trac-msb 0.2.1 → 0.2.2

package/LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+    Copyright 2025 Trac Systems UG
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

package/SECURITY.md

@@ -0,0 +1,54 @@
+# Security Policy
+
+## Supported Versions
+
+The following table shows which versions of this project are currently receiving security updates.
+
+| Version | Supported          |
+| -------- | ------------------ |
+| 0.2.x    | :white_check_mark: |
+| < 0.2    | :x:                |
+
+Older versions (< 0.2.x) are no longer supported.  
+Please upgrade to the latest release to ensure you receive security fixes.
+
+---
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability affecting the TRAC Network,  
+please **do not disclose it publicly** (e.g., on social media, Discord, or GitHub Issues).
+
+Instead, report it responsibly and confidentially through one of the following contacts:
+
+- 📧 **info@trac.network** — protocol, API, infrastructure, or tooling vulnerabilities 
+
+Alternatively, you can use the **“Report a vulnerability”** option on GitHub if available.
+
+---
+
+### Responsible Disclosure Guidelines
+
+- **Do not exploit or test vulnerabilities on mainnet.**  
+  Use **testnet** environments or isolated local nodes for proof-of-concepts (PoCs).  
+- Include clear and reproducible details in your report:
+  - affected **component or module**,  
+  - minimal **proof of concept (PoC)** showing the issue,  
+  - expected vs. actual behavior,  
+  - estimated **impact** (e.g., fund loss, network instability, or data integrity issue),  
+  - any relevant **logs or transaction hashes** if applicable.  
+- Please avoid:
+  - phishing or social engineering,  
+  - denial-of-service (DoS) or spam tests,  
+  - public disclosure before coordinated remediation.
+
+---
+
+### Response Process
+
+- You will receive an **acknowledgment within 72 hours** of submission.  
+- The TRAC Network security team will investigate and validate the issue.  
+- If confirmed, we’ll provide updates on the **remediation plan and timeline**.  
+- After a fix is deployed, we may publicly recognize your contribution (with your consent).  
+
+Thank you for helping us keep the TRAC Network ecosystem secure and resilient 💙

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "trac-msb",
   "main": "msb.mjs",
-  "version": "0.2.1",
+  "version": "0.2.2",
   "pear": {
     "name": "trac-msb",
     "type": "terminal"

package/src/index.js

@@ -1199,7 +1199,7 @@ export class MainSettlementBus extends ReadyResource {
                             this.network.validatorConnectionManager.rotate() // force change connection rotation for the next retry
                         }
 
-                        return { message: "Transaction broadcasted successfully.", signedLength, unsignedLength };
+                        return { message: "Transaction broadcasted successfully.", signedLength, unsignedLength, tx: hash };
                     } else {
                         // Handle case where payload is missing if called internally without one.
                         throw new Error("Transaction payload is required for broadcast_transaction command.");

package/test/acceptance/v1/rpc.test.mjs

@@ -124,6 +124,7 @@ describe("API acceptance tests", () => {
                 message: "Transaction broadcasted successfully.",
                 signedLength: expect.any(Number),
                 unsignedLength: expect.any(Number),
+                tx: expect.any(String)
             }
         })
     })

package/test/state/apply.addAdmin.basic.test.js

@@ -1,111 +0,0 @@
-import { test, hook } from '../utils/wrapper.js'
-import Corestore from 'corestore'
-import path from 'path'
-import os from 'os'
-import { promises as fsp } from 'fs'
-import b4a from 'b4a'
-
-import PeerWallet from 'trac-wallet'
-import State from '../../src/core/state/State.js'
-import CompleteStateMessageOperations from '../../src/messages/completeStateMessages/CompleteStateMessageOperations.js'
-import { ADMIN_INITIAL_BALANCE } from '../../src/utils/constants.js'
-
-// Prosty, szybki test apply(add_admin) inspirowany stylem Autobase/test/basic.js
-// Minimalny setup: Corestore + State + Wallet, bez sieci i dodatkowych warstw
-
-let tmpDir
-let store
-let wallet
-let state
-
-const STATE_OPTIONS = {
-  enable_tx_apply_logs: false,
-  enable_error_apply_logs: false
-}
-
-async function createTempStore() {
-  const base = path.join(os.tmpdir(), `msb-state-test-${Date.now()}-${Math.random().toString(16).slice(2)}`)
-  await fsp.mkdir(base, { recursive: true })
-  return { base, db: path.join(base, 'db') }
-}
-
-async function createWalletFromFixture({ mnemonic }) {
-  const w = new PeerWallet({ mnemonic })
-  await w.ready
-  return w
-}
-
-hook('setup state for add_admin', async () => {
-  const paths = await createTempStore()
-  tmpDir = paths.base
-
-  const { testKeyPair1 } = await import('../fixtures/apply.fixtures.js')
-  wallet = await createWalletFromFixture(testKeyPair1)
-
-  // wyciągnij writing key bootstrapu (== klucz lokalnego writera)
-  const bootstrapKey = await deriveBootstrapWriterKey(paths.db, wallet)
-
-  // właściwy store + stan testowy
-  store = new Corestore(paths.db)
-  await store.ready()
-
-  state = new State(store, bootstrapKey, wallet, STATE_OPTIONS)
-  await state.ready()
-
-  // pierwszy pusty append zapewnia, że widok/indexery są zainicjalizowane
-  await state.append(null)
-  await fastForwardIfAvailable(state)
-  await state.base.view.update()
-})
-
-test('State.apply(add_admin) – podstawowy scenariusz', async t => {
-  // preconditions
-  const beforeAdmin = await state.getAdminEntry()
-  t.is(beforeAdmin, null, 'admin entry nie istnieje przed operacją')
-
-  // assemble + append
-  const validity = await state.getIndexerSequenceState()
-  const msg = await CompleteStateMessageOperations.assembleAddAdminMessage(
-    wallet,
-    state.writingKey,
-    validity
-  )
-
-  await state.append(msg)
-  // wymuś natychmiastowe przetworzenie apply i aktualizację widoku
-  await fastForwardIfAvailable(state)
-  await state.base.view.update()
-
-  // assertions
-  const adminEntry = await state.getAdminEntry()
-  t.ok(adminEntry, 'admin entry powinien zostać dodany')
-  t.ok(b4a.equals(adminEntry.wk, state.writingKey), 'wk admina == writingKey')
-
-  const node = await state.getNodeEntry(adminEntry.address)
-  t.ok(node?.isWriter, 'admin powinien być writerem')
-  t.ok(node?.isIndexer, 'admin powinien być indexerem')
-  t.ok(b4a.equals(node.balance, ADMIN_INITIAL_BALANCE), 'admin powinien mieć saldo początkowe')
-})
-
-hook('teardown state for add_admin', async () => {
-  try { if (state) await state.close() } catch {}
-  try { if (store) await store.close() } catch {}
-  try { if (tmpDir) await fsp.rm(tmpDir, { recursive: true, force: true }) } catch {}
-})
-
-async function deriveBootstrapWriterKey(dbPath, walletInstance) {
-  const bootstrapStore = new Corestore(dbPath)
-  await bootstrapStore.ready()
-  const bootstrapState = new State(bootstrapStore, null, walletInstance, STATE_OPTIONS)
-  await bootstrapState.ready()
-  const wk = bootstrapState.writingKey
-  await bootstrapState.close()
-  await bootstrapStore.close()
-  return wk
-}
-
-async function fastForwardIfAvailable(testState) {
-  if (typeof testState.base.forceFastForward === 'function') {
-    await testState.base.forceFastForward()
-  }
-}