@pafi-dev/issuer 0.33.0 → 0.35.0

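--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1139,9 +1139,9 @@ function createPafiEstimatorClient(config) {
  var InMemoryCursorStore = class _InMemoryCursorStore {
  cursor;
  /**
- * Child stores keyed by `forKey()`. Each child has its own cursor
- * (the H-05 fix), so a single InMemoryCursorStore can back N
- * PointIndexers in tests / single-process callers.
+ * Child stores keyed by `forKey()`. Each child has its own cursor,
+ * so a single InMemoryCursorStore can back N PointIndexers in tests
+ * / single-process callers.
  */
  children = /* @__PURE__ */ new Map();
  async load() {
@@ -2151,7 +2151,7 @@ var PTRedeemHandler = class {
  if (!config.supportedTokens) {
  throw new PTRedeemError(
  "UNSUPPORTED_POINT_TOKEN",
- "PTRedeemHandler requires `supportedTokens` (issuer's allow-listed PointToken contracts). See audit PACI5-18."
+ "PTRedeemHandler requires `supportedTokens` (issuer's allow-listed PointToken contracts)."
  );
  }
  this.supportedTokens = config.supportedTokens;
@@ -2165,7 +2165,7 @@ var PTRedeemHandler = class {
  if (this.signatureDeadlineSeconds * 1e3 > maxAllowedSignatureMs) {
  throw new PTRedeemError(
  "INVALID_AMOUNT",
- `PTRedeemHandler config: signatureDeadlineSeconds (${this.signatureDeadlineSeconds}s) must be at most redeemLockDurationMs - safety margin = ${maxAllowedSignatureMs / 1e3}s (redeemLockDurationMs=${this.redeemLockDurationMs / 1e3}s, safety=${M11_SAFETY_MARGIN_MS / 1e3}s). See audit M-11.`
+ `PTRedeemHandler config: signatureDeadlineSeconds (${this.signatureDeadlineSeconds}s) must be at most redeemLockDurationMs - safety margin = ${maxAllowedSignatureMs / 1e3}s (redeemLockDurationMs=${this.redeemLockDurationMs / 1e3}s, safety=${M11_SAFETY_MARGIN_MS / 1e3}s).`
  );
  }
  if (config.redemptionService) {
@@ -2426,13 +2426,13 @@ var DEFAULT_STATUS_CONFIRMATIONS = 3;
  async function isReceiptPastConfirmations(receipt, provider, confirmations, onWarning, handlerName) {
  if (!provider) {
  onWarning?.(
- `${handlerName}: provider missing \u2014 cannot enforce confirmation depth; deferring receipt fallback to on-chain indexer (audit PACI5-13).`
+ `${handlerName}: provider missing \u2014 cannot enforce confirmation depth; deferring receipt fallback to on-chain indexer.`
  );
  return false;
  }
  if (!receipt.blockNumber) {
  onWarning?.(
- `${handlerName}: receipt has no blockNumber \u2014 cannot enforce confirmation depth; deferring to indexer (audit PACI5-13).`
+ `${handlerName}: receipt has no blockNumber \u2014 cannot enforce confirmation depth; deferring to indexer.`
  );
  return false;
  }
@@ -2442,7 +2442,7 @@ async function isReceiptPastConfirmations(receipt, provider, confirmations, onWa
  receiptBlock = BigInt(receipt.blockNumber);
  } catch {
  onWarning?.(
- `${handlerName}: malformed receipt blockNumber (${receipt.blockNumber}) \u2014 deferring to indexer (audit PACI5-13).`
+ `${handlerName}: malformed receipt blockNumber (${receipt.blockNumber}) \u2014 deferring to indexer.`
  );
  return false;
  }
@@ -2451,7 +2451,7 @@ async function isReceiptPastConfirmations(receipt, provider, confirmations, onWa
  head = await provider.getBlockNumber();
  } catch (err) {
  onWarning?.(
- `${handlerName}: getBlockNumber failed (${err instanceof Error ? err.message : String(err)}) \u2014 deferring to indexer (audit PACI5-13).`
+ `${handlerName}: getBlockNumber failed (${err instanceof Error ? err.message : String(err)}) \u2014 deferring to indexer.`
  );
  return false;
  }
@@ -2509,7 +2509,7 @@ async function handleClaimStatus(params) {
  if (receipt.success && receipt.txHash) {
  if (!lock.tokenAddress) {
  params.onWarning?.(
- `handleClaimStatus: lock ${lock.lockId} has no tokenAddress; falling back to status-only flip (PACI5-24 defence degraded). Migrate the ledger to the multi-token schema.`
+ `handleClaimStatus: lock ${lock.lockId} has no tokenAddress; falling back to status-only flip \u2014 atomic debit+flip cannot run on a legacy single-token row. Migrate the ledger to the multi-token schema.`
  );
  await params.ledger.updateMintStatus(lock.lockId, "MINTED", receipt.txHash).catch((err) => {
  params.onWarning?.(
@@ -2763,8 +2763,8 @@ async function prepareMobileUserOp(params) {
  verificationGasLimit: fallback.userOp.verificationGasLimit.toString(),
  preVerificationGas: fallback.userOp.preVerificationGas.toString(),
  userOpHash: fallback.userOpHash,
- // Audit PACI5-21 — carry the fallback-specific lockId so submit
- // can bind the fallback userOpHash to the correct ledger row.
+ // Carry the fallback-specific lockId so submit can bind the
+ // fallback userOpHash to the correct ledger row.
  lockId: params.lockIdFallback
  };
  }
@@ -3041,7 +3041,7 @@ var PTClaimHandler = class {
  if (!config.supportedTokens) {
  throw new PTClaimError(
  "UNSUPPORTED_POINT_TOKEN",
- "PTClaimHandler requires `supportedTokens` (issuer's allow-listed PointToken contracts). See audit PACI5-18."
+ "PTClaimHandler requires `supportedTokens` (issuer's allow-listed PointToken contracts)."
  );
  }
  const lockDurationMs = config.lockDurationMs ?? DEFAULT_LOCK_MS;
@@ -3050,7 +3050,7 @@ var PTClaimHandler = class {
  if (signatureDeadlineSeconds * 1e3 > maxAllowedSignatureMs) {
  throw new PTClaimError(
  "VALIDATION_FAILED",
- `PTClaimHandler config: signatureDeadlineSeconds (${signatureDeadlineSeconds}s) must be at most lockDurationMs - safety margin = ${maxAllowedSignatureMs / 1e3}s (lockDurationMs=${lockDurationMs / 1e3}s, safety=${M11_SAFETY_MARGIN_MS2 / 1e3}s). See audit M-11.`,
+ `PTClaimHandler config: signatureDeadlineSeconds (${signatureDeadlineSeconds}s) must be at most lockDurationMs - safety margin = ${maxAllowedSignatureMs / 1e3}s (lockDurationMs=${lockDurationMs / 1e3}s, safety=${M11_SAFETY_MARGIN_MS2 / 1e3}s).`,
  {
  lockDurationMs,
  signatureDeadlineSeconds,
@@ -3164,6 +3164,13 @@ var PTClaimHandler = class {
  callData: previewUserOp.callData
  }
  }) : 0n;
+ if (feeAmount > 0n && feeAmount >= request.amount) {
+ throw new PTClaimError(
+ "INVALID_AMOUNT",
+ `fee (${feeAmount}) must be strictly less than claim amount (${request.amount})`,
+ { feeAmount: feeAmount.toString(), amount: request.amount.toString() }
+ );
+ }
  const domainName = await this.cfg.domainResolver.resolve(
  request.pointTokenAddress
  );
@@ -3794,8 +3801,6 @@ var IssuerApiAdapter = class {
  userAddress: authenticatedAddress,
  ledger: this.cfg.ledger,
  pafiBackendClient: this.cfg.pafiBackendClient,
- // Audit PACI5-13 — pass the same provider the indexers use so
- // the receipt fallback gates on the same reorg depth.
  provider: this.cfg.provider,
  onWarning: this.cfg.onWarning
  });
@@ -3806,7 +3811,6 @@ var IssuerApiAdapter = class {
  userAddress: authenticatedAddress,
  ledger: this.cfg.ledger,
  pafiBackendClient: this.cfg.pafiBackendClient,
- // Audit PACI5-13 — see claimStatus comment.
  provider: this.cfg.provider,
  onWarning: this.cfg.onWarning
  });
@@ -4897,7 +4901,7 @@ async function createIssuerService(config) {
  const sharedCursorWithMultipleTokens = baseCursorStore !== void 0 && typeof baseCursorStore.forKey !== "function" && tokenAddresses.length > 1;
  if (sharedCursorWithMultipleTokens) {
  console.warn(
- `[@pafi-dev/issuer] cursorStore lacks forKey() and ${tokenAddresses.length} PointTokens are configured. All PointIndexers will share one cursor row, causing token-skipping (audit finding H-05). Implement IIndexerCursorStore.forKey to return per-token derived stores. This permissive path will be removed in a future major release.`
+ `[@pafi-dev/issuer] cursorStore lacks forKey() and ${tokenAddresses.length} PointTokens are configured. All PointIndexers will share one cursor row, causing token-skipping. Implement IIndexerCursorStore.forKey to return per-token derived stores. This permissive path will be removed in a future major release.`
  );
  }
  const indexers = /* @__PURE__ */ new Map();
@@ -4988,7 +4992,7 @@ async function createIssuerService(config) {
  const lock = config.indexer.singletonLock;
  if (!lock) {
  console.warn(
- "[@pafi-dev/issuer] indexer.autoStart=true without singletonLock \u2014 this is UNSAFE in multi-replica deployments (audit finding H-04). Either set replicas=1 + INDEXER_AUTOSTART=false on non-leader pods, or pass `singletonLock: makePostgresSingletonLock(dataSource)`. This permissive path will be removed in a future major release."
+ "[@pafi-dev/issuer] indexer.autoStart=true without singletonLock \u2014 this is UNSAFE in multi-replica deployments. Either set replicas=1 + INDEXER_AUTOSTART=false on non-leader pods, or pass `singletonLock: makePostgresSingletonLock(dataSource)`. This permissive path will be removed in a future major release."
  );
  for (const idx of indexers.values()) {
  idx.start();
@@ -5026,7 +5030,7 @@ import {
  issuerRegistryAbi,
  getContractAddresses as getContractAddresses8
  } from "@pafi-dev/core";
- var ISSUER_RECORD_TTL_MS = 3e4;
+ var ISSUER_RECORD_TTL_MS = 1e4;
  var IssuerStateValidator = class _IssuerStateValidator {
  constructor(provider, registryAddress) {
  this.provider = provider;
@@ -5047,7 +5051,9 @@ var IssuerStateValidator = class _IssuerStateValidator {
  }
  /**
  * Invalidate cached state for one PointToken, or everything if omitted.
- * Call after admin txs that change registry or cap settings.
+ * Call after admin txs that change registry or cap settings — closes
+ * the split-brain window described
+ * passive TTL. Idempotent: safe to call when no entry exists.
  */
  invalidate(pointToken) {
  if (pointToken) {
@@ -5220,7 +5226,7 @@ var MemoryRedemptionHistoryStore = class {
  };
 
  // src/index.ts
- var PAFI_ISSUER_SDK_VERSION = true ? "0.33.0" : "dev";
+ var PAFI_ISSUER_SDK_VERSION = true ? "0.35.0" : "dev";
  export {
  AdapterMisconfiguredError,
  AuthError,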
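Review bot: The new doc comment on `invalidate()` in the `IssuerStateValidator` hunk is cut off mid-sentence: "closes the split-brain window described" runs straight into "passive TTL.", so it no longer says what the window is or how the call relates to the TTL. It looks as if an audit reference was stripped along with the others in this release and took the rest of the clause with it. The same release lowers `ISSUER_RECORD_TTL_MS` from `3e4` to `1e4`, presumably the passive TTL meant here, so the comment should state the contract outright, e.g. `* Call after admin txs that change registry or cap settings so cached state is dropped at once instead of lingering until the passive TTL expires. Idempotent: safe to call when no entry exists.` A one-line comment on the constant saying that it bounds how long a stale issuer record can be served would also help operators judge the revocation delay. The class body continues outside the hunks shown.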