@claw-network/node 0.2.0

package/README.md

@@ -0,0 +1,49 @@
+# @claw-network/node
+
+> ClawNet node daemon — HTTP API and P2P networking for the AI agent economy.
+
+## Install
+
+```bash
+npm install @claw-network/node
+```
+
+## Usage
+
+### Start as daemon
+
+```bash
+npx clawnetd
+# API available at http://127.0.0.1:9528
+```
+
+### Options
+
+```
+clawnetd [options]
+
+  --data-dir <path>         Override storage root
+  --api-host <host>         API host (default: 127.0.0.1)
+  --api-port <port>         API port (default: 9528)
+  --no-api                  Disable local API server
+  --listen <multiaddr>      libp2p listen address (repeatable)
+  --bootstrap <multiaddr>   Bootstrap peer (repeatable)
+  -h, --help                Show help
+```
+
+### Programmatic
+
+```typescript
+import { startDaemon } from '@claw-network/node';
+
+await startDaemon(['--api-port', '9528']);
+```
+
+## Documentation
+
+- [Deployment Guide](https://github.com/claw-network/clawnet/blob/main/docs/DEPLOYMENT.md)
+- [API Reference](https://github.com/claw-network/clawnet/blob/main/docs/API_REFERENCE.md)
+
+## License
+
+MIT

package/dist/api/api-key-store.d.ts

@@ -0,0 +1,74 @@
+/**
+ * API Key Store — SQLite-backed multi-key management.
+ *
+ * Each key has:
+ *  - id: auto-increment primary key
+ *  - key: 64-char hex token (crypto-random)
+ *  - label: human-readable tag (e.g. "alice-agent", "bot-prod")
+ *  - status: 'active' | 'revoked'
+ *  - createdAt: ISO-8601 timestamp
+ *  - revokedAt: ISO-8601 timestamp (nullable)
+ *  - lastUsedAt: ISO-8601 timestamp (nullable)
+ *
+ * Uses the same `better-sqlite3` that IndexerStore already depends on.
+ */
+export interface ApiKeyRecord {
+    id: number;
+    key: string;
+    label: string;
+    status: 'active' | 'revoked';
+    createdAt: string;
+    revokedAt: string | null;
+    lastUsedAt: string | null;
+}
+/** Public-facing record (omits the full key, shows only prefix). */
+export interface ApiKeySummary {
+    id: number;
+    keyPrefix: string;
+    label: string;
+    status: 'active' | 'revoked';
+    createdAt: string;
+    revokedAt: string | null;
+    lastUsedAt: string | null;
+}
+export declare class ApiKeyStore {
+    private readonly db;
+    private stmtInsert;
+    private stmtLookup;
+    private stmtListAll;
+    private stmtListActive;
+    private stmtRevoke;
+    private stmtTouch;
+    private stmtGetById;
+    private stmtDelete;
+    constructor(dbPath: string);
+    /**
+     * Add the `key_prefix` column if it doesn't exist yet (schema upgrade).
+     * SQLite has no `ADD COLUMN IF NOT EXISTS`, so check PRAGMA table_info.
+     */
+    private migrateAddKeyPrefix;
+    /**
+     * One-time migration: if the `key_prefix` column was just added to an
+     * existing database, hash any plaintext keys that are still stored.
+     * Plaintext keys are 64-char hex; hashed keys are also 64-char hex but
+     * we detect the old schema by checking whether `key_prefix` is empty.
+     */
+    private migrateHashKeys;
+    private prepareStatements;
+    /** Generate a new API key. Returns the full plaintext key (only shown once). */
+    create(label: string): ApiKeyRecord;
+    /** Validate an API key. Returns the record if active, null otherwise. */
+    validate(key: string): ApiKeyRecord | null;
+    /** List all keys (with truncated key values for safety). */
+    list(includeRevoked?: boolean): ApiKeySummary[];
+    /** Get a key by ID (returns null if not found). */
+    getById(id: number): ApiKeyRecord | null;
+    /** Revoke a key. Returns true if revoked, false if already revoked or not found. */
+    revoke(id: number): boolean;
+    /** Permanently delete a key. */
+    delete(id: number): boolean;
+    /** Total active key count. */
+    activeCount(): number;
+    close(): void;
+}
+//# sourceMappingURL=api-key-store.d.ts.map

package/dist/api/api-key-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key-store.d.ts","sourceRoot":"","sources":["../../src/api/api-key-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAiBH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,oEAAoE;AACpE,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAyBD,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAoB;IAGvC,OAAO,CAAC,UAAU,CAAsB;IACxC,OAAO,CAAC,UAAU,CAAsB;IACxC,OAAO,CAAC,WAAW,CAAsB;IACzC,OAAO,CAAC,cAAc,CAAsB;IAC5C,OAAO,CAAC,UAAU,CAAsB;IACxC,OAAO,CAAC,SAAS,CAAsB;IACvC,OAAO,CAAC,WAAW,CAAsB;IACzC,OAAO,CAAC,UAAU,CAAsB;gBAE5B,MAAM,EAAE,MAAM;IAS1B;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAQ3B;;;;;OAKG;IACH,OAAO,CAAC,eAAe;IAiBvB,OAAO,CAAC,iBAAiB;IA6BzB,gFAAgF;IAChF,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAWnC,yEAAyE;IACzE,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IAS1C,4DAA4D;IAC5D,IAAI,CAAC,cAAc,UAAQ,GAAG,aAAa,EAAE;IAO7C,mDAAmD;IACnD,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IAIxC,oFAAoF;IACpF,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAM3B,gCAAgC;IAChC,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAK3B,8BAA8B;IAC9B,WAAW,IAAI,MAAM;IAKrB,KAAK,IAAI,IAAI;CAGd"}

package/dist/api/api-key-store.js

@@ -0,0 +1,170 @@
+/**
+ * API Key Store — SQLite-backed multi-key management.
+ *
+ * Each key has:
+ *  - id: auto-increment primary key
+ *  - key: 64-char hex token (crypto-random)
+ *  - label: human-readable tag (e.g. "alice-agent", "bot-prod")
+ *  - status: 'active' | 'revoked'
+ *  - createdAt: ISO-8601 timestamp
+ *  - revokedAt: ISO-8601 timestamp (nullable)
+ *  - lastUsedAt: ISO-8601 timestamp (nullable)
+ *
+ * Uses the same `better-sqlite3` that IndexerStore already depends on.
+ */
+import Database from 'better-sqlite3';
+import crypto from 'node:crypto';
+// ---------------------------------------------------------------------------
+// Key hashing — SHA-256 is sufficient because API keys are 256-bit random.
+// ---------------------------------------------------------------------------
+function hashKey(raw) {
+    return crypto.createHash('sha256').update(raw, 'utf8').digest('hex');
+}
+// ---------------------------------------------------------------------------
+// Schema
+// ---------------------------------------------------------------------------
+const SCHEMA_SQL = `
+CREATE TABLE IF NOT EXISTS api_keys (
+  id          INTEGER PRIMARY KEY AUTOINCREMENT,
+  key         TEXT    NOT NULL UNIQUE,
+  key_prefix  TEXT    NOT NULL DEFAULT '',
+  label       TEXT    NOT NULL,
+  status      TEXT    NOT NULL DEFAULT 'active',
+  created_at  TEXT    NOT NULL,
+  revoked_at  TEXT,
+  last_used_at TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_api_keys_key    ON api_keys(key);
+CREATE INDEX IF NOT EXISTS idx_api_keys_status ON api_keys(status);
+`;
+// ---------------------------------------------------------------------------
+// Store
+// ---------------------------------------------------------------------------
+export class ApiKeyStore {
+    db;
+    // Prepared statements (lazy-init)
+    stmtInsert;
+    stmtLookup;
+    stmtListAll;
+    stmtListActive;
+    stmtRevoke;
+    stmtTouch;
+    stmtGetById;
+    stmtDelete;
+    constructor(dbPath) {
+        this.db = new Database(dbPath);
+        this.db.pragma('journal_mode = WAL');
+        this.db.exec(SCHEMA_SQL);
+        this.migrateAddKeyPrefix();
+        this.migrateHashKeys();
+        this.prepareStatements();
+    }
+    /**
+     * Add the `key_prefix` column if it doesn't exist yet (schema upgrade).
+     * SQLite has no `ADD COLUMN IF NOT EXISTS`, so check PRAGMA table_info.
+     */
+    migrateAddKeyPrefix() {
+        const columns = this.db.pragma('table_info(api_keys)');
+        const hasColumn = columns.some((c) => c.name === 'key_prefix');
+        if (!hasColumn) {
+            this.db.exec("ALTER TABLE api_keys ADD COLUMN key_prefix TEXT NOT NULL DEFAULT ''");
+        }
+    }
+    /**
+     * One-time migration: if the `key_prefix` column was just added to an
+     * existing database, hash any plaintext keys that are still stored.
+     * Plaintext keys are 64-char hex; hashed keys are also 64-char hex but
+     * we detect the old schema by checking whether `key_prefix` is empty.
+     */
+    migrateHashKeys() {
+        const rows = this.db
+            .prepare("SELECT id, key FROM api_keys WHERE key_prefix = ''")
+            .all();
+        if (rows.length === 0)
+            return;
+        const update = this.db.prepare('UPDATE api_keys SET key = ?, key_prefix = ? WHERE id = ?');
+        const migrate = this.db.transaction(() => {
+            for (const row of rows) {
+                update.run(hashKey(row.key), row.key.slice(0, 8) + '…', row.id);
+            }
+        });
+        migrate();
+    }
+    prepareStatements() {
+        this.stmtInsert = this.db.prepare(`INSERT INTO api_keys (key, key_prefix, label, status, created_at) VALUES (?, ?, ?, 'active', ?)`);
+        this.stmtLookup = this.db.prepare(`SELECT id, key, key_prefix AS keyPrefix, label, status, created_at AS createdAt, revoked_at AS revokedAt, last_used_at AS lastUsedAt
+       FROM api_keys WHERE key = ?`);
+        this.stmtListAll = this.db.prepare(`SELECT id, key, key_prefix AS keyPrefix, label, status, created_at AS createdAt, revoked_at AS revokedAt, last_used_at AS lastUsedAt
+       FROM api_keys ORDER BY id`);
+        this.stmtListActive = this.db.prepare(`SELECT id, key, key_prefix AS keyPrefix, label, status, created_at AS createdAt, revoked_at AS revokedAt, last_used_at AS lastUsedAt
+       FROM api_keys WHERE status = 'active' ORDER BY id`);
+        this.stmtRevoke = this.db.prepare(`UPDATE api_keys SET status = 'revoked', revoked_at = ? WHERE id = ? AND status = 'active'`);
+        this.stmtTouch = this.db.prepare(`UPDATE api_keys SET last_used_at = ? WHERE id = ?`);
+        this.stmtGetById = this.db.prepare(`SELECT id, key, key_prefix AS keyPrefix, label, status, created_at AS createdAt, revoked_at AS revokedAt, last_used_at AS lastUsedAt
+       FROM api_keys WHERE id = ?`);
+        this.stmtDelete = this.db.prepare(`DELETE FROM api_keys WHERE id = ?`);
+    }
+    /** Generate a new API key. Returns the full plaintext key (only shown once). */
+    create(label) {
+        const rawKey = crypto.randomBytes(32).toString('hex'); // 64-char hex
+        const keyHash = hashKey(rawKey);
+        const prefix = rawKey.slice(0, 8) + '…';
+        const now = new Date().toISOString();
+        this.stmtInsert.run(keyHash, prefix, label, now);
+        // Return the record with the PLAINTEXT key — this is the only time it's visible
+        const row = this.stmtLookup.get(keyHash);
+        return { ...row, key: rawKey };
+    }
+    /** Validate an API key. Returns the record if active, null otherwise. */
+    validate(key) {
+        const keyHash = hashKey(key);
+        const record = this.stmtLookup.get(keyHash);
+        if (!record || record.status !== 'active')
+            return null;
+        // Touch last_used_at asynchronously (non-blocking for perf)
+        this.stmtTouch.run(new Date().toISOString(), record.id);
+        return record;
+    }
+    /** List all keys (with truncated key values for safety). */
+    list(includeRevoked = false) {
+        const rows = includeRevoked
+            ? this.stmtListAll.all()
+            : this.stmtListActive.all();
+        return rows.map(toSummary);
+    }
+    /** Get a key by ID (returns null if not found). */
+    getById(id) {
+        return this.stmtGetById.get(id) ?? null;
+    }
+    /** Revoke a key. Returns true if revoked, false if already revoked or not found. */
+    revoke(id) {
+        const now = new Date().toISOString();
+        const result = this.stmtRevoke.run(now, id);
+        return result.changes > 0;
+    }
+    /** Permanently delete a key. */
+    delete(id) {
+        const result = this.stmtDelete.run(id);
+        return result.changes > 0;
+    }
+    /** Total active key count. */
+    activeCount() {
+        const row = this.db.prepare('SELECT COUNT(*) AS cnt FROM api_keys WHERE status = ?').get('active');
+        return row.cnt;
+    }
+    close() {
+        this.db.close();
+    }
+}
+function toSummary(record) {
+    return {
+        id: record.id,
+        keyPrefix: record.keyPrefix || record.key.slice(0, 8) + '…',
+        label: record.label,
+        status: record.status,
+        createdAt: record.createdAt,
+        revokedAt: record.revokedAt,
+        lastUsedAt: record.lastUsedAt,
+    };
+}
+//# sourceMappingURL=api-key-store.js.map

package/dist/api/api-key-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key-store.js","sourceRoot":"","sources":["../../src/api/api-key-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,8EAA8E;AAC9E,2EAA2E;AAC3E,8EAA8E;AAE9E,SAAS,OAAO,CAAC,GAAW;IAC1B,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACvE,CAAC;AA2BD,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,MAAM,UAAU,GAAG;;;;;;;;;;;;;CAalB,CAAC;AAEF,8EAA8E;AAC9E,QAAQ;AACR,8EAA8E;AAE9E,MAAM,OAAO,WAAW;IACL,EAAE,CAAoB;IAEvC,kCAAkC;IAC1B,UAAU,CAAsB;IAChC,UAAU,CAAsB;IAChC,WAAW,CAAsB;IACjC,cAAc,CAAsB;IACpC,UAAU,CAAsB;IAChC,SAAS,CAAsB;IAC/B,WAAW,CAAsB;IACjC,UAAU,CAAsB;IAExC,YAAY,MAAc;QACxB,IAAI,CAAC,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzB,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC3B,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,CAAC,iBAAiB,EAAE,CAAC;IAC3B,CAAC;IAED;;;OAGG;IACK,mBAAmB;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,sBAAsB,CAA4B,CAAC;QAClF,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;QAC/D,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,eAAe;QACrB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,oDAAoD,CAAC;aAC7D,GAAG,EAAwC,CAAC;QAC/C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAE9B,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,0DAA0D,CAC3D,CAAC;QACF,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE;YACvC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;YAClE,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,CAAC;IACZ,CAAC;IAEO,iBAAiB;QACvB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC/B,iGAAiG,CAClG,CAAC;QACF,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC/B;mCAC6B,CAC9B,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAChC;iCAC2B,CAC5B,CAAC;QACF,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CACnC;yDACmD,CACpD,CAAC;QACF,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC/B,2FAA2F,CAC5F,CAAC;QACF,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC9B,mDAAmD,CACpD,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAChC;kCAC4B,CAC7B,CAAC;QACF,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC;IACzE,CAAC;IAED,gFAAgF;IAChF,MAAM,CAAC,KAAa;QAClB,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc;QACrE,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QAChC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC;QACxC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACjD,gFAAgF;QAChF,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAiB,CAAC;QACzD,OAAO,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;IACjC,CAAC;IAED,yEAAyE;IACzE,QAAQ,CAAC,GAAW;QAClB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAA6B,CAAC;QACxE,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACvD,4DAA4D;QAC5D,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACxD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4DAA4D;IAC5D,IAAI,CAAC,cAAc,GAAG,KAAK;QACzB,MAAM,IAAI,GAAG,cAAc;YACzB,CAAC,CAAE,IAAI,CAAC,WAAW,CAAC,GAAG,EAAiB;YACxC,CAAC,CAAE,IAAI,CAAC,cAAc,CAAC,GAAG,EAAiB,CAAC;QAC9C,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC7B,CAAC;IAED,mDAAmD;IACnD,OAAO,CAAC,EAAU;QAChB,OAAQ,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAkB,IAAI,IAAI,CAAC;IAC5D,CAAC;IAED,oFAAoF;IACpF,MAAM,CAAC,EAAU;QACf,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5C,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,gCAAgC;IAChC,MAAM,CAAC,EAAU;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvC,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,8BAA8B;IAC9B,WAAW;QACT,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,uDAAuD,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAoB,CAAC;QACtH,OAAO,GAAG,CAAC,GAAG,CAAC;IACjB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;CACF;AAWD,SAAS,SAAS,CAAC,MAAgB;IACjC,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG;QAC3D,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CAAC;AACJ,CAAC"}

package/dist/api/auth.d.ts

@@ -0,0 +1,30 @@
+/**
+ * API Key authentication middleware.
+ *
+ * Strategy:
+ *  1. If no ApiKeyStore is configured → skip auth (backwards-compatible).
+ *  2. If the store has 0 active keys → skip auth (fresh node, not yet configured).
+ *  3. Otherwise, require a valid `X-Api-Key` header (or `Authorization: Bearer <key>`).
+ *  4. GET requests to /api/v1/node (status endpoint) are always open.
+ *
+ * When auth is enforced, the middleware rejects with 401 Unauthorized.
+ * The validated key metadata is attached to the request for downstream use.
+ */
+import type { IncomingMessage } from 'node:http';
+import type { Middleware } from './router.js';
+import type { ApiKeyStore } from './api-key-store.js';
+import type { NetworkType } from './types.js';
+export interface ApiKeyAuth {
+    keyId: number;
+    label: string;
+}
+/** Retrieve the authenticated key from a request (or undefined). */
+export declare function getApiKeyAuth(req: IncomingMessage): ApiKeyAuth | undefined;
+/**
+ * Create the API key auth middleware.
+ *
+ * @param store - optional ApiKeyStore. If undefined or has 0 keys, auth is skipped.
+ * @param network - network type. On mainnet, 0-key still enforces 401.
+ */
+export declare function apiKeyAuth(store: ApiKeyStore | undefined, network?: NetworkType): Middleware;
+//# sourceMappingURL=auth.d.ts.map

package/dist/api/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/api/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAkB,MAAM,WAAW,CAAC;AACjE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,KAAK,EAAE,WAAW,EAAgB,MAAM,oBAAoB,CAAC;AACpE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAS9C,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED,oEAAoE;AACpE,wBAAgB,aAAa,CAAC,GAAG,EAAE,eAAe,GAAG,UAAU,GAAG,SAAS,CAE1E;AAsBD;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,WAAW,GAAG,SAAS,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,UAAU,CAoD5F"}

package/dist/api/auth.js

@@ -0,0 +1,115 @@
+/**
+ * API Key authentication middleware.
+ *
+ * Strategy:
+ *  1. If no ApiKeyStore is configured → skip auth (backwards-compatible).
+ *  2. If the store has 0 active keys → skip auth (fresh node, not yet configured).
+ *  3. Otherwise, require a valid `X-Api-Key` header (or `Authorization: Bearer <key>`).
+ *  4. GET requests to /api/v1/node (status endpoint) are always open.
+ *
+ * When auth is enforced, the middleware rejects with 401 Unauthorized.
+ * The validated key metadata is attached to the request for downstream use.
+ */
+import { unauthorized } from './response.js';
+// ---------------------------------------------------------------------------
+// Augment request to carry auth context
+// ---------------------------------------------------------------------------
+const AUTH_SYMBOL = Symbol('apiKeyAuth');
+/** Retrieve the authenticated key from a request (or undefined). */
+export function getApiKeyAuth(req) {
+    return req[AUTH_SYMBOL];
+}
+// ---------------------------------------------------------------------------
+// Public route patterns (no auth required)
+// ---------------------------------------------------------------------------
+/** Routes that are always accessible without an API key. */
+const PUBLIC_ROUTES = [
+    // Node status — needed by health checks and SDK connection probing
+    (url) => url === '/api/v1/node' || url === '/api/v1/node/',
+    // OPTIONS (CORS preflight)
+    (_url, method) => method === 'OPTIONS',
+];
+function isPublicRoute(url, method) {
+    return PUBLIC_ROUTES.some((check) => check(url, method));
+}
+// ---------------------------------------------------------------------------
+// Middleware factory
+// ---------------------------------------------------------------------------
+/**
+ * Create the API key auth middleware.
+ *
+ * @param store - optional ApiKeyStore. If undefined or has 0 keys, auth is skipped.
+ * @param network - network type. On mainnet, 0-key still enforces 401.
+ */
+export function apiKeyAuth(store, network) {
+    return async (req, res, next) => {
+        // No store configured → open access (backward-compatible)
+        if (!store) {
+            await next();
+            return;
+        }
+        // Parse the URL pathname
+        const pathname = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`).pathname;
+        const method = (req.method ?? 'GET').toUpperCase();
+        // Public routes are always accessible
+        if (isPublicRoute(pathname, method)) {
+            await next();
+            return;
+        }
+        // If no keys have been created yet:
+        //  - mainnet: still enforce 401 (must create keys before API is usable)
+        //  - testnet/devnet: open access (fresh node, backwards-compatible)
+        if (store.activeCount() === 0) {
+            if (network === 'mainnet') {
+                unauthorized(res, 'No API keys configured. Create a key with `clawnet api-key create <label>` before using mainnet API.', pathname);
+                return;
+            }
+            await next();
+            return;
+        }
+        // Extract key from header
+        const key = extractApiKey(req);
+        if (!key) {
+            unauthorized(res, 'API key required. Provide via X-Api-Key header or Authorization: Bearer <key>', pathname);
+            return;
+        }
+        // Validate against store
+        const record = store.validate(key);
+        if (!record) {
+            unauthorized(res, 'Invalid or revoked API key', pathname);
+            return;
+        }
+        // Attach auth context to request
+        req[AUTH_SYMBOL] = {
+            keyId: record.id,
+            label: record.label,
+        };
+        await next();
+    };
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function extractApiKey(req) {
+    // Try X-Api-Key header first
+    const xApiKey = firstHeaderValue(req.headers['x-api-key']);
+    if (xApiKey)
+        return xApiKey.trim();
+    // Fall back to Authorization: Bearer <key>
+    const auth = firstHeaderValue(req.headers.authorization);
+    if (!auth)
+        return undefined;
+    const normalized = auth.trim();
+    if (!normalized.toLowerCase().startsWith('bearer '))
+        return undefined;
+    const token = normalized.slice(7).trim();
+    return token || undefined;
+}
+function firstHeaderValue(value) {
+    if (typeof value === 'string')
+        return value;
+    if (Array.isArray(value) && value.length > 0)
+        return value[0];
+    return undefined;
+}
+//# sourceMappingURL=auth.js.map

package/dist/api/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/api/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAE9E,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;AAOzC,oEAAoE;AACpE,MAAM,UAAU,aAAa,CAAC,GAAoB;IAChD,OAAQ,GAA6C,CAAC,WAAW,CAAC,CAAC;AACrE,CAAC;AAED,8EAA8E;AAC9E,2CAA2C;AAC3C,8EAA8E;AAE9E,4DAA4D;AAC5D,MAAM,aAAa,GAAoD;IACrE,mEAAmE;IACnE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,cAAc,IAAI,GAAG,KAAK,eAAe;IAC1D,2BAA2B;IAC3B,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,KAAK,SAAS;CACvC,CAAC;AAEF,SAAS,aAAa,CAAC,GAAW,EAAE,MAAc;IAChD,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,KAA8B,EAAE,OAAqB;IAC9E,OAAO,KAAK,EAAE,GAAoB,EAAE,GAAmB,EAAE,IAAyB,EAAE,EAAE;QACpF,0DAA0D;QAC1D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,yBAAyB;QACzB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC;QAC/F,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QAEnD,sCAAsC;QACtC,IAAI,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,oCAAoC;QACpC,wEAAwE;QACxE,oEAAoE;QACpE,IAAI,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC;YAC9B,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;gBAC1B,YAAY,CAAC,GAAG,EAAE,sGAAsG,EAAE,QAAQ,CAAC,CAAC;gBACpI,OAAO;YACT,CAAC;YACD,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,YAAY,CAAC,GAAG,EAAE,+EAA+E,EAAE,QAAQ,CAAC,CAAC;YAC7G,OAAO;QACT,CAAC;QAED,yBAAyB;QACzB,MAAM,MAAM,GAAwB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,YAAY,CAAC,GAAG,EAAE,4BAA4B,EAAE,QAAQ,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,iCAAiC;QAChC,GAA6C,CAAC,WAAW,CAAC,GAAG;YAC5D,KAAK,EAAE,MAAM,CAAC,EAAE;YAChB,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QAEF,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,aAAa,CAAC,GAAoB;IACzC,6BAA6B;IAC7B,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC3D,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;IAEnC,2CAA2C;IAC3C,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACzD,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IACtE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACzC,OAAO,KAAK,IAAI,SAAS,CAAC;AAC5B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAoC;IAC5D,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAC9D,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/api/legacy.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Legacy event-sourced helper functions.
+ *
+ * These power the fallback path when on-chain services are unavailable.
+ * Extracted from the original server.ts monolith.
+ */
+import type { EventStore, EventEnvelope } from '@claw-network/core';
+import { type WalletState, type SearchQuery } from '@claw-network/protocol';
+export declare function parseEvent(bytes: unknown): EventEnvelope | null;
+export interface IdentityView {
+    did: string;
+    publicKey: string;
+    created: number;
+    updated: number;
+    displayName?: string;
+    avatar?: string;
+    bio?: string;
+    platformLinks: Array<Record<string, unknown>>;
+    capabilities: Array<Record<string, unknown>>;
+}
+export declare function resolveLocalIdentity(dataDir?: string): Promise<IdentityView | null>;
+export declare function buildIdentityView(eventStore: EventStore, did: string): Promise<IdentityView | null>;
+export declare function buildIdentityCapabilities(eventStore: EventStore, did?: string): Promise<Array<Record<string, unknown>>>;
+export declare function buildWalletState(eventStore: EventStore): Promise<WalletState>;
+export declare function parseMarketSearchQuery(params: URLSearchParams): SearchQuery;
+//# sourceMappingURL=legacy.d.ts.map

package/dist/api/legacy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"legacy.d.ts","sourceRoot":"","sources":["../../src/api/legacy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAOpE,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,WAAW,EASjB,MAAM,wBAAwB,CAAC;AAKhC,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,aAAa,GAAG,IAAI,CAW/D;AAID,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC9C,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CAC9C;AAED,wBAAsB,oBAAoB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CA6BzF;AAED,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAqD9B;AAED,wBAAsB,yBAAyB,CAC7C,UAAU,EAAE,UAAU,EACtB,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CA2BzC;AAID,wBAAsB,gBAAgB,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,CAoBnF;AAyBD,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA6E3E"}