@textrp/briij-js-sdk 42.0.0 → 43.1.0

package/src/wallet-recovery.ts

@@ -0,0 +1,327 @@
+/*
+Copyright 2026 TextRP
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import { type WalletE2eeRecoveryEnvelope, type WalletRecoveryWrap } from "./@types/auth.ts";
+
+const ENVELOPE_VERSION = 1;
+const KEY_BYTES = 32;
+const NONCE_BYTES = 12;
+const SALT_BYTES = 16;
+const PASSWORD_KDF_ITERATIONS = 210_000;
+const SUPPORTED_WRAP_ALG = "aes-256-gcm";
+const SUPPORTED_WALLET_WRAP_KDF = "sha256-context-v1";
+const SUPPORTED_PASSWORD_WRAP_KDF = "pbkdf2-sha256-v1";
+
+export interface CreateDualWrapEnvelopeParams {
+    chainId: string;
+    accountId: string;
+    backupPassword: string;
+    walletWrapKey: Uint8Array;
+    createdAtMs?: number;
+    keyId?: string;
+    recoveryKey?: Uint8Array;
+}
+
+export interface UnwrapWithWalletParams {
+    envelope: WalletE2eeRecoveryEnvelope;
+    walletWrapKey: Uint8Array;
+}
+
+export interface UnwrapWithPasswordParams {
+    envelope: WalletE2eeRecoveryEnvelope;
+    backupPassword: string;
+}
+
+function assert(condition: boolean, message: string): asserts condition {
+    if (!condition) throw new Error(message);
+}
+
+function toBase64(bytes: Uint8Array): string {
+    if (typeof Buffer !== "undefined") return Buffer.from(bytes).toString("base64");
+    let binary = "";
+    bytes.forEach((b) => (binary += String.fromCodePoint(b)));
+    return btoa(binary);
+}
+
+function fromBase64(value: string): Uint8Array {
+    if (typeof Buffer !== "undefined") return new Uint8Array(Buffer.from(value, "base64"));
+    const binary = atob(value);
+    const out = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) out[i] = binary.codePointAt(i)!;
+    return out;
+}
+
+function toUtf8(value: string): Uint8Array {
+    return new TextEncoder().encode(value);
+}
+
+function toArrayBuffer(value: Uint8Array): ArrayBuffer {
+    return value.buffer.slice(value.byteOffset, value.byteOffset + value.byteLength) as ArrayBuffer;
+}
+
+function randomBytes(len: number): Uint8Array {
+    const out = new Uint8Array(len);
+    globalThis.crypto.getRandomValues(out);
+    return out;
+}
+
+async function importAesGcmKey(key: Uint8Array): Promise<CryptoKey> {
+    return await globalThis.crypto.subtle.importKey("raw", toArrayBuffer(key), { name: "AES-GCM" }, false, [
+        "encrypt",
+        "decrypt",
+    ]);
+}
+
+async function encryptWrap(
+    plaintext: Uint8Array,
+    {
+        key,
+        aad,
+        kdf,
+        params,
+    }: {
+        key: Uint8Array;
+        aad: Uint8Array;
+        kdf: string;
+        params?: Record<string, unknown>;
+    },
+): Promise<WalletRecoveryWrap> {
+    assert(key.length >= KEY_BYTES, "wallet recovery key must be at least 32 bytes");
+    const salt = randomBytes(SALT_BYTES);
+    const nonce = randomBytes(NONCE_BYTES);
+    const cryptoKey = await importAesGcmKey(key.slice(0, KEY_BYTES));
+    const ciphertext = await globalThis.crypto.subtle.encrypt(
+        {
+            name: "AES-GCM",
+            iv: toArrayBuffer(nonce),
+            additionalData: toArrayBuffer(aad),
+            tagLength: 128,
+        },
+        cryptoKey,
+        toArrayBuffer(plaintext),
+    );
+    return {
+        alg: "aes-256-gcm",
+        kdf,
+        salt: toBase64(salt),
+        nonce: toBase64(nonce),
+        ciphertext: toBase64(new Uint8Array(ciphertext)),
+        aad: toBase64(aad),
+        params,
+    };
+}
+
+async function decryptWrap(wrap: WalletRecoveryWrap, key: Uint8Array): Promise<Uint8Array> {
+    assert(
+        wrap.alg === SUPPORTED_WRAP_ALG,
+        `Unsupported recovery wrap alg '${wrap.alg}', expected '${SUPPORTED_WRAP_ALG}'`,
+    );
+    assert(
+        wrap.kdf === SUPPORTED_WALLET_WRAP_KDF || wrap.kdf === SUPPORTED_PASSWORD_WRAP_KDF,
+        `Unsupported recovery wrap kdf '${wrap.kdf}'`,
+    );
+    const nonce = fromBase64(wrap.nonce);
+    const aad = wrap.aad ? fromBase64(wrap.aad) : new Uint8Array();
+    const ciphertext = fromBase64(wrap.ciphertext);
+    const cryptoKey = await importAesGcmKey(key.slice(0, KEY_BYTES));
+    const plaintext = await globalThis.crypto.subtle.decrypt(
+        {
+            name: "AES-GCM",
+            iv: toArrayBuffer(nonce),
+            additionalData: toArrayBuffer(aad),
+            tagLength: 128,
+        },
+        cryptoKey,
+        toArrayBuffer(ciphertext),
+    );
+    return new Uint8Array(plaintext);
+}
+
+async function derivePasswordWrapKey(password: string, salt: Uint8Array): Promise<Uint8Array> {
+    const keyMaterial = await globalThis.crypto.subtle.importKey(
+        "raw",
+        toArrayBuffer(toUtf8(password)),
+        "PBKDF2",
+        false,
+        ["deriveBits"],
+    );
+    const bits = await globalThis.crypto.subtle.deriveBits(
+        {
+            name: "PBKDF2",
+            hash: "SHA-256",
+            salt: toArrayBuffer(salt),
+            iterations: PASSWORD_KDF_ITERATIONS,
+        },
+        keyMaterial,
+        KEY_BYTES * 8,
+    );
+    return new Uint8Array(bits);
+}
+
+export async function deriveWalletWrapKeyFromSecret(
+    walletSecret: string,
+    chainId: string,
+    accountId: string,
+    homeserver: string,
+): Promise<Uint8Array> {
+    const canonicalHomeserver = canonicalizeHomeserver(homeserver);
+    const context = `briij-wallet-auth-wrap-v1:${canonicalHomeserver}:${chainId}:${accountId}`;
+    const digest = await globalThis.crypto.subtle.digest(
+        "SHA-256",
+        toArrayBuffer(toUtf8(`${context}:${walletSecret}`)),
+    );
+    return new Uint8Array(digest);
+}
+
+export function validateRecoveryEnvelopeShape(value: unknown): asserts value is WalletE2eeRecoveryEnvelope {
+    assert(!!value && typeof value === "object", "recovery envelope must be an object");
+    const envelope = value as WalletE2eeRecoveryEnvelope;
+    assert(typeof envelope.envelope_version === "number", "envelope_version must be a number");
+    assert(
+        envelope.envelope_version === ENVELOPE_VERSION,
+        `Unsupported envelope_version '${envelope.envelope_version}', expected '${ENVELOPE_VERSION}'`,
+    );
+    assert(typeof envelope.chain_id === "string" && envelope.chain_id.length > 0, "chain_id is required");
+    assert(typeof envelope.account_id === "string" && envelope.account_id.length > 0, "account_id is required");
+    assert(typeof envelope.created_at_ms === "number", "created_at_ms must be a number");
+    assert(typeof envelope.key_id === "string" && envelope.key_id.length > 0, "key_id is required");
+    assert(!!envelope.wallet_wrap && typeof envelope.wallet_wrap === "object", "wallet_wrap is required");
+    assert(!!envelope.password_wrap && typeof envelope.password_wrap === "object", "password_wrap is required");
+    assert(
+        typeof envelope.wallet_wrap.alg === "string" && envelope.wallet_wrap.alg.length > 0,
+        "wallet_wrap.alg is required",
+    );
+    assert(
+        typeof envelope.wallet_wrap.kdf === "string" && envelope.wallet_wrap.kdf.length > 0,
+        "wallet_wrap.kdf is required",
+    );
+    assert(
+        envelope.wallet_wrap.alg === SUPPORTED_WRAP_ALG,
+        `Unsupported wallet_wrap.alg '${envelope.wallet_wrap.alg}', expected '${SUPPORTED_WRAP_ALG}'`,
+    );
+    assert(
+        envelope.wallet_wrap.kdf === SUPPORTED_WALLET_WRAP_KDF,
+        `Unsupported wallet_wrap.kdf '${envelope.wallet_wrap.kdf}', expected '${SUPPORTED_WALLET_WRAP_KDF}'`,
+    );
+    assert(
+        typeof envelope.wallet_wrap.salt === "string" && envelope.wallet_wrap.salt.length > 0,
+        "wallet_wrap.salt is required",
+    );
+    assert(
+        typeof envelope.wallet_wrap.nonce === "string" && envelope.wallet_wrap.nonce.length > 0,
+        "wallet_wrap.nonce is required",
+    );
+    assert(
+        typeof envelope.wallet_wrap.ciphertext === "string" && envelope.wallet_wrap.ciphertext.length > 0,
+        "wallet_wrap.ciphertext is required",
+    );
+
+    assert(
+        typeof envelope.password_wrap.alg === "string" && envelope.password_wrap.alg.length > 0,
+        "password_wrap.alg is required",
+    );
+    assert(
+        typeof envelope.password_wrap.kdf === "string" && envelope.password_wrap.kdf.length > 0,
+        "password_wrap.kdf is required",
+    );
+    assert(
+        envelope.password_wrap.alg === SUPPORTED_WRAP_ALG,
+        `Unsupported password_wrap.alg '${envelope.password_wrap.alg}', expected '${SUPPORTED_WRAP_ALG}'`,
+    );
+    assert(
+        envelope.password_wrap.kdf === SUPPORTED_PASSWORD_WRAP_KDF,
+        `Unsupported password_wrap.kdf '${envelope.password_wrap.kdf}', expected '${SUPPORTED_PASSWORD_WRAP_KDF}'`,
+    );
+    assert(
+        typeof envelope.password_wrap.salt === "string" && envelope.password_wrap.salt.length > 0,
+        "password_wrap.salt is required",
+    );
+    assert(
+        typeof envelope.password_wrap.nonce === "string" && envelope.password_wrap.nonce.length > 0,
+        "password_wrap.nonce is required",
+    );
+    assert(
+        typeof envelope.password_wrap.ciphertext === "string" && envelope.password_wrap.ciphertext.length > 0,
+        "password_wrap.ciphertext is required",
+    );
+}
+
+export async function createDualWrapEnvelope(
+    params: CreateDualWrapEnvelopeParams,
+): Promise<WalletE2eeRecoveryEnvelope> {
+    assert(params.chainId.length > 0, "chainId is required");
+    assert(params.accountId.length > 0, "accountId is required");
+    assert(params.backupPassword.length > 0, "backupPassword is required");
+    assert(params.walletWrapKey.length >= KEY_BYTES, "walletWrapKey must be at least 32 bytes");
+
+    const createdAtMs = params.createdAtMs ?? Date.now();
+    const keyId = params.keyId ?? `k-${toBase64(randomBytes(8)).replace(/=+$/g, "")}`;
+    const recoveryKey = params.recoveryKey ?? randomBytes(KEY_BYTES);
+    assert(recoveryKey.length === KEY_BYTES, "recoveryKey must be 32 bytes");
+
+    const aad = toUtf8(`briij-recovery-envelope-v1:${params.chainId}:${params.accountId}:${keyId}:${createdAtMs}`);
+    const walletWrap = await encryptWrap(recoveryKey, {
+        key: params.walletWrapKey,
+        aad,
+        kdf: "sha256-context-v1",
+    });
+
+    const passwordSalt = randomBytes(SALT_BYTES);
+    const passwordWrapKey = await derivePasswordWrapKey(params.backupPassword, passwordSalt);
+    const passwordWrap = await encryptWrap(recoveryKey, {
+        key: passwordWrapKey,
+        aad,
+        kdf: "pbkdf2-sha256-v1",
+        params: {
+            iterations: PASSWORD_KDF_ITERATIONS,
+            hash: "SHA-256",
+        },
+    });
+    passwordWrap.salt = toBase64(passwordSalt);
+
+    return {
+        envelope_version: ENVELOPE_VERSION,
+        chain_id: params.chainId,
+        account_id: params.accountId,
+        created_at_ms: createdAtMs,
+        key_id: keyId,
+        wallet_wrap: walletWrap,
+        password_wrap: passwordWrap,
+    };
+}
+
+export async function unwrapWithWallet({ envelope, walletWrapKey }: UnwrapWithWalletParams): Promise<Uint8Array> {
+    validateRecoveryEnvelopeShape(envelope);
+    return await decryptWrap(envelope.wallet_wrap, walletWrapKey);
+}
+
+export async function unwrapWithPassword({ envelope, backupPassword }: UnwrapWithPasswordParams): Promise<Uint8Array> {
+    validateRecoveryEnvelopeShape(envelope);
+    const passwordSalt = fromBase64(envelope.password_wrap.salt);
+    const passwordWrapKey = await derivePasswordWrapKey(backupPassword, passwordSalt);
+    return await decryptWrap(envelope.password_wrap, passwordWrapKey);
+}
+
+function canonicalizeHomeserver(homeserver: string): string {
+    const trimmed = homeserver.trim().replace(/\/+$/, "");
+    try {
+        const parsed = new URL(trimmed);
+        parsed.hostname = parsed.hostname.toLowerCase();
+        return parsed.toString().replace(/\/+$/, "");
+    } catch {
+        return trimmed.toLowerCase();
+    }
+}

package/src/xrpl/identity.ts

@@ -66,8 +66,19 @@ export function setXamanWalletForXrplIdentity(xamanWallet: XamanWalletAdapter):
     };
 }
 
-export async function mintSoulboundIdentityNFT(matrixUserId: string): Promise<XrplIdentityMintResult | null> {
-    const { homeserverBaseUrl, accessToken, xamanWallet } = mintingConfig;
+export function getConfiguredXrplIdentityMintingConfig(): Partial<XrplIdentityMintingConfig> {
+    return { ...mintingConfig };
+}
+
+export async function mintSoulboundIdentityNFT(
+    matrixUserId: string,
+    config?: Partial<XrplIdentityMintingConfig>,
+): Promise<XrplIdentityMintResult | null> {
+    const effectiveConfig = {
+        ...mintingConfig,
+        ...config,
+    };
+    const { homeserverBaseUrl, accessToken, xamanWallet } = effectiveConfig;
     if (!homeserverBaseUrl || !accessToken || !xamanWallet) {
         logger.warn(
             "Skipping XRPL identity mint for %s: missing homeserver auth and/or Xaman wallet adapter",
@@ -85,10 +96,10 @@ export async function mintSoulboundIdentityNFT(matrixUserId: string): Promise<Xr
     }
 
     const xrplAddress = await xamanWallet.getAddress();
-    const ipfsUri = await buildIpfsUri(matrixUserId, xrplAddress);
+    const ipfsUri = await buildIpfsUri(matrixUserId, xrplAddress, effectiveConfig);
     const encodedUri = toHex(ipfsUri);
 
-    const xrplClient = new XrplClient(resolveXrplWebSocketUrl());
+    const xrplClient = new XrplClient(resolveXrplWebSocketUrl(effectiveConfig));
     await xrplClient.connect();
 
     try {
@@ -102,13 +113,9 @@ export async function mintSoulboundIdentityNFT(matrixUserId: string): Promise<Xr
 
         const autofilled = await xrplClient.autofill(mintTransaction);
         const { hash: txHash } = await xamanWallet.signAndSubmit(autofilled as unknown as Record<string, unknown>);
-        const txResult = await xrplClient.request({
-            command: "tx",
-            transaction: txHash,
-        });
-
+        const txResult = await waitForValidation(xrplClient, txHash);
         const nftTokenId =
-            extractNftTokenId(txResult.result?.meta) ??
+            extractTxScopedNftTokenId(txResult.result) ??
             (await findAccountNftByUri(xrplClient, xrplAddress, encodedUri));
         if (!nftTokenId) {
             throw new Error(`Unable to resolve NFTokenID for transaction ${txHash}`);
@@ -133,9 +140,13 @@ export async function mintSoulboundIdentityNFT(matrixUserId: string): Promise<Xr
     }
 }
 
-async function buildIpfsUri(matrixUserId: string, xrplAddress: string): Promise<string> {
-    if (mintingConfig.ipfsUriFactory) {
-        return await mintingConfig.ipfsUriFactory(matrixUserId, xrplAddress);
+async function buildIpfsUri(
+    matrixUserId: string,
+    xrplAddress: string,
+    config: Partial<XrplIdentityMintingConfig>,
+): Promise<string> {
+    if (config.ipfsUriFactory) {
+        return await config.ipfsUriFactory(matrixUserId, xrplAddress);
     }
 
     const payload = JSON.stringify({ matrixUserId, xrplAddress });
@@ -143,12 +154,26 @@ async function buildIpfsUri(matrixUserId: string, xrplAddress: string): Promise<
     return `ipfs://textrp-briij/${toHex(digest).slice(0, 46)}`;
 }
 
-function resolveXrplWebSocketUrl(): string {
-    if (mintingConfig.websocketUrl) return mintingConfig.websocketUrl;
-    const network = mintingConfig.network ?? DEFAULT_XRPL_NETWORK;
+function resolveXrplWebSocketUrl(config: Partial<XrplIdentityMintingConfig>): string {
+    if (config.websocketUrl) return config.websocketUrl;
+    const network = config.network ?? DEFAULT_XRPL_NETWORK;
     return network === "mainnet" ? DEFAULT_XRPL_MAINNET_WS : DEFAULT_XRPL_TESTNET_WS;
 }
 
+async function waitForValidation(xrplClient: XrplClient, txHash: string): Promise<{ result?: unknown }> {
+    for (let attempt = 0; attempt < 15; attempt += 1) {
+        const response = await xrplClient.request({
+            command: "tx",
+            transaction: txHash,
+        });
+        if (response.result?.validated === true) {
+            return response as unknown as { result?: unknown };
+        }
+        await sleep(1000);
+    }
+    throw new Error(`Timed out waiting for XRPL tx validation: ${txHash}`);
+}
+
 function accountDataUrl(baseUrl: string, matrixUserId: string): string {
     const trimmedBaseUrl = baseUrl.replace(/\/+$/, "");
     return `${trimmedBaseUrl}/_matrix/client/v3/user/${encodeURIComponent(matrixUserId)}/account_data/${encodeURIComponent(XRPL_IDENTITY_ACCOUNT_DATA_TYPE)}`;
@@ -162,7 +187,7 @@ async function getIdentityAccountData(
     const response = await fetch(accountDataUrl(homeserverBaseUrl, matrixUserId), {
         method: "GET",
         headers: {
-            Authorization: `Bearer ${accessToken}`,
+            "Authorization": `Bearer ${accessToken}`,
             "Content-Type": "application/json",
         },
     });
@@ -184,7 +209,7 @@ async function setIdentityAccountData(
     const response = await fetch(accountDataUrl(homeserverBaseUrl, matrixUserId), {
         method: "PUT",
         headers: {
-            Authorization: `Bearer ${accessToken}`,
+            "Authorization": `Bearer ${accessToken}`,
             "Content-Type": "application/json",
         },
         body: JSON.stringify(payload),
@@ -195,7 +220,11 @@ async function setIdentityAccountData(
     }
 }
 
-async function findAccountNftByUri(xrplClient: XrplClient, xrplAddress: string, encodedUri: string): Promise<string | null> {
+async function findAccountNftByUri(
+    xrplClient: XrplClient,
+    xrplAddress: string,
+    encodedUri: string,
+): Promise<string | null> {
     const response = await xrplClient.request({
         command: "account_nfts",
         account: xrplAddress,
@@ -209,28 +238,20 @@ async function findAccountNftByUri(xrplClient: XrplClient, xrplAddress: string,
     return nft?.NFTokenID ?? null;
 }
 
-function extractNftTokenId(meta: unknown): string | null {
-    if (!meta || typeof meta !== "object") return null;
-    const affectedNodes = (meta as { AffectedNodes?: unknown[] }).AffectedNodes ?? [];
-
-    for (const nodeWrapper of affectedNodes) {
-        if (!nodeWrapper || typeof nodeWrapper !== "object") continue;
-        const [nodeValue] = Object.values(nodeWrapper as Record<string, unknown>);
-        if (!nodeValue || typeof nodeValue !== "object") continue;
+function extractTxScopedNftTokenId(result: unknown): string | null {
+    if (!result || typeof result !== "object") {
+        return null;
+    }
 
-        const newFields = (nodeValue as { NewFields?: unknown }).NewFields;
-        const finalFields = (nodeValue as { FinalFields?: unknown }).FinalFields;
-        const tokensContainer = [newFields, finalFields].find((container) => {
-            if (!container || typeof container !== "object") return false;
-            return Array.isArray((container as { NFTokens?: unknown[] }).NFTokens);
-        }) as { NFTokens?: unknown[] } | undefined;
+    const payload = result as Record<string, unknown>;
+    const directTokenId = payload["nftoken_id"];
+    if (typeof directTokenId === "string" && directTokenId.length > 0) {
+        return directTokenId;
+    }
 
-        const nftokens = tokensContainer?.NFTokens ?? [];
-        for (const tokenEntry of nftokens) {
-            if (!tokenEntry || typeof tokenEntry !== "object") continue;
-            const token = (tokenEntry as { NFToken?: { NFTokenID?: string } }).NFToken;
-            if (token?.NFTokenID) return token.NFTokenID;
-        }
+    const directAlternate = payload["NFTokenID"];
+    if (typeof directAlternate === "string" && directAlternate.length > 0) {
+        return directAlternate;
     }
 
     return null;
@@ -243,3 +264,9 @@ function toHex(input: string | Uint8Array): string {
         .join("")
         .toUpperCase();
 }
+
+async function sleep(ms: number): Promise<void> {
+    await new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}

package/src/xrpl/trust.ts

@@ -15,6 +15,7 @@ limitations under the License.
 */
 
 const DEFAULT_TRUST_PATH = "/_matrix/client/v3/org.textrp.xrpl/trust";
+const DEFAULT_TRUST_TIMEOUT_MS = 10_000;
 
 export interface XrplTrustConfig {
     homeserverBaseUrl: string;
@@ -22,35 +23,51 @@ export interface XrplTrustConfig {
     trustPath?: string;
 }
 
-let xrplTrustConfig: Partial<XrplTrustConfig> = {};
-
-export function configureXrplTrust(config: Partial<XrplTrustConfig>): void {
-    xrplTrustConfig = {
-        ...xrplTrustConfig,
-        ...config,
-    };
+export interface XrplTrustRequestOptions {
+    timeoutMs?: number;
 }
 
-export async function getTrustScore(payer: string, payee: string): Promise<number> {
-    const homeserverBaseUrl = xrplTrustConfig.homeserverBaseUrl;
-    const accessToken = xrplTrustConfig.accessToken;
+export async function getTrustScore(
+    payer: string,
+    payee: string,
+    config: XrplTrustConfig,
+    options?: XrplTrustRequestOptions,
+): Promise<number> {
+    const { homeserverBaseUrl, accessToken } = config;
     if (!homeserverBaseUrl || !accessToken) {
         throw new Error("XRPL trust config is incomplete");
     }
 
     const trimmedBaseUrl = homeserverBaseUrl.replace(/\/+$/, "");
-    const trustPath = xrplTrustConfig.trustPath ?? DEFAULT_TRUST_PATH;
+    const trustPath = config.trustPath ?? DEFAULT_TRUST_PATH;
     const query = new URLSearchParams({
         payer,
         payee,
     });
-    const response = await fetch(`${trimmedBaseUrl}${trustPath}?${query.toString()}`, {
-        method: "GET",
-        headers: {
-            Authorization: `Bearer ${accessToken}`,
-            "Content-Type": "application/json",
-        },
-    });
+    const timeoutMs = options?.timeoutMs ?? DEFAULT_TRUST_TIMEOUT_MS;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => {
+        controller.abort();
+    }, timeoutMs);
+
+    let response: Response;
+    try {
+        response = await fetch(`${trimmedBaseUrl}${trustPath}?${query.toString()}`, {
+            method: "GET",
+            headers: {
+                "Authorization": `Bearer ${accessToken}`,
+                "Content-Type": "application/json",
+            },
+            signal: controller.signal,
+        });
+    } catch (error) {
+        if (error instanceof Error && error.name === "AbortError") {
+            throw new Error(`Timed out fetching trust score after ${timeoutMs}ms`);
+        }
+        throw error;
+    } finally {
+        clearTimeout(timeoutId);
+    }
 
     if (!response.ok) {
         throw new Error(`Failed to fetch trust score: HTTP ${response.status}`);

package/src/xrpl/verification.ts

@@ -114,8 +114,8 @@ export async function acceptVerification(issuerXrplAddress: string): Promise<Xrp
 
     await matrixClient.sendEvent(roomId, XRPL_VERIFY_ACCEPT_EVENT, {
         tx_hash: txHash,
-        issuer_xrpl_address: signerAddress,
-        accepter_xrpl_address: issuerXrplAddress,
+        issuer_xrpl_address: issuerXrplAddress,
+        accepter_xrpl_address: signerAddress,
         nft_token_id: identity.nftTokenId,
         ipfs_uri: updatedUri,
         trust_model: NFT_TRUST_TAG,
@@ -154,10 +154,23 @@ async function signAndValidateOnXrpl(
 
 async function waitForValidation(xrplClient: XrplClient, txHash: string): Promise<void> {
     for (let attempt = 0; attempt < 15; attempt += 1) {
-        const response = await xrplClient.request({
-            command: "tx",
-            transaction: txHash,
-        });
+        let response: { result?: { validated?: boolean } };
+        try {
+            response = (await xrplClient.request({
+                command: "tx",
+                transaction: txHash,
+            })) as { result?: { validated?: boolean } };
+        } catch (error) {
+            const errorCode =
+                error instanceof Error && "data" in error
+                    ? ((error as { data?: { error?: string } }).data?.error ?? (error as { error?: string }).error)
+                    : undefined;
+            if (errorCode === "txnNotFound") {
+                await sleep(1000);
+                continue;
+            }
+            throw error;
+        }
 
         if (response.result?.validated === true) return;
         await sleep(1000);