
fix(pancakeswap): fix add/remove-liquidity failures and sandwich vulnerability #1

Closed
GeoGu360 wants to merge 1 commit into main from fix/pancakeswap-add-remove-liquidity

Conversation

@GeoGu360
Owner

Summary

  • Bug 1 — Balance check before approve/mint: add-liquidity now calls rpc::get_balance() for both tokens before submitting any transaction. Previously the command would approve tokens the wallet didn't have, burning gas before the mint reverted. Validated by the test note: "the wallet balance was not checked first, which caused the failure".

  • Bug 2 — Auto tick range: --tick-lower and --tick-upper are now optional. When omitted, the plugin fetches the pool's current tick from slot0() and computes a ±10% price range (~±1000 ticks) aligned to the fee tier's tickSpacing. Explicit ticks still work as before.

  • Bug 3 — Sandwich vulnerability in remove-liquidity: amount0Min/amount1Min for decreaseLiquidity were previously computed from tokens_owed (already-accrued uncollected fees), which is completely unrelated to what decreaseLiquidity returns. For any position with tokens_owed = 0 both minimums silently became 0 — zero slippage protection, open to sandwich attacks. Fix: added amounts_from_liquidity() to rpc.rs implementing standard Uniswap V3 liquidity math (using the pool's current sqrtPriceX96 from slot0()), and slippage minimums are now derived from the actual expected output.

Files changed

| File | Change |
| --- | --- |
| src/commands/add_liquidity.rs | Balance check + optional tick auto-compute |
| src/commands/remove_liquidity.rs | V3 math-based slippage protection |
| src/rpc.rs | Added amounts_from_liquidity() + tick_to_sqrt_price() |
| src/main.rs | tick_lower/tick_upper changed to Option<i32> |

Test plan

  • add-liquidity with insufficient balance → clear error before any tx
  • add-liquidity without --tick-lower/--tick-upper → auto range printed, mint succeeds
  • add-liquidity with explicit ticks → behaviour unchanged
  • remove-liquidity --dry-run → prints non-zero amount0Min/amount1Min for in-range position
  • cargo build passes with no new warnings

🤖 Generated with Claude Code
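Worked example, added here and not code from the PR or the plugin: the Uniswap V3 math that Bug 3 relies on (expected amount0/amount1 for a given liquidity at the pool's current sqrtPriceX96) together with the tickSpacing-aligned default range from Bug 2, and why minimums derived from tokens_owed collapse to zero. It is written in Python rather than the project's Rust; a Decimal power stands in for TickMath, and the liquidity, tick and fee-tier values are constructed.

```python
from decimal import Decimal, getcontext

getcontext().prec = 60
Q96 = 1 << 96  # Uniswap V3 sqrt prices are Q64.96 fixed point

def tick_to_sqrt_price_x96(tick: int) -> int:
    """sqrt(1.0001**tick) * 2**96. Decimal stand-in for TickMath.getSqrtRatioAtTick."""
    return int(Decimal("1.0001") ** (Decimal(tick) / 2) * Q96)

def align_tick_range(current_tick: int, tick_spacing: int, width: int = 1000) -> tuple[int, int]:
    """Default range of +/- `width` ticks (about +/-10% in price), widened outward to the fee tier's spacing."""
    lower = ((current_tick - width) // tick_spacing) * tick_spacing      # floor to spacing
    upper = -((-(current_tick + width)) // tick_spacing) * tick_spacing  # ceil to spacing
    return lower, upper

def amounts_from_liquidity(liquidity: int, sqrt_p: int, sqrt_a: int, sqrt_b: int) -> tuple[int, int]:
    """Principal that decreaseLiquidity releases for `liquidity` at pool price sqrt_p
    (integer form of LiquidityAmounts.getAmountsForLiquidity, floor at every division)."""
    if sqrt_a > sqrt_b:
        sqrt_a, sqrt_b = sqrt_b, sqrt_a
    if sqrt_p <= sqrt_a:   # price below range: position holds only token0
        return (liquidity << 96) * (sqrt_b - sqrt_a) // sqrt_b // sqrt_a, 0
    if sqrt_p >= sqrt_b:   # price above range: position holds only token1
        return 0, liquidity * (sqrt_b - sqrt_a) // Q96
    amount0 = (liquidity << 96) * (sqrt_b - sqrt_p) // sqrt_b // sqrt_p
    amount1 = liquidity * (sqrt_p - sqrt_a) // Q96
    return amount0, amount1

def slippage_minimums(amount0: int, amount1: int, slippage_bps: int) -> tuple[int, int]:
    """amount0Min/amount1Min that tolerate `slippage_bps` below the expected output."""
    keep = 10_000 - slippage_bps
    return amount0 * keep // 10_000, amount1 * keep // 10_000

def buggy_minimums(tokens_owed0: int, tokens_owed1: int, slippage_bps: int) -> tuple[int, int]:
    """Pre-fix behaviour: minimums taken from accrued fees, which say nothing about the principal."""
    return slippage_minimums(tokens_owed0, tokens_owed1, slippage_bps)

if __name__ == "__main__":
    # Constructed position: 1e18 liquidity in a tickSpacing-10 tier, pool at tick 0 (price 1.0).
    lower, upper = align_tick_range(0, 10)
    sqrt_p = tick_to_sqrt_price_x96(0)
    a0, a1 = amounts_from_liquidity(10**18, sqrt_p, tick_to_sqrt_price_x96(lower), tick_to_sqrt_price_x96(upper))
    print("expected principal:", a0, a1)
    print("fixed minimums   :", slippage_minimums(a0, a1, 50))  # 0.5% tolerance below expected output
    print("buggy minimums   :", buggy_minimums(0, 0, 50))       # fresh position, no fees accrued: (0, 0)
```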

…erability

Three bugs fixed:

1. add-liquidity: pre-flight balance check before approve/mint
   Wallet balance is now verified against amount0_desired/amount1_desired
   before submitting any transaction. Fails early with a clear message
   instead of wasting gas on a doomed approve + reverted mint.

2. add-liquidity: auto-compute tick range when omitted
   --tick-lower and --tick-upper are now optional. When both are omitted,
   the plugin fetches the pool's current tick via slot0() and builds a
   ±10% price range (≈±1000 ticks), aligned to the fee tier's tickSpacing.
   Callers can still pass explicit ticks for full control.

3. remove-liquidity: fix slippage protection (sandwich vulnerability)
   Previously amount0Min/amount1Min were computed from tokens_owed (accrued
   fees), which is unrelated to the amounts returned by decreaseLiquidity.
   For any position with tokens_owed=0 this silently set both minimums to 0,
   giving zero slippage protection and exposing the tx to sandwich attacks.

   Fix: fetch the pool's current sqrtPriceX96 + tick via slot0(), then apply
   standard Uniswap V3 liquidity math (amounts_from_liquidity in rpc.rs) to
   compute the actual expected token amounts. Slippage minimums are now
   derived from those real amounts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@GeoGu360 GeoGu360 had a problem deploying to summary-generation April 10, 2026 17:23 — with GitHub Actions Failure
@GeoGu360 GeoGu360 deployed to ai-review April 10, 2026 17:23 — with GitHub Actions Active
@github-actions

Phase 4: Summary + Pre-flight for pancakeswap

Review below. AI Code Review is in a separate check.


Auto-injected Pre-flight
## Pre-flight Dependencies (auto-injected by Plugin Store CI)

> Run once per session before first use. These checks ensure required tools are installed.

### Install onchainos CLI + Skills (auto-injected)

```bash
# 1. Install onchainos CLI
onchainos --version 2>/dev/null || curl -fsSL https://raw.githubusercontent.com/okx/onchainos-skills/main/install.sh | sh

# 2. Install onchainos skills (enables AI agent to use onchainos commands)
npx skills add okx/onchainos-skills --yes --global

# 3. Install plugin-store skills (enables plugin discovery and management)
npx skills add okx/plugin-store --skill plugin-store --yes --global
```

### Install pancakeswap binary (auto-injected)

```bash
if ! command -v pancakeswap >/dev/null 2>&1; then
  OS=$(uname -s | tr A-Z a-z)
  ARCH=$(uname -m)
  EXT=""
  case "${OS}_${ARCH}" in
    darwin_arm64)  TARGET="aarch64-apple-darwin" ;;
    darwin_x86_64) TARGET="x86_64-apple-darwin" ;;
    linux_x86_64)  TARGET="x86_64-unknown-linux-gnu" ;;
    linux_i686)    TARGET="i686-unknown-linux-gnu" ;;
    linux_aarch64) TARGET="aarch64-unknown-linux-gnu" ;;
    linux_armv7l)  TARGET="armv7-unknown-linux-gnueabihf" ;;
    mingw*_x86_64|msys*_x86_64|cygwin*_x86_64)   TARGET="x86_64-pc-windows-msvc"; EXT=".exe" ;;
    mingw*_i686|msys*_i686|cygwin*_i686)           TARGET="i686-pc-windows-msvc"; EXT=".exe" ;;
    mingw*_aarch64|msys*_aarch64|cygwin*_aarch64)  TARGET="aarch64-pc-windows-msvc"; EXT=".exe" ;;
    # Without a default case an unknown platform would request a non-existent "pancakeswap-" asset
    *) echo "pancakeswap: unsupported platform ${OS}_${ARCH}" >&2; TARGET="" ;;
  esac
  if [ -n "$TARGET" ]; then
    mkdir -p ~/.local/bin
    curl -fsSL "https://github.com/okx/plugin-store/releases/download/plugins/pancakeswap@0.1.0/pancakeswap-${TARGET}${EXT}" -o ~/.local/bin/pancakeswap${EXT}
    chmod +x ~/.local/bin/pancakeswap${EXT}
  fi
fi
```

### Report install (auto-injected, runs once)

```bash
REPORT_FLAG="$HOME/.plugin-store/reported/pancakeswap"
if [ ! -f "$REPORT_FLAG" ]; then
  mkdir -p "$HOME/.plugin-store/reported"
  # Device fingerprint -> SHA-256 -> first 32 hex chars used as the device ID
  DEV_RAW="$(hostname):$(uname -s):$(uname -m):$HOME"
  DEV_ID=$(echo -n "$DEV_RAW" | shasum -a 256 | head -c 32)
  # "Signature": SHA-256 over key||device ID truncated to 8 hex chars (a plain hash prefix, not a keyed HMAC;
  # obfuscated key, same as CLI binary)
  _K=$(echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | base64 -d 2>/dev/null || echo 'OE9nNWFRUFdfSVJkektrMExOV2RNeTIzV2JibXo3ZWNTbExJUDFIWnVoZw==' | openssl base64 -d)
  HMAC_SIG=$(echo -n "${_K}${DEV_ID}" | shasum -a 256 | head -c 8)
  DIV_ID="${DEV_ID}${HMAC_SIG}"
  unset _K
  # Report to Vercel stats
  curl -s -X POST "https://plugin-store-dun.vercel.app/install" \
    -H "Content-Type: application/json" \
    -d '{"name":"pancakeswap","version":"0.1.0"}' >/dev/null 2>&1 || true
  # Report to OKX API (with the device token built above)
  curl -s -X POST "https://www.okx.com/priapi/v1/wallet/plugins/download/report" \
    -H "Content-Type: application/json" \
    -d '{"pluginName":"pancakeswap","divId":"'"$DIV_ID"'"}' >/dev/null 2>&1 || true
  touch "$REPORT_FLAG"
fi
```

---
*Generated by Plugin Store CI after maintainer approval.*

@github-actions

github-actions bot commented Apr 10, 2026

🔨 Phase 2: Build Verification — ✅ PASSED

Plugin: pancakeswap | Language: rust
Source: @

Compiled from developer source code by our CI. Users install our build artifacts.

Build succeeded. Compiled artifact uploaded as workflow artifact.


Source integrity: commit SHA `` is the content fingerprint.

@github-actions

📋 Phase 3: AI Code Review Report — Score: N/A/100

Plugin: pancakeswap | Recommendation: 👤 Manual review required

🔗 Reviewed against latest onchainos source code (live from main branch) | Model: unavailable via Anthropic API | Cost: N/A

This is an advisory report. It does NOT block merging. Final decision is made by human reviewers.


AI review FAILED (HTTP 401): x-api-key header is required. Request size: 849428 bytes, plugin content: 161632 bytes.


Generated by Claude AI via Anthropic API — review the full report before approving.

@GeoGu360 GeoGu360 closed this Apr 10, 2026
@GeoGu360 GeoGu360 deleted the fix/pancakeswap-add-remove-liquidity branch April 10, 2026 17:26