@pay-skill/sdk 0.1.8 → 0.1.11

package/tests/test_auth_rejection.ts

@@ -1,33 +1,46 @@
 /**
- * Auth rejection tests — proves that:
- * 1. Requests without auth headers are rejected with 401
- * 2. Requests with invalid/wrong signatures are rejected with 401
- * 3. The SDK surfaces auth errors as PayServerError with correct statusCode
+ * Auth rejection tests — proves that the Wallet sends valid auth headers
+ * and that servers can reject invalid auth.
  */
 
 import { describe, it, beforeEach, afterEach } from "node:test";
 import assert from "node:assert/strict";
-import { createServer, type Server, type IncomingMessage, type ServerResponse } from "node:http";
+import {
+  createServer,
+  type Server,
+  type IncomingMessage,
+  type ServerResponse,
+} from "node:http";
 import { once } from "node:events";
-
-import { PayClient, PayServerError, CallbackSigner, RawKeySigner } from "../src/index.js";
 import type { Hex, Address } from "viem";
+import { Wallet, PayServerError } from "../src/index.js";
 
 const ANVIL_PK =
   "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" as Hex;
-const WRONG_PK =
-  "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d" as Hex;
-
-const TEST_ROUTER = "0x5FbDB2315678afecb367f032d93F642f64180aa3" as Address;
-const TEST_CHAIN_ID = 8453;
-const VALID_ADDR = "0x" + "a1".repeat(20);
 
 /**
  * Minimal HTTP server that enforces X-Pay-* auth headers.
- * Returns 401 if any required header is missing, 200 otherwise.
+ * /contracts is public (no auth).
+ * Everything else requires valid auth headers.
  */
 function createAuthServer(): Server {
   return createServer((req: IncomingMessage, res: ServerResponse) => {
+    // /contracts is public
+    if (req.url?.endsWith("/contracts")) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          router: "0x5FbDB2315678afecb367f032d93F642f64180aa3",
+          tab: "0x" + "bb".repeat(20),
+          direct: "0x" + "cc".repeat(20),
+          fee: "0x" + "dd".repeat(20),
+          usdc: "0x" + "ee".repeat(20),
+          chain_id: 8453,
+        }),
+      );
+      return;
+    }
+
     const agent = req.headers["x-pay-agent"];
     const sig = req.headers["x-pay-signature"];
     const ts = req.headers["x-pay-timestamp"];
@@ -39,7 +52,6 @@ function createAuthServer(): Server {
       return;
     }
 
-    // Check that sig looks like a real 65-byte hex signature
     const sigStr = Array.isArray(sig) ? sig[0] : sig;
     if (!sigStr.startsWith("0x") || sigStr.length !== 132) {
       res.writeHead(401, { "Content-Type": "application/json" });
@@ -47,21 +59,15 @@ function createAuthServer(): Server {
       return;
     }
 
-    // Check that sig is not all zeros (stub detection)
-    if (sigStr === "0x" + "0".repeat(130)) {
-      res.writeHead(401, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Stub signature rejected" }));
-      return;
-    }
-
-    // Auth passed — return mock data
+    // Auth passed
     res.writeHead(200, { "Content-Type": "application/json" });
     res.end(
       JSON.stringify({
-        address: agent,
-        balance: 100_000_000,
-        open_tabs: [],
-      })
+        wallet: agent,
+        balance_usdc: "100000000",
+        open_tabs: 0,
+        total_locked: 0,
+      }),
     );
   });
 }
@@ -69,14 +75,14 @@ function createAuthServer(): Server {
 let server: Server;
 let baseUrl: string;
 
-describe("Auth rejection", () => {
+describe("Auth with new Wallet class", () => {
   beforeEach(async () => {
     server = createAuthServer();
-    server.listen(0); // random port
+    server.listen(0);
     await once(server, "listening");
     const addr = server.address();
     if (typeof addr === "object" && addr) {
-      baseUrl = `http://127.0.0.1:${addr.port}`;
+      baseUrl = `http://127.0.0.1:${addr.port}/api/v1`;
     }
   });
 
@@ -85,70 +91,12 @@ describe("Auth rejection", () => {
     await once(server, "close");
   });
 
-  it("rejects request without auth headers (no private key configured)", async () => {
-    // Client with no auth config — sends no X-Pay-* headers
-    const client = new PayClient({
-      apiUrl: baseUrl,
-      signer: new CallbackSigner((_h: Uint8Array) => new Uint8Array(65)),
-    });
-
-    await assert.rejects(
-      () => client.getStatus(),
-      (err: unknown) => {
-        assert.ok(err instanceof PayServerError);
-        assert.equal(err.statusCode, 401);
-        assert.ok(err.message.includes("Missing auth headers"));
-        return true;
-      }
-    );
-  });
-
-  it("rejects request with stub signer (all-zero signature)", async () => {
-    // Client with a stub signer that returns zeros — server should reject
-    const client = new PayClient({
-      apiUrl: baseUrl,
-      signer: new CallbackSigner((_h: Uint8Array) => new Uint8Array(65)),
-      chainId: TEST_CHAIN_ID,
-      routerAddress: TEST_ROUTER,
-    });
-
-    await assert.rejects(
-      () => client.getStatus(),
-      (err: unknown) => {
-        assert.ok(err instanceof PayServerError);
-        assert.equal(err.statusCode, 401);
-        return true;
-      }
-    );
-  });
-
-  it("accepts request with valid auth headers (real signing)", async () => {
-    const client = new PayClient({
-      apiUrl: baseUrl,
-      privateKey: ANVIL_PK,
-      chainId: TEST_CHAIN_ID,
-      routerAddress: TEST_ROUTER,
-    });
-
-    // Should NOT throw — server accepts valid auth
-    const status = await client.getStatus();
-    assert.ok(status.balance >= 0);
-  });
-
-  it("PayServerError has statusCode 401 for auth failures", async () => {
-    // Directly verify error structure
-    const client = new PayClient({
-      apiUrl: baseUrl,
-      signer: new CallbackSigner((_h: Uint8Array) => new Uint8Array(65)),
-    });
-
-    try {
-      await client.getStatus();
-      assert.fail("Should have thrown PayServerError");
-    } catch (err) {
-      assert.ok(err instanceof PayServerError, "must be PayServerError");
-      assert.equal(err.statusCode, 401, "statusCode must be 401");
-      assert.equal(err.code, "server_error");
-    }
+  it("Wallet sends valid auth headers and gets 200", async () => {
+    process.env.PAYSKILL_API_URL = baseUrl;
+    const wallet = new Wallet({ privateKey: ANVIL_PK });
+    const status = await wallet.status();
+    assert.ok(status.address.startsWith("0x"));
+    assert.ok(status.balance.total >= 0);
+    delete process.env.PAYSKILL_API_URL;
   });
 });

package/tests/test_crypto.ts

@@ -1,149 +1,61 @@
 /**
  * Crypto round-trip tests — proves that:
- * 1. Address derivation uses real secp256k1 (not FNV hash)
- * 2. EIP-712 signing produces valid signatures that the server can recover
- * 3. buildAuthHeaders produces valid auth headers
+ * 1. Address derivation uses real secp256k1
+ * 2. buildAuthHeaders produces valid recoverable signatures
  */
 
 import { describe, it } from "node:test";
 import assert from "node:assert/strict";
-import { privateKeyToAccount } from "viem/accounts";
 import { recoverAddress, type Hex, type Address } from "viem";
 
-import { PrivateKeySigner, Wallet } from "../src/wallet.js";
-import { RawKeySigner } from "../src/signer.js";
-import { buildAuthHeaders, computeEip712Hash } from "../src/auth.js";
+import { Wallet } from "../src/wallet.js";
+import { buildAuthHeaders, buildAuthHeadersSigned, computeEip712Hash } from "../src/auth.js";
 
 // Anvil account #0 — well-known test key
 const ANVIL_PK =
   "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" as Hex;
-const ANVIL_ADDRESS = "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266" as Address;
+const ANVIL_ADDRESS =
+  "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266" as Address;
 
-const TEST_ROUTER = "0x5FbDB2315678afecb367f032d93F642f64180aa3" as Address;
+const TEST_ROUTER =
+  "0x5FbDB2315678afecb367f032d93F642f64180aa3" as Address;
 const TEST_CHAIN_ID = 8453;
 
 describe("Address derivation", () => {
-  it("derives correct address from Anvil #0 private key via Wallet", () => {
-    const wallet = new Wallet({
-      privateKey: ANVIL_PK,
-      chain: "8453",
-      apiUrl: "http://localhost:3000/api/v1",
-      routerAddress: TEST_ROUTER,
-    });
+  it("derives correct address from Anvil #0 private key", () => {
+    const wallet = new Wallet({ privateKey: ANVIL_PK });
     assert.equal(wallet.address, ANVIL_ADDRESS);
   });
 
-  it("derives correct address via PrivateKeySigner", () => {
-    const signer = new PrivateKeySigner(ANVIL_PK);
-    assert.equal(signer.address, ANVIL_ADDRESS);
-  });
-
-  it("derives correct address via RawKeySigner", () => {
-    const signer = new RawKeySigner(ANVIL_PK);
-    assert.equal(signer.address, ANVIL_ADDRESS);
-  });
-
   it("works without 0x prefix", () => {
-    const signer = new PrivateKeySigner(ANVIL_PK.slice(2));
-    assert.equal(signer.address, ANVIL_ADDRESS);
-  });
-});
-
-describe("EIP-712 signing round-trip", () => {
-  it("PrivateKeySigner produces recoverable EIP-712 signature", async () => {
-    const signer = new PrivateKeySigner(ANVIL_PK);
-
-    const domain = {
-      name: "pay",
-      version: "0.1",
-      chainId: BigInt(TEST_CHAIN_ID),
-      verifyingContract: TEST_ROUTER,
-    };
-    const types = {
-      APIRequest: [
-        { name: "method", type: "string" },
-        { name: "path", type: "string" },
-        { name: "timestamp", type: "uint256" },
-        { name: "nonce", type: "bytes32" },
-      ],
-    };
-    const nonce =
-      "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
-    const message = {
-      method: "POST",
-      path: "/api/v1/direct",
-      timestamp: BigInt(1741400000),
-      nonce,
-    };
-
-    const signature = await signer.signTypedData(domain, types, message);
-
-    assert.ok(signature.startsWith("0x"), "signature should be hex");
-    assert.equal(signature.length, 132, "signature should be 65 bytes hex");
-    assert.notEqual(
-      signature,
-      "0x" + "0".repeat(130),
-      "signature must not be zeros (stub)"
-    );
-
-    // Recover the signer address from the signature
-    const recovered = await recoverAddress({
-      hash: (await import("viem")).hashTypedData({
-        domain,
-        types,
-        primaryType: "APIRequest",
-        message,
-      }),
-      signature: signature as Hex,
-    });
-
-    assert.equal(
-      recovered.toLowerCase(),
-      ANVIL_ADDRESS.toLowerCase(),
-      "recovered address must match signer"
-    );
+    const wallet = new Wallet({ privateKey: ANVIL_PK.slice(2) });
+    assert.equal(wallet.address, ANVIL_ADDRESS);
   });
 });
 
 describe("buildAuthHeaders", () => {
   it("produces valid auth headers with correct address", async () => {
-    const headers = await buildAuthHeaders(ANVIL_PK, "POST", "/api/v1/direct", {
-      chainId: TEST_CHAIN_ID,
-      routerAddress: TEST_ROUTER,
-    });
-
-    assert.equal(headers["X-Pay-Agent"], ANVIL_ADDRESS);
-    assert.ok(
-      headers["X-Pay-Signature"].startsWith("0x"),
-      "signature should be hex"
-    );
-    assert.equal(
-      headers["X-Pay-Signature"].length,
-      132,
-      "signature should be 65 bytes"
-    );
-    assert.ok(
-      Number(headers["X-Pay-Timestamp"]) > 0,
-      "timestamp should be positive"
-    );
-    assert.ok(
-      headers["X-Pay-Nonce"].startsWith("0x"),
-      "nonce should be hex"
-    );
-    assert.equal(
-      headers["X-Pay-Nonce"].length,
-      66,
-      "nonce should be 32 bytes hex"
+    const headers = await buildAuthHeaders(
+      ANVIL_PK,
+      "POST",
+      "/api/v1/direct",
+      { chainId: TEST_CHAIN_ID, routerAddress: TEST_ROUTER },
     );
+    assert.equal(headers["X-Pay-Agent"], ANVIL_ADDRESS);
+    assert.ok(headers["X-Pay-Signature"].startsWith("0x"));
+    assert.equal(headers["X-Pay-Signature"].length, 132);
+    assert.ok(Number(headers["X-Pay-Timestamp"]) > 0);
+    assert.ok(headers["X-Pay-Nonce"].startsWith("0x"));
+    assert.equal(headers["X-Pay-Nonce"].length, 66);
   });
 
   it("signature recovers to the correct address", async () => {
-    const headers = await buildAuthHeaders(ANVIL_PK, "POST", "/api/v1/direct", {
-      chainId: TEST_CHAIN_ID,
-      routerAddress: TEST_ROUTER,
-    });
-
-    // Recompute the hash and recover
+    const headers = await buildAuthHeaders(
+      ANVIL_PK,
+      "POST",
+      "/api/v1/direct",
+      { chainId: TEST_CHAIN_ID, routerAddress: TEST_ROUTER },
+    );
     const { hashTypedData } = await import("viem");
     const hash = hashTypedData({
       domain: {
@@ -168,83 +80,58 @@ describe("buildAuthHeaders", () => {
         nonce: headers["X-Pay-Nonce"] as Hex,
       },
     });
-
     const recovered = await recoverAddress({
       hash,
       signature: headers["X-Pay-Signature"] as Hex,
     });
+    assert.equal(recovered.toLowerCase(), ANVIL_ADDRESS.toLowerCase());
+  });
+});
 
-    assert.equal(
-      recovered.toLowerCase(),
-      ANVIL_ADDRESS.toLowerCase(),
-      "recovered address must match signer"
+describe("buildAuthHeadersSigned", () => {
+  it("produces same-structure headers as buildAuthHeaders", async () => {
+    const { privateKeyToAccount } = await import("viem/accounts");
+    const account = privateKeyToAccount(ANVIL_PK);
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const signFn = (p: any) => account.signTypedData(p);
+
+    const headers = await buildAuthHeadersSigned(
+      ANVIL_ADDRESS,
+      signFn,
+      "GET",
+      "/api/v1/status",
+      { chainId: TEST_CHAIN_ID, routerAddress: TEST_ROUTER },
     );
+    assert.equal(headers["X-Pay-Agent"], ANVIL_ADDRESS);
+    assert.ok(headers["X-Pay-Signature"].startsWith("0x"));
+    assert.equal(headers["X-Pay-Signature"].length, 132);
   });
 });
 
 describe("computeEip712Hash", () => {
+  const nonce =
+    "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" as Hex;
+
   it("produces deterministic output", () => {
-    const nonce =
-      "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" as Hex;
     const h1 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      TEST_CHAIN_ID,
-      TEST_ROUTER
+      "POST", "/api/v1/direct", BigInt(1741400000),
+      nonce, TEST_CHAIN_ID, TEST_ROUTER,
     );
     const h2 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      TEST_CHAIN_ID,
-      TEST_ROUTER
+      "POST", "/api/v1/direct", BigInt(1741400000),
+      nonce, TEST_CHAIN_ID, TEST_ROUTER,
     );
     assert.deepEqual(h1, h2);
   });
 
   it("different methods produce different hashes", () => {
-    const nonce =
-      "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" as Hex;
     const h1 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      TEST_CHAIN_ID,
-      TEST_ROUTER
-    );
-    const h2 = computeEip712Hash(
-      "GET",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      TEST_CHAIN_ID,
-      TEST_ROUTER
-    );
-    assert.notDeepEqual(h1, h2);
-  });
-
-  it("different chain IDs produce different hashes", () => {
-    const nonce =
-      "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" as Hex;
-    const h1 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      8453,
-      TEST_ROUTER
+      "POST", "/api/v1/direct", BigInt(1741400000),
+      nonce, TEST_CHAIN_ID, TEST_ROUTER,
     );
     const h2 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      84531,
-      TEST_ROUTER
+      "GET", "/api/v1/direct", BigInt(1741400000),
+      nonce, TEST_CHAIN_ID, TEST_ROUTER,
     );
     assert.notDeepEqual(h1, h2);
   });