npm - @agirails/sdk - Versions diffs - 2.0.1-beta → 2.0.2 - Mend

@agirails/sdk 2.0.1-beta → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (405) hide show

package/LICENSE +190 -0
package/README.md +116 -108
package/bin/actp +10 -0
package/dist/ACTPClient.d.ts +456 -33
package/dist/ACTPClient.d.ts.map +1 -1
package/dist/ACTPClient.js +477 -93
package/dist/ACTPClient.js.map +1 -1
package/dist/abi/AgentRegistry.json +782 -0
package/dist/abi/EscrowVault.json +106 -38
package/dist/abi/IdentityRegistry.json +316 -0
package/dist/adapters/BaseAdapter.d.ts +231 -0
package/dist/adapters/BaseAdapter.d.ts.map +1 -0
package/dist/adapters/BaseAdapter.js +393 -0
package/dist/adapters/BaseAdapter.js.map +1 -0
package/dist/adapters/BeginnerAdapter.d.ts +152 -0
package/dist/adapters/BeginnerAdapter.d.ts.map +1 -0
package/dist/adapters/BeginnerAdapter.js +168 -0
package/dist/adapters/BeginnerAdapter.js.map +1 -0
package/dist/adapters/IntermediateAdapter.d.ts +211 -0
package/dist/adapters/IntermediateAdapter.d.ts.map +1 -0
package/dist/adapters/IntermediateAdapter.js +260 -0
package/dist/adapters/IntermediateAdapter.js.map +1 -0
package/dist/adapters/index.d.ts +15 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +26 -0
package/dist/adapters/index.js.map +1 -0
package/dist/builders/DeliveryProofBuilder.d.ts +60 -1
package/dist/builders/DeliveryProofBuilder.d.ts.map +1 -1
package/dist/builders/DeliveryProofBuilder.js +81 -5
package/dist/builders/DeliveryProofBuilder.js.map +1 -1
package/dist/builders/QuoteBuilder.d.ts +101 -0
package/dist/builders/QuoteBuilder.d.ts.map +1 -1
package/dist/builders/QuoteBuilder.js +120 -3
package/dist/builders/QuoteBuilder.js.map +1 -1
package/dist/builders/index.d.ts +4 -0
package/dist/builders/index.d.ts.map +1 -1
package/dist/builders/index.js +4 -0
package/dist/builders/index.js.map +1 -1
package/dist/cli/commands/balance.d.ts +13 -0
package/dist/cli/commands/balance.d.ts.map +1 -0
package/dist/cli/commands/balance.js +89 -0
package/dist/cli/commands/balance.js.map +1 -0
package/dist/cli/commands/batch.d.ts +24 -0
package/dist/cli/commands/batch.d.ts.map +1 -0
package/dist/cli/commands/batch.js +424 -0
package/dist/cli/commands/batch.js.map +1 -0
package/dist/cli/commands/config.d.ts +13 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +192 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/init.d.ts +19 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +143 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/mint.d.ts +13 -0
package/dist/cli/commands/mint.d.ts.map +1 -0
package/dist/cli/commands/mint.js +91 -0
package/dist/cli/commands/mint.js.map +1 -0
package/dist/cli/commands/pay.d.ts +18 -0
package/dist/cli/commands/pay.d.ts.map +1 -0
package/dist/cli/commands/pay.js +87 -0
package/dist/cli/commands/pay.js.map +1 -0
package/dist/cli/commands/simulate.d.ts +32 -0
package/dist/cli/commands/simulate.d.ts.map +1 -0
package/dist/cli/commands/simulate.js +290 -0
package/dist/cli/commands/simulate.js.map +1 -0
package/dist/cli/commands/time.d.ts +29 -0
package/dist/cli/commands/time.d.ts.map +1 -0
package/dist/cli/commands/time.js +252 -0
package/dist/cli/commands/time.js.map +1 -0
package/dist/cli/commands/tx.d.ts +16 -0
package/dist/cli/commands/tx.d.ts.map +1 -0
package/dist/cli/commands/tx.js +379 -0
package/dist/cli/commands/tx.js.map +1 -0
package/dist/cli/commands/watch.d.ts +20 -0
package/dist/cli/commands/watch.d.ts.map +1 -0
package/dist/cli/commands/watch.js +160 -0
package/dist/cli/commands/watch.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +104 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/utils/client.d.ts +70 -0
package/dist/cli/utils/client.d.ts.map +1 -0
package/dist/cli/utils/client.js +240 -0
package/dist/cli/utils/client.js.map +1 -0
package/dist/cli/utils/config.d.ts +91 -0
package/dist/cli/utils/config.d.ts.map +1 -0
package/dist/cli/utils/config.js +240 -0
package/dist/cli/utils/config.js.map +1 -0
package/dist/cli/utils/output.d.ts +174 -0
package/dist/cli/utils/output.d.ts.map +1 -0
package/dist/cli/utils/output.js +380 -0
package/dist/cli/utils/output.js.map +1 -0
package/dist/config/networks.d.ts +28 -0
package/dist/config/networks.d.ts.map +1 -1
package/dist/config/networks.js +60 -12
package/dist/config/networks.js.map +1 -1
package/dist/errors/index.d.ts +165 -2
package/dist/errors/index.d.ts.map +1 -1
package/dist/errors/index.js +260 -2
package/dist/errors/index.js.map +1 -1
package/dist/index.d.ts +61 -13
package/dist/index.d.ts.map +1 -1
package/dist/index.js +141 -36
package/dist/index.js.map +1 -1
package/dist/level0/Provider.d.ts +106 -0
package/dist/level0/Provider.d.ts.map +1 -0
package/dist/level0/Provider.js +10 -0
package/dist/level0/Provider.js.map +1 -0
package/dist/level0/ServiceDirectory.d.ts +74 -0
package/dist/level0/ServiceDirectory.d.ts.map +1 -0
package/dist/level0/ServiceDirectory.js +122 -0
package/dist/level0/ServiceDirectory.js.map +1 -0
package/dist/level0/index.d.ts +10 -0
package/dist/level0/index.d.ts.map +1 -0
package/dist/level0/index.js +15 -0
package/dist/level0/index.js.map +1 -0
package/dist/level0/provide.d.ts +51 -0
package/dist/level0/provide.d.ts.map +1 -0
package/dist/level0/provide.js +113 -0
package/dist/level0/provide.js.map +1 -0
package/dist/level0/request.d.ts +53 -0
package/dist/level0/request.d.ts.map +1 -0
package/dist/level0/request.js +462 -0
package/dist/level0/request.js.map +1 -0
package/dist/level1/Agent.d.ts +472 -0
package/dist/level1/Agent.d.ts.map +1 -0
package/dist/level1/Agent.js +1091 -0
package/dist/level1/Agent.js.map +1 -0
package/dist/level1/index.d.ts +10 -0
package/dist/level1/index.d.ts.map +1 -0
package/dist/level1/index.js +30 -0
package/dist/level1/index.js.map +1 -0
package/dist/level1/pricing/PriceCalculator.d.ts +62 -0
package/dist/level1/pricing/PriceCalculator.d.ts.map +1 -0
package/dist/level1/pricing/PriceCalculator.js +237 -0
package/dist/level1/pricing/PriceCalculator.js.map +1 -0
package/dist/level1/pricing/PricingStrategy.d.ts +179 -0
package/dist/level1/pricing/PricingStrategy.d.ts.map +1 -0
package/dist/level1/pricing/PricingStrategy.js +11 -0
package/dist/level1/pricing/PricingStrategy.js.map +1 -0
package/dist/level1/types/Job.d.ts +166 -0
package/dist/level1/types/Job.d.ts.map +1 -0
package/dist/level1/types/Job.js +11 -0
package/dist/level1/types/Job.js.map +1 -0
package/dist/level1/types/Options.d.ts +258 -0
package/dist/level1/types/Options.d.ts.map +1 -0
package/dist/level1/types/Options.js +8 -0
package/dist/level1/types/Options.js.map +1 -0
package/dist/level1/types/index.d.ts +8 -0
package/dist/level1/types/index.d.ts.map +1 -0
package/dist/level1/types/index.js +8 -0
package/dist/level1/types/index.js.map +1 -0
package/dist/protocol/ACTPKernel.d.ts +229 -2
package/dist/protocol/ACTPKernel.d.ts.map +1 -1
package/dist/protocol/ACTPKernel.js +367 -33
package/dist/protocol/ACTPKernel.js.map +1 -1
package/dist/protocol/AgentRegistry.d.ts +177 -0
package/dist/protocol/AgentRegistry.d.ts.map +1 -0
package/dist/protocol/AgentRegistry.js +449 -0
package/dist/protocol/AgentRegistry.js.map +1 -0
package/dist/protocol/DIDManager.d.ts +289 -0
package/dist/protocol/DIDManager.d.ts.map +1 -0
package/dist/protocol/DIDManager.js +481 -0
package/dist/protocol/DIDManager.js.map +1 -0
package/dist/protocol/DIDResolver.d.ts +236 -0
package/dist/protocol/DIDResolver.d.ts.map +1 -0
package/dist/protocol/DIDResolver.js +495 -0
package/dist/protocol/DIDResolver.js.map +1 -0
package/dist/protocol/EASHelper.d.ts +57 -2
package/dist/protocol/EASHelper.d.ts.map +1 -1
package/dist/protocol/EASHelper.js +230 -37
package/dist/protocol/EASHelper.js.map +1 -1
package/dist/protocol/EscrowVault.d.ts +93 -2
package/dist/protocol/EscrowVault.d.ts.map +1 -1
package/dist/protocol/EscrowVault.js +122 -33
package/dist/protocol/EscrowVault.js.map +1 -1
package/dist/protocol/EventMonitor.d.ts +45 -1
package/dist/protocol/EventMonitor.d.ts.map +1 -1
package/dist/protocol/EventMonitor.js +64 -8
package/dist/protocol/EventMonitor.js.map +1 -1
package/dist/protocol/MessageSigner.d.ts +116 -2
package/dist/protocol/MessageSigner.d.ts.map +1 -1
package/dist/protocol/MessageSigner.js +215 -9
package/dist/protocol/MessageSigner.js.map +1 -1
package/dist/protocol/ProofGenerator.d.ts +93 -0
package/dist/protocol/ProofGenerator.d.ts.map +1 -1
package/dist/protocol/ProofGenerator.js +194 -9
package/dist/protocol/ProofGenerator.js.map +1 -1
package/dist/protocol/QuoteBuilder.d.ts +8 -0
package/dist/protocol/QuoteBuilder.d.ts.map +1 -1
package/dist/protocol/QuoteBuilder.js +8 -0
package/dist/protocol/QuoteBuilder.js.map +1 -1
package/dist/runtime/BlockchainRuntime.d.ts +360 -0
package/dist/runtime/BlockchainRuntime.d.ts.map +1 -0
package/dist/runtime/BlockchainRuntime.js +767 -0
package/dist/runtime/BlockchainRuntime.js.map +1 -0
package/dist/runtime/IACTPRuntime.d.ts +271 -0
package/dist/runtime/IACTPRuntime.d.ts.map +1 -0
package/dist/runtime/IACTPRuntime.js +15 -0
package/dist/runtime/IACTPRuntime.js.map +1 -0
package/dist/runtime/MockRuntime.d.ts +445 -0
package/dist/runtime/MockRuntime.d.ts.map +1 -0
package/dist/runtime/MockRuntime.js +1065 -0
package/dist/runtime/MockRuntime.js.map +1 -0
package/dist/runtime/MockStateManager.d.ts +233 -0
package/dist/runtime/MockStateManager.d.ts.map +1 -0
package/dist/runtime/MockStateManager.js +533 -0
package/dist/runtime/MockStateManager.js.map +1 -0
package/dist/runtime/index.d.ts +14 -0
package/dist/runtime/index.d.ts.map +1 -0
package/dist/runtime/index.js +42 -0
package/dist/runtime/index.js.map +1 -0
package/dist/runtime/types/MockState.d.ts +167 -0
package/dist/runtime/types/MockState.d.ts.map +1 -0
package/dist/runtime/types/MockState.js +43 -0
package/dist/runtime/types/MockState.js.map +1 -0
package/dist/types/agent.d.ts +76 -0
package/dist/types/agent.d.ts.map +1 -0
package/dist/types/agent.js +8 -0
package/dist/types/agent.js.map +1 -0
package/dist/types/did.d.ts +192 -0
package/dist/types/did.d.ts.map +1 -0
package/dist/types/did.js +38 -0
package/dist/types/did.js.map +1 -0
package/dist/types/eip712.d.ts +34 -0
package/dist/types/eip712.d.ts.map +1 -1
package/dist/types/eip712.js +31 -5
package/dist/types/eip712.js.map +1 -1
package/dist/types/escrow.d.ts +17 -10
package/dist/types/escrow.d.ts.map +1 -1
package/dist/types/index.d.ts +5 -0
package/dist/types/index.d.ts.map +1 -1
package/dist/types/index.js +8 -0
package/dist/types/index.js.map +1 -1
package/dist/types/message.d.ts +32 -0
package/dist/types/message.d.ts.map +1 -1
package/dist/types/message.js +4 -0
package/dist/types/message.js.map +1 -1
package/dist/types/state.d.ts +28 -0
package/dist/types/state.d.ts.map +1 -1
package/dist/types/state.js +37 -6
package/dist/types/state.js.map +1 -1
package/dist/types/transaction.d.ts +17 -0
package/dist/types/transaction.d.ts.map +1 -1
package/dist/utils/ErrorRecoveryGuide.d.ts +125 -0
package/dist/utils/ErrorRecoveryGuide.d.ts.map +1 -0
package/dist/utils/ErrorRecoveryGuide.js +579 -0
package/dist/utils/ErrorRecoveryGuide.js.map +1 -0
package/dist/utils/Helpers.d.ts +453 -0
package/dist/utils/Helpers.d.ts.map +1 -0
package/dist/utils/Helpers.js +623 -0
package/dist/utils/Helpers.js.map +1 -0
package/dist/utils/IPFSClient.d.ts +113 -0
package/dist/utils/IPFSClient.d.ts.map +1 -1
package/dist/utils/IPFSClient.js +128 -7
package/dist/utils/IPFSClient.js.map +1 -1
package/dist/utils/Logger.d.ts +195 -0
package/dist/utils/Logger.d.ts.map +1 -0
package/dist/utils/Logger.js +382 -0
package/dist/utils/Logger.js.map +1 -0
package/dist/utils/NonceManager.d.ts +234 -1
package/dist/utils/NonceManager.d.ts.map +1 -1
package/dist/utils/NonceManager.js +372 -7
package/dist/utils/NonceManager.js.map +1 -1
package/dist/utils/RateLimiter.d.ts +253 -0
package/dist/utils/RateLimiter.d.ts.map +1 -0
package/dist/utils/RateLimiter.js +424 -0
package/dist/utils/RateLimiter.js.map +1 -0
package/dist/utils/ReceivedNonceTracker.d.ts +175 -0
package/dist/utils/ReceivedNonceTracker.d.ts.map +1 -1
package/dist/utils/ReceivedNonceTracker.js +261 -5
package/dist/utils/ReceivedNonceTracker.js.map +1 -1
package/dist/utils/SDKLifecycle.d.ts +156 -0
package/dist/utils/SDKLifecycle.d.ts.map +1 -0
package/dist/utils/SDKLifecycle.js +347 -0
package/dist/utils/SDKLifecycle.js.map +1 -0
package/dist/utils/SecureNonce.d.ts +57 -0
package/dist/utils/SecureNonce.d.ts.map +1 -0
package/dist/utils/SecureNonce.js +80 -0
package/dist/utils/SecureNonce.js.map +1 -0
package/dist/utils/Semaphore.d.ts +123 -0
package/dist/utils/Semaphore.d.ts.map +1 -0
package/dist/utils/Semaphore.js +247 -0
package/dist/utils/Semaphore.js.map +1 -0
package/dist/utils/UsedAttestationTracker.d.ts +167 -0
package/dist/utils/UsedAttestationTracker.d.ts.map +1 -0
package/dist/utils/UsedAttestationTracker.js +309 -0
package/dist/utils/UsedAttestationTracker.js.map +1 -0
package/dist/utils/canonicalJson.d.ts +22 -0
package/dist/utils/canonicalJson.d.ts.map +1 -1
package/dist/utils/canonicalJson.js +26 -3
package/dist/utils/canonicalJson.js.map +1 -1
package/dist/utils/computeTypeHash.d.ts +14 -0
package/dist/utils/computeTypeHash.d.ts.map +1 -1
package/dist/utils/computeTypeHash.js +19 -2
package/dist/utils/computeTypeHash.js.map +1 -1
package/dist/utils/fsSafe.d.ts +14 -0
package/dist/utils/fsSafe.d.ts.map +1 -0
package/dist/utils/fsSafe.js +89 -0
package/dist/utils/fsSafe.js.map +1 -0
package/dist/utils/index.d.ts +15 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +51 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/security.d.ts +147 -0
package/dist/utils/security.d.ts.map +1 -0
package/dist/utils/security.js +391 -0
package/dist/utils/security.js.map +1 -0
package/dist/utils/validation.d.ts +40 -0
package/dist/utils/validation.d.ts.map +1 -1
package/dist/utils/validation.js +184 -7
package/dist/utils/validation.js.map +1 -1
package/package.json +54 -37
package/src/ACTPClient.ts +692 -178
package/src/abi/AgentRegistry.json +782 -0
package/src/abi/EscrowVault.json +106 -38
package/src/abi/IdentityRegistry.json +316 -0
package/src/adapters/BaseAdapter.ts +473 -0
package/src/adapters/BeginnerAdapter.ts +232 -0
package/src/adapters/IntermediateAdapter.ts +316 -0
package/src/adapters/index.ts +25 -0
package/src/builders/DeliveryProofBuilder.ts +3 -2
package/src/cli/commands/balance.ts +110 -0
package/src/cli/commands/batch.ts +487 -0
package/src/cli/commands/config.ts +231 -0
package/src/cli/commands/init.ts +161 -0
package/src/cli/commands/mint.ts +116 -0
package/src/cli/commands/pay.ts +113 -0
package/src/cli/commands/simulate.ts +345 -0
package/src/cli/commands/time.ts +303 -0
package/src/cli/commands/tx.ts +448 -0
package/src/cli/commands/watch.ts +211 -0
package/src/cli/index.ts +116 -0
package/src/cli/utils/client.ts +249 -0
package/src/cli/utils/config.ts +282 -0
package/src/cli/utils/output.ts +465 -0
package/src/config/networks.ts +32 -9
package/src/errors/index.ts +298 -1
package/src/index.ts +207 -71
package/src/level0/Provider.ts +117 -0
package/src/level0/ServiceDirectory.ts +131 -0
package/src/level0/index.ts +10 -0
package/src/level0/provide.ts +131 -0
package/src/level0/request.ts +494 -0
package/src/level1/Agent.ts +1432 -0
package/src/level1/index.ts +10 -0
package/src/level1/pricing/PriceCalculator.ts +255 -0
package/src/level1/pricing/PricingStrategy.ts +198 -0
package/src/level1/types/Job.ts +179 -0
package/src/level1/types/Options.ts +291 -0
package/src/level1/types/index.ts +8 -0
package/src/protocol/ACTPKernel.ts +175 -23
package/src/protocol/AgentRegistry.ts +559 -0
package/src/protocol/DIDManager.ts +629 -0
package/src/protocol/DIDResolver.ts +554 -0
package/src/protocol/EASHelper.ts +230 -46
package/src/protocol/EscrowVault.ts +68 -50
package/src/protocol/EventMonitor.ts +44 -15
package/src/protocol/MessageSigner.ts +193 -13
package/src/protocol/ProofGenerator.ts +223 -4
package/src/runtime/BlockchainRuntime.ts +993 -0
package/src/runtime/IACTPRuntime.ts +284 -0
package/src/runtime/MockRuntime.ts +1244 -0
package/src/runtime/MockStateManager.ts +576 -0
package/src/runtime/index.ts +25 -0
package/src/runtime/types/MockState.ts +227 -0
package/src/types/agent.ts +79 -0
package/src/types/did.ts +223 -0
package/src/types/escrow.ts +12 -11
package/src/types/index.ts +5 -1
package/src/types/state.ts +12 -3
package/src/types/transaction.ts +4 -1
package/src/utils/ErrorRecoveryGuide.ts +675 -0
package/src/utils/Helpers.ts +688 -0
package/src/utils/IPFSClient.ts +122 -5
package/src/utils/Logger.ts +484 -0
package/src/utils/NonceManager.ts +305 -8
package/src/utils/RateLimiter.ts +534 -0
package/src/utils/ReceivedNonceTracker.ts +170 -0
package/src/utils/SDKLifecycle.ts +416 -0
package/src/utils/SecureNonce.ts +78 -0
package/src/utils/Semaphore.ts +276 -0
package/src/utils/UsedAttestationTracker.ts +387 -0
package/src/utils/fsSafe.ts +75 -0
package/src/utils/index.ts +80 -0
package/src/utils/security.ts +418 -0
package/src/utils/validation.ts +164 -0
package/src/__tests__/ProofGenerator.test.ts +0 -124
package/src/__tests__/QuoteBuilder.test.ts +0 -516
package/src/__tests__/StateMachine.test.ts +0 -82
package/src/__tests__/builders/DeliveryProofBuilder.test.ts +0 -581
package/src/__tests__/integration/ACTPClient.test.ts +0 -263
package/src/__tests__/integration.test.ts +0 -289
package/src/__tests__/protocol/EASHelper.test.ts +0 -472
package/src/__tests__/protocol/EventMonitor.test.ts +0 -382
package/src/__tests__/security/ACTPKernel.security.test.ts +0 -1167
package/src/__tests__/security/EscrowVault.security.test.ts +0 -570
package/src/__tests__/security/MessageSigner.security.test.ts +0 -286
package/src/__tests__/security/NonceReplay.security.test.ts +0 -501
package/src/__tests__/security/validation.security.test.ts +0 -376
package/src/__tests__/utils/IPFSClient.test.ts +0 -262
package/src/__tests__/utils/NonceManager.test.ts +0 -205
package/src/__tests__/utils/canonicalJson.test.ts +0 -153

package/src/utils/NonceManager.ts CHANGED Viewed

@@ -2,7 +2,21 @@
  * Nonce Manager Implementation
  * Tracks nonces per DID + message type for AIP-4 delivery proofs
  * Reference: AIP-4 §3.2 (nonce field requirement)
+ *
+ * SECURITY FIXES:
+ * - C-2: Added atomic nonce allocation with locking
+ * - H-1: Added persistent nonce storage option
+ * - H-5: Added nonce upper bound validation
+ */
+import { assertSafeFileForRead, ensureSafeDir, ensureSafeFile } from './fsSafe';
+/**
+ * Maximum allowed nonce value.
+ * SECURITY FIX (H-5): Prevents nonce overflow attacks.
+ * Using Number.MAX_SAFE_INTEGER (2^53 - 1) to ensure safe JavaScript integer operations.
  */
+export const MAX_NONCE_VALUE = Number.MAX_SAFE_INTEGER;
 /**
  * Nonce Manager Interface (from DeliveryProofBuilder)
@@ -40,6 +54,10 @@ export interface NonceManager {
  * In-Memory Nonce Manager
  * Simple implementation using Map for per-message-type nonce tracking
  *
+ * SECURITY FIXES:
+ * - C-2: Added atomic getAndIncrementNonce() to prevent race conditions
+ * - H-5: Added nonce upper bound validation
+ *
  * ⚠️ WARNING: Nonces are lost on process restart. For production:
  * - Use persistent storage (Redis, PostgreSQL, etc.)
  * - Implement nonce recovery from blockchain events
@@ -47,6 +65,9 @@ export interface NonceManager {
  */
 export class InMemoryNonceManager implements NonceManager {
   private nonces: Map<string, number> = new Map();
+  // SECURITY FIX (C-2): Mutex for atomic nonce operations
+  // Store both the promise and its resolver for proper lock release
+  private locks: Map<string, { promise: Promise<void>; resolve: () => void }> = new Map();
   /**
    * Create in-memory nonce manager
@@ -55,11 +76,58 @@ export class InMemoryNonceManager implements NonceManager {
   constructor(initialNonces?: Record<string, number>) {
     if (initialNonces) {
       Object.entries(initialNonces).forEach(([messageType, nonce]) => {
+        // SECURITY FIX (H-5): Validate initial nonces
+        if (nonce > MAX_NONCE_VALUE) {
+          throw new Error(
+            `Initial nonce ${nonce} for ${messageType} exceeds maximum allowed value ${MAX_NONCE_VALUE}`
+          );
+        }
         this.nonces.set(messageType, nonce);
       });
     }
   }
+  /**
+   * SECURITY FIX (C-2 + DEADLOCK-FIX): Acquire lock for message type
+   * Ensures atomic nonce operations.
+   *
+   * FIXED: Previous implementation had a deadlock bug where:
+   * - The resolver was stored in a closure but never accessible to releaseLock()
+   * - releaseLock() just deleted the entry without resolving waiting Promises
+   *
+   * New implementation stores both promise AND resolver together.
+   */
+  private async acquireLock(messageType: string): Promise<void> {
+    // Wait for any existing lock to be released
+    while (this.locks.has(messageType)) {
+      const existingLock = this.locks.get(messageType);
+      if (existingLock) {
+        await existingLock.promise;
+      }
+    }
+    // Create new lock with stored resolver
+    let resolver: () => void = () => {};
+    const lockPromise = new Promise<void>((resolve) => {
+      resolver = resolve;
+    });
+    this.locks.set(messageType, { promise: lockPromise, resolve: resolver });
+  }
+  /**
+   * SECURITY FIX (C-2 + DEADLOCK-FIX): Release lock for message type
+   *
+   * FIXED: Now properly resolves the Promise before deleting,
+   * so any waiting acquireLock() calls can proceed.
+   */
+  private releaseLock(messageType: string): void {
+    const lock = this.locks.get(messageType);
+    if (lock) {
+      lock.resolve(); // Resolve the promise first
+      this.locks.delete(messageType); // Then delete the entry
+    }
+  }
   /**
    * Get next nonce for message type
    * @param messageType - Message type identifier
@@ -67,7 +135,44 @@ export class InMemoryNonceManager implements NonceManager {
    */
   getNextNonce(messageType: string): number {
     const current = this.nonces.get(messageType) || 0;
-    return current + 1;
+    const next = current + 1;
+    // SECURITY FIX (H-5): Check upper bound
+    if (next > MAX_NONCE_VALUE) {
+      throw new Error(
+        `Nonce overflow: next nonce ${next} exceeds maximum allowed value ${MAX_NONCE_VALUE}. ` +
+        `Consider resetting nonces or using a larger storage type.`
+      );
+    }
+    return next;
+  }
+  /**
+   * SECURITY FIX (C-2): Atomic get-and-increment nonce
+   * Returns the next nonce and records it atomically to prevent race conditions.
+   *
+   * @param messageType - Message type identifier
+   * @returns Atomically allocated nonce
+   */
+  async getAndIncrementNonce(messageType: string): Promise<number> {
+    await this.acquireLock(messageType);
+    try {
+      const current = this.nonces.get(messageType) || 0;
+      const next = current + 1;
+      // SECURITY FIX (H-5): Check upper bound
+      if (next > MAX_NONCE_VALUE) {
+        throw new Error(
+          `Nonce overflow: next nonce ${next} exceeds maximum allowed value ${MAX_NONCE_VALUE}`
+        );
+      }
+      this.nonces.set(messageType, next);
+      return next;
+    } finally {
+      this.releaseLock(messageType);
+    }
   }
   /**
@@ -78,6 +183,13 @@ export class InMemoryNonceManager implements NonceManager {
   recordNonce(messageType: string, nonce: number): void {
     const current = this.nonces.get(messageType) || 0;
+    // SECURITY FIX (H-5): Check upper bound
+    if (nonce > MAX_NONCE_VALUE) {
+      throw new Error(
+        `Nonce ${nonce} exceeds maximum allowed value ${MAX_NONCE_VALUE}`
+      );
+    }
     // Ensure monotonic increase
     if (nonce <= current) {
       throw new Error(
@@ -276,18 +388,203 @@ export class DIDScopedNonceManager implements NonceManager {
   }
 }
+/**
+ * File-based Nonce Manager for Persistent Storage
+ *
+ * SECURITY FIX (H-1): Persists nonces to disk to survive process restarts.
+ * SECURITY FIX (NEW-H-4): File locking to prevent concurrent write corruption.
+ * Uses atomic file writes (temp file + rename) for crash safety.
+ *
+ * @module utils/NonceManager
+ */
+export class FileBasedNonceManager implements NonceManager {
+  private inMemory: InMemoryNonceManager;
+  private filePath: string;
+  private fs: typeof import('fs');
+  private path: typeof import('path');
+  private lockfile: typeof import('proper-lockfile');
+  /**
+   * Create file-based nonce manager
+   * @param stateDirectory - Directory to store nonces file
+   */
+  constructor(stateDirectory: string) {
+    this.fs = require('fs');
+    this.path = require('path');
+    // SECURITY FIX (NEW-H-4): File locking to prevent race conditions
+    this.lockfile = require('proper-lockfile');
+    // Ensure .actp directory exists
+    const actpDir = this.path.join(stateDirectory, '.actp');
+    ensureSafeDir(actpDir, 0o755);
+    this.filePath = this.path.join(actpDir, 'nonces.json');
+    // Load existing nonces
+    const initialNonces = this.loadFromFile();
+    this.inMemory = new InMemoryNonceManager(initialNonces);
+  }
+  /**
+   * Load nonces from file
+   */
+  private loadFromFile(): Record<string, number> | undefined {
+    if (!this.fs.existsSync(this.filePath)) {
+      return undefined;
+    }
+    try {
+      // SECURITY: Refuse to read from symlinked nonce files
+      assertSafeFileForRead(this.filePath);
+      const MAX_NONCE_FILE_SIZE = 5 * 1024 * 1024; // 5MB
+      const st = this.fs.statSync(this.filePath);
+      if (st.size > MAX_NONCE_FILE_SIZE) {
+        throw new Error(
+          `nonces.json exceeds ${MAX_NONCE_FILE_SIZE / 1024 / 1024}MB limit: ${this.filePath}`
+        );
+      }
+      const data = JSON.parse(this.fs.readFileSync(this.filePath, 'utf-8'));
+      return data as Record<string, number>;
+    } catch (e: any) {
+      // Fail closed: nonce resets can enable replay.
+      throw new Error(
+        `Failed to parse nonces.json (replay protection would be weakened). ` +
+          `Fix/delete the file: ${this.filePath}. Error: ${e?.message || String(e)}`
+      );
+    }
+  }
+  /**
+   * Save nonces to file atomically with file locking
+   *
+   * SECURITY FIX (NEW-H-4): File locking prevents concurrent write corruption
+   */
+  private async saveToFile(): Promise<void> {
+    const data = this.inMemory.getAllNonces();
+    const tempPath = `${this.filePath}.tmp`;
+    // SECURITY FIX: Ensure file exists before locking (proper-lockfile requirement)
+    ensureSafeFile(this.filePath, '{}', 0o644);
+    // SECURITY FIX (NEW-H-4): Acquire file lock before writing
+    let release: (() => Promise<void>) | null = null;
+    try {
+      release = await this.lockfile.lock(this.filePath, {
+        stale: 10000, // Lock expires after 10 seconds if process crashes
+        retries: {
+          retries: 5,
+          minTimeout: 100,
+          maxTimeout: 500
+        }
+      });
+      // Atomic write: temp file + rename
+      if (this.fs.existsSync(tempPath)) {
+        this.fs.unlinkSync(tempPath);
+      }
+      this.fs.writeFileSync(tempPath, JSON.stringify(data, null, 2), {
+        encoding: 'utf-8',
+        mode: 0o644,
+        flag: 'wx'
+      });
+      this.fs.renameSync(tempPath, this.filePath);
+    } catch (error) {
+      // Clean up temp file on error
+      if (this.fs.existsSync(tempPath)) {
+        try {
+          this.fs.unlinkSync(tempPath);
+        } catch {
+          // Ignore cleanup errors
+        }
+      }
+      throw error;
+    } finally {
+      if (release) {
+        await release();
+      }
+    }
+  }
+  getNextNonce(messageType: string): number {
+    return this.inMemory.getNextNonce(messageType);
+  }
+  /**
+   * Atomic get and increment with persistence
+   */
+  async getAndIncrementNonce(messageType: string): Promise<number> {
+    const nonce = await this.inMemory.getAndIncrementNonce(messageType);
+    // SECURITY FIX (NEW-H-4): saveToFile is now async
+    await this.saveToFile();
+    return nonce;
+  }
+  recordNonce(messageType: string, nonce: number): void {
+    this.inMemory.recordNonce(messageType, nonce);
+    // Fire-and-forget to maintain sync interface
+    this.saveToFile().catch((err) => {
+      console.error('Failed to save nonce manager state:', err);
+    });
+  }
+  getCurrentNonce(messageType: string): number {
+    return this.inMemory.getCurrentNonce(messageType);
+  }
+  resetNonce(messageType: string): void {
+    this.inMemory.resetNonce(messageType);
+    // Fire-and-forget to maintain sync interface
+    this.saveToFile().catch((err) => {
+      console.error('Failed to save nonce manager state:', err);
+    });
+  }
+  getAllNonces(): Record<string, number> {
+    return this.inMemory.getAllNonces();
+  }
+  clearAll(): void {
+    this.inMemory.clearAll();
+    if (this.fs.existsSync(this.filePath)) {
+      this.fs.unlinkSync(this.filePath);
+    }
+  }
+}
 /**
  * Create nonce manager based on environment
- * @param did - Optional DID for scoped tracking
- * @param initialNonces - Optional initial nonces
+ * @param options - Configuration options
  * @returns NonceManager instance
+ *
+ * @example
+ * ```typescript
+ * // In-memory (default)
+ * const manager = createNonceManager();
+ *
+ * // DID-scoped
+ * const manager = createNonceManager({ did: 'did:ethr:0x...' });
+ *
+ * // Persistent (survives restarts)
+ * const manager = createNonceManager({ stateDirectory: '/path/to/project' });
+ * ```
  */
 export function createNonceManager(
-  did?: string,
-  initialNonces?: Record<string, number>
+  options?: {
+    did?: string;
+    initialNonces?: Record<string, number>;
+    stateDirectory?: string;
+  }
 ): NonceManager {
-  if (did) {
-    return new DIDScopedNonceManager(did, initialNonces);
+  // SECURITY FIX (H-1): Support persistent storage
+  if (options?.stateDirectory) {
+    return new FileBasedNonceManager(options.stateDirectory);
   }
-  return new InMemoryNonceManager(initialNonces);
+  if (options?.did) {
+    return new DIDScopedNonceManager(options.did, options?.initialNonces);
+  }
+  return new InMemoryNonceManager(options?.initialNonces);
 }