movehat 0.2.1 → 0.2.3

package/src/core/Publisher.ts

@@ -1,7 +1,4 @@
-import { homedir } from "os";
-import { join } from "path";
-import { randomUUID } from "crypto";
-import { Account } from "@aptos-labs/ts-sdk";
+import { Account, PrivateKey, PrivateKeyVariants } from "@aptos-labs/ts-sdk";
 import { MovehatConfig } from "../types/config.js";
 import { extractNamedAddresses } from "../commands/compile.js";
 import {
@@ -10,16 +7,16 @@ import {
   DeploymentInfo,
   validateSafeName,
 } from "./deployments.js";
-import { validatePathSafety, validateProfileSafety } from "./shell.js";
+import { validatePathSafety } from "./shell.js";
 import { CliExecutionError, ModuleAlreadyDeployedError, PostPublishError } from "../errors.js";
 import { runCli } from "../utils/runCli.js";
-import { logger } from "../ui/index.js";
+import { logger, isVerbose } from "../ui/index.js";
+import { withSpinner } from "../ui/spinner.js";
 import type { ChildProcessAdapter } from "../utils/childProcessAdapter.js";
 import {
-  withYamlLock,
-  addProfile,
-  removeProfile,
-  removeProfileSync,
+  writeTempKeyFile,
+  removeKeyFile,
+  removeKeyFileSyncBestEffort,
   ensureSignalHandler,
   cleanupCallbacks,
 } from "./movementProfile.js";
@@ -98,18 +95,10 @@ export class Publisher {
 
     const dir = input.packageDir || config.moveDir;
 
-    // Bug #37: use a UUID-suffixed profile name per deploy so concurrent
-    // Publisher.deploy() calls in the same process don't fight over the
-    // same key in ~/.aptos/config.yaml. The previous code reused
-    // config.profile (default "default"), which meant two parallel
-    // deploys would clobber each other's profile data mid-publish.
-    const profile = `movehat-deploy-${randomUUID().slice(0, 8)}`;
-
     // Validate (no shell escape — runCli uses spawn, which takes args
     // verbatim and would treat the single-quote wrapping as part of the
-    // literal path/profile, breaking Movement CLI argument parsing).
+    // literal path, breaking Movement CLI argument parsing).
     const safeDir = validatePathSafety(dir, "package directory");
-    const safeProfile = validateProfileSafety(profile);
 
     logger.step(`Publishing module "${moduleName}" from ${dir}...`);
 
@@ -134,112 +123,119 @@ export class Publisher {
           : [];
 
       // Build first with named addresses
-      logger.step("Building package...");
-      const buildResult = await runCli(
-        {
-          command: "movement",
-          args: ["move", "build", "--package-dir", safeDir, ...namedAddrArgs],
-          timeoutMs: 120000, // 2 minutes for git dependency downloads
-        },
-        { adapter: this.deps.adapter }
+      const buildResult = await withSpinner(
+        "Building package",
+        () =>
+          runCli(
+            {
+              command: "movement",
+              args: ["move", "build", "--package-dir", safeDir, ...namedAddrArgs],
+              timeoutMs: 120000, // 2 minutes for git dependency downloads
+            },
+            { adapter: this.deps.adapter }
+          ),
       );
-      if (buildResult.stdout) console.log(buildResult.stdout.trim());
+      if (isVerbose() && buildResult.stdout) {
+        logger.info(buildResult.stdout.trim(), 2);
+      }
 
       // Publish using direct parameters (avoid config file issues)
-      logger.step("Publishing to blockchain...");
 
-      // Use parameters directly instead of relying on config file
-      // Strip any ed25519-priv- prefix if present
-      let cleanPrivateKey = config.privateKey;
-      if (cleanPrivateKey.startsWith("ed25519-priv-")) {
-        cleanPrivateKey = cleanPrivateKey.replace("ed25519-priv-", "");
-      }
+      // Format the private key into AIP-80 shape so the Movement CLI
+      // doesn't emit its raw-hex deprecation warning. `formatPrivateKey`
+      // is idempotent for already-prefixed inputs.
+      const formattedPrivateKey = PrivateKey.formatPrivateKey(
+        config.privateKey,
+        PrivateKeyVariants.Ed25519,
+      );
 
-      // Bug #38: Move.toml is NOT mutated. All address overrides flow
-      // through the `--named-addresses` flag above, which Movement CLI
-      // applies during build + publish. The previous regex rewrite +
-      // restore-in-finally was destructive: if the process died between
-      // write and restore, the user's Move.toml stayed mutated.
+      // Move.toml is NOT mutated. All address overrides flow through
+      // the `--named-addresses` flag above, which Movement CLI applies
+      // during build + publish. Rewriting Move.toml on disk would risk
+      // leaving the user's file mutated if the process died before the
+      // restore step.
 
       let publishOut = "";
       let publishErr = "";
 
-      // Setup Movement CLI config with private key securely.
-      // Movement CLI uses .aptos config directory (not .movement).
-      const movementConfigPath = join(homedir(), ".aptos", "config.yaml");
-
-      // Register a sync cleanup hook BEFORE writing the private key.
-      // If the user Ctrl+C's (or the process is SIGTERM'd) between the
-      // yaml write and our async finally, the SIGINT handler iterates
-      // every registered callback and removes this deploy's profile
-      // synchronously — closes bug #36 (private key persisting on disk
-      // after abnormal exit).
+      // Pass the private key to Movement CLI via a 0o600 temp file
+      // (`--private-key-file <path>`) and the on-chain address via
+      // `--sender-account <addr>`. This avoids the CLI's profile-yaml
+      // lookup chain entirely — no CWD / HOME / .aptos / .movement
+      // dance, no CLI-variant dependency.
+      const keyFilePath = writeTempKeyFile(formattedPrivateKey);
+
+      // Register a sync cleanup hook BEFORE invoking the CLI. If the
+      // user Ctrl+C's (or the process is SIGTERM'd) between the file
+      // write and our finally, the SIGINT handler iterates every
+      // registered callback and unlinks this deploy's key file
+      // synchronously so the private key never persists on disk after
+      // an abnormal exit. The signal-handler path uses the
+      // best-effort variant because the event loop is dead and we
+      // cannot logger.warning.
       ensureSignalHandler();
-      const syncCleanup = () => removeProfileSync(movementConfigPath, profile);
+      const syncCleanup = () => removeKeyFileSyncBestEffort(keyFilePath);
       cleanupCallbacks.add(syncCleanup);
 
-      // Add our deploy profile under the unique key. The mutex serializes
-      // read-modify-write cycles so concurrent deploys in the same process
-      // can't drop each other's profiles. Other user profiles in the same
-      // file are preserved untouched.
-      await withYamlLock(() =>
-        addProfile(movementConfigPath, profile, {
-          private_key: cleanPrivateKey,
-          public_key: account.publicKey.toString(),
-          account: deployerAddress,
-          rest_url: config.rpc,
-        })
-      );
-
       try {
-        // Execute publish command without exposing private key in CLI.
-        // Routed through runCli so stdout/stderr are redacted of any
-        // `ed25519-priv-…` shape before reaching console.log/console.error
-        // or the thrown CliExecutionError — that's bug #43.
-        const publishResult = await runCli(
-          {
-            command: "movement",
-            args: [
-              "move",
-              "publish",
-              "--package-dir",
-              safeDir,
-              "--url",
-              config.rpc,
-              "--profile",
-              safeProfile,
-              "--assume-yes",
-              ...namedAddrArgs,
-            ],
-            timeoutMs: 120000, // 2 minutes for blockchain transactions
-          },
-          { adapter: this.deps.adapter }
+        // Execute publish command. Private key reaches the CLI via the
+        // temp key file path (--private-key-file) — never on the
+        // command line — so it can't leak through `ps aux`. runCli's
+        // stdout/stderr redaction still applies as defense in depth
+        // for any `ed25519-priv-…` substring that surfaces in CLI
+        // output (Movement CLI sometimes echoes the key on error).
+        const publishResult = await withSpinner(
+          "Publishing to blockchain",
+          () =>
+            runCli(
+              {
+                command: "movement",
+                args: [
+                  "move",
+                  "publish",
+                  "--package-dir",
+                  safeDir,
+                  "--url",
+                  config.rpc,
+                  "--private-key-file",
+                  keyFilePath,
+                  "--sender-account",
+                  deployerAddress,
+                  "--assume-yes",
+                  ...namedAddrArgs,
+                ],
+                timeoutMs: 120000, // 2 minutes for blockchain transactions
+              },
+              { adapter: this.deps.adapter }
+            ),
         );
         publishOut = publishResult.stdout;
         publishErr = publishResult.stderr;
-        if (publishOut) console.log(publishOut.trim());
-        if (publishErr) console.error(publishErr.trim());
+        // Both stdout and stderr from the publish subprocess are gated
+        // behind isVerbose() — Movement CLI emits progress to both
+        // streams ("Compiling, may take a little while..."), so a
+        // visible stderr line is not by itself a failure signal. The
+        // surrounding withSpinner converts the runCli throw on real
+        // failure into the visible spinner.fail() output instead.
+        if (isVerbose() && publishOut) logger.info(publishOut.trim(), 2);
+        if (isVerbose() && publishErr) logger.info(publishErr.trim(), 2);
       } finally {
-        // Always remove our profile from the shared yaml — never restore
-        // a "snapshot" of the whole file (that's what the old code did,
-        // and that's the bug #37 race). Removing only our key leaves
-        // other concurrent deploys' profiles intact.
-        //
-        // CRITICAL: catch + log instead of throwing. `await` in a finally
-        // block that throws will clobber both the try block's successful
-        // return value AND any error already propagating. Without this
-        // catch, a yaml-write failure here would mask a successful
-        // publish (making the deploy look failed and inviting a redeploy)
-        // or mask the real publish error.
-        await withYamlLock(() => removeProfile(movementConfigPath, profile)).catch((err) => {
-          const cleanupMsg = err instanceof Error ? err.message : String(err);
+        // Unlink the temp key file via the observable cleanup helper.
+        // ENOENT and other already-gone outcomes are benign (null).
+        // A non-null Error means the unlink failed AND the file still
+        // exists on disk — the private key would persist silently
+        // otherwise, so we emit a warning with the manual-cleanup
+        // hint. The SIGINT signal handler's sync callback below also
+        // tries to remove the same file; if SIGINT fires before this
+        // finally runs the file is gone and the next finally call
+        // sees ENOENT (benign).
+        const cleanupErr = removeKeyFile(keyFilePath);
+        if (cleanupErr) {
           logger.warning(
-            `Failed to remove deploy profile "${profile}" from ${movementConfigPath}: ${cleanupMsg}. ` +
-            `Run 'movement config delete-profile --profile ${profile}' to clean up manually.`
+            `Failed to remove temp key file '${keyFilePath}': ${cleanupErr.message}. ` +
+              `The file has mode 0o600 but should be removed manually: rm ${keyFilePath}`
           );
-        });
-        // Unregister the sync cleanup hook — normal path. (The signal
-        // handler stays installed for the process lifetime; cheap.)
+        }
         cleanupCallbacks.delete(syncCleanup);
       }
 
@@ -298,7 +294,7 @@ export class Publisher {
       if (error instanceof CliExecutionError) {
         // stdout/stderr are already redacted by runCli before reaching here,
         // so this branch is safe to log verbatim.
-        if (error.stdoutPreview) console.log(error.stdoutPreview);
+        if (error.stdoutPreview) logger.info(error.stdoutPreview, 2);
         logger.error(`Failed to publish module: ${error.message}\n${error.stderr}`);
       } else {
         // Preserve existing behaviour for non-CLI errors (filesystem write

package/src/core/__tests__/AccountManager.global-state.test.ts

@@ -0,0 +1,83 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { existsSync, mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { AccountManager } from "../AccountManager.js";
+
+/**
+ * F8 — Document the two known limitations of `AccountManager`:
+ *
+ *   (a) State is class-static. Two harness "sessions" in the same
+ *       process share the pool, the labelMap, and the private-key
+ *       map. A label re-used across sessions overwrites the entry.
+ *       This is intentional per `Harness.ts:39-42` ("Two Harness
+ *       instances in the same process share account labels"). This
+ *       test captures the contract so a future refactor cannot
+ *       silently change it.
+ *
+ *   (b) `defaultPoolPath = join(process.cwd(), ".movehat", "accounts")`
+ *       is evaluated when the module is first imported, NOT lazily on
+ *       each call. Changing `process.cwd()` after import does not move
+ *       the save destination. Callers needing per-test isolation must
+ *       pass an explicit `poolPath` argument.
+ */
+
+describe("F8 — AccountManager static state and import-time cwd capture", () => {
+  let cwdBackup: string;
+  let tmpDir: string;
+
+  beforeEach(() => {
+    AccountManager.clearPool();
+    cwdBackup = process.cwd();
+    tmpDir = mkdtempSync(join(tmpdir(), "movehat-f8-"));
+  });
+
+  afterEach(() => {
+    AccountManager.clearPool();
+    if (process.cwd() !== cwdBackup) {
+      process.chdir(cwdBackup);
+    }
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it("(a) re-creating an account with an existing label overwrites the labelMap entry", () => {
+    const first = AccountManager.createAccount("alice");
+    const second = AccountManager.createAccount("alice");
+    expect(second.accountAddress.toString()).not.toBe(
+      first.accountAddress.toString()
+    );
+
+    const lookup = AccountManager.getAccountByLabel("alice");
+    expect(lookup).toBeDefined();
+    expect(lookup!.accountAddress.toString()).toBe(
+      second.accountAddress.toString()
+    );
+    // The first account is still in the pool (keyed by address), only
+    // the label binding moved. A second harness session that creates
+    // its own "alice" will silently shadow the first — this is the
+    // documented Harness limitation. exportPrivateKeys reflects the
+    // current label binding (i.e. the second account).
+    const exportedKeys = AccountManager.exportPrivateKeys(["alice"]);
+    expect(exportedKeys.alice).toBeTypeOf("string");
+    expect(exportedKeys.alice!.length).toBeGreaterThan(0);
+  });
+
+  it("(b) saveAccountPool ignores a process.chdir after import; defaults to the import-time cwd", () => {
+    AccountManager.createAccount("bob");
+
+    process.chdir(tmpDir);
+    // No path argument → uses defaultPoolPath, which was set at module
+    // load time before this chdir.
+    AccountManager.saveAccountPool();
+
+    // The pool file must NOT appear under the freshly-chdir'd cwd.
+    const expectedAtNewCwd = join(tmpDir, ".movehat", "accounts", "test-pool.json");
+    expect(existsSync(expectedAtNewCwd)).toBe(false);
+
+    // Sanity check: explicit poolPath does land where the caller asked.
+    const explicit = join(tmpDir, "explicit");
+    AccountManager.saveAccountPool(explicit);
+    expect(existsSync(join(explicit, "test-pool.json"))).toBe(true);
+  });
+});

package/src/core/__tests__/movementProfile.test.ts

@@ -0,0 +1,131 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import {
+  chmodSync,
+  existsSync,
+  mkdirSync,
+  mkdtempSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  removeKeyFile,
+  removeKeyFileSyncBestEffort,
+  writeTempKeyFile,
+} from "../movementProfile.js";
+
+/**
+ * Unit tests for the two distinct cleanup helpers in movementProfile:
+ *
+ *   - `removeKeyFileSyncBestEffort`: for SIGINT/SIGTERM handlers where
+ *     the event loop is dead. Never throws, never logs, always returns
+ *     void. We only test that it doesn't throw.
+ *
+ *   - `removeKeyFile`: for normal `finally` cleanup paths. Returns
+ *     `null` when the file is gone (removed OR already absent — both
+ *     are benign), and returns an `Error` only when the file STILL
+ *     exists on disk after the unlink attempt failed. The Error path
+ *     is exactly the case the caller must surface as a warning,
+ *     because a private-key temp file would otherwise persist
+ *     silently.
+ */
+
+describe("movementProfile cleanup helpers", () => {
+  let scratchDir: string;
+
+  beforeEach(() => {
+    scratchDir = mkdtempSync(join(tmpdir(), "movehat-profile-test-"));
+  });
+
+  afterEach(() => {
+    if (existsSync(scratchDir)) {
+      // Force chmod in case a test left it un-removable, then rmSync.
+      try {
+        chmodSync(scratchDir, 0o700);
+      } catch {
+        /* best-effort */
+      }
+      rmSync(scratchDir, { recursive: true, force: true });
+    }
+  });
+
+  describe("writeTempKeyFile", () => {
+    it("creates a 0o600 file in os.tmpdir() with the key as contents", () => {
+      const path = writeTempKeyFile("ed25519-priv-0x" + "a".repeat(64));
+      try {
+        expect(path.startsWith(tmpdir())).toBe(true);
+        expect(path).toMatch(/movehat-key-/);
+        expect(existsSync(path)).toBe(true);
+      } finally {
+        if (existsSync(path)) rmSync(path);
+      }
+    });
+  });
+
+  describe("removeKeyFileSyncBestEffort", () => {
+    it("removes an existing file", () => {
+      const path = join(scratchDir, "key");
+      writeFileSync(path, "x", { mode: 0o600 });
+      removeKeyFileSyncBestEffort(path);
+      expect(existsSync(path)).toBe(false);
+    });
+
+    it("does not throw when the file is already gone", () => {
+      const path = join(scratchDir, "never-existed");
+      expect(() => removeKeyFileSyncBestEffort(path)).not.toThrow();
+    });
+
+    it("does not throw when the path is a non-empty directory (would fail in stricter callers)", () => {
+      const dirPath = join(scratchDir, "i-am-a-directory");
+      mkdirSync(dirPath);
+      writeFileSync(join(dirPath, "child"), "x");
+      expect(() => removeKeyFileSyncBestEffort(dirPath)).not.toThrow();
+      // The dir still exists — best-effort doesn't fight EISDIR.
+      expect(existsSync(dirPath)).toBe(true);
+    });
+  });
+
+  describe("removeKeyFile", () => {
+    it("returns null when the file is removed cleanly", () => {
+      const path = join(scratchDir, "key-to-remove");
+      writeFileSync(path, "x", { mode: 0o600 });
+      const err = removeKeyFile(path);
+      expect(err).toBeNull();
+      expect(existsSync(path)).toBe(false);
+    });
+
+    it("returns null when the file was already gone (ENOENT is benign)", () => {
+      const path = join(scratchDir, "never-existed");
+      const err = removeKeyFile(path);
+      expect(err).toBeNull();
+    });
+
+    it("returns null when the file disappears between the unlink attempt and the existsSync check (race)", () => {
+      // Hard to provoke a real race deterministically. The contract is
+      // documented; the previous test covers the ENOENT short-circuit
+      // which is the common race outcome.
+      const path = join(scratchDir, "raced");
+      const err = removeKeyFile(path);
+      expect(err).toBeNull();
+    });
+
+    it("returns an Error when the path is a directory AND still exists post-attempt", () => {
+      // unlinkSync on a directory throws EISDIR (or EPERM on some
+      // platforms). existsSync afterwards still returns true, so this
+      // is the "preocupante" path the caller must surface as a warning
+      // — the file (here, a directory occupying the key-file path) is
+      // still on disk.
+      const dirPath = join(scratchDir, "key-but-actually-a-dir");
+      mkdirSync(dirPath);
+      writeFileSync(join(dirPath, "child"), "x"); // make sure it's not empty
+      const err = removeKeyFile(dirPath);
+      expect(err).not.toBeNull();
+      expect(err).toBeInstanceOf(Error);
+      // Error code is platform-dependent (EISDIR on linux, EPERM on
+      // macos), so just assert we got something Error-shaped.
+      expect((err as NodeJS.ErrnoException).code).toMatch(/^E/);
+      expect(existsSync(dirPath)).toBe(true);
+    });
+  });
+});

package/src/core/config.ts

@@ -1,8 +1,9 @@
 import { pathToFileURL } from "url";
 import { join } from "path";
 import { existsSync, statSync } from "fs";
-import { Account, Ed25519PrivateKey } from "@aptos-labs/ts-sdk";
+import { Account, Ed25519PrivateKey, PrivateKey, PrivateKeyVariants } from "@aptos-labs/ts-sdk";
 import { MovehatConfig, MovehatUserConfig } from "../types/config.js";
+import { logger } from "../ui/index.js";
 
 interface ConfigCacheEntry {
   mtimeMs: number;
@@ -132,7 +133,7 @@ export async function resolveNetworkConfig(
       url: "https://testnet.movementnetwork.xyz/v1",
       chainId: "testnet",
     };
-    console.log(`testnet not found in config - using default Movement testnet configuration`);
+    logger.info("testnet not found in config - using default Movement testnet configuration");
   }
 
   // Special case: Auto-generate config for local fork server
@@ -141,7 +142,7 @@ export async function resolveNetworkConfig(
       url: "http://localhost:8080/v1",
       chainId: "local",
     };
-    console.log(`Local network not found in config - using default fork server configuration`);
+    logger.info("Local network not found in config - using default fork server configuration");
   }
 
   if (!networkConfig) {
@@ -187,8 +188,10 @@ export async function resolveNetworkConfig(
       // 3. Deterministic = consistent test results
       const testPrivateKey = "0x0000000000000000000000000000000000000000000000000000000000000001";
       accounts = [testPrivateKey];
-      console.log(`\n[TESTNET] Using auto-generated test account (safe for testing only)`);
-      console.log(`[TESTNET] For mainnet, set PRIVATE_KEY in .env\n`);
+      logger.newline();
+      logger.warning("[TESTNET] Using auto-generated test account (safe for testing only)");
+      logger.warning("[TESTNET] For mainnet, set PRIVATE_KEY in .env");
+      logger.newline();
     } else {
       // For any other network (especially mainnet), REQUIRE explicit configuration
       // This prevents accidentally using the test key on production networks
@@ -258,19 +261,23 @@ export async function resolveNetworkConfig(
 function deriveAccountAddress(privateKeyHex: string | undefined): string {
   if (!privateKeyHex) return "";
   try {
-    const stripped = privateKeyHex.startsWith("ed25519-priv-")
-      ? privateKeyHex.slice("ed25519-priv-".length)
-      : privateKeyHex;
+    // Format into AIP-80 shape so the SDK doesn't emit a deprecation
+    // warning on each derivation. `formatPrivateKey` is idempotent for
+    // already-prefixed inputs.
+    const formatted = PrivateKey.formatPrivateKey(
+      privateKeyHex,
+      PrivateKeyVariants.Ed25519,
+    );
     const account = Account.fromPrivateKey({
-      privateKey: new Ed25519PrivateKey(stripped),
+      privateKey: new Ed25519PrivateKey(formatted),
     });
     return account.accountAddress.toString();
   } catch (err) {
     // The private key may have come from several sources (network.accounts,
     // global accounts, PRIVATE_KEY env, auto-generated testnet key). Keep
     // the hint generic so it never points at the wrong source.
-    console.warn(
-      `[movehat] Could not derive account address from the resolved private key: ${
+    logger.warning(
+      `Could not derive account address from the resolved private key: ${
         (err as Error).message
       }. Verify the key configured for this network is a valid Ed25519 private key (with or without the "ed25519-priv-" prefix).`
     );

package/src/core/deployments.ts

@@ -86,9 +86,9 @@ export function saveDeployment(deployment: DeploymentInfo): void {
       `Deployment saved: deployments/${deployment.network}/${deployment.moduleName}.json`
     );
   } catch (error) {
-    console.error(
-      `Failed to save deployment for ${deployment.moduleName} on ${deployment.network} at ${filePath}:`,
-      error
+    const msg = error instanceof Error ? error.message : String(error);
+    logger.error(
+      `Failed to save deployment for ${deployment.moduleName} on ${deployment.network} at ${filePath}: ${msg}`
     );
     throw error;
   }
@@ -110,7 +110,8 @@ export function loadDeployment(network: string, moduleName: string): DeploymentI
     const content = readFileSync(filePath, "utf-8");
     return JSON.parse(content) as DeploymentInfo;
   } catch (error) {
-    console.error(`Failed to load deployment for ${moduleName} on ${network}:`, error);
+    const msg = error instanceof Error ? error.message : String(error);
+    logger.error(`Failed to load deployment for ${moduleName} on ${network}: ${msg}`);
     return null;
   }
 }