npm - @elizaos/plugin-wallet - Versions diffs - 2.0.0-beta.1 → 2.0.3-beta.6 - Mend

@elizaos/plugin-wallet 2.0.0-beta.1 → 2.0.3-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (356) hide show

package/README.md +70 -45
package/auto-enable.ts +1 -1
package/dist/actions/failure-codes.d.ts +12 -0
package/dist/actions/index.d.ts +1 -0
package/dist/analytics/birdeye/actions/wallet-search-address.d.ts +7 -0
package/dist/analytics/birdeye/birdeye-task.d.ts +27 -0
package/dist/analytics/birdeye/birdeye.d.ts +140 -0
package/dist/analytics/birdeye/constants.d.ts +68 -0
package/dist/analytics/birdeye/providers/agent-portfolio-provider.d.ts +8 -0
package/dist/analytics/birdeye/providers/market.d.ts +18 -0
package/dist/analytics/birdeye/providers/portfolio-factory.d.ts +10 -0
package/dist/analytics/birdeye/providers/trending.d.ts +19 -0
package/dist/analytics/birdeye/providers/wallet.d.ts +5 -0
package/dist/analytics/birdeye/search-category.d.ts +52 -0
package/dist/analytics/birdeye/service.d.ts +94 -0
package/dist/analytics/birdeye/types/api/common.d.ts +199 -0
package/dist/analytics/birdeye/types/api/defi.d.ts +187 -0
package/dist/analytics/birdeye/types/api/pair.d.ts +182 -0
package/dist/analytics/birdeye/types/api/search.d.ts +64 -0
package/dist/analytics/birdeye/types/api/token.d.ts +580 -0
package/dist/analytics/birdeye/types/api/trader.d.ts +70 -0
package/dist/analytics/birdeye/types/api/wallet.d.ts +161 -0
package/dist/analytics/birdeye/types/shared.d.ts +83 -0
package/dist/analytics/birdeye/utils.d.ts +74 -0
package/dist/analytics/dexscreener/errors.d.ts +2 -0
package/dist/analytics/dexscreener/index.d.ts +3 -0
package/dist/analytics/dexscreener/search-category.d.ts +3 -0
package/dist/analytics/dexscreener/service.d.ts +34 -0
package/dist/analytics/dexscreener/types.d.ts +131 -0
package/dist/analytics/lpinfo/index.d.ts +31 -0
package/dist/analytics/lpinfo/kamino/index.d.ts +7 -0
package/dist/analytics/lpinfo/kamino/providers/kaminoLiquidityProvider.d.ts +6 -0
package/dist/analytics/lpinfo/kamino/providers/kaminoPoolProvider.d.ts +6 -0
package/dist/analytics/lpinfo/kamino/providers/kaminoProvider.d.ts +6 -0
package/dist/analytics/lpinfo/kamino/services/kaminoLiquidityService.d.ts +203 -0
package/dist/analytics/lpinfo/kamino/services/kaminoService.d.ts +171 -0
package/dist/analytics/lpinfo/steer/index.d.ts +7 -0
package/dist/analytics/lpinfo/steer/providers/steerLiquidityProvider.d.ts +6 -0
package/dist/analytics/lpinfo/steer/services/steerLiquidityService.d.ts +208 -0
package/dist/analytics/lpinfo/steer/steer-display-types.d.ts +97 -0
package/dist/analytics/news/index.d.ts +32 -0
package/dist/analytics/news/interfaces/types.d.ts +177 -0
package/dist/analytics/news/providers/defiNewsProvider.d.ts +106 -0
package/dist/analytics/news/services/newsDataService.d.ts +72 -0
package/dist/analytics/news/utils/formatters.d.ts +54 -0
package/dist/analytics/token-info/action.d.ts +6 -0
package/dist/analytics/token-info/index.d.ts +3 -0
package/dist/analytics/token-info/params.d.ts +10 -0
package/dist/analytics/token-info/providers.d.ts +4 -0
package/dist/analytics/token-info/service.d.ts +19 -0
package/dist/analytics/token-info/types.d.ts +45 -0
package/dist/api/wallet-routes.d.ts +100 -0
package/dist/audit/audit-log.d.ts +29 -0
package/dist/browser-shim/build-shim.d.ts +31 -0
package/dist/browser-shim/index.d.ts +1 -0
package/dist/chains/evm/actions/helpers.d.ts +31 -0
package/dist/chains/evm/actions/swap.d.ts +53 -0
package/dist/chains/evm/actions/transfer.d.ts +10 -0
package/dist/chains/evm/bridge-router.d.ts +44 -0
package/dist/chains/evm/build.d.ts +2 -0
package/dist/chains/evm/chain-handler.d.ts +37 -0
package/dist/chains/evm/constants.d.ts +16 -0
package/dist/chains/evm/dex/aerodrome/index.d.ts +6 -0
package/dist/chains/evm/dex/aerodrome/services/AerodromeLpService.d.ts +27 -0
package/dist/chains/evm/dex/aerodrome/types.d.ts +435 -0
package/dist/chains/evm/dex/pancakeswp/index.d.ts +6 -0
package/dist/chains/evm/dex/pancakeswp/services/PancakeSwapV3LpService.d.ts +28 -0
package/dist/chains/evm/dex/pancakeswp/types.d.ts +19 -0
package/dist/chains/evm/dex/uniswap/index.d.ts +6 -0
package/dist/chains/evm/dex/uniswap/services/UniswapV3LpService.d.ts +28 -0
package/dist/chains/evm/dex/uniswap/types.d.ts +458 -0
package/dist/chains/evm/generated/specs/spec-helpers.d.ts +35 -0
package/dist/chains/evm/generated/specs/specs.d.ts +99 -0
package/dist/chains/evm/gov-router.d.ts +6 -0
package/dist/chains/evm/index.browser.d.ts +3 -0
package/dist/chains/evm/index.d.ts +6 -0
package/dist/chains/evm/prompts.d.ts +24 -0
package/dist/chains/evm/providers/get-balance.d.ts +2 -0
package/dist/chains/evm/providers/wallet.d.ts +35 -0
package/dist/chains/evm/routes/sign.d.ts +13 -0
package/dist/chains/evm/rpc-providers.d.ts +26 -0
package/dist/chains/evm/service.d.ts +26 -0
package/dist/chains/evm/templates/index.d.ts +1 -0
package/dist/chains/evm/types/index.d.ts +296 -0
package/dist/chains/evm/vitest.config.d.ts +2 -0
package/dist/chains/registry.d.ts +3 -0
package/dist/chains/solana/actions/confirmation.d.ts +9 -0
package/dist/chains/solana/bn.d.ts +6 -0
package/dist/chains/solana/build.d.ts +2 -0
package/dist/chains/solana/constants.d.ts +2 -0
package/dist/chains/solana/dex/meteora/e2e/scenarios.d.ts +10 -0
package/dist/chains/solana/dex/meteora/e2e/test-utils.d.ts +28 -0
package/dist/chains/solana/dex/meteora/index.d.ts +3 -0
package/dist/chains/solana/dex/meteora/providers/positionProvider.d.ts +9 -0
package/dist/chains/solana/dex/meteora/services/MeteoraLpService.d.ts +37 -0
package/dist/chains/solana/dex/meteora/utils/dlmm.d.ts +6 -0
package/dist/chains/solana/dex/meteora/utils/loadWallet.d.ts +14 -0
package/dist/chains/solana/dex/meteora/utils/sendTransaction.d.ts +2 -0
package/dist/chains/solana/dex/orca/index.d.ts +6 -0
package/dist/chains/solana/dex/orca/providers/positionProvider.d.ts +10 -0
package/dist/chains/solana/dex/orca/services/srv_orca.d.ts +10 -0
package/dist/chains/solana/dex/orca/types.d.ts +61 -0
package/dist/chains/solana/dex/orca/utils/loadWallet.d.ts +1 -0
package/dist/chains/solana/dex/orca/utils/sendTransaction.d.ts +2 -0
package/dist/chains/solana/dex/raydium/index.d.ts +6 -0
package/dist/chains/solana/dex/raydium/providers/positionProvider.d.ts +10 -0
package/dist/chains/solana/dex/raydium/services/srv_raydium.d.ts +104 -0
package/dist/chains/solana/dex/raydium/types.d.ts +42 -0
package/dist/chains/solana/environment.d.ts +15 -0
package/dist/chains/solana/generated/specs/spec-helpers.d.ts +35 -0
package/dist/chains/solana/generated/specs/specs.d.ts +73 -0
package/dist/chains/solana/index.browser.d.ts +3 -0
package/dist/chains/solana/index.d.ts +7 -0
package/dist/chains/solana/keypairUtils.d.ts +7 -0
package/dist/chains/solana/prompts.d.ts +12 -0
package/dist/chains/solana/providers/wallet.d.ts +2 -0
package/dist/chains/solana/routes/index.d.ts +2 -0
package/dist/chains/solana/routes/sign.d.ts +16 -0
package/dist/chains/solana/service.d.ts +237 -0
package/dist/chains/solana/types.d.ts +377 -0
package/dist/chains/solana/vitest.config.d.ts +2 -0
package/dist/chains/wallet-action.d.ts +3 -0
package/dist/contracts.d.ts +58 -0
package/dist/core-augmentation.d.ts +9 -0
package/dist/index.d.mts +27 -34727
package/dist/index.d.ts +27 -0
package/dist/index.mjs +28246 -21186
package/dist/index.mjs.map +153 -0
package/dist/lib/server-wallet-trade.d.ts +22 -0
package/dist/lib/server-wallet-trade.js +333 -0
package/dist/lib/server-wallet-trade.js.map +11 -0
package/dist/lib/wallet-export-guard.d.ts +45 -0
package/dist/lp/actions/liquidity.d.ts +2 -0
package/dist/lp/e2e/real-token-tests.d.ts +6 -0
package/dist/lp/e2e/scenarios.d.ts +9 -0
package/dist/lp/e2e/test-utils.d.ts +28 -0
package/dist/lp/lp-manager-entry.d.ts +18 -0
package/dist/lp/services/ConcentratedLiquidityService.d.ts +32 -0
package/dist/lp/services/DexInteractionService.d.ts +34 -0
package/dist/lp/services/LpManagementService.d.ts +116 -0
package/dist/lp/services/UserLpProfileService.d.ts +18 -0
package/dist/lp/services/VaultService.d.ts +21 -0
package/dist/lp/services/YieldOptimizationService.d.ts +59 -0
package/dist/lp/services/__tests__/MockLpService.d.ts +17 -0
package/dist/lp/types.d.ts +439 -0
package/dist/lp/utils/solanaClient.d.ts +26 -0
package/dist/plugin.d.ts +7 -0
package/dist/policy/policy.d.ts +14 -0
package/dist/providers/canonical-provider.d.ts +19 -0
package/dist/providers/wallet-provider.d.ts +5 -0
package/dist/register-routes.d.ts +1 -0
package/dist/routes/plugin.d.ts +14 -0
package/dist/routes/wallet-market-overview-route.d.ts +7 -0
package/dist/sdk/abi.d.ts +396 -0
package/dist/sdk/bridge/abis.d.ts +63 -0
package/dist/sdk/bridge/client.d.ts +48 -0
package/dist/sdk/bridge/index.d.ts +14 -0
package/dist/sdk/bridge/solana.d.ts +131 -0
package/dist/sdk/bridge/types.d.ts +92 -0
package/dist/sdk/convenience.d.ts +104 -0
package/dist/sdk/escrow/MutualStakeEscrow.d.ts +75 -0
package/dist/sdk/escrow/types.d.ts +58 -0
package/dist/sdk/escrow/verifiers.d.ts +25 -0
package/dist/sdk/identity/erc8004.d.ts +304 -0
package/dist/sdk/identity/reputation.d.ts +317 -0
package/dist/sdk/identity/uaid.d.ts +192 -0
package/dist/sdk/identity/validation.d.ts +282 -0
package/dist/sdk/index.d.ts +133 -0
package/dist/sdk/index.js +5284 -0
package/dist/sdk/index.js.map +40 -0
package/dist/sdk/policy/SpendingPolicy.d.ts +105 -0
package/dist/sdk/policy/UptoBillingPolicy.d.ts +87 -0
package/dist/sdk/router/PaymentRouter.d.ts +77 -0
package/dist/sdk/router/index.d.ts +2 -0
package/dist/sdk/swap/SwapModule.d.ts +47 -0
package/dist/sdk/swap/abi.d.ts +50 -0
package/dist/sdk/swap/index.d.ts +11 -0
package/dist/sdk/swap/types.d.ts +101 -0
package/dist/sdk/tokens/decimals.d.ts +64 -0
package/dist/sdk/tokens/registry.d.ts +81 -0
package/dist/sdk/tokens/solana.d.ts +107 -0
package/dist/sdk/tokens/transfers.d.ts +94 -0
package/dist/sdk/types.d.ts +129 -0
package/dist/sdk/wallet-core.d.ts +29450 -0
package/dist/sdk/x402/budget.d.ts +51 -0
package/dist/sdk/x402/chains/abstract/index.d.ts +134 -0
package/dist/sdk/x402/client.d.ts +66 -0
package/dist/sdk/x402/index.d.ts +8 -0
package/dist/sdk/x402/middleware.d.ts +37 -0
package/dist/sdk/x402/multi-asset.d.ts +53 -0
package/dist/sdk/x402/types.d.ts +109 -0
package/dist/security/wallet-context-safety.d.ts +7 -0
package/dist/security/wallet-financial-confirmation.d.ts +23 -0
package/dist/services/wallet-backend-service.d.ts +39 -0
package/dist/types/wallet-router.d.ts +130 -0
package/dist/utils/intent-trajectory.d.ts +34 -0
package/dist/wallet/backend.d.ts +41 -0
package/dist/wallet/errors.d.ts +17 -0
package/dist/wallet/index.d.ts +6 -0
package/dist/wallet/local-eoa-backend.d.ts +37 -0
package/dist/wallet/pending.d.ts +47 -0
package/dist/wallet/select-backend.d.ts +11 -0
package/dist/wallet/steward-backend.d.ts +22 -0
package/dist/wallet-action.d.ts +1 -0
package/dist/wallet-action.js +6292 -0
package/dist/wallet-action.js.map +44 -0
package/package.json +35 -21
package/registry-entry.json +134 -0
package/src/analytics/birdeye/actions/wallet-search-address.ts +85 -5
package/src/analytics/birdeye/birdeye-task.ts +25 -9
package/src/analytics/birdeye/birdeye.ts +6 -7
package/src/analytics/birdeye/constants.ts +0 -1
package/src/analytics/birdeye/providers/agent-portfolio-provider.ts +0 -1
package/src/analytics/birdeye/providers/market.ts +51 -45
package/src/analytics/birdeye/providers/portfolio-factory.ts +79 -38
package/src/analytics/birdeye/providers/trending.ts +43 -46
package/src/analytics/birdeye/providers/wallet.ts +0 -1
package/src/analytics/birdeye/search-category.test.ts +1 -1
package/src/analytics/birdeye/search-category.ts +77 -12
package/src/analytics/birdeye/service.test.ts +146 -0
package/src/analytics/birdeye/service.ts +220 -105
package/src/analytics/birdeye/types/api/common.ts +0 -1
package/src/analytics/birdeye/types/api/defi.ts +0 -1
package/src/analytics/birdeye/types/api/pair.ts +0 -1
package/src/analytics/birdeye/types/api/search.ts +0 -1
package/src/analytics/birdeye/types/api/token.ts +0 -1
package/src/analytics/birdeye/types/api/trader.ts +0 -1
package/src/analytics/birdeye/types/api/wallet.ts +0 -1
package/src/analytics/birdeye/types/shared.ts +0 -11
package/src/analytics/birdeye/utils.test.ts +69 -0
package/src/analytics/birdeye/utils.ts +11 -8
package/src/analytics/dexscreener/search-category.ts +0 -1
package/src/analytics/dexscreener/service.ts +7 -12
package/src/analytics/dexscreener/types.ts +0 -1
package/src/analytics/lpinfo/index.ts +5 -2
package/src/analytics/lpinfo/kamino/README.md +2 -2
package/src/analytics/lpinfo/kamino/index.ts +9 -2
package/src/analytics/lpinfo/kamino/providers/kaminoLiquidityProvider.ts +6 -26
package/src/analytics/lpinfo/kamino/providers/kaminoPoolProvider.ts +11 -12
package/src/analytics/lpinfo/kamino/providers/kaminoProvider.ts +76 -32
package/src/analytics/lpinfo/kamino/services/kaminoLiquidityService.ts +78 -38
package/src/analytics/lpinfo/kamino/services/kaminoService.ts +71 -31
package/src/analytics/lpinfo/steer/index.ts +7 -2
package/src/analytics/lpinfo/steer/providers/steerLiquidityProvider.ts +25 -26
package/src/analytics/lpinfo/steer/services/steerLiquidityService.ts +367 -149
package/src/analytics/news/index.ts +7 -2
package/src/analytics/news/interfaces/types.ts +0 -1
package/src/analytics/news/providers/defiNewsProvider.ts +17 -44
package/src/analytics/news/services/newsDataService.ts +1 -22
package/src/analytics/news/utils/formatters.test.ts +60 -0
package/src/analytics/news/utils/formatters.ts +0 -1
package/src/analytics/token-info/action.ts +52 -212
package/src/analytics/token-info/index.ts +1 -1
package/src/analytics/token-info/params.test.ts +69 -0
package/src/analytics/token-info/params.ts +13 -11
package/src/analytics/token-info/providers.ts +46 -17
package/src/analytics/token-info/service.ts +3 -3
package/src/analytics/token-info/types.ts +2 -2
package/src/api/wallet-routes.test.ts +56 -0
package/src/api/wallet-routes.ts +1728 -0
package/src/audit/audit-log.ts +57 -2
package/src/browser-shim/build-shim.ts +1 -1
package/src/browser-shim/shim.template.js +107 -117
package/src/chains/{wallet-router.test.ts → __tests__/wallet-router.test.ts} +57 -10
package/src/chains/evm/actions/helpers.ts +9 -7
package/src/chains/evm/actions/swap.ts +176 -22
package/src/chains/evm/actions/transfer.ts +29 -22
package/src/chains/evm/biome.json +1 -1
package/src/chains/evm/build.ts +6 -1
package/src/chains/evm/constants.ts +19 -0
package/src/chains/evm/contracts/artifacts/OZGovernor.json +25 -1682
package/src/chains/evm/dex/aerodrome/index.ts +6 -1
package/src/chains/evm/dex/aerodrome/services/AerodromeLpService.ts +41 -15
package/src/chains/evm/dex/aerodrome/types.ts +1 -2
package/src/chains/evm/dex/pancakeswp/index.ts +6 -1
package/src/chains/evm/dex/pancakeswp/services/PancakeSwapV3LpService.ts +54 -17
package/src/chains/evm/dex/pancakeswp/types.ts +1 -2
package/src/chains/evm/dex/uniswap/index.ts +6 -1
package/src/chains/evm/dex/uniswap/services/UniswapV3LpService.ts +20 -9
package/src/chains/evm/dex/uniswap/types.ts +1 -2
package/src/chains/evm/gov-router.ts +3 -1
package/src/chains/evm/index.browser.ts +1 -1
package/src/chains/evm/index.ts +5 -1
package/src/chains/evm/prompts.ts +5 -0
package/src/chains/evm/providers/get-balance.ts +1 -1
package/src/chains/evm/providers/wallet.ts +80 -9
package/src/chains/evm/routes/sign.ts +35 -26
package/src/chains/evm/rpc-providers.ts +1 -1
package/src/chains/evm/types/index.ts +22 -2
package/src/chains/registry.ts +1 -1
package/src/chains/wallet-action.ts +301 -91
package/src/index.ts +9 -5
package/src/lib/wallet-export-guard.test.ts +233 -0
package/src/lib/wallet-export-guard.ts +1 -1
package/src/lp/actions/liquidity.ts +53 -26
package/src/lp/e2e/real-token-tests.ts +0 -1
package/src/lp/e2e/scenarios.ts +1 -2
package/src/lp/e2e/test-utils.ts +20 -7
package/src/lp/lp-manager-entry.ts +2 -5
package/src/lp/services/ConcentratedLiquidityService.ts +3 -10
package/src/lp/services/DexInteractionService.ts +1 -2
package/src/lp/services/LpManagementService.test.ts +0 -1
package/src/lp/services/LpManagementService.ts +75 -35
package/src/lp/services/UserLpProfileService.ts +2 -3
package/src/lp/services/VaultService.ts +10 -4
package/src/lp/services/YieldOptimizationService.ts +29 -13
package/src/lp/services/__tests__/MockLpService.ts +1 -2
package/src/lp/types.ts +9 -13
package/src/lp/utils/solanaClient.ts +4 -2
package/src/plugin.routes.test.ts +24 -0
package/src/plugin.ts +30 -13
package/src/providers/canonical-provider.ts +1 -1
package/src/providers/{unified-wallet-provider.ts → wallet-provider.ts} +3 -3
package/src/routes/__fixtures__/coingecko-markets.recorded.json +97 -0
package/src/routes/wallet-market-overview-route.ts +1 -1
package/src/routes/wallet-market-overview.contract.test.ts +139 -0
package/src/routes/wallet-market-overview.real.test.ts +83 -0
package/src/sdk/escrow/MutualStakeEscrow.ts +1 -2
package/src/sdk/identity/erc8004.ts +1 -1
package/src/sdk/identity/validation.ts +3 -4
package/src/sdk/index.ts +2 -2
package/src/sdk/policy/SpendingPolicy.ts +1 -1
package/src/sdk/router/PaymentRouter.ts +8 -11
package/src/sdk/swap/SwapModule.ts +1 -1
package/src/sdk/tokens/registry.ts +1 -1
package/src/sdk/x402/middleware.ts +2 -8
package/src/security/__tests__/wallet-context-safety.test.ts +79 -0
package/src/security/__tests__/wallet-financial-confirmation.test.ts +88 -0
package/src/security/wallet-context-safety.ts +128 -0
package/src/security/wallet-financial-confirmation.ts +150 -0
package/src/services/wallet-backend-service.ts +15 -1
package/src/utils/intent-trajectory.ts +2 -2
package/src/wallet/steward-backend.ts +4 -4
package/dist/LpManagementService-BWrQ5-cO.mjs +0 -353
package/dist/MockLpService-D_Apn4Fd.mjs +0 -99
package/dist/aerodrome-CfnESC32.mjs +0 -890
package/dist/chunk-hT5z_Zn9.mjs +0 -35
package/dist/lib/server-wallet-trade.d.mts +0 -34
package/dist/lib/server-wallet-trade.mjs +0 -306
package/dist/meteora-BPX39hZo.mjs +0 -22640
package/dist/orca-Bybp1HXO.mjs +0 -249
package/dist/pancakeswp-CkEXlXti.mjs +0 -604
package/dist/plugin-ZO_MTyd0.mjs +0 -529
package/dist/raydium-rfaM9yEf.mjs +0 -539
package/dist/sdk/index.d.mts +0 -32492
package/dist/sdk/index.mjs +0 -6415
package/dist/types-D5252NZk.mjs +0 -487
package/dist/uniswap-CReXgXVN.mjs +0 -573
package/dist/wallet-action.d.mts +0 -6
package/dist/wallet-action.mjs +0 -820
package/src/analytics/birdeye/tasks/birdeye.ts +0 -232
package/src/analytics/lpinfo/index.d.ts +0 -7
package/src/chains/evm/contracts/artifacts/TimelockController.json +0 -1007
package/src/chains/evm/contracts/artifacts/VoteToken.json +0 -895
package/src/lp/tasks/LpAutoRebalanceTask.ts +0 -117
package/src/lp/tasks/__tests__/LpAutoRebalanceTask.test.ts +0 -370

package/src/security/wallet-context-safety.ts ADDED Viewed

@@ -0,0 +1,128 @@
+import type { Memory } from "@elizaos/core";
+/** GHSA-7qxr-x6cg-r9cc — embedded addresses in token metadata must not become transfer recipients. */
+/** GHSA-gh63-5vpj-39qp — block financial writes on injection-flagged channel messages. */
+const FINANCIAL_WRITE_SUBACTIONS = new Set(["transfer", "swap", "bridge"]);
+function messageHasPromptInjectionFlag(message: Memory): boolean {
+  const metadata = message.content?.metadata;
+  return (
+    typeof metadata === "object" &&
+    metadata !== null &&
+    (metadata as { promptInjectionSuspected?: boolean })
+      .promptInjectionSuspected === true
+  );
+}
+export const EVM_ADDRESS_PATTERN = /0x[a-fA-F0-9]{40}\b/g;
+const INFERRED_RECIPIENT_PHRASE =
+  /\b(?:prior\s+wallet\s+evidence|operational\s+recipient|canonical\s+(?:testnet\s+)?(?:operational|settlement)\s+recipient|based\s+on\s+(?:the\s+)?prior|from\s+prior\s+(?:wallet|session|context))\b/i;
+export function sanitizeWalletDisplayLabel(label: string): string {
+  return label
+    .replace(EVM_ADDRESS_PATTERN, "[address]")
+    .replace(
+      /\[[^\]]*(?:recipient|operational|settlement|canonical)[^\]]*\]/gi,
+      "[routing-hint-removed]",
+    )
+    .trim();
+}
+export function readMemoryText(message: Memory): string {
+  if (typeof message.content === "string") {
+    return message.content;
+  }
+  if (
+    message.content &&
+    typeof message.content === "object" &&
+    typeof message.content.text === "string"
+  ) {
+    return message.content.text;
+  }
+  return "";
+}
+function collectExplicitRecipients(
+  options: Record<string, unknown> | undefined,
+): string[] {
+  const out: string[] = [];
+  const params =
+    options &&
+    typeof options === "object" &&
+    "parameters" in options &&
+    options.parameters &&
+    typeof options.parameters === "object"
+      ? (options.parameters as Record<string, unknown>)
+      : null;
+  for (const source of [params, options]) {
+    if (!source) continue;
+    for (const key of ["recipient", "toAddress", "to"] as const) {
+      const value = source[key];
+      if (typeof value === "string" && /^0x[a-fA-F0-9]{40}$/.test(value)) {
+        out.push(value.toLowerCase());
+      }
+    }
+  }
+  return out;
+}
+export function messageAuthorizesEvmRecipient(
+  message: Memory,
+  options: Record<string, unknown> | undefined,
+  recipient: string,
+): boolean {
+  const normalized = recipient.toLowerCase();
+  const explicit = collectExplicitRecipients(options);
+  if (explicit.includes(normalized)) {
+    return true;
+  }
+  const userText = readMemoryText(message);
+  if (userText.toLowerCase().includes(normalized)) {
+    return true;
+  }
+  return false;
+}
+export function assertWalletFinancialActionAllowed(
+  message: Memory,
+  subaction: string | undefined,
+): void {
+  if (!subaction || !FINANCIAL_WRITE_SUBACTIONS.has(subaction)) {
+    return;
+  }
+  if (messageHasPromptInjectionFlag(message)) {
+    throw new Error(
+      "Wallet transfer, swap, and bridge are blocked for this message (GHSA-gh63-5vpj-39qp): suspected prompt injection in untrusted channel content.",
+    );
+  }
+}
+export function assertEvmTransferRecipientAuthorized(
+  message: Memory,
+  options: Record<string, unknown> | undefined,
+  recipient: string,
+): void {
+  if (!/^0x[a-fA-F0-9]{40}$/.test(recipient)) {
+    throw new Error("recipient must be a valid EVM address.");
+  }
+  const userText = readMemoryText(message);
+  if (
+    INFERRED_RECIPIENT_PHRASE.test(userText) &&
+    !messageAuthorizesEvmRecipient(message, options, recipient)
+  ) {
+    throw new Error(
+      "Transfer recipient cannot be inferred from prior wallet context or token metadata. Provide an explicit 0x recipient address in this message or in structured action parameters.",
+    );
+  }
+  if (!messageAuthorizesEvmRecipient(message, options, recipient)) {
+    throw new Error(
+      "Transfer recipient must appear explicitly in the current user message or structured action parameters. Addresses from token names or earlier session quotes are not accepted.",
+    );
+  }
+}

package/src/security/wallet-financial-confirmation.ts ADDED Viewed

@@ -0,0 +1,150 @@
+import type {
+  ActionResult,
+  ConfirmationDecision,
+  HandlerCallback,
+  IAgentRuntime,
+  Memory,
+} from "@elizaos/core";
+import { requireConfirmation } from "@elizaos/core";
+import type { WalletRouterParams } from "../types/wallet-router.js";
+/** Cache namespace for on-chain wallet writes (GHSA-rqm7-f4jc-84x3). */
+export const WALLET_FINANCIAL_CONFIRM_ACTION = "WALLET_FINANCIAL";
+const ON_CHAIN_SUBACTIONS = new Set<WalletRouterParams["subaction"]>([
+  "transfer",
+  "swap",
+  "bridge",
+  "gov",
+]);
+export function requiresWalletFinancialConfirmation(
+  params: Pick<WalletRouterParams, "subaction" | "dryRun">,
+): boolean {
+  if (params.dryRun) {
+    return false;
+  }
+  return ON_CHAIN_SUBACTIONS.has(params.subaction);
+}
+export function walletFinancialPendingKey(
+  params: Pick<
+    WalletRouterParams,
+    | "subaction"
+    | "chain"
+    | "toChain"
+    | "amount"
+    | "recipient"
+    | "fromToken"
+    | "toToken"
+    | "slippageBps"
+    | "op"
+    | "governor"
+    | "proposalId"
+  >,
+): string {
+  const entries: [string, string][] = [
+    ["subaction", params.subaction],
+    ["chain", (params.chain ?? "").toLowerCase()],
+    ["toChain", (params.toChain ?? "").toLowerCase()],
+    ["amount", params.amount ?? ""],
+    ["recipient", (params.recipient ?? "").toLowerCase()],
+    ["fromToken", (params.fromToken ?? "").toLowerCase()],
+    ["toToken", (params.toToken ?? "").toLowerCase()],
+    [
+      "slippageBps",
+      params.slippageBps === undefined ? "" : String(params.slippageBps),
+    ],
+    ["op", (params.op ?? "").toLowerCase()],
+    ["governor", (params.governor ?? "").toLowerCase()],
+    ["proposalId", params.proposalId ?? ""],
+  ];
+  return entries.map(([key, value]) => `${key}=${value}`).join("|");
+}
+export function walletFinancialPreview(
+  params: Pick<
+    WalletRouterParams,
+    | "subaction"
+    | "chain"
+    | "toChain"
+    | "amount"
+    | "recipient"
+    | "fromToken"
+    | "toToken"
+    | "op"
+  >,
+): string {
+  const chainLabel = params.chain ?? params.toChain ?? "the selected chain";
+  switch (params.subaction) {
+    case "transfer":
+      return `Transfer ${params.amount ?? "?"} ${params.fromToken ?? "tokens"} to ${params.recipient ?? "?"} on ${chainLabel}? Reply yes to submit or no to cancel.`;
+    case "swap":
+      return `Swap ${params.amount ?? "?"} ${params.fromToken ?? "?"} to ${params.toToken ?? "?"} on ${chainLabel}? Reply yes to submit or no to cancel.`;
+    case "bridge":
+      return `Bridge ${params.amount ?? "?"} from ${params.chain ?? "?"} to ${params.toChain ?? "?"}? Reply yes to submit or no to cancel.`;
+    case "gov":
+      return `Governance ${params.op ?? "operation"} on ${chainLabel}? Reply yes to submit or no to cancel.`;
+    default:
+      return `Submit wallet ${params.subaction} on ${chainLabel}? Reply yes to confirm or no to cancel.`;
+  }
+}
+export type WalletFinancialGateResult =
+  | { readonly proceed: true }
+  | {
+      readonly proceed: false;
+      readonly decision: ConfirmationDecision;
+      readonly text: string;
+    };
+export async function gateWalletFinancialExecution(args: {
+  runtime: IAgentRuntime;
+  message: Memory;
+  params: WalletRouterParams;
+  callback?: HandlerCallback;
+}): Promise<WalletFinancialGateResult> {
+  if (!requiresWalletFinancialConfirmation(args.params)) {
+    return { proceed: true };
+  }
+  const decision = await requireConfirmation({
+    runtime: args.runtime,
+    message: args.message,
+    actionName: WALLET_FINANCIAL_CONFIRM_ACTION,
+    pendingKey: walletFinancialPendingKey(args.params),
+    prompt: walletFinancialPreview(args.params),
+    callback: args.callback,
+    metadata: { subaction: args.params.subaction },
+  });
+  if (decision.status === "confirmed") {
+    return { proceed: true };
+  }
+  const text =
+    decision.status === "pending"
+      ? walletFinancialPreview(args.params)
+      : "Wallet operation cancelled.";
+  return { proceed: false, decision, text };
+}
+export function walletFinancialGateActionResult(
+  gate: Extract<WalletFinancialGateResult, { proceed: false }>,
+): ActionResult {
+  const awaiting = gate.decision.status === "pending";
+  return {
+    success: awaiting,
+    text: gate.text,
+    values: {
+      walletActionPrepared: awaiting,
+      walletActionSucceeded: false,
+    },
+    data: {
+      requiresConfirmation: awaiting,
+      confirmationStatus: gate.decision.status,
+      awaitingUserInput: awaiting,
+    },
+  };
+}

package/src/services/wallet-backend-service.ts CHANGED Viewed

@@ -31,7 +31,7 @@ export class WalletBackendService extends Service {
   static override serviceType = WALLET_BACKEND_SERVICE_TYPE;
   override capabilityDescription =
-    "Unified wallet backend and chain router (EVM + Solana, local or Steward)";
+    "Wallet backend and chain router (EVM + Solana, local or Steward)";
   private backend: WalletBackend | null = null;
   private backendLoadError: unknown = null;
@@ -109,6 +109,20 @@ export class WalletBackendService extends Service {
     };
   }
+  /**
+   * Resolve chain + required fields without signing. Used before out-of-band
+   * financial confirmation so invalid params fail fast (GHSA-rqm7-f4jc-84x3).
+   */
+  preflightWalletAction(
+    params: WalletRouterParams,
+  ): WalletRouterFailure | null {
+    const handlerResult = this.resolveHandler(params);
+    if (!handlerResult.ok) {
+      return handlerResult;
+    }
+    return this.validateRequiredParams(params);
+  }
   async routeWalletAction(
     params: WalletRouterParams,
   ): Promise<WalletRouterResult> {

package/src/utils/intent-trajectory.ts CHANGED Viewed

@@ -83,14 +83,14 @@ export async function runIntentModel(
       },
       async () => {
         const response = await runtime.useModel(modelType, modelParams);
-        return typeof response === "string" ? response : String(response ?? "");
+        return typeof response === "string" ? response : String(response);
       },
     );
   }
   const startedAt = Date.now();
   const response = await runtime.useModel(modelType, modelParams);
-  const text = typeof response === "string" ? response : String(response ?? "");
+  const text = typeof response === "string" ? response : String(response);
   logActiveTrajectoryLlmCall(runtime, {
     model: modelLabel,
     systemPrompt,

package/src/wallet/steward-backend.ts CHANGED Viewed

@@ -19,7 +19,7 @@ interface StewardEvmAccountBinding {
 }
 /**
- * Shape of the dynamically imported @elizaos/app-steward module. Defined
+ * Shape of the dynamically imported @elizaos/plugin-steward-app module. Defined
  * locally to avoid a devDependency cycle with app-steward.
  */
 interface StewardEvmAccountModule {
@@ -41,7 +41,7 @@ const STEWARD_MODULE_ID = ["@elizaos", "app-steward"].join("/");
 /**
  * Cloud / mobile signing via Steward for EVM. Solana addresses may be exposed from
  * Steward when `/vault/.../addresses` returns them; Solana **transaction** signing is
- * not implemented here yet — callers must treat Solana writes as unavailable until wired.
+ * unavailable here — callers must treat Solana writes as unavailable until wired.
  */
 export class StewardBackend implements WalletBackend {
   readonly kind = "steward" as const;
@@ -66,7 +66,7 @@ export class StewardBackend implements WalletBackend {
     } catch (err) {
       const detail = err instanceof Error ? err.message : String(err);
       throw new StewardUnavailableError(
-        `Cannot load Steward wallet module (@elizaos/app-steward): ${detail}`,
+        `Cannot load Steward wallet module (@elizaos/plugin-steward-app): ${detail}`,
       );
     }
@@ -126,7 +126,7 @@ export class StewardBackend implements WalletBackend {
   getSolanaSigner(): never {
     throw new StewardUnavailableError(
-      "Solana transaction signing via Steward is not implemented in this runtime yet.",
+      "Solana transaction signing via Steward is unavailable in this runtime yet.",
     );
   }