@waiaas/daemon 2.0.0-rc.1

package/dist/services/x402/x402-domain-policy.js

@@ -0,0 +1,78 @@
+/**
+ * X402_ALLOWED_DOMAINS domain policy evaluation.
+ *
+ * Evaluates whether a target domain is allowed for x402 payments based on
+ * the X402_ALLOWED_DOMAINS policy in the policies table.
+ *
+ * Design principle: Default deny -- if no X402_ALLOWED_DOMAINS policy is
+ * configured, x402 payments are disabled entirely.
+ *
+ * This module is separate from DatabasePolicyEngine because X402_ALLOWED_DOMAINS
+ * is a domain-level policy, not a transaction-level policy. The evaluate() method
+ * in DatabasePolicyEngine operates on TransactionParam which has no URL/domain field.
+ *
+ * @see Research Pitfall 1: X402_ALLOWED_DOMAINS evaluation location
+ */
+// ---------------------------------------------------------------------------
+// matchDomain
+// ---------------------------------------------------------------------------
+/**
+ * Match a domain pattern against a target domain.
+ *
+ * Rules:
+ * - "api.example.com" -> exact match only
+ * - "*.example.com" -> matches sub.example.com, a.b.example.com
+ *                       does NOT match example.com (dot-boundary)
+ * - Case-insensitive comparison
+ *
+ * @param pattern - Domain pattern (exact or wildcard like "*.example.com")
+ * @param target - Target domain to match against
+ * @returns true if pattern matches target
+ */
+export function matchDomain(pattern, target) {
+    const p = pattern.toLowerCase();
+    const t = target.toLowerCase();
+    // Exact match
+    if (p === t)
+        return true;
+    // Wildcard match: *.example.com
+    if (p.startsWith('*.')) {
+        const suffix = p.slice(1); // ".example.com"
+        // target must end with suffix AND be longer (dot-boundary: excludes root domain)
+        return t.endsWith(suffix) && t.length > suffix.length;
+    }
+    return false;
+}
+// ---------------------------------------------------------------------------
+// evaluateX402Domain
+// ---------------------------------------------------------------------------
+/**
+ * Evaluate X402_ALLOWED_DOMAINS policy against a target domain.
+ *
+ * @param resolved - Resolved policy rows (after override resolution)
+ * @param targetDomain - The domain to evaluate (e.g., "api.example.com")
+ * @returns PolicyEvaluation with allowed=false if denied, null if allowed (continue to next evaluation)
+ */
+export function evaluateX402Domain(resolved, targetDomain) {
+    const policy = resolved.find((p) => p.type === 'X402_ALLOWED_DOMAINS');
+    // No policy -> default deny (same pattern as ALLOWED_TOKENS)
+    if (!policy) {
+        return {
+            allowed: false,
+            tier: 'INSTANT',
+            reason: 'x402 payments disabled: no X402_ALLOWED_DOMAINS policy configured',
+        };
+    }
+    const rules = JSON.parse(policy.rules);
+    // Check if domain is in allowed list
+    const isAllowed = rules.domains.some((domainPattern) => matchDomain(domainPattern, targetDomain));
+    if (!isAllowed) {
+        return {
+            allowed: false,
+            tier: 'INSTANT',
+            reason: `Domain '${targetDomain}' not in allowed x402 domains list`,
+        };
+    }
+    return null; // Domain allowed, continue to next evaluation
+}
+//# sourceMappingURL=x402-domain-policy.js.map

package/dist/services/x402/x402-domain-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402-domain-policy.js","sourceRoot":"","sources":["../../../src/services/x402/x402-domain-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAwBH,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,MAAc;IACzD,MAAM,CAAC,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAChC,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAE/B,cAAc;IACd,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzB,gCAAgC;IAChC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB;QAC5C,iFAAiF;QACjF,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IACxD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAqB,EACrB,YAAoB;IAEpB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAAC,CAAC;IAEvE,6DAA6D;IAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,SAAuB;YAC7B,MAAM,EAAE,mEAAmE;SAC5E,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAA4B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEhE,qCAAqC;IACrC,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,EAAE,CACrD,WAAW,CAAC,aAAa,EAAE,YAAY,CAAC,CACzC,CAAC;IAEF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,SAAuB;YAC7B,MAAM,EAAE,WAAW,YAAY,oCAAoC;SACpE,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC,CAAC,8CAA8C;AAC7D,CAAC"}

package/dist/services/x402/x402-handler.d.ts

@@ -0,0 +1,71 @@
+/**
+ * x402 Handler -- orchestrates SSRF guard + payment signing + 402 response handling.
+ *
+ * Independent pipeline (does NOT extend 6-stage pipeline):
+ * 1. SSRF guard (validateUrlSafety)
+ * 2. HTTP request (safeFetchWithRedirects)
+ * 3. Non-402 passthrough
+ * 4. 402 response parsing (PAYMENT-REQUIRED header -> PaymentRequired V2)
+ * 5. (scheme, network) auto-selection from accepts array
+ * 6. Payment signing (signPayment)
+ * 7. Re-request with PAYMENT-SIGNATURE header
+ * 8. Retry limit: 1 retry after payment, then X402_PAYMENT_REJECTED
+ *
+ * @module x402-handler
+ */
+import type { X402FetchRequest, X402FetchResponse, PaymentRequirements } from '@waiaas/core';
+/** Dependencies injected into the x402 handler. */
+export interface X402HandlerDeps {
+    keyStore: {
+        decryptPrivateKey(walletId: string, masterPassword: string): Promise<Uint8Array>;
+        releaseKey(key: Uint8Array): void;
+    };
+    walletId: string;
+    walletAddress: string;
+    masterPassword: string;
+    supportedNetworks: Set<string>;
+}
+/**
+ * Fetch a URL with x402 payment handling.
+ *
+ * Flow:
+ * 1. Validate URL safety (SSRF guard)
+ * 2. Make initial request
+ * 3. If non-402: return passthrough response
+ * 4. If 402: parse payment requirements, select best option, sign, re-request
+ * 5. If re-request returns 402: throw X402_PAYMENT_REJECTED (1 retry max)
+ * 6. If re-request returns non-ok: throw X402_SERVER_ERROR
+ * 7. If re-request returns ok: return payment response
+ */
+export declare function handleX402Fetch(request: X402FetchRequest, deps: X402HandlerDeps): Promise<X402FetchResponse>;
+/** Parsed PaymentRequired V2 structure. */
+interface ParsedPaymentRequired {
+    x402Version: number;
+    accepts: PaymentRequirements[];
+    resource: {
+        url: string;
+    };
+}
+/**
+ * Parse a 402 response into PaymentRequired V2 structure.
+ *
+ * Attempts to parse from:
+ * 1. PAYMENT-REQUIRED header (base64-encoded JSON)
+ * 2. Response body (JSON)
+ *
+ * Validates against PaymentRequiredV2Schema (Zod).
+ */
+export declare function parse402Response(response: Response): Promise<ParsedPaymentRequired>;
+/**
+ * Select the best PaymentRequirements from an accepts array.
+ *
+ * Criteria:
+ * 1. scheme must be 'exact' (streaming/other schemes not supported)
+ * 2. network must be in supportedNetworks AND resolvable via resolveX402Network
+ * 3. Among matching items, select the one with lowest amount
+ *
+ * @throws WAIaaSError('X402_UNSUPPORTED_SCHEME') if no matching requirement found
+ */
+export declare function selectPaymentRequirement(accepts: PaymentRequirements[], supportedNetworks: Set<string>): PaymentRequirements;
+export {};
+//# sourceMappingURL=x402-handler.d.ts.map

package/dist/services/x402/x402-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402-handler.d.ts","sourceRoot":"","sources":["../../../src/services/x402/x402-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAOH,OAAO,KAAK,EACV,gBAAgB,EAChB,iBAAiB,EAEjB,mBAAmB,EACpB,MAAM,cAAc,CAAC;AAQtB,mDAAmD;AACnD,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE;QACR,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QACjF,UAAU,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI,CAAC;KACnC,CAAC;IACF,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAChC;AA4BD;;;;;;;;;;;GAWG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,gBAAgB,EACzB,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,iBAAiB,CAAC,CAmE5B;AAMD,2CAA2C;AAC3C,UAAU,qBAAqB;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC/B,QAAQ,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,QAAQ,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAoBhC;AAMD;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,mBAAmB,EAAE,EAC9B,iBAAiB,EAAE,GAAG,CAAC,MAAM,CAAC,GAC7B,mBAAmB,CA6BrB"}

package/dist/services/x402/x402-handler.js

@@ -0,0 +1,195 @@
+/**
+ * x402 Handler -- orchestrates SSRF guard + payment signing + 402 response handling.
+ *
+ * Independent pipeline (does NOT extend 6-stage pipeline):
+ * 1. SSRF guard (validateUrlSafety)
+ * 2. HTTP request (safeFetchWithRedirects)
+ * 3. Non-402 passthrough
+ * 4. 402 response parsing (PAYMENT-REQUIRED header -> PaymentRequired V2)
+ * 5. (scheme, network) auto-selection from accepts array
+ * 6. Payment signing (signPayment)
+ * 7. Re-request with PAYMENT-SIGNATURE header
+ * 8. Retry limit: 1 retry after payment, then X402_PAYMENT_REJECTED
+ *
+ * @module x402-handler
+ */
+import { WAIaaSError, PaymentRequiredV2Schema, resolveX402Network, } from '@waiaas/core';
+import { validateUrlSafety, safeFetchWithRedirects } from './ssrf-guard.js';
+import { signPayment } from './payment-signer.js';
+// ---------------------------------------------------------------------------
+// Base64 JSON encode/decode (equivalent to @x402/core/http helpers)
+// ---------------------------------------------------------------------------
+/**
+ * Encode a PaymentPayload as a base64 header value.
+ * Equivalent to @x402/core/http encodePaymentSignatureHeader.
+ */
+function encodePaymentSignatureHeader(paymentPayload) {
+    const json = JSON.stringify(paymentPayload);
+    return Buffer.from(json, 'utf-8').toString('base64');
+}
+/**
+ * Decode a base64 PAYMENT-REQUIRED header into a PaymentRequired object.
+ * Equivalent to @x402/core/http decodePaymentRequiredHeader.
+ */
+function decodePaymentRequiredHeader(headerValue) {
+    const decoded = Buffer.from(headerValue, 'base64').toString('utf-8');
+    return JSON.parse(decoded);
+}
+// ---------------------------------------------------------------------------
+// handleX402Fetch -- main entry point
+// ---------------------------------------------------------------------------
+/**
+ * Fetch a URL with x402 payment handling.
+ *
+ * Flow:
+ * 1. Validate URL safety (SSRF guard)
+ * 2. Make initial request
+ * 3. If non-402: return passthrough response
+ * 4. If 402: parse payment requirements, select best option, sign, re-request
+ * 5. If re-request returns 402: throw X402_PAYMENT_REJECTED (1 retry max)
+ * 6. If re-request returns non-ok: throw X402_SERVER_ERROR
+ * 7. If re-request returns ok: return payment response
+ */
+export async function handleX402Fetch(request, deps) {
+    // Step 1: SSRF guard
+    const validatedUrl = await validateUrlSafety(request.url);
+    // Step 2: Initial request
+    const response = await safeFetchWithRedirects(validatedUrl, request.method ?? 'GET', request.headers, request.body);
+    // Step 3: Non-402 passthrough
+    if (response.status !== 402) {
+        return buildPassthroughResponse(response);
+    }
+    // Step 4: Parse 402 response
+    const paymentRequired = await parse402Response(response);
+    // Step 5: Select best (scheme, network) from accepts
+    const selected = selectPaymentRequirement(paymentRequired.accepts, deps.supportedNetworks);
+    // Step 6: Sign payment
+    const paymentPayload = await signPayment(selected, deps.keyStore, deps.walletId, deps.walletAddress, deps.masterPassword);
+    // Fill resource.url in the payment payload
+    paymentPayload.resource = { url: request.url };
+    // Step 7: Encode and re-request with PAYMENT-SIGNATURE header
+    const encodedSignature = encodePaymentSignatureHeader(paymentPayload);
+    const retryHeaders = {
+        ...(request.headers ?? {}),
+        'PAYMENT-SIGNATURE': encodedSignature,
+    };
+    const retryResponse = await safeFetchWithRedirects(validatedUrl, request.method ?? 'GET', retryHeaders, request.body);
+    // Step 8: Handle retry response
+    if (retryResponse.status === 402) {
+        throw new WAIaaSError('X402_PAYMENT_REJECTED', {
+            message: 'Payment was rejected by the resource server after retry',
+        });
+    }
+    if (!retryResponse.ok) {
+        throw new WAIaaSError('X402_SERVER_ERROR', {
+            message: `Resource server returned ${retryResponse.status} after payment`,
+        });
+    }
+    // Step 9: Build success response with payment info
+    return buildPaymentResponse(retryResponse, selected);
+}
+/**
+ * Parse a 402 response into PaymentRequired V2 structure.
+ *
+ * Attempts to parse from:
+ * 1. PAYMENT-REQUIRED header (base64-encoded JSON)
+ * 2. Response body (JSON)
+ *
+ * Validates against PaymentRequiredV2Schema (Zod).
+ */
+export async function parse402Response(response) {
+    let raw;
+    // Try header first
+    const headerValue = response.headers.get('payment-required');
+    if (headerValue) {
+        raw = decodePaymentRequiredHeader(headerValue);
+    }
+    else {
+        // Fallback: JSON body
+        raw = await response.json();
+    }
+    // Validate with Zod
+    const parsed = PaymentRequiredV2Schema.parse(raw);
+    return {
+        x402Version: parsed.x402Version,
+        accepts: parsed.accepts,
+        resource: parsed.resource,
+    };
+}
+// ---------------------------------------------------------------------------
+// selectPaymentRequirement
+// ---------------------------------------------------------------------------
+/**
+ * Select the best PaymentRequirements from an accepts array.
+ *
+ * Criteria:
+ * 1. scheme must be 'exact' (streaming/other schemes not supported)
+ * 2. network must be in supportedNetworks AND resolvable via resolveX402Network
+ * 3. Among matching items, select the one with lowest amount
+ *
+ * @throws WAIaaSError('X402_UNSUPPORTED_SCHEME') if no matching requirement found
+ */
+export function selectPaymentRequirement(accepts, supportedNetworks) {
+    // Filter for exact scheme + supported network
+    const candidates = accepts.filter((req) => {
+        if (req.scheme !== 'exact')
+            return false;
+        if (!supportedNetworks.has(req.network))
+            return false;
+        // Verify network is known to WAIaaS
+        try {
+            resolveX402Network(req.network);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    });
+    if (candidates.length === 0) {
+        throw new WAIaaSError('X402_UNSUPPORTED_SCHEME', {
+            message: 'No supported (scheme=exact, network) pair found in accepts',
+            details: {
+                available: accepts.map((a) => ({ scheme: a.scheme, network: a.network })),
+                supported: [...supportedNetworks],
+            },
+        });
+    }
+    // Select lowest amount
+    return candidates.reduce((min, req) => BigInt(req.amount) < BigInt(min.amount) ? req : min);
+}
+// ---------------------------------------------------------------------------
+// Response builders
+// ---------------------------------------------------------------------------
+/**
+ * Build a passthrough X402FetchResponse from a non-402 response.
+ */
+async function buildPassthroughResponse(response) {
+    const body = await response.text();
+    const headers = {};
+    response.headers.forEach((value, key) => {
+        headers[key] = value;
+    });
+    return {
+        status: response.status,
+        headers,
+        body,
+    };
+}
+/**
+ * Build a payment X402FetchResponse from a successful retry response.
+ */
+async function buildPaymentResponse(response, requirement) {
+    const base = await buildPassthroughResponse(response);
+    const payment = {
+        amount: requirement.amount,
+        asset: requirement.asset,
+        network: requirement.network,
+        payTo: requirement.payTo,
+        txId: '', // Not yet available -- facilitator settles asynchronously
+    };
+    return {
+        ...base,
+        payment,
+    };
+}
+//# sourceMappingURL=x402-handler.js.map

package/dist/services/x402/x402-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402-handler.js","sourceRoot":"","sources":["../../../src/services/x402/x402-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EACL,WAAW,EACX,uBAAuB,EACvB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAOtB,OAAO,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAkBlD,8EAA8E;AAC9E,oEAAoE;AACpE,8EAA8E;AAE9E;;;GAGG;AACH,SAAS,4BAA4B,CAAC,cAAuC;IAC3E,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAC5C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,SAAS,2BAA2B,CAAC,WAAmB;IACtD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAY,CAAC;AACxC,CAAC;AAED,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAyB,EACzB,IAAqB;IAErB,qBAAqB;IACrB,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE1D,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,MAAM,sBAAsB,CAC3C,YAAY,EACZ,OAAO,CAAC,MAAM,IAAI,KAAK,EACvB,OAAO,CAAC,OAAO,EACf,OAAO,CAAC,IAAI,CACb,CAAC;IAEF,8BAA8B;IAC9B,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,OAAO,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,6BAA6B;IAC7B,MAAM,eAAe,GAAG,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAEzD,qDAAqD;IACrD,MAAM,QAAQ,GAAG,wBAAwB,CACvC,eAAe,CAAC,OAAO,EACvB,IAAI,CAAC,iBAAiB,CACvB,CAAC;IAEF,uBAAuB;IACvB,MAAM,cAAc,GAAG,MAAM,WAAW,CACtC,QAAQ,EACR,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,aAAa,EAClB,IAAI,CAAC,cAAc,CACpB,CAAC;IAEF,2CAA2C;IAC3C,cAAc,CAAC,QAAQ,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;IAE/C,8DAA8D;IAC9D,MAAM,gBAAgB,GAAG,4BAA4B,CAAC,cAAc,CAAC,CAAC;IACtE,MAAM,YAAY,GAA2B;QAC3C,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;QAC1B,mBAAmB,EAAE,gBAAgB;KACtC,CAAC;IAEF,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAChD,YAAY,EACZ,OAAO,CAAC,MAAM,IAAI,KAAK,EACvB,YAAY,EACZ,OAAO,CAAC,IAAI,CACb,CAAC;IAEF,gCAAgC;IAChC,IAAI,aAAa,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACjC,MAAM,IAAI,WAAW,CAAC,uBAAuB,EAAE;YAC7C,OAAO,EAAE,yDAAyD;SACnE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,OAAO,EAAE,4BAA4B,aAAa,CAAC,MAAM,gBAAgB;SAC1E,CAAC,CAAC;IACL,CAAC;IAED,mDAAmD;IACnD,OAAO,oBAAoB,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;AACvD,CAAC;AAaD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAkB;IAElB,IAAI,GAAY,CAAC;IAEjB,mBAAmB;IACnB,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC7D,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,GAAG,2BAA2B,CAAC,WAAW,CAAC,CAAC;IACjD,CAAC;SAAM,CAAC;QACN,sBAAsB;QACtB,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IACzC,CAAC;IAED,oBAAoB;IACpB,MAAM,MAAM,GAAG,uBAAuB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAElD,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE,MAAM,CAAC,OAAgC;QAChD,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAA8B,EAC9B,iBAA8B;IAE9B,8CAA8C;IAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACxC,IAAI,GAAG,CAAC,MAAM,KAAK,OAAO;YAAE,OAAO,KAAK,CAAC;QACzC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC;YAAE,OAAO,KAAK,CAAC;QAEtD,oCAAoC;QACpC,IAAI,CAAC;YACH,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,WAAW,CAAC,yBAAyB,EAAE;YAC/C,OAAO,EAAE,4DAA4D;YACrE,OAAO,EAAE;gBACP,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;gBACzE,SAAS,EAAE,CAAC,GAAG,iBAAiB,CAAC;aAClC;SACF,CAAC,CAAC;IACL,CAAC;IAED,uBAAuB;IACvB,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CACpC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CACpD,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;GAEG;AACH,KAAK,UAAU,wBAAwB,CACrC,QAAkB;IAElB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACtC,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,OAAO;QACP,IAAI;KACL,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,oBAAoB,CACjC,QAAkB,EAClB,WAAgC;IAEhC,MAAM,IAAI,GAAG,MAAM,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IAEtD,MAAM,OAAO,GAAoB;QAC/B,MAAM,EAAE,WAAW,CAAC,MAAM;QAC1B,KAAK,EAAE,WAAW,CAAC,KAAK;QACxB,OAAO,EAAE,WAAW,CAAC,OAAO;QAC5B,KAAK,EAAE,WAAW,CAAC,KAAK;QACxB,IAAI,EAAE,EAAE,EAAE,0DAA0D;KACrE,CAAC;IAEF,OAAO;QACL,GAAG,IAAI;QACP,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/services/x402/x402-usd-resolver.d.ts

@@ -0,0 +1,26 @@
+/**
+ * x402 payment amount USD resolution.
+ *
+ * Converts x402 PaymentRequirements amounts to USD for SPENDING_LIMIT policy evaluation.
+ *
+ * Strategy:
+ * - USDC (6 decimals, $1 peg): Direct conversion without oracle call.
+ *   USDC addresses come from USDC_DOMAINS (EVM) and SOLANA_USDC_ADDRESSES (Solana).
+ * - Non-USDC tokens: IPriceOracle.getPrice() with chain-appropriate default decimals.
+ * - No oracle / oracle error: Returns 0 (safe fallback, allows INSTANT tier pass).
+ *
+ * @see packages/daemon/src/pipeline/resolve-effective-amount-usd.ts (5-type pattern)
+ * @see packages/daemon/src/services/x402/payment-signer.ts (USDC_DOMAINS)
+ */
+import type { IPriceOracle } from '@waiaas/core';
+/**
+ * Resolve x402 payment amount to USD value.
+ *
+ * @param amount - Raw token amount (string, integer units)
+ * @param asset - Token contract/mint address
+ * @param caip2Network - CAIP-2 network identifier (e.g., "eip155:8453", "solana:5eykt4...")
+ * @param priceOracle - Optional IPriceOracle for non-USDC tokens
+ * @returns USD amount (number). Returns 0 if price cannot be determined (safe fallback).
+ */
+export declare function resolveX402UsdAmount(amount: string, asset: string, caip2Network: string, priceOracle?: IPriceOracle): Promise<number>;
+//# sourceMappingURL=x402-usd-resolver.d.ts.map

package/dist/services/x402/x402-usd-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402-usd-resolver.d.ts","sourceRoot":"","sources":["../../../src/services/x402/x402-usd-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAwBjD;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,MAAM,EACpB,WAAW,CAAC,EAAE,YAAY,GACzB,OAAO,CAAC,MAAM,CAAC,CAoCjB"}

package/dist/services/x402/x402-usd-resolver.js

@@ -0,0 +1,79 @@
+/**
+ * x402 payment amount USD resolution.
+ *
+ * Converts x402 PaymentRequirements amounts to USD for SPENDING_LIMIT policy evaluation.
+ *
+ * Strategy:
+ * - USDC (6 decimals, $1 peg): Direct conversion without oracle call.
+ *   USDC addresses come from USDC_DOMAINS (EVM) and SOLANA_USDC_ADDRESSES (Solana).
+ * - Non-USDC tokens: IPriceOracle.getPrice() with chain-appropriate default decimals.
+ * - No oracle / oracle error: Returns 0 (safe fallback, allows INSTANT tier pass).
+ *
+ * @see packages/daemon/src/pipeline/resolve-effective-amount-usd.ts (5-type pattern)
+ * @see packages/daemon/src/services/x402/payment-signer.ts (USDC_DOMAINS)
+ */
+import { USDC_DOMAINS } from './payment-signer.js';
+import { parseCaip2 } from '@waiaas/core';
+// ---------------------------------------------------------------------------
+// Solana USDC addresses (not in USDC_DOMAINS which is EVM-only EIP-712)
+// ---------------------------------------------------------------------------
+/**
+ * Known Solana USDC token mint addresses by CAIP-2 network.
+ *
+ * Circle native USDC on Solana uses SPL Token, not EIP-3009,
+ * so these are separate from USDC_DOMAINS (which stores EIP-712 domain separators).
+ */
+const SOLANA_USDC_ADDRESSES = {
+    // Solana Mainnet (Circle native USDC)
+    'solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp': 'EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v',
+    // Solana Devnet (Circle USDC devnet)
+    'solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1': '4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU',
+};
+// ---------------------------------------------------------------------------
+// resolveX402UsdAmount
+// ---------------------------------------------------------------------------
+/**
+ * Resolve x402 payment amount to USD value.
+ *
+ * @param amount - Raw token amount (string, integer units)
+ * @param asset - Token contract/mint address
+ * @param caip2Network - CAIP-2 network identifier (e.g., "eip155:8453", "solana:5eykt4...")
+ * @param priceOracle - Optional IPriceOracle for non-USDC tokens
+ * @returns USD amount (number). Returns 0 if price cannot be determined (safe fallback).
+ */
+export async function resolveX402UsdAmount(amount, asset, caip2Network, priceOracle) {
+    // 1. Check EVM USDC (USDC_DOMAINS has verifyingContract for 7 EVM chains)
+    const usdcDomain = USDC_DOMAINS[caip2Network];
+    if (usdcDomain && usdcDomain.verifyingContract.toLowerCase() === asset.toLowerCase()) {
+        // USDC: 6 decimals, $1 direct conversion
+        return Number(amount) / 1_000_000;
+    }
+    // 2. Check Solana USDC (separate address table, case-sensitive for base58)
+    const solanaUsdcAddress = SOLANA_USDC_ADDRESSES[caip2Network];
+    if (solanaUsdcAddress && solanaUsdcAddress === asset) {
+        // Solana USDC: 6 decimals, $1 direct conversion
+        return Number(amount) / 1_000_000;
+    }
+    // 3. Non-USDC: use IPriceOracle (if available)
+    if (!priceOracle)
+        return 0;
+    const { namespace } = parseCaip2(caip2Network);
+    const chain = namespace === 'eip155' ? 'ethereum' : 'solana';
+    try {
+        // x402 PaymentRequirements does not include decimals, use chain defaults
+        // EVM: 18 (most common), Solana: 9 (most common)
+        const decimals = chain === 'ethereum' ? 18 : 9;
+        const priceInfo = await priceOracle.getPrice({
+            address: asset,
+            decimals,
+            chain: chain,
+        });
+        const humanAmount = Number(amount) / Math.pow(10, decimals);
+        return humanAmount * priceInfo.usdPrice;
+    }
+    catch {
+        // Safe fallback: unknown price -> 0 (INSTANT tier pass)
+        return 0;
+    }
+}
+//# sourceMappingURL=x402-usd-resolver.js.map

package/dist/services/x402/x402-usd-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"x402-usd-resolver.js","sourceRoot":"","sources":["../../../src/services/x402/x402-usd-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,8EAA8E;AAC9E,wEAAwE;AACxE,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,qBAAqB,GAA2B;IACpD,sCAAsC;IACtC,yCAAyC,EAAE,8CAA8C;IACzF,qCAAqC;IACrC,yCAAyC,EAAE,8CAA8C;CAC1F,CAAC;AAEF,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAc,EACd,KAAa,EACb,YAAoB,EACpB,WAA0B;IAE1B,0EAA0E;IAC1E,MAAM,UAAU,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IAC9C,IAAI,UAAU,IAAI,UAAU,CAAC,iBAAiB,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;QACrF,yCAAyC;QACzC,OAAO,MAAM,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC;IACpC,CAAC;IAED,2EAA2E;IAC3E,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAC9D,IAAI,iBAAiB,IAAI,iBAAiB,KAAK,KAAK,EAAE,CAAC;QACrD,gDAAgD;QAChD,OAAO,MAAM,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC;IACpC,CAAC;IAED,+CAA+C;IAC/C,IAAI,CAAC,WAAW;QAAE,OAAO,CAAC,CAAC;IAE3B,MAAM,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC;IAE7D,IAAI,CAAC;QACH,yEAAyE;QACzE,iDAAiD;QACjD,MAAM,QAAQ,GAAG,KAAK,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC;YAC3C,OAAO,EAAE,KAAK;YACd,QAAQ;YACR,KAAK,EAAE,KAA8B;SACtC,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC5D,OAAO,WAAW,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,wDAAwD;QACxD,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC"}

package/dist/workflow/approval-workflow.d.ts

@@ -0,0 +1,103 @@
+/**
+ * ApprovalWorkflow - APPROVAL tier owner sign-off management.
+ *
+ * Manages APPROVAL tier transactions through their approval lifecycle:
+ * - requestApproval: creates pending_approvals record, sets tx QUEUED
+ * - approve: owner signs off, sets tx EXECUTING
+ * - reject: owner rejects, sets tx CANCELLED
+ * - processExpiredApprovals: batch-expire timed-out approvals
+ *
+ * Timeout resolution follows 3-level priority:
+ * 1. Policy-specific approval_timeout (from rules)
+ * 2. Config policy_defaults_approval_timeout (global config)
+ * 3. 3600s hardcoded fallback
+ *
+ * Uses BEGIN IMMEDIATE for atomic approve/reject/expire to prevent
+ * concurrent race conditions.
+ *
+ * @see docs/33-time-lock-approval-mechanism.md
+ */
+import type { BetterSQLite3Database } from 'drizzle-orm/better-sqlite3';
+import type { Database as SQLiteDatabase } from 'better-sqlite3';
+import type * as schema from '../infrastructure/database/schema.js';
+interface ApprovalWorkflowDeps {
+    db: BetterSQLite3Database<typeof schema>;
+    sqlite: SQLiteDatabase;
+    config: {
+        policy_defaults_approval_timeout: number;
+    };
+}
+interface RequestApprovalOptions {
+    policyTimeoutSeconds?: number;
+}
+interface RequestApprovalResult {
+    approvalId: string;
+    expiresAt: number;
+}
+interface ApproveResult {
+    txId: string;
+    approvedAt: number;
+}
+interface RejectResult {
+    txId: string;
+    rejectedAt: number;
+}
+export declare class ApprovalWorkflow {
+    private readonly sqlite;
+    private readonly configTimeout;
+    constructor(deps: ApprovalWorkflowDeps);
+    /**
+     * Create a pending approval for an APPROVAL tier transaction.
+     *
+     * Sets the transaction status to QUEUED and creates a pending_approvals
+     * record with an expiration time based on the 3-level timeout priority.
+     *
+     * @param txId - The transaction ID
+     * @param options - Optional policy-specific timeout
+     * @returns The approval ID and expiration timestamp
+     */
+    requestApproval(txId: string, options?: RequestApprovalOptions): RequestApprovalResult;
+    /**
+     * Approve a pending APPROVAL transaction with owner signature.
+     *
+     * Atomically validates the approval, sets approvedAt + ownerSignature,
+     * transitions the transaction to EXECUTING, and clears reserved_amount.
+     *
+     * @param txId - The transaction ID
+     * @param ownerSignature - The owner's cryptographic signature
+     * @returns The transaction ID and approval timestamp
+     * @throws WAIaaSError APPROVAL_NOT_FOUND if no pending approval exists
+     * @throws WAIaaSError APPROVAL_TIMEOUT if the approval has expired
+     */
+    approve(txId: string, ownerSignature: string): ApproveResult;
+    /**
+     * Reject a pending APPROVAL transaction.
+     *
+     * Atomically sets rejectedAt, transitions the transaction to CANCELLED,
+     * and clears reserved_amount.
+     *
+     * @param txId - The transaction ID
+     * @returns The transaction ID and rejection timestamp
+     * @throws WAIaaSError APPROVAL_NOT_FOUND if no pending approval exists
+     */
+    reject(txId: string): RejectResult;
+    /**
+     * Batch-expire pending approvals that have exceeded their timeout.
+     *
+     * For each expired approval: sets the transaction status to EXPIRED and
+     * clears reserved_amount. Does NOT set rejectedAt (expired != rejected).
+     *
+     * @param now - Current Unix epoch seconds
+     * @returns Count of expired approvals
+     */
+    processExpiredApprovals(now: number): number;
+    /**
+     * Resolve approval timeout with 3-level priority:
+     * 1. Policy-specific timeout (from options)
+     * 2. Config timeout (policy_defaults_approval_timeout)
+     * 3. 3600 hardcoded fallback
+     */
+    private resolveTimeout;
+}
+export {};
+//# sourceMappingURL=approval-workflow.d.ts.map

package/dist/workflow/approval-workflow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-workflow.d.ts","sourceRoot":"","sources":["../../src/workflow/approval-workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACxE,OAAO,KAAK,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGjE,OAAO,KAAK,KAAK,MAAM,MAAM,sCAAsC,CAAC;AAapE,UAAU,oBAAoB;IAC5B,EAAE,EAAE,qBAAqB,CAAC,OAAO,MAAM,CAAC,CAAC;IACzC,MAAM,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE;QACN,gCAAgC,EAAE,MAAM,CAAC;KAC1C,CAAC;CACH;AAED,UAAU,sBAAsB;IAC9B,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,UAAU,qBAAqB;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;CACpB;AAcD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;gBAE3B,IAAI,EAAE,oBAAoB;IAStC;;;;;;;;;OASG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,sBAAsB,GAAG,qBAAqB;IA8BtF;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,aAAa;IA6C5D;;;;;;;;;OASG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY;IAuClC;;;;;;;;OAQG;IACH,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IAqC5C;;;;;OAKG;IACH,OAAO,CAAC,cAAc;CASvB"}