@elizaos/plugin-steward-app 2.0.3-beta.6 → 2.0.3-beta.7

package/dist/security/hydrate-wallet-keys-from-platform-store.js

@@ -0,0 +1,43 @@
+import { deriveAgentVaultId } from "@elizaos/app-core/security/agent-vault-id";
+import {
+  createNodePlatformSecureStore,
+  isWalletOsStoreReadEnabled
+} from "@elizaos/app-core/security/platform-secure-store-node";
+import { logger } from "@elizaos/core";
+const WALLET_ENV_PAIRS = [
+  ["EVM_PRIVATE_KEY", "wallet.evm_private_key"],
+  ["SOLANA_PRIVATE_KEY", "wallet.solana_private_key"],
+  ["STEWARD_API_URL", "steward.api_url"],
+  ["STEWARD_AGENT_ID", "steward.agent_id"],
+  ["STEWARD_AGENT_TOKEN", "steward.agent_token"]
+];
+async function hydrateWalletKeysFromNodePlatformSecureStore() {
+  if (!isWalletOsStoreReadEnabled()) {
+    return;
+  }
+  try {
+    const store = createNodePlatformSecureStore();
+    if (!await store.isAvailable()) {
+      return;
+    }
+    const vaultId = deriveAgentVaultId();
+    for (const [envKey, kind] of WALLET_ENV_PAIRS) {
+      const cur = process.env[envKey];
+      if (typeof cur === "string" && cur.trim()) {
+        continue;
+      }
+      const got = await store.get(vaultId, kind);
+      if (got.ok) {
+        process.env[envKey] = got.value;
+      }
+    }
+  } catch (err) {
+    logger.warn(
+      `[wallet][os-store] hydrate failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+export {
+  hydrateWalletKeysFromNodePlatformSecureStore
+};
+//# sourceMappingURL=hydrate-wallet-keys-from-platform-store.js.map

package/dist/security/hydrate-wallet-keys-from-platform-store.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/security/hydrate-wallet-keys-from-platform-store.ts"],"sourcesContent":["import { deriveAgentVaultId } from \"@elizaos/app-core/security/agent-vault-id\";\nimport type { SecureStoreSecretKind } from \"@elizaos/app-core/security/platform-secure-store\";\nimport {\n  createNodePlatformSecureStore,\n  isWalletOsStoreReadEnabled,\n} from \"@elizaos/app-core/security/platform-secure-store-node\";\nimport { logger } from \"@elizaos/core\";\n\nconst WALLET_ENV_PAIRS: [keyof NodeJS.ProcessEnv, SecureStoreSecretKind][] = [\n  [\"EVM_PRIVATE_KEY\", \"wallet.evm_private_key\"],\n  [\"SOLANA_PRIVATE_KEY\", \"wallet.solana_private_key\"],\n  [\"STEWARD_API_URL\", \"steward.api_url\"],\n  [\"STEWARD_AGENT_ID\", \"steward.agent_id\"],\n  [\"STEWARD_AGENT_TOKEN\", \"steward.agent_token\"],\n];\n\n/**\n * Fills `process.env` wallet keys from the OS secret store when the key is\n * unset/blank. Runs before upstream `startApiServer` merges `config.env`, so\n * persisted config only fills gaps the store did not supply.\n */\nexport async function hydrateWalletKeysFromNodePlatformSecureStore(): Promise<void> {\n  if (!isWalletOsStoreReadEnabled()) {\n    return;\n  }\n\n  try {\n    const store = createNodePlatformSecureStore();\n    if (!(await store.isAvailable())) {\n      return;\n    }\n\n    const vaultId = deriveAgentVaultId();\n\n    for (const [envKey, kind] of WALLET_ENV_PAIRS) {\n      const cur = process.env[envKey];\n      if (typeof cur === \"string\" && cur.trim()) {\n        continue;\n      }\n\n      const got = await store.get(vaultId, kind);\n      if (got.ok) {\n        process.env[envKey] = got.value;\n      }\n    }\n  } catch (err) {\n    logger.warn(\n      `[wallet][os-store] hydrate failed: ${err instanceof Error ? err.message : String(err)}`,\n    );\n  }\n}\n"],"mappings":"AAAA,SAAS,0BAA0B;AAEnC;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,cAAc;AAEvB,MAAM,mBAAuE;AAAA,EAC3E,CAAC,mBAAmB,wBAAwB;AAAA,EAC5C,CAAC,sBAAsB,2BAA2B;AAAA,EAClD,CAAC,mBAAmB,iBAAiB;AAAA,EACrC,CAAC,oBAAoB,kBAAkB;AAAA,EACvC,CAAC,uBAAuB,qBAAqB;AAC/C;AAOA,eAAsB,+CAA8D;AAClF,MAAI,CAAC,2BAA2B,GAAG;AACjC;AAAA,EACF;AAEA,MAAI;AACF,UAAM,QAAQ,8BAA8B;AAC5C,QAAI,CAAE,MAAM,MAAM,YAAY,GAAI;AAChC;AAAA,IACF;AAEA,UAAM,UAAU,mBAAmB;AAEnC,eAAW,CAAC,QAAQ,IAAI,KAAK,kBAAkB;AAC7C,YAAM,MAAM,QAAQ,IAAI,MAAM;AAC9B,UAAI,OAAO,QAAQ,YAAY,IAAI,KAAK,GAAG;AACzC;AAAA,MACF;AAEA,YAAM,MAAM,MAAM,MAAM,IAAI,SAAS,IAAI;AACzC,UAAI,IAAI,IAAI;AACV,gBAAQ,IAAI,MAAM,IAAI,IAAI;AAAA,MAC5B;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,sCAAsC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IACxF;AAAA,EACF;AACF;","names":[]}

package/dist/security/wallet-os-store-actions.d.ts

@@ -0,0 +1,14 @@
+export declare function deleteWalletSecretsFromOsStore(): Promise<void>;
+export type MigrateWalletPrivateKeysToOsStoreResult = {
+    migrated: string[];
+    failed: string[];
+    /** True when the backend cannot run on this host (e.g. Linux without secret-tool). */
+    unavailable?: boolean;
+};
+/**
+ * Copies wallet keys from `process.env` and/or persisted `config.env` into the
+ * OS store, strips them from saved config, and ensures `process.env` holds the
+ * values for the running process.
+ */
+export declare function migrateWalletPrivateKeysToOsStore(): Promise<MigrateWalletPrivateKeysToOsStoreResult>;
+//# sourceMappingURL=wallet-os-store-actions.d.ts.map

package/dist/security/wallet-os-store-actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wallet-os-store-actions.d.ts","sourceRoot":"","sources":["../../src/security/wallet-os-store-actions.ts"],"names":[],"mappings":"AAUA,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,IAAI,CAAC,CAKpE;AAED,MAAM,MAAM,uCAAuC,GAAG;IACpD,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,sFAAsF;IACtF,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB,CAAC;AAEF;;;;GAIG;AACH,wBAAsB,iCAAiC,IAAI,OAAO,CAAC,uCAAuC,CAAC,CA6D1G"}

package/dist/security/wallet-os-store-actions.js

@@ -0,0 +1,63 @@
+import { loadElizaConfig, saveElizaConfig } from "@elizaos/agent/config/config";
+import { deriveAgentVaultId } from "@elizaos/app-core/security/agent-vault-id";
+import { createNodePlatformSecureStore } from "@elizaos/app-core/security/platform-secure-store-node";
+const WALLET_PAIRS = [
+  ["EVM_PRIVATE_KEY", "wallet.evm_private_key"],
+  ["SOLANA_PRIVATE_KEY", "wallet.solana_private_key"]
+];
+async function deleteWalletSecretsFromOsStore() {
+  const store = createNodePlatformSecureStore();
+  const vaultId = deriveAgentVaultId();
+  await store.delete(vaultId, "wallet.evm_private_key");
+  await store.delete(vaultId, "wallet.solana_private_key");
+}
+async function migrateWalletPrivateKeysToOsStore() {
+  const store = createNodePlatformSecureStore();
+  const migrated = [];
+  const failed = [];
+  if (!await store.isAvailable()) {
+    return { migrated, failed: [], unavailable: true };
+  }
+  const vaultId = deriveAgentVaultId();
+  const config = loadElizaConfig();
+  const persisted = config.env && typeof config.env === "object" && !Array.isArray(config.env) ? config.env : {};
+  for (const [envKey, kind] of WALLET_PAIRS) {
+    const fromProcess = typeof process.env[envKey] === "string" ? process.env[envKey]?.trim() : "";
+    const fromConfig = typeof persisted[envKey] === "string" ? String(persisted[envKey]).trim() : "";
+    const value = fromProcess || fromConfig;
+    if (!value) {
+      continue;
+    }
+    const r = await store.set(vaultId, kind, value);
+    if (!r.ok) {
+      failed.push(envKey);
+      continue;
+    }
+    migrated.push(envKey);
+    if (!fromProcess) {
+      process.env[envKey] = value;
+    }
+  }
+  let dirty = false;
+  const nextEnv = { ...persisted };
+  for (const [envKey] of WALLET_PAIRS) {
+    if (typeof nextEnv[envKey] === "string") {
+      delete nextEnv[envKey];
+      dirty = true;
+    }
+  }
+  if (dirty) {
+    if (Object.keys(nextEnv).length === 0) {
+      delete config.env;
+    } else {
+      config.env = nextEnv;
+    }
+    saveElizaConfig(config);
+  }
+  return { migrated, failed };
+}
+export {
+  deleteWalletSecretsFromOsStore,
+  migrateWalletPrivateKeysToOsStore
+};
+//# sourceMappingURL=wallet-os-store-actions.js.map

package/dist/security/wallet-os-store-actions.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/security/wallet-os-store-actions.ts"],"sourcesContent":["import { loadElizaConfig, saveElizaConfig } from \"@elizaos/agent/config/config\";\nimport { deriveAgentVaultId } from \"@elizaos/app-core/security/agent-vault-id\";\nimport type { SecureStoreSecretKind } from \"@elizaos/app-core/security/platform-secure-store\";\nimport { createNodePlatformSecureStore } from \"@elizaos/app-core/security/platform-secure-store-node\";\n\nconst WALLET_PAIRS: [string, SecureStoreSecretKind][] = [\n  [\"EVM_PRIVATE_KEY\", \"wallet.evm_private_key\"],\n  [\"SOLANA_PRIVATE_KEY\", \"wallet.solana_private_key\"],\n];\n\nexport async function deleteWalletSecretsFromOsStore(): Promise<void> {\n  const store = createNodePlatformSecureStore();\n  const vaultId = deriveAgentVaultId();\n  await store.delete(vaultId, \"wallet.evm_private_key\");\n  await store.delete(vaultId, \"wallet.solana_private_key\");\n}\n\nexport type MigrateWalletPrivateKeysToOsStoreResult = {\n  migrated: string[];\n  failed: string[];\n  /** True when the backend cannot run on this host (e.g. Linux without secret-tool). */\n  unavailable?: boolean;\n};\n\n/**\n * Copies wallet keys from `process.env` and/or persisted `config.env` into the\n * OS store, strips them from saved config, and ensures `process.env` holds the\n * values for the running process.\n */\nexport async function migrateWalletPrivateKeysToOsStore(): Promise<MigrateWalletPrivateKeysToOsStoreResult> {\n  const store = createNodePlatformSecureStore();\n  const migrated: string[] = [];\n  const failed: string[] = [];\n\n  if (!(await store.isAvailable())) {\n    return { migrated, failed: [], unavailable: true };\n  }\n\n  const vaultId = deriveAgentVaultId();\n  const config = loadElizaConfig();\n  const persisted =\n    config.env && typeof config.env === \"object\" && !Array.isArray(config.env)\n      ? (config.env as Record<string, unknown>)\n      : {};\n\n  for (const [envKey, kind] of WALLET_PAIRS) {\n    const fromProcess =\n      typeof process.env[envKey] === \"string\"\n        ? process.env[envKey]?.trim()\n        : \"\";\n    const fromConfig =\n      typeof persisted[envKey] === \"string\"\n        ? String(persisted[envKey]).trim()\n        : \"\";\n    const value = fromProcess || fromConfig;\n    if (!value) {\n      continue;\n    }\n\n    const r = await store.set(vaultId, kind, value);\n    if (!r.ok) {\n      failed.push(envKey);\n      continue;\n    }\n\n    migrated.push(envKey);\n    if (!fromProcess) {\n      process.env[envKey] = value;\n    }\n  }\n\n  let dirty = false;\n  const nextEnv = { ...persisted };\n  for (const [envKey] of WALLET_PAIRS) {\n    if (typeof nextEnv[envKey] === \"string\") {\n      delete nextEnv[envKey];\n      dirty = true;\n    }\n  }\n\n  if (dirty) {\n    if (Object.keys(nextEnv).length === 0) {\n      delete config.env;\n    } else {\n      config.env = nextEnv as typeof config.env;\n    }\n    saveElizaConfig(config);\n  }\n\n  return { migrated, failed };\n}\n"],"mappings":"AAAA,SAAS,iBAAiB,uBAAuB;AACjD,SAAS,0BAA0B;AAEnC,SAAS,qCAAqC;AAE9C,MAAM,eAAkD;AAAA,EACtD,CAAC,mBAAmB,wBAAwB;AAAA,EAC5C,CAAC,sBAAsB,2BAA2B;AACpD;AAEA,eAAsB,iCAAgD;AACpE,QAAM,QAAQ,8BAA8B;AAC5C,QAAM,UAAU,mBAAmB;AACnC,QAAM,MAAM,OAAO,SAAS,wBAAwB;AACpD,QAAM,MAAM,OAAO,SAAS,2BAA2B;AACzD;AAcA,eAAsB,oCAAsF;AAC1G,QAAM,QAAQ,8BAA8B;AAC5C,QAAM,WAAqB,CAAC;AAC5B,QAAM,SAAmB,CAAC;AAE1B,MAAI,CAAE,MAAM,MAAM,YAAY,GAAI;AAChC,WAAO,EAAE,UAAU,QAAQ,CAAC,GAAG,aAAa,KAAK;AAAA,EACnD;AAEA,QAAM,UAAU,mBAAmB;AACnC,QAAM,SAAS,gBAAgB;AAC/B,QAAM,YACJ,OAAO,OAAO,OAAO,OAAO,QAAQ,YAAY,CAAC,MAAM,QAAQ,OAAO,GAAG,IACpE,OAAO,MACR,CAAC;AAEP,aAAW,CAAC,QAAQ,IAAI,KAAK,cAAc;AACzC,UAAM,cACJ,OAAO,QAAQ,IAAI,MAAM,MAAM,WAC3B,QAAQ,IAAI,MAAM,GAAG,KAAK,IAC1B;AACN,UAAM,aACJ,OAAO,UAAU,MAAM,MAAM,WACzB,OAAO,UAAU,MAAM,CAAC,EAAE,KAAK,IAC/B;AACN,UAAM,QAAQ,eAAe;AAC7B,QAAI,CAAC,OAAO;AACV;AAAA,IACF;AAEA,UAAM,IAAI,MAAM,MAAM,IAAI,SAAS,MAAM,KAAK;AAC9C,QAAI,CAAC,EAAE,IAAI;AACT,aAAO,KAAK,MAAM;AAClB;AAAA,IACF;AAEA,aAAS,KAAK,MAAM;AACpB,QAAI,CAAC,aAAa;AAChB,cAAQ,IAAI,MAAM,IAAI;AAAA,IACxB;AAAA,EACF;AAEA,MAAI,QAAQ;AACZ,QAAM,UAAU,EAAE,GAAG,UAAU;AAC/B,aAAW,CAAC,MAAM,KAAK,cAAc;AACnC,QAAI,OAAO,QAAQ,MAAM,MAAM,UAAU;AACvC,aAAO,QAAQ,MAAM;AACrB,cAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI,OAAO;AACT,QAAI,OAAO,KAAK,OAAO,EAAE,WAAW,GAAG;AACrC,aAAO,OAAO;AAAA,IAChB,OAAO;AACL,aAAO,MAAM;AAAA,IACf;AACA,oBAAgB,MAAM;AAAA,EACxB;AAEA,SAAO,EAAE,UAAU,OAAO;AAC5B;","names":[]}

package/dist/services/steward-credentials.d.ts

@@ -0,0 +1,2 @@
+export * from "@elizaos/app-core";
+//# sourceMappingURL=steward-credentials.d.ts.map

package/dist/services/steward-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"steward-credentials.d.ts","sourceRoot":"","sources":["../../src/services/steward-credentials.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC"}

package/dist/services/steward-credentials.js

@@ -0,0 +1,2 @@
+export * from "@elizaos/app-core";
+//# sourceMappingURL=steward-credentials.js.map

package/dist/services/steward-credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/services/steward-credentials.ts"],"sourcesContent":["export * from \"@elizaos/app-core\";\n"],"mappings":"AAAA,cAAc;","names":[]}

package/dist/services/steward-evm-account.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Steward EVM Account — a viem-compatible Account that routes all signing
+ * through the Steward API. No private keys touch the container.
+ *
+ * Used when ELIZA_CLOUD_PROVISIONED=1 and STEWARD_AGENT_TOKEN is set.
+ *
+ * Implements viem's CustomAccount interface:
+ *   - address
+ *   - signMessage({ message })
+ *   - signTransaction({ ... })
+ *   - signTypedData({ domain, types, primaryType, message })
+ *
+ * The Steward API endpoints used:
+ *   POST /vault/:agentId/sign          — sign + optionally broadcast EVM tx
+ *   POST /vault/:agentId/sign-message  — sign arbitrary message (EIP-191)
+ *   POST /vault/:agentId/sign-typed-data — sign EIP-712 typed data
+ *
+ * Auth: Bearer token (STEWARD_AGENT_TOKEN JWT) in Authorization header.
+ */
+import type { Account, Address } from "viem";
+export interface StewardEvmAccountConfig {
+    /** Steward API base URL (e.g. http://172.18.0.1:3200) */
+    apiUrl: string;
+    /** JWT bearer token for agent authentication */
+    agentToken: string;
+    /** Agent ID in Steward */
+    agentId: string;
+    /** EVM wallet address (fetched from Steward at init) */
+    address: Address;
+}
+/**
+ * Fetch the EVM wallet address for an agent from the Steward API.
+ * Tries /vault/:agentId/addresses first (multi-chain), falls back to /agents/:agentId.
+ */
+/**
+ * Fetch optional multi-chain addresses from Steward (`/vault` first, then `/agents`).
+ * Solana may be present from `/vault/.../addresses` while EVM may come from either path.
+ */
+export declare function fetchStewardVaultChainAddresses(apiUrl: string, agentToken: string, agentId: string): Promise<{
+    evm: Address | null;
+    solana: string | null;
+}>;
+export declare function fetchStewardWalletAddress(apiUrl: string, agentToken: string, agentId: string): Promise<Address>;
+/**
+ * Create a viem-compatible Account that routes signing through Steward API.
+ *
+ * Usage:
+ *   const account = createStewardEvmAccount({ apiUrl, agentToken, agentId, address });
+ *   const walletProvider = new WalletProvider(account, runtime, chains);
+ */
+export declare function createStewardEvmAccount(config: StewardEvmAccountConfig): Account;
+/**
+ * Check if the runtime has the credentials needed to sign EVM transactions
+ * through the Steward API. True for both cloud-provisioned containers
+ * (ELIZA_CLOUD_PROVISIONED=1) and self-hosted Steward deployments — the
+ * signing capability only depends on having the API URL and agent token.
+ */
+export declare function isStewardSigningReady(): boolean;
+/**
+ * True when this runtime is a cloud-provisioned container. Informational —
+ * distinguishes cloud Steward from self-hosted Steward in logs and UI, but
+ * does NOT gate signing capability.
+ */
+export declare function isStewardCloudProvisioned(): boolean;
+/**
+ * Resolve Steward config from environment variables.
+ * Returns null when signing credentials are unavailable.
+ */
+export declare function resolveStewardEvmConfig(): StewardEvmAccountConfig | null;
+/**
+ * Initialize a Steward-backed viem Account. Fetches the wallet address from the API.
+ * Returns null if Steward is unavailable (allows fallback to local key).
+ */
+export declare function initStewardEvmAccount(): Promise<Account | null>;
+//# sourceMappingURL=steward-evm-account.d.ts.map

package/dist/services/steward-evm-account.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"steward-evm-account.d.ts","sourceRoot":"","sources":["../../src/services/steward-evm-account.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,OAAO,EAOR,MAAM,MAAM,CAAC;AAQd,MAAM,WAAW,uBAAuB;IACtC,yDAAyD;IACzD,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,wDAAwD;IACxD,OAAO,EAAE,OAAO,CAAC;CAClB;AAmHD;;;GAGG;AACH;;;GAGG;AACH,wBAAsB,+BAA+B,CACnD,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,GAAG,EAAE,OAAO,GAAG,IAAI,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CA2DzD;AAED,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAalB;AAID;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,uBAAuB,GAC9B,OAAO,CAkHT;AAID;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,IAAI,OAAO,CAEnD;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,uBAAuB,GAAG,IAAI,CAwBxE;AAqBD;;;GAGG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAyBrE"}

package/dist/services/steward-evm-account.js

@@ -0,0 +1,279 @@
+import { toAccount } from "viem/accounts";
+const ZERO_ADDRESS_SENTINEL = "0x0000000000000000000000000000000000000000";
+class StewardSigningClient {
+  baseUrl;
+  agentToken;
+  agentId;
+  constructor(config) {
+    this.baseUrl = config.apiUrl.replace(/\/+$/, "");
+    this.agentToken = config.agentToken;
+    this.agentId = config.agentId;
+  }
+  async request(path, body) {
+    const url = `${this.baseUrl}${path}`;
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json",
+        Authorization: `Bearer ${this.agentToken}`
+      },
+      body: JSON.stringify(body)
+    });
+    const text = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      throw new Error(
+        `[StewardAccount] Invalid JSON from Steward API (${response.status}): ${text.slice(0, 200)}`
+      );
+    }
+    if (!parsed.ok) {
+      if (response.status === 202 && parsed.data && typeof parsed.data === "object" && "status" in parsed.data && parsed.data.status === "pending_approval") {
+        throw new Error(
+          `[StewardAccount] Transaction requires manual approval (txId: ${parsed.data.txId})`
+        );
+      }
+      throw new Error(
+        `[StewardAccount] API error (${response.status}): ${parsed.error || "Unknown error"}`
+      );
+    }
+    return parsed.data;
+  }
+  /**
+   * Sign an EVM transaction.
+   * Returns the signed transaction hex (when broadcast=false) or txHash (when broadcast=true).
+   */
+  async signTransaction(tx) {
+    return this.request(`/vault/${encodeURIComponent(this.agentId)}/sign`, {
+      ...tx,
+      broadcast: tx.broadcast ?? false
+    });
+  }
+  /**
+   * Sign an arbitrary message (EIP-191 personal_sign).
+   */
+  async signMessage(message) {
+    return this.request(
+      `/vault/${encodeURIComponent(this.agentId)}/sign-message`,
+      { message }
+    );
+  }
+  /**
+   * Sign EIP-712 typed data.
+   */
+  async signTypedData(input) {
+    return this.request(
+      `/vault/${encodeURIComponent(this.agentId)}/sign-typed-data`,
+      input
+    );
+  }
+}
+async function fetchStewardVaultChainAddresses(apiUrl, agentToken, agentId) {
+  const baseUrl = apiUrl.replace(/\/+$/, "");
+  const timeoutMs = 1e4;
+  const headers = {
+    "Content-Type": "application/json",
+    Accept: "application/json",
+    Authorization: `Bearer ${agentToken}`
+  };
+  try {
+    const addrResp = await fetch(
+      `${baseUrl}/vault/${encodeURIComponent(agentId)}/addresses`,
+      {
+        headers,
+        signal: AbortSignal.timeout(timeoutMs)
+      }
+    );
+    if (addrResp.ok) {
+      const addrData = await addrResp.json();
+      if (addrData.ok && addrData.data) {
+        const evmRaw = addrData.data.evm?.trim();
+        const solRaw = addrData.data.solana?.trim();
+        return {
+          evm: evmRaw ? evmRaw : null,
+          solana: solRaw ?? null
+        };
+      }
+    }
+  } catch {
+  }
+  try {
+    const agentResp = await fetch(
+      `${baseUrl}/agents/${encodeURIComponent(agentId)}`,
+      {
+        headers,
+        signal: AbortSignal.timeout(timeoutMs)
+      }
+    );
+    if (agentResp.ok) {
+      const agentData = await agentResp.json();
+      if (agentData.ok && agentData.data?.walletAddress) {
+        return {
+          evm: agentData.data.walletAddress,
+          solana: null
+        };
+      }
+    }
+  } catch {
+  }
+  return { evm: null, solana: null };
+}
+async function fetchStewardWalletAddress(apiUrl, agentToken, agentId) {
+  const baseUrl = apiUrl.replace(/\/+$/, "");
+  const { evm } = await fetchStewardVaultChainAddresses(
+    apiUrl,
+    agentToken,
+    agentId
+  );
+  if (!evm) {
+    throw new Error(
+      `[StewardAccount] Could not fetch wallet address for agent "${agentId}" from ${baseUrl}`
+    );
+  }
+  return evm;
+}
+function createStewardEvmAccount(config) {
+  const client = new StewardSigningClient({
+    apiUrl: config.apiUrl,
+    agentToken: config.agentToken,
+    agentId: config.agentId
+  });
+  const signTypedData = async (typedData) => {
+    const td = typedData;
+    const domain = td.domain && typeof td.domain === "object" ? td.domain : {};
+    const types = {
+      ...td.types && typeof td.types === "object" ? td.types : {}
+    };
+    const primaryType = typeof td.primaryType === "string" ? td.primaryType : "";
+    const value = td.message && typeof td.message === "object" ? td.message : {};
+    delete types.EIP712Domain;
+    const result = await client.signTypedData({
+      domain,
+      types,
+      primaryType,
+      value
+    });
+    return result.signature;
+  };
+  return toAccount({
+    address: config.address,
+    async signMessage({ message }) {
+      let msgStr;
+      if (typeof message === "string") {
+        msgStr = message;
+      } else if (typeof message === "object" && "raw" in message) {
+        const raw = message.raw;
+        if (typeof raw === "string") {
+          msgStr = raw;
+        } else {
+          msgStr = `0x${Buffer.from(raw).toString("hex")}`;
+        }
+      } else {
+        msgStr = String(message);
+      }
+      const result = await client.signMessage(msgStr);
+      return result.signature;
+    },
+    async signTransaction(transaction) {
+      const to = transaction.to ?? "0x0000000000000000000000000000000000000000";
+      const value = transaction.value?.toString() ?? "0";
+      const data = transaction.data;
+      const result = await client.signTransaction({
+        to,
+        value,
+        data,
+        chainId: transaction.chainId,
+        nonce: transaction.nonce,
+        gas: transaction.gas?.toString(),
+        maxFeePerGas: transaction.maxFeePerGas?.toString(),
+        maxPriorityFeePerGas: transaction.maxPriorityFeePerGas?.toString(),
+        broadcast: false
+        // We want the signed tx back, not a broadcast
+      });
+      if (result.signedTx) {
+        return result.signedTx;
+      }
+      if (result.txHash) {
+        console.warn(
+          "[StewardAccount] Steward auto-broadcast tx despite broadcast=false. Hash:",
+          result.txHash
+        );
+        return result.txHash;
+      }
+      throw new Error(
+        "[StewardAccount] signTransaction returned neither signedTx nor txHash"
+      );
+    },
+    signTypedData
+  });
+}
+function isStewardSigningReady() {
+  return !!process.env.STEWARD_AGENT_TOKEN && !!process.env.STEWARD_API_URL;
+}
+function isStewardCloudProvisioned() {
+  return process.env.ELIZA_CLOUD_PROVISIONED === "1" && isStewardSigningReady();
+}
+function resolveStewardEvmConfig() {
+  if (!isStewardSigningReady()) return null;
+  const apiUrl = process.env.STEWARD_API_URL;
+  const agentToken = process.env.STEWARD_AGENT_TOKEN;
+  const agentId = process.env.STEWARD_AGENT_ID || process.env.ELIZA_STEWARD_AGENT_ID || extractAgentIdFromJwt(agentToken) || "";
+  if (!agentId) {
+    console.warn("[StewardAccount] No agent ID found in env or JWT token");
+    return null;
+  }
+  return {
+    apiUrl,
+    agentToken,
+    agentId,
+    address: ZERO_ADDRESS_SENTINEL
+  };
+}
+function extractAgentIdFromJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payloadB64 = parts[1];
+    if (!payloadB64) return null;
+    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+    return payload.agentId || payload.sub || null;
+  } catch {
+    return null;
+  }
+}
+async function initStewardEvmAccount() {
+  const config = resolveStewardEvmConfig();
+  if (!config) return null;
+  try {
+    console.log(
+      "[StewardAccount] Cloud-provisioned mode detected, fetching wallet address..."
+    );
+    const address = await fetchStewardWalletAddress(
+      config.apiUrl,
+      config.agentToken,
+      config.agentId
+    );
+    config.address = address;
+    console.log(`[StewardAccount] Wallet address: ${address}`);
+    const account = createStewardEvmAccount(config);
+    console.log("[StewardAccount] \u2713 Steward signing proxy ready");
+    return account;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(`[StewardAccount] Failed to initialize: ${msg}`);
+    console.warn("[StewardAccount] Falling back to local key signing");
+    return null;
+  }
+}
+export {
+  createStewardEvmAccount,
+  fetchStewardVaultChainAddresses,
+  fetchStewardWalletAddress,
+  initStewardEvmAccount,
+  isStewardCloudProvisioned,
+  isStewardSigningReady,
+  resolveStewardEvmConfig
+};
+//# sourceMappingURL=steward-evm-account.js.map

package/dist/services/steward-evm-account.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/services/steward-evm-account.ts"],"sourcesContent":["/**\n * Steward EVM Account — a viem-compatible Account that routes all signing\n * through the Steward API. No private keys touch the container.\n *\n * Used when ELIZA_CLOUD_PROVISIONED=1 and STEWARD_AGENT_TOKEN is set.\n *\n * Implements viem's CustomAccount interface:\n *   - address\n *   - signMessage({ message })\n *   - signTransaction({ ... })\n *   - signTypedData({ domain, types, primaryType, message })\n *\n * The Steward API endpoints used:\n *   POST /vault/:agentId/sign          — sign + optionally broadcast EVM tx\n *   POST /vault/:agentId/sign-message  — sign arbitrary message (EIP-191)\n *   POST /vault/:agentId/sign-typed-data — sign EIP-712 typed data\n *\n * Auth: Bearer token (STEWARD_AGENT_TOKEN JWT) in Authorization header.\n */\n\nimport type {\n  Account,\n  Address,\n  CustomSource,\n  Hex,\n  SignableMessage,\n  TransactionSerializable,\n  TypedData,\n  TypedDataDefinition,\n} from \"viem\";\nimport { toAccount } from \"viem/accounts\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nconst ZERO_ADDRESS_SENTINEL =\n  \"0x0000000000000000000000000000000000000000\" as Address;\n\nexport interface StewardEvmAccountConfig {\n  /** Steward API base URL (e.g. http://172.18.0.1:3200) */\n  apiUrl: string;\n  /** JWT bearer token for agent authentication */\n  agentToken: string;\n  /** Agent ID in Steward */\n  agentId: string;\n  /** EVM wallet address (fetched from Steward at init) */\n  address: Address;\n}\n\ninterface StewardApiResponse<T = unknown> {\n  ok: boolean;\n  data?: T;\n  error?: string;\n}\n\n// ─── Steward API Client (minimal, signing-only) ──────────────────────────────\n\nclass StewardSigningClient {\n  private baseUrl: string;\n  private agentToken: string;\n  private agentId: string;\n\n  constructor(\n    config: Pick<StewardEvmAccountConfig, \"apiUrl\" | \"agentToken\" | \"agentId\">,\n  ) {\n    this.baseUrl = config.apiUrl.replace(/\\/+$/, \"\");\n    this.agentToken = config.agentToken;\n    this.agentId = config.agentId;\n  }\n\n  private async request<T>(path: string, body: unknown): Promise<T> {\n    const url = `${this.baseUrl}${path}`;\n    const response = await fetch(url, {\n      method: \"POST\",\n      headers: {\n        \"Content-Type\": \"application/json\",\n        Accept: \"application/json\",\n        Authorization: `Bearer ${this.agentToken}`,\n      },\n      body: JSON.stringify(body),\n    });\n\n    const text = await response.text();\n    let parsed: StewardApiResponse<T>;\n    try {\n      parsed = JSON.parse(text);\n    } catch {\n      throw new Error(\n        `[StewardAccount] Invalid JSON from Steward API (${response.status}): ${text.slice(0, 200)}`,\n      );\n    }\n\n    if (!parsed.ok) {\n      // 202 with pending_approval is a special case\n      if (\n        response.status === 202 &&\n        parsed.data &&\n        typeof parsed.data === \"object\" &&\n        \"status\" in (parsed.data as Record<string, unknown>) &&\n        (parsed.data as Record<string, unknown>).status === \"pending_approval\"\n      ) {\n        throw new Error(\n          `[StewardAccount] Transaction requires manual approval (txId: ${(parsed.data as Record<string, unknown>).txId})`,\n        );\n      }\n      throw new Error(\n        `[StewardAccount] API error (${response.status}): ${parsed.error || \"Unknown error\"}`,\n      );\n    }\n\n    return parsed.data as T;\n  }\n\n  /**\n   * Sign an EVM transaction.\n   * Returns the signed transaction hex (when broadcast=false) or txHash (when broadcast=true).\n   */\n  async signTransaction(tx: {\n    to: string;\n    value: string;\n    data?: string;\n    chainId?: number;\n    nonce?: number;\n    gas?: string;\n    maxFeePerGas?: string;\n    maxPriorityFeePerGas?: string;\n    broadcast?: boolean;\n  }): Promise<{ signedTx?: string; txHash?: string }> {\n    return this.request(`/vault/${encodeURIComponent(this.agentId)}/sign`, {\n      ...tx,\n      broadcast: tx.broadcast ?? false,\n    });\n  }\n\n  /**\n   * Sign an arbitrary message (EIP-191 personal_sign).\n   */\n  async signMessage(message: string): Promise<{ signature: string }> {\n    return this.request(\n      `/vault/${encodeURIComponent(this.agentId)}/sign-message`,\n      { message },\n    );\n  }\n\n  /**\n   * Sign EIP-712 typed data.\n   */\n  async signTypedData(input: {\n    domain: Record<string, unknown>;\n    types: Record<string, unknown>;\n    primaryType: string;\n    value: Record<string, unknown>;\n  }): Promise<{ signature: string }> {\n    return this.request(\n      `/vault/${encodeURIComponent(this.agentId)}/sign-typed-data`,\n      input,\n    );\n  }\n}\n\n// ─── Fetch wallet address from Steward ───────────────────────────────────────\n\n/**\n * Fetch the EVM wallet address for an agent from the Steward API.\n * Tries /vault/:agentId/addresses first (multi-chain), falls back to /agents/:agentId.\n */\n/**\n * Fetch optional multi-chain addresses from Steward (`/vault` first, then `/agents`).\n * Solana may be present from `/vault/.../addresses` while EVM may come from either path.\n */\nexport async function fetchStewardVaultChainAddresses(\n  apiUrl: string,\n  agentToken: string,\n  agentId: string,\n): Promise<{ evm: Address | null; solana: string | null }> {\n  const baseUrl = apiUrl.replace(/\\/+$/, \"\");\n  const timeoutMs = 10_000;\n  const headers = {\n    \"Content-Type\": \"application/json\",\n    Accept: \"application/json\",\n    Authorization: `Bearer ${agentToken}`,\n  };\n\n  try {\n    const addrResp = await fetch(\n      `${baseUrl}/vault/${encodeURIComponent(agentId)}/addresses`,\n      {\n        headers,\n        signal: AbortSignal.timeout(timeoutMs),\n      },\n    );\n    if (addrResp.ok) {\n      const addrData = (await addrResp.json()) as StewardApiResponse<{\n        evm?: string;\n        solana?: string;\n      }>;\n      if (addrData.ok && addrData.data) {\n        const evmRaw = addrData.data.evm?.trim();\n        const solRaw = addrData.data.solana?.trim();\n        return {\n          evm: evmRaw ? (evmRaw as Address) : null,\n          solana: solRaw ?? null,\n        };\n      }\n    }\n  } catch {\n    // fall through\n  }\n\n  try {\n    const agentResp = await fetch(\n      `${baseUrl}/agents/${encodeURIComponent(agentId)}`,\n      {\n        headers,\n        signal: AbortSignal.timeout(timeoutMs),\n      },\n    );\n    if (agentResp.ok) {\n      const agentData = (await agentResp.json()) as StewardApiResponse<{\n        walletAddress?: string;\n      }>;\n      if (agentData.ok && agentData.data?.walletAddress) {\n        return {\n          evm: agentData.data.walletAddress as Address,\n          solana: null,\n        };\n      }\n    }\n  } catch {\n    // fall through\n  }\n\n  return { evm: null, solana: null };\n}\n\nexport async function fetchStewardWalletAddress(\n  apiUrl: string,\n  agentToken: string,\n  agentId: string,\n): Promise<Address> {\n  const baseUrl = apiUrl.replace(/\\/+$/, \"\");\n  const { evm } = await fetchStewardVaultChainAddresses(\n    apiUrl,\n    agentToken,\n    agentId,\n  );\n  if (!evm) {\n    throw new Error(\n      `[StewardAccount] Could not fetch wallet address for agent \"${agentId}\" from ${baseUrl}`,\n    );\n  }\n  return evm;\n}\n\n// ─── Create viem Account ─────────────────────────────────────────────────────\n\n/**\n * Create a viem-compatible Account that routes signing through Steward API.\n *\n * Usage:\n *   const account = createStewardEvmAccount({ apiUrl, agentToken, agentId, address });\n *   const walletProvider = new WalletProvider(account, runtime, chains);\n */\nexport function createStewardEvmAccount(\n  config: StewardEvmAccountConfig,\n): Account {\n  const client = new StewardSigningClient({\n    apiUrl: config.apiUrl,\n    agentToken: config.agentToken,\n    agentId: config.agentId,\n  });\n  const signTypedData = async <\n    const typedData extends TypedData | Record<string, unknown>,\n    primaryType extends keyof typedData | \"EIP712Domain\" = keyof typedData,\n  >(\n    typedData: TypedDataDefinition<typedData, primaryType>,\n  ): Promise<Hex> => {\n    const td = typedData as Record<string, unknown>;\n    const domain =\n      td.domain && typeof td.domain === \"object\"\n        ? (td.domain as Record<string, unknown>)\n        : {};\n    const types = {\n      ...((td.types && typeof td.types === \"object\" ? td.types : {}) as Record<\n        string,\n        unknown\n      >),\n    };\n    const primaryType =\n      typeof td.primaryType === \"string\" ? td.primaryType : \"\";\n    const value =\n      td.message && typeof td.message === \"object\"\n        ? (td.message as Record<string, unknown>)\n        : {};\n\n    // Remove the EIP712Domain type if present (Steward expects raw types)\n    delete types.EIP712Domain;\n\n    const result = await client.signTypedData({\n      domain,\n      types,\n      primaryType,\n      value,\n    });\n    return result.signature as Hex;\n  };\n\n  return toAccount({\n    address: config.address,\n\n    async signMessage({ message }: { message: SignableMessage }): Promise<Hex> {\n      // Normalize message to string\n      let msgStr: string;\n      if (typeof message === \"string\") {\n        msgStr = message;\n      } else if (typeof message === \"object\" && \"raw\" in message) {\n        // Raw bytes\n        const raw = message.raw;\n        if (typeof raw === \"string\") {\n          msgStr = raw; // already hex\n        } else {\n          // Uint8Array → hex\n          msgStr = `0x${Buffer.from(raw).toString(\"hex\")}`;\n        }\n      } else {\n        msgStr = String(message);\n      }\n\n      const result = await client.signMessage(msgStr);\n      return result.signature as Hex;\n    },\n\n    async signTransaction(transaction: TransactionSerializable): Promise<Hex> {\n      // Build a signing request for Steward\n      const to = transaction.to ?? \"0x0000000000000000000000000000000000000000\";\n      const value = transaction.value?.toString() ?? \"0\";\n\n      // Serialize calldata if present\n      const data = (transaction as Record<string, unknown>).data as\n        | string\n        | undefined;\n\n      const result = await client.signTransaction({\n        to,\n        value,\n        data,\n        chainId: transaction.chainId,\n        nonce: transaction.nonce,\n        gas: transaction.gas?.toString(),\n        maxFeePerGas: (\n          transaction as Record<string, unknown>\n        ).maxFeePerGas?.toString(),\n        maxPriorityFeePerGas: (\n          transaction as Record<string, unknown>\n        ).maxPriorityFeePerGas?.toString(),\n        broadcast: false, // We want the signed tx back, not a broadcast\n      });\n\n      if (result.signedTx) {\n        return result.signedTx as Hex;\n      }\n\n      // If Steward returned a txHash instead (auto-broadcast), wrap it\n      if (result.txHash) {\n        console.warn(\n          \"[StewardAccount] Steward auto-broadcast tx despite broadcast=false. Hash:\",\n          result.txHash,\n        );\n        // Return the hash — callers will need to handle this edge case\n        return result.txHash as Hex;\n      }\n\n      throw new Error(\n        \"[StewardAccount] signTransaction returned neither signedTx nor txHash\",\n      );\n    },\n\n    signTypedData: signTypedData as CustomSource[\"signTypedData\"],\n  });\n}\n\n// ─── Integration helper ──────────────────────────────────────────────────────\n\n/**\n * Check if the runtime has the credentials needed to sign EVM transactions\n * through the Steward API. True for both cloud-provisioned containers\n * (ELIZA_CLOUD_PROVISIONED=1) and self-hosted Steward deployments — the\n * signing capability only depends on having the API URL and agent token.\n */\nexport function isStewardSigningReady(): boolean {\n  return !!process.env.STEWARD_AGENT_TOKEN && !!process.env.STEWARD_API_URL;\n}\n\n/**\n * True when this runtime is a cloud-provisioned container. Informational —\n * distinguishes cloud Steward from self-hosted Steward in logs and UI, but\n * does NOT gate signing capability.\n */\nexport function isStewardCloudProvisioned(): boolean {\n  return process.env.ELIZA_CLOUD_PROVISIONED === \"1\" && isStewardSigningReady();\n}\n\n/**\n * Resolve Steward config from environment variables.\n * Returns null when signing credentials are unavailable.\n */\nexport function resolveStewardEvmConfig(): StewardEvmAccountConfig | null {\n  if (!isStewardSigningReady()) return null;\n\n  const apiUrl = process.env.STEWARD_API_URL as string;\n  const agentToken = process.env.STEWARD_AGENT_TOKEN as string;\n\n  // Agent ID can come from the JWT payload or env var\n  const agentId =\n    process.env.STEWARD_AGENT_ID ||\n    process.env.ELIZA_STEWARD_AGENT_ID ||\n    extractAgentIdFromJwt(agentToken) ||\n    \"\";\n\n  if (!agentId) {\n    console.warn(\"[StewardAccount] No agent ID found in env or JWT token\");\n    return null;\n  }\n\n  return {\n    apiUrl,\n    agentToken,\n    agentId,\n    address: ZERO_ADDRESS_SENTINEL,\n  };\n}\n\n/**\n * Extract agentId from a JWT token's payload (without verification).\n * Steward JWTs typically have { sub: agentId, ... } or { agentId: \"...\" }.\n */\nfunction extractAgentIdFromJwt(token: string): string | null {\n  try {\n    const parts = token.split(\".\");\n    if (parts.length !== 3) return null;\n    const payloadB64 = parts[1];\n    if (!payloadB64) return null;\n    const payload = JSON.parse(Buffer.from(payloadB64, \"base64url\").toString());\n    return payload.agentId || payload.sub || null;\n  } catch {\n    return null;\n  }\n}\n\n// ─── Full initialization helper ──────────────────────────────────────────────\n\n/**\n * Initialize a Steward-backed viem Account. Fetches the wallet address from the API.\n * Returns null if Steward is unavailable (allows fallback to local key).\n */\nexport async function initStewardEvmAccount(): Promise<Account | null> {\n  const config = resolveStewardEvmConfig();\n  if (!config) return null;\n\n  try {\n    console.log(\n      \"[StewardAccount] Cloud-provisioned mode detected, fetching wallet address...\",\n    );\n    const address = await fetchStewardWalletAddress(\n      config.apiUrl,\n      config.agentToken,\n      config.agentId,\n    );\n    config.address = address;\n    console.log(`[StewardAccount] Wallet address: ${address}`);\n\n    const account = createStewardEvmAccount(config);\n    console.log(\"[StewardAccount] ✓ Steward signing proxy ready\");\n    return account;\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    console.error(`[StewardAccount] Failed to initialize: ${msg}`);\n    console.warn(\"[StewardAccount] Falling back to local key signing\");\n    return null;\n  }\n}\n"],"mappings":"AA8BA,SAAS,iBAAiB;AAI1B,MAAM,wBACJ;AAqBF,MAAM,qBAAqB;AAAA,EACjB;AAAA,EACA;AAAA,EACA;AAAA,EAER,YACE,QACA;AACA,SAAK,UAAU,OAAO,OAAO,QAAQ,QAAQ,EAAE;AAC/C,SAAK,aAAa,OAAO;AACzB,SAAK,UAAU,OAAO;AAAA,EACxB;AAAA,EAEA,MAAc,QAAW,MAAc,MAA2B;AAChE,UAAM,MAAM,GAAG,KAAK,OAAO,GAAG,IAAI;AAClC,UAAM,WAAW,MAAM,MAAM,KAAK;AAAA,MAChC,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,QAAQ;AAAA,QACR,eAAe,UAAU,KAAK,UAAU;AAAA,MAC1C;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAED,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,IAAI;AAAA,IAC1B,QAAQ;AACN,YAAM,IAAI;AAAA,QACR,mDAAmD,SAAS,MAAM,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC;AAAA,MAC5F;AAAA,IACF;AAEA,QAAI,CAAC,OAAO,IAAI;AAEd,UACE,SAAS,WAAW,OACpB,OAAO,QACP,OAAO,OAAO,SAAS,YACvB,YAAa,OAAO,QACnB,OAAO,KAAiC,WAAW,oBACpD;AACA,cAAM,IAAI;AAAA,UACR,gEAAiE,OAAO,KAAiC,IAAI;AAAA,QAC/G;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR,+BAA+B,SAAS,MAAM,MAAM,OAAO,SAAS,eAAe;AAAA,MACrF;AAAA,IACF;AAEA,WAAO,OAAO;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBAAgB,IAU8B;AAClD,WAAO,KAAK,QAAQ,UAAU,mBAAmB,KAAK,OAAO,CAAC,SAAS;AAAA,MACrE,GAAG;AAAA,MACH,WAAW,GAAG,aAAa;AAAA,IAC7B,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,SAAiD;AACjE,WAAO,KAAK;AAAA,MACV,UAAU,mBAAmB,KAAK,OAAO,CAAC;AAAA,MAC1C,EAAE,QAAQ;AAAA,IACZ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAc,OAKe;AACjC,WAAO,KAAK;AAAA,MACV,UAAU,mBAAmB,KAAK,OAAO,CAAC;AAAA,MAC1C;AAAA,IACF;AAAA,EACF;AACF;AAYA,eAAsB,gCACpB,QACA,YACA,SACyD;AACzD,QAAM,UAAU,OAAO,QAAQ,QAAQ,EAAE;AACzC,QAAM,YAAY;AAClB,QAAM,UAAU;AAAA,IACd,gBAAgB;AAAA,IAChB,QAAQ;AAAA,IACR,eAAe,UAAU,UAAU;AAAA,EACrC;AAEA,MAAI;AACF,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,OAAO,UAAU,mBAAmB,OAAO,CAAC;AAAA,MAC/C;AAAA,QACE;AAAA,QACA,QAAQ,YAAY,QAAQ,SAAS;AAAA,MACvC;AAAA,IACF;AACA,QAAI,SAAS,IAAI;AACf,YAAM,WAAY,MAAM,SAAS,KAAK;AAItC,UAAI,SAAS,MAAM,SAAS,MAAM;AAChC,cAAM,SAAS,SAAS,KAAK,KAAK,KAAK;AACvC,cAAM,SAAS,SAAS,KAAK,QAAQ,KAAK;AAC1C,eAAO;AAAA,UACL,KAAK,SAAU,SAAqB;AAAA,UACpC,QAAQ,UAAU;AAAA,QACpB;AAAA,MACF;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,MAAI;AACF,UAAM,YAAY,MAAM;AAAA,MACtB,GAAG,OAAO,WAAW,mBAAmB,OAAO,CAAC;AAAA,MAChD;AAAA,QACE;AAAA,QACA,QAAQ,YAAY,QAAQ,SAAS;AAAA,MACvC;AAAA,IACF;AACA,QAAI,UAAU,IAAI;AAChB,YAAM,YAAa,MAAM,UAAU,KAAK;AAGxC,UAAI,UAAU,MAAM,UAAU,MAAM,eAAe;AACjD,eAAO;AAAA,UACL,KAAK,UAAU,KAAK;AAAA,UACpB,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,SAAO,EAAE,KAAK,MAAM,QAAQ,KAAK;AACnC;AAEA,eAAsB,0BACpB,QACA,YACA,SACkB;AAClB,QAAM,UAAU,OAAO,QAAQ,QAAQ,EAAE;AACzC,QAAM,EAAE,IAAI,IAAI,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,8DAA8D,OAAO,UAAU,OAAO;AAAA,IACxF;AAAA,EACF;AACA,SAAO;AACT;AAWO,SAAS,wBACd,QACS;AACT,QAAM,SAAS,IAAI,qBAAqB;AAAA,IACtC,QAAQ,OAAO;AAAA,IACf,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,EAClB,CAAC;AACD,QAAM,gBAAgB,OAIpB,cACiB;AACjB,UAAM,KAAK;AACX,UAAM,SACJ,GAAG,UAAU,OAAO,GAAG,WAAW,WAC7B,GAAG,SACJ,CAAC;AACP,UAAM,QAAQ;AAAA,MACZ,GAAK,GAAG,SAAS,OAAO,GAAG,UAAU,WAAW,GAAG,QAAQ,CAAC;AAAA,IAI9D;AACA,UAAM,cACJ,OAAO,GAAG,gBAAgB,WAAW,GAAG,cAAc;AACxD,UAAM,QACJ,GAAG,WAAW,OAAO,GAAG,YAAY,WAC/B,GAAG,UACJ,CAAC;AAGP,WAAO,MAAM;AAEb,UAAM,SAAS,MAAM,OAAO,cAAc;AAAA,MACxC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AACD,WAAO,OAAO;AAAA,EAChB;AAEA,SAAO,UAAU;AAAA,IACf,SAAS,OAAO;AAAA,IAEhB,MAAM,YAAY,EAAE,QAAQ,GAA+C;AAEzE,UAAI;AACJ,UAAI,OAAO,YAAY,UAAU;AAC/B,iBAAS;AAAA,MACX,WAAW,OAAO,YAAY,YAAY,SAAS,SAAS;AAE1D,cAAM,MAAM,QAAQ;AACpB,YAAI,OAAO,QAAQ,UAAU;AAC3B,mBAAS;AAAA,QACX,OAAO;AAEL,mBAAS,KAAK,OAAO,KAAK,GAAG,EAAE,SAAS,KAAK,CAAC;AAAA,QAChD;AAAA,MACF,OAAO;AACL,iBAAS,OAAO,OAAO;AAAA,MACzB;AAEA,YAAM,SAAS,MAAM,OAAO,YAAY,MAAM;AAC9C,aAAO,OAAO;AAAA,IAChB;AAAA,IAEA,MAAM,gBAAgB,aAAoD;AAExE,YAAM,KAAK,YAAY,MAAM;AAC7B,YAAM,QAAQ,YAAY,OAAO,SAAS,KAAK;AAG/C,YAAM,OAAQ,YAAwC;AAItD,YAAM,SAAS,MAAM,OAAO,gBAAgB;AAAA,QAC1C;AAAA,QACA;AAAA,QACA;AAAA,QACA,SAAS,YAAY;AAAA,QACrB,OAAO,YAAY;AAAA,QACnB,KAAK,YAAY,KAAK,SAAS;AAAA,QAC/B,cACE,YACA,cAAc,SAAS;AAAA,QACzB,sBACE,YACA,sBAAsB,SAAS;AAAA,QACjC,WAAW;AAAA;AAAA,MACb,CAAC;AAED,UAAI,OAAO,UAAU;AACnB,eAAO,OAAO;AAAA,MAChB;AAGA,UAAI,OAAO,QAAQ;AACjB,gBAAQ;AAAA,UACN;AAAA,UACA,OAAO;AAAA,QACT;AAEA,eAAO,OAAO;AAAA,MAChB;AAEA,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,IAEA;AAAA,EACF,CAAC;AACH;AAUO,SAAS,wBAAiC;AAC/C,SAAO,CAAC,CAAC,QAAQ,IAAI,uBAAuB,CAAC,CAAC,QAAQ,IAAI;AAC5D;AAOO,SAAS,4BAAqC;AACnD,SAAO,QAAQ,IAAI,4BAA4B,OAAO,sBAAsB;AAC9E;AAMO,SAAS,0BAA0D;AACxE,MAAI,CAAC,sBAAsB,EAAG,QAAO;AAErC,QAAM,SAAS,QAAQ,IAAI;AAC3B,QAAM,aAAa,QAAQ,IAAI;AAG/B,QAAM,UACJ,QAAQ,IAAI,oBACZ,QAAQ,IAAI,0BACZ,sBAAsB,UAAU,KAChC;AAEF,MAAI,CAAC,SAAS;AACZ,YAAQ,KAAK,wDAAwD;AACrE,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX;AACF;AAMA,SAAS,sBAAsB,OAA8B;AAC3D,MAAI;AACF,UAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,QAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,UAAM,aAAa,MAAM,CAAC;AAC1B,QAAI,CAAC,WAAY,QAAO;AACxB,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,YAAY,WAAW,EAAE,SAAS,CAAC;AAC1E,WAAO,QAAQ,WAAW,QAAQ,OAAO;AAAA,EAC3C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,wBAAiD;AACrE,QAAM,SAAS,wBAAwB;AACvC,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,YAAQ;AAAA,MACN;AAAA,IACF;AACA,UAAM,UAAU,MAAM;AAAA,MACpB,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,WAAO,UAAU;AACjB,YAAQ,IAAI,oCAAoC,OAAO,EAAE;AAEzD,UAAM,UAAU,wBAAwB,MAAM;AAC9C,YAAQ,IAAI,qDAAgD;AAC5D,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,YAAQ,MAAM,0CAA0C,GAAG,EAAE;AAC7D,YAAQ,KAAK,oDAAoD;AACjE,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/services/steward-evm-bridge.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Steward EVM Bridge — intercepts plugin-wallet EVM initialization in cloud-provisioned
+ * containers to route signing through Steward API instead of local private keys.
+ *
+ * Strategy:
+ *   1. Before the runtime starts plugins, check if we're in cloud-provisioned mode
+ *   2. If so, create a Steward viem Account
+ *   3. Inject a reserved EVM_PRIVATE_KEY setting so initWalletProvider doesn't
+ *      generate a random key, then immediately replace the account on the
+ *      WalletProvider after EVMService starts
+ *
+ * This module exports a boot hook that should be called early in the runtime
+ * initialization, before plugins are loaded.
+ */
+import type { IAgentRuntime } from "@elizaos/core";
+import { initStewardEvmAccount } from "./steward-evm-account.js";
+/**
+ * Pre-boot hook: call before plugins are loaded.
+ * Sets a reserved EVM_PRIVATE_KEY if in Steward mode so that initWalletProvider
+ * does not auto-generate and persist a random key.
+ */
+export declare function stewardEvmPreBoot(runtime: IAgentRuntime): Promise<void>;
+/**
+ * Post-boot hook: call after plugins have started.
+ * Replaces the WalletProvider's account on the EVMService with the Steward account.
+ */
+export declare function stewardEvmPostBoot(runtime: IAgentRuntime): Promise<void>;
+/**
+ * Get the Steward account if initialized (for use by other services).
+ */
+export declare function getStewardEvmAccount(): Awaited<ReturnType<typeof initStewardEvmAccount>>;
+/**
+ * Check if Steward EVM bridge is active.
+ */
+export declare function isStewardEvmBridgeActive(): boolean;
+//# sourceMappingURL=steward-evm-bridge.d.ts.map

package/dist/services/steward-evm-bridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"steward-evm-bridge.d.ts","sourceRoot":"","sources":["../../src/services/steward-evm-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EACL,qBAAqB,EAGtB,MAAM,uBAAuB,CAAC;AAY/B;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAwC7E;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,IAAI,CAAC,CAuCf;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAC7C,UAAU,CAAC,OAAO,qBAAqB,CAAC,CACzC,CAEA;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAElD"}