@hybrd/xmtp 1.3.2 → 1.4.0

package/src/lib/jwt.ts

@@ -1,5 +1,6 @@
 import { Context } from "hono"
 import jwt from "jsonwebtoken"
+import { logger } from "@hybrd/utils"
 
 export interface XMTPToolsPayload {
 	action: "send" | "reply" | "react" | "transaction" | "blockchain-event"
@@ -65,26 +66,26 @@ export function getValidatedPayload(c: Context): XMTPToolsPayload | null {
 
 /**
  * Gets the JWT secret for token signing, with lazy initialization
- * Uses XMTP_ENCRYPTION_KEY environment variable for consistency
+ * Uses XMTP_DB_ENCRYPTION_KEY environment variable for consistency
  * Only falls back to development secret in development/test environments
  */
 function getJwtSecret(): string {
-	const secret = process.env.XMTP_ENCRYPTION_KEY
+	const secret = process.env.XMTP_DB_ENCRYPTION_KEY
 	const nodeEnv = process.env.NODE_ENV || "development"
 
 	// In production, require a real JWT secret
 	if (nodeEnv === "production" && !secret) {
 		throw new Error(
-			"XMTP_ENCRYPTION_KEY environment variable is required in production. " +
+			"XMTP_DB_ENCRYPTION_KEY environment variable is required in production. " +
 				"Generate a secure random secret for JWT token signing."
 		)
 	}
 
 	// In development/test, allow fallback but warn only when actually used
 	if (!secret) {
-		console.warn(
+		logger.warn(
 			"⚠️  [SECURITY] Using fallback JWT secret for development. " +
-				"Set XMTP_ENCRYPTION_KEY environment variable for production."
+				"Set XMTP_DB_ENCRYPTION_KEY environment variable for production."
 		)
 		return "fallback-secret-for-dev-only"
 	}
@@ -111,7 +112,7 @@ function getApiKey(): string {
 
 	// In development/test, allow fallback but warn only when actually used
 	if (!apiKey) {
-		console.warn(
+		logger.warn(
 			"⚠️  [SECURITY] Using fallback API key for development. " +
 				"Set XMTP_API_KEY environment variable for production."
 		)
@@ -148,6 +149,9 @@ const JWT_EXPIRY = 5 * 60 // 5 minutes in seconds
 export function generateXMTPToolsToken(
 	payload: Omit<XMTPToolsPayload, "issued" | "expires">
 ): string {
+	const startTime = performance.now()
+	logger.debug("🔐 [JWT] Starting token generation...")
+
 	const now = Math.floor(Date.now() / 1000)
 	const fullPayload: XMTPToolsPayload = {
 		...payload,
@@ -155,9 +159,16 @@ export function generateXMTPToolsToken(
 		expires: now + JWT_EXPIRY
 	}
 
-	return jwt.sign(fullPayload, getJwtSecret(), {
+	const token = jwt.sign(fullPayload, getJwtSecret(), {
 		expiresIn: JWT_EXPIRY
 	})
+
+	const endTime = performance.now()
+	logger.debug(
+		`🔐 [JWT] Token generation completed in ${(endTime - startTime).toFixed(2)}ms`
+	)
+
+	return token
 }
 
 /**
@@ -184,37 +195,58 @@ export function generateXMTPToolsToken(
  * ```
  */
 export function validateXMTPToolsToken(token: string): XMTPToolsPayload | null {
+	const startTime = performance.now()
+	logger.debug("🔐 [JWT] Starting token validation...")
+
 	// First try API key authentication
 	if (token === getApiKey()) {
-		console.log("🔑 [Auth] Using API key authentication")
+		logger.debug("🔑 [Auth] Using API key authentication")
 		// Return a valid payload for API key auth
 		const now = Math.floor(Date.now() / 1000)
-		return {
-			action: "send", // Default action
+		const result = {
+			action: "send" as const, // Default action
 			conversationId: "", // Will be filled by endpoint
 			issued: now,
 			expires: now + 3600 // API keys are valid for 1 hour
 		}
+
+		const endTime = performance.now()
+		logger.debug(
+			`🔐 [JWT] API key validation completed in ${(endTime - startTime).toFixed(2)}ms`
+		)
+		return result
 	}
 
 	// Then try JWT token authentication
 	try {
 		const decoded = jwt.verify(token, getJwtSecret()) as XMTPToolsPayload
-		console.log("🔑 [Auth] Using JWT token authentication")
+		logger.debug("🔑 [Auth] Using JWT token authentication")
 
 		// Additional expiry check
 		const now = Math.floor(Date.now() / 1000)
 		if (decoded.expires < now) {
-			console.warn("🔒 XMTP tools token has expired")
+			console.log("🔒 XMTP tools token has expired")
+			const endTime = performance.now()
+			logger.debug(
+				`🔐 [JWT] Token validation failed (expired) in ${(endTime - startTime).toFixed(2)}ms`
+			)
 			return null
 		}
 
+		const endTime = performance.now()
+		logger.debug(
+			`🔐 [JWT] JWT validation completed in ${(endTime - startTime).toFixed(2)}ms`
+		)
 		return decoded
 	} catch (error) {
-		console.error(
+		logger.error(
 			"🔒 Invalid XMTP tools token and not matching API key:",
 			error
 		)
+		const endTime = performance.now()
+		logger.debug(
+			`🔐 [JWT] Token validation failed in ${(endTime - startTime).toFixed(2)}ms`
+		)
 		return null
 	}
 }

package/src/lib/{message-listener.test.ts → message-listener.test.ts.old}

@@ -1,6 +1,6 @@
 import { EventEmitter } from "node:events"
 import { beforeEach, describe, expect, it, vi } from "vitest"
-import { MessageListener } from "./message-listener"
+import { MessageListener } from "./message-listener.ts.old"
 
 /**
  * Check if content contains any of the supported agent mention patterns

package/src/lib/subjects.ts

@@ -1,5 +1,6 @@
 import type { BasenameResolver } from "../resolver/basename-resolver"
 import type { ENSResolver } from "../resolver/ens-resolver"
+import { logger } from "@hybrd/utils"
 
 /**
  * Extract basenames/ENS names from message content using @mention pattern
@@ -38,7 +39,7 @@ export async function resolveSubjects(
 		return subjects
 	}
 
-	console.log(
+	logger.debug(
 		`🔍 Found ${mentionedNames.length} name mentions:`,
 		mentionedNames
 	)
@@ -49,20 +50,20 @@ export async function resolveSubjects(
 
 			// Check if it's an ENS name (.eth but not .base.eth)
 			if (ensResolver.isENSName(mentionedName)) {
-				console.log(`🔍 Resolving ENS name: ${mentionedName}`)
+				logger.debug(`🔍 Resolving ENS name: ${mentionedName}`)
 				resolvedAddress = await ensResolver.resolveENSName(mentionedName)
 			} else {
 				// It's a basename (.base.eth or other format)
-				console.log(`🔍 Resolving basename: ${mentionedName}`)
+				logger.debug(`🔍 Resolving basename: ${mentionedName}`)
 				resolvedAddress =
 					await basenameResolver.getBasenameAddress(mentionedName)
 			}
 
 			if (resolvedAddress) {
 				subjects[mentionedName] = resolvedAddress as `0x${string}`
-				console.log(`✅ Resolved ${mentionedName} → ${resolvedAddress}`)
+				logger.debug(`✅ Resolved ${mentionedName} → ${resolvedAddress}`)
 			} else {
-				console.log(`❌ Could not resolve address for: ${mentionedName}`)
+				logger.debug(`❌ Could not resolve address for: ${mentionedName}`)
 			}
 		} catch (error) {
 			console.error(`❌ Error resolving ${mentionedName}:`, error)

package/src/plugin.filters.test.ts

@@ -0,0 +1,158 @@
+import type { HonoVariables, PluginContext } from "@hybrd/types"
+import { Hono } from "hono"
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest"
+import { XMTPPlugin } from "./plugin"
+
+// Mock @xmtp/agent-sdk and ./client used by the plugin
+vi.mock("@xmtp/agent-sdk", () => {
+	const handlers: Record<string, Array<(payload: unknown) => unknown>> = {}
+	const fakeXmtp = {
+		on: (event: string, cb: (payload: unknown) => unknown) => {
+			if (!handlers[event]) handlers[event] = []
+			handlers[event].push(cb)
+		},
+		emit: async (event: string, payload: unknown) => {
+			for (const cb of handlers[event] || []) {
+				// eslint-disable-next-line @typescript-eslint/await-thenable
+				await cb(payload)
+			}
+		},
+		start: vi.fn(async () => {})
+	}
+
+	return {
+		Agent: { create: vi.fn(async () => fakeXmtp) },
+		createUser: vi.fn(() => ({ account: { address: "0xabc" } })),
+		createSigner: vi.fn(() => ({})),
+		getTestUrl: vi.fn(() => "http://test"),
+		XmtpEnv: {},
+		__fakeXmtp: fakeXmtp
+	}
+})
+
+vi.mock("./client", () => {
+	const fakeConversation = {
+		id: "conv1",
+		send: vi.fn(async (_text: string) => {})
+	}
+
+	const fakeClient = {
+		inboxId: "inbox-1",
+		accountIdentifier: { identifier: "0xabc" },
+		conversations: {
+			list: vi.fn(async () => [] as unknown[]),
+			getConversationById: vi.fn(async (_id: string) => fakeConversation),
+			streamAllMessages: vi.fn(async function* () {
+				// Yield one message and finish
+				yield {
+					id: "msg1",
+					senderInboxId: "other-inbox",
+					content: "hello",
+					contentType: { sameAs: () => true },
+					conversationId: "conv1"
+				}
+			})
+		}
+	}
+
+	async function getDbPath(_name: string): Promise<string> {
+		return "/tmp/xmtp-test-db"
+	}
+
+	return {
+		createXMTPClient: vi.fn(async () => fakeClient),
+		getDbPath
+	}
+})
+
+type MockAgentSdk = {
+	__fakeXmtp: {
+		emit: (event: string, payload: unknown) => Promise<void>
+	}
+}
+
+function createTestAgent() {
+	return {
+		name: "test-agent",
+		plugins: { applyAll: vi.fn(async () => {}) },
+		createRuntimeContext: vi.fn(
+			async (base: unknown) => base as Record<string, unknown>
+		),
+		generate: vi.fn(async () => ({ text: "ok" }))
+	}
+}
+
+beforeEach(() => {
+	vi.resetModules()
+	vi.clearAllMocks()
+	process.env.XMTP_WALLET_KEY = "0xabc"
+	process.env.XMTP_DB_ENCRYPTION_KEY = "secret"
+	process.env.XMTP_ENV = "dev"
+	process.env.XMTP_ENABLE_NODE_STREAM = undefined
+})
+
+afterEach(() => {
+	process.env.XMTP_WALLET_KEY = undefined
+	process.env.XMTP_DB_ENCRYPTION_KEY = undefined
+	process.env.XMTP_ENV = undefined
+	process.env.XMTP_ENABLE_NODE_STREAM = undefined
+})
+
+describe("XMTPPlugin behaviors", () => {
+	it("blocks node stream messages when behaviors filter out", async () => {
+		const app = new Hono<{ Variables: HonoVariables }>()
+		const agent = createTestAgent()
+
+		// Mock behaviors to filter out messages
+		const mockBehaviors = {
+			executeBefore: vi.fn(async (context: any) => {
+				context.sendOptions = { filtered: true }
+			}),
+			executeAfter: vi.fn(async () => {})
+		}
+
+		const context = {
+			agent,
+			behaviors: mockBehaviors
+		} as unknown as PluginContext
+
+		const plugin = XMTPPlugin()
+		await plugin.apply(app, context)
+
+		// Allow async stream to tick
+		await new Promise((r) => setTimeout(r, 10))
+
+		// No generation or sending should have occurred
+		expect(agent.generate).not.toHaveBeenCalled()
+	})
+
+	it("allows text handler when behaviors don't filter", async () => {
+		const app = new Hono<{ Variables: HonoVariables }>()
+		const agent = createTestAgent()
+
+		// Mock behaviors to not filter messages
+		const mockBehaviors = {
+			executeBefore: vi.fn(async () => {}),
+			executeAfter: vi.fn(async () => {})
+		}
+
+		const context = {
+			agent,
+			behaviors: mockBehaviors
+		} as unknown as PluginContext
+
+		process.env.XMTP_ENABLE_NODE_STREAM = "false"
+		const plugin = XMTPPlugin()
+		await plugin.apply(app, context)
+
+		const mocked = (await import("@xmtp/agent-sdk")) as unknown as MockAgentSdk
+
+		// Emit a text event
+		await mocked.__fakeXmtp.emit("text", {
+			conversation: { id: "conv1", send: vi.fn(async () => {}) },
+			message: { content: "hello" }
+		})
+
+		expect(agent.generate).toHaveBeenCalledTimes(1)
+	})
+})