nebulon-escrow-cli 0.1.0

package/src/hosted.js

@@ -0,0 +1,288 @@
+const bs58Module = require("bs58");
+const nacl = require("tweetnacl");
+
+const bs58 =
+  (bs58Module && bs58Module.encode && bs58Module) ||
+  (bs58Module && bs58Module.default && bs58Module.default);
+
+const encodeBase58 = (value) => {
+  if (!bs58 || typeof bs58.encode !== "function") {
+    throw new Error("Base58 encoder unavailable.");
+  }
+  return bs58.encode(value);
+};
+
+const ensureUrl = (baseUrl, path) =>
+  `${baseUrl.replace(/\/$/, "")}${path}`;
+
+const fetchJson = async (url, options = {}) => {
+  const res = await fetch(url, {
+    ...options,
+    headers: {
+      "Content-Type": "application/json",
+      ...(options.headers || {}),
+    },
+  });
+  let data = null;
+  let parseError = null;
+  try {
+    data = await res.json();
+  } catch (error) {
+    parseError = error;
+  }
+  if (!res.ok) {
+    const message = (data && (data.error || data.message)) || res.statusText;
+    const error = new Error(message);
+    error.data = data;
+    error.status = res.status;
+    throw error;
+  }
+  if (parseError) {
+    const text = await res.text().catch(() => "");
+    const preview = text ? text.slice(0, 200).replace(/\s+/g, " ") : "n/a";
+    throw new Error(
+      `Unexpected non-JSON response from ${url} (status ${res.status}). Body: ${preview}`
+    );
+  }
+  return data || {};
+};
+
+const getChallenge = async (baseUrl, wallet) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/auth/challenge"), {
+    method: "POST",
+    body: JSON.stringify({ wallet }),
+  });
+
+const signChallenge = (keypair, message) => {
+  const messageBytes = Buffer.from(message, "utf8");
+  const signatureBytes = nacl.sign.detached(messageBytes, keypair.secretKey);
+  return encodeBase58(signatureBytes);
+};
+
+const verify = async (baseUrl, payload) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/auth/verify"), {
+    method: "POST",
+    body: JSON.stringify(payload),
+  });
+
+const login = async (baseUrl, keypair, handle) => {
+  const wallet = keypair.publicKey.toBase58();
+  const challenge = await getChallenge(baseUrl, wallet);
+  const signature = signChallenge(keypair, challenge.message);
+  const body = {
+    wallet,
+    nonce: challenge.nonce,
+    signature,
+  };
+  if (handle) {
+    body.nebulonId = handle;
+  }
+  return verify(baseUrl, body);
+};
+
+const me = async (baseUrl, token) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/auth/me"), {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+const getContracts = async (baseUrl, token) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/contracts"), {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+const getContract = async (baseUrl, token, id) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}`), {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+const getContractKeys = async (baseUrl, token, id) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}/keys`), {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+const updateContract = async (baseUrl, token, id, payload) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}`), {
+    method: "PATCH",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify(payload || {}),
+  });
+
+const setContractKey = async (baseUrl, token, id, publicKey) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}/keys`), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({ publicKey }),
+  });
+
+const lockContract = async (baseUrl, token, id) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}/lock`), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({}),
+  });
+
+const signContract = async (baseUrl, token, id) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}/sign`), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({}),
+  });
+
+const markFunded = async (baseUrl, token, id) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}/mark-funded`), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({}),
+  });
+
+const refreshContract = async (baseUrl, token, id) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}/refresh`), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({}),
+  });
+
+const linkEscrow = async (baseUrl, token, id, payload) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}/link-escrow`), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify(payload || {}),
+  });
+
+const rateContract = async (baseUrl, token, id, score) =>
+  fetchJson(ensureUrl(baseUrl, `/v1/contracts/${id}/rate`), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({ score }),
+  });
+
+const createInvite = async (baseUrl, token, payload) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/invites"), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify(payload || {}),
+  });
+
+const getInvites = async (baseUrl, token) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/invites"), {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+const acceptInvite = async (baseUrl, token, inviteToken) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/invites/accept"), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({ token: inviteToken }),
+  });
+
+const acceptInviteById = async (baseUrl, token, payload) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/invites/accept-id"), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify(payload || {}),
+  });
+
+const declineInvite = async (baseUrl, token, payload) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/invites/decline"), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify(payload || {}),
+  });
+
+const checkHandle = async (baseUrl, handle) =>
+  fetchJson(
+    ensureUrl(baseUrl, `/v1/ids/check?handle=${encodeURIComponent(handle)}`)
+  );
+
+const updateHandle = async (baseUrl, token, handle, pfp) => {
+  const payload = {};
+  if (handle) {
+    payload.nebulonId = handle;
+  }
+  if (pfp) {
+    payload.pfp = pfp;
+  }
+  return fetchJson(ensureUrl(baseUrl, "/v1/auth/handle"), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify(payload),
+  });
+};
+
+const faucet = async (baseUrl, token) =>
+  fetchJson(ensureUrl(baseUrl, "/v1/faucet/tusdc"), {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({}),
+  });
+
+module.exports = {
+  getConfig: (baseUrl) => fetchJson(ensureUrl(baseUrl, "/v1/config")),
+  getChallenge,
+  signChallenge,
+  verify,
+  getContracts,
+  getContract,
+  getContractKeys,
+  updateContract,
+  setContractKey,
+  lockContract,
+  signContract,
+  markFunded,
+  refreshContract,
+  linkEscrow,
+  rateContract,
+  createInvite,
+  getInvites,
+  acceptInvite,
+  acceptInviteById,
+  declineInvite,
+  checkHandle,
+  updateHandle,
+  login,
+  me,
+  faucet,
+};

package/src/nebulon.js

@@ -0,0 +1,121 @@
+const path = require("path");
+const anchor = require("@coral-xyz/anchor");
+const { Connection, PublicKey, SystemProgram } = require("@solana/web3.js");
+
+const IDL_PATH = path.join(__dirname, "..", "idl", "nebulon.json");
+const IDL = require(IDL_PATH);
+
+const ESCROW_SEED = "escrow";
+const MILESTONE_SEED = "milestone";
+const PRIVATE_MILESTONE_SEED = "private-milestone";
+const TERMS_SEED = "terms";
+const PER_VAULT_SEED = "per-vault";
+const DISPUTE_SEED = "dispute";
+
+const getProgramId = (config) => new PublicKey(config.programId);
+
+const getProvider = (endpoint, keypair, wsEndpoint) => {
+  const connection = wsEndpoint
+    ? new Connection(endpoint, { commitment: "confirmed", wsEndpoint })
+    : new Connection(endpoint, "confirmed");
+  const wallet = new anchor.Wallet(keypair);
+  return new anchor.AnchorProvider(connection, wallet, {
+    commitment: "confirmed",
+  });
+};
+
+const getProgram = (config, keypair, options = {}) => {
+  const endpoint =
+    options.endpoint ||
+    (options.useEphemeral
+      ? config.ephemeralProviderUrl || config.rpcUrl
+      : config.rpcUrl);
+  const provider = getProvider(endpoint, keypair, options.wsEndpoint);
+  const programId = getProgramId(config);
+  const idl = JSON.parse(JSON.stringify(IDL));
+  idl.address = programId.toBase58();
+  const program = new anchor.Program(idl, provider);
+  return { program, provider, connection: provider.connection, programId };
+};
+
+const deriveEscrowPda = (client, escrowId, programId) =>
+  PublicKey.findProgramAddressSync(
+    [
+      Buffer.from(ESCROW_SEED),
+      client.toBuffer(),
+      Buffer.from(
+        Uint8Array.from(
+          (anchor.BN.isBN && anchor.BN.isBN(escrowId)
+            ? escrowId
+            : new anchor.BN(escrowId)
+          ).toArray("le", 8)
+        )
+      ),
+    ],
+    programId
+  )[0];
+
+const deriveMilestonePda = (escrowPda, index, programId) =>
+  PublicKey.findProgramAddressSync(
+    [
+      Buffer.from(MILESTONE_SEED),
+      escrowPda.toBuffer(),
+      Buffer.from([index]),
+    ],
+    programId
+  )[0];
+
+const derivePrivateMilestonePda = (escrowPda, index, programId) =>
+  PublicKey.findProgramAddressSync(
+    [
+      Buffer.from(PRIVATE_MILESTONE_SEED),
+      escrowPda.toBuffer(),
+      Buffer.from([index]),
+    ],
+    programId
+  )[0];
+
+const deriveTermsPda = (escrowPda, programId) =>
+  PublicKey.findProgramAddressSync(
+    [Buffer.from(TERMS_SEED), escrowPda.toBuffer()],
+    programId
+  )[0];
+
+const derivePerVaultPda = (escrowPda, programId) =>
+  PublicKey.findProgramAddressSync(
+    [Buffer.from(PER_VAULT_SEED), escrowPda.toBuffer()],
+    programId
+  )[0];
+
+const deriveDisputePda = (escrowPda, programId) =>
+  PublicKey.findProgramAddressSync(
+    [Buffer.from(DISPUTE_SEED), escrowPda.toBuffer()],
+    programId
+  )[0];
+
+const textToHash = (text) => {
+  const bytes = Buffer.alloc(32);
+  const encoded = Buffer.from(text, "utf8");
+  bytes.set(encoded.subarray(0, 32));
+  return Array.from(bytes);
+};
+
+module.exports = {
+  IDL,
+  ESCROW_SEED,
+  MILESTONE_SEED,
+  PRIVATE_MILESTONE_SEED,
+  TERMS_SEED,
+  PER_VAULT_SEED,
+  DISPUTE_SEED,
+  SystemProgram,
+  getProgram,
+  getProgramId,
+  deriveEscrowPda,
+  deriveMilestonePda,
+  derivePrivateMilestonePda,
+  deriveTermsPda,
+  derivePerVaultPda,
+  deriveDisputePda,
+  textToHash,
+};

package/src/paths.js

@@ -0,0 +1,24 @@
+const os = require("os");
+const path = require("path");
+
+const nebulonHome = () =>
+  process.env.NEBULON_HOME || path.join(os.homedir(), ".nebulon");
+
+const legacyConfigPath = () => path.join(nebulonHome(), "config.json");
+const legacyWalletsDir = () => path.join(nebulonHome(), "wallets");
+const capsulesDir = () => path.join(nebulonHome(), "capsules");
+const activeCapsulePath = () => path.join(nebulonHome(), "active-capsule.json");
+const capsuleRoot = (name) => path.join(capsulesDir(), name);
+const capsuleConfigPath = (name) => path.join(capsuleRoot(name), "config.json");
+const capsuleWalletsDir = (name) => path.join(capsuleRoot(name), "wallets");
+
+module.exports = {
+  nebulonHome,
+  legacyConfigPath,
+  legacyWalletsDir,
+  capsulesDir,
+  activeCapsulePath,
+  capsuleRoot,
+  capsuleConfigPath,
+  capsuleWalletsDir,
+};

package/src/privacy.js

@@ -0,0 +1,117 @@
+const crypto = require("crypto");
+const bs58Module = require("bs58");
+const nacl = require("tweetnacl");
+const { saveConfig } = require("./config");
+
+const bs58 =
+  (bs58Module && bs58Module.encode && bs58Module) ||
+  (bs58Module && bs58Module.default && bs58Module.default);
+
+const encodeBase58 = (value) => {
+  if (!bs58 || typeof bs58.encode !== "function") {
+    throw new Error("Base58 encoder unavailable.");
+  }
+  return bs58.encode(value);
+};
+
+const decodeBase58 = (value) => {
+  if (!bs58 || typeof bs58.decode !== "function") {
+    throw new Error("Base58 decoder unavailable.");
+  }
+  return bs58.decode(value);
+};
+
+const isEncryptedPayload = (value) =>
+  typeof value === "string" && value.startsWith("enc:v1:");
+
+const encodeEncryptedPayload = (nonce, ciphertext, tag) => {
+  const nonceB64 = Buffer.from(nonce).toString("base64");
+  const cipherB64 = Buffer.from(ciphertext).toString("base64");
+  const tagB64 = Buffer.from(tag).toString("base64");
+  return `enc:v1:${nonceB64}:${cipherB64}:${tagB64}`;
+};
+
+const decodeEncryptedPayload = (payload) => {
+  if (!isEncryptedPayload(payload)) {
+    throw new Error("Payload is not encrypted.");
+  }
+  const [, , nonceB64, cipherB64, tagB64] = payload.split(":");
+  if (!nonceB64 || !cipherB64 || !tagB64) {
+    throw new Error("Malformed encrypted payload.");
+  }
+  return {
+    nonce: Buffer.from(nonceB64, "base64"),
+    ciphertext: Buffer.from(cipherB64, "base64"),
+    tag: Buffer.from(tagB64, "base64"),
+  };
+};
+
+const deriveContractKey = (selfSecretKey58, peerPublicKey58, contractId) => {
+  const selfSecret = decodeBase58(selfSecretKey58);
+  const peerPublic = decodeBase58(peerPublicKey58);
+  const shared = nacl.scalarMult(selfSecret, peerPublic);
+  const salt = Buffer.from(String(contractId), "utf8");
+  const info = Buffer.from("nebulon:contract:v1", "utf8");
+  return crypto.hkdfSync("sha256", Buffer.from(shared), salt, info, 32);
+};
+
+const encryptPayload = (key, plaintext, aad) => {
+  const nonce = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
+  if (aad) {
+    cipher.setAAD(Buffer.from(aad, "utf8"));
+  }
+  const ciphertext = Buffer.concat([
+    cipher.update(Buffer.from(plaintext, "utf8")),
+    cipher.final(),
+  ]);
+  const tag = cipher.getAuthTag();
+  return encodeEncryptedPayload(nonce, ciphertext, tag);
+};
+
+const decryptPayload = (key, payload, aad) => {
+  const { nonce, ciphertext, tag } = decodeEncryptedPayload(payload);
+  const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce);
+  if (aad) {
+    decipher.setAAD(Buffer.from(aad, "utf8"));
+  }
+  decipher.setAuthTag(tag);
+  const plaintext = Buffer.concat([
+    decipher.update(ciphertext),
+    decipher.final(),
+  ]);
+  return plaintext.toString("utf8");
+};
+
+const ensurePrivacyConfig = (config) => {
+  config.privacy = config.privacy || {};
+  config.privacy.contractKeys = config.privacy.contractKeys || {};
+};
+
+const ensureContractKeypair = (config, contractId) => {
+  if (!contractId) {
+    throw new Error("Missing contract ID for privacy keys.");
+  }
+  ensurePrivacyConfig(config);
+  const existing = config.privacy.contractKeys[contractId];
+  if (existing && existing.publicKey && existing.secretKey) {
+    return existing;
+  }
+  const keypair = nacl.box.keyPair();
+  const entry = {
+    publicKey: encodeBase58(keypair.publicKey),
+    secretKey: encodeBase58(keypair.secretKey),
+    createdAt: Math.floor(Date.now() / 1000),
+  };
+  config.privacy.contractKeys[contractId] = entry;
+  saveConfig(config);
+  return entry;
+};
+
+module.exports = {
+  ensureContractKeypair,
+  deriveContractKey,
+  encryptPayload,
+  decryptPayload,
+  isEncryptedPayload,
+};

package/src/session.js

@@ -0,0 +1,131 @@
+const { loadWalletKeypair } = require("./wallets");
+const { saveConfig } = require("./config");
+const { getChallenge, signChallenge, verify, me } = require("./hosted");
+
+const REFRESH_INTERVAL_SECONDS = 15 * 60;
+
+const nowSeconds = () => Math.floor(Date.now() / 1000);
+
+const base64UrlDecode = (value) => {
+  if (!value) {
+    return null;
+  }
+  const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+  const padded =
+    normalized + "=".repeat((4 - (normalized.length % 4)) % 4);
+  return Buffer.from(padded, "base64").toString("utf8");
+};
+
+const decodeJwt = (token) => {
+  if (!token) {
+    return null;
+  }
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    return null;
+  }
+  try {
+    const payload = base64UrlDecode(parts[1]);
+    return JSON.parse(payload);
+  } catch (error) {
+    return null;
+  }
+};
+
+const ensureAuthState = (config) => {
+  if (!config.auth) {
+    config.auth = {
+      token: null,
+      wallet: null,
+      handle: null,
+      role: null,
+      lastAuthAt: null,
+    };
+  }
+};
+
+const recordAuth = (config, result) => {
+  config.auth.token = result.token;
+  config.auth.wallet = result.user.wallet;
+  config.auth.handle = result.user.handle || null;
+  config.auth.role = result.user.role || null;
+  config.auth.lastAuthAt = nowSeconds();
+};
+
+const shouldRefresh = (config) => {
+  if (!config.auth.token) {
+    return true;
+  }
+  const now = nowSeconds();
+  if (config.auth.lastAuthAt && now - config.auth.lastAuthAt >= REFRESH_INTERVAL_SECONDS) {
+    return true;
+  }
+  const tokenData = decodeJwt(config.auth.token);
+  if (tokenData && tokenData.exp && tokenData.exp - now <= 60) {
+    return true;
+  }
+  return false;
+};
+
+const refreshSession = async (config, options = {}) => {
+  const keypair = loadWalletKeypair(config, config.activeWallet);
+  const wallet = keypair.publicKey.toBase58();
+  if (!options.quiet) {
+    console.log("Refreshing session...");
+  }
+  const challenge = await getChallenge(config.backendUrl, wallet);
+  const signature = signChallenge(keypair, challenge.message);
+  const result = await verify(config.backendUrl, {
+    wallet,
+    nonce: challenge.nonce,
+    signature,
+  });
+  recordAuth(config, result);
+  saveConfig(config);
+  return result;
+};
+
+const ensureHostedSession = async (config, options = {}) => {
+  if (config.mode !== "hosted") {
+    throw new Error("Hosted mode required.");
+  }
+  if (!config.activeWallet) {
+    throw new Error("No active wallet. Run: nebulon init");
+  }
+
+  ensureAuthState(config);
+  if (!config.auth.lastAuthAt && config.auth.token) {
+    const tokenData = decodeJwt(config.auth.token);
+    if (tokenData && tokenData.iat) {
+      config.auth.lastAuthAt = tokenData.iat;
+    }
+  }
+
+  if (shouldRefresh(config)) {
+    await refreshSession(config, options);
+  }
+
+  if (options.requireHandle) {
+    let handle = config.auth.handle;
+    if (!handle && config.auth.token) {
+      try {
+        const profile = await me(config.backendUrl, config.auth.token);
+        handle = profile.nebulonId || profile.handle || null;
+        config.auth.handle = handle;
+        saveConfig(config);
+      } catch (error) {
+        // ignore and fallback to error below
+      }
+    }
+    if (!handle) {
+      throw new Error("Nebulon ID required. Run: nebulon login");
+    }
+  }
+
+  return config;
+};
+
+module.exports = {
+  ensureHostedSession,
+  decodeJwt,
+};