fix: CodeRabbit review — deep-canonical policyDigest (nested solana was hashed as {}), type-strict enabled gate, never broadcast unsimulated (even unrestricted), cluster-aware ledger entries + explorer links, test env restoration

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Author: Klow

mcp-server/src/__tests__/agent_keystore_solana.test.ts

@@ -6,6 +6,8 @@ import { PublicKey } from '@solana/web3.js';
 
 import './_setup.js';
 // Never touch the real OS keychain from tests — force env-var-only resolution.
+const PRIOR_DISABLE = process.env.CHAINGPT_DISABLE_KEYCHAIN;
+const PRIOR_PASS = process.env.CHAINGPT_AGENT_WALLET_PASSPHRASE;
 process.env.CHAINGPT_DISABLE_KEYCHAIN = '1';
 process.env.CHAINGPT_AGENT_WALLET_PASSPHRASE = 'super-long-passphrase-for-tests-only-1234';
 
@@ -26,6 +28,8 @@ beforeEach(() => {
 
 afterAll(() => {
   delete process.env.CHAINGPT_SOLANA_KEYSTORE_FILE;
+  if (PRIOR_DISABLE === undefined) delete process.env.CHAINGPT_DISABLE_KEYCHAIN; else process.env.CHAINGPT_DISABLE_KEYCHAIN = PRIOR_DISABLE;
+  if (PRIOR_PASS === undefined) delete process.env.CHAINGPT_AGENT_WALLET_PASSPHRASE; else process.env.CHAINGPT_AGENT_WALLET_PASSPHRASE = PRIOR_PASS;
   rmSync(TMP, { recursive: true, force: true });
 });
 

mcp-server/src/__tests__/agent_policy_solana.test.ts

@@ -105,6 +105,22 @@ describe('checkSolanaPolicy', () => {
   });
 });
 
+describe('policyDigest — nested canonicalization', () => {
+  it('different solana sub-policies produce different digests', async () => {
+    const { policyDigest } = await import('../lib/agent-policy.js');
+    const a = { ...base };
+    const b = { ...base, solana: { ...base.solana!, maxTxLamports: '999' } };
+    expect(policyDigest(a)).not.toBe(policyDigest(b));
+  });
+});
+
+describe('checkSolanaPolicy — type-strict enabled', () => {
+  it('a hand-edited string "true" does NOT arm Solana', () => {
+    const p = { version: 1, killSwitch: false, solana: { enabled: 'true' as unknown as boolean } } as AgentPolicy;
+    expect(checkSolanaPolicy(intent(), p, NO_SPEND).allowed).toBe(false);
+  });
+});
+
 describe('validatePolicyInput — solana sub-object', () => {
   const valid = {
     version: 1,

mcp-server/src/lib/agent-activity.ts

@@ -61,7 +61,10 @@ export function logActivity(e: ActivityEntry): void {
 export type ChainClass = 'evm' | 'solana' | 'all';
 
 function entryClass(e: ActivityEntry): Exclude<ChainClass, 'all'> {
-  return e.chain === 'solana' ? 'solana' : 'evm';
+  // 'solana', 'solana-devnet', 'solana-testnet' — all clusters share the class.
+  // Devnet/testnet sends therefore CONSUME the lamport caps: conservative on
+  // purpose (a cap that over-counts fails safe; one that under-counts does not).
+  return e.chain.startsWith('solana') ? 'solana' : 'evm';
 }
 
 export function spendStats(windowHours = 24, chainClass: ChainClass = 'all'): { totalWei: bigint; txCount: number; ok: boolean } {

mcp-server/src/lib/agent-policy.ts

@@ -226,9 +226,20 @@ export function loadPolicy(): AgentPolicy {
 }
 
 export function policyDigest(p: AgentPolicy): string {
-  // Stable hash for surfacing in status output. Sort keys for determinism.
-  const ordered = JSON.stringify(p, Object.keys(p).sort());
-  return createHash('sha256').update(ordered).digest('hex').slice(0, 16);
+  // Stable hash for surfacing in status output. Recursively sort keys for
+  // determinism. (A replacer ARRAY would filter NESTED keys too — the old
+  // implementation serialized the `solana` sub-object as {} and gave
+  // different Solana policies identical digests.)
+  const canonical = (v: unknown): unknown => {
+    if (Array.isArray(v)) return v.map(canonical);
+    if (v && typeof v === 'object') {
+      return Object.fromEntries(
+        Object.keys(v as object).sort().map((k) => [k, canonical((v as Record<string, unknown>)[k])])
+      );
+    }
+    return v;
+  };
+  return createHash('sha256').update(JSON.stringify(canonical(p))).digest('hex').slice(0, 16);
 }
 
 export interface TxIntent {
@@ -422,7 +433,7 @@ export function checkSolanaPolicy(
   // admin must explicitly opt in. unrestricted does NOT bypass this —
   // YOLO mode was granted for the EVM surface; silently arming a second
   // chain the admin never enabled violates least surprise.
-  if (!sol?.enabled) {
+  if (sol?.enabled !== true) { // type-strict: a hand-edited "true"/1 must not arm a chain
     return {
       allowed: false,
       reason: 'Solana signing is not enabled in the policy. An admin must add `"solana": { "enabled": true, ... }` via the dashboard or a text editor.',

mcp-server/src/tools/agent_wallet.ts

@@ -853,9 +853,10 @@ async function renderDashboard(res: ServerResponse, address: string, chains: str
   const activityRows = activity.length === 0
     ? `<div class="subtle" style="padding:12px">No transactions yet. When the agent runs <code>chaingpt_agent_wallet_sign_and_send</code> and the policy allows it, entries will appear here.</div>`
     : activity.map((a) => {
-        const isSolana = a.chain === 'solana';
+        const isSolana = a.chain.startsWith('solana');
+        const solCluster = isSolana && a.chain !== 'solana' ? `?cluster=${a.chain.slice('solana-'.length)}` : '';
         const chain = isSolana ? null : resolveChainWithCustom(a.chain);
-        const txLink = isSolana ? `https://solscan.io/tx/${a.hash}` : (chain?.explorer ? `${chain.explorer}/tx/${a.hash}` : '#');
+        const txLink = isSolana ? `https://solscan.io/tx/${a.hash}${solCluster}` : (chain?.explorer ? `${chain.explorer}/tx/${a.hash}` : '#');
         const addrLink = isSolana ? '#' : (chain?.explorer ? `${chain.explorer}/address/${a.to}` : '#');
         const valueEth = isSolana ? fmtSol(BigInt(a.valueWei)) : fmtEth(BigInt(a.valueWei));
         return `<div class="activity-row">

mcp-server/src/tools/agent_wallet_solana.ts

@@ -232,7 +232,18 @@ export async function handleAgentWalletSolanaTool(
         return refusalBlock(decision.reason, decision.policyDigest);
       }
 
-      // 6. Never autonomously broadcast a tx that simulates to failure
+      // 6a. Never broadcast UNSIMULATED — applies even in unrestricted mode
+      // (the policy gate allows unrestricted before the lamport checks run,
+      // so this handler-level refusal is the backstop).
+      if (!sim.ok) {
+        return {
+          content: [{
+            type: 'text',
+            text: `⛔ Refused: the transaction could not be simulated (RPC unavailable or fee-payer state unreadable). A policy-fenced agent never broadcasts blind — not even in unrestricted mode. Check SOLANA_RPC_URL and retry.`,
+          }],
+        };
+      }
+      // 6b. Never autonomously broadcast a tx that simulates to failure
       if (sim.ok && sim.err) {
         return {
           content: [{
@@ -278,7 +289,7 @@ export async function handleAgentWalletSolanaTool(
       try {
         logActivity({
           ts: new Date().toISOString(),
-          chain: 'solana',
+          chain: network === 'mainnet' ? 'solana' : `solana-${network}`,
           chainId: 0,
           from: agentAddress,
           to: programIds.join(','),