@wlfi-agent/cli 1.4.10

package/dist/wlfc/index.js

@@ -0,0 +1,1894 @@
+#!/usr/bin/env node
+
+// src/wlfc/index.ts
+import { chmod, mkdir, readdir, readFile, writeFile } from "fs/promises";
+import { createServer } from "http";
+import { homedir } from "os";
+import path from "path";
+import process from "process";
+import {
+  input as promptInput,
+  password as promptPassword
+} from "@inquirer/prompts";
+import {
+  AgentWalletSdkError,
+  createAgentWalletClient,
+  DEFAULT_BASE_URL
+} from "@wlfi-agent/agent-wallet-sdk";
+import { Command, Option } from "commander";
+var CONFIG_DIR = path.join(homedir(), ".config", "wlfc-agent");
+var CONFIG_FILE = path.join(CONFIG_DIR, "config.json");
+var OTP_DIR = path.join(homedir(), ".test_otp");
+var DEFAULT_CALLBACK_PORT = 54545;
+var DEFAULT_LOGIN_TIMEOUT_MS = 15 * 60 * 1e3;
+var DEFAULT_WALLET_CHAIN_ID = 56;
+var DEFAULT_WALLET_NETWORK = "evm";
+var MAX_CALLBACK_BODY_BYTES = 1024 * 1024;
+var MAX_LIST_ITEMS_TO_PRINT = 20;
+var createEmptyAliases = () => ({
+  destination: {},
+  project: {},
+  wallet: {}
+});
+var normalizeAliasMap = (raw) => {
+  const defaults = createEmptyAliases();
+  if (!(raw && typeof raw === "object")) {
+    return defaults;
+  }
+  for (const type of Object.keys(defaults)) {
+    const source = raw[type];
+    if (!(source && typeof source === "object")) {
+      continue;
+    }
+    const entries = Object.entries(source);
+    for (const [alias, id] of entries) {
+      const normalizedAlias = alias.trim();
+      const normalizedId = typeof id === "string" ? id.trim() : "";
+      if (!(normalizedAlias && normalizedId)) {
+        continue;
+      }
+      defaults[type][normalizedAlias] = normalizedId;
+    }
+  }
+  return defaults;
+};
+var resolveBaseUrl = () => (process.env.WLFI_AGENT_BACKEND_URL ?? process.env.WLF_AGENT_BACKEND_URL ?? DEFAULT_BASE_URL).trim();
+var toFlagKey = (key) => key.replace(/[A-Z]/g, (letter) => `-${letter.toLowerCase()}`);
+var optionsToFlags = (options) => {
+  const flags = {};
+  for (const [key, value] of Object.entries(options)) {
+    if (value === void 0 || value === null) {
+      continue;
+    }
+    const flagKey = toFlagKey(key);
+    if (typeof value === "boolean") {
+      if (value) {
+        flags[flagKey] = "true";
+      }
+      continue;
+    }
+    if (typeof value === "number" || typeof value === "string") {
+      flags[flagKey] = String(value);
+    }
+  }
+  return flags;
+};
+var collectFlags = (command) => {
+  const lineage = [];
+  let cursor = command;
+  while (cursor) {
+    lineage.unshift(cursor);
+    cursor = cursor.parent ?? null;
+  }
+  const flags = {};
+  for (const node of lineage) {
+    Object.assign(flags, optionsToFlags(node.opts()));
+  }
+  return flags;
+};
+var withJsonOption = (command) => command.option("--json", "Print machine-readable JSON output");
+var withTokenOption = (command) => command.option("--token <token>", "Session token override");
+var withUnsupportedBaseUrlOption = (command) => command.addOption(new Option("--base-url <url>").hideHelp());
+var assertNoBaseUrlFlag = (flags) => {
+  if (flags["base-url"]) {
+    throw new Error(
+      "--base-url is not supported. Use WLFI_AGENT_BACKEND_URL or WLF_AGENT_BACKEND_URL instead."
+    );
+  }
+};
+var getCommandFlags = (command) => {
+  const flags = collectFlags(command);
+  assertNoBaseUrlFlag(flags);
+  return flags;
+};
+var loadConfig = async () => {
+  try {
+    const raw = await readFile(CONFIG_FILE, "utf8");
+    const parsed = JSON.parse(raw);
+    const token = typeof parsed.token === "string" && parsed.token.trim().length > 0 ? parsed.token.trim() : void 0;
+    const aliases = normalizeAliasMap(parsed.aliases);
+    return { aliases, token };
+  } catch {
+    return {
+      aliases: createEmptyAliases()
+    };
+  }
+};
+var saveConfig = async (config) => {
+  await mkdir(CONFIG_DIR, { mode: 448, recursive: true });
+  await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), {
+    mode: 384
+  });
+  await chmod(CONFIG_FILE, 384);
+};
+var parseCallbackPort = (value) => {
+  if (!value) {
+    return DEFAULT_CALLBACK_PORT;
+  }
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed <= 0 || parsed > 65535) {
+    throw new Error("--callback-port must be a valid TCP port (1-65535)");
+  }
+  return parsed;
+};
+var parsePositiveInteger = (value, flagName) => {
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    throw new Error(`${flagName} must be a positive integer`);
+  }
+  return parsed;
+};
+var readRequestBody = async (request) => new Promise((resolve, reject) => {
+  const chunks = [];
+  let size = 0;
+  request.on("data", (chunk) => {
+    size += chunk.length;
+    if (size > MAX_CALLBACK_BODY_BYTES) {
+      reject(new Error("Callback request body is too large"));
+      request.destroy();
+      return;
+    }
+    chunks.push(chunk);
+  });
+  request.on("end", () => {
+    resolve(Buffer.concat(chunks).toString("utf8"));
+  });
+  request.on("error", (error) => {
+    reject(error);
+  });
+});
+var getErrorPayload = (error) => {
+  if (error instanceof AgentWalletSdkError) {
+    if (typeof error.payload === "object" && error.payload !== null) {
+      return {
+        ...error.payload,
+        message: error.message
+      };
+    }
+    return { message: error.message };
+  }
+  if (error instanceof Error) {
+    return { message: error.message };
+  }
+  return { message: String(error) };
+};
+var getErrorMessage = (error) => {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+};
+var printJson = (value) => {
+  console.log(JSON.stringify(value, null, 2));
+};
+var shouldOutputJson = (flags) => flags.json === "true";
+var summarizeRecord = (record) => {
+  const priorityKeys = [
+    "id",
+    "type",
+    "alias",
+    "name",
+    "label",
+    "ok",
+    "statusCode",
+    "status",
+    "eventType",
+    "webhookId",
+    "webhookUrl",
+    "walletId",
+    "projectId",
+    "address",
+    "approveId",
+    "paymentId",
+    "txHash",
+    "url",
+    "message"
+  ];
+  const parts = [];
+  for (const key of priorityKeys) {
+    if (!(key in record)) {
+      continue;
+    }
+    const value = record[key];
+    if (value === null || value === void 0) {
+      continue;
+    }
+    const rendered = typeof value === "string" || typeof value === "number" ? String(value) : JSON.stringify(value);
+    parts.push(`${key}=${rendered}`);
+  }
+  if (parts.length > 0) {
+    return parts.join(" | ");
+  }
+  const fallback = Object.entries(record).slice(0, 4).map(([key, value]) => {
+    let rendered = String(value);
+    if (typeof value === "string" || typeof value === "number") {
+      rendered = String(value);
+    } else if (Array.isArray(value)) {
+      rendered = `array(${value.length})`;
+    } else if (value && typeof value === "object") {
+      rendered = "object";
+    }
+    return `${key}=${rendered}`;
+  });
+  return fallback.join(" | ");
+};
+var printHumanValue = (value, title) => {
+  if (title) {
+    console.log(title);
+  }
+  if (Array.isArray(value)) {
+    if (value.length === 0) {
+      console.log("No results.");
+      return;
+    }
+    console.log(`Found ${value.length} item(s):`);
+    const visibleItems = value.slice(0, MAX_LIST_ITEMS_TO_PRINT);
+    for (const [index, item] of visibleItems.entries()) {
+      if (item && typeof item === "object" && !Array.isArray(item)) {
+        console.log(`${index + 1}. ${summarizeRecord(item)}`);
+      } else {
+        console.log(`${index + 1}. ${String(item)}`);
+      }
+    }
+    if (value.length > MAX_LIST_ITEMS_TO_PRINT) {
+      console.log(
+        `... ${value.length - MAX_LIST_ITEMS_TO_PRINT} more item(s). Use --json for full output.`
+      );
+    }
+    return;
+  }
+  if (value && typeof value === "object") {
+    const record = value;
+    const hasOnlyOkResult = Object.keys(record).every(
+      (key) => key === "ok" || key === "message"
+    );
+    if (hasOnlyOkResult && "ok" in record && typeof record.ok === "boolean") {
+      console.log(record.ok ? "Success." : "Failed.");
+      if (typeof record.message === "string" && record.message.trim()) {
+        console.log(record.message);
+      }
+      return;
+    }
+    console.log(summarizeRecord(record));
+    return;
+  }
+  console.log(String(value));
+};
+var printValue = (flags, value, options) => {
+  if (shouldOutputJson(flags)) {
+    printJson(value);
+    return;
+  }
+  printHumanValue(value, options?.title);
+  if (options?.nextSteps && options.nextSteps.length > 0) {
+    console.log("\nNext steps:");
+    for (const step of options.nextSteps) {
+      console.log(`- ${step}`);
+    }
+  }
+};
+var parseAliasType = (value, flagName = "--type") => {
+  if (value === "destination" || value === "project" || value === "wallet") {
+    return value;
+  }
+  throw new Error(`${flagName} must be one of: wallet, project, destination`);
+};
+var resolveAliasId = async (type, rawValue) => {
+  const value = rawValue.trim();
+  if (!value) {
+    return "";
+  }
+  const config = await loadConfig();
+  return config.aliases[type][value] ?? value;
+};
+var parseNetwork = (value) => {
+  if (value !== "evm" && value !== "solana") {
+    throw new Error("--network must be either evm or solana");
+  }
+  return value;
+};
+var parseApprovalPayload = async (flags) => {
+  const inline = flags["approval-payload-json"];
+  const file = flags["approval-payload-file"];
+  if (!(inline || file)) {
+    return void 0;
+  }
+  if (inline && file) {
+    throw new Error(
+      "Use either --approval-payload-json or --approval-payload-file, not both"
+    );
+  }
+  const raw = inline ? inline : await readFile(file, "utf8");
+  try {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      throw new Error("approval payload must be a JSON object");
+    }
+    return parsed;
+  } catch (error) {
+    throw new Error(
+      `Failed to parse approval payload JSON: ${getErrorMessage(error)}`
+    );
+  }
+};
+var parsePolicyDestinations = async (flags) => {
+  const inline = flags["destinations-json"];
+  const file = flags["destinations-file"];
+  if (!(inline || file)) {
+    throw new Error(
+      "policy put requires exactly one of --destinations-json or --destinations-file"
+    );
+  }
+  if (inline && file) {
+    throw new Error(
+      "policy put requires exactly one of --destinations-json or --destinations-file"
+    );
+  }
+  const raw = inline ? inline : await readFile(file, "utf8");
+  try {
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) {
+      throw new Error("Policy destinations must be a JSON array");
+    }
+    return parsed;
+  } catch (error) {
+    throw new Error(
+      `Failed to parse policy destinations JSON: ${getErrorMessage(error)}`
+    );
+  }
+};
+var getAuthedClient = async (flags) => {
+  const config = await loadConfig();
+  const token = (flags.token ?? config.token ?? "").trim();
+  if (!token) {
+    throw new Error(
+      "Token is missing. Run `wlfc login --token <token>` or `wlfc login --email <email>` first."
+    );
+  }
+  return createAgentWalletClient({
+    baseUrl: resolveBaseUrl(),
+    token
+  });
+};
+var startCallbackServer = async (options) => {
+  const { port } = options;
+  const client = createAgentWalletClient({ baseUrl: resolveBaseUrl() });
+  let resolved = false;
+  let settle = null;
+  let rejectSettle = null;
+  let timeout;
+  const tokenPromise = new Promise((resolve, reject) => {
+    settle = resolve;
+    rejectSettle = reject;
+  });
+  const complete = (token) => {
+    if (resolved) {
+      return false;
+    }
+    resolved = true;
+    if (timeout) {
+      clearTimeout(timeout);
+    }
+    settle?.(token);
+    return true;
+  };
+  const fail = (error) => {
+    if (resolved) {
+      return;
+    }
+    resolved = true;
+    if (timeout) {
+      clearTimeout(timeout);
+    }
+    rejectSettle?.(error);
+  };
+  const server = createServer(async (request, response) => {
+    const requestUrl = new URL(request.url ?? "/", `http://127.0.0.1:${port}`);
+    if (request.method === "GET" && requestUrl.pathname === "/") {
+      response.statusCode = 200;
+      response.setHeader("Content-Type", "text/html; charset=utf-8");
+      response.end(`<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>wlfc callback server</title>
+  </head>
+  <body style="font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; margin: 24px; line-height: 1.5;">
+    <h1>wlfc callback server is running</h1>
+    <p>Open the link from your email. For manual testing:</p>
+    <ul>
+      <li><a href="/login">/login?requestId=&lt;id&gt;</a></li>
+      <li><a href="/register">/register?requestId=&lt;id&gt;</a></li>
+    </ul>
+    <p>This server will receive your session callback on <code>/callback</code>.</p>
+  </body>
+</html>`);
+      return;
+    }
+    if (request.method === "GET" && requestUrl.pathname === "/login") {
+      response.statusCode = 200;
+      response.setHeader("Content-Type", "text/html; charset=utf-8");
+      response.end(`<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>wlfc login</title>
+    <style>
+      body { font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; margin: 24px; color: #10212f; background: #f2f5f8; }
+      .panel { max-width: 720px; margin: 0 auto; background: #fff; border: 1px solid #dce3ea; border-radius: 12px; padding: 20px; box-shadow: 0 10px 25px rgba(2, 30, 62, 0.06); }
+      h1 { margin-top: 0; }
+      textarea { width: 100%; min-height: 130px; border: 1px solid #cfd9e3; border-radius: 8px; padding: 10px; box-sizing: border-box; font-size: 14px; }
+      button { border: 0; border-radius: 8px; background: #0d5f4f; color: #fff; padding: 10px 14px; font-weight: 600; cursor: pointer; margin-top: 12px; }
+      code { font-family: ui-monospace, SFMono-Regular, Menlo, monospace; background: #f5f8fb; padding: 2px 6px; border-radius: 6px; border: 1px solid #dbe4ee; }
+      .status { margin-top: 12px; min-height: 20px; font-size: 14px; }
+      .status.error { color: #ab2d2d; }
+      .status.ok { color: #1b7a36; }
+    </style>
+  </head>
+  <body>
+    <main class="panel">
+      <h1>wlfc login</h1>
+      <p>Request ID: <code id="request-id">(missing)</code></p>
+      <p>Paste OTP signature from your CubeSigner login email.</p>
+      <form id="login-form">
+        <textarea id="otp-signature" placeholder="Paste OTP signature or full token" required></textarea>
+        <button type="submit">Complete login</button>
+      </form>
+      <div id="status" class="status"></div>
+    </main>
+    <script>
+      const requestId = (new URLSearchParams(window.location.search).get("requestId") || "").trim();
+      const requestIdEl = document.getElementById("request-id");
+      const form = document.getElementById("login-form");
+      const otpInput = document.getElementById("otp-signature");
+      const statusEl = document.getElementById("status");
+      requestIdEl.textContent = requestId || "(missing)";
+      const setStatus = (text, isError = false) => {
+        statusEl.textContent = text;
+        statusEl.className = "status " + (isError ? "error" : "ok");
+      };
+
+      if (!requestId) {
+        setStatus("Missing requestId query parameter", true);
+        form.style.display = "none";
+      }
+
+      form.addEventListener("submit", async (event) => {
+        event.preventDefault();
+        const otpSignature = (otpInput.value || "").trim();
+        if (!otpSignature) {
+          setStatus("OTP signature is required", true);
+          return;
+        }
+
+        setStatus("Submitting OTP...");
+        try {
+          const response = await fetch("/internal/login/complete", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ requestId, otpSignature }),
+          });
+          const payload = await response.json().catch(() => ({}));
+          if (!response.ok) {
+            throw new Error(payload?.message || ("HTTP " + response.status));
+          }
+          setStatus("Success. Session token has been sent to your terminal callback.");
+          form.style.display = "none";
+        } catch (error) {
+          const message = error instanceof Error ? error.message : String(error);
+          setStatus(message, true);
+        }
+      });
+    </script>
+  </body>
+</html>`);
+      return;
+    }
+    if (request.method === "GET" && (requestUrl.pathname === "/register" || requestUrl.pathname === "/agent-wallet/register")) {
+      response.statusCode = 200;
+      response.setHeader("Content-Type", "text/html; charset=utf-8");
+      response.end(`<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>wlfc register</title>
+    <style>
+      body { font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; margin: 24px; color: #10212f; background: #f2f5f8; }
+      .panel { max-width: 760px; margin: 0 auto; background: #fff; border: 1px solid #dce3ea; border-radius: 12px; padding: 20px; box-shadow: 0 10px 25px rgba(2, 30, 62, 0.06); }
+      h1 { margin-top: 0; }
+      label { display: block; margin: 10px 0 6px; font-weight: 600; }
+      input { width: 100%; border: 1px solid #cfd9e3; border-radius: 8px; padding: 10px; box-sizing: border-box; font-size: 14px; }
+      button { border: 0; border-radius: 8px; background: #0d5f4f; color: #fff; padding: 10px 14px; font-weight: 600; cursor: pointer; margin-top: 12px; }
+      code { font-family: ui-monospace, SFMono-Regular, Menlo, monospace; background: #f5f8fb; padding: 2px 6px; border-radius: 6px; border: 1px solid #dbe4ee; word-break: break-all; }
+      .status { margin-top: 12px; min-height: 20px; font-size: 14px; }
+      .status.error { color: #ab2d2d; }
+      .status.ok { color: #1b7a36; }
+      .totp-box { margin-top: 16px; padding-top: 16px; border-top: 1px solid #e5ebf2; display: none; }
+      .qr { margin: 10px 0; width: 220px; height: 220px; border: 1px solid #dce3ea; border-radius: 8px; }
+    </style>
+    <script src="https://cdn.jsdelivr.net/npm/qrcodejs@1.0.0/qrcode.min.js"></script>
+  </head>
+  <body>
+    <main class="panel">
+      <h1>wlfc register</h1>
+      <p>Request ID: <code id="request-id">(from query)</code></p>
+      <ol>
+        <li>Open the invite link from your CubeSigner email.</li>
+        <li>Set a password and submit below.</li>
+        <li>Scan TOTP QR, then enter the OTP code.</li>
+      </ol>
+
+      <form id="accept-form">
+        <label for="password">Password</label>
+        <input id="password" type="password" autocomplete="new-password" required />
+        <button type="submit">Accept invite</button>
+      </form>
+
+      <section id="totp-section" class="totp-box">
+        <h2>Set up OTP</h2>
+        <p>Scan this QR code with your authenticator app:</p>
+        <div id="totp-qr" class="qr" aria-label="TOTP QR code"></div>
+        <p><strong>Fallback URL:</strong> <code id="totp-url"></code></p>
+        <form id="totp-form">
+          <label for="otp-code">Current OTP code</label>
+          <input id="otp-code" type="text" inputmode="numeric" pattern="[0-9]*" required />
+          <button type="submit">Complete registration</button>
+        </form>
+      </section>
+
+      <div id="status" class="status"></div>
+    </main>
+    <script>
+      const searchParams = new URLSearchParams(window.location.search);
+      let requestId = (searchParams.get("requestId") || "").trim();
+      const inviteTokenFromQuery = (
+        searchParams.get("inviteToken") ||
+        searchParams.get("token") ||
+        ""
+      ).trim();
+      const inviteProofFromQuery = (
+        searchParams.get("inviteProof") ||
+        searchParams.get("proof") ||
+        ""
+      ).trim();
+      const requestIdEl = document.getElementById("request-id");
+      const acceptForm = document.getElementById("accept-form");
+      const totpSection = document.getElementById("totp-section");
+      const totpForm = document.getElementById("totp-form");
+      const passwordInput = document.getElementById("password");
+      const otpCodeInput = document.getElementById("otp-code");
+      const totpQr = document.getElementById("totp-qr");
+      const totpUrlEl = document.getElementById("totp-url");
+      const statusEl = document.getElementById("status");
+      let totpId = "";
+
+      requestIdEl.textContent = requestId || "(from query)";
+      const setStatus = (text, isError = false) => {
+        statusEl.textContent = text;
+        statusEl.className = "status " + (isError ? "error" : "ok");
+      };
+
+      if (!requestId) {
+        setStatus("Missing requestId query parameter in invite link.", true);
+      }
+
+      if (!(inviteTokenFromQuery || inviteProofFromQuery)) {
+        setStatus("Invite link is missing inviteToken/inviteProof.", true);
+      }
+
+      if (inviteTokenFromQuery && inviteProofFromQuery) {
+        setStatus("Invite link contains both inviteToken and inviteProof; expected only one.", true);
+      }
+
+      acceptForm.addEventListener("submit", async (event) => {
+        event.preventDefault();
+        const password = (passwordInput.value || "").trim();
+
+        if (!password) {
+          setStatus("Password is required", true);
+          return;
+        }
+
+        if (!requestId) {
+          setStatus("Missing requestId query parameter in invite link.", true);
+          return;
+        }
+
+        if (!(inviteTokenFromQuery || inviteProofFromQuery)) {
+          setStatus("Invite link is missing inviteToken/inviteProof.", true);
+          return;
+        }
+
+        if (inviteTokenFromQuery && inviteProofFromQuery) {
+          setStatus("Invite link contains both inviteToken and inviteProof; expected only one.", true);
+          return;
+        }
+
+        setStatus("Accepting invite...");
+        try {
+          const payloadBody = {
+            ...(inviteProofFromQuery
+              ? { inviteProof: inviteProofFromQuery }
+              : { inviteToken: inviteTokenFromQuery }),
+            password,
+            requestId,
+          };
+
+          const response = await fetch("/internal/register/accept", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(payloadBody),
+          });
+          const payload = await response.json().catch(() => ({}));
+          if (!response.ok) {
+            throw new Error(payload?.message || ("HTTP " + response.status));
+          }
+
+          const nextRequestId = (payload?.requestId || "").trim();
+          totpId = (payload?.totpId || "").trim();
+          const totpUrl = (payload?.totpUrl || "").trim();
+          if (!nextRequestId || !totpId || !totpUrl) {
+            throw new Error("Missing TOTP challenge response");
+          }
+
+          if (typeof window.QRCode !== "function") {
+            throw new Error("QR code library did not load");
+          }
+
+          requestId = nextRequestId;
+          requestIdEl.textContent = requestId;
+          totpQr.innerHTML = "";
+          new window.QRCode(totpQr, {
+            height: 220,
+            text: totpUrl,
+            width: 220,
+          });
+          totpUrlEl.textContent = totpUrl;
+          totpSection.style.display = "block";
+          setStatus("Invite accepted. Scan QR and enter OTP code.");
+          acceptForm.style.display = "none";
+        } catch (error) {
+          const message = error instanceof Error ? error.message : String(error);
+          setStatus(message, true);
+        }
+      });
+
+      totpForm.addEventListener("submit", async (event) => {
+        event.preventDefault();
+        const otpCode = (otpCodeInput.value || "").trim();
+        if (!(requestId && totpId && otpCode)) {
+          setStatus("Request ID, TOTP challenge, and OTP code are required", true);
+          return;
+        }
+
+        setStatus("Verifying OTP...");
+        try {
+          const response = await fetch("/internal/register/complete", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ otpCode, requestId, totpId }),
+          });
+          const payload = await response.json().catch(() => ({}));
+          if (!response.ok) {
+            throw new Error(payload?.message || ("HTTP " + response.status));
+          }
+
+          setStatus("Success. Session token has been sent to your terminal callback.");
+          totpForm.style.display = "none";
+        } catch (error) {
+          const message = error instanceof Error ? error.message : String(error);
+          setStatus(message, true);
+        }
+      });
+    </script>
+  </body>
+</html>`);
+      return;
+    }
+    if (request.method === "POST" && requestUrl.pathname === "/internal/login/complete") {
+      try {
+        const rawBody = await readRequestBody(request);
+        const parsed = JSON.parse(rawBody);
+        const payload = await client.wcLoginCompleteFromOtpSignature({
+          otpSignature: typeof parsed.otpSignature === "string" ? parsed.otpSignature : "",
+          requestId: typeof parsed.requestId === "string" ? parsed.requestId : ""
+        });
+        response.statusCode = 200;
+        response.setHeader("Content-Type", "application/json");
+        response.end(JSON.stringify(payload));
+      } catch (error) {
+        const status = error instanceof AgentWalletSdkError ? error.status : 400;
+        response.statusCode = status;
+        response.setHeader("Content-Type", "application/json");
+        response.end(JSON.stringify(getErrorPayload(error)));
+      }
+      return;
+    }
+    if (request.method === "POST" && requestUrl.pathname === "/internal/register/accept") {
+      try {
+        const rawBody = await readRequestBody(request);
+        const parsed = JSON.parse(rawBody);
+        const payload = await client.wcRegisterAcceptInvite({
+          callbackUrl: typeof parsed.callbackUrl === "string" ? parsed.callbackUrl : "",
+          email: typeof parsed.email === "string" ? parsed.email : "",
+          inviteProof: typeof parsed.inviteProof === "string" ? parsed.inviteProof : "",
+          inviteToken: typeof parsed.inviteToken === "string" ? parsed.inviteToken : "",
+          password: typeof parsed.password === "string" ? parsed.password : "",
+          requestId: typeof parsed.requestId === "string" ? parsed.requestId : ""
+        });
+        response.statusCode = 200;
+        response.setHeader("Content-Type", "application/json");
+        response.end(JSON.stringify(payload));
+      } catch (error) {
+        const status = error instanceof AgentWalletSdkError ? error.status : 400;
+        response.statusCode = status;
+        response.setHeader("Content-Type", "application/json");
+        response.end(JSON.stringify(getErrorPayload(error)));
+      }
+      return;
+    }
+    if (request.method === "POST" && requestUrl.pathname === "/internal/register/complete") {
+      try {
+        const rawBody = await readRequestBody(request);
+        const parsed = JSON.parse(rawBody);
+        const payload = await client.wcRegisterCompleteTotp({
+          otpCode: typeof parsed.otpCode === "string" ? parsed.otpCode : "",
+          requestId: typeof parsed.requestId === "string" ? parsed.requestId : "",
+          totpId: typeof parsed.totpId === "string" ? parsed.totpId : ""
+        });
+        response.statusCode = 200;
+        response.setHeader("Content-Type", "application/json");
+        response.end(JSON.stringify(payload));
+      } catch (error) {
+        const status = error instanceof AgentWalletSdkError ? error.status : 400;
+        response.statusCode = status;
+        response.setHeader("Content-Type", "application/json");
+        response.end(JSON.stringify(getErrorPayload(error)));
+      }
+      return;
+    }
+    if (request.method === "GET" && requestUrl.pathname === "/callback") {
+      const token = requestUrl.searchParams.get("token")?.trim();
+      if (!token) {
+        response.statusCode = 400;
+        response.setHeader("Content-Type", "application/json");
+        response.end(
+          JSON.stringify({ message: "Missing token query parameter" })
+        );
+        return;
+      }
+      const accepted = complete(token);
+      response.statusCode = accepted ? 200 : 409;
+      response.setHeader("Content-Type", "text/html; charset=utf-8");
+      response.end(`<!doctype html>
+<html>
+  <head><meta charset="utf-8" /><title>wlfc login callback</title></head>
+  <body style="font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; margin: 24px;">
+    <h1>${accepted ? "wlfc login completed" : "wlfc callback already consumed"}</h1>
+    <p>You can return to your terminal.</p>
+  </body>
+</html>`);
+      return;
+    }
+    if (request.method === "POST" && requestUrl.pathname === "/callback") {
+      try {
+        const rawBody = await readRequestBody(request);
+        const parsed = JSON.parse(rawBody);
+        const token = typeof parsed === "object" && parsed !== null && "token" in parsed && typeof parsed.token === "string" ? parsed.token.trim() : "";
+        if (!token) {
+          response.statusCode = 400;
+          response.setHeader("Content-Type", "application/json");
+          response.end(
+            JSON.stringify({ message: "Missing token in callback payload" })
+          );
+          return;
+        }
+        const accepted = complete(token);
+        response.statusCode = accepted ? 200 : 409;
+        response.setHeader("Content-Type", "application/json");
+        response.end(JSON.stringify({ ok: accepted }));
+      } catch (error) {
+        response.statusCode = 400;
+        response.setHeader("Content-Type", "application/json");
+        response.end(JSON.stringify(getErrorPayload(error)));
+      }
+      return;
+    }
+    response.statusCode = 404;
+    response.setHeader("Content-Type", "application/json");
+    response.end(JSON.stringify({ message: "Not found" }));
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", (error) => {
+      reject(error);
+    });
+    server.listen(port, "127.0.0.1", () => {
+      resolve();
+    });
+  });
+  timeout = setTimeout(() => {
+    fail(
+      new Error(
+        `Timed out waiting for callback on http://127.0.0.1:${port}/callback`
+      )
+    );
+  }, DEFAULT_LOGIN_TIMEOUT_MS);
+  const close = async () => {
+    await new Promise((resolve) => {
+      server.close(() => resolve());
+    });
+  };
+  return {
+    callbackUrl: `http://127.0.0.1:${port}/callback`,
+    close,
+    waitForToken: async () => {
+      try {
+        return await tokenPromise;
+      } finally {
+        await close();
+      }
+    }
+  };
+};
+var login = async (args, flags) => {
+  const token = (flags.token ?? "").trim();
+  if (token) {
+    const client2 = createAgentWalletClient({
+      baseUrl: resolveBaseUrl(),
+      token
+    });
+    await client2.listProjects();
+    const config2 = await loadConfig();
+    await saveConfig({
+      ...config2,
+      token
+    });
+    console.log("Saved credentials to ~/.config/wlfc-agent/config.json");
+    return;
+  }
+  const email = (flags.email ?? args[0] ?? "").trim().toLowerCase();
+  if (!email) {
+    throw new Error(
+      "login requires --token <token> or --email <email>. Run `wlfc login --help` for details."
+    );
+  }
+  const password = (await promptPassword({ message: `Password for ${email}` })).trim();
+  if (!password) {
+    throw new Error("Password is required");
+  }
+  const client = createAgentWalletClient({ baseUrl: resolveBaseUrl() });
+  let otpCode = (flags.otp ?? "").trim();
+  let loginResult;
+  try {
+    loginResult = await client.wcLoginPassword({
+      email,
+      ...otpCode ? { otpCode } : {},
+      password
+    });
+  } catch (error) {
+    const message = getErrorMessage(error);
+    if (!otpCode && message.includes("TOTP code is required")) {
+      otpCode = (await promptInput({ message: "TOTP code" })).trim();
+      if (!otpCode) {
+        throw new Error("TOTP code is required");
+      }
+      loginResult = await client.wcLoginPassword({
+        email,
+        otpCode,
+        password
+      });
+    } else {
+      throw error;
+    }
+  }
+  if (!loginResult.token) {
+    throw new Error("Login response did not include a session token");
+  }
+  const authedClient = createAgentWalletClient({
+    baseUrl: resolveBaseUrl(),
+    token: loginResult.token
+  });
+  await authedClient.listProjects();
+  const config = await loadConfig();
+  await saveConfig({
+    ...config,
+    token: loginResult.token
+  });
+  console.log("Saved credentials to ~/.config/wlfc-agent/config.json");
+};
+var register = async (args, flags) => {
+  const email = args[0]?.trim().toLowerCase();
+  if (!email) {
+    throw new Error("register requires an email argument");
+  }
+  const callbackPort = parseCallbackPort(flags["callback-port"]);
+  const callback = await startCallbackServer({
+    port: callbackPort
+  });
+  const client = createAgentWalletClient({
+    baseUrl: resolveBaseUrl()
+  });
+  try {
+    const start = await client.wcRegisterStart({
+      callbackUrl: callback.callbackUrl,
+      email
+    });
+    console.log("Check your email. We sent you a registration link.");
+    console.log(
+      "Open the link from your email. It already includes requestId and invite token/proof."
+    );
+    if (!start.emailSent) {
+      console.log(
+        `Email delivery is unavailable in this environment. Open this local link instead:
+${start.setupUrl}`
+      );
+    }
+    const callbackToken = await callback.waitForToken();
+    const authedClient = createAgentWalletClient({
+      baseUrl: resolveBaseUrl(),
+      token: callbackToken
+    });
+    await authedClient.listProjects();
+    const config = await loadConfig();
+    await saveConfig({
+      ...config,
+      token: callbackToken
+    });
+    console.log("Saved credentials to ~/.config/wlfc-agent/config.json");
+  } catch (error) {
+    await callback.close();
+    throw error;
+  }
+};
+var logout = async () => {
+  const config = await loadConfig();
+  await saveConfig({
+    aliases: config.aliases
+  });
+  console.log("Cleared session token from ~/.config/wlfc-agent/config.json");
+};
+var printDoctorReport = (flags, report) => {
+  if (shouldOutputJson(flags)) {
+    printJson(report);
+    return;
+  }
+  console.log(`Doctor report (${report.generatedAt})`);
+  console.log(`Backend URL: ${report.baseUrl}`);
+  for (const check of report.checks) {
+    let marker = "[FAIL]";
+    if (check.status === "ok") {
+      marker = "[OK] ";
+    } else if (check.status === "warn") {
+      marker = "[WARN]";
+    }
+    console.log(`${marker} ${check.name}: ${check.detail}`);
+  }
+};
+var doctor = async (flags) => {
+  const baseUrl = resolveBaseUrl();
+  const checks = [];
+  try {
+    const response = await fetch(`${baseUrl}/rest/custody/agent/pay`, {
+      body: "{}",
+      headers: {
+        "content-type": "application/json"
+      },
+      method: "POST"
+    });
+    checks.push({
+      detail: `Reachable (HTTP ${response.status})`,
+      name: "backend",
+      status: "ok"
+    });
+  } catch (error) {
+    checks.push({
+      detail: getErrorMessage(error),
+      name: "backend",
+      status: "fail"
+    });
+  }
+  const config = await loadConfig();
+  if (config.token) {
+    checks.push({
+      detail: "Session token is configured",
+      name: "token",
+      status: "ok"
+    });
+  } else {
+    checks.push({
+      detail: "No session token configured. Run `wlfc login`.",
+      name: "token",
+      status: "warn"
+    });
+  }
+  const aliasCount = Object.values(config.aliases).reduce(
+    (count, aliasMap) => count + Object.keys(aliasMap).length,
+    0
+  );
+  checks.push({
+    detail: aliasCount > 0 ? `${aliasCount} alias(es) configured` : "No aliases configured",
+    name: "aliases",
+    status: aliasCount > 0 ? "ok" : "warn"
+  });
+  try {
+    const files = await readdir(OTP_DIR);
+    const otpFileContents = await Promise.all(
+      files.map(async (filename) => {
+        const fullPath = path.join(OTP_DIR, filename);
+        return (await readFile(fullPath, "utf8")).trim();
+      })
+    );
+    const otpSecrets = otpFileContents.reduce((count, content) => {
+      if (!content.startsWith("otpauth://")) {
+        return count;
+      }
+      const secret = new URL(content).searchParams.get("secret");
+      return secret?.trim() ? count + 1 : count;
+    }, 0);
+    checks.push({
+      detail: otpSecrets > 0 ? `${otpSecrets} OTP secret file(s) found in ${OTP_DIR}` : `No valid OTP secret found in ${OTP_DIR}`,
+      name: "otp",
+      status: otpSecrets > 0 ? "ok" : "warn"
+    });
+  } catch {
+    checks.push({
+      detail: `Directory not found: ${OTP_DIR}`,
+      name: "otp",
+      status: "warn"
+    });
+  }
+  if (config.token) {
+    const client = createAgentWalletClient({
+      baseUrl,
+      token: config.token
+    });
+    try {
+      const projects = await client.listProjects();
+      checks.push({
+        detail: `Token valid (${projects.length} visible project(s))`,
+        name: "auth",
+        status: "ok"
+      });
+    } catch (error) {
+      checks.push({
+        detail: getErrorMessage(error),
+        name: "auth",
+        status: "fail"
+      });
+    }
+    try {
+      const wallets = await client.listWallets();
+      checks.push({
+        detail: `${wallets.length} wallet(s) visible`,
+        name: "wallet visibility",
+        status: wallets.length > 0 ? "ok" : "warn"
+      });
+    } catch (error) {
+      checks.push({
+        detail: getErrorMessage(error),
+        name: "wallet visibility",
+        status: "fail"
+      });
+    }
+    try {
+      const configs = await client.listWalletConfigs();
+      const activePolicies = configs.filter(
+        (configItem) => Boolean(configItem.policy) && configItem.policy?.status !== "deleted"
+      ).length;
+      checks.push({
+        detail: `${activePolicies} wallet policy config(s) visible`,
+        name: "policy visibility",
+        status: activePolicies > 0 ? "ok" : "warn"
+      });
+    } catch (error) {
+      checks.push({
+        detail: getErrorMessage(error),
+        name: "policy visibility",
+        status: "fail"
+      });
+    }
+  }
+  printDoctorReport(flags, {
+    baseUrl,
+    checks,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+};
+var aliasList = async (flags) => {
+  const config = await loadConfig();
+  const typeRaw = (flags.type ?? "").trim();
+  if (!typeRaw) {
+    const entries2 = Object.keys(config.aliases).flatMap(
+      (aliasType) => Object.entries(config.aliases[aliasType]).map(([alias, id]) => ({
+        alias,
+        id,
+        type: aliasType
+      }))
+    );
+    printValue(flags, entries2, {
+      title: "Aliases"
+    });
+    return;
+  }
+  const type = parseAliasType(typeRaw);
+  const entries = Object.entries(config.aliases[type]).map(([alias, id]) => ({
+    alias,
+    id,
+    type
+  }));
+  printValue(flags, entries, {
+    title: `${type} aliases`
+  });
+};
+var aliasSet = async (flags) => {
+  const type = parseAliasType((flags.type ?? "").trim());
+  const name = (flags.name ?? "").trim();
+  const id = (flags.id ?? "").trim();
+  if (!(name && id)) {
+    throw new Error("alias set requires --type, --name, and --id");
+  }
+  const config = await loadConfig();
+  const nextAliases = {
+    ...config.aliases,
+    [type]: {
+      ...config.aliases[type],
+      [name]: id
+    }
+  };
+  await saveConfig({
+    ...config,
+    aliases: nextAliases
+  });
+  printValue(
+    flags,
+    { alias: name, id, type },
+    {
+      nextSteps: [
+        `Use --${type}-id ${name} in CLI commands to resolve to ${id}`
+      ],
+      title: "Alias saved"
+    }
+  );
+};
+var aliasRemove = async (flags) => {
+  const type = parseAliasType((flags.type ?? "").trim());
+  const name = (flags.name ?? "").trim();
+  if (!name) {
+    throw new Error("alias rm requires --type and --name");
+  }
+  const config = await loadConfig();
+  if (!(name in config.aliases[type])) {
+    throw new Error(`Alias not found: ${name}`);
+  }
+  const nextTypeAliases = { ...config.aliases[type] };
+  delete nextTypeAliases[name];
+  await saveConfig({
+    ...config,
+    aliases: {
+      ...config.aliases,
+      [type]: nextTypeAliases
+    }
+  });
+  printValue(
+    flags,
+    { ok: true },
+    {
+      title: `Removed alias ${name} (${type})`
+    }
+  );
+};
+var walletList = async (flags) => {
+  const client = await getAuthedClient(flags);
+  const wallets = await client.listWallets();
+  printValue(flags, wallets, {
+    title: "Wallets"
+  });
+};
+var walletNew = async (flags) => {
+  const projectIdInput = (flags["project-id"] ?? "").trim();
+  const label = (flags.label ?? "").trim();
+  const network = (flags.network ?? DEFAULT_WALLET_NETWORK).trim();
+  const chainId = (flags["chain-id"] ?? String(DEFAULT_WALLET_CHAIN_ID)).trim();
+  if (!(projectIdInput && label)) {
+    throw new Error("wallet new requires --project-id and --label");
+  }
+  const projectId = await resolveAliasId("project", projectIdInput);
+  const client = await getAuthedClient(flags);
+  const wallet = await client.createWallet({
+    chainId: parsePositiveInteger(chainId, "--chain-id"),
+    label,
+    network: parseNetwork(network),
+    projectId
+  });
+  printValue(flags, wallet, {
+    nextSteps: [
+      `wlfc alias set --type wallet --name <name> --id ${wallet.id ?? "<wallet-id>"}`,
+      `wlfc agent-key new --wallet-id ${wallet.id ?? "<wallet-id>"}`
+    ],
+    title: "Wallet created"
+  });
+};
+var walletBalances = async (flags) => {
+  const client = await getAuthedClient(flags);
+  const balances = await client.listWalletBalances();
+  printValue(flags, balances, {
+    title: "Wallet balances"
+  });
+};
+var walletConfigs = async (flags) => {
+  const client = await getAuthedClient(flags);
+  const configs = await client.listWalletConfigs();
+  printValue(flags, configs, {
+    title: "Wallet configs"
+  });
+};
+var walletAuditLogs = async (flags) => {
+  const walletIdInput = (flags["wallet-id"] ?? "").trim();
+  if (!walletIdInput) {
+    throw new Error("wallet audit-logs requires --wallet-id <id>");
+  }
+  const limitRaw = (flags.limit ?? "").trim();
+  const walletId = await resolveAliasId("wallet", walletIdInput);
+  const client = await getAuthedClient(flags);
+  const logs = await client.listWalletAuditLogs({
+    action: flags.action,
+    browser: flags.browser,
+    cursor: flags.cursor,
+    ipAddress: flags["ip-address"],
+    ...limitRaw ? { limit: parsePositiveInteger(limitRaw, "--limit") } : {},
+    location: flags.location,
+    query: flags.query,
+    user: flags.user,
+    walletId
+  });
+  printValue(flags, logs, {
+    title: "Wallet audit logs"
+  });
+};
+var destinationList = async (flags) => {
+  const client = await getAuthedClient(flags);
+  const destinations = await client.listDestinations();
+  printValue(flags, destinations, {
+    title: "Destinations"
+  });
+};
+var destinationNew = async (flags) => {
+  const projectIdInput = (flags["project-id"] ?? "").trim();
+  const label = (flags.label ?? "").trim();
+  const network = (flags.network ?? "").trim();
+  const chainId = (flags["chain-id"] ?? "").trim();
+  const address = (flags.address ?? flags["vendor-address"] ?? flags["destination-address"] ?? "").trim();
+  if (!(projectIdInput && label && network && chainId && address)) {
+    throw new Error(
+      "destination new requires --project-id, --label, --network, --chain-id, and --address"
+    );
+  }
+  const projectId = await resolveAliasId("project", projectIdInput);
+  const client = await getAuthedClient(flags);
+  const destination = await client.createDestination({
+    chainId: parsePositiveInteger(chainId, "--chain-id"),
+    label,
+    network: parseNetwork(network),
+    projectId,
+    vendor_address: address
+  });
+  printValue(flags, destination, {
+    nextSteps: [
+      `wlfc alias set --type destination --name <name> --id ${destination.id ?? "<destination-id>"}`,
+      "wlfc policy put --wallet-id <wallet-id-or-alias> --destinations-file ./policy.json"
+    ],
+    title: "Destination created"
+  });
+};
+var agentKeyList = async (flags) => {
+  const client = await getAuthedClient(flags);
+  const agentKeys = await client.listAgentKeys();
+  printValue(flags, agentKeys, {
+    title: "Agent keys"
+  });
+};
+var agentKeyGet = async (flags) => {
+  const id = (flags.id ?? flags["agent-key-id"] ?? "").trim();
+  if (!id) {
+    throw new Error("agent-key get requires --id <agent-key-id>");
+  }
+  const client = await getAuthedClient(flags);
+  const agentKey = await client.getAgentKey(id);
+  printValue(flags, agentKey, {
+    title: "Agent key"
+  });
+};
+var agentKeyNew = async (flags) => {
+  const walletIdInput = (flags["wallet-id"] ?? "").trim();
+  if (!walletIdInput) {
+    throw new Error("agent-key new requires --wallet-id <id>");
+  }
+  const walletId = await resolveAliasId("wallet", walletIdInput);
+  const client = await getAuthedClient(flags);
+  const created = await client.createAgentKey({ walletId });
+  const keyValue = typeof created.key === "string" ? created.key ?? "" : "";
+  printValue(flags, created, {
+    nextSteps: [
+      keyValue ? `wlfa login --agent-key ${keyValue}` : "wlfa login --agent-key <key-from-output>",
+      "wlfa pay --address <destination> --amount <amount>"
+    ],
+    title: "Agent key created"
+  });
+};
+var agentKeyRemove = async (flags) => {
+  const id = (flags.id ?? flags["agent-key-id"] ?? "").trim();
+  if (!id) {
+    throw new Error("agent-key rm requires --id <agent-key-id>");
+  }
+  const client = await getAuthedClient(flags);
+  const deleted = await client.deleteAgentKey(id);
+  printValue(flags, deleted, {
+    title: "Agent key revoked"
+  });
+};
+var policyGet = async (flags) => {
+  const walletIdInput = (flags["wallet-id"] ?? "").trim();
+  if (!walletIdInput) {
+    throw new Error("policy get requires --wallet-id <id>");
+  }
+  const walletId = await resolveAliasId("wallet", walletIdInput);
+  const client = await getAuthedClient(flags);
+  const policy = await client.getPolicy(walletId);
+  printValue(flags, policy, {
+    title: "Policy"
+  });
+};
+var policyPut = async (flags) => {
+  const walletIdInput = (flags["wallet-id"] ?? "").trim();
+  if (!walletIdInput) {
+    throw new Error("policy put requires --wallet-id <id>");
+  }
+  const walletId = await resolveAliasId("wallet", walletIdInput);
+  const destinations = await parsePolicyDestinations(flags);
+  const client = await getAuthedClient(flags);
+  const updated = await client.putPolicy({
+    destinations,
+    walletId
+  });
+  printValue(flags, updated, {
+    nextSteps: [
+      "wlfa pay --address <destination-address> --amount <amount>",
+      `wlfc wallet audit-logs --wallet-id ${walletId}`
+    ],
+    title: "Policy updated"
+  });
+};
+var policyRemove = async (flags) => {
+  const walletIdInput = (flags["wallet-id"] ?? "").trim();
+  if (!walletIdInput) {
+    throw new Error("policy rm requires --wallet-id <id>");
+  }
+  const walletId = await resolveAliasId("wallet", walletIdInput);
+  const client = await getAuthedClient(flags);
+  const removed = await client.deletePolicy(walletId);
+  printValue(flags, removed, {
+    title: "Policy removed"
+  });
+};
+var projectList = async (flags) => {
+  const client = await getAuthedClient(flags);
+  const projects = await client.listProjects();
+  printValue(flags, projects, {
+    title: "Projects"
+  });
+};
+var projectNew = async (args, flags) => {
+  const projectName = (flags.name ?? flags["project-name"] ?? args[0] ?? "").trim();
+  if (!projectName) {
+    throw new Error("project new requires --name <project-name>");
+  }
+  const client = await getAuthedClient(flags);
+  const project = await client.createProject({ projectName });
+  printValue(flags, project, {
+    nextSteps: [
+      `wlfc alias set --type project --name <name> --id ${project.id ?? "<project-id>"}`,
+      `wlfc wallet new --project-id ${project.id ?? "<project-id>"} --label <wallet-label>`
+    ],
+    title: "Project created"
+  });
+};
+var approvalList = async (flags) => {
+  const limitRaw = (flags.limit ?? "").trim();
+  const walletIdInput = (flags["wallet-id"] ?? "").trim();
+  const walletId = walletIdInput ? await resolveAliasId("wallet", walletIdInput) : void 0;
+  const client = await getAuthedClient(flags);
+  const approvals = await client.listPendingApprovals({
+    ...limitRaw ? { limit: parsePositiveInteger(limitRaw, "--limit") } : {},
+    ...walletId ? { walletId } : {}
+  });
+  printValue(flags, approvals, {
+    title: "Pending approvals"
+  });
+};
+var approvalApprove = async (flags) => {
+  const approveId = (flags.id ?? flags["approve-id"] ?? "").trim();
+  const mfaType = (flags["mfa-type"] ?? "").trim();
+  const otp = (flags.otp ?? "").trim();
+  if (!approveId) {
+    throw new Error("approval approve requires --id <approve-id>");
+  }
+  const approvalPayload = await parseApprovalPayload(flags);
+  const client = await getAuthedClient(flags);
+  const runApprove = async (otpCode) => client.approveManual({
+    ...approvalPayload ? { approvalPayload } : {},
+    approveId,
+    ...mfaType ? { mfaType } : {},
+    ...otpCode ? { otp: otpCode } : {}
+  });
+  let approved;
+  try {
+    approved = await runApprove(otp || void 0);
+  } catch (error) {
+    if (!otp && getErrorMessage(error).toLowerCase().includes("otp code is required")) {
+      const promptedOtp = (await promptInput({ message: "TOTP code" })).trim();
+      if (!promptedOtp) {
+        throw new Error("TOTP code is required");
+      }
+      approved = await runApprove(promptedOtp);
+    } else {
+      throw error;
+    }
+  }
+  printValue(flags, approved, {
+    nextSteps: [
+      "wlfc approval ls",
+      "wlfc wallet audit-logs --wallet-id <wallet-id-or-alias>"
+    ],
+    title: "Approval submitted"
+  });
+};
+var parseWebhookEventType = (value) => {
+  if (value === "approval" || value === "payment") {
+    return value;
+  }
+  throw new Error("--event-type must be either approval or payment");
+};
+var parseWebhookStatus = (value) => {
+  if (value === "active" || value === "disabled") {
+    return value;
+  }
+  throw new Error("--status must be either active or disabled");
+};
+var webhookList = async (flags) => {
+  const client = await getAuthedClient(flags);
+  const webhooks = await client.listWebhooks();
+  printValue(flags, webhooks, {
+    title: "Webhooks"
+  });
+};
+var webhookGet = async (flags) => {
+  const webhookId = (flags.id ?? flags["webhook-id"] ?? "").trim();
+  if (!webhookId) {
+    throw new Error("webhook get requires --id <webhook-id>");
+  }
+  const client = await getAuthedClient(flags);
+  const webhook = await client.getWebhook(webhookId);
+  printValue(flags, webhook, {
+    title: "Webhook"
+  });
+};
+var webhookNew = async (flags) => {
+  const projectIdInput = (flags["project-id"] ?? "").trim();
+  const eventTypeRaw = (flags["event-type"] ?? "").trim();
+  const url = (flags.url ?? "").trim();
+  const secret = (flags.secret ?? "").trim();
+  if (!(projectIdInput && eventTypeRaw && url)) {
+    throw new Error(
+      "webhook new requires --project-id, --event-type, and --url"
+    );
+  }
+  const projectId = await resolveAliasId("project", projectIdInput);
+  const client = await getAuthedClient(flags);
+  const webhook = await client.createWebhook({
+    eventType: parseWebhookEventType(eventTypeRaw),
+    projectId,
+    ...secret ? { secret } : {},
+    url
+  });
+  printValue(flags, webhook, {
+    nextSteps: [
+      `wlfc webhook test --id ${webhook.id ?? "<webhook-id>"}`,
+      `wlfc webhook deliveries --id ${webhook.id ?? "<webhook-id>"}`
+    ],
+    title: "Webhook created"
+  });
+};
+var webhookUpdate = async (flags) => {
+  const webhookId = (flags.id ?? flags["webhook-id"] ?? "").trim();
+  const eventTypeRaw = (flags["event-type"] ?? "").trim();
+  const statusRaw = (flags.status ?? "").trim();
+  const url = (flags.url ?? "").trim();
+  const secret = (flags.secret ?? "").trim();
+  if (!webhookId) {
+    throw new Error("webhook update requires --id <webhook-id>");
+  }
+  if (!(eventTypeRaw || statusRaw || url || secret)) {
+    throw new Error(
+      "webhook update requires at least one of --event-type, --status, --url, or --secret"
+    );
+  }
+  const client = await getAuthedClient(flags);
+  const updated = await client.updateWebhook({
+    ...eventTypeRaw ? { eventType: parseWebhookEventType(eventTypeRaw) } : {},
+    ...secret ? { secret } : {},
+    ...statusRaw ? { status: parseWebhookStatus(statusRaw) } : {},
+    ...url ? { url } : {},
+    webhookId
+  });
+  printValue(flags, updated, {
+    title: "Webhook updated"
+  });
+};
+var webhookRemove = async (flags) => {
+  const webhookId = (flags.id ?? flags["webhook-id"] ?? "").trim();
+  if (!webhookId) {
+    throw new Error("webhook rm requires --id <webhook-id>");
+  }
+  const client = await getAuthedClient(flags);
+  const removed = await client.deleteWebhook(webhookId);
+  printValue(flags, removed, {
+    title: "Webhook removed"
+  });
+};
+var webhookDeliveries = async (flags) => {
+  const webhookId = (flags.id ?? flags["webhook-id"] ?? "").trim();
+  if (!webhookId) {
+    throw new Error("webhook deliveries requires --id <webhook-id>");
+  }
+  const limitRaw = (flags.limit ?? "").trim();
+  const config = await loadConfig();
+  const token = (flags.token ?? config.token ?? "").trim();
+  if (!token) {
+    throw new Error(
+      "Token is missing. Run `wlfc login --token <token>` or `wlfc login --email <email>` first."
+    );
+  }
+  const url = new URL(
+    `${resolveBaseUrl()}/rest/custody/agent/webhooks/${encodeURIComponent(webhookId)}/deliveries`
+  );
+  if (limitRaw) {
+    url.searchParams.set(
+      "limit",
+      String(parsePositiveInteger(limitRaw, "--limit"))
+    );
+  }
+  const response = await fetch(url, {
+    headers: {
+      Authorization: token
+    },
+    method: "GET"
+  });
+  const payload = await response.json().catch(async () => ({
+    message: await response.text().catch(() => "Unknown error")
+  }));
+  if (!response.ok) {
+    if (typeof payload === "object" && payload !== null && "message" in payload && typeof payload.message === "string") {
+      throw new Error(payload.message);
+    }
+    throw new Error(
+      `Failed to list webhook deliveries (HTTP ${response.status})`
+    );
+  }
+  printValue(flags, payload, {
+    title: "Webhook deliveries"
+  });
+};
+var webhookTest = async (flags) => {
+  const webhookId = (flags.id ?? flags["webhook-id"] ?? "").trim();
+  if (!webhookId) {
+    throw new Error("webhook test requires --id <webhook-id>");
+  }
+  const client = await getAuthedClient(flags);
+  const webhook = await client.getWebhook(webhookId);
+  const eventType = webhook.eventType === "approval" ? "approval" : "payment";
+  const payload = eventType === "approval" ? {
+    approveId: `test_approve_${Date.now()}`,
+    paymentId: `test_payment_${Date.now()}`,
+    status: "success",
+    txHash: `0xtest${Date.now().toString(16)}`,
+    walletId: "test_wallet"
+  } : {
+    destinationAddress: "0x0000000000000000000000000000000000000000",
+    paymentId: `test_payment_${Date.now()}`,
+    reason: "webhook_test_event",
+    status: "failed",
+    walletId: "test_wallet"
+  };
+  const response = await fetch(webhook.url, {
+    body: JSON.stringify(payload),
+    headers: {
+      "content-type": "application/json",
+      "x-wlfc-webhook-test": "true"
+    },
+    method: "POST"
+  });
+  const responseBody = (await response.text()).slice(0, 1e3);
+  printValue(
+    flags,
+    {
+      eventType,
+      ok: response.ok,
+      responseBody,
+      statusCode: response.status,
+      webhookId,
+      webhookUrl: webhook.url
+    },
+    {
+      nextSteps: [`wlfc webhook deliveries --id ${webhookId}`],
+      title: "Webhook test result"
+    }
+  );
+};
+var withCommandOptions = (command, options = {}) => {
+  const { auth = false, json = true } = options;
+  if (json) {
+    withJsonOption(command);
+  }
+  if (auth) {
+    withTokenOption(command);
+  }
+  withUnsupportedBaseUrlOption(command);
+  return command;
+};
+var createProgram = () => {
+  const program = new Command();
+  program.name("wlfc").description("WLFI Custody CLI").showHelpAfterError().showSuggestionAfterError().addHelpText(
+    "after",
+    `
+Environment:
+  WLFI_AGENT_BACKEND_URL  Backend URL override (default: ${DEFAULT_BASE_URL})
+`
+  );
+  withUnsupportedBaseUrlOption(program);
+  withCommandOptions(
+    program.command("login [email]").description("Login with token or email/password").option("--email <email>", "Email address").option("--otp <code>", "TOTP code"),
+    { auth: true, json: false }
+  ).action(async (emailArg, _options, command) => {
+    const flags = getCommandFlags(command);
+    await login(emailArg ? [emailArg] : [], flags);
+  });
+  withCommandOptions(
+    program.command("register <email>").description("Start registration flow").option(
+      "--callback-port <port>",
+      "Local callback TCP port",
+      String(DEFAULT_CALLBACK_PORT)
+    ),
+    { json: false }
+  ).action(async (emailArg, _options, command) => {
+    const flags = getCommandFlags(command);
+    await register([emailArg], flags);
+  });
+  withCommandOptions(program.command("doctor").description("Run diagnostics"), {
+    json: true
+  }).action(async (_options, command) => {
+    await doctor(getCommandFlags(command));
+  });
+  withCommandOptions(
+    program.command("logout").description("Clear saved session token"),
+    { json: false }
+  ).action(async () => {
+    await logout();
+  });
+  const alias = program.command("alias").description("Manage aliases");
+  withCommandOptions(
+    alias.command("ls").description("List aliases").option("--type <wallet|project|destination>", "Filter alias type"),
+    { json: true }
+  ).action(async (_options, command) => {
+    await aliasList(getCommandFlags(command));
+  });
+  withCommandOptions(
+    alias.command("set").description("Set alias mapping").requiredOption("--type <wallet|project|destination>", "Alias type").requiredOption("--name <alias>", "Alias name").requiredOption("--id <resource-id>", "Resource id"),
+    { json: true }
+  ).action(async (_options, command) => {
+    await aliasSet(getCommandFlags(command));
+  });
+  withCommandOptions(
+    alias.command("rm").description("Remove alias mapping").requiredOption("--type <wallet|project|destination>", "Alias type").requiredOption("--name <alias>", "Alias name"),
+    { json: true }
+  ).action(async (_options, command) => {
+    await aliasRemove(getCommandFlags(command));
+  });
+  const destination = program.command("destination").description("Manage destinations");
+  withCommandOptions(
+    destination.command("ls").description("List destinations"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await destinationList(getCommandFlags(command));
+  });
+  withCommandOptions(
+    destination.command("new").description("Create destination").requiredOption("--project-id <id>", "Project id or alias").requiredOption("--label <label>", "Destination label").requiredOption("--network <evm|solana>", "Destination network").requiredOption("--chain-id <id>", "Chain id").requiredOption("--address <address>", "Destination address").addOption(new Option("--vendor-address <address>").hideHelp()).addOption(new Option("--destination-address <address>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await destinationNew(getCommandFlags(command));
+  });
+  const agentKey = program.command("agent-key").description("Manage agent keys");
+  withCommandOptions(agentKey.command("ls").description("List agent keys"), {
+    auth: true,
+    json: true
+  }).action(async (_options, command) => {
+    await agentKeyList(getCommandFlags(command));
+  });
+  withCommandOptions(
+    agentKey.command("get").description("Get one agent key").option("--id <agent-key-id>", "Agent key id").addOption(new Option("--agent-key-id <agent-key-id>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await agentKeyGet(getCommandFlags(command));
+  });
+  withCommandOptions(
+    agentKey.command("new").description("Create agent key").requiredOption("--wallet-id <id>", "Wallet id or alias"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await agentKeyNew(getCommandFlags(command));
+  });
+  withCommandOptions(
+    agentKey.command("rm").description("Revoke agent key").option("--id <agent-key-id>", "Agent key id").addOption(new Option("--agent-key-id <agent-key-id>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await agentKeyRemove(getCommandFlags(command));
+  });
+  const policy = program.command("policy").description("Manage wallet policy");
+  withCommandOptions(
+    policy.command("get").description("Get policy").requiredOption("--wallet-id <id>", "Wallet id or alias"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await policyGet(getCommandFlags(command));
+  });
+  withCommandOptions(
+    policy.command("put").description("Create or update policy").requiredOption("--wallet-id <id>", "Wallet id or alias").option("--destinations-json <json>", "Inline JSON destinations array").option("--destinations-file <path>", "Path to destinations JSON"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await policyPut(getCommandFlags(command));
+  });
+  withCommandOptions(
+    policy.command("rm").description("Delete policy").requiredOption("--wallet-id <id>", "Wallet id or alias"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await policyRemove(getCommandFlags(command));
+  });
+  const project = program.command("project").description("Manage projects");
+  withCommandOptions(project.command("ls").description("List projects"), {
+    auth: true,
+    json: true
+  }).action(async (_options, command) => {
+    await projectList(getCommandFlags(command));
+  });
+  withCommandOptions(
+    project.command("new [name]").description("Create project").option("--name <project-name>", "Project name").addOption(new Option("--project-name <project-name>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (nameArg, _options, command) => {
+    const flags = getCommandFlags(command);
+    await projectNew(nameArg ? [nameArg] : [], flags);
+  });
+  const wallet = program.command("wallet").description("Manage wallets");
+  withCommandOptions(wallet.command("ls").description("List wallets"), {
+    auth: true,
+    json: true
+  }).action(async (_options, command) => {
+    await walletList(getCommandFlags(command));
+  });
+  withCommandOptions(
+    wallet.command("new").description("Create wallet").requiredOption("--project-id <id>", "Project id or alias").requiredOption("--label <label>", "Wallet label").option(
+      "--network <evm|solana>",
+      "Wallet network",
+      DEFAULT_WALLET_NETWORK
+    ).option("--chain-id <id>", "Chain id", String(DEFAULT_WALLET_CHAIN_ID)),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await walletNew(getCommandFlags(command));
+  });
+  withCommandOptions(
+    wallet.command("balances").description("List balances for each wallet"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await walletBalances(getCommandFlags(command));
+  });
+  withCommandOptions(
+    wallet.command("configs").description("List config for each wallet"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await walletConfigs(getCommandFlags(command));
+  });
+  withCommandOptions(
+    wallet.command("audit-logs").description("List wallet audit logs").requiredOption("--wallet-id <id>", "Wallet id or alias").option("--limit <n>", "Result limit").option("--cursor <cursor>", "Pagination cursor").option("--query <query>", "Free text query").option("--action <action>", "Action filter").option("--user <user>", "User filter").option("--browser <browser>", "Browser filter").option("--ip-address <ip>", "IP filter").option("--location <location>", "Location filter"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await walletAuditLogs(getCommandFlags(command));
+  });
+  const webhook = program.command("webhook").description("Manage webhooks");
+  withCommandOptions(webhook.command("ls").description("List webhooks"), {
+    auth: true,
+    json: true
+  }).action(async (_options, command) => {
+    await webhookList(getCommandFlags(command));
+  });
+  withCommandOptions(
+    webhook.command("get").description("Get webhook").option("--id <webhook-id>", "Webhook id").addOption(new Option("--webhook-id <webhook-id>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await webhookGet(getCommandFlags(command));
+  });
+  withCommandOptions(
+    webhook.command("new").description("Create webhook").requiredOption("--project-id <id>", "Project id or alias").requiredOption("--event-type <approval|payment>", "Webhook event type").requiredOption("--url <https://...>", "Webhook destination URL").option("--secret <value>", "Webhook secret"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await webhookNew(getCommandFlags(command));
+  });
+  withCommandOptions(
+    webhook.command("update").description("Update webhook").option("--id <webhook-id>", "Webhook id").option("--event-type <approval|payment>", "Webhook event type").option("--status <active|disabled>", "Webhook status").option("--url <https://...>", "Webhook destination URL").option("--secret <value>", "Webhook secret").addOption(new Option("--webhook-id <webhook-id>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await webhookUpdate(getCommandFlags(command));
+  });
+  withCommandOptions(
+    webhook.command("rm").description("Delete webhook").option("--id <webhook-id>", "Webhook id").addOption(new Option("--webhook-id <webhook-id>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await webhookRemove(getCommandFlags(command));
+  });
+  withCommandOptions(
+    webhook.command("deliveries").description("List webhook deliveries").option("--id <webhook-id>", "Webhook id").option("--limit <n>", "Result limit").addOption(new Option("--webhook-id <webhook-id>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await webhookDeliveries(getCommandFlags(command));
+  });
+  withCommandOptions(
+    webhook.command("test").description("Send webhook test payload").option("--id <webhook-id>", "Webhook id").addOption(new Option("--webhook-id <webhook-id>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await webhookTest(getCommandFlags(command));
+  });
+  const approval = program.command("approval").description("Manage pending approvals");
+  withCommandOptions(
+    approval.command("ls").description("List pending approvals").option("--wallet-id <id>", "Wallet id or alias").option("--limit <n>", "Result limit"),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await approvalList(getCommandFlags(command));
+  });
+  withCommandOptions(
+    approval.command("approve").description("Submit manual approval").option("--id <approve-id>", "Approval id").option("--mfa-type <type>", "MFA type").option("--otp <code>", "TOTP code").option("--approval-payload-json <json>", "Inline approval payload JSON").option("--approval-payload-file <path>", "Path to approval payload JSON").addOption(new Option("--approve-id <approve-id>").hideHelp()),
+    { auth: true, json: true }
+  ).action(async (_options, command) => {
+    await approvalApprove(getCommandFlags(command));
+  });
+  return program;
+};
+var main = async () => {
+  const program = createProgram();
+  if (process.argv.length <= 2) {
+    program.outputHelp();
+    return;
+  }
+  await program.parseAsync(process.argv);
+};
+main().catch((error) => {
+  console.error(getErrorMessage(error));
+  process.exit(1);
+});