npm - @sip-protocol/sdk - Versions diffs - 0.7.2 → 0.7.4 - Mend

@sip-protocol/sdk 0.7.2 → 0.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (262) hide show

package/LICENSE +21 -0
package/README.md +267 -0
package/dist/{TransportWebUSB-TQ7WZ4LE.mjs → TransportWebUSB-YQMAGJAJ.mjs} +12 -9
package/dist/browser.d.mts +10 -4
package/dist/browser.d.ts +10 -4
package/dist/browser.js +48874 -18336
package/dist/browser.mjs +674 -48
package/dist/chunk-4GRJ5MAW.mjs +152 -0
package/dist/chunk-5D7A3L3W.mjs +717 -0
package/dist/chunk-64AYA5F5.mjs +7834 -0
package/dist/chunk-GMDGB22A.mjs +379 -0
package/dist/chunk-I534WKN7.mjs +328 -0
package/dist/chunk-IBZVA5Y7.mjs +1003 -0
package/dist/chunk-PRRZAWJE.mjs +223 -0
package/dist/{chunk-UJCSKKID.mjs → chunk-XGB3TDIC.mjs} +13 -1
package/dist/chunk-YWGJ77A2.mjs +33806 -0
package/dist/{chunk-6WGN57S2.mjs → chunk-Z3K7W5S3.mjs} +48 -0
package/dist/constants-LHAAUC2T.mjs +51 -0
package/dist/dist-2OGQ7FED.mjs +3957 -0
package/dist/dist-IFHPYLDX.mjs +254 -0
package/dist/fulfillment_proof-ANHVPKTB.mjs +21 -0
package/dist/funding_proof-ICFZ5LHY.mjs +21 -0
package/dist/index-DXh2IGkz.d.ts +24681 -0
package/dist/index-DeE1ZzA4.d.mts +24681 -0
package/dist/index.d.mts +9 -3
package/dist/index.d.ts +9 -3
package/dist/index.js +48676 -17318
package/dist/index.mjs +583 -19
package/dist/interface-Bf7w1PLW.d.mts +679 -0
package/dist/interface-Bf7w1PLW.d.ts +679 -0
package/dist/{noir-DKfEzWy9.d.mts → noir-kzbLVTei.d.mts} +31 -21
package/dist/{noir-DKfEzWy9.d.ts → noir-kzbLVTei.d.ts} +31 -21
package/dist/proofs/halo2.d.mts +151 -0
package/dist/proofs/halo2.d.ts +151 -0
package/dist/proofs/halo2.js +350 -0
package/dist/proofs/halo2.mjs +11 -0
package/dist/proofs/kimchi.d.mts +160 -0
package/dist/proofs/kimchi.d.ts +160 -0
package/dist/proofs/kimchi.js +431 -0
package/dist/proofs/kimchi.mjs +13 -0
package/dist/proofs/noir.d.mts +1 -1
package/dist/proofs/noir.d.ts +1 -1
package/dist/proofs/noir.js +74 -18
package/dist/proofs/noir.mjs +84 -24
package/dist/solana-U3MEGU7W.mjs +280 -0
package/dist/validity_proof-3POXLPNY.mjs +21 -0
package/package.json +54 -21
package/src/adapters/index.ts +41 -0
package/src/adapters/jupiter.ts +571 -0
package/src/adapters/near-intents.ts +135 -0
package/src/advisor/advisor.ts +653 -0
package/src/advisor/index.ts +54 -0
package/src/advisor/tools.ts +303 -0
package/src/advisor/types.ts +164 -0
package/src/chains/ethereum/announcement.ts +536 -0
package/src/chains/ethereum/bnb-optimizations.ts +474 -0
package/src/chains/ethereum/commitment.ts +522 -0
package/src/chains/ethereum/constants.ts +462 -0
package/src/chains/ethereum/deployment.ts +596 -0
package/src/chains/ethereum/gas-estimation.ts +538 -0
package/src/chains/ethereum/index.ts +268 -0
package/src/chains/ethereum/optimizations.ts +614 -0
package/src/chains/ethereum/privacy-adapter.ts +855 -0
package/src/chains/ethereum/registry.ts +584 -0
package/src/chains/ethereum/rpc.ts +905 -0
package/src/chains/ethereum/stealth.ts +491 -0
package/src/chains/ethereum/token.ts +790 -0
package/src/chains/ethereum/transfer.ts +637 -0
package/src/chains/ethereum/types.ts +456 -0
package/src/chains/ethereum/viewing-key.ts +455 -0
package/src/chains/near/commitment.ts +608 -0
package/src/chains/near/constants.ts +284 -0
package/src/chains/near/function-call.ts +871 -0
package/src/chains/near/history.ts +654 -0
package/src/chains/near/implicit-account.ts +840 -0
package/src/chains/near/index.ts +393 -0
package/src/chains/near/native-transfer.ts +658 -0
package/src/chains/near/nep141.ts +775 -0
package/src/chains/near/privacy-adapter.ts +889 -0
package/src/chains/near/resolver.ts +971 -0
package/src/chains/near/rpc.ts +1016 -0
package/src/chains/near/stealth.ts +419 -0
package/src/chains/near/types.ts +317 -0
package/src/chains/near/viewing-key.ts +876 -0
package/src/chains/solana/anchor-transfer.ts +386 -0
package/src/chains/solana/commitment.ts +577 -0
package/src/chains/solana/constants.ts +126 -12
package/src/chains/solana/ephemeral-keys.ts +543 -0
package/src/chains/solana/index.ts +276 -1
package/src/chains/solana/key-derivation.ts +418 -0
package/src/chains/solana/kit-compat.ts +334 -0
package/src/chains/solana/optimizations.ts +560 -0
package/src/chains/solana/privacy-adapter.ts +605 -0
package/src/chains/solana/providers/generic.ts +201 -0
package/src/chains/solana/providers/helius-enhanced-types.ts +336 -0
package/src/chains/solana/providers/helius-enhanced.ts +623 -0
package/src/chains/solana/providers/helius.ts +402 -0
package/src/chains/solana/providers/index.ts +85 -0
package/src/chains/solana/providers/interface.ts +221 -0
package/src/chains/solana/providers/quicknode.ts +409 -0
package/src/chains/solana/providers/triton.ts +426 -0
package/src/chains/solana/providers/webhook.ts +790 -0
package/src/chains/solana/rpc-client.ts +1150 -0
package/src/chains/solana/scan.ts +170 -73
package/src/chains/solana/sol-transfer.ts +732 -0
package/src/chains/solana/spl-transfer.ts +886 -0
package/src/chains/solana/stealth-scanner.ts +703 -0
package/src/chains/solana/sunspot-verifier.ts +453 -0
package/src/chains/solana/transaction-builder.ts +755 -0
package/src/chains/solana/transfer.ts +74 -5
package/src/chains/solana/types.ts +77 -7
package/src/chains/solana/utils.ts +110 -0
package/src/chains/solana/viewing-key.ts +807 -0
package/src/compliance/fireblocks.ts +921 -0
package/src/compliance/index.ts +37 -0
package/src/compliance/range-sas.ts +956 -0
package/src/config/endpoints.ts +100 -0
package/src/crypto.ts +11 -8
package/src/errors.ts +82 -0
package/src/evm/erc4337-relayer.ts +830 -0
package/src/evm/index.ts +47 -0
package/src/fees/calculator.ts +396 -0
package/src/fees/index.ts +87 -0
package/src/fees/near-contract.ts +429 -0
package/src/fees/types.ts +268 -0
package/src/index.ts +785 -1
package/src/intent.ts +6 -3
package/src/logger.ts +324 -0
package/src/network/index.ts +80 -0
package/src/network/proxy.ts +691 -0
package/src/optimizations/index.ts +541 -0
package/src/oracle/types.ts +1 -0
package/src/privacy-backends/arcium-types.ts +727 -0
package/src/privacy-backends/arcium.ts +719 -0
package/src/privacy-backends/combined-privacy.ts +866 -0
package/src/privacy-backends/cspl-token.ts +595 -0
package/src/privacy-backends/cspl-types.ts +512 -0
package/src/privacy-backends/cspl.ts +907 -0
package/src/privacy-backends/health.ts +488 -0
package/src/privacy-backends/inco-types.ts +323 -0
package/src/privacy-backends/inco.ts +616 -0
package/src/privacy-backends/index.ts +336 -0
package/src/privacy-backends/interface.ts +906 -0
package/src/privacy-backends/lru-cache.ts +343 -0
package/src/privacy-backends/magicblock.ts +458 -0
package/src/privacy-backends/mock.ts +258 -0
package/src/privacy-backends/privacycash-types.ts +278 -0
package/src/privacy-backends/privacycash.ts +456 -0
package/src/privacy-backends/private-swap.ts +570 -0
package/src/privacy-backends/rate-limiter.ts +683 -0
package/src/privacy-backends/registry.ts +690 -0
package/src/privacy-backends/router.ts +626 -0
package/src/privacy-backends/shadowwire.ts +449 -0
package/src/privacy-backends/sip-native.ts +256 -0
package/src/privacy-logger.ts +191 -0
package/src/production-safety.ts +373 -0
package/src/proofs/aggregator.ts +1029 -0
package/src/proofs/browser-composer.ts +1150 -0
package/src/proofs/browser.ts +113 -25
package/src/proofs/cache/index.ts +127 -0
package/src/proofs/cache/interface.ts +545 -0
package/src/proofs/cache/key-generator.ts +188 -0
package/src/proofs/cache/lru-cache.ts +481 -0
package/src/proofs/cache/multi-tier-cache.ts +575 -0
package/src/proofs/cache/persistent-cache.ts +788 -0
package/src/proofs/compliance-proof.ts +872 -0
package/src/proofs/composer/base.ts +923 -0
package/src/proofs/composer/index.ts +25 -0
package/src/proofs/composer/interface.ts +518 -0
package/src/proofs/composer/types.ts +383 -0
package/src/proofs/converters/halo2.ts +452 -0
package/src/proofs/converters/index.ts +208 -0
package/src/proofs/converters/interface.ts +363 -0
package/src/proofs/converters/kimchi.ts +462 -0
package/src/proofs/converters/noir.ts +451 -0
package/src/proofs/fallback.ts +888 -0
package/src/proofs/halo2.ts +42 -0
package/src/proofs/index.ts +471 -0
package/src/proofs/interface.ts +13 -0
package/src/proofs/kimchi.ts +42 -0
package/src/proofs/lazy.ts +1004 -0
package/src/proofs/mock.ts +25 -1
package/src/proofs/noir.ts +111 -30
package/src/proofs/orchestrator.ts +960 -0
package/src/proofs/parallel/concurrency.ts +297 -0
package/src/proofs/parallel/dependency-graph.ts +602 -0
package/src/proofs/parallel/executor.ts +420 -0
package/src/proofs/parallel/index.ts +131 -0
package/src/proofs/parallel/interface.ts +685 -0
package/src/proofs/parallel/worker-pool.ts +644 -0
package/src/proofs/providers/halo2.ts +560 -0
package/src/proofs/providers/index.ts +34 -0
package/src/proofs/providers/kimchi.ts +641 -0
package/src/proofs/validator.ts +881 -0
package/src/proofs/verifier.ts +867 -0
package/src/quantum/index.ts +112 -0
package/src/quantum/winternitz-vault.ts +639 -0
package/src/quantum/wots.ts +611 -0
package/src/settlement/backends/direct-chain.ts +1 -0
package/src/settlement/index.ts +9 -0
package/src/settlement/router.ts +732 -46
package/src/solana/index.ts +72 -0
package/src/solana/jito-relayer.ts +687 -0
package/src/solana/noir-verifier-types.ts +430 -0
package/src/solana/noir-verifier.ts +816 -0
package/src/stealth/address-derivation.ts +193 -0
package/src/stealth/ed25519.ts +431 -0
package/src/stealth/index.ts +233 -0
package/src/stealth/meta-address.ts +221 -0
package/src/stealth/secp256k1.ts +368 -0
package/src/stealth/utils.ts +194 -0
package/src/stealth.ts +50 -1504
package/src/surveillance/algorithms/address-reuse.ts +143 -0
package/src/surveillance/algorithms/cluster.ts +247 -0
package/src/surveillance/algorithms/exchange.ts +295 -0
package/src/surveillance/algorithms/temporal.ts +337 -0
package/src/surveillance/analyzer.ts +442 -0
package/src/surveillance/index.ts +64 -0
package/src/surveillance/scoring.ts +372 -0
package/src/surveillance/types.ts +264 -0
package/src/sync/index.ts +106 -0
package/src/sync/manager.ts +504 -0
package/src/sync/mock-provider.ts +318 -0
package/src/sync/oblivious.ts +625 -0
package/src/tokens/index.ts +15 -0
package/src/tokens/registry.ts +301 -0
package/src/utils/deprecation.ts +94 -0
package/src/utils/index.ts +9 -0
package/src/wallet/ethereum/index.ts +68 -0
package/src/wallet/ethereum/metamask-privacy.ts +420 -0
package/src/wallet/ethereum/multi-wallet.ts +646 -0
package/src/wallet/ethereum/privacy-adapter.ts +700 -0
package/src/wallet/ethereum/types.ts +3 -1
package/src/wallet/ethereum/walletconnect-adapter.ts +675 -0
package/src/wallet/hardware/index.ts +10 -0
package/src/wallet/hardware/ledger-privacy.ts +414 -0
package/src/wallet/index.ts +71 -0
package/src/wallet/near/adapter.ts +626 -0
package/src/wallet/near/index.ts +86 -0
package/src/wallet/near/meteor-wallet.ts +1153 -0
package/src/wallet/near/my-near-wallet.ts +790 -0
package/src/wallet/near/wallet-selector.ts +702 -0
package/src/wallet/solana/adapter.ts +6 -4
package/src/wallet/solana/index.ts +13 -0
package/src/wallet/solana/privacy-adapter.ts +567 -0
package/src/wallet/sui/types.ts +6 -4
package/src/zcash/rpc-client.ts +13 -6
package/dist/chunk-3INS3PR5.mjs +0 -884
package/dist/chunk-3OVABDRH.mjs +0 -17096
package/dist/chunk-DLDWZFYC.mjs +0 -1495
package/dist/chunk-E6SZWREQ.mjs +0 -57
package/dist/chunk-G33LB27A.mjs +0 -16166
package/dist/chunk-HGU6HZRC.mjs +0 -231
package/dist/chunk-L2K34JCU.mjs +0 -1496
package/dist/chunk-SN4ZDTVW.mjs +0 -16166
package/dist/constants-VOI7BSLK.mjs +0 -27
package/dist/index-BYZbDjal.d.ts +0 -11390
package/dist/index-CHB3KuOB.d.mts +0 -11859
package/dist/index-CzWPI6Le.d.ts +0 -11859
package/dist/index-xbWjohNq.d.mts +0 -11390
package/dist/solana-5EMCTPTS.mjs +0 -46
package/dist/solana-Q4NAVBTS.mjs +0 -46

package/src/chains/solana/providers/webhook.ts ADDED Viewed

@@ -0,0 +1,790 @@
+/**
+ * Helius Webhook Handler
+ *
+ * Real-time stealth payment detection using Helius webhooks.
+ * Push-based notifications instead of polling for efficient scanning.
+ *
+ * @see https://docs.helius.dev/webhooks-and-websockets/webhooks
+ *
+ * @example Server setup (Express.js)
+ * ```typescript
+ * import express from 'express'
+ * import { createWebhookHandler } from '@sip-protocol/sdk'
+ *
+ * const app = express()
+ * app.use(express.json())
+ *
+ * const handler = createWebhookHandler({
+ *   viewingPrivateKey: '0x...',
+ *   spendingPublicKey: '0x...',
+ *   onPaymentFound: (payment) => {
+ *     console.log('Found payment!', payment)
+ *     // Notify user, update database, etc.
+ *   },
+ * })
+ *
+ * app.post('/webhook/helius', async (req, res) => {
+ *   await handler(req.body)
+ *   res.status(200).send('OK')
+ * })
+ * ```
+ *
+ * @example Helius webhook configuration
+ * ```
+ * Webhook URL: https://your-server.com/webhook/helius
+ * Transaction Type: Any (or TRANSFER for token transfers)
+ * Account Addresses: [MEMO_PROGRAM_ID] for memo filtering
+ * Webhook Type: raw (to get full transaction data)
+ * ```
+ */
+import type { HexString } from '@sip-protocol/types'
+import {
+  checkEd25519StealthAddress,
+  solanaAddressToEd25519PublicKey,
+} from '../../../stealth'
+import type { StealthAddress } from '@sip-protocol/types'
+import { parseAnnouncement } from '../types'
+import type { SolanaScanResult } from '../types'
+import { SIP_MEMO_PREFIX } from '../constants'
+import { getTokenSymbol, parseTokenTransferFromBalances } from '../utils'
+import { ValidationError, SecurityError } from '../../../errors'
+import { hmac } from '@noble/hashes/hmac'
+import { sha256 } from '@noble/hashes/sha256'
+import { bytesToHex } from '@noble/hashes/utils'
+/**
+ * Helius raw webhook payload for a transaction
+ *
+ * @see https://docs.helius.dev/webhooks-and-websockets/webhooks
+ */
+export interface HeliusWebhookTransaction {
+  /** Block timestamp (Unix seconds) */
+  blockTime: number
+  /** Position within block */
+  indexWithinBlock?: number
+  /** Transaction metadata */
+  meta: {
+    /** Error if transaction failed */
+    err: unknown | null
+    /** Transaction fee in lamports */
+    fee: number
+    /** Inner instructions (CPI calls) */
+    innerInstructions: Array<{
+      index: number
+      instructions: Array<{
+        accounts: number[]
+        data: string
+        programIdIndex: number
+      }>
+    }>
+    /** Loaded address tables */
+    loadedAddresses?: {
+      readonly: string[]
+      writable: string[]
+    }
+    /** Program log messages */
+    logMessages: string[]
+    /** Post-transaction lamport balances */
+    postBalances: number[]
+    /** Post-transaction token balances */
+    postTokenBalances: Array<{
+      accountIndex: number
+      mint: string
+      owner?: string
+      programId?: string
+      uiTokenAmount: {
+        amount: string
+        decimals: number
+        uiAmount: number | null
+        uiAmountString: string
+      }
+    }>
+    /** Pre-transaction lamport balances */
+    preBalances: number[]
+    /** Pre-transaction token balances */
+    preTokenBalances: Array<{
+      accountIndex: number
+      mint: string
+      owner?: string
+      programId?: string
+      uiTokenAmount: {
+        amount: string
+        decimals: number
+        uiAmount: number | null
+        uiAmountString: string
+      }
+    }>
+    /** Rewards */
+    rewards: unknown[]
+  }
+  /** Slot number */
+  slot: number
+  /** Transaction data */
+  transaction: {
+    /** Transaction message */
+    message: {
+      /** Account keys involved */
+      accountKeys: string[]
+      /** Compiled instructions */
+      instructions: Array<{
+        accounts: number[]
+        data: string
+        programIdIndex: number
+      }>
+      /** Recent blockhash */
+      recentBlockhash: string
+    }
+    /** Transaction signatures */
+    signatures: string[]
+  }
+}
+/**
+ * Helius enhanced webhook payload
+ *
+ * Enhanced webhooks provide parsed/decoded transaction data.
+ */
+export interface HeliusEnhancedTransaction {
+  /** Human-readable description */
+  description: string
+  /** Transaction type (TRANSFER, NFT_SALE, etc.) */
+  type: string
+  /** Source wallet/program */
+  source: string
+  /** Transaction fee in lamports */
+  fee: number
+  /** Fee payer address */
+  feePayer: string
+  /** Transaction signature */
+  signature: string
+  /** Slot number */
+  slot: number
+  /** Block timestamp */
+  timestamp: number
+  /** Native SOL transfers */
+  nativeTransfers: Array<{
+    fromUserAccount: string
+    toUserAccount: string
+    amount: number
+  }>
+  /** Token transfers */
+  tokenTransfers: Array<{
+    fromUserAccount: string
+    toUserAccount: string
+    fromTokenAccount: string
+    toTokenAccount: string
+    tokenAmount: number
+    mint: string
+    tokenStandard: string
+  }>
+  /** Account data changes */
+  accountData: Array<{
+    account: string
+    nativeBalanceChange: number
+    tokenBalanceChanges: Array<{
+      userAccount: string
+      tokenAccount: string
+      mint: string
+      rawTokenAmount: {
+        tokenAmount: string
+        decimals: number
+      }
+    }>
+  }>
+  /** Events (NFT sales, etc.) */
+  events?: Record<string, unknown>
+}
+/**
+ * Webhook payload (can be single transaction or array)
+ */
+export type HeliusWebhookPayload =
+  | HeliusWebhookTransaction
+  | HeliusWebhookTransaction[]
+  | HeliusEnhancedTransaction
+  | HeliusEnhancedTransaction[]
+/**
+ * Configuration for the Helius webhook handler
+ *
+ * @security This config contains sensitive cryptographic keys.
+ * Never log, store in plain text, or transmit insecurely.
+ */
+export interface WebhookHandlerConfig {
+  /**
+   * Recipient's viewing private key (hex)
+   *
+   * @security SENSITIVE - This key enables detection of incoming payments.
+   * Store securely (encrypted). Never log or expose in error messages.
+   * Use environment variables or secure vault in production.
+   */
+  viewingPrivateKey: HexString
+  /** Recipient's spending public key (hex) */
+  spendingPublicKey: HexString
+  /**
+   * Callback when a payment is found
+   *
+   * @param payment - The detected payment details
+   */
+  onPaymentFound: (payment: SolanaScanResult) => void | Promise<void>
+  /**
+   * Optional callback for errors
+   *
+   * @param error - The error that occurred
+   * @param transaction - The transaction that caused the error (if available)
+   */
+  onError?: (error: Error, transaction?: HeliusWebhookTransaction) => void
+  /**
+   * Webhook authentication secret (recommended for production)
+   *
+   * When set, the handler will verify the X-Helius-Signature header
+   * using HMAC-SHA256 to ensure webhook payloads are authentic.
+   *
+   * Get your webhook secret from Helius Dashboard:
+   * https://dev.helius.xyz/webhooks
+   */
+  webhookSecret?: string
+  /**
+   * Authorization token for additional security
+   *
+   * When set, the handler will verify the Authorization header
+   * matches this token. Use for simple auth in trusted environments.
+   */
+  authToken?: string
+}
+/**
+ * Webhook request with headers for signature verification
+ */
+export interface WebhookRequest {
+  /** Raw request body as string (for signature verification) */
+  rawBody: string
+  /** Parsed payload */
+  payload: HeliusWebhookPayload
+  /** Request headers */
+  headers: {
+    /** Helius webhook signature (X-Helius-Signature header) */
+    signature?: string
+    /** Authorization header */
+    authorization?: string
+  }
+}
+/**
+ * Result of processing a single webhook transaction
+ */
+export interface WebhookProcessResult {
+  /** Whether a payment was found for us */
+  found: boolean
+  /** The payment details (if found) */
+  payment?: SolanaScanResult
+  /** Transaction signature */
+  signature: string
+}
+/**
+ * Verify Helius webhook signature using HMAC-SHA256
+ *
+ * H-4, H-8 FIX: Implement webhook signature verification
+ *
+ * @param rawBody - Raw request body as string
+ * @param signature - Signature from X-Helius-Signature header
+ * @param secret - Webhook secret from Helius dashboard
+ * @returns True if signature is valid
+ *
+ * @example
+ * ```typescript
+ * const isValid = verifyWebhookSignature(
+ *   req.rawBody,
+ *   req.headers['x-helius-signature'],
+ *   process.env.HELIUS_WEBHOOK_SECRET!
+ * )
+ * if (!isValid) {
+ *   res.status(401).send('Invalid signature')
+ *   return
+ * }
+ * ```
+ */
+export function verifyWebhookSignature(
+  rawBody: string,
+  signature: string | undefined,
+  secret: string
+): boolean {
+  if (!signature || !secret) {
+    return false
+  }
+  try {
+    // Compute expected signature using HMAC-SHA256
+    const encoder = new TextEncoder()
+    const expectedSignature = bytesToHex(
+      hmac(sha256, encoder.encode(secret), encoder.encode(rawBody))
+    )
+    // Constant-time comparison to prevent timing attacks
+    if (signature.length !== expectedSignature.length) {
+      return false
+    }
+    let result = 0
+    for (let i = 0; i < signature.length; i++) {
+      result |= signature.charCodeAt(i) ^ expectedSignature.charCodeAt(i)
+    }
+    return result === 0
+  } catch {
+    return false
+  }
+}
+/**
+ * Verify authorization token
+ *
+ * H-7 FIX: Implement authorization verification
+ *
+ * @param authHeader - Authorization header value
+ * @param expectedToken - Expected token
+ * @returns True if token matches
+ */
+export function verifyAuthToken(
+  authHeader: string | undefined,
+  expectedToken: string
+): boolean {
+  if (!authHeader || !expectedToken) {
+    return false
+  }
+  // Support both "Bearer <token>" and raw token formats
+  const token = authHeader.startsWith('Bearer ')
+    ? authHeader.slice(7)
+    : authHeader
+  // Constant-time comparison
+  if (token.length !== expectedToken.length) {
+    return false
+  }
+  let result = 0
+  for (let i = 0; i < token.length; i++) {
+    result |= token.charCodeAt(i) ^ expectedToken.charCodeAt(i)
+  }
+  return result === 0
+}
+/**
+ * Handler function type returned by createWebhookHandler
+ */
+export interface WebhookHandler {
+  /**
+   * Process a webhook payload (simple mode - no signature verification)
+   */
+  (payload: HeliusWebhookPayload): Promise<WebhookProcessResult[]>
+  /**
+   * Process a webhook request with full authentication
+   *
+   * H-4, H-7, H-8 FIX: Supports signature and auth token verification
+   */
+  processRequest(request: WebhookRequest): Promise<WebhookProcessResult[]>
+}
+/**
+ * Create a webhook handler for processing Helius webhook payloads
+ *
+ * @param config - Handler configuration
+ * @returns Handler function to process webhook payloads
+ *
+ * @example Simple usage (not recommended for production)
+ * ```typescript
+ * const handler = createWebhookHandler({
+ *   viewingPrivateKey: recipientKeys.viewingPrivateKey,
+ *   spendingPublicKey: recipientKeys.spendingPublicKey,
+ *   onPaymentFound: async (payment) => {
+ *     await db.savePayment(payment)
+ *   },
+ * })
+ *
+ * app.post('/webhook', async (req, res) => {
+ *   const results = await handler(req.body)
+ *   res.json({ processed: results.length })
+ * })
+ * ```
+ *
+ * @example Production usage with signature verification
+ * ```typescript
+ * const handler = createWebhookHandler({
+ *   viewingPrivateKey: recipientKeys.viewingPrivateKey,
+ *   spendingPublicKey: recipientKeys.spendingPublicKey,
+ *   webhookSecret: process.env.HELIUS_WEBHOOK_SECRET!,
+ *   onPaymentFound: async (payment) => {
+ *     await db.savePayment(payment)
+ *   },
+ * })
+ *
+ * app.post('/webhook', express.raw({ type: 'application/json' }), async (req, res) => {
+ *   try {
+ *     const results = await handler.processRequest({
+ *       rawBody: req.body.toString(),
+ *       payload: JSON.parse(req.body.toString()),
+ *       headers: {
+ *         signature: req.headers['x-helius-signature'] as string,
+ *         authorization: req.headers['authorization'] as string,
+ *       },
+ *     })
+ *     res.json({ processed: results.length })
+ *   } catch (error) {
+ *     if (error instanceof SecurityError) {
+ *       res.status(401).json({ error: error.message })
+ *     } else {
+ *       res.status(500).json({ error: 'Internal error' })
+ *     }
+ *   }
+ * })
+ * ```
+ */
+export function createWebhookHandler(config: WebhookHandlerConfig): WebhookHandler {
+  const {
+    viewingPrivateKey,
+    spendingPublicKey,
+    onPaymentFound,
+    onError,
+    webhookSecret,
+    authToken,
+  } = config
+  // Validate required keys
+  if (!viewingPrivateKey || !viewingPrivateKey.startsWith('0x')) {
+    throw new ValidationError('viewingPrivateKey must be a valid hex string starting with 0x', 'viewingPrivateKey')
+  }
+  if (!spendingPublicKey || !spendingPublicKey.startsWith('0x')) {
+    throw new ValidationError('spendingPublicKey must be a valid hex string starting with 0x', 'spendingPublicKey')
+  }
+  if (typeof onPaymentFound !== 'function') {
+    throw new ValidationError('onPaymentFound callback is required', 'onPaymentFound')
+  }
+  // Validate key lengths (ed25519 keys are 32 bytes = 64 hex chars + '0x' prefix)
+  if (viewingPrivateKey.length !== 66) {
+    throw new ValidationError('viewingPrivateKey must be 32 bytes (64 hex characters)', 'viewingPrivateKey')
+  }
+  if (spendingPublicKey.length !== 66) {
+    throw new ValidationError('spendingPublicKey must be 32 bytes (64 hex characters)', 'spendingPublicKey')
+  }
+  /**
+   * Process transactions after authentication
+   */
+  async function processTransactions(
+    payload: HeliusWebhookPayload
+  ): Promise<WebhookProcessResult[]> {
+    // H-4 FIX: Validate payload structure before processing
+    if (!payload || (typeof payload !== 'object')) {
+      throw new ValidationError('Invalid webhook payload', 'payload')
+    }
+    // Normalize to array
+    const transactions = Array.isArray(payload) ? payload : [payload]
+    // Validate we have at least one transaction
+    if (transactions.length === 0) {
+      return []
+    }
+    // Limit batch size to prevent DoS
+    const MAX_BATCH_SIZE = 100
+    if (transactions.length > MAX_BATCH_SIZE) {
+      throw new ValidationError(
+        `Batch size exceeds maximum of ${MAX_BATCH_SIZE}`,
+        'payload'
+      )
+    }
+    const results: WebhookProcessResult[] = []
+    for (const tx of transactions) {
+      try {
+        // Handle raw vs enhanced webhook format
+        if (isRawTransaction(tx)) {
+          const result = await processRawTransaction(
+            tx,
+            viewingPrivateKey,
+            spendingPublicKey,
+            onPaymentFound
+          )
+          results.push(result)
+        } else {
+          // Enhanced transactions don't include log messages,
+          // so we can't detect SIP announcements directly
+          // For now, skip enhanced transactions
+          results.push({
+            found: false,
+            signature: (tx as HeliusEnhancedTransaction).signature,
+          })
+        }
+      } catch (error) {
+        onError?.(error as Error, isRawTransaction(tx) ? tx : undefined)
+        results.push({
+          found: false,
+          signature: getSignature(tx),
+        })
+      }
+    }
+    return results
+  }
+  /**
+   * Simple handler (backwards compatible)
+   */
+  const handler = async (payload: HeliusWebhookPayload): Promise<WebhookProcessResult[]> => {
+    return processTransactions(payload)
+  }
+  /**
+   * Process request with full authentication
+   * H-4, H-7, H-8 FIX: Signature and auth verification
+   */
+  handler.processRequest = async (request: WebhookRequest): Promise<WebhookProcessResult[]> => {
+    // Verify webhook signature if configured
+    if (webhookSecret) {
+      if (!verifyWebhookSignature(request.rawBody, request.headers.signature, webhookSecret)) {
+        throw new SecurityError(
+          'Invalid webhook signature - request rejected',
+          'INVALID_SIGNATURE'
+        )
+      }
+    }
+    // Verify auth token if configured
+    if (authToken) {
+      if (!verifyAuthToken(request.headers.authorization, authToken)) {
+        throw new SecurityError(
+          'Invalid authorization token - request rejected',
+          'INVALID_AUTH'
+        )
+      }
+    }
+    return processTransactions(request.payload)
+  }
+  return handler as WebhookHandler
+}
+/**
+ * Process a single raw transaction for SIP announcements
+ */
+async function processRawTransaction(
+  tx: HeliusWebhookTransaction,
+  viewingPrivateKey: HexString,
+  spendingPublicKey: HexString,
+  onPaymentFound: (payment: SolanaScanResult) => void | Promise<void>
+): Promise<WebhookProcessResult> {
+  const signature = tx.transaction?.signatures?.[0] ?? 'unknown'
+  // Check if transaction failed
+  if (tx.meta?.err) {
+    return { found: false, signature }
+  }
+  // Ensure log messages exist
+  if (!tx.meta?.logMessages) {
+    return { found: false, signature }
+  }
+  // Search log messages for SIP announcement
+  for (const log of tx.meta.logMessages) {
+    if (!log.includes(SIP_MEMO_PREFIX)) continue
+    // Extract memo content from log
+    const memoMatch = log.match(/Program log: (.+)/)
+    if (!memoMatch) continue
+    const memoContent = memoMatch[1]
+    const announcement = parseAnnouncement(memoContent)
+    if (!announcement) continue
+    // Check if this payment is for us
+    // H-5 FIX: Validate ephemeral public key before curve operations
+    if (!announcement.ephemeralPublicKey || announcement.ephemeralPublicKey.length < 32) {
+      continue // Invalid ephemeral key format, skip
+    }
+    let ephemeralPubKeyHex: HexString
+    try {
+      ephemeralPubKeyHex = solanaAddressToEd25519PublicKey(
+        announcement.ephemeralPublicKey
+      )
+    } catch {
+      // Invalid base58 encoding or malformed key
+      continue
+    }
+    // H-3 FIX: Enhanced view tag validation with strict hex parsing
+    // View tags are 1 byte (0-255), represented as 2-char hex string
+    const viewTagStr = announcement.viewTag
+    if (!viewTagStr || typeof viewTagStr !== 'string') {
+      continue
+    }
+    // Validate hex format (only 0-9, a-f, A-F)
+    if (!/^[0-9a-fA-F]{1,2}$/.test(viewTagStr)) {
+      continue // Invalid hex format
+    }
+    const viewTagNumber = parseInt(viewTagStr, 16)
+    // Double-check bounds after parse (defense in depth)
+    if (!Number.isInteger(viewTagNumber) || viewTagNumber < 0 || viewTagNumber > 255) {
+      continue // Invalid view tag, skip this announcement
+    }
+    const stealthAddressToCheck: StealthAddress = {
+      address: announcement.stealthAddress
+        ? solanaAddressToEd25519PublicKey(announcement.stealthAddress)
+        : ('0x' + '00'.repeat(32)) as HexString,
+      ephemeralPublicKey: ephemeralPubKeyHex,
+      viewTag: viewTagNumber,
+    }
+    // Check if this is our payment (may throw for invalid curve points)
+    let isOurs = false
+    try {
+      isOurs = checkEd25519StealthAddress(
+        stealthAddressToCheck,
+        viewingPrivateKey,
+        spendingPublicKey
+      )
+    } catch {
+      // Invalid ephemeral key or malformed data - not our payment
+      continue
+    }
+    if (isOurs) {
+      // Parse token transfer info using shared utility
+      const transferInfo = parseTokenTransferFromBalances(
+        tx.meta.preTokenBalances,
+        tx.meta.postTokenBalances
+      )
+      const payment: SolanaScanResult = {
+        stealthAddress: announcement.stealthAddress || '',
+        ephemeralPublicKey: announcement.ephemeralPublicKey,
+        amount: transferInfo?.amount ?? 0n,
+        mint: transferInfo?.mint ?? '',
+        tokenSymbol: transferInfo?.mint ? getTokenSymbol(transferInfo.mint) : undefined,
+        txSignature: signature,
+        slot: tx.slot,
+        timestamp: tx.blockTime,
+      }
+      // Call the callback (wrap in try-catch to prevent callback errors from breaking processing)
+      try {
+        await onPaymentFound(payment)
+      } catch {
+        // Callback error should not prevent returning the found payment
+      }
+      return { found: true, payment, signature }
+    }
+  }
+  return { found: false, signature }
+}
+// Token transfer parsing and symbol lookup moved to ../utils.ts (L3 fix)
+/**
+ * Type guard for raw Helius webhook transaction
+ *
+ * Distinguishes between raw and enhanced transaction formats.
+ * Raw transactions have transaction.signatures array, enhanced have signature directly.
+ *
+ * @param tx - Unknown transaction payload
+ * @returns True if tx is a raw HeliusWebhookTransaction
+ * @internal
+ */
+function isRawTransaction(tx: unknown): tx is HeliusWebhookTransaction {
+  return (
+    typeof tx === 'object' &&
+    tx !== null &&
+    'meta' in tx &&
+    'transaction' in tx &&
+    Array.isArray((tx as HeliusWebhookTransaction).transaction?.signatures)
+  )
+}
+/**
+ * Type guard for enhanced Helius webhook transaction
+ *
+ * Distinguishes between raw and enhanced transaction formats.
+ * Enhanced transactions have signature at top level with type field.
+ *
+ * @param tx - Unknown transaction payload
+ * @returns True if tx is an enhanced HeliusEnhancedTransaction
+ * @internal
+ */
+function isEnhancedTransaction(tx: unknown): tx is HeliusEnhancedTransaction {
+  return (
+    typeof tx === 'object' &&
+    tx !== null &&
+    'signature' in tx &&
+    'type' in tx &&
+    typeof (tx as HeliusEnhancedTransaction).signature === 'string'
+  )
+}
+/**
+ * Extract transaction signature from webhook payload
+ *
+ * Handles both raw and enhanced transaction formats.
+ *
+ * @param tx - Helius webhook transaction (raw or enhanced)
+ * @returns Transaction signature, or 'unknown' if not found
+ * @internal
+ */
+function getSignature(tx: HeliusWebhookTransaction | HeliusEnhancedTransaction): string {
+  // Enhanced transactions have signature at top level
+  if ('signature' in tx && typeof (tx as HeliusEnhancedTransaction).signature === 'string') {
+    return (tx as HeliusEnhancedTransaction).signature
+  }
+  // Raw transactions have signatures array in transaction object
+  if (isRawTransaction(tx)) {
+    return tx.transaction?.signatures?.[0] ?? 'unknown'
+  }
+  return 'unknown'
+}
+/**
+ * Process a single webhook transaction and check if it's a payment for us
+ *
+ * Lower-level function for custom webhook handling.
+ *
+ * @param transaction - Raw Helius webhook transaction
+ * @param viewingPrivateKey - Recipient's viewing private key
+ * @param spendingPublicKey - Recipient's spending public key
+ * @returns Payment result if found, null otherwise
+ *
+ * @example
+ * ```typescript
+ * const payment = await processWebhookTransaction(
+ *   webhookPayload,
+ *   viewingPrivateKey,
+ *   spendingPublicKey
+ * )
+ *
+ * if (payment) {
+ *   console.log('Found payment:', payment.amount, payment.mint)
+ * }
+ * ```
+ */
+export async function processWebhookTransaction(
+  transaction: HeliusWebhookTransaction,
+  viewingPrivateKey: HexString,
+  spendingPublicKey: HexString
+): Promise<SolanaScanResult | null> {
+  const result = await processRawTransaction(
+    transaction,
+    viewingPrivateKey,
+    spendingPublicKey,
+    () => {} // No-op callback
+  )
+  return result.found ? result.payment ?? null : null
+}