Skip to content

Release v4.6.2 — Autopilot money-safety, ARIA approval routing, and swap-gate fixes#211

Merged
nullxnothing merged 18 commits into
mainfrom
feat/aria-autopilot
Jul 3, 2026
Merged

Release v4.6.2 — Autopilot money-safety, ARIA approval routing, and swap-gate fixes#211
nullxnothing merged 18 commits into
mainfrom
feat/aria-autopilot

Conversation

@nullxnothing

Copy link
Copy Markdown
Owner

Ships the 4.6.x line to main (autopilot, fee meter, Hyperliquid, agent economy tower) plus a full release-readiness hardening pass on top.

Highlights since main (v4.5.0)

  • Agent economy control tower — track agent-routed execution, fees, and paid-resource activity in one panel.
  • ARIA Autopilot — unattended, structured trading mandates with exit rules, exposure cap, and kill switch.
  • Execution fee meter — transparent fee line on agent-routed SOL transfers (devnet free, config-driven, treasury-gated).
  • Hyperliquid via HypurrClaw — read markets and trade perps/spot through the agent CLI, testnet by default.

4.6.2 hardening (this pass)

Correctness

  • Price impact is normalized to a percentage exactly once, so ordinary sub-5% swaps are no longer hard-blocked (it was double-scaled x100).
  • Streamed ARIA tool-call/approval-request/patch-proposal events are tagged with the session id, so cards can't render in or leak an approval into the wrong conversation, and patch proposals no longer hang the turn.
  • The ARIA terminal backend no longer deadlocks on approvals; piped aria exits cleanly.
  • claude:install-cli works on Windows (no more EINVAL).

Autopilot money-safety (schema V57 adds bought_raw_tokens)

  • Cluster re-validated every tick with auto-hold on a devnet switch or mismatch.
  • Ledger row claimed before the swap + a boot reconciler for interrupted ticks, closing a crash double-buy window.
  • Exit-rule thresholds validated; unattended slippage capped and high-impact clips skipped; exits sell only the mandate's tracked position; fees that were never charged are no longer recorded.

Security

  • isTrustedSender on the raw aria approval-resolution channels; hl_update_leverage reclassified sensitive.
  • Bridge/ARIA file reads deny secret-bearing paths (.env, keypairs) and enforce realpath containment.
  • Swarm lanes run with a minimal allowlisted env and have push disabled at the git layer.
  • The ARIA read-only fast path only fires on unambiguous commands; approval cards show all material fields.

Docs

  • CHANGELOG backfilled 4.3.0–4.6.2; README features refreshed; Whatsnew updated; execution fee meter documented.

Verification

  • pnpm run typecheck — clean
  • pnpm run lint:styles — clean
  • pnpm run test1003 passing (+24: swap-impact regression, autopilot safety, scoped-path security, AgentEconomy DOM)
  • pnpm run build — clean

Deferred (documented, non-blocking)

  • README screenshots predate the 4.3 shell (need a live capture).
  • Garrison claim/stake write-after-send hazards — unreachable (services not wired to IPC/tools); fix before wiring.

Companion landing-site fixes are on daemon-landing@0bedd95 (nav anchors, m-dash sweep, receipts copy, roadmap ETAs).

nullxnothing and others added 14 commits June 11, 2026 13:14
25bps fee (config-driven, 75bps compiled ceiling) rides as an atomic
SystemProgram.transfer leg appended at the SolanaExecutionService
chokepoint. Devnet always free; meter hard-disabled until a treasury is
configured. New transfer_sol ARIA tool routes agent sends through the
meter, with the fee quoted on the approval card before anything signs.
fee_events ledger (V52) is the local source of truth for routed-volume
and wallet-concentration metrics; only aggregates cross IPC.
Add ARIA Autopilot — standing, structured trading mandates that execute
unattended on mainnet on a schedule. A mandate is parsed from natural
language into a strategy (target mint, DCA clip, exposure cap, interval,
TP/SL/liquidity exit rules); arming it authorizes all subsequent
autonomous trades.

Execution reuses the human-swap path: getSwapQuote mints the hash-pinned
review draft server-side, executeSwap signs through the signer guard and
fires the fee meter. No guard is bypassed.

- schema V54: autopilot_mandates + idempotent autopilot_actions ledger
- AutopilotService: CRUD, arm/disarm, kill switch, hard exposure cap,
  position valuation via reverse quote, TP/SL/liquidity exits, P&L
- AutopilotScheduler: re-entrancy-guarded 5s sweep, boots with the app
- ARIA tools: create_mandate, autopilot_arm/disarm/list
- IPC + preload + top-level Autopilot panel ("The Desk"): mandate cards
  with live unrealized P&L, action tape, kill switch

Also carries the in-progress Flywheel platform-share work staged in the
shared schema/types files, and fixes a latent FlywheelPreview typecheck
gap (missing platformBps).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Watch the active project root in the main process and push fs:changed so
the explorer reloads when files are created/added/removed outside DAEMON.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…us work

Hidden terminal instances stayed stacked on top of the active one and
swallowed wheel/click events. Move visibility to the wrapper and disable
pointer-events when not visible.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the agent-first `hyperliquid` CLI into ARIA as a tool domain so the
operator can read Hyperliquid markets and trade perps/spot from natural
language. Reads auto-run; signing actions are sensitive-gated and dry-run
previewable. Network defaults to testnet; the CLI owns its own encrypted
wallet so DAEMON never holds a Hyperliquid key.

- HyperliquidCliService: binary discovery + execFile-only runner (forces
  JSON, injects --testnet/--dry-run, maps CLI exit codes), typed wrappers
- aria/tools/hyperliquid: hl_* read/preview/trade tools with strict input
  validation and an [HL-MAINNET]/[HL-TESTNET] marker on sensitive summaries
- SettingsService: hyperliquid network setting (testnet default)
- ipc/hyperliquid + preload bridge: status + set-network
# Conflicts:
#	electron/main/index.ts
#	electron/preload/index.ts
#	src/panels/AgentWorkbench/ApprovalCard.tsx
Terminal: reconcile the store when a PTY exits on its own (shell exit,
agent crash, external kill) so dead sessions no longer linger as ghost
tabs. Adds reconcileTerminalExit and a single app-level onExit listener.

ARIA operator: isolate streamed events per session. Events now route by
messageId===sessionId and through a per-session active-turn map, so
switching sessions mid-stream no longer leaks a response or an approval
card into the wrong conversation. Loading state is per-session and a
second concurrent send in the same session is blocked.

SwarmMonitor: add distinct loading and error states with retry — a failed
swarm.list no longer masquerades as "no runs", and a transient refresh
failure keeps the populated list.

AgentLauncher: clamp the keyboard selection when the agent list shrinks
so Enter can't launch a stale/wrong agent after a delete.

AgentStation: move busy-state resets into try/finally across all handlers
so a thrown IPC error no longer wedges the button; check res.ok on delete.

Editor welcome: long branch names now ellipsis instead of hard-clipping.

Adds regression tests for each (suite at 974, typecheck + lint:styles clean).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ApprovalCard: derive the sensitive-tool confirm string from the tool name
instead of the first input value. The old Object.values(input)[0] target
depended on argument key order and could collapse to a number, empty
string, or whitespace, making the typed confirmation a weak or confusing
gate. The transport-level approval enforcement is unchanged.

Swap execute: make the high-impact acknowledgement gate server-authoritative.
getSwapQuote now records the server-computed price impact in the quote draft,
and the execute handler reads it by quoteId rather than trusting the price
impact in the renderer-supplied quote, so a caller can't send a low impact
to skip the acknowledgement. executeSwap already rejects a missing quote, so
there is no unguarded path.

Also stabilizes a flaky AgentLauncher test by waiting for the clamp effect
to settle instead of reading selection state synchronously.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…d swap impact gate

Release-readiness pass for 4.6.2.

Correctness:
- Normalize Jupiter price impact to a percentage exactly once so ordinary sub-5%
  swaps are no longer hard-blocked by the high-impact gate (it was double-scaled x100).
- Tag streamed ARIA tool-call/approval-request/patch-proposal events with the session
  id so cards can't render in or leak an approval into the wrong conversation, and
  patch proposals no longer hang the turn.
- Stop the ARIA terminal backend deadlocking on approval frames; piped aria exits cleanly.
- Route npm.cmd through the shell so install-cli works on Windows.

Autopilot (schema V57 adds bought_raw_tokens):
- Re-validate the cluster every tick and auto-hold armed mandates on a devnet switch
  or mismatch, so devnet balances can't green-light a mainnet spend.
- Claim the ledger row before swapping and reconcile interrupted ticks on boot to close
  a crash double-buy window.
- Validate exit-rule thresholds, cap unattended slippage, skip high-impact clips, sell
  only the mandate's tracked position, and stop recording fees swaps never charge.

Security:
- isTrustedSender on the raw aria approval-resolution channels; hl_update_leverage is
  now sensitive; deny secret-file reads and enforce realpath containment for ARIA/bridge;
  minimal allowlisted env + git-layer push disable for swarm lanes; narrow the ARIA
  read-only fast path to unambiguous commands; approval card shows all material fields.

Docs: backfill CHANGELOG 4.3-4.6.2, refresh README features and Whatsnew, document the fee meter.

Tests: 1003 passing (+24). Adds swap-impact regression, autopilot safety, scoped-path
security, and AgentEconomy panel DOM coverage.
# Conflicts:
#	electron/db/migrations.ts
#	electron/db/schema.ts
#	electron/ipc/aria.ts
#	electron/services/AutopilotScheduler.ts
#	electron/services/AutopilotService.ts
#	electron/services/aria/toolCatalog.ts
#	electron/services/aria/tools/hyperliquid.ts
#	electron/shared/types.ts
#	package.json
#	src/store/aria.ts
Comment thread electron/ipc/claude.ts Fixed
New OSV advisory (CVSS 8.7, quadratic-complexity DoS in LinkifyIt.match) flags
linkify-it 5.0.0, pulled in transitively via mailparser. 5.0.1 is the patched
release; add a pnpm override to force it. Fixes the validate/OSV CI gate.
The backslash traversal case only escapes on Windows (where \ is a path
separator); on POSIX it's a valid in-root filename, so the CI (Linux) run
saw no throw. Keep the universal forward-slash escape assertion and gate the
backslash one behind path.sep === '\'.
CodeQL flagged incomplete string escaping at the nested cmd /k command token
(only quotes were escaped, not the general case). Inside cmd double-quotes a
backslash is literal, so strip any stray double-quote (illegal in a Windows
path anyway) instead of a broken escape that would corrupt C:\ paths.
@nullxnothing nullxnothing merged commit e971ccb into main Jul 3, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants