@xyo-network/xl1-cli 1.20.22 → 1.20.24

package/dist/cli-min.mjs

@@ -36699,7 +36699,7 @@ function requireFollowRedirects () {
 var followRedirectsExports = requireFollowRedirects();
 var followRedirects = /*@__PURE__*/getDefaultExportFromCjs(followRedirectsExports);
 
-const VERSION$1 = "1.15.1";
+const VERSION$1 = "1.15.2";
 
 function parseProtocol(url) {
   const match = /^([-+\w]{1,25})(:?\/\/|:)/.exec(url);
@@ -37456,6 +37456,11 @@ const { http: httpFollow, https: httpsFollow } = followRedirects;
 
 const isHttps = /https:?/;
 
+// Symbols used to bind a single 'error' listener to a pooled socket and track
+// the request currently owning that socket across keep-alive reuse (issue #10780).
+const kAxiosSocketListener = Symbol('axios.http.socketListener');
+const kAxiosCurrentReq = Symbol('axios.http.currentReq');
+
 const supportedProtocols = platform.protocols.map((protocol) => {
   return protocol + ':';
 });
@@ -38021,9 +38026,10 @@ var httpAdapter = isHttpAdapterSupported &&
 
       // HTTP basic authentication
       let auth = undefined;
-      if (config.auth) {
-        const username = config.auth.username || '';
-        const password = config.auth.password || '';
+      const configAuth = own('auth');
+      if (configAuth) {
+        const username = configAuth.username || '';
+        const password = configAuth.password || '';
         auth = username + ':' + password;
       }
 
@@ -38057,7 +38063,10 @@ var httpAdapter = isHttpAdapterSupported &&
         false
       );
 
-      const options = {
+      // Null-prototype to block prototype pollution gadgets on properties read
+      // directly by Node's http.request (e.g. insecureHTTPParser, lookup).
+      // See GHSA-q8qp-cvcw-x6jj.
+      const options = Object.assign(Object.create(null), {
         path,
         method: method,
         headers: headers.toJSON(),
@@ -38066,14 +38075,41 @@ var httpAdapter = isHttpAdapterSupported &&
         protocol,
         family,
         beforeRedirect: dispatchBeforeRedirect,
-        beforeRedirects: {},
+        beforeRedirects: Object.create(null),
         http2Options,
-      };
+      });
 
       // cacheable-lookup integration hotfix
       !utils$8.isUndefined(lookup) && (options.lookup = lookup);
 
       if (config.socketPath) {
+        if (typeof config.socketPath !== 'string') {
+          return reject(new AxiosError$1(
+            'socketPath must be a string',
+            AxiosError$1.ERR_BAD_OPTION_VALUE,
+            config
+          ));
+        }
+
+        if (config.allowedSocketPaths != null) {
+          const allowed = Array.isArray(config.allowedSocketPaths)
+            ? config.allowedSocketPaths
+            : [config.allowedSocketPaths];
+
+          const resolvedSocket = resolve$1(config.socketPath);
+          const isAllowed = allowed.some(
+            (entry) => typeof entry === 'string' && resolve$1(entry) === resolvedSocket
+          );
+
+          if (!isAllowed) {
+            return reject(new AxiosError$1(
+              `socketPath "${config.socketPath}" is not permitted by allowedSocketPaths`,
+              AxiosError$1.ERR_BAD_OPTION_VALUE,
+              config
+            ));
+          }
+        }
+
         options.socketPath = config.socketPath;
       } else {
         options.hostname = parsed.hostname.startsWith('[')
@@ -38102,8 +38138,9 @@ var httpAdapter = isHttpAdapterSupported &&
           if (config.maxRedirects) {
             options.maxRedirects = config.maxRedirects;
           }
-          if (config.beforeRedirect) {
-            options.beforeRedirects.config = config.beforeRedirect;
+          const configBeforeRedirect = own('beforeRedirect');
+          if (configBeforeRedirect) {
+            options.beforeRedirects.config = configBeforeRedirect;
           }
           transport = isHttpsRequest ? httpsFollow : httpFollow;
         }
@@ -38116,9 +38153,10 @@ var httpAdapter = isHttpAdapterSupported &&
         options.maxBodyLength = Infinity;
       }
 
-      if (config.insecureHTTPParser) {
-        options.insecureHTTPParser = config.insecureHTTPParser;
-      }
+      // Always set an explicit own value so a polluted
+      // Object.prototype.insecureHTTPParser cannot enable the lenient parser
+      // through Node's internal options copy (GHSA-q8qp-cvcw-x6jj).
+      options.insecureHTTPParser = Boolean(own('insecureHTTPParser'));
 
       // Create the request
       req = transport.request(options, function handleResponse(res) {
@@ -38316,20 +38354,28 @@ var httpAdapter = isHttpAdapterSupported &&
         // default interval of sending ack packet is 1 minute
         socket.setKeepAlive(true, 1000 * 60);
 
-        const removeSocketErrorListener = () => {
-          socket.removeListener('error', handleRequestSocketError);
-        };
+        // Install a single 'error' listener per socket (not per request) to avoid
+        // accumulating listeners on pooled keep-alive sockets that get reassigned
+        // to new requests before the previous request's 'close' fires (issue #10780).
+        // The listener is bound to the socket's currently-active request via a
+        // symbol, which is swapped as the socket is reassigned.
+        if (!socket[kAxiosSocketListener]) {
+          socket.on('error', function handleSocketError(err) {
+            const current = socket[kAxiosCurrentReq];
+            if (current && !current.destroyed) {
+              current.destroy(err);
+            }
+          });
+          socket[kAxiosSocketListener] = true;
+        }
 
-        function handleRequestSocketError(err) {
-          removeSocketErrorListener();
+        socket[kAxiosCurrentReq] = req;
 
-          if (!req.destroyed) {
-            req.destroy(err);
+        req.once('close', function clearCurrentReq() {
+          if (socket[kAxiosCurrentReq] === req) {
+            socket[kAxiosCurrentReq] = null;
           }
-        }
-
-        socket.on('error', handleRequestSocketError);
-        req.once('close', removeSocketErrorListener);
+        });
       });
 
       // Handle request timeout
@@ -38515,7 +38561,18 @@ const headersToObject = (thing) => (thing instanceof AxiosHeaders$1 ? { ...thing
 function mergeConfig$2(config1, config2) {
   // eslint-disable-next-line no-param-reassign
   config2 = config2 || {};
-  const config = {};
+
+  // Use a null-prototype object so that downstream reads such as `config.auth`
+  // or `config.baseURL` cannot inherit polluted values from Object.prototype
+  // (see GHSA-q8qp-cvcw-x6jj). `hasOwnProperty` is restored as a non-enumerable
+  // own slot to preserve ergonomics for user code that relies on it.
+  const config = Object.create(null);
+  Object.defineProperty(config, 'hasOwnProperty', {
+    value: Object.prototype.hasOwnProperty,
+    enumerable: false,
+    writable: true,
+    configurable: true,
+  });
 
   function getMergedValue(target, source, prop, caseless) {
     if (utils$8.isPlainObject(target) && utils$8.isPlainObject(source)) {
@@ -38588,6 +38645,7 @@ function mergeConfig$2(config1, config2) {
     httpsAgent: defaultToConfig2,
     cancelToken: defaultToConfig2,
     socketPath: defaultToConfig2,
+    allowedSocketPaths: defaultToConfig2,
     responseEncoding: defaultToConfig2,
     validateStatus: mergeDirectKeys,
     headers: (a, b, prop) =>
@@ -38609,12 +38667,24 @@ function mergeConfig$2(config1, config2) {
 var resolveConfig$1 = (config) => {
   const newConfig = mergeConfig$2({}, config);
 
-  let { data, withXSRFToken, xsrfHeaderName, xsrfCookieName, headers, auth } = newConfig;
+  // Read only own properties to prevent prototype pollution gadgets
+  // (e.g. Object.prototype.baseURL = 'https://evil.com'). See GHSA-q8qp-cvcw-x6jj.
+  const own = (key) => (utils$8.hasOwnProp(newConfig, key) ? newConfig[key] : undefined);
+
+  const data = own('data');
+  let withXSRFToken = own('withXSRFToken');
+  const xsrfHeaderName = own('xsrfHeaderName');
+  const xsrfCookieName = own('xsrfCookieName');
+  let headers = own('headers');
+  const auth = own('auth');
+  const baseURL = own('baseURL');
+  const allowAbsoluteUrls = own('allowAbsoluteUrls');
+  const url = own('url');
 
   newConfig.headers = headers = AxiosHeaders$1.from(headers);
 
   newConfig.url = buildURL(
-    buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls),
+    buildFullPath(baseURL, url, allowAbsoluteUrls),
     config.params,
     config.paramsSerializer
   );
@@ -39644,7 +39714,9 @@ function assertOptions(options, schema, allowUnknown) {
   let i = keys.length;
   while (i-- > 0) {
     const opt = keys[i];
-    const validator = schema[opt];
+    // Use hasOwnProperty so a polluted Object.prototype.<opt> cannot supply
+    // a non-function validator and cause a TypeError. See GHSA-q8qp-cvcw-x6jj.
+    const validator = Object.prototype.hasOwnProperty.call(schema, opt) ? schema[opt] : undefined;
     if (validator) {
       const value = options[opt];
       const result = value === undefined || validator(value, opt, options);
@@ -93366,10 +93438,6 @@ async function validateTransactionsOpcodes(txs) {
   }
   return txElevatedPayloads;
 }
-var MnemonicStringZod = string$2().transform((s) => s.trim().replaceAll(/\s+/g, " ")).refine(
-  (s) => [12, 15, 18, 21, 24].includes(s.split(" ").length),
-  { message: "Mnemonic must contain 12, 15, 18, 21, or 24 words." }
-).describe("BIP-39 mnemonic string");
 var ChainConfigZod = object$4({
   id: HexZod.optional().register(globalRegistry, {
     description: "The unique identifier for the chain. Should be the staking contract address for contract-backed chains.",
@@ -94238,11 +94306,15 @@ var BaseConfigZod = object$4({
 });
 
 // src/config/Actor.ts
+var AccountPathZod = string$2().regex(
+  /^(m(\/\d+'?)+|\d+'?(\/\d+'?)*)$/,
+  `Invalid BIP-32 derivation path. Use either an absolute path like "m/44'/60'/0'/0/0" or a relative path like "0", "0/1", or "44'/60'/0'/0/0".`
+);
 var ActorConfigZod = BaseConfigZod.extend({
   name: string$2(),
-  mnemonic: MnemonicStringZod.optional().register(globalRegistry, {
-    description: "Mnemonic for the Actor wallet",
-    title: "mnemonic",
+  accountPath: AccountPathZod.optional().register(globalRegistry, {
+    description: 'BIP-32 derivation path for the actor wallet. Absolute when it starts with "m/"; otherwise relative to the root wallet base path. Each actor must derive to a distinct path.',
+    title: "accountPath",
     type: "string"
   }),
   healthCheckPort: number$2().optional().register(globalRegistry, {
@@ -97354,13 +97426,16 @@ var RuntimeStatusMonitor = class extends LoggerStatusReporter {
     }
   }
 };
+string$2().transform((s) => s.trim().replaceAll(/\s+/g, " ")).refine(
+  (s) => [12, 15, 18, 21, 24].includes(s.split(" ").length),
+  { message: "Mnemonic must contain 12, 15, 18, 21, or 24 words." }
+).describe("BIP-39 mnemonic string");
 
 // src/wallet/paths.ts
 var WALLET_COMPLIANCE = "44'";
 var COIN_TYPES = { Ethereum: "60'" };
 var ACCOUNT_TYPE = { XYO: "0'" };
 var CHANGE_ADDRESS = { XYO: "0" };
-var ADDRESS_INDEX = { XYO: "0" };
 var DEFAULT_WALLET_PATH = `m/${WALLET_COMPLIANCE}/${COIN_TYPES.Ethereum}/${ACCOUNT_TYPE.XYO}/${CHANGE_ADDRESS.XYO}`;
 
 // src/wallet/generateXyoBaseWalletFromPhrase.ts
@@ -106406,7 +106481,7 @@ var ChainHeadSelector = class extends ChainFinalizer {
   constructor(params) {
     super(params);
     this.allowedProducers = params.allowedProducers;
-    this.minCandidates = params.minCandidates ?? 1;
+    this.minCandidates = params.minCandidates;
   }
   get context() {
     return this.params.context;
@@ -202706,15 +202781,7 @@ function buildTelemetryConfig(config, serviceName, serviceVersion, defaultMetric
   return telemetryConfig;
 }
 __name$7(buildTelemetryConfig, "buildTelemetryConfig");
-var ActorAccountIndexZod = /* @__PURE__ */ __name$7((title) => number$2().int().min(0).optional().register(globalRegistry, {
-  description: "Account index derived from the actor wallet phrase. Defaults to 0 for actor mnemonics and to the actor-specific shared index for the root mnemonic.",
-  title,
-  type: "number"
-}), "ActorAccountIndexZod");
-
-// src/shared/config/actors/Api.ts
 var ApiConfigZod = HostActorConfigZod.extend(object$4({
-  accountIndex: ActorAccountIndexZod("api.accountIndex"),
   initRewardsCache: union$1([
     number$3(),
     string$2(),
@@ -202738,7 +202805,6 @@ var DEFAULT_MAX_BRIDGE_AMOUNT = toHex(XL1(1000000n) * AttoXL1ConvertFactor.xl1);
 var DEFAULT_MIN_BRIDGE_AMOUNT = toHex(XL1(1500n) * AttoXL1ConvertFactor.xl1);
 var BasisPointsZod = number$2().int().nonnegative().max(1e4);
 var BridgeConfigZod = HostActorConfigZod.extend({
-  accountIndex: ActorAccountIndexZod("bridge.accountIndex"),
   escrowAddress: AddressZod.optional().register(globalRegistry, {
     description: "Address to which bridge escrow will be sent",
     title: "bridge.escrowAddress",
@@ -202836,9 +202902,8 @@ var BridgeConfigContext = BaseConfigContextZod.extend({
 });
 var asBridgeConfigContext = zodAsFactory(BridgeConfigContext, "asBridgeConfigContext");
 var FinalizerConfigZod = HostActorConfigZod.extend({
-  accountIndex: ActorAccountIndexZod("finalizer.accountIndex"),
   allowedProducers: array$1(AddressZod).optional(),
-  minCandidates: number$3().int().min(0).default(1)
+  minCandidates: number$3().int().min(0).default(DEFAULT_MIN_CANDIDATES)
 });
 BaseConfigContextZod.extend({
   config: FinalizerConfigZod
@@ -202846,7 +202911,6 @@ BaseConfigContextZod.extend({
 var DEFAULT_MEMPOOL_BLOCK_PRUNE_INTERVAL = 1e3;
 var DEFAULT_MEMPOOL_TRANSACTION_PRUNE_INTERVAL = 1e3;
 var MempoolConfigZod = HostActorConfigZod.extend({
-  accountIndex: ActorAccountIndexZod("mempool.accountIndex"),
   enabled: union$1([
     string$2(),
     boolean$1()
@@ -202893,7 +202957,6 @@ BaseConfigContextZod.extend({
 });
 var DEFAULT_BLOCK_PRODUCTION_CHECK_INTERVAL = 1e4;
 var ProducerConfigZod = ActorConfigZod.extend(object$4({
-  accountIndex: ActorAccountIndexZod("producer.accountIndex"),
   allowlist: preprocess((val) => {
     if (typeof val === "string") {
       return val.split(",").map((s) => asAddress(s.trim()));
@@ -202935,9 +202998,7 @@ var ProducerConfigZod = ActorConfigZod.extend(object$4({
 BaseConfigContextZod.extend({
   config: ProducerConfigZod
 });
-var RewardRedemptionConfigZod = HostActorConfigZod.extend({
-  accountIndex: ActorAccountIndexZod("rewardRedemption.accountIndex")
-});
+var RewardRedemptionConfigZod = HostActorConfigZod.extend({});
 BaseConfigContextZod.extend({
   config: RewardRedemptionConfigZod
 });
@@ -202992,21 +203053,20 @@ __name$7(createProducerChainStakeIntentBlock, "createProducerChainStakeIntentBlo
     return this._services[serviceIdentifier];
   }
 });
+var DEFAULT_ACTOR_ACCOUNT_PATH = {
+  api: "3",
+  bridge: "1",
+  finalizer: "5",
+  mempool: "4",
+  producer: "0",
+  rewardRedemption: "2"
+};
 var BUILT_IN_DEV_MNEMONIC = "crane ribbon cook cousin tobacco vital moral protect merit knock veteran hint knee ocean nurse";
 var INSECURE_GENESIS_REWARD_MNEMONIC = "test test test test test test test test test test test junk";
 var GENESIS_REWARD_AMOUNT = 20000000000000000000000n;
 var ATTO_XL1_PER_XL1 = 1000000000000000000n;
 var ROOT_WALLET_RUNTIME_ID = "_root";
 var SHARED_ACCOUNT_REPORT_COUNT = 10;
-var RESERVED_ACTOR_INDEX = {
-  [ROOT_WALLET_RUNTIME_ID]: 0,
-  api: 4,
-  bridge: 2,
-  finalizer: 6,
-  mempool: 5,
-  producer: 1,
-  rewardRedemption: 3
-};
 var ACTOR_LABELS = {
   [ROOT_WALLET_RUNTIME_ID]: "root/local-node",
   api: "api",
@@ -203025,10 +203085,30 @@ function clearResolvedWalletReport() {
   activeWalletReport = void 0;
 }
 __name$7(clearResolvedWalletReport, "clearResolvedWalletReport");
-function getReservedActorIndex(actorName) {
-  return RESERVED_ACTOR_INDEX[actorName] ?? 0;
-}
-__name$7(getReservedActorIndex, "getReservedActorIndex");
+function resolveActorAccountPath(actorName, actorConfig) {
+  if (actorConfig?.accountPath !== void 0) return actorConfig.accountPath;
+  return DEFAULT_ACTOR_ACCOUNT_PATH[actorName] ?? "0";
+}
+__name$7(resolveActorAccountPath, "resolveActorAccountPath");
+function isAbsoluteAccountPath(accountPath) {
+  return accountPath.startsWith("m/");
+}
+__name$7(isAbsoluteAccountPath, "isAbsoluteAccountPath");
+function expandAccountPath(accountPath, basePath = DEFAULT_WALLET_PATH) {
+  return isAbsoluteAccountPath(accountPath) ? accountPath : `${basePath}/${accountPath}`;
+}
+__name$7(expandAccountPath, "expandAccountPath");
+async function deriveWalletAtPath(mnemonic, accountPath) {
+  if (isAbsoluteAccountPath(accountPath)) {
+    const seed = Mnemonic.fromPhrase(mnemonic).computeSeed();
+    const rootNode = HDNodeWallet.fromSeed(seed);
+    const derivedNode = rootNode.derivePath(accountPath);
+    return await HDWallet.createFromNode(derivedNode);
+  }
+  const baseWallet = await generateXyoBaseWalletFromPhrase(mnemonic);
+  return await baseWallet.derivePath(accountPath);
+}
+__name$7(deriveWalletAtPath, "deriveWalletAtPath");
 function getBuiltInDevMnemonic() {
   return BUILT_IN_DEV_MNEMONIC;
 }
@@ -203050,83 +203130,115 @@ function resolveRootWallet(configuration) {
   };
 }
 __name$7(resolveRootWallet, "resolveRootWallet");
-async function resolveWalletMetadata({ accountIndex, actorName, mnemonic, mnemonicKind, source }) {
-  const wallet = await generateXyoBaseWalletFromPhrase(mnemonic);
-  const derivationPath = `${DEFAULT_WALLET_PATH}/${accountIndex}`;
-  const account = await wallet.derivePath(`${accountIndex}`);
+async function resolveWalletMetadata({ accountPath, actorName, mnemonic, mnemonicKind }) {
+  const account = await deriveWalletAtPath(mnemonic, accountPath);
   return {
-    accountIndex,
+    accountPath,
     actorName,
     address: account.address,
-    derivationPath,
+    derivationPath: expandAccountPath(accountPath),
     label: getAccountLabel(actorName),
     mnemonic,
     mnemonicKind,
     privateKey: account.privateKey,
-    source,
     usesBuiltInDevMnemonic: mnemonic === BUILT_IN_DEV_MNEMONIC
   };
 }
 __name$7(resolveWalletMetadata, "resolveWalletMetadata");
 async function resolveActorWallet(actorName, actorConfig, root) {
-  const actorMnemonic = actorConfig?.mnemonic;
-  const accountIndex = actorConfig?.accountIndex;
-  return await resolveWalletMetadata(actorMnemonic ? {
-    accountIndex: accountIndex ?? 0,
-    actorName,
-    mnemonic: actorMnemonic,
-    mnemonicKind: "configured-actor",
-    source: "actor"
-  } : {
-    accountIndex: accountIndex ?? getReservedActorIndex(actorName),
+  return await resolveWalletMetadata({
+    accountPath: resolveActorAccountPath(actorName, actorConfig),
     actorName,
     mnemonic: root.mnemonic,
-    mnemonicKind: root.mnemonicKind,
-    source: "root"
+    mnemonicKind: root.mnemonicKind
   });
 }
 __name$7(resolveActorWallet, "resolveActorWallet");
+var ActorMnemonicNotAllowedError = class extends Error {
+  static {
+    __name$7(this, "ActorMnemonicNotAllowedError");
+  }
+  actors;
+  constructor(actors) {
+    super([
+      `Per-actor mnemonics are no longer allowed (found on: ${actors.join(", ")}).`,
+      'Move the mnemonic to the root (XL1_MNEMONIC, --mnemonic, or config file "xl1.mnemonic") and give each actor a distinct accountPath.'
+    ].join("\n"));
+    this.name = "ActorMnemonicNotAllowedError";
+    this.actors = actors;
+  }
+};
+function assertNoActorMnemonics(configuration) {
+  const offenders = configuration.actors.filter((actor) => typeof actor.mnemonic === "string").map((actor) => actor.name);
+  if (offenders.length > 0) throw new ActorMnemonicNotAllowedError(offenders);
+}
+__name$7(assertNoActorMnemonics, "assertNoActorMnemonics");
+var DerivationPathCollisionError = class extends Error {
+  static {
+    __name$7(this, "DerivationPathCollisionError");
+  }
+  collisions;
+  constructor(collisions) {
+    const lines = Object.entries(collisions).map(([path, actors]) => `  - ${actors.join(", ")} \u2192 ${path}`);
+    super([
+      "Two or more actors resolve to the same wallet derivation path:",
+      ...lines,
+      "Change each actor's accountPath so every actor has a distinct path."
+    ].join("\n"));
+    this.name = "DerivationPathCollisionError";
+    this.collisions = collisions;
+  }
+};
+function detectDerivationPathCollisions(requestedActors, configuration) {
+  const actorConfigMap = new Map(configuration.actors.map((actor) => [
+    actor.name,
+    actor
+  ]));
+  const bucketsByPath = /* @__PURE__ */ new Map();
+  for (const actorName of requestedActors) {
+    const accountPath = resolveActorAccountPath(actorName, actorConfigMap.get(actorName));
+    const fullPath = expandAccountPath(accountPath);
+    const bucket = bucketsByPath.get(fullPath) ?? [];
+    bucket.push(actorName);
+    bucketsByPath.set(fullPath, bucket);
+  }
+  const collisions = {};
+  for (const [path, actors] of bucketsByPath) {
+    if (actors.length > 1) collisions[path] = actors;
+  }
+  if (Object.keys(collisions).length === 0) return void 0;
+  return new DerivationPathCollisionError(collisions);
+}
+__name$7(detectDerivationPathCollisions, "detectDerivationPathCollisions");
 async function resolveWalletReport(requestedActors, configuration) {
   const root = resolveRootWallet(configuration);
   const actorConfigMap = new Map(configuration.actors.map((actor) => [
     actor.name,
     actor
   ]));
-  const isRootRequired = requestedActors.some((actorName) => !actorConfigMap.get(actorName)?.mnemonic);
   const resolvedActors = await Promise.all(requestedActors.map(async (actorName) => await resolveActorWallet(actorName, actorConfigMap.get(actorName), root)));
-  const labelMap = /* @__PURE__ */ new Map([
-    [
-      0,
-      [
-        getAccountLabel(ROOT_WALLET_RUNTIME_ID)
-      ]
-    ]
-  ]);
+  const labelMap = /* @__PURE__ */ new Map();
   for (const actor of resolvedActors) {
-    if (actor.source !== "root") continue;
-    const labels = labelMap.get(actor.accountIndex) ?? [];
+    const labels = labelMap.get(actor.derivationPath) ?? [];
     labels.push(actor.label);
-    labelMap.set(actor.accountIndex, labels);
+    labelMap.set(actor.derivationPath, labels);
   }
   const sharedAccounts = await Promise.all(Array.from({
     length: SHARED_ACCOUNT_REPORT_COUNT
-  }, (_, index) => index).map(async (accountIndex) => {
+  }, (_, index) => index).map(async (sharedIndex) => {
     const account = await resolveWalletMetadata({
-      accountIndex,
+      accountPath: `${sharedIndex}`,
       actorName: ROOT_WALLET_RUNTIME_ID,
       mnemonic: root.mnemonic,
-      mnemonicKind: root.mnemonicKind,
-      source: "root"
+      mnemonicKind: root.mnemonicKind
     });
-    const labels = labelMap.get(accountIndex);
+    const labels = labelMap.get(account.derivationPath);
     return {
       ...account,
-      label: labels?.join(", ") ?? `shared[${accountIndex}]`
+      label: labels?.join(", ") ?? `shared[${sharedIndex}]`
     };
   }));
   return {
-    actorSpecificAccounts: resolvedActors.filter((actor) => actor.source === "actor"),
-    isRootRequired,
     requestedActors: [
       ...requestedActors
     ],
@@ -203138,17 +203250,16 @@ __name$7(resolveWalletReport, "resolveWalletReport");
 async function buildInsecureGenesisRewardAccounts() {
   const accounts = await Promise.all(Array.from({
     length: SHARED_ACCOUNT_REPORT_COUNT
-  }, (_, index) => index).map(async (accountIndex) => {
+  }, (_, index) => index).map(async (sharedIndex) => {
     const account = await resolveWalletMetadata({
-      accountIndex,
+      accountPath: `${sharedIndex}`,
       actorName: "genesisReward",
       mnemonic: INSECURE_GENESIS_REWARD_MNEMONIC,
-      mnemonicKind: "configured-actor",
-      source: "actor"
+      mnemonicKind: "insecure-genesis-reward"
     });
     return {
       ...account,
-      label: accountIndex === 0 ? "genesisRewardAddress" : `genesisReward[${accountIndex}]`
+      label: sharedIndex === 0 ? "genesisRewardAddress" : `genesisReward[${sharedIndex}]`
     };
   }));
   return accounts;
@@ -203165,7 +203276,7 @@ function getResolvedWalletReport() {
 __name$7(getResolvedWalletReport, "getResolvedWalletReport");
 function formatSharedAccount(account, showPrivateKey) {
   const lines = [
-    `[${account.accountIndex}] ${account.label}`,
+    `[${account.accountPath}] ${account.label}`,
     `source: ${account.mnemonicKind === "built-in-dev" ? "built-in dev mnemonic" : "configured root mnemonic"}`,
     `path: ${account.derivationPath}`,
     `address: ${account.address}`
@@ -203174,19 +203285,10 @@ function formatSharedAccount(account, showPrivateKey) {
   return lines.join("\n");
 }
 __name$7(formatSharedAccount, "formatSharedAccount");
-function formatActorSpecificAccount(account) {
-  return [
-    account.label,
-    "source: actor mnemonic",
-    `path: ${account.derivationPath}`,
-    `address: ${account.address}`
-  ].join("\n");
-}
-__name$7(formatActorSpecificAccount, "formatActorSpecificAccount");
 function formatGenesisRewardAccount(account) {
-  const balance = account.accountIndex === 0 ? GENESIS_REWARD_AMOUNT / ATTO_XL1_PER_XL1 : 0n;
+  const balance = account.accountPath === "0" ? GENESIS_REWARD_AMOUNT / ATTO_XL1_PER_XL1 : 0n;
   return [
-    `[${account.accountIndex}] ${account.label}`,
+    `[${account.accountPath}] ${account.label}`,
     `path: ${account.derivationPath}`,
     `address: ${account.address}`,
     `privateKey: ${account.privateKey ?? "unavailable"}`,
@@ -203196,13 +203298,8 @@ function formatGenesisRewardAccount(account) {
 __name$7(formatGenesisRewardAccount, "formatGenesisRewardAccount");
 function formatWalletReport(report) {
   const sections = [];
-  const showRootSection = report.isRootRequired || report.root.isConfigured;
-  const showSecrets = report.root.isBuiltInDevMnemonic && showRootSection;
-  if (showRootSection) {
-    sections.push(showSecrets ? "Development wallet detected." : "Wallet summary");
-  } else {
-    sections.push("Wallet summary (root wallet not required \u2014 every requested actor has its own mnemonic)");
-  }
+  const showSecrets = report.root.isBuiltInDevMnemonic;
+  sections.push(showSecrets ? "Development wallet detected." : "Wallet summary");
   if (showSecrets) {
     sections.push([
       "DEVELOPMENT WALLET WARNING",
@@ -203216,20 +203313,11 @@ function formatWalletReport(report) {
       report.root.mnemonic
     ].join("\n"));
   }
-  if (showRootSection) {
-    sections.push([
-      `Shared wallet accounts from ${report.root.basePath}:`,
-      "",
-      report.sharedAccounts.map((account) => formatSharedAccount(account, showSecrets)).join("\n\n")
-    ].join("\n"));
-  }
-  if (report.actorSpecificAccounts.length > 0) {
-    sections.push([
-      "Actor-specific wallet accounts:",
-      "",
-      report.actorSpecificAccounts.map((account) => formatActorSpecificAccount(account)).join("\n\n")
-    ].join("\n"));
-  }
+  sections.push([
+    `Shared wallet accounts from ${report.root.basePath}:`,
+    "",
+    report.sharedAccounts.map((account) => formatSharedAccount(account, showSecrets)).join("\n\n")
+  ].join("\n"));
   return sections.join("\n\n");
 }
 __name$7(formatWalletReport, "formatWalletReport");
@@ -203259,12 +203347,11 @@ async function resolveGenesisRewardAddress(config) {
   return account.address;
 }
 __name$7(resolveGenesisRewardAddress, "resolveGenesisRewardAddress");
-async function resolveWalletForActor(actorName, mnemonic, accountIndex) {
-  const fromReport = activeWalletReport ? actorName === ROOT_WALLET_RUNTIME_ID ? activeWalletReport.sharedAccounts.find((account) => account.accountIndex === 0) : activeWalletReport.actorSpecificAccounts.find((account) => account.actorName === actorName) ?? activeWalletReport.sharedAccounts.find((account) => account.actorName === actorName || account.label.split(", ").includes(getAccountLabel(actorName))) : void 0;
-  const resolvedMnemonic = fromReport?.mnemonic ?? mnemonic ?? BUILT_IN_DEV_MNEMONIC;
-  const resolvedAccountIndex = fromReport?.accountIndex ?? accountIndex ?? 0;
-  const wallet = await generateXyoBaseWalletFromPhrase(resolvedMnemonic);
-  return await wallet.derivePath(`${resolvedAccountIndex}`);
+async function resolveWalletForActor(actorName, accountPath) {
+  const report = activeWalletReport;
+  const mnemonic = report?.root.mnemonic ?? BUILT_IN_DEV_MNEMONIC;
+  const resolvedAccountPath = accountPath ?? resolveActorAccountPath(actorName);
+  return await deriveWalletAtPath(mnemonic, resolvedAccountPath);
 }
 __name$7(resolveWalletForActor, "resolveWalletForActor");
 
@@ -203273,8 +203360,8 @@ var actorAccountSingletons = {};
 async function initActorAccount({ config, logger }) {
   const actorName = config.name;
   if (isDefined(actorAccountSingletons[actorName])) return actorAccountSingletons[actorName];
-  const accountIndex = "accountIndex" in config && typeof config.accountIndex === "number" ? config.accountIndex : void 0;
-  const account = await resolveWalletForActor(actorName, config.mnemonic, accountIndex);
+  const accountPath = typeof config.accountPath === "string" ? config.accountPath : void 0;
+  const account = await resolveWalletForActor(actorName, accountPath);
   logger?.debug(`[${actorName}] Using wallet address ${account.address}`);
   actorAccountSingletons[actorName] = account;
   return actorAccountSingletons[actorName];
@@ -203284,10 +203371,7 @@ async function initActorSeedPhrase(context, bios) {
   const { logger, config } = context;
   const walletKind = config.name;
   const report = getResolvedWalletReport();
-  const account = config.name === ROOT_WALLET_RUNTIME_ID ? report?.sharedAccounts.find((entry) => entry.accountIndex === 0) : report?.actorSpecificAccounts.find((entry) => entry.actorName === config.name);
-  if (isString$3(account?.mnemonic)) return account.mnemonic;
   if (isString$3(report?.root.mnemonic)) return report.root.mnemonic;
-  if (isString$3(config.mnemonic)) return config.mnemonic;
   const fallback = getBuiltInDevMnemonic();
   logger?.debug(`[${walletKind}] Falling back to built-in development mnemonic`);
   return assertEx(fallback, () => "Unable to resolve mnemonic");
@@ -203336,10 +203420,10 @@ function initStatusReporter({ logger }) {
 __name$7(initStatusReporter, "initStatusReporter");
 
 // src/shared/init/initWallet.ts
-async function initActorWallet(context, mnemonic) {
-  const actorName = context.config.name === ROOT_WALLET_RUNTIME_ID ? ROOT_WALLET_RUNTIME_ID : context.config.name;
-  const accountIndex = "accountIndex" in context.config && typeof context.config.accountIndex === "number" ? context.config.accountIndex : void 0;
-  return await resolveWalletForActor(actorName, mnemonic ?? context.config.mnemonic, accountIndex);
+async function initActorWallet(context) {
+  const actorName = context.config.name;
+  const accountPath = typeof context.config.accountPath === "string" ? context.config.accountPath : void 0;
+  return await resolveWalletForActor(actorName, accountPath);
 }
 __name$7(initActorWallet, "initActorWallet");
 function _ts_decorate2(decorators, target, key, desc) {
@@ -261912,19 +261996,8 @@ var getRemoteTokenAddress = /* @__PURE__ */ __name$4((config) => {
 var accountServiceSingleton;
 var getBridgeWalletAccount = /* @__PURE__ */ __name$4(async (config) => {
   if (accountServiceSingleton) return accountServiceSingleton;
-  let walletPhrase = config.mnemonic;
-  if (isUndefined$1(walletPhrase)) {
-    console.log("[Bridge] No wallet mnemonic specified!");
-    const randomMnemonic = HDWallet.generateMnemonic();
-    console.log(`[Bridge] Using randomly generated mnemonic:
-    
-${randomMnemonic}
-      
-    `);
-    walletPhrase = randomMnemonic;
-  }
-  const wallet = await generateXyoBaseWalletFromPhrase(walletPhrase);
-  const account = await wallet.derivePath(ADDRESS_INDEX.XYO);
+  const accountPath = typeof config.accountPath === "string" ? config.accountPath : void 0;
+  const account = await resolveWalletForActor(config.name, accountPath);
   accountServiceSingleton = account;
   return accountServiceSingleton;
 }, "getBridgeWalletAccount");
@@ -263181,8 +263254,8 @@ var getServices = /* @__PURE__ */ __name$4(async (context, gateway) => {
   const ethTxStateMap = await getIterableMap(config, "liquidity_bridge_xl1_to_eth_eth_tx_state");
   const xl1TxStateMap = await getIterableMap(config, "liquidity_bridge_xl1_to_eth_xl1_tx_state");
   const provider = await initEvmProvider(context);
-  const { remoteBridgeContractAddress, remoteChainWalletPrivateKey, remoteTokenAddress, mnemonic } = config;
-  const account = isDefined(mnemonic) ? await HDWallet.fromPhrase(mnemonic) : await HDWallet.random();
+  const { remoteBridgeContractAddress, remoteChainWalletPrivateKey, remoteTokenAddress, accountPath } = config;
+  const account = await resolveWalletForActor(config.name, accountPath);
   const wallet = new Wallet(remoteChainWalletPrivateKey, provider);
   const bridgeableToken = BridgeableToken__factory.connect(getAddress(remoteTokenAddress), wallet);
   const bridge = LiquidityPoolBridge__factory.connect(getAddress(remoteBridgeContractAddress), wallet);
@@ -264398,31 +264471,11 @@ var getNode = /* @__PURE__ */ __name$1(async (context, gateway, wallet) => {
 
 // src/server/server.ts
 var hostname = "::";
-var getSeedPhrase = /* @__PURE__ */ __name$1(async (bios, config, logger) => {
-  const storedSeedPhrase = await bios.seedPhraseStore.get("os");
-  logger?.debug(`[RewardsRedemption] Stored mnemonic: ${storedSeedPhrase}`);
-  const { mnemonic } = config;
-  if (isString$3(storedSeedPhrase) && isString$3(mnemonic)) {
-    logger?.warn("[RewardsRedemption] Stored mnemonic does not match supplied. Updating stored mnemonic to supplied.");
-    await bios.seedPhraseStore.set("os", mnemonic);
-  } else {
-    let seedPhrase;
-    if (isString$3(mnemonic)) {
-      seedPhrase = mnemonic;
-    } else {
-      seedPhrase = HDWallet.generateMnemonic();
-      logger?.log("[RewardsRedemption] No mnemonic provided, using random mnemonic. This is not recommended for production use.");
-      logger?.log(`[RewardsRedemption] Mnemonic: ${seedPhrase}`);
-    }
-    await bios.seedPhraseStore.set("os", seedPhrase);
-  }
-  return assertEx(await bios.seedPhraseStore.get("os"), () => "Unable to acquire mnemonic from bios");
-}, "getSeedPhrase");
 var getServer = /* @__PURE__ */ __name$1(async (context, gateway, locator, providedNode) => {
   const { logger, config } = context;
-  const { port, mnemonic } = config;
-  const bios = await boot();
-  const seedPhrase = isDefined(mnemonic) ? mnemonic : await getSeedPhrase(bios, config, logger);
+  const { port } = config;
+  await boot();
+  const seedPhrase = await initActorSeedPhrase(context);
   const wallet = await HDWallet.fromPhrase(seedPhrase);
   const node = providedNode ?? await getNode(context, gateway, wallet);
   const app = getApp(node, config, locator);
@@ -264913,34 +264966,52 @@ var __name = (target, value) => __defProp(target, "name", { value, configurable:
 var deepMerge = createDeepMerge({
   arrayStrategy: "concat"
 });
+function coerceActorsArray(argv) {
+  const actors = argv.actors;
+  if (actors === void 0 || Array.isArray(actors)) return argv;
+  if (typeof actors !== "object" || actors === null) return argv;
+  const entries = Object.entries(actors);
+  const numericEntries = entries.map(([key, value]) => [
+    Number(key),
+    value
+  ]).filter(([key]) => Number.isInteger(key) && key >= 0);
+  if (numericEntries.length !== entries.length) return argv;
+  const asArray = [];
+  for (const [key, value] of numericEntries) asArray[key] = value;
+  return {
+    ...argv,
+    actors: asArray
+  };
+}
+__name(coerceActorsArray, "coerceActorsArray");
+function safeParseOrThrow(input2) {
+  const result = ConfigZod.safeParse(input2);
+  if (!result.success) throw result.error;
+  return result.data;
+}
+__name(safeParseOrThrow, "safeParseOrThrow");
+async function buildFinalConfig(argv) {
+  const configPath = argv.config;
+  const parsedConfigFile = await tryParseConfig({
+    configPath
+  });
+  const rootMnemonicFromFile = typeof parsedConfigFile.mnemonic === "string" ? parsedConfigFile.mnemonic : void 0;
+  const normalizedArgv = coerceActorsArray(argv);
+  const parsedConfigArgs = ConfigZod.safeParse(normalizedArgv).data ?? {};
+  const rootMnemonicFromArgs = typeof normalizedArgv.mnemonic === "string" ? normalizedArgv.mnemonic : void 0;
+  const mergedConfig = safeParseOrThrow(deepMerge(parsedConfigFile, parsedConfigArgs));
+  const validated = safeParseOrThrow(resolveConfig(safeParseOrThrow(mergedConfig)));
+  const rootMnemonic = rootMnemonicFromArgs ?? rootMnemonicFromFile;
+  return isDefined(rootMnemonic) ? {
+    ...validated,
+    mnemonic: rootMnemonic
+  } : validated;
+}
+__name(buildFinalConfig, "buildFinalConfig");
 async function configMiddleware(argv, setConfiguration) {
   try {
-    const configPath = argv.config;
-    const parsedConfigFile = await tryParseConfig({
-      configPath
-    });
-    const rootMnemonicFromFile = typeof parsedConfigFile.mnemonic === "string" ? parsedConfigFile.mnemonic : void 0;
-    const parsedConfigArgs = ConfigZod.safeParse(argv).data ?? {};
-    const rootMnemonicFromArgs = typeof argv.mnemonic === "string" ? argv.mnemonic : void 0;
-    const parseResult = ConfigZod.safeParse(deepMerge(parsedConfigFile, parsedConfigArgs));
-    if (!parseResult.success) {
-      throw parseResult.error;
-    }
-    const mergedConfig = parseResult.data;
-    const validatedMergedConfigResult = ConfigZod.safeParse(mergedConfig);
-    if (!validatedMergedConfigResult.success) {
-      throw validatedMergedConfigResult.error;
-    }
-    const resolvedConfig = resolveConfig(validatedMergedConfigResult.data);
-    const validatedConfigResult = ConfigZod.safeParse(resolvedConfig);
-    if (!validatedConfigResult.success) {
-      throw validatedConfigResult.error;
-    }
-    const rootMnemonic = rootMnemonicFromArgs ?? rootMnemonicFromFile;
-    const finalConfig = rootMnemonic ? {
-      ...validatedConfigResult.data,
-      mnemonic: rootMnemonic
-    } : validatedConfigResult.data;
+    const finalConfig = await buildFinalConfig(argv);
+    assertNoActorMnemonics(finalConfig);
     setConfiguration(finalConfig);
     if (argv["dump-config"]) {
       console.log(JSON.stringify(finalConfig, null, 2));
@@ -264949,12 +265020,14 @@ async function configMiddleware(argv, setConfiguration) {
   } catch (err) {
     if (err instanceof ConfigFileNotFoundError) {
       console.error(`${err.message}. Check the path passed to --config/-c and try again.`);
+    } else if (err instanceof ActorMnemonicNotAllowedError) {
+      console.error(err.message);
     } else if (isZodError(err)) {
       console.error(`Zod error: ${err.message}`);
     } else {
       console.error(`Error parsing configuration: ${err}`);
     }
-    if (!(err instanceof ConfigFileNotFoundError)) {
+    if (!(err instanceof ConfigFileNotFoundError) && !(err instanceof ActorMnemonicNotAllowedError)) {
       console.error(`Stack: ${err instanceof Error ? err.stack : "N/A"}`);
     }
     throw new Error("Invalid configuration", {
@@ -265295,7 +265368,7 @@ var optionsFromGlobalZodRegistry = /* @__PURE__ */ __name(() => {
 
 // src/runCLI.ts
 var configuration;
-var version = isDefined("1.20.22") ? "1.20.22" : "unknown";
+var version = isDefined("1.20.24") ? "1.20.24" : "unknown";
 function getConfiguration() {
   return configuration;
 }
@@ -265337,6 +265410,8 @@ async function getLocatorsFromConfig(actors, configuration2) {
   const orchestrator = await Orchestrator.create({
     logger
   });
+  const collision = detectDerivationPathCollisions(actors, configuration2);
+  if (collision) throw collision;
   const walletReport = await initializeResolvedWalletReport(actors, configuration2);
   logger.info(formatWalletReport(walletReport));
   const context = await contextFromConfigWithoutLocator(config2, logger, "xl1-cli", version);