@bounded-sh/core 0.0.18 → 0.0.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -5,9 +5,8 @@ export type InvokeOptions = {
5
5
  headers?: Record<string, string>;
6
6
  /**
7
7
  * @internal Auth override. The server `WalletClient.invoke` sets this so the
8
- * call authenticates as that wallet's session instead of the ambient
9
- * `BOUNDED_PRIVATE_KEY` keypair (which would otherwise throw when unset). App
10
- * code never sets this.
8
+ * call authenticates as that wallet's explicit session. App code never sets
9
+ * this, and there is no process-global server signer fallback.
11
10
  */
12
11
  _overrides?: {
13
12
  _getAuthHeaders?: () => Promise<Record<string, string>>;
package/dist/index.js CHANGED
@@ -1,8 +1,8 @@
1
1
  'use strict';
2
2
 
3
3
  var axios = require('axios');
4
- var web3_js = require('@solana/web3.js');
5
4
  var nacl = require('tweetnacl');
5
+ var web3_js = require('@solana/web3.js');
6
6
  var anchor = require('@coral-xyz/anchor');
7
7
  var BN = require('bn.js');
8
8
  var ReconnectingWebSocket = require('reconnecting-websocket');
@@ -3330,231 +3330,6 @@ var sessionManager = /*#__PURE__*/Object.freeze({
3330
3330
  getActiveSessionManager: getActiveSessionManager
3331
3331
  });
3332
3332
 
3333
- var safeBuffer = {exports: {}};
3334
-
3335
- /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */
3336
-
3337
- var hasRequiredSafeBuffer;
3338
-
3339
- function requireSafeBuffer () {
3340
- if (hasRequiredSafeBuffer) return safeBuffer.exports;
3341
- hasRequiredSafeBuffer = 1;
3342
- (function (module, exports$1) {
3343
- /* eslint-disable node/no-deprecated-api */
3344
- var buffer = requireBuffer();
3345
- var Buffer = buffer.Buffer;
3346
-
3347
- // alternative to using Object.keys for old browsers
3348
- function copyProps (src, dst) {
3349
- for (var key in src) {
3350
- dst[key] = src[key];
3351
- }
3352
- }
3353
- if (Buffer.from && Buffer.alloc && Buffer.allocUnsafe && Buffer.allocUnsafeSlow) {
3354
- module.exports = buffer;
3355
- } else {
3356
- // Copy properties from require('buffer')
3357
- copyProps(buffer, exports$1);
3358
- exports$1.Buffer = SafeBuffer;
3359
- }
3360
-
3361
- function SafeBuffer (arg, encodingOrOffset, length) {
3362
- return Buffer(arg, encodingOrOffset, length)
3363
- }
3364
-
3365
- SafeBuffer.prototype = Object.create(Buffer.prototype);
3366
-
3367
- // Copy static methods from Buffer
3368
- copyProps(Buffer, SafeBuffer);
3369
-
3370
- SafeBuffer.from = function (arg, encodingOrOffset, length) {
3371
- if (typeof arg === 'number') {
3372
- throw new TypeError('Argument must not be a number')
3373
- }
3374
- return Buffer(arg, encodingOrOffset, length)
3375
- };
3376
-
3377
- SafeBuffer.alloc = function (size, fill, encoding) {
3378
- if (typeof size !== 'number') {
3379
- throw new TypeError('Argument must be a number')
3380
- }
3381
- var buf = Buffer(size);
3382
- if (fill !== undefined) {
3383
- if (typeof encoding === 'string') {
3384
- buf.fill(fill, encoding);
3385
- } else {
3386
- buf.fill(fill);
3387
- }
3388
- } else {
3389
- buf.fill(0);
3390
- }
3391
- return buf
3392
- };
3393
-
3394
- SafeBuffer.allocUnsafe = function (size) {
3395
- if (typeof size !== 'number') {
3396
- throw new TypeError('Argument must be a number')
3397
- }
3398
- return Buffer(size)
3399
- };
3400
-
3401
- SafeBuffer.allocUnsafeSlow = function (size) {
3402
- if (typeof size !== 'number') {
3403
- throw new TypeError('Argument must be a number')
3404
- }
3405
- return buffer.SlowBuffer(size)
3406
- };
3407
- } (safeBuffer, safeBuffer.exports));
3408
- return safeBuffer.exports;
3409
- }
3410
-
3411
- var src;
3412
- var hasRequiredSrc;
3413
-
3414
- function requireSrc () {
3415
- if (hasRequiredSrc) return src;
3416
- hasRequiredSrc = 1;
3417
- // base-x encoding / decoding
3418
- // Copyright (c) 2018 base-x contributors
3419
- // Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
3420
- // Distributed under the MIT software license, see the accompanying
3421
- // file LICENSE or http://www.opensource.org/licenses/mit-license.php.
3422
- // @ts-ignore
3423
- var _Buffer = requireSafeBuffer().Buffer;
3424
- function base (ALPHABET) {
3425
- if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
3426
- var BASE_MAP = new Uint8Array(256);
3427
- for (var j = 0; j < BASE_MAP.length; j++) {
3428
- BASE_MAP[j] = 255;
3429
- }
3430
- for (var i = 0; i < ALPHABET.length; i++) {
3431
- var x = ALPHABET.charAt(i);
3432
- var xc = x.charCodeAt(0);
3433
- if (BASE_MAP[xc] !== 255) { throw new TypeError(x + ' is ambiguous') }
3434
- BASE_MAP[xc] = i;
3435
- }
3436
- var BASE = ALPHABET.length;
3437
- var LEADER = ALPHABET.charAt(0);
3438
- var FACTOR = Math.log(BASE) / Math.log(256); // log(BASE) / log(256), rounded up
3439
- var iFACTOR = Math.log(256) / Math.log(BASE); // log(256) / log(BASE), rounded up
3440
- function encode (source) {
3441
- if (Array.isArray(source) || source instanceof Uint8Array) { source = _Buffer.from(source); }
3442
- if (!_Buffer.isBuffer(source)) { throw new TypeError('Expected Buffer') }
3443
- if (source.length === 0) { return '' }
3444
- // Skip & count leading zeroes.
3445
- var zeroes = 0;
3446
- var length = 0;
3447
- var pbegin = 0;
3448
- var pend = source.length;
3449
- while (pbegin !== pend && source[pbegin] === 0) {
3450
- pbegin++;
3451
- zeroes++;
3452
- }
3453
- // Allocate enough space in big-endian base58 representation.
3454
- var size = ((pend - pbegin) * iFACTOR + 1) >>> 0;
3455
- var b58 = new Uint8Array(size);
3456
- // Process the bytes.
3457
- while (pbegin !== pend) {
3458
- var carry = source[pbegin];
3459
- // Apply "b58 = b58 * 256 + ch".
3460
- var i = 0;
3461
- for (var it1 = size - 1; (carry !== 0 || i < length) && (it1 !== -1); it1--, i++) {
3462
- carry += (256 * b58[it1]) >>> 0;
3463
- b58[it1] = (carry % BASE) >>> 0;
3464
- carry = (carry / BASE) >>> 0;
3465
- }
3466
- if (carry !== 0) { throw new Error('Non-zero carry') }
3467
- length = i;
3468
- pbegin++;
3469
- }
3470
- // Skip leading zeroes in base58 result.
3471
- var it2 = size - length;
3472
- while (it2 !== size && b58[it2] === 0) {
3473
- it2++;
3474
- }
3475
- // Translate the result into a string.
3476
- var str = LEADER.repeat(zeroes);
3477
- for (; it2 < size; ++it2) { str += ALPHABET.charAt(b58[it2]); }
3478
- return str
3479
- }
3480
- function decodeUnsafe (source) {
3481
- if (typeof source !== 'string') { throw new TypeError('Expected String') }
3482
- if (source.length === 0) { return _Buffer.alloc(0) }
3483
- var psz = 0;
3484
- // Skip and count leading '1's.
3485
- var zeroes = 0;
3486
- var length = 0;
3487
- while (source[psz] === LEADER) {
3488
- zeroes++;
3489
- psz++;
3490
- }
3491
- // Allocate enough space in big-endian base256 representation.
3492
- var size = (((source.length - psz) * FACTOR) + 1) >>> 0; // log(58) / log(256), rounded up.
3493
- var b256 = new Uint8Array(size);
3494
- // Process the characters.
3495
- while (psz < source.length) {
3496
- // Find code of next character
3497
- var charCode = source.charCodeAt(psz);
3498
- // Base map can not be indexed using char code
3499
- if (charCode > 255) { return }
3500
- // Decode character
3501
- var carry = BASE_MAP[charCode];
3502
- // Invalid character
3503
- if (carry === 255) { return }
3504
- var i = 0;
3505
- for (var it3 = size - 1; (carry !== 0 || i < length) && (it3 !== -1); it3--, i++) {
3506
- carry += (BASE * b256[it3]) >>> 0;
3507
- b256[it3] = (carry % 256) >>> 0;
3508
- carry = (carry / 256) >>> 0;
3509
- }
3510
- if (carry !== 0) { throw new Error('Non-zero carry') }
3511
- length = i;
3512
- psz++;
3513
- }
3514
- // Skip leading zeroes in b256.
3515
- var it4 = size - length;
3516
- while (it4 !== size && b256[it4] === 0) {
3517
- it4++;
3518
- }
3519
- var vch = _Buffer.allocUnsafe(zeroes + (size - it4));
3520
- vch.fill(0x00, 0, zeroes);
3521
- var j = zeroes;
3522
- while (it4 !== size) {
3523
- vch[j++] = b256[it4++];
3524
- }
3525
- return vch
3526
- }
3527
- function decode (string) {
3528
- var buffer = decodeUnsafe(string);
3529
- if (buffer) { return buffer }
3530
- throw new Error('Non-base' + BASE + ' character')
3531
- }
3532
- return {
3533
- encode: encode,
3534
- decodeUnsafe: decodeUnsafe,
3535
- decode: decode
3536
- }
3537
- }
3538
- src = base;
3539
- return src;
3540
- }
3541
-
3542
- var bs58$1;
3543
- var hasRequiredBs58;
3544
-
3545
- function requireBs58 () {
3546
- if (hasRequiredBs58) return bs58$1;
3547
- hasRequiredBs58 = 1;
3548
- var basex = requireSrc();
3549
- var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
3550
-
3551
- bs58$1 = basex(ALPHABET);
3552
- return bs58$1;
3553
- }
3554
-
3555
- var bs58Exports = requireBs58();
3556
- var bs58 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports);
3557
-
3558
3333
  // ─────────────────────────────────────────────────────────────
3559
3334
  // Local implementation of getSimulationComputeUnits
3560
3335
  // (Replaces @solana-developers/helpers to avoid Wallet import issue in browser/ESM builds)
@@ -3812,36 +3587,7 @@ async function buildSetDocumentsTransaction(connection, idl, anchorProvider, pay
3812
3587
  return { tx: vTx, blockhash, lastValidBlockHeight };
3813
3588
  }
3814
3589
 
3815
- /* ------------------------------------------------------------------ */
3816
- /* ENV helpers */
3817
- /* ------------------------------------------------------------------ */
3818
- // Canonical `BOUNDED_PRIVATE_KEY` (matches the CLI). Only consulted when no
3819
- // explicit keypair was provided (createWalletClient passes one).
3820
- const ENV_KEYPAIR = "BOUNDED_PRIVATE_KEY";
3821
- const LEGACY_ENV_KEYPAIR = "BOUNDED_SOLANA_KEYPAIR";
3822
- function loadKeypairFromEnv() {
3823
- if (process.env[LEGACY_ENV_KEYPAIR]) {
3824
- throw new Error(`${LEGACY_ENV_KEYPAIR} is no longer supported. Set ${ENV_KEYPAIR} instead, ` +
3825
- `or pass an explicit keypair via createWalletClient({ keypair }).`);
3826
- }
3827
- const secret = process.env[ENV_KEYPAIR];
3828
- if (!secret) {
3829
- throw new Error(`No server keypair for this top-level call. The top-level get/set/subscribe/etc. use an ` +
3830
- `AMBIENT session — set ${ENV_KEYPAIR} to a base-58 secret key (or JSON array) to provide one. ` +
3831
- `If you already created a wallet with createWalletClient({ keypair }), call ITS methods instead ` +
3832
- `(client.subscribe / client.set / client.get): that client is self-contained and deliberately does ` +
3833
- `not set the ambient session, so the top-level functions can't see it.`);
3834
- }
3835
- try {
3836
- const secretKey = secret.trim().startsWith("[")
3837
- ? Uint8Array.from(JSON.parse(secret))
3838
- : bs58.decode(secret.trim());
3839
- return web3_js.Keypair.fromSecretKey(secretKey);
3840
- }
3841
- catch (err) {
3842
- throw new Error(`Unable to parse ${ENV_KEYPAIR}. Ensure it is valid base-58 or JSON.`);
3843
- }
3844
- }
3590
+ const NO_AMBIENT_SERVER_SESSION = "Server sessions are not process-global. Use createWalletClient({ keypair }) and call that wallet client's methods.";
3845
3591
  /* ------------------------------------------------------------------ */
3846
3592
  /* SESSION MANAGER */
3847
3593
  /* ------------------------------------------------------------------ */
@@ -3864,8 +3610,10 @@ class ServerSessionManager {
3864
3610
  * Session creation (instance method)
3865
3611
  * ---------------------------------------------- */
3866
3612
  async createSession() {
3867
- var _a;
3868
- const kp = (_a = this.keypair) !== null && _a !== void 0 ? _a : loadKeypairFromEnv();
3613
+ if (!this.keypair) {
3614
+ throw new Error(NO_AMBIENT_SERVER_SESSION);
3615
+ }
3616
+ const kp = this.keypair;
3869
3617
  const address = kp.publicKey.toBase58();
3870
3618
  /* fetch nonce from auth API */
3871
3619
  const nonce = await genAuthNonce();
@@ -3927,7 +3675,7 @@ class ServerSessionManager {
3927
3675
  return (_b = (_a = this.session) === null || _a === void 0 ? void 0 : _a.refreshToken) !== null && _b !== void 0 ? _b : null;
3928
3676
  }
3929
3677
  }
3930
- /* The default singleton instance (reads keypair from env) */
3678
+ /* The default singleton exists only so top-level server calls fail closed. */
3931
3679
  ServerSessionManager.instance = new ServerSessionManager();
3932
3680
 
3933
3681
  /**
@@ -5970,7 +5718,7 @@ async function getOrCreateConnection(appId, isServer, routePath, authTokenProvid
5970
5718
  const roomKey = roomKeyFromRoutePath(routePath);
5971
5719
  // A wallet-scoped subscription (server WalletClient) gets its OWN connection
5972
5720
  // keyed by the wallet identity, so its WS authenticates as that wallet and
5973
- // never shares a connection (or token) with the ambient env identity.
5721
+ // never shares a connection (or token) with any top-level server caller.
5974
5722
  const base = roomKey ? `${appId}#room#${roomKey}` : appId;
5975
5723
  const connKey = principalKey ? `${base}#id#${principalKey}` : base;
5976
5724
  let connection = connections.get(connKey);
@@ -6027,7 +5775,7 @@ async function getOrCreateConnection(appId, isServer, routePath, authTokenProvid
6027
5775
  }
6028
5776
  // Resolve auth token if available. A wallet-scoped connection resolves
6029
5777
  // its token from the wallet's own session (self-refreshing); all others
6030
- // use the ambient env/web session. The token is sent as the first WS
5778
+ // use the browser session or fail closed for top-level server calls. The token is sent as the first WS
6031
5779
  // frame after open, never as a URL query parameter.
6032
5780
  let authToken;
6033
5781
  try {
@@ -6378,8 +6126,8 @@ async function subscribeV2(path, subscriptionOptions, roomRoutePath) {
6378
6126
  // subscribes with identical options (shared process / SSR / login-switch).
6379
6127
  // Per-subscription wallet override (server WalletClient.subscribe). When set,
6380
6128
  // the connection authenticates + caches under the wallet's identity instead of
6381
- // the ambient env keypair — so a `createWalletClient` caller can subscribe
6382
- // without setting BOUNDED_PRIVATE_KEY (and never crashes resolving it).
6129
+ // any top-level server caller — so a `createWalletClient` caller can
6130
+ // subscribe through its explicit wallet session.
6383
6131
  const overrides = subscriptionOptions._overrides;
6384
6132
  const authTokenProvider = (overrides === null || overrides === void 0 ? void 0 : overrides._getAuthHeaders)
6385
6133
  ? async () => bearerFromAuthHeaders(await overrides._getAuthHeaders()) || null
@@ -6668,7 +6416,7 @@ async function doReconnectWithNewAuth() {
6668
6416
  console.warn('[WS v2] Failed to clear HTTP read cache on auth change:', error);
6669
6417
  }
6670
6418
  try {
6671
- const { reconnectRealtimeStoreWithNewAuth } = await Promise.resolve().then(function () { return require('./realtime-store-CDLQdh7S.js'); });
6419
+ const { reconnectRealtimeStoreWithNewAuth } = await Promise.resolve().then(function () { return require('./realtime-store-Ck_VgTcv.js'); });
6672
6420
  await reconnectRealtimeStoreWithNewAuth();
6673
6421
  }
6674
6422
  catch (error) {
@@ -7008,7 +6756,8 @@ async function invoke(name, args = {}, opts = {}) {
7008
6756
  const base = (config.functionsUrl || DEFAULT_FUNCTIONS_URL).replace(/\/$/, '');
7009
6757
  // Attach the caller's session token automatically (same token as data calls).
7010
6758
  // A wallet-scoped call (server WalletClient.invoke) resolves the token from the
7011
- // wallet's own session; all others use the ambient env/web session.
6759
+ // wallet's own session; browser calls use the active web session. Top-level
6760
+ // server calls fail closed because there is no ambient server signer.
7012
6761
  const authHeader = ((_a = opts._overrides) === null || _a === void 0 ? void 0 : _a._getAuthHeaders)
7013
6762
  ? await opts._overrides._getAuthHeaders()
7014
6763
  : await createAuthHeader(config.isServer);