feat(trade): route Treasures tokenized stock buys/sells through acp trade

[ai-virtual-b]

Summary

Stacked on top of #26. Adds a Treasures Finance route to the unified acp trade command — --ticker <SYM> triggers a new "treasures-stock" intent and runs ownership-proof → quote → per-leg EIP-712 sign → submit → poll-status in one command. No SDK; bare fetch in src/lib/treasures/client.ts (one import: CliError).

Why it slots into acp trade (and not its own command)

Treasures buy/sell settles an ERC-20 stock token into the wallet (you own a token, not a position) — topologically identical to a swap. Sitting next to BondingV5/LiFi swaps and HL spot/perp keeps the param-routing pattern from #26 intact.

Intent routing

You pass…	Route
--ticker AAPL --amount-usdc 50	Treasures buy
--ticker AAPL --amount-shares 0.1	Treasures sell
--ticker + neither / both amounts	hard error with recovery hint

--ticker wins over every other path; nothing else carries stock tickers. --side stays perp-only.

Optional filters mirror the API: --protocol ondo|xstocks, --chain sol|eth, --slippage-bps <n> (default 300).

Signing — entirely behind the scenes

1. Canonical challenge treasures-finance-quote-v1\n{issued_at}\n{sol|""}\n{eth|""} (eth lowercased; empty string for the absent side — schema is .strict())
2. provider.signMessage(8453, challenge) for the EIP-191 eth_signature
3. For each returned EVM leg: provider.signTypedData(typed_data.domain.chainId, typed_data) — honoring whatever chainId the server returns, not hard-coding mainnet
4. POST /trade/submit (idempotent on (quote_id, quote_index) so a retry won't double-broadcast)
5. Poll /quote/{id}/status (no auth) until terminal or 120 s timeout

Same keystore plumbing as #26's runSwap / HL signing — createProviderAdapter(), getWalletAddress(). Private keys never leave the keystore.

Out of scope, intentionally

• Solana legs. Keystore is EVM-only; a solana_versioned_tx payload throws with a recovery hint pointing users at --chain eth. When Ed25519 lands, swap the throw for the real impl and --chain sol lights up.
• Bridging Base → mainnet USDC. The existing acp trade --token-in usdc --chain-in 8453 --chain-out 1 swap path already handles it via /trade/plan. No reason to mirror it in a Treasures-specific command.

Config

• TREASURES_API_URL — overrides the host (lets ops point at non-prod without rebuilding).
• Defaults: IS_TESTNET=true → https://staging-api.treasures.io/public/v1, else https://api.treasures.io/public/v1.
• Deliberately separate from ACP_SERVER_URL — IS_TESTNET for ACP and Treasures are independent dials. Mixing prod-ACP + staging-Treasures is the realistic test posture (an agent's wallet/signer live on prod ACP regardless of which Treasures env you're hitting).

Test plan

• tsc --noEmit clean
• acp trade --help shows the new flags and routes (manual)
• Direction validation: rejects neither / both amount fields with a clear recovery hint
• End-to-end against staging-api.treasures.io: request reaches compliance layer; challenge + signature + body all accepted by every server check up to the geo-fence (which currently returns 451 unavailable_for_legal_reasons — same response from a raw curl, so not a CLI issue)
• Full fill (completed aggregate status) — needs staging IP allowlisted, or run from an allowed region
• Sell path on a wallet with stock-token holdings — same code path, not yet exercised against live holdings

Risk / blast radius

Medium. Auto-signs a real EIP-712 Fusion order and POSTs it to a public production-ish API when staging compliance is off. Mitigations: HTTPS-enforced like the existing trade proxy; idempotent submit; 120 s poll timeout that surfaces a TIMEOUT rather than hanging; Sol legs throw rather than half-submit.

🤖 Generated with Claude Code

---

Note

Medium Risk
The CLI auto-signs real EIP-712 Fusion orders and submits them to Treasures production/staging APIs; mitigations include HTTPS enforcement, idempotent submit, Sol-leg refusal, and poll timeout, but failed/partial fills still move real funds on EVM.

Overview
Adds Treasures Finance tokenized stock trading to acp trade via a new treasures-stock intent: --ticker takes priority over swap/HL routes; --amount-usdc vs --amount-shares selects buy vs sell, with optional --protocol, --chain, and --slippage-bps.

The flow signs an ownership-proof challenge, fetches a quote, signs each returned EIP-712 leg with the keystore, submits to Treasures, and polls until a terminal status (non-completed sets exit code 1). Solana legs are rejected explicitly; EVM-only is supported today.

New src/lib/treasures/client.ts wraps the public API with HTTPS-only fetch, TREASURES_API_URL / IS_TESTNET host selection, and typed quote/submit/status helpers.

^{Reviewed by Cursor Bugbot for commit 0622254. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 0622254. Configure here.}

[cursor]

Empty Treasures amount accepted

Medium Severity

Treasures buy/sell direction only checks whether --amount-usdc or --amount-shares is present, not whether the value is non-empty or a valid positive amount. An empty string still counts as “set,” so the flow can sign the ownership proof and call /quote/buy or /quote/sell with blank amounts instead of the intended exactly-one-amount validation.

 

^{Reviewed by Cursor Bugbot for commit 0622254. Configure here.}