npm - arc402-cli - Versions diffs - 0.6.0 → 0.7.1 - Mend

arc402-cli 0.6.0 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/dist/commands/backup.d.ts +3 -0
package/dist/commands/backup.d.ts.map +1 -0
package/dist/commands/backup.js +106 -0
package/dist/commands/backup.js.map +1 -0
package/dist/commands/config.d.ts.map +1 -1
package/dist/commands/config.js +11 -1
package/dist/commands/config.js.map +1 -1
package/dist/commands/discover.d.ts.map +1 -1
package/dist/commands/discover.js +60 -15
package/dist/commands/discover.js.map +1 -1
package/dist/commands/doctor.d.ts +3 -0
package/dist/commands/doctor.d.ts.map +1 -0
package/dist/commands/doctor.js +205 -0
package/dist/commands/doctor.js.map +1 -0
package/dist/commands/wallet.d.ts.map +1 -1
package/dist/commands/wallet.js +192 -58
package/dist/commands/wallet.js.map +1 -1
package/dist/commands/watch.d.ts.map +1 -1
package/dist/commands/watch.js +146 -9
package/dist/commands/watch.js.map +1 -1
package/dist/config.d.ts +9 -0
package/dist/config.d.ts.map +1 -1
package/dist/config.js +35 -3
package/dist/config.js.map +1 -1
package/dist/daemon/index.d.ts.map +1 -1
package/dist/daemon/index.js +359 -220
package/dist/daemon/index.js.map +1 -1
package/dist/endpoint-notify.d.ts +9 -1
package/dist/endpoint-notify.d.ts.map +1 -1
package/dist/endpoint-notify.js +116 -3
package/dist/endpoint-notify.js.map +1 -1
package/dist/index.js +26 -0
package/dist/index.js.map +1 -1
package/dist/program.d.ts.map +1 -1
package/dist/program.js +4 -0
package/dist/program.js.map +1 -1
package/dist/repl.d.ts.map +1 -1
package/dist/repl.js +45 -34
package/dist/repl.js.map +1 -1
package/dist/ui/format.d.ts.map +1 -1
package/dist/ui/format.js +2 -0
package/dist/ui/format.js.map +1 -1
package/package.json +1 -1
package/src/commands/backup.ts +117 -0
package/src/commands/config.ts +12 -2
package/src/commands/discover.ts +74 -21
package/src/commands/doctor.ts +172 -0
package/src/commands/wallet.ts +194 -57
package/src/commands/watch.ts +207 -10
package/src/config.ts +48 -2
package/src/daemon/index.ts +297 -152
package/src/endpoint-notify.ts +86 -3
package/src/index.ts +26 -0
package/src/program.ts +4 -0
package/src/repl.ts +53 -42
package/src/ui/format.ts +1 -0

package/src/commands/wallet.ts CHANGED Viewed

@@ -23,6 +23,27 @@ import { c } from "../ui/colors";
 import { formatAddress } from "../ui/format";
 const POLICY_ENGINE_DEFAULT = "0x44102e70c2A366632d98Fe40d892a2501fC7fFF2";
+const GUARDIAN_KEY_PATH = path.join(os.homedir(), ".arc402", "guardian.key");
+/** Save guardian private key to a restricted standalone file (never to config.json). */
+function saveGuardianKey(privateKey: string): void {
+  fs.mkdirSync(path.dirname(GUARDIAN_KEY_PATH), { recursive: true, mode: 0o700 });
+  fs.writeFileSync(GUARDIAN_KEY_PATH, privateKey + "\n", { mode: 0o400 });
+}
+/** Load guardian private key from file, falling back to config for backwards compat. */
+function loadGuardianKey(config: Arc402Config): string | null {
+  try {
+    return fs.readFileSync(GUARDIAN_KEY_PATH, "utf-8").trim();
+  } catch {
+    // Migration: if key still in config, migrate it to the file now
+    if (config.guardianPrivateKey) {
+      saveGuardianKey(config.guardianPrivateKey);
+      return config.guardianPrivateKey;
+    }
+    return null;
+  }
+}
 function parseAmount(raw: string): bigint {
   const lower = raw.toLowerCase();
@@ -182,6 +203,9 @@ async function runCompleteOnboardingCeremony(
     );
     console.log(" " + c.success + " Machine key authorized");
   }
+  // Save progress after machine key step
+  config.onboardingProgress = { walletAddress, step: 2, completedSteps: ["machineKey"] };
+  saveConfig(config);
   // ── Step 3: Passkey ───────────────────────────────────────────────────────
   console.log("\n" + c.dim("── Step 3: Passkey (Face ID / WebAuthn) ──────────────────────"));
@@ -213,6 +237,9 @@ async function runCompleteOnboardingCeremony(
       console.log(" " + c.success + " Passkey set (via browser)");
     }
   }
+  // Save progress after passkey step
+  config.onboardingProgress = { walletAddress, step: 3, completedSteps: ["machineKey", "passkey"] };
+  saveConfig(config);
   // ── Step 4: Policy ────────────────────────────────────────────────────────
   console.log("\n" + c.dim("── Step 4: Policy ─────────────────────────────────────────────"));
@@ -267,12 +294,15 @@ async function runCompleteOnboardingCeremony(
     const guardianInput = (guardianAns.guardian as string | undefined)?.trim() ?? "";
     if (guardianInput.toLowerCase() === "g") {
       const generatedGuardian = ethers.Wallet.createRandom();
-      config.guardianPrivateKey = generatedGuardian.privateKey;
+      // Save guardian private key to a separate restricted file, NOT config.json
+      const guardianKeyPath = path.join(os.homedir(), ".arc402", "guardian.key");
+      fs.mkdirSync(path.dirname(guardianKeyPath), { recursive: true, mode: 0o700 });
+      fs.writeFileSync(guardianKeyPath, generatedGuardian.privateKey + "\n", { mode: 0o400 });
+      // Only save address (not private key) to config
       config.guardianAddress = generatedGuardian.address;
       saveConfig(config);
       guardianAddress = generatedGuardian.address;
-      console.log("\n " + c.warning + " IMPORTANT: Save this guardian private key (emergency freeze key):");
-      console.log("   " + c.dim(generatedGuardian.privateKey));
+      console.log("\n " + c.warning + " Guardian key saved to ~/.arc402/guardian.key — move offline for security");
       console.log("   " + c.dim("Address: ") + c.white(generatedGuardian.address) + "\n");
       const guardianIface = new ethers.Interface(["function setGuardian(address _guardian) external"]);
       await sendTx(
@@ -337,6 +367,9 @@ async function runCompleteOnboardingCeremony(
   saveConfig(config);
   console.log(" " + c.success + " Policy configured");
+  // Save progress after policy step
+  config.onboardingProgress = { walletAddress, step: 4, completedSteps: ["machineKey", "passkey", "policy"] };
+  saveConfig(config);
   // ── Step 5: Agent Registration ─────────────────────────────────────────────
   console.log("\n" + c.dim("── Step 5: Agent Registration ─────────────────────────────────"));
@@ -425,6 +458,9 @@ async function runCompleteOnboardingCeremony(
   } else {
     console.log(" " + c.warning + " AgentRegistry address not configured — skipping");
   }
+  // Save progress after agent step, then clear on ceremony complete
+  config.onboardingProgress = { walletAddress, step: 5, completedSteps: ["machineKey", "passkey", "policy", "agent"] };
+  saveConfig(config);
   // ── Step 7: Workroom Init ─────────────────────────────────────────────────
   console.log("\n" + c.dim("── Step 7: Workroom ────────────────────────────────────────────"));
@@ -520,6 +556,10 @@ async function runCompleteOnboardingCeremony(
     ? c.white(agentEndpoint) + c.dim(` → localhost:${relayPort}`)
     : c.dim("—");
+  // Clear onboarding progress — ceremony complete
+  delete (config as unknown as Record<string, unknown>).onboardingProgress;
+  saveConfig(config);
   console.log("\n " + c.success + c.white(" Onboarding complete"));
   renderTree([
     { label: "Wallet",     value: c.white(walletAddress) },
@@ -686,16 +726,40 @@ export function registerWalletCommands(program: Command): void {
   // ─── import ────────────────────────────────────────────────────────────────
-  wallet.command("import <privateKey>")
-    .description("Import an existing private key")
+  wallet.command("import")
+    .description("Import an existing private key (use --key-file or stdin prompt)")
     .option("--network <network>", "Network (base-mainnet or base-sepolia)", "base-sepolia")
-    .action(async (privateKey, opts) => {
+    .option("--key-file <path>", "Read private key from file instead of prompting")
+    .action(async (opts) => {
       const network = opts.network as "base-mainnet" | "base-sepolia";
       const defaults = NETWORK_DEFAULTS[network];
       if (!defaults) {
         console.error(`Unknown network: ${network}. Use base-mainnet or base-sepolia.`);
         process.exit(1);
       }
+      let privateKey: string;
+      if (opts.keyFile) {
+        try {
+          privateKey = fs.readFileSync(opts.keyFile, "utf-8").trim();
+        } catch (e) {
+          console.error(`Cannot read key file: ${e instanceof Error ? e.message : String(e)}`);
+          process.exit(1);
+        }
+      } else {
+        // Interactive prompt — hidden input avoids shell history
+        const answer = await prompts({
+          type: "password",
+          name: "key",
+          message: "Paste private key (hidden):",
+        });
+        privateKey = ((answer.key as string | undefined) ?? "").trim();
+        if (!privateKey) {
+          console.error("No private key entered.");
+          process.exit(1);
+        }
+      }
       let imported: ethers.Wallet;
       try {
         imported = new ethers.Wallet(privateKey);
@@ -850,8 +914,32 @@ export function registerWalletCommands(program: Command): void {
     .option("--smart-wallet", "Connect via Base Smart Wallet (Coinbase Wallet SDK) instead of WalletConnect")
     .option("--hardware", "Hardware wallet mode: show raw wc: URI only (for Ledger Live, Trezor Suite, etc.)")
     .option("--sponsored", "Use CDP paymaster for gas sponsorship (requires paymasterUrl + cdpKeyName + CDP_PRIVATE_KEY env)")
+    .option("--dry-run", "Simulate the deployment ceremony without sending transactions")
     .action(async (opts) => {
       const config = loadConfig();
+      if (opts.dryRun) {
+        const factoryAddr = config.walletFactoryAddress ?? NETWORK_DEFAULTS[config.network]?.walletFactoryAddress ?? "(not configured)";
+        const chainId = config.network === "base-mainnet" ? 8453 : 84532;
+        console.log();
+        console.log(" " + c.dim("── Dry run: wallet deploy ──────────────────────────────────────"));
+        console.log(" " + c.dim("Network:         ") + c.white(config.network));
+        console.log(" " + c.dim("Chain ID:        ") + c.white(String(chainId)));
+        console.log(" " + c.dim("RPC:             ") + c.white(config.rpcUrl));
+        console.log(" " + c.dim("WalletFactory:   ") + c.white(factoryAddr));
+        console.log(" " + c.dim("Signing method:  ") + c.white(opts.smartWallet ? "Base Smart Wallet" : opts.hardware ? "Hardware (WC URI)" : "WalletConnect"));
+        console.log(" " + c.dim("Sponsored:       ") + c.white(opts.sponsored ? "yes" : "no"));
+        console.log();
+        console.log(" " + c.dim("Steps that would run:"));
+        console.log("   1. Connect " + (opts.smartWallet ? "Coinbase Smart Wallet" : "WalletConnect") + " session");
+        console.log("   2. Call WalletFactory.createWallet() → deploy ARC402Wallet");
+        console.log("   3. Save walletContractAddress to config");
+        console.log("   4. Run onboarding ceremony (PolicyEngine, machine key, agent registration)");
+        console.log();
+        console.log(" " + c.dim("No transactions sent (--dry-run mode)."));
+        console.log();
+        return;
+      }
       const factoryAddress = config.walletFactoryAddress ?? NETWORK_DEFAULTS[config.network]?.walletFactoryAddress;
       if (!factoryAddress) {
         console.error("walletFactoryAddress not found in config or NETWORK_DEFAULTS. Add walletFactoryAddress to your config.");
@@ -1015,19 +1103,54 @@ export function registerWalletCommands(program: Command): void {
           ? { botToken: config.telegramBotToken, chatId: config.telegramChatId, threadId: config.telegramThreadId }
           : undefined;
+        // ── Resume check ──────────────────────────────────────────────────────
+        const resumeProgress = config.onboardingProgress;
+        const isResuming = !!(
+          resumeProgress?.walletAddress &&
+          resumeProgress.walletAddress === config.walletContractAddress &&
+          config.ownerAddress
+        );
+        if (isResuming) {
+          const stepNames: Record<number, string> = {
+            2: "machine key", 3: "passkey", 4: "policy setup", 5: "agent registration",
+          };
+          const nextStep = (resumeProgress!.step ?? 1) + 1;
+          console.log(" " + c.dim(`◈ Resuming onboarding from step ${nextStep} (${stepNames[nextStep] ?? "ceremony"})...`));
+        }
+        // ── Gas estimation ─────────────────────────────────────────────────────
+        if (!isResuming) {
+          let gasMsg = "~0.003 ETH (6 transactions on Base)";
+          try {
+            const feeData = await provider.getFeeData();
+            const gasPrice = feeData.maxFeePerGas ?? feeData.gasPrice ?? BigInt(1_500_000_000);
+            const deployGas = await provider.estimateGas({
+              to: factoryAddress,
+              data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
+            }).catch(() => BigInt(280_000));
+            const ceremonyGas = BigInt(700_000); // ~5 ceremony txs × ~140k each
+            const totalGasEth = parseFloat(ethers.formatEther((deployGas + ceremonyGas) * gasPrice));
+            gasMsg = `~${totalGasEth.toFixed(4)} ETH (6 transactions on Base)`;
+          } catch { /* use default */ }
+          console.log(" " + c.dim(`◈ Estimated gas: ${gasMsg}`));
+        }
         // ── Step 1: Connect ────────────────────────────────────────────────────
+        const connectPrompt = isResuming
+          ? "Connect wallet to resume onboarding"
+          : "Approve ARC402Wallet deployment — you will be set as owner";
         const { client, session, account } = await connectPhoneWallet(
           config.walletConnectProjectId,
           chainId,
           config,
-          { telegramOpts, prompt: "Approve ARC402Wallet deployment — you will be set as owner", hardware: !!opts.hardware }
+          { telegramOpts, prompt: connectPrompt, hardware: !!opts.hardware }
         );
         const networkName = chainId === 8453 ? "Base" : "Base Sepolia";
         const shortAddr = `${account.slice(0, 6)}...${account.slice(-5)}`;
         console.log("\n" + c.success + c.white(` Connected: ${shortAddr} on ${networkName}`));
-        if (telegramOpts) {
+        if (telegramOpts && !isResuming) {
           // Send "connected" message with a deploy confirmation button.
           // TODO: wire up full callback_data round-trip when a persistent bot process is available.
           await sendTelegramMessage({
@@ -1039,48 +1162,57 @@ export function registerWalletCommands(program: Command): void {
           });
         }
-        // ── Step 2: Confirm & Deploy ───────────────────────────────────────────
-        // WalletConnect approval already confirmed intent — sending automatically
+        let walletAddress: string;
-        console.log("Deploying...");
-        const txHash = await sendTransactionWithSession(client, session, account, chainId, {
-          to: factoryAddress,
-          data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
-          value: "0x0",
-        });
+        if (isResuming) {
+          // Resume: skip deploy, use existing wallet
+          walletAddress = config.walletContractAddress!;
+          console.log(" " + c.dim(`◈ Using existing wallet: ${walletAddress}`));
+        } else {
+          // ── Step 2: Confirm & Deploy ─────────────────────────────────────────
+          // WalletConnect approval already confirmed intent — sending automatically
-        console.log(`\nTransaction submitted: ${txHash}`);
-        console.log("Waiting for confirmation...");
-        const receipt = await provider.waitForTransaction(txHash);
-        if (!receipt) {
-          console.error("Transaction not confirmed. Check on-chain.");
-          process.exit(1);
-        }
-        let walletAddress: string | null = null;
-        const factoryContract = new ethers.Contract(factoryAddress, WALLET_FACTORY_ABI, provider);
-        for (const log of receipt.logs) {
-          try {
-            const parsed = factoryContract.interface.parseLog(log);
-            if (parsed?.name === "WalletCreated") {
-              walletAddress = parsed.args.walletAddress as string;
-              break;
-            }
-          } catch { /* skip unparseable logs */ }
-        }
-        if (!walletAddress) {
-          console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
-          process.exit(1);
+          console.log("Deploying...");
+          const txHash = await sendTransactionWithSession(client, session, account, chainId, {
+            to: factoryAddress,
+            data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
+            value: "0x0",
+          });
+          console.log(`\nTransaction submitted: ${txHash}`);
+          console.log("Waiting for confirmation...");
+          const receipt = await provider.waitForTransaction(txHash);
+          if (!receipt) {
+            console.error("Transaction not confirmed. Check on-chain.");
+            process.exit(1);
+          }
+          let deployedWallet: string | null = null;
+          const factoryContract = new ethers.Contract(factoryAddress, WALLET_FACTORY_ABI, provider);
+          for (const log of receipt.logs) {
+            try {
+              const parsed = factoryContract.interface.parseLog(log);
+              if (parsed?.name === "WalletCreated") {
+                deployedWallet = parsed.args.walletAddress as string;
+                break;
+              }
+            } catch { /* skip unparseable logs */ }
+          }
+          if (!deployedWallet) {
+            console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
+            process.exit(1);
+          }
+          walletAddress = deployedWallet;
+          // ── Step 1 complete: save wallet + owner immediately ─────────────────
+          config.walletContractAddress = walletAddress;
+          config.ownerAddress = account;
+          saveConfig(config);
+          try { fs.chmodSync(getConfigPath(), 0o600); } catch { /* best-effort */ }
+          console.log("\n " + c.success + c.white(" Wallet deployed"));
+          renderTree([
+            { label: "Wallet", value: walletAddress },
+            { label: "Owner", value: account, last: true },
+          ]);
         }
-        // ── Step 1 complete: save wallet + owner immediately ─────────────────
-        config.walletContractAddress = walletAddress;
-        config.ownerAddress = account;
-        saveConfig(config);
-        try { fs.chmodSync(getConfigPath(), 0o600); } catch { /* best-effort */ }
-        console.log("\n " + c.success + c.white(" Wallet deployed"));
-        renderTree([
-          { label: "Wallet", value: walletAddress },
-          { label: "Owner", value: account, last: true },
-        ]);
         // ── Steps 2–6: Complete onboarding ceremony (same WalletConnect session)
         const sendTxCeremony = async (
@@ -1124,8 +1256,10 @@ export function registerWalletCommands(program: Command): void {
         const guardianWallet = ethers.Wallet.createRandom();
         config.walletContractAddress = walletAddress;
         config.ownerAddress = address;
-        config.guardianPrivateKey = guardianWallet.privateKey;
         config.guardianAddress = guardianWallet.address;
+        // Save key to restricted file — never store in config.json
+        saveGuardianKey(guardianWallet.privateKey);
+        if (config.guardianPrivateKey) delete (config as unknown as Record<string, unknown>).guardianPrivateKey;
         saveConfig(config);
         // Call setGuardian on the deployed wallet
@@ -1155,7 +1289,7 @@ export function registerWalletCommands(program: Command): void {
           { label: "Wallet", value: walletAddress },
           { label: "Guardian", value: guardianWallet.address, last: true },
         ]);
-        console.log(`Guardian private key saved to config (keep it safe — used for emergency freeze only)`);
+        console.log(`Guardian private key saved to ~/.arc402/guardian.key (chmod 400 — keep it safe, used for emergency freeze only)`);
         console.log(`Your wallet contract is ready for policy enforcement`);
         printOpenShellHint();
       }
@@ -1387,12 +1521,13 @@ export function registerWalletCommands(program: Command): void {
         console.error("walletContractAddress not set in config. Run `arc402 wallet deploy` first.");
         process.exit(1);
       }
-      if (!config.guardianPrivateKey) {
-        console.error("guardianPrivateKey not set in config. Guardian key was generated during `arc402 wallet deploy`.");
+      const guardianKey = loadGuardianKey(config);
+      if (!guardianKey) {
+        console.error(`Guardian key not found. Expected at ~/.arc402/guardian.key (or guardianPrivateKey in config for legacy setups).`);
         process.exit(1);
       }
       const provider = new ethers.JsonRpcProvider(config.rpcUrl);
-      const guardianSigner = new ethers.Wallet(config.guardianPrivateKey, provider);
+      const guardianSigner = new ethers.Wallet(guardianKey, provider);
       const walletContract = new ethers.Contract(config.walletContractAddress, ARC402_WALLET_GUARDIAN_ABI, guardianSigner);
       let tx;
@@ -1536,12 +1671,13 @@ export function registerWalletCommands(program: Command): void {
       });
       await provider.waitForTransaction(txHash);
-      config.guardianPrivateKey = guardianWallet.privateKey;
+      saveGuardianKey(guardianWallet.privateKey);
+      if (config.guardianPrivateKey) delete (config as unknown as Record<string, unknown>).guardianPrivateKey;
       config.guardianAddress = guardianWallet.address;
       saveConfig(config);
       console.log("\n" + c.success + c.white(` Guardian set to: ${guardianWallet.address}`));
       console.log(" " + c.dim("Tx:") + " " + c.white(txHash));
-      console.log(" " + c.dim("Guardian private key saved to config."));
+      console.log(" " + c.dim("Guardian private key saved to ~/.arc402/guardian.key (chmod 400)."));
       console.log(" " + c.warning + " " + c.yellow("The guardian key can freeze your wallet. Store it separately from your hot key."));
     });
@@ -2368,9 +2504,10 @@ export function registerWalletCommands(program: Command): void {
         }
       }
-      // Persist guardian key if generated
+      // Persist guardian key if generated — save to restricted file, not config.json
       if (guardianWallet) {
-        config.guardianPrivateKey = guardianWallet.privateKey;
+        saveGuardianKey(guardianWallet.privateKey);
+        if (config.guardianPrivateKey) delete (config as unknown as Record<string, unknown>).guardianPrivateKey;
         config.guardianAddress = guardianWallet.address;
         saveConfig(config);
       }
@@ -2382,7 +2519,7 @@ export function registerWalletCommands(program: Command): void {
         txHashes.forEach((h, i) => console.log(" " + c.dim(`Tx ${i + 1}:`) + " " + c.white(h)));
       }
       if (guardianWallet) {
-        console.log(" " + c.success + c.dim(` Guardian key saved to config — address: ${guardianWallet.address}`));
+        console.log(" " + c.success + c.dim(` Guardian key saved to ~/.arc402/guardian.key — address: ${guardianWallet.address}`));
         console.log(" " + c.warning + " " + c.yellow("Store the guardian private key separately from your hot key."));
       }
       console.log(c.dim("\nVerify with: arc402 wallet status && arc402 wallet policy show"));

package/src/commands/watch.ts CHANGED Viewed

@@ -1,21 +1,218 @@
 import { Command } from "commander";
-import { c } from "../ui/colors";
+import { ethers } from "ethers";
 import { loadConfig } from "../config";
+import { getClient } from "../client";
+import { c } from "../ui/colors";
+// ─── Minimal ABIs for event watching ─────────────────────────────────────────
+const AGENT_REGISTRY_WATCH_ABI = [
+  "event AgentRegistered(address indexed wallet, string name, string serviceType, uint256 timestamp)",
+  "event AgentUpdated(address indexed wallet, string name, string serviceType)",
+  "event AgentDeactivated(address indexed wallet)",
+];
+const SERVICE_AGREEMENT_WATCH_ABI = [
+  "event AgreementProposed(uint256 indexed id, address indexed client, address indexed provider, string serviceType, uint256 price, address token, uint256 deadline)",
+  "event AgreementAccepted(uint256 indexed id, address indexed provider)",
+  "event AgreementFulfilled(uint256 indexed id, address indexed provider, bytes32 deliverablesHash)",
+  "event AgreementDisputed(uint256 indexed id, address indexed initiator, string reason)",
+  "event AgreementCancelled(uint256 indexed id, address indexed client)",
+];
+const HANDSHAKE_WATCH_ABI = [
+  "event HandshakeSent(uint256 indexed handshakeId, address indexed from, address indexed to, uint8 hsType, address token, uint256 amount, string note, uint256 timestamp)",
+];
+const DISPUTE_MODULE_WATCH_ABI = [
+  "event DisputeRaised(uint256 indexed agreementId, address indexed initiator, string reason)",
+  "event DisputeResolved(uint256 indexed agreementId, bool favorProvider, string resolution)",
+];
+const HS_TYPE_LABELS: Record<number, string> = {
+  0: "Respected",
+  1: "Curious",
+  2: "Endorsed",
+  3: "Thanked",
+  4: "Collaborated",
+  5: "Challenged",
+  6: "Referred",
+  7: "Hello",
+};
+function shortAddr(addr: string): string {
+  return addr.length > 10 ? `${addr.slice(0, 6)}...${addr.slice(-4)}` : addr;
+}
+function nowHHMM(): string {
+  const d = new Date();
+  const h = d.getHours().toString().padStart(2, "0");
+  const m = d.getMinutes().toString().padStart(2, "0");
+  return `${h}:${m}`;
+}
+function printEvent(label: string, detail: string, status?: "ok" | "warn" | "err"): void {
+  const ts = c.dim(`[${nowHHMM()}]`);
+  const col = status === "ok" ? c.green : status === "err" ? c.red : status === "warn" ? c.yellow : c.white;
+  process.stdout.write(`  ${ts}  ${col(label)}  ${c.dim(detail)}\n`);
+}
 export function registerWatchCommand(program: Command): void {
   program
     .command("watch")
-    .description("Watch wallet activity in real-time")
+    .description("Watch wallet activity in real-time (live onchain event feed)")
     .action(async () => {
       const config = loadConfig();
-      const wallet = config.walletContractAddress ?? "(no wallet)";
-      const shortWallet = wallet.length > 10
-        ? `${wallet.slice(0, 6)}...${wallet.slice(-4)}`
-        : wallet;
-      const line = "─".repeat(20);
-      console.log(`${c.mark}  ARC-402  Watching ${c.white(shortWallet)} ${c.dim(line)}`);
-      console.log(`${c.dim("···")}  ${c.dim("waiting")}`);
+      const { provider } = await getClient(config);
+      const myWallet = (config.walletContractAddress ?? "").toLowerCase();
+      const shortMe = myWallet ? shortAddr(config.walletContractAddress!) : "(no wallet)";
+      const line = "─".repeat(22);
+      console.log(`\n  ${c.mark} ${c.white("ARC-402  Live Feed")}  ${c.dim(line)}`);
+      console.log(`  ${c.dim("Watching")} ${c.brightCyan(shortMe)} ${c.dim("on")} ${c.dim(config.network)}`);
+      console.log(`  ${c.dim("Ctrl+C to exit")}\n`);
+      // ── Build contract instances ───────────────────────────────────────────
+      const contractLabels: string[] = [];
+      if (config.agentRegistryAddress) contractLabels.push("AgentRegistry");
+      if (config.serviceAgreementAddress) contractLabels.push("ServiceAgreement");
+      if (config.handshakeAddress) contractLabels.push("Handshake");
+      if (config.disputeModuleAddress) contractLabels.push("DisputeModule");
+      if (contractLabels.length === 0) {
+        console.log(`  ${c.warning} No contract addresses configured. Run arc402 config init.`);
+        process.exit(1);
+      }
+      console.log(`  ${c.dim(`Monitoring ${contractLabels.length} contract${contractLabels.length !== 1 ? "s" : ""}: ${contractLabels.join(", ")}`)}\n`);
+      // ── Helpers ────────────────────────────────────────────────────────────
+      function isMe(addr: string): boolean {
+        return myWallet !== "" && addr.toLowerCase() === myWallet;
+      }
+      function fmtAddr(addr: string): string {
+        return isMe(addr) ? c.brightCyan("you") : c.dim(shortAddr(addr));
+      }
+      // ── AgentRegistry ──────────────────────────────────────────────────────
+      if (config.agentRegistryAddress) {
+        const reg = new ethers.Contract(config.agentRegistryAddress, AGENT_REGISTRY_WATCH_ABI, provider);
+        reg.on("AgentRegistered", (wallet: string, name: string, serviceType: string) => {
+          printEvent(`Agent registered: ${name}`, `${fmtAddr(wallet)}  ${c.dim(serviceType)}`, "ok");
+        });
+        reg.on("AgentUpdated", (wallet: string, name: string, serviceType: string) => {
+          printEvent(`Agent updated: ${name}`, `${fmtAddr(wallet)}  ${c.dim(serviceType)}`);
+        });
+        reg.on("AgentDeactivated", (wallet: string) => {
+          printEvent(`Agent deactivated`, fmtAddr(wallet), "warn");
+        });
+      }
+      // ── ServiceAgreement ───────────────────────────────────────────────────
+      if (config.serviceAgreementAddress) {
+        const sa = new ethers.Contract(config.serviceAgreementAddress, SERVICE_AGREEMENT_WATCH_ABI, provider);
+        sa.on("AgreementProposed", (id: bigint, client: string, agentProvider: string, serviceType: string) => {
+          const involved = isMe(client) || isMe(agentProvider);
+          printEvent(
+            `Agreement #${id} proposed`,
+            `${fmtAddr(client)} → ${fmtAddr(agentProvider)}  ${c.dim(serviceType)}`,
+            involved ? "ok" : undefined
+          );
+        });
+        sa.on("AgreementAccepted", (id: bigint, agentProvider: string) => {
+          printEvent(`Agreement #${id} → ${c.green("ACCEPTED")}`, fmtAddr(agentProvider));
+        });
+        sa.on("AgreementFulfilled", (id: bigint, agentProvider: string, deliverablesHash: string) => {
+          printEvent(
+            `Agreement #${id} → ${c.green("DELIVERED")}`,
+            `${fmtAddr(agentProvider)}  ${c.dim(deliverablesHash.slice(0, 10) + "...")}`,
+            "ok"
+          );
+        });
+        sa.on("AgreementDisputed", (id: bigint, initiator: string, reason: string) => {
+          printEvent(
+            `Agreement #${id} → ${c.red("DISPUTED")}`,
+            `${fmtAddr(initiator)}  ${c.dim(reason.slice(0, 40))}`,
+            "err"
+          );
+        });
+        sa.on("AgreementCancelled", (id: bigint, client: string) => {
+          printEvent(`Agreement #${id} → ${c.yellow("CANCELLED")}`, fmtAddr(client), "warn");
+        });
+      }
+      // ── Handshake ──────────────────────────────────────────────────────────
+      if (config.handshakeAddress) {
+        const hs = new ethers.Contract(config.handshakeAddress, HANDSHAKE_WATCH_ABI, provider);
+        hs.on("HandshakeSent", (_id: bigint, from: string, to: string, hsType: number, _token: string, _amount: bigint, note: string) => {
+          const typeLabel = HS_TYPE_LABELS[hsType] ?? `type ${hsType}`;
+          const toMe = isMe(to);
+          const noteStr = note ? `  ${c.dim(`(${note.slice(0, 30)})`)}` : "";
+          printEvent(
+            `Handshake from ${fmtAddr(from)} → ${fmtAddr(to)}`,
+            `${c.dim(typeLabel)}${noteStr}`,
+            toMe ? "ok" : undefined
+          );
+        });
+      }
+      // ── DisputeModule ──────────────────────────────────────────────────────
+      if (config.disputeModuleAddress) {
+        const dm = new ethers.Contract(config.disputeModuleAddress, DISPUTE_MODULE_WATCH_ABI, provider);
+        dm.on("DisputeRaised", (agreementId: bigint, initiator: string, reason: string) => {
+          printEvent(
+            `Dispute raised on #${agreementId}`,
+            `${fmtAddr(initiator)}  ${c.dim(reason.slice(0, 40))}`,
+            "err"
+          );
+        });
+        dm.on("DisputeResolved", (agreementId: bigint, favorProvider: boolean, resolution: string) => {
+          printEvent(
+            `Dispute #${agreementId} → ${c.green("RESOLVED")}`,
+            `${c.dim(favorProvider ? "provider wins" : "client wins")}  ${c.dim(resolution.slice(0, 30))}`,
+            "ok"
+          );
+        });
+      }
+      // ── Block heartbeat (shows feed is alive) ──────────────────────────────
+      let lastBlock = 0;
+      provider.on("block", (blockNumber: number) => {
+        if (blockNumber > lastBlock) {
+          lastBlock = blockNumber;
+          if (blockNumber % 10 === 0) {
+            process.stdout.write(`  ${c.dim(`· block ${blockNumber}`)}\n`);
+          }
+        }
+      });
+      // ── Clean exit ─────────────────────────────────────────────────────────
+      process.on("SIGINT", () => {
+        console.log(`\n  ${c.dim("Feed stopped.")}`);
+        provider.removeAllListeners();
+        process.exit(0);
+      });
       // Keep process alive
       process.stdin.resume();