@t2000/engine 0.46.10 → 0.46.12

package/dist/index.d.ts

@@ -219,6 +219,23 @@ interface GuardConfig {
     costWarning?: boolean;
     retryProtection?: boolean;
     inputValidation?: boolean;
+    /**
+     * Root-cause guard for "LLM types a recipient address from memory and
+     * loses funds to a wrong-but-valid address". When enabled (default),
+     * `send_transfer.to` is rejected unless the address can be sourced
+     * from a saved contact, the user's own wallet, or the user's recent
+     * messages. Set to `false` only if the host has its own equivalent
+     * upstream guard (e.g. an off-process verifier).
+     */
+    addressSource?: boolean;
+    /**
+     * Companion to `addressSource`: blocks send_transfer that defaults to
+     * USDC when the user's recent messages clearly named a non-USDC token
+     * (SUI, USDT, WAL, etc.). Without this, the LLM would call
+     * `send_transfer({ amount, to })` for a "send my SUI" request and the
+     * tool would silently ship USDC. Default on.
+     */
+    assetIntent?: boolean;
 }
 declare const DEFAULT_GUARD_CONFIG: GuardConfig;
 declare class BalanceTracker {
@@ -249,6 +266,7 @@ declare function createGuardRunnerState(): GuardRunnerState;
 declare function runGuards(tool: Tool, call: PendingToolCall, state: GuardRunnerState, config: GuardConfig, conversationContext: {
     fullText: string;
     lastAssistantText: string;
+    recentUserText: string;
 }, 
 /**
  * [v1.4 Item 4] Optional per-guard observation hook. Fired exactly
@@ -256,7 +274,21 @@ declare function runGuards(tool: Tool, call: PendingToolCall, state: GuardRunner
  * up in `events`/`injections`/`block`). Errors thrown by the host
  * are caught so a misbehaving collector can't break tool execution.
  */
-onGuardFired?: (guard: GuardMetric) => void): GuardCheckResult;
+onGuardFired?: (guard: GuardMetric) => void, 
+/**
+ * Identity context for the address-source safety guard. The guard
+ * accepts `send_transfer.to` only when sourced from a saved contact,
+ * the user's own wallet, or the user's recent messages — preventing
+ * the LLM from typing addresses from memory and shipping funds to a
+ * wrong-but-syntactically-valid recipient.
+ */
+identity?: {
+    contacts?: ReadonlyArray<{
+        name: string;
+        address: string;
+    }>;
+    walletAddress?: string;
+}): GuardCheckResult;
 declare function updateGuardStateAfterToolResult(toolName: string, tool: Tool | undefined, input: unknown, result: unknown, isError: boolean, state: GuardRunnerState): void;
 declare function extractConversationText(messages: Array<{
     role: string;
@@ -264,6 +296,7 @@ declare function extractConversationText(messages: Array<{
 }>): {
     fullText: string;
     lastAssistantText: string;
+    recentUserText: string;
 };
 
 /**
@@ -366,8 +399,20 @@ declare const PERMISSION_PRESETS: {
  * `config.autonomousDailyLimit`, an otherwise-`auto` tier is downgraded to
  * `confirm`. This is the runtime guard for the daily autonomous spend cap.
  * Tiers above `auto` are returned unchanged.
+ *
+ * Send-safety rule: when `operation === 'send'` and the destination
+ * address is a raw `0x...` (i.e. NOT one of the user's saved contacts),
+ * an otherwise-`auto` tier is downgraded to `confirm` regardless of
+ * amount. This bounds the "LLM/user typo silently ships funds" failure
+ * mode to a single confirmation per recipient — once saved as a contact,
+ * subsequent sends to the same address auto-approve under tier as normal.
  */
-declare function resolvePermissionTier(operation: string, amountUsd: number, config: UserPermissionConfig, sessionSpendUsd?: number): 'auto' | 'confirm' | 'explicit';
+declare function resolvePermissionTier(operation: string, amountUsd: number, config: UserPermissionConfig, sessionSpendUsd?: number, sendContext?: {
+    to?: string;
+    contacts?: ReadonlyArray<{
+        address: string;
+    }>;
+}): 'auto' | 'confirm' | 'explicit';
 declare function toolNameToOperation(toolName: string): PermissionOperation | undefined;
 /**
  * Resolve the USD value of a tool call from its inputs.
@@ -698,6 +743,18 @@ interface EngineConfig {
     priceCache?: Map<string, number>;
     /** Per-user permission config for USD-threshold write tool gating (B.4). */
     permissionConfig?: UserPermissionConfig;
+    /**
+     * Saved contacts for the current user. Used by `guardAddressSource`
+     * (a saved contact's address is considered a trusted source for
+     * `send_transfer.to`) and by `permission-rules.resolvePermissionTier`
+     * (sends to non-contact addresses always require confirmation,
+     * regardless of amount). Hosts SHOULD also surface these in the
+     * dynamic system prompt block so the LLM can resolve "send to <name>".
+     */
+    contacts?: ReadonlyArray<{
+        name: string;
+        address: string;
+    }>;
     /**
      * [v1.4] Cumulative USD already auto-executed in the current session.
      * Forwarded to `ToolContext` and consulted by `resolvePermissionTier` to
@@ -880,6 +937,7 @@ declare class QueryEngine {
     private readonly contextSummarizer;
     private readonly priceCache;
     private readonly permissionConfig;
+    private readonly contacts;
     private readonly sessionSpendUsd;
     private readonly onAutoExecuted;
     private readonly onGuardFired;
@@ -1810,13 +1868,15 @@ declare const withdrawTool: Tool<{
 }>;
 
 declare const sendTransferTool: Tool<{
-    amount: number;
     to: string;
+    amount: number;
+    asset?: string | undefined;
     memo?: string | undefined;
 }, {
     success: boolean;
     tx: string;
     amount: number;
+    asset: "USDC" | "USDT" | "SUI" | "USDe" | "USDsui" | "WAL" | "ETH" | "NAVX" | "GOLD";
     to: string;
     contactName: string | undefined;
     gasCost: number;
@@ -1879,8 +1939,8 @@ declare const mppServicesTool: Tool<{
 }, Record<string, unknown>>;
 
 declare const swapExecuteTool: Tool<{
-    amount: number;
     to: string;
+    amount: number;
     from: string;
     byAmountIn?: boolean | undefined;
     slippage?: number | undefined;
@@ -1896,8 +1956,8 @@ declare const swapExecuteTool: Tool<{
 }>;
 
 declare const swapQuoteTool: Tool<{
-    amount: number;
     to: string;
+    amount: number;
     from: string;
     byAmountIn?: boolean | undefined;
 }, _t2000_sdk.SwapQuoteResult>;

package/dist/index.js

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { resolveSymbol, getDecimalsForCoinType, assertAllowedAsset, getSwapQuote, extractTransferDetails, classifyTransaction } from '@t2000/sdk';
+import { ALL_NAVI_ASSETS, resolveSymbol, getDecimalsForCoinType, assertAllowedAsset, SUPPORTED_ASSETS, getSwapQuote, extractTransferDetails, classifyTransaction } from '@t2000/sdk';
 import { readdirSync, readFileSync } from 'fs';
 import { join } from 'path';
 import yaml from 'js-yaml';
@@ -1447,12 +1447,14 @@ var withdrawTool = buildTool({
     };
   }
 });
+var ASSET_LIST = ALL_NAVI_ASSETS.map((a) => String(a)).join(", ");
 var sendTransferTool = buildTool({
   name: "send_transfer",
-  description: "Send USDC to another Sui address or contact name. Validates the address, checks balance, and executes the on-chain transfer. Returns tx hash, gas cost, and updated balance.",
+  description: `Send ANY supported token (${ASSET_LIST}) to another Sui address or contact name. Validates the address, checks balance, and executes the on-chain transfer. MUST set the \`asset\` field to the token symbol you want to send (case-insensitive). If \`asset\` is omitted, USDC is assumed \u2014 only do this when the user explicitly asks for USDC. When the user asks to send a token by name (SUI, USDT, etc.) or to send the proceeds of a just-completed swap, you MUST pass \`asset\` matching that token. Returns tx hash, gas cost, and updated balance.`,
   inputSchema: z.object({
     to: z.string().min(1),
     amount: z.number().positive(),
+    asset: z.string().optional(),
     memo: z.string().optional()
   }),
   jsonSchema: {
@@ -1464,7 +1466,11 @@ var sendTransferTool = buildTool({
       },
       amount: {
         type: "number",
-        description: "Amount in USD to send"
+        description: "Amount of the asset to send (denominated in the asset\u2019s own units, NOT USD). For USDC this is the USDC count; for SUI this is the SUI count."
+      },
+      asset: {
+        type: "string",
+        description: `Token symbol to send. One of: ${ASSET_LIST}. Defaults to USDC if omitted. REQUIRED whenever the user names a non-USDC token or you are forwarding the proceeds of a swap.`
       },
       memo: {
         type: "string",
@@ -1487,16 +1493,27 @@ var sendTransferTool = buildTool({
     if (input.amount <= 0) {
       return { valid: false, error: "Amount must be positive." };
     }
+    if (input.asset !== void 0) {
+      const normalized = String(input.asset).toUpperCase();
+      if (!(normalized in SUPPORTED_ASSETS)) {
+        return {
+          valid: false,
+          error: `Unsupported asset "${input.asset}". send_transfer accepts: ${ASSET_LIST}.`
+        };
+      }
+    }
     return { valid: true };
   },
   async call(input, context) {
     const agent = requireAgent(context);
-    const result = await agent.send({ to: input.to, amount: input.amount });
+    const asset = input.asset ? String(input.asset).toUpperCase() : "USDC";
+    const result = await agent.send({ to: input.to, amount: input.amount, asset });
     return {
       data: {
         success: result.success,
         tx: result.tx,
         amount: result.amount,
+        asset,
         to: result.to,
         contactName: result.contactName,
         gasCost: result.gasCost,
@@ -1504,7 +1521,7 @@ var sendTransferTool = buildTool({
         balance: result.balance,
         memo: input.memo ?? null
       },
-      displayText: `Sent $${result.amount.toFixed(2)} to ${result.contactName ?? result.to.slice(0, 10)}\u2026 (tx: ${result.tx.slice(0, 8)}\u2026)`
+      displayText: `Sent ${result.amount} ${asset} to ${result.contactName ?? `${result.to.slice(0, 10)}\u2026`} (tx: ${result.tx.slice(0, 8)}\u2026)`
     };
   }
 });
@@ -3609,7 +3626,9 @@ var DEFAULT_GUARD_CONFIG = {
   artifactPreview: true,
   costWarning: true,
   retryProtection: true,
-  inputValidation: true
+  inputValidation: true,
+  addressSource: true,
+  assetIntent: true
 };
 var BalanceTracker = class {
   lastBalanceAt = 0;
@@ -3666,7 +3685,7 @@ function guardIrreversibility(tool, _call, conversationText) {
   if (!tool.flags.irreversible) {
     return { verdict: "pass", gate: "irreversibility", tier: "safety" };
   }
-  const hasPreview = /preview|here.s what|confirm.*send|looks? good/i.test(conversationText);
+  const hasPreview = /preview|here.{0,2}s what|confirm.{0,200}send|looks? good/i.test(conversationText);
   if (hasPreview) {
     return { verdict: "pass", gate: "irreversibility", tier: "safety" };
   }
@@ -3762,7 +3781,7 @@ function guardSlippage(tool, _call, lastAssistantText) {
   if (tool.name !== "swap_execute") {
     return { verdict: "pass", gate: "slippage_warning", tier: "financial" };
   }
-  const hasEstimate = /~?\$?[\d,]+\.?\d*\s*(SUI|USDC|USDT|WETH)/i.test(lastAssistantText) || /approximately|≈|about|expect|receive/i.test(lastAssistantText);
+  const hasEstimate = /~?\$?\d[\d,]{0,30}(?:\.\d{1,10})?\s*(SUI|USDC|USDT|WETH)/i.test(lastAssistantText) || /approximately|≈|about|expect|receive/i.test(lastAssistantText);
   if (hasEstimate) {
     return { verdict: "pass", gate: "slippage_warning", tier: "financial" };
   }
@@ -3788,6 +3807,72 @@ function guardCostWarning(tool, _call, conversationText) {
     message: "This action has a monetary cost. Confirm the user is aware before proceeding."
   };
 }
+var SUI_ADDRESS_REGEX = /^0x[a-fA-F0-9]{64}$/;
+function normalizeAddress(addr) {
+  return addr.trim().toLowerCase();
+}
+var NON_USDC_TOKEN_WORDS = [
+  // Patterns are anchored with \b on both sides. Case-insensitive.
+  { symbol: "SUI", pattern: /\bSUI\b/i },
+  { symbol: "USDT", pattern: /\bUSDT\b/i },
+  { symbol: "USDe", pattern: /\bUSDe\b/i },
+  { symbol: "USDsui", pattern: /\bUSDsui\b/i },
+  { symbol: "WAL", pattern: /\bWAL\b/i },
+  { symbol: "ETH", pattern: /\bETH\b/i },
+  { symbol: "NAVX", pattern: /\bNAVX\b/i },
+  { symbol: "GOLD", pattern: /\bGOLD\b/i }
+];
+function guardAssetIntent(tool, call, userText) {
+  if (tool.name !== "send_transfer") {
+    return { verdict: "pass", gate: "asset_intent", tier: "safety" };
+  }
+  const input = call.input;
+  const assetWasSet = !(input.asset === void 0 || input.asset === null || input.asset === "");
+  if (assetWasSet) {
+    return { verdict: "pass", gate: "asset_intent", tier: "safety" };
+  }
+  const mentioned = NON_USDC_TOKEN_WORDS.find((t) => t.pattern.test(userText));
+  if (!mentioned) {
+    return { verdict: "pass", gate: "asset_intent", tier: "safety" };
+  }
+  return {
+    verdict: "block",
+    gate: "asset_intent",
+    tier: "safety",
+    message: `Asset mismatch: the user's recent messages mention "${mentioned.symbol}" but send_transfer was called without an \`asset\` field (defaults to USDC). If the user asked you to send ${mentioned.symbol}, re-issue send_transfer with \`asset: "${mentioned.symbol}"\`. If the user really meant USDC, set \`asset: "USDC"\` explicitly to confirm intent. Never default to USDC when the user named a different token.`
+  };
+}
+function guardAddressSource(tool, call, userText, contacts, walletAddress) {
+  if (tool.name !== "send_transfer") {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  const input = call.input;
+  const rawTo = String(input.to ?? "");
+  if (!rawTo) {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  if (!SUI_ADDRESS_REGEX.test(rawTo)) {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  const normalizedTo = normalizeAddress(rawTo);
+  if (walletAddress && normalizeAddress(walletAddress) === normalizedTo) {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  for (const c of contacts) {
+    if (normalizeAddress(c.address) === normalizedTo) {
+      return { verdict: "pass", gate: "address_source", tier: "safety" };
+    }
+  }
+  if (userText.toLowerCase().includes(normalizedTo)) {
+    return { verdict: "pass", gate: "address_source", tier: "safety" };
+  }
+  return {
+    verdict: "block",
+    gate: "address_source",
+    tier: "safety",
+    message: `Safety check failed: the recipient address "${rawTo}" was not provided by the user (no saved contact matches, address is not the user's own wallet, and it does not appear verbatim in the user's recent messages). For safety, addresses must be supplied directly by the user \u2014 never reconstructed from memory or partial recall. Ask the user to paste the destination address again exactly.`
+  };
+}
 function guardArtifactPreview(result) {
   if (!result || typeof result !== "object") return null;
   const r = result;
@@ -3815,7 +3900,7 @@ function createGuardRunnerState() {
     lastHealthFactor: null
   };
 }
-function runGuards(tool, call, state, config, conversationContext, onGuardFired) {
+function runGuards(tool, call, state, config, conversationContext, onGuardFired, identity) {
   const results = [];
   const now = Date.now();
   const fire = (verdict, tier, gate, hadInjection) => {
@@ -3856,6 +3941,20 @@ function runGuards(tool, call, state, config, conversationContext, onGuardFired)
   if (config.retryProtection !== false) {
     results.push(guardRetryProtection(tool, call, state.retryTracker));
   }
+  if (config.addressSource !== false) {
+    results.push(
+      guardAddressSource(
+        tool,
+        call,
+        conversationContext.recentUserText,
+        identity?.contacts ?? [],
+        identity?.walletAddress
+      )
+    );
+  }
+  if (config.assetIntent !== false) {
+    results.push(guardAssetIntent(tool, call, conversationContext.recentUserText));
+  }
   if (config.irreversibility !== false) {
     results.push(guardIrreversibility(tool, call, conversationContext.fullText));
   }
@@ -3926,6 +4025,7 @@ function updateGuardStateAfterToolResult(toolName, tool, input, result, isError,
 }
 function extractConversationText(messages) {
   const textParts = [];
+  const userParts = [];
   let lastAssistantText = "";
   for (const msg of messages) {
     if (!Array.isArray(msg.content)) continue;
@@ -3934,13 +4034,19 @@ function extractConversationText(messages) {
         textParts.push(block.text);
         if (msg.role === "assistant") {
           lastAssistantText = block.text;
+        } else if (msg.role === "user") {
+          userParts.push(block.text);
         }
       }
     }
   }
+  const recentUserParts = userParts.slice(-10);
+  const MAX_REGEX_INPUT = 16 * 1024;
+  const cap = (s) => s.length <= MAX_REGEX_INPUT ? s : s.slice(-MAX_REGEX_INPUT);
   return {
-    fullText: textParts.join("\n"),
-    lastAssistantText
+    fullText: cap(textParts.join("\n")),
+    lastAssistantText: cap(lastAssistantText),
+    recentUserText: cap(recentUserParts.join("\n"))
   };
 }
 
@@ -4240,7 +4346,12 @@ var PERMISSION_PRESETS = {
     ]
   }
 };
-function resolvePermissionTier(operation, amountUsd, config, sessionSpendUsd) {
+function isKnownContactAddress(to, contacts) {
+  if (!to) return false;
+  const normalized = to.trim().toLowerCase();
+  return contacts.some((c) => c.address.trim().toLowerCase() === normalized);
+}
+function resolvePermissionTier(operation, amountUsd, config, sessionSpendUsd, sendContext) {
   const rule = config.rules.find((r) => r.operation === operation);
   const autoBelow = rule?.autoBelow ?? config.globalAutoBelow;
   const confirmBetween = rule?.confirmBetween ?? 1e3;
@@ -4249,7 +4360,10 @@ function resolvePermissionTier(operation, amountUsd, config, sessionSpendUsd) {
   else if (amountUsd < confirmBetween) tier = "confirm";
   else tier = "explicit";
   if (tier === "auto" && typeof sessionSpendUsd === "number" && sessionSpendUsd + amountUsd > config.autonomousDailyLimit) {
-    return "confirm";
+    tier = "confirm";
+  }
+  if (tier === "auto" && operation === "send" && sendContext?.to && !isKnownContactAddress(sendContext.to, sendContext.contacts ?? [])) {
+    tier = "confirm";
   }
   return tier;
 }
@@ -4497,6 +4611,9 @@ var QueryEngine = class {
   contextSummarizer;
   priceCache;
   permissionConfig;
+  // Saved contacts — consulted by `guardAddressSource` and the permission
+  // tier resolver (sends to non-contact addresses always require confirm).
+  contacts;
   // [v1.4] Session-scoped autonomous spend tracking.
   sessionSpendUsd;
   onAutoExecuted;
@@ -4545,6 +4662,7 @@ var QueryEngine = class {
     this.contextSummarizer = config.contextSummarizer;
     this.priceCache = config.priceCache;
     this.permissionConfig = config.permissionConfig;
+    this.contacts = config.contacts ?? [];
     this.sessionSpendUsd = config.sessionSpendUsd;
     this.onAutoExecuted = config.onAutoExecuted;
     this.onGuardFired = config.onGuardFired;
@@ -5064,11 +5182,13 @@ ${recipeCtx}`;
             const operation = toolNameToOperation(call.name);
             if (operation) {
               const usdValue = resolveUsdValue(call.name, call.input, context.priceCache);
+              const callInput = call.input;
               const tier = resolvePermissionTier(
                 operation,
                 usdValue,
                 context.permissionConfig,
-                context.sessionSpendUsd
+                context.sessionSpendUsd,
+                operation === "send" ? { to: typeof callInput.to === "string" ? callInput.to : void 0, contacts: this.contacts } : void 0
               );
               return tier !== "auto";
             }
@@ -5098,7 +5218,8 @@ ${recipeCtx}`;
             this.guardState,
             this.guardConfig,
             convCtx,
-            this.onGuardFired
+            this.onGuardFired,
+            { contacts: this.contacts, walletAddress: this.walletAddress }
           );
           this.guardEvents.push(...check.events);
           if (check.blocked) {
@@ -5228,7 +5349,8 @@ ${recipeCtx}`;
           this.guardState,
           this.guardConfig,
           convCtx,
-          this.onGuardFired
+          this.onGuardFired,
+          { contacts: this.contacts, walletAddress: this.walletAddress }
         );
         this.guardEvents.push(...check.events);
         if (check.blocked) {