nodpay 0.2.3 → 0.2.4

package/README.md

@@ -28,11 +28,29 @@ NODPAY_AGENT_KEY=0x... npx nodpay propose \
 3. Agent proposes transactions with `npx nodpay propose`
 4. User approves/rejects on their phone
 
+## Key generation
+
+```bash
+npx nodpay keygen --env-file .env
+```
+
+Outputs the agent's **public address only**. The private key is written directly to `.env` — it never appears in stdout, logs, or the agent's context window.
+
+If a key already exists, it reuses it and prints the address.
+
+### Security design
+
+The agent (LLM) **never sees the private key**. `keygen` writes the secret directly to disk; the `propose` command reads it from the environment at runtime. This means:
+
+- No private key in conversation history or context window
+- No risk of leaking the key through prompt injection
+- The agent only needs the public address (for wallet links)
+
 ## Env
 
 | Variable | Required | Description |
 |----------|----------|-------------|
-| `NODPAY_AGENT_KEY` | ✅ | Agent's private key (hex) |
+| `NODPAY_AGENT_KEY` | ✅ | Agent's private key — use `npx nodpay keygen` to generate securely |
 
 ## Supported chains
 

package/SKILL.md

@@ -115,6 +115,7 @@ One agent key serves all wallets — multi-wallet is handled user-side (differen
 ```bash
 NODPAY_AGENT_KEY=0x... \
 npx nodpay propose \
+  --chain <CHAIN_NAME> \
   --safe <WALLET_ADDRESS> \
   --to <RECIPIENT> \
   --value-eth <AMOUNT> \
@@ -159,6 +160,7 @@ Always check before proposing — this tells you the current nonce, pending ops,
 
 | Flag | Required | Description |
 |------|----------|-------------|
+| `--chain` | ✅ | Chain name (e.g. `ethereum`, `base`, `sepolia`) |
 | `--safe` | ✅ | Wallet (Safe) address |
 | `--to` | ✅ | Recipient address |
 | `--value-eth` | ✅ | Amount in ETH |
@@ -178,7 +180,7 @@ Only one env var is required:
 |-----|-------------|
 | `NODPAY_AGENT_KEY` | Agent signing key (required) |
 
-Chain config (RPC, bundler, explorer) is auto-resolved from `references/networks.json`. No need to set `RPC_URL`, `CHAIN_ID`, or bundler keys.
+Chain config (RPC, bundler) is auto-resolved via `--chain` from [`@nodpay/core/networks`](https://www.npmjs.com/package/@nodpay/core). You can override with `RPC_URL`/`CHAIN_ID` env vars if needed, but `--chain` is the recommended way.
 
 ### Supported Chains
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodpay",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "NodPay CLI — propose on-chain payments from agent-human shared wallets",
   "type": "module",
   "bin": {

package/scripts/propose.mjs

@@ -37,10 +37,31 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 const PENDING_DIR = join(__dirname, '..', '.pending-txs');
 mkdirSync(PENDING_DIR, { recursive: true });
 
-const RPC_URL = process.env.RPC_URL;
-const CHAIN_ID = process.env.CHAIN_ID;
+// Resolve chain config: --chain flag auto-resolves from networks.json, env vars as fallback
+import { createRequire } from 'module';
+const require = createRequire(import.meta.url);
+const NETWORKS = require('@nodpay/core/networks');
+const allChains = { ...NETWORKS.mainnet, ...NETWORKS.testnet };
+
+const chainArg = process.argv.includes('--chain')
+  ? process.argv[process.argv.indexOf('--chain') + 1]
+  : null;
+
+let RPC_URL, CHAIN_ID;
+if (chainArg) {
+  const net = allChains[chainArg];
+  if (!net) {
+    console.error(`Error: Unknown chain "${chainArg}". Supported: ${Object.keys(allChains).join(', ')}`);
+    process.exit(1);
+  }
+  RPC_URL = process.env.RPC_URL || net.rpcUrl;
+  CHAIN_ID = String(net.chainId);
+} else {
+  RPC_URL = process.env.RPC_URL;
+  CHAIN_ID = process.env.CHAIN_ID;
+}
 if (!RPC_URL || !CHAIN_ID) {
-  console.error('Error: RPC_URL and CHAIN_ID environment variables are required.\nSet them for your target chain. See references/networks.json for supported chains.');
+  console.error('Error: Specify --chain <name> or set RPC_URL + CHAIN_ID env vars.\nSupported chains: ' + Object.keys(allChains).join(', '));
   process.exit(1);
 }
 const ENTRYPOINT_ADDRESS = ENTRYPOINT;