fix(stacks-alpha-engine): post-#339 audit sweep — rebase of #346

[whoabuddy]

Summary

Rebased version of #346 (cliqueengagements) onto current main. Same content, single squashed commit.

Why a fresh PR

#346 was 18 commits behind main with cascading skills.json conflicts on each commit during the rebase chain (each commit touched the manifest, and main moved a lot since Apr 21). Rather than walk through 18 separate take-theirs + regen resolutions, took the cleaner approach: reset to current main, cherry-pick the stacks-alpha-engine/ directory contents from the PR's tip in one shot, regen manifest. Same end-state, single clean commit.

Per the established Wave 2 pattern (#427→#490 etc.) for forks where rebase-on-PR is impractical or would obscure history.

Diff

• stacks-alpha-engine/stacks-alpha-engine.ts — main audit-sweep changes
• stacks-alpha-engine/SKILL.md — doc updates
• stacks-alpha-engine/AGENT.md — agent guidance updates
• skills.json — regen for manifest

Total: +496/-105 lines (matches the original PR's +503/-105 closely; small delta is just from the manifest format).

Closes #346.

Test plan

• bun run typecheck clean
• bun run manifest clean (95 skills)
• CI green here

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e165e2e9a0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Exclude borrow/repay from pool-based guardian checks

The new borrow/repay commands are still funneled through inferTargetPoolId, which falls back to dlmm_1 for any non-deploy/migrate command, so _runPipeline applies HODLMM slippage/volume gates to Zest debt operations that do not touch DLMM at all. In practice this means borrow/repay can be refused when dlmm_1 volume is low or Bitflow pool data is unavailable, even though the Zest transaction itself is valid.

Useful? React with 👍 / 👎.

[arc0btc]

Post-#339 audit sweep: adds borrow/repay commands to stacks-alpha-engine, fixes DLMM swap min-received calculation, corrects FT assetName bindings across protocols, and flips safety gates to fail-CLOSED. Each change is backed by on-chain proof — clean work.

What works well:

• The DLMM swap min-received fix is the right call. The old Math.floor(amount * (1 - slip / 100)) computed the floor in input-token units, which is meaningless to the router. Computing in expected output-token units is correct, and expectedSwapOutput is a clean helper for it.
• FT assetName corrections (usdh-token → usdh, bridged-usdc → aeUSDC, etc.) match what the contracts actually emit — these were silent failures waiting to happen.
• Granite redeem PC shape is now right. The old bindings (lp-v1 as principal, bridged-usdc as asset name) didn't match the real flow; anchoring to state-v1 + 3-PC envelope (receive floor, receive cap, burn floor) is the correct pattern. The on-chain proof txids close the loop.
• Fail-CLOSED on slippage, volume, and gas exceptions is a meaningful safety improvement. The old catch { /* allow */ } pattern was a silent footgun.
• inferTargetPoolId correctly routes guardian checks to the pool the operation will actually touch rather than always measuring dlmm_1. That's an important fix for Hermetica/Granite deploys.
• max-steps 6 → 230 per the #339 audit recommendation.
• migrate --amount now required. The old implicit sBTC-balance default was a silent foot-gun for stablecoin protocol migrations.

[suggestion] Guardian slippage/volume gates don't apply to borrow/repay (stacks-alpha-engine.ts borrow/repay pipeline, inferTargetPoolId)

borrow and repay don't touch any DLMM pool — they call zest_borrow / zest_repay directly against the Zest market contract. But inferTargetPoolId falls through to "dlmm_1" for these commands, so the Guardian will refuse a valid borrow if dlmm_1 happens to have high slippage or low 24h volume that day. The cooldown and gas gates make sense for borrow/repay; the HODLMM slippage and volume gates don't.

One fix: add borrow and repay to inferTargetPoolId and return a sentinel like "none", then skip the slippage/volume blocks in checkGuardian when targetPoolId === "none". Alternatively, extract a dedicated checkGuardianForDebt() that only runs price, gas, and cooldown gates.

[nit] validTokens_borrowRepay: Record<string, string[]> is a local const initialized inline as { zest: ["usdh"] } and only read once two lines later. A direct const validBorrowTokens = ["usdh"] (dropping the protocol nesting, since we've already asserted protocol === "zest" in the preceding guard) would be simpler and avoids the surprising mixed-case name.

Operational context: We run Zest sBTC supply/withdraw ops nightly. From MEMORY: borrow-helper-v2-1-7 is confirmed required for mainnet borrow operations — the USDh-only gate here matches what we've seen empirically. The on-chain proof txids for the full borrow/repay cycle at the top of SKILL.md are the right way to document this. The DLMM dual-pin post-condition pattern (willSendLte on caller + willSendGte on pool) matches what we validated from bff-skills#494.

The fail-CLOSED refactors alone are worth merging. The borrow/repay guardian issue is an improvement-not-blocker — borrow will still work most of the time; it'll just refuse on days dlmm_1 liquidity dips. Worth a follow-up if you want the gate to be purely debt-condition-aware.

[Copilot]

Pull request overview

Rebases and lands the post-#339 audit sweep for the stacks-alpha-engine skill, focusing on fund-safety hardening (post-conditions), more accurate guardian gating, and adding Zest USDh borrow/repay to support a documented leveraged-yield flow.

Changes:

• Hardened Bitflow DLMM swap safety (dual-pin allow-mode envelope, output-based min-received, higher max-steps) and improved Guardian pool targeting/fail-closed behavior.
• Added Zest borrow / repay command surface (USDh-only) plus updated docs/agent guidance.
• Regenerated skills.json manifest to include new commands.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File	Description
stacks-alpha-engine/stacks-alpha-engine.ts	Adds borrow/repay commands, refines guardian gating, updates DLMM swap post-conditions, and parameterizes HODLMM deploy by pool-id.
stacks-alpha-engine/SKILL.md	Updates surfaced command list and expands operational docs (proofs + leveraged-yield pattern + post-condition rationale).
stacks-alpha-engine/AGENT.md	Updates agent operational rules to match the new Zest borrow/repay scope and restrictions.
skills.json	Manifest regeneration to include new commands and updated generated timestamp.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The on-chain proof bullets label USDh amounts as “µUSDh” (micro), but elsewhere (and in code) USDh is treated as 8-decimal. Using “µUSDh” implies 6 decimals and can lead to 100× mis-sized amounts. Suggest rewording these to “atomic USDh (8 decimals)” or “10^-8 units” (and similarly in the leveraged-yield example placeholders).

Suggested change

	- **Zest USDh borrow**: [`0x2b465aae…`](https://explorer.hiro.so/txid/0x2b465aae05812d25e4f52799b5f2882b21ca411d892359aba5157dba85d1162a?chain=mainnet) — 50M µUSDh borrowed against sBTC collateral via `v0-4-market.borrow`
	- **Zest USDh repay**: [`0xd3b46ae7…`](https://explorer.hiro.so/txid/0xd3b46ae74b666af2e06a765d29e30bd2b0341507266827a2140cc4d9e6053fba?chain=mainnet) — full 50M µUSDh debt cleared via `v0-4-market.repay`
	- **Zest USDh borrow**: [`0x2b465aae…`](https://explorer.hiro.so/txid/0x2b465aae05812d25e4f52799b5f2882b21ca411d892359aba5157dba85d1162a?chain=mainnet) — 50M atomic USDh (8 decimals) borrowed against sBTC collateral via `v0-4-market.borrow`
	- **Zest USDh repay**: [`0xd3b46ae7…`](https://explorer.hiro.so/txid/0xd3b46ae74b666af2e06a765d29e30bd2b0341507266827a2140cc4d9e6053fba?chain=mainnet) — full 50M atomic USDh (8 decimals) debt cleared via `v0-4-market.repay`

[Copilot]

In the leveraged-yield example, the placeholders use <debt_micro_usdh> for USDh amounts, but the repo treats USDh as 8-decimal. Consider renaming the placeholder to reflect 10^-8 base units (or just “atomic units”) to avoid users passing 6-decimal-scaled values.

Suggested change

	borrow --protocol zest --token usdh --amount <debt_micro_usdh> # take USDh debt (~7% APR)
	deploy --protocol hermetica --token usdh --amount <debt_micro_usdh> # stake for 40% APY
	# ---- earning ~33% positive carry on debt_micro_usdh while sBTC exposure preserved ----
	borrow --protocol zest --token usdh --amount <debt_atomic_usdh> # take USDh debt (~7% APR)
	deploy --protocol hermetica --token usdh --amount <debt_atomic_usdh> # stake for 40% APY
	# ---- earning ~33% positive carry on debt_atomic_usdh while sBTC exposure preserved ----

[Copilot]

getDlmmSwapRoute currently treats tokenIn === "stx" as routable directly into the USDh/USDCx and aeUSDC/USDCx pools, but those pools don’t support STX as an input asset. As written, a deploy --protocol hermetica --token stx (or granite) path will build a swap that actually sends USDCx, causing an invalid/failed instruction. Either remove stx from these single-hop routes (and from the deploy validTokens list), or implement an explicit STX→USDCx hop (using an STX/USDCx pool) and emit a 2-step swap-simple-multi route.

[Copilot]

The slippage gate only fails-closed on thrown errors. If fetchBitflowPools() returns an empty list or the targetPoolId entry is missing/has no tokens, the code silently skips the slippage check (leaving slippageOk=true) and may allow writes without measuring price drift. Consider treating “pool not found / tokens missing” as an unavailable slippage check and refusing (similar to the catch-path), and likewise distinguishing “pool data unavailable” from a real $0 volume reading.

[Copilot]

In the migrate executor path, const token = opts.token ?? inferToken(to); is passed through to buildDeployInstructions without normalization. If a user supplies --token with different casing (e.g. USDH), the downstream comparisons (token === "usdh", route lookup keys, etc.) won’t match and the migrate will take the wrong branch. Normalize opts.token to lowercase (and ideally validate it against the target protocol’s allowed tokens) the same way the deploy path does.

Suggested change

	const token = opts.token ?? inferToken(to);
	const token = (opts.token?.toLowerCase()) ?? inferToken(to);

[Copilot]

The borrow/repay CLI help strings describe the smallest USDh unit as “µUSDh”, but the code/config treats USDh as having 8 decimals, so the smallest unit is 1e-8 (not micro/1e-6). Please adjust the wording to avoid implying 6 decimals (e.g., “atomic units (10^-8)” or similar) so users don’t pass incorrectly-scaled amounts.