@elytro/cli 0.5.1 → 0.5.2

package/dist/index.js

@@ -233,9 +233,9 @@ var FileStore = class {
     return join(this.root, `${key}.json`);
   }
   async load(key) {
-    const path = this.filePath(key);
+    const path2 = this.filePath(key);
     try {
-      const raw = await readFile(path, "utf-8");
+      const raw = await readFile(path2, "utf-8");
       return JSON.parse(raw);
     } catch (err) {
       if (err.code === "ENOENT") {
@@ -245,15 +245,15 @@ var FileStore = class {
     }
   }
   async save(key, data) {
-    const path = this.filePath(key);
-    await mkdir(dirname(path), { recursive: true });
-    await writeFile(path, JSON.stringify(data, null, 2), "utf-8");
+    const path2 = this.filePath(key);
+    await mkdir(dirname(path2), { recursive: true });
+    await writeFile(path2, JSON.stringify(data, null, 2), "utf-8");
   }
   async remove(key) {
-    const { unlink } = await import("fs/promises");
-    const path = this.filePath(key);
+    const { unlink: unlink2 } = await import("fs/promises");
+    const path2 = this.filePath(key);
     try {
-      await unlink(path);
+      await unlink2(path2);
     } catch (err) {
       if (err.code !== "ENOENT") {
         throw err;
@@ -261,9 +261,9 @@ var FileStore = class {
     }
   }
   async exists(key) {
-    const path = this.filePath(key);
+    const path2 = this.filePath(key);
     try {
-      await access(path);
+      await access(path2);
       return true;
     } catch {
       return false;
@@ -1444,6 +1444,27 @@ var AccountService = class {
     await this.persist();
     return account;
   }
+  // ─── Rename ───────────────────────────────────────────────────────
+  /**
+   * Rename an account's alias.
+   * @param aliasOrAddress - Current alias or address to identify the account.
+   * @param newAlias       - The new alias. Must be unique.
+   */
+  async renameAccount(aliasOrAddress, newAlias) {
+    const account = this.resolveAccount(aliasOrAddress);
+    if (!account) {
+      throw new Error(`Account "${aliasOrAddress}" not found.`);
+    }
+    const conflict = this.state.accounts.find(
+      (a) => a.alias.toLowerCase() === newAlias.toLowerCase() && a.address !== account.address
+    );
+    if (conflict) {
+      throw new Error(`Alias "${newAlias}" is already taken by ${conflict.address}.`);
+    }
+    account.alias = newAlias;
+    await this.persist();
+    return account;
+  }
   // ─── Activation ───────────────────────────────────────────────────
   /**
    * Mark an account as deployed on-chain.
@@ -2151,120 +2172,227 @@ var SecurityHookService = class {
   }
 };
 
-// src/providers/keychainProvider.ts
-import { execFile } from "child_process";
-import { promisify } from "util";
-var execFileAsync = promisify(execFile);
-var KeychainProvider = class {
-  name = "macos-keychain";
+// src/providers/keyringProvider.ts
+import { Entry } from "@napi-rs/keyring";
+var KeyringProvider = class {
+  name;
   service = "elytro-wallet";
   account = "vault-key";
+  constructor() {
+    const platform = process.platform;
+    if (platform === "darwin") this.name = "macos-keychain";
+    else if (platform === "win32") this.name = "windows-credential-manager";
+    else this.name = "linux-secret-service";
+  }
   async available() {
-    if (process.platform !== "darwin") return false;
     try {
-      await execFileAsync("security", ["help"], { timeout: 5e3 });
+      const entry = new Entry(this.service, this.account);
+      entry.getSecret();
       return true;
-    } catch {
-      return process.platform === "darwin";
+    } catch (err) {
+      const msg = err.message || "";
+      if (isNotFoundError(msg)) return true;
+      return false;
     }
   }
   async store(secret) {
     validateKeyLength(secret);
+    try {
+      const entry = new Entry(this.service, this.account);
+      entry.setSecret(Buffer.from(secret));
+    } catch (err) {
+      throw new Error(`Failed to store vault key in OS credential store: ${err.message}`);
+    }
+  }
+  async load() {
+    try {
+      const entry = new Entry(this.service, this.account);
+      const raw = entry.getSecret();
+      if (!raw || raw.length === 0) return null;
+      const key = new Uint8Array(raw);
+      if (key.length !== 32) {
+        throw new Error(
+          `OS credential store returned vault key with invalid length: expected 32 bytes, got ${key.length}.`
+        );
+      }
+      return key;
+    } catch (err) {
+      const msg = err.message || "";
+      if (isNotFoundError(msg)) return null;
+      throw new Error(`Failed to load vault key from OS credential store: ${msg}`);
+    }
+  }
+  async delete() {
+    try {
+      const entry = new Entry(this.service, this.account);
+      entry.deleteCredential();
+    } catch {
+    }
+  }
+};
+function isNotFoundError(msg) {
+  const lower = msg.toLowerCase();
+  return lower.includes("not found") || lower.includes("no matching") || lower.includes("no such") || lower.includes("itemnotfound") || lower.includes("element not found") || // Windows
+  lower.includes("no result") || lower.includes("no password");
+}
+function validateKeyLength(key) {
+  if (key.length !== 32) {
+    throw new Error(`Invalid vault key: expected 32 bytes, got ${key.length}.`);
+  }
+}
+
+// src/providers/fileProvider.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+import { constants } from "fs";
+var FileProvider = class {
+  name = "file-protected";
+  keyPath;
+  /**
+   * @param dataDir — the ~/.elytro/ directory path (from FileStore.dataDir).
+   *                   Defaults to ~/.elytro if not provided.
+   */
+  constructor(dataDir) {
+    const base = dataDir ?? path.join(process.env.HOME || "~", ".elytro");
+    this.keyPath = path.join(base, ".vault-key");
+  }
+  /**
+   * FileProvider is always technically available on any OS (filesystem always exists).
+   * But it should only be used on Linux when the KeyringProvider is not available.
+   * The resolution logic in resolveProvider handles this gating — FileProvider
+   * itself does not restrict by platform.
+   */
+  async available() {
+    try {
+      await fs.access(this.keyPath, constants.R_OK);
+      return true;
+    } catch {
+      try {
+        await fs.access(path.dirname(this.keyPath), constants.W_OK);
+        return true;
+      } catch {
+        return false;
+      }
+    }
+  }
+  async store(secret) {
+    validateKeyLength2(secret);
     const b64 = Buffer.from(secret).toString("base64");
+    const tmpPath = this.keyPath + ".tmp";
     try {
-      await execFileAsync("security", [
-        "add-generic-password",
-        "-U",
-        "-s",
-        this.service,
-        "-a",
-        this.account,
-        "-w",
-        b64
-      ]);
+      await fs.writeFile(tmpPath, b64, { encoding: "utf-8", mode: 384 });
+      await fs.rename(tmpPath, this.keyPath);
+      await fs.chmod(this.keyPath, 384);
     } catch (err) {
-      throw new Error(`Failed to store vault key in Keychain: ${err.message}`);
+      try {
+        await fs.unlink(tmpPath);
+      } catch {
+      }
+      throw new Error(`Failed to store vault key to file: ${err.message}`);
     }
   }
   async load() {
     try {
-      const { stdout } = await execFileAsync("security", [
-        "find-generic-password",
-        "-s",
-        this.service,
-        "-a",
-        this.account,
-        "-w"
-      ]);
-      const trimmed = stdout.trim();
+      const stat2 = await fs.stat(this.keyPath);
+      const mode = stat2.mode & 511;
+      if (mode !== 384) {
+        throw new Error(
+          `Vault key file has insecure permissions: ${modeToOctal(mode)} (expected 0600).
+Fix with: chmod 600 ${this.keyPath}
+Refusing to load until permissions are corrected.`
+        );
+      }
+      const raw = await fs.readFile(this.keyPath, "utf-8");
+      const trimmed = raw.trim();
       if (!trimmed) return null;
       const key = Buffer.from(trimmed, "base64");
       if (key.length !== 32) {
-        throw new Error(`Keychain vault key has invalid length: expected 32 bytes, got ${key.length}.`);
+        throw new Error(
+          `Vault key file has invalid content: expected 32 bytes (base64), got ${key.length}.`
+        );
       }
       return new Uint8Array(key);
     } catch (err) {
       const msg = err.message || "";
-      if (msg.includes("could not be found") || msg.includes("SecKeychainSearchCopyNext")) {
-        return null;
-      }
-      throw new Error(`Failed to load vault key from Keychain: ${msg}`);
+      if (msg.includes("ENOENT")) return null;
+      throw err;
     }
   }
   async delete() {
     try {
-      await execFileAsync("security", ["delete-generic-password", "-s", this.service, "-a", this.account]);
+      await fs.unlink(this.keyPath);
     } catch {
     }
   }
 };
-function validateKeyLength(key) {
+function validateKeyLength2(key) {
   if (key.length !== 32) {
     throw new Error(`Invalid vault key: expected 32 bytes, got ${key.length}.`);
   }
 }
+function modeToOctal(mode) {
+  return "0" + mode.toString(8);
+}
 
 // src/providers/envVarProvider.ts
 var ENV_KEY = "ELYTRO_VAULT_SECRET";
+var ENV_ALLOW = "ELYTRO_ALLOW_ENV";
 var EnvVarProvider = class {
   name = "env-var";
   async available() {
-    return !!process.env[ENV_KEY];
+    return !!process.env[ENV_KEY] && process.env[ENV_ALLOW] === "1";
   }
   async store(_secret) {
     throw new Error(
-      "EnvVarProvider is read-only. Cannot store vault key in an environment variable. Use a persistent provider (macOS Keychain) or store the secret manually."
+      "EnvVarProvider is read-only. Cannot store vault key in an environment variable.\nUse a persistent provider (OS keychain or file-protected) or store the secret manually."
     );
   }
   async load() {
+    if (process.env[ENV_ALLOW] !== "1") return null;
     const raw = process.env[ENV_KEY];
     if (!raw) return null;
     delete process.env[ENV_KEY];
+    delete process.env[ENV_ALLOW];
     const key = Buffer.from(raw, "base64");
     if (key.length !== 32) {
       throw new Error(
-        `${ENV_KEY} has invalid length: expected 32 bytes (base64), got ${key.length}. The value must be a base64-encoded 256-bit key.`
+        `${ENV_KEY} has invalid length: expected 32 bytes (base64), got ${key.length}.
+The value must be a base64-encoded 256-bit key.`
       );
     }
     return new Uint8Array(key);
   }
   async delete() {
     delete process.env[ENV_KEY];
+    delete process.env[ENV_ALLOW];
   }
 };
 
 // src/providers/resolveProvider.ts
 async function resolveProvider() {
-  const keychainProvider = new KeychainProvider();
+  const keyringProvider = new KeyringProvider();
+  const fileProvider = new FileProvider();
   const envProvider = new EnvVarProvider();
-  const initProvider = await keychainProvider.available() ? keychainProvider : null;
-  let loadProvider = null;
-  if (await keychainProvider.available()) {
-    loadProvider = keychainProvider;
-  } else if (await envProvider.available()) {
-    loadProvider = envProvider;
-  }
-  return { initProvider, loadProvider };
+  if (await keyringProvider.available()) {
+    return {
+      initProvider: keyringProvider,
+      loadProvider: keyringProvider
+    };
+  }
+  if (process.platform === "linux" && await fileProvider.available()) {
+    return {
+      initProvider: fileProvider,
+      loadProvider: fileProvider
+    };
+  }
+  if (await envProvider.available()) {
+    return {
+      initProvider: null,
+      // Cannot store via env var
+      loadProvider: envProvider
+    };
+  }
+  return { initProvider: null, loadProvider: null };
 }
 
 // src/context.ts
@@ -2284,14 +2412,15 @@ async function createAppContext() {
   if (isInitialized) {
     if (!loadProvider) {
       throw new Error(
-        "Wallet is initialized but no secret provider is available.\n" + (process.platform === "darwin" ? "Keychain access failed. Check macOS Keychain permissions." : "Set the ELYTRO_VAULT_SECRET environment variable.")
+        "Wallet is initialized but no secret provider is available.\n" + noProviderHint()
       );
     }
     const vaultKey = await loadProvider.load();
     if (!vaultKey) {
       throw new Error(
         `Wallet is initialized but vault key not found in ${loadProvider.name}.
-` + (process.platform === "darwin" ? "The Keychain item may have been deleted. Re-run `elytro init` to create a new wallet,\nor import a backup with `elytro import`." : "Set ELYTRO_VAULT_SECRET to the base64-encoded vault key.")
+The credential may have been deleted. Re-run \`elytro init\` to create a new wallet,
+or import a backup with \`elytro import\`.`
       );
     }
     try {
@@ -2326,6 +2455,16 @@ The vault key may not match the encrypted keyring. Re-run \`elytro init\` or imp
   }
   return { store, keyring, chain, sdk, walletClient, account, secretProvider: loadProvider };
 }
+function noProviderHint() {
+  switch (process.platform) {
+    case "darwin":
+      return "macOS Keychain access failed. Check Keychain permissions or security settings.";
+    case "win32":
+      return "Windows Credential Manager access failed. Run as the same user who initialized the wallet.";
+    default:
+      return "No secret provider available. Options:\n  1. Install and start a Secret Service provider (GNOME Keyring or KWallet)\n  2. The vault key file (~/.elytro/.vault-key) may have been deleted\n  3. For CI: set ELYTRO_VAULT_SECRET and ELYTRO_ALLOW_ENV=1";
+  }
+}
 
 // src/commands/init.ts
 import { webcrypto as webcrypto2 } from "crypto";
@@ -2396,7 +2535,9 @@ function registerInitCommand(program2, ctx) {
         dataDir: ctx.store.dataDir,
         secretProvider: providerName,
         ...vaultSecretB64 ? { vaultSecret: vaultSecretB64 } : {},
-        ...vaultSecretB64 ? { hint: "Save ELYTRO_VAULT_SECRET \u2014 it will NOT be shown again." } : {},
+        ...vaultSecretB64 ? {
+          hint: "No persistent secret provider available. Save this vault key securely \u2014 it will NOT be shown again.\nFor CI: set ELYTRO_VAULT_SECRET=<key> and ELYTRO_ALLOW_ENV=1."
+        } : {},
         nextStep: "Run `elytro account create --chain <chainId>` to create your first smart account."
       });
     } catch (err) {
@@ -2473,6 +2614,14 @@ function registerAccountCommand(program2, ctx) {
       outputError(ERR_INVALID_PARAMS, "Invalid chain ID.", { chain: opts.chain });
       return;
     }
+    const chainConfig = ctx.chain.chains.find((c) => c.id === chainId);
+    if (!chainConfig) {
+      const supported = ctx.chain.chains.map((c) => `${c.id} (${c.name})`);
+      outputError(ERR_INVALID_PARAMS, `Chain ${chainId} is not supported.`, {
+        supportedChains: supported
+      });
+      return;
+    }
     let dailyLimitUsd;
     if (opts.dailyLimit !== void 0) {
       dailyLimitUsd = parseFloat(opts.dailyLimit);
@@ -2487,12 +2636,9 @@ function registerAccountCommand(program2, ctx) {
     } : void 0;
     const spinner = ora2("Creating smart account...").start();
     try {
-      const chainConfig = ctx.chain.chains.find((c) => c.id === chainId);
-      const chainName = chainConfig?.name ?? String(chainId);
-      if (chainConfig) {
-        await ctx.sdk.initForChain(chainConfig);
-        ctx.walletClient.initForChain(chainConfig);
-      }
+      const chainName = chainConfig.name;
+      await ctx.sdk.initForChain(chainConfig);
+      ctx.walletClient.initForChain(chainConfig);
       const accountInfo = await ctx.account.createAccount(chainId, opts.alias, securityIntent);
       spinner.text = "Registering with backend...";
       const { guardianHash, guardianSafePeriod } = ctx.sdk.initDefaults;
@@ -2748,6 +2894,20 @@ function registerAccountCommand(program2, ctx) {
       outputError(ERR_INTERNAL, err.message);
     }
   });
+  account.command("rename").description("Rename an account alias").argument("<account>", "Current alias or address").argument("<newAlias>", "New alias").action(async (target, newAlias) => {
+    try {
+      const renamed = await ctx.account.renameAccount(target, newAlias);
+      const chainConfig = ctx.chain.chains.find((c) => c.id === renamed.chainId);
+      outputResult({
+        alias: renamed.alias,
+        address: renamed.address,
+        chain: chainConfig?.name ?? String(renamed.chainId),
+        chainId: renamed.chainId
+      });
+    } catch (err) {
+      outputError(ERR_INTERNAL, err.message);
+    }
+  });
   account.command("switch").description("Switch the active account").argument("[account]", "Alias or address").action(async (target) => {
     const accounts = ctx.account.allAccounts;
     if (accounts.length === 0) {
@@ -4238,7 +4398,7 @@ import { execSync } from "child_process";
 import { createRequire } from "module";
 function resolveVersion() {
   if (true) {
-    return "0.5.1";
+    return "0.5.2";
   }
   try {
     const require2 = createRequire(import.meta.url);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytro/cli",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "description": "Elytro ERC-4337 Smart Account Wallet CLI",
   "type": "module",
   "bin": {
@@ -41,6 +41,7 @@
     "@elytro/abi": "latest",
     "@elytro/sdk": "latest",
     "@inquirer/prompts": "^7.0.0",
+    "@napi-rs/keyring": "^1.2.0",
     "chalk": "^5.3.0",
     "commander": "^13.0.0",
     "graphql": "^16.9.0",