vigthoria-cli 1.10.1 → 1.10.37

package/dist/commands/config.js

@@ -5,6 +5,7 @@ import chalk from 'chalk';
 import inquirer from 'inquirer';
 import * as fs from 'fs';
 import * as path from 'path';
+import { normalizePersonaMode } from '../utils/persona.js';
 import { CH } from '../utils/logger.js';
 export class ConfigCommand {
     config;
@@ -164,6 +165,12 @@ export class ConfigCommand {
             'modelsApiUrl': (v) => this.config.set('modelsApiUrl', v),
             'wsUrl': (v) => this.config.set('wsUrl', v),
             'selfHostedModelsApiUrl': (v) => this.config.set('selfHostedModelsApiUrl', v === 'null' || v === 'off' ? null : v),
+            'persona': (v) => {
+                const mode = normalizePersonaMode(v);
+                if (!mode)
+                    throw new Error('Invalid persona. Use: default or wiener_grant');
+                this.config.set('persona', mode);
+            },
         };
         if (configMap[key]) {
             configMap[key](value);
@@ -171,7 +178,7 @@ export class ConfigCommand {
         }
         else {
             this.logger.error(`Unknown config key: ${key}`);
-            console.log(chalk.gray('Available keys: model, theme, autoApply, showDiffs, maxTokens, apiUrl, modelsApiUrl, wsUrl, selfHostedModelsApiUrl'));
+            console.log(chalk.gray('Available keys: model, theme, autoApply, showDiffs, maxTokens, persona, apiUrl, modelsApiUrl, wsUrl, selfHostedModelsApiUrl'));
         }
     }
     formatConfigValueForDisplay(key, value) {
@@ -214,6 +221,7 @@ export class ConfigCommand {
             maxTokens: all.preferences.maxTokens,
             email: all.email,
             plan: all.subscription.plan,
+            persona: all.persona,
         };
         if (key in flatConfig) {
             console.log(flatConfig[key]);
@@ -231,7 +239,7 @@ export class ConfigCommand {
         console.log(chalk.gray('  URL: ') + chalk.cyan(this.redactConfigUrl(all.apiUrl)));
         console.log(chalk.gray('  Models API: ') + chalk.cyan(this.redactConfigUrl(all.modelsApiUrl)));
         console.log(chalk.gray('  WebSocket: ') + chalk.cyan(this.redactConfigUrl(all.wsUrl)));
-        console.log(chalk.gray('  Self-hosted Models: ') + chalk.cyan(all.selfHostedModelsApiUrl || 'disabled'));
+        console.log(chalk.gray('  Vigthoria Model Endpoint: ') + chalk.cyan(all.selfHostedModelsApiUrl || 'default'));
         console.log();
         console.log(chalk.white('Preferences:'));
         console.log(chalk.gray('  Default Model: ') + chalk.cyan(all.preferences.defaultModel));
@@ -239,6 +247,7 @@ export class ConfigCommand {
         console.log(chalk.gray('  Auto Apply Fixes: ') + chalk.cyan(all.preferences.autoApplyFixes));
         console.log(chalk.gray('  Show Diffs: ') + chalk.cyan(all.preferences.showDiffs));
         console.log(chalk.gray('  Max Tokens: ') + chalk.cyan(all.preferences.maxTokens));
+        console.log(chalk.gray('  Persona: ') + chalk.cyan(all.persona));
         console.log();
         console.log(chalk.white('Project:'));
         console.log(chalk.gray('  Ignore Patterns: ') + chalk.gray(all.project.ignorePatterns.join(', ')));

package/dist/commands/legion.js

@@ -68,7 +68,6 @@ export class LegionCommand {
         const serviceKey = this.getLegionServiceKey();
         if (serviceKey) {
             headers['X-Service-Key'] = serviceKey;
-            return headers;
         }
         const token = this.config.get('authToken');
         if (token) {
@@ -861,6 +860,7 @@ export class LegionCommand {
         }
         const endpoints = [
             '/api/viagen6/vigcoin/balance',
+            '/api/user/vigcoin/balance',
             '/api/user/subscription',
             '/api/user/info',
             '/api/user/profile',
@@ -868,6 +868,7 @@ export class LegionCommand {
             '/api/billing/wallet',
             '/api/billing/credits',
         ];
+        let sawUnauthorized = false;
         for (const endpoint of endpoints) {
             try {
                 const response = await fetch(`${baseUrl}${endpoint}`, {
@@ -876,6 +877,9 @@ export class LegionCommand {
                     headers,
                 });
                 if (!response.ok) {
+                    if (response.status === 401 || response.status === 403) {
+                        sawUnauthorized = true;
+                    }
                     continue;
                 }
                 const payload = await this.readJsonResponse(response, `wallet balance request ${endpoint}`);
@@ -901,7 +905,9 @@ export class LegionCommand {
             vigcoinBalance: null,
             source: null,
             purchaseUrl: `${baseUrl}/music/store#vigcoins`,
-            error: 'Wallet endpoint unavailable from current gateway session',
+            error: sawUnauthorized
+                ? 'Wallet session expired or unauthorized. Run: vigthoria login'
+                : 'Wallet endpoint unavailable from current gateway session',
         };
     }
     async attemptDirectCharge(vigcoinNeeded) {

package/dist/commands/wallet.d.ts

@@ -0,0 +1,25 @@
+/**
+ * wallet.ts — VigCoin wallet management for Vigthoria CLI.
+ *
+ *   vigthoria wallet balance          — show current balance
+ *   vigthoria wallet history [--n 20] — recent transactions
+ *   vigthoria wallet cloud-status     — show cloud access and model pricing
+ */
+export interface WalletOptions {
+    n?: number;
+    json?: boolean;
+}
+export declare class WalletCommand {
+    private config;
+    private logger;
+    constructor();
+    private getBaseUrl;
+    private getToken;
+    private getRefreshToken;
+    private refreshAccessToken;
+    private parseResponseBody;
+    private apiFetch;
+    showBalance(opts?: WalletOptions): Promise<void>;
+    showHistory(opts?: WalletOptions): Promise<void>;
+    showCloudStatus(opts?: WalletOptions): Promise<void>;
+}

package/dist/commands/wallet.js

@@ -0,0 +1,191 @@
+/**
+ * wallet.ts — VigCoin wallet management for Vigthoria CLI.
+ *
+ *   vigthoria wallet balance          — show current balance
+ *   vigthoria wallet history [--n 20] — recent transactions
+ *   vigthoria wallet cloud-status     — show cloud access and model pricing
+ */
+import chalk from 'chalk';
+import { Config } from '../utils/config.js';
+import { Logger } from '../utils/logger.js';
+export class WalletCommand {
+    config;
+    logger;
+    constructor() {
+        this.config = new Config();
+        this.logger = new Logger();
+    }
+    getBaseUrl() {
+        return String(this.config.get('apiUrl') || 'https://coder.vigthoria.io').replace(/\/$/, '');
+    }
+    getToken() {
+        return this.config.get('authToken') || null;
+    }
+    getRefreshToken() {
+        return this.config.get('refreshToken') || null;
+    }
+    async refreshAccessToken() {
+        const refreshToken = this.getRefreshToken();
+        if (!refreshToken)
+            return false;
+        try {
+            const response = await fetch(`${this.getBaseUrl()}/api/token/refresh`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ refresh_token: refreshToken }),
+            });
+            if (!response.ok)
+                return false;
+            const payload = await response.json();
+            const nextToken = payload.token || payload.access_token;
+            if (!nextToken)
+                return false;
+            this.config.set('authToken', nextToken);
+            if (payload.refresh_token) {
+                this.config.set('refreshToken', payload.refresh_token);
+            }
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async parseResponseBody(resp) {
+        const raw = await resp.text();
+        if (!raw.trim())
+            return {};
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            return { error: raw.slice(0, 240) };
+        }
+    }
+    async apiFetch(path) {
+        const url = `${this.getBaseUrl()}${path}`;
+        const runRequest = async (token) => fetch(url, {
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Cookie: `vigthoria-auth-token=${token}`,
+            },
+        });
+        let token = this.getToken();
+        if (!token)
+            throw new Error('Not authenticated. Run: vigthoria login');
+        let resp = await runRequest(token);
+        if (resp.status === 401 || resp.status === 403) {
+            const refreshed = await this.refreshAccessToken();
+            if (refreshed) {
+                token = this.getToken();
+                if (token) {
+                    resp = await runRequest(token);
+                }
+            }
+        }
+        const body = await this.parseResponseBody(resp);
+        if (!resp.ok) {
+            const err = body.error
+                || body.message
+                || `HTTP ${resp.status}`;
+            throw new Error(err);
+        }
+        return body;
+    }
+    async showBalance(opts = {}) {
+        try {
+            const data = await this.apiFetch('/api/user/vigcoin/balance');
+            if (opts.json) {
+                console.log(JSON.stringify(data, null, 2));
+                return;
+            }
+            console.log('');
+            console.log(chalk.bold.cyan('  VigCoin Wallet'));
+            console.log(chalk.gray('  ─────────────────────────────'));
+            console.log(`  Balance:         ${chalk.bold.yellow(data.balance.toLocaleString())} ⓥ`);
+            console.log(`  Lifetime earned: ${chalk.green(data.lifetimeEarned.toLocaleString())} ⓥ`);
+            console.log(`  Lifetime spent:  ${chalk.red(data.lifetimeSpent.toLocaleString())} ⓥ`);
+            if (data.lastUpdated) {
+                console.log(`  Last updated:    ${chalk.gray(new Date(data.lastUpdated).toLocaleString())}`);
+            }
+            console.log('');
+            console.log(chalk.gray('  Top up at: https://hub.vigthoria.io/credits'));
+            console.log('');
+        }
+        catch (err) {
+            this.logger.error(err.message);
+            process.exit(1);
+        }
+    }
+    async showHistory(opts = {}) {
+        const limit = Math.max(1, Math.min(100, opts.n || 20));
+        try {
+            const data = await this.apiFetch(`/api/user/vigcoin/transactions?limit=${limit}`);
+            if (opts.json) {
+                console.log(JSON.stringify(data, null, 2));
+                return;
+            }
+            const txs = data.transactions || [];
+            console.log('');
+            console.log(chalk.bold.cyan(`  VigCoin Transaction History (last ${txs.length})`));
+            console.log(chalk.gray('  ──────────────────────────────────────────────────────────'));
+            if (txs.length === 0) {
+                console.log(chalk.gray('  No transactions found.'));
+            }
+            else {
+                for (const tx of txs) {
+                    const sign = tx.amount >= 0 ? chalk.green(`+${tx.amount}`) : chalk.red(String(tx.amount));
+                    const date = new Date(tx.created_at).toLocaleString();
+                    const desc = tx.description || tx.action || tx.type;
+                    console.log(`  ${chalk.gray(date)}  ${sign.padStart(8)} ⓥ  ${chalk.gray(`→`)} ${chalk.yellow(tx.balance_after)} ⓥ  ${desc}`);
+                }
+            }
+            console.log('');
+        }
+        catch (err) {
+            this.logger.error(err.message);
+            process.exit(1);
+        }
+    }
+    async showCloudStatus(opts = {}) {
+        try {
+            const data = await this.apiFetch('/api/user/cloud-access/status');
+            if (opts.json) {
+                console.log(JSON.stringify(data, null, 2));
+                return;
+            }
+            console.log('');
+            console.log(chalk.bold.cyan('  Cloud Access Status'));
+            console.log(chalk.gray('  ─────────────────────────────'));
+            if (data.isMasterAdmin) {
+                console.log(`  Access: ${chalk.bold.green('Master Admin — unlimited cloud access')}`);
+            }
+            else if (data.hasGrant) {
+                const models = data.grantDetails?.allowedModels === '*' ? 'All models' : data.grantDetails?.allowedModels;
+                const exp = data.grantDetails?.expiresAt ? ` (expires ${new Date(data.grantDetails.expiresAt).toLocaleDateString()})` : '';
+                console.log(`  Access: ${chalk.green(`Granted — ${models}${exp}`)}`);
+            }
+            else if (data.cloudAccessAllowed) {
+                console.log(`  Access: ${chalk.yellow('Enabled — pay per request with VigCoins')}`);
+            }
+            else {
+                console.log(`  Access: ${chalk.red('Not enabled — contact admin to request cloud access')}`);
+            }
+            console.log('');
+            if (data.cloudModels) {
+                console.log(chalk.bold('  Cloud Model Pricing'));
+                console.log(chalk.gray('  ─────────────────────────────'));
+                for (const [alias, cost] of Object.entries(data.cloudModels)) {
+                    const displayName = alias.replace('vigthoria-cloud-', '').replace(/\b\w/g, c => c.toUpperCase());
+                    console.log(`  ${chalk.cyan(`vigthoria-cloud-${displayName.toLowerCase()}`).padEnd(36)}  ${chalk.yellow(String(cost))} credits minimum reserve, then token-priced`);
+                }
+                console.log('');
+                console.log(chalk.gray('  Use --model vigthoria-cloud-fast|balanced|code|power|maximum in vigthoria chat'));
+            }
+            console.log('');
+        }
+        catch (err) {
+            this.logger.error(err.message);
+            process.exit(1);
+        }
+    }
+}

package/dist/index.js

@@ -15,7 +15,7 @@
  *   vigthoria workflow          - Manage repeatable VigFlow workflows
  *   vigthoria operator          - Start BMAD operator mode
  */
-import { Command } from 'commander';
+import { Command, Option } from 'commander';
 import { ChatCommand } from './commands/chat.js';
 import { EditCommand } from './commands/edit.js';
 import { GenerateCommand } from './commands/generate.js';
@@ -36,6 +36,7 @@ import { ReplayCommand } from './commands/replay.js';
 import { ForkCommand } from './commands/fork.js';
 import { CancelCommand } from './commands/cancel.js';
 import { SecurityCommand } from './commands/security.js';
+import { WalletCommand } from './commands/wallet.js';
 import { Config } from './utils/config.js';
 import { Logger, CH } from './utils/logger.js';
 import chalk from 'chalk';
@@ -63,6 +64,56 @@ function getInvokedBinaryName() {
     const executable = process.argv[1] || 'vigthoria';
     return path.basename(executable, path.extname(executable)).toLowerCase();
 }
+function detectRuntimeEnvironment(cwd) {
+    const osPlatform = process.platform;
+    const normalizedPlatform = osPlatform === 'win32'
+        ? 'windows'
+        : osPlatform === 'darwin'
+            ? 'macos'
+            : osPlatform === 'linux'
+                ? 'linux'
+                : 'unknown';
+    const release = os.release();
+    const isWSL = normalizedPlatform === 'linux' && (/microsoft/i.test(release)
+        || Boolean(process.env.WSL_DISTRO_NAME)
+        || Boolean(process.env.WSL_INTEROP));
+    let isContainer = false;
+    try {
+        if (fs.existsSync('/.dockerenv')) {
+            isContainer = true;
+        }
+        else if (fs.existsSync('/proc/1/cgroup')) {
+            const cgroup = fs.readFileSync('/proc/1/cgroup', 'utf8');
+            isContainer = /(docker|containerd|kubepods|podman)/i.test(cgroup);
+        }
+    }
+    catch {
+        isContainer = false;
+    }
+    const isCodespaces = String(process.env.CODESPACES || '').toLowerCase() === 'true';
+    const isCI = String(process.env.CI || '').toLowerCase() === 'true';
+    const isMobileLikeRuntime = Boolean(process.env.TERMUX_VERSION
+        || process.env.ANDROID_ROOT
+        || process.env.IOS_SIMULATOR_DEVICE_NAME
+        || /\/var\/mobile\//.test(cwd));
+    const workspaceKind = cwd.startsWith('/var/www/') || cwd.startsWith('/opt/vigthoria')
+        ? 'server-workspace'
+        : 'local-machine';
+    return {
+        osPlatform,
+        normalizedPlatform,
+        arch: process.arch,
+        release,
+        isWSL,
+        isContainer,
+        isCodespaces,
+        isCI,
+        isMobileLikeRuntime,
+        workspaceKind,
+        cwd,
+        shell: process.env.SHELL || process.env.ComSpec || null,
+    };
+}
 // Get version from package.json dynamically
 function getPackageMetadataPaths() {
     return [
@@ -149,7 +200,21 @@ function compareVersions(v1, v2) {
     return 0;
 }
 const VERSION = getVersion();
+function hiddenGrantOption() {
+    return new Option('--grant', 'Use optional Wiener Grantler persona for this invocation').hideHelp();
+}
+function allowInsecureCliVersionInstall() {
+    return /^(1|true|yes)$/i.test(String(process.env.VIGTHORIA_ALLOW_INSECURE_CLI_VERSION || ''));
+}
+function extractVersionFromUpdateTarget(target) {
+    const match = target.match(/(?:@|[-_])([0-9]+\.[0-9]+\.[0-9]+)(?:\.tgz)?(?:$|[^0-9])/);
+    return match ? match[1] : null;
+}
+function isBelowSecureCliBaseline(version) {
+    return compareVersions(version, VIGTHORIA_MIN_SECURE_CLI_VERSION) < 0;
+}
 const VIGTHORIA_DEFAULT_MANIFEST_URL = process.env.VIGTHORIA_UPDATE_MANIFEST_URL || "https://coder.vigthoria.io/releases/manifest.json";
+const VIGTHORIA_MIN_SECURE_CLI_VERSION = '1.10.22';
 function resolveManifestEntry(manifest, channel) {
     const normalized = String(channel || 'stable').trim() || 'stable';
     if (manifest.channels && manifest.channels[normalized]) {
@@ -524,7 +589,8 @@ export async function main(args) {
     program
         .name(invokedBinaryName === 'vigthoria-chat' ? 'vigthoria-chat' : 'vigthoria')
         .description('AI-powered terminal coding assistant for Vigthoria Coder subscribers')
-        .version(VERSION);
+        .version(VERSION)
+        .addOption(hiddenGrantOption());
     // Chat command - Interactive mode (Agent mode is default for best results)
     program
         .command('chat')
@@ -541,6 +607,7 @@ export async function main(args) {
         .option('--json', 'Emit machine-readable JSON output for direct prompt runs', false)
         .option('--auto-approve', 'Auto-approve agent actions (dangerous!)', false)
         .option('--bridge <url>', 'Connect to Vigthoria Commando Bridge for remote admin observability')
+        .addOption(hiddenGrantOption())
         .action(async (options) => {
         const chat = new ChatCommand(config, logger);
         await chat.run({
@@ -555,6 +622,7 @@ export async function main(args) {
             resume: options.resume,
             prompt: options.prompt,
             bridge: options.bridge,
+            grant: options.grant || program.opts().grant === true,
         });
     });
     program
@@ -570,6 +638,7 @@ export async function main(args) {
         .option('--json', 'Emit machine-readable JSON output for direct prompt runs', false)
         .option('--auto-approve', 'Auto-approve agent actions (dangerous!)', false)
         .option('--bridge <url>', 'Connect to Vigthoria Commando Bridge for remote admin observability')
+        .addOption(hiddenGrantOption())
         .action(async (options) => {
         const chat = new ChatCommand(config, logger);
         await chat.run({
@@ -584,6 +653,7 @@ export async function main(args) {
             resume: true,
             prompt: options.prompt,
             bridge: options.bridge,
+            grant: options.grant || program.opts().grant === true,
         });
     });
     // Agent command - Agentic mode (Vigthoria Autonomous)
@@ -600,6 +670,7 @@ export async function main(args) {
         .option('--json', 'Emit machine-readable JSON output for direct prompt runs', false)
         .option('--auto-approve', 'Auto-approve all actions (dangerous!)', false)
         .option('--bridge <url>', 'Connect to Vigthoria Commando Bridge for remote admin observability')
+        .addOption(hiddenGrantOption())
         .action(async (options) => {
         const chat = new ChatCommand(config, logger);
         await chat.run({
@@ -614,6 +685,7 @@ export async function main(args) {
             autoApprove: options.autoApprove,
             prompt: options.prompt,
             bridge: options.bridge,
+            grant: options.grant || program.opts().grant === true,
         });
     });
     program
@@ -628,6 +700,7 @@ export async function main(args) {
         .option('--save-plan', 'Save the completed BMAD plan into VigFlow for rerun and audit', false)
         .option('--json', 'Emit machine-readable JSON output for direct prompt runs', false)
         .option('--bridge <url>', 'Connect to Vigthoria Commando Bridge for remote admin observability')
+        .addOption(hiddenGrantOption())
         .action(async (options) => {
         const chat = new ChatCommand(config, logger);
         await chat.run({
@@ -642,6 +715,7 @@ export async function main(args) {
             json: options.json,
             prompt: options.prompt,
             bridge: options.bridge,
+            grant: options.grant || program.opts().grant === true,
         });
     });
     program
@@ -1295,10 +1369,25 @@ Examples:
         const offline = isOfflineMode();
         const updateSuppressed = isUpdateCheckSuppressed();
         const subscription = config.get('subscription') || { plan: null, status: null, expiresAt: null };
+        const runtime = detectRuntimeEnvironment(process.cwd());
+        const warnings = [];
+        if (runtime.normalizedPlatform === 'unknown') {
+            warnings.push('Unknown OS platform detected. Run `vigthoria doctor --check-api` before agent tasks.');
+        }
+        if (runtime.isMobileLikeRuntime) {
+            warnings.push('Mobile-like runtime detected (Termux/iOS-style path). Vigthoria CLI agent tooling is optimized for desktop/server shells.');
+        }
+        if (runtime.isWSL) {
+            warnings.push('WSL detected. Prefer Linux-style paths and keep projects inside the WSL filesystem for stable tool execution.');
+        }
+        if (/127\.0\.0\.1:1/.test(modelsApiUrl)) {
+            warnings.push('modelsApiUrl is set to 127.0.0.1:1 (unreachable). Set modelsApiUrl to https://api.vigthoria.io or your local model router.');
+        }
         const report = {
             cliVersion: VERSION,
             nodeVersion: process.version,
             platform: `${process.platform} ${process.arch}`,
+            runtimeEnvironment: runtime,
             cwd: process.cwd(),
             homeDir: os.homedir(),
             configPath: config.getConfigPath(),
@@ -1310,6 +1399,7 @@ Examples:
             subscriptionStatus: subscription.status || null,
             offlineMode: offline,
             updateCheckSuppressed: updateSuppressed,
+            warnings,
             envOverrides: {
                 VIGTHORIA_API_URL: process.env.VIGTHORIA_API_URL || null,
                 VIGTHORIA_V3_AGENT_URL: process.env.VIGTHORIA_V3_AGENT_URL || null,
@@ -1354,6 +1444,12 @@ Examples:
             if (!options.checkApi) {
                 console.log(chalk.gray('\nTip: pass --check-api to verify API reachability.'));
             }
+            if (warnings.length > 0) {
+                console.log(chalk.yellow('\nEnvironment warnings:'));
+                for (const warning of warnings) {
+                    console.log(chalk.yellow(`- ${warning}`));
+                }
+            }
         }
         process.exitCode = 0;
     });
@@ -1428,6 +1524,21 @@ Examples:
                 return;
             }
             try {
+                if (!allowInsecureCliVersionInstall()) {
+                    const detectedVersion = extractVersionFromUpdateTarget(updateTarget);
+                    if (!detectedVersion) {
+                        console.error(chalk.red('Refusing custom update source: unable to verify CLI version in update target.'));
+                        console.error(chalk.gray(`Allowed floor: ${VIGTHORIA_MIN_SECURE_CLI_VERSION}. Set VIGTHORIA_ALLOW_INSECURE_CLI_VERSION=1 only for trusted admin recovery.`));
+                        process.exitCode = 1;
+                        return;
+                    }
+                    if (isBelowSecureCliBaseline(detectedVersion)) {
+                        console.error(chalk.red(`Refusing insecure CLI version ${detectedVersion}.`));
+                        console.error(chalk.gray(`Minimum secure CLI version is ${VIGTHORIA_MIN_SECURE_CLI_VERSION}.`));
+                        process.exitCode = 1;
+                        return;
+                    }
+                }
                 if (options.check) {
                     console.log(chalk.cyan(`Update source configured: ${updateTarget}`));
                     console.log(chalk.gray('Run `vigthoria update --from <target>` to install from this source'));
@@ -1465,6 +1576,12 @@ Examples:
                     process.exitCode = 1;
                     return;
                 }
+                if (!allowInsecureCliVersionInstall() && isBelowSecureCliBaseline(entry.version)) {
+                    console.error(chalk.red(`Refusing insecure manifest CLI version ${entry.version} for channel ${channel}.`));
+                    console.error(chalk.gray(`Minimum secure CLI version is ${VIGTHORIA_MIN_SECURE_CLI_VERSION}.`));
+                    process.exitCode = 1;
+                    return;
+                }
                 const currentVersion = VERSION;
                 const comparison = compareVersions(entry.version, currentVersion);
                 if (!allowDowngrade && comparison <= 0) {
@@ -1533,6 +1650,12 @@ Examples:
                 windowsHide: true,
             }).trim();
             const currentVersion = VERSION;
+            if (!allowInsecureCliVersionInstall() && isBelowSecureCliBaseline(latestVersion)) {
+                console.error(chalk.red(`Refusing insecure npm latest CLI version ${latestVersion}.`));
+                console.error(chalk.gray(`Minimum secure CLI version is ${VIGTHORIA_MIN_SECURE_CLI_VERSION}.`));
+                process.exitCode = 1;
+                return;
+            }
             // Use semantic version comparison (1.6.0 > 1.5.9)
             const comparison = compareVersions(latestVersion, currentVersion);
             if (comparison <= 0) {
@@ -1627,6 +1750,39 @@ Examples:
             });
         });
     }
+    // Wallet command — balance, transaction history, cloud access status
+    const walletCommand = program
+        .command('wallet')
+        .alias('w')
+        .description('Manage your VigCoin wallet and cloud access');
+    walletCommand
+        .command('balance')
+        .alias('bal')
+        .description('Show current VigCoin balance')
+        .option('--json', 'Emit JSON output', false)
+        .action(async (options) => {
+        const wallet = new WalletCommand();
+        await wallet.showBalance({ json: options.json });
+    });
+    walletCommand
+        .command('history')
+        .alias('hist')
+        .description('Show recent VigCoin transactions')
+        .option('-n, --n <number>', 'Number of transactions to show (default: 20)', parseInt)
+        .option('--json', 'Emit JSON output', false)
+        .action(async (options) => {
+        const wallet = new WalletCommand();
+        await wallet.showHistory({ n: options.n, json: options.json });
+    });
+    walletCommand
+        .command('cloud-status')
+        .alias('cs')
+        .description('Show cloud model access status and pricing')
+        .option('--json', 'Emit JSON output', false)
+        .action(async (options) => {
+        const wallet = new WalletCommand();
+        await wallet.showCloudStatus({ json: options.json });
+    });
     try {
         // Default to chat if no command
         if (args.length === 2) {