arc402-cli 0.5.0 → 0.7.0

package/dist/commands/wallet.js

@@ -114,6 +114,388 @@ async function runWalletOnboardingCeremony(walletAddress, ownerAddress, config,
     console.log(" " + colors_1.c.dim("arc402 wallet set-velocity-limit <eth>   — wallet-level hourly ETH cap"));
     console.log(" " + colors_1.c.dim("arc402 wallet policy set-daily-limit --category general --amount <eth>   — daily per-category cap"));
 }
+/**
+ * Complete ARC-402 onboarding ceremony — matches web flow at app.arc402.xyz/onboard.
+ * Runs in a single WalletConnect session (or any sendTx provider). Idempotent.
+ *
+ * Steps:
+ *   2. Machine key — generate + authorizeMachineKey
+ *   3. Passkey    — CLI shows browser URL (WebAuthn requires browser)
+ *   4. Policy     — v5 protocol bypass; set hire limit + optional guardian
+ *   5. Agent      — register on AgentRegistry via executeContractCall
+ *   6. Summary    — branded tree
+ */
+async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config, provider, sendTx) {
+    const policyAddress = config.policyEngineAddress ?? POLICY_ENGINE_DEFAULT;
+    const agentRegistryAddress = config.agentRegistryV2Address ??
+        config_1.NETWORK_DEFAULTS[config.network]?.agentRegistryV2Address;
+    const handshakeAddress = config.handshakeAddress ??
+        config_1.NETWORK_DEFAULTS[config.network]?.handshakeAddress ??
+        "0x4F5A38Bb746d7E5d49d8fd26CA6beD141Ec2DDb3";
+    // ── Step 2: Machine Key ────────────────────────────────────────────────────
+    console.log("\n" + colors_1.c.dim("── Step 2: Machine Key ────────────────────────────────────────"));
+    let machineKeyAddress;
+    if (config.privateKey) {
+        machineKeyAddress = new ethers_1.ethers.Wallet(config.privateKey).address;
+    }
+    else {
+        const mk = ethers_1.ethers.Wallet.createRandom();
+        machineKeyAddress = mk.address;
+        config.privateKey = mk.privateKey;
+        (0, config_1.saveConfig)(config);
+        console.log(" " + colors_1.c.dim("Machine key generated: ") + colors_1.c.white(machineKeyAddress));
+        console.log(" " + colors_1.c.dim("Private key saved to ~/.arc402/config.json (chmod 600)"));
+    }
+    let mkAlreadyAuthorized = false;
+    try {
+        const mkContract = new ethers_1.ethers.Contract(walletAddress, abis_1.ARC402_WALLET_MACHINE_KEY_ABI, provider);
+        mkAlreadyAuthorized = await mkContract.authorizedMachineKeys(machineKeyAddress);
+    }
+    catch { /* older wallet — will try to authorize */ }
+    if (mkAlreadyAuthorized) {
+        console.log(" " + colors_1.c.success + colors_1.c.dim(" Machine key already authorized: ") + colors_1.c.white(machineKeyAddress));
+    }
+    else {
+        console.log(" " + colors_1.c.dim("Authorizing machine key: ") + colors_1.c.white(machineKeyAddress));
+        const mkIface = new ethers_1.ethers.Interface(abis_1.ARC402_WALLET_MACHINE_KEY_ABI);
+        await sendTx({ to: walletAddress, data: mkIface.encodeFunctionData("authorizeMachineKey", [machineKeyAddress]), value: "0x0" }, "authorizeMachineKey");
+        console.log(" " + colors_1.c.success + " Machine key authorized");
+    }
+    // ── Step 3: Passkey ───────────────────────────────────────────────────────
+    console.log("\n" + colors_1.c.dim("── Step 3: Passkey (Face ID / WebAuthn) ──────────────────────"));
+    let passkeyActive = false;
+    try {
+        const walletC = new ethers_1.ethers.Contract(walletAddress, abis_1.ARC402_WALLET_PASSKEY_ABI, provider);
+        const auth = await walletC.ownerAuth();
+        passkeyActive = Number(auth[0]) === 1;
+    }
+    catch { /* ignore */ }
+    if (passkeyActive) {
+        console.log(" " + colors_1.c.success + colors_1.c.dim(" Passkey already active"));
+    }
+    else {
+        const passkeyUrl = `https://app.arc402.xyz/passkey-setup?wallet=${walletAddress}`;
+        console.log("\n " + colors_1.c.white("Open this URL in your browser to set up Face ID:"));
+        console.log("   " + colors_1.c.cyan(passkeyUrl));
+        console.log(" " + colors_1.c.dim("Complete Face ID registration, then press Enter. Type 'n' + Enter to skip.\n"));
+        const passkeyAns = await (0, prompts_1.default)({
+            type: "text",
+            name: "done",
+            message: "Press Enter when done (or type 'n' to skip)",
+            initial: "",
+        });
+        if (passkeyAns.done?.toLowerCase() === "n") {
+            console.log(" " + colors_1.c.warning + " Passkey skipped");
+        }
+        else {
+            passkeyActive = true;
+            console.log(" " + colors_1.c.success + " Passkey set (via browser)");
+        }
+    }
+    // ── Step 4: Policy ────────────────────────────────────────────────────────
+    console.log("\n" + colors_1.c.dim("── Step 4: Policy ─────────────────────────────────────────────"));
+    // 4a) setVelocityLimit
+    let velocityLimitEth = "0.05";
+    let velocityAlreadySet = false;
+    try {
+        const ownerC = new ethers_1.ethers.Contract(walletAddress, abis_1.ARC402_WALLET_OWNER_ABI, provider);
+        const existing = await ownerC.velocityLimit();
+        if (existing > 0n) {
+            velocityAlreadySet = true;
+            velocityLimitEth = ethers_1.ethers.formatEther(existing);
+            console.log(" " + colors_1.c.success + colors_1.c.dim(` Velocity limit already set: ${velocityLimitEth} ETH`));
+        }
+    }
+    catch { /* ignore */ }
+    if (!velocityAlreadySet) {
+        const velAns = await (0, prompts_1.default)({
+            type: "text",
+            name: "limit",
+            message: "Velocity limit (ETH / rolling window)?",
+            initial: "0.05",
+        });
+        velocityLimitEth = velAns.limit || "0.05";
+        const velIface = new ethers_1.ethers.Interface(["function setVelocityLimit(uint256 limit) external"]);
+        await sendTx({ to: walletAddress, data: velIface.encodeFunctionData("setVelocityLimit", [ethers_1.ethers.parseEther(velocityLimitEth)]), value: "0x0" }, `setVelocityLimit: ${velocityLimitEth} ETH`);
+        (0, config_1.saveConfig)(config);
+    }
+    // 4b) setGuardian (optional — address, 'g' to generate, or skip)
+    let guardianAddress = null;
+    try {
+        const guardianC = new ethers_1.ethers.Contract(walletAddress, abis_1.ARC402_WALLET_GUARDIAN_ABI, provider);
+        const existing = await guardianC.guardian();
+        if (existing && existing !== ethers_1.ethers.ZeroAddress) {
+            guardianAddress = existing;
+            console.log(" " + colors_1.c.success + colors_1.c.dim(` Guardian already set: ${existing}`));
+        }
+    }
+    catch { /* ignore */ }
+    if (!guardianAddress) {
+        const guardianAns = await (0, prompts_1.default)({
+            type: "text",
+            name: "guardian",
+            message: "Guardian address? (address, 'g' to generate, Enter to skip)",
+            initial: "",
+        });
+        const guardianInput = guardianAns.guardian?.trim() ?? "";
+        if (guardianInput.toLowerCase() === "g") {
+            const generatedGuardian = ethers_1.ethers.Wallet.createRandom();
+            // Save guardian private key to a separate restricted file, NOT config.json
+            const guardianKeyPath = path_1.default.join(os_1.default.homedir(), ".arc402", "guardian.key");
+            fs_1.default.mkdirSync(path_1.default.dirname(guardianKeyPath), { recursive: true, mode: 0o700 });
+            fs_1.default.writeFileSync(guardianKeyPath, generatedGuardian.privateKey + "\n", { mode: 0o400 });
+            // Only save address (not private key) to config
+            config.guardianAddress = generatedGuardian.address;
+            (0, config_1.saveConfig)(config);
+            guardianAddress = generatedGuardian.address;
+            console.log("\n " + colors_1.c.warning + " Guardian key saved to ~/.arc402/guardian.key — move offline for security");
+            console.log("   " + colors_1.c.dim("Address: ") + colors_1.c.white(generatedGuardian.address) + "\n");
+            const guardianIface = new ethers_1.ethers.Interface(["function setGuardian(address _guardian) external"]);
+            await sendTx({ to: walletAddress, data: guardianIface.encodeFunctionData("setGuardian", [guardianAddress]), value: "0x0" }, "setGuardian");
+            (0, config_1.saveConfig)(config);
+        }
+        else if (guardianInput && ethers_1.ethers.isAddress(guardianInput)) {
+            guardianAddress = guardianInput;
+            config.guardianAddress = guardianInput;
+            const guardianIface = new ethers_1.ethers.Interface(["function setGuardian(address _guardian) external"]);
+            await sendTx({ to: walletAddress, data: guardianIface.encodeFunctionData("setGuardian", [guardianAddress]), value: "0x0" }, "setGuardian");
+            (0, config_1.saveConfig)(config);
+        }
+        else if (guardianInput) {
+            console.log(" " + colors_1.c.warning + " Invalid address — guardian skipped");
+        }
+    }
+    // 4c) setCategoryLimitFor('hire')
+    let hireLimit = "0.1";
+    let hireLimitAlreadySet = false;
+    try {
+        const limitsContract = new ethers_1.ethers.Contract(policyAddress, abis_1.POLICY_ENGINE_LIMITS_ABI, provider);
+        const existing = await limitsContract.categoryLimits(walletAddress, "hire");
+        if (existing > 0n) {
+            hireLimitAlreadySet = true;
+            hireLimit = ethers_1.ethers.formatEther(existing);
+            console.log(" " + colors_1.c.success + colors_1.c.dim(` Hire limit already set: ${hireLimit} ETH`));
+        }
+    }
+    catch { /* ignore */ }
+    if (!hireLimitAlreadySet) {
+        const limitAns = await (0, prompts_1.default)({
+            type: "text",
+            name: "limit",
+            message: "Max price per hire (ETH)?",
+            initial: "0.1",
+        });
+        hireLimit = limitAns.limit || "0.1";
+        const hireLimitWei = ethers_1.ethers.parseEther(hireLimit);
+        const policyIface = new ethers_1.ethers.Interface([
+            "function setCategoryLimitFor(address wallet, string category, uint256 limitPerTx) external",
+        ]);
+        await sendTx({ to: policyAddress, data: policyIface.encodeFunctionData("setCategoryLimitFor", [walletAddress, "hire", hireLimitWei]), value: "0x0" }, `setCategoryLimitFor: hire → ${hireLimit} ETH`);
+        (0, config_1.saveConfig)(config);
+    }
+    // 4d) enableContractInteraction(wallet, Handshake)
+    const contractInteractionIface = new ethers_1.ethers.Interface([
+        "function enableContractInteraction(address wallet, address target) external",
+    ]);
+    await sendTx({ to: policyAddress, data: contractInteractionIface.encodeFunctionData("enableContractInteraction", [walletAddress, handshakeAddress]), value: "0x0" }, "enableContractInteraction: Handshake");
+    (0, config_1.saveConfig)(config);
+    console.log(" " + colors_1.c.success + " Policy configured");
+    // ── Step 5: Agent Registration ─────────────────────────────────────────────
+    console.log("\n" + colors_1.c.dim("── Step 5: Agent Registration ─────────────────────────────────"));
+    let agentAlreadyRegistered = false;
+    let agentName = "";
+    let agentServiceType = "";
+    let agentEndpoint = "";
+    if (agentRegistryAddress) {
+        try {
+            const regContract = new ethers_1.ethers.Contract(agentRegistryAddress, abis_1.AGENT_REGISTRY_ABI, provider);
+            agentAlreadyRegistered = await regContract.isRegistered(walletAddress);
+            if (agentAlreadyRegistered) {
+                const info = await regContract.getAgent(walletAddress);
+                agentName = info.name;
+                agentServiceType = info.serviceType;
+                agentEndpoint = info.endpoint;
+                console.log(" " + colors_1.c.success + colors_1.c.dim(` Agent already registered: ${agentName}`));
+            }
+        }
+        catch { /* ignore */ }
+        if (!agentAlreadyRegistered) {
+            const rawHostname = os_1.default.hostname();
+            const cleanHostname = rawHostname.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+            const answers = await (0, prompts_1.default)([
+                { type: "text", name: "name", message: "Agent name?", initial: cleanHostname },
+                { type: "text", name: "serviceType", message: "Service type?", initial: "intelligence" },
+                { type: "text", name: "caps", message: "Capabilities? (comma-separated)", initial: "research" },
+                { type: "text", name: "endpoint", message: "Endpoint?", initial: `https://${cleanHostname}.arc402.xyz` },
+            ]);
+            agentName = answers.name || cleanHostname;
+            agentServiceType = answers.serviceType || "intelligence";
+            agentEndpoint = answers.endpoint || `https://${cleanHostname}.arc402.xyz`;
+            const capabilities = (answers.caps || "research")
+                .split(",").map((s) => s.trim()).filter(Boolean);
+            // 5a) enableDefiAccess (check first)
+            const peExtIface = new ethers_1.ethers.Interface([
+                "function enableDefiAccess(address wallet) external",
+                "function whitelistContract(address wallet, address target) external",
+                "function defiAccessEnabled(address) external view returns (bool)",
+                "function isContractWhitelisted(address wallet, address target) external view returns (bool)",
+            ]);
+            const peContract = new ethers_1.ethers.Contract(policyAddress, peExtIface, provider);
+            const defiEnabled = await peContract.defiAccessEnabled(walletAddress).catch(() => false);
+            if (!defiEnabled) {
+                await sendTx({ to: policyAddress, data: peExtIface.encodeFunctionData("enableDefiAccess", [walletAddress]), value: "0x0" }, "enableDefiAccess on PolicyEngine");
+                (0, config_1.saveConfig)(config);
+            }
+            else {
+                console.log(" " + colors_1.c.success + colors_1.c.dim(" enableDefiAccess — already done"));
+            }
+            // 5b) whitelistContract for AgentRegistry (check first)
+            const whitelisted = await peContract.isContractWhitelisted(walletAddress, agentRegistryAddress).catch(() => false);
+            if (!whitelisted) {
+                await sendTx({ to: policyAddress, data: peExtIface.encodeFunctionData("whitelistContract", [walletAddress, agentRegistryAddress]), value: "0x0" }, "whitelistContract: AgentRegistry on PolicyEngine");
+                (0, config_1.saveConfig)(config);
+            }
+            else {
+                console.log(" " + colors_1.c.success + colors_1.c.dim(" whitelistContract(AgentRegistry) — already done"));
+            }
+            // 5c+d) executeContractCall → register
+            const regIface = new ethers_1.ethers.Interface(abis_1.AGENT_REGISTRY_ABI);
+            const execIface = new ethers_1.ethers.Interface(abis_1.ARC402_WALLET_EXECUTE_ABI);
+            const regData = regIface.encodeFunctionData("register", [agentName, capabilities, agentServiceType, agentEndpoint, ""]);
+            const execData = execIface.encodeFunctionData("executeContractCall", [{
+                    target: agentRegistryAddress,
+                    data: regData,
+                    value: 0n,
+                    minReturnValue: 0n,
+                    maxApprovalAmount: 0n,
+                    approvalToken: ethers_1.ethers.ZeroAddress,
+                }]);
+            await sendTx({ to: walletAddress, data: execData, value: "0x0" }, `register agent: ${agentName}`);
+            console.log(" " + colors_1.c.success + " Agent registered: " + agentName);
+        }
+    }
+    else {
+        console.log(" " + colors_1.c.warning + " AgentRegistry address not configured — skipping");
+    }
+    // ── Step 7: Workroom Init ─────────────────────────────────────────────────
+    console.log("\n" + colors_1.c.dim("── Step 7: Workroom ────────────────────────────────────────────"));
+    let workroomInitialized = false;
+    let dockerFound = false;
+    try {
+        const dockerCheck = (0, child_process_1.spawnSync)("docker", ["--version"], { encoding: "utf-8", timeout: 5000 });
+        dockerFound = dockerCheck.status === 0;
+    }
+    catch {
+        dockerFound = false;
+    }
+    if (dockerFound) {
+        console.log(" " + colors_1.c.dim("Docker found — initializing workroom..."));
+        try {
+            const initResult = (0, child_process_1.spawnSync)(process.execPath, [process.argv[1], "workroom", "init"], {
+                encoding: "utf-8",
+                timeout: 120000,
+                env: { ...process.env },
+            });
+            workroomInitialized = initResult.status === 0;
+            if (workroomInitialized) {
+                console.log(" " + colors_1.c.success + " Workroom initialized");
+            }
+            else {
+                console.log(" " + colors_1.c.warning + " Workroom init incomplete — run: arc402 workroom init");
+            }
+        }
+        catch {
+            console.log(" " + colors_1.c.warning + " Workroom init failed — run: arc402 workroom init");
+        }
+    }
+    else {
+        console.log(" " + colors_1.c.warning + " Docker not found");
+        console.log("   Install Docker: https://docs.docker.com/get-docker/");
+        console.log("   Or run daemon in host mode: " + colors_1.c.white("arc402 daemon start --host"));
+    }
+    // ── Step 8: Daemon Start ──────────────────────────────────────────────────
+    console.log("\n" + colors_1.c.dim("── Step 8: Daemon ──────────────────────────────────────────────"));
+    let daemonRunning = false;
+    const relayPort = 4402;
+    if (workroomInitialized) {
+        try {
+            const startResult = (0, child_process_1.spawnSync)(process.execPath, [process.argv[1], "workroom", "start"], {
+                encoding: "utf-8",
+                timeout: 30000,
+                env: { ...process.env },
+            });
+            daemonRunning = startResult.status === 0;
+            if (daemonRunning) {
+                console.log(" " + colors_1.c.success + " Daemon online (port " + relayPort + ")");
+            }
+            else {
+                console.log(" " + colors_1.c.warning + " Daemon start failed — run: arc402 workroom start");
+            }
+        }
+        catch {
+            console.log(" " + colors_1.c.warning + " Daemon start failed — run: arc402 workroom start");
+        }
+    }
+    else if (!dockerFound) {
+        try {
+            const startResult = (0, child_process_1.spawnSync)(process.execPath, [process.argv[1], "daemon", "start", "--host"], {
+                encoding: "utf-8",
+                timeout: 30000,
+                env: { ...process.env },
+            });
+            daemonRunning = startResult.status === 0;
+            if (daemonRunning) {
+                console.log(" " + colors_1.c.success + " Daemon online — host mode (port " + relayPort + ")");
+            }
+            else {
+                console.log(" " + colors_1.c.warning + " Daemon not started — run: arc402 daemon start --host");
+            }
+        }
+        catch {
+            console.log(" " + colors_1.c.warning + " Daemon not started — run: arc402 daemon start --host");
+        }
+    }
+    else {
+        console.log(" " + colors_1.c.warning + " Daemon not started — run: arc402 workroom init first");
+    }
+    // ── Step 6: Summary ───────────────────────────────────────────────────────
+    const trustScore = await (async () => {
+        try {
+            const trust = new ethers_1.ethers.Contract(config.trustRegistryAddress, abis_1.TRUST_REGISTRY_ABI, provider);
+            const s = await trust.getScore(walletAddress);
+            return s.toString();
+        }
+        catch {
+            return "100";
+        }
+    })();
+    const workroomLabel = dockerFound
+        ? (workroomInitialized ? (daemonRunning ? colors_1.c.green("✓ Running") : colors_1.c.yellow("✓ Initialized")) : colors_1.c.yellow("⚠ Init needed"))
+        : colors_1.c.yellow("⚠ No Docker");
+    const daemonLabel = daemonRunning
+        ? colors_1.c.green("✓ Online (port " + relayPort + ")")
+        : colors_1.c.dim("not started");
+    const endpointLabel = agentEndpoint
+        ? colors_1.c.white(agentEndpoint) + colors_1.c.dim(` → localhost:${relayPort}`)
+        : colors_1.c.dim("—");
+    console.log("\n " + colors_1.c.success + colors_1.c.white(" Onboarding complete"));
+    (0, tree_1.renderTree)([
+        { label: "Wallet", value: colors_1.c.white(walletAddress) },
+        { label: "Owner", value: colors_1.c.white(ownerAddress) },
+        { label: "Machine", value: colors_1.c.white(machineKeyAddress) + colors_1.c.dim(" (authorized)") },
+        { label: "Passkey", value: passkeyActive ? colors_1.c.green("✓ set") : colors_1.c.yellow("⚠ skipped") },
+        { label: "Velocity", value: colors_1.c.white(velocityLimitEth + " ETH") },
+        { label: "Guardian", value: guardianAddress ? colors_1.c.white(guardianAddress) : colors_1.c.dim("none") },
+        { label: "Hire limit", value: colors_1.c.white(hireLimit + " ETH") },
+        { label: "Agent", value: agentName ? colors_1.c.white(agentName) : colors_1.c.dim("not registered") },
+        { label: "Service", value: agentServiceType ? colors_1.c.white(agentServiceType) : colors_1.c.dim("—") },
+        { label: "Workroom", value: workroomLabel },
+        { label: "Daemon", value: daemonLabel },
+        { label: "Endpoint", value: endpointLabel },
+        { label: "Trust", value: colors_1.c.white(`${trustScore}`), last: true },
+    ]);
+    console.log("\n " + colors_1.c.dim("Next: fund your wallet with 0.002 ETH on Base"));
+}
 function printOpenShellHint() {
     const r = (0, child_process_1.spawnSync)("which", ["openshell"], { encoding: "utf-8" });
     if (r.status === 0 && r.stdout.trim()) {
@@ -258,16 +640,40 @@ function registerWalletCommands(program) {
         console.log(colors_1.c.dim("Next: fund your wallet with ETH, then run: arc402 wallet deploy"));
     });
     // ─── import ────────────────────────────────────────────────────────────────
-    wallet.command("import <privateKey>")
-        .description("Import an existing private key")
+    wallet.command("import")
+        .description("Import an existing private key (use --key-file or stdin prompt)")
         .option("--network <network>", "Network (base-mainnet or base-sepolia)", "base-sepolia")
-        .action(async (privateKey, opts) => {
+        .option("--key-file <path>", "Read private key from file instead of prompting")
+        .action(async (opts) => {
         const network = opts.network;
         const defaults = config_1.NETWORK_DEFAULTS[network];
         if (!defaults) {
             console.error(`Unknown network: ${network}. Use base-mainnet or base-sepolia.`);
             process.exit(1);
         }
+        let privateKey;
+        if (opts.keyFile) {
+            try {
+                privateKey = fs_1.default.readFileSync(opts.keyFile, "utf-8").trim();
+            }
+            catch (e) {
+                console.error(`Cannot read key file: ${e instanceof Error ? e.message : String(e)}`);
+                process.exit(1);
+            }
+        }
+        else {
+            // Interactive prompt — hidden input avoids shell history
+            const answer = await (0, prompts_1.default)({
+                type: "password",
+                name: "key",
+                message: "Paste private key (hidden):",
+            });
+            privateKey = (answer.key ?? "").trim();
+            if (!privateKey) {
+                console.error("No private key entered.");
+                process.exit(1);
+            }
+        }
         let imported;
         try {
             imported = new ethers_1.ethers.Wallet(privateKey);
@@ -415,8 +821,31 @@ function registerWalletCommands(program) {
         .option("--smart-wallet", "Connect via Base Smart Wallet (Coinbase Wallet SDK) instead of WalletConnect")
         .option("--hardware", "Hardware wallet mode: show raw wc: URI only (for Ledger Live, Trezor Suite, etc.)")
         .option("--sponsored", "Use CDP paymaster for gas sponsorship (requires paymasterUrl + cdpKeyName + CDP_PRIVATE_KEY env)")
+        .option("--dry-run", "Simulate the deployment ceremony without sending transactions")
         .action(async (opts) => {
         const config = (0, config_1.loadConfig)();
+        if (opts.dryRun) {
+            const factoryAddr = config.walletFactoryAddress ?? config_1.NETWORK_DEFAULTS[config.network]?.walletFactoryAddress ?? "(not configured)";
+            const chainId = config.network === "base-mainnet" ? 8453 : 84532;
+            console.log();
+            console.log(" " + colors_1.c.dim("── Dry run: wallet deploy ──────────────────────────────────────"));
+            console.log(" " + colors_1.c.dim("Network:         ") + colors_1.c.white(config.network));
+            console.log(" " + colors_1.c.dim("Chain ID:        ") + colors_1.c.white(String(chainId)));
+            console.log(" " + colors_1.c.dim("RPC:             ") + colors_1.c.white(config.rpcUrl));
+            console.log(" " + colors_1.c.dim("WalletFactory:   ") + colors_1.c.white(factoryAddr));
+            console.log(" " + colors_1.c.dim("Signing method:  ") + colors_1.c.white(opts.smartWallet ? "Base Smart Wallet" : opts.hardware ? "Hardware (WC URI)" : "WalletConnect"));
+            console.log(" " + colors_1.c.dim("Sponsored:       ") + colors_1.c.white(opts.sponsored ? "yes" : "no"));
+            console.log();
+            console.log(" " + colors_1.c.dim("Steps that would run:"));
+            console.log("   1. Connect " + (opts.smartWallet ? "Coinbase Smart Wallet" : "WalletConnect") + " session");
+            console.log("   2. Call WalletFactory.createWallet() → deploy ARC402Wallet");
+            console.log("   3. Save walletContractAddress to config");
+            console.log("   4. Run onboarding ceremony (PolicyEngine, machine key, agent registration)");
+            console.log();
+            console.log(" " + colors_1.c.dim("No transactions sent (--dry-run mode)."));
+            console.log();
+            return;
+        }
         const factoryAddress = config.walletFactoryAddress ?? config_1.NETWORK_DEFAULTS[config.network]?.walletFactoryAddress;
         if (!factoryAddress) {
             console.error("walletFactoryAddress not found in config or NETWORK_DEFAULTS. Add walletFactoryAddress to your config.");
@@ -604,30 +1033,29 @@ function registerWalletCommands(program) {
                 console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
                 process.exit(1);
             }
+            // ── Step 1 complete: save wallet + owner immediately ─────────────────
             config.walletContractAddress = walletAddress;
             config.ownerAddress = account;
             (0, config_1.saveConfig)(config);
-            console.log("\n" + colors_1.c.success + colors_1.c.white(" ARC402Wallet deployed"));
+            try {
+                fs_1.default.chmodSync((0, config_1.getConfigPath)(), 0o600);
+            }
+            catch { /* best-effort */ }
+            console.log("\n " + colors_1.c.success + colors_1.c.white(" Wallet deployed"));
             (0, tree_1.renderTree)([
                 { label: "Wallet", value: walletAddress },
-                { label: "Owner", value: account + colors_1.c.dim(" (phone wallet)"), last: true },
+                { label: "Owner", value: account, last: true },
             ]);
-            // ── Mandatory onboarding ceremony (same WalletConnect session) ────────
-            console.log("\nStarting mandatory onboarding ceremony in this WalletConnect session...");
-            await runWalletOnboardingCeremony(walletAddress, account, config, provider, async (call, description) => {
-                console.log(" " + colors_1.c.dim(`Sending: ${description}`));
+            // ── Steps 2–6: Complete onboarding ceremony (same WalletConnect session)
+            const sendTxCeremony = async (call, description) => {
+                console.log(" " + colors_1.c.dim(`◈ ${description}`));
                 const hash = await (0, walletconnect_1.sendTransactionWithSession)(client, session, account, chainId, call);
+                console.log(" " + colors_1.c.dim("  waiting for confirmation..."));
                 await provider.waitForTransaction(hash, 1);
-                console.log(" " + colors_1.c.success + " " + colors_1.c.dim(description) + " " + colors_1.c.dim(hash));
+                console.log(" " + colors_1.c.success + " " + colors_1.c.white(description));
                 return hash;
-            });
-            console.log(colors_1.c.dim("Your wallet contract is ready for policy enforcement"));
-            const paymasterUrl2 = config.paymasterUrl ?? config_1.NETWORK_DEFAULTS[config.network]?.paymasterUrl;
-            const deployedBalance = await provider.getBalance(walletAddress);
-            if (paymasterUrl2 && deployedBalance < BigInt(1000000000000000)) {
-                console.log(colors_1.c.dim("Gas sponsorship active — initial setup ops are free"));
-            }
-            console.log(colors_1.c.dim("\nNext: run 'arc402 wallet set-guardian' to configure the emergency guardian key."));
+            };
+            await runCompleteOnboardingCeremony(walletAddress, account, config, provider, sendTxCeremony);
             printOpenShellHint();
         }
         else {
@@ -657,6 +1085,7 @@ function registerWalletCommands(program) {
             // Generate guardian key (separate from hot key) and call setGuardian
             const guardianWallet = ethers_1.ethers.Wallet.createRandom();
             config.walletContractAddress = walletAddress;
+            config.ownerAddress = address;
             config.guardianPrivateKey = guardianWallet.privateKey;
             config.guardianAddress = guardianWallet.address;
             (0, config_1.saveConfig)(config);
@@ -1367,14 +1796,29 @@ function registerWalletCommands(program) {
             console.error("walletConnectProjectId not set in config. Run `arc402 config set walletConnectProjectId <id>`.");
             process.exit(1);
         }
-        const ownerAddress = config.ownerAddress;
-        if (!ownerAddress) {
-            console.error("ownerAddress not set in config. Run `arc402 wallet deploy` first.");
-            process.exit(1);
-        }
         const policyAddress = config.policyEngineAddress ?? POLICY_ENGINE_DEFAULT;
         const chainId = config.network === "base-mainnet" ? 8453 : 84532;
         const provider = new ethers_1.ethers.JsonRpcProvider(config.rpcUrl);
+        let ownerAddress = config.ownerAddress;
+        if (!ownerAddress) {
+            // Fallback 1: WalletConnect session account
+            if (config.wcSession?.account) {
+                ownerAddress = config.wcSession.account;
+                console.log(colors_1.c.dim(`Owner resolved from WalletConnect session: ${ownerAddress}`));
+            }
+            else {
+                // Fallback 2: call owner() on the wallet contract
+                try {
+                    const walletOwnerContract = new ethers_1.ethers.Contract(config.walletContractAddress, ["function owner() external view returns (address)"], provider);
+                    ownerAddress = await walletOwnerContract.owner();
+                    console.log(colors_1.c.dim(`Owner resolved from contract: ${ownerAddress}`));
+                }
+                catch {
+                    console.error("ownerAddress not set in config and could not be resolved from contract or WalletConnect session.");
+                    process.exit(1);
+                }
+            }
+        }
         // Encode registerWallet(wallet, owner) calldata — called on PolicyEngine
         const policyInterface = new ethers_1.ethers.Interface([
             "function registerWallet(address wallet, address owner) external",