honesty: retire /api/risk + /api/gold (returned fabricated demo data) #209
Merged
operatoruplift merged 1 commit into master on Apr 28, 2026
Both routes were serving hardcoded "demo until API key configured" data with zero internal callers:

- /api/risk -> lib/webacy-risk.ts returned overall: 87, grade: 'A', flagged: false, sanctions: false for any wallet/contract/transaction. A "your wallet is safe" answer regardless of input.
- /api/gold -> lib/oro-grail.ts returned balanceOz: 0.0847, balanceUsd: 278.24 — exactly the values that tests/e2e/dashboard-honesty.spec.ts bans (Gold Agent retired in #164). The dashboard widget was retired but the API + lib survived.

Both routes now return 410 Gone with a clear nextAction, mirroring the pattern from #173 (x402 charge) and #182 (subscription confirm). Both libs deleted (no callers).

DD.xyz integration entry on /integrations: status updated from "available" to "coming_soon" since the lib backing it returned fake data. Now matches the truth.

tests/e2e/request-id-runtime.spec.ts: /api/risk expectStatus updated [400, 401] -> [401, 410]. Added /api/gold probe with [401, 410]. Hermetic spec count stays at 17 (just adds a probe to an existing spec).
operatoruplift added a commit that referenced this pull request on Apr 28, 2026
The /agents/builder wizard step 3 (Tools) presented 20 tools the user could attach to a custom agent: Web Search, Web Scraper, Code Executor, File System, Memory Bank, Database, HTTP/API, GitHub, Shell, Code Search, Email, Calendar, Slack, Notion, Solana, Oro GRAIL, DD.xyz Risk, x402, Image Gen, Voice. The grid was uniform — every option looked equally available and selectable.

Reality: only 5 of these have a backing /api/tools/* route the agent runtime can actually call (web-search, memory, email/gmail, calendar, x402). Selecting any of the other 15 saved an entry to the agent's tool list that the runtime would never invoke, because no router exists. A user could ship an agent claiming "Slack + Notion + Database" that secretly couldn't do any of those.

Three changes:

1. TOOLS list gains a `live: boolean` field. 5 marked live (web-search, memory, email, calendar, x402), 14 marked demo. Drop the 'oro-grail' row entirely (the API was retired in #209). Add a 'tokens' row (live, the existing /api/tools/tokens route).
2. Each tool tile renders a small DEMO badge when `live=false` and gets `opacity-70` so the visual hierarchy matches the truth.
3. Comment block above TOOLS spells out the contract: stay aligned with /integrations and the toolCalls router; never mark `live: true` without a working /api/tools/* route.

Pure UI disclosure — no behavior change. Selecting demo tools still works (writes to the agent's localStorage entry); the user just sees the badge before they pick.
operatoruplift added a commit that referenced this pull request on Apr 28, 2026
Adds a fourth grep-guard alongside copy-check, capability-check, and trust-gate. Each rule encodes a fabrication pattern we've explicitly retired and points at the original cleanup PR so a future contributor can read the prior agreement before reintroducing it.

10 rules covering:

- Gold Agent fake balances (0.0847 oz, $278.24, $3284.50/oz) retired in #209
- Webacy fake "wallet grade A, not flagged, not sanctioned" risk grades retired in #209
- Fabricated x402-devnet-${Date.now()} tx signature pattern retired in #173
- Random-vector fake (Math.floor(Math.random() * 2000) + 100) on /memory retired in #210
- Fake-Pro confirm fall-through tx_signature pattern retired in #182
- Pre-seeded fake "Operator Uplift Architecture" memory node retired in #210
- "API key generated (expires in 30 days)" toast lie retired in #212
- 2-second setTimeout fake-install alert on /store retired in #216

Comment-line heuristic skips lines starting with //, /*, *, or <!-- so the audit-trail comments documenting these retirements (e.g. the new /api/gold route's comment block explaining why the lib was deleted) don't trigger false positives.

Wired into pnpm check via scripts/check.mjs and added a top-level script `pnpm fabrication-rot-check` for direct invocation.

Sanity-tested both directions:

- Clean state: 197 files scanned, 0 hits
- Plant a 'balanceOz: 0.0847' in lib/: guard fires with the rule name and the retiring-PR pointer, exit code 1.
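The grep-guard described in the commit message above, sketched as an added example (not the project's scripts/fabrication-rot-check.mjs). Rule names and sample files are constructed; the three patterns and their retiring PR numbers are taken from the message, and the sketch scans in-memory strings rather than the repository.

```javascript
// Added example: rule names and sample files are constructed for illustration.
// Patterns and retiring-PR numbers are the ones named in the commit message.
const RULES = [
  { name: 'gold-agent-fake-balance', pr: '#209', pattern: /0\.0847|278\.24|3284\.50/ },
  { name: 'x402-fake-devnet-signature', pr: '#173', pattern: /x402-devnet-\$\{Date\.now\(\)\}/ },
  { name: 'memory-random-vector-count', pr: '#210',
    pattern: /Math\.floor\(Math\.random\(\)\s*\*\s*2000\)\s*\+\s*100/ },
];

// Comment-line heuristic: skip lines starting with //, /*, * or <!--
// so audit-trail comments about a retirement do not trip the guard.
function isCommentLine(line) {
  return /^\s*(\/\/|\/\*|\*|<!--)/.test(line);
}

// Scan one file's text; returns one hit per (line, rule) match.
function scanText(file, text, rules = RULES) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (isCommentLine(line)) return;
    for (const rule of rules) {
      if (rule.pattern.test(line)) {
        hits.push({ file, line: i + 1, rule: rule.name, retiredIn: rule.pr });
      }
    }
  });
  return hits;
}

// Scan a { path: text } map; exit code 1 on any hit, as a CI gate would use.
function runGuard(files) {
  const hits = Object.entries(files).flatMap(([f, t]) => scanText(f, t));
  return { scanned: Object.keys(files).length, hits, exitCode: hits.length ? 1 : 0 };
}

// Constructed inputs: a clean route with an audit comment, then a planted fabrication.
const CLEAN = {
  'app/api/gold/route.ts':
    '// lib/oro-grail.ts returned balanceOz: 0.0847 and was deleted\n' +
    'export const status = 410;\n',
};
const PLANTED = {
  ...CLEAN,
  'lib/demo.ts': 'export const demo = { balanceOz: 0.0847 };\n' +
    'const sig = `x402-devnet-${Date.now()}`; // trailing comment still scanned\n',
};
for (const h of runGuard(PLANTED).hits) {
  console.log(`${h.file}:${h.line} ${h.rule} (retired in ${h.retiredIn})`);
}
```

Because the heuristic looks only at how a line starts, a banned value in a trailing comment is still reported, and a code line that happens to begin with `*` is skipped.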
operatoruplift added a commit that referenced this pull request on Apr 28, 2026
…sion net (#226)

CLAUDE.md still listed 3 grep-guards and only 4 dashboard pages covered by the honesty net. After this batch's PRs (#194-#225), the actual state is:

- 4 grep-guards: copy-check, capability-check, trust-gate, fabrication-rot. The new one is described inline so a reader who runs into a fabrication-rot failure can jump to scripts/fabrication-rot-check.mjs for the rule + PR pointer.
- dashboard-honesty.spec.ts now covers 7 surfaces (added /memory, /integrations, /agents/builder, /settings on top of the original /app, /notifications, /workflows).
- request-id-runtime.spec.ts is at 17 probes including the new 410-Gone endpoints from #209 (/api/risk, /api/gold).

Pure docs update. pnpm check passes (4/4).
Summary
Two API routes were serving hardcoded "demo until API key configured" data with zero internal callers:
Both routes now return 410 Gone with a clear `nextAction`, mirroring the pattern from #173 (x402 charge) and #182 (subscription confirm). Both libs deleted (no callers anywhere).
Bonus integrity fix: `/integrations` showed `dd_xyz` (DD.xyz) as `status: 'available'` while its backing lib returned fake data. Updated to `coming_soon` to match the truth.
Test plan