refactor(owx): remove unused types and optimize memory handling for secret material

Remove unused ChainId CAIP-2 type and related validation logic from chain.rs. Remove log_agent convenience method from audit.rs. Remove SecretKey wrapper type from credential.rs, moving all secret key handling into internal modules.

Optimize secret material handling: change Secret::to_bytes to return Zeroizing<Vec<u8>> for automatic memory scrubbing, remove manual zeroize call in create_api_key. Convert Config::default_rpc to

Author: gitctrlx

owx/src/audit.rs

@@ -83,27 +83,6 @@ impl AuditLog {
         });
     }
 
-    /// Convenience: log an agent operation.
-    pub fn log_agent(
-        &self,
-        operation: &str,
-        wallet_id: Option<&str>,
-        api_key_id: &str,
-        chain_id: Option<&str>,
-        success: bool,
-        error: Option<&str>,
-    ) {
-        self.log(&AuditEntry {
-            timestamp: chrono::Utc::now().to_rfc3339(),
-            operation: operation.to_owned(),
-            wallet_id: wallet_id.map(ToOwned::to_owned),
-            api_key_id: Some(api_key_id.to_owned()),
-            chain_id: chain_id.map(ToOwned::to_owned),
-            success,
-            error: error.map(ToOwned::to_owned),
-        });
-    }
-
     /// Read all audit entries from the log file.
     ///
     /// Returns an empty vec if the file does not exist.

owx/src/broadcast.rs

@@ -174,7 +174,7 @@ pub fn resolve_rpc(
             return Ok(v.clone());
         }
     }
-    for (k, v) in &defaults {
+    for (k, v) in defaults {
         if k.starts_with(ns) {
             return Ok(v.clone());
         }

owx/src/chain.rs

@@ -7,7 +7,7 @@
 use std::fmt;
 use std::str::FromStr;
 
-use serde::{Deserialize, Serialize, de};
+use serde::{Deserialize, Serialize};
 
 /// Master chain table. Every row is:
 ///
@@ -123,98 +123,6 @@ macro_rules! impl_chain_family_methods {
 }
 for_each_chain!(impl_chain_family_methods);
 
-/// CAIP-2 chain identifier (`namespace:reference`).
-#[derive(Debug, Clone, Eq)]
-pub struct ChainId {
-    /// CAIP-2 namespace (e.g. "eip155", "solana").
-    pub namespace: String,
-    /// CAIP-2 reference (e.g. "1", "mainnet").
-    pub reference: String,
-}
-
-impl ChainId {
-    /// Validate a CAIP-2 namespace: 3–8 chars, `[a-z0-9]` only.
-    fn validate_namespace(ns: &str) -> Result<(), String> {
-        if !(3..=8).contains(&ns.len()) {
-            return Err(format!(
-                "namespace must be 3–8 chars, got {} ('{ns}')",
-                ns.len()
-            ));
-        }
-        if !ns
-            .bytes()
-            .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit())
-        {
-            return Err(format!("namespace must be [a-z0-9], got '{ns}'"));
-        }
-        Ok(())
-    }
-
-    /// Validate a CAIP-2 reference: 1–64 chars, `[a-zA-Z0-9-_]` only.
-    fn validate_reference(r: &str) -> Result<(), String> {
-        if r.is_empty() || r.len() > 64 {
-            return Err(format!(
-                "reference must be 1–64 chars, got {} ('{r}')",
-                r.len()
-            ));
-        }
-        if !r
-            .bytes()
-            .all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
-        {
-            return Err(format!("reference contains invalid chars: '{r}'"));
-        }
-        Ok(())
-    }
-}
-
-impl FromStr for ChainId {
-    type Err = String;
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        let (ns, reference) = s
-            .split_once(':')
-            .ok_or_else(|| format!("expected 'namespace:reference', got '{s}'"))?;
-        Self::validate_namespace(ns)?;
-        Self::validate_reference(reference)?;
-        Ok(Self {
-            namespace: ns.to_owned(),
-            reference: reference.to_owned(),
-        })
-    }
-}
-
-impl fmt::Display for ChainId {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "{}:{}", self.namespace, self.reference)
-    }
-}
-
-impl PartialEq for ChainId {
-    fn eq(&self, other: &Self) -> bool {
-        self.namespace == other.namespace && self.reference == other.reference
-    }
-}
-
-impl std::hash::Hash for ChainId {
-    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
-        self.namespace.hash(state);
-        self.reference.hash(state);
-    }
-}
-
-impl Serialize for ChainId {
-    fn serialize<S: serde::Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
-        serializer.serialize_str(&self.to_string())
-    }
-}
-
-impl<'de> Deserialize<'de> for ChainId {
-    fn deserialize<D: serde::Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error> {
-        let s = String::deserialize(deserializer)?;
-        s.parse().map_err(de::Error::custom)
-    }
-}
-
 /// A resolved chain: name + family + CAIP-2 identifier.
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub struct Chain {
@@ -470,22 +378,6 @@ mod tests {
         }
     }
 
-    #[test]
-    fn chain_id_parse_valid() {
-        let id: ChainId = "eip155:1".parse().unwrap();
-        assert_eq!(id.namespace, "eip155");
-        assert_eq!(id.reference, "1");
-        assert_eq!(id.to_string(), "eip155:1");
-    }
-
-    #[test]
-    fn chain_id_reject_invalid() {
-        assert!("".parse::<ChainId>().is_err());
-        assert!("ab:1".parse::<ChainId>().is_err());
-        assert!("eip1551".parse::<ChainId>().is_err());
-        assert!("EIP155:1".parse::<ChainId>().is_err());
-    }
-
     #[test]
     fn default_chain_all_families() {
         for &fam in &ALL_FAMILIES {

owx/src/config.rs

@@ -2,6 +2,7 @@
 
 use std::collections::HashMap;
 use std::path::{Path, PathBuf};
+use std::sync::LazyLock;
 
 use serde::{Deserialize, Serialize};
 
@@ -36,60 +37,63 @@ pub struct Config {
 }
 
 impl Config {
-    /// Built-in default RPC endpoints for well-known chains.
+    /// Built-in default RPC endpoints for well-known chains (lazily initialized).
     #[must_use]
-    pub fn default_rpc() -> HashMap<String, String> {
-        HashMap::from([
-            ("eip155:1".into(), "https://eth.llamarpc.com".into()),
-            ("eip155:137".into(), "https://polygon-rpc.com".into()),
-            ("eip155:42161".into(), "https://arb1.arbitrum.io/rpc".into()),
-            ("eip155:10".into(), "https://mainnet.optimism.io".into()),
-            ("eip155:8453".into(), "https://mainnet.base.org".into()),
-            (
-                "eip155:56".into(),
-                "https://bsc-dataseed.binance.org".into(),
-            ),
-            ("eip155:9745".into(), "https://rpc.plasma.to".into()),
-            (
-                "eip155:43114".into(),
-                "https://api.avax.network/ext/bc/C/rpc".into(),
-            ),
-            (
-                "eip155:42793".into(),
-                "https://node.mainnet.etherlink.com".into(),
-            ),
-            (
-                "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp".into(),
-                "https://api.mainnet-beta.solana.com".into(),
-            ),
-            (
-                "bip122:000000000019d6689c085ae165831e93".into(),
-                "https://mempool.space/api".into(),
-            ),
-            (
-                "cosmos:cosmoshub-4".into(),
-                "https://cosmos-rest.publicnode.com".into(),
-            ),
-            ("tron:mainnet".into(), "https://api.trongrid.io".into()),
-            ("ton:mainnet".into(), "https://toncenter.com/api/v2".into()),
-            (
-                "fil:mainnet".into(),
-                "https://api.node.glif.io/rpc/v1".into(),
-            ),
-            (
-                "sui:mainnet".into(),
-                "https://fullnode.mainnet.sui.io:443".into(),
-            ),
-            ("xrpl:mainnet".into(), "https://s1.ripple.com:51234".into()),
-            (
-                "xrpl:testnet".into(),
-                "https://s.altnet.rippletest.net:51234".into(),
-            ),
-            (
-                "xrpl:devnet".into(),
-                "https://s.devnet.rippletest.net:51234".into(),
-            ),
-        ])
+    pub fn default_rpc() -> &'static HashMap<String, String> {
+        static RPC: LazyLock<HashMap<String, String>> = LazyLock::new(|| {
+            HashMap::from([
+                ("eip155:1".into(), "https://eth.llamarpc.com".into()),
+                ("eip155:137".into(), "https://polygon-rpc.com".into()),
+                ("eip155:42161".into(), "https://arb1.arbitrum.io/rpc".into()),
+                ("eip155:10".into(), "https://mainnet.optimism.io".into()),
+                ("eip155:8453".into(), "https://mainnet.base.org".into()),
+                (
+                    "eip155:56".into(),
+                    "https://bsc-dataseed.binance.org".into(),
+                ),
+                ("eip155:9745".into(), "https://rpc.plasma.to".into()),
+                (
+                    "eip155:43114".into(),
+                    "https://api.avax.network/ext/bc/C/rpc".into(),
+                ),
+                (
+                    "eip155:42793".into(),
+                    "https://node.mainnet.etherlink.com".into(),
+                ),
+                (
+                    "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp".into(),
+                    "https://api.mainnet-beta.solana.com".into(),
+                ),
+                (
+                    "bip122:000000000019d6689c085ae165831e93".into(),
+                    "https://mempool.space/api".into(),
+                ),
+                (
+                    "cosmos:cosmoshub-4".into(),
+                    "https://cosmos-rest.publicnode.com".into(),
+                ),
+                ("tron:mainnet".into(), "https://api.trongrid.io".into()),
+                ("ton:mainnet".into(), "https://toncenter.com/api/v2".into()),
+                (
+                    "fil:mainnet".into(),
+                    "https://api.node.glif.io/rpc/v1".into(),
+                ),
+                (
+                    "sui:mainnet".into(),
+                    "https://fullnode.mainnet.sui.io:443".into(),
+                ),
+                ("xrpl:mainnet".into(), "https://s1.ripple.com:51234".into()),
+                (
+                    "xrpl:testnet".into(),
+                    "https://s.altnet.rippletest.net:51234".into(),
+                ),
+                (
+                    "xrpl:devnet".into(),
+                    "https://s.devnet.rippletest.net:51234".into(),
+                ),
+            ])
+        });
+        &RPC
     }
 
     /// Look up an RPC URL by CAIP-2 chain ID.
@@ -123,7 +127,7 @@ impl Default for Config {
     fn default() -> Self {
         Self {
             vault_path: default_vault_path(),
-            rpc: Self::default_rpc(),
+            rpc: Self::default_rpc().clone(),
             plugins: HashMap::new(),
             backup: None,
         }

owx/src/credential.rs

@@ -1,6 +1,4 @@
-//! Authentication credentials and secret key material.
-
-use crate::error::Error;
+//! Authentication credentials.
 
 /// Authentication credential for wallet operations.
 ///
@@ -37,40 +35,6 @@ impl<'a> Credential<'a> {
     }
 }
 
-/// A private signing key that is zeroized on drop.
-///
-/// Wraps raw key bytes (not hex). Never exposed outside the `owx` crate
-/// as a public type — callers interact only through `Owx` methods.
-pub struct SecretKey(zeroize::Zeroizing<Vec<u8>>);
-
-impl SecretKey {
-    /// Create from raw bytes.
-    #[must_use]
-    pub fn new(bytes: Vec<u8>) -> Self {
-        Self(zeroize::Zeroizing::new(bytes))
-    }
-
-    /// Create from a hex-encoded string.
-    pub fn from_hex(hex_str: &str) -> Result<Self, Error> {
-        let clean = hex_str.strip_prefix("0x").unwrap_or(hex_str);
-        let bytes =
-            hex::decode(clean).map_err(|e| Error::InvalidInput(format!("invalid hex key: {e}")))?;
-        Ok(Self::new(bytes))
-    }
-
-    /// Expose the raw key bytes.
-    #[must_use]
-    pub fn as_bytes(&self) -> &[u8] {
-        &self.0
-    }
-}
-
-impl std::fmt::Debug for SecretKey {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.write_str("SecretKey([REDACTED])")
-    }
-}
-
 #[cfg(test)]
 #[allow(clippy::unwrap_used)]
 mod tests {
@@ -95,31 +59,4 @@ mod tests {
     fn parse_empty_is_passphrase() {
         assert!(matches!(Credential::parse(""), Credential::Passphrase("")));
     }
-
-    #[test]
-    fn secret_key_from_hex() {
-        let key =
-            SecretKey::from_hex("4c0883a69102937d6231471b5dbb6204fe5129617082792ae468d01a3f362318")
-                .unwrap();
-        assert_eq!(key.as_bytes().len(), 32);
-    }
-
-    #[test]
-    fn secret_key_strips_0x_prefix() {
-        let key = SecretKey::from_hex("0xaabb").unwrap();
-        assert_eq!(key.as_bytes(), &[0xaa, 0xbb]);
-    }
-
-    #[test]
-    fn secret_key_invalid_hex_rejected() {
-        assert!(SecretKey::from_hex("not-hex").is_err());
-    }
-
-    #[test]
-    fn secret_key_debug_redacted() {
-        let key = SecretKey::from_hex("aabb").unwrap();
-        let dbg = format!("{key:?}");
-        assert_eq!(dbg, "SecretKey([REDACTED])");
-        assert!(!dbg.contains("aa"));
-    }
 }