@toon-protocol/connector 1.7.1

package/dist/security/audit-logger.js

@@ -0,0 +1,132 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditLogger = void 0;
+exports.createAuditLogger = createAuditLogger;
+const tslib_1 = require("tslib");
+const pino_1 = tslib_1.__importDefault(require("pino"));
+class AuditLogger {
+    logger;
+    nodeId;
+    backend;
+    retentionDays;
+    constructor(logger, config) {
+        this.logger = logger.child({
+            component: 'AuditLogger',
+            nodeId: config.nodeId,
+            backend: config.backend,
+        });
+        this.nodeId = config.nodeId;
+        this.backend = config.backend;
+        this.retentionDays = config.retentionDays ?? 365;
+        this.logger.info('AuditLogger initialized', {
+            retentionDays: this.retentionDays,
+        });
+    }
+    logSignRequest(keyId, messageHash) {
+        const entry = this._createEntry('SIGN_REQUEST', keyId, {
+            messageHash: messageHash.substring(0, 16) + '...',
+        });
+        this.logger.info(entry, 'Sign request initiated');
+    }
+    logSignSuccess(keyId, signatureHash) {
+        const entry = this._createEntry('SIGN_SUCCESS', keyId, {
+            signatureHash: signatureHash.substring(0, 16) + '...',
+        });
+        this.logger.info(entry, 'Sign operation successful');
+    }
+    logSignFailure(keyId, error) {
+        const entry = this._createEntry('SIGN_FAILURE', keyId, {
+            errorMessage: error.message,
+            errorName: error.name,
+        });
+        this.logger.error(entry, 'Sign operation failed');
+    }
+    logKeyRotation(oldKeyId, newKeyId, phase) {
+        const event = phase === 'START' ? 'KEY_ROTATION_START' : 'KEY_ROTATION_COMPLETE';
+        const entry = this._createEntry(event, oldKeyId, {
+            oldKeyId,
+            newKeyId,
+        });
+        this.logger.info(entry, `Key rotation ${phase.toLowerCase()}`);
+    }
+    logAccessDenied(keyId, reason) {
+        const entry = this._createEntry('KEY_ACCESS_DENIED', keyId, {
+            reason,
+        });
+        this.logger.warn(entry, 'Key access denied');
+    }
+    logFraudDetection(peerId, ruleName, severity, details) {
+        const entry = this._createEntry('FRAUD_DETECTED', peerId, {
+            ruleName,
+            severity,
+            ...details,
+        });
+        this.logger.warn(entry, 'Fraud detected');
+    }
+    logPeerPause(peerId, reason, ruleViolated, severity) {
+        const entry = this._createEntry('PEER_PAUSED', peerId, {
+            reason,
+            ruleViolated,
+            severity,
+        });
+        this.logger.warn(entry, 'Peer paused due to fraud detection');
+    }
+    logPeerResume(peerId, operator) {
+        const entry = this._createEntry('PEER_RESUMED', peerId, {
+            operator,
+        });
+        this.logger.info(entry, 'Peer resumed after manual review');
+    }
+    async exportAuditLogs(startDate, endDate) {
+        this.logger.info('Audit log export requested', {
+            startDate: new Date(startDate).toISOString(),
+            endDate: new Date(endDate).toISOString(),
+        });
+        this.logger.warn('exportAuditLogs is a placeholder - integrate with log aggregation system for production');
+        return [];
+    }
+    _createEntry(event, keyId, details) {
+        return {
+            event,
+            keyId,
+            timestamp: Date.now(),
+            nodeId: this.nodeId,
+            backend: this.backend,
+            details,
+        };
+    }
+}
+exports.AuditLogger = AuditLogger;
+function createAuditLogger(_config) {
+    return (0, pino_1.default)({
+        serializers: {
+            privateKey: () => '[REDACTED]',
+            PIN: () => '[REDACTED]',
+            pin: () => '[REDACTED]',
+            credentials: () => '[REDACTED]',
+            secretAccessKey: () => '[REDACTED]',
+            clientSecret: () => '[REDACTED]',
+            aws: (value) => {
+                if (typeof value === 'object' && value !== null) {
+                    return {
+                        ...value,
+                        credentials: '[REDACTED]',
+                        secretAccessKey: '[REDACTED]',
+                    };
+                }
+                return value;
+            },
+            azure: (value) => {
+                if (typeof value === 'object' && value !== null) {
+                    return {
+                        ...value,
+                        credentials: '[REDACTED]',
+                        clientSecret: '[REDACTED]',
+                    };
+                }
+                return value;
+            },
+        },
+    });
+}
+//# sourceMappingURL=audit-logger.js.map

package/dist/security/audit-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/security/audit-logger.ts"],"names":[],"mappings":";;;AAkOA,8CAoCC;;AAtQD,wDAAwB;AA+CxB,MAAa,WAAW;IACL,MAAM,CAAc;IACpB,MAAM,CAAS;IACf,OAAO,CAAS;IAChB,aAAa,CAAS;IAEvC,YAAY,MAAmB,EAAE,MAAsB;QACrD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC;YACzB,SAAS,EAAE,aAAa;YACxB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,GAAG,CAAC;QAEjD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE;YAC1C,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC,CAAC;IACL,CAAC;IAKD,cAAc,CAAC,KAAa,EAAE,WAAmB;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,KAAK,EAAE;YACrD,WAAW,EAAE,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;SAClD,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,wBAAwB,CAAC,CAAC;IACpD,CAAC;IAKD,cAAc,CAAC,KAAa,EAAE,aAAqB;QACjD,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,KAAK,EAAE;YACrD,aAAa,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;SACtD,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,2BAA2B,CAAC,CAAC;IACvD,CAAC;IAKD,cAAc,CAAC,KAAa,EAAE,KAAY;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,KAAK,EAAE;YACrD,YAAY,EAAE,KAAK,CAAC,OAAO;YAC3B,SAAS,EAAE,KAAK,CAAC,IAAI;SACtB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;IACpD,CAAC;IAKD,cAAc,CAAC,QAAgB,EAAE,QAAgB,EAAE,KAA2B;QAC5E,MAAM,KAAK,GAAG,KAAK,KAAK,OAAO,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,uBAAuB,CAAC;QACjF,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,EAAE;YAC/C,QAAQ;YACR,QAAQ;SACT,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,gBAAgB,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACjE,CAAC;IAKD,eAAe,CAAC,KAAa,EAAE,MAAc;QAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,mBAAmB,EAAE,KAAK,EAAE;YAC1D,MAAM;SACP,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;IAC/C,CAAC;IAKD,iBAAiB,CACf,MAAc,EACd,QAAgB,EAChB,QAAgD,EAChD,OAAiC;QAEjC,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,MAAM,EAAE;YACxD,QAAQ;YACR,QAAQ;YACR,GAAG,OAAO;SACX,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAC5C,CAAC;IAKD,YAAY,CAAC,MAAc,EAAE,MAAc,EAAE,YAAoB,EAAE,QAAgB;QACjF,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,aAAa,EAAE,MAAM,EAAE;YACrD,MAAM;YACN,YAAY;YACZ,QAAQ;SACT,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,oCAAoC,CAAC,CAAC;IAChE,CAAC;IAKD,aAAa,CAAC,MAAc,EAAE,QAAiB;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,MAAM,EAAE;YACtD,QAAQ;SACT,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,kCAAkC,CAAC,CAAC;IAC9D,CAAC;IAaD,KAAK,CAAC,eAAe,CAAC,SAAiB,EAAE,OAAe;QACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE;YAC7C,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;YAC5C,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE;SACzC,CAAC,CAAC;QAeH,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,yFAAyF,CAC1F,CAAC;QAEF,OAAO,EAAE,CAAC;IACZ,CAAC;IAKO,YAAY,CAClB,KAAqB,EACrB,KAAa,EACb,OAAiC;QAEjC,OAAO;YACL,KAAK;YACL,KAAK;YACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO;SACR,CAAC;IACJ,CAAC;CACF;AAvKD,kCAuKC;AAYD,SAAgB,iBAAiB,CAAC,OAAuB;IACvD,OAAO,IAAA,cAAI,EAAC;QACV,WAAW,EAAE;YAEX,UAAU,EAAE,GAAG,EAAE,CAAC,YAAY;YAE9B,GAAG,EAAE,GAAG,EAAE,CAAC,YAAY;YACvB,GAAG,EAAE,GAAG,EAAE,CAAC,YAAY;YAEvB,WAAW,EAAE,GAAG,EAAE,CAAC,YAAY;YAC/B,eAAe,EAAE,GAAG,EAAE,CAAC,YAAY;YACnC,YAAY,EAAE,GAAG,EAAE,CAAC,YAAY;YAEhC,GAAG,EAAE,CAAC,KAAc,EAAE,EAAE;gBACtB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;oBAChD,OAAO;wBACL,GAAI,KAAiC;wBACrC,WAAW,EAAE,YAAY;wBACzB,eAAe,EAAE,YAAY;qBAC9B,CAAC;gBACJ,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,KAAK,EAAE,CAAC,KAAc,EAAE,EAAE;gBACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;oBAChD,OAAO;wBACL,GAAI,KAAiC;wBACrC,WAAW,EAAE,YAAY;wBACzB,YAAY,EAAE,YAAY;qBAC3B,CAAC;gBACJ,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;SACF;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/security/backends/aws-kms-backend.d.ts

@@ -0,0 +1,18 @@
+import { Logger } from 'pino';
+import { KeyManagerBackend, AWSConfig } from '../key-manager';
+export declare class AWSKMSBackend implements KeyManagerBackend {
+    private client;
+    private awsSdk;
+    private config;
+    private logger;
+    constructor(config: AWSConfig, logger: Logger);
+    private _getClient;
+    private _getSdk;
+    private _detectKeyType;
+    private _getSigningAlgorithm;
+    private _getKeySpec;
+    sign(message: Buffer, keyId: string): Promise<Buffer>;
+    getPublicKey(keyId: string): Promise<Buffer>;
+    rotateKey(keyId: string): Promise<string>;
+}
+//# sourceMappingURL=aws-kms-backend.d.ts.map

package/dist/security/backends/aws-kms-backend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-kms-backend.d.ts","sourceRoot":"","sources":["../../../src/security/backends/aws-kms-backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAM9B,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAO9D,qBAAa,aAAc,YAAW,iBAAiB;IACrD,OAAO,CAAC,MAAM,CAA8B;IAC5C,OAAO,CAAC,MAAM,CAAqD;IACnE,OAAO,CAAC,MAAM,CAAY;IAC1B,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM;YAa/B,UAAU;YAiBV,OAAO;IAerB,OAAO,CAAC,cAAc;YASR,oBAAoB;YASpB,WAAW;IAWnB,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqCrD,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAkC5C,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CA+ChD"}

package/dist/security/backends/aws-kms-backend.js

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AWSKMSBackend = void 0;
+const optional_require_1 = require("../../utils/optional-require");
+class AWSKMSBackend {
+    client = null;
+    awsSdk = null;
+    config;
+    logger;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger.child({ component: 'AWSKMSBackend' });
+        this.logger.info({ region: config.region, evmKeyId: config.evmKeyId }, 'AWSKMSBackend initialized');
+    }
+    async _getClient() {
+        if (!this.client) {
+            this.awsSdk = await (0, optional_require_1.requireOptional)('@aws-sdk/client-kms', 'AWS KMS key management');
+            this.client = new this.awsSdk.KMSClient({
+                region: this.config.region,
+                credentials: this.config.credentials,
+            });
+        }
+        return this.client;
+    }
+    async _getSdk() {
+        if (!this.awsSdk) {
+            this.awsSdk = await (0, optional_require_1.requireOptional)('@aws-sdk/client-kms', 'AWS KMS key management');
+        }
+        return this.awsSdk;
+    }
+    _detectKeyType(_keyId) {
+        return 'evm';
+    }
+    async _getSigningAlgorithm() {
+        const sdk = await this._getSdk();
+        return sdk.SigningAlgorithmSpec.ECDSA_SHA_256;
+    }
+    async _getKeySpec() {
+        const sdk = await this._getSdk();
+        return sdk.KeySpec.ECC_SECG_P256K1;
+    }
+    async sign(message, keyId) {
+        const keyType = this._detectKeyType(keyId);
+        const signingAlgorithm = await this._getSigningAlgorithm();
+        const sdk = await this._getSdk();
+        const client = await this._getClient();
+        this.logger.debug({ keyId, keyType, signingAlgorithm }, 'Signing with AWS KMS');
+        try {
+            const command = new sdk.SignCommand({
+                KeyId: keyId,
+                Message: message,
+                SigningAlgorithm: signingAlgorithm,
+                MessageType: 'RAW',
+            });
+            const response = await client.send(command);
+            if (!response.Signature) {
+                throw new Error('AWS KMS returned no signature');
+            }
+            const signature = Buffer.from(response.Signature);
+            this.logger.info({ keyId, signatureLength: signature.length }, 'AWS KMS signature generated');
+            return signature;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'AWS KMS signing failed');
+            throw error;
+        }
+    }
+    async getPublicKey(keyId) {
+        this.logger.debug({ keyId }, 'Retrieving public key from AWS KMS');
+        const sdk = await this._getSdk();
+        const client = await this._getClient();
+        try {
+            const command = new sdk.GetPublicKeyCommand({
+                KeyId: keyId,
+            });
+            const response = await client.send(command);
+            if (!response.PublicKey) {
+                throw new Error('AWS KMS returned no public key');
+            }
+            const publicKey = Buffer.from(response.PublicKey);
+            this.logger.info({ keyId, publicKeyLength: publicKey.length }, 'AWS KMS public key retrieved');
+            return publicKey;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'AWS KMS public key retrieval failed');
+            throw error;
+        }
+    }
+    async rotateKey(keyId) {
+        const keyType = this._detectKeyType(keyId);
+        const keySpec = await this._getKeySpec();
+        const sdk = await this._getSdk();
+        const client = await this._getClient();
+        this.logger.info({ oldKeyId: keyId, keyType, keySpec }, 'Creating new AWS KMS key for rotation');
+        try {
+            const command = new sdk.CreateKeyCommand({
+                KeyUsage: sdk.KeyUsageType.SIGN_VERIFY,
+                KeySpec: keySpec,
+                Description: `Rotated ${keyType.toUpperCase()} key from ${keyId}`,
+                Tags: [
+                    {
+                        TagKey: 'Purpose',
+                        TagValue: 'ILP-Connector-Settlement',
+                    },
+                    {
+                        TagKey: 'KeyType',
+                        TagValue: keyType.toUpperCase(),
+                    },
+                    {
+                        TagKey: 'RotatedFrom',
+                        TagValue: keyId,
+                    },
+                ],
+            });
+            const response = await client.send(command);
+            if (!response.KeyMetadata?.Arn) {
+                throw new Error('AWS KMS returned no key ARN');
+            }
+            const newKeyId = response.KeyMetadata.Arn;
+            this.logger.info({ oldKeyId: keyId, newKeyId }, 'AWS KMS key rotation completed');
+            return newKeyId;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'AWS KMS key rotation failed');
+            throw error;
+        }
+    }
+}
+exports.AWSKMSBackend = AWSKMSBackend;
+//# sourceMappingURL=aws-kms-backend.js.map

package/dist/security/backends/aws-kms-backend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-kms-backend.js","sourceRoot":"","sources":["../../../src/security/backends/aws-kms-backend.ts"],"names":[],"mappings":";;;AAOA,mEAA+D;AAM/D,MAAa,aAAa;IAChB,MAAM,GAAyB,IAAI,CAAC;IACpC,MAAM,GAAgD,IAAI,CAAC;IAC3D,MAAM,CAAY;IAClB,MAAM,CAAS;IAEvB,YAAY,MAAiB,EAAE,MAAc;QAC3C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;QAE3D,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,EACpD,2BAA2B,CAC5B,CAAC;IACJ,CAAC;IAKO,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,GAAG,MAAM,IAAA,kCAAe,EACjC,qBAAqB,EACrB,wBAAwB,CACzB,CAAC;YACF,IAAI,CAAC,MAAM,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;gBACtC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;aACrC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAKO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,GAAG,MAAM,IAAA,kCAAe,EACjC,qBAAqB,EACrB,wBAAwB,CACzB,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAOO,cAAc,CAAC,MAAc;QAEnC,OAAO,KAAK,CAAC;IACf,CAAC;IAMO,KAAK,CAAC,oBAAoB;QAChC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,oBAAoB,CAAC,aAAa,CAAC;IAChD,CAAC;IAMO,KAAK,CAAC,WAAW;QACvB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC;IACrC,CAAC;IAQD,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC3D,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAEvC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,EAAE,sBAAsB,CAAC,CAAC;QAEhF,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC;gBAClC,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,OAAO;gBAChB,gBAAgB,EAAE,gBAAgB;gBAClC,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE5C,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;YACnD,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAAE,6BAA6B,CAAC,CAAC;YAE9F,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,wBAAwB,CAAC,CAAC;YAC9D,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,oCAAoC,CAAC,CAAC;QACnE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAEvC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC;gBAC1C,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE5C,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,KAAK,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAC5C,8BAA8B,CAC/B,CAAC;YAEF,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,qCAAqC,CAAC,CAAC;YAC3E,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,SAAS,CAAC,KAAa;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAEvC,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,EACrC,uCAAuC,CACxC,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC;gBACvC,QAAQ,EAAE,GAAG,CAAC,YAAY,CAAC,WAAW;gBACtC,OAAO,EAAE,OAAO;gBAChB,WAAW,EAAE,WAAW,OAAO,CAAC,WAAW,EAAE,aAAa,KAAK,EAAE;gBACjE,IAAI,EAAE;oBACJ;wBACE,MAAM,EAAE,SAAS;wBACjB,QAAQ,EAAE,0BAA0B;qBACrC;oBACD;wBACE,MAAM,EAAE,SAAS;wBACjB,QAAQ,EAAE,OAAO,CAAC,WAAW,EAAE;qBAChC;oBACD;wBACE,MAAM,EAAE,aAAa;wBACrB,QAAQ,EAAE,KAAK;qBAChB;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE5C,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;YACjD,CAAC;YAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,gCAAgC,CAAC,CAAC;YAElF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,6BAA6B,CAAC,CAAC;YACnE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF;AAtMD,sCAsMC"}

package/dist/security/backends/azure-kv-backend.d.ts

@@ -0,0 +1,17 @@
+import { Logger } from 'pino';
+import { KeyManagerBackend, AzureConfig } from '../key-manager';
+export declare class AzureKeyVaultBackend implements KeyManagerBackend {
+    private keyClient;
+    private kvSdk;
+    private config;
+    private logger;
+    constructor(config: AzureConfig, logger: Logger);
+    private _getKeyClient;
+    private _getKvSdk;
+    private _detectKeyType;
+    private _getSignAlgorithm;
+    sign(message: Buffer, keyName: string): Promise<Buffer>;
+    getPublicKey(keyName: string): Promise<Buffer>;
+    rotateKey(keyName: string): Promise<string>;
+}
+//# sourceMappingURL=azure-kv-backend.d.ts.map

package/dist/security/backends/azure-kv-backend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-kv-backend.d.ts","sourceRoot":"","sources":["../../../src/security/backends/azure-kv-backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAE9B,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAOhE,qBAAa,oBAAqB,YAAW,iBAAiB;IAC5D,OAAO,CAAC,SAAS,CAA8B;IAC/C,OAAO,CAAC,KAAK,CAAsD;IACnE,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM;YAajC,aAAa;YA8Bb,SAAS;IAevB,OAAO,CAAC,cAAc;IAUtB,OAAO,CAAC,iBAAiB;IAUnB,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAoDvD,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAwC9C,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CA2ClD"}

package/dist/security/backends/azure-kv-backend.js

@@ -0,0 +1,121 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureKeyVaultBackend = void 0;
+const optional_require_1 = require("../../utils/optional-require");
+class AzureKeyVaultBackend {
+    keyClient = null;
+    kvSdk = null;
+    config;
+    logger;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger.child({ component: 'AzureKeyVaultBackend' });
+        this.logger.info({ vaultUrl: config.vaultUrl, evmKeyName: config.evmKeyName }, 'AzureKeyVaultBackend initialized');
+    }
+    async _getKeyClient() {
+        if (!this.keyClient) {
+            const identitySdk = await (0, optional_require_1.requireOptional)('@azure/identity', 'Azure Key Vault authentication');
+            this.kvSdk = await (0, optional_require_1.requireOptional)('@azure/keyvault-keys', 'Azure Key Vault key management');
+            let credential;
+            if (this.config.credentials) {
+                credential = new identitySdk.ClientSecretCredential(this.config.credentials.tenantId, this.config.credentials.clientId, this.config.credentials.clientSecret);
+            }
+            else {
+                credential = new identitySdk.DefaultAzureCredential();
+            }
+            this.keyClient = new this.kvSdk.KeyClient(this.config.vaultUrl, credential);
+        }
+        return this.keyClient;
+    }
+    async _getKvSdk() {
+        if (!this.kvSdk) {
+            this.kvSdk = await (0, optional_require_1.requireOptional)('@azure/keyvault-keys', 'Azure Key Vault key management');
+        }
+        return this.kvSdk;
+    }
+    _detectKeyType(_keyName) {
+        return 'evm';
+    }
+    _getSignAlgorithm(_keyType) {
+        return 'ES256K';
+    }
+    async sign(message, keyName) {
+        const keyType = this._detectKeyType(keyName);
+        const algorithm = this._getSignAlgorithm(keyType);
+        this.logger.debug({ keyName, keyType, algorithm }, 'Signing with Azure Key Vault');
+        try {
+            const keyClient = await this._getKeyClient();
+            const kvSdk = await this._getKvSdk();
+            const key = await keyClient.getKey(keyName);
+            if (!key.id) {
+                throw new Error('Azure Key Vault returned no key ID');
+            }
+            const cryptoClient = new kvSdk.CryptographyClient(key, keyClient['credential']);
+            const crypto = require('crypto');
+            const digest = crypto.createHash('sha256').update(message).digest();
+            const result = await cryptoClient.sign(algorithm, digest);
+            if (!result.result) {
+                throw new Error('Azure Key Vault returned no signature');
+            }
+            const signature = Buffer.from(result.result);
+            this.logger.info({ keyName, signatureLength: signature.length }, 'Azure Key Vault signature generated');
+            return signature;
+        }
+        catch (error) {
+            this.logger.error({ keyName, error }, 'Azure Key Vault signing failed');
+            throw error;
+        }
+    }
+    async getPublicKey(keyName) {
+        this.logger.debug({ keyName }, 'Retrieving public key from Azure Key Vault');
+        try {
+            const keyClient = await this._getKeyClient();
+            const key = await keyClient.getKey(keyName);
+            if (!key.key) {
+                throw new Error('Azure Key Vault returned no public key');
+            }
+            if (key.key.x && key.key.y) {
+                const xBuffer = Buffer.from(key.key.x);
+                const yBuffer = Buffer.from(key.key.y);
+                const publicKey = Buffer.concat([Buffer.from([0x04]), xBuffer, yBuffer]);
+                this.logger.info({ keyName, publicKeyLength: publicKey.length }, 'Azure Key Vault public key retrieved');
+                return publicKey;
+            }
+            else {
+                throw new Error('Azure Key Vault key missing x or y coordinates');
+            }
+        }
+        catch (error) {
+            this.logger.error({ keyName, error }, 'Azure Key Vault public key retrieval failed');
+            throw error;
+        }
+    }
+    async rotateKey(keyName) {
+        const keyType = this._detectKeyType(keyName);
+        this.logger.info({ oldKeyName: keyName, keyType }, 'Creating new Azure Key Vault key for rotation');
+        try {
+            const keyClient = await this._getKeyClient();
+            const newKeyName = `${keyName}-rotated-${Date.now()}`;
+            const curve = keyType === 'evm' ? 'SECP256K1' : 'Ed25519';
+            const newKey = await keyClient.createKey(newKeyName, curve, {
+                keyOps: ['sign', 'verify'],
+                tags: {
+                    purpose: 'ILP-Connector-Settlement',
+                    keyType: keyType.toUpperCase(),
+                    rotatedFrom: keyName,
+                },
+            });
+            if (!newKey.name) {
+                throw new Error('Azure Key Vault returned no key name');
+            }
+            this.logger.info({ oldKeyName: keyName, newKeyName: newKey.name }, 'Azure Key Vault key rotation completed');
+            return newKey.name;
+        }
+        catch (error) {
+            this.logger.error({ keyName, error }, 'Azure Key Vault key rotation failed');
+            throw error;
+        }
+    }
+}
+exports.AzureKeyVaultBackend = AzureKeyVaultBackend;
+//# sourceMappingURL=azure-kv-backend.js.map

package/dist/security/backends/azure-kv-backend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-kv-backend.js","sourceRoot":"","sources":["../../../src/security/backends/azure-kv-backend.ts"],"names":[],"mappings":";;;AAGA,mEAA+D;AAM/D,MAAa,oBAAoB;IACvB,SAAS,GAAyB,IAAI,CAAC;IACvC,KAAK,GAAiD,IAAI,CAAC;IAC3D,MAAM,CAAc;IACpB,MAAM,CAAS;IAEvB,YAAY,MAAmB,EAAE,MAAc;QAC7C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,sBAAsB,EAAE,CAAC,CAAC;QAElE,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,EAC5D,kCAAkC,CACnC,CAAC;IACJ,CAAC;IAKO,KAAK,CAAC,aAAa;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,WAAW,GAAG,MAAM,IAAA,kCAAe,EACvC,iBAAiB,EACjB,gCAAgC,CACjC,CAAC;YACF,IAAI,CAAC,KAAK,GAAG,MAAM,IAAA,kCAAe,EAChC,sBAAsB,EACtB,gCAAgC,CACjC,CAAC;YAEF,IAAI,UAAU,CAAC;YACf,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC5B,UAAU,GAAG,IAAI,WAAW,CAAC,sBAAsB,CACjD,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,EAChC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,EAChC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,YAAY,CACrC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,UAAU,GAAG,IAAI,WAAW,CAAC,sBAAsB,EAAE,CAAC;YACxD,CAAC;YAED,IAAI,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAC9E,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAKO,KAAK,CAAC,SAAS;QACrB,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,KAAK,GAAG,MAAM,IAAA,kCAAe,EAChC,sBAAsB,EACtB,gCAAgC,CACjC,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAOO,cAAc,CAAC,QAAgB;QAErC,OAAO,KAAK,CAAC;IACf,CAAC;IAOO,iBAAiB,CAAC,QAAe;QACvC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAQD,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,OAAe;QACzC,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,8BAA8B,CAAC,CAAC;QAEnF,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YAGrC,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAE5C,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YAID,MAAM,YAAY,GAAG,IAAI,KAAK,CAAC,kBAAkB,CAAC,GAAG,EAAG,SAAiB,CAAC,YAAY,CAAC,CAAC,CAAC;YAIzF,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;YACjC,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;YAIpE,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,SAAgB,EAAE,MAAM,CAAC,CAAC;YAEjE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,OAAO,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAC9C,qCAAqC,CACtC,CAAC;YAEF,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,gCAAgC,CAAC,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,YAAY,CAAC,OAAe;QAChC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,EAAE,4CAA4C,CAAC,CAAC;QAE7E,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAE5C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC5D,CAAC;YAID,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBAGvC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;gBAEzE,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,OAAO,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAC9C,sCAAsC,CACvC,CAAC;gBAEF,OAAO,SAAS,CAAC;YACnB,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,6CAA6C,CAAC,CAAC;YACrF,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,SAAS,CAAC,OAAe;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAE7C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,EAChC,+CAA+C,CAChD,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAI7C,MAAM,UAAU,GAAG,GAAG,OAAO,YAAY,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAGtD,MAAM,KAAK,GAAG,OAAO,KAAK,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;YAG1D,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,UAAU,EAAE,KAAY,EAAE;gBACjE,MAAM,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC;gBAC1B,IAAI,EAAE;oBACJ,OAAO,EAAE,0BAA0B;oBACnC,OAAO,EAAE,OAAO,CAAC,WAAW,EAAE;oBAC9B,WAAW,EAAE,OAAO;iBACrB;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC1D,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,EAChD,wCAAwC,CACzC,CAAC;YAEF,OAAO,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,qCAAqC,CAAC,CAAC;YAC7E,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF;AA3ND,oDA2NC"}

package/dist/security/backends/environment-backend.d.ts

@@ -0,0 +1,15 @@
+import { Logger } from 'pino';
+import { KeyManagerBackend } from '../key-manager';
+export declare class EnvironmentVariableBackend implements KeyManagerBackend {
+    private evmWallet?;
+    private evmPrivateKey?;
+    private logger;
+    constructor(logger: Logger, options?: {
+        evmPrivateKey?: string;
+    });
+    private _ensureEvmWallet;
+    sign(message: Buffer, _keyId: string): Promise<Buffer>;
+    getPublicKey(_keyId: string): Promise<Buffer>;
+    rotateKey(_keyId: string): Promise<string>;
+}
+//# sourceMappingURL=environment-backend.d.ts.map

package/dist/security/backends/environment-backend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"environment-backend.d.ts","sourceRoot":"","sources":["../../../src/security/backends/environment-backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAE9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAOnD,qBAAa,0BAA2B,YAAW,iBAAiB;IAClE,OAAO,CAAC,SAAS,CAAC,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,MAAM,CAAS;gBAQX,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE;YAmBlD,gBAAgB;IA2BxB,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAetD,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAc7C,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAKjD"}

package/dist/security/backends/environment-backend.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EnvironmentVariableBackend = void 0;
+const optional_require_1 = require("../../utils/optional-require");
+class EnvironmentVariableBackend {
+    evmWallet;
+    evmPrivateKey;
+    logger;
+    constructor(logger, options) {
+        this.logger = logger.child({ component: 'EnvironmentVariableBackend' });
+        const evmPrivateKey = options?.evmPrivateKey ?? process.env.EVM_PRIVATE_KEY;
+        if (evmPrivateKey) {
+            this.evmPrivateKey = evmPrivateKey;
+            this.logger.info('EVM private key found in environment (wallet initialization deferred)');
+        }
+        if (!this.evmPrivateKey) {
+            this.logger.warn('No EVM private key loaded from environment (EVM_PRIVATE_KEY)');
+        }
+    }
+    async _ensureEvmWallet() {
+        if (this.evmWallet) {
+            return this.evmWallet;
+        }
+        if (!this.evmPrivateKey) {
+            throw new Error('EVM wallet not initialized. Set EVM_PRIVATE_KEY environment variable.');
+        }
+        try {
+            const { Wallet } = await (0, optional_require_1.requireOptional)('ethers', 'EVM settlement');
+            this.evmWallet = new Wallet(this.evmPrivateKey);
+            this.logger.info({ address: this.evmWallet.address }, 'EVM wallet loaded from environment');
+            return this.evmWallet;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('is required for')) {
+                throw error;
+            }
+            this.logger.error({ error }, 'Failed to load EVM private key');
+            throw new Error('Invalid EVM_PRIVATE_KEY in environment');
+        }
+    }
+    async sign(message, _keyId) {
+        const evmWallet = await this._ensureEvmWallet();
+        const signature = evmWallet.signingKey.sign(message);
+        return Buffer.from(signature.serialized.slice(2), 'hex');
+    }
+    async getPublicKey(_keyId) {
+        const evmWallet = await this._ensureEvmWallet();
+        const publicKey = evmWallet.signingKey.publicKey;
+        return Buffer.from(publicKey.slice(2), 'hex');
+    }
+    async rotateKey(_keyId) {
+        throw new Error('Manual rotation required for environment backend. Update EVM_PRIVATE_KEY and restart the connector.');
+    }
+}
+exports.EnvironmentVariableBackend = EnvironmentVariableBackend;
+//# sourceMappingURL=environment-backend.js.map

package/dist/security/backends/environment-backend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"environment-backend.js","sourceRoot":"","sources":["../../../src/security/backends/environment-backend.ts"],"names":[],"mappings":";;;AAGA,mEAA+D;AAM/D,MAAa,0BAA0B;IAC7B,SAAS,CAAU;IACnB,aAAa,CAAU;IACvB,MAAM,CAAS;IAQvB,YAAY,MAAc,EAAE,OAAoC;QAC9D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,4BAA4B,EAAE,CAAC,CAAC;QAIxE,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC5E,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;YACnC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;QAC5F,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAKO,KAAK,CAAC,gBAAgB;QAC5B,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;QAC3F,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,kCAAe,EAA0B,QAAQ,EAAE,gBAAgB,CAAC,CAAC;YAC9F,IAAI,CAAC,SAAS,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,oCAAoC,CAAC,CAAC;YAC5F,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACxE,MAAM,KAAK,CAAC;YACd,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,gCAAgC,CAAC,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAQD,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,MAAc;QACxC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAIhD,MAAM,SAAS,GAAG,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAErD,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC3D,CAAC;IAOD,KAAK,CAAC,YAAY,CAAC,MAAc;QAC/B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAGhD,MAAM,SAAS,GAAG,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC;QACjD,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAChD,CAAC;IAQD,KAAK,CAAC,SAAS,CAAC,MAAc;QAC5B,MAAM,IAAI,KAAK,CACb,qGAAqG,CACtG,CAAC;IACJ,CAAC;CACF;AA3FD,gEA2FC"}

package/dist/security/backends/gcp-kms-backend.d.ts

@@ -0,0 +1,17 @@
+import { Logger } from 'pino';
+import { KeyManagerBackend, GCPConfig } from '../key-manager';
+export declare class GCPKMSBackend implements KeyManagerBackend {
+    private client;
+    private config;
+    private logger;
+    constructor(config: GCPConfig, logger: Logger);
+    private _getClient;
+    private _detectKeyType;
+    private _getCryptoKeyVersionName;
+    private _getCryptoKeyName;
+    sign(message: Buffer, keyId: string): Promise<Buffer>;
+    getPublicKey(keyId: string): Promise<Buffer>;
+    private _pemToDer;
+    rotateKey(keyId: string): Promise<string>;
+}
+//# sourceMappingURL=gcp-kms-backend.d.ts.map

package/dist/security/backends/gcp-kms-backend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcp-kms-backend.d.ts","sourceRoot":"","sources":["../../../src/security/backends/gcp-kms-backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAE9B,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAO9D,qBAAa,aAAc,YAAW,iBAAiB;IACrD,OAAO,CAAC,MAAM,CAA8B;IAC5C,OAAO,CAAC,MAAM,CAAY;IAC1B,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM;YAiB/B,UAAU;IAgBxB,OAAO,CAAC,cAAc;IAUtB,OAAO,CAAC,wBAAwB;IAShC,OAAO,CAAC,iBAAiB;IAUnB,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuCrD,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAoClD,OAAO,CAAC,SAAS;IAcX,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CA4BhD"}