@zeroxyz/cli 0.0.39 → 0.0.41

package/dist/index.js

@@ -2,12 +2,12 @@
 
 // src/index.ts
 import { homedir as homedir8 } from "os";
-import { join as join9 } from "path";
+import { join as join10 } from "path";
 
 // package.json
 var package_default = {
   name: "@zeroxyz/cli",
-  version: "0.0.39",
+  version: "0.0.41",
   type: "module",
   bin: {
     zero: "dist/index.js",
@@ -205,7 +205,11 @@ var searchResultSchema = z.object({
   reviewCount: z.number().optional(),
   rating: ratingSchema,
   availabilityStatus: z.enum(["healthy", "degraded", "down", "unknown"]).nullable().optional(),
-  displayStatus: z.enum(["healthy", "stable", "degraded", "unhealthy", "unknown"]).optional()
+  displayStatus: z.enum(["healthy", "stable", "degraded", "unhealthy", "unknown"]).optional(),
+  // Pass-through: API stamps this on Zero-published / withzero.{ai,xyz}
+  // services so `zero search --json` consumers can render their own
+  // provenance UI. CLI doesn't render a badge today.
+  isFirstParty: z.boolean().optional().default(false)
 });
 var searchResponseSchema = z.object({
   searchId: z.string(),
@@ -258,7 +262,9 @@ var capabilityResponseSchema = z.object({
   displayStatus: z.enum(["healthy", "stable", "degraded", "unhealthy", "unknown"]).optional(),
   activationCount: z.number().optional(),
   lastUsedAt: z.string().nullable().optional(),
-  lastSuccessfullyRanAt: z.string().nullable().optional()
+  lastSuccessfullyRanAt: z.string().nullable().optional(),
+  // Pass-through (see searchResultSchema). Available on `zero get --json`.
+  isFirstParty: z.boolean().optional().default(false)
 });
 var createRunResponseSchema = z.object({
   runId: z.string()
@@ -344,6 +350,19 @@ var userDtoSchema = z.object({
   createdAt: z.union([z.string(), z.date()]).optional(),
   lastLoginAt: z.union([z.string(), z.date()]).nullable().optional()
 });
+var userWalletDtoSchema = z.object({
+  walletAddress: z.string(),
+  source: z.enum(["self_custody", "privy_embedded"]),
+  isPrimary: z.boolean(),
+  linkedAt: z.union([z.string(), z.date()])
+});
+var signResultSchema = z.object({
+  signature: z.string(),
+  walletAddress: z.string()
+});
+var migrateResultSchema = z.object({
+  transactionHash: z.string()
+});
 var deviceStartResultSchema = z.object({
   deviceCode: z.string(),
   userCode: z.string(),
@@ -361,6 +380,10 @@ var devicePollResponseSchema = z.union([
     user: userDtoSchema
   })
 ]);
+var jsonStringifyBigintSafe = (value) => JSON.stringify(
+  value,
+  (_key, v) => typeof v === "bigint" ? v.toString() : v
+);
 var buildCanonicalMessage = (method, path, body, timestamp, nonce) => {
   const bodyHash = createHash("sha256").update(body ?? "").digest("hex");
   return `${method}:${path}:${bodyHash}:${timestamp}:${nonce}`;
@@ -378,6 +401,9 @@ var ApiService = class _ApiService {
   account;
   credentials;
   onSessionRefreshed;
+  setWalletAddress = (address) => {
+    this.walletAddress = address;
+  };
   withAccount = (account) => new _ApiService(this.baseUrl, account);
   signRequest = async (method, path, body) => {
     if (!this.account) throw new Error("No private key configured");
@@ -392,13 +418,28 @@ var ApiService = class _ApiService {
       "x-zero-signature": signature
     };
   };
-  // Session credentials take precedence over EIP-191. We never combine them
-  // in a single request: if the user has signed in, the JWT is the identity
-  // the API trusts, and the wallet signing path stays out of the picture.
-  buildHeaders = async (method, path, bodyStr) => {
+  // Auth modes per request. `this.account` is only ever the local private key
+  // (the managed Privy proxy lives on PaymentService, never here), so an
+  // account here means a BYO key is present.
+  //  - "default": session JWT takes precedence over EIP-191. If signed in, the
+  //    JWT is the identity the API trusts; otherwise fall back to a wallet
+  //    signature, else anonymous. Used by session-scoped endpoints
+  //    (/users/me, sign-*, wallets) and read endpoints.
+  //  - "wallet-attributed": the action is attributed to a wallet (runs,
+  //    reviews, bug reports). Prefer the local private key (EIP-191) so the run
+  //    is attributed to the wallet that actually paid; when there's no local
+  //    key (managed user) fall back to the session Bearer and let the server
+  //    resolve the wallet from the authenticated user. We never send both — a
+  //    present session would make the server skip EIP-191 verification, so a
+  //    Bearer + wallet headers combo must never happen.
+  buildHeaders = async (method, path, bodyStr, auth) => {
     const base2 = {
       "content-type": "application/json"
     };
+    if (auth === "wallet-attributed" && this.account) {
+      const walletHeaders = await this.signRequest(method, path, bodyStr);
+      return { ...base2, ...walletHeaders };
+    }
     if (this.credentials.kind === "session") {
       base2.authorization = `Bearer ${this.credentials.accessToken}`;
       return base2;
@@ -430,12 +471,13 @@ var ApiService = class _ApiService {
     await this.onSessionRefreshed(body);
     return true;
   };
-  request = async (method, path, body) => {
+  request = async (method, path, body, opts = {}) => {
     const url = `${this.baseUrl}${path}`;
-    const bodyStr = body ? JSON.stringify(body) : void 0;
+    const bodyStr = body ? jsonStringifyBigintSafe(body) : void 0;
+    const auth = opts.auth ?? "default";
     const makeInit = async () => ({
       method,
-      headers: await this.buildHeaders(method, path, bodyStr),
+      headers: await this.buildHeaders(method, path, bodyStr, auth),
       body: bodyStr
     });
     let response = await fetch(url, await makeInit());
@@ -504,7 +546,9 @@ var ApiService = class _ApiService {
     return capabilityResponseSchema.parse(json);
   };
   createRun = async (data) => {
-    const json = await this.request("POST", "/v1/runs", data);
+    const json = await this.request("POST", "/v1/runs", data, {
+      auth: "wallet-attributed"
+    });
     return createRunResponseSchema.parse(json);
   };
   listRuns = async (params = {}) => {
@@ -514,19 +558,32 @@ var ApiService = class _ApiService {
     if (params.limit) qs.set("limit", String(params.limit));
     if (params.cursor) qs.set("cursor", params.cursor);
     const suffix = qs.toString() ? `?${qs.toString()}` : "";
-    const json = await this.request("GET", `/v1/runs${suffix}`);
+    const json = await this.request("GET", `/v1/runs${suffix}`, void 0, {
+      auth: "wallet-attributed"
+    });
     return listRunsResponseSchema.parse(json);
   };
   createReview = async (data) => {
-    const json = await this.request("POST", "/v1/reviews", data);
+    const json = await this.request("POST", "/v1/reviews", data, {
+      auth: "wallet-attributed"
+    });
     return createReviewResponseSchema.parse(json);
   };
   createReviewsBatch = async (reviews) => {
-    const json = await this.request("POST", "/v1/reviews/batch", { reviews });
+    const json = await this.request(
+      "POST",
+      "/v1/reviews/batch",
+      { reviews },
+      {
+        auth: "wallet-attributed"
+      }
+    );
     return batchReviewResponseSchema.parse(json);
   };
   createBugReport = async (data) => {
-    const json = await this.request("POST", "/v1/bug-reports", data);
+    const json = await this.request("POST", "/v1/bug-reports", data, {
+      auth: "wallet-attributed"
+    });
     return createBugReportResponseSchema.parse(json);
   };
   getFundingUrl = async (amount, provider = "coinbase") => {
@@ -543,6 +600,53 @@ var ApiService = class _ApiService {
       return null;
     }
   };
+  getWallets = async () => {
+    const json = await this.request("GET", "/v1/users/me/wallets");
+    return z.array(userWalletDtoSchema).parse(json);
+  };
+  provisionWallet = async () => {
+    const json = await this.request("POST", "/v1/users/me/wallets/provision");
+    return userWalletDtoSchema.parse(json);
+  };
+  // Hands a BYO-wallet-signed EIP-3009 authorization to the server, which
+  // broadcasts it on Base via the gas-paying relayer (sweeping USDC into the
+  // caller's provisioned wallet). Session-authed.
+  migrateWallet = async (authorization) => {
+    const json = await this.request("POST", "/v1/users/me/wallets/migrate", {
+      authorization
+    });
+    return migrateResultSchema.parse(json);
+  };
+  signTypedDataRemote = async (typedData) => {
+    const json = await this.request("POST", "/v1/users/me/sign-typed-data", {
+      typedData
+    });
+    const parsed = signResultSchema.parse(json);
+    return {
+      signature: parsed.signature,
+      walletAddress: parsed.walletAddress
+    };
+  };
+  signMessageRemote = async (message) => {
+    const json = await this.request("POST", "/v1/users/me/sign-message", {
+      message
+    });
+    const parsed = signResultSchema.parse(json);
+    return {
+      signature: parsed.signature,
+      walletAddress: parsed.walletAddress
+    };
+  };
+  signTransactionRemote = async (input) => {
+    const json = await this.request("POST", "/v1/users/me/sign-transaction", {
+      unsignedTransaction: input.unsignedTransaction
+    });
+    const parsed = signResultSchema.parse(json);
+    return {
+      signature: parsed.signature,
+      walletAddress: parsed.walletAddress
+    };
+  };
 };
 
 // src/commands/bug-report-command.ts
@@ -839,6 +943,7 @@ import { Command as Command4 } from "commander";
 import { formatUnits as formatUnits2 } from "viem";
 
 // src/services/payment-service.ts
+import { randomBytes } from "crypto";
 import {
   adaptViemWallet,
   convertViemChainToRelayChain,
@@ -859,7 +964,7 @@ import {
   formatUnits,
   http
 } from "viem";
-import { base, baseSepolia } from "viem/chains";
+import { base, baseSepolia, tempo as viemTempoChain } from "viem/chains";
 var SessionCloseFailedError = class extends Error {
   session;
   response;
@@ -933,6 +1038,32 @@ var ERC20_BALANCE_ABI = [
     type: "function"
   }
 ];
+var ERC20_TRANSFER_ABI = [
+  {
+    inputs: [
+      { name: "to", type: "address" },
+      { name: "amount", type: "uint256" }
+    ],
+    name: "transfer",
+    outputs: [{ name: "", type: "bool" }],
+    stateMutability: "nonpayable",
+    type: "function"
+  }
+];
+var USDC_BASE_SWEEP_DOMAIN = { name: "USD Coin", version: "2" };
+var SWEEP_AUTHORIZATION_TTL_S = 900;
+var TEMPO_FEE_RESERVE_RAW = 10000n;
+var EIP3009_TRANSFER_TYPES = {
+  // biome-ignore lint/style/useNamingConvention: EIP-712 primaryType must match the on-chain type name
+  TransferWithAuthorization: [
+    { name: "from", type: "address" },
+    { name: "to", type: "address" },
+    { name: "value", type: "uint256" },
+    { name: "validAfter", type: "uint256" },
+    { name: "validBefore", type: "uint256" },
+    { name: "nonce", type: "bytes32" }
+  ]
+};
 var decodeSessionReceiptHeader = (header) => {
   if (!header) return null;
   try {
@@ -1378,6 +1509,115 @@ var PaymentService = class {
     ]);
     return { amount: formatUnits(baseRaw + tempoRaw, 6), asset: "USDC" };
   };
+  // Total USDC across both legs (Base + Tempo) for the configured wallet — what
+  // the migrate confirmation prompt quotes. Best-effort: a chain whose RPC read
+  // fails counts as 0 rather than blocking the other leg.
+  getSweepableBalance = async () => {
+    const [baseRaw, tempoRaw] = await Promise.all([
+      this.getBalanceRaw("base").catch(() => 0n),
+      this.getBalanceRaw("tempo").catch(() => 0n)
+    ]);
+    const raw = baseRaw + tempoRaw;
+    return { raw, usdc: formatUnits(raw, 6) };
+  };
+  // Sweeps all USDC from the configured wallet into `to` across Base and Tempo.
+  // Each leg is independent and never throws — failures are captured in the
+  // returned per-chain result so the caller can decide whether to retire the
+  // source key.
+  migrateAllUsdc = async (to, relayer) => {
+    const baseResult = await this.sweepBaseUsdc(to, relayer);
+    const tempoResult = await this.sweepTempoUsdc(to);
+    return [baseResult, tempoResult];
+  };
+  // Base leg: sign an EIP-3009 transferWithAuthorization for the full balance
+  // and hand it to the relayer, which broadcasts it gaslessly.
+  sweepBaseUsdc = async (to, relayer) => {
+    try {
+      if (!this.account) throw new Error("No wallet configured");
+      const balance = await this.getBalanceRaw("base");
+      if (balance <= 0n) return { chain: "base", status: "skipped" };
+      const nowS = Math.floor(Date.now() / 1e3);
+      const message = {
+        from: this.account.address,
+        to,
+        value: balance,
+        validAfter: 0n,
+        validBefore: BigInt(nowS + SWEEP_AUTHORIZATION_TTL_S),
+        nonce: `0x${randomBytes(32).toString("hex")}`
+      };
+      const signature = await this.account.signTypedData({
+        domain: {
+          name: USDC_BASE_SWEEP_DOMAIN.name,
+          version: USDC_BASE_SWEEP_DOMAIN.version,
+          chainId: BASE_CHAIN_ID,
+          verifyingContract: USDC_BASE
+        },
+        types: EIP3009_TRANSFER_TYPES,
+        primaryType: "TransferWithAuthorization",
+        message
+      });
+      const { transactionHash } = await relayer.migrateWallet({
+        from: message.from,
+        to: message.to,
+        value: message.value.toString(),
+        validAfter: message.validAfter.toString(),
+        validBefore: message.validBefore.toString(),
+        nonce: message.nonce,
+        signature
+      });
+      return {
+        chain: "base",
+        status: "swept",
+        amount: formatUnits(balance, 6),
+        txHash: transactionHash
+      };
+    } catch (err) {
+      return { chain: "base", status: "failed", error: err.message };
+    }
+  };
+  // Tempo leg: self-broadcast an ERC-20 transfer paying the fee in USDC via
+  // `feeToken` (no native gas token needed). Uses viem's tempo chain for its
+  // type-0x76 serializer; reserves a tiny amount to cover the fee.
+  sweepTempoUsdc = async (to) => {
+    try {
+      if (!this.account) throw new Error("No wallet configured");
+      const balance = await this.getBalanceRaw("tempo");
+      if (balance <= TEMPO_FEE_RESERVE_RAW) {
+        return { chain: "tempo", status: "skipped" };
+      }
+      const amount = balance - TEMPO_FEE_RESERVE_RAW;
+      const wallet = createWalletClient({
+        account: this.account,
+        chain: viemTempoChain,
+        transport: http()
+      });
+      const txHash = await wallet.writeContract({
+        address: USDC_TEMPO,
+        abi: ERC20_TRANSFER_ABI,
+        functionName: "transfer",
+        args: [to, amount],
+        feeToken: USDC_TEMPO
+        // biome-ignore lint/suspicious/noExplicitAny: tempo feeToken param
+      });
+      const publicClient = createPublicClient({
+        chain: viemTempoChain,
+        transport: http()
+      });
+      await publicClient.waitForTransactionReceipt({ hash: txHash });
+      return {
+        chain: "tempo",
+        status: "swept",
+        amount: formatUnits(amount, 6),
+        txHash
+      };
+    } catch (err) {
+      return {
+        chain: "tempo",
+        status: "failed",
+        error: err.message
+      };
+    }
+  };
 };
 
 // src/util/infer-schema.ts
@@ -1629,55 +1869,6 @@ var fetchCommand = (appContext) => new Command4("fetch").description(
       } else {
         resolvedUrl = url;
       }
-      if (!url && options.capability && !stateService.findSearchContextByCapability(options.capability)) {
-        try {
-          let capName = resolvedCapabilityName;
-          if (capName === void 0) {
-            const cap = await apiService.getCapability(options.capability);
-            capName = cap.name;
-          }
-          const searchResult = await apiService.search({ query: capName });
-          const matchedEntry = searchResult.capabilities.find(
-            (c) => c.slug === options.capability || c.id === options.capability
-          );
-          const slugFoundInResults = Boolean(matchedEntry);
-          stateService.saveLastSearch({
-            searchId: searchResult.searchId,
-            capabilities: searchResult.capabilities.map((c) => ({
-              position: c.position,
-              id: c.id,
-              slug: c.slug,
-              url: c.url,
-              urlTemplate: c.urlTemplate ?? null,
-              displayCostAmount: c.cost.amount
-            }))
-          });
-          analyticsService.capture("search_executed", {
-            query: truncateQuery(capName),
-            queryLength: capName.length,
-            resultCount: searchResult.capabilities.length,
-            searchId: searchResult.searchId,
-            total: searchResult.total,
-            hasMore: searchResult.hasMore,
-            json: false,
-            triggeredBy: "slug_handoff",
-            slugFoundInResults
-          });
-          analyticsService.capture("capability_viewed", {
-            // Existing field preserved as the raw --capability
-            // input for back-compat.
-            capabilityId: options.capability,
-            // New canonical identifier fields hydrated from the
-            // resolved search result (when the slug was found).
-            capabilityUid: matchedEntry?.id,
-            capabilitySlug: matchedEntry?.slug,
-            fromLastSearch: false,
-            searchId: searchResult.searchId,
-            triggeredBy: "slug_handoff"
-          });
-        } catch {
-        }
-      }
       let resolvedBody;
       try {
         resolvedBody = resolveRequestBody(
@@ -1733,6 +1924,7 @@ var fetchCommand = (appContext) => new Command4("fetch").description(
       const capabilitySlug = matchCtx?.capabilitySlug ?? null;
       const searchId = matchCtx?.searchId;
       const resultRank = matchCtx?.resultRank;
+      const fetchOrigin = matchCtx ? "from_search" : options.capability ? "direct_slug" : "direct_url";
       const matchedDisplayCostAmount = matchCtx?.displayCostAmount;
       const skipReasons = [];
       if (!apiService.walletAddress) {
@@ -1950,6 +2142,9 @@ var fetchCommand = (appContext) => new Command4("fetch").description(
         resultRank: resultRank ?? void 0,
         runId: runId ?? void 0,
         runTracked: !!runId,
+        // A NULL searchId on a direct_slug fetch is correct here,
+        // not a funnel gap to paper over.
+        fetchOrigin,
         ...fetchError && { error: truncateError(fetchError.message) }
       });
       const isFetchFailure = Boolean(fetchError) || !finalResponse || typeof status === "number" && (status < 200 || status >= 300);
@@ -3368,14 +3563,30 @@ Read the full terms at: ${TERMS_URL}
 });
 
 // src/commands/wallet-command.ts
-import { existsSync as existsSync3, readFileSync as readFileSync7 } from "fs";
+import { existsSync as existsSync3, readFileSync as readFileSync8 } from "fs";
 import { homedir as homedir4 } from "os";
-import { join as join4 } from "path";
+import { join as join5 } from "path";
+import { confirm, isCancel } from "@clack/prompts";
 import { Command as Command11 } from "commander";
 import open2 from "open";
 import { isAddress } from "viem";
 import { generatePrivateKey as generatePrivateKey2, privateKeyToAccount as privateKeyToAccount2 } from "viem/accounts";
 
+// src/util/migrate-config.ts
+import { readFileSync as readFileSync7 } from "fs";
+import { join as join4 } from "path";
+var backupAndStripPrivateKey = (zeroDir) => {
+  const configPath = join4(zeroDir, "config.json");
+  const backupPath = join4(zeroDir, "config.backup.json");
+  const raw = readFileSync7(configPath, "utf8");
+  ensureSecureDir(zeroDir);
+  writeSecureFile(backupPath, raw);
+  const parsed = JSON.parse(raw);
+  delete parsed.privateKey;
+  writeSecureFile(configPath, JSON.stringify(parsed, null, 2));
+  return { backupPath, configPath };
+};
+
 // src/util/stdin.ts
 var readStdin = async () => {
   const chunks = [];
@@ -3559,11 +3770,11 @@ var walletSetCommand = (appContext) => new Command11("set").description("Set wal
     process.exitCode = 1;
     return;
   }
-  const zeroDir = join4(homedir4(), ".zero");
-  const configPath = join4(zeroDir, "config.json");
+  const zeroDir = join5(homedir4(), ".zero");
+  const configPath = join5(zeroDir, "config.json");
   if (!options.force && existsSync3(configPath)) {
     try {
-      const existing2 = JSON.parse(readFileSync7(configPath, "utf8"));
+      const existing2 = JSON.parse(readFileSync8(configPath, "utf8"));
       if (existing2.privateKey) {
         console.error(
           "Wallet already configured. Use --force to overwrite."
@@ -3575,7 +3786,7 @@ var walletSetCommand = (appContext) => new Command11("set").description("Set wal
     }
   }
   ensureSecureDir(zeroDir);
-  const existing = existsSync3(configPath) ? JSON.parse(readFileSync7(configPath, "utf8")) : {};
+  const existing = existsSync3(configPath) ? JSON.parse(readFileSync8(configPath, "utf8")) : {};
   writeSecureFile(
     configPath,
     JSON.stringify(
@@ -3671,6 +3882,142 @@ var walletGenerateCommand = (appContext) => new Command11("generate").descriptio
     });
   }
 );
+var resolveZeroWalletAddress = async (apiService) => {
+  try {
+    const wallets = await apiService.getWallets();
+    const primary = wallets.find(
+      (w) => w.source === "privy_embedded" && w.isPrimary
+    );
+    if (primary) return primary.walletAddress;
+    const provisioned = await apiService.provisionWallet();
+    return provisioned.walletAddress ?? null;
+  } catch {
+    return null;
+  }
+};
+var walletMigrateCommand = (appContext) => new Command11("migrate").description(
+  "Sweep all USDC from your private-key wallet into your Zero wallet"
+).option("--json", "Emit the migration result as JSON").option("-y, --yes", "Skip the confirmation prompt").action(async (options) => {
+  const { apiService, paymentService } = appContext.services;
+  const zeroDir = join5(homedir4(), ".zero");
+  const configPath = join5(zeroDir, "config.json");
+  const config = existsSync3(configPath) ? readConfig(configPath) : {};
+  const privateKey = appContext.env.ZERO_PRIVATE_KEY ?? config.privateKey;
+  if (!privateKey) {
+    console.error(
+      "No private-key wallet found. Run `zero wallet set <key>` first."
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const hasSession = Boolean(
+    appContext.env.ZERO_SESSION_TOKEN || config.session
+  );
+  if (!hasSession) {
+    console.error("Not logged in. Run `zero auth login` first.");
+    process.exitCode = 1;
+    return;
+  }
+  let source;
+  try {
+    source = privateKeyToAccount2(privateKey);
+  } catch {
+    console.error("Invalid private key in config.");
+    process.exitCode = 1;
+    return;
+  }
+  const to = await resolveZeroWalletAddress(apiService);
+  if (!to) {
+    console.error(
+      "Could not resolve your Zero wallet. Run `zero auth login` and try again."
+    );
+    process.exitCode = 1;
+    return;
+  }
+  if (to.toLowerCase() === source.address.toLowerCase()) {
+    console.error(
+      "Source and destination are the same wallet \u2014 nothing to migrate."
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const balance = await paymentService.getSweepableBalance();
+  if (balance.raw <= 0n) {
+    if (options.json) {
+      console.log(
+        JSON.stringify({ destination: to, legs: [], keyRemoved: false })
+      );
+    } else {
+      console.log("Nothing to migrate (no USDC found).");
+    }
+    return;
+  }
+  if (!options.yes) {
+    if (options.json || !process.stdin.isTTY) {
+      console.error(
+        "Refusing to migrate without confirmation. Re-run with --yes to proceed."
+      );
+      process.exitCode = 1;
+      return;
+    }
+    const proceed = await confirm({
+      message: `Please confirm you would like to transfer $${balance.usdc} from your private wallet to your Zero managed wallet`
+    });
+    if (isCancel(proceed) || !proceed) {
+      console.log("Migration cancelled.");
+      return;
+    }
+  }
+  const results = await paymentService.migrateAllUsdc(to, apiService);
+  const anyFailed = results.some((r) => r.status === "failed");
+  const anySwept = results.some((r) => r.status === "swept");
+  let backupPath = null;
+  if (anySwept && !anyFailed && config.privateKey) {
+    try {
+      backupPath = backupAndStripPrivateKey(zeroDir).backupPath;
+    } catch {
+      backupPath = null;
+    }
+  }
+  if (options.json) {
+    console.log(
+      JSON.stringify({
+        destination: to,
+        legs: results,
+        keyRemoved: backupPath !== null,
+        backupPath
+      })
+    );
+  } else {
+    console.log(`Migrating USDC \u2192 ${to}`);
+    for (const r of results) {
+      if (r.status === "swept") {
+        console.log(
+          `  ${r.chain}: swept ${r.amount} USDC (tx ${r.txHash})`
+        );
+      } else if (r.status === "skipped") {
+        console.log(`  ${r.chain}: skipped (no balance)`);
+      } else {
+        console.log(`  ${r.chain}: FAILED \u2014 ${r.error}`);
+      }
+    }
+    if (backupPath) {
+      console.log("");
+      console.log(
+        `Private key removed from config (backed up to ${backupPath}). Your Zero wallet is now primary.`
+      );
+    } else if (anyFailed) {
+      console.log("");
+      console.log(
+        "A transfer failed \u2014 your private key was kept. Re-run `zero wallet migrate` to retry."
+      );
+    } else if (!anySwept) {
+      console.log("");
+      console.log("Nothing to migrate (no USDC found).");
+    }
+  }
+  if (anyFailed) process.exitCode = 1;
+});
 var walletCommand = (appContext) => {
   const cmd = new Command11("wallet").description("Manage your wallet");
   cmd.addCommand(walletBalanceCommand(appContext));
@@ -3678,22 +4025,23 @@ var walletCommand = (appContext) => {
   cmd.addCommand(walletAddressCommand(appContext));
   cmd.addCommand(walletSetCommand(appContext));
   cmd.addCommand(walletGenerateCommand(appContext));
+  cmd.addCommand(walletMigrateCommand(appContext), { hidden: true });
   return cmd;
 };
 
 // src/commands/welcome-command.ts
-import { existsSync as existsSync4, readFileSync as readFileSync8 } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync9 } from "fs";
 import { homedir as homedir5 } from "os";
-import { join as join5 } from "path";
+import { join as join6 } from "path";
 import { Command as Command12 } from "commander";
 import open3 from "open";
 import { getAddress } from "viem";
 import { privateKeyToAccount as privateKeyToAccount3 } from "viem/accounts";
 var readPrivateKey = () => {
-  const configPath = join5(homedir5(), ".zero", "config.json");
+  const configPath = join6(homedir5(), ".zero", "config.json");
   if (!existsSync4(configPath)) return null;
   try {
-    const config = JSON.parse(readFileSync8(configPath, "utf8"));
+    const config = JSON.parse(readFileSync9(configPath, "utf8"));
     if (typeof config.privateKey === "string") {
       return config.privateKey;
     }
@@ -3822,6 +4170,7 @@ var envSchema = z4.object({
   ZERO_API_URL: z4.string().default("https://api.zero.xyz"),
   ZERO_WEB_URL: z4.string().default("https://zero.xyz"),
   ZERO_PRIVATE_KEY: z4.string().optional(),
+  ZERO_SESSION_TOKEN: z4.string().optional(),
   ZERO_ENV: z4.enum(["development", "production"]).default("production")
 });
 var getEnv = () => {
@@ -3838,12 +4187,12 @@ var getEnv = () => {
 import { randomUUID as randomUUID2 } from "crypto";
 import { existsSync as existsSync7 } from "fs";
 import { homedir as homedir6 } from "os";
-import { join as join7 } from "path";
+import { join as join8 } from "path";
 import { privateKeyToAccount as privateKeyToAccount4 } from "viem/accounts";
 
 // src/services/analytics-service.ts
 import { randomUUID } from "crypto";
-import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync9, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync10, writeFileSync as writeFileSync4 } from "fs";
 import { dirname as dirname2 } from "path";
 import { PostHog } from "posthog-node";
 var POSTHOG_API_KEY = "phc_B2vLyNxAf2mnqvdPQajf4d4b2iXc35dep2ZrvebMJLuX";
@@ -3866,7 +4215,7 @@ var AnalyticsService = class {
     let persistedAnonId;
     try {
       if (existsSync5(opts.configPath)) {
-        const config = JSON.parse(readFileSync9(opts.configPath, "utf8"));
+        const config = JSON.parse(readFileSync10(opts.configPath, "utf8"));
         if (config.telemetry === false) {
           telemetryEnabled = false;
         }
@@ -3888,15 +4237,17 @@ var AnalyticsService = class {
     } else {
       const newAnonId = randomUUID();
       this.distinctId = newAnonId;
-      try {
-        const dir = dirname2(opts.configPath);
-        mkdirSync4(dir, { recursive: true });
-        const existing = existsSync5(opts.configPath) ? JSON.parse(readFileSync9(opts.configPath, "utf8")) : {};
-        writeFileSync4(
-          opts.configPath,
-          JSON.stringify({ ...existing, anonId: newAnonId }, null, 2)
-        );
-      } catch {
+      if (!process.env.VITEST) {
+        try {
+          const dir = dirname2(opts.configPath);
+          mkdirSync4(dir, { recursive: true });
+          const existing = existsSync5(opts.configPath) ? JSON.parse(readFileSync10(opts.configPath, "utf8")) : {};
+          writeFileSync4(
+            opts.configPath,
+            JSON.stringify({ ...existing, anonId: newAnonId }, null, 2)
+          );
+        } catch {
+        }
       }
     }
     const originalConsoleError = console.error;
@@ -3931,7 +4282,7 @@ var AnalyticsService = class {
     if (anonId === walletAddress) return;
     let aliasedTo;
     try {
-      const config = JSON.parse(readFileSync9(configPath, "utf8"));
+      const config = JSON.parse(readFileSync10(configPath, "utf8"));
       if (typeof config.aliasedTo === "string") {
         aliasedTo = config.aliasedTo;
       }
@@ -3939,8 +4290,9 @@ var AnalyticsService = class {
     }
     if (aliasedTo === walletAddress) return;
     this.posthog.alias({ distinctId: walletAddress, alias: anonId });
+    if (process.env.VITEST) return;
     try {
-      const config = existsSync5(configPath) ? JSON.parse(readFileSync9(configPath, "utf8")) : {};
+      const config = existsSync5(configPath) ? JSON.parse(readFileSync10(configPath, "utf8")) : {};
       writeFileSync4(
         configPath,
         JSON.stringify({ ...config, aliasedTo: walletAddress }, null, 2)
@@ -4015,15 +4367,43 @@ var AnalyticsService = class {
   }
 };
 
+// src/services/api-account.ts
+import {
+  bytesToHex,
+  parseSignature,
+  serializeTransaction
+} from "viem";
+import { toAccount } from "viem/accounts";
+var createApiAccount = (walletAddress, api) => toAccount({
+  address: walletAddress,
+  async signMessage({ message }) {
+    const asMessage = typeof message === "string" ? message : typeof message.raw === "string" ? message.raw : bytesToHex(message.raw);
+    const { signature } = await api.signMessageRemote(asMessage);
+    return signature;
+  },
+  async signTypedData(typedData) {
+    const { signature } = await api.signTypedDataRemote(typedData);
+    return signature;
+  },
+  async signTransaction(transaction, options) {
+    const serialize = options?.serializer ?? serializeTransaction;
+    const unsigned = await serialize(transaction);
+    const { signature } = await api.signTransactionRemote({
+      unsignedTransaction: unsigned
+    });
+    return await serialize(transaction, parseSignature(signature));
+  }
+});
+
 // src/services/state-service.ts
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync10, writeFileSync as writeFileSync5 } from "fs";
-import { join as join6 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync11, writeFileSync as writeFileSync5 } from "fs";
+import { join as join7 } from "path";
 var RECENT_SEARCH_LIMIT = 10;
 var StateService = class {
   constructor(zeroDir) {
     this.zeroDir = zeroDir;
-    this.lastSearchPath = join6(zeroDir, "last_search.json");
-    this.recentSearchesPath = join6(zeroDir, "recent_searches.json");
+    this.lastSearchPath = join7(zeroDir, "last_search.json");
+    this.recentSearchesPath = join7(zeroDir, "recent_searches.json");
   }
   lastSearchPath;
   recentSearchesPath;
@@ -4043,7 +4423,7 @@ var StateService = class {
   loadLastSearch = () => {
     try {
       if (!existsSync6(this.lastSearchPath)) return null;
-      const raw = readFileSync10(this.lastSearchPath, "utf8");
+      const raw = readFileSync11(this.lastSearchPath, "utf8");
       return JSON.parse(raw);
     } catch {
       return null;
@@ -4055,7 +4435,7 @@ var StateService = class {
         const last = this.loadLastSearch();
         return { searches: last ? [last] : [] };
       }
-      const raw = readFileSync10(this.recentSearchesPath, "utf8");
+      const raw = readFileSync11(this.recentSearchesPath, "utf8");
       const parsed = JSON.parse(raw);
       return { searches: parsed.searches ?? [] };
     } catch {
@@ -4154,30 +4534,20 @@ var detectAgentHost = (env = process.env) => {
 // src/app/app-services.ts
 var CLI_VERSION = package_default.version;
 var resolveCredentials = (env, config) => {
-  if (config.session) {
-    return {
-      credentials: {
-        kind: "session",
-        accessToken: config.session.accessToken,
-        refreshToken: config.session.refreshToken,
-        userId: config.session.userId
-      },
-      privateKey: null
-    };
-  }
-  if (env.ZERO_PRIVATE_KEY) {
-    return {
-      credentials: { kind: "none" },
-      privateKey: env.ZERO_PRIVATE_KEY
-    };
-  }
-  if (config.privateKey) {
-    return {
-      credentials: { kind: "none" },
-      privateKey: config.privateKey
-    };
-  }
-  return { credentials: { kind: "none" }, privateKey: null };
+  const injectedToken = env.ZERO_SESSION_TOKEN;
+  const credentials = injectedToken ? {
+    kind: "session",
+    accessToken: injectedToken,
+    refreshToken: "",
+    userId: ""
+  } : config.session ? {
+    kind: "session",
+    accessToken: config.session.accessToken,
+    refreshToken: config.session.refreshToken,
+    userId: config.session.userId
+  } : { kind: "none" };
+  const privateKey = env.ZERO_PRIVATE_KEY ?? config.privateKey ?? null;
+  return { credentials, privateKey };
 };
 var buildOnSessionRefreshed = (configPath) => async (tokens) => {
   const current = readConfig(configPath);
@@ -4192,20 +4562,31 @@ var buildOnSessionRefreshed = (configPath) => async (tokens) => {
   };
   writeSecureFile(configPath, JSON.stringify(next, null, 2));
 };
-var getServices = (env) => {
-  const zeroDir = join7(homedir6(), ".zero");
-  const configPath = join7(zeroDir, "config.json");
+var getServices = async (env) => {
+  const zeroDir = join8(homedir6(), ".zero");
+  const configPath = join8(zeroDir, "config.json");
   const config = existsSync7(configPath) ? readConfig(configPath) : {};
   const { credentials, privateKey } = resolveCredentials(env, config);
-  const account = privateKey ? privateKeyToAccount4(privateKey) : null;
   const lowBalanceWarning = typeof config.lowBalanceWarning === "number" ? config.lowBalanceWarning : 1;
   const apiService = new ApiService(
     env.ZERO_API_URL,
-    account,
+    privateKey ? privateKeyToAccount4(privateKey) : null,
     credentials,
     buildOnSessionRefreshed(configPath)
   );
-  const paymentService = new PaymentService(account, { lowBalanceWarning });
+  let account = privateKey ? privateKeyToAccount4(privateKey) : null;
+  if (!account && credentials.kind === "session") {
+    const address = await resolveManagedWalletAddress(apiService);
+    if (address) {
+      account = createApiAccount(address, apiService);
+    }
+  }
+  if (account && !apiService.walletAddress) {
+    apiService.setWalletAddress(account.address);
+  }
+  const paymentService = new PaymentService(account, {
+    lowBalanceWarning
+  });
   const stateService = new StateService(zeroDir);
   const walletService = new WalletService(
     apiService.walletAddress,
@@ -4228,16 +4609,29 @@ var getServices = (env) => {
     walletService
   };
 };
+var resolveManagedWalletAddress = async (api) => {
+  try {
+    const wallets = await api.getWallets();
+    const primary = wallets.find(
+      (w) => w.source === "privy_embedded" && w.isPrimary
+    );
+    if (primary) return primary.walletAddress;
+    const provisioned = await api.provisionWallet();
+    return provisioned.walletAddress ?? null;
+  } catch {
+    return null;
+  }
+};
 
 // src/app/app-context.ts
-var createAppContext = () => {
+var createAppContext = async () => {
   const env = getEnv();
   if (!env) {
     return null;
   }
   return {
     env,
-    services: getServices(env),
+    services: await getServices(env),
     invocation: { current: null }
   };
 };
@@ -4247,12 +4641,12 @@ import {
   existsSync as existsSync8,
   lstatSync,
   mkdirSync as mkdirSync6,
-  readFileSync as readFileSync11,
+  readFileSync as readFileSync12,
   readlinkSync,
   writeFileSync as writeFileSync6
 } from "fs";
 import { homedir as homedir7 } from "os";
-import { dirname as dirname3, join as join8, resolve } from "path";
+import { dirname as dirname3, join as join9, resolve } from "path";
 var CACHE_FILENAME = "update_check.json";
 var NPM_REGISTRY_URL = "https://registry.npmjs.org/@zeroxyz/cli/latest";
 var CHECK_INTERVAL_MS = 60 * 60 * 1e3;
@@ -4279,7 +4673,7 @@ var detectInstallMethod = (opts = {}) => {
   const home = opts.home ?? homedir7();
   if (pkg) return "binary";
   const resolved = resolveExecPath(execPath);
-  const zeroBin = join8(home, ".zero", "bin");
+  const zeroBin = join9(home, ".zero", "bin");
   if (resolved.startsWith(zeroBin)) return "binary";
   return "npm";
 };
@@ -4304,12 +4698,12 @@ var compareVersions = (a, b) => {
   if (pb.pre === null) return -1;
   return pa.pre < pb.pre ? -1 : 1;
 };
-var cachePath = (zeroDir) => join8(zeroDir, CACHE_FILENAME);
+var cachePath = (zeroDir) => join9(zeroDir, CACHE_FILENAME);
 var readCache = (zeroDir) => {
   try {
     const path = cachePath(zeroDir);
     if (!existsSync8(path)) return emptyCache;
-    const raw = readFileSync11(path, "utf8");
+    const raw = readFileSync12(path, "utf8");
     const parsed = JSON.parse(raw);
     return {
       lastCheckedMs: typeof parsed.lastCheckedMs === "number" ? parsed.lastCheckedMs : 0,
@@ -4393,12 +4787,12 @@ var maybePrintUpdateBanner = (zeroDir, currentVersion) => {
 
 // src/index.ts
 var main = async () => {
-  const appContext = createAppContext();
+  const appContext = await createAppContext();
   if (!appContext) {
     console.error("Failed to create app context");
     process.exit(1);
   }
-  const zeroDir = join9(homedir8(), ".zero");
+  const zeroDir = join10(homedir8(), ".zero");
   maybePrintUpdateBanner(zeroDir, package_default.version);
   const app = createApp(appContext);
   let caughtError = null;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@zeroxyz/cli",
-	"version": "0.0.39",
+	"version": "0.0.41",
 	"type": "module",
 	"bin": {
 		"zero": "dist/index.js",