@elizaos/plugin-wallet 2.0.0-beta.1

package/dist/lib/server-wallet-trade.d.mts

@@ -0,0 +1,34 @@
+import http from "node:http";
+
+//#region src/contracts.d.ts
+interface WalletExportRequestBody {
+  confirm?: boolean;
+  exportToken?: string;
+}
+interface WalletExportRejection {
+  status: 400 | 401 | 402 | 403 | 429;
+  reason: string;
+}
+//#endregion
+//#region src/lib/server-wallet-trade.d.ts
+declare function normalizeCompatRejection<T extends {
+  status: number;
+  reason: string;
+} | null>(rejection: T): T;
+declare function runWithCompatAuthContext<T>(req: Pick<http.IncomingMessage, "headers">, operation: () => T): T;
+type TradePermissionMode = "user-sign-only" | "manual-local-key" | "agent-auto";
+declare function resolveTradePermissionMode(config: {
+  features?: {
+    tradePermissionMode?: unknown;
+  } | null;
+}): TradePermissionMode;
+declare function canUseLocalTradeExecution(mode: TradePermissionMode, isAgent: boolean): boolean;
+/**
+ * Hardened wallet export rejection function.
+ *
+ * Wraps the upstream token validation with per-IP rate limiting (1 per 10 min),
+ * audit logging (IP + UA), and a 10s confirmation delay via single-use nonces.
+ */
+declare function resolveWalletExportRejection(req: http.IncomingMessage, body: WalletExportRequestBody): WalletExportRejection | null;
+//#endregion
+export { TradePermissionMode, canUseLocalTradeExecution, normalizeCompatRejection, resolveTradePermissionMode, resolveWalletExportRejection, runWithCompatAuthContext };

package/dist/lib/server-wallet-trade.mjs

@@ -0,0 +1,306 @@
+import crypto from "node:crypto";
+import { syncAppEnvToEliza, syncElizaEnvAliases } from "@elizaos/core";
+//#region src/lib/wallet-export-guard.ts
+/**
+* Hardened wallet private key export guard.
+*
+* Wraps the upstream resolveWalletExportRejection with:
+*   1. Per-IP rate limiting (1 successful export per 10 minutes)
+*   2. Audit logging with IP, User-Agent, and timestamp
+*   3. Forced confirmation delay (10s countdown)
+*
+* The upstream function validates the export token. This module adds
+* defence-in-depth so a compromised session cannot instantly extract
+* keys without leaving an audit trail and hitting rate limits.
+*
+* Exported from the `@elizaos/plugin-wallet` barrel for package consumers.
+*/
+const RATE_LIMIT_WINDOW_MS = 600 * 1e3;
+const RATE_LIMIT_SWEEP_INTERVAL_MS = 900 * 1e3;
+const rateLimitMap = /* @__PURE__ */ new Map();
+const sweepTimer = setInterval(() => {
+	const now = Date.now();
+	for (const [key, entry] of rateLimitMap) if (now - entry.lastExportAt > RATE_LIMIT_WINDOW_MS * 2) rateLimitMap.delete(key);
+}, RATE_LIMIT_SWEEP_INTERVAL_MS);
+if (typeof sweepTimer === "object" && "unref" in sweepTimer) sweepTimer.unref();
+/**
+* Get client IP from the socket directly. X-Forwarded-For is not trusted
+* because this is a local server — trusting XFF would let attackers spoof
+* IPs to bypass rate limits and nonce IP binding.
+*/
+function getClientIp(req) {
+	return req.socket?.remoteAddress ?? null;
+}
+function getUserAgent(req) {
+	return req.headers["user-agent"] ?? "unknown";
+}
+const auditLog = [];
+const MAX_AUDIT_ENTRIES = 100;
+function recordAudit(entry) {
+	auditLog.push(entry);
+	if (auditLog.length > MAX_AUDIT_ENTRIES) auditLog.shift();
+	const logLine = `[wallet-export-audit] ${entry.outcome} ip=${entry.ip} ua="${entry.userAgent}"${entry.reason ? ` reason="${entry.reason}"` : ""}`;
+	console.warn(logLine);
+}
+const EXPORT_DELAY_MS = 1e4;
+const MAX_PENDING_NONCES_PER_IP = 3;
+/**
+* Issue a time-limited export nonce.  The client must wait at least
+* EXPORT_DELAY_MS before submitting the actual export request with this nonce.
+*/
+const pendingExportNonces = /* @__PURE__ */ new Map();
+const NONCE_TTL_MS = 300 * 1e3;
+function issueExportNonce(ip) {
+	const now = Date.now();
+	for (const [key, value] of pendingExportNonces) if (now - value.issuedAt > NONCE_TTL_MS) pendingExportNonces.delete(key);
+	let countForIp = 0;
+	for (const entry of pendingExportNonces.values()) if (entry.ip === ip) countForIp++;
+	if (countForIp >= MAX_PENDING_NONCES_PER_IP) return null;
+	const nonce = `wxn_${crypto.randomBytes(16).toString("hex")}`;
+	pendingExportNonces.set(nonce, {
+		issuedAt: Date.now(),
+		ip
+	});
+	return nonce;
+}
+function validateExportNonce(nonce, ip) {
+	const entry = pendingExportNonces.get(nonce);
+	if (!entry) return {
+		valid: false,
+		reason: "Invalid or expired export nonce."
+	};
+	if (entry.ip !== ip) return {
+		valid: false,
+		reason: "Export nonce was issued to a different client."
+	};
+	const elapsed = Date.now() - entry.issuedAt;
+	if (elapsed < EXPORT_DELAY_MS) return {
+		valid: false,
+		reason: `Export confirmation delay not met. Wait ${Math.ceil((EXPORT_DELAY_MS - elapsed) / 1e3)} more seconds.`
+	};
+	pendingExportNonces.delete(nonce);
+	return { valid: true };
+}
+/**
+* Create a hardened wallet export rejection function that wraps the upstream
+* token validation with rate limiting, audit logging, and a forced delay.
+*
+* Two-phase export flow:
+*   1. POST /api/wallet/export  { confirm: true, exportToken: "...", requestNonce: true }
+*      → 403 with { nonce, delaySeconds } — client must wait
+*   2. POST /api/wallet/export  { confirm: true, exportToken: "...", exportNonce: "wxn_..." }
+*      → 200 with keys (if delay elapsed and rate limit not hit)
+*/
+function createHardenedExportGuard(upstream) {
+	return (req, body) => {
+		const ip = getClientIp(req);
+		const ua = getUserAgent(req);
+		if (!ip) {
+			recordAudit({
+				timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+				ip: "unknown",
+				userAgent: ua,
+				outcome: "rejected",
+				reason: "No client IP available on socket"
+			});
+			return {
+				status: 400,
+				reason: "Unable to determine client IP; request rejected."
+			};
+		}
+		const upstreamRejection = upstream(req, body);
+		if (upstreamRejection) {
+			recordAudit({
+				timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+				ip,
+				userAgent: ua,
+				outcome: "rejected",
+				reason: upstreamRejection.reason
+			});
+			return upstreamRejection;
+		}
+		if (body.requestNonce) {
+			const nonce = issueExportNonce(ip);
+			if (!nonce) {
+				recordAudit({
+					timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+					ip,
+					userAgent: ua,
+					outcome: "rejected",
+					reason: "Too many pending nonces for this IP"
+				});
+				return {
+					status: 429,
+					reason: `Too many pending export requests. Complete or wait for existing nonces to expire.`
+				};
+			}
+			recordAudit({
+				timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+				ip,
+				userAgent: ua,
+				outcome: "rejected",
+				reason: "Nonce issued, waiting for confirmation delay"
+			});
+			return {
+				status: 403,
+				reason: JSON.stringify({
+					countdown: true,
+					nonce,
+					delaySeconds: EXPORT_DELAY_MS / 1e3,
+					message: `Export nonce issued. Wait ${EXPORT_DELAY_MS / 1e3} seconds, then re-submit with exportNonce: "${nonce}".`
+				})
+			};
+		}
+		if (!body.exportNonce) {
+			recordAudit({
+				timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+				ip,
+				userAgent: ua,
+				outcome: "rejected",
+				reason: "Missing export nonce"
+			});
+			return {
+				status: 403,
+				reason: "Export requires a confirmation delay. First send { \"confirm\": true, \"exportToken\": \"...\", \"requestNonce\": true } to start the countdown."
+			};
+		}
+		const nonceResult = validateExportNonce(body.exportNonce, ip);
+		if (!nonceResult.valid) {
+			recordAudit({
+				timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+				ip,
+				userAgent: ua,
+				outcome: "rejected",
+				reason: nonceResult.reason
+			});
+			return {
+				status: 403,
+				reason: nonceResult.reason
+			};
+		}
+		const rateLimitEntry = rateLimitMap.get(ip);
+		if (rateLimitEntry) {
+			const elapsed = Date.now() - rateLimitEntry.lastExportAt;
+			if (elapsed < RATE_LIMIT_WINDOW_MS) {
+				const retryAfter = Math.ceil((RATE_LIMIT_WINDOW_MS - elapsed) / 1e3);
+				recordAudit({
+					timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+					ip,
+					userAgent: ua,
+					outcome: "rate-limited",
+					reason: `Rate limited, retry after ${retryAfter}s`
+				});
+				return {
+					status: 429,
+					reason: `Rate limit exceeded. One export per ${RATE_LIMIT_WINDOW_MS / 6e4} minutes. Retry after ${retryAfter} seconds.`
+				};
+			}
+		}
+		rateLimitMap.set(ip, { lastExportAt: Date.now() });
+		recordAudit({
+			timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+			ip,
+			userAgent: ua,
+			outcome: "allowed"
+		});
+		return null;
+	};
+}
+//#endregion
+//#region src/lib/server-wallet-trade.ts
+/**
+* Wallet / trade compat helpers — trade permission modes, local execution
+* guards, and wallet export rejection wrappers.
+*
+* Exported from the `@elizaos/plugin-wallet` barrel for package consumers.
+*/
+function normalizeCompatReason(reason) {
+	return reason;
+}
+function mirrorCompatHeaders(req) {
+	for (const [appHeader, elizaHeader] of [
+		["x-elizaos-token", "x-eliza-token"],
+		["x-elizaos-export-token", "x-eliza-export-token"],
+		["x-elizaos-client-id", "x-eliza-client-id"],
+		["x-elizaos-terminal-token", "x-eliza-terminal-token"],
+		["x-elizaos-ui-language", "x-eliza-ui-language"],
+		["x-elizaos-agent-action", "x-eliza-agent-action"]
+	]) {
+		const appValue = req.headers[appHeader];
+		const elizaValue = req.headers[elizaHeader];
+		if (appValue != null && elizaValue == null) req.headers[elizaHeader] = appValue;
+		if (elizaValue != null && appValue == null) req.headers[appHeader] = elizaValue;
+	}
+}
+function normalizeCompatRejection(rejection) {
+	if (!rejection) return rejection;
+	return {
+		...rejection,
+		reason: normalizeCompatReason(rejection.reason)
+	};
+}
+function runWithCompatAuthContext(req, operation) {
+	syncElizaEnvAliases();
+	syncAppEnvToEliza();
+	mirrorCompatHeaders(req);
+	try {
+		return operation();
+	} finally {
+		syncAppEnvToEliza();
+		syncElizaEnvAliases();
+	}
+}
+function tokenMatches(expected, provided) {
+	const a = Buffer.from(expected, "utf8");
+	const b = Buffer.from(provided, "utf8");
+	if (a.length !== b.length) return false;
+	return crypto.timingSafeEqual(a, b);
+}
+function resolveBaseWalletExportRejection(req, body) {
+	if (!body.confirm) return {
+		status: 403,
+		reason: "Export requires explicit confirmation. Send { \"confirm\": true } in the request body."
+	};
+	const expected = process.env.ELIZA_WALLET_EXPORT_TOKEN?.trim();
+	if (!expected) return {
+		status: 403,
+		reason: "Wallet export is disabled. Set ELIZA_WALLET_EXPORT_TOKEN to enable secure exports."
+	};
+	const headerToken = typeof req.headers["x-eliza-export-token"] === "string" ? req.headers["x-eliza-export-token"].trim() : "";
+	const bodyToken = typeof body.exportToken === "string" ? body.exportToken.trim() : "";
+	const provided = headerToken || bodyToken;
+	if (!provided) return {
+		status: 401,
+		reason: "Missing export token. Provide X-Eliza-Export-Token header or exportToken in request body."
+	};
+	if (!tokenMatches(expected, provided)) return {
+		status: 401,
+		reason: "Invalid export token."
+	};
+	return null;
+}
+function resolveCompatWalletExportRejection(req, body) {
+	return runWithCompatAuthContext(req, () => normalizeCompatRejection(resolveBaseWalletExportRejection(req, body)));
+}
+const hardenedGuard = createHardenedExportGuard(resolveCompatWalletExportRejection);
+function resolveTradePermissionMode(config) {
+	const raw = config.features?.tradePermissionMode;
+	if (raw === "user-sign-only" || raw === "manual-local-key" || raw === "agent-auto") return raw;
+	return "user-sign-only";
+}
+function canUseLocalTradeExecution(mode, isAgent) {
+	if (mode === "agent-auto") return true;
+	if (mode === "manual-local-key") return !isAgent;
+	return false;
+}
+/**
+* Hardened wallet export rejection function.
+*
+* Wraps the upstream token validation with per-IP rate limiting (1 per 10 min),
+* audit logging (IP + UA), and a 10s confirmation delay via single-use nonces.
+*/
+function resolveWalletExportRejection(req, body) {
+	return runWithCompatAuthContext(req, () => normalizeCompatRejection(hardenedGuard(req, body)));
+}
+//#endregion
+export { canUseLocalTradeExecution, normalizeCompatRejection, resolveTradePermissionMode, resolveWalletExportRejection, runWithCompatAuthContext };