@fiber-pay/sdk 0.1.0-rc.1

package/dist/index.js

@@ -0,0 +1,1336 @@
+import {
+  ChannelState,
+  FiberRpcClient,
+  FiberRpcError,
+  buildMultiaddr,
+  buildMultiaddrFromNodeId,
+  buildMultiaddrFromRpcUrl,
+  ckbToShannons,
+  fromHex,
+  nodeIdToPeerId,
+  randomBytes32,
+  scriptToAddress,
+  shannonsToCkb,
+  toHex
+} from "./chunk-QQDMPGVR.js";
+
+// src/funds/liquidity-analyzer.ts
+var LiquidityAnalyzer = class {
+  constructor(rpc) {
+    this.rpc = rpc;
+  }
+  /**
+   * Comprehensive liquidity analysis
+   */
+  async analyzeLiquidity() {
+    const timestamp = Date.now();
+    const channels = await this.rpc.listChannels({});
+    const channelMetrics = channels.channels.map(
+      (ch) => this.analyzeChannelHealth(ch)
+    );
+    const totalCkb = channelMetrics.reduce(
+      (sum, ch) => sum + ch.localBalanceCkb + ch.remoteBalanceCkb,
+      0
+    );
+    const availableToSendCkb = channelMetrics.reduce((sum, ch) => sum + ch.availableToSendCkb, 0);
+    const availableToReceiveCkb = channelMetrics.reduce(
+      (sum, ch) => sum + ch.availableToReceiveCkb,
+      0
+    );
+    const gaps = this.identifyLiquidityGaps(channelMetrics, availableToSendCkb);
+    const rebalances = this.generateRebalanceRecommendations(channelMetrics);
+    const fundingNeeds = this.estimateFundingNeeds(channelMetrics, gaps);
+    const runway = this.estimateRunway(availableToSendCkb, channelMetrics);
+    const summary = this.generateSummary(channelMetrics, gaps, fundingNeeds, runway);
+    return {
+      timestamp,
+      balance: {
+        totalCkb,
+        availableToSendCkb,
+        availableToReceiveCkb,
+        lockedInChannelsCkb: totalCkb - availableToSendCkb - availableToReceiveCkb
+      },
+      channels: {
+        count: channels.channels.length,
+        health: channelMetrics,
+        averageHealthScore: channelMetrics.length > 0 ? channelMetrics.reduce((sum, ch) => sum + ch.healthScore, 0) / channelMetrics.length : 0,
+        balancedCount: channelMetrics.filter((ch) => ch.isBalanced).length,
+        imbalancedCount: channelMetrics.filter((ch) => !ch.isBalanced).length
+      },
+      liquidity: {
+        gaps,
+        hasCriticalGaps: gaps.some((g) => g.severity === "high"),
+        runway
+      },
+      recommendations: {
+        rebalances,
+        funding: fundingNeeds
+      },
+      summary
+    };
+  }
+  /**
+   * Analyze individual channel health
+   */
+  analyzeChannelHealth(channel) {
+    const localBalance = shannonsToCkb(channel.local_balance);
+    const remoteBalance = shannonsToCkb(channel.remote_balance);
+    const totalCapacity = localBalance + remoteBalance;
+    const pendingLocal = shannonsToCkb(channel.offered_tlc_balance);
+    const pendingRemote = shannonsToCkb(channel.received_tlc_balance);
+    const availableToSend = Math.max(0, localBalance - pendingLocal);
+    const availableToReceive = Math.max(0, remoteBalance - pendingRemote);
+    const utilizationPercent = totalCapacity > 0 ? (pendingLocal + pendingRemote) / totalCapacity * 100 : 0;
+    const balanceRatioPercent = totalCapacity > 0 ? localBalance / totalCapacity * 100 : 50;
+    const isBalanced = balanceRatioPercent >= 40 && balanceRatioPercent <= 60;
+    let healthScore = 100;
+    if (utilizationPercent > 80) healthScore -= 20;
+    else if (utilizationPercent > 50) healthScore -= 10;
+    const imbalance = Math.abs(50 - balanceRatioPercent);
+    healthScore -= imbalance / 50 * 20;
+    if (isBalanced && utilizationPercent < 50) healthScore += 10;
+    healthScore = Math.max(0, Math.min(100, healthScore));
+    return {
+      channelId: channel.channel_id,
+      peerId: channel.peer_id,
+      localBalanceCkb: localBalance,
+      remoteBalanceCkb: remoteBalance,
+      totalCapacityCkb: totalCapacity,
+      utilizationPercent,
+      balanceRatioPercent,
+      isBalanced,
+      pendingLocalCkb: pendingLocal,
+      pendingRemoteCkb: pendingRemote,
+      availableToSendCkb: availableToSend,
+      availableToReceiveCkb: availableToReceive,
+      healthScore,
+      state: channel.state.state_name
+    };
+  }
+  /**
+   * Identify liquidity shortfalls and gaps
+   */
+  identifyLiquidityGaps(metrics, _totalSendable) {
+    const gaps = [];
+    const sendCapableCount = metrics.filter((ch) => ch.availableToSendCkb > 0).length;
+    if (sendCapableCount === 0 && metrics.length > 0) {
+      gaps.push({
+        amount: 100,
+        // Arbitrary amount - need to rebalance
+        reason: "No channels currently capable of sending. All liquidity on remote side.",
+        severity: "high",
+        affectedChannels: metrics.map((ch) => ch.channelId)
+      });
+    }
+    const allLocalHeavy = metrics.every((ch) => ch.balanceRatioPercent > 70);
+    const allRemoteHeavy = metrics.every((ch) => ch.balanceRatioPercent < 30);
+    if (allLocalHeavy) {
+      gaps.push({
+        amount: 0,
+        // Rebalance doesn't require funding
+        reason: "All channels are local-heavy. Cannot receive payments. Need inbound liquidity.",
+        severity: "high",
+        affectedChannels: metrics.map((ch) => ch.channelId)
+      });
+    }
+    if (allRemoteHeavy) {
+      gaps.push({
+        amount: 0,
+        // Need to open new channels or rebalance
+        reason: "All channels are remote-heavy. Cannot send without rebalancing or new channels.",
+        severity: "high",
+        affectedChannels: metrics.map((ch) => ch.channelId)
+      });
+    }
+    const allHighUtilization = metrics.every((ch) => ch.utilizationPercent > 70);
+    if (allHighUtilization) {
+      gaps.push({
+        amount: 0,
+        reason: "High utilization in all channels. Many pending payments. Risk of payment failures.",
+        severity: "medium",
+        affectedChannels: metrics.map((ch) => ch.channelId)
+      });
+    }
+    return gaps;
+  }
+  /**
+   * Generate rebalance recommendations between channels
+   */
+  generateRebalanceRecommendations(metrics) {
+    const recommendations = [];
+    const localHeavy = metrics.filter((ch) => ch.balanceRatioPercent > 65);
+    const remoteHeavy = metrics.filter((ch) => ch.balanceRatioPercent < 35);
+    localHeavy.sort((a, b) => b.balanceRatioPercent - a.balanceRatioPercent);
+    remoteHeavy.sort((a, b) => a.balanceRatioPercent - b.balanceRatioPercent);
+    for (let i = 0; i < Math.min(localHeavy.length, remoteHeavy.length); i++) {
+      const source = localHeavy[i];
+      const dest = remoteHeavy[i];
+      const sourceExcess = source.localBalanceCkb - source.totalCapacityCkb * 0.5;
+      const destDeficit = dest.totalCapacityCkb * 0.5 - dest.localBalanceCkb;
+      const amountToMove = Math.min(sourceExcess, destDeficit) * 0.8;
+      if (amountToMove > 0.1) {
+        recommendations.push({
+          from: source.channelId,
+          to: dest.channelId,
+          amountCkb: amountToMove,
+          reason: `Rebalance liquidity: source is ${source.balanceRatioPercent.toFixed(0)}% local, destination is ${dest.balanceRatioPercent.toFixed(0)}% local`,
+          benefit: `Improves payment success rate by balancing channel liquidity`,
+          estimatedRoutingFeeCkb: amountToMove * 1e-3,
+          // 0.1% estimated fee
+          priority: Math.round(
+            (Math.abs(50 - source.balanceRatioPercent) + Math.abs(50 - dest.balanceRatioPercent)) / 20
+          )
+          // 1-10
+        });
+      }
+    }
+    return recommendations.sort((a, b) => b.priority - a.priority);
+  }
+  /**
+   * Estimate funding needs for future operations
+   */
+  estimateFundingNeeds(metrics, gaps) {
+    const needs = [];
+    const criticalGaps = gaps.filter((g) => g.severity === "high");
+    if (criticalGaps.length > 0) {
+      const bestChannel = [...metrics].filter((ch) => ch.state === "CHANNEL_READY" /* ChannelReady */).sort((a, b) => {
+        const scoreA = a.healthScore + a.totalCapacityCkb / 1e3;
+        const scoreB = b.healthScore + b.totalCapacityCkb / 1e3;
+        return scoreB - scoreA;
+      })[0];
+      const fundingAmount = Math.ceil(bestChannel?.totalCapacityCkb || 100);
+      needs.push({
+        amount: fundingAmount,
+        reason: "Critical liquidity gaps detected in current channels",
+        optimalChannelPeerId: bestChannel?.peerId,
+        urgency: "high"
+      });
+    }
+    const avgCapacity = metrics.length > 0 ? metrics.reduce((sum, ch) => sum + ch.totalCapacityCkb, 0) / metrics.length : 0;
+    if (avgCapacity < 100) {
+      needs.push({
+        amount: 500,
+        // Reasonable growth target
+        reason: "Average channel capacity is small. Consider larger channels for reliability.",
+        urgency: "low"
+      });
+    }
+    return needs;
+  }
+  /**
+   * Estimate runway (days until liquidity depleted at current spending rate)
+   */
+  estimateRunway(availableToSend, _metrics) {
+    const estimatedDailySpend = 0.1;
+    if (availableToSend > 0 && estimatedDailySpend > 0) {
+      const days = availableToSend / estimatedDailySpend;
+      return {
+        daysAtCurrentRate: Math.floor(days),
+        estimatedDailySpendCkb: estimatedDailySpend
+      };
+    }
+    return {};
+  }
+  /**
+   * Generate human-readable summary
+   */
+  generateSummary(metrics, gaps, fundingNeeds, runway) {
+    const parts = [];
+    if (metrics.length === 0) {
+      return "No channels available. Open a channel to start making payments.";
+    }
+    parts.push(
+      `Channel Health: ${metrics.filter((ch) => ch.healthScore >= 70).length}/${metrics.length} channels healthy`
+    );
+    const avgScore = metrics.reduce((sum, ch) => sum + ch.healthScore, 0) / metrics.length;
+    if (avgScore >= 80) {
+      parts.push("Overall liquidity is good \u2713");
+    } else if (avgScore >= 60) {
+      parts.push("Overall liquidity is fair. Some rebalancing recommended.");
+    } else {
+      parts.push("Overall liquidity is poor. Rebalancing needed urgently.");
+    }
+    if (gaps.length > 0) {
+      parts.push(`${gaps.length} liquidity gap(s) detected.`);
+    }
+    if (fundingNeeds.length > 0) {
+      parts.push(
+        `Need to fund ${fundingNeeds.map((n) => n.amount).join(", ")} CKB to resolve issues.`
+      );
+    }
+    if (runway.daysAtCurrentRate) {
+      parts.push(`Estimated runway: ${runway.daysAtCurrentRate} days at current spending rate.`);
+    }
+    return parts.join(" ");
+  }
+  /**
+   * Get missing liquidity for a specific amount
+   */
+  async getMissingLiquidityForAmount(targetCkb) {
+    const report = await this.analyzeLiquidity();
+    const shortfallCkb = Math.max(0, targetCkb - report.balance.availableToSendCkb);
+    const canSend = shortfallCkb === 0;
+    let recommendation = "";
+    if (canSend) {
+      recommendation = `You have enough liquidity to send ${targetCkb} CKB.`;
+    } else {
+      recommendation = `You need ${shortfallCkb.toFixed(4)} more CKB in send capacity. Consider rebalancing or opening larger channels.`;
+    }
+    return { canSend, shortfallCkb, recommendation };
+  }
+};
+
+// src/proxy/cors-proxy.ts
+import http from "http";
+var CorsProxy = class {
+  server = null;
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Start the CORS proxy server
+   */
+  start() {
+    return new Promise((resolve, reject) => {
+      const targetUrl = new URL(this.config.targetUrl);
+      this.server = http.createServer(async (req, res) => {
+        const origin = req.headers.origin || "*";
+        const allowedOrigin = this.getAllowedOrigin(origin);
+        res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
+        res.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
+        res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+        res.setHeader("Access-Control-Max-Age", "86400");
+        if (req.method === "OPTIONS") {
+          res.writeHead(204);
+          res.end();
+          return;
+        }
+        if (req.method !== "POST") {
+          res.writeHead(405, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Method not allowed" }));
+          return;
+        }
+        const chunks = [];
+        req.on("data", (chunk) => chunks.push(chunk));
+        req.on("end", () => {
+          const body = Buffer.concat(chunks);
+          const proxyReq = http.request(
+            {
+              hostname: targetUrl.hostname,
+              port: targetUrl.port || 80,
+              path: targetUrl.pathname,
+              method: "POST",
+              headers: {
+                "Content-Type": "application/json",
+                "Content-Length": body.length,
+                ...req.headers.authorization && { Authorization: req.headers.authorization }
+              }
+            },
+            (proxyRes) => {
+              const headers = {
+                ...proxyRes.headers,
+                "Access-Control-Allow-Origin": allowedOrigin
+              };
+              res.writeHead(proxyRes.statusCode || 500, headers);
+              proxyRes.pipe(res);
+            }
+          );
+          proxyReq.on("error", (err) => {
+            res.writeHead(502, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: `Proxy error: ${err.message}` }));
+          });
+          proxyReq.write(body);
+          proxyReq.end();
+        });
+        req.on("error", (err) => {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: `Request error: ${err.message}` }));
+        });
+      });
+      this.server.on("error", (err) => {
+        reject(err);
+      });
+      this.server.listen(this.config.port, () => {
+        resolve();
+      });
+    });
+  }
+  /**
+   * Stop the CORS proxy server
+   */
+  stop() {
+    return new Promise((resolve) => {
+      if (this.server) {
+        this.server.close(() => {
+          this.server = null;
+          resolve();
+        });
+      } else {
+        resolve();
+      }
+    });
+  }
+  /**
+   * Get the allowed origin based on config
+   */
+  getAllowedOrigin(requestOrigin) {
+    const allowed = this.config.allowedOrigins;
+    if (!allowed || allowed === "*") {
+      return "*";
+    }
+    if (Array.isArray(allowed)) {
+      return allowed.includes(requestOrigin) ? requestOrigin : allowed[0];
+    }
+    return allowed;
+  }
+  /**
+   * Get the proxy URL
+   */
+  getUrl() {
+    return `http://127.0.0.1:${this.config.port}`;
+  }
+};
+
+// src/security/key-manager.ts
+import { createDecipheriv, createHash, randomBytes, scryptSync } from "crypto";
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname, join } from "path";
+var SCRYPT_N = 2 ** 14;
+var SCRYPT_R = 8;
+var SCRYPT_P = 1;
+var KEY_LENGTH = 32;
+var SALT_LENGTH = 32;
+var IV_LENGTH = 16;
+var AUTH_TAG_LENGTH = 16;
+var ENCRYPTED_MAGIC = Buffer.from("FIBERENC");
+var KeyManager = class {
+  config;
+  fiberKeyPath;
+  ckbKeyPath;
+  constructor(config) {
+    this.config = config;
+    this.fiberKeyPath = join(config.baseDir, "fiber", "sk");
+    this.ckbKeyPath = join(config.baseDir, "ckb", "key");
+  }
+  /**
+   * Initialize keys - generate if they don't exist and autoGenerate is true
+   */
+  async initialize() {
+    const fiberExists = existsSync(this.fiberKeyPath);
+    const ckbExists = existsSync(this.ckbKeyPath);
+    if (!fiberExists || !ckbExists) {
+      if (!this.config.autoGenerate) {
+        throw new Error(
+          `Keys not found and autoGenerate is disabled. Missing: ${[!fiberExists && "fiber", !ckbExists && "ckb"].filter(Boolean).join(", ")}`
+        );
+      }
+    }
+    if (!fiberExists) {
+      await this.generateKey("fiber");
+    }
+    if (!ckbExists) {
+      await this.generateKey("ckb");
+    }
+    return {
+      fiber: await this.getKeyInfo("fiber"),
+      ckb: await this.getKeyInfo("ckb")
+    };
+  }
+  /**
+   * Generate a new key
+   */
+  async generateKey(type) {
+    const keyPath = type === "fiber" ? this.fiberKeyPath : this.ckbKeyPath;
+    const keyDir = dirname(keyPath);
+    if (!existsSync(keyDir)) {
+      mkdirSync(keyDir, { recursive: true });
+    }
+    const privateKey = randomBytes(32);
+    let keyData;
+    if (type === "fiber") {
+      keyData = privateKey;
+    } else {
+      keyData = privateKey.toString("hex");
+    }
+    writeFileSync(keyPath, keyData);
+    chmodSync(keyPath, 384);
+    return this.getKeyInfo(type);
+  }
+  /**
+   * Get information about a key (without exposing the private key)
+   */
+  async getKeyInfo(type) {
+    const keyPath = type === "fiber" ? this.fiberKeyPath : this.ckbKeyPath;
+    if (!existsSync(keyPath)) {
+      throw new Error(`Key not found: ${keyPath}`);
+    }
+    const keyData = readFileSync(keyPath);
+    const encrypted = this.isEncrypted(keyData);
+    const privateKey = await this.loadPrivateKey(type);
+    const publicKey = this.derivePublicKey(privateKey);
+    return {
+      publicKey,
+      encrypted,
+      path: keyPath,
+      createdAt: Date.now()
+      // TODO: get actual file creation time
+    };
+  }
+  /**
+   * Load and decrypt a private key (for internal use only)
+   * This should NEVER be exposed to the LLM context
+   */
+  async loadPrivateKey(type) {
+    const keyPath = type === "fiber" ? this.fiberKeyPath : this.ckbKeyPath;
+    const keyData = readFileSync(keyPath);
+    if (this.isEncrypted(keyData)) {
+      if (!this.config.encryptionPassword) {
+        throw new Error("Key is encrypted but no password provided");
+      }
+      return this.decryptKey(keyData, this.config.encryptionPassword);
+    }
+    if (type === "fiber") {
+      return keyData;
+    } else {
+      const hexString = keyData.toString("utf-8").trim();
+      return Buffer.from(hexString, "hex");
+    }
+  }
+  /**
+   * Export keys for use with the Fiber node process
+   * Returns the password to use for FIBER_SECRET_KEY_PASSWORD env var
+   */
+  getNodeKeyConfig() {
+    return {
+      password: this.config.encryptionPassword
+    };
+  }
+  /**
+   * Check if key data is encrypted
+   */
+  isEncrypted(data) {
+    return data.length >= ENCRYPTED_MAGIC.length && data.subarray(0, ENCRYPTED_MAGIC.length).equals(ENCRYPTED_MAGIC);
+  }
+  /**
+   * Decrypt a key
+   */
+  decryptKey(data, password) {
+    let offset = ENCRYPTED_MAGIC.length;
+    const salt = data.subarray(offset, offset + SALT_LENGTH);
+    offset += SALT_LENGTH;
+    const iv = data.subarray(offset, offset + IV_LENGTH);
+    offset += IV_LENGTH;
+    const authTag = data.subarray(offset, offset + AUTH_TAG_LENGTH);
+    offset += AUTH_TAG_LENGTH;
+    const encrypted = data.subarray(offset);
+    const derivedKey = scryptSync(password, salt, KEY_LENGTH, {
+      N: SCRYPT_N,
+      r: SCRYPT_R,
+      p: SCRYPT_P
+    });
+    const decipher = createDecipheriv("aes-256-gcm", derivedKey, iv);
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([decipher.update(encrypted), decipher.final()]);
+  }
+  /**
+   * Derive public key from private key (secp256k1)
+   * This is a simplified version - in production, use a proper secp256k1 library
+   */
+  derivePublicKey(privateKey) {
+    const hash = createHash("sha256").update(privateKey).digest();
+    return `0x${hash.toString("hex")}`;
+  }
+};
+function createKeyManager(baseDir, options) {
+  const password = process.env.FIBER_KEY_PASSWORD || options?.encryptionPassword;
+  return new KeyManager({
+    baseDir,
+    encryptionPassword: password,
+    autoGenerate: options?.autoGenerate ?? true
+  });
+}
+
+// src/security/policy-engine.ts
+var PolicyEngine = class {
+  policy;
+  auditLog = [];
+  spendingState;
+  rateLimitState;
+  constructor(policy) {
+    this.policy = policy;
+    this.spendingState = {
+      ...policy.spending ?? {
+        maxPerTransaction: "0x0",
+        maxPerWindow: "0x0",
+        windowSeconds: 3600
+      },
+      currentSpent: "0x0",
+      windowStart: Date.now()
+    };
+    this.rateLimitState = {
+      ...policy.rateLimit ?? {
+        maxTransactions: 0,
+        windowSeconds: 3600,
+        cooldownSeconds: 0
+      },
+      currentCount: 0,
+      windowStart: Date.now(),
+      lastTransaction: 0
+    };
+  }
+  /**
+   * Check if a payment is allowed by the policy
+   */
+  checkPayment(params) {
+    const violations = [];
+    let requiresConfirmation = false;
+    if (!this.policy.enabled) {
+      return { allowed: true, violations: [], requiresConfirmation: false };
+    }
+    const amount = fromHex(params.amount);
+    if (this.policy.spending) {
+      const maxPerTx = fromHex(this.policy.spending.maxPerTransaction);
+      if (amount > maxPerTx) {
+        violations.push({
+          type: "SPENDING_LIMIT_PER_TX",
+          message: `Amount ${amount} exceeds per-transaction limit of ${maxPerTx}`,
+          details: {
+            requested: params.amount,
+            limit: this.policy.spending.maxPerTransaction
+          }
+        });
+      }
+      this.refreshSpendingWindow();
+      const currentSpent = fromHex(this.spendingState.currentSpent);
+      const maxPerWindow = fromHex(this.policy.spending.maxPerWindow);
+      if (currentSpent + amount > maxPerWindow) {
+        const remaining = maxPerWindow - currentSpent;
+        violations.push({
+          type: "SPENDING_LIMIT_PER_WINDOW",
+          message: `Amount ${amount} would exceed window limit. Remaining: ${remaining}`,
+          details: {
+            requested: params.amount,
+            limit: this.policy.spending.maxPerWindow,
+            remaining: toHex(remaining > 0n ? remaining : 0n)
+          }
+        });
+      }
+    }
+    if (this.policy.rateLimit) {
+      this.refreshRateLimitWindow();
+      if ((this.rateLimitState.currentCount ?? 0) >= this.policy.rateLimit.maxTransactions) {
+        violations.push({
+          type: "RATE_LIMIT_EXCEEDED",
+          message: `Rate limit of ${this.policy.rateLimit.maxTransactions} transactions per ${this.policy.rateLimit.windowSeconds}s exceeded`,
+          details: {}
+        });
+      }
+      const now = Date.now();
+      const cooldownMs = this.policy.rateLimit.cooldownSeconds * 1e3;
+      const timeSinceLast = now - (this.rateLimitState.lastTransaction || 0);
+      if (timeSinceLast < cooldownMs) {
+        violations.push({
+          type: "RATE_LIMIT_COOLDOWN",
+          message: `Cooldown period not elapsed. Wait ${Math.ceil((cooldownMs - timeSinceLast) / 1e3)}s`,
+          details: {
+            cooldownRemaining: Math.ceil((cooldownMs - timeSinceLast) / 1e3)
+          }
+        });
+      }
+    }
+    if (this.policy.recipients && params.recipient) {
+      if (this.policy.recipients.blocklist?.includes(params.recipient)) {
+        violations.push({
+          type: "RECIPIENT_BLOCKED",
+          message: `Recipient ${params.recipient} is blocklisted`,
+          details: { recipient: params.recipient }
+        });
+      }
+      if (this.policy.recipients.allowlist && this.policy.recipients.allowlist.length > 0 && !this.policy.recipients.allowlist.includes(params.recipient) && !this.policy.recipients.allowUnknown) {
+        violations.push({
+          type: "RECIPIENT_NOT_ALLOWED",
+          message: `Recipient ${params.recipient} is not in allowlist`,
+          details: { recipient: params.recipient }
+        });
+      }
+    }
+    if (this.policy.confirmationThreshold) {
+      const threshold = fromHex(this.policy.confirmationThreshold);
+      if (amount > threshold) {
+        requiresConfirmation = true;
+        violations.push({
+          type: "REQUIRES_CONFIRMATION",
+          message: `Amount ${amount} exceeds confirmation threshold of ${threshold}`,
+          details: {
+            requested: params.amount,
+            limit: this.policy.confirmationThreshold
+          }
+        });
+      }
+    }
+    return {
+      allowed: violations.filter((v) => v.type !== "REQUIRES_CONFIRMATION").length === 0,
+      violations,
+      requiresConfirmation
+    };
+  }
+  /**
+   * Check if a channel operation is allowed
+   */
+  checkChannelOperation(params) {
+    const violations = [];
+    if (!this.policy.enabled || !this.policy.channels) {
+      return { allowed: true, violations: [], requiresConfirmation: false };
+    }
+    const { channels } = this.policy;
+    if (params.operation === "open") {
+      if (!channels.allowOpen) {
+        violations.push({
+          type: "CHANNEL_OPEN_NOT_ALLOWED",
+          message: "Channel opening is not allowed by policy",
+          details: {}
+        });
+      }
+      if (params.fundingAmount && channels.maxFundingAmount) {
+        const funding = fromHex(params.fundingAmount);
+        const max = fromHex(channels.maxFundingAmount);
+        if (funding > max) {
+          violations.push({
+            type: "CHANNEL_FUNDING_EXCEEDS_MAX",
+            message: `Funding amount ${funding} exceeds maximum ${max}`,
+            details: {
+              requested: params.fundingAmount,
+              limit: channels.maxFundingAmount
+            }
+          });
+        }
+      }
+      if (params.fundingAmount && channels.minFundingAmount) {
+        const funding = fromHex(params.fundingAmount);
+        const min = fromHex(channels.minFundingAmount);
+        if (funding < min) {
+          violations.push({
+            type: "CHANNEL_FUNDING_BELOW_MIN",
+            message: `Funding amount ${funding} below minimum ${min}`,
+            details: {
+              requested: params.fundingAmount,
+              limit: channels.minFundingAmount
+            }
+          });
+        }
+      }
+      if (channels.maxChannels && params.currentChannelCount !== void 0 && params.currentChannelCount >= channels.maxChannels) {
+        violations.push({
+          type: "MAX_CHANNELS_REACHED",
+          message: `Maximum channel count of ${channels.maxChannels} reached`,
+          details: {}
+        });
+      }
+    }
+    if (params.operation === "close" && !channels.allowClose) {
+      violations.push({
+        type: "CHANNEL_CLOSE_NOT_ALLOWED",
+        message: "Channel closing is not allowed by policy",
+        details: {}
+      });
+    }
+    if (params.operation === "force_close" && !channels.allowForceClose) {
+      violations.push({
+        type: "CHANNEL_FORCE_CLOSE_NOT_ALLOWED",
+        message: "Force channel closing is not allowed by policy",
+        details: {}
+      });
+    }
+    return {
+      allowed: violations.length === 0,
+      violations,
+      requiresConfirmation: false
+    };
+  }
+  /**
+   * Record a successful payment (updates spending and rate limit state)
+   */
+  recordPayment(amount) {
+    this.refreshSpendingWindow();
+    this.refreshRateLimitWindow();
+    const currentSpent = fromHex(this.spendingState.currentSpent);
+    const paymentAmount = fromHex(amount);
+    this.spendingState.currentSpent = toHex(currentSpent + paymentAmount);
+    this.rateLimitState.currentCount = (this.rateLimitState.currentCount ?? 0) + 1;
+    this.rateLimitState.lastTransaction = Date.now();
+  }
+  /**
+   * Add an entry to the audit log
+   */
+  addAuditEntry(action, success, details, violations) {
+    if (!this.policy.auditLogging) return;
+    this.auditLog.push({
+      timestamp: Date.now(),
+      action,
+      success,
+      details,
+      policyViolations: violations
+    });
+    if (this.auditLog.length > 1e3) {
+      this.auditLog = this.auditLog.slice(-1e3);
+    }
+  }
+  /**
+   * Get the audit log
+   */
+  getAuditLog(options) {
+    let log = this.auditLog;
+    const since = options?.since;
+    if (since !== void 0) {
+      log = log.filter((entry) => entry.timestamp >= since);
+    }
+    if (options?.limit) {
+      log = log.slice(-options.limit);
+    }
+    return log;
+  }
+  /**
+   * Get remaining spending allowance
+   */
+  getRemainingAllowance() {
+    this.refreshSpendingWindow();
+    const maxPerTx = this.policy.spending ? fromHex(this.policy.spending.maxPerTransaction) : BigInt(Number.MAX_SAFE_INTEGER);
+    const maxPerWindow = this.policy.spending ? fromHex(this.policy.spending.maxPerWindow) : BigInt(Number.MAX_SAFE_INTEGER);
+    const currentSpent = fromHex(this.spendingState.currentSpent);
+    const remainingWindow = maxPerWindow - currentSpent;
+    return {
+      perTransaction: maxPerTx,
+      perWindow: remainingWindow > 0n ? remainingWindow : 0n
+    };
+  }
+  /**
+   * Update the policy
+   */
+  updatePolicy(newPolicy) {
+    this.policy = { ...this.policy, ...newPolicy };
+    this.addAuditEntry("POLICY_UPDATED", true, { newPolicy });
+  }
+  /**
+   * Get the current policy
+   */
+  getPolicy() {
+    return { ...this.policy };
+  }
+  // ===========================================================================
+  // Private Methods
+  // ===========================================================================
+  refreshSpendingWindow() {
+    if (!this.policy.spending) return;
+    const now = Date.now();
+    const windowMs = this.policy.spending.windowSeconds * 1e3;
+    const windowStart = this.spendingState.windowStart || now;
+    if (now - windowStart >= windowMs) {
+      this.spendingState.currentSpent = "0x0";
+      this.spendingState.windowStart = now;
+    }
+  }
+  refreshRateLimitWindow() {
+    if (!this.policy.rateLimit) return;
+    const now = Date.now();
+    const windowMs = this.policy.rateLimit.windowSeconds * 1e3;
+    const windowStart = this.rateLimitState.windowStart || now;
+    if (now - windowStart >= windowMs) {
+      this.rateLimitState.currentCount = 0;
+      this.rateLimitState.windowStart = now;
+    }
+  }
+};
+
+// src/verification/invoice-verifier.ts
+var InvoiceVerifier = class {
+  constructor(rpc) {
+    this.rpc = rpc;
+  }
+  /**
+   * Fully validate an invoice before payment
+   */
+  async verifyInvoice(invoiceString) {
+    const issues = [];
+    const checks = {
+      validFormat: false,
+      notExpired: false,
+      validAmount: false,
+      peerConnected: false
+    };
+    const formatCheck = this.validateInvoiceFormat(invoiceString);
+    checks.validFormat = formatCheck.valid;
+    if (!formatCheck.valid) {
+      issues.push({
+        type: "critical",
+        code: "INVALID_INVOICE_FORMAT",
+        message: formatCheck.error || "Invoice format is invalid"
+      });
+    }
+    let invoice = null;
+    if (checks.validFormat) {
+      try {
+        const result = await this.rpc.parseInvoice({ invoice: invoiceString });
+        invoice = result.invoice;
+      } catch (error) {
+        issues.push({
+          type: "critical",
+          code: "PARSE_INVOICE_FAILED",
+          message: `Failed to parse invoice: ${error instanceof Error ? error.message : "Unknown error"}`
+        });
+      }
+    }
+    const details = {
+      paymentHash: invoice?.data.payment_hash || "unknown",
+      amountCkb: invoice?.amount ? shannonsToCkb(invoice.amount) : 0,
+      expiresAt: this.getExpiryTimestamp(invoice),
+      description: this.getDescription(invoice),
+      isExpired: invoice ? this.isInvoiceExpired(invoice) : true
+    };
+    if (invoice) {
+      if (!details.isExpired) {
+        checks.notExpired = true;
+      } else {
+        issues.push({
+          type: "critical",
+          code: "INVOICE_EXPIRED",
+          message: `Invoice expired at ${new Date(details.expiresAt).toISOString()}`
+        });
+      }
+    }
+    if (invoice?.amount) {
+      const validAmount = this.validateAmount(invoice.amount);
+      checks.validAmount = validAmount.valid;
+      if (!validAmount.valid) {
+        issues.push({
+          type: "critical",
+          code: validAmount.code || "INVALID_AMOUNT",
+          message: validAmount.message || "Amount validation failed"
+        });
+      }
+    }
+    const payeePublicKey = this.extractNodeIdFromInvoice(invoice);
+    try {
+      const peers = await this.rpc.listPeers();
+      if (payeePublicKey) {
+        if (peers.peers && peers.peers.length > 0) {
+          checks.peerConnected = true;
+        } else {
+          issues.push({
+            type: "warning",
+            code: "NO_PEERS_CONNECTED",
+            message: `No peers connected. Cannot route payment to payee ${payeePublicKey.slice(0, 16)}...`
+          });
+        }
+      } else {
+        if (peers.peers && peers.peers.length > 0) {
+          checks.peerConnected = true;
+        } else {
+          issues.push({
+            type: "warning",
+            code: "NO_PEERS_CONNECTED",
+            message: "No peers currently connected. Payment may fail."
+          });
+        }
+      }
+    } catch {
+      issues.push({
+        type: "warning",
+        code: "PEER_CHECK_FAILED",
+        message: "Could not verify peer connectivity"
+      });
+    }
+    const criticalIssues = issues.filter((i) => i.type === "critical");
+    const valid = criticalIssues.length === 0;
+    let recommendation;
+    let reason;
+    if (!valid) {
+      recommendation = "reject";
+      reason = `Invoice has ${criticalIssues.length} critical issue(s): ${criticalIssues.map((i) => i.code).join(", ")}`;
+    } else if (issues.length > 0) {
+      recommendation = "warn";
+      reason = `Invoice is valid but has warnings: ${issues.map((i) => i.code).join(", ")}`;
+    } else {
+      recommendation = "proceed";
+      reason = "Invoice is valid and safe to pay";
+    }
+    return {
+      valid,
+      details,
+      peer: {
+        nodeId: payeePublicKey,
+        // Use the already-extracted payee public key
+        isConnected: checks.peerConnected || issues.filter((i) => i.code === "NO_PEERS_CONNECTED").length === 0,
+        trustScore: this.calculateTrustScore(checks, issues)
+      },
+      checks: {
+        ...checks
+      },
+      issues,
+      recommendation,
+      reason
+    };
+  }
+  /**
+   * Quick format validation (regex-based, before RPC call)
+   */
+  validateInvoiceFormat(invoice) {
+    const invoiceRegex = /^fib[tb]{1}[a-z0-9]{50,}$/i;
+    if (!invoiceRegex.test(invoice)) {
+      return {
+        valid: false,
+        error: "Invoice must be bech32-encoded (fibt... for testnet or fibb... for mainnet)"
+      };
+    }
+    return { valid: true };
+  }
+  /**
+   * Validate amount is positive and reasonable
+   */
+  validateAmount(amountHex) {
+    try {
+      const amount = fromHex(amountHex);
+      if (amount <= 0n) {
+        return {
+          valid: false,
+          code: "ZERO_AMOUNT",
+          message: "Invoice amount must be greater than zero"
+        };
+      }
+      const maxShannons = BigInt(1e6) * BigInt(1e8);
+      if (amount > maxShannons) {
+        const amountCkb = Number(amount) / 1e8;
+        return {
+          valid: false,
+          code: "AMOUNT_TOO_LARGE",
+          message: `Invoice amount (${amountCkb.toFixed(2)} CKB) exceeds reasonable maximum`
+        };
+      }
+      return { valid: true };
+    } catch {
+      return {
+        valid: false,
+        code: "INVALID_AMOUNT_FORMAT",
+        message: "Could not parse invoice amount"
+      };
+    }
+  }
+  /**
+   * Check if invoice has expired
+   */
+  isInvoiceExpired(invoice) {
+    const expiryTimestamp = this.getExpiryTimestamp(invoice);
+    return Date.now() > expiryTimestamp;
+  }
+  /**
+   * Get expiry timestamp in milliseconds
+   */
+  getExpiryTimestamp(invoice) {
+    if (!invoice) return 0;
+    try {
+      const createdSeconds = fromHex(invoice.data.timestamp);
+      const expiryDeltaSeconds = this.getAttributeU64(invoice.data.attrs, "ExpiryTime") ?? BigInt(60 * 60);
+      return Number(createdSeconds + expiryDeltaSeconds) * 1e3;
+    } catch {
+    }
+    return Date.now() + 60 * 60 * 1e3;
+  }
+  getAttributeU64(attrs, key) {
+    for (const attr of attrs) {
+      if (key in attr) {
+        return fromHex(attr[key]);
+      }
+    }
+    return void 0;
+  }
+  getDescription(invoice) {
+    if (!invoice) return void 0;
+    for (const attr of invoice.data.attrs) {
+      if ("Description" in attr) {
+        return attr.Description;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Try to extract payee node public key from invoice attributes
+   * The payee public key is embedded in the invoice as a PayeePublicKey attribute
+   */
+  extractNodeIdFromInvoice(invoice) {
+    if (!invoice) {
+      return void 0;
+    }
+    for (const attr of invoice.data.attrs) {
+      if ("PayeePublicKey" in attr) {
+        return attr.PayeePublicKey;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * Calculate trust score (0-100) based on various factors
+   */
+  calculateTrustScore(checks, issues) {
+    let score = 100;
+    if (!checks.validFormat) score -= 25;
+    if (!checks.notExpired) score -= 20;
+    if (!checks.validAmount) score -= 15;
+    if (!checks.peerConnected) score -= 10;
+    const warnings = issues.filter((i) => i.type === "warning").length;
+    score -= warnings * 5;
+    return Math.max(0, score);
+  }
+};
+
+// src/verification/payment-proof.ts
+import { createHash as createHash2 } from "crypto";
+import { readFile, writeFile } from "fs/promises";
+import { dirname as dirname2 } from "path";
+var PaymentProofManager = class {
+  proofs = /* @__PURE__ */ new Map();
+  proofFilePath;
+  maxStoredProofs = 1e4;
+  // Prevent unbounded growth
+  constructor(dataDir) {
+    this.proofFilePath = `${dataDir}/payment-proofs.json`;
+  }
+  /**
+   * Load proofs from disk
+   */
+  async load() {
+    try {
+      const data = await readFile(this.proofFilePath, "utf-8");
+      const proofs = JSON.parse(data);
+      this.proofs.clear();
+      proofs.forEach((proof) => {
+        this.proofs.set(proof.id, proof);
+      });
+    } catch {
+      this.proofs.clear();
+    }
+  }
+  /**
+   * Save proofs to disk
+   */
+  async save() {
+    const proofs = Array.from(this.proofs.values());
+    const data = JSON.stringify(proofs, null, 2);
+    try {
+      await writeFile(this.proofFilePath, data, "utf-8");
+    } catch (error) {
+      if (error instanceof Error && error.message.includes("ENOENT")) {
+        await this.ensureDirectory();
+        await writeFile(this.proofFilePath, data, "utf-8");
+      } else {
+        throw error;
+      }
+    }
+  }
+  /**
+   * Record a payment proof after successful execution
+   */
+  recordPaymentProof(paymentHash, invoice, invoiceDetails, execution, status, proof) {
+    const now = Date.now();
+    const fullProof = {
+      id: paymentHash,
+      status,
+      invoice,
+      invoiceDetails,
+      execution,
+      proof: proof || {},
+      verified: false,
+      metadata: {
+        createdAt: now,
+        updatedAt: now
+      }
+    };
+    this.proofs.set(paymentHash, fullProof);
+    if (proof?.preimage) {
+      const isValid = this.verifyPreimageHash(proof.preimage, invoiceDetails.paymentHash);
+      if (isValid) {
+        fullProof.verified = true;
+        fullProof.verifiedAt = now;
+        fullProof.verificationMethod = "preimage_hash";
+      }
+    }
+    if (this.proofs.size > this.maxStoredProofs) {
+      this.pruneOldestProofs(this.maxStoredProofs * 0.8);
+    }
+    return fullProof;
+  }
+  /**
+   * Get proof by payment hash
+   */
+  getProof(paymentHash) {
+    return this.proofs.get(paymentHash);
+  }
+  /**
+   * Verify a proof's authenticity
+   */
+  verifyProof(proof) {
+    if (proof.verified && proof.verificationMethod === "preimage_hash") {
+      return {
+        valid: true,
+        reason: "Verified via preimage hash match"
+      };
+    }
+    if (proof.proof?.preimage) {
+      const hashValid = this.verifyPreimageHash(
+        proof.proof.preimage,
+        proof.invoiceDetails.paymentHash
+      );
+      if (!hashValid) {
+        return {
+          valid: false,
+          reason: "Preimage does not hash to payment hash"
+        };
+      }
+      proof.verified = true;
+      proof.verifiedAt = Date.now();
+      proof.verificationMethod = "preimage_hash";
+      return {
+        valid: true,
+        reason: "Preimage verified via hash"
+      };
+    }
+    if (proof.status === "Success") {
+      return {
+        valid: true,
+        reason: "Payment succeeded according to RPC (preimage not available)"
+      };
+    }
+    return {
+      valid: false,
+      reason: "No verification method available"
+    };
+  }
+  /**
+   * Get payment timeline between two timestamps
+   */
+  getPaymentChain(startTime, endTime) {
+    return Array.from(this.proofs.values()).filter((p) => p.metadata.createdAt >= startTime && p.metadata.createdAt <= endTime).sort((a, b) => a.metadata.createdAt - b.metadata.createdAt);
+  }
+  /**
+   * Get summary statistics
+   */
+  getSummary() {
+    const proofs = Array.from(this.proofs.values());
+    let verifiedCount = 0;
+    let pendingCount = 0;
+    let failedCount = 0;
+    let totalAmountCkb = 0;
+    let totalFeesCkb = 0;
+    let earliest;
+    let latest;
+    proofs.forEach((proof) => {
+      if (proof.verified) verifiedCount++;
+      else if (proof.status === "Inflight" || proof.status === "Created") pendingCount++;
+      else if (proof.status === "Failed") failedCount++;
+      totalAmountCkb += proof.execution.amountCkb;
+      totalFeesCkb += proof.execution.feeCkb;
+      const createdAt = proof.metadata.createdAt;
+      if (!earliest || createdAt < earliest) earliest = createdAt;
+      if (!latest || createdAt > latest) latest = createdAt;
+    });
+    return {
+      totalProofs: proofs.length,
+      verifiedCount,
+      pendingCount,
+      failedCount,
+      totalAmountCkb,
+      totalFeesCkb,
+      timeRange: {
+        earliest,
+        latest
+      }
+    };
+  }
+  /**
+   * Export proofs as audit report
+   */
+  exportAuditReport(startTime, endTime) {
+    const proofs = Array.from(this.proofs.values()).filter((p) => {
+      if (!startTime && !endTime) return true;
+      const created = p.metadata.createdAt;
+      if (startTime && created < startTime) return false;
+      if (endTime && created > endTime) return false;
+      return true;
+    }).sort((a, b) => a.metadata.createdAt - b.metadata.createdAt);
+    const lines = [
+      "Payment Audit Report",
+      `Generated: ${(/* @__PURE__ */ new Date()).toISOString()}`,
+      `Time Range: ${startTime ? new Date(startTime).toISOString() : "All"} - ${endTime ? new Date(endTime).toISOString() : "All"}`,
+      `Total Payments: ${proofs.length}`,
+      "",
+      "Payment ID | Status | Amount CKB | Fee CKB | Verified | Created At",
+      "-".repeat(80)
+    ];
+    proofs.forEach((p) => {
+      lines.push(
+        `${p.id.slice(0, 16)}... | ${p.status} | ${p.execution.amountCkb.toFixed(4)} | ${p.execution.feeCkb.toFixed(8)} | ${p.verified ? "Yes" : "No"} | ${new Date(p.metadata.createdAt).toISOString()}`
+      );
+    });
+    return lines.join("\n");
+  }
+  /**
+   * Verify preimage hash (SHA256 of preimage = payment_hash)
+   */
+  verifyPreimageHash(preimage, paymentHash) {
+    try {
+      const preimageHex = preimage.startsWith("0x") ? preimage.slice(2) : preimage;
+      const paymentHashHex = paymentHash.startsWith("0x") ? paymentHash.slice(2) : paymentHash;
+      const preimageBuffer = Buffer.from(preimageHex, "hex");
+      const paymentHashBuffer = Buffer.from(paymentHashHex, "hex");
+      const hash = createHash2("sha256").update(preimageBuffer).digest();
+      return hash.equals(paymentHashBuffer);
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Remove oldest proofs to keep storage bounded
+   */
+  pruneOldestProofs(count) {
+    const sorted = Array.from(this.proofs.values()).sort(
+      (a, b) => a.metadata.createdAt - b.metadata.createdAt
+    );
+    const toRemove = sorted.slice(0, Math.floor(sorted.length - count));
+    toRemove.forEach((p) => {
+      this.proofs.delete(p.id);
+    });
+  }
+  /**
+   * Ensure directory exists
+   */
+  async ensureDirectory() {
+    const dir = dirname2(this.proofFilePath);
+    try {
+      const fs = await import("fs");
+      fs.mkdirSync(dir, { recursive: true });
+    } catch {
+    }
+  }
+};
+export {
+  ChannelState,
+  CorsProxy,
+  FiberRpcClient,
+  FiberRpcError,
+  InvoiceVerifier,
+  KeyManager,
+  LiquidityAnalyzer,
+  PaymentProofManager,
+  PolicyEngine,
+  buildMultiaddr,
+  buildMultiaddrFromNodeId,
+  buildMultiaddrFromRpcUrl,
+  ckbToShannons,
+  createKeyManager,
+  fromHex,
+  nodeIdToPeerId,
+  randomBytes32,
+  scriptToAddress,
+  shannonsToCkb,
+  toHex
+};
+//# sourceMappingURL=index.js.map