@t2000/engine 0.46.10 → 0.46.11

package/dist/index.d.ts

@@ -219,6 +219,15 @@ interface GuardConfig {
     costWarning?: boolean;
     retryProtection?: boolean;
     inputValidation?: boolean;
+    /**
+     * Root-cause guard for "LLM types a recipient address from memory and
+     * loses funds to a wrong-but-valid address". When enabled (default),
+     * `send_transfer.to` is rejected unless the address can be sourced
+     * from a saved contact, the user's own wallet, or the user's recent
+     * messages. Set to `false` only if the host has its own equivalent
+     * upstream guard (e.g. an off-process verifier).
+     */
+    addressSource?: boolean;
 }
 declare const DEFAULT_GUARD_CONFIG: GuardConfig;
 declare class BalanceTracker {
@@ -249,6 +258,7 @@ declare function createGuardRunnerState(): GuardRunnerState;
 declare function runGuards(tool: Tool, call: PendingToolCall, state: GuardRunnerState, config: GuardConfig, conversationContext: {
     fullText: string;
     lastAssistantText: string;
+    recentUserText: string;
 }, 
 /**
  * [v1.4 Item 4] Optional per-guard observation hook. Fired exactly
@@ -256,7 +266,21 @@ declare function runGuards(tool: Tool, call: PendingToolCall, state: GuardRunner
  * up in `events`/`injections`/`block`). Errors thrown by the host
  * are caught so a misbehaving collector can't break tool execution.
  */
-onGuardFired?: (guard: GuardMetric) => void): GuardCheckResult;
+onGuardFired?: (guard: GuardMetric) => void, 
+/**
+ * Identity context for the address-source safety guard. The guard
+ * accepts `send_transfer.to` only when sourced from a saved contact,
+ * the user's own wallet, or the user's recent messages — preventing
+ * the LLM from typing addresses from memory and shipping funds to a
+ * wrong-but-syntactically-valid recipient.
+ */
+identity?: {
+    contacts?: ReadonlyArray<{
+        name: string;
+        address: string;
+    }>;
+    walletAddress?: string;
+}): GuardCheckResult;
 declare function updateGuardStateAfterToolResult(toolName: string, tool: Tool | undefined, input: unknown, result: unknown, isError: boolean, state: GuardRunnerState): void;
 declare function extractConversationText(messages: Array<{
     role: string;
@@ -264,6 +288,7 @@ declare function extractConversationText(messages: Array<{
 }>): {
     fullText: string;
     lastAssistantText: string;
+    recentUserText: string;
 };
 
 /**
@@ -366,8 +391,20 @@ declare const PERMISSION_PRESETS: {
  * `config.autonomousDailyLimit`, an otherwise-`auto` tier is downgraded to
  * `confirm`. This is the runtime guard for the daily autonomous spend cap.
  * Tiers above `auto` are returned unchanged.
+ *
+ * Send-safety rule: when `operation === 'send'` and the destination
+ * address is a raw `0x...` (i.e. NOT one of the user's saved contacts),
+ * an otherwise-`auto` tier is downgraded to `confirm` regardless of
+ * amount. This bounds the "LLM/user typo silently ships funds" failure
+ * mode to a single confirmation per recipient — once saved as a contact,
+ * subsequent sends to the same address auto-approve under tier as normal.
  */
-declare function resolvePermissionTier(operation: string, amountUsd: number, config: UserPermissionConfig, sessionSpendUsd?: number): 'auto' | 'confirm' | 'explicit';
+declare function resolvePermissionTier(operation: string, amountUsd: number, config: UserPermissionConfig, sessionSpendUsd?: number, sendContext?: {
+    to?: string;
+    contacts?: ReadonlyArray<{
+        address: string;
+    }>;
+}): 'auto' | 'confirm' | 'explicit';
 declare function toolNameToOperation(toolName: string): PermissionOperation | undefined;
 /**
  * Resolve the USD value of a tool call from its inputs.
@@ -698,6 +735,18 @@ interface EngineConfig {
     priceCache?: Map<string, number>;
     /** Per-user permission config for USD-threshold write tool gating (B.4). */
     permissionConfig?: UserPermissionConfig;
+    /**
+     * Saved contacts for the current user. Used by `guardAddressSource`
+     * (a saved contact's address is considered a trusted source for
+     * `send_transfer.to`) and by `permission-rules.resolvePermissionTier`
+     * (sends to non-contact addresses always require confirmation,
+     * regardless of amount). Hosts SHOULD also surface these in the
+     * dynamic system prompt block so the LLM can resolve "send to <name>".
+     */
+    contacts?: ReadonlyArray<{
+        name: string;
+        address: string;
+    }>;
     /**
      * [v1.4] Cumulative USD already auto-executed in the current session.
      * Forwarded to `ToolContext` and consulted by `resolvePermissionTier` to
@@ -880,6 +929,7 @@ declare class QueryEngine {
     private readonly contextSummarizer;
     private readonly priceCache;
     private readonly permissionConfig;
+    private readonly contacts;
     private readonly sessionSpendUsd;
     private readonly onAutoExecuted;
     private readonly onGuardFired;
@@ -1810,8 +1860,8 @@ declare const withdrawTool: Tool<{
 }>;
 
 declare const sendTransferTool: Tool<{
-    amount: number;
     to: string;
+    amount: number;
     memo?: string | undefined;
 }, {
     success: boolean;
@@ -1879,8 +1929,8 @@ declare const mppServicesTool: Tool<{
 }, Record<string, unknown>>;
 
 declare const swapExecuteTool: Tool<{
-    amount: number;
     to: string;
+    amount: number;
     from: string;
     byAmountIn?: boolean | undefined;
     slippage?: number | undefined;
@@ -1896,8 +1946,8 @@ declare const swapExecuteTool: Tool<{
 }>;
 
 declare const swapQuoteTool: Tool<{
-    amount: number;
     to: string;
+    amount: number;
     from: string;
     byAmountIn?: boolean | undefined;
 }, _t2000_sdk.SwapQuoteResult>;

package/dist/index.js

@@ -3609,7 +3609,8 @@ var DEFAULT_GUARD_CONFIG = {
   artifactPreview: true,
   costWarning: true,
   retryProtection: true,
-  inputValidation: true
+  inputValidation: true,
+  addressSource: true
 };
 var BalanceTracker = class {
   lastBalanceAt = 0;
@@ -3666,7 +3667,7 @@ function guardIrreversibility(tool, _call, conversationText) {
   if (!tool.flags.irreversible) {
     return { verdict: "pass", gate: "irreversibility", tier: "safety" };
   }
-  const hasPreview = /preview|here.s what|confirm.*send|looks? good/i.test(conversationText);
+  const hasPreview = /preview|here.{0,2}s what|confirm.{0,200}send|looks? good/i.test(conversationText);
   if (hasPreview) {
     return { verdict: "pass", gate: "irreversibility", tier: "safety" };
   }
@@ -3762,7 +3763,7 @@ function guardSlippage(tool, _call, lastAssistantText) {
   if (tool.name !== "swap_execute") {
     return { verdict: "pass", gate: "slippage_warning", tier: "financial" };
   }
-  const hasEstimate = /~?\$?[\d,]+\.?\d*\s*(SUI|USDC|USDT|WETH)/i.test(lastAssistantText) || /approximately|≈|about|expect|receive/i.test(lastAssistantText);
+  const hasEstimate = /~?\$?\d[\d,]{0,30}(?:\.\d{1,10})?\s*(SUI|USDC|USDT|WETH)/i.test(lastAssistantText) || /approximately|≈|about|expect|receive/i.test(lastAssistantText);
   if (hasEstimate) {
     return { verdict: "pass", gate: "slippage_warning", tier: "financial" };
   }
@@ -3788,6 +3789,41 @@ function guardCostWarning(tool, _call, conversationText) {
     message: "This action has a monetary cost. Confirm the user is aware before proceeding."
   };
 }
+var SUI_ADDRESS_REGEX = /^0x[a-fA-F0-9]{64}$/;
+function normalizeAddress(addr) {
+  return addr.trim().toLowerCase();
+}
+function guardAddressSource(tool, call, userText, contacts, walletAddress) {
+  if (tool.name !== "send_transfer") {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  const input = call.input;
+  const rawTo = String(input.to ?? "");
+  if (!rawTo) {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  if (!SUI_ADDRESS_REGEX.test(rawTo)) {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  const normalizedTo = normalizeAddress(rawTo);
+  if (walletAddress && normalizeAddress(walletAddress) === normalizedTo) {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  for (const c of contacts) {
+    if (normalizeAddress(c.address) === normalizedTo) {
+      return { verdict: "pass", gate: "address_source", tier: "safety" };
+    }
+  }
+  if (userText.toLowerCase().includes(normalizedTo)) {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  return {
+    verdict: "block",
+    gate: "address_source",
+    tier: "safety",
+    message: `Safety check failed: the recipient address "${rawTo}" was not provided by the user (no saved contact matches, address is not the user's own wallet, and it does not appear verbatim in the user's recent messages). For safety, addresses must be supplied directly by the user \u2014 never reconstructed from memory or partial recall. Ask the user to paste the destination address again exactly.`
+  };
+}
 function guardArtifactPreview(result) {
   if (!result || typeof result !== "object") return null;
   const r = result;
@@ -3815,7 +3851,7 @@ function createGuardRunnerState() {
     lastHealthFactor: null
   };
 }
-function runGuards(tool, call, state, config, conversationContext, onGuardFired) {
+function runGuards(tool, call, state, config, conversationContext, onGuardFired, identity) {
   const results = [];
   const now = Date.now();
   const fire = (verdict, tier, gate, hadInjection) => {
@@ -3856,6 +3892,17 @@ function runGuards(tool, call, state, config, conversationContext, onGuardFired)
   if (config.retryProtection !== false) {
     results.push(guardRetryProtection(tool, call, state.retryTracker));
   }
+  if (config.addressSource !== false) {
+    results.push(
+      guardAddressSource(
+        tool,
+        call,
+        conversationContext.recentUserText,
+        identity?.contacts ?? [],
+        identity?.walletAddress
+      )
+    );
+  }
   if (config.irreversibility !== false) {
     results.push(guardIrreversibility(tool, call, conversationContext.fullText));
   }
@@ -3926,6 +3973,7 @@ function updateGuardStateAfterToolResult(toolName, tool, input, result, isError,
 }
 function extractConversationText(messages) {
   const textParts = [];
+  const userParts = [];
   let lastAssistantText = "";
   for (const msg of messages) {
     if (!Array.isArray(msg.content)) continue;
@@ -3934,13 +3982,19 @@ function extractConversationText(messages) {
         textParts.push(block.text);
         if (msg.role === "assistant") {
           lastAssistantText = block.text;
+        } else if (msg.role === "user") {
+          userParts.push(block.text);
         }
       }
     }
   }
+  const recentUserParts = userParts.slice(-10);
+  const MAX_REGEX_INPUT = 16 * 1024;
+  const cap = (s) => s.length <= MAX_REGEX_INPUT ? s : s.slice(-MAX_REGEX_INPUT);
   return {
-    fullText: textParts.join("\n"),
-    lastAssistantText
+    fullText: cap(textParts.join("\n")),
+    lastAssistantText: cap(lastAssistantText),
+    recentUserText: cap(recentUserParts.join("\n"))
   };
 }
 
@@ -4240,7 +4294,12 @@ var PERMISSION_PRESETS = {
     ]
   }
 };
-function resolvePermissionTier(operation, amountUsd, config, sessionSpendUsd) {
+function isKnownContactAddress(to, contacts) {
+  if (!to) return false;
+  const normalized = to.trim().toLowerCase();
+  return contacts.some((c) => c.address.trim().toLowerCase() === normalized);
+}
+function resolvePermissionTier(operation, amountUsd, config, sessionSpendUsd, sendContext) {
   const rule = config.rules.find((r) => r.operation === operation);
   const autoBelow = rule?.autoBelow ?? config.globalAutoBelow;
   const confirmBetween = rule?.confirmBetween ?? 1e3;
@@ -4249,7 +4308,10 @@ function resolvePermissionTier(operation, amountUsd, config, sessionSpendUsd) {
   else if (amountUsd < confirmBetween) tier = "confirm";
   else tier = "explicit";
   if (tier === "auto" && typeof sessionSpendUsd === "number" && sessionSpendUsd + amountUsd > config.autonomousDailyLimit) {
-    return "confirm";
+    tier = "confirm";
+  }
+  if (tier === "auto" && operation === "send" && sendContext?.to && !isKnownContactAddress(sendContext.to, sendContext.contacts ?? [])) {
+    tier = "confirm";
   }
   return tier;
 }
@@ -4497,6 +4559,9 @@ var QueryEngine = class {
   contextSummarizer;
   priceCache;
   permissionConfig;
+  // Saved contacts — consulted by `guardAddressSource` and the permission
+  // tier resolver (sends to non-contact addresses always require confirm).
+  contacts;
   // [v1.4] Session-scoped autonomous spend tracking.
   sessionSpendUsd;
   onAutoExecuted;
@@ -4545,6 +4610,7 @@ var QueryEngine = class {
     this.contextSummarizer = config.contextSummarizer;
     this.priceCache = config.priceCache;
     this.permissionConfig = config.permissionConfig;
+    this.contacts = config.contacts ?? [];
     this.sessionSpendUsd = config.sessionSpendUsd;
     this.onAutoExecuted = config.onAutoExecuted;
     this.onGuardFired = config.onGuardFired;
@@ -5064,11 +5130,13 @@ ${recipeCtx}`;
             const operation = toolNameToOperation(call.name);
             if (operation) {
               const usdValue = resolveUsdValue(call.name, call.input, context.priceCache);
+              const callInput = call.input;
               const tier = resolvePermissionTier(
                 operation,
                 usdValue,
                 context.permissionConfig,
-                context.sessionSpendUsd
+                context.sessionSpendUsd,
+                operation === "send" ? { to: typeof callInput.to === "string" ? callInput.to : void 0, contacts: this.contacts } : void 0
               );
               return tier !== "auto";
             }
@@ -5098,7 +5166,8 @@ ${recipeCtx}`;
             this.guardState,
             this.guardConfig,
             convCtx,
-            this.onGuardFired
+            this.onGuardFired,
+            { contacts: this.contacts, walletAddress: this.walletAddress }
           );
           this.guardEvents.push(...check.events);
           if (check.blocked) {
@@ -5228,7 +5297,8 @@ ${recipeCtx}`;
           this.guardState,
           this.guardConfig,
           convCtx,
-          this.onGuardFired
+          this.onGuardFired,
+          { contacts: this.contacts, walletAddress: this.walletAddress }
         );
         this.guardEvents.push(...check.events);
         if (check.blocked) {