smartledger-bsv 3.4.0 → 3.4.4

package/index.js

@@ -2,17 +2,30 @@
 
 var bsv = module.exports
 
-// Initialize dependencies first to avoid circular dependency issues
+// Initialize dependencies first to avoid circular dependency issues.
+//
+// `bn.js`, `bs58`, and `elliptic` are declared runtime deps in
+// package.json. In Node they MUST be installed — silently swallowing
+// a require() failure here used to mask broken installs behind cryptic
+// downstream errors in lib/crypto/bn.js etc. We now let those throw in
+// Node so the failure points at the real cause (`npm install` is broken).
+// In a browser context the bundler is expected to inline these; if it
+// somehow didn't, we tolerate the absence rather than block the whole
+// library load.
 bsv.deps = bsv.deps || {}
-try {
+bsv.deps._ = require('./lib/util/_')
+bsv.deps.Buffer = (typeof Buffer !== 'undefined') ? Buffer : null
+
+if (typeof window === 'undefined') {
+  // Node — hard require; failure means broken install.
   bsv.deps.bnjs = require('bn.js')
   bsv.deps.bs58 = require('bs58')
-  bsv.deps.Buffer = (typeof Buffer !== 'undefined') ? Buffer : null
   bsv.deps.elliptic = require('elliptic')
-  bsv.deps._ = require('./lib/util/_')
-} catch (e) {
-  // Handle browser environment gracefully
-  console.warn('Some dependencies may not be available in browser environment:', e.message)
+} else {
+  // Browser — bundler-resolved; tolerate absence individually.
+  try { bsv.deps.bnjs = require('bn.js') } catch (e) { /* polyfilled by bundler */ }
+  try { bsv.deps.bs58 = require('bs58') } catch (e) { /* polyfilled by bundler */ }
+  try { bsv.deps.elliptic = require('elliptic') } catch (e) { /* polyfilled by bundler */ }
 }
 
 // module information
@@ -29,7 +42,15 @@ bsv.versionGuard = function (version) {
 bsv.versionGuard(global._bsv)
 global._bsv = bsv.version
 
-// SmartLedger security information
+// SmartLedger security information.
+// NOTE: these properties advertise that hardening *helpers* ship in this
+// package (`bsv.SmartVerify`, `bsv.EllipticFixed`, `signature.toCanonical()`,
+// etc.). They are NOT automatically wired into the default verify path:
+// `transaction.verify()`, `signature.verify()`, and `Message().verify()` go
+// through `lib/crypto/ecdsa.js`, which uses BSV's own pure-JS ECDSA and does
+// not route through `SmartVerify` or `EllipticFixed`. To get the strict
+// input validation, call `bsv.SmartVerify.smartVerify(...)` explicitly.
+// See the Security section of README.md.
 bsv.isHardened = true
 bsv.hardenedBy = 'SmartLedger'
 bsv.baseVersion = 'v1.5.6'
@@ -119,7 +140,9 @@ try {
 try {
   bsv.BrowserUTXOManager = require('./lib/browser-utxo-manager-es5')
 } catch (e) {
-  // BrowserUTXOManager not available
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] BrowserUTXOManager failed to load:', e.message)
+  }
 }
 
 // Node.js specific tools (advanced development tools)
@@ -140,28 +163,36 @@ bsv.GDAF = require('./lib/gdaf')
 try {
   bsv.DIDWeb = require('./lib/didweb')
 } catch (e) {
-  // DIDWeb module not available - use standalone bsv-didweb.min.js
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] DIDWeb module failed to load:', e.message)
+  }
 }
 
 // VC-JWT Module (W3C Verifiable Credentials)
 try {
   bsv.VcJwt = require('./lib/vcjwt')
 } catch (e) {
-  // VcJwt module not available - use standalone bsv-vcjwt.min.js
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] VcJwt module failed to load:', e.message)
+  }
 }
 
 // StatusList2021 Module (Credential revocation)
 try {
   bsv.StatusList = require('./lib/statuslist')
 } catch (e) {
-  // StatusList module not available - use standalone bsv-statuslist.min.js
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] StatusList module failed to load:', e.message)
+  }
 }
 
 // Anchor Module (BSV hash anchoring)
 try {
   bsv.Anchor = require('./lib/anchor')
 } catch (e) {
-  // Anchor module not available - use standalone bsv-anchor.min.js
+  if (typeof window === 'undefined') {
+    console.warn('[bsv] Anchor module failed to load:', e.message)
+  }
 }
 
 // GDAF Direct Access Methods (for easier developer experience)

package/lib/browser-utxo-manager-es5.js

@@ -5,6 +5,13 @@
  * Lightweight UTXO management for browser environments with configurable storage
  */
 
+// Set window.BSV_DEBUG = true (browser) or BSV_DEBUG=1 (Node) to enable info logs.
+var debug = function () {
+  var enabled = (typeof process !== 'undefined' && process.env && process.env.BSV_DEBUG) ||
+                (typeof window !== 'undefined' && window.BSV_DEBUG)
+  if (enabled) console.log.apply(console, arguments)
+}
+
 var STORAGE_TYPES = {
   MEMORY: 'memory',
   SESSION: 'session',
@@ -75,7 +82,7 @@ BrowserUTXOManager.prototype.loadFromStorage = function() {
       this.metadata = parsed.metadata
     }
 
-    console.log('✅ BrowserUTXOManager: Loaded ' + this.utxos.size + ' UTXOs from ' + this.options.storage + ' storage')
+    debug('✅ BrowserUTXOManager: Loaded ' + this.utxos.size + ' UTXOs from ' + this.options.storage + ' storage')
   } catch (e) {
     console.error('Failed to load UTXOs from storage:', e)
   }
@@ -96,7 +103,7 @@ BrowserUTXOManager.prototype.saveToStorage = function() {
     }
 
     storage.setItem(this.options.storageKey, JSON.stringify(data))
-    console.log('💾 BrowserUTXOManager: Saved ' + this.utxos.size + ' UTXOs to ' + this.options.storage + ' storage')
+    debug('💾 BrowserUTXOManager: Saved ' + this.utxos.size + ' UTXOs to ' + this.options.storage + ' storage')
   } catch (e) {
     console.error('Failed to save UTXOs to storage:', e)
   }
@@ -110,7 +117,7 @@ BrowserUTXOManager.prototype.addUTXO = function(utxo) {
   var key = utxo.txid + ':' + utxo.vout
 
   if (this.utxos.has(key)) {
-    console.log('⚠️ UTXO already exists: ' + key)
+    debug('⚠️ UTXO already exists: ' + key)
     return false
   }
 
@@ -298,7 +305,7 @@ BrowserUTXOManager.prototype.importData = function(jsonData, merge) {
       })
     }
 
-    console.log('✅ BrowserUTXOManager: Imported ' + (data.utxos && data.utxos.length || 0) + ' UTXOs')
+    debug('✅ BrowserUTXOManager: Imported ' + (data.utxos && data.utxos.length || 0) + ' UTXOs')
     return true
   } catch (e) {
     console.error('Failed to import UTXO data:', e)

package/lib/browser-utxo-manager.js

@@ -5,6 +5,13 @@
  * Lightweight UTXO management for browser environments with configurable storage
  */
 
+// Set window.BSV_DEBUG = true (browser) or BSV_DEBUG=1 (Node) to enable info logs.
+var debug = function () {
+  var enabled = (typeof process !== 'undefined' && process.env && process.env.BSV_DEBUG) ||
+                (typeof window !== 'undefined' && window.BSV_DEBUG)
+  if (enabled) console.log.apply(console, arguments)
+}
+
 /**
  * Storage types available for browser UTXO management
  */
@@ -127,7 +134,7 @@ function BrowserUTXOManager(options) {
       }
 
       this._updateMetadata()
-      console.log(`✅ BrowserUTXOManager: Loaded ${this.utxos.size} UTXOs from ${this.options.storage} storage`)
+      debug(`✅ BrowserUTXOManager: Loaded ${this.utxos.size} UTXOs from ${this.options.storage} storage`)
 
     } catch (error) {
       console.error('BrowserUTXOManager: Error loading from storage:', error.message)
@@ -163,7 +170,7 @@ function BrowserUTXOManager(options) {
       })
 
       storage.setItem(this.options.storageKey, JSON.stringify(data))
-      console.log(`💾 BrowserUTXOManager: Saved ${this.utxos.size} UTXOs to ${this.options.storage} storage`)
+      debug(`💾 BrowserUTXOManager: Saved ${this.utxos.size} UTXOs to ${this.options.storage} storage`)
 
     } catch (error) {
       console.error('BrowserUTXOManager: Error saving to storage:', error.message)
@@ -186,7 +193,7 @@ function BrowserUTXOManager(options) {
 
       // Check if already exists
       if (this.utxos.has(key)) {
-        console.log(`⚠️ UTXO already exists: ${key}`)
+        debug(`⚠️ UTXO already exists: ${key}`)
         return false
       }
 
@@ -217,7 +224,7 @@ function BrowserUTXOManager(options) {
         this.saveToStorage()
       }
 
-      console.log(`✅ UTXO added: ${key} (${utxo.satoshis} sats)`)
+      debug(`✅ UTXO added: ${key} (${utxo.satoshis} sats)`)
       return true
 
     } catch (error) {
@@ -305,7 +312,7 @@ function BrowserUTXOManager(options) {
           }
         }
 
-        console.log(`❌ UTXO spent: ${key} in ${spentUTXO.spentInTx}`)
+        debug(`❌ UTXO spent: ${key} in ${spentUTXO.spentInTx}`)
       })
 
       this._updateMetadata()
@@ -446,11 +453,11 @@ function BrowserUTXOManager(options) {
       const storage = this._getStorage()
       if (storage) {
         storage.removeItem(this.options.storageKey)
-        console.log(`🔄 Cleared ${this.options.storage} storage`)
+        debug(`🔄 Cleared ${this.options.storage} storage`)
       }
     }
 
-    console.log('🔄 BrowserUTXOManager reset complete')
+    debug('🔄 BrowserUTXOManager reset complete')
   }
 
   /**
@@ -513,7 +520,7 @@ function BrowserUTXOManager(options) {
         this.saveToStorage()
       }
 
-      console.log('✅ BrowserUTXOManager: Imported ' + (data.utxos && data.utxos.length || 0) + ' UTXOs')
+      debug('✅ BrowserUTXOManager: Imported ' + (data.utxos && data.utxos.length || 0) + ' UTXOs')
       return true
 
     } catch (error) {

package/lib/ltp/claim.js

@@ -691,6 +691,7 @@ var ClaimValidator = {
    * @private
    */
   _generateBatchId: function() {
+    // Non-security: identifier collision avoidance only
     var data = 'batch_' + Date.now() + '_' + Math.random()
     return Hash.sha256(Buffer.from(data)).toString('hex').substring(0, 16)
   },

package/lib/ltp/obligation.js

@@ -929,6 +929,7 @@ var ObligationToken = {
    * @private
    */
   _generateUUID: function() {
+    // Non-security: identifier collision avoidance only (not RFC 4122 v4 random)
     return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
       var r = Math.random() * 16 | 0
       var v = c === 'x' ? r : (r & 0x3 | 0x8)

package/lib/ltp/registry.js

@@ -552,6 +552,7 @@ var LTPRegistry = {
    * @private
    */
   _generateRegistryId: function() {
+    // Non-security: identifier collision avoidance only
     var data = 'reg_' + Date.now() + '_' + Math.random()
     return 'reg_' + Hash.sha256(Buffer.from(data)).toString('hex').substring(0, 16)
   },
@@ -685,6 +686,7 @@ var LTPRegistry = {
    * @private
    */
   _generateAuditId: function() {
+    // Non-security: identifier collision avoidance only
     var data = 'audit_' + Date.now() + '_' + Math.random()
     return 'audit_' + Hash.sha256(Buffer.from(data)).toString('hex').substring(0, 12)
   },

package/lib/ltp/right.js

@@ -752,6 +752,7 @@ var RightToken = {
    * @private
    */
   _generateUUID: function() {
+    // Non-security: identifier collision avoidance only (not RFC 4122 v4 random)
     return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
       var r = Math.random() * 16 | 0
       var v = c === 'x' ? r : (r & 0x3 | 0x8)

package/lib/smart_contract/covenant.js

@@ -26,6 +26,15 @@ try {
   fs = null
 }
 
+// Set BSV_DEBUG=1 (Node) or window.BSV_DEBUG = true (browser) to surface
+// informational warnings from this module. Matches the gating pattern
+// used by lib/browser-utxo-manager-es5.js since v3.4.1.
+var debug = function () {
+  var enabled = (typeof process !== 'undefined' && process.env && process.env.BSV_DEBUG) ||
+                (typeof window !== 'undefined' && window.BSV_DEBUG)
+  if (enabled) console.log.apply(console, arguments)
+}
+
 /**
  * Covenant Class - Advanced covenant management
  * @param {PrivateKey} privateKey - Private key for covenant operations
@@ -212,7 +221,7 @@ Covenant.prototype.validate = function(spendingTx, covenantUtxo) {
  */
 Covenant.prototype.save = function(covenantUtxo) {
   if (!fs) {
-    console.warn('File system operations not available in browser environment')
+    debug('File system operations not available in browser environment')
     return covenantUtxo
   }
   

package/lib/smartutxo.js

@@ -5,6 +5,15 @@
  * Provides blockchain state management and UTXO tracking for testing and development
  */
 
+// Set BSV_DEBUG=1 (Node) or window.BSV_DEBUG = true (browser) to surface
+// info/warning output from this module. Matches the gating pattern used
+// by lib/browser-utxo-manager-es5.js since v3.4.1.
+const debug = function () {
+  const enabled = (typeof process !== 'undefined' && process.env && process.env.BSV_DEBUG) ||
+                  (typeof window !== 'undefined' && window.BSV_DEBUG)
+  if (enabled) console.log.apply(console, arguments)
+}
+
 // Browser-compatible imports
 let fs, path, crypto, blockchainState
 
@@ -16,8 +25,7 @@ if (typeof window === 'undefined' && typeof require === 'function') {
     crypto = require('crypto')
     blockchainState = require('../utilities/blockchain-state')
   } catch (e) {
-    // Fallback for environments where these modules aren't available
-    console.warn('SmartUTXO: Running in browser mode - some features may be limited')
+    debug('SmartUTXO: Running in browser mode - some features may be limited')
   }
 }
 
@@ -40,7 +48,7 @@ class SmartUTXOManager {
       const state = blockchainState.loadBlockchainState()
       return state
     } catch (error) {
-      console.log('⚠️ Could not load blockchain state:', error.message)
+      debug('⚠️ Could not load blockchain state:', error.message)
       return null
     }
   }
@@ -53,9 +61,9 @@ class SmartUTXOManager {
       const state = blockchainState.loadBlockchainState()
       blockchainState.saveBlockchainState(state)
       const utxoCount = Object.keys(state.globalUTXOSet || {}).length
-      console.log(`💾 Saved blockchain state with ${utxoCount} UTXOs`)
+      debug(`💾 Saved blockchain state with ${utxoCount} UTXOs`)
     } catch (error) {
-      console.log('⚠️ Could not save blockchain state:', error.message)
+      debug('⚠️ Could not save blockchain state:', error.message)
     }
   }
 
@@ -76,7 +84,7 @@ class SmartUTXOManager {
       // Return the wallet's UTXOs
       return state.wallets[address].utxos || []
     } catch (error) {
-      console.log('⚠️ Error getting UTXOs:', error.message)
+      debug('⚠️ Error getting UTXOs:', error.message)
       return []
     }
   }
@@ -90,7 +98,7 @@ class SmartUTXOManager {
       // Use the correct API: addUTXO(utxo, ownerAddress)
       blockchainState.addUTXO(utxo, utxo.address)
     } catch (error) {
-      console.log('⚠️ Error adding UTXO:', error.message)
+      debug('⚠️ Error adding UTXO:', error.message)
     }
   }
 
@@ -106,7 +114,7 @@ class SmartUTXOManager {
         blockchainState.spendUTXO(input.txid, input.vout, spentInTx)
       }
     } catch (error) {
-      console.log('⚠️ Error spending UTXOs:', error.message)
+      debug('⚠️ Error spending UTXOs:', error.message)
     }
   }
 
@@ -156,7 +164,7 @@ class SmartUTXOManager {
       // Return the wallet's total value
       return state.wallets[address].totalValue || 0
     } catch (error) {
-      console.log('⚠️ Error getting balance:', error.message)
+      debug('⚠️ Error getting balance:', error.message)
       return 0
     }
   }
@@ -176,7 +184,7 @@ class SmartUTXOManager {
         lastUpdated: state.metadata.lastUpdated
       }
     } catch (error) {
-      console.log('⚠️ Error getting stats:', error.message)
+      debug('⚠️ Error getting stats:', error.message)
       return { totalUTXOs: 0, totalValue: 0, totalWallets: 0, blockHeight: 0 }
     }
   }
@@ -189,10 +197,10 @@ class SmartUTXOManager {
       const statePath = path.join(__dirname, '../utilities/blockchain-state.json')
       if (fs.existsSync(statePath)) {
         fs.unlinkSync(statePath)
-        console.log('🔄 Blockchain state reset')
+        debug('🔄 Blockchain state reset')
       }
     } catch (error) {
-      console.log('⚠️ Could not reset blockchain state:', error.message)
+      debug('⚠️ Could not reset blockchain state:', error.message)
     }
   }
 }

package/lib/transaction/transaction.js

@@ -577,7 +577,7 @@ Transaction.prototype._fromMultisigUtxo = function (utxo, pubkeys, threshold) {
   } else if (utxo.script.isScriptHashOut()) {
     Clazz = MultiSigScriptHashInput
   } else {
-    throw new Error('@TODO')
+    throw new errors.Transaction.Input.UnsupportedScript(utxo.script.toString())
   }
   this.addInput(new Clazz({
     output: new Output({
@@ -911,6 +911,13 @@ Transaction.prototype._getUnspentValue = function () {
 
 Transaction.prototype._clearSignatures = function () {
   _.each(this.inputs, function (input) {
+    // Custom-script inputs (bare Input base class — e.g. covenant or other
+    // non-standard locking scripts) have no library-managed signatures to
+    // clear; the caller owns input.script. Mirror the guard pattern used by
+    // Transaction.prototype.isFullySigned / isValidSignature below.
+    if (input.clearSignatures === Input.prototype.clearSignatures) {
+      return
+    }
     input.clearSignatures()
   })
 }

package/lib/util/_.js

@@ -1,5 +1,7 @@
 'use strict'
 
+var Random = require('../crypto/random')
+
 var _ = {}
 
 _.isArray = t => Array.isArray(t)
@@ -28,10 +30,14 @@ _.values = o => Object.values(o)
 _.filter = (a, f) => a.filter(f)
 _.reduce = (a, f, s) => a.reduce(f, s)
 _.without = (a, n) => a.filter(t => t !== n)
+// CSPRNG-backed Fisher-Yates. Output-order shuffling is a privacy primitive
+// (Transaction.shuffleOutputs); a predictable PRNG defeats the purpose.
 _.shuffle = a => {
   const result = a.slice(0)
   for (let i = result.length - 1; i > 0; i--) {
-    const j = Math.floor(Math.random() * (i + 1));
+    const buf = Random.getRandomBuffer(4)
+    const r = buf.readUInt32BE(0) / 0x100000000
+    const j = Math.floor(r * (i + 1));
     [result[i], result[j]] = [result[j], result[i]]
   }
   return result

package/ltp-entry.js

@@ -1,2 +1 @@
-// LTP module placeholder - will be implemented in future release
-module.exports = require('./lib/smart_contract');
+module.exports = require('./lib/ltp')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "smartledger-bsv",
-  "version": "3.4.0",
+  "version": "3.4.4",
   "description": "🚀 Complete Bitcoin SV development framework with legally-recognizable DID:web + W3C VC-JWT toolkit, Legal Token Protocol (LTP), Global Digital Attestation Framework (GDAF), StatusList2021 revocation, and 16 flexible loading options. Standards-based credentials with ES256/ES256K support, on-chain BSV anchoring, and comprehensive Bitcoin SV API. Perfect for legal tokens, verifiable credentials, DeFi, smart contracts, and secure Bitcoin applications.",
   "author": "SmartLedger Technology <hello@smartledger.technology> (https://smartledger.technology)",
   "homepage": "https://github.com/codenlighten/smartledger-bsv#readme",
@@ -8,12 +8,14 @@
     "url": "https://github.com/codenlighten/smartledger-bsv/issues"
   },
   "main": "index.js",
+  "types": "bsv.d.ts",
   "bin": {
     "smartledger-bsv": "./bin/cli.js"
   },
   "scripts": {
     "lint": "standard",
     "test": "mocha",
+    "test:cli": "mocha test/cli/smoke.js --timeout 25000",
     "test:ltp": "node complete_ltp_demo.js",
     "test:ltp-primitives": "node simple_demo.js",
     "test:architecture": "node architecture_demo.js",
@@ -62,7 +64,7 @@
     "test:browser": "echo 'Open tests/standalone-modules-test.html in browser for comprehensive testing'",
     "test:bundle": "echo 'Open tests/bundle-completeness-test.html in browser to verify bundle completeness'",
     "preimage:extract": "node examples/preimage/extract_preimage_bidirectional.js",
-    "prepublishOnly": "NODE_OPTIONS=\"--openssl-legacy-provider\" npm run build"
+    "prepublishOnly": "NODE_OPTIONS=\"--openssl-legacy-provider\" npm run build-all"
   },
   "unpkg": "bsv.min.js",
   "jsdelivr": "bsv.min.js",
@@ -70,12 +72,13 @@
   "files": [
     "index.js",
     "lib/",
-    "utilities/",
+    "utilities/*.js",
+    "utilities/README.md",
+    "utilities/wallet.json",
     "ecies/",
     "message/",
     "mnemonic/",
     "build/",
-    "tests/",
     "*-entry.js",
     "bsv.min.js",
     "bsv.bundle.js",
@@ -89,17 +92,12 @@
     "bsv-covenant.min.js",
     "bsv-script-helper.min.js",
     "bsv-security.min.js",
+    "bsv-didweb.min.js",
+    "bsv-vcjwt.min.js",
+    "bsv-statuslist.min.js",
+    "bsv-anchor.min.js",
     "bsv.d.ts",
-    "validation_test.js",
-    "test_shamir.js",
-    "shamir_demo.js",
-    "complete_ltp_demo.js",
-    "simple_demo.js",
-    "architecture_demo.js",
-    "test_standalone_shamir.html",
     "docs/",
-    "demos/",
-    "examples/",
     "LICENSE",
     "README.md",
     "SECURITY.md",