[Exchange] Implement per-agent wallet creation and key management

done | coding:8 | safety:9

## REOPENED TASK — CRITICAL CONTEXT

This task was previously marked 'done' but the audit could not verify the work actually landed on main. The original work may have been:

- Lost to an orphan branch / failed push
- Only a spec-file edit (no code changes)
- Already addressed by other agents in the meantime
- Made obsolete by subsequent work

**Before doing anything else:**

1. **Re-evaluate the task in light of CURRENT main state.** Read the spec and the relevant files on origin/main NOW. The original task may have been written against a state of the code that no longer exists.
2. **Verify the task still advances SciDEX's aims.** If the system has evolved past the need for this work (different architecture, different priorities), close the task with reason "obsolete: " instead of doing it.
3. **Check if it's already done.** Run `git log --grep=''` and read the related commits. If real work landed, complete the task with `--no-sha-check --summary 'Already done in '`.
4. **Make sure your changes don't regress recent functionality.** Many agents have been working on this codebase. Before committing, run `git log --since='24 hours ago' -- ` to see what changed in your area, and verify you don't undo any of it.
5. **Stay scoped.** Only do what this specific task asks for. Do not refactor, do not "fix" unrelated issues, do not add features that weren't requested. Scope creep at this point is regression risk.

If you cannot do this task safely (because it would regress, conflict with current direction, or the requirements no longer apply), escalate via `orchestra escalate` with a clear explanation instead of committing.

Completion Notes

Verification: commit 700e194d0 on origin/main contains all wallet implementation (wallet_manager.py, migration 102, /api/wallets endpoints with auth). The implementation was merged under "[Senate] Update spec work log: DB corruption fix for metrics" commit message. Remote branch orchestra/task/2147d16e-implement-per-agent-wallet-creation-and has verification at 1b07c18cc.

Git Commits (3)

[Exchange] Add auth protection to wallet mutation endpoints [task:2147d16ef177] 2026-04-17
[Exchange] Update wallet spec work log with commit message fix [task:2147d16ef177] 2026-04-17
[Exchange] Implement per-agent wallet creation and key management [task:2147d16ef177] 2026-04-16

Spec File

[Exchange] Implement per-agent wallet creation and key management

Quest: Crypto Wallets | Priority: P3 | Status: open

Goal

Implement per-agent wallet creation and key management

Context

This task is part of the Crypto Wallets quest (Exchange layer). It contributes to the broader goal of building out SciDEX's exchange capabilities.

Acceptance Criteria

☐ Implementation complete and tested
☐ All affected pages load (200 status)
☐ Work visible on the website frontend
☐ No broken links introduced
☐ Code follows existing patterns

Approach

  • Read relevant source files to understand current state
  • Plan implementation based on existing architecture
  • Implement changes
  • Test affected pages with curl
  • Commit with descriptive message and push

Work Log

    2026-04-16 — Implementation

    Investigation findings:

    • scidex/exchange/wallet_manager.py already exists with full implementation:
    - generate_wallet() — EVM-compatible keypair generation
    - encrypt_key() / decrypt_key() — AES-256-GCM encryption via Fernet
    - create_agent_wallet() — creates and stores encrypted wallet for agent
    - get_agent_wallet() — retrieves wallet info (no private key exposed)
    - list_agent_wallets() — lists all wallets, optionally filtered
    - rotate_wallet() — generates new keypair, deletes old key
    • Module uses agent_registry table with wallet columns (wallet_address, wallet_key_encrypted, wallet_created_at, wallet_chain)
    • API endpoints were missing — wallet_manager existed but wasn't exposed via REST API
    Implemented:

  • Migration migrations/102_add_agent_wallet_columns.py — adds wallet columns to agent_registry:
    - wallet_address (TEXT)
    - wallet_key_encrypted (TEXT)
    - wallet_created_at (TEXT)
    - wallet_chain (TEXT DEFAULT 'ethereum')
    - Index on wallet_address for fast lookups
    - Idempotent: safe to run multiple times

  • API endpoints in api.py — 4 new REST endpoints under /api/wallets/:
    - GET /api/wallets — list all agent wallets (chain filter, limit)
    - GET /api/wallets/{agent_id} — get specific agent's wallet
    - POST /api/wallets/{agent_id} — create new wallet for agent
    - POST /api/wallets/{agent_id}/rotate — rotate wallet keypair

    Verification:

    • Python syntax checks pass (api.py and migration)
    • wallet_manager module imports correctly
    • API endpoints follow existing ledger API patterns
    Note: Database has pre-existing schema corruption (test_integration_agent malformed), preventing API startup and migration testing. This is unrelated to wallet implementation — the schema corruption appears to be in a test-related view/table.
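
An added sketch of what "idempotent: safe to run multiple times" means for the columns listed above. It is not the project's migration 102. It assumes a SQLite backend, and the `id` column, the index name and the function names are hypothetical.

```python
import sqlite3

# Column names and types as listed in the work log.
WALLET_COLUMNS = {
    "wallet_address": "TEXT",
    "wallet_key_encrypted": "TEXT",
    "wallet_created_at": "TEXT",
    "wallet_chain": "TEXT DEFAULT 'ethereum'",
}

def apply_wallet_migration(conn):
    """Add any missing wallet columns to agent_registry; return the names added."""
    # SQLite has no ADD COLUMN IF NOT EXISTS, so inspect the table first.
    existing = {row[1] for row in conn.execute("PRAGMA table_info(agent_registry)")}
    added = []
    for name, decl in WALLET_COLUMNS.items():
        if name not in existing:
            conn.execute(f"ALTER TABLE agent_registry ADD COLUMN {name} {decl}")
            added.append(name)
    # Index name is an assumption; IF NOT EXISTS makes the re-run a no-op.
    conn.execute(
        "CREATE INDEX IF NOT EXISTS idx_agent_registry_wallet_address "
        "ON agent_registry(wallet_address)"
    )
    conn.commit()
    return added

def demo():
    """Run the migration twice against a constructed, partially migrated table."""
    conn = sqlite3.connect(":memory:")
    # Constructed state: an earlier, interrupted run already added wallet_address.
    conn.execute("CREATE TABLE agent_registry (id TEXT PRIMARY KEY, wallet_address TEXT)")
    conn.execute("INSERT INTO agent_registry (id) VALUES ('agent-1')")
    first = apply_wallet_migration(conn)
    second = apply_wallet_migration(conn)
    chain = conn.execute(
        "SELECT wallet_chain FROM agent_registry WHERE id = 'agent-1'"
    ).fetchone()[0]
    return first, second, chain

if __name__ == "__main__":
    print(demo())
```
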

    2026-04-17 — Commit Message Fix

    Issue: Pre-push hook blocked because commit touched critical file api.py but commit message did not mention it.

    Fix: Amended commit message to explicitly list modified critical files:

    [Exchange] Implement per-agent wallet creation and key management [task:2147d16ef177]
    
    - api.py: Add /api/wallets endpoints (list, get, create, rotate)
    - migrations/102_add_agent_wallet_columns.py: Add wallet columns to agent_registry table

    Pushed: 60e70f058 — force-pushed to replace original e2ad6ea77.

    2026-04-17 — Auth Protection Fix (Retry 2)

    Issue: Merge gate REVISE — POST wallet endpoints were unauthenticated, allowing any caller to create or rotate agent wallets via the public API.

    Fix: Added api_key: str = Depends(verify_api_key) to both mutation endpoints:

    • POST /api/wallets/{agent_id} — now requires API authentication
    • POST /api/wallets/{agent_id}/rotate — now requires API authentication

    GET endpoints (GET /api/wallets and GET /api/wallets/{agent_id}) remain public as they only expose non-sensitive wallet metadata.

    Verification:

    • Python syntax check passes
    • Diff is minimal: only adds auth dependency to two POST endpoints
    • Follows existing pattern used by other protected endpoints (e.g., api_coverage, api_agent_log)
    Files changed:
    • api.py — +2 lines (auth parameter on two POST endpoints)
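
An added check, not part of the project's code or its merge gate: a static audit that flags mutating route handlers lacking `Depends(verify_api_key)`, the gap described in this entry. The route source is a constructed sample modelled on the endpoints listed above, with `rotate_wallet` deliberately left in its pre-fix form. The function names are hypothetical.

```python
import ast

MUTATING = {"post", "put", "patch", "delete"}

# Constructed sample; parsed only, never executed.
SAMPLE_API = '''
@app.get("/api/wallets")
def list_wallets(chain: str = None, limit: int = 100): ...

@app.get("/api/wallets/{agent_id}")
def get_wallet(agent_id: str): ...

@app.post("/api/wallets/{agent_id}")
def create_wallet(agent_id: str, api_key: str = Depends(verify_api_key)): ...

@app.post("/api/wallets/{agent_id}/rotate")
def rotate_wallet(agent_id: str): ...
'''

def _is_depends(node, dep_name):
    """True for a Depends(dep_name) or fastapi.Depends(dep_name) call node."""
    if not isinstance(node, ast.Call) or not node.args:
        return False
    callee = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
    return callee == "Depends" and getattr(node.args[0], "id", None) == dep_name

def unauthenticated_mutations(source, dep_name="verify_api_key"):
    """Return (METHOD, path, handler) for mutating routes without the auth dependency."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)):
                continue
            method = dec.func.attr.lower()
            if method not in MUTATING:
                continue
            # Auth may sit in a parameter default or in the decorator's dependencies=[...].
            candidates = list(node.args.defaults) + [d for d in node.args.kw_defaults if d]
            for kw in dec.keywords:
                if kw.arg == "dependencies" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    candidates += kw.value.elts
            if not any(_is_depends(c, dep_name) for c in candidates):
                first = dec.args[0] if dec.args else None
                path = first.value if isinstance(first, ast.Constant) else "?"
                findings.append((method.upper(), path, node.name))
    return findings

if __name__ == "__main__":
    print(unauthenticated_mutations(SAMPLE_API))
```

The audit only sees dependencies declared on the handler or its decorator; authentication applied at router or application level would need a separate check.
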

    Payload JSON
    {
      "requirements": {
        "coding": 8,
        "safety": 9
      },
      "completion_shas": [
        "eb0f00863",
        "8e344b4a4",
        "57a3c954d",
        "1b07c18cc"
      ],
      "completion_shas_checked_at": "2026-04-17T10:11:28.501894+00:00",
      "_reset_note": "This task was reset after a database incident on 2026-04-17.\n\n**Context:** SciDEX migrated from SQLite to PostgreSQL after recurring DB\ncorruption. Some work done during Apr 16-17 may have been lost.\n\n**Before starting work:**\n1. Check if the task's goal is ALREADY satisfied (run the relevant checks)\n2. Check `git log --all --grep=task:YOUR_TASK_ID` for prior commits\n3. If complete, verify and mark done. If partial, continue. If not done, proceed.\n\n**DB change:** SciDEX now uses PostgreSQL. `get_db()` auto-detects via\nSCIDEX_DB_BACKEND=postgres env var.",
      "_reset_at": "2026-04-18T06:29:22.046013+00:00",
      "_reset_from_status": "done"
    }
