arc402-cli 0.5.0 → 0.7.0

package/src/commands/wallet.ts

@@ -9,7 +9,7 @@ import { spawnSync } from "child_process";
 import { Arc402Config, getConfigPath, getUsdcAddress, loadConfig, NETWORK_DEFAULTS, saveConfig } from "../config";
 import { getClient, requireSigner } from "../client";
 import { getTrustTier } from "../utils/format";
-import { ARC402_WALLET_EXECUTE_ABI, ARC402_WALLET_GUARDIAN_ABI, ARC402_WALLET_MACHINE_KEY_ABI, ARC402_WALLET_OWNER_ABI, ARC402_WALLET_PASSKEY_ABI, ARC402_WALLET_PROTOCOL_ABI, ARC402_WALLET_REGISTRY_ABI, POLICY_ENGINE_GOVERNANCE_ABI, POLICY_ENGINE_LIMITS_ABI, TRUST_REGISTRY_ABI, WALLET_FACTORY_ABI } from "../abis";
+import { AGENT_REGISTRY_ABI, ARC402_WALLET_EXECUTE_ABI, ARC402_WALLET_GUARDIAN_ABI, ARC402_WALLET_MACHINE_KEY_ABI, ARC402_WALLET_OWNER_ABI, ARC402_WALLET_PASSKEY_ABI, ARC402_WALLET_PROTOCOL_ABI, ARC402_WALLET_REGISTRY_ABI, POLICY_ENGINE_GOVERNANCE_ABI, POLICY_ENGINE_LIMITS_ABI, TRUST_REGISTRY_ABI, WALLET_FACTORY_ABI } from "../abis";
 import { warnIfPublicRpc } from "../config";
 import { connectPhoneWallet, sendTransactionWithSession, requestPhoneWalletSignature } from "../walletconnect";
 import { BundlerClient, buildSponsoredUserOp, PaymasterClient, DEFAULT_ENTRY_POINT } from "../bundler";
@@ -123,6 +123,425 @@ async function runWalletOnboardingCeremony(
   console.log(" " + c.dim("arc402 wallet policy set-daily-limit --category general --amount <eth>   — daily per-category cap"));
 }
 
+/**
+ * Complete ARC-402 onboarding ceremony — matches web flow at app.arc402.xyz/onboard.
+ * Runs in a single WalletConnect session (or any sendTx provider). Idempotent.
+ *
+ * Steps:
+ *   2. Machine key — generate + authorizeMachineKey
+ *   3. Passkey    — CLI shows browser URL (WebAuthn requires browser)
+ *   4. Policy     — v5 protocol bypass; set hire limit + optional guardian
+ *   5. Agent      — register on AgentRegistry via executeContractCall
+ *   6. Summary    — branded tree
+ */
+async function runCompleteOnboardingCeremony(
+  walletAddress: string,
+  ownerAddress: string,
+  config: Arc402Config,
+  provider: ethers.JsonRpcProvider,
+  sendTx: (call: { to: string; data: string; value: string }, description: string) => Promise<string>,
+): Promise<void> {
+  const policyAddress = config.policyEngineAddress ?? POLICY_ENGINE_DEFAULT;
+  const agentRegistryAddress =
+    config.agentRegistryV2Address ??
+    NETWORK_DEFAULTS[config.network]?.agentRegistryV2Address;
+  const handshakeAddress =
+    config.handshakeAddress ??
+    NETWORK_DEFAULTS[config.network]?.handshakeAddress ??
+    "0x4F5A38Bb746d7E5d49d8fd26CA6beD141Ec2DDb3";
+
+  // ── Step 2: Machine Key ────────────────────────────────────────────────────
+  console.log("\n" + c.dim("── Step 2: Machine Key ────────────────────────────────────────"));
+
+  let machineKeyAddress: string;
+  if (config.privateKey) {
+    machineKeyAddress = new ethers.Wallet(config.privateKey).address;
+  } else {
+    const mk = ethers.Wallet.createRandom();
+    machineKeyAddress = mk.address;
+    config.privateKey = mk.privateKey;
+    saveConfig(config);
+    console.log(" " + c.dim("Machine key generated: ") + c.white(machineKeyAddress));
+    console.log(" " + c.dim("Private key saved to ~/.arc402/config.json (chmod 600)"));
+  }
+
+  let mkAlreadyAuthorized = false;
+  try {
+    const mkContract = new ethers.Contract(walletAddress, ARC402_WALLET_MACHINE_KEY_ABI, provider);
+    mkAlreadyAuthorized = await mkContract.authorizedMachineKeys(machineKeyAddress) as boolean;
+  } catch { /* older wallet — will try to authorize */ }
+
+  if (mkAlreadyAuthorized) {
+    console.log(" " + c.success + c.dim(" Machine key already authorized: ") + c.white(machineKeyAddress));
+  } else {
+    console.log(" " + c.dim("Authorizing machine key: ") + c.white(machineKeyAddress));
+    const mkIface = new ethers.Interface(ARC402_WALLET_MACHINE_KEY_ABI);
+    await sendTx(
+      { to: walletAddress, data: mkIface.encodeFunctionData("authorizeMachineKey", [machineKeyAddress]), value: "0x0" },
+      "authorizeMachineKey",
+    );
+    console.log(" " + c.success + " Machine key authorized");
+  }
+
+  // ── Step 3: Passkey ───────────────────────────────────────────────────────
+  console.log("\n" + c.dim("── Step 3: Passkey (Face ID / WebAuthn) ──────────────────────"));
+
+  let passkeyActive = false;
+  try {
+    const walletC = new ethers.Contract(walletAddress, ARC402_WALLET_PASSKEY_ABI, provider);
+    const auth = await walletC.ownerAuth() as [bigint, string, string];
+    passkeyActive = Number(auth[0]) === 1;
+  } catch { /* ignore */ }
+
+  if (passkeyActive) {
+    console.log(" " + c.success + c.dim(" Passkey already active"));
+  } else {
+    const passkeyUrl = `https://app.arc402.xyz/passkey-setup?wallet=${walletAddress}`;
+    console.log("\n " + c.white("Open this URL in your browser to set up Face ID:"));
+    console.log("   " + c.cyan(passkeyUrl));
+    console.log(" " + c.dim("Complete Face ID registration, then press Enter. Type 'n' + Enter to skip.\n"));
+    const passkeyAns = await prompts({
+      type: "text",
+      name: "done",
+      message: "Press Enter when done (or type 'n' to skip)",
+      initial: "",
+    });
+    if ((passkeyAns.done as string | undefined)?.toLowerCase() === "n") {
+      console.log(" " + c.warning + " Passkey skipped");
+    } else {
+      passkeyActive = true;
+      console.log(" " + c.success + " Passkey set (via browser)");
+    }
+  }
+
+  // ── Step 4: Policy ────────────────────────────────────────────────────────
+  console.log("\n" + c.dim("── Step 4: Policy ─────────────────────────────────────────────"));
+
+  // 4a) setVelocityLimit
+  let velocityLimitEth = "0.05";
+  let velocityAlreadySet = false;
+  try {
+    const ownerC = new ethers.Contract(walletAddress, ARC402_WALLET_OWNER_ABI, provider);
+    const existing = await ownerC.velocityLimit() as bigint;
+    if (existing > 0n) {
+      velocityAlreadySet = true;
+      velocityLimitEth = ethers.formatEther(existing);
+      console.log(" " + c.success + c.dim(` Velocity limit already set: ${velocityLimitEth} ETH`));
+    }
+  } catch { /* ignore */ }
+
+  if (!velocityAlreadySet) {
+    const velAns = await prompts({
+      type: "text",
+      name: "limit",
+      message: "Velocity limit (ETH / rolling window)?",
+      initial: "0.05",
+    });
+    velocityLimitEth = (velAns.limit as string | undefined) || "0.05";
+    const velIface = new ethers.Interface(["function setVelocityLimit(uint256 limit) external"]);
+    await sendTx(
+      { to: walletAddress, data: velIface.encodeFunctionData("setVelocityLimit", [ethers.parseEther(velocityLimitEth)]), value: "0x0" },
+      `setVelocityLimit: ${velocityLimitEth} ETH`,
+    );
+    saveConfig(config);
+  }
+
+  // 4b) setGuardian (optional — address, 'g' to generate, or skip)
+  let guardianAddress: string | null = null;
+  try {
+    const guardianC = new ethers.Contract(walletAddress, ARC402_WALLET_GUARDIAN_ABI, provider);
+    const existing = await guardianC.guardian() as string;
+    if (existing && existing !== ethers.ZeroAddress) {
+      guardianAddress = existing;
+      console.log(" " + c.success + c.dim(` Guardian already set: ${existing}`));
+    }
+  } catch { /* ignore */ }
+
+  if (!guardianAddress) {
+    const guardianAns = await prompts({
+      type: "text",
+      name: "guardian",
+      message: "Guardian address? (address, 'g' to generate, Enter to skip)",
+      initial: "",
+    });
+    const guardianInput = (guardianAns.guardian as string | undefined)?.trim() ?? "";
+    if (guardianInput.toLowerCase() === "g") {
+      const generatedGuardian = ethers.Wallet.createRandom();
+      // Save guardian private key to a separate restricted file, NOT config.json
+      const guardianKeyPath = path.join(os.homedir(), ".arc402", "guardian.key");
+      fs.mkdirSync(path.dirname(guardianKeyPath), { recursive: true, mode: 0o700 });
+      fs.writeFileSync(guardianKeyPath, generatedGuardian.privateKey + "\n", { mode: 0o400 });
+      // Only save address (not private key) to config
+      config.guardianAddress = generatedGuardian.address;
+      saveConfig(config);
+      guardianAddress = generatedGuardian.address;
+      console.log("\n " + c.warning + " Guardian key saved to ~/.arc402/guardian.key — move offline for security");
+      console.log("   " + c.dim("Address: ") + c.white(generatedGuardian.address) + "\n");
+      const guardianIface = new ethers.Interface(["function setGuardian(address _guardian) external"]);
+      await sendTx(
+        { to: walletAddress, data: guardianIface.encodeFunctionData("setGuardian", [guardianAddress]), value: "0x0" },
+        "setGuardian",
+      );
+      saveConfig(config);
+    } else if (guardianInput && ethers.isAddress(guardianInput)) {
+      guardianAddress = guardianInput;
+      config.guardianAddress = guardianInput;
+      const guardianIface = new ethers.Interface(["function setGuardian(address _guardian) external"]);
+      await sendTx(
+        { to: walletAddress, data: guardianIface.encodeFunctionData("setGuardian", [guardianAddress]), value: "0x0" },
+        "setGuardian",
+      );
+      saveConfig(config);
+    } else if (guardianInput) {
+      console.log(" " + c.warning + " Invalid address — guardian skipped");
+    }
+  }
+
+  // 4c) setCategoryLimitFor('hire')
+  let hireLimit = "0.1";
+  let hireLimitAlreadySet = false;
+  try {
+    const limitsContract = new ethers.Contract(policyAddress, POLICY_ENGINE_LIMITS_ABI, provider);
+    const existing = await limitsContract.categoryLimits(walletAddress, "hire") as bigint;
+    if (existing > 0n) {
+      hireLimitAlreadySet = true;
+      hireLimit = ethers.formatEther(existing);
+      console.log(" " + c.success + c.dim(` Hire limit already set: ${hireLimit} ETH`));
+    }
+  } catch { /* ignore */ }
+
+  if (!hireLimitAlreadySet) {
+    const limitAns = await prompts({
+      type: "text",
+      name: "limit",
+      message: "Max price per hire (ETH)?",
+      initial: "0.1",
+    });
+    hireLimit = (limitAns.limit as string | undefined) || "0.1";
+    const hireLimitWei = ethers.parseEther(hireLimit);
+    const policyIface = new ethers.Interface([
+      "function setCategoryLimitFor(address wallet, string category, uint256 limitPerTx) external",
+    ]);
+    await sendTx(
+      { to: policyAddress, data: policyIface.encodeFunctionData("setCategoryLimitFor", [walletAddress, "hire", hireLimitWei]), value: "0x0" },
+      `setCategoryLimitFor: hire → ${hireLimit} ETH`,
+    );
+    saveConfig(config);
+  }
+
+  // 4d) enableContractInteraction(wallet, Handshake)
+  const contractInteractionIface = new ethers.Interface([
+    "function enableContractInteraction(address wallet, address target) external",
+  ]);
+  await sendTx(
+    { to: policyAddress, data: contractInteractionIface.encodeFunctionData("enableContractInteraction", [walletAddress, handshakeAddress]), value: "0x0" },
+    "enableContractInteraction: Handshake",
+  );
+  saveConfig(config);
+
+  console.log(" " + c.success + " Policy configured");
+
+  // ── Step 5: Agent Registration ─────────────────────────────────────────────
+  console.log("\n" + c.dim("── Step 5: Agent Registration ─────────────────────────────────"));
+
+  let agentAlreadyRegistered = false;
+  let agentName = "";
+  let agentServiceType = "";
+  let agentEndpoint = "";
+
+  if (agentRegistryAddress) {
+    try {
+      const regContract = new ethers.Contract(agentRegistryAddress, AGENT_REGISTRY_ABI, provider);
+      agentAlreadyRegistered = await regContract.isRegistered(walletAddress) as boolean;
+      if (agentAlreadyRegistered) {
+        const info = await regContract.getAgent(walletAddress) as { name: string; serviceType: string; endpoint: string };
+        agentName = info.name;
+        agentServiceType = info.serviceType;
+        agentEndpoint = info.endpoint;
+        console.log(" " + c.success + c.dim(` Agent already registered: ${agentName}`));
+      }
+    } catch { /* ignore */ }
+
+    if (!agentAlreadyRegistered) {
+      const rawHostname = os.hostname();
+      const cleanHostname = rawHostname.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+      const answers = await prompts([
+        { type: "text", name: "name",        message: "Agent name?",                          initial: cleanHostname },
+        { type: "text", name: "serviceType", message: "Service type?",                        initial: "intelligence" },
+        { type: "text", name: "caps",        message: "Capabilities? (comma-separated)",       initial: "research" },
+        { type: "text", name: "endpoint",    message: "Endpoint?",                            initial: `https://${cleanHostname}.arc402.xyz` },
+      ]);
+
+      agentName        = (answers.name        as string | undefined) || cleanHostname;
+      agentServiceType = (answers.serviceType as string | undefined) || "intelligence";
+      agentEndpoint    = (answers.endpoint    as string | undefined) || `https://${cleanHostname}.arc402.xyz`;
+      const capabilities: string[] = ((answers.caps as string | undefined) || "research")
+        .split(",").map((s) => s.trim()).filter(Boolean);
+
+      // 5a) enableDefiAccess (check first)
+      const peExtIface = new ethers.Interface([
+        "function enableDefiAccess(address wallet) external",
+        "function whitelistContract(address wallet, address target) external",
+        "function defiAccessEnabled(address) external view returns (bool)",
+        "function isContractWhitelisted(address wallet, address target) external view returns (bool)",
+      ]);
+      const peContract = new ethers.Contract(policyAddress, peExtIface, provider);
+
+      const defiEnabled = await peContract.defiAccessEnabled(walletAddress).catch(() => false) as boolean;
+      if (!defiEnabled) {
+        await sendTx(
+          { to: policyAddress, data: peExtIface.encodeFunctionData("enableDefiAccess", [walletAddress]), value: "0x0" },
+          "enableDefiAccess on PolicyEngine",
+        );
+        saveConfig(config);
+      } else {
+        console.log(" " + c.success + c.dim(" enableDefiAccess — already done"));
+      }
+
+      // 5b) whitelistContract for AgentRegistry (check first)
+      const whitelisted = await peContract.isContractWhitelisted(walletAddress, agentRegistryAddress).catch(() => false) as boolean;
+      if (!whitelisted) {
+        await sendTx(
+          { to: policyAddress, data: peExtIface.encodeFunctionData("whitelistContract", [walletAddress, agentRegistryAddress]), value: "0x0" },
+          "whitelistContract: AgentRegistry on PolicyEngine",
+        );
+        saveConfig(config);
+      } else {
+        console.log(" " + c.success + c.dim(" whitelistContract(AgentRegistry) — already done"));
+      }
+
+      // 5c+d) executeContractCall → register
+      const regIface  = new ethers.Interface(AGENT_REGISTRY_ABI);
+      const execIface = new ethers.Interface(ARC402_WALLET_EXECUTE_ABI);
+      const regData   = regIface.encodeFunctionData("register", [agentName, capabilities, agentServiceType, agentEndpoint, ""]);
+      const execData  = execIface.encodeFunctionData("executeContractCall", [{
+        target: agentRegistryAddress,
+        data: regData,
+        value: 0n,
+        minReturnValue: 0n,
+        maxApprovalAmount: 0n,
+        approvalToken: ethers.ZeroAddress,
+      }]);
+      await sendTx({ to: walletAddress, data: execData, value: "0x0" }, `register agent: ${agentName}`);
+      console.log(" " + c.success + " Agent registered: " + agentName);
+    }
+  } else {
+    console.log(" " + c.warning + " AgentRegistry address not configured — skipping");
+  }
+
+  // ── Step 7: Workroom Init ─────────────────────────────────────────────────
+  console.log("\n" + c.dim("── Step 7: Workroom ────────────────────────────────────────────"));
+
+  let workroomInitialized = false;
+  let dockerFound = false;
+  try {
+    const dockerCheck = spawnSync("docker", ["--version"], { encoding: "utf-8", timeout: 5000 });
+    dockerFound = dockerCheck.status === 0;
+  } catch { dockerFound = false; }
+
+  if (dockerFound) {
+    console.log(" " + c.dim("Docker found — initializing workroom..."));
+    try {
+      const initResult = spawnSync(process.execPath, [process.argv[1], "workroom", "init"], {
+        encoding: "utf-8",
+        timeout: 120000,
+        env: { ...process.env },
+      });
+      workroomInitialized = initResult.status === 0;
+      if (workroomInitialized) {
+        console.log(" " + c.success + " Workroom initialized");
+      } else {
+        console.log(" " + c.warning + " Workroom init incomplete — run: arc402 workroom init");
+      }
+    } catch {
+      console.log(" " + c.warning + " Workroom init failed — run: arc402 workroom init");
+    }
+  } else {
+    console.log(" " + c.warning + " Docker not found");
+    console.log("   Install Docker: https://docs.docker.com/get-docker/");
+    console.log("   Or run daemon in host mode: " + c.white("arc402 daemon start --host"));
+  }
+
+  // ── Step 8: Daemon Start ──────────────────────────────────────────────────
+  console.log("\n" + c.dim("── Step 8: Daemon ──────────────────────────────────────────────"));
+
+  let daemonRunning = false;
+  const relayPort = 4402;
+
+  if (workroomInitialized) {
+    try {
+      const startResult = spawnSync(process.execPath, [process.argv[1], "workroom", "start"], {
+        encoding: "utf-8",
+        timeout: 30000,
+        env: { ...process.env },
+      });
+      daemonRunning = startResult.status === 0;
+      if (daemonRunning) {
+        console.log(" " + c.success + " Daemon online (port " + relayPort + ")");
+      } else {
+        console.log(" " + c.warning + " Daemon start failed — run: arc402 workroom start");
+      }
+    } catch {
+      console.log(" " + c.warning + " Daemon start failed — run: arc402 workroom start");
+    }
+  } else if (!dockerFound) {
+    try {
+      const startResult = spawnSync(process.execPath, [process.argv[1], "daemon", "start", "--host"], {
+        encoding: "utf-8",
+        timeout: 30000,
+        env: { ...process.env },
+      });
+      daemonRunning = startResult.status === 0;
+      if (daemonRunning) {
+        console.log(" " + c.success + " Daemon online — host mode (port " + relayPort + ")");
+      } else {
+        console.log(" " + c.warning + " Daemon not started — run: arc402 daemon start --host");
+      }
+    } catch {
+      console.log(" " + c.warning + " Daemon not started — run: arc402 daemon start --host");
+    }
+  } else {
+    console.log(" " + c.warning + " Daemon not started — run: arc402 workroom init first");
+  }
+
+  // ── Step 6: Summary ───────────────────────────────────────────────────────
+  const trustScore = await (async () => {
+    try {
+      const trust = new ethers.Contract(config.trustRegistryAddress, TRUST_REGISTRY_ABI, provider);
+      const s = await trust.getScore(walletAddress) as bigint;
+      return s.toString();
+    } catch { return "100"; }
+  })();
+
+  const workroomLabel = dockerFound
+    ? (workroomInitialized ? (daemonRunning ? c.green("✓ Running") : c.yellow("✓ Initialized")) : c.yellow("⚠ Init needed"))
+    : c.yellow("⚠ No Docker");
+  const daemonLabel = daemonRunning
+    ? c.green("✓ Online (port " + relayPort + ")")
+    : c.dim("not started");
+  const endpointLabel = agentEndpoint
+    ? c.white(agentEndpoint) + c.dim(` → localhost:${relayPort}`)
+    : c.dim("—");
+
+  console.log("\n " + c.success + c.white(" Onboarding complete"));
+  renderTree([
+    { label: "Wallet",     value: c.white(walletAddress) },
+    { label: "Owner",      value: c.white(ownerAddress) },
+    { label: "Machine",    value: c.white(machineKeyAddress) + c.dim(" (authorized)") },
+    { label: "Passkey",    value: passkeyActive ? c.green("✓ set") : c.yellow("⚠ skipped") },
+    { label: "Velocity",   value: c.white(velocityLimitEth + " ETH") },
+    { label: "Guardian",   value: guardianAddress ? c.white(guardianAddress) : c.dim("none") },
+    { label: "Hire limit", value: c.white(hireLimit + " ETH") },
+    { label: "Agent",      value: agentName ? c.white(agentName) : c.dim("not registered") },
+    { label: "Service",    value: agentServiceType ? c.white(agentServiceType) : c.dim("—") },
+    { label: "Workroom",   value: workroomLabel },
+    { label: "Daemon",     value: daemonLabel },
+    { label: "Endpoint",   value: endpointLabel },
+    { label: "Trust",      value: c.white(`${trustScore}`), last: true },
+  ]);
+  console.log("\n " + c.dim("Next: fund your wallet with 0.002 ETH on Base"));
+}
+
 function printOpenShellHint(): void {
   const r = spawnSync("which", ["openshell"], { encoding: "utf-8" });
   if (r.status === 0 && r.stdout.trim()) {
@@ -270,16 +689,40 @@ export function registerWalletCommands(program: Command): void {
 
   // ─── import ────────────────────────────────────────────────────────────────
 
-  wallet.command("import <privateKey>")
-    .description("Import an existing private key")
+  wallet.command("import")
+    .description("Import an existing private key (use --key-file or stdin prompt)")
     .option("--network <network>", "Network (base-mainnet or base-sepolia)", "base-sepolia")
-    .action(async (privateKey, opts) => {
+    .option("--key-file <path>", "Read private key from file instead of prompting")
+    .action(async (opts) => {
       const network = opts.network as "base-mainnet" | "base-sepolia";
       const defaults = NETWORK_DEFAULTS[network];
       if (!defaults) {
         console.error(`Unknown network: ${network}. Use base-mainnet or base-sepolia.`);
         process.exit(1);
       }
+
+      let privateKey: string;
+      if (opts.keyFile) {
+        try {
+          privateKey = fs.readFileSync(opts.keyFile, "utf-8").trim();
+        } catch (e) {
+          console.error(`Cannot read key file: ${e instanceof Error ? e.message : String(e)}`);
+          process.exit(1);
+        }
+      } else {
+        // Interactive prompt — hidden input avoids shell history
+        const answer = await prompts({
+          type: "password",
+          name: "key",
+          message: "Paste private key (hidden):",
+        });
+        privateKey = ((answer.key as string | undefined) ?? "").trim();
+        if (!privateKey) {
+          console.error("No private key entered.");
+          process.exit(1);
+        }
+      }
+
       let imported: ethers.Wallet;
       try {
         imported = new ethers.Wallet(privateKey);
@@ -434,8 +877,32 @@ export function registerWalletCommands(program: Command): void {
     .option("--smart-wallet", "Connect via Base Smart Wallet (Coinbase Wallet SDK) instead of WalletConnect")
     .option("--hardware", "Hardware wallet mode: show raw wc: URI only (for Ledger Live, Trezor Suite, etc.)")
     .option("--sponsored", "Use CDP paymaster for gas sponsorship (requires paymasterUrl + cdpKeyName + CDP_PRIVATE_KEY env)")
+    .option("--dry-run", "Simulate the deployment ceremony without sending transactions")
     .action(async (opts) => {
       const config = loadConfig();
+
+      if (opts.dryRun) {
+        const factoryAddr = config.walletFactoryAddress ?? NETWORK_DEFAULTS[config.network]?.walletFactoryAddress ?? "(not configured)";
+        const chainId = config.network === "base-mainnet" ? 8453 : 84532;
+        console.log();
+        console.log(" " + c.dim("── Dry run: wallet deploy ──────────────────────────────────────"));
+        console.log(" " + c.dim("Network:         ") + c.white(config.network));
+        console.log(" " + c.dim("Chain ID:        ") + c.white(String(chainId)));
+        console.log(" " + c.dim("RPC:             ") + c.white(config.rpcUrl));
+        console.log(" " + c.dim("WalletFactory:   ") + c.white(factoryAddr));
+        console.log(" " + c.dim("Signing method:  ") + c.white(opts.smartWallet ? "Base Smart Wallet" : opts.hardware ? "Hardware (WC URI)" : "WalletConnect"));
+        console.log(" " + c.dim("Sponsored:       ") + c.white(opts.sponsored ? "yes" : "no"));
+        console.log();
+        console.log(" " + c.dim("Steps that would run:"));
+        console.log("   1. Connect " + (opts.smartWallet ? "Coinbase Smart Wallet" : "WalletConnect") + " session");
+        console.log("   2. Call WalletFactory.createWallet() → deploy ARC402Wallet");
+        console.log("   3. Save walletContractAddress to config");
+        console.log("   4. Run onboarding ceremony (PolicyEngine, machine key, agent registration)");
+        console.log();
+        console.log(" " + c.dim("No transactions sent (--dry-run mode)."));
+        console.log();
+        return;
+      }
       const factoryAddress = config.walletFactoryAddress ?? NETWORK_DEFAULTS[config.network]?.walletFactoryAddress;
       if (!factoryAddress) {
         console.error("walletFactoryAddress not found in config or NETWORK_DEFAULTS. Add walletFactoryAddress to your config.");
@@ -655,38 +1122,30 @@ export function registerWalletCommands(program: Command): void {
           console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
           process.exit(1);
         }
+        // ── Step 1 complete: save wallet + owner immediately ─────────────────
         config.walletContractAddress = walletAddress;
         config.ownerAddress = account;
         saveConfig(config);
-        console.log("\n" + c.success + c.white(" ARC402Wallet deployed"));
+        try { fs.chmodSync(getConfigPath(), 0o600); } catch { /* best-effort */ }
+        console.log("\n " + c.success + c.white(" Wallet deployed"));
         renderTree([
           { label: "Wallet", value: walletAddress },
-          { label: "Owner", value: account + c.dim(" (phone wallet)"), last: true },
+          { label: "Owner", value: account, last: true },
         ]);
 
-        // ── Mandatory onboarding ceremony (same WalletConnect session) ────────
-        console.log("\nStarting mandatory onboarding ceremony in this WalletConnect session...");
-        await runWalletOnboardingCeremony(
-          walletAddress,
-          account,
-          config,
-          provider,
-          async (call, description) => {
-            console.log(" " + c.dim(`Sending: ${description}`));
-            const hash = await sendTransactionWithSession(client, session, account, chainId, call);
-            await provider.waitForTransaction(hash, 1);
-            console.log(" " + c.success + " " + c.dim(description) + " " + c.dim(hash));
-            return hash;
-          },
-        );
-
-        console.log(c.dim("Your wallet contract is ready for policy enforcement"));
-        const paymasterUrl2 = config.paymasterUrl ?? NETWORK_DEFAULTS[config.network]?.paymasterUrl;
-        const deployedBalance = await provider.getBalance(walletAddress);
-        if (paymasterUrl2 && deployedBalance < BigInt(1_000_000_000_000_000)) {
-          console.log(c.dim("Gas sponsorship active — initial setup ops are free"));
-        }
-        console.log(c.dim("\nNext: run 'arc402 wallet set-guardian' to configure the emergency guardian key."));
+        // ── Steps 2–6: Complete onboarding ceremony (same WalletConnect session)
+        const sendTxCeremony = async (
+          call: { to: string; data: string; value: string },
+          description: string,
+        ): Promise<string> => {
+          console.log(" " + c.dim(`◈ ${description}`));
+          const hash = await sendTransactionWithSession(client, session, account, chainId, call);
+          console.log(" " + c.dim("  waiting for confirmation..."));
+          await provider.waitForTransaction(hash, 1);
+          console.log(" " + c.success + " " + c.white(description));
+          return hash;
+        };
+        await runCompleteOnboardingCeremony(walletAddress, account, config, provider, sendTxCeremony);
         printOpenShellHint();
       } else {
         console.warn("⚠ WalletConnect not configured. Using stored private key (insecure).");
@@ -715,6 +1174,7 @@ export function registerWalletCommands(program: Command): void {
         // Generate guardian key (separate from hot key) and call setGuardian
         const guardianWallet = ethers.Wallet.createRandom();
         config.walletContractAddress = walletAddress;
+        config.ownerAddress = address;
         config.guardianPrivateKey = guardianWallet.privateKey;
         config.guardianAddress = guardianWallet.address;
         saveConfig(config);
@@ -1572,16 +2032,33 @@ export function registerWalletCommands(program: Command): void {
         console.error("walletConnectProjectId not set in config. Run `arc402 config set walletConnectProjectId <id>`.");
         process.exit(1);
       }
-      const ownerAddress = config.ownerAddress;
-      if (!ownerAddress) {
-        console.error("ownerAddress not set in config. Run `arc402 wallet deploy` first.");
-        process.exit(1);
-      }
-
       const policyAddress = config.policyEngineAddress ?? POLICY_ENGINE_DEFAULT;
       const chainId = config.network === "base-mainnet" ? 8453 : 84532;
       const provider = new ethers.JsonRpcProvider(config.rpcUrl);
 
+      let ownerAddress = config.ownerAddress;
+      if (!ownerAddress) {
+        // Fallback 1: WalletConnect session account
+        if (config.wcSession?.account) {
+          ownerAddress = config.wcSession.account;
+          console.log(c.dim(`Owner resolved from WalletConnect session: ${ownerAddress}`));
+        } else {
+          // Fallback 2: call owner() on the wallet contract
+          try {
+            const walletOwnerContract = new ethers.Contract(
+              config.walletContractAddress!,
+              ["function owner() external view returns (address)"],
+              provider,
+            );
+            ownerAddress = await walletOwnerContract.owner();
+            console.log(c.dim(`Owner resolved from contract: ${ownerAddress}`));
+          } catch {
+            console.error("ownerAddress not set in config and could not be resolved from contract or WalletConnect session.");
+            process.exit(1);
+          }
+        }
+      }
+
       // Encode registerWallet(wallet, owner) calldata — called on PolicyEngine
       const policyInterface = new ethers.Interface([
         "function registerWallet(address wallet, address owner) external",

package/src/config.ts

@@ -51,6 +51,10 @@ export interface Arc402Config {
 const CONFIG_DIR = path.join(os.homedir(), ".arc402");
 const CONFIG_PATH = process.env.ARC402_CONFIG || path.join(CONFIG_DIR, "config.json");
 
+// WalletConnect project ID — get your own at cloud.walletconnect.com
+const DEFAULT_WC_PROJECT_ID = "455e9425343b9156fce1428250c9a54a";
+export const getWcProjectId = () => process.env.WC_PROJECT_ID ?? DEFAULT_WC_PROJECT_ID;
+
 export const getConfigPath = () => CONFIG_PATH;
 
 export function loadConfig(): Arc402Config {
@@ -61,7 +65,8 @@ export function loadConfig(): Arc402Config {
     const autoConfig: Arc402Config = {
       network: "base-mainnet",
       rpcUrl: defaults.rpcUrl ?? "https://mainnet.base.org",
-      walletConnectProjectId: "455e9425343b9156fce1428250c9a54a",
+      walletConnectProjectId: getWcProjectId(),
+      ownerAddress: undefined,
       policyEngineAddress: defaults.policyEngineAddress,
       trustRegistryAddress: defaults.trustRegistryAddress ?? "",
       agentRegistryAddress: d.agentRegistryV2Address ?? defaults.agentRegistryAddress,
@@ -76,6 +81,7 @@ export function loadConfig(): Arc402Config {
     };
     saveConfig(autoConfig);
     console.log(`◈ Config auto-created at ${CONFIG_PATH} (Base Mainnet)`);
+    console.log("⚠ Base Mainnet — real funds at risk. Use arc402 config init for testnet.");
     return autoConfig;
   }
   return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8")) as Arc402Config;
@@ -85,6 +91,9 @@ export function saveConfig(config: Arc402Config): void {
   const configDir = path.dirname(CONFIG_PATH);
   fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
   fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
+  if (config.privateKey) {
+    console.warn("⚠ Private key stored in plaintext at ~/.arc402/config.json");
+  }
 }
 
 export const configExists = () => fs.existsSync(CONFIG_PATH);