarder", value: status.slot.forwarderAddress },
+        { label: "Child owner", value: status.slot.childOwner },
+        { label: "Deposit key", value: status.slot.childDepositKey },
+        { label: "Salt", value: status.slot.salt },
+        { label: "Deployed", value: status.deployed }
+      ]);
+      printSection("Forwarder Balances");
+      printFields([
+        { label: "ETH", value: `${status.balances.eth.balance} ETH` },
+        { label: "USDC", value: `${status.balances.usdc.balance} USDC` }
+      ]);
+      printQueueHuman("ETH Queue", status.queues.eth);
+      printQueueHuman("USDC Queue", status.queues.usdc);
+      printLine();
+    } catch (error) {
+      handleCLIError(error);
+    }
+  });
+  subaccount.command("deploy").description("Deploy a subaccount forwarder through the relay").requiredOption("--slot <n>", "Subaccount slot", parseSlotValue).option("--json", "Output as JSON").action(async (options) => {
+    try {
+      const rootPrivateKey = getRequiredVeilKey();
+      const slot = await deriveSubaccountSlot({
+        rootPrivateKey,
+        slot: options.slot,
+        rpcUrl: process.env.RPC_URL
+      });
+      const result = await deploySubaccountForwarder({
+        rootPrivateKey,
+        slot: options.slot,
+        rpcUrl: process.env.RPC_URL,
+        relayUrl: process.env.RELAY_URL
+      });
+      const output = {
+        ...result,
+        slot: options.slot,
+        forwarderAddress: slot.forwarderAddress
+      };
+      if (options.json) {
+        printJson(output);
+        return;
+      }
+      printHeader("Subaccount Deploy Submitted");
+      printFields([
+        { label: "Slot", value: options.slot },
+        { label: "Forwarder", value: slot.forwarderAddress },
+        { label: "Transaction", value: txUrl(result.transactionHash) },
+        { label: "Block", value: result.blockNumber }
+      ]);
+      printLine();
+    } catch (error) {
+      handleCLIError(error);
+    }
+  });
+  subaccount.command("sweep").description("Sweep ETH or USDC from a subaccount forwarder through the relay").requiredOption("--slot <n>", "Subaccount slot", parseSlotValue).requiredOption("--asset <asset>", "Asset to sweep (eth or usdc)", parseAsset).option("--json", "Output as JSON").action(async (options) => {
+    try {
+      const rootPrivateKey = getRequiredVeilKey();
+      const slot = await deriveSubaccountSlot({
+        rootPrivateKey,
+        slot: options.slot,
+        rpcUrl: process.env.RPC_URL
+      });
+      const result = await sweepSubaccountForwarder({
+        forwarderAddress: slot.forwarderAddress,
+        asset: options.asset,
+        relayUrl: process.env.RELAY_URL
+      });
+      const output = {
+        ...result,
+        slot: options.slot,
+        asset: options.asset,
+        forwarderAddress: slot.forwarderAddress
+      };
+      if (options.json) {
+        printJson(output);
+        return;
+      }
+      printHeader("Subaccount Sweep Submitted");
+      printFields([
+        { label: "Slot", value: options.slot },
+        { label: "Asset", value: options.asset.toUpperCase() },
+        { label: "Forwarder", value: slot.forwarderAddress },
+        { label: "Transaction", value: txUrl(result.transactionHash) },
+        { label: "Block", value: result.blockNumber }
+      ]);
+      printLine();
+    } catch (error) {
+      handleCLIError(error);
+    }
+  });
+  subaccount.command("recover").description("Recover assets sitting on the subaccount forwarder with a direct withdraw transaction").requiredOption("--slot <n>", "Subaccount slot", parseSlotValue).requiredOption("--asset <asset>", "Asset to recover (eth or usdc)", parseAsset).requiredOption("--to <address>", "Recipient address").requiredOption("--amount <value>", "Amount to recover").option("--json", "Output as JSON").action(async (options) => {
+    try {
+      const rootPrivateKey = getRequiredVeilKey();
+      if (!viem.isAddress(options.to)) {
+        throw new CLIError(ErrorCode.INVALID_ADDRESS, `Invalid recipient address: ${options.to}`);
+      }
+      const config = getConfig({});
+      const recovery = await buildSubaccountRecoveryTx({
+        rootPrivateKey,
+        slot: options.slot,
+        asset: options.asset,
+        to: options.to,
+        amount: options.amount,
+        rpcUrl: process.env.RPC_URL
+      });
+      const result = await sendTransaction(config, recovery.transaction);
+      const output = {
+        success: result.receipt.status === "success",
+        slot: options.slot,
+        asset: recovery.asset,
+        amount: recovery.amount,
+        amountWei: recovery.amountWei,
+        forwarderAddress: recovery.forwarderAddress,
+        recipient: recovery.recipient,
+        nonce: recovery.nonce,
+        deadline: recovery.deadline,
+        signature: recovery.signature,
+        transactionHash: result.hash,
+        blockNumber: result.receipt.blockNumber.toString()
+      };
+      if (options.json) {
+        printJson(output);
+        return;
+      }
+      printHeader("Subaccount Recovery Submitted");
+      printFields([
+        { label: "Slot", value: options.slot },
+        { label: "Asset", value: recovery.asset.toUpperCase() },
+        { label: "Amount", value: recovery.amount },
+        { label: "Recipient", value: recovery.recipient },
+        { label: "Forwarder", value: recovery.forwarderAddress },
+        { label: "Nonce", value: recovery.nonce },
+        { label: "Transaction", value: txUrl(result.hash) },
+        { label: "Block", value: result.receipt.blockNumber }
+      ]);
+      printLine();
+    } catch (error) {
+      handleCLIError(error);
+    }
+  });
+  subaccount.command("address").description("Print the predicted forwarder address for a subaccount slot").requiredOption("--slot <n>", "Subaccount slot", parseSlotValue).option("--json", "Output as JSON").action(async (options) => {
+    try {
+      const rootPrivateKey = getRequiredVeilKey();
+      const slot = await deriveSubaccountSlot({
+        rootPrivateKey,
+        slot: options.slot,
+        rpcUrl: process.env.RPC_URL
+      });
+      if (options.json) {
+        printJson({
+          slot: options.slot,
+          forwarderAddress: slot.forwarderAddress
+        });
+        return;
+      }
+      printLine(slot.forwarderAddress);
+    } catch (error) {
+      handleCLIError(error);
+    }
+  });
+  return subaccount;
+}
 
 // src/cli/index.ts
 loadEnv();
 var program2 = new Command();
-program2.name("veil").description("CLI for Veil Cash privacy pools on Base").version("0.5.0").addHelpText("after", `
+program2.name("veil").description("CLI for Veil Cash privacy pools on Base").version("0.6.0").addHelpText("after", `
 Getting started:
   veil init
   veil register
   veil deposit ETH 0.1
   veil balance
+  veil subaccount status --slot 0
 `);
 program2.addCommand(createInitCommand());
 program2.addCommand(createKeypairCommand());
@@ -7354,6 +8137,7 @@ program2.addCommand(createWithdrawCommand());
 program2.addCommand(createTransferCommand());
 program2.addCommand(createMergeCommand());
 program2.addCommand(createStatusCommand());
+program2.addCommand(createSubaccountCommand());
 var knownTopLevelCommands = /* @__PURE__ */ new Set([
   ...program2.commands.map((command) => command.name()),
   "help"