feat/wallet core consolidation#31
Merged
Merged
Conversation
1lystore
commented
Jun 19, 2026
1lystore
commented
Owner
- fix(vault): revoke/delete agent now purges its standing grants (no orphaned sessions)
- fix(cloud-connect): rich scope guidance in vault_read/write descriptions + self-correcting deny
- feat: @dcprotocol/wallet-core — shared wallet brain + runner consolidation
…phaned sessions) revokeAgentConnection + deleteAgentConnection + cloud-connect revoke now call revokeAgentSessions(name), so an agent's Allow grants don't linger in Active Sessions (and can't be inherited via name reuse). Test added.
…ons + self-correcting deny - vault_read/vault_write descriptions now list canonical scopes (identity.name, credentials.api.<service>) and tell agents to call vault_scope_guide instead of guessing (fixes ChatGPT requesting non-existent 'profile') - SCOPE_NOT_PERMITTED message now points the agent to vault_scope_guide to self-correct - bump @dcprotocol/vault to 3.0.2
…ation Extract the pure, native-dep-free wallet logic into a new @dcprotocol/wallet-core package (Node / browser / React-Native safe): tx build + validation (anti-blind-sign, swap quote/program checks, idempotency rules), on-chain reads, token registry, Jupiter (fee injected), and the execution runner. core/vault/agent now consume it (re-exported for backward compatibility), so wallet logic lives once for desktop + mobile. Vault transfer/swap can route through the shared runner behind DCP_USE_SHARED_RUNNER (default OFF — the proven path stays live). Transfer is on-chain proven on devnet (20-way concurrency / no overspend, idempotent replay, SPL + ATA creation). Adds golden-harness, wallet-tx, and devnet/mainnet verification suites; extracts vault helper modules into server/lib. Also includes client SDK transport additions and agent connection/scope-guide updates. Tests: wallet-core 83 · core 221 · agent 51 · vault 143 · client 55 · telegram 63 · security 27/27
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…out order) In a fresh checkout, core's tsup --dts re-exports VaultError from @dcprotocol/wallet-core and needs its built dist; the root build forced core first, so wallet-core was not yet built (TS2307). Build wallet-core first in the root build + dev:cli scripts.
- wallet-core toBaseUnits: bound user-supplied decimals to 0..18 before it feeds '0'.repeat(decimals)/toFixed/10n**, closing a resource-exhaustion (DoS) vector CodeQL flagged on solana-tx.ts. Adds a regression test. - vault /v1/vault/transfer + /v1/vault/swap: add explicit per-route rate-limit config (in addition to the global 600/min) so CodeQL sees these money-moving, auth-performing routes are rate-limited.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.