npm - @usesigil/kit - Versions diffs - 0.1.0 - Mend

@usesigil/kit 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (631) hide show

package/LICENSE +191 -0
package/README.md +190 -0
package/dist/advanced-analytics.d.ts +118 -0
package/dist/advanced-analytics.d.ts.map +1 -0
package/dist/advanced-analytics.js +341 -0
package/dist/advanced-analytics.js.map +1 -0
package/dist/agent-analytics.d.ts +76 -0
package/dist/agent-analytics.d.ts.map +1 -0
package/dist/agent-analytics.js +179 -0
package/dist/agent-analytics.js.map +1 -0
package/dist/agent-errors.d.ts +151 -0
package/dist/agent-errors.d.ts.map +1 -0
package/dist/agent-errors.js +2001 -0
package/dist/agent-errors.js.map +1 -0
package/dist/alt-config.d.ts +43 -0
package/dist/alt-config.d.ts.map +1 -0
package/dist/alt-config.js +78 -0
package/dist/alt-config.js.map +1 -0
package/dist/alt-loader.d.ts +47 -0
package/dist/alt-loader.d.ts.map +1 -0
package/dist/alt-loader.js +143 -0
package/dist/alt-loader.js.map +1 -0
package/dist/balance-tracker.d.ts +87 -0
package/dist/balance-tracker.d.ts.map +1 -0
package/dist/balance-tracker.js +181 -0
package/dist/balance-tracker.js.map +1 -0
package/dist/composer.d.ts +56 -0
package/dist/composer.d.ts.map +1 -0
package/dist/composer.js +77 -0
package/dist/composer.js.map +1 -0
package/dist/core/engine.d.ts +17 -0
package/dist/core/engine.d.ts.map +1 -0
package/dist/core/engine.js +177 -0
package/dist/core/engine.js.map +1 -0
package/dist/core/errors.d.ts +24 -0
package/dist/core/errors.d.ts.map +1 -0
package/dist/core/errors.js +16 -0
package/dist/core/errors.js.map +1 -0
package/dist/core/index.d.ts +9 -0
package/dist/core/index.d.ts.map +1 -0
package/dist/core/index.js +10 -0
package/dist/core/index.js.map +1 -0
package/dist/core/policies.d.ts +75 -0
package/dist/core/policies.d.ts.map +1 -0
package/dist/core/policies.js +126 -0
package/dist/core/policies.js.map +1 -0
package/dist/core/registry.d.ts +29 -0
package/dist/core/registry.d.ts.map +1 -0
package/dist/core/registry.js +125 -0
package/dist/core/registry.js.map +1 -0
package/dist/core/state.d.ts +71 -0
package/dist/core/state.d.ts.map +1 -0
package/dist/core/state.js +169 -0
package/dist/core/state.js.map +1 -0
package/dist/create-vault.d.ts +58 -0
package/dist/create-vault.d.ts.map +1 -0
package/dist/create-vault.js +90 -0
package/dist/create-vault.js.map +1 -0
package/dist/custody-adapter.d.ts +54 -0
package/dist/custody-adapter.d.ts.map +1 -0
package/dist/custody-adapter.js +45 -0
package/dist/custody-adapter.js.map +1 -0
package/dist/event-analytics.d.ts +45 -0
package/dist/event-analytics.d.ts.map +1 -0
package/dist/event-analytics.js +277 -0
package/dist/event-analytics.js.map +1 -0
package/dist/events.d.ts +56 -0
package/dist/events.d.ts.map +1 -0
package/dist/events.js +151 -0
package/dist/events.js.map +1 -0
package/dist/formatting.d.ts +103 -0
package/dist/formatting.d.ts.map +1 -0
package/dist/formatting.js +244 -0
package/dist/formatting.js.map +1 -0
package/dist/generated/accounts/agentSpendOverlay.d.ts +54 -0
package/dist/generated/accounts/agentSpendOverlay.d.ts.map +1 -0
package/dist/generated/accounts/agentSpendOverlay.js +74 -0
package/dist/generated/accounts/agentSpendOverlay.js.map +1 -0
package/dist/generated/accounts/agentVault.d.ts +95 -0
package/dist/generated/accounts/agentVault.d.ts.map +1 -0
package/dist/generated/accounts/agentVault.js +83 -0
package/dist/generated/accounts/agentVault.js.map +1 -0
package/dist/generated/accounts/escrowDeposit.d.ts +50 -0
package/dist/generated/accounts/escrowDeposit.d.ts.map +1 -0
package/dist/generated/accounts/escrowDeposit.js +76 -0
package/dist/generated/accounts/escrowDeposit.js.map +1 -0
package/dist/generated/accounts/index.d.ts +17 -0
package/dist/generated/accounts/index.d.ts.map +1 -0
package/dist/generated/accounts/index.js +17 -0
package/dist/generated/accounts/index.js.map +1 -0
package/dist/generated/accounts/instructionConstraints.d.ts +37 -0
package/dist/generated/accounts/instructionConstraints.d.ts.map +1 -0
package/dist/generated/accounts/instructionConstraints.js +64 -0
package/dist/generated/accounts/instructionConstraints.js.map +1 -0
package/dist/generated/accounts/pendingConstraintsUpdate.d.ts +53 -0
package/dist/generated/accounts/pendingConstraintsUpdate.d.ts.map +1 -0
package/dist/generated/accounts/pendingConstraintsUpdate.js +68 -0
package/dist/generated/accounts/pendingConstraintsUpdate.js.map +1 -0
package/dist/generated/accounts/pendingPolicyUpdate.d.ts +72 -0
package/dist/generated/accounts/pendingPolicyUpdate.d.ts.map +1 -0
package/dist/generated/accounts/pendingPolicyUpdate.js +97 -0
package/dist/generated/accounts/pendingPolicyUpdate.js.map +1 -0
package/dist/generated/accounts/policyConfig.d.ts +180 -0
package/dist/generated/accounts/policyConfig.d.ts.map +1 -0
package/dist/generated/accounts/policyConfig.js +88 -0
package/dist/generated/accounts/policyConfig.js.map +1 -0
package/dist/generated/accounts/sessionAuthority.d.ts +104 -0
package/dist/generated/accounts/sessionAuthority.d.ts.map +1 -0
package/dist/generated/accounts/sessionAuthority.js +86 -0
package/dist/generated/accounts/sessionAuthority.js.map +1 -0
package/dist/generated/accounts/spendTracker.d.ts +60 -0
package/dist/generated/accounts/spendTracker.d.ts.map +1 -0
package/dist/generated/accounts/spendTracker.js +74 -0
package/dist/generated/accounts/spendTracker.js.map +1 -0
package/dist/generated/errors/index.d.ts +9 -0
package/dist/generated/errors/index.d.ts.map +1 -0
package/dist/generated/errors/index.js +9 -0
package/dist/generated/errors/index.js.map +1 -0
package/dist/generated/errors/sigil.d.ts +162 -0
package/dist/generated/errors/sigil.d.ts.map +1 -0
package/dist/generated/errors/sigil.js +237 -0
package/dist/generated/errors/sigil.js.map +1 -0
package/dist/generated/event-discriminators.d.ts +2 -0
package/dist/generated/event-discriminators.d.ts.map +1 -0
package/dist/generated/event-discriminators.js +39 -0
package/dist/generated/event-discriminators.js.map +1 -0
package/dist/generated/index.d.ts +13 -0
package/dist/generated/index.d.ts.map +1 -0
package/dist/generated/index.js +13 -0
package/dist/generated/index.js.map +1 -0
package/dist/generated/instructions/agentTransfer.d.ts +109 -0
package/dist/generated/instructions/agentTransfer.d.ts.map +1 -0
package/dist/generated/instructions/agentTransfer.js +211 -0
package/dist/generated/instructions/agentTransfer.js.map +1 -0
package/dist/generated/instructions/applyConstraintsUpdate.d.ts +55 -0
package/dist/generated/instructions/applyConstraintsUpdate.d.ts.map +1 -0
package/dist/generated/instructions/applyConstraintsUpdate.js +129 -0
package/dist/generated/instructions/applyConstraintsUpdate.js.map +1 -0
package/dist/generated/instructions/applyPendingPolicy.d.ts +55 -0
package/dist/generated/instructions/applyPendingPolicy.d.ts.map +1 -0
package/dist/generated/instructions/applyPendingPolicy.js +122 -0
package/dist/generated/instructions/applyPendingPolicy.js.map +1 -0
package/dist/generated/instructions/cancelConstraintsUpdate.d.ts +51 -0
package/dist/generated/instructions/cancelConstraintsUpdate.d.ts.map +1 -0
package/dist/generated/instructions/cancelConstraintsUpdate.js +115 -0
package/dist/generated/instructions/cancelConstraintsUpdate.js.map +1 -0
package/dist/generated/instructions/cancelPendingPolicy.d.ts +55 -0
package/dist/generated/instructions/cancelPendingPolicy.d.ts.map +1 -0
package/dist/generated/instructions/cancelPendingPolicy.js +122 -0
package/dist/generated/instructions/cancelPendingPolicy.js.map +1 -0
package/dist/generated/instructions/closeInstructionConstraints.d.ts +55 -0
package/dist/generated/instructions/closeInstructionConstraints.d.ts.map +1 -0
package/dist/generated/instructions/closeInstructionConstraints.js +120 -0
package/dist/generated/instructions/closeInstructionConstraints.js.map +1 -0
package/dist/generated/instructions/closeSettledEscrow.d.ts +72 -0
package/dist/generated/instructions/closeSettledEscrow.d.ts.map +1 -0
package/dist/generated/instructions/closeSettledEscrow.js +127 -0
package/dist/generated/instructions/closeSettledEscrow.js.map +1 -0
package/dist/generated/instructions/closeVault.d.ts +69 -0
package/dist/generated/instructions/closeVault.d.ts.map +1 -0
package/dist/generated/instructions/closeVault.js +142 -0
package/dist/generated/instructions/closeVault.js.map +1 -0
package/dist/generated/instructions/createEscrow.d.ts +131 -0
package/dist/generated/instructions/createEscrow.d.ts.map +1 -0
package/dist/generated/instructions/createEscrow.js +272 -0
package/dist/generated/instructions/createEscrow.js.map +1 -0
package/dist/generated/instructions/createInstructionConstraints.d.ts +69 -0
package/dist/generated/instructions/createInstructionConstraints.d.ts.map +1 -0
package/dist/generated/instructions/createInstructionConstraints.js +145 -0
package/dist/generated/instructions/createInstructionConstraints.js.map +1 -0
package/dist/generated/instructions/depositFunds.d.ts +82 -0
package/dist/generated/instructions/depositFunds.d.ts.map +1 -0
package/dist/generated/instructions/depositFunds.js +198 -0
package/dist/generated/instructions/depositFunds.js.map +1 -0
package/dist/generated/instructions/finalizeSession.d.ts +126 -0
package/dist/generated/instructions/finalizeSession.d.ts.map +1 -0
package/dist/generated/instructions/finalizeSession.js +218 -0
package/dist/generated/instructions/finalizeSession.js.map +1 -0
package/dist/generated/instructions/freezeVault.d.ts +40 -0
package/dist/generated/instructions/freezeVault.d.ts.map +1 -0
package/dist/generated/instructions/freezeVault.js +66 -0
package/dist/generated/instructions/freezeVault.js.map +1 -0
package/dist/generated/instructions/index.d.ts +37 -0
package/dist/generated/instructions/index.d.ts.map +1 -0
package/dist/generated/instructions/index.js +37 -0
package/dist/generated/instructions/index.js.map +1 -0
package/dist/generated/instructions/initializeVault.d.ts +122 -0
package/dist/generated/instructions/initializeVault.d.ts.map +1 -0
package/dist/generated/instructions/initializeVault.js +187 -0
package/dist/generated/instructions/initializeVault.js.map +1 -0
package/dist/generated/instructions/pauseAgent.d.ts +44 -0
package/dist/generated/instructions/pauseAgent.d.ts.map +1 -0
package/dist/generated/instructions/pauseAgent.js +72 -0
package/dist/generated/instructions/pauseAgent.js.map +1 -0
package/dist/generated/instructions/queueConstraintsUpdate.d.ts +73 -0
package/dist/generated/instructions/queueConstraintsUpdate.d.ts.map +1 -0
package/dist/generated/instructions/queueConstraintsUpdate.js +168 -0
package/dist/generated/instructions/queueConstraintsUpdate.js.map +1 -0
package/dist/generated/instructions/queuePolicyUpdate.d.ts +116 -0
package/dist/generated/instructions/queuePolicyUpdate.d.ts.map +1 -0
package/dist/generated/instructions/queuePolicyUpdate.js +173 -0
package/dist/generated/instructions/queuePolicyUpdate.js.map +1 -0
package/dist/generated/instructions/reactivateVault.d.ts +47 -0
package/dist/generated/instructions/reactivateVault.d.ts.map +1 -0
package/dist/generated/instructions/reactivateVault.js +74 -0
package/dist/generated/instructions/reactivateVault.js.map +1 -0
package/dist/generated/instructions/refundEscrow.d.ts +74 -0
package/dist/generated/instructions/refundEscrow.d.ts.map +1 -0
package/dist/generated/instructions/refundEscrow.js +142 -0
package/dist/generated/instructions/refundEscrow.js.map +1 -0
package/dist/generated/instructions/registerAgent.d.ts +55 -0
package/dist/generated/instructions/registerAgent.d.ts.map +1 -0
package/dist/generated/instructions/registerAgent.js +85 -0
package/dist/generated/instructions/registerAgent.js.map +1 -0
package/dist/generated/instructions/revokeAgent.d.ts +49 -0
package/dist/generated/instructions/revokeAgent.d.ts.map +1 -0
package/dist/generated/instructions/revokeAgent.js +81 -0
package/dist/generated/instructions/revokeAgent.js.map +1 -0
package/dist/generated/instructions/settleEscrow.d.ts +80 -0
package/dist/generated/instructions/settleEscrow.d.ts.map +1 -0
package/dist/generated/instructions/settleEscrow.js +173 -0
package/dist/generated/instructions/settleEscrow.js.map +1 -0
package/dist/generated/instructions/syncPositions.d.ts +44 -0
package/dist/generated/instructions/syncPositions.d.ts.map +1 -0
package/dist/generated/instructions/syncPositions.js +72 -0
package/dist/generated/instructions/syncPositions.js.map +1 -0
package/dist/generated/instructions/unpauseAgent.d.ts +44 -0
package/dist/generated/instructions/unpauseAgent.d.ts.map +1 -0
package/dist/generated/instructions/unpauseAgent.js +72 -0
package/dist/generated/instructions/unpauseAgent.js.map +1 -0
package/dist/generated/instructions/updateAgentPermissions.d.ts +68 -0
package/dist/generated/instructions/updateAgentPermissions.d.ts.map +1 -0
package/dist/generated/instructions/updateAgentPermissions.js +139 -0
package/dist/generated/instructions/updateAgentPermissions.js.map +1 -0
package/dist/generated/instructions/updateInstructionConstraints.d.ts +65 -0
package/dist/generated/instructions/updateInstructionConstraints.d.ts.map +1 -0
package/dist/generated/instructions/updateInstructionConstraints.js +131 -0
package/dist/generated/instructions/updateInstructionConstraints.js.map +1 -0
package/dist/generated/instructions/updatePolicy.d.ts +108 -0
package/dist/generated/instructions/updatePolicy.d.ts.map +1 -0
package/dist/generated/instructions/updatePolicy.js +143 -0
package/dist/generated/instructions/updatePolicy.js.map +1 -0
package/dist/generated/instructions/validateAndAuthorize.d.ts +171 -0
package/dist/generated/instructions/validateAndAuthorize.d.ts.map +1 -0
package/dist/generated/instructions/validateAndAuthorize.js +271 -0
package/dist/generated/instructions/validateAndAuthorize.js.map +1 -0
package/dist/generated/instructions/withdrawFunds.d.ts +74 -0
package/dist/generated/instructions/withdrawFunds.d.ts.map +1 -0
package/dist/generated/instructions/withdrawFunds.js +166 -0
package/dist/generated/instructions/withdrawFunds.js.map +1 -0
package/dist/generated/programs/index.d.ts +9 -0
package/dist/generated/programs/index.d.ts.map +1 -0
package/dist/generated/programs/index.js +9 -0
package/dist/generated/programs/index.js.map +1 -0
package/dist/generated/programs/sigil.d.ts +173 -0
package/dist/generated/programs/sigil.d.ts.map +1 -0
package/dist/generated/programs/sigil.js +443 -0
package/dist/generated/programs/sigil.js.map +1 -0
package/dist/generated/types/accountConstraint.d.ts +18 -0
package/dist/generated/types/accountConstraint.d.ts.map +1 -0
package/dist/generated/types/accountConstraint.js +24 -0
package/dist/generated/types/accountConstraint.js.map +1 -0
package/dist/generated/types/actionAuthorized.d.ts +39 -0
package/dist/generated/types/actionAuthorized.d.ts.map +1 -0
package/dist/generated/types/actionAuthorized.js +43 -0
package/dist/generated/types/actionAuthorized.js.map +1 -0
package/dist/generated/types/actionType.d.ts +37 -0
package/dist/generated/types/actionType.d.ts.map +1 -0
package/dist/generated/types/actionType.js +43 -0
package/dist/generated/types/actionType.js.map +1 -0
package/dist/generated/types/agentContributionEntry.d.ts +49 -0
package/dist/generated/types/agentContributionEntry.d.ts.map +1 -0
package/dist/generated/types/agentContributionEntry.js +26 -0
package/dist/generated/types/agentContributionEntry.js.map +1 -0
package/dist/generated/types/agentEntry.d.ts +24 -0
package/dist/generated/types/agentEntry.d.ts.map +1 -0
package/dist/generated/types/agentEntry.js +28 -0
package/dist/generated/types/agentEntry.js.map +1 -0
package/dist/generated/types/agentPausedEvent.d.ts +22 -0
package/dist/generated/types/agentPausedEvent.d.ts.map +1 -0
package/dist/generated/types/agentPausedEvent.js +26 -0
package/dist/generated/types/agentPausedEvent.js.map +1 -0
package/dist/generated/types/agentPermissionsUpdated.d.ts +24 -0
package/dist/generated/types/agentPermissionsUpdated.d.ts.map +1 -0
package/dist/generated/types/agentPermissionsUpdated.js +28 -0
package/dist/generated/types/agentPermissionsUpdated.js.map +1 -0
package/dist/generated/types/agentRegistered.d.ts +26 -0
package/dist/generated/types/agentRegistered.d.ts.map +1 -0
package/dist/generated/types/agentRegistered.js +30 -0
package/dist/generated/types/agentRegistered.js.map +1 -0
package/dist/generated/types/agentRevoked.d.ts +24 -0
package/dist/generated/types/agentRevoked.d.ts.map +1 -0
package/dist/generated/types/agentRevoked.js +28 -0
package/dist/generated/types/agentRevoked.js.map +1 -0
package/dist/generated/types/agentSpendLimitChecked.d.ts +28 -0
package/dist/generated/types/agentSpendLimitChecked.d.ts.map +1 -0
package/dist/generated/types/agentSpendLimitChecked.js +32 -0
package/dist/generated/types/agentSpendLimitChecked.js.map +1 -0
package/dist/generated/types/agentTransferExecuted.d.ts +24 -0
package/dist/generated/types/agentTransferExecuted.d.ts.map +1 -0
package/dist/generated/types/agentTransferExecuted.js +28 -0
package/dist/generated/types/agentTransferExecuted.js.map +1 -0
package/dist/generated/types/agentUnpausedEvent.d.ts +22 -0
package/dist/generated/types/agentUnpausedEvent.d.ts.map +1 -0
package/dist/generated/types/agentUnpausedEvent.js +26 -0
package/dist/generated/types/agentUnpausedEvent.js.map +1 -0
package/dist/generated/types/constraintEntry.d.ts +23 -0
package/dist/generated/types/constraintEntry.d.ts.map +1 -0
package/dist/generated/types/constraintEntry.js +27 -0
package/dist/generated/types/constraintEntry.js.map +1 -0
package/dist/generated/types/constraintOperator.d.ts +22 -0
package/dist/generated/types/constraintOperator.d.ts.map +1 -0
package/dist/generated/types/constraintOperator.js +28 -0
package/dist/generated/types/constraintOperator.js.map +1 -0
package/dist/generated/types/constraintsChangeApplied.d.ts +20 -0
package/dist/generated/types/constraintsChangeApplied.d.ts.map +1 -0
package/dist/generated/types/constraintsChangeApplied.js +24 -0
package/dist/generated/types/constraintsChangeApplied.js.map +1 -0
package/dist/generated/types/constraintsChangeCancelled.d.ts +16 -0
package/dist/generated/types/constraintsChangeCancelled.d.ts.map +1 -0
package/dist/generated/types/constraintsChangeCancelled.js +18 -0
package/dist/generated/types/constraintsChangeCancelled.js.map +1 -0
package/dist/generated/types/constraintsChangeQueued.d.ts +20 -0
package/dist/generated/types/constraintsChangeQueued.d.ts.map +1 -0
package/dist/generated/types/constraintsChangeQueued.js +24 -0
package/dist/generated/types/constraintsChangeQueued.js.map +1 -0
package/dist/generated/types/dataConstraint.d.ts +23 -0
package/dist/generated/types/dataConstraint.d.ts.map +1 -0
package/dist/generated/types/dataConstraint.js +27 -0
package/dist/generated/types/dataConstraint.js.map +1 -0
package/dist/generated/types/delegationRevoked.d.ts +22 -0
package/dist/generated/types/delegationRevoked.d.ts.map +1 -0
package/dist/generated/types/delegationRevoked.js +26 -0
package/dist/generated/types/delegationRevoked.js.map +1 -0
package/dist/generated/types/epochBucket.d.ts +28 -0
package/dist/generated/types/epochBucket.d.ts.map +1 -0
package/dist/generated/types/epochBucket.js +24 -0
package/dist/generated/types/epochBucket.js.map +1 -0
package/dist/generated/types/escrowCreated.d.ts +30 -0
package/dist/generated/types/escrowCreated.d.ts.map +1 -0
package/dist/generated/types/escrowCreated.js +34 -0
package/dist/generated/types/escrowCreated.js.map +1 -0
package/dist/generated/types/escrowRefunded.d.ts +26 -0
package/dist/generated/types/escrowRefunded.d.ts.map +1 -0
package/dist/generated/types/escrowRefunded.js +30 -0
package/dist/generated/types/escrowRefunded.js.map +1 -0
package/dist/generated/types/escrowSettled.d.ts +26 -0
package/dist/generated/types/escrowSettled.d.ts.map +1 -0
package/dist/generated/types/escrowSettled.js +30 -0
package/dist/generated/types/escrowSettled.js.map +1 -0
package/dist/generated/types/escrowStatus.d.ts +18 -0
package/dist/generated/types/escrowStatus.d.ts.map +1 -0
package/dist/generated/types/escrowStatus.js +24 -0
package/dist/generated/types/escrowStatus.js.map +1 -0
package/dist/generated/types/feesCollected.d.ts +38 -0
package/dist/generated/types/feesCollected.d.ts.map +1 -0
package/dist/generated/types/feesCollected.js +42 -0
package/dist/generated/types/feesCollected.js.map +1 -0
package/dist/generated/types/fundsDeposited.d.ts +24 -0
package/dist/generated/types/fundsDeposited.d.ts.map +1 -0
package/dist/generated/types/fundsDeposited.js +28 -0
package/dist/generated/types/fundsDeposited.js.map +1 -0
package/dist/generated/types/fundsWithdrawn.d.ts +26 -0
package/dist/generated/types/fundsWithdrawn.d.ts.map +1 -0
package/dist/generated/types/fundsWithdrawn.js +30 -0
package/dist/generated/types/fundsWithdrawn.js.map +1 -0
package/dist/generated/types/index.d.ts +50 -0
package/dist/generated/types/index.d.ts.map +1 -0
package/dist/generated/types/index.js +50 -0
package/dist/generated/types/index.js.map +1 -0
package/dist/generated/types/instructionConstraintsClosed.d.ts +20 -0
package/dist/generated/types/instructionConstraintsClosed.d.ts.map +1 -0
package/dist/generated/types/instructionConstraintsClosed.js +24 -0
package/dist/generated/types/instructionConstraintsClosed.js.map +1 -0
package/dist/generated/types/instructionConstraintsCreated.d.ts +24 -0
package/dist/generated/types/instructionConstraintsCreated.d.ts.map +1 -0
package/dist/generated/types/instructionConstraintsCreated.js +28 -0
package/dist/generated/types/instructionConstraintsCreated.js.map +1 -0
package/dist/generated/types/instructionConstraintsUpdated.d.ts +24 -0
package/dist/generated/types/instructionConstraintsUpdated.d.ts.map +1 -0
package/dist/generated/types/instructionConstraintsUpdated.js +28 -0
package/dist/generated/types/instructionConstraintsUpdated.js.map +1 -0
package/dist/generated/types/policyChangeApplied.d.ts +20 -0
package/dist/generated/types/policyChangeApplied.d.ts.map +1 -0
package/dist/generated/types/policyChangeApplied.js +24 -0
package/dist/generated/types/policyChangeApplied.js.map +1 -0
package/dist/generated/types/policyChangeCancelled.d.ts +16 -0
package/dist/generated/types/policyChangeCancelled.d.ts.map +1 -0
package/dist/generated/types/policyChangeCancelled.js +18 -0
package/dist/generated/types/policyChangeCancelled.js.map +1 -0
package/dist/generated/types/policyChangeQueued.d.ts +20 -0
package/dist/generated/types/policyChangeQueued.d.ts.map +1 -0
package/dist/generated/types/policyChangeQueued.js +24 -0
package/dist/generated/types/policyChangeQueued.js.map +1 -0
package/dist/generated/types/policyUpdated.d.ts +34 -0
package/dist/generated/types/policyUpdated.d.ts.map +1 -0
package/dist/generated/types/policyUpdated.js +38 -0
package/dist/generated/types/policyUpdated.js.map +1 -0
package/dist/generated/types/positionsSynced.d.ts +24 -0
package/dist/generated/types/positionsSynced.d.ts.map +1 -0
package/dist/generated/types/positionsSynced.js +28 -0
package/dist/generated/types/positionsSynced.js.map +1 -0
package/dist/generated/types/protocolSpendCounter.d.ts +33 -0
package/dist/generated/types/protocolSpendCounter.d.ts.map +1 -0
package/dist/generated/types/protocolSpendCounter.js +26 -0
package/dist/generated/types/protocolSpendCounter.js.map +1 -0
package/dist/generated/types/sessionFinalized.d.ts +32 -0
package/dist/generated/types/sessionFinalized.d.ts.map +1 -0
package/dist/generated/types/sessionFinalized.js +36 -0
package/dist/generated/types/sessionFinalized.js.map +1 -0
package/dist/generated/types/vaultClosed.d.ts +22 -0
package/dist/generated/types/vaultClosed.d.ts.map +1 -0
package/dist/generated/types/vaultClosed.js +26 -0
package/dist/generated/types/vaultClosed.js.map +1 -0
package/dist/generated/types/vaultCreated.d.ts +24 -0
package/dist/generated/types/vaultCreated.d.ts.map +1 -0
package/dist/generated/types/vaultCreated.js +28 -0
package/dist/generated/types/vaultCreated.js.map +1 -0
package/dist/generated/types/vaultFrozen.d.ts +24 -0
package/dist/generated/types/vaultFrozen.d.ts.map +1 -0
package/dist/generated/types/vaultFrozen.js +28 -0
package/dist/generated/types/vaultFrozen.js.map +1 -0
package/dist/generated/types/vaultReactivated.d.ts +24 -0
package/dist/generated/types/vaultReactivated.d.ts.map +1 -0
package/dist/generated/types/vaultReactivated.js +28 -0
package/dist/generated/types/vaultReactivated.js.map +1 -0
package/dist/generated/types/vaultStatus.d.ts +19 -0
package/dist/generated/types/vaultStatus.d.ts.map +1 -0
package/dist/generated/types/vaultStatus.js +25 -0
package/dist/generated/types/vaultStatus.js.map +1 -0
package/dist/index.d.ts +74 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +113 -0
package/dist/index.js.map +1 -0
package/dist/inscribe.d.ts +134 -0
package/dist/inscribe.d.ts.map +1 -0
package/dist/inscribe.js +149 -0
package/dist/inscribe.js.map +1 -0
package/dist/inspector.d.ts +85 -0
package/dist/inspector.d.ts.map +1 -0
package/dist/inspector.js +188 -0
package/dist/inspector.js.map +1 -0
package/dist/math-utils.d.ts +15 -0
package/dist/math-utils.d.ts.map +1 -0
package/dist/math-utils.js +29 -0
package/dist/math-utils.js.map +1 -0
package/dist/owner-transaction.d.ts +42 -0
package/dist/owner-transaction.d.ts.map +1 -0
package/dist/owner-transaction.js +71 -0
package/dist/owner-transaction.js.map +1 -0
package/dist/policies.d.ts +70 -0
package/dist/policies.d.ts.map +1 -0
package/dist/policies.js +87 -0
package/dist/policies.js.map +1 -0
package/dist/portfolio-analytics.d.ts +82 -0
package/dist/portfolio-analytics.d.ts.map +1 -0
package/dist/portfolio-analytics.js +232 -0
package/dist/portfolio-analytics.js.map +1 -0
package/dist/presets.d.ts +108 -0
package/dist/presets.d.ts.map +1 -0
package/dist/presets.js +110 -0
package/dist/presets.js.map +1 -0
package/dist/priority-fees.d.ts +49 -0
package/dist/priority-fees.d.ts.map +1 -0
package/dist/priority-fees.js +175 -0
package/dist/priority-fees.js.map +1 -0
package/dist/protocol-analytics.d.ts +35 -0
package/dist/protocol-analytics.d.ts.map +1 -0
package/dist/protocol-analytics.js +64 -0
package/dist/protocol-analytics.js.map +1 -0
package/dist/protocol-names.d.ts +9 -0
package/dist/protocol-names.d.ts.map +1 -0
package/dist/protocol-names.js +18 -0
package/dist/protocol-names.js.map +1 -0
package/dist/protocol-resolver.d.ts +54 -0
package/dist/protocol-resolver.d.ts.map +1 -0
package/dist/protocol-resolver.js +123 -0
package/dist/protocol-resolver.js.map +1 -0
package/dist/resolve-accounts.d.ts +38 -0
package/dist/resolve-accounts.d.ts.map +1 -0
package/dist/resolve-accounts.js +120 -0
package/dist/resolve-accounts.js.map +1 -0
package/dist/rpc-helpers.d.ts +50 -0
package/dist/rpc-helpers.d.ts.map +1 -0
package/dist/rpc-helpers.js +119 -0
package/dist/rpc-helpers.js.map +1 -0
package/dist/seal.d.ts +211 -0
package/dist/seal.d.ts.map +1 -0
package/dist/seal.js +569 -0
package/dist/seal.js.map +1 -0
package/dist/security-analytics.d.ts +85 -0
package/dist/security-analytics.d.ts.map +1 -0
package/dist/security-analytics.js +510 -0
package/dist/security-analytics.js.map +1 -0
package/dist/shield.d.ts +235 -0
package/dist/shield.d.ts.map +1 -0
package/dist/shield.js +701 -0
package/dist/shield.js.map +1 -0
package/dist/simulation.d.ts +111 -0
package/dist/simulation.d.ts.map +1 -0
package/dist/simulation.js +514 -0
package/dist/simulation.js.map +1 -0
package/dist/spending-analytics.d.ts +91 -0
package/dist/spending-analytics.d.ts.map +1 -0
package/dist/spending-analytics.js +217 -0
package/dist/spending-analytics.js.map +1 -0
package/dist/state-resolver.d.ts +173 -0
package/dist/state-resolver.d.ts.map +1 -0
package/dist/state-resolver.js +660 -0
package/dist/state-resolver.js.map +1 -0
package/dist/tee/cache.d.ts +28 -0
package/dist/tee/cache.d.ts.map +1 -0
package/dist/tee/cache.js +75 -0
package/dist/tee/cache.js.map +1 -0
package/dist/tee/index.d.ts +9 -0
package/dist/tee/index.d.ts.map +1 -0
package/dist/tee/index.js +9 -0
package/dist/tee/index.js.map +1 -0
package/dist/tee/nitro-root.d.ts +11 -0
package/dist/tee/nitro-root.d.ts.map +1 -0
package/dist/tee/nitro-root.js +24 -0
package/dist/tee/nitro-root.js.map +1 -0
package/dist/tee/providers/crossmint.d.ts +12 -0
package/dist/tee/providers/crossmint.d.ts.map +1 -0
package/dist/tee/providers/crossmint.js +73 -0
package/dist/tee/providers/crossmint.js.map +1 -0
package/dist/tee/providers/privy.d.ts +12 -0
package/dist/tee/providers/privy.d.ts.map +1 -0
package/dist/tee/providers/privy.js +73 -0
package/dist/tee/providers/privy.js.map +1 -0
package/dist/tee/providers/turnkey.d.ts +34 -0
package/dist/tee/providers/turnkey.d.ts.map +1 -0
package/dist/tee/providers/turnkey.js +401 -0
package/dist/tee/providers/turnkey.js.map +1 -0
package/dist/tee/types.d.ts +124 -0
package/dist/tee/types.d.ts.map +1 -0
package/dist/tee/types.js +51 -0
package/dist/tee/types.js.map +1 -0
package/dist/tee/verify.d.ts +34 -0
package/dist/tee/verify.d.ts.map +1 -0
package/dist/tee/verify.js +177 -0
package/dist/tee/verify.js.map +1 -0
package/dist/tee/wallet-types.d.ts +61 -0
package/dist/tee/wallet-types.d.ts.map +1 -0
package/dist/tee/wallet-types.js +42 -0
package/dist/tee/wallet-types.js.map +1 -0
package/dist/testing/devnet.d.ts +64 -0
package/dist/testing/devnet.d.ts.map +1 -0
package/dist/testing/devnet.js +222 -0
package/dist/testing/devnet.js.map +1 -0
package/dist/testing/index.d.ts +3 -0
package/dist/testing/index.d.ts.map +1 -0
package/dist/testing/index.js +9 -0
package/dist/testing/index.js.map +1 -0
package/dist/testing/mock-rpc.d.ts +31 -0
package/dist/testing/mock-rpc.d.ts.map +1 -0
package/dist/testing/mock-rpc.js +50 -0
package/dist/testing/mock-rpc.js.map +1 -0
package/dist/testing/mock-state.d.ts +35 -0
package/dist/testing/mock-state.d.ts.map +1 -0
package/dist/testing/mock-state.js +86 -0
package/dist/testing/mock-state.js.map +1 -0
package/dist/tokens.d.ts +35 -0
package/dist/tokens.d.ts.map +1 -0
package/dist/tokens.js +157 -0
package/dist/tokens.js.map +1 -0
package/dist/transaction-executor.d.ts +116 -0
package/dist/transaction-executor.d.ts.map +1 -0
package/dist/transaction-executor.js +165 -0
package/dist/transaction-executor.js.map +1 -0
package/dist/types.d.ts +102 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +216 -0
package/dist/types.js.map +1 -0
package/dist/vault-analytics.d.ts +83 -0
package/dist/vault-analytics.d.ts.map +1 -0
package/dist/vault-analytics.js +175 -0
package/dist/vault-analytics.js.map +1 -0
package/dist/velocity-tracker.d.ts +79 -0
package/dist/velocity-tracker.d.ts.map +1 -0
package/dist/velocity-tracker.js +183 -0
package/dist/velocity-tracker.js.map +1 -0
package/dist/x402/amount-guard.d.ts +26 -0
package/dist/x402/amount-guard.d.ts.map +1 -0
package/dist/x402/amount-guard.js +80 -0
package/dist/x402/amount-guard.js.map +1 -0
package/dist/x402/audit-trail.d.ts +26 -0
package/dist/x402/audit-trail.d.ts.map +1 -0
package/dist/x402/audit-trail.js +32 -0
package/dist/x402/audit-trail.js.map +1 -0
package/dist/x402/codec.d.ts +26 -0
package/dist/x402/codec.d.ts.map +1 -0
package/dist/x402/codec.js +95 -0
package/dist/x402/codec.js.map +1 -0
package/dist/x402/errors.d.ts +34 -0
package/dist/x402/errors.d.ts.map +1 -0
package/dist/x402/errors.js +53 -0
package/dist/x402/errors.js.map +1 -0
package/dist/x402/facilitator-verify.d.ts +24 -0
package/dist/x402/facilitator-verify.d.ts.map +1 -0
package/dist/x402/facilitator-verify.js +74 -0
package/dist/x402/facilitator-verify.js.map +1 -0
package/dist/x402/index.d.ts +14 -0
package/dist/x402/index.d.ts.map +1 -0
package/dist/x402/index.js +23 -0
package/dist/x402/index.js.map +1 -0
package/dist/x402/nonce-tracker.d.ts +65 -0
package/dist/x402/nonce-tracker.d.ts.map +1 -0
package/dist/x402/nonce-tracker.js +123 -0
package/dist/x402/nonce-tracker.js.map +1 -0
package/dist/x402/payment-selector.d.ts +20 -0
package/dist/x402/payment-selector.d.ts.map +1 -0
package/dist/x402/payment-selector.js +49 -0
package/dist/x402/payment-selector.js.map +1 -0
package/dist/x402/policy-bridge.d.ts +23 -0
package/dist/x402/policy-bridge.d.ts.map +1 -0
package/dist/x402/policy-bridge.js +67 -0
package/dist/x402/policy-bridge.js.map +1 -0
package/dist/x402/shielded-fetch.d.ts +46 -0
package/dist/x402/shielded-fetch.d.ts.map +1 -0
package/dist/x402/shielded-fetch.js +342 -0
package/dist/x402/shielded-fetch.js.map +1 -0
package/dist/x402/transfer-builder.d.ts +43 -0
package/dist/x402/transfer-builder.d.ts.map +1 -0
package/dist/x402/transfer-builder.js +126 -0
package/dist/x402/transfer-builder.js.map +1 -0
package/dist/x402/types.d.ts +109 -0
package/dist/x402/types.d.ts.map +1 -0
package/dist/x402/types.js +8 -0
package/dist/x402/types.js.map +1 -0
package/package.json +98 -0

package/dist/shield.js ADDED Viewed

@@ -0,0 +1,701 @@
+/**
+ * Shield — Kit-native Client-Side Policy Enforcement (Defense-in-Depth)
+ *
+ * Wraps instruction signing with spending limits, rate limits,
+ * program allowlists, and custom checks.
+ *
+ * IMPORTANT: Shield is a CLIENT-SIDE advisory layer, NOT a security boundary.
+ * The on-chain program (validate_and_authorize + finalize_session) provides the
+ * hard enforcement of spending caps, permissions, and protocol allowlists.
+ * Shield reduces blast radius by catching violations before signing, but callers
+ * CAN bypass Shield by using the underlying TransactionSigner directly.
+ * This is by design — Shield prevents accidents, on-chain prevents catastrophe.
+ *
+ * State (spending counters, velocity limits) is in-memory and resets on process
+ * restart. Use syncFromOnChain() to re-sync with the authoritative on-chain state.
+ */
+import { getBase64EncodedWireTransaction } from "@solana/kit";
+import { analyzeInstructions, } from "./inspector.js";
+import { resolvePolicies, } from "./policies.js";
+import { simulateBeforeSend } from "./simulation.js";
+import { SIGIL_PROGRAM_ADDRESS } from "./generated/programs/sigil.js";
+import { VALIDATE_AND_AUTHORIZE_DISCRIMINATOR } from "./generated/instructions/validateAndAuthorize.js";
+import { FINALIZE_SESSION_DISCRIMINATOR } from "./generated/instructions/finalizeSession.js";
+import { resolveVaultState, } from "./state-resolver.js";
+import { isStablecoinMint, validateNetwork } from "./types.js";
+export class ShieldDeniedError extends Error {
+    violations;
+    code;
+    constructor(violations, code) {
+        const msgs = violations.map((v) => v.message).join("; ");
+        super(`Shield denied: ${msgs}`);
+        this.violations = violations;
+        this.name = "ShieldDeniedError";
+        this.code = code;
+    }
+}
+export class ShieldState {
+    spendEntries = [];
+    txEntries = [];
+    // On-chain sync state
+    _resolvedState = null;
+    _localUsdAdditions = 0n;
+    _network = null;
+    // S-7: Mutual exclusivity tracking
+    _enforceUsed = false;
+    getSpendInWindow(mint, windowMs) {
+        const cutoff = Date.now() - windowMs;
+        return this.spendEntries
+            .filter((e) => e.mint === mint && e.timestamp >= cutoff)
+            .reduce((sum, e) => sum + e.amount, 0n);
+    }
+    getTotalSpendInWindow(windowMs) {
+        const cutoff = Date.now() - windowMs;
+        return this.spendEntries
+            .filter((e) => e.timestamp >= cutoff)
+            .reduce((sum, e) => sum + e.amount, 0n);
+    }
+    getTransactionCountInWindow(windowMs) {
+        const cutoff = Date.now() - windowMs;
+        return this.txEntries.filter((e) => e.timestamp >= cutoff).length;
+    }
+    recordSpend(mint, amount) {
+        this.spendEntries.push({ mint, amount, timestamp: Date.now() });
+        this.prune();
+    }
+    recordTransaction() {
+        this.txEntries.push({ timestamp: Date.now() });
+        this.prune();
+    }
+    /** Prune stale entries when arrays exceed threshold. */
+    prune() {
+        const PRUNE_THRESHOLD = 10_000;
+        if (this.spendEntries.length > PRUNE_THRESHOLD) {
+            const cutoff = Date.now() - 86_400_000;
+            this.spendEntries = this.spendEntries.filter((e) => e.timestamp >= cutoff);
+        }
+        if (this.txEntries.length > PRUNE_THRESHOLD) {
+            const cutoff = Date.now() - 86_400_000;
+            this.txEntries = this.txEntries.filter((e) => e.timestamp >= cutoff);
+        }
+    }
+    /** Sync spending baseline from on-chain state. Resets local additions. */
+    syncFromOnChain(state, network) {
+        this._resolvedState = state;
+        this._localUsdAdditions = 0n;
+        if (network !== undefined) {
+            this._network = network;
+        }
+    }
+    /** Record local USD spend (optimistic addition on top of on-chain baseline). */
+    recordUsdSpend(amount) {
+        this._localUsdAdditions += amount;
+    }
+    /** Effective 24h global spend: on-chain baseline + local additions. */
+    getEffectiveGlobalSpent24h() {
+        if (!this._resolvedState)
+            return this._localUsdAdditions;
+        return this._resolvedState.globalBudget.spent24h + this._localUsdAdditions;
+    }
+    /** Effective 24h remaining against on-chain cap. Returns null if not synced. */
+    getEffectiveGlobalRemaining() {
+        if (!this._resolvedState)
+            return null;
+        const cap = this._resolvedState.globalBudget.cap;
+        const spent = this.getEffectiveGlobalSpent24h();
+        return spent < cap ? cap - spent : 0n;
+    }
+    /** Resolved on-chain state, or null if never synced. */
+    get resolvedState() {
+        return this._resolvedState;
+    }
+    /** Local USD additions since last sync. */
+    get localUsdAdditions() {
+        return this._localUsdAdditions;
+    }
+    /** Network configured during sync. Null if never synced with network. */
+    get network() {
+        return this._network;
+    }
+    /** Effective 24h agent spend: on-chain baseline + local additions. Null if no agent budget. */
+    getEffectiveAgentSpent24h() {
+        if (!this._resolvedState?.agentBudget)
+            return null;
+        return this._resolvedState.agentBudget.spent24h + this._localUsdAdditions;
+    }
+    /** Effective 24h remaining against agent cap. Null if no agent budget or not synced. */
+    getEffectiveAgentRemaining() {
+        if (!this._resolvedState?.agentBudget)
+            return null;
+        const cap = this._resolvedState.agentBudget.cap;
+        const spent = this._resolvedState.agentBudget.spent24h + this._localUsdAdditions;
+        return spent < cap ? cap - spent : 0n;
+    }
+    /** S-7: Whether enforce() has been called on this state. */
+    get enforceUsed() {
+        return this._enforceUsed;
+    }
+    /** S-7: Mark that enforce() was used. */
+    markEnforceUsed() {
+        this._enforceUsed = true;
+    }
+    checkpoint() {
+        return {
+            spendEntries: [...this.spendEntries],
+            txEntries: [...this.txEntries],
+            resolvedState: this._resolvedState,
+            localUsdAdditions: this._localUsdAdditions,
+            network: this._network,
+            enforceUsed: this._enforceUsed,
+        };
+    }
+    rollback(cp) {
+        this.spendEntries = [...cp.spendEntries];
+        this.txEntries = [...cp.txEntries];
+        this._resolvedState = cp.resolvedState;
+        this._localUsdAdditions = cp.localUsdAdditions;
+        this._network = cp.network;
+        this._enforceUsed = cp.enforceUsed;
+    }
+    reset() {
+        this.spendEntries = [];
+        this.txEntries = [];
+        this._resolvedState = null;
+        this._localUsdAdditions = 0n;
+        this._network = null;
+        this._enforceUsed = false;
+    }
+}
+// ─── Policy Evaluation ──────────────────────────────────────────────────────
+/**
+ * Evaluate a set of instructions against resolved policies.
+ * When state has on-chain sync, also checks vault/agent caps (requires network).
+ */
+export function evaluateInstructions(instructions, signerAddress, resolved, state, network) {
+    if (network)
+        validateNetwork(network);
+    const violations = [];
+    const analysis = analyzeInstructions(instructions, signerAddress);
+    // 1. Program allowlist check
+    if (resolved.blockUnknownPrograms && resolved.allowedProtocols) {
+        for (const pid of analysis.programIds) {
+            if (!SYSTEM_PROGRAMS.has(pid) && !resolved.allowedProtocols.has(pid)) {
+                violations.push({
+                    rule: "program_allowlist",
+                    message: `Program ${pid} is not in the allowed list`,
+                    suggestion: "Use a protocol that is explicitly allowed by the policy",
+                });
+            }
+        }
+    }
+    // 2. Spend limit check
+    if (resolved.spendLimits) {
+        for (const limit of resolved.spendLimits) {
+            const windowMs = limit.windowMs ?? 86_400_000;
+            const currentSpend = state.getSpendInWindow(limit.mint, windowMs);
+            const txSpend = analysis.tokenTransfers
+                .filter((t) => t.authority === signerAddress &&
+                (t.mint === limit.mint || t.mint === null))
+                .reduce((sum, t) => sum + t.amount, 0n);
+            if (currentSpend + txSpend > limit.amount) {
+                violations.push({
+                    rule: "spend_limit",
+                    message: `Spend limit exceeded for ${limit.mint}: ${currentSpend + txSpend} > ${limit.amount}`,
+                    suggestion: "Reduce the transaction amount or wait for the rolling window to reset",
+                });
+            }
+        }
+    }
+    // 3. Rate limit check
+    if (resolved.rateLimit) {
+        const count = state.getTransactionCountInWindow(resolved.rateLimit.windowMs);
+        if (count >= resolved.rateLimit.maxTransactions) {
+            violations.push({
+                rule: "rate_limit",
+                message: `Rate limit exceeded: ${count}/${resolved.rateLimit.maxTransactions} transactions in window`,
+                suggestion: "Wait before sending more transactions",
+            });
+        }
+    }
+    // 4. Custom check
+    if (resolved.customCheck) {
+        const customAnalysis = {
+            programIds: analysis.programIds,
+            transfers: analysis.tokenTransfers.map((t) => ({
+                mint: (t.mint ?? ""),
+                amount: t.amount,
+                direction: (t.authority === signerAddress ? "outgoing" : "unknown"),
+                destination: t.destination,
+            })),
+            estimatedValueLamports: analysis.estimatedValue,
+        };
+        const customResult = resolved.customCheck(customAnalysis);
+        if (!customResult.allowed) {
+            violations.push({
+                rule: "custom",
+                message: customResult.reason ?? "Custom policy check failed",
+            });
+        }
+    }
+    // 5. On-chain vault/agent cap check (when synced)
+    const effectiveNetwork = network ?? state.network;
+    if (state.resolvedState && effectiveNetwork) {
+        const rs = state.resolvedState;
+        const stablecoinUsdAmount = computeStablecoinUsd(analysis.tokenTransfers, signerAddress, effectiveNetwork);
+        if (stablecoinUsdAmount > 0n) {
+            // Transaction size
+            if (stablecoinUsdAmount > rs.maxTransactionUsd) {
+                violations.push({
+                    rule: "on_chain_tx_size",
+                    message: `Transaction ${stablecoinUsdAmount} exceeds max ${rs.maxTransactionUsd}`,
+                    suggestion: "Reduce the transaction amount",
+                });
+            }
+            // Global vault cap
+            const effectiveGlobalSpent = state.getEffectiveGlobalSpent24h();
+            if (effectiveGlobalSpent + stablecoinUsdAmount > rs.globalBudget.cap) {
+                violations.push({
+                    rule: "on_chain_vault_cap",
+                    message: `Would exceed on-chain daily cap: ${effectiveGlobalSpent + stablecoinUsdAmount} > ${rs.globalBudget.cap}`,
+                    suggestion: "Reduce amount or wait for the 24h window to roll",
+                });
+            }
+            // Per-agent cap
+            const effectiveAgentSpent = state.getEffectiveAgentSpent24h();
+            if (effectiveAgentSpent !== null && rs.agentBudget) {
+                if (effectiveAgentSpent + stablecoinUsdAmount > rs.agentBudget.cap) {
+                    violations.push({
+                        rule: "on_chain_agent_cap",
+                        message: `Would exceed agent spend limit: ${effectiveAgentSpent + stablecoinUsdAmount} > ${rs.agentBudget.cap}`,
+                        suggestion: "Reduce amount or wait",
+                    });
+                }
+            }
+        }
+    }
+    return { violations, analysis };
+}
+const SYSTEM_PROGRAMS = new Set([
+    "11111111111111111111111111111111",
+    "ComputeBudget111111111111111111111111111111",
+    "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL",
+]);
+/**
+ * Sum USD value of outgoing stablecoin transfers only.
+ * Plain Transfer instructions have mint=null — skip those.
+ * On-chain uses stablecoin identity: USDC/USDT amount / 10^6 = USD.
+ */
+function computeStablecoinUsd(transfers, signerAddress, network) {
+    return transfers
+        .filter((t) => t.authority === signerAddress &&
+        t.mint !== null &&
+        isStablecoinMint(t.mint, network))
+        .reduce((sum, t) => sum + t.amount, 0n);
+}
+/**
+ * Create a Kit-native shield context for client-side policy enforcement.
+ *
+ * Unlike the web3.js shield() which wraps wallet signing,
+ * this works at the instruction level:
+ * - check() validates instructions without side effects
+ * - enforce() validates and records, throwing on violation
+ */
+export function shield(policies, options) {
+    let resolved = resolvePolicies(policies);
+    const state = new ShieldState();
+    let paused = false;
+    const syncConfig = options?.onChainSync;
+    if (syncConfig)
+        validateNetwork(syncConfig.network);
+    const stalenessThreshold = options?.stalenessWarnThresholdSec ?? 300;
+    // S-1: Warn when no onChainSync — spend tracking is ephemeral
+    if (!syncConfig) {
+        console.warn("[Shield] No onChainSync configured — spend tracking is client-side only " +
+            "and will reset on process restart.");
+    }
+    return {
+        check(instructions, signerAddress) {
+            if (paused) {
+                return {
+                    allowed: false,
+                    violations: [
+                        {
+                            rule: "paused",
+                            message: "Shield is paused — all operations blocked until resume()",
+                            suggestion: "Call resume() to re-enable",
+                        },
+                    ],
+                };
+            }
+            // S-2: Staleness warning
+            _warnIfStale(state, stalenessThreshold);
+            const { violations } = evaluateInstructions(instructions, signerAddress, resolved, state, syncConfig?.network);
+            return { allowed: violations.length === 0, violations };
+        },
+        enforce(instructions, signerAddress) {
+            if (paused) {
+                const error = new ShieldDeniedError([
+                    {
+                        rule: "paused",
+                        message: "Shield is paused — all operations blocked until resume()",
+                        suggestion: "Call resume() to re-enable",
+                    },
+                ]);
+                options?.onDenied?.(error);
+                throw error;
+            }
+            // S-2: Staleness warning
+            _warnIfStale(state, stalenessThreshold);
+            const { violations, analysis } = evaluateInstructions(instructions, signerAddress, resolved, state, syncConfig?.network);
+            if (violations.length > 0) {
+                const error = new ShieldDeniedError(violations);
+                options?.onDenied?.(error);
+                throw error;
+            }
+            // Record the transaction — reuse analysis from evaluateInstructions
+            for (const transfer of analysis.tokenTransfers) {
+                if (transfer.authority === signerAddress) {
+                    state.recordSpend(transfer.mint ?? "", transfer.amount);
+                }
+            }
+            state.recordTransaction();
+            // Record aggregate stablecoin USD for on-chain cap tracking
+            if (state.resolvedState && syncConfig) {
+                const stablecoinUsd = computeStablecoinUsd(analysis.tokenTransfers, signerAddress, syncConfig.network);
+                if (stablecoinUsd > 0n) {
+                    state.recordUsdSpend(stablecoinUsd);
+                }
+            }
+            // S-7: Mark that enforce() was used
+            state.markEnforceUsed();
+            options?.onApproved?.();
+        },
+        get resolvedPolicies() {
+            return resolved;
+        },
+        get isPaused() {
+            return paused;
+        },
+        updatePolicies(newPolicies) {
+            resolved = resolvePolicies(newPolicies);
+            options?.onPolicyUpdate?.(newPolicies);
+        },
+        resetState() {
+            state.reset();
+        },
+        pause() {
+            paused = true;
+            options?.onPause?.();
+        },
+        resume() {
+            paused = false;
+            options?.onResume?.();
+        },
+        getSpendingSummary() {
+            const tokens = (resolved.spendLimits ?? []).map((limit) => {
+                const windowMs = limit.windowMs ?? 86_400_000;
+                const spent = state.getSpendInWindow(limit.mint, windowMs);
+                const remaining = limit.amount > spent ? limit.amount - spent : 0n;
+                return {
+                    mint: limit.mint,
+                    spent,
+                    limit: limit.amount,
+                    remaining,
+                    windowMs,
+                };
+            });
+            const rl = resolved.rateLimit ?? {
+                maxTransactions: 60,
+                windowMs: 3_600_000,
+            };
+            const txCount = state.getTransactionCountInWindow(rl.windowMs);
+            const rs = state.resolvedState;
+            const onChain = rs
+                ? {
+                    globalSpent24h: state.getEffectiveGlobalSpent24h(),
+                    globalCap: rs.globalBudget.cap,
+                    globalRemaining: state.getEffectiveGlobalRemaining() ?? 0n,
+                    agentSpent24h: state.getEffectiveAgentSpent24h(),
+                    agentCap: rs.agentBudget?.cap ?? null,
+                    agentRemaining: state.getEffectiveAgentRemaining(),
+                    maxTransactionUsd: rs.maxTransactionUsd,
+                    localAdditions: state.localUsdAdditions,
+                    syncedAt: rs.resolvedAtTimestamp,
+                }
+                : undefined;
+            return {
+                tokens,
+                rateLimit: {
+                    count: txCount,
+                    limit: rl.maxTransactions,
+                    remaining: Math.max(0, rl.maxTransactions - txCount),
+                    windowMs: rl.windowMs,
+                },
+                isPaused: paused,
+                onChain,
+            };
+        },
+        async sync() {
+            if (!syncConfig) {
+                throw new Error("Cannot sync: onChainSync not configured in ShieldOptions");
+            }
+            const resolved = await resolveVaultState(syncConfig.rpc, syncConfig.vaultAddress, syncConfig.agentAddress);
+            state.syncFromOnChain(resolved, syncConfig.network);
+        },
+        get hasOnChainSync() {
+            return syncConfig !== undefined;
+        },
+        get state() {
+            return state;
+        },
+    };
+}
+/**
+ * Create a TransactionSigner that enforces a 5-property pre-sign gate.
+ *
+ * Intercepts every signing call and runs:
+ *   1. Intent-TX correspondence (SOFT — logs warning)
+ *   2. Velocity ceiling (HARD — throws)
+ *   3. Simulation liveness (HARD — throws)
+ *   4. Instruction allowlist via ShieldedContext (HARD — throws)
+ *   5. Session binding (SOFT — logs warning)
+ *
+ * On pass, delegates to the baseSigner. On HARD fail, throws ShieldDeniedError.
+ *
+ * @param baseSigner - The underlying TransactionSigner to delegate to
+ * @param shieldCtx - ShieldedContext providing policy evaluation and state
+ * @param options - Optional configuration for each property
+ */
+export function createShieldedSigner(baseSigner, shieldCtx, options) {
+    return {
+        address: baseSigner.address,
+        async modifyAndSignTransactions(txs) {
+            for (const tx of txs) {
+                const instructions = _extractInstructionsFromCompiled(tx, options?.altCache);
+                // Property 2: Velocity ceiling (HARD)
+                if (options?.velocityThresholds) {
+                    checkVelocityCeiling(shieldCtx.state, instructions, baseSigner.address, options.velocityThresholds);
+                }
+                // Property 3: Simulation liveness (HARD)
+                if (options?.rpc && !options?.skipSimulation) {
+                    let wireBase64;
+                    try {
+                        wireBase64 = getBase64EncodedWireTransaction(tx);
+                    }
+                    catch (encodeErr) {
+                        // Fail-closed: if we can't encode the TX, block signing
+                        throw new ShieldDeniedError([
+                            {
+                                rule: "simulation",
+                                message: `Cannot encode transaction for simulation: ${encodeErr instanceof Error ? encodeErr.message : "unknown error"}`,
+                                suggestion: "Ensure the transaction is properly formed",
+                            },
+                        ]);
+                    }
+                    const result = await simulateBeforeSend(options.rpc, wireBase64);
+                    if (!result.success) {
+                        throw new ShieldDeniedError([
+                            {
+                                rule: "simulation",
+                                message: `Simulation failed: ${result.error?.message ?? "unknown error"}`,
+                                suggestion: result.error?.suggestion ?? "Check transaction validity",
+                            },
+                        ]);
+                    }
+                }
+                // Property 4: Instruction allowlist (HARD)
+                const checkResult = shieldCtx.check(instructions, baseSigner.address);
+                if (!checkResult.allowed) {
+                    throw new ShieldDeniedError(checkResult.violations);
+                }
+                // Property 5: Session binding (severity controlled by S-4)
+                if (options?.sessionContext) {
+                    checkSessionBinding(tx, SIGIL_PROGRAM_ADDRESS, options?.sessionBindingSeverity ?? "hard");
+                }
+                // S-7: Warn about double-counting risk if enforce() was already used
+                if (shieldCtx.state.enforceUsed) {
+                    console.warn("[ShieldedSigner] enforce() was already called on this ShieldState — " +
+                        "using ShieldedSigner after enforce() may double-count spending");
+                }
+                // All checks passed — record spend and transaction in shared state
+                const analysis = analyzeInstructions(instructions, baseSigner.address);
+                for (const transfer of analysis.tokenTransfers) {
+                    if (transfer.authority === baseSigner.address) {
+                        shieldCtx.state.recordSpend(transfer.mint ?? "", transfer.amount);
+                    }
+                }
+                shieldCtx.state.recordTransaction();
+                // Record aggregate stablecoin USD for on-chain cap tracking
+                if (shieldCtx.state.resolvedState && shieldCtx.state.network) {
+                    const stablecoinUsd = computeStablecoinUsd(analysis.tokenTransfers, baseSigner.address, shieldCtx.state.network);
+                    if (stablecoinUsd > 0n) {
+                        shieldCtx.state.recordUsdSpend(stablecoinUsd);
+                    }
+                }
+            }
+            // Delegate to base signer
+            const signer = baseSigner;
+            if (signer.modifyAndSignTransactions) {
+                return signer.modifyAndSignTransactions(txs);
+            }
+            else if (signer.signTransactions) {
+                const sigs = await signer.signTransactions(txs);
+                return txs.map((tx, i) => ({
+                    ...tx,
+                    signatures: { ...tx.signatures, ...sigs[i] },
+                }));
+            }
+            throw new Error("Unsupported signer type: must implement signTransactions or modifyAndSignTransactions");
+        },
+    };
+}
+// ─── Internal Helpers ────────────────────────────────────────────────────────
+/**
+ * Extract InspectableInstruction[] from a compiled transaction object.
+ * Resolves program addresses from staticAccounts[programAddressIndex].
+ * When ALTs are used, resolves ALT-compressed account indices via AltCache.
+ *
+ * Exported as _extractInstructionsFromCompiled for direct testing.
+ */
+export function _extractInstructionsFromCompiled(tx, altCache, warnings) {
+    const msg = tx.compiledMessage;
+    if (!msg?.staticAccounts?.length || !msg?.instructions?.length) {
+        return [];
+    }
+    // Build combined account table: static + ALT-resolved
+    let accountTable = [...msg.staticAccounts];
+    if (msg.addressTableLookups?.length && altCache) {
+        // S-3: Resolve ALT index with bounds check, accumulating warnings on OOB
+        const resolveAltIndex = (idx, resolved) => {
+            if (idx < resolved.length)
+                return resolved[idx];
+            warnings?.push(`ALT index ${idx} out of bounds (table has ${resolved.length} entries) — account substituted with system program for analysis`);
+            return "11111111111111111111111111111111";
+        };
+        // Two-pass ordering: Solana compiled messages order ALL writables from
+        // ALL lookups first, then ALL readonlys from ALL lookups.
+        // Pass 1: ALL writables from ALL lookups (in lookup order)
+        for (const lookup of msg.addressTableLookups) {
+            const resolved = altCache.getCachedAddresses(lookup.lookupTableAddress);
+            if (resolved) {
+                for (const idx of lookup.writableIndexes ?? []) {
+                    accountTable.push(resolveAltIndex(idx, resolved));
+                }
+            }
+        }
+        // Pass 2: ALL readonlys from ALL lookups
+        for (const lookup of msg.addressTableLookups) {
+            const resolved = altCache.getCachedAddresses(lookup.lookupTableAddress);
+            if (resolved) {
+                for (const idx of lookup.readonlyIndexes ?? []) {
+                    accountTable.push(resolveAltIndex(idx, resolved));
+                }
+            }
+        }
+    }
+    else if (msg.addressTableLookups?.length) {
+        console.warn("[ShieldedSigner] ALT-compressed accounts cannot be resolved without AltCache");
+    }
+    return msg.instructions.map((ix) => ({
+        programAddress: accountTable[ix.programAddressIndex],
+        accounts: (ix.accountIndices ?? []).map((i) => ({
+            address: accountTable[i],
+        })),
+        data: ix.data ? new Uint8Array(ix.data) : new Uint8Array(),
+    }));
+}
+/**
+ * Property 2: Check velocity ceilings. HARD — throws ShieldDeniedError.
+ */
+function checkVelocityCeiling(state, instructions, signerAddress, thresholds) {
+    if (thresholds.maxTxPerHour !== undefined) {
+        const count = state.getTransactionCountInWindow(3_600_000);
+        if (count >= thresholds.maxTxPerHour) {
+            throw new ShieldDeniedError([
+                {
+                    rule: "velocity_ceiling",
+                    message: `Transaction rate ${count}/${thresholds.maxTxPerHour} per hour exceeded`,
+                    suggestion: "Wait before sending more transactions",
+                },
+            ]);
+        }
+    }
+    if (thresholds.maxUsdPerHour !== undefined) {
+        const analysis = analyzeInstructions(instructions, signerAddress);
+        const currentSpend = state.getTotalSpendInWindow(3_600_000);
+        const projectedSpend = currentSpend + analysis.estimatedValue;
+        if (projectedSpend > thresholds.maxUsdPerHour) {
+            throw new ShieldDeniedError([
+                {
+                    rule: "velocity_ceiling",
+                    message: `Hourly USD spend ${projectedSpend} exceeds ceiling ${thresholds.maxUsdPerHour}`,
+                    suggestion: "Reduce transaction amounts or wait for the window to reset",
+                },
+            ]);
+        }
+    }
+}
+/**
+ * Property 5: Check session binding (validate+finalize sandwich).
+ * S-4: severity controls behavior — 'hard' throws, 'soft' warns.
+ */
+function checkSessionBinding(tx, programAddress, severity = "hard") {
+    const msg = tx.compiledMessage;
+    if (!msg?.staticAccounts?.length || !msg?.instructions?.length) {
+        const message = "[ShieldedSigner] Cannot verify session binding: no compiled message";
+        if (severity === "hard") {
+            throw new ShieldDeniedError([{ rule: "session_binding", message }]);
+        }
+        console.warn(message);
+        return;
+    }
+    const sigilIxs = msg.instructions.filter((ix) => msg.staticAccounts[ix.programAddressIndex] === programAddress);
+    if (sigilIxs.length === 0) {
+        const message = "[ShieldedSigner] No Sigil instructions found in transaction";
+        if (severity === "hard") {
+            throw new ShieldDeniedError([{ rule: "session_binding", message }]);
+        }
+        console.warn(message);
+        return;
+    }
+    const firstData = sigilIxs[0].data;
+    const lastData = sigilIxs[sigilIxs.length - 1].data;
+    const hasValidate = firstData &&
+        firstData.length >= 8 &&
+        matchesDiscriminator(firstData, VALIDATE_AND_AUTHORIZE_DISCRIMINATOR);
+    const hasFinalize = lastData &&
+        lastData.length >= 8 &&
+        matchesDiscriminator(lastData, FINALIZE_SESSION_DISCRIMINATOR);
+    if (!hasValidate || !hasFinalize) {
+        const message = `[ShieldedSigner] Session binding incomplete: validate=${!!hasValidate}, finalize=${!!hasFinalize}`;
+        if (severity === "hard") {
+            throw new ShieldDeniedError([{ rule: "session_binding", message }]);
+        }
+        console.warn(message);
+    }
+}
+/**
+ * S-2: Warn when resolved state is stale (older than threshold).
+ */
+function _warnIfStale(state, thresholdSec) {
+    if (!state.resolvedState)
+        return;
+    const age = Math.floor(Date.now() / 1000) -
+        Number(state.resolvedState.resolvedAtTimestamp);
+    if (age > thresholdSec) {
+        console.warn(`[Shield] Resolved state is ${age}s old (threshold: ${thresholdSec}s) — call sync() for fresh data`);
+    }
+}
+/**
+ * Compare first N bytes of data against a discriminator.
+ */
+function matchesDiscriminator(data, disc) {
+    if (data.length < disc.length)
+        return false;
+    for (let i = 0; i < disc.length; i++) {
+        if (data[i] !== disc[i])
+            return false;
+    }
+    return true;
+}
+//# sourceMappingURL=shield.js.map