@vainplex/shieldapi-cli 1.2.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/README.md +31 -7
  2. package/package.json +1 -1
  3. package/src/index.js +1 -1
  4. package/src/lib/api.js +5 -4
  5. package/src/lib/wallet.js +17 -10
package/README.md CHANGED
@@ -109,18 +109,42 @@ if [ $? -eq 1 ]; then
109
109
  fi
110
110
  ```
111
111
 
112
- ## Security
112
+ ## Security & Privacy
113
113
 
114
- - **Passwords are hashed locally** with SHA-1 before any network request. Plaintext never leaves your machine.
115
- - **Private keys are never persisted** to disk, logs, or displayed in output.
116
- - **No telemetry** — zero phone-home, zero analytics.
117
- - **Shell history warning** the CLI warns when passwords are passed as arguments (use `--stdin` for sensitive passwords).
114
+ ### Your password never leaves your machine in plaintext
115
+
116
+ 1. Your password is **SHA-1 hashed locally** on your machine plaintext never touches the network.
117
+ 2. The SHA-1 hash is sent over **HTTPS** to the ShieldAPI server.
118
+ 3. The server uses the [HIBP k-Anonymity protocol](https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange) — only the **first 5 characters** of the hash go to the upstream breach database. The full hash never leaves ShieldAPI.
119
+
120
+ **Want true end-to-end k-Anonymity?** Use the `check-password-range` endpoint directly via the API — it only accepts a 5-character prefix and returns all matching suffixes, so you can check locally.
121
+
122
+ ### Avoiding shell history exposure
123
+
124
+ Passing a password as a CLI argument stores it in your shell history (`~/.bash_history`). Use these safer alternatives:
118
125
 
119
126
  ```bash
120
- # Secure password checking (avoids shell history)
121
- echo "mysecretpassword" | shieldapi password dummy --stdin
127
+ # Option 1: Read from stdin (recommended)
128
+ read -sp "Password: " PW && echo -n "$PW" | shieldapi password dummy --stdin --demo
129
+
130
+ # Option 2: Pipe directly
131
+ echo -n "mypassword" | shieldapi password dummy --stdin --demo
132
+
133
+ # Option 3: Hash first, then check the hash
134
+ shieldapi hash "mypassword" # → shows SHA-1 locally
135
+ shieldapi password "7C6A18..." --hash --demo # check by hash, not password
136
+
137
+ # Option 4: Clear history after
138
+ shieldapi password "test" --demo && history -d $(history 1 | awk '{print $1}')
122
139
  ```
123
140
 
141
+ ### Other security guarantees
142
+
143
+ - **Private keys are never persisted** to disk, logs, or displayed in output.
144
+ - **No telemetry** — zero phone-home, zero analytics.
145
+ - **HTTPS only** — all API communication is encrypted.
146
+ - **Shell history warning** — the CLI warns when passwords are passed as arguments.
147
+
124
148
  ## How x402 Works
125
149
 
126
150
  [x402](https://x402.org) is an open protocol for HTTP payments. Instead of API keys:
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vainplex/shieldapi-cli",
3
- "version": "1.2.0",
3
+ "version": "1.2.2",
4
4
  "description": "Security intelligence from your terminal. Pay-per-request with USDC.",
5
5
  "type": "module",
6
6
  "bin": {
package/src/index.js CHANGED
@@ -14,7 +14,7 @@ export function run(argv) {
14
14
  program
15
15
  .name('shieldapi')
16
16
  .description('🛡️ ShieldAPI CLI — Security intelligence from your terminal. Pay-per-request with USDC.')
17
- .version('1.2.0')
17
+ .version('1.2.2')
18
18
  .option('--wallet <key>', 'Private key for x402 payments (or set SHIELDAPI_WALLET_KEY)')
19
19
  .option('--json', 'Output raw JSON instead of formatted output')
20
20
  .option('--no-color', 'Disable colors')
package/src/lib/api.js CHANGED
@@ -7,7 +7,7 @@ const BASE_URL = 'https://shield.vainplex.dev/api';
7
7
  * @param {Record<string, string>} params - Query parameters
8
8
  * @param {object} options
9
9
  * @param {boolean} options.demo - Use demo mode
10
- * @param {{ client: object }|null} options.wallet - Wallet with viem client
10
+ * @param {{ signer: object }|null} options.wallet - Wallet with x402 ClientEvmSigner
11
11
  * @returns {Promise<object>} Parsed JSON response
12
12
  */
13
13
  export async function apiRequest(endpoint, params = {}, { demo = false, wallet = null } = {}) {
@@ -28,8 +28,8 @@ export async function apiRequest(endpoint, params = {}, { demo = false, wallet =
28
28
  return res.json();
29
29
  }
30
30
 
31
- // Paid endpoint — need wallet
32
- if (!wallet?.client) {
31
+ // Paid endpoint — need wallet with signer
32
+ if (!wallet?.signer) {
33
33
  throw new Error(
34
34
  'No wallet configured. Use --wallet <key> or set SHIELDAPI_WALLET_KEY environment variable.'
35
35
  );
@@ -41,8 +41,9 @@ export async function apiRequest(endpoint, params = {}, { demo = false, wallet =
41
41
  const { wrapFetchWithPayment } = await import('@x402/fetch');
42
42
 
43
43
  // Create x402 client with EVM scheme registered
44
+ // wallet.signer is a ClientEvmSigner (from toClientEvmSigner) with .address + .signTypedData + .readContract
44
45
  const client = new x402Client();
45
- registerExactEvmScheme(client, { signer: wallet.client });
46
+ registerExactEvmScheme(client, { signer: wallet.signer });
46
47
 
47
48
  // Wrap fetch with x402 payment handling
48
49
  const paidFetch = wrapFetchWithPayment(fetch, client);
package/src/lib/wallet.js CHANGED
@@ -1,13 +1,17 @@
1
- import { createWalletClient, http, publicActions } from 'viem';
1
+ import { createWalletClient, createPublicClient, http } from 'viem';
2
2
  import { privateKeyToAccount } from 'viem/accounts';
3
3
  import { base } from 'viem/chains';
4
+ import { toClientEvmSigner } from '@x402/evm';
4
5
 
5
6
  /**
6
- * Create a viem wallet client from a private key.
7
- * Returns a wallet client with publicActions (needed for readContract in x402).
7
+ * Create a wallet + x402-compatible signer from a private key.
8
+ *
9
+ * Uses toClientEvmSigner to compose an account (for signing) with
10
+ * a publicClient (for readContract), producing a ClientEvmSigner
11
+ * that has both `.address` and `.signTypedData` + `.readContract`.
8
12
  *
9
13
  * @param {string} privateKey - Hex private key (with or without 0x prefix)
10
- * @returns {{ client: import('viem').WalletClient, address: string }}
14
+ * @returns {{ signer: object, address: string }}
11
15
  */
12
16
  export function createWallet(privateKey) {
13
17
  if (!privateKey) return null;
@@ -16,23 +20,26 @@ export function createWallet(privateKey) {
16
20
 
17
21
  try {
18
22
  const account = privateKeyToAccount(key);
19
- const client = createWalletClient({
20
- account,
23
+ const publicClient = createPublicClient({
21
24
  chain: base,
22
25
  transport: http(),
23
- }).extend(publicActions);
26
+ });
27
+
28
+ // toClientEvmSigner composes account.signTypedData + publicClient.readContract
29
+ // and exposes .address correctly
30
+ const signer = toClientEvmSigner(account, publicClient);
24
31
 
25
- return { client, address: account.address };
32
+ return { signer, address: account.address };
26
33
  } catch (err) {
27
34
  throw new Error(`Invalid private key: ${err.message}`);
28
35
  }
29
36
  }
30
37
 
31
38
  /**
32
- * Resolve wallet client from CLI option or environment variable.
39
+ * Resolve wallet/signer from CLI option or environment variable.
33
40
  *
34
41
  * @param {object} opts - Commander options
35
- * @returns {{ client: object, address: string }|null}
42
+ * @returns {{ signer: object, address: string }|null}
36
43
  */
37
44
  export function resolveWallet(opts) {
38
45
  const key = opts?.wallet || process.env.SHIELDAPI_WALLET_KEY;