npm - @agirails/sdk - Versions diffs - 2.0.1-beta → 2.0.2 - Mend

@agirails/sdk 2.0.1-beta → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (405) hide show

package/LICENSE +190 -0
package/README.md +116 -108
package/bin/actp +10 -0
package/dist/ACTPClient.d.ts +456 -33
package/dist/ACTPClient.d.ts.map +1 -1
package/dist/ACTPClient.js +477 -93
package/dist/ACTPClient.js.map +1 -1
package/dist/abi/AgentRegistry.json +782 -0
package/dist/abi/EscrowVault.json +106 -38
package/dist/abi/IdentityRegistry.json +316 -0
package/dist/adapters/BaseAdapter.d.ts +231 -0
package/dist/adapters/BaseAdapter.d.ts.map +1 -0
package/dist/adapters/BaseAdapter.js +393 -0
package/dist/adapters/BaseAdapter.js.map +1 -0
package/dist/adapters/BeginnerAdapter.d.ts +152 -0
package/dist/adapters/BeginnerAdapter.d.ts.map +1 -0
package/dist/adapters/BeginnerAdapter.js +168 -0
package/dist/adapters/BeginnerAdapter.js.map +1 -0
package/dist/adapters/IntermediateAdapter.d.ts +211 -0
package/dist/adapters/IntermediateAdapter.d.ts.map +1 -0
package/dist/adapters/IntermediateAdapter.js +260 -0
package/dist/adapters/IntermediateAdapter.js.map +1 -0
package/dist/adapters/index.d.ts +15 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +26 -0
package/dist/adapters/index.js.map +1 -0
package/dist/builders/DeliveryProofBuilder.d.ts +60 -1
package/dist/builders/DeliveryProofBuilder.d.ts.map +1 -1
package/dist/builders/DeliveryProofBuilder.js +81 -5
package/dist/builders/DeliveryProofBuilder.js.map +1 -1
package/dist/builders/QuoteBuilder.d.ts +101 -0
package/dist/builders/QuoteBuilder.d.ts.map +1 -1
package/dist/builders/QuoteBuilder.js +120 -3
package/dist/builders/QuoteBuilder.js.map +1 -1
package/dist/builders/index.d.ts +4 -0
package/dist/builders/index.d.ts.map +1 -1
package/dist/builders/index.js +4 -0
package/dist/builders/index.js.map +1 -1
package/dist/cli/commands/balance.d.ts +13 -0
package/dist/cli/commands/balance.d.ts.map +1 -0
package/dist/cli/commands/balance.js +89 -0
package/dist/cli/commands/balance.js.map +1 -0
package/dist/cli/commands/batch.d.ts +24 -0
package/dist/cli/commands/batch.d.ts.map +1 -0
package/dist/cli/commands/batch.js +424 -0
package/dist/cli/commands/batch.js.map +1 -0
package/dist/cli/commands/config.d.ts +13 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +192 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/init.d.ts +19 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +143 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/mint.d.ts +13 -0
package/dist/cli/commands/mint.d.ts.map +1 -0
package/dist/cli/commands/mint.js +91 -0
package/dist/cli/commands/mint.js.map +1 -0
package/dist/cli/commands/pay.d.ts +18 -0
package/dist/cli/commands/pay.d.ts.map +1 -0
package/dist/cli/commands/pay.js +87 -0
package/dist/cli/commands/pay.js.map +1 -0
package/dist/cli/commands/simulate.d.ts +32 -0
package/dist/cli/commands/simulate.d.ts.map +1 -0
package/dist/cli/commands/simulate.js +290 -0
package/dist/cli/commands/simulate.js.map +1 -0
package/dist/cli/commands/time.d.ts +29 -0
package/dist/cli/commands/time.d.ts.map +1 -0
package/dist/cli/commands/time.js +252 -0
package/dist/cli/commands/time.js.map +1 -0
package/dist/cli/commands/tx.d.ts +16 -0
package/dist/cli/commands/tx.d.ts.map +1 -0
package/dist/cli/commands/tx.js +379 -0
package/dist/cli/commands/tx.js.map +1 -0
package/dist/cli/commands/watch.d.ts +20 -0
package/dist/cli/commands/watch.d.ts.map +1 -0
package/dist/cli/commands/watch.js +160 -0
package/dist/cli/commands/watch.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +104 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/utils/client.d.ts +70 -0
package/dist/cli/utils/client.d.ts.map +1 -0
package/dist/cli/utils/client.js +240 -0
package/dist/cli/utils/client.js.map +1 -0
package/dist/cli/utils/config.d.ts +91 -0
package/dist/cli/utils/config.d.ts.map +1 -0
package/dist/cli/utils/config.js +240 -0
package/dist/cli/utils/config.js.map +1 -0
package/dist/cli/utils/output.d.ts +174 -0
package/dist/cli/utils/output.d.ts.map +1 -0
package/dist/cli/utils/output.js +380 -0
package/dist/cli/utils/output.js.map +1 -0
package/dist/config/networks.d.ts +28 -0
package/dist/config/networks.d.ts.map +1 -1
package/dist/config/networks.js +60 -12
package/dist/config/networks.js.map +1 -1
package/dist/errors/index.d.ts +165 -2
package/dist/errors/index.d.ts.map +1 -1
package/dist/errors/index.js +260 -2
package/dist/errors/index.js.map +1 -1
package/dist/index.d.ts +61 -13
package/dist/index.d.ts.map +1 -1
package/dist/index.js +141 -36
package/dist/index.js.map +1 -1
package/dist/level0/Provider.d.ts +106 -0
package/dist/level0/Provider.d.ts.map +1 -0
package/dist/level0/Provider.js +10 -0
package/dist/level0/Provider.js.map +1 -0
package/dist/level0/ServiceDirectory.d.ts +74 -0
package/dist/level0/ServiceDirectory.d.ts.map +1 -0
package/dist/level0/ServiceDirectory.js +122 -0
package/dist/level0/ServiceDirectory.js.map +1 -0
package/dist/level0/index.d.ts +10 -0
package/dist/level0/index.d.ts.map +1 -0
package/dist/level0/index.js +15 -0
package/dist/level0/index.js.map +1 -0
package/dist/level0/provide.d.ts +51 -0
package/dist/level0/provide.d.ts.map +1 -0
package/dist/level0/provide.js +113 -0
package/dist/level0/provide.js.map +1 -0
package/dist/level0/request.d.ts +53 -0
package/dist/level0/request.d.ts.map +1 -0
package/dist/level0/request.js +462 -0
package/dist/level0/request.js.map +1 -0
package/dist/level1/Agent.d.ts +472 -0
package/dist/level1/Agent.d.ts.map +1 -0
package/dist/level1/Agent.js +1091 -0
package/dist/level1/Agent.js.map +1 -0
package/dist/level1/index.d.ts +10 -0
package/dist/level1/index.d.ts.map +1 -0
package/dist/level1/index.js +30 -0
package/dist/level1/index.js.map +1 -0
package/dist/level1/pricing/PriceCalculator.d.ts +62 -0
package/dist/level1/pricing/PriceCalculator.d.ts.map +1 -0
package/dist/level1/pricing/PriceCalculator.js +237 -0
package/dist/level1/pricing/PriceCalculator.js.map +1 -0
package/dist/level1/pricing/PricingStrategy.d.ts +179 -0
package/dist/level1/pricing/PricingStrategy.d.ts.map +1 -0
package/dist/level1/pricing/PricingStrategy.js +11 -0
package/dist/level1/pricing/PricingStrategy.js.map +1 -0
package/dist/level1/types/Job.d.ts +166 -0
package/dist/level1/types/Job.d.ts.map +1 -0
package/dist/level1/types/Job.js +11 -0
package/dist/level1/types/Job.js.map +1 -0
package/dist/level1/types/Options.d.ts +258 -0
package/dist/level1/types/Options.d.ts.map +1 -0
package/dist/level1/types/Options.js +8 -0
package/dist/level1/types/Options.js.map +1 -0
package/dist/level1/types/index.d.ts +8 -0
package/dist/level1/types/index.d.ts.map +1 -0
package/dist/level1/types/index.js +8 -0
package/dist/level1/types/index.js.map +1 -0
package/dist/protocol/ACTPKernel.d.ts +229 -2
package/dist/protocol/ACTPKernel.d.ts.map +1 -1
package/dist/protocol/ACTPKernel.js +367 -33
package/dist/protocol/ACTPKernel.js.map +1 -1
package/dist/protocol/AgentRegistry.d.ts +177 -0
package/dist/protocol/AgentRegistry.d.ts.map +1 -0
package/dist/protocol/AgentRegistry.js +449 -0
package/dist/protocol/AgentRegistry.js.map +1 -0
package/dist/protocol/DIDManager.d.ts +289 -0
package/dist/protocol/DIDManager.d.ts.map +1 -0
package/dist/protocol/DIDManager.js +481 -0
package/dist/protocol/DIDManager.js.map +1 -0
package/dist/protocol/DIDResolver.d.ts +236 -0
package/dist/protocol/DIDResolver.d.ts.map +1 -0
package/dist/protocol/DIDResolver.js +495 -0
package/dist/protocol/DIDResolver.js.map +1 -0
package/dist/protocol/EASHelper.d.ts +57 -2
package/dist/protocol/EASHelper.d.ts.map +1 -1
package/dist/protocol/EASHelper.js +230 -37
package/dist/protocol/EASHelper.js.map +1 -1
package/dist/protocol/EscrowVault.d.ts +93 -2
package/dist/protocol/EscrowVault.d.ts.map +1 -1
package/dist/protocol/EscrowVault.js +122 -33
package/dist/protocol/EscrowVault.js.map +1 -1
package/dist/protocol/EventMonitor.d.ts +45 -1
package/dist/protocol/EventMonitor.d.ts.map +1 -1
package/dist/protocol/EventMonitor.js +64 -8
package/dist/protocol/EventMonitor.js.map +1 -1
package/dist/protocol/MessageSigner.d.ts +116 -2
package/dist/protocol/MessageSigner.d.ts.map +1 -1
package/dist/protocol/MessageSigner.js +215 -9
package/dist/protocol/MessageSigner.js.map +1 -1
package/dist/protocol/ProofGenerator.d.ts +93 -0
package/dist/protocol/ProofGenerator.d.ts.map +1 -1
package/dist/protocol/ProofGenerator.js +194 -9
package/dist/protocol/ProofGenerator.js.map +1 -1
package/dist/protocol/QuoteBuilder.d.ts +8 -0
package/dist/protocol/QuoteBuilder.d.ts.map +1 -1
package/dist/protocol/QuoteBuilder.js +8 -0
package/dist/protocol/QuoteBuilder.js.map +1 -1
package/dist/runtime/BlockchainRuntime.d.ts +360 -0
package/dist/runtime/BlockchainRuntime.d.ts.map +1 -0
package/dist/runtime/BlockchainRuntime.js +767 -0
package/dist/runtime/BlockchainRuntime.js.map +1 -0
package/dist/runtime/IACTPRuntime.d.ts +271 -0
package/dist/runtime/IACTPRuntime.d.ts.map +1 -0
package/dist/runtime/IACTPRuntime.js +15 -0
package/dist/runtime/IACTPRuntime.js.map +1 -0
package/dist/runtime/MockRuntime.d.ts +445 -0
package/dist/runtime/MockRuntime.d.ts.map +1 -0
package/dist/runtime/MockRuntime.js +1065 -0
package/dist/runtime/MockRuntime.js.map +1 -0
package/dist/runtime/MockStateManager.d.ts +233 -0
package/dist/runtime/MockStateManager.d.ts.map +1 -0
package/dist/runtime/MockStateManager.js +533 -0
package/dist/runtime/MockStateManager.js.map +1 -0
package/dist/runtime/index.d.ts +14 -0
package/dist/runtime/index.d.ts.map +1 -0
package/dist/runtime/index.js +42 -0
package/dist/runtime/index.js.map +1 -0
package/dist/runtime/types/MockState.d.ts +167 -0
package/dist/runtime/types/MockState.d.ts.map +1 -0
package/dist/runtime/types/MockState.js +43 -0
package/dist/runtime/types/MockState.js.map +1 -0
package/dist/types/agent.d.ts +76 -0
package/dist/types/agent.d.ts.map +1 -0
package/dist/types/agent.js +8 -0
package/dist/types/agent.js.map +1 -0
package/dist/types/did.d.ts +192 -0
package/dist/types/did.d.ts.map +1 -0
package/dist/types/did.js +38 -0
package/dist/types/did.js.map +1 -0
package/dist/types/eip712.d.ts +34 -0
package/dist/types/eip712.d.ts.map +1 -1
package/dist/types/eip712.js +31 -5
package/dist/types/eip712.js.map +1 -1
package/dist/types/escrow.d.ts +17 -10
package/dist/types/escrow.d.ts.map +1 -1
package/dist/types/index.d.ts +5 -0
package/dist/types/index.d.ts.map +1 -1
package/dist/types/index.js +8 -0
package/dist/types/index.js.map +1 -1
package/dist/types/message.d.ts +32 -0
package/dist/types/message.d.ts.map +1 -1
package/dist/types/message.js +4 -0
package/dist/types/message.js.map +1 -1
package/dist/types/state.d.ts +28 -0
package/dist/types/state.d.ts.map +1 -1
package/dist/types/state.js +37 -6
package/dist/types/state.js.map +1 -1
package/dist/types/transaction.d.ts +17 -0
package/dist/types/transaction.d.ts.map +1 -1
package/dist/utils/ErrorRecoveryGuide.d.ts +125 -0
package/dist/utils/ErrorRecoveryGuide.d.ts.map +1 -0
package/dist/utils/ErrorRecoveryGuide.js +579 -0
package/dist/utils/ErrorRecoveryGuide.js.map +1 -0
package/dist/utils/Helpers.d.ts +453 -0
package/dist/utils/Helpers.d.ts.map +1 -0
package/dist/utils/Helpers.js +623 -0
package/dist/utils/Helpers.js.map +1 -0
package/dist/utils/IPFSClient.d.ts +113 -0
package/dist/utils/IPFSClient.d.ts.map +1 -1
package/dist/utils/IPFSClient.js +128 -7
package/dist/utils/IPFSClient.js.map +1 -1
package/dist/utils/Logger.d.ts +195 -0
package/dist/utils/Logger.d.ts.map +1 -0
package/dist/utils/Logger.js +382 -0
package/dist/utils/Logger.js.map +1 -0
package/dist/utils/NonceManager.d.ts +234 -1
package/dist/utils/NonceManager.d.ts.map +1 -1
package/dist/utils/NonceManager.js +372 -7
package/dist/utils/NonceManager.js.map +1 -1
package/dist/utils/RateLimiter.d.ts +253 -0
package/dist/utils/RateLimiter.d.ts.map +1 -0
package/dist/utils/RateLimiter.js +424 -0
package/dist/utils/RateLimiter.js.map +1 -0
package/dist/utils/ReceivedNonceTracker.d.ts +175 -0
package/dist/utils/ReceivedNonceTracker.d.ts.map +1 -1
package/dist/utils/ReceivedNonceTracker.js +261 -5
package/dist/utils/ReceivedNonceTracker.js.map +1 -1
package/dist/utils/SDKLifecycle.d.ts +156 -0
package/dist/utils/SDKLifecycle.d.ts.map +1 -0
package/dist/utils/SDKLifecycle.js +347 -0
package/dist/utils/SDKLifecycle.js.map +1 -0
package/dist/utils/SecureNonce.d.ts +57 -0
package/dist/utils/SecureNonce.d.ts.map +1 -0
package/dist/utils/SecureNonce.js +80 -0
package/dist/utils/SecureNonce.js.map +1 -0
package/dist/utils/Semaphore.d.ts +123 -0
package/dist/utils/Semaphore.d.ts.map +1 -0
package/dist/utils/Semaphore.js +247 -0
package/dist/utils/Semaphore.js.map +1 -0
package/dist/utils/UsedAttestationTracker.d.ts +167 -0
package/dist/utils/UsedAttestationTracker.d.ts.map +1 -0
package/dist/utils/UsedAttestationTracker.js +309 -0
package/dist/utils/UsedAttestationTracker.js.map +1 -0
package/dist/utils/canonicalJson.d.ts +22 -0
package/dist/utils/canonicalJson.d.ts.map +1 -1
package/dist/utils/canonicalJson.js +26 -3
package/dist/utils/canonicalJson.js.map +1 -1
package/dist/utils/computeTypeHash.d.ts +14 -0
package/dist/utils/computeTypeHash.d.ts.map +1 -1
package/dist/utils/computeTypeHash.js +19 -2
package/dist/utils/computeTypeHash.js.map +1 -1
package/dist/utils/fsSafe.d.ts +14 -0
package/dist/utils/fsSafe.d.ts.map +1 -0
package/dist/utils/fsSafe.js +89 -0
package/dist/utils/fsSafe.js.map +1 -0
package/dist/utils/index.d.ts +15 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +51 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/security.d.ts +147 -0
package/dist/utils/security.d.ts.map +1 -0
package/dist/utils/security.js +391 -0
package/dist/utils/security.js.map +1 -0
package/dist/utils/validation.d.ts +40 -0
package/dist/utils/validation.d.ts.map +1 -1
package/dist/utils/validation.js +184 -7
package/dist/utils/validation.js.map +1 -1
package/package.json +54 -37
package/src/ACTPClient.ts +692 -178
package/src/abi/AgentRegistry.json +782 -0
package/src/abi/EscrowVault.json +106 -38
package/src/abi/IdentityRegistry.json +316 -0
package/src/adapters/BaseAdapter.ts +473 -0
package/src/adapters/BeginnerAdapter.ts +232 -0
package/src/adapters/IntermediateAdapter.ts +316 -0
package/src/adapters/index.ts +25 -0
package/src/builders/DeliveryProofBuilder.ts +3 -2
package/src/cli/commands/balance.ts +110 -0
package/src/cli/commands/batch.ts +487 -0
package/src/cli/commands/config.ts +231 -0
package/src/cli/commands/init.ts +161 -0
package/src/cli/commands/mint.ts +116 -0
package/src/cli/commands/pay.ts +113 -0
package/src/cli/commands/simulate.ts +345 -0
package/src/cli/commands/time.ts +303 -0
package/src/cli/commands/tx.ts +448 -0
package/src/cli/commands/watch.ts +211 -0
package/src/cli/index.ts +116 -0
package/src/cli/utils/client.ts +249 -0
package/src/cli/utils/config.ts +282 -0
package/src/cli/utils/output.ts +465 -0
package/src/config/networks.ts +32 -9
package/src/errors/index.ts +298 -1
package/src/index.ts +207 -71
package/src/level0/Provider.ts +117 -0
package/src/level0/ServiceDirectory.ts +131 -0
package/src/level0/index.ts +10 -0
package/src/level0/provide.ts +131 -0
package/src/level0/request.ts +494 -0
package/src/level1/Agent.ts +1432 -0
package/src/level1/index.ts +10 -0
package/src/level1/pricing/PriceCalculator.ts +255 -0
package/src/level1/pricing/PricingStrategy.ts +198 -0
package/src/level1/types/Job.ts +179 -0
package/src/level1/types/Options.ts +291 -0
package/src/level1/types/index.ts +8 -0
package/src/protocol/ACTPKernel.ts +175 -23
package/src/protocol/AgentRegistry.ts +559 -0
package/src/protocol/DIDManager.ts +629 -0
package/src/protocol/DIDResolver.ts +554 -0
package/src/protocol/EASHelper.ts +230 -46
package/src/protocol/EscrowVault.ts +68 -50
package/src/protocol/EventMonitor.ts +44 -15
package/src/protocol/MessageSigner.ts +193 -13
package/src/protocol/ProofGenerator.ts +223 -4
package/src/runtime/BlockchainRuntime.ts +993 -0
package/src/runtime/IACTPRuntime.ts +284 -0
package/src/runtime/MockRuntime.ts +1244 -0
package/src/runtime/MockStateManager.ts +576 -0
package/src/runtime/index.ts +25 -0
package/src/runtime/types/MockState.ts +227 -0
package/src/types/agent.ts +79 -0
package/src/types/did.ts +223 -0
package/src/types/escrow.ts +12 -11
package/src/types/index.ts +5 -1
package/src/types/state.ts +12 -3
package/src/types/transaction.ts +4 -1
package/src/utils/ErrorRecoveryGuide.ts +675 -0
package/src/utils/Helpers.ts +688 -0
package/src/utils/IPFSClient.ts +122 -5
package/src/utils/Logger.ts +484 -0
package/src/utils/NonceManager.ts +305 -8
package/src/utils/RateLimiter.ts +534 -0
package/src/utils/ReceivedNonceTracker.ts +170 -0
package/src/utils/SDKLifecycle.ts +416 -0
package/src/utils/SecureNonce.ts +78 -0
package/src/utils/Semaphore.ts +276 -0
package/src/utils/UsedAttestationTracker.ts +387 -0
package/src/utils/fsSafe.ts +75 -0
package/src/utils/index.ts +80 -0
package/src/utils/security.ts +418 -0
package/src/utils/validation.ts +164 -0
package/src/__tests__/ProofGenerator.test.ts +0 -124
package/src/__tests__/QuoteBuilder.test.ts +0 -516
package/src/__tests__/StateMachine.test.ts +0 -82
package/src/__tests__/builders/DeliveryProofBuilder.test.ts +0 -581
package/src/__tests__/integration/ACTPClient.test.ts +0 -263
package/src/__tests__/integration.test.ts +0 -289
package/src/__tests__/protocol/EASHelper.test.ts +0 -472
package/src/__tests__/protocol/EventMonitor.test.ts +0 -382
package/src/__tests__/security/ACTPKernel.security.test.ts +0 -1167
package/src/__tests__/security/EscrowVault.security.test.ts +0 -570
package/src/__tests__/security/MessageSigner.security.test.ts +0 -286
package/src/__tests__/security/NonceReplay.security.test.ts +0 -501
package/src/__tests__/security/validation.security.test.ts +0 -376
package/src/__tests__/utils/IPFSClient.test.ts +0 -262
package/src/__tests__/utils/NonceManager.test.ts +0 -205
package/src/__tests__/utils/canonicalJson.test.ts +0 -153

package/src/utils/ReceivedNonceTracker.ts CHANGED Viewed

@@ -228,6 +228,10 @@ export class InMemoryReceivedNonceTracker implements IReceivedNonceTracker {
  * - Reject duplicate nonces (replay attack)
  * - Allows non-sequential nonces (nonce gaps are OK)
  *
+ * SECURITY FIX (NEW-H-2): Max size enforcement to prevent memory exhaustion
+ * SECURITY FIX (HIGH-2): Global total entries limit to prevent DoS via many sender combinations
+ * SECURITY FIX (H-2): Rate limiting per sender to prevent flood attacks
+ *
  * Trade-off:
  * - Higher memory usage (stores every nonce)
  * - More flexible (allows out-of-order delivery)
@@ -237,8 +241,94 @@ export class SetBasedReceivedNonceTracker implements IReceivedNonceTracker {
   // Map: sender -> messageType -> Set of used nonces
   private usedNonces: Map<string, Map<string, Set<string>>> = new Map();
+  // SECURITY FIX (NEW-H-2): Maximum entries per sender+messageType
+  private readonly maxSizePerType: number;
+  // SECURITY FIX (HIGH-2): Global limit across ALL sender+messageType combinations
+  private readonly maxTotalEntries: number;
+  private totalEntries: number = 0;
+  // SECURITY FIX (H-2): Rate limiting per sender
+  // Map: sender -> { count: number, windowStart: number }
+  private rateLimitState: Map<string, { count: number; windowStart: number }> = new Map();
+  private readonly maxNoncesPerMinute: number;
+  private readonly rateLimitWindowMs: number = 60000; // 1 minute window
+  /**
+   * Create set-based tracker with optional max size
+   * @param maxSizePerType - Maximum nonces per sender+messageType (default: 10,000)
+   * @param maxTotalEntries - Maximum total nonces across all combinations (default: 100,000)
+   * @param maxNoncesPerMinute - Maximum nonces per sender per minute (default: 100)
+   */
+  constructor(
+    maxSizePerType: number = 10000,
+    maxTotalEntries: number = 100000,
+    maxNoncesPerMinute: number = 100
+  ) {
+    if (maxSizePerType <= 0) {
+      throw new Error('maxSizePerType must be positive');
+    }
+    if (maxTotalEntries <= 0) {
+      throw new Error('maxTotalEntries must be positive');
+    }
+    if (maxNoncesPerMinute <= 0) {
+      throw new Error('maxNoncesPerMinute must be positive');
+    }
+    this.maxSizePerType = maxSizePerType;
+    this.maxTotalEntries = maxTotalEntries;
+    this.maxNoncesPerMinute = maxNoncesPerMinute;
+  }
+  /**
+   * SECURITY FIX (H-2): Check rate limit for sender
+   * @param sender - Sender DID
+   * @returns true if rate limit exceeded
+   */
+  private checkRateLimit(sender: string): boolean {
+    const now = Date.now();
+    const state = this.rateLimitState.get(sender);
+    if (!state) {
+      // First nonce from this sender
+      this.rateLimitState.set(sender, { count: 1, windowStart: now });
+      return false; // Not rate limited
+    }
+    // Check if window expired (reset counter)
+    if (now - state.windowStart >= this.rateLimitWindowMs) {
+      state.count = 1;
+      state.windowStart = now;
+      return false; // Not rate limited
+    }
+    // Increment counter
+    state.count++;
+    // Check if rate limit exceeded
+    return state.count > this.maxNoncesPerMinute;
+  }
+  /**
+   * SECURITY FIX (H-2): Periodic cleanup of rate limit state
+   * Removes expired rate limit entries (older than 5 minutes)
+   */
+  private cleanupRateLimitState(): void {
+    const now = Date.now();
+    const expiryThreshold = 5 * 60 * 1000; // 5 minutes
+    for (const [sender, state] of this.rateLimitState.entries()) {
+      if (now - state.windowStart > expiryThreshold) {
+        this.rateLimitState.delete(sender);
+      }
+    }
+  }
   /**
    * Validate and record a received nonce
+   *
+   * SECURITY FIX (NEW-H-2): Automatic cleanup when max size reached
+   * SECURITY FIX (HIGH-2): Global limit check to prevent DoS
+   * SECURITY FIX (H-2): Rate limiting per sender (max 100 nonces/minute)
    */
   validateAndRecord(sender: string, messageType: string, nonce: string): NonceValidationResult {
     // Validate nonce format
@@ -250,6 +340,34 @@ export class SetBasedReceivedNonceTracker implements IReceivedNonceTracker {
       };
     }
+    // SECURITY FIX (H-2): Rate limit check (BEFORE global limit to avoid unnecessary work)
+    if (this.checkRateLimit(sender)) {
+      return {
+        valid: false,
+        reason: `Rate limit exceeded for sender ${sender}: ` +
+                `Maximum ${this.maxNoncesPerMinute} nonces per minute allowed. ` +
+                `This may indicate a flood attack or misconfigured client. ` +
+                `Wait 1 minute before retrying.`,
+        receivedNonce: nonce
+      };
+    }
+    // SECURITY FIX (H-2): Periodic cleanup every 100 validations (amortized cost)
+    if (this.totalEntries % 100 === 0) {
+      this.cleanupRateLimitState();
+    }
+    // SECURITY FIX (HIGH-2): Check global limit BEFORE adding
+    if (this.totalEntries >= this.maxTotalEntries) {
+      return {
+        valid: false,
+        reason: `Global nonce tracker limit reached (${this.maxTotalEntries} entries). ` +
+                `This may indicate a DoS attack or need for cleanup. ` +
+                `Current usage: ${this.totalEntries} entries across ${this.getCombinationCount()} sender+type combinations.`,
+        receivedNonce: nonce
+      };
+    }
     // Get sender's nonce map
     let senderNonces = this.usedNonces.get(sender);
     if (!senderNonces) {
@@ -273,11 +391,53 @@ export class SetBasedReceivedNonceTracker implements IReceivedNonceTracker {
       };
     }
+    // SECURITY FIX (NEW-H-2): Auto-cleanup if max size per type reached
+    if (usedSet.size >= this.maxSizePerType) {
+      // Keep only last 80% of entries (sorted by nonce value)
+      const keepCount = Math.floor(this.maxSizePerType * 0.8);
+      const sortedNonces = Array.from(usedSet).sort((a, b) => {
+        const aVal = BigInt(a);
+        const bVal = BigInt(b);
+        return aVal < bVal ? -1 : aVal > bVal ? 1 : 0;
+      });
+      const removedCount = usedSet.size - keepCount;
+      usedSet = new Set(sortedNonces.slice(-keepCount));
+      senderNonces.set(messageType, usedSet);
+      // SECURITY FIX (HIGH-2): Update global counter
+      this.totalEntries -= removedCount;
+    }
     // Valid nonce - record it
     usedSet.add(nonce);
+    // SECURITY FIX (HIGH-2): Update global counter
+    this.totalEntries++;
     return { valid: true };
   }
+  /**
+   * Get number of sender+messageType combinations (for monitoring)
+   * SECURITY FIX (HIGH-2): Monitoring method
+   */
+  private getCombinationCount(): number {
+    let count = 0;
+    this.usedNonces.forEach(senderMap => {
+      count += senderMap.size;
+    });
+    return count;
+  }
+  /**
+   * Get memory usage statistics
+   * SECURITY FIX (HIGH-2): Monitoring method for DoS detection
+   */
+  getMemoryUsage(): { totalEntries: number; combinations: number; maxTotalEntries: number } {
+    return {
+      totalEntries: this.totalEntries,
+      combinations: this.getCombinationCount(),
+      maxTotalEntries: this.maxTotalEntries
+    };
+  }
   /**
    * Check if a nonce has been used
    */
@@ -327,6 +487,11 @@ export class SetBasedReceivedNonceTracker implements IReceivedNonceTracker {
   reset(sender: string, messageType: string): void {
     const senderNonces = this.usedNonces.get(sender);
     if (senderNonces) {
+      const usedSet = senderNonces.get(messageType);
+      if (usedSet) {
+        // SECURITY FIX (HIGH-2): Update global counter
+        this.totalEntries -= usedSet.size;
+      }
       senderNonces.delete(messageType);
       if (senderNonces.size === 0) {
         this.usedNonces.delete(sender);
@@ -339,6 +504,8 @@ export class SetBasedReceivedNonceTracker implements IReceivedNonceTracker {
    */
   clearAll(): void {
     this.usedNonces.clear();
+    // SECURITY FIX (HIGH-2): Reset global counter
+    this.totalEntries = 0;
   }
   /**
@@ -377,8 +544,11 @@ export class SetBasedReceivedNonceTracker implements IReceivedNonceTracker {
     });
     // Keep only the last N nonces
+    const removedCount = usedSet.size - keepLast;
     const toKeep = new Set(sortedNonces.slice(-keepLast));
     senderNonces.set(messageType, toKeep);
+    // SECURITY FIX (HIGH-2): Update global counter
+    this.totalEntries -= removedCount;
   }
 }

package/src/utils/SDKLifecycle.ts ADDED Viewed

@@ -0,0 +1,416 @@
+/**
+ * SDKLifecycle - Proper cleanup and resource management
+ *
+ * SECURITY FIX (M-8): Ensures proper cleanup on SDK shutdown:
+ * - Connection cleanup
+ * - Pending request handling
+ * - Memory release
+ * - Graceful shutdown
+ *
+ * @module utils/SDKLifecycle
+ */
+import { sdkLogger, Logger } from './Logger';
+/**
+ * Disposable resource interface
+ */
+export interface Disposable {
+  /** Cleanup method */
+  dispose(): Promise<void> | void;
+}
+/**
+ * Shutdown handler function
+ */
+export type ShutdownHandler = () => Promise<void> | void;
+/**
+ * Lifecycle event types
+ */
+export type LifecycleEvent =
+  | 'initializing'
+  | 'ready'
+  | 'shutting-down'
+  | 'shutdown'
+  | 'error';
+/**
+ * Lifecycle event listener
+ */
+export type LifecycleListener = (event: LifecycleEvent, data?: unknown) => void;
+/**
+ * SDK Lifecycle Manager
+ *
+ * Manages SDK initialization, shutdown, and resource cleanup.
+ *
+ * @example
+ * ```typescript
+ * const lifecycle = new SDKLifecycle();
+ *
+ * // Register cleanup handlers
+ * lifecycle.onShutdown(async () => {
+ *   await closeConnections();
+ * });
+ *
+ * // Register disposable resources
+ * lifecycle.registerDisposable(myResource);
+ *
+ * // Later, initiate shutdown
+ * await lifecycle.shutdown();
+ * ```
+ */
+export class SDKLifecycle {
+  private state: LifecycleEvent = 'initializing';
+  private shutdownHandlers: ShutdownHandler[] = [];
+  private disposables: Disposable[] = [];
+  private listeners: LifecycleListener[] = [];
+  private shutdownPromise: Promise<void> | null = null;
+  private readonly logger: Logger;
+  private isShuttingDown = false;
+  // SECURITY FIX (NEW-HIGH-2): Store handler references for cleanup
+  private processHandlers: {
+    sigint?: () => void;
+    sigterm?: () => void;
+    uncaughtException?: (error: Error) => void;
+    unhandledRejection?: (reason: unknown) => void;
+  } = {};
+  private processHandlersRegistered = false;
+  constructor(logger?: Logger) {
+    this.logger = logger ?? sdkLogger.child('Lifecycle');
+    // Register process shutdown handlers
+    this.registerProcessHandlers();
+  }
+  /**
+   * Get current lifecycle state
+   */
+  getState(): LifecycleEvent {
+    return this.state;
+  }
+  /**
+   * Check if SDK is ready for operations
+   */
+  isReady(): boolean {
+    return this.state === 'ready';
+  }
+  /**
+   * Mark SDK as ready
+   */
+  markReady(): void {
+    this.state = 'ready';
+    this.emit('ready');
+    this.logger.info('SDK ready');
+  }
+  /**
+   * Register a shutdown handler
+   *
+   * @param handler - Function to call during shutdown
+   * @returns Unregister function
+   */
+  onShutdown(handler: ShutdownHandler): () => void {
+    this.shutdownHandlers.push(handler);
+    return () => {
+      const index = this.shutdownHandlers.indexOf(handler);
+      if (index > -1) {
+        this.shutdownHandlers.splice(index, 1);
+      }
+    };
+  }
+  /**
+   * Register a disposable resource
+   *
+   * @param disposable - Resource with dispose() method
+   * @returns Unregister function
+   */
+  registerDisposable(disposable: Disposable): () => void {
+    this.disposables.push(disposable);
+    return () => {
+      const index = this.disposables.indexOf(disposable);
+      if (index > -1) {
+        this.disposables.splice(index, 1);
+      }
+    };
+  }
+  /**
+   * Add lifecycle event listener
+   *
+   * @param listener - Event listener function
+   * @returns Unregister function
+   */
+  addListener(listener: LifecycleListener): () => void {
+    this.listeners.push(listener);
+    return () => {
+      const index = this.listeners.indexOf(listener);
+      if (index > -1) {
+        this.listeners.splice(index, 1);
+      }
+    };
+  }
+  /**
+   * Emit lifecycle event
+   */
+  private emit(event: LifecycleEvent, data?: unknown): void {
+    for (const listener of this.listeners) {
+      try {
+        listener(event, data);
+      } catch (error) {
+        this.logger.error('Lifecycle listener error', { event }, error as Error);
+      }
+    }
+  }
+  /**
+   * Initiate graceful shutdown
+   *
+   * @param timeout - Maximum time to wait for cleanup (ms)
+   * @returns Promise that resolves when shutdown is complete
+   */
+  async shutdown(timeout = 30000): Promise<void> {
+    // Prevent multiple shutdown calls
+    if (this.shutdownPromise) {
+      return this.shutdownPromise;
+    }
+    if (this.isShuttingDown) {
+      return;
+    }
+    this.isShuttingDown = true;
+    this.state = 'shutting-down';
+    this.emit('shutting-down');
+    this.logger.info('SDK shutting down...');
+    this.shutdownPromise = this.executeShutdown(timeout);
+    return this.shutdownPromise;
+  }
+  /**
+   * Execute shutdown sequence
+   */
+  private async executeShutdown(timeout: number): Promise<void> {
+    const startTime = Date.now();
+    const errors: Error[] = [];
+    // Create timeout promise
+    const timeoutPromise = new Promise<void>((_, reject) => {
+      setTimeout(() => {
+        reject(new Error(`Shutdown timed out after ${timeout}ms`));
+      }, timeout);
+    });
+    try {
+      // Run shutdown handlers first (in reverse order - LIFO)
+      const handlersPromise = (async () => {
+        for (let i = this.shutdownHandlers.length - 1; i >= 0; i--) {
+          try {
+            const elapsed = Date.now() - startTime;
+            if (elapsed >= timeout) {
+              this.logger.warn('Shutdown timeout reached, skipping remaining handlers');
+              break;
+            }
+            const handler = this.shutdownHandlers[i];
+            await handler();
+          } catch (error) {
+            this.logger.error('Shutdown handler error', {}, error as Error);
+            errors.push(error as Error);
+          }
+        }
+        // Dispose resources (in reverse order)
+        for (let i = this.disposables.length - 1; i >= 0; i--) {
+          try {
+            const elapsed = Date.now() - startTime;
+            if (elapsed >= timeout) {
+              this.logger.warn('Shutdown timeout reached, skipping remaining disposables');
+              break;
+            }
+            const disposable = this.disposables[i];
+            await disposable.dispose();
+          } catch (error) {
+            this.logger.error('Disposable cleanup error', {}, error as Error);
+            errors.push(error as Error);
+          }
+        }
+      })();
+      // Race against timeout
+      await Promise.race([handlersPromise, timeoutPromise]);
+    } catch (error) {
+      if ((error as Error).message.includes('timed out')) {
+        this.logger.warn('Shutdown timed out, forcing cleanup');
+      } else {
+        errors.push(error as Error);
+      }
+    }
+    // SECURITY FIX (NEW-HIGH-2): Remove process handlers to prevent memory leaks
+    this.unregisterProcessHandlers();
+    // Clear registrations
+    this.shutdownHandlers = [];
+    this.disposables = [];
+    this.state = 'shutdown';
+    this.emit('shutdown');
+    this.logger.info('SDK shutdown complete', { errors: errors.length });
+    if (errors.length > 0) {
+      this.logger.error('Shutdown completed with errors', {
+        errorCount: errors.length,
+        errors: errors.map((e) => e.message),
+      });
+    }
+  }
+  /**
+   * Register process-level shutdown handlers
+   *
+   * SECURITY FIX (NEW-HIGH-2): Store handler references for cleanup
+   * to prevent memory leaks when multiple SDKLifecycle instances are created.
+   */
+  private registerProcessHandlers(): void {
+    // Only register in Node.js environment
+    if (typeof process === 'undefined') {
+      return;
+    }
+    // SECURITY FIX (NEW-HIGH-2): Prevent duplicate registrations
+    if (this.processHandlersRegistered) {
+      return;
+    }
+    // SECURITY FIX (NEW-HIGH-2): Create named handlers we can remove later
+    this.processHandlers.sigint = () => {
+      this.logger.info('Received SIGINT, initiating shutdown');
+      this.shutdown().then(() => {
+        process.exit(0);
+      }).catch((error) => {
+        this.logger.error('Shutdown error', {}, error);
+        process.exit(1);
+      });
+    };
+    this.processHandlers.sigterm = () => {
+      this.logger.info('Received SIGTERM, initiating shutdown');
+      this.shutdown().then(() => {
+        process.exit(0);
+      }).catch((error) => {
+        this.logger.error('Shutdown error', {}, error);
+        process.exit(1);
+      });
+    };
+    this.processHandlers.uncaughtException = (error: Error) => {
+      this.logger.error('Uncaught exception', {}, error);
+      this.emit('error', error);
+      this.shutdown().finally(() => {
+        process.exit(1);
+      });
+    };
+    this.processHandlers.unhandledRejection = (reason: unknown) => {
+      const error = reason instanceof Error ? reason : new Error(String(reason));
+      this.logger.error('Unhandled rejection', {}, error);
+      this.emit('error', error);
+    };
+    // Handle termination signals
+    process.on('SIGINT', this.processHandlers.sigint);
+    process.on('SIGTERM', this.processHandlers.sigterm);
+    // Handle uncaught errors
+    process.on('uncaughtException', this.processHandlers.uncaughtException);
+    process.on('unhandledRejection', this.processHandlers.unhandledRejection);
+    this.processHandlersRegistered = true;
+  }
+  /**
+   * Unregister process-level shutdown handlers
+   *
+   * SECURITY FIX (NEW-HIGH-2): Remove handlers to prevent memory leaks
+   */
+  private unregisterProcessHandlers(): void {
+    if (typeof process === 'undefined' || !this.processHandlersRegistered) {
+      return;
+    }
+    if (this.processHandlers.sigint) {
+      process.removeListener('SIGINT', this.processHandlers.sigint);
+    }
+    if (this.processHandlers.sigterm) {
+      process.removeListener('SIGTERM', this.processHandlers.sigterm);
+    }
+    if (this.processHandlers.uncaughtException) {
+      process.removeListener('uncaughtException', this.processHandlers.uncaughtException);
+    }
+    if (this.processHandlers.unhandledRejection) {
+      process.removeListener('unhandledRejection', this.processHandlers.unhandledRejection);
+    }
+    this.processHandlers = {};
+    this.processHandlersRegistered = false;
+  }
+  /**
+   * Create a disposable wrapper for any cleanup function
+   */
+  static createDisposable(cleanup: () => Promise<void> | void): Disposable {
+    return {
+      dispose: cleanup,
+    };
+  }
+}
+/**
+ * Global SDK lifecycle manager instance
+ */
+export const sdkLifecycle = new SDKLifecycle();
+/**
+ * Convenience function to run cleanup on shutdown
+ *
+ * @example
+ * ```typescript
+ * const cleanup = onShutdown(async () => {
+ *   await closeDatabase();
+ * });
+ *
+ * // Later, to remove the handler:
+ * cleanup();
+ * ```
+ */
+export function onShutdown(handler: ShutdownHandler): () => void {
+  return sdkLifecycle.onShutdown(handler);
+}
+/**
+ * Convenience function to register disposable
+ */
+export function registerDisposable(disposable: Disposable): () => void {
+  return sdkLifecycle.registerDisposable(disposable);
+}
+/**
+ * Convenience function to shutdown SDK
+ */
+export function shutdownSDK(timeout?: number): Promise<void> {
+  return sdkLifecycle.shutdown(timeout);
+}

package/src/utils/SecureNonce.ts ADDED Viewed

@@ -0,0 +1,78 @@
+/**
+ * SecureNonce - Cryptographically secure nonce generation
+ *
+ * SECURITY FIX (NEW-H-3): Provides secure random nonce generation
+ * to prevent weak randomness vulnerabilities in EIP-712 message signing.
+ *
+ * Reference: V7 Re-Audit NEW-H-3 (Weak Random Nonce Generation)
+ *
+ * @module utils/SecureNonce
+ */
+import { ethers } from 'ethers';
+/**
+ * Generate a cryptographically secure random nonce (bytes32)
+ *
+ * Uses ethers.js randomBytes() which:
+ * - Uses Node.js crypto.randomBytes() (CSPRNG)
+ * - Uses Web Crypto API in browsers (window.crypto.getRandomValues)
+ * - Guaranteed to be cryptographically secure
+ *
+ * @returns 32-byte hex string (0x...)
+ *
+ * @example
+ * ```typescript
+ * import { generateSecureNonce } from '@agirails/sdk';
+ *
+ * const nonce = generateSecureNonce();
+ * console.log(nonce); // 0x1234...abcd (64 hex chars)
+ * ```
+ */
+export function generateSecureNonce(): string {
+  return ethers.hexlify(ethers.randomBytes(32));
+}
+/**
+ * Validate nonce format (must be bytes32)
+ *
+ * @param nonce - Nonce to validate
+ * @returns true if valid bytes32 format
+ *
+ * @example
+ * ```typescript
+ * isValidNonce('0x' + '00'.repeat(32)); // true
+ * isValidNonce('0x1234'); // false (too short)
+ * isValidNonce('not-hex'); // false (invalid format)
+ * ```
+ */
+export function isValidNonce(nonce: string): boolean {
+  return /^0x[a-fA-F0-9]{64}$/.test(nonce);
+}
+/**
+ * Generate an array of secure nonces
+ *
+ * @param count - Number of nonces to generate
+ * @returns Array of bytes32 hex strings
+ *
+ * @example
+ * ```typescript
+ * const nonces = generateSecureNonces(10);
+ * console.log(nonces.length); // 10
+ * ```
+ */
+export function generateSecureNonces(count: number): string[] {
+  if (count <= 0) {
+    throw new Error('Count must be positive');
+  }
+  if (count > 10000) {
+    throw new Error('Count exceeds maximum allowed (10000)');
+  }
+  const nonces: string[] = [];
+  for (let i = 0; i < count; i++) {
+    nonces.push(generateSecureNonce());
+  }
+  return nonces;
+}