feat: add @metamask/wallet-cli package scaffold

[sirtimid]

Explanation

This adds @metamask/wallet-cli — an oclif-based mm CLI for @metamask/wallet, intended to run the wallet as a background daemon and dispatch messenger actions to it.

This first PR is the package scaffold only: a buildable, lintable, and testable package with the mm binary launcher (bin/run.mjs) and a couple of pure daemon path helpers, but no subcommands yet. oclif renders mm --help / mm --version even with no commands registered, so the package is exercisable end to end. Functionality is added incrementally in follow-up PRs (SQLite persistence, the Unix-socket daemon transport, the Wallet factory, and the daemon subcommands) so each stays small and self-contained.

Because the package is a CLI tool rather than a published library, it is registered in the TOOLS list in yarn.config.cjs — which exempts it from the library exports / main / types and build:docs constraints — matching how @metamask/messenger-cli is handled. The remaining changes outside packages/wallet-cli/ are the standard new-package registration: ESLint overrides, root tsconfig project references, CODEOWNERS, teams.json, and the generated root README dependency graph.

References

N/A

Checklist

• I've updated the test suite for new or updated code as appropriate (the getDaemonPaths helper is covered to 100%)
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've communicated my changes to consumers by updating changelogs for packages I've changed
• I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

---

Note

Low Risk
New CLI package and lint/yarn config only; no wallet runtime, daemon, or messenger integration in this diff.

Overview
Introduces @metamask/wallet-cli, an oclif-based mm CLI aimed at running @metamask/wallet as a background daemon. This PR is scaffold only: bin/run.mjs / run.cmd, oclif metadata pointing at ./dist/commands, and @oclif/core as a runtime dependency—no subcommands yet (help/version still work via oclif).

The package is reshaped as a tool, not a library: library main / types / full exports and typedoc tooling are removed; published files include bin/; yarn.config.cjs adds it to TOOLS (same pattern as messenger-cli). Adds getDaemonPaths plus DaemonPaths types for socket, PID, log, and DB paths under a data dir, with a unit test. Placeholder greeter index is deleted.

Repo wiring: ESLint overrides for wallet-cli src, tests, and bin; tsconfig includes ./bin; changelog Unreleased entry.

^{Reviewed by Cursor Bugbot for commit 5ef15ec. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	semver@​7.8.1 ⏵ 7.8.2	+1		+1
	@​oclif/​core@​4.11.4

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

• ejs@3.1.10
• jake@10.9.4
• filelist@1.0.6

View full report

[sirtimid]

@SocketSecurity ignore npm/jake@10.9.4
@SocketSecurity ignore npm/ejs@3.1.10
@SocketSecurity ignore npm/filelist@1.0.6

All three are transitive dependencies of @oclif/core (@oclif/core → ejs → jake → filelist) and are not imported by our code — this package only imports @oclif/core (in bin/run.mjs) and node:path.

Research:

• The jake "system shell access" flag is its legitimate task-runner use of child_process — that's the entire purpose of "JavaScript make." Not a compromise signal.
• The AI code-anomaly notes for all three confirm no malware: ejs is the "standard EJS template engine… no indicators of intentional malware (no network exfiltration, no reverse shells, no obfuscated backdoors)"; filelist is a "legitimate file-listing utility… no evidence of malicious activity"; jake is a "conventional CLI bootstrap for a build tool… no clear signs of malicious activity."
• No CVEs (Socket Vulnerability score 100/100 on @oclif/core).
• ejs's only real risk surface (template compilation via the Function constructor) is not reachable here: we only call oclif's execute() and never render untrusted templates. jake/filelist are ejs's build tooling, not on its render path.
• These are mature, widely-used packages (@oclif/core supply-chain score 98), and this exact dependency subtree already shipped via the prior CI-green @oclif/core@^4.10.5 work.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c85b8d2. Configure here.}

[grypez]

LGTM