moneyos 0.3.2 → 0.3.4

package/README.md

@@ -12,7 +12,6 @@ but the repo is structured so each major surface can evolve independently.
 - `moneyos`: the root SDK + CLI package
 - `@moneyos/core`: runtime interfaces, shared types, chain/token registries
 - `@moneyos/tool-swap`: swap execution tool and provider surface
-- `@moneyos/executor-particle`: Particle AA smart-account executor
 
 ## CLI
 
@@ -23,6 +22,7 @@ moneyos init [--key 0x...] [--force] [--chain 42161] [--rpc https://...]
 moneyos auth unlock
 moneyos auth lock
 moneyos auth status
+moneyos auth change-password
 moneyos backup export [--out ./wallet-backup.json] [--force]
 moneyos backup restore <path> [--force]
 moneyos backup status
@@ -79,6 +79,7 @@ What is landed in code today:
 - `~/.moneyos/config.json` now stores only non-secret settings such as chain and RPC configuration
 - `MONEYOS_PRIVATE_KEY` remains an explicit override for ephemeral CI or agent runs
 - `moneyos auth unlock` opens a short-lived local session for write commands
+- `moneyos auth change-password` rotates the local wallet password and locks the current session
 - `moneyos backup export|restore|status` manages encrypted wallet backups
 - Normal wallet commands resolve their write path through one shared session-aware flow
 - Local EOA signers use viem's nonce manager, so back-to-back live transactions
@@ -120,6 +121,19 @@ If you have a legacy `~/.moneyos/config.json` with a plaintext `privateKey`
 field from a pre-encrypted-wallet version of the CLI, `moneyos init` with no
 flags will detect and import that key automatically.
 
+## Changing the wallet password
+
+Use:
+
+```bash
+moneyos auth change-password
+```
+
+This re-encrypts the active local wallet file with a new password and locks the
+current local session. Existing backup files and previously exported backups
+remain snapshots encrypted with the old password. If you want a backup under
+the new password, run `moneyos backup export` after the password change.
+
 ## Threat model
 
 What this wallet model is meant to protect against:
@@ -186,7 +200,6 @@ What still needs more hands-on validation:
 - live session-backed ETH send
 - live session-backed ERC-20 send
 - live session-backed swap
-- Particle executor against real infrastructure
 - more live usage of the encrypted-wallet/auth/backup flow in a real terminal
 
 ## Development
@@ -195,7 +208,6 @@ What still needs more hands-on validation:
 npm install
 npm run build:core
 npm run build:tool-swap
-npm run build:executor-particle
 npm run typecheck
 npm test
 npm run lint

package/dist/cli/index.js

@@ -47,6 +47,10 @@ var DEFAULT_KDF = {
 };
 var SECURE_FILE_MODE = 384;
 var SECURE_PARENT_MODE = 448;
+var WALLET_WRITE_LABELS = {
+  parentDescription: "Wallet directory",
+  fileDescription: "Wallet file"
+};
 function normalizePassphrase(passphrase) {
   return passphrase.normalize("NFC");
 }
@@ -59,7 +63,7 @@ function walletProofMessage(wallet) {
     `createdAt=${wallet.createdAt}`
   ].join("|");
 }
-function ensureParentDir(path) {
+function ensureParentDir(path, label) {
   const dir = dirname(path);
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true, mode: SECURE_PARENT_MODE });
@@ -68,7 +72,7 @@ function ensureParentDir(path) {
   const mode = statSync(dir).mode & 511;
   if ((mode & 63) !== 0) {
     throw new Error(
-      `Wallet directory ${dir} has insecure permissions (${mode.toString(8)}). Restrict it to 700 before continuing.`
+      `${label} ${dir} has insecure permissions (${mode.toString(8)}). Restrict it to 700 before continuing.`
     );
   }
 }
@@ -161,9 +165,9 @@ function walletAad(kdf) {
     "utf8"
   );
 }
-function writeFileAtomicSecure(path, contents) {
-  ensureParentDir(path);
-  assertSecureFileMode(path, "Wallet file");
+function writeFileAtomicSecure(path, contents, labels = WALLET_WRITE_LABELS) {
+  ensureParentDir(path, labels.parentDescription);
+  assertSecureFileMode(path, labels.fileDescription);
   const tmpPath = join(
     dirname(path),
     `.${basename(path)}.${randomBytes(6).toString("hex")}.tmp`
@@ -190,7 +194,7 @@ function writeFileAtomicSecure(path, contents) {
 }
 async function encryptWallet(params) {
   const account = privateKeyToAccount(params.privateKey);
-  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+  const createdAt = params.identity?.createdAt ?? (/* @__PURE__ */ new Date()).toISOString();
   const salt = randomBytes(16);
   const nonce = randomBytes(12);
   const key = deriveKey(params.passphrase, salt, DEFAULT_KDF);
@@ -202,7 +206,7 @@ async function encryptWallet(params) {
   );
   const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
   const authTag = cipher.getAuthTag();
-  const addressProof = await account.signMessage({
+  const addressProof = params.identity?.addressProof ?? await account.signMessage({
     message: walletProofMessage({
       version: 1,
       kind: "encrypted-local-eoa",
@@ -210,10 +214,13 @@ async function encryptWallet(params) {
       createdAt
     })
   });
+  if (params.identity && account.address.toLowerCase() !== params.identity.address.toLowerCase()) {
+    throw new Error("wallet address metadata mismatch");
+  }
   return {
-    version: 1,
-    kind: "encrypted-local-eoa",
-    address: account.address,
+    version: params.identity?.version ?? 1,
+    kind: params.identity?.kind ?? "encrypted-local-eoa",
+    address: params.identity?.address ?? account.address,
     createdAt,
     addressProof,
     kdf: DEFAULT_KDF,
@@ -226,6 +233,15 @@ async function encryptWallet(params) {
     }
   };
 }
+function walletIdentity(wallet) {
+  return {
+    version: wallet.version,
+    kind: wallet.kind,
+    address: wallet.address,
+    createdAt: wallet.createdAt,
+    addressProof: wallet.addressProof
+  };
+}
 async function decryptWalletFile(wallet, passphrase) {
   try {
     const salt = Buffer.from(wallet.crypto.salt, "base64");
@@ -276,9 +292,32 @@ var FileEncryptedWalletStore = class {
   }
   async save(params) {
     const wallet = await encryptWallet(params);
-    writeFileAtomicSecure(this.walletPath, JSON.stringify(wallet, null, 2));
+    writeFileAtomicSecure(
+      this.walletPath,
+      JSON.stringify(wallet, null, 2),
+      WALLET_WRITE_LABELS
+    );
     return toMetadata(wallet);
   }
+  async rotatePassphrase(params) {
+    if (!this.exists()) {
+      throw new Error("No wallet configured. Run `moneyos init`.");
+    }
+    assertSecureFileMode(this.walletPath, "Wallet file");
+    const wallet = parseWalletFile(
+      readFileSync(this.walletPath, "utf8"),
+      this.walletPath
+    );
+    await verifyWalletAddressProof(wallet, this.walletPath);
+    const privateKey = await decryptWalletFile(wallet, params.oldPassphrase);
+    const rotated = await encryptWallet({
+      privateKey,
+      passphrase: params.newPassphrase,
+      identity: walletIdentity(wallet)
+    });
+    writeFileAtomicSecure(this.walletPath, JSON.stringify(rotated, null, 2));
+    return toMetadata(rotated);
+  }
   async decrypt(passphrase) {
     if (!this.exists()) {
       throw new Error("No wallet configured. Run `moneyos init`.");
@@ -306,10 +345,20 @@ var FileEncryptedWalletStore = class {
   async restore(data) {
     const wallet = parseWalletFile(JSON.stringify(data), this.walletPath);
     await verifyWalletAddressProof(wallet, this.walletPath);
-    writeFileAtomicSecure(this.walletPath, JSON.stringify(wallet, null, 2));
+    writeFileAtomicSecure(
+      this.walletPath,
+      JSON.stringify(wallet, null, 2),
+      WALLET_WRITE_LABELS
+    );
     return toMetadata(wallet);
   }
 };
+async function writeEncryptedWalletFile(path, data, labels = WALLET_WRITE_LABELS) {
+  const wallet = parseWalletFile(JSON.stringify(data), path);
+  await verifyWalletAddressProof(wallet, path);
+  writeFileAtomicSecure(path, JSON.stringify(wallet, null, 2), labels);
+  return toMetadata(wallet);
+}
 async function readEncryptedWalletFile(path) {
   assertSecureFileMode(path, "Wallet file");
   const wallet = parseWalletFile(readFileSync(path, "utf8"), path);
@@ -360,7 +409,10 @@ var FileBackupProvider = class {
         "Backup file already exists. Re-run with `--force` if you really want to overwrite it."
       );
     }
-    await new FileEncryptedWalletStore(targetPath).restore(wallet);
+    await writeEncryptedWalletFile(targetPath, wallet, {
+      parentDescription: "Backup export destination directory",
+      fileDescription: "Backup export file"
+    });
     return targetPath;
   }
   async restoreWallet(fromPath, options) {
@@ -1259,38 +1311,58 @@ function parseChainId(value, fallback) {
   }
   return parsed;
 }
-var initCommand = new Command("init").description("Initialize MoneyOS with a new or imported encrypted wallet").option("-k, --key <privateKey>", "Import an existing private key").option("--force", "Overwrite the existing encrypted wallet").option("--chain <chainId>", "Default chain ID (default: 42161 Arbitrum)").option("--rpc <url>", "Custom RPC URL").action(async (options) => {
-  const existing = loadFileConfig();
-  const walletPath = getWalletPath(existing);
-  const backupDir = getBackupDir(existing);
-  const wallet = new FileEncryptedWalletStore(walletPath);
+var defaultInitCommandDependencies = {
+  loadFileConfig,
+  getWalletPath,
+  getBackupDir,
+  getConfigPath,
+  createWalletStore: (walletPath) => new FileEncryptedWalletStore(walletPath),
+  createBackupProvider: (params) => new FileBackupProvider(params),
+  hasRemovedOnePasswordConfig,
+  getRemovedOnePasswordStorageMessage,
+  hasLegacyPlaintextWalletConfig,
+  getLegacyPlaintextWalletStorageMessage,
+  promptHidden,
+  lockSession,
+  getSessionSocketPath,
+  getSessionTokenPath,
+  saveConfig,
+  generatePrivateKey,
+  log: (message) => console.log(message),
+  error: (message) => console.error(message)
+};
+async function runInitCommand(options, deps = defaultInitCommandDependencies) {
+  const existing = deps.loadFileConfig();
+  const walletPath = deps.getWalletPath(existing);
+  const backupDir = deps.getBackupDir(existing);
+  const wallet = deps.createWalletStore(walletPath);
   if (wallet.exists() && !options.force) {
     const metadata = await wallet.metadata();
-    console.log(`Already initialized.`);
+    deps.log(`Already initialized.`);
     if (metadata?.address) {
-      console.log(`Address: ${metadata.address}`);
+      deps.log(`Address: ${metadata.address}`);
     }
-    console.log(`Wallet:  ${walletPath}`);
-    console.log(`Config:  ${getConfigPath()}`);
-    console.log(`
+    deps.log(`Wallet:  ${walletPath}`);
+    deps.log(`Config:  ${deps.getConfigPath()}`);
+    deps.log(`
 To reinitialize, run: moneyos init --force --key <privateKey>`);
     return;
   }
-  if (hasRemovedOnePasswordConfig(existing) && !options.key) {
-    console.error(getRemovedOnePasswordStorageMessage());
-    console.error(`Config: ${getConfigPath()}`);
+  if (deps.hasRemovedOnePasswordConfig(existing) && !options.key) {
+    deps.error(deps.getRemovedOnePasswordStorageMessage());
+    deps.error(`Config: ${deps.getConfigPath()}`);
     return;
   }
   try {
-    const privateKey = options.key ?? (hasLegacyPlaintextWalletConfig(existing) ? existing.privateKey : generatePrivateKey());
+    const privateKey = options.key ?? (deps.hasLegacyPlaintextWalletConfig(existing) ? existing.privateKey : deps.generatePrivateKey());
     const account = privateKeyToAccount3(privateKey);
     const chainId = parseChainId(options.chain, existing.chainId ?? 42161);
     const rpcUrl = options.rpc ?? existing.rpcUrl;
-    const passphrase = await promptHidden("Choose wallet password: ");
+    const passphrase = await deps.promptHidden("Choose wallet password: ");
     if (passphrase.length < 8) {
       throw new Error("Wallet password must be at least 8 characters long.");
     }
-    const confirmPassphrase = await promptHidden("Confirm wallet password: ");
+    const confirmPassphrase = await deps.promptHidden("Confirm wallet password: ");
     if (passphrase !== confirmPassphrase) {
       throw new Error("Wallet password confirmation did not match.");
     }
@@ -1298,41 +1370,47 @@ To reinitialize, run: moneyos init --force --key <privateKey>`);
       privateKey,
       passphrase
     });
-    await lockSession(getSessionSocketPath(), getSessionTokenPath());
-    saveConfig({
+    await deps.lockSession(
+      deps.getSessionSocketPath(),
+      deps.getSessionTokenPath()
+    );
+    deps.saveConfig({
       chainId,
       rpcUrl,
       walletPath: existing.walletPath,
       backupDir: existing.backupDir
     });
-    const backupProvider = new FileBackupProvider({
+    const backupProvider = deps.createBackupProvider({
       walletPath,
       backupDir
     });
     const backupPath = await backupProvider.exportWallet();
-    console.log(`MoneyOS initialized.`);
-    console.log(`Address: ${account.address}`);
-    console.log(`Wallet:  ${walletPath}`);
-    console.log(`Config:  ${getConfigPath()}`);
-    console.log(`Backup:  ${backupPath}`);
-    console.log(
+    deps.log(`MoneyOS initialized.`);
+    deps.log(`Address: ${account.address}`);
+    deps.log(`Wallet:  ${walletPath}`);
+    deps.log(`Config:  ${deps.getConfigPath()}`);
+    deps.log(`Backup:  ${backupPath}`);
+    deps.log(
       `
 Save your wallet password in your password manager of choice. MoneyOS does not store or sync it for you.`
     );
-    if (hasLegacyPlaintextWalletConfig(existing) && !options.key) {
-      console.log(`
+    if (deps.hasLegacyPlaintextWalletConfig(existing) && !options.key) {
+      deps.log(`
 Imported legacy plaintext wallet into the encrypted wallet file.`);
-      console.log(getLegacyPlaintextWalletStorageMessage());
+      deps.log(deps.getLegacyPlaintextWalletStorageMessage());
     } else if (!options.key) {
-      console.log(
+      deps.log(
         `
 This is a new account. Fund it before sending transactions.`
       );
     }
   } catch (error) {
-    console.error(error instanceof Error ? error.message : String(error));
+    deps.error(error instanceof Error ? error.message : String(error));
     process.exitCode = 1;
   }
+}
+var initCommand = new Command("init").description("Initialize MoneyOS with a new or imported encrypted wallet").option("-k, --key <privateKey>", "Import an existing private key").option("--force", "Overwrite the existing encrypted wallet").option("--chain <chainId>", "Default chain ID (default: 42161 Arbitrum)").option("--rpc <url>", "Custom RPC URL").action(async (options) => {
+  await runInitCommand(options);
 });
 
 // src/cli/commands/balance.ts
@@ -1992,8 +2070,70 @@ function formatSessionStatus(params) {
   }
   return lines.join("\n");
 }
+var defaultChangePasswordCommandDependencies = {
+  loadFileConfig,
+  getWalletPath,
+  createWalletStore: (walletPath) => new FileEncryptedWalletStore(walletPath),
+  promptHidden,
+  lockSession,
+  getSessionSocketPath,
+  getSessionTokenPath,
+  log: (message) => console.log(message),
+  error: (message) => console.error(message)
+};
+async function runChangePasswordCommand(deps = defaultChangePasswordCommandDependencies) {
+  const config = deps.loadFileConfig();
+  const walletPath = deps.getWalletPath(config);
+  const wallet = deps.createWalletStore(walletPath);
+  if (!wallet.exists()) {
+    deps.error("No encrypted wallet found. Run `moneyos init` first.");
+    process.exitCode = 1;
+    return;
+  }
+  try {
+    const currentPassphrase = await deps.promptHidden("Current wallet password: ");
+    if (currentPassphrase.length === 0) {
+      throw new Error("Current wallet password cannot be empty.");
+    }
+    const newPassphrase = await deps.promptHidden("New wallet password: ");
+    if (newPassphrase.length < 8) {
+      throw new Error("New wallet password must be at least 8 characters long.");
+    }
+    if (newPassphrase === currentPassphrase) {
+      throw new Error(
+        "New wallet password must differ from the current password."
+      );
+    }
+    const confirmPassphrase = await deps.promptHidden(
+      "Confirm new wallet password: "
+    );
+    if (newPassphrase !== confirmPassphrase) {
+      throw new Error("New wallet password confirmation did not match.");
+    }
+    const metadata = await wallet.rotatePassphrase({
+      oldPassphrase: currentPassphrase,
+      newPassphrase
+    });
+    await deps.lockSession(
+      deps.getSessionSocketPath(),
+      deps.getSessionTokenPath()
+    );
+    deps.log("Wallet password changed.");
+    deps.log(`Address:   ${metadata.address}`);
+    deps.log(formatSessionStatus({ state: "locked" }));
+    deps.log(
+      "Existing backup files and exported copies still require the old wallet password."
+    );
+    deps.log(
+      "Run `moneyos backup export` to create a backup encrypted with the new wallet password."
+    );
+  } catch (error) {
+    deps.error(error instanceof Error ? error.message : String(error));
+    process.exitCode = 1;
+  }
+}
 var authCommand = new Command6("auth").description(
-  "Unlock, inspect, and lock the local MoneyOS wallet session"
+  "Unlock, inspect, lock, and change the local MoneyOS wallet password"
 );
 authCommand.command("unlock").description("Unlock the local wallet and start a short-lived session").action(async () => {
   const config = loadFileConfig();
@@ -2032,6 +2172,9 @@ authCommand.command("unlock").description("Unlock the local wallet and start a s
     process.exitCode = 1;
   }
 });
+authCommand.command("change-password").description("Change the local wallet password and lock the current session").action(async () => {
+  await runChangePasswordCommand();
+});
 authCommand.command("lock").description("Lock the local MoneyOS wallet session").action(async () => {
   const locked = await lockSession(
     getSessionSocketPath(),
@@ -2084,6 +2227,13 @@ function formatBackupStatus(params) {
   }
   return lines.join("\n");
 }
+function getBackupExportPasswordGuidance() {
+  return [
+    "This backup is encrypted with the same wallet password as your active wallet.",
+    "You will need that same wallet password to restore it.",
+    "MoneyOS does not store or sync it for you."
+  ].join(" ");
+}
 var backupCommand = new Command7("backup").description(
   "Export, restore, and inspect encrypted wallet backups"
 );
@@ -2099,9 +2249,7 @@ backupCommand.command("export").description("Write a copy of the encrypted walle
       allowOverwrite: Boolean(options.force)
     });
     console.log(`Backup exported to ${targetPath}`);
-    console.log(
-      "Save your wallet password in your password manager of choice. MoneyOS does not store or sync it for you."
-    );
+    console.log(getBackupExportPasswordGuidance());
   } catch (error) {
     console.error(error instanceof Error ? error.message : String(error));
     process.exitCode = 1;