@waiaas/daemon 2.0.0-rc.1

package/dist/services/x402/payment-signer.js

@@ -0,0 +1,311 @@
+/**
+ * Payment Signer -- x402 chain-specific payment signature generation.
+ *
+ * Provides signPayment() which delegates to:
+ * - signEip3009() for EVM chains (EIP-3009 transferWithAuthorization via EIP-712 signTypedData)
+ * - signSolanaTransferChecked() for Solana chains (SPL TransferChecked partial signing)
+ *
+ * Key management follows the decrypt -> sign -> finally release pattern
+ * from sign-only.ts Step 9 and stages.ts Stage 5c.
+ *
+ * Does NOT go through IChainAdapter -- EIP-3009 is typed data signing (not tx),
+ * and Solana partial signing uses a different feePayer (facilitator, not wallet).
+ *
+ * @see packages/daemon/src/pipeline/sign-only.ts (Step 9)
+ * @see docs/32-pipeline-design.md
+ */
+import { randomBytes } from 'node:crypto';
+import { privateKeyToAccount } from 'viem/accounts';
+import { address, createNoopSigner, createTransactionMessage, setTransactionMessageFeePayer, appendTransactionMessageInstruction, setTransactionMessageLifetimeUsingBlockhash, compileTransaction, getTransactionEncoder, signBytes, createKeyPairFromBytes, createKeyPairFromPrivateKeyBytes, getAddressFromPublicKey, pipe, } from '@solana/kit';
+import { findAssociatedTokenPda, getTransferCheckedInstruction, TOKEN_PROGRAM_ADDRESS, } from '@solana-program/token';
+import { parseCaip2, WAIaaSError } from '@waiaas/core';
+// ---------------------------------------------------------------------------
+// USDC Domain Table (EIP-3009 EIP-712 domain separators)
+// ---------------------------------------------------------------------------
+/**
+ * USDC v2 contract domain separators by CAIP-2 network identifier.
+ *
+ * Each EVM chain has a unique USDC contract with its own EIP-712 domain separator.
+ * These are the Circle native USDC v2 contracts that support EIP-3009.
+ *
+ * Source: USDC v2 contracts + EIP-3009 standard + x402 reference implementation.
+ */
+export const USDC_DOMAINS = {
+    // Base Mainnet
+    'eip155:8453': {
+        name: 'USD Coin',
+        version: '2',
+        chainId: 8453,
+        verifyingContract: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913',
+    },
+    // Base Sepolia (testnet) — on-chain eip712Domain() returns 'USDC' (not 'USD Coin')
+    'eip155:84532': {
+        name: 'USDC',
+        version: '2',
+        chainId: 84532,
+        verifyingContract: '0x036CbD53842c5426634e7929541eC2318f3dCF7e',
+    },
+    // Ethereum Mainnet
+    'eip155:1': {
+        name: 'USD Coin',
+        version: '2',
+        chainId: 1,
+        verifyingContract: '0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48',
+    },
+    // Ethereum Sepolia
+    'eip155:11155111': {
+        name: 'USD Coin',
+        version: '2',
+        chainId: 11155111,
+        verifyingContract: '0x1c7D4B196Cb0C7B01d743Fbc6116a902379C7238',
+    },
+    // Polygon Mainnet
+    'eip155:137': {
+        name: 'USD Coin',
+        version: '2',
+        chainId: 137,
+        verifyingContract: '0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359',
+    },
+    // Arbitrum One
+    'eip155:42161': {
+        name: 'USD Coin',
+        version: '2',
+        chainId: 42161,
+        verifyingContract: '0xaf88d065e77c8cC2239327C5EDb3A432268e5831',
+    },
+    // Optimism
+    'eip155:10': {
+        name: 'USD Coin',
+        version: '2',
+        chainId: 10,
+        verifyingContract: '0x0b2C639c533813f4Aa9D7837CAf62653d097Ff85',
+    },
+};
+// ---------------------------------------------------------------------------
+// EIP-712 TransferWithAuthorization types (EIP-3009)
+// ---------------------------------------------------------------------------
+const TRANSFER_WITH_AUTHORIZATION_TYPES = {
+    TransferWithAuthorization: [
+        { name: 'from', type: 'address' },
+        { name: 'to', type: 'address' },
+        { name: 'value', type: 'uint256' },
+        { name: 'validAfter', type: 'uint256' },
+        { name: 'validBefore', type: 'uint256' },
+        { name: 'nonce', type: 'bytes32' },
+    ],
+};
+// ---------------------------------------------------------------------------
+// Solana transaction encoder (stateless, safe to share)
+// ---------------------------------------------------------------------------
+const txEncoder = getTransactionEncoder();
+// ---------------------------------------------------------------------------
+// signPayment -- entry point with key management
+// ---------------------------------------------------------------------------
+/**
+ * Sign a payment based on chain-specific strategy.
+ *
+ * Key management pattern (identical to sign-only.ts Step 9):
+ * 1. Decrypt private key from keystore
+ * 2. Sign using chain-specific strategy
+ * 3. Finally block: release key (sodium_memzero)
+ *
+ * @param requirements - x402 PaymentRequirements from 402 response
+ * @param keyStore - Keystore for key decrypt/release
+ * @param walletId - Wallet ID for key lookup
+ * @param walletAddress - Wallet public address
+ * @param masterPassword - Master password for key decryption
+ * @param rpc - Solana RPC client (required for Solana chains)
+ * @returns PaymentPayload compatible with @x402/core PaymentPayloadV2Schema
+ */
+export async function signPayment(requirements, keyStore, walletId, walletAddress, masterPassword, rpc) {
+    let privateKey = null;
+    try {
+        privateKey = await keyStore.decryptPrivateKey(walletId, masterPassword);
+        const { namespace } = parseCaip2(requirements.network);
+        if (namespace === 'eip155') {
+            return await signEip3009(requirements, privateKey, walletAddress);
+        }
+        else if (namespace === 'solana') {
+            return await signSolanaTransferChecked(requirements, privateKey, walletAddress, rpc);
+        }
+        else {
+            throw new WAIaaSError('X402_UNSUPPORTED_SCHEME', {
+                message: `Unsupported chain namespace: ${namespace}`,
+            });
+        }
+    }
+    finally {
+        if (privateKey) {
+            keyStore.releaseKey(privateKey);
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// signEip3009 -- EVM EIP-3009 transferWithAuthorization
+// ---------------------------------------------------------------------------
+/**
+ * Sign EVM EIP-3009 transferWithAuthorization via EIP-712 signTypedData.
+ *
+ * Uses viem's privateKeyToAccount + account.signTypedData for the EIP-712
+ * structured data signature. The signature authorizes a USDC transfer
+ * without requiring an on-chain transaction from the payer.
+ *
+ * @param requirements - Payment requirements (network, asset, amount, payTo)
+ * @param privateKey - Raw private key bytes (32 bytes for secp256k1)
+ * @param walletAddress - EVM wallet address (0x-prefixed EIP-55)
+ * @returns PaymentPayload with signature and authorization object
+ */
+export async function signEip3009(requirements, privateKey, walletAddress) {
+    const { reference: chainIdStr } = parseCaip2(requirements.network);
+    const chainId = parseInt(chainIdStr, 10);
+    // Resolve EIP-712 domain: prefer server-provided extra.name/version (x402 v2 spec),
+    // fall back to USDC_DOMAINS table for backward compatibility.
+    const extra = requirements.extra;
+    const domainName = extra?.name ?? USDC_DOMAINS[requirements.network]?.name;
+    const domainVersion = extra?.version ?? USDC_DOMAINS[requirements.network]?.version;
+    if (!domainName || !domainVersion) {
+        throw new WAIaaSError('X402_UNSUPPORTED_SCHEME', {
+            message: `No EIP-712 domain (name/version) for network: ${requirements.network}`,
+        });
+    }
+    // Generate 32-byte random nonce (EIP-3009 requirement)
+    const nonce = `0x${randomBytes(32).toString('hex')}`;
+    // validBefore = now + 5 minutes (300 seconds) -- minimizes attack window
+    // See Pitfall 3 in research: too long validBefore creates security gap
+    const validBefore = BigInt(Math.floor(Date.now() / 1000) + 300);
+    // Create viem account from private key
+    const privateKeyHex = `0x${Buffer.from(privateKey).toString('hex')}`;
+    const account = privateKeyToAccount(privateKeyHex);
+    // Sign EIP-712 TransferWithAuthorization
+    // verifyingContract = asset address (USDC contract) from requirements
+    const signature = await account.signTypedData({
+        domain: {
+            name: domainName,
+            version: domainVersion,
+            chainId: BigInt(chainId),
+            verifyingContract: requirements.asset,
+        },
+        types: TRANSFER_WITH_AUTHORIZATION_TYPES,
+        primaryType: 'TransferWithAuthorization',
+        message: {
+            from: walletAddress,
+            to: requirements.payTo,
+            value: BigInt(requirements.amount),
+            validAfter: 0n,
+            validBefore,
+            nonce,
+        },
+    });
+    // Build PaymentPayload (compatible with PaymentPayloadV2Schema)
+    return {
+        x402Version: 2,
+        resource: { url: '' }, // handler fills this in
+        accepted: requirements,
+        payload: {
+            signature,
+            authorization: {
+                from: walletAddress,
+                to: requirements.payTo,
+                value: requirements.amount,
+                validAfter: '0',
+                validBefore: validBefore.toString(),
+                nonce,
+            },
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// signSolanaTransferChecked -- Solana SPL TransferChecked partial signing
+// ---------------------------------------------------------------------------
+/**
+ * Sign Solana SPL TransferChecked as partial signature.
+ *
+ * The feePayer is the facilitator (from requirements.extra.feePayer), set as
+ * noopSigner so only a signature slot is created. The wallet signs the
+ * transaction message with its private key.
+ *
+ * The resulting base64-encoded transaction contains:
+ * - feePayer = facilitator address (noopSigner, unsigned)
+ * - authority = wallet (signed)
+ * - TransferChecked instruction for SPL token transfer
+ *
+ * @param requirements - Payment requirements with extra.feePayer and extra.decimals
+ * @param privateKey - Raw private key bytes (32 or 64 bytes)
+ * @param walletAddress - Solana wallet address (base58)
+ * @param rpc - Solana RPC client with getLatestBlockhash method
+ * @returns PaymentPayload with base64-encoded partial-signed transaction
+ */
+export async function signSolanaTransferChecked(requirements, privateKey, _walletAddress, rpc) {
+    // Extract facilitator feePayer from requirements.extra
+    const feePayerStr = requirements.extra?.feePayer;
+    if (!feePayerStr) {
+        throw new WAIaaSError('X402_UNSUPPORTED_SCHEME', {
+            message: 'Missing feePayer in PaymentRequirements.extra',
+        });
+    }
+    const feePayerAddress = address(feePayerStr);
+    // Create key pair from raw bytes (64-byte or 32-byte detection)
+    const keyPair = privateKey.length === 64
+        ? await createKeyPairFromBytes(privateKey)
+        : await createKeyPairFromPrivateKeyBytes(privateKey.slice(0, 32));
+    const walletAddr = await getAddressFromPublicKey(keyPair.publicKey);
+    // Get latest blockhash from RPC
+    const solanaRpc = rpc;
+    const { value: blockhashInfo } = await solanaRpc.getLatestBlockhash().send();
+    // Derive token accounts (ATAs)
+    const mint = address(requirements.asset);
+    const payTo = address(requirements.payTo);
+    const decimals = requirements.extra?.decimals ?? 6;
+    const [sourceAta] = await findAssociatedTokenPda({
+        owner: walletAddr,
+        tokenProgram: address(TOKEN_PROGRAM_ADDRESS),
+        mint,
+    });
+    const [destAta] = await findAssociatedTokenPda({
+        owner: payTo,
+        tokenProgram: address(TOKEN_PROGRAM_ADDRESS),
+        mint,
+    });
+    // Build TransferChecked instruction
+    // Use noopSigner for feePayer (facilitator signs later)
+    const walletSigner = createNoopSigner(walletAddr);
+    const transferIx = getTransferCheckedInstruction({
+        source: sourceAta,
+        mint,
+        destination: destAta,
+        authority: walletSigner,
+        amount: BigInt(requirements.amount),
+        decimals,
+    }, { programAddress: address(TOKEN_PROGRAM_ADDRESS) });
+    // Build transaction message using pipe pattern
+    const txMessage = pipe(createTransactionMessage({ version: 0 }), (msg) => setTransactionMessageFeePayer(feePayerAddress, msg), (msg) => setTransactionMessageLifetimeUsingBlockhash(
+    // RPC blockhash is untyped (from mock/dynamic source), cast to satisfy branded type
+    blockhashInfo, // eslint-disable-line @typescript-eslint/no-explicit-any
+    msg), 
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (msg) => appendTransactionMessageInstruction(transferIx, msg));
+    // Compile transaction and sign with wallet private key (partial signing)
+    const compiled = compileTransaction(txMessage);
+    const walletSignature = await signBytes(keyPair.privateKey, compiled.messageBytes);
+    // Place wallet signature in the correct slot
+    const partiallySignedTx = {
+        ...compiled,
+        signatures: {
+            ...compiled.signatures,
+            [walletAddr]: walletSignature,
+        },
+    };
+    // Encode to base64
+    const serialized = new Uint8Array(txEncoder.encode(partiallySignedTx));
+    const base64Tx = Buffer.from(serialized).toString('base64');
+    // Build PaymentPayload
+    return {
+        x402Version: 2,
+        resource: { url: '' }, // handler fills this in
+        accepted: requirements,
+        payload: {
+            transaction: base64Tx,
+        },
+    };
+}
+//# sourceMappingURL=payment-signer.js.map

package/dist/services/x402/payment-signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payment-signer.js","sourceRoot":"","sources":["../../../src/services/x402/payment-signer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAEpD,OAAO,EACL,OAAO,EACP,gBAAgB,EAChB,wBAAwB,EACxB,6BAA6B,EAC7B,mCAAmC,EACnC,2CAA2C,EAC3C,kBAAkB,EAClB,qBAAqB,EACrB,SAAS,EACT,sBAAsB,EACtB,gCAAgC,EAChC,uBAAuB,EACvB,IAAI,GACL,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAqBvD,8EAA8E;AAC9E,yDAAyD;AACzD,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,YAAY,GAAiC;IACxD,eAAe;IACf,aAAa,EAAE;QACb,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,IAAI;QACb,iBAAiB,EAAE,4CAA4C;KAChE;IACD,mFAAmF;IACnF,cAAc,EAAE;QACd,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,KAAK;QACd,iBAAiB,EAAE,4CAA4C;KAChE;IACD,mBAAmB;IACnB,UAAU,EAAE;QACV,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,CAAC;QACV,iBAAiB,EAAE,4CAA4C;KAChE;IACD,mBAAmB;IACnB,iBAAiB,EAAE;QACjB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,QAAQ;QACjB,iBAAiB,EAAE,4CAA4C;KAChE;IACD,kBAAkB;IAClB,YAAY,EAAE;QACZ,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,GAAG;QACZ,iBAAiB,EAAE,4CAA4C;KAChE;IACD,eAAe;IACf,cAAc,EAAE;QACd,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,KAAK;QACd,iBAAiB,EAAE,4CAA4C;KAChE;IACD,WAAW;IACX,WAAW,EAAE;QACX,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,EAAE;QACX,iBAAiB,EAAE,4CAA4C;KAChE;CACF,CAAC;AAEF,8EAA8E;AAC9E,qDAAqD;AACrD,8EAA8E;AAE9E,MAAM,iCAAiC,GAAG;IACxC,yBAAyB,EAAE;QACzB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE;QACjC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;QAC/B,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;QAClC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE;QACvC,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE;QACxC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;KACnC;CACO,CAAC;AAEX,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E,MAAM,SAAS,GAAG,qBAAqB,EAAE,CAAC;AAE1C,8EAA8E;AAC9E,iDAAiD;AACjD,8EAA8E;AAE9E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,YAAiC,EACjC,QAAyB,EACzB,QAAgB,EAChB,aAAqB,EACrB,cAAsB,EACtB,GAAa;IAEb,IAAI,UAAU,GAAsB,IAAI,CAAC;IACzC,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,QAAQ,CAAC,iBAAiB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QACxE,MAAM,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAEvD,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC3B,OAAO,MAAM,WAAW,CAAC,YAAY,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QACpE,CAAC;aAAM,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;YAClC,OAAO,MAAM,yBAAyB,CAAC,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,GAAI,CAAC,CAAC;QACxF,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;gBAC/C,OAAO,EAAE,gCAAgC,SAAS,EAAE;aACrD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;YAAS,CAAC;QACT,IAAI,UAAU,EAAE,CAAC;YACf,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,YAAiC,EACjC,UAAsB,EACtB,aAAqB;IAErB,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAEzC,oFAAoF;IACpF,8DAA8D;IAC9D,MAAM,KAAK,GAAG,YAAY,CAAC,KAA4C,CAAC;IACxE,MAAM,UAAU,GAAI,KAAK,EAAE,IAAe,IAAI,YAAY,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC;IACvF,MAAM,aAAa,GAAI,KAAK,EAAE,OAAkB,IAAI,YAAY,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAChG,IAAI,CAAC,UAAU,IAAI,CAAC,aAAa,EAAE,CAAC;QAClC,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;YAC/C,OAAO,EAAE,iDAAiD,YAAY,CAAC,OAAO,EAAE;SACjF,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,MAAM,KAAK,GAAG,KAAK,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAS,CAAC;IAE5D,yEAAyE;IACzE,uEAAuE;IACvE,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;IAEhE,uCAAuC;IACvC,MAAM,aAAa,GAAG,KAAK,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAS,CAAC;IAC5E,MAAM,OAAO,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;IAEnD,yCAAyC;IACzC,sEAAsE;IACtE,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC;QAC5C,MAAM,EAAE;YACN,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,aAAa;YACtB,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC;YACxB,iBAAiB,EAAE,YAAY,CAAC,KAAY;SAC7C;QACD,KAAK,EAAE,iCAAiC;QACxC,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE;YACP,IAAI,EAAE,aAAoB;YAC1B,EAAE,EAAE,YAAY,CAAC,KAAY;YAC7B,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC;YAClC,UAAU,EAAE,EAAE;YACd,WAAW;YACX,KAAK;SACN;KACF,CAAC,CAAC;IAEH,gEAAgE;IAChE,OAAO;QACL,WAAW,EAAE,CAAC;QACd,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,wBAAwB;QAC/C,QAAQ,EAAE,YAAY;QACtB,OAAO,EAAE;YACP,SAAS;YACT,aAAa,EAAE;gBACb,IAAI,EAAE,aAAa;gBACnB,EAAE,EAAE,YAAY,CAAC,KAAK;gBACtB,KAAK,EAAE,YAAY,CAAC,MAAM;gBAC1B,UAAU,EAAE,GAAG;gBACf,WAAW,EAAE,WAAW,CAAC,QAAQ,EAAE;gBACnC,KAAK;aACN;SACF;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,0EAA0E;AAC1E,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,YAAiC,EACjC,UAAsB,EACtB,cAAsB,EACtB,GAAY;IAEZ,uDAAuD;IACvD,MAAM,WAAW,GAAG,YAAY,CAAC,KAAK,EAAE,QAAkB,CAAC;IAC3D,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;YAC/C,OAAO,EAAE,+CAA+C;SACzD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,eAAe,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAE7C,gEAAgE;IAChE,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,KAAK,EAAE;QACtC,CAAC,CAAC,MAAM,sBAAsB,CAAC,UAAU,CAAC;QAC1C,CAAC,CAAC,MAAM,gCAAgC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAEpE,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEpE,gCAAgC;IAChC,MAAM,SAAS,GAAG,GAA4H,CAAC;IAC/I,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,MAAM,SAAS,CAAC,kBAAkB,EAAE,CAAC,IAAI,EAAE,CAAC;IAE7E,+BAA+B;IAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAI,YAAY,CAAC,KAAK,EAAE,QAAmB,IAAI,CAAC,CAAC;IAE/D,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,sBAAsB,CAAC;QAC/C,KAAK,EAAE,UAAU;QACjB,YAAY,EAAE,OAAO,CAAC,qBAAqB,CAAC;QAC5C,IAAI;KACL,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,GAAG,MAAM,sBAAsB,CAAC;QAC7C,KAAK,EAAE,KAAK;QACZ,YAAY,EAAE,OAAO,CAAC,qBAAqB,CAAC;QAC5C,IAAI;KACL,CAAC,CAAC;IAEH,oCAAoC;IACpC,wDAAwD;IACxD,MAAM,YAAY,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAElD,MAAM,UAAU,GAAG,6BAA6B,CAAC;QAC/C,MAAM,EAAE,SAAS;QACjB,IAAI;QACJ,WAAW,EAAE,OAAO;QACpB,SAAS,EAAE,YAAY;QACvB,MAAM,EAAE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC;QACnC,QAAQ;KACT,EAAE,EAAE,cAAc,EAAE,OAAO,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IAEvD,+CAA+C;IAE/C,MAAM,SAAS,GAAG,IAAI,CACpB,wBAAwB,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,EACxC,CAAC,GAAG,EAAE,EAAE,CAAC,6BAA6B,CAAC,eAAe,EAAE,GAAG,CAAC,EAC5D,CAAC,GAAG,EAAE,EAAE,CAAC,2CAA2C;IAClD,oFAAoF;IACpF,aAAoB,EAAE,yDAAyD;IAC/E,GAAG,CACJ;IACD,8DAA8D;IAC9D,CAAC,GAAG,EAAE,EAAE,CAAC,mCAAmC,CAAC,UAAiB,EAAE,GAAG,CAAC,CACrE,CAAC;IAEF,yEAAyE;IACzE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAC/C,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,QAAQ,CAAC,YAAY,CAAC,CAAC;IAEnF,6CAA6C;IAC7C,MAAM,iBAAiB,GAAG;QACxB,GAAG,QAAQ;QACX,UAAU,EAAE;YACV,GAAG,QAAQ,CAAC,UAAU;YACtB,CAAC,UAAU,CAAC,EAAE,eAAe;SAC9B;KACF,CAAC;IAEF,mBAAmB;IACnB,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC;IACvE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE5D,uBAAuB;IACvB,OAAO;QACL,WAAW,EAAE,CAAC;QACd,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,wBAAwB;QAC/C,QAAQ,EAAE,YAAY;QACtB,OAAO,EAAE;YACP,WAAW,EAAE,QAAQ;SACtB;KACF,CAAC;AACJ,CAAC"}

package/dist/services/x402/ssrf-guard.d.ts

@@ -0,0 +1,27 @@
+/**
+ * SSRF Guard for x402 HTTP proxy.
+ *
+ * Defense layers:
+ * 1. URL normalization (trailing dot, lowercase, userinfo rejection, port 443 only)
+ * 2. Protocol enforcement (HTTPS only)
+ * 3. DNS pre-resolution + private IP blocking (RFC 5735/6890)
+ * 4. IPv4-mapped IPv6 bypass vector blocking
+ * 5. Redirect re-validation (max 3 hops)
+ *
+ * @module ssrf-guard
+ */
+/**
+ * Validate URL safety against SSRF attacks.
+ * Performs DNS resolution and validates all resolved IPs are public.
+ *
+ * @throws WAIaaSError('X402_SSRF_BLOCKED') if URL targets private/reserved IP
+ */
+export declare function validateUrlSafety(urlString: string): Promise<URL>;
+/**
+ * Fetch with manual redirect handling and SSRF re-validation per hop.
+ * Max 3 redirects. After redirect, method becomes GET and body is dropped.
+ *
+ * @throws WAIaaSError('X402_SSRF_BLOCKED') on private IP redirect or too many redirects
+ */
+export declare function safeFetchWithRedirects(url: URL, method: string, headers?: Record<string, string>, body?: string, timeout?: number): Promise<Response>;
+//# sourceMappingURL=ssrf-guard.d.ts.map

package/dist/services/x402/ssrf-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-guard.d.ts","sourceRoot":"","sources":["../../../src/services/x402/ssrf-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAiBH;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAuCvE;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAChC,IAAI,CAAC,EAAE,MAAM,EACb,OAAO,GAAE,MAA2B,GACnC,OAAO,CAAC,QAAQ,CAAC,CAuCnB"}

package/dist/services/x402/ssrf-guard.js

@@ -0,0 +1,236 @@
+/**
+ * SSRF Guard for x402 HTTP proxy.
+ *
+ * Defense layers:
+ * 1. URL normalization (trailing dot, lowercase, userinfo rejection, port 443 only)
+ * 2. Protocol enforcement (HTTPS only)
+ * 3. DNS pre-resolution + private IP blocking (RFC 5735/6890)
+ * 4. IPv4-mapped IPv6 bypass vector blocking
+ * 5. Redirect re-validation (max 3 hops)
+ *
+ * @module ssrf-guard
+ */
+import { lookup } from 'node:dns/promises';
+import { isIP } from 'node:net';
+import { WAIaaSError } from '@waiaas/core';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const MAX_REDIRECTS = 3;
+const DEFAULT_TIMEOUT_MS = 30_000;
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Validate URL safety against SSRF attacks.
+ * Performs DNS resolution and validates all resolved IPs are public.
+ *
+ * @throws WAIaaSError('X402_SSRF_BLOCKED') if URL targets private/reserved IP
+ */
+export async function validateUrlSafety(urlString) {
+    const url = normalizeUrl(urlString);
+    // Protocol enforcement: HTTPS only
+    if (url.protocol !== 'https:') {
+        throw new WAIaaSError('X402_SSRF_BLOCKED', {
+            message: `Only HTTPS URLs are allowed, got ${url.protocol}`,
+        });
+    }
+    // Reject userinfo
+    if (url.username || url.password) {
+        throw new WAIaaSError('X402_SSRF_BLOCKED', {
+            message: 'URLs with userinfo (@) are not allowed',
+        });
+    }
+    // Port validation: only 443 (or default empty)
+    if (url.port && url.port !== '443') {
+        throw new WAIaaSError('X402_SSRF_BLOCKED', {
+            message: `Non-standard port ${url.port} is not allowed`,
+        });
+    }
+    const hostname = url.hostname;
+    // Direct IP in hostname
+    if (isIP(hostname)) {
+        assertPublicIP(hostname);
+        return url;
+    }
+    // DNS pre-resolution: resolve all A + AAAA records
+    const addresses = await lookup(hostname, { all: true });
+    for (const { address } of addresses) {
+        assertPublicIP(address);
+    }
+    return url;
+}
+/**
+ * Fetch with manual redirect handling and SSRF re-validation per hop.
+ * Max 3 redirects. After redirect, method becomes GET and body is dropped.
+ *
+ * @throws WAIaaSError('X402_SSRF_BLOCKED') on private IP redirect or too many redirects
+ */
+export async function safeFetchWithRedirects(url, method, headers, body, timeout = DEFAULT_TIMEOUT_MS) {
+    let currentUrl = url;
+    for (let i = 0; i <= MAX_REDIRECTS; i++) {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeout);
+        try {
+            const response = await fetch(currentUrl.toString(), {
+                method: i === 0 ? method : 'GET',
+                headers: i === 0 ? headers : undefined,
+                body: i === 0 && method !== 'GET' ? body : undefined,
+                signal: controller.signal,
+                redirect: 'manual',
+            });
+            // Non-redirect response: return as-is
+            if (response.status < 300 || response.status >= 400) {
+                return response;
+            }
+            // Redirect: extract and validate Location
+            const location = response.headers.get('Location');
+            if (!location) {
+                return response;
+            }
+            // SSRF re-validation on redirect target
+            currentUrl = await validateUrlSafety(new URL(location, currentUrl).toString());
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    throw new WAIaaSError('X402_SSRF_BLOCKED', {
+        message: `Too many redirects (max ${MAX_REDIRECTS})`,
+    });
+}
+// ---------------------------------------------------------------------------
+// Internal: URL normalization
+// ---------------------------------------------------------------------------
+function normalizeUrl(urlString) {
+    const url = new URL(urlString);
+    // Remove trailing dot (FQDN normalization)
+    if (url.hostname.endsWith('.')) {
+        url.hostname = url.hostname.slice(0, -1);
+    }
+    return url;
+}
+// ---------------------------------------------------------------------------
+// Internal: IP validation
+// ---------------------------------------------------------------------------
+/**
+ * Assert that an IP address is public (not private/reserved).
+ * Handles IPv4-mapped IPv6 normalization before checking.
+ *
+ * @throws WAIaaSError('X402_SSRF_BLOCKED') if IP is private/reserved
+ */
+function assertPublicIP(ip) {
+    const normalized = normalizeIPv6Mapped(ip);
+    if (isPrivateIP(normalized)) {
+        throw new WAIaaSError('X402_SSRF_BLOCKED', {
+            message: `Resolved IP ${ip} is private/reserved`,
+        });
+    }
+}
+/**
+ * Normalize IPv4-mapped IPv6 addresses to their IPv4 equivalents.
+ * - ::ffff:A.B.C.D -> A.B.C.D (dotted format)
+ * - ::ffff:HHHH:HHHH -> A.B.C.D (hex-encoded format)
+ */
+function normalizeIPv6Mapped(ip) {
+    const lower = ip.toLowerCase();
+    // ::ffff:A.B.C.D format (dotted decimal)
+    if (lower.startsWith('::ffff:') && lower.includes('.')) {
+        return lower.slice(7);
+    }
+    // ::ffff:HHHH:HHHH format (hex-encoded IPv4)
+    const match = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
+    if (match) {
+        const hi = parseInt(match[1], 16);
+        const lo = parseInt(match[2], 16);
+        return `${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`;
+    }
+    return ip;
+}
+/**
+ * Check if an IP (already normalized from IPv4-mapped IPv6) is private/reserved.
+ */
+function isPrivateIP(ip) {
+    // Try IPv4 first, then IPv6
+    if (ip.includes('.')) {
+        return isPrivateIPv4(ip);
+    }
+    return isPrivateIPv6(ip);
+}
+/**
+ * RFC 5735/6890 private/reserved IPv4 ranges.
+ */
+function isPrivateIPv4(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return false;
+    const a = Number(parts[0]);
+    const b = Number(parts[1]);
+    const c = Number(parts[2]);
+    // 0.0.0.0/8 - This network
+    if (a === 0)
+        return true;
+    // 10.0.0.0/8 - Private
+    if (a === 10)
+        return true;
+    // 100.64.0.0/10 - Shared address space (CGNAT)
+    if (a === 100 && b >= 64 && b <= 127)
+        return true;
+    // 127.0.0.0/8 - Loopback
+    if (a === 127)
+        return true;
+    // 169.254.0.0/16 - Link-local
+    if (a === 169 && b === 254)
+        return true;
+    // 172.16.0.0/12 - Private
+    if (a === 172 && b >= 16 && b <= 31)
+        return true;
+    // 192.0.0.0/24 - IETF Protocol Assignments
+    if (a === 192 && b === 0 && c === 0)
+        return true;
+    // 192.0.2.0/24 - Documentation (TEST-NET-1)
+    if (a === 192 && b === 0 && c === 2)
+        return true;
+    // 192.168.0.0/16 - Private
+    if (a === 192 && b === 168)
+        return true;
+    // 198.18.0.0/15 - Benchmarking
+    if (a === 198 && (b === 18 || b === 19))
+        return true;
+    // 198.51.100.0/24 - Documentation (TEST-NET-2)
+    if (a === 198 && b === 51 && c === 100)
+        return true;
+    // 203.0.113.0/24 - Documentation (TEST-NET-3)
+    if (a === 203 && b === 0 && c === 113)
+        return true;
+    // 224.0.0.0/4 - Multicast
+    if (a >= 224 && a <= 239)
+        return true;
+    // 240.0.0.0/4 - Reserved + 255.255.255.255 broadcast
+    if (a >= 240)
+        return true;
+    return false;
+}
+/**
+ * Private/reserved IPv6 ranges.
+ */
+function isPrivateIPv6(ip) {
+    const lower = ip.toLowerCase();
+    // ::1 - Loopback
+    if (lower === '::1')
+        return true;
+    // :: - Unspecified
+    if (lower === '::')
+        return true;
+    // fe80::/10 - Link-local
+    if (lower.startsWith('fe80:') || lower === 'fe80')
+        return true;
+    // fc00::/7 - Unique local (fc00::/8 + fd00::/8)
+    if (lower.startsWith('fc') || lower.startsWith('fd'))
+        return true;
+    // ff00::/8 - Multicast
+    if (lower.startsWith('ff'))
+        return true;
+    return false;
+}
+//# sourceMappingURL=ssrf-guard.js.map

package/dist/services/x402/ssrf-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-guard.js","sourceRoot":"","sources":["../../../src/services/x402/ssrf-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,aAAa,GAAG,CAAC,CAAC;AACxB,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAAiB;IACvD,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IAEpC,mCAAmC;IACnC,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,OAAO,EAAE,oCAAoC,GAAG,CAAC,QAAQ,EAAE;SAC5D,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,OAAO,EAAE,wCAAwC;SAClD,CAAC,CAAC;IACL,CAAC;IAED,+CAA+C;IAC/C,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACnC,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,OAAO,EAAE,qBAAqB,GAAG,CAAC,IAAI,iBAAiB;SACxD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAE9B,wBAAwB;IACxB,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnB,cAAc,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,GAAG,CAAC;IACb,CAAC;IAED,mDAAmD;IACnD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,SAAS,EAAE,CAAC;QACpC,cAAc,CAAC,OAAO,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,GAAQ,EACR,MAAc,EACd,OAAgC,EAChC,IAAa,EACb,UAAkB,kBAAkB;IAEpC,IAAI,UAAU,GAAG,GAAG,CAAC;IAErB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,aAAa,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;QAE5D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE;gBAClD,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;gBAChC,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBACtC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;gBACpD,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;YAEH,sCAAsC;YACtC,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBACpD,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,wCAAwC;YACxC,UAAU,GAAG,MAAM,iBAAiB,CAClC,IAAI,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE,CACzC,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;QACzC,OAAO,EAAE,2BAA2B,aAAa,GAAG;KACrD,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/B,2CAA2C;IAC3C,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,cAAc,CAAC,EAAU;IAChC,MAAM,UAAU,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;IAE3C,IAAI,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,OAAO,EAAE,eAAe,EAAE,sBAAsB;SACjD,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,EAAU;IACrC,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;IAE/B,yCAAyC;IACzC,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IAED,6CAA6C;IAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;IACtE,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;QACnC,OAAO,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,GAAG,IAAI,EAAE,CAAC;IAC7E,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,EAAU;IAC7B,4BAA4B;IAC5B,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,aAAa,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,aAAa,CAAC,EAAE,CAAC,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,EAAU;IAC/B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE3B,2BAA2B;IAC3B,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,uBAAuB;IACvB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1B,+CAA+C;IAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAClD,yBAAyB;IACzB,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3B,8BAA8B;IAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,0BAA0B;IAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACjD,2CAA2C;IAC3C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,4CAA4C;IAC5C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,2BAA2B;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,+BAA+B;IAC/B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,+CAA+C;IAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACpD,8CAA8C;IAC9C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACnD,0BAA0B;IAC1B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IACtC,qDAAqD;IACrD,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAE1B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,EAAU;IAC/B,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;IAE/B,iBAAiB;IACjB,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACjC,mBAAmB;IACnB,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,yBAAyB;IACzB,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAC/D,gDAAgD;IAChD,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,uBAAuB;IACvB,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/services/x402/x402-domain-policy.d.ts

@@ -0,0 +1,50 @@
+/**
+ * X402_ALLOWED_DOMAINS domain policy evaluation.
+ *
+ * Evaluates whether a target domain is allowed for x402 payments based on
+ * the X402_ALLOWED_DOMAINS policy in the policies table.
+ *
+ * Design principle: Default deny -- if no X402_ALLOWED_DOMAINS policy is
+ * configured, x402 payments are disabled entirely.
+ *
+ * This module is separate from DatabasePolicyEngine because X402_ALLOWED_DOMAINS
+ * is a domain-level policy, not a transaction-level policy. The evaluate() method
+ * in DatabasePolicyEngine operates on TransactionParam which has no URL/domain field.
+ *
+ * @see Research Pitfall 1: X402_ALLOWED_DOMAINS evaluation location
+ */
+import type { PolicyEvaluation } from '@waiaas/core';
+/** Policy row shape matching DatabasePolicyEngine's internal PolicyRow. */
+interface PolicyRow {
+    id: string;
+    walletId: string | null;
+    type: string;
+    rules: string;
+    priority: number;
+    enabled: boolean | null;
+    network: string | null;
+}
+/**
+ * Match a domain pattern against a target domain.
+ *
+ * Rules:
+ * - "api.example.com" -> exact match only
+ * - "*.example.com" -> matches sub.example.com, a.b.example.com
+ *                       does NOT match example.com (dot-boundary)
+ * - Case-insensitive comparison
+ *
+ * @param pattern - Domain pattern (exact or wildcard like "*.example.com")
+ * @param target - Target domain to match against
+ * @returns true if pattern matches target
+ */
+export declare function matchDomain(pattern: string, target: string): boolean;
+/**
+ * Evaluate X402_ALLOWED_DOMAINS policy against a target domain.
+ *
+ * @param resolved - Resolved policy rows (after override resolution)
+ * @param targetDomain - The domain to evaluate (e.g., "api.example.com")
+ * @returns PolicyEvaluation with allowed=false if denied, null if allowed (continue to next evaluation)
+ */
+export declare function evaluateX402Domain(resolved: PolicyRow[], targetDomain: string): PolicyEvaluation | null;
+export {};
+//# sourceMappingURL=x402-domain-policy.d.ts.map

package/dist/services/x402/x402-domain-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402-domain-policy.d.ts","sourceRoot":"","sources":["../../../src/services/x402/x402-domain-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAc,MAAM,cAAc,CAAC;AAMjE,2EAA2E;AAC3E,UAAU,SAAS;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IACxB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAWD;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAepE;AAMD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,SAAS,EAAE,EACrB,YAAY,EAAE,MAAM,GACnB,gBAAgB,GAAG,IAAI,CA4BzB"}