npm - @agirails/sdk - Versions diffs - 2.5.2 → 2.5.4 - Mend

@agirails/sdk 2.5.2 → 2.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (172) hide show

package/dist/ACTPClient.d.ts +18 -0
package/dist/ACTPClient.d.ts.map +1 -1
package/dist/ACTPClient.js +67 -22
package/dist/ACTPClient.js.map +1 -1
package/dist/adapters/BasicAdapter.d.ts +12 -0
package/dist/adapters/BasicAdapter.d.ts.map +1 -1
package/dist/adapters/BasicAdapter.js +30 -4
package/dist/adapters/BasicAdapter.js.map +1 -1
package/dist/adapters/StandardAdapter.d.ts +20 -3
package/dist/adapters/StandardAdapter.d.ts.map +1 -1
package/dist/adapters/StandardAdapter.js +45 -11
package/dist/adapters/StandardAdapter.js.map +1 -1
package/dist/cli/commands/publish.js +16 -4
package/dist/cli/commands/publish.js.map +1 -1
package/dist/cli/commands/register.js +16 -4
package/dist/cli/commands/register.js.map +1 -1
package/dist/cli/commands/tx.js +31 -3
package/dist/cli/commands/tx.js.map +1 -1
package/dist/cli/utils/client.d.ts.map +1 -1
package/dist/cli/utils/client.js +1 -0
package/dist/cli/utils/client.js.map +1 -1
package/dist/config/networks.d.ts +2 -2
package/dist/config/networks.d.ts.map +1 -1
package/dist/config/networks.js +27 -22
package/dist/config/networks.js.map +1 -1
package/dist/level0/request.d.ts.map +1 -1
package/dist/level0/request.js +2 -1
package/dist/level0/request.js.map +1 -1
package/dist/runtime/BlockchainRuntime.d.ts.map +1 -1
package/dist/runtime/BlockchainRuntime.js +11 -5
package/dist/runtime/BlockchainRuntime.js.map +1 -1
package/dist/runtime/MockStateManager.d.ts.map +1 -1
package/dist/runtime/MockStateManager.js +2 -1
package/dist/runtime/MockStateManager.js.map +1 -1
package/dist/utils/IPFSClient.d.ts +3 -1
package/dist/utils/IPFSClient.d.ts.map +1 -1
package/dist/utils/IPFSClient.js +27 -7
package/dist/utils/IPFSClient.js.map +1 -1
package/dist/wallet/AutoWalletProvider.d.ts.map +1 -1
package/dist/wallet/AutoWalletProvider.js +52 -18
package/dist/wallet/AutoWalletProvider.js.map +1 -1
package/dist/wallet/SmartWalletRouter.d.ts +116 -0
package/dist/wallet/SmartWalletRouter.d.ts.map +1 -0
package/dist/wallet/SmartWalletRouter.js +212 -0
package/dist/wallet/SmartWalletRouter.js.map +1 -0
package/dist/wallet/aa/DualNonceManager.d.ts +19 -0
package/dist/wallet/aa/DualNonceManager.d.ts.map +1 -1
package/dist/wallet/aa/DualNonceManager.js +100 -5
package/dist/wallet/aa/DualNonceManager.js.map +1 -1
package/package.json +3 -6
package/src/ACTPClient.ts +0 -1579
package/src/abi/ACTPKernel.json +0 -1356
package/src/abi/AgentRegistry.json +0 -915
package/src/abi/ERC20.json +0 -40
package/src/abi/EscrowVault.json +0 -134
package/src/abi/IdentityRegistry.json +0 -316
package/src/adapters/AdapterRegistry.ts +0 -173
package/src/adapters/AdapterRouter.ts +0 -416
package/src/adapters/BaseAdapter.ts +0 -498
package/src/adapters/BasicAdapter.ts +0 -514
package/src/adapters/IAdapter.ts +0 -292
package/src/adapters/StandardAdapter.ts +0 -555
package/src/adapters/X402Adapter.ts +0 -731
package/src/adapters/index.ts +0 -60
package/src/builders/DeliveryProofBuilder.ts +0 -327
package/src/builders/QuoteBuilder.ts +0 -483
package/src/builders/index.ts +0 -17
package/src/cli/commands/balance.ts +0 -110
package/src/cli/commands/batch.ts +0 -487
package/src/cli/commands/config.ts +0 -231
package/src/cli/commands/deploy-check.ts +0 -364
package/src/cli/commands/deploy-env.ts +0 -120
package/src/cli/commands/diff.ts +0 -141
package/src/cli/commands/init.ts +0 -469
package/src/cli/commands/mint.ts +0 -116
package/src/cli/commands/pay.ts +0 -113
package/src/cli/commands/publish.ts +0 -475
package/src/cli/commands/pull.ts +0 -124
package/src/cli/commands/register.ts +0 -247
package/src/cli/commands/simulate.ts +0 -345
package/src/cli/commands/time.ts +0 -302
package/src/cli/commands/tx.ts +0 -448
package/src/cli/commands/watch.ts +0 -211
package/src/cli/index.ts +0 -134
package/src/cli/utils/client.ts +0 -251
package/src/cli/utils/config.ts +0 -389
package/src/cli/utils/output.ts +0 -465
package/src/cli/utils/wallet.ts +0 -109
package/src/config/agirailsmd.ts +0 -262
package/src/config/networks.ts +0 -275
package/src/config/pendingPublish.ts +0 -237
package/src/config/publishPipeline.ts +0 -359
package/src/config/syncOperations.ts +0 -279
package/src/erc8004/ERC8004Bridge.ts +0 -462
package/src/erc8004/ReputationReporter.ts +0 -468
package/src/erc8004/index.ts +0 -61
package/src/errors/index.ts +0 -427
package/src/index.ts +0 -364
package/src/level0/Provider.ts +0 -117
package/src/level0/ServiceDirectory.ts +0 -131
package/src/level0/index.ts +0 -10
package/src/level0/provide.ts +0 -132
package/src/level0/request.ts +0 -432
package/src/level1/Agent.ts +0 -1426
package/src/level1/index.ts +0 -10
package/src/level1/pricing/PriceCalculator.ts +0 -255
package/src/level1/pricing/PricingStrategy.ts +0 -198
package/src/level1/types/Job.ts +0 -179
package/src/level1/types/Options.ts +0 -291
package/src/level1/types/index.ts +0 -8
package/src/protocol/ACTPKernel.ts +0 -808
package/src/protocol/AgentRegistry.ts +0 -559
package/src/protocol/DIDManager.ts +0 -629
package/src/protocol/DIDResolver.ts +0 -554
package/src/protocol/EASHelper.ts +0 -378
package/src/protocol/EscrowVault.ts +0 -255
package/src/protocol/EventMonitor.ts +0 -204
package/src/protocol/MessageSigner.ts +0 -510
package/src/protocol/ProofGenerator.ts +0 -339
package/src/protocol/QuoteBuilder.ts +0 -15
package/src/registry/AgentRegistryClient.ts +0 -202
package/src/runtime/BlockchainRuntime.ts +0 -1015
package/src/runtime/IACTPRuntime.ts +0 -306
package/src/runtime/MockRuntime.ts +0 -1298
package/src/runtime/MockStateManager.ts +0 -576
package/src/runtime/index.ts +0 -25
package/src/runtime/types/MockState.ts +0 -237
package/src/storage/ArchiveBundleBuilder.ts +0 -561
package/src/storage/ArweaveClient.ts +0 -946
package/src/storage/FilebaseClient.ts +0 -790
package/src/storage/index.ts +0 -96
package/src/storage/types.ts +0 -348
package/src/types/adapter.ts +0 -310
package/src/types/agent.ts +0 -79
package/src/types/did.ts +0 -223
package/src/types/eip712.ts +0 -175
package/src/types/erc8004.ts +0 -293
package/src/types/escrow.ts +0 -27
package/src/types/index.ts +0 -17
package/src/types/message.ts +0 -145
package/src/types/state.ts +0 -87
package/src/types/transaction.ts +0 -69
package/src/types/x402.ts +0 -251
package/src/utils/ErrorRecoveryGuide.ts +0 -676
package/src/utils/Helpers.ts +0 -688
package/src/utils/IPFSClient.ts +0 -368
package/src/utils/Logger.ts +0 -484
package/src/utils/NonceManager.ts +0 -591
package/src/utils/RateLimiter.ts +0 -534
package/src/utils/ReceivedNonceTracker.ts +0 -567
package/src/utils/SDKLifecycle.ts +0 -416
package/src/utils/SecureNonce.ts +0 -78
package/src/utils/Semaphore.ts +0 -276
package/src/utils/UsedAttestationTracker.ts +0 -385
package/src/utils/canonicalJson.ts +0 -38
package/src/utils/circuitBreaker.ts +0 -324
package/src/utils/computeTypeHash.ts +0 -48
package/src/utils/fsSafe.ts +0 -80
package/src/utils/index.ts +0 -80
package/src/utils/retry.ts +0 -364
package/src/utils/security.ts +0 -418
package/src/utils/validation.ts +0 -540
package/src/wallet/AutoWalletProvider.ts +0 -299
package/src/wallet/EOAWalletProvider.ts +0 -69
package/src/wallet/IWalletProvider.ts +0 -135
package/src/wallet/aa/BundlerClient.ts +0 -274
package/src/wallet/aa/DualNonceManager.ts +0 -173
package/src/wallet/aa/PaymasterClient.ts +0 -174
package/src/wallet/aa/TransactionBatcher.ts +0 -353
package/src/wallet/aa/UserOpBuilder.ts +0 -246
package/src/wallet/aa/constants.ts +0 -60
package/src/wallet/keystore.ts +0 -240

package/src/utils/validation.ts DELETED Viewed

@@ -1,540 +0,0 @@
-import { isAddress, getAddress } from 'ethers';
-import {
-  InvalidAddressError,
-  InvalidAmountError,
-  ValidationError,
-  InvalidCIDError,
-  InvalidArweaveTxIdError
-} from '../errors';
-/**
- * Input validation utilities
- */
-// ============================================================================
-// Shared Validation Patterns (AIP-7 Storage)
-// ============================================================================
-/** Ethereum address validation pattern */
-export const ADDRESS_PATTERN = /^0x[a-fA-F0-9]{40}$/;
-/** Transaction ID (bytes32) validation pattern */
-export const TX_ID_PATTERN = /^0x[a-fA-F0-9]{64}$/;
-/** Hash (bytes32) validation pattern */
-export const HASH_PATTERN = /^0x[a-fA-F0-9]{64}$/;
-/** Signature (65 bytes = 130 hex chars) validation pattern */
-export const SIGNATURE_PATTERN = /^0x[a-fA-F0-9]{130}$/;
-/** CID validation pattern (CIDv0 or CIDv1) */
-export const CID_PATTERN = /^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})$/;
-/** Arweave TX ID pattern (43 characters, base64url) */
-export const ARWEAVE_TX_ID_PATTERN = /^[a-zA-Z0-9_-]{43}$/;
-/** Semver pattern for version validation */
-export const SEMVER_PATTERN = /^\d+\.\d+\.\d+$/;
-// ============================================================================
-// Gateway URL Whitelist (SSRF Protection - P0-1)
-// ============================================================================
-/**
- * Allowed IPFS gateway domains
- * Only whitelisted gateways are allowed for downloads
- */
-export const ALLOWED_IPFS_GATEWAYS = [
-  'ipfs.filebase.io',
-  'gateway.pinata.cloud',
-  'cloudflare-ipfs.com',
-  'ipfs.io',
-  'dweb.link',
-  'w3s.link',
-  'nftstorage.link'
-] as const;
-/**
- * Allowed Arweave gateway domains
- * Only whitelisted gateways are allowed for downloads
- */
-export const ALLOWED_ARWEAVE_GATEWAYS = [
-  'arweave.net',
-  'gateway.irys.xyz',
-  'arweave.dev'
-] as const;
-// ============================================================================
-// Validation Functions
-// ============================================================================
-/**
- * Validate Ethereum address
- */
-export function validateAddress(address: string, fieldName: string = 'address'): void {
-  if (!address || !isAddress(address)) {
-    throw new InvalidAddressError(address);
-  }
-  if (address === getAddress('0x0000000000000000000000000000000000000000')) {
-    throw new ValidationError(fieldName, 'Address cannot be zero address');
-  }
-}
-/**
- * Validate amount (must be > 0)
- */
-export function validateAmount(amount: bigint, _fieldName: string = 'amount'): void {
-  // Handle null/undefined before calling toString()
-  if (!amount) {
-    throw new InvalidAmountError(String(amount)); // Convert safely to string
-  }
-  if (amount <= 0n) {
-    throw new InvalidAmountError(amount.toString());
-  }
-}
-/**
- * Validate deadline (must be future timestamp)
- */
-export function validateDeadline(deadline: number, fieldName: string = 'deadline'): void {
-  const now = Math.floor(Date.now() / 1000);
-  if (deadline <= now) {
-    throw new ValidationError(
-      fieldName,
-      `Deadline must be in the future (now: ${now}, deadline: ${deadline})`
-    );
-  }
-}
-/**
- * Validate dispute window (max 30 days per spec)
- */
-export function validateDisputeWindow(
-  disputeWindow: number,
-  fieldName: string = 'disputeWindow'
-): void {
-  const MAX_DISPUTE_WINDOW = 30 * 24 * 60 * 60; // 30 days in seconds
-  if (disputeWindow < 0) {
-    throw new ValidationError(fieldName, 'Dispute window cannot be negative');
-  }
-  if (disputeWindow > MAX_DISPUTE_WINDOW) {
-    throw new ValidationError(
-      fieldName,
-      `Dispute window exceeds maximum (${MAX_DISPUTE_WINDOW}s = 30 days)`
-    );
-  }
-}
-/**
- * Validate transaction ID format
- */
-export function validateTxId(txId: string, fieldName: string = 'txId'): void {
-  if (!txId || !txId.match(/^0x[a-fA-F0-9]{64}$/)) {
-    throw new ValidationError(fieldName, 'Invalid transaction ID format (expected bytes32)');
-  }
-}
-/**
- * Check if IP address is private/local (SSRF protection)
- *
- * SECURITY FIX (H-1): Comprehensive private IP detection
- * - IPv4: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16
- * - IPv6: ::1, fc00::/7, fd00::/8, fe80::/10
- * - IPv4-mapped IPv6: ::ffff:127.0.0.0/8, ::ffff:10.0.0.0/8, etc.
- *
- * @param ip - IP address (v4 or v6, no brackets)
- * @returns true if IP is private/local
- */
-function isPrivateIP(ip: string): boolean {
-  // Remove IPv6 brackets if present
-  const cleanIP = ip.replace(/^\[|\]$/g, '');
-  // IPv4 patterns
-  const ipv4PrivatePatterns = [
-    /^127\./,                      // Loopback
-    /^10\./,                       // Private class A
-    /^172\.(1[6-9]|2\d|3[01])\./,  // Private class B (172.16-172.31)
-    /^192\.168\./,                 // Private class C
-    /^169\.254\./,                 // Link-local / AWS metadata
-    /^0\./,                        // Invalid source
-    /^localhost$/i                 // Localhost hostname
-  ];
-  for (const pattern of ipv4PrivatePatterns) {
-    if (pattern.test(cleanIP)) {
-      return true;
-    }
-  }
-  // IPv6 patterns (without brackets)
-  // Includes both standard ::ffff: and alternative ::ffff:0: notation (NEW-2 fix)
-  const ipv6PrivatePatterns = [
-    /^::1$/,                       // IPv6 loopback
-    /^::ffff:127\./,               // IPv4-mapped localhost
-    /^::ffff:0:127\./,             // Alternative IPv4-mapped localhost
-    /^::ffff:10\./,                // IPv4-mapped private 10.x
-    /^::ffff:0:10\./,              // Alternative IPv4-mapped private 10.x
-    /^::ffff:192\.168\./,          // IPv4-mapped private 192.168.x
-    /^::ffff:0:192\.168\./,        // Alternative IPv4-mapped private 192.168.x
-    /^::ffff:172\.(1[6-9]|2\d|3[01])\./,  // IPv4-mapped private 172.16-31.x
-    /^::ffff:0:172\.(1[6-9]|2\d|3[01])\./,// Alternative IPv4-mapped private 172.16-31.x
-    /^::ffff:169\.254\./,          // IPv4-mapped link-local (CRITICAL: AWS metadata)
-    /^::ffff:0:169\.254\./,        // Alternative IPv4-mapped link-local
-    /^fc00:/i,                     // IPv6 ULA fc00::/7
-    /^fd/i,                        // IPv6 ULA fd00::/8
-    /^fe80:/i                      // IPv6 link-local fe80::/10
-  ];
-  for (const pattern of ipv6PrivatePatterns) {
-    if (pattern.test(cleanIP)) {
-      return true;
-    }
-  }
-  return false;
-}
-/**
- * Validate endpoint URL (for AgentRegistry)
- *
- * SECURITY FIX (H-1): Enhanced SSRF protection with DNS resolution
- *
- * Security checks:
- * - Valid URL format
- * - HTTPS or IPFS protocols only
- * - Maximum length 256 characters
- * - DNS resolution check (hostname → IP validation)
- * - No private/local IP addresses (SSRF protection)
- * - Blocks AWS metadata endpoint (169.254.169.254)
- * - Fail-secure: if DNS lookup fails, reject
- *
- * **CRITICAL**: This function is now ASYNC due to DNS resolution.
- * All callers MUST await this function.
- *
- * @param endpoint - URL to validate
- * @param fieldName - Field name for error messages
- * @throws {ValidationError} If endpoint is invalid or points to private IP
- */
-export async function validateEndpointURL(endpoint: string, fieldName: string = 'endpoint'): Promise<void> {
-  if (!endpoint || endpoint.length === 0) {
-    throw new ValidationError(fieldName, 'Endpoint is required');
-  }
-  const MAX_LENGTH = 256;
-  if (endpoint.length > MAX_LENGTH) {
-    throw new ValidationError(fieldName, `Endpoint exceeds maximum length (${MAX_LENGTH})`);
-  }
-  let parsedUrl: URL;
-  try {
-    parsedUrl = new URL(endpoint);
-  } catch (e) {
-    throw new ValidationError(fieldName, 'Endpoint must be a valid URL');
-  }
-  const allowedProtocols = ['https:', 'ipfs:'];
-  if (!allowedProtocols.includes(parsedUrl.protocol)) {
-    throw new ValidationError(
-      fieldName,
-      `Endpoint protocol must be one of: ${allowedProtocols.join(', ')}`
-    );
-  }
-  // SECURITY FIX (H-1): First check hostname syntax
-  // URL().hostname strips brackets from IPv6 addresses
-  const hostname = parsedUrl.hostname;
-  // Check if hostname itself looks like a private IP (bypass DNS for direct IPs)
-  if (isPrivateIP(hostname)) {
-    throw new ValidationError(
-      fieldName,
-      `Endpoint hostname "${hostname}" is a private/local address (SSRF protection)`
-    );
-  }
-  // SECURITY FIX (H-1): DNS resolution check
-  // Resolve hostname to IP address(es) and validate each resolved IP
-  // This prevents DNS rebinding attacks where hostname resolves to private IP
-  if (parsedUrl.protocol === 'https:') {
-    try {
-      // Dynamic import for Node.js dns module (not available in browser)
-      // If running in browser, skip DNS check (browsers have their own SSRF protection)
-      const dns = await import('dns').catch(() => null);
-      if (dns) {
-        // Resolve hostname to ALL IP addresses and validate each (prevents AAAA/A bypass)
-        const results = await dns.promises.lookup(hostname, { all: true });
-        for (const { address, family } of results) {
-          // Validate resolved IP is not private
-          if (isPrivateIP(address)) {
-            throw new ValidationError(
-              fieldName,
-              `Endpoint hostname "${hostname}" resolves to private IP address ${address} (SSRF protection). ` +
-                `This could be an attempt to access internal services. ` +
-                `IP family: IPv${family}`
-            );
-          }
-          // SECURITY FIX (H-1): CRITICAL - Block AWS metadata endpoint explicitly
-          if (address === '169.254.169.254') {
-            throw new ValidationError(
-              fieldName,
-              `Endpoint resolves to AWS metadata endpoint (169.254.169.254). ` +
-                `This is blocked for security reasons (credential theft prevention).`
-            );
-          }
-        }
-      }
-    } catch (error: any) {
-      // SECURITY FIX (H-1): Fail-secure - if DNS lookup fails, reject
-      // Don't allow requests to unresolvable hostnames (could be DNS rebinding setup)
-      if (error instanceof ValidationError) {
-        throw error; // Re-throw validation errors
-      }
-      throw new ValidationError(
-        fieldName,
-        `Failed to resolve hostname "${hostname}": ${error.message}. ` +
-        `DNS resolution is required for SSRF protection (fail-secure mode).`
-      );
-    }
-  }
-  // IPFS endpoints skip DNS check (no DNS resolution for IPFS CIDs)
-}
-// ============================================================================
-// Storage Validation Functions (AIP-7)
-// ============================================================================
-/**
- * Validate IPFS CID format
- *
- * @param cid - IPFS CID to validate
- * @param fieldName - Field name for error messages
- * @throws {InvalidCIDError} If CID is invalid
- */
-export function validateCID(cid: string, _fieldName: string = 'cid'): void {
-  if (!cid || typeof cid !== 'string') {
-    throw new InvalidCIDError(String(cid), 'CID is required');
-  }
-  if (!CID_PATTERN.test(cid)) {
-    throw new InvalidCIDError(cid, 'Invalid CID format (expected CIDv0 Qm... or CIDv1 bafy...)');
-  }
-}
-/**
- * Validate Arweave transaction ID format
- *
- * @param txId - Arweave TX ID to validate
- * @param fieldName - Field name for error messages
- * @throws {InvalidArweaveTxIdError} If TX ID is invalid
- */
-export function validateArweaveTxId(txId: string, _fieldName: string = 'txId'): void {
-  if (!txId || typeof txId !== 'string') {
-    throw new InvalidArweaveTxIdError(String(txId), 'TX ID is required');
-  }
-  if (!ARWEAVE_TX_ID_PATTERN.test(txId)) {
-    throw new InvalidArweaveTxIdError(
-      txId,
-      'Invalid format (expected 43 character base64url string)'
-    );
-  }
-}
-/**
- * Validate gateway URL against whitelist (SSRF Protection - P0-1)
- *
- * SECURITY FIX: Only allow downloads from whitelisted gateway domains.
- * This prevents SSRF attacks where attacker controls the gateway URL.
- *
- * @param url - Full gateway URL to validate
- * @param allowedGateways - List of allowed gateway domains
- * @param fieldName - Field name for error messages
- * @throws {ValidationError} If gateway is not whitelisted
- */
-export function validateGatewayURL(
-  url: string,
-  allowedGateways: readonly string[],
-  fieldName: string = 'gatewayUrl'
-): void {
-  if (!url || typeof url !== 'string') {
-    throw new ValidationError(fieldName, 'Gateway URL is required');
-  }
-  let parsedUrl: URL;
-  try {
-    parsedUrl = new URL(url);
-  } catch {
-    throw new ValidationError(fieldName, 'Invalid URL format');
-  }
-  // Must be HTTPS
-  if (parsedUrl.protocol !== 'https:') {
-    throw new ValidationError(fieldName, 'Gateway URL must use HTTPS');
-  }
-  // NEW-3: Validate port (must be 443 or default, prevents port bypass attacks)
-  const port = parsedUrl.port;
-  if (port && !['443', ''].includes(port)) {
-    throw new ValidationError(
-      fieldName,
-      `Gateway URL must use standard HTTPS port (443). Found port: ${port}. ` +
-      `Non-standard ports may bypass whitelist intent.`
-    );
-  }
-  // Check hostname against whitelist
-  const hostname = parsedUrl.hostname.toLowerCase();
-  const isAllowed = allowedGateways.some(gateway =>
-    hostname === gateway.toLowerCase() ||
-    hostname.endsWith('.' + gateway.toLowerCase())
-  );
-  if (!isAllowed) {
-    throw new ValidationError(
-      fieldName,
-      `Gateway "${hostname}" is not in the allowed list. ` +
-      `Allowed gateways: ${allowedGateways.join(', ')}. ` +
-      `This restriction prevents SSRF attacks.`
-    );
-  }
-}
-/**
- * Validate semver version string
- *
- * @param version - Version string to validate
- * @param fieldName - Field name for error messages
- * @throws {ValidationError} If version is invalid
- */
-export function validateSemver(version: string, fieldName: string = 'version'): void {
-  if (!version || typeof version !== 'string') {
-    throw new ValidationError(fieldName, 'Version is required');
-  }
-  if (!SEMVER_PATTERN.test(version)) {
-    throw new ValidationError(fieldName, 'Must be semver format (e.g., 1.0.0)');
-  }
-}
-/**
- * Validate hash (bytes32) format
- *
- * @param hash - Hash to validate
- * @param fieldName - Field name for error messages
- * @throws {ValidationError} If hash is invalid
- */
-export function validateHash(hash: string, fieldName: string = 'hash'): void {
-  if (!hash || typeof hash !== 'string') {
-    throw new ValidationError(fieldName, 'Hash is required');
-  }
-  if (!HASH_PATTERN.test(hash)) {
-    throw new ValidationError(fieldName, 'Invalid hash format (expected bytes32 hex string)');
-  }
-}
-/**
- * Validate signature format (65 bytes)
- *
- * @param signature - Signature to validate
- * @param fieldName - Field name for error messages
- * @throws {ValidationError} If signature is invalid
- */
-export function validateSignature(signature: string, fieldName: string = 'signature'): void {
-  if (!signature || typeof signature !== 'string') {
-    throw new ValidationError(fieldName, 'Signature is required');
-  }
-  if (!SIGNATURE_PATTERN.test(signature)) {
-    throw new ValidationError(
-      fieldName,
-      'Invalid signature format (expected 65 bytes = 0x + 130 hex chars)'
-    );
-  }
-}
-// ============================================================================
-// Error Sanitization (P0-2)
-// ============================================================================
-/**
- * Sanitize error messages to remove sensitive data
- *
- * SECURITY FIX (P0-2): Removes credentials, private keys, and other
- * sensitive data from error messages before logging/returning.
- *
- * @param error - Error to sanitize
- * @returns Sanitized error message
- */
-export function sanitizeErrorMessage(error: unknown): string {
-  if (!error) return 'Unknown error';
-  let message = '';
-  if (error instanceof Error) {
-    message = error.message;
-  } else if (typeof error === 'string') {
-    message = error;
-  } else {
-    message = String(error);
-  }
-  // Patterns to redact
-  const sensitivePatterns = [
-    // Private keys (hex)
-    /0x[a-fA-F0-9]{64}/g,
-    // AWS access key IDs
-    /AKIA[0-9A-Z]{16}/g,
-    // AWS secret keys (40 chars)
-    /[a-zA-Z0-9/+=]{40}/g,
-    // Bearer tokens
-    /Bearer\s+[a-zA-Z0-9._-]+/gi,
-    // API keys (generic pattern)
-    /api[_-]?key[=:]\s*["']?[a-zA-Z0-9_-]+["']?/gi,
-    // Secret in URL query params
-    /secret[=][^&\s]+/gi,
-    // Password in URL
-    /password[=][^&\s]+/gi,
-    // Authorization headers
-    /authorization[=:]\s*["']?[^"'\s]+["']?/gi
-  ];
-  let sanitized = message;
-  for (const pattern of sensitivePatterns) {
-    sanitized = sanitized.replace(pattern, '[REDACTED]');
-  }
-  return sanitized;
-}
-/**
- * Create a safe error object for external consumption
- *
- * SECURITY FIX (P0-2): Returns error without stack trace or sensitive details
- *
- * @param error - Original error
- * @param operation - What operation failed
- * @returns Safe error object
- */
-export function createSafeError(
-  error: unknown,
-  operation: string
-): { message: string; code: string; operation: string } {
-  const sanitizedMessage = sanitizeErrorMessage(error);
-  // Don't expose internal details - generic message with operation context
-  return {
-    message: `Operation failed: ${operation}. ${sanitizedMessage}`,
-    code: (error as any)?.code || 'UNKNOWN_ERROR',
-    operation
-  };
-}