@livo-build/runtime 0.2.6 → 0.2.13

package/dist/siwe.js

@@ -0,0 +1,33 @@
+// Sign-In With Ethereum (EIP-4361) — build the canonical message + verify a signed
+// one. The standard way to authenticate a wallet to a backend; pairs with sessions.
+import { verifyMessage } from "./sig.js";
+export function createSiweMessage(p) {
+    const lines = [`${p.domain} wants you to sign in with your Ethereum account:`, p.address, ""];
+    if (p.statement)
+        lines.push(p.statement, "");
+    lines.push(`URI: ${p.uri}`, `Version: ${p.version ?? "1"}`, `Chain ID: ${p.chainId}`, `Nonce: ${p.nonce}`, `Issued At: ${p.issuedAt ?? new Date().toISOString()}`);
+    if (p.expirationTime)
+        lines.push(`Expiration Time: ${p.expirationTime}`);
+    return lines.join("\n");
+}
+function field(message, label) {
+    const m = new RegExp(`^${label}(.*)$`, "m").exec(message);
+    return m?.[1]?.trim();
+}
+// Verify a SIWE message + signature: the signature recovers to the claimed address,
+// the nonce matches (if given), and it isn't expired.
+export async function verifySiweMessage(message, signature, opts = {}) {
+    const address = message.split("\n")[1]?.trim();
+    if (!address || !/^0x[0-9a-fA-F]{40}$/.test(address))
+        return { valid: false };
+    const nonce = field(message, "Nonce: ");
+    if (opts.nonce && nonce !== opts.nonce)
+        return { valid: false };
+    if (opts.domain && !message.startsWith(opts.domain + " "))
+        return { valid: false };
+    const exp = field(message, "Expiration Time: ");
+    if (exp && Date.parse(exp) < Date.now())
+        return { valid: false };
+    const ok = await verifyMessage({ address: address, message, signature: signature });
+    return { valid: ok, address: ok ? address : undefined, nonce };
+}

package/dist/sse.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sse.test.js

@@ -0,0 +1,28 @@
+import { describe, it, expect } from "vitest";
+import { sse } from "./http.js";
+async function readAll(res) {
+    return await res.text();
+}
+describe("sse", () => {
+    it("formats events (data/event/id) and a heartbeat, and sets the right headers", async () => {
+        const conn = sse();
+        expect(conn.response.headers.get("content-type")).toBe("text/event-stream");
+        conn.send({ px: 100 });
+        conn.send("hello", { event: "tick", id: "7" });
+        conn.ping();
+        conn.send("a\nb"); // multiline → two data: lines
+        conn.close();
+        const text = await readAll(conn.response);
+        expect(text).toContain('data: {"px":100}\n\n');
+        expect(text).toContain("event: tick\nid: 7\ndata: hello\n\n");
+        expect(text).toContain(": ping\n\n");
+        expect(text).toContain("data: a\ndata: b\n\n");
+        expect(conn.closed).toBe(true);
+    });
+    it("stops writing after close (no throw)", async () => {
+        const conn = sse();
+        conn.close();
+        conn.send({ ignored: true });
+        expect(await readAll(conn.response)).toBe("");
+    });
+});

package/dist/webhook.d.ts

@@ -0,0 +1,18 @@
+export type SignatureEncoding = "hex" | "base64";
+/** Compute the HMAC-SHA256 signature of a payload (for signing outgoing webhooks/tests). */
+export declare function signWebhook(payload: string, secret: string, encoding?: SignatureEncoding): Promise<string>;
+export interface VerifyWebhookParams {
+    /** The RAW request body (verify before JSON.parse — re-serialization changes bytes). */
+    payload: string;
+    secret: string;
+    /** The signature header value. A `scheme=` prefix (e.g. "sha256=") is stripped for hex. */
+    signature: string;
+    /** Digest encoding of `signature` (default "hex"). */
+    encoding?: SignatureEncoding;
+}
+/**
+ * Verify a webhook's HMAC-SHA256 signature against the raw body. Returns true iff the
+ * signature matches. For hex signatures a leading `algo=` prefix (GitHub's "sha256=")
+ * is stripped automatically.
+ */
+export declare function verifyWebhook(params: VerifyWebhookParams): Promise<boolean>;

package/dist/webhook.js

@@ -0,0 +1,49 @@
+// Inbound webhook signature verification (GitHub/Stripe-style HMAC-SHA256). Verify
+// that a raw request body was signed with your shared secret before trusting it.
+// Constant-time comparison; no hand-rolled crypto.
+function enc(s) {
+    return new TextEncoder().encode(s);
+}
+function toHex(bytes) {
+    let out = "";
+    for (const b of bytes)
+        out += b.toString(16).padStart(2, "0");
+    return out;
+}
+function toBase64(bytes) {
+    let bin = "";
+    for (const b of bytes)
+        bin += String.fromCharCode(b);
+    return btoa(bin);
+}
+async function hmac(secret, payload) {
+    const key = await crypto.subtle.importKey("raw", enc(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    return new Uint8Array(await crypto.subtle.sign("HMAC", key, enc(payload)));
+}
+/** Constant-time string compare (length-independent leak is acceptable for digests). */
+function timingSafeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    return diff === 0;
+}
+/** Compute the HMAC-SHA256 signature of a payload (for signing outgoing webhooks/tests). */
+export async function signWebhook(payload, secret, encoding = "hex") {
+    const mac = await hmac(secret, payload);
+    return encoding === "base64" ? toBase64(mac) : toHex(mac);
+}
+/**
+ * Verify a webhook's HMAC-SHA256 signature against the raw body. Returns true iff the
+ * signature matches. For hex signatures a leading `algo=` prefix (GitHub's "sha256=")
+ * is stripped automatically.
+ */
+export async function verifyWebhook(params) {
+    const encoding = params.encoding ?? "hex";
+    let provided = params.signature.trim();
+    if (encoding === "hex")
+        provided = provided.replace(/^[A-Za-z0-9_-]+=/, ""); // strip "sha256=" etc (hex has no '=')
+    const expected = await signWebhook(params.payload, params.secret, encoding);
+    return timingSafeEqual(expected.toLowerCase(), provided.toLowerCase());
+}

package/dist/webhook.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/webhook.test.js

@@ -0,0 +1,46 @@
+import { describe, it, expect } from "vitest";
+import { signWebhook, verifyWebhook } from "./webhook.js";
+import { cached } from "./cache.js";
+describe("webhook signatures", () => {
+    it("round-trips a hex signature and strips a sha256= prefix", async () => {
+        const sig = await signWebhook("payload-body", "shh");
+        expect(await verifyWebhook({ payload: "payload-body", secret: "shh", signature: sig })).toBe(true);
+        expect(await verifyWebhook({ payload: "payload-body", secret: "shh", signature: "sha256=" + sig })).toBe(true);
+    });
+    it("rejects a wrong secret or tampered payload", async () => {
+        const sig = await signWebhook("a", "s1");
+        expect(await verifyWebhook({ payload: "a", secret: "s2", signature: sig })).toBe(false);
+        expect(await verifyWebhook({ payload: "b", secret: "s1", signature: sig })).toBe(false);
+    });
+    it("supports base64 encoding", async () => {
+        const sig = await signWebhook("x", "k", "base64");
+        expect(await verifyWebhook({ payload: "x", secret: "k", signature: sig, encoding: "base64" })).toBe(true);
+    });
+});
+function memKv() {
+    const store = new Map();
+    return {
+        store,
+        get: async (k) => store.get(k) ?? null,
+        put: async (k, v) => void store.set(k, v),
+    };
+}
+describe("cached", () => {
+    it("computes once, then serves from cache", async () => {
+        const kv = memKv();
+        let calls = 0;
+        const produce = async () => {
+            calls++;
+            return { n: 42 };
+        };
+        expect(await cached(kv, "k", produce, { ttlSeconds: 60 })).toEqual({ n: 42 });
+        expect(await cached(kv, "k", produce, { ttlSeconds: 60 })).toEqual({ n: 42 });
+        expect(calls).toBe(1);
+        expect(kv.store.has("cache:k")).toBe(true);
+    });
+    it("recomputes when the cached value is corrupt", async () => {
+        const kv = memKv();
+        kv.store.set("cache:bad", "{not json");
+        expect(await cached(kv, "bad", async () => "fresh", { ttlSeconds: 60 })).toBe("fresh");
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@livo-build/runtime",
-  "version": "0.2.6",
+  "version": "0.2.13",
   "description": "Livo runtime — chain signing/reads, D1 state, and logging for keepers, servers, and bots.",
   "type": "module",
   "license": "UNLICENSED",