@quantulabs/8004-mcp 0.1.0

package/dist/core/wallet/wallet-manager.js

@@ -0,0 +1,783 @@
+// Multi-wallet manager with AES-256-GCM encryption and Argon2id key derivation
+// Supports Solana (Ed25519) and EVM (secp256k1) wallets
+import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';
+import { Keypair } from '@solana/web3.js';
+import { generatePrivateKey, privateKeyToAccount } from 'viem/accounts';
+import * as argon2 from 'argon2';
+import { promises as fs } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+// Crypto constants
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+const NONCE_LENGTH = 12; // 96 bits for GCM
+const SALT_LENGTH = 32; // 256 bits
+// Argon2id parameters (OWASP recommended for password hashing)
+const ARGON2_OPTIONS = {
+    type: argon2.argon2id,
+    memoryCost: 65536, // 64 MB
+    timeCost: 3, // 3 iterations
+    parallelism: 4, // 4 parallel threads
+    hashLength: KEY_LENGTH,
+};
+// Auto-lock configuration
+const DEFAULT_AUTO_LOCK_MS = 15 * 60 * 1000; // 15 minutes default
+const MIN_AUTO_LOCK_MS = 60 * 1000; // 1 minute minimum
+const MAX_AUTO_LOCK_MS = 24 * 60 * 60 * 1000; // 24 hours maximum
+export class WalletManager {
+    walletDir;
+    walletsPath;
+    unlockedWallets = new Map();
+    walletSessions = new Map();
+    autoLockMs = DEFAULT_AUTO_LOCK_MS;
+    constructor(walletDir) {
+        this.walletDir = walletDir ?? join(homedir(), '.8004-mcp');
+        this.walletsPath = join(this.walletDir, 'wallets');
+    }
+    // Configure auto-lock timeout (in milliseconds)
+    setAutoLockTimeout(ms) {
+        this.autoLockMs = Math.max(MIN_AUTO_LOCK_MS, Math.min(MAX_AUTO_LOCK_MS, ms));
+    }
+    // Get current auto-lock timeout
+    getAutoLockTimeout() {
+        return this.autoLockMs;
+    }
+    // Start or refresh auto-lock timer for a wallet
+    refreshAutoLock(name) {
+        const session = this.walletSessions.get(name);
+        if (session) {
+            // Clear existing timer
+            clearTimeout(session.timer);
+            // Set new timer
+            session.timer = setTimeout(() => this.autoLockWallet(name), this.autoLockMs);
+            session.lastActivity = Date.now();
+        }
+    }
+    // Auto-lock a wallet (called by timer)
+    autoLockWallet(name) {
+        const session = this.walletSessions.get(name);
+        if (session) {
+            // Securely clear the wallet from memory
+            this.secureWipe(session.wallet);
+            this.walletSessions.delete(name);
+            this.unlockedWallets.delete(name);
+        }
+    }
+    // Securely wipe sensitive data from memory
+    secureWipe(wallet) {
+        // Overwrite Solana keypair secret key with zeros
+        if (wallet.solanaKeypair) {
+            const secretKey = wallet.solanaKeypair.secretKey;
+            for (let i = 0; i < secretKey.length; i++) {
+                secretKey[i] = 0;
+            }
+        }
+        // Overwrite EVM private key string (limited in JS, but try)
+        if (wallet.evmPrivateKey) {
+            // TypeScript won't let us mutate, but we can delete the reference
+            wallet.evmPrivateKey = undefined;
+        }
+        if (wallet.evmAccount) {
+            wallet.evmAccount = undefined;
+        }
+    }
+    // Touch a wallet to refresh its auto-lock timer (call on every operation)
+    touchWallet(name) {
+        if (this.walletSessions.has(name)) {
+            this.refreshAutoLock(name);
+            return true;
+        }
+        return false;
+    }
+    // Derive encryption key from password using Argon2id
+    async deriveKey(password, salt) {
+        const hash = await argon2.hash(password, {
+            ...ARGON2_OPTIONS,
+            salt,
+            raw: true,
+        });
+        return Buffer.from(hash);
+    }
+    // Encrypt private key with AES-256-GCM
+    encrypt(secretKey, key, nonce) {
+        const cipher = createCipheriv(ALGORITHM, key, nonce);
+        const ciphertext = Buffer.concat([
+            cipher.update(Buffer.from(secretKey)),
+            cipher.final(),
+        ]);
+        const authTag = cipher.getAuthTag();
+        return { ciphertext, authTag };
+    }
+    // Decrypt private key with AES-256-GCM
+    decrypt(ciphertext, key, nonce, authTag) {
+        const decipher = createDecipheriv(ALGORITHM, key, nonce);
+        decipher.setAuthTag(authTag);
+        return Buffer.concat([
+            decipher.update(ciphertext),
+            decipher.final(),
+        ]);
+    }
+    // Ensure wallets directory exists
+    async ensureDir() {
+        try {
+            await fs.mkdir(this.walletsPath, { recursive: true, mode: 0o700 });
+        }
+        catch (err) {
+            if (err.code !== 'EEXIST')
+                throw err;
+        }
+    }
+    // Get wallet file path from name
+    getWalletPath(name) {
+        // Sanitize name for filesystem
+        const safeName = name.toLowerCase().replace(/[^a-z0-9-_]/g, '-');
+        return join(this.walletsPath, `${safeName}.enc`);
+    }
+    // Check if wallet exists by name
+    async exists(name) {
+        try {
+            await fs.access(this.getWalletPath(name));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    // Read wallet file (without decrypting)
+    async readWalletFile(name) {
+        try {
+            const content = await fs.readFile(this.getWalletPath(name), 'utf-8');
+            return JSON.parse(content);
+        }
+        catch {
+            return null;
+        }
+    }
+    // List all wallets
+    async list() {
+        await this.ensureDir();
+        try {
+            const files = await fs.readdir(this.walletsPath);
+            const wallets = [];
+            for (const file of files) {
+                if (!file.endsWith('.enc'))
+                    continue;
+                const filePath = join(this.walletsPath, file);
+                try {
+                    const content = await fs.readFile(filePath, 'utf-8');
+                    const wallet = JSON.parse(content);
+                    wallets.push({
+                        name: wallet.name,
+                        chainType: wallet.chainType,
+                        address: wallet.address,
+                        publicKey: wallet.publicKey,
+                        createdAt: wallet.createdAt,
+                        isUnlocked: this.unlockedWallets.has(wallet.name),
+                    });
+                }
+                catch {
+                    // Skip invalid files
+                }
+            }
+            // Sort by name
+            wallets.sort((a, b) => a.name.localeCompare(b.name));
+            return {
+                wallets,
+                unlockedCount: this.unlockedWallets.size,
+            };
+        }
+        catch {
+            return { wallets: [], unlockedCount: 0 };
+        }
+    }
+    // Get wallet info by name
+    async getInfo(name) {
+        const walletFile = await this.readWalletFile(name);
+        if (!walletFile)
+            return null;
+        return {
+            name: walletFile.name,
+            chainType: walletFile.chainType,
+            address: walletFile.address,
+            publicKey: walletFile.publicKey,
+            createdAt: walletFile.createdAt,
+            isUnlocked: this.unlockedWallets.has(walletFile.name),
+        };
+    }
+    // Create new wallet
+    async create(name, chainType, password) {
+        // Check if wallet already exists
+        if (await this.exists(name)) {
+            throw new Error(`Wallet "${name}" already exists. Use a different name or delete the existing wallet.`);
+        }
+        // Validate password strength
+        if (password.length < 8) {
+            throw new Error('Password must be at least 8 characters long.');
+        }
+        // Validate name
+        if (!name || name.length < 1 || name.length > 50) {
+            throw new Error('Wallet name must be between 1 and 50 characters.');
+        }
+        // Generate keys based on chain type
+        let secretKey;
+        let publicKey;
+        let address;
+        if (chainType === 'solana') {
+            const keypair = Keypair.generate();
+            secretKey = keypair.secretKey;
+            publicKey = keypair.publicKey.toBase58();
+            address = publicKey; // Solana address is the public key
+        }
+        else if (chainType === 'evm') {
+            const privateKey = generatePrivateKey();
+            const account = privateKeyToAccount(privateKey);
+            // Convert hex private key to bytes (remove 0x prefix)
+            secretKey = Buffer.from(privateKey.slice(2), 'hex');
+            publicKey = account.address; // For EVM, we store the address as public key
+            address = account.address;
+        }
+        else {
+            throw new Error(`Unsupported chain type: ${chainType}`);
+        }
+        // Generate cryptographic random values
+        const salt = randomBytes(SALT_LENGTH);
+        const nonce = randomBytes(NONCE_LENGTH);
+        // Derive encryption key from password
+        const key = await this.deriveKey(password, salt);
+        // Encrypt the secret key
+        const { ciphertext, authTag } = this.encrypt(secretKey, key, nonce);
+        // Create wallet file
+        const walletFile = {
+            version: 2,
+            chainType,
+            algorithm: 'aes-256-gcm',
+            kdf: 'argon2id',
+            kdfParams: {
+                memoryCost: ARGON2_OPTIONS.memoryCost,
+                timeCost: ARGON2_OPTIONS.timeCost,
+                parallelism: ARGON2_OPTIONS.parallelism,
+            },
+            salt: salt.toString('base64'),
+            nonce: nonce.toString('base64'),
+            authTag: authTag.toString('base64'),
+            ciphertext: ciphertext.toString('base64'),
+            publicKey,
+            address,
+            name,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+        };
+        // Ensure directory exists and write file
+        await this.ensureDir();
+        const filePath = this.getWalletPath(name);
+        await fs.writeFile(filePath, JSON.stringify(walletFile, null, 2), {
+            encoding: 'utf-8',
+            mode: 0o600, // Read/write for owner only
+        });
+        // Auto-unlock after creation with auto-lock timer
+        if (chainType === 'solana') {
+            const keypair = Keypair.fromSecretKey(secretKey);
+            this.unlockedWallets.set(name, {
+                name,
+                chainType,
+                address,
+                publicKey,
+                solanaKeypair: keypair,
+            });
+        }
+        else {
+            const privateKeyHex = `0x${Buffer.from(secretKey).toString('hex')}`;
+            const account = privateKeyToAccount(privateKeyHex);
+            this.unlockedWallets.set(name, {
+                name,
+                chainType,
+                address,
+                publicKey,
+                evmAccount: account,
+                evmPrivateKey: privateKeyHex,
+            });
+        }
+        // Create session with auto-lock timer
+        const wallet = this.unlockedWallets.get(name);
+        const timer = setTimeout(() => this.autoLockWallet(name), this.autoLockMs);
+        this.walletSessions.set(name, {
+            wallet,
+            timer,
+            lastActivity: Date.now(),
+        });
+        return {
+            name,
+            chainType,
+            address,
+            publicKey,
+            filePath,
+            message: `Wallet "${name}" created and unlocked. Fund this address: ${address}`,
+        };
+    }
+    // Import existing private key
+    async import(name, chainType, privateKey, password) {
+        // Check if wallet already exists
+        if (await this.exists(name)) {
+            throw new Error(`Wallet "${name}" already exists. Use a different name.`);
+        }
+        // Validate password strength
+        if (password.length < 8) {
+            throw new Error('Password must be at least 8 characters long.');
+        }
+        // Parse private key based on chain type
+        let secretKey;
+        let publicKey;
+        let address;
+        if (chainType === 'solana') {
+            const keypair = this.parseSolanaPrivateKey(privateKey);
+            secretKey = keypair.secretKey;
+            publicKey = keypair.publicKey.toBase58();
+            address = publicKey;
+        }
+        else if (chainType === 'evm') {
+            const { account, privateKeyBytes } = this.parseEvmPrivateKey(privateKey);
+            secretKey = privateKeyBytes;
+            publicKey = account.address;
+            address = account.address;
+        }
+        else {
+            throw new Error(`Unsupported chain type: ${chainType}`);
+        }
+        // Generate cryptographic random values
+        const salt = randomBytes(SALT_LENGTH);
+        const nonce = randomBytes(NONCE_LENGTH);
+        // Derive encryption key from password
+        const key = await this.deriveKey(password, salt);
+        // Encrypt the secret key
+        const { ciphertext, authTag } = this.encrypt(secretKey, key, nonce);
+        // Create wallet file
+        const walletFile = {
+            version: 2,
+            chainType,
+            algorithm: 'aes-256-gcm',
+            kdf: 'argon2id',
+            kdfParams: {
+                memoryCost: ARGON2_OPTIONS.memoryCost,
+                timeCost: ARGON2_OPTIONS.timeCost,
+                parallelism: ARGON2_OPTIONS.parallelism,
+            },
+            salt: salt.toString('base64'),
+            nonce: nonce.toString('base64'),
+            authTag: authTag.toString('base64'),
+            ciphertext: ciphertext.toString('base64'),
+            publicKey,
+            address,
+            name,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+        };
+        // Ensure directory exists and write file
+        await this.ensureDir();
+        const filePath = this.getWalletPath(name);
+        await fs.writeFile(filePath, JSON.stringify(walletFile, null, 2), {
+            encoding: 'utf-8',
+            mode: 0o600,
+        });
+        // Auto-unlock after import with auto-lock timer
+        if (chainType === 'solana') {
+            const keypair = Keypair.fromSecretKey(secretKey);
+            this.unlockedWallets.set(name, {
+                name,
+                chainType,
+                address,
+                publicKey,
+                solanaKeypair: keypair,
+            });
+        }
+        else {
+            const privateKeyHex = `0x${Buffer.from(secretKey).toString('hex')}`;
+            const account = privateKeyToAccount(privateKeyHex);
+            this.unlockedWallets.set(name, {
+                name,
+                chainType,
+                address,
+                publicKey,
+                evmAccount: account,
+                evmPrivateKey: privateKeyHex,
+            });
+        }
+        // Create session with auto-lock timer
+        const importedWallet = this.unlockedWallets.get(name);
+        const importTimer = setTimeout(() => this.autoLockWallet(name), this.autoLockMs);
+        this.walletSessions.set(name, {
+            wallet: importedWallet,
+            timer: importTimer,
+            lastActivity: Date.now(),
+        });
+        return {
+            name,
+            chainType,
+            address,
+            publicKey,
+            filePath,
+            message: `Wallet "${name}" imported and unlocked. Address: ${address}`,
+        };
+    }
+    // Parse Solana private key from various formats
+    parseSolanaPrivateKey(privateKey) {
+        try {
+            const trimmed = privateKey.trim();
+            // JSON array format [1,2,3,...]
+            if (trimmed.startsWith('[')) {
+                const arr = JSON.parse(trimmed);
+                return Keypair.fromSecretKey(Uint8Array.from(arr));
+            }
+            // Hex format
+            if (trimmed.startsWith('0x') || (trimmed.length === 128 && /^[0-9a-fA-F]+$/.test(trimmed))) {
+                const hex = trimmed.startsWith('0x') ? trimmed.slice(2) : trimmed;
+                return Keypair.fromSecretKey(Uint8Array.from(Buffer.from(hex, 'hex')));
+            }
+            // Base64 format
+            const decoded = Buffer.from(trimmed, 'base64');
+            if (decoded.length === 64) {
+                return Keypair.fromSecretKey(Uint8Array.from(decoded));
+            }
+            throw new Error('Invalid private key format');
+        }
+        catch (err) {
+            throw new Error(`Failed to parse Solana private key: ${err instanceof Error ? err.message : 'Invalid format'}`);
+        }
+    }
+    // Parse EVM private key from various formats
+    parseEvmPrivateKey(privateKey) {
+        try {
+            const trimmed = privateKey.trim();
+            let privateKeyHex;
+            // 0x prefixed hex
+            if (trimmed.startsWith('0x')) {
+                privateKeyHex = trimmed;
+            }
+            // Unprefixed hex (64 chars = 32 bytes)
+            else if (trimmed.length === 64 && /^[0-9a-fA-F]+$/.test(trimmed)) {
+                privateKeyHex = `0x${trimmed}`;
+            }
+            // Base64
+            else {
+                const decoded = Buffer.from(trimmed, 'base64');
+                if (decoded.length === 32) {
+                    privateKeyHex = `0x${decoded.toString('hex')}`;
+                }
+                else {
+                    throw new Error('Invalid private key length');
+                }
+            }
+            const account = privateKeyToAccount(privateKeyHex);
+            const privateKeyBytes = Buffer.from(privateKeyHex.slice(2), 'hex');
+            return { account, privateKeyBytes };
+        }
+        catch (err) {
+            throw new Error(`Failed to parse EVM private key: ${err instanceof Error ? err.message : 'Invalid format'}`);
+        }
+    }
+    // Unlock wallet with password
+    async unlock(name, password) {
+        // Check if wallet exists
+        if (!(await this.exists(name))) {
+            throw new Error(`Wallet "${name}" not found. Use wallet_list to see available wallets.`);
+        }
+        // Already unlocked? Refresh timer and return
+        if (this.unlockedWallets.has(name)) {
+            const wallet = this.unlockedWallets.get(name);
+            this.refreshAutoLock(name);
+            const timeoutMinutes = Math.round(this.autoLockMs / 60000);
+            return {
+                name: wallet.name,
+                chainType: wallet.chainType,
+                address: wallet.address,
+                message: `Wallet "${name}" is already unlocked. Timer refreshed (${timeoutMinutes} min).`,
+            };
+        }
+        // Read wallet file
+        const walletFile = await this.readWalletFile(name);
+        if (!walletFile) {
+            throw new Error('Failed to read wallet file.');
+        }
+        // Validate version and algorithm
+        if (walletFile.version !== 2 || walletFile.algorithm !== 'aes-256-gcm') {
+            throw new Error('Unsupported wallet format.');
+        }
+        // Decode values
+        const salt = Buffer.from(walletFile.salt, 'base64');
+        const nonce = Buffer.from(walletFile.nonce, 'base64');
+        const authTag = Buffer.from(walletFile.authTag, 'base64');
+        const ciphertext = Buffer.from(walletFile.ciphertext, 'base64');
+        // Derive key from password
+        const key = await this.deriveKey(password, salt);
+        // Decrypt
+        let secretKey;
+        try {
+            secretKey = this.decrypt(ciphertext, key, nonce, authTag);
+        }
+        catch {
+            throw new Error('Incorrect password.');
+        }
+        // Reconstruct keys based on chain type
+        if (walletFile.chainType === 'solana') {
+            const keypair = Keypair.fromSecretKey(Uint8Array.from(secretKey));
+            // Verify public key matches
+            if (keypair.publicKey.toBase58() !== walletFile.publicKey) {
+                throw new Error('Wallet integrity check failed.');
+            }
+            this.unlockedWallets.set(name, {
+                name: walletFile.name,
+                chainType: walletFile.chainType,
+                address: walletFile.address,
+                publicKey: walletFile.publicKey,
+                solanaKeypair: keypair,
+            });
+        }
+        else if (walletFile.chainType === 'evm') {
+            const privateKeyHex = `0x${secretKey.toString('hex')}`;
+            const account = privateKeyToAccount(privateKeyHex);
+            // Verify address matches
+            if (account.address.toLowerCase() !== walletFile.address.toLowerCase()) {
+                throw new Error('Wallet integrity check failed.');
+            }
+            this.unlockedWallets.set(name, {
+                name: walletFile.name,
+                chainType: walletFile.chainType,
+                address: walletFile.address,
+                publicKey: walletFile.publicKey,
+                evmAccount: account,
+                evmPrivateKey: privateKeyHex,
+            });
+        }
+        // Clear sensitive data from decryption
+        secretKey.fill(0);
+        // Create session with auto-lock timer
+        const wallet = this.unlockedWallets.get(name);
+        const timer = setTimeout(() => this.autoLockWallet(name), this.autoLockMs);
+        this.walletSessions.set(name, {
+            wallet,
+            timer,
+            lastActivity: Date.now(),
+        });
+        const timeoutMinutes = Math.round(this.autoLockMs / 60000);
+        return {
+            name: walletFile.name,
+            chainType: walletFile.chainType,
+            address: walletFile.address,
+            message: `Wallet "${name}" unlocked successfully. Auto-locks after ${timeoutMinutes} min of inactivity.`,
+        };
+    }
+    // Lock a specific wallet (securely wipes memory)
+    lock(name) {
+        const session = this.walletSessions.get(name);
+        if (session) {
+            clearTimeout(session.timer);
+            this.secureWipe(session.wallet);
+            this.walletSessions.delete(name);
+        }
+        if (this.unlockedWallets.has(name)) {
+            this.unlockedWallets.delete(name);
+            return true;
+        }
+        return false;
+    }
+    // Lock all wallets (securely wipes all memory)
+    lockAll() {
+        // Clear all timers and wipe memory
+        for (const [, session] of this.walletSessions.entries()) {
+            clearTimeout(session.timer);
+            this.secureWipe(session.wallet);
+        }
+        this.walletSessions.clear();
+        const count = this.unlockedWallets.size;
+        this.unlockedWallets.clear();
+        return count;
+    }
+    // Check if wallet is unlocked
+    isUnlocked(name) {
+        return this.unlockedWallets.has(name);
+    }
+    // Get session info for all unlocked wallets
+    getSessionInfo() {
+        const sessions = [];
+        for (const [name, session] of this.walletSessions.entries()) {
+            sessions.push({
+                name,
+                lastActivity: session.lastActivity,
+                chainType: session.wallet.chainType,
+            });
+        }
+        return sessions;
+    }
+    // Get unlocked wallet (throws if locked) - refreshes auto-lock timer
+    getUnlockedWallet(name) {
+        const wallet = this.unlockedWallets.get(name);
+        if (!wallet) {
+            throw new Error(`Wallet "${name}" is locked. Use wallet_unlock to unlock it first.`);
+        }
+        // Refresh auto-lock timer on access
+        this.refreshAutoLock(name);
+        return wallet;
+    }
+    // Get Solana keypair for unlocked wallet (throws if not Solana or locked)
+    getSolanaKeypair(name) {
+        const wallet = this.getUnlockedWallet(name);
+        if (wallet.chainType !== 'solana' || !wallet.solanaKeypair) {
+            throw new Error(`Wallet "${name}" is not a Solana wallet.`);
+        }
+        return wallet.solanaKeypair;
+    }
+    // Get EVM account for unlocked wallet (throws if not EVM or locked)
+    getEvmAccount(name) {
+        const wallet = this.getUnlockedWallet(name);
+        if (wallet.chainType !== 'evm' || !wallet.evmAccount) {
+            throw new Error(`Wallet "${name}" is not an EVM wallet.`);
+        }
+        return wallet.evmAccount;
+    }
+    // Get any unlocked Solana keypair (for backward compatibility)
+    getAnyUnlockedSolanaKeypair() {
+        for (const wallet of this.unlockedWallets.values()) {
+            if (wallet.chainType === 'solana' && wallet.solanaKeypair) {
+                return wallet.solanaKeypair;
+            }
+        }
+        return null;
+    }
+    // Get any unlocked EVM account
+    getAnyUnlockedEvmAccount() {
+        for (const wallet of this.unlockedWallets.values()) {
+            if (wallet.chainType === 'evm' && wallet.evmAccount) {
+                return wallet.evmAccount;
+            }
+        }
+        return null;
+    }
+    // Get any unlocked EVM private key (for SDK initialization)
+    getAnyUnlockedEvmPrivateKey() {
+        for (const wallet of this.unlockedWallets.values()) {
+            if (wallet.chainType === 'evm' && wallet.evmPrivateKey) {
+                return wallet.evmPrivateKey;
+            }
+        }
+        return null;
+    }
+    // Export wallet as encrypted backup
+    async export(name, currentPassword, exportPassword) {
+        // First unlock to verify password
+        if (!this.isUnlocked(name)) {
+            await this.unlock(name, currentPassword);
+        }
+        // Read current file and return it (optionally re-encrypt with new password)
+        const walletFile = await this.readWalletFile(name);
+        if (!walletFile) {
+            throw new Error('Failed to read wallet file.');
+        }
+        // If export password is the same or not provided, return current file
+        if (!exportPassword || exportPassword === currentPassword) {
+            return JSON.stringify(walletFile, null, 2);
+        }
+        // Re-encrypt with new password
+        const wallet = this.getUnlockedWallet(name);
+        let secretKey;
+        if (wallet.chainType === 'solana' && wallet.solanaKeypair) {
+            secretKey = wallet.solanaKeypair.secretKey;
+        }
+        else if (wallet.chainType === 'evm' && wallet.evmAccount) {
+            // Need to extract private key from account - not directly accessible
+            // We'll need to re-derive from the current encrypted state
+            const salt = Buffer.from(walletFile.salt, 'base64');
+            const nonce = Buffer.from(walletFile.nonce, 'base64');
+            const authTag = Buffer.from(walletFile.authTag, 'base64');
+            const ciphertext = Buffer.from(walletFile.ciphertext, 'base64');
+            const key = await this.deriveKey(currentPassword, salt);
+            secretKey = this.decrypt(ciphertext, key, nonce, authTag);
+        }
+        else {
+            throw new Error('Cannot export wallet.');
+        }
+        // Generate new salt/nonce for export
+        const salt = randomBytes(SALT_LENGTH);
+        const nonce = randomBytes(NONCE_LENGTH);
+        const key = await this.deriveKey(exportPassword, salt);
+        const { ciphertext, authTag } = this.encrypt(secretKey, key, nonce);
+        const exportData = {
+            ...walletFile,
+            salt: salt.toString('base64'),
+            nonce: nonce.toString('base64'),
+            authTag: authTag.toString('base64'),
+            ciphertext: ciphertext.toString('base64'),
+            updatedAt: new Date().toISOString(),
+        };
+        return JSON.stringify(exportData, null, 2);
+    }
+    // Delete wallet (requires password confirmation)
+    async delete(name, password) {
+        // Verify password first
+        await this.unlock(name, password);
+        this.lock(name);
+        // Delete file
+        await fs.unlink(this.getWalletPath(name));
+    }
+    // Change password
+    async changePassword(name, currentPassword, newPassword) {
+        // Validate new password
+        if (newPassword.length < 8) {
+            throw new Error('New password must be at least 8 characters long.');
+        }
+        // Unlock with current password
+        if (!this.isUnlocked(name)) {
+            await this.unlock(name, currentPassword);
+        }
+        const wallet = this.getUnlockedWallet(name);
+        const walletFile = await this.readWalletFile(name);
+        if (!walletFile) {
+            throw new Error('Failed to read wallet file.');
+        }
+        // Get secret key
+        let secretKey;
+        if (wallet.chainType === 'solana' && wallet.solanaKeypair) {
+            secretKey = wallet.solanaKeypair.secretKey;
+        }
+        else if (wallet.chainType === 'evm') {
+            const salt = Buffer.from(walletFile.salt, 'base64');
+            const nonce = Buffer.from(walletFile.nonce, 'base64');
+            const authTag = Buffer.from(walletFile.authTag, 'base64');
+            const ciphertext = Buffer.from(walletFile.ciphertext, 'base64');
+            const key = await this.deriveKey(currentPassword, salt);
+            secretKey = this.decrypt(ciphertext, key, nonce, authTag);
+        }
+        else {
+            throw new Error('Cannot change password for this wallet.');
+        }
+        // Generate new salt/nonce
+        const salt = randomBytes(SALT_LENGTH);
+        const nonce = randomBytes(NONCE_LENGTH);
+        const key = await this.deriveKey(newPassword, salt);
+        const { ciphertext, authTag } = this.encrypt(secretKey, key, nonce);
+        // Update wallet file
+        const updatedFile = {
+            ...walletFile,
+            salt: salt.toString('base64'),
+            nonce: nonce.toString('base64'),
+            authTag: authTag.toString('base64'),
+            ciphertext: ciphertext.toString('base64'),
+            updatedAt: new Date().toISOString(),
+        };
+        // Write file
+        await fs.writeFile(this.getWalletPath(name), JSON.stringify(updatedFile, null, 2), {
+            encoding: 'utf-8',
+            mode: 0o600,
+        });
+    }
+}
+// Singleton instance
+let walletManagerInstance = null;
+export function getWalletManager() {
+    if (!walletManagerInstance) {
+        walletManagerInstance = new WalletManager();
+    }
+    return walletManagerInstance;
+}
+export function setWalletManager(manager) {
+    walletManagerInstance = manager;
+}
+//# sourceMappingURL=wallet-manager.js.map