@vultisig/cli 0.8.0 → 0.10.0

package/dist/index.js

@@ -1432,7 +1432,7 @@ var init_sha3 = __esm({
 
 // src/index.ts
 import "dotenv/config";
-import { promises as fs3 } from "node:fs";
+import { promises as fs4 } from "node:fs";
 import { parseKeygenQR, Vultisig as Vultisig7 } from "@vultisig/sdk";
 import chalk15 from "chalk";
 import { program } from "commander";
@@ -1517,6 +1517,9 @@ import chalk from "chalk";
 import ora from "ora";
 var silentMode = false;
 var outputFormat = "table";
+function setSilentMode(silent) {
+  silentMode = silent;
+}
 function isSilent() {
   return silentMode;
 }
@@ -1852,6 +1855,11 @@ function displayVaultInfo(vault) {
   printResult(chalk2.bold("\nPublic Keys:"));
   printResult(`  ECDSA:         ${vault.publicKeys.ecdsa.substring(0, 20)}...`);
   printResult(`  EdDSA:         ${vault.publicKeys.eddsa.substring(0, 20)}...`);
+  if (vault.publicKeyMldsa) {
+    printResult(`  ML-DSA-44:     ${vault.publicKeyMldsa.substring(0, 20)}...`);
+  } else {
+    printResult(`  ML-DSA-44:     ${chalk2.gray("Not available")}`);
+  }
   printResult(`  Chain Code:    ${vault.hexChainCode.substring(0, 20)}...
 `);
 }
@@ -2480,8 +2488,9 @@ Or use this URL: ${qrPayload}
     });
   }
   try {
+    const cosmosChain = params.chain;
     const coin = {
-      chain: params.chain,
+      chain: cosmosChain,
       address,
       decimals: 8,
       // THORChain uses 8 decimals
@@ -2501,7 +2510,7 @@ Or use this URL: ${qrPayload}
       gas: chainConfig.gasLimit
     };
     const keysignPayload = await vault.prepareSignAminoTx({
-      chain: params.chain,
+      chain: cosmosChain,
       coin,
       msgs: [executeContractMsg],
       fee,
@@ -2511,7 +2520,7 @@ Or use this URL: ${qrPayload}
     const signature = await vault.sign(
       {
         transaction: keysignPayload,
-        chain: params.chain,
+        chain: cosmosChain,
         messageHashes
       },
       { signal: params.signal }
@@ -2519,7 +2528,7 @@ Or use this URL: ${qrPayload}
     signSpinner.succeed("Transaction signed");
     const broadcastSpinner = createSpinner("Broadcasting transaction...");
     const txHash = await vault.broadcastTx({
-      chain: params.chain,
+      chain: cosmosChain,
       keysignPayload,
       signature
     });
@@ -2603,7 +2612,8 @@ Or use this URL: ${qrPayload}
     const result = {
       signature: sigBase64,
       recovery: signature.recovery,
-      format: signature.format
+      format: signature.format,
+      mldsaSignature: signature.mldsaSignature
     };
     if (isJsonOutput()) {
       outputJson(result);
@@ -2613,6 +2623,9 @@ Or use this URL: ${qrPayload}
         printResult(`Recovery: ${result.recovery}`);
       }
       printResult(`Format: ${result.format}`);
+      if (result.mldsaSignature) {
+        printResult(`ML-DSA-44 Signature: ${result.mldsaSignature.substring(0, 40)}...`);
+      }
     }
     return result;
   } finally {
@@ -2733,7 +2746,11 @@ function withAbortSignal(promise, signal) {
   ]);
 }
 async function executeCreateFast(ctx2, options) {
-  const { name, password, email, signal, twoStep } = options;
+  const twoStep = options.twoStep || !process.stdin.isTTY;
+  const { name, password, email, signal } = options;
+  if (!options.twoStep && twoStep) {
+    info("Non-interactive terminal detected. Using --two-step mode automatically.");
+  }
   const spinner = createSpinner("Creating vault...");
   const vaultId = await withAbortSignal(
     ctx2.sdk.createFastVault({
@@ -2749,6 +2766,16 @@ async function executeCreateFast(ctx2, options) {
   );
   spinner.succeed(`Vault keys generated: ${name}`);
   if (twoStep) {
+    if (isJsonOutput()) {
+      outputJson({
+        vaultId,
+        status: "pending_verification",
+        message: "Vault created. Verify with email OTP to activate.",
+        verifyCommand: `vultisig verify ${vaultId} --code <OTP>`,
+        resendCommand: `vultisig verify ${vaultId} --resend --email ${email} --password <password>`
+      });
+      return void 0;
+    }
     success("\n+ Vault created and saved to disk (pending verification)");
     info(`
 Vault ID: ${vaultId}`);
@@ -2897,15 +2924,19 @@ Important: Save your vault backup file (.vult) in a secure location.`);
     throw err;
   }
 }
-async function executeImport(ctx2, file) {
-  const { password } = await inquirer4.prompt([
-    {
-      type: "password",
-      name: "password",
-      message: "Enter vault password (if encrypted):",
-      mask: "*"
-    }
-  ]);
+async function executeImport(ctx2, file, flagPassword) {
+  let password = flagPassword || process.env.VAULT_PASSWORD || "";
+  if (!password) {
+    const answers = await inquirer4.prompt([
+      {
+        type: "password",
+        name: "password",
+        message: "Enter vault password (if encrypted):",
+        mask: "*"
+      }
+    ]);
+    password = answers.password;
+  }
   const spinner = createSpinner("Importing vault...");
   const vultContent = await fs.readFile(file, "utf-8");
   const vault = await ctx2.sdk.importVault(vultContent, password || void 0);
@@ -2973,11 +3004,25 @@ async function executeVerify(ctx2, vaultId, options = {}) {
     spinner.succeed("Vault verified successfully!");
     setupVaultEvents(vault);
     await ctx2.setActiveVault(vault);
+    if (isJsonOutput()) {
+      outputJson({
+        verified: true,
+        vault: { id: vaultId, name: vault.name, type: "fast" }
+      });
+      return true;
+    }
     success(`
 + Vault "${vault.name}" is now ready to use!`);
     return true;
   } catch (err) {
     spinner.fail("Verification failed");
+    if (isJsonOutput()) {
+      outputJson({
+        verified: false,
+        error: err.message || "Verification failed. Please check the code and try again."
+      });
+      return false;
+    }
     error(`
 \u2717 ${err.message || "Verification failed. Please check the code and try again."}`);
     warn("\nTip: Use --resend to get a new verification code:");
@@ -3058,10 +3103,28 @@ async function executeVaults(ctx2) {
 }
 async function executeSwitch(ctx2, vaultId) {
   const spinner = createSpinner("Loading vault...");
-  const vault = await ctx2.sdk.getVaultById(vaultId);
+  let vault = await ctx2.sdk.getVaultById(vaultId);
+  if (!vault) {
+    const allVaults = await ctx2.sdk.listVaults();
+    const byName = allVaults.filter((v) => v.name.toLowerCase() === vaultId.toLowerCase());
+    if (byName.length === 1) {
+      vault = await ctx2.sdk.getVaultById(byName[0].id);
+    } else if (byName.length > 1) {
+      spinner.fail("Ambiguous vault name");
+      throw new Error(`Multiple vaults match name "${vaultId}". Use the full vault ID instead.`);
+    } else {
+      const byPrefix = allVaults.filter((v) => v.id.startsWith(vaultId));
+      if (byPrefix.length === 1) {
+        vault = await ctx2.sdk.getVaultById(byPrefix[0].id);
+      } else if (byPrefix.length > 1) {
+        spinner.fail("Ambiguous vault ID prefix");
+        throw new Error(`Multiple vaults match prefix "${vaultId}". Use a longer prefix or the full ID.`);
+      }
+    }
+  }
   if (!vault) {
     spinner.fail("Vault not found");
-    throw new Error(`No vault found with ID: ${vaultId}`);
+    throw new Error(`No vault found matching: ${vaultId}`);
   }
   await ctx2.setActiveVault(vault);
   setupVaultEvents(vault);
@@ -3103,6 +3166,7 @@ async function executeInfo(ctx2) {
         publicKeys: {
           ecdsa: vault.publicKeys.ecdsa,
           eddsa: vault.publicKeys.eddsa,
+          ...vault.publicKeyMldsa ? { mldsa: vault.publicKeyMldsa } : {},
           chainCode: vault.hexChainCode
         }
       }
@@ -4101,6 +4165,89 @@ function displayDiscountTier(tierInfo) {
 import chalk9 from "chalk";
 import Table from "cli-table3";
 
+// src/agent/ask.ts
+var AskInterface = class {
+  session;
+  verbose;
+  responseParts = [];
+  toolCalls = [];
+  transactions = [];
+  constructor(session, verbose = false) {
+    this.session = session;
+    this.verbose = verbose;
+  }
+  /**
+   * Get UI callbacks that silently collect results.
+   * Tool progress is logged to stderr in verbose mode.
+   */
+  getCallbacks() {
+    return {
+      onTextDelta: (_delta) => {
+      },
+      onToolCall: (_id, action, params) => {
+        if (this.verbose) {
+          const paramStr = params ? ` ${JSON.stringify(params)}` : "";
+          process.stderr.write(`[tool] ${action}${paramStr} ...
+`);
+        }
+      },
+      onToolResult: (_id, action, success2, data, error2) => {
+        this.toolCalls.push({ action, success: success2, data, error: error2 });
+        if (this.verbose) {
+          const status = success2 ? "ok" : `error: ${error2}`;
+          process.stderr.write(`[tool] ${action}: ${status}
+`);
+        }
+      },
+      onAssistantMessage: (content) => {
+        if (content) {
+          this.responseParts.push(content);
+        }
+      },
+      onSuggestions: (_suggestions) => {
+      },
+      onTxStatus: (txHash, chain, _status, explorerUrl) => {
+        this.transactions.push({ hash: txHash, chain, explorerUrl });
+        if (this.verbose) {
+          process.stderr.write(`[tx] ${chain}: ${txHash}
+`);
+        }
+      },
+      onError: (message) => {
+        process.stderr.write(`[error] ${message}
+`);
+      },
+      onDone: () => {
+      },
+      requestPassword: async () => {
+        throw new Error(
+          "Password required but not provided. Use --password flag."
+        );
+      },
+      requestConfirmation: async (_message) => {
+        return true;
+      }
+    };
+  }
+  /**
+   * Send a message and wait for the complete response.
+   * All tool calls and actions are executed automatically.
+   */
+  async ask(message) {
+    this.responseParts = [];
+    this.toolCalls = [];
+    this.transactions = [];
+    const callbacks = this.getCallbacks();
+    await this.session.sendMessage(message, callbacks);
+    return {
+      sessionId: this.session.getConversationId() || "",
+      response: this.responseParts[this.responseParts.length - 1] || "",
+      toolCalls: this.toolCalls,
+      transactions: this.transactions
+    };
+  }
+};
+
 // src/agent/auth.ts
 init_sha3();
 import { randomBytes } from "node:crypto";
@@ -4376,8 +4523,8 @@ var AgentClient = class {
   // ============================================================================
   // Private helpers
   // ============================================================================
-  async post(path3, body) {
-    const res = await fetch(`${this.baseUrl}${path3}`, {
+  async post(path4, body) {
+    const res = await fetch(`${this.baseUrl}${path4}`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -4391,8 +4538,8 @@ var AgentClient = class {
     }
     return await res.json();
   }
-  async delete(path3, body) {
-    const res = await fetch(`${this.baseUrl}${path3}`, {
+  async delete(path4, body) {
+    const res = await fetch(`${this.baseUrl}${path4}`, {
       method: "DELETE",
       headers: {
         "Content-Type": "application/json",
@@ -4412,7 +4559,8 @@ import { Chain as Chain8 } from "@vultisig/sdk";
 async function buildMessageContext(vault) {
   const context = {
     vault_address: vault.publicKeys.ecdsa,
-    vault_name: vault.name
+    vault_name: vault.name,
+    mldsa_public_key: vault.publicKeyMldsa
   };
   try {
     const chains = vault.chains;
@@ -4472,6 +4620,30 @@ async function buildMessageContext(vault) {
   }
   return context;
 }
+async function buildMinimalContext(vault) {
+  const context = {
+    vault_address: vault.publicKeys.ecdsa,
+    vault_name: vault.name
+  };
+  try {
+    const chains = vault.chains;
+    const addressEntries = await Promise.allSettled(
+      chains.map(async (chain) => ({
+        chain: chain.toString(),
+        address: await vault.address(chain)
+      }))
+    );
+    const addresses = {};
+    for (const result of addressEntries) {
+      if (result.status === "fulfilled") {
+        addresses[result.value.chain] = result.value.address;
+      }
+    }
+    context.addresses = addresses;
+  } catch {
+  }
+  return context;
+}
 function getNativeTokenTicker(chain) {
   const tickers = {
     [Chain8.Ethereum]: "ETH",
@@ -4532,6 +4704,161 @@ function getNativeTokenDecimals(chain) {
 // src/agent/executor.ts
 import { Chain as Chain9, Vultisig as Vultisig6 } from "@vultisig/sdk";
 
+// src/core/VaultStateStore.ts
+import * as fs2 from "node:fs";
+import * as os from "node:os";
+import * as path2 from "node:path";
+var LOCK_STALE_MS = 6e4;
+var LOCK_RETRY_INIT_MS = 100;
+var LOCK_MAX_WAIT_MS = 3e4;
+var STATE_TTL_MS = 10 * 6e4;
+var VaultStateStore = class {
+  baseDir;
+  constructor(vaultId) {
+    const safeId = vaultId.replace(/[^a-zA-Z0-9]/g, "").slice(0, 40);
+    if (!safeId) {
+      throw new Error("Invalid vaultId: must contain alphanumeric characters");
+    }
+    this.baseDir = path2.join(os.homedir(), ".vultisig", "vault-state", safeId);
+    fs2.mkdirSync(this.baseDir, { recursive: true });
+  }
+  // -------------------------------------------------------------------------
+  // Chain-level locking
+  // -------------------------------------------------------------------------
+  /**
+   * Acquire an exclusive file lock for the given chain.
+   * Blocks (with exponential backoff) until the lock is available or timeout.
+   *
+   * @returns A release function — caller MUST call it when done.
+   */
+  async acquireChainLock(chain) {
+    const lockPath = path2.join(this.baseDir, `${chain}.lock`);
+    const startTime = Date.now();
+    let delay = LOCK_RETRY_INIT_MS;
+    while (true) {
+      try {
+        const fd = fs2.openSync(lockPath, "wx");
+        const lockToken = `${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        const info2 = { pid: process.pid, timestamp: Date.now(), token: lockToken };
+        fs2.writeSync(fd, JSON.stringify(info2));
+        fs2.closeSync(fd);
+        return async () => {
+          try {
+            const content = fs2.readFileSync(lockPath, "utf8");
+            const current = JSON.parse(content);
+            if (current.token === lockToken) {
+              fs2.unlinkSync(lockPath);
+            }
+          } catch {
+          }
+        };
+      } catch (err) {
+        if (err.code !== "EEXIST") throw err;
+        if (this.tryCleanStaleLock(lockPath)) {
+          continue;
+        }
+        if (Date.now() - startTime > LOCK_MAX_WAIT_MS) {
+          throw new Error(
+            `Timeout after ${LOCK_MAX_WAIT_MS}ms waiting for ${chain} chain lock. Another process may be stuck. Lock file: ${lockPath}`
+          );
+        }
+        await sleep2(delay);
+        delay = Math.min(delay * 1.5, 2e3);
+      }
+    }
+  }
+  // -------------------------------------------------------------------------
+  // EVM nonce management
+  // -------------------------------------------------------------------------
+  /**
+   * Get the next nonce to use for an EVM chain.
+   *
+   * Takes the on-chain nonce (from `getTransactionCount`) and returns
+   * `max(onChainNonce, localLastUsed + 1)`. This ensures that:
+   *   - Locally queued txs get incrementing nonces
+   *   - External txs (MetaMask, other wallets) are respected
+   *
+   * MUST be called while holding the chain lock.
+   */
+  getNextEvmNonce(chain, onChainNonce) {
+    const state = this.readEvmState(chain);
+    if (!state) return onChainNonce;
+    if (Date.now() - state.updatedAt > STATE_TTL_MS) return onChainNonce;
+    const localNext = BigInt(state.lastUsedNonce) + 1n;
+    return localNext > onChainNonce ? localNext : onChainNonce;
+  }
+  /**
+   * Clear persisted nonce state for a chain (e.g. when pending txs were evicted).
+   */
+  clearEvmState(chain) {
+    const filePath = path2.join(this.baseDir, `${chain}.state.json`);
+    try {
+      fs2.unlinkSync(filePath);
+    } catch {
+    }
+  }
+  /**
+   * Record that we broadcast a tx using the given nonce.
+   * For approve+swap flows, pass the HIGHEST nonce used.
+   *
+   * MUST be called while holding the chain lock (before releasing).
+   */
+  recordEvmNonce(chain, nonce) {
+    const state = {
+      lastUsedNonce: nonce.toString(),
+      updatedAt: Date.now()
+    };
+    this.writeEvmState(chain, state);
+  }
+  // -------------------------------------------------------------------------
+  // Internal helpers
+  // -------------------------------------------------------------------------
+  readEvmState(chain) {
+    const filePath = path2.join(this.baseDir, `${chain}.state.json`);
+    try {
+      const content = fs2.readFileSync(filePath, "utf8");
+      return JSON.parse(content);
+    } catch {
+      return null;
+    }
+  }
+  writeEvmState(chain, state) {
+    const filePath = path2.join(this.baseDir, `${chain}.state.json`);
+    const tmpPath = filePath + `.tmp.${process.pid}`;
+    fs2.writeFileSync(tmpPath, JSON.stringify(state, null, 2));
+    fs2.renameSync(tmpPath, filePath);
+  }
+  /**
+   * Check if a lock file is stale and remove it if so.
+   * @returns true if a stale lock was removed.
+   */
+  tryCleanStaleLock(lockPath) {
+    try {
+      const content = fs2.readFileSync(lockPath, "utf8");
+      const info2 = JSON.parse(content);
+      if (Date.now() - info2.timestamp > LOCK_STALE_MS) {
+        fs2.unlinkSync(lockPath);
+        return true;
+      }
+    } catch {
+      try {
+        const stat = fs2.statSync(lockPath);
+        if (Date.now() - stat.mtimeMs > LOCK_STALE_MS) {
+          fs2.unlinkSync(lockPath);
+          return true;
+        }
+      } catch {
+        return true;
+      }
+      return false;
+    }
+    return false;
+  }
+};
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
 // src/agent/types.ts
 var AUTO_EXECUTE_ACTIONS = /* @__PURE__ */ new Set([
   "add_chain",
@@ -4559,14 +4886,50 @@ var AUTO_EXECUTE_ACTIONS = /* @__PURE__ */ new Set([
 var PASSWORD_REQUIRED_ACTIONS = /* @__PURE__ */ new Set(["sign_tx", "sign_typed_data", "build_custom_tx"]);
 
 // src/agent/executor.ts
+var EVM_CHAINS = /* @__PURE__ */ new Set([
+  "Ethereum",
+  "BSC",
+  "Polygon",
+  "Avalanche",
+  "Arbitrum",
+  "Optimism",
+  "Base",
+  "Blast",
+  "Zksync",
+  "Mantle",
+  "CronosChain",
+  "Hyperliquid",
+  "Sei"
+]);
+var EVM_GAS_RPC = {
+  Ethereum: "https://eth.llamarpc.com",
+  BSC: "https://bsc-dataseed.binance.org",
+  Polygon: "https://polygon-rpc.com",
+  Avalanche: "https://api.avax.network/ext/bc/C/rpc",
+  Arbitrum: "https://arb1.arbitrum.io/rpc",
+  Optimism: "https://mainnet.optimism.io",
+  Base: "https://mainnet.base.org",
+  Blast: "https://rpc.blast.io",
+  Zksync: "https://mainnet.era.zksync.io",
+  Mantle: "https://rpc.mantle.xyz",
+  CronosChain: "https://cronos-evm-rpc.publicnode.com",
+  Hyperliquid: "https://rpc.hyperliquid.xyz/evm",
+  Sei: "https://evm-rpc.sei-apis.com"
+};
 var AgentExecutor = class {
   vault;
   pendingPayloads = /* @__PURE__ */ new Map();
   password = null;
   verbose;
-  constructor(vault, verbose = false) {
+  stateStore = null;
+  /** Held chain lock release functions, keyed by chain name */
+  chainLockReleases = /* @__PURE__ */ new Map();
+  constructor(vault, verbose = false, vaultId) {
     this.vault = vault;
     this.verbose = verbose;
+    if (vaultId) {
+      this.stateStore = new VaultStateStore(vaultId);
+    }
   }
   setPassword(password) {
     this.password = password;
@@ -4791,40 +5154,47 @@ var AgentExecutor = class {
     const amountStr = params.amount;
     if (!toAddress) throw new Error("Destination address is required");
     if (!amountStr) throw new Error("Amount is required");
-    const address = await this.vault.address(chain);
-    const balance = await this.vault.balance(chain, params.token_id);
-    const coin = {
-      chain,
-      address,
-      decimals: balance.decimals,
-      ticker: symbol || balance.symbol,
-      id: params.token_id
-    };
-    const amount = parseAmount(amountStr, balance.decimals);
-    const memo = params.memo;
-    const payload = await this.vault.prepareSendTx({ coin, receiver: toAddress, amount, memo });
-    this.pendingPayloads.clear();
-    const payloadId = `tx_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
-    this.pendingPayloads.set(payloadId, { payload, coin, chain, timestamp: Date.now() });
-    this.pendingPayloads.set("latest", { payload, coin, chain, timestamp: Date.now() });
-    const messageHashes = await this.vault.extractMessageHashes(payload);
-    return {
-      keysign_payload: payloadId,
-      from_chain: chain.toString(),
-      from_symbol: coin.ticker,
-      amount: amountStr,
-      sender: address,
-      destination: toAddress,
-      memo: memo || void 0,
-      message_hashes: messageHashes,
-      tx_details: {
-        chain: chain.toString(),
-        from: address,
-        to: toAddress,
+    await this.acquireEvmLockIfNeeded(chain);
+    try {
+      const address = await this.vault.address(chain);
+      const balance = await this.vault.balance(chain, params.token_id);
+      const coin = {
+        chain,
+        address,
+        decimals: balance.decimals,
+        ticker: symbol || balance.symbol,
+        id: params.token_id
+      };
+      const amount = parseAmount(amountStr, balance.decimals);
+      const memo = params.memo;
+      const payload = await this.vault.prepareSendTx({ coin, receiver: toAddress, amount, memo });
+      await this.patchEvmNonce(chain, payload);
+      const messageHashes = await this.vault.extractMessageHashes(payload);
+      this.pendingPayloads.clear();
+      const payloadId = `tx_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+      this.pendingPayloads.set(payloadId, { payload, coin, chain, timestamp: Date.now() });
+      this.pendingPayloads.set("latest", { payload, coin, chain, timestamp: Date.now() });
+      return {
+        keysign_payload: payloadId,
+        from_chain: chain.toString(),
+        from_symbol: coin.ticker,
         amount: amountStr,
-        symbol: coin.ticker
-      }
-    };
+        sender: address,
+        destination: toAddress,
+        memo: memo || void 0,
+        message_hashes: messageHashes,
+        tx_details: {
+          chain: chain.toString(),
+          from: address,
+          to: toAddress,
+          amount: amountStr,
+          symbol: coin.ticker
+        }
+      };
+    } catch (err) {
+      await this.releaseEvmLock(chain);
+      throw err;
+    }
   }
   async buildSwapTx(params) {
     if (this.verbose) process.stderr.write(`[build_swap_tx] called with params: ${JSON.stringify(params).slice(0, 500)}
@@ -4834,43 +5204,50 @@ var AgentExecutor = class {
     const fromChain = resolveChain(fromChainName);
     const toChain = toChainName ? resolveChain(toChainName) : null;
     if (!fromChain) throw new Error(`Unknown from_chain: ${fromChainName}`);
-    const amountStr = params.amount;
-    const fromSymbol = params.from_symbol || params.from_token || "";
-    const toSymbol = params.to_symbol || params.to_token || "";
-    const fromToken = params.from_contract || params.from_token_id;
-    const toToken = params.to_contract || params.to_token_id;
-    const fromCoin = { chain: fromChain, token: fromToken || void 0 };
-    const toCoin = { chain: toChain || fromChain, token: toToken || void 0 };
-    const quote = await this.vault.getSwapQuote({
-      fromCoin,
-      toCoin,
-      amount: parseFloat(amountStr)
-    });
-    const swapResult = await this.vault.prepareSwapTx({
-      fromCoin,
-      toCoin,
-      amount: parseFloat(amountStr),
-      swapQuote: quote,
-      autoApprove: true
-    });
-    const chain = fromChain;
-    const payload = swapResult.keysignPayload;
-    this.pendingPayloads.clear();
-    const payloadId = `swap_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
-    this.pendingPayloads.set(payloadId, { payload, coin: { chain, address: "", decimals: 18, ticker: fromSymbol }, chain, timestamp: Date.now() });
-    this.pendingPayloads.set("latest", { payload, coin: { chain, address: "", decimals: 18, ticker: fromSymbol }, chain, timestamp: Date.now() });
-    const messageHashes = await this.vault.extractMessageHashes(payload);
-    return {
-      keysign_payload: payloadId,
-      from_chain: fromChain.toString(),
-      to_chain: (toChain || fromChain).toString(),
-      from_symbol: fromSymbol,
-      to_symbol: toSymbol,
-      amount: amountStr,
-      estimated_output: quote.estimatedOutput?.toString(),
-      provider: quote.provider,
-      message_hashes: messageHashes
-    };
+    await this.acquireEvmLockIfNeeded(fromChain);
+    try {
+      const amountStr = params.amount;
+      const fromSymbol = params.from_symbol || params.from_token || "";
+      const toSymbol = params.to_symbol || params.to_token || "";
+      const fromToken = params.from_contract || params.from_token_id;
+      const toToken = params.to_contract || params.to_token_id;
+      const fromCoin = { chain: fromChain, token: fromToken || void 0 };
+      const toCoin = { chain: toChain || fromChain, token: toToken || void 0 };
+      const quote = await this.vault.getSwapQuote({
+        fromCoin,
+        toCoin,
+        amount: parseFloat(amountStr)
+      });
+      const swapResult = await this.vault.prepareSwapTx({
+        fromCoin,
+        toCoin,
+        amount: parseFloat(amountStr),
+        swapQuote: quote,
+        autoApprove: true
+      });
+      const chain = fromChain;
+      const payload = swapResult.keysignPayload;
+      await this.patchEvmNonce(chain, payload);
+      const messageHashes = await this.vault.extractMessageHashes(payload);
+      this.pendingPayloads.clear();
+      const payloadId = `swap_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+      this.pendingPayloads.set(payloadId, { payload, coin: { chain, address: "", decimals: 18, ticker: fromSymbol }, chain, timestamp: Date.now() });
+      this.pendingPayloads.set("latest", { payload, coin: { chain, address: "", decimals: 18, ticker: fromSymbol }, chain, timestamp: Date.now() });
+      return {
+        keysign_payload: payloadId,
+        from_chain: fromChain.toString(),
+        to_chain: (toChain || fromChain).toString(),
+        from_symbol: fromSymbol,
+        to_symbol: toSymbol,
+        amount: amountStr,
+        estimated_output: quote.estimatedOutput?.toString(),
+        provider: quote.provider,
+        message_hashes: messageHashes
+      };
+    } catch (err) {
+      await this.releaseEvmLock(fromChain);
+      throw err;
+    }
   }
   async buildTx(params) {
     if (params.function_name && params.contract_address) {
@@ -4951,6 +5328,18 @@ var AgentExecutor = class {
     }
     const { payload, chain } = stored;
     if (payload.__serverTx) {
+      if (chain === "Solana" && (payload.swap_tx || payload.provider)) {
+        try {
+          return await this.buildAndSignSolanaSwapLocally(payload);
+        } catch (e) {
+          if (e._phase === "prepare") {
+            if (this.verbose) process.stderr.write(`[sign_tx] Solana local build failed (${e.message}), falling back to signServerTx
+`);
+          } else {
+            throw e;
+          }
+        }
+      }
       return this.signServerTx(payload, chain, params);
     }
     return this.signSdkTx(payload, chain, payloadId);
@@ -4959,33 +5348,45 @@ var AgentExecutor = class {
    * Sign and broadcast an SDK-built transaction (keysign payload from local build methods).
    */
   async signSdkTx(payload, chain, _payloadId) {
-    if (this.vault.isEncrypted && !this.vault.isUnlocked?.()) {
-      if (this.password) {
-        await this.vault.unlock?.(this.password);
+    try {
+      if (this.vault.isEncrypted && !this.vault.isUnlocked?.()) {
+        if (this.password) {
+          await this.vault.unlock?.(this.password);
+        }
       }
+      await this.patchEvmGas(chain, payload);
+      const messageHashes = await this.vault.extractMessageHashes(payload);
+      const signature = await this.vault.sign(
+        {
+          transaction: payload,
+          chain: payload.coin?.chain || chain,
+          messageHashes
+        },
+        {}
+      );
+      const txHash = await this.vault.broadcastTx({
+        chain,
+        keysignPayload: payload,
+        signature
+      });
+      try {
+        this.recordEvmNonceFromPayload(chain, payload, messageHashes.length);
+      } catch (nonceErr) {
+        console.warn(`[nonce] failed to persist nonce for ${chain}:`, nonceErr);
+      }
+      await this.releaseEvmLock(chain);
+      this.pendingPayloads.clear();
+      const explorerUrl = Vultisig6.getTxExplorerUrl(chain, txHash);
+      return {
+        tx_hash: txHash,
+        chain: chain.toString(),
+        status: "pending",
+        explorer_url: explorerUrl
+      };
+    } catch (err) {
+      await this.releaseEvmLock(chain);
+      throw err;
     }
-    const messageHashes = await this.vault.extractMessageHashes(payload);
-    const signature = await this.vault.sign(
-      {
-        transaction: payload,
-        chain: payload.coin?.chain || chain,
-        messageHashes
-      },
-      {}
-    );
-    const txHash = await this.vault.broadcastTx({
-      chain,
-      keysignPayload: payload,
-      signature
-    });
-    this.pendingPayloads.clear();
-    const explorerUrl = Vultisig6.getTxExplorerUrl(chain, txHash);
-    return {
-      tx_hash: txHash,
-      chain: chain.toString(),
-      status: "pending",
-      explorer_url: explorerUrl
-    };
   }
   /**
    * Sign and broadcast a server-built transaction (raw EVM tx from tx_ready SSE).
@@ -5004,38 +5405,121 @@ var AgentExecutor = class {
     } else if (chainId) {
       chain = resolveChainId(chainId) || defaultChain;
     }
-    const address = await this.vault.address(chain);
-    const balance = await this.vault.balance(chain);
-    const coin = {
-      chain,
-      address,
-      decimals: balance.decimals || 18,
-      ticker: balance.symbol || chain.toString()
-    };
-    const amount = BigInt(swapTx.value || "0");
-    const hasCalldata = !!(swapTx.data && swapTx.data !== "0x");
-    if (this.verbose) process.stderr.write(`[sign_server_tx] chain=${chain}, to=${swapTx.to}, value=${swapTx.value}, amount=${amount}, hasCalldata=${hasCalldata}
+    await this.acquireEvmLockIfNeeded(chain);
+    try {
+      const address = await this.vault.address(chain);
+      const balance = await this.vault.balance(chain);
+      const coin = {
+        chain,
+        address,
+        decimals: balance.decimals || 18,
+        ticker: balance.symbol || chain.toString()
+      };
+      const amount = BigInt(swapTx.value || "0");
+      const hasCalldata = !!(swapTx.data && swapTx.data !== "0x");
+      if (this.verbose) process.stderr.write(`[sign_server_tx] chain=${chain}, to=${swapTx.to}, value=${swapTx.value}, amount=${amount}, hasCalldata=${hasCalldata}
+`);
+      if (this.vault.isEncrypted && !this.vault.isUnlocked?.()) {
+        if (this.password) {
+          await this.vault.unlock?.(this.password);
+        }
+      }
+      const buildAmount = amount === 0n && hasCalldata ? 1n : amount;
+      const keysignPayload = await this.vault.prepareSendTx({
+        coin,
+        receiver: swapTx.to,
+        amount: buildAmount,
+        memo: swapTx.data
+      });
+      if (amount === 0n && hasCalldata) {
+        ;
+        keysignPayload.toAmount = "0";
+      }
+      await this.patchEvmNonce(chain, keysignPayload);
+      await this.patchEvmGas(chain, keysignPayload);
+      const messageHashes = await this.vault.extractMessageHashes(keysignPayload);
+      const signature = await this.vault.sign(
+        {
+          transaction: keysignPayload,
+          chain,
+          messageHashes
+        },
+        {}
+      );
+      const txHash = await this.vault.broadcastTx({
+        chain,
+        keysignPayload,
+        signature
+      });
+      try {
+        this.recordEvmNonceFromPayload(chain, keysignPayload, messageHashes.length);
+      } catch (nonceErr) {
+        console.warn(`[nonce] failed to persist nonce for ${chain}:`, nonceErr);
+      }
+      await this.releaseEvmLock(chain);
+      this.pendingPayloads.clear();
+      const explorerUrl = Vultisig6.getTxExplorerUrl(chain, txHash);
+      return {
+        tx_hash: txHash,
+        chain: chain.toString(),
+        status: "pending",
+        explorer_url: explorerUrl
+      };
+    } catch (err) {
+      await this.releaseEvmLock(chain);
+      throw err;
+    }
+  }
+  /**
+   * Build, sign, and broadcast a Solana swap locally using the SDK's swap flow.
+   * Uses swap params from the tx_ready event to call vault.getSwapQuote → prepareSwapTx.
+   */
+  async buildAndSignSolanaSwapLocally(serverTxData) {
+    const fromChainName = serverTxData.from_chain || serverTxData.chain || "Solana";
+    const toChainName = serverTxData.to_chain;
+    const fromChain = resolveChain(fromChainName);
+    if (!fromChain) throw Object.assign(new Error(`Unknown from_chain: ${fromChainName}`), { _phase: "prepare" });
+    const toChain = toChainName ? resolveChain(toChainName) : fromChain;
+    if (!toChain) throw Object.assign(new Error(`Unknown to_chain: ${toChainName}`), { _phase: "prepare" });
+    const amountStr = serverTxData.amount;
+    if (!amountStr) throw Object.assign(new Error("Missing amount in tx_ready data for local Solana swap build"), { _phase: "prepare" });
+    const fromToken = serverTxData.from_address;
+    const toToken = serverTxData.to_address;
+    const fromDecimals = serverTxData.from_decimals;
+    if (fromDecimals == null) throw Object.assign(new Error("Missing from_decimals in tx_ready data for local Solana swap build"), { _phase: "prepare" });
+    const fromCoin = { chain: fromChain, token: fromToken || void 0 };
+    const toCoin = { chain: toChain, token: toToken || void 0 };
+    const humanAmount = Number(amountStr) / Math.pow(10, fromDecimals);
+    if (this.verbose) process.stderr.write(`[solana_local_swap] from=${fromChainName} to=${toChainName || fromChainName} amount=${amountStr}
 `);
     if (this.vault.isEncrypted && !this.vault.isUnlocked?.()) {
       if (this.password) {
         await this.vault.unlock?.(this.password);
       }
     }
-    const buildAmount = amount === 0n && hasCalldata ? 1n : amount;
-    const keysignPayload = await this.vault.prepareSendTx({
-      coin,
-      receiver: swapTx.to,
-      amount: buildAmount,
-      memo: swapTx.data
-    });
-    if (amount === 0n && hasCalldata) {
-      ;
-      keysignPayload.toAmount = "0";
+    let quote, swapResult;
+    try {
+      quote = await this.vault.getSwapQuote({
+        fromCoin,
+        toCoin,
+        amount: humanAmount
+      });
+      swapResult = await this.vault.prepareSwapTx({
+        fromCoin,
+        toCoin,
+        amount: humanAmount,
+        swapQuote: quote,
+        autoApprove: true
+      });
+    } catch (e) {
+      throw Object.assign(e, { _phase: "prepare" });
     }
-    const messageHashes = await this.vault.extractMessageHashes(keysignPayload);
+    const payload = swapResult.keysignPayload;
+    const chain = fromChain;
+    const messageHashes = await this.vault.extractMessageHashes(payload);
     const signature = await this.vault.sign(
       {
-        transaction: keysignPayload,
+        transaction: payload,
         chain,
         messageHashes
       },
@@ -5043,7 +5527,7 @@ var AgentExecutor = class {
     );
     const txHash = await this.vault.broadcastTx({
       chain,
-      keysignPayload,
+      keysignPayload: payload,
       signature
     });
     this.pendingPayloads.clear();
@@ -5056,6 +5540,147 @@ var AgentExecutor = class {
     };
   }
   // ============================================================================
+  // EVM Nonce Management
+  // ============================================================================
+  /**
+   * Acquire chain-level file lock if the chain is EVM.
+   * Releases any previously held lock first (e.g. from an abandoned build).
+   */
+  async acquireEvmLockIfNeeded(chain) {
+    if (!this.stateStore || !EVM_CHAINS.has(chain)) return;
+    await this.releaseEvmLock(chain);
+    const release = await this.stateStore.acquireChainLock(chain);
+    this.chainLockReleases.set(chain, release);
+    if (this.verbose) process.stderr.write(`[nonce] Acquired lock for ${chain}
+`);
+  }
+  /**
+   * Release the held chain lock (no-op if not held).
+   */
+  async releaseEvmLock(chain) {
+    const release = this.chainLockReleases.get(chain);
+    if (release) {
+      await release();
+      this.chainLockReleases.delete(chain);
+      if (this.verbose) process.stderr.write(`[nonce] Released lock for ${chain}
+`);
+    }
+  }
+  /**
+   * Patch the EVM nonce in a keysign payload if our local state is ahead of on-chain.
+   * The payload's blockchainSpecific.ethereumSpecific.nonce was set from RPC during
+   * prepareSendTx(). If we have locally-tracked pending txs, we override with a higher value.
+   *
+   * Also detects evicted txs: if local state claims a higher nonce but there are
+   * no pending txs in the mempool (pending == latest), the intermediate txs were
+   * dropped and local state is stale.
+   */
+  async patchEvmNonce(chain, payload) {
+    if (!this.stateStore || !EVM_CHAINS.has(chain)) return;
+    const bs = payload.blockchainSpecific;
+    if (!bs || bs.case !== "ethereumSpecific") return;
+    const rpcNonce = bs.value.nonce;
+    const nextNonce = this.stateStore.getNextEvmNonce(chain, rpcNonce);
+    if (nextNonce !== rpcNonce) {
+      const pendingNonce = await this.fetchEvmPendingNonce(chain);
+      if (pendingNonce !== null && pendingNonce === rpcNonce) {
+        if (this.verbose) process.stderr.write(`[nonce] Stale local state for ${chain}: local=${nextNonce}, on-chain=${rpcNonce}, no pending txs \u2014 using on-chain nonce
+`);
+        this.stateStore.clearEvmState(chain);
+        return;
+      }
+      const nonceGap = nextNonce - rpcNonce;
+      if (pendingNonce === null && nonceGap > 3n) {
+        if (this.verbose) process.stderr.write(`[nonce] Large nonce gap for ${chain} (${nonceGap}) and couldn't verify pending txs \u2014 using on-chain nonce ${rpcNonce}
+`);
+        this.stateStore.clearEvmState(chain);
+        return;
+      }
+      bs.value.nonce = nextNonce;
+      if (this.verbose) process.stderr.write(`[nonce] Patched ${chain} nonce: ${rpcNonce} \u2192 ${nextNonce}
+`);
+    }
+  }
+  /**
+   * Ensure the keysign payload's maxFeePerGas covers current network base fee.
+   * Re-fetches latest base fee from RPC and bumps maxFeePerGas if it's too low.
+   * Compensates for gas price drift between build time and sign time.
+   */
+  async patchEvmGas(chain, payload) {
+    if (!EVM_CHAINS.has(chain)) return;
+    const bs = payload.blockchainSpecific;
+    if (!bs || bs.case !== "ethereumSpecific") return;
+    const rpcUrl = EVM_GAS_RPC[chain];
+    if (!rpcUrl) return;
+    try {
+      const res = await fetch(rpcUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          method: "eth_getBlockByNumber",
+          params: ["latest", false],
+          id: 1
+        }),
+        signal: AbortSignal.timeout(5e3)
+      });
+      const data = await res.json();
+      const baseFee = BigInt(data.result?.baseFeePerGas || "0");
+      if (baseFee === 0n) return;
+      const currentPriorityFee = BigInt(bs.value.priorityFee || "0");
+      const currentMaxFee = BigInt(bs.value.maxFeePerGasWei || "0");
+      const minMaxFee = baseFee * 25n / 10n + currentPriorityFee;
+      if (currentMaxFee < minMaxFee) {
+        bs.value.maxFeePerGasWei = minMaxFee.toString();
+        if (this.verbose) process.stderr.write(`[gas] Bumped ${chain} maxFeePerGas: ${currentMaxFee} \u2192 ${minMaxFee} (baseFee=${baseFee})
+`);
+      }
+    } catch {
+      if (this.verbose) process.stderr.write(`[gas] Failed to refresh base fee for ${chain}, keeping original
+`);
+    }
+  }
+  /**
+   * Fetch the pending nonce from RPC (eth_getTransactionCount with "pending" tag).
+   * Returns null if the RPC call fails (non-fatal).
+   */
+  async fetchEvmPendingNonce(chain) {
+    const rpcUrl = EVM_GAS_RPC[chain];
+    if (!rpcUrl) return null;
+    try {
+      const address = await this.vault.address(chain);
+      const res = await fetch(rpcUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          method: "eth_getTransactionCount",
+          params: [address, "pending"],
+          id: 1
+        }),
+        signal: AbortSignal.timeout(5e3)
+      });
+      const data = await res.json();
+      return BigInt(data.result || "0");
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Record the nonce(s) used after a successful broadcast.
+   * For approve+swap flows with N message hashes, the highest nonce used is base + N - 1.
+   */
+  recordEvmNonceFromPayload(chain, payload, numTxs) {
+    if (!this.stateStore || !EVM_CHAINS.has(chain)) return;
+    const bs = payload.blockchainSpecific;
+    if (!bs || bs.case !== "ethereumSpecific") return;
+    const baseNonce = bs.value.nonce;
+    const highestNonce = baseNonce + BigInt(Math.max(0, numTxs - 1));
+    this.stateStore.recordEvmNonce(chain, highestNonce);
+    if (this.verbose) process.stderr.write(`[nonce] Recorded ${chain} nonce: ${highestNonce}
+`);
+  }
+  // ============================================================================
   // EIP-712 Typed Data Signing
   // ============================================================================
   /**
@@ -5636,9 +6261,9 @@ var PipeInterface = class {
 };
 
 // src/agent/session.ts
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { homedir } from "node:os";
-import { join } from "node:path";
+import { existsSync, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { join as join2 } from "node:path";
 var AgentSession = class {
   client;
   vault;
@@ -5654,7 +6279,7 @@ var AgentSession = class {
     this.config = config;
     this.client = new AgentClient(config.backendUrl);
     this.client.verbose = !!config.verbose;
-    this.executor = new AgentExecutor(vault, !!config.verbose);
+    this.executor = new AgentExecutor(vault, !!config.verbose, vault.publicKeys.ecdsa);
     this.publicKey = vault.publicKeys.ecdsa;
     if (config.password) {
       this.executor.setPassword(config.password);
@@ -5709,7 +6334,7 @@ var AgentSession = class {
       const conv = await this.client.createConversation(this.publicKey);
       this.conversationId = conv.id;
     }
-    this.cachedContext = await buildMessageContext(this.vault);
+    this.cachedContext = this.config.viaAgent || this.config.askMode ? await buildMinimalContext(this.vault) : await buildMessageContext(this.vault);
   }
   getConversationId() {
     return this.conversationId;
@@ -5736,7 +6361,7 @@ var AgentSession = class {
     }
     this.abortController = new AbortController();
     try {
-      this.cachedContext = await buildMessageContext(this.vault);
+      this.cachedContext = this.config.viaAgent || this.config.askMode ? await buildMinimalContext(this.vault) : await buildMessageContext(this.vault);
     } catch {
     }
     try {
@@ -5765,6 +6390,9 @@ var AgentSession = class {
       public_key: this.publicKey,
       context: this.cachedContext
     };
+    if (this.config.viaAgent || this.config.askMode) {
+      request.via_agent = true;
+    }
     if (content) {
       request.content = content;
     }
@@ -5798,6 +6426,12 @@ var AgentSession = class {
           ui.onSuggestions(suggestions);
         },
         onTxReady: (tx) => {
+          const txData = tx?.swap_tx || tx?.send_tx || tx?.tx;
+          if (txData?.status === "error" || txData?.error) {
+            if (this.config.verbose) process.stderr.write(`[session] skipping error tx_ready: ${txData.error || "unknown error"}
+`);
+            return;
+          }
           this.executor.storeServerTransaction(tx);
           if (this.config.password) {
             this.executor.setPassword(this.config.password);
@@ -5959,23 +6593,23 @@ function parseInlineToolCalls(text) {
   return actions;
 }
 function getTokenCachePath() {
-  const dir = process.env.VULTISIG_CONFIG_DIR ?? join(homedir(), ".vultisig");
-  return join(dir, "agent-tokens.json");
+  const dir = process.env.VULTISIG_CONFIG_DIR ?? join2(homedir2(), ".vultisig");
+  return join2(dir, "agent-tokens.json");
 }
 function readTokenStore() {
   try {
-    const path3 = getTokenCachePath();
-    if (!existsSync(path3)) return {};
-    return JSON.parse(readFileSync(path3, "utf-8"));
+    const path4 = getTokenCachePath();
+    if (!existsSync(path4)) return {};
+    return JSON.parse(readFileSync2(path4, "utf-8"));
   } catch {
     return {};
   }
 }
 function writeTokenStore(store) {
-  const path3 = getTokenCachePath();
-  const dir = join(path3, "..");
-  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-  writeFileSync(path3, JSON.stringify(store, null, 2), { mode: 384 });
+  const path4 = getTokenCachePath();
+  const dir = join2(path4, "..");
+  if (!existsSync(dir)) mkdirSync2(dir, { recursive: true });
+  writeFileSync2(path4, JSON.stringify(store, null, 2), { mode: 384 });
 }
 function loadCachedToken(publicKey) {
   const store = readTokenStore();
@@ -6353,6 +6987,68 @@ async function executeAgent(ctx2, options) {
     }
   }
 }
+async function executeAgentAsk(ctx2, message, options) {
+  setSilentMode(true);
+  const originalConsoleLog = console.log;
+  console.log = (...args) => {
+    process.stderr.write(args.map(String).join(" ") + "\n");
+  };
+  try {
+    const vault = await ctx2.ensureActiveVault();
+    const config = {
+      backendUrl: options.backendUrl || process.env.VULTISIG_AGENT_URL || "http://localhost:9998",
+      vaultName: vault.name,
+      password: options.password,
+      sessionId: options.session,
+      verbose: options.verbose,
+      askMode: true
+    };
+    const session = new AgentSession(vault, config);
+    const ask = new AskInterface(session, !!config.verbose);
+    const callbacks = ask.getCallbacks();
+    await session.initialize(callbacks);
+    const result = await ask.ask(message);
+    if (options.json) {
+      process.stdout.write(
+        JSON.stringify({
+          session_id: result.sessionId,
+          response: result.response,
+          tool_calls: result.toolCalls,
+          transactions: result.transactions
+        }) + "\n"
+      );
+    } else {
+      process.stdout.write(`session:${result.sessionId}
+`);
+      if (result.response) {
+        process.stdout.write(`
+${result.response}
+`);
+      }
+      for (const tx of result.transactions) {
+        process.stdout.write(`
+tx:${tx.chain}:${tx.hash}
+`);
+        if (tx.explorerUrl) {
+          process.stdout.write(`explorer:${tx.explorerUrl}
+`);
+        }
+      }
+    }
+  } catch (err) {
+    if (options.json) {
+      process.stdout.write(JSON.stringify({ error: err.message }) + "\n");
+    } else {
+      process.stderr.write(`Error: ${err.message}
+`);
+    }
+    process.exit(1);
+  } finally {
+    console.log = originalConsoleLog;
+    setSilentMode(false);
+  }
+  process.exit(0);
+}
 async function executeAgentSessionsList(ctx2, options) {
   const vault = await ctx2.ensureActiveVault();
   const backendUrl = options.backendUrl || process.env.VULTISIG_AGENT_URL || "http://localhost:9998";
@@ -6429,8 +7125,8 @@ function formatDate(iso) {
 
 // src/interactive/completer.ts
 import { Chain as Chain10 } from "@vultisig/sdk";
-import fs2 from "fs";
-import path2 from "path";
+import fs3 from "fs";
+import path3 from "path";
 var COMMANDS = [
   // Vault management
   "vaults",
@@ -6525,28 +7221,28 @@ function createCompleter(ctx2) {
 }
 function completeFilePath(partial, filterVult) {
   try {
-    const endsWithSeparator = partial.endsWith("/") || partial.endsWith(path2.sep);
+    const endsWithSeparator = partial.endsWith("/") || partial.endsWith(path3.sep);
     let dir;
     let basename;
     if (endsWithSeparator) {
       dir = partial;
       basename = "";
     } else {
-      dir = path2.dirname(partial);
-      basename = path2.basename(partial);
-      if (fs2.existsSync(partial) && fs2.statSync(partial).isDirectory()) {
+      dir = path3.dirname(partial);
+      basename = path3.basename(partial);
+      if (fs3.existsSync(partial) && fs3.statSync(partial).isDirectory()) {
         dir = partial;
         basename = "";
       }
     }
-    const resolvedDir = path2.resolve(dir);
-    if (!fs2.existsSync(resolvedDir) || !fs2.statSync(resolvedDir).isDirectory()) {
+    const resolvedDir = path3.resolve(dir);
+    if (!fs3.existsSync(resolvedDir) || !fs3.statSync(resolvedDir).isDirectory()) {
       return [[], partial];
     }
-    const files = fs2.readdirSync(resolvedDir);
+    const files = fs3.readdirSync(resolvedDir);
     const matches = files.filter((file) => file.startsWith(basename)).map((file) => {
-      const fullPath = path2.join(dir, file);
-      const stats = fs2.statSync(path2.join(resolvedDir, file));
+      const fullPath = path3.join(dir, file);
+      const stats = fs3.statSync(path3.join(resolvedDir, file));
       if (stats.isDirectory()) {
         return fullPath + "/";
       }
@@ -7825,19 +8521,19 @@ import chalk13 from "chalk";
 
 // src/lib/version.ts
 import chalk14 from "chalk";
-import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2, existsSync as existsSync2 } from "fs";
-import { homedir as homedir2 } from "os";
-import { join as join2 } from "path";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, existsSync as existsSync2 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
 var cachedVersion = null;
 function getVersion() {
   if (cachedVersion) return cachedVersion;
   if (true) {
-    cachedVersion = "0.8.0";
+    cachedVersion = "0.10.0";
     return cachedVersion;
   }
   try {
     const packagePath = new URL("../../package.json", import.meta.url);
-    const pkg = JSON.parse(readFileSync2(packagePath, "utf-8"));
+    const pkg = JSON.parse(readFileSync3(packagePath, "utf-8"));
     cachedVersion = pkg.version;
     return cachedVersion;
   } catch {
@@ -7845,13 +8541,13 @@ function getVersion() {
     return cachedVersion;
   }
 }
-var CACHE_DIR = join2(homedir2(), ".vultisig", "cache");
-var VERSION_CACHE_FILE = join2(CACHE_DIR, "version-check.json");
+var CACHE_DIR = join3(homedir3(), ".vultisig", "cache");
+var VERSION_CACHE_FILE = join3(CACHE_DIR, "version-check.json");
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
 function readVersionCache() {
   try {
     if (!existsSync2(VERSION_CACHE_FILE)) return null;
-    const data = readFileSync2(VERSION_CACHE_FILE, "utf-8");
+    const data = readFileSync3(VERSION_CACHE_FILE, "utf-8");
     return JSON.parse(data);
   } catch {
     return null;
@@ -7860,9 +8556,9 @@ function readVersionCache() {
 function writeVersionCache(cache) {
   try {
     if (!existsSync2(CACHE_DIR)) {
-      mkdirSync2(CACHE_DIR, { recursive: true });
+      mkdirSync3(CACHE_DIR, { recursive: true });
     }
-    writeFileSync2(VERSION_CACHE_FILE, JSON.stringify(cache, null, 2));
+    writeFileSync3(VERSION_CACHE_FILE, JSON.stringify(cache, null, 2));
   } catch {
   }
 }
@@ -7967,9 +8663,9 @@ function getUpdateCommand() {
 }
 
 // src/lib/completion.ts
-import { homedir as homedir3 } from "os";
-import { join as join3 } from "path";
-import { readFileSync as readFileSync3, existsSync as existsSync3 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join4 } from "path";
+import { readFileSync as readFileSync4, existsSync as existsSync3 } from "fs";
 var tabtab = null;
 async function getTabtab() {
   if (!tabtab) {
@@ -8034,7 +8730,7 @@ var CHAINS = [
 ];
 function getVaultNames() {
   try {
-    const vaultDir = join3(homedir3(), ".vultisig", "vaults");
+    const vaultDir = join4(homedir4(), ".vultisig", "vaults");
     if (!existsSync3(vaultDir)) return [];
     const { readdirSync } = __require("fs");
     const files = readdirSync(vaultDir);
@@ -8042,7 +8738,7 @@ function getVaultNames() {
     for (const file of files) {
       if (file.startsWith("vault:") && file.endsWith(".json")) {
         try {
-          const content = readFileSync3(join3(vaultDir, file), "utf-8");
+          const content = readFileSync4(join4(vaultDir, file), "utf-8");
           const vault = JSON.parse(content);
           if (vault.name) names.push(vault.name);
           if (vault.id) names.push(vault.id);
@@ -8365,10 +9061,10 @@ createCmd.command("secure").description("Create a secure vault (multi-device MPC
     });
   })
 );
-program.command("import <file>").description("Import vault from .vult file").action(
-  withExit(async (file) => {
+program.command("import <file>").description("Import vault from .vult file").option("--password <password>", "Password to decrypt the vault file").action(
+  withExit(async (file, options) => {
     const context = await init(program.opts().vault);
-    await executeImport(context, file);
+    await executeImport(context, file, options.password);
   })
 );
 var createFromSeedphraseCmd = program.command("create-from-seedphrase").description("Create vault from BIP39 seedphrase");
@@ -8485,7 +9181,7 @@ joinCmd.command("secure").description("Join a SecureVault creation session").opt
       const context = await init(program.opts().vault);
       let qrPayload = options.qr;
       if (!qrPayload && options.qrFile) {
-        qrPayload = (await fs3.readFile(options.qrFile, "utf-8")).trim();
+        qrPayload = (await fs4.readFile(options.qrFile, "utf-8")).trim();
       }
       if (!qrPayload) {
         qrPayload = await promptQrPayload();
@@ -8635,10 +9331,10 @@ program.command("discount").description("Show your VULT discount tier for swap f
   })
 );
 program.command("export [path]").description("Export vault to file").option("--password <password>", "Password to unlock the vault (for encrypted vaults)").option("--exportPassword <password>", "Password to encrypt the exported file (defaults to --password)").action(
-  withExit(async (path3, options) => {
+  withExit(async (path4, options) => {
     const context = await init(program.opts().vault, options.password);
     await executeExport(context, {
-      outputPath: path3,
+      outputPath: path4,
       password: options.password,
       exportPassword: options.exportPassword
     });
@@ -8856,6 +9552,21 @@ var agentCmd = program.command("agent").description("AI-powered chat interface f
     sessionId: options.sessionId
   });
 });
+agentCmd.command("ask <message>").description("Send a single message and get the response (for AI agent integration)").option("--session <id>", "Continue an existing conversation").option("--backend-url <url>", "Agent backend URL (default: http://localhost:9998)").option("--password <password>", "Vault password for signing operations").option("--verbose", "Show tool calls and debug info on stderr").option("--json", "Output structured JSON instead of text").action(
+  async (message, options) => {
+    const parentOpts = agentCmd.opts();
+    const context = await init(
+      program.opts().vault,
+      options.password || parentOpts.password
+    );
+    await executeAgentAsk(context, message, {
+      ...options,
+      backendUrl: options.backendUrl || parentOpts.backendUrl,
+      password: options.password || parentOpts.password,
+      verbose: options.verbose || parentOpts.verbose
+    });
+  }
+);
 var sessionsCmd = agentCmd.command("sessions").description("Manage agent chat sessions");
 sessionsCmd.command("list").description("List chat sessions for the current vault").option("--backend-url <url>", "Agent backend URL (default: http://localhost:9998)").option("--password <password>", "Vault password for authentication").action(
   withExit(async (options) => {