@wlfi-agent/cli 1.4.13 → 1.4.14

package/dist/wlfc/index.cjs

@@ -1,1839 +0,0 @@
-#!/usr/bin/env node
-"use strict"; function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
-// src/wlfc/index.ts
-var _promises = require('fs/promises');
-var _http = require('http');
-var _os = require('os');
-var _path = require('path'); var _path2 = _interopRequireDefault(_path);
-var _process = require('process'); var _process2 = _interopRequireDefault(_process);
-
-
-
-var _prompts = require('@inquirer/prompts');
-
-
-
-
-var _agentwalletsdk = require('@wlfi-agent/agent-wallet-sdk');
-var _commander = require('commander');
-var CONFIG_DIR = _path2.default.join(_os.homedir.call(void 0, ), ".config", "wlfc-agent");
-var CONFIG_FILE = _path2.default.join(CONFIG_DIR, "config.json");
-var OTP_DIR = _path2.default.join(_os.homedir.call(void 0, ), ".test_otp");
-var DEFAULT_CALLBACK_PORT = 54545;
-var DEFAULT_LOGIN_TIMEOUT_MS = 15 * 60 * 1e3;
-var DEFAULT_WALLET_CHAIN_ID = 56;
-var DEFAULT_WALLET_NETWORK = "evm";
-var MAX_CALLBACK_BODY_BYTES = 1024 * 1024;
-var MAX_LIST_ITEMS_TO_PRINT = 20;
-var createEmptyAliases = () => ({
-  destination: {},
-  project: {},
-  wallet: {}
-});
-var normalizeAliasMap = (raw) => {
-  const defaults = createEmptyAliases();
-  if (!(raw && typeof raw === "object")) {
-    return defaults;
-  }
-  for (const type of Object.keys(defaults)) {
-    const source = raw[type];
-    if (!(source && typeof source === "object")) {
-      continue;
-    }
-    const entries = Object.entries(source);
-    for (const [alias, id] of entries) {
-      const normalizedAlias = alias.trim();
-      const normalizedId = typeof id === "string" ? id.trim() : "";
-      if (!(normalizedAlias && normalizedId)) {
-        continue;
-      }
-      defaults[type][normalizedAlias] = normalizedId;
-    }
-  }
-  return defaults;
-};
-var resolveBaseUrl = () => (_nullishCoalesce(_nullishCoalesce(_process2.default.env.WLFI_AGENT_BACKEND_URL, () => ( _process2.default.env.WLF_AGENT_BACKEND_URL)), () => ( _agentwalletsdk.DEFAULT_BASE_URL))).trim();
-var toFlagKey = (key) => key.replace(/[A-Z]/g, (letter) => `-${letter.toLowerCase()}`);
-var optionsToFlags = (options) => {
-  const flags = {};
-  for (const [key, value] of Object.entries(options)) {
-    if (value === void 0 || value === null) {
-      continue;
-    }
-    const flagKey = toFlagKey(key);
-    if (typeof value === "boolean") {
-      if (value) {
-        flags[flagKey] = "true";
-      }
-      continue;
-    }
-    if (typeof value === "number" || typeof value === "string") {
-      flags[flagKey] = String(value);
-    }
-  }
-  return flags;
-};
-var collectFlags = (command) => {
-  const lineage = [];
-  let cursor = command;
-  while (cursor) {
-    lineage.unshift(cursor);
-    cursor = _nullishCoalesce(cursor.parent, () => ( null));
-  }
-  const flags = {};
-  for (const node of lineage) {
-    Object.assign(flags, optionsToFlags(node.opts()));
-  }
-  return flags;
-};
-var withJsonOption = (command) => command.option("--json", "Print machine-readable JSON output");
-var withTokenOption = (command) => command.option("--token <token>", "Session token override");
-var withUnsupportedBaseUrlOption = (command) => command.addOption(new (0, _commander.Option)("--base-url <url>").hideHelp());
-var assertNoBaseUrlFlag = (flags) => {
-  if (flags["base-url"]) {
-    throw new Error(
-      "--base-url is not supported. Use WLFI_AGENT_BACKEND_URL or WLF_AGENT_BACKEND_URL instead."
-    );
-  }
-};
-var getCommandFlags = (command) => {
-  const flags = collectFlags(command);
-  assertNoBaseUrlFlag(flags);
-  return flags;
-};
-var loadConfig = async () => {
-  try {
-    const raw = await _promises.readFile.call(void 0, CONFIG_FILE, "utf8");
-    const parsed = JSON.parse(raw);
-    const token = typeof parsed.token === "string" && parsed.token.trim().length > 0 ? parsed.token.trim() : void 0;
-    const aliases = normalizeAliasMap(parsed.aliases);
-    return { aliases, token };
-  } catch (e) {
-    return {
-      aliases: createEmptyAliases()
-    };
-  }
-};
-var saveConfig = async (config) => {
-  await _promises.mkdir.call(void 0, CONFIG_DIR, { mode: 448, recursive: true });
-  await _promises.writeFile.call(void 0, CONFIG_FILE, JSON.stringify(config, null, 2), {
-    mode: 384
-  });
-  await _promises.chmod.call(void 0, CONFIG_FILE, 384);
-};
-var parseCallbackPort = (value) => {
-  if (!value) {
-    return DEFAULT_CALLBACK_PORT;
-  }
-  const parsed = Number(value);
-  if (!Number.isInteger(parsed) || parsed <= 0 || parsed > 65535) {
-    throw new Error("--callback-port must be a valid TCP port (1-65535)");
-  }
-  return parsed;
-};
-var parsePositiveInteger = (value, flagName) => {
-  const parsed = Number(value);
-  if (!Number.isInteger(parsed) || parsed <= 0) {
-    throw new Error(`${flagName} must be a positive integer`);
-  }
-  return parsed;
-};
-var readRequestBody = async (request) => new Promise((resolve, reject) => {
-  const chunks = [];
-  let size = 0;
-  request.on("data", (chunk) => {
-    size += chunk.length;
-    if (size > MAX_CALLBACK_BODY_BYTES) {
-      reject(new Error("Callback request body is too large"));
-      request.destroy();
-      return;
-    }
-    chunks.push(chunk);
-  });
-  request.on("end", () => {
-    resolve(Buffer.concat(chunks).toString("utf8"));
-  });
-  request.on("error", (error) => {
-    reject(error);
-  });
-});
-var getErrorPayload = (error) => {
-  if (error instanceof _agentwalletsdk.AgentWalletSdkError) {
-    if (typeof error.payload === "object" && error.payload !== null) {
-      return {
-        ...error.payload,
-        message: error.message
-      };
-    }
-    return { message: error.message };
-  }
-  if (error instanceof Error) {
-    return { message: error.message };
-  }
-  return { message: String(error) };
-};
-var getErrorMessage = (error) => {
-  if (error instanceof Error) {
-    return error.message;
-  }
-  return String(error);
-};
-var WC_STATUS_POLL_INTERVAL_MS = 1500;
-var sleep = (ms) => new Promise((resolve) => {
-  setTimeout(resolve, ms);
-});
-var waitForWcCompletionToken = async (client, requestId) => {
-  const deadline = Date.now() + DEFAULT_LOGIN_TIMEOUT_MS;
-  while (Date.now() < deadline) {
-    const status = await client.wcStatus({
-      consume: true,
-      requestId
-    });
-    const completed = status.completed === true;
-    const token = typeof status.token === "string" ? status.token.trim() : void 0;
-    if (completed && token) {
-      return token;
-    }
-    if (completed && !token) {
-      throw new Error(
-        "Backend reported wc completion without a session token payload"
-      );
-    }
-    await sleep(WC_STATUS_POLL_INTERVAL_MS);
-  }
-  throw new Error("Timed out waiting for wc completion; request expired");
-};
-var printJson = (value) => {
-  console.log(JSON.stringify(value, null, 2));
-};
-var shouldOutputJson = (flags) => flags.json === "true";
-var summarizeRecord = (record) => {
-  const priorityKeys = [
-    "id",
-    "type",
-    "alias",
-    "name",
-    "label",
-    "ok",
-    "statusCode",
-    "status",
-    "eventType",
-    "webhookId",
-    "webhookUrl",
-    "walletId",
-    "projectId",
-    "address",
-    "approveId",
-    "paymentId",
-    "txHash",
-    "url",
-    "message"
-  ];
-  const parts = [];
-  for (const key of priorityKeys) {
-    if (!(key in record)) {
-      continue;
-    }
-    const value = record[key];
-    if (value === null || value === void 0) {
-      continue;
-    }
-    const rendered = typeof value === "string" || typeof value === "number" ? String(value) : JSON.stringify(value);
-    parts.push(`${key}=${rendered}`);
-  }
-  if (parts.length > 0) {
-    return parts.join(" | ");
-  }
-  const fallback = Object.entries(record).slice(0, 4).map(([key, value]) => {
-    let rendered = String(value);
-    if (typeof value === "string" || typeof value === "number") {
-      rendered = String(value);
-    } else if (Array.isArray(value)) {
-      rendered = `array(${value.length})`;
-    } else if (value && typeof value === "object") {
-      rendered = "object";
-    }
-    return `${key}=${rendered}`;
-  });
-  return fallback.join(" | ");
-};
-var printHumanValue = (value, title) => {
-  if (title) {
-    console.log(title);
-  }
-  if (Array.isArray(value)) {
-    if (value.length === 0) {
-      console.log("No results.");
-      return;
-    }
-    console.log(`Found ${value.length} item(s):`);
-    const visibleItems = value.slice(0, MAX_LIST_ITEMS_TO_PRINT);
-    for (const [index, item] of visibleItems.entries()) {
-      if (item && typeof item === "object" && !Array.isArray(item)) {
-        console.log(`${index + 1}. ${summarizeRecord(item)}`);
-      } else {
-        console.log(`${index + 1}. ${String(item)}`);
-      }
-    }
-    if (value.length > MAX_LIST_ITEMS_TO_PRINT) {
-      console.log(
-        `... ${value.length - MAX_LIST_ITEMS_TO_PRINT} more item(s). Use --json for full output.`
-      );
-    }
-    return;
-  }
-  if (value && typeof value === "object") {
-    const record = value;
-    const hasOnlyOkResult = Object.keys(record).every(
-      (key) => key === "ok" || key === "message"
-    );
-    if (hasOnlyOkResult && "ok" in record && typeof record.ok === "boolean") {
-      console.log(record.ok ? "Success." : "Failed.");
-      if (typeof record.message === "string" && record.message.trim()) {
-        console.log(record.message);
-      }
-      return;
-    }
-    console.log(summarizeRecord(record));
-    return;
-  }
-  console.log(String(value));
-};
-var printValue = (flags, value, options) => {
-  if (shouldOutputJson(flags)) {
-    printJson(value);
-    return;
-  }
-  printHumanValue(value, _optionalChain([options, 'optionalAccess', _ => _.title]));
-  if (_optionalChain([options, 'optionalAccess', _2 => _2.nextSteps]) && options.nextSteps.length > 0) {
-    console.log("\nNext steps:");
-    for (const step of options.nextSteps) {
-      console.log(`- ${step}`);
-    }
-  }
-};
-var parseAliasType = (value, flagName = "--type") => {
-  if (value === "destination" || value === "project" || value === "wallet") {
-    return value;
-  }
-  throw new Error(`${flagName} must be one of: wallet, project, destination`);
-};
-var resolveAliasId = async (type, rawValue) => {
-  const value = rawValue.trim();
-  if (!value) {
-    return "";
-  }
-  const config = await loadConfig();
-  return _nullishCoalesce(config.aliases[type][value], () => ( value));
-};
-var parseNetwork = (value) => {
-  if (value !== "evm" && value !== "solana") {
-    throw new Error("--network must be either evm or solana");
-  }
-  return value;
-};
-var parseApprovalPayload = async (flags) => {
-  const inline = flags["approval-payload-json"];
-  const file = flags["approval-payload-file"];
-  if (!(inline || file)) {
-    return void 0;
-  }
-  if (inline && file) {
-    throw new Error(
-      "Use either --approval-payload-json or --approval-payload-file, not both"
-    );
-  }
-  const raw = inline ? inline : await _promises.readFile.call(void 0, file, "utf8");
-  try {
-    const parsed = JSON.parse(raw);
-    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
-      throw new Error("approval payload must be a JSON object");
-    }
-    return parsed;
-  } catch (error) {
-    throw new Error(
-      `Failed to parse approval payload JSON: ${getErrorMessage(error)}`
-    );
-  }
-};
-var parsePolicyDestinations = async (flags) => {
-  const inline = flags["destinations-json"];
-  const file = flags["destinations-file"];
-  if (!(inline || file)) {
-    throw new Error(
-      "policy put requires exactly one of --destinations-json or --destinations-file"
-    );
-  }
-  if (inline && file) {
-    throw new Error(
-      "policy put requires exactly one of --destinations-json or --destinations-file"
-    );
-  }
-  const raw = inline ? inline : await _promises.readFile.call(void 0, file, "utf8");
-  try {
-    const parsed = JSON.parse(raw);
-    if (!Array.isArray(parsed)) {
-      throw new Error("Policy destinations must be a JSON array");
-    }
-    return parsed;
-  } catch (error) {
-    throw new Error(
-      `Failed to parse policy destinations JSON: ${getErrorMessage(error)}`
-    );
-  }
-};
-var getAuthedClient = async (flags) => {
-  const config = await loadConfig();
-  const token = (_nullishCoalesce(_nullishCoalesce(flags.token, () => ( config.token)), () => ( ""))).trim();
-  if (!token) {
-    throw new Error(
-      "Token is missing. Run `wlfc login --token <token>` or `wlfc login --email <email>` first."
-    );
-  }
-  return _agentwalletsdk.createAgentWalletClient.call(void 0, {
-    baseUrl: resolveBaseUrl(),
-    token
-  });
-};
-var verifySessionToken = async (token) => {
-  const authedClient = _agentwalletsdk.createAgentWalletClient.call(void 0, {
-    baseUrl: resolveBaseUrl(),
-    token
-  });
-  try {
-    await authedClient.listProjects();
-  } catch (error) {
-    if (error instanceof _agentwalletsdk.AgentWalletSdkError && (error.status === 401 || error.status === 403)) {
-      throw new Error("Session token is not authorized");
-    }
-    console.warn(
-      `Warning: session token saved, but backend project query failed: ${getErrorMessage(error)}`
-    );
-  }
-};
-var saveSessionToken = async (token) => {
-  const config = await loadConfig();
-  await saveConfig({
-    ...config,
-    token
-  });
-  console.log("Saved credentials to ~/.config/wlfc-agent/config.json");
-};
-var startCallbackServer = async (options) => {
-  const { port } = options;
-  const client = _agentwalletsdk.createAgentWalletClient.call(void 0, { baseUrl: resolveBaseUrl() });
-  const server = _http.createServer.call(void 0, async (request, response) => {
-    const requestUrl = new URL(_nullishCoalesce(request.url, () => ( "/")), `http://127.0.0.1:${port}`);
-    if (request.method === "GET" && requestUrl.pathname === "/") {
-      response.statusCode = 200;
-      response.setHeader("Content-Type", "text/html; charset=utf-8");
-      response.end(`<!doctype html>
-<html>
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>wlfc callback server</title>
-  </head>
-  <body style="font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; margin: 24px; line-height: 1.5;">
-    <h1>wlfc callback server is running</h1>
-    <p>Open the link from your email. For manual testing:</p>
-    <ul>
-      <li><a href="/login">/login?requestId=&lt;id&gt;</a></li>
-      <li><a href="/register">/register?requestId=&lt;id&gt;</a></li>
-    </ul>
-    <p>This server hosts local login/register pages while your terminal polls backend status.</p>
-  </body>
-</html>`);
-      return;
-    }
-    if (request.method === "GET" && requestUrl.pathname === "/login") {
-      response.statusCode = 200;
-      response.setHeader("Content-Type", "text/html; charset=utf-8");
-      response.end(`<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>wlfc login</title>
-    <style>
-      body { font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; margin: 24px; color: #10212f; background: #f2f5f8; }
-      .panel { max-width: 720px; margin: 0 auto; background: #fff; border: 1px solid #dce3ea; border-radius: 12px; padding: 20px; box-shadow: 0 10px 25px rgba(2, 30, 62, 0.06); }
-      h1 { margin-top: 0; }
-      textarea { width: 100%; min-height: 130px; border: 1px solid #cfd9e3; border-radius: 8px; padding: 10px; box-sizing: border-box; font-size: 14px; }
-      button { border: 0; border-radius: 8px; background: #0d5f4f; color: #fff; padding: 10px 14px; font-weight: 600; cursor: pointer; margin-top: 12px; }
-      code { font-family: ui-monospace, SFMono-Regular, Menlo, monospace; background: #f5f8fb; padding: 2px 6px; border-radius: 6px; border: 1px solid #dbe4ee; }
-      .status { margin-top: 12px; min-height: 20px; font-size: 14px; }
-      .status.error { color: #ab2d2d; }
-      .status.ok { color: #1b7a36; }
-    </style>
-  </head>
-  <body>
-    <main class="panel">
-      <h1>wlfc login</h1>
-      <p>Request ID: <code id="request-id">(missing)</code></p>
-      <p>Paste OTP signature from your CubeSigner login email.</p>
-      <form id="login-form">
-        <textarea id="otp-signature" placeholder="Paste OTP signature or full token" required></textarea>
-        <button type="submit">Complete login</button>
-      </form>
-      <div id="status" class="status"></div>
-    </main>
-    <script>
-      const requestId = (new URLSearchParams(window.location.search).get("requestId") || "").trim();
-      const requestIdEl = document.getElementById("request-id");
-      const form = document.getElementById("login-form");
-      const otpInput = document.getElementById("otp-signature");
-      const statusEl = document.getElementById("status");
-      requestIdEl.textContent = requestId || "(missing)";
-      const setStatus = (text, isError = false) => {
-        statusEl.textContent = text;
-        statusEl.className = "status " + (isError ? "error" : "ok");
-      };
-
-      if (!requestId) {
-        setStatus("Missing requestId query parameter", true);
-        form.style.display = "none";
-      }
-
-      form.addEventListener("submit", async (event) => {
-        event.preventDefault();
-        const otpSignature = (otpInput.value || "").trim();
-        if (!otpSignature) {
-          setStatus("OTP signature is required", true);
-          return;
-        }
-
-        setStatus("Submitting OTP...");
-        try {
-          const response = await fetch("/internal/login/complete", {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body: JSON.stringify({ requestId, otpSignature }),
-          });
-          const payload = await response.json().catch(() => ({}));
-          if (!response.ok) {
-            throw new Error(payload?.message || ("HTTP " + response.status));
-          }
-          setStatus("Success. Login completed. Return to terminal; it is polling for your session.");
-          form.style.display = "none";
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          setStatus(message, true);
-        }
-      });
-    </script>
-  </body>
-</html>`);
-      return;
-    }
-    if (request.method === "GET" && (requestUrl.pathname === "/register" || requestUrl.pathname === "/agent-wallet/register")) {
-      response.statusCode = 200;
-      response.setHeader("Content-Type", "text/html; charset=utf-8");
-      response.end(`<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>wlfc register</title>
-    <style>
-      body { font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; margin: 24px; color: #10212f; background: #f2f5f8; }
-      .panel { max-width: 760px; margin: 0 auto; background: #fff; border: 1px solid #dce3ea; border-radius: 12px; padding: 20px; box-shadow: 0 10px 25px rgba(2, 30, 62, 0.06); }
-      h1 { margin-top: 0; }
-      label { display: block; margin: 10px 0 6px; font-weight: 600; }
-      input { width: 100%; border: 1px solid #cfd9e3; border-radius: 8px; padding: 10px; box-sizing: border-box; font-size: 14px; }
-      button { border: 0; border-radius: 8px; background: #0d5f4f; color: #fff; padding: 10px 14px; font-weight: 600; cursor: pointer; margin-top: 12px; }
-      code { font-family: ui-monospace, SFMono-Regular, Menlo, monospace; background: #f5f8fb; padding: 2px 6px; border-radius: 6px; border: 1px solid #dbe4ee; word-break: break-all; }
-      .status { margin-top: 12px; min-height: 20px; font-size: 14px; }
-      .status.error { color: #ab2d2d; }
-      .status.ok { color: #1b7a36; }
-      .totp-box { margin-top: 16px; padding-top: 16px; border-top: 1px solid #e5ebf2; display: none; }
-      .qr { margin: 10px 0; width: 220px; height: 220px; border: 1px solid #dce3ea; border-radius: 8px; }
-    </style>
-    <script src="https://cdn.jsdelivr.net/npm/qrcodejs@1.0.0/qrcode.min.js"></script>
-  </head>
-  <body>
-    <main class="panel">
-      <h1>wlfc register</h1>
-      <p>Request ID: <code id="request-id">(from query)</code></p>
-      <ol>
-        <li>Open the invite link from your CubeSigner email.</li>
-        <li>Set a password and submit below.</li>
-        <li>Scan TOTP QR, then enter the OTP code.</li>
-      </ol>
-
-      <form id="accept-form">
-        <label for="password">Password</label>
-        <input id="password" type="password" autocomplete="new-password" required />
-        <button type="submit">Accept invite</button>
-      </form>
-
-      <section id="totp-section" class="totp-box">
-        <h2>Set up OTP</h2>
-        <p>Scan this QR code with your authenticator app:</p>
-        <div id="totp-qr" class="qr" aria-label="TOTP QR code"></div>
-        <p><strong>Fallback URL:</strong> <code id="totp-url"></code></p>
-        <form id="totp-form">
-          <label for="otp-code">Current OTP code</label>
-          <input id="otp-code" type="text" inputmode="numeric" pattern="[0-9]*" required />
-          <button type="submit">Complete registration</button>
-        </form>
-      </section>
-
-      <div id="status" class="status"></div>
-    </main>
-    <script>
-      const searchParams = new URLSearchParams(window.location.search);
-      let requestId = (searchParams.get("requestId") || "").trim();
-      const inviteTokenFromQuery = (
-        searchParams.get("inviteToken") ||
-        searchParams.get("token") ||
-        ""
-      ).trim();
-      const inviteProofFromQuery = (
-        searchParams.get("inviteProof") ||
-        searchParams.get("proof") ||
-        ""
-      ).trim();
-      const requestIdEl = document.getElementById("request-id");
-      const acceptForm = document.getElementById("accept-form");
-      const totpSection = document.getElementById("totp-section");
-      const totpForm = document.getElementById("totp-form");
-      const passwordInput = document.getElementById("password");
-      const otpCodeInput = document.getElementById("otp-code");
-      const totpQr = document.getElementById("totp-qr");
-      const totpUrlEl = document.getElementById("totp-url");
-      const statusEl = document.getElementById("status");
-      let totpId = "";
-
-      requestIdEl.textContent = requestId || "(from query)";
-      const setStatus = (text, isError = false) => {
-        statusEl.textContent = text;
-        statusEl.className = "status " + (isError ? "error" : "ok");
-      };
-
-      if (!requestId) {
-        setStatus("Missing requestId query parameter in invite link.", true);
-      }
-
-      if (!(inviteTokenFromQuery || inviteProofFromQuery)) {
-        setStatus("Invite link is missing inviteToken/inviteProof.", true);
-      }
-
-      if (inviteTokenFromQuery && inviteProofFromQuery) {
-        setStatus("Invite link contains both inviteToken and inviteProof; expected only one.", true);
-      }
-
-      acceptForm.addEventListener("submit", async (event) => {
-        event.preventDefault();
-        const password = (passwordInput.value || "").trim();
-
-        if (!password) {
-          setStatus("Password is required", true);
-          return;
-        }
-
-        if (!requestId) {
-          setStatus("Missing requestId query parameter in invite link.", true);
-          return;
-        }
-
-        if (!(inviteTokenFromQuery || inviteProofFromQuery)) {
-          setStatus("Invite link is missing inviteToken/inviteProof.", true);
-          return;
-        }
-
-        if (inviteTokenFromQuery && inviteProofFromQuery) {
-          setStatus("Invite link contains both inviteToken and inviteProof; expected only one.", true);
-          return;
-        }
-
-        setStatus("Accepting invite...");
-        try {
-          const payloadBody = {
-            ...(inviteProofFromQuery
-              ? { inviteProof: inviteProofFromQuery }
-              : { inviteToken: inviteTokenFromQuery }),
-            password,
-            requestId,
-          };
-
-          const response = await fetch("/internal/register/accept", {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body: JSON.stringify(payloadBody),
-          });
-          const payload = await response.json().catch(() => ({}));
-          if (!response.ok) {
-            throw new Error(payload?.message || ("HTTP " + response.status));
-          }
-
-          const nextRequestId = (payload?.requestId || "").trim();
-          totpId = (payload?.totpId || "").trim();
-          const totpUrl = (payload?.totpUrl || "").trim();
-          if (!nextRequestId || !totpId || !totpUrl) {
-            throw new Error("Missing TOTP challenge response");
-          }
-
-          if (typeof window.QRCode !== "function") {
-            throw new Error("QR code library did not load");
-          }
-
-          requestId = nextRequestId;
-          requestIdEl.textContent = requestId;
-          totpQr.innerHTML = "";
-          new window.QRCode(totpQr, {
-            height: 220,
-            text: totpUrl,
-            width: 220,
-          });
-          totpUrlEl.textContent = totpUrl;
-          totpSection.style.display = "block";
-          setStatus("Invite accepted. Scan QR and enter OTP code.");
-          acceptForm.style.display = "none";
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          setStatus(message, true);
-        }
-      });
-
-      totpForm.addEventListener("submit", async (event) => {
-        event.preventDefault();
-        const otpCode = (otpCodeInput.value || "").trim();
-        if (!(requestId && totpId && otpCode)) {
-          setStatus("Request ID, TOTP challenge, and OTP code are required", true);
-          return;
-        }
-
-        setStatus("Verifying OTP...");
-        try {
-          const response = await fetch("/internal/register/complete", {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body: JSON.stringify({ otpCode, requestId, totpId }),
-          });
-          const payload = await response.json().catch(() => ({}));
-          if (!response.ok) {
-            throw new Error(payload?.message || ("HTTP " + response.status));
-          }
-
-          setStatus("Success. Registration completed. Return to terminal; it is polling for your session.");
-          totpForm.style.display = "none";
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          setStatus(message, true);
-        }
-      });
-    </script>
-  </body>
-</html>`);
-      return;
-    }
-    if (request.method === "POST" && requestUrl.pathname === "/internal/login/complete") {
-      try {
-        const rawBody = await readRequestBody(request);
-        const parsed = JSON.parse(rawBody);
-        const payload = await client.wcLoginComplete({
-          otpSignature: typeof parsed.otpSignature === "string" ? parsed.otpSignature : "",
-          requestId: typeof parsed.requestId === "string" ? parsed.requestId : ""
-        });
-        response.statusCode = 200;
-        response.setHeader("Content-Type", "application/json");
-        response.end(JSON.stringify(payload));
-      } catch (error) {
-        const status = error instanceof _agentwalletsdk.AgentWalletSdkError ? error.status : 400;
-        response.statusCode = status;
-        response.setHeader("Content-Type", "application/json");
-        response.end(JSON.stringify(getErrorPayload(error)));
-      }
-      return;
-    }
-    if (request.method === "POST" && requestUrl.pathname === "/internal/register/accept") {
-      try {
-        const rawBody = await readRequestBody(request);
-        const parsed = JSON.parse(rawBody);
-        const payload = await client.wcRegisterAcceptInvite({
-          callbackUrl: typeof parsed.callbackUrl === "string" ? parsed.callbackUrl : "",
-          email: typeof parsed.email === "string" ? parsed.email : "",
-          inviteProof: typeof parsed.inviteProof === "string" ? parsed.inviteProof : "",
-          inviteToken: typeof parsed.inviteToken === "string" ? parsed.inviteToken : "",
-          password: typeof parsed.password === "string" ? parsed.password : "",
-          requestId: typeof parsed.requestId === "string" ? parsed.requestId : ""
-        });
-        response.statusCode = 200;
-        response.setHeader("Content-Type", "application/json");
-        response.end(JSON.stringify(payload));
-      } catch (error) {
-        const status = error instanceof _agentwalletsdk.AgentWalletSdkError ? error.status : 400;
-        response.statusCode = status;
-        response.setHeader("Content-Type", "application/json");
-        response.end(JSON.stringify(getErrorPayload(error)));
-      }
-      return;
-    }
-    if (request.method === "POST" && requestUrl.pathname === "/internal/register/complete") {
-      try {
-        const rawBody = await readRequestBody(request);
-        const parsed = JSON.parse(rawBody);
-        const payload = await client.wcRegisterComplete({
-          otpCode: typeof parsed.otpCode === "string" ? parsed.otpCode : "",
-          requestId: typeof parsed.requestId === "string" ? parsed.requestId : "",
-          totpId: typeof parsed.totpId === "string" ? parsed.totpId : ""
-        });
-        response.statusCode = 200;
-        response.setHeader("Content-Type", "application/json");
-        response.end(JSON.stringify(payload));
-      } catch (error) {
-        const status = error instanceof _agentwalletsdk.AgentWalletSdkError ? error.status : 400;
-        response.statusCode = status;
-        response.setHeader("Content-Type", "application/json");
-        response.end(JSON.stringify(getErrorPayload(error)));
-      }
-      return;
-    }
-    if (requestUrl.pathname === "/callback") {
-      response.statusCode = 410;
-      response.setHeader("Content-Type", "application/json");
-      response.end(
-        JSON.stringify({
-          message: "Callback endpoint is no longer used. Complete the flow in browser and wait for CLI polling."
-        })
-      );
-      return;
-    }
-    response.statusCode = 404;
-    response.setHeader("Content-Type", "application/json");
-    response.end(JSON.stringify({ message: "Not found" }));
-  });
-  await new Promise((resolve, reject) => {
-    server.once("error", (error) => {
-      reject(error);
-    });
-    server.listen(port, "127.0.0.1", () => {
-      resolve();
-    });
-  });
-  const close = async () => {
-    await new Promise((resolve) => {
-      server.close(() => resolve());
-    });
-  };
-  return {
-    callbackUrl: `http://127.0.0.1:${port}/callback`,
-    close
-  };
-};
-var login = async (args, flags) => {
-  const token = (_nullishCoalesce(flags.token, () => ( ""))).trim();
-  if (token) {
-    await verifySessionToken(token);
-    await saveSessionToken(token);
-    return;
-  }
-  const email = (_nullishCoalesce(_nullishCoalesce(flags.email, () => ( args[0])), () => ( ""))).trim().toLowerCase();
-  if (!email) {
-    throw new Error(
-      "login requires --token <token> or --email <email>. Run `wlfc login --help` for details."
-    );
-  }
-  const password = (await _prompts.password.call(void 0, { message: `Password for ${email}` })).trim();
-  if (!password) {
-    throw new Error("Password is required");
-  }
-  const client = _agentwalletsdk.createAgentWalletClient.call(void 0, { baseUrl: resolveBaseUrl() });
-  let otpCode = (_nullishCoalesce(flags.otp, () => ( ""))).trim();
-  let loginResult;
-  try {
-    loginResult = await client.wcLoginPassword({
-      email,
-      ...otpCode ? { otpCode } : {},
-      password
-    });
-  } catch (error) {
-    const message = getErrorMessage(error);
-    if (!otpCode && message.includes("TOTP code is required")) {
-      otpCode = (await _prompts.input.call(void 0, { message: "TOTP code" })).trim();
-      if (!otpCode) {
-        throw new Error("TOTP code is required");
-      }
-      loginResult = await client.wcLoginPassword({
-        email,
-        otpCode,
-        password
-      });
-    } else {
-      throw error;
-    }
-  }
-  if (!loginResult.token) {
-    throw new Error("Login response did not include a session token");
-  }
-  await verifySessionToken(loginResult.token);
-  await saveSessionToken(loginResult.token);
-};
-var register = async (args, flags) => {
-  const email = _optionalChain([args, 'access', _3 => _3[0], 'optionalAccess', _4 => _4.trim, 'call', _5 => _5(), 'access', _6 => _6.toLowerCase, 'call', _7 => _7()]);
-  if (!email) {
-    throw new Error("register requires an email argument");
-  }
-  const callbackPort = parseCallbackPort(flags["callback-port"]);
-  const callback = await startCallbackServer({
-    port: callbackPort
-  });
-  const client = _agentwalletsdk.createAgentWalletClient.call(void 0, {
-    baseUrl: resolveBaseUrl()
-  });
-  try {
-    const start = await client.wcRegisterStart({
-      callbackUrl: callback.callbackUrl,
-      email
-    });
-    console.log("Check your email. We sent you a registration link.");
-    console.log(
-      "Open the link from your email. It already includes requestId and invite token/proof."
-    );
-    if (!start.emailSent) {
-      console.log(
-        `Email delivery is unavailable in this environment. Open this local link instead:
-${start.setupUrl}`
-      );
-    }
-    console.log("Waiting for registration completion...");
-    const callbackToken = await waitForWcCompletionToken(
-      client,
-      start.requestId
-    );
-    await verifySessionToken(callbackToken);
-    await saveSessionToken(callbackToken);
-  } finally {
-    await callback.close();
-  }
-};
-var logout = async () => {
-  const config = await loadConfig();
-  await saveConfig({
-    aliases: config.aliases
-  });
-  console.log("Cleared session token from ~/.config/wlfc-agent/config.json");
-};
-var printDoctorReport = (flags, report) => {
-  if (shouldOutputJson(flags)) {
-    printJson(report);
-    return;
-  }
-  console.log(`Doctor report (${report.generatedAt})`);
-  console.log(`Backend URL: ${report.baseUrl}`);
-  for (const check of report.checks) {
-    let marker = "[FAIL]";
-    if (check.status === "ok") {
-      marker = "[OK] ";
-    } else if (check.status === "warn") {
-      marker = "[WARN]";
-    }
-    console.log(`${marker} ${check.name}: ${check.detail}`);
-  }
-};
-var doctor = async (flags) => {
-  const baseUrl = resolveBaseUrl();
-  const checks = [];
-  try {
-    const response = await fetch(`${baseUrl}/rest/custody/agent/pay`, {
-      body: "{}",
-      headers: {
-        "content-type": "application/json"
-      },
-      method: "POST"
-    });
-    checks.push({
-      detail: `Reachable (HTTP ${response.status})`,
-      name: "backend",
-      status: "ok"
-    });
-  } catch (error) {
-    checks.push({
-      detail: getErrorMessage(error),
-      name: "backend",
-      status: "fail"
-    });
-  }
-  const config = await loadConfig();
-  if (config.token) {
-    checks.push({
-      detail: "Session token is configured",
-      name: "token",
-      status: "ok"
-    });
-  } else {
-    checks.push({
-      detail: "No session token configured. Run `wlfc login`.",
-      name: "token",
-      status: "warn"
-    });
-  }
-  const aliasCount = Object.values(config.aliases).reduce(
-    (count, aliasMap) => count + Object.keys(aliasMap).length,
-    0
-  );
-  checks.push({
-    detail: aliasCount > 0 ? `${aliasCount} alias(es) configured` : "No aliases configured",
-    name: "aliases",
-    status: aliasCount > 0 ? "ok" : "warn"
-  });
-  try {
-    const files = await _promises.readdir.call(void 0, OTP_DIR);
-    const otpFileContents = await Promise.all(
-      files.map(async (filename) => {
-        const fullPath = _path2.default.join(OTP_DIR, filename);
-        return (await _promises.readFile.call(void 0, fullPath, "utf8")).trim();
-      })
-    );
-    const otpSecrets = otpFileContents.reduce((count, content) => {
-      if (!content.startsWith("otpauth://")) {
-        return count;
-      }
-      const secret = new URL(content).searchParams.get("secret");
-      return _optionalChain([secret, 'optionalAccess', _8 => _8.trim, 'call', _9 => _9()]) ? count + 1 : count;
-    }, 0);
-    checks.push({
-      detail: otpSecrets > 0 ? `${otpSecrets} OTP secret file(s) found in ${OTP_DIR}` : `No valid OTP secret found in ${OTP_DIR}`,
-      name: "otp",
-      status: otpSecrets > 0 ? "ok" : "warn"
-    });
-  } catch (e2) {
-    checks.push({
-      detail: `Directory not found: ${OTP_DIR}`,
-      name: "otp",
-      status: "warn"
-    });
-  }
-  if (config.token) {
-    const client = _agentwalletsdk.createAgentWalletClient.call(void 0, {
-      baseUrl,
-      token: config.token
-    });
-    try {
-      const projects = await client.listProjects();
-      checks.push({
-        detail: `Token valid (${projects.length} visible project(s))`,
-        name: "auth",
-        status: "ok"
-      });
-    } catch (error) {
-      checks.push({
-        detail: getErrorMessage(error),
-        name: "auth",
-        status: "fail"
-      });
-    }
-    try {
-      const wallets = await client.listWallets();
-      checks.push({
-        detail: `${wallets.length} wallet(s) visible`,
-        name: "wallet visibility",
-        status: wallets.length > 0 ? "ok" : "warn"
-      });
-    } catch (error) {
-      checks.push({
-        detail: getErrorMessage(error),
-        name: "wallet visibility",
-        status: "fail"
-      });
-    }
-    try {
-      const configs = await client.listWalletConfigs();
-      const activePolicies = configs.filter(
-        (configItem) => Boolean(configItem.policy) && _optionalChain([configItem, 'access', _10 => _10.policy, 'optionalAccess', _11 => _11.status]) !== "deleted"
-      ).length;
-      checks.push({
-        detail: `${activePolicies} wallet policy config(s) visible`,
-        name: "policy visibility",
-        status: activePolicies > 0 ? "ok" : "warn"
-      });
-    } catch (error) {
-      checks.push({
-        detail: getErrorMessage(error),
-        name: "policy visibility",
-        status: "fail"
-      });
-    }
-  }
-  printDoctorReport(flags, {
-    baseUrl,
-    checks,
-    generatedAt: (/* @__PURE__ */ new Date()).toISOString()
-  });
-};
-var aliasList = async (flags) => {
-  const config = await loadConfig();
-  const typeRaw = (_nullishCoalesce(flags.type, () => ( ""))).trim();
-  if (!typeRaw) {
-    const entries2 = Object.keys(config.aliases).flatMap(
-      (aliasType) => Object.entries(config.aliases[aliasType]).map(([alias, id]) => ({
-        alias,
-        id,
-        type: aliasType
-      }))
-    );
-    printValue(flags, entries2, {
-      title: "Aliases"
-    });
-    return;
-  }
-  const type = parseAliasType(typeRaw);
-  const entries = Object.entries(config.aliases[type]).map(([alias, id]) => ({
-    alias,
-    id,
-    type
-  }));
-  printValue(flags, entries, {
-    title: `${type} aliases`
-  });
-};
-var aliasSet = async (flags) => {
-  const type = parseAliasType((_nullishCoalesce(flags.type, () => ( ""))).trim());
-  const name = (_nullishCoalesce(flags.name, () => ( ""))).trim();
-  const id = (_nullishCoalesce(flags.id, () => ( ""))).trim();
-  if (!(name && id)) {
-    throw new Error("alias set requires --type, --name, and --id");
-  }
-  const config = await loadConfig();
-  const nextAliases = {
-    ...config.aliases,
-    [type]: {
-      ...config.aliases[type],
-      [name]: id
-    }
-  };
-  await saveConfig({
-    ...config,
-    aliases: nextAliases
-  });
-  printValue(
-    flags,
-    { alias: name, id, type },
-    {
-      nextSteps: [
-        `Use --${type}-id ${name} in CLI commands to resolve to ${id}`
-      ],
-      title: "Alias saved"
-    }
-  );
-};
-var aliasRemove = async (flags) => {
-  const type = parseAliasType((_nullishCoalesce(flags.type, () => ( ""))).trim());
-  const name = (_nullishCoalesce(flags.name, () => ( ""))).trim();
-  if (!name) {
-    throw new Error("alias rm requires --type and --name");
-  }
-  const config = await loadConfig();
-  if (!(name in config.aliases[type])) {
-    throw new Error(`Alias not found: ${name}`);
-  }
-  const nextTypeAliases = { ...config.aliases[type] };
-  delete nextTypeAliases[name];
-  await saveConfig({
-    ...config,
-    aliases: {
-      ...config.aliases,
-      [type]: nextTypeAliases
-    }
-  });
-  printValue(
-    flags,
-    { ok: true },
-    {
-      title: `Removed alias ${name} (${type})`
-    }
-  );
-};
-var walletList = async (flags) => {
-  const client = await getAuthedClient(flags);
-  const wallets = await client.listWallets();
-  printValue(flags, wallets, {
-    title: "Wallets"
-  });
-};
-var walletNew = async (flags) => {
-  const projectIdInput = (_nullishCoalesce(flags["project-id"], () => ( ""))).trim();
-  const label = (_nullishCoalesce(flags.label, () => ( ""))).trim();
-  const network = (_nullishCoalesce(flags.network, () => ( DEFAULT_WALLET_NETWORK))).trim();
-  const chainId = (_nullishCoalesce(flags["chain-id"], () => ( String(DEFAULT_WALLET_CHAIN_ID)))).trim();
-  if (!(projectIdInput && label)) {
-    throw new Error("wallet new requires --project-id and --label");
-  }
-  const projectId = await resolveAliasId("project", projectIdInput);
-  const client = await getAuthedClient(flags);
-  const wallet = await client.createWallet({
-    chainId: parsePositiveInteger(chainId, "--chain-id"),
-    label,
-    network: parseNetwork(network),
-    projectId
-  });
-  printValue(flags, wallet, {
-    nextSteps: [
-      `wlfc alias set --type wallet --name <name> --id ${_nullishCoalesce(wallet.id, () => ( "<wallet-id>"))}`,
-      `wlfc agent-key new --wallet-id ${_nullishCoalesce(wallet.id, () => ( "<wallet-id>"))}`
-    ],
-    title: "Wallet created"
-  });
-};
-var walletBalances = async (flags) => {
-  const client = await getAuthedClient(flags);
-  const balances = await client.listWalletBalances();
-  printValue(flags, balances, {
-    title: "Wallet balances"
-  });
-};
-var walletConfigs = async (flags) => {
-  const client = await getAuthedClient(flags);
-  const configs = await client.listWalletConfigs();
-  printValue(flags, configs, {
-    title: "Wallet configs"
-  });
-};
-var walletAuditLogs = async (flags) => {
-  const walletIdInput = (_nullishCoalesce(flags["wallet-id"], () => ( ""))).trim();
-  if (!walletIdInput) {
-    throw new Error("wallet audit-logs requires --wallet-id <id>");
-  }
-  const limitRaw = (_nullishCoalesce(flags.limit, () => ( ""))).trim();
-  const walletId = await resolveAliasId("wallet", walletIdInput);
-  const client = await getAuthedClient(flags);
-  const logs = await client.listWalletAuditLogs({
-    action: flags.action,
-    browser: flags.browser,
-    cursor: flags.cursor,
-    ipAddress: flags["ip-address"],
-    ...limitRaw ? { limit: parsePositiveInteger(limitRaw, "--limit") } : {},
-    location: flags.location,
-    query: flags.query,
-    user: flags.user,
-    walletId
-  });
-  printValue(flags, logs, {
-    title: "Wallet audit logs"
-  });
-};
-var destinationList = async (flags) => {
-  const client = await getAuthedClient(flags);
-  const destinations = await client.listDestinations();
-  printValue(flags, destinations, {
-    title: "Destinations"
-  });
-};
-var destinationNew = async (flags) => {
-  const projectIdInput = (_nullishCoalesce(flags["project-id"], () => ( ""))).trim();
-  const label = (_nullishCoalesce(flags.label, () => ( ""))).trim();
-  const network = (_nullishCoalesce(flags.network, () => ( ""))).trim();
-  const chainId = (_nullishCoalesce(flags["chain-id"], () => ( ""))).trim();
-  const address = (_nullishCoalesce(_nullishCoalesce(_nullishCoalesce(flags.address, () => ( flags["vendor-address"])), () => ( flags["destination-address"])), () => ( ""))).trim();
-  if (!(projectIdInput && label && network && chainId && address)) {
-    throw new Error(
-      "destination new requires --project-id, --label, --network, --chain-id, and --address"
-    );
-  }
-  const projectId = await resolveAliasId("project", projectIdInput);
-  const client = await getAuthedClient(flags);
-  const destination = await client.createDestination({
-    chainId: parsePositiveInteger(chainId, "--chain-id"),
-    label,
-    network: parseNetwork(network),
-    projectId,
-    vendor_address: address
-  });
-  printValue(flags, destination, {
-    nextSteps: [
-      `wlfc alias set --type destination --name <name> --id ${_nullishCoalesce(destination.id, () => ( "<destination-id>"))}`,
-      "wlfc policy put --wallet-id <wallet-id-or-alias> --destinations-file ./policy.json"
-    ],
-    title: "Destination created"
-  });
-};
-var agentKeyList = async (flags) => {
-  const client = await getAuthedClient(flags);
-  const agentKeys = await client.listAgentKeys();
-  printValue(flags, agentKeys, {
-    title: "Agent keys"
-  });
-};
-var agentKeyGet = async (flags) => {
-  const id = (_nullishCoalesce(_nullishCoalesce(flags.id, () => ( flags["agent-key-id"])), () => ( ""))).trim();
-  if (!id) {
-    throw new Error("agent-key get requires --id <agent-key-id>");
-  }
-  const client = await getAuthedClient(flags);
-  const agentKey = await client.getAgentKey(id);
-  printValue(flags, agentKey, {
-    title: "Agent key"
-  });
-};
-var agentKeyNew = async (flags) => {
-  const walletIdInput = (_nullishCoalesce(flags["wallet-id"], () => ( ""))).trim();
-  if (!walletIdInput) {
-    throw new Error("agent-key new requires --wallet-id <id>");
-  }
-  const walletId = await resolveAliasId("wallet", walletIdInput);
-  const client = await getAuthedClient(flags);
-  const created = await client.createAgentKey({ walletId });
-  const keyValue = typeof created.key === "string" ? _nullishCoalesce(created.key, () => ( "")) : "";
-  printValue(flags, created, {
-    nextSteps: [
-      keyValue ? `wlfa login --agent-key ${keyValue}` : "wlfa login --agent-key <key-from-output>",
-      "wlfa pay --address <destination> --amount <amount>"
-    ],
-    title: "Agent key created"
-  });
-};
-var agentKeyRemove = async (flags) => {
-  const id = (_nullishCoalesce(_nullishCoalesce(flags.id, () => ( flags["agent-key-id"])), () => ( ""))).trim();
-  if (!id) {
-    throw new Error("agent-key rm requires --id <agent-key-id>");
-  }
-  const client = await getAuthedClient(flags);
-  const deleted = await client.deleteAgentKey(id);
-  printValue(flags, deleted, {
-    title: "Agent key revoked"
-  });
-};
-var policyGet = async (flags) => {
-  const walletIdInput = (_nullishCoalesce(flags["wallet-id"], () => ( ""))).trim();
-  if (!walletIdInput) {
-    throw new Error("policy get requires --wallet-id <id>");
-  }
-  const walletId = await resolveAliasId("wallet", walletIdInput);
-  const client = await getAuthedClient(flags);
-  const policy = await client.getPolicy(walletId);
-  printValue(flags, policy, {
-    title: "Policy"
-  });
-};
-var policyPut = async (flags) => {
-  const walletIdInput = (_nullishCoalesce(flags["wallet-id"], () => ( ""))).trim();
-  if (!walletIdInput) {
-    throw new Error("policy put requires --wallet-id <id>");
-  }
-  const walletId = await resolveAliasId("wallet", walletIdInput);
-  const destinations = await parsePolicyDestinations(flags);
-  const client = await getAuthedClient(flags);
-  const updated = await client.putPolicy({
-    destinations,
-    walletId
-  });
-  printValue(flags, updated, {
-    nextSteps: [
-      "wlfa pay --address <destination-address> --amount <amount>",
-      `wlfc wallet audit-logs --wallet-id ${walletId}`
-    ],
-    title: "Policy updated"
-  });
-};
-var policyRemove = async (flags) => {
-  const walletIdInput = (_nullishCoalesce(flags["wallet-id"], () => ( ""))).trim();
-  if (!walletIdInput) {
-    throw new Error("policy rm requires --wallet-id <id>");
-  }
-  const walletId = await resolveAliasId("wallet", walletIdInput);
-  const client = await getAuthedClient(flags);
-  const removed = await client.deletePolicy(walletId);
-  printValue(flags, removed, {
-    title: "Policy removed"
-  });
-};
-var projectList = async (flags) => {
-  const client = await getAuthedClient(flags);
-  const projects = await client.listProjects();
-  printValue(flags, projects, {
-    title: "Projects"
-  });
-};
-var projectNew = async (args, flags) => {
-  const projectName = (_nullishCoalesce(_nullishCoalesce(_nullishCoalesce(flags.name, () => ( flags["project-name"])), () => ( args[0])), () => ( ""))).trim();
-  if (!projectName) {
-    throw new Error("project new requires --name <project-name>");
-  }
-  const client = await getAuthedClient(flags);
-  const project = await client.createProject({ projectName });
-  printValue(flags, project, {
-    nextSteps: [
-      `wlfc alias set --type project --name <name> --id ${_nullishCoalesce(project.id, () => ( "<project-id>"))}`,
-      `wlfc wallet new --project-id ${_nullishCoalesce(project.id, () => ( "<project-id>"))} --label <wallet-label>`
-    ],
-    title: "Project created"
-  });
-};
-var approvalList = async (flags) => {
-  const limitRaw = (_nullishCoalesce(flags.limit, () => ( ""))).trim();
-  const walletIdInput = (_nullishCoalesce(flags["wallet-id"], () => ( ""))).trim();
-  const walletId = walletIdInput ? await resolveAliasId("wallet", walletIdInput) : void 0;
-  const client = await getAuthedClient(flags);
-  const approvals = await client.listPendingApprovals({
-    ...limitRaw ? { limit: parsePositiveInteger(limitRaw, "--limit") } : {},
-    ...walletId ? { walletId } : {}
-  });
-  printValue(flags, approvals, {
-    title: "Pending approvals"
-  });
-};
-var approvalApprove = async (flags) => {
-  const approveId = (_nullishCoalesce(_nullishCoalesce(flags.id, () => ( flags["approve-id"])), () => ( ""))).trim();
-  const mfaType = (_nullishCoalesce(flags["mfa-type"], () => ( ""))).trim();
-  const otp = (_nullishCoalesce(flags.otp, () => ( ""))).trim();
-  if (!approveId) {
-    throw new Error("approval approve requires --id <approve-id>");
-  }
-  const approvalPayload = await parseApprovalPayload(flags);
-  const client = await getAuthedClient(flags);
-  const runApprove = async (otpCode) => client.approveManual({
-    ...approvalPayload ? { approvalPayload } : {},
-    approveId,
-    ...mfaType ? { mfaType } : {},
-    ...otpCode ? { otp: otpCode } : {}
-  });
-  let approved;
-  try {
-    approved = await runApprove(otp || void 0);
-  } catch (error) {
-    if (!otp && getErrorMessage(error).toLowerCase().includes("otp code is required")) {
-      const promptedOtp = (await _prompts.input.call(void 0, { message: "TOTP code" })).trim();
-      if (!promptedOtp) {
-        throw new Error("TOTP code is required");
-      }
-      approved = await runApprove(promptedOtp);
-    } else {
-      throw error;
-    }
-  }
-  printValue(flags, approved, {
-    nextSteps: [
-      "wlfc approval ls",
-      "wlfc wallet audit-logs --wallet-id <wallet-id-or-alias>"
-    ],
-    title: "Approval submitted"
-  });
-};
-var parseWebhookEventType = (value) => {
-  if (value === "approval" || value === "payment") {
-    return value;
-  }
-  throw new Error("--event-type must be either approval or payment");
-};
-var parseWebhookStatus = (value) => {
-  if (value === "active" || value === "disabled") {
-    return value;
-  }
-  throw new Error("--status must be either active or disabled");
-};
-var webhookList = async (flags) => {
-  const client = await getAuthedClient(flags);
-  const webhooks = await client.listWebhooks();
-  printValue(flags, webhooks, {
-    title: "Webhooks"
-  });
-};
-var webhookGet = async (flags) => {
-  const webhookId = (_nullishCoalesce(_nullishCoalesce(flags.id, () => ( flags["webhook-id"])), () => ( ""))).trim();
-  if (!webhookId) {
-    throw new Error("webhook get requires --id <webhook-id>");
-  }
-  const client = await getAuthedClient(flags);
-  const webhook = await client.getWebhook(webhookId);
-  printValue(flags, webhook, {
-    title: "Webhook"
-  });
-};
-var webhookNew = async (flags) => {
-  const projectIdInput = (_nullishCoalesce(flags["project-id"], () => ( ""))).trim();
-  const eventTypeRaw = (_nullishCoalesce(flags["event-type"], () => ( ""))).trim();
-  const url = (_nullishCoalesce(flags.url, () => ( ""))).trim();
-  const secret = (_nullishCoalesce(flags.secret, () => ( ""))).trim();
-  if (!(projectIdInput && eventTypeRaw && url)) {
-    throw new Error(
-      "webhook new requires --project-id, --event-type, and --url"
-    );
-  }
-  const projectId = await resolveAliasId("project", projectIdInput);
-  const client = await getAuthedClient(flags);
-  const webhook = await client.createWebhook({
-    eventType: parseWebhookEventType(eventTypeRaw),
-    projectId,
-    ...secret ? { secret } : {},
-    url
-  });
-  printValue(flags, webhook, {
-    nextSteps: [
-      `wlfc webhook test --id ${_nullishCoalesce(webhook.id, () => ( "<webhook-id>"))}`,
-      `wlfc webhook deliveries --id ${_nullishCoalesce(webhook.id, () => ( "<webhook-id>"))}`
-    ],
-    title: "Webhook created"
-  });
-};
-var webhookUpdate = async (flags) => {
-  const webhookId = (_nullishCoalesce(_nullishCoalesce(flags.id, () => ( flags["webhook-id"])), () => ( ""))).trim();
-  const eventTypeRaw = (_nullishCoalesce(flags["event-type"], () => ( ""))).trim();
-  const statusRaw = (_nullishCoalesce(flags.status, () => ( ""))).trim();
-  const url = (_nullishCoalesce(flags.url, () => ( ""))).trim();
-  const secret = (_nullishCoalesce(flags.secret, () => ( ""))).trim();
-  if (!webhookId) {
-    throw new Error("webhook update requires --id <webhook-id>");
-  }
-  if (!(eventTypeRaw || statusRaw || url || secret)) {
-    throw new Error(
-      "webhook update requires at least one of --event-type, --status, --url, or --secret"
-    );
-  }
-  const client = await getAuthedClient(flags);
-  const updated = await client.updateWebhook({
-    ...eventTypeRaw ? { eventType: parseWebhookEventType(eventTypeRaw) } : {},
-    ...secret ? { secret } : {},
-    ...statusRaw ? { status: parseWebhookStatus(statusRaw) } : {},
-    ...url ? { url } : {},
-    webhookId
-  });
-  printValue(flags, updated, {
-    title: "Webhook updated"
-  });
-};
-var webhookRemove = async (flags) => {
-  const webhookId = (_nullishCoalesce(_nullishCoalesce(flags.id, () => ( flags["webhook-id"])), () => ( ""))).trim();
-  if (!webhookId) {
-    throw new Error("webhook rm requires --id <webhook-id>");
-  }
-  const client = await getAuthedClient(flags);
-  const removed = await client.deleteWebhook(webhookId);
-  printValue(flags, removed, {
-    title: "Webhook removed"
-  });
-};
-var webhookDeliveries = async (flags) => {
-  const webhookId = (_nullishCoalesce(_nullishCoalesce(flags.id, () => ( flags["webhook-id"])), () => ( ""))).trim();
-  if (!webhookId) {
-    throw new Error("webhook deliveries requires --id <webhook-id>");
-  }
-  const limitRaw = (_nullishCoalesce(flags.limit, () => ( ""))).trim();
-  const config = await loadConfig();
-  const token = (_nullishCoalesce(_nullishCoalesce(flags.token, () => ( config.token)), () => ( ""))).trim();
-  if (!token) {
-    throw new Error(
-      "Token is missing. Run `wlfc login --token <token>` or `wlfc login --email <email>` first."
-    );
-  }
-  const url = new URL(
-    `${resolveBaseUrl()}/rest/custody/agent/webhooks/${encodeURIComponent(webhookId)}/deliveries`
-  );
-  if (limitRaw) {
-    url.searchParams.set(
-      "limit",
-      String(parsePositiveInteger(limitRaw, "--limit"))
-    );
-  }
-  const response = await fetch(url, {
-    headers: {
-      Authorization: token
-    },
-    method: "GET"
-  });
-  const payload = await response.json().catch(async () => ({
-    message: await response.text().catch(() => "Unknown error")
-  }));
-  if (!response.ok) {
-    if (typeof payload === "object" && payload !== null && "message" in payload && typeof payload.message === "string") {
-      throw new Error(payload.message);
-    }
-    throw new Error(
-      `Failed to list webhook deliveries (HTTP ${response.status})`
-    );
-  }
-  printValue(flags, payload, {
-    title: "Webhook deliveries"
-  });
-};
-var webhookTest = async (flags) => {
-  const webhookId = (_nullishCoalesce(_nullishCoalesce(flags.id, () => ( flags["webhook-id"])), () => ( ""))).trim();
-  if (!webhookId) {
-    throw new Error("webhook test requires --id <webhook-id>");
-  }
-  const client = await getAuthedClient(flags);
-  const webhook = await client.getWebhook(webhookId);
-  const eventType = webhook.eventType === "approval" ? "approval" : "payment";
-  const payload = eventType === "approval" ? {
-    approveId: `test_approve_${Date.now()}`,
-    paymentId: `test_payment_${Date.now()}`,
-    status: "success",
-    txHash: `0xtest${Date.now().toString(16)}`,
-    walletId: "test_wallet"
-  } : {
-    destinationAddress: "0x0000000000000000000000000000000000000000",
-    paymentId: `test_payment_${Date.now()}`,
-    reason: "webhook_test_event",
-    status: "failed",
-    walletId: "test_wallet"
-  };
-  const response = await fetch(webhook.url, {
-    body: JSON.stringify(payload),
-    headers: {
-      "content-type": "application/json",
-      "x-wlfc-webhook-test": "true"
-    },
-    method: "POST"
-  });
-  const responseBody = (await response.text()).slice(0, 1e3);
-  printValue(
-    flags,
-    {
-      eventType,
-      ok: response.ok,
-      responseBody,
-      statusCode: response.status,
-      webhookId,
-      webhookUrl: webhook.url
-    },
-    {
-      nextSteps: [`wlfc webhook deliveries --id ${webhookId}`],
-      title: "Webhook test result"
-    }
-  );
-};
-var withCommandOptions = (command, options = {}) => {
-  const { auth = false, json = true } = options;
-  if (json) {
-    withJsonOption(command);
-  }
-  if (auth) {
-    withTokenOption(command);
-  }
-  withUnsupportedBaseUrlOption(command);
-  return command;
-};
-var createProgram = () => {
-  const program = new (0, _commander.Command)();
-  program.name("wlfc").description("WLFI Custody CLI").showHelpAfterError().showSuggestionAfterError().addHelpText(
-    "after",
-    `
-Environment:
-  WLFI_AGENT_BACKEND_URL  Backend URL override (default: ${_agentwalletsdk.DEFAULT_BASE_URL})
-`
-  );
-  withUnsupportedBaseUrlOption(program);
-  withCommandOptions(
-    program.command("login [email]").description("Login with token or email/password").option("--email <email>", "Email address").option("--otp <code>", "TOTP code"),
-    { auth: true, json: false }
-  ).action(async (emailArg, _options, command) => {
-    const flags = getCommandFlags(command);
-    await login(emailArg ? [emailArg] : [], flags);
-  });
-  withCommandOptions(
-    program.command("register <email>").description("Start registration flow").option(
-      "--callback-port <port>",
-      "Local callback TCP port",
-      String(DEFAULT_CALLBACK_PORT)
-    ),
-    { json: false }
-  ).action(async (emailArg, _options, command) => {
-    const flags = getCommandFlags(command);
-    await register([emailArg], flags);
-  });
-  withCommandOptions(program.command("doctor").description("Run diagnostics"), {
-    json: true
-  }).action(async (_options, command) => {
-    await doctor(getCommandFlags(command));
-  });
-  withCommandOptions(
-    program.command("logout").description("Clear saved session token"),
-    { json: false }
-  ).action(async () => {
-    await logout();
-  });
-  const alias = program.command("alias").description("Manage aliases");
-  withCommandOptions(
-    alias.command("ls").description("List aliases").option("--type <wallet|project|destination>", "Filter alias type"),
-    { json: true }
-  ).action(async (_options, command) => {
-    await aliasList(getCommandFlags(command));
-  });
-  withCommandOptions(
-    alias.command("set").description("Set alias mapping").requiredOption("--type <wallet|project|destination>", "Alias type").requiredOption("--name <alias>", "Alias name").requiredOption("--id <resource-id>", "Resource id"),
-    { json: true }
-  ).action(async (_options, command) => {
-    await aliasSet(getCommandFlags(command));
-  });
-  withCommandOptions(
-    alias.command("rm").description("Remove alias mapping").requiredOption("--type <wallet|project|destination>", "Alias type").requiredOption("--name <alias>", "Alias name"),
-    { json: true }
-  ).action(async (_options, command) => {
-    await aliasRemove(getCommandFlags(command));
-  });
-  const destination = program.command("destination").description("Manage destinations");
-  withCommandOptions(
-    destination.command("ls").description("List destinations"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await destinationList(getCommandFlags(command));
-  });
-  withCommandOptions(
-    destination.command("new").description("Create destination").requiredOption("--project-id <id>", "Project id or alias").requiredOption("--label <label>", "Destination label").requiredOption("--network <evm|solana>", "Destination network").requiredOption("--chain-id <id>", "Chain id").requiredOption("--address <address>", "Destination address").addOption(new (0, _commander.Option)("--vendor-address <address>").hideHelp()).addOption(new (0, _commander.Option)("--destination-address <address>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await destinationNew(getCommandFlags(command));
-  });
-  const agentKey = program.command("agent-key").description("Manage agent keys");
-  withCommandOptions(agentKey.command("ls").description("List agent keys"), {
-    auth: true,
-    json: true
-  }).action(async (_options, command) => {
-    await agentKeyList(getCommandFlags(command));
-  });
-  withCommandOptions(
-    agentKey.command("get").description("Get one agent key").option("--id <agent-key-id>", "Agent key id").addOption(new (0, _commander.Option)("--agent-key-id <agent-key-id>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await agentKeyGet(getCommandFlags(command));
-  });
-  withCommandOptions(
-    agentKey.command("new").description("Create agent key").requiredOption("--wallet-id <id>", "Wallet id or alias"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await agentKeyNew(getCommandFlags(command));
-  });
-  withCommandOptions(
-    agentKey.command("rm").description("Revoke agent key").option("--id <agent-key-id>", "Agent key id").addOption(new (0, _commander.Option)("--agent-key-id <agent-key-id>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await agentKeyRemove(getCommandFlags(command));
-  });
-  const policy = program.command("policy").description("Manage wallet policy");
-  withCommandOptions(
-    policy.command("get").description("Get policy").requiredOption("--wallet-id <id>", "Wallet id or alias"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await policyGet(getCommandFlags(command));
-  });
-  withCommandOptions(
-    policy.command("put").description("Create or update policy").requiredOption("--wallet-id <id>", "Wallet id or alias").option("--destinations-json <json>", "Inline JSON destinations array").option("--destinations-file <path>", "Path to destinations JSON"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await policyPut(getCommandFlags(command));
-  });
-  withCommandOptions(
-    policy.command("rm").description("Delete policy").requiredOption("--wallet-id <id>", "Wallet id or alias"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await policyRemove(getCommandFlags(command));
-  });
-  const project = program.command("project").description("Manage projects");
-  withCommandOptions(project.command("ls").description("List projects"), {
-    auth: true,
-    json: true
-  }).action(async (_options, command) => {
-    await projectList(getCommandFlags(command));
-  });
-  withCommandOptions(
-    project.command("new [name]").description("Create project").option("--name <project-name>", "Project name").addOption(new (0, _commander.Option)("--project-name <project-name>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (nameArg, _options, command) => {
-    const flags = getCommandFlags(command);
-    await projectNew(nameArg ? [nameArg] : [], flags);
-  });
-  const wallet = program.command("wallet").description("Manage wallets");
-  withCommandOptions(wallet.command("ls").description("List wallets"), {
-    auth: true,
-    json: true
-  }).action(async (_options, command) => {
-    await walletList(getCommandFlags(command));
-  });
-  withCommandOptions(
-    wallet.command("new").description("Create wallet").requiredOption("--project-id <id>", "Project id or alias").requiredOption("--label <label>", "Wallet label").option(
-      "--network <evm|solana>",
-      "Wallet network",
-      DEFAULT_WALLET_NETWORK
-    ).option("--chain-id <id>", "Chain id", String(DEFAULT_WALLET_CHAIN_ID)),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await walletNew(getCommandFlags(command));
-  });
-  withCommandOptions(
-    wallet.command("balances").description("List balances for each wallet"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await walletBalances(getCommandFlags(command));
-  });
-  withCommandOptions(
-    wallet.command("configs").description("List config for each wallet"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await walletConfigs(getCommandFlags(command));
-  });
-  withCommandOptions(
-    wallet.command("audit-logs").description("List wallet audit logs").requiredOption("--wallet-id <id>", "Wallet id or alias").option("--limit <n>", "Result limit").option("--cursor <cursor>", "Pagination cursor").option("--query <query>", "Free text query").option("--action <action>", "Action filter").option("--user <user>", "User filter").option("--browser <browser>", "Browser filter").option("--ip-address <ip>", "IP filter").option("--location <location>", "Location filter"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await walletAuditLogs(getCommandFlags(command));
-  });
-  const webhook = program.command("webhook").description("Manage webhooks");
-  withCommandOptions(webhook.command("ls").description("List webhooks"), {
-    auth: true,
-    json: true
-  }).action(async (_options, command) => {
-    await webhookList(getCommandFlags(command));
-  });
-  withCommandOptions(
-    webhook.command("get").description("Get webhook").option("--id <webhook-id>", "Webhook id").addOption(new (0, _commander.Option)("--webhook-id <webhook-id>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await webhookGet(getCommandFlags(command));
-  });
-  withCommandOptions(
-    webhook.command("new").description("Create webhook").requiredOption("--project-id <id>", "Project id or alias").requiredOption("--event-type <approval|payment>", "Webhook event type").requiredOption("--url <https://...>", "Webhook destination URL").option("--secret <value>", "Webhook secret"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await webhookNew(getCommandFlags(command));
-  });
-  withCommandOptions(
-    webhook.command("update").description("Update webhook").option("--id <webhook-id>", "Webhook id").option("--event-type <approval|payment>", "Webhook event type").option("--status <active|disabled>", "Webhook status").option("--url <https://...>", "Webhook destination URL").option("--secret <value>", "Webhook secret").addOption(new (0, _commander.Option)("--webhook-id <webhook-id>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await webhookUpdate(getCommandFlags(command));
-  });
-  withCommandOptions(
-    webhook.command("rm").description("Delete webhook").option("--id <webhook-id>", "Webhook id").addOption(new (0, _commander.Option)("--webhook-id <webhook-id>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await webhookRemove(getCommandFlags(command));
-  });
-  withCommandOptions(
-    webhook.command("deliveries").description("List webhook deliveries").option("--id <webhook-id>", "Webhook id").option("--limit <n>", "Result limit").addOption(new (0, _commander.Option)("--webhook-id <webhook-id>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await webhookDeliveries(getCommandFlags(command));
-  });
-  withCommandOptions(
-    webhook.command("test").description("Send webhook test payload").option("--id <webhook-id>", "Webhook id").addOption(new (0, _commander.Option)("--webhook-id <webhook-id>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await webhookTest(getCommandFlags(command));
-  });
-  const approval = program.command("approval").description("Manage pending approvals");
-  withCommandOptions(
-    approval.command("ls").description("List pending approvals").option("--wallet-id <id>", "Wallet id or alias").option("--limit <n>", "Result limit"),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await approvalList(getCommandFlags(command));
-  });
-  withCommandOptions(
-    approval.command("approve").description("Submit manual approval").option("--id <approve-id>", "Approval id").option("--mfa-type <type>", "MFA type").option("--otp <code>", "TOTP code").option("--approval-payload-json <json>", "Inline approval payload JSON").option("--approval-payload-file <path>", "Path to approval payload JSON").addOption(new (0, _commander.Option)("--approve-id <approve-id>").hideHelp()),
-    { auth: true, json: true }
-  ).action(async (_options, command) => {
-    await approvalApprove(getCommandFlags(command));
-  });
-  return program;
-};
-var main = async () => {
-  const program = createProgram();
-  if (_process2.default.argv.length <= 2) {
-    program.outputHelp();
-    return;
-  }
-  await program.parseAsync(_process2.default.argv);
-};
-main().catch((error) => {
-  console.error(getErrorMessage(error));
-  _process2.default.exit(1);
-});