nodpay 0.2.2 → 0.2.4

package/README.md

@@ -28,11 +28,29 @@ NODPAY_AGENT_KEY=0x... npx nodpay propose \
 3. Agent proposes transactions with `npx nodpay propose`
 4. User approves/rejects on their phone
 
+## Key generation
+
+```bash
+npx nodpay keygen --env-file .env
+```
+
+Outputs the agent's **public address only**. The private key is written directly to `.env` — it never appears in stdout, logs, or the agent's context window.
+
+If a key already exists, it reuses it and prints the address.
+
+### Security design
+
+The agent (LLM) **never sees the private key**. `keygen` writes the secret directly to disk; the `propose` command reads it from the environment at runtime. This means:
+
+- No private key in conversation history or context window
+- No risk of leaking the key through prompt injection
+- The agent only needs the public address (for wallet links)
+
 ## Env
 
 | Variable | Required | Description |
 |----------|----------|-------------|
-| `NODPAY_AGENT_KEY` | ✅ | Agent's private key (hex) |
+| `NODPAY_AGENT_KEY` | ✅ | Agent's private key — use `npx nodpay keygen` to generate securely |
 
 ## Supported chains
 

package/SKILL.md

@@ -39,12 +39,19 @@ The wallet is a **Safe 2-of-3 multisig**. You hold 1 key, the user holds 2 (pass
 ### 1. Generate an agent key
 
 ```bash
-node -e "const w=require('ethers').Wallet.createRandom();console.log('Address:',w.address,'\nKey:',w.privateKey)"
+npx nodpay keygen --env-file .env
 ```
 
-Store the private key as `NODPAY_AGENT_KEY` in your environment. The address is your public agent identity.
+This outputs your agent's **public address** (stdout). The private key is written directly to `.env` — it never appears in your output or context.
 
-**⚠️ Storing the env var may trigger a restart.** Complete all config/env changes and wait for the restart to finish BEFORE sending any message to the user. Do not send messages and update config in parallel — the restart will truncate your message.
+If `NODPAY_AGENT_KEY` already exists in the file, it reuses the existing key and prints the address.
+
+**After keygen**, trigger a gateway restart so the env var takes effect. Send your wallet link message to the user BEFORE restarting — the restart will interrupt your session.
+
+Recommended sequence:
+1. Run `npx nodpay keygen --env-file .env` → note the address
+2. Send the wallet link to your user (step 2 below)
+3. Trigger gateway restart
 
 ### 2. Send the user a wallet link
 
@@ -108,6 +115,7 @@ One agent key serves all wallets — multi-wallet is handled user-side (differen
 ```bash
 NODPAY_AGENT_KEY=0x... \
 npx nodpay propose \
+  --chain <CHAIN_NAME> \
   --safe <WALLET_ADDRESS> \
   --to <RECIPIENT> \
   --value-eth <AMOUNT> \
@@ -152,6 +160,7 @@ Always check before proposing — this tells you the current nonce, pending ops,
 
 | Flag | Required | Description |
 |------|----------|-------------|
+| `--chain` | ✅ | Chain name (e.g. `ethereum`, `base`, `sepolia`) |
 | `--safe` | ✅ | Wallet (Safe) address |
 | `--to` | ✅ | Recipient address |
 | `--value-eth` | ✅ | Amount in ETH |
@@ -171,7 +180,7 @@ Only one env var is required:
 |-----|-------------|
 | `NODPAY_AGENT_KEY` | Agent signing key (required) |
 
-Chain config (RPC, bundler, explorer) is auto-resolved from `references/networks.json`. No need to set `RPC_URL`, `CHAIN_ID`, or bundler keys.
+Chain config (RPC, bundler) is auto-resolved via `--chain` from [`@nodpay/core/networks`](https://www.npmjs.com/package/@nodpay/core). You can override with `RPC_URL`/`CHAIN_ID` env vars if needed, but `--chain` is the recommended way.
 
 ### Supported Chains
 

package/bin/nodpay.mjs

@@ -7,6 +7,10 @@ if (command === 'propose') {
   const scriptPath = new URL('../scripts/propose.mjs', import.meta.url).pathname;
   process.argv = [process.argv[0], scriptPath, ...process.argv.slice(3)];
   await import(scriptPath);
+} else if (command === 'keygen') {
+  const scriptPath = new URL('../scripts/keygen.mjs', import.meta.url).pathname;
+  process.argv = [process.argv[0], scriptPath, ...process.argv.slice(3)];
+  await import(scriptPath);
 } else if (command === 'version' || command === '--version' || command === '-v') {
   const { readFileSync } = await import('fs');
   const pkg = JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf8'));
@@ -15,9 +19,11 @@ if (command === 'propose') {
   console.log(`Usage: nodpay <command>
 
 Commands:
+  keygen    Generate (or reuse) agent keypair
   propose   Propose a transaction for human approval
 
-Example:
+Examples:
+  nodpay keygen --env-file .env
   nodpay propose --safe 0x... --to 0x... --value-eth 0.01 --signer-type passkey
 
 Docs: https://nodpay.ai/skill.md`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodpay",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "description": "NodPay CLI — propose on-chain payments from agent-human shared wallets",
   "type": "module",
   "bin": {

package/scripts/keygen.mjs

@@ -0,0 +1,61 @@
+#!/usr/bin/env node
+/**
+ * Generate (or reuse) an agent keypair.
+ *
+ * - If NODPAY_AGENT_KEY already exists in --env-file, derives and prints the address.
+ * - Otherwise generates a new keypair, appends to --env-file, prints the address.
+ *
+ * The private key NEVER appears in stdout — only the public address.
+ *
+ * Usage:
+ *   npx nodpay keygen --env-file .env
+ */
+
+import { Wallet } from 'ethers';
+import { readFileSync, appendFileSync, existsSync } from 'fs';
+import { resolve } from 'path';
+
+const args = process.argv.slice(2);
+const envFileIdx = args.indexOf('--env-file');
+const envFile = envFileIdx !== -1 ? resolve(args[envFileIdx + 1]) : null;
+
+if (!envFile) {
+  console.error('Usage: npx nodpay keygen --env-file <path>');
+  process.exit(1);
+}
+
+const ENV_VAR = 'NODPAY_AGENT_KEY';
+
+// Check if key already exists in the env file
+function findExistingKey() {
+  if (!existsSync(envFile)) return null;
+  const lines = readFileSync(envFile, 'utf8').split('\n');
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
+    const [name, ...rest] = trimmed.split('=');
+    if (name.trim() === ENV_VAR) {
+      const value = rest.join('=').trim().replace(/^["']|["']$/g, '');
+      if (value) return value;
+    }
+  }
+  return null;
+}
+
+const existing = findExistingKey();
+
+if (existing) {
+  try {
+    const wallet = new Wallet(existing);
+    console.log(wallet.address);
+    console.error(`${ENV_VAR} already configured in ${envFile}`);
+  } catch {
+    console.error(`${ENV_VAR} exists in ${envFile} but is invalid. Remove it and re-run.`);
+    process.exit(1);
+  }
+} else {
+  const wallet = Wallet.createRandom();
+  appendFileSync(envFile, `\n${ENV_VAR}=${wallet.privateKey}\n`);
+  console.log(wallet.address);
+  console.error(`Generated new agent key → ${envFile}`);
+}

package/scripts/propose.mjs

@@ -37,10 +37,31 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 const PENDING_DIR = join(__dirname, '..', '.pending-txs');
 mkdirSync(PENDING_DIR, { recursive: true });
 
-const RPC_URL = process.env.RPC_URL;
-const CHAIN_ID = process.env.CHAIN_ID;
+// Resolve chain config: --chain flag auto-resolves from networks.json, env vars as fallback
+import { createRequire } from 'module';
+const require = createRequire(import.meta.url);
+const NETWORKS = require('@nodpay/core/networks');
+const allChains = { ...NETWORKS.mainnet, ...NETWORKS.testnet };
+
+const chainArg = process.argv.includes('--chain')
+  ? process.argv[process.argv.indexOf('--chain') + 1]
+  : null;
+
+let RPC_URL, CHAIN_ID;
+if (chainArg) {
+  const net = allChains[chainArg];
+  if (!net) {
+    console.error(`Error: Unknown chain "${chainArg}". Supported: ${Object.keys(allChains).join(', ')}`);
+    process.exit(1);
+  }
+  RPC_URL = process.env.RPC_URL || net.rpcUrl;
+  CHAIN_ID = String(net.chainId);
+} else {
+  RPC_URL = process.env.RPC_URL;
+  CHAIN_ID = process.env.CHAIN_ID;
+}
 if (!RPC_URL || !CHAIN_ID) {
-  console.error('Error: RPC_URL and CHAIN_ID environment variables are required.\nSet them for your target chain. See references/networks.json for supported chains.');
+  console.error('Error: Specify --chain <name> or set RPC_URL + CHAIN_ID env vars.\nSupported chains: ' + Object.keys(allChains).join(', '));
   process.exit(1);
 }
 const ENTRYPOINT_ADDRESS = ENTRYPOINT;