moneyos 0.2.1 → 0.3.2

package/dist/cli/index.js

@@ -0,0 +1,2169 @@
+#!/usr/bin/env node
+
+// src/cli/index.ts
+import { Command as Command8 } from "commander";
+
+// src/cli/commands/init.ts
+import { Command } from "commander";
+import { generatePrivateKey, privateKeyToAccount as privateKeyToAccount3 } from "viem/accounts";
+
+// src/core/backup-file.ts
+import {
+  existsSync as existsSync2,
+  readdirSync,
+  statSync as statSync2
+} from "fs";
+import { join as join2, resolve } from "path";
+
+// src/core/encrypted-wallet.ts
+import {
+  createCipheriv,
+  createDecipheriv,
+  randomBytes,
+  scryptSync
+} from "crypto";
+import {
+  chmodSync,
+  closeSync,
+  existsSync,
+  fsyncSync,
+  mkdirSync,
+  openSync,
+  readFileSync,
+  renameSync,
+  statSync,
+  unlinkSync,
+  writeSync
+} from "fs";
+import { basename, dirname, join } from "path";
+import { recoverMessageAddress } from "viem";
+import { privateKeyToAccount } from "viem/accounts";
+var DEFAULT_KDF = {
+  name: "scrypt",
+  N: 131072,
+  r: 8,
+  p: 1,
+  keyLength: 32
+};
+var SECURE_FILE_MODE = 384;
+var SECURE_PARENT_MODE = 448;
+function normalizePassphrase(passphrase) {
+  return passphrase.normalize("NFC");
+}
+function walletProofMessage(wallet) {
+  return [
+    "MoneyOS wallet metadata",
+    `v=${wallet.version}`,
+    `kind=${wallet.kind}`,
+    `address=${wallet.address}`,
+    `createdAt=${wallet.createdAt}`
+  ].join("|");
+}
+function ensureParentDir(path) {
+  const dir = dirname(path);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: SECURE_PARENT_MODE });
+    return;
+  }
+  const mode = statSync(dir).mode & 511;
+  if ((mode & 63) !== 0) {
+    throw new Error(
+      `Wallet directory ${dir} has insecure permissions (${mode.toString(8)}). Restrict it to 700 before continuing.`
+    );
+  }
+}
+function assertSecureFileMode(path, label) {
+  if (!existsSync(path)) {
+    return;
+  }
+  const mode = statSync(path).mode & 511;
+  if ((mode & 63) !== 0) {
+    throw new Error(
+      `${label} at ${path} has insecure permissions (${mode.toString(8)}). Restrict it to 600 before continuing.`
+    );
+  }
+}
+function parseWalletFile(raw, path) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (error) {
+    throw new Error(
+      `Encrypted wallet at ${path} is not valid JSON: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+  if (!parsed || typeof parsed !== "object") {
+    throw new Error(`Encrypted wallet at ${path} must be a JSON object`);
+  }
+  const wallet = parsed;
+  if (wallet.version !== 1) {
+    throw new Error(`Encrypted wallet at ${path} has unsupported version`);
+  }
+  if (wallet.kind !== "encrypted-local-eoa") {
+    throw new Error(`Encrypted wallet at ${path} has unsupported kind`);
+  }
+  if (typeof wallet.address !== "string") {
+    throw new Error(`Encrypted wallet at ${path} is missing address metadata`);
+  }
+  if (typeof wallet.addressProof !== "string") {
+    throw new Error(`Encrypted wallet at ${path} is missing address proof`);
+  }
+  if (!wallet.kdf || wallet.kdf.name !== "scrypt" || !Number.isInteger(wallet.kdf.N) || !Number.isInteger(wallet.kdf.r) || !Number.isInteger(wallet.kdf.p) || !Number.isInteger(wallet.kdf.keyLength)) {
+    throw new Error(`Encrypted wallet at ${path} has invalid KDF parameters`);
+  }
+  if (!wallet.crypto || wallet.crypto.cipher !== "aes-256-gcm" || typeof wallet.crypto.salt !== "string" || typeof wallet.crypto.nonce !== "string" || typeof wallet.crypto.authTag !== "string" || typeof wallet.crypto.ciphertext !== "string") {
+    throw new Error(`Encrypted wallet at ${path} has invalid crypto metadata`);
+  }
+  if (typeof wallet.createdAt !== "string") {
+    throw new Error(`Encrypted wallet at ${path} is missing createdAt`);
+  }
+  return wallet;
+}
+function toMetadata(wallet) {
+  return {
+    version: wallet.version,
+    kind: wallet.kind,
+    address: wallet.address,
+    createdAt: wallet.createdAt
+  };
+}
+async function verifyWalletAddressProof(wallet, path) {
+  let recovered;
+  try {
+    recovered = await recoverMessageAddress({
+      message: walletProofMessage(wallet),
+      signature: wallet.addressProof
+    });
+  } catch {
+    throw new Error(`Encrypted wallet at ${path} has an invalid address proof`);
+  }
+  if (recovered.toLowerCase() !== wallet.address.toLowerCase()) {
+    throw new Error(`Encrypted wallet at ${path} failed address proof validation`);
+  }
+}
+function deriveKey(passphrase, salt, kdf) {
+  return scryptSync(normalizePassphrase(passphrase), salt, kdf.keyLength, {
+    N: kdf.N,
+    r: kdf.r,
+    p: kdf.p,
+    maxmem: 256 * 1024 * 1024
+  });
+}
+function walletAad(kdf) {
+  return Buffer.from(
+    JSON.stringify({
+      name: kdf.name,
+      N: kdf.N,
+      r: kdf.r,
+      p: kdf.p,
+      keyLength: kdf.keyLength
+    }),
+    "utf8"
+  );
+}
+function writeFileAtomicSecure(path, contents) {
+  ensureParentDir(path);
+  assertSecureFileMode(path, "Wallet file");
+  const tmpPath = join(
+    dirname(path),
+    `.${basename(path)}.${randomBytes(6).toString("hex")}.tmp`
+  );
+  const fd = openSync(tmpPath, "wx", SECURE_FILE_MODE);
+  let writeError;
+  try {
+    writeSync(fd, contents);
+    fsyncSync(fd);
+  } catch (error) {
+    writeError = error;
+  } finally {
+    closeSync(fd);
+  }
+  if (writeError) {
+    try {
+      unlinkSync(tmpPath);
+    } catch {
+    }
+    throw writeError;
+  }
+  renameSync(tmpPath, path);
+  chmodSync(path, SECURE_FILE_MODE);
+}
+async function encryptWallet(params) {
+  const account = privateKeyToAccount(params.privateKey);
+  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+  const salt = randomBytes(16);
+  const nonce = randomBytes(12);
+  const key = deriveKey(params.passphrase, salt, DEFAULT_KDF);
+  const cipher = createCipheriv("aes-256-gcm", key, nonce);
+  cipher.setAAD(walletAad(DEFAULT_KDF));
+  const plaintext = Buffer.from(
+    JSON.stringify({ privateKey: params.privateKey }),
+    "utf8"
+  );
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const addressProof = await account.signMessage({
+    message: walletProofMessage({
+      version: 1,
+      kind: "encrypted-local-eoa",
+      address: account.address,
+      createdAt
+    })
+  });
+  return {
+    version: 1,
+    kind: "encrypted-local-eoa",
+    address: account.address,
+    createdAt,
+    addressProof,
+    kdf: DEFAULT_KDF,
+    crypto: {
+      cipher: "aes-256-gcm",
+      salt: salt.toString("base64"),
+      nonce: nonce.toString("base64"),
+      authTag: authTag.toString("base64"),
+      ciphertext: ciphertext.toString("base64")
+    }
+  };
+}
+async function decryptWalletFile(wallet, passphrase) {
+  try {
+    const salt = Buffer.from(wallet.crypto.salt, "base64");
+    const nonce = Buffer.from(wallet.crypto.nonce, "base64");
+    const authTag = Buffer.from(wallet.crypto.authTag, "base64");
+    const ciphertext = Buffer.from(wallet.crypto.ciphertext, "base64");
+    const key = deriveKey(passphrase, salt, wallet.kdf);
+    const decipher = createDecipheriv("aes-256-gcm", key, nonce);
+    decipher.setAAD(walletAad(wallet.kdf));
+    decipher.setAuthTag(authTag);
+    const plaintext = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]).toString("utf8");
+    const parsed = JSON.parse(plaintext);
+    if (typeof parsed.privateKey !== "string") {
+      throw new Error("wallet payload missing privateKey");
+    }
+    const privateKey = parsed.privateKey;
+    const derivedAddress = privateKeyToAccount(privateKey).address;
+    if (derivedAddress.toLowerCase() !== wallet.address.toLowerCase()) {
+      throw new Error("wallet address metadata mismatch");
+    }
+    return privateKey;
+  } catch {
+    throw new Error("Invalid password or corrupted wallet.");
+  }
+}
+var FileEncryptedWalletStore = class {
+  walletPath;
+  constructor(walletPath) {
+    this.walletPath = walletPath;
+  }
+  exists() {
+    return existsSync(this.walletPath);
+  }
+  async metadata() {
+    if (!this.exists()) {
+      return void 0;
+    }
+    assertSecureFileMode(this.walletPath, "Wallet file");
+    const wallet = parseWalletFile(
+      readFileSync(this.walletPath, "utf8"),
+      this.walletPath
+    );
+    await verifyWalletAddressProof(wallet, this.walletPath);
+    return toMetadata(wallet);
+  }
+  async save(params) {
+    const wallet = await encryptWallet(params);
+    writeFileAtomicSecure(this.walletPath, JSON.stringify(wallet, null, 2));
+    return toMetadata(wallet);
+  }
+  async decrypt(passphrase) {
+    if (!this.exists()) {
+      throw new Error("No wallet configured. Run `moneyos init`.");
+    }
+    assertSecureFileMode(this.walletPath, "Wallet file");
+    const wallet = parseWalletFile(
+      readFileSync(this.walletPath, "utf8"),
+      this.walletPath
+    );
+    await verifyWalletAddressProof(wallet, this.walletPath);
+    return decryptWalletFile(wallet, passphrase);
+  }
+  async exportData() {
+    if (!this.exists()) {
+      throw new Error("No wallet configured. Run `moneyos init`.");
+    }
+    assertSecureFileMode(this.walletPath, "Wallet file");
+    const wallet = parseWalletFile(
+      readFileSync(this.walletPath, "utf8"),
+      this.walletPath
+    );
+    await verifyWalletAddressProof(wallet, this.walletPath);
+    return wallet;
+  }
+  async restore(data) {
+    const wallet = parseWalletFile(JSON.stringify(data), this.walletPath);
+    await verifyWalletAddressProof(wallet, this.walletPath);
+    writeFileAtomicSecure(this.walletPath, JSON.stringify(wallet, null, 2));
+    return toMetadata(wallet);
+  }
+};
+async function readEncryptedWalletFile(path) {
+  assertSecureFileMode(path, "Wallet file");
+  const wallet = parseWalletFile(readFileSync(path, "utf8"), path);
+  await verifyWalletAddressProof(wallet, path);
+  return wallet;
+}
+async function verifyEncryptedWalletPassphrase(wallet, passphrase) {
+  await verifyWalletAddressProof(wallet, "(in-memory wallet)");
+  await decryptWalletFile(wallet, passphrase);
+  return toMetadata(wallet);
+}
+
+// src/core/backup-file.ts
+function formatTimestamp(now) {
+  const pad = (value) => value.toString().padStart(2, "0");
+  return [
+    now.getUTCFullYear().toString(),
+    pad(now.getUTCMonth() + 1),
+    pad(now.getUTCDate()),
+    "-",
+    pad(now.getUTCHours()),
+    pad(now.getUTCMinutes()),
+    pad(now.getUTCSeconds())
+  ].join("");
+}
+var FileBackupProvider = class {
+  kind = "file";
+  store;
+  backupDir;
+  constructor(params) {
+    this.store = new FileEncryptedWalletStore(params.walletPath);
+    this.backupDir = params.backupDir;
+  }
+  defaultBackupPath(address) {
+    return join2(
+      this.backupDir,
+      `wallet-${address}-${formatTimestamp(/* @__PURE__ */ new Date())}.json`
+    );
+  }
+  async exportWallet(options = {}) {
+    if (options.outPath === "-") {
+      throw new Error("Refusing to export an encrypted wallet backup to stdout.");
+    }
+    const wallet = await this.store.exportData();
+    const targetPath = options.outPath ? resolve(options.outPath) : this.defaultBackupPath(wallet.address);
+    if (existsSync2(targetPath) && !options.allowOverwrite) {
+      throw new Error(
+        "Backup file already exists. Re-run with `--force` if you really want to overwrite it."
+      );
+    }
+    await new FileEncryptedWalletStore(targetPath).restore(wallet);
+    return targetPath;
+  }
+  async restoreWallet(fromPath, options) {
+    if (this.store.exists() && !options.allowOverwrite) {
+      throw new Error(
+        "A wallet already exists. Re-run with `--force` if you really want to overwrite it."
+      );
+    }
+    const sourcePath = resolve(fromPath);
+    const wallet = await readEncryptedWalletFile(sourcePath);
+    await verifyEncryptedWalletPassphrase(wallet, options.passphrase);
+    return this.store.restore(wallet);
+  }
+  async status() {
+    const exists = this.store.exists();
+    const metadata = exists ? await this.store.metadata() : void 0;
+    if (!existsSync2(this.backupDir)) {
+      return {
+        walletPath: this.store.walletPath,
+        backupDir: this.backupDir,
+        exists,
+        backupCount: 0,
+        address: metadata?.address
+      };
+    }
+    const files = readdirSync(this.backupDir).filter((name) => name.endsWith(".json")).map((name) => join2(this.backupDir, name)).sort(
+      (a, b) => statSync2(b).mtimeMs - statSync2(a).mtimeMs
+    );
+    return {
+      walletPath: this.store.walletPath,
+      backupDir: this.backupDir,
+      exists,
+      latestBackupPath: files[0],
+      backupCount: files.length,
+      address: metadata?.address
+    };
+  }
+};
+
+// src/cli/config.ts
+import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
+import { createHash } from "crypto";
+import { dirname as dirname2, join as join3 } from "path";
+import { homedir } from "os";
+var CONFIG_DIR = join3(homedir(), ".moneyos");
+var CONFIG_FILE = join3(CONFIG_DIR, "config.json");
+function hasRemovedOnePasswordConfig(config) {
+  return config.keyStore?.kind === "1password";
+}
+function getRemovedOnePasswordCachedAddress(config) {
+  const address = config.keyStore?.address;
+  return typeof address === "string" ? address : void 0;
+}
+function getRemovedOnePasswordStorageMessage() {
+  return "This repo no longer supports the old 1Password-backed private-key storage path. Re-import the wallet into the local file path with `moneyos init --key <privateKey>`.";
+}
+function loadFileConfig(path = CONFIG_FILE) {
+  if (!existsSync3(path)) {
+    return {};
+  }
+  return JSON.parse(readFileSync2(path, "utf-8"));
+}
+function loadConfig() {
+  const config = { ...loadFileConfig() };
+  if (process.env.MONEYOS_PRIVATE_KEY) {
+    config.privateKey = process.env.MONEYOS_PRIVATE_KEY;
+  }
+  if (process.env.MONEYOS_RPC_URL) {
+    config.rpcUrl = process.env.MONEYOS_RPC_URL;
+  }
+  if (process.env.MONEYOS_CHAIN_ID) {
+    const parsed = Number(process.env.MONEYOS_CHAIN_ID);
+    if (!Number.isInteger(parsed) || parsed <= 0) {
+      throw new Error(
+        `Invalid MONEYOS_CHAIN_ID: "${process.env.MONEYOS_CHAIN_ID}" \u2014 must be a positive integer`
+      );
+    }
+    config.chainId = parsed;
+  }
+  return config;
+}
+function saveConfig(config, path = CONFIG_FILE) {
+  const safeConfig = { ...config };
+  delete safeConfig.privateKey;
+  const dir = dirname2(path);
+  if (!existsSync3(dir)) {
+    mkdirSync2(dir, { recursive: true, mode: 448 });
+  }
+  writeFileSync(path, JSON.stringify(safeConfig, null, 2), {
+    mode: 384
+  });
+}
+function getConfigPath() {
+  return CONFIG_FILE;
+}
+function getWalletPath(config) {
+  return config?.walletPath ?? join3(CONFIG_DIR, "wallet.json");
+}
+function getBackupDir(config) {
+  return config?.backupDir ?? join3(CONFIG_DIR, "backups");
+}
+function getSessionSocketPath() {
+  if (process.platform === "win32") {
+    const suffix = createHash("sha256").update(CONFIG_DIR).digest("hex").slice(0, 16);
+    return `\\\\.\\pipe\\moneyos-session-${suffix}`;
+  }
+  return join3(CONFIG_DIR, "session.sock");
+}
+function getSessionTokenPath() {
+  return join3(CONFIG_DIR, "session.token");
+}
+function hasLegacyPlaintextWalletConfig(config) {
+  return typeof config.privateKey === "string";
+}
+function getLegacyPlaintextWalletStorageMessage() {
+  return "Plaintext local wallet configs are no longer used for runtime access. Run `moneyos init` locally to encrypt your wallet into the new MoneyOS wallet file.";
+}
+
+// src/cli/prompt.ts
+async function promptHidden(question) {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    throw new Error(
+      "This action requires a local terminal. Run it directly in your terminal, not through a non-interactive agent session."
+    );
+  }
+  return new Promise((resolve3, reject) => {
+    const stdin = process.stdin;
+    const stdout = process.stdout;
+    let value = "";
+    const cleanup = () => {
+      stdin.off("data", onData);
+      stdin.pause();
+      if (typeof stdin.setRawMode === "function") {
+        stdin.setRawMode(false);
+      }
+    };
+    const finish = (result, error) => {
+      cleanup();
+      stdout.write("\n");
+      if (error) {
+        reject(error);
+        return;
+      }
+      resolve3(result ?? "");
+    };
+    const onData = (chunk) => {
+      const text = chunk.toString("utf8");
+      for (const char of text) {
+        if (char === "") {
+          finish(void 0, new Error("Cancelled."));
+          return;
+        }
+        if (char === "\r" || char === "\n") {
+          finish(value);
+          return;
+        }
+        if (char === "\x7F" || char === "\b") {
+          value = value.slice(0, -1);
+          continue;
+        }
+        value += char;
+      }
+    };
+    stdout.write(question);
+    if (typeof stdin.setRawMode === "function") {
+      stdin.setRawMode(true);
+    }
+    stdin.resume();
+    stdin.on("data", onData);
+  });
+}
+
+// src/cli/session.ts
+import { randomBytes as randomBytes2, timingSafeEqual } from "crypto";
+import {
+  chmodSync as chmodSync2,
+  existsSync as existsSync4,
+  mkdirSync as mkdirSync3,
+  readFileSync as readFileSync3,
+  rmSync,
+  statSync as statSync3,
+  writeFileSync as writeFileSync2
+} from "fs";
+import net from "net";
+import { EOL } from "os";
+import { dirname as dirname3 } from "path";
+import { spawn } from "child_process";
+
+// src/core/eoa.ts
+import {
+  createPublicClient,
+  createWalletClient,
+  http
+} from "viem";
+import { arbitrum, mainnet, polygon } from "viem/chains";
+
+// packages/core/dist/index.js
+var NATIVE_TOKEN_ADDRESS = "0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE";
+var tokens = {
+  ETH: {
+    symbol: "ETH",
+    name: "Ether",
+    decimals: 18,
+    addresses: {
+      42161: NATIVE_TOKEN_ADDRESS,
+      1: NATIVE_TOKEN_ADDRESS
+    }
+  },
+  POL: {
+    symbol: "POL",
+    name: "POL",
+    decimals: 18,
+    addresses: {
+      137: NATIVE_TOKEN_ADDRESS
+    }
+  },
+  USDC: {
+    symbol: "USDC",
+    name: "USD Coin",
+    decimals: 6,
+    addresses: {
+      42161: "0xaf88d065e77c8cC2239327C5EDb3A432268e5831",
+      1: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
+      137: "0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359"
+    }
+  },
+  USDT: {
+    symbol: "USDT",
+    name: "Tether USD",
+    decimals: 6,
+    addresses: {
+      42161: "0xFd086bC7CD5C481DCC9C85ebE478A1C0b69FCbb9",
+      1: "0xdAC17F958D2ee523a2206206994597C13D831ec7",
+      137: "0xc2132D05D31c914a87C6611C10748AEb04B58e8F"
+    }
+  },
+  RYZE: {
+    symbol: "RYZE",
+    name: "RYZE",
+    decimals: 18,
+    addresses: {
+      42161: "0x7712da72127d5dD213B621497D6E4899d5989e5C"
+    }
+  }
+};
+function getToken(symbol) {
+  return tokens[symbol.toUpperCase()];
+}
+function getTokenAddress(symbol, chainId) {
+  return getToken(symbol)?.addresses[chainId];
+}
+var chains = {
+  arbitrum: {
+    id: 42161,
+    name: "Arbitrum One",
+    rpcUrl: "https://arb1.arbitrum.io/rpc",
+    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://arbiscan.io"
+  },
+  ethereum: {
+    id: 1,
+    name: "Ethereum",
+    rpcUrl: "https://eth.public-rpc.com",
+    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://etherscan.io"
+  },
+  polygon: {
+    id: 137,
+    name: "Polygon",
+    rpcUrl: "https://polygon-rpc.com",
+    nativeCurrency: { name: "POL", symbol: "POL", decimals: 18 },
+    blockExplorer: "https://polygonscan.com"
+  }
+};
+var defaultChain = chains.arbitrum;
+function getChain(idOrName) {
+  if (typeof idOrName === "number") {
+    return Object.values(chains).find((c) => c.id === idOrName);
+  }
+  return chains[idOrName.toLowerCase()];
+}
+
+// src/core/signer.ts
+import { nonceManager } from "viem";
+import { privateKeyToAccount as privateKeyToAccount2 } from "viem/accounts";
+function privateKeyToManagedAccount(privateKey) {
+  return privateKeyToAccount2(privateKey, { nonceManager });
+}
+
+// src/core/eoa.ts
+var viemChainMap = {
+  42161: arbitrum,
+  1: mainnet,
+  137: polygon
+};
+function getViemChain(chainId) {
+  return viemChainMap[chainId];
+}
+var ViemReadClient = class {
+  clients = /* @__PURE__ */ new Map();
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  getClient(chainId) {
+    let client = this.clients.get(chainId);
+    if (!client) {
+      const chain = getViemChain(chainId);
+      const chainInfo = getChain(chainId);
+      const rpcUrl = chainId === this.config.defaultChainId ? this.config.rpcUrl : void 0;
+      client = createPublicClient({
+        chain,
+        transport: http(rpcUrl ?? chainInfo?.rpcUrl)
+      });
+      this.clients.set(chainId, client);
+    }
+    return client;
+  }
+  async getBalance(params) {
+    const client = this.getClient(params.chainId);
+    return client.getBalance({ address: params.address });
+  }
+  async readContract(params) {
+    const client = this.getClient(params.chainId);
+    return client.readContract({
+      address: params.address,
+      abi: params.abi,
+      functionName: params.functionName,
+      args: params.args
+    });
+  }
+};
+var EOAExecutor = class _EOAExecutor {
+  mode = "eoa";
+  signer;
+  walletClients = /* @__PURE__ */ new Map();
+  publicClients = /* @__PURE__ */ new Map();
+  config;
+  constructor(signer, config) {
+    this.signer = signer;
+    this.config = config;
+  }
+  /**
+   * Convenience factory: build an EOAExecutor from a raw private key.
+   * Equivalent to `new EOAExecutor(privateKeyToAccount(privateKey), config)`.
+   * Kept as a helper so the common "I have a hex key" path stays one line
+   * while the constructor itself takes a viem `Account` to accommodate
+   * future keystore-backed signers (hardware, KMS, MPC).
+   *
+   * Attach viem's nonce manager so back-to-back live transactions use a
+   * pending-aware nonce source instead of relying on RPC fill behavior.
+   */
+  static fromPrivateKey(privateKey, config) {
+    return new _EOAExecutor(privateKeyToManagedAccount(privateKey), config);
+  }
+  getWalletClient(chainId) {
+    let client = this.walletClients.get(chainId);
+    if (!client) {
+      const chain = getViemChain(chainId);
+      const chainInfo = getChain(chainId);
+      const rpcUrl = chainId === this.config.defaultChainId ? this.config.rpcUrl : void 0;
+      client = createWalletClient({
+        account: this.signer,
+        chain,
+        transport: http(rpcUrl ?? chainInfo?.rpcUrl)
+      });
+      this.walletClients.set(chainId, client);
+    }
+    return client;
+  }
+  getPublicClient(chainId) {
+    let client = this.publicClients.get(chainId);
+    if (!client) {
+      const chain = getViemChain(chainId);
+      const chainInfo = getChain(chainId);
+      const rpcUrl = chainId === this.config.defaultChainId ? this.config.rpcUrl : void 0;
+      client = createPublicClient({
+        chain,
+        transport: http(rpcUrl ?? chainInfo?.rpcUrl)
+      });
+      this.publicClients.set(chainId, client);
+    }
+    return client;
+  }
+  getAddress() {
+    return this.signer.address;
+  }
+  async send(call) {
+    const walletClient = this.getWalletClient(call.chainId);
+    const hash = await walletClient.sendTransaction({
+      account: walletClient.account,
+      to: call.to,
+      data: call.data,
+      value: call.value ?? 0n,
+      chain: walletClient.chain
+    });
+    const publicClient = this.getPublicClient(call.chainId);
+    const receipt = await publicClient.waitForTransactionReceipt({ hash });
+    if (receipt.status !== "success") {
+      throw new Error(
+        `Transaction ${hash} reverted on chain ${call.chainId} (block ${receipt.blockNumber}).`
+      );
+    }
+    return { hash, chainId: call.chainId };
+  }
+  capabilities() {
+    return {
+      sponsoredGas: false,
+      batching: false,
+      simulation: false
+    };
+  }
+};
+
+// src/cli/session.ts
+var SESSION_CONTROL_TIMEOUT_MS = 750;
+var SESSION_SEND_TIMEOUT_MS = 6e4;
+var MAX_MESSAGE_BYTES = 32 * 1024;
+var SECURE_DIR_MODE = 448;
+var SECURE_FILE_MODE2 = 384;
+var SERVER_SOCKET_TIMEOUT_MS = 5e3;
+var SESSION_SHUTDOWN_TIMEOUT_MS = 15e3;
+function isWindowsPipe(path) {
+  return path.startsWith("\\\\.\\pipe\\");
+}
+function removeFileIfPresent(path) {
+  if (existsSync4(path)) {
+    rmSync(path, { force: true });
+  }
+}
+function ensureSecureParent(path) {
+  if (isWindowsPipe(path)) {
+    return;
+  }
+  const dir = dirname3(path);
+  if (!existsSync4(dir)) {
+    mkdirSync3(dir, { recursive: true, mode: SECURE_DIR_MODE });
+    return;
+  }
+  const mode = statSync3(dir).mode & 511;
+  if ((mode & 63) !== 0) {
+    throw new Error(
+      `MoneyOS directory ${dir} has insecure permissions (${mode.toString(8)}). Restrict it to 700 before continuing.`
+    );
+  }
+}
+function createRequestId() {
+  return `${Date.now()}-${Math.random().toString(16).slice(2, 10)}`;
+}
+function loadSessionToken(tokenPath) {
+  try {
+    return readFileSync3(tokenPath, "utf8").trim();
+  } catch {
+    throw new Error("No active local MoneyOS session found.");
+  }
+}
+function writeSecureToken(tokenPath, token) {
+  ensureSecureParent(tokenPath);
+  writeFileSync2(tokenPath, `${token}
+`, { mode: SECURE_FILE_MODE2 });
+  chmodSync2(tokenPath, SECURE_FILE_MODE2);
+}
+function sessionFilesGone(socketPath, tokenPath) {
+  const tokenMissing = !existsSync4(tokenPath);
+  const socketMissing = isWindowsPipe(socketPath) ? true : !existsSync4(socketPath);
+  return tokenMissing && socketMissing;
+}
+async function waitForSessionShutdown(socketPath, tokenPath, timeoutMs = SESSION_SHUTDOWN_TIMEOUT_MS) {
+  const startedAt = Date.now();
+  while (!sessionFilesGone(socketPath, tokenPath)) {
+    if (Date.now() - startedAt > timeoutMs) {
+      throw new Error(
+        "Timed out waiting for the previous MoneyOS session to shut down cleanly."
+      );
+    }
+    await new Promise((resolve3) => setTimeout(resolve3, 25));
+  }
+}
+function tokensMatch(expectedToken, receivedToken) {
+  const expected = Buffer.from(expectedToken, "utf8");
+  const received = Buffer.from(receivedToken, "utf8");
+  return expected.length === received.length && timingSafeEqual(expected, received);
+}
+function readLine(socket) {
+  return new Promise((resolve3, reject) => {
+    let buffer = "";
+    const onData = (chunk) => {
+      buffer += chunk.toString("utf8");
+      if (buffer.length > MAX_MESSAGE_BYTES) {
+        cleanup();
+        reject(new Error("Session response exceeded the maximum allowed size."));
+        return;
+      }
+      const index = buffer.indexOf("\n");
+      if (index >= 0) {
+        cleanup();
+        resolve3(buffer.slice(0, index));
+      }
+    };
+    const onError = (error) => {
+      cleanup();
+      reject(error);
+    };
+    const onClose = () => {
+      cleanup();
+      reject(new Error("Session daemon closed the connection unexpectedly."));
+    };
+    const cleanup = () => {
+      socket.off("data", onData);
+      socket.off("error", onError);
+      socket.off("close", onClose);
+    };
+    socket.on("data", onData);
+    socket.once("error", onError);
+    socket.once("close", onClose);
+  });
+}
+async function sendSessionRequest(socketPath, tokenPath, request, timeoutMs = SESSION_CONTROL_TIMEOUT_MS) {
+  const fullRequest = {
+    ...request,
+    token: loadSessionToken(tokenPath)
+  };
+  const socket = net.createConnection(socketPath);
+  return new Promise((resolve3, reject) => {
+    let settled = false;
+    const timer = setTimeout(() => {
+      settled = true;
+      socket.destroy();
+      reject(new Error("Timed out waiting for local MoneyOS session."));
+    }, timeoutMs);
+    const cleanup = () => {
+      clearTimeout(timer);
+      socket.removeAllListeners();
+    };
+    socket.once("connect", async () => {
+      try {
+        socket.write(`${JSON.stringify(fullRequest)}${EOL}`);
+        const line = await readLine(socket);
+        settled = true;
+        cleanup();
+        socket.end();
+        resolve3(JSON.parse(line));
+      } catch (error) {
+        settled = true;
+        cleanup();
+        socket.destroy();
+        reject(error instanceof Error ? error : new Error(String(error)));
+      }
+    });
+    socket.once("error", (error) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      cleanup();
+      reject(error);
+    });
+  });
+}
+async function getSessionStatus(socketPath, tokenPath) {
+  try {
+    const response = await sendSessionRequest(
+      socketPath,
+      tokenPath,
+      {
+        id: createRequestId(),
+        type: "status"
+      },
+      SESSION_CONTROL_TIMEOUT_MS
+    );
+    return response.ok ? response.result : void 0;
+  } catch {
+    removeFileIfPresent(socketPath);
+    removeFileIfPresent(tokenPath);
+    return void 0;
+  }
+}
+async function lockSession(socketPath, tokenPath) {
+  try {
+    const response = await sendSessionRequest(
+      socketPath,
+      tokenPath,
+      {
+        id: createRequestId(),
+        type: "lock"
+      },
+      SESSION_CONTROL_TIMEOUT_MS
+    );
+    return response.ok;
+  } catch {
+    removeFileIfPresent(socketPath);
+    removeFileIfPresent(tokenPath);
+    return false;
+  }
+}
+var SessionExecutionClient = class {
+  mode = "eoa";
+  socketPath;
+  tokenPath;
+  address;
+  constructor(params) {
+    this.socketPath = params.socketPath;
+    this.tokenPath = params.tokenPath;
+    this.address = params.address;
+  }
+  getAddress() {
+    return this.address;
+  }
+  async send(call) {
+    const response = await sendSessionRequest(
+      this.socketPath,
+      this.tokenPath,
+      {
+        id: createRequestId(),
+        type: "send",
+        params: {
+          to: call.to,
+          chainId: call.chainId,
+          data: call.data,
+          value: call.value?.toString()
+        }
+      },
+      SESSION_SEND_TIMEOUT_MS
+    );
+    if (!response.ok) {
+      throw new Error(response.error);
+    }
+    return response.result;
+  }
+  capabilities() {
+    return {
+      sponsoredGas: false,
+      batching: false,
+      simulation: false
+    };
+  }
+};
+async function startSessionServer(start, hooks = {}) {
+  ensureSecureParent(start.tokenPath);
+  ensureSecureParent(start.socketPath);
+  removeFileIfPresent(start.socketPath);
+  removeFileIfPresent(start.tokenPath);
+  const signer = privateKeyToManagedAccount(start.privateKey);
+  const executor = hooks.executor ?? new EOAExecutor(signer, {
+    defaultChainId: start.chainId,
+    rpcUrl: start.rpcUrl
+  });
+  const expiresAt = new Date(Date.now() + start.ttlMs);
+  const token = randomBytes2(32).toString("hex");
+  writeSecureToken(start.tokenPath, token);
+  let closed = false;
+  const close = async () => {
+    if (closed) return;
+    closed = true;
+    await new Promise((resolve3) => {
+      server.close(() => {
+        removeFileIfPresent(start.socketPath);
+        removeFileIfPresent(start.tokenPath);
+        hooks.onExit?.();
+        resolve3();
+      });
+    });
+  };
+  const server = net.createServer((socket) => {
+    let buffer = "";
+    socket.setTimeout(SERVER_SOCKET_TIMEOUT_MS, () => {
+      socket.destroy();
+    });
+    socket.on("data", async (chunk) => {
+      buffer += chunk.toString("utf8");
+      if (buffer.length > MAX_MESSAGE_BYTES) {
+        socket.write(
+          `${JSON.stringify({
+            id: "unknown",
+            ok: false,
+            error: "Session request exceeded the maximum allowed size."
+          })}${EOL}`
+        );
+        socket.end();
+        return;
+      }
+      const index = buffer.indexOf("\n");
+      if (index < 0) {
+        return;
+      }
+      const raw = buffer.slice(0, index);
+      buffer = buffer.slice(index + 1);
+      let request;
+      try {
+        request = JSON.parse(raw);
+      } catch {
+        socket.write(
+          `${JSON.stringify({
+            id: "unknown",
+            ok: false,
+            error: "Invalid session request."
+          })}${EOL}`
+        );
+        socket.end();
+        return;
+      }
+      const respond = (response) => {
+        socket.write(`${JSON.stringify(response)}${EOL}`);
+        socket.end();
+      };
+      try {
+        if (!tokensMatch(token, String(request.token ?? ""))) {
+          respond({
+            id: request.id,
+            ok: false,
+            error: "Session authentication failed."
+          });
+          return;
+        }
+        if (request.type === "status") {
+          respond({
+            id: request.id,
+            ok: true,
+            result: {
+              address: executor.getAddress(),
+              expiresAt: expiresAt.toISOString()
+            }
+          });
+          return;
+        }
+        if (request.type === "lock") {
+          respond({
+            id: request.id,
+            ok: true,
+            result: { locked: true }
+          });
+          setImmediate(() => {
+            void close();
+          });
+          return;
+        }
+        socket.setTimeout(SESSION_SEND_TIMEOUT_MS, () => {
+          socket.destroy();
+        });
+        const result = await executor.send({
+          to: request.params.to,
+          chainId: request.params.chainId,
+          data: request.params.data,
+          value: request.params.value !== void 0 ? BigInt(request.params.value) : void 0
+        });
+        respond({
+          id: request.id,
+          ok: true,
+          result
+        });
+      } catch (error) {
+        respond({
+          id: request.id,
+          ok: false,
+          error: error instanceof Error ? error.message : String(error)
+        });
+      }
+    });
+  });
+  await new Promise((resolve3, reject) => {
+    server.once("error", (error) => {
+      hooks.onError?.(error instanceof Error ? error : new Error(String(error)));
+      reject(error);
+    });
+    server.listen(start.socketPath, () => {
+      if (!isWindowsPipe(start.socketPath)) {
+        chmodSync2(start.socketPath, SECURE_FILE_MODE2);
+      }
+      resolve3();
+    });
+  });
+  const timer = setTimeout(() => {
+    void close();
+  }, start.ttlMs);
+  timer.unref();
+  return {
+    address: executor.getAddress(),
+    expiresAt: expiresAt.toISOString(),
+    close
+  };
+}
+async function startDetachedSessionDaemon(params) {
+  const existing = await getSessionStatus(params.socketPath, params.tokenPath);
+  if (existing) {
+    const locked = await lockSession(params.socketPath, params.tokenPath);
+    if (!locked && !sessionFilesGone(params.socketPath, params.tokenPath)) {
+      throw new Error(
+        "Failed to replace the existing MoneyOS session. Run `moneyos auth lock` and try again."
+      );
+    }
+    if (locked) {
+      await waitForSessionShutdown(params.socketPath, params.tokenPath);
+    }
+  } else {
+    removeFileIfPresent(params.socketPath);
+    removeFileIfPresent(params.tokenPath);
+  }
+  return new Promise((resolve3, reject) => {
+    const child = spawn(
+      process.execPath,
+      [...process.execArgv, process.argv[1], "__session-daemon"],
+      {
+        detached: true,
+        stdio: ["ignore", "ignore", "ignore", "ipc"]
+      }
+    );
+    let settled = false;
+    const finish = (error, status) => {
+      if (settled) return;
+      settled = true;
+      child.removeAllListeners();
+      if (error) {
+        reject(error);
+        return;
+      }
+      resolve3(status);
+    };
+    child.once("error", (error) => finish(error));
+    child.once("exit", (code) => {
+      if (!settled) {
+        finish(
+          new Error(
+            `Session daemon exited unexpectedly with code ${code ?? "unknown"}.`
+          )
+        );
+      }
+    });
+    child.on("message", (message) => {
+      const payload = message;
+      if (payload?.type === "ready") {
+        child.disconnect();
+        child.unref();
+        finish(void 0, {
+          address: payload.address,
+          expiresAt: payload.expiresAt
+        });
+      } else if (payload?.type === "error") {
+        finish(new Error(payload.error));
+      }
+    });
+    child.send(params);
+  });
+}
+async function runSessionDaemonProcess() {
+  if (!process.send) {
+    throw new Error("Session daemon must be started through MoneyOS.");
+  }
+  const start = await new Promise((resolve3, reject) => {
+    const timeout = setTimeout(() => {
+      reject(new Error("Session daemon did not receive startup parameters."));
+    }, 1e3);
+    process.once("message", (message) => {
+      clearTimeout(timeout);
+      const payload = message;
+      if (payload?.type !== "start") {
+        reject(new Error("Session daemon received invalid startup message."));
+        return;
+      }
+      resolve3(payload);
+    });
+  });
+  const shutdown = (code = 0) => {
+    removeFileIfPresent(start.socketPath);
+    removeFileIfPresent(start.tokenPath);
+    process.exit(code);
+  };
+  const handle = await startSessionServer(start, {
+    onError: (error) => {
+      process.send?.({
+        type: "error",
+        error: error.message
+      });
+      shutdown(1);
+    },
+    onExit: () => shutdown()
+  });
+  process.send?.({
+    type: "ready",
+    address: handle.address,
+    expiresAt: handle.expiresAt
+  });
+  process.on("SIGTERM", () => {
+    void handle.close().then(() => shutdown());
+  });
+  process.on("SIGINT", () => {
+    void handle.close().then(() => shutdown());
+  });
+}
+
+// src/cli/commands/init.ts
+function parseChainId(value, fallback) {
+  if (!value) return fallback;
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed <= 0) {
+    throw new Error(`Invalid chain ID: "${value}"`);
+  }
+  return parsed;
+}
+var initCommand = new Command("init").description("Initialize MoneyOS with a new or imported encrypted wallet").option("-k, --key <privateKey>", "Import an existing private key").option("--force", "Overwrite the existing encrypted wallet").option("--chain <chainId>", "Default chain ID (default: 42161 Arbitrum)").option("--rpc <url>", "Custom RPC URL").action(async (options) => {
+  const existing = loadFileConfig();
+  const walletPath = getWalletPath(existing);
+  const backupDir = getBackupDir(existing);
+  const wallet = new FileEncryptedWalletStore(walletPath);
+  if (wallet.exists() && !options.force) {
+    const metadata = await wallet.metadata();
+    console.log(`Already initialized.`);
+    if (metadata?.address) {
+      console.log(`Address: ${metadata.address}`);
+    }
+    console.log(`Wallet:  ${walletPath}`);
+    console.log(`Config:  ${getConfigPath()}`);
+    console.log(`
+To reinitialize, run: moneyos init --force --key <privateKey>`);
+    return;
+  }
+  if (hasRemovedOnePasswordConfig(existing) && !options.key) {
+    console.error(getRemovedOnePasswordStorageMessage());
+    console.error(`Config: ${getConfigPath()}`);
+    return;
+  }
+  try {
+    const privateKey = options.key ?? (hasLegacyPlaintextWalletConfig(existing) ? existing.privateKey : generatePrivateKey());
+    const account = privateKeyToAccount3(privateKey);
+    const chainId = parseChainId(options.chain, existing.chainId ?? 42161);
+    const rpcUrl = options.rpc ?? existing.rpcUrl;
+    const passphrase = await promptHidden("Choose wallet password: ");
+    if (passphrase.length < 8) {
+      throw new Error("Wallet password must be at least 8 characters long.");
+    }
+    const confirmPassphrase = await promptHidden("Confirm wallet password: ");
+    if (passphrase !== confirmPassphrase) {
+      throw new Error("Wallet password confirmation did not match.");
+    }
+    await wallet.save({
+      privateKey,
+      passphrase
+    });
+    await lockSession(getSessionSocketPath(), getSessionTokenPath());
+    saveConfig({
+      chainId,
+      rpcUrl,
+      walletPath: existing.walletPath,
+      backupDir: existing.backupDir
+    });
+    const backupProvider = new FileBackupProvider({
+      walletPath,
+      backupDir
+    });
+    const backupPath = await backupProvider.exportWallet();
+    console.log(`MoneyOS initialized.`);
+    console.log(`Address: ${account.address}`);
+    console.log(`Wallet:  ${walletPath}`);
+    console.log(`Config:  ${getConfigPath()}`);
+    console.log(`Backup:  ${backupPath}`);
+    console.log(
+      `
+Save your wallet password in your password manager of choice. MoneyOS does not store or sync it for you.`
+    );
+    if (hasLegacyPlaintextWalletConfig(existing) && !options.key) {
+      console.log(`
+Imported legacy plaintext wallet into the encrypted wallet file.`);
+      console.log(getLegacyPlaintextWalletStorageMessage());
+    } else if (!options.key) {
+      console.log(
+        `
+This is a new account. Fund it before sending transactions.`
+      );
+    }
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exitCode = 1;
+  }
+});
+
+// src/cli/commands/balance.ts
+import { Command as Command2 } from "commander";
+
+// src/core/client.ts
+import {
+  formatUnits as formatUnits2,
+  parseUnits as parseUnits2,
+  encodeFunctionData as encodeFunctionData2
+} from "viem";
+
+// src/tools/swap.ts
+import {
+  formatUnits,
+  parseUnits,
+  encodeFunctionData
+} from "viem";
+var ERC20_ABI = [
+  {
+    name: "approve",
+    type: "function",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "spender", type: "address" },
+      { name: "amount", type: "uint256" }
+    ],
+    outputs: [{ name: "", type: "bool" }]
+  },
+  {
+    name: "allowance",
+    type: "function",
+    stateMutability: "view",
+    inputs: [
+      { name: "owner", type: "address" },
+      { name: "spender", type: "address" }
+    ],
+    outputs: [{ name: "", type: "uint256" }]
+  }
+];
+async function executeSwap(input, ctx) {
+  const { tokenIn, tokenOut, amount, provider, chainId, slippage } = input;
+  const { read, execute, assets } = ctx;
+  const sender = execute.getAddress();
+  const tokenInAddress = assets.getTokenAddress(tokenIn, chainId);
+  const tokenOutAddress = assets.getTokenAddress(tokenOut, chainId);
+  if (!tokenInAddress) {
+    throw new Error(`Token ${tokenIn} not found on chain ${chainId}`);
+  }
+  if (!tokenOutAddress) {
+    throw new Error(`Token ${tokenOut} not found on chain ${chainId}`);
+  }
+  const tokenInInfo = assets.getToken(tokenIn);
+  const amountWei = parseUnits(amount, tokenInInfo.decimals);
+  const quote = await provider.getQuote({
+    chainId,
+    tokenIn: tokenInAddress,
+    tokenOut: tokenOutAddress,
+    amount: amountWei,
+    sender,
+    slippage
+  });
+  const calldata = await provider.getCalldata(quote);
+  const isNativeIn = tokenInAddress === assets.nativeTokenAddress;
+  if (!isNativeIn) {
+    const currentAllowance = await read.readContract({
+      address: tokenInAddress,
+      abi: ERC20_ABI,
+      functionName: "allowance",
+      args: [sender, calldata.to],
+      chainId
+    });
+    if (currentAllowance < amountWei) {
+      const approveData = encodeFunctionData({
+        abi: ERC20_ABI,
+        functionName: "approve",
+        args: [calldata.to, amountWei]
+      });
+      await execute.send({ to: tokenInAddress, data: approveData, chainId });
+    }
+  }
+  const result = await execute.send({
+    to: calldata.to,
+    data: calldata.data,
+    value: isNativeIn ? amountWei : calldata.value,
+    chainId
+  });
+  const tokenOutInfo = assets.getToken(tokenOut);
+  return {
+    hash: result.hash,
+    tokenIn: tokenInInfo.symbol,
+    tokenOut: tokenOutInfo.symbol,
+    amountIn: amount,
+    amountOut: formatUnits(BigInt(quote.expectedOut), tokenOutInfo.decimals),
+    chainId
+  };
+}
+
+// src/core/client.ts
+var ERC20_ABI2 = [
+  {
+    name: "balanceOf",
+    type: "function",
+    stateMutability: "view",
+    inputs: [{ name: "account", type: "address" }],
+    outputs: [{ name: "", type: "uint256" }]
+  },
+  {
+    name: "transfer",
+    type: "function",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "to", type: "address" },
+      { name: "amount", type: "uint256" }
+    ],
+    outputs: [{ name: "", type: "bool" }]
+  },
+  {
+    name: "decimals",
+    type: "function",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ name: "", type: "uint8" }]
+  },
+  {
+    name: "symbol",
+    type: "function",
+    stateMutability: "view",
+    inputs: [],
+    outputs: [{ name: "", type: "string" }]
+  }
+];
+var DefaultAssetRegistry = class {
+  nativeTokenAddress = NATIVE_TOKEN_ADDRESS;
+  getToken = getToken;
+  getTokenAddress = getTokenAddress;
+  getChain = getChain;
+};
+var MoneyOS = class {
+  read;
+  executor;
+  assets;
+  runtimeConfig;
+  constructor(config) {
+    const provided = [];
+    if (config.execute) provided.push("execute");
+    if (config.privateKey) provided.push("privateKey");
+    if (config.signer) provided.push("signer");
+    if (provided.length > 1) {
+      throw new Error(
+        `MoneyOSConfig: pass at most one of \`execute\`, \`privateKey\`, or \`signer\`. Received: ${provided.join(", ")}.`
+      );
+    }
+    this.runtimeConfig = {
+      defaultChainId: config.chainId ?? defaultChain.id,
+      rpcUrl: config.rpcUrl
+    };
+    this.read = config.read ?? new ViemReadClient(this.runtimeConfig);
+    this.assets = config.assets ?? new DefaultAssetRegistry();
+    if (config.execute) {
+      this.executor = config.execute;
+    } else if (config.signer) {
+      this.executor = new EOAExecutor(config.signer, this.runtimeConfig);
+    } else if (config.privateKey) {
+      this.executor = EOAExecutor.fromPrivateKey(
+        config.privateKey,
+        this.runtimeConfig
+      );
+    }
+  }
+  get runtime() {
+    return {
+      read: this.read,
+      execute: this.requireExecutor(),
+      assets: this.assets,
+      config: this.runtimeConfig
+    };
+  }
+  get address() {
+    return this.requireExecutor().getAddress();
+  }
+  requireExecutor() {
+    if (!this.executor) {
+      throw new Error(
+        "No signing account configured. Set `signer`, `privateKey`, or `execute` in MoneyOS config."
+      );
+    }
+    return this.executor;
+  }
+  async balance(token, options) {
+    const chainId = options?.chainId ?? this.runtimeConfig.defaultChainId;
+    const account = options?.address ?? this.address;
+    const tokenAddress = this.assets.getTokenAddress(token, chainId);
+    if (!tokenAddress) {
+      throw new Error(`Token ${token} not found on chain ${chainId}`);
+    }
+    const tokenInfo = this.assets.getToken(token);
+    if (tokenAddress === NATIVE_TOKEN_ADDRESS) {
+      const raw2 = await this.read.getBalance({ address: account, chainId });
+      return {
+        token: tokenInfo.name,
+        symbol: tokenInfo.symbol,
+        amount: formatUnits2(raw2, tokenInfo.decimals),
+        rawAmount: raw2,
+        decimals: tokenInfo.decimals,
+        chainId
+      };
+    }
+    const raw = await this.read.readContract({
+      address: tokenAddress,
+      abi: ERC20_ABI2,
+      functionName: "balanceOf",
+      args: [account],
+      chainId
+    });
+    return {
+      token: tokenInfo.name,
+      symbol: tokenInfo.symbol,
+      amount: formatUnits2(raw, tokenInfo.decimals),
+      rawAmount: raw,
+      decimals: tokenInfo.decimals,
+      chainId
+    };
+  }
+  async send(token, to, amount, options) {
+    const execute = this.requireExecutor();
+    const chainId = options?.chainId ?? this.runtimeConfig.defaultChainId;
+    const from = execute.getAddress();
+    const tokenAddress = this.assets.getTokenAddress(token, chainId);
+    if (!tokenAddress) {
+      throw new Error(`Token ${token} not found on chain ${chainId}`);
+    }
+    const tokenInfo = this.assets.getToken(token);
+    const value = parseUnits2(amount, tokenInfo.decimals);
+    if (tokenAddress === NATIVE_TOKEN_ADDRESS) {
+      const result2 = await execute.send({ to, value, chainId });
+      return {
+        hash: result2.hash,
+        from,
+        to,
+        amount,
+        token: tokenInfo.symbol,
+        chainId
+      };
+    }
+    const data = encodeFunctionData2({
+      abi: ERC20_ABI2,
+      functionName: "transfer",
+      args: [to, value]
+    });
+    const result = await execute.send({ to: tokenAddress, data, chainId });
+    return {
+      hash: result.hash,
+      from,
+      to,
+      amount,
+      token: tokenInfo.symbol,
+      chainId
+    };
+  }
+  async swap(tokenIn, tokenOut, amount, provider, options) {
+    const execute = this.requireExecutor();
+    const chainId = options?.chainId ?? this.runtimeConfig.defaultChainId;
+    return executeSwap(
+      { tokenIn, tokenOut, amount, provider, chainId, slippage: options?.slippage },
+      { read: this.read, execute, assets: this.assets }
+    );
+  }
+};
+
+// src/cli/wallet.ts
+function resolveEnvPrivateKey(explicit) {
+  return explicit ?? process.env.MONEYOS_PRIVATE_KEY;
+}
+function getWalletStore(config, options = {}) {
+  return new FileEncryptedWalletStore(options.walletPath ?? getWalletPath(config));
+}
+function getSessionPath(options = {}) {
+  return options.sessionSocketPath ?? getSessionSocketPath();
+}
+function getTokenPath(options = {}) {
+  return options.sessionTokenPath ?? getSessionTokenPath();
+}
+async function loadCliAddress(config, options = {}) {
+  const envPrivateKey = resolveEnvPrivateKey(options.envPrivateKey);
+  if (envPrivateKey) {
+    const signer = privateKeyToManagedAccount(envPrivateKey);
+    return {
+      kind: "env",
+      address: signer.address,
+      source: "env"
+    };
+  }
+  if (hasRemovedOnePasswordConfig(config)) {
+    throw new Error(getRemovedOnePasswordStorageMessage());
+  }
+  const wallet = getWalletStore(config, options);
+  const metadata = await wallet.metadata();
+  if (metadata?.address) {
+    return {
+      kind: "wallet-file",
+      address: metadata.address,
+      source: "encrypted-wallet"
+    };
+  }
+  if (hasLegacyPlaintextWalletConfig(config)) {
+    throw new Error(getLegacyPlaintextWalletStorageMessage());
+  }
+  throw new Error("No wallet configured. Run `moneyos init`.");
+}
+async function buildCliMoneyOSConfig(config, options = {}) {
+  const moneyosConfig = {
+    chainId: options.chainId ?? config.chainId ?? 42161,
+    rpcUrl: config.rpcUrl
+  };
+  if (!options.requireSigner) {
+    return moneyosConfig;
+  }
+  const envPrivateKey = resolveEnvPrivateKey(options.envPrivateKey);
+  if (envPrivateKey) {
+    return {
+      ...moneyosConfig,
+      signer: privateKeyToManagedAccount(envPrivateKey)
+    };
+  }
+  if (hasRemovedOnePasswordConfig(config)) {
+    throw new Error(getRemovedOnePasswordStorageMessage());
+  }
+  const socketPath = getSessionPath(options);
+  const tokenPath = getTokenPath(options);
+  const session = await getSessionStatus(socketPath, tokenPath);
+  if (session) {
+    return {
+      ...moneyosConfig,
+      execute: new SessionExecutionClient({
+        socketPath,
+        tokenPath,
+        address: session.address
+      })
+    };
+  }
+  const wallet = getWalletStore(config, options);
+  if (wallet.exists()) {
+    throw new Error(
+      "Wallet is locked. Run `moneyos auth unlock` locally before using write commands."
+    );
+  }
+  if (hasLegacyPlaintextWalletConfig(config)) {
+    throw new Error(getLegacyPlaintextWalletStorageMessage());
+  }
+  throw new Error("No wallet configured. Run `moneyos init`.");
+}
+
+// src/cli/commands/balance.ts
+var balanceCommand = new Command2("balance").description("Check token balance").argument("<token>", "Token symbol (e.g. USDC, ETH, RYZE)").option("-a, --address <address>", "Address to check (defaults to your own)").option("-c, --chain <chainId>", "Chain ID (default: 42161 Arbitrum)").action(async (token, options) => {
+  const config = loadConfig();
+  const chainId = options.chain ? parseInt(options.chain) : config.chainId;
+  let address = options.address;
+  let moneyos;
+  try {
+    if (!address) {
+      const resolved = await loadCliAddress(config);
+      address = resolved.address;
+    }
+    moneyos = new MoneyOS(
+      await buildCliMoneyOSConfig(config, {
+        chainId: chainId ?? 42161,
+        requireSigner: false
+      })
+    );
+  } catch (error) {
+    console.error(
+      error instanceof Error ? error.message : String(error)
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const result = await moneyos.balance(token, {
+    address,
+    chainId
+  });
+  console.log(`${result.amount} ${result.symbol}`);
+});
+
+// src/cli/commands/send.ts
+import { Command as Command3 } from "commander";
+var sendCommand = new Command3("send").description("Send tokens to an address").argument("<amount>", "Amount to send (e.g. 10)").argument("<token>", "Token symbol (e.g. USDC, ETH, RYZE)").argument("<to>", "Recipient address").option("-c, --chain <chainId>", "Chain ID (default: 42161 Arbitrum)").action(async (amount, token, to, options) => {
+  const config = loadConfig();
+  const chainId = options.chain ? parseInt(options.chain) : config.chainId ?? 42161;
+  let moneyos;
+  try {
+    moneyos = new MoneyOS(
+      await buildCliMoneyOSConfig(config, {
+        chainId,
+        requireSigner: true
+      })
+    );
+  } catch (error) {
+    console.error(
+      error instanceof Error ? error.message : String(error)
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const chain = getChain(chainId);
+  console.log(
+    `Sending ${amount} ${token.toUpperCase()} to ${to} on ${chain?.name ?? chainId}...`
+  );
+  const result = await moneyos.send(token, to, amount, {
+    chainId
+  });
+  console.log(`Sent. tx: ${result.hash}`);
+});
+
+// src/cli/commands/swap.ts
+import { Command as Command4 } from "commander";
+
+// src/providers/odos.ts
+var ODOS_API = "https://api.odos.xyz";
+var ODOS_NATIVE_ADDRESS = "0x0000000000000000000000000000000000000000";
+var OdosProvider = class {
+  name = "odos";
+  apiKey;
+  constructor(options) {
+    this.apiKey = options?.apiKey;
+  }
+  toOdosAddress(address) {
+    return address === NATIVE_TOKEN_ADDRESS ? ODOS_NATIVE_ADDRESS : address;
+  }
+  async getQuote(params) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.apiKey) {
+      headers["Authorization"] = `Bearer ${this.apiKey}`;
+    }
+    const response = await fetch(`${ODOS_API}/sor/quote/v2`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        chainId: params.chainId,
+        inputTokens: [
+          {
+            tokenAddress: this.toOdosAddress(params.tokenIn),
+            amount: params.amount.toString()
+          }
+        ],
+        outputTokens: [
+          {
+            tokenAddress: this.toOdosAddress(params.tokenOut),
+            proportion: 1
+          }
+        ],
+        userAddr: params.sender,
+        slippageLimitPercent: params.slippage ?? 1,
+        referralCode: 0,
+        compact: true
+      })
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`Odos quote failed: ${response.status} ${text}`);
+    }
+    const data = await response.json();
+    return {
+      tokenIn: params.tokenIn,
+      tokenOut: params.tokenOut,
+      amountIn: params.amount.toString(),
+      expectedOut: data.outAmounts[0],
+      router: "",
+      chainId: params.chainId,
+      pathId: data.pathId,
+      sender: params.sender
+    };
+  }
+  async getCalldata(quote) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.apiKey) {
+      headers["Authorization"] = `Bearer ${this.apiKey}`;
+    }
+    const response = await fetch(`${ODOS_API}/sor/assemble`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        userAddr: quote.sender,
+        pathId: quote.pathId,
+        simulate: false
+      })
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`Odos assemble failed: ${response.status} ${text}`);
+    }
+    const data = await response.json();
+    return {
+      to: data.transaction.to,
+      data: data.transaction.data,
+      value: BigInt(data.transaction.value)
+    };
+  }
+};
+
+// src/cli/commands/swap.ts
+var swapCommand = new Command4("swap").description("Swap tokens").argument("<amount>", "Amount to swap (e.g. 100)").argument("<tokenIn>", "Token to sell (e.g. USDC)").argument("<tokenOut>", "Token to buy (e.g. RYZE)").option("-c, --chain <chainId>", "Chain ID (default: 42161 Arbitrum)").option("-s, --slippage <percent>", "Slippage tolerance in percent (default: 1)").action(async (amount, tokenIn, tokenOut, options) => {
+  const config = loadConfig();
+  const chainId = options.chain ? parseInt(options.chain) : config.chainId ?? 42161;
+  let moneyos;
+  try {
+    moneyos = new MoneyOS(
+      await buildCliMoneyOSConfig(config, {
+        chainId,
+        requireSigner: true
+      })
+    );
+  } catch (error) {
+    console.error(
+      error instanceof Error ? error.message : String(error)
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const provider = new OdosProvider();
+  const chain = getChain(chainId);
+  const slippage = options.slippage ? parseFloat(options.slippage) : void 0;
+  console.log(
+    `Swapping ${amount} ${tokenIn.toUpperCase()} \u2192 ${tokenOut.toUpperCase()} on ${chain?.name ?? chainId}...`
+  );
+  const result = await moneyos.swap(tokenIn, tokenOut, amount, provider, {
+    chainId,
+    slippage
+  });
+  console.log(`Swapped. Expected: ~${result.amountOut} ${result.tokenOut}`);
+  console.log(`tx: ${result.hash}`);
+});
+
+// src/cli/commands/keystore.ts
+import { Command as Command5 } from "commander";
+
+// src/cli/wallet-status.ts
+import { privateKeyToAccount as privateKeyToAccount4 } from "viem/accounts";
+async function resolveWalletStatus(config, walletPath = getWalletPath(config)) {
+  if (hasRemovedOnePasswordConfig(config)) {
+    return {
+      kind: "unsupported",
+      address: getRemovedOnePasswordCachedAddress(config),
+      walletPath,
+      reason: getRemovedOnePasswordStorageMessage()
+    };
+  }
+  const store = new FileEncryptedWalletStore(walletPath);
+  if (store.exists()) {
+    try {
+      const metadata = await store.metadata();
+      return {
+        kind: metadata ? "encrypted" : "none",
+        address: metadata?.address,
+        walletPath
+      };
+    } catch (error) {
+      return {
+        kind: "invalid",
+        walletPath,
+        reason: error instanceof Error ? error.message : String(error)
+      };
+    }
+  }
+  if (hasLegacyPlaintextWalletConfig(config)) {
+    try {
+      const address = privateKeyToAccount4(config.privateKey).address;
+      return {
+        kind: "legacy",
+        walletPath,
+        address,
+        reason: getLegacyPlaintextWalletStorageMessage()
+      };
+    } catch (error) {
+      return {
+        kind: "legacy",
+        walletPath,
+        reason: error instanceof Error ? `${getLegacyPlaintextWalletStorageMessage()} (${error.message})` : getLegacyPlaintextWalletStorageMessage()
+      };
+    }
+  }
+  return {
+    kind: "none",
+    walletPath
+  };
+}
+function formatWalletStatus(status) {
+  const lines = [];
+  if (status.kind === "none") {
+    lines.push("Wallet:    (none)");
+    lines.push(`Path:      ${status.walletPath}`);
+    lines.push("Status:    no wallet configured \u2014 run `moneyos init`");
+    return lines.join("\n");
+  }
+  if (status.kind === "unsupported") {
+    lines.push("Wallet:    removed legacy model");
+    if (status.address) {
+      lines.push(`Address:   ${status.address}  (cached metadata)`);
+    }
+    lines.push(`Path:      ${status.walletPath}`);
+    lines.push(
+      `Status:    removed \u2014 ${status.reason ?? "unsupported legacy config"}`
+    );
+    return lines.join("\n");
+  }
+  if (status.kind === "legacy") {
+    lines.push("Wallet:    legacy plaintext config");
+    if (status.address) {
+      lines.push(`Address:   ${status.address}`);
+    }
+    lines.push(`Path:      ${status.walletPath}`);
+    lines.push(
+      `Status:    upgrade required \u2014 ${status.reason ?? "run `moneyos init`"}`
+    );
+    return lines.join("\n");
+  }
+  if (status.kind === "invalid") {
+    lines.push("Wallet:    encrypted local wallet");
+    lines.push(`Path:      ${status.walletPath}`);
+    lines.push(`Status:    invalid \u2014 ${status.reason ?? "wallet file is unreadable"}`);
+    return lines.join("\n");
+  }
+  lines.push("Wallet:    encrypted local wallet");
+  if (status.address) {
+    lines.push(`Address:   ${status.address}`);
+  }
+  lines.push(`Path:      ${status.walletPath}`);
+  lines.push("Status:    ready");
+  return lines.join("\n");
+}
+
+// src/cli/commands/keystore.ts
+var keystoreCommand = new Command5("keystore").description(
+  "Compatibility alias for wallet status"
+);
+keystoreCommand.command("status").description("Show the current wallet storage status").action(async () => {
+  const config = loadFileConfig();
+  const status = await resolveWalletStatus(config);
+  console.log(formatWalletStatus(status));
+});
+
+// src/cli/commands/auth.ts
+import { Command as Command6 } from "commander";
+var DEFAULT_TTL_MS = 15 * 60 * 1e3;
+function formatSessionStatus(params) {
+  const lines = [];
+  lines.push(`Session:   ${params.state}`);
+  if (params.address) {
+    lines.push(`Address:   ${params.address}`);
+  }
+  if (params.expiresAt) {
+    lines.push(`Expires:   ${params.expiresAt}`);
+  }
+  return lines.join("\n");
+}
+var authCommand = new Command6("auth").description(
+  "Unlock, inspect, and lock the local MoneyOS wallet session"
+);
+authCommand.command("unlock").description("Unlock the local wallet and start a short-lived session").action(async () => {
+  const config = loadFileConfig();
+  const walletPath = getWalletPath(config);
+  const wallet = new FileEncryptedWalletStore(walletPath);
+  if (!wallet.exists()) {
+    console.error("No encrypted wallet found. Run `moneyos init` first.");
+    process.exitCode = 1;
+    return;
+  }
+  try {
+    const passphrase = await promptHidden("Wallet password: ");
+    if (passphrase.length === 0) {
+      throw new Error("Wallet password cannot be empty.");
+    }
+    const privateKey = await wallet.decrypt(passphrase);
+    const status = await startDetachedSessionDaemon({
+      type: "start",
+      privateKey,
+      chainId: config.chainId ?? 42161,
+      rpcUrl: config.rpcUrl,
+      socketPath: getSessionSocketPath(),
+      tokenPath: getSessionTokenPath(),
+      ttlMs: DEFAULT_TTL_MS
+    });
+    console.log("Wallet unlocked.");
+    console.log(
+      formatSessionStatus({
+        state: "unlocked",
+        address: status.address,
+        expiresAt: status.expiresAt
+      })
+    );
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exitCode = 1;
+  }
+});
+authCommand.command("lock").description("Lock the local MoneyOS wallet session").action(async () => {
+  const locked = await lockSession(
+    getSessionSocketPath(),
+    getSessionTokenPath()
+  );
+  console.log(
+    formatSessionStatus({
+      state: "locked"
+    })
+  );
+  if (!locked) {
+    console.log("No active local session was running.");
+  }
+});
+authCommand.command("status").description("Show whether the local wallet session is unlocked").action(async () => {
+  const status = await getSessionStatus(
+    getSessionSocketPath(),
+    getSessionTokenPath()
+  );
+  if (!status) {
+    console.log(
+      formatSessionStatus({
+        state: "locked"
+      })
+    );
+    return;
+  }
+  console.log(
+    formatSessionStatus({
+      state: "unlocked",
+      address: status.address,
+      expiresAt: status.expiresAt
+    })
+  );
+});
+
+// src/cli/commands/backup.ts
+import { Command as Command7 } from "commander";
+function formatBackupStatus(params) {
+  const lines = [];
+  lines.push(`Wallet:    ${params.exists ? "present" : "missing"}`);
+  if (params.address) {
+    lines.push(`Address:   ${params.address}`);
+  }
+  lines.push(`Wallet at: ${params.walletPath}`);
+  lines.push(`Backups:   ${params.backupCount}`);
+  lines.push(`Directory: ${params.backupDir}`);
+  if (params.latestBackupPath) {
+    lines.push(`Latest:    ${params.latestBackupPath}`);
+  }
+  return lines.join("\n");
+}
+var backupCommand = new Command7("backup").description(
+  "Export, restore, and inspect encrypted wallet backups"
+);
+backupCommand.command("export").description("Write a copy of the encrypted wallet backup").option("-o, --out <path>", "Custom path for the backup file").option("--force", "Overwrite an existing backup file at --out").action(async (options) => {
+  const config = loadFileConfig();
+  const provider = new FileBackupProvider({
+    walletPath: getWalletPath(config),
+    backupDir: getBackupDir(config)
+  });
+  try {
+    const targetPath = await provider.exportWallet({
+      outPath: options.out,
+      allowOverwrite: Boolean(options.force)
+    });
+    console.log(`Backup exported to ${targetPath}`);
+    console.log(
+      "Save your wallet password in your password manager of choice. MoneyOS does not store or sync it for you."
+    );
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exitCode = 1;
+  }
+});
+backupCommand.command("restore").description("Restore the encrypted wallet from a backup file").argument("<path>", "Path to the encrypted backup file").option("--force", "Overwrite an existing encrypted wallet").action(async (path, options) => {
+  const config = loadFileConfig();
+  const provider = new FileBackupProvider({
+    walletPath: getWalletPath(config),
+    backupDir: getBackupDir(config)
+  });
+  try {
+    const passphrase = await promptHidden(
+      "Wallet password for backup verification: "
+    );
+    const metadata = await provider.restoreWallet(path, {
+      passphrase,
+      allowOverwrite: Boolean(options.force)
+    });
+    await lockSession(getSessionSocketPath(), getSessionTokenPath());
+    console.log("Encrypted wallet restored.");
+    console.log(`Address:   ${metadata.address}`);
+    console.log(`Wallet:    ${getWalletPath(config)}`);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exitCode = 1;
+  }
+});
+backupCommand.command("status").description("Show the local wallet backup status").action(async () => {
+  const config = loadFileConfig();
+  const provider = new FileBackupProvider({
+    walletPath: getWalletPath(config),
+    backupDir: getBackupDir(config)
+  });
+  const status = await provider.status();
+  console.log(formatBackupStatus(status));
+});
+
+// src/cli/version.ts
+import { readFileSync as readFileSync4 } from "fs";
+import { fileURLToPath } from "url";
+import { dirname as dirname4, resolve as resolve2 } from "path";
+var packageJsonPath = resolve2(
+  dirname4(fileURLToPath(import.meta.url)),
+  "../../package.json"
+);
+var version = JSON.parse(
+  readFileSync4(packageJsonPath, "utf8")
+).version;
+
+// src/cli/index.ts
+var program = new Command8();
+program.name("moneyos").description("The operating system for money").version(version);
+program.addCommand(initCommand);
+program.addCommand(balanceCommand);
+program.addCommand(sendCommand);
+program.addCommand(swapCommand);
+program.addCommand(keystoreCommand);
+program.addCommand(authCommand);
+program.addCommand(backupCommand);
+program.command("__session-daemon", { hidden: true }).action(async () => {
+  await runSessionDaemonProcess();
+});
+program.parse();
+//# sourceMappingURL=index.js.map