safehands-pharos 1.3.0 → 1.5.0

package/dist/cli.d.ts

@@ -1,5 +1,5 @@
 import { type ToolResponse } from "./lib/toolResponse.js";
-export type SkillCliToolName = "safehands_preflight_check" | "safehands_x402_preflight" | "safehands_wallet_health" | "token_registry_status" | "explain_risk" | "safehands_risk_report" | "safehands_safe_execute" | "create_agent_wallet" | "get_agent_wallet" | "get_agent_wallet_balance" | "check_token_security";
+export type SkillCliToolName = "safehands_preflight_check" | "safehands_x402_preflight" | "safehands_wallet_health" | "token_registry_status" | "explain_risk" | "safehands_risk_report" | "safehands_safe_execute" | "create_agent_wallet" | "get_agent_wallet" | "get_agent_wallet_balance" | "check_token_security" | "assess_risk" | "get_wallet_balance" | "simulate_transaction" | "estimate_gas" | "get_token_price" | "get_transaction_status" | "query_risk_registry" | "publish_risk_score";
 export declare function getSkillCliToolNames(): string[];
 export declare function invokeSkillCliTool(toolName: string, input: unknown): Promise<ToolResponse<unknown>>;
 export declare function runSkillCli(argv: string[]): Promise<number>;

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAMA,OAAO,EAAY,KAAK,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAapE,MAAM,MAAM,gBAAgB,GACxB,2BAA2B,GAC3B,0BAA0B,GAC1B,yBAAyB,GACzB,uBAAuB,GACvB,cAAc,GACd,uBAAuB,GACvB,wBAAwB,GACxB,qBAAqB,GACrB,kBAAkB,GAClB,0BAA0B,GAC1B,sBAAsB,CAAC;AA6C3B,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C;AAED,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAuBzG;AAED,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BjE"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAMA,OAAO,EAAY,KAAK,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAqBpE,MAAM,MAAM,gBAAgB,GACxB,2BAA2B,GAC3B,0BAA0B,GAC1B,yBAAyB,GACzB,uBAAuB,GACvB,cAAc,GACd,uBAAuB,GACvB,wBAAwB,GACxB,qBAAqB,GACrB,kBAAkB,GAClB,0BAA0B,GAC1B,sBAAsB,GACtB,aAAa,GACb,oBAAoB,GACpB,sBAAsB,GACtB,cAAc,GACd,iBAAiB,GACjB,wBAAwB,GACxB,qBAAqB,GACrB,oBAAoB,CAAC;AA+DzB,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C;AAED,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAuBzG;AAED,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BjE"}

package/dist/cli.js

@@ -15,6 +15,14 @@ import { handleCreateAgentWallet } from "./tools/createAgentWallet.js";
 import { handleGetAgentWallet } from "./tools/getAgentWallet.js";
 import { handleGetAgentWalletBalance } from "./tools/getAgentWalletBalance.js";
 import { handleCheckTokenSecurity } from "./tools/checkTokenSecurity.js";
+import { handleAssessRisk } from "./tools/assessRisk.js";
+import { handleGetWalletBalance } from "./tools/getWalletBalance.js";
+import { handleSimulateTransaction } from "./tools/simulateTransaction.js";
+import { handleEstimateGas } from "./tools/estimateGas.js";
+import { handleGetTokenPrice } from "./tools/getTokenPrice.js";
+import { handleGetTransactionStatus } from "./tools/getTransactionStatus.js";
+import { handleQueryRiskRegistry } from "./tools/queryRiskRegistry.js";
+import { handlePublishRiskScore } from "./tools/publishRiskScore.js";
 const SKILL_CLI_TOOLS = {
     safehands_preflight_check: handleSafeHandsPreflightCheck,
     safehands_x402_preflight: handleSafeHandsX402Preflight,
@@ -27,6 +35,14 @@ const SKILL_CLI_TOOLS = {
     get_agent_wallet: handleGetAgentWallet,
     get_agent_wallet_balance: handleGetAgentWalletBalance,
     check_token_security: handleCheckTokenSecurity,
+    assess_risk: handleAssessRisk,
+    get_wallet_balance: handleGetWalletBalance,
+    simulate_transaction: handleSimulateTransaction,
+    estimate_gas: handleEstimateGas,
+    get_token_price: handleGetTokenPrice,
+    get_transaction_status: handleGetTransactionStatus,
+    query_risk_registry: handleQueryRiskRegistry,
+    publish_risk_score: handlePublishRiskScore,
 };
 function isStructuredResponse(value) {
     return !!value && typeof value === "object" && "success" in value && "data" in value && "error" in value && "timestamp" in value;
@@ -37,20 +53,32 @@ function printJson(response) {
 function usage() {
     const tools = Object.keys(SKILL_CLI_TOOLS).sort().join(", ");
     return [
-        "Usage: npx safehands-pharos skill <tool_name> --input-json '<json>'",
+        "Usage: npx safehands-pharos skill <tool_name> [<json> | --input-json '<json>' | -i '<json>']",
         "",
         `Supported Skill Engine tools: ${tools}`,
         "",
-        "Example:",
-        "  npx safehands-pharos skill safehands_preflight_check --input-json '{\"actionType\":\"approve_token\",\"chainId\":688689,\"amount\":\"1\"}'",
+        "Examples:",
+        "  npx safehands-pharos skill assess_risk '{\"action\":\"swap\",\"amount\":\"0.01\"}'",
+        "  npx safehands-pharos skill get_wallet_balance '{\"walletAddress\":\"0xABC...\"}'",
+        "  npx safehands-pharos skill safehands_preflight_check -i '{\"actionType\":\"approve_token\",\"chainId\":688689,\"amount\":\"1\"}'",
     ].join("\n");
 }
 function readInputJsonArg(argv) {
-    const positional = argv.indexOf("--input-json");
-    if (positional >= 0)
-        return argv[positional + 1] ?? null;
-    const prefixed = argv.find((arg) => arg.startsWith("--input-json="));
-    return prefixed ? prefixed.slice("--input-json=".length) : null;
+    // --input-json <json>
+    const flag = argv.indexOf("--input-json");
+    if (flag >= 0)
+        return argv[flag + 1] ?? null;
+    // --input-json=<json>
+    const inline = argv.find((a) => a.startsWith("--input-json="));
+    if (inline)
+        return inline.slice("--input-json=".length);
+    // -i <json>
+    const short = argv.indexOf("-i");
+    if (short >= 0)
+        return argv[short + 1] ?? null;
+    // positional: first arg that looks like JSON or is not a flag
+    const positional = argv.find((a) => !a.startsWith("-"));
+    return positional ?? null;
 }
 export function getSkillCliToolNames() {
     return Object.keys(SKILL_CLI_TOOLS).sort();

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,mEAAmE;AACnE,qEAAqE;AACrE,gDAAgD;AAChD,2EAA2E;AAE3E,OAAO,EAAE,IAAI,EAAE,EAAE,EAAqB,MAAM,uBAAuB,CAAC;AACpE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACjF,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AAiBzE,MAAM,eAAe,GAA8C;IACjE,yBAAyB,EAAE,6BAA6B;IACxD,wBAAwB,EAAE,4BAA4B;IACtD,uBAAuB,EAAE,2BAA2B;IACpD,qBAAqB,EAAE,yBAAyB;IAChD,YAAY,EAAE,iBAAiB;IAC/B,qBAAqB,EAAE,yBAAyB;IAChD,sBAAsB,EAAE,0BAA0B;IAClD,mBAAmB,EAAE,uBAAuB;IAC5C,gBAAgB,EAAE,oBAAoB;IACtC,wBAAwB,EAAE,2BAA2B;IACrD,oBAAoB,EAAE,wBAAwB;CAC/C,CAAC;AAEF,SAAS,oBAAoB,CAAC,KAAc;IAC1C,OAAO,CAAC,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,SAAS,IAAI,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,OAAO,IAAI,KAAK,IAAI,WAAW,IAAI,KAAK,CAAC;AACnI,CAAC;AAED,SAAS,SAAS,CAAC,QAA+B;IAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,KAAK;IACZ,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7D,OAAO;QACL,qEAAqE;QACrE,EAAE;QACF,iCAAiC,KAAK,EAAE;QACxC,EAAE;QACF,UAAU;QACV,8IAA8I;KAC/I,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAc;IACtC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAChD,IAAI,UAAU,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC;IACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC;IACrE,OAAO,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,QAAgB,EAAE,KAAc;IACvE,MAAM,OAAO,GAAG,eAAe,CAAC,QAA4B,CAAC,CAAC;IAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,IAAI,CACT,oBAAoB,EACpB,wCAAwC,QAAQ,sBAAsB,oBAAoB,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACzG,KAAK,EACL,eAAe,CAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,oBAAoB,CAAC,MAAM,CAAC;YAAE,OAAO,MAAM,CAAC;QAChD,OAAO,EAAE,CAAC,MAAM,CAAC,CAAC;IACpB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,IAAI,CACT,uBAAuB,EACvB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAChD,KAAK,EACL,QAAQ,CACT,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAc;IAC9C,MAAM,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;IACxB,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QAC5D,SAAS,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;QACpE,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,CAAC,eAAe,CAAC,QAA4B,CAAC,EAAE,CAAC;QACnD,SAAS,CAAC,MAAM,kBAAkB,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,SAAS,CAAC,IAAI,CAAC,oBAAoB,EAAE,kDAAkD,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;QAClH,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,KAAc,CAAC;IACnB,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,SAAS,CAAC,IAAI,CAAC,oBAAoB,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;QAChH,OAAO,CAAC,CAAC;IACX,CAAC;IAED,SAAS,CAAC,MAAM,kBAAkB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,CAAC;AACX,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,mEAAmE;AACnE,qEAAqE;AACrE,gDAAgD;AAChD,2EAA2E;AAE3E,OAAO,EAAE,IAAI,EAAE,EAAE,EAAqB,MAAM,uBAAuB,CAAC;AACpE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACjF,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AACzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAyBrE,MAAM,eAAe,GAA8C;IACjE,yBAAyB,EAAE,6BAA6B;IACxD,wBAAwB,EAAE,4BAA4B;IACtD,uBAAuB,EAAE,2BAA2B;IACpD,qBAAqB,EAAE,yBAAyB;IAChD,YAAY,EAAE,iBAAiB;IAC/B,qBAAqB,EAAE,yBAAyB;IAChD,sBAAsB,EAAE,0BAA0B;IAClD,mBAAmB,EAAE,uBAAuB;IAC5C,gBAAgB,EAAE,oBAAoB;IACtC,wBAAwB,EAAE,2BAA2B;IACrD,oBAAoB,EAAE,wBAAwB;IAC9C,WAAW,EAAE,gBAAgB;IAC7B,kBAAkB,EAAE,sBAAsB;IAC1C,oBAAoB,EAAE,yBAAyB;IAC/C,YAAY,EAAE,iBAAiB;IAC/B,eAAe,EAAE,mBAAmB;IACpC,sBAAsB,EAAE,0BAA0B;IAClD,mBAAmB,EAAE,uBAAuB;IAC5C,kBAAkB,EAAE,sBAAsB;CAC3C,CAAC;AAEF,SAAS,oBAAoB,CAAC,KAAc;IAC1C,OAAO,CAAC,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,SAAS,IAAI,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,OAAO,IAAI,KAAK,IAAI,WAAW,IAAI,KAAK,CAAC;AACnI,CAAC;AAED,SAAS,SAAS,CAAC,QAA+B;IAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,KAAK;IACZ,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7D,OAAO;QACL,8FAA8F;QAC9F,EAAE;QACF,iCAAiC,KAAK,EAAE;QACxC,EAAE;QACF,WAAW;QACX,sFAAsF;QACtF,oFAAoF;QACpF,oIAAoI;KACrI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAc;IACtC,sBAAsB;IACtB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC1C,IAAI,IAAI,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC;IAC7C,sBAAsB;IACtB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC;IAC/D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACxD,YAAY;IACZ,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC;IAC/C,8DAA8D;IAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACxD,OAAO,UAAU,IAAI,IAAI,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,QAAgB,EAAE,KAAc;IACvE,MAAM,OAAO,GAAG,eAAe,CAAC,QAA4B,CAAC,CAAC;IAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,IAAI,CACT,oBAAoB,EACpB,wCAAwC,QAAQ,sBAAsB,oBAAoB,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACzG,KAAK,EACL,eAAe,CAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,oBAAoB,CAAC,MAAM,CAAC;YAAE,OAAO,MAAM,CAAC;QAChD,OAAO,EAAE,CAAC,MAAM,CAAC,CAAC;IACpB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,IAAI,CACT,uBAAuB,EACvB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAChD,KAAK,EACL,QAAQ,CACT,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAc;IAC9C,MAAM,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;IACxB,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QAC5D,SAAS,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;QACpE,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,CAAC,eAAe,CAAC,QAA4B,CAAC,EAAE,CAAC;QACnD,SAAS,CAAC,MAAM,kBAAkB,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,SAAS,CAAC,IAAI,CAAC,oBAAoB,EAAE,kDAAkD,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;QAClH,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,KAAc,CAAC;IACnB,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,SAAS,CAAC,IAAI,CAAC,oBAAoB,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;QAChH,OAAO,CAAC,CAAC;IACX,CAAC;IAED,SAAS,CAAC,MAAM,kBAAkB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/index.d.ts

@@ -1,3 +1,3 @@
 #!/usr/bin/env node
-export {};
+import "./lib/envLoader.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAMA,OAAO,oBAAoB,CAAC"}

package/dist/index.js

@@ -2,6 +2,11 @@
 // ─── SafeHands MCP Server ──────────────────────────────────────────────
 // Entry point — registers 27 tools (17 legacy/core + 3 managed wallet + 7 SafeHands guardrail tools) and starts the MCP server.
 // ────────────────────────────────────────────────────────────────────────
+// Must be first import — loads .env before any module reads process.env at init time
+import "./lib/envLoader.js";
+import { createRequire } from "module";
+const require = createRequire(import.meta.url);
+const PKG_VERSION = require("../package.json").version;
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { assessRiskSchema, handleAssessRisk } from "./tools/assessRisk.js";
@@ -32,9 +37,41 @@ import { tokenRegistryStatusSchema, handleTokenRegistryStatus } from "./tools/to
 import { getAgentWalletSchema, handleGetAgentWallet } from "./tools/getAgentWallet.js";
 import { getAgentWalletBalanceSchema, handleGetAgentWalletBalance } from "./tools/getAgentWalletBalance.js";
 import { fail, ok } from "./lib/toolResponse.js";
+import { auditLog } from "./lib/auditLog.js";
 import { runSkillCli } from "./cli.js";
 import { runDemo } from "./demo.js";
 import { runInit } from "./init.js";
+// ─── Per-tool rate limiting ────────────────────────────────────────────
+// Heavy tools (block-scan history) get a tighter limit.
+// Write tools get a moderate limit to prevent agent loops.
+// All other tools share a generous global limit.
+const HEAVY_TOOLS = new Set(["get_execution_history"]);
+const WRITE_TOOLS = new Set([
+    "execute_swap", "send_payment", "approve_token",
+    "publish_risk_score", "x402_pay_and_fetch", "safehands_safe_execute",
+]);
+const RATE_LIMITS = {
+    heavy: parseInt(process.env.MCP_RATE_LIMIT_HEAVY || "5", 10),
+    write: parseInt(process.env.MCP_RATE_LIMIT_WRITE || "15", 10),
+    default: parseInt(process.env.MCP_RATE_LIMIT_DEFAULT || "120", 10),
+};
+const rateBuckets = new Map();
+function checkMcpRateLimit(tool) {
+    const limit = HEAVY_TOOLS.has(tool) ? RATE_LIMITS.heavy
+        : WRITE_TOOLS.has(tool) ? RATE_LIMITS.write
+            : RATE_LIMITS.default;
+    const now = Date.now();
+    let bucket = rateBuckets.get(tool);
+    if (!bucket || bucket.resetAt <= now) {
+        bucket = { count: 0, resetAt: now + 60_000 };
+    }
+    bucket.count++;
+    rateBuckets.set(tool, bucket);
+    if (bucket.count > limit) {
+        return `Rate limit exceeded for ${tool} (${limit}/min). Slow down and retry after ${Math.ceil((bucket.resetAt - now) / 1000)}s.`;
+    }
+    return null;
+}
 function isStructuredResponse(value) {
     return (!!value &&
         typeof value === "object" &&
@@ -43,16 +80,37 @@ function isStructuredResponse(value) {
         "error" in value);
 }
 async function invokeTool(handler, params, source) {
+    const rateLimitMsg = checkMcpRateLimit(source);
+    if (rateLimitMsg) {
+        auditLog({ ts: new Date().toISOString(), tool: source, success: false, errorCode: "RATE_LIMITED" });
+        return fail("RATE_LIMITED", rateLimitMsg, true, source);
+    }
+    const start = Date.now();
     try {
         const result = await handler(params);
-        if (isStructuredResponse(result))
+        if (isStructuredResponse(result)) {
+            const r = result;
+            auditLog({ ts: new Date().toISOString(), tool: source, success: r.success, errorCode: r.success ? undefined : r.error?.code, durationMs: Date.now() - start });
             return result;
-        if (result && typeof result === "object" && "error" in result && !("success" in result)) {
-            return fail("TOOL_RETURNED_ERROR", String(result.error), false, source);
         }
+        if (result && typeof result === "object") {
+            if ("error" in result && !("success" in result)) {
+                const msg = String(result.error);
+                auditLog({ ts: new Date().toISOString(), tool: source, success: false, errorCode: "TOOL_RETURNED_ERROR", durationMs: Date.now() - start });
+                return fail("TOOL_RETURNED_ERROR", msg, false, source);
+            }
+            // Defense-in-depth: non-ToolResponse shapes with success:false must not surface as ok()
+            if ("success" in result && result.success === false) {
+                const msg = "error" in result ? String(result.error) : "Tool returned failure without ToolResponse shape";
+                auditLog({ ts: new Date().toISOString(), tool: source, success: false, errorCode: "TOOL_RETURNED_ERROR", durationMs: Date.now() - start });
+                return fail("TOOL_RETURNED_ERROR", msg, false, source);
+            }
+        }
+        auditLog({ ts: new Date().toISOString(), tool: source, success: true, durationMs: Date.now() - start });
         return ok(result);
     }
     catch (err) {
+        auditLog({ ts: new Date().toISOString(), tool: source, success: false, errorCode: "TOOL_EXECUTION_FAILED", durationMs: Date.now() - start });
         return fail("TOOL_EXECUTION_FAILED", err instanceof Error ? err.message : String(err), false, source);
     }
 }
@@ -76,155 +134,158 @@ if (process.argv[2] === "init") {
     process.exit(0);
 }
 // ─── Deterministic Demo CLI ───────────────────────────────────────────
-if (process.argv.includes("--demo")) {
+const isDemoMode = process.argv.includes("--demo");
+if (isDemoMode) {
     await runDemo();
-    // Brief delay allows libuv handles (express sockets) to close cleanly on Windows
-    setTimeout(() => process.exit(0), 100);
-    // Wait indefinitely so the script doesn't continue down to start the MCP server
-    await new Promise(() => { });
+    // Set exit code and let the event loop drain naturally.
+    // Avoids Windows libuv UV_HANDLE_CLOSING assertion that occurs with process.exit() while
+    // async handles (express close, viem HTTP keep-alive) are still winding down.
+    process.exitCode = 0;
 }
 // ─── CLI Help ──────────────────────────────────────────────────────────
 if (process.argv.includes("--help") || process.argv.includes("-h")) {
-    process.stdout.write(`
-🛡️  SafeHands-Pharos — Transaction Safety Firewall for AI Agents
-   v1.2.6 | Pharos Atlantic Testnet | Chain ID 688689
-
-USAGE
-  npx safehands-pharos
-      Start SafeHands as an MCP server over stdio.
-
-  npx safehands-pharos --help
-      Show this help.
-
-  npx safehands-pharos init
-      Launch the interactive setup wizard to configure your .env file safely.
-
-  npx safehands-pharos --demo
-      Run the deterministic non-destructive hackathon demo.
-
-  npx safehands-pharos skill <tool_name> --input-json '<json>'
-      Run a Pharos Skill Engine-compatible SafeHands CLI tool.
-
-POSITIONING
-  SafeHands is a guardrail layer, not a generic Web3 toolbox.
-  It checks whether an AI agent action is safe before execution.
-
-  User intent
-  → SafeHands preflight
-  → ALLOW / WARN / BLOCK / REQUIRE_CONFIRMATION
-  → Pharos Skill Engine or MCP execution only if safe
-  → SafeHands risk report
-
-SAFEHANDS BRANDED TOOLS
-  safehands_preflight_check   Policy preflight for payments, approvals, swaps, x402, and custom calls
-  safehands_safe_execute      Guarded wrapper that preflights before execution
-  safehands_wallet_health     Wallet/signer/gas/x402 readiness report
-  safehands_x402_preflight    URL, payment, token, and signer safety check before x402 payment
-  safehands_risk_report       Human-readable judge/demo risk report
-  explain_risk                Explain ALLOW/WARN/BLOCK decisions in plain English
-  token_registry_status       Classify canonical, test, custom, unknown, or invalid token address
-
-OTHER MCP TOOLS
-  Core safety: assess_risk, check_token_security, simulate_transaction, estimate_gas
-  Execution: execute_swap, send_payment, approve_token
-  Market: get_token_price, get_pool_info, get_gas_price
-  Wallet/history: get_wallet_balance, check_allowance, get_transaction_status, get_execution_history
-  Risk registry: publish_risk_score, query_risk_registry
-  x402: x402_pay_and_fetch
-  Managed testnet wallet: create_agent_wallet, get_agent_wallet, get_agent_wallet_balance
-
-PHAROS ATLANTIC TESTNET
-  Environment: atlantic-testnet
-  Chain ID: 688689
-  RPC: https://atlantic.dplabs-internal.com
-  Explorer: https://atlantic.pharosscan.xyz/
-  RiskRegistry: 0x61962a6c812ee9f57b207e1ea47c19ae70bb7141
-
-x402 BEHAVIOR
-  Free endpoints, such as /supported and /health, do not require a private key.
-  Paid endpoints are fetched normally first. Only after HTTP 402 does SafeHands run x402 preflight and request a signer.
-  Signed payment payloads and payment headers are not logged or returned.
-
-DEFAULT SAFETY
-  WALLET_MODE=none
-  WRITE_TOOLS_ENABLED=false
-  ALLOW_UNLIMITED_APPROVAL=false
-  ALLOW_LOCAL_X402_FETCH=false
-
-  No wallet is created on install, import, or startup.
-  Write tools are disabled by default.
-  Unlimited approvals are blocked by default.
-  Mainnet actions are blocked.
-  SSRF-sensitive x402 URLs are blocked by default.
-
-EXAMPLES
-  npx safehands-pharos skill safehands_preflight_check --input-json '{"actionType":"send_payment","chainId":688689,"isMainnet":false,"amount":"0.001","recipient":"0x0000000000000000000000000000000000000001"}'
-
-  npx safehands-pharos skill token_registry_status --input-json '{"tokenAddress":"0xE0BE08c77f415F577A1B3A9aD7a1Df1479564ec8"}'
-
-DOCS
-  README.md
-  skill/SKILL.md
+    process.stdout.write(`
+🛡️  SafeHands-Pharos — Transaction Safety Firewall for AI Agents
+   v${PKG_VERSION} | Pharos Atlantic Testnet | Chain ID 688689
+
+USAGE
+  npx safehands-pharos
+      Start SafeHands as an MCP server over stdio.
+
+  npx safehands-pharos --help
+      Show this help.
+
+  npx safehands-pharos init
+      Launch the interactive setup wizard to configure your .env file safely.
+
+  npx safehands-pharos --demo
+      Run the deterministic non-destructive hackathon demo.
+
+  npx safehands-pharos skill <tool_name> --input-json '<json>'
+      Run a Pharos Skill Engine-compatible SafeHands CLI tool.
+
+POSITIONING
+  SafeHands is a guardrail layer, not a generic Web3 toolbox.
+  It checks whether an AI agent action is safe before execution.
+
+  User intent
+  → SafeHands preflight
+  → ALLOW / WARN / BLOCK / REQUIRE_CONFIRMATION
+  → Pharos Skill Engine or MCP execution only if safe
+  → SafeHands risk report
+
+SAFEHANDS BRANDED TOOLS
+  safehands_preflight_check   Policy preflight for payments, approvals, swaps, x402, and custom calls
+  safehands_safe_execute      Guarded wrapper that preflights before execution
+  safehands_wallet_health     Wallet/signer/gas/x402 readiness report
+  safehands_x402_preflight    URL, payment, token, and signer safety check before x402 payment
+  safehands_risk_report       Human-readable judge/demo risk report
+  explain_risk                Explain ALLOW/WARN/BLOCK decisions in plain English
+  token_registry_status       Classify canonical, test, custom, unknown, or invalid token address
+
+OTHER MCP TOOLS
+  Core safety: assess_risk, check_token_security, simulate_transaction, estimate_gas
+  Execution: execute_swap, send_payment, approve_token
+  Market: get_token_price, get_pool_info, get_gas_price
+  Wallet/history: get_wallet_balance, check_allowance, get_transaction_status, get_execution_history
+  Risk registry: publish_risk_score, query_risk_registry
+  x402: x402_pay_and_fetch
+  Managed testnet wallet: create_agent_wallet, get_agent_wallet, get_agent_wallet_balance
+
+PHAROS ATLANTIC TESTNET
+  Environment: atlantic-testnet
+  Chain ID: 688689
+  RPC: https://atlantic.dplabs-internal.com
+  Explorer: https://atlantic.pharosscan.xyz/
+  RiskRegistry: 0x61962a6c812ee9f57b207e1ea47c19ae70bb7141
+
+x402 BEHAVIOR
+  Free endpoints, such as /supported and /health, do not require a private key.
+  Paid endpoints are fetched normally first. Only after HTTP 402 does SafeHands run x402 preflight and request a signer.
+  Signed payment payloads and payment headers are not logged or returned.
+
+DEFAULT SAFETY
+  WALLET_MODE=none
+  WRITE_TOOLS_ENABLED=false
+  ALLOW_UNLIMITED_APPROVAL=false
+  ALLOW_LOCAL_X402_FETCH=false
+
+  No wallet is created on install, import, or startup.
+  Write tools are disabled by default.
+  Unlimited approvals are blocked by default.
+  Mainnet actions are blocked.
+  SSRF-sensitive x402 URLs are blocked by default.
+
+EXAMPLES
+  npx safehands-pharos skill safehands_preflight_check --input-json '{"actionType":"send_payment","chainId":688689,"isMainnet":false,"amount":"0.001","recipient":"0x0000000000000000000000000000000000000001"}'
+
+  npx safehands-pharos skill token_registry_status --input-json '{"tokenAddress":"0xE0BE08c77f415F577A1B3A9aD7a1Df1479564ec8"}'
+
+DOCS
+  README.md
+  skill/SKILL.md
 `);
     process.exit(0);
 }
-// ─── Startup Validation ────────────────────────────────────────────────
-const walletMode = process.env.WALLET_MODE || "none";
-const hasManagedWalletMode = walletMode === "managed-testnet";
-const hasExplicitSignerMode = walletMode === "managed-testnet" || walletMode === "env";
-if (process.env.WRITE_TOOLS_ENABLED !== "true") {
-    console.error("⚠️  SafeHands — write tools are disabled by default.");
-    console.error("   Preflight, risk report, token registry, read-only, and x402 free endpoint checks remain available.");
-    console.error("   To execute trusted testnet actions, set WRITE_TOOLS_ENABLED=true and configure a signer via WALLET_MODE=managed-testnet or WALLET_MODE=env.");
-    console.error("");
-}
-else if (!hasExplicitSignerMode) {
-    console.error("⚠️  SafeHands — write tools enabled but no signer mode detected.");
-    console.error("   Use WALLET_MODE=managed-testnet with create_agent_wallet, or WALLET_MODE=env for testnet developer mode.");
-    console.error("");
-}
-// ─── Server Setup ──────────────────────────────────────────────────────
-const server = new McpServer({
-    name: "safehands",
-    version: "1.2.4",
-});
-// ─── Tool Registration ─────────────────────────────────────────────────
-server.tool("safehands_preflight_check", "Run a SafeHands policy preflight before an AI agent sends payment, approves tokens, swaps, publishes risk data, or pays x402.", safehandsPreflightCheckSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsPreflightCheck, params, "safehands_preflight_check")));
-server.tool("safehands_safe_execute", "Guarded execution wrapper: preflight first, then execute only allowed and explicitly confirmed testnet actions.", safehandsSafeExecuteSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsSafeExecute, params, "safehands_safe_execute")));
-server.tool("safehands_wallet_health", "Check whether an AI agent wallet is funded, signer-ready, and safe to use on Pharos Atlantic Testnet.", safehandsWalletHealthSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsWalletHealth, params, "safehands_wallet_health")));
-server.tool("safehands_x402_preflight", "Check an x402 paid resource for URL safety, payment amount, token, signer, and testnet policy before signing.", safehandsX402PreflightSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsX402Preflight, params, "safehands_x402_preflight")));
-server.tool("safehands_risk_report", "Generate an audit-friendly human-readable SafeHands risk report for an AI agent action.", safehandsRiskReportSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsRiskReport, params, "safehands_risk_report")));
-server.tool("explain_risk", "Explain a SafeHands risk/policy decision in human-readable language.", explainRiskSchema.shape, async (params) => mcpText(await invokeTool(handleExplainRisk, params, "explain_risk")));
-server.tool("token_registry_status", "Classify exact token input as canonical testnet token, test liquidity token, custom, unknown, or invalid.", tokenRegistryStatusSchema.shape, async (params) => mcpText(await invokeTool(handleTokenRegistryStatus, params, "token_registry_status")));
-server.tool("assess_risk", "Evaluate the risk of a planned on-chain action (swap or transfer). Returns 0-100 risk score with 5-dimension breakdown.", assessRiskSchema.shape, async (params) => mcpText(await invokeTool(handleAssessRisk, params, "assess_risk")));
-server.tool("execute_swap", "Swap tokens via FaroSwap with built-in risk gate. Runs risk assessment first, blocks if score > 80.", executeSwapSchema.shape, async (params) => mcpText(await invokeTool(handleExecuteSwap, params, "execute_swap")));
-server.tool("send_payment", "Send native PHRS with pre-flight validation. Checks address, balance, and warns on high exposure.", sendPaymentSchema.shape, async (params) => mcpText(await invokeTool(handleSendPayment, params, "send_payment")));
-server.tool("simulate_transaction", "Dry run a swap or transfer via eth_call — no gas spent. Returns expected output and revert reasons.", simulateTransactionSchema.shape, async (params) => mcpText(await invokeTool(handleSimulateTransaction, params, "simulate_transaction")));
-server.tool("get_execution_history", "Pull on-chain transaction history for a wallet. Filters by swap, transfer, or all.", getExecutionHistorySchema.shape, async (params) => mcpText(await invokeTool(handleGetExecutionHistory, params, "get_execution_history")));
-server.tool("get_token_price", "Fetch real-time price of PHRS, USDC, or USDT on Pharos using DODO liquidity quotes.", getTokenPriceSchema.shape, async (params) => mcpText(await invokeTool(handleGetTokenPrice, params, "get_token_price")));
-server.tool("get_wallet_balance", "Return PHRS, USDC, USDT balances for a wallet with total USD estimate.", getWalletBalanceSchema.shape, async (params) => mcpText(await invokeTool(handleGetWalletBalance, params, "get_wallet_balance")));
-server.tool("check_allowance", "Check ERC-20 token allowance for DODO swap approval. Returns whether approval is needed.", checkAllowanceSchema.shape, async (params) => mcpText(await invokeTool(handleCheckAllowance, params, "check_allowance")));
-server.tool("get_transaction_status", "Check on-chain transaction status by hash. Returns status, block, gas, and explorer link.", getTransactionStatusSchema.shape, async (params) => mcpText(await invokeTool(handleGetTransactionStatus, params, "get_transaction_status")));
-server.tool("estimate_gas", "Estimate gas cost for a swap or transfer before executing. Returns cost in PHRS and USD.", estimateGasSchema.shape, async (params) => mcpText(await invokeTool(handleEstimateGas, params, "estimate_gas")));
-server.tool("publish_risk_score", "Run risk assessment and publish result to the on-chain RiskRegistry. Other agents can query it.", publishRiskScoreSchema.shape, async (params) => mcpText(await invokeTool(handlePublishRiskScore, params, "publish_risk_score")));
-server.tool("query_risk_registry", "Query the on-chain RiskRegistry for a wallet's published risk score. Read-only, no private key needed.", queryRiskRegistrySchema.shape, async (params) => mcpText(await invokeTool(handleQueryRiskRegistry, params, "query_risk_registry")));
-server.tool("approve_token", "Approve ERC-20 token spending for FaroSwap (DODO) router. Required before swapping non-native tokens.", approveTokenSchema.shape, async (params) => mcpText(await invokeTool(handleApproveToken, params, "approve_token")));
-server.tool("get_gas_price", "Get current gas price on Pharos with trend classification and cost estimates.", getGasPriceSchema.shape, async (params) => mcpText(await invokeTool(handleGetGasPrice, params, "get_gas_price")));
-server.tool("get_pool_info", "Fetch DODO liquidity pool info for a token pair on Pharos. Returns price ratio, impact, and fees.", getPoolInfoSchema.shape, async (params) => mcpText(await invokeTool(handleGetPoolInfo, params, "get_pool_info")));
-server.tool("check_token_security", "Check token contract security (honeypot, mintable, ownership privileges, tax) via GoPlus Security API.", checkTokenSecuritySchema.shape, async (params) => mcpText(await invokeTool(handleCheckTokenSecurity, params, "check_token_security")));
-server.tool("x402_pay_and_fetch", "Fetch resources from an HTTP x402 payment-gated server. Automatically handles HTTP 402 payment challenge.", x402PayAndFetchSchema.shape, async (params) => mcpText(await invokeTool(handleX402PayAndFetch, params, "x402_pay_and_fetch")));
-// ─── Managed Wallet Tools ──────────────────────────────────────────────
-server.tool("create_agent_wallet", "Create a new managed testnet agent wallet. Private key is encrypted and never returned. Fund the wallet with testnet PHRS before using write tools.", createAgentWalletSchema.shape, async (params) => mcpText(await invokeTool(handleCreateAgentWallet, params, "create_agent_wallet")));
-server.tool("get_agent_wallet", "Get public info (address, environment, chainId) for a managed agent wallet. Never returns private key.", getAgentWalletSchema.shape, async (params) => mcpText(await invokeTool(handleGetAgentWallet, params, "get_agent_wallet")));
-server.tool("get_agent_wallet_balance", "Get PHRS, USDC, and USDT balances for a managed agent wallet on Pharos testnet.", getAgentWalletBalanceSchema.shape, async (params) => mcpText(await invokeTool(handleGetAgentWalletBalance, params, "get_agent_wallet_balance")));
-// ─── Start Server ──────────────────────────────────────────────────────
-async function main() {
-    const transport = new StdioServerTransport();
-    await server.connect(transport);
-    console.error("SafeHands-Pharos MCP Server v1.2.6 running on stdio");
-}
-main().catch((error) => {
-    console.error("Fatal error:", error);
-    process.exit(1);
-});
+if (!isDemoMode) {
+    // ─── Startup Validation ────────────────────────────────────────────────
+    const walletMode = process.env.WALLET_MODE || "none";
+    const hasManagedWalletMode = walletMode === "managed-testnet";
+    const hasExplicitSignerMode = walletMode === "managed-testnet" || walletMode === "env";
+    if (process.env.WRITE_TOOLS_ENABLED !== "true") {
+        console.error("⚠️  SafeHands — write tools are disabled by default.");
+        console.error("   Preflight, risk report, token registry, read-only, and x402 free endpoint checks remain available.");
+        console.error("   To execute trusted testnet actions, set WRITE_TOOLS_ENABLED=true and configure a signer via WALLET_MODE=managed-testnet or WALLET_MODE=env.");
+        console.error("");
+    }
+    else if (!hasExplicitSignerMode) {
+        console.error("⚠️  SafeHands — write tools enabled but no signer mode detected.");
+        console.error("   Use WALLET_MODE=managed-testnet with create_agent_wallet, or WALLET_MODE=env for testnet developer mode.");
+        console.error("");
+    }
+    // ─── Server Setup ──────────────────────────────────────────────────────
+    const server = new McpServer({
+        name: "safehands",
+        version: PKG_VERSION,
+    });
+    // ─── Tool Registration ─────────────────────────────────────────────────
+    server.tool("safehands_preflight_check", "Run a SafeHands policy preflight before an AI agent sends payment, approves tokens, swaps, publishes risk data, or pays x402.", safehandsPreflightCheckSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsPreflightCheck, params, "safehands_preflight_check")));
+    server.tool("safehands_safe_execute", "Guarded execution wrapper: preflight first, then execute only allowed and explicitly confirmed testnet actions.", safehandsSafeExecuteSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsSafeExecute, params, "safehands_safe_execute")));
+    server.tool("safehands_wallet_health", "Check whether an AI agent wallet is funded, signer-ready, and safe to use on Pharos Atlantic Testnet.", safehandsWalletHealthSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsWalletHealth, params, "safehands_wallet_health")));
+    server.tool("safehands_x402_preflight", "Check an x402 paid resource for URL safety, payment amount, token, signer, and testnet policy before signing.", safehandsX402PreflightSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsX402Preflight, params, "safehands_x402_preflight")));
+    server.tool("safehands_risk_report", "Generate an audit-friendly human-readable SafeHands risk report for an AI agent action.", safehandsRiskReportSchema.shape, async (params) => mcpText(await invokeTool(handleSafeHandsRiskReport, params, "safehands_risk_report")));
+    server.tool("explain_risk", "Explain a SafeHands risk/policy decision in human-readable language.", explainRiskSchema.shape, async (params) => mcpText(await invokeTool(handleExplainRisk, params, "explain_risk")));
+    server.tool("token_registry_status", "Classify exact token input as canonical testnet token, test liquidity token, custom, unknown, or invalid.", tokenRegistryStatusSchema.shape, async (params) => mcpText(await invokeTool(handleTokenRegistryStatus, params, "token_registry_status")));
+    server.tool("assess_risk", "Evaluate the risk of a planned on-chain action (swap or transfer). Returns 0-100 risk score with 5-dimension breakdown.", assessRiskSchema.shape, async (params) => mcpText(await invokeTool(handleAssessRisk, params, "assess_risk")));
+    server.tool("execute_swap", "Swap tokens via FaroSwap with built-in risk gate. Runs risk assessment first, blocks if score > 80.", executeSwapSchema.shape, async (params) => mcpText(await invokeTool(handleExecuteSwap, params, "execute_swap")));
+    server.tool("send_payment", "Send native PHRS with pre-flight validation. Checks address, balance, and warns on high exposure.", sendPaymentSchema.shape, async (params) => mcpText(await invokeTool(handleSendPayment, params, "send_payment")));
+    server.tool("simulate_transaction", "Dry run a swap or transfer via eth_call — no gas spent. Returns expected output and revert reasons.", simulateTransactionSchema.shape, async (params) => mcpText(await invokeTool(handleSimulateTransaction, params, "simulate_transaction")));
+    server.tool("get_execution_history", "Pull on-chain transaction history for a wallet. Filters by swap, transfer, or all.", getExecutionHistorySchema.shape, async (params) => mcpText(await invokeTool(handleGetExecutionHistory, params, "get_execution_history")));
+    server.tool("get_token_price", "Fetch real-time price of PHRS, USDC, or USDT on Pharos using DODO liquidity quotes.", getTokenPriceSchema.shape, async (params) => mcpText(await invokeTool(handleGetTokenPrice, params, "get_token_price")));
+    server.tool("get_wallet_balance", "Return PHRS, USDC, USDT balances for a wallet with total USD estimate.", getWalletBalanceSchema.shape, async (params) => mcpText(await invokeTool(handleGetWalletBalance, params, "get_wallet_balance")));
+    server.tool("check_allowance", "Check ERC-20 token allowance for DODO swap approval. Returns whether approval is needed.", checkAllowanceSchema.shape, async (params) => mcpText(await invokeTool(handleCheckAllowance, params, "check_allowance")));
+    server.tool("get_transaction_status", "Check on-chain transaction status by hash. Returns status, block, gas, and explorer link.", getTransactionStatusSchema.shape, async (params) => mcpText(await invokeTool(handleGetTransactionStatus, params, "get_transaction_status")));
+    server.tool("estimate_gas", "Estimate gas cost for a swap or transfer before executing. Returns cost in PHRS and USD.", estimateGasSchema.shape, async (params) => mcpText(await invokeTool(handleEstimateGas, params, "estimate_gas")));
+    server.tool("publish_risk_score", "Run risk assessment and publish result to the on-chain RiskRegistry. Other agents can query it.", publishRiskScoreSchema.shape, async (params) => mcpText(await invokeTool(handlePublishRiskScore, params, "publish_risk_score")));
+    server.tool("query_risk_registry", "Query the on-chain RiskRegistry for a wallet's published risk score. Read-only, no private key needed.", queryRiskRegistrySchema.shape, async (params) => mcpText(await invokeTool(handleQueryRiskRegistry, params, "query_risk_registry")));
+    server.tool("approve_token", "Approve ERC-20 token spending for FaroSwap (DODO) router. Required before swapping non-native tokens.", approveTokenSchema.shape, async (params) => mcpText(await invokeTool(handleApproveToken, params, "approve_token")));
+    server.tool("get_gas_price", "Get current gas price on Pharos with trend classification and cost estimates.", getGasPriceSchema.shape, async (params) => mcpText(await invokeTool(handleGetGasPrice, params, "get_gas_price")));
+    server.tool("get_pool_info", "Fetch DODO liquidity pool info for a token pair on Pharos. Returns price ratio, impact, and fees.", getPoolInfoSchema.shape, async (params) => mcpText(await invokeTool(handleGetPoolInfo, params, "get_pool_info")));
+    server.tool("check_token_security", "Check token contract security (honeypot, mintable, ownership privileges, tax) via GoPlus Security API.", checkTokenSecuritySchema.shape, async (params) => mcpText(await invokeTool(handleCheckTokenSecurity, params, "check_token_security")));
+    server.tool("x402_pay_and_fetch", "Fetch resources from an HTTP x402 payment-gated server. Automatically handles HTTP 402 payment challenge.", x402PayAndFetchSchema.shape, async (params) => mcpText(await invokeTool(handleX402PayAndFetch, params, "x402_pay_and_fetch")));
+    // ─── Managed Wallet Tools ──────────────────────────────────────────────
+    server.tool("create_agent_wallet", "Create a new managed testnet agent wallet. Private key is encrypted and never returned. Fund the wallet with testnet PHRS before using write tools.", createAgentWalletSchema.shape, async (params) => mcpText(await invokeTool(handleCreateAgentWallet, params, "create_agent_wallet")));
+    server.tool("get_agent_wallet", "Get public info (address, environment, chainId) for a managed agent wallet. Never returns private key.", getAgentWalletSchema.shape, async (params) => mcpText(await invokeTool(handleGetAgentWallet, params, "get_agent_wallet")));
+    server.tool("get_agent_wallet_balance", "Get PHRS, USDC, and USDT balances for a managed agent wallet on Pharos testnet.", getAgentWalletBalanceSchema.shape, async (params) => mcpText(await invokeTool(handleGetAgentWalletBalance, params, "get_agent_wallet_balance")));
+    // ─── Start Server ──────────────────────────────────────────────────────
+    async function main() {
+        const transport = new StdioServerTransport();
+        await server.connect(transport);
+        console.error(`SafeHands-Pharos MCP Server v${PKG_VERSION} running on stdio`);
+    }
+    main().catch((error) => {
+        console.error("Fatal error:", error);
+        process.exit(1);
+    });
+} // end: !isDemoMode
 //# sourceMappingURL=index.js.map