@waiaas/daemon 2.0.0-rc.1

package/dist/api/error-hints.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Error hint templates for AI agent self-recovery.
+ * Hints are English-only (AI agent consumption).
+ * 31 of 40 actionable error codes have hints.
+ * 9 codes intentionally have no hint (security/permanent/info-only).
+ *
+ * @see docs/55-dx-improvement-spec.md section 2.2
+ */
+export declare const errorHintMap: Record<string, string>;
+/**
+ * Resolve hint for a given error code with optional variable substitution.
+ * Variables in {braces} are replaced from the context map.
+ */
+export declare function resolveHint(code: string, context?: Record<string, string>): string | undefined;
+//# sourceMappingURL=error-hints.d.ts.map

package/dist/api/error-hints.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-hints.d.ts","sourceRoot":"","sources":["../../src/api/error-hints.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,eAAO,MAAM,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAuD/C,CAAC;AAEF;;;GAGG;AACH,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,MAAM,GAAG,SAAS,CAMpB"}

package/dist/api/error-hints.js

@@ -0,0 +1,71 @@
+/**
+ * Error hint templates for AI agent self-recovery.
+ * Hints are English-only (AI agent consumption).
+ * 31 of 40 actionable error codes have hints.
+ * 9 codes intentionally have no hint (security/permanent/info-only).
+ *
+ * @see docs/55-dx-improvement-spec.md section 2.2
+ */
+export const errorHintMap = {
+    // AUTH domain (6 of 8)
+    INVALID_TOKEN: 'Create a new session via POST /v1/sessions with masterAuth credentials.',
+    TOKEN_EXPIRED: 'Renew the session via PUT /v1/sessions/{id}/renew, or create a new session.',
+    SESSION_REVOKED: 'Create a new session via POST /v1/sessions with masterAuth credentials.',
+    INVALID_SIGNATURE: 'Verify the Ed25519 signature format and the nonce from GET /v1/nonce.',
+    INVALID_NONCE: 'Fetch a fresh nonce from GET /v1/nonce and retry within 5 minutes.',
+    INVALID_MASTER_PASSWORD: 'Check the X-Master-Password header value.',
+    // MASTER_PASSWORD_LOCKED: no hint (wait 30min, no action)
+    // SYSTEM_LOCKED: no hint (Kill Switch, Owner recovery needed)
+    // SESSION domain (7 of 8)
+    SESSION_NOT_FOUND: 'The session may have been revoked. Create a new session via POST /v1/sessions.',
+    SESSION_EXPIRED: 'Create a new session via POST /v1/sessions with masterAuth credentials.',
+    SESSION_LIMIT_EXCEEDED: 'Revoke unused sessions via DELETE /v1/sessions/{id} and retry.',
+    CONSTRAINT_VIOLATED: 'Check session constraints (IP, operations). Create a session with correct constraints.',
+    RENEWAL_LIMIT_REACHED: 'Maximum renewals reached. Create a new session via POST /v1/sessions.',
+    SESSION_ABSOLUTE_LIFETIME_EXCEEDED: 'Absolute session lifetime exceeded. Create a new session via POST /v1/sessions.',
+    RENEWAL_TOO_EARLY: 'Wait until 50% of session TTL has elapsed before renewing.',
+    // SESSION_RENEWAL_MISMATCH: no hint (security issue)
+    // TX domain (7 of 21 actionable)
+    ABI_ENCODING_FAILED: 'Check that functionName exists in the provided ABI and args match the expected types. Use a JSON array of ABI fragments for the abi parameter.',
+    INSUFFICIENT_BALANCE: 'Fund the wallet. Check balance via GET /v1/wallet/balance.',
+    INVALID_ADDRESS: 'Verify the recipient address format for the target blockchain.',
+    TX_NOT_FOUND: 'Verify the transaction ID. List transactions via GET /v1/transactions.',
+    TX_EXPIRED: 'The transaction expired. Submit a new transaction via POST /v1/transactions/send.',
+    TX_ALREADY_PROCESSED: 'This transaction was already processed. Check status via GET /v1/transactions/{id}.',
+    CHAIN_ERROR: 'Blockchain RPC error. Retry after a short delay.',
+    // POLICY domain (4 of 5)
+    POLICY_NOT_FOUND: 'Verify the policy ID. List policies via GET /v1/policies.',
+    POLICY_DENIED: 'Transaction denied by policy. Review policies via GET /v1/policies.',
+    SPENDING_LIMIT_EXCEEDED: 'Spending limit exceeded for the current window. Wait for the window to reset or request a policy change.',
+    RATE_LIMIT_EXCEEDED: 'Too many requests. Wait and retry after the rate limit window resets.',
+    // WHITELIST_DENIED: no hint (security)
+    // OWNER domain (3 of 5)
+    OWNER_NOT_CONNECTED: 'Register an owner via PUT /v1/wallets/{walletId}/owner.',
+    APPROVAL_TIMEOUT: 'The approval request timed out. Submit a new transaction.',
+    APPROVAL_NOT_FOUND: 'No pending approval for this transaction. Check status via GET /v1/transactions/{id}.',
+    // OWNER_ALREADY_CONNECTED: no hint (state only)
+    // SYSTEM domain (4 of 6)
+    KEYSTORE_LOCKED: 'The keystore is temporarily locked. Retry after a short delay.',
+    CHAIN_NOT_SUPPORTED: 'This blockchain is not supported. Use SOLANA or EVM.',
+    SHUTTING_DOWN: 'The daemon is shutting down. Wait for restart.',
+    ADAPTER_NOT_AVAILABLE: 'Chain adapter is not available. The daemon may still be initializing. Retry.',
+    // KILL_SWITCH_ACTIVE: no hint (agent cannot recover)
+    // KILL_SWITCH_NOT_ACTIVE: no hint (info only)
+    // WALLET domain (2 of 3)
+    WALLET_NOT_FOUND: 'Verify the wallet ID. List wallets via GET /v1/wallets.',
+    WALLET_SUSPENDED: 'Wallet is suspended. Contact the administrator.',
+    // WALLET_TERMINATED: no hint (permanent)
+};
+/**
+ * Resolve hint for a given error code with optional variable substitution.
+ * Variables in {braces} are replaced from the context map.
+ */
+export function resolveHint(code, context) {
+    const template = errorHintMap[code];
+    if (!template)
+        return undefined;
+    if (!context)
+        return template;
+    return template.replace(/\{(\w+)\}/g, (_, key) => context[key] ?? `{${key}}`);
+}
+//# sourceMappingURL=error-hints.js.map

package/dist/api/error-hints.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-hints.js","sourceRoot":"","sources":["../../src/api/error-hints.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,CAAC,MAAM,YAAY,GAA2B;IAClD,uBAAuB;IACvB,aAAa,EAAE,yEAAyE;IACxF,aAAa,EAAE,6EAA6E;IAC5F,eAAe,EAAE,yEAAyE;IAC1F,iBAAiB,EAAE,uEAAuE;IAC1F,aAAa,EAAE,oEAAoE;IACnF,uBAAuB,EAAE,2CAA2C;IACpE,0DAA0D;IAC1D,8DAA8D;IAE9D,0BAA0B;IAC1B,iBAAiB,EAAE,gFAAgF;IACnG,eAAe,EAAE,yEAAyE;IAC1F,sBAAsB,EAAE,gEAAgE;IACxF,mBAAmB,EAAE,wFAAwF;IAC7G,qBAAqB,EAAE,uEAAuE;IAC9F,kCAAkC,EAAE,iFAAiF;IACrH,iBAAiB,EAAE,4DAA4D;IAC/E,qDAAqD;IAErD,iCAAiC;IACjC,mBAAmB,EAAE,gJAAgJ;IACrK,oBAAoB,EAAE,4DAA4D;IAClF,eAAe,EAAE,gEAAgE;IACjF,YAAY,EAAE,wEAAwE;IACtF,UAAU,EAAE,mFAAmF;IAC/F,oBAAoB,EAAE,qFAAqF;IAC3G,WAAW,EAAE,kDAAkD;IAE/D,yBAAyB;IACzB,gBAAgB,EAAE,2DAA2D;IAC7E,aAAa,EAAE,qEAAqE;IACpF,uBAAuB,EAAE,0GAA0G;IACnI,mBAAmB,EAAE,uEAAuE;IAC5F,uCAAuC;IAEvC,wBAAwB;IACxB,mBAAmB,EAAE,yDAAyD;IAC9E,gBAAgB,EAAE,2DAA2D;IAC7E,kBAAkB,EAAE,uFAAuF;IAC3G,gDAAgD;IAEhD,yBAAyB;IACzB,eAAe,EAAE,gEAAgE;IACjF,mBAAmB,EAAE,sDAAsD;IAC3E,aAAa,EAAE,gDAAgD;IAC/D,qBAAqB,EAAE,8EAA8E;IACrG,qDAAqD;IACrD,8CAA8C;IAE9C,yBAAyB;IACzB,gBAAgB,EAAE,yDAAyD;IAC3E,gBAAgB,EAAE,iDAAiD;IACnE,yCAAyC;CAC1C,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,WAAW,CACzB,IAAY,EACZ,OAAgC;IAEhC,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,CAAC,QAAQ;QAAE,OAAO,SAAS,CAAC;IAChC,IAAI,CAAC,OAAO;QAAE,OAAO,QAAQ,CAAC;IAE9B,OAAO,QAAQ,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,GAAG,CAAC,CAAC;AAChF,CAAC"}

package/dist/api/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * API module barrel export: server factory, middleware, routes.
+ */
+export { createApp, type CreateAppDeps } from './server.js';
+export { requestId, hostGuard, createKillSwitchGuard, requestLogger, errorHandler, type GetKillSwitchState, } from './middleware/index.js';
+export { health } from './routes/health.js';
+export { walletCrudRoutes, type WalletCrudRouteDeps } from './routes/wallets.js';
+export { walletRoutes, type WalletRouteDeps } from './routes/wallet.js';
+export { transactionRoutes, type TransactionRouteDeps } from './routes/transactions.js';
+export { mcpTokenRoutes, type McpTokenRouteDeps } from './routes/mcp.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/api/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/api/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,SAAS,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5D,OAAO,EACL,SAAS,EACT,SAAS,EACT,qBAAqB,EACrB,aAAa,EACb,YAAY,EACZ,KAAK,kBAAkB,GACxB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,KAAK,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AACjF,OAAO,EAAE,YAAY,EAAE,KAAK,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,KAAK,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AACxF,OAAO,EAAE,cAAc,EAAE,KAAK,iBAAiB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/api/index.js

@@ -0,0 +1,14 @@
+/**
+ * API module barrel export: server factory, middleware, routes.
+ */
+// Server factory
+export { createApp } from './server.js';
+// Middleware
+export { requestId, hostGuard, createKillSwitchGuard, requestLogger, errorHandler, } from './middleware/index.js';
+// Routes
+export { health } from './routes/health.js';
+export { walletCrudRoutes } from './routes/wallets.js';
+export { walletRoutes } from './routes/wallet.js';
+export { transactionRoutes } from './routes/transactions.js';
+export { mcpTokenRoutes } from './routes/mcp.js';
+//# sourceMappingURL=index.js.map

package/dist/api/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/api/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,iBAAiB;AACjB,OAAO,EAAE,SAAS,EAAsB,MAAM,aAAa,CAAC;AAE5D,aAAa;AACb,OAAO,EACL,SAAS,EACT,SAAS,EACT,qBAAqB,EACrB,aAAa,EACb,YAAY,GAEb,MAAM,uBAAuB,CAAC;AAE/B,SAAS;AACT,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAA4B,MAAM,qBAAqB,CAAC;AACjF,OAAO,EAAE,YAAY,EAAwB,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAA6B,MAAM,0BAA0B,CAAC;AACxF,OAAO,EAAE,cAAc,EAA0B,MAAM,iBAAiB,CAAC"}

package/dist/api/middleware/address-validation.d.ts

@@ -0,0 +1,38 @@
+/**
+ * validateOwnerAddress: Chain-aware address validation utility.
+ *
+ * Validates and normalizes owner wallet addresses for both supported chains:
+ * - **Solana**: Base58-encoded 32-byte Ed25519 public key
+ * - **Ethereum**: 0x-prefixed EIP-55 checksum address (strict mode)
+ *
+ * **EIP-55 strict mode**: All-lowercase and all-uppercase addresses are rejected.
+ * This is intentional -- we require EIP-55 checksum format for security to prevent
+ * address typos from going undetected.
+ *
+ * The `decodeBase58` function is extracted from owner-auth.ts and exported here
+ * as the canonical location. owner-auth.ts will import from here in Plan 87-02.
+ *
+ * @see docs/52-auth-redesign.md
+ */
+import type { ChainType } from '@waiaas/core';
+export interface AddressValidationResult {
+    valid: boolean;
+    /** Normalized address (EIP-55 checksum for Ethereum, unchanged for Solana) */
+    normalized?: string;
+    /** Reason on failure */
+    error?: string;
+}
+/**
+ * Decode a Base58-encoded string (Bitcoin alphabet) to a Buffer.
+ * Characters not in the Base58 alphabet (0, O, I, l) cause an error.
+ */
+export declare function decodeBase58(str: string): Buffer;
+/**
+ * Validate and normalize an owner wallet address for the given chain.
+ *
+ * - Solana: Base58 32-byte Ed25519 public key
+ * - Ethereum: 0x + EIP-55 checksum (strict -- all-lowercase rejected)
+ * - Unknown chain: rejected
+ */
+export declare function validateOwnerAddress(chain: ChainType, address: string): AddressValidationResult;
+//# sourceMappingURL=address-validation.d.ts.map

package/dist/api/middleware/address-validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"address-validation.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/address-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAO9C,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,8EAA8E;IAC9E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wBAAwB;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AASD;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAyChD;AA8DD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,GAAG,uBAAuB,CAS/F"}

package/dist/api/middleware/address-validation.js

@@ -0,0 +1,134 @@
+/**
+ * validateOwnerAddress: Chain-aware address validation utility.
+ *
+ * Validates and normalizes owner wallet addresses for both supported chains:
+ * - **Solana**: Base58-encoded 32-byte Ed25519 public key
+ * - **Ethereum**: 0x-prefixed EIP-55 checksum address (strict mode)
+ *
+ * **EIP-55 strict mode**: All-lowercase and all-uppercase addresses are rejected.
+ * This is intentional -- we require EIP-55 checksum format for security to prevent
+ * address typos from going undetected.
+ *
+ * The `decodeBase58` function is extracted from owner-auth.ts and exported here
+ * as the canonical location. owner-auth.ts will import from here in Plan 87-02.
+ *
+ * @see docs/52-auth-redesign.md
+ */
+import { isAddress, getAddress } from 'viem';
+// ---------------------------------------------------------------------------
+// Base58 decode (Bitcoin alphabet) -- canonical location
+// Extracted from owner-auth.ts for reuse across address validation.
+// ---------------------------------------------------------------------------
+const BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+/**
+ * Decode a Base58-encoded string (Bitcoin alphabet) to a Buffer.
+ * Characters not in the Base58 alphabet (0, O, I, l) cause an error.
+ */
+export function decodeBase58(str) {
+    // Count leading '1's (zero bytes)
+    let zeroes = 0;
+    for (let i = 0; i < str.length && str[i] === '1'; i++) {
+        zeroes++;
+    }
+    // Allocate enough space in base256 representation
+    const size = Math.ceil((str.length * 733) / 1000) + 1;
+    const b256 = new Uint8Array(size);
+    let length = 0;
+    for (let i = zeroes; i < str.length; i++) {
+        const charIndex = BASE58_ALPHABET.indexOf(str[i]);
+        if (charIndex === -1) {
+            throw new Error(`Invalid Base58 character: ${str[i]}`);
+        }
+        let carry = charIndex;
+        let j = 0;
+        for (let k = size - 1; k >= 0 && (carry !== 0 || j < length); k--, j++) {
+            carry += 58 * (b256[k] ?? 0);
+            b256[k] = carry % 256;
+            carry = Math.floor(carry / 256);
+        }
+        length = j;
+    }
+    // Skip leading zeros in b256
+    let start = 0;
+    while (start < size && b256[start] === 0) {
+        start++;
+    }
+    // Build result with leading zero bytes
+    const result = Buffer.alloc(zeroes + (size - start));
+    for (let i = start; i < size; i++) {
+        result[zeroes + (i - start)] = b256[i];
+    }
+    return result;
+}
+// ---------------------------------------------------------------------------
+// Solana address validation
+// ---------------------------------------------------------------------------
+function validateSolanaAddress(address) {
+    try {
+        const decoded = decodeBase58(address);
+        if (decoded.length !== 32) {
+            return {
+                valid: false,
+                error: `Invalid Solana address: expected 32 bytes, got ${String(decoded.length)}`,
+            };
+        }
+        return { valid: true, normalized: address };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { valid: false, error: `Invalid Solana address (Base58 decode failed): ${msg}` };
+    }
+}
+// ---------------------------------------------------------------------------
+// Ethereum address validation
+// ---------------------------------------------------------------------------
+function validateEthereumAddress(address) {
+    // Check basic format first (0x prefix + hex)
+    if (!address.startsWith('0x')) {
+        return { valid: false, error: 'Invalid Ethereum address format: missing 0x prefix' };
+    }
+    // isAddress with strict=false checks format only (0x + 40 hex chars)
+    if (!isAddress(address, { strict: false })) {
+        return { valid: false, error: 'Invalid Ethereum address format' };
+    }
+    // Require EIP-55 mixed-case checksum format.
+    // viem isAddress(strict:true) still accepts all-lowercase/all-uppercase,
+    // so we explicitly reject those -- we require the checksummed mixed-case form
+    // for security (prevents undetected typos).
+    const hex = address.slice(2);
+    if (hex === hex.toLowerCase() || hex === hex.toUpperCase()) {
+        return { valid: false, error: 'Invalid EIP-55 checksum: all-lowercase or all-uppercase addresses are not accepted, use checksummed format' };
+    }
+    // Verify the mixed-case matches EIP-55 checksum exactly
+    try {
+        const checksummed = getAddress(address);
+        if (checksummed !== address) {
+            return { valid: false, error: 'Invalid EIP-55 checksum' };
+        }
+        return { valid: true, normalized: checksummed };
+    }
+    catch {
+        return { valid: false, error: 'Invalid EIP-55 checksum' };
+    }
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Validate and normalize an owner wallet address for the given chain.
+ *
+ * - Solana: Base58 32-byte Ed25519 public key
+ * - Ethereum: 0x + EIP-55 checksum (strict -- all-lowercase rejected)
+ * - Unknown chain: rejected
+ */
+export function validateOwnerAddress(chain, address) {
+    switch (chain) {
+        case 'solana':
+            return validateSolanaAddress(address);
+        case 'ethereum':
+            return validateEthereumAddress(address);
+        default:
+            return { valid: false, error: `Unsupported chain: ${chain}` };
+    }
+}
+//# sourceMappingURL=address-validation.js.map

package/dist/api/middleware/address-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"address-validation.js","sourceRoot":"","sources":["../../../src/api/middleware/address-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAc7C,8EAA8E;AAC9E,yDAAyD;AACzD,oEAAoE;AACpE,8EAA8E;AAE9E,MAAM,eAAe,GAAG,4DAA4D,CAAC;AAErF;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,kCAAkC;IAClC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QACtD,MAAM,EAAE,CAAC;IACX,CAAC;IAED,kDAAkD;IAClD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,KAAK,IAAI,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAE,CAAC,CAAC;QACnD,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,KAAK,GAAG,SAAS,CAAC;QACtB,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,KAAK,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YACvE,KAAK,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAC7B,IAAI,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;YACtB,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC;QAClC,CAAC;QACD,MAAM,GAAG,CAAC,CAAC;IACb,CAAC;IAED,6BAA6B;IAC7B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,KAAK,GAAG,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QACzC,KAAK,EAAE,CAAC;IACV,CAAC;IAED,uCAAuC;IACvC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC;IACrD,KAAK,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;IAC1C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,4BAA4B;AAC5B,8EAA8E;AAE9E,SAAS,qBAAqB,CAAC,OAAe;IAC5C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,OAAO,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC1B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,kDAAkD,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE;aAClF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kDAAkD,GAAG,EAAE,EAAE,CAAC;IAC1F,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,SAAS,uBAAuB,CAAC,OAAe;IAC9C,6CAA6C;IAC7C,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oDAAoD,EAAE,CAAC;IACvF,CAAC;IAED,qEAAqE;IACrE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QAC3C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;IACpE,CAAC;IAED,6CAA6C;IAC7C,yEAAyE;IACzE,8EAA8E;IAC9E,4CAA4C;IAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,IAAI,GAAG,KAAK,GAAG,CAAC,WAAW,EAAE,IAAI,GAAG,KAAK,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;QAC3D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,4GAA4G,EAAE,CAAC;IAC/I,CAAC;IAED,wDAAwD;IACxD,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,WAAW,KAAK,OAAO,EAAE,CAAC;YAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC5D,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IAC5D,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAgB,EAAE,OAAe;IACpE,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,QAAQ;YACX,OAAO,qBAAqB,CAAC,OAAO,CAAC,CAAC;QACxC,KAAK,UAAU;YACb,OAAO,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAC1C;YACE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,KAAe,EAAE,EAAE,CAAC;IAC5E,CAAC;AACH,CAAC"}

package/dist/api/middleware/csp.d.ts

@@ -0,0 +1,17 @@
+/**
+ * CSP middleware: Content-Security-Policy header for Admin UI paths.
+ *
+ * Applied to /admin/* routes only. Uses strict CSP:
+ * - default-src 'none'
+ * - script-src 'self'
+ * - style-src 'self' 'unsafe-inline'
+ * - connect-src 'self'
+ * - img-src 'self' data:
+ * - font-src 'self'
+ * - base-uri 'self'
+ * - form-action 'self'
+ *
+ * @see docs/67-admin-web-ui-spec.md section 3
+ */
+export declare const cspMiddleware: import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=csp.d.ts.map

package/dist/api/middleware/csp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/csp.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAeH,eAAO,MAAM,aAAa,6DAGxB,CAAC"}

package/dist/api/middleware/csp.js

@@ -0,0 +1,31 @@
+/**
+ * CSP middleware: Content-Security-Policy header for Admin UI paths.
+ *
+ * Applied to /admin/* routes only. Uses strict CSP:
+ * - default-src 'none'
+ * - script-src 'self'
+ * - style-src 'self' 'unsafe-inline'
+ * - connect-src 'self'
+ * - img-src 'self' data:
+ * - font-src 'self'
+ * - base-uri 'self'
+ * - form-action 'self'
+ *
+ * @see docs/67-admin-web-ui-spec.md section 3
+ */
+import { createMiddleware } from 'hono/factory';
+const CSP_VALUE = [
+    "default-src 'none'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "connect-src 'self'",
+    "img-src 'self' data:",
+    "font-src 'self'",
+    "base-uri 'self'",
+    "form-action 'self'",
+].join('; ');
+export const cspMiddleware = createMiddleware(async (c, next) => {
+    await next();
+    c.res.headers.set('Content-Security-Policy', CSP_VALUE);
+});
+//# sourceMappingURL=csp.js.map

package/dist/api/middleware/csp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.js","sourceRoot":"","sources":["../../../src/api/middleware/csp.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,SAAS,GAAG;IAChB,oBAAoB;IACpB,mBAAmB;IACnB,kCAAkC;IAClC,oBAAoB;IACpB,sBAAsB;IACtB,iBAAiB;IACjB,iBAAiB;IACjB,oBAAoB;CACrB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb,MAAM,CAAC,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IAC9D,MAAM,IAAI,EAAE,CAAC;IACb,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,SAAS,CAAC,CAAC;AAC1D,CAAC,CAAC,CAAC"}

package/dist/api/middleware/error-handler.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Error handler: Hono onError handler converting errors to WAIaaSError-shaped JSON.
+ *
+ * - WAIaaSError: responds with error.httpStatus and error.toJSON()
+ *   - Enriches response with hint field from error-hints.ts for AI agent self-recovery
+ * - ZodError: responds with 400 and formatted validation error
+ * - Generic Error: responds with 500 and SYSTEM_LOCKED error
+ *
+ * Always includes requestId from context in the error response.
+ *
+ * @see docs/37-rest-api-complete-spec.md section 10.12
+ * @see docs/55-dx-improvement-spec.md section 2.2
+ */
+import type { ErrorHandler } from 'hono';
+export declare const errorHandler: ErrorHandler;
+//# sourceMappingURL=error-handler.d.ts.map

package/dist/api/middleware/error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/error-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,MAAM,CAAC;AAKzC,eAAO,MAAM,YAAY,EAAE,YAwC1B,CAAC"}

package/dist/api/middleware/error-handler.js

@@ -0,0 +1,46 @@
+/**
+ * Error handler: Hono onError handler converting errors to WAIaaSError-shaped JSON.
+ *
+ * - WAIaaSError: responds with error.httpStatus and error.toJSON()
+ *   - Enriches response with hint field from error-hints.ts for AI agent self-recovery
+ * - ZodError: responds with 400 and formatted validation error
+ * - Generic Error: responds with 500 and SYSTEM_LOCKED error
+ *
+ * Always includes requestId from context in the error response.
+ *
+ * @see docs/37-rest-api-complete-spec.md section 10.12
+ * @see docs/55-dx-improvement-spec.md section 2.2
+ */
+import { WAIaaSError } from '@waiaas/core';
+import { ZodError } from 'zod';
+import { resolveHint } from '../error-hints.js';
+export const errorHandler = (err, c) => {
+    const requestId = c.get('requestId');
+    if (err instanceof WAIaaSError) {
+        const body = err.toJSON();
+        const hint = err.hint ?? resolveHint(err.code);
+        return c.json({ ...body, requestId: requestId ?? body.requestId, ...(hint && { hint }) }, err.httpStatus);
+    }
+    if (err instanceof ZodError) {
+        return c.json({
+            code: 'ACTION_VALIDATION_FAILED',
+            message: 'Validation error',
+            details: {
+                issues: err.issues.map((issue) => ({
+                    path: issue.path.join('.'),
+                    message: issue.message,
+                })),
+            },
+            requestId,
+            retryable: false,
+        }, 400);
+    }
+    // Generic error -> 500
+    return c.json({
+        code: 'SYSTEM_LOCKED',
+        message: err instanceof Error ? err.message : 'Internal server error',
+        requestId,
+        retryable: false,
+    }, 500);
+};
+//# sourceMappingURL=error-handler.js.map

package/dist/api/middleware/error-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.js","sourceRoot":"","sources":["../../../src/api/middleware/error-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAC;AAC/B,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,MAAM,CAAC,MAAM,YAAY,GAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;IACnD,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAuB,CAAC;IAE3D,IAAI,GAAG,YAAY,WAAW,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC/C,OAAO,CAAC,CAAC,IAAI,CACX,EAAE,GAAG,IAAI,EAAE,SAAS,EAAE,SAAS,IAAI,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,EAC1E,GAAG,CAAC,UAAiB,CACtB,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,YAAY,QAAQ,EAAE,CAAC;QAC5B,OAAO,CAAC,CAAC,IAAI,CACX;YACE,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE,kBAAkB;YAC3B,OAAO,EAAE;gBACP,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACjC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;oBAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;iBACvB,CAAC,CAAC;aACJ;YACD,SAAS;YACT,SAAS,EAAE,KAAK;SACjB,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,OAAO,CAAC,CAAC,IAAI,CACX;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB;QACrE,SAAS;QACT,SAAS,EAAE,KAAK;KACjB,EACD,GAAG,CACJ,CAAC;AACJ,CAAC,CAAC"}

package/dist/api/middleware/host-guard.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Host guard middleware: restricts requests to localhost only.
+ *
+ * Checks the Host header and only allows requests where the hostname
+ * starts with 127.0.0.1, localhost, or [::1].
+ * Non-localhost requests are rejected with 403 SYSTEM_LOCKED.
+ *
+ * @see docs/29-api-framework-design.md
+ */
+export declare const hostGuard: import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=host-guard.d.ts.map

package/dist/api/middleware/host-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-guard.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/host-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAOH,eAAO,MAAM,SAAS,6DAgBpB,CAAC"}

package/dist/api/middleware/host-guard.js

@@ -0,0 +1,25 @@
+/**
+ * Host guard middleware: restricts requests to localhost only.
+ *
+ * Checks the Host header and only allows requests where the hostname
+ * starts with 127.0.0.1, localhost, or [::1].
+ * Non-localhost requests are rejected with 403 SYSTEM_LOCKED.
+ *
+ * @see docs/29-api-framework-design.md
+ */
+import { createMiddleware } from 'hono/factory';
+import { WAIaaSError } from '@waiaas/core';
+const LOCALHOST_PATTERNS = ['127.0.0.1', 'localhost', '[::1]'];
+export const hostGuard = createMiddleware(async (c, next) => {
+    const host = c.req.header('Host') ?? '';
+    // Extract hostname (strip port if present)
+    const hostname = host.replace(/:\d+$/, '');
+    const isLocalhost = LOCALHOST_PATTERNS.some((pattern) => hostname === pattern || hostname.startsWith(pattern));
+    if (!isLocalhost) {
+        throw new WAIaaSError('SYSTEM_LOCKED', {
+            message: 'Only localhost access allowed',
+        });
+    }
+    await next();
+});
+//# sourceMappingURL=host-guard.js.map

package/dist/api/middleware/host-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-guard.js","sourceRoot":"","sources":["../../../src/api/middleware/host-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,MAAM,kBAAkB,GAAG,CAAC,WAAW,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;AAE/D,MAAM,CAAC,MAAM,SAAS,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IAC1D,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IACxC,2CAA2C;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAE3C,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,CACzC,CAAC,OAAO,EAAE,EAAE,CAAC,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAClE,CAAC;IAEF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE;YACrC,OAAO,EAAE,+BAA+B;SACzC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC"}

package/dist/api/middleware/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Barrel export: all 5 middleware + error handler.
+ */
+export { requestId } from './request-id.js';
+export { hostGuard } from './host-guard.js';
+export { createKillSwitchGuard, type GetKillSwitchState } from './kill-switch-guard.js';
+export { requestLogger } from './request-logger.js';
+export { errorHandler } from './error-handler.js';
+export { createSessionAuth, type SessionAuthDeps } from './session-auth.js';
+export { createMasterAuth, type MasterAuthDeps } from './master-auth.js';
+export { createOwnerAuth, type OwnerAuthDeps } from './owner-auth.js';
+export { cspMiddleware } from './csp.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/api/middleware/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,qBAAqB,EAAE,KAAK,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,KAAK,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACzE,OAAO,EAAE,eAAe,EAAE,KAAK,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC"}

package/dist/api/middleware/index.js

@@ -0,0 +1,13 @@
+/**
+ * Barrel export: all 5 middleware + error handler.
+ */
+export { requestId } from './request-id.js';
+export { hostGuard } from './host-guard.js';
+export { createKillSwitchGuard } from './kill-switch-guard.js';
+export { requestLogger } from './request-logger.js';
+export { errorHandler } from './error-handler.js';
+export { createSessionAuth } from './session-auth.js';
+export { createMasterAuth } from './master-auth.js';
+export { createOwnerAuth } from './owner-auth.js';
+export { cspMiddleware } from './csp.js';
+//# sourceMappingURL=index.js.map

package/dist/api/middleware/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/api/middleware/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,qBAAqB,EAA2B,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAwB,MAAM,mBAAmB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAuB,MAAM,kBAAkB,CAAC;AACzE,OAAO,EAAE,eAAe,EAAsB,MAAM,iBAAiB,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC"}

package/dist/api/middleware/kill-switch-guard.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Kill switch guard middleware: blocks requests when kill switch is
+ * SUSPENDED or LOCKED (3-state model).
+ *
+ * Accepts a factory function `getKillSwitchState` that returns the current
+ * kill switch state string. If SUSPENDED or LOCKED, rejects with 503
+ * SYSTEM_LOCKED.
+ *
+ * Bypass paths:
+ *   - /health (always public)
+ *   - /v1/admin/* (admin API for management/recovery)
+ *   - /admin/* (Admin SPA for UI)
+ *   - /v1/owner/* (owner kill-switch activation + recovery)
+ *
+ * @see docs/36-killswitch-evm-freeze.md
+ */
+export type GetKillSwitchState = () => string;
+export declare function createKillSwitchGuard(getState?: GetKillSwitchState): import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=kill-switch-guard.d.ts.map

package/dist/api/middleware/kill-switch-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kill-switch-guard.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/kill-switch-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,MAAM,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC;AAI9C,wBAAgB,qBAAqB,CAAC,QAAQ,GAAE,kBAAsC,+DAiCrF"}

package/dist/api/middleware/kill-switch-guard.js

@@ -0,0 +1,49 @@
+/**
+ * Kill switch guard middleware: blocks requests when kill switch is
+ * SUSPENDED or LOCKED (3-state model).
+ *
+ * Accepts a factory function `getKillSwitchState` that returns the current
+ * kill switch state string. If SUSPENDED or LOCKED, rejects with 503
+ * SYSTEM_LOCKED.
+ *
+ * Bypass paths:
+ *   - /health (always public)
+ *   - /v1/admin/* (admin API for management/recovery)
+ *   - /admin/* (Admin SPA for UI)
+ *   - /v1/owner/* (owner kill-switch activation + recovery)
+ *
+ * @see docs/36-killswitch-evm-freeze.md
+ */
+import { createMiddleware } from 'hono/factory';
+import { WAIaaSError } from '@waiaas/core';
+const DEFAULT_GET_STATE = () => 'ACTIVE';
+export function createKillSwitchGuard(getState = DEFAULT_GET_STATE) {
+    return createMiddleware(async (c, next) => {
+        // /health always bypasses kill switch
+        if (c.req.path === '/health') {
+            await next();
+            return;
+        }
+        // Admin API paths bypass kill switch (need to manage kill switch state)
+        if (c.req.path.startsWith('/v1/admin/')) {
+            await next();
+            return;
+        }
+        // Admin SPA paths bypass kill switch (need to serve UI for recovery)
+        if (c.req.path === '/admin' || c.req.path.startsWith('/admin/')) {
+            await next();
+            return;
+        }
+        // Owner API paths bypass kill switch (owner kill-switch activation + recovery)
+        if (c.req.path.startsWith('/v1/owner/')) {
+            await next();
+            return;
+        }
+        const state = getState();
+        if (state === 'SUSPENDED' || state === 'LOCKED') {
+            throw new WAIaaSError('SYSTEM_LOCKED');
+        }
+        await next();
+    });
+}
+//# sourceMappingURL=kill-switch-guard.js.map

package/dist/api/middleware/kill-switch-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kill-switch-guard.js","sourceRoot":"","sources":["../../../src/api/middleware/kill-switch-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAI3C,MAAM,iBAAiB,GAAuB,GAAG,EAAE,CAAC,QAAQ,CAAC;AAE7D,MAAM,UAAU,qBAAqB,CAAC,WAA+B,iBAAiB;IACpF,OAAO,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxC,sCAAsC;QACtC,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,wEAAwE;QACxE,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;QACzB,IAAI,KAAK,KAAK,WAAW,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,IAAI,WAAW,CAAC,eAAe,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/api/middleware/master-auth.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Master auth middleware: verifies X-Master-Password header against Argon2id hash.
+ *
+ * Protects administrative endpoints (agent creation, policy CRUD).
+ * The password is sent as plaintext in the header (localhost-only, secured by hostGuard).
+ *
+ * Factory pattern: createMasterAuth(deps) returns middleware.
+ *
+ * @see docs/52-auth-redesign.md
+ */
+export interface MasterAuthDeps {
+    masterPasswordHash: string;
+}
+export declare function createMasterAuth(deps: MasterAuthDeps): import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=master-auth.d.ts.map

package/dist/api/middleware/master-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"master-auth.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/master-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAUH,MAAM,WAAW,cAAc;IAC7B,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAMD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,cAAc,+DAqBpD"}