ProjectOpenSea
diff --git a/‎src/__tests__/auth.test.ts‎
Lines changed: 106 additions & 3 deletions b/‎src/__tests__/auth.test.ts‎
Lines changed: 106 additions & 3 deletions
diff --git a/‎src/__tests__/deploy.test.ts‎
Lines changed: 123 additions & 0 deletions b/‎src/__tests__/deploy.test.ts‎
Lines changed: 123 additions & 0 deletions
@@ -3,10 +3,13 @@ import { afterEach, describe, expect, it, vi } from "vitest"
 // Hardhat/Anvil account #0 — deterministic test key, never holds real funds
 const PRIVATE_KEY =
   "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
+const BANKR_ADDRESS = "0x8b8e1C20E0630De8C60f0e0D5C3e9C7c20F0c20e"
 
 afterEach(() => {
   vi.unstubAllGlobals()
   vi.restoreAllMocks()
+  delete process.env.TOOL_SDK_PRIVATE_KEY
+  delete process.env.BANKR_API_KEY
 })
 
 describe("auth command", () => {
@@ -61,7 +64,6 @@ describe("auth command", () => {
     expect(calls[0].headers["content-type"]).toBe("application/json")
 
     logSpy.mockRestore()
-    delete process.env.TOOL_SDK_PRIVATE_KEY
   })
 
   it("prints hint on 401 auth failure", async () => {
@@ -93,7 +95,6 @@ describe("auth command", () => {
     expect(output).toContain("SIWE authentication failed")
 
     logSpy.mockRestore()
-    delete process.env.TOOL_SDK_PRIVATE_KEY
   })
 
   it("prints hint on 403 with predicate address and toolId", async () => {
@@ -131,6 +132,108 @@ describe("auth command", () => {
     expect(output).toContain("tool-sdk inspect --tool-id 42")
 
     logSpy.mockRestore()
-    delete process.env.TOOL_SDK_PRIVATE_KEY
+  })
+})
+
+function stubBankrFetch() {
+  return vi.fn(async (url: string, init?: RequestInit) => {
+    if (typeof url === "string" && url.includes("/wallet/info")) {
+      return new Response(JSON.stringify({ address: BANKR_ADDRESS }), {
+        status: 200,
+      })
+    }
+    if (typeof url === "string" && url.includes("/wallet/sign")) {
+      return new Response(JSON.stringify({ signature: "0xdeadbeef" }), {
+        status: 200,
+      })
+    }
+    // Tool endpoint
+    const headers = Object.fromEntries(
+      Object.entries(init?.headers ?? {}),
+    ) as Record<string, string>
+    return new Response(JSON.stringify({ result: "ok", headers }), {
+      status: 200,
+    })
+  })
+}
+
+describe("auth command with --bankr-key", () => {
+  it("uses Bankr signer when BANKR_API_KEY is set", async () => {
+    const fetchMock = stubBankrFetch()
+    vi.stubGlobal("fetch", fetchMock)
+
+    const logSpy = vi.spyOn(console, "log").mockImplementation(() => {})
+    process.env.BANKR_API_KEY = "test-bankr-key"
+
+    const { authCommand } = await import("../cli/commands/auth.js")
+
+    await authCommand.parseAsync([
+      "node",
+      "auth",
+      "https://tool.example.com/api",
+      "--body",
+      "{}",
+    ])
+
+    // Should have called /wallet/info first
+    expect(fetchMock.mock.calls[0][0]).toContain("/wallet/info")
+
+    // Should print the Bankr address
+    const output = logSpy.mock.calls.map(c => c.join(" ")).join("\n")
+    expect(output.toLowerCase()).toContain(BANKR_ADDRESS.toLowerCase())
+
+    logSpy.mockRestore()
+  })
+
+  it("errors when both --key and --bankr-key are provided", async () => {
+    const errorSpy = vi.spyOn(console, "error").mockImplementation(() => {})
+    vi.spyOn(console, "log").mockImplementation(() => {})
+    const exitSpy = vi.spyOn(process, "exit").mockImplementation(() => {
+      throw new Error("process.exit")
+    })
+
+    process.env.TOOL_SDK_PRIVATE_KEY = PRIVATE_KEY
+    process.env.BANKR_API_KEY = "test-bankr-key"
+
+    const { authCommand } = await import("../cli/commands/auth.js")
+
+    await expect(
+      authCommand.parseAsync([
+        "node",
+        "auth",
+        "https://tool.example.com/api",
+        "--body",
+        "{}",
+      ]),
+    ).rejects.toThrow("process.exit")
+
+    const output = errorSpy.mock.calls.map(c => c.join(" ")).join("\n")
+    expect(output).toContain("Both --key and --bankr-key")
+    expect(exitSpy).toHaveBeenCalledWith(1)
+  })
+
+  it("shows updated error when neither key is provided", async () => {
+    const errorSpy = vi.spyOn(console, "error").mockImplementation(() => {})
+    vi.spyOn(console, "log").mockImplementation(() => {})
+    const exitSpy = vi.spyOn(process, "exit").mockImplementation(() => {
+      throw new Error("process.exit")
+    })
+
+    const { authCommand } = await import("../cli/commands/auth.js")
+
+    await expect(
+      authCommand.parseAsync([
+        "node",
+        "auth",
+        "https://tool.example.com/api",
+        "--body",
+        "{}",
+      ]),
+    ).rejects.toThrow("process.exit")
+
+    const output = errorSpy.mock.calls.map(c => c.join(" ")).join("\n")
+    expect(output).toContain("TOOL_SDK_PRIVATE_KEY")
+    expect(output).toContain("BANKR_API_KEY")
+    expect(exitSpy).toHaveBeenCalledWith(1)
   })
 })
@@ -12,7 +12,9 @@ import {
 import {
   execCmd,
   extractDeploymentUrl,
+  isSensitiveEnvVar,
   parseEnvExample,
+  tryRecoverDeployUrl,
 } from "../cli/commands/deploy.js"
 
 const fixturesDir = join(import.meta.dirname, "__fixtures_deploy__")
@@ -124,6 +126,45 @@ describe("extractDeploymentUrl", () => {
   })
 })
 
+describe("isSensitiveEnvVar", () => {
+  it.each([
+    "OPENSEA_API_KEY",
+    "ANTHROPIC_API_KEY",
+    "MY_SECRET",
+    "AUTH_TOKEN",
+    "DB_PASSWORD",
+    "WALLET_PRIVATE",
+  ])("should return true for sensitive var %s", name => {
+    expect(isSensitiveEnvVar(name)).toBe(true)
+  })
+
+  it.each([
+    "CREATOR_ADDRESS",
+    "TOOL_ENDPOINT",
+    "DATABASE_URL",
+    "NODE_ENV",
+    "PORT",
+    "KEYBOARD_LAYOUT",
+  ])("should return false for non-sensitive var %s", name => {
+    expect(isSensitiveEnvVar(name)).toBe(false)
+  })
+
+  it("should be case-insensitive", () => {
+    expect(isSensitiveEnvVar("my_api_key")).toBe(true)
+    expect(isSensitiveEnvVar("My_Secret")).toBe(true)
+    expect(isSensitiveEnvVar("auth_token")).toBe(true)
+  })
+
+  it("should only match at the end of the name", () => {
+    expect(isSensitiveEnvVar("SECRET_NAME")).toBe(false)
+    expect(isSensitiveEnvVar("TOKEN_EXPIRY")).toBe(false)
+    expect(isSensitiveEnvVar("PASSWORD_RESET_URL")).toBe(false)
+    expect(isSensitiveEnvVar("RESET_TOKEN_COUNT")).toBe(false)
+    expect(isSensitiveEnvVar("MY_SECRET_NAME")).toBe(false)
+    expect(isSensitiveEnvVar("MY_KEY_STORE")).toBe(false)
+  })
+})
+
 describe("execCmd", () => {
   it("should execute a simple command and return output", () => {
     const result = execCmd("echo hello", { silent: true })
@@ -139,3 +180,85 @@ describe("execCmd", () => {
     expect(result).toBe("test-input")
   })
 })
+
+describe("tryRecoverDeployUrl", () => {
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  it("should return undefined when no URL in error message", async () => {
+    const result = await tryRecoverDeployUrl(
+      "Something went wrong",
+      fixturesDir,
+    )
+    expect(result).toBeUndefined()
+  })
+
+  it("should return URL when manifest responds 200", async () => {
+    const manifestDir = join(fixturesDir, "recover-200")
+    mkdirSync(join(manifestDir, "src"), { recursive: true })
+    writeFileSync(join(manifestDir, "src", "manifest.ts"), "")
+    writeFileSync(
+      join(manifestDir, "package.json"),
+      JSON.stringify({ name: "my-tool" }),
+    )
+
+    vi.stubGlobal("fetch", vi.fn().mockResolvedValue({ status: 200 }))
+
+    const result = await tryRecoverDeployUrl(
+      "Error: command exited with code 1\nhttps://my-tool-abc123.vercel.app\nsome other output",
+      manifestDir,
+    )
+    expect(result).toBe("https://my-tool-abc123.vercel.app")
+  })
+
+  it("should return undefined when manifest responds non-200", async () => {
+    const manifestDir = join(fixturesDir, "recover-404")
+    mkdirSync(join(manifestDir, "src"), { recursive: true })
+    writeFileSync(join(manifestDir, "src", "manifest.ts"), "")
+    writeFileSync(
+      join(manifestDir, "package.json"),
+      JSON.stringify({ name: "my-tool" }),
+    )
+
+    vi.stubGlobal("fetch", vi.fn().mockResolvedValue({ status: 404 }))
+
+    const result = await tryRecoverDeployUrl(
+      "Error: failed\nhttps://my-tool-abc123.vercel.app",
+      manifestDir,
+    )
+    expect(result).toBeUndefined()
+  })
+
+  it("should return URL when manifest URL cannot be derived", async () => {
+    const emptyDir = join(fixturesDir, "recover-no-manifest")
+    mkdirSync(emptyDir, { recursive: true })
+
+    const result = await tryRecoverDeployUrl(
+      "Error: exit 1\nhttps://my-tool-abc123.vercel.app",
+      emptyDir,
+    )
+    expect(result).toBe("https://my-tool-abc123.vercel.app")
+  })
+
+  it("should return undefined when fetch throws", async () => {
+    const manifestDir = join(fixturesDir, "recover-fetch-err")
+    mkdirSync(join(manifestDir, "src"), { recursive: true })
+    writeFileSync(join(manifestDir, "src", "manifest.ts"), "")
+    writeFileSync(
+      join(manifestDir, "package.json"),
+      JSON.stringify({ name: "my-tool" }),
+    )
+
+    vi.stubGlobal(
+      "fetch",
+      vi.fn().mockRejectedValue(new Error("network error")),
+    )
+
+    const result = await tryRecoverDeployUrl(
+      "Error: failed\nhttps://my-tool-abc123.vercel.app",
+      manifestDir,
+    )
+    expect(result).toBeUndefined()
+  })
+})