@toon-protocol/connector 1.7.1

package/dist/security/key-manager-signer.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyManagerSigner = void 0;
+exports.createKeyManagerSigner = createKeyManagerSigner;
+const optional_require_1 = require("../utils/optional-require");
+async function createKeyManagerSigner(keyManager, evmKeyId, provider) {
+    const { ethers } = await (0, optional_require_1.requireOptional)('ethers', 'EVM settlement');
+    class KeyManagerSignerImpl extends ethers.AbstractSigner {
+        keyManager;
+        evmKeyId;
+        _cachedAddress = null;
+        constructor(km, keyId, p) {
+            super(p);
+            this.keyManager = km;
+            this.evmKeyId = keyId;
+        }
+        async getAddress() {
+            if (this._cachedAddress) {
+                return this._cachedAddress;
+            }
+            const publicKeyBuffer = await this.keyManager.getPublicKey(this.evmKeyId);
+            const publicKeyHex = '0x' + publicKeyBuffer.toString('hex');
+            const pubKeyWithoutPrefix = publicKeyHex.startsWith('0x04')
+                ? '0x' + publicKeyHex.slice(4)
+                : publicKeyHex;
+            const addressHash = ethers.keccak256(pubKeyWithoutPrefix);
+            this._cachedAddress = ethers.getAddress('0x' + addressHash.slice(-40));
+            return this._cachedAddress;
+        }
+        async signTransaction(transaction) {
+            const resolved = await ethers.resolveProperties(transaction);
+            const tx = ethers.Transaction.from(resolved);
+            const digest = tx.unsignedHash;
+            const signatureBuffer = await this.keyManager.sign(Buffer.from(digest.slice(2), 'hex'), this.evmKeyId);
+            const signature = ethers.Signature.from('0x' + signatureBuffer.toString('hex'));
+            tx.signature = signature;
+            return tx.serialized;
+        }
+        async sendTransaction(transaction) {
+            const provider = this.provider;
+            if (!provider) {
+                throw new Error('Provider required to send transaction');
+            }
+            const from = await this.getAddress();
+            const network = await provider.getNetwork();
+            const chainId = Number(network.chainId);
+            const feeData = await provider.getFeeData();
+            if (!feeData.maxFeePerGas || !feeData.maxPriorityFeePerGas) {
+                throw new Error('Unable to retrieve EIP-1559 fee data from provider');
+            }
+            const populatedTx = await ethers.resolveProperties({
+                to: transaction.to,
+                nonce: transaction.nonce !== undefined
+                    ? transaction.nonce
+                    : await provider.getTransactionCount(from, 'pending'),
+                gasLimit: transaction.gasLimit !== undefined
+                    ? transaction.gasLimit
+                    : await provider.estimateGas({
+                        ...transaction,
+                        from: from,
+                    }),
+                data: transaction.data ?? '0x',
+                value: transaction.value ?? 0,
+                chainId: transaction.chainId ?? chainId,
+                type: 2,
+                maxFeePerGas: transaction.maxFeePerGas ?? feeData.maxFeePerGas,
+                maxPriorityFeePerGas: transaction.maxPriorityFeePerGas ?? feeData.maxPriorityFeePerGas,
+            });
+            const signedTx = await this.signTransaction(populatedTx);
+            const txResponse = await provider.broadcastTransaction(signedTx);
+            return txResponse;
+        }
+        async signMessage(message) {
+            const messageBytes = typeof message === 'string' ? ethers.toUtf8Bytes(message) : message;
+            const messageHash = ethers.hashMessage(messageBytes);
+            const signatureBuffer = await this.keyManager.sign(Buffer.from(messageHash.slice(2), 'hex'), this.evmKeyId);
+            return '0x' + signatureBuffer.toString('hex');
+        }
+        async signTypedData(domain, types, value) {
+            const hash = ethers.TypedDataEncoder.hash(domain, types, value);
+            const signatureBuffer = await this.keyManager.sign(Buffer.from(hash.slice(2), 'hex'), this.evmKeyId);
+            return '0x' + signatureBuffer.toString('hex');
+        }
+        connect(provider) {
+            return new KeyManagerSignerImpl(this.keyManager, this.evmKeyId, provider);
+        }
+    }
+    return new KeyManagerSignerImpl(keyManager, evmKeyId, provider);
+}
+exports.KeyManagerSigner = null;
+//# sourceMappingURL=key-manager-signer.js.map

package/dist/security/key-manager-signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-manager-signer.js","sourceRoot":"","sources":["../../src/security/key-manager-signer.ts"],"names":[],"mappings":";;;AAgDA,wDA2LC;AAxND,gEAA4D;AA6BrD,KAAK,UAAU,sBAAsB,CAC1C,UAAsB,EACtB,QAAgB,EAChB,QAAmB;IAEnB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,kCAAe,EAA0B,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IAE9F,MAAM,oBAAqB,SAAQ,MAAM,CAAC,cAAc;QAC9C,UAAU,CAAa;QACvB,QAAQ,CAAS;QACjB,cAAc,GAAkB,IAAI,CAAC;QAE7C,YAAY,EAAc,EAAE,KAAa,EAAE,CAAY;YACrD,KAAK,CAAC,CAAC,CAAC,CAAC;YACT,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;QACxB,CAAC;QAMD,KAAK,CAAC,UAAU;YACd,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,cAAc,CAAC;YAC7B,CAAC;YAGD,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAK1E,MAAM,YAAY,GAAG,IAAI,GAAG,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAG5D,MAAM,mBAAmB,GAAG,YAAY,CAAC,UAAU,CAAC,MAAM,CAAC;gBACzD,CAAC,CAAC,IAAI,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC9B,CAAC,CAAC,YAAY,CAAC;YAGjB,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;YAC1D,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAEvE,OAAO,IAAI,CAAC,cAAc,CAAC;QAC7B,CAAC;QAMD,KAAK,CAAC,eAAe,CAAC,WAA+B;YAEnD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAI7D,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,QAAe,CAAC,CAAC;YAGpD,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC;YAG/B,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAChD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EACnC,IAAI,CAAC,QAAQ,CACd,CAAC;YAGF,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAGhF,EAAE,CAAC,SAAS,GAAG,SAAS,CAAC;YAGzB,OAAO,EAAE,CAAC,UAAU,CAAC;QACvB,CAAC;QAMD,KAAK,CAAC,eAAe,CAAC,WAA+B;YAEnD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YAC/B,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D,CAAC;YAGD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YAGrC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAGxC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC5C,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;YACxE,CAAC;YAGD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC;gBACjD,EAAE,EAAE,WAAW,CAAC,EAAE;gBAElB,KAAK,EACH,WAAW,CAAC,KAAK,KAAK,SAAS;oBAC7B,CAAC,CAAC,WAAW,CAAC,KAAK;oBACnB,CAAC,CAAC,MAAM,QAAQ,CAAC,mBAAmB,CAAC,IAAI,EAAE,SAAS,CAAC;gBACzD,QAAQ,EACN,WAAW,CAAC,QAAQ,KAAK,SAAS;oBAChC,CAAC,CAAC,WAAW,CAAC,QAAQ;oBACtB,CAAC,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC;wBACzB,GAAG,WAAW;wBACd,IAAI,EAAE,IAAI;qBACX,CAAC;gBACR,IAAI,EAAE,WAAW,CAAC,IAAI,IAAI,IAAI;gBAC9B,KAAK,EAAE,WAAW,CAAC,KAAK,IAAI,CAAC;gBAC7B,OAAO,EAAE,WAAW,CAAC,OAAO,IAAI,OAAO;gBACvC,IAAI,EAAE,CAAC;gBACP,YAAY,EAAE,WAAW,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY;gBAC9D,oBAAoB,EAAE,WAAW,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB;aACvF,CAAC,CAAC;YAGH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;YAGzD,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAC;YAEjE,OAAO,UAAU,CAAC;QACpB,CAAC;QAMD,KAAK,CAAC,WAAW,CAAC,OAA4B;YAE5C,MAAM,YAAY,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;YAGzF,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;YAGrD,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAChD,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EACxC,IAAI,CAAC,QAAQ,CACd,CAAC;YAGF,OAAO,IAAI,GAAG,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC;QAMD,KAAK,CAAC,aAAa,CACjB,MAAuB,EACvB,KAAuC,EAEvC,KAA0B;YAG1B,MAAM,IAAI,GAAG,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;YAGhE,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAChD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EACjC,IAAI,CAAC,QAAQ,CACd,CAAC;YAGF,OAAO,IAAI,GAAG,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC;QAKD,OAAO,CAAC,QAAkB;YACxB,OAAO,IAAI,oBAAoB,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC5E,CAAC;KACF;IAED,OAAO,IAAI,oBAAoB,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAClE,CAAC;AAOY,QAAA,gBAAgB,GAAG,IAE/B,CAAC"}

package/dist/security/key-manager.d.ts

@@ -0,0 +1,69 @@
+import { Logger } from 'pino';
+export interface KeyManagerBackend {
+    sign(message: Buffer, keyId: string): Promise<Buffer>;
+    getPublicKey(keyId: string): Promise<Buffer>;
+    rotateKey(keyId: string): Promise<string>;
+}
+export interface AWSConfig {
+    region: string;
+    evmKeyId: string;
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+    };
+}
+export interface GCPConfig {
+    projectId: string;
+    locationId: string;
+    keyRingId: string;
+    evmKeyId: string;
+}
+export interface AzureConfig {
+    vaultUrl: string;
+    evmKeyName: string;
+    credentials?: {
+        tenantId: string;
+        clientId: string;
+        clientSecret: string;
+    };
+}
+export interface HSMConfig {
+    pkcs11LibraryPath: string;
+    slotId: number;
+    pin: string;
+    evmKeyLabel: string;
+}
+export interface KeyRotationConfig {
+    enabled: boolean;
+    intervalDays: number;
+    overlapDays: number;
+    notifyBeforeDays: number;
+}
+export interface KeyManagerConfig {
+    backend: 'env' | 'aws-kms' | 'gcp-kms' | 'azure-kv' | 'hsm';
+    nodeId: string;
+    evmPrivateKey?: string;
+    aws?: AWSConfig;
+    gcp?: GCPConfig;
+    azure?: AzureConfig;
+    hsm?: HSMConfig;
+    rotation?: KeyRotationConfig;
+}
+export interface AuditLogEntry {
+    event: 'SIGN_REQUEST' | 'SIGN_SUCCESS' | 'SIGN_FAILURE' | 'KEY_ROTATION_START' | 'KEY_ROTATION_COMPLETE' | 'KEY_ACCESS_DENIED';
+    keyId: string;
+    timestamp: number;
+    nodeId: string;
+    backend: string;
+    details?: Record<string, unknown>;
+}
+export declare class KeyManager {
+    private backend;
+    private logger;
+    private auditLogger;
+    constructor(config: KeyManagerConfig, logger: Logger);
+    sign(message: Buffer, keyId: string): Promise<Buffer>;
+    getPublicKey(keyId: string): Promise<Buffer>;
+    rotateKey(keyId: string): Promise<string>;
+}
+//# sourceMappingURL=key-manager.d.ts.map

package/dist/security/key-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-manager.d.ts","sourceRoot":"","sources":["../../src/security/key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAO9B,MAAM,WAAW,iBAAiB;IAChC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACtD,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7C,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC3C;AAKD,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE;QACZ,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;CACH;AAKD,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAKD,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE;QACZ,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAKD,MAAM,WAAW,SAAS;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;CACrB;AAKD,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAKD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,KAAK,GAAG,SAAS,GAAG,SAAS,GAAG,UAAU,GAAG,KAAK,CAAC;IAC5D,MAAM,EAAE,MAAM,CAAC;IAGf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAKD,MAAM,WAAW,aAAa;IAC5B,KAAK,EACD,cAAc,GACd,cAAc,GACd,cAAc,GACd,oBAAoB,GACpB,uBAAuB,GACvB,mBAAmB,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAMD,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAoB;IACnC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,WAAW,CAAc;gBAErB,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM;IAyC9C,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BrD,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAkB5C,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAkBhD"}

package/dist/security/key-manager.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyManager = void 0;
+const audit_logger_1 = require("./audit-logger");
+class KeyManager {
+    backend;
+    logger;
+    auditLogger;
+    constructor(config, logger) {
+        this.logger = logger.child({ component: 'KeyManager' });
+        this.auditLogger = new audit_logger_1.AuditLogger(logger, {
+            nodeId: config.nodeId,
+            backend: config.backend,
+        });
+        switch (config.backend) {
+            case 'env': {
+                const { EnvironmentVariableBackend } = require('./backends/environment-backend');
+                this.backend = new EnvironmentVariableBackend(this.logger, {
+                    evmPrivateKey: config.evmPrivateKey,
+                });
+                break;
+            }
+            case 'aws-kms':
+            case 'gcp-kms':
+            case 'azure-kv':
+            case 'hsm': {
+                throw new Error(`Backend type '${config.backend}' is not supported. Only 'env' backend is available.`);
+            }
+            default:
+                throw new Error(`Unknown backend type: ${config.backend}`);
+        }
+        this.logger.info({ backend: config.backend }, 'KeyManager initialized');
+    }
+    async sign(message, keyId) {
+        const messageHash = message.toString('hex');
+        this.auditLogger.logSignRequest(keyId, messageHash);
+        this.logger.debug({ keyId, messageLength: message.length }, 'Signing message');
+        try {
+            const signature = await this.backend.sign(message, keyId);
+            const signatureHash = signature.toString('hex');
+            this.auditLogger.logSignSuccess(keyId, signatureHash);
+            this.logger.info({ keyId, signatureLength: signature.length }, 'Message signed successfully');
+            return signature;
+        }
+        catch (error) {
+            this.auditLogger.logSignFailure(keyId, error);
+            this.logger.error({ keyId, error }, 'Message signing failed');
+            throw error;
+        }
+    }
+    async getPublicKey(keyId) {
+        this.logger.debug({ keyId }, 'Retrieving public key');
+        try {
+            const publicKey = await this.backend.getPublicKey(keyId);
+            this.logger.info({ keyId, publicKeyLength: publicKey.length }, 'Public key retrieved');
+            return publicKey;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'Public key retrieval failed');
+            throw error;
+        }
+    }
+    async rotateKey(keyId) {
+        this.auditLogger.logKeyRotation(keyId, '', 'START');
+        this.logger.info({ keyId }, 'Starting key rotation');
+        try {
+            const newKeyId = await this.backend.rotateKey(keyId);
+            this.auditLogger.logKeyRotation(keyId, newKeyId, 'COMPLETE');
+            this.logger.info({ oldKeyId: keyId, newKeyId }, 'Key rotation completed');
+            return newKeyId;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'Key rotation failed');
+            throw error;
+        }
+    }
+}
+exports.KeyManager = KeyManager;
+//# sourceMappingURL=key-manager.js.map

package/dist/security/key-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-manager.js","sourceRoot":"","sources":["../../src/security/key-manager.ts"],"names":[],"mappings":";;;AACA,iDAA6C;AAyG7C,MAAa,UAAU;IACb,OAAO,CAAoB;IAC3B,MAAM,CAAS;IACf,WAAW,CAAc;IAEjC,YAAY,MAAwB,EAAE,MAAc;QAClD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;QAGxD,IAAI,CAAC,WAAW,GAAG,IAAI,0BAAW,CAAC,MAAM,EAAE;YACzC,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC,CAAC;QAGH,QAAQ,MAAM,CAAC,OAAO,EAAE,CAAC;YACvB,KAAK,KAAK,CAAC,CAAC,CAAC;gBAGX,MAAM,EAAE,0BAA0B,EAAE,GAAG,OAAO,CAAC,gCAAgC,CAAC,CAAC;gBACjF,IAAI,CAAC,OAAO,GAAG,IAAI,0BAA0B,CAAC,IAAI,CAAC,MAAM,EAAE;oBACzD,aAAa,EAAE,MAAM,CAAC,aAAa;iBACpC,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;YACD,KAAK,SAAS,CAAC;YACf,KAAK,SAAS,CAAC;YACf,KAAK,UAAU,CAAC;YAChB,KAAK,KAAK,CAAC,CAAC,CAAC;gBACX,MAAM,IAAI,KAAK,CACb,iBAAiB,MAAM,CAAC,OAAO,sDAAsD,CACtF,CAAC;YACJ,CAAC;YACD;gBACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,EAAE,wBAAwB,CAAC,CAAC;IAC1E,CAAC;IAQD,KAAK,CAAC,IAAI,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAG5C,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACpD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC;QAE/E,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAC1D,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAGhD,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;YACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAAE,6BAA6B,CAAC,CAAC;YAE9F,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAEf,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,EAAE,KAAc,CAAC,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,wBAAwB,CAAC,CAAC;YAC9D,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;YACzD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,SAAS,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC;YACvF,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,6BAA6B,CAAC,CAAC;YACnE,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAOD,KAAK,CAAC,SAAS,CAAC,KAAa;QAE3B,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;QACpD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;QAErD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAGrD,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC7D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,wBAAwB,CAAC,CAAC;YAE1E,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,qBAAqB,CAAC,CAAC;YAC3D,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF;AA/GD,gCA+GC"}

package/dist/security/key-rotation-manager.d.ts

@@ -0,0 +1,27 @@
+import { KeyManager, KeyRotationConfig } from './key-manager';
+import { Logger } from 'pino';
+export interface KeyRotationMetadata {
+    oldKeyId: string;
+    newKeyId: string;
+    rotationDate: number;
+    overlapEndsAt: number;
+}
+export declare class KeyRotationManager {
+    private readonly keyManager;
+    private readonly config;
+    private readonly logger;
+    private rotationTimer?;
+    private notificationTimer?;
+    private rotationMetadata;
+    constructor(keyManager: KeyManager, config: KeyRotationConfig, logger: Logger);
+    start(): void;
+    stop(): void;
+    private checkNotificationNeeded;
+    rotateKey(keyId: string): Promise<string>;
+    private scheduleOverlapCleanup;
+    private disableOldKey;
+    isKeyValid(keyId: string): boolean;
+    getRotationMetadata(keyId: string): KeyRotationMetadata | undefined;
+    getAllRotationMetadata(): Map<string, KeyRotationMetadata>;
+}
+//# sourceMappingURL=key-rotation-manager.d.ts.map

package/dist/security/key-rotation-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-rotation-manager.d.ts","sourceRoot":"","sources":["../../src/security/key-rotation-manager.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAM9B,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAWD,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAoB;IAC3C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,aAAa,CAAC,CAAiB;IACvC,OAAO,CAAC,iBAAiB,CAAC,CAAiB;IAC3C,OAAO,CAAC,gBAAgB,CAA+C;gBAS3D,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM;IA2B7E,KAAK,IAAI,IAAI;IAyCb,IAAI,IAAI,IAAI;IAkBZ,OAAO,CAAC,uBAAuB;IA0BzB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiD/C,OAAO,CAAC,sBAAsB;IA8B9B,OAAO,CAAC,aAAa;IA6BrB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IA0BlC,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAsBnE,sBAAsB,IAAI,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC;CAG3D"}

package/dist/security/key-rotation-manager.js

@@ -0,0 +1,142 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyRotationManager = void 0;
+class KeyRotationManager {
+    keyManager;
+    config;
+    logger;
+    rotationTimer;
+    notificationTimer;
+    rotationMetadata = new Map();
+    constructor(keyManager, config, logger) {
+        this.keyManager = keyManager;
+        this.config = config;
+        this.logger = logger.child({ component: 'KeyRotationManager' });
+        if (config.intervalDays <= 0) {
+            throw new Error('Rotation interval must be positive');
+        }
+        if (config.overlapDays < 0) {
+            throw new Error('Overlap days must be non-negative');
+        }
+        if (config.notifyBeforeDays < 0) {
+            throw new Error('Notification days must be non-negative');
+        }
+        if (config.overlapDays >= config.intervalDays) {
+            throw new Error('Overlap period must be less than rotation interval');
+        }
+    }
+    start() {
+        if (!this.config.enabled) {
+            this.logger.info('Key rotation is disabled in configuration');
+            return;
+        }
+        this.stop();
+        const rotationIntervalMs = this.config.intervalDays * 24 * 60 * 60 * 1000;
+        this.rotationTimer = setInterval(() => {
+            this.logger.info('Rotation timer triggered - checking for keys to rotate');
+        }, rotationIntervalMs);
+        const dailyCheckMs = 24 * 60 * 60 * 1000;
+        this.notificationTimer = setInterval(() => {
+            this.checkNotificationNeeded();
+        }, dailyCheckMs);
+        this.logger.info({
+            rotationIntervalDays: this.config.intervalDays,
+            overlapDays: this.config.overlapDays,
+            notifyBeforeDays: this.config.notifyBeforeDays,
+        }, 'Key rotation scheduler started');
+    }
+    stop() {
+        if (this.rotationTimer) {
+            clearInterval(this.rotationTimer);
+            this.rotationTimer = undefined;
+        }
+        if (this.notificationTimer) {
+            clearInterval(this.notificationTimer);
+            this.notificationTimer = undefined;
+        }
+        this.logger.info('Key rotation scheduler stopped');
+    }
+    checkNotificationNeeded() {
+        this.logger.debug('Checking if rotation notifications needed');
+    }
+    async rotateKey(keyId) {
+        this.logger.info({ keyId }, 'Starting key rotation');
+        try {
+            const newKeyId = await this.keyManager.rotateKey(keyId);
+            const rotationDate = Date.now();
+            const overlapEndsAt = rotationDate + this.config.overlapDays * 24 * 60 * 60 * 1000;
+            const metadata = {
+                oldKeyId: keyId,
+                newKeyId,
+                rotationDate,
+                overlapEndsAt,
+            };
+            this.rotationMetadata.set(newKeyId, metadata);
+            this.logger.info({
+                oldKeyId: keyId,
+                newKeyId,
+                rotationDate: new Date(rotationDate).toISOString(),
+                overlapEndsAt: new Date(overlapEndsAt).toISOString(),
+                overlapDays: this.config.overlapDays,
+            }, 'Key rotation completed - overlap period started');
+            this.scheduleOverlapCleanup(keyId, newKeyId, overlapEndsAt);
+            return newKeyId;
+        }
+        catch (error) {
+            this.logger.error({ keyId, error }, 'Key rotation failed');
+            throw error;
+        }
+    }
+    scheduleOverlapCleanup(oldKeyId, newKeyId, overlapEndsAt) {
+        const delayMs = overlapEndsAt - Date.now();
+        if (delayMs <= 0) {
+            this.disableOldKey(oldKeyId, newKeyId);
+            return;
+        }
+        setTimeout(() => {
+            this.disableOldKey(oldKeyId, newKeyId);
+        }, delayMs);
+        this.logger.debug({
+            oldKeyId,
+            newKeyId,
+            overlapEndsAt: new Date(overlapEndsAt).toISOString(),
+            delayMs,
+        }, 'Scheduled old key cleanup after overlap period');
+    }
+    disableOldKey(oldKeyId, newKeyId) {
+        this.logger.info({
+            oldKeyId,
+            newKeyId,
+        }, 'Overlap period expired - disabling old key');
+        this.rotationMetadata.delete(newKeyId);
+    }
+    isKeyValid(keyId) {
+        const metadata = this.rotationMetadata.get(keyId);
+        if (metadata) {
+            return true;
+        }
+        for (const [, meta] of this.rotationMetadata.entries()) {
+            if (meta.oldKeyId === keyId) {
+                return Date.now() < meta.overlapEndsAt;
+            }
+        }
+        return true;
+    }
+    getRotationMetadata(keyId) {
+        const metadata = this.rotationMetadata.get(keyId);
+        if (metadata) {
+            return metadata;
+        }
+        for (const [, meta] of this.rotationMetadata.entries()) {
+            if (meta.oldKeyId === keyId) {
+                return meta;
+            }
+        }
+        return undefined;
+    }
+    getAllRotationMetadata() {
+        return new Map(this.rotationMetadata);
+    }
+}
+exports.KeyRotationManager = KeyRotationManager;
+//# sourceMappingURL=key-rotation-manager.js.map

package/dist/security/key-rotation-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-rotation-manager.js","sourceRoot":"","sources":["../../src/security/key-rotation-manager.ts"],"names":[],"mappings":";;;AA+BA,MAAa,kBAAkB;IACZ,UAAU,CAAa;IACvB,MAAM,CAAoB;IAC1B,MAAM,CAAS;IACxB,aAAa,CAAkB;IAC/B,iBAAiB,CAAkB;IACnC,gBAAgB,GAAqC,IAAI,GAAG,EAAE,CAAC;IASvE,YAAY,UAAsB,EAAE,MAAyB,EAAE,MAAc;QAC3E,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,oBAAoB,EAAE,CAAC,CAAC;QAGhE,IAAI,MAAM,CAAC,YAAY,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,MAAM,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IASD,KAAK;QACH,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAGD,IAAI,CAAC,IAAI,EAAE,CAAC;QAEZ,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAG1E,IAAI,CAAC,aAAa,GAAG,WAAW,CAAC,GAAG,EAAE;YACpC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;QAG7E,CAAC,EAAE,kBAAkB,CAAC,CAAC;QAIvB,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACzC,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC,GAAG,EAAE;YACxC,IAAI,CAAC,uBAAuB,EAAE,CAAC;QACjC,CAAC,EAAE,YAAY,CAAC,CAAC;QAEjB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;YACE,oBAAoB,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;YAC9C,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,gBAAgB,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;SAC/C,EACD,gCAAgC,CACjC,CAAC;IACJ,CAAC;IAQD,IAAI;QACF,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAClC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;QACjC,CAAC;QAED,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,aAAa,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YACtC,IAAI,CAAC,iBAAiB,GAAG,SAAS,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IACrD,CAAC;IAMO,uBAAuB;QAO7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;IACjE,CAAC;IAkBD,KAAK,CAAC,SAAS,CAAC,KAAa;QAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;QAErD,IAAI,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAGxD,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAChC,MAAM,aAAa,GAAG,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YAGnF,MAAM,QAAQ,GAAwB;gBACpC,QAAQ,EAAE,KAAK;gBACf,QAAQ;gBACR,YAAY;gBACZ,aAAa;aACd,CAAC;YAEF,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAE9C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;gBACE,QAAQ,EAAE,KAAK;gBACf,QAAQ;gBACR,YAAY,EAAE,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE;gBAClD,aAAa,EAAE,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,WAAW,EAAE;gBACpD,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;aACrC,EACD,iDAAiD,CAClD,CAAC;YAGF,IAAI,CAAC,sBAAsB,CAAC,KAAK,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YAE5D,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,qBAAqB,CAAC,CAAC;YAC3D,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IASO,sBAAsB,CAAC,QAAgB,EAAE,QAAgB,EAAE,aAAqB;QACtF,MAAM,OAAO,GAAG,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE3C,IAAI,OAAO,IAAI,CAAC,EAAE,CAAC;YAEjB,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YACvC,OAAO;QACT,CAAC;QAED,UAAU,CAAC,GAAG,EAAE;YACd,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACzC,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,IAAI,CAAC,MAAM,CAAC,KAAK,CACf;YACE,QAAQ;YACR,QAAQ;YACR,aAAa,EAAE,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,WAAW,EAAE;YACpD,OAAO;SACR,EACD,gDAAgD,CACjD,CAAC;IACJ,CAAC;IAQO,aAAa,CAAC,QAAgB,EAAE,QAAgB;QACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;YACE,QAAQ;YACR,QAAQ;SACT,EACD,4CAA4C,CAC7C,CAAC;QAGF,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAOzC,CAAC;IAYD,UAAU,CAAC,KAAa;QAEtB,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAClD,IAAI,QAAQ,EAAE,CAAC;YAEb,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAE5B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,aAAa,CAAC;YACzC,CAAC;QACH,CAAC;QAGD,OAAO,IAAI,CAAC;IACd,CAAC;IAQD,mBAAmB,CAAC,KAAa;QAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAClD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC;QAClB,CAAC;QAGD,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAOD,sBAAsB;QACpB,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACxC,CAAC;CACF;AA9RD,gDA8RC"}

package/dist/security/rate-limit-config.d.ts

@@ -0,0 +1,7 @@
+import type { RateLimitConfig, PeerRateLimitConfig } from './rate-limiter';
+export declare const DEFAULT_RATE_LIMIT_CONFIG: RateLimitConfig;
+export declare function createRateLimitConfig(overrides?: Partial<RateLimitConfig>): RateLimitConfig;
+export declare function addTrustedPeer(config: RateLimitConfig, peerId: string): RateLimitConfig;
+export declare function setPeerLimit(config: RateLimitConfig, peerId: string, peerConfig: PeerRateLimitConfig): RateLimitConfig;
+export declare function isRateLimitingEnabled(): boolean;
+//# sourceMappingURL=rate-limit-config.d.ts.map

package/dist/security/rate-limit-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-config.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit-config.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAK3E,eAAO,MAAM,yBAAyB,EAAE,eAQvC,CAAC;AAKF,wBAAgB,qBAAqB,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,eAAe,CAK3F;AAKD,wBAAgB,cAAc,CAAC,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,GAAG,eAAe,CAOvF;AAKD,wBAAgB,YAAY,CAC1B,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,mBAAmB,GAC9B,eAAe,CAOjB;AA8BD,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C"}

package/dist/security/rate-limit-config.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_RATE_LIMIT_CONFIG = void 0;
+exports.createRateLimitConfig = createRateLimitConfig;
+exports.addTrustedPeer = addTrustedPeer;
+exports.setPeerLimit = setPeerLimit;
+exports.isRateLimitingEnabled = isRateLimitingEnabled;
+exports.DEFAULT_RATE_LIMIT_CONFIG = {
+    maxRequestsPerSecond: parseIntEnv('RATE_LIMIT_MAX_PER_SECOND', 1000),
+    maxRequestsPerMinute: parseIntEnv('RATE_LIMIT_MAX_PER_MINUTE', 60000),
+    burstSize: parseIntEnv('RATE_LIMIT_BURST_SIZE', 2000),
+    blockDuration: parseIntEnv('RATE_LIMIT_BLOCK_DURATION', 300),
+    violationThreshold: parseIntEnv('RATE_LIMIT_VIOLATION_THRESHOLD', 100),
+    violationWindowSeconds: parseIntEnv('RATE_LIMIT_VIOLATION_WINDOW', 60),
+    adaptiveRateLimiting: parseBoolEnv('RATE_LIMIT_ADAPTIVE_ENABLED', true),
+};
+function createRateLimitConfig(overrides) {
+    return {
+        ...exports.DEFAULT_RATE_LIMIT_CONFIG,
+        ...overrides,
+    };
+}
+function addTrustedPeer(config, peerId) {
+    const trustedPeers = config.trustedPeers ?? new Set();
+    trustedPeers.add(peerId);
+    return {
+        ...config,
+        trustedPeers,
+    };
+}
+function setPeerLimit(config, peerId, peerConfig) {
+    const peerLimits = config.peerLimits ?? new Map();
+    peerLimits.set(peerId, peerConfig);
+    return {
+        ...config,
+        peerLimits,
+    };
+}
+function parseIntEnv(key, defaultValue) {
+    const value = process.env[key];
+    if (!value) {
+        return defaultValue;
+    }
+    const parsed = parseInt(value, 10);
+    return isNaN(parsed) ? defaultValue : parsed;
+}
+function parseBoolEnv(key, defaultValue) {
+    const value = process.env[key]?.toLowerCase();
+    if (!value) {
+        return defaultValue;
+    }
+    return value === 'true' || value === '1' || value === 'yes';
+}
+function isRateLimitingEnabled() {
+    return parseBoolEnv('RATE_LIMIT_ENABLED', true);
+}
+//# sourceMappingURL=rate-limit-config.js.map

package/dist/security/rate-limit-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-config.js","sourceRoot":"","sources":["../../src/security/rate-limit-config.ts"],"names":[],"mappings":";;;AAwBA,sDAKC;AAKD,wCAOC;AAKD,oCAWC;AA8BD,sDAEC;AA9EY,QAAA,yBAAyB,GAAoB;IACxD,oBAAoB,EAAE,WAAW,CAAC,2BAA2B,EAAE,IAAI,CAAC;IACpE,oBAAoB,EAAE,WAAW,CAAC,2BAA2B,EAAE,KAAK,CAAC;IACrE,SAAS,EAAE,WAAW,CAAC,uBAAuB,EAAE,IAAI,CAAC;IACrD,aAAa,EAAE,WAAW,CAAC,2BAA2B,EAAE,GAAG,CAAC;IAC5D,kBAAkB,EAAE,WAAW,CAAC,gCAAgC,EAAE,GAAG,CAAC;IACtE,sBAAsB,EAAE,WAAW,CAAC,6BAA6B,EAAE,EAAE,CAAC;IACtE,oBAAoB,EAAE,YAAY,CAAC,6BAA6B,EAAE,IAAI,CAAC;CACxE,CAAC;AAKF,SAAgB,qBAAqB,CAAC,SAAoC;IACxE,OAAO;QACL,GAAG,iCAAyB;QAC5B,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAKD,SAAgB,cAAc,CAAC,MAAuB,EAAE,MAAc;IACpE,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,IAAI,GAAG,EAAE,CAAC;IACtD,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,OAAO;QACL,GAAG,MAAM;QACT,YAAY;KACb,CAAC;AACJ,CAAC;AAKD,SAAgB,YAAY,CAC1B,MAAuB,EACvB,MAAc,EACd,UAA+B;IAE/B,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,GAAG,EAAE,CAAC;IAClD,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACnC,OAAO;QACL,GAAG,MAAM;QACT,UAAU;KACX,CAAC;AACJ,CAAC;AAOD,SAAS,WAAW,CAAC,GAAW,EAAE,YAAoB;IACpD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACnC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC;AAC/C,CAAC;AAKD,SAAS,YAAY,CAAC,GAAW,EAAE,YAAqB;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,WAAW,EAAE,CAAC;IAC9C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,OAAO,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,KAAK,CAAC;AAC9D,CAAC;AAKD,SAAgB,qBAAqB;IACnC,OAAO,YAAY,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC;AAClD,CAAC"}

package/dist/security/rate-limiter.d.ts

@@ -0,0 +1,46 @@
+import type { Logger } from '../utils/logger';
+export type RequestType = 'BTP_CONNECTION' | 'BTP_MESSAGE' | 'ILP_PACKET' | 'SETTLEMENT' | 'HTTP_API';
+export interface RateLimitConfig {
+    maxRequestsPerSecond: number;
+    maxRequestsPerMinute: number;
+    burstSize: number;
+    blockDuration: number;
+    violationThreshold: number;
+    violationWindowSeconds: number;
+    peerLimits?: Map<string, PeerRateLimitConfig>;
+    trustedPeers?: Set<string>;
+    adaptiveRateLimiting?: boolean;
+}
+export interface PeerRateLimitConfig {
+    maxRequestsPerSecond: number;
+    burstSize: number;
+}
+export interface RateLimitMetrics {
+    recordAllowed(peerId: string, requestType: RequestType): void;
+    recordThrottled(peerId: string, requestType: RequestType): void;
+    recordBlocked(peerId: string, requestType: RequestType): void;
+}
+export declare class RateLimiter {
+    private config;
+    private logger;
+    private tokenBuckets;
+    private blockedPeers;
+    private violationCounter;
+    private metrics?;
+    private adaptiveLimits;
+    constructor(config: RateLimitConfig, logger: Logger, metrics?: RateLimitMetrics);
+    checkLimit(peerId: string, requestType: RequestType): Promise<boolean>;
+    private getOrCreateBucket;
+    private getBucketConfig;
+    private handleViolation;
+    private blockPeer;
+    private unblockPeer;
+    increaseAdaptiveLimit(peerId: string): void;
+    private decreaseAdaptiveLimit;
+    getBlockedPeers(): string[];
+    getRequestsPerSecond(peerId: string): number;
+    unblock(peerId: string): void;
+    private validateConfig;
+    destroy(): void;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/security/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAO9C,MAAM,MAAM,WAAW,GACnB,gBAAgB,GAChB,aAAa,GACb,YAAY,GACZ,YAAY,GACZ,UAAU,CAAC;AAKf,MAAM,WAAW,eAAe;IAE9B,oBAAoB,EAAE,MAAM,CAAC;IAE7B,oBAAoB,EAAE,MAAM,CAAC;IAE7B,SAAS,EAAE,MAAM,CAAC;IAElB,aAAa,EAAE,MAAM,CAAC;IAEtB,kBAAkB,EAAE,MAAM,CAAC;IAE3B,sBAAsB,EAAE,MAAM,CAAC;IAE/B,UAAU,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAE9C,YAAY,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAE3B,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAKD,MAAM,WAAW,mBAAmB;IAClC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;CACnB;AAKD,MAAM,WAAW,gBAAgB;IAC/B,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAC9D,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAChE,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;CAC/D;AAcD,qBAAa,WAAW;IAQpB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IARhB,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,OAAO,CAAC,CAAmB;IACnC,OAAO,CAAC,cAAc,CAA6B;gBAGzC,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,EACtB,OAAO,CAAC,EAAE,gBAAgB;IAatB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC;IA2B5E,OAAO,CAAC,iBAAiB;IAazB,OAAO,CAAC,eAAe;IA0BvB,OAAO,CAAC,eAAe;IA0BvB,OAAO,CAAC,SAAS;IAgCjB,OAAO,CAAC,WAAW;IAiBnB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAe3C,OAAO,CAAC,qBAAqB;IAW7B,eAAe,IAAI,MAAM,EAAE;IAO3B,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAe5C,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAW7B,OAAO,CAAC,cAAc;IAwBtB,OAAO,IAAI,IAAI;CAQhB"}