npm - arc402-cli - Versions diffs - 1.0.0-rc.1 → 1.0.0 - Mend

arc402-cli 1.0.0-rc.1 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (253) hide show

package/README.md +41 -2
package/dist/abis.d.ts +1 -0
package/dist/abis.d.ts.map +1 -1
package/dist/abis.js +29 -1
package/dist/abis.js.map +1 -1
package/dist/commands/backup.d.ts +3 -0
package/dist/commands/backup.d.ts.map +1 -0
package/dist/commands/backup.js +106 -0
package/dist/commands/backup.js.map +1 -0
package/dist/commands/compute.d.ts +14 -0
package/dist/commands/compute.d.ts.map +1 -0
package/dist/commands/compute.js +466 -0
package/dist/commands/compute.js.map +1 -0
package/dist/commands/config.d.ts.map +1 -1
package/dist/commands/config.js +11 -1
package/dist/commands/config.js.map +1 -1
package/dist/commands/daemon.d.ts.map +1 -1
package/dist/commands/daemon.js +67 -0
package/dist/commands/daemon.js.map +1 -1
package/dist/commands/discover.d.ts.map +1 -1
package/dist/commands/discover.js +60 -15
package/dist/commands/discover.js.map +1 -1
package/dist/commands/doctor.d.ts +3 -0
package/dist/commands/doctor.d.ts.map +1 -0
package/dist/commands/doctor.js +205 -0
package/dist/commands/doctor.js.map +1 -0
package/dist/commands/wallet.d.ts.map +1 -1
package/dist/commands/wallet.js +299 -65
package/dist/commands/wallet.js.map +1 -1
package/dist/commands/watch.d.ts.map +1 -1
package/dist/commands/watch.js +146 -9
package/dist/commands/watch.js.map +1 -1
package/dist/commands/workroom.d.ts.map +1 -1
package/dist/commands/workroom.js +112 -6
package/dist/commands/workroom.js.map +1 -1
package/dist/config.d.ts +12 -0
package/dist/config.d.ts.map +1 -1
package/dist/config.js +41 -4
package/dist/config.js.map +1 -1
package/dist/daemon/compute-metering.d.ts +61 -0
package/dist/daemon/compute-metering.d.ts.map +1 -0
package/dist/daemon/compute-metering.js +299 -0
package/dist/daemon/compute-metering.js.map +1 -0
package/dist/daemon/compute-session.d.ts +100 -0
package/dist/daemon/compute-session.d.ts.map +1 -0
package/dist/daemon/compute-session.js +231 -0
package/dist/daemon/compute-session.js.map +1 -0
package/dist/daemon/config.d.ts +33 -1
package/dist/daemon/config.d.ts.map +1 -1
package/dist/daemon/config.js +69 -0
package/dist/daemon/config.js.map +1 -1
package/dist/daemon/credentials.d.ts +24 -0
package/dist/daemon/credentials.d.ts.map +1 -0
package/dist/daemon/credentials.js +80 -0
package/dist/daemon/credentials.js.map +1 -0
package/dist/daemon/delivery-client.d.ts +35 -0
package/dist/daemon/delivery-client.d.ts.map +1 -0
package/dist/daemon/delivery-client.js +231 -0
package/dist/daemon/delivery-client.js.map +1 -0
package/dist/daemon/file-delivery.d.ts +98 -0
package/dist/daemon/file-delivery.d.ts.map +1 -0
package/dist/daemon/file-delivery.js +461 -0
package/dist/daemon/file-delivery.js.map +1 -0
package/dist/daemon/index.d.ts +1 -0
package/dist/daemon/index.d.ts.map +1 -1
package/dist/daemon/index.js +793 -227
package/dist/daemon/index.js.map +1 -1
package/dist/daemon/notify.d.ts +35 -6
package/dist/daemon/notify.d.ts.map +1 -1
package/dist/daemon/notify.js +176 -48
package/dist/daemon/notify.js.map +1 -1
package/dist/daemon/worker-executor.d.ts +71 -0
package/dist/daemon/worker-executor.d.ts.map +1 -0
package/dist/daemon/worker-executor.js +382 -0
package/dist/daemon/worker-executor.js.map +1 -0
package/dist/drain-v4.js +2 -2
package/dist/drain-v4.js.map +1 -1
package/dist/endpoint-notify.d.ts +9 -1
package/dist/endpoint-notify.d.ts.map +1 -1
package/dist/endpoint-notify.js +116 -3
package/dist/endpoint-notify.js.map +1 -1
package/dist/index.js +81 -1
package/dist/index.js.map +1 -1
package/dist/program.d.ts.map +1 -1
package/dist/program.js +6 -0
package/dist/program.js.map +1 -1
package/dist/repl.d.ts.map +1 -1
package/dist/repl.js +69 -486
package/dist/repl.js.map +1 -1
package/dist/tui/App.d.ts +12 -0
package/dist/tui/App.d.ts.map +1 -0
package/dist/tui/App.js +154 -0
package/dist/tui/App.js.map +1 -0
package/dist/tui/Footer.d.ts +11 -0
package/dist/tui/Footer.d.ts.map +1 -0
package/dist/tui/Footer.js +13 -0
package/dist/tui/Footer.js.map +1 -0
package/dist/tui/Header.d.ts +14 -0
package/dist/tui/Header.d.ts.map +1 -0
package/dist/tui/Header.js +19 -0
package/dist/tui/Header.js.map +1 -0
package/dist/tui/InputLine.d.ts +11 -0
package/dist/tui/InputLine.d.ts.map +1 -0
package/dist/tui/InputLine.js +145 -0
package/dist/tui/InputLine.js.map +1 -0
package/dist/tui/Viewport.d.ts +14 -0
package/dist/tui/Viewport.d.ts.map +1 -0
package/dist/tui/Viewport.js +48 -0
package/dist/tui/Viewport.js.map +1 -0
package/dist/tui/WalletConnectPairing.d.ts +23 -0
package/dist/tui/WalletConnectPairing.d.ts.map +1 -0
package/dist/tui/WalletConnectPairing.js +61 -0
package/dist/tui/WalletConnectPairing.js.map +1 -0
package/dist/tui/components/Button.d.ts +7 -0
package/dist/tui/components/Button.d.ts.map +1 -0
package/dist/tui/components/Button.js +21 -0
package/dist/tui/components/Button.js.map +1 -0
package/dist/tui/components/CeremonyView.d.ts +13 -0
package/dist/tui/components/CeremonyView.d.ts.map +1 -0
package/dist/tui/components/CeremonyView.js +10 -0
package/dist/tui/components/CeremonyView.js.map +1 -0
package/dist/tui/components/CompletionDropdown.d.ts +7 -0
package/dist/tui/components/CompletionDropdown.d.ts.map +1 -0
package/dist/tui/components/CompletionDropdown.js +23 -0
package/dist/tui/components/CompletionDropdown.js.map +1 -0
package/dist/tui/components/ConfirmPrompt.d.ts +9 -0
package/dist/tui/components/ConfirmPrompt.d.ts.map +1 -0
package/dist/tui/components/ConfirmPrompt.js +10 -0
package/dist/tui/components/ConfirmPrompt.js.map +1 -0
package/dist/tui/components/CustomTextInput.d.ts +15 -0
package/dist/tui/components/CustomTextInput.d.ts.map +1 -0
package/dist/tui/components/CustomTextInput.js +99 -0
package/dist/tui/components/CustomTextInput.js.map +1 -0
package/dist/tui/components/InteractiveTable.d.ts +14 -0
package/dist/tui/components/InteractiveTable.d.ts.map +1 -0
package/dist/tui/components/InteractiveTable.js +61 -0
package/dist/tui/components/InteractiveTable.js.map +1 -0
package/dist/tui/components/StepSpinner.d.ts +11 -0
package/dist/tui/components/StepSpinner.d.ts.map +1 -0
package/dist/tui/components/StepSpinner.js +32 -0
package/dist/tui/components/StepSpinner.js.map +1 -0
package/dist/tui/components/Toast.d.ts +18 -0
package/dist/tui/components/Toast.d.ts.map +1 -0
package/dist/tui/components/Toast.js +29 -0
package/dist/tui/components/Toast.js.map +1 -0
package/dist/tui/index.d.ts +2 -0
package/dist/tui/index.d.ts.map +1 -0
package/dist/tui/index.js +55 -0
package/dist/tui/index.js.map +1 -0
package/dist/tui/useChat.d.ts +11 -0
package/dist/tui/useChat.d.ts.map +1 -0
package/dist/tui/useChat.js +91 -0
package/dist/tui/useChat.js.map +1 -0
package/dist/tui/useCommand.d.ts +12 -0
package/dist/tui/useCommand.d.ts.map +1 -0
package/dist/tui/useCommand.js +137 -0
package/dist/tui/useCommand.js.map +1 -0
package/dist/tui/useNotifications.d.ts +9 -0
package/dist/tui/useNotifications.d.ts.map +1 -0
package/dist/tui/useNotifications.js +17 -0
package/dist/tui/useNotifications.js.map +1 -0
package/dist/tui/useScroll.d.ts +17 -0
package/dist/tui/useScroll.d.ts.map +1 -0
package/dist/tui/useScroll.js +46 -0
package/dist/tui/useScroll.js.map +1 -0
package/dist/ui/format.d.ts.map +1 -1
package/dist/ui/format.js +2 -0
package/dist/ui/format.js.map +1 -1
package/dist/ui/qr-render.d.ts +25 -0
package/dist/ui/qr-render.d.ts.map +1 -0
package/dist/ui/qr-render.js +90 -0
package/dist/ui/qr-render.js.map +1 -0
package/dist/ui/rpc-fallback.d.ts +11 -0
package/dist/ui/rpc-fallback.d.ts.map +1 -0
package/dist/ui/rpc-fallback.js +58 -0
package/dist/ui/rpc-fallback.js.map +1 -0
package/dist/walletconnect.d.ts +4 -0
package/dist/walletconnect.d.ts.map +1 -1
package/dist/walletconnect.js.map +1 -1
package/package.json +10 -2
package/scripts/authorize-machine-key.ts +0 -43
package/scripts/drain-wallet.ts +0 -149
package/scripts/execute-spend-only.ts +0 -81
package/scripts/register-agent-userop.ts +0 -186
package/src/abis.ts +0 -187
package/src/bundler.ts +0 -235
package/src/client.ts +0 -36
package/src/coinbase-smart-wallet.ts +0 -51
package/src/commands/accept.ts +0 -64
package/src/commands/agent-handshake.ts +0 -72
package/src/commands/agent.ts +0 -691
package/src/commands/agreements.ts +0 -350
package/src/commands/arbitrator.ts +0 -180
package/src/commands/arena-handshake.ts +0 -257
package/src/commands/arena.ts +0 -122
package/src/commands/cancel.ts +0 -35
package/src/commands/channel.ts +0 -218
package/src/commands/coldstart.ts +0 -165
package/src/commands/config.ts +0 -58
package/src/commands/contract-interaction.ts +0 -166
package/src/commands/daemon.ts +0 -978
package/src/commands/deliver.ts +0 -148
package/src/commands/discover.ts +0 -297
package/src/commands/dispute.ts +0 -375
package/src/commands/endpoint.ts +0 -620
package/src/commands/feed.ts +0 -229
package/src/commands/hire.ts +0 -245
package/src/commands/migrate.ts +0 -177
package/src/commands/negotiate.ts +0 -271
package/src/commands/openshell.ts +0 -1055
package/src/commands/owner.ts +0 -35
package/src/commands/policy.ts +0 -263
package/src/commands/relay.ts +0 -273
package/src/commands/remediate.ts +0 -24
package/src/commands/reputation.ts +0 -79
package/src/commands/setup.ts +0 -343
package/src/commands/trust.ts +0 -27
package/src/commands/verify.ts +0 -91
package/src/commands/wallet.ts +0 -3280
package/src/commands/watch.ts +0 -23
package/src/commands/watchtower.ts +0 -248
package/src/commands/workroom.ts +0 -959
package/src/config.ts +0 -174
package/src/daemon/config.ts +0 -308
package/src/daemon/hire-listener.ts +0 -226
package/src/daemon/index.ts +0 -955
package/src/daemon/job-lifecycle.ts +0 -215
package/src/daemon/notify.ts +0 -157
package/src/daemon/token-metering.ts +0 -183
package/src/daemon/userops.ts +0 -119
package/src/daemon/wallet-monitor.ts +0 -90
package/src/drain-v4.ts +0 -159
package/src/endpoint-config.ts +0 -83
package/src/endpoint-notify.ts +0 -46
package/src/index.ts +0 -26
package/src/openshell-runtime.ts +0 -277
package/src/program.ts +0 -83
package/src/repl.ts +0 -680
package/src/signing.ts +0 -28
package/src/telegram-notify.ts +0 -88
package/src/ui/banner.ts +0 -51
package/src/ui/colors.ts +0 -30
package/src/ui/format.ts +0 -77
package/src/ui/spinner.ts +0 -56
package/src/ui/tree.ts +0 -16
package/src/utils/format.ts +0 -48
package/src/utils/hash.ts +0 -5
package/src/utils/time.ts +0 -15
package/src/wallet-router.ts +0 -178
package/src/walletconnect-session.ts +0 -27
package/src/walletconnect.ts +0 -294
package/test/time.test.js +0 -11
package/tsconfig.json +0 -19

package/dist/commands/wallet.js CHANGED Viewed

@@ -26,6 +26,26 @@ const tree_1 = require("../ui/tree");
 const spinner_1 = require("../ui/spinner");
 const colors_1 = require("../ui/colors");
 const POLICY_ENGINE_DEFAULT = "0x44102e70c2A366632d98Fe40d892a2501fC7fFF2";
+const GUARDIAN_KEY_PATH = path_1.default.join(os_1.default.homedir(), ".arc402", "guardian.key");
+/** Save guardian private key to a restricted standalone file (never to config.json). */
+function saveGuardianKey(privateKey) {
+    fs_1.default.mkdirSync(path_1.default.dirname(GUARDIAN_KEY_PATH), { recursive: true, mode: 0o700 });
+    fs_1.default.writeFileSync(GUARDIAN_KEY_PATH, privateKey + "\n", { mode: 0o400 });
+}
+/** Load guardian private key from file, falling back to config for backwards compat. */
+function loadGuardianKey(config) {
+    try {
+        return fs_1.default.readFileSync(GUARDIAN_KEY_PATH, "utf-8").trim();
+    }
+    catch {
+        // Migration: if key still in config, migrate it to the file now
+        if (config.guardianPrivateKey) {
+            saveGuardianKey(config.guardianPrivateKey);
+            return config.guardianPrivateKey;
+        }
+        return null;
+    }
+}
 function parseAmount(raw) {
     const lower = raw.toLowerCase();
     if (lower.endsWith("eth")) {
@@ -161,6 +181,9 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
         await sendTx({ to: walletAddress, data: mkIface.encodeFunctionData("authorizeMachineKey", [machineKeyAddress]), value: "0x0" }, "authorizeMachineKey");
         console.log(" " + colors_1.c.success + " Machine key authorized");
     }
+    // Save progress after machine key step
+    config.onboardingProgress = { walletAddress, step: 2, completedSteps: ["machineKey"] };
+    (0, config_1.saveConfig)(config);
     // ── Step 3: Passkey ───────────────────────────────────────────────────────
     console.log("\n" + colors_1.c.dim("── Step 3: Passkey (Face ID / WebAuthn) ──────────────────────"));
     let passkeyActive = false;
@@ -192,6 +215,9 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
             console.log(" " + colors_1.c.success + " Passkey set (via browser)");
         }
     }
+    // Save progress after passkey step
+    config.onboardingProgress = { walletAddress, step: 3, completedSteps: ["machineKey", "passkey"] };
+    (0, config_1.saveConfig)(config);
     // ── Step 4: Policy ────────────────────────────────────────────────────────
     console.log("\n" + colors_1.c.dim("── Step 4: Policy ─────────────────────────────────────────────"));
     // 4a) setVelocityLimit
@@ -240,12 +266,15 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
         const guardianInput = guardianAns.guardian?.trim() ?? "";
         if (guardianInput.toLowerCase() === "g") {
             const generatedGuardian = ethers_1.ethers.Wallet.createRandom();
-            config.guardianPrivateKey = generatedGuardian.privateKey;
+            // Save guardian private key to a separate restricted file, NOT config.json
+            const guardianKeyPath = path_1.default.join(os_1.default.homedir(), ".arc402", "guardian.key");
+            fs_1.default.mkdirSync(path_1.default.dirname(guardianKeyPath), { recursive: true, mode: 0o700 });
+            fs_1.default.writeFileSync(guardianKeyPath, generatedGuardian.privateKey + "\n", { mode: 0o400 });
+            // Only save address (not private key) to config
             config.guardianAddress = generatedGuardian.address;
             (0, config_1.saveConfig)(config);
             guardianAddress = generatedGuardian.address;
-            console.log("\n " + colors_1.c.warning + " IMPORTANT: Save this guardian private key (emergency freeze key):");
-            console.log("   " + colors_1.c.dim(generatedGuardian.privateKey));
+            console.log("\n " + colors_1.c.warning + " Guardian key saved to ~/.arc402/guardian.key — move offline for security");
             console.log("   " + colors_1.c.dim("Address: ") + colors_1.c.white(generatedGuardian.address) + "\n");
             const guardianIface = new ethers_1.ethers.Interface(["function setGuardian(address _guardian) external"]);
             await sendTx({ to: walletAddress, data: guardianIface.encodeFunctionData("setGuardian", [guardianAddress]), value: "0x0" }, "setGuardian");
@@ -297,6 +326,9 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
     await sendTx({ to: policyAddress, data: contractInteractionIface.encodeFunctionData("enableContractInteraction", [walletAddress, handshakeAddress]), value: "0x0" }, "enableContractInteraction: Handshake");
     (0, config_1.saveConfig)(config);
     console.log(" " + colors_1.c.success + " Policy configured");
+    // Save progress after policy step
+    config.onboardingProgress = { walletAddress, step: 4, completedSteps: ["machineKey", "passkey", "policy"] };
+    (0, config_1.saveConfig)(config);
     // ── Step 5: Agent Registration ─────────────────────────────────────────────
     console.log("\n" + colors_1.c.dim("── Step 5: Agent Registration ─────────────────────────────────"));
     let agentAlreadyRegistered = false;
@@ -374,6 +406,90 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
     else {
         console.log(" " + colors_1.c.warning + " AgentRegistry address not configured — skipping");
     }
+    // Save progress after agent step, then clear on ceremony complete
+    config.onboardingProgress = { walletAddress, step: 5, completedSteps: ["machineKey", "passkey", "policy", "agent"] };
+    (0, config_1.saveConfig)(config);
+    // ── Step 7: Workroom Init ─────────────────────────────────────────────────
+    console.log("\n" + colors_1.c.dim("── Step 7: Workroom ────────────────────────────────────────────"));
+    let workroomInitialized = false;
+    let dockerFound = false;
+    try {
+        const dockerCheck = (0, child_process_1.spawnSync)("docker", ["--version"], { encoding: "utf-8", timeout: 5000 });
+        dockerFound = dockerCheck.status === 0;
+    }
+    catch {
+        dockerFound = false;
+    }
+    if (dockerFound) {
+        console.log(" " + colors_1.c.dim("Docker found — initializing workroom..."));
+        try {
+            const initResult = (0, child_process_1.spawnSync)(process.execPath, [process.argv[1], "workroom", "init"], {
+                encoding: "utf-8",
+                timeout: 120000,
+                env: { ...process.env },
+            });
+            workroomInitialized = initResult.status === 0;
+            if (workroomInitialized) {
+                console.log(" " + colors_1.c.success + " Workroom initialized");
+            }
+            else {
+                console.log(" " + colors_1.c.warning + " Workroom init incomplete — run: arc402 workroom init");
+            }
+        }
+        catch {
+            console.log(" " + colors_1.c.warning + " Workroom init failed — run: arc402 workroom init");
+        }
+    }
+    else {
+        console.log(" " + colors_1.c.warning + " Docker not found");
+        console.log("   Install Docker: https://docs.docker.com/get-docker/");
+        console.log("   Or run daemon in host mode: " + colors_1.c.white("arc402 daemon start --host"));
+    }
+    // ── Step 8: Daemon Start ──────────────────────────────────────────────────
+    console.log("\n" + colors_1.c.dim("── Step 8: Daemon ──────────────────────────────────────────────"));
+    let daemonRunning = false;
+    const relayPort = 4402;
+    if (workroomInitialized) {
+        try {
+            const startResult = (0, child_process_1.spawnSync)(process.execPath, [process.argv[1], "workroom", "start"], {
+                encoding: "utf-8",
+                timeout: 30000,
+                env: { ...process.env },
+            });
+            daemonRunning = startResult.status === 0;
+            if (daemonRunning) {
+                console.log(" " + colors_1.c.success + " Daemon online (port " + relayPort + ")");
+            }
+            else {
+                console.log(" " + colors_1.c.warning + " Daemon start failed — run: arc402 workroom start");
+            }
+        }
+        catch {
+            console.log(" " + colors_1.c.warning + " Daemon start failed — run: arc402 workroom start");
+        }
+    }
+    else if (!dockerFound) {
+        try {
+            const startResult = (0, child_process_1.spawnSync)(process.execPath, [process.argv[1], "daemon", "start", "--host"], {
+                encoding: "utf-8",
+                timeout: 30000,
+                env: { ...process.env },
+            });
+            daemonRunning = startResult.status === 0;
+            if (daemonRunning) {
+                console.log(" " + colors_1.c.success + " Daemon online — host mode (port " + relayPort + ")");
+            }
+            else {
+                console.log(" " + colors_1.c.warning + " Daemon not started — run: arc402 daemon start --host");
+            }
+        }
+        catch {
+            console.log(" " + colors_1.c.warning + " Daemon not started — run: arc402 daemon start --host");
+        }
+    }
+    else {
+        console.log(" " + colors_1.c.warning + " Daemon not started — run: arc402 workroom init first");
+    }
     // ── Step 6: Summary ───────────────────────────────────────────────────────
     const trustScore = await (async () => {
         try {
@@ -385,6 +501,18 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
             return "100";
         }
     })();
+    const workroomLabel = dockerFound
+        ? (workroomInitialized ? (daemonRunning ? colors_1.c.green("✓ Running") : colors_1.c.yellow("✓ Initialized")) : colors_1.c.yellow("⚠ Init needed"))
+        : colors_1.c.yellow("⚠ No Docker");
+    const daemonLabel = daemonRunning
+        ? colors_1.c.green("✓ Online (port " + relayPort + ")")
+        : colors_1.c.dim("not started");
+    const endpointLabel = agentEndpoint
+        ? colors_1.c.white(agentEndpoint) + colors_1.c.dim(` → localhost:${relayPort}`)
+        : colors_1.c.dim("—");
+    // Clear onboarding progress — ceremony complete
+    delete config.onboardingProgress;
+    (0, config_1.saveConfig)(config);
     console.log("\n " + colors_1.c.success + colors_1.c.white(" Onboarding complete"));
     (0, tree_1.renderTree)([
         { label: "Wallet", value: colors_1.c.white(walletAddress) },
@@ -396,11 +524,12 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
         { label: "Hire limit", value: colors_1.c.white(hireLimit + " ETH") },
         { label: "Agent", value: agentName ? colors_1.c.white(agentName) : colors_1.c.dim("not registered") },
         { label: "Service", value: agentServiceType ? colors_1.c.white(agentServiceType) : colors_1.c.dim("—") },
-        { label: "Endpoint", value: agentEndpoint ? colors_1.c.white(agentEndpoint) : colors_1.c.dim("—") },
+        { label: "Workroom", value: workroomLabel },
+        { label: "Daemon", value: daemonLabel },
+        { label: "Endpoint", value: endpointLabel },
         { label: "Trust", value: colors_1.c.white(`${trustScore}`), last: true },
     ]);
     console.log("\n " + colors_1.c.dim("Next: fund your wallet with 0.002 ETH on Base"));
-    console.log(" " + colors_1.c.dim("      arc402 daemon start"));
 }
 function printOpenShellHint() {
     const r = (0, child_process_1.spawnSync)("which", ["openshell"], { encoding: "utf-8" });
@@ -422,11 +551,20 @@ function registerWalletCommands(program) {
         const usdcAddress = (0, config_1.getUsdcAddress)(config);
         const usdc = new ethers_1.ethers.Contract(usdcAddress, ["function balanceOf(address owner) external view returns (uint256)"], provider);
         const trust = new sdk_1.TrustClient(config.trustRegistryAddress, provider);
-        const [ethBalance, usdcBalance, score] = await Promise.all([
-            provider.getBalance(address),
-            usdc.balanceOf(address),
-            trust.getScore(address),
-        ]);
+        const statusSpinner = opts.json ? null : (0, spinner_1.startSpinner)("Loading wallet status…");
+        let ethBalance, usdcBalance, score;
+        try {
+            [ethBalance, usdcBalance, score] = await Promise.all([
+                provider.getBalance(address),
+                usdc.balanceOf(address),
+                trust.getScore(address),
+            ]);
+            statusSpinner?.succeed("Wallet status loaded");
+        }
+        catch (err) {
+            statusSpinner?.fail("Failed to load wallet status");
+            throw err;
+        }
         // Query contract wallet for frozen/guardian state if deployed
         let contractFrozen = null;
         let contractGuardian = null;
@@ -546,16 +684,40 @@ function registerWalletCommands(program) {
         console.log(colors_1.c.dim("Next: fund your wallet with ETH, then run: arc402 wallet deploy"));
     });
     // ─── import ────────────────────────────────────────────────────────────────
-    wallet.command("import <privateKey>")
-        .description("Import an existing private key")
+    wallet.command("import")
+        .description("Import an existing private key (use --key-file or stdin prompt)")
         .option("--network <network>", "Network (base-mainnet or base-sepolia)", "base-sepolia")
-        .action(async (privateKey, opts) => {
+        .option("--key-file <path>", "Read private key from file instead of prompting")
+        .action(async (opts) => {
         const network = opts.network;
         const defaults = config_1.NETWORK_DEFAULTS[network];
         if (!defaults) {
             console.error(`Unknown network: ${network}. Use base-mainnet or base-sepolia.`);
             process.exit(1);
         }
+        let privateKey;
+        if (opts.keyFile) {
+            try {
+                privateKey = fs_1.default.readFileSync(opts.keyFile, "utf-8").trim();
+            }
+            catch (e) {
+                console.error(`Cannot read key file: ${e instanceof Error ? e.message : String(e)}`);
+                process.exit(1);
+            }
+        }
+        else {
+            // Interactive prompt — hidden input avoids shell history
+            const answer = await (0, prompts_1.default)({
+                type: "password",
+                name: "key",
+                message: "Paste private key (hidden):",
+            });
+            privateKey = (answer.key ?? "").trim();
+            if (!privateKey) {
+                console.error("No private key entered.");
+                process.exit(1);
+            }
+        }
         let imported;
         try {
             imported = new ethers_1.ethers.Wallet(privateKey);
@@ -703,8 +865,31 @@ function registerWalletCommands(program) {
         .option("--smart-wallet", "Connect via Base Smart Wallet (Coinbase Wallet SDK) instead of WalletConnect")
         .option("--hardware", "Hardware wallet mode: show raw wc: URI only (for Ledger Live, Trezor Suite, etc.)")
         .option("--sponsored", "Use CDP paymaster for gas sponsorship (requires paymasterUrl + cdpKeyName + CDP_PRIVATE_KEY env)")
+        .option("--dry-run", "Simulate the deployment ceremony without sending transactions")
         .action(async (opts) => {
         const config = (0, config_1.loadConfig)();
+        if (opts.dryRun) {
+            const factoryAddr = config.walletFactoryAddress ?? config_1.NETWORK_DEFAULTS[config.network]?.walletFactoryAddress ?? "(not configured)";
+            const chainId = config.network === "base-mainnet" ? 8453 : 84532;
+            console.log();
+            console.log(" " + colors_1.c.dim("── Dry run: wallet deploy ──────────────────────────────────────"));
+            console.log(" " + colors_1.c.dim("Network:         ") + colors_1.c.white(config.network));
+            console.log(" " + colors_1.c.dim("Chain ID:        ") + colors_1.c.white(String(chainId)));
+            console.log(" " + colors_1.c.dim("RPC:             ") + colors_1.c.white(config.rpcUrl));
+            console.log(" " + colors_1.c.dim("WalletFactory:   ") + colors_1.c.white(factoryAddr));
+            console.log(" " + colors_1.c.dim("Signing method:  ") + colors_1.c.white(opts.smartWallet ? "Base Smart Wallet" : opts.hardware ? "Hardware (WC URI)" : "WalletConnect"));
+            console.log(" " + colors_1.c.dim("Sponsored:       ") + colors_1.c.white(opts.sponsored ? "yes" : "no"));
+            console.log();
+            console.log(" " + colors_1.c.dim("Steps that would run:"));
+            console.log("   1. Connect " + (opts.smartWallet ? "Coinbase Smart Wallet" : "WalletConnect") + " session");
+            console.log("   2. Call WalletFactory.createWallet() → deploy ARC402Wallet");
+            console.log("   3. Save walletContractAddress to config");
+            console.log("   4. Run onboarding ceremony (PolicyEngine, machine key, agent registration)");
+            console.log();
+            console.log(" " + colors_1.c.dim("No transactions sent (--dry-run mode)."));
+            console.log();
+            return;
+        }
         const factoryAddress = config.walletFactoryAddress ?? config_1.NETWORK_DEFAULTS[config.network]?.walletFactoryAddress;
         if (!factoryAddress) {
             console.error("walletFactoryAddress not found in config or NETWORK_DEFAULTS. Add walletFactoryAddress to your config.");
@@ -845,12 +1030,44 @@ function registerWalletCommands(program) {
             const telegramOpts = config.telegramBotToken && config.telegramChatId
                 ? { botToken: config.telegramBotToken, chatId: config.telegramChatId, threadId: config.telegramThreadId }
                 : undefined;
+            // ── Resume check ──────────────────────────────────────────────────────
+            const resumeProgress = config.onboardingProgress;
+            const isResuming = !!(resumeProgress?.walletAddress &&
+                resumeProgress.walletAddress === config.walletContractAddress &&
+                config.ownerAddress);
+            if (isResuming) {
+                const stepNames = {
+                    2: "machine key", 3: "passkey", 4: "policy setup", 5: "agent registration",
+                };
+                const nextStep = (resumeProgress.step ?? 1) + 1;
+                console.log(" " + colors_1.c.dim(`◈ Resuming onboarding from step ${nextStep} (${stepNames[nextStep] ?? "ceremony"})...`));
+            }
+            // ── Gas estimation ─────────────────────────────────────────────────────
+            if (!isResuming) {
+                let gasMsg = "~0.003 ETH (6 transactions on Base)";
+                try {
+                    const feeData = await provider.getFeeData();
+                    const gasPrice = feeData.maxFeePerGas ?? feeData.gasPrice ?? BigInt(1500000000);
+                    const deployGas = await provider.estimateGas({
+                        to: factoryAddress,
+                        data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
+                    }).catch(() => BigInt(280000));
+                    const ceremonyGas = BigInt(700000); // ~5 ceremony txs × ~140k each
+                    const totalGasEth = parseFloat(ethers_1.ethers.formatEther((deployGas + ceremonyGas) * gasPrice));
+                    gasMsg = `~${totalGasEth.toFixed(4)} ETH (6 transactions on Base)`;
+                }
+                catch { /* use default */ }
+                console.log(" " + colors_1.c.dim(`◈ Estimated gas: ${gasMsg}`));
+            }
             // ── Step 1: Connect ────────────────────────────────────────────────────
-            const { client, session, account } = await (0, walletconnect_1.connectPhoneWallet)(config.walletConnectProjectId, chainId, config, { telegramOpts, prompt: "Approve ARC402Wallet deployment — you will be set as owner", hardware: !!opts.hardware });
+            const connectPrompt = isResuming
+                ? "Connect wallet to resume onboarding"
+                : "Approve ARC402Wallet deployment — you will be set as owner";
+            const { client, session, account } = await (0, walletconnect_1.connectPhoneWallet)(config.walletConnectProjectId, chainId, config, { telegramOpts, prompt: connectPrompt, hardware: !!opts.hardware });
             const networkName = chainId === 8453 ? "Base" : "Base Sepolia";
             const shortAddr = `${account.slice(0, 6)}...${account.slice(-5)}`;
             console.log("\n" + colors_1.c.success + colors_1.c.white(` Connected: ${shortAddr} on ${networkName}`));
-            if (telegramOpts) {
+            if (telegramOpts && !isResuming) {
                 // Send "connected" message with a deploy confirmation button.
                 // TODO: wire up full callback_data round-trip when a persistent bot process is available.
                 await (0, telegram_notify_1.sendTelegramMessage)({
@@ -861,50 +1078,59 @@ function registerWalletCommands(program) {
                     buttons: [[{ text: "🚀 Deploy ARC-402 Wallet", callback_data: "arc402_deploy_confirm" }]],
                 });
             }
-            // ── Step 2: Confirm & Deploy ───────────────────────────────────────────
-            // WalletConnect approval already confirmed intent — sending automatically
-            console.log("Deploying...");
-            const txHash = await (0, walletconnect_1.sendTransactionWithSession)(client, session, account, chainId, {
-                to: factoryAddress,
-                data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
-                value: "0x0",
-            });
-            console.log(`\nTransaction submitted: ${txHash}`);
-            console.log("Waiting for confirmation...");
-            const receipt = await provider.waitForTransaction(txHash);
-            if (!receipt) {
-                console.error("Transaction not confirmed. Check on-chain.");
-                process.exit(1);
+            let walletAddress;
+            if (isResuming) {
+                // Resume: skip deploy, use existing wallet
+                walletAddress = config.walletContractAddress;
+                console.log(" " + colors_1.c.dim(`◈ Using existing wallet: ${walletAddress}`));
             }
-            let walletAddress = null;
-            const factoryContract = new ethers_1.ethers.Contract(factoryAddress, abis_1.WALLET_FACTORY_ABI, provider);
-            for (const log of receipt.logs) {
-                try {
-                    const parsed = factoryContract.interface.parseLog(log);
-                    if (parsed?.name === "WalletCreated") {
-                        walletAddress = parsed.args.walletAddress;
-                        break;
+            else {
+                // ── Step 2: Confirm & Deploy ─────────────────────────────────────────
+                // WalletConnect approval already confirmed intent — sending automatically
+                console.log("Deploying...");
+                const txHash = await (0, walletconnect_1.sendTransactionWithSession)(client, session, account, chainId, {
+                    to: factoryAddress,
+                    data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
+                    value: "0x0",
+                });
+                console.log(`\nTransaction submitted: ${txHash}`);
+                console.log("Waiting for confirmation...");
+                const receipt = await provider.waitForTransaction(txHash);
+                if (!receipt) {
+                    console.error("Transaction not confirmed. Check on-chain.");
+                    process.exit(1);
+                }
+                let deployedWallet = null;
+                const factoryContract = new ethers_1.ethers.Contract(factoryAddress, abis_1.WALLET_FACTORY_ABI, provider);
+                for (const log of receipt.logs) {
+                    try {
+                        const parsed = factoryContract.interface.parseLog(log);
+                        if (parsed?.name === "WalletCreated") {
+                            deployedWallet = parsed.args.walletAddress;
+                            break;
+                        }
                     }
+                    catch { /* skip unparseable logs */ }
                 }
-                catch { /* skip unparseable logs */ }
-            }
-            if (!walletAddress) {
-                console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
-                process.exit(1);
-            }
-            // ── Step 1 complete: save wallet + owner immediately ─────────────────
-            config.walletContractAddress = walletAddress;
-            config.ownerAddress = account;
-            (0, config_1.saveConfig)(config);
-            try {
-                fs_1.default.chmodSync((0, config_1.getConfigPath)(), 0o600);
+                if (!deployedWallet) {
+                    console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
+                    process.exit(1);
+                }
+                walletAddress = deployedWallet;
+                // ── Step 1 complete: save wallet + owner immediately ─────────────────
+                config.walletContractAddress = walletAddress;
+                config.ownerAddress = account;
+                (0, config_1.saveConfig)(config);
+                try {
+                    fs_1.default.chmodSync((0, config_1.getConfigPath)(), 0o600);
+                }
+                catch { /* best-effort */ }
+                console.log("\n " + colors_1.c.success + colors_1.c.white(" Wallet deployed"));
+                (0, tree_1.renderTree)([
+                    { label: "Wallet", value: walletAddress },
+                    { label: "Owner", value: account, last: true },
+                ]);
             }
-            catch { /* best-effort */ }
-            console.log("\n " + colors_1.c.success + colors_1.c.white(" Wallet deployed"));
-            (0, tree_1.renderTree)([
-                { label: "Wallet", value: walletAddress },
-                { label: "Owner", value: account, last: true },
-            ]);
             // ── Steps 2–6: Complete onboarding ceremony (same WalletConnect session)
             const sendTxCeremony = async (call, description) => {
                 console.log(" " + colors_1.c.dim(`◈ ${description}`));
@@ -945,8 +1171,11 @@ function registerWalletCommands(program) {
             const guardianWallet = ethers_1.ethers.Wallet.createRandom();
             config.walletContractAddress = walletAddress;
             config.ownerAddress = address;
-            config.guardianPrivateKey = guardianWallet.privateKey;
             config.guardianAddress = guardianWallet.address;
+            // Save key to restricted file — never store in config.json
+            saveGuardianKey(guardianWallet.privateKey);
+            if (config.guardianPrivateKey)
+                delete config.guardianPrivateKey;
             (0, config_1.saveConfig)(config);
             // Call setGuardian on the deployed wallet
             const walletContract = new ethers_1.ethers.Contract(walletAddress, abis_1.ARC402_WALLET_GUARDIAN_ABI, signer);
@@ -967,7 +1196,7 @@ function registerWalletCommands(program) {
                 { label: "Wallet", value: walletAddress },
                 { label: "Guardian", value: guardianWallet.address, last: true },
             ]);
-            console.log(`Guardian private key saved to config (keep it safe — used for emergency freeze only)`);
+            console.log(`Guardian private key saved to ~/.arc402/guardian.key (chmod 400 — keep it safe, used for emergency freeze only)`);
             console.log(`Your wallet contract is ready for policy enforcement`);
             printOpenShellHint();
         }
@@ -1164,12 +1393,13 @@ function registerWalletCommands(program) {
             console.error("walletContractAddress not set in config. Run `arc402 wallet deploy` first.");
             process.exit(1);
         }
-        if (!config.guardianPrivateKey) {
-            console.error("guardianPrivateKey not set in config. Guardian key was generated during `arc402 wallet deploy`.");
+        const guardianKey = loadGuardianKey(config);
+        if (!guardianKey) {
+            console.error(`Guardian key not found. Expected at ~/.arc402/guardian.key (or guardianPrivateKey in config for legacy setups).`);
             process.exit(1);
         }
         const provider = new ethers_1.ethers.JsonRpcProvider(config.rpcUrl);
-        const guardianSigner = new ethers_1.ethers.Wallet(config.guardianPrivateKey, provider);
+        const guardianSigner = new ethers_1.ethers.Wallet(guardianKey, provider);
         const walletContract = new ethers_1.ethers.Contract(config.walletContractAddress, abis_1.ARC402_WALLET_GUARDIAN_ABI, guardianSigner);
         let tx;
         if (opts.drain) {
@@ -1289,12 +1519,14 @@ function registerWalletCommands(program) {
             value: "0x0",
         });
         await provider.waitForTransaction(txHash);
-        config.guardianPrivateKey = guardianWallet.privateKey;
+        saveGuardianKey(guardianWallet.privateKey);
+        if (config.guardianPrivateKey)
+            delete config.guardianPrivateKey;
         config.guardianAddress = guardianWallet.address;
         (0, config_1.saveConfig)(config);
         console.log("\n" + colors_1.c.success + colors_1.c.white(` Guardian set to: ${guardianWallet.address}`));
         console.log(" " + colors_1.c.dim("Tx:") + " " + colors_1.c.white(txHash));
-        console.log(" " + colors_1.c.dim("Guardian private key saved to config."));
+        console.log(" " + colors_1.c.dim("Guardian private key saved to ~/.arc402/guardian.key (chmod 400)."));
         console.log(" " + colors_1.c.warning + " " + colors_1.c.yellow("The guardian key can freeze your wallet. Store it separately from your hot key."));
     });
     // ─── policy-engine freeze / unfreeze (legacy — for PolicyEngine-level freeze) ──
@@ -2005,9 +2237,11 @@ function registerWalletCommands(program) {
                 txHashes.push(txHash);
             }
         }
-        // Persist guardian key if generated
+        // Persist guardian key if generated — save to restricted file, not config.json
         if (guardianWallet) {
-            config.guardianPrivateKey = guardianWallet.privateKey;
+            saveGuardianKey(guardianWallet.privateKey);
+            if (config.guardianPrivateKey)
+                delete config.guardianPrivateKey;
             config.guardianAddress = guardianWallet.address;
             (0, config_1.saveConfig)(config);
         }
@@ -2019,7 +2253,7 @@ function registerWalletCommands(program) {
             txHashes.forEach((h, i) => console.log(" " + colors_1.c.dim(`Tx ${i + 1}:`) + " " + colors_1.c.white(h)));
         }
         if (guardianWallet) {
-            console.log(" " + colors_1.c.success + colors_1.c.dim(` Guardian key saved to config — address: ${guardianWallet.address}`));
+            console.log(" " + colors_1.c.success + colors_1.c.dim(` Guardian key saved to ~/.arc402/guardian.key — address: ${guardianWallet.address}`));
             console.log(" " + colors_1.c.warning + " " + colors_1.c.yellow("Store the guardian private key separately from your hot key."));
         }
         console.log(colors_1.c.dim("\nVerify with: arc402 wallet status && arc402 wallet policy show"));