shll-skills 5.3.4 → 5.4.1

package/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: shll-run
 description: Execute DeFi transactions on BSC via SHLL AgentNFA. The AI handles all commands — users only need to chat.
-version: 5.3.4
+version: 5.4.1
 author: SHLL Team
 website: https://shll.run
 twitter: https://twitter.com/shllrun

package/dist/index.js

@@ -797,6 +797,57 @@ function createClient(options) {
     chainId: 56
   });
 }
+var AGENT_NFA_ACCESS_ABI = [
+  { name: "operatorExpiresOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+  { name: "userExpires", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+  { name: "operatorOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+  { name: "userOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+  { name: "ownerOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] }
+];
+async function checkAccess(opts, tokenId) {
+  const rpcUrl = opts.rpc || DEFAULT_RPC;
+  const nfa = opts.nfaAddress || DEFAULT_NFA;
+  const pk = toHex(process.env.RUNNER_PRIVATE_KEY || "");
+  const account = (0, import_accounts2.privateKeyToAccount)(pk);
+  const pc = (0, import_viem2.createPublicClient)({ chain: import_chains2.bsc, transport: (0, import_viem2.http)(rpcUrl) });
+  const [operatorExpires, userExpires, operator, renter, owner] = await Promise.all([
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "operatorExpiresOf", args: [tokenId] }),
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "userExpires", args: [tokenId] }),
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "operatorOf", args: [tokenId] }),
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "userOf", args: [tokenId] }),
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "ownerOf", args: [tokenId] })
+  ]);
+  const now = BigInt(Math.floor(Date.now() / 1e3));
+  if (now > userExpires) {
+    output({ status: "error", message: `Agent token-id ${tokenId} rental has EXPIRED (expired at ${new Date(Number(userExpires) * 1e3).toISOString()}). Please renew at https://shll.run/me` });
+    process.exit(1);
+  }
+  if (now > operatorExpires) {
+    output({ status: "error", message: `Agent token-id ${tokenId} operator authorization has EXPIRED (expired at ${new Date(Number(operatorExpires) * 1e3).toISOString()}). Please re-authorize via setup_guide.` });
+    process.exit(1);
+  }
+  const runnerAddr = account.address.toLowerCase();
+  const isOperator = operator.toLowerCase() === runnerAddr;
+  const isRenter = renter.toLowerCase() === runnerAddr;
+  const isOwner = owner.toLowerCase() === runnerAddr;
+  if (!isOperator && !isRenter && !isOwner) {
+    output({
+      status: "error",
+      message: `RUNNER_PRIVATE_KEY wallet (${account.address}) is NOT authorized for token-id ${tokenId}. On-chain operator is ${operator}.`,
+      yourWallet: account.address,
+      onChainOperator: operator,
+      onChainRenter: renter,
+      onChainOwner: owner,
+      howToFix: [
+        `1. Use 'setup_guide' command to generate an OperatorPermit for this wallet`,
+        `2. Renter (${renter}) can call setOperator(${tokenId}, ${account.address}, <expiry>) on AgentNFA`,
+        `3. Go to https://shll.run/agent/0xE98DCdbf370D7b52c9A2b88F79bEF514A5375a2b/${tokenId}/console/safety to set operator`,
+        `4. Use the correct RUNNER_PRIVATE_KEY for operator ${operator}`
+      ]
+    });
+    process.exit(1);
+  }
+}
 var program = new import_commander.Command();
 program.name("shll-onchain-runner").description("Execute DeFi actions securely via SHLL AgentNFA");
 var swapCmd = new import_commander.Command("swap").description("Swap tokens on PancakeSwap (auto-routes V2/V3)").requiredOption("-f, --from <token>", "Input token (symbol or 0x address, e.g. USDC, BNB)").requiredOption("-t, --to <token>", "Output token (symbol or 0x address)").requiredOption("-a, --amount <number>", "Amount to swap (human-readable, e.g. 0.5)").option("-s, --slippage <percent>", "Slippage tolerance in percent (default: 5)", "5").option("--dex <mode>", "DEX routing: auto, v2, v3 (default: auto)", "auto").option("--fee <tier>", "V3 fee tier in bps (default: 2500 = 0.25%)", "2500").option("--router <address>", "DEX router address (override)");
@@ -805,6 +856,7 @@ swapCmd.action(async (opts) => {
   try {
     const client = createClient(opts);
     const tokenId = BigInt(opts.tokenId);
+    await checkAccess(opts, tokenId);
     const rpcUrl = opts.rpc || DEFAULT_RPC;
     const fromToken = resolveToken(opts.from);
     const toToken = resolveToken(opts.to);
@@ -1361,6 +1413,7 @@ wrapCmd.action(async (opts) => {
       output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
       process.exit(1);
     }
+    await checkAccess(opts, BigInt(opts.tokenId));
     const client = new PolicyClient({
       operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
       rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -1396,6 +1449,7 @@ unwrapCmd.action(async (opts) => {
       output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
       process.exit(1);
     }
+    await checkAccess(opts, BigInt(opts.tokenId));
     const client = new PolicyClient({
       operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
       rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -1432,6 +1486,7 @@ transferCmd.action(async (opts) => {
       output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
       process.exit(1);
     }
+    await checkAccess(opts, BigInt(opts.tokenId));
     const client = new PolicyClient({
       operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
       rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -2003,6 +2058,7 @@ lendCmd.action(async (opts) => {
   try {
     const client = createClient(opts);
     const tokenId = BigInt(opts.tokenId);
+    await checkAccess(opts, tokenId);
     const rpcUrl = opts.rpc || DEFAULT_RPC;
     const publicClient = (0, import_viem2.createPublicClient)({ chain: import_chains2.bsc, transport: (0, import_viem2.http)(rpcUrl) });
     const symbol = opts.token.toUpperCase();
@@ -2070,6 +2126,7 @@ redeemCmd.action(async (opts) => {
   try {
     const client = createClient(opts);
     const tokenId = BigInt(opts.tokenId);
+    await checkAccess(opts, tokenId);
     const symbol = opts.token.toUpperCase();
     const vTokenAddr = VENUS_VTOKENS[symbol];
     if (!vTokenAddr) {

package/dist/index.mjs

@@ -309,6 +309,57 @@ function createClient(options) {
     chainId: 56
   });
 }
+var AGENT_NFA_ACCESS_ABI = [
+  { name: "operatorExpiresOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+  { name: "userExpires", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+  { name: "operatorOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+  { name: "userOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+  { name: "ownerOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] }
+];
+async function checkAccess(opts, tokenId) {
+  const rpcUrl = opts.rpc || DEFAULT_RPC;
+  const nfa = opts.nfaAddress || DEFAULT_NFA;
+  const pk = toHex(process.env.RUNNER_PRIVATE_KEY || "");
+  const account = privateKeyToAccount(pk);
+  const pc = createPublicClient({ chain: bsc, transport: http(rpcUrl) });
+  const [operatorExpires, userExpires, operator, renter, owner] = await Promise.all([
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "operatorExpiresOf", args: [tokenId] }),
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "userExpires", args: [tokenId] }),
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "operatorOf", args: [tokenId] }),
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "userOf", args: [tokenId] }),
+    pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "ownerOf", args: [tokenId] })
+  ]);
+  const now = BigInt(Math.floor(Date.now() / 1e3));
+  if (now > userExpires) {
+    output({ status: "error", message: `Agent token-id ${tokenId} rental has EXPIRED (expired at ${new Date(Number(userExpires) * 1e3).toISOString()}). Please renew at https://shll.run/me` });
+    process.exit(1);
+  }
+  if (now > operatorExpires) {
+    output({ status: "error", message: `Agent token-id ${tokenId} operator authorization has EXPIRED (expired at ${new Date(Number(operatorExpires) * 1e3).toISOString()}). Please re-authorize via setup_guide.` });
+    process.exit(1);
+  }
+  const runnerAddr = account.address.toLowerCase();
+  const isOperator = operator.toLowerCase() === runnerAddr;
+  const isRenter = renter.toLowerCase() === runnerAddr;
+  const isOwner = owner.toLowerCase() === runnerAddr;
+  if (!isOperator && !isRenter && !isOwner) {
+    output({
+      status: "error",
+      message: `RUNNER_PRIVATE_KEY wallet (${account.address}) is NOT authorized for token-id ${tokenId}. On-chain operator is ${operator}.`,
+      yourWallet: account.address,
+      onChainOperator: operator,
+      onChainRenter: renter,
+      onChainOwner: owner,
+      howToFix: [
+        `1. Use 'setup_guide' command to generate an OperatorPermit for this wallet`,
+        `2. Renter (${renter}) can call setOperator(${tokenId}, ${account.address}, <expiry>) on AgentNFA`,
+        `3. Go to https://shll.run/agent/0xE98DCdbf370D7b52c9A2b88F79bEF514A5375a2b/${tokenId}/console/safety to set operator`,
+        `4. Use the correct RUNNER_PRIVATE_KEY for operator ${operator}`
+      ]
+    });
+    process.exit(1);
+  }
+}
 var program = new Command();
 program.name("shll-onchain-runner").description("Execute DeFi actions securely via SHLL AgentNFA");
 var swapCmd = new Command("swap").description("Swap tokens on PancakeSwap (auto-routes V2/V3)").requiredOption("-f, --from <token>", "Input token (symbol or 0x address, e.g. USDC, BNB)").requiredOption("-t, --to <token>", "Output token (symbol or 0x address)").requiredOption("-a, --amount <number>", "Amount to swap (human-readable, e.g. 0.5)").option("-s, --slippage <percent>", "Slippage tolerance in percent (default: 5)", "5").option("--dex <mode>", "DEX routing: auto, v2, v3 (default: auto)", "auto").option("--fee <tier>", "V3 fee tier in bps (default: 2500 = 0.25%)", "2500").option("--router <address>", "DEX router address (override)");
@@ -317,6 +368,7 @@ swapCmd.action(async (opts) => {
   try {
     const client = createClient(opts);
     const tokenId = BigInt(opts.tokenId);
+    await checkAccess(opts, tokenId);
     const rpcUrl = opts.rpc || DEFAULT_RPC;
     const fromToken = resolveToken(opts.from);
     const toToken = resolveToken(opts.to);
@@ -873,6 +925,7 @@ wrapCmd.action(async (opts) => {
       output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
       process.exit(1);
     }
+    await checkAccess(opts, BigInt(opts.tokenId));
     const client = new PolicyClient({
       operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
       rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -908,6 +961,7 @@ unwrapCmd.action(async (opts) => {
       output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
       process.exit(1);
     }
+    await checkAccess(opts, BigInt(opts.tokenId));
     const client = new PolicyClient({
       operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
       rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -944,6 +998,7 @@ transferCmd.action(async (opts) => {
       output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
       process.exit(1);
     }
+    await checkAccess(opts, BigInt(opts.tokenId));
     const client = new PolicyClient({
       operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
       rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -1515,6 +1570,7 @@ lendCmd.action(async (opts) => {
   try {
     const client = createClient(opts);
     const tokenId = BigInt(opts.tokenId);
+    await checkAccess(opts, tokenId);
     const rpcUrl = opts.rpc || DEFAULT_RPC;
     const publicClient = createPublicClient({ chain: bsc, transport: http(rpcUrl) });
     const symbol = opts.token.toUpperCase();
@@ -1582,6 +1638,7 @@ redeemCmd.action(async (opts) => {
   try {
     const client = createClient(opts);
     const tokenId = BigInt(opts.tokenId);
+    await checkAccess(opts, tokenId);
     const symbol = opts.token.toUpperCase();
     const vTokenAddr = VENUS_VTOKENS[symbol];
     if (!vTokenAddr) {

package/dist/mcp.js

@@ -646,16 +646,23 @@ function createClients() {
   });
   return { account, publicClient, policyClient, config };
 }
-var AGENT_NFA_EXPIRY_ABI = [
+var AGENT_NFA_CHECK_ABI = [
   { name: "operatorExpiresOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
-  { name: "userExpires", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] }
+  { name: "userExpires", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+  { name: "operatorOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+  { name: "userOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+  { name: "ownerOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] }
 ];
 async function checkAgentExpiry(tokenId) {
   const config = getConfig();
+  const account = (0, import_accounts2.privateKeyToAccount)(config.privateKey);
   const pc = (0, import_viem2.createPublicClient)({ chain: import_chains2.bsc, transport: (0, import_viem2.http)(config.rpc) });
-  const [operatorExpires, userExpires] = await Promise.all([
-    pc.readContract({ address: config.nfa, abi: AGENT_NFA_EXPIRY_ABI, functionName: "operatorExpiresOf", args: [tokenId] }),
-    pc.readContract({ address: config.nfa, abi: AGENT_NFA_EXPIRY_ABI, functionName: "userExpires", args: [tokenId] })
+  const [operatorExpires, userExpires, operator, renter, owner] = await Promise.all([
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "operatorExpiresOf", args: [tokenId] }),
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "userExpires", args: [tokenId] }),
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "operatorOf", args: [tokenId] }),
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "userOf", args: [tokenId] }),
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "ownerOf", args: [tokenId] })
   ]);
   const now = BigInt(Math.floor(Date.now() / 1e3));
   if (now > operatorExpires) {
@@ -686,6 +693,33 @@ async function checkAgentExpiry(tokenId) {
       }]
     };
   }
+  const runnerAddr = account.address.toLowerCase();
+  const isOperator = operator.toLowerCase() === runnerAddr;
+  const isRenter = renter.toLowerCase() === runnerAddr;
+  const isOwner = owner.toLowerCase() === runnerAddr;
+  if (!isOperator && !isRenter && !isOwner) {
+    return {
+      expired: true,
+      // reuse expired flag to block execution
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          status: "error",
+          message: `RUNNER_PRIVATE_KEY wallet (${account.address}) is NOT authorized for token-id ${tokenId}. On-chain operator is ${operator}. Your wallet must be the operator, renter, or owner to execute transactions.`,
+          yourWallet: account.address,
+          onChainOperator: operator,
+          onChainRenter: renter,
+          onChainOwner: owner,
+          howToFix: [
+            `Option 1: Use the 'setup_guide' tool \u2014 it generates an EIP-712 OperatorPermit that lets the renter (${renter}) authorize your current wallet (${account.address}) as operator. The renter signs the permit in their browser wallet, then the runner submits it on-chain.`,
+            `Option 2: The renter (${renter}) can call setOperator(${tokenId}, ${account.address}, <expiry_timestamp>) on AgentNFA contract at ${config.nfa} to directly authorize this wallet.`,
+            `Option 3: Go to https://shll.run/agent/0xE98DCdbf370D7b52c9A2b88F79bEF514A5375a2b/${tokenId}/console/safety and set ${account.address} as the operator.`,
+            `Option 4: If you have access to the correct operator wallet (${operator}), set RUNNER_PRIVATE_KEY to that wallet's private key instead.`
+          ]
+        })
+      }]
+    };
+  }
   return { expired: false };
 }
 function policyRejectionHelp(reason, tokenId) {

package/dist/mcp.mjs

@@ -157,16 +157,23 @@ function createClients() {
   });
   return { account, publicClient, policyClient, config };
 }
-var AGENT_NFA_EXPIRY_ABI = [
+var AGENT_NFA_CHECK_ABI = [
   { name: "operatorExpiresOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
-  { name: "userExpires", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] }
+  { name: "userExpires", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+  { name: "operatorOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+  { name: "userOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+  { name: "ownerOf", type: "function", stateMutability: "view", inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] }
 ];
 async function checkAgentExpiry(tokenId) {
   const config = getConfig();
+  const account = privateKeyToAccount(config.privateKey);
   const pc = createPublicClient({ chain: bsc, transport: http(config.rpc) });
-  const [operatorExpires, userExpires] = await Promise.all([
-    pc.readContract({ address: config.nfa, abi: AGENT_NFA_EXPIRY_ABI, functionName: "operatorExpiresOf", args: [tokenId] }),
-    pc.readContract({ address: config.nfa, abi: AGENT_NFA_EXPIRY_ABI, functionName: "userExpires", args: [tokenId] })
+  const [operatorExpires, userExpires, operator, renter, owner] = await Promise.all([
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "operatorExpiresOf", args: [tokenId] }),
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "userExpires", args: [tokenId] }),
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "operatorOf", args: [tokenId] }),
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "userOf", args: [tokenId] }),
+    pc.readContract({ address: config.nfa, abi: AGENT_NFA_CHECK_ABI, functionName: "ownerOf", args: [tokenId] })
   ]);
   const now = BigInt(Math.floor(Date.now() / 1e3));
   if (now > operatorExpires) {
@@ -197,6 +204,33 @@ async function checkAgentExpiry(tokenId) {
       }]
     };
   }
+  const runnerAddr = account.address.toLowerCase();
+  const isOperator = operator.toLowerCase() === runnerAddr;
+  const isRenter = renter.toLowerCase() === runnerAddr;
+  const isOwner = owner.toLowerCase() === runnerAddr;
+  if (!isOperator && !isRenter && !isOwner) {
+    return {
+      expired: true,
+      // reuse expired flag to block execution
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          status: "error",
+          message: `RUNNER_PRIVATE_KEY wallet (${account.address}) is NOT authorized for token-id ${tokenId}. On-chain operator is ${operator}. Your wallet must be the operator, renter, or owner to execute transactions.`,
+          yourWallet: account.address,
+          onChainOperator: operator,
+          onChainRenter: renter,
+          onChainOwner: owner,
+          howToFix: [
+            `Option 1: Use the 'setup_guide' tool \u2014 it generates an EIP-712 OperatorPermit that lets the renter (${renter}) authorize your current wallet (${account.address}) as operator. The renter signs the permit in their browser wallet, then the runner submits it on-chain.`,
+            `Option 2: The renter (${renter}) can call setOperator(${tokenId}, ${account.address}, <expiry_timestamp>) on AgentNFA contract at ${config.nfa} to directly authorize this wallet.`,
+            `Option 3: Go to https://shll.run/agent/0xE98DCdbf370D7b52c9A2b88F79bEF514A5375a2b/${tokenId}/console/safety and set ${account.address} as the operator.`,
+            `Option 4: If you have access to the correct operator wallet (${operator}), set RUNNER_PRIVATE_KEY to that wallet's private key instead.`
+          ]
+        })
+      }]
+    };
+  }
   return { expired: false };
 }
 function policyRejectionHelp(reason, tokenId) {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "shll-skills",
-    "version": "5.3.4",
+    "version": "5.4.1",
     "description": "SHLL DeFi Agent — CLI + MCP Server for BSC",
     "main": "dist/index.js",
     "bin": {
@@ -24,4 +24,4 @@
         "tsup": "^8.0.2",
         "typescript": "^5.4.5"
     }
-}
+}

package/src/index.ts

@@ -325,8 +325,61 @@ function createClient(options: Record<string, string>): PolicyClient {
         chainId: 56,
     });
 }
-
 // ── Program ─────────────────────────────────────────────
+
+// Pre-check: prevents write operations on expired/unauthorized agents with clear error
+const AGENT_NFA_ACCESS_ABI = [
+    { name: "operatorExpiresOf", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+    { name: "userExpires", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+    { name: "operatorOf", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+    { name: "userOf", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+    { name: "ownerOf", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+] as const;
+
+async function checkAccess(opts: Record<string, string>, tokenId: bigint) {
+    const rpcUrl = opts.rpc || DEFAULT_RPC;
+    const nfa = (opts.nfaAddress || DEFAULT_NFA) as Address;
+    const pk = toHex(process.env.RUNNER_PRIVATE_KEY || "");
+    const account = privateKeyToAccount(pk);
+    const pc = createPublicClient({ chain: bsc, transport: http(rpcUrl) });
+    const [operatorExpires, userExpires, operator, renter, owner] = await Promise.all([
+        pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "operatorExpiresOf", args: [tokenId] }) as Promise<bigint>,
+        pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "userExpires", args: [tokenId] }) as Promise<bigint>,
+        pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "operatorOf", args: [tokenId] }) as Promise<Address>,
+        pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "userOf", args: [tokenId] }) as Promise<Address>,
+        pc.readContract({ address: nfa, abi: AGENT_NFA_ACCESS_ABI, functionName: "ownerOf", args: [tokenId] }) as Promise<Address>,
+    ]);
+    const now = BigInt(Math.floor(Date.now() / 1000));
+    if (now > userExpires) {
+        output({ status: "error", message: `Agent token-id ${tokenId} rental has EXPIRED (expired at ${new Date(Number(userExpires) * 1000).toISOString()}). Please renew at https://shll.run/me` });
+        process.exit(1);
+    }
+    if (now > operatorExpires) {
+        output({ status: "error", message: `Agent token-id ${tokenId} operator authorization has EXPIRED (expired at ${new Date(Number(operatorExpires) * 1000).toISOString()}). Please re-authorize via setup_guide.` });
+        process.exit(1);
+    }
+    const runnerAddr = account.address.toLowerCase();
+    const isOperator = operator.toLowerCase() === runnerAddr;
+    const isRenter = renter.toLowerCase() === runnerAddr;
+    const isOwner = owner.toLowerCase() === runnerAddr;
+    if (!isOperator && !isRenter && !isOwner) {
+        output({
+            status: "error",
+            message: `RUNNER_PRIVATE_KEY wallet (${account.address}) is NOT authorized for token-id ${tokenId}. On-chain operator is ${operator}.`,
+            yourWallet: account.address,
+            onChainOperator: operator,
+            onChainRenter: renter,
+            onChainOwner: owner,
+            howToFix: [
+                `1. Use 'setup_guide' command to generate an OperatorPermit for this wallet`,
+                `2. Renter (${renter}) can call setOperator(${tokenId}, ${account.address}, <expiry>) on AgentNFA`,
+                `3. Go to https://shll.run/agent/0xE98DCdbf370D7b52c9A2b88F79bEF514A5375a2b/${tokenId}/console/safety to set operator`,
+                `4. Use the correct RUNNER_PRIVATE_KEY for operator ${operator}`,
+            ],
+        });
+        process.exit(1);
+    }
+}
 const program = new Command();
 program.name("shll-onchain-runner").description("Execute DeFi actions securely via SHLL AgentNFA");
 
@@ -346,6 +399,7 @@ swapCmd.action(async (opts) => {
     try {
         const client = createClient(opts);
         const tokenId = BigInt(opts.tokenId);
+        await checkAccess(opts, tokenId);
         const rpcUrl = opts.rpc || DEFAULT_RPC;
 
         const fromToken = resolveToken(opts.from);
@@ -1067,6 +1121,7 @@ wrapCmd.action(async (opts) => {
             output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
             process.exit(1);
         }
+        await checkAccess(opts, BigInt(opts.tokenId));
         const client = new PolicyClient({
             operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
             rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -1117,6 +1172,7 @@ unwrapCmd.action(async (opts) => {
             output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
             process.exit(1);
         }
+        await checkAccess(opts, BigInt(opts.tokenId));
         const client = new PolicyClient({
             operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
             rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -1170,6 +1226,7 @@ transferCmd.action(async (opts) => {
             output({ status: "error", message: "RUNNER_PRIVATE_KEY environment variable is missing" });
             process.exit(1);
         }
+        await checkAccess(opts, BigInt(opts.tokenId));
         const client = new PolicyClient({
             operatorPrivateKey: toHex(process.env.RUNNER_PRIVATE_KEY),
             rpcUrl: opts.rpc || DEFAULT_RPC,
@@ -1909,6 +1966,7 @@ lendCmd.action(async (opts) => {
     try {
         const client = createClient(opts);
         const tokenId = BigInt(opts.tokenId);
+        await checkAccess(opts, tokenId);
         const rpcUrl = opts.rpc || DEFAULT_RPC;
         const publicClient = createPublicClient({ chain: bsc, transport: http(rpcUrl) });
 
@@ -1997,6 +2055,7 @@ redeemCmd.action(async (opts) => {
     try {
         const client = createClient(opts);
         const tokenId = BigInt(opts.tokenId);
+        await checkAccess(opts, tokenId);
 
         const symbol = opts.token.toUpperCase();
         const vTokenAddr = VENUS_VTOKENS[symbol];

package/src/mcp.ts

@@ -196,18 +196,25 @@ function createClients() {
     return { account, publicClient, policyClient, config };
 }
 
-// Expiry pre-check: prevents write operations on expired agents with clear error
-const AGENT_NFA_EXPIRY_ABI = [
+// Pre-check: prevents write operations on expired/unauthorized agents with clear errors
+const AGENT_NFA_CHECK_ABI = [
     { name: "operatorExpiresOf", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
     { name: "userExpires", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "uint256" }] },
+    { name: "operatorOf", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+    { name: "userOf", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
+    { name: "ownerOf", type: "function" as const, stateMutability: "view" as const, inputs: [{ name: "tokenId", type: "uint256" }], outputs: [{ name: "", type: "address" }] },
 ] as const;
 
 async function checkAgentExpiry(tokenId: bigint) {
     const config = getConfig();
+    const account = privateKeyToAccount(config.privateKey as Hex);
     const pc = createPublicClient({ chain: bsc, transport: http(config.rpc) });
-    const [operatorExpires, userExpires] = await Promise.all([
-        pc.readContract({ address: config.nfa as Address, abi: AGENT_NFA_EXPIRY_ABI, functionName: "operatorExpiresOf", args: [tokenId] }) as Promise<bigint>,
-        pc.readContract({ address: config.nfa as Address, abi: AGENT_NFA_EXPIRY_ABI, functionName: "userExpires", args: [tokenId] }) as Promise<bigint>,
+    const [operatorExpires, userExpires, operator, renter, owner] = await Promise.all([
+        pc.readContract({ address: config.nfa as Address, abi: AGENT_NFA_CHECK_ABI, functionName: "operatorExpiresOf", args: [tokenId] }) as Promise<bigint>,
+        pc.readContract({ address: config.nfa as Address, abi: AGENT_NFA_CHECK_ABI, functionName: "userExpires", args: [tokenId] }) as Promise<bigint>,
+        pc.readContract({ address: config.nfa as Address, abi: AGENT_NFA_CHECK_ABI, functionName: "operatorOf", args: [tokenId] }) as Promise<Address>,
+        pc.readContract({ address: config.nfa as Address, abi: AGENT_NFA_CHECK_ABI, functionName: "userOf", args: [tokenId] }) as Promise<Address>,
+        pc.readContract({ address: config.nfa as Address, abi: AGENT_NFA_CHECK_ABI, functionName: "ownerOf", args: [tokenId] }) as Promise<Address>,
     ]);
     const now = BigInt(Math.floor(Date.now() / 1000));
     if (now > operatorExpires) {
@@ -236,6 +243,32 @@ async function checkAgentExpiry(tokenId: bigint) {
             }],
         };
     }
+    // Operator identity check: verify RUNNER_PRIVATE_KEY wallet can execute
+    const runnerAddr = account.address.toLowerCase();
+    const isOperator = operator.toLowerCase() === runnerAddr;
+    const isRenter = renter.toLowerCase() === runnerAddr;
+    const isOwner = owner.toLowerCase() === runnerAddr;
+    if (!isOperator && !isRenter && !isOwner) {
+        return {
+            expired: true, // reuse expired flag to block execution
+            content: [{
+                type: "text" as const, text: JSON.stringify({
+                    status: "error",
+                    message: `RUNNER_PRIVATE_KEY wallet (${account.address}) is NOT authorized for token-id ${tokenId}. On-chain operator is ${operator}. Your wallet must be the operator, renter, or owner to execute transactions.`,
+                    yourWallet: account.address,
+                    onChainOperator: operator,
+                    onChainRenter: renter,
+                    onChainOwner: owner,
+                    howToFix: [
+                        `Option 1: Use the 'setup_guide' tool — it generates an EIP-712 OperatorPermit that lets the renter (${renter}) authorize your current wallet (${account.address}) as operator. The renter signs the permit in their browser wallet, then the runner submits it on-chain.`,
+                        `Option 2: The renter (${renter}) can call setOperator(${tokenId}, ${account.address}, <expiry_timestamp>) on AgentNFA contract at ${config.nfa} to directly authorize this wallet.`,
+                        `Option 3: Go to https://shll.run/agent/0xE98DCdbf370D7b52c9A2b88F79bEF514A5375a2b/${tokenId}/console/safety and set ${account.address} as the operator.`,
+                        `Option 4: If you have access to the correct operator wallet (${operator}), set RUNNER_PRIVATE_KEY to that wallet's private key instead.`,
+                    ],
+                })
+            }],
+        };
+    }
     return { expired: false };
 }