@adastracomputing/ink 0.1.0-alpha.2 → 0.1.0-alpha.5

package/src/ink/discovery-gating.ts

@@ -1,147 +0,0 @@
-/**
- * Capability-gated Agent Card discovery.
- *
- * Implements §6 of the INK Containment spec:
- * - Redacted cards for unauthenticated requests on non-public visibility
- * - Authenticated card query endpoint schemas
- * - Access denial response schemas
- */
-
-import { z } from "zod";
-import { AgentCardSchema, type AgentCard } from "../models/agent-card.js";
-import type { AgentCardVisibility } from "../models/ink-handshake.js";
-
-export { AgentCardVisibilitySchema, type AgentCardVisibility } from "../models/ink-handshake.js";
-
-// ── Redacted card ──
-
-export interface RedactedAgentCard {
-  type: "tulpa.agent.card";
-  version: "1.0";
-  agentId: string;
-  displayName?: string;
-  visibility: "network_only" | "capability_gated";
-  supportsInk: true;
-  discoveryMode: "authenticate_for_details";
-  /**
-   * Bootstrap / legacy single public key. Preserved so peers can still verify
-   * Ed25519 signatures from cards without a full keys block.
-   */
-  publicKeyMultibase: string;
-  /**
-   * Authoritative signing key set (rotation). Public material only — revealing
-   * these is safe and necessary so peers can discover key rotations even when
-   * the rest of the Card is gated. Without this, an agent that rotated to a
-   * new key under network_only / capability_gated visibility would be
-   * unverifiable to first-contact peers.
-   */
-  keys?: {
-    signing: Array<{
-      keyId: string;
-      publicKeyMultibase: string;
-      status: "active" | "retired" | "revoked";
-      /** Validity-window fields are preserved in the redacted card so a
-       * first-contact peer that only ever sees the redacted form still
-       * enforces the same `[validFrom, validUntil]` bound the full card
-       * would. Stripping them creates a softer verification path. */
-      validFrom?: string;
-      validUntil?: string;
-      revokedAt?: string;
-    }>;
-  };
-  updatedAt: string;
-}
-
-/**
- * Build a redacted Agent Card from a full card.
- *
- * Strips capabilities, endpoints, availability, profile, and other
- * sensitive-on-a-closed-card fields. **Public signing keys are preserved**:
- * Ed25519 public keys are not secrets — they are the identity. Hiding them
- * would prevent peers from verifying signatures across key rotation when the
- * full Card is gated.
- */
-export function buildRedactedCard(card: AgentCard): RedactedAgentCard {
-  // `visibility` is typed on AgentCard but a malformed runtime value can
-  // still slip through (e.g. a card deserialised without schema validation).
-  // Default to `capability_gated` — the least-privilege visibility — when
-  // the field is anything other than the known enum members.
-  const visibility: "network_only" | "capability_gated" =
-    card.visibility === "network_only" ? "network_only" : "capability_gated";
-  const out: RedactedAgentCard = {
-    type: "tulpa.agent.card",
-    version: "1.0",
-    agentId: card.agentId,
-    displayName: card.displayName,
-    supportsInk: true,
-    discoveryMode: "authenticate_for_details",
-    visibility,
-    publicKeyMultibase: card.publicKeyMultibase,
-    updatedAt: new Date().toISOString(),
-  };
-  // Preserve `keys.signing` on PRESENCE, not on truthiness/length.
-  // An empty signing array is an authoritative "no usable signing
-  // keys" statement (e.g. all keys revoked) and the verifier's key
-  // rotation authority rule treats it as a reject-all signal. Dropping
-  // the field here would let peers fall back to publicKeyMultibase or
-  // bootstrap derivation, undoing the rotation. See
-  // multi-key-verify and middleware/ink-auth for the authority rule.
-  if (Array.isArray(card.keys?.signing)) {
-    out.keys = {
-      signing: card.keys.signing.map((k) => ({
-        keyId: k.keyId,
-        publicKeyMultibase: k.publicKeyMultibase,
-        status: k.status,
-        // Preserve validity / revocation metadata: these are public
-        // facts about the key, not secrets, and a redacted card must
-        // not be weaker than the full card for signature verification.
-        validFrom: k.validFrom,
-        validUntil: k.validUntil,
-        revokedAt: k.revokedAt,
-      })),
-    };
-  }
-  return out;
-}
-
-// ── Query/Response schemas ──
-
-export const AgentCardQuerySchema = z.object({
-  protocol: z.literal("ink/0.1"),
-  type: z.literal("network.tulpa.agent_card_query"),
-  from: z.string(),
-  nonce: z.string(),
-  timestamp: z.string().datetime(),
-  requestedFields: z.array(z.string()).optional(),
-});
-
-export type AgentCardQuery = z.infer<typeof AgentCardQuerySchema>;
-
-export const AgentCardResponseSchema = z.object({
-  protocol: z.literal("ink/0.1"),
-  type: z.literal("network.tulpa.agent_card_response"),
-  card: AgentCardSchema,
-  grantedFields: z.array(z.string()),
-  timestamp: z.string().datetime(),
-});
-
-export type AgentCardResponse = z.infer<typeof AgentCardResponseSchema>;
-
-export const AgentCardDeniedSchema = z.object({
-  protocol: z.literal("ink/0.1"),
-  type: z.literal("network.tulpa.agent_card_denied"),
-  reason: z.enum(["unknown_requester", "insufficient_trust", "not_connected"]),
-  timestamp: z.string().datetime(),
-});
-
-export type AgentCardDenied = z.infer<typeof AgentCardDeniedSchema>;
-
-// ── Visibility check ──
-
-/**
- * Determine whether an unauthenticated GET should return a full card
- * or a redacted card based on visibility setting.
- */
-export function shouldRedactOnGet(visibility: AgentCardVisibility): boolean {
-  return visibility !== "public";
-}

package/src/ink/handshake-budget.ts

@@ -1,413 +0,0 @@
-/**
- * Handshake flood resistance — per-correlation and per-sender budget tracking.
- *
- * Implements §5 of the INK Containment spec:
- * - Per-correlation budgets: max challenges, terminal states, total transitions, TTL
- * - Per-sender rate limits: sliding window for intents and total handshake messages
- * - First violation returns typed rejection with backoff hint
- * - Subsequent violations are silent drops
- */
-
-import type { InkBackoffHint } from "../models/ink-handshake.js";
-
-// ── Budget constants ──
-
-const DEFAULT_MAX_CHALLENGES = 3;
-const DEFAULT_MAX_TOTAL_TRANSITIONS = 5;
-const DEFAULT_MAX_INTENTS_PER_MINUTE = 10;
-const DEFAULT_MAX_HANDSHAKE_MSGS_PER_MINUTE = 30;
-const DEFAULT_MAX_CORRELATIONS = 10_000;
-const DEFAULT_MAX_SENDERS = 1_000;
-const DEFAULT_MAX_REJECTION_ENTRIES = 5_000;
-const DEFAULT_PRUNE_INTERVAL = 100;
-const DEFAULT_HANDSHAKE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
-// Cap correlationId and fromDid lengths to prevent memory exhaustion via large IDs.
-// Real correlation IDs are UUIDs (~36 chars); agent DIDs are ~50-100 chars.
-// 256 is generous headroom while bounding per-entry memory cost.
-const MAX_ID_LENGTH = 256;
-const SENDER_REJECTION_WINDOW_MS = 60_000;
-
-const TERMINAL_TYPES = new Set(["rejection", "resolution"]);
-
-// ── Types ──
-
-interface CorrelationState {
-  challenges: number;
-  totalTransitions: number;
-  terminal: boolean;
-  expiresAt: number; // epoch ms
-  createdAt: number;
-}
-
-interface SenderState {
-  intentTimestamps: number[];
-  handshakeTimestamps: number[];
-  lastActivity: number; // epoch ms — used for LRU eviction
-}
-
-export interface BudgetCheckResult {
-  allowed: boolean;
-  reason?: string;
-  backoffHint?: InkBackoffHint;
-  silentDrop?: boolean;
-}
-
-export interface HandshakeBudgetConfig {
-  maxChallenges?: number;
-  maxTotalTransitions?: number;
-  maxIntentsPerMinute?: number;
-  maxHandshakeMsgsPerMinute?: number;
-  maxCorrelations?: number;
-  maxSenders?: number;
-  maxRejectionEntries?: number;
-}
-
-// ── Budget tracker ──
-
-export class HandshakeBudgetTracker {
-  private correlations = new Map<string, CorrelationState>();
-  private senders = new Map<string, SenderState>();
-  private rejectionsSent = new Set<string>(); // "${correlationId}:${fromDid}"
-  // Tracks when a sender last received a rate-limit rejection. Subsequent
-  // violations within SENDER_REJECTION_WINDOW_MS are silent-dropped to prevent
-  // an over-limit sender from forcing repeated reject/backoff responses.
-  private senderRejectionsSent = new Map<string, number>();
-
-  private readonly maxChallenges: number;
-  private readonly maxTotalTransitions: number;
-  private readonly maxIntentsPerMinute: number;
-  private readonly maxHandshakeMsgsPerMinute: number;
-  private readonly maxCorrelations: number;
-  private readonly maxSenders: number;
-  private readonly maxRejectionEntries: number;
-  private checkCounter = 0;
-
-  constructor(config: HandshakeBudgetConfig = {}) {
-    const pos = (v: number | undefined, def: number, cap: number): number => {
-      if (typeof v !== "number" || !Number.isFinite(v) || v <= 0) return def;
-      return Math.min(Math.floor(v), cap);
-    };
-    this.maxChallenges = pos(config.maxChallenges, DEFAULT_MAX_CHALLENGES, 1_000);
-    this.maxTotalTransitions = pos(config.maxTotalTransitions, DEFAULT_MAX_TOTAL_TRANSITIONS, 10_000);
-    this.maxIntentsPerMinute = pos(config.maxIntentsPerMinute, DEFAULT_MAX_INTENTS_PER_MINUTE, 100_000);
-    this.maxHandshakeMsgsPerMinute = pos(config.maxHandshakeMsgsPerMinute, DEFAULT_MAX_HANDSHAKE_MSGS_PER_MINUTE, 100_000);
-    this.maxCorrelations = pos(config.maxCorrelations, DEFAULT_MAX_CORRELATIONS, 1_000_000);
-    this.maxSenders = pos(config.maxSenders, DEFAULT_MAX_SENDERS, 1_000_000);
-    this.maxRejectionEntries = pos(config.maxRejectionEntries, DEFAULT_MAX_REJECTION_ENTRIES, 1_000_000);
-  }
-
-  checkAndRecord(params: {
-    correlationId: string;
-    fromDid: string;
-    messageType: "intent" | "challenge" | "rejection" | "resolution";
-    intentExpiresAt?: string;
-  }): BudgetCheckResult {
-    const { correlationId, fromDid, messageType, intentExpiresAt } = params;
-    const now = Date.now();
-    // Reject unbounded IDs before they hit Map keys / Set entries — caps the
-    // per-entry memory cost regardless of the maxCorrelations / maxSenders
-    // count caps. Stringifying the whole pair amplifies the attack surface.
-    if (typeof correlationId !== "string" || correlationId.length > MAX_ID_LENGTH ||
-        typeof fromDid !== "string" || fromDid.length > MAX_ID_LENGTH) {
-      return { allowed: false, reason: "handshake_budget_exhausted", silentDrop: true };
-    }
-    // Use JSON encoding to prevent key collisions when IDs contain colons.
-    // e.g. correlationId="a:b", fromDid="c" vs correlationId="a", fromDid="b:c"
-    // would both produce "a:b:c" with naive string concatenation.
-    const pairKey = JSON.stringify([correlationId, fromDid]);
-
-    // Periodic pruning of expired state
-    this.checkCounter++;
-    if (this.checkCounter >= DEFAULT_PRUNE_INTERVAL) {
-      this.checkCounter = 0;
-      this.pruneExpired();
-    }
-
-    // Check per-sender rate limits first (applies across all correlations)
-    const senderResult = this.checkSenderLimits(fromDid, messageType, now);
-    if (!senderResult.allowed) {
-      return senderResult;
-    }
-
-    // Record sender activity FIRST so per-sender limits accumulate on every
-    // syntactically valid attempt — including ones that fail downstream
-    // budget checks. Otherwise an attacker varying correlationId can trigger
-    // unlimited typed rejections without ever hitting the per-sender cap.
-    this.recordSenderActivity(fromDid, messageType, now);
-
-    // Check TTL from intent expiry.
-    // Distinguish "field absent" (undefined) from "field present but
-    // malformed/empty". An intent that supplies `intentExpiresAt: ""`
-    // is malformed — treat it as a rejected handshake instead of
-    // falling through to the default 24h TTL (which would let
-    // attacker-supplied empty expiries retain state longer than the
-    // sender's claimed window). Also guard against NaN: new
-    // Date("garbage").getTime() returns NaN and NaN <= now is false.
-    let parsedExpiryMs: number | null = null;
-    if (intentExpiresAt !== undefined) {
-      // Length cap matches the timestamp cap used everywhere else in
-      // INK (64 chars, well above any real ISO 8601 string). Without
-      // this, a sender can submit a multi-megabyte expiry string and
-      // force the JS engine into a long Date parser run before the
-      // budget tracker rejects.
-      if (
-        typeof intentExpiresAt !== "string" ||
-        intentExpiresAt.length === 0 ||
-        intentExpiresAt.length > 64
-      ) {
-        return this.makeRejection(pairKey, "handshake_budget_exhausted", {
-          backoffClass: "intent_ref",
-        });
-      }
-      const expiryMs = new Date(intentExpiresAt).getTime();
-      if (!Number.isFinite(expiryMs) || expiryMs <= now) {
-        return this.makeRejection(pairKey, "handshake_budget_exhausted", {
-          backoffClass: "intent_ref",
-        });
-      }
-      parsedExpiryMs = expiryMs;
-    }
-
-    // Get or create correlation state. KEY BY pairKey, not correlationId,
-    // so two senders that happen to use the same correlationId can't
-    // consume each other's transitions or set terminal state on each
-    // other's handshake.
-    let state = this.correlations.get(pairKey);
-    if (!state) {
-      // Enforce memory bounds before creating new entry
-      this.enforceMemoryBounds();
-
-      // Reuse the parsed expiry from above instead of re-parsing.
-      const ttl = parsedExpiryMs !== null
-        ? Math.min(parsedExpiryMs, now + DEFAULT_HANDSHAKE_TTL_MS)
-        : now + DEFAULT_HANDSHAKE_TTL_MS;
-
-      state = {
-        challenges: 0,
-        totalTransitions: 0,
-        terminal: false,
-        expiresAt: ttl,
-        createdAt: now,
-      };
-      this.correlations.set(pairKey, state);
-    }
-
-    // Check if correlation has expired
-    if (state.expiresAt <= now) {
-      return this.makeRejection(pairKey, "handshake_budget_exhausted", {
-        backoffClass: "intent_ref",
-      });
-    }
-
-    // Check if terminal state was already reached
-    if (state.terminal) {
-      return this.makeRejection(pairKey, "handshake_budget_exhausted", {
-        backoffClass: "intent_ref",
-      });
-    }
-
-    // Check total transitions
-    if (state.totalTransitions >= this.maxTotalTransitions) {
-      return this.makeRejection(pairKey, "handshake_budget_exhausted", {
-        backoffClass: "intent_ref",
-      });
-    }
-
-    // Check per-type limits
-    if (messageType === "challenge" && state.challenges >= this.maxChallenges) {
-      return this.makeRejection(pairKey, "handshake_budget_exhausted", {
-        backoffClass: "intent_ref",
-      });
-    }
-
-    // Record the message
-    state.totalTransitions++;
-    if (messageType === "challenge") {
-      state.challenges++;
-    }
-    if (TERMINAL_TYPES.has(messageType)) {
-      state.terminal = true;
-    }
-
-    // Sender activity was already recorded above (before the budget checks)
-    // so per-sender limits accumulate even on rejected attempts.
-
-    return { allowed: true };
-  }
-
-  pruneExpired(): void {
-    const now = Date.now();
-    for (const [pairKey, state] of this.correlations) {
-      if (state.expiresAt <= now) {
-        this.correlations.delete(pairKey);
-        // Rejection tracking is keyed by the same pairKey, so we can drop
-        // it directly.
-        this.rejectionsSent.delete(pairKey);
-      }
-    }
-
-    // Prune stale sender windows
-    const oneMinuteAgo = now - 60_000;
-    for (const [did, state] of this.senders) {
-      state.intentTimestamps = state.intentTimestamps.filter((t) => t > oneMinuteAgo);
-      state.handshakeTimestamps = state.handshakeTimestamps.filter((t) => t > oneMinuteAgo);
-      if (state.intentTimestamps.length === 0 && state.handshakeTimestamps.length === 0) {
-        this.senders.delete(did);
-      }
-    }
-
-    // Prune sender-rejection records older than the silent-drop window.
-    for (const [did, ts] of this.senderRejectionsSent) {
-      if (now - ts >= SENDER_REJECTION_WINDOW_MS) {
-        this.senderRejectionsSent.delete(did);
-      }
-    }
-  }
-
-  private checkSenderLimits(
-    fromDid: string,
-    messageType: string,
-    now: number,
-  ): BudgetCheckResult {
-    const state = this.senders.get(fromDid);
-    if (!state) return { allowed: true };
-
-    const oneMinuteAgo = now - 60_000;
-
-    // Check per-minute intent limit
-    if (messageType === "intent") {
-      const recentIntents = state.intentTimestamps.filter((t) => t > oneMinuteAgo);
-      if (recentIntents.length >= this.maxIntentsPerMinute) {
-        return this.makeSenderRejection(fromDid, now);
-      }
-    }
-
-    // Check per-minute total handshake message limit
-    const recentHandshake = state.handshakeTimestamps.filter((t) => t > oneMinuteAgo);
-    if (recentHandshake.length >= this.maxHandshakeMsgsPerMinute) {
-      return this.makeSenderRejection(fromDid, now);
-    }
-
-    return { allowed: true };
-  }
-
-  // Sender-level rate-limit rejection. Sends a typed reject (with backoff hint)
-  // the first time a sender crosses the limit in the current window; silent-drops
-  // subsequent violations until the window resets. Mirrors the per-correlation
-  // makeRejection pattern from §5 of the INK Containment spec.
-  private makeSenderRejection(fromDid: string, now: number): BudgetCheckResult {
-    const lastSent = this.senderRejectionsSent.get(fromDid);
-    if (lastSent !== undefined && now - lastSent < SENDER_REJECTION_WINDOW_MS) {
-      return { allowed: false, reason: "sender_rate_limited", silentDrop: true };
-    }
-    // Bound the map by maxSenders to prevent attacker-driven growth. Evict the
-    // oldest record if at capacity; the pruneExpired pass also cleans up
-    // records older than the silent-drop window.
-    if (this.senderRejectionsSent.size >= this.maxSenders &&
-        !this.senderRejectionsSent.has(fromDid)) {
-      let oldestDid: string | null = null;
-      let oldestTs = Infinity;
-      for (const [d, t] of this.senderRejectionsSent) {
-        if (t < oldestTs) { oldestTs = t; oldestDid = d; }
-      }
-      if (oldestDid) this.senderRejectionsSent.delete(oldestDid);
-    }
-    this.senderRejectionsSent.set(fromDid, now);
-    return {
-      allowed: false,
-      reason: "sender_rate_limited",
-      backoffHint: { retryAfterSeconds: 60, backoffClass: "sender" },
-      silentDrop: false,
-    };
-  }
-
-  private recordSenderActivity(fromDid: string, messageType: string, now: number): void {
-    let state = this.senders.get(fromDid);
-    if (!state) {
-      // Enforce sender cap before adding a new entry
-      this.enforceSenderBounds();
-      state = { intentTimestamps: [], handshakeTimestamps: [], lastActivity: now };
-      this.senders.set(fromDid, state);
-    }
-
-    state.lastActivity = now;
-    if (messageType === "intent") {
-      state.intentTimestamps.push(now);
-    }
-    state.handshakeTimestamps.push(now);
-  }
-
-  private makeRejection(
-    pairKey: string,
-    reason: string,
-    backoffHint: InkBackoffHint,
-  ): BudgetCheckResult {
-    if (this.rejectionsSent.has(pairKey)) {
-      return { allowed: false, reason, silentDrop: true };
-    }
-    this.rejectionsSent.add(pairKey);
-    this.enforceRejectionBounds();
-    return { allowed: false, reason, backoffHint, silentDrop: false };
-  }
-
-  private enforceRejectionBounds(): void {
-    if (this.rejectionsSent.size <= this.maxRejectionEntries) return;
-
-    // Prune rejection entries whose backing correlation no longer exists
-    // (already expired or evicted). Rejection keys and correlation keys are
-    // both pairKeys now, so the lookup is direct.
-    const now = Date.now();
-    for (const key of this.rejectionsSent) {
-      const state = this.correlations.get(key);
-      if (!state || state.expiresAt <= now) {
-        this.rejectionsSent.delete(key);
-      }
-    }
-
-    // If still over limit, clear the oldest half (Set maintains insertion order)
-    if (this.rejectionsSent.size > this.maxRejectionEntries) {
-      const entries = [...this.rejectionsSent];
-      const keepFrom = Math.floor(entries.length / 2);
-      this.rejectionsSent.clear();
-      for (let i = keepFrom; i < entries.length; i++) {
-        this.rejectionsSent.add(entries[i]!);
-      }
-    }
-  }
-
-  private enforceSenderBounds(): void {
-    if (this.senders.size < this.maxSenders) return;
-
-    // Evict sender with oldest lastActivity
-    let oldestDid: string | null = null;
-    let oldestTime = Infinity;
-    for (const [did, state] of this.senders) {
-      if (state.lastActivity < oldestTime) {
-        oldestTime = state.lastActivity;
-        oldestDid = did;
-      }
-    }
-    if (oldestDid) {
-      this.senders.delete(oldestDid);
-    }
-  }
-
-  private enforceMemoryBounds(): void {
-    if (this.correlations.size < this.maxCorrelations) return;
-
-    // Evict oldest entry (by createdAt)
-    let oldestKey: string | null = null;
-    let oldestTime = Infinity;
-    for (const [key, state] of this.correlations) {
-      if (state.createdAt < oldestTime) {
-        oldestTime = state.createdAt;
-        oldestKey = key;
-      }
-    }
-    if (oldestKey) {
-      this.correlations.delete(oldestKey);
-      // Rejection tracking is keyed by the same pairKey, so drop directly.
-      this.rejectionsSent.delete(oldestKey);
-    }
-  }
-}

package/src/ink/receipts.ts

@@ -1,114 +0,0 @@
-import { computeMessageHash, signInkMessage, buildAuthHeader } from "../crypto/ink.js";
-import { signMessage } from "../crypto/sign.js";
-import { isPrivateHostname } from "../discovery/agent-card.js";
-import type { InkReceipt } from "../models/ink-audit.js";
-
-export interface BuildReceiptInput {
-  from: string;
-  to: string;
-  messageId: string;
-  messageBody: Record<string, unknown>;
-  disposition: "received" | "delivered" | "acted" | "rejected";
-  note?: string;
-  privateKey: Uint8Array;
-}
-
-/** Build a signed INK receipt envelope. */
-export async function buildReceipt(input: BuildReceiptInput): Promise<InkReceipt> {
-  if (input === null || typeof input !== "object" || Array.isArray(input)) {
-    throw new Error("input must be a non-null object");
-  }
-  if (!(input.privateKey instanceof Uint8Array) || input.privateKey.length !== 32) {
-    throw new Error("input.privateKey must be a 32-byte Uint8Array");
-  }
-  const now = new Date().toISOString();
-  const messageHash = await computeMessageHash(input.messageBody);
-  const nonce = crypto.randomUUID().replace(/-/g, "");
-
-  const unsigned = {
-    protocol: "ink/0.1" as const,
-    type: "network.tulpa.receipt" as const,
-    from: input.from,
-    to: input.to,
-    messageId: input.messageId,
-    disposition: input.disposition,
-    dispositionAt: now,
-    messageHash,
-    nonce,
-    timestamp: now,
-    ...(input.note ? { note: input.note } : {}),
-  };
-
-  const signature = await signMessage(unsigned as unknown as Record<string, unknown>, input.privateKey);
-
-  return { ...unsigned, signature };
-}
-
-/** Loop prevention: don't send receipts for receipts or audit messages. */
-const NO_RECEIPT_TYPES = new Set([
-  "network.tulpa.receipt",
-  "network.tulpa.audit_query",
-  "network.tulpa.audit_response",
-  "network.tulpa.audit_submit",
-  "network.tulpa.audit_inclusion",
-]);
-
-export function shouldSendReceipt(intentOrType: string): boolean {
-  return !NO_RECEIPT_TYPES.has(intentOrType);
-}
-
-export interface SendReceiptOptions {
-  /** Allow endpoints whose hostname is loopback / private / link-local /
-   *  IANA special-use. Off by default — flip on only for tests or for
-   *  intentional intranet deployments where peer endpoints are trusted. */
-  allowPrivateHosts?: boolean;
-}
-
-/** Fire-and-forget POST of a receipt with INK request signature. Never throws.
- *
- *  Endpoint MUST be an absolute `https://` URL. Other schemes (file://, data:,
- *  blob:, http://) are rejected silently to prevent SSRF and local-file
- *  exfiltration when integrators pass peer-supplied URLs without sanitising.
- *
- *  Mirrors the SSRF defenses in fetchAgentCard: https-only, no userinfo,
- *  literal-hostname allowlist excluding private/loopback/special-use, no
- *  redirect following, request timeout. DNS rebinding is still the
- *  integrator's responsibility — pass a connect-time-pinning `fetchFn`
- *  when the endpoint is not fully trusted. */
-export async function sendReceiptFireAndForget(
-  endpoint: string,
-  receipt: InkReceipt,
-  privateKey: Uint8Array,
-  fetchFn: typeof fetch = globalThis.fetch,
-  signingKeyId?: string,
-  options?: SendReceiptOptions,
-): Promise<void> {
-  try {
-    let url: URL;
-    try { url = new URL(endpoint); } catch { return; }
-    if (url.protocol !== "https:") return;
-    if (url.username || url.password) return;
-    if (!options?.allowPrivateHosts && isPrivateHostname(url.hostname)) return;
-
-    const sig = await signInkMessage({
-      method: "POST",
-      path: url.pathname,
-      recipientDid: receipt.to,
-      body: receipt as unknown as Record<string, unknown>,
-      timestamp: receipt.timestamp,
-    }, privateKey);
-
-    await fetchFn(endpoint, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Authorization": buildAuthHeader(sig, signingKeyId),
-      },
-      body: JSON.stringify(receipt),
-      redirect: "manual",
-      signal: AbortSignal.timeout(5000),
-    });
-  } catch {
-    // Fire-and-forget — swallow errors
-  }
-}