feat(phase2): close-empty-ATA flow — build/decode/preview/sign/confirm/receipt

- @pyre/solana: buildCloseEmptyAccountsTx (UNSIGNED v0 tx; re-validates each account on-chain — owner==wallet, balance==0, correct program, not frozen/delegated, Token-2022 EMPTY_CLOSE_ONLY via §7.1; rejects whole build on any ineligible account), simulateTransaction, decodeTransaction. Rent destination + close authority + fee payer all pinned to the wallet. - @pyre/api: POST /api/build/close-empty (server re-validates, 400 on ineligible) and POST /api/receipt (on-chain verified: meta.err==null, signer==wallet, rent from balance delta; lists only closes whose destination==wallet). - @pyre/web: select empty accounts → build → CLIENT-SIDE decode+match (7 checks: feePayer/all-closeAccount/dest==wallet/closed-set==selected==preview) gates signing → sign in wallet → send → confirm → on-chain receipt w/ explorer link. Built by 3 agents, reviewed by 2 audits (security: SOUND — no critical/high; integration: SHIP). Applied audit fixes: receipt destination check, doc/lint cleanup. typecheck 8/8, core 85, solana 19, web build green. Live-verified: the API refuses to build a close tx for a non-empty account (400). buildBurnTx remains a Phase-3 stub. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 04:49:30 +00:00
parent 18ecbe471b
commit 00f9a96286
12 changed files with 1725 additions and 61 deletions
--- a/packages/core/src/dto.ts
+++ b/packages/core/src/dto.ts
@@ -38,7 +38,7 @@ export interface TokenAccountDto {
  owner: string;
  /** Token mint (base58). */
  mint: string;
-  /** Owning token program (base58). Classic SPL only in the MVP. */
+  /** Owning token program: "spl-token" or "token-2022" (gated per §7.1). */
  tokenProgram: string;
  /** Raw on-chain balance (u64 as string). */
  rawBalance: string;
--- a/packages/core/src/index.ts
+++ b/packages/core/src/index.ts
@@ -3,6 +3,7 @@ export * from "./types";
 export * from "./classify";
 export * from "./extensions";
 export * from "./risk";
+export * from "./tx";
 export * from "./dto";
 export * from "./receipt";
 export * from "./prometheus";
--- a/packages/core/src/tx.ts
+++ b/packages/core/src/tx.ts
@@ -0,0 +1,43 @@
+/**
+ * Transaction decode/simulation contracts shared by `@pyre/solana` (producer)
+ * and `@pyre/web` (the preview matcher).
+ *
+ * Trust rule (§16): the unsigned transaction must be DECODED and matched against
+ * the preview shown to the user before any signature is requested. These types
+ * are the structured, human-comparable form of that decode.
+ */
+
+export type DecodedInstructionType = "closeAccount" | "burn" | "unknown";
+
+export interface DecodedInstruction {
+  type: DecodedInstructionType;
+  /** Program id (base58) that owns the instruction. */
+  programId: string;
+  /** The token account the instruction operates on (base58), if applicable. */
+  account?: string;
+  /** Destination of reclaimed rent (base58), for closeAccount. */
+  destination?: string;
+  /** Authority / owner (base58) that must sign, if applicable. */
+  owner?: string;
+}
+
+export interface DecodedTransactionSummary {
+  /** Fee payer (base58) — must be the user's own wallet. */
+  feePayer: string;
+  /**
+   * Where reclaimed rent is sent. For a close-empty transaction every
+   * closeAccount destination must equal the user's wallet; this is set only when
+   * all destinations agree, otherwise left undefined (a mismatch the UI rejects).
+   */
+  rentDestination?: string;
+  /** Number of closeAccount instructions. */
+  closeCount: number;
+  instructions: DecodedInstruction[];
+}
+
+export interface SimulationResult {
+  /** Non-null when the simulation failed. */
+  err: unknown | null;
+  logs: string[];
+  unitsConsumed?: number;
+}