@smartledger/bsv 3.4.0 → 3.4.2

package/build/webpack.anchor.config.js

@@ -1,21 +1,17 @@
-var path = require('path')
+const path = require('path')
 
 module.exports = {
-  target: 'web',
-  mode: 'production',
   entry: './anchor-entry.js',
+  mode: 'production',
+  optimization: {
+    minimize: true
+  },
   output: {
-    path: path.resolve(__dirname, '..'),
+    path: path.resolve(__dirname, '../'),
     filename: 'bsv-anchor.min.js',
     library: 'bsvAnchor',
-    libraryTarget: 'umd'
-  },
-  node: {
-    crypto: true,
-    stream: true,
-    buffer: true
+    libraryTarget: 'umd',
+    globalObject: 'this'
   },
-  node: {
-    Buffer: true
-  }
+  target: 'web'
 }

package/build/webpack.didweb.config.js

@@ -1,21 +1,17 @@
-var path = require('path')
+const path = require('path')
 
 module.exports = {
-  target: 'web',
-  mode: 'production',
   entry: './didweb-entry.js',
+  mode: 'production',
+  optimization: {
+    minimize: true
+  },
   output: {
-    path: path.resolve(__dirname, '..'),
+    path: path.resolve(__dirname, '../'),
     filename: 'bsv-didweb.min.js',
-    library: 'bsvDidWeb',
-    libraryTarget: 'umd'
-  },
-  node: {
-    crypto: true,
-    stream: true,
-    buffer: true
+    library: 'bsvDIDWeb',
+    libraryTarget: 'umd',
+    globalObject: 'this'
   },
-  node: {
-    Buffer: true
-  }
+  target: 'web'
 }

package/build/webpack.statuslist.config.js

@@ -1,22 +1,17 @@
-var path = require('path')
+const path = require('path')
 
 module.exports = {
-  target: 'web',
-  mode: 'production',
   entry: './statuslist-entry.js',
+  mode: 'production',
+  optimization: {
+    minimize: true
+  },
   output: {
-    path: path.resolve(__dirname, '..'),
+    path: path.resolve(__dirname, '../'),
     filename: 'bsv-statuslist.min.js',
     library: 'bsvStatusList',
-    libraryTarget: 'umd'
-  },
-  node: {
-    crypto: true,
-    stream: true,
-    buffer: true,
-    zlib: true
+    libraryTarget: 'umd',
+    globalObject: 'this'
   },
-  node: {
-    Buffer: true
-  }
+  target: 'web'
 }

package/build/webpack.vcjwt.config.js

@@ -1,21 +1,17 @@
-var path = require('path')
+const path = require('path')
 
 module.exports = {
-  target: 'web',
-  mode: 'production',
   entry: './vcjwt-entry.js',
+  mode: 'production',
+  optimization: {
+    minimize: true
+  },
   output: {
-    path: path.resolve(__dirname, '..'),
+    path: path.resolve(__dirname, '../'),
     filename: 'bsv-vcjwt.min.js',
     library: 'bsvVcJwt',
-    libraryTarget: 'umd'
-  },
-  node: {
-    crypto: true,
-    stream: true,
-    buffer: true
+    libraryTarget: 'umd',
+    globalObject: 'this'
   },
-  node: {
-    Buffer: true
-  }
+  target: 'web'
 }

package/examples/legacy/README.md

@@ -0,0 +1,11 @@
+# Legacy sanity scripts
+
+Pre-mocha standalone scripts kept here for historical reference. They are not
+part of the test suite (no `describe`/`it`). Run with:
+
+```bash
+node examples/legacy/<file>.js
+```
+
+`smart_contract_test_integration.js` was previously in `lib/smart_contract/`
+but is an integration script (calls `process.exit`), not library code.

package/index.js

@@ -29,7 +29,15 @@ bsv.versionGuard = function (version) {
 bsv.versionGuard(global._bsv)
 global._bsv = bsv.version
 
-// SmartLedger security information
+// SmartLedger security information.
+// NOTE: these properties advertise that hardening *helpers* ship in this
+// package (`bsv.SmartVerify`, `bsv.EllipticFixed`, `signature.toCanonical()`,
+// etc.). They are NOT automatically wired into the default verify path:
+// `transaction.verify()`, `signature.verify()`, and `Message().verify()` go
+// through `lib/crypto/ecdsa.js`, which uses BSV's own pure-JS ECDSA and does
+// not route through `SmartVerify` or `EllipticFixed`. To get the strict
+// input validation, call `bsv.SmartVerify.smartVerify(...)` explicitly.
+// See the Security section of README.md.
 bsv.isHardened = true
 bsv.hardenedBy = 'SmartLedger'
 bsv.baseVersion = 'v1.5.6'
@@ -119,7 +127,9 @@ try {
 try {
   bsv.BrowserUTXOManager = require('./lib/browser-utxo-manager-es5')
 } catch (e) {
-  // BrowserUTXOManager not available
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] BrowserUTXOManager failed to load:', e.message)
+  }
 }
 
 // Node.js specific tools (advanced development tools)
@@ -140,28 +150,36 @@ bsv.GDAF = require('./lib/gdaf')
 try {
   bsv.DIDWeb = require('./lib/didweb')
 } catch (e) {
-  // DIDWeb module not available - use standalone bsv-didweb.min.js
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] DIDWeb module failed to load:', e.message)
+  }
 }
 
 // VC-JWT Module (W3C Verifiable Credentials)
 try {
   bsv.VcJwt = require('./lib/vcjwt')
 } catch (e) {
-  // VcJwt module not available - use standalone bsv-vcjwt.min.js
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] VcJwt module failed to load:', e.message)
+  }
 }
 
 // StatusList2021 Module (Credential revocation)
 try {
   bsv.StatusList = require('./lib/statuslist')
 } catch (e) {
-  // StatusList module not available - use standalone bsv-statuslist.min.js
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] StatusList module failed to load:', e.message)
+  }
 }
 
 // Anchor Module (BSV hash anchoring)
 try {
   bsv.Anchor = require('./lib/anchor')
 } catch (e) {
-  // Anchor module not available - use standalone bsv-anchor.min.js
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] Anchor module failed to load:', e.message)
+  }
 }
 
 // GDAF Direct Access Methods (for easier developer experience)

package/lib/browser-utxo-manager-es5.js

@@ -5,6 +5,13 @@
  * Lightweight UTXO management for browser environments with configurable storage
  */
 
+// Set window.BSV_DEBUG = true (browser) or BSV_DEBUG=1 (Node) to enable info logs.
+var debug = function () {
+  var enabled = (typeof process !== 'undefined' && process.env && process.env.BSV_DEBUG) ||
+                (typeof window !== 'undefined' && window.BSV_DEBUG)
+  if (enabled) console.log.apply(console, arguments)
+}
+
 var STORAGE_TYPES = {
   MEMORY: 'memory',
   SESSION: 'session',
@@ -75,7 +82,7 @@ BrowserUTXOManager.prototype.loadFromStorage = function() {
       this.metadata = parsed.metadata
     }
 
-    console.log('✅ BrowserUTXOManager: Loaded ' + this.utxos.size + ' UTXOs from ' + this.options.storage + ' storage')
+    debug('✅ BrowserUTXOManager: Loaded ' + this.utxos.size + ' UTXOs from ' + this.options.storage + ' storage')
   } catch (e) {
     console.error('Failed to load UTXOs from storage:', e)
   }
@@ -96,7 +103,7 @@ BrowserUTXOManager.prototype.saveToStorage = function() {
     }
 
     storage.setItem(this.options.storageKey, JSON.stringify(data))
-    console.log('💾 BrowserUTXOManager: Saved ' + this.utxos.size + ' UTXOs to ' + this.options.storage + ' storage')
+    debug('💾 BrowserUTXOManager: Saved ' + this.utxos.size + ' UTXOs to ' + this.options.storage + ' storage')
   } catch (e) {
     console.error('Failed to save UTXOs to storage:', e)
   }
@@ -110,7 +117,7 @@ BrowserUTXOManager.prototype.addUTXO = function(utxo) {
   var key = utxo.txid + ':' + utxo.vout
 
   if (this.utxos.has(key)) {
-    console.log('⚠️ UTXO already exists: ' + key)
+    debug('⚠️ UTXO already exists: ' + key)
     return false
   }
 
@@ -298,7 +305,7 @@ BrowserUTXOManager.prototype.importData = function(jsonData, merge) {
       })
     }
 
-    console.log('✅ BrowserUTXOManager: Imported ' + (data.utxos && data.utxos.length || 0) + ' UTXOs')
+    debug('✅ BrowserUTXOManager: Imported ' + (data.utxos && data.utxos.length || 0) + ' UTXOs')
     return true
   } catch (e) {
     console.error('Failed to import UTXO data:', e)

package/lib/browser-utxo-manager.js

@@ -5,6 +5,13 @@
  * Lightweight UTXO management for browser environments with configurable storage
  */
 
+// Set window.BSV_DEBUG = true (browser) or BSV_DEBUG=1 (Node) to enable info logs.
+var debug = function () {
+  var enabled = (typeof process !== 'undefined' && process.env && process.env.BSV_DEBUG) ||
+                (typeof window !== 'undefined' && window.BSV_DEBUG)
+  if (enabled) console.log.apply(console, arguments)
+}
+
 /**
  * Storage types available for browser UTXO management
  */
@@ -127,7 +134,7 @@ function BrowserUTXOManager(options) {
       }
 
       this._updateMetadata()
-      console.log(`✅ BrowserUTXOManager: Loaded ${this.utxos.size} UTXOs from ${this.options.storage} storage`)
+      debug(`✅ BrowserUTXOManager: Loaded ${this.utxos.size} UTXOs from ${this.options.storage} storage`)
 
     } catch (error) {
       console.error('BrowserUTXOManager: Error loading from storage:', error.message)
@@ -163,7 +170,7 @@ function BrowserUTXOManager(options) {
       })
 
       storage.setItem(this.options.storageKey, JSON.stringify(data))
-      console.log(`💾 BrowserUTXOManager: Saved ${this.utxos.size} UTXOs to ${this.options.storage} storage`)
+      debug(`💾 BrowserUTXOManager: Saved ${this.utxos.size} UTXOs to ${this.options.storage} storage`)
 
     } catch (error) {
       console.error('BrowserUTXOManager: Error saving to storage:', error.message)
@@ -186,7 +193,7 @@ function BrowserUTXOManager(options) {
 
       // Check if already exists
       if (this.utxos.has(key)) {
-        console.log(`⚠️ UTXO already exists: ${key}`)
+        debug(`⚠️ UTXO already exists: ${key}`)
         return false
       }
 
@@ -217,7 +224,7 @@ function BrowserUTXOManager(options) {
         this.saveToStorage()
       }
 
-      console.log(`✅ UTXO added: ${key} (${utxo.satoshis} sats)`)
+      debug(`✅ UTXO added: ${key} (${utxo.satoshis} sats)`)
       return true
 
     } catch (error) {
@@ -305,7 +312,7 @@ function BrowserUTXOManager(options) {
           }
         }
 
-        console.log(`❌ UTXO spent: ${key} in ${spentUTXO.spentInTx}`)
+        debug(`❌ UTXO spent: ${key} in ${spentUTXO.spentInTx}`)
       })
 
       this._updateMetadata()
@@ -446,11 +453,11 @@ function BrowserUTXOManager(options) {
       const storage = this._getStorage()
       if (storage) {
         storage.removeItem(this.options.storageKey)
-        console.log(`🔄 Cleared ${this.options.storage} storage`)
+        debug(`🔄 Cleared ${this.options.storage} storage`)
       }
     }
 
-    console.log('🔄 BrowserUTXOManager reset complete')
+    debug('🔄 BrowserUTXOManager reset complete')
   }
 
   /**
@@ -513,7 +520,7 @@ function BrowserUTXOManager(options) {
         this.saveToStorage()
       }
 
-      console.log('✅ BrowserUTXOManager: Imported ' + (data.utxos && data.utxos.length || 0) + ' UTXOs')
+      debug('✅ BrowserUTXOManager: Imported ' + (data.utxos && data.utxos.length || 0) + ' UTXOs')
       return true
 
     } catch (error) {

package/lib/ltp/claim.js

@@ -691,6 +691,7 @@ var ClaimValidator = {
    * @private
    */
   _generateBatchId: function() {
+    // Non-security: identifier collision avoidance only
     var data = 'batch_' + Date.now() + '_' + Math.random()
     return Hash.sha256(Buffer.from(data)).toString('hex').substring(0, 16)
   },

package/lib/ltp/obligation.js

@@ -929,6 +929,7 @@ var ObligationToken = {
    * @private
    */
   _generateUUID: function() {
+    // Non-security: identifier collision avoidance only (not RFC 4122 v4 random)
     return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
       var r = Math.random() * 16 | 0
       var v = c === 'x' ? r : (r & 0x3 | 0x8)

package/lib/ltp/registry.js

@@ -552,6 +552,7 @@ var LTPRegistry = {
    * @private
    */
   _generateRegistryId: function() {
+    // Non-security: identifier collision avoidance only
     var data = 'reg_' + Date.now() + '_' + Math.random()
     return 'reg_' + Hash.sha256(Buffer.from(data)).toString('hex').substring(0, 16)
   },
@@ -685,6 +686,7 @@ var LTPRegistry = {
    * @private
    */
   _generateAuditId: function() {
+    // Non-security: identifier collision avoidance only
     var data = 'audit_' + Date.now() + '_' + Math.random()
     return 'audit_' + Hash.sha256(Buffer.from(data)).toString('hex').substring(0, 12)
   },

package/lib/ltp/right.js

@@ -752,6 +752,7 @@ var RightToken = {
    * @private
    */
   _generateUUID: function() {
+    // Non-security: identifier collision avoidance only (not RFC 4122 v4 random)
     return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
       var r = Math.random() * 16 | 0
       var v = c === 'x' ? r : (r & 0x3 | 0x8)

package/lib/transaction/transaction.js

@@ -577,7 +577,7 @@ Transaction.prototype._fromMultisigUtxo = function (utxo, pubkeys, threshold) {
   } else if (utxo.script.isScriptHashOut()) {
     Clazz = MultiSigScriptHashInput
   } else {
-    throw new Error('@TODO')
+    throw new errors.Transaction.Input.UnsupportedScript(utxo.script.toString())
   }
   this.addInput(new Clazz({
     output: new Output({

package/lib/util/_.js

@@ -1,5 +1,7 @@
 'use strict'
 
+var Random = require('../crypto/random')
+
 var _ = {}
 
 _.isArray = t => Array.isArray(t)
@@ -28,10 +30,14 @@ _.values = o => Object.values(o)
 _.filter = (a, f) => a.filter(f)
 _.reduce = (a, f, s) => a.reduce(f, s)
 _.without = (a, n) => a.filter(t => t !== n)
+// CSPRNG-backed Fisher-Yates. Output-order shuffling is a privacy primitive
+// (Transaction.shuffleOutputs); a predictable PRNG defeats the purpose.
 _.shuffle = a => {
   const result = a.slice(0)
   for (let i = result.length - 1; i > 0; i--) {
-    const j = Math.floor(Math.random() * (i + 1));
+    const buf = Random.getRandomBuffer(4)
+    const r = buf.readUInt32BE(0) / 0x100000000
+    const j = Math.floor(r * (i + 1));
     [result[i], result[j]] = [result[j], result[i]]
   }
   return result

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@smartledger/bsv",
-  "version": "3.4.0",
+  "version": "3.4.2",
   "description": "🚀 Complete Bitcoin SV development framework with legally-recognizable DID:web + W3C VC-JWT toolkit, Legal Token Protocol (LTP), Global Digital Attestation Framework (GDAF), StatusList2021 revocation, and 16 flexible loading options. Standards-based credentials with ES256/ES256K support, on-chain BSV anchoring, and comprehensive Bitcoin SV API. Perfect for legal tokens, verifiable credentials, DeFi, smart contracts, and secure Bitcoin applications.",
   "author": "SmartLedger Technology <hello@smartledger.technology> (https://smartledger.technology)",
   "homepage": "https://github.com/codenlighten/smartledger-bsv#readme",
@@ -62,7 +62,7 @@
     "test:browser": "echo 'Open tests/standalone-modules-test.html in browser for comprehensive testing'",
     "test:bundle": "echo 'Open tests/bundle-completeness-test.html in browser to verify bundle completeness'",
     "preimage:extract": "node examples/preimage/extract_preimage_bidirectional.js",
-    "prepublishOnly": "NODE_OPTIONS=\"--openssl-legacy-provider\" npm run build"
+    "prepublishOnly": "NODE_OPTIONS=\"--openssl-legacy-provider\" npm run build-all"
   },
   "unpkg": "bsv.min.js",
   "jsdelivr": "bsv.min.js",
@@ -70,12 +70,13 @@
   "files": [
     "index.js",
     "lib/",
-    "utilities/",
+    "utilities/*.js",
+    "utilities/README.md",
+    "utilities/wallet.json",
     "ecies/",
     "message/",
     "mnemonic/",
     "build/",
-    "tests/",
     "*-entry.js",
     "bsv.min.js",
     "bsv.bundle.js",
@@ -89,14 +90,11 @@
     "bsv-covenant.min.js",
     "bsv-script-helper.min.js",
     "bsv-security.min.js",
+    "bsv-didweb.min.js",
+    "bsv-vcjwt.min.js",
+    "bsv-statuslist.min.js",
+    "bsv-anchor.min.js",
     "bsv.d.ts",
-    "validation_test.js",
-    "test_shamir.js",
-    "shamir_demo.js",
-    "complete_ltp_demo.js",
-    "simple_demo.js",
-    "architecture_demo.js",
-    "test_standalone_shamir.html",
     "docs/",
     "demos/",
     "examples/",

package/demos/gdaf_core_test.js

@@ -1,131 +0,0 @@
-/**
- * Simple GDAF Demo
- * 
- * Tests core GDAF functionality without async verification issues
- */
-
-const bsv = require('../index.js')
-
-console.log('🌐 SmartLedger BSV GDAF - Core Components Test')
-console.log('==============================================\n')
-
-// Initialize GDAF
-const gdaf = new bsv.GDAF()
-
-try {
-  // 1. Create test identities
-  console.log('🔑 Creating Test Identities')
-  const issuerPrivateKey = new bsv.PrivateKey()
-  const subjectPrivateKey = new bsv.PrivateKey()
-  
-  const issuerDID = gdaf.createDID(issuerPrivateKey.toPublicKey())
-  const subjectDID = gdaf.createDID(subjectPrivateKey.toPublicKey())
-  
-  console.log('✅ Issuer DID:', issuerDID)
-  console.log('✅ Subject DID:', subjectDID)
-  console.log()
-  
-  // 2. Create credentials
-  console.log('📝 Creating Credentials')
-  
-  const emailCredential = gdaf.createEmailCredential(
-    issuerDID,
-    subjectDID,
-    'user@example.com',
-    issuerPrivateKey
-  )
-  
-  const ageCredential = gdaf.createAgeCredential(
-    issuerDID,
-    subjectDID,
-    21,
-    new Date('1995-06-15'),
-    issuerPrivateKey
-  )
-  
-  console.log('✅ Email credential created with proof')
-  console.log('✅ Age credential created with proof')
-  console.log()
-  
-  // 3. Schema validation
-  console.log('🔍 Schema Validation')
-  
-  const emailValidation = gdaf.validateCredential(emailCredential, 'EmailVerifiedCredential')
-  const ageValidation = gdaf.validateCredential(ageCredential, 'AgeVerifiedCredential')
-  
-  console.log('✅ Email validation:', emailValidation.valid ? 'PASSED' : 'FAILED')
-  console.log('✅ Age validation:', ageValidation.valid ? 'PASSED' : 'FAILED')
-  console.log()
-  
-  // 4. Zero-knowledge proofs
-  console.log('🔒 Zero-Knowledge Proofs')
-  
-  const nonce = gdaf.generateNonce()
-  
-  // Selective disclosure proof
-  const selectiveProof = gdaf.generateSelectiveProof(
-    emailCredential,
-    ['credentialSubject.verified'],
-    nonce
-  )
-  
-  console.log('✅ Selective disclosure proof generated')
-  console.log('   - Proof type:', selectiveProof.type)
-  console.log('   - Disclosed fields:', selectiveProof.disclosedFields.length)
-  console.log('   - Merkle proofs:', selectiveProof.merkleProofs.length)
-  
-  // Age proof
-  const ageProof = gdaf.generateAgeProof(ageCredential, 18, nonce)
-  
-  console.log('✅ Age proof generated')
-  console.log('   - Minimum age:', ageProof.minimumAge)
-  console.log('   - Meets requirement:', ageProof.meetsRequirement)
-  
-  // Verify age proof
-  const ageProofVerification = gdaf.verifyAgeProof(ageProof, 18, issuerDID)
-  console.log('✅ Age proof verification:', ageProofVerification ? 'PASSED' : 'FAILED')
-  console.log()
-  
-  // 5. Available schemas
-  console.log('📚 Available Schema Types')
-  const allSchemas = gdaf.getAllSchemas()
-  const schemaNames = Object.keys(allSchemas)
-  
-  console.log('✅ Schema count:', schemaNames.length)
-  console.log('✅ Available types:', schemaNames.join(', '))
-  console.log()
-  
-  // 6. Template generation
-  console.log('📋 Template Generation')
-  
-  const emailTemplate = gdaf.createTemplate('EmailVerifiedCredential')
-  const kycTemplate = gdaf.createTemplate('KYCVerifiedCredential')
-  
-  console.log('✅ Email template generated')
-  console.log('✅ KYC template generated')
-  console.log()
-  
-  // 7. Framework info
-  console.log('ℹ️  Framework Information')
-  const info = gdaf.getInfo()
-  console.log('✅ Name:', info.name)
-  console.log('✅ Version:', info.version)
-  console.log('✅ Standards:', info.standards.length, 'standards supported')
-  console.log('✅ Components:', Object.keys(info.components).length, 'components')
-  console.log()
-  
-  console.log('🎉 GDAF Core Components Test: SUCCESS!')
-  console.log('\n✅ All tested components are working correctly:')
-  console.log('   ✓ DID Creation and Resolution')
-  console.log('   ✓ Credential Creation and Signing')
-  console.log('   ✓ Schema Validation')
-  console.log('   ✓ Zero-Knowledge Proof Generation')
-  console.log('   ✓ Age Proof Verification')
-  console.log('   ✓ Template Generation')
-  console.log('   ✓ Framework Information')
-  
-} catch (error) {
-  console.error('❌ GDAF Core Test failed:', error.message)
-  console.error('Stack trace:', error.stack)
-  process.exit(1)
-}