run402 1.69.5 → 1.69.7

package/lib/blob.mjs

@@ -24,6 +24,7 @@ import {
   readFileSync,
   writeFileSync,
   mkdirSync,
+  chmodSync,
   existsSync,
   unlinkSync,
   readdirSync,
@@ -61,7 +62,7 @@ Options:
   --json              NDJSON progress events (for agent consumption)
   --prefix <p>        Prefix filter (ls only)
   --limit <n>         Max results (ls only; default 100, max 1000)
-  --ttl <seconds>     Signed-URL TTL (sign only; default 3600, max 604800)
+  --ttl <seconds>     Signed-URL TTL (sign only; default 3600, min 60, max 604800)
 
 Examples:
   run402 blob put ./artifact.tgz --project prj_abc123
@@ -151,7 +152,7 @@ Arguments:
 
 Options:
   --project <id>      Project ID (defaults to active project)
-  --ttl <seconds>     Signed-URL TTL (default 3600, max 604800)
+  --ttl <seconds>     Signed-URL TTL (default 3600, min 60, max 604800)
 
 Examples:
   run402 blob sign reports/2025-q4.pdf --project prj_abc123 --ttl 600
@@ -184,7 +185,9 @@ Examples:
 `,
 };
 
-const UPLOAD_STATE_DIR = join(homedir(), ".run402", "uploads");
+function uploadStateDir() {
+  return join(homedir(), ".run402", "uploads");
+}
 
 function die(msg, exit_code = 1) {
   fail({ code: "BAD_USAGE", message: msg, exit_code });
@@ -226,7 +229,7 @@ function parseArgs(rawArgs) {
     else if (a === "--prefix") out.prefix = args[++i];
     else if (a === "--limit") out.limit = parseIntegerFlag("--limit", args[++i], { min: 1, max: 1000 });
     else if (a === "--output" || a === "-o") out.output = args[++i];
-    else if (a === "--ttl") out.ttl = parseIntegerFlag("--ttl", args[++i], { min: 1, max: 604800 });
+    else if (a === "--ttl") out.ttl = parseIntegerFlag("--ttl", args[++i], { min: 60, max: 604800 });
     else if (!a.startsWith("--")) out.positional.push(a);
   }
   return out;
@@ -259,30 +262,71 @@ async function sha256File(filePath) {
   return h.digest("hex");
 }
 
+function sha256BufferHexAndBase64(body) {
+  const digest = createHash("sha256").update(body).digest();
+  return {
+    hex: digest.toString("hex"),
+    base64: digest.toString("base64"),
+  };
+}
+
+function checksumHeadersForPresignedUrl(url, checksumBase64) {
+  let urlHasChecksum = false;
+  try {
+    urlHasChecksum = new URL(url).searchParams.has("x-amz-checksum-sha256");
+  } catch {
+    urlHasChecksum = false;
+  }
+  return urlHasChecksum ? {} : { "x-amz-checksum-sha256": checksumBase64 };
+}
+
 function loadState(uploadId) {
-  const path = join(UPLOAD_STATE_DIR, `${uploadId}.json`);
+  const path = join(uploadStateDir(), `${uploadId}.json`);
   if (!existsSync(path)) return null;
   try { return JSON.parse(readFileSync(path, "utf8")); }
   catch { return null; }
 }
 
 function saveState(state) {
-  mkdirSync(UPLOAD_STATE_DIR, { recursive: true });
-  writeFileSync(join(UPLOAD_STATE_DIR, `${state.upload_id}.json`), JSON.stringify(state, null, 2));
+  const dir = uploadStateDir();
+  mkdirSync(dir, { recursive: true, mode: 0o700 });
+  chmodSync(dir, 0o700);
+  const diskState = { ...state };
+  delete diskState.parts;
+  const path = join(dir, `${state.upload_id}.json`);
+  writeFileSync(path, JSON.stringify(diskState, null, 2), { mode: 0o600 });
+  chmodSync(path, 0o600);
 }
 
 function removeState(uploadId) {
-  const path = join(UPLOAD_STATE_DIR, `${uploadId}.json`);
+  const path = join(uploadStateDir(), `${uploadId}.json`);
   if (existsSync(path)) unlinkSync(path);
 }
 
-function findResumableStateForFile(projectId, localPath, key) {
-  if (!existsSync(UPLOAD_STATE_DIR)) return null;
-  for (const f of readdirSync(UPLOAD_STATE_DIR)) {
+function fileFingerprint(stat) {
+  return {
+    file_size: stat.size,
+    file_mtime_ms: stat.mtimeMs,
+  };
+}
+
+function stateMatchesFile(state, fingerprint) {
+  return state.file_size === fingerprint.file_size &&
+    typeof state.file_mtime_ms === "number" &&
+    state.file_mtime_ms === fingerprint.file_mtime_ms;
+}
+
+function findResumableStateForFile(projectId, localPath, key, fingerprint) {
+  const dir = uploadStateDir();
+  if (!existsSync(dir)) return null;
+  for (const f of readdirSync(dir)) {
     if (!f.endsWith(".json")) continue;
     try {
-      const s = JSON.parse(readFileSync(join(UPLOAD_STATE_DIR, f), "utf8"));
-      if (s.project_id === projectId && s.local_path === localPath && s.key === key) return s;
+      const s = JSON.parse(readFileSync(join(dir, f), "utf8"));
+      if (s.project_id === projectId && s.local_path === localPath && s.key === key) {
+        if (stateMatchesFile(s, fingerprint)) return s;
+        removeState(s.upload_id);
+      }
     } catch { /* ignore */ }
   }
   return null;
@@ -295,16 +339,15 @@ function findResumableStateForFile(projectId, localPath, key) {
 async function putOne(projectId, filePath, opts) {
   const stat = statSync(filePath);
   const size = stat.size;
+  const fingerprint = fileFingerprint(stat);
   const destKey = computeDestKey(filePath, opts.key);
   const absLocal = resolvePath(filePath);
 
-  // Compute sha256 for immutable uploads up front; otherwise lazy.
-  const needSha = opts.immutable;
-  const sha256 = needSha ? await sha256File(filePath) : undefined;
+  const sha256 = await sha256File(filePath);
 
   // Attempt to resume
   let state = opts.resume
-    ? findResumableStateForFile(projectId, absLocal, destKey)
+    ? findResumableStateForFile(projectId, absLocal, destKey, fingerprint)
     : null;
   let initRes;
   if (state) {
@@ -315,7 +358,7 @@ async function putOne(projectId, filePath, opts) {
       initRes = {
         upload_id: state.upload_id,
         mode: poll.mode ?? state.mode,
-        parts: poll.parts ?? state.parts,
+        parts: poll.parts ?? state.parts ?? [],
         part_count: poll.part_count ?? state.part_count,
         part_size_bytes: poll.part_size_bytes ?? state.part_size_bytes,
       };
@@ -345,6 +388,7 @@ async function putOne(projectId, filePath, opts) {
       parts: initRes.parts,
       parts_done: {},
       sha256,
+      ...fingerprint,
       started_at: new Date().toISOString(),
     };
     if (opts.resume) saveState(state);
@@ -360,22 +404,18 @@ async function putOne(projectId, filePath, opts) {
     etags[parseInt(pn, 10) - 1] = typeof pd === "string" ? { etag: pd, sha256: undefined } : pd;
   }
 
-  // Presigned URLs are signed WITHOUT ChecksumAlgorithm (see gateway
-  // s3-presign.ts). The client-asserted sha256 declared at init is the
-  // integrity attestation — no x-amz-checksum-sha256 header on PUTs, and
-  // the gateway trusts the declared value at complete when S3 has none.
   const todo = initRes.parts.filter((p) => !(state.parts_done || {})[String(p.part_number)]);
   await withConcurrency(todo, opts.concurrency, async (part) => {
-    const { etag } = await putPart(filePath, part);
-    etags[part.part_number - 1] = { etag };
-    state.parts_done[String(part.part_number)] = { etag };
+    const { etag, sha256: partSha256 } = await putPart(filePath, part);
+    etags[part.part_number - 1] = { etag, sha256: partSha256 };
+    state.parts_done[String(part.part_number)] = { etag, sha256: partSha256 };
     if (opts.resume) saveState(state);
-    log(opts, { event: "part", upload_id: state.upload_id, part_number: part.part_number, etag });
+    log(opts, { event: "part", upload_id: state.upload_id, part_number: part.part_number, etag, sha256: partSha256 });
   });
 
   // Complete
   const body = initRes.mode === "multipart"
-    ? { parts: etags.map((e, i) => ({ part_number: i + 1, etag: e.etag })) }
+    ? { parts: etags.map((e, i) => ({ part_number: i + 1, etag: e.etag, sha256: e.sha256 })) }
     : {};
   const result = await getSdk().blobs.completeUploadSession(projectId, state.upload_id, body, {
     contentType: opts.contentType ?? guessContentType(destKey),
@@ -399,37 +439,31 @@ async function putPart(filePath, part) {
   const chunks = [];
   for await (const c of stream) chunks.push(c);
   const body = Buffer.concat(chunks);
+  const checksum = sha256BufferHexAndBase64(body);
 
-  const res = await fetch(part.url, { method: "PUT", body });
+  const res = await fetch(part.url, {
+    method: "PUT",
+    headers: checksumHeadersForPresignedUrl(part.url, checksum.base64),
+    body,
+  });
   if (!res.ok) {
     const errBody = await res.text().catch(() => "");
     throw new Error(`Part ${part.part_number} PUT failed: ${res.status} ${res.statusText}${errBody ? " — " + errBody.slice(0, 200) : ""}`);
   }
   const etag = res.headers.get("etag") ?? "";
-  return { etag };
+  return { etag, sha256: checksum.hex };
 }
 
 async function withConcurrency(items, limit, worker) {
-  const running = [];
-  for (const item of items) {
-    const p = Promise.resolve().then(() => worker(item));
-    running.push(p);
-    if (running.length >= limit) {
-      await Promise.race(running.map((r) => r.catch(() => {})));
-      for (let i = running.length - 1; i >= 0; i--) {
-        if (isSettled(running[i])) running.splice(i, 1);
-      }
+  let index = 0;
+  const workerCount = Math.min(limit, items.length);
+  async function runWorker() {
+    while (index < items.length) {
+      const item = items[index++];
+      await worker(item);
     }
   }
-  await Promise.all(running);
-}
-
-function isSettled(p) {
-  const marker = {};
-  return Promise.race([p, marker]).then(
-    (v) => v !== marker,
-    () => true,
-  );
+  await Promise.all(Array.from({ length: workerCount }, runWorker));
 }
 
 async function put(projectId, argv) {
@@ -438,8 +472,8 @@ async function put(projectId, argv) {
   const resolvedId = resolveProjectId(opts.project);
 
   if (opts.positional.length === 0) die("At least one file path is required");
-  if (opts.immutable && opts.positional.length > 1 && opts.key && !opts.key.endsWith("/")) {
-    die("--key with --immutable across multiple files requires a directory prefix (ending with /)");
+  if (opts.positional.length > 1 && opts.key && !opts.key.endsWith("/")) {
+    die("--key across multiple files requires a directory prefix (ending with /)");
   }
 
   const results = [];
@@ -464,6 +498,7 @@ async function get(projectId, argv) {
   opts.project = opts.project || projectId;
   const resolvedId = resolveProjectId(opts.project);
   if (opts.positional.length === 0) die("Key required");
+  if (opts.positional.length > 1) die("blob get expects exactly one key");
   if (!opts.output) die("--output <file> required");
   const key = opts.positional[0];
 
@@ -510,6 +545,7 @@ async function rm(projectId, argv) {
   opts.project = opts.project || projectId;
   const resolvedId = resolveProjectId(opts.project);
   if (opts.positional.length === 0) die("Key required");
+  if (opts.positional.length > 1) die("blob rm expects exactly one key");
   const key = opts.positional[0];
 
   try {
@@ -529,6 +565,7 @@ async function diagnose(projectId, argv) {
   opts.project = opts.project || projectId;
   const resolvedId = resolveProjectId(opts.project);
   if (opts.positional.length === 0) die("URL required");
+  if (opts.positional.length > 1) die("blob diagnose expects exactly one URL");
   const url = opts.positional[0];
 
   try {
@@ -556,6 +593,7 @@ async function sign(projectId, argv) {
   opts.project = opts.project || projectId;
   const resolvedId = resolveProjectId(opts.project);
   if (opts.positional.length === 0) die("Key required");
+  if (opts.positional.length > 1) die("blob sign expects exactly one key");
   const key = opts.positional[0];
 
   try {

package/lib/cdn.mjs

@@ -16,6 +16,7 @@
 import { resolveProjectId } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
+import { assertKnownFlags, flagValue, normalizeArgv, parseIntegerFlag, positionalArgs } from "./argparse.mjs";
 
 const HELP = `run402 cdn — CloudFront CDN diagnostics for public blob URLs
 
@@ -73,14 +74,19 @@ function die(msg, exit_code = 1) {
 }
 
 function parseArgs(args) {
-  const opts = { positional: [] };
-  for (let i = 0; i < args.length; i++) {
-    const a = args[i];
-    if (a === "--sha") opts.sha = args[++i];
-    else if (a === "--timeout") opts.timeout = Number(args[++i]);
-    else if (a === "--project") opts.project = args[++i];
-    else if (a.startsWith("--")) die(`Unknown option: ${a}`);
-    else opts.positional.push(a);
+  const normalized = normalizeArgv(args);
+  const valueFlags = ["--sha", "--timeout", "--project"];
+  assertKnownFlags(normalized, [...valueFlags, "--help", "-h"], valueFlags);
+  const opts = {
+    positional: positionalArgs(normalized, valueFlags),
+    sha: flagValue(normalized, "--sha"),
+    timeout: normalized.includes("--timeout")
+      ? parseIntegerFlag("--timeout", flagValue(normalized, "--timeout"), { min: 1 })
+      : undefined,
+    project: flagValue(normalized, "--project"),
+  };
+  if (opts.positional.length > 1) {
+    die(`Unexpected argument for cdn wait-fresh: ${opts.positional[1]}`);
   }
   return opts;
 }
@@ -92,6 +98,13 @@ async function waitFresh(projectId, argv) {
   if (opts.positional.length === 0) die("URL required");
   const url = opts.positional[0];
   if (!opts.sha) die("--sha is required");
+  if (!/^[a-fA-F0-9]{64}$/.test(opts.sha)) {
+    fail({
+      code: "BAD_FLAG",
+      message: "--sha must be a 64-character hex SHA-256 digest",
+      details: { flag: "--sha", value: opts.sha },
+    });
+  }
 
   const timeoutMs = (opts.timeout ?? 60) * 1000;
   try {

package/lib/contracts.mjs

@@ -1,5 +1,13 @@
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail, parseFlagJson } from "./sdk-errors.mjs";
+import {
+  assertAllowedValue,
+  assertKnownFlags,
+  flagValue,
+  normalizeArgv,
+  positionalArgs,
+  validateEvmAddress,
+} from "./argparse.mjs";
 
 const HELP = `run402 contracts — KMS-backed Ethereum wallets for smart-contract calls
 
@@ -126,12 +134,6 @@ Examples:
 `,
 };
 
-function parseFlag(args, flag) {
-  for (let i = 0; i < args.length; i++) {
-    if (args[i] === flag && args[i + 1]) return args[i + 1];
-  }
-  return null;
-}
 function hasFlag(args, flag) {
   return args.includes(flag);
 }
@@ -146,21 +148,30 @@ function validateWeiFlag(flag, value) {
 }
 
 async function provisionWallet(projectId, args) {
-  const chain = parseFlag(args, "--chain");
+  const parsedArgs = normalizeArgv(args);
+  const valueFlags = ["--chain", "--recovery"];
+  assertKnownFlags(parsedArgs, [...valueFlags, "--yes", "--help", "-h"], valueFlags);
+  const extra = positionalArgs(parsedArgs, valueFlags);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts provision-wallet: ${extra[0]}` });
+  }
+  const chain = flagValue(parsedArgs, "--chain");
   if (!chain) {
     fail({
       code: "BAD_USAGE",
       message: "Missing --chain (base-mainnet or base-sepolia)",
     });
   }
-  const recovery = parseFlag(args, "--recovery");
+  assertAllowedValue(chain, ["base-mainnet", "base-sepolia"], "--chain");
+  const recovery = flagValue(parsedArgs, "--recovery");
+  if (recovery) validateEvmAddress(recovery, "--recovery");
   // Soft default of one wallet — confirm if project already has one.
   let activeWallets = null;
   try {
     const list = await getSdk().contracts.listWallets(projectId);
     activeWallets = (list.wallets || []).filter((w) => w.status === "active").length;
   } catch { /* best-effort */ }
-  if (activeWallets !== null && activeWallets >= 1 && !hasFlag(args, "--yes")) {
+  if (activeWallets !== null && activeWallets >= 1 && !hasFlag(parsedArgs, "--yes")) {
     fail({
       code: "CONFIRMATION_REQUIRED",
       message: `This project already has ${activeWallets} active wallet(s). Adding another costs $0.04/day each ($1.20/month). Re-run with --yes to confirm.`,
@@ -179,7 +190,13 @@ async function provisionWallet(projectId, args) {
   }
 }
 
-async function getWallet(projectId, walletId) {
+async function getWallet(projectId, walletId, args = []) {
+  const parsedArgs = normalizeArgv(args);
+  assertKnownFlags(parsedArgs, ["--help", "-h"]);
+  const extra = positionalArgs(parsedArgs);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts get-wallet: ${extra[0]}` });
+  }
   try {
     const data = await getSdk().contracts.getWallet(projectId, walletId);
     console.log(JSON.stringify(data, null, 2));
@@ -188,7 +205,13 @@ async function getWallet(projectId, walletId) {
   }
 }
 
-async function listWallets(projectId) {
+async function listWallets(projectId, args = []) {
+  const parsedArgs = normalizeArgv(args);
+  assertKnownFlags(parsedArgs, ["--help", "-h"]);
+  const extra = positionalArgs(parsedArgs);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts list-wallets: ${extra[0]}` });
+  }
   try {
     const data = await getSdk().contracts.listWallets(projectId);
     console.log(JSON.stringify(data, null, 2));
@@ -198,14 +221,25 @@ async function listWallets(projectId) {
 }
 
 async function setRecovery(projectId, walletId, args) {
-  const clear = hasFlag(args, "--clear");
-  const address = parseFlag(args, "--address");
+  const parsedArgs = normalizeArgv(args);
+  const valueFlags = ["--address"];
+  assertKnownFlags(parsedArgs, [...valueFlags, "--clear", "--help", "-h"], valueFlags);
+  const extra = positionalArgs(parsedArgs, valueFlags);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts set-recovery: ${extra[0]}` });
+  }
+  const clear = hasFlag(parsedArgs, "--clear");
+  const address = flagValue(parsedArgs, "--address");
+  if (clear && address) {
+    fail({ code: "BAD_USAGE", message: "Provide either --address or --clear, not both." });
+  }
   if (!clear && !address) {
     fail({
       code: "BAD_USAGE",
       message: "Provide --address 0x... or --clear",
     });
   }
+  if (address) validateEvmAddress(address, "--address");
   try {
     await getSdk().contracts.setRecovery(projectId, walletId, clear ? null : address);
     console.log(JSON.stringify({ status: "ok", wallet_id: walletId, recovery_address: clear ? null : address }));
@@ -215,7 +249,14 @@ async function setRecovery(projectId, walletId, args) {
 }
 
 async function setAlert(projectId, walletId, args) {
-  const threshold = parseFlag(args, "--threshold-wei");
+  const parsedArgs = normalizeArgv(args);
+  const valueFlags = ["--threshold-wei"];
+  assertKnownFlags(parsedArgs, [...valueFlags, "--help", "-h"], valueFlags);
+  const extra = positionalArgs(parsedArgs, valueFlags);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts set-alert: ${extra[0]}` });
+  }
+  const threshold = flagValue(parsedArgs, "--threshold-wei");
   if (!threshold) {
     fail({ code: "BAD_USAGE", message: "Missing --threshold-wei <n>" });
   }
@@ -229,13 +270,20 @@ async function setAlert(projectId, walletId, args) {
 }
 
 async function call(projectId, walletId, args) {
-  const to = parseFlag(args, "--to");
-  const abi = parseFlag(args, "--abi");
-  const fn = parseFlag(args, "--fn");
-  const argsJson = parseFlag(args, "--args");
-  const value = parseFlag(args, "--value-wei");
-  const chain = parseFlag(args, "--chain") || "base-mainnet";
-  const idempotency = parseFlag(args, "--idempotency-key");
+  const parsedArgs = normalizeArgv(args);
+  const valueFlags = ["--to", "--abi", "--fn", "--args", "--value-wei", "--chain", "--idempotency-key"];
+  assertKnownFlags(parsedArgs, [...valueFlags, "--help", "-h"], valueFlags);
+  const extra = positionalArgs(parsedArgs, valueFlags);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts call: ${extra[0]}` });
+  }
+  const to = flagValue(parsedArgs, "--to");
+  const abi = flagValue(parsedArgs, "--abi");
+  const fn = flagValue(parsedArgs, "--fn");
+  const argsJson = flagValue(parsedArgs, "--args");
+  const value = flagValue(parsedArgs, "--value-wei");
+  const chain = flagValue(parsedArgs, "--chain") || "base-mainnet";
+  const idempotency = flagValue(parsedArgs, "--idempotency-key");
   if (!to || !abi || !fn || !argsJson) {
     fail({
       code: "BAD_USAGE",
@@ -243,9 +291,11 @@ async function call(projectId, walletId, args) {
       hint: "Cost: chain gas + $0.000005 KMS sign fee.",
     });
   }
+  assertAllowedValue(chain, ["base-mainnet", "base-sepolia"], "--chain");
   if (value !== null) validateWeiFlag("--value-wei", value);
   const abiFragment = parseFlagJson("--abi", abi);
   const callArgs = parseFlagJson("--args", argsJson);
+  validateEvmAddress(to, "--to");
   try {
     const data = await getSdk().contracts.call(projectId, {
       walletId,
@@ -264,19 +314,28 @@ async function call(projectId, walletId, args) {
 }
 
 async function read(args) {
-  const chain = parseFlag(args, "--chain");
-  const to = parseFlag(args, "--to");
-  const abi = parseFlag(args, "--abi");
-  const fn = parseFlag(args, "--fn");
-  const argsJson = parseFlag(args, "--args");
+  const parsedArgs = normalizeArgv(args);
+  const valueFlags = ["--chain", "--to", "--abi", "--fn", "--args"];
+  assertKnownFlags(parsedArgs, [...valueFlags, "--help", "-h"], valueFlags);
+  const extra = positionalArgs(parsedArgs, valueFlags);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts read: ${extra[0]}` });
+  }
+  const chain = flagValue(parsedArgs, "--chain");
+  const to = flagValue(parsedArgs, "--to");
+  const abi = flagValue(parsedArgs, "--abi");
+  const fn = flagValue(parsedArgs, "--fn");
+  const argsJson = flagValue(parsedArgs, "--args");
   if (!chain || !to || !abi || !fn || !argsJson) {
     fail({
       code: "BAD_USAGE",
       message: "Required flags: --chain, --to, --abi, --fn, --args",
     });
   }
+  assertAllowedValue(chain, ["base-mainnet", "base-sepolia"], "--chain");
   const abiFragment = parseFlagJson("--abi", abi);
   const callArgs = parseFlagJson("--args", argsJson);
+  validateEvmAddress(to, "--to");
   try {
     const data = await getSdk().contracts.read({
       chain,
@@ -291,7 +350,13 @@ async function read(args) {
   }
 }
 
-async function status(projectId, callId) {
+async function status(projectId, callId, args = []) {
+  const parsedArgs = normalizeArgv(args);
+  assertKnownFlags(parsedArgs, ["--help", "-h"]);
+  const extra = positionalArgs(parsedArgs);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts status: ${extra[0]}` });
+  }
   try {
     const data = await getSdk().contracts.callStatus(projectId, callId);
     console.log(JSON.stringify(data, null, 2));
@@ -301,14 +366,22 @@ async function status(projectId, callId) {
 }
 
 async function drain(projectId, walletId, args) {
-  const to = parseFlag(args, "--to");
-  if (!to || !hasFlag(args, "--confirm")) {
+  const parsedArgs = normalizeArgv(args);
+  const valueFlags = ["--to"];
+  assertKnownFlags(parsedArgs, [...valueFlags, "--confirm", "--help", "-h"], valueFlags);
+  const extra = positionalArgs(parsedArgs, valueFlags);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts drain: ${extra[0]}` });
+  }
+  const to = flagValue(parsedArgs, "--to");
+  if (!to || !hasFlag(parsedArgs, "--confirm")) {
     fail({
       code: "BAD_USAGE",
       message: "Required: --to 0x... and --confirm.",
       hint: "Cost: chain gas + $0.000005 KMS sign fee.",
     });
   }
+  validateEvmAddress(to, "--to");
   try {
     const data = await getSdk().contracts.drain(projectId, walletId, to);
     console.log(JSON.stringify(data, null, 2));
@@ -318,7 +391,13 @@ async function drain(projectId, walletId, args) {
 }
 
 async function deleteWallet(projectId, walletId, args) {
-  if (!hasFlag(args, "--confirm")) {
+  const parsedArgs = normalizeArgv(args);
+  assertKnownFlags(parsedArgs, ["--confirm", "--help", "-h"]);
+  const extra = positionalArgs(parsedArgs);
+  if (extra.length > 0) {
+    fail({ code: "BAD_USAGE", message: `Unexpected argument for contracts delete: ${extra[0]}` });
+  }
+  if (!hasFlag(parsedArgs, "--confirm")) {
     fail({ code: "BAD_USAGE", message: "Required: --confirm" });
   }
   try {
@@ -334,13 +413,13 @@ export async function run(sub, args) {
   if (Array.isArray(args) && (args.includes("--help") || args.includes("-h"))) { console.log(SUB_HELP[sub] || HELP); process.exit(0); }
   switch (sub) {
     case "provision-wallet": await provisionWallet(args[0], args.slice(1)); break;
-    case "get-wallet":       await getWallet(args[0], args[1]); break;
-    case "list-wallets":     await listWallets(args[0]); break;
+    case "get-wallet":       await getWallet(args[0], args[1], args.slice(2)); break;
+    case "list-wallets":     await listWallets(args[0], args.slice(1)); break;
     case "set-recovery":     await setRecovery(args[0], args[1], args.slice(2)); break;
     case "set-alert":        await setAlert(args[0], args[1], args.slice(2)); break;
     case "call":             await call(args[0], args[1], args.slice(2)); break;
     case "read":             await read(args); break;
-    case "status":           await status(args[0], args[1]); break;
+    case "status":           await status(args[0], args[1], args.slice(2)); break;
     case "drain":            await drain(args[0], args[1], args.slice(2)); break;
     case "delete":           await deleteWallet(args[0], args[1], args.slice(2)); break;
     default: