Encrypt private keys at rest using Alloy's built-in keystore methods

Cargo.toml

@@ -15,7 +15,7 @@ path = "src/main.rs"
 
 [dependencies]
 polymarket-client-sdk = { version = "0.4", features = ["gamma", "data", "bridge", "clob", "ctf"] }
-alloy = { version = "1.6.3", default-features = false, features = ["providers", "sol-types", "contract", "reqwest", "reqwest-rustls-tls", "signer-local", "signers"] }
+alloy = { version = "1.6.3", default-features = false, features = ["providers", "sol-types", "contract", "reqwest", "reqwest-rustls-tls", "signer-local", "signers", "signer-keystore"] }
 clap = { version = "4", features = ["derive"] }
 tokio = { version = "1", features = ["rt-multi-thread", "macros"] }
 serde_json = "1"
@@ -26,6 +26,9 @@ anyhow = "1"
 chrono = "0.4"
 dirs = "6"
 rustyline = "15"
+rpassword = "7"
+rand = "0.8"
+secrecy = "0.10"
 
 [dev-dependencies]
 assert_cmd = "2"

src/auth.rs

@@ -6,6 +6,7 @@ use polymarket_client_sdk::auth::state::Authenticated;
 use polymarket_client_sdk::auth::{LocalSigner, Normal, Signer as _};
 use polymarket_client_sdk::clob::types::SignatureType;
 use polymarket_client_sdk::{POLYGON, clob};
+use secrecy::{ExposeSecret, SecretString};
 
 use crate::config;
 
@@ -19,12 +20,47 @@ fn parse_signature_type(s: &str) -> SignatureType {
     }
 }
 
+/// Resolve the private key hex string, prompting for password if needed.
+pub(crate) fn resolve_key_string(private_key: Option<&str>) -> Result<SecretString> {
+    // 1. CLI flag (highest priority — never overridden by migration)
+    if let Some(key) = private_key {
+        return Ok(SecretString::from(key.to_string()));
+    }
+    // 2. Env var
+    if let Ok(key) = std::env::var(config::ENV_VAR)
+        && !key.is_empty()
+    {
+        return Ok(SecretString::from(key));
+    }
+
+    // Auto-migrate plaintext config to encrypted keystore
+    if config::needs_migration() {
+        eprintln!("Your wallet key is stored in plaintext. Encrypting it now...");
+        let password = crate::password::prompt_new_password()?;
+        config::migrate_to_encrypted(&password)?;
+        eprintln!("Wallet key encrypted successfully.");
+        return config::load_key_encrypted(password.expose_secret());
+    }
+    // 3. Old config (plaintext — for backward compat)
+    if let Some(cfg) = config::load_config()
+        && !cfg.private_key.is_empty()
+    {
+        return Ok(SecretString::from(cfg.private_key));
+    }
+    // 4. Encrypted keystore with retry
+    if config::keystore_exists() {
+        return crate::password::prompt_password_with_retries(|pw| {
+            config::load_key_encrypted(pw)
+        });
+    }
+    anyhow::bail!("{}", config::NO_WALLET_MSG)
+}
+
 pub fn resolve_signer(
     private_key: Option<&str>,
 ) -> Result<impl polymarket_client_sdk::auth::Signer> {
-    let (key, _) = config::resolve_key(private_key);
-    let key = key.ok_or_else(|| anyhow::anyhow!("{}", config::NO_WALLET_MSG))?;
-    LocalSigner::from_str(&key)
+    let key = resolve_key_string(private_key)?;
+    LocalSigner::from_str(key.expose_secret())
         .context("Invalid private key")
         .map(|s| s.with_chain_id(Some(POLYGON)))
 }
@@ -61,9 +97,8 @@ pub async fn create_readonly_provider() -> Result<impl alloy::providers::Provide
 pub async fn create_provider(
     private_key: Option<&str>,
 ) -> Result<impl alloy::providers::Provider + Clone> {
-    let (key, _) = config::resolve_key(private_key);
-    let key = key.ok_or_else(|| anyhow::anyhow!("{}", config::NO_WALLET_MSG))?;
-    let signer = LocalSigner::from_str(&key)
+    let key = resolve_key_string(private_key)?;
+    let signer = LocalSigner::from_str(key.expose_secret())
         .context("Invalid private key")?
         .with_chain_id(Some(POLYGON));
     ProviderBuilder::new()