@arc402/daemon 1.2.0

package/dist/auth-server.js

@@ -0,0 +1,266 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildChallengeMessage = buildChallengeMessage;
+exports.issueAuthChallenge = issueAuthChallenge;
+exports.consumeAuthChallenge = consumeAuthChallenge;
+exports.registerAuthRoutes = registerAuthRoutes;
+/**
+ * RemoteAuth — owner key challenge-response (Spec 46 §11/§16).
+ *
+ * Implements the three auth endpoints:
+ *   POST /auth/challenge  — issue context-bound challenge for owner to sign
+ *   POST /auth/session    — verify EIP-191 signature, issue 24h session token
+ *   POST /auth/revoke     — self-revoke all sessions for this wallet
+ *
+ * Security properties:
+ *   - Challenge is single-use and expires in 300s
+ *   - Challenge binds to: challengeId + daemonId + wallet + chainId + scope + expiresAt
+ *   - Recovered signer must equal wallet.owner() (on-chain check)
+ *   - Session token stored as sha256(token) only
+ *   - Session scoped to one wallet address
+ */
+const crypto = __importStar(require("crypto"));
+const ethers_1 = require("ethers");
+const session_manager_1 = require("./session-manager");
+const abis_1 = require("./abis");
+const ARC402_WALLET_OWNER_CHECK_ABI = [
+    "function owner() external view returns (address)",
+];
+const CHALLENGE_TTL_MS = 300000; // 5 minutes
+/**
+ * Build the EIP-191 message that the owner must sign.
+ *
+ * "ARC-402 Remote Auth\nChallenge: " + keccak256(abi.encodePacked(
+ *   challengeId, daemonId, wallet, chainId, requestedScope, expiresAt
+ * ))
+ */
+function buildChallengeMessage(challengeId, daemonId, wallet, chainId, scope, expiresAt) {
+    const packed = ethers_1.ethers.solidityPacked(["bytes32", "address", "address", "uint256", "string", "uint256"], [
+        ethers_1.ethers.zeroPadBytes(`0x${challengeId}`, 32),
+        daemonId,
+        wallet,
+        chainId,
+        scope,
+        expiresAt,
+    ]);
+    const hash = ethers_1.ethers.keccak256(packed);
+    return `ARC-402 Remote Auth\nChallenge: ${hash}`;
+}
+function issueAuthChallenge(sessions, cfg, wallet, requestedScope) {
+    const scope = requestedScope ?? "operator";
+    const challengeId = crypto.randomBytes(32).toString("hex");
+    const now = Date.now();
+    const expiresAt = now + CHALLENGE_TTL_MS;
+    sessions.storeChallenge({
+        challengeId,
+        daemonId: cfg.daemonId,
+        wallet,
+        chainId: cfg.chainId,
+        scope,
+        expiresAt,
+    });
+    return {
+        challengeId,
+        challenge: buildChallengeMessage(challengeId, cfg.daemonId, wallet, cfg.chainId, scope, expiresAt),
+        daemonId: cfg.daemonId,
+        wallet,
+        chainId: cfg.chainId,
+        scope,
+        expiresAt,
+        issuedAt: now,
+    };
+}
+async function consumeAuthChallenge(sessions, cfg, deps, provider, challengeId, signature) {
+    const challenge = sessions.getChallenge(challengeId);
+    if (!challenge) {
+        return { ok: false, status: 401, error: "challenge_not_found" };
+    }
+    if (challenge.used) {
+        return { ok: false, status: 401, error: "challenge_already_used" };
+    }
+    if (Date.now() > challenge.expires_at) {
+        return { ok: false, status: 401, error: "challenge_expired" };
+    }
+    const message = buildChallengeMessage(challenge.challenge_id ?? challengeId, challenge.daemon_id, challenge.wallet, challenge.chain_id, challenge.scope, challenge.expires_at);
+    let recoveredSigner;
+    try {
+        recoveredSigner = deps.recoverSigner?.(message, signature) ?? ethers_1.ethers.verifyMessage(message, signature);
+    }
+    catch {
+        return { ok: false, status: 401, error: "invalid_signature" };
+    }
+    let onChainOwner;
+    try {
+        onChainOwner = deps.getWalletOwner
+            ? await deps.getWalletOwner(challenge.wallet, provider)
+            : await new ethers_1.ethers.Contract(challenge.wallet, ARC402_WALLET_OWNER_CHECK_ABI, provider).owner();
+    }
+    catch {
+        return { ok: false, status: 503, error: "rpc_unavailable" };
+    }
+    if (recoveredSigner.toLowerCase() !== onChainOwner.toLowerCase()) {
+        return { ok: false, status: 401, error: "signer_not_owner" };
+    }
+    let ownedWallets = [];
+    try {
+        ownedWallets = deps.getWalletsForOwner
+            ? await deps.getWalletsForOwner(recoveredSigner, provider, cfg.chainId)
+            : await getWalletsForOwner(recoveredSigner, provider, cfg.chainId);
+    }
+    catch {
+        // Non-fatal — continue with empty wallet list
+    }
+    if (!ownedWallets.some((wallet) => wallet.toLowerCase() === challenge.wallet.toLowerCase())) {
+        ownedWallets = [challenge.wallet, ...ownedWallets];
+    }
+    sessions.markChallengeUsed(challengeId);
+    const rawToken = sessions.createSession(challenge.wallet, challenge.scope);
+    const SESSION_TTL_MS = 24 * 60 * 60 * 1000;
+    return {
+        ok: true,
+        token: rawToken,
+        wallets: ownedWallets,
+        wallet: challenge.wallet,
+        scope: challenge.scope,
+        expiresAt: Date.now() + SESSION_TTL_MS,
+    };
+}
+/**
+ * Query WalletFactory WalletDeployed events to find all wallets owned by a given EOA.
+ * Uses eth_getLogs with the WalletFactory addresses known to the daemon.
+ */
+async function getWalletsForOwner(ownerAddress, provider, chainId) {
+    // WalletFactory addresses on Base mainnet (8453)
+    // Canonical addresses from the RegistryV3 — hardcoded for Base mainnet fallback
+    const WALLET_FACTORY_ADDRESSES_BASE = [
+        "0x9406Cc6185a346906296840746125a0E449764545", // WalletFactoryV6 (Base mainnet)
+    ];
+    if (chainId !== 8453) {
+        // Non-mainnet: skip factory query, return empty (caller handles gracefully)
+        return [];
+    }
+    const wallets = [];
+    const factoryIface = new ethers_1.ethers.Interface(abis_1.WALLET_FACTORY_ABI);
+    const deployedTopic = factoryIface.getEvent("WalletDeployed")?.topicHash;
+    const createdTopic = factoryIface.getEvent("WalletCreated")?.topicHash;
+    // Pad owner address to 32 bytes for topic filter
+    const ownerTopic = ethers_1.ethers.zeroPadValue(ownerAddress.toLowerCase(), 32);
+    for (const factoryAddr of WALLET_FACTORY_ADDRESSES_BASE) {
+        try {
+            // Try WalletDeployed(wallet indexed, owner indexed)
+            if (deployedTopic) {
+                const logs = await provider.getLogs({
+                    address: factoryAddr,
+                    topics: [deployedTopic, null, ownerTopic],
+                    fromBlock: 0,
+                    toBlock: "latest",
+                });
+                for (const log of logs) {
+                    const parsed = factoryIface.parseLog(log);
+                    if (parsed?.args.wallet)
+                        wallets.push(parsed.args.wallet);
+                }
+            }
+            // Try WalletCreated(owner indexed, walletAddress indexed)
+            if (createdTopic) {
+                const logs = await provider.getLogs({
+                    address: factoryAddr,
+                    topics: [createdTopic, ownerTopic],
+                    fromBlock: 0,
+                    toBlock: "latest",
+                });
+                for (const log of logs) {
+                    const parsed = factoryIface.parseLog(log);
+                    if (parsed?.args.walletAddress)
+                        wallets.push(parsed.args.walletAddress);
+                }
+            }
+        }
+        catch {
+            // Factory query failed — continue with other factories
+        }
+    }
+    return [...new Set(wallets)];
+}
+function registerAuthRoutes(app, db, cfg, deps = {}) {
+    const sessions = new session_manager_1.SessionManager(db);
+    const provider = deps.createProvider?.(cfg.rpcUrl) ?? new ethers_1.ethers.JsonRpcProvider(cfg.rpcUrl);
+    // ─── POST /auth/challenge ─────────────────────────────────────────────────────
+    // { wallet, requestedScope } → { challengeId, challenge, expiresAt }
+    app.post("/auth/challenge", (req, res) => {
+        const { wallet, requestedScope } = req.body;
+        if (!wallet || !ethers_1.ethers.isAddress(wallet)) {
+            res.status(400).json({ error: "valid wallet address required" });
+            return;
+        }
+        res.json(issueAuthChallenge(sessions, cfg, wallet, requestedScope));
+    });
+    // ─── POST /auth/session ───────────────────────────────────────────────────────
+    // { challengeId, signature } → { token, wallets, expiresAt }
+    app.post("/auth/session", (req, res) => {
+        void (async () => {
+            const { challengeId, signature } = req.body;
+            if (!challengeId || !signature) {
+                res.status(400).json({ error: "challengeId and signature required" });
+                return;
+            }
+            const result = await consumeAuthChallenge(sessions, cfg, deps, provider, challengeId, signature);
+            if (!result.ok) {
+                res.status(result.status).json({ error: result.error });
+                return;
+            }
+            res.json(result);
+        })();
+    });
+    // ─── POST /auth/revoke ────────────────────────────────────────────────────────
+    // Invalidate all sessions for this wallet. Requires valid session token.
+    app.post("/auth/revoke", (req, res) => {
+        const authHeader = req.headers["authorization"];
+        const token = authHeader?.replace("Bearer ", "");
+        if (!token) {
+            res.status(401).json({ error: "no_session" });
+            return;
+        }
+        const session = sessions.validateSession(token);
+        if (!session) {
+            res.status(401).json({ error: "invalid_session" });
+            return;
+        }
+        sessions.revokeByWallet(session.wallet);
+        res.json({ ok: true, revoked: session.wallet });
+    });
+}
+//# sourceMappingURL=auth-server.js.map

package/dist/auth-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-server.js","sourceRoot":"","sources":["../src/auth-server.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqDA,sDAqBC;AAaD,gDAqCC;AAiBD,oDA2EC;AAkED,gDA6EC;AAvWD;;;;;;;;;;;;;;GAcG;AACH,+CAAiC;AACjC,mCAAgC;AAGhC,uDAAmD;AACnD,iCAA4C;AAE5C,MAAM,6BAA6B,GAAG;IACpC,kDAAkD;CAC1C,CAAC;AAEX,MAAM,gBAAgB,GAAG,MAAO,CAAC,CAAC,YAAY;AAoB9C;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,WAAmB,EACnB,QAAgB,EAChB,MAAc,EACd,OAAe,EACf,KAAa,EACb,SAAiB;IAEjB,MAAM,MAAM,GAAG,eAAM,CAAC,cAAc,CAClC,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC,EACjE;QACE,eAAM,CAAC,YAAY,CAAC,KAAK,WAAW,EAAE,EAAE,EAAE,CAAC;QAC3C,QAAQ;QACR,MAAM;QACN,OAAO;QACP,KAAK;QACL,SAAS;KACV,CACF,CAAC;IACF,MAAM,IAAI,GAAG,eAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtC,OAAO,mCAAmC,IAAI,EAAE,CAAC;AACnD,CAAC;AAaD,SAAgB,kBAAkB,CAChC,QAAwB,EACxB,GAAqB,EACrB,MAAc,EACd,cAAuB;IAEvB,MAAM,KAAK,GAAG,cAAc,IAAI,UAAU,CAAC;IAC3C,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,SAAS,GAAG,GAAG,GAAG,gBAAgB,CAAC;IAEzC,QAAQ,CAAC,cAAc,CAAC;QACtB,WAAW;QACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,MAAM;QACN,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,KAAK;QACL,SAAS;KACV,CAAC,CAAC;IAEH,OAAO;QACL,WAAW;QACX,SAAS,EAAE,qBAAqB,CAC9B,WAAW,EACX,GAAG,CAAC,QAAQ,EACZ,MAAM,EACN,GAAG,CAAC,OAAO,EACX,KAAK,EACL,SAAS,CACV;QACD,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,MAAM;QACN,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,KAAK;QACL,SAAS;QACT,QAAQ,EAAE,GAAG;KACd,CAAC;AACJ,CAAC;AAiBM,KAAK,UAAU,oBAAoB,CACxC,QAAwB,EACxB,GAAqB,EACrB,IAA4B,EAC5B,QAAyB,EACzB,WAAmB,EACnB,SAAiB;IAEjB,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IACrD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;IAClE,CAAC;IACD,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;QACnB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;IACrE,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC;QACtC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IAChE,CAAC;IAED,MAAM,OAAO,GAAG,qBAAqB,CACnC,SAAS,CAAC,YAAY,IAAI,WAAW,EACrC,SAAS,CAAC,SAAS,EACnB,SAAS,CAAC,MAAM,EAChB,SAAS,CAAC,QAAQ,EAClB,SAAS,CAAC,KAAK,EACf,SAAS,CAAC,UAAU,CACrB,CAAC;IAEF,IAAI,eAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,SAAS,CAAC,IAAI,eAAM,CAAC,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACzG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IAChE,CAAC;IAED,IAAI,YAAoB,CAAC;IACzB,IAAI,CAAC;QACH,YAAY,GAAG,IAAI,CAAC,cAAc;YAChC,CAAC,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC;YACvD,CAAC,CAAC,MAAM,IAAI,eAAM,CAAC,QAAQ,CACvB,SAAS,CAAC,MAAM,EAChB,6BAA6B,EAC7B,QAAQ,CACT,CAAC,KAAK,EAAY,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;IAC9D,CAAC;IAED,IAAI,eAAe,CAAC,WAAW,EAAE,KAAK,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC;QACjE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;IAC/D,CAAC;IAED,IAAI,YAAY,GAAa,EAAE,CAAC;IAChC,IAAI,CAAC;QACH,YAAY,GAAG,IAAI,CAAC,kBAAkB;YACpC,CAAC,CAAC,MAAM,IAAI,CAAC,kBAAkB,CAAC,eAAe,EAAE,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC;YACvE,CAAC,CAAC,MAAM,kBAAkB,CAAC,eAAe,EAAE,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IACD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC5F,YAAY,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,GAAG,YAAY,CAAC,CAAC;IACrD,CAAC;IAED,QAAQ,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,QAAQ,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;IAC3E,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAC3C,OAAO;QACL,EAAE,EAAE,IAAI;QACR,KAAK,EAAE,QAAQ;QACf,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,KAAK,EAAE,SAAS,CAAC,KAAK;QACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc;KACvC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,kBAAkB,CAC/B,YAAoB,EACpB,QAAyB,EACzB,OAAe;IAEf,iDAAiD;IACjD,gFAAgF;IAChF,MAAM,6BAA6B,GAAa;QAC9C,6CAA6C,EAAE,iCAAiC;KACjF,CAAC;IAEF,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,4EAA4E;QAC5E,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,YAAY,GAAG,IAAI,eAAM,CAAC,SAAS,CAAC,yBAAyC,CAAC,CAAC;IACrF,MAAM,aAAa,GAAG,YAAY,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,SAAS,CAAC;IACzE,MAAM,YAAY,GAAI,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,SAAS,CAAC;IAExE,iDAAiD;IACjD,MAAM,UAAU,GAAG,eAAM,CAAC,YAAY,CAAC,YAAY,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;IAEvE,KAAK,MAAM,WAAW,IAAI,6BAA6B,EAAE,CAAC;QACxD,IAAI,CAAC;YACH,oDAAoD;YACpD,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC;oBAClC,OAAO,EAAE,WAAW;oBACpB,MAAM,EAAE,CAAC,aAAa,EAAE,IAAI,EAAE,UAAU,CAAC;oBACzC,SAAS,EAAE,CAAC;oBACZ,OAAO,EAAE,QAAQ;iBAClB,CAAC,CAAC;gBACH,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;oBAC1C,IAAI,MAAM,EAAE,IAAI,CAAC,MAAM;wBAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAgB,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;YACD,0DAA0D;YAC1D,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC;oBAClC,OAAO,EAAE,WAAW;oBACpB,MAAM,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC;oBAClC,SAAS,EAAE,CAAC;oBACZ,OAAO,EAAE,QAAQ;iBAClB,CAAC,CAAC;gBACH,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;oBAC1C,IAAI,MAAM,EAAE,IAAI,CAAC,aAAa;wBAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAuB,CAAC,CAAC;gBACpF,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,uDAAuD;QACzD,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED,SAAgB,kBAAkB,CAChC,GAAY,EACZ,EAAqB,EACrB,GAAqB,EACrB,OAA+B,EAAE;IAEjC,MAAM,QAAQ,GAAG,IAAI,gCAAc,CAAC,EAAE,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,eAAM,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE7F,iFAAiF;IACjF,qEAAqE;IAErE,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAQ,EAAE;QAChE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,GAAG,CAAC,IAGtC,CAAC;QAEF,IAAI,CAAC,MAAM,IAAI,CAAC,eAAM,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC,CAAC;YACjE,OAAO;QACT,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,iFAAiF;IACjF,6DAA6D;IAE7D,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,GAAY,EAAE,GAAa,EAAQ,EAAE;QAC9D,KAAK,CAAC,KAAK,IAAI,EAAE;YACf,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,GAAG,CAAC,IAGtC,CAAC;YAEF,IAAI,CAAC,WAAW,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC/B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC,CAAC;gBACtE,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,oBAAoB,CACvC,QAAQ,EACR,GAAG,EACH,IAAI,EACJ,QAAQ,EACR,WAAW,EACX,SAAS,CACV,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;gBACf,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC,CAAC,EAAE,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,iFAAiF;IACjF,yEAAyE;IAEzE,GAAG,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC,GAAY,EAAE,GAAa,EAAQ,EAAE;QAC7D,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,UAAU,EAAE,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QAED,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACxC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/bundler.d.ts

@@ -0,0 +1,68 @@
+type Arc402Config = {
+    rpcUrl: string;
+};
+export declare const DEFAULT_ENTRY_POINT = "0x0000000071727De22E5E9d8BAf0edAc6f37da032";
+export declare const DEFAULT_BUNDLER_URL = "https://api.pimlico.io/v2/base/rpc";
+export type UserOperation = {
+    sender: string;
+    nonce: string;
+    callData: string;
+    callGasLimit: string;
+    verificationGasLimit: string;
+    preVerificationGas: string;
+    maxFeePerGas: string;
+    maxPriorityFeePerGas: string;
+    signature: string;
+    factory?: string;
+    factoryData?: string;
+    paymaster?: string;
+    paymasterData?: string;
+    paymasterVerificationGasLimit?: string;
+    paymasterPostOpGasLimit?: string;
+};
+export type GasEstimate = {
+    callGasLimit: string;
+    verificationGasLimit: string;
+    preVerificationGas: string;
+    paymasterVerificationGasLimit?: string;
+    paymasterPostOpGasLimit?: string;
+};
+export type UserOpReceipt = {
+    userOpHash: string;
+    entryPoint: string;
+    sender: string;
+    nonce: string;
+    success: boolean;
+    actualGasCost: string;
+    actualGasUsed: string;
+    logs: unknown[];
+    receipt: {
+        transactionHash: string;
+        blockNumber: string;
+        blockHash: string;
+        [key: string]: unknown;
+    };
+};
+export declare class BundlerClient {
+    private bundlerUrl;
+    private entryPointAddress;
+    private chainId;
+    constructor(bundlerUrl: string, entryPointAddress: string, chainId: number);
+    private rpc;
+    sendUserOperation(userOp: UserOperation): Promise<string>;
+    getUserOperationReceipt(userOpHash: string): Promise<UserOpReceipt>;
+    estimateUserOperationGas(userOp: Partial<UserOperation>): Promise<GasEstimate>;
+}
+export declare class PaymasterClient {
+    private paymasterUrl;
+    private cdpKeyName?;
+    private cdpPrivateKey?;
+    constructor(paymasterUrl: string, cdpKeyName?: string, cdpPrivateKey?: string);
+    private buildJwt;
+    private rpc;
+    sponsorUserOperation(userOp: Partial<UserOperation>, entryPoint: string): Promise<UserOperation>;
+}
+export declare function buildUserOp(callData: string, sender: string, nonce: bigint, config: Arc402Config): Promise<UserOperation>;
+export declare function buildSponsoredUserOp(callData: string, sender: string, nonce: bigint, config: Arc402Config, paymasterClient: PaymasterClient): Promise<UserOperation>;
+export {};
+//# sourceMappingURL=bundler.d.ts.map

package/dist/bundler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundler.d.ts","sourceRoot":"","sources":["../src/bundler.ts"],"names":[],"mappings":"AAGA,KAAK,YAAY,GAAG;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,eAAO,MAAM,mBAAmB,+CAA+C,CAAC;AAChF,eAAO,MAAM,mBAAmB,uCAAuC,CAAC;AAExE,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6BAA6B,CAAC,EAAE,MAAM,CAAC;IACvC,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,6BAA6B,CAAC,EAAE,MAAM,CAAC;IACvC,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,OAAO,EAAE,CAAC;IAChB,OAAO,EAAE;QACP,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;QACpB,SAAS,EAAE,MAAM,CAAC;QAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;CACH,CAAC;AAOF,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,OAAO,CAAS;gBAEZ,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;YAM5D,GAAG;IAgBX,iBAAiB,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;IAKzD,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAenE,wBAAwB,CAAC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;CAOrF;AAID,qBAAa,eAAe;IAC1B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC,aAAa,CAAC,CAAS;gBAEnB,YAAY,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM;YAM/D,QAAQ;YA6BR,GAAG;IAmBX,oBAAoB,CACxB,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,EAC9B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,CAAC;CAqB1B;AAID,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,YAAY,GACnB,OAAO,CAAC,aAAa,CAAC,CAkBxB;AAED,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,YAAY,EACpB,eAAe,EAAE,eAAe,GAC/B,OAAO,CAAC,aAAa,CAAC,CAGxB"}

package/dist/bundler.js

@@ -0,0 +1,181 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PaymasterClient = exports.BundlerClient = exports.DEFAULT_BUNDLER_URL = exports.DEFAULT_ENTRY_POINT = void 0;
+exports.buildUserOp = buildUserOp;
+exports.buildSponsoredUserOp = buildSponsoredUserOp;
+const ethers_1 = require("ethers");
+const crypto_1 = require("crypto");
+exports.DEFAULT_ENTRY_POINT = "0x0000000071727De22E5E9d8BAf0edAc6f37da032";
+exports.DEFAULT_BUNDLER_URL = "https://api.pimlico.io/v2/base/rpc";
+class BundlerClient {
+    constructor(bundlerUrl, entryPointAddress, chainId) {
+        this.bundlerUrl = bundlerUrl;
+        this.entryPointAddress = entryPointAddress;
+        this.chainId = chainId;
+    }
+    async rpc(method, params) {
+        const response = await fetch(this.bundlerUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params }),
+        });
+        if (!response.ok) {
+            throw new Error(`Bundler HTTP ${response.status}: ${response.statusText}`);
+        }
+        const json = (await response.json());
+        if (json.error) {
+            throw new Error(`Bundler RPC error [${json.error.code}]: ${json.error.message}`);
+        }
+        return json.result;
+    }
+    async sendUserOperation(userOp) {
+        const hash = await this.rpc("eth_sendUserOperation", [userOp, this.entryPointAddress]);
+        return hash;
+    }
+    async getUserOperationReceipt(userOpHash) {
+        const POLL_INTERVAL_MS = 2000;
+        const MAX_ATTEMPTS = 30;
+        for (let i = 0; i < MAX_ATTEMPTS; i++) {
+            const receipt = await this.rpc("eth_getUserOperationReceipt", [userOpHash]);
+            if (receipt !== null && receipt !== undefined) {
+                return receipt;
+            }
+            await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+        }
+        throw new Error(`UserOperation ${userOpHash} not confirmed after ${(MAX_ATTEMPTS * POLL_INTERVAL_MS) / 1000}s`);
+    }
+    async estimateUserOperationGas(userOp) {
+        const estimate = await this.rpc("eth_estimateUserOperationGas", [
+            userOp,
+            this.entryPointAddress,
+        ]);
+        return estimate;
+    }
+}
+exports.BundlerClient = BundlerClient;
+// ─── PaymasterClient ──────────────────────────────────────────────────────────
+class PaymasterClient {
+    constructor(paymasterUrl, cdpKeyName, cdpPrivateKey) {
+        this.paymasterUrl = paymasterUrl;
+        this.cdpKeyName = cdpKeyName;
+        this.cdpPrivateKey = cdpPrivateKey;
+    }
+    async buildJwt() {
+        if (!this.cdpKeyName || !this.cdpPrivateKey)
+            return null;
+        const { SignJWT, importPKCS8 } = await Promise.resolve().then(() => __importStar(require("jose")));
+        // Convert SEC1 base64 DER or SEC1 PEM → PKCS8 PEM using Node's crypto module
+        let pkcs8Pem;
+        if (this.cdpPrivateKey.includes("-----BEGIN")) {
+            if (this.cdpPrivateKey.includes("EC PRIVATE KEY")) {
+                const key = (0, crypto_1.createPrivateKey)({ key: this.cdpPrivateKey, format: "pem", type: "sec1" });
+                pkcs8Pem = key.export({ format: "pem", type: "pkcs8" });
+            }
+            else {
+                pkcs8Pem = this.cdpPrivateKey;
+            }
+        }
+        else {
+            const der = Buffer.from(this.cdpPrivateKey, "base64");
+            const key = (0, crypto_1.createPrivateKey)({ key: der, format: "der", type: "sec1" });
+            pkcs8Pem = key.export({ format: "pem", type: "pkcs8" });
+        }
+        const privateKey = await importPKCS8(pkcs8Pem, "ES256");
+        const now = Math.floor(Date.now() / 1000);
+        return new SignJWT({ sub: this.cdpKeyName })
+            .setProtectedHeader({ alg: "ES256", kid: this.cdpKeyName })
+            .setIssuer(this.cdpKeyName)
+            .setNotBefore(now)
+            .setExpirationTime(now + 120)
+            .sign(privateKey);
+    }
+    async rpc(method, params) {
+        const jwt = await this.buildJwt();
+        const headers = { "Content-Type": "application/json" };
+        if (jwt)
+            headers["Authorization"] = `Bearer ${jwt}`;
+        const response = await fetch(this.paymasterUrl, {
+            method: "POST",
+            headers,
+            body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params }),
+        });
+        if (!response.ok) {
+            throw new Error(`Paymaster HTTP ${response.status}: ${response.statusText}`);
+        }
+        const json = (await response.json());
+        if (json.error) {
+            throw new Error(`Paymaster RPC error [${json.error.code}]: ${json.error.message}`);
+        }
+        return json.result;
+    }
+    async sponsorUserOperation(userOp, entryPoint) {
+        const result = (await this.rpc("pm_sponsorUserOperation", [userOp, entryPoint, {}]));
+        return {
+            ...userOp,
+            paymaster: result.paymaster,
+            paymasterData: result.paymasterData,
+            paymasterVerificationGasLimit: result.paymasterVerificationGasLimit,
+            paymasterPostOpGasLimit: result.paymasterPostOpGasLimit,
+            ...(result.callGasLimit && { callGasLimit: result.callGasLimit }),
+            ...(result.verificationGasLimit && { verificationGasLimit: result.verificationGasLimit }),
+            ...(result.preVerificationGas && { preVerificationGas: result.preVerificationGas }),
+        };
+    }
+}
+exports.PaymasterClient = PaymasterClient;
+// ─── buildUserOp / buildSponsoredUserOp ───────────────────────────────────────
+async function buildUserOp(callData, sender, nonce, config) {
+    const provider = new ethers_1.ethers.JsonRpcProvider(config.rpcUrl);
+    const feeData = await provider.getFeeData();
+    const maxFeePerGas = feeData.maxFeePerGas ?? BigInt(1000000000);
+    const maxPriorityFeePerGas = feeData.maxPriorityFeePerGas ?? BigInt(100000000);
+    return {
+        sender,
+        nonce: ethers_1.ethers.toBeHex(nonce),
+        callData,
+        callGasLimit: ethers_1.ethers.toBeHex(300000),
+        verificationGasLimit: ethers_1.ethers.toBeHex(150000),
+        preVerificationGas: ethers_1.ethers.toBeHex(50000),
+        maxFeePerGas: ethers_1.ethers.toBeHex(maxFeePerGas),
+        maxPriorityFeePerGas: ethers_1.ethers.toBeHex(maxPriorityFeePerGas),
+        signature: "0x",
+    };
+}
+async function buildSponsoredUserOp(callData, sender, nonce, config, paymasterClient) {
+    const userOp = await buildUserOp(callData, sender, nonce, config);
+    return paymasterClient.sponsorUserOperation(userOp, exports.DEFAULT_ENTRY_POINT);
+}
+//# sourceMappingURL=bundler.js.map

package/dist/bundler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundler.js","sourceRoot":"","sources":["../src/bundler.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyMA,kCAuBC;AAED,oDASC;AA3OD,mCAAgC;AAChC,mCAA0C;AAI7B,QAAA,mBAAmB,GAAG,4CAA4C,CAAC;AACnE,QAAA,mBAAmB,GAAG,oCAAoC,CAAC;AAkDxE,MAAa,aAAa;IAKxB,YAAY,UAAkB,EAAE,iBAAyB,EAAE,OAAe;QACxE,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;QAC3C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAEO,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,MAAiB;QACjD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;SAChE,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,gBAAgB,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QAC7E,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAC;QACpD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACnF,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,MAAqB;QAC3C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,uBAAuB,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACvF,OAAO,IAAc,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,UAAkB;QAC9C,MAAM,gBAAgB,GAAG,IAAI,CAAC;QAC9B,MAAM,YAAY,GAAG,EAAE,CAAC;QACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;YAC5E,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;gBAC9C,OAAO,OAAwB,CAAC;YAClC,CAAC;YACD,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC;QAC9E,CAAC;QACD,MAAM,IAAI,KAAK,CACb,iBAAiB,UAAU,wBAAwB,CAAC,YAAY,GAAG,gBAAgB,CAAC,GAAG,IAAI,GAAG,CAC/F,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,MAA8B;QAC3D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,8BAA8B,EAAE;YAC9D,MAAM;YACN,IAAI,CAAC,iBAAiB;SACvB,CAAC,CAAC;QACH,OAAO,QAAuB,CAAC;IACjC,CAAC;CACF;AAtDD,sCAsDC;AAED,iFAAiF;AAEjF,MAAa,eAAe;IAK1B,YAAY,YAAoB,EAAE,UAAmB,EAAE,aAAsB;QAC3E,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAEO,KAAK,CAAC,QAAQ;QACpB,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QACzD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,wDAAa,MAAM,GAAC,CAAC;QAEtD,6EAA6E;QAC7E,IAAI,QAAgB,CAAC;QACrB,IAAI,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9C,IAAI,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAClD,MAAM,GAAG,GAAG,IAAA,yBAAgB,EAAC,EAAE,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;gBACvF,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAW,CAAC;YACpE,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC;YAChC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,IAAA,yBAAgB,EAAC,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YACxE,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAW,CAAC;QACpE,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,OAAO,IAAI,OAAO,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;aACzC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;aAC1D,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC;aAC1B,YAAY,CAAC,GAAG,CAAC;aACjB,iBAAiB,CAAC,GAAG,GAAG,GAAG,CAAC;aAC5B,IAAI,CAAC,UAAU,CAAC,CAAC;IACtB,CAAC;IAEO,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,MAAiB;QACjD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClC,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QAC/E,IAAI,GAAG;YAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,GAAG,EAAE,CAAC;QACpD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;SAChE,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,kBAAkB,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAoE,CAAC;QACxG,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrF,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,MAA8B,EAC9B,UAAkB;QAElB,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,yBAAyB,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC,CAQlF,CAAC;QACF,OAAO;YACL,GAAI,MAAwB;YAC5B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,6BAA6B,EAAE,MAAM,CAAC,6BAA6B;YACnE,uBAAuB,EAAE,MAAM,CAAC,uBAAuB;YACvD,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;YACjE,GAAG,CAAC,MAAM,CAAC,oBAAoB,IAAI,EAAE,oBAAoB,EAAE,MAAM,CAAC,oBAAoB,EAAE,CAAC;YACzF,GAAG,CAAC,MAAM,CAAC,kBAAkB,IAAI,EAAE,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,EAAE,CAAC;SACpF,CAAC;IACJ,CAAC;CACF;AAnFD,0CAmFC;AAED,iFAAiF;AAE1E,KAAK,UAAU,WAAW,CAC/B,QAAgB,EAChB,MAAc,EACd,KAAa,EACb,MAAoB;IAEpB,MAAM,QAAQ,GAAG,IAAI,eAAM,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;IAE5C,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,MAAM,CAAC,UAAa,CAAC,CAAC;IACnE,MAAM,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,IAAI,MAAM,CAAC,SAAW,CAAC,CAAC;IAEjF,OAAO;QACL,MAAM;QACN,KAAK,EAAE,eAAM,CAAC,OAAO,CAAC,KAAK,CAAC;QAC5B,QAAQ;QACR,YAAY,EAAE,eAAM,CAAC,OAAO,CAAC,MAAO,CAAC;QACrC,oBAAoB,EAAE,eAAM,CAAC,OAAO,CAAC,MAAO,CAAC;QAC7C,kBAAkB,EAAE,eAAM,CAAC,OAAO,CAAC,KAAM,CAAC;QAC1C,YAAY,EAAE,eAAM,CAAC,OAAO,CAAC,YAAY,CAAC;QAC1C,oBAAoB,EAAE,eAAM,CAAC,OAAO,CAAC,oBAAoB,CAAC;QAC1D,SAAS,EAAE,IAAI;KAChB,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,oBAAoB,CACxC,QAAgB,EAChB,MAAc,EACd,KAAa,EACb,MAAoB,EACpB,eAAgC;IAEhC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAClE,OAAO,eAAe,CAAC,oBAAoB,CAAC,MAAM,EAAE,2BAAmB,CAAC,CAAC;AAC3E,CAAC"}

package/dist/capabilities.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Capability maps — session token access control.
+ * Spec 46 §16 Pattern 3.
+ *
+ * SESSION_CAPABILITIES: what a session token MAY trigger.
+ * SESSION_FORBIDDEN: never executes via session token, ever.
+ *
+ * Hardcoded — not configurable at runtime. Policy changes require daemon rebuild.
+ */
+export declare const SESSION_CAPABILITIES: Set<string>;
+export declare const SESSION_FORBIDDEN: Set<string>;
+/**
+ * Check whether a capability is permitted for session token use.
+ * Returns true if allowed, false if forbidden or not in the capability set.
+ */
+export declare function isCapabilityAllowed(capability: string): boolean;
+//# sourceMappingURL=capabilities.d.ts.map

package/dist/capabilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities.d.ts","sourceRoot":"","sources":["../src/capabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,eAAO,MAAM,oBAAoB,aAe/B,CAAC;AAGH,eAAO,MAAM,iBAAiB,aAU5B,CAAC;AAEH;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAM/D"}

package/dist/capabilities.js

@@ -0,0 +1,57 @@
+"use strict";
+/**
+ * Capability maps — session token access control.
+ * Spec 46 §16 Pattern 3.
+ *
+ * SESSION_CAPABILITIES: what a session token MAY trigger.
+ * SESSION_FORBIDDEN: never executes via session token, ever.
+ *
+ * Hardcoded — not configurable at runtime. Policy changes require daemon rebuild.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SESSION_FORBIDDEN = exports.SESSION_CAPABILITIES = void 0;
+exports.isCapabilityAllowed = isCapabilityAllowed;
+// Capabilities a session token MAY trigger
+exports.SESSION_CAPABILITIES = new Set([
+    "wallet.read",
+    "agreement.read",
+    "agreement.propose",
+    "agreement.accept",
+    "agreement.deliver",
+    "agreement.verify",
+    "compute.propose",
+    "compute.end",
+    "subscribe",
+    "arena.*",
+    "workroom.status",
+    "userop.simulate",
+    "userop.execute", // routes to signer; PolicyEngine bounds apply
+    "session.revoke:self",
+]);
+// These NEVER execute via session token — ever
+exports.SESSION_FORBIDDEN = new Set([
+    "wallet.setGuardian",
+    "wallet.setMachineKey",
+    "wallet.authorizeMachineKey",
+    "policy.setSpendLimit",
+    "daemon.exportKey",
+    "daemon.readSecrets",
+    "daemon.shell",
+    "daemon.restart", // local admin only
+    "daemon.config.write",
+]);
+/**
+ * Check whether a capability is permitted for session token use.
+ * Returns true if allowed, false if forbidden or not in the capability set.
+ */
+function isCapabilityAllowed(capability) {
+    if (exports.SESSION_FORBIDDEN.has(capability))
+        return false;
+    if (exports.SESSION_CAPABILITIES.has(capability))
+        return true;
+    // arena.* wildcard: allow any capability starting with "arena."
+    if (capability.startsWith("arena."))
+        return true;
+    return false;
+}
+//# sourceMappingURL=capabilities.js.map

package/dist/capabilities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../src/capabilities.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAqCH,kDAMC;AAzCD,2CAA2C;AAC9B,QAAA,oBAAoB,GAAG,IAAI,GAAG,CAAC;IAC1C,aAAa;IACb,gBAAgB;IAChB,mBAAmB;IACnB,kBAAkB;IAClB,mBAAmB;IACnB,kBAAkB;IAClB,iBAAiB;IACjB,aAAa;IACb,WAAW;IACX,SAAS;IACT,iBAAiB;IACjB,iBAAiB;IACjB,gBAAgB,EAAW,8CAA8C;IACzE,qBAAqB;CACtB,CAAC,CAAC;AAEH,+CAA+C;AAClC,QAAA,iBAAiB,GAAG,IAAI,GAAG,CAAC;IACvC,oBAAoB;IACpB,sBAAsB;IACtB,4BAA4B;IAC5B,sBAAsB;IACtB,kBAAkB;IAClB,oBAAoB;IACpB,cAAc;IACd,gBAAgB,EAAW,mBAAmB;IAC9C,qBAAqB;CACtB,CAAC,CAAC;AAEH;;;GAGG;AACH,SAAgB,mBAAmB,CAAC,UAAkB;IACpD,IAAI,yBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IACpD,IAAI,4BAAoB,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,gEAAgE;IAChE,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,OAAO,KAAK,CAAC;AACf,CAAC"}