openclaw-overlay-plugin 0.7.22

package/dist/test/comprehensive-overlay.test.js

@@ -0,0 +1,593 @@
+/**
+ * Comprehensive Overlay Submission Tests
+ *
+ * Tests all aspects of overlay submission:
+ * - BEEF format and construction
+ * - Payload validation (identity, service, revocation)
+ * - PushDrop script format
+ * - Transaction chain validation
+ * - Server response handling
+ *
+ * Run with: npx tsx src/test/comprehensive-overlay.test.ts
+ */
+import { Beef, Transaction, PrivateKey, P2PKH, LockingScript, OP } from '@bsv/sdk';
+import { PROTOCOL_ID, extractPushDropFields, parseIdentityOutput, parseRevocationOutput, parseServiceOutput, identifyIdentityOutputs, identifyServiceOutputs, validateBeef, validateBeefAncestry, } from './utils/server-logic.js';
+const results = [];
+function test(name, fn) {
+    try {
+        const result = fn();
+        if (result instanceof Promise) {
+            result
+                .then(() => {
+                results.push({ name, passed: true });
+                console.log(`✅ ${name}`);
+            })
+                .catch((e) => {
+                results.push({ name, passed: false, error: e.message });
+                console.log(`❌ ${name}: ${e.message}`);
+            });
+        }
+        else {
+            results.push({ name, passed: true });
+            console.log(`✅ ${name}`);
+        }
+    }
+    catch (e) {
+        const errorMessage = e instanceof Error ? e.message : String(e);
+        results.push({ name, passed: false, error: errorMessage });
+        console.log(`❌ ${name}: ${errorMessage}`);
+    }
+}
+function assert(condition, message) {
+    if (!condition)
+        throw new Error(message);
+}
+function assertEqual(actual, expected, message) {
+    if (actual !== expected) {
+        throw new Error(`${message}: expected ${expected}, got ${actual}`);
+    }
+}
+// ============================================================================
+// Helper Functions - PushDrop Script Building
+// ============================================================================
+/**
+ * Create a minimally encoded push chunk for script building.
+ */
+function createPushChunk(data) {
+    if (data.length === 0) {
+        return { op: 0 };
+    }
+    if (data.length === 1 && data[0] === 0) {
+        return { op: 0 };
+    }
+    if (data.length === 1 && data[0] > 0 && data[0] <= 16) {
+        return { op: 0x50 + data[0] };
+    }
+    if (data.length <= 75) {
+        return { op: data.length, data };
+    }
+    if (data.length <= 255) {
+        return { op: 0x4c, data };
+    }
+    if (data.length <= 65535) {
+        return { op: 0x4d, data };
+    }
+    return { op: 0x4e, data };
+}
+/**
+ * Build a PushDrop-style locking script with JSON payload.
+ * Format: <pubkey> OP_CHECKSIG <jsonBytes> OP_DROP
+ *
+ * This mimics what PushDrop.lock() produces for testing purposes.
+ */
+function buildPushDropScript(privKey, payload) {
+    const pubKey = privKey.toPublicKey();
+    const pubKeyBytes = pubKey.toDER();
+    const jsonBytes = Array.from(new TextEncoder().encode(JSON.stringify(payload)));
+    const chunks = [];
+    // P2PK lock: <pubkey> OP_CHECKSIG
+    chunks.push({ op: pubKeyBytes.length, data: pubKeyBytes });
+    chunks.push({ op: OP.OP_CHECKSIG });
+    // Data field: <jsonBytes>
+    chunks.push(createPushChunk(jsonBytes));
+    // OP_DROP to clean stack
+    chunks.push({ op: OP.OP_DROP });
+    return new LockingScript(chunks);
+}
+async function createSignedTransaction(privKey, sourceTx, sourceVout, pushDropPayload, changeSats = 9900) {
+    const tx = new Transaction();
+    const pubKeyHash = privKey.toPublicKey().toHash();
+    tx.addInput({
+        sourceTransaction: sourceTx,
+        sourceOutputIndex: sourceVout,
+        unlockingScriptTemplate: new P2PKH().unlock(privKey),
+    });
+    tx.addOutput({
+        lockingScript: buildPushDropScript(privKey, pushDropPayload),
+        satoshis: 1, // PushDrop outputs need at least 1 sat
+    });
+    if (changeSats > 0) {
+        tx.addOutput({
+            lockingScript: new P2PKH().lock(pubKeyHash),
+            satoshis: changeSats,
+        });
+    }
+    await tx.sign();
+    return tx;
+}
+function createSourceTransaction(privKey, satoshis = 10000) {
+    const pubKeyHash = privKey.toPublicKey().toHash();
+    const tx = new Transaction();
+    tx.addOutput({
+        lockingScript: new P2PKH().lock(pubKeyHash),
+        satoshis,
+    });
+    return tx;
+}
+// ============================================================================
+// BEEF Format Tests
+// ============================================================================
+console.log('\n=== BEEF Format Tests ===\n');
+test('BEEF: valid v2 magic bytes', async () => {
+    const privKey = PrivateKey.fromRandom();
+    const sourceTx = createSourceTransaction(privKey);
+    const tx = await createSignedTransaction(privKey, sourceTx, 0, { test: true });
+    const beef = new Beef();
+    beef.mergeTransaction(tx);
+    const binary = beef.toBinary();
+    const result = validateBeef(binary);
+    assert(result.valid, result.error || 'BEEF should be valid');
+    assertEqual(result.version, 2, 'Should be BEEF v2');
+});
+test('BEEF: contains multiple transactions', async () => {
+    const privKey = PrivateKey.fromRandom();
+    const sourceTx = createSourceTransaction(privKey);
+    const tx = await createSignedTransaction(privKey, sourceTx, 0, { test: true });
+    const beef = new Beef();
+    beef.mergeTransaction(tx);
+    const binary = beef.toBinary();
+    const result = validateBeef(binary);
+    assert(result.txCount >= 2, `Should have at least 2 txs, got ${result.txCount}`);
+});
+test('BEEF: invalid magic bytes rejected', () => {
+    const garbage = [0xDE, 0xAD, 0xBE, 0xEF, 0, 0, 0, 0];
+    const result = validateBeef(garbage);
+    assert(!result.valid, 'Should reject invalid magic');
+});
+test('BEEF: empty BEEF rejected', () => {
+    const emptyBeef = new Beef();
+    const binary = emptyBeef.toBinary();
+    const result = validateBeef(binary);
+    assert(!result.valid, 'Should reject empty BEEF');
+});
+// ============================================================================
+// Identity Payload Tests
+// ============================================================================
+console.log('\n=== Identity Payload Tests ===\n');
+test('Identity: valid payload accepted', () => {
+    const privKey = PrivateKey.fromRandom();
+    const identityKey = privKey.toPublicKey().toString();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity',
+        identityKey,
+        name: 'test-agent',
+        description: 'A test agent',
+        channels: { overlay: 'https://example.com' },
+        capabilities: ['testing'],
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    const parsed = parseIdentityOutput(script);
+    assert(parsed !== null, 'Should parse valid identity');
+    assertEqual(parsed.identityKey, identityKey, 'Identity key should match');
+    assertEqual(parsed.name, 'test-agent', 'Name should match');
+});
+test('Identity: wrong protocol rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: 'wrong-protocol',
+        type: 'identity',
+        identityKey: privKey.toPublicKey().toString(),
+        name: 'test',
+        description: '',
+        channels: {},
+        capabilities: [],
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseIdentityOutput(script) === null, 'Should reject wrong protocol');
+});
+test('Identity: wrong type rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'service', // Wrong type
+        identityKey: privKey.toPublicKey().toString(),
+        name: 'test',
+        description: '',
+        channels: {},
+        capabilities: [],
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseIdentityOutput(script) === null, 'Should reject wrong type');
+});
+test('Identity: invalid identity key rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity',
+        identityKey: 'not-a-valid-key',
+        name: 'test',
+        description: '',
+        channels: {},
+        capabilities: [],
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseIdentityOutput(script) === null, 'Should reject invalid identity key');
+});
+test('Identity: short identity key rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity',
+        identityKey: '02abcd', // Too short
+        name: 'test',
+        description: '',
+        channels: {},
+        capabilities: [],
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseIdentityOutput(script) === null, 'Should reject short identity key');
+});
+test('Identity: empty name rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity',
+        identityKey: privKey.toPublicKey().toString(),
+        name: '',
+        description: '',
+        channels: {},
+        capabilities: [],
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseIdentityOutput(script) === null, 'Should reject empty name');
+});
+test('Identity: non-array capabilities rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity',
+        identityKey: privKey.toPublicKey().toString(),
+        name: 'test',
+        description: '',
+        channels: {},
+        capabilities: 'not-an-array',
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseIdentityOutput(script) === null, 'Should reject non-array capabilities');
+});
+// ============================================================================
+// Service Payload Tests
+// ============================================================================
+console.log('\n=== Service Payload Tests ===\n');
+test('Service: valid payload accepted', () => {
+    const privKey = PrivateKey.fromRandom();
+    const identityKey = privKey.toPublicKey().toString();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'service',
+        identityKey,
+        serviceId: 'test-service',
+        name: 'Test Service',
+        description: 'A test service',
+        pricing: { model: 'per-task', amountSats: 100 },
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    const parsed = parseServiceOutput(script);
+    assert(parsed !== null, 'Should parse valid service');
+    assertEqual(parsed.serviceId, 'test-service', 'Service ID should match');
+    assertEqual(parsed.pricing.amountSats, 100, 'Price should match');
+});
+test('Service: empty serviceId rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'service',
+        identityKey: privKey.toPublicKey().toString(),
+        serviceId: '',
+        name: 'Test',
+        description: '',
+        pricing: { model: 'per-task', amountSats: 100 },
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseServiceOutput(script) === null, 'Should reject empty serviceId');
+});
+test('Service: missing pricing rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'service',
+        identityKey: privKey.toPublicKey().toString(),
+        serviceId: 'test',
+        name: 'Test',
+        description: '',
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseServiceOutput(script) === null, 'Should reject missing pricing');
+});
+test('Service: invalid pricing rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'service',
+        identityKey: privKey.toPublicKey().toString(),
+        serviceId: 'test',
+        name: 'Test',
+        description: '',
+        pricing: { model: 'per-task', amountSats: 'not-a-number' },
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseServiceOutput(script) === null, 'Should reject invalid pricing');
+});
+// ============================================================================
+// Revocation Payload Tests
+// ============================================================================
+console.log('\n=== Revocation Payload Tests ===\n');
+test('Revocation: valid payload accepted', () => {
+    const privKey = PrivateKey.fromRandom();
+    const identityKey = privKey.toPublicKey().toString();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity-revocation',
+        identityKey,
+        reason: 'Test revocation',
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    const parsed = parseRevocationOutput(script);
+    assert(parsed !== null, 'Should parse valid revocation');
+    assertEqual(parsed.identityKey, identityKey, 'Identity key should match');
+});
+test('Revocation: invalid identity key rejected', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity-revocation',
+        identityKey: 'invalid',
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, payload);
+    assert(parseRevocationOutput(script) === null, 'Should reject invalid identity key');
+});
+// ============================================================================
+// Topic Manager Simulation Tests
+// ============================================================================
+console.log('\n=== Topic Manager Simulation Tests ===\n');
+test('TopicManager: identity output admitted', async () => {
+    const privKey = PrivateKey.fromRandom();
+    const identityKey = privKey.toPublicKey().toString();
+    const sourceTx = createSourceTransaction(privKey);
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity',
+        identityKey,
+        name: 'test-agent',
+        description: 'Test',
+        channels: {},
+        capabilities: [],
+        timestamp: new Date().toISOString(),
+    };
+    const tx = await createSignedTransaction(privKey, sourceTx, 0, payload);
+    const beef = new Beef();
+    beef.mergeTransaction(tx);
+    const binary = beef.toBinary();
+    const result = identifyIdentityOutputs(binary);
+    assertEqual(result.outputsToAdmit.length, 1, 'Should admit 1 output');
+    assertEqual(result.outputsToAdmit[0], 0, 'Should admit output 0');
+});
+test('TopicManager: revocation output admitted', async () => {
+    const privKey = PrivateKey.fromRandom();
+    const identityKey = privKey.toPublicKey().toString();
+    const sourceTx = createSourceTransaction(privKey);
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity-revocation',
+        identityKey,
+        timestamp: new Date().toISOString(),
+    };
+    const tx = await createSignedTransaction(privKey, sourceTx, 0, payload);
+    const beef = new Beef();
+    beef.mergeTransaction(tx);
+    const binary = beef.toBinary();
+    const result = identifyIdentityOutputs(binary);
+    assertEqual(result.outputsToAdmit.length, 1, 'Should admit revocation');
+});
+test('TopicManager: service output admitted', async () => {
+    const privKey = PrivateKey.fromRandom();
+    const identityKey = privKey.toPublicKey().toString();
+    const sourceTx = createSourceTransaction(privKey);
+    const payload = {
+        protocol: PROTOCOL_ID,
+        type: 'service',
+        identityKey,
+        serviceId: 'test-svc',
+        name: 'Test Service',
+        description: 'Test',
+        pricing: { model: 'per-task', amountSats: 50 },
+        timestamp: new Date().toISOString(),
+    };
+    const tx = await createSignedTransaction(privKey, sourceTx, 0, payload);
+    const beef = new Beef();
+    beef.mergeTransaction(tx);
+    const binary = beef.toBinary();
+    const result = identifyServiceOutputs(binary);
+    assertEqual(result.outputsToAdmit.length, 1, 'Should admit service');
+});
+test('TopicManager: invalid payload not admitted', async () => {
+    const privKey = PrivateKey.fromRandom();
+    const sourceTx = createSourceTransaction(privKey);
+    // Invalid payload (wrong protocol)
+    const payload = {
+        protocol: 'wrong',
+        type: 'identity',
+        identityKey: privKey.toPublicKey().toString(),
+        name: 'test',
+        description: '',
+        channels: {},
+        capabilities: [],
+        timestamp: new Date().toISOString(),
+    };
+    const tx = await createSignedTransaction(privKey, sourceTx, 0, payload);
+    const beef = new Beef();
+    beef.mergeTransaction(tx);
+    const binary = beef.toBinary();
+    const result = identifyIdentityOutputs(binary);
+    assertEqual(result.outputsToAdmit.length, 0, 'Should not admit invalid payload');
+});
+// ============================================================================
+// Transaction Chain Tests
+// ============================================================================
+console.log('\n=== Transaction Chain Tests ===\n');
+test('Chain: two unconfirmed transactions', async () => {
+    const privKey = PrivateKey.fromRandom();
+    const identityKey = privKey.toPublicKey().toString();
+    const pubKeyHash = privKey.toPublicKey().toHash();
+    // Grandparent (simulating mined)
+    const grandparentTx = createSourceTransaction(privKey, 100000);
+    // Parent (first overlay tx)
+    const parentPayload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity',
+        identityKey,
+        name: 'parent-tx',
+        description: 'First',
+        channels: {},
+        capabilities: [],
+        timestamp: new Date().toISOString(),
+    };
+    const parentTx = await createSignedTransaction(privKey, grandparentTx, 0, parentPayload, 99900);
+    // Child (second overlay tx, spending parent's change)
+    const childPayload = {
+        protocol: PROTOCOL_ID,
+        type: 'service',
+        identityKey,
+        serviceId: 'child-svc',
+        name: 'Child Service',
+        description: 'Second',
+        pricing: { model: 'per-task', amountSats: 25 },
+        timestamp: new Date().toISOString(),
+    };
+    const childTx = new Transaction();
+    childTx.addInput({
+        sourceTransaction: parentTx,
+        sourceOutputIndex: 1, // Change output
+        unlockingScriptTemplate: new P2PKH().unlock(privKey),
+    });
+    childTx.addOutput({
+        lockingScript: buildPushDropScript(privKey, childPayload),
+        satoshis: 1,
+    });
+    childTx.addOutput({
+        lockingScript: new P2PKH().lock(pubKeyHash),
+        satoshis: 99800,
+    });
+    await childTx.sign();
+    // Build BEEF
+    const beef = new Beef();
+    beef.mergeTransaction(childTx);
+    const binary = beef.toBinary();
+    const validation = validateBeef(binary);
+    assert(validation.valid, validation.error || 'BEEF should be valid');
+    assert(validation.txCount >= 3, `Should have at least 3 txs, got ${validation.txCount}`);
+    // Verify service output is admitted
+    const result = identifyServiceOutputs(binary);
+    assertEqual(result.outputsToAdmit.length, 1, 'Should admit service output');
+});
+test('Chain: BEEF ancestry validation', async () => {
+    const privKey = PrivateKey.fromRandom();
+    const sourceTx = createSourceTransaction(privKey);
+    const tx = await createSignedTransaction(privKey, sourceTx, 0, { test: true });
+    const beef = new Beef();
+    beef.mergeTransaction(tx);
+    const binary = beef.toBinary();
+    const result = validateBeefAncestry(binary);
+    assert(result.valid, result.error || 'Ancestry should be valid');
+    assert(result.chain.length >= 2, 'Chain should have at least 2 txids');
+});
+// ============================================================================
+// PushDrop Script Format Tests
+// ============================================================================
+console.log('\n=== PushDrop Script Format Tests ===\n');
+test('Script: PushDrop format with P2PK lock', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = { test: 'data' };
+    const script = buildPushDropScript(privKey, payload);
+    const chunks = script.chunks;
+    // First chunk should be pubkey push (33 bytes)
+    assertEqual(chunks[0].op, 33, 'First op should push 33 bytes (pubkey)');
+    assert(chunks[0].data !== undefined, 'Should have pubkey data');
+    assertEqual(chunks[0].data.length, 33, 'Pubkey should be 33 bytes');
+    // Second chunk should be OP_CHECKSIG
+    assertEqual(chunks[1].op, OP.OP_CHECKSIG, 'Second op should be OP_CHECKSIG');
+    // Should have data field and OP_DROP
+    assert(chunks.length >= 4, 'Should have at least 4 chunks');
+});
+test('Script: JSON payload extraction', () => {
+    const privKey = PrivateKey.fromRandom();
+    const payload = { foo: 'bar', num: 42 };
+    const script = buildPushDropScript(privKey, payload);
+    const fields = extractPushDropFields(script);
+    assert(fields !== null, 'Should extract fields');
+    assert(fields.length >= 1, 'Should have at least 1 field');
+    const jsonStr = new TextDecoder().decode(new Uint8Array(fields[0]));
+    const parsed = JSON.parse(jsonStr);
+    assertEqual(parsed.foo, 'bar', 'Foo should match');
+    assertEqual(parsed.num, 42, 'Num should match');
+});
+test('Script: large payload handling', () => {
+    const privKey = PrivateKey.fromRandom();
+    const largePayload = {
+        protocol: PROTOCOL_ID,
+        type: 'identity',
+        identityKey: privKey.toPublicKey().toString(),
+        name: 'test',
+        description: 'A'.repeat(500), // Large description
+        channels: {},
+        capabilities: Array(50).fill('cap'), // Many capabilities
+        timestamp: new Date().toISOString(),
+    };
+    const script = buildPushDropScript(privKey, largePayload);
+    const fields = extractPushDropFields(script);
+    assert(fields !== null, 'Should handle large payload');
+    const parsed = JSON.parse(new TextDecoder().decode(new Uint8Array(fields[0])));
+    assertEqual(parsed.description.length, 500, 'Description should be preserved');
+});
+// ============================================================================
+// Summary
+// ============================================================================
+// Give async tests time to complete
+setTimeout(() => {
+    console.log('\n========================================');
+    const passed = results.filter(r => r.passed).length;
+    const failed = results.filter(r => !r.passed).length;
+    console.log(`Tests completed: ${passed} passed, ${failed} failed`);
+    console.log('========================================\n');
+    if (failed > 0) {
+        console.log('Failed tests:');
+        results.filter(r => !r.passed).forEach(r => {
+            console.log(`  - ${r.name}: ${r.error}`);
+        });
+        process.exit(1);
+    }
+}, 2000);

package/dist/test/key-derivation.test.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Unit tests for key derivation consistency.
+ *
+ * CRITICAL: These tests ensure that transaction signing uses the correct
+ * child private key that matches the derived address.
+ *
+ * Bug history: Initially, code was deriving a child address using BRC-29
+ * but signing with the root private key, causing OP_EQUALVERIFY failures.
+ *
+ * Run: node dist/test/key-derivation.test.js
+ */
+export {};

package/dist/test/key-derivation.test.js

@@ -0,0 +1,86 @@
+/**
+ * Unit tests for key derivation consistency.
+ *
+ * CRITICAL: These tests ensure that transaction signing uses the correct
+ * child private key that matches the derived address.
+ *
+ * Bug history: Initially, code was deriving a child address using BRC-29
+ * but signing with the root private key, causing OP_EQUALVERIFY failures.
+ *
+ * Run: node dist/test/key-derivation.test.js
+ */
+import { PrivateKey, Transaction, P2PKH, CachedKeyDeriver, Utils } from '@bsv/sdk';
+import { brc29ProtocolID } from '@bsv/wallet-toolbox';
+async function assert(condition, message) {
+    if (!condition) {
+        throw new Error(`Assertion failed: ${message}`);
+    }
+}
+async function runTests() {
+    console.log('🧪 Running Key Derivation Tests...\n');
+    // Test setup
+    const rootPrivKey = PrivateKey.fromRandom();
+    const keyDeriver = new CachedKeyDeriver(rootPrivKey);
+    const derivationPrefix = Utils.toBase64(Array.from(Utils.toArray('import', 'utf8')));
+    const derivationSuffix = Utils.toBase64(Array.from(Utils.toArray('now', 'utf8')));
+    const keyString = `${derivationPrefix} ${derivationSuffix}`;
+    const childPrivKey = keyDeriver.derivePrivateKey(brc29ProtocolID, keyString, 'self');
+    const pubKey = keyDeriver.derivePublicKey(brc29ProtocolID, keyString, 'self', true);
+    const derivedAddress = pubKey.toAddress();
+    const hashResult = pubKey.toHash();
+    const derivedHash160 = typeof hashResult === 'string'
+        ? new Uint8Array(hashResult.match(/.{2}/g).map(h => parseInt(h, 16)))
+        : new Uint8Array(hashResult);
+    // Test 1: Consistency
+    console.log('✓ Test 1: Derived keys are consistent');
+    const keyDeriver2 = new CachedKeyDeriver(rootPrivKey);
+    const childPrivKey2 = keyDeriver2.derivePrivateKey(brc29ProtocolID, keyString, 'self');
+    await assert(childPrivKey.toHex() === childPrivKey2.toHex(), 'Child keys should be identical');
+    // Test 2: Child key matches derived address
+    console.log('✓ Test 2: Child private key matches derived address');
+    const childPubKey = childPrivKey.toPublicKey();
+    const childAddress = childPubKey.toAddress();
+    await assert(childAddress === derivedAddress, 'Child key address should match derived address');
+    // Test 3: Root key does NOT match (critical!)
+    console.log('✓ Test 3: CRITICAL - Root key does NOT match derived address');
+    const rootAddress = rootPrivKey.toPublicKey().toAddress();
+    await assert(rootAddress !== derivedAddress, 'Root address must differ from derived address');
+    // Test 4: Transaction with child key succeeds
+    console.log('✓ Test 4: CRITICAL - Transaction signed with child key validates');
+    const fundingTx = new Transaction();
+    fundingTx.addOutput({
+        lockingScript: new P2PKH().lock(Array.from(derivedHash160)),
+        satoshis: 1000,
+    });
+    const spendingTx = new Transaction();
+    spendingTx.addInput({
+        sourceTransaction: fundingTx,
+        sourceOutputIndex: 0,
+        unlockingScriptTemplate: new P2PKH().unlock(childPrivKey),
+    });
+    spendingTx.addOutput({
+        lockingScript: new P2PKH().lock(Array.from(derivedHash160)),
+        satoshis: 900,
+    });
+    await spendingTx.sign();
+    const inputScript = spendingTx.inputs[0].unlockingScript;
+    await assert(!!inputScript, 'Unlocking script should be present');
+    await assert(Array.from(inputScript.toBinary()).length > 0, 'Script should have content');
+    // Test 5: Different paths produce different addresses
+    console.log('✓ Test 5: Different derivation paths produce different addresses');
+    const path1 = Utils.toBase64(Array.from(Utils.toArray('import', 'utf8'))) + ' ' + Utils.toBase64(Array.from(Utils.toArray('now', 'utf8')));
+    const path2 = Utils.toBase64(Array.from(Utils.toArray('import', 'utf8'))) + ' ' + Utils.toBase64(Array.from(Utils.toArray('later', 'utf8')));
+    const pubKey1 = keyDeriver.derivePublicKey(brc29ProtocolID, path1, 'self', true);
+    const pubKey2 = keyDeriver.derivePublicKey(brc29ProtocolID, path2, 'self', true);
+    await assert(pubKey1.toAddress() !== pubKey2.toAddress(), 'Different paths should produce different addresses');
+    console.log('\n✅ All tests passed!\n');
+    console.log('Key derivation is working correctly:');
+    console.log(`  Root address:    ${rootAddress}`);
+    console.log(`  Derived address: ${derivedAddress}`);
+    console.log(`  Child key works: YES`);
+    console.log(`  Root key works:  NO (correctly rejected)\n`);
+}
+runTests().catch((err) => {
+    console.error('\n❌ Tests failed:', err.message);
+    process.exit(1);
+});