@toon-protocol/connector 1.7.1

package/dist/security/backends/gcp-kms-backend.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GCPKMSBackend = void 0;
+const optional_require_1 = require("../../utils/optional-require");
+class GCPKMSBackend {
+    client = null;
+    config;
+    logger;
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger.child({ component: 'GCPKMSBackend' });
+        this.logger.info({
+            projectId: config.projectId,
+            locationId: config.locationId,
+            keyRingId: config.keyRingId,
+        }, 'GCPKMSBackend initialized');
+    }
+    async _getClient() {
+        if (!this.client) {
+            const gcpKms = await (0, optional_require_1.requireOptional)('@google-cloud/kms', 'GCP KMS key management');
+            this.client = new gcpKms.KeyManagementServiceClient();
+        }
+        return this.client;
+    }
+    _detectKeyType(_keyId) {
+        return 'evm';
+    }
+    _getCryptoKeyVersionName(keyId) {
+        return `projects/${this.config.projectId}/locations/${this.config.locationId}/keyRings/${this.config.keyRingId}/cryptoKeys/${keyId}/cryptoKeyVersions/1`;
+    }
+    _getCryptoKeyName(keyId) {
+        return `projects/${this.config.projectId}/locations/${this.config.locationId}/keyRings/${this.config.keyRingId}/cryptoKeys/${keyId}`;
+    }
+    async sign(message, keyId) {
+        const keyType = this._detectKeyType(keyId);
+        const cryptoKeyVersionName = this._getCryptoKeyVersionName(keyId);
+        this.logger.debug({ keyId, keyType, cryptoKeyVersionName }, 'Signing with GCP KMS');
+        try {
+            const crypto = require('crypto');
+            const digest = crypto.createHash('sha256').update(message).digest();
+            const client = await this._getClient();
+            const [response] = await client.asymmetricSign({
+                name: cryptoKeyVersionName,
+                digest: {
+                    sha256: digest,
+                },
+            });
+            if (!response.signature) {
+                throw new Error('GCP KMS returned no signature');
+            }
+            const signature = Buffer.from(response.signature);
+            this.logger.info({ keyId, signatureLength: signature.length }, 'GCP KMS signature generated');
+            return signature;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'GCP KMS signing failed');
+            throw error;
+        }
+    }
+    async getPublicKey(keyId) {
+        const cryptoKeyVersionName = this._getCryptoKeyVersionName(keyId);
+        this.logger.debug({ keyId, cryptoKeyVersionName }, 'Retrieving public key from GCP KMS');
+        try {
+            const client = await this._getClient();
+            const [response] = await client.getPublicKey({
+                name: cryptoKeyVersionName,
+            });
+            if (!response.pem) {
+                throw new Error('GCP KMS returned no public key');
+            }
+            const publicKeyPem = response.pem;
+            const publicKeyDer = this._pemToDer(publicKeyPem);
+            this.logger.info({ keyId, publicKeyLength: publicKeyDer.length }, 'GCP KMS public key retrieved');
+            return publicKeyDer;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'GCP KMS public key retrieval failed');
+            throw error;
+        }
+    }
+    _pemToDer(pem) {
+        const base64 = pem
+            .replace(/-----BEGIN PUBLIC KEY-----/, '')
+            .replace(/-----END PUBLIC KEY-----/, '')
+            .replace(/\s/g, '');
+        return Buffer.from(base64, 'base64');
+    }
+    async rotateKey(keyId) {
+        const cryptoKeyName = this._getCryptoKeyName(keyId);
+        this.logger.info({ oldKeyId: keyId, cryptoKeyName }, 'Creating new GCP KMS key version for rotation');
+        try {
+            const client = await this._getClient();
+            const [response] = await client.createCryptoKeyVersion({
+                parent: cryptoKeyName,
+            });
+            if (!response.name) {
+                throw new Error('GCP KMS returned no key version name');
+            }
+            const newKeyVersionName = response.name;
+            this.logger.info({ oldKeyId: keyId, newKeyVersionName }, 'GCP KMS key rotation completed');
+            return keyId;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'GCP KMS key rotation failed');
+            throw error;
+        }
+    }
+}
+exports.GCPKMSBackend = GCPKMSBackend;
+//# sourceMappingURL=gcp-kms-backend.js.map

package/dist/security/backends/gcp-kms-backend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcp-kms-backend.js","sourceRoot":"","sources":["../../../src/security/backends/gcp-kms-backend.ts"],"names":[],"mappings":";;;AAGA,mEAA+D;AAM/D,MAAa,aAAa;IAChB,MAAM,GAAyB,IAAI,CAAC;IACpC,MAAM,CAAY;IAClB,MAAM,CAAS;IAEvB,YAAY,MAAiB,EAAE,MAAc;QAC3C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;QAE3D,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;YACE,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,EACD,2BAA2B,CAC5B,CAAC;IACJ,CAAC;IAKO,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,IAAA,kCAAe,EAClC,mBAAmB,EACnB,wBAAwB,CACzB,CAAC;YACF,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,0BAA0B,EAAE,CAAC;QACxD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAOO,cAAc,CAAC,MAAc;QAEnC,OAAO,KAAK,CAAC;IACf,CAAC;IAOO,wBAAwB,CAAC,KAAa;QAC5C,OAAO,YAAY,IAAI,CAAC,MAAM,CAAC,SAAS,cAAc,IAAI,CAAC,MAAM,CAAC,UAAU,aAAa,IAAI,CAAC,MAAM,CAAC,SAAS,eAAe,KAAK,sBAAsB,CAAC;IAC3J,CAAC;IAOO,iBAAiB,CAAC,KAAa;QACrC,OAAO,YAAY,IAAI,CAAC,MAAM,CAAC,SAAS,cAAc,IAAI,CAAC,MAAM,CAAC,UAAU,aAAa,IAAI,CAAC,MAAM,CAAC,SAAS,eAAe,KAAK,EAAE,CAAC;IACvI,CAAC;IAQD,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,oBAAoB,GAAG,IAAI,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC;QAElE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,oBAAoB,EAAE,EAAE,sBAAsB,CAAC,CAAC;QAEpF,IAAI,CAAC;YAGH,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;YACjC,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;YAEpE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YACvC,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC;gBAC7C,IAAI,EAAE,oBAAoB;gBAC1B,MAAM,EAAE;oBACN,MAAM,EAAE,MAAM;iBACf;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;YACnD,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAuB,CAAC,CAAC;YAChE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAAE,6BAA6B,CAAC,CAAC;YAE9F,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,wBAAwB,CAAC,CAAC;YAC9D,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,MAAM,oBAAoB,GAAG,IAAI,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC;QAElE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,EAAE,oCAAoC,CAAC,CAAC;QAEzF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YACvC,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC;gBAC3C,IAAI,EAAE,oBAAoB;aAC3B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;YAGD,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC;YAClC,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;YAElD,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,KAAK,EAAE,eAAe,EAAE,YAAY,CAAC,MAAM,EAAE,EAC/C,8BAA8B,CAC/B,CAAC;YAEF,OAAO,YAAY,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,qCAAqC,CAAC,CAAC;YAC3E,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOO,SAAS,CAAC,GAAW;QAE3B,MAAM,MAAM,GAAG,GAAG;aACf,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC;aACzC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;aACvC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACtB,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvC,CAAC;IAOD,KAAK,CAAC,SAAS,CAAC,KAAa;QAC3B,MAAM,aAAa,GAAG,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAEpD,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,EAClC,+CAA+C,CAChD,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YACvC,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC;gBACrD,MAAM,EAAE,aAAa;aACtB,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC1D,CAAC;YAED,MAAM,iBAAiB,GAAG,QAAQ,CAAC,IAAI,CAAC;YACxC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,gCAAgC,CAAC,CAAC;YAG3F,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,6BAA6B,CAAC,CAAC;YACnE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF;AAxLD,sCAwLC"}

package/dist/security/backends/hsm-backend.d.ts

@@ -0,0 +1,18 @@
+import { Logger } from 'pino';
+import { KeyManagerBackend, HSMConfig } from '../key-manager';
+export declare class HSMBackend implements KeyManagerBackend {
+    private pkcs11;
+    private session;
+    private logger;
+    constructor(config: HSMConfig, logger: Logger);
+    private _mapPKCS11Error;
+    private _detectKeyType;
+    private _findPrivateKey;
+    private _findPublicKey;
+    private _getSignMechanism;
+    sign(message: Buffer, keyLabel: string): Promise<Buffer>;
+    getPublicKey(keyLabel: string): Promise<Buffer>;
+    rotateKey(keyLabel: string): Promise<string>;
+    destroy(): void;
+}
+//# sourceMappingURL=hsm-backend.d.ts.map

package/dist/security/backends/hsm-backend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hsm-backend.d.ts","sourceRoot":"","sources":["../../../src/security/backends/hsm-backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAO9D,qBAAa,UAAW,YAAW,iBAAiB;IAElD,OAAO,CAAC,MAAM,CAAM;IAEpB,OAAO,CAAC,OAAO,CAAM;IACrB,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM;IA8C7C,OAAO,CAAC,eAAe;IAwBvB,OAAO,CAAC,cAAc;IAWtB,OAAO,CAAC,eAAe;IA0BvB,OAAO,CAAC,cAAc;IA0BtB,OAAO,CAAC,iBAAiB;IAanB,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BxD,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiC/C,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuFlD,OAAO,IAAI,IAAI;CAchB"}

package/dist/security/backends/hsm-backend.js

@@ -0,0 +1,187 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HSMBackend = void 0;
+class HSMBackend {
+    pkcs11;
+    session;
+    logger;
+    constructor(config, logger) {
+        this.logger = logger.child({ component: 'HSMBackend' });
+        try {
+            const pkcs11js = require('pkcs11js');
+            this.pkcs11 = new pkcs11js.PKCS11();
+            this.pkcs11.load(config.pkcs11LibraryPath);
+            this.pkcs11.C_Initialize();
+            this.session = this.pkcs11.C_OpenSession(config.slotId, pkcs11js.CKF_SERIAL_SESSION | pkcs11js.CKF_RW_SESSION);
+            const pin = config.pin || process.env.HSM_PIN;
+            if (!pin) {
+                throw new Error('HSM PIN not provided');
+            }
+            this.pkcs11.C_Login(this.session, pkcs11js.CKU_USER, pin);
+            this.logger.info({ slotId: config.slotId, libraryPath: config.pkcs11LibraryPath }, 'HSMBackend initialized and logged in');
+        }
+        catch (error) {
+            this.logger.error({ error }, 'HSMBackend initialization failed');
+            const mappedError = this._mapPKCS11Error(error);
+            throw new Error(`HSMBackend initialization failed: ${mappedError.message}`);
+        }
+    }
+    _mapPKCS11Error(error) {
+        const CKR_PIN_INCORRECT = 0x000000a0;
+        const CKR_KEY_HANDLE_INVALID = 0x00000060;
+        const CKR_FUNCTION_FAILED = 0x00000006;
+        if (typeof error === 'object' && error !== null && 'code' in error) {
+            const code = error.code;
+            if (code === CKR_PIN_INCORRECT) {
+                return new Error('Invalid HSM PIN');
+            }
+            else if (code === CKR_KEY_HANDLE_INVALID) {
+                return new Error('Key not found');
+            }
+            else if (code === CKR_FUNCTION_FAILED) {
+                return new Error('HSM operation failed');
+            }
+        }
+        return error instanceof Error ? error : new Error(String(error));
+    }
+    _detectKeyType(_keyLabel) {
+        return 'evm';
+    }
+    _findPrivateKey(keyLabel) {
+        const pkcs11js = require('pkcs11js');
+        const template = [
+            { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_PRIVATE_KEY },
+            { type: pkcs11js.CKA_LABEL, value: keyLabel },
+        ];
+        this.pkcs11.C_FindObjectsInit(this.session, template);
+        const handles = this.pkcs11.C_FindObjects(this.session, 1);
+        this.pkcs11.C_FindObjectsFinal(this.session);
+        if (handles.length === 0) {
+            throw new Error(`Private key with label "${keyLabel}" not found in HSM`);
+        }
+        return handles[0];
+    }
+    _findPublicKey(keyLabel) {
+        const pkcs11js = require('pkcs11js');
+        const template = [
+            { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_PUBLIC_KEY },
+            { type: pkcs11js.CKA_LABEL, value: keyLabel },
+        ];
+        this.pkcs11.C_FindObjectsInit(this.session, template);
+        const handles = this.pkcs11.C_FindObjects(this.session, 1);
+        this.pkcs11.C_FindObjectsFinal(this.session);
+        if (handles.length === 0) {
+            throw new Error(`Public key with label "${keyLabel}" not found in HSM`);
+        }
+        return handles[0];
+    }
+    _getSignMechanism(_keyType) {
+        const pkcs11js = require('pkcs11js');
+        return { mechanism: pkcs11js.CKM_ECDSA };
+    }
+    async sign(message, keyLabel) {
+        const keyType = this._detectKeyType(keyLabel);
+        const mechanism = this._getSignMechanism(keyType);
+        this.logger.debug({ keyLabel, keyType, mechanism }, 'Signing with HSM');
+        try {
+            const privateKeyHandle = this._findPrivateKey(keyLabel);
+            this.pkcs11.C_SignInit(this.session, mechanism, privateKeyHandle);
+            const signature = this.pkcs11.C_Sign(this.session, message, Buffer.alloc(256));
+            this.logger.info({ keyLabel, signatureLength: signature.length }, 'HSM signature generated');
+            return signature;
+        }
+        catch (error) {
+            this.logger.error({ keyLabel, error }, 'HSM signing failed');
+            throw this._mapPKCS11Error(error);
+        }
+    }
+    async getPublicKey(keyLabel) {
+        this.logger.debug({ keyLabel }, 'Retrieving public key from HSM');
+        try {
+            const pkcs11js = require('pkcs11js');
+            const publicKeyHandle = this._findPublicKey(keyLabel);
+            const template = [{ type: pkcs11js.CKA_VALUE }];
+            const attributes = this.pkcs11.C_GetAttributeValue(this.session, publicKeyHandle, template);
+            if (!attributes[0].value) {
+                throw new Error('HSM returned no public key value');
+            }
+            const publicKey = attributes[0].value;
+            this.logger.info({ keyLabel, publicKeyLength: publicKey.length }, 'HSM public key retrieved');
+            return publicKey;
+        }
+        catch (error) {
+            this.logger.error({ keyLabel, error }, 'HSM public key retrieval failed');
+            throw this._mapPKCS11Error(error);
+        }
+    }
+    async rotateKey(keyLabel) {
+        const keyType = this._detectKeyType(keyLabel);
+        this.logger.info({ oldKeyLabel: keyLabel, keyType }, 'Generating new HSM key pair for rotation');
+        try {
+            const pkcs11js = require('pkcs11js');
+            const newKeyLabel = `${keyLabel}-rotated-${Date.now()}`;
+            let mechanism;
+            let publicKeyTemplate;
+            let privateKeyTemplate;
+            if (keyType === 'evm') {
+                mechanism = { mechanism: pkcs11js.CKM_EC_KEY_PAIR_GEN };
+                const secp256k1Oid = Buffer.from([0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x0a]);
+                publicKeyTemplate = [
+                    { type: pkcs11js.CKA_LABEL, value: newKeyLabel },
+                    { type: pkcs11js.CKA_EC_PARAMS, value: secp256k1Oid },
+                    { type: pkcs11js.CKA_VERIFY, value: true },
+                ];
+                privateKeyTemplate = [
+                    { type: pkcs11js.CKA_LABEL, value: newKeyLabel },
+                    { type: pkcs11js.CKA_SIGN, value: true },
+                    { type: pkcs11js.CKA_SENSITIVE, value: true },
+                    { type: pkcs11js.CKA_EXTRACTABLE, value: false },
+                ];
+            }
+            else {
+                mechanism = { mechanism: pkcs11js.CKM_EC_EDWARDS_KEY_PAIR_GEN };
+                const ed25519Oid = Buffer.from([0x06, 0x03, 0x2b, 0x65, 0x70]);
+                publicKeyTemplate = [
+                    { type: pkcs11js.CKA_LABEL, value: newKeyLabel },
+                    { type: pkcs11js.CKA_EC_PARAMS, value: ed25519Oid },
+                    { type: pkcs11js.CKA_VERIFY, value: true },
+                ];
+                privateKeyTemplate = [
+                    { type: pkcs11js.CKA_LABEL, value: newKeyLabel },
+                    { type: pkcs11js.CKA_SIGN, value: true },
+                    { type: pkcs11js.CKA_SENSITIVE, value: true },
+                    { type: pkcs11js.CKA_EXTRACTABLE, value: false },
+                ];
+            }
+            const keyPair = this.pkcs11.C_GenerateKeyPair(this.session, mechanism, publicKeyTemplate, privateKeyTemplate);
+            this.logger.info({
+                oldKeyLabel: keyLabel,
+                newKeyLabel,
+                publicKey: keyPair.publicKey,
+                privateKey: keyPair.privateKey,
+            }, 'HSM key rotation completed');
+            return newKeyLabel;
+        }
+        catch (error) {
+            this.logger.error({ keyLabel, error }, 'HSM key rotation failed');
+            throw this._mapPKCS11Error(error);
+        }
+    }
+    destroy() {
+        try {
+            if (this.session) {
+                this.pkcs11.C_Logout(this.session);
+                this.pkcs11.C_CloseSession(this.session);
+            }
+            if (this.pkcs11) {
+                this.pkcs11.C_Finalize();
+            }
+            this.logger.info('HSMBackend destroyed');
+        }
+        catch (error) {
+            this.logger.error({ error }, 'HSMBackend cleanup failed');
+        }
+    }
+}
+exports.HSMBackend = HSMBackend;
+//# sourceMappingURL=hsm-backend.js.map

package/dist/security/backends/hsm-backend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hsm-backend.js","sourceRoot":"","sources":["../../../src/security/backends/hsm-backend.ts"],"names":[],"mappings":";;;AAQA,MAAa,UAAU;IAEb,MAAM,CAAM;IAEZ,OAAO,CAAM;IACb,MAAM,CAAS;IAEvB,YAAY,MAAiB,EAAE,MAAc;QAC3C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;QAExD,IAAI,CAAC;YAGH,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;YACrC,IAAI,CAAC,MAAM,GAAG,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YAGpC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAG3C,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YAG3B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CACtC,MAAM,CAAC,MAAM,EACb,QAAQ,CAAC,kBAAkB,GAAG,QAAQ,CAAC,cAAc,CACtD,CAAC;YAGF,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;YAC9C,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAC1C,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YAE1D,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,iBAAiB,EAAE,EAChE,sCAAsC,CACvC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,kCAAkC,CAAC,CAAC;YACjE,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,qCAAqC,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAQO,eAAe,CAAC,KAAU;QAEhC,MAAM,iBAAiB,GAAG,UAAU,CAAC;QACrC,MAAM,sBAAsB,GAAG,UAAU,CAAC;QAC1C,MAAM,mBAAmB,GAAG,UAAU,CAAC;QAEvC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,IAAI,KAAK,EAAE,CAAC;YACnE,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;YACxB,IAAI,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBAC/B,OAAO,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;YACtC,CAAC;iBAAM,IAAI,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBAC3C,OAAO,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;YACpC,CAAC;iBAAM,IAAI,IAAI,KAAK,mBAAmB,EAAE,CAAC;gBACxC,OAAO,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QACD,OAAO,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACnE,CAAC;IAOO,cAAc,CAAC,SAAiB;QAEtC,OAAO,KAAK,CAAC;IACf,CAAC;IAQO,eAAe,CAAC,QAAgB;QAEtC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QAErC,MAAM,QAAQ,GAAG;YACf,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,QAAQ,CAAC,eAAe,EAAE;YAC7D,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE;SAC9C,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE7C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,oBAAoB,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAQO,cAAc,CAAC,QAAgB;QAErC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QAErC,MAAM,QAAQ,GAAG;YACf,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,QAAQ,CAAC,cAAc,EAAE;YAC5D,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE;SAC9C,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE7C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,oBAAoB,CAAC,CAAC;QAC1E,CAAC;QAED,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAQO,iBAAiB,CAAC,QAAe;QAEvC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QAErC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC;IAC3C,CAAC;IAQD,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,QAAgB;QAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAExE,IAAI,CAAC;YACH,MAAM,gBAAgB,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;YAGxD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC;YAGlE,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;YAE/E,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC;YAE7F,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,oBAAoB,CAAC,CAAC;YAC7D,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAElE,IAAI,CAAC;YAEH,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;YAErC,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YAGtD,MAAM,QAAQ,GAAG,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;YAEhD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,EAAE,QAAQ,CAAC,CAAC;YAE5F,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;YACtD,CAAC;YAED,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,KAAe,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC;YAE9F,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,iCAAiC,CAAC,CAAC;YAC1E,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QAE9C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,EAClC,0CAA0C,CAC3C,CAAC;QAEF,IAAI,CAAC;YAEH,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;YAErC,MAAM,WAAW,GAAG,GAAG,QAAQ,YAAY,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAGxD,IAAI,SAAS,CAAC;YACd,IAAI,iBAAiB,CAAC;YACtB,IAAI,kBAAkB,CAAC;YAEvB,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;gBAEtB,SAAS,GAAG,EAAE,SAAS,EAAE,QAAQ,CAAC,mBAAmB,EAAE,CAAC;gBAGxD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;gBAE7E,iBAAiB,GAAG;oBAClB,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;oBAChD,EAAE,IAAI,EAAE,QAAQ,CAAC,aAAa,EAAE,KAAK,EAAE,YAAY,EAAE;oBACrD,EAAE,IAAI,EAAE,QAAQ,CAAC,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE;iBAC3C,CAAC;gBAEF,kBAAkB,GAAG;oBACnB,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;oBAChD,EAAE,IAAI,EAAE,QAAQ,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE;oBACxC,EAAE,IAAI,EAAE,QAAQ,CAAC,aAAa,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC7C,EAAE,IAAI,EAAE,QAAQ,CAAC,eAAe,EAAE,KAAK,EAAE,KAAK,EAAE;iBACjD,CAAC;YACJ,CAAC;iBAAM,CAAC;gBAEN,SAAS,GAAG,EAAE,SAAS,EAAE,QAAQ,CAAC,2BAA2B,EAAE,CAAC;gBAGhE,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;gBAE/D,iBAAiB,GAAG;oBAClB,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;oBAChD,EAAE,IAAI,EAAE,QAAQ,CAAC,aAAa,EAAE,KAAK,EAAE,UAAU,EAAE;oBACnD,EAAE,IAAI,EAAE,QAAQ,CAAC,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE;iBAC3C,CAAC;gBAEF,kBAAkB,GAAG;oBACnB,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE;oBAChD,EAAE,IAAI,EAAE,QAAQ,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE;oBACxC,EAAE,IAAI,EAAE,QAAQ,CAAC,aAAa,EAAE,KAAK,EAAE,IAAI,EAAE;oBAC7C,EAAE,IAAI,EAAE,QAAQ,CAAC,eAAe,EAAE,KAAK,EAAE,KAAK,EAAE;iBACjD,CAAC;YACJ,CAAC;YAGD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC3C,IAAI,CAAC,OAAO,EACZ,SAAS,EACT,iBAAiB,EACjB,kBAAkB,CACnB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;gBACE,WAAW,EAAE,QAAQ;gBACrB,WAAW;gBACX,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;aAC/B,EACD,4BAA4B,CAC7B,CAAC;YAEF,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,yBAAyB,CAAC,CAAC;YAClE,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAKD,OAAO;QACL,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACnC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3C,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAC3B,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,2BAA2B,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;CACF;AA5TD,gCA4TC"}

package/dist/security/fraud-detector.d.ts

@@ -0,0 +1,79 @@
+import { EventEmitter } from 'events';
+import { Logger } from 'pino';
+export interface FraudRule {
+    name: string;
+    check(event: SettlementEvent | PacketEvent | ChannelEvent): Promise<FraudDetection>;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+}
+export interface FraudDetection {
+    detected: boolean;
+    peerId?: string;
+    details?: {
+        [key: string]: unknown;
+        description?: string;
+    };
+}
+export interface SettlementEvent {
+    type: 'settlement';
+    peerId: string;
+    amount: number;
+    timestamp: number;
+    channelId?: string;
+}
+export interface PacketEvent {
+    type: 'packet';
+    peerId: string;
+    packetCount: number;
+    timestamp: number;
+}
+export interface ChannelEvent {
+    type: 'channel';
+    peerId: string;
+    action: 'open' | 'close';
+    channelId: string;
+    timestamp: number;
+}
+export interface PeerReputationScore {
+    peerId: string;
+    score: number;
+    lastUpdated: number;
+    violations: {
+        timestamp: number;
+        ruleViolated: string;
+        severity: 'low' | 'medium' | 'high' | 'critical';
+        penaltyApplied: number;
+    }[];
+}
+export interface PauseReason {
+    peerId: string;
+    reason: string;
+    timestamp: number;
+    ruleViolated: string;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+}
+export interface FraudDetectorConfig {
+    enabled: boolean;
+    autoPauseThreshold: number;
+    rules: FraudRule[];
+}
+export declare class FraudDetector extends EventEmitter {
+    private readonly logger;
+    private readonly config;
+    private readonly rules;
+    private readonly pausedPeers;
+    private readonly boundHandlers;
+    constructor(logger: Logger, config: FraudDetectorConfig);
+    start(): void;
+    stop(): void;
+    private handleSettlementEvent;
+    private handlePacketEvent;
+    private handleChannelEvent;
+    analyzeEvent(event: SettlementEvent | PacketEvent | ChannelEvent): Promise<void>;
+    private handleFraudDetection;
+    pausePeer(peerId: string, reason: string, ruleViolated: string, severity: 'low' | 'medium' | 'high' | 'critical'): Promise<void>;
+    resumePeer(peerId: string): Promise<void>;
+    isPeerPaused(peerId: string): boolean;
+    getPauseReason(peerId: string): PauseReason | undefined;
+    getPausedPeers(): Map<string, PauseReason>;
+}
+//# sourceMappingURL=fraud-detector.d.ts.map

package/dist/security/fraud-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fraud-detector.d.ts","sourceRoot":"","sources":["../../src/security/fraud-detector.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAK9B,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,KAAK,EAAE,eAAe,GAAG,WAAW,GAAG,YAAY,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IACpF,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CAClD;AAKD,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE;QACR,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAKD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,YAAY,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAKD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,QAAQ,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAKD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAKD,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE;QACV,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;QACjD,cAAc,EAAE,MAAM,CAAC;KACxB,EAAE,CAAC;CACL;AAKD,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CAClD;AAKD,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,KAAK,EAAE,SAAS,EAAE,CAAC;CACpB;AAQD,qBAAa,aAAc,SAAQ,YAAY;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsB;IAC7C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAc;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA2B;IAGvD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAI5B;gBAEU,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,mBAAmB;IAwBhD,KAAK,IAAI,IAAI;IAiBb,IAAI,IAAI,IAAI;YAYL,qBAAqB;YAOrB,iBAAiB;YAOjB,kBAAkB;IAOnB,YAAY,CAAC,KAAK,EAAE,eAAe,GAAG,WAAW,GAAG,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;YA+B/E,oBAAoB;IAgCrB,SAAS,CACpB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,GAC/C,OAAO,CAAC,IAAI,CAAC;IAoCH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA0B/C,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAOrC,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAOvD,cAAc,IAAI,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC;CAGlD"}

package/dist/security/fraud-detector.js

@@ -0,0 +1,147 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FraudDetector = void 0;
+const events_1 = require("events");
+class FraudDetector extends events_1.EventEmitter {
+    logger;
+    config;
+    rules;
+    pausedPeers;
+    boundHandlers;
+    constructor(logger, config) {
+        super();
+        this.logger = logger.child({ component: 'FraudDetector' });
+        this.config = config;
+        this.rules = config.rules;
+        this.pausedPeers = new Map();
+        this.boundHandlers = {
+            handleSettlementEvent: this.handleSettlementEvent.bind(this),
+            handlePacketEvent: this.handlePacketEvent.bind(this),
+            handleChannelEvent: this.handleChannelEvent.bind(this),
+        };
+        this.logger.info('FraudDetector initialized', {
+            enabled: config.enabled,
+            ruleCount: this.rules.length,
+            autoPauseThreshold: config.autoPauseThreshold,
+        });
+    }
+    start() {
+        if (!this.config.enabled) {
+            this.logger.info('FraudDetector is disabled');
+            return;
+        }
+        this.on('SETTLEMENT_EVENT', this.boundHandlers.handleSettlementEvent);
+        this.on('PACKET_EVENT', this.boundHandlers.handlePacketEvent);
+        this.on('CHANNEL_EVENT', this.boundHandlers.handleChannelEvent);
+        this.logger.info('FraudDetector started');
+    }
+    stop() {
+        this.off('SETTLEMENT_EVENT', this.boundHandlers.handleSettlementEvent);
+        this.off('PACKET_EVENT', this.boundHandlers.handlePacketEvent);
+        this.off('CHANNEL_EVENT', this.boundHandlers.handleChannelEvent);
+        this.logger.info('FraudDetector stopped');
+    }
+    async handleSettlementEvent(event) {
+        await this.analyzeEvent(event);
+    }
+    async handlePacketEvent(event) {
+        await this.analyzeEvent(event);
+    }
+    async handleChannelEvent(event) {
+        await this.analyzeEvent(event);
+    }
+    async analyzeEvent(event) {
+        if (!this.config.enabled) {
+            return;
+        }
+        if (event.peerId && this.pausedPeers.has(event.peerId)) {
+            this.logger.debug('Event from paused peer ignored', { peerId: event.peerId });
+            return;
+        }
+        for (const rule of this.rules) {
+            try {
+                const detection = await rule.check(event);
+                if (detection.detected) {
+                    await this.handleFraudDetection(rule, detection, event);
+                }
+            }
+            catch (error) {
+                this.logger.error('Fraud rule evaluation failed', {
+                    ruleName: rule.name,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+    }
+    async handleFraudDetection(rule, detection, event) {
+        const peerId = detection.peerId || event.peerId;
+        this.logger.warn('Fraud detected', {
+            ruleName: rule.name,
+            severity: rule.severity,
+            peerId,
+            details: detection.details,
+        });
+        this.emit('FRAUD_DETECTED', {
+            ruleName: rule.name,
+            severity: rule.severity,
+            peerId,
+            timestamp: Date.now(),
+            details: detection.details,
+        });
+    }
+    async pausePeer(peerId, reason, ruleViolated, severity) {
+        try {
+            const pauseReason = {
+                peerId,
+                reason,
+                timestamp: Date.now(),
+                ruleViolated,
+                severity,
+            };
+            this.pausedPeers.set(peerId, pauseReason);
+            this.logger.warn('Peer paused due to fraud detection', {
+                peerId,
+                reason,
+                ruleViolated,
+                severity,
+            });
+            this.emit('PEER_PAUSED', { peerId, reason, ruleViolated, severity });
+        }
+        catch (error) {
+            this.logger.error('Failed to pause peer', {
+                peerId,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+        }
+    }
+    async resumePeer(peerId) {
+        try {
+            if (!this.pausedPeers.has(peerId)) {
+                this.logger.warn('Attempted to resume peer that is not paused', { peerId });
+                return;
+            }
+            this.pausedPeers.delete(peerId);
+            this.logger.info('Peer resumed after manual review', { peerId });
+            this.emit('PEER_RESUMED', { peerId });
+        }
+        catch (error) {
+            this.logger.error('Failed to resume peer', {
+                peerId,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+        }
+    }
+    isPeerPaused(peerId) {
+        return this.pausedPeers.has(peerId);
+    }
+    getPauseReason(peerId) {
+        return this.pausedPeers.get(peerId);
+    }
+    getPausedPeers() {
+        return new Map(this.pausedPeers);
+    }
+}
+exports.FraudDetector = FraudDetector;
+//# sourceMappingURL=fraud-detector.js.map

package/dist/security/fraud-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fraud-detector.js","sourceRoot":"","sources":["../../src/security/fraud-detector.ts"],"names":[],"mappings":";;;AAAA,mCAAsC;AAiGtC,MAAa,aAAc,SAAQ,qBAAY;IAC5B,MAAM,CAAS;IACf,MAAM,CAAsB;IAC5B,KAAK,CAAc;IACnB,WAAW,CAA2B;IAGtC,aAAa,CAI5B;IAEF,YAAY,MAAc,EAAE,MAA2B;QACrD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,EAAE,CAAC;QAG7B,IAAI,CAAC,aAAa,GAAG;YACnB,qBAAqB,EAAE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC;YAC5D,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;YACpD,kBAAkB,EAAE,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;SACvD,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;YAC5C,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM;YAC5B,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;SAC9C,CAAC,CAAC;IACL,CAAC;IAKM,KAAK;QACV,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QAGD,IAAI,CAAC,EAAE,CAAC,kBAAkB,EAAE,IAAI,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC;QACtE,IAAI,CAAC,EAAE,CAAC,cAAc,EAAE,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC;QAC9D,IAAI,CAAC,EAAE,CAAC,eAAe,EAAE,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,CAAC;QAEhE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAC5C,CAAC;IAKM,IAAI;QAET,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC;QACvE,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC;QAC/D,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,CAAC;QAEjE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAC5C,CAAC;IAKO,KAAK,CAAC,qBAAqB,CAAC,KAAsB;QACxD,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAKO,KAAK,CAAC,iBAAiB,CAAC,KAAkB;QAChD,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAKO,KAAK,CAAC,kBAAkB,CAAC,KAAmB;QAClD,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAKM,KAAK,CAAC,YAAY,CAAC,KAAmD;QAC3E,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO;QACT,CAAC;QAGD,IAAI,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAGD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC1C,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;oBACvB,MAAM,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAEf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE;oBAChD,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAKO,KAAK,CAAC,oBAAoB,CAChC,IAAe,EACf,SAAyB,EACzB,KAAmD;QAEnD,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC;QAEhD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE;YACjC,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM;YACN,OAAO,EAAE,SAAS,CAAC,OAAO;SAC3B,CAAC,CAAC;QAGH,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE;YAC1B,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,OAAO,EAAE,SAAS,CAAC,OAAO;SAC3B,CAAC,CAAC;IACL,CAAC;IAUM,KAAK,CAAC,SAAS,CACpB,MAAc,EACd,MAAc,EACd,YAAoB,EACpB,QAAgD;QAEhD,IAAI,CAAC;YACH,MAAM,WAAW,GAAgB;gBAC/B,MAAM;gBACN,MAAM;gBACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,YAAY;gBACZ,QAAQ;aACT,CAAC;YAEF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAE1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;gBACrD,MAAM;gBACN,MAAM;gBACN,YAAY;gBACZ,QAAQ;aACT,CAAC,CAAC;YAGH,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC,CAAC;QACvE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAEf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBACxC,MAAM;gBACN,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOM,KAAK,CAAC,UAAU,CAAC,MAAc;QACpC,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAClC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6CAA6C,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC5E,OAAO;YACT,CAAC;YAED,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAEhC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;YAGjE,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAEf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;gBACzC,MAAM;gBACN,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKM,YAAY,CAAC,MAAc;QAChC,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAKM,cAAc,CAAC,MAAc;QAClC,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAKM,cAAc;QACnB,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACnC,CAAC;CACF;AA1OD,sCA0OC"}

package/dist/security/key-manager-signer.d.ts

@@ -0,0 +1,15 @@
+import type { KeyManager } from './key-manager';
+import type { Provider, TransactionRequest, Signer, TypedDataDomain, TypedDataField, TransactionResponse } from 'ethers';
+export interface IKeyManagerSigner extends Signer {
+    getAddress(): Promise<string>;
+    signTransaction(transaction: TransactionRequest): Promise<string>;
+    sendTransaction(transaction: TransactionRequest): Promise<TransactionResponse>;
+    signMessage(message: string | Uint8Array): Promise<string>;
+    signTypedData(domain: TypedDataDomain, types: Record<string, TypedDataField[]>, value: Record<string, any>): Promise<string>;
+    connect(provider: Provider): IKeyManagerSigner;
+}
+export declare function createKeyManagerSigner(keyManager: KeyManager, evmKeyId: string, provider?: Provider): Promise<IKeyManagerSigner>;
+export declare const KeyManagerSigner: {
+    new (keyManager: KeyManager, evmKeyId: string, provider?: Provider): IKeyManagerSigner;
+};
+//# sourceMappingURL=key-manager-signer.d.ts.map

package/dist/security/key-manager-signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-manager-signer.d.ts","sourceRoot":"","sources":["../../src/security/key-manager-signer.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EACV,QAAQ,EACR,kBAAkB,EAClB,MAAM,EACN,eAAe,EACf,cAAc,EACd,mBAAmB,EACpB,MAAM,QAAQ,CAAC;AAOhB,MAAM,WAAW,iBAAkB,SAAQ,MAAM;IAC/C,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9B,eAAe,CAAC,WAAW,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClE,eAAe,CAAC,WAAW,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC/E,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3D,aAAa,CACX,MAAM,EAAE,eAAe,EACvB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,CAAC,EAEvC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GACzB,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB,OAAO,CAAC,QAAQ,EAAE,QAAQ,GAAG,iBAAiB,CAAC;CAChD;AAWD,wBAAsB,sBAAsB,CAC1C,UAAU,EAAE,UAAU,EACtB,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,QAAQ,GAClB,OAAO,CAAC,iBAAiB,CAAC,CAuL5B;AAOD,eAAO,MAAM,gBAAgB,EAAsB;IACjD,KAAK,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,iBAAiB,CAAC;CACxF,CAAC"}