fix(evm-wallet): address code review — guards, baggage validation, tests

- Remove HOME_SECTION_LIMIT demo counter from homeSection exo (rate-limiting
  belongs on-chain via limitedCalls caveat, not in the vat)
- Add superstruct validation (DelegationGrantStruct) on baggage restore in
  delegator-vat and redeemer-vat instead of unsafe `as` casts
- Tighten delegation-twin guard/type mismatch: M.bigint() guard now matches
  `amount: bigint` param type; remove redundant BigInt coercions
- Add home-coordinator.test.ts covering configureBundler URL/chainId
  validation and revokeGrant error paths
- Add peer-wallet integration test: delegation relay (away → home)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: grypez

packages/evm-wallet-experiment/src/lib/delegation-twin.ts

@@ -53,19 +53,14 @@ export function makeDelegationTwin(
     const exo = makeDiscoverableExo(
       `DelegationTwin:transferNative:${idPrefix}`,
       {
-        async transferNative(
-          recipient: Address,
-          amount: string | number | bigint,
-        ): Promise<Hex> {
-          const amt = BigInt(amount);
-
-          if (maxAmount !== undefined && amt > maxAmount) {
-            throw new Error(`Amount ${amt} exceeds limit ${maxAmount}`);
+        async transferNative(recipient: Address, amount: bigint): Promise<Hex> {
+          if (maxAmount !== undefined && amount > maxAmount) {
+            throw new Error(`Amount ${amount} exceeds limit ${maxAmount}`);
           }
 
           const execution: Execution = {
             target: recipient,
-            value: `0x${amt.toString(16)}`,
+            value: `0x${amount.toString(16)}`,
             callData: '0x' as Hex,
           };
 
@@ -108,30 +103,28 @@ export function makeDelegationTwin(
       async transferFungible(
         tokenAddress: Address,
         recipient: Address,
-        amount: string | number | bigint,
+        amount: bigint,
       ): Promise<Hex> {
-        const amt = BigInt(amount);
-
-        if (amt > max - spent) {
+        if (amount > max - spent) {
           throw new Error(
-            `Insufficient budget: requested ${amt}, remaining ${max - spent}`,
+            `Insufficient budget: requested ${amount}, remaining ${max - spent}`,
           );
         }
 
         // Reserve before the await so concurrent calls see the updated budget.
-        spent += amt;
+        spent += amount;
 
         const execution: Execution = {
           target: tokenAddress,
           value: '0x0' as Hex,
-          callData: encodeTransfer(recipient, amt),
+          callData: encodeTransfer(recipient, amount),
         };
 
         try {
           return await redeemFn(execution);
         } catch (error) {
           // Roll back on redeemFn failure.
-          spent -= amt;
+          spent -= amount;
           throw error;
         }
       },

packages/evm-wallet-experiment/src/types.ts

@@ -349,6 +349,32 @@ export type TransferFungibleGrant = {
   delegation: Delegation;
 };
 
+const BigintStruct = define<bigint>(
+  'bigint',
+  (value) => typeof value === 'bigint',
+);
+
+export const TransferNativeGrantStruct = object({
+  method: literal('transferNative'),
+  to: optional(AddressStruct),
+  maxAmount: optional(BigintStruct),
+  totalLimit: optional(BigintStruct),
+  delegation: DelegationStruct,
+});
+
+export const TransferFungibleGrantStruct = object({
+  method: literal('transferFungible'),
+  token: AddressStruct,
+  to: optional(AddressStruct),
+  maxAmount: optional(BigintStruct),
+  delegation: DelegationStruct,
+});
+
+export const DelegationGrantStruct = union([
+  TransferNativeGrantStruct,
+  TransferFungibleGrantStruct,
+]);
+
 /** Discriminated union of all supported semantic delegation grant types. */
 export type DelegationGrant = TransferNativeGrant | TransferFungibleGrant;
 

packages/evm-wallet-experiment/src/vats/away-coordinator.ts

@@ -1781,13 +1781,15 @@ export function buildRootObject(
     /**
      * Transfer native ETH.
      * Tries each delegation twin in order; falls back to calling home.
+     * Errors from matched twins propagate — they are not swallowed and do
+     * not fall through to the home section.
      *
      * @param to - Recipient address.
      * @param amount - Amount in wei.
      * @returns The transaction hash.
      */
     async transferNative(to: Address, amount: bigint): Promise<Hex> {
-      const amt = BigInt(amount as unknown as string | number | bigint);
+      const amt = amount;
       const matching = delegationSections.filter(
         (sec) => sec.method === 'transferNative',
       );
@@ -1826,7 +1828,7 @@ export function buildRootObject(
       to: Address,
       amount: bigint,
     ): Promise<Hex> {
-      const amt = BigInt(amount as unknown as string | number | bigint);
+      const amt = amount;
       const tokenLower = token.toLowerCase() as Address;
       const matching = delegationSections.filter(
         (sec) => sec.method === 'transferFungible' && sec.token === tokenLower,

packages/evm-wallet-experiment/src/vats/delegator-vat.ts

@@ -1,5 +1,6 @@
 import { makeDefaultExo } from '@metamask/kernel-utils/exo';
 import type { Baggage } from '@metamask/ocap-kernel';
+import { create } from '@metamask/superstruct';
 
 import {
   ENFORCER_CONTRACT_KEY_MAP,
@@ -25,6 +26,7 @@ import type {
   TransferFungibleGrant,
   TransferNativeGrant,
 } from '../types.ts';
+import { DelegationGrantStruct } from '../types.ts';
 
 const harden = globalThis.harden ?? (<T>(value: T): T => value);
 
@@ -53,8 +55,8 @@ export function buildRootObject(
 ): object {
   const grants: Map<string, DelegationGrant> = baggage.has('grants')
     ? new Map(
-        Object.entries(
-          baggage.get('grants') as Record<string, DelegationGrant>,
+        Object.entries(baggage.get('grants') as Record<string, unknown>).map(
+          ([id, raw]) => [id, create(raw, DelegationGrantStruct)],
         ),
       )
     : new Map();

packages/evm-wallet-experiment/src/vats/home-coordinator.test.ts

@@ -0,0 +1,178 @@
+import type { Baggage } from '@metamask/ocap-kernel';
+import { describe, expect, it, vi } from 'vitest';
+
+import type { Address, Delegation, DelegationGrant, Hex } from '../types.ts';
+import { buildRootObject } from './home-coordinator.ts';
+import { makeMockBaggage } from '../../test/helpers.ts';
+
+vi.mock('@endo/eventual-send', () => ({
+  E: (target: Record<string, (...args: unknown[]) => unknown>) =>
+    new Proxy(target, {
+      get(obj, prop: string) {
+        return async (...args: unknown[]) =>
+          Promise.resolve(obj[prop]?.(...args));
+      },
+    }),
+}));
+vi.mock('@metamask/kernel-utils/exo', () => ({
+  makeDefaultExo: (_name: string, methods: Record<string, unknown>) => methods,
+}));
+vi.mock('@metamask/kernel-utils/discoverable', () => ({
+  makeDiscoverableExo: (_name: string, methods: Record<string, unknown>) =>
+    methods,
+}));
+vi.mock('../lib/sdk.ts', () => ({
+  setSdkLogger: vi.fn(),
+  registerEnvironment: vi.fn(),
+  resolveEnvironment: vi.fn().mockReturnValue({ chainId: 11155111 }),
+  getDelegationManagerAddress: vi
+    .fn()
+    .mockReturnValue('0xdb9B1e94B5b69Df7e401DDbedE43491141047dB3' as Address),
+  buildSdkRedeemCallData: vi.fn().mockReturnValue('0x' as Hex),
+  buildSdkDisableCallData: vi.fn().mockReturnValue('0x' as Hex),
+  buildBatchExecuteCallData: vi.fn().mockReturnValue('0x' as Hex),
+  computeSmartAccountAddress: vi.fn(),
+  isEip7702Delegated: vi.fn().mockResolvedValue(false),
+  prepareUserOpTypedData: vi.fn(),
+}));
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+type HomeCoordinator = {
+  bootstrap(
+    vats: Record<string, unknown>,
+    services: Record<string, unknown>,
+  ): Promise<void>;
+  configureBundler(config: {
+    bundlerUrl: string;
+    chainId: number;
+    usePaymaster?: boolean;
+  }): Promise<void>;
+  revokeGrant(id: string): Promise<Hex>;
+};
+
+const SIGNED_DELEGATION: Delegation = {
+  id: '0xaaaa000000000000000000000000000000000000000000000000000000000000',
+  delegator: '0x1111111111111111111111111111111111111111' as Address,
+  delegate: '0x2222222222222222222222222222222222222222' as Address,
+  authority:
+    '0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' as Hex,
+  caveats: [],
+  salt: '0x01' as Hex,
+  chainId: 11155111,
+  status: 'signed',
+};
+
+const REVOKED_DELEGATION: Delegation = {
+  ...SIGNED_DELEGATION,
+  id: '0xbbbb000000000000000000000000000000000000000000000000000000000000',
+  status: 'revoked',
+};
+
+const NATIVE_GRANT: DelegationGrant = {
+  method: 'transferNative',
+  delegation: SIGNED_DELEGATION,
+};
+
+const REVOKED_GRANT: DelegationGrant = {
+  method: 'transferNative',
+  delegation: REVOKED_DELEGATION,
+};
+
+async function makeCoordinator(
+  delegatorVat?: Record<string, unknown>,
+): Promise<HomeCoordinator> {
+  const baggage = makeMockBaggage();
+  const coordinator = buildRootObject(
+    {},
+    undefined,
+    baggage as unknown as Baggage,
+  ) as unknown as HomeCoordinator;
+
+  if (delegatorVat) {
+    await coordinator.bootstrap({ delegator: delegatorVat }, {});
+  }
+
+  return coordinator;
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('home-coordinator', () => {
+  describe('configureBundler — URL validation', () => {
+    it.each([
+      'file:///etc/passwd',
+      'ftp://host/path',
+      'ws://host/path',
+      '',
+      'not-a-url',
+    ])('rejects non-HTTP(S) URL: %s', async (bundlerUrl) => {
+      const coordinator = await makeCoordinator();
+      await expect(
+        coordinator.configureBundler({ bundlerUrl, chainId: 1 }),
+      ).rejects.toThrow('Invalid bundler URL');
+    });
+
+    it.each([0, -1, 1.5, NaN])(
+      'rejects invalid chain ID: %s',
+      async (chainId) => {
+        const coordinator = await makeCoordinator();
+        await expect(
+          coordinator.configureBundler({
+            bundlerUrl: 'https://api.pimlico.io/v2/sepolia/rpc?apikey=x',
+            chainId,
+          }),
+        ).rejects.toThrow('Invalid chain ID');
+      },
+    );
+  });
+
+  describe('revokeGrant', () => {
+    it('throws when grant is not found', async () => {
+      const mockDelegator = { listGrants: vi.fn().mockResolvedValue([]) };
+      const coordinator = await makeCoordinator(mockDelegator);
+
+      await expect(
+        coordinator.revokeGrant(SIGNED_DELEGATION.id),
+      ).rejects.toThrow('not found');
+    });
+
+    it('throws when grant is already revoked', async () => {
+      const mockDelegator = {
+        listGrants: vi.fn().mockResolvedValue([REVOKED_GRANT]),
+      };
+      const coordinator = await makeCoordinator(mockDelegator);
+
+      await expect(
+        coordinator.revokeGrant(REVOKED_DELEGATION.id),
+      ).rejects.toThrow('already revoked');
+    });
+
+    it('throws when delegatorVat is not available', async () => {
+      const coordinator = await makeCoordinator();
+
+      await expect(
+        coordinator.revokeGrant(SIGNED_DELEGATION.id),
+      ).rejects.toThrow('Delegator vat not available');
+    });
+
+    it('calls delegatorVat.listGrants to look up the grant', async () => {
+      const mockDelegator = {
+        listGrants: vi.fn().mockResolvedValue([NATIVE_GRANT]),
+        removeGrant: vi.fn().mockResolvedValue(undefined),
+      };
+      const coordinator = await makeCoordinator(mockDelegator);
+
+      // revokeGrant will fail past the lookup (no bundler/provider configured)
+      // but listGrants must have been called once.
+      await coordinator
+        .revokeGrant(SIGNED_DELEGATION.id)
+        .catch((_err) => undefined);
+      expect(mockDelegator.listGrants).toHaveBeenCalledOnce();
+    });
+  });
+});

packages/evm-wallet-experiment/src/vats/home-coordinator.ts

@@ -1089,21 +1089,10 @@ export function buildRootObject(
   // homeSection exo — built once, after all internal functions are defined
   // ---------------------------------------------------------------------------
 
-  // Demo limit: each method throws after 2 uses
-  let transferNativeUses = 0;
-  let transferFungibleUses = 0;
-  const HOME_SECTION_LIMIT = 2;
-
   const homeSection = makeDiscoverableExo(
     'HomeWallet',
     {
       async transferNative(to: Address, amount: bigint): Promise<Hex> {
-        if (transferNativeUses >= HOME_SECTION_LIMIT) {
-          throw new Error(
-            `Home transferNative limit (${HOME_SECTION_LIMIT}) exhausted`,
-          );
-        }
-        transferNativeUses += 1;
         const from = await resolveOwnerAddress();
         const amountHex: Hex = `0x${amount.toString(16)}`;
         if (!providerVat) {
@@ -1138,20 +1127,11 @@ export function buildRootObject(
         to: Address,
         amount: bigint,
       ): Promise<Hex> {
-        if (transferFungibleUses >= HOME_SECTION_LIMIT) {
-          throw new Error(
-            `Home transferFungible limit (${HOME_SECTION_LIMIT}) exhausted`,
-          );
-        }
-        transferFungibleUses += 1;
         const from = await resolveOwnerAddress();
         if (!providerVat) {
           throw new Error('Provider not configured');
         }
-        const callData = encodeTransfer(
-          to,
-          BigInt(amount as unknown as string | number | bigint),
-        );
+        const callData = encodeTransfer(to, amount);
         const chainId = await resolveChainId();
         const nonce = await E(providerVat).getNonce(from);
         const fees = await E(providerVat).getGasFees();

packages/evm-wallet-experiment/src/vats/redeemer-vat.ts

@@ -1,7 +1,9 @@
 import { makeDefaultExo } from '@metamask/kernel-utils/exo';
 import type { Baggage } from '@metamask/ocap-kernel';
+import { create } from '@metamask/superstruct';
 
 import type { DelegationGrant } from '../types.ts';
+import { DelegationGrantStruct } from '../types.ts';
 
 const harden = globalThis.harden ?? (<T>(value: T): T => value);
 
@@ -21,8 +23,8 @@ export function buildRootObject(
   // Restore from baggage on resuscitation
   const grants: Map<string, DelegationGrant> = baggage.has('grants')
     ? new Map(
-        Object.entries(
-          baggage.get('grants') as Record<string, DelegationGrant>,
+        Object.entries(baggage.get('grants') as Record<string, unknown>).map(
+          ([id, raw]) => [id, create(raw, DelegationGrantStruct)],
         ),
       )
     : new Map();