kawasekit 0.1.0-beta.4 → 0.1.0-beta.6

package/dist/asset-domain-CpJuDkI2.d.cts

@@ -0,0 +1,102 @@
+import { Address } from 'viem';
+
+/**
+ * Known-asset registry for {@link createX402PaymentSigner}'s
+ * `asset: { kind: "known", id }` discriminated-union branch.
+ *
+ * kawasekit only ships pinned EIP-712 domain definitions for assets it has
+ * verified empirically against the deployed contracts. Adding a new entry
+ * here requires citing the source-file + line reference for the contract
+ * that owns the `name` / `version` (so the next reviewer can spot-check the
+ * claim, the same discipline `docs/THREAT_MODEL.md` §0 demands of any ✅
+ * verdict that delegates to an out-of-scope component).
+ *
+ * @packageDocumentation
+ */
+
+/** Known asset identifiers. New entries must update this union AND the table. */
+type KnownAssetId = "jpyc-v2";
+/** Fully-pinned EIP-712 domain for a known asset. */
+interface KnownAssetDomain {
+    readonly id: KnownAssetId;
+    readonly name: string;
+    readonly version: string;
+    readonly verifyingContract: Address;
+}
+/**
+ * Look up a known asset's pinned EIP-712 domain by id.
+ *
+ * @returns The domain, or `undefined` if the id is not in the registry.
+ *
+ * @example
+ * ```ts
+ * import { getKnownAssetDomain } from "kawasekit";
+ *
+ * const jpyc = getKnownAssetDomain("jpyc-v2");
+ * if (jpyc === undefined) throw new Error("unreachable");
+ * console.log(jpyc.verifyingContract); // 0xE7C3D8C9a439feDe00D2600032D5dB0Be71C3c29
+ * ```
+ */
+declare function getKnownAssetDomain(id: KnownAssetId): KnownAssetDomain | undefined;
+/** List every known asset id (for diagnostics / error messages). */
+declare function listKnownAssetIds(): readonly KnownAssetId[];
+
+/**
+ * EIP-712 asset-domain resolution for x402 / EIP-3009 signing.
+ *
+ * Construction-time pinning of the EIP-712 domain (`name` / `version` /
+ * `verifyingContract`) a signer will use. The integrator declares an
+ * {@link X402AssetParam} — either a kawasekit-maintained `known` asset or a
+ * loud `unsafeOverride` — and {@link resolveAssetParam} resolves it to a pinned
+ * {@link ResolvedAsset}. The signer then trusts only this pinned domain and
+ * refuses to sign for a mismatched advertised asset (Threat 1.4: misadvertised
+ * EIP-712 domain).
+ *
+ * Token-domain concern, reused by both the x402 signer (`src/x402/client.ts`)
+ * and the M6 PolicyGatedSigner (`src/signer/`).
+ *
+ * @packageDocumentation
+ */
+
+/** EIP-712 token domain `name` / `version` pair. */
+interface X402TokenDomain {
+    readonly name: string;
+    readonly version: string;
+}
+/**
+ * Asset binding for {@link createX402PaymentSigner} and the M6 PolicyGatedSigner.
+ * Required, discriminated.
+ *
+ * **Default-on whitelist**: integrators MUST declare which asset they intend
+ * to sign for. The `known` branch references a kawasekit-maintained
+ * whitelist (see `src/tokens/known-assets.ts`); the `unsafeOverride` branch
+ * is the deliberate escape hatch for any other asset and is named loudly so
+ * it survives a code review. Either way, the signer pins the EIP-712 domain
+ * at construction time and refuses to sign if `paymentRequirements.asset`
+ * disagrees with the pinned `verifyingContract`.
+ *
+ * Closes Threat 1.4 (misadvertised EIP-712 domain): the server's advertised
+ * `extra.name` / `extra.version` and `asset` are all ignored for signing
+ * purposes — the signer trusts only what the integrator declared here.
+ */
+type X402AssetParam = {
+    /** Use a kawasekit-maintained pinned EIP-712 domain. */
+    readonly kind: "known";
+    /** The asset id to pin. See {@link KnownAssetId} for the registry. */
+    readonly id: KnownAssetId;
+} | {
+    /**
+     * Use a caller-supplied EIP-712 domain for an asset NOT on the
+     * kawasekit whitelist. The name is deliberately loud — pick this
+     * branch only when you have separately audited the contract and its
+     * `eip712Domain()` output.
+     */
+    readonly kind: "unsafeOverride";
+    readonly domain: {
+        readonly name: string;
+        readonly version: string;
+        readonly verifyingContract: Address;
+    };
+};
+
+export { type KnownAssetDomain as K, type X402AssetParam as X, type KnownAssetId as a, type X402TokenDomain as b, getKnownAssetDomain as g, listKnownAssetIds as l };

package/dist/asset-domain-CpJuDkI2.d.ts

@@ -0,0 +1,102 @@
+import { Address } from 'viem';
+
+/**
+ * Known-asset registry for {@link createX402PaymentSigner}'s
+ * `asset: { kind: "known", id }` discriminated-union branch.
+ *
+ * kawasekit only ships pinned EIP-712 domain definitions for assets it has
+ * verified empirically against the deployed contracts. Adding a new entry
+ * here requires citing the source-file + line reference for the contract
+ * that owns the `name` / `version` (so the next reviewer can spot-check the
+ * claim, the same discipline `docs/THREAT_MODEL.md` §0 demands of any ✅
+ * verdict that delegates to an out-of-scope component).
+ *
+ * @packageDocumentation
+ */
+
+/** Known asset identifiers. New entries must update this union AND the table. */
+type KnownAssetId = "jpyc-v2";
+/** Fully-pinned EIP-712 domain for a known asset. */
+interface KnownAssetDomain {
+    readonly id: KnownAssetId;
+    readonly name: string;
+    readonly version: string;
+    readonly verifyingContract: Address;
+}
+/**
+ * Look up a known asset's pinned EIP-712 domain by id.
+ *
+ * @returns The domain, or `undefined` if the id is not in the registry.
+ *
+ * @example
+ * ```ts
+ * import { getKnownAssetDomain } from "kawasekit";
+ *
+ * const jpyc = getKnownAssetDomain("jpyc-v2");
+ * if (jpyc === undefined) throw new Error("unreachable");
+ * console.log(jpyc.verifyingContract); // 0xE7C3D8C9a439feDe00D2600032D5dB0Be71C3c29
+ * ```
+ */
+declare function getKnownAssetDomain(id: KnownAssetId): KnownAssetDomain | undefined;
+/** List every known asset id (for diagnostics / error messages). */
+declare function listKnownAssetIds(): readonly KnownAssetId[];
+
+/**
+ * EIP-712 asset-domain resolution for x402 / EIP-3009 signing.
+ *
+ * Construction-time pinning of the EIP-712 domain (`name` / `version` /
+ * `verifyingContract`) a signer will use. The integrator declares an
+ * {@link X402AssetParam} — either a kawasekit-maintained `known` asset or a
+ * loud `unsafeOverride` — and {@link resolveAssetParam} resolves it to a pinned
+ * {@link ResolvedAsset}. The signer then trusts only this pinned domain and
+ * refuses to sign for a mismatched advertised asset (Threat 1.4: misadvertised
+ * EIP-712 domain).
+ *
+ * Token-domain concern, reused by both the x402 signer (`src/x402/client.ts`)
+ * and the M6 PolicyGatedSigner (`src/signer/`).
+ *
+ * @packageDocumentation
+ */
+
+/** EIP-712 token domain `name` / `version` pair. */
+interface X402TokenDomain {
+    readonly name: string;
+    readonly version: string;
+}
+/**
+ * Asset binding for {@link createX402PaymentSigner} and the M6 PolicyGatedSigner.
+ * Required, discriminated.
+ *
+ * **Default-on whitelist**: integrators MUST declare which asset they intend
+ * to sign for. The `known` branch references a kawasekit-maintained
+ * whitelist (see `src/tokens/known-assets.ts`); the `unsafeOverride` branch
+ * is the deliberate escape hatch for any other asset and is named loudly so
+ * it survives a code review. Either way, the signer pins the EIP-712 domain
+ * at construction time and refuses to sign if `paymentRequirements.asset`
+ * disagrees with the pinned `verifyingContract`.
+ *
+ * Closes Threat 1.4 (misadvertised EIP-712 domain): the server's advertised
+ * `extra.name` / `extra.version` and `asset` are all ignored for signing
+ * purposes — the signer trusts only what the integrator declared here.
+ */
+type X402AssetParam = {
+    /** Use a kawasekit-maintained pinned EIP-712 domain. */
+    readonly kind: "known";
+    /** The asset id to pin. See {@link KnownAssetId} for the registry. */
+    readonly id: KnownAssetId;
+} | {
+    /**
+     * Use a caller-supplied EIP-712 domain for an asset NOT on the
+     * kawasekit whitelist. The name is deliberately loud — pick this
+     * branch only when you have separately audited the contract and its
+     * `eip712Domain()` output.
+     */
+    readonly kind: "unsafeOverride";
+    readonly domain: {
+        readonly name: string;
+        readonly version: string;
+        readonly verifyingContract: Address;
+    };
+};
+
+export { type KnownAssetDomain as K, type X402AssetParam as X, type KnownAssetId as a, type X402TokenDomain as b, getKnownAssetDomain as g, listKnownAssetIds as l };

package/dist/{chunk-Y6AJKMAL.js → chunk-E2EG72U2.js}

@@ -1,132 +1,12 @@
-import { JPYC_EIP712_DOMAIN_HINT, JPYC_V2_ADDRESS, X402InvalidPayloadError, X402_HEADER_PAYMENT_SIGNATURE, encodePaymentSignatureHeader, X402_HEADER_IDEMPOTENCY_KEY, X402_HEADER_PAYMENT_RESPONSE, decodePaymentResponseHeader, X402InvalidConfigError, X402_HEADER_PAYMENT_REQUIRED, decodePaymentRequiredHeader, jpycAbi } from './chunk-NRGSI52C.js';
+import { X402_HEADER_PAYMENT_SIGNATURE, encodePaymentSignatureHeader, X402_HEADER_IDEMPOTENCY_KEY, X402_HEADER_PAYMENT_RESPONSE, decodePaymentResponseHeader, X402_HEADER_PAYMENT_REQUIRED, decodePaymentRequiredHeader } from './chunk-PVUKX6IF.js';
+import { invokeHookSafely } from './chunk-LEHWRDVS.js';
 import { X402_VERSION, chainIdToX402Network, x402NetworkToChainId } from './chunk-QHUCU5YX.js';
+import { resolveAssetParam, authorizationDeadlineFromNow, deriveAuthorizationNonce, generateAuthorizationNonce, signTransferWithAuthorization, assertNonBypassable } from './chunk-VPRR3TNA.js';
+import { X402InvalidPayloadError, X402PolicyRejectedError } from './chunk-WMVJNPX2.js';
+import { jpycAbi, JPYC_V2_ADDRESS, JPYC_EIP712_DOMAIN_HINT } from './chunk-KT7XDT2T.js';
 import { getChain, isSupportedChainId } from './chunk-SOTYGX67.js';
-import { invokeHookSafely } from './chunk-LEHWRDVS.js';
-import { getAddress, keccak256, stringToHex, parseSignature, isAddress, recoverTypedDataAddress } from 'viem';
+import { getAddress, recoverTypedDataAddress, parseSignature, isAddress } from 'viem';
 
-var transferWithAuthorizationTypes = {
-  TransferWithAuthorization: [
-    { name: "from", type: "address" },
-    { name: "to", type: "address" },
-    { name: "value", type: "uint256" },
-    { name: "validAfter", type: "uint256" },
-    { name: "validBefore", type: "uint256" },
-    { name: "nonce", type: "bytes32" }
-  ]
-};
-var receiveWithAuthorizationTypes = {
-  ReceiveWithAuthorization: [
-    { name: "from", type: "address" },
-    { name: "to", type: "address" },
-    { name: "value", type: "uint256" },
-    { name: "validAfter", type: "uint256" },
-    { name: "validBefore", type: "uint256" },
-    { name: "nonce", type: "bytes32" }
-  ]
-};
-var cancelAuthorizationTypes = {
-  CancelAuthorization: [
-    { name: "authorizer", type: "address" },
-    { name: "nonce", type: "bytes32" }
-  ]
-};
-function generateAuthorizationNonce() {
-  const bytes = new Uint8Array(32);
-  crypto.getRandomValues(bytes);
-  return `0x${Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("")}`;
-}
-var EIP3009_NONCE_DOMAIN_TAG = "kawasekit/eip3009-nonce/1";
-function deriveAuthorizationNonce(input, scope) {
-  if (input.idempotencyKey === "") {
-    throw new Error("deriveAuthorizationNonce: idempotencyKey must be a non-empty string");
-  }
-  const preimage = JSON.stringify([
-    EIP3009_NONCE_DOMAIN_TAG,
-    input.idempotencyKey,
-    getAddress(scope.from),
-    getAddress(scope.verifyingContract),
-    scope.chainId
-  ]);
-  return keccak256(stringToHex(preimage));
-}
-function authorizationDeadlineFromNow(seconds, nowSec) {
-  const now = nowSec ?? BigInt(Math.floor(Date.now() / 1e3));
-  return now + BigInt(seconds);
-}
-function requireSignTypedData(account) {
-  if (!account.signTypedData) {
-    throw new Error(
-      `Account ${account.address} cannot sign typed data \u2014 pass a LocalAccount or a JsonRpcAccount bound to a WalletClient.`
-    );
-  }
-  return account.signTypedData.bind(account);
-}
-function assertSignerMatches(account, expectedFrom, role) {
-  if (getAddress(account.address) !== getAddress(expectedFrom)) {
-    throw new Error(
-      `EIP-3009 ${role} signature must come from \`${role === "cancel" ? "authorizer" : "from"}\`: account is ${account.address}, message says ${expectedFrom}.`
-    );
-  }
-}
-async function signTransferWithAuthorization(account, domain, message) {
-  assertSignerMatches(account, message.from, "transfer");
-  const sign = requireSignTypedData(account);
-  const signature = await sign({
-    domain,
-    types: transferWithAuthorizationTypes,
-    primaryType: "TransferWithAuthorization",
-    message
-  });
-  return splitAuthorization(signature, domain, message);
-}
-async function signReceiveWithAuthorization(account, domain, message) {
-  assertSignerMatches(account, message.from, "receive");
-  const sign = requireSignTypedData(account);
-  const signature = await sign({
-    domain,
-    types: receiveWithAuthorizationTypes,
-    primaryType: "ReceiveWithAuthorization",
-    message
-  });
-  return splitAuthorization(signature, domain, message);
-}
-async function signCancelAuthorization(account, domain, message) {
-  assertSignerMatches(account, message.authorizer, "cancel");
-  const sign = requireSignTypedData(account);
-  const signature = await sign({
-    domain,
-    types: cancelAuthorizationTypes,
-    primaryType: "CancelAuthorization",
-    message
-  });
-  return splitAuthorization(signature, domain, message);
-}
-function splitAuthorization(signature, domain, message) {
-  const parsed = parseSignature(signature);
-  const v = parsed.v !== void 0 ? Number(parsed.v) : (parsed.yParity ?? 0) + 27;
-  return {
-    signature,
-    v,
-    r: parsed.r,
-    s: parsed.s,
-    domain,
-    message
-  };
-}
-var KNOWN_ASSETS = [
-  {
-    id: "jpyc-v2",
-    name: JPYC_EIP712_DOMAIN_HINT.name,
-    version: JPYC_EIP712_DOMAIN_HINT.version,
-    verifyingContract: getAddress(JPYC_V2_ADDRESS)
-  }
-];
-function getKnownAssetDomain(id) {
-  return KNOWN_ASSETS.find((entry) => entry.id === id);
-}
-function listKnownAssetIds() {
-  return KNOWN_ASSETS.map((entry) => entry.id);
-}
 var X402_DEFAULT_AUTHORIZATION_LIFETIME_SECONDS = 300;
 var UINT256_MAX = (1n << 256n) - 1n;
 var UINT256_DECIMAL = /^(0|[1-9][0-9]*)$/;
@@ -155,53 +35,6 @@ function assertAddress(value, field) {
   }
   return value;
 }
-function resolveAssetParam(asset) {
-  if (asset.kind === "known") {
-    const entry = getKnownAssetDomain(asset.id);
-    if (entry === void 0) {
-      throw new X402InvalidConfigError(
-        "asset.id",
-        `unknown asset id ${JSON.stringify(asset.id)}. Supported: ${listKnownAssetIds().map((id) => JSON.stringify(id)).join(", ")}.`
-      );
-    }
-    return {
-      name: entry.name,
-      version: entry.version,
-      verifyingContract: entry.verifyingContract
-    };
-  }
-  if (asset.kind === "unsafeOverride") {
-    const { domain } = asset;
-    if (typeof domain.name !== "string" || domain.name === "") {
-      throw new X402InvalidConfigError(
-        "asset.domain.name",
-        "`unsafeOverride.domain.name` must be a non-empty string"
-      );
-    }
-    if (typeof domain.version !== "string" || domain.version === "") {
-      throw new X402InvalidConfigError(
-        "asset.domain.version",
-        "`unsafeOverride.domain.version` must be a non-empty string"
-      );
-    }
-    if (!isAddress(domain.verifyingContract, { strict: false })) {
-      throw new X402InvalidConfigError(
-        "asset.domain.verifyingContract",
-        `\`unsafeOverride.domain.verifyingContract\` must be a valid address, got ${JSON.stringify(domain.verifyingContract)}`
-      );
-    }
-    return {
-      name: domain.name,
-      version: domain.version,
-      verifyingContract: getAddress(domain.verifyingContract)
-    };
-  }
-  const exhaustive = asset;
-  throw new X402InvalidConfigError(
-    "asset.kind",
-    `unsupported kind ${JSON.stringify(exhaustive.kind)}. Expected "known" or "unsafeOverride".`
-  );
-}
 function validateRequirements(requirements) {
   if (requirements.scheme !== "exact") {
     throw new X402InvalidPayloadError(
@@ -231,6 +64,9 @@ function validateRequirements(requirements) {
   return { chainId, value, asset, payTo };
 }
 function createX402PaymentSigner(params) {
+  if (params.signer !== void 0) {
+    return createSignerBackedX402PaymentSigner(params);
+  }
   const { account, network } = params;
   const defaultLifetimeSeconds = params.defaultLifetimeSeconds ?? X402_DEFAULT_AUTHORIZATION_LIFETIME_SECONDS;
   if (defaultLifetimeSeconds <= 0) {
@@ -336,6 +172,96 @@ function createX402PaymentSigner(params) {
     }
   };
 }
+function createSignerBackedX402PaymentSigner(params) {
+  const { signer, network } = params;
+  const defaultLifetimeSeconds = params.defaultLifetimeSeconds ?? X402_DEFAULT_AUTHORIZATION_LIFETIME_SECONDS;
+  if (defaultLifetimeSeconds <= 0) {
+    throw new X402InvalidPayloadError(
+      "X402PaymentSignerConfig",
+      `\`defaultLifetimeSeconds\` must be positive, got ${defaultLifetimeSeconds}`
+    );
+  }
+  if (params.requireEnforcement !== void 0) {
+    assertNonBypassable(signer);
+  }
+  const pinnedDomain = resolveAssetParam(params.asset);
+  const from = signer.from;
+  return {
+    address: from,
+    async sign(signParams) {
+      const { paymentRequirements } = signParams;
+      const { chainId, value, asset, payTo } = validateRequirements(paymentRequirements);
+      const chain = getChain(chainId);
+      if (network === "mainnet" && chain.isTestnet) {
+        throw new X402InvalidPayloadError(
+          "PaymentRequirements",
+          `signer was configured for network="mainnet" but requirements.network="${paymentRequirements.network}" (chainId ${chainId}) is a testnet`
+        );
+      }
+      if (network === "testnet" && !chain.isTestnet) {
+        throw new X402InvalidPayloadError(
+          "PaymentRequirements",
+          `signer was configured for network="testnet" but requirements.network="${paymentRequirements.network}" (chainId ${chainId}) is a mainnet \u2014 refusing to sign payment for real funds`
+        );
+      }
+      if (getAddress(asset) !== pinnedDomain.verifyingContract) {
+        throw new X402InvalidPayloadError(
+          "PaymentRequirements",
+          `requirements.asset (${getAddress(asset)}) does not match the signer's pinned verifyingContract (${pinnedDomain.verifyingContract}) \u2014 refusing to sign for an asset the signer was not configured to handle`
+        );
+      }
+      const lifetime = Math.min(defaultLifetimeSeconds, paymentRequirements.maxTimeoutSeconds);
+      const validAfter = signParams.validAfter ?? 0n;
+      const validBefore = signParams.validBefore ?? authorizationDeadlineFromNow(lifetime);
+      if (validBefore <= validAfter) {
+        throw new X402InvalidPayloadError(
+          "PaymentRequirements",
+          `\`validBefore\` (${validBefore}) must be greater than \`validAfter\` (${validAfter})`
+        );
+      }
+      const nonce = signParams.idempotencyKey !== void 0 ? deriveAuthorizationNonce(
+        { idempotencyKey: signParams.idempotencyKey },
+        { from, verifyingContract: pinnedDomain.verifyingContract, chainId }
+      ) : generateAuthorizationNonce();
+      const intent = {
+        token: pinnedDomain.verifyingContract,
+        chainId,
+        from,
+        to: payTo,
+        value,
+        validAfter,
+        validBefore,
+        nonce
+      };
+      const signResult = await signer.sign(intent);
+      if (!signResult.ok) {
+        throw new X402PolicyRejectedError(signResult.rejection);
+      }
+      const payload = {
+        signature: signResult.signature,
+        authorization: {
+          from,
+          to: payTo,
+          value: value.toString(),
+          validAfter: validAfter.toString(),
+          validBefore: validBefore.toString(),
+          nonce
+        }
+      };
+      const result = signParams.resource ? {
+        x402Version: X402_VERSION,
+        resource: signParams.resource,
+        accepted: paymentRequirements,
+        payload: { ...payload }
+      } : {
+        x402Version: X402_VERSION,
+        accepted: paymentRequirements,
+        payload: { ...payload }
+      };
+      return result;
+    }
+  };
+}
 var X402_FACILITATOR_ERROR_CODES = {
   insufficient_funds: "insufficient_funds",
   invalid_exact_evm_payload_authorization_valid_after: "invalid_exact_evm_payload_authorization_valid_after",
@@ -958,6 +884,6 @@ function wrapFetch(params) {
   };
 }
 
-export { X402_DEFAULT_AUTHORIZATION_LIFETIME_SECONDS, X402_FACILITATOR_ERROR_CODES, authorizationDeadlineFromNow, createCoinbaseFacilitator, createHttpFacilitator, createSelfFacilitator, createX402PaymentSigner, deriveAuthorizationNonce, deriveReceiptTimeoutMs, generateAuthorizationNonce, getKnownAssetDomain, listKnownAssetIds, signCancelAuthorization, signReceiveWithAuthorization, signTransferWithAuthorization, wrapFetch };
-//# sourceMappingURL=chunk-Y6AJKMAL.js.map
-//# sourceMappingURL=chunk-Y6AJKMAL.js.map
+export { X402_DEFAULT_AUTHORIZATION_LIFETIME_SECONDS, X402_FACILITATOR_ERROR_CODES, createCoinbaseFacilitator, createHttpFacilitator, createSelfFacilitator, createX402PaymentSigner, deriveReceiptTimeoutMs, wrapFetch };
+//# sourceMappingURL=chunk-E2EG72U2.js.map
+//# sourceMappingURL=chunk-E2EG72U2.js.map