@ocap/tx-protocols 1.29.13 → 1.29.15

package/esm/protocols/account/delegate.mjs

@@ -6,6 +6,7 @@ import get from "lodash/get.js";
 import pick from "lodash/pick.js";
 import { toDelegateAddress } from "@arcblock/did-util";
 import { account, delegation } from "@ocap/state";
+import { scopeMatchAny } from "@ocap/util";
 import Debug from "debug";
 import { formatMessage } from "@ocap/message";
 import cloneDeep from "lodash/cloneDeep.js";
@@ -48,6 +49,8 @@ const schema = Joi.object({
 			assetsList: []
 		})
 	})).unique((a, b) => a.typeUrl === b.typeUrl).min(1).required(),
+	denyList: Joi.array().items(Joi.string().pattern(/^fg:/).max(256)).max(128).unique().optional().allow(null).default([]),
+	validUntil: Joi.number().integer().min(0).optional().allow(null).default(0),
 	data: Joi.any().optional().allow(null)
 }).options({
 	stripUnknown: true,
@@ -73,7 +76,7 @@ runner.use(pipes.VerifyInfo([{
 	fn: (ctx) => {
 		const context = ctx;
 		const allowed = get(context.config, "transaction.delegate.typeUrls", []);
-		return (context.formattedItx?.ops || []).every((op) => allowed.includes(op.typeUrl));
+		return (context.formattedItx?.ops || []).every((op) => scopeMatchAny(op.typeUrl, allowed));
 	}
 }]));
 runner.use(pipes.ExtractState({
@@ -125,6 +128,8 @@ runner.use(async (context, next) => {
 	const { tx: tx$1, itx, formattedItx, validatedItx, statedb, senderState, receiverState, delegationState, senderUpdates, updateVaults } = context;
 	const ops = formattedItx?.ops || [];
 	const opsList = validatedItx?.opsList || [];
+	const deny = itx.denyList || [];
+	const validUntil = itx.validUntil || 0;
 	const merged = cloneDeep(ops).reduce((acc, x, i) => {
 		const tokens = x.limit?.tokens || [];
 		const assets = x.limit?.assets || [];
@@ -174,11 +179,15 @@ runner.use(async (context, next) => {
 		delegationState ? statedb.delegation.update(itx.address, delegation.update(delegationState, {
 			...itx,
 			from: sender,
-			ops: merged
+			ops: merged,
+			deny,
+			validUntil
 		}, context), context) : statedb.delegation.create(itx.address, delegation.create({
 			...itx,
 			from: sender,
-			ops: merged
+			ops: merged,
+			deny,
+			validUntil
 		}, context), context)
 	]);
 	if (updateVaults) await updateVaults();

package/lib/protocols/account/delegate.cjs

@@ -10,6 +10,7 @@ let lodash_pick = require("lodash/pick");
 lodash_pick = require_rolldown_runtime.__toESM(lodash_pick);
 let _arcblock_did_util = require("@arcblock/did-util");
 let _ocap_state = require("@ocap/state");
+let _ocap_util = require("@ocap/util");
 let debug = require("debug");
 debug = require_rolldown_runtime.__toESM(debug);
 let _ocap_message = require("@ocap/message");
@@ -54,6 +55,8 @@ const schema = _arcblock_validator.Joi.object({
 			assetsList: []
 		})
 	})).unique((a, b) => a.typeUrl === b.typeUrl).min(1).required(),
+	denyList: _arcblock_validator.Joi.array().items(_arcblock_validator.Joi.string().pattern(/^fg:/).max(256)).max(128).unique().optional().allow(null).default([]),
+	validUntil: _arcblock_validator.Joi.number().integer().min(0).optional().allow(null).default(0),
 	data: _arcblock_validator.Joi.any().optional().allow(null)
 }).options({
 	stripUnknown: true,
@@ -79,7 +82,7 @@ runner.use(_ocap_tx_pipeline.pipes.VerifyInfo([{
 	fn: (ctx) => {
 		const context = ctx;
 		const allowed = (0, lodash_get.default)(context.config, "transaction.delegate.typeUrls", []);
-		return (context.formattedItx?.ops || []).every((op) => allowed.includes(op.typeUrl));
+		return (context.formattedItx?.ops || []).every((op) => (0, _ocap_util.scopeMatchAny)(op.typeUrl, allowed));
 	}
 }]));
 runner.use(_ocap_tx_pipeline.pipes.ExtractState({
@@ -131,6 +134,8 @@ runner.use(async (context, next) => {
 	const { tx, itx, formattedItx, validatedItx, statedb, senderState, receiverState, delegationState, senderUpdates, updateVaults } = context;
 	const ops = formattedItx?.ops || [];
 	const opsList = validatedItx?.opsList || [];
+	const deny = itx.denyList || [];
+	const validUntil = itx.validUntil || 0;
 	const merged = (0, lodash_cloneDeep.default)(ops).reduce((acc, x, i) => {
 		const tokens = x.limit?.tokens || [];
 		const assets = x.limit?.assets || [];
@@ -180,11 +185,15 @@ runner.use(async (context, next) => {
 		delegationState ? statedb.delegation.update(itx.address, _ocap_state.delegation.update(delegationState, {
 			...itx,
 			from: sender,
-			ops: merged
+			ops: merged,
+			deny,
+			validUntil
 		}, context), context) : statedb.delegation.create(itx.address, _ocap_state.delegation.create({
 			...itx,
 			from: sender,
-			ops: merged
+			ops: merged,
+			deny,
+			validUntil
 		}, context), context)
 	]);
 	if (updateVaults) await updateVaults();

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.29.13",
+  "version": "1.29.15",
   "description": "Predefined tx pipeline sets to execute certain type of transactions",
   "type": "module",
   "main": "./lib/index.cjs",
@@ -46,34 +46,34 @@
   "author": "wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)",
   "license": "MIT",
   "dependencies": {
-    "@arcblock/did": "1.29.13",
-    "@arcblock/did-util": "1.29.13",
-    "@arcblock/jwt": "1.29.13",
-    "@arcblock/validator": "1.29.13",
-    "@arcblock/vc": "1.29.13",
+    "@arcblock/did": "1.29.15",
+    "@arcblock/did-util": "1.29.15",
+    "@arcblock/jwt": "1.29.15",
+    "@arcblock/validator": "1.29.15",
+    "@arcblock/vc": "1.29.15",
     "@blocklet/xss": "^0.3.7",
-    "@ocap/asset": "1.29.13",
-    "@ocap/client": "1.29.13",
-    "@ocap/mcrypto": "1.29.13",
-    "@ocap/merkle-tree": "1.29.13",
-    "@ocap/message": "1.29.13",
-    "@ocap/state": "1.29.13",
-    "@ocap/tx-pipeline": "1.29.13",
-    "@ocap/types": "1.29.13",
-    "@ocap/util": "1.29.13",
-    "@ocap/wallet": "1.29.13",
+    "@ocap/asset": "1.29.15",
+    "@ocap/client": "1.29.15",
+    "@ocap/mcrypto": "1.29.15",
+    "@ocap/merkle-tree": "1.29.15",
+    "@ocap/message": "1.29.15",
+    "@ocap/state": "1.29.15",
+    "@ocap/tx-pipeline": "1.29.15",
+    "@ocap/types": "1.29.15",
+    "@ocap/util": "1.29.15",
+    "@ocap/wallet": "1.29.15",
     "debug": "^4.4.3",
     "deep-diff": "^1.0.2",
     "lodash": "^4.17.23",
     "url-join": "^4.0.1"
   },
   "resolutions": {
-    "bn.js": "5.2.2",
+    "bn.js": "5.2.3",
     "elliptic": "6.5.3"
   },
   "devDependencies": {
-    "@ocap/e2e-test": "1.29.13",
-    "@ocap/statedb-memory": "1.29.13",
+    "@ocap/e2e-test": "1.29.15",
+    "@ocap/statedb-memory": "1.29.15",
     "@types/debug": "^4.1.12",
     "@types/lodash": "^4.17.16",
     "start-server-and-test": "^1.14.0"

package/tools/fixtures.ts

@@ -14,8 +14,7 @@ import { create as createVC } from '@arcblock/vc';
 import { getTestChain, closeTestChain } from '@ocap/e2e-test/fixture';
 import defaultConfigModule from '@ocap/e2e-test/config';
 
-// @ts-ignore - compiled output
-import { execute, createExecutor } from '../lib';
+import { execute, createExecutor } from '../src';
 
 const defaultConfig = cloneDeep(defaultConfigModule);
 

package/tools/test-helpers.ts

@@ -0,0 +1,82 @@
+/**
+ * Test helper utilities for IDD six-dimension testing.
+ *
+ * - assertNoSensitiveData: Data Leak detection
+ * - captureStateSnapshot / assertStateUnchanged: Data Damage verification
+ */
+
+/**
+ * Patterns that match sensitive data commonly found in blockchain SDKs.
+ * Used by Data Leak tests to verify error messages and outputs don't leak secrets.
+ */
+export const SENSITIVE_PATTERNS: { pattern: RegExp; label: string }[] = [
+  { pattern: /-----BEGIN.*PRIVATE KEY-----/, label: 'PEM private key' },
+  { pattern: /\b(mnemonic|seed\s*phrase)\b/i, label: 'mnemonic keyword' },
+  { pattern: /sk[A-Za-z0-9+/]{40,}/, label: 'base58-encoded secret key' },
+];
+
+/**
+ * Assert that a string or object does not contain sensitive data patterns.
+ * Throws if any SENSITIVE_PATTERNS match.
+ */
+export function assertNoSensitiveData(data: string | object, context = 'output'): void {
+  const str = typeof data === 'string' ? data : JSON.stringify(data);
+  for (const { pattern, label } of SENSITIVE_PATTERNS) {
+    if (pattern.test(str)) {
+      throw new Error(`Data leak detected in ${context}: matches ${label} (${pattern})`);
+    }
+  }
+}
+
+/**
+ * Capture a deep-cloned snapshot of account states for the given addresses.
+ * Returns a Map<address, state>. Addresses with no state are skipped.
+ */
+export async function captureStateSnapshot(
+  statedb: { account: { get(address: string): Promise<any> } },
+  addresses: string[]
+): Promise<Map<string, any>> {
+  const snapshot = new Map<string, any>();
+  for (const addr of addresses) {
+    const state = await statedb.account.get(addr);
+    if (state) {
+      snapshot.set(addr, JSON.parse(JSON.stringify(state)));
+    }
+  }
+  return snapshot;
+}
+
+/**
+ * Assert that account states have not changed between two snapshots.
+ * Compares by JSON serialization (deep equality).
+ *
+ * @param fields - If provided, only compare these fields on each state.
+ *                 Useful when dynamic fields (e.g. _retrievedAt) differ.
+ */
+export function assertStateUnchanged(
+  before: Map<string, any>,
+  after: Map<string, any>,
+  message = '',
+  fields?: string[]
+): void {
+  for (const [addr, beforeState] of before) {
+    const afterState = after.get(addr);
+    const pick = (obj: any) => {
+      if (!fields || !obj) return obj;
+      const result: Record<string, any> = {};
+      for (const f of fields) {
+        result[f] = obj[f];
+      }
+      return result;
+    };
+    const beforeStr = JSON.stringify(pick(beforeState));
+    const afterStr = JSON.stringify(pick(afterState));
+    if (beforeStr !== afterStr) {
+      throw new Error(
+        `State changed for ${addr}${message ? ': ' + message : ''}\n` +
+          `  before: ${beforeStr}\n` +
+          `  after:  ${afterStr}`
+      );
+    }
+  }
+}