valr-typescript-client 1.0.9 → 1.0.10

package/CHECKSUMS.txt

@@ -0,0 +1,50 @@
+# Package Checksums
+
+Generated on: 2025-12-30 14:57:51 UTC
+Git commit: 3e9dd020502b07c1e87bb03cd1c06540efde3ebd
+Version: 1.0.10
+
+## Distribution Files (SHA256)
+
+06158769642deabfe17ffb66d8fd2b6d5153bba63e45201a5457d171d8c31497  dist/index.js
+26bfc380548882a1ea5da2b993de618c5566cfc4b6442d8bc67a9a7f25bb1ed7  dist/index.js.map
+69ce37acf0ed6a37333e46eb7e86499e4509eb7d3c2279993a05d1c1fd640cfd  dist/index.d.mts
+69ce37acf0ed6a37333e46eb7e86499e4509eb7d3c2279993a05d1c1fd640cfd  dist/index.d.ts
+9f55f3468cc5c0aa57580e7bbb95b5cae9f5e60982428e90a844aba79d0872af  dist/index.mjs
+c10a93a7b2361bef6672805183ab08595fc948e3bf205d7ca8b5052620f3e226  dist/index.mjs.map
+
+## Source Files (SHA256)
+
+05cf6e982fcbd24cebc6c1b4c6e366095859cdf503eb70f5faf4d9bb9844631a  src/client/ValrClient.ts
+0705454404aa0e0f2ce619615600d871c8052ac0afe495bb412219d9a6c032ac  src/types/public.ts
+0a9bed00d1ee34300d532c01c86a300d76f51b96d50aea2ebae15750c7c06d94  src/api/account.ts
+0b4530d458e0c3bbadb79566943ef466404215e545f25c4965c72d9bfeee86dc  src/api/health.ts
+15ef50a824d04e4466a4e34c29b54429c4d36e64d15eed1374c7165452da3abf  src/api/loans.ts
+174ffc46347008d3f473af1916e8b1b38fb9752e68a69776df831dca676a1342  src/api/public.ts
+392124cca58a1532bd57472ba574bc065052c552ea8f10b7c675c942310c67e8  src/api/wallets.ts
+39fd4908c74bcca8c4e74a3a4e16de4439dfca781a7644ca9383c5f5096744cf  src/types/futures.ts
+3ff881e0a329681fecb0eae9ce178e9d1e6e4d6a6d55bfb5eec99a46c85d4e2a  src/types/margin.ts
+40f2245b2685e634bd0f531367561c1c26d174cc083c496c1f914e8c6a9f948a  src/client/ValrWebSocketClient.ts
+4202fe777fda3e43ff944971783116f17031d124395e4a44cb2bf2bec5ff246c  src/types/bundles.ts
+43ce3b42153a2e1a2d290ea893507c820e4461eb2162b1ccfa0d832118468618  src/api/margin.ts
+4abf3aa146557f6f33f039a03a675cb6588da94f29e885ef97458cb698699425  src/types/common.ts
+4b598e192fe1571f36138724f67d49f645d1b4c90cc527fe0e6901d5f950372c  src/auth/RequestSigner.ts
+5475e829a33f944dec5dd4079066aa621c76c7767ac56f172a322ce110d43f0b  src/types/pay.ts
+551aa287e635dad4d0209502a0410f09c169715a5bac95366a875038c3e50504  src/api/futures.ts
+5572db3151cd4db275a7ac6e8a8859e3c9048e0bd873a113f445139c0db2017c  src/api/bundles.ts
+562187bbc4b29a68add1fad7d63c73fb1345b45154358fa0276e2e224cfb7e5a  src/types/account.ts
+58186035ea5e98178c3a9b2b0404d0b0f57765b074af92289e0f9cfaa7acfcfe  src/utils/http.ts
+593e9b1515cb7e1316feae0cf24a9300b879284677c5e790e650502b32c70706  src/types/websocket.ts
+612b1e543d1bbd97b75e814fa7d9b4ff4b1786f6b3671a03019917049e38a96e  src/types/stake.ts
+6ec43e250aca38bc6a9dc4f16e5fe7e6ca25bd831270c5d02c1bc82d79f5731d  src/types/loans.ts
+70636220daed500243e5cd40d25748efcd401a9ff50f4237fa200bce1fe3be38  src/errors/ValrError.ts
+81ced1343e19c4ea795981dc02f0a8163778b169463675498e508da2843a08e5  src/types/index.ts
+85b2242a529ed84d4e50b75fe9e8a393d4a53404734c8d9165a80bedc74887c4  src/types/trading.ts
+a52c483def6de035f7fcf690b6102129ea22cb817bed5a106d3617c8edc7d849  src/api/stake.ts
+c4c0979b4fc9a035bcf0d1bd8b379e5e2e85c8ea39a812cb7d8cd66ba5c04494  src/api/pay.ts
+d8b3405cad342df23aeacaaacde277a4829028699a13bf0d129aea07beb23d68  src/api/trading.ts
+ec209b0ff8de8e662c2ea701feccee22b53e6ed684affb3eacd39e68c3aa725a  src/index.ts
+f67a6c69ed003a1606221e792de802592aedb7164cafb7d7d2eab4fac105807a  src/utils/constants.ts
+f819d431730bb51a23d2cad32cc6eee83dc9d917e5cb9efd3201ffeb64d76ec5  src/client/AccountWebSocket.ts
+fe3ced400781e287f691c1262b48ea5005d21b45f69172a8a03b470e14c63a6e  src/client/TradeWebSocket.ts
+fe8bec28add01e200bd95ad326a0511334671b3a82a3990d2ee521adca7a7a8e  src/types/wallets.ts

package/README.md

@@ -242,6 +242,112 @@ VALR API uses HMAC SHA512 signatures for authentication. This client handles all
 - Regularly rotate your API keys
 - Delete unused API keys
 
+## Package Integrity & Verification
+
+This package includes cryptographic checksums to verify package integrity and protect against supply chain attacks.
+
+### Verifying Package Checksums
+
+After installing from npm or any registry, you can verify the package integrity:
+
+```bash
+# Using npm script (cross-platform)
+npm run verify
+
+# Or directly with Node.js
+node node_modules/valr-typescript-client/scripts/verify-checksums.js
+
+# Or on Unix systems with bash
+bash node_modules/valr-typescript-client/scripts/verify-checksums.sh
+```
+
+This will verify that:
+- **All `dist/` files** (the compiled JavaScript you actually execute) match the official build
+- The package hasn't been tampered with after publication
+- You're running the exact code from the GitHub release
+- Shows you the Git commit SHA of the source code it was built from
+
+**What you're verifying:** The compiled JavaScript files in `dist/` are what run when you use this package. The checksums prove these match the official build from GitHub Actions.
+
+### What Gets Verified
+
+The checksum verification checks:
+
+**Distribution files (`dist/`)** - **What actually executes:**
+- `dist/index.js`, `dist/index.mjs` - Compiled JavaScript (ESM/CJS)
+- `dist/index.d.ts`, `dist/index.d.mts` - TypeScript definitions
+- `dist/*.map` - Source maps
+
+**Source files (`src/`)** - For transparency:
+- Original TypeScript source code
+- Allows you to inspect what the dist was built from
+- Enables reproducible builds (advanced users)
+
+**Metadata:**
+- **Git commit SHA** - Links to exact source code on GitHub
+- **Build timestamp** - When the package was built
+- **Package version** - Version number
+
+**Security model:** Checksums prove your `dist/` files match the official GitHub Actions build. You can inspect the source code at the Git commit shown in the checksums.
+
+### Building from Source
+
+If you prefer to build from source yourself:
+
+```bash
+# Clone the repository
+git clone https://github.com/yashutanna/valr-typescript-client.git
+cd valr-typescript-client
+
+# Checkout a specific release
+git checkout v1.0.9
+
+# Install dependencies (use ci for reproducible builds)
+npm ci
+
+# Build
+npm run build
+
+# Run tests
+npm test
+```
+
+### Reproducible Builds (Advanced)
+
+For maximum trust, verify the official build was created from clean source code:
+
+```bash
+# Clone and checkout the release
+git clone https://github.com/yashutanna/valr-typescript-client.git
+cd valr-typescript-client
+git checkout v1.0.9
+
+# Build from source
+npm ci
+npm run build
+
+# Compare your build with official checksums
+bash scripts/build-and-verify.sh
+```
+
+This attempts to reproduce the official build and compares your locally-built `dist/` files with the checksums from the official release. Note that perfect reproducibility is challenging with JavaScript builds, but the script will show you any differences.
+
+### CI/CD Transparency
+
+Every package published to npm includes:
+- `CHECKSUMS.txt` - SHA256 hashes of all files
+- Git commit SHA that was built
+- Build timestamp
+- Verification scripts
+
+The checksums are available in multiple places:
+- **In the repository** - Committed with each release (permanent Git history)
+- **GitHub Releases** - Attached as an asset to every release
+- **npm package** - Included at `node_modules/valr-typescript-client/CHECKSUMS.txt`
+- **GitHub Actions** - Available as workflow artifacts
+
+To verify a specific release, check the Git tag or GitHub release assets.
+
 ## Error Handling
 
 The client throws typed errors for different failure scenarios:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "valr-typescript-client",
-  "version": "1.0.9",
+  "version": "1.0.10",
   "description": "TypeScript client for the VALR cryptocurrency exchange API with full type safety, WebSocket support, and comprehensive endpoint coverage",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -13,7 +13,11 @@
     }
   },
   "files": [
-    "dist"
+    "dist",
+    "CHECKSUMS.txt",
+    "scripts/verify-checksums.js",
+    "scripts/verify-checksums.sh",
+    "scripts/build-and-verify.sh"
   ],
   "scripts": {
     "build": "tsup",
@@ -23,7 +27,8 @@
     "test:coverage": "vitest run --coverage",
     "type-check": "tsc --noEmit",
     "lint": "eslint src --ext .ts",
-    "prepublishOnly": "npm run build && npm run test"
+    "prepublishOnly": "npm run build && npm run test",
+    "verify": "node scripts/verify-checksums.js"
   },
   "keywords": [
     "valr",

package/scripts/build-and-verify.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Reproducible Build & Verification Script
+# Builds the package from source and compares with official checksums
+
+set -e
+
+echo "🔨 Building from source and verifying against official checksums..."
+echo ""
+
+# Check if CHECKSUMS.txt exists
+if [ ! -f "CHECKSUMS.txt" ]; then
+    echo "❌ CHECKSUMS.txt not found!"
+    echo "   Make sure you're in the package root directory."
+    exit 1
+fi
+
+# Extract expected commit and version
+EXPECTED_COMMIT=$(grep "Git commit:" CHECKSUMS.txt | cut -d' ' -f3)
+EXPECTED_VERSION=$(grep "Version:" CHECKSUMS.txt | cut -d' ' -f2)
+CURRENT_COMMIT=$(git rev-parse HEAD)
+
+echo "📦 Package version: $EXPECTED_VERSION"
+echo "🔖 Official build commit: $EXPECTED_COMMIT"
+echo "🔖 Current commit: $CURRENT_COMMIT"
+echo ""
+
+if [ "$EXPECTED_COMMIT" != "$CURRENT_COMMIT" ]; then
+    echo "⚠️  Warning: You're not on the official release commit!"
+    echo "   Checking out $EXPECTED_COMMIT..."
+    git checkout "$EXPECTED_COMMIT"
+fi
+
+# Clean and build
+echo "🧹 Cleaning previous build..."
+rm -rf dist/
+
+echo "📦 Installing dependencies..."
+npm ci
+
+echo "🔨 Building from source..."
+npm run build
+
+echo ""
+echo "🔍 Comparing your build with official checksums..."
+echo ""
+
+FAILED=0
+MATCHED=0
+
+# Extract and verify dist file checksums
+grep -A 1000 "## Distribution Files" CHECKSUMS.txt | \
+    grep -B 1000 "## Source Files" | \
+    grep "dist/" | \
+    while read -r expected_hash file; do
+        if [ -f "$file" ]; then
+            actual_hash=$(sha256sum "$file" | awk '{print $1}')
+            if [ "$expected_hash" = "$actual_hash" ]; then
+                echo "  ✅ $file"
+                MATCHED=$((MATCHED + 1))
+            else
+                echo "  ❌ $file (MISMATCH!)"
+                echo "     Official: $expected_hash"
+                echo "     Your build: $actual_hash"
+                FAILED=$((FAILED + 1))
+            fi
+        else
+            echo "  ⚠️  $file (missing from your build)"
+            FAILED=$((FAILED + 1))
+        fi
+    done
+
+echo ""
+
+if [ $FAILED -eq 0 ]; then
+    echo "✅ SUCCESS: Your build matches the official build!"
+    echo "   This proves the official package was built from this source code."
+    echo "   The dist/ files you're running are legitimate."
+else
+    echo "⚠️  REPRODUCIBILITY WARNING"
+    echo "   Your build differs from the official build."
+    echo ""
+    echo "   Possible reasons:"
+    echo "   1. Different Node.js version (use Node 24)"
+    echo "   2. Different dependency versions (use npm ci, not npm install)"
+    echo "   3. Different build environment (timestamps, paths, etc.)"
+    echo "   4. Build tools include timestamps or absolute paths"
+    echo ""
+    echo "   Note: Some differences are expected with TypeScript/JavaScript builds."
+    echo "   This doesn't necessarily mean the official build is malicious."
+fi

package/scripts/verify-checksums.js

@@ -0,0 +1,148 @@
+#!/usr/bin/env node
+
+/**
+ * Checksum Verification Script (Cross-platform Node.js version)
+ * Verifies the integrity of the installed package against CHECKSUMS.txt
+ */
+
+const fs = require('fs');
+const crypto = require('crypto');
+const path = require('path');
+
+const CHECKSUM_FILE = 'CHECKSUMS.txt';
+
+function sha256File(filePath) {
+  const fileBuffer = fs.readFileSync(filePath);
+  const hashSum = crypto.createHash('sha256');
+  hashSum.update(fileBuffer);
+  return hashSum.digest('hex');
+}
+
+function parseChecksums(content) {
+  const lines = content.split('\n');
+  const checksums = { dist: [], src: [] };
+  let currentSection = null;
+
+  for (const line of lines) {
+    if (line.includes('## Distribution Files')) {
+      currentSection = 'dist';
+    } else if (line.includes('## Source Files')) {
+      currentSection = 'src';
+    } else if (currentSection && line.match(/^[a-f0-9]{64}\s+/)) {
+      const [hash, ...pathParts] = line.trim().split(/\s+/);
+      const filePath = pathParts.join(' ');
+      checksums[currentSection].push({ hash, path: filePath });
+    } else if (line.startsWith('Git commit:')) {
+      checksums.gitCommit = line.split(':')[1].trim();
+    } else if (line.startsWith('Version:')) {
+      checksums.version = line.split(':')[1].trim();
+    }
+  }
+
+  return checksums;
+}
+
+function main() {
+  console.log('🔍 Verifying package checksums...\n');
+
+  // Check if CHECKSUMS.txt exists
+  if (!fs.existsSync(CHECKSUM_FILE)) {
+    console.error('❌ CHECKSUMS.txt not found!');
+    console.error('   This package may not have been built with checksum verification.');
+    process.exit(1);
+  }
+
+  // Read and parse checksums
+  const checksumContent = fs.readFileSync(CHECKSUM_FILE, 'utf8');
+  const checksums = parseChecksums(checksumContent);
+
+  console.log(`📦 Package version: ${checksums.version}`);
+  console.log(`🔖 Git commit: ${checksums.gitCommit}`);
+  console.log('');
+
+  let failed = 0;
+  let verified = 0;
+  let missing = 0;
+
+  console.log('Verifying distribution files...');
+
+  // Verify dist files
+  for (const { hash: expectedHash, path: filePath } of checksums.dist) {
+    const normalizedPath = path.normalize(filePath);
+
+    if (fs.existsSync(normalizedPath)) {
+      const actualHash = sha256File(normalizedPath);
+      if (expectedHash === actualHash) {
+        console.log(`  ✅ ${filePath}`);
+        verified++;
+      } else {
+        console.log(`  ❌ ${filePath} (checksum mismatch!)`);
+        console.log(`     Expected: ${expectedHash}`);
+        console.log(`     Got:      ${actualHash}`);
+        failed++;
+      }
+    } else {
+      console.log(`  ⚠️  ${filePath} (file missing)`);
+      missing++;
+    }
+  }
+
+  console.log('');
+
+  // Check if we have source files (only in repo, not in npm package)
+  const hasSrcDir = fs.existsSync('src');
+  if (hasSrcDir && checksums.src && checksums.src.length > 0) {
+    console.log('Verifying source files...');
+
+    let srcVerified = 0;
+    let srcFailed = 0;
+    let srcMissing = 0;
+
+    for (const { hash: expectedHash, path: filePath } of checksums.src) {
+      const normalizedPath = path.normalize(filePath);
+
+      if (fs.existsSync(normalizedPath)) {
+        const actualHash = sha256File(normalizedPath);
+        if (expectedHash === actualHash) {
+          console.log(`  ✅ ${filePath}`);
+          srcVerified++;
+        } else {
+          console.log(`  ❌ ${filePath} (checksum mismatch!)`);
+          console.log(`     Expected: ${expectedHash}`);
+          console.log(`     Got:      ${actualHash}`);
+          srcFailed++;
+        }
+      } else {
+        console.log(`  ⚠️  ${filePath} (file missing)`);
+        srcMissing++;
+      }
+    }
+
+    verified += srcVerified;
+    failed += srcFailed;
+    missing += srcMissing;
+
+    console.log('');
+  }
+
+  console.log('');
+
+  if (failed === 0 && missing === 0) {
+    console.log('✅ All checksums verified successfully!');
+    console.log(`   ${verified} file(s) verified`);
+    console.log(`   This package matches the official build from commit ${checksums.gitCommit}`);
+    process.exit(0);
+  } else {
+    console.error('❌ Checksum verification failed!');
+    if (failed > 0) {
+      console.error(`   ${failed} file(s) failed verification`);
+    }
+    if (missing > 0) {
+      console.error(`   ${missing} file(s) missing`);
+    }
+    console.error('   This package may have been tampered with or corrupted.');
+    process.exit(1);
+  }
+}
+
+main();

package/scripts/verify-checksums.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+# Checksum Verification Script
+# Verifies the integrity of the installed package against CHECKSUMS.txt
+
+set -e
+
+CHECKSUM_FILE="CHECKSUMS.txt"
+VERIFIED=0
+FAILED=0
+MISSING=0
+
+if [ ! -f "$CHECKSUM_FILE" ]; then
+    echo "❌ CHECKSUMS.txt not found!"
+    echo "   This package may not have been built with checksum verification."
+    exit 1
+fi
+
+echo "🔍 Verifying package checksums..."
+echo ""
+
+# Extract git commit from checksums file
+EXPECTED_COMMIT=$(grep "Git commit:" "$CHECKSUM_FILE" | cut -d' ' -f3)
+PACKAGE_VERSION=$(grep "Version:" "$CHECKSUM_FILE" | cut -d' ' -f2)
+
+echo "📦 Package version: $PACKAGE_VERSION"
+echo "🔖 Git commit: $EXPECTED_COMMIT"
+echo ""
+
+# Verify distribution files
+echo "Verifying distribution files..."
+
+# Extract dist file checksums and verify
+while IFS= read -r line; do
+    expected_hash=$(echo "$line" | awk '{print $1}')
+    file=$(echo "$line" | awk '{$1=""; print $0}' | sed 's/^ //')
+
+    if [ -f "$file" ]; then
+        actual_hash=$(sha256sum "$file" | awk '{print $1}')
+        if [ "$expected_hash" = "$actual_hash" ]; then
+            echo "  ✅ $file"
+            VERIFIED=$((VERIFIED + 1))
+        else
+            echo "  ❌ $file (checksum mismatch!)"
+            echo "     Expected: $expected_hash"
+            echo "     Got:      $actual_hash"
+            FAILED=$((FAILED + 1))
+        fi
+    else
+        echo "  ⚠️  $file (file missing)"
+        MISSING=$((MISSING + 1))
+    fi
+done < <(grep -A 1000 "## Distribution Files" "$CHECKSUM_FILE" | grep -B 1000 "## Source Files" | grep "dist/")
+
+echo ""
+
+# Verify source files (if src directory exists)
+if [ -d "src" ]; then
+    echo "Verifying source files..."
+
+    # Extract src file checksums and verify
+    while IFS= read -r line; do
+        expected_hash=$(echo "$line" | awk '{print $1}')
+        file=$(echo "$line" | awk '{$1=""; print $0}' | sed 's/^ //')
+
+        if [ -f "$file" ]; then
+            actual_hash=$(sha256sum "$file" | awk '{print $1}')
+            if [ "$expected_hash" = "$actual_hash" ]; then
+                echo "  ✅ $file"
+                VERIFIED=$((VERIFIED + 1))
+            else
+                echo "  ❌ $file (checksum mismatch!)"
+                echo "     Expected: $expected_hash"
+                echo "     Got:      $actual_hash"
+                FAILED=$((FAILED + 1))
+            fi
+        else
+            echo "  ⚠️  $file (file missing)"
+            MISSING=$((MISSING + 1))
+        fi
+    done < <(grep -A 1000 "## Source Files" "$CHECKSUM_FILE" | grep "src/")
+
+    echo ""
+fi
+
+echo ""
+
+if [ $FAILED -eq 0 ] && [ $MISSING -eq 0 ]; then
+    echo "✅ All checksums verified successfully!"
+    echo "   $VERIFIED file(s) verified"
+    echo "   This package matches the official build from commit $EXPECTED_COMMIT"
+    exit 0
+else
+    echo "❌ Checksum verification failed!"
+    if [ $FAILED -gt 0 ]; then
+        echo "   $FAILED file(s) failed verification"
+    fi
+    if [ $MISSING -gt 0 ]; then
+        echo "   $MISSING file(s) missing"
+    fi
+    echo "   This package may have been tampered with or corrupted."
+    exit 1
+fi