From 5883d3c13f6b87d886df4fb7e7e92b9b03dd9cbf Mon Sep 17 00:00:00 2001
From: "L3-37@Decentraliser" <me@decentraliser.dev>
Date: Mon, 27 Apr 2026 11:32:43 +0000
Subject: [PATCH 1/3] fix(splash): resolve blessed from script dir, suppress
 child stderr

Splash subprocess used `node -e require('blessed')` with stdio inherit. Module resolution starts from cwd, so running emblemai from a directory whose node_modules tree lacks blessed (e.g. ~/repositories/claw-os/) leaked a `Cannot find module 'blessed'` stack trace to stderr. Auth still completed (parent try/catch swallowed the throw), but the noise misled operators and AI agents into thinking auth failed.

Set child cwd to the script directory so require() always resolves the bundled blessed dep, and ignore child stderr so any future failure stays cosmetic.

L3-37 Claude
---
 emblemai.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/emblemai.js b/emblemai.js
index 89492c8..3c2b55e 100755
--- a/emblemai.js
+++ b/emblemai.js
@@ -22,6 +22,7 @@
 import fs from 'fs';
 import path from 'path';
 import os from 'os';
+import { fileURLToPath } from 'url';
 import readline from 'readline';
 import chalk from 'chalk';
 import { loadSessionPreferences, saveSession, saveSessionPreferences } from './src/session-store.js';
@@ -534,6 +535,7 @@ function buildMessages(msgs, pluginManager) {
 async function showSplash() {
   try {
     const { execFileSync } = await import('child_process');
+    const scriptDir = path.dirname(fileURLToPath(import.meta.url));
     execFileSync(process.execPath, ['-e', `
       const blessed = require('blessed');
       const screen = blessed.screen({ smartCSR: false, fullUnicode: false, warnings: false });
@@ -552,7 +554,11 @@ async function showSplash() {
       });
       screen.render();
       setTimeout(() => { screen.destroy(); process.exit(0); }, 2000);
-    `], { stdio: 'inherit', timeout: 5000 });
+    `], {
+      cwd: scriptDir,
+      stdio: ['inherit', 'inherit', 'ignore'],
+      timeout: 5000,
+    });
   } catch {
     // blessed not available or timed out — skip
   }

From 55c861a415313f5a34a525e9e5c762316f090580 Mon Sep 17 00:00:00 2001
From: "L3-37@Decentraliser" <me@decentraliser.dev>
Date: Wed, 13 May 2026 04:06:46 +0000
Subject: [PATCH 2/3] =?UTF-8?q?chore(security):=20npm=20supply-chain=20coo?=
 =?UTF-8?q?ldown=20=E2=80=94=20pin=20deps=20+=20.npmrc=20release-age?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hardening against the Shai-Hulud / TanStack npm+PyPI supply-chain wave.

- add .npmrc: minimum-release-age=10080 (7d cooldown) + save-exact
- pin all 13 third-party direct deps to exact resolved versions; kept @emblemvault/*
  deps as ranges
- regenerate package-lock.json (synced)
- npm audit: 5 pre-existing transitive advisories (2 high) — left for a separate pass

L3-37 Claude
---
 .npmrc            |  3 +++
 package-lock.json | 26 +++++++++++++-------------
 package.json      | 26 +++++++++++++-------------
 3 files changed, 29 insertions(+), 26 deletions(-)
 create mode 100644 .npmrc

diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..4db4d7c
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,3 @@
+; npm supply-chain cooldown — added 2026-05-13 (Shai-Hulud / TanStack incident)
+minimum-release-age=10080
+save-exact=true
diff --git a/package-lock.json b/package-lock.json
index 2e14ccb..12abd4d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,25 +9,25 @@
       "version": "3.3.0",
       "license": "MIT",
       "dependencies": {
-        "@dotenvx/dotenvx": "^1.52.0",
+        "@dotenvx/dotenvx": "1.52.0",
         "@emblemvault/auth-sdk": "^2.3.18",
-        "@x402/core": "^2.8.0",
-        "@x402/evm": "^2.8.0",
-        "@x402/svm": "^2.8.0",
-        "blessed": "^0.1.81",
-        "chalk": "^5.3.0",
-        "dotenv": "^16.3.1",
-        "hustle-incognito": "^1.1.2",
-        "mppx": "^0.5.0",
-        "viem": "^2.47.6"
+        "@x402/core": "2.9.0",
+        "@x402/evm": "2.9.0",
+        "@x402/svm": "2.9.0",
+        "blessed": "0.1.81",
+        "chalk": "5.6.2",
+        "dotenv": "16.6.1",
+        "hustle-incognito": "1.1.2",
+        "mppx": "0.5.0",
+        "viem": "2.47.6"
       },
       "bin": {
         "emblemai": "emblemai.js"
       },
       "devDependencies": {
-        "@types/node": "^24.0.0",
-        "c8": "^11.0.0",
-        "typescript": "^5.7.0"
+        "@types/node": "24.12.0",
+        "c8": "11.0.0",
+        "typescript": "5.9.3"
       },
       "engines": {
         "node": ">=20.18.0"
diff --git a/package.json b/package.json
index 3245686..0568bef 100644
--- a/package.json
+++ b/package.json
@@ -17,22 +17,22 @@
     "typecheck": "tsc --project tsconfig.json"
   },
   "devDependencies": {
-    "@types/node": "^24.0.0",
-    "c8": "^11.0.0",
-    "typescript": "^5.7.0"
+    "@types/node": "24.12.0",
+    "c8": "11.0.0",
+    "typescript": "5.9.3"
   },
   "dependencies": {
-    "@dotenvx/dotenvx": "^1.52.0",
+    "@dotenvx/dotenvx": "1.52.0",
     "@emblemvault/auth-sdk": "^2.3.18",
-    "@x402/core": "^2.8.0",
-    "@x402/evm": "^2.8.0",
-    "@x402/svm": "^2.8.0",
-    "blessed": "^0.1.81",
-    "chalk": "^5.3.0",
-    "dotenv": "^16.3.1",
-    "hustle-incognito": "^1.1.2",
-    "mppx": "^0.5.0",
-    "viem": "^2.47.6"
+    "@x402/core": "2.9.0",
+    "@x402/evm": "2.9.0",
+    "@x402/svm": "2.9.0",
+    "blessed": "0.1.81",
+    "chalk": "5.6.2",
+    "dotenv": "16.6.1",
+    "hustle-incognito": "1.1.2",
+    "mppx": "0.5.0",
+    "viem": "2.47.6"
   },
   "keywords": [
     "ai",

From 68b1e97216a3a72c7fd042ab7244979b0bc7eb33 Mon Sep 17 00:00:00 2001
From: "L3-37@Decentraliser" <me@decentraliser.dev>
Date: Wed, 13 May 2026 10:43:20 +0000
Subject: [PATCH 3/3] =?UTF-8?q?chore(release):=203.3.1=20=E2=80=94=20suppl?=
 =?UTF-8?q?y-chain=20cooldown?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

L3-37 Claude
---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 12abd4d..9abf332 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@emblemvault/agentwallet",
-  "version": "3.3.0",
+  "version": "3.3.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@emblemvault/agentwallet",
-      "version": "3.3.0",
+      "version": "3.3.1",
       "license": "MIT",
       "dependencies": {
         "@dotenvx/dotenvx": "1.52.0",
diff --git a/package.json b/package.json
index 0568bef..daec19e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@emblemvault/agentwallet",
-  "version": "3.3.0",
+  "version": "3.3.1",
   "description": "CLI for EmblemAI - autonomous crypto wallet management with browser auth, streaming, and plugins",
   "main": "emblemai.js",
   "type": "module",