@elytro/cli 0.1.0 → 0.2.0

package/dist/index.js

@@ -363,6 +363,8 @@ var STORAGE_KEY = "keyring";
 var KeyringService = class {
   store;
   vault = null;
+  /** Vault key kept in memory for re-encryption operations (addOwner, switchOwner). */
+  vaultKey = null;
   constructor(store) {
     this.store = store;
   }
@@ -373,9 +375,9 @@ var KeyringService = class {
   }
   /**
    * Create a brand-new vault with one owner.
-   * Called during `elytro init`. Encrypts with device key.
+   * Called during `elytro init`. Encrypts with vault key.
    */
-  async createNewOwner(deviceKey) {
+  async createNewOwner(vaultKey) {
     const privateKey = generatePrivateKey();
     const account = privateKeyToAccount(privateKey);
     const owner = { id: account.address, key: privateKey };
@@ -383,26 +385,32 @@ var KeyringService = class {
       owners: [owner],
       currentOwnerId: account.address
     };
-    const encrypted = await encryptWithKey(deviceKey, vault);
+    const encrypted = await encryptWithKey(vaultKey, vault);
     await this.store.save(STORAGE_KEY, encrypted);
     this.vault = vault;
+    this.vaultKey = new Uint8Array(vaultKey);
     return account.address;
   }
   // ─── Unlock / Access ────────────────────────────────────────────
   /**
-   * Decrypt the vault with the device key.
-   * Called automatically by context at CLI startup.
+   * Decrypt the vault with the vault key.
+   * Called automatically by context at CLI startup via SecretProvider.
    */
-  async unlock(deviceKey) {
+  async unlock(vaultKey) {
     const encrypted = await this.store.load(STORAGE_KEY);
     if (!encrypted) {
       throw new Error("Keyring not initialized. Run `elytro init` first.");
     }
-    this.vault = await decryptWithKey(deviceKey, encrypted);
+    this.vault = await decryptWithKey(vaultKey, encrypted);
+    this.vaultKey = new Uint8Array(vaultKey);
   }
-  /** Lock the vault, clearing decrypted keys from memory. */
+  /** Lock the vault, clearing decrypted keys and vault key from memory. */
   lock() {
     this.vault = null;
+    if (this.vaultKey) {
+      this.vaultKey.fill(0);
+      this.vaultKey = null;
+    }
   }
   get isUnlocked() {
     return this.vault !== null;
@@ -441,22 +449,22 @@ var KeyringService = class {
     return privateKeyToAccount(key);
   }
   // ─── Multi-owner management ─────────────────────────────────────
-  async addOwner(deviceKey) {
+  async addOwner() {
     this.ensureUnlocked();
     const privateKey = generatePrivateKey();
     const account = privateKeyToAccount(privateKey);
     this.vault.owners.push({ id: account.address, key: privateKey });
-    await this.persistVault(deviceKey);
+    await this.persistVault();
     return account.address;
   }
-  async switchOwner(ownerId, deviceKey) {
+  async switchOwner(ownerId) {
     this.ensureUnlocked();
     const exists = this.vault.owners.some((o) => o.id === ownerId);
     if (!exists) {
       throw new Error(`Owner ${ownerId} not found in vault.`);
     }
     this.vault.currentOwnerId = ownerId;
-    await this.persistVault(deviceKey);
+    await this.persistVault();
   }
   // ─── Export / Import (password-based for portability) ───────────
   /**
@@ -469,18 +477,20 @@ var KeyringService = class {
   }
   /**
    * Import vault from a password-encrypted backup.
-   * Decrypts with the backup password, then re-encrypts with device key.
+   * Decrypts with the backup password, then re-encrypts with vault key.
    */
-  async importVault(encrypted, password2, deviceKey) {
+  async importVault(encrypted, password2, vaultKey) {
     const vault = await decrypt(password2, encrypted);
     this.vault = vault;
-    const reEncrypted = await encryptWithKey(deviceKey, vault);
+    this.vaultKey = new Uint8Array(vaultKey);
+    const reEncrypted = await encryptWithKey(vaultKey, vault);
     await this.store.save(STORAGE_KEY, reEncrypted);
   }
-  // ─── Rekey (device key rotation) ───────────────────────────────
-  async rekey(newDeviceKey) {
+  // ─── Rekey (vault key rotation) ───────────────────────────────
+  async rekey(newVaultKey) {
     this.ensureUnlocked();
-    await this.persistVault(newDeviceKey);
+    this.vaultKey = new Uint8Array(newVaultKey);
+    await this.persistVault();
   }
   // ─── Internal ───────────────────────────────────────────────────
   getCurrentKey() {
@@ -498,9 +508,10 @@ var KeyringService = class {
       throw new Error("Keyring is locked. Run `elytro init` first.");
     }
   }
-  async persistVault(deviceKey) {
+  async persistVault() {
     if (!this.vault) throw new Error("No vault to persist.");
-    const encrypted = await encryptWithKey(deviceKey, this.vault);
+    if (!this.vaultKey) throw new Error("No vault key available for re-encryption.");
+    const encrypted = await encryptWithKey(this.vaultKey, this.vault);
     await this.store.save(STORAGE_KEY, encrypted);
   }
 };
@@ -555,11 +566,36 @@ function resolveBundler(chainId, pimlicoKey) {
   return PUBLIC_BUNDLER[chainId] ?? PUBLIC_BUNDLER[11155420];
 }
 var CHAIN_META = [
-  { id: 1, name: "Ethereum", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://etherscan.io" },
-  { id: 10, name: "Optimism", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://optimistic.etherscan.io" },
-  { id: 42161, name: "Arbitrum One", nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 }, blockExplorer: "https://arbiscan.io" },
-  { id: 11155111, name: "Sepolia", nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 }, blockExplorer: "https://sepolia.etherscan.io" },
-  { id: 11155420, name: "Optimism Sepolia", nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 }, blockExplorer: "https://sepolia-optimism.etherscan.io" }
+  {
+    id: 1,
+    name: "Ethereum",
+    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://etherscan.io"
+  },
+  {
+    id: 10,
+    name: "Optimism",
+    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://optimistic.etherscan.io"
+  },
+  {
+    id: 42161,
+    name: "Arbitrum One",
+    nativeCurrency: { name: "Ether", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://arbiscan.io"
+  },
+  {
+    id: 11155111,
+    name: "Sepolia",
+    nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://sepolia.etherscan.io"
+  },
+  {
+    id: 11155420,
+    name: "Optimism Sepolia",
+    nativeCurrency: { name: "Sepolia ETH", symbol: "ETH", decimals: 18 },
+    blockExplorer: "https://sepolia-optimism.etherscan.io"
+  }
 ];
 function buildChains(alchemyKey, pimlicoKey) {
   return CHAIN_META.map((meta) => ({
@@ -2064,53 +2100,120 @@ var SecurityHookService = class {
   }
 };
 
-// src/utils/deviceKey.ts
-import { webcrypto as webcrypto2 } from "crypto";
-import { readFile as readFile2, writeFile as writeFile2, stat, chmod } from "fs/promises";
-import { join as join2 } from "path";
-var DEVICE_KEY_FILE = ".device-key";
-var KEY_LENGTH2 = 32;
-var REQUIRED_MODE = 384;
-function generateDeviceKey() {
-  return webcrypto2.getRandomValues(new Uint8Array(KEY_LENGTH2));
-}
-async function saveDeviceKey(dataDir, key) {
-  validateDeviceKey(key);
-  const path = keyPath(dataDir);
-  await writeFile2(path, key, { mode: REQUIRED_MODE });
-  await chmod(path, REQUIRED_MODE);
-}
-async function loadDeviceKey(dataDir) {
-  const path = keyPath(dataDir);
-  try {
-    const st = await stat(path);
-    const mode = st.mode & 511;
-    if (mode !== REQUIRED_MODE) {
-      throw new Error(
-        `Device key has insecure permissions (${modeStr(mode)}). Expected 600. Fix with: chmod 600 ${path}`
-      );
+// src/providers/keychainProvider.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+var KeychainProvider = class {
+  name = "macos-keychain";
+  service = "elytro-wallet";
+  account = "vault-key";
+  async available() {
+    if (process.platform !== "darwin") return false;
+    try {
+      await execFileAsync("security", ["help"], { timeout: 5e3 });
+      return true;
+    } catch {
+      return process.platform === "darwin";
     }
-    const buf = await readFile2(path);
-    const key = new Uint8Array(buf);
-    validateDeviceKey(key);
-    return key;
-  } catch (err) {
-    if (err.code === "ENOENT") {
-      return null;
+  }
+  async store(secret) {
+    validateKeyLength(secret);
+    const b64 = Buffer.from(secret).toString("base64");
+    try {
+      await execFileAsync("security", [
+        "add-generic-password",
+        "-U",
+        "-s",
+        this.service,
+        "-a",
+        this.account,
+        "-w",
+        b64
+      ]);
+    } catch (err) {
+      throw new Error(`Failed to store vault key in Keychain: ${err.message}`);
     }
-    throw err;
   }
-}
-function validateDeviceKey(key) {
-  if (key.length !== KEY_LENGTH2) {
-    throw new Error(`Invalid device key: expected ${KEY_LENGTH2} bytes, got ${key.length}.`);
+  async load() {
+    try {
+      const { stdout } = await execFileAsync("security", [
+        "find-generic-password",
+        "-s",
+        this.service,
+        "-a",
+        this.account,
+        "-w"
+      ]);
+      const trimmed = stdout.trim();
+      if (!trimmed) return null;
+      const key = Buffer.from(trimmed, "base64");
+      if (key.length !== 32) {
+        throw new Error(`Keychain vault key has invalid length: expected 32 bytes, got ${key.length}.`);
+      }
+      return new Uint8Array(key);
+    } catch (err) {
+      const msg = err.message || "";
+      if (msg.includes("could not be found") || msg.includes("SecKeychainSearchCopyNext")) {
+        return null;
+      }
+      throw new Error(`Failed to load vault key from Keychain: ${msg}`);
+    }
+  }
+  async delete() {
+    try {
+      await execFileAsync("security", ["delete-generic-password", "-s", this.service, "-a", this.account]);
+    } catch {
+    }
+  }
+};
+function validateKeyLength(key) {
+  if (key.length !== 32) {
+    throw new Error(`Invalid vault key: expected 32 bytes, got ${key.length}.`);
   }
 }
-function keyPath(dataDir) {
-  return join2(dataDir, DEVICE_KEY_FILE);
-}
-function modeStr(mode) {
-  return "0o" + mode.toString(8).padStart(3, "0");
+
+// src/providers/envVarProvider.ts
+var ENV_KEY = "ELYTRO_VAULT_SECRET";
+var EnvVarProvider = class {
+  name = "env-var";
+  async available() {
+    return !!process.env[ENV_KEY];
+  }
+  async store(_secret) {
+    throw new Error(
+      "EnvVarProvider is read-only. Cannot store vault key in an environment variable. Use a persistent provider (macOS Keychain) or store the secret manually."
+    );
+  }
+  async load() {
+    const raw = process.env[ENV_KEY];
+    if (!raw) return null;
+    delete process.env[ENV_KEY];
+    const key = Buffer.from(raw, "base64");
+    if (key.length !== 32) {
+      throw new Error(
+        `${ENV_KEY} has invalid length: expected 32 bytes (base64), got ${key.length}. The value must be a base64-encoded 256-bit key.`
+      );
+    }
+    return new Uint8Array(key);
+  }
+  async delete() {
+    delete process.env[ENV_KEY];
+  }
+};
+
+// src/providers/resolveProvider.ts
+async function resolveProvider() {
+  const keychainProvider = new KeychainProvider();
+  const envProvider = new EnvVarProvider();
+  const initProvider = await keychainProvider.available() ? keychainProvider : null;
+  let loadProvider = null;
+  if (await keychainProvider.available()) {
+    loadProvider = keychainProvider;
+  } else if (await envProvider.available()) {
+    loadProvider = envProvider;
+  }
+  return { initProvider, loadProvider };
 }
 
 // src/context.ts
@@ -2125,9 +2228,13 @@ async function createAppContext() {
   const defaultChain = chain.currentChain;
   walletClient.initForChain(defaultChain);
   await sdk.initForChain(defaultChain);
-  const deviceKey = await loadDeviceKey(store.dataDir);
-  if (deviceKey && await keyring.isInitialized()) {
-    await keyring.unlock(deviceKey);
+  const { loadProvider } = await resolveProvider();
+  if (loadProvider && await keyring.isInitialized()) {
+    const vaultKey = await loadProvider.load();
+    if (vaultKey) {
+      await keyring.unlock(vaultKey);
+      vaultKey.fill(0);
+    }
   }
   const account = new AccountService({
     store,
@@ -2148,10 +2255,11 @@ async function createAppContext() {
       }
     }
   }
-  return { store, keyring, chain, sdk, walletClient, account, deviceKey };
+  return { store, keyring, chain, sdk, walletClient, account, secretProvider: loadProvider };
 }
 
 // src/commands/init.ts
+import { webcrypto as webcrypto2 } from "crypto";
 import ora from "ora";
 
 // src/utils/display.ts
@@ -2219,13 +2327,31 @@ function registerInitCommand(program2, ctx) {
     heading("Initialize Elytro Wallet");
     const spinner = ora("Setting up wallet...").start();
     try {
-      const deviceKey = generateDeviceKey();
-      await saveDeviceKey(ctx.store.dataDir, deviceKey);
-      await ctx.keyring.createNewOwner(deviceKey);
-      ctx.deviceKey = deviceKey;
+      const vaultKey = webcrypto2.getRandomValues(new Uint8Array(32));
+      const { initProvider } = await resolveProvider();
+      if (initProvider) {
+        await initProvider.store(vaultKey);
+        spinner.text = `Vault key stored in ${initProvider.name}.`;
+      } else {
+        spinner.stop();
+        const b64 = Buffer.from(vaultKey).toString("base64");
+        console.log("");
+        warn("No persistent secret provider available (not on macOS).");
+        warn("Save the following vault secret \u2014 it will NOT be shown again:");
+        console.log("");
+        console.log(`  ELYTRO_VAULT_SECRET="${b64}"`);
+        console.log("");
+        info("Hint", "Set this environment variable before running any elytro command.");
+        spinner.start("Creating wallet...");
+      }
+      await ctx.keyring.createNewOwner(vaultKey);
+      vaultKey.fill(0);
       spinner.succeed("Wallet initialized.");
       console.log("");
       info("Data", ctx.store.dataDir);
+      if (initProvider) {
+        info("Secret Provider", initProvider.name);
+      }
       console.log("");
       success("Run `elytro account create --chain <chainId>` to create your first smart account.");
     } catch (err) {
@@ -2257,7 +2383,7 @@ init_sponsor();
 function registerAccountCommand(program2, ctx) {
   const account = program2.command("account").description("Manage smart accounts");
   account.command("create").description("Create a new smart account").requiredOption("-c, --chain <chainId>", "Target chain ID").option("-a, --alias <alias>", "Human-readable alias (default: random)").action(async (opts) => {
-    if (!ctx.deviceKey) {
+    if (!ctx.keyring.isUnlocked) {
       error("Wallet not initialized. Run `elytro init` first.");
       process.exitCode = 1;
       return;
@@ -2306,7 +2432,7 @@ function registerAccountCommand(program2, ctx) {
     }
   });
   account.command("activate").description("Deploy the smart contract on-chain").argument("[account]", "Alias or address (default: current)").option("--no-sponsor", "Skip sponsorship check (user pays gas)").action(async (target, opts) => {
-    if (!ctx.deviceKey) {
+    if (!ctx.keyring.isUnlocked) {
       error("Wallet not initialized. Run `elytro init` first.");
       process.exitCode = 1;
       return;
@@ -2704,7 +2830,7 @@ function registerTxCommand(program2, ctx) {
     }
   });
   tx.command("send").description("Send a transaction on-chain").argument("[account]", "Source account alias or address (default: current)").option("--tx <spec...>", 'Transaction spec: "to:0xAddr,value:0.1,data:0x..." (repeatable, ordered)').option("--no-sponsor", "Skip sponsorship check").option("--no-hook", "Skip SecurityHook signing (bypass 2FA)").option("--userop <json>", "Send a pre-built UserOp JSON (skips build step)").action(async (target, opts) => {
-    if (!ctx.deviceKey) {
+    if (!ctx.keyring.isUnlocked) {
       handleTxError(new TxError(ERR_ACCOUNT_NOT_READY, "Wallet not initialized. Run `elytro init` first."));
       return;
     }
@@ -2902,7 +3028,7 @@ function registerTxCommand(program2, ctx) {
     }
   });
   tx.command("simulate").description("Preview a transaction (gas estimate, sponsor check)").argument("[account]", "Source account alias or address (default: current)").option("--tx <spec...>", 'Transaction spec: "to:0xAddr,value:0.1,data:0x..." (repeatable, ordered)').option("--no-sponsor", "Skip sponsorship check").action(async (target, opts) => {
-    if (!ctx.deviceKey) {
+    if (!ctx.keyring.isUnlocked) {
       handleTxError(new TxError(ERR_ACCOUNT_NOT_READY, "Wallet not initialized. Run `elytro init` first."));
       return;
     }
@@ -3500,7 +3626,7 @@ function handleSecurityError(err) {
   process.exitCode = 1;
 }
 function initSecurityContext(ctx) {
-  if (!ctx.deviceKey) {
+  if (!ctx.keyring.isUnlocked) {
     throw new SecurityError(ERR_ACCOUNT_NOT_READY2, "Wallet not initialized. Run `elytro init` first.");
   }
   const current = ctx.account.currentAccount;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytro/cli",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Elytro ERC-4337 Smart Account Wallet CLI",
   "type": "module",
   "bin": {