@btc-vision/cli 1.0.13 → 1.1.0

package/build/lib/ipfs.js

@@ -1,9 +1,59 @@
 import * as https from 'https';
 import * as http from 'http';
 import * as fs from 'fs';
+import * as crypto from 'crypto';
 import ora from 'ora';
 import { loadConfig } from './config.js';
 const DEFAULT_MAX_REDIRECTS = 10;
+const MAX_RESPONSE_SIZE = 512 * 1024 * 1024;
+function isPrivateUrl(url) {
+    try {
+        const parsed = new URL(url);
+        const hostname = parsed.hostname;
+        if (hostname === 'localhost' ||
+            hostname === '127.0.0.1' ||
+            hostname === '[::1]' ||
+            hostname === '0.0.0.0' ||
+            hostname.endsWith('.local') ||
+            hostname.endsWith('.internal')) {
+            return true;
+        }
+        const ipv4Match = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
+        if (ipv4Match) {
+            const [, a, b] = ipv4Match.map(Number);
+            if (a === 10 ||
+                a === 127 ||
+                (a === 172 && b >= 16 && b <= 31) ||
+                (a === 192 && b === 168) ||
+                (a === 169 && b === 254) ||
+                a === 0) {
+                return true;
+            }
+        }
+        return false;
+    }
+    catch {
+        return true;
+    }
+}
+function getSafeRedirectOptions(options, originalUrl, redirectUrl) {
+    const original = new URL(originalUrl);
+    const redirect = new URL(redirectUrl);
+    const sameOrigin = original.origin === redirect.origin;
+    if (sameOrigin) {
+        return options;
+    }
+    const safeHeaders = {};
+    if (options.headers) {
+        for (const [key, value] of Object.entries(options.headers)) {
+            const lower = key.toLowerCase();
+            if (lower !== 'authorization' && lower !== 'cookie') {
+                safeHeaders[key] = value;
+            }
+        }
+    }
+    return { ...options, headers: safeHeaders };
+}
 async function httpRequest(url, options, redirectCount = 0) {
     const maxRedirects = options.maxRedirects ?? DEFAULT_MAX_REDIRECTS;
     const followRedirect = options.followRedirect ?? false;
@@ -29,15 +79,29 @@ async function httpRequest(url, options, redirectCount = 0) {
                 const location = Array.isArray(locationHeader) ? locationHeader[0] : locationHeader;
                 if (location) {
                     const redirectUrl = new URL(location, url).href;
+                    if (isPrivateUrl(redirectUrl)) {
+                        res.resume();
+                        reject(new Error(`Redirect blocked: target resolves to a private/internal address`));
+                        return;
+                    }
+                    const safeOptions = getSafeRedirectOptions(options, url, redirectUrl);
                     res.resume();
-                    httpRequest(redirectUrl, options, redirectCount + 1)
+                    httpRequest(redirectUrl, safeOptions, redirectCount + 1)
                         .then(resolve)
                         .catch(reject);
                     return;
                 }
             }
             const chunks = [];
+            let totalSize = 0;
+            const maxResponseSize = options.maxResponseSize ?? MAX_RESPONSE_SIZE;
             res.on('data', (chunk) => {
+                totalSize += chunk.length;
+                if (totalSize > maxResponseSize) {
+                    req.destroy();
+                    reject(new Error(`Response size exceeded limit (${maxResponseSize} bytes)`));
+                    return;
+                }
                 chunks.push(chunk);
             });
             res.on('end', () => {
@@ -47,7 +111,12 @@ async function httpRequest(url, options, redirectCount = 0) {
                     const hrefMatch = bodyStr.match(/href="([^"]+)"/);
                     if (hrefMatch && hrefMatch[1]) {
                         const redirectUrl = new URL(hrefMatch[1], url).href;
-                        httpRequest(redirectUrl, options, redirectCount + 1)
+                        if (isPrivateUrl(redirectUrl)) {
+                            reject(new Error(`Redirect blocked: target resolves to a private/internal address`));
+                            return;
+                        }
+                        const safeOptions = getSafeRedirectOptions(options, url, redirectUrl);
+                        httpRequest(redirectUrl, safeOptions, redirectCount + 1)
                             .then(resolve)
                             .catch(reject);
                         return;
@@ -69,7 +138,9 @@ async function httpRequest(url, options, redirectCount = 0) {
             reject(new Error('Request timeout'));
         });
         if (options.body) {
-            const bodyBuffer = Buffer.isBuffer(options.body) ? options.body : Buffer.from(options.body);
+            const bodyBuffer = Buffer.isBuffer(options.body)
+                ? options.body
+                : Buffer.from(options.body);
             const totalBytes = bodyBuffer.length;
             const chunkSize = 64 * 1024;
             let bytesSent = 0;
@@ -109,7 +180,7 @@ export async function pinToIPFS(data, name) {
         if (!endpoint) {
             throw new Error('IPFS pinning endpoint not configured. Run `opnet config set ipfsPinningEndpoint <url>`');
         }
-        const boundary = '----FormBoundary' + Math.random().toString(36).substring(2);
+        const boundary = '----FormBoundary' + crypto.randomBytes(16).toString('hex');
         const fileName = name || 'plugin.opnet';
         const formParts = [];
         formParts.push(Buffer.from(`--${boundary}\r\n` +
@@ -124,11 +195,13 @@ export async function pinToIPFS(data, name) {
             'Content-Length': body.length.toString(),
         };
         if (config.ipfsPinningAuthHeader) {
-            const [headerName, headerValue] = config.ipfsPinningAuthHeader
-                .split(':')
-                .map((s) => s.trim());
-            if (headerName && headerValue) {
-                headers[headerName] = headerValue;
+            const colonIndex = config.ipfsPinningAuthHeader.indexOf(':');
+            if (colonIndex > 0) {
+                const headerName = config.ipfsPinningAuthHeader.substring(0, colonIndex).trim();
+                const headerValue = config.ipfsPinningAuthHeader.substring(colonIndex + 1).trim();
+                if (headerName && headerValue) {
+                    headers[headerName] = headerValue;
+                }
             }
         }
         else if (config.ipfsPinningApiKey) {
@@ -136,10 +209,10 @@ export async function pinToIPFS(data, name) {
         }
         const url = new URL(endpoint);
         let requestUrl;
-        if (url.hostname.includes('ipfs.opnet.org')) {
+        if (url.hostname === 'ipfs.opnet.org' || url.hostname.endsWith('.ipfs.opnet.org')) {
             requestUrl = endpoint;
         }
-        else if (url.hostname.includes('pinata')) {
+        else if (url.hostname.endsWith('.pinata.cloud') || url.hostname === 'pinata.cloud') {
             requestUrl = 'https://api.pinata.cloud/pinning/pinFileToIPFS';
             if (config.ipfsPinningApiKey && !config.ipfsPinningApiKey.startsWith('eyJ')) {
                 headers['pinata_api_key'] = config.ipfsPinningApiKey;
@@ -148,10 +221,10 @@ export async function pinToIPFS(data, name) {
                 }
             }
         }
-        else if (url.hostname.includes('web3.storage') || url.hostname.includes('w3s.link')) {
+        else if (url.hostname.endsWith('.web3.storage') || url.hostname === 'web3.storage' || url.hostname.endsWith('.w3s.link') || url.hostname === 'w3s.link') {
             requestUrl = endpoint.endsWith('/') ? endpoint + 'upload' : endpoint + '/upload';
         }
-        else if (url.hostname.includes('nft.storage')) {
+        else if (url.hostname.endsWith('.nft.storage') || url.hostname === 'nft.storage') {
             requestUrl = 'https://api.nft.storage/upload';
         }
         else if (url.pathname.includes('/api/v0/')) {
@@ -194,7 +267,9 @@ export async function pinToIPFS(data, name) {
         };
     }
     catch (e) {
-        throw new Error(`IPFS pinning failed: ${e instanceof Error ? e.message : String(e)}`);
+        throw new Error(`IPFS pinning failed: ${e instanceof Error ? e.message : String(e)}`, {
+            cause: e,
+        });
     }
 }
 export async function fetchFromIPFS(cid) {
@@ -372,14 +447,10 @@ function getMimeType(filePath) {
     return mimeTypes[ext] || 'application/octet-stream';
 }
 function generateSessionId() {
-    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
-        const r = (Math.random() * 16) | 0;
-        const v = c === 'x' ? r : (r & 0x3) | 0x8;
-        return v.toString(16);
-    });
+    return crypto.randomUUID();
 }
 function sleep(ms) {
-    return new Promise(resolve => setTimeout(resolve, ms));
+    return new Promise((resolve) => setTimeout(resolve, ms));
 }
 async function mfsCall(endpoint, apiPath, params, body, headers, maxRetries = 3) {
     const url = new URL(endpoint);
@@ -392,7 +463,7 @@ async function mfsCall(endpoint, apiPath, params, body, headers, maxRetries = 3)
     };
     let formBody;
     if (body) {
-        const boundary = '----FormBoundary' + Math.random().toString(36).substring(2);
+        const boundary = '----FormBoundary' + crypto.randomBytes(16).toString('hex');
         const formParts = [];
         formParts.push(Buffer.from(`--${boundary}\r\n` +
             `Content-Disposition: form-data; name="file"\r\n` +
@@ -541,7 +612,7 @@ export async function uploadDirectory(dirPath, _wrapWithDirectory = true) {
         }
         catch {
         }
-        throw new Error(`IPFS directory upload failed: ${e instanceof Error ? e.message : String(e)}`);
+        throw new Error(`IPFS directory upload failed: ${e instanceof Error ? e.message : String(e)}`, { cause: e });
     }
 }
 export async function uploadFile(filePath) {

package/build/lib/manifest.js

@@ -46,7 +46,9 @@ export function loadManifest(manifestPath) {
         manifest = JSON.parse(content);
     }
     catch (e) {
-        throw new Error(`Failed to parse manifest: ${e instanceof Error ? e.message : String(e)}`);
+        throw new Error(`Failed to parse manifest: ${e instanceof Error ? e.message : String(e)}`, {
+            cause: e,
+        });
     }
     const errors = [];
     if (!manifest.name || typeof manifest.name !== 'string') {

package/build/lib/provider.js

@@ -13,7 +13,11 @@ export function getProvider(network) {
         return cached;
     }
     const bitcoinNetwork = getNetwork(targetNetwork);
-    const provider = new JSONRpcProvider(rpcUrl, bitcoinNetwork, DEFAULT_TIMEOUT);
+    const provider = new JSONRpcProvider({
+        url: rpcUrl,
+        network: bitcoinNetwork,
+        timeout: DEFAULT_TIMEOUT,
+    });
     providerCache.set(cacheKey, provider);
     return provider;
 }

package/build/lib/registry.js

@@ -161,8 +161,21 @@ export function parsePackageName(fullName) {
     }
     return { scope: null, name: fullName };
 }
+function canonicalSort(value) {
+    if (value === null || value === undefined || typeof value !== 'object') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map(canonicalSort);
+    }
+    const sorted = {};
+    for (const key of Object.keys(value).sort()) {
+        sorted[key] = canonicalSort(value[key]);
+    }
+    return sorted;
+}
 export function computePermissionsHash(permissions) {
-    const json = JSON.stringify(permissions);
+    const json = JSON.stringify(canonicalSort(permissions));
     const hash = crypto.createHash('sha256').update(json).digest();
     return new Uint8Array(hash);
 }
@@ -179,7 +192,11 @@ export function registryToMldsaLevel(registryLevel) {
         2: 65,
         3: 87,
     };
-    return levels[registryLevel] || 44;
+    const level = levels[registryLevel];
+    if (level === undefined) {
+        throw new Error(`Unknown MLDSA registry level: ${registryLevel}. Expected 1, 2, or 3.`);
+    }
+    return level;
 }
 export function mldsaLevelToRegistry(mldsaLevel) {
     const levels = {

package/build/lib/transaction.js

@@ -19,9 +19,14 @@ export function getWalletAddress(wallet) {
     return wallet.address;
 }
 export function formatSats(sats) {
-    const btc = Number(sats) / 100_000_000;
-    if (btc >= 0.001) {
-        return `${sats} sats (${btc.toFixed(8)} BTC)`;
+    const btcWhole = sats / 100000000n;
+    const btcFrac = sats % 100000000n;
+    const absWhole = btcWhole < 0n ? -btcWhole : btcWhole;
+    const absFrac = btcFrac < 0n ? -btcFrac : btcFrac;
+    const sign = sats < 0n ? '-' : '';
+    const btcStr = `${sign}${absWhole}.${absFrac.toString().padStart(8, '0')}`;
+    if (absWhole > 0n || absFrac >= 100000n) {
+        return `${sats} sats (${btcStr} BTC)`;
     }
     return `${sats} sats`;
 }

package/build/lib/wallet.d.ts

@@ -1,8 +1,8 @@
-import { Network, Signer } from '@btc-vision/bitcoin';
+import { Network } from '@btc-vision/bitcoin';
 import { MLDSASecurityLevel, QuantumBIP32Interface } from '@btc-vision/bip32';
 import { Address } from '@btc-vision/transaction';
 import { CLICredentials, CLIMldsaLevel, NetworkName } from '../types/index.js';
-import { ECPairInterface } from 'ecpair';
+import { UniversalSigner } from '@btc-vision/ecpair';
 export declare function getNetwork(networkName: NetworkName): Network;
 export declare function getMLDSASecurityLevel(level: CLIMldsaLevel): MLDSASecurityLevel;
 export declare class CLIWallet {
@@ -12,21 +12,21 @@ export declare class CLIWallet {
     private constructor();
     get address(): Address;
     get p2trAddress(): string;
-    get keypair(): Signer | ECPairInterface | null;
+    get keypair(): UniversalSigner | null;
     get mldsaKeypair(): QuantumBIP32Interface;
-    get mldsaPublicKey(): Buffer;
+    get mldsaPublicKey(): Uint8Array;
     get mldsaPublicKeyHash(): string;
     get securityLevel(): CLIMldsaLevel;
     static fromCredentials(credentials: CLICredentials): CLIWallet;
     static load(): CLIWallet;
-    static verifyMLDSA(data: Buffer, signature: Buffer, publicKey: Buffer, level: CLIMldsaLevel): boolean;
-    signMLDSA(data: Buffer): Buffer;
-    verifyMLDSA(data: Buffer, signature: Buffer): boolean;
+    static verifyMLDSA(data: Uint8Array, signature: Uint8Array, publicKey: Uint8Array, level: CLIMldsaLevel): boolean;
+    signMLDSA(data: Uint8Array): Uint8Array;
+    verifyMLDSA(data: Uint8Array, signature: Uint8Array): boolean;
 }
 export declare function generateMLDSAKeypair(level: CLIMldsaLevel): {
-    privateKey: Buffer;
-    publicKey: Buffer;
+    privateKey: Uint8Array;
+    publicKey: Uint8Array;
 };
-export declare function computePublicKeyHash(publicKey: Buffer): string;
+export declare function computePublicKeyHash(publicKey: Uint8Array): string;
 export declare function validateMnemonic(phrase: string): boolean;
 export declare function generateMnemonic(): string;

package/build/lib/wallet.js

@@ -45,11 +45,10 @@ export class CLIWallet {
         return this.wallet.mldsaKeypair;
     }
     get mldsaPublicKey() {
-        return Buffer.from(this.wallet.mldsaKeypair.publicKey);
+        return this.wallet.mldsaKeypair.publicKey;
     }
     get mldsaPublicKeyHash() {
-        const hash = crypto.createHash('sha256').update(this.mldsaPublicKey).digest();
-        return hash.toString('hex');
+        return crypto.createHash('sha256').update(this.mldsaPublicKey).digest('hex');
     }
     get securityLevel() {
         return this.mldsaLevel;
@@ -59,7 +58,7 @@ export class CLIWallet {
         const securityLevel = getMLDSASecurityLevel(credentials.mldsaLevel);
         if (credentials.mnemonic) {
             const mnemonic = new Mnemonic(credentials.mnemonic, '', network, securityLevel);
-            const wallet = mnemonic.deriveUnisat();
+            const wallet = mnemonic.deriveOPWallet();
             return new CLIWallet(wallet, network, credentials.mldsaLevel);
         }
         if (credentials.wif && credentials.mldsaPrivateKey) {
@@ -86,7 +85,7 @@ export class CLIWallet {
     }
     signMLDSA(data) {
         const result = MessageSigner.signMLDSAMessage(this.wallet.mldsaKeypair, data);
-        return Buffer.from(result.signature);
+        return result.signature;
     }
     verifyMLDSA(data, signature) {
         return MessageSigner.verifyMLDSASignature(this.wallet.mldsaKeypair, data, signature);
@@ -96,8 +95,8 @@ export function generateMLDSAKeypair(level) {
     const securityLevel = getMLDSASecurityLevel(level);
     const keypair = EcKeyPair.generateQuantumKeyPair(securityLevel);
     return {
-        privateKey: Buffer.from(keypair.privateKey),
-        publicKey: Buffer.from(keypair.publicKey),
+        privateKey: keypair.privateKey,
+        publicKey: keypair.publicKey,
     };
 }
 export function computePublicKeyHash(publicKey) {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@btc-vision/cli",
-    "version": "1.0.13",
+    "version": "1.1.0",
     "type": "module",
     "description": "CLI for the OPNet plugin ecosystem - scaffolding, compilation, signing, and registry interaction",
     "author": "OP_NET",
@@ -49,32 +49,32 @@
         "prepublishOnly": "npm run build"
     },
     "dependencies": {
-        "@btc-vision/bip32": "^6.0.3",
-        "@btc-vision/bitcoin": "^6.4.11",
-        "@btc-vision/logger": "^1.0.0",
-        "@btc-vision/plugin-sdk": "^1.0.0",
-        "@btc-vision/transaction": "^1.7.19",
-        "@inquirer/prompts": "^8.1.0",
+        "@btc-vision/bip32": "^7.1.2",
+        "@btc-vision/bitcoin": "^7.0.0-rc.4",
+        "@btc-vision/ecpair": "^4.0.5",
+        "@btc-vision/logger": "^1.0.8",
+        "@btc-vision/plugin-sdk": "^1.0.1",
+        "@btc-vision/transaction": "^1.8.0-rc.4",
+        "@inquirer/prompts": "^8.2.1",
         "bytenode": "^1.5.7",
-        "commander": "^14.0.0",
-        "ecpair": "^2.1.0",
-        "esbuild": "^0.27.1",
-        "opnet": "^1.7.18",
-        "ora": "^9.0.0"
+        "commander": "^14.0.3",
+        "esbuild": "^0.27.3",
+        "opnet": "^1.8.1-rc.3",
+        "ora": "^9.3.0"
     },
     "devDependencies": {
-        "@eslint/js": "^9.39.1",
-        "@types/node": "^25.0.2",
-        "eslint": "^9.39.1",
+        "@eslint/js": "^10.0.1",
+        "@types/node": "^25.2.3",
+        "eslint": "^10.0.0",
         "gulp": "^5.0.1",
         "gulp-cached": "^1.1.1",
         "gulp-clean": "^0.4.0",
-        "gulp-eslint-new": "^2.4.0",
+        "gulp-eslint-new": "^2.6.0",
         "gulp-logger-new": "^1.0.1",
         "gulp-typescript": "^6.0.0-alpha.1",
-        "prettier": "^3.6.2",
-        "typescript": "^5.9.2",
-        "typescript-eslint": "^8.39.1"
+        "prettier": "^3.8.1",
+        "typescript": "^5.9.3",
+        "typescript-eslint": "^8.56.0"
     },
     "keywords": [
         "opnet",