@keeperhub/wallet 0.1.2 → 0.1.4

package/dist/index.d.ts

@@ -37,49 +37,6 @@ declare class WalletConfigMissingError extends Error {
     constructor();
 }
 
-type ClientOptions = {
-    /** Defaults to process.env.KEEPERHUB_API_URL ?? "https://app.keeperhub.com" */
-    baseUrl?: string;
-    /** Injected for tests; defaults to global fetch */
-    fetch?: typeof fetch;
-};
-/**
- * 202 ask-tier envelope returned by /sign and /approval-request when the
- * risk classifier routes a request to the ask queue. Callers poll
- * `/api/agentic-wallet/approval-request/:id` until status !== "pending".
- */
-type AskTierResponse = {
-    _status: 202;
-    approvalRequestId: string;
-};
-/**
- * HMAC-signed HTTP client for the KeeperHub agentic-wallet API surface.
- * Every request to /api/agentic-wallet/* (except /provision, which uses
- * the session cookie) flows through this class.
- *
- * @security No logging of headers, body, or response bodies. Any stdout
- *   emitter (the global console object or util.inspect) added to this
- *   file is a T-34-08 violation (grep-enforced in CI).
- */
-declare class KeeperHubClient {
-    private readonly baseUrl;
-    private readonly fetchImpl;
-    private readonly wallet;
-    constructor(wallet: WalletConfig, opts?: ClientOptions);
-    /**
-     * HMAC-signed POST/GET to any /api/agentic-wallet/* route except
-     * /provision. Path MUST start with a leading slash. Body is
-     * JSON.stringify'd (or the empty string for GET).
-     *
-     * Error mapping: non-2xx/non-202 surface as `KeeperHubError(code,
-     * message)` where `code` is the server-supplied field or the default
-     * taxonomy (`HMAC_INVALID`, `POLICY_BLOCKED`, `NOT_FOUND`,
-     * `TURNKEY_UPSTREAM`, `HTTP_<status>`). 202 ask-tier surfaces as an
-     * AskTierResponse envelope.
-     */
-    request<T>(method: "GET" | "POST", path: string, body?: unknown): Promise<T | AskTierResponse>;
-}
-
 type BalanceSnapshot = {
     base: {
         chain: "base";
@@ -93,23 +50,16 @@ type BalanceSnapshot = {
         amount: string;
         address: `0x${string}`;
     };
-    offChainCredit: {
-        amount: string;
-        currency: "USD";
-    };
 };
 type CheckBalanceOptions = {
     /** Injectable viem client for Base (tests mock readContract). */
     baseClient?: PublicClient;
     /** Injectable viem client for Tempo (tests mock readContract). */
     tempoClient?: PublicClient;
-    /** Injectable KeeperHubClient (tests inject a mocked fetch). */
-    khClient?: KeeperHubClient;
 };
 /**
- * Read the wallet's balance across Base + Tempo + off-chain KeeperHub credit
- * in parallel. All three legs must resolve; any single failure rejects the
- * Promise.
+ * Read the wallet's on-chain balance across Base + Tempo in parallel. Both
+ * legs must resolve; any single failure rejects the Promise.
  *
  * Amounts are formatted as decimal strings (6-decimal USDC precision) so the
  * caller can render them without BigInt math.
@@ -168,6 +118,49 @@ declare const BASE_USDC: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913";
 /** Bridged USDC (USDC.e) on Tempo mainnet. NOT the same contract as BASE_USDC. */
 declare const TEMPO_USDC_E: "0x20c000000000000000000000b9537d11c60e8b50";
 
+type ClientOptions = {
+    /** Defaults to process.env.KEEPERHUB_API_URL ?? "https://app.keeperhub.com" */
+    baseUrl?: string;
+    /** Injected for tests; defaults to global fetch */
+    fetch?: typeof fetch;
+};
+/**
+ * 202 ask-tier envelope returned by /sign and /approval-request when the
+ * risk classifier routes a request to the ask queue. Callers poll
+ * `/api/agentic-wallet/approval-request/:id` until status !== "pending".
+ */
+type AskTierResponse = {
+    _status: 202;
+    approvalRequestId: string;
+};
+/**
+ * HMAC-signed HTTP client for the KeeperHub agentic-wallet API surface.
+ * Every request to /api/agentic-wallet/* (except /provision, which uses
+ * the session cookie) flows through this class.
+ *
+ * @security No logging of headers, body, or response bodies. Any stdout
+ *   emitter (the global console object or util.inspect) added to this
+ *   file is a T-34-08 violation (grep-enforced in CI).
+ */
+declare class KeeperHubClient {
+    private readonly baseUrl;
+    private readonly fetchImpl;
+    private readonly wallet;
+    constructor(wallet: WalletConfig, opts?: ClientOptions);
+    /**
+     * HMAC-signed POST/GET to any /api/agentic-wallet/* route except
+     * /provision. Path MUST start with a leading slash. Body is
+     * JSON.stringify'd (or the empty string for GET).
+     *
+     * Error mapping: non-2xx/non-202 surface as `KeeperHubError(code,
+     * message)` where `code` is the server-supplied field or the default
+     * taxonomy (`HMAC_INVALID`, `POLICY_BLOCKED`, `NOT_FOUND`,
+     * `TURNKEY_UPSTREAM`, `HTTP_<status>`). 202 ask-tier surfaces as an
+     * AskTierResponse envelope.
+     */
+    request<T>(method: "GET" | "POST", path: string, body?: unknown): Promise<T | AskTierResponse>;
+}
+
 type FundInstructions = {
     /** Coinbase Onramp deeplink (legacy query-param form). */
     coinbaseOnrampUrl: string;
@@ -235,26 +228,29 @@ type CreateHookOptions = {
     /** Match against tool_name. Default: /keeperhub|wallet|sign/i */
     toolNameMatcher?: (name: string) => boolean;
     /** Injected for tests */
-    walletLoader?: () => Promise<WalletConfig>;
-    /** Injected for tests */
     configLoader?: () => Promise<SafetyConfig>;
-    /** Injected for tests */
-    clientFactory?: (w: WalletConfig) => KeeperHubClient;
-    /**
-     * Called when the ask tier opens an approval URL. Default: write to stderr
-     * (stdout is reserved for the Claude Code hook JSON output).
-     */
-    onAskOpen?: (url: string) => void;
-    /** Polling config for the ask tier */
-    poll?: {
-        intervalMs: number;
-        maxAttempts: number;
-    };
 };
 /**
- * Factory returning the PreToolUse hook function. The hook enforces the three
+ * Factory returning the PreToolUse hook function. The hook enforces three
  * client-side safety tiers (auto / ask / block) sourced EXCLUSIVELY from
  * ~/.keeperhub/safety.json -- never from the tool payload (GUARD-05).
+ *
+ * v0.1.4 collapsed the previous four-band behaviour into three:
+ *
+ *   amount <= auto_approve_max_usd                    -> {decision: "allow"}
+ *   auto_approve_max_usd < amount <= block_threshold  -> {decision: "ask"} (Claude Code prompts user inline)
+ *   amount > block_threshold                          -> {decision: "deny"}
+ *
+ * The previous server-approval branch (amount >= ask_threshold -> create a
+ * /api/agentic-wallet/approval-request row, print an approval URL, poll for
+ * browser approval) was removed. It required the wallet to be linked to a
+ * KeeperHub user via /link, and the link command was rough enough that we
+ * never wired it into the documented flow. Returning {decision: "ask"}
+ * inline lets Claude Code surface the prompt in the agent chat directly.
+ *
+ * `ask_threshold_usd` is still read from safety.json for backward-compat
+ * with existing configs but is not consulted for decision-making. Tracked
+ * as KEEP-307 for the permanent architectural decision.
  */
 declare function createPreToolUseHook(options?: CreateHookOptions): Promise<(input: unknown) => Promise<HookDecision>>;
 

package/dist/index.js

@@ -79,124 +79,6 @@ var tempo = defineChain({
 var BASE_USDC = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913";
 var TEMPO_USDC_E = "0x20c000000000000000000000b9537d11c60e8b50";
 
-// src/hmac.ts
-import { createHash, createHmac } from "crypto";
-function computeSignature(secret, method, path, subOrgId, body, timestamp) {
-  const bodyDigest = createHash("sha256").update(body).digest("hex");
-  const signingString = `${method}
-${path}
-${subOrgId}
-${bodyDigest}
-${timestamp}`;
-  return createHmac("sha256", secret).update(signingString).digest("hex");
-}
-function buildHmacHeaders(secret, method, path, subOrgId, body) {
-  const timestamp = String(Math.floor(Date.now() / 1e3));
-  const signature = computeSignature(
-    secret,
-    method,
-    path,
-    subOrgId,
-    body,
-    timestamp
-  );
-  return {
-    "X-KH-Sub-Org": subOrgId,
-    "X-KH-Timestamp": timestamp,
-    "X-KH-Signature": signature
-  };
-}
-
-// src/types.ts
-var KeeperHubError = class extends Error {
-  code;
-  constructor(code, message) {
-    super(message);
-    this.name = "KeeperHubError";
-    this.code = code;
-  }
-};
-var WalletConfigMissingError = class extends Error {
-  constructor() {
-    super(
-      "Wallet config not found at ~/.keeperhub/wallet.json. Run `npx @keeperhub/wallet add` to provision."
-    );
-    this.name = "WalletConfigMissingError";
-  }
-};
-
-// src/client.ts
-var TRAILING_SLASH = /\/$/;
-function defaultCodeForStatus(status) {
-  if (status === 401) {
-    return "HMAC_INVALID";
-  }
-  if (status === 403) {
-    return "POLICY_BLOCKED";
-  }
-  if (status === 404) {
-    return "NOT_FOUND";
-  }
-  if (status === 502) {
-    return "TURNKEY_UPSTREAM";
-  }
-  return `HTTP_${status}`;
-}
-var KeeperHubClient = class {
-  baseUrl;
-  fetchImpl;
-  wallet;
-  constructor(wallet, opts = {}) {
-    this.wallet = wallet;
-    const envBase = process.env.KEEPERHUB_API_URL;
-    this.baseUrl = (opts.baseUrl ?? envBase ?? "https://app.keeperhub.com").replace(TRAILING_SLASH, "");
-    this.fetchImpl = opts.fetch ?? globalThis.fetch;
-  }
-  /**
-   * HMAC-signed POST/GET to any /api/agentic-wallet/* route except
-   * /provision. Path MUST start with a leading slash. Body is
-   * JSON.stringify'd (or the empty string for GET).
-   *
-   * Error mapping: non-2xx/non-202 surface as `KeeperHubError(code,
-   * message)` where `code` is the server-supplied field or the default
-   * taxonomy (`HMAC_INVALID`, `POLICY_BLOCKED`, `NOT_FOUND`,
-   * `TURNKEY_UPSTREAM`, `HTTP_<status>`). 202 ask-tier surfaces as an
-   * AskTierResponse envelope.
-   */
-  async request(method, path, body) {
-    const bodyStr = body === void 0 ? "" : JSON.stringify(body);
-    const hmacHeaders = buildHmacHeaders(
-      this.wallet.hmacSecret,
-      method,
-      path,
-      this.wallet.subOrgId,
-      bodyStr
-    );
-    const headers = method === "POST" ? { ...hmacHeaders, "content-type": "application/json" } : { ...hmacHeaders };
-    const response = await this.fetchImpl(`${this.baseUrl}${path}`, {
-      method,
-      headers,
-      body: method === "POST" ? bodyStr : void 0
-    });
-    if (response.status === 202) {
-      const data = await response.json();
-      return { _status: 202, approvalRequestId: data.approvalRequestId };
-    }
-    if (!response.ok) {
-      let code = "UNKNOWN";
-      let message = `HTTP ${response.status}`;
-      try {
-        const data = await response.json();
-        code = data.code ?? defaultCodeForStatus(response.status);
-        message = data.error ?? message;
-      } catch {
-      }
-      throw new KeeperHubError(code, message);
-    }
-    return await response.json();
-  }
-};
-
 // src/balance.ts
 var USDC_DECIMALS = 6;
 async function checkBalance(wallet, opts = {}) {
@@ -208,8 +90,7 @@ async function checkBalance(wallet, opts = {}) {
     chain: tempo,
     transport: http()
   });
-  const khClient = opts.khClient ?? new KeeperHubClient(wallet);
-  const [baseRaw, tempoRaw, credit] = await Promise.all([
+  const [baseRaw, tempoRaw] = await Promise.all([
     baseClient.readContract({
       address: BASE_USDC,
       abi: erc20Abi,
@@ -221,12 +102,8 @@ async function checkBalance(wallet, opts = {}) {
       abi: erc20Abi,
       functionName: "balanceOf",
       args: [wallet.walletAddress]
-    }),
-    khClient.request("GET", "/api/agentic-wallet/credit")
+    })
   ]);
-  if ("_status" in credit) {
-    throw new Error("Unexpected 202 response from /api/agentic-wallet/credit");
-  }
   return {
     base: {
       chain: "base",
@@ -239,10 +116,6 @@ async function checkBalance(wallet, opts = {}) {
       token: "USDC.e",
       amount: formatUnits(tempoRaw, USDC_DECIMALS),
       address: wallet.walletAddress
-    },
-    offChainCredit: {
-      amount: credit.amount,
-      currency: "USD"
     }
   };
 }
@@ -372,6 +245,26 @@ async function installSkill(options = {}) {
 import { chmod as chmod2, mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
 import { dirname as dirname3, join as join3 } from "path";
+
+// src/types.ts
+var KeeperHubError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "KeeperHubError";
+    this.code = code;
+  }
+};
+var WalletConfigMissingError = class extends Error {
+  constructor() {
+    super(
+      "Wallet config not found at ~/.keeperhub/wallet.json. Run `npx @keeperhub/wallet add` to provision."
+    );
+    this.name = "WalletConfigMissingError";
+  }
+};
+
+// src/storage.ts
 async function readWalletConfig() {
   const walletPath = join3(homedir2(), ".keeperhub", "wallet.json");
   let raw;
@@ -400,11 +293,11 @@ function getWalletConfigPath() {
 }
 
 // src/cli.ts
-var TRAILING_SLASH2 = /\/$/;
+var TRAILING_SLASH = /\/$/;
 var WALLET_ADDRESS_PATTERN = /^0x[a-fA-F0-9]{40}$/;
 function resolveBaseUrl(override) {
   const candidate = override ?? process.env.KEEPERHUB_API_URL ?? "https://app.keeperhub.com";
-  return candidate.replace(TRAILING_SLASH2, "");
+  return candidate.replace(TRAILING_SLASH, "");
 }
 function isNonEmptyString(value) {
   return typeof value === "string" && value.length > 0;
@@ -464,47 +357,6 @@ async function cmdAdd(opts = {}) {
   process.stdout.write(`config written to ${getWalletConfigPath()}
 `);
 }
-async function cmdLink(opts = {}) {
-  const wallet = await readWalletConfig();
-  const baseUrl = resolveBaseUrl(opts.baseUrl);
-  const sessionCookie = process.env.KH_SESSION_COOKIE;
-  if (!sessionCookie) {
-    process.stderr.write(
-      "[keeperhub-wallet] link requires KH_SESSION_COOKIE env var.\nSign in at app.keeperhub.com, copy the session cookie, and re-run with:\n  KH_SESSION_COOKIE='<cookie>' npx @keeperhub/wallet link\n"
-    );
-    process.exit(1);
-  }
-  const body = JSON.stringify({ subOrgId: wallet.subOrgId });
-  const headers = buildHmacHeaders(
-    wallet.hmacSecret,
-    "POST",
-    "/api/agentic-wallet/link",
-    wallet.subOrgId,
-    body
-  );
-  const response = await fetch(`${baseUrl}/api/agentic-wallet/link`, {
-    method: "POST",
-    headers: {
-      ...headers,
-      "content-type": "application/json",
-      cookie: sessionCookie
-    },
-    body
-  });
-  const json = await response.json().catch(() => ({}));
-  if (!response.ok) {
-    process.stderr.write(
-      `[keeperhub-wallet] link failed: ${json.code ?? response.status}: ${json.error ?? ""}
-`
-    );
-    process.exit(1);
-  }
-  if (json.already) {
-    process.stdout.write("already linked\n");
-    return;
-  }
-  process.stdout.write("linked\n");
-}
 async function cmdFund() {
   const wallet = await readWalletConfig();
   const out = fund(wallet.walletAddress);
@@ -518,14 +370,10 @@ async function cmdFund() {
 async function cmdBalance() {
   const wallet = await readWalletConfig();
   const snap = await checkBalance(wallet);
-  process.stdout.write(`Base USDC:         ${snap.base.amount}
+  process.stdout.write(`Base USDC:    ${snap.base.amount}
 `);
-  process.stdout.write(`Tempo USDC.e:      ${snap.tempo.amount}
+  process.stdout.write(`Tempo USDC.e: ${snap.tempo.amount}
 `);
-  process.stdout.write(
-    `KeeperHub credit:  ${snap.offChainCredit.amount} ${snap.offChainCredit.currency}
-`
-  );
 }
 async function cmdInfo() {
   const wallet = await readWalletConfig();
@@ -538,23 +386,16 @@ async function runCli(argv = process.argv) {
   const program = new Command();
   program.name("keeperhub-wallet").description(
     "KeeperHub agentic wallet CLI (auto-pay x402 + MPP 402 responses)"
-  ).version("0.1.0");
+  ).version("0.1.3");
   program.command("add").description("Provision a new agentic wallet (no account required)").option("--base-url <url>", "KeeperHub API base URL").action(async (opts) => {
     await cmdAdd(opts);
   });
-  program.command("link").description(
-    "Link the current wallet to your KeeperHub account (requires KH_SESSION_COOKIE env)"
-  ).option("--base-url <url>", "KeeperHub API base URL").action(async (opts) => {
-    await cmdLink(opts);
-  });
   program.command("fund").description(
     "Print Coinbase Onramp URL (Base USDC) and Tempo deposit address"
   ).action(async () => {
     await cmdFund();
   });
-  program.command("balance").description(
-    "Print unified balance: Base USDC + Tempo USDC.e + off-chain KeeperHub credit"
-  ).action(async () => {
+  program.command("balance").description("Print on-chain balance: Base USDC + Tempo USDC.e").action(async () => {
     await cmdBalance();
   });
   program.command("info").description("Print subOrgId and walletAddress from local config").action(async () => {
@@ -609,6 +450,106 @@ async function runCli(argv = process.argv) {
   }
 }
 
+// src/hmac.ts
+import { createHash, createHmac } from "crypto";
+function computeSignature(secret, method, path, subOrgId, body, timestamp) {
+  const bodyDigest = createHash("sha256").update(body).digest("hex");
+  const signingString = `${method}
+${path}
+${subOrgId}
+${bodyDigest}
+${timestamp}`;
+  return createHmac("sha256", secret).update(signingString).digest("hex");
+}
+function buildHmacHeaders(secret, method, path, subOrgId, body) {
+  const timestamp = String(Math.floor(Date.now() / 1e3));
+  const signature = computeSignature(
+    secret,
+    method,
+    path,
+    subOrgId,
+    body,
+    timestamp
+  );
+  return {
+    "X-KH-Sub-Org": subOrgId,
+    "X-KH-Timestamp": timestamp,
+    "X-KH-Signature": signature
+  };
+}
+
+// src/client.ts
+var TRAILING_SLASH2 = /\/$/;
+function defaultCodeForStatus(status) {
+  if (status === 401) {
+    return "HMAC_INVALID";
+  }
+  if (status === 403) {
+    return "POLICY_BLOCKED";
+  }
+  if (status === 404) {
+    return "NOT_FOUND";
+  }
+  if (status === 502) {
+    return "TURNKEY_UPSTREAM";
+  }
+  return `HTTP_${status}`;
+}
+var KeeperHubClient = class {
+  baseUrl;
+  fetchImpl;
+  wallet;
+  constructor(wallet, opts = {}) {
+    this.wallet = wallet;
+    const envBase = process.env.KEEPERHUB_API_URL;
+    this.baseUrl = (opts.baseUrl ?? envBase ?? "https://app.keeperhub.com").replace(TRAILING_SLASH2, "");
+    this.fetchImpl = opts.fetch ?? globalThis.fetch;
+  }
+  /**
+   * HMAC-signed POST/GET to any /api/agentic-wallet/* route except
+   * /provision. Path MUST start with a leading slash. Body is
+   * JSON.stringify'd (or the empty string for GET).
+   *
+   * Error mapping: non-2xx/non-202 surface as `KeeperHubError(code,
+   * message)` where `code` is the server-supplied field or the default
+   * taxonomy (`HMAC_INVALID`, `POLICY_BLOCKED`, `NOT_FOUND`,
+   * `TURNKEY_UPSTREAM`, `HTTP_<status>`). 202 ask-tier surfaces as an
+   * AskTierResponse envelope.
+   */
+  async request(method, path, body) {
+    const bodyStr = body === void 0 ? "" : JSON.stringify(body);
+    const hmacHeaders = buildHmacHeaders(
+      this.wallet.hmacSecret,
+      method,
+      path,
+      this.wallet.subOrgId,
+      bodyStr
+    );
+    const headers = method === "POST" ? { ...hmacHeaders, "content-type": "application/json" } : { ...hmacHeaders };
+    const response = await this.fetchImpl(`${this.baseUrl}${path}`, {
+      method,
+      headers,
+      body: method === "POST" ? bodyStr : void 0
+    });
+    if (response.status === 202) {
+      const data = await response.json();
+      return { _status: 202, approvalRequestId: data.approvalRequestId };
+    }
+    if (!response.ok) {
+      let code = "UNKNOWN";
+      let message = `HTTP ${response.status}`;
+      try {
+        const data = await response.json();
+        code = data.code ?? defaultCodeForStatus(response.status);
+        message = data.error ?? message;
+      } catch {
+      }
+      throw new KeeperHubError(code, message);
+    }
+    return await response.json();
+  }
+};
+
 // src/safety-config.ts
 import { chmod as chmod3, mkdir as mkdir3, readFile as readFile3, writeFile as writeFile3 } from "fs/promises";
 import { homedir as homedir3 } from "os";
@@ -689,8 +630,6 @@ function getSafetyConfigPath() {
 }
 
 // src/hook.ts
-var DEFAULT_POLL = { intervalMs: 2e3, maxAttempts: 150 };
-var APPROVAL_URL_BASE = "https://app.keeperhub.com/approve/";
 var USDC_DECIMALS2 = 1e6;
 var ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
 var MICRO_USDC_RE = /^\d+$/;
@@ -741,16 +680,6 @@ function usdToMicro(usd) {
 async function createPreToolUseHook(options = {}) {
   const toolMatcher = options.toolNameMatcher ?? defaultToolMatcher;
   const configLoader = options.configLoader ?? loadSafetyConfig;
-  const walletLoader = options.walletLoader ?? readWalletConfig;
-  const clientFactory = options.clientFactory ?? ((w) => new KeeperHubClient(w));
-  const onAskOpen = options.onAskOpen ?? ((url) => {
-    process.stderr.write(
-      `
-[keeperhub-wallet] Approval required. Visit: ${url}
-`
-    );
-  });
-  const poll = options.poll ?? DEFAULT_POLL;
   const safety = await configLoader();
   return async (raw) => {
     const hookInput = raw ?? {};
@@ -766,43 +695,10 @@ async function createPreToolUseHook(options = {}) {
       return { decision: "deny", reason: "AMOUNT_UNDETERMINED" };
     }
     const blockMicro = usdToMicro(safety.block_threshold_usd);
-    const askMicro = usdToMicro(safety.ask_threshold_usd);
     const autoMicro = usdToMicro(safety.auto_approve_max_usd);
     if (amountMicro > blockMicro) {
       return { decision: "deny", reason: "BLOCKED_BY_SAFETY_RULE" };
     }
-    if (amountMicro >= askMicro) {
-      const wallet = await walletLoader();
-      const client = clientFactory(wallet);
-      const created = await client.request("POST", "/api/agentic-wallet/approval-request", {
-        // Server contract (Phase 33): riskLevel MUST be 'ask' or 'block';
-        // operationPayload MUST be a non-array object. The hook only creates
-        // approval-requests at the ask tier (block tier short-circuits above).
-        riskLevel: "ask",
-        operationPayload: {
-          amountMicroUsdc: amountMicro.toString(),
-          contractAddress: contractAddr ?? "",
-          toolName: hookInput.tool_name ?? "",
-          reason: `Agent tool ${hookInput.tool_name}`
-        }
-      });
-      const approvalId = "_status" in created ? created.approvalRequestId : created.id;
-      onAskOpen(`${APPROVAL_URL_BASE}${approvalId}`);
-      for (let attempt = 0; attempt < poll.maxAttempts; attempt++) {
-        await new Promise((r) => setTimeout(r, poll.intervalMs));
-        const status = await client.request("GET", `/api/agentic-wallet/approval-request/${approvalId}`);
-        if (!("status" in status)) {
-          continue;
-        }
-        if (status.status === "approved") {
-          return { decision: "allow" };
-        }
-        if (status.status === "rejected") {
-          return { decision: "deny", reason: "USER_REJECTED" };
-        }
-      }
-      return { decision: "deny", reason: "APPROVAL_TIMEOUT" };
-    }
     if (amountMicro <= autoMicro) {
       return { decision: "allow" };
     }