safehands-pharos 1.2.0 → 1.2.4

package/dist/lib/testTools.js

@@ -1,389 +1,398 @@
-// ─── SafeHands — Full 17-Tool Integration Test ────────────────────────
-import { readFileSync } from "fs";
-import { resolve } from "path";
-import { publicClient } from "../lib/pharosClient.js";
-import { formatEther, defineChain, createWalletClient, http, publicActions } from "viem";
-import { privateKeyToAccount } from "viem/accounts";
+// ─── SafeHands — Non-destructive smoke test for tool handlers ───────────
+// This script intentionally avoids broadcasting transactions. It checks that
+// tool handlers can be invoked safely and return predictable AI-readable data
+// or structured failures when external services/env vars are unavailable.
+// ────────────────────────────────────────────────────────────────────────
 import express from "express";
-import { x402Facilitator } from "@x402/core/facilitator";
-import { toFacilitatorEvmSigner } from "@x402/evm";
-import { ExactEvmScheme as FacilitatorExactEvmScheme } from "@x402/evm/exact/facilitator";
-import { ExactEvmScheme as ServerExactEvmScheme } from "@x402/evm/exact/server";
-import { HTTPFacilitatorClient } from "@x402/core/server";
-import { paymentMiddleware, x402ResourceServer } from "@x402/express";
 import { handleAssessRisk } from "../tools/assessRisk.js";
 import { handleExecuteSwap } from "../tools/executeSwap.js";
 import { handleSendPayment } from "../tools/sendPayment.js";
 import { handleSimulateTransaction } from "../tools/simulateTransaction.js";
-import { handleGetExecutionHistory } from "../tools/getExecutionHistory.js";
 import { handleGetTokenPrice } from "../tools/getTokenPrice.js";
 import { handleGetWalletBalance } from "../tools/getWalletBalance.js";
-import { handleCheckAllowance } from "../tools/checkAllowance.js";
-import { handleGetTransactionStatus } from "../tools/getTransactionStatus.js";
 import { handleEstimateGas } from "../tools/estimateGas.js";
 import { handlePublishRiskScore } from "../tools/publishRiskScore.js";
-import { handleQueryRiskRegistry } from "../tools/queryRiskRegistry.js";
 import { handleApproveToken } from "../tools/approveToken.js";
-import { handleGetGasPrice } from "../tools/getGasPrice.js";
-import { handleGetPoolInfo } from "../tools/getPoolInfo.js";
 import { handleCheckTokenSecurity } from "../tools/checkTokenSecurity.js";
 import { handleX402PayAndFetch } from "../tools/x402PayAndFetch.js";
-// ─── Load .env ─────────────────────────────────────────────────────────
-function loadEnv() {
-    const f = readFileSync(resolve(process.cwd(), ".env"), "utf-8");
-    const v = {};
-    for (const l of f.split("\n")) {
-        const t = l.trim();
-        if (!t || t.startsWith("#"))
-            continue;
-        const i = t.indexOf("=");
-        if (i === -1)
-            continue;
-        v[t.slice(0, i).trim()] = t.slice(i + 1).trim();
-    }
-    return v;
+import { fail, ok } from "./toolResponse.js";
+import { handleSafeHandsPreflightCheck } from "../tools/safehandsPreflightCheck.js";
+import { handleSafeHandsX402Preflight } from "../tools/safehandsX402Preflight.js";
+import { handleSafeHandsWalletHealth } from "../tools/safehandsWalletHealth.js";
+import { handleSafeHandsRiskReport } from "../tools/safehandsRiskReport.js";
+import { handleExplainRisk } from "../tools/explainRisk.js";
+import { handleTokenRegistryStatus } from "../tools/tokenRegistryStatus.js";
+import { handleCreateAgentWallet } from "../tools/createAgentWallet.js";
+import { handleGetAgentWallet } from "../tools/getAgentWallet.js";
+import { getSigner, isSignerFailure } from "./signer/index.js";
+import { USDC_ADDRESS } from "./constants.js";
+import { existsSync, readdirSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { spawnSync } from "node:child_process";
+const WALLET = process.env.WALLET_ADDRESS || "0x0000000000000000000000000000000000000001";
+const RECIPIENT = "0x000000000000000000000000000000000000dEaD";
+const TEST_TX = "0x0000000000000000000000000000000000000000000000000000000000000000";
+const rows = [];
+function isStructured(value) {
+    return !!value && typeof value === "object" && "success" in value && "error" in value && "timestamp" in value;
 }
-const env = loadEnv();
-const PK = env.PRIVATE_KEY;
-const WALLET = env.WALLET_ADDRESS;
-// ─── Results tracker ───────────────────────────────────────────────────
-const results = [];
-let swapTxHash = "";
-function ok(tool, key) { results.push({ tool, status: "✅ PASS", key }); }
-function fail(tool, key) { results.push({ tool, status: "❌ FAIL", key }); }
-// ─── Tests ─────────────────────────────────────────────────────────────
-async function run() {
-    console.log("\n🛡️  SafeHands — 17-Tool Integration Test");
-    console.log("─".repeat(64));
-    const bal = formatEther(await publicClient.getBalance({ address: WALLET }));
-    console.log(`  Wallet:  ${WALLET}\n  Balance: ${bal} PHRS\n`);
-    // 1. assess_risk
-    try {
-        const r = await handleAssessRisk({ action: "swap", tokenIn: "PHRS", tokenOut: "USDC", amount: "0.01" });
-        console.log(`1.  assess_risk          → score=${r.riskScore} level=${r.riskLevel}`);
-        ok("assess_risk", `score=${r.riskScore}, ${r.riskLevel}, ${r.recommendation}`);
-    }
-    catch (e) {
-        console.log(`1.  assess_risk          → ❌`);
-        fail("assess_risk", e.message);
-    }
-    // 2. simulate_transaction (swap)
-    try {
-        const r = await handleSimulateTransaction({ action: "swap", tokenIn: "PHRS", tokenOut: "USDC", amount: "0.01" });
-        console.log(`2.  simulate_tx (swap)   → success=${r.wouldSucceed} gas=${r.gasEstimate}`);
-        ok("simulate_transaction", `wouldSucceed=${r.wouldSucceed}, gas=${r.gasEstimate}`);
-    }
-    catch (e) {
-        console.log(`2.  simulate_tx          → ❌`);
-        fail("simulate_transaction", e.message);
-    }
-    // 3. simulate_transaction (transfer)
-    try {
-        const r = await handleSimulateTransaction({ action: "transfer", amount: "0.001", toAddress: "0x000000000000000000000000000000000000dEaD" });
-        console.log(`3.  simulate_tx (xfer)   → success=${r.wouldSucceed} gas=${r.gasEstimate}`);
-        ok("simulate_tx (xfer)", `wouldSucceed=${r.wouldSucceed}, gas=${r.gasEstimate}`);
-    }
-    catch (e) {
-        console.log(`3.  simulate_tx (xfer)   → ❌`);
-        fail("simulate_tx (xfer)", e.message);
-    }
-    // 4. get_token_price
-    try {
-        const r = await handleGetTokenPrice({ token: "PHRS" });
-        console.log(`4.  get_token_price      → PHRS=$${r.priceUsd}`);
-        ok("get_token_price", `PHRS=$${r.priceUsd}`);
-    }
-    catch (e) {
-        console.log(`4.  get_token_price      → ❌`);
-        fail("get_token_price", e.message);
-    }
-    // 5. get_wallet_balance
-    try {
-        const r = await handleGetWalletBalance({ walletAddress: WALLET });
-        console.log(`5.  get_wallet_balance   → PHRS=${r.balances.PHRS.balance} USDC=${r.balances.USDC.balance} USDT=${r.balances.USDT.balance}`);
-        ok("get_wallet_balance", `PHRS=${r.balances.PHRS.balance}, USDC=${r.balances.USDC.balance}, total=$${r.totalUsd}`);
-    }
-    catch (e) {
-        console.log(`5.  get_wallet_balance   → ❌`);
-        fail("get_wallet_balance", e.message);
-    }
-    // 6. check_allowance
-    try {
-        const r = await handleCheckAllowance({ token: "USDC" });
-        console.log(`6.  check_allowance      → USDC allowance=${r.allowance} needsApproval=${r.needsApproval}`);
-        ok("check_allowance", `allowance=${r.allowance}, needsApproval=${r.needsApproval}`);
-    }
-    catch (e) {
-        console.log(`6.  check_allowance      → ❌`);
-        fail("check_allowance", e.message);
-    }
-    // 7. estimate_gas (swap)
-    try {
-        const r = await handleEstimateGas({ walletAddress: WALLET, action: "swap", tokenIn: "PHRS", tokenOut: "USDC", amount: "0.01" });
-        console.log(`7.  estimate_gas         → gas=${r.gasEstimate} cost=${r.gasCostPHRS} PHRS`);
-        ok("estimate_gas", `gas=${r.gasEstimate}, cost=${r.gasCostPHRS} PHRS, sufficient=${r.isSufficient}`);
-    }
-    catch (e) {
-        console.log(`7.  estimate_gas         → ❌`);
-        fail("estimate_gas", e.message);
-    }
-    // 8. get_gas_price
-    try {
-        const r = await handleGetGasPrice({});
-        console.log(`8.  get_gas_price        → ${r.gasPriceGwei} Gwei, trend=${r.trend}`);
-        ok("get_gas_price", `${r.gasPriceGwei} Gwei, trend=${r.trend}`);
-    }
-    catch (e) {
-        console.log(`8.  get_gas_price        → ❌`);
-        fail("get_gas_price", e.message);
-    }
-    // 9. get_pool_info
-    try {
-        const r = await handleGetPoolInfo({ tokenA: "PHRS", tokenB: "USDC" });
-        const ratio = r.available ? r.priceRatio : "no pool";
-        console.log(`9.  get_pool_info        → ${ratio}`);
-        ok("get_pool_info", `available=${r.available}, ${ratio}`);
-    }
-    catch (e) {
-        console.log(`9.  get_pool_info        → ❌`);
-        fail("get_pool_info", e.message);
-    }
-    // 10. execute_swap (LIVE — 0.01 PHRS → USDC)
-    try {
-        const r = await handleExecuteSwap({ tokenIn: "PHRS", tokenOut: "USDC", amountIn: "0.01" });
-        if (r.success) {
-            swapTxHash = r.txHash;
-            console.log(`10. execute_swap         → ✅ out=${r.amountOut} USDC tx=${r.txHash.slice(0, 18)}...`);
-            ok("execute_swap", `out=${r.amountOut} USDC, tx=${r.txHash}`);
-        }
-        else {
-            console.log(`10. execute_swap         → not executed: ${r.error}`);
-            ok("execute_swap", `handled: ${r.error}`);
+function normalize(value) {
+    if (isStructured(value))
+        return value;
+    return ok(value);
+}
+function readAllToolSourceFiles() {
+    const root = join(process.cwd(), "src", "tools");
+    const out = [];
+    function walk(dir) {
+        for (const entry of readdirSync(dir, { withFileTypes: true })) {
+            const full = join(dir, entry.name);
+            if (entry.isDirectory())
+                walk(full);
+            else if (entry.isFile() && entry.name.endsWith(".ts")) {
+                const rel = full.replace(process.cwd(), "").replace(/^[\\/]/, "").replace(/\\/g, "/");
+                out.push({ path: rel, content: readFileSync(full, "utf8") });
+            }
         }
     }
-    catch (e) {
-        console.log(`10. execute_swap         → ❌`);
-        fail("execute_swap", e.message);
-    }
-    // 11. send_payment (LIVE — 0.001 PHRS)
+    walk(root);
+    return out;
+}
+function runBuiltCli(args) {
+    const entry = join(process.cwd(), "dist", "index.js");
+    if (!existsSync(entry))
+        return fail("CLI_DIST_MISSING", "Run npm run build before CLI smoke tests.", false, "cli_smoke");
+    const result = spawnSync(process.execPath, [entry, ...args], {
+        cwd: process.cwd(),
+        env: { ...process.env, WALLET_MODE: "none", WRITE_TOOLS_ENABLED: "false", PRIVATE_KEY: "" },
+        encoding: "utf8",
+    });
+    const stdout = result.stdout.trim();
     try {
-        const r = await handleSendPayment({ toAddress: "0x000000000000000000000000000000000000dEaD", amount: "0.001" });
-        if (r.success) {
-            console.log(`11. send_payment         → ✅ tx=${r.txHash.slice(0, 18)}...`);
-            ok("send_payment", `sent 0.001 PHRS, tx=${r.txHash}`);
-        }
-        else {
-            console.log(`11. send_payment         → not sent: ${r.error}`);
-            ok("send_payment", `handled: ${r.error}`);
-        }
+        return JSON.parse(stdout);
     }
-    catch (e) {
-        console.log(`11. send_payment         → ❌`);
-        fail("send_payment", e.message);
+    catch {
+        return fail("CLI_INVALID_STDOUT", `exit=${result.status} stdout=${stdout.slice(0, 240)} stderr=${result.stderr.slice(0, 240)}`, false, "cli_smoke");
     }
-    // 12. approve_token (LIVE — approve 100 USDC)
+}
+function runBuiltCliRaw(args) {
+    const entry = join(process.cwd(), "dist", "index.js");
+    if (!existsSync(entry))
+        return { status: 127, stdout: "", stderr: "dist/index.js missing" };
+    const result = spawnSync(process.execPath, [entry, ...args], {
+        cwd: process.cwd(),
+        env: { ...process.env, WALLET_MODE: "none", WRITE_TOOLS_ENABLED: "false", PRIVATE_KEY: "", X402_SIGNER_PRIVATE_KEY: "" },
+        encoding: "utf8",
+        timeout: 60_000,
+    });
+    return { status: result.status, stdout: result.stdout, stderr: result.stderr };
+}
+function runNpmPackDryRun() {
+    const result = spawnSync("npm", ["pack", "--dry-run", "--json"], {
+        cwd: process.cwd(),
+        encoding: "utf8",
+        timeout: 60_000,
+        shell: true,
+    });
+    if (result.status !== 0 || result.error)
+        return fail("NPM_PACK_DRY_RUN_FAILED", result.error?.message || result.stderr || result.stdout, false, "npm_pack");
     try {
-        const r = await handleApproveToken({ token: "USDC", amount: "100" });
-        if (r.success) {
-            console.log(`12. approve_token        → ✅ tx=${r.txHash.slice(0, 18)}...`);
-            ok("approve_token", `approved 100 USDC, tx=${r.txHash}`);
-        }
-        else {
-            console.log(`12. approve_token        → not approved: ${r.error}`);
-            fail("approve_token", r.error || "unknown");
-        }
+        const parsed = JSON.parse(result.stdout.trim());
+        const files = (parsed[0]?.files || []).map((f) => f.path);
+        const unsafeExact = new Set([".env", ".env.local", "wallet-store.json"]);
+        const unsafe = files.filter((file) => unsafeExact.has(file) ||
+            file.endsWith(".pem") ||
+            file.endsWith(".key") ||
+            file.includes("node_modules/") ||
+            file.startsWith("logs/") ||
+            file.endsWith(".log"));
+        return unsafe.length ? fail("NPM_PACK_UNSAFE_FILES", unsafe.join(", "), false, "npm_pack") : ok({ totalFiles: files.length, unsafe, includesEnvExample: files.includes(".env.example") });
+    }
+    catch (err) {
+        return fail("NPM_PACK_PARSE_FAILED", err instanceof Error ? err.message : String(err), false, "npm_pack");
     }
-    catch (e) {
-        console.log(`12. approve_token        → ❌`);
-        fail("approve_token", e.message);
+}
+function hasAll(text, parts) {
+    return parts.every((part) => text.includes(part));
+}
+function summarize(value) {
+    if (!value.success)
+        return `${value.error.code}: ${value.error.message}`;
+    if (value.data && typeof value.data === "object") {
+        const keys = Object.keys(value.data).slice(0, 6).join(", ");
+        return `success data keys: ${keys || "none"}`;
+    }
+    return "success";
+}
+async function record(tool, fn, expect) {
+    try {
+        const result = normalize(await fn());
+        const passed = expect ? expect(result) : true;
+        rows.push({ tool, status: passed ? "PASS" : "FAIL", note: summarize(result) });
+    }
+    catch (err) {
+        const result = fail("SMOKE_TEST_HANDLER_THROW", err instanceof Error ? err.message : String(err), false, tool);
+        const passed = expect ? expect(result) : false;
+        rows.push({
+            tool,
+            status: passed ? "PASS" : "FAIL",
+            note: summarize(result),
+        });
     }
-    // 13. get_transaction_status (use swap tx if we got one, else a known tx)
+}
+async function withLocalServer(handler) {
+    const app = express();
+    app.get("/supported", (_req, res) => {
+        res.json({ ok: true, kinds: [{ x402Version: 2, scheme: "exact", network: "eip155:688689" }] });
+    });
+    const server = await new Promise((resolve) => {
+        const instance = app.listen(0, "127.0.0.1", () => resolve(instance));
+    });
     try {
-        const hash = swapTxHash || "0xe628679b65f8c5d34cc570ba16292f972ae8c38687fb4931a69ef63d37ff119d";
-        const r = await handleGetTransactionStatus({ txHash: hash });
-        console.log(`13. get_tx_status        → status=${r.status} block=${r.blockNumber}`);
-        ok("get_transaction_status", `status=${r.status}, block=${r.blockNumber}`);
+        const address = server.address();
+        if (!address || typeof address === "string")
+            throw new Error("Failed to open local test server");
+        return await handler(`http://127.0.0.1:${address.port}/supported`);
     }
-    catch (e) {
-        console.log(`13. get_tx_status        → ❌`);
-        fail("get_transaction_status", e.message);
+    finally {
+        if ("closeAllConnections" in server)
+            server.closeAllConnections();
+        await new Promise((resolve, reject) => server.close((err) => (err ? reject(err) : resolve())));
     }
-    // 14. publish_risk_score (LIVE — publish to registry)
-    try {
-        const r = await handlePublishRiskScore({ action: "swap", tokenIn: "PHRS", tokenOut: "USDC", amount: "1" });
-        if (r.success && r.onChain) {
-            console.log(`14. publish_risk_score   → ✅ score=${r.assessment.riskScore} tx=${r.onChain.txHash.slice(0, 18)}...`);
-            ok("publish_risk_score", `score=${r.assessment.riskScore}, tx=${r.onChain.txHash}`);
+}
+async function run() {
+    console.log("\n🛡️  SafeHands — non-destructive tool smoke test");
+    console.log(`Wallet used for dry/smoke checks: ${WALLET}`);
+    await record("assess_risk_validation", () => handleAssessRisk({ action: "swap", amount: "0.001", walletAddress: WALLET }), (res) => !res.success && res.error.code === "SMOKE_TEST_HANDLER_THROW");
+    await record("simulate_transaction_validation", () => handleSimulateTransaction({ action: "transfer", amount: "0.001", walletAddress: WALLET }));
+    await record("get_token_price_public_mode", () => handleGetTokenPrice({ token: "PHRS" }), (res) => (res.success && typeof res.data === "object" && res.data !== null && "publicMode" in res.data) ||
+        (!res.success && ["DODO_API_AUTH_REQUIRED", "DODO_API_UNAVAILABLE", "DODO_API_TIMEOUT", "DODO_API_RATE_LIMITED"].includes(res.error.code)));
+    await record("get_wallet_balance_invalid_wallet", () => handleGetWalletBalance({ walletAddress: "not-an-address" }), (res) => !res.success && res.error.code === "INVALID_WALLET_ADDRESS");
+    await record("estimate_gas_invalid_wallet", () => handleEstimateGas({ walletAddress: "not-an-address", action: "transfer", amount: "0.001", toAddress: RECIPIENT }), (res) => !res.success && res.error.code === "INVALID_WALLET_ADDRESS");
+    await record("check_token_security_invalid_address", () => handleCheckTokenSecurity({ tokenAddress: "not-an-address" }), (res) => !res.success && res.error.code === "INVALID_TOKEN_ADDRESS");
+    await record("execute_swap_guard", () => handleExecuteSwap({ tokenIn: "PHRS", tokenOut: "USDC", amountIn: "0.001" }), (res) => !res.success && res.error.code === "WRITE_TOOLS_DISABLED");
+    await record("send_payment_guard", () => handleSendPayment({ toAddress: RECIPIENT, amount: "0.001" }), (res) => !res.success && res.error.code === "WRITE_TOOLS_DISABLED");
+    await record("approve_token_guard", () => handleApproveToken({ token: "USDC", amount: "max" }), (res) => !res.success && res.error.code === "WRITE_TOOLS_DISABLED");
+    await record("publish_risk_score_guard", () => handlePublishRiskScore({ action: "transfer", amount: "0.001", toAddress: RECIPIENT }), (res) => !res.success && res.error.code === "WRITE_TOOLS_DISABLED");
+    await record("x402_ssrf_block", () => handleX402PayAndFetch({ url: "http://127.0.0.1:4021/supported" }), (res) => !res.success && res.error.code === "SSRF_BLOCKED");
+    await record("x402_free_local_allowed", async () => withLocalServer(async (url) => {
+        const previous = process.env.ALLOW_LOCAL_X402_FETCH;
+        process.env.ALLOW_LOCAL_X402_FETCH = "true";
+        try {
+            return await handleX402PayAndFetch({ url });
         }
-        else {
-            console.log(`14. publish_risk_score   → ${r.error}`);
-            fail("publish_risk_score", r.error || "unknown");
+        finally {
+            if (previous === undefined)
+                delete process.env.ALLOW_LOCAL_X402_FETCH;
+            else
+                process.env.ALLOW_LOCAL_X402_FETCH = previous;
         }
-    }
-    catch (e) {
-        console.log(`14. publish_risk_score   → ❌`);
-        fail("publish_risk_score", e.message);
-    }
-    // 15. query_risk_registry
-    try {
-        const r = await handleQueryRiskRegistry({ walletAddress: WALLET });
-        if (r.found && r.record) {
-            console.log(`15. query_risk_registry  → score=${r.record.score} level=${r.record.riskLevel}`);
-            ok("query_risk_registry", `score=${r.record.score}, level=${r.record.riskLevel}, ts=${r.record.timestamp}`);
+    }), (res) => res.success === true && res.data.paymentExecuted === false);
+    await record("safehands_preflight_allow", () => handleSafeHandsPreflightCheck({ actionType: "send_payment", amount: "0.001", recipient: RECIPIENT, chainId: 688689, isMainnet: false }), (res) => res.success && res.data.decision !== "BLOCK");
+    await record("safehands_preflight_block_mainnet", () => handleSafeHandsPreflightCheck({ actionType: "send_payment", amount: "0.001", recipient: RECIPIENT, chainId: 1, isMainnet: true }), (res) => res.success && res.data.decision === "BLOCK" && res.data.riskLevel !== "LOW");
+    await record("safehands_preflight_block_unlimited_approval", () => handleSafeHandsPreflightCheck({ actionType: "approve_token", approvalAmount: "max", spender: RECIPIENT }), (res) => res.success && res.data.decision === "BLOCK");
+    await record("token_registry_status_canonical_usdc", () => handleTokenRegistryStatus({ token: USDC_ADDRESS }), (res) => res.success && res.data.status === "SKILL_ENGINE_CANONICAL_TOKEN" && res.data.verificationStatus === "DOCS_VERIFIED_FROM_PHAROS_SKILL_ENGINE");
+    await record("token_registry_status_custom_token", () => handleTokenRegistryStatus({ token: RECIPIENT }), (res) => res.success && res.data.status === "CUSTOM_NON_REGISTRY");
+    await record("token_registry_status_invalid", () => handleTokenRegistryStatus({ token: "not-an-address" }), (res) => res.success && res.data.status === "INVALID_ADDRESS");
+    await record("safehands_x402_preflight_ssrf", () => handleSafeHandsX402Preflight({ url: "http://127.0.0.1:4021/supported" }), (res) => !res.success && res.error.code === "SSRF_BLOCKED");
+    await record("safehands_wallet_health_no_wallet", () => handleSafeHandsWalletHealth({}), (res) => res.success && ["NOT_READY", "DEGRADED"].includes(String(res.data.status)));
+    await record("safehands_risk_report", () => handleSafeHandsRiskReport({ actionType: "approve_token", approvalAmount: "max", spender: RECIPIENT }), (res) => res.success && typeof res.data.summary === "string" && res.data.decision === "BLOCK");
+    await record("explain_risk", () => handleExplainRisk({ decision: "BLOCK", riskLevel: "HIGH", reasons: ["Unlimited approval requested"], requiredActions: ["Use limited approval"] }), (res) => res.success && String(res.data.explanation).includes("blocked"));
+    await record("managed_wallet_signer_deobfuscates", async () => {
+        const prevMode = process.env.WALLET_MODE;
+        const prevKey = process.env.WALLET_ENCRYPTION_KEY;
+        process.env.WALLET_MODE = "managed-testnet";
+        process.env.WALLET_ENCRYPTION_KEY = "test-only-key-for-smoke";
+        try {
+            const created = await handleCreateAgentWallet({ agentId: "smoke-agent", overwrite: true });
+            if (!created.success)
+                return created;
+            const signer = await getSigner("smoke-agent");
+            if (isSignerFailure(signer))
+                return fail(signer.error.code, signer.error.message, false, "managed_wallet_signer");
+            return ok({ address: signer.address, mode: signer.mode });
         }
-        else {
-            console.log(`15. query_risk_registry  → not found`);
-            ok("query_risk_registry", "no record (expected if never published)");
+        finally {
+            if (prevMode === undefined)
+                delete process.env.WALLET_MODE;
+            else
+                process.env.WALLET_MODE = prevMode;
+            if (prevKey === undefined)
+                delete process.env.WALLET_ENCRYPTION_KEY;
+            else
+                process.env.WALLET_ENCRYPTION_KEY = prevKey;
         }
-    }
-    catch (e) {
-        console.log(`15. query_risk_registry  → ❌`);
-        fail("query_risk_registry", e.message);
-    }
-    // 16. check_token_security (GoPlus API — check mainnet USDC)
-    try {
-        const r = await handleCheckTokenSecurity({ tokenAddress: "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48", chainId: 1 });
-        if (r.success && r.securityProfile) {
-            console.log(`16. check_token_sec      → ✅ safetyScore=${r.securityProfile.safetyScore}`);
-            ok("check_token_security", `score=${r.securityProfile.safetyScore}, honeypot=${r.securityProfile.isHoneypot}`);
+    }, (res) => res.success && res.data.mode === "managed-testnet");
+    await record("private_key_never_returned_in_wallet_response", async () => {
+        const prevMode = process.env.WALLET_MODE;
+        const prevKey = process.env.WALLET_ENCRYPTION_KEY;
+        process.env.WALLET_MODE = "managed-testnet";
+        process.env.WALLET_ENCRYPTION_KEY = "test-only-key-for-smoke";
+        try {
+            const created = await handleCreateAgentWallet({ agentId: "smoke-agent-no-key", overwrite: true });
+            const wallet = await handleGetAgentWallet({ agentId: "smoke-agent-no-key" });
+            return ok({ created, wallet, serialized: JSON.stringify({ created, wallet }) });
         }
-        else {
-            console.log(`16. check_token_sec      → ${r.error}`);
-            fail("check_token_security", r.error || "unknown");
+        finally {
+            if (prevMode === undefined)
+                delete process.env.WALLET_MODE;
+            else
+                process.env.WALLET_MODE = prevMode;
+            if (prevKey === undefined)
+                delete process.env.WALLET_ENCRYPTION_KEY;
+            else
+                process.env.WALLET_ENCRYPTION_KEY = prevKey;
         }
-    }
-    catch (e) {
-        console.log(`16. check_token_sec      → ❌`);
-        fail("check_token_security", e.message);
-    }
-    // 17. x402_pay_and_fetch (E2E payment verification loop)
-    try {
-        const testPort = 4022;
-        const testApp = express();
-        testApp.use(express.json());
-        const pharos = defineChain({
-            id: 688_689,
-            name: "Pharos Atlantic",
-            nativeCurrency: { name: "PHRS", symbol: "PHRS", decimals: 18 },
-            rpcUrls: { default: { http: ["https://atlantic.dplabs-internal.com/"] } },
-            testnet: true,
-        });
-        const account = privateKeyToAccount(PK);
-        const walletClient = createWalletClient({
-            account,
-            chain: pharos,
-            transport: http(undefined, { timeout: 30_000 }),
-        }).extend(publicActions);
-        const evmSigner = toFacilitatorEvmSigner({
-            address: account.address,
-            getCode: (args) => walletClient.getCode(args),
-            readContract: (args) => walletClient.readContract({ ...args, args: args.args || [] }),
-            verifyTypedData: (args) => walletClient.verifyTypedData(args),
-            writeContract: (args) => walletClient.writeContract({ ...args, args: args.args || [] }),
-            sendTransaction: (args) => walletClient.sendTransaction(args),
-            waitForTransactionReceipt: (args) => walletClient.waitForTransactionReceipt(args),
-        });
-        const testFacilitator = new x402Facilitator();
-        testFacilitator.register("eip155:688689", new FacilitatorExactEvmScheme(evmSigner, {}));
-        const testFacilitatorClient = new HTTPFacilitatorClient({ url: `http://localhost:${testPort}` });
-        const testResourceServer = new x402ResourceServer(testFacilitatorClient);
-        const testEvmScheme = new ServerExactEvmScheme();
-        testEvmScheme.registerMoneyParser(async (amount, network) => {
-            if (network === "eip155:688689") {
-                return {
-                    amount: Math.round(amount * 1e6).toString(),
-                    asset: "0xcfC8330f4BCAB529c625D12781b1C19466A9Fc8B",
-                    extra: { token: "USDC", name: "USDC", version: "2" },
-                };
-            }
-            return null;
-        });
-        testResourceServer.register("eip155:688689", testEvmScheme);
-        testApp.post("/verify", async (req, res) => {
-            try {
-                const { paymentPayload, paymentRequirements } = req.body;
-                const result = await testFacilitator.verify(paymentPayload, paymentRequirements);
-                res.json(result);
+    }, (res) => res.success && !String(res.data.serialized).toLowerCase().includes("privatekey") && !String(res.data.serialized).toLowerCase().includes("encryptedkey"));
+    await record("write_tools_use_signer_provider", async () => {
+        const offenders = readAllToolSourceFiles()
+            .filter((f) => /process\.env\.PRIVATE_KEY/.test(f.content) && !f.path.endsWith("x402Server.ts"))
+            .map((f) => f.path);
+        return offenders.length ? fail("PRIVATE_KEY_DIRECT_USAGE", offenders.join(", "), false, "source_scan") : ok({ offenders });
+    }, (res) => res.success);
+    await record("no_private_key_usage_outside_signer_provider", async () => {
+        const root = join(process.cwd(), "src");
+        const offenders = [];
+        function walk(dir) {
+            for (const entry of readdirSync(dir, { withFileTypes: true })) {
+                const full = join(dir, entry.name);
+                if (entry.isDirectory())
+                    walk(full);
+                else if (entry.isFile() && entry.name.endsWith(".ts")) {
+                    const rel = full.replace(process.cwd(), "").replace(/^[\\/]/, "").replace(/\\/g, "/");
+                    if (rel.startsWith("src/lib/signer/"))
+                        continue;
+                    const content = readFileSync(full, "utf8");
+                    if (/process\.env\.PRIVATE_KEY/.test(content))
+                        offenders.push(rel);
+                }
             }
-            catch (e) {
-                res.status(500).json({ error: e.message });
-            }
-        });
-        testApp.post("/settle", async (req, res) => {
-            try {
-                const { paymentPayload, paymentRequirements } = req.body;
-                const result = await testFacilitator.settle(paymentPayload, paymentRequirements);
-                res.json(result);
-            }
-            catch (e) {
-                res.status(500).json({ error: e.message });
-            }
-        });
-        testApp.get("/supported", (req, res) => {
-            res.json(testFacilitator.getSupported());
-        });
-        testApp.use(paymentMiddleware({
-            "GET /test-paid": {
-                accepts: {
-                    scheme: "exact",
-                    price: "0.001",
-                    network: "eip155:688689",
-                    payTo: WALLET,
-                },
-                description: "Test paid endpoint",
-                mimeType: "application/json",
-            },
-        }, testResourceServer));
-        testApp.get("/test-paid", (req, res) => {
-            res.json({ secret: "safehands-x402-passphrase" });
-        });
-        const serverListener = testApp.listen(testPort);
-        const r = await handleX402PayAndFetch({
-            url: `http://localhost:${testPort}/test-paid`,
-            method: "GET",
-        });
-        serverListener.close();
-        if (r.success && r.data && r.data.secret === "safehands-x402-passphrase") {
-            console.log(`17. x402_pay_and_fetch    → ✅ success, payment=${r.paymentExecuted}`);
-            ok("x402_pay_and_fetch", `paymentExecuted=${r.paymentExecuted}`);
         }
-        else {
-            console.log(`17. x402_pay_and_fetch    → ❌`);
-            fail("x402_pay_and_fetch", r.error || "status mismatch");
-        }
-    }
-    catch (e) {
-        console.log(`17. x402_pay_and_fetch    → ❌`);
-        fail("x402_pay_and_fetch", e.message);
-    }
-    // 18. get_execution_history (last — slowest due to scan)
-    try {
-        const r = await handleGetExecutionHistory({ walletAddress: WALLET, limit: 5, filter: "all" });
-        console.log(`18. get_exec_history     → ${r.totalFetched} txs found`);
-        ok("get_execution_history", `${r.totalFetched} txs`);
-    }
-    catch (e) {
-        console.log(`18. get_exec_history     → ❌`);
-        fail("get_execution_history", e.message);
-    }
-    // ─── Summary ──────────────────────────────────────────────────────────
-    const postBal = formatEther(await publicClient.getBalance({ address: WALLET }));
-    console.log("\n" + "═".repeat(90));
-    console.log("  #  │ Status  │ Tool                    │ Key Output");
-    console.log("─".repeat(90));
-    results.forEach((r, i) => {
-        const num = String(i + 1).padStart(3);
-        const tool = r.tool.padEnd(24);
-        const key = r.key.length > 46 ? r.key.slice(0, 43) + "..." : r.key;
-        console.log(`${num} │ ${r.status} │ ${tool}│ ${key}`);
+        walk(root);
+        return offenders.length ? fail("PRIVATE_KEY_DIRECT_USAGE", offenders.join(", "), false, "source_scan") : ok({ offenders });
+    }, (res) => res.success);
+    await record("skill_cli_preflight_valid_json", async () => runBuiltCli(["skill", "safehands_preflight_check", "--input-json", JSON.stringify({ actionType: "send_payment", chainId: 688689, isMainnet: false, amount: "0.001", recipient: RECIPIENT })]), (res) => res.success && res.data.decision !== undefined && res.data.chainId === 688689);
+    await record("skill_cli_invalid_json_structured_error", async () => runBuiltCli(["skill", "safehands_preflight_check", "--input-json", "{not-json"]), (res) => !res.success && res.error.code === "INVALID_INPUT_JSON" && res.error.source === "safehands_cli");
+    await record("skill_cli_readonly_without_private_key", async () => runBuiltCli(["skill", "token_registry_status", "--input-json", JSON.stringify({ token: USDC_ADDRESS })]), (res) => res.success && res.data.status === "SKILL_ENGINE_CANONICAL_TOKEN");
+    await record("skill_engine_example_files_exist", async () => {
+        const files = [
+            "examples/pharos-skill-engine/SKILL.safehands.md",
+            "examples/pharos-skill-engine/references/safehands.md",
+            "examples/pharos-skill-engine/assets/safehands/policy-defaults.json",
+            "examples/pharos-skill-engine/assets/safehands/example-actions.json",
+        ];
+        const missing = files.filter((file) => !existsSync(join(process.cwd(), file)));
+        return missing.length ? fail("SKILL_ENGINE_FILES_MISSING", missing.join(", "), false, "skill_engine_examples") : ok({ files });
+    }, (res) => res.success);
+    await record("skill_engine_reference_required_sections", async () => {
+        const text = readFileSync(join(process.cwd(), "examples/pharos-skill-engine/references/safehands.md"), "utf8");
+        const required = [
+            "## Overview",
+            "## Command Template",
+            "## SafeHands Preflight Check",
+            "## SafeHands x402 Preflight",
+            "## SafeHands Wallet Health",
+            "## Token Registry Status",
+            "## Explain Risk",
+            "## SafeHands Risk Report",
+            "### Error Handling",
+            "### Agent Guidelines",
+        ];
+        return hasAll(text, required) ? ok({ required }) : fail("SKILL_ENGINE_REFERENCE_INCOMPLETE", "Missing one or more required reference sections.", false, "skill_engine_examples");
+    }, (res) => res.success);
+    await record("skill_engine_skill_capability_rows", async () => {
+        const text = readFileSync(join(process.cwd(), "examples/pharos-skill-engine/SKILL.safehands.md"), "utf8");
+        const required = [
+            "SafeHands Preflight Check",
+            "SafeHands x402 Preflight",
+            "SafeHands Wallet Health",
+            "Token Registry Status",
+            "Explain Risk",
+            "SafeHands Risk Report",
+            "references/safehands.md#safehands-preflight-check",
+        ];
+        return hasAll(text, required) ? ok({ required }) : fail("SKILL_ENGINE_CAPABILITY_ROWS_MISSING", "SKILL.safehands.md is missing required capability rows.", false, "skill_engine_examples");
+    }, (res) => res.success);
+    // ── New: skill/ package structure tests ─────────────────────────────
+    await record("skill_package_skill_md_exists", async () => {
+        const path = join(process.cwd(), "skill/SKILL.md");
+        return existsSync(path) ? ok({ file: "skill/SKILL.md" }) : fail("SKILL_PACKAGE_MISSING", "skill/SKILL.md not found", false, "skill_package");
+    }, (res) => res.success);
+    await record("skill_package_yaml_frontmatter", async () => {
+        const text = readFileSync(join(process.cwd(), "skill/SKILL.md"), "utf8");
+        const hasYaml = text.startsWith("---") && text.includes("name: safehands-pharos-guard");
+        return hasYaml ? ok({ frontmatter: true }) : fail("SKILL_PACKAGE_NO_FRONTMATTER", "YAML frontmatter missing or name mismatch", false, "skill_package");
+    }, (res) => res.success);
+    await record("skill_package_references_exist", async () => {
+        const path = join(process.cwd(), "skill/references/safehands.md");
+        return existsSync(path) ? ok({ file: "skill/references/safehands.md" }) : fail("SKILL_PACKAGE_REF_MISSING", "skill/references/safehands.md not found", false, "skill_package");
+    }, (res) => res.success);
+    await record("skill_package_assets_exist", async () => {
+        const files = [
+            "skill/assets/safehands/policy-defaults.json",
+            "skill/assets/safehands/example-actions.json",
+        ];
+        const missing = files.filter((f) => !existsSync(join(process.cwd(), f)));
+        return missing.length === 0 ? ok({ files }) : fail("SKILL_PACKAGE_ASSETS_MISSING", missing.join(", "), false, "skill_package");
+    }, (res) => res.success);
+    await record("skill_package_example_uses_skill_engine_usdc", async () => {
+        const text = readFileSync(join(process.cwd(), "skill/assets/safehands/example-actions.json"), "utf8");
+        const usesSkillEngineUsdc = text.includes("0xE0BE08c77f415F577A1B3A9aD7a1Df1479564ec8");
+        const usesCircleUsdc = text.includes("0xcfC8330f4BCAB529c625D12781b1C19466A9Fc8B");
+        return usesSkillEngineUsdc && !usesCircleUsdc
+            ? ok({ correctUsdc: true })
+            : fail("SKILL_EXAMPLE_WRONG_USDC", "example-actions.json should use Skill Engine USDC (0xE0BE...), not Circle USDC (0xcfC8...)", false, "skill_package");
+    }, (res) => res.success);
+    await record("token_registry_circle_usdc_alternate", () => handleTokenRegistryStatus({ token: "0xcfC8330f4BCAB529c625D12781b1C19466A9Fc8B" }), (res) => res.success && res.data.status === "ALTERNATE_SOURCE_TOKEN" && res.data.verificationStatus === "CIRCLE_REFERENCED_USDC");
+    await record("cli_help_works", async () => {
+        const raw = runBuiltCliRaw(["--help"]);
+        return raw.status === 0 && raw.stdout.includes("Transaction Safety Firewall") && raw.stdout.includes("safehands_preflight_check")
+            ? ok({ stdoutBytes: raw.stdout.length })
+            : fail("CLI_HELP_FAILED", `status=${raw.status} stdout=${raw.stdout.slice(0, 200)} stderr=${raw.stderr.slice(0, 200)}`, false, "cli_help");
+    }, (res) => res.success);
+    await record("demo_runs_or_fails_gracefully", async () => {
+        const raw = runBuiltCliRaw(["--demo"]);
+        return raw.status === 0 && raw.stdout.includes("Demo Complete") && raw.stdout.includes("SSRF_BLOCKED")
+            ? ok({ stdoutBytes: raw.stdout.length })
+            : fail("DEMO_FAILED", `status=${raw.status} stdout=${raw.stdout.slice(0, 300)} stderr=${raw.stderr.slice(0, 300)}`, false, "demo");
+    }, (res) => res.success);
+    await record("readme_contains_final_positioning", async () => {
+        const text = readFileSync(join(process.cwd(), "README.md"), "utf8");
+        const required = [
+            "# SafeHands-Pharos: Transaction Safety Firewall for AI Agents",
+            "Pharos Skill Engine-compatible MCP package",
+            "SafeHands is a guardrail layer",
+            "WRITE_TOOLS_ENABLED=false",
+            "Testnet scope",
+            "Using SafeHands with Pharos Skill Engine",
+        ];
+        return hasAll(text, required) ? ok({ required }) : fail("README_POSITIONING_INCOMPLETE", "Missing final positioning text.", false, "readme");
+    }, (res) => res.success);
+    await record("env_example_safe_placeholders", async () => {
+        const text = readFileSync(join(process.cwd(), ".env.example"), "utf8");
+        const required = ["WALLET_MODE=none", "WRITE_TOOLS_ENABLED=false", "PRIVATE_KEY=", "MAX_X402_PAYMENT_USDC=0.01"];
+        const hasFakeSecret = /PRIVATE_KEY=0x[0-9a-fA-F]{16,}/.test(text) || /WALLET_ENCRYPTION_KEY=.+\S/.test(text);
+        return hasAll(text, required) && !hasFakeSecret ? ok({ required }) : fail("ENV_EXAMPLE_UNSAFE", "Missing safe defaults or contains secret-looking placeholders.", false, "env_example");
+    }, (res) => res.success);
+    await record("npm_pack_excludes_secrets", async () => runNpmPackDryRun(), (res) => res.success && res.data.unsafe.length === 0);
+    console.log("\n#  Status  Tool                         Note");
+    console.log("─".repeat(100));
+    rows.forEach((r, i) => {
+        console.log(`${String(i + 1).padStart(2, "0")} ${r.status.padEnd(6)} ${r.tool.padEnd(28)} ${r.note}`);
     });
-    console.log("═".repeat(90));
-    const passed = results.filter(r => r.status.includes("PASS")).length;
-    const failed = results.filter(r => r.status.includes("FAIL")).length;
-    console.log(`\n  Balance: ${bal} → ${postBal} PHRS`);
-    console.log(`  ${passed}/${results.length} passed, ${failed} failed`);
-    console.log(`  ${failed === 0 ? "🎉 ALL 17 TOOLS PASSED" : "⚠️  SOME TOOLS FAILED"}\n`);
-    process.exit(failed === 0 ? 0 : 1);
+    const failed = rows.filter((r) => r.status === "FAIL");
+    console.log("─".repeat(100));
+    console.log(`${rows.length - failed.length}/${rows.length} smoke checks passed.`);
+    if (failed.length > 0) {
+        console.error("\nFailed smoke checks:");
+        for (const f of failed)
+            console.error(`- ${f.tool}: ${f.note}`);
+        process.exit(1);
+    }
 }
-run().catch(e => { console.error("Fatal:", e); process.exit(1); });
+run().catch((err) => {
+    const structured = fail("SMOKE_TEST_FAILED", err instanceof Error ? err.message : String(err), false, "testTools");
+    console.error(JSON.stringify(structured, null, 2));
+    process.exit(1);
+});
 //# sourceMappingURL=testTools.js.map