npm - walletpair-sdk - Versions diffs - 1.0.2 → 1.0.5 - Mend

walletpair-sdk 1.0.2 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (74) hide show

package/README.md +13 -0
package/dist/ble/framing.d.ts.map +1 -1
package/dist/ble/framing.js +2 -2
package/dist/ble/framing.js.map +1 -1
package/dist/ble/index.d.ts +2 -2
package/dist/ble/index.d.ts.map +1 -1
package/dist/ble/index.js +2 -2
package/dist/ble/index.js.map +1 -1
package/dist/ble/web-ble-transport.d.ts +1 -1
package/dist/ble/web-ble-transport.d.ts.map +1 -1
package/dist/ble/web-ble-transport.js +23 -12
package/dist/ble/web-ble-transport.js.map +1 -1
package/dist/crypto.d.ts.map +1 -1
package/dist/crypto.js +29 -12
package/dist/crypto.js.map +1 -1
package/dist/dapp-session.d.ts.map +1 -1
package/dist/dapp-session.js +15 -5
package/dist/dapp-session.js.map +1 -1
package/dist/emitter.d.ts +1 -3
package/dist/emitter.d.ts.map +1 -1
package/dist/emitter.js +4 -2
package/dist/emitter.js.map +1 -1
package/dist/evm/eip1193.d.ts +2 -2
package/dist/evm/eip1193.d.ts.map +1 -1
package/dist/evm/eip1193.js +32 -18
package/dist/evm/eip1193.js.map +1 -1
package/dist/evm/index.d.ts +2 -2
package/dist/evm/index.d.ts.map +1 -1
package/dist/evm/index.js.map +1 -1
package/dist/wallet-session.d.ts.map +1 -1
package/dist/wallet-session.js +4 -3
package/dist/wallet-session.js.map +1 -1
package/dist/ws-transport.d.ts +3 -2
package/dist/ws-transport.d.ts.map +1 -1
package/dist/ws-transport.js +13 -4
package/dist/ws-transport.js.map +1 -1
package/package.json +20 -1
package/src/__tests__/adversarial/crypto-attacks.test.ts +240 -233
package/src/__tests__/adversarial/malicious-dapp.test.ts +228 -194
package/src/__tests__/adversarial/malicious-relay.test.ts +292 -220
package/src/__tests__/adversarial/malicious-wallet.test.ts +246 -180
package/src/__tests__/spec-compliance/canonical-json.test.ts +105 -105
package/src/__tests__/spec-compliance/crypto-vectors.test.ts +149 -154
package/src/__tests__/spec-compliance/message-format.test.ts +180 -151
package/src/__tests__/spec-compliance/sequence-numbers.test.ts +142 -149
package/src/__tests__/spec-compliance/state-machine.test.ts +203 -180
package/src/ble/framing.test.ts +122 -114
package/src/ble/framing.ts +48 -51
package/src/ble/index.ts +7 -7
package/src/ble/web-ble-transport.test.ts +93 -84
package/src/ble/web-ble-transport.ts +70 -57
package/src/ble/web-bluetooth.d.ts +19 -19
package/src/canonical-json.test.ts +301 -285
package/src/crypto-directional.test.ts +155 -129
package/src/crypto-hardening.test.ts +292 -283
package/src/crypto.test.ts +364 -346
package/src/crypto.ts +185 -175
package/src/dapp-session.test.ts +522 -385
package/src/dapp-session.ts +17 -11
package/src/emitter.test.ts +122 -122
package/src/emitter.ts +20 -18
package/src/evm/eip1193.test.ts +283 -205
package/src/evm/eip1193.ts +162 -138
package/src/evm/index.ts +5 -5
package/src/evm/wagmi.test.ts +1 -1
package/src/integration.test.ts +329 -201
package/src/security.test.ts +331 -238
package/src/sequence-validation.test.ts +6 -9
package/src/test-helpers.ts +102 -78
package/src/types.test.ts +45 -50
package/src/wallet-session.test.ts +611 -383
package/src/wallet-session.ts +7 -9
package/src/ws-transport.test.ts +141 -139
package/src/ws-transport.ts +52 -41

package/src/__tests__/adversarial/malicious-dapp.test.ts CHANGED Viewed

@@ -10,26 +10,24 @@
  * malicious dApp.
  */
-import { describe, it, expect, vi } from 'vitest';
-import { DAppSession } from '../../dapp-session.js';
-import { WalletSession } from '../../wallet-session.js';
-import { MockTransport, MockRelay, makeJoinBody } from '../../test-helpers.js';
+import { describe, expect, it, vi } from 'vitest'
 import {
-  generateX25519KeyPair,
-  generateChannelId,
+  b64urlDecode,
+  buildPairingUri,
   computeSharedSecret,
-  deriveSessionKey,
   deriveDirectionalSessionKeys,
+  deriveSessionKey,
+  generateChannelId,
+  generateX25519KeyPair,
   sealPayload,
-  unsealPayload,
-  b64urlEncode,
-  b64urlDecode,
-  buildPairingUri,
-} from '../../crypto.js';
-import type { ProtocolMessage, Capabilities } from '../../types.js';
+} from '../../crypto.js'
+import { DAppSession } from '../../dapp-session.js'
+import { MockRelay, MockTransport, makeJoinBody } from '../../test-helpers.js'
+import type { Capabilities, ProtocolMessage } from '../../types.js'
+import { WalletSession } from '../../wallet-session.js'
 function wait(ms = 50): Promise<void> {
-  return new Promise((r) => setTimeout(r, ms));
+  return new Promise((r) => setTimeout(r, ms))
 }
 // ---------------------------------------------------------------------------
@@ -37,59 +35,69 @@ function wait(ms = 50): Promise<void> {
 // ---------------------------------------------------------------------------
 function setupWalletManual(caps?: Capabilities) {
-  const transport = new MockTransport();
-  const dappKp = generateX25519KeyPair();
-  const channelId = generateChannelId();
+  const transport = new MockTransport()
+  const dappKp = generateX25519KeyPair()
+  const channelId = generateChannelId()
   const session = new WalletSession({
     transport,
-    meta: { name: 'W', description: 'Wallet', url: 'https://wallet.test', icon: 'https://wallet.test/i.png' },
+    meta: {
+      name: 'W',
+      description: 'Wallet',
+      url: 'https://wallet.test',
+      icon: 'https://wallet.test/i.png',
+    },
     capabilities: caps ?? {
       methods: ['wallet_getAccounts', 'wallet_signMessage'],
       events: ['accountsChanged'],
       chains: ['eip155:1'],
     },
-  });
-  return { transport, session, dappKp, channelId };
+  })
+  return { transport, session, dappKp, channelId }
 }
 async function connectWalletManual(ctx: ReturnType<typeof setupWalletManual>) {
-  const { transport, session, dappKp, channelId } = ctx;
+  const { transport, session, dappKp, channelId } = ctx
   const uri = buildPairingUri({
     channelId,
     pubkeyB64: dappKp.publicKeyB64,
     relayUrl: 'ws://localhost/v1',
-    name: 'Evil dApp', url: 'https://evil.test', icon: 'https://evil.test/i.png',
-  });
-  await session.joinFromUri(uri);
+    name: 'Evil dApp',
+    url: 'https://evil.test',
+    icon: 'https://evil.test/i.png',
+  })
+  await session.joinFromUri(uri)
   transport.receive({
-    v: 1, t: 'ready', ch: channelId,
-    ts: Date.now(), from: '_adapter',
+    v: 1,
+    t: 'ready',
+    ch: channelId,
+    ts: Date.now(),
+    from: '_adapter',
     body: { state: 'connected', reconnect: false, remote: dappKp.publicKeyB64 },
-  } as ProtocolMessage);
+  } as ProtocolMessage)
   // Derive the dApp's send key (dappToWalletKey) to craft malicious requests.
   // The wallet's public key is in the join message's "from" field.
-  const walletPubB64 = transport.sent.find(m => m.t === 'join')!.from!;
-  const walletPubKey = b64urlDecode(walletPubB64);
-  const shared = computeSharedSecret(dappKp.privateKey, walletPubKey);
-  const rootKey = deriveSessionKey(shared, channelId);
+  const walletPubB64 = transport.sent.find((m) => m.t === 'join')?.from ?? ''
+  const walletPubKey = b64urlDecode(walletPubB64)
+  const shared = computeSharedSecret(dappKp.privateKey, walletPubKey)
+  const rootKey = deriveSessionKey(shared, channelId)
   const ctx2 = {
     dappPubKeyB64: dappKp.publicKeyB64,
     walletPubKeyB64: walletPubB64,
-    capabilities: (session as any).effectiveCapabilities,
-    walletMeta: (session as any).meta,
+    capabilities: (session as unknown as Record<string, unknown>).effectiveCapabilities,
+    walletMeta: (session as unknown as Record<string, unknown>).meta,
     dappName: 'Evil dApp',
-  };
-  const keys = deriveDirectionalSessionKeys(rootKey, channelId, ctx2);
-  shared.fill(0);
-  rootKey.fill(0);
+  }
+  const keys = deriveDirectionalSessionKeys(rootKey, channelId, ctx2)
+  shared.fill(0)
+  rootKey.fill(0)
   return {
     sendKey: keys.dappToWalletKey, // dApp -> wallet encryption key
     walletPubB64,
     dappPubB64: dappKp.publicKeyB64,
-  };
+  }
 }
 function craftReq(
@@ -101,14 +109,17 @@ function craftReq(
   method: string,
   params?: Record<string, unknown>,
 ): ProtocolMessage {
-  const payload = { _method: method, ...(params ?? {}) };
-  const hdr = { type: 'req' as const, from: dappPubB64, id };
-  const sealed = sealPayload(sendKey, channelId, seq, payload, hdr);
+  const payload = { _method: method, ...(params ?? {}) }
+  const hdr = { type: 'req' as const, from: dappPubB64, id }
+  const sealed = sealPayload(sendKey, channelId, seq, payload, hdr)
   return {
-    v: 1, t: 'req', ch: channelId,
-    ts: Date.now(), from: dappPubB64,
+    v: 1,
+    t: 'req',
+    ch: channelId,
+    ts: Date.now(),
+    from: dappPubB64,
     body: { id, sealed },
-  } as ProtocolMessage;
+  } as ProtocolMessage
 }
 // ---------------------------------------------------------------------------
@@ -124,13 +135,13 @@ describe('Malicious DApp: Request flooding (>32 pending)', () => {
     // PREVENTS: Resource exhaustion on the wallet side. Section 15 rule 11
     // limits pending requests to 32 per channel.
-    const ctx = setupWalletManual();
-    const { transport, session, channelId } = ctx;
-    const { sendKey, dappPubB64 } = await connectWalletManual(ctx);
+    const ctx = setupWalletManual()
+    const { transport, session, channelId } = ctx
+    const { sendKey, dappPubB64 } = await connectWalletManual(ctx)
     // Do NOT handle requests (let them pile up as pending)
-    const requests: Array<{ id: string; method: string }> = [];
-    session.on('request', (req) => requests.push(req));
+    const requests: Array<{ id: string; method: string }> = []
+    session.on('request', (req) => requests.push(req))
     // Send 32 requests one at a time, waiting for each to be processed.
     // The transport.receive() is synchronous — it invokes handleMessage
@@ -138,27 +149,27 @@ describe('Malicious DApp: Request flooding (>32 pending)', () => {
     for (let i = 0; i < 32; i++) {
       transport.receive(
         craftReq(sendKey, channelId, dappPubB64, i, `req-${i}`, 'wallet_getAccounts'),
-      );
+      )
     }
     // All 32 should have been emitted as requests
-    expect(requests).toHaveLength(32);
+    expect(requests).toHaveLength(32)
     // 33rd request should be rate-limited
     transport.receive(
       craftReq(sendKey, channelId, dappPubB64, 32, 'req-overflow', 'wallet_getAccounts'),
-    );
+    )
     // Wallet should have sent a res with rate_limited error (NOT close the channel)
-    const rateLimitedRes = transport.sent.find(m =>
-      m.t === 'res' && (m as any).body?.id === 'req-overflow',
-    ) as any;
-    expect(rateLimitedRes).toBeTruthy();
+    const rateLimitedRes = transport.sent.find(
+      (m) => m.t === 'res' && (m.body as Record<string, unknown>)?.id === 'req-overflow',
+    )
+    expect(rateLimitedRes).toBeTruthy()
     // Verify the session is still alive (do NOT close for rate_limited)
-    expect(session.phase).toBe('connected'); // NOT closed!
-    expect(requests).toHaveLength(32); // 33rd was NOT emitted
-  });
-});
+    expect(session.phase).toBe('connected') // NOT closed!
+    expect(requests).toHaveLength(32) // 33rd was NOT emitted
+  })
+})
 // ---------------------------------------------------------------------------
 // Attack 2: DApp sends req before ready.connected
@@ -173,36 +184,41 @@ describe('Malicious DApp: Request before connected', () => {
     // PREVENTS: Out-of-order message processing that could bypass
     // handshake security (Section 15 rule 7).
-    const ctx = setupWalletManual();
-    const { transport, session, dappKp, channelId } = ctx;
+    const ctx = setupWalletManual()
+    const { transport, session, dappKp, channelId } = ctx
-    const requestHandler = vi.fn();
-    session.on('request', requestHandler);
+    const requestHandler = vi.fn()
+    session.on('request', requestHandler)
     const uri = buildPairingUri({
       channelId,
       pubkeyB64: dappKp.publicKeyB64,
       relayUrl: 'ws://localhost/v1',
-      name: 'D', url: 'https://d.test', icon: 'https://d.test/i.png',
-    });
-    await session.joinFromUri(uri);
+      name: 'D',
+      url: 'https://d.test',
+      icon: 'https://d.test/i.png',
+    })
+    await session.joinFromUri(uri)
     // At this point, wallet is in waiting_accept, NOT connected
     // DApp sends req before ready.connected
     transport.receive({
-      v: 1, t: 'req', ch: channelId,
-      ts: Date.now(), from: dappKp.publicKeyB64,
+      v: 1,
+      t: 'req',
+      ch: channelId,
+      ts: Date.now(),
+      from: dappKp.publicKeyB64,
       body: { id: 'premature-req', sealed: 'fake-sealed-data' },
-    } as ProtocolMessage);
+    } as ProtocolMessage)
-    await wait();
+    await wait()
     // Request should NOT have been processed (recvKey is set but phase check
     // happens via from matching — the wallet will try to decrypt and fail
     // because sealed data is invalid, or the request is dropped)
-    expect(requestHandler).not.toHaveBeenCalled();
-  });
-});
+    expect(requestHandler).not.toHaveBeenCalled()
+  })
+})
 // ---------------------------------------------------------------------------
 // Attack 3: DApp sends req after close
@@ -218,64 +234,64 @@ describe('Malicious DApp: Request after close', () => {
     // Even if a message somehow reaches the handler, it cannot be
     // decrypted (keys are zeroed) and no response can be sent.
-    const ctx = setupWalletManual();
-    const { transport, session, channelId } = ctx;
-    const { sendKey, dappPubB64 } = await connectWalletManual(ctx);
+    const ctx = setupWalletManual()
+    const { transport, session, channelId } = ctx
+    const { sendKey, dappPubB64 } = await connectWalletManual(ctx)
     // Destroy the session (close + key erasure)
-    session.destroy();
-    expect(session.phase).toBe('closed');
+    session.destroy()
+    expect(session.phase).toBe('closed')
-    const sentBefore = transport.sent.length;
+    const sentBefore = transport.sent.length
     // DApp sends req after destroy — keys are zeroed, decryption fails
     transport.receive(
       craftReq(sendKey, channelId, dappPubB64, 0, 'post-close-req', 'wallet_getAccounts'),
-    );
+    )
-    await wait();
+    await wait()
     // No new messages should have been sent (cannot encrypt response
     // because sendKey was zeroed)
-    const newMessages = transport.sent.slice(sentBefore);
-    const resMessages = newMessages.filter(m => m.t === 'res');
-    expect(resMessages).toHaveLength(0);
-  });
+    const newMessages = transport.sent.slice(sentBefore)
+    const resMessages = newMessages.filter((m) => m.t === 'res')
+    expect(resMessages).toHaveLength(0)
+  })
   it('close followed by receive via close message stops further processing', async () => {
     // When the wallet receives a close message from the peer, it
     // transitions to 'closed' and sets intentionalClose. Subsequent
     // messages on the transport should be ignored or fail gracefully.
-    const dappTransport = new MockTransport();
-    const walletTransport = new MockTransport();
-    const _relay = new MockRelay(dappTransport, walletTransport);
+    const dappTransport = new MockTransport()
+    const walletTransport = new MockTransport()
+    new MockRelay(dappTransport, walletTransport)
     const dappSession = new DAppSession({
       transport: dappTransport,
       meta: { name: 'D', description: 'D', url: 'https://d.test', icon: 'https://d.test/i.png' },
-    });
+    })
     const walletSession = new WalletSession({
       transport: walletTransport,
       capabilities: { methods: ['wallet_getAccounts'], events: [], chains: ['eip155:1'] },
       meta: { name: 'W', description: 'W', url: 'https://w.test', icon: 'https://w.test/i.png' },
-    });
+    })
-    const uri = await dappSession.createPairing();
-    await walletSession.joinFromUri(uri);
-    await wait();
-    await wait();
+    const uri = await dappSession.createPairing()
+    await walletSession.joinFromUri(uri)
+    await wait()
+    await wait()
-    expect(walletSession.phase).toBe('connected');
+    expect(walletSession.phase).toBe('connected')
     // DApp closes the session
-    dappSession.close();
-    await wait();
+    dappSession.close()
+    await wait()
     // Wallet should now be closed
-    expect(walletSession.phase).toBe('closed');
-  });
-});
+    expect(walletSession.phase).toBe('closed')
+  })
+})
 // ---------------------------------------------------------------------------
 // Attack 4: DApp retries request with same ID but different params
@@ -291,35 +307,39 @@ describe('Malicious DApp: Duplicate request ID with different params', () => {
     // PREVENTS: Request parameter substitution attacks. Section 9.1
     // requires constant-time params hash comparison.
-    const ctx = setupWalletManual();
-    const { transport, session, channelId } = ctx;
-    const { sendKey, dappPubB64 } = await connectWalletManual(ctx);
+    const ctx = setupWalletManual()
+    const { transport, session, channelId } = ctx
+    const { sendKey, dappPubB64 } = await connectWalletManual(ctx)
     session.on('request', ({ id }) => {
-      session.approve(id, 'approved');
-    });
+      session.approve(id, 'approved')
+    })
     // First request with id "req-1"
     transport.receive(
-      craftReq(sendKey, channelId, dappPubB64, 0, 'req-1', 'wallet_signMessage', { message: 'hello' }),
-    );
-    await wait();
+      craftReq(sendKey, channelId, dappPubB64, 0, 'req-1', 'wallet_signMessage', {
+        message: 'hello',
+      }),
+    )
+    await wait()
     // Retry with same id "req-1" but DIFFERENT params
     transport.receive(
-      craftReq(sendKey, channelId, dappPubB64, 1, 'req-1', 'wallet_signMessage', { message: 'send_all_funds' }),
-    );
-    await wait();
+      craftReq(sendKey, channelId, dappPubB64, 1, 'req-1', 'wallet_signMessage', {
+        message: 'send_all_funds',
+      }),
+    )
+    await wait()
     // Wallet should have sent a rejection response for the second attempt
     // Find the response messages
-    const responses = transport.sent.filter(m => m.t === 'res');
-    expect(responses.length).toBeGreaterThanOrEqual(2);
+    const responses = transport.sent.filter((m) => m.t === 'res')
+    expect(responses.length).toBeGreaterThanOrEqual(2)
     // The session must still be alive (do NOT close for invalid_params)
-    expect(session.phase).toBe('connected');
-  });
-});
+    expect(session.phase).toBe('connected')
+  })
+})
 // ---------------------------------------------------------------------------
 // Attack 5: DApp sends message >64KB
@@ -336,74 +356,83 @@ describe('Malicious DApp: Oversized message', () => {
     // We test the sendRaw() guard directly: the session emits an error
     // and the message is NOT actually delivered to the transport.
-    const ctx = setupWalletManual();
-    const { transport, session, channelId } = ctx;
-    const { sendKey, dappPubB64 } = await connectWalletManual(ctx);
+    const ctx = setupWalletManual()
+    const { transport, session, channelId } = ctx
+    const { sendKey, dappPubB64 } = await connectWalletManual(ctx)
-    const requestHandler = vi.fn();
-    session.on('request', requestHandler);
+    const requestHandler = vi.fn()
+    session.on('request', requestHandler)
     // Craft a request with a payload that when JSON-serialized
     // would exceed 64 KB (the protocol message envelope adds overhead)
-    const hugeData = 'x'.repeat(80_000);
-    const payload = { _method: 'wallet_signMessage', data: hugeData };
-    const hdr = { type: 'req' as const, from: dappPubB64, id: 'huge-req' };
-    const sealed = sealPayload(sendKey, channelId, 0, payload, hdr);
+    const hugeData = 'x'.repeat(80_000)
+    const payload = { _method: 'wallet_signMessage', data: hugeData }
+    const hdr = { type: 'req' as const, from: dappPubB64, id: 'huge-req' }
+    const sealed = sealPayload(sendKey, channelId, 0, payload, hdr)
     // The total message JSON will be > 64KB
     const msg = {
-      v: 1, t: 'req', ch: channelId,
-      ts: Date.now(), from: dappPubB64,
+      v: 1,
+      t: 'req',
+      ch: channelId,
+      ts: Date.now(),
+      from: dappPubB64,
       body: { id: 'huge-req', sealed },
-    } as ProtocolMessage;
+    } as ProtocolMessage
-    const msgSize = new TextEncoder().encode(JSON.stringify(msg)).length;
+    const msgSize = new TextEncoder().encode(JSON.stringify(msg)).length
     // Verify our test setup actually exceeds the limit
-    expect(msgSize).toBeGreaterThan(65536);
+    expect(msgSize).toBeGreaterThan(65536)
     // The wallet receives this directly (bypassing its own sendRaw check).
     // The wallet will try to process it. The relay should have blocked it,
     // but if it reaches the wallet, the wallet processes it normally
     // (the 64KB check is a send-side guard, not a receive-side guard).
     // The key security property is that the SENDER enforces the limit.
-    transport.receive(msg);
-    await wait();
+    transport.receive(msg)
+    await wait()
     // For a send-side test, verify DAppSession's sendRaw blocks oversized messages
-    const dappTransport = new MockTransport();
+    const dappTransport = new MockTransport()
     const dappSession = new DAppSession({
       transport: dappTransport,
       meta: { name: 'D', description: 'D', url: 'https://d.test', icon: 'https://d.test/i.png' },
-    });
+    })
-    const dappErrors: Error[] = [];
-    dappSession.on('error', (e) => dappErrors.push(e));
+    const dappErrors: Error[] = []
+    dappSession.on('error', (e) => dappErrors.push(e))
     // Simulate connected state
-    await dappSession.createPairing();
-    const walletKp = generateX25519KeyPair();
+    await dappSession.createPairing()
+    const walletKp = generateX25519KeyPair()
     dappTransport.receive({
-      v: 1, t: 'join', ch: dappSession.channelId,
-      ts: Date.now(), from: walletKp.publicKeyB64,
-      body: makeJoinBody(dappSession.channelId, dappTransport.sent[0]!.from!, walletKp),
-    } as ProtocolMessage);
+      v: 1,
+      t: 'join',
+      ch: dappSession.channelId,
+      ts: Date.now(),
+      from: walletKp.publicKeyB64,
+      body: makeJoinBody(dappSession.channelId, dappTransport.sent[0]?.from ?? '', walletKp),
+    } as ProtocolMessage)
     dappTransport.receive({
-      v: 1, t: 'ready', ch: dappSession.channelId,
-      ts: Date.now(), from: '_adapter',
+      v: 1,
+      t: 'ready',
+      ch: dappSession.channelId,
+      ts: Date.now(),
+      from: '_adapter',
       body: { state: 'connected', reconnect: false, remote: walletKp.publicKeyB64 },
-    } as ProtocolMessage);
+    } as ProtocolMessage)
-    const sentBefore = dappTransport.sent.length;
+    const _sentBefore = dappTransport.sent.length
     // Try to send a huge request — sendRaw should catch the 64KB limit
     // and emit an error instead of sending
-    dappSession.request('wallet_signMessage', { data: hugeData });
-    await wait();
+    dappSession.request('wallet_signMessage', { data: hugeData })
+    await wait()
     // The error should have been emitted
-    expect(dappErrors.some(e => e.message.includes('64 KB'))).toBe(true);
-  });
-});
+    expect(dappErrors.some((e) => e.message.includes('64 KB'))).toBe(true)
+  })
+})
 // ---------------------------------------------------------------------------
 // Attack 6: DApp calls method not in capabilities
@@ -421,53 +450,55 @@ describe('Malicious DApp: Capability violation', () => {
       methods: ['wallet_getAccounts'], // only getAccounts, NOT signMessage
       events: [],
       chains: ['eip155:1'],
-    });
-    const { transport, session, channelId } = ctx;
-    const { sendKey, dappPubB64 } = await connectWalletManual(ctx);
+    })
+    const { transport, session, channelId } = ctx
+    const { sendKey, dappPubB64 } = await connectWalletManual(ctx)
-    const requestHandler = vi.fn();
-    session.on('request', requestHandler);
+    const requestHandler = vi.fn()
+    session.on('request', requestHandler)
     // DApp tries to call wallet_signMessage which is NOT in capabilities
     transport.receive(
-      craftReq(sendKey, channelId, dappPubB64, 0, 'req-evil', 'wallet_signMessage', { message: 'hack' }),
-    );
-    await wait();
+      craftReq(sendKey, channelId, dappPubB64, 0, 'req-evil', 'wallet_signMessage', {
+        message: 'hack',
+      }),
+    )
+    await wait()
     // Request should NOT have been emitted to the application
-    expect(requestHandler).not.toHaveBeenCalled();
+    expect(requestHandler).not.toHaveBeenCalled()
     // Wallet should have sent an error response
-    const rejectRes = transport.sent.find(m =>
-      m.t === 'res' && (m as any).body?.id === 'req-evil',
-    );
-    expect(rejectRes).toBeTruthy();
+    const rejectRes = transport.sent.find(
+      (m) => m.t === 'res' && (m.body as Record<string, unknown>)?.id === 'req-evil',
+    )
+    expect(rejectRes).toBeTruthy()
     // Session must remain open (do NOT close for unsupported_method)
-    expect(session.phase).toBe('connected');
-  });
+    expect(session.phase).toBe('connected')
+  })
   it('wallet rejects completely unknown method', async () => {
     const ctx = setupWalletManual({
       methods: ['wallet_getAccounts'],
       events: [],
       chains: ['eip155:1'],
-    });
-    const { transport, session, channelId } = ctx;
-    const { sendKey, dappPubB64 } = await connectWalletManual(ctx);
+    })
+    const { transport, session, channelId } = ctx
+    const { sendKey, dappPubB64 } = await connectWalletManual(ctx)
-    const requestHandler = vi.fn();
-    session.on('request', requestHandler);
+    const requestHandler = vi.fn()
+    session.on('request', requestHandler)
     transport.receive(
       craftReq(sendKey, channelId, dappPubB64, 0, 'req-unknown', 'evil_drainWallet'),
-    );
-    await wait();
+    )
+    await wait()
-    expect(requestHandler).not.toHaveBeenCalled();
-    expect(session.phase).toBe('connected');
-  });
-});
+    expect(requestHandler).not.toHaveBeenCalled()
+    expect(session.phase).toBe('connected')
+  })
+})
 // ---------------------------------------------------------------------------
 // Attack 7: DApp sends req with _adapter spoofed from
@@ -481,25 +512,28 @@ describe('Malicious DApp: Spoofed _adapter from', () => {
     //
     // PREVENTS: Adapter impersonation in peer message types.
-    const ctx = setupWalletManual();
-    const { transport, session, channelId } = ctx;
-    await connectWalletManual(ctx);
+    const ctx = setupWalletManual()
+    const { transport, session, channelId } = ctx
+    await connectWalletManual(ctx)
-    const errorHandler = vi.fn();
-    session.on('error', errorHandler);
-    const requestHandler = vi.fn();
-    session.on('request', requestHandler);
+    const errorHandler = vi.fn()
+    session.on('error', errorHandler)
+    const requestHandler = vi.fn()
+    session.on('request', requestHandler)
     transport.receive({
-      v: 1, t: 'req', ch: channelId,
-      ts: Date.now(), from: '_adapter', // spoofed!
+      v: 1,
+      t: 'req',
+      ch: channelId,
+      ts: Date.now(),
+      from: '_adapter', // spoofed!
       body: { id: 'spoofed-req', sealed: 'fake' },
-    } as ProtocolMessage);
+    } as ProtocolMessage)
-    await wait();
+    await wait()
-    expect(errorHandler).toHaveBeenCalled();
-    expect(errorHandler.mock.calls[0]?.[0]?.message).toContain('spoofed _adapter');
-    expect(requestHandler).not.toHaveBeenCalled();
-  });
-});
+    expect(errorHandler).toHaveBeenCalled()
+    expect(errorHandler.mock.calls[0]?.[0]?.message).toContain('spoofed _adapter')
+    expect(requestHandler).not.toHaveBeenCalled()
+  })
+})