From 0f1697386e8ba079a520a9b246ccbe5ba23cb661 Mon Sep 17 00:00:00 2001
From: Cho Young-Hwi <cyh76507707@gmail.com>
Date: Sun, 15 Mar 2026 14:43:43 +0000
Subject: [PATCH] [#133] Add isAddress() validation before Address casts in CLI

---
 packages/cli/src/commands/agent-register.ts | 7 ++++++-
 packages/cli/src/commands/claim.ts          | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/packages/cli/src/commands/agent-register.ts b/packages/cli/src/commands/agent-register.ts
index 1efd30bb..9f578b18 100644
--- a/packages/cli/src/commands/agent-register.ts
+++ b/packages/cli/src/commands/agent-register.ts
@@ -1,5 +1,6 @@
 import type { Command } from "commander";
 import type { Address } from "viem";
+import { isAddress } from "viem";
 import { buildClient } from "../sdk.js";
 
 export function registerAgentRegister(program: Command): void {
@@ -26,9 +27,13 @@ export function registerAgentRegister(program: Command): void {
         skipWallet?: boolean;
       }) => {
         try {
-          // Resolve wallet key from env BEFORE spending gas on registration
+          // Validate wallet address and key BEFORE spending gas on registration
           let walletKey: string | undefined;
           if (opts.wallet && !opts.skipWallet) {
+            if (!isAddress(opts.wallet)) {
+              console.error(`Invalid address: ${opts.wallet}`);
+              process.exit(1);
+            }
             walletKey = process.env.PLOTLINK_AGENT_WALLET_KEY;
             if (!walletKey) {
               console.error(
diff --git a/packages/cli/src/commands/claim.ts b/packages/cli/src/commands/claim.ts
index e6150bb8..0e5c7fd1 100644
--- a/packages/cli/src/commands/claim.ts
+++ b/packages/cli/src/commands/claim.ts
@@ -1,5 +1,6 @@
 import type { Command } from "commander";
 import type { Address } from "viem";
+import { isAddress } from "viem";
 import { buildClient } from "../sdk.js";
 
 export function registerClaim(program: Command): void {
@@ -9,6 +10,10 @@ export function registerClaim(program: Command): void {
     .requiredOption("-a, --address <tokenAddress>", "Storyline ERC-20 token address")
     .action(async (opts: { address: string }) => {
       try {
+        if (!isAddress(opts.address)) {
+          console.error(`Invalid address: ${opts.address}`);
+          process.exit(1);
+        }
         const tokenAddress = opts.address as Address;
         const client = buildClient({ ipfs: false });