Add Shulam compliance screening and trust scoring skills #168
shulam-pay wants to merge 1 commit into BankrBot:main
- OFAC/SDN screening with clear/held/blocked status mapping
- Trust scores (0-100) with 6-dimension breakdown and tier classification
- Combined compliance + trust check (parallel execution)
- Zero dependencies (raw fetch), exponential backoff on 429
- Free tier: 100 requests/day

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 3 potential issues.
| const retryAfter = response.headers.get('Retry-After'); | ||
| const delayMs = retryAfter | ||
| ? parseInt(retryAfter, 10) * 1000 | ||
| : Math.min(1000 * 2 ** attempt, 30_000); |
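Review bot: the Retry-After branch, parseInt(retryAfter, 10) * 1000, has no upper bound, while the fallback on the next line is clamped with Math.min(..., 30_000), so a server-supplied header alone decides how long the caller sleeps. Check that the parsed value is a finite, non-negative number and apply the same 30_000 cap to it, using the exponential delay whenever the header does not parse.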
Retry-After date format causes zero backoff delay
Medium Severity
When the Retry-After header contains an HTTP date string (a valid format per RFC 7231), parseInt returns NaN, making delayMs equal to NaN. Since setTimeout treats NaN as 0, the sleep resolves immediately. The truthy check on retryAfter prevents the exponential backoff fallback from being used. This causes rapid-fire retries against a rate-limited endpoint with no delay whatsoever.
| } | ||
|
|
||
| throw lastError ?? new Error('Request failed after retries'); | ||
| } |
Duplicated infrastructure code across both skill files
Low Severity
fetchWithBackoff, sleep, getApiKey, getApiUrl, STATUS_MAP, and ComplianceStatus are near-identically duplicated between the two skill files. Notably, combinedCheck in the trust-scoring skill reimplements compliance screening rather than importing from the compliance-screening skill, meaning any bug fix or behavior change to screening logic needs to be applied in two places independently.
| : Math.min(1000 * 2 ** attempt, 30_000); | ||
| await sleep(delayMs); | ||
| continue; | ||
| } |
429 handler sleeps unnecessarily on final retry attempt
Medium Severity
The 429 handling path always sleeps before continue, even on the final attempt when no retry will follow. The error catch path correctly guards this with if (attempt < maxRetries), but the 429 path is missing the same guard. If the server returns a large Retry-After value on the last attempt, the caller blocks for up to 30 seconds (or more) for no reason before the function throws.
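The two retry findings above (an HTTP-date Retry-After becoming a NaN delay, and a sleep after the final 429) handled together in an added TypeScript example. This is not code from the pull request: retryDelayMs, fetchWithRetry, Resp and the injected doFetch and sleep parameters are assumed names, and only the 30_000 ms cap is taken from the quoted lines.

```typescript
// Added example: retryDelayMs, fetchWithRetry and Resp are hypothetical names.
const MAX_DELAY_MS = 30_000; // same cap the quoted fallback uses

// Retry-After is either delta-seconds ("120") or an HTTP-date (RFC 7231).
function retryDelayMs(header: string | null, attempt: number, now: number = Date.now()): number {
  const fallback = Math.min(1000 * 2 ** attempt, MAX_DELAY_MS);
  if (header === null) return fallback;
  const value = header.trim();
  // Digits only: delta-seconds. Anything else: try it as a date.
  const ms = /^\d+$/.test(value) ? Number(value) * 1000 : Date.parse(value) - now;
  // An unparseable header yields NaN; fall back instead of handing NaN to setTimeout.
  if (!Number.isFinite(ms)) return fallback;
  // A date in the past means "retry now"; a huge value is clamped to the cap.
  return Math.min(Math.max(ms, 0), MAX_DELAY_MS);
}

type Resp = { status: number; headers: { get(name: string): string | null } };

// doFetch and sleep are injected so the loop can be exercised without a network.
async function fetchWithRetry(
  doFetch: () => Promise<Resp>,
  maxRetries: number = 3,
  sleep: (ms: number) => Promise<void> = (ms) => new Promise<void>((r) => setTimeout(r, ms)),
): Promise<Resp> {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    const response = await doFetch();
    if (response.status !== 429) return response;
    // Sleep only when another attempt follows; the last 429 fails immediately.
    if (attempt < maxRetries) {
      await sleep(retryDelayMs(response.headers.get('Retry-After'), attempt));
    }
  }
  throw new Error('Rate limited: retries exhausted');
}
```

Clamping the header value as well as the fallback means the server can lengthen the wait only up to the cap the client already accepts.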


Summary
clear, held, or blocked status with match scores.
Both skills use zero dependencies (raw fetch), include exponential backoff on rate limits, and are free for 100 requests/day.
Test plan
🤖 Generated with Claude Code
Note
Medium Risk
Introduces new network-facing skills that depend on external API behavior and environment configuration; failures or schema changes could impact agent flows, but changes are additive and isolated to new modules.
Overview
Adds a new shulam provider with two installable skills: Compliance Screening (single + batch wallet screening via Shulam CaaS, returning clear/held/blocked with match metadata) and Trust Scoring (wallet trust score lookup with tier + breakdown, plus a combinedCheck that runs trust + compliance in parallel).
Both skills are implemented as dependency-free TypeScript modules using raw fetch, include exponential backoff handling for 429 responses, and document required env vars (SHULAM_API_KEY, optional SHULAM_API_URL, plus MIN_TRUST_SCORE); trust scoring also adds a 60s in-memory cache with a clearCache helper.
Written by Cursor Bugbot for commit fb9ac3c. This will update automatically on new commits.