@livo-build/runtime 0.2.3 → 0.2.5

package/dist/sig.js

@@ -0,0 +1,50 @@
+// EIP-191 personal_sign message verification — prove a user controls an address
+// from a signature, with zero hand-rolled crypto. The counterpart to tx.ts's
+// signing: here we RECOVER the signer of a `personal_sign` message (what
+// wallets produce for `eth_sign`/`personal_sign` and SIWE login). secp256k1
+// recovery via noble; same keccak + hex helpers as the rest of the runtime.
+import { secp256k1 } from "@noble/curves/secp256k1";
+import { keccak_256 } from "@noble/hashes/sha3";
+import { bytesToHex, concatBytes, hexToBytes } from "./hex.js";
+import { toChecksumAddress } from "./tx.js";
+const PERSONAL_PREFIX = "\x19Ethereum Signed Message:\n";
+/**
+ * The EIP-191 digest a wallet signs for `personal_sign(message)`:
+ *   keccak256("\x19Ethereum Signed Message:\n" + byteLength(message) + message)
+ * `message` is treated as UTF-8 text (the common case for login/link flows).
+ */
+export function hashMessage(message) {
+    const body = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(PERSONAL_PREFIX + body.length);
+    return keccak_256(concatBytes(prefix, body));
+}
+/**
+ * Recover the EIP-55 checksummed address that produced `signature` over
+ * `message` (an EIP-191 personal_sign). `signature` is the 65-byte 0x string
+ * r(32) ++ s(32) ++ v(1), where v is 27/28 (or 0/1). Throws on a malformed sig.
+ */
+export function recoverMessageAddress(message, signature) {
+    const bytes = hexToBytes(signature);
+    if (bytes.length !== 65)
+        throw new Error("signature must be 65 bytes (r,s,v)");
+    const v = bytes[64];
+    const recovery = v >= 27 ? v - 27 : v;
+    if (recovery !== 0 && recovery !== 1)
+        throw new Error(`invalid signature recovery byte: ${v}`);
+    const sig = secp256k1.Signature.fromCompact(bytes.slice(0, 64)).addRecoveryBit(recovery);
+    const pub = sig.recoverPublicKey(hashMessage(message)).toRawBytes(false).slice(1); // drop 0x04
+    return toChecksumAddress(bytesToHex(keccak_256(pub).slice(-20)));
+}
+/**
+ * True iff `signature` over `message` was produced by `address` — the safe way to
+ * verify "prove you own this wallet" server-side. Never throws: a malformed
+ * signature returns false.
+ */
+export function verifyMessage({ address, message, signature }) {
+    try {
+        return recoverMessageAddress(message, signature).toLowerCase() === address.toLowerCase();
+    }
+    catch {
+        return false;
+    }
+}

package/dist/telegram.d.ts

@@ -54,6 +54,14 @@ export declare class Telegram {
     handleUpdate(req: Request, reply: (msg: BotMessage) => string | null | undefined | Promise<string | null | undefined>, opts?: SendMessageOptions): Promise<Response>;
     /** Send a message to a chat. No-op-safe: throws if no token is configured. */
     sendMessage(chatId: number | string, text: string, opts?: SendMessageOptions): Promise<void>;
+    /**
+     * Send a photo to a chat. `photo` is a URL Telegram fetches, or a Telegram
+     * file_id. (To upload raw bytes, post multipart/form-data to sendPhoto directly.)
+     */
+    sendPhoto(chatId: number | string, photo: string, opts?: {
+        caption?: string;
+        parseMode?: "Markdown" | "MarkdownV2" | "HTML";
+    }): Promise<void>;
     /** Register the slash-command menu (setMyCommands) — autocompletes in chat. */
     setMyCommands(commands: Array<{
         command: string;

package/dist/telegram.js

@@ -102,6 +102,26 @@ export class Telegram {
         if (!res.ok)
             throw new Error(`Telegram sendMessage failed: HTTP ${res.status}`);
     }
+    /**
+     * Send a photo to a chat. `photo` is a URL Telegram fetches, or a Telegram
+     * file_id. (To upload raw bytes, post multipart/form-data to sendPhoto directly.)
+     */
+    async sendPhoto(chatId, photo, opts = {}) {
+        if (!this.token)
+            throw new Error("Telegram: no bot token (set_secret BOT_TOKEN=<token>).");
+        const body = { chat_id: chatId, photo };
+        if (opts.caption)
+            body.caption = opts.caption;
+        if (opts.parseMode)
+            body.parse_mode = opts.parseMode;
+        const res = await fetch(`${API}${this.token}/sendPhoto`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify(body),
+        });
+        if (!res.ok)
+            throw new Error(`Telegram sendPhoto failed: HTTP ${res.status}`);
+    }
     /** Register the slash-command menu (setMyCommands) — autocompletes in chat. */
     async setMyCommands(commands) {
         if (!this.token)

package/dist/watcher.d.ts

@@ -0,0 +1,83 @@
+interface MinimalEnv {
+    [key: string]: unknown;
+}
+/** Bindings the platform injects into a deployed watcher Worker. */
+export interface WatcherEnv extends MinimalEnv {
+    LIVO_WATCHER_DISPATCH_TOKEN?: string;
+    LIVO_SIGNAL_SUBSCRIBE_URL?: string;
+    LIVO_SIGNAL_CANCEL_URL?: string;
+    LIVO_WATCHER_URL?: string;
+    LIVO_PROJECT_ID?: string;
+    LIVO_WATCHER_NAME?: string;
+    LIVO_CHAIN_ID?: string;
+    LIVO_RUN_URL?: string;
+    LIVO_RUN_TOKEN?: string;
+}
+export type Confidence = "high" | "medium" | "low" | "none";
+export type MatchStatus = "confirmed" | "reverted";
+/** A delivered match (the engine-emitted, priced event that fired a signal). */
+export interface WatcherMatch {
+    deliveryKey: string;
+    matchKey: string;
+    status: MatchStatus;
+    signalId: string;
+    subId: number;
+    watcherId: number;
+    market: {
+        base: string;
+        quote: string;
+        pool: string;
+    };
+    event: {
+        actor: string;
+        kind: string;
+        ts: number;
+        amountUsdMicros: number | null;
+        tokenUsdMicros: number | null;
+        confidence: Confidence;
+        deviationBps: number | null;
+        eventId: {
+            blockHash: string;
+            txHash: string;
+            logIndex: number;
+        };
+    };
+}
+/** A subscription scope (token / watchlist / actor / global). */
+export interface WatcherScope {
+    kind: "token" | "watchlist" | "actor" | "global";
+    market?: string;
+    markets?: string[];
+    actor?: string;
+}
+export interface SubscribeOptions {
+    /** Stable id for this subscription (and self-cancel handle). */
+    subKey: string;
+    signalId: string;
+    scope: WatcherScope;
+    params?: Record<string, unknown>;
+    /** Where matches deliver. Defaults to this watcher's own onMatch URL. */
+    dispatchUrl?: string;
+    chain?: number;
+    /** Time-sensitive (stop-loss/take-profit) — armed immediately. Default true. */
+    ephemeral?: boolean;
+}
+/** Context passed to onMatch: env + runtime subscribe/cancel (exit-triggers). */
+export interface WatcherContext {
+    env: WatcherEnv;
+    /** Arm a new subscription now (e.g. a stop-loss at fill time). */
+    subscribe(opts: SubscribeOptions): Promise<boolean>;
+    /** Remove a subscription by its subKey (self-cancel on fire). */
+    cancel(subKey: string): Promise<boolean>;
+}
+export interface WatcherDefinition {
+    /** The signal this watcher reacts to (informational; the platform routes). */
+    signal?: string;
+    onMatch: (match: WatcherMatch, ctx: WatcherContext) => Promise<void> | void;
+}
+/** A deployable Worker module ({ fetch }) — the shape Cloudflare invokes. */
+export interface WatcherModule {
+    fetch(req: Request, env: WatcherEnv, ctx?: unknown): Promise<Response>;
+}
+export declare function defineWatcher(def: WatcherDefinition): WatcherModule;
+export {};

package/dist/watcher.js

@@ -0,0 +1,155 @@
+// defineWatcher — the watcher-facing primitive for Signal Radar (the onMatch
+// counterpart to keepers' scheduled()). A watcher is an HTTP-triggered Worker:
+// the platform delivers ONE subscription-addressed match per request to its
+// onMatch handler (SIGNAL-RADAR-IMPL-SPEC.md §10–§11).
+//
+// Auth mirrors the rest of the runtime (bearer tokens, not hand-rolled crypto):
+// each delivery carries the watcher's dispatchToken as a bearer, injected at
+// deploy as LIVO_WATCHER_DISPATCH_TOKEN. The same token authenticates this
+// watcher's ctx.subscribe()/cancel() calls. (HMAC-signing the body is a later
+// hardening step; the bearer scopes a leak to this one watcher today.)
+export function defineWatcher(def) {
+    return {
+        async fetch(req, env, _ctx) {
+            if (req.method !== "POST")
+                return jsonResponse({ error: "method_not_allowed" }, 405);
+            // Per-watcher dispatch auth. Fail closed if no token is configured.
+            const expected = env.LIVO_WATCHER_DISPATCH_TOKEN;
+            if (!expected || bearer(req) !== expected) {
+                return jsonResponse({ error: "unauthorized" }, 401);
+            }
+            let match;
+            try {
+                match = parseMatch(await req.json());
+            }
+            catch {
+                return jsonResponse({ error: "bad_request" }, 400);
+            }
+            const ctx = makeContext(env);
+            const startedAt = Date.now();
+            try {
+                await def.onMatch(match, ctx);
+                await reportRun(env, startedAt, true);
+                return jsonResponse({ ok: true }, 200);
+            }
+            catch (e) {
+                await reportRun(env, startedAt, false, String(e));
+                return jsonResponse({ ok: false }, 500);
+            }
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Internals.
+// ---------------------------------------------------------------------------
+function makeContext(env) {
+    const token = env.LIVO_WATCHER_DISPATCH_TOKEN ?? "";
+    return {
+        env,
+        async subscribe(opts) {
+            const url = env.LIVO_SIGNAL_SUBSCRIBE_URL;
+            if (!url)
+                return false;
+            const res = await fetch(url, {
+                method: "POST",
+                headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+                body: JSON.stringify({
+                    projectId: env.LIVO_PROJECT_ID,
+                    watcherName: env.LIVO_WATCHER_NAME,
+                    chain: opts.chain ?? Number(env.LIVO_CHAIN_ID ?? "1"),
+                    signalId: opts.signalId,
+                    scope: opts.scope,
+                    params: opts.params ?? {},
+                    dispatchUrl: opts.dispatchUrl ?? env.LIVO_WATCHER_URL ?? "",
+                    subKey: opts.subKey,
+                    ephemeral: opts.ephemeral ?? true,
+                }),
+            }).catch(() => undefined);
+            return Boolean(res && res.ok);
+        },
+        async cancel(subKey) {
+            const url = env.LIVO_SIGNAL_CANCEL_URL;
+            if (!url)
+                return false;
+            const res = await fetch(url, {
+                method: "POST",
+                headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+                body: JSON.stringify({ subKey }),
+            }).catch(() => undefined);
+            return Boolean(res && res.ok);
+        },
+    };
+}
+function bearer(req) {
+    const h = req.headers.get("authorization") ?? req.headers.get("Authorization");
+    if (!h)
+        return null;
+    const m = h.match(/^Bearer\s+(.+)$/i);
+    return m ? m[1] : null;
+}
+function jsonResponse(body, status) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { "content-type": "application/json" },
+    });
+}
+/** Parse the platform's wire envelope (snake_case JSON) into a typed match. */
+function parseMatch(raw) {
+    const b = raw;
+    const ev = (b.event ?? {});
+    const eid = (ev.event_id ?? {});
+    if (typeof b.delivery_key !== "string" || typeof b.match_key !== "string") {
+        throw new Error("malformed match envelope");
+    }
+    return {
+        deliveryKey: b.delivery_key,
+        matchKey: b.match_key,
+        status: b.status === "reverted" ? "reverted" : "confirmed",
+        signalId: String(b.signal_id ?? ""),
+        subId: Number(b.sub_id ?? 0),
+        watcherId: Number(b.watcher_id ?? 0),
+        market: {
+            base: String(b.market?.base ?? ""),
+            quote: String(b.market?.quote ?? ""),
+            pool: String(b.market?.pool ?? ""),
+        },
+        event: {
+            actor: String(ev.actor ?? ""),
+            kind: String(ev.kind ?? ""),
+            ts: Number(ev.ts ?? 0),
+            amountUsdMicros: numOrNull(ev.amount_usd_micros),
+            tokenUsdMicros: numOrNull(ev.token_usd_micros),
+            confidence: ev.confidence ?? "none",
+            deviationBps: numOrNull(ev.deviation_bps),
+            eventId: {
+                blockHash: String(eid.block_hash ?? ""),
+                txHash: String(eid.tx_hash ?? ""),
+                logIndex: Number(eid.log_index ?? 0),
+            },
+        },
+    };
+}
+function numOrNull(v) {
+    return typeof v === "number" ? v : null;
+}
+/** Best-effort run-log report (mirrors the keeper wrapper). Never throws. */
+async function reportRun(env, startedAt, ok, error) {
+    const url = env.LIVO_RUN_URL;
+    const token = env.LIVO_RUN_TOKEN;
+    if (!url || !token)
+        return;
+    await fetch(url, {
+        method: "POST",
+        headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
+        body: JSON.stringify({
+            projectId: env.LIVO_PROJECT_ID,
+            ownerKind: "watcher",
+            ownerName: env.LIVO_WATCHER_NAME,
+            trigger: "match",
+            startedAt,
+            durationMs: Date.now() - startedAt,
+            ok,
+            error,
+        }),
+    }).catch(() => undefined);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@livo-build/runtime",
-  "version": "0.2.3",
+  "version": "0.2.5",
   "description": "Livo runtime — chain signing/reads, D1 state, and logging for keepers, servers, and bots.",
   "type": "module",
   "license": "UNLICENSED",
@@ -35,6 +35,7 @@
     "clean": "rm -rf dist"
   },
   "dependencies": {
+    "@nktkas/hyperliquid": "^0.33.0",
     "@noble/curves": "^1.9.7",
     "@noble/hashes": "^1.8.0"
   },