kawasekit 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{chunk-G3UC6SME.js → chunk-P5563RGP.js} +3 -3
- package/dist/{chunk-G3UC6SME.js.map → chunk-P5563RGP.js.map} +1 -1
- package/dist/{chunk-FD6Q4NB2.js → chunk-S2ZSX2VS.js} +136 -31
- package/dist/chunk-S2ZSX2VS.js.map +1 -0
- package/dist/{chunk-5TTOAVHE.js → chunk-VJUXTVSW.js} +11 -3
- package/dist/chunk-VJUXTVSW.js.map +1 -0
- package/dist/cli/index.cjs +1 -1
- package/dist/cli/index.js +4 -4
- package/dist/index.cjs +140 -27
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +3 -3
- package/dist/signer/index.cjs +141 -27
- package/dist/signer/index.cjs.map +1 -1
- package/dist/signer/index.d.cts +57 -1
- package/dist/signer/index.d.ts +57 -1
- package/dist/signer/index.js +2 -2
- package/dist/x402/index.cjs.map +1 -1
- package/dist/x402/index.js +2 -2
- package/package.json +1 -1
- package/dist/chunk-5TTOAVHE.js.map +0 -1
- package/dist/chunk-FD6Q4NB2.js.map +0 -1
package/dist/signer/index.d.cts
CHANGED
|
@@ -65,8 +65,16 @@ declare class PolicyGatedSignerConfigError extends Error {
|
|
|
65
65
|
* ```
|
|
66
66
|
*/
|
|
67
67
|
declare class CoSignUnavailableError extends Error {
|
|
68
|
+
/**
|
|
69
|
+
* `true` when the failure is the **transient transport class** (connect failed /
|
|
70
|
+
* connection dropped) — the only class the adapter's bounded retry replays
|
|
71
|
+
* (RFC m6-3a §4.7: never a delivered rejection, never a ban/identifiable-abort,
|
|
72
|
+
* never a protocol anomaly or timeout). Defaults to `false`.
|
|
73
|
+
*/
|
|
74
|
+
readonly transient: boolean;
|
|
68
75
|
constructor(message: string, options?: {
|
|
69
76
|
cause?: unknown;
|
|
77
|
+
transient?: boolean;
|
|
70
78
|
});
|
|
71
79
|
}
|
|
72
80
|
|
|
@@ -181,6 +189,15 @@ declare function createLocalPolicyGatedSigner(params: CreateLocalPolicyGatedSign
|
|
|
181
189
|
|
|
182
190
|
/** The wire protocol version. A frame whose `wire_version` differs is rejected. */
|
|
183
191
|
declare const WIRE_VERSION: 2;
|
|
192
|
+
/**
|
|
193
|
+
* The inbound round-payload bound, in bytes — mirrors the backend's
|
|
194
|
+
* `crypto-core/src/transport.rs` `MAX_FRAME_BYTES` (8 MiB) so the agent side
|
|
195
|
+
* enforces the same pre-decode cap the backend does (RFC m6-3a §4.2/M3). The
|
|
196
|
+
* adapter refuses an over-bound `round` payload **before** hex-decoding it into
|
|
197
|
+
* the WASM boundary; the private transport should additionally cap raw
|
|
198
|
+
* websocket messages (e.g. the `ws` client's `maxPayload`).
|
|
199
|
+
*/
|
|
200
|
+
declare const MAX_FRAME_BYTES: number;
|
|
184
201
|
/**
|
|
185
202
|
* The string-encoded EIP-3009 intent as it crosses the wire — lowercase `0x`
|
|
186
203
|
* addresses, **decimal** integer strings, `0x` hex nonce. Decoupled from any
|
|
@@ -285,6 +302,14 @@ declare function canonicalRequestBytes(env: CoSignRequestEnvelope): Uint8Array;
|
|
|
285
302
|
* `{ ok: true }` and never a {@link PolicyRejection} (the no-silent-fallback
|
|
286
303
|
* guarantee, RFC m6-3a constraint 3 / W8).
|
|
287
304
|
*
|
|
305
|
+
* **Wire hardening (RFC §4.7/§4.8, Track C):** a bounded **transient-only retry**
|
|
306
|
+
* replays the byte-identical intent (nonce included — idempotency-by-nonce is the
|
|
307
|
+
* safety net) under a fresh A3 envelope and accepts the backend's **roundless
|
|
308
|
+
* idempotent-replay result** via an ecrecover/low-S self-check; the **ceremony
|
|
309
|
+
* deadline always fires before `validBefore`** (minus a clock-skew budget, W11),
|
|
310
|
+
* and inbound round payloads are **bounded** before the WASM boundary (M3). Tuning
|
|
311
|
+
* via {@link Mpc2pWireOptions}.
|
|
312
|
+
*
|
|
288
313
|
* @packageDocumentation
|
|
289
314
|
*/
|
|
290
315
|
|
|
@@ -325,6 +350,35 @@ interface CoSignRequestAuthenticator {
|
|
|
325
350
|
/** Authenticator tag over {@link canonicalRequestBytes}; the key stays inside. */
|
|
326
351
|
tag(canonicalRequest: Uint8Array): Hex | Promise<Hex>;
|
|
327
352
|
}
|
|
353
|
+
/**
|
|
354
|
+
* Wire liveness / retry tuning (RFC m6-3a §4.7 + §4.8). Every field is optional
|
|
355
|
+
* with a safe default. The invariants these enforce:
|
|
356
|
+
*
|
|
357
|
+
* - **Retry (4b/H2):** only the **transient transport class** is retried (connect
|
|
358
|
+
* failed / connection dropped), replaying the **byte-identical intent** — nonce
|
|
359
|
+
* included, so the backend's idempotency-by-nonce is the safety net — under a
|
|
360
|
+
* fresh A3 envelope (the freshness guard rejects a replayed envelope by design).
|
|
361
|
+
* A delivered rejection, a ban/identifiable-abort, a protocol anomaly, or a
|
|
362
|
+
* timeout is never retried.
|
|
363
|
+
* - **Liveness (4c/W11/M1+M3):** the ceremony deadline always fires **before**
|
|
364
|
+
* `intent.validBefore − clockSkewBudgetSecs` (a co-signature must never be born
|
|
365
|
+
* expired), and a `sign()` whose remaining window is under
|
|
366
|
+
* `minWindowSecs + clockSkewBudgetSecs` is refused up front.
|
|
367
|
+
* - **Inbound bound (4c/M3):** a `round` payload over `maxFrameBytes` is refused
|
|
368
|
+
* before it reaches the WASM boundary (mirrors the backend's bound).
|
|
369
|
+
*/
|
|
370
|
+
interface Mpc2pWireOptions {
|
|
371
|
+
/** Max ceremony attempts for transient transport failures (default 2 = one retry). */
|
|
372
|
+
readonly maxAttempts?: number;
|
|
373
|
+
/** Overall per-`sign()` budget in ms, across ALL attempts (default 30_000). */
|
|
374
|
+
readonly ceremonyTimeoutMs?: number;
|
|
375
|
+
/** Minimum remaining validity window required at `sign()` start, in seconds (default 30). */
|
|
376
|
+
readonly minWindowSecs?: number;
|
|
377
|
+
/** Max tolerated agent-host clock skew, in seconds (default 30). */
|
|
378
|
+
readonly clockSkewBudgetSecs?: number;
|
|
379
|
+
/** Inbound round-payload bound in bytes (default {@link MAX_FRAME_BYTES} = 8 MiB). */
|
|
380
|
+
readonly maxFrameBytes?: number;
|
|
381
|
+
}
|
|
328
382
|
/** Parameters for {@link createMpc2pPolicyGatedSigner}. */
|
|
329
383
|
interface Mpc2pSignerParams {
|
|
330
384
|
/** The group 2-of-2 EOA; every `intent.from` must equal this (asserted vs the agent). */
|
|
@@ -342,6 +396,8 @@ interface Mpc2pSignerParams {
|
|
|
342
396
|
readonly transport: CoSignTransport;
|
|
343
397
|
/** The injected A3 authenticator (the pre-shared key never enters the SDK). */
|
|
344
398
|
readonly authenticator: CoSignRequestAuthenticator;
|
|
399
|
+
/** Wire liveness / retry tuning (optional; safe defaults — {@link Mpc2pWireOptions}). */
|
|
400
|
+
readonly wire?: Mpc2pWireOptions;
|
|
345
401
|
}
|
|
346
402
|
/**
|
|
347
403
|
* Construct an `mpc-2p` (cryptographic) PolicyGatedSigner over injected agent +
|
|
@@ -363,4 +419,4 @@ interface Mpc2pSignerParams {
|
|
|
363
419
|
*/
|
|
364
420
|
declare function createMpc2pPolicyGatedSigner(params: Mpc2pSignerParams): PolicyGatedSigner<"cryptographic">;
|
|
365
421
|
|
|
366
|
-
export { type CoSignConnection, type CoSignFrame, type CoSignRequestAuthenticator, type CoSignRequestEnvelope, type CoSignTransport, CoSignUnavailableError, type CreateLocalPolicyGatedSignerParams, type Mpc2pCoSignAgent, type Mpc2pSignerParams, type Mpc2pStepOutcome, NonBypassableEnforcement, PaymentIntent, PolicyGatedSigner, PolicyGatedSignerConfigError, WIRE_VERSION, type WireIntent, assertNonBypassable, canonicalRequestBytes, createLocalPolicyGatedSigner, createMpc2pPolicyGatedSigner, requireNonBypassable, toWireIntent };
|
|
422
|
+
export { type CoSignConnection, type CoSignFrame, type CoSignRequestAuthenticator, type CoSignRequestEnvelope, type CoSignTransport, CoSignUnavailableError, type CreateLocalPolicyGatedSignerParams, MAX_FRAME_BYTES, type Mpc2pCoSignAgent, type Mpc2pSignerParams, type Mpc2pStepOutcome, type Mpc2pWireOptions, NonBypassableEnforcement, PaymentIntent, PolicyGatedSigner, PolicyGatedSignerConfigError, WIRE_VERSION, type WireIntent, assertNonBypassable, canonicalRequestBytes, createLocalPolicyGatedSigner, createMpc2pPolicyGatedSigner, requireNonBypassable, toWireIntent };
|
package/dist/signer/index.d.ts
CHANGED
|
@@ -65,8 +65,16 @@ declare class PolicyGatedSignerConfigError extends Error {
|
|
|
65
65
|
* ```
|
|
66
66
|
*/
|
|
67
67
|
declare class CoSignUnavailableError extends Error {
|
|
68
|
+
/**
|
|
69
|
+
* `true` when the failure is the **transient transport class** (connect failed /
|
|
70
|
+
* connection dropped) — the only class the adapter's bounded retry replays
|
|
71
|
+
* (RFC m6-3a §4.7: never a delivered rejection, never a ban/identifiable-abort,
|
|
72
|
+
* never a protocol anomaly or timeout). Defaults to `false`.
|
|
73
|
+
*/
|
|
74
|
+
readonly transient: boolean;
|
|
68
75
|
constructor(message: string, options?: {
|
|
69
76
|
cause?: unknown;
|
|
77
|
+
transient?: boolean;
|
|
70
78
|
});
|
|
71
79
|
}
|
|
72
80
|
|
|
@@ -181,6 +189,15 @@ declare function createLocalPolicyGatedSigner(params: CreateLocalPolicyGatedSign
|
|
|
181
189
|
|
|
182
190
|
/** The wire protocol version. A frame whose `wire_version` differs is rejected. */
|
|
183
191
|
declare const WIRE_VERSION: 2;
|
|
192
|
+
/**
|
|
193
|
+
* The inbound round-payload bound, in bytes — mirrors the backend's
|
|
194
|
+
* `crypto-core/src/transport.rs` `MAX_FRAME_BYTES` (8 MiB) so the agent side
|
|
195
|
+
* enforces the same pre-decode cap the backend does (RFC m6-3a §4.2/M3). The
|
|
196
|
+
* adapter refuses an over-bound `round` payload **before** hex-decoding it into
|
|
197
|
+
* the WASM boundary; the private transport should additionally cap raw
|
|
198
|
+
* websocket messages (e.g. the `ws` client's `maxPayload`).
|
|
199
|
+
*/
|
|
200
|
+
declare const MAX_FRAME_BYTES: number;
|
|
184
201
|
/**
|
|
185
202
|
* The string-encoded EIP-3009 intent as it crosses the wire — lowercase `0x`
|
|
186
203
|
* addresses, **decimal** integer strings, `0x` hex nonce. Decoupled from any
|
|
@@ -285,6 +302,14 @@ declare function canonicalRequestBytes(env: CoSignRequestEnvelope): Uint8Array;
|
|
|
285
302
|
* `{ ok: true }` and never a {@link PolicyRejection} (the no-silent-fallback
|
|
286
303
|
* guarantee, RFC m6-3a constraint 3 / W8).
|
|
287
304
|
*
|
|
305
|
+
* **Wire hardening (RFC §4.7/§4.8, Track C):** a bounded **transient-only retry**
|
|
306
|
+
* replays the byte-identical intent (nonce included — idempotency-by-nonce is the
|
|
307
|
+
* safety net) under a fresh A3 envelope and accepts the backend's **roundless
|
|
308
|
+
* idempotent-replay result** via an ecrecover/low-S self-check; the **ceremony
|
|
309
|
+
* deadline always fires before `validBefore`** (minus a clock-skew budget, W11),
|
|
310
|
+
* and inbound round payloads are **bounded** before the WASM boundary (M3). Tuning
|
|
311
|
+
* via {@link Mpc2pWireOptions}.
|
|
312
|
+
*
|
|
288
313
|
* @packageDocumentation
|
|
289
314
|
*/
|
|
290
315
|
|
|
@@ -325,6 +350,35 @@ interface CoSignRequestAuthenticator {
|
|
|
325
350
|
/** Authenticator tag over {@link canonicalRequestBytes}; the key stays inside. */
|
|
326
351
|
tag(canonicalRequest: Uint8Array): Hex | Promise<Hex>;
|
|
327
352
|
}
|
|
353
|
+
/**
|
|
354
|
+
* Wire liveness / retry tuning (RFC m6-3a §4.7 + §4.8). Every field is optional
|
|
355
|
+
* with a safe default. The invariants these enforce:
|
|
356
|
+
*
|
|
357
|
+
* - **Retry (4b/H2):** only the **transient transport class** is retried (connect
|
|
358
|
+
* failed / connection dropped), replaying the **byte-identical intent** — nonce
|
|
359
|
+
* included, so the backend's idempotency-by-nonce is the safety net — under a
|
|
360
|
+
* fresh A3 envelope (the freshness guard rejects a replayed envelope by design).
|
|
361
|
+
* A delivered rejection, a ban/identifiable-abort, a protocol anomaly, or a
|
|
362
|
+
* timeout is never retried.
|
|
363
|
+
* - **Liveness (4c/W11/M1+M3):** the ceremony deadline always fires **before**
|
|
364
|
+
* `intent.validBefore − clockSkewBudgetSecs` (a co-signature must never be born
|
|
365
|
+
* expired), and a `sign()` whose remaining window is under
|
|
366
|
+
* `minWindowSecs + clockSkewBudgetSecs` is refused up front.
|
|
367
|
+
* - **Inbound bound (4c/M3):** a `round` payload over `maxFrameBytes` is refused
|
|
368
|
+
* before it reaches the WASM boundary (mirrors the backend's bound).
|
|
369
|
+
*/
|
|
370
|
+
interface Mpc2pWireOptions {
|
|
371
|
+
/** Max ceremony attempts for transient transport failures (default 2 = one retry). */
|
|
372
|
+
readonly maxAttempts?: number;
|
|
373
|
+
/** Overall per-`sign()` budget in ms, across ALL attempts (default 30_000). */
|
|
374
|
+
readonly ceremonyTimeoutMs?: number;
|
|
375
|
+
/** Minimum remaining validity window required at `sign()` start, in seconds (default 30). */
|
|
376
|
+
readonly minWindowSecs?: number;
|
|
377
|
+
/** Max tolerated agent-host clock skew, in seconds (default 30). */
|
|
378
|
+
readonly clockSkewBudgetSecs?: number;
|
|
379
|
+
/** Inbound round-payload bound in bytes (default {@link MAX_FRAME_BYTES} = 8 MiB). */
|
|
380
|
+
readonly maxFrameBytes?: number;
|
|
381
|
+
}
|
|
328
382
|
/** Parameters for {@link createMpc2pPolicyGatedSigner}. */
|
|
329
383
|
interface Mpc2pSignerParams {
|
|
330
384
|
/** The group 2-of-2 EOA; every `intent.from` must equal this (asserted vs the agent). */
|
|
@@ -342,6 +396,8 @@ interface Mpc2pSignerParams {
|
|
|
342
396
|
readonly transport: CoSignTransport;
|
|
343
397
|
/** The injected A3 authenticator (the pre-shared key never enters the SDK). */
|
|
344
398
|
readonly authenticator: CoSignRequestAuthenticator;
|
|
399
|
+
/** Wire liveness / retry tuning (optional; safe defaults — {@link Mpc2pWireOptions}). */
|
|
400
|
+
readonly wire?: Mpc2pWireOptions;
|
|
345
401
|
}
|
|
346
402
|
/**
|
|
347
403
|
* Construct an `mpc-2p` (cryptographic) PolicyGatedSigner over injected agent +
|
|
@@ -363,4 +419,4 @@ interface Mpc2pSignerParams {
|
|
|
363
419
|
*/
|
|
364
420
|
declare function createMpc2pPolicyGatedSigner(params: Mpc2pSignerParams): PolicyGatedSigner<"cryptographic">;
|
|
365
421
|
|
|
366
|
-
export { type CoSignConnection, type CoSignFrame, type CoSignRequestAuthenticator, type CoSignRequestEnvelope, type CoSignTransport, CoSignUnavailableError, type CreateLocalPolicyGatedSignerParams, type Mpc2pCoSignAgent, type Mpc2pSignerParams, type Mpc2pStepOutcome, NonBypassableEnforcement, PaymentIntent, PolicyGatedSigner, PolicyGatedSignerConfigError, WIRE_VERSION, type WireIntent, assertNonBypassable, canonicalRequestBytes, createLocalPolicyGatedSigner, createMpc2pPolicyGatedSigner, requireNonBypassable, toWireIntent };
|
|
422
|
+
export { type CoSignConnection, type CoSignFrame, type CoSignRequestAuthenticator, type CoSignRequestEnvelope, type CoSignTransport, CoSignUnavailableError, type CreateLocalPolicyGatedSignerParams, MAX_FRAME_BYTES, type Mpc2pCoSignAgent, type Mpc2pSignerParams, type Mpc2pStepOutcome, type Mpc2pWireOptions, NonBypassableEnforcement, PaymentIntent, PolicyGatedSigner, PolicyGatedSignerConfigError, WIRE_VERSION, type WireIntent, assertNonBypassable, canonicalRequestBytes, createLocalPolicyGatedSigner, createMpc2pPolicyGatedSigner, requireNonBypassable, toWireIntent };
|
package/dist/signer/index.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
export { WIRE_VERSION, canonicalRequestBytes, createLocalPolicyGatedSigner, createMpc2pPolicyGatedSigner, toWireIntent } from '../chunk-
|
|
2
|
-
export { CoSignUnavailableError, PolicyGatedSignerConfigError, assertNonBypassable, requireNonBypassable } from '../chunk-
|
|
1
|
+
export { MAX_FRAME_BYTES, WIRE_VERSION, canonicalRequestBytes, createLocalPolicyGatedSigner, createMpc2pPolicyGatedSigner, toWireIntent } from '../chunk-S2ZSX2VS.js';
|
|
2
|
+
export { CoSignUnavailableError, PolicyGatedSignerConfigError, assertNonBypassable, requireNonBypassable } from '../chunk-VJUXTVSW.js';
|
|
3
3
|
import '../chunk-WMVJNPX2.js';
|
|
4
4
|
import '../chunk-6CNAYQOL.js';
|
|
5
5
|
import '../chunk-KT7XDT2T.js';
|