arc402-cli 0.7.0 → 0.7.1

package/src/commands/wallet.ts

@@ -23,6 +23,27 @@ import { c } from "../ui/colors";
 import { formatAddress } from "../ui/format";
 
 const POLICY_ENGINE_DEFAULT = "0x44102e70c2A366632d98Fe40d892a2501fC7fFF2";
+const GUARDIAN_KEY_PATH = path.join(os.homedir(), ".arc402", "guardian.key");
+
+/** Save guardian private key to a restricted standalone file (never to config.json). */
+function saveGuardianKey(privateKey: string): void {
+  fs.mkdirSync(path.dirname(GUARDIAN_KEY_PATH), { recursive: true, mode: 0o700 });
+  fs.writeFileSync(GUARDIAN_KEY_PATH, privateKey + "\n", { mode: 0o400 });
+}
+
+/** Load guardian private key from file, falling back to config for backwards compat. */
+function loadGuardianKey(config: Arc402Config): string | null {
+  try {
+    return fs.readFileSync(GUARDIAN_KEY_PATH, "utf-8").trim();
+  } catch {
+    // Migration: if key still in config, migrate it to the file now
+    if (config.guardianPrivateKey) {
+      saveGuardianKey(config.guardianPrivateKey);
+      return config.guardianPrivateKey;
+    }
+    return null;
+  }
+}
 
 function parseAmount(raw: string): bigint {
   const lower = raw.toLowerCase();
@@ -182,6 +203,9 @@ async function runCompleteOnboardingCeremony(
     );
     console.log(" " + c.success + " Machine key authorized");
   }
+  // Save progress after machine key step
+  config.onboardingProgress = { walletAddress, step: 2, completedSteps: ["machineKey"] };
+  saveConfig(config);
 
   // ── Step 3: Passkey ───────────────────────────────────────────────────────
   console.log("\n" + c.dim("── Step 3: Passkey (Face ID / WebAuthn) ──────────────────────"));
@@ -213,6 +237,9 @@ async function runCompleteOnboardingCeremony(
       console.log(" " + c.success + " Passkey set (via browser)");
     }
   }
+  // Save progress after passkey step
+  config.onboardingProgress = { walletAddress, step: 3, completedSteps: ["machineKey", "passkey"] };
+  saveConfig(config);
 
   // ── Step 4: Policy ────────────────────────────────────────────────────────
   console.log("\n" + c.dim("── Step 4: Policy ─────────────────────────────────────────────"));
@@ -340,6 +367,9 @@ async function runCompleteOnboardingCeremony(
   saveConfig(config);
 
   console.log(" " + c.success + " Policy configured");
+  // Save progress after policy step
+  config.onboardingProgress = { walletAddress, step: 4, completedSteps: ["machineKey", "passkey", "policy"] };
+  saveConfig(config);
 
   // ── Step 5: Agent Registration ─────────────────────────────────────────────
   console.log("\n" + c.dim("── Step 5: Agent Registration ─────────────────────────────────"));
@@ -428,6 +458,9 @@ async function runCompleteOnboardingCeremony(
   } else {
     console.log(" " + c.warning + " AgentRegistry address not configured — skipping");
   }
+  // Save progress after agent step, then clear on ceremony complete
+  config.onboardingProgress = { walletAddress, step: 5, completedSteps: ["machineKey", "passkey", "policy", "agent"] };
+  saveConfig(config);
 
   // ── Step 7: Workroom Init ─────────────────────────────────────────────────
   console.log("\n" + c.dim("── Step 7: Workroom ────────────────────────────────────────────"));
@@ -523,6 +556,10 @@ async function runCompleteOnboardingCeremony(
     ? c.white(agentEndpoint) + c.dim(` → localhost:${relayPort}`)
     : c.dim("—");
 
+  // Clear onboarding progress — ceremony complete
+  delete (config as unknown as Record<string, unknown>).onboardingProgress;
+  saveConfig(config);
+
   console.log("\n " + c.success + c.white(" Onboarding complete"));
   renderTree([
     { label: "Wallet",     value: c.white(walletAddress) },
@@ -1066,19 +1103,54 @@ export function registerWalletCommands(program: Command): void {
           ? { botToken: config.telegramBotToken, chatId: config.telegramChatId, threadId: config.telegramThreadId }
           : undefined;
 
+        // ── Resume check ──────────────────────────────────────────────────────
+        const resumeProgress = config.onboardingProgress;
+        const isResuming = !!(
+          resumeProgress?.walletAddress &&
+          resumeProgress.walletAddress === config.walletContractAddress &&
+          config.ownerAddress
+        );
+        if (isResuming) {
+          const stepNames: Record<number, string> = {
+            2: "machine key", 3: "passkey", 4: "policy setup", 5: "agent registration",
+          };
+          const nextStep = (resumeProgress!.step ?? 1) + 1;
+          console.log(" " + c.dim(`◈ Resuming onboarding from step ${nextStep} (${stepNames[nextStep] ?? "ceremony"})...`));
+        }
+
+        // ── Gas estimation ─────────────────────────────────────────────────────
+        if (!isResuming) {
+          let gasMsg = "~0.003 ETH (6 transactions on Base)";
+          try {
+            const feeData = await provider.getFeeData();
+            const gasPrice = feeData.maxFeePerGas ?? feeData.gasPrice ?? BigInt(1_500_000_000);
+            const deployGas = await provider.estimateGas({
+              to: factoryAddress,
+              data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
+            }).catch(() => BigInt(280_000));
+            const ceremonyGas = BigInt(700_000); // ~5 ceremony txs × ~140k each
+            const totalGasEth = parseFloat(ethers.formatEther((deployGas + ceremonyGas) * gasPrice));
+            gasMsg = `~${totalGasEth.toFixed(4)} ETH (6 transactions on Base)`;
+          } catch { /* use default */ }
+          console.log(" " + c.dim(`◈ Estimated gas: ${gasMsg}`));
+        }
+
         // ── Step 1: Connect ────────────────────────────────────────────────────
+        const connectPrompt = isResuming
+          ? "Connect wallet to resume onboarding"
+          : "Approve ARC402Wallet deployment — you will be set as owner";
         const { client, session, account } = await connectPhoneWallet(
           config.walletConnectProjectId,
           chainId,
           config,
-          { telegramOpts, prompt: "Approve ARC402Wallet deployment — you will be set as owner", hardware: !!opts.hardware }
+          { telegramOpts, prompt: connectPrompt, hardware: !!opts.hardware }
         );
 
         const networkName = chainId === 8453 ? "Base" : "Base Sepolia";
         const shortAddr = `${account.slice(0, 6)}...${account.slice(-5)}`;
         console.log("\n" + c.success + c.white(` Connected: ${shortAddr} on ${networkName}`));
 
-        if (telegramOpts) {
+        if (telegramOpts && !isResuming) {
           // Send "connected" message with a deploy confirmation button.
           // TODO: wire up full callback_data round-trip when a persistent bot process is available.
           await sendTelegramMessage({
@@ -1090,48 +1162,57 @@ export function registerWalletCommands(program: Command): void {
           });
         }
 
-        // ── Step 2: Confirm & Deploy ───────────────────────────────────────────
-        // WalletConnect approval already confirmed intent — sending automatically
+        let walletAddress: string;
 
-        console.log("Deploying...");
-        const txHash = await sendTransactionWithSession(client, session, account, chainId, {
-          to: factoryAddress,
-          data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
-          value: "0x0",
-        });
+        if (isResuming) {
+          // Resume: skip deploy, use existing wallet
+          walletAddress = config.walletContractAddress!;
+          console.log(" " + c.dim(`◈ Using existing wallet: ${walletAddress}`));
+        } else {
+          // ── Step 2: Confirm & Deploy ─────────────────────────────────────────
+          // WalletConnect approval already confirmed intent — sending automatically
 
-        console.log(`\nTransaction submitted: ${txHash}`);
-        console.log("Waiting for confirmation...");
-        const receipt = await provider.waitForTransaction(txHash);
-        if (!receipt) {
-          console.error("Transaction not confirmed. Check on-chain.");
-          process.exit(1);
-        }
-        let walletAddress: string | null = null;
-        const factoryContract = new ethers.Contract(factoryAddress, WALLET_FACTORY_ABI, provider);
-        for (const log of receipt.logs) {
-          try {
-            const parsed = factoryContract.interface.parseLog(log);
-            if (parsed?.name === "WalletCreated") {
-              walletAddress = parsed.args.walletAddress as string;
-              break;
-            }
-          } catch { /* skip unparseable logs */ }
-        }
-        if (!walletAddress) {
-          console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
-          process.exit(1);
+          console.log("Deploying...");
+          const txHash = await sendTransactionWithSession(client, session, account, chainId, {
+            to: factoryAddress,
+            data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
+            value: "0x0",
+          });
+
+          console.log(`\nTransaction submitted: ${txHash}`);
+          console.log("Waiting for confirmation...");
+          const receipt = await provider.waitForTransaction(txHash);
+          if (!receipt) {
+            console.error("Transaction not confirmed. Check on-chain.");
+            process.exit(1);
+          }
+          let deployedWallet: string | null = null;
+          const factoryContract = new ethers.Contract(factoryAddress, WALLET_FACTORY_ABI, provider);
+          for (const log of receipt.logs) {
+            try {
+              const parsed = factoryContract.interface.parseLog(log);
+              if (parsed?.name === "WalletCreated") {
+                deployedWallet = parsed.args.walletAddress as string;
+                break;
+              }
+            } catch { /* skip unparseable logs */ }
+          }
+          if (!deployedWallet) {
+            console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
+            process.exit(1);
+          }
+          walletAddress = deployedWallet;
+          // ── Step 1 complete: save wallet + owner immediately ─────────────────
+          config.walletContractAddress = walletAddress;
+          config.ownerAddress = account;
+          saveConfig(config);
+          try { fs.chmodSync(getConfigPath(), 0o600); } catch { /* best-effort */ }
+          console.log("\n " + c.success + c.white(" Wallet deployed"));
+          renderTree([
+            { label: "Wallet", value: walletAddress },
+            { label: "Owner", value: account, last: true },
+          ]);
         }
-        // ── Step 1 complete: save wallet + owner immediately ─────────────────
-        config.walletContractAddress = walletAddress;
-        config.ownerAddress = account;
-        saveConfig(config);
-        try { fs.chmodSync(getConfigPath(), 0o600); } catch { /* best-effort */ }
-        console.log("\n " + c.success + c.white(" Wallet deployed"));
-        renderTree([
-          { label: "Wallet", value: walletAddress },
-          { label: "Owner", value: account, last: true },
-        ]);
 
         // ── Steps 2–6: Complete onboarding ceremony (same WalletConnect session)
         const sendTxCeremony = async (
@@ -1175,8 +1256,10 @@ export function registerWalletCommands(program: Command): void {
         const guardianWallet = ethers.Wallet.createRandom();
         config.walletContractAddress = walletAddress;
         config.ownerAddress = address;
-        config.guardianPrivateKey = guardianWallet.privateKey;
         config.guardianAddress = guardianWallet.address;
+        // Save key to restricted file — never store in config.json
+        saveGuardianKey(guardianWallet.privateKey);
+        if (config.guardianPrivateKey) delete (config as unknown as Record<string, unknown>).guardianPrivateKey;
         saveConfig(config);
 
         // Call setGuardian on the deployed wallet
@@ -1206,7 +1289,7 @@ export function registerWalletCommands(program: Command): void {
           { label: "Wallet", value: walletAddress },
           { label: "Guardian", value: guardianWallet.address, last: true },
         ]);
-        console.log(`Guardian private key saved to config (keep it safe — used for emergency freeze only)`);
+        console.log(`Guardian private key saved to ~/.arc402/guardian.key (chmod 400 — keep it safe, used for emergency freeze only)`);
         console.log(`Your wallet contract is ready for policy enforcement`);
         printOpenShellHint();
       }
@@ -1438,12 +1521,13 @@ export function registerWalletCommands(program: Command): void {
         console.error("walletContractAddress not set in config. Run `arc402 wallet deploy` first.");
         process.exit(1);
       }
-      if (!config.guardianPrivateKey) {
-        console.error("guardianPrivateKey not set in config. Guardian key was generated during `arc402 wallet deploy`.");
+      const guardianKey = loadGuardianKey(config);
+      if (!guardianKey) {
+        console.error(`Guardian key not found. Expected at ~/.arc402/guardian.key (or guardianPrivateKey in config for legacy setups).`);
         process.exit(1);
       }
       const provider = new ethers.JsonRpcProvider(config.rpcUrl);
-      const guardianSigner = new ethers.Wallet(config.guardianPrivateKey, provider);
+      const guardianSigner = new ethers.Wallet(guardianKey, provider);
       const walletContract = new ethers.Contract(config.walletContractAddress, ARC402_WALLET_GUARDIAN_ABI, guardianSigner);
 
       let tx;
@@ -1587,12 +1671,13 @@ export function registerWalletCommands(program: Command): void {
       });
 
       await provider.waitForTransaction(txHash);
-      config.guardianPrivateKey = guardianWallet.privateKey;
+      saveGuardianKey(guardianWallet.privateKey);
+      if (config.guardianPrivateKey) delete (config as unknown as Record<string, unknown>).guardianPrivateKey;
       config.guardianAddress = guardianWallet.address;
       saveConfig(config);
       console.log("\n" + c.success + c.white(` Guardian set to: ${guardianWallet.address}`));
       console.log(" " + c.dim("Tx:") + " " + c.white(txHash));
-      console.log(" " + c.dim("Guardian private key saved to config."));
+      console.log(" " + c.dim("Guardian private key saved to ~/.arc402/guardian.key (chmod 400)."));
       console.log(" " + c.warning + " " + c.yellow("The guardian key can freeze your wallet. Store it separately from your hot key."));
     });
 
@@ -2419,9 +2504,10 @@ export function registerWalletCommands(program: Command): void {
         }
       }
 
-      // Persist guardian key if generated
+      // Persist guardian key if generated — save to restricted file, not config.json
       if (guardianWallet) {
-        config.guardianPrivateKey = guardianWallet.privateKey;
+        saveGuardianKey(guardianWallet.privateKey);
+        if (config.guardianPrivateKey) delete (config as unknown as Record<string, unknown>).guardianPrivateKey;
         config.guardianAddress = guardianWallet.address;
         saveConfig(config);
       }
@@ -2433,7 +2519,7 @@ export function registerWalletCommands(program: Command): void {
         txHashes.forEach((h, i) => console.log(" " + c.dim(`Tx ${i + 1}:`) + " " + c.white(h)));
       }
       if (guardianWallet) {
-        console.log(" " + c.success + c.dim(` Guardian key saved to config — address: ${guardianWallet.address}`));
+        console.log(" " + c.success + c.dim(` Guardian key saved to ~/.arc402/guardian.key — address: ${guardianWallet.address}`));
         console.log(" " + c.warning + " " + c.yellow("Store the guardian private key separately from your hot key."));
       }
       console.log(c.dim("\nVerify with: arc402 wallet status && arc402 wallet policy show"));

package/src/commands/watch.ts

@@ -1,21 +1,218 @@
 import { Command } from "commander";
-import { c } from "../ui/colors";
+import { ethers } from "ethers";
 import { loadConfig } from "../config";
+import { getClient } from "../client";
+import { c } from "../ui/colors";
+
+// ─── Minimal ABIs for event watching ─────────────────────────────────────────
+
+const AGENT_REGISTRY_WATCH_ABI = [
+  "event AgentRegistered(address indexed wallet, string name, string serviceType, uint256 timestamp)",
+  "event AgentUpdated(address indexed wallet, string name, string serviceType)",
+  "event AgentDeactivated(address indexed wallet)",
+];
+
+const SERVICE_AGREEMENT_WATCH_ABI = [
+  "event AgreementProposed(uint256 indexed id, address indexed client, address indexed provider, string serviceType, uint256 price, address token, uint256 deadline)",
+  "event AgreementAccepted(uint256 indexed id, address indexed provider)",
+  "event AgreementFulfilled(uint256 indexed id, address indexed provider, bytes32 deliverablesHash)",
+  "event AgreementDisputed(uint256 indexed id, address indexed initiator, string reason)",
+  "event AgreementCancelled(uint256 indexed id, address indexed client)",
+];
+
+const HANDSHAKE_WATCH_ABI = [
+  "event HandshakeSent(uint256 indexed handshakeId, address indexed from, address indexed to, uint8 hsType, address token, uint256 amount, string note, uint256 timestamp)",
+];
+
+const DISPUTE_MODULE_WATCH_ABI = [
+  "event DisputeRaised(uint256 indexed agreementId, address indexed initiator, string reason)",
+  "event DisputeResolved(uint256 indexed agreementId, bool favorProvider, string resolution)",
+];
+
+const HS_TYPE_LABELS: Record<number, string> = {
+  0: "Respected",
+  1: "Curious",
+  2: "Endorsed",
+  3: "Thanked",
+  4: "Collaborated",
+  5: "Challenged",
+  6: "Referred",
+  7: "Hello",
+};
+
+function shortAddr(addr: string): string {
+  return addr.length > 10 ? `${addr.slice(0, 6)}...${addr.slice(-4)}` : addr;
+}
+
+function nowHHMM(): string {
+  const d = new Date();
+  const h = d.getHours().toString().padStart(2, "0");
+  const m = d.getMinutes().toString().padStart(2, "0");
+  return `${h}:${m}`;
+}
+
+function printEvent(label: string, detail: string, status?: "ok" | "warn" | "err"): void {
+  const ts = c.dim(`[${nowHHMM()}]`);
+  const col = status === "ok" ? c.green : status === "err" ? c.red : status === "warn" ? c.yellow : c.white;
+  process.stdout.write(`  ${ts}  ${col(label)}  ${c.dim(detail)}\n`);
+}
 
 export function registerWatchCommand(program: Command): void {
   program
     .command("watch")
-    .description("Watch wallet activity in real-time")
+    .description("Watch wallet activity in real-time (live onchain event feed)")
     .action(async () => {
       const config = loadConfig();
-      const wallet = config.walletContractAddress ?? "(no wallet)";
-      const shortWallet = wallet.length > 10
-        ? `${wallet.slice(0, 6)}...${wallet.slice(-4)}`
-        : wallet;
-      const line = "─".repeat(20);
-
-      console.log(`${c.mark}  ARC-402  Watching ${c.white(shortWallet)} ${c.dim(line)}`);
-      console.log(`${c.dim("···")}  ${c.dim("waiting")}`);
+      const { provider } = await getClient(config);
+      const myWallet = (config.walletContractAddress ?? "").toLowerCase();
+      const shortMe = myWallet ? shortAddr(config.walletContractAddress!) : "(no wallet)";
+
+      const line = "─".repeat(22);
+      console.log(`\n  ${c.mark} ${c.white("ARC-402  Live Feed")}  ${c.dim(line)}`);
+      console.log(`  ${c.dim("Watching")} ${c.brightCyan(shortMe)} ${c.dim("on")} ${c.dim(config.network)}`);
+      console.log(`  ${c.dim("Ctrl+C to exit")}\n`);
+
+      // ── Build contract instances ───────────────────────────────────────────
+
+      const contractLabels: string[] = [];
+
+      if (config.agentRegistryAddress) contractLabels.push("AgentRegistry");
+      if (config.serviceAgreementAddress) contractLabels.push("ServiceAgreement");
+      if (config.handshakeAddress) contractLabels.push("Handshake");
+      if (config.disputeModuleAddress) contractLabels.push("DisputeModule");
+
+      if (contractLabels.length === 0) {
+        console.log(`  ${c.warning} No contract addresses configured. Run arc402 config init.`);
+        process.exit(1);
+      }
+
+      console.log(`  ${c.dim(`Monitoring ${contractLabels.length} contract${contractLabels.length !== 1 ? "s" : ""}: ${contractLabels.join(", ")}`)}\n`);
+
+      // ── Helpers ────────────────────────────────────────────────────────────
+
+      function isMe(addr: string): boolean {
+        return myWallet !== "" && addr.toLowerCase() === myWallet;
+      }
+
+      function fmtAddr(addr: string): string {
+        return isMe(addr) ? c.brightCyan("you") : c.dim(shortAddr(addr));
+      }
+
+      // ── AgentRegistry ──────────────────────────────────────────────────────
+
+      if (config.agentRegistryAddress) {
+        const reg = new ethers.Contract(config.agentRegistryAddress, AGENT_REGISTRY_WATCH_ABI, provider);
+
+        reg.on("AgentRegistered", (wallet: string, name: string, serviceType: string) => {
+          printEvent(`Agent registered: ${name}`, `${fmtAddr(wallet)}  ${c.dim(serviceType)}`, "ok");
+        });
+
+        reg.on("AgentUpdated", (wallet: string, name: string, serviceType: string) => {
+          printEvent(`Agent updated: ${name}`, `${fmtAddr(wallet)}  ${c.dim(serviceType)}`);
+        });
+
+        reg.on("AgentDeactivated", (wallet: string) => {
+          printEvent(`Agent deactivated`, fmtAddr(wallet), "warn");
+        });
+      }
+
+      // ── ServiceAgreement ───────────────────────────────────────────────────
+
+      if (config.serviceAgreementAddress) {
+        const sa = new ethers.Contract(config.serviceAgreementAddress, SERVICE_AGREEMENT_WATCH_ABI, provider);
+
+        sa.on("AgreementProposed", (id: bigint, client: string, agentProvider: string, serviceType: string) => {
+          const involved = isMe(client) || isMe(agentProvider);
+          printEvent(
+            `Agreement #${id} proposed`,
+            `${fmtAddr(client)} → ${fmtAddr(agentProvider)}  ${c.dim(serviceType)}`,
+            involved ? "ok" : undefined
+          );
+        });
+
+        sa.on("AgreementAccepted", (id: bigint, agentProvider: string) => {
+          printEvent(`Agreement #${id} → ${c.green("ACCEPTED")}`, fmtAddr(agentProvider));
+        });
+
+        sa.on("AgreementFulfilled", (id: bigint, agentProvider: string, deliverablesHash: string) => {
+          printEvent(
+            `Agreement #${id} → ${c.green("DELIVERED")}`,
+            `${fmtAddr(agentProvider)}  ${c.dim(deliverablesHash.slice(0, 10) + "...")}`,
+            "ok"
+          );
+        });
+
+        sa.on("AgreementDisputed", (id: bigint, initiator: string, reason: string) => {
+          printEvent(
+            `Agreement #${id} → ${c.red("DISPUTED")}`,
+            `${fmtAddr(initiator)}  ${c.dim(reason.slice(0, 40))}`,
+            "err"
+          );
+        });
+
+        sa.on("AgreementCancelled", (id: bigint, client: string) => {
+          printEvent(`Agreement #${id} → ${c.yellow("CANCELLED")}`, fmtAddr(client), "warn");
+        });
+      }
+
+      // ── Handshake ──────────────────────────────────────────────────────────
+
+      if (config.handshakeAddress) {
+        const hs = new ethers.Contract(config.handshakeAddress, HANDSHAKE_WATCH_ABI, provider);
+
+        hs.on("HandshakeSent", (_id: bigint, from: string, to: string, hsType: number, _token: string, _amount: bigint, note: string) => {
+          const typeLabel = HS_TYPE_LABELS[hsType] ?? `type ${hsType}`;
+          const toMe = isMe(to);
+          const noteStr = note ? `  ${c.dim(`(${note.slice(0, 30)})`)}` : "";
+          printEvent(
+            `Handshake from ${fmtAddr(from)} → ${fmtAddr(to)}`,
+            `${c.dim(typeLabel)}${noteStr}`,
+            toMe ? "ok" : undefined
+          );
+        });
+      }
+
+      // ── DisputeModule ──────────────────────────────────────────────────────
+
+      if (config.disputeModuleAddress) {
+        const dm = new ethers.Contract(config.disputeModuleAddress, DISPUTE_MODULE_WATCH_ABI, provider);
+
+        dm.on("DisputeRaised", (agreementId: bigint, initiator: string, reason: string) => {
+          printEvent(
+            `Dispute raised on #${agreementId}`,
+            `${fmtAddr(initiator)}  ${c.dim(reason.slice(0, 40))}`,
+            "err"
+          );
+        });
+
+        dm.on("DisputeResolved", (agreementId: bigint, favorProvider: boolean, resolution: string) => {
+          printEvent(
+            `Dispute #${agreementId} → ${c.green("RESOLVED")}`,
+            `${c.dim(favorProvider ? "provider wins" : "client wins")}  ${c.dim(resolution.slice(0, 30))}`,
+            "ok"
+          );
+        });
+      }
+
+      // ── Block heartbeat (shows feed is alive) ──────────────────────────────
+
+      let lastBlock = 0;
+      provider.on("block", (blockNumber: number) => {
+        if (blockNumber > lastBlock) {
+          lastBlock = blockNumber;
+          if (blockNumber % 10 === 0) {
+            process.stdout.write(`  ${c.dim(`· block ${blockNumber}`)}\n`);
+          }
+        }
+      });
+
+      // ── Clean exit ─────────────────────────────────────────────────────────
+
+      process.on("SIGINT", () => {
+        console.log(`\n  ${c.dim("Feed stopped.")}`);
+        provider.removeAllListeners();
+        process.exit(0);
+      });
 
       // Keep process alive
       process.stdin.resume();

package/src/config.ts

@@ -1,6 +1,7 @@
 import * as fs from "fs";
 import * as path from "path";
 import * as os from "os";
+import { randomUUID } from "crypto";
 
 export interface Arc402Config {
   network: "base-mainnet" | "base-sepolia";
@@ -40,16 +41,25 @@ export interface Arc402Config {
   telegramBotToken?: string;
   telegramChatId?: string;
   telegramThreadId?: number;
+  /** Tracks onboarding progress so `wallet deploy` can resume after interruption. */
+  onboardingProgress?: {
+    walletAddress: string;
+    step: number;          // last completed step number (2=machineKey, 3=passkey, 4=policy, 5=agent)
+    completedSteps: string[];
+  };
   wcSession?: {
     topic: string;
     expiry: number;    // Unix timestamp
     account: string;   // Phone wallet address
     chainId: number;
   };
+  deviceId?: string;        // UUID identifying the device this config was created on
+  lastCliVersion?: string;  // Last CLI version that wrote this config (for upgrade detection)
 }
 
 const CONFIG_DIR = path.join(os.homedir(), ".arc402");
 const CONFIG_PATH = process.env.ARC402_CONFIG || path.join(CONFIG_DIR, "config.json");
+const DEVICE_ID_PATH = path.join(CONFIG_DIR, "device.id");
 
 // WalletConnect project ID — get your own at cloud.walletconnect.com
 const DEFAULT_WC_PROJECT_ID = "455e9425343b9156fce1428250c9a54a";
@@ -57,7 +67,20 @@ export const getWcProjectId = () => process.env.WC_PROJECT_ID ?? DEFAULT_WC_PROJ
 
 export const getConfigPath = () => CONFIG_PATH;
 
+/** Returns this device's stable UUID, creating it on first call. */
+function getOrCreateDeviceId(): string {
+  if (fs.existsSync(DEVICE_ID_PATH)) {
+    return fs.readFileSync(DEVICE_ID_PATH, "utf-8").trim();
+  }
+  const id = randomUUID();
+  fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  fs.writeFileSync(DEVICE_ID_PATH, id, { mode: 0o600 });
+  return id;
+}
+
 export function loadConfig(): Arc402Config {
+  const thisDeviceId = getOrCreateDeviceId();
+
   if (!fs.existsSync(CONFIG_PATH)) {
     // Auto-create with Base Mainnet defaults — zero friction
     const defaults = NETWORK_DEFAULTS["base-mainnet"] ?? {};
@@ -78,13 +101,28 @@ export function loadConfig(): Arc402Config {
       walletFactoryAddress: defaults.walletFactoryAddress,
       sessionChannelsAddress: defaults.sessionChannelsAddress,
       disputeModuleAddress: defaults.disputeModuleAddress,
+      deviceId: thisDeviceId,
     };
     saveConfig(autoConfig);
     console.log(`◈ Config auto-created at ${CONFIG_PATH} (Base Mainnet)`);
     console.log("⚠ Base Mainnet — real funds at risk. Use arc402 config init for testnet.");
     return autoConfig;
   }
-  return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8")) as Arc402Config;
+
+  const config = JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8")) as Arc402Config;
+
+  // Multi-device awareness: warn if config was created on a different device
+  if (config.deviceId && config.deviceId !== thisDeviceId) {
+    console.warn("⚠ This config was created on a different device. Some keys may not work.");
+  }
+
+  // Backfill deviceId if missing (older config)
+  if (!config.deviceId) {
+    config.deviceId = thisDeviceId;
+    saveConfig(config);
+  }
+
+  return config;
 }
 
 export function saveConfig(config: Arc402Config): void {