feat: add ows swap quote command via LI.FI

[Sertug17]

Part of #125

Adds ows swap quote — a dry-run cross-chain swap route lookup powered by LI.FI's aggregation API (27 bridges, 31 DEXs, 58 chains).

Usage

# Same-chain swap quote
ows swap quote --wallet my-wallet --from ETH --to USDC --amount 0.1 --from-chain ethereum

# Cross-chain swap quote
ows swap quote --wallet my-wallet --from ETH --to USDC --amount 0.5 --from-chain ethereum --to-chain base

# Output example:
#   Swap Route
#   ----------
#   0.1 ETH -> 186.31 USDC
#   Min received:  185.44 USDC
#   Via:           1inch
#   Gas cost:      ~$0.02
#   Est. time:     30s
#
#   [dry-run — no transaction signed]

Changes

ows-pay: new swap.rs module

• LI.FI /v1/quote API client (no SDK dependency, pure REST)
• SwapParams / SwapResult types
• swap_dry_run() — fetches route, formats amounts, returns result
• Token amount formatting with decimal handling
• 3 unit tests for format_amount

ows-cli: new swap subcommand

• ows swap quote with flags: --wallet, --from, --to, --amount, --from-chain, --to-chain, --slippage, --order
• Human-readable output with route details

Not included in this PR

• Transaction signing (follow-up PR)
• ows bridge alias (same as ows swap with --to-chain)
• ows swap execute (after signing integration)
• max_value_usd / allowed_tokens policy rules

---

Note

Medium Risk
Introduces a new external HTTP integration (LI.FI) and new CLI surface area; while it’s quote-only (no signing), failures or parameter/amount formatting issues could impact user output and reliability.

Overview
Adds a new ows swap quote CLI subcommand that loads a wallet, derives an EVM address, converts the user’s amount to a raw integer string, and prints a swap/bridge route summary (min received, tool, gas estimate, duration) as a dry-run.

Introduces a new ows-pay swap module that calls LI.FI’s /v1/quote REST API, deserializes the response, formats token amounts by decimals, and exposes SwapParams, SwapResult, and swap_dry_run() (with unit tests for format_amount).

^{Reviewed by Cursor Bugbot for commit 5b1e6aa. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

@Sertug17 is attempting to deploy a commit to the MoonPay Team on Vercel.

A member of the Team first needs to authorize it.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 5b1e6aa. Configure here.}

[cursor]

Hardcoded decimals wrong for most token types

High Severity

The decimal heuristic only recognizes USDC and USDT as 6-decimal tokens and defaults everything else to 18. Common tokens like WBTC (8 decimals), GUSD (2 decimals), or any other non-18-decimal token will have amount_to_raw produce a wildly incorrect raw amount. For example, swapping 0.1 WBTC computes a fromAmount of 10^17 instead of 10^7 — off by a factor of 10 billion — resulting in a completely wrong quote from the LI.FI API.

 

^{Reviewed by Cursor Bugbot for commit 5b1e6aa. Configure here.}

[cursor]

Third-party API response body included in error

Low Severity

The full LI.FI API error response body is captured via resp.text() and embedded verbatim into the PayError message, which then propagates to the CLI and gets printed. This includes an unfiltered third-party payload in error output, violating the sensitive data logging rule that prohibits logging full HTTP response bodies or third-party payloads.

 

^{Triggered by team rule: Sensitive Data Logging Best Practices}

^{Reviewed by Cursor Bugbot for commit 5b1e6aa. Configure here.}