Release v4.6.2 — Autopilot money-safety, ARIA approval routing, and swap-gate fixes#211
Merged
Conversation
25bps fee (config-driven, 75bps compiled ceiling) rides as an atomic SystemProgram.transfer leg appended at the SolanaExecutionService chokepoint. Devnet always free; meter hard-disabled until a treasury is configured. New transfer_sol ARIA tool routes agent sends through the meter, with the fee quoted on the approval card before anything signs. fee_events ledger (V52) is the local source of truth for routed-volume and wallet-concentration metrics; only aggregates cross IPC.
Add ARIA Autopilot — standing, structured trading mandates that execute
unattended on mainnet on a schedule. A mandate is parsed from natural
language into a strategy (target mint, DCA clip, exposure cap, interval,
TP/SL/liquidity exit rules); arming it authorizes all subsequent
autonomous trades.
Execution reuses the human-swap path: getSwapQuote mints the hash-pinned
review draft server-side, executeSwap signs through the signer guard and
fires the fee meter. No guard is bypassed.
- schema V54: autopilot_mandates + idempotent autopilot_actions ledger
- AutopilotService: CRUD, arm/disarm, kill switch, hard exposure cap,
position valuation via reverse quote, TP/SL/liquidity exits, P&L
- AutopilotScheduler: re-entrancy-guarded 5s sweep, boots with the app
- ARIA tools: create_mandate, autopilot_arm/disarm/list
- IPC + preload + top-level Autopilot panel ("The Desk"): mandate cards
with live unrealized P&L, action tape, kill switch
Also carries the in-progress Flywheel platform-share work staged in the
shared schema/types files, and fixes a latent FlywheelPreview typecheck
gap (missing platformBps).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Watch the active project root in the main process and push fs:changed so the explorer reloads when files are created/added/removed outside DAEMON. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…us work Hidden terminal instances stayed stacked on top of the active one and swallowed wheel/click events. Move visibility to the wrapper and disable pointer-events when not visible. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the agent-first `hyperliquid` CLI into ARIA as a tool domain so the operator can read Hyperliquid markets and trade perps/spot from natural language. Reads auto-run; signing actions are sensitive-gated and dry-run previewable. Network defaults to testnet; the CLI owns its own encrypted wallet so DAEMON never holds a Hyperliquid key. - HyperliquidCliService: binary discovery + execFile-only runner (forces JSON, injects --testnet/--dry-run, maps CLI exit codes), typed wrappers - aria/tools/hyperliquid: hl_* read/preview/trade tools with strict input validation and an [HL-MAINNET]/[HL-TESTNET] marker on sensitive summaries - SettingsService: hyperliquid network setting (testnet default) - ipc/hyperliquid + preload bridge: status + set-network
# Conflicts: # electron/main/index.ts # electron/preload/index.ts # src/panels/AgentWorkbench/ApprovalCard.tsx
Terminal: reconcile the store when a PTY exits on its own (shell exit, agent crash, external kill) so dead sessions no longer linger as ghost tabs. Adds reconcileTerminalExit and a single app-level onExit listener. ARIA operator: isolate streamed events per session. Events now route by messageId===sessionId and through a per-session active-turn map, so switching sessions mid-stream no longer leaks a response or an approval card into the wrong conversation. Loading state is per-session and a second concurrent send in the same session is blocked. SwarmMonitor: add distinct loading and error states with retry — a failed swarm.list no longer masquerades as "no runs", and a transient refresh failure keeps the populated list. AgentLauncher: clamp the keyboard selection when the agent list shrinks so Enter can't launch a stale/wrong agent after a delete. AgentStation: move busy-state resets into try/finally across all handlers so a thrown IPC error no longer wedges the button; check res.ok on delete. Editor welcome: long branch names now ellipsis instead of hard-clipping. Adds regression tests for each (suite at 974, typecheck + lint:styles clean). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ApprovalCard: derive the sensitive-tool confirm string from the tool name instead of the first input value. The old Object.values(input)[0] target depended on argument key order and could collapse to a number, empty string, or whitespace, making the typed confirmation a weak or confusing gate. The transport-level approval enforcement is unchanged. Swap execute: make the high-impact acknowledgement gate server-authoritative. getSwapQuote now records the server-computed price impact in the quote draft, and the execute handler reads it by quoteId rather than trusting the price impact in the renderer-supplied quote, so a caller can't send a low impact to skip the acknowledgement. executeSwap already rejects a missing quote, so there is no unguarded path. Also stabilizes a flaky AgentLauncher test by waiting for the clamp effect to settle instead of reading selection state synchronously. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…d swap impact gate Release-readiness pass for 4.6.2. Correctness: - Normalize Jupiter price impact to a percentage exactly once so ordinary sub-5% swaps are no longer hard-blocked by the high-impact gate (it was double-scaled x100). - Tag streamed ARIA tool-call/approval-request/patch-proposal events with the session id so cards can't render in or leak an approval into the wrong conversation, and patch proposals no longer hang the turn. - Stop the ARIA terminal backend deadlocking on approval frames; piped aria exits cleanly. - Route npm.cmd through the shell so install-cli works on Windows. Autopilot (schema V57 adds bought_raw_tokens): - Re-validate the cluster every tick and auto-hold armed mandates on a devnet switch or mismatch, so devnet balances can't green-light a mainnet spend. - Claim the ledger row before swapping and reconcile interrupted ticks on boot to close a crash double-buy window. - Validate exit-rule thresholds, cap unattended slippage, skip high-impact clips, sell only the mandate's tracked position, and stop recording fees swaps never charge. Security: - isTrustedSender on the raw aria approval-resolution channels; hl_update_leverage is now sensitive; deny secret-file reads and enforce realpath containment for ARIA/bridge; minimal allowlisted env + git-layer push disable for swarm lanes; narrow the ARIA read-only fast path to unambiguous commands; approval card shows all material fields. Docs: backfill CHANGELOG 4.3-4.6.2, refresh README features and Whatsnew, document the fee meter. Tests: 1003 passing (+24). Adds swap-impact regression, autopilot safety, scoped-path security, and AgentEconomy panel DOM coverage.
# Conflicts: # electron/db/migrations.ts # electron/db/schema.ts # electron/ipc/aria.ts # electron/services/AutopilotScheduler.ts # electron/services/AutopilotService.ts # electron/services/aria/toolCatalog.ts # electron/services/aria/tools/hyperliquid.ts # electron/shared/types.ts # package.json # src/store/aria.ts
New OSV advisory (CVSS 8.7, quadratic-complexity DoS in LinkifyIt.match) flags linkify-it 5.0.0, pulled in transitively via mailparser. 5.0.1 is the patched release; add a pnpm override to force it. Fixes the validate/OSV CI gate.
The backslash traversal case only escapes on Windows (where \ is a path separator); on POSIX it's a valid in-root filename, so the CI (Linux) run saw no throw. Keep the universal forward-slash escape assertion and gate the backslash one behind path.sep === '\'.
CodeQL flagged incomplete string escaping at the nested cmd /k command token (only quotes were escaped, not the general case). Inside cmd double-quotes a backslash is literal, so strip any stray double-quote (illegal in a Windows path anyway) instead of a broken escape that would corrupt C:\ paths.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ships the 4.6.x line to
main(autopilot, fee meter, Hyperliquid, agent economy tower) plus a full release-readiness hardening pass on top.Highlights since main (v4.5.0)
4.6.2 hardening (this pass)
Correctness
ariaexits cleanly.claude:install-cliworks on Windows (no more EINVAL).Autopilot money-safety (schema V57 adds
bought_raw_tokens)Security
isTrustedSenderon the raw aria approval-resolution channels;hl_update_leveragereclassified sensitive..env, keypairs) and enforce realpath containment.Docs
Verification
pnpm run typecheck— cleanpnpm run lint:styles— cleanpnpm run test— 1003 passing (+24: swap-impact regression, autopilot safety, scoped-path security, AgentEconomy DOM)pnpm run build— cleanDeferred (documented, non-blocking)
Companion landing-site fixes are on
daemon-landing@0bedd95(nav anchors, m-dash sweep, receipts copy, roadmap ETAs).