@arkade-os/sdk 0.4.23 → 0.4.24

package/dist/cjs/wallet/wallet.js

@@ -37,8 +37,9 @@ const delegator_1 = require("./delegator");
 const repositories_1 = require("../repositories");
 const contractManager_1 = require("../contracts/contractManager");
 const handlers_1 = require("../contracts/handlers");
-const helpers_1 = require("../contracts/handlers/helpers");
+const timelock_1 = require("../utils/timelock");
 const syncCursors_1 = require("../utils/syncCursors");
+const vtxoOwnership_1 = require("../contracts/vtxoOwnership");
 const getArkadeServerUrl = ({ arkServerUrl, }) => arkServerUrl || _1.DEFAULT_ARKADE_SERVER_URL;
 exports.getArkadeServerUrl = getArkadeServerUrl;
 // Historical unilateral exit delay for mainnet (~7 days in seconds).
@@ -55,7 +56,7 @@ function dedupeTimelocks(timelocks) {
     const seen = new Set();
     const deduped = [];
     for (const timelock of timelocks) {
-        const sequence = (0, helpers_1.timelockToSequence)(timelock).toString();
+        const sequence = (0, timelock_1.timelockToSequence)(timelock).toString();
         if (seen.has(sequence))
             continue;
         seen.add(sequence);
@@ -648,7 +649,7 @@ class ReadonlyWallet {
             watcherConfig: this.watcherConfig,
         });
         for (const csvTimelock of this.walletContractTimelocks) {
-            const csvTimelockStr = (0, helpers_1.timelockToSequence)(csvTimelock).toString();
+            const csvTimelockStr = (0, timelock_1.timelockToSequence)(csvTimelock).toString();
             const defaultScript = new default_1.DefaultVtxo.Script({
                 pubKey: this.offchainTapscript.options.pubKey,
                 serverPubKey: this.offchainTapscript.options.serverPubKey,
@@ -1830,7 +1831,7 @@ class Wallet extends ReadonlyWallet {
                 }
             }
             const createdAt = Date.now();
-            const addr = this.arkAddress.encode();
+            const primaryAddr = this.arkAddress.encode();
             // Only save a change virtual output for preconfirmed coins (those with a batchExpiry).
             // Inputs without a batchExpiry are already settled/unrolled and don't need tracking.
             let changeVtxo;
@@ -1857,8 +1858,45 @@ class Wallet extends ReadonlyWallet {
                     script: base_1.hex.encode(this.offchainTapscript.pkScript),
                 };
             }
-            await this.walletRepository.saveVtxos(addr, changeVtxo ? [...spentVtxos, changeVtxo] : spentVtxos);
-            await this.walletRepository.saveTransactions(addr, [
+            // Route spent rows to their owning contract bucket. The wallet's
+            // primary contract is registered with the manager at boot, so
+            // `addrByScript` already includes it; in a multi-contract spend
+            // each input may belong to a different contract.
+            const contracts = await cm.getContracts();
+            const addrByScript = new Map(contracts.map((c) => [c.script, c.address]));
+            const spentByScript = new Map();
+            for (const v of spentVtxos) {
+                if (!v.script) {
+                    throw new Error(`Wallet.updateDbAfterOffchainTx: spent VTXO ${v.txid}:${v.vout} has no script`);
+                }
+                const arr = spentByScript.get(v.script) ?? [];
+                arr.push(v);
+                spentByScript.set(v.script, arr);
+            }
+            const byAddress = new Map();
+            for (const [script, vtxos] of spentByScript) {
+                // User-initiated send path: a wrong-script row here means the
+                // wallet is about to record ownership against the wrong
+                // contract — fail loudly rather than persist inconsistent state.
+                (0, vtxoOwnership_1.validateVtxosForScript)(vtxos, script, "Wallet.updateDbAfterOffchainTx");
+                const targetAddr = addrByScript.get(script);
+                if (!targetAddr) {
+                    throw new Error(`Wallet.updateDbAfterOffchainTx: no contract owns script ${script}`);
+                }
+                const bucket = byAddress.get(targetAddr) ?? [];
+                bucket.push(...vtxos);
+                byAddress.set(targetAddr, bucket);
+            }
+            // Change is always primary-script by construction.
+            if (changeVtxo) {
+                const bucket = byAddress.get(primaryAddr) ?? [];
+                bucket.push(changeVtxo);
+                byAddress.set(primaryAddr, bucket);
+            }
+            for (const [addr, vtxos] of byAddress) {
+                await this.walletRepository.saveVtxos(addr, vtxos);
+            }
+            await this.walletRepository.saveTransactions(primaryAddr, [
                 {
                     key: {
                         boardingTxid: "",
@@ -1874,12 +1912,12 @@ class Wallet extends ReadonlyWallet {
         }
         catch (e) {
             console.warn("error saving offchain tx to repository", e);
+            throw e;
         }
     }
     // mark virtual outputs as spent/settled, remove boarding inputs
     async updateDbAfterSettle(inputs, commitmentTxid) {
         try {
-            const addr = this.arkAddress.encode();
             const boardingAddress = await this.getBoardingAddress();
             const spentVtxos = [];
             const inputArkTxIds = new Set();
@@ -1912,7 +1950,38 @@ class Wallet extends ReadonlyWallet {
                 }
             }
             if (spentVtxos.length > 0) {
-                await this.walletRepository.saveVtxos(addr, spentVtxos);
+                // Route settled rows to their owning contract bucket. In a
+                // multi-contract settle the inputs may belong to several
+                // contracts; the wallet's primary contract is registered with
+                // the manager at boot, so its address is in `addrByScript`
+                // alongside the rest.
+                const contracts = await cm.getContracts();
+                const addrByScript = new Map(contracts.map((c) => [c.script, c.address]));
+                const byAddress = new Map();
+                const byScript = new Map();
+                for (const v of spentVtxos) {
+                    if (!v.script) {
+                        throw new Error(`Wallet.updateDbAfterSettle: spent VTXO ${v.txid}:${v.vout} has no script`);
+                    }
+                    const arr = byScript.get(v.script) ?? [];
+                    arr.push(v);
+                    byScript.set(v.script, arr);
+                }
+                for (const [script, vtxos] of byScript) {
+                    // User-initiated settle path: refuse to record a settle
+                    // against the wrong script.
+                    (0, vtxoOwnership_1.validateVtxosForScript)(vtxos, script, "Wallet.updateDbAfterSettle");
+                    const targetAddr = addrByScript.get(script);
+                    if (!targetAddr) {
+                        throw new Error(`Wallet.updateDbAfterSettle: no contract owns script ${script}`);
+                    }
+                    const bucket = byAddress.get(targetAddr) ?? [];
+                    bucket.push(...vtxos);
+                    byAddress.set(targetAddr, bucket);
+                }
+                for (const [bucketAddr, vtxos] of byAddress) {
+                    await this.walletRepository.saveVtxos(bucketAddr, vtxos);
+                }
             }
             if (boardingUtxoToRemove.size > 0) {
                 const currentUtxos = await this.walletRepository.getUtxos(boardingAddress);
@@ -1926,6 +1995,7 @@ class Wallet extends ReadonlyWallet {
         }
         catch (e) {
             console.warn("error updating repository after settle", e);
+            throw e;
         }
     }
 }

package/dist/cjs/worker/expo/processors/contractPollProcessor.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.contractPollProcessor = exports.CONTRACT_POLL_TASK_TYPE = void 0;
+const vtxoOwnership_1 = require("../../../contracts/vtxoOwnership");
 exports.CONTRACT_POLL_TASK_TYPE = "contract-poll";
 /**
  * Polls the indexer for the latest VTXO state of every contract and
@@ -43,8 +44,12 @@ exports.contractPollProcessor = {
                 hasMore = page ? vtxos.length === pageSize : false;
                 pageIndex++;
             }
-            await walletRepository.saveVtxos(contract.address, allVtxos);
-            vtxosSaved += allVtxos.length;
+            // Skip wrong-script rows (legacy duplicates or indexer drift)
+            // before persisting; the loop must keep going for the remaining
+            // contracts even when one row is rejected.
+            const filtered = (0, vtxoOwnership_1.warnAndFilterVtxosForScript)(allVtxos, contract.script, "contractPollProcessor");
+            await walletRepository.saveVtxos(contract.address, filtered);
+            vtxosSaved += filtered.length;
             contractsProcessed++;
         }
         return {

package/dist/esm/contracts/contractManager.js

@@ -3,6 +3,7 @@ import { ContractWatcher } from './contractWatcher.js';
 import { contractHandlers } from './handlers/index.js';
 import { extendVirtualCoinForContract } from '../wallet/utils.js';
 import { advanceSyncCursor, computeSyncWindow, cursorCutoff, getSyncCursor, } from '../utils/syncCursors.js';
+import { filterVtxosForScript, warnAndFilterVtxosForScript, } from './vtxoOwnership.js';
 const DEFAULT_PAGE_SIZE = 500;
 /**
  * Central manager for contract lifecycle and operations.
@@ -354,9 +355,19 @@ export class ContractManager {
         const contracts = opts?.scripts
             ? await this.getContracts({ script: opts.scripts })
             : undefined;
+        // Only forward an explicit window when the caller supplied one. An
+        // empty `{ after: undefined, before: undefined }` would short-circuit
+        // both the cursor-derived `?after=` query in `syncContracts` (because
+        // `??` doesn't fire on a non-nullish object) AND the cursor-advance
+        // gate (which requires `options.window === undefined`), turning every
+        // `refreshVtxos()` call into an unbounded full re-scan whose cursor
+        // never moves forward.
+        const hasExplicitWindow = opts?.after !== undefined || opts?.before !== undefined;
         await this.syncContracts({
             contracts,
-            window: { after: opts?.after, before: opts?.before },
+            window: hasExplicitWindow
+                ? { after: opts?.after, before: opts?.before }
+                : undefined,
         });
     }
     /**
@@ -399,7 +410,11 @@ export class ContractManager {
         this.emitEvent(event);
     }
     async getVtxosForContracts(contracts) {
-        const res = await Promise.all(contracts.map(({ script, address }) => this.config.walletRepository.getVtxos(address).then((vtxos) => vtxos.map((vtxo) => ({
+        const res = await Promise.all(contracts.map(({ script, address }) => this.config.walletRepository.getVtxos(address).then((vtxos) => 
+        // Address buckets may carry legacy duplicate rows from
+        // other contracts that once shared the same address —
+        // gate by script so the wrong-script row never wins.
+        filterVtxosForScript(vtxos, script).map((vtxo) => ({
             ...vtxo,
             contractScript: script,
         })))));
@@ -467,7 +482,14 @@ export class ContractManager {
             });
         }
         for (const [addr, contractVtxos] of byContract) {
-            await this.config.walletRepository.saveVtxos(addr, contractVtxos);
+            // The bucket is keyed by contract address, so the script filter
+            // here is the same as the contract's. Skip wrong-script rows
+            // rather than crash the reconcile loop.
+            const contract = contracts.find((c) => c.address === addr);
+            const filtered = warnAndFilterVtxosForScript(contractVtxos, contract.script, "ContractManager.reconcilePendingFrontier");
+            if (filtered.length === 0)
+                continue;
+            await this.config.walletRepository.saveVtxos(addr, filtered);
         }
     }
     async fetchContractVxosFromIndexer(contracts, pageSize, syncWindow) {
@@ -477,7 +499,10 @@ export class ContractManager {
             result.set(contractScript, vtxos);
             const contract = contracts.find((c) => c.script === contractScript);
             if (contract) {
-                await this.config.walletRepository.saveVtxos(contract.address, vtxos);
+                const filtered = warnAndFilterVtxosForScript(vtxos, contract.script, "ContractManager.fetchContractVxosFromIndexer");
+                if (filtered.length === 0)
+                    continue;
+                await this.config.walletRepository.saveVtxos(contract.address, filtered);
             }
         }
         return result;

package/dist/esm/contracts/contractWatcher.js

@@ -1,5 +1,6 @@
 import { extendVirtualCoinForContract } from '../wallet/utils.js';
 import { isEventSourceError } from '../providers/utils.js';
+import { filterVtxosForScript } from './vtxoOwnership.js';
 /**
  * Watches multiple contracts for virtual output state changes with resilient connection handling.
  *
@@ -87,7 +88,10 @@ export class ContractWatcher {
      */
     async seedLastKnownVtxos(state) {
         try {
-            const cached = await this.config.walletRepository.getVtxos(state.contract.address);
+            // Apply the same script gate used by getContractVtxos so a legacy
+            // wrong-script row in the address bucket can't seed the baseline
+            // and then look "spent" on the first poll.
+            const cached = filterVtxosForScript(await this.config.walletRepository.getVtxos(state.contract.address), state.contract.script);
             for (const vtxo of cached) {
                 if (vtxo.isSpent)
                     continue;
@@ -166,8 +170,10 @@ export class ContractWatcher {
             return true;
         })
             .map(async (state) => {
-            // Use contract address as cache key
-            const cached = await repo.getVtxos(state.contract.address);
+            // Use contract address as cache key. Legacy address buckets
+            // can contain rows from other contracts; gate by script before
+            // converting so a wrong-script row never reaches the watcher.
+            const cached = filterVtxosForScript(await repo.getVtxos(state.contract.address), state.contract.script);
             if (cached.length > 0) {
                 // Convert to ContractVtxo with contractScript
                 const contractVtxos = cached.map((v) => ({

package/dist/esm/contracts/handlers/default.js

@@ -1,6 +1,7 @@
 import { hex } from "@scure/base";
 import { DefaultVtxo } from '../../script/default.js';
-import { isCsvSpendable, sequenceToTimelock, timelockToSequence, } from './helpers.js';
+import { isCsvSpendable } from './helpers.js';
+import { sequenceToTimelock, timelockToSequence } from '../../utils/timelock.js';
 import { normalizeToDescriptor, extractPubKey, } from '../../identity/descriptor.js';
 /**
  * Extract pubkey bytes from a descriptor or hex string.

package/dist/esm/contracts/handlers/delegate.js

@@ -1,7 +1,8 @@
 import { hex } from "@scure/base";
 import { DelegateVtxo } from '../../script/delegate.js';
 import { DefaultVtxo } from '../../script/default.js';
-import { isCsvSpendable, sequenceToTimelock, timelockToSequence, } from './helpers.js';
+import { isCsvSpendable } from './helpers.js';
+import { sequenceToTimelock, timelockToSequence } from '../../utils/timelock.js';
 /**
  * Handler for delegate wallet virtual outputs.
  *

package/dist/esm/contracts/handlers/helpers.js

@@ -1,4 +1,4 @@
-import * as bip68 from "bip68";
+import { sequenceToTimelock } from '../../utils/timelock.js';
 import { isDescriptor, extractPubKey } from '../../identity/descriptor.js';
 /**
  * Extract raw hex pubkey from a value that may be a descriptor or raw hex.
@@ -16,27 +16,6 @@ function extractRawPubKey(value) {
         return undefined;
     }
 }
-/**
- * Convert RelativeTimelock to BIP68 sequence number.
- */
-export function timelockToSequence(timelock) {
-    return bip68.encode(timelock.type === "blocks"
-        ? { blocks: Number(timelock.value) }
-        : { seconds: Number(timelock.value) });
-}
-/**
- * Convert BIP68 sequence number back to RelativeTimelock.
- */
-export function sequenceToTimelock(sequence) {
-    const decoded = bip68.decode(sequence);
-    if ("blocks" in decoded && decoded.blocks !== undefined) {
-        return { type: "blocks", value: BigInt(decoded.blocks) };
-    }
-    if ("seconds" in decoded && decoded.seconds !== undefined) {
-        return { type: "seconds", value: BigInt(decoded.seconds) };
-    }
-    throw new Error(`Invalid BIP68 sequence: ${sequence}`);
-}
 /**
  * Resolve wallet's role from explicit role or by matching descriptor/pubkey.
  */

package/dist/esm/contracts/handlers/vhtlc.js

@@ -1,6 +1,7 @@
 import { hex } from "@scure/base";
 import { VHTLC } from '../../script/vhtlc.js';
-import { isCltvSatisfied, isCsvSpendable, resolveRole, sequenceToTimelock, timelockToSequence, } from './helpers.js';
+import { isCltvSatisfied, isCsvSpendable, resolveRole } from './helpers.js';
+import { sequenceToTimelock, timelockToSequence } from '../../utils/timelock.js';
 /**
  * Handler for Virtual Hash Time Lock Contract (VHTLC).
  *

package/dist/esm/contracts/vtxoOwnership.js

@@ -0,0 +1,53 @@
+/**
+ * Tier 1 helpers that enforce VTXO ownership at call sites that already know
+ * the intended contract script. Address-keyed repositories may still hand back
+ * legacy duplicate rows under the wrong bucket; these helpers gate reads and
+ * writes so a wrong-script row never wins.
+ *
+ * `script` is the authoritative ownership key. Equality is strict: a missing
+ * or empty `vtxo.script` never matches.
+ */
+export function vtxoOutpoint(vtxo) {
+    return `${vtxo.txid}:${vtxo.vout}`;
+}
+export function isVtxoForScript(vtxo, script) {
+    return !!vtxo.script && vtxo.script === script;
+}
+export function filterVtxosForScript(vtxos, script) {
+    return vtxos.filter((v) => isVtxoForScript(v, script));
+}
+/**
+ * Background/indexer sync flavour: drop wrong-script rows and log enough
+ * context to identify each rejection. Returns only matching rows so the
+ * caller can keep going.
+ */
+export function warnAndFilterVtxosForScript(vtxos, script, context) {
+    const matches = [];
+    const rejected = [];
+    for (const v of vtxos) {
+        if (isVtxoForScript(v, script)) {
+            matches.push(v);
+        }
+        else {
+            rejected.push(`${vtxoOutpoint(v)}(script=${v.script ?? ""})`);
+        }
+    }
+    if (rejected.length > 0) {
+        console.warn(`${context}: dropped ${rejected.length} wrong-script VTXO(s) for script ${script}: ${rejected.join(", ")}`);
+    }
+    return matches;
+}
+/**
+ * User-initiated transaction/signing flavour: throw before persisting or
+ * signing inconsistent ownership state. Silently skipping here would hide a
+ * serious bug in the wallet's spend path.
+ */
+export function validateVtxosForScript(vtxos, script, context) {
+    const mismatches = vtxos.filter((v) => !isVtxoForScript(v, script));
+    if (mismatches.length === 0)
+        return;
+    const detail = mismatches
+        .map((v) => `${vtxoOutpoint(v)}(script=${v.script ?? ""})`)
+        .join(", ");
+    throw new Error(`${context}: refusing to persist ${mismatches.length} VTXO(s) whose script does not match ${script}: ${detail}`);
+}

package/dist/esm/index.js

@@ -42,7 +42,7 @@ export * from './arkfee/index.js';
 export * as asset from './extension/asset/index.js';
 // Contracts
 import { ContractManager, ContractWatcher, contractHandlers, DefaultContractHandler, DelegateContractHandler, VHTLCContractHandler, encodeArkContract, decodeArkContract, contractFromArkContract, contractFromArkContractWithAddress, isArkContract, } from './contracts/index.js';
-import { timelockToSequence, sequenceToTimelock, } from './contracts/handlers/helpers.js';
+import { timelockToSequence, sequenceToTimelock } from './utils/timelock.js';
 import { closeDatabase, openDatabase } from './repositories/indexedDB/manager.js';
 import { WalletMessageHandler, WalletNotInitializedError, ReadonlyWalletError, DelegatorNotConfiguredError, } from './wallet/serviceWorker/wallet-message-handler.js';
 import { MESSAGE_BUS_NOT_INITIALIZED, MessageBusNotInitializedError, ServiceWorkerTimeoutError, } from './worker/errors.js';

package/dist/esm/script/base.js

@@ -1,9 +1,9 @@
 import { Script, Address, p2tr, taprootListToTree, TAPROOT_UNSPENDABLE_KEY, } from "@scure/btc-signer";
-import * as bip68 from "bip68";
 import { TAP_LEAF_VERSION } from "@scure/btc-signer/payment.js";
 import { PSBTOutput } from "@scure/btc-signer/psbt.js";
 import { hex } from "@scure/base";
 import { ArkAddress } from './address.js';
+import { timelockToSequence } from '../utils/timelock.js';
 import { CLTVMultisigTapscript, ConditionCSVMultisigTapscript, CSVMultisigTapscript, } from './tapscript.js';
 export const TapTreeCoder = PSBTOutput.tapTree[2];
 export function scriptFromTapLeafScript(leaf) {
@@ -125,19 +125,19 @@ export class VtxoScript {
         const paths = [];
         for (const leaf of this.leaves) {
             try {
-                const tapscript = CSVMultisigTapscript.decode(scriptFromTapLeafScript(leaf));
-                paths.push(tapscript);
-                continue;
-            }
-            catch (e) {
-                try {
-                    const tapscript = ConditionCSVMultisigTapscript.decode(scriptFromTapLeafScript(leaf));
-                    paths.push(tapscript);
+                const script = scriptFromTapLeafScript(leaf);
+                if (CSVMultisigTapscript.isScriptValid(script) === true) {
+                    const tapScript = CSVMultisigTapscript.decode(script);
+                    paths.push(tapScript);
                 }
-                catch (e) {
-                    continue;
+                else if (ConditionCSVMultisigTapscript.isScriptValid(script) === true) {
+                    const tapScript = ConditionCSVMultisigTapscript.decode(script);
+                    paths.push(tapScript);
                 }
             }
+            catch (e) {
+                console.debug("Failed to decode script", e);
+            }
         }
         return paths;
     }
@@ -167,9 +167,7 @@ export function getSequence(tapLeafScript) {
         const script = scriptWithLeafVersion.subarray(0, scriptWithLeafVersion.length - 1);
         try {
             const params = CSVMultisigTapscript.decode(script).params;
-            sequence = bip68.encode(params.timelock.type === "blocks"
-                ? { blocks: Number(params.timelock.value) }
-                : { seconds: Number(params.timelock.value) });
+            sequence = timelockToSequence(params.timelock);
         }
         catch {
             const params = CLTVMultisigTapscript.decode(script).params;