npm - nodpay - Versions diffs - 0.2.35 → 0.2.36 - Mend

nodpay 0.2.35 → 0.2.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nodpay",
-  "version": "0.2.35",
+  "version": "0.2.36",
   "description": "NodPay CLI — propose on-chain payments from agent-human shared wallets",
   "type": "module",
   "bin": {

package/scripts/env.mjs ADDED Viewed

@@ -0,0 +1,59 @@
+/**
+ * Unified environment variable loader for NodPay CLI.
+ *
+ * Priority (highest wins):
+ *   1. process.env (real env — set by caller, SafeClaw injection, container, etc.)
+ *   2. ~/.nodpay/.env file (convenience layer for local dev)
+ *
+ * The .env file is loaded into process.env WITHOUT overriding existing values.
+ * This matches standard dotenv behavior and Unix conventions:
+ *   NODPAY_AGENT_KEY=0xabc npx nodpay propose  →  uses 0xabc, ignores file
+ *
+ * After loadDotEnv(), all code reads from process.env uniformly.
+ */
+import { readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+const HOME = process.env.HOME || process.env.USERPROFILE || '/tmp';
+const DEFAULT_ENV_PATH = join(HOME, '.nodpay', '.env');
+/**
+ * Parse a .env file and load values into process.env.
+ * Does NOT override existing env vars (real env takes priority).
+ *
+ * @param {string} [envPath] - Path to .env file. Defaults to ~/.nodpay/.env
+ */
+export function loadDotEnv(envPath = DEFAULT_ENV_PATH) {
+  if (!existsSync(envPath)) return;
+  try {
+    const lines = readFileSync(envPath, 'utf8').split('\n');
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith('#') || !trimmed.includes('=')) continue;
+      const eqIdx = trimmed.indexOf('=');
+      const name = trimmed.slice(0, eqIdx).trim();
+      const value = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, '');
+      // Only set if not already in process.env (real env wins)
+      if (!(name in process.env)) {
+        process.env[name] = value;
+      }
+    }
+  } catch {
+    // Non-fatal: .env file may not exist or be unreadable
+  }
+}
+/**
+ * Get an env var after .env has been loaded.
+ * Convenience wrapper — just reads process.env.
+ *
+ * @param {string} name - Environment variable name
+ * @param {string} [fallback] - Default value if not set
+ * @returns {string|undefined}
+ */
+export function env(name, fallback) {
+  return process.env[name] || fallback;
+}
+export { HOME, DEFAULT_ENV_PATH };

package/scripts/keygen.mjs CHANGED Viewed

@@ -14,41 +14,32 @@
 import { Wallet } from 'ethers';
 import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync } from 'fs';
 import { resolve, dirname, join } from 'path';
+import { loadDotEnv, env, HOME } from './env.mjs';
 const args = process.argv.slice(2);
 const envFileIdx = args.indexOf('--env-file');
-const HOME = process.env.HOME || process.env.USERPROFILE || '/tmp';
 const envFile = envFileIdx !== -1
   ? resolve(args[envFileIdx + 1])
   : join(HOME, '.nodpay', '.env');
 const ENV_VAR = 'NODPAY_AGENT_KEY';
-// Check if key already exists in the env file
-function findExistingKey() {
-  if (!existsSync(envFile)) return null;
-  const lines = readFileSync(envFile, 'utf8').split('\n');
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
-    const [name, ...rest] = trimmed.split('=');
-    if (name.trim() === ENV_VAR) {
-      const value = rest.join('=').trim().replace(/^["']|["']$/g, '');
-      if (value) return value;
-    }
-  }
-  return null;
-}
+// Load .env file into process.env (real env takes priority)
+loadDotEnv(envFile);
-const existing = findExistingKey();
+// Check if key already exists (process.env — from real env or .env file)
+const existing = env(ENV_VAR);
 if (existing) {
   try {
     const wallet = new Wallet(existing);
     console.log(wallet.address);
-    console.error(`${ENV_VAR} already configured in ${envFile}`);
+    const source = process.env[ENV_VAR] === existing && !existsSync(envFile)
+      ? 'environment variable'
+      : envFile;
+    console.error(`${ENV_VAR} already configured (${source})`);
   } catch {
-    console.error(`${ENV_VAR} exists in ${envFile} but is invalid. Remove it and re-run.`);
+    console.error(`${ENV_VAR} is set but invalid. Check your env or ${envFile}.`);
     process.exit(1);
   }
 } else {

package/scripts/propose.mjs CHANGED Viewed

@@ -6,7 +6,7 @@
  * The agent signs first (1 of 2). The serialized SafeOperation is
  * output so the web app can have the user co-sign and submit.
  *
- * Agent key: read from .nodpay/.env or via --remote-signer (SafeClaw proxy).
+ * Agent key: from process.env.NODPAY_AGENT_KEY (real env > ~/.nodpay/.env file > --remote-signer).
  * Chain config: resolved via --chain from @nodpay/core networks registry.
  * Bundler: NodPay public proxy (override with OP_STORE_URL for self-hosted).
  *
@@ -27,15 +27,22 @@
 import { Safe4337Pack } from '@safe-global/relay-kit';
 import { ethers } from 'ethers';
-import { readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
 import { computeUserOpHash, ENTRYPOINT } from '@nodpay/core';
+import { loadDotEnv, env, HOME } from './env.mjs';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PENDING_DIR = join(__dirname, '..', '.pending-txs');
 mkdirSync(PENDING_DIR, { recursive: true });
+// Load ~/.nodpay/.env into process.env (real env takes priority, file is fallback)
+const _envFileArg = process.argv.includes('--env-file')
+  ? process.argv[process.argv.indexOf('--env-file') + 1]
+  : undefined;
+loadDotEnv(_envFileArg);
 // Resolve chain config: --chain flag auto-resolves from networks.json, env vars as fallback
 import { createRequire } from 'module';
 const require = createRequire(import.meta.url);
@@ -64,26 +71,10 @@ if (chainArg) {
 }
 const ENTRYPOINT_ADDRESS = ENTRYPOINT;
-const HOME = process.env.HOME || process.env.USERPROFILE || '/tmp';
-// SECURITY: Read agent key from ~/.nodpay/.env file (chmod 600), not from
-// process.env or CLI args. The key is loaded at runtime by the script itself,
-// so it never passes through the LLM agent's context or conversation history.
-function loadAgentKey() {
-  try {
-    const envPath = join(HOME, '.nodpay', '.env');
-    const lines = readFileSync(envPath, 'utf8').split('\n');
-    for (const line of lines) {
-      const trimmed = line.trim();
-      if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
-      const [name, ...rest] = trimmed.split('=');
-      if (name.trim() === 'NODPAY_AGENT_KEY') {
-        return rest.join('=').trim().replace(/^["']|["']$/g, '');
-      }
-    }
-  } catch {}
-  return null;
-}
+// SECURITY: Agent key is read from process.env.NODPAY_AGENT_KEY.
+// The .env file was loaded above (loadDotEnv) without overriding real env vars.
+// Priority: real env (SafeClaw injection, container, explicit) > .env file.
+// The key never appears in stdout or agent conversation history.
 const DEFAULT_SAFE = null; // always use --safe flag
@@ -91,21 +82,7 @@ const DEFAULT_SAFE = null; // always use --safe flag
 // agents don't need their own bundler API key. This is a thin relay — it
 // forwards the UserOp to a bundler service and returns the result. The proxy
 // only sees the already-signed (partial) UserOp; it cannot modify or execute it.
-// Optional overrides (OP_STORE_URL, WEB_APP_URL) also read from ~/.nodpay/.env.
-function loadDotEnvVar(name, fallback) {
-  try {
-    const envPath = join(HOME, '.nodpay', '.env');
-    const lines = readFileSync(envPath, 'utf8').split('\n');
-    for (const line of lines) {
-      const trimmed = line.trim();
-      if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
-      const [k, ...rest] = trimmed.split('=');
-      if (k.trim() === name) return rest.join('=').trim().replace(/^["']|["']$/g, '');
-    }
-  } catch {}
-  return fallback;
-}
-const opStoreBase = loadDotEnvVar('OP_STORE_URL', 'https://nodpay.ai/api');
+const opStoreBase = env('OP_STORE_URL', 'https://nodpay.ai/api');
 const BUNDLER_URL = `${opStoreBase}/bundler/${CHAIN_ID}`;
 // --- Agent key: remote signer (SafeClaw proxy) or local key (~/.nodpay/.env) ---
@@ -143,10 +120,10 @@ if (_remoteSignerUrl) {
     return (await signRes.json()).signature;
   };
 } else {
-  // Local mode: read key from ~/.nodpay/.env (original behavior)
-  const NODPAY_AGENT_KEY = loadAgentKey();
+  // Local mode: read key from process.env (loaded from real env or ~/.nodpay/.env)
+  const NODPAY_AGENT_KEY = env('NODPAY_AGENT_KEY');
   if (!NODPAY_AGENT_KEY) {
-    console.error(JSON.stringify({ error: 'Missing NODPAY_AGENT_KEY in ~/.nodpay/.env — run npx nodpay keygen or use --remote-signer' }));
+    console.error(JSON.stringify({ error: 'Missing NODPAY_AGENT_KEY — set env var, add to ~/.nodpay/.env, or use --remote-signer' }));
     process.exit(1);
   }
   _localAgentKey = NODPAY_AGENT_KEY;
@@ -201,6 +178,18 @@ if (!ethers.isAddress(to)) {
 const SAFE_ADDRESS = safeOverride || DEFAULT_SAFE;
+// Read optional wallet JSON for rpId (SafeClaw cross-origin passkey support)
+let walletRpId = null;
+if (SAFE_ADDRESS) {
+  const walletJsonPath = join(HOME, '.nodpay', 'wallets', `${SAFE_ADDRESS}.json`);
+  if (existsSync(walletJsonPath)) {
+    try {
+      const walletData = JSON.parse(readFileSync(walletJsonPath, 'utf8'));
+      if (walletData.rpId) walletRpId = walletData.rpId;
+    } catch {}
+  }
+}
 if (!isCounterfactual && !SAFE_ADDRESS) {
   console.error(JSON.stringify({ error: 'Missing SAFE_ADDRESS. Use --safe <address> or set SAFE_ADDRESS env, or use --counterfactual.' }));
   process.exit(1);
@@ -588,12 +577,13 @@ try {
       result.opStoreError = storeData.error || `HTTP ${storeRes.status}`;
     }
     if (storeData.shortHash) {
-      const webBase = loadDotEnvVar('WEB_APP_URL', 'https://nodpay.ai/');
+      const webBase = env('WEB_APP_URL', 'https://nodpay.ai/');
       // Build approve URL with passkey params for SafeClaw users (no localStorage)
       const approveParams = new URLSearchParams({ safeOpHash: storeData.safeOpHash });
       if (passkeyX) approveParams.set('px', passkeyX);
       if (passkeyY) approveParams.set('py', passkeyY);
       if (recoverySigner) approveParams.set('recovery', recoverySigner);
+      if (walletRpId) approveParams.set('rpId', walletRpId);
       approveUrl = `${webBase}approve?${approveParams.toString()}`;
       result.approveUrl = approveUrl;
       result.opStoreSafeOpHash = storeData.safeOpHash;