@agenticvault/agentic-vault 0.1.0

package/dist/protocols/policy/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/protocols/policy/types.ts"],"names":[],"mappings":""}

package/dist/protocols/registry.d.ts

@@ -0,0 +1,21 @@
+import type { Address, Hex } from 'viem';
+import type { ProtocolDecoder } from './types.js';
+export interface ContractEntry {
+    protocol: string;
+    decoder: ProtocolDecoder;
+}
+export interface RegistryConfig {
+    contracts: Record<string, ContractEntry>;
+    interfaceDecoders: ProtocolDecoder[];
+}
+export declare class ProtocolRegistry {
+    private readonly addressMap;
+    private readonly interfaceDecoders;
+    constructor(config: RegistryConfig);
+    /**
+     * Lookup protocol by chainId + contract address (Stage 1).
+     * Falls back to interface-based decoder matching by selector (Stage 2).
+     */
+    resolve(chainId: number, to: Address, selector: Hex): ProtocolDecoder | undefined;
+}
+export declare function createDefaultRegistry(): RegistryConfig;

package/dist/protocols/registry.js

@@ -0,0 +1,52 @@
+import { erc20Decoder } from './decoders/erc20.js';
+import { uniswapV3Decoder } from './decoders/uniswap-v3.js';
+import { aaveV3Decoder } from './decoders/aave-v3.js';
+export class ProtocolRegistry {
+    addressMap;
+    interfaceDecoders;
+    constructor(config) {
+        // Normalize keys to lowercase for case-insensitive address matching
+        this.addressMap = new Map(Object.entries(config.contracts).map(([key, entry]) => [key.toLowerCase(), entry]));
+        this.interfaceDecoders = config.interfaceDecoders;
+    }
+    /**
+     * Lookup protocol by chainId + contract address (Stage 1).
+     * Falls back to interface-based decoder matching by selector (Stage 2).
+     */
+    resolve(chainId, to, selector) {
+        const key = `${chainId}:${to.toLowerCase()}`;
+        const entry = this.addressMap.get(key);
+        if (entry)
+            return entry.decoder;
+        const normalizedSelector = selector.toLowerCase();
+        return this.interfaceDecoders.find((d) => d.supportedSelectors.some((s) => s.toLowerCase() === normalizedSelector));
+    }
+}
+export function createDefaultRegistry() {
+    return {
+        contracts: {
+            // Uniswap V3 SwapRouter02 (Ethereum mainnet)
+            '1:0x68b3465833fb72a70ecdf485e0e4c7bd8665fc45': {
+                protocol: 'uniswap_v3',
+                decoder: uniswapV3Decoder,
+            },
+            // Uniswap V3 SwapRouter02 (Sepolia testnet)
+            '11155111:0x3bfa4769fb09eefc5a80d6e87c3b9c650f7ae48e': {
+                protocol: 'uniswap_v3',
+                decoder: uniswapV3Decoder,
+            },
+            // Aave V3 Pool (Ethereum mainnet)
+            '1:0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2': {
+                protocol: 'aave_v3',
+                decoder: aaveV3Decoder,
+            },
+            // Aave V3 Pool (Sepolia testnet)
+            '11155111:0x6ae43d3271ff6888e7fc43fd7321a503ff738951': {
+                protocol: 'aave_v3',
+                decoder: aaveV3Decoder,
+            },
+        },
+        interfaceDecoders: [erc20Decoder],
+    };
+}
+//# sourceMappingURL=registry.js.map

package/dist/protocols/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/protocols/registry.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAYtD,MAAM,OAAO,gBAAgB;IACV,UAAU,CAA6B;IACvC,iBAAiB,CAAoB;IAEtD,YAAY,MAAsB;QAChC,oEAAoE;QACpE,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,CACvB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC,CACnF,CAAC;QACF,IAAI,CAAC,iBAAiB,GAAG,MAAM,CAAC,iBAAiB,CAAC;IACpD,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,OAAe,EAAE,EAAW,EAAE,QAAa;QACjD,MAAM,GAAG,GAAG,GAAG,OAAO,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC,OAAO,CAAC;QAEhC,MAAM,kBAAkB,GAAG,QAAQ,CAAC,WAAW,EAAS,CAAC;QACzD,OAAO,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACvC,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,kBAAkB,CAAC,CACzE,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO;QACL,SAAS,EAAE;YACT,6CAA6C;YAC7C,8CAA8C,EAAE;gBAC9C,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,gBAAgB;aAC1B;YACD,4CAA4C;YAC5C,qDAAqD,EAAE;gBACrD,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,gBAAgB;aAC1B;YACD,kCAAkC;YAClC,8CAA8C,EAAE;gBAC9C,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,aAAa;aACvB;YACD,iCAAiC;YACjC,qDAAqD,EAAE;gBACrD,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,aAAa;aACvB;SACF;QACD,iBAAiB,EAAE,CAAC,YAAY,CAAC;KAClC,CAAC;AACJ,CAAC"}

package/dist/protocols/types.d.ts

@@ -0,0 +1,90 @@
+import type { Address, Hex } from 'viem';
+interface IntentBase {
+    chainId: number;
+    to: Address;
+    selector: Hex;
+}
+export interface Erc20ApproveIntent extends IntentBase {
+    protocol: 'erc20';
+    action: 'approve';
+    args: {
+        spender: Address;
+        amount: bigint;
+    };
+}
+export interface Erc20TransferIntent extends IntentBase {
+    protocol: 'erc20';
+    action: 'transfer';
+    args: {
+        to: Address;
+        amount: bigint;
+    };
+}
+export interface UniswapV3ExactInputSingleIntent extends IntentBase {
+    protocol: 'uniswap_v3';
+    action: 'exactInputSingle';
+    args: {
+        tokenIn: Address;
+        tokenOut: Address;
+        fee: number;
+        recipient: Address;
+        amountIn: bigint;
+        amountOutMinimum: bigint;
+        sqrtPriceLimitX96: bigint;
+    };
+}
+export interface AaveV3SupplyIntent extends IntentBase {
+    protocol: 'aave_v3';
+    action: 'supply';
+    args: {
+        asset: Address;
+        amount: bigint;
+        onBehalfOf: Address;
+        referralCode: number;
+    };
+}
+export interface AaveV3BorrowIntent extends IntentBase {
+    protocol: 'aave_v3';
+    action: 'borrow';
+    args: {
+        asset: Address;
+        amount: bigint;
+        interestRateMode: bigint;
+        referralCode: number;
+        onBehalfOf: Address;
+    };
+}
+export interface AaveV3RepayIntent extends IntentBase {
+    protocol: 'aave_v3';
+    action: 'repay';
+    args: {
+        asset: Address;
+        amount: bigint;
+        interestRateMode: bigint;
+        onBehalfOf: Address;
+    };
+}
+export interface AaveV3WithdrawIntent extends IntentBase {
+    protocol: 'aave_v3';
+    action: 'withdraw';
+    args: {
+        asset: Address;
+        amount: bigint;
+        to: Address;
+    };
+}
+export interface UnknownIntent {
+    protocol: 'unknown';
+    chainId: number;
+    to: Address;
+    selector?: Hex;
+    rawData: Hex;
+    reason: string;
+}
+export type DecodedIntent = Erc20ApproveIntent | Erc20TransferIntent | UniswapV3ExactInputSingleIntent | AaveV3SupplyIntent | AaveV3BorrowIntent | AaveV3RepayIntent | AaveV3WithdrawIntent | UnknownIntent;
+export interface ProtocolDecoder {
+    readonly protocol: string;
+    readonly supportedSelectors: readonly Hex[];
+    decode(chainId: number, to: Address, data: Hex): DecodedIntent;
+}
+export {};

package/dist/protocols/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/protocols/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/protocols/types.ts"],"names":[],"mappings":""}

package/dist/protocols/workflows/get-address.d.ts

@@ -0,0 +1,2 @@
+import type { WorkflowContext, WorkflowResult } from './types.js';
+export declare function getAddress(ctx: WorkflowContext): Promise<WorkflowResult>;

package/dist/protocols/workflows/get-address.js

@@ -0,0 +1,41 @@
+const DEFAULT_SERVICE = 'agentic-vault';
+export async function getAddress(ctx) {
+    const service = ctx.service ?? DEFAULT_SERVICE;
+    if (!ctx.signer) {
+        ctx.auditSink.log({
+            service,
+            action: 'get_address',
+            who: ctx.caller,
+            what: 'Signer not available for address lookup',
+            why: 'Configuration error: signer is required',
+            result: 'error',
+        });
+        return { status: 'error', reason: 'Signer is required for get_address' };
+    }
+    try {
+        const address = await ctx.signer.getAddress();
+        ctx.auditSink.log({
+            service,
+            action: 'get_address',
+            who: ctx.caller,
+            what: `Retrieved wallet address: ${address}`,
+            why: 'Address lookup requested',
+            result: 'approved',
+        });
+        return { status: 'approved', data: address };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        ctx.auditSink.log({
+            service,
+            action: 'get_address',
+            who: ctx.caller,
+            what: 'Failed to retrieve wallet address',
+            why: 'Address lookup error',
+            result: 'error',
+            details: { error: msg },
+        });
+        return { status: 'error', reason: msg };
+    }
+}
+//# sourceMappingURL=get-address.js.map

package/dist/protocols/workflows/get-address.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-address.js","sourceRoot":"","sources":["../../../src/protocols/workflows/get-address.ts"],"names":[],"mappings":"AAEA,MAAM,eAAe,GAAG,eAAe,CAAC;AAExC,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,GAAoB;IACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,eAAe,CAAC;IAE/C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,yCAAyC;YAC/C,GAAG,EAAE,yCAAyC;YAC9C,MAAM,EAAE,OAAO;SAChB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;IAC3E,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QAE9C,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,6BAA6B,OAAO,EAAE;YAC5C,GAAG,EAAE,0BAA0B;YAC/B,MAAM,EAAE,UAAU;SACnB,CAAC,CAAC;QAEH,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,mCAAmC;YACzC,GAAG,EAAE,sBAAsB;YAC3B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE;SACxB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IAC1C,CAAC;AACH,CAAC"}

package/dist/protocols/workflows/health-check.d.ts

@@ -0,0 +1,2 @@
+import type { WorkflowContext, WorkflowResult } from './types.js';
+export declare function healthCheck(ctx: WorkflowContext): Promise<WorkflowResult>;

package/dist/protocols/workflows/health-check.js

@@ -0,0 +1,41 @@
+const DEFAULT_SERVICE = 'agentic-vault';
+export async function healthCheck(ctx) {
+    const service = ctx.service ?? DEFAULT_SERVICE;
+    if (!ctx.signer) {
+        ctx.auditSink.log({
+            service,
+            action: 'health_check',
+            who: ctx.caller,
+            what: 'Signer not available for health check',
+            why: 'Configuration error: signer is required',
+            result: 'error',
+        });
+        return { status: 'error', reason: 'Signer is required for health_check' };
+    }
+    try {
+        await ctx.signer.healthCheck();
+        ctx.auditSink.log({
+            service,
+            action: 'health_check',
+            who: ctx.caller,
+            what: 'Health check passed',
+            why: 'Health check requested',
+            result: 'approved',
+        });
+        return { status: 'approved', data: JSON.stringify({ status: 'healthy' }) };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        ctx.auditSink.log({
+            service,
+            action: 'health_check',
+            who: ctx.caller,
+            what: 'Health check failed',
+            why: 'Health check error',
+            result: 'error',
+            details: { error: msg },
+        });
+        return { status: 'error', reason: msg };
+    }
+}
+//# sourceMappingURL=health-check.js.map

package/dist/protocols/workflows/health-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health-check.js","sourceRoot":"","sources":["../../../src/protocols/workflows/health-check.ts"],"names":[],"mappings":"AAEA,MAAM,eAAe,GAAG,eAAe,CAAC;AAExC,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAoB;IACpD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,eAAe,CAAC;IAE/C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,cAAc;YACtB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,uCAAuC;YAC7C,GAAG,EAAE,yCAAyC;YAC9C,MAAM,EAAE,OAAO;SAChB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;IAC5E,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAE/B,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,cAAc;YACtB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,qBAAqB;YAC3B,GAAG,EAAE,wBAAwB;YAC7B,MAAM,EAAE,UAAU;SACnB,CAAC,CAAC;QAEH,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC7E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,cAAc;YACtB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,qBAAqB;YAC3B,GAAG,EAAE,oBAAoB;YACzB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE;SACxB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IAC1C,CAAC;AACH,CAAC"}

package/dist/protocols/workflows/index.d.ts

@@ -0,0 +1,5 @@
+export type { WorkflowCaller, AuditSink, WorkflowSigner, WorkflowPolicyEngine, WorkflowDispatcher, WorkflowDecodedIntent, WorkflowContext, WorkflowResult, } from './types.js';
+export { signDefiCall, type SignDefiCallInput } from './sign-defi-call.js';
+export { signPermit, type SignPermitInput } from './sign-permit.js';
+export { getAddress } from './get-address.js';
+export { healthCheck } from './health-check.js';

package/dist/protocols/workflows/index.js

@@ -0,0 +1,5 @@
+export { signDefiCall } from './sign-defi-call.js';
+export { signPermit } from './sign-permit.js';
+export { getAddress } from './get-address.js';
+export { healthCheck } from './health-check.js';
+//# sourceMappingURL=index.js.map

package/dist/protocols/workflows/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/protocols/workflows/index.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,YAAY,EAA0B,MAAM,qBAAqB,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAwB,MAAM,kBAAkB,CAAC;AACpE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/protocols/workflows/sign-defi-call.d.ts

@@ -0,0 +1,14 @@
+import type { WorkflowContext, WorkflowResult } from './types.js';
+export interface SignDefiCallInput {
+    chainId: number;
+    to: string;
+    data: string;
+    value?: string;
+}
+/**
+ * Decode → fail-closed reject → policy → sign workflow.
+ *
+ * Interface-agnostic: callers provide WorkflowContext with their own
+ * AuditSink, caller tag, and service name.
+ */
+export declare function signDefiCall(ctx: WorkflowContext, actionName: string, input: SignDefiCallInput): Promise<WorkflowResult>;

package/dist/protocols/workflows/sign-defi-call.js

@@ -0,0 +1,157 @@
+const DEFAULT_SERVICE = 'agentic-vault';
+/**
+ * Decode → fail-closed reject → policy → sign workflow.
+ *
+ * Interface-agnostic: callers provide WorkflowContext with their own
+ * AuditSink, caller tag, and service name.
+ */
+export async function signDefiCall(ctx, actionName, input) {
+    const service = ctx.service ?? DEFAULT_SERVICE;
+    const to = input.to.toLowerCase();
+    const data = input.data;
+    // 1. Require dispatcher
+    if (!ctx.dispatcher) {
+        throw new Error(`${actionName} requires dispatcher in WorkflowContext`);
+    }
+    // 2. Decode calldata
+    const intent = ctx.dispatcher.dispatch(input.chainId, to, data);
+    // 3. Reject unknown protocols (fail-closed)
+    if (intent.protocol === 'unknown') {
+        ctx.auditSink.log({
+            service,
+            action: actionName,
+            who: ctx.caller,
+            what: `Rejected unknown calldata for ${to} on chain ${input.chainId}`,
+            why: `Decoder rejection: ${intent.reason}`,
+            result: 'denied',
+            details: { chainId: input.chainId, to, reason: intent.reason },
+        });
+        return {
+            status: 'denied',
+            reason: `Rejected: ${intent.reason}`,
+        };
+    }
+    // 4. Parse value
+    let amountWei;
+    if (input.value) {
+        try {
+            amountWei = BigInt(input.value);
+        }
+        catch {
+            ctx.auditSink.log({
+                service,
+                action: actionName,
+                who: ctx.caller,
+                what: `Invalid value parameter for ${to} on chain ${input.chainId}`,
+                why: 'Input validation: value must be a decimal string',
+                result: 'error',
+                details: { chainId: input.chainId, to },
+            });
+            return {
+                status: 'error',
+                reason: 'Invalid value: must be a decimal string',
+            };
+        }
+    }
+    // 5. Policy evaluation with decoded intent
+    const evaluation = ctx.policyEngine.evaluate({
+        chainId: input.chainId,
+        to,
+        selector: intent.selector,
+        amountWei,
+        intent,
+    });
+    if (!evaluation.allowed) {
+        ctx.auditSink.log({
+            service,
+            action: actionName,
+            who: ctx.caller,
+            what: `Policy denied ${intent.protocol}:${intent.action} on chain ${input.chainId}`,
+            why: `Violations: ${evaluation.violations.join('; ')}`,
+            result: 'denied',
+            details: {
+                chainId: input.chainId,
+                to,
+                protocol: intent.protocol,
+                action: intent.action,
+                violations: evaluation.violations,
+            },
+        });
+        return {
+            status: 'denied',
+            reason: `Policy denied: ${evaluation.violations.join('; ')}`,
+            violations: evaluation.violations,
+        };
+    }
+    // 6. Dry-run: return decoded intent + policy evaluation without signing
+    if (ctx.dryRun) {
+        ctx.auditSink.log({
+            service,
+            action: actionName,
+            who: ctx.caller,
+            what: `Dry-run approved ${intent.protocol}:${intent.action} on chain ${input.chainId}`,
+            why: 'Approved by decoder + policy (dry-run)',
+            result: 'approved',
+            details: { chainId: input.chainId, to, protocol: intent.protocol, action: intent.action, dryRun: true },
+        });
+        return {
+            status: 'dry-run-approved',
+            details: {
+                protocol: intent.protocol,
+                action: intent.action,
+                chainId: input.chainId,
+                to,
+                intent,
+                evaluation: { allowed: true, violations: [] },
+            },
+        };
+    }
+    // 7. Sign
+    if (!ctx.signer) {
+        ctx.auditSink.log({
+            service,
+            action: actionName,
+            who: ctx.caller,
+            what: 'Signer not available for signing',
+            why: 'Configuration error: signer is required when dryRun is not enabled',
+            result: 'error',
+        });
+        return { status: 'error', reason: 'Signer is required when dryRun is not enabled' };
+    }
+    try {
+        const signedTx = await ctx.signer.signTransaction({
+            chainId: input.chainId,
+            to,
+            data,
+            value: amountWei,
+        });
+        ctx.auditSink.log({
+            service,
+            action: actionName,
+            who: ctx.caller,
+            what: `Signed ${intent.protocol}:${intent.action} for ${to} on chain ${input.chainId}`,
+            why: 'Approved by decoder + policy',
+            result: 'approved',
+            details: { chainId: input.chainId, to, protocol: intent.protocol, action: intent.action },
+        });
+        return {
+            status: 'approved',
+            data: signedTx,
+            details: { protocol: intent.protocol, action: intent.action },
+        };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        ctx.auditSink.log({
+            service,
+            action: actionName,
+            who: ctx.caller,
+            what: `Failed to sign ${intent.protocol}:${intent.action}`,
+            why: 'Signing error',
+            result: 'error',
+            details: { error: msg },
+        });
+        return { status: 'error', reason: `Signing error: ${msg}` };
+    }
+}
+//# sourceMappingURL=sign-defi-call.js.map

package/dist/protocols/workflows/sign-defi-call.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-defi-call.js","sourceRoot":"","sources":["../../../src/protocols/workflows/sign-defi-call.ts"],"names":[],"mappings":"AASA,MAAM,eAAe,GAAG,eAAe,CAAC;AAExC;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAoB,EACpB,UAAkB,EAClB,KAAwB;IAExB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,eAAe,CAAC;IAC/C,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC,WAAW,EAAmB,CAAC;IACnD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAqB,CAAC;IAEzC,wBAAwB;IACxB,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,yCAAyC,CAAC,CAAC;IAC1E,CAAC;IAED,qBAAqB;IACrB,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,CAAC;IAEhE,4CAA4C;IAC5C,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAClC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,UAAU;YAClB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,iCAAiC,EAAE,aAAa,KAAK,CAAC,OAAO,EAAE;YACrE,GAAG,EAAE,sBAAsB,MAAM,CAAC,MAAM,EAAE;YAC1C,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE;SAC/D,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,aAAa,MAAM,CAAC,MAAM,EAAE;SACrC,CAAC;IACJ,CAAC;IAED,iBAAiB;IACjB,IAAI,SAA6B,CAAC;IAClC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;gBAChB,OAAO;gBACP,MAAM,EAAE,UAAU;gBAClB,GAAG,EAAE,GAAG,CAAC,MAAM;gBACf,IAAI,EAAE,+BAA+B,EAAE,aAAa,KAAK,CAAC,OAAO,EAAE;gBACnE,GAAG,EAAE,kDAAkD;gBACvD,MAAM,EAAE,OAAO;gBACf,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE;aACxC,CAAC,CAAC;YACH,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,yCAAyC;aAClD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,QAAQ,CAAC;QAC3C,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,EAAE;QACF,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,SAAS;QACT,MAAM;KACP,CAAC,CAAC;IAEH,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,UAAU;YAClB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,iBAAiB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,aAAa,KAAK,CAAC,OAAO,EAAE;YACnF,GAAG,EAAE,eAAe,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACtD,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE;gBACP,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,EAAE;gBACF,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,UAAU,EAAE,UAAU,CAAC,UAAU;aAClC;SACF,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,kBAAkB,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC5D,UAAU,EAAE,UAAU,CAAC,UAAU;SAClC,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QACf,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,UAAU;YAClB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,oBAAoB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,aAAa,KAAK,CAAC,OAAO,EAAE;YACtF,GAAG,EAAE,wCAAwC;YAC7C,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE;SACxG,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,OAAO,EAAE;gBACP,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,EAAE;gBACF,MAAM;gBACN,UAAU,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE;aAC9C;SACF,CAAC;IACJ,CAAC;IAED,UAAU;IACV,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,UAAU;YAClB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,kCAAkC;YACxC,GAAG,EAAE,oEAAoE;YACzE,MAAM,EAAE,OAAO;SAChB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,+CAA+C,EAAE,CAAC;IACtF,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC;YAChD,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,EAAE;YACF,IAAI;YACJ,KAAK,EAAE,SAAS;SACjB,CAAC,CAAC;QAEH,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,UAAU;YAClB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,UAAU,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,QAAQ,EAAE,aAAa,KAAK,CAAC,OAAO,EAAE;YACtF,GAAG,EAAE,8BAA8B;YACnC,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE;SAC1F,CAAC,CAAC;QAEH,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE;SAC9D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,UAAU;YAClB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,kBAAkB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,EAAE;YAC1D,GAAG,EAAE,eAAe;YACpB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE;SACxB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,GAAG,EAAE,EAAE,CAAC;IAC9D,CAAC;AACH,CAAC"}

package/dist/protocols/workflows/sign-permit.d.ts

@@ -0,0 +1,21 @@
+import type { WorkflowContext, WorkflowResult } from './types.js';
+export interface SignPermitInput {
+    chainId: number;
+    token: string;
+    spender: string;
+    value: string;
+    deadline: number;
+    domain: Record<string, unknown>;
+    types: Record<string, unknown>;
+    message: Record<string, unknown>;
+}
+/**
+ * EIP-2612 permit signing workflow.
+ *
+ * Security validations:
+ * 1. Canonical EIP-2612 types.Permit field check
+ * 2. Message field presence (value, spender, deadline)
+ * 3. Payload/metadata consistency (message vs top-level args)
+ * 4. Domain validation (verifyingContract, chainId)
+ */
+export declare function signPermit(ctx: WorkflowContext, input: SignPermitInput): Promise<WorkflowResult>;