@agentlayer.tech/wallet 0.1.10 → 0.1.12

package/agent-wallet/scripts/bootstrap_openclaw_evm.py

@@ -0,0 +1,291 @@
+#!/usr/bin/env python3
+"""One-command host bootstrap for the local OpenClaw EVM wallet flow."""
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import subprocess
+import sys
+import time
+from pathlib import Path
+from urllib.error import URLError
+from urllib.parse import urlparse
+from urllib.request import urlopen
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[1]))
+
+from agent_wallet.file_ops import atomic_write_text, chmod_if_exists
+
+
+def _default_config_path() -> Path:
+    return Path(os.path.expanduser("~/.openclaw/openclaw.json"))
+
+
+def _default_user_id() -> str:
+    return f"{os.getenv('USER', 'openclaw-user')}-local"
+
+
+def _default_python_bin() -> str:
+    return os.getenv("OPENCLAW_AGENT_WALLET_PYTHON", sys.executable)
+
+
+def _package_root() -> Path:
+    return Path(__file__).resolve().parents[1]
+
+
+def _repo_root() -> Path:
+    return Path(__file__).resolve().parents[2]
+
+
+def _script_path(name: str) -> Path:
+    return _package_root() / "scripts" / name
+
+
+def _normalize_network(value: str) -> str:
+    network = str(value or "").strip().lower()
+    aliases = {
+        "mainnet": "ethereum",
+        "eth": "ethereum",
+        "eth-mainnet": "ethereum",
+        "base-mainnet": "base",
+        "base_sepolia": "base-sepolia",
+    }
+    network = aliases.get(network, network)
+    if network not in {"ethereum", "sepolia", "base", "base-sepolia"}:
+        return "ethereum"
+    return network
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--config-path", default=str(_default_config_path()))
+    parser.add_argument("--plugin-id", default="agent-wallet")
+    parser.add_argument("--user-id", default=_default_user_id())
+    parser.add_argument("--network", default="base")
+    parser.add_argument("--service-url", default="http://127.0.0.1:8081")
+    parser.add_argument("--wdk-wallet-root", default=str(_repo_root() / "wdk-evm-wallet"))
+    parser.add_argument("--label", default="Agent EVM Wallet")
+    parser.add_argument("--account-index", type=int, default=0)
+    parser.add_argument("--python-bin", default=_default_python_bin())
+    parser.add_argument("--package-root", default=str(_package_root()))
+    parser.add_argument("--password-stdin", action=argparse.BooleanOptionalAction, default=False)
+    parser.add_argument("--sign-only", action=argparse.BooleanOptionalAction, default=False)
+    parser.add_argument("--auto-start-service", action=argparse.BooleanOptionalAction, default=True)
+    parser.add_argument("--bind-network-pair", action=argparse.BooleanOptionalAction, default=True)
+    return parser
+
+
+def _ensure_openclaw_config(config_path: Path) -> bool:
+    if config_path.exists():
+        return False
+    config_path.parent.mkdir(parents=True, exist_ok=True)
+    atomic_write_text(
+        config_path,
+        json.dumps({"plugins": {"entries": {}}, "tools": {"alsoAllow": []}}, indent=2) + "\n",
+        mode=0o600,
+    )
+    chmod_if_exists(config_path, 0o600)
+    return True
+
+
+def _run_script(
+    python_bin: str,
+    script_name: str,
+    args: list[str],
+    *,
+    stdin_text: str | None = None,
+) -> dict:
+    completed = subprocess.run(
+        [python_bin, str(_script_path(script_name)), *args],
+        check=True,
+        capture_output=True,
+        text=True,
+        input=stdin_text,
+        env=os.environ.copy(),
+    )
+    return json.loads(completed.stdout)
+
+
+def _health_url(service_url: str) -> str:
+    return f"{service_url.rstrip('/')}/health"
+
+
+def _service_is_healthy(service_url: str) -> bool:
+    try:
+        with urlopen(_health_url(service_url), timeout=1.5) as response:
+            return int(getattr(response, "status", 0) or 0) == 200
+    except (URLError, TimeoutError, OSError):
+        return False
+
+
+def _is_local_service_url(service_url: str) -> bool:
+    parsed = urlparse(service_url)
+    return parsed.scheme in {"http", "https"} and parsed.hostname in {"127.0.0.1", "localhost", "::1"}
+
+
+def _require_local_service_url(service_url: str) -> None:
+    if not _is_local_service_url(service_url):
+        raise SystemExit(
+            f"EVM bootstrap only supports a localhost service URL. Refusing non-local endpoint: {service_url}"
+        )
+
+
+def _service_log_dir(config_path: Path) -> Path:
+    return config_path.expanduser().parent / "logs"
+
+
+def _service_log_path(config_path: Path) -> Path:
+    return _service_log_dir(config_path) / "wdk-evm-wallet.log"
+
+
+def _auto_start_local_service(
+    *,
+    service_url: str,
+    network: str,
+    wdk_wallet_root: Path,
+    config_path: Path,
+) -> dict[str, object]:
+    if _service_is_healthy(service_url):
+        return {"started": False, "already_healthy": True}
+
+    if not _is_local_service_url(service_url):
+        raise SystemExit(
+            f"EVM service at {service_url} is unreachable and auto-start is only supported for localhost URLs."
+        )
+
+    run_local = wdk_wallet_root / "run-local.sh"
+    if not run_local.exists():
+        raise SystemExit(f"Could not find wdk-evm-wallet launcher: {run_local}")
+
+    parsed = urlparse(service_url)
+    host = parsed.hostname or "127.0.0.1"
+    port = parsed.port or 8081
+    log_dir = _service_log_dir(config_path)
+    log_dir.mkdir(parents=True, exist_ok=True)
+    log_path = _service_log_path(config_path)
+
+    env = os.environ.copy()
+    env["HOST"] = host
+    env["PORT"] = str(port)
+    env["WDK_EVM_NETWORK"] = network
+
+    with log_path.open("a", encoding="utf-8") as log_file:
+        process = subprocess.Popen(  # noqa: S603
+            ["sh", str(run_local)],
+            cwd=str(wdk_wallet_root),
+            env=env,
+            stdin=subprocess.DEVNULL,
+            stdout=log_file,
+            stderr=log_file,
+            start_new_session=True,
+        )
+
+    deadline = time.time() + 30.0
+    while time.time() < deadline:
+        if _service_is_healthy(service_url):
+            return {
+                "started": True,
+                "already_healthy": False,
+                "pid": process.pid,
+                "log_path": str(log_path),
+            }
+        if process.poll() is not None:
+            raise SystemExit(
+                f"wdk-evm-wallet exited before becoming healthy. Check log: {log_path}"
+            )
+        time.sleep(0.5)
+
+    raise SystemExit(
+        f"Timed out waiting for wdk-evm-wallet health at {_health_url(service_url)}. Check log: {log_path}"
+    )
+
+
+def main() -> int:
+    args = build_parser().parse_args()
+    effective_network = _normalize_network(args.network)
+    _require_local_service_url(args.service_url)
+    config_path = Path(args.config_path).expanduser()
+    config_created = _ensure_openclaw_config(config_path)
+    service_bootstrap: dict[str, object] | None = None
+    if args.auto_start_service:
+        service_bootstrap = _auto_start_local_service(
+            service_url=args.service_url,
+            network=effective_network,
+            wdk_wallet_root=Path(args.wdk_wallet_root).expanduser(),
+            config_path=config_path,
+        )
+    elif not _service_is_healthy(args.service_url):
+        raise SystemExit(
+            f"EVM service is not healthy at {_health_url(args.service_url)} and --no-auto-start-service was set."
+        )
+
+    stdin_text = sys.stdin.read() if args.password_stdin else None
+    setup_payload = _run_script(
+        args.python_bin,
+        "manage_openclaw_evm_wallet.py",
+        [
+            "setup",
+            "--user-id",
+            args.user_id,
+            "--network",
+            effective_network,
+            "--service-url",
+            args.service_url,
+            "--label",
+            args.label,
+            "--account-index",
+            str(args.account_index),
+            *([] if not args.password_stdin else ["--password-stdin"]),
+            *(["--bind-network-pair"] if args.bind_network_pair else ["--no-bind-network-pair"]),
+        ],
+        stdin_text=stdin_text,
+    )
+
+    wallet = dict(setup_payload.get("wallet") or {})
+    install_args = [
+        "--config-path",
+        str(config_path),
+        "--plugin-id",
+        args.plugin_id,
+        "--user-id",
+        args.user_id,
+        "--backend",
+        "wdk_evm_local",
+        "--network",
+        effective_network,
+        "--wdk-evm-service-url",
+        args.service_url,
+        "--wdk-evm-wallet-id",
+        str(wallet.get("wallet_id") or ""),
+        "--wdk-evm-account-index",
+        str(wallet.get("account_index") or args.account_index),
+        "--package-root",
+        args.package_root,
+        "--python-bin",
+        args.python_bin,
+        "--sign-only" if args.sign_only else "--no-sign-only",
+    ]
+    install_payload = _run_script(
+        args.python_bin,
+        "install_openclaw_local_config.py",
+        install_args,
+    )
+
+    print(
+        json.dumps(
+            {
+                "ok": True,
+                "config_created": config_created,
+                "service_bootstrap": service_bootstrap,
+                "evm_setup": setup_payload,
+                "openclaw_install": install_payload,
+            }
+        )
+    )
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/agent-wallet/scripts/install_agent_wallet.py

@@ -26,6 +26,7 @@ INCLUDED_RUNTIME_TOP_LEVEL_DIRS = [
     ".openclaw",
     "agent-wallet",
     "agent-a2a-gateway",
+    "hermes",
     "wdk-btc-wallet",
     "wdk-evm-wallet",
 ]

package/agent-wallet/scripts/install_openclaw_local_config.py

@@ -72,6 +72,9 @@ def build_parser() -> argparse.ArgumentParser:
     parser.add_argument("--wdk-btc-service-url", default="")
     parser.add_argument("--wdk-btc-wallet-id", default="")
     parser.add_argument("--wdk-btc-account-index", type=int, default=0)
+    parser.add_argument("--wdk-evm-service-url", default="")
+    parser.add_argument("--wdk-evm-wallet-id", default="")
+    parser.add_argument("--wdk-evm-account-index", type=int, default=0)
     parser.add_argument("--sign-only", action=argparse.BooleanOptionalAction, default=False)
     parser.add_argument("--encrypt-user-wallets", action=argparse.BooleanOptionalAction, default=True)
     parser.add_argument(
@@ -183,6 +186,12 @@ def main() -> None:
         plugin_config["wdkBtcWalletId"] = args.wdk_btc_wallet_id.strip()
     if args.wdk_btc_account_index is not None:
         plugin_config["wdkBtcAccountIndex"] = int(args.wdk_btc_account_index)
+    if args.wdk_evm_service_url.strip():
+        plugin_config["wdkEvmServiceUrl"] = args.wdk_evm_service_url.strip()
+    if args.wdk_evm_wallet_id.strip():
+        plugin_config["wdkEvmWalletId"] = args.wdk_evm_wallet_id.strip()
+    if args.wdk_evm_account_index is not None:
+        plugin_config["wdkEvmAccountIndex"] = int(args.wdk_evm_account_index)
     if args.write_master_key:
         raise SystemExit(
             "Refusing to write masterKey into config. Runtime secrets must live in sealed_keys.json."

package/agent-wallet/scripts/manage_openclaw_evm_wallet.py

@@ -0,0 +1,343 @@
+#!/usr/bin/env python3
+"""Host-side helper for managing a local OpenClaw EVM wallet binding."""
+
+from __future__ import annotations
+
+import argparse
+import json
+import sys
+from getpass import getpass
+from pathlib import Path
+from urllib.error import URLError
+from urllib.request import urlopen
+
+PACKAGE_ROOT = Path(__file__).resolve().parents[1]
+if str(PACKAGE_ROOT) not in sys.path:
+    sys.path.insert(0, str(PACKAGE_ROOT))
+
+from agent_wallet.config import settings  # noqa: E402
+from agent_wallet.evm_user_wallets import (  # noqa: E402
+    bind_user_evm_wallet,
+    create_user_evm_wallet,
+    get_user_evm_wallet_binding,
+    import_user_evm_wallet,
+    list_user_evm_wallet_bindings,
+    lock_user_evm_wallet,
+    unlock_user_evm_wallet,
+)
+from agent_wallet.providers.wdk_evm_local import WdkEvmLocalClient  # noqa: E402
+
+
+def _normalize_network(value: str) -> str:
+    network = str(value or "").strip().lower()
+    aliases = {
+        "mainnet": "ethereum",
+        "eth": "ethereum",
+        "eth-mainnet": "ethereum",
+        "base-mainnet": "base",
+        "base_sepolia": "base-sepolia",
+    }
+    network = aliases.get(network, network)
+    if network not in {"ethereum", "sepolia", "base", "base-sepolia"}:
+        return "ethereum"
+    return network
+
+
+def _paired_network(network: str) -> str | None:
+    mapping = {
+        "ethereum": "base",
+        "base": "ethereum",
+        "sepolia": "base-sepolia",
+        "base-sepolia": "sepolia",
+    }
+    return mapping.get(_normalize_network(network))
+
+
+def _read_secret(
+    *,
+    prompt: str,
+    confirm_prompt: str | None = None,
+    stdin_mode: bool = False,
+) -> str:
+    if stdin_mode:
+        value = sys.stdin.read().strip()
+        if not value:
+            raise SystemExit(f"{prompt.rstrip(':')} is required on stdin.")
+        return value
+    value = getpass(prompt)
+    if confirm_prompt is not None:
+        confirmed = getpass(confirm_prompt)
+        if value != confirmed:
+            raise SystemExit("Secrets did not match.")
+    if not value.strip():
+        raise SystemExit(f"{prompt.rstrip(':')} is required.")
+    return value.strip()
+
+
+def _read_password_and_seed_from_stdin() -> tuple[str, str]:
+    raw = sys.stdin.read().strip()
+    if not raw:
+        raise SystemExit("Password and seed phrase payload is required on stdin.")
+    lines = raw.splitlines()
+    if len(lines) < 2:
+        raise SystemExit(
+            "For import via stdin, provide password on the first line and the seed phrase on the remaining lines."
+        )
+    password = lines[0].strip()
+    seed_phrase = " ".join(line.strip() for line in lines[1:] if line.strip())
+    if not password or not seed_phrase:
+        raise SystemExit("Both password and seed phrase are required.")
+    return password, seed_phrase
+
+
+def _service_health(service_url: str | None) -> dict[str, object]:
+    target = str(service_url or "").strip()
+    if not target:
+        return {"service_url": None, "healthy": False, "error": "service_url is not configured"}
+    health_url = f"{target.rstrip('/')}/health"
+    try:
+        with urlopen(health_url, timeout=1.5) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+            return {
+                "service_url": target,
+                "healthy": int(getattr(response, "status", 0) or 0) == 200,
+                "health": payload,
+            }
+    except (URLError, TimeoutError, OSError, ValueError) as exc:
+        return {"service_url": target, "healthy": False, "error": str(exc)}
+
+
+def _status_payload(user_id: str | None, network: str | None, service_url: str | None) -> dict[str, object]:
+    target_service_url = str(service_url or settings.wdk_evm_service_url).strip() or None
+    payload: dict[str, object] = {
+        "ok": True,
+        "network": _normalize_network(network or "ethereum"),
+        "service": _service_health(target_service_url),
+    }
+    target_network = _normalize_network(network or "ethereum")
+    if target_service_url:
+        try:
+            payload["network_info"] = WdkEvmLocalClient(target_service_url).get_sync("/v1/evm/network")
+        except Exception as exc:  # pragma: no cover - defensive
+            payload["network_info_error"] = str(exc)
+    if user_id:
+        payload["bindings"] = list_user_evm_wallet_bindings(user_id)
+        try:
+            payload["binding"] = get_user_evm_wallet_binding(user_id, network=target_network)
+        except Exception as exc:
+            payload["binding_error"] = str(exc)
+    return payload
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description="Manage a local OpenClaw EVM wallet binding")
+    subparsers = parser.add_subparsers(dest="command", required=True)
+
+    common_parent = argparse.ArgumentParser(add_help=False)
+    common_parent.add_argument("--network", default="ethereum")
+    common_parent.add_argument("--service-url")
+
+    get_parser = subparsers.add_parser("get", parents=[common_parent])
+    get_parser.add_argument("--user-id", required=True)
+
+    list_parser = subparsers.add_parser("list", parents=[common_parent])
+    list_parser.add_argument("--user-id", required=True)
+
+    status_parser = subparsers.add_parser("status", parents=[common_parent])
+    status_parser.add_argument("--user-id", default="")
+
+    setup_parser = subparsers.add_parser("setup", parents=[common_parent])
+    setup_parser.add_argument("--user-id", required=True)
+    setup_parser.add_argument("--label")
+    setup_parser.add_argument("--account-index", type=int)
+    setup_parser.add_argument("--password-stdin", action="store_true")
+    setup_parser.add_argument("--bind-network-pair", action=argparse.BooleanOptionalAction, default=True)
+
+    create_parser = subparsers.add_parser("create", parents=[common_parent])
+    create_parser.add_argument("--user-id", required=True)
+    create_parser.add_argument("--label")
+    create_parser.add_argument("--account-index", type=int)
+    create_parser.add_argument("--reveal-seed", action="store_true")
+    create_parser.add_argument("--password-stdin", action="store_true")
+    create_parser.add_argument("--bind-network-pair", action=argparse.BooleanOptionalAction, default=True)
+
+    import_parser = subparsers.add_parser("import", parents=[common_parent])
+    import_parser.add_argument("--user-id", required=True)
+    import_parser.add_argument("--label")
+    import_parser.add_argument("--account-index", type=int)
+    import_parser.add_argument("--password-stdin", action="store_true")
+    import_parser.add_argument("--seed-stdin", action="store_true")
+    import_parser.add_argument("--bind-network-pair", action=argparse.BooleanOptionalAction, default=True)
+
+    unlock_parser = subparsers.add_parser("unlock", parents=[common_parent])
+    unlock_parser.add_argument("--user-id", required=True)
+    unlock_parser.add_argument("--password-stdin", action="store_true")
+    unlock_parser.add_argument("--wallet-id", default="")
+    unlock_parser.add_argument("--account-index", type=int)
+    unlock_parser.add_argument("--bind-network-pair", action=argparse.BooleanOptionalAction, default=True)
+
+    lock_parser = subparsers.add_parser("lock", parents=[common_parent])
+    lock_parser.add_argument("--user-id", required=True)
+    lock_parser.add_argument("--wallet-id", default="")
+    lock_parser.add_argument("--account-index", type=int)
+
+    args = parser.parse_args()
+    effective_network = _normalize_network(args.network)
+
+    def _config_hint(wallet: dict[str, object]) -> dict[str, object]:
+        return {
+            "backend": "wdk_evm_local",
+            "network": effective_network,
+            "wdkEvmServiceUrl": args.service_url,
+            "wdkEvmWalletId": wallet.get("wallet_id"),
+            "wdkEvmAccountIndex": wallet.get("account_index"),
+        }
+
+    def _bind_pair(wallet: dict[str, object]) -> dict[str, object] | None:
+        if not getattr(args, "bind_network_pair", False):
+            return None
+        paired = _paired_network(effective_network)
+        if not paired:
+            return None
+        return bind_user_evm_wallet(
+            args.user_id,
+            wallet_id=str(wallet.get("wallet_id") or ""),
+            network=paired,
+            service_url=args.service_url,
+            account_index=wallet.get("account_index"),
+            tolerate_locked=True,
+            fallback_address=str(wallet.get("address") or "").strip() or None,
+        )
+
+    if args.command == "status":
+        payload = _status_payload(args.user_id or None, effective_network, args.service_url)
+    elif args.command == "list":
+        payload = {"ok": True, "wallets": list_user_evm_wallet_bindings(args.user_id)}
+    elif args.command == "get":
+        wallet = get_user_evm_wallet_binding(args.user_id, network=effective_network)
+        payload = {"ok": True, "wallet": wallet, "openclaw_config_hint": _config_hint(wallet)}
+    elif args.command == "setup":
+        password = _read_secret(
+            prompt="EVM wallet password: ",
+            confirm_prompt=None,
+            stdin_mode=bool(args.password_stdin),
+        )
+        try:
+            existing = get_user_evm_wallet_binding(args.user_id, network=effective_network)
+        except Exception:
+            existing = None
+
+        if existing is None:
+            wallet = create_user_evm_wallet(
+                args.user_id,
+                password=password,
+                label=args.label,
+                network=effective_network,
+                service_url=args.service_url,
+                account_index=args.account_index,
+            )
+            paired_binding = _bind_pair(wallet)
+            payload = {
+                "ok": True,
+                "action": "created",
+                "wallet": wallet,
+                "paired_binding": paired_binding,
+                "openclaw_config_hint": _config_hint(wallet),
+            }
+        else:
+            wallet = unlock_user_evm_wallet(
+                args.user_id,
+                password=password,
+                network=effective_network,
+                service_url=args.service_url,
+                account_index=args.account_index,
+            )
+            paired_binding = _bind_pair(wallet)
+            payload = {
+                "ok": True,
+                "action": "unlocked",
+                "wallet": wallet,
+                "paired_binding": paired_binding,
+                "openclaw_config_hint": _config_hint(wallet),
+            }
+    elif args.command == "create":
+        wallet = create_user_evm_wallet(
+            args.user_id,
+            password=_read_secret(
+                prompt="EVM wallet password: ",
+                confirm_prompt="Confirm EVM wallet password: ",
+                stdin_mode=bool(args.password_stdin),
+            ),
+            label=args.label,
+            network=effective_network,
+            service_url=args.service_url,
+            reveal_seed_phrase=bool(args.reveal_seed),
+            account_index=args.account_index,
+        )
+        payload = {
+            "ok": True,
+            "wallet": wallet,
+            "paired_binding": _bind_pair(wallet),
+        }
+    elif args.command == "import":
+        if args.password_stdin and args.seed_stdin:
+            password, seed_phrase = _read_password_and_seed_from_stdin()
+        else:
+            password = _read_secret(
+                prompt="EVM wallet password: ",
+                confirm_prompt="Confirm EVM wallet password: ",
+                stdin_mode=bool(args.password_stdin),
+            )
+            seed_phrase = _read_secret(
+                prompt="EVM seed phrase: ",
+                stdin_mode=bool(args.seed_stdin),
+            )
+        wallet = import_user_evm_wallet(
+            args.user_id,
+            password=password,
+            seed_phrase=seed_phrase,
+            label=args.label,
+            network=effective_network,
+            service_url=args.service_url,
+            account_index=args.account_index,
+        )
+        payload = {
+            "ok": True,
+            "wallet": wallet,
+            "paired_binding": _bind_pair(wallet),
+        }
+    elif args.command == "unlock":
+        wallet = unlock_user_evm_wallet(
+            args.user_id,
+            password=_read_secret(
+                prompt="EVM wallet password: ",
+                stdin_mode=bool(args.password_stdin),
+            ),
+            network=effective_network,
+            service_url=args.service_url,
+            wallet_id=args.wallet_id or None,
+            account_index=args.account_index,
+        )
+        payload = {
+            "ok": True,
+            "wallet": wallet,
+            "paired_binding": _bind_pair(wallet),
+        }
+    else:
+        payload = {
+            "ok": True,
+            "wallet": lock_user_evm_wallet(
+                args.user_id,
+                network=effective_network,
+                service_url=args.service_url,
+                wallet_id=args.wallet_id or None,
+                account_index=args.account_index,
+            ),
+        }
+
+    print(json.dumps(payload))
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())