@agentlayer.tech/wallet 0.1.30 → 0.1.32

package/agent-wallet/agent_wallet/openclaw_cli.py

@@ -101,14 +101,7 @@ def _apply_config_overrides(config: dict[str, Any]) -> None:
             config.get("jupiterPortfolioBaseUrl"),
             True,
         ),
-        "jupiterLendBaseUrl": ("JUPITER_LEND_API_BASE_URL", config.get("jupiterLendBaseUrl"), True),
         "jupiterApiKey": ("JUPITER_API_KEY", config.get("jupiterApiKey"), True),
-        "houdiniBaseUrl": ("HOUDINI_API_BASE_URL", config.get("houdiniBaseUrl"), True),
-        "houdiniApiKey": ("HOUDINI_API_KEY", config.get("houdiniApiKey"), True),
-        "houdiniApiSecret": ("HOUDINI_API_SECRET", config.get("houdiniApiSecret"), True),
-        "houdiniUserIp": ("HOUDINI_USER_IP", config.get("houdiniUserIp"), True),
-        "houdiniUserAgent": ("HOUDINI_USER_AGENT", config.get("houdiniUserAgent"), True),
-        "houdiniUserTimezone": ("HOUDINI_USER_TIMEZONE", config.get("houdiniUserTimezone"), True),
         "kaminoBaseUrl": ("KAMINO_API_BASE_URL", config.get("kaminoBaseUrl"), True),
         "kaminoProgramId": ("KAMINO_PROGRAM_ID", config.get("kaminoProgramId"), True),
     }

package/agent-wallet/agent_wallet/providers/evm_portfolio.py

@@ -14,11 +14,6 @@ COINGECKO_API_URL = "https://api.coingecko.com/api/v3"
 PORTFOLIO_TOKEN_CACHE_TTL_SECONDS = 30.0
 PORTFOLIO_PRICE_CACHE_TTL_SECONDS = 60.0
 
-ALCHEMY_RPC_URLS = {
-    "ethereum": "https://eth-mainnet.g.alchemy.com/v2",
-    "base": "https://base-mainnet.g.alchemy.com/v2",
-}
-
 TOKEN_METADATA: dict[str, dict[str, dict[str, Any]]] = {
     "ethereum": {
         "0xdac17f958d2ee523a2206206994597c13d831ec7": {
@@ -204,51 +199,32 @@ def _to_decimal(value: Any) -> Decimal | None:
         return None
 
 
-async def _gateway_or_alchemy_rpc_call(network: str, method: str, params: list[Any]) -> dict[str, Any]:
+async def _gateway_rpc_call(network: str, method: str, params: list[Any]) -> dict[str, Any]:
     client = get_client()
     payload = {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}
     gateway_url = str(settings.provider_gateway_url or "").strip()
     bearer = str(settings.provider_gateway_bearer_token or "").strip()
-    gateway_error: Exception | None = None
-
-    if gateway_url:
-        try:
-            response = await client.post(
-                f"{gateway_url.rstrip('/')}/v1/evm/rpc/{network}?provider=alchemy",
-                json=payload,
-                headers={"Authorization": f"Bearer {bearer}"} if bearer else None,
-            )
-            if response.status_code == 200:
-                data = response.json()
-                if isinstance(data, dict) and "error" not in data:
-                    return data
-                gateway_error = ProviderError("evm-portfolio", f"Gateway RPC error: {data}")
-            else:
-                gateway_error = ProviderError(
-                    "evm-portfolio",
-                    f"Gateway returned HTTP {response.status_code} for {method}",
-                )
-        except Exception as exc:  # pragma: no cover - network path
-            gateway_error = exc
-
-    alchemy_key = str(settings.alchemy_api_key or "").strip()
-    if not alchemy_key:
-        if gateway_error is not None:
-            raise ProviderError("evm-portfolio", f"No fallback Alchemy key available after gateway failure: {gateway_error}")
-        raise ProviderError("evm-portfolio", "No gateway URL or Alchemy API key configured for EVM portfolio lookup.")
-
-    base_url = ALCHEMY_RPC_URLS.get(network)
-    if not base_url:
-        raise ProviderError("evm-portfolio", f"No Alchemy RPC URL configured for {network}.")
+    if not gateway_url:
+        raise ProviderError(
+            "evm-portfolio",
+            "Provider gateway URL is required for EVM portfolio lookup on ethereum/base.",
+        )
     try:
-        response = await client.post(f"{base_url}/{alchemy_key}", json=payload)
+        response = await client.post(
+            f"{gateway_url.rstrip('/')}/v1/evm/rpc/{network}?provider=alchemy",
+            json=payload,
+            headers={"Authorization": f"Bearer {bearer}"} if bearer else None,
+        )
     except Exception as exc:  # pragma: no cover - network path
-        raise ProviderError("evm-portfolio", f"Alchemy request failed: {exc}") from exc
+        raise ProviderError("evm-portfolio", f"Provider gateway request failed: {exc}") from exc
     if response.status_code != 200:
-        raise ProviderError("evm-portfolio", f"Alchemy returned HTTP {response.status_code} for {method}.")
+        raise ProviderError(
+            "evm-portfolio",
+            f"Provider gateway returned HTTP {response.status_code} for {method}.",
+        )
     data = response.json()
     if "error" in data:
-        raise ProviderError("evm-portfolio", f"Alchemy RPC error: {data['error']}")
+        raise ProviderError("evm-portfolio", f"Provider gateway RPC error: {data['error']}")
     return data
 
 
@@ -259,7 +235,7 @@ async def fetch_token_balances(address: str, network: str) -> list[dict[str, Any
     if cached is not None:
         return cached
 
-    data = await _gateway_or_alchemy_rpc_call(
+    data = await _gateway_rpc_call(
         normalized_network,
         "alchemy_getTokenBalances",
         [address, "erc20"],

package/agent-wallet/agent_wallet/providers/jupiter.py

@@ -1,4 +1,4 @@
-"""Jupiter providers for swap routing, prices, portfolio, and lend/earn flows."""
+"""Jupiter providers for swap routing, prices, and portfolio flows."""
 
 from __future__ import annotations
 
@@ -20,14 +20,6 @@ def _headers() -> dict[str, str]:
     return headers
 
 
-def _require_api_key(provider_name: str) -> None:
-    if not settings.jupiter_api_key.strip():
-        raise ProviderError(
-            provider_name,
-            "Jupiter API key is required for this endpoint. Set JUPITER_API_KEY first.",
-        )
-
-
 def _gateway_base_url() -> str:
     return os.getenv("PROVIDER_GATEWAY_URL", settings.provider_gateway_url).strip().rstrip("/")
 
@@ -47,16 +39,6 @@ def _gateway_enabled() -> bool:
     return bool(_gateway_base_url())
 
 
-def _gateway_route_missing(status_code: int, payload: Any) -> bool:
-    if status_code == 404:
-        return True
-    if isinstance(payload, dict):
-        message = str(payload.get("error") or "").lower()
-        if "not found" in message:
-            return True
-    return False
-
-
 async def _gateway_get(path_suffix: str, *, params: dict[str, Any] | None = None) -> tuple[int, Any]:
     """Make a GET request through provider gateway."""
     client = get_client()
@@ -126,125 +108,6 @@ def _swap_v2_base_url() -> str:
     ).strip().rstrip("/")
 
 
-def _unwrap_gateway_payload(
-    status_code: int,
-    payload: Any,
-    *,
-    operation: str,
-) -> Any:
-    if isinstance(payload, dict) and payload.get("ok") is False:
-        message = str(payload.get("error") or f"{operation} failed.")
-        raise ProviderError("jupiter-lend", f"{operation} failed via provider gateway: {message}")
-
-    if status_code != 200:
-        message = payload
-        if isinstance(payload, dict):
-            message = payload.get("error") or payload
-        raise ProviderError("jupiter-lend", f"{operation} failed via provider gateway: {message}")
-
-    return payload
-
-
-async def _gateway_get_json(
-    path: str,
-    *,
-    params: dict[str, Any] | None,
-    operation: str,
-) -> Any:
-    client = get_client()
-    response = await client.get(
-        f"{_gateway_base_url()}{path}",
-        params=params,
-        headers=_gateway_headers(),
-    )
-    payload = response.json() if response.content else {}
-    return _unwrap_gateway_payload(
-        response.status_code,
-        payload,
-        operation=operation,
-    )
-
-
-async def _gateway_post_json(
-    path: str,
-    *,
-    body: dict[str, Any],
-    operation: str,
-) -> Any:
-    client = get_client()
-    response = await client.post(
-        f"{_gateway_base_url()}{path}",
-        json=body,
-        headers={**_gateway_headers(), "Content-Type": "application/json"},
-    )
-    payload = response.json() if response.content else {}
-    return _unwrap_gateway_payload(
-        response.status_code,
-        payload,
-        operation=operation,
-    )
-
-
-async def _earn_get_with_gateway_fallback(
-    *,
-    path: str,
-    params: dict[str, Any] | None,
-    operation: str,
-) -> Any:
-    if _gateway_enabled():
-        client = get_client()
-        response = await client.get(
-            f"{_gateway_base_url()}{path}",
-            params=params,
-            headers=_gateway_headers(),
-        )
-        payload = response.json() if response.content else {}
-        if _gateway_route_missing(response.status_code, payload) and _direct_jupiter_enabled():
-            return None
-        return _unwrap_gateway_payload(response.status_code, payload, operation=operation)
-    return None
-
-
-async def _earn_post_with_gateway_fallback(
-    *,
-    path: str,
-    body: dict[str, Any],
-    operation: str,
-) -> Any:
-    if _gateway_enabled():
-        client = get_client()
-        response = await client.post(
-            f"{_gateway_base_url()}{path}",
-            json=body,
-            headers={**_gateway_headers(), "Content-Type": "application/json"},
-        )
-        payload = response.json() if response.content else {}
-        if _gateway_route_missing(response.status_code, payload) and _direct_jupiter_enabled():
-            return None
-        return _unwrap_gateway_payload(response.status_code, payload, operation=operation)
-    return None
-
-
-def _normalize_named_list_response(
-    data: Any,
-    *,
-    key: str,
-    provider_name: str,
-) -> dict[str, Any]:
-    if isinstance(data, list):
-        return {key: data}
-    if isinstance(data, dict):
-        items = data.get(key)
-        if isinstance(items, list):
-            return data
-        fallback = data.get("data")
-        if isinstance(fallback, list):
-            normalized = dict(data)
-            normalized[key] = fallback
-            return normalized
-    raise ProviderError(provider_name, f"Unexpected {key} response from Jupiter.")
-
-
 async def fetch_quote(
     *,
     input_mint: str,
@@ -678,172 +541,3 @@ async def fetch_staked_jup(*, address: str) -> dict[str, Any]:
     if not isinstance(data, dict):
         raise ProviderError("jupiter-portfolio", "Unexpected staked JUP response.")
     return data
-
-
-async def fetch_earn_tokens() -> dict[str, Any]:
-    """Fetch supported Jupiter Earn vault tokens."""
-    gateway_response = await _earn_get_with_gateway_fallback(
-        path="/v1/jupiter/earn/tokens",
-        params=None,
-        operation="Jupiter Earn tokens",
-    )
-    if gateway_response is not None:
-        return _normalize_named_list_response(
-            gateway_response,
-            key="tokens",
-            provider_name="jupiter-lend",
-        )
-
-    _require_api_key("jupiter-lend")
-    client = get_client()
-    response = await client.get(
-        f"{settings.jupiter_lend_api_base_url.rstrip('/')}/earn/tokens",
-        headers=_headers(),
-    )
-    if response.status_code != 200:
-        raise ProviderError("jupiter-lend", f"HTTP {response.status_code}: {response.text[:300]}")
-    return _normalize_named_list_response(
-        response.json(),
-        key="tokens",
-        provider_name="jupiter-lend",
-    )
-
-
-async def fetch_earn_positions(*, users: list[str]) -> dict[str, Any]:
-    """Fetch Jupiter Earn positions for one or more users."""
-    gateway_response = await _earn_get_with_gateway_fallback(
-        path="/v1/jupiter/earn/positions",
-        params={"users": ",".join(users)},
-        operation="Jupiter Earn positions",
-    )
-    if gateway_response is not None:
-        return _normalize_named_list_response(
-            gateway_response,
-            key="positions",
-            provider_name="jupiter-lend",
-        )
-
-    _require_api_key("jupiter-lend")
-    client = get_client()
-    response = await client.get(
-        f"{settings.jupiter_lend_api_base_url.rstrip('/')}/earn/positions",
-        params={"users": ",".join(users)},
-        headers=_headers(),
-    )
-    if response.status_code != 200:
-        raise ProviderError("jupiter-lend", f"HTTP {response.status_code}: {response.text[:300]}")
-    return _normalize_named_list_response(
-        response.json(),
-        key="positions",
-        provider_name="jupiter-lend",
-    )
-
-
-async def fetch_earn_earnings(*, user: str, positions: list[str]) -> dict[str, Any]:
-    """Fetch Jupiter Earn earnings for a user and position list."""
-    gateway_response = await _earn_get_with_gateway_fallback(
-        path="/v1/jupiter/earn/earnings",
-        params={"user": user, "positions": ",".join(positions)},
-        operation="Jupiter Earn earnings",
-    )
-    if gateway_response is not None:
-        return _normalize_named_list_response(
-            gateway_response,
-            key="earnings",
-            provider_name="jupiter-lend",
-        )
-
-    _require_api_key("jupiter-lend")
-    client = get_client()
-    response = await client.get(
-        f"{settings.jupiter_lend_api_base_url.rstrip('/')}/earn/earnings",
-        params={"user": user, "positions": ",".join(positions)},
-        headers=_headers(),
-    )
-    if response.status_code != 200:
-        raise ProviderError("jupiter-lend", f"HTTP {response.status_code}: {response.text[:300]}")
-    return _normalize_named_list_response(
-        response.json(),
-        key="earnings",
-        provider_name="jupiter-lend",
-    )
-
-
-async def build_earn_deposit_transaction(
-    *,
-    asset: str,
-    user_address: str,
-    amount_raw: str,
-) -> dict[str, Any]:
-    """Build an unsigned Jupiter Earn deposit transaction."""
-    gateway_response = await _earn_post_with_gateway_fallback(
-        path="/v1/jupiter/earn/deposit",
-        body={
-            "asset": asset,
-            "signer": user_address,
-            "amount": amount_raw,
-        },
-        operation="Jupiter Earn deposit",
-    )
-    if gateway_response is not None:
-        if not isinstance(gateway_response, dict) or "transaction" not in gateway_response:
-            raise ProviderError("jupiter-lend", "Unexpected Earn deposit response.")
-        return gateway_response
-
-    _require_api_key("jupiter-lend")
-    client = get_client()
-    response = await client.post(
-        f"{settings.jupiter_lend_api_base_url.rstrip('/')}/earn/deposit",
-        json={
-            "asset": asset,
-            "signer": user_address,
-            "amount": amount_raw,
-        },
-        headers=_headers(),
-    )
-    if response.status_code != 200:
-        raise ProviderError("jupiter-lend", f"HTTP {response.status_code}: {response.text[:300]}")
-    data = response.json()
-    if not isinstance(data, dict) or "transaction" not in data:
-        raise ProviderError("jupiter-lend", "Unexpected Earn deposit response.")
-    return data
-
-
-async def build_earn_withdraw_transaction(
-    *,
-    asset: str,
-    user_address: str,
-    amount_raw: str,
-) -> dict[str, Any]:
-    """Build an unsigned Jupiter Earn withdraw transaction."""
-    gateway_response = await _earn_post_with_gateway_fallback(
-        path="/v1/jupiter/earn/withdraw",
-        body={
-            "asset": asset,
-            "signer": user_address,
-            "amount": amount_raw,
-        },
-        operation="Jupiter Earn withdraw",
-    )
-    if gateway_response is not None:
-        if not isinstance(gateway_response, dict) or "transaction" not in gateway_response:
-            raise ProviderError("jupiter-lend", "Unexpected Earn withdraw response.")
-        return gateway_response
-
-    _require_api_key("jupiter-lend")
-    client = get_client()
-    response = await client.post(
-        f"{settings.jupiter_lend_api_base_url.rstrip('/')}/earn/withdraw",
-        json={
-            "asset": asset,
-            "signer": user_address,
-            "amount": amount_raw,
-        },
-        headers=_headers(),
-    )
-    if response.status_code != 200:
-        raise ProviderError("jupiter-lend", f"HTTP {response.status_code}: {response.text[:300]}")
-    data = response.json()
-    if not isinstance(data, dict) or "transaction" not in data:
-        raise ProviderError("jupiter-lend", "Unexpected Earn withdraw response.")
-    return data

package/agent-wallet/agent_wallet/providers/wdk_btc_local.py

@@ -9,7 +9,7 @@ from urllib.parse import urlparse
 
 import httpx
 
-from agent_wallet.config import resolve_openclaw_home
+from agent_wallet.config import resolve_btc_wallet_password, resolve_openclaw_home
 from agent_wallet.wallet_layer.base import WalletBackendError
 
 LOCAL_WDK_BTC_HOSTS = {"127.0.0.1", "localhost", "::1"}
@@ -72,6 +72,30 @@ class WdkBtcLocalClient:
             "Accept": "application/json",
             "Authorization": f"Bearer {_load_local_token()}",
         }
+        self._wallet_password: str | None = None
+
+    def _resolve_wallet_password(self) -> str:
+        """Resolve the sealed local BTC vault password once per client instance.
+
+        The decrypt-on-demand vault needs the password on every signing request;
+        resolving it once per client keeps the Argon2id unseal off the per-request
+        path. The agent already holds the boot key, so caching adds no extra exposure.
+        """
+        if self._wallet_password is None:
+            try:
+                self._wallet_password = resolve_btc_wallet_password() or ""
+            except Exception:
+                self._wallet_password = ""
+        return self._wallet_password
+
+    def _with_credentials(self, payload: dict[str, Any]) -> dict[str, Any]:
+        """Attach the sealed vault password unless the caller supplied one."""
+        if not isinstance(payload, dict) or payload.get("password"):
+            return payload
+        password = self._resolve_wallet_password()
+        if not password:
+            return payload
+        return {**payload, "password": password}
 
     async def post(self, path: str, payload: dict[str, Any]) -> dict[str, Any]:
         async with httpx.AsyncClient(
@@ -80,7 +104,9 @@ class WdkBtcLocalClient:
             follow_redirects=False,
             trust_env=False,
         ) as client:
-            response = await client.post(f"{self.base_url}{path}", json=payload)
+            response = await client.post(
+                f"{self.base_url}{path}", json=self._with_credentials(payload)
+            )
         return _unwrap_payload(response)
 
     async def get(self, path: str) -> dict[str, Any]:
@@ -100,7 +126,9 @@ class WdkBtcLocalClient:
             follow_redirects=False,
             trust_env=False,
         ) as client:
-            response = client.post(f"{self.base_url}{path}", json=payload)
+            response = client.post(
+                f"{self.base_url}{path}", json=self._with_credentials(payload)
+            )
         return _unwrap_payload(response)
 
     def get_sync(self, path: str) -> dict[str, Any]:

package/agent-wallet/agent_wallet/providers/wdk_evm_local.py

@@ -9,7 +9,7 @@ from urllib.parse import urlparse
 
 import httpx
 
-from agent_wallet.config import resolve_openclaw_home, settings
+from agent_wallet.config import resolve_evm_wallet_password, resolve_openclaw_home, settings
 from agent_wallet.wallet_layer.base import WalletBackendError
 
 LOCAL_WDK_EVM_HOSTS = {"127.0.0.1", "localhost", "::1"}
@@ -140,6 +140,36 @@ class WdkEvmLocalClient:
             "Accept": "application/json",
             "Authorization": f"Bearer {_load_local_token()}",
         }
+        self._wallet_password: str | None = None
+
+    def _resolve_wallet_password(self) -> str:
+        """Resolve the sealed local EVM vault password once per client instance.
+
+        The decrypt-on-demand vault needs the password on every signing request.
+        Resolving (and unsealing) it once per client keeps the Argon2id unseal off
+        the per-request path. The agent already holds the boot key, so caching the
+        derived password here adds no exposure beyond what the boot key grants.
+        """
+        if self._wallet_password is None:
+            try:
+                self._wallet_password = resolve_evm_wallet_password() or ""
+            except Exception:
+                self._wallet_password = ""
+        return self._wallet_password
+
+    def _with_credentials(self, payload: dict[str, Any]) -> dict[str, Any]:
+        """Attach the sealed vault password unless the caller supplied one.
+
+        Read endpoints that resolve via a stored address ignore the field; only
+        seed-requiring (signing) endpoints consume it. Injecting it uniformly means
+        no signing path can accidentally be missed.
+        """
+        if not isinstance(payload, dict) or payload.get("password"):
+            return payload
+        password = self._resolve_wallet_password()
+        if not password:
+            return payload
+        return {**payload, "password": password}
 
     async def post(self, path: str, payload: dict[str, Any]) -> dict[str, Any]:
         try:
@@ -149,7 +179,9 @@ class WdkEvmLocalClient:
                 follow_redirects=False,
                 trust_env=False,
             ) as client:
-                response = await client.post(f"{self.base_url}{path}", json=payload)
+                response = await client.post(
+                    f"{self.base_url}{path}", json=self._with_credentials(payload)
+                )
         except httpx.TimeoutException as exc:
             raise WalletBackendError(
                 "wdk-evm-wallet request timed out.",
@@ -195,7 +227,9 @@ class WdkEvmLocalClient:
                 follow_redirects=False,
                 trust_env=False,
             ) as client:
-                response = client.post(f"{self.base_url}{path}", json=payload)
+                response = client.post(
+                    f"{self.base_url}{path}", json=self._with_credentials(payload)
+                )
         except httpx.TimeoutException as exc:
             raise WalletBackendError(
                 "wdk-evm-wallet request timed out.",