@agentlayer.tech/wallet 0.1.17 → 0.1.19

package/.openclaw/AGENTS.md

@@ -7,22 +7,16 @@ These instructions apply to the entire `.openclaw/` tree.
 This tree contains local OpenClaw host-side workspace assets. In the current repo, its main responsibilities are:
 
 - the `agent-wallet` extension that bridges OpenClaw to the authoritative Python `agent-wallet` backend
-- the `pay-bridge` extension that bridges OpenClaw to the local `pay` CLI for paid API discovery and execution
 
 ## Current structure
 - `.openclaw/extensions/agent-wallet/index.ts` — TypeScript extension entrypoint registered by OpenClaw.
 - `.openclaw/extensions/agent-wallet/openclaw.plugin.json` — plugin manifest and config schema.
 - `.openclaw/extensions/agent-wallet/package.json` — extension package metadata.
 - `.openclaw/extensions/agent-wallet/skills/wallet-operator/SKILL.md` — user-facing operational wallet safety guidance.
-- `.openclaw/extensions/pay-bridge/index.ts` — TypeScript entrypoint for the local `pay` CLI bridge.
-- `.openclaw/extensions/pay-bridge/openclaw.plugin.json` — plugin manifest and config schema for pay tools.
-- `.openclaw/extensions/pay-bridge/core.mjs` — local `pay` command execution and output shaping.
-- `.openclaw/extensions/pay-bridge/skills/pay-operator/SKILL.md` — user-facing operational guidance for paid API usage.
 
 ## Design intent
 - Keep the TypeScript extension thin and host-oriented.
 - Let Python own wallet logic, policy, approvals, signing rules, and Solana implementation details.
-- Let `pay` remain the source of truth for paid API wallet/account behavior.
 - Let the extension focus on:
   - resolving config
   - locating the Python package
@@ -35,7 +29,6 @@ This tree contains local OpenClaw host-side workspace assets. In the current rep
 
 ### Keep bridge logic thin
 - Do not duplicate business logic from Python unless OpenClaw requires it at registration time.
-- Do not duplicate payment protocol logic from `pay`; prefer invoking the local CLI and shaping its output.
 - Do not reimplement approval validation, transaction policy, wallet derivation, or Solana-specific rules in TypeScript.
 - Prefer forwarding config into the CLI bridge and letting Python decide runtime behavior.
 - Treat this layer as a transport and schema bridge, not an execution authority.

package/.openclaw/extensions/agent-wallet/README.md

@@ -77,7 +77,7 @@ The ClawHub plugin package only installs the native OpenClaw plugin. It expects
 
 If that runtime is not present, set `plugins.entries.agent-wallet.config.packageRoot` explicitly.
 
-That installs the Python backend, Node dependencies for the local BTC/EVM runtimes, and patches the OpenClaw plugin config. Wallet creation, unlock, and local service start stay as separate host-side steps.
+That installs the Python backend, Node dependencies for the local BTC/EVM runtimes, and patches the OpenClaw plugin config. Solana stays ready immediately; EVM readiness can now be auto-healed during normal wallet switching when the runtime has sealed local vault credentials.
 
 For self-hosted installs, prefer `SOLANA_RPC_URL` / `SOLANA_RPC_URLS` in local env and treat the plugin `rpcUrl` / `rpcUrls` fields as fallback only. If the local runtime exposes `ALCHEMY_API_KEY` or `HELIUS_API_KEY`, the wallet can derive the Solana RPC URL automatically for `mainnet` or `devnet`. Local env always takes precedence over `openclaw.json`.
 
@@ -88,12 +88,13 @@ Important:
 - For a local official OpenClaw install, `userId` should represent the wallet owner for that agent install.
 - The public OpenClaw plugin docs do not document a per-request end-user identifier in `registerTool(...).execute(...)`, so dynamic multi-user wallet selection is intentionally kept in the Python/runtime layer, not inside the TypeScript plugin itself.
 - Helper scripts in `agent-wallet/scripts/` are generic patch/finalize utilities and no longer assume a specific local username, path, or temporary master key.
-- The OpenClaw plugin API in this repo exposes tool registration, not host password prompts, so BTC and EVM wallet create/unlock remain host-shell or CLI flows outside the agent tool surface.
+- The OpenClaw plugin API in this repo exposes tool registration, not host password prompts. EVM wallet create/unlock still is not a public agent tool, but the runtime can now auto-create or auto-unlock the local EVM wallet during `set_wallet_backend` or EVM tool calls when `sealed_keys.json` contains the local EVM vault password.
 - For a one-command local BTC onboarding path, use `agent-wallet/scripts/bootstrap_openclaw_btc.py`, which both sets up the BTC wallet binding and patches local OpenClaw config for `backend=wdk_btc_local`.
 - The BTC flow now only supports local service URLs (`127.0.0.1` / `localhost` / `::1`).
 - The local BTC service is protected with a bearer token loaded from `~/.openclaw/wdk-btc-wallet/local-auth-token`, not from plugin config JSON.
 - When the BTC service URL is local, that bootstrap script can also auto-start `wdk-btc-wallet` before patching OpenClaw config.
 - The EVM flow also only supports local service URLs (`127.0.0.1` / `localhost` / `::1`) and uses a bearer token loaded from `~/.openclaw/wdk-evm-wallet/local-auth-token`.
+- The installer now provisions a sealed local EVM vault password under `sealed_keys.json` by default, and host-side EVM setup helpers refresh that sealed value whenever the operator enters a new password.
 - The EVM tool surface is intentionally narrow: Velora swap quote/execute, Aave V3 account/reserve/position flows, native transfers, ERC-20 transfers, fee quotes, and receipt lookup only. No arbitrary calldata, standalone approvals, or generic contract execution are exposed to the agent.
 - Velora swap and Aave V3 support are currently limited to `ethereum` and `base`. Test carefully because the upstream WDK protocol packages are still beta.
 - Agents can call `set_wallet_backend` to switch the active wallet for the current OpenClaw plugin session between Solana, EVM, and Bitcoin. This does not edit `openclaw.json`; plugin config remains the startup default.

package/.openclaw/extensions/agent-wallet/dist/index.js

@@ -25,6 +25,9 @@ const approvalPreviewCache = new Map();
 const privateSwapOrderCache = new Map();
 const WALLET_TOOL_ONLY_GUIDANCE =
   "Use this wallet tool instead of shelling out to solana CLI, spl-token CLI, curl, or exec. If it fails, surface the wallet-tool error and stop rather than falling back to terminal commands.";
+const APPROVAL_PREVIEW_TOOL_ALIASES = new Map([
+  ["x402_pay_request", "x402_preview_request"],
+]);
 
 function canonicalJsonText(payload) {
   const normalize = (value) => {
@@ -51,6 +54,11 @@ function approvalCacheKey(userId, toolName) {
   return `${userId}::${toolName}`;
 }
 
+function approvalPreviewToolName(toolName) {
+  const normalized = typeof toolName === "string" ? toolName.trim() : "";
+  return APPROVAL_PREVIEW_TOOL_ALIASES.get(normalized) || normalized;
+}
+
 function pruneApprovalPreviewCache() {
   const now = Date.now();
   for (const [key, value] of approvalPreviewCache.entries()) {
@@ -61,29 +69,30 @@ function pruneApprovalPreviewCache() {
 }
 
 function cachePreviewForApproval(userId, toolName, payload) {
+  const cacheToolName = approvalPreviewToolName(toolName);
   if (!payload || payload.ok !== true || !payload.data || typeof payload.data !== "object") return;
   const preview = payload.data;
   if (preview.mode !== "preview") return;
   if (!preview.confirmation_summary || typeof preview.confirmation_summary !== "object") return;
   pruneApprovalPreviewCache();
   const digest = previewDigest(preview);
-  approvalPreviewCache.set(approvalCacheKey(userId, toolName), {
+  approvalPreviewCache.set(approvalCacheKey(userId, cacheToolName), {
     digest,
     expiresAt:
-      toolName === "swap_solana_privately"
+      cacheToolName === "swap_solana_privately"
         ? Date.now() + PRIVATE_SWAP_CACHE_TTL_MS
         : Date.now() + PREVIEW_CACHE_TTL_MS,
     preview,
     summary: preview.confirmation_summary,
   });
-  if (toolName === "swap_solana_privately") {
-    privateSwapOrderCache.delete(approvalCacheKey(userId, toolName));
+  if (cacheToolName === "swap_solana_privately") {
+    privateSwapOrderCache.delete(approvalCacheKey(userId, cacheToolName));
   }
 }
 
 function latestCachedPreview(userId, toolName) {
   pruneApprovalPreviewCache();
-  return approvalPreviewCache.get(approvalCacheKey(userId, toolName)) || null;
+  return approvalPreviewCache.get(approvalCacheKey(userId, approvalPreviewToolName(toolName))) || null;
 }
 
 function approvalTokenPreviewDigest(token) {
@@ -498,8 +507,9 @@ async function issueApprovalToken(api, config, userId, toolName, previewPayload)
   if (!summary || typeof summary !== "object") {
     throw new Error(`No confirmation_summary available for ${toolName}.`);
   }
-  const digest = previewDigest(previewPayload);
-  const summaryForToken = { ...summary, _preview_digest: digest };
+  const summaryForToken = PREVIEW_BOUND_SWAP_TOOLS.has(toolName)
+    ? { ...summary, _preview_digest: previewDigest(previewPayload) }
+    : { ...summary };
   const extraArgs = [
     "--tool",
     toolName,
@@ -819,6 +829,94 @@ const walletSessionToolDefinitions = [
       additionalProperties: false,
     },
   },
+  {
+    name: "x402_search_services",
+    description:
+      "Search x402-paid services through CDP Bazaar or Agentic Market. This is read-only discovery and does not spend funds.",
+    parameters: {
+      type: "object",
+      properties: {
+        query: { type: "string" },
+        discovery_provider: {
+          type: "string",
+          enum: ["auto", "cdp_bazaar", "agentic_market"],
+        },
+        network: { type: "string" },
+        asset: { type: "string" },
+        scheme: { type: "string" },
+        max_usd_price: { type: "string" },
+        limit: { type: "integer" },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "x402_get_service_details",
+    description:
+      "Resolve one x402 service or resource into a normalized details payload. Use a resource URL for CDP Bazaar or a domain/service id for Agentic Market.",
+    parameters: {
+      type: "object",
+      properties: {
+        reference: { type: "string" },
+        discovery_provider: {
+          type: "string",
+          enum: ["auto", "cdp_bazaar", "agentic_market"],
+        },
+      },
+      required: ["reference"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "x402_preview_request",
+    description:
+      "Make an unpaid HTTP request to an x402 endpoint, detect HTTP 402, parse PAYMENT-REQUIRED, and summarize the payment options. This does not pay or execute.",
+    parameters: {
+      type: "object",
+      properties: {
+        url: { type: "string" },
+        method: { type: "string" },
+        headers: { type: "object", additionalProperties: { type: "string" } },
+        query: { type: "object", additionalProperties: true },
+        json_body: {},
+        text_body: { type: "string" },
+      },
+      required: ["url"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "x402_pay_request",
+    description:
+      "Prepare or execute an x402 paid request using the active wallet backend. This milestone executes the Solana exact buyer flow and keeps EVM as prepare-only.",
+    parameters: {
+      type: "object",
+      properties: {
+        url: { type: "string" },
+        method: { type: "string" },
+        headers: { type: "object", additionalProperties: { type: "string" } },
+        query: { type: "object", additionalProperties: true },
+        json_body: {},
+        text_body: { type: "string" },
+        mode: {
+          type: "string",
+          enum: ["prepare", "execute"],
+          description: "prepare validates the payment plan; execute sends the paid retry.",
+        },
+        purpose: { type: "string" },
+        user_intent: {
+          type: "boolean",
+          description: "Must be true for prepare mode.",
+        },
+        approval_token: {
+          type: "string",
+          description: "Required for execute mode and must be issued against the exact x402 payment summary.",
+        },
+      },
+      required: ["url", "mode", "purpose"],
+      additionalProperties: false,
+    },
+  },
   {
     name: "get_active_wallet_backend",
     description: "Show which wallet backend is active in this OpenClaw plugin session and whether it differs from the startup plugin config.",

package/.openclaw/extensions/agent-wallet/index.ts

@@ -25,6 +25,9 @@ const approvalPreviewCache = new Map();
 const privateSwapOrderCache = new Map();
 const WALLET_TOOL_ONLY_GUIDANCE =
   "Use this wallet tool instead of shelling out to solana CLI, spl-token CLI, curl, or exec. If it fails, surface the wallet-tool error and stop rather than falling back to terminal commands.";
+const APPROVAL_PREVIEW_TOOL_ALIASES = new Map([
+  ["x402_pay_request", "x402_preview_request"],
+]);
 
 function canonicalJsonText(payload) {
   const normalize = (value) => {
@@ -51,6 +54,11 @@ function approvalCacheKey(userId, toolName) {
   return `${userId}::${toolName}`;
 }
 
+function approvalPreviewToolName(toolName) {
+  const normalized = typeof toolName === "string" ? toolName.trim() : "";
+  return APPROVAL_PREVIEW_TOOL_ALIASES.get(normalized) || normalized;
+}
+
 function pruneApprovalPreviewCache() {
   const now = Date.now();
   for (const [key, value] of approvalPreviewCache.entries()) {
@@ -61,29 +69,30 @@ function pruneApprovalPreviewCache() {
 }
 
 function cachePreviewForApproval(userId, toolName, payload) {
+  const cacheToolName = approvalPreviewToolName(toolName);
   if (!payload || payload.ok !== true || !payload.data || typeof payload.data !== "object") return;
   const preview = payload.data;
   if (preview.mode !== "preview") return;
   if (!preview.confirmation_summary || typeof preview.confirmation_summary !== "object") return;
   pruneApprovalPreviewCache();
   const digest = previewDigest(preview);
-  approvalPreviewCache.set(approvalCacheKey(userId, toolName), {
+  approvalPreviewCache.set(approvalCacheKey(userId, cacheToolName), {
     digest,
     expiresAt:
-      toolName === "swap_solana_privately"
+      cacheToolName === "swap_solana_privately"
         ? Date.now() + PRIVATE_SWAP_CACHE_TTL_MS
         : Date.now() + PREVIEW_CACHE_TTL_MS,
     preview,
     summary: preview.confirmation_summary,
   });
-  if (toolName === "swap_solana_privately") {
-    privateSwapOrderCache.delete(approvalCacheKey(userId, toolName));
+  if (cacheToolName === "swap_solana_privately") {
+    privateSwapOrderCache.delete(approvalCacheKey(userId, cacheToolName));
   }
 }
 
 function latestCachedPreview(userId, toolName) {
   pruneApprovalPreviewCache();
-  return approvalPreviewCache.get(approvalCacheKey(userId, toolName)) || null;
+  return approvalPreviewCache.get(approvalCacheKey(userId, approvalPreviewToolName(toolName))) || null;
 }
 
 function approvalTokenPreviewDigest(token) {
@@ -498,8 +507,9 @@ async function issueApprovalToken(api, config, userId, toolName, previewPayload)
   if (!summary || typeof summary !== "object") {
     throw new Error(`No confirmation_summary available for ${toolName}.`);
   }
-  const digest = previewDigest(previewPayload);
-  const summaryForToken = { ...summary, _preview_digest: digest };
+  const summaryForToken = PREVIEW_BOUND_SWAP_TOOLS.has(toolName)
+    ? { ...summary, _preview_digest: previewDigest(previewPayload) }
+    : { ...summary };
   const extraArgs = [
     "--tool",
     toolName,
@@ -819,6 +829,94 @@ const walletSessionToolDefinitions = [
       additionalProperties: false,
     },
   },
+  {
+    name: "x402_search_services",
+    description:
+      "Search x402-paid services through CDP Bazaar or Agentic Market. This is read-only discovery and does not spend funds.",
+    parameters: {
+      type: "object",
+      properties: {
+        query: { type: "string" },
+        discovery_provider: {
+          type: "string",
+          enum: ["auto", "cdp_bazaar", "agentic_market"],
+        },
+        network: { type: "string" },
+        asset: { type: "string" },
+        scheme: { type: "string" },
+        max_usd_price: { type: "string" },
+        limit: { type: "integer" },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "x402_get_service_details",
+    description:
+      "Resolve one x402 service or resource into a normalized details payload. Use a resource URL for CDP Bazaar or a domain/service id for Agentic Market.",
+    parameters: {
+      type: "object",
+      properties: {
+        reference: { type: "string" },
+        discovery_provider: {
+          type: "string",
+          enum: ["auto", "cdp_bazaar", "agentic_market"],
+        },
+      },
+      required: ["reference"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "x402_preview_request",
+    description:
+      "Make an unpaid HTTP request to an x402 endpoint, detect HTTP 402, parse PAYMENT-REQUIRED, and summarize the payment options. This does not pay or execute.",
+    parameters: {
+      type: "object",
+      properties: {
+        url: { type: "string" },
+        method: { type: "string" },
+        headers: { type: "object", additionalProperties: { type: "string" } },
+        query: { type: "object", additionalProperties: true },
+        json_body: {},
+        text_body: { type: "string" },
+      },
+      required: ["url"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "x402_pay_request",
+    description:
+      "Prepare or execute an x402 paid request using the active wallet backend. This milestone executes the Solana exact buyer flow and keeps EVM as prepare-only.",
+    parameters: {
+      type: "object",
+      properties: {
+        url: { type: "string" },
+        method: { type: "string" },
+        headers: { type: "object", additionalProperties: { type: "string" } },
+        query: { type: "object", additionalProperties: true },
+        json_body: {},
+        text_body: { type: "string" },
+        mode: {
+          type: "string",
+          enum: ["prepare", "execute"],
+          description: "prepare validates the payment plan; execute sends the paid retry.",
+        },
+        purpose: { type: "string" },
+        user_intent: {
+          type: "boolean",
+          description: "Must be true for prepare mode.",
+        },
+        approval_token: {
+          type: "string",
+          description: "Required for execute mode and must be issued against the exact x402 payment summary.",
+        },
+      },
+      required: ["url", "mode", "purpose"],
+      additionalProperties: false,
+    },
+  },
   {
     name: "get_active_wallet_backend",
     description: "Show which wallet backend is active in this OpenClaw plugin session and whether it differs from the startup plugin config.",

package/.openclaw/extensions/agent-wallet/openclaw.plugin.json

@@ -70,7 +70,11 @@
       "transfer_evm_native",
       "transfer_evm_token",
       "transfer_sol",
-      "transfer_spl_token"
+      "transfer_spl_token",
+      "x402_get_service_details",
+      "x402_pay_request",
+      "x402_preview_request",
+      "x402_search_services"
     ]
   },
   "skills": ["skills/wallet-operator"],

package/.openclaw/extensions/agent-wallet/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentlayertech/agent-wallet-plugin",
-  "version": "0.1.17",
+  "version": "0.1.19",
   "description": "OpenClaw plugin bridge for the AgentLayer wallet runtime.",
   "type": "module",
   "license": "SEE LICENSE IN ../../../LICENSE",

package/CHANGELOG.md

@@ -2,6 +2,30 @@
 
 ## Unreleased
 
+## v0.1.18 - 2026-05-19
+
+- Started the native x402 buyer integration inside `agent-wallet` instead of
+  the separate `pay-bridge` wallet path.
+- Added read-only x402 discovery helpers for `CDP Bazaar` and
+  `Agentic Market`, including normalized service/resource search results.
+- Added `x402_preview_request`, which performs an unpaid request, parses
+  `PAYMENT-REQUIRED`, and summarizes accepted payment options without spending
+  funds.
+- Added `x402_pay_request` with `prepare` and `execute` flow for exact buyer
+  payments from the native wallet on Solana, Base, and Base Sepolia.
+- Added buyer-side x402 signing support to the local EVM runtime so Base
+  payments execute without requiring a separate wallet product.
+- Fixed x402 Solana execution against hosted RPC routing by deriving an
+  SDK-compatible direct Solana RPC URL for the x402 SVM client.
+- Fixed x402 payment requirement selection so SDK model objects survive through
+  prepare and execute without crashing on plain dict access.
+- Added automatic host approval-token issuance for `x402_pay_request` from the
+  cached `x402_preview_request` summary in the OpenClaw bridge.
+- Fixed x402 approval-token binding so execute validates against the exact
+  `confirmation_summary` used by the Python wallet policy gate.
+- Synced the OpenClaw coding profile allowlist and runtime bundle so the new
+  x402 tools are exposed correctly in packaged installs.
+
 ## v0.1.17 - 2026-05-17
 
 - Added Flash Trade collateral-aware perp opens so the Solana wallet flow can

package/README.md

@@ -18,7 +18,7 @@ AgentLayer is a beta local-first wallet and finance stack for agents.
 The repository includes:
 
 - `agent-wallet/` - the main wallet backend for AgentLayer
-- `.openclaw/` - the local AgentLayer bridge layer, including the OpenClaw wallet bridge and the `pay.sh` API-payments bridge
+- `.openclaw/` - the local AgentLayer bridge layer for the OpenClaw wallet integration
 - `hermes/` - optional Hermes Agent plugin bridge for the same wallet backend
 - `wdk-btc-wallet/` - the local Bitcoin wallet service
 - `wdk-evm-wallet/` - the local EVM wallet service
@@ -55,7 +55,6 @@ Install the native OpenClaw plugins from ClawHub:
 
 ```bash
 openclaw plugins install clawhub:@agentlayertech/agent-wallet-plugin
-openclaw plugins install clawhub:@agentlayertech/pay-bridge-plugin
 ```
 
 Those ClawHub packages do not replace the npm installer. Keep `npx @agentlayer.tech/wallet install --yes` for laying down the local wallet runtime, Python backend, and helper services. The ClawHub packages only install the OpenClaw plugin surfaces that point at that runtime.
@@ -92,7 +91,6 @@ Use ClawHub when you want the plugin itself to be installed through OpenClaw:
 
 ```bash
 openclaw plugins install clawhub:@agentlayertech/agent-wallet-plugin
-openclaw plugins install clawhub:@agentlayertech/pay-bridge-plugin
 ```
 
 Recommended order:

package/RELEASING.md

@@ -12,11 +12,10 @@ The public install command is:
 npx @agentlayer.tech/wallet install --yes
 ```
 
-The repo also ships two native OpenClaw plugin packages for ClawHub:
+The repo also ships a native OpenClaw plugin package for ClawHub:
 
 ```text
 @agentlayertech/agent-wallet-plugin
-@agentlayertech/pay-bridge-plugin
 ```
 
 ## When npm Publishes
@@ -200,7 +199,6 @@ Dry-run the package contents from each plugin directory:
 
 ```bash
 (cd .openclaw/extensions/agent-wallet && npm pack --dry-run)
-(cd .openclaw/extensions/pay-bridge && npm pack --dry-run)
 ```
 
 Publish to ClawHub with the package-specific command documented by OpenClaw:
@@ -208,16 +206,12 @@ Publish to ClawHub with the package-specific command documented by OpenClaw:
 ```bash
 clawhub package publish .openclaw/extensions/agent-wallet --dry-run
 clawhub package publish .openclaw/extensions/agent-wallet
-
-clawhub package publish .openclaw/extensions/pay-bridge --dry-run
-clawhub package publish .openclaw/extensions/pay-bridge
 ```
 
 Users then install them natively through OpenClaw:
 
 ```bash
 openclaw plugins install clawhub:@agentlayertech/agent-wallet-plugin
-openclaw plugins install clawhub:@agentlayertech/pay-bridge-plugin
 ```
 
 GitHub Actions can publish the same packages automatically from tags and manual
@@ -231,14 +225,13 @@ CLAWHUB_TOKEN
 
 Workflow behavior:
 
-- `pull_request`: packs both plugins and runs ClawHub `--dry-run`
+- `pull_request`: packs the plugin and runs ClawHub `--dry-run`
 - `workflow_dispatch`: publishes or dry-runs based on the `dry_run` input
-- `push` on `v*` tags: publishes both plugins automatically
+- `push` on `v*` tags: publishes the plugin automatically
 
 The workflow currently publishes:
 
 - `.openclaw/extensions/agent-wallet` as `bundle-plugin`
-- `.openclaw/extensions/pay-bridge` as `code-plugin`
 
 `agent-wallet` stays on `bundle-plugin` because that package name was first
 published to ClawHub with that family, and ClawHub does not allow family
@@ -298,17 +291,16 @@ It publishes these ClawHub packages:
 
 ```text
 @agentlayertech/agent-wallet-plugin
-@agentlayertech/pay-bridge-plugin
 ```
 
 ### Triggers
 
 - `pull_request`
-  - runs ClawHub publish in `--dry-run` mode for both plugin packages
+  - runs ClawHub publish in `--dry-run` mode for the plugin package
 - `workflow_dispatch`
   - supports manual runs with a `dry_run` boolean input
 - `push` on git tags matching `v*`
-  - publishes both plugin packages to ClawHub
+  - publishes the plugin package to ClawHub
 
 ### Required secret
 
@@ -330,7 +322,6 @@ publisher access to:
 The workflow currently publishes:
 
 - `.openclaw/extensions/agent-wallet` as `bundle-plugin`
-- `.openclaw/extensions/pay-bridge` as `code-plugin`
 
 `agent-wallet` remains on `bundle-plugin` because the package
 `@agentlayertech/agent-wallet-plugin` was first created in ClawHub with that
@@ -346,7 +337,6 @@ If you want one git tag to publish both npm and ClawHub surfaces together:
 package.json
 agent-wallet/pyproject.toml
 .openclaw/extensions/agent-wallet/package.json
-.openclaw/extensions/pay-bridge/package.json
 ```
 
 2. Commit the release version bump.

package/agent-wallet/README.md

@@ -108,6 +108,10 @@ Current safe tools:
 - `deactivate_solana_stake`
 - `withdraw_solana_stake`
 - `request_devnet_airdrop`
+- `x402_search_services`
+- `x402_get_service_details`
+- `x402_preview_request`
+- `x402_pay_request`
 
 Temporarily disabled but kept in the codebase for later re-enable:
 
@@ -401,6 +405,7 @@ For the local EVM backend (`backend=wdk_evm_local`), the lifecycle mirrors the B
 - the EVM service is localhost-only and no longer accepts remote service URLs through the OpenClaw EVM flow
 - `agent-wallet` talks to it through a local bearer token loaded from `~/.openclaw/wdk-evm-wallet/local-auth-token`
 - `agent-wallet` stores only a per-user EVM wallet binding under `~/.openclaw/users/<normalized-user-id>/wallets/evm-<network>-agent.json`
+- the runtime can auto-create missing EVM bindings or auto-unlock the local vault during ordinary OpenClaw switching/tool calls when `sealed_keys.json` contains `wdk_evm_wallet_password`
 - supported EVM networks are `ethereum`, `sepolia`, `base`, and `base-sepolia`
 - OpenClaw-facing EVM tools accept an optional per-call `network` override for `ethereum` or `base`, so the agent can switch between the two mainnet EVM paths without editing host config
 - EVM `get_wallet_balance` now returns an enriched portfolio-style payload with native balance, discovered ERC-20 balances, and USD values when token discovery and pricing are available
@@ -425,6 +430,7 @@ That wrapper:
 - can auto-start `wdk-evm-wallet/run-local.sh` if the local service is not already healthy
 - creates or unlocks the local EVM wallet binding
 - also binds the paired EVM network by default: `ethereum <-> base`, `sepolia <-> base-sepolia`
+- stores the entered EVM vault password into `sealed_keys.json` when `AGENT_WALLET_BOOT_KEY` is available, so later OpenClaw wallet switching can auto-raise the EVM backend without another password prompt
 - patches OpenClaw config to `backend=wdk_evm_local`
 
 Example host-side EVM wallet creation:
@@ -449,6 +455,7 @@ Per-user wallets are now encrypted at rest in one hardened mode:
 
 Do not store `masterKey`, `privateKey`, or approval secrets in plugin config JSON or direct runtime environment variables.
 `AGENT_WALLET_MASTER_KEY`, `AGENT_WALLET_APPROVAL_SECRET`, and `SOLANA_AGENT_PRIVATE_KEY` are now provisioning-only inputs for installer/admin scripts and are rejected by the runtime.
+The installer also provisions a sealed `wdk_evm_wallet_password` by default so greenfield EVM wallet setup can happen automatically on first switch.
 Create or update that sealed file with:
 
 ```bash

package/agent-wallet/agent_wallet/config.py

@@ -368,6 +368,17 @@ def resolve_solana_private_key() -> str:
     )
 
 
+def resolve_evm_wallet_password() -> str:
+    """Resolve the local EVM vault password from env or the sealed secret store."""
+    direct = os.getenv("WDK_EVM_WALLET_PASSWORD", "").strip()
+    if direct:
+        return direct
+    return _resolve_sealed_secret(
+        "wdk_evm_wallet_password",
+        "evm_wallet_password",
+    )
+
+
 def use_encrypted_user_wallets() -> bool:
     """Per-user wallet files are always encrypted in the hardened runtime."""
     return True