merge: resolve conflict, keep both convenience exports + v6 token exports

Fixed additional compile error: ts-expect-error → ts-ignore for optional @solana/web3.js
155/155 tests passing

Author: up2itnow0822

.coderabbit.yaml

@@ -0,0 +1,29 @@
+language: en-US
+reviews:
+  profile: assertive
+  request_changes_workflow: true
+  high_level_summary: true
+  poem: false
+  auto_review:
+    enabled: true
+    drafts: false
+  path_instructions:
+    - path: "src/**/*.ts"
+      instructions: |
+        Non-custodial cryptocurrency wallet SDK. Review with extreme security focus:
+        - Flag ANY exposure of private keys, mnemonics, or seed phrases in logs, errors, or return values
+        - Flag unvalidated chain IDs, addresses, or transaction amounts
+        - Flag missing spending policy validation before transaction signing
+        - Flag reentrancy risks in contract interactions
+        - Flag hardcoded RPC endpoints or API keys
+        - Flag missing error handling on blockchain calls
+    - path: "src/cli/**/*.ts"
+      instructions: |
+        AgentGuard CLI for transaction policy validation.
+        - Flag private keys passed as CLI arguments (CRITICAL - CVE vector)
+        - Flag missing input sanitization on CLI parameters
+    - path: "**/*.sol"
+      instructions: |
+        Solidity smart contracts. Check for reentrancy, access control, unchecked calls, missing events.
+chat:
+  auto_reply: true

.github/workflows/security-review.yml

@@ -0,0 +1,57 @@
+name: AI Security Review
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches: [main]
+    paths: ['src/**/*.ts', 'src/**/*.sol', 'contracts/**/*.sol']
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  security-review:
+    runs-on: ubuntu-latest
+    name: Wallet Security Scan
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Get changed files
+        id: changed
+        run: |
+          FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.sha }} | grep -E '\.(ts|sol)$' | grep -v '\.d\.ts$' | grep -v 'test' | grep -v 'spec' | tr '\n' ' ')
+          echo "files=$FILES" >> $GITHUB_OUTPUT
+      - name: Security pattern scan
+        if: steps.changed.outputs.files != ''
+        run: |
+          echo "## Security Scan Results" > /tmp/report.md
+          FOUND=0
+          for file in ${{ steps.changed.outputs.files }}; do
+            [ ! -f "$file" ] && continue
+            if grep -n -i 'console.*\(private\|secret\|mnemonic\|seed\)' "$file" 2>/dev/null; then
+              echo "CRITICAL: Potential key exposure in $file" >> /tmp/report.md; FOUND=1
+            fi
+            if grep -n 'privateKey.*process\.argv\|--private-key\|--secret' "$file" 2>/dev/null; then
+              echo "CRITICAL: Private key via CLI arg in $file" >> /tmp/report.md; FOUND=1
+            fi
+            if grep -n -E 'eval\s*\(|new\s+Function\s*\(' "$file" 2>/dev/null; then
+              echo "HIGH: Dynamic code execution in $file" >> /tmp/report.md; FOUND=1
+            fi
+          done
+          [ "$FOUND" -eq 0 ] && echo "No security patterns detected." >> /tmp/report.md
+          cat /tmp/report.md
+      - name: Post report
+        if: always()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            let report = 'Security scan completed.';
+            try { report = fs.readFileSync('/tmp/report.md', 'utf-8'); } catch(e) {}
+            const hasCrit = report.includes('CRITICAL:');
+            const icon = hasCrit ? '🔴' : '🟢';
+            await github.rest.issues.createComment({
+              owner: context.repo.owner, repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: '## ' + icon + ' Security Review\\n\\n' + report
+            });
+            if (hasCrit) core.setFailed('Critical security issues found');

CHANGELOG.md

@@ -1,3 +1,26 @@
+## [6.0.0] — 2026-03-21
+
+### Added
+- **`TokenRegistry` class** — 80+ verified token addresses across 11 EVM chains + Solana
+  - Pre-populated registries: USDC, USDT, DAI, WETH, WBTC, LINK, UNI, AAVE, CRV, MKR, SNX, COMP, LDO, ARB, OP, and more
+  - Native gas token support (ETH, POL, AVAX, S) with `isNative` flag
+  - `addToken()` for custom token imports
+  - Per-chain registry exports: `BASE_REGISTRY`, `ETHEREUM_REGISTRY`, `ARBITRUM_REGISTRY`, etc.
+- **Multi-token EVM transfers**: `sendToken()`, `sendNative()`, `getTokenBalance()`, `getNativeBalance()`, `getBalances()`
+- **Human-readable amount handling**: `toRaw()`, `toHuman()`, `formatBalance()`
+- **Solana SPL token support** (optional peer dependency `@solana/web3.js`):
+  - `SolanaWallet` class with `getSolBalance()`, `sendSol()`, `sendSplToken()`, `getSplTokenBalance()`
+- **x402 multi-asset resolution** — payments now accept any token the server requests, not just USDC
+
+### Changed
+- x402 client updated to resolve assets via `TokenRegistry` (multi-asset support)
+- Bumped version to 6.0.0
+
+### Backward Compatible
+- All v5.x imports continue to work unchanged
+
+---
+
 ## [5.2.0] — 2026-03-16
 
 ### Added