npm - @agirails/sdk - Versions diffs - 2.0.1-beta → 2.0.2 - Mend

@agirails/sdk 2.0.1-beta → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (405) hide show

package/LICENSE +190 -0
package/README.md +116 -108
package/bin/actp +10 -0
package/dist/ACTPClient.d.ts +456 -33
package/dist/ACTPClient.d.ts.map +1 -1
package/dist/ACTPClient.js +477 -93
package/dist/ACTPClient.js.map +1 -1
package/dist/abi/AgentRegistry.json +782 -0
package/dist/abi/EscrowVault.json +106 -38
package/dist/abi/IdentityRegistry.json +316 -0
package/dist/adapters/BaseAdapter.d.ts +231 -0
package/dist/adapters/BaseAdapter.d.ts.map +1 -0
package/dist/adapters/BaseAdapter.js +393 -0
package/dist/adapters/BaseAdapter.js.map +1 -0
package/dist/adapters/BeginnerAdapter.d.ts +152 -0
package/dist/adapters/BeginnerAdapter.d.ts.map +1 -0
package/dist/adapters/BeginnerAdapter.js +168 -0
package/dist/adapters/BeginnerAdapter.js.map +1 -0
package/dist/adapters/IntermediateAdapter.d.ts +211 -0
package/dist/adapters/IntermediateAdapter.d.ts.map +1 -0
package/dist/adapters/IntermediateAdapter.js +260 -0
package/dist/adapters/IntermediateAdapter.js.map +1 -0
package/dist/adapters/index.d.ts +15 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +26 -0
package/dist/adapters/index.js.map +1 -0
package/dist/builders/DeliveryProofBuilder.d.ts +60 -1
package/dist/builders/DeliveryProofBuilder.d.ts.map +1 -1
package/dist/builders/DeliveryProofBuilder.js +81 -5
package/dist/builders/DeliveryProofBuilder.js.map +1 -1
package/dist/builders/QuoteBuilder.d.ts +101 -0
package/dist/builders/QuoteBuilder.d.ts.map +1 -1
package/dist/builders/QuoteBuilder.js +120 -3
package/dist/builders/QuoteBuilder.js.map +1 -1
package/dist/builders/index.d.ts +4 -0
package/dist/builders/index.d.ts.map +1 -1
package/dist/builders/index.js +4 -0
package/dist/builders/index.js.map +1 -1
package/dist/cli/commands/balance.d.ts +13 -0
package/dist/cli/commands/balance.d.ts.map +1 -0
package/dist/cli/commands/balance.js +89 -0
package/dist/cli/commands/balance.js.map +1 -0
package/dist/cli/commands/batch.d.ts +24 -0
package/dist/cli/commands/batch.d.ts.map +1 -0
package/dist/cli/commands/batch.js +424 -0
package/dist/cli/commands/batch.js.map +1 -0
package/dist/cli/commands/config.d.ts +13 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +192 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/init.d.ts +19 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +143 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/mint.d.ts +13 -0
package/dist/cli/commands/mint.d.ts.map +1 -0
package/dist/cli/commands/mint.js +91 -0
package/dist/cli/commands/mint.js.map +1 -0
package/dist/cli/commands/pay.d.ts +18 -0
package/dist/cli/commands/pay.d.ts.map +1 -0
package/dist/cli/commands/pay.js +87 -0
package/dist/cli/commands/pay.js.map +1 -0
package/dist/cli/commands/simulate.d.ts +32 -0
package/dist/cli/commands/simulate.d.ts.map +1 -0
package/dist/cli/commands/simulate.js +290 -0
package/dist/cli/commands/simulate.js.map +1 -0
package/dist/cli/commands/time.d.ts +29 -0
package/dist/cli/commands/time.d.ts.map +1 -0
package/dist/cli/commands/time.js +252 -0
package/dist/cli/commands/time.js.map +1 -0
package/dist/cli/commands/tx.d.ts +16 -0
package/dist/cli/commands/tx.d.ts.map +1 -0
package/dist/cli/commands/tx.js +379 -0
package/dist/cli/commands/tx.js.map +1 -0
package/dist/cli/commands/watch.d.ts +20 -0
package/dist/cli/commands/watch.d.ts.map +1 -0
package/dist/cli/commands/watch.js +160 -0
package/dist/cli/commands/watch.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +104 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/utils/client.d.ts +70 -0
package/dist/cli/utils/client.d.ts.map +1 -0
package/dist/cli/utils/client.js +240 -0
package/dist/cli/utils/client.js.map +1 -0
package/dist/cli/utils/config.d.ts +91 -0
package/dist/cli/utils/config.d.ts.map +1 -0
package/dist/cli/utils/config.js +240 -0
package/dist/cli/utils/config.js.map +1 -0
package/dist/cli/utils/output.d.ts +174 -0
package/dist/cli/utils/output.d.ts.map +1 -0
package/dist/cli/utils/output.js +380 -0
package/dist/cli/utils/output.js.map +1 -0
package/dist/config/networks.d.ts +28 -0
package/dist/config/networks.d.ts.map +1 -1
package/dist/config/networks.js +60 -12
package/dist/config/networks.js.map +1 -1
package/dist/errors/index.d.ts +165 -2
package/dist/errors/index.d.ts.map +1 -1
package/dist/errors/index.js +260 -2
package/dist/errors/index.js.map +1 -1
package/dist/index.d.ts +61 -13
package/dist/index.d.ts.map +1 -1
package/dist/index.js +141 -36
package/dist/index.js.map +1 -1
package/dist/level0/Provider.d.ts +106 -0
package/dist/level0/Provider.d.ts.map +1 -0
package/dist/level0/Provider.js +10 -0
package/dist/level0/Provider.js.map +1 -0
package/dist/level0/ServiceDirectory.d.ts +74 -0
package/dist/level0/ServiceDirectory.d.ts.map +1 -0
package/dist/level0/ServiceDirectory.js +122 -0
package/dist/level0/ServiceDirectory.js.map +1 -0
package/dist/level0/index.d.ts +10 -0
package/dist/level0/index.d.ts.map +1 -0
package/dist/level0/index.js +15 -0
package/dist/level0/index.js.map +1 -0
package/dist/level0/provide.d.ts +51 -0
package/dist/level0/provide.d.ts.map +1 -0
package/dist/level0/provide.js +113 -0
package/dist/level0/provide.js.map +1 -0
package/dist/level0/request.d.ts +53 -0
package/dist/level0/request.d.ts.map +1 -0
package/dist/level0/request.js +462 -0
package/dist/level0/request.js.map +1 -0
package/dist/level1/Agent.d.ts +472 -0
package/dist/level1/Agent.d.ts.map +1 -0
package/dist/level1/Agent.js +1091 -0
package/dist/level1/Agent.js.map +1 -0
package/dist/level1/index.d.ts +10 -0
package/dist/level1/index.d.ts.map +1 -0
package/dist/level1/index.js +30 -0
package/dist/level1/index.js.map +1 -0
package/dist/level1/pricing/PriceCalculator.d.ts +62 -0
package/dist/level1/pricing/PriceCalculator.d.ts.map +1 -0
package/dist/level1/pricing/PriceCalculator.js +237 -0
package/dist/level1/pricing/PriceCalculator.js.map +1 -0
package/dist/level1/pricing/PricingStrategy.d.ts +179 -0
package/dist/level1/pricing/PricingStrategy.d.ts.map +1 -0
package/dist/level1/pricing/PricingStrategy.js +11 -0
package/dist/level1/pricing/PricingStrategy.js.map +1 -0
package/dist/level1/types/Job.d.ts +166 -0
package/dist/level1/types/Job.d.ts.map +1 -0
package/dist/level1/types/Job.js +11 -0
package/dist/level1/types/Job.js.map +1 -0
package/dist/level1/types/Options.d.ts +258 -0
package/dist/level1/types/Options.d.ts.map +1 -0
package/dist/level1/types/Options.js +8 -0
package/dist/level1/types/Options.js.map +1 -0
package/dist/level1/types/index.d.ts +8 -0
package/dist/level1/types/index.d.ts.map +1 -0
package/dist/level1/types/index.js +8 -0
package/dist/level1/types/index.js.map +1 -0
package/dist/protocol/ACTPKernel.d.ts +229 -2
package/dist/protocol/ACTPKernel.d.ts.map +1 -1
package/dist/protocol/ACTPKernel.js +367 -33
package/dist/protocol/ACTPKernel.js.map +1 -1
package/dist/protocol/AgentRegistry.d.ts +177 -0
package/dist/protocol/AgentRegistry.d.ts.map +1 -0
package/dist/protocol/AgentRegistry.js +449 -0
package/dist/protocol/AgentRegistry.js.map +1 -0
package/dist/protocol/DIDManager.d.ts +289 -0
package/dist/protocol/DIDManager.d.ts.map +1 -0
package/dist/protocol/DIDManager.js +481 -0
package/dist/protocol/DIDManager.js.map +1 -0
package/dist/protocol/DIDResolver.d.ts +236 -0
package/dist/protocol/DIDResolver.d.ts.map +1 -0
package/dist/protocol/DIDResolver.js +495 -0
package/dist/protocol/DIDResolver.js.map +1 -0
package/dist/protocol/EASHelper.d.ts +57 -2
package/dist/protocol/EASHelper.d.ts.map +1 -1
package/dist/protocol/EASHelper.js +230 -37
package/dist/protocol/EASHelper.js.map +1 -1
package/dist/protocol/EscrowVault.d.ts +93 -2
package/dist/protocol/EscrowVault.d.ts.map +1 -1
package/dist/protocol/EscrowVault.js +122 -33
package/dist/protocol/EscrowVault.js.map +1 -1
package/dist/protocol/EventMonitor.d.ts +45 -1
package/dist/protocol/EventMonitor.d.ts.map +1 -1
package/dist/protocol/EventMonitor.js +64 -8
package/dist/protocol/EventMonitor.js.map +1 -1
package/dist/protocol/MessageSigner.d.ts +116 -2
package/dist/protocol/MessageSigner.d.ts.map +1 -1
package/dist/protocol/MessageSigner.js +215 -9
package/dist/protocol/MessageSigner.js.map +1 -1
package/dist/protocol/ProofGenerator.d.ts +93 -0
package/dist/protocol/ProofGenerator.d.ts.map +1 -1
package/dist/protocol/ProofGenerator.js +194 -9
package/dist/protocol/ProofGenerator.js.map +1 -1
package/dist/protocol/QuoteBuilder.d.ts +8 -0
package/dist/protocol/QuoteBuilder.d.ts.map +1 -1
package/dist/protocol/QuoteBuilder.js +8 -0
package/dist/protocol/QuoteBuilder.js.map +1 -1
package/dist/runtime/BlockchainRuntime.d.ts +360 -0
package/dist/runtime/BlockchainRuntime.d.ts.map +1 -0
package/dist/runtime/BlockchainRuntime.js +767 -0
package/dist/runtime/BlockchainRuntime.js.map +1 -0
package/dist/runtime/IACTPRuntime.d.ts +271 -0
package/dist/runtime/IACTPRuntime.d.ts.map +1 -0
package/dist/runtime/IACTPRuntime.js +15 -0
package/dist/runtime/IACTPRuntime.js.map +1 -0
package/dist/runtime/MockRuntime.d.ts +445 -0
package/dist/runtime/MockRuntime.d.ts.map +1 -0
package/dist/runtime/MockRuntime.js +1065 -0
package/dist/runtime/MockRuntime.js.map +1 -0
package/dist/runtime/MockStateManager.d.ts +233 -0
package/dist/runtime/MockStateManager.d.ts.map +1 -0
package/dist/runtime/MockStateManager.js +533 -0
package/dist/runtime/MockStateManager.js.map +1 -0
package/dist/runtime/index.d.ts +14 -0
package/dist/runtime/index.d.ts.map +1 -0
package/dist/runtime/index.js +42 -0
package/dist/runtime/index.js.map +1 -0
package/dist/runtime/types/MockState.d.ts +167 -0
package/dist/runtime/types/MockState.d.ts.map +1 -0
package/dist/runtime/types/MockState.js +43 -0
package/dist/runtime/types/MockState.js.map +1 -0
package/dist/types/agent.d.ts +76 -0
package/dist/types/agent.d.ts.map +1 -0
package/dist/types/agent.js +8 -0
package/dist/types/agent.js.map +1 -0
package/dist/types/did.d.ts +192 -0
package/dist/types/did.d.ts.map +1 -0
package/dist/types/did.js +38 -0
package/dist/types/did.js.map +1 -0
package/dist/types/eip712.d.ts +34 -0
package/dist/types/eip712.d.ts.map +1 -1
package/dist/types/eip712.js +31 -5
package/dist/types/eip712.js.map +1 -1
package/dist/types/escrow.d.ts +17 -10
package/dist/types/escrow.d.ts.map +1 -1
package/dist/types/index.d.ts +5 -0
package/dist/types/index.d.ts.map +1 -1
package/dist/types/index.js +8 -0
package/dist/types/index.js.map +1 -1
package/dist/types/message.d.ts +32 -0
package/dist/types/message.d.ts.map +1 -1
package/dist/types/message.js +4 -0
package/dist/types/message.js.map +1 -1
package/dist/types/state.d.ts +28 -0
package/dist/types/state.d.ts.map +1 -1
package/dist/types/state.js +37 -6
package/dist/types/state.js.map +1 -1
package/dist/types/transaction.d.ts +17 -0
package/dist/types/transaction.d.ts.map +1 -1
package/dist/utils/ErrorRecoveryGuide.d.ts +125 -0
package/dist/utils/ErrorRecoveryGuide.d.ts.map +1 -0
package/dist/utils/ErrorRecoveryGuide.js +579 -0
package/dist/utils/ErrorRecoveryGuide.js.map +1 -0
package/dist/utils/Helpers.d.ts +453 -0
package/dist/utils/Helpers.d.ts.map +1 -0
package/dist/utils/Helpers.js +623 -0
package/dist/utils/Helpers.js.map +1 -0
package/dist/utils/IPFSClient.d.ts +113 -0
package/dist/utils/IPFSClient.d.ts.map +1 -1
package/dist/utils/IPFSClient.js +128 -7
package/dist/utils/IPFSClient.js.map +1 -1
package/dist/utils/Logger.d.ts +195 -0
package/dist/utils/Logger.d.ts.map +1 -0
package/dist/utils/Logger.js +382 -0
package/dist/utils/Logger.js.map +1 -0
package/dist/utils/NonceManager.d.ts +234 -1
package/dist/utils/NonceManager.d.ts.map +1 -1
package/dist/utils/NonceManager.js +372 -7
package/dist/utils/NonceManager.js.map +1 -1
package/dist/utils/RateLimiter.d.ts +253 -0
package/dist/utils/RateLimiter.d.ts.map +1 -0
package/dist/utils/RateLimiter.js +424 -0
package/dist/utils/RateLimiter.js.map +1 -0
package/dist/utils/ReceivedNonceTracker.d.ts +175 -0
package/dist/utils/ReceivedNonceTracker.d.ts.map +1 -1
package/dist/utils/ReceivedNonceTracker.js +261 -5
package/dist/utils/ReceivedNonceTracker.js.map +1 -1
package/dist/utils/SDKLifecycle.d.ts +156 -0
package/dist/utils/SDKLifecycle.d.ts.map +1 -0
package/dist/utils/SDKLifecycle.js +347 -0
package/dist/utils/SDKLifecycle.js.map +1 -0
package/dist/utils/SecureNonce.d.ts +57 -0
package/dist/utils/SecureNonce.d.ts.map +1 -0
package/dist/utils/SecureNonce.js +80 -0
package/dist/utils/SecureNonce.js.map +1 -0
package/dist/utils/Semaphore.d.ts +123 -0
package/dist/utils/Semaphore.d.ts.map +1 -0
package/dist/utils/Semaphore.js +247 -0
package/dist/utils/Semaphore.js.map +1 -0
package/dist/utils/UsedAttestationTracker.d.ts +167 -0
package/dist/utils/UsedAttestationTracker.d.ts.map +1 -0
package/dist/utils/UsedAttestationTracker.js +309 -0
package/dist/utils/UsedAttestationTracker.js.map +1 -0
package/dist/utils/canonicalJson.d.ts +22 -0
package/dist/utils/canonicalJson.d.ts.map +1 -1
package/dist/utils/canonicalJson.js +26 -3
package/dist/utils/canonicalJson.js.map +1 -1
package/dist/utils/computeTypeHash.d.ts +14 -0
package/dist/utils/computeTypeHash.d.ts.map +1 -1
package/dist/utils/computeTypeHash.js +19 -2
package/dist/utils/computeTypeHash.js.map +1 -1
package/dist/utils/fsSafe.d.ts +14 -0
package/dist/utils/fsSafe.d.ts.map +1 -0
package/dist/utils/fsSafe.js +89 -0
package/dist/utils/fsSafe.js.map +1 -0
package/dist/utils/index.d.ts +15 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +51 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/security.d.ts +147 -0
package/dist/utils/security.d.ts.map +1 -0
package/dist/utils/security.js +391 -0
package/dist/utils/security.js.map +1 -0
package/dist/utils/validation.d.ts +40 -0
package/dist/utils/validation.d.ts.map +1 -1
package/dist/utils/validation.js +184 -7
package/dist/utils/validation.js.map +1 -1
package/package.json +54 -37
package/src/ACTPClient.ts +692 -178
package/src/abi/AgentRegistry.json +782 -0
package/src/abi/EscrowVault.json +106 -38
package/src/abi/IdentityRegistry.json +316 -0
package/src/adapters/BaseAdapter.ts +473 -0
package/src/adapters/BeginnerAdapter.ts +232 -0
package/src/adapters/IntermediateAdapter.ts +316 -0
package/src/adapters/index.ts +25 -0
package/src/builders/DeliveryProofBuilder.ts +3 -2
package/src/cli/commands/balance.ts +110 -0
package/src/cli/commands/batch.ts +487 -0
package/src/cli/commands/config.ts +231 -0
package/src/cli/commands/init.ts +161 -0
package/src/cli/commands/mint.ts +116 -0
package/src/cli/commands/pay.ts +113 -0
package/src/cli/commands/simulate.ts +345 -0
package/src/cli/commands/time.ts +303 -0
package/src/cli/commands/tx.ts +448 -0
package/src/cli/commands/watch.ts +211 -0
package/src/cli/index.ts +116 -0
package/src/cli/utils/client.ts +249 -0
package/src/cli/utils/config.ts +282 -0
package/src/cli/utils/output.ts +465 -0
package/src/config/networks.ts +32 -9
package/src/errors/index.ts +298 -1
package/src/index.ts +207 -71
package/src/level0/Provider.ts +117 -0
package/src/level0/ServiceDirectory.ts +131 -0
package/src/level0/index.ts +10 -0
package/src/level0/provide.ts +131 -0
package/src/level0/request.ts +494 -0
package/src/level1/Agent.ts +1432 -0
package/src/level1/index.ts +10 -0
package/src/level1/pricing/PriceCalculator.ts +255 -0
package/src/level1/pricing/PricingStrategy.ts +198 -0
package/src/level1/types/Job.ts +179 -0
package/src/level1/types/Options.ts +291 -0
package/src/level1/types/index.ts +8 -0
package/src/protocol/ACTPKernel.ts +175 -23
package/src/protocol/AgentRegistry.ts +559 -0
package/src/protocol/DIDManager.ts +629 -0
package/src/protocol/DIDResolver.ts +554 -0
package/src/protocol/EASHelper.ts +230 -46
package/src/protocol/EscrowVault.ts +68 -50
package/src/protocol/EventMonitor.ts +44 -15
package/src/protocol/MessageSigner.ts +193 -13
package/src/protocol/ProofGenerator.ts +223 -4
package/src/runtime/BlockchainRuntime.ts +993 -0
package/src/runtime/IACTPRuntime.ts +284 -0
package/src/runtime/MockRuntime.ts +1244 -0
package/src/runtime/MockStateManager.ts +576 -0
package/src/runtime/index.ts +25 -0
package/src/runtime/types/MockState.ts +227 -0
package/src/types/agent.ts +79 -0
package/src/types/did.ts +223 -0
package/src/types/escrow.ts +12 -11
package/src/types/index.ts +5 -1
package/src/types/state.ts +12 -3
package/src/types/transaction.ts +4 -1
package/src/utils/ErrorRecoveryGuide.ts +675 -0
package/src/utils/Helpers.ts +688 -0
package/src/utils/IPFSClient.ts +122 -5
package/src/utils/Logger.ts +484 -0
package/src/utils/NonceManager.ts +305 -8
package/src/utils/RateLimiter.ts +534 -0
package/src/utils/ReceivedNonceTracker.ts +170 -0
package/src/utils/SDKLifecycle.ts +416 -0
package/src/utils/SecureNonce.ts +78 -0
package/src/utils/Semaphore.ts +276 -0
package/src/utils/UsedAttestationTracker.ts +387 -0
package/src/utils/fsSafe.ts +75 -0
package/src/utils/index.ts +80 -0
package/src/utils/security.ts +418 -0
package/src/utils/validation.ts +164 -0
package/src/__tests__/ProofGenerator.test.ts +0 -124
package/src/__tests__/QuoteBuilder.test.ts +0 -516
package/src/__tests__/StateMachine.test.ts +0 -82
package/src/__tests__/builders/DeliveryProofBuilder.test.ts +0 -581
package/src/__tests__/integration/ACTPClient.test.ts +0 -263
package/src/__tests__/integration.test.ts +0 -289
package/src/__tests__/protocol/EASHelper.test.ts +0 -472
package/src/__tests__/protocol/EventMonitor.test.ts +0 -382
package/src/__tests__/security/ACTPKernel.security.test.ts +0 -1167
package/src/__tests__/security/EscrowVault.security.test.ts +0 -570
package/src/__tests__/security/MessageSigner.security.test.ts +0 -286
package/src/__tests__/security/NonceReplay.security.test.ts +0 -501
package/src/__tests__/security/validation.security.test.ts +0 -376
package/src/__tests__/utils/IPFSClient.test.ts +0 -262
package/src/__tests__/utils/NonceManager.test.ts +0 -205
package/src/__tests__/utils/canonicalJson.test.ts +0 -153

package/src/utils/IPFSClient.ts CHANGED Viewed

@@ -59,6 +59,24 @@ export interface IPFSClientConfig {
    * Default: 60000 (60 seconds)
    */
   timeout?: number;
+  /**
+   * SECURITY FIX (MEDIUM-3): Maximum content size in bytes
+   * Default: 50MB (50 * 1024 * 1024)
+   */
+  maxSize?: number;
+  /**
+   * SECURITY FIX (MEDIUM-3): Allowed URL protocols
+   * Default: ['http:', 'https:'] (http for localhost, https for remote)
+   */
+  allowedProtocols?: string[];
+  /**
+   * SECURITY FIX (MEDIUM-3): Allow localhost URLs
+   * Default: true (required for local IPFS daemon)
+   */
+  allowLocalhost?: boolean;
 }
 /**
@@ -81,21 +99,45 @@ export const IPFS_CONFIGS = {
 /**
  * IPFS HTTP Client Implementation
  * Uses ipfs-http-client library
+ *
+ * SECURITY FIX (MEDIUM-3): Now includes URL and size validation
  */
 export class IPFSHTTPClientImpl implements IPFSClient {
   private client: IPFSHTTPClient;
-  private config: IPFSClientConfig;
+  private config: Required<IPFSClientConfig>;
+  // SECURITY FIX (MEDIUM-3): Default security settings
+  private static readonly DEFAULT_MAX_SIZE = 50 * 1024 * 1024; // 50MB
+  private static readonly DEFAULT_ALLOWED_PROTOCOLS = ['http:', 'https:'];
+  private static readonly BLOCKED_HOSTS = [
+    'metadata.google.internal',
+    '169.254.169.254',
+    'metadata.aws.internal',
+  ];
   /**
    * Create IPFS client
+   *
+   * SECURITY FIX (MEDIUM-3): Validates URL and adds size limits
+   *
    * @param config - IPFS client configuration
+   * @throws Error if URL is invalid or blocked
    */
   constructor(config: IPFSClientConfig = {}) {
+    const url = config.url || 'http://localhost:5001';
+    // SECURITY FIX (MEDIUM-3): Validate URL
+    this.validateUrl(url, config.allowLocalhost ?? true, config.allowedProtocols);
     this.config = {
-      url: config.url || 'http://localhost:5001',
+      url,
       timeout: config.timeout || 60000,
-      ...config
-    };
+      maxSize: config.maxSize || IPFSHTTPClientImpl.DEFAULT_MAX_SIZE,
+      allowedProtocols: config.allowedProtocols || IPFSHTTPClientImpl.DEFAULT_ALLOWED_PROTOCOLS,
+      allowLocalhost: config.allowLocalhost ?? true,
+      auth: config.auth,
+      headers: config.headers,
+    } as Required<IPFSClientConfig>;
     const options: Options = {
       url: this.config.url,
@@ -117,15 +159,76 @@ export class IPFSHTTPClientImpl implements IPFSClient {
     this.client = create(options);
   }
+  /**
+   * SECURITY FIX (MEDIUM-3): Validate IPFS endpoint URL
+   */
+  private validateUrl(
+    url: string,
+    allowLocalhost: boolean,
+    allowedProtocols?: string[]
+  ): void {
+    let parsed: URL;
+    try {
+      parsed = new URL(url);
+    } catch {
+      throw new Error(`Invalid IPFS endpoint URL: ${url}`);
+    }
+    const protocols = allowedProtocols || IPFSHTTPClientImpl.DEFAULT_ALLOWED_PROTOCOLS;
+    if (!protocols.includes(parsed.protocol)) {
+      throw new Error(
+        `IPFS endpoint protocol "${parsed.protocol}" not allowed. ` +
+        `Allowed protocols: ${protocols.join(', ')}`
+      );
+    }
+    const hostname = parsed.hostname.toLowerCase();
+    // Check blocked hosts (cloud metadata endpoints)
+    if (IPFSHTTPClientImpl.BLOCKED_HOSTS.includes(hostname)) {
+      throw new Error(
+        `IPFS endpoint hostname "${hostname}" is blocked for security reasons.`
+      );
+    }
+    // Check localhost
+    const isLocalhost = ['localhost', '127.0.0.1', '0.0.0.0', '[::1]'].includes(hostname);
+    if (isLocalhost && !allowLocalhost) {
+      throw new Error(
+        `Localhost IPFS endpoints are disabled. Set allowLocalhost: true to enable.`
+      );
+    }
+    // For remote hosts, require HTTPS
+    if (!isLocalhost && parsed.protocol !== 'https:') {
+      console.warn(
+        `[SECURITY WARNING] Using non-HTTPS protocol "${parsed.protocol}" for remote IPFS endpoint "${hostname}". ` +
+        `This may expose data in transit. Consider using HTTPS.`
+      );
+    }
+  }
   /**
    * Upload data to IPFS
+   *
+   * SECURITY FIX (MEDIUM-3): Validates size before upload
+   *
    * @param data - JSON string or buffer
    * @returns CIDv1 string (base32)
+   * @throws Error if data exceeds maxSize
    */
   async add(data: string | Buffer): Promise<string> {
     try {
       const content = typeof data === 'string' ? Buffer.from(data, 'utf-8') : data;
+      // SECURITY FIX (MEDIUM-3): Check size before upload
+      if (content.length > this.config.maxSize) {
+        throw new Error(
+          `Content too large: ${content.length} bytes exceeds maximum of ${this.config.maxSize} bytes`
+        );
+      }
       const result = await this.client.add(content, {
         cidVersion: 1, // Use CIDv1 (base32)
         hashAlg: 'sha2-256',
@@ -153,19 +256,33 @@ export class IPFSHTTPClientImpl implements IPFSClient {
   /**
    * Retrieve content from IPFS
+   *
+   * SECURITY FIX (MEDIUM-3): Validates size during retrieval
+   *
    * @param cid - IPFS CID
    * @returns Content as string
+   * @throws Error if content exceeds maxSize
    */
   async get(cid: string): Promise<string> {
     try {
       const chunks: Uint8Array[] = [];
+      let totalLength = 0;
       for await (const chunk of this.client.cat(cid)) {
+        totalLength += chunk.length;
+        // SECURITY FIX (MEDIUM-3): Check size during streaming to prevent DoS
+        if (totalLength > this.config.maxSize) {
+          throw new Error(
+            `Content too large: ${totalLength}+ bytes exceeds maximum of ${this.config.maxSize} bytes. ` +
+            `Consider increasing maxSize in IPFSClientConfig if this is expected.`
+          );
+        }
         chunks.push(chunk);
       }
       // Concatenate all chunks
-      const totalLength = chunks.reduce((acc, chunk) => acc + chunk.length, 0);
       const result = new Uint8Array(totalLength);
       let offset = 0;

package/src/utils/Logger.ts ADDED Viewed

@@ -0,0 +1,484 @@
+/**
+ * Logger - Structured Logging Framework for ACTP SDK
+ *
+ * SECURITY FIX (M-6): Comprehensive logging with:
+ * - Log levels (debug, info, warn, error)
+ * - Structured metadata
+ * - Sensitive data filtering
+ * - Configurable output
+ *
+ * @module utils/Logger
+ */
+/**
+ * Log levels in order of severity
+ */
+export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
+/**
+ * Log entry structure
+ */
+export interface LogEntry {
+  /** Timestamp */
+  timestamp: string;
+  /** Log level */
+  level: LogLevel;
+  /** Log message */
+  message: string;
+  /** Source module/component */
+  source?: string;
+  /** Additional metadata */
+  metadata?: Record<string, unknown>;
+  /** Error details (if applicable) */
+  error?: {
+    name: string;
+    message: string;
+    stack?: string;
+  };
+}
+/**
+ * Logger configuration
+ */
+export interface LoggerConfig {
+  /** Minimum log level to output */
+  minLevel?: LogLevel;
+  /** Source identifier for this logger */
+  source?: string;
+  /** Whether to include timestamps */
+  timestamps?: boolean;
+  /** Whether to filter sensitive data */
+  filterSensitive?: boolean;
+  /** Custom output handler */
+  output?: (entry: LogEntry) => void;
+  /** Whether logging is enabled */
+  enabled?: boolean;
+}
+/**
+ * Sensitive key name patterns (for checking object keys)
+ *
+ * SECURITY FIX (NEW-HIGH-3): NO GLOBAL FLAG on patterns used with .test()
+ * Global regex maintains lastIndex state, causing alternating match/no-match
+ * on consecutive calls, potentially leaking sensitive data intermittently.
+ */
+const SENSITIVE_KEY_PATTERNS: RegExp[] = [
+  /privateKey/i,
+  /secret/i,
+  /password/i,
+  /apiKey/i,
+  /authorization/i,
+  /mnemonic/i,
+  /seed/i,
+];
+/**
+ * Sensitive value patterns (for redacting from string values)
+ *
+ * SECURITY FIX (NEW-HIGH-3): These are PATTERN STRINGS that get converted
+ * to fresh RegExp instances with /g flag for each replace() call.
+ * This avoids lastIndex state pollution between calls.
+ */
+const SENSITIVE_VALUE_PATTERNS: string[] = [
+  'bearer\\s+[a-zA-Z0-9\\-_.]+',  // Bearer tokens
+  '0x[a-fA-F0-9]{64}',            // Private keys (64 hex chars)
+  '0x[a-fA-F0-9]{128}',           // Extended private keys
+];
+/**
+ * Log level priority (higher = more severe)
+ */
+const LOG_LEVEL_PRIORITY: Record<LogLevel, number> = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+};
+/**
+ * Structured Logger for ACTP SDK
+ *
+ * @example
+ * ```typescript
+ * const logger = new Logger({ source: 'BlockchainRuntime', minLevel: 'info' });
+ *
+ * logger.info('Transaction created', { txId: '0x...' });
+ * logger.error('Transaction failed', { txId: '0x...' }, error);
+ * ```
+ */
+export class Logger {
+  private config: Required<LoggerConfig>;
+  constructor(config: LoggerConfig = {}) {
+    this.config = {
+      minLevel: config.minLevel ?? 'info',
+      source: config.source ?? 'ACTP-SDK',
+      timestamps: config.timestamps ?? true,
+      filterSensitive: config.filterSensitive ?? true,
+      output: config.output ?? this.defaultOutput.bind(this),
+      enabled: config.enabled ?? true,
+    };
+  }
+  /**
+   * Create child logger with inherited config
+   */
+  child(source: string): Logger {
+    return new Logger({
+      ...this.config,
+      source: `${this.config.source}:${source}`,
+    });
+  }
+  /**
+   * Log debug message
+   */
+  debug(message: string, metadata?: Record<string, unknown>): void {
+    this.log('debug', message, metadata);
+  }
+  /**
+   * Log info message
+   */
+  info(message: string, metadata?: Record<string, unknown>): void {
+    this.log('info', message, metadata);
+  }
+  /**
+   * Log warning message
+   */
+  warn(message: string, metadata?: Record<string, unknown>): void {
+    this.log('warn', message, metadata);
+  }
+  /**
+   * Log error message
+   */
+  error(message: string, metadata?: Record<string, unknown>, error?: Error): void {
+    this.log('error', message, metadata, error);
+  }
+  /**
+   * Core logging method
+   */
+  private log(
+    level: LogLevel,
+    message: string,
+    metadata?: Record<string, unknown>,
+    error?: Error
+  ): void {
+    if (!this.config.enabled) {
+      return;
+    }
+    // Check log level
+    if (LOG_LEVEL_PRIORITY[level] < LOG_LEVEL_PRIORITY[this.config.minLevel]) {
+      return;
+    }
+    // Build log entry
+    const entry: LogEntry = {
+      timestamp: this.config.timestamps ? new Date().toISOString() : '',
+      level,
+      message,
+      source: this.config.source,
+    };
+    // Add metadata (filtered for sensitive data)
+    if (metadata) {
+      entry.metadata = this.config.filterSensitive
+        ? this.filterSensitiveData(metadata)
+        : metadata;
+    }
+    // Add error details
+    if (error) {
+      entry.error = {
+        name: error.name,
+        message: error.message,
+        stack: error.stack,
+      };
+    }
+    // Output the log
+    this.config.output(entry);
+  }
+  /**
+   * Filter sensitive data from metadata
+   *
+   * SECURITY FIX (NEW-HIGH-3): Uses separate pattern arrays for keys and values.
+   * Key patterns have no /g flag (used with .test()).
+   * Value patterns are strings converted to fresh RegExp instances per call.
+   */
+  private filterSensitiveData(obj: Record<string, unknown>): Record<string, unknown> {
+    const filtered: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(obj)) {
+      // SECURITY FIX (NEW-HIGH-3): Check if key matches sensitive pattern
+      // Using patterns without /g flag - safe to use with .test()
+      const isSensitiveKey = SENSITIVE_KEY_PATTERNS.some((pattern) => pattern.test(key));
+      if (isSensitiveKey) {
+        filtered[key] = '[REDACTED]';
+        continue;
+      }
+      // Recursively filter nested objects
+      if (value && typeof value === 'object' && !Array.isArray(value)) {
+        filtered[key] = this.filterSensitiveData(value as Record<string, unknown>);
+      } else if (Array.isArray(value)) {
+        // SECURITY FIX: Also filter arrays
+        filtered[key] = value.map((item) => {
+          if (typeof item === 'string') {
+            return this.redactSensitiveValues(item);
+          } else if (item && typeof item === 'object') {
+            return this.filterSensitiveData(item as Record<string, unknown>);
+          }
+          return item;
+        });
+      } else if (typeof value === 'string') {
+        // SECURITY FIX (NEW-HIGH-3): Redact sensitive patterns from values
+        filtered[key] = this.redactSensitiveValues(value);
+      } else {
+        filtered[key] = value;
+      }
+    }
+    return filtered;
+  }
+  /**
+   * Redact sensitive patterns from a string value
+   *
+   * SECURITY FIX (NEW-HIGH-3): Creates fresh RegExp instances with /gi flag
+   * for each call, avoiding lastIndex state pollution.
+   */
+  private redactSensitiveValues(value: string): string {
+    let result = value;
+    for (const patternStr of SENSITIVE_VALUE_PATTERNS) {
+      // Create fresh RegExp instance with global+case-insensitive flags
+      // This avoids lastIndex state issues from reusing regex instances
+      const pattern = new RegExp(patternStr, 'gi');
+      result = result.replace(pattern, '[REDACTED]');
+    }
+    return result;
+  }
+  /**
+   * Default console output handler
+   */
+  private defaultOutput(entry: LogEntry): void {
+    const prefix = entry.timestamp ? `[${entry.timestamp}] ` : '';
+    const source = entry.source ? `[${entry.source}] ` : '';
+    const levelStr = entry.level.toUpperCase().padEnd(5);
+    const baseMessage = `${prefix}${levelStr} ${source}${entry.message}`;
+    switch (entry.level) {
+      case 'debug':
+        console.debug(baseMessage, entry.metadata || '');
+        break;
+      case 'info':
+        console.info(baseMessage, entry.metadata || '');
+        break;
+      case 'warn':
+        console.warn(baseMessage, entry.metadata || '');
+        break;
+      case 'error':
+        console.error(baseMessage, entry.metadata || '', entry.error || '');
+        break;
+    }
+  }
+  /**
+   * Enable logging
+   */
+  enable(): void {
+    this.config.enabled = true;
+  }
+  /**
+   * Disable logging
+   */
+  disable(): void {
+    this.config.enabled = false;
+  }
+  /**
+   * Set minimum log level
+   */
+  setLevel(level: LogLevel): void {
+    this.config.minLevel = level;
+  }
+}
+/**
+ * Global SDK logger instance
+ */
+export const sdkLogger = new Logger({
+  source: 'ACTP-SDK',
+  minLevel: process.env.ACTP_LOG_LEVEL as LogLevel || 'info',
+  enabled: process.env.ACTP_LOGGING !== 'false',
+});
+/**
+ * Metrics/monitoring hook interface
+ *
+ * SECURITY FIX (M-7): Metrics and monitoring hooks
+ */
+export interface MetricsHook {
+  /** Called when a transaction is created */
+  onTransactionCreated?: (txId: string, metadata: Record<string, unknown>) => void;
+  /** Called when escrow is linked */
+  onEscrowLinked?: (txId: string, escrowId: string, amount: string) => void;
+  /** Called when state transitions */
+  onStateTransition?: (txId: string, fromState: string, toState: string) => void;
+  /** Called when escrow is released */
+  onEscrowReleased?: (escrowId: string, amount: string) => void;
+  /** Called on errors */
+  onError?: (error: Error, context: Record<string, unknown>) => void;
+  /** Called for performance metrics */
+  onPerformance?: (operation: string, durationMs: number, metadata?: Record<string, unknown>) => void;
+}
+/**
+ * Metrics collector for SDK operations
+ */
+export class MetricsCollector {
+  private hooks: MetricsHook[] = [];
+  private readonly logger: Logger;
+  constructor(logger?: Logger) {
+    this.logger = logger ?? sdkLogger.child('Metrics');
+  }
+  /**
+   * Register a metrics hook
+   */
+  addHook(hook: MetricsHook): void {
+    this.hooks.push(hook);
+  }
+  /**
+   * Remove a metrics hook
+   */
+  removeHook(hook: MetricsHook): void {
+    const index = this.hooks.indexOf(hook);
+    if (index > -1) {
+      this.hooks.splice(index, 1);
+    }
+  }
+  /**
+   * Emit transaction created event
+   */
+  transactionCreated(txId: string, metadata: Record<string, unknown>): void {
+    this.logger.info('Transaction created', { txId, ...metadata });
+    for (const hook of this.hooks) {
+      try {
+        hook.onTransactionCreated?.(txId, metadata);
+      } catch (error) {
+        this.logger.error('Metrics hook error', { hook: 'onTransactionCreated' }, error as Error);
+      }
+    }
+  }
+  /**
+   * Emit escrow linked event
+   */
+  escrowLinked(txId: string, escrowId: string, amount: string): void {
+    this.logger.info('Escrow linked', { txId, escrowId, amount });
+    for (const hook of this.hooks) {
+      try {
+        hook.onEscrowLinked?.(txId, escrowId, amount);
+      } catch (error) {
+        this.logger.error('Metrics hook error', { hook: 'onEscrowLinked' }, error as Error);
+      }
+    }
+  }
+  /**
+   * Emit state transition event
+   */
+  stateTransition(txId: string, fromState: string, toState: string): void {
+    this.logger.info('State transition', { txId, fromState, toState });
+    for (const hook of this.hooks) {
+      try {
+        hook.onStateTransition?.(txId, fromState, toState);
+      } catch (error) {
+        this.logger.error('Metrics hook error', { hook: 'onStateTransition' }, error as Error);
+      }
+    }
+  }
+  /**
+   * Emit escrow released event
+   */
+  escrowReleased(escrowId: string, amount: string): void {
+    this.logger.info('Escrow released', { escrowId, amount });
+    for (const hook of this.hooks) {
+      try {
+        hook.onEscrowReleased?.(escrowId, amount);
+      } catch (error) {
+        this.logger.error('Metrics hook error', { hook: 'onEscrowReleased' }, error as Error);
+      }
+    }
+  }
+  /**
+   * Emit error event
+   */
+  recordError(error: Error, context: Record<string, unknown>): void {
+    this.logger.error('Error recorded', context, error);
+    for (const hook of this.hooks) {
+      try {
+        hook.onError?.(error, context);
+      } catch (hookError) {
+        this.logger.error('Metrics hook error', { hook: 'onError' }, hookError as Error);
+      }
+    }
+  }
+  /**
+   * Emit performance metric
+   */
+  recordPerformance(operation: string, durationMs: number, metadata?: Record<string, unknown>): void {
+    this.logger.debug('Performance', { operation, durationMs, ...metadata });
+    for (const hook of this.hooks) {
+      try {
+        hook.onPerformance?.(operation, durationMs, metadata);
+      } catch (error) {
+        this.logger.error('Metrics hook error', { hook: 'onPerformance' }, error as Error);
+      }
+    }
+  }
+  /**
+   * Helper to time an operation
+   */
+  async timeOperation<T>(
+    operation: string,
+    fn: () => Promise<T>,
+    metadata?: Record<string, unknown>
+  ): Promise<T> {
+    const startTime = Date.now();
+    try {
+      const result = await fn();
+      const durationMs = Date.now() - startTime;
+      this.recordPerformance(operation, durationMs, { ...metadata, success: true });
+      return result;
+    } catch (error) {
+      const durationMs = Date.now() - startTime;
+      this.recordPerformance(operation, durationMs, { ...metadata, success: false });
+      throw error;
+    }
+  }
+}
+/**
+ * Global metrics collector instance
+ */
+export const sdkMetrics = new MetricsCollector();