npm - @teneo-protocol/sdk - Versions diffs - 1.0.0 - Mend

@teneo-protocol/sdk 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/.dockerignore +14 -0
package/.env.test.example +14 -0
package/.eslintrc.json +26 -0
package/.github/workflows/claude-code-review.yml +78 -0
package/.github/workflows/claude-reviewer.yml +64 -0
package/.github/workflows/publish-npm.yml +38 -0
package/.github/workflows/push-to-main.yml +23 -0
package/.node-version +1 -0
package/.prettierrc +11 -0
package/Dockerfile +25 -0
package/LICENCE +661 -0
package/README.md +709 -0
package/dist/constants.d.ts +42 -0
package/dist/constants.d.ts.map +1 -0
package/dist/constants.js +45 -0
package/dist/constants.js.map +1 -0
package/dist/core/websocket-client.d.ts +261 -0
package/dist/core/websocket-client.d.ts.map +1 -0
package/dist/core/websocket-client.js +875 -0
package/dist/core/websocket-client.js.map +1 -0
package/dist/formatters/response-formatter.d.ts +354 -0
package/dist/formatters/response-formatter.d.ts.map +1 -0
package/dist/formatters/response-formatter.js +575 -0
package/dist/formatters/response-formatter.js.map +1 -0
package/dist/handlers/message-handler-registry.d.ts +155 -0
package/dist/handlers/message-handler-registry.d.ts.map +1 -0
package/dist/handlers/message-handler-registry.js +216 -0
package/dist/handlers/message-handler-registry.js.map +1 -0
package/dist/handlers/message-handlers/agent-selected-handler.d.ts +112 -0
package/dist/handlers/message-handlers/agent-selected-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/agent-selected-handler.js +40 -0
package/dist/handlers/message-handlers/agent-selected-handler.js.map +1 -0
package/dist/handlers/message-handlers/agents-list-handler.d.ts +14 -0
package/dist/handlers/message-handlers/agents-list-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/agents-list-handler.js +25 -0
package/dist/handlers/message-handlers/agents-list-handler.js.map +1 -0
package/dist/handlers/message-handlers/auth-error-handler.d.ts +71 -0
package/dist/handlers/message-handlers/auth-error-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/auth-error-handler.js +30 -0
package/dist/handlers/message-handlers/auth-error-handler.js.map +1 -0
package/dist/handlers/message-handlers/auth-message-handler.d.ts +18 -0
package/dist/handlers/message-handlers/auth-message-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/auth-message-handler.js +60 -0
package/dist/handlers/message-handlers/auth-message-handler.js.map +1 -0
package/dist/handlers/message-handlers/auth-required-handler.d.ts +76 -0
package/dist/handlers/message-handlers/auth-required-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/auth-required-handler.js +23 -0
package/dist/handlers/message-handlers/auth-required-handler.js.map +1 -0
package/dist/handlers/message-handlers/auth-success-handler.d.ts +18 -0
package/dist/handlers/message-handlers/auth-success-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/auth-success-handler.js +51 -0
package/dist/handlers/message-handlers/auth-success-handler.js.map +1 -0
package/dist/handlers/message-handlers/base-handler.d.ts +55 -0
package/dist/handlers/message-handlers/base-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/base-handler.js +83 -0
package/dist/handlers/message-handlers/base-handler.js.map +1 -0
package/dist/handlers/message-handlers/challenge-handler.d.ts +73 -0
package/dist/handlers/message-handlers/challenge-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/challenge-handler.js +47 -0
package/dist/handlers/message-handlers/challenge-handler.js.map +1 -0
package/dist/handlers/message-handlers/error-message-handler.d.ts +76 -0
package/dist/handlers/message-handlers/error-message-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/error-message-handler.js +29 -0
package/dist/handlers/message-handlers/error-message-handler.js.map +1 -0
package/dist/handlers/message-handlers/index.d.ts +28 -0
package/dist/handlers/message-handlers/index.d.ts.map +1 -0
package/dist/handlers/message-handlers/index.js +100 -0
package/dist/handlers/message-handlers/index.js.map +1 -0
package/dist/handlers/message-handlers/list-rooms-response-handler.d.ts +122 -0
package/dist/handlers/message-handlers/list-rooms-response-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/list-rooms-response-handler.js +30 -0
package/dist/handlers/message-handlers/list-rooms-response-handler.js.map +1 -0
package/dist/handlers/message-handlers/ping-pong-handler.d.ts +104 -0
package/dist/handlers/message-handlers/ping-pong-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/ping-pong-handler.js +36 -0
package/dist/handlers/message-handlers/ping-pong-handler.js.map +1 -0
package/dist/handlers/message-handlers/regular-message-handler.d.ts +56 -0
package/dist/handlers/message-handlers/regular-message-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/regular-message-handler.js +59 -0
package/dist/handlers/message-handlers/regular-message-handler.js.map +1 -0
package/dist/handlers/message-handlers/subscribe-response-handler.d.ts +81 -0
package/dist/handlers/message-handlers/subscribe-response-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/subscribe-response-handler.js +48 -0
package/dist/handlers/message-handlers/subscribe-response-handler.js.map +1 -0
package/dist/handlers/message-handlers/task-response-handler.d.ts +14 -0
package/dist/handlers/message-handlers/task-response-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/task-response-handler.js +44 -0
package/dist/handlers/message-handlers/task-response-handler.js.map +1 -0
package/dist/handlers/message-handlers/types.d.ts +51 -0
package/dist/handlers/message-handlers/types.d.ts.map +1 -0
package/dist/handlers/message-handlers/types.js +7 -0
package/dist/handlers/message-handlers/types.js.map +1 -0
package/dist/handlers/message-handlers/unsubscribe-response-handler.d.ts +81 -0
package/dist/handlers/message-handlers/unsubscribe-response-handler.d.ts.map +1 -0
package/dist/handlers/message-handlers/unsubscribe-response-handler.js +48 -0
package/dist/handlers/message-handlers/unsubscribe-response-handler.js.map +1 -0
package/dist/handlers/webhook-handler.d.ts +202 -0
package/dist/handlers/webhook-handler.d.ts.map +1 -0
package/dist/handlers/webhook-handler.js +511 -0
package/dist/handlers/webhook-handler.js.map +1 -0
package/dist/index.d.ts +71 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +217 -0
package/dist/index.js.map +1 -0
package/dist/managers/agent-registry.d.ts +173 -0
package/dist/managers/agent-registry.d.ts.map +1 -0
package/dist/managers/agent-registry.js +310 -0
package/dist/managers/agent-registry.js.map +1 -0
package/dist/managers/connection-manager.d.ts +134 -0
package/dist/managers/connection-manager.d.ts.map +1 -0
package/dist/managers/connection-manager.js +176 -0
package/dist/managers/connection-manager.js.map +1 -0
package/dist/managers/index.d.ts +9 -0
package/dist/managers/index.d.ts.map +1 -0
package/dist/managers/index.js +16 -0
package/dist/managers/index.js.map +1 -0
package/dist/managers/message-router.d.ts +112 -0
package/dist/managers/message-router.d.ts.map +1 -0
package/dist/managers/message-router.js +260 -0
package/dist/managers/message-router.js.map +1 -0
package/dist/managers/room-manager.d.ts +165 -0
package/dist/managers/room-manager.d.ts.map +1 -0
package/dist/managers/room-manager.js +227 -0
package/dist/managers/room-manager.js.map +1 -0
package/dist/teneo-sdk.d.ts +703 -0
package/dist/teneo-sdk.d.ts.map +1 -0
package/dist/teneo-sdk.js +907 -0
package/dist/teneo-sdk.js.map +1 -0
package/dist/types/config.d.ts +1047 -0
package/dist/types/config.d.ts.map +1 -0
package/dist/types/config.js +720 -0
package/dist/types/config.js.map +1 -0
package/dist/types/error-codes.d.ts +29 -0
package/dist/types/error-codes.d.ts.map +1 -0
package/dist/types/error-codes.js +41 -0
package/dist/types/error-codes.js.map +1 -0
package/dist/types/events.d.ts +616 -0
package/dist/types/events.d.ts.map +1 -0
package/dist/types/events.js +261 -0
package/dist/types/events.js.map +1 -0
package/dist/types/health.d.ts +40 -0
package/dist/types/health.d.ts.map +1 -0
package/dist/types/health.js +6 -0
package/dist/types/health.js.map +1 -0
package/dist/types/index.d.ts +10 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +123 -0
package/dist/types/index.js.map +1 -0
package/dist/types/messages.d.ts +3734 -0
package/dist/types/messages.d.ts.map +1 -0
package/dist/types/messages.js +482 -0
package/dist/types/messages.js.map +1 -0
package/dist/types/validation.d.ts +81 -0
package/dist/types/validation.d.ts.map +1 -0
package/dist/types/validation.js +115 -0
package/dist/types/validation.js.map +1 -0
package/dist/utils/bounded-queue.d.ts +127 -0
package/dist/utils/bounded-queue.d.ts.map +1 -0
package/dist/utils/bounded-queue.js +181 -0
package/dist/utils/bounded-queue.js.map +1 -0
package/dist/utils/circuit-breaker.d.ts +141 -0
package/dist/utils/circuit-breaker.d.ts.map +1 -0
package/dist/utils/circuit-breaker.js +215 -0
package/dist/utils/circuit-breaker.js.map +1 -0
package/dist/utils/deduplication-cache.d.ts +110 -0
package/dist/utils/deduplication-cache.d.ts.map +1 -0
package/dist/utils/deduplication-cache.js +177 -0
package/dist/utils/deduplication-cache.js.map +1 -0
package/dist/utils/event-waiter.d.ts +101 -0
package/dist/utils/event-waiter.d.ts.map +1 -0
package/dist/utils/event-waiter.js +118 -0
package/dist/utils/event-waiter.js.map +1 -0
package/dist/utils/index.d.ts +51 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +72 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/logger.d.ts +22 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +91 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/rate-limiter.d.ts +122 -0
package/dist/utils/rate-limiter.d.ts.map +1 -0
package/dist/utils/rate-limiter.js +190 -0
package/dist/utils/rate-limiter.js.map +1 -0
package/dist/utils/retry-policy.d.ts +191 -0
package/dist/utils/retry-policy.d.ts.map +1 -0
package/dist/utils/retry-policy.js +225 -0
package/dist/utils/retry-policy.js.map +1 -0
package/dist/utils/secure-private-key.d.ts +113 -0
package/dist/utils/secure-private-key.d.ts.map +1 -0
package/dist/utils/secure-private-key.js +188 -0
package/dist/utils/secure-private-key.js.map +1 -0
package/dist/utils/signature-verifier.d.ts +143 -0
package/dist/utils/signature-verifier.d.ts.map +1 -0
package/dist/utils/signature-verifier.js +238 -0
package/dist/utils/signature-verifier.js.map +1 -0
package/dist/utils/ssrf-validator.d.ts +36 -0
package/dist/utils/ssrf-validator.d.ts.map +1 -0
package/dist/utils/ssrf-validator.js +195 -0
package/dist/utils/ssrf-validator.js.map +1 -0
package/examples/.env.example +17 -0
package/examples/basic-usage.ts +211 -0
package/examples/production-dashboard/.env.example +153 -0
package/examples/production-dashboard/package.json +39 -0
package/examples/production-dashboard/public/dashboard.html +642 -0
package/examples/production-dashboard/server.ts +753 -0
package/examples/webhook-integration.ts +239 -0
package/examples/x-influencer-battle-redesign.html +1065 -0
package/examples/x-influencer-battle-server.ts +217 -0
package/examples/x-influencer-battle.html +787 -0
package/package.json +65 -0
package/src/constants.ts +43 -0
package/src/core/websocket-client.test.ts +512 -0
package/src/core/websocket-client.ts +1056 -0
package/src/formatters/response-formatter.test.ts +571 -0
package/src/formatters/response-formatter.ts +677 -0
package/src/handlers/message-handler-registry.ts +239 -0
package/src/handlers/message-handlers/agent-selected-handler.ts +40 -0
package/src/handlers/message-handlers/agents-list-handler.ts +26 -0
package/src/handlers/message-handlers/auth-error-handler.ts +31 -0
package/src/handlers/message-handlers/auth-message-handler.ts +66 -0
package/src/handlers/message-handlers/auth-required-handler.ts +23 -0
package/src/handlers/message-handlers/auth-success-handler.ts +57 -0
package/src/handlers/message-handlers/base-handler.ts +101 -0
package/src/handlers/message-handlers/challenge-handler.ts +57 -0
package/src/handlers/message-handlers/error-message-handler.ts +27 -0
package/src/handlers/message-handlers/index.ts +77 -0
package/src/handlers/message-handlers/list-rooms-response-handler.ts +28 -0
package/src/handlers/message-handlers/ping-pong-handler.ts +30 -0
package/src/handlers/message-handlers/regular-message-handler.ts +65 -0
package/src/handlers/message-handlers/subscribe-response-handler.ts +47 -0
package/src/handlers/message-handlers/task-response-handler.ts +45 -0
package/src/handlers/message-handlers/types.ts +77 -0
package/src/handlers/message-handlers/unsubscribe-response-handler.ts +47 -0
package/src/handlers/webhook-handler.test.ts +789 -0
package/src/handlers/webhook-handler.ts +576 -0
package/src/index.ts +269 -0
package/src/managers/agent-registry.test.ts +466 -0
package/src/managers/agent-registry.ts +347 -0
package/src/managers/connection-manager.ts +195 -0
package/src/managers/index.ts +9 -0
package/src/managers/message-router.ts +349 -0
package/src/managers/room-manager.ts +248 -0
package/src/teneo-sdk.ts +1022 -0
package/src/types/config.test.ts +325 -0
package/src/types/config.ts +799 -0
package/src/types/error-codes.ts +44 -0
package/src/types/events.test.ts +302 -0
package/src/types/events.ts +382 -0
package/src/types/health.ts +46 -0
package/src/types/index.ts +199 -0
package/src/types/messages.test.ts +660 -0
package/src/types/messages.ts +570 -0
package/src/types/validation.ts +123 -0
package/src/utils/bounded-queue.test.ts +356 -0
package/src/utils/bounded-queue.ts +205 -0
package/src/utils/circuit-breaker.test.ts +394 -0
package/src/utils/circuit-breaker.ts +262 -0
package/src/utils/deduplication-cache.test.ts +380 -0
package/src/utils/deduplication-cache.ts +198 -0
package/src/utils/event-waiter.test.ts +381 -0
package/src/utils/event-waiter.ts +172 -0
package/src/utils/index.ts +74 -0
package/src/utils/logger.ts +87 -0
package/src/utils/rate-limiter.test.ts +341 -0
package/src/utils/rate-limiter.ts +211 -0
package/src/utils/retry-policy.test.ts +558 -0
package/src/utils/retry-policy.ts +272 -0
package/src/utils/secure-private-key.test.ts +356 -0
package/src/utils/secure-private-key.ts +205 -0
package/src/utils/signature-verifier.test.ts +464 -0
package/src/utils/signature-verifier.ts +298 -0
package/src/utils/ssrf-validator.test.ts +372 -0
package/src/utils/ssrf-validator.ts +224 -0
package/tests/integration/real-server.test.ts +740 -0
package/tests/integration/websocket.test.ts +381 -0
package/tests/integration-setup.ts +16 -0
package/tests/setup.ts +34 -0
package/tsconfig.json +32 -0
package/vitest.config.ts +42 -0
package/vitest.integration.config.ts +23 -0

package/src/utils/signature-verifier.ts ADDED Viewed

@@ -0,0 +1,298 @@
+/**
+ * Signature Verifier for Message Authentication
+ * Provides cryptographic verification of message signatures using Ethereum ECDSA
+ */
+import { verifyMessage, hashMessage, type Address } from 'viem';
+import { BaseMessage, MessageType } from '../types';
+/**
+ * Options for signature verification
+ */
+export interface SignatureVerificationOptions {
+  /** Whitelist of trusted agent addresses (empty = allow all) */
+  trustedAddresses?: Address[];
+  /** Message types that require signatures */
+  requireSignaturesFor?: MessageType[];
+  /** Reject messages with missing signatures (vs just warn) */
+  strictMode?: boolean;
+}
+/**
+ * Result of signature verification
+ */
+export interface VerificationResult {
+  /** Whether the signature is valid */
+  valid: boolean;
+  /** Recovered address from signature (if signature present) */
+  recoveredAddress?: Address;
+  /** Reason for failure (if not valid) */
+  reason?: string;
+  /** Whether signature was missing */
+  signatureMissing: boolean;
+  /** Whether address is in trusted whitelist (if whitelist configured) */
+  isTrusted?: boolean;
+}
+/**
+ * Signature verifier for authenticating message origins
+ * Prevents spoofing attacks by verifying Ethereum signatures on messages
+ *
+ * @example
+ * ```typescript
+ * const verifier = new SignatureVerifier({
+ *   trustedAddresses: ['0x123...', '0x456...'],
+ *   requireSignaturesFor: ['task_response', 'agent_selected'],
+ *   strictMode: true
+ * });
+ *
+ * const result = await verifier.verify(message);
+ * if (!result.valid) {
+ *   console.log(`Verification failed: ${result.reason}`);
+ * }
+ * ```
+ */
+export class SignatureVerifier {
+  private readonly options: Required<SignatureVerificationOptions>;
+  /**
+   * Creates a new signature verifier
+   *
+   * @param options - Verification options
+   *
+   * @example
+   * ```typescript
+   * const verifier = new SignatureVerifier({
+   *   trustedAddresses: ['0x123...'],
+   *   requireSignaturesFor: ['task_response'],
+   *   strictMode: false
+   * });
+   * ```
+   */
+  constructor(options: SignatureVerificationOptions = {}) {
+    this.options = {
+      trustedAddresses: options.trustedAddresses || [],
+      requireSignaturesFor: options.requireSignaturesFor || [],
+      strictMode: options.strictMode !== undefined ? options.strictMode : false
+    };
+  }
+  /**
+   * Verify a message's signature
+   *
+   * @param message - The message to verify
+   * @returns Verification result with validity and recovered address
+   *
+   * @example
+   * ```typescript
+   * const result = await verifier.verify(message);
+   * if (result.valid) {
+   *   console.log(`Valid signature from ${result.recoveredAddress}`);
+   * } else {
+   *   console.log(`Invalid: ${result.reason}`);
+   * }
+   * ```
+   */
+  public async verify(message: BaseMessage): Promise<VerificationResult> {
+    // Check if signature is present
+    if (!message.signature) {
+      const isRequired = this.isSignatureRequired(message.type);
+      return {
+        valid: !isRequired && !this.options.strictMode,
+        signatureMissing: true,
+        reason: isRequired
+          ? `Signature required for message type '${message.type}'`
+          : 'Signature missing but not required'
+      };
+    }
+    // Extract signable content (excludes signature and publicKey fields)
+    const signableContent = this.getSignableContent(message);
+    // Create canonical message hash
+    const messageHash = this.createMessageHash(signableContent);
+    try {
+      // Determine which address to verify against
+      const addressToVerify = await this.getVerificationAddress(message);
+      if (!addressToVerify) {
+        return {
+          valid: false,
+          signatureMissing: false,
+          reason: 'No address available for verification (missing publicKey and from fields)'
+        };
+      }
+      // Verify signature using viem
+      const isValid = await verifyMessage({
+        address: addressToVerify,
+        message: messageHash,
+        signature: message.signature as `0x${string}`
+      });
+      if (!isValid) {
+        return {
+          valid: false,
+          recoveredAddress: addressToVerify,
+          signatureMissing: false,
+          reason: 'Signature verification failed - signature does not match message content'
+        };
+      }
+      // Check if address is trusted (if whitelist configured)
+      const isTrusted = this.isTrustedAddress(addressToVerify);
+      // If whitelist is configured and address is not trusted, reject
+      if (this.options.trustedAddresses.length > 0 && !isTrusted) {
+        return {
+          valid: false,
+          recoveredAddress: addressToVerify,
+          signatureMissing: false,
+          isTrusted: false,
+          reason: `Address ${addressToVerify} is not in trusted whitelist`
+        };
+      }
+      return {
+        valid: true,
+        recoveredAddress: addressToVerify,
+        signatureMissing: false,
+        isTrusted
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        signatureMissing: false,
+        reason: `Signature verification error: ${error instanceof Error ? error.message : String(error)}`
+      };
+    }
+  }
+  /**
+   * Create a canonical hash of message content for signing
+   *
+   * @param content - The signable content object
+   * @returns Message hash string
+   */
+  public createMessageHash(content: object): string {
+    // Create canonical JSON string (sorted keys for consistency)
+    const canonical = JSON.stringify(content, Object.keys(content).sort());
+    // Use viem's hashMessage for Ethereum-compatible hashing
+    return hashMessage(canonical);
+  }
+  /**
+   * Extract signable content from message
+   * Excludes signature and publicKey fields to prevent circular dependency
+   *
+   * @param message - The message to extract content from
+   * @returns Object containing signable fields
+   */
+  public getSignableContent(message: BaseMessage): object {
+    const { signature, publicKey, id, ...signableContent } = message;
+    // Include only defined fields for consistent hashing
+    const filtered: Record<string, any> = {};
+    for (const [key, value] of Object.entries(signableContent)) {
+      if (value !== undefined) {
+        filtered[key] = value;
+      }
+    }
+    return filtered;
+  }
+  /**
+   * Check if signature is required for a message type
+   *
+   * @param messageType - The type of message
+   * @returns True if signature is required
+   */
+  public isSignatureRequired(messageType: MessageType): boolean {
+    return this.options.requireSignaturesFor.includes(messageType);
+  }
+  /**
+   * Check if an address is in the trusted whitelist
+   *
+   * @param address - The address to check
+   * @returns True if address is trusted (or no whitelist configured)
+   */
+  public isTrustedAddress(address: Address): boolean {
+    if (this.options.trustedAddresses.length === 0) {
+      return true; // No whitelist = trust all
+    }
+    return this.options.trustedAddresses.some(
+      trusted => trusted.toLowerCase() === address.toLowerCase()
+    );
+  }
+  /**
+   * Get the address to verify against
+   * Tries publicKey first, falls back to 'from' field
+   *
+   * @param message - The message to get address from
+   * @returns Address to verify, or undefined if none available
+   */
+  private async getVerificationAddress(message: BaseMessage): Promise<Address | undefined> {
+    // If message includes publicKey, derive address from it
+    if (message.publicKey) {
+      // publicKey should be an Ethereum address already
+      // If it's actually a public key, we'd need to derive the address
+      // For now, assume publicKey field contains the address
+      return message.publicKey as Address;
+    }
+    // Fall back to 'from' field if it looks like an address
+    if (message.from && message.from.startsWith('0x') && message.from.length === 42) {
+      return message.from as Address;
+    }
+    return undefined;
+  }
+  /**
+   * Update verification options
+   *
+   * @param options - New options (merged with existing)
+   *
+   * @example
+   * ```typescript
+   * verifier.updateOptions({
+   *   trustedAddresses: ['0x789...'],
+   *   strictMode: true
+   * });
+   * ```
+   */
+  public updateOptions(options: Partial<SignatureVerificationOptions>): void {
+    if (options.trustedAddresses !== undefined) {
+      this.options.trustedAddresses = options.trustedAddresses;
+    }
+    if (options.requireSignaturesFor !== undefined) {
+      this.options.requireSignaturesFor = options.requireSignaturesFor;
+    }
+    if (options.strictMode !== undefined) {
+      this.options.strictMode = options.strictMode;
+    }
+  }
+  /**
+   * Get current verification options
+   *
+   * @returns Copy of current options
+   */
+  public getOptions(): SignatureVerificationOptions {
+    return { ...this.options };
+  }
+}

package/src/utils/ssrf-validator.test.ts ADDED Viewed

@@ -0,0 +1,372 @@
+/**
+ * Tests for SSRF validator
+ */
+import { describe, it, expect } from "vitest";
+import {
+  isPrivateIP,
+  isCloudMetadataEndpoint,
+  isLocalhostException,
+  validateWebhookUrl
+} from "./ssrf-validator";
+describe("SSRF Validator", () => {
+  describe("isPrivateIP", () => {
+    it("should detect RFC1918 private IPv4 ranges", () => {
+      // 10.0.0.0/8
+      expect(isPrivateIP("10.0.0.1")).toBe(true);
+      expect(isPrivateIP("10.255.255.255")).toBe(true);
+      // 192.168.0.0/16
+      expect(isPrivateIP("192.168.0.1")).toBe(true);
+      expect(isPrivateIP("192.168.255.255")).toBe(true);
+      // 172.16.0.0/12 (172.16-31)
+      expect(isPrivateIP("172.16.0.1")).toBe(true);
+      expect(isPrivateIP("172.31.255.255")).toBe(true);
+    });
+    it("should NOT detect public IPv4 addresses as private", () => {
+      expect(isPrivateIP("8.8.8.8")).toBe(false);
+      expect(isPrivateIP("1.1.1.1")).toBe(false);
+      expect(isPrivateIP("172.15.0.1")).toBe(false); // Before 172.16
+      expect(isPrivateIP("172.32.0.1")).toBe(false); // After 172.31
+    });
+    it("should detect IPv4 loopback addresses", () => {
+      expect(isPrivateIP("127.0.0.1")).toBe(true);
+      expect(isPrivateIP("127.0.0.255")).toBe(true);
+      expect(isPrivateIP("127.255.255.255")).toBe(true);
+    });
+    it("should detect IPv4 link-local addresses", () => {
+      expect(isPrivateIP("169.254.0.0")).toBe(true);
+      expect(isPrivateIP("169.254.169.254")).toBe(true);
+      expect(isPrivateIP("169.254.255.255")).toBe(true);
+    });
+    it("should detect IPv4 multicast addresses", () => {
+      expect(isPrivateIP("224.0.0.1")).toBe(true);
+      expect(isPrivateIP("239.255.255.255")).toBe(true);
+    });
+    it("should detect IPv4 broadcast address", () => {
+      expect(isPrivateIP("255.255.255.255")).toBe(true);
+    });
+    it("should detect IPv6 loopback", () => {
+      expect(isPrivateIP("::1")).toBe(true);
+      expect(isPrivateIP("[::1]")).toBe(true);
+      expect(isPrivateIP("0:0:0:0:0:0:0:1")).toBe(true);
+    });
+    it("should detect IPv6 unspecified address", () => {
+      expect(isPrivateIP("::")).toBe(true);
+      expect(isPrivateIP("[::]")).toBe(true);
+      expect(isPrivateIP("0:0:0:0:0:0:0:0")).toBe(true);
+    });
+    it("should detect IPv6 link-local addresses", () => {
+      expect(isPrivateIP("fe80::1")).toBe(true);
+      expect(isPrivateIP("fe80:0000:0000:0000:0000:0000:0000:0001")).toBe(true);
+      expect(isPrivateIP("feb0::1")).toBe(true);
+    });
+    it("should detect IPv6 unique local addresses", () => {
+      expect(isPrivateIP("fc00::1")).toBe(true);
+      expect(isPrivateIP("fd00::1")).toBe(true);
+      expect(isPrivateIP("fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")).toBe(true);
+    });
+    it("should NOT detect public IPv6 addresses as private", () => {
+      expect(isPrivateIP("2001:4860:4860::8888")).toBe(false); // Google DNS
+      expect(isPrivateIP("2606:4700:4700::1111")).toBe(false); // Cloudflare DNS
+    });
+  });
+  describe("isCloudMetadataEndpoint", () => {
+    it("should detect AWS metadata endpoints", () => {
+      expect(isCloudMetadataEndpoint("169.254.169.254")).toBe(true);
+      expect(isCloudMetadataEndpoint("fd00:ec2::254")).toBe(true);
+      expect(isCloudMetadataEndpoint("instance-data")).toBe(true);
+      expect(isCloudMetadataEndpoint("instance-data.ec2.internal")).toBe(true);
+    });
+    it("should detect Google Cloud metadata endpoints", () => {
+      expect(isCloudMetadataEndpoint("metadata.google.internal")).toBe(true);
+      expect(isCloudMetadataEndpoint("metadata.google.com")).toBe(true);
+    });
+    it("should detect Kubernetes endpoints", () => {
+      expect(isCloudMetadataEndpoint("kubernetes.default")).toBe(true);
+      expect(isCloudMetadataEndpoint("kubernetes.default.svc")).toBe(true);
+      expect(isCloudMetadataEndpoint("kubernetes.default.svc.cluster.local")).toBe(true);
+    });
+    it("should detect bind-all addresses", () => {
+      expect(isCloudMetadataEndpoint("0.0.0.0")).toBe(true);
+      expect(isCloudMetadataEndpoint("::")).toBe(true);
+      expect(isCloudMetadataEndpoint("[::]")).toBe(true);
+    });
+    it("should NOT detect normal hostnames as metadata", () => {
+      expect(isCloudMetadataEndpoint("example.com")).toBe(false);
+      expect(isCloudMetadataEndpoint("api.example.com")).toBe(false);
+    });
+    it("should be case-insensitive", () => {
+      expect(isCloudMetadataEndpoint("METADATA.GOOGLE.INTERNAL")).toBe(true);
+      expect(isCloudMetadataEndpoint("Kubernetes.Default")).toBe(true);
+    });
+  });
+  describe("isLocalhostException", () => {
+    it("should detect localhost hostnames", () => {
+      expect(isLocalhostException("localhost")).toBe(true);
+      expect(isLocalhostException("LOCALHOST")).toBe(true);
+      expect(isLocalhostException("127.0.0.1")).toBe(true);
+      expect(isLocalhostException("::1")).toBe(true);
+      expect(isLocalhostException("[::1]")).toBe(true);
+    });
+    it("should NOT detect bind-all addresses as localhost", () => {
+      expect(isLocalhostException("0.0.0.0")).toBe(false);
+      expect(isLocalhostException("::")).toBe(false);
+      expect(isLocalhostException("[::]")).toBe(false);
+    });
+    it("should NOT detect non-localhost as localhost", () => {
+      expect(isLocalhostException("example.com")).toBe(false);
+      expect(isLocalhostException("127.0.0.2")).toBe(false);
+    });
+  });
+  describe("validateWebhookUrl", () => {
+    describe("Valid URLs", () => {
+      it("should accept HTTPS public URLs", () => {
+        const urls = [
+          "https://webhook.example.com/events",
+          "https://api.example.org/webhook",
+          "https://example.com:8443/webhook"
+        ];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, false)).not.toThrow();
+        });
+      });
+      it("should accept localhost HTTP when allowed", () => {
+        const urls = [
+          "http://localhost/webhook",
+          "http://localhost:3000/events",
+          "http://127.0.0.1/webhook",
+          "http://127.0.0.1:8080/events",
+          "http://[::1]/webhook"
+        ];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, true)).not.toThrow();
+        });
+      });
+    });
+    describe("Protocol Validation", () => {
+      it("should reject non-HTTP/HTTPS protocols", () => {
+        const urls = [
+          "ftp://example.com/webhook",
+          "file:///etc/passwd",
+          "javascript:alert(1)",
+          "data:text/html,<script>alert(1)</script>"
+        ];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, false)).toThrow(/protocol/i);
+        });
+      });
+      it("should reject HTTP for non-localhost without allowLocalhost", () => {
+        // Public domain should require HTTPS
+        expect(() => validateWebhookUrl("http://example.com/webhook", false)).toThrow(/HTTPS/i);
+        // Private IPs should be blocked as private IPs (more specific error)
+        expect(() => validateWebhookUrl("http://192.168.1.1/webhook", false)).toThrow(
+          /private IP address/i
+        );
+        expect(() => validateWebhookUrl("http://10.0.0.1/webhook", false)).toThrow(
+          /private IP address/i
+        );
+      });
+    });
+    describe("Cloud Metadata Protection", () => {
+      it("should block AWS metadata endpoints", () => {
+        const urls = [
+          "http://169.254.169.254/latest/meta-data/",
+          "https://169.254.169.254/latest/meta-data/iam/security-credentials/",
+          "http://instance-data/latest/meta-data/",
+          "http://instance-data.ec2.internal/latest/meta-data/"
+        ];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, true)).toThrow(/cloud metadata endpoint/i);
+        });
+      });
+      it("should block Google Cloud metadata endpoints", () => {
+        const urls = [
+          "http://metadata.google.internal/computeMetadata/v1/",
+          "http://metadata.google.com/computeMetadata/v1/"
+        ];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, true)).toThrow(/cloud metadata endpoint/i);
+        });
+      });
+      it("should block Kubernetes service discovery", () => {
+        // Kubernetes default endpoints are in BLOCKED_HOSTNAMES (cloud metadata)
+        const k8sDefaultUrls = [
+          "http://kubernetes.default/api",
+          "http://kubernetes.default.svc/api",
+          "http://kubernetes.default.svc.cluster.local/api"
+        ];
+        k8sDefaultUrls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, true)).toThrow(/cloud metadata endpoint/i);
+        });
+        // Other k8s services should be blocked by isKubernetesService check
+        expect(() => validateWebhookUrl("http://redis.default.svc.cluster.local:6379", true)).toThrow(
+          /Kubernetes service/i
+        );
+      });
+    });
+    describe("Private IP Protection", () => {
+      it("should block RFC1918 private IP ranges", () => {
+        const urls = [
+          "https://10.0.0.1/webhook",
+          "https://192.168.1.1/webhook",
+          "https://172.16.0.1/webhook",
+          "https://172.31.255.255/webhook"
+        ];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, false)).toThrow(/private IP address/i);
+        });
+      });
+      it("should block loopback addresses (except allowed localhost)", () => {
+        const urls = [
+          "https://127.0.0.2/webhook", // Not 127.0.0.1
+          "https://127.255.255.255/webhook"
+        ];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, false)).toThrow(/private IP|localhost/i);
+        });
+      });
+      it("should block link-local addresses", () => {
+        const urls = ["https://169.254.1.1/webhook", "https://169.254.255.255/webhook"];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, false)).toThrow(/private IP|cloud metadata/i);
+        });
+      });
+      it("should block IPv6 private ranges", () => {
+        const urls = [
+          "https://[fc00::1]/webhook",
+          "https://[fd00::1]/webhook",
+          "https://[fe80::1]/webhook"
+        ];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, false)).toThrow(/private IP/i);
+        });
+      });
+    });
+    describe("Dangerous Ports Protection", () => {
+      it("should block common internal service ports", () => {
+        const dangerousPorts = [
+          { port: 22, name: "SSH" },
+          { port: 3306, name: "MySQL" },
+          { port: 5432, name: "PostgreSQL" },
+          { port: 6379, name: "Redis" },
+          { port: 27017, name: "MongoDB" }
+        ];
+        dangerousPorts.forEach(({ port }) => {
+          const url = `https://example.com:${port}/webhook`;
+          expect(() => validateWebhookUrl(url, false)).toThrow(/Port.*internal services/i);
+        });
+      });
+      it("should allow safe ports", () => {
+        const safePorts = [80, 443, 8080, 8443, 3000, 4000, 5000];
+        safePorts.forEach((port) => {
+          const url = `https://example.com:${port}/webhook`;
+          expect(() => validateWebhookUrl(url, false)).not.toThrow();
+        });
+      });
+    });
+    describe("Localhost Handling", () => {
+      it("should block localhost HTTP when allowLocalhost=false", () => {
+        const urls = ["http://localhost/webhook", "http://127.0.0.1/webhook"];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, false)).toThrow(/localhost.*allowInsecureWebhooks/i);
+        });
+      });
+      it("should block bind-all addresses even with allowLocalhost=true", () => {
+        const urls = ["http://0.0.0.0/webhook", "http://[::]/webhook"];
+        urls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, true)).toThrow(/cloud metadata|private IP/i);
+        });
+      });
+    });
+    describe("Error Messages", () => {
+      it("should provide helpful error messages", () => {
+        try {
+          validateWebhookUrl("http://169.254.169.254/latest/meta-data/", true);
+          expect.fail("Should have thrown");
+        } catch (error) {
+          expect((error as Error).message).toContain("cloud metadata endpoint");
+          expect((error as Error).message).toContain("sensitive credentials");
+        }
+        try {
+          validateWebhookUrl("https://10.0.0.1/webhook", false);
+          expect.fail("Should have thrown");
+        } catch (error) {
+          expect((error as Error).message).toContain("private IP address");
+          expect((error as Error).message).toContain("allowInsecureWebhooks");
+        }
+      });
+    });
+    describe("Invalid URLs", () => {
+      it("should reject malformed URLs", () => {
+        // Truly malformed URLs (cannot be parsed)
+        const malformedUrls = ["not-a-url", "", "example.com"];
+        malformedUrls.forEach((url) => {
+          expect(() => validateWebhookUrl(url, false)).toThrow(/Invalid webhook URL/i);
+        });
+      });
+      it("should reject URLs with invalid protocols", () => {
+        // Valid URLs but wrong protocol
+        expect(() => validateWebhookUrl("htp://example.com", false)).toThrow(/protocol/i);
+        expect(() => validateWebhookUrl("ftp://example.com", false)).toThrow(/protocol/i);
+      });
+    });
+  });
+});