feat: encrypt private keys at rest using Alloy's built-in keystore me…

…thods

Private keys were stored as plaintext in config.json. Now encrypted
using LocalSigner::encrypt_keystore (AES-128-CTR + scrypt) via Alloy's
signer-keystore feature. No new crypto crates added.

- Password-protected keystore.json replaces plaintext key in config.json
- New wallet export command to decrypt and print key for backup
- Auto-migration from plaintext config on first use after upgrade
- POLYMARKET_PASSWORD env var for non-interactive use (scripts/CI)
- 3-retry on wrong password, hidden terminal input via rpassword

Closes #18

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Cargo.toml

@@ -15,7 +15,7 @@ path = "src/main.rs"
 
 [dependencies]
 polymarket-client-sdk = { version = "0.4", features = ["gamma", "data", "bridge", "clob", "ctf"] }
-alloy = { version = "1.6.3", default-features = false, features = ["providers", "sol-types", "contract", "reqwest", "reqwest-rustls-tls", "signer-local", "signers"] }
+alloy = { version = "1.6.3", default-features = false, features = ["providers", "sol-types", "contract", "reqwest", "reqwest-rustls-tls", "signer-local", "signers", "signer-keystore"] }
 clap = { version = "4", features = ["derive"] }
 tokio = { version = "1", features = ["rt-multi-thread", "macros"] }
 serde_json = "1"
@@ -26,6 +26,8 @@ anyhow = "1"
 chrono = "0.4"
 dirs = "6"
 rustyline = "15"
+rpassword = "7"
+rand = "0.8"
 
 [dev-dependencies]
 assert_cmd = "2"

src/auth.rs

@@ -19,11 +19,46 @@ fn parse_signature_type(s: &str) -> SignatureType {
     }
 }
 
+/// Resolve the private key hex string, prompting for password if needed.
+pub(crate) fn resolve_key_string(private_key: Option<&str>) -> Result<String> {
+    // Auto-migrate plaintext config to encrypted keystore
+    if config::needs_migration() {
+        eprintln!("Your wallet key is stored in plaintext. Encrypting it now...");
+        let password = crate::password::prompt_new_password()?;
+        config::migrate_to_encrypted(&password)?;
+        eprintln!("Wallet key encrypted successfully.");
+        return config::load_key_encrypted(&password);
+    }
+
+    // 1. CLI flag
+    if let Some(key) = private_key {
+        return Ok(key.to_string());
+    }
+    // 2. Env var
+    if let Ok(key) = std::env::var(config::ENV_VAR)
+        && !key.is_empty()
+    {
+        return Ok(key);
+    }
+    // 3. Old config (plaintext — for backward compat)
+    if let Some(cfg) = config::load_config()
+        && !cfg.private_key.is_empty()
+    {
+        return Ok(cfg.private_key);
+    }
+    // 4. Encrypted keystore with retry
+    if config::keystore_exists() {
+        return crate::password::prompt_password_with_retries(|pw| {
+            config::load_key_encrypted(pw)
+        });
+    }
+    anyhow::bail!("{}", config::NO_WALLET_MSG)
+}
+
 pub fn resolve_signer(
     private_key: Option<&str>,
 ) -> Result<impl polymarket_client_sdk::auth::Signer> {
-    let (key, _) = config::resolve_key(private_key);
-    let key = key.ok_or_else(|| anyhow::anyhow!("{}", config::NO_WALLET_MSG))?;
+    let key = resolve_key_string(private_key)?;
     LocalSigner::from_str(&key)
         .context("Invalid private key")
         .map(|s| s.with_chain_id(Some(POLYGON)))
@@ -61,8 +96,7 @@ pub async fn create_readonly_provider() -> Result<impl alloy::providers::Provide
 pub async fn create_provider(
     private_key: Option<&str>,
 ) -> Result<impl alloy::providers::Provider + Clone> {
-    let (key, _) = config::resolve_key(private_key);
-    let key = key.ok_or_else(|| anyhow::anyhow!("{}", config::NO_WALLET_MSG))?;
+    let key = resolve_key_string(private_key)?;
     let signer = LocalSigner::from_str(&key)
         .context("Invalid private key")?
         .with_chain_id(Some(POLYGON));

src/commands/setup.rs

@@ -132,7 +132,9 @@ fn setup_wallet() -> Result<Address> {
         (address, hex)
     };
 
-    config::save_wallet(&key_hex, POLYGON, config::DEFAULT_SIGNATURE_TYPE)?;
+    let password = crate::password::prompt_new_password()?;
+    config::save_key_encrypted(&key_hex, &password)?;
+    config::save_wallet_settings(POLYGON, config::DEFAULT_SIGNATURE_TYPE)?;
 
     if has_key {
         println!("  ✓ Wallet imported");
@@ -144,7 +146,7 @@ fn setup_wallet() -> Result<Address> {
 
     if !has_key {
         println!();
-        println!("  ⚠ Back up your private key from the config file.");
+        println!("  ⚠ Remember your password. Use `polymarket wallet export` to back up your key.");
         println!("    If lost, your funds cannot be recovered.");
     }