@wlfi-agent/cli 1.4.13 → 1.4.15

package/src/cli.ts

@@ -0,0 +1,2121 @@
+import {
+  type ChainProfile,
+  defaultDaemonSocketPath,
+  deleteConfigKey,
+  ensureWlfiHome,
+  listBuiltinChains,
+  listBuiltinTokens,
+  listConfiguredChains,
+  listConfiguredTokens,
+  readConfig,
+  redactConfig,
+  removeChainProfile,
+  removeTokenChainProfile,
+  removeTokenProfile,
+  resolveChainProfile,
+  resolveConfigPath,
+  resolveTokenProfile,
+  saveChainProfile,
+  saveTokenChainProfile,
+  switchActiveChain,
+  type TokenChainProfile,
+  type WlfiConfig,
+  writeConfig,
+} from '@wlfi-agent/config';
+import {
+  broadcastRawTransaction,
+  estimateFees,
+  estimateGas,
+  getAccountSnapshot,
+  getChainInfo,
+  getCodeAtAddress,
+  getLatestBlockNumber,
+  getNativeBalance,
+  getNonce,
+  getTokenBalance,
+  getTransactionByHash,
+  getTransactionReceiptByHash,
+} from '@wlfi-agent/rpc';
+import { Command, Option } from 'commander';
+import { type Address, type Hex, isAddress, isHex } from 'viem';
+import { assertSafeRpcUrl } from '../packages/config/src/index.js';
+import {
+  blockedRawAdminPassthroughMessage,
+  rewriteAdminHelpText,
+} from './lib/admin-passthrough.js';
+import { runAdminResetCli, runAdminUninstallCli } from './lib/admin-reset.js';
+import { runAdminSetupCli, runAdminTuiCli } from './lib/admin-setup.js';
+import { resolveAgentAuthToken } from './lib/agent-auth.js';
+import { clearAgentAuthToken } from './lib/agent-auth-clear.js';
+import { migrateLegacyAgentAuthToken } from './lib/agent-auth-migrate.js';
+import {
+  buildRevokeAgentKeyAdminArgs,
+  completeAgentKeyRevocation,
+  type RevokeAgentKeyAdminOutput,
+} from './lib/agent-auth-revoke.js';
+import {
+  buildRotateAgentAuthTokenAdminArgs,
+  completeAgentAuthRotation,
+  type RotateAgentAuthTokenAdminOutput,
+} from './lib/agent-auth-rotate.js';
+import { assertValidAgentAuthToken } from './lib/agent-auth-token.js';
+import {
+  completeAssetBroadcast,
+  encodeErc20ApproveData,
+  encodeErc20TransferData,
+  formatBroadcastedAssetOutput,
+  resolveAssetBroadcastPlan,
+  waitForOnchainReceipt,
+} from './lib/asset-broadcast.js';
+import {
+  assertBootstrapSetupSummaryLeaseIsActive,
+  deleteBootstrapAgentCredentialsFile,
+  readBootstrapAgentCredentialsFile,
+  readBootstrapSetupSummaryFile,
+  redactBootstrapAgentCredentialsFile,
+} from './lib/bootstrap-credentials.js';
+import {
+  normalizeAgentAmountOutput,
+  normalizePositiveDecimalInput,
+  parseConfiguredAmount,
+  resolveConfiguredErc20Asset,
+  resolveConfiguredNativeAsset,
+  rewriteAmountPolicyErrorMessage,
+} from './lib/config-amounts.js';
+import {
+  assertWritableConfigKey,
+  resolveConfigMutationCommandLabel,
+  type WritableConfigKey,
+} from './lib/config-mutation.js';
+import {
+  assertTrustedAdminDaemonSocketPath,
+  assertTrustedDaemonSocketPath,
+} from './lib/fs-trust.js';
+import {
+  AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+  hasAgentAuthTokenInKeychain,
+  readAgentAuthTokenFromKeychain,
+  storeAgentAuthTokenInKeychain,
+} from './lib/keychain.js';
+import {
+  withDynamicLocalAdminMutationAccess,
+  withLocalAdminMutationAccess,
+} from './lib/local-admin-access.js';
+import { resolveCliNetworkProfile, resolveCliRpcUrl } from './lib/network-selection.js';
+import { assertRpcChainIdMatches } from './lib/rpc-guard.js';
+import {
+  passthroughRustBinary,
+  RustBinaryExitError,
+  runRustBinary,
+  runRustBinaryJson,
+} from './lib/rust.js';
+import { assertSignedBroadcastTransactionMatchesRequest } from './lib/signed-tx.js';
+import { registerRepairCommand, registerStatusCommand } from './lib/status-repair-cli.js';
+import {
+  formatWalletProfileText,
+  resolveWalletAddress,
+  resolveWalletProfileWithBalances,
+  walletProfileFromBootstrapSummary,
+} from './lib/wallet-profile.js';
+
+interface RustBroadcastOutput {
+  command: string;
+  network: string;
+  asset: string;
+  counterparty: string;
+  amount_wei: string;
+  estimated_max_gas_spend_wei?: string;
+  tx_type?: string;
+  delegation_enabled?: boolean;
+  signature_hex: string;
+  r_hex?: string;
+  s_hex?: string;
+  v?: number;
+  raw_tx_hex?: string;
+  tx_hash_hex?: string;
+}
+
+interface RustManualApprovalRequiredOutput {
+  command: string;
+  approval_request_id: string;
+  relay_url?: string;
+  frontend_url?: string;
+  cli_approval_command: string;
+}
+
+function rewriteAgentAmountError(
+  error: unknown,
+  symbolAwareAsset: { decimals: number; symbol: string; assetId: string },
+): Error {
+  if (!(error instanceof Error)) {
+    return new Error(String(error));
+  }
+
+  const rewritten = rewriteAmountPolicyErrorMessage(error.message, symbolAwareAsset);
+  if (rewritten === error.message) {
+    return error;
+  }
+
+  return new Error(rewritten);
+}
+
+function isManualApprovalRequiredOutput(value: unknown): value is RustManualApprovalRequiredOutput {
+  if (!value || typeof value !== 'object') {
+    return false;
+  }
+  const candidate = value as Partial<RustManualApprovalRequiredOutput>;
+  return (
+    typeof candidate.command === 'string' &&
+    typeof candidate.approval_request_id === 'string' &&
+    typeof candidate.cli_approval_command === 'string'
+  );
+}
+
+function printManualApprovalRequired(output: RustManualApprovalRequiredOutput, asJson: boolean) {
+  if (asJson) {
+    print(output, true);
+    return;
+  }
+
+  const lines = [
+    `Command: ${output.command}`,
+    `Approval Request ID: ${output.approval_request_id}`,
+  ];
+  if (output.frontend_url) {
+    lines.push(`Frontend Approval URL: ${output.frontend_url}`);
+  }
+  if (output.relay_url) {
+    lines.push(`Relay URL: ${output.relay_url}`);
+  }
+  lines.push(`CLI Approval Command: ${output.cli_approval_command}`);
+  print(lines.join('\n'), false);
+}
+
+const MAX_SECRET_STDIN_BYTES = 16 * 1024;
+const AGENT_KEY_ID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/iu;
+
+function requiredString(value: string | undefined, label: string): string {
+  if (!value?.trim()) {
+    throw new Error(`${label} is required`);
+  }
+  return value;
+}
+
+function assertAgentKeyId(value: string | undefined, label = 'agentKeyId'): string {
+  const normalized = requiredString(value, label).trim();
+  if (!AGENT_KEY_ID_PATTERN.test(normalized)) {
+    throw new Error(`${label} must be a valid UUID`);
+  }
+  return normalized;
+}
+
+function hasStoredAgentAuthToken(agentKeyId: string | undefined): boolean {
+  if (!agentKeyId) {
+    return false;
+  }
+
+  try {
+    return hasAgentAuthTokenInKeychain(agentKeyId);
+  } catch {
+    return false;
+  }
+}
+
+function resolveRpcUrl(value: string | undefined, config: WlfiConfig): string {
+  return assertSafeRpcUrl(requiredString(value ?? config.rpcUrl, 'rpcUrl'), 'rpcUrl');
+}
+
+function resolveDaemonSocket(value: string | undefined, config: WlfiConfig): string {
+  if (value !== undefined) {
+    return requiredString(value, 'daemonSocket').trim();
+  }
+  if (config.daemonSocket !== undefined) {
+    return requiredString(config.daemonSocket, 'configured daemonSocket').trim();
+  }
+  return defaultDaemonSocketPath();
+}
+
+function assertAddress(value: string, label: string): Address {
+  if (!isAddress(value)) {
+    throw new Error(`${label} must be a valid EVM address`);
+  }
+  return value as Address;
+}
+
+function assertHex(value: string, label: string): Hex {
+  if (!isHex(value)) {
+    throw new Error(`${label} must be valid hex`);
+  }
+  return value as Hex;
+}
+
+function parseBigIntString(value: string, label: string): bigint {
+  const normalized = value.trim();
+  if (!/^(0|[1-9][0-9]*)$/u.test(normalized)) {
+    throw new Error(`${label} must be a non-negative integer string`);
+  }
+  try {
+    return BigInt(normalized);
+  } catch {
+    throw new Error(`${label} must be a non-negative integer string`);
+  }
+}
+
+function parseIntegerString(value: string, label: string): number {
+  const normalized = value.trim();
+  if (!/^(0|[1-9][0-9]*)$/u.test(normalized)) {
+    throw new Error(`${label} must be a non-negative integer`);
+  }
+  const parsed = Number(normalized);
+  if (!Number.isSafeInteger(parsed)) {
+    throw new Error(`${label} must be a safe integer`);
+  }
+  return parsed;
+}
+
+function parsePositiveBigIntString(value: string, label: string): bigint {
+  const parsed = parseBigIntString(value, label);
+  if (parsed <= 0n) {
+    throw new Error(`${label} must be greater than zero`);
+  }
+  return parsed;
+}
+
+function parsePositiveIntegerString(value: string, label: string): number {
+  const parsed = parseIntegerString(value, label);
+  if (parsed <= 0) {
+    throw new Error(`${label} must be greater than zero`);
+  }
+  return parsed;
+}
+
+async function readTrimmedStdin(label: string): Promise<string> {
+  process.stdin.setEncoding('utf8');
+  let raw = '';
+  for await (const chunk of process.stdin) {
+    raw += chunk;
+    if (Buffer.byteLength(raw, 'utf8') > MAX_SECRET_STDIN_BYTES) {
+      throw new Error(`${label} must not exceed ${MAX_SECRET_STDIN_BYTES} bytes`);
+    }
+  }
+  return requiredString(raw.replace(/[\r\n]+$/u, ''), label);
+}
+
+function formatJson(payload: unknown) {
+  return JSON.stringify(payload, null, 2);
+}
+
+function stringifyOptionalValue(value: { toString(): string } | null | undefined): string | null {
+  return value === null || value === undefined ? null : value.toString();
+}
+
+function print(payload: unknown, asJson: boolean) {
+  if (asJson) {
+    console.log(formatJson(payload));
+    return;
+  }
+  if (typeof payload === 'string') {
+    console.log(payload);
+    return;
+  }
+  console.log(formatJson(payload));
+}
+
+const ONCHAIN_RECEIPT_TIMEOUT_MS = 30_000;
+const ONCHAIN_RECEIPT_POLL_INTERVAL_MS = 2_000;
+
+async function reportOnchainReceiptStatus(input: {
+  rpcUrl: string;
+  txHash: Hex;
+  asJson: boolean;
+}): Promise<void> {
+  if (input.asJson) {
+    console.error(
+      formatJson({
+        event: 'onchainReceiptPending',
+        txHash: input.txHash,
+        timeoutMs: ONCHAIN_RECEIPT_TIMEOUT_MS,
+      }),
+    );
+  } else {
+    console.error(
+      `Waiting up to ${ONCHAIN_RECEIPT_TIMEOUT_MS / 1000}s for on-chain receipt: ${input.txHash}`,
+    );
+  }
+
+  try {
+    const result = await waitForOnchainReceipt(
+      {
+        rpcUrl: input.rpcUrl,
+        txHash: input.txHash,
+        timeoutMs: ONCHAIN_RECEIPT_TIMEOUT_MS,
+        intervalMs: ONCHAIN_RECEIPT_POLL_INTERVAL_MS,
+      },
+      {
+        getTransactionReceiptByHash,
+      },
+    );
+
+    if (result.receipt) {
+      const summary = {
+        event: 'onchainReceipt',
+        txHash: input.txHash,
+        blockNumber: stringifyOptionalValue(result.receipt.blockNumber),
+        transactionIndex: result.receipt.transactionIndex,
+        status: result.receipt.status,
+      };
+      if (input.asJson) {
+        console.error(formatJson(summary));
+      } else {
+        console.error(
+          `On-chain receipt: ${result.receipt.status} block ${result.receipt.blockNumber} txIndex ${result.receipt.transactionIndex}`,
+        );
+      }
+      return;
+    }
+
+    if (input.asJson) {
+      console.error(
+        formatJson({
+          event: 'onchainReceiptTimeout',
+          txHash: input.txHash,
+          timeoutMs: ONCHAIN_RECEIPT_TIMEOUT_MS,
+        }),
+      );
+    } else {
+      console.error(
+        `Timed out after ${ONCHAIN_RECEIPT_TIMEOUT_MS / 1000}s waiting for on-chain receipt`,
+      );
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (input.asJson) {
+      console.error(
+        formatJson({
+          event: 'onchainReceiptPollingError',
+          txHash: input.txHash,
+          error: message,
+        }),
+      );
+    } else {
+      console.error(`On-chain receipt polling failed: ${message}`);
+    }
+  }
+}
+
+function parseConfigValue(key: WritableConfigKey, value: string): WlfiConfig {
+  if (key === 'chainId') {
+    return { [key]: parsePositiveIntegerString(value, key) };
+  }
+  if (key === 'agentKeyId') {
+    return { [key]: assertAgentKeyId(value, key) };
+  }
+  if (key === 'rpcUrl') {
+    return { [key]: assertSafeRpcUrl(value, key) };
+  }
+  return { [key]: value } as WlfiConfig;
+}
+
+function activeChainSummary(config: WlfiConfig) {
+  return {
+    chainId: config.chainId ?? null,
+    chainName: config.chainName ?? null,
+    rpcUrl: config.rpcUrl ?? null,
+  };
+}
+
+function normalizeChainProfile(
+  key: string,
+  options: { chainId: string; name?: string; rpcUrl?: string },
+): ChainProfile {
+  const rpcUrl = options.rpcUrl?.trim();
+  return {
+    chainId: parsePositiveIntegerString(options.chainId, 'chainId'),
+    name: options.name?.trim() || key.trim().toLowerCase(),
+    rpcUrl: rpcUrl ? assertSafeRpcUrl(rpcUrl, 'rpcUrl') : undefined,
+  };
+}
+
+interface AgentCommandAuthOptions {
+  agentKeyId?: string;
+  agentAuthToken?: string;
+  agentAuthTokenStdin?: boolean;
+  allowLegacyAgentAuthSource?: boolean;
+  daemonSocket?: string;
+}
+
+function warnForAgentAuthTokenSource(source: string, agentKeyId: string) {
+  if (source === 'argv') {
+    console.error(
+      'warning: --agent-auth-token exposes secrets in shell history and process listings; prefer --agent-auth-token-stdin',
+    );
+    return;
+  }
+
+  if (source === 'config') {
+    console.error(
+      'warning: agentAuthToken is being loaded from config.json; migrate it with `wlfi-agent config agent-auth set --agent-key-id ' +
+        agentKeyId +
+        ' --agent-auth-token-stdin`',
+    );
+    return;
+  }
+
+  if (source === 'env') {
+    console.error(
+      'warning: WLFI_AGENT_AUTH_TOKEN exposes secrets to child processes and shell sessions; prefer macOS Keychain or --agent-auth-token-stdin',
+    );
+  }
+}
+
+async function resolveAgentCommandContext(
+  options: AgentCommandAuthOptions,
+  config: WlfiConfig,
+): Promise<{ agentKeyId: string; agentAuthToken: string; daemonSocket: string }> {
+  const agentKeyId = assertAgentKeyId(
+    options.agentKeyId ?? config.agentKeyId ?? process.env.WLFI_AGENT_KEY_ID,
+    'agentKeyId',
+  );
+  const keychainAgentAuthToken = readAgentAuthTokenFromKeychain(agentKeyId);
+  const { token: agentAuthToken, source: agentAuthTokenSource } = await resolveAgentAuthToken({
+    agentKeyId,
+    cliToken: options.agentAuthToken,
+    cliTokenStdin: options.agentAuthTokenStdin,
+    keychainToken: keychainAgentAuthToken,
+    configToken: config.agentAuthToken,
+    envToken: process.env.WLFI_AGENT_AUTH_TOKEN,
+    allowLegacySource: options.allowLegacyAgentAuthSource,
+    readFromStdin: readTrimmedStdin,
+  });
+  const daemonSocket = resolveDaemonSocket(
+    options.daemonSocket ?? process.env.WLFI_DAEMON_SOCKET,
+    config,
+  );
+  assertTrustedDaemonSocketPath(daemonSocket);
+
+  warnForAgentAuthTokenSource(agentAuthTokenSource, agentKeyId);
+
+  return { agentKeyId, agentAuthToken, daemonSocket };
+}
+
+async function runAgentCommandJson<T>(input: {
+  commandArgs: string[];
+  auth: AgentCommandAuthOptions;
+  config: WlfiConfig;
+  asJson: boolean;
+}): Promise<T | null> {
+  const { agentKeyId, agentAuthToken, daemonSocket } = await resolveAgentCommandContext(
+    input.auth,
+    input.config,
+  );
+
+  try {
+    return await runRustBinaryJson<T>(
+      'wlfi-agent-agent',
+      [
+        '--json',
+        '--agent-key-id',
+        agentKeyId,
+        '--agent-auth-token-stdin',
+        '--daemon-socket',
+        daemonSocket,
+        ...input.commandArgs,
+      ],
+      input.config,
+      {
+        stdin: `${agentAuthToken}\n`,
+        preSuppliedSecretStdin: 'agentAuthToken',
+        scrubSensitiveEnv: true,
+      },
+    );
+  } catch (error) {
+    if (error instanceof RustBinaryExitError && error.stdout.trim()) {
+      try {
+        const parsed = JSON.parse(error.stdout) as unknown;
+        if (isManualApprovalRequiredOutput(parsed)) {
+          printManualApprovalRequired(parsed, input.asJson);
+          process.exitCode = error.code;
+          return null;
+        }
+      } catch {
+        // fall through to the original error
+      }
+    }
+    throw error;
+  }
+}
+
+function legacyAmountToDecimalString(value: number | undefined): string | undefined {
+  if (value === undefined) {
+    return undefined;
+  }
+  return value.toString();
+}
+
+function describeResolvedToken(token: NonNullable<ReturnType<typeof resolveTokenProfile>>) {
+  return {
+    key: token.key,
+    source: token.source,
+    symbol: token.symbol,
+    chains: Object.entries(token.chains ?? {})
+      .map(([key, value]) => ({ key, ...value }))
+      .sort((left, right) => left.chainId - right.chainId || left.key.localeCompare(right.key)),
+  };
+}
+
+function normalizeTokenChainConfig(
+  tokenKey: string,
+  chainKey: string,
+  options: {
+    symbol?: string;
+    chainId?: string;
+    native?: boolean;
+    address?: string;
+    decimals?: string;
+    perTx?: string;
+    daily?: string;
+    weekly?: string;
+  },
+  config: WlfiConfig,
+): { symbol: string; profile: TokenChainProfile } {
+  const normalizedTokenKey = tokenKey.trim().toLowerCase();
+  const normalizedChainKey = chainKey.trim().toLowerCase();
+  if (!normalizedTokenKey) {
+    throw new Error('token key is required');
+  }
+  if (!normalizedChainKey) {
+    throw new Error('chain key is required');
+  }
+  if (options.native && options.address) {
+    throw new Error('--native conflicts with --address');
+  }
+
+  const existingToken = resolveTokenProfile(normalizedTokenKey, config);
+  const existingChain = existingToken?.chains?.[normalizedChainKey];
+  const resolvedChain = resolveChainProfile(normalizedChainKey, config);
+  const symbol =
+    options.symbol?.trim() || existingToken?.symbol || normalizedTokenKey.toUpperCase();
+  const chainId = options.chainId
+    ? parsePositiveIntegerString(options.chainId, 'chainId')
+    : (existingChain?.chainId ?? resolvedChain?.chainId);
+  if (chainId === undefined) {
+    throw new Error(
+      `chainId is required; pass --chain-id or configure chain '${normalizedChainKey}' first`,
+    );
+  }
+
+  const isNative = options.native ? true : options.address ? false : existingChain?.isNative;
+  if (isNative === undefined) {
+    throw new Error('pass --native or --address for a new token chain');
+  }
+
+  const decimals =
+    options.decimals !== undefined
+      ? parseIntegerString(options.decimals, 'decimals')
+      : existingChain?.decimals;
+  if (decimals === undefined) {
+    throw new Error('decimals is required; pass --decimals or edit an existing token chain');
+  }
+
+  const address = isNative
+    ? undefined
+    : options.address
+      ? assertAddress(options.address, 'address')
+      : existingChain?.address;
+  if (!isNative && !address) {
+    throw new Error('address is required for a non-native token chain');
+  }
+
+  const hasPolicyOverride =
+    options.perTx !== undefined || options.daily !== undefined || options.weekly !== undefined;
+  const defaultPolicy =
+    hasPolicyOverride || existingChain?.defaultPolicy
+      ? {
+          perTxAmountDecimal:
+            options.perTx !== undefined
+              ? normalizePositiveDecimalInput(options.perTx, 'perTx')
+              : (existingChain?.defaultPolicy?.perTxAmountDecimal ??
+                legacyAmountToDecimalString(existingChain?.defaultPolicy?.perTxAmount)),
+          dailyAmountDecimal:
+            options.daily !== undefined
+              ? normalizePositiveDecimalInput(options.daily, 'daily')
+              : (existingChain?.defaultPolicy?.dailyAmountDecimal ??
+                legacyAmountToDecimalString(existingChain?.defaultPolicy?.dailyAmount)),
+          weeklyAmountDecimal:
+            options.weekly !== undefined
+              ? normalizePositiveDecimalInput(options.weekly, 'weekly')
+              : (existingChain?.defaultPolicy?.weeklyAmountDecimal ??
+                legacyAmountToDecimalString(existingChain?.defaultPolicy?.weeklyAmount)),
+        }
+      : undefined;
+
+  return {
+    symbol,
+    profile: {
+      chainId,
+      isNative,
+      decimals,
+      ...(address ? { address } : {}),
+      ...(defaultPolicy && Object.values(defaultPolicy).some((value) => value !== undefined)
+        ? { defaultPolicy }
+        : {}),
+    },
+  };
+}
+
+function buildAdminChainCommand(): Command {
+  const command = new Command('chain')
+    .description(
+      'Manage active chain selection and chain profiles (mutations require verified root access)',
+    )
+    .showHelpAfterError();
+
+  command
+    .command('list')
+    .option('--json', 'Print JSON output', false)
+    .action((options) => {
+      const config = readConfig();
+      print(
+        {
+          active: activeChainSummary(config),
+          configured: listConfiguredChains(config),
+          builtin: listBuiltinChains(),
+        },
+        options.json,
+      );
+    });
+
+  command
+    .command('current')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      let rpc = null;
+      if (config.rpcUrl) {
+        try {
+          rpc = await getChainInfo(config.rpcUrl);
+        } catch {
+          rpc = null;
+        }
+      }
+      print(
+        {
+          active: activeChainSummary(config),
+          rpc,
+        },
+        options.json,
+      );
+    });
+
+  command
+    .command('add')
+    .argument('<key>')
+    .requiredOption('--chain-id <id>', 'Chain ID')
+    .option('--name <name>', 'Display name')
+    .option('--rpc-url <url>', 'Default RPC URL for this chain profile')
+    .option('--activate', 'Activate this profile immediately', false)
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess('wlfi-agent admin chain add', (key: string, options) => {
+        const profile = normalizeChainProfile(key, options);
+        let updated = saveChainProfile(key, profile);
+        if (options.activate) {
+          updated = switchActiveChain(key, { rpcUrl: profile.rpcUrl });
+        }
+        print(
+          {
+            saved: { key: key.trim().toLowerCase(), ...profile },
+            active: activeChainSummary(updated),
+          },
+          options.json,
+        );
+      }),
+    );
+
+  command
+    .command('remove')
+    .argument('<key>')
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess('wlfi-agent admin chain remove', (key: string, options) => {
+        const updated = removeChainProfile(key);
+        print(
+          {
+            removed: key.trim().toLowerCase(),
+            configured: listConfiguredChains(updated),
+          },
+          options.json,
+        );
+      }),
+    );
+
+  command
+    .command('switch')
+    .argument('<selector>')
+    .option('--rpc-url <url>', 'RPC URL to save as the active endpoint')
+    .option('--save', 'Persist the active selection as a named profile', false)
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess('wlfi-agent admin chain switch', (selector: string, options) => {
+        const updated = switchActiveChain(selector, {
+          rpcUrl: options.rpcUrl,
+          persistProfile: options.save,
+        });
+        const profile = resolveChainProfile(selector, updated);
+        print(
+          {
+            selected: selector,
+            resolved: profile,
+            active: activeChainSummary(updated),
+          },
+          options.json,
+        );
+      }),
+    );
+
+  return command;
+}
+
+function buildAdminTokenCommand(): Command {
+  const command = new Command('token')
+    .description(
+      'Manage shared token definitions and default policies (mutations require verified root access)',
+    )
+    .showHelpAfterError();
+
+  command
+    .command('list')
+    .option('--json', 'Print JSON output', false)
+    .action((options) => {
+      const config = readConfig();
+      print(
+        {
+          builtin: listBuiltinTokens(),
+          configured: listConfiguredTokens(config),
+        },
+        options.json,
+      );
+    });
+
+  command
+    .command('show')
+    .argument('<selector>')
+    .option('--json', 'Print JSON output', false)
+    .action((selector: string, options) => {
+      const config = readConfig();
+      const resolved = resolveTokenProfile(selector, config);
+      if (!resolved) {
+        throw new Error(`unknown token selector: ${selector}`);
+      }
+      print(describeResolvedToken(resolved), options.json);
+    });
+
+  command
+    .command('set-chain')
+    .argument('<tokenKey>')
+    .argument('<chainKey>')
+    .option('--symbol <symbol>', 'Token symbol')
+    .option('--chain-id <id>', 'Chain ID (defaults from the existing token or configured chain)')
+    .option('--native', 'Mark the token as the native asset on this chain', false)
+    .option('--address <address>', 'ERC-20 token contract address')
+    .option('--decimals <count>', 'Token decimals')
+    .option('--per-tx <amount>', 'Default per-transaction policy amount in token units')
+    .option('--daily <amount>', 'Default daily policy amount in token units')
+    .option('--weekly <amount>', 'Default weekly policy amount in token units')
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess(
+        'wlfi-agent admin token set-chain',
+        (tokenKey: string, chainKey: string, options) => {
+          const config = readConfig();
+          const { symbol, profile } = normalizeTokenChainConfig(
+            tokenKey,
+            chainKey,
+            options,
+            config,
+          );
+          const updated = saveTokenChainProfile(tokenKey, chainKey, profile, { symbol });
+          const resolved = resolveTokenProfile(tokenKey, updated);
+          if (!resolved) {
+            throw new Error(`failed to save token '${tokenKey}'`);
+          }
+          print(
+            {
+              saved: describeResolvedToken(resolved),
+            },
+            options.json,
+          );
+        },
+      ),
+    );
+
+  command
+    .command('remove')
+    .argument('<tokenKey>')
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess('wlfi-agent admin token remove', (tokenKey: string, options) => {
+        const updated = removeTokenProfile(tokenKey);
+        print(
+          {
+            removed: tokenKey.trim().toLowerCase(),
+            configured: listConfiguredTokens(updated),
+          },
+          options.json,
+        );
+      }),
+    );
+
+  command
+    .command('remove-chain')
+    .argument('<tokenKey>')
+    .argument('<chainKey>')
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess(
+        'wlfi-agent admin token remove-chain',
+        (tokenKey: string, chainKey: string, options) => {
+          const updated = removeTokenChainProfile(tokenKey, chainKey);
+          const resolved = resolveTokenProfile(tokenKey, updated);
+          print(
+            {
+              removed: {
+                token: tokenKey.trim().toLowerCase(),
+                chain: chainKey.trim().toLowerCase(),
+              },
+              remaining: resolved ? describeResolvedToken(resolved) : null,
+            },
+            options.json,
+          );
+        },
+      ),
+    );
+
+  return command;
+}
+
+async function runLocalAdminCommand(forwarded: string[]): Promise<boolean> {
+  const target = forwarded[0] === 'help' ? forwarded[1] : forwarded[0];
+  if (target !== 'chain' && target !== 'token' && target !== 'daemon') {
+    return false;
+  }
+
+  const command =
+    target === 'chain'
+      ? buildAdminChainCommand()
+      : target === 'token'
+        ? buildAdminTokenCommand()
+        : buildAdminDaemonCommand();
+  const args = forwarded[0] === 'help' ? ['--help'] : forwarded.slice(1);
+  command.exitOverride();
+
+  try {
+    await command.parseAsync(args, { from: 'user' });
+    return true;
+  } catch (error) {
+    if (error && typeof error === 'object' && 'code' in error) {
+      const code = String((error as { code?: unknown }).code ?? '');
+      if (code === 'commander.helpDisplayed') {
+        return true;
+      }
+    }
+    throw error;
+  }
+}
+
+function buildAdminDaemonCommand(): Command {
+  return new Command()
+    .name('daemon')
+    .description('Daemon launch is managed by wlfi-agent admin setup')
+    .action(() => {
+      throw new Error(
+        'Direct daemon execution is disabled. Use `wlfi-agent admin setup` to install and manage the daemon.',
+      );
+    });
+}
+
+async function main() {
+  ensureWlfiHome();
+  const program = new Command();
+  program
+    .name('wlfi-agent')
+    .description('Single entrypoint for WLFI agent admin and signing operations')
+    .showHelpAfterError();
+
+  const configCommand = program.command('config').description('Manage ~/.wlfi_agent configuration');
+  configCommand
+    .command('show')
+    .option('--json', 'Print JSON output', false)
+    .action((options) => {
+      const config = readConfig();
+      print(
+        {
+          ...redactConfig(config),
+          keychain: {
+            agentAuthTokenStored: hasStoredAgentAuthToken(config.agentKeyId),
+            service: process.platform === 'darwin' ? AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE : null,
+          },
+        },
+        options.json,
+      );
+    });
+  configCommand.command('path').action(() => {
+    console.log(resolveConfigPath());
+  });
+  configCommand
+    .command('set')
+    .argument('<key>')
+    .argument('<value>')
+    .action(
+      withDynamicLocalAdminMutationAccess(
+        (key: string, _value: string) => resolveConfigMutationCommandLabel('set', key),
+        (key: string, value: string) => {
+          const writableKey = assertWritableConfigKey(key);
+          const updated = writeConfig(parseConfigValue(writableKey, value));
+          print(redactConfig(updated), true);
+        },
+      ),
+    );
+  configCommand
+    .command('unset')
+    .argument('<key>')
+    .action(
+      withDynamicLocalAdminMutationAccess(
+        (key: string) => resolveConfigMutationCommandLabel('unset', key),
+        (key: string) => {
+          const writableKey = assertWritableConfigKey(key);
+          const updated = deleteConfigKey(writableKey);
+          print(redactConfig(updated), true);
+        },
+      ),
+    );
+
+  const agentAuthCommand = configCommand
+    .command('agent-auth')
+    .description('Manage the agent auth token in macOS Keychain');
+
+  agentAuthCommand
+    .command('set')
+    .requiredOption('--agent-key-id <uuid>', 'Agent key id')
+    .option('--agent-auth-token <token>', 'Agent auth token')
+    .option('--agent-auth-token-stdin', 'Read agent auth token from stdin', false)
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess('wlfi-agent config agent-auth set', async (options) => {
+        if (options.agentAuthToken && options.agentAuthTokenStdin) {
+          throw new Error('--agent-auth-token conflicts with --agent-auth-token-stdin');
+        }
+
+        const agentKeyId = assertAgentKeyId(options.agentKeyId);
+        const agentAuthToken = options.agentAuthTokenStdin
+          ? assertValidAgentAuthToken(await readTrimmedStdin('agentAuthToken'), 'agentAuthToken')
+          : assertValidAgentAuthToken(
+              requiredString(options.agentAuthToken, 'agentAuthToken'),
+              'agentAuthToken',
+            );
+
+        if (options.agentAuthToken) {
+          console.error(
+            'warning: --agent-auth-token exposes secrets in shell history and process listings; prefer --agent-auth-token-stdin',
+          );
+        }
+
+        storeAgentAuthTokenInKeychain(agentKeyId, agentAuthToken);
+
+        let updated = writeConfig({ agentKeyId });
+        if (updated.agentAuthToken !== undefined) {
+          updated = deleteConfigKey('agentAuthToken');
+        }
+
+        print(
+          {
+            agentKeyId: updated.agentKeyId ?? agentKeyId,
+            keychain: {
+              stored: true,
+              service: AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+            },
+            config: redactConfig(updated),
+          },
+          options.json,
+        );
+      }),
+    );
+
+  agentAuthCommand
+    .command('import')
+    .description('Import agent credentials from a private admin bootstrap JSON file')
+    .argument('<path>', 'Path to bootstrap JSON output with an unredacted agent auth token')
+    .option('--keep-source', 'Keep the imported bootstrap file unchanged after import', false)
+    .option('--delete-source', 'Delete the imported bootstrap file after import', false)
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess(
+        'wlfi-agent config agent-auth import',
+        (inputPath: string, options) => {
+          if (options.keepSource && options.deleteSource) {
+            throw new Error('--keep-source conflicts with --delete-source');
+          }
+
+          const summary = readBootstrapSetupSummaryFile(inputPath);
+          assertBootstrapSetupSummaryLeaseIsActive(summary);
+          const imported = readBootstrapAgentCredentialsFile(inputPath);
+          const agentKeyId = assertAgentKeyId(imported.agentKeyId);
+          if (summary.agentKeyId !== agentKeyId) {
+            throw new Error(
+              'bootstrap credentials file agent_key_id does not match setup summary agent_key_id',
+            );
+          }
+
+          storeAgentAuthTokenInKeychain(agentKeyId, imported.agentAuthToken);
+
+          let sourceCleanup: 'redacted' | 'deleted' | 'kept' = 'kept';
+          if (options.deleteSource) {
+            deleteBootstrapAgentCredentialsFile(imported.sourcePath);
+            sourceCleanup = 'deleted';
+          } else if (!options.keepSource) {
+            redactBootstrapAgentCredentialsFile(imported.sourcePath);
+            sourceCleanup = 'redacted';
+          } else {
+            console.error(
+              'warning: imported bootstrap file still contains a plaintext agent auth token; prefer the default redaction or --delete-source',
+            );
+          }
+
+          let updated = writeConfig({
+            agentKeyId,
+            wallet: walletProfileFromBootstrapSummary(summary),
+          });
+          if (updated.agentAuthToken !== undefined) {
+            updated = deleteConfigKey('agentAuthToken');
+          }
+
+          print(
+            {
+              sourcePath: imported.sourcePath,
+              sourceCleanup,
+              agentKeyId,
+              keychain: {
+                stored: true,
+                service: AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE,
+              },
+              config: redactConfig(updated),
+            },
+            options.json,
+          );
+        },
+      ),
+    );
+
+  agentAuthCommand
+    .command('migrate')
+    .description(
+      'Move a legacy config.json agentAuthToken into macOS Keychain and scrub plaintext storage',
+    )
+    .option('--agent-key-id <uuid>', 'Agent key id (defaults to configured agentKeyId)')
+    .option(
+      '--overwrite-keychain',
+      'Replace a different existing Keychain token for this agent',
+      false,
+    )
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess('wlfi-agent config agent-auth migrate', (options) => {
+        print(
+          migrateLegacyAgentAuthToken({
+            agentKeyId: options.agentKeyId,
+            overwriteKeychain: options.overwriteKeychain,
+          }),
+          options.json,
+        );
+      }),
+    );
+
+  agentAuthCommand
+    .command('rotate')
+    .description('Rotate the agent auth token via Rust admin flow, then store it in macOS Keychain')
+    .option('--agent-key-id <uuid>', 'Agent key id (defaults to configured agentKeyId)')
+    .option('--vault-password-stdin', 'Read vault password from stdin', false)
+    .option('--non-interactive', 'Disable password prompts', false)
+    .option('--daemon-socket <path>', 'Daemon unix socket path')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const agentKeyId = options.agentKeyId
+        ? assertAgentKeyId(options.agentKeyId)
+        : config.agentKeyId
+          ? assertAgentKeyId(config.agentKeyId, 'configured agentKeyId')
+          : undefined;
+      if (!agentKeyId) {
+        throw new Error(
+          'agentKeyId is required; pass --agent-key-id or configure agentKeyId first',
+        );
+      }
+
+      const daemonSocket = resolveDaemonSocket(
+        options.daemonSocket ?? process.env.WLFI_DAEMON_SOCKET,
+        config,
+      );
+      assertTrustedAdminDaemonSocketPath(daemonSocket);
+
+      const rotated = await runRustBinaryJson<RotateAgentAuthTokenAdminOutput>(
+        'wlfi-agent-admin',
+        buildRotateAgentAuthTokenAdminArgs({
+          agentKeyId,
+          vaultPasswordStdin: options.vaultPasswordStdin,
+          nonInteractive: options.nonInteractive,
+          daemonSocket,
+        }),
+        config,
+      );
+
+      print(completeAgentAuthRotation(rotated), options.json);
+    });
+
+  agentAuthCommand
+    .command('revoke')
+    .description('Revoke the agent key via Rust admin flow, then remove local credentials')
+    .option('--agent-key-id <uuid>', 'Agent key id (defaults to configured agentKeyId)')
+    .option('--vault-password-stdin', 'Read vault password from stdin', false)
+    .option('--non-interactive', 'Disable password prompts', false)
+    .option('--daemon-socket <path>', 'Daemon unix socket path')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const agentKeyId = options.agentKeyId
+        ? assertAgentKeyId(options.agentKeyId)
+        : config.agentKeyId
+          ? assertAgentKeyId(config.agentKeyId, 'configured agentKeyId')
+          : undefined;
+      if (!agentKeyId) {
+        throw new Error(
+          'agentKeyId is required; pass --agent-key-id or configure agentKeyId first',
+        );
+      }
+
+      const daemonSocket = resolveDaemonSocket(
+        options.daemonSocket ?? process.env.WLFI_DAEMON_SOCKET,
+        config,
+      );
+      assertTrustedAdminDaemonSocketPath(daemonSocket);
+
+      const revoked = await runRustBinaryJson<RevokeAgentKeyAdminOutput>(
+        'wlfi-agent-admin',
+        buildRevokeAgentKeyAdminArgs({
+          agentKeyId,
+          vaultPasswordStdin: options.vaultPasswordStdin,
+          nonInteractive: options.nonInteractive,
+          daemonSocket,
+        }),
+        config,
+      );
+
+      print(completeAgentKeyRevocation(revoked), options.json);
+    });
+
+  agentAuthCommand
+    .command('status')
+    .option('--agent-key-id <uuid>', 'Agent key id (defaults to configured agentKeyId)')
+    .option('--json', 'Print JSON output', false)
+    .action((options) => {
+      const config = readConfig();
+      const agentKeyId = options.agentKeyId
+        ? assertAgentKeyId(options.agentKeyId)
+        : config.agentKeyId && AGENT_KEY_ID_PATTERN.test(config.agentKeyId.trim())
+          ? config.agentKeyId.trim()
+          : null;
+      print(
+        {
+          agentKeyId,
+          keychain: {
+            supported: process.platform === 'darwin',
+            service: process.platform === 'darwin' ? AGENT_AUTH_TOKEN_KEYCHAIN_SERVICE : null,
+            stored: hasStoredAgentAuthToken(agentKeyId ?? undefined),
+          },
+        },
+        options.json,
+      );
+    });
+
+  agentAuthCommand
+    .command('clear')
+    .option('--agent-key-id <uuid>', 'Agent key id (defaults to configured agentKeyId)')
+    .option('--json', 'Print JSON output', false)
+    .action(
+      withLocalAdminMutationAccess('wlfi-agent config agent-auth clear', (options) => {
+        const config = readConfig();
+        const agentKeyId = options.agentKeyId
+          ? assertAgentKeyId(options.agentKeyId)
+          : config.agentKeyId
+            ? assertAgentKeyId(config.agentKeyId, 'configured agentKeyId')
+            : undefined;
+        if (!agentKeyId) {
+          throw new Error(
+            'agentKeyId is required; pass --agent-key-id or configure agentKeyId first',
+          );
+        }
+
+        print(clearAgentAuthToken(agentKeyId), options.json);
+      }),
+    );
+
+  program
+    .command('wallet')
+    .description('Show the configured wallet public key and associated policy summary')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const profile = await resolveWalletProfileWithBalances(readConfig(), {
+        getNativeBalance,
+        getTokenBalance,
+      });
+      print(options.json ? profile : formatWalletProfileText(profile), options.json);
+    });
+
+  registerStatusCommand(program, {
+    print: (payload, options) => {
+      print(payload, options.asJson);
+    },
+    setExitCode: (code) => {
+      process.exitCode = code;
+    },
+  });
+
+  registerRepairCommand(program, {
+    print: (payload, options) => {
+      print(payload, options.asJson);
+    },
+    setExitCode: (code) => {
+      process.exitCode = code;
+    },
+  });
+
+  program
+    .command('admin')
+    .helpOption(false)
+    .allowUnknownOption(true)
+    .allowExcessArguments(true)
+    .argument('[args...]')
+    .description('Admin commands and setup passthrough')
+    .action(async () => {
+      const index = process.argv.indexOf('admin');
+      const forwarded = index >= 0 ? process.argv.slice(index + 1) : [];
+      const passthroughTarget = forwarded[0] === 'help' ? forwarded[1] : forwarded[0];
+      const blockedPassthroughMessage = blockedRawAdminPassthroughMessage(passthroughTarget);
+      if (forwarded[0] === 'setup') {
+        await runAdminSetupCli(forwarded.slice(1));
+        return;
+      }
+      if (forwarded[0] === 'tui') {
+        await runAdminTuiCli(forwarded.slice(1));
+        return;
+      }
+      if (forwarded[0] === 'reset') {
+        await runAdminResetCli(forwarded.slice(1));
+        return;
+      }
+      if (forwarded[0] === 'uninstall') {
+        await runAdminUninstallCli(forwarded.slice(1));
+        return;
+      }
+      if (forwarded[0] === 'help' && forwarded[1] === 'tui') {
+        await runAdminTuiCli(['--help']);
+        return;
+      }
+      if (forwarded[0] === 'help' && forwarded[1] === 'setup') {
+        await runAdminSetupCli(['--help']);
+        return;
+      }
+      if (forwarded[0] === 'help' && forwarded[1] === 'reset') {
+        await runAdminResetCli(['--help']);
+        return;
+      }
+      if (forwarded[0] === 'help' && forwarded[1] === 'uninstall') {
+        await runAdminUninstallCli(['--help']);
+        return;
+      }
+      if (blockedPassthroughMessage) {
+        if (forwarded[0] === 'help') {
+          print(blockedPassthroughMessage, false);
+          return;
+        }
+        throw new Error(blockedPassthroughMessage);
+      }
+      if (forwarded[0] === 'bootstrap') {
+        throw new Error(
+          '`wlfi-agent admin bootstrap` has been removed; use `wlfi-agent admin setup`',
+        );
+      }
+      if (await runLocalAdminCommand(forwarded)) {
+        return;
+      }
+      const config = readConfig();
+      const wantsHelp =
+        forwarded.length === 0 ||
+        forwarded[0] === 'help' ||
+        forwarded.includes('--help') ||
+        forwarded.includes('-h');
+      if (wantsHelp) {
+        const rendered = await runRustBinary(
+          'wlfi-agent-admin',
+          forwarded.length === 0 ? ['--help'] : forwarded,
+          config,
+        );
+        if (rendered.stdout) {
+          process.stdout.write(rewriteAdminHelpText(rendered.stdout));
+        }
+        if (rendered.stderr) {
+          process.stderr.write(rewriteAdminHelpText(rendered.stderr));
+        }
+        return;
+      }
+      const code = await passthroughRustBinary('wlfi-agent-admin', forwarded, config);
+      process.exitCode = code;
+    });
+
+  const addAgentCommandAuthOptions = (command: Command) =>
+    command
+      .option('--daemon-socket <path>', 'Daemon socket path')
+      .option('--agent-key-id <uuid>', 'Agent key id')
+      .option('--agent-auth-token <token>', 'Agent auth token')
+      .option('--agent-auth-token-stdin', 'Read agent auth token from stdin', false)
+      .option(
+        '--allow-legacy-agent-auth-source',
+        'Allow deprecated argv/config/env fallback for agent auth token',
+        false,
+      )
+      .option('--json', 'Print JSON output', false);
+
+  addAgentCommandAuthOptions(
+    program
+      .command('transfer')
+      .description('Submit an ERC-20 transfer request through policy checks')
+      .requiredOption('--network <name>', 'Network name')
+      .requiredOption('--token <address>', 'ERC-20 token contract')
+      .requiredOption('--to <address>', 'Recipient address')
+      .requiredOption('--amount <amount>', 'Transfer amount in token units')
+      .option('--broadcast', 'Broadcast the signed transaction through RPC', false)
+      .option('--rpc-url <url>', 'Ethereum RPC URL override used only for broadcast')
+      .option(
+        '--from <address>',
+        'Sender address override for broadcast; defaults to configured wallet address',
+      )
+      .option('--nonce <nonce>', 'Explicit nonce override for broadcast')
+      .option('--gas-limit <gas>', 'Gas limit override for broadcast')
+      .option('--max-fee-per-gas-wei <wei>', 'Max fee per gas override for broadcast')
+      .option('--max-priority-fee-per-gas-wei <wei>', 'Priority fee per gas override for broadcast')
+      .option('--tx-type <type>', 'Typed tx value for broadcast', '0x02')
+      .option('--no-wait', 'Do not wait up to 30s for an on-chain receipt after broadcast')
+      .option(
+        '--reveal-raw-tx',
+        'Include the signed raw transaction bytes in broadcast output',
+        false,
+      )
+      .option('--reveal-signature', 'Include signer r/s/v fields in broadcast output', false)
+      .addOption(new Option('--amount-wei <wei>').hideHelp()),
+  ).action(async (options) => {
+    const config = readConfig();
+    const network = resolveCliNetworkProfile(options.network, config).chainId;
+    const token = assertAddress(options.token, 'token');
+    const recipient = assertAddress(options.to, 'to');
+    const asset = resolveConfiguredErc20Asset(config, network, token);
+    const amountWei = options.amount
+      ? parseConfiguredAmount(options.amount, asset.decimals, 'amount')
+      : parseBigIntString(options.amountWei, 'amountWei');
+    try {
+      if (options.broadcast) {
+        const plan = await resolveAssetBroadcastPlan(
+          {
+            rpcUrl: resolveCliRpcUrl(options.rpcUrl, options.network, config),
+            chainId: network,
+            from: options.from ? assertAddress(options.from, 'from') : resolveWalletAddress(config),
+            to: token,
+            valueWei: 0n,
+            dataHex: encodeErc20TransferData(recipient, amountWei),
+            nonce: options.nonce ? parseIntegerString(options.nonce, 'nonce') : undefined,
+            gasLimit: options.gasLimit
+              ? parsePositiveBigIntString(options.gasLimit, 'gasLimit')
+              : undefined,
+            maxFeePerGasWei: options.maxFeePerGasWei
+              ? parsePositiveBigIntString(options.maxFeePerGasWei, 'maxFeePerGasWei')
+              : undefined,
+            maxPriorityFeePerGasWei: options.maxPriorityFeePerGasWei
+              ? parseBigIntString(options.maxPriorityFeePerGasWei, 'maxPriorityFeePerGasWei')
+              : undefined,
+            txType: options.txType,
+          },
+          {
+            getChainInfo,
+            assertRpcChainIdMatches,
+            getNonce,
+            estimateGas,
+            estimateFees,
+          },
+        );
+        const signed = await runAgentCommandJson<RustBroadcastOutput>({
+          commandArgs: [
+            'broadcast',
+            '--network',
+            String(plan.chainId),
+            '--nonce',
+            String(plan.nonce),
+            '--to',
+            token,
+            '--value-wei',
+            '0',
+            '--data-hex',
+            plan.dataHex,
+            '--gas-limit',
+            plan.gasLimit.toString(),
+            '--max-fee-per-gas-wei',
+            plan.maxFeePerGasWei.toString(),
+            '--max-priority-fee-per-gas-wei',
+            plan.maxPriorityFeePerGasWei.toString(),
+            '--tx-type',
+            plan.txType,
+          ],
+          auth: options,
+          config,
+          asJson: options.json,
+        });
+        if (!signed) {
+          return;
+        }
+        const completed = await completeAssetBroadcast(plan, signed, {
+          assertSignedBroadcastTransactionMatchesRequest,
+          broadcastRawTransaction,
+        });
+        print(
+          formatBroadcastedAssetOutput({
+            command: 'transfer',
+            counterparty: recipient,
+            asset,
+            signed,
+            plan,
+            signedNonce: completed.signedNonce,
+            networkTxHash: completed.networkTxHash,
+            revealRawTx: options.revealRawTx,
+            revealSignature: options.revealSignature,
+          }),
+          options.json,
+        );
+        if (options.wait) {
+          await reportOnchainReceiptStatus({
+            rpcUrl: plan.rpcUrl,
+            txHash: completed.networkTxHash,
+            asJson: options.json,
+          });
+        }
+        return;
+      }
+
+      const result = await runAgentCommandJson<RustBroadcastOutput>({
+        commandArgs: [
+          'transfer',
+          '--network',
+          String(network),
+          '--token',
+          token,
+          '--to',
+          recipient,
+          '--amount-wei',
+          amountWei.toString(),
+        ],
+        auth: options,
+        config,
+        asJson: options.json,
+      });
+      if (result) {
+        print(normalizeAgentAmountOutput(result, asset), options.json);
+      }
+    } catch (error) {
+      throw rewriteAgentAmountError(error, asset);
+    }
+  });
+
+  addAgentCommandAuthOptions(
+    program
+      .command('transfer-native')
+      .description('Submit a native ETH transfer request through policy checks')
+      .requiredOption('--network <name>', 'Network name')
+      .requiredOption('--to <address>', 'Recipient address')
+      .requiredOption('--amount <amount>', 'Transfer amount in configured native token units')
+      .addOption(new Option('--amount-wei <wei>').hideHelp()),
+  ).action(async (options) => {
+    const config = readConfig();
+    const network = resolveCliNetworkProfile(options.network, config).chainId;
+    const asset = resolveConfiguredNativeAsset(config, network);
+    const amountWei = options.amount
+      ? parseConfiguredAmount(options.amount, asset.decimals, 'amount')
+      : parseBigIntString(options.amountWei, 'amountWei');
+    try {
+      const result = await runAgentCommandJson<RustBroadcastOutput>({
+        commandArgs: [
+          'transfer-native',
+          '--network',
+          String(network),
+          '--to',
+          assertAddress(options.to, 'to'),
+          '--amount-wei',
+          amountWei.toString(),
+        ],
+        auth: options,
+        config,
+        asJson: options.json,
+      });
+      if (result) {
+        print(normalizeAgentAmountOutput(result, asset), options.json);
+      }
+    } catch (error) {
+      throw rewriteAgentAmountError(error, asset);
+    }
+  });
+
+  addAgentCommandAuthOptions(
+    program
+      .command('approve')
+      .description('Submit an ERC-20 approve request through policy checks')
+      .requiredOption('--network <name>', 'Network name')
+      .requiredOption('--token <address>', 'ERC-20 token contract')
+      .requiredOption('--spender <address>', 'Spender address')
+      .requiredOption('--amount <amount>', 'Approval amount in token units')
+      .option('--broadcast', 'Broadcast the signed transaction through RPC', false)
+      .option('--rpc-url <url>', 'Ethereum RPC URL override used only for broadcast')
+      .option(
+        '--from <address>',
+        'Sender address override for broadcast; defaults to configured wallet address',
+      )
+      .option('--nonce <nonce>', 'Explicit nonce override for broadcast')
+      .option('--gas-limit <gas>', 'Gas limit override for broadcast')
+      .option('--max-fee-per-gas-wei <wei>', 'Max fee per gas override for broadcast')
+      .option('--max-priority-fee-per-gas-wei <wei>', 'Priority fee per gas override for broadcast')
+      .option('--tx-type <type>', 'Typed tx value for broadcast', '0x02')
+      .option('--no-wait', 'Do not wait up to 30s for an on-chain receipt after broadcast')
+      .option(
+        '--reveal-raw-tx',
+        'Include the signed raw transaction bytes in broadcast output',
+        false,
+      )
+      .option('--reveal-signature', 'Include signer r/s/v fields in broadcast output', false)
+      .addOption(new Option('--amount-wei <wei>').hideHelp()),
+  ).action(async (options) => {
+    const config = readConfig();
+    const network = resolveCliNetworkProfile(options.network, config).chainId;
+    const token = assertAddress(options.token, 'token');
+    const spender = assertAddress(options.spender, 'spender');
+    const asset = resolveConfiguredErc20Asset(config, network, token);
+    const amountWei = options.amount
+      ? parseConfiguredAmount(options.amount, asset.decimals, 'amount')
+      : parseBigIntString(options.amountWei, 'amountWei');
+    try {
+      if (options.broadcast) {
+        const plan = await resolveAssetBroadcastPlan(
+          {
+            rpcUrl: resolveCliRpcUrl(options.rpcUrl, options.network, config),
+            chainId: network,
+            from: options.from ? assertAddress(options.from, 'from') : resolveWalletAddress(config),
+            to: token,
+            valueWei: 0n,
+            dataHex: encodeErc20ApproveData(spender, amountWei),
+            nonce: options.nonce ? parseIntegerString(options.nonce, 'nonce') : undefined,
+            gasLimit: options.gasLimit
+              ? parsePositiveBigIntString(options.gasLimit, 'gasLimit')
+              : undefined,
+            maxFeePerGasWei: options.maxFeePerGasWei
+              ? parsePositiveBigIntString(options.maxFeePerGasWei, 'maxFeePerGasWei')
+              : undefined,
+            maxPriorityFeePerGasWei: options.maxPriorityFeePerGasWei
+              ? parseBigIntString(options.maxPriorityFeePerGasWei, 'maxPriorityFeePerGasWei')
+              : undefined,
+            txType: options.txType,
+          },
+          {
+            getChainInfo,
+            assertRpcChainIdMatches,
+            getNonce,
+            estimateGas,
+            estimateFees,
+          },
+        );
+        const signed = await runAgentCommandJson<RustBroadcastOutput>({
+          commandArgs: [
+            'broadcast',
+            '--network',
+            String(plan.chainId),
+            '--nonce',
+            String(plan.nonce),
+            '--to',
+            token,
+            '--value-wei',
+            '0',
+            '--data-hex',
+            plan.dataHex,
+            '--gas-limit',
+            plan.gasLimit.toString(),
+            '--max-fee-per-gas-wei',
+            plan.maxFeePerGasWei.toString(),
+            '--max-priority-fee-per-gas-wei',
+            plan.maxPriorityFeePerGasWei.toString(),
+            '--tx-type',
+            plan.txType,
+          ],
+          auth: options,
+          config,
+          asJson: options.json,
+        });
+        if (!signed) {
+          return;
+        }
+        const completed = await completeAssetBroadcast(plan, signed, {
+          assertSignedBroadcastTransactionMatchesRequest,
+          broadcastRawTransaction,
+        });
+        print(
+          formatBroadcastedAssetOutput({
+            command: 'approve',
+            counterparty: spender,
+            asset,
+            signed,
+            plan,
+            signedNonce: completed.signedNonce,
+            networkTxHash: completed.networkTxHash,
+            revealRawTx: options.revealRawTx,
+            revealSignature: options.revealSignature,
+          }),
+          options.json,
+        );
+        if (options.wait) {
+          await reportOnchainReceiptStatus({
+            rpcUrl: plan.rpcUrl,
+            txHash: completed.networkTxHash,
+            asJson: options.json,
+          });
+        }
+        return;
+      }
+
+      const result = await runAgentCommandJson<RustBroadcastOutput>({
+        commandArgs: [
+          'approve',
+          '--network',
+          String(network),
+          '--token',
+          token,
+          '--spender',
+          spender,
+          '--amount-wei',
+          amountWei.toString(),
+        ],
+        auth: options,
+        config,
+        asJson: options.json,
+      });
+      if (result) {
+        print(normalizeAgentAmountOutput(result, asset), options.json);
+      }
+    } catch (error) {
+      throw rewriteAgentAmountError(error, asset);
+    }
+  });
+
+  addAgentCommandAuthOptions(
+    program
+      .command('broadcast')
+      .description('Submit a raw transaction broadcast request through policy checks')
+      .requiredOption('--network <name>', 'Network name')
+      .requiredOption('--to <address>', 'Recipient or target contract')
+      .requiredOption('--gas-limit <gas>', 'Gas limit')
+      .requiredOption('--max-fee-per-gas-wei <wei>', 'Max fee per gas in wei')
+      .option('--nonce <nonce>', 'Explicit nonce override', '0')
+      .option('--value-wei <wei>', 'Value in wei', '0')
+      .option('--data-hex <hex>', 'Calldata hex', '0x')
+      .option('--max-priority-fee-per-gas-wei <wei>', 'Priority fee per gas in wei', '0')
+      .option('--tx-type <type>', 'Typed tx value', '2')
+      .option('--delegation-enabled', 'Forward delegation flag to Rust signing request', false),
+  ).action(async (options) => {
+    const config = readConfig();
+    const network = resolveCliNetworkProfile(options.network, config);
+    const result = await runAgentCommandJson<RustBroadcastOutput>({
+      commandArgs: [
+        'broadcast',
+        '--network',
+        String(network.chainId),
+        '--nonce',
+        String(parseIntegerString(options.nonce, 'nonce')),
+        '--to',
+        assertAddress(options.to, 'to'),
+        '--value-wei',
+        parseBigIntString(options.valueWei, 'valueWei').toString(),
+        '--data-hex',
+        assertHex(options.dataHex, 'dataHex'),
+        '--gas-limit',
+        parsePositiveBigIntString(options.gasLimit, 'gasLimit').toString(),
+        '--max-fee-per-gas-wei',
+        parsePositiveBigIntString(options.maxFeePerGasWei, 'maxFeePerGasWei').toString(),
+        '--max-priority-fee-per-gas-wei',
+        parseBigIntString(options.maxPriorityFeePerGasWei, 'maxPriorityFeePerGasWei').toString(),
+        '--tx-type',
+        options.txType,
+        ...(options.delegationEnabled ? ['--delegation-enabled'] : []),
+      ],
+      auth: options,
+      config,
+      asJson: options.json,
+    });
+    if (result) {
+      print(result, options.json);
+    }
+  });
+
+  const rpc = program.command('rpc').description('RPC methods implemented in TypeScript');
+  rpc
+    .command('chain')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const result = await getChainInfo(rpcUrl);
+      print(
+        {
+          rpcUrl,
+          ...result,
+          configured: activeChainSummary(config),
+        },
+        options.json,
+      );
+    });
+  rpc
+    .command('block-number')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const blockNumber = await getLatestBlockNumber(rpcUrl);
+      print({ rpcUrl, blockNumber: blockNumber.toString() }, options.json);
+    });
+  rpc
+    .command('account')
+    .requiredOption('--address <address>', 'Account address')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const address = assertAddress(options.address, 'address');
+      const snapshot = await getAccountSnapshot(rpcUrl, address);
+      print(
+        {
+          ...snapshot,
+          latestBlockNumber: snapshot.latestBlockNumber.toString(),
+          balance: {
+            raw: snapshot.balance.raw.toString(),
+            formatted: snapshot.balance.formatted,
+          },
+        },
+        options.json,
+      );
+    });
+  rpc
+    .command('balance')
+    .requiredOption('--address <address>', 'Account address')
+    .option('--token <address>', 'Optional ERC-20 token address')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--decimals <decimals>', 'ERC-20 decimals override')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const owner = assertAddress(options.address, 'address');
+      if (options.token) {
+        const token = assertAddress(options.token, 'token');
+        const result = await getTokenBalance(
+          rpcUrl,
+          token,
+          owner,
+          options.decimals ? parseIntegerString(options.decimals, 'decimals') : undefined,
+        );
+        print(
+          {
+            kind: 'erc20',
+            token,
+            owner,
+            balanceWei: result.raw.toString(),
+            decimals: result.decimals,
+            name: result.name,
+            symbol: result.symbol,
+            formatted: result.formatted,
+          },
+          options.json,
+        );
+        return;
+      }
+
+      const result = await getNativeBalance(rpcUrl, owner);
+      print(
+        {
+          kind: 'native',
+          owner,
+          balanceWei: result.raw.toString(),
+          formattedEth: result.formatted,
+        },
+        options.json,
+      );
+    });
+  rpc
+    .command('nonce')
+    .requiredOption('--address <address>', 'Account address')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const address = assertAddress(options.address, 'address');
+      const nonce = await getNonce(rpcUrl, address);
+      print({ address, nonce }, options.json);
+    });
+  rpc
+    .command('fees')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const fees = await estimateFees(rpcUrl);
+      print(
+        {
+          rpcUrl,
+          gasPrice: stringifyOptionalValue(fees.gasPrice),
+          maxFeePerGas: stringifyOptionalValue(fees.maxFeePerGas),
+          maxPriorityFeePerGas: stringifyOptionalValue(fees.maxPriorityFeePerGas),
+        },
+        options.json,
+      );
+    });
+  rpc
+    .command('gas-estimate')
+    .requiredOption('--from <address>', 'Sender address')
+    .requiredOption('--to <address>', 'Recipient or target contract')
+    .option('--value-wei <wei>', 'Value in wei', '0')
+    .option('--data-hex <hex>', 'Calldata hex', '0x')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const gas = await estimateGas({
+        rpcUrl,
+        from: assertAddress(options.from, 'from'),
+        to: assertAddress(options.to, 'to'),
+        value: parseBigIntString(options.valueWei, 'valueWei'),
+        data: assertHex(options.dataHex, 'dataHex'),
+      });
+      print({ rpcUrl, gas: gas.toString() }, options.json);
+    });
+  rpc
+    .command('tx')
+    .requiredOption('--hash <hash>', 'Transaction hash')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const tx = await getTransactionByHash(rpcUrl, assertHex(options.hash, 'hash'));
+      print(tx, options.json);
+    });
+  rpc
+    .command('receipt')
+    .requiredOption('--hash <hash>', 'Transaction hash')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const receipt = await getTransactionReceiptByHash(rpcUrl, assertHex(options.hash, 'hash'));
+      print(receipt, options.json);
+    });
+  rpc
+    .command('code')
+    .requiredOption('--address <address>', 'Contract address')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const bytecode = await getCodeAtAddress(rpcUrl, assertAddress(options.address, 'address'));
+      print(
+        {
+          address: options.address,
+          rpcUrl,
+          bytecode: bytecode ?? '0x',
+          hasCode: bytecode !== undefined && bytecode !== '0x',
+        },
+        options.json,
+      );
+    });
+  rpc
+    .command('broadcast-raw')
+    .requiredOption('--raw-tx-hex <hex>', 'Signed raw transaction hex')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--no-wait', 'Do not wait up to 30s for an on-chain receipt after broadcast')
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const rpcUrl = resolveRpcUrl(options.rpcUrl, config);
+      const txHash = await broadcastRawTransaction(rpcUrl, assertHex(options.rawTxHex, 'rawTxHex'));
+      print({ txHash }, options.json);
+      if (options.wait) {
+        await reportOnchainReceiptStatus({
+          rpcUrl,
+          txHash,
+          asJson: options.json,
+        });
+      }
+    });
+
+  const tx = program
+    .command('tx')
+    .description('Sign with Rust, then perform network RPC in TypeScript');
+  tx.command('broadcast')
+    .requiredOption('--from <address>', 'Sender address for nonce/gas estimation')
+    .requiredOption('--to <address>', 'Recipient or target contract')
+    .option('--network <name>', 'Network name')
+    .option('--rpc-url <url>', 'Ethereum RPC URL')
+    .option('--daemon-socket <path>', 'Daemon socket path')
+    .option('--agent-key-id <uuid>', 'Agent key id')
+    .option('--agent-auth-token <token>', 'Agent auth token')
+    .option('--agent-auth-token-stdin', 'Read agent auth token from stdin', false)
+    .option(
+      '--allow-legacy-agent-auth-source',
+      'Allow deprecated argv/config/env fallback for agent auth token',
+      false,
+    )
+    .option('--nonce <nonce>', 'Explicit nonce override')
+    .option('--value-wei <wei>', 'Value in wei', '0')
+    .option('--data-hex <hex>', 'Calldata hex', '0x')
+    .option('--gas-limit <gas>', 'Gas limit override')
+    .option('--max-fee-per-gas-wei <wei>', 'Max fee per gas override')
+    .option('--max-priority-fee-per-gas-wei <wei>', 'Priority fee per gas override')
+    .option('--tx-type <type>', 'Typed tx value', '0x02')
+    .option('--delegation-enabled', 'Forward delegation flag to Rust signing request', false)
+    .option('--no-wait', 'Do not wait up to 30s for an on-chain receipt after broadcast')
+    .option('--reveal-raw-tx', 'Include the signed raw transaction bytes in output', false)
+    .option('--reveal-signature', 'Include signer r/s/v fields in output', false)
+    .option('--json', 'Print JSON output', false)
+    .action(async (options) => {
+      const config = readConfig();
+      const network = resolveCliNetworkProfile(options.network, config);
+      const rpcUrl = resolveCliRpcUrl(options.rpcUrl, options.network, config);
+      const chainId = network.chainId;
+      const chainInfo = await getChainInfo(rpcUrl);
+      assertRpcChainIdMatches(chainId, chainInfo.chainId);
+      const from = assertAddress(options.from, 'from');
+      const to = assertAddress(options.to, 'to');
+      const valueWei = parseBigIntString(options.valueWei, 'valueWei');
+      const dataHex = assertHex(options.dataHex, 'dataHex');
+      const nonce = options.nonce
+        ? parseIntegerString(options.nonce, 'nonce')
+        : await getNonce(rpcUrl, from);
+      const gasLimit = options.gasLimit
+        ? parsePositiveBigIntString(options.gasLimit, 'gasLimit')
+        : await estimateGas({ rpcUrl, from, to, value: valueWei, data: dataHex });
+      const fees = await estimateFees(rpcUrl);
+      const maxFeePerGasWei = options.maxFeePerGasWei
+        ? parsePositiveBigIntString(options.maxFeePerGasWei, 'maxFeePerGasWei')
+        : (fees.maxFeePerGas ?? fees.gasPrice);
+      const maxPriorityFeePerGasWei = options.maxPriorityFeePerGasWei
+        ? parseBigIntString(options.maxPriorityFeePerGasWei, 'maxPriorityFeePerGasWei')
+        : (fees.maxPriorityFeePerGas ?? fees.gasPrice ?? 0n);
+
+      if (maxFeePerGasWei === null || maxFeePerGasWei <= 0n) {
+        throw new Error('Could not determine maxFeePerGas; pass --max-fee-per-gas-wei');
+      }
+
+      const signed = await runAgentCommandJson<RustBroadcastOutput>({
+        commandArgs: [
+          'broadcast',
+          '--network',
+          String(chainId),
+          '--nonce',
+          String(nonce),
+          '--to',
+          to,
+          '--value-wei',
+          valueWei.toString(),
+          '--data-hex',
+          dataHex,
+          '--gas-limit',
+          gasLimit.toString(),
+          '--max-fee-per-gas-wei',
+          maxFeePerGasWei.toString(),
+          '--max-priority-fee-per-gas-wei',
+          maxPriorityFeePerGasWei.toString(),
+          '--tx-type',
+          options.txType,
+          ...(options.delegationEnabled ? ['--delegation-enabled'] : []),
+        ],
+        auth: options,
+        config,
+        asJson: options.json,
+      });
+      if (!signed) {
+        return;
+      }
+
+      if (!signed.raw_tx_hex) {
+        throw new Error('Rust agent did not return raw_tx_hex for broadcast signing');
+      }
+
+      const inspected = await assertSignedBroadcastTransactionMatchesRequest({
+        rawTxHex: signed.raw_tx_hex as Hex,
+        from,
+        to,
+        chainId,
+        nonce,
+        allowHigherNonce: true,
+        value: valueWei,
+        data: dataHex,
+        gasLimit,
+        maxFeePerGas: maxFeePerGasWei,
+        maxPriorityFeePerGas: maxPriorityFeePerGasWei,
+        txType: options.txType,
+      });
+
+      const networkTxHash = await broadcastRawTransaction(rpcUrl, signed.raw_tx_hex as Hex);
+      print(
+        {
+          command: 'broadcast',
+          rpcUrl,
+          chainId,
+          nonce: inspected.nonce,
+          gasLimit: gasLimit.toString(),
+          maxFeePerGasWei: maxFeePerGasWei.toString(),
+          maxPriorityFeePerGasWei: maxPriorityFeePerGasWei.toString(),
+          signedTxHash: signed.tx_hash_hex,
+          networkTxHash,
+          rawTxHex: options.revealRawTx ? signed.raw_tx_hex : '<redacted>',
+          signer: options.revealSignature
+            ? {
+                r: signed.r_hex,
+                s: signed.s_hex,
+                v: signed.v,
+              }
+            : '<redacted>',
+        },
+        options.json,
+      );
+      if (options.wait) {
+        await reportOnchainReceiptStatus({
+          rpcUrl,
+          txHash: networkTxHash,
+          asJson: options.json,
+        });
+      }
+    });
+
+  await program.parseAsync(process.argv);
+}
+
+main().catch((error) => {
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exitCode = 1;
+});