@moonpay/cli 0.3.10 → 0.4.0

package/dist/{chunk-ZJ3XMP4N.js → chunk-HKQ2DNOD.js}

@@ -1,15 +1,31 @@
 import { createRequire as __createRequire } from "module"; const require = __createRequire(import.meta.url);
+import {
+  KEY_CHAIN_MAP,
+  chainSchema,
+  deleteWalletFile,
+  keyChainSchema,
+  loadAllWallets,
+  loadWallet,
+  lockedVaultDataSchema,
+  saveWalletMetadata,
+  vaultDataSchema,
+  walletInfoSchema
+} from "./chunk-AGDVU2O5.js";
+import {
+  deriveAllAddresses,
+  deriveKeyForChain
+} from "./chunk-Z33PSOPD.js";
+import {
+  __require
+} from "./chunk-EEBB5MQP.js";
 
 // src/auth.ts
 import { spawn } from "child_process";
 import * as crypto from "crypto";
 import * as fs from "fs";
-import * as http from "http";
 import * as os from "os";
 import * as path from "path";
-function escapeHtml(str) {
-  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
-}
+import { createInterface } from "readline";
 function generateCodeVerifier() {
   return crypto.randomBytes(32).toString("base64url");
 }
@@ -20,8 +36,6 @@ var CONFIG_DIR = path.join(os.homedir(), ".config", "moonpay");
 var CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
 var CREDENTIALS_PATH = path.join(CONFIG_DIR, "credentials.json");
 var LOCK_PATH = path.join(CONFIG_DIR, ".credentials.lock");
-var CALLBACK_PORT = 3847;
-var CALLBACK_URL = `http://localhost:${CALLBACK_PORT}/callback`;
 var DEFAULT_CONFIG = {
   baseUrl: "https://agents.moonpay.com",
   clientId: "mooniq_zin3s5jz3olzkdfxpmbeaogv"
@@ -72,14 +86,10 @@ function acquireLock() {
   };
 }
 function getConfig() {
-  if (!fs.existsSync(CONFIG_PATH)) {
-    return null;
-  }
+  if (!fs.existsSync(CONFIG_PATH)) return null;
   try {
     const data = JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8"));
-    if (!data.baseUrl || !data.clientId) {
-      return null;
-    }
+    if (!data.baseUrl || !data.clientId) return null;
     return data;
   } catch {
     return null;
@@ -92,14 +102,10 @@ function getConfigOrDefault() {
   return DEFAULT_CONFIG;
 }
 function getCredentials() {
-  if (!fs.existsSync(CREDENTIALS_PATH)) {
-    return null;
-  }
+  if (!fs.existsSync(CREDENTIALS_PATH)) return null;
   try {
     const data = JSON.parse(fs.readFileSync(CREDENTIALS_PATH, "utf-8"));
-    if (!data.accessToken || !data.baseUrl) {
-      return null;
-    }
+    if (!data.accessToken || !data.baseUrl) return null;
     return data;
   } catch {
     return null;
@@ -127,86 +133,33 @@ function openBrowser(url) {
   const platform = process.platform;
   const cmd = platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
   const args = platform === "win32" ? ["/c", "start", "", url] : [url];
-  spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
+  try {
+    spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+function promptLine(prompt) {
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  return new Promise((resolve) => {
+    rl.question(prompt, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
 }
 async function login(config) {
   const state = crypto.randomUUID();
   const usePkce = !config.clientSecret;
+  const callbackUrl = `${config.baseUrl}/callback`;
   let codeVerifier;
   if (usePkce) {
     codeVerifier = generateCodeVerifier();
   }
-  let resolveCallback;
-  const codePromise = new Promise((resolve2) => {
-    resolveCallback = resolve2;
-  });
-  const sockets = /* @__PURE__ */ new Set();
-  const server = http.createServer((req, res) => {
-    const url = new URL(req.url ?? "/", `http://localhost:${CALLBACK_PORT}`);
-    if (url.pathname === "/callback") {
-      const code2 = url.searchParams.get("code");
-      const returnedState = url.searchParams.get("state");
-      const error = url.searchParams.get("error");
-      const errorDesc = url.searchParams.get("error_description");
-      if (returnedState !== state) {
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(
-          `<!DOCTYPE html><html><head><meta charset="utf-8"><title>OAuth Error</title></head><body style="font-family:system-ui,sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;margin:0;padding:2rem;text-align:center;background:#fef2f2"><h1 style="color:#b91c1c;margin:0 0 1rem">OAuth Error</h1><p style="color:#991b1b;margin:0">State mismatch \u2014 possible CSRF attack. Please try logging in again.</p></body></html>`
-        );
-        resolveCallback("");
-        setTimeout(() => server.close(), 2e3);
-      } else if (error) {
-        const safeError = escapeHtml(error);
-        const safeDesc = escapeHtml(errorDesc ?? "Unknown error");
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(
-          `<!DOCTYPE html><html><head><meta charset="utf-8"><title>OAuth Error</title></head><body style="font-family:system-ui,sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;margin:0;padding:2rem;text-align:center;background:#fef2f2"><h1 style="color:#b91c1c;margin:0 0 1rem">OAuth Error</h1><p style="color:#991b1b;margin:0">${safeError}: ${safeDesc}</p></body></html>`
-        );
-        resolveCallback("");
-        setTimeout(() => server.close(), 2e3);
-      } else if (code2) {
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(
-          `<!DOCTYPE html><html><head><meta charset="utf-8"><title>MoonPay Agents</title></head><body style="font-family:system-ui,-apple-system,sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;margin:0;padding:2rem;text-align:center;background:#0a0a0a;color:#fafafa"><img src="https://agents.moonpay.com/logos/moonpay.jpg" alt="MoonPay" style="width:64px;height:64px;border-radius:16px;margin-bottom:1.5rem" /><h1 style="margin:0 0 0.5rem;font-size:1.5rem;font-weight:600">Your agent has money now.</h1><p style="color:#a1a1aa;margin:0;font-size:1rem">You can close this tab and return to the terminal.</p></body></html>`
-        );
-        resolveCallback(code2);
-      } else {
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(
-          `<!DOCTYPE html><html><head><meta charset="utf-8"><title>Error</title></head><body style="font-family:system-ui,sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;margin:0;padding:2rem;text-align:center;background:#fef2f2"><h1 style="color:#b91c1c;margin:0 0 1rem">Error</h1><p style="color:#991b1b;margin:0">No authorization code received.</p></body></html>`
-        );
-        resolveCallback("");
-        setTimeout(() => server.close(), 2e3);
-      }
-    } else {
-      res.writeHead(204);
-      res.end();
-    }
-  });
-  await new Promise((resolve2, reject) => {
-    server.on("error", (err) => {
-      if (err.code === "EADDRINUSE") {
-        reject(
-          new Error(
-            `Port ${CALLBACK_PORT} is in use. Close the other process or run: lsof -i :${CALLBACK_PORT}`
-          )
-        );
-      } else {
-        reject(err);
-      }
-    });
-    server.on("connection", (socket) => {
-      sockets.add(socket);
-      socket.on("close", () => sockets.delete(socket));
-    });
-    server.listen(CALLBACK_PORT, "127.0.0.1", () => resolve2());
-  });
-  console.log(
-    `Waiting for callback at http://localhost:${CALLBACK_PORT}/callback`
-  );
   const authorizeParams = new URLSearchParams({
     client_id: config.clientId,
-    redirect_uri: CALLBACK_URL,
+    redirect_uri: callbackUrl,
     response_type: "code",
     scope: "profile email",
     state
@@ -216,18 +169,23 @@ async function login(config) {
     authorizeParams.set("code_challenge_method", "S256");
   }
   const authorizeUrl = `${config.baseUrl}/authorize?${authorizeParams.toString()}`;
-  console.log("Opening browser for authorization...");
-  console.log("(Make sure you're logged in to MoonPay in your browser)\n");
-  openBrowser(authorizeUrl);
-  const code = await codePromise;
+  const opened = openBrowser(authorizeUrl);
+  if (opened) {
+    console.log("Opened browser for authorization.\n");
+  } else {
+    console.log("Open this URL in your browser to log in:\n");
+    console.log(`  ${authorizeUrl}
+`);
+  }
+  const code = await promptLine("Paste code: ");
   if (!code) {
-    throw new Error("No authorization code received");
+    throw new Error("No authorization code provided.");
   }
   const tokenParams = {
     grant_type: "authorization_code",
     code,
     client_id: config.clientId,
-    redirect_uri: CALLBACK_URL
+    redirect_uri: callbackUrl
   };
   if (config.clientSecret) {
     tokenParams.client_secret = config.clientSecret;
@@ -254,14 +212,6 @@ async function login(config) {
     baseUrl: config.baseUrl
   };
   saveCredentials(creds);
-  await new Promise((resolve2) => setTimeout(resolve2, 1e3));
-  server.close();
-  for (const socket of sockets) {
-    if ("destroy" in socket && typeof socket.destroy === "function") {
-      socket.destroy();
-    }
-  }
-  sockets.clear();
   return creds;
 }
 async function refreshCredentials(creds, config) {
@@ -1692,8 +1642,11 @@ var schemas_default = [
 ];
 
 // src/tools/wallet/create/tool.ts
-import { Keypair } from "@solana/web3.js";
-import bs58 from "bs58";
+import { writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir3 } from "os";
+import { generateMnemonic } from "@scure/bip39";
+import { wordlist as english } from "@scure/bip39/wordlists/english";
 
 // src/tools/shared.ts
 var defineToolSchema = (config) => config;
@@ -1706,198 +1659,407 @@ var createTool = (schema, handler) => ({
   }
 });
 
-// src/tools/wallet/server.ts
+// src/tools/wallet/vault.ts
 import {
   readFileSync as readFileSync2,
-  readdirSync,
   writeFileSync as writeFileSync2,
-  mkdirSync as mkdirSync2,
   existsSync as existsSync2,
-  renameSync as renameSync2
+  renameSync as renameSync2,
+  mkdirSync as mkdirSync2
 } from "fs";
-import { join as join2, resolve } from "path";
+import { join as join2 } from "path";
 import { homedir as homedir2 } from "os";
-import { randomBytes as randomBytes2 } from "crypto";
-
-// src/tools/wallet/models.ts
-import { z } from "zod";
-var walletSchema = z.object({
-  name: z.string(),
-  address: z.string(),
-  secretKey: z.string(),
-  chain: z.literal("solana"),
-  createdAt: z.string()
-});
-var walletInfoSchema = walletSchema.omit({ secretKey: true });
-
-// src/tools/wallet/server.ts
+import {
+  randomBytes as randomBytes2,
+  randomUUID as randomUUID2,
+  scryptSync,
+  createCipheriv,
+  createDecipheriv
+} from "crypto";
 var CONFIG_DIR2 = join2(homedir2(), ".config", "moonpay");
-var WALLETS_DIR = join2(CONFIG_DIR2, "wallets");
-function validateWalletName(name) {
-  if (!name || /[/\\]/.test(name) || name.includes("..") || name.includes("\0")) {
-    throw new Error(`Invalid wallet name: "${name}"`);
+var VAULT_PATH = join2(CONFIG_DIR2, "vault.json");
+function ensureConfigDir2() {
+  mkdirSync2(CONFIG_DIR2, { recursive: true, mode: 448 });
+}
+function loadVault() {
+  if (!existsSync2(VAULT_PATH)) {
+    const empty = { version: 1, entries: {} };
+    saveVault(empty);
+    return empty;
+  }
+  const raw = JSON.parse(readFileSync2(VAULT_PATH, "utf-8"));
+  const locked = lockedVaultDataSchema.safeParse(raw);
+  if (locked.success) {
+    throw new Error(
+      "Vault is locked. Run `mp wallet unlock` to decrypt it first."
+    );
   }
-  const resolved = resolve(WALLETS_DIR, `${name}.json`);
-  if (!resolved.startsWith(WALLETS_DIR + "/")) {
-    throw new Error(`Invalid wallet name: "${name}"`);
+  const result = vaultDataSchema.safeParse(raw);
+  if (!result.success) {
+    throw new Error("Vault file is corrupted or has an unknown format.");
   }
+  return result.data;
+}
+function saveVault(vault) {
+  ensureConfigDir2();
+  const tmpPath = join2(
+    CONFIG_DIR2,
+    `.vault.${randomBytes2(4).toString("hex")}.tmp`
+  );
+  writeFileSync2(tmpPath, JSON.stringify(vault, null, 2), { mode: 384 });
+  renameSync2(tmpPath, VAULT_PATH);
+}
+function isVaultLocked() {
+  if (!existsSync2(VAULT_PATH)) return false;
+  const raw = JSON.parse(readFileSync2(VAULT_PATH, "utf-8"));
+  return lockedVaultDataSchema.safeParse(raw).success;
 }
-function ensureWalletsDir() {
-  mkdirSync2(WALLETS_DIR, { recursive: true, mode: 448 });
+function addHdEntry(mnemonic) {
+  const vault = loadVault();
+  const id = randomUUID2();
+  const entry = { id, type: "hd", mnemonic };
+  vault.entries[id] = entry;
+  saveVault(vault);
+  return id;
 }
-function getWalletPath(name) {
-  validateWalletName(name);
-  return join2(WALLETS_DIR, `${name}.json`);
+function addImportedEntry(chain, privateKey) {
+  const vault = loadVault();
+  const id = randomUUID2();
+  const entry = { id, type: "imported", chain, privateKey };
+  vault.entries[id] = entry;
+  saveVault(vault);
+  return id;
 }
-function getWalletsDir() {
-  return WALLETS_DIR;
+function removeVaultEntry(id) {
+  const vault = loadVault();
+  delete vault.entries[id];
+  saveVault(vault);
+}
+function resolveSigningKey(wallet, chain) {
+  const vault = loadVault();
+  const entry = vault.entries[wallet.vaultRef];
+  if (!entry) {
+    throw new Error(
+      `Vault entry not found for wallet "${wallet.name}". The vault may be out of sync.`
+    );
+  }
+  const keyChain = KEY_CHAIN_MAP[chain];
+  if (entry.type === "imported") {
+    if (entry.chain !== keyChain) {
+      throw new Error(
+        `Wallet "${wallet.name}" was imported for ${entry.chain}, cannot sign for ${chain}.`
+      );
+    }
+    return {
+      privateKey: decodePrivateKey(entry.privateKey, keyChain),
+      address: wallet.addresses[keyChain]
+    };
+  }
+  const derived = deriveKeyForChain(entry.mnemonic, keyChain, wallet.account ?? 0);
+  return {
+    privateKey: derived.privateKey,
+    address: derived.address
+  };
 }
-function saveWallet(wallet) {
-  ensureWalletsDir();
-  const filePath = getWalletPath(wallet.name);
-  if (existsSync2(filePath)) {
-    throw new Error(`Wallet "${wallet.name}" already exists`);
+function decodePrivateKey(key, chain) {
+  if (chain === "solana") {
+    const bs583 = __require("bs58");
+    return bs583.default.decode(key);
   }
-  const safeName = wallet.name.replace(/[^a-zA-Z0-9_-]/g, "_");
+  return Uint8Array.from(Buffer.from(key, "hex"));
+}
+var SCRYPT_N = 2 ** 14;
+var SCRYPT_R = 8;
+var SCRYPT_P = 1;
+var KEY_LENGTH = 32;
+function deriveEncryptionKey(password, salt) {
+  return scryptSync(password, salt, KEY_LENGTH, {
+    N: SCRYPT_N,
+    r: SCRYPT_R,
+    p: SCRYPT_P
+  });
+}
+function lockVault(password) {
+  const vault = loadVault();
+  const salt = randomBytes2(32);
+  const key = deriveEncryptionKey(password, salt);
+  const iv = randomBytes2(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const plaintext = JSON.stringify(vault);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  const locked = {
+    version: 1,
+    locked: true,
+    ciphertext: encrypted.toString("base64"),
+    iv: iv.toString("base64"),
+    salt: salt.toString("base64"),
+    tag: tag.toString("base64")
+  };
+  ensureConfigDir2();
   const tmpPath = join2(
-    WALLETS_DIR,
-    `.${safeName}.${randomBytes2(4).toString("hex")}.tmp`
+    CONFIG_DIR2,
+    `.vault.${randomBytes2(4).toString("hex")}.tmp`
   );
-  writeFileSync2(tmpPath, JSON.stringify(wallet, null, 2), { mode: 384 });
-  renameSync2(tmpPath, filePath);
+  writeFileSync2(tmpPath, JSON.stringify(locked, null, 2), { mode: 384 });
+  renameSync2(tmpPath, VAULT_PATH);
 }
-function loadWallet(nameOrAddress) {
-  ensureWalletsDir();
-  const files = readdirSync(WALLETS_DIR).filter((f) => f.endsWith(".json"));
-  for (const file of files) {
-    const raw = JSON.parse(readFileSync2(join2(WALLETS_DIR, file), "utf-8"));
-    const result = walletSchema.safeParse(raw);
-    if (!result.success) continue;
-    const wallet = result.data;
-    if (wallet.name === nameOrAddress || wallet.address === nameOrAddress)
-      return wallet;
+function unlockVault(password) {
+  if (!existsSync2(VAULT_PATH)) {
+    throw new Error("No vault found. Create a wallet first.");
+  }
+  const raw = JSON.parse(readFileSync2(VAULT_PATH, "utf-8"));
+  const locked = lockedVaultDataSchema.safeParse(raw);
+  if (!locked.success) {
+    throw new Error("Vault is not locked.");
   }
-  throw new Error(`Wallet "${nameOrAddress}" not found`);
+  const { ciphertext, iv, salt, tag } = locked.data;
+  const saltBuf = Buffer.from(salt, "base64");
+  const key = deriveEncryptionKey(password, saltBuf);
+  const ivBuf = Buffer.from(iv, "base64");
+  const tagBuf = Buffer.from(tag, "base64");
+  const ciphertextBuf = Buffer.from(ciphertext, "base64");
+  const decipher = createDecipheriv("aes-256-gcm", key, ivBuf, { authTagLength: 16 });
+  decipher.setAuthTag(tagBuf);
+  let decrypted;
+  try {
+    decrypted = Buffer.concat([
+      decipher.update(ciphertextBuf),
+      decipher.final()
+    ]);
+  } catch {
+    throw new Error("Wrong password.");
+  }
+  const vault = vaultDataSchema.parse(JSON.parse(decrypted.toString("utf8")));
+  saveVault(vault);
 }
 
 // src/tools/wallet/create/schema.ts
-import { z as z2 } from "zod";
+import { z } from "zod";
 var walletCreateSchema = defineToolSchema({
   name: "wallet_create",
-  description: "Generate a new Solana keypair and store it locally",
-  input: z2.object({
-    name: z2.string().describe("Wallet name")
+  description: "Create a new multi-chain HD wallet. Generates a BIP39 mnemonic seed phrase and derives addresses for Solana, Ethereum (shared by Base, Arbitrum, Polygon, Optimism, BNB, Avalanche), Bitcoin, and Tron. The mnemonic is saved to a local backup file (path returned in output) \u2014 it is never printed or returned in the response. To derive additional accounts from the same mnemonic, pass --from with an existing wallet name and --account with the desired index.",
+  input: z.object({
+    name: z.string().describe("Wallet name"),
+    from: z.string().nullable().describe("Name of an existing HD wallet to derive from. Uses the same mnemonic but a different account index. Omit to generate a new mnemonic."),
+    account: z.number().int().min(0).nullable().describe("BIP44 account index (0, 1, 2, ...). Required when using --from. Omit for new wallets (defaults to 0).")
   }),
-  output: z2.object({
-    name: z2.string().describe("Wallet name"),
-    address: z2.string().describe("Solana wallet address (base58)")
+  output: z.object({
+    name: z.string().describe("Wallet name"),
+    account: z.number().describe("BIP44 account index used for derivation"),
+    addresses: z.record(keyChainSchema, z.string()).describe("Derived addresses per chain (solana, ethereum, bitcoin, tron)"),
+    backupPath: z.string().nullable().describe("Path to the mnemonic backup file (0o600 permissions). Null when derived from an existing wallet.")
   })
 });
 
 // src/tools/wallet/create/tool.ts
 var walletCreate = createTool(walletCreateSchema, async (params) => {
-  const keypair = Keypair.generate();
-  const wallet = {
-    name: params.name,
-    address: keypair.publicKey.toBase58(),
-    secretKey: bs58.encode(keypair.secretKey),
-    chain: "solana",
+  if (params.from) {
+    if (params.account === null) {
+      throw new Error("--account is required when using --from.");
+    }
+    return deriveFromExisting(params.name, params.from, params.account);
+  }
+  return createNew(params.name);
+});
+function createNew(name) {
+  const mnemonic = generateMnemonic(english, 128);
+  const addresses = deriveAllAddresses(mnemonic);
+  const vaultRef = addHdEntry(mnemonic);
+  const metadata = {
+    name,
+    type: "hd",
+    vaultRef,
+    account: 0,
+    addresses,
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  saveWallet(wallet);
-  return { name: wallet.name, address: wallet.address };
-});
+  saveWalletMetadata(metadata);
+  const backupDir = join3(homedir3(), ".config", "moonpay", "backups");
+  mkdirSync3(backupDir, { recursive: true, mode: 448 });
+  const backupPath = join3(backupDir, `${name}.mnemonic`);
+  writeFileSync3(backupPath, mnemonic + "\n", { mode: 384 });
+  return { name, account: 0, addresses, backupPath };
+}
+function deriveFromExisting(name, from, account) {
+  const source = loadWallet(from);
+  if (source.type !== "hd") {
+    throw new Error(
+      `Wallet "${from}" is an imported single-key wallet. Only HD wallets support account derivation.`
+    );
+  }
+  const vault = loadVault();
+  const entry = vault.entries[source.vaultRef];
+  if (!entry || entry.type !== "hd") {
+    throw new Error(`Vault entry for wallet "${from}" not found or is not HD.`);
+  }
+  const addresses = deriveAllAddresses(entry.mnemonic, account);
+  const metadata = {
+    name,
+    type: "hd",
+    vaultRef: source.vaultRef,
+    account,
+    addresses,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  saveWalletMetadata(metadata);
+  return { name, account, addresses, backupPath: null };
+}
 
 // src/tools/wallet/import/tool.ts
-import { Keypair as Keypair2 } from "@solana/web3.js";
-import bs582 from "bs58";
-import { createInterface } from "readline";
+import { validateMnemonic } from "@scure/bip39";
+import { wordlist as english2 } from "@scure/bip39/wordlists/english";
+import { Keypair } from "@solana/web3.js";
+import bs58 from "bs58";
+import { createInterface as createInterface2 } from "readline";
 
 // src/tools/wallet/import/schema.ts
-import { z as z3 } from "zod";
+import { z as z2 } from "zod";
 var walletImportSchema = defineToolSchema({
   name: "wallet_import",
-  description: "Import a Solana wallet from a base58 private key",
-  input: z3.object({
-    name: z3.string().describe("Wallet name"),
-    key: z3.string().nullable().describe("Base58-encoded private key (prompted interactively if not provided)")
+  description: "Import a wallet from a BIP39 mnemonic (HD, all chains) or a single private key (one chain). Provide either --mnemonic or --key, not both.",
+  input: z2.object({
+    name: z2.string().describe("Wallet name"),
+    mnemonic: z2.string().nullable().describe("BIP39 mnemonic seed phrase (for HD wallet import)"),
+    key: z2.string().nullable().describe(
+      "Private key: base58 for Solana, hex for EVM/Bitcoin (for single-chain import)"
+    ),
+    chain: chainSchema.nullable().describe(
+      "Chain for single-key import: solana, ethereum, base, arbitrum, or bitcoin (default solana)"
+    )
   }),
-  output: z3.object({
-    name: z3.string().describe("Wallet name"),
-    address: z3.string().describe("Solana wallet address (base58)")
+  output: z2.object({
+    name: z2.string().describe("Wallet name"),
+    type: z2.enum(["hd", "imported"]).describe("Wallet type"),
+    addresses: z2.record(keyChainSchema, z2.string()).describe("Wallet addresses per chain")
   })
 });
 
 // src/tools/wallet/import/tool.ts
 async function promptSecret(prompt) {
-  const rl = createInterface({ input: process.stdin, output: process.stderr });
-  return new Promise((resolve2) => {
+  const rl = createInterface2({ input: process.stdin, output: process.stderr });
+  return new Promise((resolve) => {
     rl.question(prompt, (answer) => {
       rl.close();
-      resolve2(answer.trim());
+      resolve(answer.trim());
     });
   });
 }
 var walletImport = createTool(walletImportSchema, async (params) => {
-  const secretKeyBase58 = params.key !== null ? params.key : await promptSecret("Enter private key (base58): ");
-  let keypair;
-  try {
-    const secretKeyBytes = bs582.decode(secretKeyBase58);
-    keypair = Keypair2.fromSecretKey(secretKeyBytes);
-  } catch {
-    throw new Error(
-      "Invalid private key. Expected a base58-encoded Solana secret key."
-    );
+  if (params.mnemonic && params.key) {
+    throw new Error("Provide either --mnemonic or --key, not both.");
+  }
+  if (params.mnemonic) {
+    return importMnemonic(params.name, params.mnemonic);
+  }
+  const chain = params.chain ? KEY_CHAIN_MAP[params.chain] : "solana";
+  const key = params.key !== null ? params.key : await promptSecret("Enter private key: ");
+  return importKey(params.name, chain, key);
+});
+async function importMnemonic(name, mnemonic) {
+  const trimmed = mnemonic.trim().toLowerCase();
+  if (!validateMnemonic(trimmed, english2)) {
+    throw new Error("Invalid BIP39 mnemonic.");
   }
-  const wallet = {
-    name: params.name,
-    address: keypair.publicKey.toBase58(),
-    secretKey: secretKeyBase58,
-    chain: "solana",
+  const addresses = deriveAllAddresses(trimmed);
+  const vaultRef = addHdEntry(trimmed);
+  const metadata = {
+    name,
+    type: "hd",
+    vaultRef,
+    account: 0,
+    addresses,
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  saveWallet(wallet);
-  return { name: wallet.name, address: wallet.address };
-});
-
-// src/tools/wallet/list/tool.ts
-import { readFileSync as readFileSync3, readdirSync as readdirSync2 } from "fs";
-import { join as join3 } from "path";
+  saveWalletMetadata(metadata);
+  return { name, type: "hd", addresses };
+}
+async function importKey(name, chain, key) {
+  let address;
+  if (chain === "solana") {
+    try {
+      const secretKeyBytes = bs58.decode(key);
+      const keypair = Keypair.fromSecretKey(secretKeyBytes);
+      address = keypair.publicKey.toBase58();
+    } catch {
+      throw new Error(
+        "Invalid private key. Expected a base58-encoded Solana secret key."
+      );
+    }
+  } else if (chain === "ethereum") {
+    const cleanKey = key.startsWith("0x") ? key.slice(2) : key;
+    if (!/^[0-9a-fA-F]{64}$/.test(cleanKey)) {
+      throw new Error(
+        "Invalid private key. Expected a 64-character hex string for EVM."
+      );
+    }
+    const { deriveKeyForChain: deriveKeyForChain2 } = await import("./chains-R754DQM5.js");
+    const { HDKey } = await import("@scure/bip32");
+    const ecc2 = await import("tiny-secp256k1");
+    const { createHash: createHash3 } = await import("crypto");
+    const privKeyBytes = Buffer.from(cleanKey, "hex");
+    const pubKey = ecc2.pointFromScalar(privKeyBytes);
+    if (!pubKey) throw new Error("Invalid private key.");
+    const uncompressed = ecc2.pointCompress(pubKey, false);
+    const hash = createHash3("sha3-256").update(uncompressed.slice(1)).digest();
+    address = "0x" + hash.slice(-20).toString("hex");
+    key = cleanKey;
+  } else {
+    const cleanKey = key.startsWith("0x") ? key.slice(2) : key;
+    if (!/^[0-9a-fA-F]{64}$/.test(cleanKey)) {
+      throw new Error(
+        "Invalid private key. Expected a 64-character hex string for Bitcoin."
+      );
+    }
+    const bitcoin = await import("bitcoinjs-lib");
+    const ECPairFactory = (await import("ecpair")).default;
+    const ecc2 = await import("tiny-secp256k1");
+    const ECPair = ECPairFactory(ecc2);
+    const keyPair = ECPair.fromPrivateKey(Buffer.from(cleanKey, "hex"));
+    const { address: btcAddress } = bitcoin.payments.p2wpkh({
+      pubkey: Buffer.from(keyPair.publicKey)
+    });
+    if (!btcAddress) throw new Error("Failed to derive Bitcoin address.");
+    address = btcAddress;
+    key = cleanKey;
+  }
+  const vaultRef = addImportedEntry(chain, key);
+  const metadata = {
+    name,
+    type: "imported",
+    vaultRef,
+    account: 0,
+    addresses: { [chain]: address },
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  saveWalletMetadata(metadata);
+  return { name, type: "imported", addresses: { [chain]: address } };
+}
 
 // src/tools/wallet/list/schema.ts
-import { z as z4 } from "zod";
+import { z as z3 } from "zod";
 var walletListSchema = defineToolSchema({
   name: "wallet_list",
   description: "List all local wallets",
-  input: z4.object({}),
-  output: z4.array(walletInfoSchema)
+  input: z3.object({}),
+  output: z3.array(walletInfoSchema)
 });
 
 // src/tools/wallet/list/tool.ts
 var walletList = createTool(walletListSchema, async () => {
-  ensureWalletsDir();
-  const dir = getWalletsDir();
-  const files = readdirSync2(dir).filter(
-    (f) => f.endsWith(".json") && !f.startsWith(".")
-  );
-  return files.map((f) => {
-    const wallet = JSON.parse(readFileSync3(join3(dir, f), "utf-8"));
-    return {
-      name: wallet.name,
-      address: wallet.address,
-      chain: wallet.chain,
-      createdAt: wallet.createdAt
-    };
-  });
+  return loadAllWallets();
 });
 
 // src/tools/wallet/retrieve/schema.ts
-import { z as z5 } from "zod";
+import { z as z4 } from "zod";
 var walletRetrieveSchema = defineToolSchema({
   name: "wallet_retrieve",
   description: "Get details of a specific wallet",
-  input: z5.object({
-    wallet: z5.string().describe("Wallet name or address")
+  input: z4.object({
+    wallet: z4.string().describe("Wallet name or address")
   }),
   output: walletInfoSchema
 });
@@ -1906,31 +2068,22 @@ var walletRetrieveSchema = defineToolSchema({
 var walletRetrieve = createTool(
   walletRetrieveSchema,
   async (params) => {
-    const wallet = loadWallet(params.wallet);
-    return {
-      name: wallet.name,
-      address: wallet.address,
-      chain: wallet.chain,
-      createdAt: wallet.createdAt
-    };
+    return loadWallet(params.wallet);
   }
 );
 
-// src/tools/wallet/delete/tool.ts
-import { unlinkSync as unlinkSync2 } from "fs";
-
 // src/tools/wallet/delete/schema.ts
-import { z as z6 } from "zod";
+import { z as z5 } from "zod";
 var walletDeleteSchema = defineToolSchema({
   name: "wallet_delete",
   description: "Permanently delete a local wallet. This removes the private key file and cannot be undone.",
-  input: z6.object({
-    wallet: z6.string().describe("Name or address of the wallet to delete"),
-    confirm: z6.boolean().describe("Must be true to confirm deletion")
+  input: z5.object({
+    wallet: z5.string().describe("Name or address of the wallet to delete"),
+    confirm: z5.boolean().describe("Must be true to confirm deletion")
   }),
-  output: z6.object({
-    name: z6.string().describe("Name of the deleted wallet"),
-    deleted: z6.literal(true)
+  output: z5.object({
+    name: z5.string().describe("Name of the deleted wallet"),
+    deleted: z5.literal(true)
   })
 });
 
@@ -1941,26 +2094,29 @@ var walletDelete = createTool(walletDeleteSchema, async (params) => {
       "Deletion not confirmed. Pass --confirm to permanently delete this wallet."
     );
   }
-  const wallet = await walletRetrieve.handler({ wallet: params.wallet });
-  unlinkSync2(getWalletPath(wallet.name));
+  const wallet = loadWallet(params.wallet);
+  removeVaultEntry(wallet.vaultRef);
+  deleteWalletFile(wallet.name);
   return { name: wallet.name, deleted: true };
 });
 
 // src/tools/transaction/sign/tool.ts
-import { Keypair as Keypair3, VersionedTransaction } from "@solana/web3.js";
-import bs583 from "bs58";
+import { Keypair as Keypair2, VersionedTransaction } from "@solana/web3.js";
 
 // src/tools/transaction/sign/schema.ts
-import { z as z7 } from "zod";
+import { z as z6 } from "zod";
 var transactionSignSchema = defineToolSchema({
   name: "transaction_sign",
-  description: "Sign a base64-encoded Solana transaction with a local wallet",
-  input: z7.object({
-    wallet: z7.string().describe("Wallet address"),
-    transaction: z7.string().describe("Base64-encoded unsigned transaction")
+  description: "Sign a transaction with a local wallet. Supports Solana (VersionedTransaction), EVM (RLP-encoded), and Bitcoin (PSBT) transactions.",
+  input: z6.object({
+    wallet: z6.string().describe("Wallet name or address"),
+    chain: chainSchema.describe(
+      "Chain: solana, ethereum, base, arbitrum, or bitcoin"
+    ),
+    transaction: z6.string().describe("Base64-encoded unsigned transaction")
   }),
-  output: z7.object({
-    transaction: z7.string().describe("Base64-encoded signed transaction")
+  output: z6.object({
+    transaction: z6.string().describe("Base64-encoded signed transaction")
   })
 });
 
@@ -1968,47 +2124,274 @@ var transactionSignSchema = defineToolSchema({
 var transactionSign = createTool(
   transactionSignSchema,
   async (params) => {
-    const storedWallet = loadWallet(params.wallet);
+    const wallet = loadWallet(params.wallet);
+    const chain = params.chain;
+    const keyChain = KEY_CHAIN_MAP[chain];
+    const { privateKey } = resolveSigningKey(wallet, chain);
     const txBytes = Buffer.from(params.transaction.trim(), "base64");
-    const tx = VersionedTransaction.deserialize(txBytes);
-    const secretKeyBytes = bs583.decode(storedWallet.secretKey);
-    const keypair = Keypair3.fromSecretKey(secretKeyBytes);
-    tx.sign([keypair]);
-    return {
-      transaction: Buffer.from(tx.serialize()).toString("base64")
-    };
+    switch (keyChain) {
+      case "solana":
+        return signSolana(privateKey, txBytes);
+      case "ethereum":
+        return signEvm(privateKey, txBytes);
+      case "bitcoin":
+        return signBitcoin(privateKey, txBytes);
+      case "tron":
+        return signEvm(privateKey, txBytes);
+    }
   }
 );
+function signSolana(privateKey, txBytes) {
+  const tx = VersionedTransaction.deserialize(txBytes);
+  const keypair = Keypair2.fromSecretKey(privateKey);
+  tx.sign([keypair]);
+  return { transaction: Buffer.from(tx.serialize()).toString("base64") };
+}
+async function signEvm(privateKey, txBytes) {
+  const { createHash: createHash3 } = await import("crypto");
+  const ecc2 = await import("tiny-secp256k1");
+  const hash = createHash3("sha3-256").update(txBytes).digest();
+  const sig = ecc2.sign(hash, privateKey);
+  if (!sig) throw new Error("EVM signing failed");
+  const signed = Buffer.concat([txBytes, Buffer.from(sig)]);
+  return { transaction: signed.toString("base64") };
+}
+async function signBitcoin(privateKey, txBytes) {
+  const bitcoin = await import("bitcoinjs-lib");
+  const ECPairFactory = (await import("ecpair")).default;
+  const ecc2 = await import("tiny-secp256k1");
+  const ECPair = ECPairFactory(ecc2);
+  const keyPair = ECPair.fromPrivateKey(Buffer.from(privateKey));
+  const psbt = bitcoin.Psbt.fromBase64(txBytes.toString("base64"));
+  psbt.signAllInputs(keyPair);
+  return { transaction: psbt.toBase64() };
+}
 
 // src/tools/message/sign/tool.ts
-import { Keypair as Keypair4 } from "@solana/web3.js";
-import bs584 from "bs58";
+import { createHash as createHash2 } from "crypto";
+import { Keypair as Keypair3 } from "@solana/web3.js";
+import bs582 from "bs58";
 import nacl from "tweetnacl";
+import * as ecc from "tiny-secp256k1";
 
 // src/tools/message/sign/schema.ts
-import { z as z8 } from "zod";
+import { z as z7 } from "zod";
 var messageSignSchema = defineToolSchema({
   name: "message_sign",
-  description: "Sign a message with a local wallet. Produces a base58-encoded ed25519 signature compatible with Solana's signMessage.",
-  input: z8.object({
-    wallet: z8.string().describe("Wallet address to sign with"),
-    message: z8.string().describe("Message text to sign")
+  description: "Sign a message with a local wallet. Supports Solana (ed25519), EVM (EIP-191 personal sign), and Bitcoin (secp256k1 ECDSA).",
+  input: z7.object({
+    wallet: z7.string().describe("Wallet address or name to sign with"),
+    chain: chainSchema.describe(
+      "Chain: solana, ethereum, base, arbitrum, or bitcoin"
+    ),
+    message: z7.string().describe("Message text to sign")
   }),
-  output: z8.object({
-    signature: z8.string().describe("Base58-encoded ed25519 signature")
+  output: z7.object({
+    signature: z7.string().describe(
+      "Signature: base58 for Solana, hex (0x-prefixed) for EVM/Bitcoin"
+    )
   })
 });
 
 // src/tools/message/sign/tool.ts
 var messageSign = createTool(messageSignSchema, async (params) => {
-  const storedWallet = loadWallet(params.wallet);
-  const secretKeyBytes = bs584.decode(storedWallet.secretKey);
-  const keypair = Keypair4.fromSecretKey(secretKeyBytes);
+  const wallet = loadWallet(params.wallet);
+  const chain = params.chain;
+  const keyChain = KEY_CHAIN_MAP[chain];
+  const { privateKey } = resolveSigningKey(wallet, chain);
   const messageBytes = Buffer.from(params.message, "utf8");
+  switch (keyChain) {
+    case "solana":
+      return signSolana2(privateKey, messageBytes);
+    case "ethereum":
+      return signEvm2(privateKey, messageBytes);
+    case "bitcoin":
+      return signBitcoin2(privateKey, messageBytes);
+    case "tron":
+      return signEvm2(privateKey, messageBytes);
+  }
+});
+function signSolana2(privateKey, messageBytes) {
+  const keypair = Keypair3.fromSecretKey(privateKey);
   const signatureBytes = nacl.sign.detached(messageBytes, keypair.secretKey);
-  return { signature: bs584.encode(signatureBytes) };
+  return { signature: bs582.encode(signatureBytes) };
+}
+function signEvm2(privateKey, messageBytes) {
+  const prefix = Buffer.from(
+    `Ethereum Signed Message:
+${messageBytes.length}`,
+    "utf8"
+  );
+  const prefixed = Buffer.concat([prefix, messageBytes]);
+  const hash = createHash2("sha3-256").update(prefixed).digest();
+  const sig = ecc.sign(hash, privateKey);
+  if (!sig) throw new Error("EVM message signing failed");
+  return { signature: "0x" + Buffer.from(sig).toString("hex") };
+}
+function signBitcoin2(privateKey, messageBytes) {
+  const hash1 = createHash2("sha256").update(messageBytes).digest();
+  const hash2 = createHash2("sha256").update(hash1).digest();
+  const sig = ecc.sign(hash2, privateKey);
+  if (!sig) throw new Error("Bitcoin message signing failed");
+  return { signature: "0x" + Buffer.from(sig).toString("hex") };
+}
+
+// src/tools/wallet/lock/tool.ts
+import { createInterface as createInterface3 } from "readline";
+
+// src/tools/wallet/lock/schema.ts
+import { z as z8 } from "zod";
+var walletLockSchema = defineToolSchema({
+  name: "wallet_lock",
+  description: "Encrypt the vault with a password. All signing operations will fail until `wallet unlock` is called. Password is prompted interactively.",
+  input: z8.object({}),
+  output: z8.object({
+    locked: z8.literal(true)
+  })
 });
 
+// src/tools/wallet/lock/tool.ts
+async function promptPassword(prompt) {
+  const rl = createInterface3({ input: process.stdin, output: process.stderr });
+  return new Promise((resolve) => {
+    rl.question(prompt, (answer) => {
+      rl.close();
+      resolve(answer);
+    });
+  });
+}
+var walletLock = createTool(walletLockSchema, async () => {
+  if (isVaultLocked()) {
+    throw new Error("Vault is already locked.");
+  }
+  const password = await promptPassword("Enter password to encrypt vault: ");
+  if (!password) {
+    throw new Error("Password cannot be empty.");
+  }
+  const confirm = await promptPassword("Confirm password: ");
+  if (password !== confirm) {
+    throw new Error("Passwords do not match.");
+  }
+  lockVault(password);
+  return { locked: true };
+});
+
+// src/tools/wallet/unlock/tool.ts
+import { createInterface as createInterface4 } from "readline";
+
+// src/tools/wallet/unlock/schema.ts
+import { z as z9 } from "zod";
+var walletUnlockSchema = defineToolSchema({
+  name: "wallet_unlock",
+  description: "Decrypt the vault with a password. Restores access to all signing operations. Password is prompted interactively.",
+  input: z9.object({}),
+  output: z9.object({
+    unlocked: z9.literal(true)
+  })
+});
+
+// src/tools/wallet/unlock/tool.ts
+async function promptPassword2(prompt) {
+  const rl = createInterface4({ input: process.stdin, output: process.stderr });
+  return new Promise((resolve) => {
+    rl.question(prompt, (answer) => {
+      rl.close();
+      resolve(answer);
+    });
+  });
+}
+var walletUnlock = createTool(walletUnlockSchema, async () => {
+  if (!isVaultLocked()) {
+    throw new Error("Vault is not locked.");
+  }
+  const password = await promptPassword2("Enter password to decrypt vault: ");
+  unlockVault(password);
+  return { unlocked: true };
+});
+
+// src/tools/bitcoin/balance/tool.ts
+import https from "https";
+
+// src/tools/bitcoin/balance/schema.ts
+import { z as z10 } from "zod";
+var bitcoinBalanceRetrieveSchema = defineToolSchema({
+  name: "bitcoin_balance_retrieve",
+  description: "Get the BTC balance of a Bitcoin address. Returns confirmed and unconfirmed balances in BTC and satoshis.",
+  input: z10.object({
+    wallet: z10.string().describe("Bitcoin address (bc1...) or wallet name")
+  }),
+  output: z10.object({
+    address: z10.string().describe("Bitcoin address"),
+    confirmed: z10.object({
+      btc: z10.string().describe("Confirmed balance in BTC"),
+      sats: z10.number().describe("Confirmed balance in satoshis")
+    }),
+    unconfirmed: z10.object({
+      btc: z10.string().describe("Unconfirmed (pending) balance in BTC"),
+      sats: z10.number().describe("Unconfirmed (pending) balance in satoshis")
+    }),
+    total: z10.object({
+      btc: z10.string().describe("Total balance in BTC"),
+      sats: z10.number().describe("Total balance in satoshis")
+    })
+  })
+});
+
+// src/tools/bitcoin/balance/tool.ts
+var SATS_PER_BTC = 1e8;
+function satsToBtc(sats) {
+  return (sats / SATS_PER_BTC).toFixed(8);
+}
+function fetchJson(url) {
+  return new Promise((resolve, reject) => {
+    https.get(url, { headers: { "User-Agent": "moonpay-cli" } }, (res) => {
+      if (res.statusCode !== 200) {
+        reject(new Error(`HTTP ${res.statusCode} from ${url}`));
+        res.resume();
+        return;
+      }
+      let data = "";
+      res.on("data", (chunk) => data += chunk);
+      res.on("end", () => {
+        try {
+          resolve(JSON.parse(data));
+        } catch {
+          reject(new Error("Invalid JSON response"));
+        }
+      });
+    }).on("error", reject);
+  });
+}
+var bitcoinBalanceRetrieve = createTool(
+  bitcoinBalanceRetrieveSchema,
+  async (params) => {
+    let address = params.wallet;
+    if (!address.startsWith("bc1") && !address.startsWith("1") && !address.startsWith("3")) {
+      const { loadWallet: loadWallet2 } = await import("./server-IUOCZFT7.js");
+      const wallet = loadWallet2(address);
+      const btcAddress = wallet.addresses.bitcoin;
+      if (!btcAddress) {
+        throw new Error(
+          `Wallet "${address}" has no Bitcoin address. It may be an imported single-chain wallet.`
+        );
+      }
+      address = btcAddress;
+    }
+    const data = await fetchJson(
+      `https://mempool.space/api/address/${address}`
+    );
+    const confirmedSats = data.chain_stats.funded_txo_sum - data.chain_stats.spent_txo_sum;
+    const unconfirmedSats = data.mempool_stats.funded_txo_sum - data.mempool_stats.spent_txo_sum;
+    const totalSats = confirmedSats + unconfirmedSats;
+    return {
+      address,
+      confirmed: { btc: satsToBtc(confirmedSats), sats: confirmedSats },
+      unconfirmed: { btc: satsToBtc(unconfirmedSats), sats: unconfirmedSats },
+      total: { btc: satsToBtc(totalSats), sats: totalSats }
+    };
+  }
+);
+
 export {
   getConfigOrDefault,
   clearCredentials,
@@ -2018,13 +2401,16 @@ export {
   schemas_default,
   defineToolSchema,
   createTool,
-  loadWallet,
+  resolveSigningKey,
   walletCreate,
   walletImport,
   walletList,
   walletRetrieve,
   walletDelete,
   transactionSign,
-  messageSign
+  messageSign,
+  walletLock,
+  walletUnlock,
+  bitcoinBalanceRetrieve
 };
-//# sourceMappingURL=chunk-ZJ3XMP4N.js.map
+//# sourceMappingURL=chunk-HKQ2DNOD.js.map