moneyos 0.5.1 → 0.6.0

package/CHANGELOG.md

@@ -2,6 +2,39 @@
 
 All notable changes to the repo's current `main` branch are documented here.
 
+## 0.6.0 - 2026-04-15
+
+Gasless execution, local contacts, and a wave of wallet UX cleanup.
+
+### Added
+
+- Gasless execution mode, opt-in and default-off. `moneyos gasless status|enable|disable` routes write commands through a smart-account executor instead of the owner EOA. The relay sponsors gas; the smart account still has to hold the asset being sent or swapped. Arbitrum One is the v1 target, with baked defaults for the relay URL, sponsor, factory, and derived smart-account address so `moneyos gasless enable` works out of the box.
+- Smart-account primitives shipped inside the new `@moneyos/gasless` workspace package: `MoneyOSAccountV1`, `MoneyOSAccountFactoryV1` with deterministic CREATE2 deployment, EIP-712 `IntentV1`, ERC-1271 owner-only validation, and replay-safe signer-scoped nonce lanes. The package is bundled inside the published root `moneyos` tarball and is not published to npm on its own.
+- Hosted gasless relay at `services/relay/` — Fastify HTTP app with `POST /v1/execute`, `GET /v1/capabilities`, `GET /v1/tx/:id`; SQLite persistence for nonce reservations, submissions, and usage counters; nonce/simulation/treasury/wallet/health gates; submission adapter with `deployAndExecute` for undeployed smart accounts; kill switch; deploy artifacts for macOS launchd, Linux systemd, and Docker.
+- Local contacts address book. `moneyos contact set|list|remove` stores `name → address` pairs in `~/.moneyos/contacts.json` with 0600 permissions. `moneyos send <amount> <token> <name>` now accepts either a 0x address or a saved contact name, and prints the resolved address before execution so the recipient is always visible.
+- `moneyos update [tool] [--check]` for updating installed MoneyOS CLI tools from the user tool home.
+- `moneyos balance --all` to list balances across every built-in token on the selected chain in one call.
+
+### Changed
+
+- Session send requests are idempotent by request ID at the session layer, so a disconnect after broadcast no longer races into a replay.
+- Cross-chain writes resolve RPC URLs from the chain registry instead of always using the configured default chain's RPC.
+- Core asset registry is honored consistently by balance reads.
+- Release PR shape is mechanically enforced in CI: any PR that bumps a `package.json` version is rejected if it touches anything outside `package.json`, `CHANGELOG.md`, or `package-lock.json` (and their workspace equivalents).
+- Release discipline documented end-to-end in `CONTRIBUTING.md` and `DEVELOPER_GUIDE.md`.
+- Repo docs aligned with the shipped gasless state: `docs/architecture.md`, `DEVELOPER_GUIDE.md`, root `README.md`, `docs/adr-gasless-v1.md`, and the gasless planning documents relabeled as current-state or historical as appropriate.
+- Dropped the implicit "no AI attribution" rule from `DEVELOPER_GUIDE.md`. Commit signature hygiene stays a norm; explicit AI attribution is neither required nor forbidden.
+
+### Fixed
+
+- `moneyos gasless enable` on a fresh install now derives and persists the default smart-account address before marking gasless enabled; previously the enabled flag could save without the derived account.
+- First gasless send against an undeployed smart account no longer fails while trying to read nonce from bytecode that does not exist yet; missing account code is treated as nonce 0.
+- Replayed relay submissions that were already `submitted` or `confirmed` are no longer overwritten by a later rejection record; replay idempotency holds at the app boundary.
+- Gasless executor backdates `validAfter` by 30 seconds to tolerate small client/relay clock skew.
+- The baked Arbitrum gasless relay default was refreshed to the live Funnel hostname after a Tailscale naming drift.
+- Windows session socket/token transport: ACL handling for secure-file checks, named-pipe coverage, and a platform-specific regression fix.
+- `moneyos update` edge cases covered by regression tests.
+
 ## 0.5.1 - 2026-04-13
 
 ### Fixed

package/README.md

@@ -12,12 +12,20 @@ but the repo is structured so each major surface can evolve independently.
 
 - `moneyos`: the root SDK + CLI package for runtime, wallet, balance, and send
 - `@moneyos/core`: runtime interfaces, shared types, chain/token registries
+- `@moneyos/gasless`: smart-account contracts, intent helpers, gasless executor, relay client, and baked Arbitrum defaults
 - `@moneyos/swap`: canonical swap package and Odos provider, published on npm
+- `services/relay`: the hosted relay service that sponsors gas for the gasless path
 
 Current package-boundary rules live in [`docs/architecture.md`](docs/architecture.md).
 
 ## CLI
 
+Install the CLI globally:
+
+```bash
+npm install -g moneyos
+```
+
 Available commands:
 
 ```bash
@@ -26,16 +34,28 @@ moneyos auth unlock
 moneyos auth lock
 moneyos auth status
 moneyos auth change-password
+moneyos gasless status
+moneyos gasless enable
+moneyos gasless disable
 moneyos add <tool>
 moneyos remove <tool>
+moneyos update [tool] [--check]
 moneyos tools
-moneyos swap <amount> <tokenIn> <tokenOut> [--chain <id>] [--provider odos]
 moneyos backup export [--out ./wallet-backup.json] [--force]
 moneyos backup restore <path> [--force]
 moneyos backup status
+moneyos contact set <name> <address>
+moneyos contact list
+moneyos contact remove <name>
 moneyos keystore status
-moneyos balance <token> [--address 0x...]
-moneyos send <amount> <token> <to>
+moneyos balance [token] [--address 0x...] [--chain <id>] [--all]
+moneyos send <amount> <token> <to|contact>
+```
+
+After `moneyos add swap`, the installed swap tool adds:
+
+```bash
+moneyos swap <amount> <tokenIn> <tokenOut> [--chain <id>] [--provider odos]
 ```
 
 For the full command surface and flag details, run `moneyos --help`.
@@ -43,13 +63,102 @@ For the full command surface and flag details, run `moneyos --help`.
 Example:
 
 ```bash
+npm install -g moneyos
 moneyos init
 moneyos auth unlock
+moneyos balance --all
+```
+
+If you want to try swap from the CLI, fund the wallet first with the token you
+want to swap and enough gas for the target chain, then install the tool:
+
+```bash
 moneyos add swap
 moneyos tools
 moneyos swap 0.1 RYZE ETH
 ```
 
+### Local contacts
+
+Save addresses as named contacts and send to them by name:
+
+```bash
+moneyos contact set dad 0x689c78B4DBa64A88A0dC03a579D01681F52C5A73
+moneyos contact list
+moneyos send 10 USDC dad
+moneyos contact remove dad
+```
+
+Contacts are stored locally at `~/.moneyos/contacts.json`. The file is
+per-user, never shared, never synced. `moneyos send` prints the resolved
+address before executing so you can verify the recipient:
+
+```
+$ moneyos send 10 USDC dad
+Resolved dad → 0x689c78B4DBa64A88A0dC03a579D01681F52C5A73
+Sending 10 USDC to 0x689c78B4... on Arbitrum One...
+```
+
+Raw addresses still work — `moneyos send 10 USDC 0x...` behaves exactly as
+before. If the recipient is neither a valid address nor a known contact, the
+send fails with a clear error.
+
+### Gasless mode (v1 opt-in)
+
+Gasless is available but default-off in v1.
+
+Gasless changes execution mode. It does not replace or convert the imported
+wallet.
+
+Mental model:
+
+- your imported private key remains the owner EOA
+- `moneyos gasless enable` derives and stores a separate deterministic smart-account address for that owner
+- with the baked network defaults, the same owner derives the same smart-account address on a given chain, so the mapping is recoverable from the owner key alone
+- after the next `moneyos auth unlock`, write commands execute from the smart account instead of the owner EOA
+- balances do not move automatically between the owner EOA and the smart account
+- the relay sponsors gas only; the smart account still needs the asset being sent or swapped
+
+```bash
+moneyos gasless status
+moneyos gasless enable
+# re-unlock so the new executor mode applies
+moneyos auth unlock
+```
+
+When gasless mode is enabled, write commands use the gasless smart-account
+executor instead of the EOA executor. Disable it to return to EOA:
+
+```bash
+moneyos gasless disable
+moneyos auth unlock
+```
+
+On Arbitrum One v1, `moneyos gasless enable` now bakes in the public relay URL, sponsor, and factory-derived smart-account address automatically. Manual overrides still exist through these environment variables:
+
+- `MONEYOS_GASLESS_RELAY_URL`
+- `MONEYOS_GASLESS_ACCOUNT`
+- `MONEYOS_GASLESS_SPONSOR`
+- optional: `MONEYOS_GASLESS_NONCE_KEY`
+- optional: `MONEYOS_GASLESS_VALIDITY_WINDOW_SECONDS`
+
+Important bootstrap note: this is gasless execution, not gasless onboarding. The relay sponsors gas, but it does not sponsor transfer value. A brand-new user still has to fund the smart account with actual assets first, for example USDC, ETH, WETH, or RYZE on Arbitrum One, before a gasless send can succeed.
+
+If you already have funds in the owner EOA, the practical flow is:
+
+1. have an initialized wallet (`moneyos init` or `moneyos init --key 0x...`) and unlock it with `moneyos auth unlock`
+2. run `moneyos balance --all` to inspect the owner EOA balance
+3. run `moneyos gasless enable`, then `moneyos auth unlock`
+4. run `moneyos auth status` to see the active smart-account address
+5. fund that smart-account address from the owner EOA or another wallet
+6. run `moneyos balance --all --address <smart-account-address>` to inspect smart-account funds
+7. retry the gasless send or swap
+
+Note: `moneyos balance` without `--address` still shows the owner EOA balance,
+even when gasless mode is active. Use `moneyos auth status` to get the active
+smart-account address, then pass that address with `--address` to inspect
+smart-account funds.
+
 ## SDK
 
 ```ts
@@ -86,6 +195,12 @@ const moneyos = createMoneyOS({
 });
 ```
 
+Session-backed writes currently support the registered chain set only:
+Arbitrum `42161`, Ethereum `1`, and Polygon `137`. Each send/swap request
+carries its own `chainId`, so a single unlocked session can target any of
+those supported chains. A custom `rpcUrl` still applies only to the configured
+default chain; other supported chains use the built-in chain registry RPC URLs.
+
 Tool packages should still execute against `moneyos.runtime`; they should not
 import `connectLocalSession()` themselves.
 
@@ -96,13 +211,19 @@ plug in.
 Swap still lives in the separate `@moneyos/swap` package, but the root CLI now
 owns first-class tool install/use UX for CLI-integrated packages.
 
-For CLI usage, install the root package and then add tools into the user-level
-MoneyOS tool home:
+For CLI usage, install the root package first and validate the wallet surface:
 
 ```bash
-npm install moneyos
+npm install -g moneyos
 moneyos init
 moneyos auth unlock
+moneyos balance --all
+```
+
+If you want to use swap from the CLI, fund the wallet first with the input
+token and enough gas for the target chain, then add the tool:
+
+```bash
 moneyos add swap
 moneyos tools
 moneyos swap 0.1 RYZE ETH
@@ -147,6 +268,8 @@ Published packages:
 - `@moneyos/core`
 - `@moneyos/swap`
 
+`@moneyos/gasless` exists in this repo but is not published to npm yet.
+
 Current `moneyos` releases no longer bundle swap into the root SDK or CLI. If
 you want swap from the root CLI, install `moneyos` and then run
 `moneyos add swap`.
@@ -157,6 +280,7 @@ What is landed in code today:
 
 - The CLI stores the root wallet in an encrypted local wallet file at `~/.moneyos/wallet.json`
 - `~/.moneyos/config.json` now stores only non-secret settings such as chain and RPC configuration
+- `moneyos gasless enable` keeps that encrypted wallet as the owner EOA and stores a separate smart-account config for gasless execution
 - `MONEYOS_PRIVATE_KEY` remains an explicit override for ephemeral CI or agent runs
 - `moneyos auth unlock` opens a short-lived local session for write commands
 - workflow scripts can attach to that unlocked session with `connectLocalSession()`
@@ -193,6 +317,10 @@ MoneyOS prompts you for a wallet password, encrypts the key into
 `~/.moneyos/backups/`. After that, use `moneyos auth unlock` before any
 write command.
 
+Importing a raw private key keeps that address as the owner EOA. If you later
+enable gasless, MoneyOS derives a separate smart-account address from that
+owner key; it does not convert the imported EOA or move its assets.
+
 The CLI only supports raw hex private-key import today. Seed phrases,
 keystore v3 JSON files, and hardware-wallet derivation are not implemented.
 If your wallet currently lives in one of those formats, derive the raw hex
@@ -267,6 +395,7 @@ What we have verified locally on the current code:
 - unit tests pass
 - lint passes
 - typechecks pass
+- workspace lint/typecheck passes after `build:core`
 - workspace builds pass
 - the built CLI runs
 - encrypted wallet creation, unlock/session, backup export, and backup restore protections are covered by tests
@@ -290,8 +419,12 @@ npm install
 npm run build:core
 npm run build:swap
 npm run typecheck
+npm run typecheck:core
+npm run typecheck:swap
 npm test
 npm run lint
+npm run lint:core
+npm run lint:swap
 npm run build
 ```