@prktsol/prkt 1.0.0

package/dist/demo/scenarios/multiAgentDevnetScenario.js

@@ -0,0 +1,170 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runMultiAgentDevnetScenario = runMultiAgentDevnetScenario;
+const AgentRunner_1 = require("../../agent/runner/AgentRunner");
+const MemoHeartbeatStrategy_1 = require("../../agent/strategies/MemoHeartbeatStrategy");
+const SimpleScriptedTransferStrategy_1 = require("../../agent/strategies/SimpleScriptedTransferStrategy");
+const TreasuryDistributorStrategy_1 = require("../../agent/strategies/TreasuryDistributorStrategy");
+const agentPolicies_1 = require("../../config/agentPolicies");
+const env_1 = require("../../config/env");
+const BalanceService_1 = require("../../core/balances/BalanceService");
+const DevnetFundingService_1 = require("../../core/funding/DevnetFundingService");
+const RpcClient_1 = require("../../core/rpc/RpcClient");
+const TokenService_1 = require("../../core/tokens/TokenService");
+const TransactionService_1 = require("../../core/transactions/TransactionService");
+const managedAgentWallet_1 = require("../../scripts/managedAgentWallet");
+const LAMPORTS_PER_SOL = 1_000_000_000;
+const DEMO_TRANSFER_SOL = 0.01;
+const DEMO_TOKEN_DECIMALS = 6;
+const DEMO_TOKEN_MINT_RAW = 10000000n;
+const DEMO_TOKEN_DISTRIBUTION_RAW = 1000000n;
+const TREASURY_MINIMUM_SOL = 0.5;
+async function runMultiAgentDevnetScenario() {
+    const rpcClient = new RpcClient_1.RpcClient((0, env_1.getRpcUrl)(), "confirmed");
+    const transactionService = new TransactionService_1.TransactionService(rpcClient);
+    const tokenService = new TokenService_1.TokenService(rpcClient);
+    const fundingService = new DevnetFundingService_1.DevnetFundingService(rpcClient, transactionService);
+    const runner = new AgentRunner_1.AgentRunner();
+    const treasuryManaged = (0, managedAgentWallet_1.resolveManagedAgentWallet)({
+        agentName: "multi-agent-treasury",
+        ownerId: "multi-agent-devnet"
+    });
+    const treasuryWallet = treasuryManaged.walletManager;
+    const treasuryBalanceService = new BalanceService_1.BalanceService(rpcClient, tokenService);
+    await (0, managedAgentWallet_1.ensureManagedAgentWalletFunding)({
+        balanceService: treasuryBalanceService,
+        fundingService,
+        minimumSol: TREASURY_MINIMUM_SOL,
+        publicKey: treasuryWallet.publicKey
+    });
+    const managedAgents = [
+        (0, managedAgentWallet_1.resolveManagedAgentWallet)({ agentName: "multi-agent-1", ownerId: "multi-agent-devnet" }),
+        (0, managedAgentWallet_1.resolveManagedAgentWallet)({ agentName: "multi-agent-2", ownerId: "multi-agent-devnet" }),
+        (0, managedAgentWallet_1.resolveManagedAgentWallet)({ agentName: "multi-agent-3", ownerId: "multi-agent-devnet" })
+    ];
+    const wallets = managedAgents.map((entry) => entry.walletManager);
+    for (const wallet of wallets) {
+        const transfer = await transactionService.buildTransaction({
+            feePayer: treasuryWallet.publicKey,
+            instructions: [
+                transactionService.buildSolTransferInstructionInSol({
+                    from: treasuryWallet.publicKey,
+                    to: wallet.publicKey,
+                    amountSol: DEMO_TRANSFER_SOL
+                })
+            ],
+            signer: treasuryWallet
+        });
+        await transactionService.sendAndConfirm(transfer);
+    }
+    const mintSetup = await tokenService.buildCreateMintInstructions({
+        payer: treasuryWallet.publicKey,
+        mintAuthority: treasuryWallet.publicKey,
+        decimals: DEMO_TOKEN_DECIMALS
+    });
+    const mintBuild = await transactionService.buildTransaction({
+        feePayer: treasuryWallet.publicKey,
+        instructions: mintSetup.instructions,
+        signer: treasuryWallet
+    });
+    mintBuild.transaction.sign([mintSetup.mintKeypair]);
+    await transactionService.sendAndConfirm(mintBuild);
+    const treasuryAta = await tokenService.ensureAtaInstruction({
+        mint: mintSetup.mintKeypair.publicKey,
+        owner: treasuryWallet.publicKey,
+        payer: treasuryWallet.publicKey
+    });
+    const mintInstructions = [
+        ...(treasuryAta.createInstruction ? [treasuryAta.createInstruction] : []),
+        tokenService.buildMintToInstruction({
+            mint: mintSetup.mintKeypair.publicKey,
+            destinationAta: treasuryAta.address,
+            authority: treasuryWallet.publicKey,
+            amount: DEMO_TOKEN_MINT_RAW
+        })
+    ];
+    const mintToTreasury = await transactionService.buildTransaction({
+        feePayer: treasuryWallet.publicKey,
+        instructions: mintInstructions,
+        signer: treasuryWallet
+    });
+    await transactionService.sendAndConfirm(mintToTreasury);
+    const recipients = wallets.map((wallet) => wallet.publicKey.toBase58());
+    const treasuryContext = {
+        id: treasuryManaged.agent.name,
+        walletManager: treasuryWallet,
+        walletPublicKey: treasuryWallet.publicKey,
+        rpcClient,
+        transactionService,
+        tokenService,
+        balanceService: treasuryBalanceService,
+        policyConfig: (0, agentPolicies_1.createDefaultPolicyConfig)({
+            agentId: treasuryManaged.agent.name,
+            allowedMints: [mintSetup.mintKeypair.publicKey.toBase58()],
+            allowedTransferDestinations: recipients
+        }),
+        logger: (message) => console.log(`[${treasuryManaged.agent.name}] ${message}`)
+    };
+    const transferContext = wallets.map((wallet, index) => ({
+        id: managedAgents[index].agent.name,
+        walletManager: wallet,
+        walletPublicKey: wallet.publicKey,
+        rpcClient,
+        transactionService,
+        tokenService,
+        balanceService: new BalanceService_1.BalanceService(rpcClient, tokenService),
+        policyConfig: (0, agentPolicies_1.createDefaultPolicyConfig)({
+            agentId: managedAgents[index].agent.name,
+            allowedMints: [mintSetup.mintKeypair.publicKey.toBase58()],
+            allowedTransferDestinations: [
+                treasuryWallet.publicKey.toBase58(),
+                ...wallets.map((candidate) => candidate.publicKey.toBase58())
+            ]
+        }),
+        logger: (message) => console.log(`[${managedAgents[index].agent.name}] ${message}`)
+    }));
+    runner.registerAgent({
+        context: treasuryContext,
+        strategy: new TreasuryDistributorStrategy_1.TreasuryDistributorStrategy({
+            mint: mintSetup.mintKeypair.publicKey.toBase58(),
+            recipients,
+            amountRawPerRecipient: DEMO_TOKEN_DISTRIBUTION_RAW
+        }),
+        approvalMode: "sandbox"
+    });
+    runner.registerAgent({
+        context: transferContext[0],
+        strategy: new SimpleScriptedTransferStrategy_1.SimpleScriptedTransferStrategy({
+            to: transferContext[1].walletPublicKey.toBase58(),
+            lamports: Math.round(0.001 * LAMPORTS_PER_SOL),
+            memo: "agent-1 scripted transfer"
+        })
+    });
+    runner.registerAgent({
+        context: transferContext[1],
+        strategy: new MemoHeartbeatStrategy_1.MemoHeartbeatStrategy()
+    });
+    runner.registerAgent({
+        context: transferContext[2],
+        strategy: new SimpleScriptedTransferStrategy_1.SimpleScriptedTransferStrategy({
+            to: treasuryWallet.publicKey.toBase58(),
+            lamports: Math.round(0.0005 * LAMPORTS_PER_SOL),
+            memo: "agent-3 return transfer"
+        })
+    });
+    const runResults = await runner.runOnceParallel();
+    const signatures = runResults.flatMap((result) => result.outcomes.flatMap((outcome) => (outcome.signature ? [outcome.signature] : [])));
+    for (const context of [treasuryContext, ...transferContext]) {
+        const sol = await context.balanceService.getSolBalance(context.walletPublicKey);
+        const spl = await context.balanceService.getSplTokenBalance({
+            owner: context.walletPublicKey,
+            mint: mintSetup.mintKeypair.publicKey
+        });
+        console.log(`${context.id} -> SOL: ${sol.toFixed(4)}, demo token: ${spl.toFixed(4)}`);
+    }
+    return {
+        rpc: rpcClient.rpcUrl,
+        mintAddress: mintSetup.mintKeypair.publicKey.toBase58(),
+        signatures
+    };
+}

package/dist/demo/scripts/runMultiAgentDevnetDemo.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const multiAgentDevnetScenario_1 = require("../scenarios/multiAgentDevnetScenario");
+async function main() {
+    console.log("PRKT multi-agent devnet demo");
+    const result = await (0, multiAgentDevnetScenario_1.runMultiAgentDevnetScenario)();
+    console.log(`RPC: ${result.rpc}`);
+    console.log(`Demo mint: ${result.mintAddress}`);
+    for (const signature of result.signatures) {
+        console.log(`tx: ${signature}`);
+    }
+}
+main().catch((error) => {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Multi-agent devnet demo failed: ${message}`);
+    process.exitCode = 1;
+});

package/dist/dex/JupiterSwapClient.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JupiterSwapClient = exports.JupiterApiError = void 0;
+class JupiterApiError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "JupiterApiError";
+    }
+}
+exports.JupiterApiError = JupiterApiError;
+class JupiterSwapClient {
+    baseUrl;
+    fetchImpl;
+    constructor(baseUrl, fetchImpl = fetch) {
+        this.baseUrl = baseUrl;
+        this.fetchImpl = fetchImpl;
+    }
+    async getQuote(input) {
+        const params = new URLSearchParams({
+            inputMint: input.inputMint,
+            outputMint: input.outputMint,
+            amount: input.amount.toString(),
+            slippageBps: input.slippageBps.toString()
+        });
+        const response = await this.fetchImpl(`${this.baseUrl}/swap/v1/quote?${params.toString()}`);
+        if (!response.ok) {
+            throw new JupiterApiError(`Jupiter quote failed with HTTP ${response.status}.`);
+        }
+        const payload = (await response.json());
+        const route = payload.data?.[0];
+        if (!route) {
+            throw new JupiterApiError("Jupiter quote returned no routes.");
+        }
+        return route;
+    }
+    async buildSwapTransaction(input) {
+        const response = await this.fetchImpl(`${this.baseUrl}/swap/v1/swap`, {
+            method: "POST",
+            headers: {
+                "content-type": "application/json"
+            },
+            body: JSON.stringify({
+                quoteResponse: input.quoteResponse,
+                userPublicKey: input.userPublicKey.toBase58(),
+                wrapAndUnwrapSol: true,
+                dynamicComputeUnitLimit: true
+            })
+        });
+        if (!response.ok) {
+            throw new JupiterApiError(`Jupiter swap build failed with HTTP ${response.status}.`);
+        }
+        const payload = (await response.json());
+        if (!payload.swapTransaction) {
+            throw new JupiterApiError("Jupiter swap response did not include a swapTransaction.");
+        }
+        return payload.swapTransaction;
+    }
+}
+exports.JupiterSwapClient = JupiterSwapClient;

package/dist/dex/SwapExecutor.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SwapExecutor = void 0;
+const web3_js_1 = require("@solana/web3.js");
+const WRAPPED_SOL_MINT = "So11111111111111111111111111111111111111112";
+class SwapExecutor {
+    jupiterClient;
+    constructor(jupiterClient) {
+        this.jupiterClient = jupiterClient;
+    }
+    async buildSolToTokenSwapTransaction(input) {
+        const quote = await this.jupiterClient.getQuote({
+            inputMint: WRAPPED_SOL_MINT,
+            outputMint: input.outputMint,
+            amount: BigInt(Math.round(input.amountSol * web3_js_1.LAMPORTS_PER_SOL)),
+            slippageBps: input.slippageBps ?? 50
+        });
+        const swapTransactionBase64 = await this.jupiterClient.buildSwapTransaction({
+            quoteResponse: quote,
+            userPublicKey: input.walletManager.publicKey
+        });
+        const transaction = web3_js_1.VersionedTransaction.deserialize(Buffer.from(swapTransactionBase64, "base64"));
+        const signedTransaction = await input.walletManager.signTransaction(transaction);
+        return {
+            outputMint: input.outputMint,
+            quoteOutAmount: quote.outAmount,
+            routeType: "jupiter",
+            transaction: signedTransaction
+        };
+    }
+    async executeSolToTokenSwap(input) {
+        const prepared = await this.buildSolToTokenSwapTransaction({
+            amountSol: input.amountSol,
+            outputMint: input.outputMint,
+            slippageBps: input.slippageBps,
+            walletManager: input.walletManager
+        });
+        const transaction = prepared.transaction;
+        input.policyGuard.validate(transaction);
+        const execution = await input.koraSigner.signAndSendGasless(transaction, `JUPITER_SWAP:${input.amountSol.toFixed(2)} SOL->${input.outputMint}`);
+        return {
+            execution,
+            outputMint: prepared.outputMint,
+            quoteOutAmount: prepared.quoteOutAmount,
+            routeType: prepared.routeType
+        };
+    }
+    static isLikelySolMint(mintAddress) {
+        return new web3_js_1.PublicKey(mintAddress).toBase58() === WRAPPED_SOL_MINT;
+    }
+}
+exports.SwapExecutor = SwapExecutor;

package/dist/index.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const web3_js_1 = require("@solana/web3.js");
+const env_1 = require("./config/env");
+const WalletManager_1 = require("./wallet/WalletManager");
+async function main() {
+    const rpcUrl = (0, env_1.getRpcUrl)();
+    const connection = new web3_js_1.Connection(rpcUrl, "confirmed");
+    const walletManager = WalletManager_1.WalletManager.loadOrGenerate();
+    const { publicKey, source } = walletManager.toSafeSummary();
+    console.log("PRKT wallet ready.");
+    console.log(`RPC: ${rpcUrl}`);
+    console.log(`Wallet source: ${source}`);
+    console.log(`Devnet public key: ${publicKey}`);
+    const balanceLamports = await connection.getBalance(walletManager.publicKey);
+    console.log(`Devnet balance (lamports): ${balanceLamports}`);
+}
+main().catch((error) => {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Startup failed: ${message}`);
+    process.exitCode = 1;
+});

package/dist/kora/KoraRpcClient.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KoraRpcClient = exports.KoraRpcError = void 0;
+class KoraRpcError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "KoraRpcError";
+    }
+}
+exports.KoraRpcError = KoraRpcError;
+class KoraRpcClient {
+    endpoint;
+    fetchImpl;
+    constructor(endpoint, fetchImpl = fetch) {
+        this.endpoint = endpoint;
+        this.fetchImpl = fetchImpl;
+    }
+    get rpcUrl() {
+        return this.endpoint;
+    }
+    async getBlockhash() {
+        const result = await this.call("getBlockhash", []);
+        const blockhash = result.blockhash ?? result.value?.blockhash;
+        if (!blockhash) {
+            throw new KoraRpcError("Kora getBlockhash response did not include a blockhash.");
+        }
+        return blockhash;
+    }
+    async signAndSendTransaction(transaction) {
+        const result = await this.call("signAndSendTransaction", [{ transaction }]);
+        const signature = result.signature ?? result.txid;
+        if (!signature) {
+            throw new KoraRpcError("Kora signAndSendTransaction response did not include a signature.");
+        }
+        return { signature };
+    }
+    async call(method, params) {
+        const response = await this.fetchImpl(this.endpoint, {
+            method: "POST",
+            headers: {
+                "content-type": "application/json"
+            },
+            body: JSON.stringify({
+                jsonrpc: "2.0",
+                id: method,
+                method,
+                params
+            })
+        });
+        if (!response.ok) {
+            throw new KoraRpcError(`Kora RPC request failed with HTTP ${response.status}.`);
+        }
+        const payload = (await response.json());
+        if ("error" in payload) {
+            throw new KoraRpcError(`Kora RPC error ${payload.error.code}: ${payload.error.message}`);
+        }
+        return payload.result;
+    }
+}
+exports.KoraRpcClient = KoraRpcClient;

package/dist/kora/KoraSigner.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KoraSigner = void 0;
+const crypto_1 = require("crypto");
+const web3_js_1 = require("@solana/web3.js");
+const programs_1 = require("../solana/programs");
+class KoraSigner {
+    client;
+    options;
+    constructor(client, options) {
+        this.client = client;
+        this.options = options;
+    }
+    async buildMemoTransaction(walletManager, memo) {
+        const recentBlockhash = this.options.mockMode
+            ? programs_1.MOCK_BLOCKHASH
+            : await this.client.getBlockhash();
+        const memoInstruction = new web3_js_1.TransactionInstruction({
+            programId: programs_1.MEMO_PROGRAM_ID,
+            keys: [],
+            data: Buffer.from(memo, "utf8")
+        });
+        const message = new web3_js_1.TransactionMessage({
+            payerKey: walletManager.publicKey,
+            recentBlockhash,
+            instructions: [memoInstruction]
+        }).compileToV0Message();
+        const transaction = new web3_js_1.VersionedTransaction(message);
+        return walletManager.signTransaction(transaction);
+    }
+    async signAndSendGasless(transaction, memo) {
+        const serializedTransaction = Buffer.from(transaction.serialize()).toString("base64");
+        if (this.options.mockMode) {
+            return {
+                endpoint: this.client.rpcUrl,
+                memo,
+                mock: true,
+                signature: this.createMockSignature(serializedTransaction)
+            };
+        }
+        const { signature } = await this.client.signAndSendTransaction(serializedTransaction);
+        return {
+            endpoint: this.client.rpcUrl,
+            memo,
+            mock: false,
+            signature
+        };
+    }
+    async submitGaslessMemo(walletManager, memo) {
+        const transaction = await this.buildMemoTransaction(walletManager, memo);
+        return this.signAndSendGasless(transaction, memo);
+    }
+    createMockSignature(serializedTransaction) {
+        return (0, crypto_1.createHash)("sha256").update(serializedTransaction).digest("hex");
+    }
+}
+exports.KoraSigner = KoraSigner;

package/dist/kora/gaslessDemo.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertGaslessDemoReadiness = assertGaslessDemoReadiness;
+exports.parseUiAmount = parseUiAmount;
+function assertGaslessDemoReadiness(input) {
+    if (input.solLamports !== 0) {
+        throw new Error("wallet:gasless requires the agent wallet to start with exactly 0 SOL so the fee abstraction claim is unambiguous.");
+    }
+    if (input.usdcBalance < 1) {
+        throw new Error("wallet:gasless requires at least 1.0 USDC in the agent wallet.");
+    }
+}
+function parseUiAmount(input) {
+    if (input.uiAmount !== null) {
+        return input.uiAmount;
+    }
+    return Number(input.amount) / 10 ** input.decimals;
+}

package/dist/policy/PolicyGuard.js

@@ -0,0 +1,158 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyGuard = void 0;
+const spl_token_1 = require("@solana/spl-token");
+const web3_js_1 = require("@solana/web3.js");
+const errors_1 = require("./errors");
+const emergencyLock_1 = require("./emergencyLock");
+const programs_1 = require("../solana/programs");
+class PolicyGuard {
+    policy;
+    constructor(policy) {
+        this.policy = policy;
+    }
+    validate(transaction) {
+        this.ensureEmergencyOverrideInactive();
+        this.ensureSessionActive();
+        const decompiledMessage = web3_js_1.TransactionMessage.decompile(transaction.message);
+        let totalSpendUnits = 0n;
+        for (const instruction of decompiledMessage.instructions) {
+            this.ensureProgramAllowed(instruction);
+            this.ensureInstructionShapeAllowed(instruction);
+            const spendDetails = this.tryDecodeSpend(instruction);
+            if (!spendDetails) {
+                continue;
+            }
+            const destination = spendDetails.destination.toBase58();
+            if (!this.policy.whitelistedTransferDestinations.includes(destination)) {
+                throw new errors_1.SecurityViolationError(`Transfer blocked: destination ${destination} is not whitelisted.`);
+            }
+            totalSpendUnits += spendDetails.amount;
+        }
+        const maxSpendLamports = BigInt(this.policy.maxSpend.lamports);
+        if (totalSpendUnits > maxSpendLamports) {
+            throw new errors_1.SecurityViolationError(`Transfer blocked: ${totalSpendUnits} exceeds max spend ${maxSpendLamports}.`);
+        }
+    }
+    ensureEmergencyOverrideInactive() {
+        const status = (0, emergencyLock_1.getEmergencyLockStatus)();
+        if (status.locked) {
+            throw new errors_1.SecurityViolationError(status.reason ?? "Human-in-the-loop Override engaged. Transaction execution is locked.");
+        }
+    }
+    ensureSessionActive() {
+        const expiresAt = Date.parse(this.policy.sessionExpiry.iso8601);
+        if (Number.isNaN(expiresAt)) {
+            throw new errors_1.SecurityViolationError("Session blocked: invalid session expiry.");
+        }
+        if (Date.now() > expiresAt) {
+            throw new errors_1.SecurityViolationError("Session blocked: session has expired.");
+        }
+    }
+    ensureProgramAllowed(instruction) {
+        const programId = instruction.programId.toBase58();
+        if (this.policy.whitelistedPrograms.includes(programId)) {
+            return;
+        }
+        throw new errors_1.SecurityViolationError(`Program blocked: ${programId} is not whitelisted.`);
+    }
+    tryDecodeSpend(instruction) {
+        if (instruction.programId.equals(web3_js_1.SystemProgram.programId)) {
+            try {
+                const transfer = web3_js_1.SystemInstruction.decodeTransfer(instruction);
+                return {
+                    amount: transfer.lamports,
+                    destination: transfer.toPubkey
+                };
+            }
+            catch {
+                return null;
+            }
+        }
+        // Parse SPL token spend instructions so token outflows are policy-constrained.
+        try {
+            const transfer = (0, spl_token_1.decodeTransferInstruction)(instruction);
+            return {
+                amount: BigInt(transfer.data.amount.toString()),
+                destination: transfer.keys.destination.pubkey
+            };
+        }
+        catch {
+            // Not a Transfer instruction.
+        }
+        try {
+            const transferChecked = (0, spl_token_1.decodeTransferCheckedInstruction)(instruction);
+            return {
+                amount: BigInt(transferChecked.data.amount.toString()),
+                destination: transferChecked.keys.destination.pubkey
+            };
+        }
+        catch {
+            // Not a TransferChecked instruction.
+        }
+        return null;
+    }
+    ensureInstructionShapeAllowed(instruction) {
+        const blockedVector = this.detectBlockedSpendVector(instruction);
+        if (blockedVector) {
+            throw new errors_1.SecurityViolationError(blockedVector);
+        }
+        if (this.tryDecodeSpend(instruction)) {
+            return;
+        }
+        const programId = instruction.programId.toBase58();
+        const knownNonSpendPrograms = [
+            web3_js_1.SystemProgram.programId.toBase58(),
+            programs_1.TOKEN_PROGRAM_ID.toBase58(),
+            programs_1.ASSOCIATED_TOKEN_PROGRAM_ID.toBase58(),
+            programs_1.MEMO_PROGRAM_ID.toBase58()
+        ];
+        if (knownNonSpendPrograms.includes(programId)) {
+            return;
+        }
+        throw new errors_1.SecurityViolationError(`Opaque instruction blocked: ${programId} is not explicitly approved.`);
+    }
+    detectBlockedSpendVector(instruction) {
+        try {
+            const approve = (0, spl_token_1.decodeApproveInstruction)(instruction);
+            return `Delegate approval blocked: ${approve.keys.delegate.pubkey.toBase58()}`;
+        }
+        catch {
+            // ignore
+        }
+        try {
+            const approveChecked = (0, spl_token_1.decodeApproveCheckedInstruction)(instruction);
+            return `Delegate approval blocked: ${approveChecked.keys.delegate.pubkey.toBase58()}`;
+        }
+        catch {
+            // ignore
+        }
+        try {
+            const revoke = (0, spl_token_1.decodeRevokeInstruction)(instruction);
+            return `Delegate revoke requires explicit approval: ${revoke.keys.account.pubkey.toBase58()}`;
+        }
+        catch {
+            // ignore
+        }
+        try {
+            const closeAccount = (0, spl_token_1.decodeCloseAccountInstruction)(instruction);
+            return `Close-account drain blocked: ${closeAccount.keys.destination.pubkey.toBase58()}`;
+        }
+        catch {
+            // ignore
+        }
+        try {
+            const setAuthority = (0, spl_token_1.decodeSetAuthorityInstruction)(instruction);
+            if (setAuthority.data.authorityType === spl_token_1.AuthorityType.AccountOwner ||
+                setAuthority.data.authorityType === spl_token_1.AuthorityType.CloseAccount ||
+                setAuthority.data.authorityType === spl_token_1.AuthorityType.MintTokens) {
+                return `Authority change blocked: ${spl_token_1.AuthorityType[setAuthority.data.authorityType]}`;
+            }
+        }
+        catch {
+            // ignore
+        }
+        return null;
+    }
+}
+exports.PolicyGuard = PolicyGuard;