One-Prompt Demo

Run the BattleChain security demo end to end, explaining each step as you go.

1. Read https://docs.battlechain.com/llms-full.txt for context on BattleChain.

2. Make a fresh folder for this demo so it stays out of my current project — e.g. `mkdir -p ~/battlechain-demo && cd ~/battlechain-demo` — and do all the work there. Make sure I have `just` (https://just.systems) and Foundry on the NIGHTLY channel — run `foundryup -i nightly` (browser-wallet signing needs nightly). Then clone https://github.com/Cyfrin/battlechain-starter-foundry, cd into it, and run `forge install`.

3. Set up signing — default to my own wallet (MetaMask):
   - Confirm I've added BattleChain Testnet to MetaMask (chain ID 627). If not, point me to the one-click button at https://docs.battlechain.com/battlechain/how-to/add-battlechain-to-metamask.
   - Ask me for my wallet address, and set both SENDER_ADDRESS and RECOVERY_ADDRESS to it in `.env`.
   - (Don't want MetaMask? Instead run `just generate-key`, set SENDER_ADDRESS to the address it prints, and use the non-browser targets — `just deploy-protocol`, `create-agreement`, `adopt-agreement`, `request-attack-mode`, `attack`. Never ask me to paste a private key.)

4. Make sure that wallet has BattleChain Testnet ETH for gas. If it's empty, walk me through getting Sepolia ETH (https://cloud.google.com/application/web3/faucet/ethereum/sepolia) and bridging it (https://portal.battlechain.com/bridge).

5. Run the demo ONE STEP AT A TIME, in order. Each browser step opens my wallet and BLOCKS until I sign, so for EVERY one: run it in the FOREGROUND, then tell me "approve it in your wallet now," and WAIT for the command to finish on its own. Never run a `-browser` command in the background, never add `&`, never poll its output, never move on until it returns. After each, explain what the transaction did and give me the explorer link (https://explorer.testnet.battlechain.com/tx/HASH).
   a. `just deploy-protocol-browser` — deploys the vulnerable vault, which deploys + seeds its own token. When done, read the deployed VulnerableVault address from the receipt's logs (`cast receipt <hash> --rpc-url https://testnet.battlechain.com` shows them — it's the ContractCreation event), set VAULT_ADDRESS in `.env`, then run `cast call $VAULT_ADDRESS "TOKEN()(address)" --rpc-url https://testnet.battlechain.com` and set TOKEN_ADDRESS. Run `just verify-protocol-browser` (verifies by address — the browser deploy writes no broadcast file) and show me both contracts on the explorer.
   b. `just create-agreement-browser` — registers the Safe Harbor agreement scoping the vault. Read the new agreement address from the receipt, set AGREEMENT_ADDRESS in `.env`, and show it on the explorer.
   c. `just set-commitment-window-browser` — locks the agreement's terms ~30 days out. REQUIRED: the AttackRegistry rejects an attack-mode request until the commitment window is set (you'd see `AttackRegistry__InsufficientCommitment` otherwise).
   d. `just adopt-agreement-browser` — adopts the agreement (makes it live for attack mode).
   e. `just request-attack-mode-browser` — requests attack mode for the agreement.
   f. `just attack-browser` — deploys the Exploit, which approves attack mode and drains the vault via reentrancy, all in one transaction.

6. Finish by showing me the bounty split — 90% returned to my recovery address, 10% kept as the whitehat bounty — with the final balances on the explorer.

Remember: every `-browser` step opens my wallet and blocks until I sign. Always run them in the foreground and wait — never in the background.