@caypo/canton-sdk 0.1.0

package/src/__tests__/keystore.test.ts

@@ -0,0 +1,197 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { mkdtemp, rm } from "node:fs/promises";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { Keystore } from "../wallet/keystore.js";
+
+// ---------------------------------------------------------------------------
+// Setup / teardown
+// ---------------------------------------------------------------------------
+
+let tmpDir: string;
+let walletPath: string;
+
+const PIN = "1234";
+const PARTY = "Agent::1220abcdef1234567890";
+const JWT = "eyJhbGciOiJSUzI1NiJ9.test-jwt-payload";
+const USER_ID = "ledger-api-user";
+
+beforeEach(async () => {
+  tmpDir = await mkdtemp(join(tmpdir(), "caypo-keystore-test-"));
+  walletPath = join(tmpDir, "wallet.key");
+});
+
+afterEach(async () => {
+  await rm(tmpDir, { recursive: true, force: true });
+});
+
+// ---------------------------------------------------------------------------
+// Keystore.create
+// ---------------------------------------------------------------------------
+
+describe("Keystore.create", () => {
+  it("creates a new wallet and returns a Keystore instance", async () => {
+    const ks = await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      walletPath,
+    );
+
+    expect(ks.address).toBe(PARTY);
+  });
+
+  it("getCredentials returns partyId, jwt, userId", async () => {
+    const ks = await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      walletPath,
+    );
+
+    const creds = ks.getCredentials();
+    expect(creds.partyId).toBe(PARTY);
+    expect(creds.jwt).toBe(JWT);
+    expect(creds.userId).toBe(USER_ID);
+  });
+
+  it("creates parent directories if they don't exist", async () => {
+    const nested = join(tmpDir, "deep", "nested", "wallet.key");
+    const ks = await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      nested,
+    );
+
+    expect(ks.address).toBe(PARTY);
+
+    // Verify it can be loaded back
+    const loaded = await Keystore.load(PIN, nested);
+    expect(loaded.address).toBe(PARTY);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Keystore.load
+// ---------------------------------------------------------------------------
+
+describe("Keystore.load", () => {
+  it("loads and decrypts an existing wallet with correct PIN", async () => {
+    await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      walletPath,
+    );
+
+    const loaded = await Keystore.load(PIN, walletPath);
+
+    expect(loaded.address).toBe(PARTY);
+    const creds = loaded.getCredentials();
+    expect(creds.partyId).toBe(PARTY);
+    expect(creds.jwt).toBe(JWT);
+    expect(creds.userId).toBe(USER_ID);
+  });
+
+  it("throws with wrong PIN", async () => {
+    await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      walletPath,
+    );
+
+    await expect(Keystore.load("wrong-pin", walletPath)).rejects.toThrow(
+      "Invalid PIN or corrupted wallet file",
+    );
+  });
+
+  it("throws if file does not exist", async () => {
+    await expect(Keystore.load(PIN, join(tmpDir, "nonexistent.key"))).rejects.toThrow();
+  });
+
+  it("different PINs produce different encryptions", async () => {
+    const path1 = join(tmpDir, "w1.key");
+    const path2 = join(tmpDir, "w2.key");
+
+    await Keystore.create(PIN, { partyId: PARTY, jwt: JWT, userId: USER_ID }, path1);
+    await Keystore.create("5678", { partyId: PARTY, jwt: JWT, userId: USER_ID }, path2);
+
+    // Files should have different content (different salt, IV)
+    const { readFile } = await import("node:fs/promises");
+    const f1 = await readFile(path1, "utf8");
+    const f2 = await readFile(path2, "utf8");
+    expect(f1).not.toBe(f2);
+
+    // But both should load correctly with their own PINs
+    const ks1 = await Keystore.load(PIN, path1);
+    const ks2 = await Keystore.load("5678", path2);
+    expect(ks1.address).toBe(PARTY);
+    expect(ks2.address).toBe(PARTY);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Keystore.changePin
+// ---------------------------------------------------------------------------
+
+describe("Keystore.changePin", () => {
+  it("re-encrypts with new PIN, old PIN no longer works", async () => {
+    const ks = await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      walletPath,
+    );
+
+    await ks.changePin(PIN, "9999");
+
+    // New PIN works
+    const loaded = await Keystore.load("9999", walletPath);
+    expect(loaded.address).toBe(PARTY);
+    expect(loaded.getCredentials().jwt).toBe(JWT);
+
+    // Old PIN fails
+    await expect(Keystore.load(PIN, walletPath)).rejects.toThrow(
+      "Invalid PIN or corrupted wallet file",
+    );
+  });
+
+  it("throws if old PIN is wrong", async () => {
+    const ks = await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      walletPath,
+    );
+
+    await expect(ks.changePin("wrong", "9999")).rejects.toThrow(
+      "Invalid PIN or corrupted wallet file",
+    );
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Keystore.exportKey
+// ---------------------------------------------------------------------------
+
+describe("Keystore.exportKey", () => {
+  it("returns a 64-character hex string (32 bytes)", async () => {
+    const ks = await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      walletPath,
+    );
+
+    const key = ks.exportKey(PIN);
+    expect(key).toMatch(/^[0-9a-f]{64}$/);
+  });
+
+  it("returns consistent key across load cycles", async () => {
+    const ks = await Keystore.create(
+      PIN,
+      { partyId: PARTY, jwt: JWT, userId: USER_ID },
+      walletPath,
+    );
+    const key1 = ks.exportKey(PIN);
+
+    const loaded = await Keystore.load(PIN, walletPath);
+    const key2 = loaded.exportKey(PIN);
+
+    expect(key1).toBe(key2);
+  });
+});

package/src/__tests__/pay-client.test.ts

@@ -0,0 +1,257 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { MppPayClient, parseWwwAuthenticate } from "../mpp/pay-client.js";
+import type { USDCxService } from "../canton/usdcx.js";
+import { SafeguardManager } from "../safeguards/manager.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const AGENT_PARTY = "Agent::1220aaaa";
+const GATEWAY_PARTY = "Gateway::1220bbbb";
+
+const mockFetch = vi.fn<(input: RequestInfo | URL, init?: RequestInit) => Promise<Response>>();
+
+beforeEach(() => {
+  vi.stubGlobal("fetch", mockFetch);
+});
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+function mockUsdcx(): USDCxService {
+  return {
+    getHoldings: vi.fn().mockResolvedValue([]),
+    getBalance: vi.fn().mockResolvedValue("100"),
+    transfer: vi.fn().mockResolvedValue({
+      updateId: "upd-pay",
+      completionOffset: 50,
+      commandId: "cmd-pay",
+    }),
+    mergeHoldings: vi.fn(),
+  } as unknown as USDCxService;
+}
+
+function make402Response(amount: string): Response {
+  return new Response("Payment Required", {
+    status: 402,
+    headers: {
+      "WWW-Authenticate": `Payment method="canton", amount="${amount}", currency="USDCx", recipient="${GATEWAY_PARTY}", network="testnet"`,
+    },
+  });
+}
+
+// ---------------------------------------------------------------------------
+// parseWwwAuthenticate
+// ---------------------------------------------------------------------------
+
+describe("parseWwwAuthenticate", () => {
+  it("parses valid Canton payment challenge", () => {
+    const result = parseWwwAuthenticate(
+      `Payment method="canton", amount="0.01", currency="USDCx", recipient="${GATEWAY_PARTY}", network="mainnet"`,
+    );
+
+    expect(result).toEqual({
+      amount: "0.01",
+      currency: "USDCx",
+      recipient: GATEWAY_PARTY,
+      network: "mainnet",
+    });
+  });
+
+  it("parses challenge with description", () => {
+    const result = parseWwwAuthenticate(
+      `Payment method="canton", amount="0.50", currency="USDCx", recipient="Gw::1220", network="testnet", description="API call"`,
+    );
+
+    expect(result?.description).toBe("API call");
+  });
+
+  it("defaults currency to USDCx if missing", () => {
+    const result = parseWwwAuthenticate(
+      `Payment method="canton", amount="1.0", recipient="R::1220", network="testnet"`,
+    );
+
+    expect(result?.currency).toBe("USDCx");
+  });
+
+  it("returns null for non-Payment header", () => {
+    expect(parseWwwAuthenticate("Bearer realm=\"api\"")).toBeNull();
+  });
+
+  it("returns null for wrong method", () => {
+    expect(
+      parseWwwAuthenticate(`Payment method="stripe", amount="1.0", recipient="x", network="y"`),
+    ).toBeNull();
+  });
+
+  it("returns null for missing required fields", () => {
+    expect(parseWwwAuthenticate(`Payment method="canton"`)).toBeNull();
+    expect(parseWwwAuthenticate(`Payment method="canton", amount="1.0"`)).toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// MppPayClient.pay — non-402 response
+// ---------------------------------------------------------------------------
+
+describe("MppPayClient.pay — non-402", () => {
+  it("returns response as-is with paid=false", async () => {
+    mockFetch.mockResolvedValueOnce(
+      new Response(JSON.stringify({ data: "ok" }), { status: 200 }),
+    );
+
+    const safeguards = new SafeguardManager();
+    const client = new MppPayClient(mockUsdcx(), safeguards, AGENT_PARTY, "testnet");
+
+    const result = await client.pay("https://api.example.com/data");
+
+    expect(result.paid).toBe(false);
+    expect(result.receipt).toBeUndefined();
+    expect(result.response.status).toBe(200);
+    expect(mockFetch).toHaveBeenCalledOnce();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// MppPayClient.pay — full 402 flow
+// ---------------------------------------------------------------------------
+
+describe("MppPayClient.pay — 402 flow", () => {
+  it("pays and retries on 402", async () => {
+    // First call: 402
+    mockFetch.mockResolvedValueOnce(make402Response("0.01"));
+    // Second call: 200 (after payment)
+    mockFetch.mockResolvedValueOnce(
+      new Response(JSON.stringify({ result: "success" }), { status: 200 }),
+    );
+
+    const usdcx = mockUsdcx();
+    const safeguards = new SafeguardManager();
+    const client = new MppPayClient(usdcx, safeguards, AGENT_PARTY, "testnet");
+
+    const result = await client.pay("https://api.example.com/data");
+
+    expect(result.paid).toBe(true);
+    expect(result.receipt).toBeDefined();
+    expect(result.receipt!.updateId).toBe("upd-pay");
+    expect(result.receipt!.amount).toBe("0.01");
+    expect(result.response.status).toBe(200);
+
+    // Verify transfer was called
+    expect(usdcx.transfer).toHaveBeenCalledWith({
+      recipient: GATEWAY_PARTY,
+      amount: "0.01",
+    });
+
+    // Verify retry includes Authorization header
+    const retryCall = mockFetch.mock.calls[1];
+    const retryHeaders = retryCall[1]?.headers as Record<string, string>;
+    expect(retryHeaders.Authorization).toMatch(/^Payment /);
+
+    // Verify credential is valid base64 JSON
+    const credBase64 = retryHeaders.Authorization.replace("Payment ", "");
+    const cred = JSON.parse(Buffer.from(credBase64, "base64").toString("utf-8"));
+    expect(cred.updateId).toBe("upd-pay");
+    expect(cred.sender).toBe(AGENT_PARTY);
+    expect(cred.commandId).toBe("cmd-pay");
+  });
+
+  it("records spend in safeguards", async () => {
+    mockFetch.mockResolvedValueOnce(make402Response("5.00"));
+    mockFetch.mockResolvedValueOnce(new Response("ok", { status: 200 }));
+
+    const safeguards = new SafeguardManager();
+    const client = new MppPayClient(mockUsdcx(), safeguards, AGENT_PARTY, "testnet");
+
+    await client.pay("https://api.example.com/data");
+
+    expect(safeguards.settings().dailySpent).toBe("5");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// MppPayClient.pay — error cases
+// ---------------------------------------------------------------------------
+
+describe("MppPayClient.pay — errors", () => {
+  it("throws on network mismatch", async () => {
+    const header = `Payment method="canton", amount="0.01", currency="USDCx", recipient="${GATEWAY_PARTY}", network="mainnet"`;
+    mockFetch.mockResolvedValueOnce(
+      new Response("", { status: 402, headers: { "WWW-Authenticate": header } }),
+    );
+
+    const client = new MppPayClient(mockUsdcx(), new SafeguardManager(), AGENT_PARTY, "testnet");
+
+    await expect(client.pay("https://api.example.com/data")).rejects.toThrow(
+      "Network mismatch",
+    );
+  });
+
+  it("throws when price exceeds maxPrice", async () => {
+    mockFetch.mockResolvedValueOnce(make402Response("10.00"));
+
+    const client = new MppPayClient(mockUsdcx(), new SafeguardManager(), AGENT_PARTY, "testnet");
+
+    await expect(
+      client.pay("https://api.example.com/data", { maxPrice: "5.00" }),
+    ).rejects.toThrow("exceeds maxPrice");
+  });
+
+  it("throws when safeguards block payment", async () => {
+    mockFetch.mockResolvedValueOnce(make402Response("0.01"));
+
+    const safeguards = new SafeguardManager();
+    safeguards.lock("1234");
+    const client = new MppPayClient(mockUsdcx(), safeguards, AGENT_PARTY, "testnet");
+
+    await expect(client.pay("https://api.example.com/data")).rejects.toThrow(
+      "Safeguard rejected",
+    );
+  });
+
+  it("throws on 402 without valid challenge header", async () => {
+    mockFetch.mockResolvedValueOnce(
+      new Response("", { status: 402, headers: { "WWW-Authenticate": "Bearer realm=\"api\"" } }),
+    );
+
+    const client = new MppPayClient(mockUsdcx(), new SafeguardManager(), AGENT_PARTY, "testnet");
+
+    await expect(client.pay("https://api.example.com/data")).rejects.toThrow(
+      "no valid Canton payment challenge",
+    );
+  });
+
+  it("throws on 402 without WWW-Authenticate header", async () => {
+    mockFetch.mockResolvedValueOnce(new Response("", { status: 402 }));
+
+    const client = new MppPayClient(mockUsdcx(), new SafeguardManager(), AGENT_PARTY, "testnet");
+
+    await expect(client.pay("https://api.example.com/data")).rejects.toThrow(
+      "no valid Canton payment challenge",
+    );
+  });
+
+  it("passes custom method and body to requests", async () => {
+    mockFetch.mockResolvedValueOnce(make402Response("0.01"));
+    mockFetch.mockResolvedValueOnce(new Response("ok", { status: 200 }));
+
+    const client = new MppPayClient(mockUsdcx(), new SafeguardManager(), AGENT_PARTY, "testnet");
+
+    await client.pay("https://api.example.com/data", {
+      method: "POST",
+      body: JSON.stringify({ prompt: "hello" }),
+      headers: { "Content-Type": "application/json" },
+    });
+
+    // Both requests should use POST
+    expect(mockFetch.mock.calls[0][1]?.method).toBe("POST");
+    expect(mockFetch.mock.calls[1][1]?.method).toBe("POST");
+
+    // Retry should include both content-type and authorization
+    const retryHeaders = mockFetch.mock.calls[1][1]?.headers as Record<string, string>;
+    expect(retryHeaders["Content-Type"]).toBe("application/json");
+    expect(retryHeaders.Authorization).toMatch(/^Payment /);
+  });
+});