@agentlayer.tech/wallet 0.1.17 → 0.1.19

package/agent-wallet/agent_wallet/wallet_layer/wdk_evm.py

@@ -440,6 +440,36 @@ class WdkEvmLocalWalletBackend(AgentWalletBackend):
         self.address = address
         return address
 
+    def sign_x402_evm_exact_typed_data(
+        self,
+        *,
+        domain: dict[str, Any],
+        types: dict[str, Any],
+        primary_type: str,
+        message: dict[str, Any],
+    ) -> bytes:
+        data = self.client.post_sync(
+            "/v1/evm/x402/exact/sign",
+            {
+                "walletId": self.wallet_id,
+                "accountIndex": self.account_index,
+                "network": self.network,
+                "domain": domain,
+                "types": types,
+                "primaryType": primary_type,
+                "message": message,
+            },
+        )
+        signature = str(data.get("signature") or "").strip()
+        if not signature:
+            raise WalletBackendError("wdk-evm-wallet did not return an x402 EVM signature.")
+        if signature.startswith("0x"):
+            signature = signature[2:]
+        try:
+            return bytes.fromhex(signature)
+        except ValueError as exc:
+            raise WalletBackendError("wdk-evm-wallet returned an invalid x402 EVM signature.") from exc
+
     async def get_balance(self, address: str | None = None) -> dict[str, Any]:
         resolved_address = await self.get_address()
         if address is not None and address.strip() and address.strip() != resolved_address:

package/agent-wallet/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "openclaw-agent-wallet"
-version = "0.1.17"
+version = "0.1.19"
 description = "Plugin-friendly wallet backend for OpenClaw agents"
 requires-python = ">=3.10"
 dependencies = [
@@ -15,6 +15,7 @@ dependencies = [
     "python-dotenv>=1.0.0",
     "solana>=0.36.0",
     "solders>=0.27.0",
+    "x402[httpx,svm,evm]>=2.10.0",
 ]
 
 [project.optional-dependencies]

package/agent-wallet/scripts/build_release_bundle.py

@@ -33,6 +33,7 @@ INCLUDED_TOP_LEVEL_DIRS = [
 EXCLUDED_EXACT_RELATIVE_PATHS = {
     ".openclaw/extensions-local",
     ".openclaw/openclaw.local.example.json",
+    ".openclaw/extensions/pay-bridge",
 }
 EXCLUDED_DIR_NAMES = {
     ".git",

package/agent-wallet/scripts/install_agent_wallet.py

@@ -201,6 +201,9 @@ def _ignore_runtime_entries(_directory: str, names: list[str]) -> set[str]:
     keep_dist = ".openclaw" in directory.parts and "extensions" in directory.parts
     ignored: set[str] = set()
     for name in names:
+        if name == "pay-bridge" and directory.parts[-2:] == (".openclaw", "extensions"):
+            ignored.add(name)
+            continue
         if name == "dist" and keep_dist:
             continue
         if name in EXCLUDED_RUNTIME_DIR_NAMES:

package/agent-wallet/scripts/install_openclaw_local_config.py

@@ -5,7 +5,7 @@ from __future__ import annotations
 import argparse
 import json
 import os
-import shutil
+import secrets
 import sys
 from datetime import datetime, timezone
 from pathlib import Path
@@ -49,13 +49,11 @@ OPTIONAL_TOOLS = [
     "flash_trade_close_position",
 ]
 
-PAY_BRIDGE_PLUGIN_ID = "pay-bridge"
-PAY_BRIDGE_TOOLS = [
-    "pay_status",
-    "pay_wallet_info",
-    "pay_search_services",
-    "pay_get_service_endpoints",
-    "pay_api_request",
+X402_TOOLS = [
+    "x402_search_services",
+    "x402_get_service_details",
+    "x402_preview_request",
+    "x402_pay_request",
 ]
 
 
@@ -97,13 +95,6 @@ def _default_extension_path() -> Path:
     return _repo_root() / ".openclaw" / "extensions" / "agent-wallet"
 
 
-def _default_pay_bridge_extension_path() -> Path:
-    runtime_root = _trusted_runtime_root()
-    if runtime_root is not None:
-        return runtime_root / ".openclaw" / "extensions" / PAY_BRIDGE_PLUGIN_ID
-    return _repo_root() / ".openclaw" / "extensions" / PAY_BRIDGE_PLUGIN_ID
-
-
 def _default_package_root() -> Path:
     runtime_root = _trusted_runtime_root()
     if runtime_root is not None:
@@ -126,14 +117,6 @@ def _default_python_bin() -> str:
     return sys.executable
 
 
-def _default_pay_binary() -> str:
-    explicit = os.getenv("OPENCLAW_PAY_BINARY", "").strip()
-    if explicit:
-        return explicit
-    resolved = shutil.which("pay")
-    return resolved or "pay"
-
-
 def _default_user_id() -> str:
     return f"{os.getenv('USER', 'openclaw-user')}-local"
 
@@ -171,10 +154,8 @@ def build_parser() -> argparse.ArgumentParser:
         default=True,
     )
     parser.add_argument("--extension-path", default=str(_default_extension_path()))
-    parser.add_argument("--pay-bridge-extension-path", default=str(_default_pay_bridge_extension_path()))
     parser.add_argument("--package-root", default=str(_default_package_root()))
     parser.add_argument("--python-bin", default=_default_python_bin())
-    parser.add_argument("--pay-binary", default=_default_pay_binary())
     parser.add_argument("--write-master-key", action=argparse.BooleanOptionalAction, default=False)
     return parser
 
@@ -184,12 +165,15 @@ def _collect_sealed_secret_updates() -> dict[str, str]:
     master_key = os.getenv("AGENT_WALLET_MASTER_KEY", "").strip()
     approval_secret = os.getenv("AGENT_WALLET_APPROVAL_SECRET", "").strip()
     private_key = os.getenv("SOLANA_AGENT_PRIVATE_KEY", "").strip()
+    evm_wallet_password = os.getenv("WDK_EVM_WALLET_PASSWORD", "").strip()
     if master_key:
         updates["master_key"] = master_key
     if approval_secret:
         updates["approval_secret"] = approval_secret
     if private_key:
         updates["private_key"] = private_key
+    if evm_wallet_password:
+        updates["wdk_evm_wallet_password"] = evm_wallet_password
     return updates
 
 
@@ -198,10 +182,12 @@ def _maybe_install_sealed_keys() -> str | None:
     if not boot_key:
         return None
     updates = _collect_sealed_secret_updates()
-    if not updates:
-        return None
     sealed_path = resolve_sealed_keys_path()
     existing = unseal_keys(boot_key) if sealed_path.exists() else {}
+    if "wdk_evm_wallet_password" not in existing and "wdk_evm_wallet_password" not in updates:
+        updates["wdk_evm_wallet_password"] = secrets.token_urlsafe(24)
+    if not updates:
+        return None
     return str(seal_keys(boot_key, {**existing, **updates}))
 
 
@@ -248,17 +234,14 @@ def main() -> None:
     allow = plugins.setdefault("allow", [])
     if args.plugin_id not in allow:
         allow.append(args.plugin_id)
-    if PAY_BRIDGE_PLUGIN_ID not in allow:
-        allow.append(PAY_BRIDGE_PLUGIN_ID)
+    allow[:] = [item for item in allow if item != "pay-bridge"]
 
     load = plugins.setdefault("load", {})
     paths = load.setdefault("paths", [])
     extension_path_text = str(Path(args.extension_path).expanduser().resolve())
     if extension_path_text not in paths:
         paths.append(extension_path_text)
-    pay_bridge_extension_path_text = str(Path(args.pay_bridge_extension_path).expanduser().resolve())
-    if pay_bridge_extension_path_text not in paths:
-        paths.append(pay_bridge_extension_path_text)
+    paths[:] = [item for item in paths if "extensions/pay-bridge" not in str(item)]
 
     entries = plugins.setdefault("entries", {})
     effective_network = _normalize_network(args.backend, args.network)
@@ -311,25 +294,19 @@ def main() -> None:
         "enabled": True,
         "config": plugin_config,
     }
-    existing_pay_entry = entries.get(PAY_BRIDGE_PLUGIN_ID) if isinstance(entries.get(PAY_BRIDGE_PLUGIN_ID), dict) else {}
-    existing_pay_config = (
-        dict(existing_pay_entry.get("config"))
-        if isinstance(existing_pay_entry.get("config"), dict)
-        else {}
-    )
-    pay_bridge_config = {
-        **existing_pay_config,
-        "payBinary": args.pay_binary.strip() or _default_pay_binary(),
-        "requireHttps": bool(existing_pay_config.get("requireHttps", True)),
-    }
-    entries[PAY_BRIDGE_PLUGIN_ID] = {
-        "enabled": True,
-        "config": pay_bridge_config,
-    }
+    entries.pop("pay-bridge", None)
 
     tools = data.setdefault("tools", {})
     also_allow = tools.setdefault("alsoAllow", [])
-    for tool_name in OPTIONAL_TOOLS + PAY_BRIDGE_TOOLS:
+    removed_pay_tools = {
+        "pay_status",
+        "pay_wallet_info",
+        "pay_search_services",
+        "pay_get_service_endpoints",
+        "pay_api_request",
+    }
+    also_allow[:] = [tool_name for tool_name in also_allow if tool_name not in removed_pay_tools]
+    for tool_name in OPTIONAL_TOOLS + X402_TOOLS:
         if tool_name not in also_allow:
             also_allow.append(tool_name)
 
@@ -345,7 +322,6 @@ def main() -> None:
                 "config_path": str(config_path),
                 "backup_path": str(backup_path),
                 "extension_path": extension_path_text,
-                "pay_bridge_extension_path": pay_bridge_extension_path_text,
                 "python_bin": args.python_bin,
                 "package_root": plugin_config["packageRoot"],
                 "plugin_id": args.plugin_id,

package/agent-wallet/scripts/install_openclaw_sealed_keys.py

@@ -5,6 +5,7 @@ from __future__ import annotations
 import argparse
 import json
 import os
+import secrets as py_secrets
 import sys
 from pathlib import Path
 
@@ -49,12 +50,15 @@ def _collect_secret_updates() -> dict[str, str]:
     master_key = os.getenv("AGENT_WALLET_MASTER_KEY", "").strip()
     approval_secret = os.getenv("AGENT_WALLET_APPROVAL_SECRET", "").strip()
     private_key = os.getenv("SOLANA_AGENT_PRIVATE_KEY", "").strip()
+    evm_wallet_password = os.getenv("WDK_EVM_WALLET_PASSWORD", "").strip()
     if master_key:
         updates["master_key"] = master_key
     if approval_secret:
         updates["approval_secret"] = approval_secret
     if private_key:
         updates["private_key"] = private_key
+    if evm_wallet_password:
+        updates["wdk_evm_wallet_password"] = evm_wallet_password
     return updates
 
 
@@ -80,6 +84,10 @@ def main() -> None:
     sealed_path = resolve_sealed_keys_path()
     existing = unseal_keys(boot_key) if sealed_path.exists() and not args.replace else {}
     secrets = {**existing, **updates}
+    generated_keys: list[str] = []
+    if "wdk_evm_wallet_password" not in secrets:
+        secrets["wdk_evm_wallet_password"] = py_secrets.token_urlsafe(24)
+        generated_keys.append("wdk_evm_wallet_password")
     if not secrets:
         raise SystemExit(
             "No secrets provided. Set AGENT_WALLET_MASTER_KEY, AGENT_WALLET_APPROVAL_SECRET, "
@@ -93,7 +101,7 @@ def main() -> None:
                 "ok": True,
                 "path": str(path),
                 "stored_keys": sorted(secrets.keys()),
-                "updated_keys": sorted(updates.keys()),
+                "updated_keys": sorted(set(updates.keys()) | set(generated_keys)),
                 "replaced": bool(args.replace),
             },
             indent=2,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentlayer.tech/wallet",
-  "version": "0.1.17",
+  "version": "0.1.19",
   "description": "NPM installer for the OpenClaw Agent Wallet local runtime.",
   "type": "module",
   "repository": {
@@ -40,7 +40,6 @@
     "agent-wallet/pyproject.toml",
     ".openclaw/AGENTS.md",
     ".openclaw/extensions/agent-wallet/",
-    ".openclaw/extensions/pay-bridge/",
     "hermes/plugins/agent_wallet/",
     "wdk-btc-wallet/src/",
     "wdk-btc-wallet/bootstrap.sh",

package/wdk-evm-wallet/src/server.js

@@ -554,6 +554,12 @@ async function handleRequest(request, response) {
       return sendJson(response, 200, { ok: true, data });
     }
 
+    if (method === "POST" && url.pathname === "/v1/evm/x402/exact/sign") {
+      const body = await withResolvedNetwork(await withResolvedSeed(await readJsonBody(request)));
+      const data = await service.signX402ExactTypedData(body);
+      return sendJson(response, 200, { ok: true, data });
+    }
+
     return notFound(response);
   } catch (error) {
     const shaped = toErrorResponse(error, new URL(request.url || "/", "http://localhost").pathname, 400);

package/wdk-evm-wallet/src/wdk_evm_wallet.js

@@ -149,6 +149,14 @@ function assertPositiveBigIntString(value, fieldName) {
   return parsed;
 }
 
+function assertNonNegativeBigIntString(value, fieldName) {
+  const normalized = String(value ?? "").trim();
+  if (!/^[0-9]+$/.test(normalized)) {
+    throw new Error(`${fieldName} must be a non-negative base-10 integer string.`);
+  }
+  return normalized;
+}
+
 function normalizeAddress(value, fieldName) {
   const address = assertNonEmptyString(value, fieldName);
   if (!/^0x[a-fA-F0-9]{40}$/.test(address)) {
@@ -305,6 +313,71 @@ function mergeBridgeLists(...values) {
   return items.length > 0 ? items.join(",") : null;
 }
 
+function assertPlainObject(value, fieldName) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new Error(`${fieldName} must be an object.`);
+  }
+  return value;
+}
+
+function normalizeX402ExactTypedData({ domain, types, primaryType, message }, runtimeConfig) {
+  const normalizedPrimaryType = assertNonEmptyString(primaryType, "primaryType");
+  if (normalizedPrimaryType !== "TransferWithAuthorization") {
+    throw new Error("primaryType must be TransferWithAuthorization for x402 exact EVM payments.");
+  }
+
+  const domainObject = assertPlainObject(domain, "domain");
+  const domainChainId = assertNonNegativeInteger(domainObject.chainId, "domain.chainId");
+  if (domainChainId !== runtimeConfig.chainId) {
+    throw new Error("domain.chainId must match the active network chain id.");
+  }
+  const normalizedDomain = {
+    name: assertNonEmptyString(domainObject.name, "domain.name"),
+    version: assertNonEmptyString(domainObject.version, "domain.version"),
+    chainId: domainChainId,
+    verifyingContract: normalizeAddress(domainObject.verifyingContract, "domain.verifyingContract"),
+  };
+
+  const typesObject = assertPlainObject(types, "types");
+  const primaryFields = typesObject[normalizedPrimaryType];
+  if (!Array.isArray(primaryFields) || primaryFields.length === 0) {
+    throw new Error(`types.${normalizedPrimaryType} must be a non-empty array.`);
+  }
+  const normalizedTypes = {};
+  for (const [typeName, fields] of Object.entries(typesObject)) {
+    if (!Array.isArray(fields) || fields.length === 0) {
+      throw new Error(`types.${typeName} must be a non-empty array.`);
+    }
+    normalizedTypes[typeName] = fields.map((field, index) => {
+      const normalizedField = assertPlainObject(field, `types.${typeName}[${index}]`);
+      return {
+        name: assertNonEmptyString(normalizedField.name, `types.${typeName}[${index}].name`),
+        type: assertNonEmptyString(normalizedField.type, `types.${typeName}[${index}].type`),
+      };
+    });
+  }
+
+  const messageObject = assertPlainObject(message, "message");
+  const normalizedMessage = {
+    from: normalizeAddress(messageObject.from, "message.from"),
+    to: normalizeAddress(messageObject.to, "message.to"),
+    value: assertPositiveBigIntString(messageObject.value, "message.value").toString(),
+    validAfter: assertNonNegativeBigIntString(messageObject.validAfter, "message.validAfter"),
+    validBefore: assertPositiveBigIntString(messageObject.validBefore, "message.validBefore").toString(),
+    nonce: assertNonEmptyString(messageObject.nonce, "message.nonce"),
+  };
+  if (!/^0x[a-fA-F0-9]{64}$/.test(normalizedMessage.nonce)) {
+    throw new Error("message.nonce must be a 32-byte hex string.");
+  }
+
+  return {
+    domain: normalizedDomain,
+    types: normalizedTypes,
+    primaryType: normalizedPrimaryType,
+    message: normalizedMessage,
+  };
+}
+
 function buildSwapRequest({ tokenIn, tokenOut, tokenInAmount }) {
   const swapRequest = {
     tokenIn: normalizeAddress(tokenIn, "tokenIn"),
@@ -2335,6 +2408,41 @@ export class WdkEvmWalletService {
     });
   }
 
+  async signX402ExactTypedData({
+    seedPhrase,
+    accountIndex = 0,
+    network,
+    domain,
+    types,
+    primaryType,
+    message,
+  }) {
+    return this.#withAccount({ seedPhrase, accountIndex, network }, async (account, runtimeConfig) => {
+      const typedData = normalizeX402ExactTypedData(
+        { domain, types, primaryType, message },
+        runtimeConfig
+      );
+      const signerAddress = normalizeAddress(await account.getAddress(), "accountAddress");
+      if (typedData.message.from.toLowerCase() !== signerAddress.toLowerCase()) {
+        throw new Error("message.from must match the active wallet account address.");
+      }
+      const signature = await account.signTypedData({
+        domain: typedData.domain,
+        types: typedData.types,
+        message: typedData.message,
+      });
+      return {
+        network: runtimeConfig.network,
+        chainId: runtimeConfig.chainId,
+        accountIndex,
+        address: signerAddress,
+        primaryType: typedData.primaryType,
+        signature,
+        source: "wdk-wallet-evm",
+      };
+    });
+  }
+
   #resolveRuntimeConfig(networkOverride) {
     const network = assertValidNetwork(networkOverride) || this.config.network;
     const profile = this.config.networkProfiles?.[network];

package/.openclaw/extensions/pay-bridge/README.md

@@ -1,38 +0,0 @@
-# pay-bridge
-
-Thin OpenClaw bridge to the locally installed `pay` CLI.
-
-External install path:
-
-```bash
-openclaw plugins install clawhub:@agentlayertech/pay-bridge-plugin
-```
-
-This plugin is intentionally separate from `agent-wallet`:
-
-- `agent-wallet` remains the execution wallet stack for Solana/EVM/BTC
-- `pay-bridge` only discovers and calls paid APIs through `pay`
-- the `pay` wallet stays separate from the AgentLayer wallet runtime
-
-## Exposed tools
-
-- `pay_status`
-- `pay_wallet_info`
-- `pay_search_services`
-- `pay_get_service_endpoints`
-- `pay_api_request`
-
-## Intended workflow
-
-1. `pay_status`
-2. `pay_search_services`
-3. `pay_get_service_endpoints`
-4. `pay_api_request`
-
-`pay_api_request` is deliberately narrow:
-
-- it requires a `service_fqn`, `resource`, and `url`
-- it validates the URL against `pay skills endpoints`
-- it requires `purpose` and `user_confirmed=true`
-
-This keeps the bridge thin and prevents it from becoming a generic arbitrary paid-curl launcher.