npm - @waiaas/daemon - Versions diffs - 2.11.0-rc.7 → 2.11.0 - Mend

@waiaas/daemon 2.11.0-rc.7 → 2.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (430) hide show

package/dist/services/x402/ssrf-guard.d.ts CHANGED Viewed

@@ -1,27 +1,8 @@
 /**
- * SSRF Guard for x402 HTTP proxy.
+ * Re-export from infrastructure/security/ssrf-guard.ts for backward compatibility.
  *
- * Defense layers:
- * 1. URL normalization (trailing dot, lowercase, userinfo rejection, port 443 only)
- * 2. Protocol enforcement (HTTPS only)
- * 3. DNS pre-resolution + private IP blocking (RFC 5735/6890)
- * 4. IPv4-mapped IPv6 bypass vector blocking
- * 5. Redirect re-validation (max 3 hops)
- *
- * @module ssrf-guard
- */
-/**
- * Validate URL safety against SSRF attacks.
- * Performs DNS resolution and validates all resolved IPs are public.
- *
- * @throws WAIaaSError('X402_SSRF_BLOCKED') if URL targets private/reserved IP
- */
-export declare function validateUrlSafety(urlString: string): Promise<URL>;
-/**
- * Fetch with manual redirect handling and SSRF re-validation per hop.
- * Max 3 redirects. After redirect, method becomes GET and body is dropped.
- *
- * @throws WAIaaSError('X402_SSRF_BLOCKED') on private IP redirect or too many redirects
+ * @deprecated Import from '../../infrastructure/security/ssrf-guard.js' instead.
  */
-export declare function safeFetchWithRedirects(url: URL, method: string, headers?: Record<string, string>, body?: string, timeout?: number): Promise<Response>;
+export { validateUrlSafety, safeFetchWithRedirects, } from '../../infrastructure/security/ssrf-guard.js';
+export type { ValidateUrlOptions } from '../../infrastructure/security/ssrf-guard.js';
 //# sourceMappingURL=ssrf-guard.d.ts.map

package/dist/services/x402/ssrf-guard.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ssrf-guard.d.ts","sourceRoot":"","sources":["../../../src/services/x402/ssrf-guard.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;GAWG~~;~~AAiBH;;;;;GAKG;~~AACH,~~wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,~~OAAO,~~CAAC~~,~~GAAG~~,~~CAAC~~,~~CAuCvE;AAED;;;;;GAKG;AACH,wBAAsB,~~sBAAsB,~~CAC1C~~,~~GAAG,EAAE,GAAG,EACR,~~MAAM,~~EAAE~~,~~MAAM,EACd,OAAO,~~CAAC,~~EAAE~~,~~MAAM,CAAC,MAAM,~~EAAE,~~MAAM~~,~~CAAC,EAChC,IAAI,CAAC,~~EAAE,MAAM,~~EACb~~,~~OAAO,GAAE,MAA2B,GACnC,OAAO,~~CAAC~~,QAAQ,CAAC,CAuCnB~~"}
1	+ {"version":3,"file":"ssrf-guard.d.ts","sourceRoot":"","sources":["../../../src/services/x402/ssrf-guard.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,iBAAiB,EACjB,sBAAsB,GACvB,MAAM,6CAA6C,CAAC;AACrD,YAAY,EAAE,kBAAkB,EAAE,MAAM,6CAA6C,CAAC"}

package/dist/services/x402/ssrf-guard.js CHANGED Viewed

@@ -1,236 +1,7 @@
 /**
- * SSRF Guard for x402 HTTP proxy.
+ * Re-export from infrastructure/security/ssrf-guard.ts for backward compatibility.
  *
- * Defense layers:
- * 1. URL normalization (trailing dot, lowercase, userinfo rejection, port 443 only)
- * 2. Protocol enforcement (HTTPS only)
- * 3. DNS pre-resolution + private IP blocking (RFC 5735/6890)
- * 4. IPv4-mapped IPv6 bypass vector blocking
- * 5. Redirect re-validation (max 3 hops)
- *
- * @module ssrf-guard
- */
-import { lookup } from 'node:dns/promises';
-import { isIP } from 'node:net';
-import { WAIaaSError } from '@waiaas/core';
-// ---------------------------------------------------------------------------
-// Constants
-// ---------------------------------------------------------------------------
-const MAX_REDIRECTS = 3;
-const DEFAULT_TIMEOUT_MS = 30_000;
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-/**
- * Validate URL safety against SSRF attacks.
- * Performs DNS resolution and validates all resolved IPs are public.
- *
- * @throws WAIaaSError('X402_SSRF_BLOCKED') if URL targets private/reserved IP
- */
-export async function validateUrlSafety(urlString) {
-    const url = normalizeUrl(urlString);
-    // Protocol enforcement: HTTPS only
-    if (url.protocol !== 'https:') {
-        throw new WAIaaSError('X402_SSRF_BLOCKED', {
-            message: `Only HTTPS URLs are allowed, got ${url.protocol}`,
-        });
-    }
-    // Reject userinfo
-    if (url.username || url.password) {
-        throw new WAIaaSError('X402_SSRF_BLOCKED', {
-            message: 'URLs with userinfo (@) are not allowed',
-        });
-    }
-    // Port validation: only 443 (or default empty)
-    if (url.port && url.port !== '443') {
-        throw new WAIaaSError('X402_SSRF_BLOCKED', {
-            message: `Non-standard port ${url.port} is not allowed`,
-        });
-    }
-    const hostname = url.hostname;
-    // Direct IP in hostname
-    if (isIP(hostname)) {
-        assertPublicIP(hostname);
-        return url;
-    }
-    // DNS pre-resolution: resolve all A + AAAA records
-    const addresses = await lookup(hostname, { all: true });
-    for (const { address } of addresses) {
-        assertPublicIP(address);
-    }
-    return url;
-}
-/**
- * Fetch with manual redirect handling and SSRF re-validation per hop.
- * Max 3 redirects. After redirect, method becomes GET and body is dropped.
- *
- * @throws WAIaaSError('X402_SSRF_BLOCKED') on private IP redirect or too many redirects
- */
-export async function safeFetchWithRedirects(url, method, headers, body, timeout = DEFAULT_TIMEOUT_MS) {
-    let currentUrl = url;
-    for (let i = 0; i <= MAX_REDIRECTS; i++) {
-        const controller = new AbortController();
-        const timer = setTimeout(() => controller.abort(), timeout);
-        try {
-            const response = await fetch(currentUrl.toString(), {
-                method: i === 0 ? method : 'GET',
-                headers: i === 0 ? headers : undefined,
-                body: i === 0 && method !== 'GET' ? body : undefined,
-                signal: controller.signal,
-                redirect: 'manual',
-            });
-            // Non-redirect response: return as-is
-            if (response.status < 300 || response.status >= 400) {
-                return response;
-            }
-            // Redirect: extract and validate Location
-            const location = response.headers.get('Location');
-            if (!location) {
-                return response;
-            }
-            // SSRF re-validation on redirect target
-            currentUrl = await validateUrlSafety(new URL(location, currentUrl).toString());
-        }
-        finally {
-            clearTimeout(timer);
-        }
-    }
-    throw new WAIaaSError('X402_SSRF_BLOCKED', {
-        message: `Too many redirects (max ${MAX_REDIRECTS})`,
-    });
-}
-// ---------------------------------------------------------------------------
-// Internal: URL normalization
-// ---------------------------------------------------------------------------
-function normalizeUrl(urlString) {
-    const url = new URL(urlString);
-    // Remove trailing dot (FQDN normalization)
-    if (url.hostname.endsWith('.')) {
-        url.hostname = url.hostname.slice(0, -1);
-    }
-    return url;
-}
-// ---------------------------------------------------------------------------
-// Internal: IP validation
-// ---------------------------------------------------------------------------
-/**
- * Assert that an IP address is public (not private/reserved).
- * Handles IPv4-mapped IPv6 normalization before checking.
- *
- * @throws WAIaaSError('X402_SSRF_BLOCKED') if IP is private/reserved
- */
-function assertPublicIP(ip) {
-    const normalized = normalizeIPv6Mapped(ip);
-    if (isPrivateIP(normalized)) {
-        throw new WAIaaSError('X402_SSRF_BLOCKED', {
-            message: `Resolved IP ${ip} is private/reserved`,
-        });
-    }
-}
-/**
- * Normalize IPv4-mapped IPv6 addresses to their IPv4 equivalents.
- * - ::ffff:A.B.C.D -> A.B.C.D (dotted format)
- * - ::ffff:HHHH:HHHH -> A.B.C.D (hex-encoded format)
- */
-function normalizeIPv6Mapped(ip) {
-    const lower = ip.toLowerCase();
-    // ::ffff:A.B.C.D format (dotted decimal)
-    if (lower.startsWith('::ffff:') && lower.includes('.')) {
-        return lower.slice(7);
-    }
-    // ::ffff:HHHH:HHHH format (hex-encoded IPv4)
-    const match = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
-    if (match) {
-        const hi = parseInt(match[1], 16);
-        const lo = parseInt(match[2], 16);
-        return `${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`;
-    }
-    return ip;
-}
-/**
- * Check if an IP (already normalized from IPv4-mapped IPv6) is private/reserved.
- */
-function isPrivateIP(ip) {
-    // Try IPv4 first, then IPv6
-    if (ip.includes('.')) {
-        return isPrivateIPv4(ip);
-    }
-    return isPrivateIPv6(ip);
-}
-/**
- * RFC 5735/6890 private/reserved IPv4 ranges.
- */
-function isPrivateIPv4(ip) {
-    const parts = ip.split('.');
-    if (parts.length !== 4)
-        return false;
-    const a = Number(parts[0]);
-    const b = Number(parts[1]);
-    const c = Number(parts[2]);
-    // 0.0.0.0/8 - This network
-    if (a === 0)
-        return true;
-    // 10.0.0.0/8 - Private
-    if (a === 10)
-        return true;
-    // 100.64.0.0/10 - Shared address space (CGNAT)
-    if (a === 100 && b >= 64 && b <= 127)
-        return true;
-    // 127.0.0.0/8 - Loopback
-    if (a === 127)
-        return true;
-    // 169.254.0.0/16 - Link-local
-    if (a === 169 && b === 254)
-        return true;
-    // 172.16.0.0/12 - Private
-    if (a === 172 && b >= 16 && b <= 31)
-        return true;
-    // 192.0.0.0/24 - IETF Protocol Assignments
-    if (a === 192 && b === 0 && c === 0)
-        return true;
-    // 192.0.2.0/24 - Documentation (TEST-NET-1)
-    if (a === 192 && b === 0 && c === 2)
-        return true;
-    // 192.168.0.0/16 - Private
-    if (a === 192 && b === 168)
-        return true;
-    // 198.18.0.0/15 - Benchmarking
-    if (a === 198 && (b === 18 || b === 19))
-        return true;
-    // 198.51.100.0/24 - Documentation (TEST-NET-2)
-    if (a === 198 && b === 51 && c === 100)
-        return true;
-    // 203.0.113.0/24 - Documentation (TEST-NET-3)
-    if (a === 203 && b === 0 && c === 113)
-        return true;
-    // 224.0.0.0/4 - Multicast
-    if (a >= 224 && a <= 239)
-        return true;
-    // 240.0.0.0/4 - Reserved + 255.255.255.255 broadcast
-    if (a >= 240)
-        return true;
-    return false;
-}
-/**
- * Private/reserved IPv6 ranges.
+ * @deprecated Import from '../../infrastructure/security/ssrf-guard.js' instead.
  */
-function isPrivateIPv6(ip) {
-    const lower = ip.toLowerCase();
-    // ::1 - Loopback
-    if (lower === '::1')
-        return true;
-    // :: - Unspecified
-    if (lower === '::')
-        return true;
-    // fe80::/10 - Link-local
-    if (lower.startsWith('fe80:') || lower === 'fe80')
-        return true;
-    // fc00::/7 - Unique local (fc00::/8 + fd00::/8)
-    if (lower.startsWith('fc') || lower.startsWith('fd'))
-        return true;
-    // ff00::/8 - Multicast
-    if (lower.startsWith('ff'))
-        return true;
-    return false;
-}
+export { validateUrlSafety, safeFetchWithRedirects, } from '../../infrastructure/security/ssrf-guard.js';
 //# sourceMappingURL=ssrf-guard.js.map

package/dist/services/x402/ssrf-guard.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ssrf-guard.js","sourceRoot":"","sources":["../../../src/services/x402/ssrf-guard.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;GAWG~~;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,aAAa,GAAG,CAAC,CAAC;AACxB,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;GAKG;AACH,~~MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAAiB;IACvD,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IAEpC,mCAAmC;IACnC,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,~~OAAO,~~EAAE~~,oCAAoC,GAAG,CAAC,QAAQ,EAAE;SAC5D,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,OAAO,EAAE,wCAAwC;SAClD,CAAC,CAAC;IACL,CAAC;IAED,+CAA+C;IAC/C,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACnC,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,OAAO,EAAE,qBAAqB,GAAG,CAAC,IAAI,iBAAiB~~;SACxD~~,~~CAAC~~,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAE9B,wBAAwB;IACxB,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnB,cAAc,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,GAAG,CAAC;IACb,CAAC;IAED,mDAAmD;IACnD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,SAAS,EAAE,CAAC;QACpC,cAAc,CAAC,OAAO,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,~~CAC1C~~,~~GAAQ,EACR,MAAc,EACd,OAAgC,EAChC,IAAa,EACb,UAAkB,kBAAkB;IAEpC,IAAI,UAAU,GAAG,GAAG,CAAC;IAErB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,aAAa,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,~~MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;QAE5D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE;gBAClD,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;gBAChC,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBACtC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;gBACpD,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,QAAQ,EAAE,QAAQ;aACnB,CAAC,CAAC;YAEH,sCAAsC;YACtC,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;gBACpD,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,wCAAwC;YACxC,UAAU,GAAG,MAAM,iBAAiB,CAClC,IAAI,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE,CACzC,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;QACzC,OAAO,EAAE,2BAA2B,aAAa,GAAG;KACrD,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/B,2CAA2C;IAC3C,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,cAAc,CAAC,EAAU;IAChC,MAAM,UAAU,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;IAE3C,IAAI,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,WAAW,CAAC,mBAAmB,EAAE;YACzC,OAAO,EAAE,eAAe,EAAE,sBAAsB;SACjD,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,EAAU;IACrC,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;IAE/B,yCAAyC;IACzC,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IAED,6CAA6C~~;IAC7C~~,~~MAAM,KAAK,GAAG,KAAK,~~CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;IACtE,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;QACnC,OAAO,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,GAAG,IAAI,EAAE,CAAC;IAC7E,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,EAAU;IAC7B,4BAA4B;IAC5B,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,aAAa,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,aAAa,CAAC,EAAE,CAAC,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,EAAU;IAC/B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE3B,2BAA2B;IAC3B,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,uBAAuB;IACvB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1B,+CAA+C;IAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAClD,yBAAyB;IACzB,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3B,8BAA8B;IAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,0BAA0B;IAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACjD,2CAA2C;IAC3C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,4CAA4C;IAC5C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,2BAA2B;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,+BAA+B;IAC/B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,+CAA+C;IAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACpD,8CAA8C;IAC9C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACnD,0BAA0B;IAC1B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IACtC,qDAAqD;IACrD,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAE1B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,EAAU;IAC/B,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;IAE/B,iBAAiB;IACjB,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACjC,mBAAmB;IACnB,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,yBAAyB;IACzB,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAC/D,gDAAgD;IAChD,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,uBAAuB;IACvB,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,OAAO,KAAK,CAAC;AACf,CAAC"}
1	+ {"version":3,"file":"ssrf-guard.js","sourceRoot":"","sources":["../../../src/services/x402/ssrf-guard.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,iBAAiB,EACjB,sBAAsB,GACvB,MAAM,6CAA6C,CAAC"}

package/dist/signing/capabilities/eip712-signer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"eip712-signer.d.ts","sourceRoot":"","sources":["../../../src/signing/capabilities/eip712-signer.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,aAAa,EAAuB,MAAM,aAAa,CAAC;AAGxG,qBAAa,sBAAuB,YAAW,iBAAiB;IAC9D,QAAQ,CAAC,MAAM,EAAG,QAAQ,CAAU;IAEpC,OAAO,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO;IAMjC,IAAI,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;~~CAoB1D~~"}
1	+ {"version":3,"file":"eip712-signer.d.ts","sourceRoot":"","sources":["../../../src/signing/capabilities/eip712-signer.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,aAAa,EAAuB,MAAM,aAAa,CAAC;AAGxG,qBAAa,sBAAuB,YAAW,iBAAiB;IAC9D,QAAQ,CAAC,MAAM,EAAG,QAAQ,CAAU;IAEpC,OAAO,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO;IAMjC,IAAI,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;CAsB1D"}

package/dist/signing/capabilities/eip712-signer.js CHANGED Viewed

@@ -20,6 +20,8 @@ export class Eip712SignerCapability {
         try {
             const account = privateKeyToAccount(p.privateKey);
             const signature = await account.signTypedData({
+                // EIP-712 domain/types/message are loosely typed in our signing params
+                // but viem requires specific literal generics -- use targeted assertions
                 domain: p.domain,
                 types: p.types,
                 primaryType: p.primaryType,

package/dist/signing/capabilities/eip712-signer.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"eip712-signer.js","sourceRoot":"","sources":["../../../src/signing/capabilities/eip712-signer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAEpD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEnD,MAAM,OAAO,sBAAsB;IACxB,MAAM,GAAG,QAAiB,CAAC;IAEpC,OAAO,CAAC,MAAqB;QAC3B,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC7C,MAAM,CAAC,GAAG,MAA6B,CAAC;QACxC,OAAO,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAqB;QAC9B,MAAM,CAAC,GAAG,MAA6B,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,mBAAmB,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC;gBAC5C,MAAM,EAAE,CAAC,CAAC,~~MAAa~~;~~gBACvB~~,KAAK,EAAE,CAAC,CAAC,~~KAAY~~;~~gBACrB~~,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,OAAO,EAAE,CAAC,CAAC,~~KAAY~~;~~aACxB~~,CAAC,CAAC;YACH,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,YAAY,CACpB,2BAA4B,GAAa,CAAC,OAAO,EAAE,EACnD,QAAQ,EACR,aAAa,EACb,GAAY,CACb,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}
1	+ {"version":3,"file":"eip712-signer.js","sourceRoot":"","sources":["../../../src/signing/capabilities/eip712-signer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAEpD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEnD,MAAM,OAAO,sBAAsB;IACxB,MAAM,GAAG,QAAiB,CAAC;IAEpC,OAAO,CAAC,MAAqB;QAC3B,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC7C,MAAM,CAAC,GAAG,MAA6B,CAAC;QACxC,OAAO,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAqB;QAC9B,MAAM,CAAC,GAAG,MAA6B,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,mBAAmB,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC;gBAC5C,uEAAuE;gBACvE,yEAAyE;gBACzE,MAAM,EAAE,CAAC,CAAC,MAAiC;gBAC3C,KAAK,EAAE,CAAC,CAAC,KAA8D;gBACvE,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,OAAO,EAAE,CAAC,CAAC,KAAgC;aAC5C,CAAC,CAAC;YACH,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,YAAY,CACpB,2BAA4B,GAAa,CAAC,OAAO,EAAE,EACnD,QAAQ,EACR,aAAa,EACb,GAAY,CACb,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@waiaas/daemon",
-  "version": "2.11.0-rc.7",
+  "version": "2.11.0",
   "description": "WAIaaS daemon - self-hosted wallet service for AI agents",
   "license": "MIT",
   "type": "module",
@@ -49,10 +49,10 @@
     "viem": "^2.21.0",
     "zod": "^3.24.0",
     "zod-to-json-schema": "^3.25.1",
-    "@waiaas/actions": "2.11.0-rc.7",
-    "@waiaas/adapter-evm": "2.11.0-rc.7",
-    "@waiaas/adapter-solana": "2.11.0-rc.7",
-    "@waiaas/core": "2.11.0-rc.7"
+    "@waiaas/actions": "2.11.0",
+    "@waiaas/adapter-evm": "2.11.0",
+    "@waiaas/adapter-solana": "2.11.0",
+    "@waiaas/core": "2.11.0"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.0",