@waiaas/daemon 2.0.0-rc.1

package/dist/api/middleware/master-auth.js

@@ -0,0 +1,35 @@
+/**
+ * Master auth middleware: verifies X-Master-Password header against Argon2id hash.
+ *
+ * Protects administrative endpoints (agent creation, policy CRUD).
+ * The password is sent as plaintext in the header (localhost-only, secured by hostGuard).
+ *
+ * Factory pattern: createMasterAuth(deps) returns middleware.
+ *
+ * @see docs/52-auth-redesign.md
+ */
+import { createMiddleware } from 'hono/factory';
+import argon2 from 'argon2';
+import { WAIaaSError } from '@waiaas/core';
+// ---------------------------------------------------------------------------
+// Middleware factory
+// ---------------------------------------------------------------------------
+export function createMasterAuth(deps) {
+    return createMiddleware(async (c, next) => {
+        const password = c.req.header('X-Master-Password');
+        if (!password) {
+            throw new WAIaaSError('INVALID_MASTER_PASSWORD', {
+                message: 'X-Master-Password header is required',
+            });
+        }
+        // Verify password against stored Argon2id hash
+        const isValid = await argon2.verify(deps.masterPasswordHash, password);
+        if (!isValid) {
+            throw new WAIaaSError('INVALID_MASTER_PASSWORD', {
+                message: 'Invalid master password',
+            });
+        }
+        await next();
+    });
+}
+//# sourceMappingURL=master-auth.js.map

package/dist/api/middleware/master-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"master-auth.js","sourceRoot":"","sources":["../../../src/api/middleware/master-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAU3C,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,UAAU,gBAAgB,CAAC,IAAoB;IACnD,OAAO,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxC,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;QAEnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,sCAAsC;aAChD,CAAC,CAAC;QACL,CAAC;QAED,+CAA+C;QAC/C,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CAAC;QAEvE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/api/middleware/owner-auth.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Owner auth middleware: verifies signature from owner wallet.
+ *
+ * Protects owner-only actions (transaction approval, KS recovery).
+ * The owner signs a message with their wallet, and this middleware verifies
+ * the signature against the registered owner_address on the agent.
+ *
+ * Headers required:
+ *   - X-Owner-Signature: signature (base64 Ed25519 for Solana, 0x hex for EVM)
+ *   - X-Owner-Message: the signed message (UTF-8 for Solana, EIP-4361 for EVM)
+ *   - X-Owner-Address: the owner's wallet address (base58 for Solana, 0x for EVM)
+ *
+ * v1.2: Solana Ed25519.
+ * v1.4.1: EVM SIWE (EIP-4361 + EIP-191) via verifySIWE.
+ *
+ * Chain branching: agent.chain determines verification path:
+ *   - solana  -> Ed25519 detached signature verification (sodium-native)
+ *   - ethereum -> SIWE (EIP-4361 + EIP-191) verification (viem)
+ *
+ * Factory pattern: createOwnerAuth(deps) returns middleware.
+ *
+ * @see docs/52-auth-redesign.md
+ */
+import type { BetterSQLite3Database } from 'drizzle-orm/better-sqlite3';
+import type * as schema from '../../infrastructure/database/schema.js';
+export interface OwnerAuthDeps {
+    db: BetterSQLite3Database<typeof schema>;
+}
+export declare function createOwnerAuth(deps: OwnerAuthDeps): import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=owner-auth.d.ts.map

package/dist/api/middleware/owner-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"owner-auth.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/owner-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAKH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAExE,OAAO,KAAK,KAAK,MAAM,MAAM,yCAAyC,CAAC;AAiBvE,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,qBAAqB,CAAC,OAAO,MAAM,CAAC,CAAC;CAC1C;AAMD,wBAAgB,eAAe,CAAC,IAAI,EAAE,aAAa,+DAsGlD"}

package/dist/api/middleware/owner-auth.js

@@ -0,0 +1,133 @@
+/**
+ * Owner auth middleware: verifies signature from owner wallet.
+ *
+ * Protects owner-only actions (transaction approval, KS recovery).
+ * The owner signs a message with their wallet, and this middleware verifies
+ * the signature against the registered owner_address on the agent.
+ *
+ * Headers required:
+ *   - X-Owner-Signature: signature (base64 Ed25519 for Solana, 0x hex for EVM)
+ *   - X-Owner-Message: the signed message (UTF-8 for Solana, EIP-4361 for EVM)
+ *   - X-Owner-Address: the owner's wallet address (base58 for Solana, 0x for EVM)
+ *
+ * v1.2: Solana Ed25519.
+ * v1.4.1: EVM SIWE (EIP-4361 + EIP-191) via verifySIWE.
+ *
+ * Chain branching: agent.chain determines verification path:
+ *   - solana  -> Ed25519 detached signature verification (sodium-native)
+ *   - ethereum -> SIWE (EIP-4361 + EIP-191) verification (viem)
+ *
+ * Factory pattern: createOwnerAuth(deps) returns middleware.
+ *
+ * @see docs/52-auth-redesign.md
+ */
+import { createMiddleware } from 'hono/factory';
+import { createRequire } from 'node:module';
+import { eq } from 'drizzle-orm';
+import { WAIaaSError } from '@waiaas/core';
+import { wallets } from '../../infrastructure/database/schema.js';
+import { verifySIWE } from './siwe-verify.js';
+import { decodeBase58 } from './address-validation.js';
+const require = createRequire(import.meta.url);
+function loadSodium() {
+    return require('sodium-native');
+}
+// ---------------------------------------------------------------------------
+// Middleware factory
+// ---------------------------------------------------------------------------
+export function createOwnerAuth(deps) {
+    return createMiddleware(async (c, next) => {
+        const signature = c.req.header('X-Owner-Signature');
+        const message = c.req.header('X-Owner-Message');
+        const ownerAddress = c.req.header('X-Owner-Address');
+        if (!signature || !message || !ownerAddress) {
+            throw new WAIaaSError('INVALID_SIGNATURE', {
+                message: 'X-Owner-Signature, X-Owner-Message, and X-Owner-Address headers are required',
+            });
+        }
+        // Look up wallet to verify owner_address match.
+        // Prefer walletId from sessionAuth context (set on /v1/transactions/* routes)
+        // over c.req.param('id') which is the TRANSACTION ID on /v1/transactions/:id/*.
+        // For direct wallet routes like /v1/wallets/:id/*, c.req.param('id') IS the wallet ID.
+        const walletId = c.get('walletId') || c.req.param('id');
+        if (!walletId) {
+            throw new WAIaaSError('WALLET_NOT_FOUND', {
+                message: 'Wallet ID required for owner authentication',
+            });
+        }
+        const wallet = deps.db
+            .select()
+            .from(wallets)
+            .where(eq(wallets.id, walletId))
+            .get();
+        if (!wallet) {
+            throw new WAIaaSError('WALLET_NOT_FOUND');
+        }
+        if (!wallet.ownerAddress) {
+            throw new WAIaaSError('OWNER_NOT_CONNECTED', {
+                message: 'No owner address registered for this wallet',
+            });
+        }
+        if (wallet.ownerAddress !== ownerAddress) {
+            throw new WAIaaSError('INVALID_SIGNATURE', {
+                message: 'Owner address does not match wallet owner',
+            });
+        }
+        // Branch verification by chain type
+        if (wallet.chain === 'ethereum') {
+            // EVM SIWE verification (EIP-4361 + EIP-191)
+            // For SIWE: X-Owner-Message is base64-encoded EIP-4361 message (multi-line messages
+            // cannot be sent as raw HTTP header values), X-Owner-Signature is 0x-prefixed hex
+            const decodedMessage = Buffer.from(message, 'base64').toString('utf8');
+            const result = await verifySIWE({
+                message: decodedMessage,
+                signature, // already hex 0x-prefixed from header
+                expectedAddress: ownerAddress,
+            });
+            if (!result.valid) {
+                throw new WAIaaSError('INVALID_SIGNATURE', {
+                    message: result.error ?? 'SIWE signature verification failed',
+                });
+            }
+        }
+        else {
+            // Solana Ed25519 verification (existing logic)
+            // X-Owner-Signature is base64-encoded Ed25519 detached signature
+            try {
+                const sodium = loadSodium();
+                const signatureBytes = Buffer.from(signature, 'base64');
+                const messageBytes = Buffer.from(message, 'utf8');
+                const publicKeyBytes = decodeBase58(ownerAddress);
+                // Validate key length
+                if (publicKeyBytes.length !== sodium.crypto_sign_PUBLICKEYBYTES) {
+                    throw new WAIaaSError('INVALID_SIGNATURE', {
+                        message: `Invalid public key length: expected ${String(sodium.crypto_sign_PUBLICKEYBYTES)}, got ${String(publicKeyBytes.length)}`,
+                    });
+                }
+                // Validate signature length
+                if (signatureBytes.length !== sodium.crypto_sign_BYTES) {
+                    throw new WAIaaSError('INVALID_SIGNATURE', {
+                        message: `Invalid signature length: expected ${String(sodium.crypto_sign_BYTES)}, got ${String(signatureBytes.length)}`,
+                    });
+                }
+                const valid = sodium.crypto_sign_verify_detached(signatureBytes, messageBytes, publicKeyBytes);
+                if (!valid) {
+                    throw new WAIaaSError('INVALID_SIGNATURE', {
+                        message: 'Ed25519 signature verification failed',
+                    });
+                }
+            }
+            catch (err) {
+                if (err instanceof WAIaaSError)
+                    throw err;
+                throw new WAIaaSError('INVALID_SIGNATURE', {
+                    message: 'Signature verification failed',
+                    cause: err instanceof Error ? err : undefined,
+                });
+            }
+        }
+        c.set('ownerAddress', ownerAddress);
+        await next();
+    });
+}
+//# sourceMappingURL=owner-auth.js.map

package/dist/api/middleware/owner-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"owner-auth.js","sourceRoot":"","sources":["../../../src/api/middleware/owner-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,OAAO,EAAE,OAAO,EAAE,MAAM,yCAAyC,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAIvD,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAE/C,SAAS,UAAU;IACjB,OAAO,OAAO,CAAC,eAAe,CAAiB,CAAC;AAClD,CAAC;AAUD,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,UAAU,eAAe,CAAC,IAAmB;IACjD,OAAO,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxC,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACpD,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAChD,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAErD,IAAI,CAAC,SAAS,IAAI,CAAC,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;YAC5C,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;gBACzC,OAAO,EAAE,8EAA8E;aACxF,CAAC,CAAC;QACL,CAAC;QAED,gDAAgD;QAChD,8EAA8E;QAC9E,gFAAgF;QAChF,uFAAuF;QACvF,MAAM,QAAQ,GAAI,CAAC,CAAC,GAAG,CAAC,UAAmB,CAAwB,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACzF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,WAAW,CAAC,kBAAkB,EAAE;gBACxC,OAAO,EAAE,6CAA6C;aACvD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE;aACnB,MAAM,EAAE;aACR,IAAI,CAAC,OAAO,CAAC;aACb,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;aAC/B,GAAG,EAAE,CAAC;QAET,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,WAAW,CAAC,kBAAkB,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,WAAW,CAAC,qBAAqB,EAAE;gBAC3C,OAAO,EAAE,6CAA6C;aACvD,CAAC,CAAC;QACL,CAAC;QACD,IAAI,MAAM,CAAC,YAAY,KAAK,YAAY,EAAE,CAAC;YACzC,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;gBACzC,OAAO,EAAE,2CAA2C;aACrD,CAAC,CAAC;QACL,CAAC;QAED,oCAAoC;QACpC,IAAI,MAAM,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAChC,6CAA6C;YAC7C,oFAAoF;YACpF,kFAAkF;YAClF,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACvE,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC;gBAC9B,OAAO,EAAE,cAAc;gBACvB,SAAS,EAAE,sCAAsC;gBACjD,eAAe,EAAE,YAAY;aAC9B,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;oBACzC,OAAO,EAAE,MAAM,CAAC,KAAK,IAAI,oCAAoC;iBAC9D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,CAAC;YACN,+CAA+C;YAC/C,iEAAiE;YACjE,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;gBAE5B,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;gBACxD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBAClD,MAAM,cAAc,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;gBAElD,sBAAsB;gBACtB,IAAI,cAAc,CAAC,MAAM,KAAK,MAAM,CAAC,0BAA0B,EAAE,CAAC;oBAChE,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;wBACzC,OAAO,EAAE,uCAAuC,MAAM,CAAC,MAAM,CAAC,0BAA0B,CAAC,SAAS,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,EAAE;qBAClI,CAAC,CAAC;gBACL,CAAC;gBAED,4BAA4B;gBAC5B,IAAI,cAAc,CAAC,MAAM,KAAK,MAAM,CAAC,iBAAiB,EAAE,CAAC;oBACvD,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;wBACzC,OAAO,EAAE,sCAAsC,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,EAAE;qBACxH,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,KAAK,GAAG,MAAM,CAAC,2BAA2B,CAAC,cAAc,EAAE,YAAY,EAAE,cAAc,CAAC,CAAC;gBAC/F,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;wBACzC,OAAO,EAAE,uCAAuC;qBACjD,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,WAAW;oBAAE,MAAM,GAAG,CAAC;gBAC1C,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;oBACzC,OAAO,EAAE,+BAA+B;oBACxC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;iBAC9C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QACpC,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/api/middleware/request-id.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Request ID middleware: attaches a UUID v7 to every request.
+ *
+ * - Generates a new UUID v7 via generateId() for each request
+ * - If client sends X-Request-Id header, uses that instead
+ * - Sets X-Request-Id response header
+ * - Stores requestId in c.set('requestId', id) for downstream use
+ */
+export declare const requestId: import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=request-id.d.ts.map

package/dist/api/middleware/request-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-id.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/request-id.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,eAAO,MAAM,SAAS,6DAQpB,CAAC"}

package/dist/api/middleware/request-id.js

@@ -0,0 +1,18 @@
+/**
+ * Request ID middleware: attaches a UUID v7 to every request.
+ *
+ * - Generates a new UUID v7 via generateId() for each request
+ * - If client sends X-Request-Id header, uses that instead
+ * - Sets X-Request-Id response header
+ * - Stores requestId in c.set('requestId', id) for downstream use
+ */
+import { createMiddleware } from 'hono/factory';
+import { generateId } from '../../infrastructure/database/id.js';
+export const requestId = createMiddleware(async (c, next) => {
+    const clientId = c.req.header('X-Request-Id');
+    const id = clientId || generateId();
+    c.set('requestId', id);
+    c.header('X-Request-Id', id);
+    await next();
+});
+//# sourceMappingURL=request-id.js.map

package/dist/api/middleware/request-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-id.js","sourceRoot":"","sources":["../../../src/api/middleware/request-id.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAC;AAEjE,MAAM,CAAC,MAAM,SAAS,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IAC1D,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC9C,MAAM,EAAE,GAAG,QAAQ,IAAI,UAAU,EAAE,CAAC;IAEpC,CAAC,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACvB,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IAE7B,MAAM,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC"}

package/dist/api/middleware/request-logger.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Request logger middleware: logs method, path, status, and duration.
+ *
+ * Format: [REQ] GET /health 200 12ms
+ *
+ * Uses console.log for now; structured logger deferred to later milestone.
+ */
+export declare const requestLogger: import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=request-logger.d.ts.map

package/dist/api/middleware/request-logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-logger.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/request-logger.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,eAAO,MAAM,aAAa,6DAWxB,CAAC"}

package/dist/api/middleware/request-logger.js

@@ -0,0 +1,18 @@
+/**
+ * Request logger middleware: logs method, path, status, and duration.
+ *
+ * Format: [REQ] GET /health 200 12ms
+ *
+ * Uses console.log for now; structured logger deferred to later milestone.
+ */
+import { createMiddleware } from 'hono/factory';
+export const requestLogger = createMiddleware(async (c, next) => {
+    const start = Date.now();
+    await next();
+    const duration = Date.now() - start;
+    const method = c.req.method;
+    const path = c.req.path;
+    const status = c.res.status;
+    console.log(`[REQ] ${method} ${path} ${status} ${duration}ms`);
+});
+//# sourceMappingURL=request-logger.js.map

package/dist/api/middleware/request-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-logger.js","sourceRoot":"","sources":["../../../src/api/middleware/request-logger.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,CAAC,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;IAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,MAAM,IAAI,EAAE,CAAC;IAEb,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;IACpC,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;IAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IACxB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;IAE5B,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,IAAI,IAAI,IAAI,MAAM,IAAI,QAAQ,IAAI,CAAC,CAAC;AACjE,CAAC,CAAC,CAAC"}

package/dist/api/middleware/session-auth.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Session auth middleware: validates wai_sess_ Bearer tokens, checks DB session, sets context.
+ *
+ * Validates Authorization header format (Bearer wai_sess_...),
+ * verifies JWT via JwtSecretManager (supports dual-key rotation),
+ * checks session existence and revocation in SQLite,
+ * and sets sessionId/walletId on Hono context.
+ *
+ * Factory pattern: createSessionAuth(deps) returns middleware.
+ *
+ * @see docs/52-auth-redesign.md
+ */
+import type { BetterSQLite3Database } from 'drizzle-orm/better-sqlite3';
+import type { JwtSecretManager } from '../../infrastructure/jwt/index.js';
+import type * as schema from '../../infrastructure/database/schema.js';
+export interface SessionAuthDeps {
+    jwtSecretManager: JwtSecretManager;
+    db: BetterSQLite3Database<typeof schema>;
+}
+export declare function createSessionAuth(deps: SessionAuthDeps): import("hono").MiddlewareHandler<any, string, {}, Response>;
+//# sourceMappingURL=session-auth.d.ts.map

package/dist/api/middleware/session-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-auth.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/session-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAGxE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,KAAK,KAAK,MAAM,MAAM,yCAAyC,CAAC;AAOvE,MAAM,WAAW,eAAe;IAC9B,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,EAAE,EAAE,qBAAqB,CAAC,OAAO,MAAM,CAAC,CAAC;CAC1C;AAMD,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,eAAe,+DAoCtD"}

package/dist/api/middleware/session-auth.js

@@ -0,0 +1,51 @@
+/**
+ * Session auth middleware: validates wai_sess_ Bearer tokens, checks DB session, sets context.
+ *
+ * Validates Authorization header format (Bearer wai_sess_...),
+ * verifies JWT via JwtSecretManager (supports dual-key rotation),
+ * checks session existence and revocation in SQLite,
+ * and sets sessionId/walletId on Hono context.
+ *
+ * Factory pattern: createSessionAuth(deps) returns middleware.
+ *
+ * @see docs/52-auth-redesign.md
+ */
+import { createMiddleware } from 'hono/factory';
+import { eq } from 'drizzle-orm';
+import { WAIaaSError } from '@waiaas/core';
+import { sessions } from '../../infrastructure/database/schema.js';
+// ---------------------------------------------------------------------------
+// Middleware factory
+// ---------------------------------------------------------------------------
+export function createSessionAuth(deps) {
+    return createMiddleware(async (c, next) => {
+        // 1. Extract Authorization header
+        const authHeader = c.req.header('Authorization');
+        if (!authHeader || !authHeader.startsWith('Bearer wai_sess_')) {
+            throw new WAIaaSError('INVALID_TOKEN', {
+                message: 'Missing or invalid Authorization header. Expected: Bearer wai_sess_<token>',
+            });
+        }
+        // 2. Extract the full token (including wai_sess_ prefix)
+        const token = authHeader.slice('Bearer '.length);
+        // 3. Verify JWT via JwtSecretManager (handles dual-key rotation)
+        const payload = await deps.jwtSecretManager.verifyToken(token);
+        // 4. Check session in DB (exists, not revoked)
+        const session = deps.db
+            .select()
+            .from(sessions)
+            .where(eq(sessions.id, payload.sub))
+            .get();
+        if (!session) {
+            throw new WAIaaSError('SESSION_NOT_FOUND');
+        }
+        if (session.revokedAt !== null) {
+            throw new WAIaaSError('SESSION_REVOKED');
+        }
+        // 5. Set context variables
+        c.set('sessionId', payload.sub);
+        c.set('walletId', payload.wlt);
+        await next();
+    });
+}
+//# sourceMappingURL=session-auth.js.map

package/dist/api/middleware/session-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-auth.js","sourceRoot":"","sources":["../../../src/api/middleware/session-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAG3C,OAAO,EAAE,QAAQ,EAAE,MAAM,yCAAyC,CAAC;AAWnE,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,UAAU,iBAAiB,CAAC,IAAqB;IACrD,OAAO,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxC,kCAAkC;QAClC,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,WAAW,CAAC,eAAe,EAAE;gBACrC,OAAO,EAAE,4EAA4E;aACtF,CAAC,CAAC;QACL,CAAC;QAED,yDAAyD;QACzD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEjD,iEAAiE;QACjE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QAE/D,+CAA+C;QAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE;aACpB,MAAM,EAAE;aACR,IAAI,CAAC,QAAQ,CAAC;aACd,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;aACnC,GAAG,EAAE,CAAC;QAET,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,mBAAmB,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YAC/B,MAAM,IAAI,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAC3C,CAAC;QAED,2BAA2B;QAC3B,CAAC,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QAE/B,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/api/middleware/siwe-verify.d.ts

@@ -0,0 +1,31 @@
+/**
+ * verifySIWE: Pure function for SIWE (EIP-4361) message verification.
+ *
+ * Verifies that:
+ * 1. The message is a valid EIP-4361 SIWE message (parseable, not expired, not before notBefore)
+ * 2. The EIP-191 personal_sign signature matches the expectedAddress
+ *
+ * Per design decision [v1.4.1]: nonce is NOT validated server-side
+ * (consistency with Solana owner-auth which has no server-side nonce check;
+ * security relies on expirationTime).
+ *
+ * @see docs/52-auth-redesign.md
+ * @see docs/28-daemon.md (owner-auth SIWE)
+ */
+export interface VerifySIWEParams {
+    /** EIP-4361 formatted message string */
+    message: string;
+    /** Hex-encoded 0x-prefixed EIP-191 signature */
+    signature: string;
+    /** 0x EIP-55 checksum address to match */
+    expectedAddress: string;
+}
+export interface VerifySIWEResult {
+    valid: boolean;
+    /** Recovered address on success */
+    address?: string;
+    /** Reason on failure */
+    error?: string;
+}
+export declare function verifySIWE(params: VerifySIWEParams): Promise<VerifySIWEResult>;
+//# sourceMappingURL=siwe-verify.d.ts.map

package/dist/api/middleware/siwe-verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"siwe-verify.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/siwe-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AASH,MAAM,WAAW,gBAAgB;IAC/B,wCAAwC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,0CAA0C;IAC1C,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,mCAAmC;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAMD,wBAAsB,UAAU,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAuCpF"}

package/dist/api/middleware/siwe-verify.js

@@ -0,0 +1,55 @@
+/**
+ * verifySIWE: Pure function for SIWE (EIP-4361) message verification.
+ *
+ * Verifies that:
+ * 1. The message is a valid EIP-4361 SIWE message (parseable, not expired, not before notBefore)
+ * 2. The EIP-191 personal_sign signature matches the expectedAddress
+ *
+ * Per design decision [v1.4.1]: nonce is NOT validated server-side
+ * (consistency with Solana owner-auth which has no server-side nonce check;
+ * security relies on expirationTime).
+ *
+ * @see docs/52-auth-redesign.md
+ * @see docs/28-daemon.md (owner-auth SIWE)
+ */
+import { parseSiweMessage, validateSiweMessage } from 'viem/siwe';
+import { verifyMessage } from 'viem';
+// ---------------------------------------------------------------------------
+// Implementation
+// ---------------------------------------------------------------------------
+export async function verifySIWE(params) {
+    try {
+        // Step 1: Parse the EIP-4361 message
+        const parsed = parseSiweMessage(params.message);
+        // Step 2: Validate structural fields (expirationTime, notBefore, etc.)
+        // Per [v1.4.1] decision: skip nonce validation (no server-side nonce check)
+        const validation = await validateSiweMessage({ message: parsed });
+        if (!validation) {
+            // Check for specific expiration case
+            if (parsed.expirationTime && new Date(parsed.expirationTime) < new Date()) {
+                return { valid: false, error: 'SIWE message expired' };
+            }
+            return { valid: false, error: 'SIWE message validation failed' };
+        }
+        // Step 3: Verify EIP-191 personal_sign signature
+        const isValid = await verifyMessage({
+            address: params.expectedAddress,
+            message: params.message,
+            signature: params.signature,
+        });
+        if (!isValid) {
+            return { valid: false, error: 'EIP-191 signature verification failed' };
+        }
+        return { valid: true, address: params.expectedAddress };
+    }
+    catch (err) {
+        // Parse errors, invalid message format, corrupted signatures, etc.
+        const errorMessage = err instanceof Error ? err.message : String(err);
+        // Surface expiration-related errors clearly
+        if (errorMessage.toLowerCase().includes('expir')) {
+            return { valid: false, error: `SIWE message expired: ${errorMessage}` };
+        }
+        return { valid: false, error: `SIWE verification failed: ${errorMessage}` };
+    }
+}
+//# sourceMappingURL=siwe-verify.js.map

package/dist/api/middleware/siwe-verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"siwe-verify.js","sourceRoot":"","sources":["../../../src/api/middleware/siwe-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,MAAM,CAAC;AAuBrC,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAwB;IACvD,IAAI,CAAC;QACH,qCAAqC;QACrC,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEhD,uEAAuE;QACvE,4EAA4E;QAC5E,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAClE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,qCAAqC;YACrC,IAAI,MAAM,CAAC,cAAc,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAC1E,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;YACzD,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC;QACnE,CAAC;QAED,iDAAiD;QACjD,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC;YAClC,OAAO,EAAE,MAAM,CAAC,eAAgC;YAChD,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAA0B;SAC7C,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,eAAe,EAAE,CAAC;IAC1D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,mEAAmE;QACnE,MAAM,YAAY,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEtE,4CAA4C;QAC5C,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACjD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,YAAY,EAAE,EAAE,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,YAAY,EAAE,EAAE,CAAC;IAC9E,CAAC;AACH,CAAC"}

package/dist/api/routes/actions.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Action routes: POST /v1/actions/:provider/:action, GET /v1/actions/providers.
+ *
+ * POST /v1/actions/:provider/:action:
+ *   - Requires sessionAuth (applied at server level in createApp())
+ *   - Resolves action parameters via ActionProviderRegistry.executeResolve()
+ *   - Injects the resulting ContractCallRequest into the existing 6-stage pipeline
+ *   - Returns 201 with txId (same pattern as POST /v1/transactions/send)
+ *
+ * GET /v1/actions/providers:
+ *   - Requires sessionAuth
+ *   - Lists registered action providers with their actions and API key status
+ *
+ * @see docs/62-action-provider-architecture.md
+ */
+import { OpenAPIHono } from '@hono/zod-openapi';
+import type { IPolicyEngine } from '@waiaas/core';
+import type { BetterSQLite3Database } from 'drizzle-orm/better-sqlite3';
+import type { Database as SQLiteDatabase } from 'better-sqlite3';
+import type { ActionProviderRegistry } from '../../infrastructure/action/action-provider-registry.js';
+import type { ApiKeyStore } from '../../infrastructure/action/api-key-store.js';
+import type { AdapterPool } from '../../infrastructure/adapter-pool.js';
+import type { DaemonConfig } from '../../infrastructure/config/loader.js';
+import type { LocalKeyStore } from '../../infrastructure/keystore/keystore.js';
+import type * as schema from '../../infrastructure/database/schema.js';
+import type { ApprovalWorkflow } from '../../workflow/approval-workflow.js';
+import type { DelayQueue } from '../../workflow/delay-queue.js';
+import type { OwnerLifecycleService } from '../../workflow/owner-state.js';
+import type { NotificationService } from '../../notifications/notification-service.js';
+import type { IPriceOracle } from '@waiaas/core';
+import type { SettingsService } from '../../infrastructure/settings/settings-service.js';
+export interface ActionRouteDeps {
+    registry: ActionProviderRegistry;
+    apiKeyStore: ApiKeyStore;
+    db: BetterSQLite3Database<typeof schema>;
+    adapterPool: AdapterPool;
+    config: DaemonConfig;
+    keyStore: LocalKeyStore;
+    policyEngine: IPolicyEngine;
+    masterPassword: string;
+    approvalWorkflow?: ApprovalWorkflow;
+    delayQueue?: DelayQueue;
+    ownerLifecycle?: OwnerLifecycleService;
+    sqlite?: SQLiteDatabase;
+    notificationService?: NotificationService;
+    priceOracle?: IPriceOracle;
+    settingsService?: SettingsService;
+}
+/**
+ * Create action route sub-router.
+ *
+ * GET  /actions/providers -> list registered providers + actions
+ * POST /actions/:provider/:action -> resolve + pipeline execution
+ */
+export declare function actionRoutes(deps: ActionRouteDeps): OpenAPIHono;
+//# sourceMappingURL=actions.d.ts.map

package/dist/api/routes/actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../../src/api/routes/actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,mBAAmB,CAAC;AAGhE,OAAO,KAAK,EAA2C,aAAa,EAAE,MAAM,cAAc,CAAC;AAC3F,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,KAAK,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACjE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,yDAAyD,CAAC;AACtG,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8CAA8C,CAAC;AAChF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sCAAsC,CAAC;AAExE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uCAAuC,CAAC;AAC1E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,2CAA2C,CAAC;AAC/E,OAAO,KAAK,KAAK,MAAM,MAAM,yCAAyC,CAAC;AAYvE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6CAA6C,CAAC;AACvF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mDAAmD,CAAC;AAWzF,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,sBAAsB,CAAC;IACjC,WAAW,EAAE,WAAW,CAAC;IACzB,EAAE,EAAE,qBAAqB,CAAC,OAAO,MAAM,CAAC,CAAC;IACzC,WAAW,EAAE,WAAW,CAAC;IACzB,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,EAAE,aAAa,CAAC;IACxB,YAAY,EAAE,aAAa,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,cAAc,CAAC,EAAE,qBAAqB,CAAC;IACvC,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,mBAAmB,CAAC,EAAE,mBAAmB,CAAC;IAC1C,WAAW,CAAC,EAAE,YAAY,CAAC;IAC3B,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC;AA6FD;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,eAAe,GAAG,WAAW,CAwN/D"}