npm - @agirails/sdk - Versions diffs - 2.0.1-beta → 2.0.2 - Mend

@agirails/sdk 2.0.1-beta → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (405) hide show

package/LICENSE +190 -0
package/README.md +116 -108
package/bin/actp +10 -0
package/dist/ACTPClient.d.ts +456 -33
package/dist/ACTPClient.d.ts.map +1 -1
package/dist/ACTPClient.js +477 -93
package/dist/ACTPClient.js.map +1 -1
package/dist/abi/AgentRegistry.json +782 -0
package/dist/abi/EscrowVault.json +106 -38
package/dist/abi/IdentityRegistry.json +316 -0
package/dist/adapters/BaseAdapter.d.ts +231 -0
package/dist/adapters/BaseAdapter.d.ts.map +1 -0
package/dist/adapters/BaseAdapter.js +393 -0
package/dist/adapters/BaseAdapter.js.map +1 -0
package/dist/adapters/BeginnerAdapter.d.ts +152 -0
package/dist/adapters/BeginnerAdapter.d.ts.map +1 -0
package/dist/adapters/BeginnerAdapter.js +168 -0
package/dist/adapters/BeginnerAdapter.js.map +1 -0
package/dist/adapters/IntermediateAdapter.d.ts +211 -0
package/dist/adapters/IntermediateAdapter.d.ts.map +1 -0
package/dist/adapters/IntermediateAdapter.js +260 -0
package/dist/adapters/IntermediateAdapter.js.map +1 -0
package/dist/adapters/index.d.ts +15 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +26 -0
package/dist/adapters/index.js.map +1 -0
package/dist/builders/DeliveryProofBuilder.d.ts +60 -1
package/dist/builders/DeliveryProofBuilder.d.ts.map +1 -1
package/dist/builders/DeliveryProofBuilder.js +81 -5
package/dist/builders/DeliveryProofBuilder.js.map +1 -1
package/dist/builders/QuoteBuilder.d.ts +101 -0
package/dist/builders/QuoteBuilder.d.ts.map +1 -1
package/dist/builders/QuoteBuilder.js +120 -3
package/dist/builders/QuoteBuilder.js.map +1 -1
package/dist/builders/index.d.ts +4 -0
package/dist/builders/index.d.ts.map +1 -1
package/dist/builders/index.js +4 -0
package/dist/builders/index.js.map +1 -1
package/dist/cli/commands/balance.d.ts +13 -0
package/dist/cli/commands/balance.d.ts.map +1 -0
package/dist/cli/commands/balance.js +89 -0
package/dist/cli/commands/balance.js.map +1 -0
package/dist/cli/commands/batch.d.ts +24 -0
package/dist/cli/commands/batch.d.ts.map +1 -0
package/dist/cli/commands/batch.js +424 -0
package/dist/cli/commands/batch.js.map +1 -0
package/dist/cli/commands/config.d.ts +13 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +192 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/init.d.ts +19 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +143 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/mint.d.ts +13 -0
package/dist/cli/commands/mint.d.ts.map +1 -0
package/dist/cli/commands/mint.js +91 -0
package/dist/cli/commands/mint.js.map +1 -0
package/dist/cli/commands/pay.d.ts +18 -0
package/dist/cli/commands/pay.d.ts.map +1 -0
package/dist/cli/commands/pay.js +87 -0
package/dist/cli/commands/pay.js.map +1 -0
package/dist/cli/commands/simulate.d.ts +32 -0
package/dist/cli/commands/simulate.d.ts.map +1 -0
package/dist/cli/commands/simulate.js +290 -0
package/dist/cli/commands/simulate.js.map +1 -0
package/dist/cli/commands/time.d.ts +29 -0
package/dist/cli/commands/time.d.ts.map +1 -0
package/dist/cli/commands/time.js +252 -0
package/dist/cli/commands/time.js.map +1 -0
package/dist/cli/commands/tx.d.ts +16 -0
package/dist/cli/commands/tx.d.ts.map +1 -0
package/dist/cli/commands/tx.js +379 -0
package/dist/cli/commands/tx.js.map +1 -0
package/dist/cli/commands/watch.d.ts +20 -0
package/dist/cli/commands/watch.d.ts.map +1 -0
package/dist/cli/commands/watch.js +160 -0
package/dist/cli/commands/watch.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +104 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/utils/client.d.ts +70 -0
package/dist/cli/utils/client.d.ts.map +1 -0
package/dist/cli/utils/client.js +240 -0
package/dist/cli/utils/client.js.map +1 -0
package/dist/cli/utils/config.d.ts +91 -0
package/dist/cli/utils/config.d.ts.map +1 -0
package/dist/cli/utils/config.js +240 -0
package/dist/cli/utils/config.js.map +1 -0
package/dist/cli/utils/output.d.ts +174 -0
package/dist/cli/utils/output.d.ts.map +1 -0
package/dist/cli/utils/output.js +380 -0
package/dist/cli/utils/output.js.map +1 -0
package/dist/config/networks.d.ts +28 -0
package/dist/config/networks.d.ts.map +1 -1
package/dist/config/networks.js +60 -12
package/dist/config/networks.js.map +1 -1
package/dist/errors/index.d.ts +165 -2
package/dist/errors/index.d.ts.map +1 -1
package/dist/errors/index.js +260 -2
package/dist/errors/index.js.map +1 -1
package/dist/index.d.ts +61 -13
package/dist/index.d.ts.map +1 -1
package/dist/index.js +141 -36
package/dist/index.js.map +1 -1
package/dist/level0/Provider.d.ts +106 -0
package/dist/level0/Provider.d.ts.map +1 -0
package/dist/level0/Provider.js +10 -0
package/dist/level0/Provider.js.map +1 -0
package/dist/level0/ServiceDirectory.d.ts +74 -0
package/dist/level0/ServiceDirectory.d.ts.map +1 -0
package/dist/level0/ServiceDirectory.js +122 -0
package/dist/level0/ServiceDirectory.js.map +1 -0
package/dist/level0/index.d.ts +10 -0
package/dist/level0/index.d.ts.map +1 -0
package/dist/level0/index.js +15 -0
package/dist/level0/index.js.map +1 -0
package/dist/level0/provide.d.ts +51 -0
package/dist/level0/provide.d.ts.map +1 -0
package/dist/level0/provide.js +113 -0
package/dist/level0/provide.js.map +1 -0
package/dist/level0/request.d.ts +53 -0
package/dist/level0/request.d.ts.map +1 -0
package/dist/level0/request.js +462 -0
package/dist/level0/request.js.map +1 -0
package/dist/level1/Agent.d.ts +472 -0
package/dist/level1/Agent.d.ts.map +1 -0
package/dist/level1/Agent.js +1091 -0
package/dist/level1/Agent.js.map +1 -0
package/dist/level1/index.d.ts +10 -0
package/dist/level1/index.d.ts.map +1 -0
package/dist/level1/index.js +30 -0
package/dist/level1/index.js.map +1 -0
package/dist/level1/pricing/PriceCalculator.d.ts +62 -0
package/dist/level1/pricing/PriceCalculator.d.ts.map +1 -0
package/dist/level1/pricing/PriceCalculator.js +237 -0
package/dist/level1/pricing/PriceCalculator.js.map +1 -0
package/dist/level1/pricing/PricingStrategy.d.ts +179 -0
package/dist/level1/pricing/PricingStrategy.d.ts.map +1 -0
package/dist/level1/pricing/PricingStrategy.js +11 -0
package/dist/level1/pricing/PricingStrategy.js.map +1 -0
package/dist/level1/types/Job.d.ts +166 -0
package/dist/level1/types/Job.d.ts.map +1 -0
package/dist/level1/types/Job.js +11 -0
package/dist/level1/types/Job.js.map +1 -0
package/dist/level1/types/Options.d.ts +258 -0
package/dist/level1/types/Options.d.ts.map +1 -0
package/dist/level1/types/Options.js +8 -0
package/dist/level1/types/Options.js.map +1 -0
package/dist/level1/types/index.d.ts +8 -0
package/dist/level1/types/index.d.ts.map +1 -0
package/dist/level1/types/index.js +8 -0
package/dist/level1/types/index.js.map +1 -0
package/dist/protocol/ACTPKernel.d.ts +229 -2
package/dist/protocol/ACTPKernel.d.ts.map +1 -1
package/dist/protocol/ACTPKernel.js +367 -33
package/dist/protocol/ACTPKernel.js.map +1 -1
package/dist/protocol/AgentRegistry.d.ts +177 -0
package/dist/protocol/AgentRegistry.d.ts.map +1 -0
package/dist/protocol/AgentRegistry.js +449 -0
package/dist/protocol/AgentRegistry.js.map +1 -0
package/dist/protocol/DIDManager.d.ts +289 -0
package/dist/protocol/DIDManager.d.ts.map +1 -0
package/dist/protocol/DIDManager.js +481 -0
package/dist/protocol/DIDManager.js.map +1 -0
package/dist/protocol/DIDResolver.d.ts +236 -0
package/dist/protocol/DIDResolver.d.ts.map +1 -0
package/dist/protocol/DIDResolver.js +495 -0
package/dist/protocol/DIDResolver.js.map +1 -0
package/dist/protocol/EASHelper.d.ts +57 -2
package/dist/protocol/EASHelper.d.ts.map +1 -1
package/dist/protocol/EASHelper.js +230 -37
package/dist/protocol/EASHelper.js.map +1 -1
package/dist/protocol/EscrowVault.d.ts +93 -2
package/dist/protocol/EscrowVault.d.ts.map +1 -1
package/dist/protocol/EscrowVault.js +122 -33
package/dist/protocol/EscrowVault.js.map +1 -1
package/dist/protocol/EventMonitor.d.ts +45 -1
package/dist/protocol/EventMonitor.d.ts.map +1 -1
package/dist/protocol/EventMonitor.js +64 -8
package/dist/protocol/EventMonitor.js.map +1 -1
package/dist/protocol/MessageSigner.d.ts +116 -2
package/dist/protocol/MessageSigner.d.ts.map +1 -1
package/dist/protocol/MessageSigner.js +215 -9
package/dist/protocol/MessageSigner.js.map +1 -1
package/dist/protocol/ProofGenerator.d.ts +93 -0
package/dist/protocol/ProofGenerator.d.ts.map +1 -1
package/dist/protocol/ProofGenerator.js +194 -9
package/dist/protocol/ProofGenerator.js.map +1 -1
package/dist/protocol/QuoteBuilder.d.ts +8 -0
package/dist/protocol/QuoteBuilder.d.ts.map +1 -1
package/dist/protocol/QuoteBuilder.js +8 -0
package/dist/protocol/QuoteBuilder.js.map +1 -1
package/dist/runtime/BlockchainRuntime.d.ts +360 -0
package/dist/runtime/BlockchainRuntime.d.ts.map +1 -0
package/dist/runtime/BlockchainRuntime.js +767 -0
package/dist/runtime/BlockchainRuntime.js.map +1 -0
package/dist/runtime/IACTPRuntime.d.ts +271 -0
package/dist/runtime/IACTPRuntime.d.ts.map +1 -0
package/dist/runtime/IACTPRuntime.js +15 -0
package/dist/runtime/IACTPRuntime.js.map +1 -0
package/dist/runtime/MockRuntime.d.ts +445 -0
package/dist/runtime/MockRuntime.d.ts.map +1 -0
package/dist/runtime/MockRuntime.js +1065 -0
package/dist/runtime/MockRuntime.js.map +1 -0
package/dist/runtime/MockStateManager.d.ts +233 -0
package/dist/runtime/MockStateManager.d.ts.map +1 -0
package/dist/runtime/MockStateManager.js +533 -0
package/dist/runtime/MockStateManager.js.map +1 -0
package/dist/runtime/index.d.ts +14 -0
package/dist/runtime/index.d.ts.map +1 -0
package/dist/runtime/index.js +42 -0
package/dist/runtime/index.js.map +1 -0
package/dist/runtime/types/MockState.d.ts +167 -0
package/dist/runtime/types/MockState.d.ts.map +1 -0
package/dist/runtime/types/MockState.js +43 -0
package/dist/runtime/types/MockState.js.map +1 -0
package/dist/types/agent.d.ts +76 -0
package/dist/types/agent.d.ts.map +1 -0
package/dist/types/agent.js +8 -0
package/dist/types/agent.js.map +1 -0
package/dist/types/did.d.ts +192 -0
package/dist/types/did.d.ts.map +1 -0
package/dist/types/did.js +38 -0
package/dist/types/did.js.map +1 -0
package/dist/types/eip712.d.ts +34 -0
package/dist/types/eip712.d.ts.map +1 -1
package/dist/types/eip712.js +31 -5
package/dist/types/eip712.js.map +1 -1
package/dist/types/escrow.d.ts +17 -10
package/dist/types/escrow.d.ts.map +1 -1
package/dist/types/index.d.ts +5 -0
package/dist/types/index.d.ts.map +1 -1
package/dist/types/index.js +8 -0
package/dist/types/index.js.map +1 -1
package/dist/types/message.d.ts +32 -0
package/dist/types/message.d.ts.map +1 -1
package/dist/types/message.js +4 -0
package/dist/types/message.js.map +1 -1
package/dist/types/state.d.ts +28 -0
package/dist/types/state.d.ts.map +1 -1
package/dist/types/state.js +37 -6
package/dist/types/state.js.map +1 -1
package/dist/types/transaction.d.ts +17 -0
package/dist/types/transaction.d.ts.map +1 -1
package/dist/utils/ErrorRecoveryGuide.d.ts +125 -0
package/dist/utils/ErrorRecoveryGuide.d.ts.map +1 -0
package/dist/utils/ErrorRecoveryGuide.js +579 -0
package/dist/utils/ErrorRecoveryGuide.js.map +1 -0
package/dist/utils/Helpers.d.ts +453 -0
package/dist/utils/Helpers.d.ts.map +1 -0
package/dist/utils/Helpers.js +623 -0
package/dist/utils/Helpers.js.map +1 -0
package/dist/utils/IPFSClient.d.ts +113 -0
package/dist/utils/IPFSClient.d.ts.map +1 -1
package/dist/utils/IPFSClient.js +128 -7
package/dist/utils/IPFSClient.js.map +1 -1
package/dist/utils/Logger.d.ts +195 -0
package/dist/utils/Logger.d.ts.map +1 -0
package/dist/utils/Logger.js +382 -0
package/dist/utils/Logger.js.map +1 -0
package/dist/utils/NonceManager.d.ts +234 -1
package/dist/utils/NonceManager.d.ts.map +1 -1
package/dist/utils/NonceManager.js +372 -7
package/dist/utils/NonceManager.js.map +1 -1
package/dist/utils/RateLimiter.d.ts +253 -0
package/dist/utils/RateLimiter.d.ts.map +1 -0
package/dist/utils/RateLimiter.js +424 -0
package/dist/utils/RateLimiter.js.map +1 -0
package/dist/utils/ReceivedNonceTracker.d.ts +175 -0
package/dist/utils/ReceivedNonceTracker.d.ts.map +1 -1
package/dist/utils/ReceivedNonceTracker.js +261 -5
package/dist/utils/ReceivedNonceTracker.js.map +1 -1
package/dist/utils/SDKLifecycle.d.ts +156 -0
package/dist/utils/SDKLifecycle.d.ts.map +1 -0
package/dist/utils/SDKLifecycle.js +347 -0
package/dist/utils/SDKLifecycle.js.map +1 -0
package/dist/utils/SecureNonce.d.ts +57 -0
package/dist/utils/SecureNonce.d.ts.map +1 -0
package/dist/utils/SecureNonce.js +80 -0
package/dist/utils/SecureNonce.js.map +1 -0
package/dist/utils/Semaphore.d.ts +123 -0
package/dist/utils/Semaphore.d.ts.map +1 -0
package/dist/utils/Semaphore.js +247 -0
package/dist/utils/Semaphore.js.map +1 -0
package/dist/utils/UsedAttestationTracker.d.ts +167 -0
package/dist/utils/UsedAttestationTracker.d.ts.map +1 -0
package/dist/utils/UsedAttestationTracker.js +309 -0
package/dist/utils/UsedAttestationTracker.js.map +1 -0
package/dist/utils/canonicalJson.d.ts +22 -0
package/dist/utils/canonicalJson.d.ts.map +1 -1
package/dist/utils/canonicalJson.js +26 -3
package/dist/utils/canonicalJson.js.map +1 -1
package/dist/utils/computeTypeHash.d.ts +14 -0
package/dist/utils/computeTypeHash.d.ts.map +1 -1
package/dist/utils/computeTypeHash.js +19 -2
package/dist/utils/computeTypeHash.js.map +1 -1
package/dist/utils/fsSafe.d.ts +14 -0
package/dist/utils/fsSafe.d.ts.map +1 -0
package/dist/utils/fsSafe.js +89 -0
package/dist/utils/fsSafe.js.map +1 -0
package/dist/utils/index.d.ts +15 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +51 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/security.d.ts +147 -0
package/dist/utils/security.d.ts.map +1 -0
package/dist/utils/security.js +391 -0
package/dist/utils/security.js.map +1 -0
package/dist/utils/validation.d.ts +40 -0
package/dist/utils/validation.d.ts.map +1 -1
package/dist/utils/validation.js +184 -7
package/dist/utils/validation.js.map +1 -1
package/package.json +54 -37
package/src/ACTPClient.ts +692 -178
package/src/abi/AgentRegistry.json +782 -0
package/src/abi/EscrowVault.json +106 -38
package/src/abi/IdentityRegistry.json +316 -0
package/src/adapters/BaseAdapter.ts +473 -0
package/src/adapters/BeginnerAdapter.ts +232 -0
package/src/adapters/IntermediateAdapter.ts +316 -0
package/src/adapters/index.ts +25 -0
package/src/builders/DeliveryProofBuilder.ts +3 -2
package/src/cli/commands/balance.ts +110 -0
package/src/cli/commands/batch.ts +487 -0
package/src/cli/commands/config.ts +231 -0
package/src/cli/commands/init.ts +161 -0
package/src/cli/commands/mint.ts +116 -0
package/src/cli/commands/pay.ts +113 -0
package/src/cli/commands/simulate.ts +345 -0
package/src/cli/commands/time.ts +303 -0
package/src/cli/commands/tx.ts +448 -0
package/src/cli/commands/watch.ts +211 -0
package/src/cli/index.ts +116 -0
package/src/cli/utils/client.ts +249 -0
package/src/cli/utils/config.ts +282 -0
package/src/cli/utils/output.ts +465 -0
package/src/config/networks.ts +32 -9
package/src/errors/index.ts +298 -1
package/src/index.ts +207 -71
package/src/level0/Provider.ts +117 -0
package/src/level0/ServiceDirectory.ts +131 -0
package/src/level0/index.ts +10 -0
package/src/level0/provide.ts +131 -0
package/src/level0/request.ts +494 -0
package/src/level1/Agent.ts +1432 -0
package/src/level1/index.ts +10 -0
package/src/level1/pricing/PriceCalculator.ts +255 -0
package/src/level1/pricing/PricingStrategy.ts +198 -0
package/src/level1/types/Job.ts +179 -0
package/src/level1/types/Options.ts +291 -0
package/src/level1/types/index.ts +8 -0
package/src/protocol/ACTPKernel.ts +175 -23
package/src/protocol/AgentRegistry.ts +559 -0
package/src/protocol/DIDManager.ts +629 -0
package/src/protocol/DIDResolver.ts +554 -0
package/src/protocol/EASHelper.ts +230 -46
package/src/protocol/EscrowVault.ts +68 -50
package/src/protocol/EventMonitor.ts +44 -15
package/src/protocol/MessageSigner.ts +193 -13
package/src/protocol/ProofGenerator.ts +223 -4
package/src/runtime/BlockchainRuntime.ts +993 -0
package/src/runtime/IACTPRuntime.ts +284 -0
package/src/runtime/MockRuntime.ts +1244 -0
package/src/runtime/MockStateManager.ts +576 -0
package/src/runtime/index.ts +25 -0
package/src/runtime/types/MockState.ts +227 -0
package/src/types/agent.ts +79 -0
package/src/types/did.ts +223 -0
package/src/types/escrow.ts +12 -11
package/src/types/index.ts +5 -1
package/src/types/state.ts +12 -3
package/src/types/transaction.ts +4 -1
package/src/utils/ErrorRecoveryGuide.ts +675 -0
package/src/utils/Helpers.ts +688 -0
package/src/utils/IPFSClient.ts +122 -5
package/src/utils/Logger.ts +484 -0
package/src/utils/NonceManager.ts +305 -8
package/src/utils/RateLimiter.ts +534 -0
package/src/utils/ReceivedNonceTracker.ts +170 -0
package/src/utils/SDKLifecycle.ts +416 -0
package/src/utils/SecureNonce.ts +78 -0
package/src/utils/Semaphore.ts +276 -0
package/src/utils/UsedAttestationTracker.ts +387 -0
package/src/utils/fsSafe.ts +75 -0
package/src/utils/index.ts +80 -0
package/src/utils/security.ts +418 -0
package/src/utils/validation.ts +164 -0
package/src/__tests__/ProofGenerator.test.ts +0 -124
package/src/__tests__/QuoteBuilder.test.ts +0 -516
package/src/__tests__/StateMachine.test.ts +0 -82
package/src/__tests__/builders/DeliveryProofBuilder.test.ts +0 -581
package/src/__tests__/integration/ACTPClient.test.ts +0 -263
package/src/__tests__/integration.test.ts +0 -289
package/src/__tests__/protocol/EASHelper.test.ts +0 -472
package/src/__tests__/protocol/EventMonitor.test.ts +0 -382
package/src/__tests__/security/ACTPKernel.security.test.ts +0 -1167
package/src/__tests__/security/EscrowVault.security.test.ts +0 -570
package/src/__tests__/security/MessageSigner.security.test.ts +0 -286
package/src/__tests__/security/NonceReplay.security.test.ts +0 -501
package/src/__tests__/security/validation.security.test.ts +0 -376
package/src/__tests__/utils/IPFSClient.test.ts +0 -262
package/src/__tests__/utils/NonceManager.test.ts +0 -205
package/src/__tests__/utils/canonicalJson.test.ts +0 -153

package/dist/utils/ReceivedNonceTracker.d.ts CHANGED Viewed

@@ -1,35 +1,210 @@
+/**
+ * ReceivedNonceTracker - Replay Attack Prevention for Message Receivers
+ *
+ * This utility tracks nonces of received messages to prevent replay attacks.
+ * It works in conjunction with NonceManager (for senders) but serves the receiver side.
+ *
+ * Reference: V4 Security Vulnerability (EIP-712 Replay Attack)
+ *
+ * Usage Pattern:
+ * - Sender: Uses NonceManager to generate monotonically increasing nonces
+ * - Receiver: Uses ReceivedNonceTracker to validate and track received nonces
+ *
+ * Security Properties:
+ * 1. Nonces must be monotonically increasing per sender + message type
+ * 2. Duplicate nonces are rejected (replay attack prevention)
+ * 3. Nonces that are lower than the highest seen are rejected (old replay prevention)
+ *
+ * ⚠️ WARNING: In-memory tracking only. For production:
+ * - Use persistent storage (Redis, PostgreSQL, etc.)
+ * - Implement nonce recovery from transaction history
+ * - Consider nonce expiry for long-running processes
+ */
+/**
+ * Nonce validation result
+ */
 export interface NonceValidationResult {
     valid: boolean;
     reason?: string;
     expectedMinimum?: string;
     receivedNonce?: string;
 }
+/**
+ * Interface for tracking received nonces
+ */
 export interface IReceivedNonceTracker {
+    /**
+     * Validate and record a received nonce
+     * @param sender - Sender DID (e.g., "did:ethr:0x...")
+     * @param messageType - Message type (e.g., "agirails.delivery.v1")
+     * @param nonce - Nonce value (bytes32 format: "0x...")
+     * @returns Validation result
+     */
     validateAndRecord(sender: string, messageType: string, nonce: string): NonceValidationResult;
+    /**
+     * Check if a nonce has been used (without recording)
+     * @param sender - Sender DID
+     * @param messageType - Message type
+     * @param nonce - Nonce value (bytes32 format)
+     * @returns true if nonce was already used
+     */
     hasBeenUsed(sender: string, messageType: string, nonce: string): boolean;
+    /**
+     * Get highest nonce seen for sender + message type
+     * @param sender - Sender DID
+     * @param messageType - Message type
+     * @returns Highest nonce (bytes32 format) or null if none seen
+     */
     getHighestNonce(sender: string, messageType: string): string | null;
+    /**
+     * Reset tracking for a specific sender + message type
+     * @param sender - Sender DID
+     * @param messageType - Message type
+     */
     reset(sender: string, messageType: string): void;
+    /**
+     * Clear all tracked nonces
+     */
     clearAll(): void;
 }
+/**
+ * In-Memory Received Nonce Tracker
+ *
+ * Strategy: Track highest nonce seen per sender + message type
+ * - Accept nonces that are strictly greater than the highest seen
+ * - Reject nonces that are <= highest seen (replay attack)
+ *
+ * Trade-off:
+ * - Memory efficient (one value per sender + type)
+ * - Requires ordered nonce sequences
+ * - Cannot skip nonces (nonce gaps are rejected)
+ */
 export declare class InMemoryReceivedNonceTracker implements IReceivedNonceTracker {
     private highestNonces;
+    /**
+     * Validate and record a received nonce
+     */
     validateAndRecord(sender: string, messageType: string, nonce: string): NonceValidationResult;
+    /**
+     * Check if a nonce has been used (non-mutating)
+     */
     hasBeenUsed(sender: string, messageType: string, nonce: string): boolean;
+    /**
+     * Get highest nonce seen
+     */
     getHighestNonce(sender: string, messageType: string): string | null;
+    /**
+     * Reset tracking for sender + message type
+     */
     reset(sender: string, messageType: string): void;
+    /**
+     * Clear all tracked nonces
+     */
     clearAll(): void;
+    /**
+     * Convert BigInt to bytes32 hex string
+     */
     private bigintToBytes32;
+    /**
+     * Get all nonces (for debugging/persistence)
+     */
     getAllNonces(): Record<string, Record<string, string>>;
 }
+/**
+ * Set-Based Received Nonce Tracker
+ *
+ * Strategy: Track exact set of used nonces per sender + message type
+ * - Accept nonces that haven't been seen before
+ * - Reject duplicate nonces (replay attack)
+ * - Allows non-sequential nonces (nonce gaps are OK)
+ *
+ * SECURITY FIX (NEW-H-2): Max size enforcement to prevent memory exhaustion
+ * SECURITY FIX (HIGH-2): Global total entries limit to prevent DoS via many sender combinations
+ * SECURITY FIX (H-2): Rate limiting per sender to prevent flood attacks
+ *
+ * Trade-off:
+ * - Higher memory usage (stores every nonce)
+ * - More flexible (allows out-of-order delivery)
+ * - Requires periodic cleanup to prevent unbounded growth
+ */
 export declare class SetBasedReceivedNonceTracker implements IReceivedNonceTracker {
     private usedNonces;
+    private readonly maxSizePerType;
+    private readonly maxTotalEntries;
+    private totalEntries;
+    private rateLimitState;
+    private readonly maxNoncesPerMinute;
+    private readonly rateLimitWindowMs;
+    /**
+     * Create set-based tracker with optional max size
+     * @param maxSizePerType - Maximum nonces per sender+messageType (default: 10,000)
+     * @param maxTotalEntries - Maximum total nonces across all combinations (default: 100,000)
+     * @param maxNoncesPerMinute - Maximum nonces per sender per minute (default: 100)
+     */
+    constructor(maxSizePerType?: number, maxTotalEntries?: number, maxNoncesPerMinute?: number);
+    /**
+     * SECURITY FIX (H-2): Check rate limit for sender
+     * @param sender - Sender DID
+     * @returns true if rate limit exceeded
+     */
+    private checkRateLimit;
+    /**
+     * SECURITY FIX (H-2): Periodic cleanup of rate limit state
+     * Removes expired rate limit entries (older than 5 minutes)
+     */
+    private cleanupRateLimitState;
+    /**
+     * Validate and record a received nonce
+     *
+     * SECURITY FIX (NEW-H-2): Automatic cleanup when max size reached
+     * SECURITY FIX (HIGH-2): Global limit check to prevent DoS
+     * SECURITY FIX (H-2): Rate limiting per sender (max 100 nonces/minute)
+     */
     validateAndRecord(sender: string, messageType: string, nonce: string): NonceValidationResult;
+    /**
+     * Get number of sender+messageType combinations (for monitoring)
+     * SECURITY FIX (HIGH-2): Monitoring method
+     */
+    private getCombinationCount;
+    /**
+     * Get memory usage statistics
+     * SECURITY FIX (HIGH-2): Monitoring method for DoS detection
+     */
+    getMemoryUsage(): {
+        totalEntries: number;
+        combinations: number;
+        maxTotalEntries: number;
+    };
+    /**
+     * Check if a nonce has been used
+     */
     hasBeenUsed(sender: string, messageType: string, nonce: string): boolean;
+    /**
+     * Get highest nonce seen (for this strategy, compute from set)
+     */
     getHighestNonce(sender: string, messageType: string): string | null;
+    /**
+     * Reset tracking for sender + message type
+     */
     reset(sender: string, messageType: string): void;
+    /**
+     * Clear all tracked nonces
+     */
     clearAll(): void;
+    /**
+     * Get nonce count for sender + message type (for monitoring)
+     */
     getNonceCount(sender: string, messageType: string): number;
+    /**
+     * Cleanup old nonces (keep only last N)
+     * This prevents unbounded memory growth
+     */
     cleanup(sender: string, messageType: string, keepLast?: number): void;
 }
+/**
+ * Factory function to create a nonce tracker
+ * @param strategy - 'memory-efficient' (highest nonce) or 'set-based' (all nonces)
+ * @returns IReceivedNonceTracker instance
+ */
 export declare function createReceivedNonceTracker(strategy?: 'memory-efficient' | 'set-based'): IReceivedNonceTracker;
 //# sourceMappingURL=ReceivedNonceTracker.d.ts.map

package/dist/utils/ReceivedNonceTracker.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ReceivedNonceTracker.d.ts","sourceRoot":"","sources":["../../src/utils/ReceivedNonceTracker.ts"],"names":[],"mappings":"~~AA0BA~~,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;~~AAKD~~,MAAM,WAAW,qBAAqB;~~IAQpC~~,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,qBAAqB,CAAC;~~IAS7F~~,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;~~IAQzE~~,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;~~IAOpE~~,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;~~IAKjD~~,QAAQ,IAAI,IAAI,CAAC;CAClB;~~AAcD~~,qBAAa,4BAA6B,YAAW,qBAAqB;IAExE,OAAO,CAAC,aAAa,CAA+C;~~IAKpE~~,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,qBAAqB;~~IAgD5F~~,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO;~~IAoBxE~~,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;~~IAiBnE~~,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;~~IAchD~~,QAAQ,IAAI,IAAI;~~IAOhB~~,OAAO,CAAC,eAAe;~~IAOvB~~,YAAY,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAYvD;~~AAeD~~,qBAAa,4BAA6B,YAAW,qBAAqB;IAExE,OAAO,CAAC,UAAU,CAAoD;~~IAKtE~~,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,qBAAqB;~~IAyC5F~~,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO;~~IAiBxE~~,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;~~IA0BnE~~,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;~~IAahD~~,QAAQ,IAAI,IAAI;~~IAOhB~~,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM;~~IAc1D~~,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAa,GAAG,IAAI;~~CAsB5E~~;~~AAOD~~,wBAAgB,0BAA0B,CACxC,QAAQ,GAAE,kBAAkB,GAAG,WAAgC,GAC9D,qBAAqB,CAKvB"}
1	+ {"version":3,"file":"ReceivedNonceTracker.d.ts","sourceRoot":"","sources":["../../src/utils/ReceivedNonceTracker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;;OAMG;IACH,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,qBAAqB,CAAC;IAE7F;;;;;;OAMG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAEzE;;;;;OAKG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAEpE;;;;OAIG;IACH,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAEjD;;OAEG;IACH,QAAQ,IAAI,IAAI,CAAC;CAClB;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,4BAA6B,YAAW,qBAAqB;IAExE,OAAO,CAAC,aAAa,CAA+C;IAEpE;;OAEG;IACH,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,qBAAqB;IA6C5F;;OAEG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO;IAiBxE;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAcnE;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IAWhD;;OAEG;IACH,QAAQ,IAAI,IAAI;IAIhB;;OAEG;IACH,OAAO,CAAC,eAAe;IAIvB;;OAEG;IACH,YAAY,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAYvD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,4BAA6B,YAAW,qBAAqB;IAExE,OAAO,CAAC,UAAU,CAAoD;IAGtE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IAGxC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,OAAO,CAAC,YAAY,CAAa;IAIjC,OAAO,CAAC,cAAc,CAAkE;IACxF,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;IAC5C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAiB;IAEnD;;;;;OAKG;gBAED,cAAc,GAAE,MAAc,EAC9B,eAAe,GAAE,MAAe,EAChC,kBAAkB,GAAE,MAAY;IAgBlC;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAwBtB;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAW7B;;;;;;OAMG;IACH,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,qBAAqB;IAoF5F;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAQ3B;;;OAGG;IACH,cAAc,IAAI;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,CAAA;KAAE;IAQzF;;OAEG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO;IAcxE;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAuBnE;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IAehD;;OAEG;IACH,QAAQ,IAAI,IAAI;IAMhB;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM;IAU1D;;;OAGG;IACH,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAa,GAAG,IAAI;CAyB5E;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CACxC,QAAQ,GAAE,kBAAkB,GAAG,WAAgC,GAC9D,qBAAqB,CAKvB"}

package/dist/utils/ReceivedNonceTracker.js CHANGED Viewed

@@ -1,12 +1,50 @@
 "use strict";
+/**
+ * ReceivedNonceTracker - Replay Attack Prevention for Message Receivers
+ *
+ * This utility tracks nonces of received messages to prevent replay attacks.
+ * It works in conjunction with NonceManager (for senders) but serves the receiver side.
+ *
+ * Reference: V4 Security Vulnerability (EIP-712 Replay Attack)
+ *
+ * Usage Pattern:
+ * - Sender: Uses NonceManager to generate monotonically increasing nonces
+ * - Receiver: Uses ReceivedNonceTracker to validate and track received nonces
+ *
+ * Security Properties:
+ * 1. Nonces must be monotonically increasing per sender + message type
+ * 2. Duplicate nonces are rejected (replay attack prevention)
+ * 3. Nonces that are lower than the highest seen are rejected (old replay prevention)
+ *
+ * ⚠️ WARNING: In-memory tracking only. For production:
+ * - Use persistent storage (Redis, PostgreSQL, etc.)
+ * - Implement nonce recovery from transaction history
+ * - Consider nonce expiry for long-running processes
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SetBasedReceivedNonceTracker = exports.InMemoryReceivedNonceTracker = void 0;
-exports.createReceivedNonceTracker = createReceivedNonceTracker;
+exports.createReceivedNonceTracker = exports.SetBasedReceivedNonceTracker = exports.InMemoryReceivedNonceTracker = void 0;
+/**
+ * In-Memory Received Nonce Tracker
+ *
+ * Strategy: Track highest nonce seen per sender + message type
+ * - Accept nonces that are strictly greater than the highest seen
+ * - Reject nonces that are <= highest seen (replay attack)
+ *
+ * Trade-off:
+ * - Memory efficient (one value per sender + type)
+ * - Requires ordered nonce sequences
+ * - Cannot skip nonces (nonce gaps are rejected)
+ */
 class InMemoryReceivedNonceTracker {
     constructor() {
+        // Map: sender -> messageType -> highest nonce (as BigInt for comparison)
         this.highestNonces = new Map();
     }
+    /**
+     * Validate and record a received nonce
+     */
     validateAndRecord(sender, messageType, nonce) {
+        // Validate nonce format (must be bytes32: 0x + 64 hex chars)
         if (!/^0x[a-fA-F0-9]{64}$/.test(nonce)) {
             return {
                 valid: false,
@@ -14,17 +52,22 @@ class InMemoryReceivedNonceTracker {
                 receivedNonce: nonce
             };
         }
+        // Convert nonce to BigInt for comparison
         const nonceValue = BigInt(nonce);
+        // Get sender's nonce map
         let senderNonces = this.highestNonces.get(sender);
         if (!senderNonces) {
             senderNonces = new Map();
             this.highestNonces.set(sender, senderNonces);
         }
+        // Get highest nonce for this message type
         const highestNonce = senderNonces.get(messageType);
         if (highestNonce === undefined) {
+            // First message from this sender for this type
             senderNonces.set(messageType, nonceValue);
             return { valid: true };
         }
+        // Nonce must be strictly greater than highest seen
         if (nonceValue <= highestNonce) {
             const expectedMinimum = '0x' + (highestNonce + BigInt(1)).toString(16).padStart(64, '0');
             return {
@@ -34,21 +77,29 @@ class InMemoryReceivedNonceTracker {
                 receivedNonce: nonce
             };
         }
+        // Valid nonce - record it
         senderNonces.set(messageType, nonceValue);
         return { valid: true };
     }
+    /**
+     * Check if a nonce has been used (non-mutating)
+     */
     hasBeenUsed(sender, messageType, nonce) {
         const nonceValue = BigInt(nonce);
         const senderNonces = this.highestNonces.get(sender);
         if (!senderNonces) {
-            return false;
+            return false; // No nonces seen from this sender
         }
         const highestNonce = senderNonces.get(messageType);
         if (highestNonce === undefined) {
-            return false;
+            return false; // No nonces seen for this message type
         }
+        // If the provided nonce is <= highest seen, it's been "used"
         return nonceValue <= highestNonce;
     }
+    /**
+     * Get highest nonce seen
+     */
     getHighestNonce(sender, messageType) {
         const senderNonces = this.highestNonces.get(sender);
         if (!senderNonces) {
@@ -60,21 +111,34 @@ class InMemoryReceivedNonceTracker {
         }
         return this.bigintToBytes32(highestNonce);
     }
+    /**
+     * Reset tracking for sender + message type
+     */
     reset(sender, messageType) {
         const senderNonces = this.highestNonces.get(sender);
         if (senderNonces) {
             senderNonces.delete(messageType);
+            // Clean up sender map if empty
             if (senderNonces.size === 0) {
                 this.highestNonces.delete(sender);
             }
         }
     }
+    /**
+     * Clear all tracked nonces
+     */
     clearAll() {
         this.highestNonces.clear();
     }
+    /**
+     * Convert BigInt to bytes32 hex string
+     */
     bigintToBytes32(value) {
         return '0x' + value.toString(16).padStart(64, '0');
     }
+    /**
+     * Get all nonces (for debugging/persistence)
+     */
     getAllNonces() {
         const result = {};
         this.highestNonces.forEach((senderNonces, sender) => {
@@ -87,11 +151,97 @@ class InMemoryReceivedNonceTracker {
     }
 }
 exports.InMemoryReceivedNonceTracker = InMemoryReceivedNonceTracker;
+/**
+ * Set-Based Received Nonce Tracker
+ *
+ * Strategy: Track exact set of used nonces per sender + message type
+ * - Accept nonces that haven't been seen before
+ * - Reject duplicate nonces (replay attack)
+ * - Allows non-sequential nonces (nonce gaps are OK)
+ *
+ * SECURITY FIX (NEW-H-2): Max size enforcement to prevent memory exhaustion
+ * SECURITY FIX (HIGH-2): Global total entries limit to prevent DoS via many sender combinations
+ * SECURITY FIX (H-2): Rate limiting per sender to prevent flood attacks
+ *
+ * Trade-off:
+ * - Higher memory usage (stores every nonce)
+ * - More flexible (allows out-of-order delivery)
+ * - Requires periodic cleanup to prevent unbounded growth
+ */
 class SetBasedReceivedNonceTracker {
-    constructor() {
+    /**
+     * Create set-based tracker with optional max size
+     * @param maxSizePerType - Maximum nonces per sender+messageType (default: 10,000)
+     * @param maxTotalEntries - Maximum total nonces across all combinations (default: 100,000)
+     * @param maxNoncesPerMinute - Maximum nonces per sender per minute (default: 100)
+     */
+    constructor(maxSizePerType = 10000, maxTotalEntries = 100000, maxNoncesPerMinute = 100) {
+        // Map: sender -> messageType -> Set of used nonces
         this.usedNonces = new Map();
+        this.totalEntries = 0;
+        // SECURITY FIX (H-2): Rate limiting per sender
+        // Map: sender -> { count: number, windowStart: number }
+        this.rateLimitState = new Map();
+        this.rateLimitWindowMs = 60000; // 1 minute window
+        if (maxSizePerType <= 0) {
+            throw new Error('maxSizePerType must be positive');
+        }
+        if (maxTotalEntries <= 0) {
+            throw new Error('maxTotalEntries must be positive');
+        }
+        if (maxNoncesPerMinute <= 0) {
+            throw new Error('maxNoncesPerMinute must be positive');
+        }
+        this.maxSizePerType = maxSizePerType;
+        this.maxTotalEntries = maxTotalEntries;
+        this.maxNoncesPerMinute = maxNoncesPerMinute;
+    }
+    /**
+     * SECURITY FIX (H-2): Check rate limit for sender
+     * @param sender - Sender DID
+     * @returns true if rate limit exceeded
+     */
+    checkRateLimit(sender) {
+        const now = Date.now();
+        const state = this.rateLimitState.get(sender);
+        if (!state) {
+            // First nonce from this sender
+            this.rateLimitState.set(sender, { count: 1, windowStart: now });
+            return false; // Not rate limited
+        }
+        // Check if window expired (reset counter)
+        if (now - state.windowStart >= this.rateLimitWindowMs) {
+            state.count = 1;
+            state.windowStart = now;
+            return false; // Not rate limited
+        }
+        // Increment counter
+        state.count++;
+        // Check if rate limit exceeded
+        return state.count > this.maxNoncesPerMinute;
+    }
+    /**
+     * SECURITY FIX (H-2): Periodic cleanup of rate limit state
+     * Removes expired rate limit entries (older than 5 minutes)
+     */
+    cleanupRateLimitState() {
+        const now = Date.now();
+        const expiryThreshold = 5 * 60 * 1000; // 5 minutes
+        for (const [sender, state] of this.rateLimitState.entries()) {
+            if (now - state.windowStart > expiryThreshold) {
+                this.rateLimitState.delete(sender);
+            }
+        }
     }
+    /**
+     * Validate and record a received nonce
+     *
+     * SECURITY FIX (NEW-H-2): Automatic cleanup when max size reached
+     * SECURITY FIX (HIGH-2): Global limit check to prevent DoS
+     * SECURITY FIX (H-2): Rate limiting per sender (max 100 nonces/minute)
+     */
     validateAndRecord(sender, messageType, nonce) {
+        // Validate nonce format
         if (!/^0x[a-fA-F0-9]{64}$/.test(nonce)) {
             return {
                 valid: false,
@@ -99,16 +249,44 @@ class SetBasedReceivedNonceTracker {
                 receivedNonce: nonce
             };
         }
+        // SECURITY FIX (H-2): Rate limit check (BEFORE global limit to avoid unnecessary work)
+        if (this.checkRateLimit(sender)) {
+            return {
+                valid: false,
+                reason: `Rate limit exceeded for sender ${sender}: ` +
+                    `Maximum ${this.maxNoncesPerMinute} nonces per minute allowed. ` +
+                    `This may indicate a flood attack or misconfigured client. ` +
+                    `Wait 1 minute before retrying.`,
+                receivedNonce: nonce
+            };
+        }
+        // SECURITY FIX (H-2): Periodic cleanup every 100 validations (amortized cost)
+        if (this.totalEntries % 100 === 0) {
+            this.cleanupRateLimitState();
+        }
+        // SECURITY FIX (HIGH-2): Check global limit BEFORE adding
+        if (this.totalEntries >= this.maxTotalEntries) {
+            return {
+                valid: false,
+                reason: `Global nonce tracker limit reached (${this.maxTotalEntries} entries). ` +
+                    `This may indicate a DoS attack or need for cleanup. ` +
+                    `Current usage: ${this.totalEntries} entries across ${this.getCombinationCount()} sender+type combinations.`,
+                receivedNonce: nonce
+            };
+        }
+        // Get sender's nonce map
         let senderNonces = this.usedNonces.get(sender);
         if (!senderNonces) {
             senderNonces = new Map();
             this.usedNonces.set(sender, senderNonces);
         }
+        // Get set of used nonces for this message type
         let usedSet = senderNonces.get(messageType);
         if (!usedSet) {
             usedSet = new Set();
             senderNonces.set(messageType, usedSet);
         }
+        // Check if nonce was already used
         if (usedSet.has(nonce)) {
             return {
                 valid: false,
@@ -116,9 +294,52 @@ class SetBasedReceivedNonceTracker {
                 receivedNonce: nonce
             };
         }
+        // SECURITY FIX (NEW-H-2): Auto-cleanup if max size per type reached
+        if (usedSet.size >= this.maxSizePerType) {
+            // Keep only last 80% of entries (sorted by nonce value)
+            const keepCount = Math.floor(this.maxSizePerType * 0.8);
+            const sortedNonces = Array.from(usedSet).sort((a, b) => {
+                const aVal = BigInt(a);
+                const bVal = BigInt(b);
+                return aVal < bVal ? -1 : aVal > bVal ? 1 : 0;
+            });
+            const removedCount = usedSet.size - keepCount;
+            usedSet = new Set(sortedNonces.slice(-keepCount));
+            senderNonces.set(messageType, usedSet);
+            // SECURITY FIX (HIGH-2): Update global counter
+            this.totalEntries -= removedCount;
+        }
+        // Valid nonce - record it
         usedSet.add(nonce);
+        // SECURITY FIX (HIGH-2): Update global counter
+        this.totalEntries++;
         return { valid: true };
     }
+    /**
+     * Get number of sender+messageType combinations (for monitoring)
+     * SECURITY FIX (HIGH-2): Monitoring method
+     */
+    getCombinationCount() {
+        let count = 0;
+        this.usedNonces.forEach(senderMap => {
+            count += senderMap.size;
+        });
+        return count;
+    }
+    /**
+     * Get memory usage statistics
+     * SECURITY FIX (HIGH-2): Monitoring method for DoS detection
+     */
+    getMemoryUsage() {
+        return {
+            totalEntries: this.totalEntries,
+            combinations: this.getCombinationCount(),
+            maxTotalEntries: this.maxTotalEntries
+        };
+    }
+    /**
+     * Check if a nonce has been used
+     */
     hasBeenUsed(sender, messageType, nonce) {
         const senderNonces = this.usedNonces.get(sender);
         if (!senderNonces) {
@@ -130,6 +351,9 @@ class SetBasedReceivedNonceTracker {
         }
         return usedSet.has(nonce);
     }
+    /**
+     * Get highest nonce seen (for this strategy, compute from set)
+     */
     getHighestNonce(sender, messageType) {
         const senderNonces = this.usedNonces.get(sender);
         if (!senderNonces) {
@@ -139,6 +363,7 @@ class SetBasedReceivedNonceTracker {
         if (!usedSet || usedSet.size === 0) {
             return null;
         }
+        // Find maximum nonce in set
         let maxNonce = BigInt(0);
         usedSet.forEach(nonce => {
             const value = BigInt(nonce);
@@ -148,18 +373,34 @@ class SetBasedReceivedNonceTracker {
         });
         return '0x' + maxNonce.toString(16).padStart(64, '0');
     }
+    /**
+     * Reset tracking for sender + message type
+     */
     reset(sender, messageType) {
         const senderNonces = this.usedNonces.get(sender);
         if (senderNonces) {
+            const usedSet = senderNonces.get(messageType);
+            if (usedSet) {
+                // SECURITY FIX (HIGH-2): Update global counter
+                this.totalEntries -= usedSet.size;
+            }
             senderNonces.delete(messageType);
             if (senderNonces.size === 0) {
                 this.usedNonces.delete(sender);
             }
         }
     }
+    /**
+     * Clear all tracked nonces
+     */
     clearAll() {
         this.usedNonces.clear();
+        // SECURITY FIX (HIGH-2): Reset global counter
+        this.totalEntries = 0;
     }
+    /**
+     * Get nonce count for sender + message type (for monitoring)
+     */
     getNonceCount(sender, messageType) {
         const senderNonces = this.usedNonces.get(sender);
         if (!senderNonces) {
@@ -168,6 +409,10 @@ class SetBasedReceivedNonceTracker {
         const usedSet = senderNonces.get(messageType);
         return usedSet ? usedSet.size : 0;
     }
+    /**
+     * Cleanup old nonces (keep only last N)
+     * This prevents unbounded memory growth
+     */
     cleanup(sender, messageType, keepLast = 1000) {
         const senderNonces = this.usedNonces.get(sender);
         if (!senderNonces) {
@@ -177,20 +422,31 @@ class SetBasedReceivedNonceTracker {
         if (!usedSet || usedSet.size <= keepLast) {
             return;
         }
+        // Convert to array and sort by nonce value
         const sortedNonces = Array.from(usedSet).sort((a, b) => {
             const aVal = BigInt(a);
             const bVal = BigInt(b);
             return aVal < bVal ? -1 : aVal > bVal ? 1 : 0;
         });
+        // Keep only the last N nonces
+        const removedCount = usedSet.size - keepLast;
         const toKeep = new Set(sortedNonces.slice(-keepLast));
         senderNonces.set(messageType, toKeep);
+        // SECURITY FIX (HIGH-2): Update global counter
+        this.totalEntries -= removedCount;
     }
 }
 exports.SetBasedReceivedNonceTracker = SetBasedReceivedNonceTracker;
+/**
+ * Factory function to create a nonce tracker
+ * @param strategy - 'memory-efficient' (highest nonce) or 'set-based' (all nonces)
+ * @returns IReceivedNonceTracker instance
+ */
 function createReceivedNonceTracker(strategy = 'memory-efficient') {
     if (strategy === 'set-based') {
         return new SetBasedReceivedNonceTracker();
     }
     return new InMemoryReceivedNonceTracker();
 }
+exports.createReceivedNonceTracker = createReceivedNonceTracker;
 //# sourceMappingURL=ReceivedNonceTracker.js.map