amped-defi 1.0.0

package/src/policy/policyEngine.ts

@@ -0,0 +1,389 @@
+/**
+ * Policy Engine
+ *
+ * Enforces security policies for DeFi operations including:
+ * - Spend limits per transaction and daily
+ * - Allowed chain and token allowlists
+ * - Blocked recipient addresses
+ * - Maximum slippage tolerance
+ * - Simulation requirements
+ */
+
+import { BridgeOperation, PolicyConfig } from '../types';
+import { normalizeChainId } from '../wallet/types';
+
+/**
+ * Policy check result
+ */
+export interface PolicyCheckResult {
+  allowed: boolean;
+  reason?: string;
+  details?: Record<string, unknown>;
+}
+
+/**
+ * Policy Engine class for enforcing security constraints
+ */
+export class PolicyEngine {
+  private config: PolicyConfig;
+
+  constructor(policyId?: string) {
+    this.config = this.loadPolicyConfig(policyId);
+  }
+
+  /**
+   * Load policy configuration from environment
+   *
+   * @param policyId - Optional policy profile ID for custom limits
+   * @returns The policy configuration
+   */
+  private loadPolicyConfig(policyId?: string): PolicyConfig {
+    const limitsJson = process.env.AMPED_OC_LIMITS_JSON;
+
+    if (!limitsJson) {
+      return {};
+    }
+
+    try {
+      const allConfigs = JSON.parse(limitsJson) as Record<string, PolicyConfig>;
+
+      // If policyId is specified, use that config; otherwise use 'default' or empty
+      const config = policyId
+        ? allConfigs[policyId]
+        : allConfigs['default'] || allConfigs;
+
+      if (policyId && !config) {
+        return allConfigs['default'] || {};
+      }
+
+      return config || {};
+    } catch (_error) {
+      return {};
+    }
+  }
+
+  /**
+   * Check if a chain is allowed
+   *
+   * @param chainId - The chain ID to check
+   * @returns Policy check result
+   */
+  private checkChainAllowed(chainId: string): PolicyCheckResult {
+    const { allowedChains } = this.config;
+
+    if (allowedChains && allowedChains.length > 0) {
+      const normalizedChain = normalizeChainId(chainId);
+      if (!allowedChains.includes(normalizedChain)) {
+        return {
+          allowed: false,
+          reason: `Chain not allowed: ${chainId}. Allowed chains: ${allowedChains.join(', ')}`,
+        };
+      }
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Check if a token is allowed on a specific chain
+   *
+   * @param chainId - The chain ID
+   * @param token - The token address or symbol
+   * @returns Policy check result
+   */
+  private checkTokenAllowed(chainId: string, token: string): PolicyCheckResult {
+    const { allowedTokensByChain } = this.config;
+
+    if (allowedTokensByChain) {
+      const normalizedChainForTokens = normalizeChainId(chainId);
+      const allowedTokens = allowedTokensByChain[normalizedChainForTokens];
+      if (allowedTokens && allowedTokens.length > 0) {
+        if (!allowedTokens.includes(token)) {
+          return {
+            allowed: false,
+            reason: `Token not allowed on ${chainId}: ${token}. Allowed tokens: ${allowedTokens.join(', ')}`,
+          };
+        }
+      }
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Check if a recipient is blocked
+   *
+   * @param recipient - The recipient address
+   * @returns Policy check result
+   */
+  private checkRecipientNotBlocked(recipient: string): PolicyCheckResult {
+    const { blockedRecipients } = this.config;
+
+    if (blockedRecipients && blockedRecipients.length > 0) {
+      if (blockedRecipients.includes(recipient.toLowerCase())) {
+        return {
+          allowed: false,
+          reason: `Recipient is blocked: ${recipient}`,
+        };
+      }
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Check bridge amount against limits
+   *
+   * @param token - The token address or symbol
+   * @param amount - The amount in human-readable units
+   * @returns Policy check result
+   */
+  private checkBridgeAmount(token: string, amount: string): PolicyCheckResult {
+    const { maxBridgeAmountToken } = this.config;
+
+    if (maxBridgeAmountToken) {
+      const maxAmount = maxBridgeAmountToken[token];
+      if (maxAmount !== undefined) {
+        const amountNum = parseFloat(amount);
+        if (amountNum > maxAmount) {
+          return {
+            allowed: false,
+            reason: `Bridge amount ${amount} exceeds maximum ${maxAmount} for token ${token}`,
+            details: { maxAllowed: maxAmount, requested: amountNum },
+          };
+        }
+      }
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Check a bridge operation against all policies
+   *
+   * @param operation - The bridge operation to validate
+   * @returns Policy check result
+   */
+  async checkBridge(operation: BridgeOperation): Promise<PolicyCheckResult> {
+    const { srcChainId, dstChainId, srcToken, dstToken, amount, recipient } = operation;
+
+    // Check source chain
+    const srcChainCheck = this.checkChainAllowed(srcChainId);
+    if (!srcChainCheck.allowed) return srcChainCheck;
+
+    // Check destination chain
+    const dstChainCheck = this.checkChainAllowed(dstChainId);
+    if (!dstChainCheck.allowed) return dstChainCheck;
+
+    // Check source token
+    const srcTokenCheck = this.checkTokenAllowed(srcChainId, srcToken);
+    if (!srcTokenCheck.allowed) return srcTokenCheck;
+
+    // Check destination token
+    const dstTokenCheck = this.checkTokenAllowed(dstChainId, dstToken);
+    if (!dstTokenCheck.allowed) return dstTokenCheck;
+
+    // Check amount limits
+    const amountCheck = this.checkBridgeAmount(srcToken, amount);
+    if (!amountCheck.allowed) return amountCheck;
+
+    // Check recipient if specified
+    if (recipient) {
+      const recipientCheck = this.checkRecipientNotBlocked(recipient);
+      if (!recipientCheck.allowed) return recipientCheck;
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Get the current policy configuration
+   * @returns The policy configuration
+   */
+  getConfig(): PolicyConfig {
+    return { ...this.config };
+  }
+
+  /**
+   * Get available policy IDs from the configuration
+   * @returns Array of available policy IDs
+   */
+  getAvailablePolicies(): string[] {
+    const limitsJson = process.env.AMPED_OC_LIMITS_JSON;
+    if (!limitsJson) return [];
+    
+    try {
+      const allConfigs = JSON.parse(limitsJson) as Record<string, PolicyConfig>;
+      return Object.keys(allConfigs);
+    } catch {
+      return [];
+    }
+  }
+
+  // ============================================================================
+  // Swap Policy Checks
+  // ============================================================================
+
+  /**
+   * Check swap input amount against USD limits
+   */
+  private checkSwapAmount(inputAmount: string, srcToken: string): PolicyCheckResult {
+    const { maxSwapInputUsd, maxSwapInputToken } = this.config;
+
+    // Check per-token limit if configured
+    if (maxSwapInputToken) {
+      const maxTokenAmount = maxSwapInputToken[srcToken];
+      if (maxTokenAmount !== undefined) {
+        const amountNum = parseFloat(inputAmount);
+        if (amountNum > maxTokenAmount) {
+          return {
+            allowed: false,
+            reason: `Swap input amount ${inputAmount} exceeds maximum ${maxTokenAmount} for token ${srcToken}`,
+            details: { maxAllowed: maxTokenAmount, requested: amountNum },
+          };
+        }
+      }
+    }
+
+    // Note: USD limit check would require price oracle integration
+    // For now, we skip enforcement without prices
+
+    return { allowed: true };
+  }
+
+  /**
+   * Check slippage against maximum allowed
+   */
+  private checkSlippage(slippageBps: number): PolicyCheckResult {
+    const { maxSlippageBps } = this.config;
+
+    if (maxSlippageBps !== undefined && slippageBps > maxSlippageBps) {
+      return {
+        allowed: false,
+        reason: `Slippage ${slippageBps} bps exceeds maximum allowed ${maxSlippageBps} bps`,
+        details: { maxAllowed: maxSlippageBps, requested: slippageBps },
+      };
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Check a swap operation against all policies
+   */
+  async checkSwap(params: {
+    walletId: string;
+    srcChainId: string;
+    dstChainId: string;
+    srcToken: string;
+    dstToken: string;
+    inputAmount: string;
+    slippageBps: number;
+    policyId?: string;
+  }): Promise<PolicyCheckResult> {
+    const { srcChainId, dstChainId, srcToken, dstToken, inputAmount, slippageBps } = params;
+
+    // Check source chain
+    const srcChainCheck = this.checkChainAllowed(srcChainId);
+    if (!srcChainCheck.allowed) return srcChainCheck;
+
+    // Check destination chain
+    const dstChainCheck = this.checkChainAllowed(dstChainId);
+    if (!dstChainCheck.allowed) return dstChainCheck;
+
+    // Check source token
+    const srcTokenCheck = this.checkTokenAllowed(srcChainId, srcToken);
+    if (!srcTokenCheck.allowed) return srcTokenCheck;
+
+    // Check destination token
+    const dstTokenCheck = this.checkTokenAllowed(dstChainId, dstToken);
+    if (!dstTokenCheck.allowed) return dstTokenCheck;
+
+    // Check swap amount limits
+    const amountCheck = this.checkSwapAmount(inputAmount, srcToken);
+    if (!amountCheck.allowed) return amountCheck;
+
+    // Check slippage
+    const slippageCheck = this.checkSlippage(slippageBps);
+    if (!slippageCheck.allowed) return slippageCheck;
+
+    return { allowed: true };
+  }
+
+  // ============================================================================
+  // Money Market Policy Checks
+  // ============================================================================
+
+  /**
+   * Check borrow amount against limits
+   */
+  private checkBorrowAmount(token: string, amount: string, amountUsd?: number): PolicyCheckResult {
+    const { maxBorrowUsd, maxBorrowToken } = this.config;
+
+    // Check per-token limit if configured
+    if (maxBorrowToken) {
+      const maxTokenAmount = maxBorrowToken[token];
+      if (maxTokenAmount !== undefined) {
+        const amountNum = parseFloat(amount);
+        if (amountNum > maxTokenAmount) {
+          return {
+            allowed: false,
+            reason: `Borrow amount ${amount} exceeds maximum ${maxTokenAmount} for token ${token}`,
+            details: { maxAllowed: maxTokenAmount, requested: amountNum },
+          };
+        }
+      }
+    }
+
+    // Check USD limit if amountUsd is provided
+    if (maxBorrowUsd !== undefined && amountUsd !== undefined) {
+      if (amountUsd > maxBorrowUsd) {
+        return {
+          allowed: false,
+          reason: `Borrow amount $${amountUsd} exceeds maximum $${maxBorrowUsd}`,
+          details: { maxAllowed: maxBorrowUsd, requested: amountUsd },
+        };
+      }
+    }
+
+    return { allowed: true };
+  }
+
+  /**
+   * Check a money market operation against all policies
+   */
+  async checkMoneyMarket(params: {
+    walletId: string;
+    chainId: string;
+    dstChainId?: string;
+    token: string;
+    amount: string;
+    amountUsd?: number;
+    operation: 'supply' | 'withdraw' | 'borrow' | 'repay';
+    policyId?: string;
+  }): Promise<PolicyCheckResult> {
+    const { chainId, dstChainId, token, amount, amountUsd, operation } = params;
+
+    // Check source chain
+    const chainCheck = this.checkChainAllowed(chainId);
+    if (!chainCheck.allowed) return chainCheck;
+
+    // Check destination chain if cross-chain operation
+    if (dstChainId) {
+      const dstChainCheck = this.checkChainAllowed(dstChainId);
+      if (!dstChainCheck.allowed) return dstChainCheck;
+    }
+
+    // Check token
+    const tokenCheck = this.checkTokenAllowed(chainId, token);
+    if (!tokenCheck.allowed) return tokenCheck;
+
+    // Operation-specific checks
+    if (operation === 'borrow') {
+      const borrowCheck = this.checkBorrowAmount(token, amount, amountUsd);
+      if (!borrowCheck.allowed) return borrowCheck;
+    }
+
+    return { allowed: true };
+  }
+}

package/src/providers/spokeProviderFactory.ts

@@ -0,0 +1,283 @@
+/**
+ * Spoke Provider Factory
+ *
+ * Creates spoke providers for SODAX operations.
+ * Supports both local key signing and Bankr API execution.
+ * 
+ * Flow:
+ * 1. Resolve wallet by nickname using WalletManager
+ * 2. Check if wallet supports requested chain
+ * 3. For local wallets: use SDK's EvmWalletProvider
+ * 4. For Bankr wallets: use BankrWalletProvider (submits to Bankr API)
+ */
+
+// Official SDK wallet provider
+import { EvmWalletProvider } from '@sodax/wallet-sdk-core';
+
+// Import spoke providers and chain config from SDK
+import { 
+  EvmSpokeProvider, 
+  SonicSpokeProvider,
+  type SpokeProvider 
+} from '@sodax/sdk';
+
+// Import chain configuration from types
+import { spokeChainConfig, type SpokeChainId } from '@sodax/types';
+
+// Import wallet management
+import { getWalletManager, type IWalletBackend, createBankrWalletProvider } from '../wallet';
+import { getWalletAdapter } from '../wallet/skillWalletAdapter';
+import { BANKR_CHAIN_IDS, normalizeChainId, getBankrChainId } from '../wallet/types';
+
+// Cache for providers: Map<cacheKey, SpokeProvider>
+const providerCache = new Map<string, SpokeProvider>();
+
+// Sonic hub chain identifier
+const SONIC_CHAIN_ID = 'sonic';
+
+// Chain ID mapping for SDK (some chains need specific format)
+const CHAIN_ID_MAP: Record<string, SpokeChainId> = {
+  'sonic': 'sonic',
+  'ethereum': 'ethereum',
+  'arbitrum': '0xa4b1.arbitrum',
+  'optimism': '0xa.optimism',
+  'base': '0x2105.base',
+  'polygon': '0x89.polygon',
+  'bsc': '0x38.bsc',
+  'avalanche': '0xa86a.avax',
+  'lightlink': 'lightlink',
+  'hyperevm': 'hyper',
+  'hyper': 'hyper',
+} as Record<string, SpokeChainId>;
+
+/**
+ * Get RPC URL for a chain
+ */
+async function getRpcUrl(chainId: string): Promise<string> {
+  const skillAdapter = getWalletAdapter();
+  return skillAdapter.getRpcUrl(chainId);
+}
+
+/**
+ * Get the SDK chain ID for a given chain
+ */
+function getSdkChainId(chainId: string): SpokeChainId {
+  return (CHAIN_ID_MAP[chainId] || chainId) as SpokeChainId;
+}
+
+/**
+ * Validate that wallet supports the requested chain
+ */
+function validateChainSupport(wallet: IWalletBackend, chainId: string): void {
+  const normalizedForWallet = normalizeChainId(chainId);
+  if (!wallet.supportsChain(normalizedForWallet)) {
+    throw new Error(
+      `Wallet "${wallet.nickname}" doesn't support chain "${chainId}". ` +
+      `Supported chains: ${wallet.supportedChains.join(', ')}. ` +
+      `Try a different wallet.`
+    );
+  }
+}
+
+/**
+ * Create a spoke provider for local key signing
+ */
+async function createLocalSpokeProvider(
+  wallet: IWalletBackend,
+  chainId: string,
+  rpcUrl: string
+): Promise<SpokeProvider> {
+  if (!wallet.getPrivateKey) {
+    throw new Error(`Wallet "${wallet.nickname}" does not support local signing`);
+  }
+
+  const privateKey = await wallet.getPrivateKey();
+  const sdkChainId = getSdkChainId(chainId);
+
+  // Get chain config from SDK
+  const chainConfig = spokeChainConfig[sdkChainId];
+  if (!chainConfig) {
+    throw new Error(`Chain config not found for: ${sdkChainId}. Available: ${Object.keys(spokeChainConfig).join(', ')}`);
+  }
+
+  // Create wallet provider using official SDK
+  const walletProvider = new EvmWalletProvider({
+    privateKey,
+    chainId: sdkChainId,
+    rpcUrl: rpcUrl as `http${string}`,
+  });
+
+  // Use SonicSpokeProvider for Sonic hub chain, EvmSpokeProvider for others
+  if (chainId === SONIC_CHAIN_ID) {
+    console.log('[spokeProviderFactory] Creating SonicSpokeProvider', {
+      wallet: wallet.nickname,
+      chainId,
+    });
+
+    return new SonicSpokeProvider(
+      walletProvider,
+      chainConfig as any,
+      rpcUrl
+    );
+  } else {
+    console.log('[spokeProviderFactory] Creating EvmSpokeProvider', {
+      wallet: wallet.nickname,
+      chainId,
+      sdkChainId,
+    });
+
+    return new EvmSpokeProvider(
+      walletProvider,
+      chainConfig as any,
+      rpcUrl
+    );
+  }
+}
+
+/**
+ * Create a spoke provider for Bankr wallet
+ * Uses BankrWalletProvider which submits transactions to Bankr API
+ */
+async function createBankrSpokeProvider(
+  wallet: IWalletBackend,
+  chainId: string,
+  rpcUrl: string
+): Promise<SpokeProvider> {
+  const sdkChainId = getSdkChainId(chainId);
+  
+  // Normalize chain ID for Bankr lookup (0x2105.base -> base)
+  const normalizedChainId = normalizeChainId(chainId);
+  const numericChainId = getBankrChainId(normalizedChainId);
+  
+  console.log('[spokeProviderFactory] Bankr chain resolution', {
+    input: chainId,
+    normalized: normalizedChainId,
+    numeric: numericChainId,
+  });
+
+  // Get chain config from SDK
+  const chainConfig = spokeChainConfig[sdkChainId];
+  if (!chainConfig) {
+    throw new Error(`Chain config not found for: ${sdkChainId}`);
+  }
+
+  // Get Bankr API key from environment
+  const apiKey = process.env.BANKR_API_KEY;
+  if (!apiKey) {
+    throw new Error('BANKR_API_KEY environment variable not set');
+  }
+
+  // Get the Bankr wallet address (cached after first call)
+  const walletAddress = await wallet.getAddress();
+
+  // Create BankrWalletProvider which implements IEvmWalletProvider
+  const walletProvider = createBankrWalletProvider({
+    apiKey,
+    apiUrl: process.env.BANKR_API_URL,
+    chainId: numericChainId,
+    rpcUrl,
+    cachedAddress: walletAddress,
+  });
+
+  console.log('[spokeProviderFactory] Creating EvmSpokeProvider with Bankr backend', {
+    wallet: wallet.nickname,
+    chainId,
+    sdkChainId,
+    address: walletAddress?.slice(0, 10) + '...',
+  });
+
+  // Use standard EvmSpokeProvider with our BankrWalletProvider
+  // The SDK doesn't care how transactions are signed - it just calls the interface methods
+  return new EvmSpokeProvider(
+    walletProvider as any, // BankrWalletProvider implements IEvmWalletProvider
+    chainConfig as any,
+    rpcUrl
+  );
+}
+
+/**
+ * Create a spoke provider for the given wallet and chain
+ * 
+ * @param walletId - Wallet nickname (e.g., "main", "bankr", "trading")
+ * @param chainId - Chain identifier (e.g., "ethereum", "base")
+ */
+async function createSpokeProvider(
+  walletId: string,
+  chainId: string
+): Promise<SpokeProvider> {
+  // Get wallet from unified manager
+  const walletManager = getWalletManager();
+  const wallet = await walletManager.resolve(walletId);
+  
+  // Validate chain support
+  validateChainSupport(wallet, chainId);
+
+  const rpcUrl = await getRpcUrl(chainId);
+
+  // Route based on wallet type
+  if (wallet.type === 'bankr') {
+    // Use BankrWalletProvider for Bankr wallets
+    return createBankrSpokeProvider(wallet, chainId, rpcUrl);
+  }
+
+  // Local key signing (evm-wallet-skill or env)
+  return createLocalSpokeProvider(wallet, chainId, rpcUrl);
+}
+
+/**
+ * Get a spoke provider for the given wallet and chain
+ * Returns cached provider if available, otherwise creates a new one
+ *
+ * @param walletId - The wallet identifier/nickname
+ * @param chainId - The chain identifier
+ * @param raw - If true, still creates full provider (raw mode not yet supported)
+ * @returns The spoke provider instance
+ */
+export async function getSpokeProvider(
+  walletId: string,
+  chainId: string,
+  raw = false
+): Promise<SpokeProvider> {
+  const cacheKey = `${walletId}:${chainId}`;
+
+  // Check cache
+  const cached = providerCache.get(cacheKey);
+  if (cached) {
+    console.log('[spokeProviderFactory] Using cached provider', {
+      walletId,
+      chainId,
+    });
+    return cached;
+  }
+
+  // Create new provider
+  const provider = await createSpokeProvider(walletId, chainId);
+
+  // Cache the provider
+  providerCache.set(cacheKey, provider);
+
+  return provider;
+}
+
+/**
+ * Clear the provider cache
+ * Useful for testing or when wallet configuration changes
+ */
+export function clearProviderCache(): void {
+  providerCache.clear();
+  console.log('[spokeProviderFactory] Provider cache cleared');
+}
+
+/**
+ * Get cache statistics
+ * @returns Object with cache size and keys
+ */
+export function getCacheStats(): { size: number; keys: string[] } {
+  return {
+    size: providerCache.size,
+    keys: Array.from(providerCache.keys()),
+  };
+}
+
+// Export the type for use in other modules
+export type { SpokeProvider };