feat: KEEP-177 add Safe wallet integration

.github/workflows/e2e-tests-ephemeral.yml

@@ -201,6 +201,27 @@ jobs:
           chain_rpc_config: ${{ secrets.CHAIN_RPC_CONFIG }}
           integration_encryption_key: ${{ secrets.TEST_INTEGRATION_ENCRYPTION_KEY }}
 
+      - name: Start anvil Sepolia fork for orchestrator integration tests
+        run: |
+          docker compose --profile test up -d --wait test-anvil-fork || \
+            docker compose --profile test up -d test-anvil-fork
+          # Health-poll the fork up to ~60s -- the wait flag above is best-effort
+          # because the foundry image's healthcheck depends on cast resolving
+          # the public Sepolia RPC over IPv4.
+          retries=0
+          until curl -sf -X POST http://localhost:8547 \
+                -H "Content-Type: application/json" \
+                -d '{"jsonrpc":"2.0","method":"eth_chainId","id":1}' | grep -q '"0xaa36a7"'; do
+            retries=$((retries + 1))
+            if [ "$retries" -ge 30 ]; then
+              echo "anvil Sepolia fork did not become ready in 60s"
+              docker logs keeperhub-test-anvil-fork || true
+              exit 1
+            fi
+            sleep 2
+          done
+          echo "anvil Sepolia fork ready on localhost:8547"
+
       - name: Run E2E Vitest tests
         run: pnpm test:e2e:vitest
         env:

.gitignore

@@ -108,6 +108,7 @@ lib/types/integration.ts
 lib/workflow/codegen/registry.ts
 lib/step-registry.ts
 lib/output-display-configs.ts
+public/.well-known/
 lib/credential-map.ts
 public/monaco/
 

.npmrc

@@ -1,5 +1,27 @@
 # Reject packages published less than 3 days ago to mitigate supply chain attacks
 minimum-release-age=3d
+# Zodiac Roles SDK + deployments registry are maintained by Gnosis Guild and
+# pinned here; skip the release-age gate for this dep (same reason we accept
+# their audited contracts on-chain).
+minimum-release-age-exclude[]=zodiac-roles-sdk
+minimum-release-age-exclude[]=zodiac-roles-deployments
+# defi-kit (karpatkey's audited Zodiac Roles preset library) and its
+# Gnosis-Guild + CowProtocol SDK transitive deps. Same reason we accept the
+# upstream Zodiac packages: maintained by audited DeFi infrastructure teams.
+minimum-release-age-exclude[]=defi-kit
+minimum-release-age-exclude[]=@gnosis-guild/eth-sdk
+minimum-release-age-exclude[]=@gnosis-guild/eth-sdk-client
+minimum-release-age-exclude[]=@gnosis-guild/zodiac
+minimum-release-age-exclude[]=@cowprotocol/sdk-config
+minimum-release-age-exclude[]=@cowprotocol/sdk-common
+minimum-release-age-exclude[]=@cowprotocol/sdk-bridging
+minimum-release-age-exclude[]=@cowprotocol/sdk-trading
+minimum-release-age-exclude[]=@cowprotocol/sdk-order-book
+minimum-release-age-exclude[]=@cowprotocol/sdk-order-signing
+minimum-release-age-exclude[]=@cowprotocol/sdk-cow-shed
+minimum-release-age-exclude[]=@cowprotocol/sdk-trading-sdk
+minimum-release-age-exclude[]=@cowprotocol/cow-sdk
+minimum-release-age-exclude[]=@cowprotocol/contracts
 
 # Skip the pre-script lockfile freshness check. Recent pnpm versions
 # re-run `pnpm install` at the start of every script (`pnpm dev`,

app/api/user/safe/[safeId]/role/allowances/[tokenAddress]/route.ts

@@ -0,0 +1,106 @@
+import { ethers } from "ethers";
+import { NextResponse } from "next/server";
+import { apiError } from "@/lib/api-error";
+import { ErrorCategory, logSystemError } from "@/lib/logging";
+import { getSafeForOrg, validateSafeOwner } from "@/lib/safe/auth";
+import { PROTOCOL_CATALOG } from "@/lib/safe/protocol-registry";
+import {
+  DIRECT_RULE_PROTOCOL_SLUG,
+  revokeRoleTokenAllowance,
+} from "@/lib/safe/roles-orchestrator";
+
+// Slugs that may key an allowance bucket: any known protocol plus the
+// synthetic "direct" slug used by per-rule (transfer/approve) caps.
+const ALLOWED_ALLOWANCE_SLUGS: ReadonlySet<string> = new Set<string>([
+  ...Object.keys(PROTOCOL_CATALOG),
+  DIRECT_RULE_PROTOCOL_SLUG,
+]);
+
+type RouteParams = {
+  params: Promise<{ safeId: string; tokenAddress: string }>;
+};
+
+export async function DELETE(
+  request: Request,
+  { params }: RouteParams
+): Promise<NextResponse> {
+  try {
+    // Authenticate first: don't leak route-shape (specific 400 messages
+    // about token-address validity or required protocolSlug) to
+    // unauthenticated probes. Review #923-r3 LOW.
+    //
+    // Owner-only by design: revoking a single on-chain allowance bucket
+    // is destructive. Admins can view + edit but only the org owner can
+    // revoke. The UI pairs the 403 with a tooltip on the disabled control.
+    const owner = await validateSafeOwner(request);
+    if ("error" in owner) {
+      return NextResponse.json(
+        { error: owner.error },
+        { status: owner.status }
+      );
+    }
+
+    const { safeId, tokenAddress } = await params;
+    if (!ethers.isAddress(tokenAddress)) {
+      return NextResponse.json(
+        { error: `Invalid token address: ${tokenAddress}` },
+        { status: 400 }
+      );
+    }
+
+    const url = new URL(request.url);
+    const protocolSlug = url.searchParams.get("protocolSlug");
+    if (!protocolSlug) {
+      return NextResponse.json(
+        { error: "protocolSlug query parameter is required" },
+        { status: 400 }
+      );
+    }
+    if (!ALLOWED_ALLOWANCE_SLUGS.has(protocolSlug)) {
+      return NextResponse.json(
+        { error: `Unknown protocolSlug: ${protocolSlug}` },
+        { status: 400 }
+      );
+    }
+
+    const safe = await getSafeForOrg({
+      safeId,
+      organizationId: owner.organizationId,
+    });
+    if (!safe) {
+      return NextResponse.json({ error: "Safe not found" }, { status: 404 });
+    }
+
+    const result = await revokeRoleTokenAllowance({
+      organizationId: owner.organizationId,
+      chainId: safe.chainId,
+      protocolSlug,
+      tokenAddress,
+    });
+
+    if (!result.success) {
+      logSystemError(
+        ErrorCategory.TRANSACTION,
+        `[Safe] Revoke role allowance failed safe=${safe.id} token=${tokenAddress}`,
+        new Error(result.error),
+        {
+          endpoint: "/api/user/safe/[safeId]/role/allowances/[tokenAddress]",
+          component: "safe-role-allowances-api",
+          chain_id: safe.chainId.toString(),
+        }
+      );
+      return NextResponse.json({ error: result.error }, { status: 500 });
+    }
+
+    return NextResponse.json({
+      success: true,
+      deleted: {
+        id: result.deleted.id,
+        tokenAddress: result.deleted.tokenAddress,
+        tokenSymbol: result.deleted.tokenSymbol,
+      },
+    });
+  } catch (error) {
+    return apiError(error, "Failed to revoke Safe role allowance");
+  }
+}

app/api/user/safe/[safeId]/role/allowances/route.ts

@@ -0,0 +1,192 @@
+import { ethers } from "ethers";
+import { NextResponse } from "next/server";
+import { apiError } from "@/lib/api-error";
+import { ErrorCategory, logSystemError } from "@/lib/logging";
+import { getSafeForOrg, validateSafeAdmin } from "@/lib/safe/auth";
+import { PROTOCOL_CATALOG } from "@/lib/safe/protocol-registry";
+import {
+  DIRECT_RULE_PROTOCOL_SLUG,
+  getSafeRole,
+  listRoleAllowances,
+  setRoleTokenAllowance,
+} from "@/lib/safe/roles-orchestrator";
+
+// Slugs that may key an allowance bucket: any known protocol plus the
+// synthetic "direct" slug used by per-rule (transfer/approve) caps.
+const ALLOWED_ALLOWANCE_SLUGS: ReadonlySet<string> = new Set<string>([
+  ...Object.keys(PROTOCOL_CATALOG),
+  DIRECT_RULE_PROTOCOL_SLUG,
+]);
+
+type RouteParams = { params: Promise<{ safeId: string }> };
+
+type SetAllowanceBody = {
+  protocolSlug?: string;
+  tokenAddress?: string;
+  maxRefillWei?: string;
+  refillWei?: string;
+  periodSeconds?: number;
+  tokenSymbol?: string;
+  tokenDecimals?: number;
+};
+
+export async function GET(
+  request: Request,
+  { params }: RouteParams
+): Promise<NextResponse> {
+  try {
+    const admin = await validateSafeAdmin(request);
+    if ("error" in admin) {
+      return NextResponse.json(
+        { error: admin.error },
+        { status: admin.status }
+      );
+    }
+
+    const { safeId } = await params;
+    const safe = await getSafeForOrg({
+      safeId,
+      organizationId: admin.organizationId,
+    });
+    if (!safe) {
+      return NextResponse.json({ error: "Safe not found" }, { status: 404 });
+    }
+
+    const role = await getSafeRole(safe.id);
+    if (!role) {
+      return NextResponse.json({ allowances: [] });
+    }
+
+    const rows = await listRoleAllowances(role.id);
+    return NextResponse.json({
+      allowances: rows.map((row) => ({
+        id: row.id,
+        allowanceKey: row.allowanceKey,
+        tokenAddress: row.tokenAddress,
+        tokenSymbol: row.tokenSymbol,
+        tokenDecimals: row.tokenDecimals,
+        maxRefillWei: row.maxRefillWei,
+        refillWei: row.refillWei,
+        periodSeconds: row.periodSeconds,
+        lastChainBalanceWei: row.lastChainBalanceWei,
+        lastChainTimestamp: row.lastChainTimestamp,
+        lastReconciledAt: row.lastReconciledAt,
+        lastUpdatedAt: row.lastUpdatedAt,
+      })),
+    });
+  } catch (error) {
+    return apiError(error, "Failed to list Safe role allowances");
+  }
+}
+
+export async function POST(
+  request: Request,
+  { params }: RouteParams
+): Promise<NextResponse> {
+  try {
+    const admin = await validateSafeAdmin(request);
+    if ("error" in admin) {
+      return NextResponse.json(
+        { error: admin.error },
+        { status: admin.status }
+      );
+    }
+
+    const { safeId } = await params;
+    const safe = await getSafeForOrg({
+      safeId,
+      organizationId: admin.organizationId,
+    });
+    if (!safe) {
+      return NextResponse.json({ error: "Safe not found" }, { status: 404 });
+    }
+
+    const body = (await request.json()) as SetAllowanceBody;
+    if (!body.protocolSlug || typeof body.protocolSlug !== "string") {
+      return NextResponse.json(
+        { error: "protocolSlug is required" },
+        { status: 400 }
+      );
+    }
+    if (!ALLOWED_ALLOWANCE_SLUGS.has(body.protocolSlug)) {
+      return NextResponse.json(
+        { error: `Unknown protocolSlug: ${body.protocolSlug}` },
+        { status: 400 }
+      );
+    }
+    if (!(body.tokenAddress && ethers.isAddress(body.tokenAddress))) {
+      return NextResponse.json(
+        { error: "tokenAddress is required and must be a valid address" },
+        { status: 400 }
+      );
+    }
+    if (!body.maxRefillWei || typeof body.maxRefillWei !== "string") {
+      return NextResponse.json(
+        { error: "maxRefillWei is required (stringified uint128)" },
+        { status: 400 }
+      );
+    }
+    if (!body.refillWei || typeof body.refillWei !== "string") {
+      return NextResponse.json(
+        { error: "refillWei is required (stringified uint128)" },
+        { status: 400 }
+      );
+    }
+    if (
+      typeof body.periodSeconds !== "number" ||
+      !Number.isInteger(body.periodSeconds) ||
+      body.periodSeconds < 0
+    ) {
+      return NextResponse.json(
+        {
+          error: "periodSeconds is required and must be a non-negative integer",
+        },
+        { status: 400 }
+      );
+    }
+
+    const result = await setRoleTokenAllowance({
+      organizationId: admin.organizationId,
+      chainId: safe.chainId,
+      protocolSlug: body.protocolSlug,
+      tokenAddress: body.tokenAddress,
+      maxRefillWei: body.maxRefillWei,
+      refillWei: body.refillWei,
+      periodSeconds: body.periodSeconds,
+      tokenSymbol: body.tokenSymbol,
+      tokenDecimals: body.tokenDecimals,
+    });
+
+    if (!result.success) {
+      logSystemError(
+        ErrorCategory.TRANSACTION,
+        `[Safe] Set role allowance failed safe=${safe.id} token=${body.tokenAddress}`,
+        new Error(result.error),
+        {
+          endpoint: "/api/user/safe/[safeId]/role/allowances",
+          component: "safe-role-allowances-api",
+          chain_id: safe.chainId.toString(),
+        }
+      );
+      return NextResponse.json({ error: result.error }, { status: 500 });
+    }
+
+    return NextResponse.json({
+      success: true,
+      allowance: {
+        id: result.allowance.id,
+        allowanceKey: result.allowance.allowanceKey,
+        tokenAddress: result.allowance.tokenAddress,
+        tokenSymbol: result.allowance.tokenSymbol,
+        tokenDecimals: result.allowance.tokenDecimals,
+        maxRefillWei: result.allowance.maxRefillWei,
+        refillWei: result.allowance.refillWei,
+        periodSeconds: result.allowance.periodSeconds,
+        lastAppliedTxHash: result.allowance.lastAppliedTxHash,
+        lastUpdatedAt: result.allowance.lastUpdatedAt,
+      },
+    });
+  } catch (error) {
+    return apiError(error, "Failed to set Safe role allowance");
+  }
+}