nebulon-escrow-cli 0.1.0 → 0.8.5

package/src/commands/contract.js

@@ -20,24 +20,15 @@ const {
 } = require("@solana/spl-token");
 const { SessionTokenManager } = require("@magicblock-labs/gum-sdk");
 const {
-  createDelegatePermissionInstruction,
-  permissionPdaFromAccount,
-  PERMISSION_PROGRAM_ID,
-  AUTHORITY_FLAG,
-  TX_LOGS_FLAG,
   MAGIC_PROGRAM_ID,
   MAGIC_CONTEXT_ID,
   DELEGATION_PROGRAM_ID,
   ConnectionMagicRouter,
-  getAuthToken,
-  getPermissionStatus,
-  waitUntilPermissionActive,
 } = require("@magicblock-labs/ephemeral-rollups-sdk");
 const { loadConfig, saveConfig } = require("../config");
 const { loadWalletKeypair } = require("../wallets");
 const { ensureHostedSession } = require("../session");
 const { successMessage, errorMessage } = require("../ui");
-const { checkTeeAvailability } = require("./tee");
 const {
   getContracts,
   getContract,
@@ -144,11 +135,6 @@ let cachedValidatorEndpoint = null;
 
 const normalizeEndpoint = (endpoint) => endpoint.replace(/\/$/, "");
 
-const TEE_TOKEN_TTL_SECONDS = 240;
-const teeTokenCache = new Map();
-const teeWsHealthCache = new Map();
-const teeProgramCache = new Map();
-
 const isLocalnetConfig = (config) => {
   const network = (config?.network || config?.solanaNetwork || "").toLowerCase();
   if (network === "localnet") {
@@ -164,210 +150,78 @@ const isLocalnetConfig = (config) => {
   );
 };
 
-const getTeeEndpoint = async (config, keypair, options = {}) => {
-  const base = normalizeEndpoint(
-    config.ephemeralTeeEndpoint ||
-      config.ephemeralPermissionEndpoint ||
-      "https://tee.magicblock.app"
-  );
-  const cacheKey = `${base}:${keypair.publicKey.toBase58()}`;
-  const cached = teeTokenCache.get(cacheKey);
-  const now = Math.floor(Date.now() / 1000);
-  if (!options.forceRefresh && cached && cached.expiresAt > now) {
-    return cached;
-  }
-  const auth = await getAuthToken(
-    base,
-    keypair.publicKey,
-    (message) => nacl.sign.detached(message, keypair.secretKey)
-  );
-  const endpoint = `${base}?token=${auth.token}`;
-  const expiresAt = now + TEE_TOKEN_TTL_SECONDS;
-  const record = { endpoint, token: auth.token, expiresAt };
-  teeTokenCache.set(cacheKey, record);
-  return record;
-};
-
 const getEphemeralProgram = async (config, signerKeypair, options = {}) => {
+  const endpoint = config.ephemeralProviderUrl || config.rpcUrl;
+  const wsEndpoint = config.ephemeralWsUrl || undefined;
   if (isLocalnetConfig(config)) {
-    return getProgram(config, signerKeypair, {
-      endpoint: config.ephemeralProviderUrl || config.rpcUrl,
-      wsEndpoint: config.ephemeralWsUrl || undefined,
-    });
+    return getProgram(config, signerKeypair, { endpoint, wsEndpoint });
   }
-  const cacheKey = signerKeypair.publicKey.toBase58();
-  const cached = teeProgramCache.get(cacheKey);
-  const now = Math.floor(Date.now() / 1000);
-  if (!options.forceRefresh && cached && cached.expiresAt > now + 30) {
-    return cached.bundle;
+  if (options.forceRefresh) {
+    return getProgram(config, signerKeypair, { endpoint, wsEndpoint });
   }
-  const { endpoint, token, expiresAt } = await getTeeEndpoint(
-    config,
-    signerKeypair,
-    options
-  );
-  let wsEndpoint =
-    config.ephemeralTeeWsEndpoint ||
-    endpoint.replace(/^https:/, "wss:").replace(/^http:/, "ws:");
-  if (token && !wsEndpoint.includes("token=")) {
-    wsEndpoint += wsEndpoint.includes("?") ? `&token=${token}` : `?token=${token}`;
-  }
-  if (process.env.NEBULON_TEE_DEBUG === "1") {
-    console.log("TEE signer:", signerKeypair.publicKey.toBase58());
-    console.log("TEE RPC endpoint:", endpoint);
-    console.log("TEE WS endpoint:", wsEndpoint);
-  }
-  const programBundle = getProgram(config, signerKeypair, {
-    endpoint,
-    wsEndpoint,
-  });
-  await ensureTeeWsHealthy(programBundle.provider.connection, wsEndpoint);
-  teeProgramCache.set(cacheKey, { bundle: programBundle, expiresAt });
-  return programBundle;
+  return getProgram(config, signerKeypair, { endpoint, wsEndpoint });
 };
 
-const ensureTeeWsHealthy = async (connection, wsEndpoint) => {
-  if (!connection || !wsEndpoint) {
-    return;
+const getDelegationValidator = async (config) => {
+  const endpoint = (config.ephemeralProviderUrl || "").toLowerCase();
+  const wsEndpoint = (config.ephemeralWsUrl || "").toLowerCase();
+  if (config && config.__verbose) {
+    console.log("DEBUG: delegation resolver endpoints", { endpoint, wsEndpoint });
   }
-  const cacheKey = wsEndpoint;
-  const now = Date.now();
-  const cached = teeWsHealthCache.get(cacheKey);
-  if (cached && cached.expiresAt > now) {
-    return;
+  if (endpoint.includes("localhost") || endpoint.includes("127.0.0.1")) {
+    return LOCAL_VALIDATOR_IDENTITY;
   }
 
-  const timeoutMs = 4000;
-  let subscriptionId = null;
-  let resolved = false;
-  try {
-    if (process.env.NEBULON_TEE_DEBUG === "1") {
-      console.log("TEE WS health check: subscribing for slot change...");
+  const safePublicKey = (value) => {
+    try {
+      return value ? new PublicKey(value) : null;
+    } catch {
+      return null;
     }
-    subscriptionId = connection.onSlotChange((info) => {
-      if (!resolved) {
-        resolved = true;
-        if (process.env.NEBULON_TEE_DEBUG === "1") {
-          console.log(`TEE WS health check: slot ${info.slot}`);
-        }
+  };
+
+  const shouldUseRouter =
+    endpoint.includes("router") ||
+    wsEndpoint.includes("router") ||
+    endpoint.includes("magicblock.app") ||
+    wsEndpoint.includes("magicblock.app");
+  if (shouldUseRouter && config.ephemeralProviderUrl) {
+    const cacheKey = `${endpoint}|${wsEndpoint}`;
+    if (cachedValidator && cachedValidatorEndpoint === cacheKey) {
+      if (config && config.__verbose) {
+        console.log("DEBUG: using cached validator", cachedValidator.toBase58());
       }
-    });
-    await new Promise((resolve, reject) => {
-      const timeout = setTimeout(() => {
-        if (!resolved) {
-          reject(
-            new Error(
-              "TEE WS health check failed (no slot notifications). Check MagicBlock WS connectivity."
-            )
-          );
-        } else {
-          resolve();
-        }
-      }, timeoutMs);
-      const poll = () => {
-        if (resolved) {
-          clearTimeout(timeout);
-          resolve();
-          return;
-        }
-        setTimeout(poll, 50);
-      };
-      poll();
-    });
-    if (process.env.NEBULON_TEE_DEBUG === "1") {
-      console.log("TEE WS health check: OK");
+      return cachedValidator;
     }
-    teeWsHealthCache.set(cacheKey, { expiresAt: now + 15000 });
-  } finally {
-    if (subscriptionId !== null) {
-      try {
-        await connection.removeSlotChangeListener(subscriptionId);
-      } catch {
-        // ignore cleanup errors
+    try {
+      const router = new ConnectionMagicRouter(config.ephemeralProviderUrl, {
+        wsEndpoint: config.ephemeralWsUrl || undefined,
+      });
+      const closest = await router.getClosestValidator();
+      if (config && config.__verbose) {
+        console.log("DEBUG: router closest validator:", closest);
       }
+      const identity =
+        closest?.validatorIdentity || closest?.identity || closest?.validator;
+      const candidate = safePublicKey(identity || closest?.pubkey || closest);
+      if (candidate) {
+        cachedValidator = candidate;
+        cachedValidatorEndpoint = cacheKey;
+        return cachedValidator;
+      }
+    } catch {
+      // fall back to configured identity below
     }
   }
-};
-
-const buildPermissionEndpoint = async (config, keypair) => {
-  const network = (config?.network || config?.solanaNetwork || "").toLowerCase();
-  const rpc = String(config?.rpcUrl || "");
-  const isLocal =
-    network === "localnet" ||
-    rpc.includes("localhost:8899") ||
-    rpc.includes("127.0.0.1:8899");
-  if (isLocal) {
-    return null;
-  }
-  const base = normalizeEndpoint(
-    config.ephemeralPermissionEndpoint || "https://tee.magicblock.app"
-  );
-  if (base.includes("localhost") || base.includes("127.0.0.1")) {
-    return null;
-  }
-  try {
-    const auth = await getAuthToken(
-      base,
-      keypair.publicKey,
-      (message) => nacl.sign.detached(message, keypair.secretKey)
-    );
-    return `${base}?token=${auth.token}`;
-  } catch (error) {
-    console.warn("Permission token fetch failed. Skipping permission checks.");
-    return base;
-  }
-};
-
-const waitForPermissionActive = async (config, keypair, pda, label) => {
-  const network = (config?.network || config?.solanaNetwork || "").toLowerCase();
-  const rpc = String(config?.rpcUrl || "");
-  if (
-    network === "localnet" ||
-    rpc.includes("localhost:8899") ||
-    rpc.includes("127.0.0.1:8899")
-  ) {
-    return;
-  }
-  const endpoint = await buildPermissionEndpoint(config, keypair);
-  if (!endpoint) {
-    return;
-  }
-  try {
-    const ready = await waitUntilPermissionActive(endpoint, pda, 20_000);
-    if (ready) {
-      return;
-    }
-    const status = await getPermissionStatus(endpoint, pda).catch(() => null);
-    const state = status?.status || "unknown";
-    throw new Error(
-      `${label} permission is not active yet (status: ${state}). Try again in a few seconds.`
-    );
-  } catch (error) {
-    console.warn(
-      `Warning: permission check failed for ${label}. Proceeding without confirmation.`
-    );
-  }
-};
-
-const getDelegationValidator = async (config) => {
-  const endpoint = (config.ephemeralProviderUrl || "").toLowerCase();
-  if (endpoint.includes("localhost") || endpoint.includes("127.0.0.1")) {
-    return LOCAL_VALIDATOR_IDENTITY;
-  }
-  if (endpoint.includes("router")) {
-    if (cachedValidator && cachedValidatorEndpoint === endpoint) {
-      return cachedValidator;
+  const fallback = safePublicKey(config.ephemeralValidatorIdentity);
+  if (fallback) {
+    if (config && config.__verbose) {
+      console.log("DEBUG: using configured validator identity", fallback.toBase58());
     }
-    const router = new ConnectionMagicRouter(config.ephemeralProviderUrl, {
-      wsEndpoint: config.ephemeralWsUrl || undefined,
-    });
-    const closest = await router.getClosestValidator();
-    cachedValidator = new PublicKey(closest.pubkey || closest.validator || closest);
-    cachedValidatorEndpoint = endpoint;
-    return cachedValidator;
+    return fallback;
   }
-  if (config.ephemeralValidatorIdentity) {
-    return new PublicKey(config.ephemeralValidatorIdentity);
+  if (config && config.__verbose) {
+    console.warn("DEBUG: no validator identity resolved.");
   }
   return null;
 };
@@ -454,30 +308,6 @@ const ensureEscrowUndelegated = async (config, keypair, escrowPda) => {
     .rpc({ skipPreflight: true });
 };
 
-const ensureEscrowOwnedByProgramL1 = async (config, keypair, escrowPda) => {
-  const { connection, programId } = getProgram(config, keypair);
-  const info = await connection.getAccountInfo(escrowPda, "confirmed");
-  if (!info || !info.owner) {
-    console.error("Escrow not found on-chain.");
-    return false;
-  }
-  if (info.owner.equals(DELEGATION_PROGRAM_ID)) {
-    console.error(
-      "Escrow is delegated to MagicBlock (PER). L1 MODE cannot modify it while delegated."
-    );
-    console.error(
-      "Switch back to PER mode or wait for TEE availability and run `nebulon contract <id> sync` to undelegate."
-    );
-    return false;
-  }
-  if (!info.owner.equals(programId)) {
-    console.error("Escrow is owned by an unexpected program.");
-    console.error(`Owner: ${info.owner.toBase58()}`);
-    return false;
-  }
-  return true;
-};
-
 const buildPrivacyContext = (scope, contractId, index) => {
   const tail = index === undefined ? "" : `:${index}`;
   return `nebulon:${scope}:v1:${contractId}${tail}`;
@@ -748,52 +578,13 @@ const parsePublicKey = (value, label) => {
   }
 };
 
-const getExecutionMode = (contract) => {
-  const mode = (contract?.execution_mode || contract?.executionMode || "per")
-    .toString()
-    .toLowerCase();
-  return mode === "l1" ? "l1" : "per";
-};
-
-const isL1Mode = (contract) => getExecutionMode(contract) === "l1";
-
-const ensureExecutionMode = async (config, contract, keypair, options = {}) => {
-  if (isL1Mode(contract)) {
-    config.__l1_mode = true;
-    return "l1";
-  }
-  config.__l1_mode = false;
-  if (isLocalnetConfig(config)) {
-    config.__l1_mode = false;
-    return "per";
-  }
-  const check = await checkTeeAvailability(config, keypair, {
-    timeoutMs: 4000,
-  });
-  if (check.ok) {
-    config.__l1_mode = false;
-    return "per";
-  }
-  console.warn("Warning: MagicBlock TEE is not available from this location.");
-  console.warn(
-    "You can proceed in L1 MODE (no privacy, but functional on-chain flow)."
-  );
-  const proceed = await confirmAction(
-    options.confirm,
-    "Enable L1 MODE for this contract? yes/no"
-  );
-  if (!proceed) {
-    console.log("Continuing without L1 mode (TEE may still fail).");
-    config.__l1_mode = false;
-    return "per";
+const ensureExecutionMode = async (config) => {
+  if (!isLocalnetConfig(config) && !config.ephemeralProviderUrl) {
+    console.warn(
+      "Warning: MagicBlock ER endpoint is not configured. Run `nebulon init` to fetch endpoints."
+    );
   }
-  await updateContract(config.backendUrl, config.auth.token, contract.id, {
-    executionMode: "l1",
-  });
-  contract.execution_mode = "l1";
-  config.__l1_mode = true;
-  console.log("L1 MODE enabled for this contract.");
-  return "l1";
+  return "per";
 };
 
 const feeFromGross = (amount) => (amount * FEE_BPS) / BPS_DENOMINATOR;
@@ -821,6 +612,15 @@ const normalizeHashBytes = (value) => {
   return Buffer.from(String(value), "utf8").subarray(0, 32);
 };
 
+const logProgress = (message) => {
+  console.log(chalk.gray(message));
+};
+
+const logTx = (label, sig, isEr = false) => {
+  const prefix = isEr ? "ER-tx" : "tx";
+  console.log(`${label} (${prefix}: ${sig})`);
+};
+
 const buildMilestonesHash = (milestones) => {
   const hash = crypto.createHash("sha256");
   const ordered = [...milestones].sort((a, b) => a.index - b.index);
@@ -882,15 +682,6 @@ const getPrivateMilestoneStatus = async (
 ) => {
   const { program, programId } = getProgram(config, keypair);
   const escrowPda = new PublicKey(contract.escrow_pda);
-  if (isL1Mode(contract)) {
-    const milestones = await fetchPublicMilestones(
-      program,
-      escrowPda,
-      programId,
-      [index]
-    );
-    return milestones[0];
-  }
   const { program: erProgram, sessionSigner, sessionPda } =
     await getPerProgramBundle(config, keypair, programId, program.provider);
   const milestones = await fetchPrivateMilestones(
@@ -1248,31 +1039,24 @@ const ensureSessionToken = async (config, provider, programId, authorityKey) =>
 };
 
 const getSessionContext = async (config, keypair, program) => {
-  if (isLocalnetConfig(config)) {
-    const { sessionSigner, sessionPda } = await ensureSessionToken(
-      config,
-      program.provider,
-      program.programId,
-      keypair.publicKey
-    );
-    return { signer: sessionSigner, sessionPda, payer: sessionSigner.publicKey };
-  }
-  return { signer: keypair, sessionPda: null, payer: keypair.publicKey };
+  const { sessionSigner, sessionPda } = await ensureSessionToken(
+    config,
+    program.provider,
+    program.programId,
+    keypair.publicKey
+  );
+  return { signer: sessionSigner, sessionPda, payer: sessionSigner.publicKey };
 };
 
 const getPerProgramBundle = async (config, keypair, programId, provider) => {
-  if (isLocalnetConfig(config)) {
-    const { sessionSigner, sessionPda } = await ensureSessionToken(
-      config,
-      provider,
-      programId,
-      keypair.publicKey
-    );
-    const { program } = getProgram(config, sessionSigner, { useEphemeral: true });
-    return { program, sessionSigner, sessionPda };
-  }
-  const { program } = await getEphemeralProgram(config, keypair);
-  return { program, sessionSigner: keypair, sessionPda: null };
+  const { sessionSigner, sessionPda } = await ensureSessionToken(
+    config,
+    provider,
+    programId,
+    keypair.publicKey
+  );
+  const { program } = await getEphemeralProgram(config, sessionSigner);
+  return { program, sessionSigner, sessionPda };
 };
 
 const isAlreadyExistsError = (error) => {
@@ -1284,91 +1068,28 @@ const isAlreadyExistsError = (error) => {
   );
 };
 
-const ensurePermission = async (
-  _config,
-  program,
-  keypair,
-  permissionedAccount,
-  members
-) => {
-  try {
-    await program.methods
-      .createPermission(members.accountType, members.entries)
-      .accountsPartial({
-        payer: keypair.publicKey,
-        permissionedAccount,
-        permission: permissionPdaFromAccount(permissionedAccount),
-        permissionProgram: PERMISSION_PROGRAM_ID,
-        systemProgram: SystemProgram.programId,
-      })
-      .signers([keypair])
-      .rpc();
-    return true;
-  } catch (error) {
-    if (isAlreadyExistsError(error)) {
-      return false;
-    }
-    throw error;
-  }
-};
-
-const ensureDelegatedPermission = async (
-  config,
-  provider,
-  keypair,
-  permissionedAccount
-) => {
-  if (config && config.__l1_mode) {
-    return;
-  }
-  const permissionPda = permissionPdaFromAccount(permissionedAccount);
-  const info = await provider.connection.getAccountInfo(
-    permissionPda,
-    "confirmed"
-  );
-  if (info && info.owner.equals(DELEGATION_PROGRAM_ID)) {
-    return;
-  }
-  if (info && !info.owner.equals(PERMISSION_PROGRAM_ID)) {
-    throw new Error(
-      `Permission ${permissionPda.toBase58()} is owned by ${info.owner.toBase58()}, expected ${PERMISSION_PROGRAM_ID.toBase58()}.`
-    );
-  }
-  const validator = await getDelegationValidator(config);
-  const ix = createDelegatePermissionInstruction({
-    payer: keypair.publicKey,
-    validator,
-    permissionedAccount: [permissionedAccount, false],
-    authority: [keypair.publicKey, true],
-  });
-  const permissionMeta = ix.keys.find((key) =>
-    key.pubkey.equals(permissionedAccount)
-  );
-  if (permissionMeta) {
-    permissionMeta.isWritable = true;
-  }
-  const tx = new Transaction().add(ix);
-  try {
-    await provider.sendAndConfirm(tx, [keypair]);
-  } catch (error) {
-    if (!isAlreadyExistsError(error)) {
-      throw error;
-    }
-  }
-};
+const isVerbose = (options) => Boolean(options && options.verbose);
 
 const ensureDelegatedAccount = async (
   config,
   program,
   keypair,
   accountType,
-  pda
+  pda,
+  options
 ) => {
-  if (config && config.__l1_mode) {
-    return;
-  }
   const info = await program.provider.connection.getAccountInfo(pda, "confirmed");
+  if (isVerbose(options)) {
+    console.log("DEBUG: delegation check", {
+      pda: pda.toBase58(),
+      owner: info?.owner?.toBase58?.(),
+      delegated: Boolean(info && info.owner.equals(DELEGATION_PROGRAM_ID)),
+    });
+  }
   if (info && info.owner.equals(DELEGATION_PROGRAM_ID)) {
+    if (isVerbose(options)) {
+      console.log(`Delegation already active for ${pda.toBase58()}; skipping.`);
+    }
     return;
   }
   const isPerVault = accountType && Object.prototype.hasOwnProperty.call(accountType, "perVault");
@@ -1383,6 +1104,13 @@ const ensureDelegatedAccount = async (
   }
   try {
     const validator = await getDelegationValidator(config);
+    if (validator) {
+      if (isVerbose(options)) {
+        console.log(`Delegating account to validator: ${validator.toBase58()}`);
+      }
+    } else if (isVerbose(options)) {
+      console.warn("Delegation skipped: no validator identity resolved.");
+    }
     const remainingAccounts = validator
       ? [{ pubkey: validator, isWritable: false, isSigner: false }]
       : [];
@@ -1394,7 +1122,7 @@ const ensureDelegatedAccount = async (
       })
       .remainingAccounts(remainingAccounts)
       .signers([keypair])
-      .rpc();
+      .rpc({ skipPreflight: true });
   } catch (error) {
     if (!isAlreadyExistsError(error)) {
       throw error;
@@ -1408,16 +1136,24 @@ const ensureDelegatedEscrow = async (
   keypair,
   escrowId,
   escrowPda,
-  client
+  client,
+  options
 ) => {
-  if (config && config.__l1_mode) {
-    return;
-  }
   const info = await program.provider.connection.getAccountInfo(
     escrowPda,
     "confirmed"
   );
+  if (isVerbose(options)) {
+    console.log("DEBUG: escrow delegation check", {
+      escrow: escrowPda.toBase58(),
+      owner: info?.owner?.toBase58?.(),
+      delegated: Boolean(info && info.owner.equals(DELEGATION_PROGRAM_ID)),
+    });
+  }
   if (info && info.owner.equals(DELEGATION_PROGRAM_ID)) {
+    if (isVerbose(options)) {
+      console.log(`Delegation already active for ${escrowPda.toBase58()}; skipping.`);
+    }
     return;
   }
   if (info && !info.owner.equals(program.programId)) {
@@ -1427,6 +1163,13 @@ const ensureDelegatedEscrow = async (
   }
   try {
     const validator = await getDelegationValidator(config);
+    if (validator) {
+      if (isVerbose(options)) {
+        console.log(`Delegating escrow to validator: ${validator.toBase58()}`);
+      }
+    } else if (isVerbose(options)) {
+      console.warn("Delegation skipped: no validator identity resolved.");
+    }
     const remainingAccounts = validator
       ? [{ pubkey: validator, isWritable: false, isSigner: false }]
       : [];
@@ -1439,7 +1182,7 @@ const ensureDelegatedEscrow = async (
       })
       .remainingAccounts(remainingAccounts)
       .signers([keypair])
-      .rpc();
+      .rpc({ skipPreflight: true });
   } catch (error) {
     if (!isAlreadyExistsError(error)) {
       throw error;
@@ -1447,16 +1190,6 @@ const ensureDelegatedEscrow = async (
   }
 };
 
-const buildMembers = (contract) => {
-  const flags = AUTHORITY_FLAG | TX_LOGS_FLAG;
-  return {
-    entries: [
-      { flags, pubkey: new PublicKey(contract.client_wallet) },
-      { flags, pubkey: new PublicKey(contract.contractor_wallet) },
-    ],
-  };
-};
-
 const ensureAta = async (connection, payer, owner, mint) => {
   const ata = await getAssociatedTokenAddress(mint, owner, true);
   try {
@@ -1763,7 +1496,7 @@ const runInitContract = async (config, contract, options) => {
       })
       .signers([keypair])
       .rpc();
-    console.log(`Escrow initialized. (tx: ${sig})`);
+    logTx("Escrow initialized.", sig, false);
 
     await linkEscrow(config.backendUrl, config.auth.token, contract.id, {
       escrowPda: escrowPda.toBase58(),
@@ -1832,37 +1565,12 @@ const runAddMilestone = async (config, contract, title, options) => {
     return;
   }
 
-  const executionMode = await ensureExecutionMode(config, contract, keypair, options);
-  const l1Mode = executionMode === "l1";
+  await ensureExecutionMode(config, contract, keypair, options);
 
   console.log("Processing.");
-  if (l1Mode) {
-    const milestonePda = deriveMilestonePda(escrowPda, index, programId);
-    const sig = await program.methods
-      .addMilestone(new anchor.BN(escrowId.toString()), index)
-      .accounts({
-        actor: walletKey,
-        escrow: escrowPda,
-        milestone: milestonePda,
-        systemProgram: SystemProgram.programId,
-      })
-      .signers([keypair])
-      .rpc();
-    console.log(`Milestone created. (tx: ${sig})`);
-
-    const milestones = Array.isArray(contract.milestones)
-      ? [...contract.milestones]
-      : [];
-    milestones.push({ index, details: title, status: "created" });
-    const persisted = await updateContractMilestones(config, contract, milestones);
-    if (!persisted) {
-      console.log(
-        "Warning: backend did not persist milestone status (check backend version)."
-      );
-    }
-    successMessage("Milestone added.");
-    return;
-  }
+  logProgress("Preparing terms for ER submission");
+  await sleep(200);
+  logProgress("Encrypting milestone details");
   let privacyKey;
   try {
     privacyKey = await getContractPrivacyKey(config, contract.id, wallet);
@@ -1878,6 +1586,10 @@ const runAddMilestone = async (config, contract, title, options) => {
     index,
     title
   );
+  if (!isEncryptedPayload(encryptedDetails)) {
+    console.error("Failed to encrypt milestone details.");
+    process.exit(1);
+  }
   
   const encryptedBytes = Buffer.from(encryptedDetails, "utf8");
   
@@ -1893,6 +1605,7 @@ const runAddMilestone = async (config, contract, title, options) => {
     .update(encryptedDetails)
     .digest();
 
+  logProgress("Preparing milestone accounts");
   const privateMilestonePda = derivePrivateMilestonePda(
     escrowPda,
     index,
@@ -1909,26 +1622,13 @@ const runAddMilestone = async (config, contract, title, options) => {
     .signers([keypair])
     .rpc();
 
-  const members = buildMembers(contract);
-  members.accountType = {
-    privateMilestone: {
-      escrow: escrowPda,
-      index,
-    },
-  };
-  await ensurePermission(config, program, keypair, privateMilestonePda, members);
-  await ensureDelegatedPermission(
-    config,
-    program.provider,
-    keypair,
-    privateMilestonePda
-  );
   await ensureDelegatedAccount(
     config,
     program,
     keypair,
-    members.accountType,
-    privateMilestonePda
+    { privateMilestone: { escrow: escrowPda, index } },
+    privateMilestonePda,
+    options
   );
 
   const perVaultPda = derivePerVaultPda(escrowPda, programId);
@@ -1937,7 +1637,8 @@ const runAddMilestone = async (config, contract, title, options) => {
     program,
     keypair,
     { perVault: { escrow: escrowPda } },
-    perVaultPda
+    perVaultPda,
+    options
   );
   await ensureDelegatedEscrow(
     config,
@@ -1945,9 +1646,11 @@ const runAddMilestone = async (config, contract, title, options) => {
     keypair,
     escrowId,
     escrowPda,
-    new PublicKey(contract.client_wallet)
+    new PublicKey(contract.client_wallet),
+    options
   );
 
+  logProgress("Submitting metadata on ER");
   const { program: erProgram, sessionSigner, sessionPda } =
     await getPerProgramBundle(config, keypair, programId, program.provider);
   const metaSig = await erProgram.methods
@@ -1968,8 +1671,7 @@ const runAddMilestone = async (config, contract, title, options) => {
       })
     .signers([sessionSigner])
     .rpc({ skipPreflight: true });
-  console.log("Submitting Metadata...");
-  console.log(`Done. (tx: ${metaSig})`);
+  logTx("Metadata submitted.", metaSig, true);
 
   const milestones = Array.isArray(contract.milestones)
     ? [...contract.milestones]
@@ -2009,61 +1711,7 @@ const runDisableMilestone = async (config, contract, number, options) => {
     console.error("Check the list with: nebulon contract <id> check milestone list");
     return;
   }
-  const executionMode = await ensureExecutionMode(config, contract, keypair, options);
-  const l1Mode = executionMode === "l1";
-  if (l1Mode) {
-    const { program, connection, programId } = getProgram(config, keypair);
-    const escrowPda = new PublicKey(contract.escrow_pda);
-    const escrowState = await getEscrowState(connection, programId, escrowPda);
-    if (!escrowState) {
-      console.error("Escrow not found on-chain.");
-      process.exit(1);
-    }
-    const ok = await ensureEscrowOwnedByProgramL1(config, keypair, escrowPda);
-    if (!ok) {
-      return;
-    }
-    const escrowId = escrowState.escrowId;
-    const milestonePda = deriveMilestonePda(escrowPda, index, programId);
-    console.log("Verify data and confirm actions please.");
-    renderContractSummary(contract, wallet);
-    console.log("-Action-");
-    console.log("Disable milestone");
-    console.log(`Number : ${index + 1}`);
-    const milestones = Array.isArray(contract.milestones) ? contract.milestones : [];
-    const current = milestones.find((m) => m.index === index);
-    console.log(`Details : \"${current ? getMilestoneLabel(current) : "unknown"}\"`);
-    console.log("");
-    const proceed = await confirmAction(options.confirm, "Proceed? yes/no");
-    if (!proceed) {
-      console.log("Canceled.");
-      return;
-    }
-    console.log("Processing.");
-    const sig = await program.methods
-      .disableMilestone(new anchor.BN(escrowId.toString()), index)
-      .accounts({
-        actor: walletKey,
-        escrow: escrowPda,
-        milestone: milestonePda,
-      })
-      .signers([keypair])
-      .rpc();
-    console.log(`Milestone disabled. (tx: ${sig})`);
-    const nextMilestones = milestones.map((milestone) =>
-      milestone.index === index
-        ? { ...milestone, status: "disabled" }
-        : milestone
-    );
-    const persisted = await updateContractMilestones(config, contract, nextMilestones);
-    if (!persisted) {
-      console.log(
-        "Warning: backend did not persist milestone status (check backend version)."
-      );
-    }
-    successMessage("Milestone disabled.");
-    return;
-  }
+  await ensureExecutionMode(config, contract, keypair, options);
   if (!config.ephemeralProviderUrl) {
     console.error(
       "Warning: MagicBlock RPC is not configured; milestone status checks may be unreliable."
@@ -2085,6 +1733,47 @@ const runDisableMilestone = async (config, contract, number, options) => {
     console.error("Current status: disabled");
     return;
   }
+  const programBundle = getProgram(config, keypair);
+  const escrowPda = new PublicKey(contract.escrow_pda);
+  const programId = programBundle.programId;
+  const privateMilestonePda = derivePrivateMilestonePda(
+    escrowPda,
+    index,
+    programId
+  );
+  await ensureDelegatedAccount(
+    config,
+    programBundle.program,
+    keypair,
+    { privateMilestone: { escrow: escrowPda, index } },
+    privateMilestonePda,
+    options
+  );
+  const perVaultPda = derivePerVaultPda(escrowPda, programId);
+  await ensureDelegatedAccount(
+    config,
+    programBundle.program,
+    keypair,
+    { perVault: { escrow: escrowPda } },
+    perVaultPda,
+    options
+  );
+  const escrowState = await getEscrowState(
+    programBundle.connection,
+    programId,
+    escrowPda
+  );
+  if (escrowState) {
+    await ensureDelegatedEscrow(
+      config,
+      programBundle.program,
+      keypair,
+      escrowState.escrowId,
+      escrowPda,
+      new PublicKey(contract.client_wallet),
+      options
+    );
+  }
   let currentStatus = null;
   try {
     const milestone = await getPrivateMilestoneStatus(
@@ -2151,15 +1840,18 @@ const runDisableMilestone = async (config, contract, number, options) => {
   }
 
   console.log("Processing.");
+  logProgress("Submitting milestone update on ER");
+  await sleep(200);
   const sig = await updatePrivateMilestoneStatus(
     config,
     contract,
     keypair,
     walletKey,
     index,
-    4
+    4,
+    options
   );
-  console.log(`Milestone disabled. (tx: ${sig})`);
+  logTx("Milestone disabled.", sig, true);
 
   const nextMilestones = milestones.map((milestone) =>
     milestone.index === index
@@ -2169,6 +1861,8 @@ const runDisableMilestone = async (config, contract, number, options) => {
   await updateContractIfNegotiating(config, contract, {
     milestones: nextMilestones,
   });
+  logProgress("Syncing private state to escrow flags");
+  logProgress("Syncing private state to escrow flags");
   await runSyncFlags(config, contract, { ...options, confirm: true });
   successMessage("Milestone disabled.");
 };
@@ -2178,7 +1872,8 @@ const ensureTermsPrepared = async (
   contract,
   keypair,
   escrowPda,
-  escrowId
+  escrowId,
+  options
 ) => {
   const { program, programId } = getProgram(config, keypair);
   const termsPda = deriveTermsPda(escrowPda, programId);
@@ -2193,17 +1888,13 @@ const ensureTermsPrepared = async (
     .signers([keypair])
     .rpc();
 
-  const members = buildMembers(contract);
-  members.accountType = { terms: { escrow: escrowPda } };
-  await ensurePermission(config, program, keypair, termsPda, members);
-  await ensureDelegatedPermission(config, program.provider, keypair, termsPda);
-  await waitForPermissionActive(config, keypair, termsPda, "Terms");
   await ensureDelegatedAccount(
     config,
     program,
     keypair,
-    members.accountType,
-    termsPda
+    { terms: { escrow: escrowPda } },
+    termsPda,
+    options
   );
 
   const perVaultPda = derivePerVaultPda(escrowPda, programId);
@@ -2212,7 +1903,8 @@ const ensureTermsPrepared = async (
     program,
     keypair,
     { perVault: { escrow: escrowPda } },
-    perVaultPda
+    perVaultPda,
+    options
   );
   await ensureDelegatedEscrow(
     config,
@@ -2220,7 +1912,8 @@ const ensureTermsPrepared = async (
     keypair,
     escrowId,
     escrowPda,
-    new PublicKey(contract.client_wallet)
+    new PublicKey(contract.client_wallet),
+    options
   );
 
   return { termsPda, perVaultPda, program, programId };
@@ -2234,19 +1927,26 @@ const submitTerms = async (
   escrowId,
   totalPayment,
   deadline,
-  encryptedTerms
+  encryptedTerms,
+  options
 ) => {
   const { termsPda, perVaultPda, program, programId } = await ensureTermsPrepared(
     config,
     contract,
     keypair,
     escrowPda,
-    escrowId
+    escrowId,
+    options
   );
 
   const { program: erProgram, sessionSigner, sessionPda } =
     await getPerProgramBundle(config, keypair, programId, program.provider);
   const encryptedBytes = Buffer.from(encryptedTerms || "", "utf8");
+  if (encryptedBytes.length > 256) {
+    throw new Error(
+      `Encrypted terms too large (${encryptedBytes.length} bytes). Max is 256 bytes.`
+    );
+  }
   const attemptCreate = async (forceRefresh = false) => {
     const { program } = forceRefresh
       ? await getEphemeralProgram(config, keypair, { forceRefresh: true })
@@ -2275,7 +1975,7 @@ const submitTerms = async (
   const attemptCreateDirect = async () => {
     const { program: userErProgram } = await getEphemeralProgram(
       config,
-      keypair,
+      sessionSigner,
       { forceRefresh: true }
     );
     return userErProgram.methods
@@ -2329,148 +2029,6 @@ const submitTerms = async (
   throw lastError;
 };
 
-const submitPublicTerms = async (
-  config,
-  contract,
-  keypair,
-  escrowPda,
-  escrowId,
-  totalPayment,
-  deadline
-) => {
-  const { program, programId } = getProgram(config, keypair);
-  const termsPda = deriveTermsPda(escrowPda, programId);
-  const ok = await ensureEscrowOwnedByProgramL1(config, keypair, escrowPda);
-  if (!ok) {
-    return null;
-  }
-  const ix = await program.methods
-    .setPublicTerms(
-      new anchor.BN(escrowId.toString()),
-      buildTermsHash(deadline, totalPayment),
-      new anchor.BN(totalPayment.toString()),
-      new anchor.BN(deadline.toString())
-    )
-    .accounts({
-      user: keypair.publicKey,
-      escrow: escrowPda,
-      terms: termsPda,
-      systemProgram: SystemProgram.programId,
-    })
-    .instruction();
-  ix.keys = ix.keys.map((key) => {
-    if (key.pubkey.equals(escrowPda) || key.pubkey.equals(termsPda)) {
-      return { ...key, isWritable: true };
-    }
-    return key;
-  });
-  const tx = new Transaction().add(ix);
-  const sig = await program.provider.sendAndConfirm(tx, [keypair]);
-  return sig;
-};
-
-const signPublicTermsOnChain = async (
-  config,
-  keypair,
-  escrowPda,
-  escrowId
-) => {
-  const { program, programId } = getProgram(config, keypair);
-  const termsPda = deriveTermsPda(escrowPda, programId);
-  try {
-    const escrowState = await program.account.escrow.fetch(escrowPda);
-    const termsState = await program.account.terms.fetch(termsPda);
-    const escrowIdOnChain = escrowState.escrowId?.toString?.() || String(escrowState.escrowId);
-    const expectedEscrowId = escrowId.toString();
-    if (escrowIdOnChain !== expectedEscrowId) {
-      console.error(
-        `L1 sign precheck: escrow_id mismatch (chain=${escrowIdOnChain}, local=${expectedEscrowId})`
-      );
-    }
-    if (termsState.escrow && termsState.escrow.toBase58) {
-      const termsEscrow = termsState.escrow.toBase58();
-      if (termsEscrow !== escrowPda.toBase58()) {
-        console.error(
-          `L1 sign precheck: terms.escrow mismatch (terms=${termsEscrow}, escrow=${escrowPda.toBase58()})`
-        );
-      }
-    }
-    if (escrowState.fundedAmount && escrowState.fundedAmount.toString) {
-      const funded = escrowState.fundedAmount.toString();
-      if (funded !== "0") {
-        console.error(`L1 sign precheck: funded_amount is ${funded}, expected 0`);
-      }
-    }
-    if (escrowState.fundingOk) {
-      console.error("L1 sign precheck: funding_ok already true");
-    }
-  } catch (error) {
-    console.error("L1 sign precheck failed to fetch escrow/terms.");
-  }
-  const ix = await program.methods
-    .signPublicTerms(new anchor.BN(escrowId.toString()))
-    .accounts({
-      user: keypair.publicKey,
-      escrow: escrowPda,
-      terms: termsPda,
-    })
-    .instruction();
-  ix.keys = ix.keys.map((key) => {
-    if (key.pubkey.equals(escrowPda) || key.pubkey.equals(termsPda)) {
-      return { ...key, isWritable: true };
-    }
-    return key;
-  });
-  const tx = new Transaction().add(ix);
-  const sig = await program.provider.sendAndConfirm(tx, [keypair]);
-  return { sig, termsPda };
-};
-
-const commitPublicTermsOnChain = async (
-  config,
-  keypair,
-  escrowPda,
-  escrowId
-) => {
-  const { program, programId } = getProgram(config, keypair);
-  const termsPda = deriveTermsPda(escrowPda, programId);
-  const ix = await program.methods
-    .commitPublicTerms(new anchor.BN(escrowId.toString()))
-    .accounts({
-      user: keypair.publicKey,
-      escrow: escrowPda,
-      terms: termsPda,
-    })
-    .instruction();
-  ix.keys = ix.keys.map((key) => {
-    if (key.pubkey.equals(escrowPda) || key.pubkey.equals(termsPda)) {
-      return { ...key, isWritable: true };
-    }
-    return key;
-  });
-  const tx = new Transaction().add(ix);
-  return program.provider.sendAndConfirm(tx, [keypair]);
-};
-
-const fetchPublicMilestones = async (
-  program,
-  escrowPda,
-  programId,
-  indices
-) => {
-  const milestones = [];
-  for (const index of indices) {
-    const pda = deriveMilestonePda(escrowPda, index, programId);
-    try {
-      const state = await program.account.milestone.fetch(pda);
-      milestones.push({ index, status: Number(state.status), pda });
-    } catch {
-      milestones.push({ index, status: null, pda });
-    }
-  }
-  return milestones;
-};
-
 const runAddTerm = async (config, contract, field, value, options) => {
   const { keypair, wallet, walletKey } = getWalletContext(config);
   ensureEditableContract(contract);
@@ -2534,35 +2092,34 @@ const runAddTerm = async (config, contract, field, value, options) => {
     return;
   }
 
-  const executionMode = await ensureExecutionMode(config, contract, keypair, options);
-  const l1Mode = executionMode === "l1";
+  await ensureExecutionMode(config, contract, keypair, options);
 
   let encryptedTerms = null;
-  if (!l1Mode) {
-    try {
-      const privacyKey = await getContractPrivacyKey(config, contract.id, wallet);
-      encryptedTerms = encryptTermsPayload(
-        privacyKey,
-        contract.id,
-        deadline,
-        totalPayment
-      );
-    } catch (error) {
-      console.error(
-        "Privacy key exchange pending. Wait for the counterparty to accept."
-      );
-      process.exit(1);
-    }
+  try {
+    const privacyKey = await getContractPrivacyKey(config, contract.id, wallet);
+    encryptedTerms = encryptTermsPayload(
+      privacyKey,
+      contract.id,
+      deadline,
+      totalPayment
+    );
+  } catch (error) {
+    console.error(
+      "Privacy key exchange pending. Wait for the counterparty to accept."
+    );
+    process.exit(1);
   }
 
   await updateContractIfNegotiating(config, contract, {
-    ...(l1Mode ? {} : { termsEncrypted: encryptedTerms }),
+    termsEncrypted: encryptedTerms,
     termsHash: buildTermsHashHex(deadline, totalPayment),
-    ...(l1Mode ? { deadline, totalPayment } : {}),
   });
 
   if (!deadline || !totalPayment) {
-    console.log("Saved term. Set the remaining term to submit on-chain.");
+    const missingLabel = !deadline ? "deadline" : "payment";
+    console.log(
+      `Saved term. Set ${missingLabel} with \`nebulon contract <id> add term ${missingLabel} <value>\` to submit on-chain.`
+    );
     successMessage("Term saved.");
     return;
   }
@@ -2576,32 +2133,27 @@ const runAddTerm = async (config, contract, field, value, options) => {
 
   console.log("Processing.");
   try {
-    const sig = l1Mode
-      ? await submitPublicTerms(
-          config,
-          contract,
-          keypair,
-          escrowPda,
-          escrowId,
-          totalPayment,
-          deadline
-        )
-      : await submitTerms(
-          config,
-          contract,
-          keypair,
-          escrowPda,
-          escrowId,
-          totalPayment,
-          deadline,
-          encryptedTerms
-        );
+    const sig = await submitTerms(
+      config,
+      contract,
+      keypair,
+      escrowPda,
+      escrowId,
+      totalPayment,
+      deadline,
+      encryptedTerms,
+      options
+    );
     if (!sig) {
       return;
     }
-    console.log(`Terms submitted. (tx: ${sig})`);
+    logTx("Terms submitted.", sig, true);
     successMessage("Terms submitted.");
   } catch (error) {
+    console.error(error?.message || error);
+    if (error?.stack) {
+      console.error(error.stack);
+    }
     await printTxLogs(error);
     throw error;
   }
@@ -2613,14 +2165,13 @@ const runSignContract = async (config, contract, options) => {
     console.error("Contract has no escrow. Unable to sign.");
     process.exit(1);
   }
-  const executionMode = await ensureExecutionMode(config, contract, keypair, options);
-  const l1Mode = executionMode === "l1";
+  await ensureExecutionMode(config, contract, keypair, options);
   ensureContractPhase(
     contract,
     ["negotiating", "awaiting_signatures"],
     "Finish terms/milestones, then sign."
   );
-  if (!l1Mode && contract.terms_encrypted && !contract.privacyReady) {
+  if (contract.terms_encrypted && !contract.privacyReady) {
     console.error("Privacy key exchange pending. Unable to read terms.");
     process.exit(1);
   }
@@ -2685,41 +2236,46 @@ const runSignContract = async (config, contract, options) => {
   }
 
   console.log("Processing.");
-  let signSig = null;
-  let commitSig = null;
-  if (l1Mode) {
-    signSig = (await signPublicTermsOnChain(
-      config,
-      keypair,
-      escrowPda,
-      escrowId
-    )).sig;
-    console.log(`Signature submitted. (tx: ${signSig})`);
+  if (isVerbose(options)) {
+    console.log("DEBUG: PER config", {
+      ephemeralProviderUrl: config.ephemeralProviderUrl,
+      ephemeralWsUrl: config.ephemeralWsUrl,
+      ephemeralValidatorIdentity: config.ephemeralValidatorIdentity,
+      rpcUrl: config.rpcUrl,
+      wsUrl: config.wsUrl,
+      network: config.network,
+    });
     try {
-      commitSig = await commitPublicTermsOnChain(
-        config,
-        keypair,
-        escrowPda,
-        escrowId
-      );
+      if (config.ephemeralProviderUrl) {
+        const router = new ConnectionMagicRouter(config.ephemeralProviderUrl, {
+          wsEndpoint: config.ephemeralWsUrl || undefined,
+        });
+        const closest = await router.getClosestValidator();
+        console.log("DEBUG: router closest validator (sign flow):", closest);
+      }
     } catch (error) {
-      commitSig = null;
+      console.log("DEBUG: router closest validator lookup failed:", error?.message || error);
     }
-  } else {
-    const { termsPda } = await ensureTermsPrepared(
+  }
+  logProgress("Submitting signature on ER");
+  let signSig = null;
+  let commitSig = null;
+  const { termsPda } = await ensureTermsPrepared(
+    config,
+    contract,
+    keypair,
+    escrowPda,
+    escrowId,
+    options
+  );
+  const { program: erProgram, sessionSigner, sessionPda } =
+    await getPerProgramBundle(
       config,
-      contract,
       keypair,
-      escrowPda,
-      escrowId
+      programId,
+      program.provider
     );
-    const { program: erProgram, sessionSigner, sessionPda } =
-      await getPerProgramBundle(
-        config,
-        keypair,
-        programId,
-        program.provider
-      );
+  try {
     signSig = await erProgram.methods
       .signPrivateTerms(new anchor.BN(escrowId.toString()))
       .accounts({
@@ -2731,25 +2287,33 @@ const runSignContract = async (config, contract, options) => {
       })
       .signers([sessionSigner])
       .rpc({ skipPreflight: true });
-    console.log(`Signature submitted. (tx: ${signSig})`);
-    try {
-      commitSig = await erProgram.methods
-        .commitTerms(new anchor.BN(escrowId.toString()))
-        .accounts({
-          user: keypair.publicKey,
-          payer: sessionSigner.publicKey,
-          sessionToken: sessionPda,
-          escrow: escrowPda,
-          terms: termsPda,
-        })
-        .signers([sessionSigner])
-        .rpc({ skipPreflight: true });
-    } catch (error) {
-      commitSig = null;
+  } catch (error) {
+    console.error("ERROR: signPrivateTerms failed:", error?.message || error);
+    const msg = (error?.message || "").toLowerCase();
+    if (msg.includes("invalidwritableaccount")) {
+      console.error("HINT: InvalidWritableAccount usually means validator mismatch. Run with --verbose and compare router validator vs delegation.");
     }
+    throw error;
+  }
+  logTx("Signature submitted.", signSig, true);
+  try {
+    logProgress("Committing terms on ER");
+    commitSig = await erProgram.methods
+      .commitTerms(new anchor.BN(escrowId.toString()))
+      .accounts({
+        user: keypair.publicKey,
+        payer: sessionSigner.publicKey,
+        sessionToken: sessionPda,
+        escrow: escrowPda,
+        terms: termsPda,
+      })
+      .signers([sessionSigner])
+      .rpc({ skipPreflight: true });
+  } catch (error) {
+    commitSig = null;
   }
   if (commitSig) {
-    console.log(`Terms committed. (tx: ${commitSig})`);
+    logTx("Terms committed.", commitSig, true);
     console.log("Syncing contract flags...");
     let synced = false;
     for (let attempt = 0; attempt < 2; attempt += 1) {
@@ -2818,7 +2382,7 @@ const runFundContract = async (config, contract, options) => {
     process.exit(1);
   }
   ensureContractPhase(contract, ["waiting_for_funding"], "Run sign first.");
-  if (!isL1Mode(contract) && contract.terms_encrypted && !contract.privacyReady) {
+  if (contract.terms_encrypted && !contract.privacyReady) {
     console.error("Privacy key exchange pending. Unable to read terms.");
     process.exit(1);
   }
@@ -2934,10 +2498,10 @@ const runFundContract = async (config, contract, options) => {
     })
     .signers([keypair])
     .rpc();
-  console.log(`Funding submitted. (tx: ${sig})`);
+  logTx("Funding submitted.", sig, false);
 
   await markFunded(config.backendUrl, config.auth.token, contract.id);
-  console.log("Syncing private state to escrow flags.");
+  logProgress("Syncing private state to escrow flags");
   for (let attempt = 0; attempt < 3; attempt += 1) {
     try {
       await runSyncFlags(config, contract, { ...options, confirm: true });
@@ -2989,75 +2553,7 @@ const runUpdateMilestone = async (config, contract, number, options) => {
     console.error("Check the list with: nebulon contract <id> check milestone list");
     return;
   }
-  const executionMode = await ensureExecutionMode(config, contract, keypair, options);
-  const l1Mode = executionMode === "l1";
-  if (l1Mode) {
-    const { program, connection, programId } = getProgram(config, keypair);
-    const escrowPda = new PublicKey(contract.escrow_pda);
-    const escrowState = await getEscrowState(connection, programId, escrowPda);
-    if (!escrowState) {
-      console.error("Escrow not found on-chain.");
-      process.exit(1);
-    }
-    const ok = await ensureEscrowOwnedByProgramL1(config, keypair, escrowPda);
-    if (!ok) {
-      return;
-    }
-    const escrowId = escrowState.escrowId;
-    const milestonePda = deriveMilestonePda(escrowPda, index, programId);
-
-    console.log("Verify data and confirm actions please.");
-    renderContractSummary(contract, wallet);
-    console.log("-Action-");
-    console.log("Update milestone");
-    console.log(`Number : ${index + 1}`);
-    console.log("Status : ready");
-    console.log("");
-
-    const canProceed = await renderBalancesOrAbort(
-      config,
-      walletKey,
-      contract.mint || config.usdcMint
-    );
-    if (!canProceed) {
-      return;
-    }
-
-    const proceed = await confirmAction(options.confirm, "Proceed? yes/no");
-    if (!proceed) {
-      console.log("Canceled.");
-      return;
-    }
-
-    console.log("Processing.");
-    const sig = await program.methods
-      .submitMilestone(new anchor.BN(escrowId.toString()), index)
-      .accounts({
-        contractor: walletKey,
-        escrow: escrowPda,
-        milestone: milestonePda,
-      })
-      .signers([keypair])
-      .rpc();
-    console.log(`Milestone updated. (tx: ${sig})`);
-
-    const milestones = Array.isArray(contract.milestones)
-      ? contract.milestones.map((milestone) =>
-          milestone.index === index
-            ? { ...milestone, status: "ready" }
-            : milestone
-        )
-      : [];
-    const persisted = await updateContractMilestones(config, contract, milestones);
-    if (!persisted) {
-      console.log(
-        "Warning: backend did not persist milestone status (check backend version)."
-      );
-    }
-    await runSyncFlags(config, contract, { ...options, confirm: true });
-    successMessage("Milestone updated.");
-    return;
-  }
+  await ensureExecutionMode(config, contract, keypair, options);
   if (!config.ephemeralProviderUrl) {
     console.error(
       "Warning: MagicBlock RPC is not configured; milestone status checks may be unreliable."
@@ -3144,9 +2640,10 @@ const runUpdateMilestone = async (config, contract, number, options) => {
     keypair,
     walletKey,
     index,
-    1
+    1,
+    options
   );
-  console.log(`Milestone updated. (tx: ${sig})`);
+  logTx("Milestone updated.", sig, true);
 
   const milestones = Array.isArray(contract.milestones)
     ? contract.milestones.map((milestone) =>
@@ -3161,6 +2658,7 @@ const runUpdateMilestone = async (config, contract, number, options) => {
       "Warning: backend did not persist milestone status (check backend version)."
     );
   }
+  logProgress("Syncing private state to escrow flags");
   await runSyncFlags(config, contract, { ...options, confirm: true });
   successMessage("Milestone updated.");
 };
@@ -3187,80 +2685,7 @@ const runConfirmMilestone = async (config, contract, number, options) => {
     process.exit(1);
   }
 
-  const executionMode = await ensureExecutionMode(config, contract, keypair, options);
-  const l1Mode = executionMode === "l1";
-  if (l1Mode) {
-    const { program, connection, programId } = getProgram(config, keypair);
-    const escrowPda = new PublicKey(contract.escrow_pda);
-    const escrowState = await getEscrowState(connection, programId, escrowPda);
-    if (!escrowState) {
-      console.error("Escrow not found on-chain.");
-      process.exit(1);
-    }
-    const ok = await ensureEscrowOwnedByProgramL1(config, keypair, escrowPda);
-    if (!ok) {
-      return;
-    }
-    const escrowId = escrowState.escrowId;
-    const milestonePda = deriveMilestonePda(escrowPda, index, programId);
-
-    console.log("Verify data and confirm actions please.");
-    renderContractSummary(contract, wallet);
-    console.log("-Action-");
-    console.log("Confirm milestone");
-    console.log(`Number : ${index + 1}`);
-    console.log("");
-
-    const canProceed = await renderBalancesOrAbort(
-      config,
-      walletKey,
-      contract.mint || config.usdcMint
-    );
-    if (!canProceed) {
-      return;
-    }
-
-    const proceed = await confirmAction(options.confirm, "Proceed? yes/no");
-    if (!proceed) {
-      console.log("Canceled.");
-      return;
-    }
-
-    console.log("Processing.");
-    const sig = await program.methods
-      .approveMilestone(new anchor.BN(escrowId.toString()), index)
-      .accounts({
-        client: walletKey,
-        escrow: escrowPda,
-        milestone: milestonePda,
-      })
-      .signers([keypair])
-      .rpc();
-    console.log(`Milestone confirmed. (tx: ${sig})`);
-
-    const milestones = Array.isArray(contract.milestones)
-      ? contract.milestones.map((milestone) =>
-          milestone.index === index
-            ? { ...milestone, status: "approved" }
-            : milestone
-        )
-      : [];
-    const persisted = await updateContractMilestones(config, contract, milestones);
-    if (!persisted) {
-      console.log(
-        "Warning: backend did not persist milestone status (check backend version)."
-      );
-    }
-    await runSyncFlags(config, contract, { ...options, confirm: true });
-    try {
-      const refreshed = await getEscrowState(connection, programId, escrowPda);
-      if (refreshed && refreshed.readyToClaim) {
-        successMessage("Contract funds are now ready to claim by the service provider.");
-      }
-    } catch {}
-    successMessage("Milestone confirmed.");
-    return;
-  }
+  await ensureExecutionMode(config, contract, keypair, options);
 
   console.log("Verify data and confirm actions please.");
   renderContractSummary(contract, wallet);
@@ -3299,26 +2724,68 @@ const runConfirmMilestone = async (config, contract, number, options) => {
     walletKey,
     contract.mint || config.usdcMint
   );
-  if (!canProceed) {
-    return;
-  }
-
-  const proceed = await confirmAction(options.confirm, "Proceed? yes/no");
-  if (!proceed) {
-    console.log("Canceled.");
-    return;
+  if (!canProceed) {
+    return;
+  }
+
+  const proceed = await confirmAction(options.confirm, "Proceed? yes/no");
+  if (!proceed) {
+    console.log("Canceled.");
+    return;
+  }
+
+  console.log("Processing.");
+  const programBundle = getProgram(config, keypair);
+  const escrowPda = new PublicKey(contract.escrow_pda);
+  const programId = programBundle.programId;
+  const privateMilestonePda = derivePrivateMilestonePda(
+    escrowPda,
+    index,
+    programId
+  );
+  await ensureDelegatedAccount(
+    config,
+    programBundle.program,
+    keypair,
+    { privateMilestone: { escrow: escrowPda, index } },
+    privateMilestonePda,
+    options
+  );
+  const perVaultPda = derivePerVaultPda(escrowPda, programId);
+  await ensureDelegatedAccount(
+    config,
+    programBundle.program,
+    keypair,
+    { perVault: { escrow: escrowPda } },
+    perVaultPda,
+    options
+  );
+  const escrowState = await getEscrowState(
+    programBundle.connection,
+    programId,
+    escrowPda
+  );
+  if (escrowState) {
+    await ensureDelegatedEscrow(
+      config,
+      programBundle.program,
+      keypair,
+      escrowState.escrowId,
+      escrowPda,
+      new PublicKey(contract.client_wallet),
+      options
+    );
   }
-
-  console.log("Processing.");
   const sig = await updatePrivateMilestoneStatus(
     config,
     contract,
     keypair,
     walletKey,
     index,
-    3
+    3,
+    options
   );
-  console.log(`Milestone confirmed. (tx: ${sig})`);
+  logTx("Milestone confirmed.", sig, true);
 
   const milestones = Array.isArray(contract.milestones)
     ? contract.milestones.map((milestone) =>
@@ -3415,7 +2882,7 @@ const runClaimFunds = async (config, contract, options) => {
           })
           .signers([keypair])
           .rpc();
-        console.log(`Funds claimed. (tx: ${sig})`);
+        logTx("Funds claimed.", sig, false);
         successMessage(
           `Funds claimed successfully. (+${formatUsdc(rawFunded)} USDC)`
         );
@@ -3445,7 +2912,7 @@ const runClaimFunds = async (config, contract, options) => {
           })
           .signers([keypair])
           .rpc();
-        console.log(`Timeout funds claimed. (tx: ${sig})`);
+        logTx("Timeout funds claimed.", sig, false);
         successMessage(
           `Funds claimed successfully. (+${formatUsdc(rawFunded)} USDC)`
         );
@@ -3504,7 +2971,7 @@ const runClaimFunds = async (config, contract, options) => {
         })
         .signers([keypair])
         .rpc();
-      console.log(`Refund claimed. (tx: ${sig})`);
+      logTx("Refund claimed.", sig, false);
       successMessage("Refund claimed.");
       successMessage("Escrow rent returned to the creator.");
       try {
@@ -3549,7 +3016,8 @@ const updatePrivateMilestoneStatus = async (
   keypair,
   walletKey,
   index,
-  status
+  status,
+  options
 ) => {
   const { program, connection, programId } = getProgram(config, keypair);
   const escrowPda = new PublicKey(contract.escrow_pda);
@@ -3566,26 +3034,13 @@ const updatePrivateMilestoneStatus = async (
     programId
   );
 
-  const members = buildMembers(contract);
-  members.accountType = {
-    privateMilestone: {
-      escrow: escrowPda,
-      index,
-    },
-  };
-  await ensurePermission(config, program, keypair, privateMilestonePda, members);
-  await ensureDelegatedPermission(
-    config,
-    program.provider,
-    keypair,
-    privateMilestonePda
-  );
   await ensureDelegatedAccount(
     config,
     program,
     keypair,
-    members.accountType,
-    privateMilestonePda
+    { privateMilestone: { escrow: escrowPda, index } },
+    privateMilestonePda,
+    options
   );
   await ensureDelegatedEscrow(
     config,
@@ -3593,12 +3048,15 @@ const updatePrivateMilestoneStatus = async (
     keypair,
     escrowId,
     escrowPda,
-    new PublicKey(contract.client_wallet)
+    new PublicKey(contract.client_wallet),
+    options
   );
 
   const { program: erProgram, sessionSigner, sessionPda } =
     await getPerProgramBundle(config, keypair, programId, program.provider);
 
+  logProgress("Submitting milestone update on ER");
+  await sleep(200);
   const sig = await erProgram.methods
     .updatePrivateMilestoneStatus(
       new anchor.BN(escrowId.toString()),
@@ -3618,204 +3076,12 @@ const updatePrivateMilestoneStatus = async (
   return sig;
 };
 
-const runSyncFlagsL1 = async (config, contract, options) => {
-  const { keypair, walletKey } = getWalletContext(config);
-  if (!contract.escrow_pda) {
-    console.error("Contract has no escrow.");
-    process.exit(1);
-  }
-
-  const { program, connection, programId } = getProgram(config, keypair);
-  const escrowPda = new PublicKey(contract.escrow_pda);
-  const escrowState = await getEscrowState(connection, programId, escrowPda);
-  if (!escrowState) {
-    console.error("Escrow not found on-chain.");
-    process.exit(1);
-  }
-  const ok = await ensureEscrowOwnedByProgramL1(config, keypair, escrowPda);
-  if (!ok) {
-    return;
-  }
-
-  const escrowId = escrowState.escrowId;
-  const termsPda = deriveTermsPda(escrowPda, programId);
-
-  let terms;
-  try {
-    terms = await program.account.terms.fetch(termsPda);
-  } catch (error) {
-    console.error("Terms not available on-chain yet.");
-    process.exit(1);
-  }
-
-  const milestoneIndices = Array.isArray(contract.milestones)
-    ? contract.milestones.map((milestone) => milestone.index)
-    : [];
-  milestoneIndices.sort((a, b) => a - b);
-  const milestones = await fetchPublicMilestones(
-    program,
-    escrowPda,
-    programId,
-    milestoneIndices
-  );
-  const milestonesHash = buildMilestonesHash(milestones);
-
-  const fundedAmount =
-    typeof escrowState.fundedAmount === "bigint"
-      ? escrowState.fundedAmount
-      : BigInt(escrowState.fundedAmount || 0);
-  const canCommitMilestones = fundedAmount === 0n && !escrowState.fundingOk;
-  const totalPayment = BigInt(terms.totalPayment.toString());
-  const requiredNet = netFromGross(totalPayment);
-  const fundingOk = fundedAmount >= requiredNet;
-  const hasTermsHash = escrowState.termsHash
-    ? escrowState.termsHash.some((byte) => byte !== 0)
-    : false;
-  if (!hasTermsHash) {
-    console.log("Terms hash not committed on-chain yet.");
-  }
-
-  const deadline = resolveTermsDeadline(
-    Number(terms.deadline.toString()),
-    escrowState.fundedAt
-  );
-  const now = Math.floor(Date.now() / 1000);
-  const deadlinePassed = deadline ? now > deadline : false;
-
-  const statuses = milestones.map((milestone) =>
-    Number.isFinite(milestone.status) ? milestone.status : 0
-  );
-  const allApproved =
-    milestones.length === 0 ||
-    statuses.every((status) => status === 3 || status === 4);
-  const allSubmitted =
-    milestones.length === 0 ||
-    statuses.every((status) => status === 1 || status === 3 || status === 4);
-  const hasUnsubmitted =
-    milestones.length === 0 ||
-    statuses.some((status) => status === 0 || status === 2);
-
-  const milestoneCount = milestones.length;
-  if (milestoneCount > 255) {
-    console.error("Too many milestones to sync.");
-    process.exit(1);
-  }
-
-  const proceed = await confirmAction(options.confirm, "Update escrow flags? yes/no");
-  if (!proceed) {
-    console.log("Canceled.");
-    return;
-  }
-
-  let didUpdate = false;
-  const milestoneAccounts = milestones.map((milestone) => ({
-    pubkey: milestone.pda,
-    isWritable: false,
-    isSigner: false,
-  }));
-
-  if (canCommitMilestones && milestonesHash && escrowState.milestonesHash) {
-    const currentHash = Buffer.from(escrowState.milestonesHash);
-    if (!currentHash.equals(milestonesHash)) {
-      const sig = await program.methods
-        .commitPublicMilestones(
-          new anchor.BN(escrowId.toString()),
-          Array.from(milestonesHash)
-        )
-        .accounts({
-          user: walletKey,
-          escrow: escrowPda,
-        })
-        .signers([keypair])
-        .rpc();
-      console.log(`Milestones committed. (tx: ${sig})`);
-      didUpdate = true;
-    }
-  }
-
-  if (hasTermsHash && fundingOk && !escrowState.fundingOk) {
-    const sig = await program.methods
-      .setFundingOkPublic(new anchor.BN(escrowId.toString()))
-      .accounts({
-        user: walletKey,
-        escrow: escrowPda,
-        terms: termsPda,
-      })
-      .signers([keypair])
-      .rpc();
-    console.log(`Funding verified. (tx: ${sig})`);
-    didUpdate = true;
-  }
-
-  let readyToClaimSet = false;
-  if (hasTermsHash && fundingOk && allApproved && !escrowState.readyToClaim) {
-    const sig = await program.methods
-      .setReadyToClaimPublic(new anchor.BN(escrowId.toString()), milestoneCount)
-      .accounts({
-        user: walletKey,
-        escrow: escrowPda,
-      })
-      .remainingAccounts(milestoneAccounts)
-      .signers([keypair])
-      .rpc();
-    console.log(`Ready to claim set. (tx: ${sig})`);
-    didUpdate = true;
-    readyToClaimSet = true;
-  }
-
-  if (!readyToClaimSet && deadlinePassed && fundingOk && hasUnsubmitted && !escrowState.timeoutRefundReady) {
-    const sig = await program.methods
-      .setTimeoutRefundReadyPublic(
-        new anchor.BN(escrowId.toString()),
-        milestoneCount
-      )
-      .accounts({
-        user: walletKey,
-        escrow: escrowPda,
-        terms: termsPda,
-      })
-      .remainingAccounts(milestoneAccounts)
-      .signers([keypair])
-      .rpc();
-    console.log(`Timeout refund ready set. (tx: ${sig})`);
-    didUpdate = true;
-  }
-
-  if (!readyToClaimSet && deadlinePassed && fundingOk && allSubmitted && !escrowState.timeoutFundsReady) {
-    const sig = await program.methods
-      .setTimeoutFundsReadyPublic(
-        new anchor.BN(escrowId.toString()),
-        milestoneCount
-      )
-      .accounts({
-        user: walletKey,
-        escrow: escrowPda,
-        terms: termsPda,
-      })
-      .remainingAccounts(milestoneAccounts)
-      .signers([keypair])
-      .rpc();
-    console.log(`Timeout funds ready set. (tx: ${sig})`);
-    didUpdate = true;
-  }
-
-  if (didUpdate) {
-    successMessage("Sync completed.");
-    return;
-  }
-  console.log("No updates were required.");
-};
-
 const runSyncFlags = async (config, contract, options) => {
   const { keypair, walletKey } = getWalletContext(config);
   if (!contract.escrow_pda) {
     console.error("Contract has no escrow.");
     process.exit(1);
   }
-  if (isL1Mode(contract)) {
-    await runSyncFlagsL1(config, contract, options);
-    return;
-  }
 
   const { program, connection, programId } = getProgram(config, keypair);
   const escrowPda = new PublicKey(contract.escrow_pda);
@@ -3826,12 +3092,13 @@ const runSyncFlags = async (config, contract, options) => {
   }
 
   const escrowId = escrowState.escrowId;
-  const { termsPda, program: l1Program } = await ensureTermsPrepared(
+  const { termsPda, program: baseProgram } = await ensureTermsPrepared(
     config,
     contract,
     keypair,
     escrowPda,
-    escrowId
+    escrowId,
+    options
   );
 
   const milestoneIndices = Array.isArray(contract.milestones)
@@ -3844,40 +3111,28 @@ const runSyncFlags = async (config, contract, options) => {
       index,
       programId
     );
-    const members = buildMembers(contract);
-    members.accountType = {
-      privateMilestone: {
-        escrow: escrowPda,
-        index,
-      },
-    };
-    await ensurePermission(config, l1Program, keypair, privateMilestonePda, members);
-    await ensureDelegatedPermission(
-      config,
-      l1Program.provider,
-      keypair,
-      privateMilestonePda
-    );
     await ensureDelegatedAccount(
       config,
-      l1Program,
+      baseProgram,
       keypair,
-      members.accountType,
-      privateMilestonePda
+      { privateMilestone: { escrow: escrowPda, index } },
+      privateMilestonePda,
+      options
     );
   }
 
   await ensureDelegatedEscrow(
     config,
-    l1Program,
+    baseProgram,
     keypair,
     escrowId,
     escrowPda,
-    new PublicKey(contract.client_wallet)
+    new PublicKey(contract.client_wallet),
+    options
   );
 
   const { program: erProgram, sessionSigner, sessionPda } =
-    await getPerProgramBundle(config, keypair, programId, l1Program.provider);
+    await getPerProgramBundle(config, keypair, programId, baseProgram.provider);
 
   let terms;
   try {
@@ -3963,7 +3218,7 @@ const runSyncFlags = async (config, contract, options) => {
         })
         .signers([sessionSigner])
         .rpc({ skipPreflight: true });
-      console.log(`Milestones committed. (tx: ${sig})`);
+    logTx("Milestones committed.", sig, false);
       didUpdate = true;
     }
   }
@@ -3980,7 +3235,7 @@ const runSyncFlags = async (config, contract, options) => {
       })
       .signers([sessionSigner])
       .rpc({ skipPreflight: true });
-    console.log(`Funding verified. (tx: ${sig})`);
+    logTx("Funding verified.", sig, false);
     didUpdate = true;
   }
 
@@ -4000,7 +3255,7 @@ const runSyncFlags = async (config, contract, options) => {
       .remainingAccounts(milestoneAccounts)
       .signers([sessionSigner])
       .rpc({ skipPreflight: true });
-    console.log(`Ready to claim set. (tx: ${sig})`);
+    logTx("Ready to claim set.", sig, false);
     didUpdate = true;
     readyToClaimSet = true;
   }
@@ -4027,7 +3282,7 @@ const runSyncFlags = async (config, contract, options) => {
       .remainingAccounts(milestoneAccounts)
       .signers([sessionSigner])
       .rpc({ skipPreflight: true });
-    console.log(`Timeout refund ready set. (tx: ${sig})`);
+    logTx("Timeout refund ready set.", sig, false);
     didUpdate = true;
   }
 
@@ -4053,7 +3308,7 @@ const runSyncFlags = async (config, contract, options) => {
       .remainingAccounts(milestoneAccounts)
       .signers([sessionSigner])
       .rpc({ skipPreflight: true });
-    console.log(`Timeout funds ready set. (tx: ${sig})`);
+    logTx("Timeout funds ready set.", sig, false);
     didUpdate = true;
   }
 
@@ -4069,7 +3324,7 @@ const runSyncFlags = async (config, contract, options) => {
       })
       .signers([sessionSigner])
       .rpc({ skipPreflight: true });
-    console.log(`Escrow committed. (tx: ${sig})`);
+    logTx("Escrow committed.", sig, false);
   } else {
     console.log("No escrow flag changes needed.");
   }
@@ -4116,29 +3371,17 @@ const runMilestoneList = async (config, contract) => {
   milestoneIndices.sort((a, b) => a - b);
 
   let milestones = [];
-  if (isL1Mode(contract)) {
-    milestones = await fetchPublicMilestones(
-      program,
+  const { program: erProgram } = await getEphemeralProgram(config, keypair);
+  try {
+    milestones = await fetchPrivateMilestones(
+      erProgram,
       escrowPda,
       programId,
       milestoneIndices
     );
-  } else {
-    const { program: erProgram } = await getEphemeralProgram(
-      config,
-      keypair
-    );
-    try {
-      milestones = await fetchPrivateMilestones(
-        erProgram,
-        escrowPda,
-        programId,
-        milestoneIndices
-      );
-    } catch (error) {
-      console.error("Private milestones are not available yet.");
-      process.exit(1);
-    }
+  } catch (error) {
+    console.error("Private milestones are not available yet.");
+    process.exit(1);
   }
 
   const metadataByIndex = new Map(
@@ -4191,31 +3434,18 @@ const runMilestoneStatus = async (config, contract, number) => {
   }
 
   let milestone;
-  if (isL1Mode(contract)) {
-    const items = await fetchPublicMilestones(
-      program,
+  const { program: erProgram } = await getEphemeralProgram(config, keypair);
+  try {
+    const items = await fetchPrivateMilestones(
+      erProgram,
       escrowPda,
       programId,
       [index]
     );
     milestone = items[0];
-  } else {
-    const { program: erProgram } = await getEphemeralProgram(
-      config,
-      keypair
-    );
-    try {
-      const items = await fetchPrivateMilestones(
-        erProgram,
-        escrowPda,
-        programId,
-        [index]
-      );
-      milestone = items[0];
-    } catch (error) {
-      console.error("Private milestone is not available yet.");
-      process.exit(1);
-    }
+  } catch (error) {
+    console.error("Private milestone is not available yet.");
+    process.exit(1);
   }
 
   const meta = (contract.milestones || []).find((m) => m.index === index) || {};
@@ -4258,7 +3488,7 @@ const runContractDetails = async (config, contract) => {
   console.log("Contract details");
   console.log(`ID: ${contract.id}`);
   console.log(`Status: ${contract.status}`);
-  console.log(`Execution mode: ${getExecutionMode(contract)}`);
+  console.log("Mode: PER");
   console.log(`Role: ${role}`);
   console.log(
     formatParticipant(
@@ -4279,14 +3509,10 @@ const runContractDetails = async (config, contract) => {
   console.log(`Escrow: ${contract.escrow_pda || "n/a"}`);
   console.log(`Mint: ${contract.mint || "n/a"}`);
   console.log(`Vault: ${contract.vault_token || "n/a"}`);
-  const privacyLabel = isL1Mode(contract)
-    ? "l1"
-    : contract.privacyReady
-      ? "ready"
-      : "pending";
+  const privacyLabel = contract.privacyReady ? "ready" : "pending";
   console.log(`Privacy: ${privacyLabel}`);
 
-  if (!isL1Mode(contract) && contract.terms_encrypted && !contract.privacyReady) {
+  if (contract.terms_encrypted && !contract.privacyReady) {
     console.log("Terms: encrypted (waiting on privacy keys)");
   } else {
     console.log(`Deadline: ${contract.deadline ? formatDeadlineValue(contract.deadline) : "missing"}`);
@@ -4346,7 +3572,7 @@ const runContractStatus = async (config, contract) => {
     console.log(`Role: ${role}`);
   }
   console.log(`Current status: ${contract.status}`);
-  console.log(`Execution mode: ${getExecutionMode(contract)}`);
+  console.log("Mode: PER");
   if (contract.created_at) {
     console.log(`Created: ${formatCreatedAt(contract.created_at)}`);
   }
@@ -4467,46 +3693,6 @@ const runRateContract = async (config, contract, scoreValue) => {
   console.log(`Rating submitted: ${score} star${score === 1 ? "" : "s"}.`);
 };
 
-const runContractMode = async (config, contract, mode, options) => {
-  const { wallet } = getWalletContext(config);
-  const role = getRole(contract, wallet);
-  if (role !== "client" && role !== "contractor") {
-    console.error("Only contract participants can change execution mode.");
-    process.exit(1);
-  }
-  const desired = (mode || "").toString().toLowerCase();
-  if (desired !== "per" && desired !== "l1") {
-    console.error("Usage: nebulon contract <id> mode per|l1");
-    return;
-  }
-  const allowedStatuses = new Set(["waiting_for_init", "negotiating", "awaiting_signatures"]);
-  if (!allowedStatuses.has(contract.status)) {
-    console.error("Execution mode can only be changed before funding.");
-    return;
-  }
-  if (desired === getExecutionMode(contract)) {
-    console.log(`Execution mode is already ${desired.toUpperCase()}.`);
-    return;
-  }
-  const proceed = await confirmAction(
-    options.confirm,
-    `Set execution mode to ${desired.toUpperCase()}? yes/no`
-  );
-  if (!proceed) {
-    console.log("Canceled.");
-    return;
-  }
-  await updateContract(config.backendUrl, config.auth.token, contract.id, {
-    executionMode: desired,
-  });
-  contract.execution_mode = desired;
-  if (desired === "l1") {
-    console.log("L1 MODE enabled for this contract (no TEE privacy).");
-  } else {
-    console.log("PER mode enabled for this contract.");
-  }
-};
-
 const runCheckTerms = async (config, contract) => {
   const { wallet } = getWalletContext(config);
   const role = getRole(contract, wallet);
@@ -4514,7 +3700,7 @@ const runCheckTerms = async (config, contract) => {
     console.error("Only contract participants can view terms.");
     process.exit(1);
   }
-  if (!isL1Mode(contract) && contract.terms_encrypted && !contract.privacyReady) {
+  if (contract.terms_encrypted && !contract.privacyReady) {
     console.error("Privacy key exchange pending. Unable to read terms.");
     process.exit(1);
   }
@@ -4580,7 +3766,7 @@ const runOpenDispute = async (config, contract, options) => {
       })
       .signers([keypair])
       .rpc();
-    console.log(`Dispute opened. (tx: ${sig})`);
+    logTx("Dispute opened.", sig, false);
     console.log("Contact @nortbyt3 on Discord to discuss your case.");
     successMessage("Dispute opened.");
   } catch (error) {
@@ -4673,7 +3859,7 @@ const runResolveDispute = async (
       })
       .signers([keypair])
       .rpc();
-    console.log(`Dispute resolved. (tx: ${sig})`);
+    logTx("Dispute resolved.", sig, false);
     successMessage("Dispute resolved.");
   } catch (error) {
     const message = (error && error.message ? error.message : "").toLowerCase();
@@ -4691,6 +3877,7 @@ const runResolveDispute = async (
 
 const runContractCommand = async (args, options = {}) => {
   const config = loadConfig();
+  config.__verbose = Boolean(options && options.verbose);
   await ensureHosted(config);
 
   if (!args.length) {
@@ -4810,10 +3997,6 @@ const runContractCommand = async (args, options = {}) => {
     await runRateContract(config, contract, rest[1]);
     return;
   }
-  if (action === "mode") {
-    await runContractMode(config, contract, rest[1], options);
-    return;
-  }
 
   if (action === "disable" && rest[1] === "milestone") {
     if (!rest[2]) {