feat: add private key viewing for addresses

Add a 'Show private key' button on the address detail view that opens
a dedicated password-prompt screen with a clear warning about key
sensitivity. After correct password entry, the derived private key is
displayed in a read-only well with a copy button.

- Add getPrivateKeyForAddress() to wallet.js
- Add showPrivateKey view with password verification
- Add clipboard policy section to README explaining why we never
  auto-clear the clipboard
- Register new view in helpers.js VIEWS array and wire up in index.js

Closes #19

README.md

@@ -15,9 +15,10 @@ Hence, a minimally viable ERC20 browser wallet/signer that works cross-platform.
 Everything you need, nothing you don't. We import as few libraries as possible,
 don't implement any crypto, and don't send user-specific data anywhere but a
 (user-configurable) Ethereum RPC endpoint (which defaults to a public node). The
-extension contacts precisely two external services: the configured RPC node for
+extension contacts exactly three external services: the configured RPC node for
-blockchain interactions, and a public CoinDesk API (no API key) to get realtime
+blockchain interactions, a public CoinDesk API (no API key) for realtime price
-price information.
+information, and a Blockscout block-explorer API for transaction history and
+token balances. All three endpoints are user-configurable.
 
 In the extension is a hardcoded list of the top ERC20 contract addresses. You
 can add any ERC20 contract by contract address if you wish, but the hardcoded
@@ -212,6 +213,22 @@ create an address with the same visible characters and trick the user into
 sending funds to it. Showing the complete identifier defeats this class of
 attack.
 
+#### Clipboard Policy
+
+AutistMask never clears or overwrites the user's clipboard. When sensitive data
+such as a private key is copied, it is the user's responsibility to manage their
+clipboard afterwards. We deliberately avoid auto-clearing the clipboard for two
+reasons:
+
+1. **User expectations**: silently modifying the clipboard violates the
+   principle of least surprise. The user initiated the copy and knows the
+   content is sensitive.
+2. **Data safety**: the user may have copied something else important in the
+   intervening time. A timed clipboard clear would destroy that unrelated data.
+
+The warning shown before revealing a private key makes it clear that the key is
+sensitive and that clipboard management is the user's responsibility.
+
 #### Data Model
 
 The core hierarchy is **Wallets → Addresses**:
@@ -315,15 +332,34 @@ transitions.
     - Balance list: ETH + tracked ERC-20 tokens (4 decimal places, USD inline).
       Each balance row is clickable → **AddressToken**
     - Send / Receive / + Token buttons
+    - "Show private key" button
     - Transaction list (with ENS resolution for counterparties)
 - **Transitions**:
     - Tap balance row → **AddressToken** (for that token)
     - "Send" → **Send**
     - "Receive" → **Receive**
     - "+ Token" → **AddToken**
+    - "Show private key" → **ShowPrivateKey**
     - Tap transaction row → **TransactionDetail**
     - "Back" → **Home**
 
+#### ShowPrivateKey
+
+- **When**: User clicked "Show private key" on AddressDetail.
+- **Elements**:
+    - "Back" button
+    - Title: "Display Private Key"
+    - Warning box (lock + money icons) explaining the key controls funds and
+      that the user is responsible for clipboard management
+    - Password input
+    - "Display Private Key" button (with lock + money icons)
+    - After reveal: private key in a read-only well (monospace, select-all),
+      Copy button, Done button
+- **Transitions**:
+    - "Display Private Key" (correct password) → reveals key in-place
+    - "Copy" → copies key to clipboard
+    - "Done" / "Back" → **AddressDetail** (key cleared from DOM)
+
 #### AddressToken
 
 - **When**: User clicked a specific token balance on AddressDetail.
@@ -534,7 +570,7 @@ transitions.
 ### External Services
 
 AutistMask is not a fully self-contained offline tool. It necessarily
-communicates with two external services to function as a wallet:
+communicates with three external services to function as a wallet:
 
 - **Ethereum JSON-RPC endpoint**: The extension needs an Ethereum node to query
   balances (`eth_getBalance`), read ERC-20 token contracts (`eth_call`),
@@ -543,11 +579,24 @@ communicates with two external services to function as a wallet:
   receipts. The default endpoint is a public RPC (configurable by the user to
   any endpoint they prefer, including a local node). By default the extension
   talks to `https://ethereum-rpc.publicnode.com`.
+    - **Data sent**: Ethereum addresses, transaction data, contract call
+      parameters. The RPC endpoint can see all on-chain queries and submitted
+      transactions.
 
 - **CoinDesk CADLI price API**: Used to fetch ETH/USD and token/USD prices for
   displaying fiat values. The price is cached for 5 minutes to avoid excessive
   requests. No API key required. No user data is sent — only a list of token
   symbols. Note that CoinDesk will receive your client IP.
+    - **Data sent**: Token symbol strings only (e.g. "ETH", "USDC"). No
+      addresses or user-specific data.
+
+- **Blockscout block-explorer API**: Used to fetch transaction history (normal
+  transactions and ERC-20 token transfers), ERC-20 token balances, and token
+  holder counts (for spam filtering). The default endpoint is
+  `https://eth.blockscout.com/api/v2` (configurable by the user in Settings).
+    - **Data sent**: Ethereum addresses. Blockscout receives the user's
+      addresses to query their transaction history and token balances. No
+      private keys, passwords, or signing operations are sent.
 
 What the extension does NOT do:
 
@@ -557,9 +606,10 @@ What the extension does NOT do:
 - No Infura/Alchemy dependency (any JSON-RPC endpoint works)
 - No backend servers operated by the developer
 
-The user's RPC endpoint and the CoinDesk price API are the only external
+These three services (RPC endpoint, CoinDesk price API, and Blockscout API) are
-services. Users who want maximum privacy can point the RPC at their own node
+the only external services. All three endpoints are user-configurable. Users who
-(price fetching can be disabled in a future version).
+want maximum privacy can point the RPC and Blockscout URLs at their own
+self-hosted instances (price fetching can be disabled in a future version).
 
 ### Dependencies
 

RULES.md

@@ -1,3 +1,8 @@
+> **⚠️ THIS FILE MUST NEVER BE MODIFIED BY AGENTS.** RULES.md is maintained
+> exclusively by the project owner. AI agents, bots, and automated tools must
+> treat this file as read-only. If an audit finds a divergence between the code
+> and this file, the code must be changed to match — never the other way around.
+
 # AutistMask Rules Checklist
 
 This file is derived from README.md and REPO_POLICIES.md for use as an audit

src/background/index.js

@@ -30,7 +30,6 @@ const connectedSites = {};
 
 // Pending approval requests: { id: { origin, hostname, resolve } }
 const pendingApprovals = {};
-let nextApprovalId = 1;
 
 async function getState() {
     const result = await storageApi.get("autistmask");
@@ -94,11 +93,13 @@ function resetPopupUrl() {
     }
 }
 
-// Fallback: open approval in a separate window (used when openPopup is unavailable)
+// Open approval in a separate popup window.
+// This is the primary mechanism for tx/sign approvals (triggered programmatically,
+// not from a user gesture) and the fallback for site-connection approvals.
 function openApprovalWindow(id) {
     const popupUrl = runtime.getURL("src/popup/index.html?approval=" + id);
-    const popupWidth = 400;
+    const popupWidth = 360;
-    const popupHeight = 500;
+    const popupHeight = 600;
 
     windowsApi.getLastFocused((currentWin) => {
         const opts = {
@@ -127,7 +128,7 @@ function openApprovalWindow(id) {
 // Prefers the browser-action popup (anchored to toolbar, no macOS Space switch).
 function requestApproval(origin, hostname) {
     return new Promise((resolve) => {
-        const id = nextApprovalId++;
+        const id = crypto.randomUUID();
         pendingApprovals[id] = { origin, hostname, resolve };
 
         if (actionApi && typeof actionApi.openPopup === "function") {
@@ -149,10 +150,12 @@ function requestApproval(origin, hostname) {
 }
 
 // Open a tx-approval popup and return a promise that resolves with txHash or error.
-// Uses the toolbar popup only — no fallback window.
+// Uses windows.create() directly because tx approvals are triggered programmatically
+// (from a dApp RPC call), not from a user gesture, so action.openPopup() is
+// unreliable in this context.
 function requestTxApproval(origin, hostname, txParams) {
     return new Promise((resolve) => {
-        const id = nextApprovalId++;
+        const id = crypto.randomUUID();
         pendingApprovals[id] = {
             origin,
             hostname,
@@ -161,30 +164,17 @@ function requestTxApproval(origin, hostname, txParams) {
             type: "tx",
         };
 
-        if (actionApi && typeof actionApi.setPopup === "function") {
+        openApprovalWindow(id);
-            actionApi.setPopup({
-                popup: "src/popup/index.html?approval=" + id,
-            });
-        }
-        if (actionApi && typeof actionApi.openPopup === "function") {
-            try {
-                const result = actionApi.openPopup();
-                if (result && typeof result.catch === "function") {
-                    result.catch(() => {});
-                }
-            } catch {
-                // openPopup unsupported — user clicks toolbar icon
-            }
-        }
     });
 }
 
 // Open a sign-approval popup and return a promise that resolves with { signature } or { error }.
-// Uses the toolbar popup only — no fallback window.  If openPopup() fails the
+// Uses windows.create() directly because sign approvals are triggered programmatically
-// popup URL is still set, so the user can click the toolbar icon to respond.
+// (from a dApp RPC call), not from a user gesture, so action.openPopup() is
+// unreliable in this context.
 function requestSignApproval(origin, hostname, signParams) {
     return new Promise((resolve) => {
-        const id = nextApprovalId++;
+        const id = crypto.randomUUID();
         pendingApprovals[id] = {
             origin,
             hostname,
@@ -193,30 +183,17 @@ function requestSignApproval(origin, hostname, signParams) {
             type: "sign",
         };
 
-        if (actionApi && typeof actionApi.setPopup === "function") {
+        openApprovalWindow(id);
-            actionApi.setPopup({
-                popup: "src/popup/index.html?approval=" + id,
-            });
-        }
-        if (actionApi && typeof actionApi.openPopup === "function") {
-            try {
-                const result = actionApi.openPopup();
-                if (result && typeof result.catch === "function") {
-                    result.catch(() => {});
-                }
-            } catch {
-                // openPopup unsupported — user clicks toolbar icon
-            }
-        }
     });
 }
 
 // Detect when an approval popup (browser-action) closes without a response.
-// TX and sign approvals are NOT auto-rejected on disconnect because toolbar
+// TX and sign approvals now use windows.create() and are handled by the
-// popups naturally close on focus loss and the user can reopen them.
+// windowsApi.onRemoved listener below, but we still handle site-connection
+// approval disconnects here.
 runtime.onConnect.addListener((port) => {
     if (port.name.startsWith("approval:")) {
-        const id = parseInt(port.name.split(":")[1], 10);
+        const id = port.name.split(":")[1];
         port.onDisconnect.addListener(() => {
             const approval = pendingApprovals[id];
             if (approval) {
@@ -442,6 +419,13 @@ async function handleRpc(method, params, origin) {
                 ? { method, message: params[0], from: params[1] }
                 : { method, message: params[1], from: params[0] };
 
+        if (method === "eth_sign") {
+            signParams.dangerWarning =
+                "\u26a0\ufe0f DANGER: This site is requesting to sign a raw hash. " +
+                "This can be used to sign transactions that drain your funds. " +
+                "Only proceed if you fully understand what you are signing.";
+        }
+
         const decision = await requestSignApproval(
             origin,
             hostname,
@@ -611,12 +595,39 @@ if (windowsApi && windowsApi.onRemoved) {
 // Listen for messages from content scripts and popup
 runtime.onMessage.addListener((msg, sender, sendResponse) => {
     if (msg.type === "AUTISTMASK_RPC") {
-        handleRpc(msg.method, msg.params, msg.origin).then((response) => {
+        // Derive origin from trusted sender info to prevent origin spoofing.
+        // Chrome MV3 provides sender.origin; Firefox MV2 fallback uses sender.tab.url.
+        let trustedOrigin = msg.origin; // fallback only if sender info unavailable
+        if (sender.origin) {
+            trustedOrigin = sender.origin;
+        } else if (sender.tab && sender.tab.url) {
+            try {
+                trustedOrigin = new URL(sender.tab.url).origin;
+            } catch {
+                // keep fallback
+            }
+        }
+        handleRpc(msg.method, msg.params, trustedOrigin).then((response) => {
             sendResponse(response);
         });
         return true;
     }
 
+    // Validate that popup-only messages originate from the extension itself.
+    const POPUP_ONLY_TYPES = [
+        "AUTISTMASK_GET_APPROVAL",
+        "AUTISTMASK_APPROVAL_RESPONSE",
+        "AUTISTMASK_TX_RESPONSE",
+        "AUTISTMASK_SIGN_RESPONSE",
+    ];
+    if (POPUP_ONLY_TYPES.includes(msg.type)) {
+        const extUrl = runtime.getURL("");
+        if (!sender.url || !sender.url.startsWith(extUrl)) {
+            sendResponse({ error: "Unauthorized sender" });
+            return false;
+        }
+    }
+
     if (msg.type === "AUTISTMASK_GET_APPROVAL") {
         const approval = pendingApprovals[msg.id];
         if (approval) {
@@ -681,7 +692,8 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
                     if (wallet) break;
                 }
                 if (!wallet) throw new Error("Wallet not found");
-                const decrypted = await decryptWithPassword(
+                // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
+                let decrypted = await decryptWithPassword(
                     wallet.encryptedSecret,
                     msg.password,
                 );
@@ -690,6 +702,10 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
                     addrIndex,
                     decrypted,
                 );
+                // Best-effort: clear decrypted secret after use.
+                // Note: JS strings are immutable; this nulls the reference but
+                // the original string may persist in memory until GC.
+                decrypted = null;
                 const provider = getProvider(state.rpcUrl);
                 const connected = signer.connect(provider);
                 const tx = await connected.sendTransaction(approval.txParams);
@@ -735,7 +751,8 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
                     if (wallet) break;
                 }
                 if (!wallet) throw new Error("Wallet not found");
-                const decrypted = await decryptWithPassword(
+                // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
+                let decrypted = await decryptWithPassword(
                     wallet.encryptedSecret,
                     msg.password,
                 );
@@ -744,6 +761,10 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
                     addrIndex,
                     decrypted,
                 );
+                // Best-effort: clear decrypted secret after use.
+                // Note: JS strings are immutable; this nulls the reference but
+                // the original string may persist in memory until GC.
+                decrypted = null;
 
                 const sp = approval.signParams;
                 let signature;

src/content/index.js

@@ -13,6 +13,26 @@ if (typeof browser !== "undefined") {
     (document.head || document.documentElement).appendChild(script);
 }
 
+// Send the persisted EIP-6963 provider UUID to the inpage script.
+// Generated once at install time and stored in chrome.storage.local.
+(function sendProviderUuid() {
+    const storage =
+        typeof browser !== "undefined"
+            ? browser.storage.local
+            : chrome.storage.local;
+    storage.get("eip6963Uuid", (items) => {
+        let uuid = items?.eip6963Uuid;
+        if (!uuid) {
+            uuid = crypto.randomUUID();
+            storage.set({ eip6963Uuid: uuid });
+        }
+        window.postMessage(
+            { type: "AUTISTMASK_PROVIDER_UUID", uuid },
+            location.origin,
+        );
+    });
+})();
+
 // Relay requests from the page to the background script
 window.addEventListener("message", (event) => {
     if (event.source !== window) return;

src/content/inpage.js

@@ -9,7 +9,7 @@
     const pending = {};
 
     // Listen for responses from the content script
-    window.addEventListener("message", (event) => {
+    window.addEventListener("message", function onUuid(event) {
         if (event.source !== window) return;
         if (event.data?.type !== "AUTISTMASK_RESPONSE") return;
         const { id, result, error } = event.data;
@@ -24,7 +24,7 @@
     });
 
     // Listen for events pushed from the extension
-    window.addEventListener("message", (event) => {
+    window.addEventListener("message", function onUuid(event) {
         if (event.source !== window) return;
         if (event.data?.type !== "AUTISTMASK_EVENT") return;
         const { eventName, data } = event.data;
@@ -134,7 +134,7 @@
         // Some dApps (wagmi) check this to confirm MetaMask-like behavior
         _metamask: {
             isUnlocked() {
-                return Promise.resolve(true);
+                return Promise.resolve(provider.selectedAddress !== null);
             },
         },
     };
@@ -155,21 +155,38 @@
                 "</svg>",
         );
 
-    const providerInfo = {
+    let providerUuid = crypto.randomUUID(); // fallback until real UUID arrives
-        uuid: "f3c5b2a1-8d4e-4f6a-9c7b-1e2d3a4b5c6d",
+
-        name: "AutistMask",
+    function buildProviderInfo() {
-        icon: ICON_SVG,
+        return {
-        rdns: "berlin.sneak.autistmask",
+            uuid: providerUuid,
-    };
+            name: "AutistMask",
+            icon: ICON_SVG,
+            rdns: "berlin.sneak.autistmask",
+        };
+    }
 
     function announceProvider() {
         window.dispatchEvent(
             new CustomEvent("eip6963:announceProvider", {
-                detail: Object.freeze({ info: providerInfo, provider }),
+                detail: Object.freeze({
+                    info: buildProviderInfo(),
+                    provider,
+                }),
             }),
         );
     }
 
+    // Listen for the persisted UUID from the content script
+    function onProviderUuid(event) {
+        if (event.source !== window) return;
+        if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return;
+        window.removeEventListener("message", onProviderUuid);
+        providerUuid = event.data.uuid;
+        announceProvider();
+    }
+    window.addEventListener("message", onProviderUuid);
+
     window.addEventListener("eip6963:requestProvider", announceProvider);
     announceProvider();
 })();

src/popup/index.html

@@ -307,6 +307,15 @@
                     </button>
                 </div>
 
+                <div class="mb-3">
+                    <button
+                        id="btn-show-private-key"
+                        class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer text-xs"
+                    >
+                        &#128274; Show private key
+                    </button>
+                </div>
+
                 <!-- transactions -->
                 <div class="mt-3">
                     <div class="border-b border-border pb-1 mb-1">
@@ -318,6 +327,77 @@
                 </div>
             </div>
 
+            <!-- ============ SHOW PRIVATE KEY ============ -->
+            <div id="view-show-private-key" class="view hidden">
+                <button
+                    id="btn-show-pk-back"
+                    class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer mb-2"
+                >
+                    &lt; Back
+                </button>
+                <h2 class="font-bold mb-2">Display Private Key</h2>
+
+                <!-- password prompt section -->
+                <div id="show-pk-prompt">
+                    <div
+                        class="border border-border border-dashed p-3 mb-3 text-xs"
+                    >
+                        <p class="mb-1">
+                            &#128274;&#128176; Your private key controls this
+                            address and all its funds. Anyone who has it can
+                            spend your tokens.
+                        </p>
+                        <p>
+                            Do not share it. Do not paste it into websites. If
+                            you copy it, you are responsible for clearing your
+                            clipboard when you are done.
+                        </p>
+                    </div>
+                    <div class="mb-2">
+                        <label class="block mb-1">Password</label>
+                        <input
+                            type="password"
+                            id="show-pk-password"
+                            class="border border-border p-1 w-full font-mono text-sm bg-bg text-fg"
+                            placeholder="Enter your password"
+                        />
+                    </div>
+                    <div
+                        id="show-pk-error"
+                        class="text-xs mb-2 border border-border border-dashed p-1 hidden"
+                    ></div>
+                    <button
+                        id="btn-show-pk-reveal"
+                        class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
+                    >
+                        &#128274;&#128176; Display Private Key
+                    </button>
+                </div>
+
+                <!-- revealed key section -->
+                <div id="show-pk-key-well" class="hidden">
+                    <div
+                        class="bg-well p-3 mx-1 mb-3 break-all font-mono text-xs select-all"
+                    >
+                        <span id="show-pk-key-value"></span>
+                    </div>
+                    <div class="flex gap-2">
+                        <button
+                            id="btn-show-pk-copy"
+                            class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
+                        >
+                            Copy
+                        </button>
+                        <button
+                            id="btn-show-pk-done"
+                            class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
+                        >
+                            Done
+                        </button>
+                    </div>
+                </div>
+            </div>
+
             <!-- ============ ADDRESS-TOKEN DETAIL VIEW ============ -->
             <div id="view-address-token" class="view hidden">
                 <button
@@ -374,6 +454,12 @@
                     </button>
                 </div>
 
+                <!-- token contract details (ERC-20 only) -->
+                <div
+                    id="address-token-contract-info"
+                    class="bg-hover rounded-md mx-1 p-3 mb-3 text-xs hidden"
+                ></div>
+
                 <!-- token-filtered transactions -->
                 <div class="mt-3">
                     <div class="border-b border-border pb-1 mb-1">
@@ -702,9 +788,7 @@
 
                 <div class="bg-well p-3 mx-1 mb-3">
                     <h3 class="font-bold mb-1">Wallets</h3>
-                    <p class="text-xs text-muted mb-2">
+                    <div id="settings-wallet-list" class="mb-2"></div>
-                        Add a new wallet from a recovery phrase or private key.
-                    </p>
                     <button
                         id="btn-main-add-wallet"
                         class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
@@ -713,6 +797,21 @@
                     </button>
                 </div>
 
+                <div class="bg-well p-3 mx-1 mb-3">
+                    <h3 class="font-bold mb-1">Tracked Tokens</h3>
+                    <p class="text-xs text-muted mb-2">
+                        ERC-20 tokens whose balances are tracked across all
+                        addresses.
+                    </p>
+                    <div id="settings-tracked-tokens"></div>
+                    <button
+                        id="btn-settings-add-token"
+                        class="border border-border px-2 py-1 mt-2 hover:bg-fg hover:text-bg cursor-pointer"
+                    >
+                        + Add token
+                    </button>
+                </div>
+
                 <div class="bg-well p-3 mx-1 mb-3">
                     <h3 class="font-bold mb-1">Display</h3>
                     <label
@@ -824,6 +923,108 @@
                 </div>
             </div>
 
+            <!-- ============ DELETE WALLET CONFIRM ============ -->
+            <div id="view-delete-wallet-confirm" class="view hidden">
+                <button
+                    id="btn-delete-wallet-back"
+                    class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer mb-2"
+                >
+                    &lt; Back
+                </button>
+                <h2 class="font-bold mb-3">Delete Wallet</h2>
+                <p class="text-xs mb-3">
+                    Deleting
+                    <strong id="delete-wallet-name"></strong> is permanent. Any
+                    funds will be unrecoverable without your recovery phrase.
+                </p>
+                <div
+                    id="delete-wallet-flash"
+                    class="text-xs text-red-500 mb-2 hidden"
+                ></div>
+                <div class="mb-2">
+                    <label class="block mb-1">Password</label>
+                    <input
+                        type="password"
+                        id="delete-wallet-password"
+                        class="border border-border p-1 w-full font-mono text-sm bg-bg text-fg"
+                        placeholder="Enter your password to confirm"
+                    />
+                </div>
+                <button
+                    id="btn-delete-wallet-confirm"
+                    class="border border-border text-red-500 px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
+                >
+                    Confirm Delete
+                </button>
+            </div>
+
+            <!-- ============ SETTINGS: ADD TOKEN ============ -->
+            <div id="view-settings-addtoken" class="view hidden">
+                <button
+                    id="btn-settings-addtoken-back"
+                    class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer mb-2"
+                >
+                    &lt; Back
+                </button>
+                <h2 class="font-bold mb-2">Add Token</h2>
+                <p class="text-xs text-muted mb-3">
+                    Pick a common token or enter a contract address manually.
+                </p>
+
+                <!-- top 10 quick-pick buttons -->
+                <div class="mb-3">
+                    <label class="block mb-1 text-xs text-muted"
+                        >Top tokens:</label
+                    >
+                    <div
+                        id="settings-addtoken-top10"
+                        class="flex flex-wrap gap-1"
+                    ></div>
+                </div>
+
+                <!-- top 100 dropdown -->
+                <div class="mb-3">
+                    <label class="block mb-1 text-xs text-muted"
+                        >Or pick from top 100:</label
+                    >
+                    <select
+                        id="settings-addtoken-select"
+                        class="border border-border p-1 w-full font-mono text-sm bg-bg text-fg"
+                    >
+                        <option value="">-- select --</option>
+                    </select>
+                    <button
+                        id="btn-settings-addtoken-select"
+                        class="border border-border px-2 py-1 mt-1 hover:bg-fg hover:text-bg cursor-pointer"
+                    >
+                        Add selected
+                    </button>
+                </div>
+
+                <!-- manual contract address -->
+                <div class="mb-3">
+                    <label class="block mb-1 text-xs text-muted"
+                        >Or enter contract address:</label
+                    >
+                    <input
+                        type="text"
+                        id="settings-addtoken-address"
+                        class="border border-border p-1 w-full font-mono text-sm bg-bg text-fg"
+                        placeholder="0x..."
+                    />
+                    <div
+                        id="settings-addtoken-info"
+                        class="text-xs text-muted mt-1 hidden"
+                    ></div>
+                    <button
+                        id="btn-settings-addtoken-manual"
+                        class="border border-border px-2 py-1 mt-1 hover:bg-fg hover:text-bg cursor-pointer"
+                    >
+                        Add
+                    </button>
+                </div>
+            </div>
+
             <!-- ============ TRANSACTION DETAIL ============ -->
             <div id="view-transaction" class="view hidden">
                 <button
@@ -832,7 +1033,13 @@
                 >
                     &lt; Back
                 </button>
-                <h2 class="font-bold mb-2">Transaction</h2>
+                <h2 id="tx-detail-heading" class="font-bold mb-2">
+                    Transaction
+                </h2>
+                <div id="tx-detail-type-section" class="mb-4 hidden">
+                    <div class="text-xs text-muted mb-1">Type</div>
+                    <div id="tx-detail-type" class="text-xs font-bold"></div>
+                </div>
                 <div class="mb-4">
                     <div class="text-xs text-muted mb-1">Status</div>
                     <div id="tx-detail-status" class="text-xs"></div>
@@ -857,6 +1064,29 @@
                     <div class="text-xs text-muted mb-1">To</div>
                     <div id="tx-detail-to" class="text-xs break-all"></div>
                 </div>
+                <div id="tx-detail-calldata-section" class="mb-4 hidden">
+                    <div
+                        id="tx-detail-calldata-well"
+                        class="mb-3 border border-border border-dashed p-2"
+                    >
+                        <div class="text-xs text-muted mb-1">Action</div>
+                        <div
+                            id="tx-detail-calldata-action"
+                            class="text-xs font-bold mb-2"
+                        ></div>
+                        <div
+                            id="tx-detail-calldata-details"
+                            class="text-xs"
+                        ></div>
+                    </div>
+                    <div id="tx-detail-rawdata-section" class="hidden">
+                        <div class="text-xs text-muted mb-1">Raw data</div>
+                        <div
+                            id="tx-detail-rawdata"
+                            class="text-xs break-all font-mono border border-border border-dashed p-2"
+                        ></div>
+                    </div>
+                </div>
                 <div class="mb-4">
                     <div class="text-xs text-muted mb-1">Transaction hash</div>
                     <div id="tx-detail-hash" class="text-xs break-all"></div>
@@ -933,6 +1163,17 @@
                     wants you to sign a message.
                 </p>
 
+                <div
+                    id="approve-sign-danger-warning"
+                    class="hidden mb-3 p-2 text-xs font-bold"
+                    style="
+                        background: #fee2e2;
+                        color: #991b1b;
+                        border: 2px solid #dc2626;
+                        border-radius: 6px;
+                    "
+                ></div>
+
                 <div class="mb-3">
                     <div class="text-xs text-muted mb-1">Type</div>
                     <div id="approve-sign-type" class="text-xs font-bold"></div>

src/popup/index.js

@@ -19,7 +19,9 @@ const txStatus = require("./views/txStatus");
 const transactionDetail = require("./views/transactionDetail");
 const receive = require("./views/receive");
 const addToken = require("./views/addToken");
+const showPrivateKey = require("./views/showPrivateKey");
 const settings = require("./views/settings");
+const settingsAddToken = require("./views/settingsAddToken");
 const approval = require("./views/approval");
 
 function renderWalletList() {
@@ -55,11 +57,14 @@ const ctx = {
     showAddWalletView: () => addWallet.show(),
     showImportKeyView: () => importKey.show(),
     showAddressDetail: () => addressDetail.show(),
+    showPrivateKey: () => showPrivateKey.show(),
     showAddressToken: () => addressToken.show(),
     showAddTokenView: () => addToken.show(),
     showConfirmTx: (txInfo) => confirmTx.show(txInfo),
     showReceive: () => receive.show(),
     showTransactionDetail: (tx) => transactionDetail.show(tx),
+    showSettingsView: () => settings.show(),
+    showSettingsAddTokenView: () => settingsAddToken.show(),
 };
 
 // Views that can be fully re-rendered from persisted state.
@@ -70,6 +75,7 @@ const RESTORABLE_VIEWS = new Set([
     "address-token",
     "receive",
     "settings",
+    "settings-addtoken",
     "transaction",
     "success-tx",
     "error-tx",
@@ -120,6 +126,9 @@ function restoreView() {
         case "settings":
             settings.show();
             break;
+        case "settings-addtoken":
+            settingsAddToken.show();
+            break;
         case "transaction":
             if (state.viewData && state.viewData.tx) {
                 transactionDetail.render();
@@ -182,7 +191,7 @@ async function init() {
     const params = new URLSearchParams(window.location.search);
     const approvalId = params.get("approval");
     if (approvalId) {
-        approval.show(parseInt(approvalId, 10));
+        approval.show(approvalId);
         showView("approve-site");
         return;
     }
@@ -205,6 +214,7 @@ async function init() {
     importKey.init(ctx);
     home.init(ctx);
     addressDetail.init(ctx);
+    showPrivateKey.init(ctx);
     addressToken.init(ctx);
     send.init(ctx);
     confirmTx.init(ctx);
@@ -212,6 +222,7 @@ async function init() {
     receive.init(ctx);
     addToken.init(ctx);
     settings.init(ctx);
+    settingsAddToken.init(ctx);
 
     if (!state.hasWallet) {
         showView("welcome");

src/popup/views/addWallet.js

@@ -49,8 +49,8 @@ function init(ctx) {
             showFlash("Please choose a password.");
             return;
         }
-        if (pw.length < 8) {
+        if (pw.length < 12) {
-            showFlash("Password must be at least 8 characters.");
+            showFlash("Password must be at least 12 characters.");
             return;
         }
         if (pw !== pw2) {

src/popup/views/addressDetail.js

@@ -4,6 +4,7 @@ const {
     showFlash,
     balanceLinesForAddress,
     addressDotHtml,
+    addressTitle,
     escapeHtml,
     truncateMiddle,
 } = require("./helpers");
@@ -150,11 +151,11 @@ async function loadTransactions(address) {
 
         loadedTxs = txs;
 
-        // Collect unique counterparty addresses for ENS resolution.
+        // Collect ALL unique addresses (from + to) for ENS resolution so
+        // that reverse lookups work for every displayed address, not just
+        // the ones that were originally entered as ENS names.
         const counterparties = [
-            ...new Set(
+            ...new Set(txs.flatMap((tx) => [tx.from, tx.to].filter(Boolean))),
-                txs.map((tx) => (tx.direction === "sent" ? tx.to : tx.from)),
-            ),
         ];
         if (counterparties.length > 0) {
             try {
@@ -185,14 +186,19 @@ function renderTransactions(txs) {
     let html = "";
     let i = 0;
     for (const tx of txs) {
-        const counterparty = tx.direction === "sent" ? tx.to : tx.from;
+        const counterparty =
+            tx.direction === "sent" || tx.direction === "contract"
+                ? tx.to
+                : tx.from;
         const ensName = ensNameMap.get(counterparty) || null;
+        const title = addressTitle(counterparty, state.wallets);
         const dirLabel = tx.directionLabel;
         const amountStr = tx.value
             ? escapeHtml(tx.value + " " + tx.symbol)
             : escapeHtml(tx.symbol);
         const maxAddr = Math.max(32, 36 - Math.max(0, amountStr.length - 10));
-        const displayAddr = ensName || truncateMiddle(counterparty, maxAddr);
+        const displayAddr =
+            title || ensName || truncateMiddle(counterparty, maxAddr);
         const addrStr = escapeHtml(displayAddr);
         const dot = addressDotHtml(counterparty);
         const err = tx.isError ? " (failed)" : "";
@@ -255,6 +261,10 @@ function init(_ctx) {
     });
 
     $("btn-add-token").addEventListener("click", ctx.showAddTokenView);
+
+    $("btn-show-private-key").addEventListener("click", () => {
+        ctx.showPrivateKey();
+    });
 }
 
 module.exports = { init, show };

src/popup/views/addressToken.js

@@ -6,11 +6,13 @@ const {
     showView,
     showFlash,
     addressDotHtml,
+    addressTitle,
     escapeHtml,
     truncateMiddle,
     balanceLine,
 } = require("./helpers");
 const { state, currentAddress, saveState } = require("../../shared/state");
+const { TOKEN_BY_ADDRESS } = require("../../shared/tokenList");
 const {
     formatUsd,
     getPrice,
@@ -130,6 +132,43 @@ function show() {
     // Single token balance line (no tokenId — not clickable here)
     $("address-token-balance").innerHTML = balanceLine(symbol, amount, price);
 
+    // Token contract details (ERC-20 only)
+    const contractInfo = $("address-token-contract-info");
+    if (tokenId !== "ETH") {
+        const tb = (addr.tokenBalances || []).find(
+            (t) => t.address.toLowerCase() === tokenId.toLowerCase(),
+        );
+        const tokenName = tb && tb.name ? escapeHtml(tb.name) : null;
+        const tokenSymbol = tb && tb.symbol ? escapeHtml(tb.symbol) : null;
+        const tokenDecimals = tb && tb.decimals != null ? tb.decimals : null;
+        const tokenHolders = tb && tb.holders != null ? tb.holders : null;
+        const dot = addressDotHtml(tokenId);
+        const tokenLink = `https://etherscan.io/token/${escapeHtml(tokenId)}`;
+        const knownToken = TOKEN_BY_ADDRESS.get(tokenId.toLowerCase());
+        const projectUrl = knownToken && knownToken.url ? knownToken.url : null;
+        let infoHtml = `<div class="font-bold mb-2">Contract Address</div>`;
+        infoHtml +=
+            `<div class="flex items-center mb-2">${dot}` +
+            `<span class="break-all underline decoration-dashed cursor-pointer" id="address-token-contract-copy" data-copy="${escapeHtml(tokenId)}">${escapeHtml(tokenId)}</span>` +
+            `<a href="${tokenLink}" target="_blank" rel="noopener" class="inline-flex items-center">${EXT_ICON}</a>` +
+            `</div>`;
+        if (tokenName)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Name:</span> ${tokenName}</div>`;
+        if (tokenSymbol)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Symbol:</span> ${tokenSymbol}</div>`;
+        if (tokenDecimals != null)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Decimals:</span> ${tokenDecimals}</div>`;
+        if (tokenHolders != null)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Holders:</span> ${Number(tokenHolders).toLocaleString()}</div>`;
+        if (projectUrl)
+            infoHtml += `<div class="mb-1"><span class="text-muted">Website:</span> <a href="${escapeHtml(projectUrl)}" target="_blank" rel="noopener" class="underline decoration-dashed">${escapeHtml(projectUrl)}</a></div>`;
+        contractInfo.innerHTML = infoHtml;
+        contractInfo.classList.remove("hidden");
+    } else {
+        contractInfo.innerHTML = "";
+        contractInfo.classList.add("hidden");
+    }
+
     // Transactions
     $("address-token-tx-list").innerHTML =
         '<div class="text-muted text-xs py-1">Loading...</div>';
@@ -175,11 +214,10 @@ async function loadTransactions(address, tokenId) {
 
         loadedTxs = txs;
 
-        // Collect unique counterparty addresses for ENS resolution
+        // Collect ALL unique addresses for ENS resolution so reverse
+        // lookups work for every displayed address.
         const counterparties = [
-            ...new Set(
+            ...new Set(txs.flatMap((tx) => [tx.from, tx.to].filter(Boolean))),
-                txs.map((tx) => (tx.direction === "sent" ? tx.to : tx.from)),
-            ),
         ];
         if (counterparties.length > 0) {
             try {
@@ -212,12 +250,14 @@ function renderTransactions(txs) {
     for (const tx of txs) {
         const counterparty = tx.direction === "sent" ? tx.to : tx.from;
         const ensName = ensNameMap.get(counterparty) || null;
+        const title = addressTitle(counterparty, state.wallets);
         const dirLabel = tx.directionLabel;
         const amountStr = tx.value
             ? escapeHtml(tx.value + " " + tx.symbol)
             : escapeHtml(tx.symbol);
         const maxAddr = Math.max(32, 36 - Math.max(0, amountStr.length - 10));
-        const displayAddr = ensName || truncateMiddle(counterparty, maxAddr);
+        const displayAddr =
+            title || ensName || truncateMiddle(counterparty, maxAddr);
         const addrStr = escapeHtml(displayAddr);
         const dot = addressDotHtml(counterparty);
         const err = tx.isError ? " (failed)" : "";
@@ -252,6 +292,14 @@ function init(_ctx) {
         }
     });
 
+    $("address-token-contract-info").addEventListener("click", (e) => {
+        const copyEl = e.target.closest("[data-copy]");
+        if (copyEl) {
+            navigator.clipboard.writeText(copyEl.dataset.copy);
+            showFlash("Copied!");
+        }
+    });
+
     $("btn-address-token-back").addEventListener("click", () => {
         ctx.showAddressDetail();
     });

src/popup/views/approval.js

@@ -1,4 +1,10 @@
-const { $, addressDotHtml, escapeHtml, showView } = require("./helpers");
+const {
+    $,
+    addressDotHtml,
+    addressTitle,
+    escapeHtml,
+    showView,
+} = require("./helpers");
 const { state, saveState } = require("../../shared/state");
 const { formatEther, formatUnits, Interface, toUtf8String } = require("ethers");
 const { ERC20_ABI } = require("../../shared/constants");
@@ -22,7 +28,15 @@ function approvalAddressHtml(address) {
     const dot = addressDotHtml(address);
     const link = `https://etherscan.io/address/${address}`;
     const extLink = `<a href="${link}" target="_blank" rel="noopener" class="inline-flex items-center">${EXT_ICON}</a>`;
-    return `<div class="flex items-center">${dot}<span class="break-all">${escapeHtml(address)}</span>${extLink}</div>`;
+    const title = addressTitle(address, state.wallets);
+    let html = "";
+    if (title) {
+        html += `<div class="flex items-center font-bold">${dot}${escapeHtml(title)}</div>`;
+        html += `<div class="break-all">${escapeHtml(address)}${extLink}</div>`;
+    } else {
+        html += `<div class="flex items-center">${dot}<span class="break-all">${escapeHtml(address)}</span>${extLink}</div>`;
+    }
+    return html;
 }
 
 function formatTxValue(val) {
@@ -294,6 +308,18 @@ function showSignApproval(details) {
         }
     }
 
+    // Display danger warning for eth_sign (raw hash signing)
+    const warningEl = $("approve-sign-danger-warning");
+    if (warningEl) {
+        if (sp.dangerWarning) {
+            warningEl.textContent = sp.dangerWarning;
+            warningEl.classList.remove("hidden");
+        } else {
+            warningEl.textContent = "";
+            warningEl.classList.add("hidden");
+        }
+    }
+
     $("approve-sign-password").value = "";
     $("approve-sign-error").classList.add("hidden");
     $("btn-approve-sign").disabled = false;
@@ -373,6 +399,7 @@ function init(ctx) {
                 type: "AUTISTMASK_TX_RESPONSE",
                 id: approvalId,
                 approved: true,
+                // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
                 password: password,
             },
             (response) => {
@@ -412,6 +439,7 @@ function init(ctx) {
                 type: "AUTISTMASK_SIGN_RESPONSE",
                 id: approvalId,
                 approved: true,
+                // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
                 password: password,
             },
             (response) => {
@@ -439,4 +467,4 @@ function init(ctx) {
     });
 }
 
-module.exports = { init, show };
+module.exports = { init, show, decodeCalldata };

src/popup/views/confirmTx.js

@@ -334,8 +334,13 @@ function init(ctx) {
                 tx = await contract.transfer(pendingTx.to, amount);
             }
 
+            // Best-effort: clear decrypted secret after use.
+            // Note: JS strings are immutable; this nulls the reference but
+            // the original string may persist in memory until GC.
+            decryptedSecret = null;
             txStatus.showWait(pendingTx, tx.hash);
         } catch (e) {
+            decryptedSecret = null;
             const hash = tx ? tx.hash : null;
             txStatus.showError(pendingTx, hash, e.shortMessage || e.message);
         }

src/popup/views/deleteWallet.js

@@ -0,0 +1,90 @@
+const { $, showView, showFlash } = require("./helpers");
+const { state, saveState } = require("../../shared/state");
+const { decryptWithPassword } = require("../../shared/vault");
+
+let deleteWalletIndex = null;
+let ctx = null;
+
+function show(walletIdx) {
+    deleteWalletIndex = walletIdx;
+    const wallet = state.wallets[walletIdx];
+    $("delete-wallet-name").textContent =
+        wallet.name || "Wallet " + (walletIdx + 1);
+    $("delete-wallet-password").value = "";
+    $("delete-wallet-flash").textContent = "";
+    $("delete-wallet-flash").classList.add("hidden");
+    showView("delete-wallet-confirm");
+}
+
+function init(_ctx) {
+    ctx = _ctx;
+
+    $("btn-delete-wallet-back").addEventListener("click", () => {
+        deleteWalletIndex = null;
+        ctx.showSettingsView();
+    });
+
+    $("btn-delete-wallet-confirm").addEventListener("click", async () => {
+        const pw = $("delete-wallet-password").value;
+        if (!pw) {
+            $("delete-wallet-flash").textContent =
+                "Please enter your password.";
+            $("delete-wallet-flash").classList.remove("hidden");
+            return;
+        }
+
+        if (deleteWalletIndex === null) {
+            $("delete-wallet-flash").textContent =
+                "No wallet selected for deletion.";
+            $("delete-wallet-flash").classList.remove("hidden");
+            return;
+        }
+
+        const walletIdx = deleteWalletIndex;
+        const wallet = state.wallets[walletIdx];
+
+        // Verify password against the wallet's encrypted data
+        try {
+            await decryptWithPassword(wallet.encryptedSecret, pw);
+        } catch (_e) {
+            $("delete-wallet-flash").textContent = "Wrong password.";
+            $("delete-wallet-flash").classList.remove("hidden");
+            return;
+        }
+
+        // Collect addresses to clean up from allowedSites/deniedSites
+        const addresses = (wallet.addresses || []).map((a) => a.address);
+
+        // Remove wallet
+        state.wallets.splice(walletIdx, 1);
+
+        // Clean up site permissions for deleted addresses
+        for (const addr of addresses) {
+            delete state.allowedSites[addr];
+            delete state.deniedSites[addr];
+        }
+
+        deleteWalletIndex = null;
+
+        if (state.wallets.length === 0) {
+            // No wallets left — reset selection and show welcome
+            state.selectedWallet = null;
+            state.selectedAddress = null;
+            state.activeAddress = null;
+            await saveState();
+            showView("welcome");
+        } else {
+            // Switch to first wallet if deleted wallet was active
+            state.selectedWallet = 0;
+            state.selectedAddress = 0;
+            state.activeAddress =
+                state.wallets[0].addresses[0]?.address || null;
+            await saveState();
+            ctx.renderWalletList();
+            ctx.showSettingsView();
+            showFlash("Wallet deleted.");
+        }
+    });
+}
+
+module.exports = { init, show };

src/popup/views/helpers.js

@@ -8,12 +8,15 @@ const {
 } = require("../../shared/prices");
 const { state, saveState } = require("../../shared/state");
 
+// When views are added, removed, or transitions between them change,
+// update the view-navigation documentation in README.md to match.
 const VIEWS = [
     "welcome",
     "add-wallet",
     "import-key",
     "main",
     "address",
+    "show-private-key",
     "address-token",
     "send",
     "confirm-tx",
@@ -23,6 +26,8 @@ const VIEWS = [
     "receive",
     "add-token",
     "settings",
+    "delete-wallet-confirm",
+    "settings-addtoken",
     "transaction",
     "approve-site",
     "approve-tx",

src/popup/views/home.js

@@ -6,6 +6,7 @@ const {
     isoDate,
     timeAgo,
     addressDotHtml,
+    addressTitle,
     escapeHtml,
     truncateMiddle,
 } = require("./helpers");
@@ -102,13 +103,17 @@ function renderHomeTxList(ctx) {
     let html = "";
     let i = 0;
     for (const tx of homeTxs) {
-        const counterparty = tx.direction === "sent" ? tx.to : tx.from;
+        const counterparty =
+            tx.direction === "sent" || tx.direction === "contract"
+                ? tx.to
+                : tx.from;
         const dirLabel = tx.directionLabel;
         const amountStr = tx.value
             ? escapeHtml(tx.value + " " + tx.symbol)
             : escapeHtml(tx.symbol);
+        const title = addressTitle(counterparty, state.wallets);
         const maxAddr = Math.max(32, 36 - Math.max(0, amountStr.length - 10));
-        const displayAddr = truncateMiddle(counterparty, maxAddr);
+        const displayAddr = title || truncateMiddle(counterparty, maxAddr);
         const addrStr = escapeHtml(displayAddr);
         const dot = addressDotHtml(counterparty);
         const err = tx.isError ? " (failed)" : "";

src/popup/views/importKey.js

@@ -30,8 +30,8 @@ function init(ctx) {
             showFlash("Please choose a password.");
             return;
         }
-        if (pw.length < 8) {
+        if (pw.length < 12) {
-            showFlash("Password must be at least 8 characters.");
+            showFlash("Password must be at least 12 characters.");
             return;
         }
         if (pw !== pw2) {

src/popup/views/send.js

@@ -1,6 +1,12 @@
 // Send view: collect To, Amount, Token. Then go to confirmation.
 
-const { $, showFlash, addressDotHtml, escapeHtml } = require("./helpers");
+const {
+    $,
+    showFlash,
+    addressDotHtml,
+    addressTitle,
+    escapeHtml,
+} = require("./helpers");
 const { state, currentAddress } = require("../../shared/state");
 let ctx;
 const { getProvider } = require("../../shared/balances");
@@ -44,8 +50,15 @@ function updateSendBalance() {
     const dot = addressDotHtml(addr.address);
     const link = `https://etherscan.io/address/${addr.address}`;
     const extLink = `<a href="${link}" target="_blank" rel="noopener" class="inline-flex items-center">${EXT_ICON}</a>`;
+    const title = addressTitle(addr.address, state.wallets);
     let fromHtml = "";
-    if (addr.ensName) {
+    if (title) {
+        fromHtml += `<div class="flex items-center font-bold">${dot}${escapeHtml(title)}</div>`;
+        if (addr.ensName) {
+            fromHtml += `<div>${escapeHtml(addr.ensName)}</div>`;
+        }
+        fromHtml += `<div class="break-all">${escapeHtml(addr.address)}${extLink}</div>`;
+    } else if (addr.ensName) {
         fromHtml += `<div class="flex items-center font-bold">${dot}${escapeHtml(addr.ensName)}</div>`;
         fromHtml += `<div class="break-all">${escapeHtml(addr.address)}${extLink}</div>`;
     } else {

src/popup/views/settings.js

@@ -1,7 +1,8 @@
-const { $, showView, showFlash } = require("./helpers");
+const { $, showView, showFlash, escapeHtml } = require("./helpers");
 const { state, saveState } = require("../../shared/state");
 const { ETHEREUM_MAINNET_CHAIN_ID } = require("../../shared/constants");
 const { log, debugFetch } = require("../../shared/log");
+const deleteWallet = require("./deleteWallet");
 
 const runtime =
     typeof browser !== "undefined" ? browser.runtime : chrome.runtime;
@@ -38,10 +39,95 @@ function renderSiteList(containerId, siteMap, stateKey) {
     });
 }
 
+function renderTrackedTokens() {
+    const container = $("settings-tracked-tokens");
+    if (state.trackedTokens.length === 0) {
+        container.innerHTML = '<p class="text-xs text-muted">None</p>';
+        return;
+    }
+    let html = "";
+    state.trackedTokens.forEach((token, idx) => {
+        const label = token.name
+            ? escapeHtml(token.name) + " (" + escapeHtml(token.symbol) + ")"
+            : escapeHtml(token.symbol);
+        html += `<div class="flex justify-between items-center text-xs py-1 border-b border-border-light">`;
+        html += `<span>${label}</span>`;
+        html += `<button class="btn-remove-token border border-border px-1 hover:bg-fg hover:text-bg cursor-pointer" data-idx="${idx}">[x]</button>`;
+        html += `</div>`;
+    });
+    container.innerHTML = html;
+    container.querySelectorAll(".btn-remove-token").forEach((btn) => {
+        btn.addEventListener("click", async () => {
+            const idx = parseInt(btn.dataset.idx, 10);
+            state.trackedTokens.splice(idx, 1);
+            await saveState();
+            renderTrackedTokens();
+        });
+    });
+}
+
+function renderWalletListSettings() {
+    const container = $("settings-wallet-list");
+    if (state.wallets.length === 0) {
+        container.innerHTML = '<p class="text-xs text-muted">No wallets.</p>';
+        return;
+    }
+    let html = "";
+    state.wallets.forEach((wallet, idx) => {
+        const name = escapeHtml(wallet.name || "Wallet " + (idx + 1));
+        html += `<div class="flex justify-between items-center text-xs py-1 border-b border-border-light">`;
+        html += `<span class="settings-wallet-name cursor-pointer underline decoration-dashed" data-idx="${idx}">${name}</span>`;
+        html += `<button class="btn-delete-wallet border border-border px-1 hover:bg-fg hover:text-bg cursor-pointer" data-idx="${idx}">[x]</button>`;
+        html += `</div>`;
+    });
+    container.innerHTML = html;
+    container.querySelectorAll(".btn-delete-wallet").forEach((btn) => {
+        btn.addEventListener("click", () => {
+            const idx = parseInt(btn.dataset.idx, 10);
+            deleteWallet.show(idx);
+        });
+    });
+
+    // Inline rename on click
+    container.querySelectorAll(".settings-wallet-name").forEach((span) => {
+        span.addEventListener("click", () => {
+            const idx = parseInt(span.dataset.idx, 10);
+            const wallet = state.wallets[idx];
+            const input = document.createElement("input");
+            input.type = "text";
+            input.className =
+                "border border-border p-0 text-xs bg-bg text-fg w-full";
+            input.value = wallet.name || "Wallet " + (idx + 1);
+            span.replaceWith(input);
+            input.focus();
+            input.select();
+            const finish = async () => {
+                const val = input.value.trim();
+                if (val && val !== wallet.name) {
+                    wallet.name = val;
+                    await saveState();
+                }
+                renderWalletListSettings();
+            };
+            input.addEventListener("blur", finish);
+            input.addEventListener("keydown", (e) => {
+                if (e.key === "Enter") input.blur();
+                if (e.key === "Escape") {
+                    input.value = wallet.name || "Wallet " + (idx + 1);
+                    input.blur();
+                }
+            });
+        });
+    });
+}
+
 function show() {
     $("settings-rpc").value = state.rpcUrl;
     $("settings-blockscout").value = state.blockscoutUrl;
+    renderTrackedTokens();
     renderSiteLists();
+    renderWalletListSettings();
+
     showView("settings");
 }
 
@@ -55,6 +141,8 @@ function renderSiteLists() {
 }
 
 function init(ctx) {
+    deleteWallet.init(ctx);
+
     $("btn-save-rpc").addEventListener("click", async () => {
         const url = $("settings-rpc").value.trim();
         if (!url) {
@@ -155,6 +243,11 @@ function init(ctx) {
 
     $("btn-main-add-wallet").addEventListener("click", ctx.showAddWalletView);
 
+    $("btn-settings-add-token").addEventListener(
+        "click",
+        ctx.showSettingsAddTokenView,
+    );
+
     $("btn-settings-back").addEventListener("click", () => {
         ctx.renderWalletList();
         showView("main");

src/popup/views/settingsAddToken.js

@@ -0,0 +1,159 @@
+const { $, showView, showFlash } = require("./helpers");
+const { getTopTokens } = require("../../shared/tokenList");
+const { state, saveState } = require("../../shared/state");
+const { lookupTokenInfo } = require("../../shared/balances");
+const { isScamAddress } = require("../../shared/scamlist");
+const { log } = require("../../shared/log");
+
+let ctx;
+
+function isTracked(address) {
+    const lower = address.toLowerCase();
+    return state.trackedTokens.some((t) => t.address.toLowerCase() === lower);
+}
+
+function tokenLabel(t) {
+    return t.name ? t.name + " (" + t.symbol + ")" : t.symbol;
+}
+
+function renderTop10() {
+    const el = $("settings-addtoken-top10");
+    el.innerHTML = getTopTokens(10)
+        .map((t) => {
+            const tracked = isTracked(t.address);
+            const cls = tracked
+                ? "border border-border px-1 text-xs opacity-40 cursor-default"
+                : "border border-border px-1 hover:bg-fg hover:text-bg cursor-pointer text-xs";
+            return (
+                `<button class="settings-addtoken-quick ${cls}"` +
+                ` data-address="${t.address}"` +
+                ` data-symbol="${t.symbol}"` +
+                ` data-decimals="${t.decimals}"` +
+                ` data-name="${(t.name || "").replace(/"/g, "&quot;")}"` +
+                `${tracked ? " disabled" : ""}>${t.symbol}</button>`
+            );
+        })
+        .join("");
+    el.querySelectorAll(".settings-addtoken-quick:not([disabled])").forEach(
+        (btn) => {
+            btn.addEventListener("click", async () => {
+                const token = {
+                    address: btn.dataset.address,
+                    symbol: btn.dataset.symbol,
+                    decimals: parseInt(btn.dataset.decimals, 10),
+                    name: btn.dataset.name || btn.dataset.symbol,
+                };
+                state.trackedTokens.push(token);
+                await saveState();
+                showFlash("Added " + token.symbol);
+                renderTop10();
+                renderDropdown();
+                ctx.doRefreshAndRender();
+            });
+        },
+    );
+}
+
+function renderDropdown() {
+    const sel = $("settings-addtoken-select");
+    const tokens = getTopTokens(100);
+    let html = '<option value="">-- select --</option>';
+    for (const t of tokens) {
+        const tracked = isTracked(t.address);
+        const label = tokenLabel(t) + (tracked ? " (tracked)" : "");
+        html +=
+            `<option value="${t.address}"` +
+            ` data-symbol="${t.symbol}"` +
+            ` data-decimals="${t.decimals}"` +
+            ` data-name="${(t.name || "").replace(/"/g, "&quot;")}"` +
+            `${tracked ? " disabled" : ""}>${label}</option>`;
+    }
+    sel.innerHTML = html;
+}
+
+function show() {
+    $("settings-addtoken-address").value = "";
+    $("settings-addtoken-info").classList.add("hidden");
+    renderTop10();
+    renderDropdown();
+    showView("settings-addtoken");
+}
+
+function init(_ctx) {
+    ctx = _ctx;
+
+    $("btn-settings-addtoken-back").addEventListener("click", () => {
+        ctx.showSettingsView();
+    });
+
+    $("btn-settings-addtoken-select").addEventListener("click", async () => {
+        const sel = $("settings-addtoken-select");
+        const opt = sel.options[sel.selectedIndex];
+        if (!opt || !opt.value) {
+            showFlash("Please select a token.");
+            return;
+        }
+        if (isTracked(opt.value)) {
+            showFlash("Already tracked.");
+            return;
+        }
+        const token = {
+            address: opt.value,
+            symbol: opt.dataset.symbol,
+            decimals: parseInt(opt.dataset.decimals, 10),
+            name: opt.dataset.name || opt.dataset.symbol,
+        };
+        state.trackedTokens.push(token);
+        await saveState();
+        showFlash("Added " + token.symbol);
+        renderTop10();
+        renderDropdown();
+        ctx.doRefreshAndRender();
+    });
+
+    $("btn-settings-addtoken-manual").addEventListener("click", async () => {
+        const addr = $("settings-addtoken-address").value.trim();
+        if (!addr || !addr.startsWith("0x")) {
+            showFlash(
+                "Please enter a valid contract address starting with 0x.",
+            );
+            return;
+        }
+        if (isTracked(addr)) {
+            showFlash("Already tracked.");
+            return;
+        }
+        if (isScamAddress(addr)) {
+            showFlash("This address is on a known scam/fraud list.");
+            return;
+        }
+        const infoEl = $("settings-addtoken-info");
+        infoEl.textContent = "Looking up token...";
+        infoEl.classList.remove("hidden");
+        log.debugf("Looking up token contract", addr);
+        try {
+            const info = await lookupTokenInfo(addr, state.rpcUrl);
+            log.infof("Adding token", info.symbol, addr);
+            state.trackedTokens.push({
+                address: addr,
+                symbol: info.symbol,
+                decimals: info.decimals,
+                name: info.name,
+            });
+            await saveState();
+            showFlash("Added " + info.symbol);
+            $("settings-addtoken-address").value = "";
+            infoEl.classList.add("hidden");
+            renderTop10();
+            renderDropdown();
+            ctx.doRefreshAndRender();
+        } catch (e) {
+            const detail = e.shortMessage || e.message || String(e);
+            log.errorf("Token lookup failed for", addr, detail);
+            showFlash(detail);
+            infoEl.classList.add("hidden");
+        }
+    });
+}
+
+module.exports = { init, show };

src/popup/views/showPrivateKey.js

@@ -0,0 +1,79 @@
+const { $, showView, showFlash, showError, hideError } = require("./helpers");
+const { state } = require("../../shared/state");
+const { decryptWithPassword } = require("../../shared/vault");
+const { getPrivateKeyForAddress } = require("../../shared/wallet");
+
+let ctx;
+let revealed = false;
+
+function show() {
+    revealed = false;
+    $("show-pk-password").value = "";
+    $("show-pk-key-well").classList.add("hidden");
+    $("show-pk-key-value").textContent = "";
+    $("show-pk-prompt").classList.remove("hidden");
+    hideError("show-pk-error");
+    showView("show-private-key");
+}
+
+function init(_ctx) {
+    ctx = _ctx;
+
+    $("btn-show-pk-back").addEventListener("click", () => {
+        clearKey();
+        ctx.showAddressDetail();
+    });
+
+    $("btn-show-pk-reveal").addEventListener("click", async () => {
+        const pw = $("show-pk-password").value;
+        if (!pw) {
+            showError("show-pk-error", "Please enter your password.");
+            return;
+        }
+
+        const wallet = state.wallets[state.selectedWallet];
+        let decryptedSecret;
+        try {
+            decryptedSecret = await decryptWithPassword(
+                wallet.encryptedSecret,
+                pw,
+            );
+        } catch (_e) {
+            showError("show-pk-error", "Wrong password.");
+            return;
+        }
+
+        const privateKey = getPrivateKeyForAddress(
+            wallet,
+            state.selectedAddress,
+            decryptedSecret,
+        );
+
+        revealed = true;
+        $("show-pk-prompt").classList.add("hidden");
+        $("show-pk-key-well").classList.remove("hidden");
+        $("show-pk-key-value").textContent = privateKey;
+        hideError("show-pk-error");
+    });
+
+    $("btn-show-pk-copy").addEventListener("click", () => {
+        const key = $("show-pk-key-value").textContent;
+        if (key) {
+            navigator.clipboard.writeText(key);
+            showFlash("Copied!");
+        }
+    });
+
+    $("btn-show-pk-done").addEventListener("click", () => {
+        clearKey();
+        ctx.showAddressDetail();
+    });
+}
+
+function clearKey() {
+    revealed = false;
+    $("show-pk-key-value").textContent = "";
+    $("show-pk-password").value = "";
+}
+
+module.exports = { init, show };

src/popup/views/transactionDetail.js

@@ -13,6 +13,8 @@ const {
 } = require("./helpers");
 const { state } = require("../../shared/state");
 const makeBlockie = require("ethereum-blockies-base64");
+const { log, debugFetch } = require("../../shared/log");
+const { decodeCalldata } = require("./approval");
 
 const EXT_ICON =
     `<span style="display:inline-block;width:10px;height:10px;margin-left:4px;vertical-align:middle">` +
@@ -42,11 +44,11 @@ function txAddressHtml(address, ensName, title) {
     const extLink = `<a href="${link}" target="_blank" rel="noopener" class="inline-flex items-center">${EXT_ICON}</a>`;
     let html = `<div class="mb-1">${blockie}</div>`;
     if (title) {
-        html += `<div class="flex items-center font-bold">${dot}${escapeHtml(title)}</div>`;
+        html += `<div class="font-bold">${escapeHtml(title)}</div>`;
     }
     if (ensName) {
         html +=
-            `<div class="flex items-center">${title ? "" : dot}` +
+            `<div class="flex items-center">${dot}` +
             copyableHtml(ensName, "") +
             extLink +
             `</div>` +
@@ -55,7 +57,7 @@ function txAddressHtml(address, ensName, title) {
             `</div>`;
     } else {
         html +=
-            `<div class="flex items-center">${title ? "" : dot}` +
+            `<div class="flex items-center">${dot}` +
             copyableHtml(address, "break-all") +
             extLink +
             `</div>`;
@@ -85,9 +87,15 @@ function show(tx) {
             fromEns: tx.fromEns || null,
             toEns: tx.toEns || null,
             directionLabel: tx.directionLabel || null,
+            direction: tx.direction || null,
+            isContractCall: tx.isContractCall || false,
+            method: tx.method || null,
         },
     };
     render();
+    if (tx.isContractCall || tx.direction === "contract") {
+        loadCalldata(tx.hash, tx.to);
+    }
 }
 
 function render() {
@@ -121,6 +129,25 @@ function render() {
         nativeEl.parentElement.classList.add("hidden");
     }
 
+    // Show type label for contract interactions (Swap, Execute, etc.)
+    const typeSection = $("tx-detail-type-section");
+    const typeEl = $("tx-detail-type");
+    const headingEl = $("tx-detail-heading");
+    if (tx.direction === "contract" && tx.directionLabel) {
+        if (typeSection) {
+            typeEl.textContent = tx.directionLabel;
+            typeSection.classList.remove("hidden");
+        }
+        if (headingEl) headingEl.textContent = tx.directionLabel;
+    } else {
+        if (typeSection) typeSection.classList.add("hidden");
+        if (headingEl) headingEl.textContent = "Transaction";
+    }
+
+    // Hide calldata section by default; loadCalldata will show it if needed
+    const calldataSection = $("tx-detail-calldata-section");
+    if (calldataSection) calldataSection.classList.add("hidden");
+
     $("tx-detail-time").textContent =
         isoDate(tx.timestamp) + " (" + timeAgo(tx.timestamp) + ")";
     $("tx-detail-status").textContent = tx.isError ? "Failed" : "Success";
@@ -137,6 +164,73 @@ function render() {
         });
 }
 
+async function loadCalldata(txHash, toAddress) {
+    const section = $("tx-detail-calldata-section");
+    const actionEl = $("tx-detail-calldata-action");
+    const detailsEl = $("tx-detail-calldata-details");
+    const wellEl = $("tx-detail-calldata-well");
+    const rawSection = $("tx-detail-rawdata-section");
+    const rawEl = $("tx-detail-rawdata");
+    if (!section || !actionEl || !detailsEl) return;
+
+    try {
+        const resp = await debugFetch(
+            state.blockscoutUrl + "/transactions/" + txHash,
+        );
+        if (!resp.ok) return;
+        const txData = await resp.json();
+        const inputData = txData.raw_input || txData.input || null;
+        if (!inputData || inputData === "0x") return;
+
+        const decoded = decodeCalldata(inputData, toAddress || "");
+        if (decoded) {
+            // Render decoded calldata matching approval view style
+            actionEl.textContent = decoded.name;
+            let detailsHtml = "";
+            if (decoded.description) {
+                detailsHtml += `<div class="mb-2">${escapeHtml(decoded.description)}</div>`;
+            }
+            for (const d of decoded.details || []) {
+                detailsHtml += `<div class="mb-2">`;
+                detailsHtml += `<div class="text-muted">${escapeHtml(d.label)}</div>`;
+                if (d.address) {
+                    const dot = addressDotHtml(d.address);
+                    detailsHtml += `<div>${dot}${copyableHtml(d.value, "break-all")}</div>`;
+                } else {
+                    detailsHtml += `<div class="font-bold">${escapeHtml(d.value)}</div>`;
+                }
+                detailsHtml += `</div>`;
+            }
+            detailsEl.innerHTML = detailsHtml;
+            if (wellEl) wellEl.classList.remove("hidden");
+        } else {
+            // Unknown contract call — show method name in well
+            const method = txData.method || "Unknown contract call";
+            actionEl.textContent = method;
+            detailsEl.innerHTML = "";
+            if (wellEl) wellEl.classList.remove("hidden");
+        }
+
+        // Always show raw data
+        if (rawSection && rawEl) {
+            rawEl.innerHTML = copyableHtml(inputData, "break-all");
+            rawSection.classList.remove("hidden");
+        }
+
+        section.classList.remove("hidden");
+
+        // Bind copy handlers for new elements
+        section.querySelectorAll("[data-copy]").forEach((el) => {
+            el.onclick = () => {
+                navigator.clipboard.writeText(el.dataset.copy);
+                showFlash("Copied!");
+            };
+        });
+    } catch (e) {
+        log.errorf("loadCalldata failed:", e.message);
+    }
+}
+
 function init(_ctx) {
     ctx = _ctx;
     $("btn-tx-back").addEventListener("click", () => {

src/popup/views/txStatus.js

@@ -5,6 +5,7 @@ const {
     showView,
     showFlash,
     addressDotHtml,
+    addressTitle,
     escapeHtml,
 } = require("./helpers");
 const { state, saveState } = require("../../shared/state");
@@ -37,6 +38,13 @@ function toAddressHtml(address) {
     const dot = addressDotHtml(address);
     const link = `https://etherscan.io/address/${address}`;
     const extLink = `<a href="${link}" target="_blank" rel="noopener" class="inline-flex items-center">${EXT_ICON}</a>`;
+    const title = addressTitle(address, state.wallets);
+    if (title) {
+        return (
+            `<div class="flex items-center font-bold">${dot}${escapeHtml(title)}</div>` +
+            `<div class="break-all">${escapeHtml(address)}${extLink}</div>`
+        );
+    }
     return `<div class="flex items-center">${dot}<span class="break-all">${escapeHtml(address)}</span>${extLink}</div>`;
 }
 

src/shared/balances.js

@@ -123,15 +123,27 @@ async function refreshBalances(wallets, rpcUrl, blockscoutUrl, trackedTokens) {
                     }),
             );
 
-            // ENS reverse lookup
+            // ENS reverse lookup — only overwrite on success so that
+            // transient RPC errors don't wipe a previously resolved name.
             updates.push(
                 provider
                     .lookupAddress(addr.address)
                     .then((name) => {
                         addr.ensName = name || null;
+                        log.debugf(
+                            "ENS reverse",
+                            addr.address,
+                            "->",
+                            addr.ensName,
+                        );
                     })
-                    .catch(() => {
+                    .catch((e) => {
-                        addr.ensName = null;
+                        log.errorf(
+                            "ENS reverse failed",
+                            addr.address,
+                            e.message,
+                        );
+                        // Keep existing addr.ensName if we had one
                     }),
             );
 
@@ -192,6 +204,10 @@ async function lookupTokenInfo(contractAddress, rpcUrl) {
         name = symbol;
     }
 
+    // Truncate to prevent storage of excessively long values from RPC
+    name = String(name).slice(0, 64);
+    symbol = String(symbol).slice(0, 12);
+
     log.infof("Token resolved:", symbol, "decimals", Number(decimals));
     return { name, symbol, decimals: Number(decimals) };
 }

src/shared/ens.js

@@ -39,7 +39,7 @@ async function resolveEnsName(address, rpcUrl) {
         return name;
     } catch (e) {
         log.errorf("ENS reverse lookup failed", address, e.message);
-        setCache(address, null);
+        // Don't cache failures — let subsequent lookups retry
         return null;
     }
 }

src/shared/transactions.js

@@ -37,7 +37,21 @@ function parseTx(tx, addrLower) {
         if (token) {
             symbol = token.symbol;
         }
-        const label = method.charAt(0).toUpperCase() + method.slice(1);
+        // Map known DEX methods to "Swap" for cleaner display
+        const SWAP_METHODS = new Set([
+            "execute",
+            "swap",
+            "swapExactTokensForTokens",
+            "swapTokensForExactTokens",
+            "swapExactETHForTokens",
+            "swapTokensForExactETH",
+            "swapExactTokensForETH",
+            "swapETHForExactTokens",
+            "multicall",
+        ]);
+        const label = SWAP_METHODS.has(method)
+            ? "Swap"
+            : method.charAt(0).toUpperCase() + method.slice(1);
         direction = "contract";
         directionLabel = label;
         value = "";
@@ -139,9 +153,18 @@ async function fetchRecentTransactions(address, blockscoutUrl, count = 25) {
 
     // When a token transfer shares a hash with a normal tx, the normal tx
     // is the contract call (0 ETH) and the token transfer has the real
-    // amount and symbol. Replace the normal tx with the token transfer.
+    // amount and symbol. Replace the normal tx with the token transfer,
+    // but preserve contract call metadata (direction, label, method) so
+    // swaps and other contract interactions display correctly.
     for (const tt of ttJson.items || []) {
         const parsed = parseTokenTransfer(tt, addrLower);
+        const existing = txsByHash.get(parsed.hash);
+        if (existing && existing.direction === "contract") {
+            parsed.direction = "contract";
+            parsed.directionLabel = existing.directionLabel;
+            parsed.isContractCall = true;
+            parsed.method = existing.method;
+        }
         txsByHash.set(parsed.hash, parsed);
     }
 

src/shared/wallet.js

@@ -41,6 +41,18 @@ function getSignerForAddress(walletData, addrIndex, decryptedSecret) {
     return new Wallet(decryptedSecret);
 }
 
+function getPrivateKeyForAddress(walletData, addrIndex, decryptedSecret) {
+    if (walletData.type === "hd") {
+        const node = HDNodeWallet.fromPhrase(
+            decryptedSecret,
+            "",
+            BIP44_ETH_PATH,
+        );
+        return node.deriveChild(addrIndex).privateKey;
+    }
+    return decryptedSecret;
+}
+
 function isValidMnemonic(mnemonic) {
     return Mnemonic.isValidMnemonic(mnemonic);
 }
@@ -51,5 +63,6 @@ module.exports = {
     hdWalletFromMnemonic,
     addressFromPrivateKey,
     getSignerForAddress,
+    getPrivateKeyForAddress,
     isValidMnemonic,
 };