openttt 0.1.2 → 0.1.3

package/dist/signer.js

@@ -36,8 +36,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.KMSSigner = exports.PrivySigner = exports.TurnkeySignerWrapper = exports.PrivateKeySigner = exports.TTTAbstractSigner = exports.SignerType = void 0;
 exports.createSigner = createSigner;
 const ethers_1 = require("ethers");
-const ethers_2 = require("@turnkey/ethers");
-const api_key_stamper_1 = require("@turnkey/api-key-stamper");
 const errors_1 = require("./errors");
 /**
  * Supported signer types in TTT SDK
@@ -98,6 +96,63 @@ class KMSSigner extends TTTAbstractSigner {
     }
 }
 exports.KMSSigner = KMSSigner;
+/**
+ * Extract the uncompressed secp256k1 public key from a DER-encoded
+ * SubjectPublicKeyInfo structure using proper ASN.1 parsing.
+ *
+ * DER layout: SEQUENCE { SEQUENCE { OID, PARAMS }, BITSTRING { 0x00, key } }
+ * We locate the BITSTRING tag (0x03), read its length, skip the
+ * "unused bits" byte, and return the remaining 65 bytes (04 || X || Y).
+ */
+function extractPublicKeyFromDER(der) {
+    let pos = 0;
+    function readTag() {
+        if (pos >= der.length)
+            throw new Error("DER parse error: unexpected end of data while reading tag");
+        return der[pos++];
+    }
+    function readLength() {
+        if (pos >= der.length)
+            throw new Error("DER parse error: unexpected end of data while reading length");
+        const first = der[pos++];
+        if (first < 0x80)
+            return first;
+        const numBytes = first & 0x7f;
+        if (numBytes === 0 || numBytes > 4)
+            throw new Error(`DER parse error: unsupported length encoding (${numBytes} bytes)`);
+        let length = 0;
+        for (let i = 0; i < numBytes; i++) {
+            if (pos >= der.length)
+                throw new Error("DER parse error: unexpected end of data in multi-byte length");
+            length = (length << 8) | der[pos++];
+        }
+        return length;
+    }
+    // Outer SEQUENCE
+    const outerTag = readTag();
+    if (outerTag !== 0x30)
+        throw new Error(`DER parse error: expected SEQUENCE (0x30), got 0x${outerTag.toString(16)}`);
+    readLength(); // outer sequence length
+    // Inner SEQUENCE (algorithm identifier) -- skip it entirely
+    const innerTag = readTag();
+    if (innerTag !== 0x30)
+        throw new Error(`DER parse error: expected inner SEQUENCE (0x30), got 0x${innerTag.toString(16)}`);
+    const innerLen = readLength();
+    pos += innerLen; // skip OID + params
+    // BITSTRING containing the public key
+    const bsTag = readTag();
+    if (bsTag !== 0x03)
+        throw new Error(`DER parse error: expected BITSTRING (0x03), got 0x${bsTag.toString(16)}`);
+    const bsLen = readLength();
+    const unusedBits = der[pos++];
+    if (unusedBits !== 0x00)
+        throw new Error(`DER parse error: expected 0 unused bits in BITSTRING, got ${unusedBits}`);
+    const keyBytes = der.slice(pos, pos + bsLen - 1);
+    if (keyBytes.length !== 65 || keyBytes[0] !== 0x04) {
+        throw new Error(`DER parse error: expected 65-byte uncompressed secp256k1 key (04||X||Y), got ${keyBytes.length} bytes`);
+    }
+    return keyBytes;
+}
 /**
  * Internal utility to parse DER signature to R and S
  */
@@ -146,7 +201,7 @@ class AWSKMSEthersSigner extends ethers_1.AbstractSigner {
         const command = new GetPublicKeyCommand({ KeyId: this.keyId });
         const response = await this.client.send(command);
         const publicKeyDer = response.PublicKey;
-        const pubKey = Buffer.from(publicKeyDer).slice(-65);
+        const pubKey = extractPublicKeyFromDER(Buffer.from(publicKeyDer));
         this.address = (0, ethers_1.computeAddress)("0x" + pubKey.toString('hex'));
         return this.address;
     }
@@ -213,7 +268,7 @@ class GCPKMSEthersSigner extends ethers_1.AbstractSigner {
         const pem = publicKey.pem;
         const base64 = pem.replace(/-----BEGIN PUBLIC KEY-----|-----END PUBLIC KEY-----|\n|\r/g, '');
         const der = Buffer.from(base64, 'base64');
-        const pubKey = der.slice(-65);
+        const pubKey = extractPublicKeyFromDER(der);
         this.address = (0, ethers_1.computeAddress)("0x" + pubKey.toString('hex'));
         return this.address;
     }
@@ -267,20 +322,23 @@ async function createSigner(config) {
                 key = process.env[config.envVar];
             }
             if (!key)
-                throw new errors_1.TTTSignerError("[Signer] Private key missing", `Neither 'key' nor env var '${config.envVar}' was provided`, "Set the environment variable or provide the key directly in config.");
+                throw new errors_1.TTTSignerError(errors_1.ERROR_CODES.SIGNER_MISSING_KEY, "[Signer] Private key missing", `Neither 'key' nor env var '${config.envVar}' was provided`, "Set the environment variable or provide the key directly in config.");
             if (!key.startsWith('0x'))
                 key = '0x' + key;
             if (!(0, ethers_1.isHexString)(key, 32))
-                throw new errors_1.TTTSignerError("[Signer] Invalid private key format", "Expected 0x + 64 hex characters", "Provide a valid 32-byte hex private key.");
+                throw new errors_1.TTTSignerError(errors_1.ERROR_CODES.SIGNER_INVALID_KEY_FORMAT, "[Signer] Invalid private key format", "Expected 0x + 64 hex characters", "Provide a valid 32-byte hex private key.");
             const wallet = new ethers_1.Wallet(key);
             return new PrivateKeySigner(wallet);
         }
         case 'turnkey': {
-            const stamper = new api_key_stamper_1.ApiKeyStamper({
+            // Dynamic import to avoid mandatory dependency on @turnkey packages
+            const { TurnkeySigner } = await Promise.resolve().then(() => __importStar(require("@turnkey/ethers")));
+            const { ApiKeyStamper } = await Promise.resolve().then(() => __importStar(require("@turnkey/api-key-stamper")));
+            const stamper = new ApiKeyStamper({
                 apiPublicKey: config.apiPublicKey,
                 apiPrivateKey: config.apiPrivateKey,
             });
-            const turnkeySigner = new ethers_2.TurnkeySigner({
+            const turnkeySigner = new TurnkeySigner({
                 baseUrl: config.apiBaseUrl,
                 stamper,
                 organizationId: config.organizationId,
@@ -289,7 +347,7 @@ async function createSigner(config) {
             return new TurnkeySignerWrapper(turnkeySigner);
         }
         case 'privy': {
-            throw new errors_1.TTTSignerError("[Signer] Privy wallet signer extraction not fully implemented", "Privy requires proper session context and walletId", "Refer to Privy server-auth documentation for server-side signing.");
+            throw new errors_1.TTTSignerError(errors_1.ERROR_CODES.SIGNER_PRIVY_NOT_IMPLEMENTED, "[Signer] Privy signer is not yet implemented. Use 'privateKey' or 'turnkey' instead.", "Privy embedded wallet support is planned but not available in this release.", "Use { type: 'privateKey', key: '0x...' } or { type: 'turnkey', ... } as your signer config.");
         }
         case 'kms': {
             if (config.provider === 'aws') {
@@ -301,12 +359,12 @@ async function createSigner(config) {
                     return new KMSSigner(awsSigner);
                 }
                 catch (e) {
-                    throw new errors_1.TTTSignerError("[Signer] AWS KMS initialization failed", e.message, "Ensure @aws-sdk/client-kms is installed and credentials are configured.");
+                    throw new errors_1.TTTSignerError(errors_1.ERROR_CODES.SIGNER_KMS_AWS_INIT_FAILED, "[Signer] AWS KMS initialization failed", e.message, "Ensure @aws-sdk/client-kms is installed and credentials are configured.");
                 }
             }
             else if (config.provider === 'gcp') {
                 if (!config.projectId || !config.locationId || !config.keyRingId || !config.keyVersionId) {
-                    throw new errors_1.TTTSignerError("[Signer] GCP KMS missing required fields", `projectId=${config.projectId}, locationId=${config.locationId}, keyRingId=${config.keyRingId}, keyVersionId=${config.keyVersionId}`, "Provide all required GCP KMS fields: projectId, locationId, keyRingId, keyVersionId.");
+                    throw new errors_1.TTTSignerError(errors_1.ERROR_CODES.SIGNER_KMS_GCP_MISSING_FIELDS, "[Signer] GCP KMS missing required fields", `projectId=${config.projectId}, locationId=${config.locationId}, keyRingId=${config.keyRingId}, keyVersionId=${config.keyVersionId}`, "Provide all required GCP KMS fields: projectId, locationId, keyRingId, keyVersionId.");
                 }
                 try {
                     // @ts-ignore
@@ -317,13 +375,13 @@ async function createSigner(config) {
                     return new KMSSigner(gcpSigner);
                 }
                 catch (e) {
-                    throw new errors_1.TTTSignerError("[Signer] GCP KMS initialization failed", e.message, "Ensure @google-cloud/kms is installed and application default credentials are set.");
+                    throw new errors_1.TTTSignerError(errors_1.ERROR_CODES.SIGNER_KMS_GCP_INIT_FAILED, "[Signer] GCP KMS initialization failed", e.message, "Ensure @google-cloud/kms is installed and application default credentials are set.");
                 }
             }
-            throw new errors_1.TTTSignerError("[Signer] Unsupported KMS provider", `Provider: ${config.provider}`, "Use 'aws' or 'gcp'.");
+            throw new errors_1.TTTSignerError(errors_1.ERROR_CODES.SIGNER_KMS_UNSUPPORTED_PROVIDER, "[Signer] Unsupported KMS provider", `Provider: ${config.provider}`, "Use 'aws' or 'gcp'.");
         }
         default:
             // @ts-ignore
-            throw new errors_1.TTTSignerError(`[Signer] Unsupported signer type`, `Type: ${config.type}`, "Provide a supported signer type: privateKey, turnkey, privy, kms.");
+            throw new errors_1.TTTSignerError(errors_1.ERROR_CODES.SIGNER_UNSUPPORTED_TYPE, `[Signer] Unsupported signer type`, `Type: ${config.type}`, "Provide a supported signer type: privateKey, turnkey, privy, kms.");
     }
 }

package/dist/time_synthesis.d.ts

@@ -3,6 +3,7 @@ import { TimeReading, SynthesizedTime, ProofOfTime } from "./types";
 export interface TimeSource {
     name: string;
     getTime(): Promise<TimeReading>;
+    close?(): void;
 }
 export declare class NTPSource implements TimeSource {
     name: string;
@@ -11,6 +12,28 @@ export declare class NTPSource implements TimeSource {
     constructor(name: string, host: string, port?: number);
     getTime(): Promise<TimeReading>;
 }
+/**
+ * HTTPS-based time source (TLS-protected, immune to MITM).
+ * Uses HTTP Date header from trusted TLS endpoints.
+ * Preferred over plaintext NTP (UDP) which is vulnerable to spoofing.
+ *
+ * SECURITY MODEL — HTTPS Time Sources:
+ * - All HTTPS requests use Node.js `https.request()` with default TLS settings.
+ * - Default TLS behavior: certificate verification is ON (rejectUnauthorized=true).
+ * - No certificate bypass (rejectUnauthorized: false) is used anywhere in this module.
+ * - The TLS handshake itself provides authentication of the time server identity,
+ *   preventing MITM attacks that plaintext NTP (UDP port 123) is vulnerable to.
+ * - Base uncertainty for HTTPS Date header is 500ms (HTTP Date has 1-second resolution).
+ * - For ±10ns precision, HTTPS is a cross-check only; KTSat is the primary source.
+ */
+export declare class HTTPSTimeSource implements TimeSource {
+    name: string;
+    private url;
+    private activeRequests;
+    constructor(name: string, url: string);
+    getTime(): Promise<TimeReading>;
+    close(): void;
+}
 export declare class TimeSynthesis {
     private sources;
     private usedNonces;
@@ -30,6 +53,16 @@ export declare class TimeSynthesis {
      * Fix 2: Checks expiration and nonce replay.
      * Fix 3: Uses sourceReadings (renamed from signatures).
      */
+    /**
+     * Determine PoT verification tolerance based on the lowest stratum
+     * observed across source readings. Lower stratum = more precise source
+     * = tighter tolerance allowed.
+     *
+     *   Stratum 1:  10ms (10_000_000ns) - atomic clock direct
+     *   Stratum 2:  25ms (25_000_000ns) - NTP server synced to stratum 1
+     *   Stratum 3+: 50ms (50_000_000ns) - downstream NTP
+     */
+    private static getToleranceForStratum;
     verifyProofOfTime(pot: ProofOfTime): boolean;
     /**
      * Generates a bytes32 hash of the PoT for on-chain submission.
@@ -51,5 +84,10 @@ export declare class TimeSynthesis {
     /**
      * Deserializes PoT from compact binary format.
      */
+    /**
+     * Closes all sources and clears internal state.
+     * Call this in tests (afterEach/afterAll) to prevent open handle warnings.
+     */
+    close(): void;
     static deserializeFromBinary(buf: Buffer): ProofOfTime;
 }

package/dist/time_synthesis.js

@@ -33,9 +33,10 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TimeSynthesis = exports.NTPSource = void 0;
+exports.TimeSynthesis = exports.HTTPSTimeSource = exports.NTPSource = void 0;
 const crypto = __importStar(require("crypto"));
 const dgram = __importStar(require("dgram"));
+const https = __importStar(require("https"));
 const buffer_1 = require("buffer");
 const ethers_1 = require("ethers");
 const logger_1 = require("./logger");
@@ -131,30 +132,106 @@ class NTPSource {
     }
 }
 exports.NTPSource = NTPSource;
+/**
+ * HTTPS-based time source (TLS-protected, immune to MITM).
+ * Uses HTTP Date header from trusted TLS endpoints.
+ * Preferred over plaintext NTP (UDP) which is vulnerable to spoofing.
+ *
+ * SECURITY MODEL — HTTPS Time Sources:
+ * - All HTTPS requests use Node.js `https.request()` with default TLS settings.
+ * - Default TLS behavior: certificate verification is ON (rejectUnauthorized=true).
+ * - No certificate bypass (rejectUnauthorized: false) is used anywhere in this module.
+ * - The TLS handshake itself provides authentication of the time server identity,
+ *   preventing MITM attacks that plaintext NTP (UDP port 123) is vulnerable to.
+ * - Base uncertainty for HTTPS Date header is 500ms (HTTP Date has 1-second resolution).
+ * - For ±10ns precision, HTTPS is a cross-check only; KTSat is the primary source.
+ */
+class HTTPSTimeSource {
+    name;
+    url;
+    activeRequests = new Set();
+    constructor(name, url) {
+        this.name = name;
+        this.url = url;
+    }
+    async getTime() {
+        const t1 = BigInt(Date.now()) * 1000000n;
+        return new Promise((resolve, reject) => {
+            const timeout = setTimeout(() => {
+                reject(new errors_1.TTTTimeSynthesisError(`HTTPS time timeout for ${this.name}`, `${this.url} did not respond within 3000ms`, "Check network connectivity or try a different HTTPS time endpoint."));
+            }, 3000);
+            const req = https.request(this.url, { method: 'HEAD' }, (res) => {
+                clearTimeout(timeout);
+                // Consume and discard the response to free the socket
+                res.resume();
+                const t4 = BigInt(Date.now()) * 1000000n;
+                const dateHeader = res.headers['date'];
+                if (!dateHeader) {
+                    this.activeRequests.delete(req);
+                    reject(new errors_1.TTTTimeSynthesisError(`No Date header from ${this.name}`, "HTTPS response missing Date header", "The endpoint must return a Date header (RFC 7231)."));
+                    return;
+                }
+                const serverTime = BigInt(new Date(dateHeader).getTime()) * 1000000n;
+                const rttNs = t4 - t1;
+                const rttMs = Number(rttNs) / 1_000_000;
+                // Offset-corrected: server time + half RTT
+                const corrected = serverTime + rttNs / 2n;
+                this.activeRequests.delete(req);
+                resolve({
+                    timestamp: corrected,
+                    uncertainty: rttMs / 2 + 500, // 500ms base uncertainty for HTTP Date (1s resolution)
+                    stratum: 2, // HTTPS endpoints typically sync to stratum-1
+                    source: this.name
+                });
+            });
+            req.on('error', (err) => {
+                clearTimeout(timeout);
+                this.activeRequests.delete(req);
+                reject(new errors_1.TTTTimeSynthesisError(`HTTPS time error for ${this.name}`, err.message, "Check TLS connectivity."));
+            });
+            this.activeRequests.add(req);
+            req.end();
+        });
+    }
+    close() {
+        for (const req of this.activeRequests) {
+            req.destroy();
+        }
+        this.activeRequests.clear();
+    }
+}
+exports.HTTPSTimeSource = HTTPSTimeSource;
 class TimeSynthesis {
     sources = [];
     // Fix 2: Bounded nonce replay cache (max 10K entries, 60s TTL) — same pattern as protocol_fee.ts
     usedNonces = new Map();
     MAX_NONCE_CACHE = 10000;
-    NONCE_TTL_MS = 60000; // 60 seconds
+    NONCE_TTL_MS = 300_000; // 5 minutes — must exceed PoT expiresAt (60s) to prevent edge-case replay
     constructor(config) {
-        const sourceNames = config?.sources || ['nist', 'kriss', 'google'];
+        const sourceNames = config?.sources || ['nist', 'google', 'cloudflare', 'apple'];
         for (const s of sourceNames) {
             if (s === 'nist') {
-                this.sources.push(new NTPSource('nist', 'time.nist.gov'));
+                this.sources.push(new HTTPSTimeSource('nist', 'https://time.nist.gov/'));
+            }
+            else if (s === 'google' || s === 'galileo') {
+                this.sources.push(new HTTPSTimeSource('google', 'https://time.google.com/'));
+            }
+            else if (s === 'cloudflare') {
+                this.sources.push(new HTTPSTimeSource('cloudflare', 'https://time.cloudflare.com/'));
+            }
+            else if (s === 'apple') {
+                this.sources.push(new HTTPSTimeSource('apple', 'https://time.apple.com/'));
             }
             else if (s === 'kriss') {
+                // Legacy: KRISS NTP (plaintext UDP) — kept for backward compat, not in defaults
                 this.sources.push(new NTPSource('kriss', 'time.kriss.re.kr'));
             }
-            else if (s === 'google' || s === 'galileo') {
-                this.sources.push(new NTPSource('google', 'time.google.com'));
-            }
         }
     }
     async getFromSource(name) {
         const source = this.sources.find(s => s.name === name);
         if (!source)
-            throw new errors_1.TTTTimeSynthesisError(`Source ${name} not found`, "Requested source name is not configured", "Configure the source in the TimeSynthesis constructor.");
+            throw new errors_1.TTTTimeSynthesisError(errors_1.ERROR_CODES.TIME_SYNTHESIS_SOURCE_NOT_FOUND, `Source ${name} not found`, "Requested source name is not configured", "Configure the source in the TimeSynthesis constructor.");
         return source.getTime();
     }
     async synthesize() {
@@ -169,7 +246,7 @@ class TimeSynthesis {
             }
         }
         if (readings.length === 0) {
-            throw new errors_1.TTTTimeSynthesisError('[TimeSynthesis] CRITICAL: All NTP sources failed.', "Zero readings returned from all configured NTP sources", "Ensure UDP port 123 is open and NTP servers are reachable.");
+            throw new errors_1.TTTTimeSynthesisError(errors_1.ERROR_CODES.TIME_SYNTHESIS_ALL_SOURCES_FAILED, '[TimeSynthesis] CRITICAL: All NTP sources failed.', "Zero readings returned from all configured NTP sources", "Ensure UDP port 123 is open and NTP servers are reachable.");
         }
         if (readings.length === 1) {
             logger_1.logger.warn(`[TimeSynthesis] WARNING: Only 1 NTP source available (${readings[0].source}). Time may be unreliable.`);
@@ -216,7 +293,7 @@ class TimeSynthesis {
             }
         }
         if (readings.length === 0) {
-            throw new errors_1.TTTTimeSynthesisError('[TimeSynthesis] Cannot generate PoT: All NTP sources failed.', "No successful readings from NTP servers.", "Check internet connection and UDP 123 access.");
+            throw new errors_1.TTTTimeSynthesisError(errors_1.ERROR_CODES.TIME_SYNTHESIS_POT_ALL_FAILED, '[TimeSynthesis] Cannot generate PoT: All NTP sources failed.', "No successful readings from NTP servers.", "Check internet connection and UDP 123 access.");
         }
         readings.sort((a, b) => (a.timestamp < b.timestamp ? -1 : a.timestamp > b.timestamp ? 1 : 0));
         let finalTimestamp;
@@ -241,7 +318,8 @@ class TimeSynthesis {
         const sourceReadings = readings.map(r => ({
             source: r.source,
             timestamp: r.timestamp,
-            uncertainty: r.uncertainty
+            uncertainty: r.uncertainty,
+            stratum: r.stratum
         }));
         // Fix 2: PoT nonce + expiration for replay protection
         const nonce = crypto.randomBytes(16).toString("hex");
@@ -258,7 +336,7 @@ class TimeSynthesis {
         };
         // Verification Logic: Ensure all source timestamps are within tolerance of synthesized median
         if (!this.verifyProofOfTime(pot)) {
-            throw new errors_1.TTTTimeSynthesisError("[PoT] Self-verification failed", "Source readings are too far apart from synthesized median", "Check for high network jitter or malicious NTP spoofing.");
+            throw new errors_1.TTTTimeSynthesisError(errors_1.ERROR_CODES.TIME_SYNTHESIS_SELF_VERIFY_FAILED, "[PoT] Self-verification failed", "Source readings are too far apart from synthesized median", "Check for high network jitter or malicious NTP spoofing.");
         }
         return pot;
     }
@@ -267,18 +345,42 @@ class TimeSynthesis {
      * Fix 2: Checks expiration and nonce replay.
      * Fix 3: Uses sourceReadings (renamed from signatures).
      */
+    /**
+     * Determine PoT verification tolerance based on the lowest stratum
+     * observed across source readings. Lower stratum = more precise source
+     * = tighter tolerance allowed.
+     *
+     *   Stratum 1:  10ms (10_000_000ns) - atomic clock direct
+     *   Stratum 2:  25ms (25_000_000ns) - NTP server synced to stratum 1
+     *   Stratum 3+: 50ms (50_000_000ns) - downstream NTP
+     */
+    static getToleranceForStratum(stratum) {
+        if (stratum <= 1)
+            return 10000000n;
+        if (stratum === 2)
+            return 25000000n;
+        return 50000000n;
+    }
     verifyProofOfTime(pot) {
-        const TOLERANCE_NS = 100000000n; // 100ms
         if (pot.sourceReadings.length === 0)
             return false;
         if (pot.confidence <= 0)
             return false;
-        // Fix 2: Expiration check
+        // Determine tolerance from the lowest stratum in sourceReadings.
+        // Fall back to pot.stratum if individual readings lack stratum info.
+        let lowestStratum = pot.stratum;
+        for (const reading of pot.sourceReadings) {
+            if (reading.stratum !== undefined && reading.stratum < lowestStratum) {
+                lowestStratum = reading.stratum;
+            }
+        }
+        const toleranceNs = TimeSynthesis.getToleranceForStratum(lowestStratum);
+        // Expiration check
         if (BigInt(Date.now()) > pot.expiresAt) {
             logger_1.logger.warn(`[TimeSynthesis] PoT expired at ${pot.expiresAt}`);
             return false;
         }
-        // Fix 2: Nonce replay protection with bounded cache + TTL cleanup
+        // Nonce replay protection with bounded cache + TTL cleanup
         const now = Date.now();
         // TTL cleanup pass (evict expired entries)
         if (this.usedNonces.size > this.MAX_NONCE_CACHE / 2) {
@@ -300,8 +402,8 @@ class TimeSynthesis {
         this.usedNonces.set(pot.nonce, now);
         for (const sig of pot.sourceReadings) {
             const diff = sig.timestamp > pot.timestamp ? sig.timestamp - pot.timestamp : pot.timestamp - sig.timestamp;
-            if (diff > TOLERANCE_NS) {
-                logger_1.logger.warn(`[TimeSynthesis] Reading from ${sig.source} outside tolerance: ${diff}ns`);
+            if (diff > toleranceNs) {
+                logger_1.logger.warn(`[TimeSynthesis] Reading from ${sig.source} outside tolerance (${toleranceNs}ns, stratum ${lowestStratum}): ${diff}ns`);
                 return false;
             }
         }
@@ -311,9 +413,9 @@ class TimeSynthesis {
      * Generates a bytes32 hash of the PoT for on-chain submission.
      */
     static getOnChainHash(pot) {
-        return (0, ethers_1.keccak256)(ethers_1.AbiCoder.defaultAbiCoder().encode(["uint64", "uint32", "uint8", "uint8", "uint32"], [
-            pot.timestamp / 1000000n, // Convert to ms for storage efficiency
-            Math.round(pot.uncertainty * 1000), // Scale uncertainty
+        return (0, ethers_1.keccak256)(ethers_1.AbiCoder.defaultAbiCoder().encode(["uint64", "uint64", "uint8", "uint8", "uint32"], [
+            pot.timestamp, // Keep full nanosecond precision (uint64 max ~year 2554)
+            Math.round(pot.uncertainty * 1_000_000), // Scale uncertainty to ns
             pot.sources,
             pot.stratum,
             Math.round(pot.confidence * 1000000)
@@ -389,6 +491,18 @@ class TimeSynthesis {
     /**
      * Deserializes PoT from compact binary format.
      */
+    /**
+     * Closes all sources and clears internal state.
+     * Call this in tests (afterEach/afterAll) to prevent open handle warnings.
+     */
+    close() {
+        for (const source of this.sources) {
+            if (typeof source.close === 'function') {
+                source.close();
+            }
+        }
+        this.usedNonces.clear();
+    }
     static deserializeFromBinary(buf) {
         let offset = 0;
         const timestamp = buf.readBigUInt64BE(offset);

package/dist/trust_store.d.ts

@@ -0,0 +1,49 @@
+/**
+ * TTT Labs Trust Store
+ * Manages trusted NTP sources and PoT verifier registry.
+ * TTT Labs operates as the trust store authority, similar to browser CA bundles.
+ */
+export interface TrustedSource {
+    name: string;
+    endpoint: string;
+    stratum: number;
+    region: string;
+    active: boolean;
+    addedAt: number;
+}
+export interface TrustStoreConfig {
+    sources: TrustedSource[];
+    minSources: number;
+    maxStratumDrift: number;
+}
+export declare class TTTTrustStore {
+    private sources;
+    private minSources;
+    private maxStratumDrift;
+    constructor(config: TrustStoreConfig);
+    /**
+     * Get all registered trusted sources.
+     */
+    getSources(): TrustedSource[];
+    /**
+     * Add a new trusted source with validation.
+     */
+    addSource(source: TrustedSource): void;
+    /**
+     * Remove a source by name.
+     */
+    removeSource(name: string): boolean;
+    /**
+     * Validate that the active source quorum is met.
+     */
+    validateSourceQuorum(): {
+        valid: boolean;
+        activeSources: number;
+        required: number;
+    };
+    /**
+     * Filter sources by region.
+     */
+    getSourcesByRegion(region: string): TrustedSource[];
+}
+export declare const DEFAULT_TRUST_STORE: TrustStoreConfig;

package/dist/trust_store.js

@@ -0,0 +1,89 @@
+"use strict";
+/**
+ * TTT Labs Trust Store
+ * Manages trusted NTP sources and PoT verifier registry.
+ * TTT Labs operates as the trust store authority, similar to browser CA bundles.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_TRUST_STORE = exports.TTTTrustStore = void 0;
+class TTTTrustStore {
+    sources = new Map();
+    minSources;
+    maxStratumDrift;
+    constructor(config) {
+        this.minSources = config.minSources;
+        this.maxStratumDrift = config.maxStratumDrift;
+        for (const source of config.sources) {
+            this.sources.set(source.name, source);
+        }
+    }
+    /**
+     * Get all registered trusted sources.
+     */
+    getSources() {
+        return Array.from(this.sources.values());
+    }
+    /**
+     * Add a new trusted source with validation.
+     */
+    addSource(source) {
+        if (!source.name || !source.endpoint || source.stratum < 1 || source.stratum > 15) {
+            throw new Error(`Invalid source configuration: ${source.name}`);
+        }
+        this.sources.set(source.name, { ...source, addedAt: Date.now() });
+    }
+    /**
+     * Remove a source by name.
+     */
+    removeSource(name) {
+        return this.sources.delete(name);
+    }
+    /**
+     * Validate that the active source quorum is met.
+     */
+    validateSourceQuorum() {
+        const activeSources = this.getSources().filter(s => s.active).length;
+        return {
+            valid: activeSources >= this.minSources,
+            activeSources,
+            required: this.minSources
+        };
+    }
+    /**
+     * Filter sources by region.
+     */
+    getSourcesByRegion(region) {
+        return this.getSources().filter(s => s.region === region);
+    }
+}
+exports.TTTTrustStore = TTTTrustStore;
+exports.DEFAULT_TRUST_STORE = {
+    sources: [
+        {
+            name: "NIST",
+            endpoint: "time.nist.gov",
+            stratum: 1,
+            region: "US",
+            active: true,
+            addedAt: 1710412800000 // March 14, 2024
+        },
+        {
+            name: "Apple",
+            endpoint: "time.apple.com",
+            stratum: 1,
+            region: "US",
+            active: true,
+            addedAt: 1710412800000
+        },
+        {
+            name: "Google",
+            endpoint: "time.google.com",
+            stratum: 1,
+            region: "Global",
+            active: true,
+            addedAt: 1710412800000
+        }
+    ],
+    minSources: 2,
+    maxStratumDrift: 1
+};

package/dist/ttt_builder.d.ts

@@ -20,7 +20,7 @@ export declare class TTTBuilder {
      * Verify block data using the AdaptiveSwitch pipeline.
      * Updates the current mode based on verification results.
      */
-    verifyBlock(blockData: Block, tttRecord: TTTRecord): Promise<AdaptiveMode>;
+    verifyBlock(blockData: Block, tttRecord: TTTRecord, chainId: number, poolAddress: string, tier?: string): Promise<AdaptiveMode>;
     /**
      * Return the current TURBO/FULL mode.
      */

package/dist/ttt_builder.js

@@ -61,9 +61,9 @@ class TTTBuilder {
      * Verify block data using the AdaptiveSwitch pipeline.
      * Updates the current mode based on verification results.
      */
-    async verifyBlock(blockData, tttRecord) {
+    async verifyBlock(blockData, tttRecord, chainId, poolAddress, tier) {
         logger_1.logger.info(`[TTTBuilder] Verifying block at timestamp: ${blockData.timestamp}`);
-        const result = this.adaptiveSwitch.verifyBlock(blockData, tttRecord);
+        const result = this.adaptiveSwitch.verifyBlock(blockData, tttRecord, chainId, poolAddress, tier);
         this.mode = result;
         logger_1.logger.info(`[TTTBuilder] Verification complete. Mode: ${this.mode}`);
         return this.mode;