feat: Guardian Command — Phase 2 multi-agent platform rewrite#70
Merged
feat: Guardian Command — Phase 2 multi-agent platform rewrite#70
Conversation
…and threat checking
…in stats Add getPaymentLinksBySession, expireStaleLinks, getPaymentLinkStats, getAuditStats, and getSessionStats to db.ts with full test coverage (15 new tests, 240 passing). Sort by rowid DESC as tie-breaker for stable ordering when created_at timestamps collide within same tick.
…data Implements the invoice tool with required amount, 7-day default expiry, and invoice_meta JSON (description, dueDate, reference). Reuses payment_links table with type='invoice'. 8 tests covering full metadata, DB storage, validation, and expiry defaults.
Express router for payment link pages with dark-theme Tailwind HTML templates, XSS-safe escaping, open-amount support, expiry/paid/404 states, and confirm endpoint.
…ls + /pay and /admin routes Registers 4 new tools in TOOLS array, TOOL_EXECUTORS, and SYSTEM_PROMPT. Mounts /pay and /admin route groups in index.ts with stale link expiry on the 5-minute purge interval. Updates tools.test.ts to assert 14 tools and stream.test.ts mock to include all new exports.
…kie, tx sig validation, devnet→env
Pure-math synchronous tool that floors amounts to common denominations (10, 50, 100, 500, 1000, 5000, 10000) to reduce amount correlation in privacy-preserving transactions. Remainder stays in vault.
Implements crankTick with expiry, miss-window, max_exec completion, recurring re-schedule via intervalMs, and per-op error isolation. 8 tests covering all branches (executed, expired, missed, failed, skipped).
Creates a single scheduled_op with action='send' and max_exec=1. Supports exact delay, random range, or default 30-60 min. Expiry set to scheduled time + 1 hour. 8 tests, all passing.
Add activity_stream, herald_queue, herald_dms, execution_links, cost_log, and agent_events tables with indexes for Phase 2 Guardian/Command layer. Exports: insertActivity, getActivity, dismissActivity, logCost, getCostTotals, logAgentEvent, getAgentEvents, createExecutionLink, getExecutionLink, updateExecutionLink — all ULID-keyed, ISO 8601 timestamps. TDD: 34 tests in db-schema.test.ts, all passing, no regressions.
…nt backoff (closes #78)
Root tests/coordination/event-bus.test.ts was a duplicate of packages/agent/tests/coordination/event-bus.test.ts (identical logic, different import path). Deleted the root copy. Root tests/pi/tool-adapter.test.ts had no counterpart in packages/agent — moved it to packages/agent/tests/pi/tool-adapter.test.ts with corrected import paths so it runs with the agent package test suite where it belongs.
…devnet (closes #85) Scanner was hardcoded to createConnection('devnet') which would connect to devnet in production. Now reads SOLANA_NETWORK env var, defaulting to mainnet-beta for production safety. Devnet must be explicitly opted into via SOLANA_NETWORK=devnet.
#86) getReadyToPublish() had a TOCTOU race: it queried pending posts then updated them individually, allowing concurrent callers to pick up the same posts. Now wraps the select+update in db.transaction() and adds a CAS guard (AND status = 'pending') on the UPDATE WHERE clause so only the first caller wins the update.
…loses #87) VaultView always rendered MOCK_BALANCE, MOCK_USD, MOCK_FEES, and MOCK_PENDING regardless of API response. Now derives balance, usd, fees, and pendingOps from data when available, falling back to mocks only when data is null (loading or not connected). Extended VaultData interface with optional balance/usd/fees/pending_ops fields and added TODO noting the vault API should be extended to return these fields.
Store originating wallet in pending map and validate req.wallet matches before resolving. Prevents unauthorized confirmation of fund-moving operations by other authenticated wallets.
likeTweet, replyTweet, sendDM, and publishTweet now check the budget gate before executing. Prevents overspending when gate is dm-only or paused.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Full rewrite of Sipher from a hand-rolled REST API + chat agent to a Pi SDK-native multi-agent platform with a world-class frontend.
Plan A: Infrastructure + Pi Migration (16 tasks)
pi-agent-core+pi-ai) replaces Anthropic SDKPlan B: HERALD — X Agent (11 tasks)
Plan C: SENTINEL — Blockchain Monitor (6 tasks)
Plan D: Guardian Command UI (10 tasks)
Stats
docs/superpowers/specs/2026-04-09-sipher-phase2-guardian-command-design.mdTest plan
pnpm test -- --run(588 passing)cd app && pnpm build(builds clean)app/designs/*.htmlfor design reference