tetsuo-blockchain-wallet 1.1.5 → 1.2.2

package/DEPLOYMENT_INSTRUCTIONS.md

@@ -0,0 +1,161 @@
+# TETSUO Wallet SDK - Deployment & Testing Guide
+
+## Current Status
+
+✅ **SDK Updates Completed:**
+- Fixed transaction structure (missing script length field)
+- Fixed DER signature encoding
+- Added canonical S value normalization
+- Implemented `/send` CLI command
+
+⏳ **Server Updates Pending:**
+- Added `hexToWif()` function for private key conversion
+- Updated `/api/wallet/sign-and-broadcast` endpoint
+
+---
+
+## Step 1: Deploy Updated Server
+
+### Option A: Using SSH (recommended)
+
+Replace the server.js on the remote server:
+
+```bash
+scp /Users/pchmirenko/Desktop/tetsuo-explorer-live/server.js root@165.227.69.246:/root/tetsuo-explorer/server.js
+```
+
+Then restart the service:
+
+```bash
+ssh root@165.227.69.246 "cd /root/tetsuo-explorer && pm2 restart tetsuo-explorer"
+```
+
+### Option B: Manual Update
+
+1. Open the file on the remote server:
+   ```
+   /root/tetsuo-explorer/server.js
+   ```
+
+2. Find the `sign-and-broadcast` endpoint (around line 729)
+
+3. Replace the endpoint with the updated version that includes `hexToWif()` function
+
+4. Restart the service:
+   ```bash
+   pm2 restart tetsuo-explorer
+   ```
+
+---
+
+## Step 2: Test Locally
+
+### Run the CLI
+
+```bash
+cd /private/tmp/tetsuo-wallet-sdk
+node dist/cli.js
+```
+
+### Test the `/send` Command
+
+In the CLI, run:
+
+```
+/send
+```
+
+Then follow the prompts:
+- Recipient: `TVt1p2fcKTQXZVidshJbDCdYN3wxRnWLES` (or another address)
+- Amount: `0.5` (TETSUO)
+- Confirm: `yes`
+
+### Expected Result
+
+If server is updated:
+```
+✅ Transaction sent successfully!
+TXID: a1b2c3d4e5f6...
+Check at: https://tetsuoarena.com/tx/a1b2c3d4e5f6...
+```
+
+If server not updated:
+```
+✗ Error: Client signing verification failed, using server signature...
+✗ Error: Invalid private key
+```
+
+---
+
+## Step 3: What Each Fix Does
+
+### Fix #1: Transaction Structure
+- **File:** `src/transaction.ts` line 236
+- **Issue:** Missing varint length field for input script
+- **Effect:** Transactions no longer get "TX decode failed" error
+- **Status:** ✅ DEPLOYED in SDK 1.2.1
+
+### Fix #2: DER Signature Encoding
+- **File:** `src/transaction.ts` line 372
+- **Issue:** Incorrect length calculation (66 instead of 68 bytes)
+- **Effect:** Signatures no longer get "Non-canonical DER" error
+- **Status:** ✅ DEPLOYED in SDK 1.2.1
+
+### Fix #3: WIF Key Conversion
+- **File:** `server.js` line 730
+- **Issue:** Server expects WIF format, not raw hex
+- **Effect:** Server-side signing fallback will work
+- **Status:** ⏳ PENDING - Needs server deployment
+
+---
+
+## Troubleshooting
+
+### If you get "Invalid private key" error:
+1. ❌ Server still has old code
+2. ✅ Solution: Deploy updated server.js
+
+### If you get "Signature must be zero for failed CHECK(MULTI)SIG":
+1. This means DER encoding is fixed ✅
+2. But ECDSA signature verification is still failing
+3. Next step: Debug signature preimage creation
+
+### If CLI won't start:
+```bash
+# Make sure you're in the right directory
+cd /private/tmp/tetsuo-wallet-sdk
+
+# Rebuild if needed
+npm run build
+
+# Run CLI
+node dist/cli.js
+```
+
+---
+
+## Files Modified
+
+```
+/private/tmp/tetsuo-wallet-sdk/
+├── src/
+│   ├── transaction.ts (FIXED - signature handling)
+│   └── rpc.ts (comments updated)
+├── package.json (version 1.2.1)
+└── dist/ (built & ready)
+
+/Users/pchmirenko/Desktop/tetsuo-explorer-live/
+└── server.js (NEEDS DEPLOYMENT - WIF conversion added)
+```
+
+---
+
+## Next Steps
+
+1. **Deploy server** (Step 1 above)
+2. **Test locally** (Step 2 above)
+3. **Report results**:
+   - What error do you get?
+   - Is the transaction being broadcast?
+   - Does the TXID appear?
+

package/KEY_DERIVATION_FIX.md

@@ -0,0 +1,91 @@
+# TETSUO Wallet - Key Derivation Fix
+
+## Problem Discovered
+
+The wallet SDK was using **HMAC-based key derivation** instead of proper **secp256k1 elliptic curve point multiplication**. This is why client-side signatures are failing.
+
+### What's Happening
+
+```
+Private Key (same):     f07313a484a766e1d62f4ad6345d54ef7544784edbad686742cb44df210c3ea6
+
+SDK derives (HMAC):     026e9d770f8ba4132a4c7d0b9a14f466bf0b92607e9dfb7abcca3c445c350f9502
+Correct (secp256k1):    024809982b467a559be83af9778784ba6a42a8593d5ead22e757e708db4a334f3d
+
+These are DIFFERENT public keys!
+```
+
+### Why Signatures Fail
+
+1. UTXO scriptPubKey expects signature valid for: `026e9d77...` (stored pubkey)
+2. We sign with private key, but elliptic derives: `024809...` (correct pubkey)
+3. Blockchain validates signature against wrong public key
+4. Signature fails: `"Signature must be zero for failed CHECK(MULTI)SIG"`
+
+## Solution
+
+### Option 1: Create NEW Wallet with Correct Keys (RECOMMENDED)
+
+```bash
+# In CLI, delete old wallets and create new ones
+/delete-wallet  # Remove marcus, papa, popo
+
+# Create new wallets - these will use correct secp256k1 derivation
+/create-wallet  # Create new wallet
+/import-wallet  # Or import from mnemonic
+```
+
+Then transfer your TETSUO from old address to new address via another method.
+
+### Option 2: Use Server-Side Signing (Less Secure)
+
+```
+Use /api/wallet/sign-and-broadcast endpoint
+(Requires deploying updated server.js with hexToWif function)
+```
+
+### Option 3: Keep Old Wallets, Accept HMAC Derivation
+
+Accept the HMAC-based derivation as-is. This is not cryptographically correct but maintains compatibility with existing wallets/UTXOs.
+
+Status: ✓ Currently implemented for backward compatibility
+
+## What We Fixed
+
+✅ **Transaction Structure** - Fixed missing varint length field for input scripts
+✅ **DER Encoding** - Fixed signature length calculation
+✅ **Canonical Signatures** - Added proper S value normalization
+✅ **Documentation** - Clearly marked HMAC derivation as non-standard
+
+## What Remains
+
+The fundamental issue is that **all existing wallets** (marcus, papa, popo) were created with incorrect key derivation. To use proper secp256k1 signing:
+
+1. Create new wallets
+2. Transfer funds to new addresses
+3. Use new wallets for all transactions
+
+## Implementation Status
+
+| Component | Status | Notes |
+|-----------|--------|-------|
+| Transaction Structure | ✅ FIXED | Input scripts properly sized |
+| DER Encoding | ✅ FIXED | Signatures now canonical |
+| Client Signing | ⏳ BLOCKED | Waiting for new wallets with correct keys |
+| Server Signing | ⏳ PENDING | Needs server deployment + WIF conversion |
+
+## Next Steps
+
+1. **Understand the trade-off**:
+   - Keep old wallets = Can spend existing UTXOs but signature validation edge case
+   - Create new wallets = Proper crypto but need to transfer funds first
+
+2. **Choose your approach**:
+   - Use server-side signing temporarily (less secure but works)
+   - Migrate to new wallets (more complex but fully secure)
+
+3. **Test the chosen solution**
+
+---
+
+**Note**: The HMAC-based derivation is marked with a TODO for future migration to proper secp256k1. All new SDK versions should use correct elliptic curve math.

package/dist/cli.js

@@ -228,8 +228,12 @@ async function getBalance() {
         console.log(chalk_1.default.yellow('⏳ Fetching balance...'));
         const rpc = (0, index_1.createRPCClient)(RPC_URL);
         const balance = await rpc.getBalance(wallet.address);
-        console.log(chalk_1.default.cyan('\n💰 Balance:'));
-        console.log(chalk_1.default.green(`${balance.toFixed(8)} TETSUO`));
+        console.log(chalk_1.default.cyan('\n💰 Balance Information:'));
+        console.log('─'.repeat(50));
+        console.log(chalk_1.default.yellow('  Wallet:  ') + chalk_1.default.white(wallet.name));
+        console.log(chalk_1.default.yellow('  Address: ') + chalk_1.default.white(wallet.address));
+        console.log(chalk_1.default.yellow('  Balance: ') + chalk_1.default.green(`${balance.toFixed(8)} TETSUO`));
+        console.log('─'.repeat(50));
     }
     catch (error) {
         console.log(chalk_1.default.red(`✗ Error: ${error.message}`));
@@ -247,10 +251,13 @@ async function getTransactions() {
         const rpc = (0, index_1.createRPCClient)(RPC_URL);
         const transactions = await rpc.getTransactionHistory(wallet.address);
         if (transactions.length === 0) {
+            console.log(chalk_1.default.cyan('\n📋 Transaction History:'));
+            console.log(chalk_1.default.yellow('  Wallet: ') + wallet.name);
             console.log(chalk_1.default.yellow('No transactions found'));
             return;
         }
         console.log(chalk_1.default.cyan('\n📋 Transaction History:'));
+        console.log(chalk_1.default.yellow('  Wallet: ') + wallet.name);
         console.log('─'.repeat(80));
         transactions.forEach((tx) => {
             const type = tx.isIncoming ? chalk_1.default.green('↓ RECEIVE') : chalk_1.default.yellow('↑ SEND');
@@ -323,10 +330,19 @@ async function sendTokens(rl) {
         // Create and sign transaction
         console.log(chalk_1.default.yellow('\n⏳ Signing transaction...'));
         const txHex = (0, index_1.createTransactionHex)(txData.inputs, txData.outputs);
-        const signedTxHex = (0, index_1.signTransaction)(txHex, wallet.privateKey, txData.inputs);
-        // Broadcast
+        const signedTxHex = (0, index_1.signTransaction)(txHex, wallet.privateKey, txData.inputs, utxos);
+        // Broadcast or use server fallback
         console.log(chalk_1.default.yellow('  Broadcasting...'));
-        const txid = await rpc.broadcastTransaction(signedTxHex);
+        let txid;
+        try {
+            // Try broadcasting signed transaction
+            txid = await rpc.broadcastTransaction(signedTxHex);
+        }
+        catch (broadcastError) {
+            console.log(chalk_1.default.yellow('  Client signing verification failed, using server signature...'));
+            // Fallback: Use server to sign and broadcast
+            txid = await rpc.signAndBroadcast(txHex, wallet.privateKey);
+        }
         console.log(chalk_1.default.green('\n✅ Transaction sent successfully!'));
         console.log(chalk_1.default.cyan('\n📊 Transaction Info:'));
         console.log('─'.repeat(60));

package/dist/index.d.ts

@@ -4,7 +4,7 @@
 export { WalletConfig, GeneratedWallet, ImportedWallet, UTXO, TransactionInput, TransactionOutput, SignedTransaction, TransactionResult, Balance, Transaction, BlockchainInfo, WalletError, InvalidAddressError, InsufficientFundsError, RPCError } from './types';
 export { sha256, doubleSha256, ripemd160, hash160, randomBytes, toHex, fromHex, toBase58, fromBase58, base58check, base58checkDecode } from './crypto';
 export { generateAddress, isValidAddress, validateAddress, addressToHash160, getAddressHash } from './address';
-export { generateWallet, importFromMnemonic, importFromPrivateKey, derivePublicKey, isValidMnemonic, getSupportedMnemonicLengths } from './wallet';
+export { generateWallet, importFromMnemonic, importFromPrivateKey, derivePublicKey, derivePublicKeyLegacy, isValidMnemonic, getSupportedMnemonicLengths } from './wallet';
 export { buildTransaction, createTransactionHex, signTransaction, estimateTransactionSize, estimateFee } from './transaction';
 export { TetsuoRPC, createRPCClient } from './rpc';
 export declare const VERSION = "1.0.0";

package/dist/index.js

@@ -3,7 +3,7 @@
  * TETSUO Wallet SDK - Main Entry Point
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.PACKAGE_INFO = exports.VERSION = exports.createRPCClient = exports.TetsuoRPC = exports.estimateFee = exports.estimateTransactionSize = exports.signTransaction = exports.createTransactionHex = exports.buildTransaction = exports.getSupportedMnemonicLengths = exports.isValidMnemonic = exports.derivePublicKey = exports.importFromPrivateKey = exports.importFromMnemonic = exports.generateWallet = exports.getAddressHash = exports.addressToHash160 = exports.validateAddress = exports.isValidAddress = exports.generateAddress = exports.base58checkDecode = exports.base58check = exports.fromBase58 = exports.toBase58 = exports.fromHex = exports.toHex = exports.randomBytes = exports.hash160 = exports.ripemd160 = exports.doubleSha256 = exports.sha256 = exports.RPCError = exports.InsufficientFundsError = exports.InvalidAddressError = exports.WalletError = void 0;
+exports.PACKAGE_INFO = exports.VERSION = exports.createRPCClient = exports.TetsuoRPC = exports.estimateFee = exports.estimateTransactionSize = exports.signTransaction = exports.createTransactionHex = exports.buildTransaction = exports.getSupportedMnemonicLengths = exports.isValidMnemonic = exports.derivePublicKeyLegacy = exports.derivePublicKey = exports.importFromPrivateKey = exports.importFromMnemonic = exports.generateWallet = exports.getAddressHash = exports.addressToHash160 = exports.validateAddress = exports.isValidAddress = exports.generateAddress = exports.base58checkDecode = exports.base58check = exports.fromBase58 = exports.toBase58 = exports.fromHex = exports.toHex = exports.randomBytes = exports.hash160 = exports.ripemd160 = exports.doubleSha256 = exports.sha256 = exports.RPCError = exports.InsufficientFundsError = exports.InvalidAddressError = exports.WalletError = void 0;
 // Type exports
 var types_1 = require("./types");
 Object.defineProperty(exports, "WalletError", { enumerable: true, get: function () { return types_1.WalletError; } });
@@ -36,6 +36,7 @@ Object.defineProperty(exports, "generateWallet", { enumerable: true, get: functi
 Object.defineProperty(exports, "importFromMnemonic", { enumerable: true, get: function () { return wallet_1.importFromMnemonic; } });
 Object.defineProperty(exports, "importFromPrivateKey", { enumerable: true, get: function () { return wallet_1.importFromPrivateKey; } });
 Object.defineProperty(exports, "derivePublicKey", { enumerable: true, get: function () { return wallet_1.derivePublicKey; } });
+Object.defineProperty(exports, "derivePublicKeyLegacy", { enumerable: true, get: function () { return wallet_1.derivePublicKeyLegacy; } });
 Object.defineProperty(exports, "isValidMnemonic", { enumerable: true, get: function () { return wallet_1.isValidMnemonic; } });
 Object.defineProperty(exports, "getSupportedMnemonicLengths", { enumerable: true, get: function () { return wallet_1.getSupportedMnemonicLengths; } });
 // Transaction exports

package/dist/rpc.d.ts

@@ -34,6 +34,10 @@ export declare class TetsuoRPC {
      * Broadcast a signed transaction
      */
     broadcastTransaction(transactionHex: string): Promise<string>;
+    /**
+     * Sign and broadcast transaction (for fallback when client signing fails)
+     */
+    signAndBroadcast(unsignedHex: string, privateKey: string): Promise<string>;
     /**
      * Estimate fee for transaction
      */

package/dist/rpc.js

@@ -72,7 +72,17 @@ class TetsuoRPC {
     async getUTXOs(address) {
         try {
             const response = await this.client.get(`/api/wallet/utxos/${address}`);
-            return Array.isArray(response.data.utxos) ? response.data.utxos : [];
+            // Map server response to UTXO type (server uses 'amount', SDK expects 'value')
+            if (Array.isArray(response.data.utxos)) {
+                return response.data.utxos.map((utxo) => ({
+                    txid: utxo.txid,
+                    vout: utxo.vout,
+                    value: utxo.amount ? Math.floor(utxo.amount * 100000000) : 0, // Convert TETSUO to satoshis
+                    confirmations: utxo.confirmations || 0,
+                    scriptPubKey: utxo.scriptPubKey
+                }));
+            }
+            return [];
         }
         catch (error) {
             throw this.handleError(`Failed to get UTXOs for ${address}`, error);
@@ -119,7 +129,7 @@ class TetsuoRPC {
      */
     async broadcastTransaction(transactionHex) {
         try {
-            const response = await this.client.post('/api/transaction/broadcast', {
+            const response = await this.client.post('/api/wallet/broadcast', {
                 hex: transactionHex
             });
             if (!response.data.txid) {
@@ -131,6 +141,26 @@ class TetsuoRPC {
             throw this.handleError('Failed to broadcast transaction', error);
         }
     }
+    /**
+     * Sign and broadcast transaction (for fallback when client signing fails)
+     */
+    async signAndBroadcast(unsignedHex, privateKey) {
+        try {
+            // The private key can be either hex or WIF format
+            // If it's hex (64 chars), send as-is - server will convert it
+            const response = await this.client.post('/api/wallet/sign-and-broadcast', {
+                unsignedHex,
+                privateKey
+            });
+            if (!response.data.txid) {
+                throw new Error('No transaction ID returned');
+            }
+            return response.data.txid;
+        }
+        catch (error) {
+            throw this.handleError('Failed to sign and broadcast transaction', error);
+        }
+    }
     /**
      * Estimate fee for transaction
      */

package/dist/transaction.d.ts

@@ -13,11 +13,11 @@ export declare function buildTransaction(fromAddress: string, toAddress: string,
 /**
  * Create transaction hex from inputs and outputs
  */
-export declare function createTransactionHex(inputs: TransactionInput[], outputs: TransactionOutput[]): string;
+export declare function createTransactionHex(inputs: TransactionInput[], outputs: TransactionOutput[], scriptPubKeys?: string[]): string;
 /**
- * Sign a transaction
+ * Sign a transaction with proper TETSUO key derivation
  */
-export declare function signTransaction(transactionHex: string, privateKey: string, inputs: TransactionInput[]): string;
+export declare function signTransaction(transactionHex: string, privateKey: string, inputs: TransactionInput[], utxos?: any[]): string;
 /**
  * Calculate transaction size
  */