@agentlayer.tech/wallet 0.1.28 → 0.1.32

package/codex/plugins/agent-wallet/skills/wallet-operator/SKILL.md

@@ -0,0 +1,18 @@
+---
+name: "wallet-operator"
+description: "Use when the user asks Codex to interact with the local AgentLayer wallet runtime. Prefer wallet tools over shell commands, preview writes first, and keep approval/signing semantics intact."
+---
+
+# Agent Wallet Operator
+
+Use this plugin when the user wants Codex to work with the existing local AgentLayer wallet.
+
+Rules:
+
+- Do not create a new wallet unless the user explicitly asks for wallet provisioning outside this plugin.
+- Prefer wallet tools over shelling out to chain CLIs, curl, or ad hoc scripts.
+- For writes, start with `preview` or `intent_preview` when the tool supports it.
+- Execute only after the user explicitly confirms the shown summary.
+- On mainnet, restate the network, asset, amount, and destination before execute.
+- Do not ask the user for `approval_token`. The bridge manages approval binding internally.
+- If approval context is missing or stale, repeat preview instead of improvising.

package/hermes/plugins/agent_wallet/schemas.py

@@ -48,7 +48,7 @@ AGENT_WALLET_INVOKE = {
             },
             "network": {
                 "type": "string",
-                "description": "Optional network override, such as devnet, mainnet, bitcoin, ethereum, or base.",
+                "description": "Optional network override, such as mainnet, bitcoin, ethereum, or base.",
             },
             "user_id": {
                 "type": "string",
@@ -149,7 +149,7 @@ AGENT_WALLET_EVM_STATUS = {
             },
             "network": {
                 "type": "string",
-                "description": "Optional EVM network hint, such as ethereum, base, sepolia, or base-sepolia.",
+                "description": "Optional EVM network hint, such as ethereum or base.",
             },
             "service_url": {
                 "type": "string",

package/hermes/plugins/agent_wallet/tools.py

@@ -15,7 +15,7 @@ from typing import Any
 
 SECRET_CONFIG_KEYS = {"privateKey", "masterKey", "approvalSecret"}
 BACKENDS = ("solana_local", "wdk_btc_local", "wdk_evm_local")
-PREVIEW_BOUND_SWAP_TOOLS = {"swap_solana_tokens", "swap_solana_privately"}
+PREVIEW_BOUND_SWAP_TOOLS = {"swap_solana_tokens"}
 
 
 def _json(data: dict[str, Any]) -> str:
@@ -236,7 +236,15 @@ def _infer_backend_for_tool(tool_name: str) -> str | None:
         or "jupiter" in tool_name
         or "kamino" in tool_name
         or "bags" in tool_name
-        or tool_name in {"transfer_sol", "transfer_spl_token", "sign_wallet_message", "close_empty_token_accounts", "request_devnet_airdrop", "get_wallet_portfolio", "get_solana_token_prices"}
+        or tool_name
+        in {
+            "transfer_sol",
+            "transfer_spl_token",
+            "sign_wallet_message",
+            "close_empty_token_accounts",
+            "get_wallet_portfolio",
+            "get_solana_token_prices",
+        }
     ):
         return "solana_local"
     return None
@@ -252,6 +260,8 @@ def _normalize_network_for_backend(backend: str, raw_network: Any) -> str:
             "base-mainnet": "base",
         }
         normalized = aliases.get(network, network)
+        if normalized in {"sepolia", "base-sepolia", "base_sepolia"}:
+            raise RuntimeError("EVM testnets are no longer supported. Use ethereum or base.")
         return normalized if normalized in {"ethereum", "base"} else "ethereum"
     if backend == "wdk_btc_local":
         aliases = {
@@ -261,7 +271,9 @@ def _normalize_network_for_backend(backend: str, raw_network: Any) -> str:
             "mainnet": "bitcoin",
         }
         normalized = aliases.get(network, network)
-        return normalized if normalized in {"bitcoin", "testnet", "regtest"} else "bitcoin"
+        if normalized in {"testnet", "regtest"}:
+            raise RuntimeError("Bitcoin testnet/regtest are no longer supported. Use bitcoin.")
+        return normalized if normalized == "bitcoin" else "bitcoin"
     aliases = {
         "solana": "mainnet",
         "solana-mainnet": "mainnet",
@@ -269,7 +281,9 @@ def _normalize_network_for_backend(backend: str, raw_network: Any) -> str:
         "mainnet-beta": "mainnet",
     }
     normalized = aliases.get(network, network)
-    return normalized if normalized in {"mainnet", "devnet", "testnet"} else "mainnet"
+    if normalized in {"devnet", "testnet"}:
+        raise RuntimeError("Solana devnet/testnet are no longer supported. Use mainnet.")
+    return normalized if normalized == "mainnet" else "mainnet"
 
 
 def _reject_secret_config(config: dict[str, Any]) -> None:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentlayer.tech/wallet",
-  "version": "0.1.28",
+  "version": "0.1.32",
   "description": "NPM installer for the OpenClaw Agent Wallet local runtime.",
   "type": "module",
   "repository": {
@@ -42,6 +42,8 @@
     "agent-wallet/pyproject.toml",
     ".openclaw/AGENTS.md",
     ".openclaw/extensions/agent-wallet/",
+    "codex/plugins/agent-wallet/",
+    "claude-code/plugins/agent-wallet/",
     "hermes/plugins/agent_wallet/",
     "wdk-btc-wallet/src/",
     "wdk-btc-wallet/bootstrap.sh",
@@ -59,6 +61,8 @@
     "!agent-wallet/**/*.pyc",
     "!hermes/**/__pycache__/**",
     "!hermes/**/*.pyc",
+    "!codex/**/__pycache__/**",
+    "!codex/**/*.pyc",
     "!agent-wallet/.pytest_cache/**",
     "!agent-wallet/.runtime-venv/**",
     "!**/node_modules/**",
@@ -67,6 +71,7 @@
   ],
   "keywords": [
     "openclaw",
+    "codex",
     "agent-wallet",
     "wallet",
     "solana",

package/setup.sh

@@ -74,6 +74,8 @@ require_cmd npm
 require_path "$INSTALLER" "Python installer"
 require_path "${ROOT_DIR}/agent-wallet" "agent-wallet package"
 require_path "${ROOT_DIR}/.openclaw/extensions/agent-wallet" "OpenClaw extension"
+require_path "${ROOT_DIR}/codex/plugins/agent-wallet/.codex-plugin/plugin.json" "Codex plugin"
+require_path "${ROOT_DIR}/claude-code/plugins/agent-wallet/.claude-plugin/plugin.json" "Claude Code plugin"
 require_path "${ROOT_DIR}/wdk-btc-wallet/package.json" "wdk-btc-wallet package"
 require_path "${ROOT_DIR}/wdk-evm-wallet/package.json" "wdk-evm-wallet package"
 

package/wdk-btc-wallet/src/local_vault.js

@@ -26,14 +26,6 @@ function assertPositiveInteger(value, fieldName) {
   return parsed;
 }
 
-function assertNonNegativeInteger(value, fieldName) {
-  const parsed = Number(value);
-  if (!Number.isInteger(parsed) || parsed < 0) {
-    throw new Error(`${fieldName} must be a non-negative integer.`);
-  }
-  return parsed;
-}
-
 function sanitizeLabel(label) {
   const normalized = String(label ?? "").trim();
   return normalized || "BTC Wallet";
@@ -67,6 +59,7 @@ async function encryptSeedPhrase({ seedPhrase, password, walletId }) {
     cipher.final(),
   ]);
   const tag = cipher.getAuthTag();
+  key.fill(0);
   return {
     version: VAULT_VERSION,
     kdf: {
@@ -95,7 +88,12 @@ async function decryptSeedPhrase({ encrypted, password, walletId }) {
   decipher.setAAD(Buffer.from(`wdk-btc-wallet:${walletId}:v${VAULT_VERSION}`, "utf8"));
   decipher.setAuthTag(tag);
   const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-  return plaintext.toString("utf8");
+  key.fill(0);
+  // The returned string is an unavoidable transient (V8 strings are immutable);
+  // the derived key and plaintext buffers are zeroized so no zeroizable secret lingers.
+  const seedPhrase = plaintext.toString("utf8");
+  plaintext.fill(0);
+  return seedPhrase;
 }
 
 async function decryptSeedPhraseWithPasswordCheck(args) {
@@ -117,7 +115,6 @@ async function decryptSeedPhraseWithPasswordCheck(args) {
 export class LocalBtcVault {
   constructor(config) {
     this.config = config;
-    this._unlocked = new Map();
   }
 
   async createWallet({
@@ -139,10 +136,9 @@ export class LocalBtcVault {
       source: "created",
       network,
     });
-    await this.unlockWallet({ walletId: wallet.walletId, password, timeoutSeconds: 0 });
     return {
       ...wallet,
-      unlocked: true,
+      unlocked: false,
       unlockExpiresAt: null,
       ...(revealSeedPhrase ? { seedPhrase } : {}),
     };
@@ -160,39 +156,35 @@ export class LocalBtcVault {
       source: "imported",
       network,
     });
-    await this.unlockWallet({ walletId: wallet.walletId, password, timeoutSeconds: 0 });
     return {
       ...wallet,
-      unlocked: true,
+      unlocked: false,
       unlockExpiresAt: null,
     };
   }
 
   async listWallets() {
-    this.#sweepExpiredUnlocked();
     const registry = await this.#loadRegistry();
-    return registry.wallets.map((wallet) => {
-      const unlocked = this._unlocked.get(wallet.walletId);
-      return {
-        ...wallet,
-        unlocked: Boolean(unlocked),
-        unlockExpiresAt: unlocked ? unlocked.expiresAt : null,
-      };
-    });
+    return registry.wallets.map((wallet) => ({
+      ...wallet,
+      unlocked: false,
+      unlockExpiresAt: null,
+    }));
   }
 
   async getWallet({ walletId }) {
-    this.#sweepExpiredUnlocked();
     const wallet = await this.#getWalletMetadata(assertNonEmptyString(walletId, "walletId"));
-    const unlocked = this._unlocked.get(wallet.walletId);
     return {
       ...wallet,
-      unlocked: Boolean(unlocked),
-      unlockExpiresAt: unlocked ? unlocked.expiresAt : null,
+      unlocked: false,
+      unlockExpiresAt: null,
     };
   }
 
-  async unlockWallet({ walletId, password, timeoutSeconds }) {
+  // Deprecated: the wallet now uses a decrypt-on-demand model and never holds a
+  // plaintext seed in memory between requests. This endpoint only verifies the
+  // password so callers get feedback; it does not persist any unlocked state.
+  async unlockWallet({ walletId, password }) {
     const metadata = await this.#getWalletMetadata(assertNonEmptyString(walletId, "walletId"));
     const encrypted = await this.#loadEncryptedWallet(walletId);
     const secret = await decryptSeedPhraseWithPasswordCheck({
@@ -203,28 +195,21 @@ export class LocalBtcVault {
     if (!WDK.isValidSeed(secret)) {
       throw new Error("Decrypted wallet seed phrase is invalid.");
     }
-    const ttl =
-      timeoutSeconds === undefined || timeoutSeconds === null
-        ? this.config.unlockTimeoutSeconds
-        : assertNonNegativeInteger(timeoutSeconds, "timeoutSeconds");
-    const expiresAt = ttl === 0 ? null : new Date(Date.now() + ttl * 1000).toISOString();
-    this._unlocked.set(walletId, {
-      seedPhrase: secret,
-      expiresAt,
-    });
     return {
       walletId,
       label: metadata.label,
-      unlocked: true,
-      unlockExpiresAt: expiresAt,
+      unlocked: false,
+      unlockExpiresAt: null,
+      deprecated: true,
     };
   }
 
+  // Deprecated no-op: the wallet is always sealed at rest in the decrypt-on-demand model.
   async lockWallet({ walletId }) {
-    this._unlocked.delete(assertNonEmptyString(walletId, "walletId"));
     return {
-      walletId,
+      walletId: assertNonEmptyString(walletId, "walletId"),
       unlocked: false,
+      deprecated: true,
     };
   }
 
@@ -283,25 +268,19 @@ export class LocalBtcVault {
     };
     await this.#saveRegistry(registry);
 
-    const unlocked = this._unlocked.get(id);
-    if (unlocked) {
-      this._unlocked.set(id, {
-        seedPhrase,
-        expiresAt: unlocked.expiresAt,
-      });
-    }
-
     return {
       walletId: id,
       label: metadata.label,
       passwordChanged: true,
       updatedAt,
-      unlocked: Boolean(this._unlocked.get(id)),
-      unlockExpiresAt: this._unlocked.get(id)?.expiresAt ?? null,
+      unlocked: false,
+      unlockExpiresAt: null,
     };
   }
 
-  async resolveSeedPhrase({ walletId, seedPhrase }) {
+  // Decrypt-on-demand: the seed is decrypted just-in-time for a single signing
+  // request from the supplied password, never persisted between requests.
+  async resolveSeedPhrase({ walletId, seedPhrase, password }) {
     if (typeof seedPhrase === "string" && seedPhrase.trim()) {
       if (!WDK.isValidSeed(seedPhrase.trim())) {
         throw new Error("seedPhrase must be a valid BIP-39 seed phrase.");
@@ -313,16 +292,23 @@ export class LocalBtcVault {
       };
     }
     const id = assertNonEmptyString(walletId, "walletId");
-    this.#sweepExpiredUnlocked();
-    const unlocked = this._unlocked.get(id);
-    if (!unlocked) {
-      throw new Error("Wallet is locked. Unlock it first or provide seedPhrase explicitly.");
+    if (typeof password !== "string" || !password.trim()) {
+      throw new Error("Wallet is locked. Provide password or seedPhrase explicitly.");
+    }
+    await this.#getWalletMetadata(id);
+    const encrypted = await this.#loadEncryptedWallet(id);
+    const secret = await decryptSeedPhraseWithPasswordCheck({
+      encrypted,
+      password: password.trim(),
+      walletId: id,
+    });
+    if (!WDK.isValidSeed(secret)) {
+      throw new Error("Decrypted wallet seed phrase is invalid.");
     }
     return {
-      seedPhrase: unlocked.seedPhrase,
-      source: "local-vault",
+      seedPhrase: secret,
+      source: "local-vault-jit",
       walletId: id,
-      unlockExpiresAt: unlocked.expiresAt,
     };
   }
 
@@ -420,13 +406,4 @@ export class LocalBtcVault {
   #registryPath() {
     return path.join(this.config.dataDir, REGISTRY_FILE);
   }
-
-  #sweepExpiredUnlocked() {
-    const now = Date.now();
-    for (const [walletId, state] of this._unlocked.entries()) {
-      if (state.expiresAt && Date.parse(state.expiresAt) <= now) {
-        this._unlocked.delete(walletId);
-      }
-    }
-  }
 }

package/wdk-btc-wallet/src/server.js

@@ -44,6 +44,7 @@ async function withResolvedSeed(body = {}) {
   const resolved = await vault.resolveSeedPhrase({
     walletId: body.walletId,
     seedPhrase: body.seedPhrase,
+    password: body.password,
   });
   return {
     ...body,

package/wdk-evm-wallet/README.md

@@ -165,9 +165,10 @@ Gateway mode:
 - `PROVIDER_GATEWAY_URL` defaults to `https://agent-layer-production.up.railway.app`
 - set `PROVIDER_GATEWAY_URL=https://...` only when overriding the hosted default
 - `PROVIDER_GATEWAY_BEARER_TOKEN` is optional and only needed when the gateway is protected
-- optionally set `WDK_EVM_RPC_GATEWAY_PROVIDER=alchemy|shared|auto`
-- in gateway mode, `ethereum` and `base` use the provider gateway raw EVM RPC route
-- explicit `WDK_EVM_<NETWORK>_RPC_URL` values still override gateway mode per network
+- `ethereum` and `base` mainnet are always routed through the provider gateway raw EVM RPC route
+- `ethereum` and `base` mainnet are pinned to the gateway `provider=alchemy` path
+- direct `WDK_EVM_ETHEREUM_RPC_URL` and `WDK_EVM_BASE_RPC_URL` values no longer override mainnet routing
+- `WDK_EVM_SEPOLIA_RPC_URL` and `WDK_EVM_BASE_SEPOLIA_RPC_URL` remain direct per-network testnet overrides
 
 Local security note:
 

package/wdk-evm-wallet/src/config.js

@@ -10,6 +10,7 @@ const DEFAULTS = {
   unlockTimeoutSeconds: 0,
 };
 const DEFAULT_PROVIDER_GATEWAY_URL = "https://agent-layer-production.up.railway.app";
+const ENFORCED_GATEWAY_MAINNETS = new Set(["ethereum", "base"]);
 
 const DEFAULT_NETWORK_PROFILES = {
   ethereum: {
@@ -191,6 +192,20 @@ export function loadConfig(env = process.env) {
 
   function resolveProviderUrl(networkKey, envValue, fallbackUrl) {
     const direct = String(envValue ?? "").trim();
+    if (ENFORCED_GATEWAY_MAINNETS.has(networkKey)) {
+      const enforcedGatewayUrl = buildGatewayEvmRpcUrl(
+        providerGatewayUrl,
+        networkKey,
+        "alchemy",
+        providerGatewayToken
+      );
+      if (!enforcedGatewayUrl) {
+        throw new Error(
+          `PROVIDER_GATEWAY_URL is required for ${networkKey} mainnet RPC routing.`
+        );
+      }
+      return enforcedGatewayUrl;
+    }
     if (direct) {
       return direct;
     }

package/wdk-evm-wallet/src/local_vault.js

@@ -26,14 +26,6 @@ function assertPositiveInteger(value, fieldName) {
   return parsed;
 }
 
-function assertNonNegativeInteger(value, fieldName) {
-  const parsed = Number(value);
-  if (!Number.isInteger(parsed) || parsed < 0) {
-    throw new Error(`${fieldName} must be a non-negative integer.`);
-  }
-  return parsed;
-}
-
 function sanitizeLabel(label) {
   const normalized = String(label ?? "").trim();
   return normalized || "EVM Wallet";
@@ -67,6 +59,7 @@ async function encryptSeedPhrase({ seedPhrase, password, walletId }) {
     cipher.final(),
   ]);
   const tag = cipher.getAuthTag();
+  key.fill(0);
   return {
     version: VAULT_VERSION,
     kdf: {
@@ -95,7 +88,12 @@ async function decryptSeedPhrase({ encrypted, password, walletId }) {
   decipher.setAAD(Buffer.from(`wdk-evm-wallet:${walletId}:v${VAULT_VERSION}`, "utf8"));
   decipher.setAuthTag(tag);
   const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-  return plaintext.toString("utf8");
+  key.fill(0);
+  // The returned string is an unavoidable transient (V8 strings are immutable);
+  // the derived key and plaintext buffers are zeroized so no zeroizable secret lingers.
+  const seedPhrase = plaintext.toString("utf8");
+  plaintext.fill(0);
+  return seedPhrase;
 }
 
 async function decryptSeedPhraseWithPasswordCheck(args) {
@@ -117,7 +115,6 @@ async function decryptSeedPhraseWithPasswordCheck(args) {
 export class LocalEvmVault {
   constructor(config) {
     this.config = config;
-    this._unlocked = new Map();
   }
 
   async createWallet({
@@ -139,10 +136,9 @@ export class LocalEvmVault {
       source: "created",
       network,
     });
-    await this.unlockWallet({ walletId: wallet.walletId, password, timeoutSeconds: 0 });
     return {
       ...wallet,
-      unlocked: true,
+      unlocked: false,
       unlockExpiresAt: null,
       ...(revealSeedPhrase ? { seedPhrase } : {}),
     };
@@ -160,39 +156,35 @@ export class LocalEvmVault {
       source: "imported",
       network,
     });
-    await this.unlockWallet({ walletId: wallet.walletId, password, timeoutSeconds: 0 });
     return {
       ...wallet,
-      unlocked: true,
+      unlocked: false,
       unlockExpiresAt: null,
     };
   }
 
   async listWallets() {
-    this.#sweepExpiredUnlocked();
     const registry = await this.#loadRegistry();
-    return registry.wallets.map((wallet) => {
-      const unlocked = this._unlocked.get(wallet.walletId);
-      return {
-        ...wallet,
-        unlocked: Boolean(unlocked),
-        unlockExpiresAt: unlocked ? unlocked.expiresAt : null,
-      };
-    });
+    return registry.wallets.map((wallet) => ({
+      ...wallet,
+      unlocked: false,
+      unlockExpiresAt: null,
+    }));
   }
 
   async getWallet({ walletId }) {
-    this.#sweepExpiredUnlocked();
     const wallet = await this.#getWalletMetadata(assertNonEmptyString(walletId, "walletId"));
-    const unlocked = this._unlocked.get(wallet.walletId);
     return {
       ...wallet,
-      unlocked: Boolean(unlocked),
-      unlockExpiresAt: unlocked ? unlocked.expiresAt : null,
+      unlocked: false,
+      unlockExpiresAt: null,
     };
   }
 
-  async unlockWallet({ walletId, password, timeoutSeconds }) {
+  // Deprecated: the wallet now uses a decrypt-on-demand model and never holds a
+  // plaintext seed in memory between requests. This endpoint only verifies the
+  // password so callers get feedback; it does not persist any unlocked state.
+  async unlockWallet({ walletId, password }) {
     const metadata = await this.#getWalletMetadata(assertNonEmptyString(walletId, "walletId"));
     const encrypted = await this.#loadEncryptedWallet(walletId);
     const secret = await decryptSeedPhraseWithPasswordCheck({
@@ -203,28 +195,21 @@ export class LocalEvmVault {
     if (!WDK.isValidSeed(secret)) {
       throw new Error("Decrypted wallet seed phrase is invalid.");
     }
-    const ttl =
-      timeoutSeconds === undefined || timeoutSeconds === null
-        ? this.config.unlockTimeoutSeconds
-        : assertNonNegativeInteger(timeoutSeconds, "timeoutSeconds");
-    const expiresAt = ttl === 0 ? null : new Date(Date.now() + ttl * 1000).toISOString();
-    this._unlocked.set(walletId, {
-      seedPhrase: secret,
-      expiresAt,
-    });
     return {
       walletId,
       label: metadata.label,
-      unlocked: true,
-      unlockExpiresAt: expiresAt,
+      unlocked: false,
+      unlockExpiresAt: null,
+      deprecated: true,
     };
   }
 
+  // Deprecated no-op: the wallet is always sealed at rest in the decrypt-on-demand model.
   async lockWallet({ walletId }) {
-    this._unlocked.delete(assertNonEmptyString(walletId, "walletId"));
     return {
-      walletId,
+      walletId: assertNonEmptyString(walletId, "walletId"),
       unlocked: false,
+      deprecated: true,
     };
   }
 
@@ -283,25 +268,19 @@ export class LocalEvmVault {
     };
     await this.#saveRegistry(registry);
 
-    const unlocked = this._unlocked.get(id);
-    if (unlocked) {
-      this._unlocked.set(id, {
-        seedPhrase,
-        expiresAt: unlocked.expiresAt,
-      });
-    }
-
     return {
       walletId: id,
       label: metadata.label,
       passwordChanged: true,
       updatedAt,
-      unlocked: Boolean(this._unlocked.get(id)),
-      unlockExpiresAt: this._unlocked.get(id)?.expiresAt ?? null,
+      unlocked: false,
+      unlockExpiresAt: null,
     };
   }
 
-  async resolveSeedPhrase({ walletId, seedPhrase }) {
+  // Decrypt-on-demand: the seed is decrypted just-in-time for a single signing
+  // request from the supplied password, never persisted between requests.
+  async resolveSeedPhrase({ walletId, seedPhrase, password }) {
     if (typeof seedPhrase === "string" && seedPhrase.trim()) {
       if (!WDK.isValidSeed(seedPhrase.trim())) {
         throw new Error("seedPhrase must be a valid BIP-39 seed phrase.");
@@ -313,16 +292,23 @@ export class LocalEvmVault {
       };
     }
     const id = assertNonEmptyString(walletId, "walletId");
-    this.#sweepExpiredUnlocked();
-    const unlocked = this._unlocked.get(id);
-    if (!unlocked) {
-      throw new Error("Wallet is locked. Unlock it first or provide seedPhrase explicitly.");
+    if (typeof password !== "string" || !password.trim()) {
+      throw new Error("Wallet is locked. Provide password or seedPhrase explicitly.");
+    }
+    await this.#getWalletMetadata(id);
+    const encrypted = await this.#loadEncryptedWallet(id);
+    const secret = await decryptSeedPhraseWithPasswordCheck({
+      encrypted,
+      password: password.trim(),
+      walletId: id,
+    });
+    if (!WDK.isValidSeed(secret)) {
+      throw new Error("Decrypted wallet seed phrase is invalid.");
     }
     return {
-      seedPhrase: unlocked.seedPhrase,
-      source: "local-vault",
+      seedPhrase: secret,
+      source: "local-vault-jit",
       walletId: id,
-      unlockExpiresAt: unlocked.expiresAt,
     };
   }
 
@@ -418,13 +404,4 @@ export class LocalEvmVault {
   #registryPath() {
     return path.join(this.config.dataDir, REGISTRY_FILE);
   }
-
-  #sweepExpiredUnlocked() {
-    const now = Date.now();
-    for (const [walletId, state] of this._unlocked.entries()) {
-      if (state.expiresAt && Date.parse(state.expiresAt) <= now) {
-        this._unlocked.delete(walletId);
-      }
-    }
-  }
 }

package/wdk-evm-wallet/src/server.js

@@ -227,6 +227,7 @@ async function withResolvedSeed(body = {}) {
   const resolved = await vault.resolveSeedPhrase({
     walletId: body.walletId,
     seedPhrase: body.seedPhrase,
+    password: body.password,
   });
   return {
     ...body,