nansen-wallet

# Wallet

## Auth Setup

```bash
# API key (persistent — recommended)
nansen login
# Or non-interactive:
NANSEN_API_KEY=<key> nansen login

# Verify
nansen research profiler labels --address 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045 --chain ethereum
```

## Password Policy (Agents)

> **CRITICAL: Never hold a wallet password only in memory.**

Wallets are encrypted with AES-256-GCM. A lost password means permanently locked funds — there is no recovery mechanism. Passwords must be persisted to `~/.nansen/.env` so they survive session restarts.

- Never echo or display the password in conversation history
- Never hold a password only in session memory — always persist to `~/.nansen/.env` first

### Setup flow (before first wallet operation)

```bash
# 1. Ensure ~/.nansen exists
mkdir -p ~/.nansen

# 2. Check if password is already configured (env var OR file)
source ~/.nansen/.env 2>/dev/null
if [ -z "$NANSEN_WALLET_PASSWORD" ] && ! grep -q 'NANSEN_WALLET_PASSWORD' ~/.nansen/.env 2>/dev/null; then
  # 3. Generate a strong password and persist it
  NANSEN_WALLET_PASSWORD=$(openssl rand -base64 24)
  echo "export NANSEN_WALLET_PASSWORD=\"$NANSEN_WALLET_PASSWORD\"" >> ~/.nansen/.env
  chmod 600 ~/.nansen/.env
fi
```

Key rules:
- **Generate + persist is fine** — the password lives in `~/.nansen/.env`, not in agent memory
- If `~/.nansen/.env` already has a password, **always use the existing one** — never overwrite
- If the file already exists but has no password, **append** (don't overwrite other vars)

### For all wallet commands

Always source the env file before running wallet operations:
```bash
source ~/.nansen/.env && nansen wallet <command>
```

## Create

```bash
# Source password from .env (auto-generated if needed), then create
source ~/.nansen/.env && nansen wallet create
```

## List & Show

```bash
nansen wallet list
nansen wallet show <name>
nansen wallet default <name>
```

## Send

```bash
# Send native token (SOL, ETH)
nansen wallet send --to <addr> --...