arc402-cli 0.6.0 → 0.7.1

package/dist/commands/wallet.js

@@ -26,6 +26,26 @@ const tree_1 = require("../ui/tree");
 const spinner_1 = require("../ui/spinner");
 const colors_1 = require("../ui/colors");
 const POLICY_ENGINE_DEFAULT = "0x44102e70c2A366632d98Fe40d892a2501fC7fFF2";
+const GUARDIAN_KEY_PATH = path_1.default.join(os_1.default.homedir(), ".arc402", "guardian.key");
+/** Save guardian private key to a restricted standalone file (never to config.json). */
+function saveGuardianKey(privateKey) {
+    fs_1.default.mkdirSync(path_1.default.dirname(GUARDIAN_KEY_PATH), { recursive: true, mode: 0o700 });
+    fs_1.default.writeFileSync(GUARDIAN_KEY_PATH, privateKey + "\n", { mode: 0o400 });
+}
+/** Load guardian private key from file, falling back to config for backwards compat. */
+function loadGuardianKey(config) {
+    try {
+        return fs_1.default.readFileSync(GUARDIAN_KEY_PATH, "utf-8").trim();
+    }
+    catch {
+        // Migration: if key still in config, migrate it to the file now
+        if (config.guardianPrivateKey) {
+            saveGuardianKey(config.guardianPrivateKey);
+            return config.guardianPrivateKey;
+        }
+        return null;
+    }
+}
 function parseAmount(raw) {
     const lower = raw.toLowerCase();
     if (lower.endsWith("eth")) {
@@ -161,6 +181,9 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
         await sendTx({ to: walletAddress, data: mkIface.encodeFunctionData("authorizeMachineKey", [machineKeyAddress]), value: "0x0" }, "authorizeMachineKey");
         console.log(" " + colors_1.c.success + " Machine key authorized");
     }
+    // Save progress after machine key step
+    config.onboardingProgress = { walletAddress, step: 2, completedSteps: ["machineKey"] };
+    (0, config_1.saveConfig)(config);
     // ── Step 3: Passkey ───────────────────────────────────────────────────────
     console.log("\n" + colors_1.c.dim("── Step 3: Passkey (Face ID / WebAuthn) ──────────────────────"));
     let passkeyActive = false;
@@ -192,6 +215,9 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
             console.log(" " + colors_1.c.success + " Passkey set (via browser)");
         }
     }
+    // Save progress after passkey step
+    config.onboardingProgress = { walletAddress, step: 3, completedSteps: ["machineKey", "passkey"] };
+    (0, config_1.saveConfig)(config);
     // ── Step 4: Policy ────────────────────────────────────────────────────────
     console.log("\n" + colors_1.c.dim("── Step 4: Policy ─────────────────────────────────────────────"));
     // 4a) setVelocityLimit
@@ -240,12 +266,15 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
         const guardianInput = guardianAns.guardian?.trim() ?? "";
         if (guardianInput.toLowerCase() === "g") {
             const generatedGuardian = ethers_1.ethers.Wallet.createRandom();
-            config.guardianPrivateKey = generatedGuardian.privateKey;
+            // Save guardian private key to a separate restricted file, NOT config.json
+            const guardianKeyPath = path_1.default.join(os_1.default.homedir(), ".arc402", "guardian.key");
+            fs_1.default.mkdirSync(path_1.default.dirname(guardianKeyPath), { recursive: true, mode: 0o700 });
+            fs_1.default.writeFileSync(guardianKeyPath, generatedGuardian.privateKey + "\n", { mode: 0o400 });
+            // Only save address (not private key) to config
             config.guardianAddress = generatedGuardian.address;
             (0, config_1.saveConfig)(config);
             guardianAddress = generatedGuardian.address;
-            console.log("\n " + colors_1.c.warning + " IMPORTANT: Save this guardian private key (emergency freeze key):");
-            console.log("   " + colors_1.c.dim(generatedGuardian.privateKey));
+            console.log("\n " + colors_1.c.warning + " Guardian key saved to ~/.arc402/guardian.key — move offline for security");
             console.log("   " + colors_1.c.dim("Address: ") + colors_1.c.white(generatedGuardian.address) + "\n");
             const guardianIface = new ethers_1.ethers.Interface(["function setGuardian(address _guardian) external"]);
             await sendTx({ to: walletAddress, data: guardianIface.encodeFunctionData("setGuardian", [guardianAddress]), value: "0x0" }, "setGuardian");
@@ -297,6 +326,9 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
     await sendTx({ to: policyAddress, data: contractInteractionIface.encodeFunctionData("enableContractInteraction", [walletAddress, handshakeAddress]), value: "0x0" }, "enableContractInteraction: Handshake");
     (0, config_1.saveConfig)(config);
     console.log(" " + colors_1.c.success + " Policy configured");
+    // Save progress after policy step
+    config.onboardingProgress = { walletAddress, step: 4, completedSteps: ["machineKey", "passkey", "policy"] };
+    (0, config_1.saveConfig)(config);
     // ── Step 5: Agent Registration ─────────────────────────────────────────────
     console.log("\n" + colors_1.c.dim("── Step 5: Agent Registration ─────────────────────────────────"));
     let agentAlreadyRegistered = false;
@@ -374,6 +406,9 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
     else {
         console.log(" " + colors_1.c.warning + " AgentRegistry address not configured — skipping");
     }
+    // Save progress after agent step, then clear on ceremony complete
+    config.onboardingProgress = { walletAddress, step: 5, completedSteps: ["machineKey", "passkey", "policy", "agent"] };
+    (0, config_1.saveConfig)(config);
     // ── Step 7: Workroom Init ─────────────────────────────────────────────────
     console.log("\n" + colors_1.c.dim("── Step 7: Workroom ────────────────────────────────────────────"));
     let workroomInitialized = false;
@@ -475,6 +510,9 @@ async function runCompleteOnboardingCeremony(walletAddress, ownerAddress, config
     const endpointLabel = agentEndpoint
         ? colors_1.c.white(agentEndpoint) + colors_1.c.dim(` → localhost:${relayPort}`)
         : colors_1.c.dim("—");
+    // Clear onboarding progress — ceremony complete
+    delete config.onboardingProgress;
+    (0, config_1.saveConfig)(config);
     console.log("\n " + colors_1.c.success + colors_1.c.white(" Onboarding complete"));
     (0, tree_1.renderTree)([
         { label: "Wallet", value: colors_1.c.white(walletAddress) },
@@ -637,16 +675,40 @@ function registerWalletCommands(program) {
         console.log(colors_1.c.dim("Next: fund your wallet with ETH, then run: arc402 wallet deploy"));
     });
     // ─── import ────────────────────────────────────────────────────────────────
-    wallet.command("import <privateKey>")
-        .description("Import an existing private key")
+    wallet.command("import")
+        .description("Import an existing private key (use --key-file or stdin prompt)")
         .option("--network <network>", "Network (base-mainnet or base-sepolia)", "base-sepolia")
-        .action(async (privateKey, opts) => {
+        .option("--key-file <path>", "Read private key from file instead of prompting")
+        .action(async (opts) => {
         const network = opts.network;
         const defaults = config_1.NETWORK_DEFAULTS[network];
         if (!defaults) {
             console.error(`Unknown network: ${network}. Use base-mainnet or base-sepolia.`);
             process.exit(1);
         }
+        let privateKey;
+        if (opts.keyFile) {
+            try {
+                privateKey = fs_1.default.readFileSync(opts.keyFile, "utf-8").trim();
+            }
+            catch (e) {
+                console.error(`Cannot read key file: ${e instanceof Error ? e.message : String(e)}`);
+                process.exit(1);
+            }
+        }
+        else {
+            // Interactive prompt — hidden input avoids shell history
+            const answer = await (0, prompts_1.default)({
+                type: "password",
+                name: "key",
+                message: "Paste private key (hidden):",
+            });
+            privateKey = (answer.key ?? "").trim();
+            if (!privateKey) {
+                console.error("No private key entered.");
+                process.exit(1);
+            }
+        }
         let imported;
         try {
             imported = new ethers_1.ethers.Wallet(privateKey);
@@ -794,8 +856,31 @@ function registerWalletCommands(program) {
         .option("--smart-wallet", "Connect via Base Smart Wallet (Coinbase Wallet SDK) instead of WalletConnect")
         .option("--hardware", "Hardware wallet mode: show raw wc: URI only (for Ledger Live, Trezor Suite, etc.)")
         .option("--sponsored", "Use CDP paymaster for gas sponsorship (requires paymasterUrl + cdpKeyName + CDP_PRIVATE_KEY env)")
+        .option("--dry-run", "Simulate the deployment ceremony without sending transactions")
         .action(async (opts) => {
         const config = (0, config_1.loadConfig)();
+        if (opts.dryRun) {
+            const factoryAddr = config.walletFactoryAddress ?? config_1.NETWORK_DEFAULTS[config.network]?.walletFactoryAddress ?? "(not configured)";
+            const chainId = config.network === "base-mainnet" ? 8453 : 84532;
+            console.log();
+            console.log(" " + colors_1.c.dim("── Dry run: wallet deploy ──────────────────────────────────────"));
+            console.log(" " + colors_1.c.dim("Network:         ") + colors_1.c.white(config.network));
+            console.log(" " + colors_1.c.dim("Chain ID:        ") + colors_1.c.white(String(chainId)));
+            console.log(" " + colors_1.c.dim("RPC:             ") + colors_1.c.white(config.rpcUrl));
+            console.log(" " + colors_1.c.dim("WalletFactory:   ") + colors_1.c.white(factoryAddr));
+            console.log(" " + colors_1.c.dim("Signing method:  ") + colors_1.c.white(opts.smartWallet ? "Base Smart Wallet" : opts.hardware ? "Hardware (WC URI)" : "WalletConnect"));
+            console.log(" " + colors_1.c.dim("Sponsored:       ") + colors_1.c.white(opts.sponsored ? "yes" : "no"));
+            console.log();
+            console.log(" " + colors_1.c.dim("Steps that would run:"));
+            console.log("   1. Connect " + (opts.smartWallet ? "Coinbase Smart Wallet" : "WalletConnect") + " session");
+            console.log("   2. Call WalletFactory.createWallet() → deploy ARC402Wallet");
+            console.log("   3. Save walletContractAddress to config");
+            console.log("   4. Run onboarding ceremony (PolicyEngine, machine key, agent registration)");
+            console.log();
+            console.log(" " + colors_1.c.dim("No transactions sent (--dry-run mode)."));
+            console.log();
+            return;
+        }
         const factoryAddress = config.walletFactoryAddress ?? config_1.NETWORK_DEFAULTS[config.network]?.walletFactoryAddress;
         if (!factoryAddress) {
             console.error("walletFactoryAddress not found in config or NETWORK_DEFAULTS. Add walletFactoryAddress to your config.");
@@ -936,12 +1021,44 @@ function registerWalletCommands(program) {
             const telegramOpts = config.telegramBotToken && config.telegramChatId
                 ? { botToken: config.telegramBotToken, chatId: config.telegramChatId, threadId: config.telegramThreadId }
                 : undefined;
+            // ── Resume check ──────────────────────────────────────────────────────
+            const resumeProgress = config.onboardingProgress;
+            const isResuming = !!(resumeProgress?.walletAddress &&
+                resumeProgress.walletAddress === config.walletContractAddress &&
+                config.ownerAddress);
+            if (isResuming) {
+                const stepNames = {
+                    2: "machine key", 3: "passkey", 4: "policy setup", 5: "agent registration",
+                };
+                const nextStep = (resumeProgress.step ?? 1) + 1;
+                console.log(" " + colors_1.c.dim(`◈ Resuming onboarding from step ${nextStep} (${stepNames[nextStep] ?? "ceremony"})...`));
+            }
+            // ── Gas estimation ─────────────────────────────────────────────────────
+            if (!isResuming) {
+                let gasMsg = "~0.003 ETH (6 transactions on Base)";
+                try {
+                    const feeData = await provider.getFeeData();
+                    const gasPrice = feeData.maxFeePerGas ?? feeData.gasPrice ?? BigInt(1500000000);
+                    const deployGas = await provider.estimateGas({
+                        to: factoryAddress,
+                        data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
+                    }).catch(() => BigInt(280000));
+                    const ceremonyGas = BigInt(700000); // ~5 ceremony txs × ~140k each
+                    const totalGasEth = parseFloat(ethers_1.ethers.formatEther((deployGas + ceremonyGas) * gasPrice));
+                    gasMsg = `~${totalGasEth.toFixed(4)} ETH (6 transactions on Base)`;
+                }
+                catch { /* use default */ }
+                console.log(" " + colors_1.c.dim(`◈ Estimated gas: ${gasMsg}`));
+            }
             // ── Step 1: Connect ────────────────────────────────────────────────────
-            const { client, session, account } = await (0, walletconnect_1.connectPhoneWallet)(config.walletConnectProjectId, chainId, config, { telegramOpts, prompt: "Approve ARC402Wallet deployment — you will be set as owner", hardware: !!opts.hardware });
+            const connectPrompt = isResuming
+                ? "Connect wallet to resume onboarding"
+                : "Approve ARC402Wallet deployment — you will be set as owner";
+            const { client, session, account } = await (0, walletconnect_1.connectPhoneWallet)(config.walletConnectProjectId, chainId, config, { telegramOpts, prompt: connectPrompt, hardware: !!opts.hardware });
             const networkName = chainId === 8453 ? "Base" : "Base Sepolia";
             const shortAddr = `${account.slice(0, 6)}...${account.slice(-5)}`;
             console.log("\n" + colors_1.c.success + colors_1.c.white(` Connected: ${shortAddr} on ${networkName}`));
-            if (telegramOpts) {
+            if (telegramOpts && !isResuming) {
                 // Send "connected" message with a deploy confirmation button.
                 // TODO: wire up full callback_data round-trip when a persistent bot process is available.
                 await (0, telegram_notify_1.sendTelegramMessage)({
@@ -952,50 +1069,59 @@ function registerWalletCommands(program) {
                     buttons: [[{ text: "🚀 Deploy ARC-402 Wallet", callback_data: "arc402_deploy_confirm" }]],
                 });
             }
-            // ── Step 2: Confirm & Deploy ───────────────────────────────────────────
-            // WalletConnect approval already confirmed intent — sending automatically
-            console.log("Deploying...");
-            const txHash = await (0, walletconnect_1.sendTransactionWithSession)(client, session, account, chainId, {
-                to: factoryAddress,
-                data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
-                value: "0x0",
-            });
-            console.log(`\nTransaction submitted: ${txHash}`);
-            console.log("Waiting for confirmation...");
-            const receipt = await provider.waitForTransaction(txHash);
-            if (!receipt) {
-                console.error("Transaction not confirmed. Check on-chain.");
-                process.exit(1);
+            let walletAddress;
+            if (isResuming) {
+                // Resume: skip deploy, use existing wallet
+                walletAddress = config.walletContractAddress;
+                console.log(" " + colors_1.c.dim(`◈ Using existing wallet: ${walletAddress}`));
             }
-            let walletAddress = null;
-            const factoryContract = new ethers_1.ethers.Contract(factoryAddress, abis_1.WALLET_FACTORY_ABI, provider);
-            for (const log of receipt.logs) {
-                try {
-                    const parsed = factoryContract.interface.parseLog(log);
-                    if (parsed?.name === "WalletCreated") {
-                        walletAddress = parsed.args.walletAddress;
-                        break;
+            else {
+                // ── Step 2: Confirm & Deploy ─────────────────────────────────────────
+                // WalletConnect approval already confirmed intent — sending automatically
+                console.log("Deploying...");
+                const txHash = await (0, walletconnect_1.sendTransactionWithSession)(client, session, account, chainId, {
+                    to: factoryAddress,
+                    data: factoryInterface.encodeFunctionData("createWallet", ["0x0000000071727De22E5E9d8BAf0edAc6f37da032"]),
+                    value: "0x0",
+                });
+                console.log(`\nTransaction submitted: ${txHash}`);
+                console.log("Waiting for confirmation...");
+                const receipt = await provider.waitForTransaction(txHash);
+                if (!receipt) {
+                    console.error("Transaction not confirmed. Check on-chain.");
+                    process.exit(1);
+                }
+                let deployedWallet = null;
+                const factoryContract = new ethers_1.ethers.Contract(factoryAddress, abis_1.WALLET_FACTORY_ABI, provider);
+                for (const log of receipt.logs) {
+                    try {
+                        const parsed = factoryContract.interface.parseLog(log);
+                        if (parsed?.name === "WalletCreated") {
+                            deployedWallet = parsed.args.walletAddress;
+                            break;
+                        }
                     }
+                    catch { /* skip unparseable logs */ }
                 }
-                catch { /* skip unparseable logs */ }
-            }
-            if (!walletAddress) {
-                console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
-                process.exit(1);
-            }
-            // ── Step 1 complete: save wallet + owner immediately ─────────────────
-            config.walletContractAddress = walletAddress;
-            config.ownerAddress = account;
-            (0, config_1.saveConfig)(config);
-            try {
-                fs_1.default.chmodSync((0, config_1.getConfigPath)(), 0o600);
+                if (!deployedWallet) {
+                    console.error("Could not find WalletCreated event in receipt. Check the transaction on-chain.");
+                    process.exit(1);
+                }
+                walletAddress = deployedWallet;
+                // ── Step 1 complete: save wallet + owner immediately ─────────────────
+                config.walletContractAddress = walletAddress;
+                config.ownerAddress = account;
+                (0, config_1.saveConfig)(config);
+                try {
+                    fs_1.default.chmodSync((0, config_1.getConfigPath)(), 0o600);
+                }
+                catch { /* best-effort */ }
+                console.log("\n " + colors_1.c.success + colors_1.c.white(" Wallet deployed"));
+                (0, tree_1.renderTree)([
+                    { label: "Wallet", value: walletAddress },
+                    { label: "Owner", value: account, last: true },
+                ]);
             }
-            catch { /* best-effort */ }
-            console.log("\n " + colors_1.c.success + colors_1.c.white(" Wallet deployed"));
-            (0, tree_1.renderTree)([
-                { label: "Wallet", value: walletAddress },
-                { label: "Owner", value: account, last: true },
-            ]);
             // ── Steps 2–6: Complete onboarding ceremony (same WalletConnect session)
             const sendTxCeremony = async (call, description) => {
                 console.log(" " + colors_1.c.dim(`◈ ${description}`));
@@ -1036,8 +1162,11 @@ function registerWalletCommands(program) {
             const guardianWallet = ethers_1.ethers.Wallet.createRandom();
             config.walletContractAddress = walletAddress;
             config.ownerAddress = address;
-            config.guardianPrivateKey = guardianWallet.privateKey;
             config.guardianAddress = guardianWallet.address;
+            // Save key to restricted file — never store in config.json
+            saveGuardianKey(guardianWallet.privateKey);
+            if (config.guardianPrivateKey)
+                delete config.guardianPrivateKey;
             (0, config_1.saveConfig)(config);
             // Call setGuardian on the deployed wallet
             const walletContract = new ethers_1.ethers.Contract(walletAddress, abis_1.ARC402_WALLET_GUARDIAN_ABI, signer);
@@ -1058,7 +1187,7 @@ function registerWalletCommands(program) {
                 { label: "Wallet", value: walletAddress },
                 { label: "Guardian", value: guardianWallet.address, last: true },
             ]);
-            console.log(`Guardian private key saved to config (keep it safe — used for emergency freeze only)`);
+            console.log(`Guardian private key saved to ~/.arc402/guardian.key (chmod 400 — keep it safe, used for emergency freeze only)`);
             console.log(`Your wallet contract is ready for policy enforcement`);
             printOpenShellHint();
         }
@@ -1255,12 +1384,13 @@ function registerWalletCommands(program) {
             console.error("walletContractAddress not set in config. Run `arc402 wallet deploy` first.");
             process.exit(1);
         }
-        if (!config.guardianPrivateKey) {
-            console.error("guardianPrivateKey not set in config. Guardian key was generated during `arc402 wallet deploy`.");
+        const guardianKey = loadGuardianKey(config);
+        if (!guardianKey) {
+            console.error(`Guardian key not found. Expected at ~/.arc402/guardian.key (or guardianPrivateKey in config for legacy setups).`);
             process.exit(1);
         }
         const provider = new ethers_1.ethers.JsonRpcProvider(config.rpcUrl);
-        const guardianSigner = new ethers_1.ethers.Wallet(config.guardianPrivateKey, provider);
+        const guardianSigner = new ethers_1.ethers.Wallet(guardianKey, provider);
         const walletContract = new ethers_1.ethers.Contract(config.walletContractAddress, abis_1.ARC402_WALLET_GUARDIAN_ABI, guardianSigner);
         let tx;
         if (opts.drain) {
@@ -1380,12 +1510,14 @@ function registerWalletCommands(program) {
             value: "0x0",
         });
         await provider.waitForTransaction(txHash);
-        config.guardianPrivateKey = guardianWallet.privateKey;
+        saveGuardianKey(guardianWallet.privateKey);
+        if (config.guardianPrivateKey)
+            delete config.guardianPrivateKey;
         config.guardianAddress = guardianWallet.address;
         (0, config_1.saveConfig)(config);
         console.log("\n" + colors_1.c.success + colors_1.c.white(` Guardian set to: ${guardianWallet.address}`));
         console.log(" " + colors_1.c.dim("Tx:") + " " + colors_1.c.white(txHash));
-        console.log(" " + colors_1.c.dim("Guardian private key saved to config."));
+        console.log(" " + colors_1.c.dim("Guardian private key saved to ~/.arc402/guardian.key (chmod 400)."));
         console.log(" " + colors_1.c.warning + " " + colors_1.c.yellow("The guardian key can freeze your wallet. Store it separately from your hot key."));
     });
     // ─── policy-engine freeze / unfreeze (legacy — for PolicyEngine-level freeze) ──
@@ -2096,9 +2228,11 @@ function registerWalletCommands(program) {
                 txHashes.push(txHash);
             }
         }
-        // Persist guardian key if generated
+        // Persist guardian key if generated — save to restricted file, not config.json
         if (guardianWallet) {
-            config.guardianPrivateKey = guardianWallet.privateKey;
+            saveGuardianKey(guardianWallet.privateKey);
+            if (config.guardianPrivateKey)
+                delete config.guardianPrivateKey;
             config.guardianAddress = guardianWallet.address;
             (0, config_1.saveConfig)(config);
         }
@@ -2110,7 +2244,7 @@ function registerWalletCommands(program) {
             txHashes.forEach((h, i) => console.log(" " + colors_1.c.dim(`Tx ${i + 1}:`) + " " + colors_1.c.white(h)));
         }
         if (guardianWallet) {
-            console.log(" " + colors_1.c.success + colors_1.c.dim(` Guardian key saved to config — address: ${guardianWallet.address}`));
+            console.log(" " + colors_1.c.success + colors_1.c.dim(` Guardian key saved to ~/.arc402/guardian.key — address: ${guardianWallet.address}`));
             console.log(" " + colors_1.c.warning + " " + colors_1.c.yellow("Store the guardian private key separately from your hot key."));
         }
         console.log(colors_1.c.dim("\nVerify with: arc402 wallet status && arc402 wallet policy show"));