movehat 0.2.0 → 0.2.2

package/src/core/Publisher.ts

@@ -1,7 +1,4 @@
-import { homedir } from "os";
-import { join } from "path";
-import { randomUUID } from "crypto";
-import { Account } from "@aptos-labs/ts-sdk";
+import { Account, PrivateKey, PrivateKeyVariants } from "@aptos-labs/ts-sdk";
 import { MovehatConfig } from "../types/config.js";
 import { extractNamedAddresses } from "../commands/compile.js";
 import {
@@ -10,16 +7,15 @@ import {
   DeploymentInfo,
   validateSafeName,
 } from "./deployments.js";
-import { validatePathSafety, validateProfileSafety } from "./shell.js";
+import { validatePathSafety } from "./shell.js";
 import { CliExecutionError, ModuleAlreadyDeployedError, PostPublishError } from "../errors.js";
 import { runCli } from "../utils/runCli.js";
 import { logger } from "../ui/index.js";
 import type { ChildProcessAdapter } from "../utils/childProcessAdapter.js";
 import {
-  withYamlLock,
-  addProfile,
-  removeProfile,
-  removeProfileSync,
+  writeTempKeyFile,
+  removeKeyFile,
+  removeKeyFileSyncBestEffort,
   ensureSignalHandler,
   cleanupCallbacks,
 } from "./movementProfile.js";
@@ -41,11 +37,6 @@ export interface PublishInput {
 /**
  * Publishes a Move module via the Movement CLI.
  *
- * Extracted from `runtime.deployContract` (M1.4 / #79). Carries the
- * destructive Move.toml-rewrite + shared-yaml-write semantics of the
- * original closure verbatim in this scaffold commit — bug fixes for
- * #36 / #37 / #38 land in subsequent commits.
- *
  * @internal
  */
 export class Publisher {
@@ -54,13 +45,10 @@ export class Publisher {
   async deploy(input: PublishInput): Promise<DeploymentInfo> {
     const { moduleName, config, account } = input;
 
-    // Validate moduleName early
     validateSafeName(moduleName, "module");
 
-    // Check if --redeploy flag was passed via CLI
     const forceRedeploy = process.env.MH_CLI_REDEPLOY === "true";
 
-    // Check if already deployed
     const existingDeployment = loadDeployment(config.network, moduleName);
     if (existingDeployment && !forceRedeploy) {
       // Build detailed error message with all deployment info
@@ -106,18 +94,10 @@ export class Publisher {
 
     const dir = input.packageDir || config.moveDir;
 
-    // Bug #37: use a UUID-suffixed profile name per deploy so concurrent
-    // Publisher.deploy() calls in the same process don't fight over the
-    // same key in ~/.aptos/config.yaml. The previous code reused
-    // config.profile (default "default"), which meant two parallel
-    // deploys would clobber each other's profile data mid-publish.
-    const profile = `movehat-deploy-${randomUUID().slice(0, 8)}`;
-
     // Validate (no shell escape — runCli uses spawn, which takes args
     // verbatim and would treat the single-quote wrapping as part of the
-    // literal path/profile, breaking Movement CLI argument parsing).
+    // literal path, breaking Movement CLI argument parsing).
     const safeDir = validatePathSafety(dir, "package directory");
-    const safeProfile = validateProfileSafety(profile);
 
     logger.step(`Publishing module "${moduleName}" from ${dir}...`);
 
@@ -156,54 +136,49 @@ export class Publisher {
       // Publish using direct parameters (avoid config file issues)
       logger.step("Publishing to blockchain...");
 
-      // Use parameters directly instead of relying on config file
-      // Strip any ed25519-priv- prefix if present
-      let cleanPrivateKey = config.privateKey;
-      if (cleanPrivateKey.startsWith("ed25519-priv-")) {
-        cleanPrivateKey = cleanPrivateKey.replace("ed25519-priv-", "");
-      }
+      // Format the private key into AIP-80 shape so the Movement CLI
+      // doesn't emit its raw-hex deprecation warning. `formatPrivateKey`
+      // is idempotent for already-prefixed inputs.
+      const formattedPrivateKey = PrivateKey.formatPrivateKey(
+        config.privateKey,
+        PrivateKeyVariants.Ed25519,
+      );
 
-      // Bug #38: Move.toml is NOT mutated. All address overrides flow
-      // through the `--named-addresses` flag above, which Movement CLI
-      // applies during build + publish. The previous regex rewrite +
-      // restore-in-finally was destructive: if the process died between
-      // write and restore, the user's Move.toml stayed mutated.
+      // Move.toml is NOT mutated. All address overrides flow through
+      // the `--named-addresses` flag above, which Movement CLI applies
+      // during build + publish. Rewriting Move.toml on disk would risk
+      // leaving the user's file mutated if the process died before the
+      // restore step.
 
       let publishOut = "";
       let publishErr = "";
 
-      // Setup Movement CLI config with private key securely.
-      // Movement CLI uses .aptos config directory (not .movement).
-      const movementConfigPath = join(homedir(), ".aptos", "config.yaml");
-
-      // Register a sync cleanup hook BEFORE writing the private key.
-      // If the user Ctrl+C's (or the process is SIGTERM'd) between the
-      // yaml write and our async finally, the SIGINT handler iterates
-      // every registered callback and removes this deploy's profile
-      // synchronously — closes bug #36 (private key persisting on disk
-      // after abnormal exit).
+      // Pass the private key to Movement CLI via a 0o600 temp file
+      // (`--private-key-file <path>`) and the on-chain address via
+      // `--sender-account <addr>`. This avoids the CLI's profile-yaml
+      // lookup chain entirely — no CWD / HOME / .aptos / .movement
+      // dance, no CLI-variant dependency.
+      const keyFilePath = writeTempKeyFile(formattedPrivateKey);
+
+      // Register a sync cleanup hook BEFORE invoking the CLI. If the
+      // user Ctrl+C's (or the process is SIGTERM'd) between the file
+      // write and our finally, the SIGINT handler iterates every
+      // registered callback and unlinks this deploy's key file
+      // synchronously so the private key never persists on disk after
+      // an abnormal exit. The signal-handler path uses the
+      // best-effort variant because the event loop is dead and we
+      // cannot logger.warning.
       ensureSignalHandler();
-      const syncCleanup = () => removeProfileSync(movementConfigPath, profile);
+      const syncCleanup = () => removeKeyFileSyncBestEffort(keyFilePath);
       cleanupCallbacks.add(syncCleanup);
 
-      // Add our deploy profile under the unique key. The mutex serializes
-      // read-modify-write cycles so concurrent deploys in the same process
-      // can't drop each other's profiles. Other user profiles in the same
-      // file are preserved untouched.
-      await withYamlLock(() =>
-        addProfile(movementConfigPath, profile, {
-          private_key: cleanPrivateKey,
-          public_key: account.publicKey.toString(),
-          account: deployerAddress,
-          rest_url: config.rpc,
-        })
-      );
-
       try {
-        // Execute publish command without exposing private key in CLI.
-        // Routed through runCli so stdout/stderr are redacted of any
-        // `ed25519-priv-…` shape before reaching console.log/console.error
-        // or the thrown CliExecutionError — that's bug #43.
+        // Execute publish command. Private key reaches the CLI via the
+        // temp key file path (--private-key-file) — never on the
+        // command line — so it can't leak through `ps aux`. runCli's
+        // stdout/stderr redaction still applies as defense in depth
+        // for any `ed25519-priv-…` substring that surfaces in CLI
+        // output (Movement CLI sometimes echoes the key on error).
         const publishResult = await runCli(
           {
             command: "movement",
@@ -214,8 +189,10 @@ export class Publisher {
               safeDir,
               "--url",
               config.rpc,
-              "--profile",
-              safeProfile,
+              "--private-key-file",
+              keyFilePath,
+              "--sender-account",
+              deployerAddress,
               "--assume-yes",
               ...namedAddrArgs,
             ],
@@ -228,26 +205,22 @@ export class Publisher {
         if (publishOut) console.log(publishOut.trim());
         if (publishErr) console.error(publishErr.trim());
       } finally {
-        // Always remove our profile from the shared yaml — never restore
-        // a "snapshot" of the whole file (that's what the old code did,
-        // and that's the bug #37 race). Removing only our key leaves
-        // other concurrent deploys' profiles intact.
-        //
-        // CRITICAL: catch + log instead of throwing. `await` in a finally
-        // block that throws will clobber both the try block's successful
-        // return value AND any error already propagating. Without this
-        // catch, a yaml-write failure here would mask a successful
-        // publish (making the deploy look failed and inviting a redeploy)
-        // or mask the real publish error.
-        await withYamlLock(() => removeProfile(movementConfigPath, profile)).catch((err) => {
-          const cleanupMsg = err instanceof Error ? err.message : String(err);
+        // Unlink the temp key file via the observable cleanup helper.
+        // ENOENT and other already-gone outcomes are benign (null).
+        // A non-null Error means the unlink failed AND the file still
+        // exists on disk — the private key would persist silently
+        // otherwise, so we emit a warning with the manual-cleanup
+        // hint. The SIGINT signal handler's sync callback below also
+        // tries to remove the same file; if SIGINT fires before this
+        // finally runs the file is gone and the next finally call
+        // sees ENOENT (benign).
+        const cleanupErr = removeKeyFile(keyFilePath);
+        if (cleanupErr) {
           logger.warning(
-            `Failed to remove deploy profile "${profile}" from ${movementConfigPath}: ${cleanupMsg}. ` +
-            `Run 'movement config delete-profile --profile ${profile}' to clean up manually.`
+            `Failed to remove temp key file '${keyFilePath}': ${cleanupErr.message}. ` +
+              `The file has mode 0o600 but should be removed manually: rm ${keyFilePath}`
           );
-        });
-        // Unregister the sync cleanup hook — normal path. (The signal
-        // handler stays installed for the process lifetime; cheap.)
+        }
         cleanupCallbacks.delete(syncCleanup);
       }
 

package/src/core/__tests__/AccountManager.global-state.test.ts

@@ -0,0 +1,83 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { existsSync, mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { AccountManager } from "../AccountManager.js";
+
+/**
+ * F8 — Document the two known limitations of `AccountManager`:
+ *
+ *   (a) State is class-static. Two harness "sessions" in the same
+ *       process share the pool, the labelMap, and the private-key
+ *       map. A label re-used across sessions overwrites the entry.
+ *       This is intentional per `Harness.ts:39-42` ("Two Harness
+ *       instances in the same process share account labels"). This
+ *       test captures the contract so a future refactor cannot
+ *       silently change it.
+ *
+ *   (b) `defaultPoolPath = join(process.cwd(), ".movehat", "accounts")`
+ *       is evaluated when the module is first imported, NOT lazily on
+ *       each call. Changing `process.cwd()` after import does not move
+ *       the save destination. Callers needing per-test isolation must
+ *       pass an explicit `poolPath` argument.
+ */
+
+describe("F8 — AccountManager static state and import-time cwd capture", () => {
+  let cwdBackup: string;
+  let tmpDir: string;
+
+  beforeEach(() => {
+    AccountManager.clearPool();
+    cwdBackup = process.cwd();
+    tmpDir = mkdtempSync(join(tmpdir(), "movehat-f8-"));
+  });
+
+  afterEach(() => {
+    AccountManager.clearPool();
+    if (process.cwd() !== cwdBackup) {
+      process.chdir(cwdBackup);
+    }
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it("(a) re-creating an account with an existing label overwrites the labelMap entry", () => {
+    const first = AccountManager.createAccount("alice");
+    const second = AccountManager.createAccount("alice");
+    expect(second.accountAddress.toString()).not.toBe(
+      first.accountAddress.toString()
+    );
+
+    const lookup = AccountManager.getAccountByLabel("alice");
+    expect(lookup).toBeDefined();
+    expect(lookup!.accountAddress.toString()).toBe(
+      second.accountAddress.toString()
+    );
+    // The first account is still in the pool (keyed by address), only
+    // the label binding moved. A second harness session that creates
+    // its own "alice" will silently shadow the first — this is the
+    // documented Harness limitation. exportPrivateKeys reflects the
+    // current label binding (i.e. the second account).
+    const exportedKeys = AccountManager.exportPrivateKeys(["alice"]);
+    expect(exportedKeys.alice).toBeTypeOf("string");
+    expect(exportedKeys.alice!.length).toBeGreaterThan(0);
+  });
+
+  it("(b) saveAccountPool ignores a process.chdir after import; defaults to the import-time cwd", () => {
+    AccountManager.createAccount("bob");
+
+    process.chdir(tmpDir);
+    // No path argument → uses defaultPoolPath, which was set at module
+    // load time before this chdir.
+    AccountManager.saveAccountPool();
+
+    // The pool file must NOT appear under the freshly-chdir'd cwd.
+    const expectedAtNewCwd = join(tmpDir, ".movehat", "accounts", "test-pool.json");
+    expect(existsSync(expectedAtNewCwd)).toBe(false);
+
+    // Sanity check: explicit poolPath does land where the caller asked.
+    const explicit = join(tmpDir, "explicit");
+    AccountManager.saveAccountPool(explicit);
+    expect(existsSync(join(explicit, "test-pool.json"))).toBe(true);
+  });
+});

package/src/core/__tests__/movementProfile.test.ts

@@ -0,0 +1,131 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import {
+  chmodSync,
+  existsSync,
+  mkdirSync,
+  mkdtempSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  removeKeyFile,
+  removeKeyFileSyncBestEffort,
+  writeTempKeyFile,
+} from "../movementProfile.js";
+
+/**
+ * Unit tests for the two distinct cleanup helpers in movementProfile:
+ *
+ *   - `removeKeyFileSyncBestEffort`: for SIGINT/SIGTERM handlers where
+ *     the event loop is dead. Never throws, never logs, always returns
+ *     void. We only test that it doesn't throw.
+ *
+ *   - `removeKeyFile`: for normal `finally` cleanup paths. Returns
+ *     `null` when the file is gone (removed OR already absent — both
+ *     are benign), and returns an `Error` only when the file STILL
+ *     exists on disk after the unlink attempt failed. The Error path
+ *     is exactly the case the caller must surface as a warning,
+ *     because a private-key temp file would otherwise persist
+ *     silently.
+ */
+
+describe("movementProfile cleanup helpers", () => {
+  let scratchDir: string;
+
+  beforeEach(() => {
+    scratchDir = mkdtempSync(join(tmpdir(), "movehat-profile-test-"));
+  });
+
+  afterEach(() => {
+    if (existsSync(scratchDir)) {
+      // Force chmod in case a test left it un-removable, then rmSync.
+      try {
+        chmodSync(scratchDir, 0o700);
+      } catch {
+        /* best-effort */
+      }
+      rmSync(scratchDir, { recursive: true, force: true });
+    }
+  });
+
+  describe("writeTempKeyFile", () => {
+    it("creates a 0o600 file in os.tmpdir() with the key as contents", () => {
+      const path = writeTempKeyFile("ed25519-priv-0x" + "a".repeat(64));
+      try {
+        expect(path.startsWith(tmpdir())).toBe(true);
+        expect(path).toMatch(/movehat-key-/);
+        expect(existsSync(path)).toBe(true);
+      } finally {
+        if (existsSync(path)) rmSync(path);
+      }
+    });
+  });
+
+  describe("removeKeyFileSyncBestEffort", () => {
+    it("removes an existing file", () => {
+      const path = join(scratchDir, "key");
+      writeFileSync(path, "x", { mode: 0o600 });
+      removeKeyFileSyncBestEffort(path);
+      expect(existsSync(path)).toBe(false);
+    });
+
+    it("does not throw when the file is already gone", () => {
+      const path = join(scratchDir, "never-existed");
+      expect(() => removeKeyFileSyncBestEffort(path)).not.toThrow();
+    });
+
+    it("does not throw when the path is a non-empty directory (would fail in stricter callers)", () => {
+      const dirPath = join(scratchDir, "i-am-a-directory");
+      mkdirSync(dirPath);
+      writeFileSync(join(dirPath, "child"), "x");
+      expect(() => removeKeyFileSyncBestEffort(dirPath)).not.toThrow();
+      // The dir still exists — best-effort doesn't fight EISDIR.
+      expect(existsSync(dirPath)).toBe(true);
+    });
+  });
+
+  describe("removeKeyFile", () => {
+    it("returns null when the file is removed cleanly", () => {
+      const path = join(scratchDir, "key-to-remove");
+      writeFileSync(path, "x", { mode: 0o600 });
+      const err = removeKeyFile(path);
+      expect(err).toBeNull();
+      expect(existsSync(path)).toBe(false);
+    });
+
+    it("returns null when the file was already gone (ENOENT is benign)", () => {
+      const path = join(scratchDir, "never-existed");
+      const err = removeKeyFile(path);
+      expect(err).toBeNull();
+    });
+
+    it("returns null when the file disappears between the unlink attempt and the existsSync check (race)", () => {
+      // Hard to provoke a real race deterministically. The contract is
+      // documented; the previous test covers the ENOENT short-circuit
+      // which is the common race outcome.
+      const path = join(scratchDir, "raced");
+      const err = removeKeyFile(path);
+      expect(err).toBeNull();
+    });
+
+    it("returns an Error when the path is a directory AND still exists post-attempt", () => {
+      // unlinkSync on a directory throws EISDIR (or EPERM on some
+      // platforms). existsSync afterwards still returns true, so this
+      // is the "preocupante" path the caller must surface as a warning
+      // — the file (here, a directory occupying the key-file path) is
+      // still on disk.
+      const dirPath = join(scratchDir, "key-but-actually-a-dir");
+      mkdirSync(dirPath);
+      writeFileSync(join(dirPath, "child"), "x"); // make sure it's not empty
+      const err = removeKeyFile(dirPath);
+      expect(err).not.toBeNull();
+      expect(err).toBeInstanceOf(Error);
+      // Error code is platform-dependent (EISDIR on linux, EPERM on
+      // macos), so just assert we got something Error-shaped.
+      expect((err as NodeJS.ErrnoException).code).toMatch(/^E/);
+      expect(existsSync(dirPath)).toBe(true);
+    });
+  });
+});

package/src/core/config.ts

@@ -1,7 +1,7 @@
 import { pathToFileURL } from "url";
 import { join } from "path";
 import { existsSync, statSync } from "fs";
-import { Account, Ed25519PrivateKey } from "@aptos-labs/ts-sdk";
+import { Account, Ed25519PrivateKey, PrivateKey, PrivateKeyVariants } from "@aptos-labs/ts-sdk";
 import { MovehatConfig, MovehatUserConfig } from "../types/config.js";
 
 interface ConfigCacheEntry {
@@ -258,11 +258,15 @@ export async function resolveNetworkConfig(
 function deriveAccountAddress(privateKeyHex: string | undefined): string {
   if (!privateKeyHex) return "";
   try {
-    const stripped = privateKeyHex.startsWith("ed25519-priv-")
-      ? privateKeyHex.slice("ed25519-priv-".length)
-      : privateKeyHex;
+    // Format into AIP-80 shape so the SDK doesn't emit a deprecation
+    // warning on each derivation. `formatPrivateKey` is idempotent for
+    // already-prefixed inputs.
+    const formatted = PrivateKey.formatPrivateKey(
+      privateKeyHex,
+      PrivateKeyVariants.Ed25519,
+    );
     const account = Account.fromPrivateKey({
-      privateKey: new Ed25519PrivateKey(stripped),
+      privateKey: new Ed25519PrivateKey(formatted),
     });
     return account.accountAddress.toString();
   } catch (err) {

package/src/core/contract.ts

@@ -94,9 +94,6 @@ export class MoveContract {
   }
 }
 
-/**
- * Factory function to create a contract instance
- */
 export function getContract(
     aptos: Aptos,
     moduleAddress: string,

package/src/core/deployments.ts

@@ -50,16 +50,10 @@ export function validateSafeName(name: string, type: "network" | "module"): void
   }
 }
 
-/**
- * Get the deployments directory path
- */
 function getDeploymentsDir(): string {
   return join(process.cwd(), "deployments");
 }
 
-/**
- * Get the network-specific deployments directory
- */
 function getNetworkDeploymentsDir(network: string): string {
   // Validate network name to prevent path traversal
   validateSafeName(network, "network");
@@ -78,9 +72,6 @@ function getNetworkDeploymentsDir(network: string): string {
   return networkDir;
 }
 
-/**
- * Save a deployment
- */
 export function saveDeployment(deployment: DeploymentInfo): void {
   // Validate both network and module name
   validateSafeName(deployment.network, "network");
@@ -103,9 +94,6 @@ export function saveDeployment(deployment: DeploymentInfo): void {
   }
 }
 
-/**
- * Load a deployment
- */
 export function loadDeployment(network: string, moduleName: string): DeploymentInfo | null {
   // Validate both network and module name
   validateSafeName(network, "network");