@agentlayer.tech/wallet 0.1.0

package/agent-wallet/agent_wallet/providers/wdk_evm_local.py

@@ -0,0 +1,205 @@
+"""Client helpers for the local wdk-evm-wallet service."""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+from typing import Any
+from urllib.parse import urlparse
+
+import httpx
+
+from agent_wallet.config import resolve_openclaw_home, settings
+from agent_wallet.wallet_layer.base import WalletBackendError
+
+LOCAL_WDK_EVM_HOSTS = {"127.0.0.1", "localhost", "::1"}
+LONG_RUNNING_SEND_PATHS = {
+    "/v1/evm/aave/supply/send",
+    "/v1/evm/aave/withdraw/send",
+    "/v1/evm/aave/borrow/send",
+    "/v1/evm/aave/repay/send",
+    "/v1/evm/lido/stake_eth_for_wsteth/send",
+    "/v1/evm/lido/wrap_steth/send",
+    "/v1/evm/lido/unwrap_wsteth/send",
+    "/v1/evm/lido/request_withdrawal_steth/send",
+    "/v1/evm/lido/request_withdrawal_wsteth/send",
+    "/v1/evm/lido/claim_withdrawal/send",
+    "/v1/evm/swap/send",
+    "/v1/evm/lifi/send",
+    "/v1/evm/transfer/send",
+    "/v1/evm/token-transfer/send",
+}
+LONG_RUNNING_SEND_TIMEOUT_SECONDS = 120.0
+
+
+def _error_details_from_payload(payload: dict[str, Any]) -> dict[str, Any] | None:
+    details = payload.get("error_details")
+    return dict(details) if isinstance(details, dict) else None
+
+
+def _normalize_base_url(value: str) -> str:
+    text = str(value or "").strip()
+    if not text:
+        raise WalletBackendError("WDK EVM service URL is not configured.")
+    parsed = urlparse(text)
+    if parsed.scheme not in {"http", "https"} or parsed.hostname not in LOCAL_WDK_EVM_HOSTS:
+        raise WalletBackendError("WDK EVM service URL must point to a localhost HTTP endpoint.")
+    return text.rstrip("/")
+
+
+def _resolve_local_token_path() -> Path:
+    configured = os.getenv("WDK_EVM_LOCAL_TOKEN_PATH", "").strip()
+    if configured:
+        return Path(configured).expanduser()
+    return resolve_openclaw_home() / "wdk-evm-wallet" / "local-auth-token"
+
+
+def _load_local_token() -> str:
+    direct = os.getenv("WDK_EVM_LOCAL_TOKEN", "").strip()
+    if direct:
+        return direct
+    token_path = _resolve_local_token_path()
+    if not token_path.exists():
+        raise WalletBackendError(
+            f"WDK EVM local auth token file not found: {token_path}. Start the local wdk-evm-wallet service first."
+        )
+    token = token_path.read_text(encoding="utf-8").strip()
+    if not token:
+        raise WalletBackendError(f"WDK EVM local auth token file is empty: {token_path}")
+    return token
+
+
+def _timeout_for_path(path: str) -> float:
+    normalized = str(path or "").strip()
+    base_timeout = float(settings.http_timeout)
+    if normalized in LONG_RUNNING_SEND_PATHS:
+        return max(base_timeout, LONG_RUNNING_SEND_TIMEOUT_SECONDS)
+    return base_timeout
+
+
+def _unwrap_payload(response: httpx.Response) -> dict[str, Any]:
+    try:
+        payload = response.json()
+    except Exception as exc:  # pragma: no cover - defensive
+        raise WalletBackendError(
+            f"wdk-evm-wallet returned a non-JSON response ({response.status_code}).",
+            code="network_unavailable",
+            details={
+                "service": "wdk-evm-wallet",
+                "http_status": response.status_code,
+            },
+        ) from exc
+    if response.status_code >= 400 or payload.get("ok") is False:
+        detail = payload.get("error") or f"HTTP {response.status_code}"
+        raise WalletBackendError(
+            str(detail),
+            code=str(payload.get("error_code") or "").strip() or None,
+            details=_error_details_from_payload(payload),
+        )
+    data = payload.get("data")
+    if not isinstance(data, dict):
+        raise WalletBackendError("wdk-evm-wallet returned an invalid response payload.")
+    return data
+
+
+class WdkEvmLocalClient:
+    """Small client for the local EVM wallet service."""
+
+    def __init__(self, base_url: str):
+        self.base_url = _normalize_base_url(base_url)
+        self._headers = {
+            "Accept": "application/json",
+            "Authorization": f"Bearer {_load_local_token()}",
+        }
+
+    async def post(self, path: str, payload: dict[str, Any]) -> dict[str, Any]:
+        try:
+            async with httpx.AsyncClient(
+                timeout=_timeout_for_path(path),
+                headers=self._headers,
+                follow_redirects=False,
+                trust_env=False,
+            ) as client:
+                response = await client.post(f"{self.base_url}{path}", json=payload)
+        except httpx.TimeoutException as exc:
+            raise WalletBackendError(
+                "wdk-evm-wallet request timed out.",
+                code="network_unavailable",
+                details={"service": "wdk-evm-wallet", "path": path},
+            ) from exc
+        except httpx.RequestError as exc:
+            raise WalletBackendError(
+                f"wdk-evm-wallet request failed: {exc}",
+                code="network_unavailable",
+                details={"service": "wdk-evm-wallet", "path": path},
+            ) from exc
+        return _unwrap_payload(response)
+
+    async def get(self, path: str) -> dict[str, Any]:
+        try:
+            async with httpx.AsyncClient(
+                timeout=_timeout_for_path(path),
+                headers=self._headers,
+                follow_redirects=False,
+                trust_env=False,
+            ) as client:
+                response = await client.get(f"{self.base_url}{path}")
+        except httpx.TimeoutException as exc:
+            raise WalletBackendError(
+                "wdk-evm-wallet request timed out.",
+                code="network_unavailable",
+                details={"service": "wdk-evm-wallet", "path": path},
+            ) from exc
+        except httpx.RequestError as exc:
+            raise WalletBackendError(
+                f"wdk-evm-wallet request failed: {exc}",
+                code="network_unavailable",
+                details={"service": "wdk-evm-wallet", "path": path},
+            ) from exc
+        return _unwrap_payload(response)
+
+    def post_sync(self, path: str, payload: dict[str, Any]) -> dict[str, Any]:
+        try:
+            with httpx.Client(
+                timeout=_timeout_for_path(path),
+                headers=self._headers,
+                follow_redirects=False,
+                trust_env=False,
+            ) as client:
+                response = client.post(f"{self.base_url}{path}", json=payload)
+        except httpx.TimeoutException as exc:
+            raise WalletBackendError(
+                "wdk-evm-wallet request timed out.",
+                code="network_unavailable",
+                details={"service": "wdk-evm-wallet", "path": path},
+            ) from exc
+        except httpx.RequestError as exc:
+            raise WalletBackendError(
+                f"wdk-evm-wallet request failed: {exc}",
+                code="network_unavailable",
+                details={"service": "wdk-evm-wallet", "path": path},
+            ) from exc
+        return _unwrap_payload(response)
+
+    def get_sync(self, path: str) -> dict[str, Any]:
+        try:
+            with httpx.Client(
+                timeout=_timeout_for_path(path),
+                headers=self._headers,
+                follow_redirects=False,
+                trust_env=False,
+            ) as client:
+                response = client.get(f"{self.base_url}{path}")
+        except httpx.TimeoutException as exc:
+            raise WalletBackendError(
+                "wdk-evm-wallet request timed out.",
+                code="network_unavailable",
+                details={"service": "wdk-evm-wallet", "path": path},
+            ) from exc
+        except httpx.RequestError as exc:
+            raise WalletBackendError(
+                f"wdk-evm-wallet request failed: {exc}",
+                code="network_unavailable",
+                details={"service": "wdk-evm-wallet", "path": path},
+            ) from exc
+        return _unwrap_payload(response)

package/agent-wallet/agent_wallet/sealed_keys.py

@@ -0,0 +1,61 @@
+"""Sealed key storage backed by one boot key and an encrypted file on disk."""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+from agent_wallet.encrypted_storage import decrypt_secret_material, encrypt_secret_material
+from agent_wallet.file_ops import atomic_write_text
+from agent_wallet.wallet_layer.base import WalletBackendError
+
+SEALED_KEYS_FILENAME = "sealed_keys.json"
+
+
+def resolve_sealed_keys_path() -> Path:
+    """Resolve the encrypted secret bundle path under the OpenClaw home directory."""
+    from agent_wallet.config import resolve_openclaw_home
+
+    return resolve_openclaw_home() / SEALED_KEYS_FILENAME
+
+
+def seal_keys(boot_key: str, secrets: dict[str, str]) -> Path:
+    """Encrypt all secrets into a single sealed file."""
+    if not boot_key.strip():
+        raise WalletBackendError("AGENT_WALLET_BOOT_KEY is required to seal secrets.")
+    normalized: dict[str, str] = {}
+    for key, value in secrets.items():
+        if not isinstance(key, str) or not key.strip():
+            raise WalletBackendError("Sealed secret names must be non-empty strings.")
+        if not isinstance(value, str):
+            raise WalletBackendError(f"Sealed secret '{key}' must be a string.")
+        normalized[key.strip()] = value
+
+    payload = json.dumps(normalized, indent=2)
+    encrypted = encrypt_secret_material(payload, master_key=boot_key)
+    path = resolve_sealed_keys_path()
+    atomic_write_text(path, encrypted, mode=0o600)
+    return path
+
+
+def unseal_keys(boot_key: str) -> dict[str, str]:
+    """Decrypt all secrets from the sealed file."""
+    if not boot_key.strip():
+        return {}
+
+    path = resolve_sealed_keys_path()
+    if not path.exists():
+        return {}
+
+    plaintext = decrypt_secret_material(path.read_text(encoding="utf-8"), master_key=boot_key)
+    try:
+        payload = json.loads(plaintext)
+    except json.JSONDecodeError as exc:
+        raise WalletBackendError("Sealed secret file is malformed.") from exc
+    if not isinstance(payload, dict):
+        raise WalletBackendError("Sealed secret file is malformed.")
+    secrets: dict[str, str] = {}
+    for key, value in payload.items():
+        if isinstance(key, str) and isinstance(value, str):
+            secrets[key] = value
+    return secrets

package/agent-wallet/agent_wallet/solana_stake.py

@@ -0,0 +1,103 @@
+"""Helpers for native Solana stake program instructions."""
+
+from __future__ import annotations
+
+import struct
+
+from solders.instruction import AccountMeta, Instruction
+from solders.pubkey import Pubkey
+
+
+STAKE_PROGRAM_ID = Pubkey.from_string("Stake11111111111111111111111111111111111111")
+STAKE_CONFIG_ID = Pubkey.from_string("StakeConfig11111111111111111111111111111111")
+SYSVAR_CLOCK_ID = Pubkey.from_string("SysvarC1ock11111111111111111111111111111111")
+SYSVAR_STAKE_HISTORY_ID = Pubkey.from_string("SysvarStakeHistory1111111111111111111111111")
+SYSVAR_RENT_ID = Pubkey.from_string("SysvarRent111111111111111111111111111111111")
+STAKE_STATE_V2_SIZE = 200
+
+STAKE_INSTR_DELEGATE = 2
+STAKE_INSTR_WITHDRAW = 4
+STAKE_INSTR_DEACTIVATE = 5
+STAKE_INSTR_INITIALIZE_CHECKED = 9
+
+
+def _stake_variant(index: int) -> bytes:
+    return struct.pack("<I", index)
+
+
+def initialize_checked(
+    *,
+    stake_account: Pubkey,
+    staker: Pubkey,
+    withdrawer: Pubkey,
+) -> Instruction:
+    """Build InitializeChecked for a new stake account."""
+    return Instruction(
+        STAKE_PROGRAM_ID,
+        _stake_variant(STAKE_INSTR_INITIALIZE_CHECKED),
+        [
+            AccountMeta(stake_account, is_signer=False, is_writable=True),
+            AccountMeta(SYSVAR_RENT_ID, is_signer=False, is_writable=False),
+            AccountMeta(staker, is_signer=False, is_writable=False),
+            AccountMeta(withdrawer, is_signer=False, is_writable=False),
+        ],
+    )
+
+
+def delegate_stake(
+    *,
+    stake_account: Pubkey,
+    vote_account: Pubkey,
+    authority: Pubkey,
+) -> Instruction:
+    """Build DelegateStake for an initialized stake account."""
+    return Instruction(
+        STAKE_PROGRAM_ID,
+        _stake_variant(STAKE_INSTR_DELEGATE),
+        [
+            AccountMeta(stake_account, is_signer=False, is_writable=True),
+            AccountMeta(vote_account, is_signer=False, is_writable=False),
+            AccountMeta(SYSVAR_CLOCK_ID, is_signer=False, is_writable=False),
+            AccountMeta(SYSVAR_STAKE_HISTORY_ID, is_signer=False, is_writable=False),
+            AccountMeta(STAKE_CONFIG_ID, is_signer=False, is_writable=False),
+            AccountMeta(authority, is_signer=True, is_writable=False),
+        ],
+    )
+
+
+def deactivate_stake(
+    *,
+    stake_account: Pubkey,
+    authority: Pubkey,
+) -> Instruction:
+    """Build Deactivate for a delegated stake account."""
+    return Instruction(
+        STAKE_PROGRAM_ID,
+        _stake_variant(STAKE_INSTR_DEACTIVATE),
+        [
+            AccountMeta(stake_account, is_signer=False, is_writable=True),
+            AccountMeta(SYSVAR_CLOCK_ID, is_signer=False, is_writable=False),
+            AccountMeta(authority, is_signer=True, is_writable=False),
+        ],
+    )
+
+
+def withdraw_stake(
+    *,
+    stake_account: Pubkey,
+    recipient: Pubkey,
+    authority: Pubkey,
+    lamports: int,
+) -> Instruction:
+    """Build Withdraw for an inactive or partially withdrawable stake account."""
+    return Instruction(
+        STAKE_PROGRAM_ID,
+        struct.pack("<IQ", STAKE_INSTR_WITHDRAW, lamports),
+        [
+            AccountMeta(stake_account, is_signer=False, is_writable=True),
+            AccountMeta(recipient, is_signer=False, is_writable=True),
+            AccountMeta(SYSVAR_CLOCK_ID, is_signer=False, is_writable=False),
+            AccountMeta(SYSVAR_STAKE_HISTORY_ID, is_signer=False, is_writable=False),
+            AccountMeta(authority, is_signer=True, is_writable=False),
+        ],
+    )

package/agent-wallet/agent_wallet/solana_tx.py

@@ -0,0 +1,93 @@
+"""Minimal legacy Solana transaction builder for native SOL transfers."""
+
+from __future__ import annotations
+
+import base64
+import struct
+
+from agent_wallet.wallet_layer.base58 import b58decode
+
+SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
+SYSTEM_TRANSFER_INSTRUCTION = 2
+
+
+def encode_shortvec(value: int) -> bytes:
+    """Encode an integer using Solana's compact-u16/shortvec format."""
+    if value < 0:
+        raise ValueError("shortvec cannot encode negative values")
+
+    encoded = bytearray()
+    remaining = value
+    while True:
+        element = remaining & 0x7F
+        remaining >>= 7
+        if remaining:
+            encoded.append(element | 0x80)
+        else:
+            encoded.append(element)
+            break
+    return bytes(encoded)
+
+
+def build_legacy_sol_transfer_message(
+    sender: str,
+    recipient: str,
+    recent_blockhash: str,
+    lamports: int,
+) -> bytes:
+    """Build a legacy transaction message for a native SOL transfer."""
+    if lamports <= 0:
+        raise ValueError("lamports must be greater than zero")
+
+    sender_key = b58decode(sender)
+    recipient_key = b58decode(recipient)
+    system_program_key = b58decode(SYSTEM_PROGRAM_ID)
+    blockhash_bytes = b58decode(recent_blockhash)
+
+    if len(sender_key) != 32 or len(recipient_key) != 32 or len(system_program_key) != 32:
+        raise ValueError("All account keys must decode to 32 bytes")
+    if len(blockhash_bytes) != 32:
+        raise ValueError("Recent blockhash must decode to 32 bytes")
+
+    header = bytes(
+        [
+            1,  # num_required_signatures
+            0,  # num_readonly_signed_accounts
+            1,  # num_readonly_unsigned_accounts (system program)
+        ]
+    )
+    account_keys = [sender_key, recipient_key, system_program_key]
+    message = bytearray()
+    message.extend(header)
+    message.extend(encode_shortvec(len(account_keys)))
+    for account_key in account_keys:
+        message.extend(account_key)
+    message.extend(blockhash_bytes)
+
+    instruction_data = struct.pack("<IQ", SYSTEM_TRANSFER_INSTRUCTION, lamports)
+    compiled_instruction = bytearray()
+    compiled_instruction.append(2)  # system program index
+    compiled_instruction.extend(encode_shortvec(2))
+    compiled_instruction.extend(bytes([0, 1]))  # sender, recipient
+    compiled_instruction.extend(encode_shortvec(len(instruction_data)))
+    compiled_instruction.extend(instruction_data)
+
+    message.extend(encode_shortvec(1))
+    message.extend(compiled_instruction)
+    return bytes(message)
+
+
+def serialize_legacy_transaction(signature: bytes, message: bytes) -> bytes:
+    """Serialize a signed legacy transaction."""
+    if len(signature) != 64:
+        raise ValueError("Solana signatures must be 64 bytes")
+    payload = bytearray()
+    payload.extend(encode_shortvec(1))
+    payload.extend(signature)
+    payload.extend(message)
+    return bytes(payload)
+
+
+def encode_transaction_base64(transaction_bytes: bytes) -> str:
+    """Encode serialized transaction bytes for sendTransaction RPC."""
+    return base64.b64encode(transaction_bytes).decode("ascii")

package/agent-wallet/agent_wallet/spending_limits.py

@@ -0,0 +1,101 @@
+"""In-process spending ledger with configurable per-transaction, hourly, and daily limits.
+
+All limits default to ``0`` (unlimited).  When a limit is set, every
+``check_and_record`` call verifies that the requested spend would not
+exceed the configured thresholds.  If a limit would be breached, a
+``WalletBackendError`` is raised *before* the on-chain transaction is
+submitted.
+
+Thread-safe: uses ``threading.Lock`` for concurrent access.  For
+multi-instance deployments, replace ``SpendingLedger`` with a shared
+store (Redis / SQLite) behind the same interface.
+"""
+
+from __future__ import annotations
+
+import threading
+import time
+from dataclasses import dataclass
+
+from agent_wallet.wallet_layer.base import WalletBackendError
+
+# ---------------------------------------------------------------------------
+# 1 SOL = 1_000_000_000 lamports
+# ---------------------------------------------------------------------------
+LAMPORTS_PER_SOL = 1_000_000_000
+
+
+@dataclass(frozen=True)
+class SpendingConfig:
+    """Configurable spending limits (all values in lamports, 0 = unlimited)."""
+
+    max_per_tx_lamports: int = 0
+    max_hourly_lamports: int = 0
+    max_daily_lamports: int = 0
+    max_txs_per_minute: int = 0
+
+
+class SpendingLedger:
+    """Records executed spends and rejects operations that exceed limits."""
+
+    def __init__(self, config: SpendingConfig) -> None:
+        self.config = config
+        self._entries: list[tuple[float, int]] = []  # (monotonic-ts, lamports)
+        self._lock = threading.Lock()
+
+    # -- public API ----------------------------------------------------------
+
+    def check_and_record(self, lamports: int) -> None:
+        """Validate *lamports* against limits and record the spend.
+
+        Raises ``WalletBackendError`` if any limit would be exceeded.
+        """
+        with self._lock:
+            now = time.monotonic()
+            self._cleanup(now)
+
+            # Per-transaction cap
+            if self.config.max_per_tx_lamports > 0:
+                if lamports > self.config.max_per_tx_lamports:
+                    raise WalletBackendError(
+                        f"Transaction exceeds per-tx limit: "
+                        f"{lamports} > {self.config.max_per_tx_lamports} lamports "
+                        f"({self.config.max_per_tx_lamports / LAMPORTS_PER_SOL:.4f} SOL)."
+                    )
+
+            # Transactions-per-minute rate limit
+            if self.config.max_txs_per_minute > 0:
+                recent_count = sum(1 for ts, _ in self._entries if now - ts < 60)
+                if recent_count >= self.config.max_txs_per_minute:
+                    raise WalletBackendError(
+                        f"Transaction rate limit exceeded: "
+                        f"max {self.config.max_txs_per_minute} txs/minute."
+                    )
+
+            # Hourly cumulative cap
+            if self.config.max_hourly_lamports > 0:
+                hourly_total = sum(lam for ts, lam in self._entries if now - ts < 3600)
+                if hourly_total + lamports > self.config.max_hourly_lamports:
+                    raise WalletBackendError(
+                        f"Hourly spending limit exceeded: "
+                        f"would reach {(hourly_total + lamports) / LAMPORTS_PER_SOL:.4f} SOL, "
+                        f"limit is {self.config.max_hourly_lamports / LAMPORTS_PER_SOL:.4f} SOL."
+                    )
+
+            # Daily cumulative cap
+            if self.config.max_daily_lamports > 0:
+                daily_total = sum(lam for ts, lam in self._entries if now - ts < 86400)
+                if daily_total + lamports > self.config.max_daily_lamports:
+                    raise WalletBackendError(
+                        f"Daily spending limit exceeded: "
+                        f"would reach {(daily_total + lamports) / LAMPORTS_PER_SOL:.4f} SOL, "
+                        f"limit is {self.config.max_daily_lamports / LAMPORTS_PER_SOL:.4f} SOL."
+                    )
+
+            self._entries.append((now, lamports))
+
+    # -- internal ------------------------------------------------------------
+
+    def _cleanup(self, now: float) -> None:
+        """Evict entries older than 24 h to bound memory usage."""
+        self._entries = [(ts, lam) for ts, lam in self._entries if now - ts < 86400]