npm - @vultisig/cli - Versions diffs - 0.8.0 → 0.9.0 - Mend

@vultisig/cli 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -1432,7 +1432,7 @@ var init_sha3 = __esm({
 // src/index.ts
 import "dotenv/config";
-import { promises as fs3 } from "node:fs";
+import { promises as fs4 } from "node:fs";
 import { parseKeygenQR, Vultisig as Vultisig7 } from "@vultisig/sdk";
 import chalk15 from "chalk";
 import { program } from "commander";
@@ -1517,6 +1517,9 @@ import chalk from "chalk";
 import ora from "ora";
 var silentMode = false;
 var outputFormat = "table";
+function setSilentMode(silent) {
+  silentMode = silent;
+}
 function isSilent() {
   return silentMode;
 }
@@ -1852,6 +1855,11 @@ function displayVaultInfo(vault) {
   printResult(chalk2.bold("\nPublic Keys:"));
   printResult(`  ECDSA:         ${vault.publicKeys.ecdsa.substring(0, 20)}...`);
   printResult(`  EdDSA:         ${vault.publicKeys.eddsa.substring(0, 20)}...`);
+  if (vault.publicKeyMldsa) {
+    printResult(`  ML-DSA-44:     ${vault.publicKeyMldsa.substring(0, 20)}...`);
+  } else {
+    printResult(`  ML-DSA-44:     ${chalk2.gray("Not available")}`);
+  }
   printResult(`  Chain Code:    ${vault.hexChainCode.substring(0, 20)}...
 `);
 }
@@ -2480,8 +2488,9 @@ Or use this URL: ${qrPayload}
     });
   }
   try {
+    const cosmosChain = params.chain;
     const coin = {
-      chain: params.chain,
+      chain: cosmosChain,
       address,
       decimals: 8,
       // THORChain uses 8 decimals
@@ -2501,7 +2510,7 @@ Or use this URL: ${qrPayload}
       gas: chainConfig.gasLimit
     };
     const keysignPayload = await vault.prepareSignAminoTx({
-      chain: params.chain,
+      chain: cosmosChain,
       coin,
       msgs: [executeContractMsg],
       fee,
@@ -2511,7 +2520,7 @@ Or use this URL: ${qrPayload}
     const signature = await vault.sign(
       {
         transaction: keysignPayload,
-        chain: params.chain,
+        chain: cosmosChain,
         messageHashes
       },
       { signal: params.signal }
@@ -2519,7 +2528,7 @@ Or use this URL: ${qrPayload}
     signSpinner.succeed("Transaction signed");
     const broadcastSpinner = createSpinner("Broadcasting transaction...");
     const txHash = await vault.broadcastTx({
-      chain: params.chain,
+      chain: cosmosChain,
       keysignPayload,
       signature
     });
@@ -2603,7 +2612,8 @@ Or use this URL: ${qrPayload}
     const result = {
       signature: sigBase64,
       recovery: signature.recovery,
-      format: signature.format
+      format: signature.format,
+      mldsaSignature: signature.mldsaSignature
     };
     if (isJsonOutput()) {
       outputJson(result);
@@ -2613,6 +2623,9 @@ Or use this URL: ${qrPayload}
         printResult(`Recovery: ${result.recovery}`);
       }
       printResult(`Format: ${result.format}`);
+      if (result.mldsaSignature) {
+        printResult(`ML-DSA-44 Signature: ${result.mldsaSignature.substring(0, 40)}...`);
+      }
     }
     return result;
   } finally {
@@ -2733,7 +2746,11 @@ function withAbortSignal(promise, signal) {
   ]);
 }
 async function executeCreateFast(ctx2, options) {
-  const { name, password, email, signal, twoStep } = options;
+  const twoStep = options.twoStep || !process.stdin.isTTY;
+  const { name, password, email, signal } = options;
+  if (!options.twoStep && twoStep) {
+    info("Non-interactive terminal detected. Using --two-step mode automatically.");
+  }
   const spinner = createSpinner("Creating vault...");
   const vaultId = await withAbortSignal(
     ctx2.sdk.createFastVault({
@@ -2749,6 +2766,16 @@ async function executeCreateFast(ctx2, options) {
   );
   spinner.succeed(`Vault keys generated: ${name}`);
   if (twoStep) {
+    if (isJsonOutput()) {
+      outputJson({
+        vaultId,
+        status: "pending_verification",
+        message: "Vault created. Verify with email OTP to activate.",
+        verifyCommand: `vultisig verify ${vaultId} --code <OTP>`,
+        resendCommand: `vultisig verify ${vaultId} --resend --email ${email} --password <password>`
+      });
+      return void 0;
+    }
     success("\n+ Vault created and saved to disk (pending verification)");
     info(`
 Vault ID: ${vaultId}`);
@@ -2897,15 +2924,19 @@ Important: Save your vault backup file (.vult) in a secure location.`);
     throw err;
   }
 }
-async function executeImport(ctx2, file) {
-  const { password } = await inquirer4.prompt([
-    {
-      type: "password",
-      name: "password",
-      message: "Enter vault password (if encrypted):",
-      mask: "*"
-    }
-  ]);
+async function executeImport(ctx2, file, flagPassword) {
+  let password = flagPassword || process.env.VAULT_PASSWORD || "";
+  if (!password) {
+    const answers = await inquirer4.prompt([
+      {
+        type: "password",
+        name: "password",
+        message: "Enter vault password (if encrypted):",
+        mask: "*"
+      }
+    ]);
+    password = answers.password;
+  }
   const spinner = createSpinner("Importing vault...");
   const vultContent = await fs.readFile(file, "utf-8");
   const vault = await ctx2.sdk.importVault(vultContent, password || void 0);
@@ -2973,11 +3004,25 @@ async function executeVerify(ctx2, vaultId, options = {}) {
     spinner.succeed("Vault verified successfully!");
     setupVaultEvents(vault);
     await ctx2.setActiveVault(vault);
+    if (isJsonOutput()) {
+      outputJson({
+        verified: true,
+        vault: { id: vaultId, name: vault.name, type: "fast" }
+      });
+      return true;
+    }
     success(`
 + Vault "${vault.name}" is now ready to use!`);
     return true;
   } catch (err) {
     spinner.fail("Verification failed");
+    if (isJsonOutput()) {
+      outputJson({
+        verified: false,
+        error: err.message || "Verification failed. Please check the code and try again."
+      });
+      return false;
+    }
     error(`
 \u2717 ${err.message || "Verification failed. Please check the code and try again."}`);
     warn("\nTip: Use --resend to get a new verification code:");
@@ -3058,10 +3103,28 @@ async function executeVaults(ctx2) {
 }
 async function executeSwitch(ctx2, vaultId) {
   const spinner = createSpinner("Loading vault...");
-  const vault = await ctx2.sdk.getVaultById(vaultId);
+  let vault = await ctx2.sdk.getVaultById(vaultId);
+  if (!vault) {
+    const allVaults = await ctx2.sdk.listVaults();
+    const byName = allVaults.filter((v) => v.name.toLowerCase() === vaultId.toLowerCase());
+    if (byName.length === 1) {
+      vault = await ctx2.sdk.getVaultById(byName[0].id);
+    } else if (byName.length > 1) {
+      spinner.fail("Ambiguous vault name");
+      throw new Error(`Multiple vaults match name "${vaultId}". Use the full vault ID instead.`);
+    } else {
+      const byPrefix = allVaults.filter((v) => v.id.startsWith(vaultId));
+      if (byPrefix.length === 1) {
+        vault = await ctx2.sdk.getVaultById(byPrefix[0].id);
+      } else if (byPrefix.length > 1) {
+        spinner.fail("Ambiguous vault ID prefix");
+        throw new Error(`Multiple vaults match prefix "${vaultId}". Use a longer prefix or the full ID.`);
+      }
+    }
+  }
   if (!vault) {
     spinner.fail("Vault not found");
-    throw new Error(`No vault found with ID: ${vaultId}`);
+    throw new Error(`No vault found matching: ${vaultId}`);
   }
   await ctx2.setActiveVault(vault);
   setupVaultEvents(vault);
@@ -3103,6 +3166,7 @@ async function executeInfo(ctx2) {
         publicKeys: {
           ecdsa: vault.publicKeys.ecdsa,
           eddsa: vault.publicKeys.eddsa,
+          ...vault.publicKeyMldsa ? { mldsa: vault.publicKeyMldsa } : {},
           chainCode: vault.hexChainCode
         }
       }
@@ -4101,6 +4165,89 @@ function displayDiscountTier(tierInfo) {
 import chalk9 from "chalk";
 import Table from "cli-table3";
+// src/agent/ask.ts
+var AskInterface = class {
+  session;
+  verbose;
+  responseParts = [];
+  toolCalls = [];
+  transactions = [];
+  constructor(session, verbose = false) {
+    this.session = session;
+    this.verbose = verbose;
+  }
+  /**
+   * Get UI callbacks that silently collect results.
+   * Tool progress is logged to stderr in verbose mode.
+   */
+  getCallbacks() {
+    return {
+      onTextDelta: (_delta) => {
+      },
+      onToolCall: (_id, action, params) => {
+        if (this.verbose) {
+          const paramStr = params ? ` ${JSON.stringify(params)}` : "";
+          process.stderr.write(`[tool] ${action}${paramStr} ...
+`);
+        }
+      },
+      onToolResult: (_id, action, success2, data, error2) => {
+        this.toolCalls.push({ action, success: success2, data, error: error2 });
+        if (this.verbose) {
+          const status = success2 ? "ok" : `error: ${error2}`;
+          process.stderr.write(`[tool] ${action}: ${status}
+`);
+        }
+      },
+      onAssistantMessage: (content) => {
+        if (content) {
+          this.responseParts.push(content);
+        }
+      },
+      onSuggestions: (_suggestions) => {
+      },
+      onTxStatus: (txHash, chain, _status, explorerUrl) => {
+        this.transactions.push({ hash: txHash, chain, explorerUrl });
+        if (this.verbose) {
+          process.stderr.write(`[tx] ${chain}: ${txHash}
+`);
+        }
+      },
+      onError: (message) => {
+        process.stderr.write(`[error] ${message}
+`);
+      },
+      onDone: () => {
+      },
+      requestPassword: async () => {
+        throw new Error(
+          "Password required but not provided. Use --password flag."
+        );
+      },
+      requestConfirmation: async (_message) => {
+        return true;
+      }
+    };
+  }
+  /**
+   * Send a message and wait for the complete response.
+   * All tool calls and actions are executed automatically.
+   */
+  async ask(message) {
+    this.responseParts = [];
+    this.toolCalls = [];
+    this.transactions = [];
+    const callbacks = this.getCallbacks();
+    await this.session.sendMessage(message, callbacks);
+    return {
+      sessionId: this.session.getConversationId() || "",
+      response: this.responseParts[this.responseParts.length - 1] || "",
+      toolCalls: this.toolCalls,
+      transactions: this.transactions
+    };
+  }
+};
 // src/agent/auth.ts
 init_sha3();
 import { randomBytes } from "node:crypto";
@@ -4376,8 +4523,8 @@ var AgentClient = class {
   // ============================================================================
   // Private helpers
   // ============================================================================
-  async post(path3, body) {
-    const res = await fetch(`${this.baseUrl}${path3}`, {
+  async post(path4, body) {
+    const res = await fetch(`${this.baseUrl}${path4}`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -4391,8 +4538,8 @@ var AgentClient = class {
     }
     return await res.json();
   }
-  async delete(path3, body) {
-    const res = await fetch(`${this.baseUrl}${path3}`, {
+  async delete(path4, body) {
+    const res = await fetch(`${this.baseUrl}${path4}`, {
       method: "DELETE",
       headers: {
         "Content-Type": "application/json",
@@ -4412,7 +4559,8 @@ import { Chain as Chain8 } from "@vultisig/sdk";
 async function buildMessageContext(vault) {
   const context = {
     vault_address: vault.publicKeys.ecdsa,
-    vault_name: vault.name
+    vault_name: vault.name,
+    mldsa_public_key: vault.publicKeyMldsa
   };
   try {
     const chains = vault.chains;
@@ -4472,6 +4620,30 @@ async function buildMessageContext(vault) {
   }
   return context;
 }
+async function buildMinimalContext(vault) {
+  const context = {
+    vault_address: vault.publicKeys.ecdsa,
+    vault_name: vault.name
+  };
+  try {
+    const chains = vault.chains;
+    const addressEntries = await Promise.allSettled(
+      chains.map(async (chain) => ({
+        chain: chain.toString(),
+        address: await vault.address(chain)
+      }))
+    );
+    const addresses = {};
+    for (const result of addressEntries) {
+      if (result.status === "fulfilled") {
+        addresses[result.value.chain] = result.value.address;
+      }
+    }
+    context.addresses = addresses;
+  } catch {
+  }
+  return context;
+}
 function getNativeTokenTicker(chain) {
   const tickers = {
     [Chain8.Ethereum]: "ETH",
@@ -4532,6 +4704,161 @@ function getNativeTokenDecimals(chain) {
 // src/agent/executor.ts
 import { Chain as Chain9, Vultisig as Vultisig6 } from "@vultisig/sdk";
+// src/core/VaultStateStore.ts
+import * as fs2 from "node:fs";
+import * as os from "node:os";
+import * as path2 from "node:path";
+var LOCK_STALE_MS = 6e4;
+var LOCK_RETRY_INIT_MS = 100;
+var LOCK_MAX_WAIT_MS = 3e4;
+var STATE_TTL_MS = 10 * 6e4;
+var VaultStateStore = class {
+  baseDir;
+  constructor(vaultId) {
+    const safeId = vaultId.replace(/[^a-zA-Z0-9]/g, "").slice(0, 40);
+    if (!safeId) {
+      throw new Error("Invalid vaultId: must contain alphanumeric characters");
+    }
+    this.baseDir = path2.join(os.homedir(), ".vultisig", "vault-state", safeId);
+    fs2.mkdirSync(this.baseDir, { recursive: true });
+  }
+  // -------------------------------------------------------------------------
+  // Chain-level locking
+  // -------------------------------------------------------------------------
+  /**
+   * Acquire an exclusive file lock for the given chain.
+   * Blocks (with exponential backoff) until the lock is available or timeout.
+   *
+   * @returns A release function — caller MUST call it when done.
+   */
+  async acquireChainLock(chain) {
+    const lockPath = path2.join(this.baseDir, `${chain}.lock`);
+    const startTime = Date.now();
+    let delay = LOCK_RETRY_INIT_MS;
+    while (true) {
+      try {
+        const fd = fs2.openSync(lockPath, "wx");
+        const lockToken = `${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        const info2 = { pid: process.pid, timestamp: Date.now(), token: lockToken };
+        fs2.writeSync(fd, JSON.stringify(info2));
+        fs2.closeSync(fd);
+        return async () => {
+          try {
+            const content = fs2.readFileSync(lockPath, "utf8");
+            const current = JSON.parse(content);
+            if (current.token === lockToken) {
+              fs2.unlinkSync(lockPath);
+            }
+          } catch {
+          }
+        };
+      } catch (err) {
+        if (err.code !== "EEXIST") throw err;
+        if (this.tryCleanStaleLock(lockPath)) {
+          continue;
+        }
+        if (Date.now() - startTime > LOCK_MAX_WAIT_MS) {
+          throw new Error(
+            `Timeout after ${LOCK_MAX_WAIT_MS}ms waiting for ${chain} chain lock. Another process may be stuck. Lock file: ${lockPath}`
+          );
+        }
+        await sleep2(delay);
+        delay = Math.min(delay * 1.5, 2e3);
+      }
+    }
+  }
+  // -------------------------------------------------------------------------
+  // EVM nonce management
+  // -------------------------------------------------------------------------
+  /**
+   * Get the next nonce to use for an EVM chain.
+   *
+   * Takes the on-chain nonce (from `getTransactionCount`) and returns
+   * `max(onChainNonce, localLastUsed + 1)`. This ensures that:
+   *   - Locally queued txs get incrementing nonces
+   *   - External txs (MetaMask, other wallets) are respected
+   *
+   * MUST be called while holding the chain lock.
+   */
+  getNextEvmNonce(chain, onChainNonce) {
+    const state = this.readEvmState(chain);
+    if (!state) return onChainNonce;
+    if (Date.now() - state.updatedAt > STATE_TTL_MS) return onChainNonce;
+    const localNext = BigInt(state.lastUsedNonce) + 1n;
+    return localNext > onChainNonce ? localNext : onChainNonce;
+  }
+  /**
+   * Clear persisted nonce state for a chain (e.g. when pending txs were evicted).
+   */
+  clearEvmState(chain) {
+    const filePath = path2.join(this.baseDir, `${chain}.state.json`);
+    try {
+      fs2.unlinkSync(filePath);
+    } catch {
+    }
+  }
+  /**
+   * Record that we broadcast a tx using the given nonce.
+   * For approve+swap flows, pass the HIGHEST nonce used.
+   *
+   * MUST be called while holding the chain lock (before releasing).
+   */
+  recordEvmNonce(chain, nonce) {
+    const state = {
+      lastUsedNonce: nonce.toString(),
+      updatedAt: Date.now()
+    };
+    this.writeEvmState(chain, state);
+  }
+  // -------------------------------------------------------------------------
+  // Internal helpers
+  // -------------------------------------------------------------------------
+  readEvmState(chain) {
+    const filePath = path2.join(this.baseDir, `${chain}.state.json`);
+    try {
+      const content = fs2.readFileSync(filePath, "utf8");
+      return JSON.parse(content);
+    } catch {
+      return null;
+    }
+  }
+  writeEvmState(chain, state) {
+    const filePath = path2.join(this.baseDir, `${chain}.state.json`);
+    const tmpPath = filePath + `.tmp.${process.pid}`;
+    fs2.writeFileSync(tmpPath, JSON.stringify(state, null, 2));
+    fs2.renameSync(tmpPath, filePath);
+  }
+  /**
+   * Check if a lock file is stale and remove it if so.
+   * @returns true if a stale lock was removed.
+   */
+  tryCleanStaleLock(lockPath) {
+    try {
+      const content = fs2.readFileSync(lockPath, "utf8");
+      const info2 = JSON.parse(content);
+      if (Date.now() - info2.timestamp > LOCK_STALE_MS) {
+        fs2.unlinkSync(lockPath);
+        return true;
+      }
+    } catch {
+      try {
+        const stat = fs2.statSync(lockPath);
+        if (Date.now() - stat.mtimeMs > LOCK_STALE_MS) {
+          fs2.unlinkSync(lockPath);
+          return true;
+        }
+      } catch {
+        return true;
+      }
+      return false;
+    }
+    return false;
+  }
+};
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 // src/agent/types.ts
 var AUTO_EXECUTE_ACTIONS = /* @__PURE__ */ new Set([
   "add_chain",
@@ -4559,14 +4886,50 @@ var AUTO_EXECUTE_ACTIONS = /* @__PURE__ */ new Set([
 var PASSWORD_REQUIRED_ACTIONS = /* @__PURE__ */ new Set(["sign_tx", "sign_typed_data", "build_custom_tx"]);
 // src/agent/executor.ts
+var EVM_CHAINS = /* @__PURE__ */ new Set([
+  "Ethereum",
+  "BSC",
+  "Polygon",
+  "Avalanche",
+  "Arbitrum",
+  "Optimism",
+  "Base",
+  "Blast",
+  "Zksync",
+  "Mantle",
+  "CronosChain",
+  "Hyperliquid",
+  "Sei"
+]);
+var EVM_GAS_RPC = {
+  Ethereum: "https://eth.llamarpc.com",
+  BSC: "https://bsc-dataseed.binance.org",
+  Polygon: "https://polygon-rpc.com",
+  Avalanche: "https://api.avax.network/ext/bc/C/rpc",
+  Arbitrum: "https://arb1.arbitrum.io/rpc",
+  Optimism: "https://mainnet.optimism.io",
+  Base: "https://mainnet.base.org",
+  Blast: "https://rpc.blast.io",
+  Zksync: "https://mainnet.era.zksync.io",
+  Mantle: "https://rpc.mantle.xyz",
+  CronosChain: "https://cronos-evm-rpc.publicnode.com",
+  Hyperliquid: "https://rpc.hyperliquid.xyz/evm",
+  Sei: "https://evm-rpc.sei-apis.com"
+};
 var AgentExecutor = class {
   vault;
   pendingPayloads = /* @__PURE__ */ new Map();
   password = null;
   verbose;
-  constructor(vault, verbose = false) {
+  stateStore = null;
+  /** Held chain lock release functions, keyed by chain name */
+  chainLockReleases = /* @__PURE__ */ new Map();
+  constructor(vault, verbose = false, vaultId) {
     this.vault = vault;
     this.verbose = verbose;
+    if (vaultId) {
+      this.stateStore = new VaultStateStore(vaultId);
+    }
   }
   setPassword(password) {
     this.password = password;
@@ -4791,40 +5154,47 @@ var AgentExecutor = class {
     const amountStr = params.amount;
     if (!toAddress) throw new Error("Destination address is required");
     if (!amountStr) throw new Error("Amount is required");
-    const address = await this.vault.address(chain);
-    const balance = await this.vault.balance(chain, params.token_id);
-    const coin = {
-      chain,
-      address,
-      decimals: balance.decimals,
-      ticker: symbol || balance.symbol,
-      id: params.token_id
-    };
-    const amount = parseAmount(amountStr, balance.decimals);
-    const memo = params.memo;
-    const payload = await this.vault.prepareSendTx({ coin, receiver: toAddress, amount, memo });
-    this.pendingPayloads.clear();
-    const payloadId = `tx_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
-    this.pendingPayloads.set(payloadId, { payload, coin, chain, timestamp: Date.now() });
-    this.pendingPayloads.set("latest", { payload, coin, chain, timestamp: Date.now() });
-    const messageHashes = await this.vault.extractMessageHashes(payload);
-    return {
-      keysign_payload: payloadId,
-      from_chain: chain.toString(),
-      from_symbol: coin.ticker,
-      amount: amountStr,
-      sender: address,
-      destination: toAddress,
-      memo: memo || void 0,
-      message_hashes: messageHashes,
-      tx_details: {
-        chain: chain.toString(),
-        from: address,
-        to: toAddress,
+    await this.acquireEvmLockIfNeeded(chain);
+    try {
+      const address = await this.vault.address(chain);
+      const balance = await this.vault.balance(chain, params.token_id);
+      const coin = {
+        chain,
+        address,
+        decimals: balance.decimals,
+        ticker: symbol || balance.symbol,
+        id: params.token_id
+      };
+      const amount = parseAmount(amountStr, balance.decimals);
+      const memo = params.memo;
+      const payload = await this.vault.prepareSendTx({ coin, receiver: toAddress, amount, memo });
+      await this.patchEvmNonce(chain, payload);
+      const messageHashes = await this.vault.extractMessageHashes(payload);
+      this.pendingPayloads.clear();
+      const payloadId = `tx_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+      this.pendingPayloads.set(payloadId, { payload, coin, chain, timestamp: Date.now() });
+      this.pendingPayloads.set("latest", { payload, coin, chain, timestamp: Date.now() });
+      return {
+        keysign_payload: payloadId,
+        from_chain: chain.toString(),
+        from_symbol: coin.ticker,
         amount: amountStr,
-        symbol: coin.ticker
-      }
-    };
+        sender: address,
+        destination: toAddress,
+        memo: memo || void 0,
+        message_hashes: messageHashes,
+        tx_details: {
+          chain: chain.toString(),
+          from: address,
+          to: toAddress,
+          amount: amountStr,
+          symbol: coin.ticker
+        }
+      };
+    } catch (err) {
+      await this.releaseEvmLock(chain);
+      throw err;
+    }
   }
   async buildSwapTx(params) {
     if (this.verbose) process.stderr.write(`[build_swap_tx] called with params: ${JSON.stringify(params).slice(0, 500)}
@@ -4834,43 +5204,50 @@ var AgentExecutor = class {
     const fromChain = resolveChain(fromChainName);
     const toChain = toChainName ? resolveChain(toChainName) : null;
     if (!fromChain) throw new Error(`Unknown from_chain: ${fromChainName}`);
-    const amountStr = params.amount;
-    const fromSymbol = params.from_symbol || params.from_token || "";
-    const toSymbol = params.to_symbol || params.to_token || "";
-    const fromToken = params.from_contract || params.from_token_id;
-    const toToken = params.to_contract || params.to_token_id;
-    const fromCoin = { chain: fromChain, token: fromToken || void 0 };
-    const toCoin = { chain: toChain || fromChain, token: toToken || void 0 };
-    const quote = await this.vault.getSwapQuote({
-      fromCoin,
-      toCoin,
-      amount: parseFloat(amountStr)
-    });
-    const swapResult = await this.vault.prepareSwapTx({
-      fromCoin,
-      toCoin,
-      amount: parseFloat(amountStr),
-      swapQuote: quote,
-      autoApprove: true
-    });
-    const chain = fromChain;
-    const payload = swapResult.keysignPayload;
-    this.pendingPayloads.clear();
-    const payloadId = `swap_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
-    this.pendingPayloads.set(payloadId, { payload, coin: { chain, address: "", decimals: 18, ticker: fromSymbol }, chain, timestamp: Date.now() });
-    this.pendingPayloads.set("latest", { payload, coin: { chain, address: "", decimals: 18, ticker: fromSymbol }, chain, timestamp: Date.now() });
-    const messageHashes = await this.vault.extractMessageHashes(payload);
-    return {
-      keysign_payload: payloadId,
-      from_chain: fromChain.toString(),
-      to_chain: (toChain || fromChain).toString(),
-      from_symbol: fromSymbol,
-      to_symbol: toSymbol,
-      amount: amountStr,
-      estimated_output: quote.estimatedOutput?.toString(),
-      provider: quote.provider,
-      message_hashes: messageHashes
-    };
+    await this.acquireEvmLockIfNeeded(fromChain);
+    try {
+      const amountStr = params.amount;
+      const fromSymbol = params.from_symbol || params.from_token || "";
+      const toSymbol = params.to_symbol || params.to_token || "";
+      const fromToken = params.from_contract || params.from_token_id;
+      const toToken = params.to_contract || params.to_token_id;
+      const fromCoin = { chain: fromChain, token: fromToken || void 0 };
+      const toCoin = { chain: toChain || fromChain, token: toToken || void 0 };
+      const quote = await this.vault.getSwapQuote({
+        fromCoin,
+        toCoin,
+        amount: parseFloat(amountStr)
+      });
+      const swapResult = await this.vault.prepareSwapTx({
+        fromCoin,
+        toCoin,
+        amount: parseFloat(amountStr),
+        swapQuote: quote,
+        autoApprove: true
+      });
+      const chain = fromChain;
+      const payload = swapResult.keysignPayload;
+      await this.patchEvmNonce(chain, payload);
+      const messageHashes = await this.vault.extractMessageHashes(payload);
+      this.pendingPayloads.clear();
+      const payloadId = `swap_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+      this.pendingPayloads.set(payloadId, { payload, coin: { chain, address: "", decimals: 18, ticker: fromSymbol }, chain, timestamp: Date.now() });
+      this.pendingPayloads.set("latest", { payload, coin: { chain, address: "", decimals: 18, ticker: fromSymbol }, chain, timestamp: Date.now() });
+      return {
+        keysign_payload: payloadId,
+        from_chain: fromChain.toString(),
+        to_chain: (toChain || fromChain).toString(),
+        from_symbol: fromSymbol,
+        to_symbol: toSymbol,
+        amount: amountStr,
+        estimated_output: quote.estimatedOutput?.toString(),
+        provider: quote.provider,
+        message_hashes: messageHashes
+      };
+    } catch (err) {
+      await this.releaseEvmLock(fromChain);
+      throw err;
+    }
   }
   async buildTx(params) {
     if (params.function_name && params.contract_address) {
@@ -4951,6 +5328,18 @@ var AgentExecutor = class {
     }
     const { payload, chain } = stored;
     if (payload.__serverTx) {
+      if (chain === "Solana" && (payload.swap_tx || payload.provider)) {
+        try {
+          return await this.buildAndSignSolanaSwapLocally(payload);
+        } catch (e) {
+          if (e._phase === "prepare") {
+            if (this.verbose) process.stderr.write(`[sign_tx] Solana local build failed (${e.message}), falling back to signServerTx
+`);
+          } else {
+            throw e;
+          }
+        }
+      }
       return this.signServerTx(payload, chain, params);
     }
     return this.signSdkTx(payload, chain, payloadId);
@@ -4959,33 +5348,45 @@ var AgentExecutor = class {
    * Sign and broadcast an SDK-built transaction (keysign payload from local build methods).
    */
   async signSdkTx(payload, chain, _payloadId) {
-    if (this.vault.isEncrypted && !this.vault.isUnlocked?.()) {
-      if (this.password) {
-        await this.vault.unlock?.(this.password);
+    try {
+      if (this.vault.isEncrypted && !this.vault.isUnlocked?.()) {
+        if (this.password) {
+          await this.vault.unlock?.(this.password);
+        }
       }
+      await this.patchEvmGas(chain, payload);
+      const messageHashes = await this.vault.extractMessageHashes(payload);
+      const signature = await this.vault.sign(
+        {
+          transaction: payload,
+          chain: payload.coin?.chain || chain,
+          messageHashes
+        },
+        {}
+      );
+      const txHash = await this.vault.broadcastTx({
+        chain,
+        keysignPayload: payload,
+        signature
+      });
+      try {
+        this.recordEvmNonceFromPayload(chain, payload, messageHashes.length);
+      } catch (nonceErr) {
+        console.warn(`[nonce] failed to persist nonce for ${chain}:`, nonceErr);
+      }
+      await this.releaseEvmLock(chain);
+      this.pendingPayloads.clear();
+      const explorerUrl = Vultisig6.getTxExplorerUrl(chain, txHash);
+      return {
+        tx_hash: txHash,
+        chain: chain.toString(),
+        status: "pending",
+        explorer_url: explorerUrl
+      };
+    } catch (err) {
+      await this.releaseEvmLock(chain);
+      throw err;
     }
-    const messageHashes = await this.vault.extractMessageHashes(payload);
-    const signature = await this.vault.sign(
-      {
-        transaction: payload,
-        chain: payload.coin?.chain || chain,
-        messageHashes
-      },
-      {}
-    );
-    const txHash = await this.vault.broadcastTx({
-      chain,
-      keysignPayload: payload,
-      signature
-    });
-    this.pendingPayloads.clear();
-    const explorerUrl = Vultisig6.getTxExplorerUrl(chain, txHash);
-    return {
-      tx_hash: txHash,
-      chain: chain.toString(),
-      status: "pending",
-      explorer_url: explorerUrl
-    };
   }
   /**
    * Sign and broadcast a server-built transaction (raw EVM tx from tx_ready SSE).
@@ -5004,38 +5405,121 @@ var AgentExecutor = class {
     } else if (chainId) {
       chain = resolveChainId(chainId) || defaultChain;
     }
-    const address = await this.vault.address(chain);
-    const balance = await this.vault.balance(chain);
-    const coin = {
-      chain,
-      address,
-      decimals: balance.decimals || 18,
-      ticker: balance.symbol || chain.toString()
-    };
-    const amount = BigInt(swapTx.value || "0");
-    const hasCalldata = !!(swapTx.data && swapTx.data !== "0x");
-    if (this.verbose) process.stderr.write(`[sign_server_tx] chain=${chain}, to=${swapTx.to}, value=${swapTx.value}, amount=${amount}, hasCalldata=${hasCalldata}
+    await this.acquireEvmLockIfNeeded(chain);
+    try {
+      const address = await this.vault.address(chain);
+      const balance = await this.vault.balance(chain);
+      const coin = {
+        chain,
+        address,
+        decimals: balance.decimals || 18,
+        ticker: balance.symbol || chain.toString()
+      };
+      const amount = BigInt(swapTx.value || "0");
+      const hasCalldata = !!(swapTx.data && swapTx.data !== "0x");
+      if (this.verbose) process.stderr.write(`[sign_server_tx] chain=${chain}, to=${swapTx.to}, value=${swapTx.value}, amount=${amount}, hasCalldata=${hasCalldata}
+`);
+      if (this.vault.isEncrypted && !this.vault.isUnlocked?.()) {
+        if (this.password) {
+          await this.vault.unlock?.(this.password);
+        }
+      }
+      const buildAmount = amount === 0n && hasCalldata ? 1n : amount;
+      const keysignPayload = await this.vault.prepareSendTx({
+        coin,
+        receiver: swapTx.to,
+        amount: buildAmount,
+        memo: swapTx.data
+      });
+      if (amount === 0n && hasCalldata) {
+        ;
+        keysignPayload.toAmount = "0";
+      }
+      await this.patchEvmNonce(chain, keysignPayload);
+      await this.patchEvmGas(chain, keysignPayload);
+      const messageHashes = await this.vault.extractMessageHashes(keysignPayload);
+      const signature = await this.vault.sign(
+        {
+          transaction: keysignPayload,
+          chain,
+          messageHashes
+        },
+        {}
+      );
+      const txHash = await this.vault.broadcastTx({
+        chain,
+        keysignPayload,
+        signature
+      });
+      try {
+        this.recordEvmNonceFromPayload(chain, keysignPayload, messageHashes.length);
+      } catch (nonceErr) {
+        console.warn(`[nonce] failed to persist nonce for ${chain}:`, nonceErr);
+      }
+      await this.releaseEvmLock(chain);
+      this.pendingPayloads.clear();
+      const explorerUrl = Vultisig6.getTxExplorerUrl(chain, txHash);
+      return {
+        tx_hash: txHash,
+        chain: chain.toString(),
+        status: "pending",
+        explorer_url: explorerUrl
+      };
+    } catch (err) {
+      await this.releaseEvmLock(chain);
+      throw err;
+    }
+  }
+  /**
+   * Build, sign, and broadcast a Solana swap locally using the SDK's swap flow.
+   * Uses swap params from the tx_ready event to call vault.getSwapQuote → prepareSwapTx.
+   */
+  async buildAndSignSolanaSwapLocally(serverTxData) {
+    const fromChainName = serverTxData.from_chain || serverTxData.chain || "Solana";
+    const toChainName = serverTxData.to_chain;
+    const fromChain = resolveChain(fromChainName);
+    if (!fromChain) throw Object.assign(new Error(`Unknown from_chain: ${fromChainName}`), { _phase: "prepare" });
+    const toChain = toChainName ? resolveChain(toChainName) : fromChain;
+    if (!toChain) throw Object.assign(new Error(`Unknown to_chain: ${toChainName}`), { _phase: "prepare" });
+    const amountStr = serverTxData.amount;
+    if (!amountStr) throw Object.assign(new Error("Missing amount in tx_ready data for local Solana swap build"), { _phase: "prepare" });
+    const fromToken = serverTxData.from_address;
+    const toToken = serverTxData.to_address;
+    const fromDecimals = serverTxData.from_decimals;
+    if (fromDecimals == null) throw Object.assign(new Error("Missing from_decimals in tx_ready data for local Solana swap build"), { _phase: "prepare" });
+    const fromCoin = { chain: fromChain, token: fromToken || void 0 };
+    const toCoin = { chain: toChain, token: toToken || void 0 };
+    const humanAmount = Number(amountStr) / Math.pow(10, fromDecimals);
+    if (this.verbose) process.stderr.write(`[solana_local_swap] from=${fromChainName} to=${toChainName || fromChainName} amount=${amountStr}
 `);
     if (this.vault.isEncrypted && !this.vault.isUnlocked?.()) {
       if (this.password) {
         await this.vault.unlock?.(this.password);
       }
     }
-    const buildAmount = amount === 0n && hasCalldata ? 1n : amount;
-    const keysignPayload = await this.vault.prepareSendTx({
-      coin,
-      receiver: swapTx.to,
-      amount: buildAmount,
-      memo: swapTx.data
-    });
-    if (amount === 0n && hasCalldata) {
-      ;
-      keysignPayload.toAmount = "0";
+    let quote, swapResult;
+    try {
+      quote = await this.vault.getSwapQuote({
+        fromCoin,
+        toCoin,
+        amount: humanAmount
+      });
+      swapResult = await this.vault.prepareSwapTx({
+        fromCoin,
+        toCoin,
+        amount: humanAmount,
+        swapQuote: quote,
+        autoApprove: true
+      });
+    } catch (e) {
+      throw Object.assign(e, { _phase: "prepare" });
     }
-    const messageHashes = await this.vault.extractMessageHashes(keysignPayload);
+    const payload = swapResult.keysignPayload;
+    const chain = fromChain;
+    const messageHashes = await this.vault.extractMessageHashes(payload);
     const signature = await this.vault.sign(
       {
-        transaction: keysignPayload,
+        transaction: payload,
         chain,
         messageHashes
       },
@@ -5043,7 +5527,7 @@ var AgentExecutor = class {
     );
     const txHash = await this.vault.broadcastTx({
       chain,
-      keysignPayload,
+      keysignPayload: payload,
       signature
     });
     this.pendingPayloads.clear();
@@ -5056,6 +5540,147 @@ var AgentExecutor = class {
     };
   }
   // ============================================================================
+  // EVM Nonce Management
+  // ============================================================================
+  /**
+   * Acquire chain-level file lock if the chain is EVM.
+   * Releases any previously held lock first (e.g. from an abandoned build).
+   */
+  async acquireEvmLockIfNeeded(chain) {
+    if (!this.stateStore || !EVM_CHAINS.has(chain)) return;
+    await this.releaseEvmLock(chain);
+    const release = await this.stateStore.acquireChainLock(chain);
+    this.chainLockReleases.set(chain, release);
+    if (this.verbose) process.stderr.write(`[nonce] Acquired lock for ${chain}
+`);
+  }
+  /**
+   * Release the held chain lock (no-op if not held).
+   */
+  async releaseEvmLock(chain) {
+    const release = this.chainLockReleases.get(chain);
+    if (release) {
+      await release();
+      this.chainLockReleases.delete(chain);
+      if (this.verbose) process.stderr.write(`[nonce] Released lock for ${chain}
+`);
+    }
+  }
+  /**
+   * Patch the EVM nonce in a keysign payload if our local state is ahead of on-chain.
+   * The payload's blockchainSpecific.ethereumSpecific.nonce was set from RPC during
+   * prepareSendTx(). If we have locally-tracked pending txs, we override with a higher value.
+   *
+   * Also detects evicted txs: if local state claims a higher nonce but there are
+   * no pending txs in the mempool (pending == latest), the intermediate txs were
+   * dropped and local state is stale.
+   */
+  async patchEvmNonce(chain, payload) {
+    if (!this.stateStore || !EVM_CHAINS.has(chain)) return;
+    const bs = payload.blockchainSpecific;
+    if (!bs || bs.case !== "ethereumSpecific") return;
+    const rpcNonce = bs.value.nonce;
+    const nextNonce = this.stateStore.getNextEvmNonce(chain, rpcNonce);
+    if (nextNonce !== rpcNonce) {
+      const pendingNonce = await this.fetchEvmPendingNonce(chain);
+      if (pendingNonce !== null && pendingNonce === rpcNonce) {
+        if (this.verbose) process.stderr.write(`[nonce] Stale local state for ${chain}: local=${nextNonce}, on-chain=${rpcNonce}, no pending txs \u2014 using on-chain nonce
+`);
+        this.stateStore.clearEvmState(chain);
+        return;
+      }
+      const nonceGap = nextNonce - rpcNonce;
+      if (pendingNonce === null && nonceGap > 3n) {
+        if (this.verbose) process.stderr.write(`[nonce] Large nonce gap for ${chain} (${nonceGap}) and couldn't verify pending txs \u2014 using on-chain nonce ${rpcNonce}
+`);
+        this.stateStore.clearEvmState(chain);
+        return;
+      }
+      bs.value.nonce = nextNonce;
+      if (this.verbose) process.stderr.write(`[nonce] Patched ${chain} nonce: ${rpcNonce} \u2192 ${nextNonce}
+`);
+    }
+  }
+  /**
+   * Ensure the keysign payload's maxFeePerGas covers current network base fee.
+   * Re-fetches latest base fee from RPC and bumps maxFeePerGas if it's too low.
+   * Compensates for gas price drift between build time and sign time.
+   */
+  async patchEvmGas(chain, payload) {
+    if (!EVM_CHAINS.has(chain)) return;
+    const bs = payload.blockchainSpecific;
+    if (!bs || bs.case !== "ethereumSpecific") return;
+    const rpcUrl = EVM_GAS_RPC[chain];
+    if (!rpcUrl) return;
+    try {
+      const res = await fetch(rpcUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          method: "eth_getBlockByNumber",
+          params: ["latest", false],
+          id: 1
+        }),
+        signal: AbortSignal.timeout(5e3)
+      });
+      const data = await res.json();
+      const baseFee = BigInt(data.result?.baseFeePerGas || "0");
+      if (baseFee === 0n) return;
+      const currentPriorityFee = BigInt(bs.value.priorityFee || "0");
+      const currentMaxFee = BigInt(bs.value.maxFeePerGasWei || "0");
+      const minMaxFee = baseFee * 25n / 10n + currentPriorityFee;
+      if (currentMaxFee < minMaxFee) {
+        bs.value.maxFeePerGasWei = minMaxFee.toString();
+        if (this.verbose) process.stderr.write(`[gas] Bumped ${chain} maxFeePerGas: ${currentMaxFee} \u2192 ${minMaxFee} (baseFee=${baseFee})
+`);
+      }
+    } catch {
+      if (this.verbose) process.stderr.write(`[gas] Failed to refresh base fee for ${chain}, keeping original
+`);
+    }
+  }
+  /**
+   * Fetch the pending nonce from RPC (eth_getTransactionCount with "pending" tag).
+   * Returns null if the RPC call fails (non-fatal).
+   */
+  async fetchEvmPendingNonce(chain) {
+    const rpcUrl = EVM_GAS_RPC[chain];
+    if (!rpcUrl) return null;
+    try {
+      const address = await this.vault.address(chain);
+      const res = await fetch(rpcUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          method: "eth_getTransactionCount",
+          params: [address, "pending"],
+          id: 1
+        }),
+        signal: AbortSignal.timeout(5e3)
+      });
+      const data = await res.json();
+      return BigInt(data.result || "0");
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Record the nonce(s) used after a successful broadcast.
+   * For approve+swap flows with N message hashes, the highest nonce used is base + N - 1.
+   */
+  recordEvmNonceFromPayload(chain, payload, numTxs) {
+    if (!this.stateStore || !EVM_CHAINS.has(chain)) return;
+    const bs = payload.blockchainSpecific;
+    if (!bs || bs.case !== "ethereumSpecific") return;
+    const baseNonce = bs.value.nonce;
+    const highestNonce = baseNonce + BigInt(Math.max(0, numTxs - 1));
+    this.stateStore.recordEvmNonce(chain, highestNonce);
+    if (this.verbose) process.stderr.write(`[nonce] Recorded ${chain} nonce: ${highestNonce}
+`);
+  }
+  // ============================================================================
   // EIP-712 Typed Data Signing
   // ============================================================================
   /**
@@ -5636,9 +6261,9 @@ var PipeInterface = class {
 };
 // src/agent/session.ts
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { homedir } from "node:os";
-import { join } from "node:path";
+import { existsSync, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { join as join2 } from "node:path";
 var AgentSession = class {
   client;
   vault;
@@ -5654,7 +6279,7 @@ var AgentSession = class {
     this.config = config;
     this.client = new AgentClient(config.backendUrl);
     this.client.verbose = !!config.verbose;
-    this.executor = new AgentExecutor(vault, !!config.verbose);
+    this.executor = new AgentExecutor(vault, !!config.verbose, vault.publicKeys.ecdsa);
     this.publicKey = vault.publicKeys.ecdsa;
     if (config.password) {
       this.executor.setPassword(config.password);
@@ -5709,7 +6334,7 @@ var AgentSession = class {
       const conv = await this.client.createConversation(this.publicKey);
       this.conversationId = conv.id;
     }
-    this.cachedContext = await buildMessageContext(this.vault);
+    this.cachedContext = this.config.viaAgent || this.config.askMode ? await buildMinimalContext(this.vault) : await buildMessageContext(this.vault);
   }
   getConversationId() {
     return this.conversationId;
@@ -5736,7 +6361,7 @@ var AgentSession = class {
     }
     this.abortController = new AbortController();
     try {
-      this.cachedContext = await buildMessageContext(this.vault);
+      this.cachedContext = this.config.viaAgent || this.config.askMode ? await buildMinimalContext(this.vault) : await buildMessageContext(this.vault);
     } catch {
     }
     try {
@@ -5765,6 +6390,9 @@ var AgentSession = class {
       public_key: this.publicKey,
       context: this.cachedContext
     };
+    if (this.config.viaAgent || this.config.askMode) {
+      request.via_agent = true;
+    }
     if (content) {
       request.content = content;
     }
@@ -5959,23 +6587,23 @@ function parseInlineToolCalls(text) {
   return actions;
 }
 function getTokenCachePath() {
-  const dir = process.env.VULTISIG_CONFIG_DIR ?? join(homedir(), ".vultisig");
-  return join(dir, "agent-tokens.json");
+  const dir = process.env.VULTISIG_CONFIG_DIR ?? join2(homedir2(), ".vultisig");
+  return join2(dir, "agent-tokens.json");
 }
 function readTokenStore() {
   try {
-    const path3 = getTokenCachePath();
-    if (!existsSync(path3)) return {};
-    return JSON.parse(readFileSync(path3, "utf-8"));
+    const path4 = getTokenCachePath();
+    if (!existsSync(path4)) return {};
+    return JSON.parse(readFileSync2(path4, "utf-8"));
   } catch {
     return {};
   }
 }
 function writeTokenStore(store) {
-  const path3 = getTokenCachePath();
-  const dir = join(path3, "..");
-  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-  writeFileSync(path3, JSON.stringify(store, null, 2), { mode: 384 });
+  const path4 = getTokenCachePath();
+  const dir = join2(path4, "..");
+  if (!existsSync(dir)) mkdirSync2(dir, { recursive: true });
+  writeFileSync2(path4, JSON.stringify(store, null, 2), { mode: 384 });
 }
 function loadCachedToken(publicKey) {
   const store = readTokenStore();
@@ -6353,6 +6981,68 @@ async function executeAgent(ctx2, options) {
     }
   }
 }
+async function executeAgentAsk(ctx2, message, options) {
+  setSilentMode(true);
+  const originalConsoleLog = console.log;
+  console.log = (...args) => {
+    process.stderr.write(args.map(String).join(" ") + "\n");
+  };
+  try {
+    const vault = await ctx2.ensureActiveVault();
+    const config = {
+      backendUrl: options.backendUrl || process.env.VULTISIG_AGENT_URL || "http://localhost:9998",
+      vaultName: vault.name,
+      password: options.password,
+      sessionId: options.session,
+      verbose: options.verbose,
+      askMode: true
+    };
+    const session = new AgentSession(vault, config);
+    const ask = new AskInterface(session, !!config.verbose);
+    const callbacks = ask.getCallbacks();
+    await session.initialize(callbacks);
+    const result = await ask.ask(message);
+    if (options.json) {
+      process.stdout.write(
+        JSON.stringify({
+          session_id: result.sessionId,
+          response: result.response,
+          tool_calls: result.toolCalls,
+          transactions: result.transactions
+        }) + "\n"
+      );
+    } else {
+      process.stdout.write(`session:${result.sessionId}
+`);
+      if (result.response) {
+        process.stdout.write(`
+${result.response}
+`);
+      }
+      for (const tx of result.transactions) {
+        process.stdout.write(`
+tx:${tx.chain}:${tx.hash}
+`);
+        if (tx.explorerUrl) {
+          process.stdout.write(`explorer:${tx.explorerUrl}
+`);
+        }
+      }
+    }
+  } catch (err) {
+    if (options.json) {
+      process.stdout.write(JSON.stringify({ error: err.message }) + "\n");
+    } else {
+      process.stderr.write(`Error: ${err.message}
+`);
+    }
+    process.exit(1);
+  } finally {
+    console.log = originalConsoleLog;
+    setSilentMode(false);
+  }
+  process.exit(0);
+}
 async function executeAgentSessionsList(ctx2, options) {
   const vault = await ctx2.ensureActiveVault();
   const backendUrl = options.backendUrl || process.env.VULTISIG_AGENT_URL || "http://localhost:9998";
@@ -6429,8 +7119,8 @@ function formatDate(iso) {
 // src/interactive/completer.ts
 import { Chain as Chain10 } from "@vultisig/sdk";
-import fs2 from "fs";
-import path2 from "path";
+import fs3 from "fs";
+import path3 from "path";
 var COMMANDS = [
   // Vault management
   "vaults",
@@ -6525,28 +7215,28 @@ function createCompleter(ctx2) {
 }
 function completeFilePath(partial, filterVult) {
   try {
-    const endsWithSeparator = partial.endsWith("/") || partial.endsWith(path2.sep);
+    const endsWithSeparator = partial.endsWith("/") || partial.endsWith(path3.sep);
     let dir;
     let basename;
     if (endsWithSeparator) {
       dir = partial;
       basename = "";
     } else {
-      dir = path2.dirname(partial);
-      basename = path2.basename(partial);
-      if (fs2.existsSync(partial) && fs2.statSync(partial).isDirectory()) {
+      dir = path3.dirname(partial);
+      basename = path3.basename(partial);
+      if (fs3.existsSync(partial) && fs3.statSync(partial).isDirectory()) {
         dir = partial;
         basename = "";
       }
     }
-    const resolvedDir = path2.resolve(dir);
-    if (!fs2.existsSync(resolvedDir) || !fs2.statSync(resolvedDir).isDirectory()) {
+    const resolvedDir = path3.resolve(dir);
+    if (!fs3.existsSync(resolvedDir) || !fs3.statSync(resolvedDir).isDirectory()) {
       return [[], partial];
     }
-    const files = fs2.readdirSync(resolvedDir);
+    const files = fs3.readdirSync(resolvedDir);
     const matches = files.filter((file) => file.startsWith(basename)).map((file) => {
-      const fullPath = path2.join(dir, file);
-      const stats = fs2.statSync(path2.join(resolvedDir, file));
+      const fullPath = path3.join(dir, file);
+      const stats = fs3.statSync(path3.join(resolvedDir, file));
       if (stats.isDirectory()) {
         return fullPath + "/";
       }
@@ -7825,19 +8515,19 @@ import chalk13 from "chalk";
 // src/lib/version.ts
 import chalk14 from "chalk";
-import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2, existsSync as existsSync2 } from "fs";
-import { homedir as homedir2 } from "os";
-import { join as join2 } from "path";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3, existsSync as existsSync2 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
 var cachedVersion = null;
 function getVersion() {
   if (cachedVersion) return cachedVersion;
   if (true) {
-    cachedVersion = "0.8.0";
+    cachedVersion = "0.9.0";
     return cachedVersion;
   }
   try {
     const packagePath = new URL("../../package.json", import.meta.url);
-    const pkg = JSON.parse(readFileSync2(packagePath, "utf-8"));
+    const pkg = JSON.parse(readFileSync3(packagePath, "utf-8"));
     cachedVersion = pkg.version;
     return cachedVersion;
   } catch {
@@ -7845,13 +8535,13 @@ function getVersion() {
     return cachedVersion;
   }
 }
-var CACHE_DIR = join2(homedir2(), ".vultisig", "cache");
-var VERSION_CACHE_FILE = join2(CACHE_DIR, "version-check.json");
+var CACHE_DIR = join3(homedir3(), ".vultisig", "cache");
+var VERSION_CACHE_FILE = join3(CACHE_DIR, "version-check.json");
 var CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
 function readVersionCache() {
   try {
     if (!existsSync2(VERSION_CACHE_FILE)) return null;
-    const data = readFileSync2(VERSION_CACHE_FILE, "utf-8");
+    const data = readFileSync3(VERSION_CACHE_FILE, "utf-8");
     return JSON.parse(data);
   } catch {
     return null;
@@ -7860,9 +8550,9 @@ function readVersionCache() {
 function writeVersionCache(cache) {
   try {
     if (!existsSync2(CACHE_DIR)) {
-      mkdirSync2(CACHE_DIR, { recursive: true });
+      mkdirSync3(CACHE_DIR, { recursive: true });
     }
-    writeFileSync2(VERSION_CACHE_FILE, JSON.stringify(cache, null, 2));
+    writeFileSync3(VERSION_CACHE_FILE, JSON.stringify(cache, null, 2));
   } catch {
   }
 }
@@ -7967,9 +8657,9 @@ function getUpdateCommand() {
 }
 // src/lib/completion.ts
-import { homedir as homedir3 } from "os";
-import { join as join3 } from "path";
-import { readFileSync as readFileSync3, existsSync as existsSync3 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join4 } from "path";
+import { readFileSync as readFileSync4, existsSync as existsSync3 } from "fs";
 var tabtab = null;
 async function getTabtab() {
   if (!tabtab) {
@@ -8034,7 +8724,7 @@ var CHAINS = [
 ];
 function getVaultNames() {
   try {
-    const vaultDir = join3(homedir3(), ".vultisig", "vaults");
+    const vaultDir = join4(homedir4(), ".vultisig", "vaults");
     if (!existsSync3(vaultDir)) return [];
     const { readdirSync } = __require("fs");
     const files = readdirSync(vaultDir);
@@ -8042,7 +8732,7 @@ function getVaultNames() {
     for (const file of files) {
       if (file.startsWith("vault:") && file.endsWith(".json")) {
         try {
-          const content = readFileSync3(join3(vaultDir, file), "utf-8");
+          const content = readFileSync4(join4(vaultDir, file), "utf-8");
           const vault = JSON.parse(content);
           if (vault.name) names.push(vault.name);
           if (vault.id) names.push(vault.id);
@@ -8365,10 +9055,10 @@ createCmd.command("secure").description("Create a secure vault (multi-device MPC
     });
   })
 );
-program.command("import <file>").description("Import vault from .vult file").action(
-  withExit(async (file) => {
+program.command("import <file>").description("Import vault from .vult file").option("--password <password>", "Password to decrypt the vault file").action(
+  withExit(async (file, options) => {
     const context = await init(program.opts().vault);
-    await executeImport(context, file);
+    await executeImport(context, file, options.password);
   })
 );
 var createFromSeedphraseCmd = program.command("create-from-seedphrase").description("Create vault from BIP39 seedphrase");
@@ -8485,7 +9175,7 @@ joinCmd.command("secure").description("Join a SecureVault creation session").opt
       const context = await init(program.opts().vault);
       let qrPayload = options.qr;
       if (!qrPayload && options.qrFile) {
-        qrPayload = (await fs3.readFile(options.qrFile, "utf-8")).trim();
+        qrPayload = (await fs4.readFile(options.qrFile, "utf-8")).trim();
       }
       if (!qrPayload) {
         qrPayload = await promptQrPayload();
@@ -8635,10 +9325,10 @@ program.command("discount").description("Show your VULT discount tier for swap f
   })
 );
 program.command("export [path]").description("Export vault to file").option("--password <password>", "Password to unlock the vault (for encrypted vaults)").option("--exportPassword <password>", "Password to encrypt the exported file (defaults to --password)").action(
-  withExit(async (path3, options) => {
+  withExit(async (path4, options) => {
     const context = await init(program.opts().vault, options.password);
     await executeExport(context, {
-      outputPath: path3,
+      outputPath: path4,
       password: options.password,
       exportPassword: options.exportPassword
     });
@@ -8856,6 +9546,21 @@ var agentCmd = program.command("agent").description("AI-powered chat interface f
     sessionId: options.sessionId
   });
 });
+agentCmd.command("ask <message>").description("Send a single message and get the response (for AI agent integration)").option("--session <id>", "Continue an existing conversation").option("--backend-url <url>", "Agent backend URL (default: http://localhost:9998)").option("--password <password>", "Vault password for signing operations").option("--verbose", "Show tool calls and debug info on stderr").option("--json", "Output structured JSON instead of text").action(
+  async (message, options) => {
+    const parentOpts = agentCmd.opts();
+    const context = await init(
+      program.opts().vault,
+      options.password || parentOpts.password
+    );
+    await executeAgentAsk(context, message, {
+      ...options,
+      backendUrl: options.backendUrl || parentOpts.backendUrl,
+      password: options.password || parentOpts.password,
+      verbose: options.verbose || parentOpts.verbose
+    });
+  }
+);
 var sessionsCmd = agentCmd.command("sessions").description("Manage agent chat sessions");
 sessionsCmd.command("list").description("List chat sessions for the current vault").option("--backend-url <url>", "Agent backend URL (default: http://localhost:9998)").option("--password <password>", "Vault password for authentication").action(
   withExit(async (options) => {