@agirails/sdk 2.3.0 → 2.3.1

package/src/config/networks.ts

@@ -15,6 +15,16 @@ import { ethers } from 'ethers';
 const BASE_SEPOLIA_RPC_URL = process.env.BASE_SEPOLIA_RPC || 'https://sepolia.base.org';
 const BASE_MAINNET_RPC_URL = process.env.BASE_MAINNET_RPC || 'https://mainnet.base.org';
 
+// AGIRAILS CDP Client API Key — safe to embed, cannot access funds/portfolios.
+// Developers can override with their own key via CDP_API_KEY env var.
+// Paymaster policy restricts sponsorship to AGIRAILS contracts only.
+const CDP_CLIENT_KEY = process.env.CDP_API_KEY || '2txciN85t41erCjveqgNnXYyHRcoo5xP';
+
+// Pimlico failover — bundler/paymaster backup if Coinbase CDP is down.
+// Safe to embed: restricted by contract allowlist (AGIRAILS contracts only).
+// Developers can override with their own key via PIMLICO_API_KEY env var.
+const PIMLICO_KEY = process.env.PIMLICO_API_KEY || 'pim_YiHmeAijzTPUvo1UMmXUiN';
+
 /**
  * Network configuration
  */
@@ -49,6 +59,27 @@ export interface NetworkConfig {
    * Set to undefined for no limit (testnet only).
    */
   maxTransactionAmount?: number;
+
+  /**
+   * AIP-12: Account Abstraction (AA) configuration.
+   * EntryPoint v0.6 + CoinbaseSmartWallet.
+   */
+  aa?: {
+    /** ERC-4337 EntryPoint v0.6 address */
+    entryPoint: string;
+    /** CoinbaseSmartWallet factory address */
+    smartWalletFactory: string;
+    /** Bundler RPC URLs */
+    bundlerUrls: {
+      coinbase: string;
+      pimlico?: string;
+    };
+    /** Paymaster RPC URLs (ERC-7677) */
+    paymasterUrls: {
+      coinbase: string;
+      pimlico?: string;
+    };
+  };
 }
 
 /**
@@ -60,38 +91,44 @@ export const BASE_SEPOLIA: NetworkConfig = {
   rpcUrl: BASE_SEPOLIA_RPC_URL,
   blockExplorer: 'https://sepolia.basescan.org',
   contracts: {
-    // Redeployed 2026-02-06 with agentId support
     actpKernel: '0x469CBADbACFFE096270594F0a31f0EEC53753411',
     escrowVault: '0x57f888261b629bB380dfb983f5DA6c70Ff2D49E5',
     usdc: '0x444b4e1A65949AB2ac75979D5d0166Eb7A248Ccb', // MockUSDC
-    // EAS contracts (Base native deployment)
     eas: '0x4200000000000000000000000000000000000021',
     easSchemaRegistry: '0x4200000000000000000000000000000000000020',
-    // AIP-7 Agent Registry (deployed 2025-12-11)
-    agentRegistry: '0xFed6914Aa70c0a53E9c7Cc4d2Ae159e4748fb09D',
-    // AIP-7 Identity Registry - ERC-1056 DID Registry (deployed 2026-01-09)
+    agentRegistry: '0xDd6D66924B43419F484aE981F174b803487AF25A',
     identityRegistry: '0xF64F748C7802a68Cb936a9213881fE74e83FDA97',
-    // AIP-7 Archive Treasury - Arweave funding (deployed 2026-01-09)
     archiveTreasury: '0xeB75DE7cF5ce77ab15BB0fFa3a2A79e6aaa554B0',
-    // X402Relay - atomic payment fee splitting (TODO: deploy and set address)
-    // x402Relay: '0x...',
+    x402Relay: '0x4DCD02b276Dbeab57c265B72435e90507b6Ac81A',
   },
   eas: {
-    // Deployed 2025-11-23 - AIP-4 delivery proof schema
     deliverySchemaUID: '0x1b0ebdf0bd20c28ec9d5362571ce8715a55f46e81c3de2f9b0d8e1b95fb5ffce'
   },
   gasSettings: {
     maxFeePerGas: ethers.parseUnits('2', 'gwei'),
     maxPriorityFeePerGas: ethers.parseUnits('1', 'gwei')
-  }
+  },
+  // AIP-12: Account Abstraction
+  aa: {
+    entryPoint: '0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789',
+    smartWalletFactory: '0xBA5ED110eFDBa3D005bfC882d75358ACBbB85842',
+    bundlerUrls: {
+      // Coinbase CDP bundler — set CDP_API_KEY env var
+      coinbase: process.env.CDP_BUNDLER_URL || `https://api.developer.coinbase.com/rpc/v1/base-sepolia/${CDP_CLIENT_KEY}`,
+      // Pimlico backup bundler — set PIMLICO_API_KEY env var
+      pimlico: process.env.PIMLICO_BUNDLER_URL || `https://api.pimlico.io/v2/84532/rpc?apikey=${PIMLICO_KEY}`,
+    },
+    paymasterUrls: {
+      // Coinbase CDP paymaster — same endpoint as bundler
+      coinbase: process.env.CDP_PAYMASTER_URL || `https://api.developer.coinbase.com/rpc/v1/base-sepolia/${CDP_CLIENT_KEY}`,
+      // Pimlico failover paymaster
+      pimlico: process.env.PIMLICO_PAYMASTER_URL || `https://api.pimlico.io/v2/84532/rpc?apikey=${PIMLICO_KEY}`,
+    },
+  },
 };
 
 /**
  * Base Mainnet Configuration
- *
- * WARNING: Mainnet contracts are NOT YET DEPLOYED.
- * Using 'base-mainnet' will throw an error until contracts are deployed.
- * Use 'base-sepolia' for testnet development.
  */
 export const BASE_MAINNET: NetworkConfig = {
   name: 'Base Mainnet',
@@ -99,21 +136,16 @@ export const BASE_MAINNET: NetworkConfig = {
   rpcUrl: BASE_MAINNET_RPC_URL,
   blockExplorer: 'https://basescan.org',
   contracts: {
-    // Deployed 2026-02-03
-    actpKernel: '0xeaE4D6925510284dbC45C8C64bb8104a079D4c60',
-    escrowVault: '0xb7bCadF7F26f0761995d95105DFb2346F81AF02D',
-    usdc: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913', // Official USDC on Base
-    // EAS contracts (Base native deployment)
+    actpKernel: '0x132B9eB321dBB57c828B083844287171BDC92d29',
+    escrowVault: '0x6aAF45882c4b0dD34130ecC790bb5Ec6be7fFb99',
+    usdc: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913',
     eas: '0x4200000000000000000000000000000000000021',
     easSchemaRegistry: '0x4200000000000000000000000000000000000020',
-    // AIP-7 contracts
-    agentRegistry: '0xbf9Aa0FC291A06A4dFA943c3E0Ad41E7aE20DF02',
-    archiveTreasury: '0x64B8f93fef2D2E749F5E88586753343F73246012',
-    // X402Relay - atomic payment fee splitting (TODO: deploy and set address)
-    // x402Relay: '0x...',
+    agentRegistry: '0x6fB222CF3DDdf37Bcb248EE7BBBA42Fb41901de8',
+    archiveTreasury: '0x0516C411C0E8d75D17A768022819a0a4FB3cA2f2',
+    x402Relay: '0x81DFb954A3D58FEc24Fc9c946aC2C71a911609F8',
   },
   eas: {
-    // Registered 2026-02-03
     deliverySchemaUID: '0x166501e7476e2fcf9214c4c5144533c2957d56fe59d639effc1719a0658d9c9a'
   },
   gasSettings: {
@@ -125,7 +157,22 @@ export const BASE_MAINNET: NetworkConfig = {
    * This limits exposure in case of undiscovered vulnerabilities.
    * Will be removed/increased after formal security audit.
    */
-  maxTransactionAmount: 1000
+  maxTransactionAmount: 1000,
+  // AIP-12: Account Abstraction
+  aa: {
+    entryPoint: '0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789',
+    smartWalletFactory: '0xBA5ED110eFDBa3D005bfC882d75358ACBbB85842',
+    bundlerUrls: {
+      coinbase: process.env.CDP_BUNDLER_URL || `https://api.developer.coinbase.com/rpc/v1/base/${CDP_CLIENT_KEY}`,
+      // Pimlico backup bundler — set PIMLICO_API_KEY env var
+      pimlico: process.env.PIMLICO_BUNDLER_URL || `https://api.pimlico.io/v2/8453/rpc?apikey=${PIMLICO_KEY}`,
+    },
+    paymasterUrls: {
+      coinbase: process.env.CDP_PAYMASTER_URL || `https://api.developer.coinbase.com/rpc/v1/base/${CDP_CLIENT_KEY}`,
+      // Pimlico failover paymaster
+      pimlico: process.env.PIMLICO_PAYMASTER_URL || `https://api.pimlico.io/v2/8453/rpc?apikey=${PIMLICO_KEY}`,
+    },
+  },
 };
 
 /**
@@ -174,7 +221,15 @@ export function getNetwork(network: string): NetworkConfig {
     gasSettings: {
       maxFeePerGas: config.gasSettings.maxFeePerGas,
       maxPriorityFeePerGas: config.gasSettings.maxPriorityFeePerGas
-    }
+    },
+    ...(config.aa ? {
+      aa: {
+        entryPoint: config.aa.entryPoint,
+        smartWalletFactory: config.aa.smartWalletFactory,
+        bundlerUrls: { ...config.aa.bundlerUrls },
+        paymasterUrls: { ...config.aa.paymasterUrls },
+      }
+    } : {}),
   };
 }
 

package/src/config/publishPipeline.ts

@@ -13,7 +13,7 @@
 
 import { readFileSync, writeFileSync } from 'fs';
 import { Signer, keccak256, toUtf8Bytes } from 'ethers';
-import { parseAgirailsMd, computeConfigHash, computeConfigHashFromParts, serializeAgirailsMd } from './agirailsmd';
+import { parseAgirailsMd, computeConfigHash, serializeAgirailsMd } from './agirailsmd';
 import { AgentRegistryClient } from '../registry/AgentRegistryClient';
 import { AgentRegistry } from '../protocol/AgentRegistry';
 import { FilebaseClient } from '../storage/FilebaseClient';
@@ -110,7 +110,7 @@ function usdcToBaseUnits(value: number, fieldName: string): bigint {
  *
  * @throws Error if neither services nor capabilities are present
  */
-function extractRegistrationParams(
+export function extractRegistrationParams(
   frontmatter: Record<string, unknown>
 ): { endpoint: string; serviceDescriptors: ServiceDescriptor[] } {
   // Endpoint: use frontmatter field or placeholder

package/src/erc8004/ERC8004Bridge.ts

@@ -38,6 +38,7 @@ import {
   ERC8004_IDENTITY_ABI,
   ERC8004_DEFAULT_RPC,
 } from '../types/erc8004';
+import { sdkLogger } from '../utils/Logger';
 
 // ============================================================================
 // Types
@@ -137,7 +138,7 @@ export class ERC8004Bridge {
       config.registryAddress ?? ERC8004_IDENTITY_REGISTRY[config.network];
 
     if (registryAddress === ethers.ZeroAddress) {
-      console.warn(
+      sdkLogger.warn(
         `[ERC8004] Registry not deployed on ${config.network}. Using zero address.`
       );
     }
@@ -327,7 +328,7 @@ export class ERC8004Bridge {
 
       return agentIds;
     } catch (error) {
-      console.warn(`[ERC8004] Failed to get agents for owner ${owner}:`, error);
+      sdkLogger.warn(`[ERC8004] Failed to get agents for owner ${owner}: ${error instanceof Error ? error.message : error}`);
       return [];
     }
   }
@@ -417,7 +418,7 @@ export class ERC8004Bridge {
 
       // Validate URL
       if (!url.startsWith('http://') && !url.startsWith('https://')) {
-        console.warn(`[ERC8004] Invalid agentURI scheme for ${agentId}: ${url}`);
+        sdkLogger.warn(`[ERC8004] Invalid agentURI scheme for ${agentId}: ${url}`);
         return undefined;
       }
 
@@ -434,7 +435,7 @@ export class ERC8004Bridge {
         clearTimeout(timeoutId);
 
         if (!response.ok) {
-          console.warn(
+          sdkLogger.warn(
             `[ERC8004] Metadata fetch failed for ${agentId}: HTTP ${response.status}`
           );
           return undefined;
@@ -454,7 +455,7 @@ export class ERC8004Bridge {
             : error.message
           : 'unknown error';
 
-      console.warn(`[ERC8004] Metadata fetch failed for ${agentId}: ${errorMessage}`);
+      sdkLogger.warn(`[ERC8004] Metadata fetch failed for ${agentId}: ${errorMessage}`);
       return undefined;
     }
   }

package/src/erc8004/ReputationReporter.ts

@@ -50,6 +50,7 @@ import {
   ERC8004_REPUTATION_ABI,
   ACTP_FEEDBACK_TAGS,
 } from '../types/erc8004';
+import { sdkLogger } from '../utils/Logger';
 
 // ============================================================================
 // Types
@@ -214,9 +215,8 @@ export class ReputationReporter {
       config.registryAddress ?? ERC8004_REPUTATION_REGISTRY[config.network];
 
     if (registryAddress === ethers.ZeroAddress) {
-      console.warn(
-        `[ERC8004] Reputation Registry not deployed on ${config.network}. ` +
-          'Reports will fail.'
+      sdkLogger.warn(
+        `[ERC8004] Reputation Registry not deployed on ${config.network}. Reports will fail.`
       );
     }
 
@@ -257,7 +257,7 @@ export class ReputationReporter {
 
     // Local dedup check
     if (this.reportedTxIds.has(txId)) {
-      console.warn(`[ERC8004] Already reported txId in this session: ${txId}`);
+      sdkLogger.warn(`[ERC8004] Already reported txId in this session: ${txId}`);
       return null;
     }
 
@@ -322,7 +322,7 @@ export class ReputationReporter {
 
     // Local dedup check
     if (this.reportedTxIds.has(txId)) {
-      console.warn(`[ERC8004] Already reported txId in this session: ${txId}`);
+      sdkLogger.warn(`[ERC8004] Already reported txId in this session: ${txId}`);
       return null;
     }
 
@@ -392,9 +392,8 @@ export class ReputationReporter {
         score: Number(summaryValue),
       };
     } catch (error) {
-      console.error(
-        `[ERC8004] getAgentReputation failed for ${agentId}:`,
-        error instanceof Error ? error.message : error
+      sdkLogger.error(
+        `[ERC8004] getAgentReputation failed for ${agentId}: ${error instanceof Error ? error.message : error}`
       );
       return null;
     }
@@ -449,23 +448,20 @@ export class ReputationReporter {
 
     // Check for common error cases
     if (errorMessage.includes('insufficient funds')) {
-      console.error(
-        `[ERC8004] ${method} failed for agent ${agentId}: ` +
-          'Insufficient funds for gas. Signer needs ETH/native token.'
+      sdkLogger.error(
+        `[ERC8004] ${method} failed for agent ${agentId}: Insufficient funds for gas. Signer needs ETH/native token.`
       );
     } else if (errorMessage.includes('cannot be the agent owner')) {
-      console.error(
-        `[ERC8004] ${method} failed for agent ${agentId}: ` +
-          'Caller is agent owner. ERC-8004 requires different address.'
+      sdkLogger.error(
+        `[ERC8004] ${method} failed for agent ${agentId}: Caller is agent owner. ERC-8004 requires different address.`
       );
     } else if (errorMessage.includes('user rejected')) {
-      console.warn(
+      sdkLogger.warn(
         `[ERC8004] ${method} cancelled by user for agent ${agentId}`
       );
     } else {
-      console.error(
-        `[ERC8004] ${method} failed for agent ${agentId} (tx: ${txId}): ` +
-          errorMessage
+      sdkLogger.error(
+        `[ERC8004] ${method} failed for agent ${agentId} (tx: ${txId}): ${errorMessage}`
       );
     }
   }

package/src/index.ts

@@ -178,6 +178,18 @@ export {
 
 // Wallet
 export { resolvePrivateKey, getCachedAddress } from './wallet/keystore';
+export type {
+  IWalletProvider,
+  TransactionRequest as WalletTransactionRequest,
+  TransactionReceipt as WalletTransactionReceipt,
+  WalletInfo,
+  WalletTier,
+  BatchedPayParams,
+  BatchedPayResult,
+} from './wallet/IWalletProvider';
+export { EOAWalletProvider } from './wallet/EOAWalletProvider';
+export { AutoWalletProvider } from './wallet/AutoWalletProvider';
+export type { AutoWalletConfig } from './wallet/AutoWalletProvider';
 
 // Helper utilities
 export {

package/src/level1/Agent.ts

@@ -19,7 +19,7 @@ import { RequestOptions, RequestResult, NetworkOption } from './types/Options';
 import { PricingStrategy } from './pricing/PricingStrategy';
 import { AgentLifecycleError, ServiceConfigError, ValidationError } from '../errors';
 import { validateServiceName, validatePath, LRUCache } from '../utils/security';
-import { Logger } from '../utils/Logger';
+import { Logger, sdkLogger } from '../utils/Logger';
 import { ServiceHash } from '../utils/Helpers';
 import { Semaphore } from '../utils/Semaphore';
 import { ProofGenerator } from '../protocol/ProofGenerator';
@@ -1311,21 +1311,21 @@ export class Agent extends EventEmitter {
       log: {
         debug: (message: string, meta?: any) => {
           if (agent.config.logging?.level === 'debug') {
-            console.debug(`[${job.id}] ${message}`, meta);
+            sdkLogger.debug(`[${job.id}] ${message}`, meta);
           }
         },
         info: (message: string, meta?: any) => {
           if (['debug', 'info'].includes(agent.config.logging?.level || 'info')) {
-            console.info(`[${job.id}] ${message}`, meta);
+            sdkLogger.info(`[${job.id}] ${message}`, meta);
           }
         },
         warn: (message: string, meta?: any) => {
           if (['debug', 'info', 'warn'].includes(agent.config.logging?.level || 'info')) {
-            console.warn(`[${job.id}] ${message}`, meta);
+            sdkLogger.warn(`[${job.id}] ${message}`, meta);
           }
         },
         error: (message: string, meta?: any) => {
-          console.error(`[${job.id}] ${message}`, meta);
+          sdkLogger.error(`[${job.id}] ${message}`, meta);
         },
       },
 

package/src/protocol/ACTPKernel.ts

@@ -37,14 +37,25 @@ interface GasOptions {
 export class ACTPKernel {
   private contract: Contract;
   private readonly gasSettings?: GasOptions;
+  /**
+   * Number of block confirmations to wait after each state-changing tx.
+   * Default: 2 (Base L2 reorg safety — ~4-6 s on Base's 2 s blocks).
+   * Set to 1 for faster feedback on testnet; never set to 0 in production.
+   */
+  private readonly confirmations: number;
 
   constructor(
     private readonly address: string,
     signer: Signer,
-    gasSettings?: GasOptions
+    gasSettings?: GasOptions,
+    confirmations: number = 2
   ) {
+    if (confirmations < 1) {
+      throw new Error(`confirmations must be >= 1, got ${confirmations}`);
+    }
     this.contract = new Contract(address, ACTPKernelABI, signer);
     this.gasSettings = gasSettings;
+    this.confirmations = confirmations;
   }
 
   /**
@@ -213,7 +224,7 @@ export class ACTPKernel {
         txOptions
       );
 
-      const receipt = await tx.wait(2); // Wait for 2 confirmations (Base L2 reorg safety)
+      const receipt = await tx.wait(this.confirmations);
       if (!receipt) {
         throw new Error('Transaction receipt not available');
       }
@@ -280,7 +291,7 @@ export class ACTPKernel {
 
       const tx = await transitionFunc(txId, newState, proof, txOptions);
 
-      await tx.wait(2); // Wait for 2 confirmations (Base L2 reorg safety)
+      await tx.wait(this.confirmations);
     } catch (error: any) {
       throw new TransactionRevertedError(error.transactionHash, error.reason || error.message);
     }
@@ -400,8 +411,7 @@ export class ACTPKernel {
 
       const tx = await linkEscrowFunc(txId, escrowContract, escrowId, txOptions);
 
-      // Wait for 2 confirmations to ensure state is updated on RPC nodes (Base Sepolia reorg safety)
-      await tx.wait(2);
+      await tx.wait(this.confirmations);
     } catch (error: any) {
       throw new TransactionRevertedError(error.transactionHash, error.reason || error.message);
     }
@@ -437,7 +447,7 @@ export class ACTPKernel {
 
       const tx = await releaseMilestoneFunc(txId, amount, txOptions);
 
-      await tx.wait(2); // Wait for 2 confirmations (Base L2 reorg safety)
+      await tx.wait(this.confirmations);
     } catch (error: any) {
       throw new TransactionRevertedError(error.transactionHash, error.reason || error.message);
     }
@@ -521,7 +531,7 @@ export class ACTPKernel {
 
       const tx = await releaseEscrowFunc(txId, txOptions);
 
-      await tx.wait(2); // Wait for 2 confirmations (Base L2 reorg safety)
+      await tx.wait(this.confirmations);
     } catch (error: any) {
       throw new TransactionRevertedError(error.transactionHash, error.reason || error.message);
     }
@@ -669,7 +679,7 @@ export class ACTPKernel {
         txOptions
       );
 
-      await tx.wait(2); // Wait for 2 confirmations (Base L2 reorg safety)
+      await tx.wait(this.confirmations);
     } catch (error: any) {
       throw new TransactionRevertedError(error.transactionHash, error.reason || error.message);
     }
@@ -735,7 +745,7 @@ export class ACTPKernel {
         txOptions
       );
 
-      await tx.wait(2); // Wait for 2 confirmations (Base L2 reorg safety)
+      await tx.wait(this.confirmations);
     } catch (error: any) {
       throw new TransactionRevertedError(error.transactionHash, error.reason || error.message);
     }
@@ -789,7 +799,7 @@ export class ACTPKernel {
         txOptions
       );
 
-      await tx.wait(2); // Wait for 2 confirmations (Base L2 reorg safety)
+      await tx.wait(this.confirmations);
     } catch (error: any) {
       throw new TransactionRevertedError(error.transactionHash, error.reason || error.message);
     }

package/src/protocol/EventMonitor.ts

@@ -4,6 +4,20 @@ import { State, Transaction } from '../types';
 /**
  * EventMonitor - Listen to blockchain events
  *
+ * ## Confirmation Policy
+ *
+ * Events received by EventMonitor are already confirmed. ACTPKernel waits
+ * for N block confirmations (default 2, configurable via `confirmations`
+ * parameter in BlockchainRuntimeConfig) before returning from state-changing
+ * operations. On Base L2 (~2 s blocks), the default means events arrive
+ * ~4-6 s after submission and are safe from reorgs.
+ *
+ * Confirmation flow:
+ *   User calls ACTPKernel.createTransaction()
+ *     → tx.wait(confirmations) blocks until N confirmations
+ *     → Event emitted (already confirmed)
+ *     → EventMonitor receives event (instant)
+ *
  * SECURITY FIX (EVENT-MONITOR): Corrected event parameter order to match ABI.
  * Per ACTPKernel.json, TransactionCreated signature is:
  *   (bytes32 indexed transactionId, address indexed requester, address indexed provider, uint256 amount, bytes32 serviceHash)

package/src/runtime/BlockchainRuntime.ts

@@ -65,6 +65,11 @@ export interface BlockchainRuntimeConfig {
    * If provided, attestation replay protection will survive restarts
    */
   stateDirectory?: string;
+  /**
+   * Number of block confirmations to wait after each state-changing tx.
+   * Default: 2 (Base L2 reorg safety). Set to 1 on testnet for speed.
+   */
+  confirmations?: number;
 }
 
 /**
@@ -163,7 +168,8 @@ export class BlockchainRuntime implements IACTPRuntime {
     this.kernel = new ACTPKernel(
       this.networkConfig.contracts.actpKernel,
       this.signer,
-      config.gasSettings
+      config.gasSettings,
+      config.confirmations
     );
 
     this.escrow = new EscrowVault(

package/src/storage/ArchiveBundleBuilder.ts

@@ -15,14 +15,12 @@ import { ValidationError } from '../errors';
 import {
   ArchiveBundle,
   ArchiveChainId,
-  ArchiveFinalState,
   ArchiveParticipants,
   ArchiveReferences,
   ArchiveHashes,
   ArchiveSignatures,
   ArchiveAttestation,
   ArchiveSettlement,
-  EscrowRelease,
   ARCHIVE_BUNDLE_TYPE
 } from './types';
 

package/src/storage/ArweaveClient.ts

@@ -48,7 +48,6 @@ import {
 import { withRetry, RetryOptions } from '../utils/retry';
 import {
   GatewayCircuitBreaker,
-  CircuitBreakerConfig
 } from '../utils/circuitBreaker';
 
 // ============================================================================
@@ -538,6 +537,7 @@ export class ArweaveClient {
           const chunks: Uint8Array[] = [];
           let totalSize = 0;
 
+          // eslint-disable-next-line no-constant-condition
           while (true) {
             const { done, value } = await reader.read();
             if (done) break;
@@ -671,6 +671,7 @@ export class ArweaveClient {
           const chunks: Uint8Array[] = [];
           let totalSize = 0;
 
+          // eslint-disable-next-line no-constant-condition
           while (true) {
             const { done, value } = await reader.read();
             if (done) break;

package/src/storage/FilebaseClient.ts

@@ -14,7 +14,7 @@
  * @module storage/FilebaseClient
  */
 
-import { S3Client, PutObjectCommand, GetObjectCommand, HeadObjectCommand } from '@aws-sdk/client-s3';
+import { S3Client, PutObjectCommand, HeadObjectCommand } from '@aws-sdk/client-s3';
 import {
   StorageError,
   StorageAuthenticationError,
@@ -39,8 +39,6 @@ import {
 import { withRetry, RetryOptions } from '../utils/retry';
 import {
   GatewayCircuitBreaker,
-  CircuitBreakerConfig,
-  globalCircuitBreaker
 } from '../utils/circuitBreaker';
 
 // ============================================================================
@@ -329,6 +327,7 @@ export class FilebaseClient {
           const chunks: Uint8Array[] = [];
           let totalSize = 0;
 
+          // eslint-disable-next-line no-constant-condition
           while (true) {
             const { done, value } = await reader.read();
             if (done) break;
@@ -516,6 +515,7 @@ export class FilebaseClient {
           const chunks: Uint8Array[] = [];
           let totalSize = 0;
 
+          // eslint-disable-next-line no-constant-condition
           while (true) {
             const { done, value } = await reader.read();
             if (done) break;

package/src/utils/ErrorRecoveryGuide.ts

@@ -7,6 +7,8 @@
  * @module utils/ErrorRecoveryGuide
  */
 
+import { sdkLogger } from './Logger';
+
 /**
  * Error severity levels for prioritization
  */
@@ -650,14 +652,14 @@ export async function withRecoveryGuidance<T>(
       }
 
       if (logGuidance) {
-        console.error(ErrorRecoveryGuide.formatGuidance(error));
+        sdkLogger.error(ErrorRecoveryGuide.formatGuidance(error));
       }
 
       if (autoRetry && recovery.retryable) {
         const retryParams = ErrorRecoveryGuide.getRetryParams(error);
         if (retryParams && attempts < retryParams.maxRetries) {
           attempts++;
-          console.log(
+          sdkLogger.info(
             `Retrying (${attempts}/${retryParams.maxRetries}) after ${retryParams.delayMs}ms...`
           );
           await new Promise((resolve) =>

package/src/utils/IPFSClient.ts

@@ -74,8 +74,8 @@ export interface IPFSClientConfig {
   allowedProtocols?: string[];
 
   /**
-   * SECURITY FIX (MEDIUM-3): Allow localhost URLs
-   * Default: true (required for local IPFS daemon)
+   * Allow localhost URLs (e.g., local IPFS daemon).
+   * Default: false (SSRF protection). Set to true explicitly for local development.
    */
   allowLocalhost?: boolean;
 }
@@ -85,7 +85,8 @@ export interface IPFSClientConfig {
  */
 export const IPFS_CONFIGS = {
   local: {
-    url: 'http://localhost:5001'
+    url: 'http://localhost:5001',
+    allowLocalhost: true, // Explicit opt-in for local development
   },
   infura: {
     url: 'https://ipfs.infura.io:5001/api/v0'
@@ -128,14 +129,14 @@ export class IPFSHTTPClientImpl implements IPFSClient {
     const url = config.url || 'http://localhost:5001';
 
     // SECURITY FIX (MEDIUM-3): Validate URL
-    this.validateUrl(url, config.allowLocalhost ?? true, config.allowedProtocols);
+    this.validateUrl(url, config.allowLocalhost ?? false, config.allowedProtocols);
 
     this.config = {
       url,
       timeout: config.timeout || 60000,
       maxSize: config.maxSize || IPFSHTTPClientImpl.DEFAULT_MAX_SIZE,
       allowedProtocols: config.allowedProtocols || IPFSHTTPClientImpl.DEFAULT_ALLOWED_PROTOCOLS,
-      allowLocalhost: config.allowLocalhost ?? true,
+      allowLocalhost: config.allowLocalhost ?? false,
       auth: config.auth,
       headers: config.headers,
     } as Required<IPFSClientConfig>;
@@ -359,8 +360,9 @@ export function createIPFSClient(): IPFSClient {
     });
   }
 
-  // Default to local IPFS daemon
+  // Default to local IPFS daemon (explicit localhost opt-in)
   return new IPFSHTTPClientImpl({
-    url: 'http://localhost:5001'
+    url: 'http://localhost:5001',
+    allowLocalhost: true,
   });
 }