mobilestacks 0.1.3 → 0.1.5

package/dist/mobilestacks.config.d.ts

@@ -3,18 +3,16 @@ declare const _default: {
         mainnet: {
             url: string;
             name: string;
-            explorerUrl: string;
-            faucetUrl: null;
         };
         testnet: {
             url: string;
             name: string;
-            explorerUrl: string;
-            faucetUrl: string;
         };
     };
     defaultNetwork: string;
-    wallet: {};
+    wallet: {
+        derivationPath: string;
+    };
 };
 export default _default;
 //# sourceMappingURL=mobilestacks.config.d.ts.map

package/dist/mobilestacks.config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mobilestacks.config.d.ts","sourceRoot":"","sources":["../mobilestacks.config.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,wBAqBE"}
+{"version":3,"file":"mobilestacks.config.d.ts","sourceRoot":"","sources":["../mobilestacks.config.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,wBAWE"}

package/dist/mobilestacks.config.js

@@ -1,25 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-// Example mobilestacks.config.ts for testing
 exports.default = {
     networks: {
-        mainnet: {
-            url: "https://stacks-node-api.mainnet.stacks.co",
-            name: "mainnet",
-            explorerUrl: "https://explorer.stacks.co",
-            faucetUrl: null
-        },
-        testnet: {
-            url: "https://stacks-node-api.testnet.stacks.co",
-            name: "testnet",
-            explorerUrl: "https://explorer.stacks.co?chain=testnet",
-            faucetUrl: "https://stacks-node-api.testnet.stacks.co/extended/v1/faucet/stx"
-        }
+        mainnet: { url: 'https://stacks-node-api.mainnet.stacks.co', name: 'mainnet' },
+        testnet: { url: 'https://stacks-node-api.testnet.stacks.co', name: 'testnet' }
     },
-    defaultNetwork: "testnet",
+    defaultNetwork: 'testnet',
     wallet: {
-    // privateKey: "YOUR_PRIVATE_KEY_HERE",
-    // seedPhrase: "your twelve word phrase here",
-    // derivationPath: "m/44'/5757'/0'/0/0"
+        derivationPath: "m/44'/5757'/0'/0/0"
     }
 };

package/dist/src/cli/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/init.ts"],"names":[],"mappings":"AAIA,wBAAsB,OAAO,kBAoD5B"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/init.ts"],"names":[],"mappings":"AAIA,wBAAsB,OAAO,kBAoF5B"}

package/dist/src/cli/init.js

@@ -28,34 +28,56 @@ async function runInit() {
             message: 'Stacks testnet node URL:',
             default: 'https://stacks-node-api.testnet.stacks.co',
         },
-        {
-            type: 'input',
-            name: 'privateKey',
-            message: 'Your wallet private key (leave blank to use seed phrase):',
-        },
-        {
-            type: 'input',
-            name: 'seedPhrase',
-            message: 'Your wallet seed phrase (leave blank if using private key):',
-        },
         {
             type: 'input',
             name: 'derivationPath',
-            message: 'Derivation path (default: m/44\'/5757\'/0\'/0/0):',
+            message: "Derivation path (default: m/44'/5757'/0'/0/0):",
             default: "m/44'/5757'/0'/0/0",
         },
     ]);
-    const config = `export default {\n  networks: {\n    mainnet: { url: '${answers.mainnetUrl}', name: 'mainnet' },\n    testnet: { url: '${answers.testnetUrl}', name: 'testnet' }\n  },\n  defaultNetwork: 'testnet',\n  wallet: {\n    ${answers.privateKey ? `privateKey: '${answers.privateKey}',` : ''}\n    ${answers.seedPhrase ? `seedPhrase: '${answers.seedPhrase}',` : ''}\n    derivationPath: '${answers.derivationPath}'\n  }\n};\n`;
+    // ── Config file: references env vars, never embeds secrets ──
+    const config = `import 'dotenv/config';
+
+export default {
+  networks: {
+    mainnet: { url: process.env.STACKS_MAINNET_URL || '${answers.mainnetUrl}', name: 'mainnet' },
+    testnet: { url: process.env.STACKS_TESTNET_URL || '${answers.testnetUrl}', name: 'testnet' },
+  },
+  defaultNetwork: 'testnet',
+  wallet: {
+    // Secrets are read from environment variables — never hard-code them here.
+    privateKey: process.env.MOBILESTACKS_PRIVATE_KEY || '',
+    seedPhrase: process.env.MOBILESTACKS_SEED_PHRASE || '',
+    derivationPath: '${answers.derivationPath}',
+  },
+};
+`;
     fs_1.default.writeFileSync(path_1.default.join(process.cwd(), 'mobilestacks.config.ts'), config);
-    // Scaffold example contract
+    // ── .env file (if it doesn't exist yet) ──
+    const envPath = path_1.default.join(process.cwd(), '.env');
+    if (!fs_1.default.existsSync(envPath)) {
+        const envContent = `# Mobilestacks secrets — NEVER commit this file!\nMOBILESTACKS_PRIVATE_KEY=\nMOBILESTACKS_SEED_PHRASE=\nSTACKS_MAINNET_URL=${answers.mainnetUrl}\nSTACKS_TESTNET_URL=${answers.testnetUrl}\n`;
+        fs_1.default.writeFileSync(envPath, envContent, { mode: 0o600 }); // owner-only permissions
+    }
+    // ── Scaffold example contract ──
     const contractsDir = path_1.default.join(process.cwd(), 'contracts');
     if (!fs_1.default.existsSync(contractsDir))
         fs_1.default.mkdirSync(contractsDir);
     fs_1.default.writeFileSync(path_1.default.join(contractsDir, 'sample-contract.clar'), '(define-public (hello-world)\n  (ok "Hello, Stacks!"))\n');
-    // Scaffold example user task
+    // ── Scaffold example user task ──
     const tasksDir = path_1.default.join(process.cwd(), 'src', 'tasks');
     if (!fs_1.default.existsSync(tasksDir))
         fs_1.default.mkdirSync(tasksDir, { recursive: true });
     fs_1.default.writeFileSync(path_1.default.join(tasksDir, 'example-task.ts'), "import { task } from '../core/dsl';\n\ntask('example', 'An example user task for onboarding')\n  .addParam('name', 'Your name', { type: 'string', required: false, defaultValue: 'World' })\n  .setAction(async (args) => {\n    return `Hello, ${args.name}! Welcome to mobilestacks.`;\n  });\n");
-    console.log('Created mobilestacks.config.ts, contracts/sample-contract.clar, and src/tasks/example-task.ts!');
+    // ── Security notice ──
+    console.log('\n✅ Created:');
+    console.log('   • mobilestacks.config.ts  (reads secrets from env vars)');
+    console.log('   • .env                    (store your secrets here)');
+    console.log('   • contracts/sample-contract.clar');
+    console.log('   • src/tasks/example-task.ts');
+    console.log('\n⚠️  SECURITY WARNING:');
+    console.log('   Your wallet secrets belong in the .env file, NOT in source code.');
+    console.log('   • .env is already listed in .gitignore — never remove that entry.');
+    console.log('   • Set MOBILESTACKS_PRIVATE_KEY or MOBILESTACKS_SEED_PHRASE in .env');
+    console.log('   • See .env.example for the full list of supported variables.\n');
 }

package/dist/src/core/runtime-environment.d.ts

@@ -1,3 +1,4 @@
+import 'dotenv/config';
 import { MobilestacksConfig } from '../types/config';
 import { StacksNetwork } from '@stacks/network';
 export declare class RuntimeEnvironment {

package/dist/src/core/runtime-environment.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runtime-environment.d.ts","sourceRoot":"","sources":["../../../src/core/runtime-environment.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAiB,MAAM,iBAAiB,CAAC;AAGpE,OAAO,EAAE,aAAa,EAAiB,MAAM,iBAAiB,CAAC;AAG/D,qBAAa,kBAAkB;IACtB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,OAAO,EAAE,aAAa,CAAC;IACvB,MAAM,EAAG;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACxE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;gBAEX,MAAM,EAAE,kBAAkB;CA4DvC"}
+{"version":3,"file":"runtime-environment.d.ts","sourceRoot":"","sources":["../../../src/core/runtime-environment.ts"],"names":[],"mappings":"AAAA,OAAO,eAAe,CAAC;AACvB,OAAO,EAAE,kBAAkB,EAAiB,MAAM,iBAAiB,CAAC;AAGpE,OAAO,EAAE,aAAa,EAAiB,MAAM,iBAAiB,CAAC;AAG/D,qBAAa,kBAAkB;IACtB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,OAAO,EAAE,aAAa,CAAC;IACvB,MAAM,EAAG;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACxE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;gBAEX,MAAM,EAAE,kBAAkB;CAkEvC"}

package/dist/src/core/runtime-environment.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.RuntimeEnvironment = void 0;
+require("dotenv/config");
 const transactions_1 = require("@stacks/transactions");
 const wallet_sdk_1 = require("@stacks/wallet-sdk");
 const network_1 = require("@stacks/network");
@@ -27,25 +28,26 @@ class RuntimeEnvironment {
                 client: { baseUrl: networkConfig.url }
             });
         }
-        // Wallet: support privateKey, seedPhrase+derivationPath, or both (prefer privateKey)
-        if (config.wallet.privateKey) {
-            // Derive address from privateKey
-            const address = (0, transactions_1.getAddressFromPrivateKey)(config.wallet.privateKey, networkName === 'mainnet' ? 'mainnet' : 'testnet');
-            this.wallet = {
-                privateKey: config.wallet.privateKey,
-                address,
-            };
+        // ── Resolve wallet secrets (env vars take priority over config) ──
+        const privateKey = process.env.MOBILESTACKS_PRIVATE_KEY ||
+            process.env.STACKS_PRIVATE_KEY ||
+            config.wallet.privateKey ||
+            '';
+        const seedPhrase = process.env.MOBILESTACKS_SEED_PHRASE ||
+            process.env.STACKS_SEED_PHRASE ||
+            config.wallet.seedPhrase ||
+            '';
+        if (privateKey) {
+            const address = (0, transactions_1.getAddressFromPrivateKey)(privateKey, networkName === 'mainnet' ? 'mainnet' : 'testnet');
+            this.wallet = { privateKey, address };
         }
-        else if (config.wallet.seedPhrase) {
-            const path = config.wallet.derivationPath || "m/44'/5757'/0'/0/0"; // Stacks main path
-            // generateWallet requires a password param
-            (0, wallet_sdk_1.generateWallet)({ secretKey: config.wallet.seedPhrase, password: '' }).then(wallet => {
-                const index = parseInt(path.split('/').pop() || '0', 10);
+        else if (seedPhrase) {
+            const derivPath = config.wallet.derivationPath || "m/44'/5757'/0'/0/0";
+            (0, wallet_sdk_1.generateWallet)({ secretKey: seedPhrase, password: '' }).then(wallet => {
+                const index = parseInt(derivPath.split('/').pop() || '0', 10);
                 const account = wallet.accounts[index] || wallet.accounts[0];
-                // Use getStxAddress to get the address
                 // eslint-disable-next-line @typescript-eslint/no-var-requires
                 const { getStxAddress } = require('@stacks/wallet-sdk/dist/models/account');
-                // network.addressVersion has singleSig/multiSig lines. 
                 const address = getStxAddress(account, this.network.transactionVersion);
                 this.wallet = {
                     privateKey: account.stxPrivateKey,
@@ -57,7 +59,8 @@ class RuntimeEnvironment {
             });
         }
         else {
-            throw new Error('No privateKey or seedPhrase provided in wallet config');
+            // No secrets anywhere — warn but don't crash (devnet may not need a wallet)
+            console.warn('⚠️  No wallet secret found. Set MOBILESTACKS_PRIVATE_KEY or MOBILESTACKS_SEED_PHRASE in your .env file.');
         }
         this.stacks = {};
         // Apply extensions

package/dist/src/types/config.d.ts

@@ -15,7 +15,7 @@ export declare const NetworkConfigSchema: z.ZodObject<{
     explorerUrl?: string | undefined;
     faucetUrl?: string | null | undefined;
 }>;
-export declare const WalletConfigSchema: z.ZodEffects<z.ZodObject<{
+export declare const WalletConfigSchema: z.ZodObject<{
     privateKey: z.ZodOptional<z.ZodString>;
     seedPhrase: z.ZodOptional<z.ZodString>;
     derivationPath: z.ZodOptional<z.ZodString>;
@@ -30,16 +30,6 @@ export declare const WalletConfigSchema: z.ZodEffects<z.ZodObject<{
     seedPhrase?: string | undefined;
     derivationPath?: string | undefined;
     address?: string | undefined;
-}>, {
-    privateKey?: string | undefined;
-    seedPhrase?: string | undefined;
-    derivationPath?: string | undefined;
-    address?: string | undefined;
-}, {
-    privateKey?: string | undefined;
-    seedPhrase?: string | undefined;
-    derivationPath?: string | undefined;
-    address?: string | undefined;
 }>;
 export declare const MobilestacksConfigSchema: z.ZodObject<{
     networks: z.ZodRecord<z.ZodString, z.ZodObject<{
@@ -59,7 +49,7 @@ export declare const MobilestacksConfigSchema: z.ZodObject<{
         faucetUrl?: string | null | undefined;
     }>>;
     defaultNetwork: z.ZodString;
-    wallet: z.ZodEffects<z.ZodObject<{
+    wallet: z.ZodObject<{
         privateKey: z.ZodOptional<z.ZodString>;
         seedPhrase: z.ZodOptional<z.ZodString>;
         derivationPath: z.ZodOptional<z.ZodString>;
@@ -74,16 +64,6 @@ export declare const MobilestacksConfigSchema: z.ZodObject<{
         seedPhrase?: string | undefined;
         derivationPath?: string | undefined;
         address?: string | undefined;
-    }>, {
-        privateKey?: string | undefined;
-        seedPhrase?: string | undefined;
-        derivationPath?: string | undefined;
-        address?: string | undefined;
-    }, {
-        privateKey?: string | undefined;
-        seedPhrase?: string | undefined;
-        derivationPath?: string | undefined;
-        address?: string | undefined;
     }>;
 }, "strip", z.ZodTypeAny, {
     networks: Record<string, {

package/dist/src/types/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/types/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAC;AAIH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;EAQ9B,CAAC;AAEF,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAInC,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/types/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAC;AAKH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;EAK7B,CAAC;AAEH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAInC,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC"}

package/dist/src/types/config.js

@@ -8,13 +8,14 @@ exports.NetworkConfigSchema = zod_1.z.object({
     explorerUrl: zod_1.z.string().url().optional(),
     faucetUrl: zod_1.z.string().url().nullable().optional(),
 });
-// Wallet config: allow privateKey, seedPhrase, or both. If both, privateKey is used.
+// Wallet config: secrets are resolved at runtime from env vars.
+// Config values are optional fallbacks.
 exports.WalletConfigSchema = zod_1.z.object({
-    privateKey: zod_1.z.string().min(1, "Private key is required").optional(),
+    privateKey: zod_1.z.string().optional(),
     seedPhrase: zod_1.z.string().optional(),
     derivationPath: zod_1.z.string().optional(),
     address: zod_1.z.string().optional(),
-}).refine((data) => data.privateKey || data.seedPhrase, { message: "Either privateKey or seedPhrase is required" });
+});
 exports.MobilestacksConfigSchema = zod_1.z.object({
     networks: zod_1.z.record(exports.NetworkConfigSchema),
     defaultNetwork: zod_1.z.string(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobilestacks",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Professional Task Runner & CLI for the Stacks Blockchain",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
@@ -66,6 +66,7 @@
     "commander": "^11.0.0",
     "dotenv": "^17.3.1",
     "inquirer": "^8.2.7",
+    "mobilestacks": "^0.1.3",
     "node-fetch": "^2.7.0",
     "ts-node": "^10.9.1",
     "zod": "^3.25.76"

package/src/cli/init.ts

@@ -23,35 +23,67 @@ export async function runInit() {
       message: 'Stacks testnet node URL:',
       default: 'https://stacks-node-api.testnet.stacks.co',
     },
-    {
-      type: 'input',
-      name: 'privateKey',
-      message: 'Your wallet private key (leave blank to use seed phrase):',
-    },
-    {
-      type: 'input',
-      name: 'seedPhrase',
-      message: 'Your wallet seed phrase (leave blank if using private key):',
-    },
     {
       type: 'input',
       name: 'derivationPath',
-      message: 'Derivation path (default: m/44\'/5757\'/0\'/0/0):',
+      message: "Derivation path (default: m/44'/5757'/0'/0/0):",
       default: "m/44'/5757'/0'/0/0",
     },
   ]);
 
-  const config = `export default {\n  networks: {\n    mainnet: { url: '${answers.mainnetUrl}', name: 'mainnet' },\n    testnet: { url: '${answers.testnetUrl}', name: 'testnet' }\n  },\n  defaultNetwork: 'testnet',\n  wallet: {\n    ${answers.privateKey ? `privateKey: '${answers.privateKey}',` : ''}\n    ${answers.seedPhrase ? `seedPhrase: '${answers.seedPhrase}',` : ''}\n    derivationPath: '${answers.derivationPath}'\n  }\n};\n`;
+  // ── Config file: references env vars, never embeds secrets ──
+  const config = `import 'dotenv/config';
+
+export default {
+  networks: {
+    mainnet: { url: process.env.STACKS_MAINNET_URL || '${answers.mainnetUrl}', name: 'mainnet' },
+    testnet: { url: process.env.STACKS_TESTNET_URL || '${answers.testnetUrl}', name: 'testnet' },
+  },
+  defaultNetwork: 'testnet',
+  wallet: {
+    // Secrets are read from environment variables — never hard-code them here.
+    privateKey: process.env.MOBILESTACKS_PRIVATE_KEY || '',
+    seedPhrase: process.env.MOBILESTACKS_SEED_PHRASE || '',
+    derivationPath: '${answers.derivationPath}',
+  },
+};
+`;
 
   fs.writeFileSync(path.join(process.cwd(), 'mobilestacks.config.ts'), config);
-  // Scaffold example contract
+
+  // ── .env file (if it doesn't exist yet) ──
+  const envPath = path.join(process.cwd(), '.env');
+  if (!fs.existsSync(envPath)) {
+    const envContent = `# Mobilestacks secrets — NEVER commit this file!\nMOBILESTACKS_PRIVATE_KEY=\nMOBILESTACKS_SEED_PHRASE=\nSTACKS_MAINNET_URL=${answers.mainnetUrl}\nSTACKS_TESTNET_URL=${answers.testnetUrl}\n`;
+    fs.writeFileSync(envPath, envContent, { mode: 0o600 }); // owner-only permissions
+  }
+
+  // ── Scaffold example contract ──
   const contractsDir = path.join(process.cwd(), 'contracts');
   if (!fs.existsSync(contractsDir)) fs.mkdirSync(contractsDir);
-  fs.writeFileSync(path.join(contractsDir, 'sample-contract.clar'), '(define-public (hello-world)\n  (ok "Hello, Stacks!"))\n');
-  // Scaffold example user task
+  fs.writeFileSync(
+    path.join(contractsDir, 'sample-contract.clar'),
+    '(define-public (hello-world)\n  (ok "Hello, Stacks!"))\n',
+  );
+
+  // ── Scaffold example user task ──
   const tasksDir = path.join(process.cwd(), 'src', 'tasks');
   if (!fs.existsSync(tasksDir)) fs.mkdirSync(tasksDir, { recursive: true });
-  fs.writeFileSync(path.join(tasksDir, 'example-task.ts'),
-    "import { task } from '../core/dsl';\n\ntask('example', 'An example user task for onboarding')\n  .addParam('name', 'Your name', { type: 'string', required: false, defaultValue: 'World' })\n  .setAction(async (args) => {\n    return `Hello, ${args.name}! Welcome to mobilestacks.`;\n  });\n");
-  console.log('Created mobilestacks.config.ts, contracts/sample-contract.clar, and src/tasks/example-task.ts!');
+  fs.writeFileSync(
+    path.join(tasksDir, 'example-task.ts'),
+    "import { task } from '../core/dsl';\n\ntask('example', 'An example user task for onboarding')\n  .addParam('name', 'Your name', { type: 'string', required: false, defaultValue: 'World' })\n  .setAction(async (args) => {\n    return `Hello, ${args.name}! Welcome to mobilestacks.`;\n  });\n",
+  );
+
+  // ── Security notice ──
+  console.log('\n✅ Created:');
+  console.log('   • mobilestacks.config.ts  (reads secrets from env vars)');
+  console.log('   • .env                    (store your secrets here)');
+  console.log('   • contracts/sample-contract.clar');
+  console.log('   • src/tasks/example-task.ts');
+
+  console.log('\n⚠️  SECURITY WARNING:');
+  console.log('   Your wallet secrets belong in the .env file, NOT in source code.');
+  console.log('   • .env is already listed in .gitignore — never remove that entry.');
+  console.log('   • Set MOBILESTACKS_PRIVATE_KEY or MOBILESTACKS_SEED_PHRASE in .env');
+  console.log('   • See .env.example for the full list of supported variables.\n');
 }

package/src/core/runtime-environment.ts

@@ -1,3 +1,4 @@
+import 'dotenv/config'; 
 import { MobilestacksConfig, NetworkConfig } from '../types/config';
 import { getAddressFromPrivateKey } from '@stacks/transactions';
 import { generateWallet } from '@stacks/wallet-sdk';
@@ -33,26 +34,29 @@ export class RuntimeEnvironment {
       });
     }
 
-    // Wallet: support privateKey, seedPhrase+derivationPath, or both (prefer privateKey)
-    if (config.wallet.privateKey) {
-      // Derive address from privateKey
-      const address = getAddressFromPrivateKey(config.wallet.privateKey, networkName === 'mainnet' ? 'mainnet' : 'testnet');
-      this.wallet = {
-        privateKey: config.wallet.privateKey,
-        address,
-      };
-    } else if (config.wallet.seedPhrase) {
-      const path = config.wallet.derivationPath || "m/44'/5757'/0'/0/0"; // Stacks main path
-      // generateWallet requires a password param
-      generateWallet({ secretKey: config.wallet.seedPhrase, password: '' }).then(wallet => {
-        const index = parseInt(path.split('/').pop() || '0', 10);
+    // ── Resolve wallet secrets (env vars take priority over config) ──
+    const privateKey =
+      process.env.MOBILESTACKS_PRIVATE_KEY ||
+      process.env.STACKS_PRIVATE_KEY ||
+      config.wallet.privateKey ||
+      '';
+    const seedPhrase =
+      process.env.MOBILESTACKS_SEED_PHRASE ||
+      process.env.STACKS_SEED_PHRASE ||
+      config.wallet.seedPhrase ||
+      '';
+
+    if (privateKey) {
+      const address = getAddressFromPrivateKey(privateKey, networkName === 'mainnet' ? 'mainnet' : 'testnet');
+      this.wallet = { privateKey, address };
+    } else if (seedPhrase) {
+      const derivPath = config.wallet.derivationPath || "m/44'/5757'/0'/0/0";
+      generateWallet({ secretKey: seedPhrase, password: '' }).then(wallet => {
+        const index = parseInt(derivPath.split('/').pop() || '0', 10);
         const account = wallet.accounts[index] || wallet.accounts[0];
-        // Use getStxAddress to get the address
         // eslint-disable-next-line @typescript-eslint/no-var-requires
         const { getStxAddress } = require('@stacks/wallet-sdk/dist/models/account');
-        // network.addressVersion has singleSig/multiSig lines. 
-        const address = getStxAddress(account, this.network.transactionVersion); 
-        
+        const address = getStxAddress(account, this.network.transactionVersion);
         this.wallet = {
           privateKey: account.stxPrivateKey,
           address,
@@ -62,7 +66,10 @@ export class RuntimeEnvironment {
         throw new Error('Failed to generate wallet from seed phrase');
       });
     } else {
-      throw new Error('No privateKey or seedPhrase provided in wallet config');
+      // No secrets anywhere — warn but don't crash (devnet may not need a wallet)
+      console.warn(
+        '⚠️  No wallet secret found. Set MOBILESTACKS_PRIVATE_KEY or MOBILESTACKS_SEED_PHRASE in your .env file.',
+      );
     }
     this.stacks = {};
 

package/src/types/config.ts

@@ -8,16 +8,14 @@ export const NetworkConfigSchema = z.object({
 });
 
 
-// Wallet config: allow privateKey, seedPhrase, or both. If both, privateKey is used.
+// Wallet config: secrets are resolved at runtime from env vars.
+// Config values are optional fallbacks.
 export const WalletConfigSchema = z.object({
-  privateKey: z.string().min(1, "Private key is required").optional(),
+  privateKey: z.string().optional(),
   seedPhrase: z.string().optional(),
   derivationPath: z.string().optional(),
   address: z.string().optional(),
-}).refine(
-  (data) => data.privateKey || data.seedPhrase,
-  { message: "Either privateKey or seedPhrase is required" }
-);
+});
 
 export const MobilestacksConfigSchema = z.object({
   networks: z.record(NetworkConfigSchema),