- Secure secrets: gitignored ~/pyre/.env (chmod 600) loaded into the API via
`node --env-file-if-exists`; keys never committed/logged/returned. .env.example
documents the vars. Free-first default (text=gemini, image=pollinations).
- @pyre/config: provider selection + key fields.
- @pyre/prometheus: real providers via fetch (no SDK deps) — Gemini/Anthropic/
OpenAI text, Pollinations(free)/fal/DeepInfra/Replicate image, OpenAI moderation;
`createProviders()` factory selects by config + key presence, falls back to stub.
29 tests.
- @pyre/api: /api/prometheus/generate builds providers from config; keys never logged.
Live-verified end-to-end: admin-gated generate returned a real Spawn ("Ashen
Golem"/$AGOL) with a Pollinations image on the $0 stub-text+free-image stack;
.env-loaded admin token enforced. typecheck 8/8, 150 tests.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

End-to-end burn proven on mainnet (test wallet): build → sign → broadcast →
confirm → receipt → Essence. tx 5ddbmLRz… burned a dust token, closed the
account, returned 0.00197 SOL to the user, sent the 5% (103704 lamports) to the
treasury, recorded as Essence (Round #1 = 103704). Re-scan confirms the account
is gone; treasury credited; DB row written.
Discovered + documented: the treasury must be funded to rent-exemption before
collecting fees (a fee transfer into a 0-balance account fails "insufficient
funds for rent"). Noted in .env.example + design §3.1. Tracker: Phase 3 done.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- @pyre/solana: buildCloseEmptyAccountsTx (UNSIGNED v0 tx; re-validates each
account on-chain — owner==wallet, balance==0, correct program, not
frozen/delegated, Token-2022 EMPTY_CLOSE_ONLY via §7.1; rejects whole build on
any ineligible account), simulateTransaction, decodeTransaction. Rent
destination + close authority + fee payer all pinned to the wallet.
- @pyre/api: POST /api/build/close-empty (server re-validates, 400 on ineligible)
and POST /api/receipt (on-chain verified: meta.err==null, signer==wallet, rent
from balance delta; lists only closes whose destination==wallet).
- @pyre/web: select empty accounts → build → CLIENT-SIDE decode+match (7 checks:
feePayer/all-closeAccount/dest==wallet/closed-set==selected==preview) gates
signing → sign in wallet → send → confirm → on-chain receipt w/ explorer link.
Built by 3 agents, reviewed by 2 audits (security: SOUND — no critical/high;
integration: SHIP). Applied audit fixes: receipt destination check, doc/lint
cleanup. typecheck 8/8, core 85, solana 19, web build green. Live-verified: the
API refuses to build a close tx for a non-empty account (400). buildBurnTx
remains a Phase-3 stub.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
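
The client-side decode+match gate described in the commit above, as an added example that is not PYRE's web code: it refuses to sign unless the fee payer, rent destination and close authority are the wallet and the closed set equals both the selection and the preview. The `DecodedIx`/`DecodedTx` shapes, function names and addresses are hypothetical, and only the checks named in the commit text are implemented.

```typescript
// Added example, not PYRE's web code. The DecodedIx/DecodedTx shapes are a
// hypothetical stand-in for whatever the client-side decoder returns.
interface DecodedIx {
  type: string;        // decoded instruction name, e.g. "closeAccount"
  account: string;     // token account being closed
  destination: string; // where the reclaimed rent goes
  authority: string;   // close authority that must sign
}
interface DecodedTx { feePayer: string; instructions: DecodedIx[]; }

// Order-independent key; a duplicated address changes the key, so it is caught.
function setKey(addrs: string[]): string {
  return addrs.slice().sort().join(",");
}

// Returns the list of failed checks; signing is allowed only when it is empty.
function preSignFailures(tx: DecodedTx, wallet: string,
                         selected: string[], preview: string[]): string[] {
  const failures: string[] = [];
  if (tx.feePayer !== wallet) failures.push("feePayer != wallet");
  if (tx.instructions.length === 0) failures.push("no instructions");
  for (const ix of tx.instructions) {
    if (ix.type !== "closeAccount") failures.push("unexpected instruction: " + ix.type);
    if (ix.destination !== wallet) failures.push("rent destination != wallet: " + ix.account);
    if (ix.authority !== wallet) failures.push("close authority != wallet: " + ix.account);
  }
  const closed = setKey(tx.instructions.map(function (ix) { return ix.account; }));
  if (closed !== setKey(selected)) failures.push("closed set != selected");
  if (closed !== setKey(preview)) failures.push("closed set != preview");
  return failures;
}

// Constructed sample: one close sends the rent somewhere other than the wallet.
const WALLET = "WalletAAAA";
const tamperedTx: DecodedTx = {
  feePayer: WALLET,
  instructions: [
    { type: "closeAccount", account: "Acct1", destination: WALLET, authority: WALLET },
    { type: "closeAccount", account: "Acct2", destination: "OtherBBBB", authority: WALLET },
  ],
};
```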

Implements the §7.1 policy in code so Token-2022 (pump.fun) tokens are cleanable
when safe:
- @pyre/core: extensions.ts (BLOCKING/FLAGGED/SAFE sets + evaluateTokenExtensions);
classify.ts gates Token-2022 on account+mint extensions; unknown extension or
confidential-transfer/withheld-fee -> UNSUPPORTED; transfer-hook/permanent-
delegate/pausable -> cleanable+flagged. Added malformed-u64-balance guard.
- @pyre/solana: parseTokenAccounts reads account extensions + withheld fee, and
batch-fetches MINT extensions (getMultipleParsedAccounts, chunked).
SECURITY (from audit): mint-fetch failure no longer silently downgrades to
account-level-only (which could hide a mint-level blocking extension). Token-2022
accounts with unverified mints are marked extensionsVerified=false and classified
UNSUPPORTED ("unknown means skip"). Two audit agents: integration SHIP; security
found this CRITICAL -> fixed + tested.
Tests: core 85, solana 8. Live verified: the two pump.fun Token-2022 tokens now
classify INCINERATE_ONLY (were UNSUPPORTED). classic-SPL behavior unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- TOKEN_CLASSIFICATION.md: ASCII decision-flow diagram updated to match the
Rev-2 prose (program → extension → lock → empty → non-empty protected → route),
no longer routes all Token-2022 to UNSUPPORTED.
- CLAUDE.md: removed stale "Token-2022 support" from out-of-scope; documents
the gated Token-2022 policy + that classifier code still skips it for now.
- status.json: Phase 1 (Wallet Scanner) marked done — app deployed live at
feedthepyre.com (app at /, tracker at /status, api at /api), scan verified
end-to-end through the public stack.
Reviewed by a doc-consistency audit agent (verdict after fixes: consistent).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Most new tokens — incl. all Pump.fun launches — are Token-2022, so cleaning
only classic SPL misses the majority of real dust. PYRE now supports Token-2022
conservatively, gating on account+mint extensions:
- skip: confidential transfer, withheld transfer fees, frozen/default-frozen,
and any unrecognized extension (UNSUPPORTED). "Unknown means skip" now covers
unknown program OR unknown/unsafe extension.
- cleanable but flagged: transfer-hook & permanent-delegate (burn/close don't
fire a hook; you may always burn/close your own account); non-transferable is
burnable.
- rent reclaim = account's live lamports (Token-2022 size varies); CloseAccount
as a top-level instruction (CPI-Guard safe).
Updated PYRE_MVP_DESIGN.md (§5/§6/§7 + new §7.1 policy table + §8/§16),
TOKEN_CLASSIFICATION.md (categories, safety checklist, decision flow), SECURITY.md.
Researched against Solana docs + Neodyme review. Classifier CODE still skips all
Token-2022 (safe subset) until the extension-aware impl lands next.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
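
The "unknown means skip" extension gate from this commit and from the §7.1 implementation commit further up, as an added example that is not PYRE's `extensions.ts`: any unknown or blocking extension, a frozen account, a withheld fee, or an unverified mint yields UNSUPPORTED. Extension labels follow the commit text; the function name, verdict labels, SAFE entries and the class given to non-transferable are assumptions.

```typescript
// Added example, not PYRE's extensions.ts. Extension labels follow the commit
// text; the SAFE entries and the non-transferable class are assumptions.
type ExtClass = "BLOCKING" | "FLAGGED" | "SAFE";
type Verdict = "UNSUPPORTED" | "CLEANABLE_FLAGGED" | "CLEANABLE";

const POLICY: Record<string, ExtClass> = {
  "confidential-transfer": "BLOCKING",
  "transfer-hook": "FLAGGED",
  "permanent-delegate": "FLAGGED",
  "pausable": "FLAGGED",
  "non-transferable": "FLAGGED", // assumed; the text only says it is burnable
  "immutable-owner": "SAFE",     // assumed
  "metadata-pointer": "SAFE",    // assumed
};

interface Token2022Account {
  accountExtensions: string[];
  mintExtensions: string[] | null; // null: the mint fetch failed, nothing verified
  withheldFee: number;             // withheld transfer fee held on the account
  frozen: boolean;                 // frozen or default-frozen
}

interface GateResult { verdict: Verdict; reasons: string[]; }

function skip(reason: string): GateResult {
  return { verdict: "UNSUPPORTED", reasons: [reason] };
}

function gateToken2022(a: Token2022Account): GateResult {
  // Fail closed: without the mint's extensions a blocking one could be hidden.
  if (a.mintExtensions === null) return skip("mint extensions unverified");
  if (a.frozen) return skip("frozen");
  // Anything other than exactly zero (including NaN) is treated as withheld.
  if (a.withheldFee !== 0) return skip("withheld transfer fee");
  const flags: string[] = [];
  for (const ext of a.accountExtensions.concat(a.mintExtensions)) {
    // Own-property lookup so names like "constructor" never match via the prototype.
    const known = Object.prototype.hasOwnProperty.call(POLICY, ext);
    if (!known) return skip("unknown extension: " + ext);
    if (POLICY[ext] === "BLOCKING") return skip("blocking extension: " + ext);
    if (POLICY[ext] === "FLAGGED" && flags.indexOf(ext) === -1) flags.push(ext);
  }
  return flags.length > 0
    ? { verdict: "CLEANABLE_FLAGGED", reasons: flags }
    : { verdict: "CLEANABLE", reasons: [] };
}
```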

Server provisioning ran successfully: nginx + PostgreSQL + Redis live, UFW
active (22/2222/80/443), TLS issued for feedthepyre.com (+www), pm2-pyre
service enabled. Status dashboard updated (Phase 0 done; infra all green).
Adds scripts/deploy-status.sh for friction-free status-page redeploys.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- scripts/phase0-provision.sh: idempotent root setup (nginx, PostgreSQL,
Redis, certbot/TLS, UFW). Opens 22/2222/80/443 before enabling UFW so SSH
and Gitea git-SSH can't be locked out. Redis/Postgres stay localhost-only.
- infra/nginx/feedthepyre.com.conf: vhost serving the status page; commented
web(:3000)/api(:4000) reverse-proxy blocks ready for app deploy.
- infra/status/: data-driven dev status dashboard (status.json + gen-status.mjs
+ prebuilt index.html), served at feedthepyre.com.
- ecosystem.config.cjs (PM2), infra/systemd/pm2-pyre.service, infra/logrotate/pyre,
scripts/backup.sh — process mgmt + ops (inert until apps are built).
Built by 4 parallel agents, reviewed by 2 audit agents; audit fixes applied
(logs dir creation, port-citation accuracy, status truthfulness). pm2 installed
user-level. Privileged steps gated on `sudo bash scripts/phase0-provision.sh`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>