@waiaas/daemon 2.4.0-rc.2 → 2.4.0-rc.3

package/dist/services/signing-sdk/channels/telegram-signing-channel.js

@@ -0,0 +1,87 @@
+/**
+ * TelegramSigningChannel -- sends SignRequests via Telegram inline button message.
+ *
+ * When a PENDING_APPROVAL transaction triggers a SignRequest:
+ *   1. Builds the SignRequest via SignRequestBuilder
+ *   2. Registers the request with SignResponseHandler for later matching
+ *   3. Sends a Telegram message to the admin chat with an inline "Open in Wallet"
+ *      button containing the universal link URL
+ *
+ * Unlike NtfySigningChannel, TelegramSigningChannel does NOT subscribe to a response
+ * topic. The response arrives via the /sign_response Telegram bot command, which
+ * delegates to SignResponseHandler. This is a one-way push channel.
+ *
+ * Implements ISigningChannel interface for consistent channel abstraction.
+ *
+ * @see internal/design/73-signing-protocol-v1.md (Section 7.2, 7.3)
+ * @see internal/design/74-wallet-sdk-daemon-components.md
+ */
+import { escapeMarkdownV2 } from '../../../infrastructure/telegram/telegram-bot-service.js';
+// ---------------------------------------------------------------------------
+// TelegramSigningChannel
+// ---------------------------------------------------------------------------
+export class TelegramSigningChannel {
+    signRequestBuilder;
+    signResponseHandler;
+    settings;
+    telegramApi;
+    constructor(opts) {
+        this.signRequestBuilder = opts.signRequestBuilder;
+        this.signResponseHandler = opts.signResponseHandler;
+        this.settings = opts.settingsService;
+        this.telegramApi = opts.telegramApi;
+    }
+    // -------------------------------------------------------------------------
+    // sendRequest -- send Telegram message with universal link inline button
+    // -------------------------------------------------------------------------
+    /**
+     * Send a SignRequest via Telegram message with an inline "Open in Wallet" button.
+     *
+     * @param params - Transaction metadata + walletId
+     * @returns requestId, requestTopic (empty for Telegram), responseTopic (empty)
+     * @throws Error if telegram chat_id is not configured
+     */
+    async sendRequest(params) {
+        // 1. Build SignRequest via SignRequestBuilder
+        const { request, universalLinkUrl, requestTopic } = this.signRequestBuilder.buildRequest(params);
+        // 2. Register request with SignResponseHandler for later matching
+        this.signResponseHandler.registerRequest(request);
+        // 3. Get admin chat_id from settings
+        const chatIdStr = this.settings.get('notifications.telegram_chat_id');
+        if (!chatIdStr) {
+            throw new Error('Telegram chat_id is not configured in notifications.telegram_chat_id');
+        }
+        const chatId = parseInt(chatIdStr, 10);
+        if (isNaN(chatId)) {
+            throw new Error('Invalid telegram_chat_id: must be a numeric value');
+        }
+        // 4. Format display message with MarkdownV2 escaping
+        const header = '*WAIaaS Sign Request*';
+        const body = escapeMarkdownV2(request.displayMessage);
+        const txInfo = `TX: \`${escapeMarkdownV2(request.metadata.txId.slice(0, 8))}\\.\\.\\.\``;
+        const chain = `Chain: ${escapeMarkdownV2(request.chain)}/${escapeMarkdownV2(request.network)}`;
+        const text = `${header}\n\n${body}\n${txInfo}\n${chain}`;
+        // 5. Send Telegram message with inline keyboard (universal link button)
+        await this.telegramApi.sendMessage(chatId, text, {
+            inline_keyboard: [
+                [{ text: 'Open in Wallet', url: universalLinkUrl }],
+            ],
+        });
+        // 6. Return result (no ntfy topics for Telegram channel)
+        return {
+            requestId: request.requestId,
+            requestTopic,
+            responseTopic: '',
+        };
+    }
+    // -------------------------------------------------------------------------
+    // shutdown -- no-op (no active subscriptions)
+    // -------------------------------------------------------------------------
+    /**
+     * Shutdown the channel. No-op for Telegram (no SSE subscriptions to clean up).
+     */
+    shutdown() {
+        // No active subscriptions to clean up
+    }
+}
+//# sourceMappingURL=telegram-signing-channel.js.map

package/dist/services/signing-sdk/channels/telegram-signing-channel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"telegram-signing-channel.js","sourceRoot":"","sources":["../../../../src/services/signing-sdk/channels/telegram-signing-channel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAMH,OAAO,EAAE,gBAAgB,EAAE,MAAM,0DAA0D,CAAC;AAuB5F,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,MAAM,OAAO,sBAAsB;IAChB,kBAAkB,CAAqB;IACvC,mBAAmB,CAAsB;IACzC,QAAQ,CAAkB;IAC1B,WAAW,CAAc;IAE1C,YAAY,IAAgC;QAC1C,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAClD,IAAI,CAAC,mBAAmB,GAAG,IAAI,CAAC,mBAAmB,CAAC;QACpD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC;QACrC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;IACtC,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,4EAA4E;IAE5E;;;;;;OAMG;IACH,KAAK,CAAC,WAAW,CAAC,MAAyB;QACzC,8CAA8C;QAC9C,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAC/C,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAE/C,kEAAkE;QAClE,IAAI,CAAC,mBAAmB,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAElD,qCAAqC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QACtE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAC1F,CAAC;QACD,MAAM,MAAM,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACvC,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QAED,qDAAqD;QACrD,MAAM,MAAM,GAAG,uBAAuB,CAAC;QACvC,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,SAAS,gBAAgB,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;QACzF,MAAM,KAAK,GAAG,UAAU,gBAAgB,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/F,MAAM,IAAI,GAAG,GAAG,MAAM,OAAO,IAAI,KAAK,MAAM,KAAK,KAAK,EAAE,CAAC;QAEzD,wEAAwE;QACxE,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE;YAC/C,eAAe,EAAE;gBACf,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,GAAG,EAAE,gBAAgB,EAAE,CAAC;aACpD;SACF,CAAC,CAAC;QAEH,yDAAyD;QACzD,OAAO;YACL,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,YAAY;YACZ,aAAa,EAAE,EAAE;SAClB,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,8CAA8C;IAC9C,4EAA4E;IAE5E;;OAEG;IACH,QAAQ;QACN,sCAAsC;IACxC,CAAC;CACF"}

package/dist/services/signing-sdk/index.d.ts

@@ -0,0 +1,34 @@
+/**
+ * signing-sdk module -- unified exports for the daemon signing SDK.
+ *
+ * Provides:
+ *   - SignRequestBuilder: builds SignRequest from PENDING_APPROVAL transactions
+ *   - SignResponseHandler: processes wallet app SignResponse (approve/reject)
+ *   - WalletLinkRegistry: manages registered wallet configurations
+ *   - NtfySigningChannel: ntfy-based publish/subscribe signing channel
+ *   - TelegramSigningChannel: Telegram-based one-way push signing channel
+ *   - ApprovalChannelRouter: routes to correct channel based on wallet's owner_approval_method
+ *   - ISigningChannel: channel interface for future channel implementations
+ *
+ * @see internal/design/73-signing-protocol-v1.md
+ * @see internal/design/74-wallet-sdk-daemon-components.md
+ */
+export { SignRequestBuilder } from './sign-request-builder.js';
+export type { BuildRequestParams, BuildRequestResult } from './sign-request-builder.js';
+export { SignResponseHandler } from './sign-response-handler.js';
+export type { SignResponseHandlerDeps, HandleResult } from './sign-response-handler.js';
+export { WalletLinkRegistry } from './wallet-link-registry.js';
+export { NtfySigningChannel } from './channels/index.js';
+export type { NtfySigningChannelOpts, SendRequestParams, SendRequestResult } from './channels/index.js';
+export { TelegramSigningChannel } from './channels/index.js';
+export type { TelegramSigningChannelOpts } from './channels/index.js';
+export { ApprovalChannelRouter } from './approval-channel-router.js';
+export type { ApprovalChannelRouterDeps, RouteResult } from './approval-channel-router.js';
+import type { SendRequestParams as _SendRequestParams } from './channels/index.js';
+export interface ISigningChannel {
+    sendRequest(params: _SendRequestParams): Promise<{
+        requestId: string;
+    }>;
+    shutdown(): void;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/services/signing-sdk/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/signing-sdk/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,YAAY,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAExF,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,YAAY,EAAE,uBAAuB,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAExF,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAG/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,YAAY,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExG,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,YAAY,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AAGtE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,YAAY,EAAE,yBAAyB,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAM3F,OAAO,KAAK,EAAE,iBAAiB,IAAI,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAEnF,MAAM,WAAW,eAAe;IAC9B,WAAW,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACxE,QAAQ,IAAI,IAAI,CAAC;CAClB"}

package/dist/services/signing-sdk/index.js

@@ -0,0 +1,25 @@
+/**
+ * signing-sdk module -- unified exports for the daemon signing SDK.
+ *
+ * Provides:
+ *   - SignRequestBuilder: builds SignRequest from PENDING_APPROVAL transactions
+ *   - SignResponseHandler: processes wallet app SignResponse (approve/reject)
+ *   - WalletLinkRegistry: manages registered wallet configurations
+ *   - NtfySigningChannel: ntfy-based publish/subscribe signing channel
+ *   - TelegramSigningChannel: Telegram-based one-way push signing channel
+ *   - ApprovalChannelRouter: routes to correct channel based on wallet's owner_approval_method
+ *   - ISigningChannel: channel interface for future channel implementations
+ *
+ * @see internal/design/73-signing-protocol-v1.md
+ * @see internal/design/74-wallet-sdk-daemon-components.md
+ */
+// Core services
+export { SignRequestBuilder } from './sign-request-builder.js';
+export { SignResponseHandler } from './sign-response-handler.js';
+export { WalletLinkRegistry } from './wallet-link-registry.js';
+// Channels
+export { NtfySigningChannel } from './channels/index.js';
+export { TelegramSigningChannel } from './channels/index.js';
+// Routing
+export { ApprovalChannelRouter } from './approval-channel-router.js';
+//# sourceMappingURL=index.js.map

package/dist/services/signing-sdk/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/services/signing-sdk/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,gBAAgB;AAChB,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAG/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAGjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAE/D,WAAW;AACX,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAGzD,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAG7D,UAAU;AACV,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC"}

package/dist/services/signing-sdk/sign-request-builder.d.ts

@@ -0,0 +1,61 @@
+/**
+ * SignRequestBuilder -- builds SignRequest objects for PENDING_APPROVAL transactions.
+ *
+ * Transforms transaction metadata into a SignRequest with a signing message
+ * (doc 73 Section 5 template), response channel config, and a universal link URL
+ * for the target wallet app.
+ *
+ * Intentionally does NOT go through ApprovalWorkflow -- SignRequestBuilder is
+ * invoked *after* the pipeline has already set the transaction to PENDING_APPROVAL
+ * state. It produces the data needed to notify the owner via ntfy/Telegram channels.
+ *
+ * @see internal/design/73-signing-protocol-v1.md (Section 3, 5)
+ * @see internal/design/74-wallet-sdk-daemon-components.md
+ */
+import { type SignRequest } from '@waiaas/core';
+import type { SettingsService } from '../../infrastructure/settings/settings-service.js';
+import type { WalletLinkRegistry } from './wallet-link-registry.js';
+export interface BuildRequestParams {
+    txId: string;
+    chain: 'solana' | 'evm';
+    network: string;
+    type: string;
+    from: string;
+    to: string;
+    amount?: string;
+    symbol?: string;
+    policyTier: 'APPROVAL' | 'DELAY';
+    walletName?: string;
+}
+export interface BuildRequestResult {
+    request: SignRequest;
+    universalLinkUrl: string;
+    requestTopic: string;
+}
+export declare class SignRequestBuilder {
+    private readonly settings;
+    private readonly walletLinkRegistry;
+    constructor(opts: {
+        settingsService: SettingsService;
+        walletLinkRegistry: WalletLinkRegistry;
+    });
+    /**
+     * Build a SignRequest from a PENDING_APPROVAL transaction.
+     *
+     * @param params - Transaction metadata
+     * @returns The SignRequest, universal link URL, and ntfy request topic
+     * @throws WAIaaSError('SIGNING_SDK_DISABLED') if signing SDK is disabled
+     * @throws WAIaaSError('WALLET_NOT_REGISTERED') if no wallet is configured
+     */
+    buildRequest(params: BuildRequestParams): BuildRequestResult;
+    /**
+     * Build signing message text per doc 73 Section 5 template.
+     * Amount/symbol line is omitted when both are absent.
+     */
+    private buildSigningMessage;
+    /**
+     * Build a concise display message for wallet app UI.
+     */
+    private buildDisplayMessage;
+}
+//# sourceMappingURL=sign-request-builder.d.ts.map

package/dist/services/signing-sdk/sign-request-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-request-builder.d.ts","sourceRoot":"","sources":["../../../src/services/signing-sdk/sign-request-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,KAAK,WAAW,EAGjB,MAAM,cAAc,CAAC;AACtB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mDAAmD,CAAC;AACzF,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAOpE,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,QAAQ,GAAG,KAAK,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,WAAW,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;CACtB;AAMD,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAkB;IAC3C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAqB;gBAE5C,IAAI,EAAE;QAChB,eAAe,EAAE,eAAe,CAAC;QACjC,kBAAkB,EAAE,kBAAkB,CAAC;KACxC;IASD;;;;;;;OAOG;IACH,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,kBAAkB;IAmG5D;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAuC3B;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAM5B"}

package/dist/services/signing-sdk/sign-request-builder.js

@@ -0,0 +1,157 @@
+/**
+ * SignRequestBuilder -- builds SignRequest objects for PENDING_APPROVAL transactions.
+ *
+ * Transforms transaction metadata into a SignRequest with a signing message
+ * (doc 73 Section 5 template), response channel config, and a universal link URL
+ * for the target wallet app.
+ *
+ * Intentionally does NOT go through ApprovalWorkflow -- SignRequestBuilder is
+ * invoked *after* the pipeline has already set the transaction to PENDING_APPROVAL
+ * state. It produces the data needed to notify the owner via ntfy/Telegram channels.
+ *
+ * @see internal/design/73-signing-protocol-v1.md (Section 3, 5)
+ * @see internal/design/74-wallet-sdk-daemon-components.md
+ */
+import { SignRequestSchema, WAIaaSError, } from '@waiaas/core';
+import { generateId } from '../../infrastructure/database/id.js';
+// ---------------------------------------------------------------------------
+// SignRequestBuilder
+// ---------------------------------------------------------------------------
+export class SignRequestBuilder {
+    settings;
+    walletLinkRegistry;
+    constructor(opts) {
+        this.settings = opts.settingsService;
+        this.walletLinkRegistry = opts.walletLinkRegistry;
+    }
+    // -------------------------------------------------------------------------
+    // buildRequest
+    // -------------------------------------------------------------------------
+    /**
+     * Build a SignRequest from a PENDING_APPROVAL transaction.
+     *
+     * @param params - Transaction metadata
+     * @returns The SignRequest, universal link URL, and ntfy request topic
+     * @throws WAIaaSError('SIGNING_SDK_DISABLED') if signing SDK is disabled
+     * @throws WAIaaSError('WALLET_NOT_REGISTERED') if no wallet is configured
+     */
+    buildRequest(params) {
+        // 1. Check signing SDK enabled
+        const enabled = this.settings.get('signing_sdk.enabled');
+        if (enabled !== 'true') {
+            throw new WAIaaSError('SIGNING_SDK_DISABLED');
+        }
+        // 2. Determine wallet name
+        const walletName = params.walletName ||
+            this.settings.get('signing_sdk.preferred_wallet') ||
+            undefined;
+        if (!walletName) {
+            throw new WAIaaSError('WALLET_NOT_REGISTERED', {
+                message: 'No wallet name specified and no preferred_wallet configured',
+            });
+        }
+        // 3. Verify wallet exists (throws WALLET_NOT_REGISTERED if not found)
+        const walletConfig = this.walletLinkRegistry.getWallet(walletName);
+        // 4. Generate requestId (UUID v7)
+        const requestId = generateId();
+        // 5. Build signing message (doc 73 Section 5 template)
+        const now = new Date();
+        const message = this.buildSigningMessage(params, params.network, requestId, now);
+        // 6. Build display message (concise human-readable version)
+        const displayMessage = this.buildDisplayMessage(params);
+        // 7. Calculate expiresAt from settings
+        const expiryMinStr = this.settings.get('signing_sdk.request_expiry_min');
+        const expiryMin = parseInt(expiryMinStr, 10) || 30;
+        const expiresAt = new Date(now.getTime() + expiryMin * 60 * 1000);
+        // 8. Determine response channel
+        const preferredChannel = this.settings.get('signing_sdk.preferred_channel');
+        const responseTopicPrefix = this.settings.get('signing_sdk.ntfy_response_topic_prefix');
+        let responseChannel;
+        if (preferredChannel === 'telegram') {
+            // Telegram channel -- bot username from telegram settings
+            const botToken = this.settings.get('telegram.bot_token');
+            responseChannel = {
+                type: 'telegram',
+                botUsername: botToken ? 'waiaas_bot' : 'waiaas_bot',
+            };
+        }
+        else {
+            // Default: ntfy channel
+            const ntfyServer = this.settings.get('notifications.ntfy_server');
+            responseChannel = {
+                type: 'ntfy',
+                responseTopic: `${responseTopicPrefix}-${requestId}`,
+                ...(ntfyServer !== 'https://ntfy.sh' ? { serverUrl: ntfyServer } : {}),
+            };
+        }
+        // 9. Assemble SignRequest + validate with Zod
+        const request = SignRequestSchema.parse({
+            version: '1',
+            requestId,
+            chain: params.chain,
+            network: params.network,
+            message,
+            displayMessage,
+            metadata: {
+                txId: params.txId,
+                type: params.type,
+                from: params.from,
+                to: params.to,
+                ...(params.amount !== undefined ? { amount: params.amount } : {}),
+                ...(params.symbol !== undefined ? { symbol: params.symbol } : {}),
+                policyTier: params.policyTier,
+            },
+            responseChannel,
+            expiresAt: expiresAt.toISOString(),
+        });
+        // 10. Build universal link URL
+        const universalLinkUrl = this.walletLinkRegistry.buildSignUrl(walletName, request);
+        // 11. Build request topic for ntfy publish
+        const requestTopicPrefix = this.settings.get('signing_sdk.ntfy_request_topic_prefix');
+        const ntfyTopic = walletConfig.ntfy?.requestTopic ?? `${requestTopicPrefix}-${walletName}`;
+        return {
+            request,
+            universalLinkUrl,
+            requestTopic: ntfyTopic,
+        };
+    }
+    // -------------------------------------------------------------------------
+    // Private: buildSigningMessage (doc 73 Section 5 template)
+    // -------------------------------------------------------------------------
+    /**
+     * Build signing message text per doc 73 Section 5 template.
+     * Amount/symbol line is omitted when both are absent.
+     */
+    buildSigningMessage(params, network, requestId, now) {
+        const lines = [
+            'WAIaaS Transaction Approval',
+            '',
+            `Transaction: ${params.txId}`,
+            `Type: ${params.type}`,
+            `From: ${params.from}`,
+            `To: ${params.to}`,
+        ];
+        // Amount line: only include if amount is present
+        if (params.amount !== undefined) {
+            const amountLine = params.symbol
+                ? `Amount: ${params.amount} ${params.symbol}`
+                : `Amount: ${params.amount}`;
+            lines.push(amountLine);
+        }
+        lines.push(`Network: ${network}`, `Policy Tier: ${params.policyTier}`, '', 'Approve this transaction by signing this message.', `Timestamp: ${now.toISOString()}`, `Nonce: ${requestId}`);
+        return lines.join('\n');
+    }
+    // -------------------------------------------------------------------------
+    // Private: buildDisplayMessage (human-readable summary)
+    // -------------------------------------------------------------------------
+    /**
+     * Build a concise display message for wallet app UI.
+     */
+    buildDisplayMessage(params) {
+        const amountPart = params.amount
+            ? ` ${params.amount}${params.symbol ? ' ' + params.symbol : ''}`
+            : '';
+        return `${params.type}${amountPart} from ${params.from.slice(0, 8)}... to ${params.to.slice(0, 8)}...`;
+    }
+}
+//# sourceMappingURL=sign-request-builder.js.map

package/dist/services/signing-sdk/sign-request-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-request-builder.js","sourceRoot":"","sources":["../../../src/services/signing-sdk/sign-request-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAEL,iBAAiB,EACjB,WAAW,GACZ,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAC;AAyBjE,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,OAAO,kBAAkB;IACZ,QAAQ,CAAkB;IAC1B,kBAAkB,CAAqB;IAExD,YAAY,IAGX;QACC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC;QACrC,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;IACpD,CAAC;IAED,4EAA4E;IAC5E,eAAe;IACf,4EAA4E;IAE5E;;;;;;;OAOG;IACH,YAAY,CAAC,MAA0B;QACrC,+BAA+B;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACzD,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;YACvB,MAAM,IAAI,WAAW,CAAC,sBAAsB,CAAC,CAAC;QAChD,CAAC;QAED,2BAA2B;QAC3B,MAAM,UAAU,GACd,MAAM,CAAC,UAAU;YACjB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,8BAA8B,CAAC;YACjD,SAAS,CAAC;QAEZ,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,WAAW,CAAC,uBAAuB,EAAE;gBAC7C,OAAO,EAAE,6DAA6D;aACvE,CAAC,CAAC;QACL,CAAC;QAED,sEAAsE;QACtE,MAAM,YAAY,GAAG,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAEnE,kCAAkC;QAClC,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC;QAE/B,uDAAuD;QACvD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QAEjF,4DAA4D;QAC5D,MAAM,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAExD,uCAAuC;QACvC,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QACzE,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,SAAS,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAElE,gCAAgC;QAChC,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC5E,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QAExF,IAAI,eAA+C,CAAC;QAEpD,IAAI,gBAAgB,KAAK,UAAU,EAAE,CAAC;YACpC,0DAA0D;YAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YACzD,eAAe,GAAG;gBAChB,IAAI,EAAE,UAAmB;gBACzB,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY;aACpD,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,wBAAwB;YACxB,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YAClE,eAAe,GAAG;gBAChB,IAAI,EAAE,MAAe;gBACrB,aAAa,EAAE,GAAG,mBAAmB,IAAI,SAAS,EAAE;gBACpD,GAAG,CAAC,UAAU,KAAK,iBAAiB,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACvE,CAAC;QACJ,CAAC;QAED,8CAA8C;QAC9C,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,CAAC;YACtC,OAAO,EAAE,GAAG;YACZ,SAAS;YACT,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO;YACP,cAAc;YACd,QAAQ,EAAE;gBACR,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,EAAE,EAAE,MAAM,CAAC,EAAE;gBACb,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjE,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjE,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B;YACD,eAAe;YACf,SAAS,EAAE,SAAS,CAAC,WAAW,EAAE;SACnC,CAAC,CAAC;QAEH,+BAA+B;QAC/B,MAAM,gBAAgB,GAAG,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAEnF,2CAA2C;QAC3C,MAAM,kBAAkB,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QACtF,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,EAAE,YAAY,IAAI,GAAG,kBAAkB,IAAI,UAAU,EAAE,CAAC;QAE3F,OAAO;YACL,OAAO;YACP,gBAAgB;YAChB,YAAY,EAAE,SAAS;SACxB,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,2DAA2D;IAC3D,4EAA4E;IAE5E;;;OAGG;IACK,mBAAmB,CACzB,MAA0B,EAC1B,OAAe,EACf,SAAiB,EACjB,GAAS;QAET,MAAM,KAAK,GAAa;YACtB,6BAA6B;YAC7B,EAAE;YACF,gBAAgB,MAAM,CAAC,IAAI,EAAE;YAC7B,SAAS,MAAM,CAAC,IAAI,EAAE;YACtB,SAAS,MAAM,CAAC,IAAI,EAAE;YACtB,OAAO,MAAM,CAAC,EAAE,EAAE;SACnB,CAAC;QAEF,iDAAiD;QACjD,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM;gBAC9B,CAAC,CAAC,WAAW,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE;gBAC7C,CAAC,CAAC,WAAW,MAAM,CAAC,MAAM,EAAE,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzB,CAAC;QAED,KAAK,CAAC,IAAI,CACR,YAAY,OAAO,EAAE,EACrB,gBAAgB,MAAM,CAAC,UAAU,EAAE,EACnC,EAAE,EACF,mDAAmD,EACnD,cAAc,GAAG,CAAC,WAAW,EAAE,EAAE,EACjC,UAAU,SAAS,EAAE,CACtB,CAAC;QAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,4EAA4E;IAC5E,wDAAwD;IACxD,4EAA4E;IAE5E;;OAEG;IACK,mBAAmB,CAAC,MAA0B;QACpD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM;YAC9B,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YAChE,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,GAAG,MAAM,CAAC,IAAI,GAAG,UAAU,SAAS,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC;IACzG,CAAC;CACF"}

package/dist/services/signing-sdk/sign-response-handler.d.ts

@@ -0,0 +1,92 @@
+/**
+ * SignResponseHandler -- processes SignResponse from wallet apps.
+ *
+ * Handles approve/reject responses for PENDING_APPROVAL transactions:
+ * - Validates SignResponse schema (Zod)
+ * - Matches requestId to registered pending requests
+ * - Checks request expiration
+ * - Verifies signer address matches wallet owner
+ * - Verifies cryptographic signature (EVM: EIP-191, Solana: Ed25519)
+ * - Updates pending_approvals and transactions tables directly
+ *
+ * **Design Decision: ApprovalWorkflow bypass (intentional)**
+ * SignResponseHandler directly updates pending_approvals/transactions tables,
+ * bypassing ApprovalWorkflow. This is the same pattern used by Telegram bot
+ * approval (/approve, /reject commands). Rationale: SignResponseHandler performs
+ * its own cryptographic signature verification (SIWE/SIWS), making
+ * ApprovalWorkflow's verification step redundant.
+ *
+ * @see internal/design/73-signing-protocol-v1.md (Section 4, 10, 11)
+ * @see internal/design/74-wallet-sdk-daemon-components.md
+ */
+import type { Database as SQLiteDatabase } from 'better-sqlite3';
+import { type SignRequest, type SignResponse } from '@waiaas/core';
+export interface SignResponseHandlerDeps {
+    /** Raw better-sqlite3 database handle for direct SQL (same pattern as Telegram bot) */
+    sqlite: SQLiteDatabase;
+}
+export interface HandleResult {
+    action: 'approved' | 'rejected';
+    txId: string;
+}
+/**
+ * Verifies an EVM EIP-191 personal_sign signature.
+ * Default implementation uses viem's verifyMessage.
+ */
+export type EvmVerifyFn = (params: {
+    address: string;
+    message: string;
+    signature: string;
+}) => Promise<boolean>;
+/**
+ * Verifies a Solana Ed25519 signature.
+ * Default implementation uses @solana/kit's verifySignature.
+ */
+export type SolanaVerifyFn = (params: {
+    publicKeyAddress: string;
+    message: string;
+    signature: string;
+}) => Promise<boolean>;
+export declare class SignResponseHandler {
+    private readonly sqlite;
+    /**
+     * In-memory store: requestId -> { request, createdAt }.
+     * Lost on daemon restart (acceptable -- 1-shot requests with expiry).
+     */
+    private readonly pendingRequests;
+    /**
+     * Set of already-processed requestIds (for duplicate detection).
+     * Also lost on daemon restart.
+     */
+    private readonly processedRequests;
+    /** Expiration timers by requestId */
+    private readonly expirationTimers;
+    /** Injectable verification functions (for testing) */
+    private readonly evmVerify;
+    private readonly solanaVerify;
+    constructor(deps: SignResponseHandlerDeps, opts?: {
+        evmVerify?: EvmVerifyFn;
+        solanaVerify?: SolanaVerifyFn;
+    });
+    /**
+     * Register a SignRequest for later response matching.
+     * Sets an expiration timer to auto-remove the request after expiresAt.
+     */
+    registerRequest(request: SignRequest): void;
+    /**
+     * Process a SignResponse: validate, match, verify signature, update DB.
+     *
+     * @param signResponse - The response from the wallet app
+     * @returns { action: 'approved' | 'rejected', txId }
+     * @throws WAIaaSError with appropriate error code on validation failure
+     */
+    handle(signResponse: SignResponse): Promise<HandleResult>;
+    private handleApprove;
+    private handleReject;
+    private clearTimer;
+    /**
+     * Clear all pending timers. Call during daemon shutdown.
+     */
+    destroy(): void;
+}
+//# sourceMappingURL=sign-response-handler.d.ts.map

package/dist/services/signing-sdk/sign-response-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-response-handler.d.ts","sourceRoot":"","sources":["../../../src/services/signing-sdk/sign-response-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACjE,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,YAAY,EAGlB,MAAM,cAAc,CAAC;AAMtB,MAAM,WAAW,uBAAuB;IACtC,uFAAuF;IACvF,MAAM,EAAE,cAAc,CAAC;CACxB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd;AAUD;;;GAGG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,MAAM,EAAE;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAEvB;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE;IACpC,gBAAgB,EAAE,MAAM,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AA4CvB,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IAExC;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,eAAe,CAG5B;IAEJ;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAqB;IAEvD,qCAAqC;IACrC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAoD;IAErF,sDAAsD;IACtD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAc;IACxC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiB;gBAG5C,IAAI,EAAE,uBAAuB,EAC7B,IAAI,CAAC,EAAE;QACL,SAAS,CAAC,EAAE,WAAW,CAAC;QACxB,YAAY,CAAC,EAAE,cAAc,CAAC;KAC/B;IAWH;;;OAGG;IACH,eAAe,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IA0B3C;;;;;;OAMG;IACG,MAAM,CAAC,YAAY,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;YAuEjD,aAAa;YAoEb,YAAY;IAiE1B,OAAO,CAAC,UAAU;IAYlB;;OAEG;IACH,OAAO,IAAI,IAAI;CAQhB"}